It’s time to play Guess That Threat. Let’s skip right to the
bonus round.
Contestants, here’s the question: What seldom-encountered
but ever-looming threat can put a restaurant out of business with a single
incident?
If you answered “food-borne illness,” you lose even the
lovely parting gifts. But consider yourself lucky that experience hasn't burned the correct answer into your brain. Then you’d be among the small but growing number
of restaurateurs who’ve learned how hackers can devastate a business by swiping guests’ credit card info.
The oblivious might find out when grim-looking people
with wires in their ears show up at the front door, flashing Secret Service
credentials. Or when they’re hit with six-figure fines from their credit-card
company or bank. Those blows to the bottom line would be in addition to the 16%
of clientele that experts say a retail business typically loses after a data theft.
“Stealing credit cards is big business,” Brad Cyprus of
VendorSafe Technologies told the seemingly chilled audience at the FSTEC
foodservice technology conference this week. “This is no longer some college
students hacking into your computers. This is organized crime.”
Cyprus’ company sells data-security devices to restaurants,
so he has a business reason to sound the alarm. Yet his warning was relatively
mild compared to the ones delivered by other speakers at the conference.
Then there was the video about a two-unit operation
called Spanky’s, which had to close because fines and fees were running into
the hundreds of thousands. The proprietor explained on camera that she’d
assumed the restaurants were safe from a security breach because they’d just
been outfitted with new POS and computer equipment. She didn’t know she’d been
hacked until the affected parties started demanding make-good payments.
As Cyprus and others explained, data crooks spend millions
of dollars today on programs and technology to swipe passwords. Then they slip
inside a restaurant company’s protected computer files and patiently harvest
credit card information over a period of weeks or months. It’s not a
rip-and-run situation, like you see in the movies. The hacked operation may not
know it’s been robbed until the data is sold and customers start screaming
about the outrageous charges on their monthly bills.
Once the intruders find a way into the technology of a
certain chain, they’ll proceed franchisee by franchisee or restaurant by
restaurant, quietly robbing data until the alarm is sounded.
Other times, restaurants help the thieves by failing to reset
the password that allows employees to enter a new system. Seventy-five percent
of the restaurants whose data was stolen were still using the default passwords
left by their vendor, according to the Secret Service, which has jurisdiction over
card data theft. Default passwords are usually meant to be simple, memorable
series of numbers or letters—something as obvious as 1-2-3-4 or the start of
the restaurant’s name.
Once they crack the code, the hackers
surf the vendor’s website for mentions of other restaurants serviced by
the company, recounted Dave Matthews, CIO for the National Restaurant Association. Then they see if those places failed to reset their password,
too.
If a restaurant is hacked, the operator, not the credit card
company or the bank that issued the card, is in the crosshairs. Despite the
lobbying efforts of the NRA and its allies on the matter, the laws and
regulations specific that “all of the costs can be transferred down to you as
the merchant,” said Matthews.
Restaurants are vulnerable in part because this is something
beyond their ken. “You know restaurants, not data security,” noted Matthews.
“You are not the bad guys. The bad guys are the crooks out there."
Another big reason for the industry’s vulnerability is trust
where it’s not due. Restaurants buy the technology to safeguard their data, but
they don’t ask the installer if it has followed the best practices recommended
by the technology’s supplier. They may have left some backdoor entries.
Hackers are also adept at finding new ways to swipe data.
Operators have to install the update patches recommended by their vendors to safeguard
data, or to do the upgrades their POS vendors advise. Operators typically
grumble about the revisions, damning the suppliers for trying to snag a few
more dollars.
Get over it, the speakers advised. Keep your protections
current through constant upgrades, because the thieves are constantly finding new ways to bust you. You should be as vigilant as you are about food
safety, they agreed.
Matthews aired a practical list the NRA has just developed
to help restaurateurs safeguard customers’ information.
“Unless you have a support staff or unless you have a
trusted advisor, don’t try to do this yourself,” he advised. “You just won’t
get it.”
The precautions that he urged restaurants to make part of their standard procedures:
1)
Install and maintain a firewall configuration to
protect cardholder data. “You need to get this done,” he Matthews stressed.
2)
Do not use vendor-supplied defaults for systems
passwords. Reset them immediately.
3)
Protect cardholder data by not storing it. “Get
rid of it—you don’t need it anymore,” said Matthews. If an operation needs to
retain it for some reason, encrypt the data.
4)
Encrypt transmission of cardholder data across
open, public networks. “I don’t expect any of you restaurateurs to know what
that means,” but a technology specialist would understand, Matthews said.
5)
Maintain a vulnerability management program. Use
and regularly update anti-virus software. In addition, develop and maintain or
purchase secure systems and applications, and make sure they’re updated.
6)
Implement strong access control measures by
restricting access to cardholder data. “That’s a fancy way of saying, ‘Make
sure everyone has a unique password,’” explained Matthews.
7)
Regularly monitor and test networks and security
systems with external scans.
8)
Maintain some form of an Information Security
Policy, a HAACP for technology.
“Be aware of what you have to do,” advised
Matthews. “View this as food safety. It’s risk management and risk mitigation
for your business.”
Posts
No comments:
Post a Comment