Quick-service restaurants have been the birthplace of endless inventions and applications of new technology, all designed to improve the product and customer experience. Today, these technologies are internet-connected and fall under the term “operational technology” (OT). From drive-thru windows, audio communication systems, and the milkshake machines we grew up with to the automated and online experiences we are enjoying now, quick-serves develop and implement OT at a rate that seems to be outpacing their ability to meet the new cybersecurity challenges they face.
Security gives us all the freedom to do new and better things. Entrepreneurs should be free to adopt innovations as soon as they like without worrying about risk and liability. Business owners already understand the benefits of tech in their restaurants. Many quick-service restaurants that are franchised or part of a chain rely on OT. Beyond the point of sale system, there are self-order stations, online order reception, in-store displays and in-store audio, order management systems and terminals, as well as machines used to make food, such as soft serve ice cream machines.
Attempting new things always brings new risks, but with proper security, we can safely move ahead. With an understanding of the risks, businesses can safely stay on the forefront of their industry and one step ahead of cyber attackers. It is also important to understand the strategies for mitigating and avoiding these risks. While frameworks such as the CIS 20, a set of practices and protocols recommended by the Center for Internet Security, are likely part of cybersecurity planning at businesses with many of the same risks as quick-serves, banks for example, restaurants are often lumped in with the least likely targets for cyberattack. This passive defense stance, however, is just one of the many reasons quick-service restaurants are appealing targets for crime. Many of the risks and associated recommendations map directly to the CIS 20 controls, which collectively make up a holistic cyber defense strategy. Below are common risks for quick-service restaurants and the CIS controls to consider for mitigating those risks.
The Human Factor (Your Employees)
Employees, through intentional malfeasance or unintentional bad action, will always be a large source of vulnerability and risk for your business’ cybersecurity. Just as your employees must be educated and trained to recognize and defend your business against con artists and change scams, theft, and property damage, they must also be educated to avoid social engineering attempts online, trained not to post business-sensitive information or pictures to social media, and taught to practice safe use of all of the company’s online devices. A large-scale cyberattack on Chipotle originated through the phishing of an employee. High turnover may make training difficult, but it should be considered as important as food safety and other protocols. Intentional malpractice by an employee is always a concern, and this is one of the many reasons why it is important to be running detection on your network. You should also have documented policies in place and in action for account management and access control management. No employee should share account credentials or use a device while it is logged in as someone else. If possible, multi-factor authentication should be put into place, at least for any accounts with administrative power.
CIS Controls to Consider:
CIS Control 6: Access Control Management
CIS Control 5: Account Management
CIS Control 14: Security Awareness and Skills Training
Divide and Conquer
While managing multiple networks does not seem the kind of thing a restaurant executive would have to do, most restaurants already have more than one network in operation. Properly segmenting and separating your network is vital to protection, as well as doing much to aid in detection efforts on your network. Awareness and understanding of the risks for different types of network uses allows you to organize and build your network operation from a secure place.
Most restaurants will likely have two networks, at the very least. A public, guest network for guests to access via WiFi, and a private network for business use. It is a good practice, however, to consider further segmentation of your private business network, in order to isolate sensitive systems and prevent full access. For example, any of your physical security and access devices, like closed circuit cameras or door ID scanners should be segmented. Any internet-connected devices, including HVAC systems, should be on their own network.
Many restaurants offer WiFi access to guests. This is another place where access control should be managed and this traffic should be monitored. While public WiFi networks can be allowed to “broadcast,” internal employee networks should be obscured in order to discourage attempted access.
CIS Controls to Consider:
CIS Control 12: Network Infrastructure Management
Seeing What’s Happening on Your Network
One way to cut down on a cyberattack’s effects on your business is to catch it early. Dwell time, or the time that hackers have access to a network before they are discovered, is high across all industries, but can be especially high in restaurants, where there is a lack of detection and control over network traffic. This means that attacks last weeks, if not months, before they are stopped. In the case of an attack on Huddle House, the company was not even able to detect the attack itself, and was only made aware of a breach after being approached by law enforcement, who had received complaints from affected customers. This actually opened the company up to further litigation. Establishing proper cybersecurity controls, like detection, can also protect you if a breach occurs and there is a question of liability.
CIS Controls to Consider:
CIS Control 13: Network Monitoring and Defense
Know and Understand Your Tech
After several high-profile attacks on credit card swipers at POS systems in quick-serves, many credit card companies and businesses that accept cards have moved to using cards with chips, thought to be more secure. Innovations in security, however, always lead to innovations in crime. New vulnerabilities are found. A cyberattack on Wendy’s was still able to access the POS and credit card information even though EMV chip cards had been implemented. All technology that is in use, hardware and software, should be inventoried and documented at your business. This helps manage access, as well as manage updating, which is crucial to security. This information will also be vital to your detection effort, allowing you to make sure you are pulling all available data, as well as to any forensic effort should a breach occur. You should also be inventorying and controlling your vendors and other third parties, as they are a frequent source of vulnerability and breach.
CIS Controls to Consider:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
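The segmentation advice above (guest, business/POS, physical security, and internet-connected devices each on their own network) and the asset inventory advice in this section come together in a simple reconciliation check. The following is an added example, not code from the article or from onShore Security: it compares a constructed device inventory for one location against constructed DHCP lease lines and flags unknown devices on non-guest segments, inventoried devices that show up on the wrong segment, and inventoried devices that are not seen at all. The VLAN layout, device names, MAC and IP addresses are all assumptions made up for illustration.

```python
import re

# Documented inventory (constructed): device name -> (MAC, segment it belongs on)
INVENTORY = {
    "pos-terminal-1":  ("aa:bb:cc:00:00:01", "pos"),
    "pos-terminal-2":  ("aa:bb:cc:00:00:02", "pos"),
    "order-kiosk-1":   ("aa:bb:cc:00:00:10", "pos"),
    "cctv-nvr":        ("aa:bb:cc:00:00:20", "physsec"),
    "door-reader":     ("aa:bb:cc:00:00:21", "physsec"),
    "hvac-controller": ("aa:bb:cc:00:00:30", "iot"),
}
# VLAN id -> segment name; an assumed layout, not a real site's configuration
VLANS = {10: "guest", 20: "pos", 30: "physsec", 40: "iot"}

# Constructed DHCP lease export, one lease per line
SAMPLE_LEASES = """\
vlan=20 mac=aa:bb:cc:00:00:01 ip=10.20.0.11
vlan=20 mac=aa:bb:cc:00:00:02 ip=10.20.0.12
vlan=20 mac=aa:bb:cc:00:00:21 ip=10.20.0.40
vlan=20 mac=de:ad:be:ef:00:99 ip=10.20.0.77
vlan=10 mac=12:34:56:78:9a:bc ip=10.10.0.5
vlan=40 mac=aa:bb:cc:00:00:30 ip=10.40.0.2
"""
LEASE_RE = re.compile(r"vlan=(\d+)\s+mac=([0-9A-Fa-f:]{17})\s+ip=(\S+)")


def reconcile(lease_text: str) -> dict:
    """Compare observed leases with the inventory and return three findings:
    unknown devices on non-guest segments, inventoried devices seen on the
    wrong segment, and inventoried devices not seen at all."""
    by_mac = {mac: (name, seg) for name, (mac, seg) in INVENTORY.items()}
    findings = {"unknown": [], "wrong_segment": [], "missing": []}
    seen = set()
    for m in LEASE_RE.finditer(lease_text):
        vlan, mac, ip = int(m.group(1)), m.group(2).lower(), m.group(3)
        segment = VLANS.get(vlan, f"vlan{vlan}")
        if mac not in by_mac:
            # Guest WiFi is expected to carry strangers; anywhere else it is a finding
            if segment != "guest":
                findings["unknown"].append((mac, ip, segment))
            continue
        name, expected = by_mac[mac]
        seen.add(mac)
        if segment != expected:
            # A physical-security or IoT device on the POS segment breaks segmentation
            findings["wrong_segment"].append((name, segment, expected))
    findings["missing"] = sorted(n for n, (mac, _) in INVENTORY.items() if mac not in seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_LEASES).items():
        print(kind, items)
```

In the constructed data the door reader appears on the POS segment and an undocumented device has a POS lease, which are exactly the conditions the article's detection and segmentation advice is meant to surface.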
Continue to Grow Safely
Cybersecurity for quick-service restaurants will continue to be a growing area of concern as new technologies are developed and implemented, especially if technology is implemented to deal with a crisis, such as online ordering and self-service kiosks in order to allow for social distancing and COVID-19 safety measures. The lessons learned in the restaurant business can and do change the way the rest of the world does business, and there is no reason for brands to stop leading the way. With knowledge and preparation, you are free to do and be the next big thing.
Internationally recognized security thought leader Stel Valavanis leads a team of Cybersecurity’s most trusted experts as CEO and Founder of onShore Security. The Chicago-headquartered managed security firm is relied upon by top tier organizations across a variety of highly regulated and information sensitive sectors including financial services, healthcare, government, global construction, and manufacturing.