Cyber Risks for Restaurants

While all industries are susceptible to a cyber attack, where data is involved, the cyber risks for restaurants are particularly vast. The combination of new technology, ever-changing business relationships, and high volumes of credit card transactions, sets the stage for small businesses to encounter both financial and reputational losses. From business interruption to fines, notification monitoring, loss of customer faith, and even legal penalties can lead to astronomical losses. As part of completing his Certified Cyber Insurance Specialist (CCIS) training, Nicholas Coppola has delved into and analyzed the cybersecurity risks in the restaurant industry.  

Uninformed Employees are the Biggest Cyber Security Risk

The biggest cyber security risk in the restaurant industry is uninformed, low-tech employees. Due to the fact that restaurants are always looking for competitive advantages and the addition of new technologies, it is highly likely that low-tech people are unable to be cyber-aware in such a setting. In other words, the staff conducting the business of restaurant operations, in a high-stress environment, are not going to necessarily notice a threat and this is a problem. A threat will likely come in the form of identity theft, fraudulent ordering, and compromised IoT credit card processing making internal actors the most dangerous.

Common Attack Vectors for  Restaurants 

A threat will likely come in the form of identity theft, fraudulent ordering, and compromised IoT credit card processing. While owners in the restaurant industry might be as susceptible to a phishing exploit, the modularity, tech vendors, the use of third-party apps, and the IoT devices in a setting where the public is both front and center in conjunction with high employee turnover rate and low pay, expands the options for where and how a threat actor might gain access. It is possible that a targeted attack might seek to compromise a restaurant’s reputation by impacting ingredient levels and reordering, altering recipes (if stored digitally), or simply overloading the system with bogus orders. This might be a concern for larger restaurant chains. For example, on August 2, 2017, Panera was notified that its delivery portal was “leaking” data. The web service used by the restaurant was accessed and could be manipulated. The breach took at least eight months to resolve resulting in the exposure of data and loyalty information of potentially 37 million records. 

In conclusion, the cyber security risk in the restaurant industry is never-ending. The drive to grow a restaurant’s business and reduce overhead through technology, partnerships with 3rd party apps, tabletop payment solutions, and more, needs to be balanced with increased cyber security. The restaurant industry often depends on low-paid, low-tech staff, creating an attack surface that is going to be ever-changing and challenging to manage. The cost could be high and convincing this industry to invest in cybersecurity is extremely challenging despite its importance.