Some Tim Hortons locations had to close after a virus infected cash registers at potentially 1,000 stores. More than 160 Applebee’s restaurants found malware on their point of sale (POS) systems that could have captured guests’ names, credit or debit card numbers, expiration dates, and card verification codes. A data breach at a former supplier led to the leak of Domino’s customer data.

This rash of stories over the past six months underscores three truths: Your restaurant network is a gold mine of personal information about your customers, hackers know it and are doing their best to acquire it, and third-party vendors can compromise your ability to protect customer information.

If your vendors are connected to your network and the proper controls aren’t in place, that connection could be a pathway into your network for hackers, who could lock down your systems, prevent you from serving customers, and hold you for ransom or make off with your customers’ personal information.

But by rethinking your network security and thoroughly vetting third-party vendors, you can stay out of the headlines and keep customers—and yourself—safe. Here’s how. 

Vetting your vendors

How many third-party vendors work with and enter your restaurant daily? Most likely, you have vendors for your produce, electrical, cleaning services and more. And while you hire them based on factors like quality, customer service and so on, increasingly you need to take a look at their security practices as well.

As we’ve seen, many restaurants have suffered data breaches not because hackers penetrated their own systems, but because vendors were vulnerable. So if you’re hiring a third-party vendor that needs access to your network and data, make sure the following questions are part of your vetting process:

  • Does the vendor have a security program?
  • Does the vendor use firewall and security services to protect its business?
  • Is its security audited by any third-party companies? Can it send you reporting results of those tests?
  • Does it need to put equipment on your network? If so, what kind?
  • If the vendor is hacked, how will this affect your restaurant?

The first three questions will give you a sense of how seriously the company takes security. If it answers no to all three, that should be a huge red flag.

The fourth and fifth questions will help you understand what inroads into your network the vendor needs and how you can limit its access to your systems so that even if the vendor is compromised, your network and data remain safe (more on this below).

Vendor security should be one of your top priorities. It doesn’t matter how great the service or product is; if the vendor doesn’t make the grade, find someone else.

Strengthening your network

In addition to working with vendors that take security seriously, you should take a look at your network. By reviewing how your network is set up and taking the proper precautions, you can keep your systems secure even if a third-party vendor is attacked. There are three steps to implement.

  • Review the staples of security. Outfit your main office computer with antivirus protection and make sure it has the latest updates and patches. Add web filters to set standards for approved content and avoid malicious sites. Use firewalls.
  • Police your Wi-Fi. Open Wi-Fi networks are a beacon for hackers, who can sit and monitor the information passing back and forth and steal bits along the way. Lock down your network with a password and be selective about who can access it—any compromised devices using the network could be a threat. Create a guest portal for employees or customers so they’re not on the same network as your POS systems.
  • Segment your network. By blocking off areas of the network, you not only make it harder for malware to spread, but you can limit different users to only the parts of the network they need. If you segment your network correctly, you can keep business information (like POS transactions) inaccessible to third-party vendors.
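One way to check the segmentation step is to audit the firewall rule list for any path from the vendor or guest segments into the POS segment. The sketch below is an added example, not part of the original article; the segment names, subnets and rule format are constructed for illustration. It assumes a simplified first-match, default-deny rule model that looks at addresses only, not ports.

```python
import ipaddress

# Constructed segments (assumed addressing, not from the article).
SEGMENTS = {
    "pos":    ipaddress.ip_network("10.10.10.0/24"),
    "office": ipaddress.ip_network("10.10.20.0/24"),
    "vendor": ipaddress.ip_network("10.10.30.0/24"),
    "guest":  ipaddress.ip_network("10.10.40.0/24"),
}
UNTRUSTED = ("vendor", "guest")

# Rules are (action, source CIDR, destination CIDR), evaluated top-down.
FLAT = [("allow", "10.10.0.0/16", "0.0.0.0/0")]      # one flat network
SEGMENTED = [
    ("deny",  "10.10.30.0/24", "10.10.10.0/24"),     # vendor -> POS blocked
    ("deny",  "10.10.40.0/24", "10.10.10.0/24"),     # guest  -> POS blocked
    ("allow", "10.10.20.0/24", "10.10.10.0/24"),     # office -> POS
    ("allow", "10.10.0.0/16",  "0.0.0.0/0"),         # everything else
]
# Same rules, but the broad allow sits first and shadows the denies.
MISORDERED = [SEGMENTED[3]] + SEGMENTED[:3]

def reachable(rules, src_seg, dst_seg):
    """True if some traffic from src_seg to dst_seg may be allowed.

    Conservative: an allow that overlaps the pair at all is reported,
    even if earlier partial denies already cover that traffic.
    """
    src, dst = SEGMENTS[src_seg], SEGMENTS[dst_seg]
    for action, rule_src, rule_dst in rules:
        rs = ipaddress.ip_network(rule_src)
        rd = ipaddress.ip_network(rule_dst)
        if not (rs.overlaps(src) and rd.overlaps(dst)):
            continue                      # rule does not touch this pair
        if action == "allow":
            return True
        if src.subnet_of(rs) and dst.subnet_of(rd):
            return False                  # deny covers the whole pair
    return False                          # default deny

def audit(rules):
    """List the untrusted segments that can still reach the POS segment."""
    return [seg for seg in UNTRUSTED if reachable(rules, seg, "pos")]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED),
                        ("misordered", MISORDERED)):
        print(name, "-> POS reachable from:", audit(rules) or "none")
```

The misordered rule list contains the same deny rules as the segmented one, yet both untrusted segments still reach the POS segment because the broad allow matches first.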

Don’t become the next victim

Cyberattacks on restaurants are all too common. But you can avoid becoming a victim by making sure all the basic security measures are in place; checking security as part of vetting any vendor; policing access to your network among employees, customers and third parties; and segmenting your network to contain any damage if you’re attacked.

Your customers entrust you with their sensitive personal data and money – in exchange for both, they expect to receive your services while retaining their privacy. In the end, protecting your customers’ data is protecting yourself and ensures recurrent patronage to your restaurant.

Asher de Metz is senior manager of security consulting at Sungard Availability Services, conducting penetration tests and security assessments for U.S.-based clients, helping them identify risks and secure their systems in order to avoid hacking attacks. With 20 years of experience, Asher has been involved in hundreds of IT-security projects and has provided security counsel to some of the largest companies throughout the U.K., Europe, Middle East and North America.