Online security company Norton defines a data breach as “a security incident in which information is accessed without authorization.” For restaurants, that might mean business data, employee data, or guest data. No matter who’s affected, it’s a potential disaster.
In the past decade, restaurant chains from coast to coast including P.F. Chang’s and Chipotle have experienced significant data breaches. A recent IBM report concludes that hospitality-industry data breaches cost an average of $3.03 million each. That’s real damage.
It’s not just big operators who are at risk. Nearly half of cyber-attacks are aimed at small businesses. Consumers don’t just view a data breach as a failure to protect their information. They see it as a violation of an implicit trust between themselves and their trusted vendors. They blame companies for making it possible for criminals to commit illegal acts and they take their business someplace where they feel safer.
60% of small companies go out of business after a cyber attack. Any restaurant owner or operator must be proactive about keeping their data safe. Do you know the steps to take?
In 2017, the National Restaurant Association published a Digital Security 101 guide for restaurants. That initial publication was revised and reissued in 2020, along with a more in-depth 201-level guide. The Association recommends five steps:
Begin by taking a good look at the way that you handle customer data and asking yourself a few hard questions:
Are you using the same methods that you put in place years ago?
Chances are that you’ve upgraded your phone, laptop, and website in the past few years – even your television has likely changed to keep up with the times. Similarly, POS and other systems that were good enough once upon a time are probably no longer secure.
Where are the weaknesses in your system?
While malicious system hacks tend to get the lion’s share of media attention, the fact is that 90% of data breaches are directly attributable to human error. A good manager understands all aspects of the systems at their business, if not at an expert level, at least well enough to operate them skillfully and detect problems before they reach crisis level.
Do you need outside help?
You’ve worked hard to build your brand. Hiring an IT specialist to examine the ways that you’re handling data might cost a bit, but the expense will be justified if you prevent a PR nightmare and long-term damage to your reputation.
You’ve got to be proactive about protecting business, employee, and customer information. Here are ten tips to keep in mind:
- Keep all software up to date. Run updates and apply patches. Use secure passwords (nothing factory set or easy to guess!) and properly lock down your Wi-Fi network.
- Establish company policies and employee processes to protect customer data along with protocols to ensure they are followed.
- Experts emphasize the need for restaurants to use PCI (Payment Card Industry)-certified point-to-point encryption (P2PE). Are you in compliance?
- Restrict employees’ use of personal devices and remote access to business systems.
- Limit the number of employees who have access to data. Run background checks on new hires who will use sensitive information in their work.
- Keep track of who accesses your systems, when, and for how long.
- Change passwords often, especially after employee turnover.
- Ensure that data flows from end to end of your system in as few steps as possible.
- Even businesses can fall prey to “phishing.” Verify all requests for information with your bank or trusted vendor.
- Stay one step ahead of the bad guys. Read industry publications and other sources to learn about their latest scams and tools.
An IBM report determined that it took an average of 287 days for organizations to spot and resolve a data breach. Just like the rest of your business, once your end-to-end network is established, you’ve got to keep an eye on it. The sooner you identify a problem, the sooner you can begin to respond to it.
Factors including high staff turnover and reliance on electronic payments make restaurants particularly vulnerable to cybercrime. Toast reports that 88% of restaurant transactions are paid by credit card. Every single one of those transactions represents a potential vulnerability. What can you do to reduce risk?
- Monitor activity regularly to detect possible problems.
- Delete credentials assigned to former staff members and make sure that current employees are using two-step authentication.
- Disable dormant customer accounts.
- Encrypt data where possible.
- Train employees in best practices.
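The three access-control items above (track who logs in and when, remove former staff credentials, disable dormant accounts) can be checked mechanically against a login log. The script below is an added example, not from the Association's guide or any POS vendor; the roster, the log lines and the 60-day dormancy threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed staff roster: username -> last day of employment (None = still employed).
ROSTER = {
    "alice": None,
    "bob": "2024-03-15",   # left in March; account was never removed
    "carol": None,
    "dave": None,
}

# Constructed back-office login log, one "timestamp user action" event per line.
ACCESS_LOG = """\
2024-04-01T09:12:00 alice login
2024-04-02T18:40:00 bob login
2024-04-03T11:05:00 carol login
2024-01-20T10:00:00 dave login
"""

def parse_log(text):
    """Turn the log text into (timestamp, user, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action = line.split()
        events.append((datetime.fromisoformat(ts), user, action))
    return events

def audit_accounts(roster, events, now, dormant_days=60):
    """Flag logins by former staff after their last day, logins by accounts
    not on the roster, and active accounts unused for dormant_days or more."""
    last_seen = {}
    findings = []
    for ts, user, action in events:
        if action != "login":
            continue
        last_seen[user] = max(ts, last_seen.get(user, ts))
        if user not in roster:
            findings.append(("unknown_account", user, ts.date().isoformat()))
        elif roster[user] and ts > datetime.fromisoformat(roster[user]):
            findings.append(("former_staff_login", user, ts.date().isoformat()))
    for user, last_day in roster.items():
        if last_day:
            continue  # already left; covered by the check above
        seen = last_seen.get(user)
        if seen is None or now - seen >= timedelta(days=dormant_days):
            findings.append(("dormant_account", user, seen.date().isoformat() if seen else "never"))
    return findings

def run_audit():
    """Run the audit over the constructed data as of 10 April 2024."""
    return audit_accounts(ROSTER, parse_log(ACCESS_LOG), datetime(2024, 4, 10))

if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run it regularly (weekly is a reasonable starting point) and feed it the real roster from payroll so terminations are caught without relying on memory.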
The time to figure out how to respond to a security breach is before one occurs. Should a problem occur, being prepared with a plan will enable you to shorten response time, limiting loss and mitigating the damage to your reputation.
If you are the victim of a cybercrime, notify the authorities immediately. Notify your financial institution and insurance provider. They have experts who will be able to assist you. Contact any customers or staff members who might be affected and offer to support them through the challenge.
If, despite all of your efforts, the worst occurs and your data is compromised, you’re going to need to manage community perception of the event. You may not be responsible for the event, but you need to be accountable. Be transparent in your communications. Explain how the breach occurred, what you’re doing to work with customers who were affected, and the steps that you’re taking to ensure that the problem doesn’t occur again.
As a franchise owner, how can you ensure procedures are being done properly and consistently across all your locations? Learn how in our latest ebook “How to Achieve Operational Consistency Across All Stores.”