You might consider it a wake-up call. A data-hacking scheme recently targeted more than 100 Subway stores and stole more than $10 million from customer credit cards, putting the threat of data breaches back in the national spotlight and giving restaurants even more reason to pay attention to their network security.
Protecting a restaurant’s data—and its customers’ data—should be an operator’s top priority, especially given high-profile cases like Subway’s. Cyber crimes are on the rise nationally, and the restaurant industry is taking the brunt of the damage. More than half of all worldwide data breaches in 2011 occurred in the food and hospitality industries, according to Verizon’s 2012 Data Breach Investigations Report.
And hackers can take more than just information. The harm done by a breach is exponential, putting untold dents in customer perceptions and loyalty.
After working for several months to become PCI compliant in 2011, Brian Swann felt his restaurants’ networks were more secure. But he remains realistic about the threat of hackers. “I think, while we’re not in perfect shape, if somebody’s going to go after somebody, we’re not at the top of the list,” says Swann, director of information technology for C.R. Restaurants, which operates 29 Burger King stores and Cosi restaurants in Maryland and Pennsylvania.
C.R. Restaurants beefed up its cyber security by working with SecureConnect, a company that provides firewall service, security management, and PCI consultation. Mark Eicher, SecureConnect strategic account executive, says many restaurants don’t seek out such security help until a breach has already happened. “Unfortunately, the nature of the beast is that a lot of people aren’t really aware of how vulnerable they are until it’s a little too late,” Eicher says.
But restaurants, and franchise units in particular, are vulnerable to hacking, he says. While POS systems and remote-access desktop services are frequent targets, Eicher says technology as simple as in-store WiFi networks, DVRs, and digital menuboards can open restaurants up to security threats. “People just don’t understand how much risk they run into,” he says.
Some experts argue that restaurants and retailers should protect their data infrastructures, the pipelines that carry and store sensitive information. But others say the key is in protecting the data itself so it’s no use to hackers if they do find it.
Whatever solution operators choose, it’s clear that data protection requires a serious commitment, one that often needs expertise restaurants lack. Many security experts recommend brands look for outside help in managing their systems.
“[Hackers are] targeting these guys for a lot of different reasons, not the least of which is these are restaurants. They know how to make food; they don’t know a lot about security,” says Bob Russo, general manager of the PCI Security Standards Council, a nonprofit that establishes standards for all organizations that store, process, or transmit credit-card data.
While consumers often have no liability for credit-card data theft, merchants have a duty to protect that data, Russo says. “Consumers may walk away from dealing with a specific merchant if they feel like their security is being compromised by a restaurant not doing the proper things to make sure that information is secure,” he says.
He adds that the way hackers find their way into companies is often incredibly simple. POS systems, for example, are an easy target. Many are created in a cookie-cutter format, especially within multiunit systems.
Companies often maintain a standard administration login and password that’s entered by multiple users throughout the organization. Instead, users should have individual, hard-to-guess passwords, Russo says.
Remote desktop applications are also a common entry point for firewall breaches, as they allow IT or management staff remote access to individual machines from virtually anywhere. But that access comes with a price: vulnerability.
Companies should constantly patch holes in firewalls, making sure there’s no back-door entrance to the network, says Adam Bosnian, executive vice president of the Americas for Cyber-Ark Software, an information security company that protects organizations against insider and external threats.
Creating unique accounts and passwords for all users is key, he says, so you can limit who gets access to what. And operators should be cautious when handing out administrative or privileged accounts. “It’s one thing for the bad guy to get in,” he says. “It’s another thing to let the bad guy have free rein once he’s inside.”
Mark Bower, data protection expert and vice president of Voltage Security, which works with payment processors and merchants, says that just as retailers must plan for a certain amount of shoplifting in their stores, restaurants should assume a data breach will eventually happen. With that philosophy, it’s important to focus on protecting credit-card data through tools like encryption.
“You have to make sure you’re giving the attackers something they can’t do anything with,” Bower says. “When you do that, they go somewhere else.”
Companies like Voltage offer complex security management that can use encryption or tokenization, replacing credit-card numbers with proxy numbers that are virtually useless to outsiders. Bower says this allows operators to lose some of the headaches that come from the constant maintenance of protecting the data pipelines.
“Whether it’s small merchants or large merchants, they have an opportunity of taking the issue off the table,” he says. “It really allows quick-service restaurants to just get on with their business.”
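To make the tokenization idea concrete, here is an added Python illustration. It is not code from the article, from Voltage Security, or from any vendor's product; the vault, the index key, and the card number (an industry-standard test value) are constructed for the example. It shows what a store-side system keeps (a proxy number that fails the card-number checksum and cannot be charged) versus what only the separately protected vault can recover.

```python
"""Added tokenization example (not part of the original article or any vendor's product).
A card number (PAN) is swapped for a proxy token at the point of sale, so stores, logs and
reports never hold the real number; only the separately protected vault can map it back.
The card number used here is a constructed, industry-standard test value."""
import hmac
import hashlib
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Receipt-style masking: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical vault: the only component able to turn a token back into a PAN.

    Tokens keep the length and last four digits of the PAN so existing reports and
    lookups keep working, but the leading digits are random and the token is made
    deliberately Luhn-invalid, so it can never be mistaken for a usable card number.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key                   # secret used only to index by PAN
        self._token_to_pan: Dict[str, str] = {}
        self._index_to_token: Dict[str, str] = {}     # keyed by HMAC(PAN), not by PAN

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Issue (or re-use) the proxy token for a valid card number."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._index_to_token:               # same card -> same token
            return self._index_to_token[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # reject anything that happens to be Luhn-valid or was already issued
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment back end holding the vault should ever call this."""
        return self._token_to_pan[token]              # KeyError for unknown tokens


# Constructed test card number (a standard test PAN, not a real account).
TEST_PAN = "4111111111111111"


def demo() -> dict:
    """Run one tokenize/detokenize cycle and report what each side can see."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize(TEST_PAN)
    return {
        "token": token,
        "store_sees": mask_pan(token),
        "token_usable_as_card": luhn_valid(token),
        "round_trip_ok": vault.detokenize(token) == TEST_PAN,
        "stable": vault.tokenize(TEST_PAN) == token,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is separation: the store's database, its logs and its reporting tools only ever contain tokens, so a compromise there yields numbers that fail the checksum and cannot be charged, while the vault and its index key live behind the payment back end with their own access controls. That is what lets a merchant stop treating every in-store system as part of the cardholder-data pipeline.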