Cyber criminals are targeting POS systems. Here’s how you can protect yourself.
By Susan Chenery
Last year, the US burger chain Wendy’s was targeted in a series of massive cyber attacks. Because the franchises are all run on one system, the “highly sophisticated, criminal attacks” that went on for several months affected 1,025 of its restaurants across the country. The attacks, in which the debit and credit card information of its customers was stolen, were made by malware—malicious software—being installed on point-of-sale systems in the affected locations. Customers began reporting fraudulent activity on their credit cards.
“It did make a fairly big dent in Wendy’s reputation,” says Andrew Faber, branch manager for Parramatta at Arthur J Gallagher, the appointed insurer for the restaurant and catering industry. “Our role as a broker is to work with members to advise them of these risks.”
The risk of cyber attacks and security breaches is a critical concern for restaurant executives, says Deloitte, the financial advisory services company.
The company has warned that technological innovations—making reservations on mobile phones, table-side technology, kiosks and food delivery—are creating security vulnerabilities at points of sale. Deloitte reported that “Restaurants access data through companies that provide these platforms and may not have knowledge of how their data is securely stored, segregated, and transmitted.”
It pointed to “an ever-increasing number of third parties that interact with customers.”
Cyber criminals know that restaurants process millions of credit card transactions annually, capturing sensitive data from customers, which may make them prime targets.
“If you have got systems that hold and store credit-card data, that is an exposure for a business,” says Faber. “People [are] walking around scanning credit cards at the table. There is a wireless system that is picking up that data and transferring that data. You have got a potential breach there. With so many businesses offering free wi-fi, just getting a modem and plugging it in and putting a daily password in it, those plug-and-play systems are not built to withstand a professional attack.”
He says, “it is quite hard to quantify the reputational impact on a business that gets in the news because credit cards are not secure if you go to this restaurant. Part of any risk-management plan should be having a strong, robust data-security program in place. Most restaurateurs don’t realise how dependent they are on technology. They think the money is made by cooking food in my kitchen. But if you can’t make bookings, online is down, then that is all going to have a flow-on effect into how many customers you get placing orders. You will still be able to cook your meals, but you may not have customers to cook for.”
Cyber attacks can come in the form of ransomware, which will take control of your system until a sum of money is paid. The attackers threaten to start deleting data or releasing your information. “So if that happened to be at four o’clock on a Friday afternoon leading into the busy trade period,” says Faber, the cyber criminals “will say, ‘We now control your point of sale, your entire software activity, unless you pay us.’” Even if you have an insurance policy and a dedicated hotline to computer experts, they will often advise you to pay it. There is very little the police can do because these people are operating out of Russia or Nigeria and outside Australian jurisdiction.
Or there can be a lone hacker at home, who can do a lot of damage. Someone who wasn’t happy with their meal, perhaps. “It is online vandalism,” says Faber. “Instead of throwing rocks through windows, they might hack and take down or get into the menu log and online ordering system and post derogatory, inflammatory comments through the system so it appears that the restaurant itself is saying certain things or making certain comments online.” Faber believes this can result in loss of reputation, loss of income, loss of revenue, loss of clients. “What is the impact to your business if someone were to take away your rating on Menulog or Google ranking? If you disappear off that Google front page, customers will just go to the next one off the Menulog.”
It can be very expensive to get an expert to recode and reload all your data. “The average loss to business in Australia is $180,000, not just the initial attack but the loss of income as a result,” says Faber, who believes it is worth engaging digital and computer security system experts to come in and review the business, and working with the banks and the providers of the software and hardware being used. “Have strong staff security policies and procedures around the hardware and software. Make sure the staff are aware of what they need to do to make the access minimal, in the same way that you tell your staff to lock up the building [and turn on the] security alarm.”
Make sure your antivirus software is up to date, that there is firewall encryption on the servers and password protection. Do regular backups, or back up with a USB stick that can be taken off the premises.
While most restaurants are insured for burglary and contents, less than one per cent are insured for cyber crime, which is far more likely to happen, according to Faber.
“It is something [restaurateurs] should absolutely be considering, to work out what their exposure is and what is the cost benefit of having the insurance program,” he says. Particularly “if you are a business that is heavily dependent on a mature, web-based profile and you are heavily dependent on electronic point of sale and an integrated computer system. Because if you take away either of those things it could get very costly. And for the couple of grand it might cost to cover the insurance, you get paid back in truck loads if you do have a claim.”