Data security continues to concern restaurateurs, says Laura Knapp Chadwick, the National Restaurant Association’s director of commerce and entrepreneurship.
Recent research, she says, indicates that 90 percent of all restaurant-industry data breaches occur at the point-of-sale, but other data security issues exist as well. Chadwick and Daniel Eliot, the National Cybersecurity Alliance’s director of small business programs, recently addressed the issue and advised operators on how to deal with it.
It’s not enough to protect payment card information, Eliot says. Yes, operators must be PCI DSS compliant, but there’s also other information that could get into the wrong hands, like employee data, sensitive financial documents and intellectual property such as recipes, loyalty program details and supplier contracts.
How do you protect that information? Eliot says the short answer is education and preparation. And, the definition of cybersecurity must be clear. “That’s the goal, really, a positive and empowering definition,” he says. Cybersecurity, he notes, enables people and businesses to do more online with trust and confidence.
Operators must think of cybersecurity as a risk management issue and include it in risk management planning. He advises businesses to focus specifically on people, profits and technology, and stresses the following:
- Teach employees how to identify risks. If they don’t know how to identify potentially malicious email, then any technologies in place have little to no chance of protecting the business. Equip your workforce with an understanding of how to use systems appropriately before providing access to them.
- Establish and communicate effective policies and procedures. Provide employees with proper knowledge and tools, and guide behavior with effective policies and procedures. Having no appropriate procedures in place is a risk, but piling on too many at once can hinder the operation just as much.
- Deploy technologies that help catch bad actors. Any technology you use must be able to make the policies and procedures you implement more efficient and effective.
Eliot also offered a framework of five functions to keep your organization in business in the event of a breach:
- Identify assets you need to protect. Payment card data, payment terminals and employee information should be at the top of the list, as should physical devices and confidential information like recipes or other intellectual property.
- Protect assets and limit the impact of a breach. Have strong email authentication, train your staff often and with onboarding, have data backup procedures in place, and create and enforce policies and procedures. Know where your physical devices are stored and who has access to them. Also, evaluate if you need cybersecurity insurance.
- Detect security problems. This includes anything from a ransomware message on a computer screen to your network running slowly or your security tools blocking emails. And don’t dismiss customer feedback, especially if customers tell you that someone claiming to be your company keeps calling them to ask for personal information. Also, look for suspicious behavior by customers and/or employees.
- Respond to an incident. Follow the plan you’ve put into place. Disconnect or isolate the affected computer from the network and connect with IT and legal leadership. Contact local law enforcement and comply with your state’s data breach notification law.
- Recover from the breach once it happens. Get your business back in business. Document lessons learned, and improve policies and procedures. Train and retrain employees, and take steps to repair your reputation.
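The "strong email authentication" item under Protect is the one step on this list that can be checked mechanically. The script below is an added example, not from the article or the Association's toolkits; it assumes that phrase refers to SPF and DMARC records on the restaurant's own sending domain, and it parses constructed sample records rather than doing a live DNS lookup (in practice you would fetch the TXT records for the domain and for `_dmarc.` + the domain).

```python
"""Grade SPF and DMARC records as weak or enforcing.

Added example: the record strings are constructed samples, and the
domain names in them are placeholders, not real infrastructure.
"""


def parse_spf(record: str) -> dict:
    """Inspect an SPF TXT record and report whether its 'all' mechanism enforces anything."""
    findings = {"present": False, "all_mechanism": None, "weak": True, "reasons": []}
    record = record.strip()
    if not record.lower().startswith("v=spf1"):
        findings["reasons"].append("no SPF record: anyone can send as this domain")
        return findings
    findings["present"] = True
    terms = record.split()[1:]
    # The last 'all' term decides what happens to senders no earlier term matched.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings["reasons"].append("no 'all' mechanism: unmatched senders are treated as neutral")
        return findings
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    findings["all_mechanism"] = qualifier + "all"
    if qualifier in "-~":
        # -all fails unknown senders; ~all soft-fails and relies on DMARC to act.
        findings["weak"] = False
    else:
        findings["reasons"].append(f"'{qualifier}all' lets any host send as this domain")
    return findings


def parse_dmarc(record: str) -> dict:
    """Inspect a DMARC TXT record: only p=quarantine/reject at pct=100 blocks spoofed mail."""
    findings = {"present": False, "policy": None, "weak": True, "reasons": []}
    record = record.strip()
    if not record.upper().startswith("V=DMARC1"):
        findings["reasons"].append("no DMARC record: receivers have no policy to apply")
        return findings
    findings["present"] = True
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    findings["policy"] = policy or None
    pct = int(tags.get("pct", "100"))
    if policy not in ("quarantine", "reject"):
        findings["reasons"].append(f"p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings["reasons"].append(f"pct={pct} applies the policy to only part of the mail")
    else:
        findings["weak"] = False
    if "rua" not in tags:
        findings["reasons"].append("no rua= address, so nobody receives aggregate reports")
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks: the domain is 'strong' only if neither record is weak."""
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)
    return {
        "strong": not spf["weak"] and not dmarc["weak"],
        "reasons": spf["reasons"] + dmarc["reasons"],
    }


# Constructed sample records for a hypothetical restaurant domain.
SAMPLES = {
    "weak": (
        "v=spf1 include:_spf.mailer.example ?all",
        "v=DMARC1; p=none; rua=mailto:dmarc@restaurant.example",
    ),
    "strong": (
        "v=spf1 include:_spf.mailer.example -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@restaurant.example",
    ),
}

if __name__ == "__main__":
    for label, (spf_record, dmarc_record) in SAMPLES.items():
        result = assess(spf_record, dmarc_record)
        print(f"{label}: strong={result['strong']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The weak sample is the common default after a vendor sets up mail: SPF ends in `?all`, and DMARC is in `p=none` monitoring mode, so a phishing email that spoofs the restaurant's own domain is still delivered to customers and staff. Moving to `-all` and `p=reject` is what makes the item on the list actually protective, and the `rua=` address is how you learn what broke when you do.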
Chadwick advises operators to download the Association’s Cybersecurity 101 and 201 toolkits, which provide information on protecting yourself against a breach.