While it may seem that the cybersecurity menu has too many choices to know where to start, there are basic cybersecurity protections that every company in the restaurant industry, regardless of size, should have in place. Ironically, when GBQ conducts cybersecurity risk assessments, our findings often identify that these basic building blocks are missing.
Must-Have Basics
In no particular order, we consider the following safeguards as essential. Your cyber liability insurance carrier likely agrees with us!
Employee Training: Educate employees on cybersecurity risks and best practices to create a security-conscious culture within the organization. Include self-phishing testing as a part of your training program to train employees to recognize and avoid phishing attempts, a common method cybercriminals use to gain unauthorized access to sensitive information. Fake phishing messages that look real are sent to employees to help them learn to identify and report real phishing messages. A service like KnowBe4 provides both web-based training and self-phishing capabilities.
Strong Passwords and Authentication: We lock our homes and cars to protect our valuable things. We need to have the same approach with our digital valuables. Require employees to use unique passwords and implement multi-factor authentication (MFA) for added security. GBQ strongly recommends the following password policy recommendations:
|
Without MFA |
With MFA |
Administration Account |
Microsoft 365 |
|
| Multi-factor Authentication | — | Required | Required | Enforce registration for multi-factor authentication and enable risk-based multi-factor authentication challenges |
| Min Password Length | 6 or more | 12 or more | 16 or more | 12 or more |
| Password Complexity | Required | Required | Required | Required |
| Max Password Age | 90 days | 180 days | 180 days | 180 days |
| Min Password Age | 5 days | 5 days | 5 days | 5 days |
| Password History | 10 passwords | 10 passwords | 10 passwords | 10 passwords |
| Lockout | 3 attempts | 5 attempts | 5 attempts | 5 attempts |
| Lockout Duration | 0 minutes (require admin to unlock) | 30 minutes | 30 minutes | 30 minutes |
| Use of Password Policy Tool / Filter / Password Dictionary (e.g., nFront) | Recommend | Recommend | Recommend | Recommend |
Someday, someone on your team is going to make a mistake. The systems your team works on must be secure to reduce that mistake’s impact. Though there are many things to be done to protect work on computers properly, two must-haves are keeping systems patched and implementing antivirus software.
Patch Systems: Ensure your IT program has a consistent process of keeping systems up to date. They should have a regular cadence of patching Microsoft products as well as third-party applications on your company computers. Ideally, they should be using vulnerability scanning technology to identify vulnerable systems that might be at risk. It is recommended for management to ask their IT department or managed service to provide those scan results as a way to have oversight of the process.
Protect Your Endpoints: Endpoint protection software includes antivirus, anti-malware, and potentially advanced threat protection solutions that work together to protect the network and individual devices.
Beyond the endpoints, the entire environment needs to be protected, too.
Firewalls: Firewalls are a critical component of cybersecurity. They act as a barrier between the internal network and external networks, filtering both incoming and outgoing traffic to prevent unauthorized access and cyber threats. Firewalls should be up to date and patched regularly as well.
Data Protection: Implement measures such as regular data backups and encryption to protect customer, financial, operating and employee data. We recommend a 3-2-1 backup strategy for data protection. A 3-2-1 strategy means you keep three copies of your data, using two different media types for the backups and ensuring that at least one copy is stored off-site. This method is designed to provide a robust safeguard against data loss due to various risks such as hardware failure, natural disasters, or accidental deletion. Secure backups are the last line of defense against a ransomware attack.
While training and crucial technical controls go a long way toward protecting a company, many find that is not enough to give true protection or provide peace of mind. The basics of a more formal risk management and cybersecurity program include the following:
- Risk Assessment: A risk assessment is a formal way to identify what is important to your operation and what is at risk, given the threats to it and the weaknesses in your technological environment. A well-done risk assessment will take into account your business model. A franchise operator has different cybersecurity risks to address compared to independent restaurants. Fast casual, which may depend on significant digital relationships with its customers to drive traffic, differs from a fine dining format that has significant gift card revenue. A risk assessment that takes into account the business model will help you fine-tune what other controls may need to be in place beyond the basics.
- Establish Security Policies: Establish basic security practices and policies for employees, such as appropriate internet use guidelines and rules of behavior and management expectations for IT to meet. Policies should include written policies or narratives for how finance and accounting professionals address account banking changes, payroll direct deposit requests and other financial activities.
- Third-Party Risk Assessment: Take the time to understand the vendors that are critical to your operation. The NCR ransomware in 2023 took some restaurant operations offline as POS, back-office tools and gift card processing suddenly went offline. Identify the risks vendors pose to your success and have a plan to adjust should you lose one of them.
- Cyber Insurance: Consider obtaining cyber liability coverage to protect the business in the event of a cyberattack or data breach. Your broker should assist you in finding an appropriate carrier. You’ll be presented with an underwriting form that will ask if you do many of the must-have basics listed in this article. Some carriers may have expectations beyond these basics. Insurance is a crucial tool in recovering from a successful cyber-attack.
While these are fundamental measures, it’s important for those in the restaurant industry to stay informed about the evolving cyber threat landscape and continuously adapt their cybersecurity strategies to address new challenges.
To learn more, contact a member of our IT team.
