As many in the industry know, NCR, a payments processor offering point-of-sale systems to restaurants and retailers, suffered a ransomware attack that began impacting the Aloha point-of-sale system and NCR’s Back Office application. Restaurants, many of them small operators, could not access back office tools, process payroll or accept loyalty points and gift cards. Lost functionality meant that some restaurants may have also lost access to their staffing schedules and inventory systems while NCR systems were offline.
BlackCat/ALPHV, a ransomware gang, claimed responsibility and suggested that, in addition to encrypting NCR systems and demanding a ransom, the group had taken login credentials. BlackCat/ALPHV did not claim to have taken confidential information, and NCR assured customers in its communications that no confidential data was lost. In many ransomware cases, however, data is also exfiltrated (removed from the environment), held hostage for an additional ransom, and released on the dark web if payment is not made. BlackCat/ALPHV has exhibited that behavior in other instances, so the NCR breach was not as bad as it could have been.
BlackCat/ALPHV is an advanced persistent threat, or APT. It has a varied target profile: it aggressively tracks known vulnerabilities and scans the Internet for organizations that have not yet patched them. This means any organization with poor patching processes, regardless of size or industry, could fall victim.
It goes without saying that if your restaurant uses NCR’s services, we recommend changing all your passwords in those accounts. But that’s not all we recommend as there are other lessons to be learned.
Two lessons the restaurant industry should take to heart in the aftermath:
- Every company, no matter the size, is susceptible to ransomware. Over half of BlackCat/ALPHV’s victims are small businesses that were only attacked because their systems were vulnerable. In today’s interconnected world, the presence of those vulnerabilities can be identified from anywhere on the Internet. Restaurants must address the potential threat of ransomware attacks targeting their company-owned systems and implement strategies to mitigate this risk.
- As restaurants outsource key functionality, like point-of-sale systems, inventory, scheduling, gift card and other loyalty programs, delivery services, accounting, IT managed services, marketing, and so on, a program should be in place to measure and manage the risks that exist from those key third parties.
There are many actions an organization can take to defend against ransomware. While the full scope of that discussion is beyond this article, GBQ IT Services works with clients to manage cybersecurity risks with a layered defense approach:
- Maintain backups: The best defense against ransomware is to have frequent backups in a system that is not directly connected to your company network. The backup system should be tested regularly.
- Plan for trouble: A written incident response plan that defines the who, why, what, and how of a company’s response to an incident is an invaluable resource in the event of a cyber attack. Without a plan, management and IT teams scramble and make mistakes, lengthening the attack and expanding losses.
- Harden your endpoints: Endpoint systems such as computers, handheld devices, servers, and other systems should be hardened before being used for work. Hardening a system means removing default passwords, requiring stronger forms of authentication, and removing unneeded services.
- Keep systems up-to-date: Systems being used should be updated with regular patching.
- Scan for vulnerabilities: Regular vulnerability scans identify when weak or unpatched systems are on the company network. Restaurant operators may be familiar with the scanning required for PCI compliance, but many times scanners are implemented only to meet compliance and not to cover all the systems in an operation. All systems should be scanned on a routine basis.
- Train the team: The best return on investment – bang for the buck – is training employees on acceptable use, proper information handling, and safe computer use. This should include a self-phishing program.
- Monitor the network: Use a managed security services provider to monitor endpoints and the data that flows in and out of the organization. This raises the chance of catching an attack before the ransomware detonates. For many companies, the first notice of an attack is when large amounts of data are seen leaving the network.
- Implement Multi-Factor Authentication (MFA): Your cyber insurance carrier likely has already required multi-factor authentication on critical systems. Beyond just a user ID and password, MFA requires you to authorize access by entering additional information at login from something you have, such as a token generated on a cell phone.
- Cyber liability insurance: Talk to your insurance broker about your cyber exposure. Ensure you have coverage for those cyber risks that are most likely to impact you. Cyber insurance is an important tool in the restoration and recovery process for companies that have been attacked.
If you want to go it alone, the Cybersecurity and Infrastructure Security Agency (CISA), an agency of the United States Department of Homeland Security responsible for, among other things, strengthening cybersecurity and infrastructure, shares tips on protecting against ransomware.
GBQ IT Services comes alongside clients to help assess their cyber and other IT risks, put plans in place to reduce the risk to levels management can tolerate, and stay connected in case something bad happens. Our baseline service now includes a ransomware simulation that can be safely run on your network to measure vulnerability to a ransomware attack.
While there are many benefits to outsourcing key business processes, risks also need to be measured and managed. At its simplest, a third-party risk management or vendor risk management program is a formal process where an organization:
- Lists all the key third-party providers
- Ranks those companies by criticality to the business
- Engages in conversation with the provider about its cyber security program
- Considers alternatives or contingencies to losing that provider
A more sophisticated approach is to take that list of providers and conduct a formal business impact assessment to identify the financial impact to the restaurant based on how long it takes to return the service to operation in the case of an event like the NCR breach.
The more formal approach includes annual security reviews of the key third parties, typically including a questionnaire asking for key information about the third party’s cyber security program. Cloud service providers often have a SOC 2 report that should be reviewed. Tools are also available, such as SecurityScorecard, that can help monitor key providers’ security posture.
You may recall when the national meat supply was impacted when JBS’s meat packing facilities were ransomed and knocked offline in 2021. Some large restaurant operators are extending their third-party risk activities beyond their business process providers to include key supply chain providers as well. After all, if your secret ingredient comes from only one source, and the source is offline, your killer entrée or dessert is just food.
GBQ IT Services helps companies measure and manage third-party risk by calculating their exposure and building a program right-sized for the operation. Who is empowering your growth by protecting what matters most? Contact IT Services Director Doug Davidson today.
Article written by:
Director of IT Services