Briton Smetzer, director of IT operations at Dallas-based Fuzzy’s Taco Shop, recently received a message no tech professional wants to see. It was an intrusion alert, meaning something strange could be happening inside the company’s network.
Smetzer knew that restaurants, including quick serves and fast casuals, are appealing targets for cyber criminals. Per Fuzzy’s plan for such a scenario, he immediately called Cradlepoint, the brand’s security partner specializing in network solutions. Shortly after, a Cradlepoint engineer told him the alert was a false positive. The only strange thing happening was a Windows update.
“Wendy’s has had two waves of attacks over the span of an entire year, and they’re just now catching up,” Smetzer says in reference to the burger giant’s security breaches. “I was able to get clarification on an intrusion in six hours. The Cradlepoint support is tremendous.”
When it comes to cyber security, “the best defense is an aggressive offense,” says Collin Hite, leader of the insurance recovery group at Hirschler Fleischer law firm in Virginia. Having partners and plans in place, like Smetzer did, can enable restaurants to learn the facts promptly in the event of a data breach. Fast knowledge and fast responses can mean big savings, as well as less PR damage.
“If you don’t properly handle a response in the first 72 hours, the cost of responding is at least three times higher,” Hite says.
Technological developments have improved restaurant operations in myriad ways, but they have also created new opportunities for cyber criminals. Ten years ago, hackers had to be highly skilled with computers and had to possess expensive, specialized equipment to pull off a data breach, Hite says. Today, practically anyone can buy credit-card information off the Internet. The increased data access points—such as online reservation apps, loyalty apps, and WiFi service—only make it easier for criminals looking to breach restaurants.
Restaurants are high-value targets that tend to be behind the curve on cyber security, Hite says, which makes them especially vulnerable. Restaurants deal with a large number of credit-card transactions daily; have high employee turnover, granting a great deal of people to have access to passwords and data; and have many access points.
While restaurants have been good about implementing new operational technologies that save money, many have ignored the need for cyber security. Independent restaurants often think they’re too small for a criminal to notice, but Hite says this is not the case. In addition to getting credit-card information, a thief can buy “ransomware” online for next to nothing, hack a small restaurant’s network and infect it, and then hold the restaurant network hostage until the operator provides a specified sum.
Large or national chains are harder for amateurs to hack but can have huge payoffs in data information for experts. And just because a restaurant chain has a strong security system doesn’t mean that all their third-party partners do. The Wendy’s breach happened when criminals were able to access one of its vendors’ networks.
A similar thing happened to Target in 2013. It served as a wakeup call for the retail industry. Hite hopes the Wendy’s breach will do the same for restaurants.
Different types and sizes of restaurants will need different cyber-security elements. Brad Lowry is a Jimmy John’s franchisee, the cofounder and head of the Jimmy John’s Franchisee Association, and CEO of Lowry & Associates, a franchisee-focused auditing service. Lowry thinks operators must first understand their Payment Card Industry Data Security Standard (pci dss) compliance requirements.
All businesses that take credit cards are required to be PCI compliant. Someone who owns 50 stores will have different requirements than someone who owns four.
Regardless of PCI compliance level, Hite recommends that restaurants follow the National Institute of Standards and Technology’s five-point Contingency Planning Guide, which has been endorsed by the National Restaurant Association. Taking the first three steps before a breach occurs is necessary to ensure a timely and correct response.
“First, identify what data assets you have and what the risks are of exposure of them,” Hite says. “Second, implement a plan of protection. You want to come up with policies and procedures. That’s the stage where you consider cyber insurance, as well as other legal risk management techniques. That’s where you deal with third-party vendors.”
Step three involves working with the selected security provider to develop processes that detect breaches. The fourth step, which only occurs in the event of a breach, is to implement the plan. At this point, it is critical to know whom to contact and have people assigned to make decisions in case a team member can’t be reached. Data breaches always come to light at busy times, like the Saturday of Labor Day weekend, Hite says.
In the case of a breach, Hite recommends operators talk to their cyber security lawyer first so attorney-client privilege is in place from the beginning of the response. Talking to a lawyer can also ensure that notification laws for separate states are met. For example, a breached restaurant in Virginia that served a customer from Ohio might have to follow Ohio’s notification laws for that customer.
These steps, which are essential to a strong offense, require significant research and may have different focuses. For example, when identifying their data assets (step one), a restaurant using a service like Seamless would need to be aware of Seamless’s policies. Often, Hite says, cloud-based services try to disclaim any responsibility for the data because, according to their contracts, it belongs to the restaurant. This awareness could be important in preventing or at least quickly responding to a breach like Wendy’s, which involved a third-party vendor.
Part of developing a strong response plan (step two) is consulting with third-party security providers and perhaps buying insurance. Fuzzy’s, which is growing rapidly, was frustrated with network outages and trying to maintain consistent security measures across hundreds of stores, Smetzer says. It turned to Cradlepoint and found an affordable system that, from one central management location, could provide it with 99.99 percent uptime (time during which the system is operational), a standardized firewall protector for all of its stores, and documentation of all PCI-compliance actions.
Fuzzy’s extends such data protection to its customers, too. “We protect the guests in many shapes and forms,” Smetzer says. “Not only do we protect the guests with the way the credit cards are passed through the network, [but] we protect from breaches from the WiFi, as well.”
In Lowry’s case, he took the matter of cyber security into his own hands. Jimmy John’s suffered a credit-card breach in 2014, and the company implemented a cyber security plan. But it was overkill for his own small group of Cincinnati franchises, Lowry says. It had more pieces of equipment than he needed, including EMV chip readers. “Chip readers protect the credit-card companies from fraud and … push more liability back onto the franchisees,” he says. “Right now, we all eat chargebacks because you can’t dispute them. You have to have overwhelming proof that the person bought that food, and that doesn’t happen.”
After much research, Lowry found NuArx, a managed payment and security provider. NuArx provided a firewall in its router and also offered network security, monitoring, and consistent connection.
“It works with every Jimmy John’s in the system because it works with every system you could have,” Lowry says. “We are able to protect our systems with no interference in the way we do business.”
Step two is also when restaurateurs should consider buying cyber insurance—or, as Hite and other industry experts call it, the “Wild West of insurance.”
Cyber insurance policies are among the most complex and have no uniformity, so Hite warns against blindly tacking cyber insurance onto a standard policy without having an attorney view it for gaps.
“I just reviewed a policy that had 57 separate definitions for things like computer network and computer systems,” Hite says. “That’s where the ‘gotcha’ comes in. Definitions can become exclusions because they define things in ways that take away coverage.”
Hite recalls a data breach at P.F. Chang’s, in which the restaurant had purchased insurance but found huge gaps upon trying to use it. P.F. Chang’s sued and appealed, but at press time, the courts have ruled in favor of the insurance company.
Insurance can still be important, because even with the best security providers and plans, human error can wreak havoc. Employee error or maliciousness is usually the No. 1 or 2 cause of a data breach, Hite says. Employees are often trying to be efficient, but writing passwords on Post-Its and logging in for a coworker who’s in a hurry can open the door for danger. Keeping a data cabinet with routers, modems, and other technologies locked is essential, Lowry says.
Because of human error, it is impossible to protect a company 100 percent from cyber threats. “Therefore,” Lowry says, “any franchise operator should surround themselves with those experts for when [or] if that bad day does happen.”