Much of the restaurant industry has been dramatically changed by the events of 2020 – 2021. Arguably one of the hardest-hit industries, it is also an industry that has given us tremendous stories of resiliency and adaptation to the “new normal.”
Some of that resiliency and adaptation comes from the implementation of new technologies or the expansive use of services that are able to exist because of technology.
- We see firms pushing their back-office operations into work-from-home stances driven by COVID-19 responses. This is accelerating the adoption of Microsoft 365.
- We see those new working dynamics driving the selection of cloud-based business management tools to better enable remote worker productivity.
- Some restaurants are making investments in web and mobile application technology to improve the customer experience. Older websites and applications were not holding up to the surge of online orders.
- Other restaurants have built their takeout and delivery model on the backs of services such as DoorDash and Uber Eats, putting a third party between their business and their customers.
For many, all of these changes happened in some form almost all at once, as we started social distancing a year ago amid government-mandated capacity restrictions.
This collection of new technologies or older technologies applied in new ways to new problems represents an incredible opportunity for business growth.
In addition to opportunity, these changes also introduce digital risks. The biggest risk to your business is not innovating because of fears of cyber and other risks. The second risk is that you don’t consider the full array of risks, which we call digital risks, that these new technologies present to your business.
Types of Digital Risks
Cybersecurity Risk – Here, we refer to the risk of cyberattacks. These attacks often have the objective of accessing sensitive information and then using that information for malicious acts, for example extortion, or of preventing normal business processes from flowing. For the restaurant industry, this translates into defending against wire fraud, business email compromise and ransomware as the most likely cyber risks.
Workforce Risk – A workforce risk is any workforce issue that could pose risk to an organization’s goals. In other words, workforce risks are things like skill shortages and high employee turnover. With new technology adoption, workforce attitude regarding the adoption of new technologies presents additional risk.
Cloud Risk – These are risks arising from changes in technology architecture, implementation, deployment or management of new digital business operations or IT systems. Cybersecurity risk is certainly part of this conversation. Cloud architectures present tremendous advantages when managed correctly, but when poorly managed they can create upward cost spirals. In addition, IT teams that implement cloud architectures the way they would premise-based architectures often create unforeseen weaknesses.
Compliance Risk – This risk refers to any new requirements or rules that apply to new technology. When you adopt new technology, your organization is at risk of not complying with regulatory requirements for business operations, data retention, and other business practices. Today, most compliance risk is tied to personal privacy.
For restaurants, that overwhelmingly means payment card data, which must be protected to meet the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS). For others, from those with self-insurance models for health care to those who rely on third parties to handle health benefits, that may mean some exposure to the Health Insurance Portability and Accountability Act (HIPAA).
However, the coming trend is state-level privacy law. While today only three states have privacy laws on the books – California, Nevada and Maine – eleven more have bills actively in a legislative committee. The State of Ohio is not one of those states. How a restaurant collects, stores, handles and uses customer data may fall under legislative mandates and increased privacy risk in the near future.
Third-Party Risk – These are risks associated with outsourcing to third-party vendors or service providers. For example, vulnerabilities related to intellectual property, data, operations, finances, customer information, or other sensitive information are third-party risks.
Third-party risks in the restaurant industry extend to the delivery services that are such an important part of the customer relationship. That dependence means the restaurant relies on the third parties’ resiliency and on their management of their own digital risks.
Third-party risk also includes the outsourcing of key PCI functions. With third parties, you can shift the effort of securing data to someone else, but you cannot shift your obligation to ensure that those third parties are proper stewards of your data.
Automation Risk – Along with automation, there will be a risk of issues such as compatibility problems with other technology, lack of resources, and governance issues, among others.
Resiliency Risk – This type of risk refers to the risk of negative events occurring when adopting new technology and the difficulty of minimizing the damage caused, as well as the risks to the availability of business operations after a disruption.
Data Privacy Risk – This refers to the risks related to the ability to protect personal information. This data usually includes full names, email addresses, passwords, physical addresses, and even dates of birth. Attackers can easily misuse this data to harm individuals or steal their identities. Loss of data may run afoul of state-level data breach notification laws (Ohio has one in place, as do most states). The coming risk exposure associated with privacy legislation (mentioned above) may mean changes to how a restaurant collects, stores, handles and uses customer data and other loyalty information.
Managing Digital Risks
Adoption of new technologies should include a discussion of the digital risks they might introduce. Ask yourself the following basic questions:
- What risks does this technology introduce to our firm?
- How likely are they to happen?
- What is the impact if they do happen?
- How do we manage or mitigate them?
These questions are a good start for someone who has an accurate understanding of the risks involved.
You can build an understanding on your own by scouring the press for reports of issues that have impacted other restaurants like yours, talking to industry experts (such as your state restaurant association or the National Restaurant Association) and to your peers in the industry. If it happened to someone else, it could happen to you.
A more detailed and complete approach, and the leading practice, is to conduct a formal risk analysis as new technologies are selected and adopted. Proper risk management will increase the likelihood of successful adoption, reduce the likelihood of an unintended negative outcome and give you peace of mind.
One deliverable from a risk analysis is a risk matrix, from which your company can manage risks on an ongoing basis, giving you an agile means to manage risks to the business. GBQ can help you work through a proper risk analysis.
GBQ Information Technology Services is a team of builders, breakers, operators, and auditors experienced in IT strategy, enterprise risk, cybersecurity, productivity solutions such as data analytics, as well as IT audit and assurance.
For more information or assistance with cybersecurity matters, please contact Doug Davidson, Director of Information Technology Services.
Article written by:
Doug Davidson, CISA
Director of Information Technology Services