Wednesday, September 12, 2012

Restaurants' new food-safety-scale worry

It’s time to play Guess That Threat. Let’s skip right to the bonus round.

Contestants, here’s the question: What seldom-encountered but ever-looming threat can put a restaurant out of business with a single incident?

If you answered “food-borne illness,” you lose even the lovely parting gifts. But consider yourself lucky that experience hasn't burned the correct answer into your brain. Then you’d be among the small but growing number of restaurateurs who’ve learned how hackers can devastate a business by swiping guests’ credit card info.

The oblivious might find out when grim-looking people with wires in their ears show up at the front door, flashing Secret Service credentials. Or when they’re hit with six-figure fines from their credit-card company or bank. Those blows to the bottom line would be in addition to the 16% of clientele that experts say a retail business typically loses after a data theft.

“Stealing credit cards is big business,” Brad Cyprus of VendorSafe Technologies told the seemingly chilled audience at the FSTEC foodservice technology conference this week. “This is no longer some college students hacking into your computers. This is organized crime.”

Cyprus’ company sells data-security devices to restaurants, so he has a business reason to sound the alarm. Yet his warning was relatively mild compared to the ones delivered by other speakers at the conference.

Then there was the video about a two-unit operation called Spanky’s, which had to close because fines and fees were running into the hundreds of thousands. The proprietor explained on camera that she’d assumed the restaurants were safe from a security breach because they’d just been outfitted with new POS and computer equipment. She didn’t know she’d been hacked until the affected parties started demanding make-good payments.

As Cyprus and others explained, data crooks spend millions of dollars today on programs and technology to swipe passwords. Then they slip inside a restaurant company’s protected computer files and patiently harvest credit card information over a period of weeks or months. It’s not a rip-and-run situation, like you see in the movies. The hacked operation may not know it’s been robbed until the data is sold and customers start screaming about the outrageous charges on their monthly bills.

Once the intruders find a way into the technology of a certain chain, they’ll proceed franchisee by franchisee or restaurant by restaurant, quietly robbing data until the alarm is sounded.

Other times, restaurants help the thieves by failing to reset the password that allows employees to enter a new system. Seventy-five percent of the restaurants whose data was stolen were still using the default passwords left by their vendor, according to the Secret Service, which has jurisdiction over card data theft. Default passwords are usually meant to be simple, memorable series of numbers or letters—something as obvious as 1-2-3-4 or the start of the restaurant’s name.

Once they crack the code, the hackers surf the vendor’s website for mentions of other restaurants serviced by the company, recounted Dave Matthews, CIO for the National Restaurant Association. Then they see if those places failed to reset their password, too.

If a restaurant is hacked, the operator, not the credit card company or the bank that issued the card, is in the crosshairs. Despite the lobbying efforts of the NRA and its allies on the matter, the laws and regulations specify that “all of the costs can be transferred down to you as the merchant,” said Matthews.

Restaurants are vulnerable in part because this is something beyond their ken. “You know restaurants, not data security,” noted Matthews. “You are not the bad guys. The bad guys are the crooks out there.”

Another big reason for the industry’s vulnerability is trust where it’s not due. Restaurants buy the technology to safeguard their data, but they don’t ask the installer if it has followed the best practices recommended by the technology’s supplier. They may have left some backdoor entries.

Hackers are also adept at finding new ways to swipe data. Operators have to install the patches their vendors recommend to safeguard data and do the upgrades their POS vendors advise. Operators typically grumble about the revisions, damning the suppliers for trying to snag a few more dollars.

Get over it, the speakers advised. Keep your protections current through constant upgrades, because the thieves are constantly finding new ways to bust you. You should be as vigilant as you are about food safety, they agreed.

Matthews aired a practical list the NRA has just developed to help restaurateurs safeguard customers’ information.

“Unless you have a support staff or unless you have a trusted advisor, don’t try to do this yourself,” he advised. “You just won’t get it.”

The precautions that he urged restaurants to make part of their standard procedures:

1)   Install and maintain a firewall configuration to protect cardholder data. “You need to get this done,” Matthews stressed.

2)   Do not use vendor-supplied defaults for systems passwords. Reset them immediately.

3)   Protect cardholder data by not storing it. “Get rid of it—you don’t need it anymore,” said Matthews. If an operation needs to retain it for some reason, encrypt the data. 

4)   Encrypt transmission of cardholder data across open, public networks. “I don’t expect any of you restaurateurs to know what that means,” but a technology specialist would understand, Matthews said.

5)   Maintain a vulnerability management program. Use and regularly update anti-virus software. In addition, develop and maintain or purchase secure systems and applications, and make sure they’re updated.

6)   Implement strong access control measures by restricting access to cardholder data. “That’s a fancy way of saying, ‘Make sure everyone has a unique password,’” explained Matthews.

7)   Regularly monitor and test networks and security systems with external scans.

8)   Maintain some form of an Information Security Policy, a HACCP for technology.
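Three of the items above (2, 3 and 6) and the earlier point about vendor default passwords describe checks a restaurant's technology advisor can actually run. The script below is an added illustration, not code from the post, the NRA or any POS vendor: it audits a constructed account inventory for vendor-default or restaurant-name passwords and for credentials shared between people, and scans constructed POS log lines for full card numbers that should never have been written to disk (a 16-digit number is reported only if it passes the Luhn check that real card numbers satisfy, so order references are not false alarms). The account list, default-password list, restaurant name and log lines are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample inventory of POS and back-office logins. Passwords
# are placeholders for the example, not real vendor defaults.
ACCOUNTS = [
    {"user": "posadmin", "password": "1234", "system": "POS"},
    {"user": "manager", "password": "Sp4nkysTerr4ce!", "system": "POS"},
    {"user": "server1", "password": "spanky", "system": "POS"},
    {"user": "server2", "password": "spanky", "system": "POS"},
    {"user": "remote", "password": "Vend0r-Install-2012", "system": "remote-support"},
]

# Constructed list of installer-style defaults; a real audit would take
# these from the product's own installation documentation.
DEFAULT_PASSWORDS = {"1234", "password", "admin", "pos"}
RESTAURANT_NAME = "Spanky's"  # assumed name, used to catch name-derived passwords

# Constructed POS log lines. Line 1 and line 4 leak a full card number;
# line 2 is correctly truncated; line 3 is a 16-digit order reference.
LOG_LINES = [
    "2012-09-10 19:42:01 sale auth ok pan=4111111111111111 amt=42.18",
    "2012-09-10 19:43:55 sale auth ok pan=550000******0004 amt=19.00",
    "2012-09-10 19:45:12 order_ref=1234567890123456 table=7",
    "2012-09-10 19:50:03 refund pan=5500 0000 0000 0004 amt=19.00",
]


def find_default_passwords(accounts, defaults=DEFAULT_PASSWORDS,
                           restaurant_name=RESTAURANT_NAME):
    """Item 2: return users whose password is a vendor default or is
    simply the start of the restaurant's name."""
    name_stem = re.sub(r"[^a-z]", "", restaurant_name.lower())
    flagged = []
    for acct in accounts:
        pw = acct["password"].lower()
        name_derived = len(pw) >= 4 and (name_stem.startswith(pw)
                                         or pw.startswith(name_stem[:5]))
        if pw in defaults or name_derived:
            flagged.append(acct["user"])
    return flagged


def find_shared_passwords(accounts):
    """Item 6: every person needs a unique credential; return groups of
    users who share one password."""
    by_pw = defaultdict(list)
    for acct in accounts:
        by_pw[acct["password"]].append(acct["user"])
    return [sorted(users) for users in by_pw.values() if len(users) > 1]


def luhn_valid(digits):
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_pan(pan):
    """Keep first six and last four digits, the usual truncated form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans_in_log(lines):
    """Item 3: report (line number, masked number) for every Luhn-valid
    card number stored in the clear."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    print("default/name passwords:", find_default_passwords(ACCOUNTS))
    print("shared passwords:", find_shared_passwords(ACCOUNTS))
    print("card numbers stored in clear:", find_pans_in_log(LOG_LINES))
```

Run against the constructed data it flags `posadmin`, `server1` and `server2` for weak passwords, the two servers for sharing one, and lines 1 and 4 of the log for holding full card numbers; the order reference on line 3 fails the Luhn check and is ignored. On a real system the same scan would be pointed at the POS database, spool and log directories the vendor documents, and anything it finds is data the operator should stop storing rather than merely mask.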

“Be aware of what you have to do,” advised Matthews. “View this as food safety. It’s risk management and risk mitigation for your business.”
