Lost in space


As cybercriminals get savvier, companies risk more than their reputation by neglecting data and privacy measures. Meg Crawford reports.

Once upon a time, a restaurant’s biggest security risk was an intruder absconding with the takings. These days, the security landscape for the hospitality industry is radically different. While the physical security of a premises remains critical, the necessity to protect data is just as important. In fact, a recent PwC report indicated that 85 per cent of consumers wouldn’t engage in business with a company at risk of a cyber breach.

A spate of high-profile data breaches reinforces that the risk is real. Take, for instance, food delivery company DoorDash’s data breach in May 2019, in which hackers stole the information of 4.9 million customers, delivery workers and merchants, including names, email and delivery addresses, partial credit card numbers and licence plate details. “The question of a breach by cybercriminals is no longer an ‘if’, it’s a ‘when’,” says Ahmed Khanji, CEO and founder of cybersecurity firm Gridware.

Possible security breaches 

One of the biggest risks to an establishment’s cybersecurity is still insider threat. “It’s always our starting point,” Khanji says. “People tend to think of cybercrime as the hacker in the basement, but it could just as easily be a disgruntled ex-employee or a contractor going rogue.”  

Andrew Gordon, a partner in PwC Australia’s cybersecurity practice, also makes the point that the insider threat can be inadvertent. “We’re still seeing people making mistakes that cause data breach issues, like adding a recipient to an email, which has sensitive information, and sending it to people beyond those who should be receiving it,” he says.

Another area of weakness is insufficient security controls when it comes to data storage. In this regard, Khanji urges businesses to consider where they’re storing data and who has access. “Just because you’re storing information in the Cloud or Dropbox, doesn’t mean it’s secure,” Khanji notes. “It’s about what controls you’ve put in place to make sure that a hacker can’t gain unauthorised access to those critical assets.” Gordon cites security of payment information as another example of where sufficient security controls are crucial. “If people are making any form of card payment and the restaurant is keeping a copy, are they keeping it securely?” he queries.   

Poor management of passwords also poses a significant threat. “The point of sale might have a password, which is shared with another employee, who gives it to a new employee and so on, or, an employee leaves and the passwords don’t change—it’s a huge risk,” observes Khanji.

Insufficient backup also leaves restaurants open to risk. Ransomware attacks are a prime example—a system is hacked with a virus that locks files, which will be released only subject to payment. “It’s not a problem if a business has appropriate backups,” Khanji explains. “In that case, you can clean the environment, restore everything from a backup and fix the holes that let the hacker in. Unfortunately, many organisations have plenty of critical business documents, but they’re storing them all over the place and not regularly backing up.”

Preventing a cyber breach

While many organisations now appreciate the need to prioritise cybersecurity and privacy, it’s important to remember that it’s not a one-time exercise. “It’s not enough to buy software once and leave the rest to chance,” Khanji notes. “Cybersecurity risks change all the time.”

As part of this ongoing analysis, Khanji encourages businesses to audit where they might be exposed to risk. The risks will differ for every establishment, but have you, for instance, introduced a new delivery app or loyalty program serviced by a third-party provider? If so, what security measures does the app or provider have in place, and do you need to engage a cybersecurity expert to assess their adequacy?

Gordon adds that it’s crucial not to leave management of these issues just to the technology team. “People think this is a technology problem, but it’s really now an organisation-wide risk and everybody has a role to play in managing that risk.” 

Restaurants also need to be thinking about an incident response scenario—who will do what and what’s the contingency plan? “Say a restaurant takes orders on mobile devices, have you thought about the backup plan?” Gordon queries. “If you need to return to paper, have you got enough pads and pens? Can the kitchen still take those orders on? How much will that delay you?” 

Finally, Khanji implores every establishment to obtain cybersecurity insurance, which can cover everything from a cybersecurity firm coming in to respond to a breach to public relations management following the event. Khanji makes a pithy observation: “It’s the fastest growing insurance product in the world for a reason.”