Restaurants are as vulnerable as any business when it comes to cybersecurity and data breaches. We saw that last month, when at least 5 million credit card numbers were swiped from Sonic Drive-In customers.
In a timely move, the National Restaurant Association has responded by publishing an update to its 2016 Cybersecurity 101 guide and tool (PDF), titled “Cybersecurity 201: The Next Step” (PDF).
The tool is a kind of primer on the five steps of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. Gartner has predicted that half of all U.S. businesses will use this framework by 2020.
Cybersecurity 201 is considerably longer than its predecessor, and is focused specifically on restaurants and the actions they can take to protect themselves. It lays out four hypothetical “attack” scenarios and the actions restaurant owners should take in response.
Not that these types of scenarios are fictional in any way. As new technologies make their way into the hospitality industry, and as establishments accept more and more digital payments, businesses grow more and more vulnerable. Arby’s and Chipotle were both attacked this year, as was Whole Foods. And those were just the big ones. You don’t have to be a nationwide chain to get hacked. Many restaurant-industry attacks focus on the POS system, and these also happen to be one of the most difficult types of threats to protect against. And a restaurant without a POS system these days is a rare find.
Cybersecurity 201 was designed for restaurants of all sizes and types. The tool walks readers through restaurant industry-specific action steps around the NIST Framework. Every suggested action is rated on a scale of one to five in terms of importance, with five being “urgent.” Currently, 17 items are considered urgent, including having a consistent response plan, monitoring the physical environment (aka, guidelines for day-to-day operations at the restaurant), and identifying internal and external threats. The guide wraps up with a handy glossary of terms.
Restaurant Business Online, meanwhile, has published six tips for restaurants to consider when it comes to security at their establishments. Of all the tips, “understand that you can’t eliminate risk” highlights one of the most important points about cybersecurity: technology and guidelines may be evolving to combat attacks, but those attacks are evolving right alongside them. Acknowledging that and committing to a plan of constant assessment is perhaps the smartest thing restaurants can do right now.
Sonic eventually acknowledged the attack and posted information on what affected consumers could do. That’s cool and all, but patrons have the least amount of control over the situation when their favorite restaurant gets attacked. Hopefully Cybersecurity 201 can help restaurants assume more of the responsibility for these attacks—before they happen.