“Would you like to supersize that?”
Ah, remember the days when that was a simple question about the size of your fries or soda? Now, that question is fraught with cybersecurity issues that can lead to supersized cybersecurity issues.
MSPs that have, up until now, not pursued food-service clients, but now might find this to be a good time to do that. It sounds counterintuitive; after all, restaurants are struggling during the pandemic. Yet, MSPs can play a role in ushering in a new normal for the food-service industry while tapping into a new revenue stream.
Restaurants, like many businesses, are experiencing fallout from COVID-19. There are has been a surge in phishing attacks and ransomware incidents involving restaurants. Many restaurants had to simply shut-down during April and May, and that left cash registers and coffers empty unless they could transition to carry-out or drive-thru.
Now, as restaurants start to ramp back up, they are adjusting to a new normal of curbside, carry-out, drive-thru, and socially-distanced dining areas. Food is more likely to be ordered by an app so that the only thing a customer touches is their own phone (although in some cases, the opposite is true, some restaurants have gone retro by offering old-fashioned disposable paper menus).
The COVID-19 crisis created a surge of online traffic for restaurants. They rolled out apps, online ordering, and electronic menus all in the name of finding a revenue stream since their dining rooms were shut-down. But, all of this new online traffic provides a new attack vector for bad actors.
Smarter MSP caught up with Scott Shackelford, associate professor of business law and ethics at the Indiana University (IU) Kelley School of Business. He is a senior fellow at Indiana University’s Center for Applied Cybersecurity Research and academic director of the IU Cybersecurity Clinic.
Cybersecurity dilemmas and opportunities restaurants face
Shackelford says that for restaurants that are quickly trying to pivot from booths to virtual, there are a couple of dangers lurking.
“First, in a rush to partially reopen and stay afloat, they might inadvertently introduce gaps and vulnerabilities in their systems that hackers can exploit,” Shackelford states. “Cybersecurity is more than a checklist – it’s an ongoing process demanding proactive due diligence.” The expertise and resources may be in short supply at many restaurants and does leave an opening for MSPs.
But, Shackelford adds, the technology itself isn’t a panacea; there can be issues.
“The technology itself is problematic. Touchscreens, in particular, are vulnerable,” he says. “A hacker in Australia, for example, was able to manipulate a McDonald’s self-service kiosk to lower the price of his lunch.”
A lower-priced Big Mac may not sound like a big deal, but if that happened repeatedly, it’d show up on the bottom line.
The pandemic will also separate restaurants by economic bracket, because of the expense of the touchless systems. Shackelford says many franchisees have had to shell out $750K or more to update their systems. And even if a restaurant can afford it, and it may be a foolproof way to make sure COVID-19 doesn’t spread, it’s no guarantee of good cybersecurity.
“Most small restaurants will not be able to afford such expensive upgrades, but even those that can like Panera and Chili’s have still faced massive cybersecurity incidents in recent years with millions of peoples’ personally identifiable information (PII) breached,” Shackelford notes.
Steps to protect restaurant cybersecurity
Shackelford advises that restaurant owners and their MSPs should set up separate guest wi-fi services and put systems in place so users cannot move laterally to other networks. This ensures that signing on to the wi-fi network will not enable them to access other connected devices on-site like kiosks and payment systems.
“That may be easier said than done, especially given the desire during the pandemic to make online ordering as seamless and easy as possible. A big target for many hackers, though, are loyalty programs since they are a treasure trove of PII,” Shackelford says, adding that these databases should be protected as much as possible, including through multi-factor authentication and end-to-end encryption.
Shackelford does see MSPs playing a muscular role in helping restaurants through the pandemic and in getting their cybersecurity acts in order.
“MSPs can and should play a larger role here, but the extent to which they are responsible for cybersecurity boils down to the contracts at issue, including the existence of any insurance policies,” Shackelford says.
Shackelford also advises that restaurants consider cyber insurance as an added layer of protection while still investing in the proactive policies needed to ensure that they can both stay afloat and protect their customers’ personal and cyber hygiene.
Because restaurants are public facilities, they are considered an aspect of U.S. critical infrastructure. As such, MSPs can turn to the Department of Homeland Security for assistance. Another valuable resource Shackelford pointed to is the Federal Trade Commission’s ‘Cybersecurity for Small Business’ Guide.
Needless to say, good cybersecurity practices need to part of the “main course” for restaurants; not just a side dish. And, MSPs can make for the perfect pairing.
Photo: TZIDO SUN / Shutterstock
