According to the most recent Verizon Data Breach Investigations Report, hackers are apparently spending a lot more time discovering the latest hip, trendy restaurants. But they are not spending money on artisanal cheeses, free-range chicken, or chickpea and orzo salad with Piquillo pepper vinaigrette. Nope. They are haunting quick-serve restaurants, local diners, franchises, pubs and taco stands—as well as high end eating establishments—looking for credit card information to steal. Visa reportsthat restaurants now account for 73% of the data breaches in the United States, up from 29% just 3 years ago.
Why do hackers have such a taste for the restaurant business? The answer is pretty simple—opportunity:
- Target Rich Environment. There are over 400,000 restaurants in the US alone, including quick serve (QSR), fast casual, fine dining, bars and pubs.
- High Yield. Ubiquitous credit cards account for the majority of the transactions at restaurants. With many small transactions, a single restaurant hack can provide a plethora of credit card numbers.
- Simplicity. The lack of dedicated IT personnel means most restaurant businesses have few security best practices in place. Multi-site businesses are especially appetizing, as their information networks will generally be configured the same from store to store.
Here are five of the most common ways hackers can eat into your network and access your sensitive data:
- Weak firewall defenses. Your firewall is the first line of defense against hackers, but a firewall that is not properly configured is only slightly better than no firewall at all. The most common mistakes:
- Weak, default or no passwords. The most commonly hacked password is “Password1.” Really? Please don’t make it easy for hackers!
- Default firewall settings. A firewall at default settings is completely open to allow full inbound and outbound access. A strong door is only good if it is locked. Lock down your firewall to allow only absolutely essential access.
- Non Business-class firewalls. Many small businesses will buy a small, inexpensive, residential-class firewall that is easily hacked and does not have enterprise class features. Make sure you implement a firewall that is robust enough to secure your business.
- Non-segmented networks. If your network is not segmented, that means that all Web-connected devices (POS, computer, security camera, DVR, etc.) can “talk” to each other like they are people talking together in the same room. By segmenting your network, you put groups of devices in separate rooms where they cannot talk. For example, if your POS systems are in one segment or room, and only allowed access to your payment processor, then they can’t talk to your DVR. If a hacker compromises your DVR, then at least he can’t get to your POS where credit card data passes.One very common mistake is putting public or customer WiFi on the same network as the POS system. This effectively allows a hacker sitting in the parking lot to hack in and install software for collecting your sensitive data.
- Outdated POS systems. POS systems that are not kept updated, or that use old technology, are a common source of entry for hackers. Your point-of-sale systems should encrypt credit card data at the point of swipe, then send that information directly to the payment processor, without first going through a back office computer (this is an important data safeguard). Also, your POS, at its current version, should be PCI PA-DSS compliant. If it is not, you are at risk of a breach.
- Unsecured remote access systems. Most restaurants have a need for systems to be accessed from the outside – managers need to access back office systems from home, vendors need access to systems for troubleshooting, etc. Access should be limited to secure methods like remote VPN, and passwords should be strong, not shared and changed regularly.
- Unaware employees. Employees often will not question an official looking person “servicing” your POS systems unless they have been trained to be skeptical. Would one of your employees pick up a USB drive left at a table and plug it into a computer to see what is on it? Set time aside on a regular basis to talk to employees about security best practices and areas of concern.
Hackers want to get into your restaurant’s information network so they can get their hands on your customers’ credit card data and other sensitive information. However, if you start with some basic security practices, layer on some internal education, and top it off with a little perseverance, you will have the recipe for continued success at keeping data thieves out of your business.
If the five action steps outlined above aren’t within your reach, you may want to consider partnering with a managed security service provider (MSSP) that specializes in taking the security burden off restaurants and other small- to mid-sized businesses. These external service providers can be much more affordable than you may think and can give you the peace of mind that your business is protected.
We’d be happy to help answer any questions you may have about securing your restaurant business. Just give ControlScan a call at 1-800-825-3301, ext. 2.