
Can Your Restaurant Afford to Skate on Security?

August 11, 2017
Authored by Laura Crowley, Manager

It’s such a common occurrence that we almost don’t pay attention any more – another day, another security breach at some company. But for a business owner, the cost of a cyber breach can be devastating. The National Restaurant Association estimates that the average small business pays $36,000 to $50,000 for a single data breach. And the damage to the business’s reputation can be even more severe. Can your restaurant afford that?

Few restaurants today operate without electronic data. The days of a single register tape and cash-only transactions are long gone. Today’s restaurants have exposure to a cyber-attack from many areas. Customer credit card data and gift cards, information stored and transmitted by the point-of-sale system, employee personal information and payroll data, banking information, and e-mail and electronic communications are all opportunities for a data breach.

Keeping your credit card transactions secure

Restaurants that accept credit cards as a form of payment need to ensure that their payment processing system is PCI-DSS compliant. These standards are designed to ensure that the consumer data associated with credit card payments is protected through firewalls, password protocols and encrypted data transmission. Restaurants should maintain documentation to verify compliance; be sure to submit any PCI-related evidence to your card processor or bank, and update the documentation at least annually. Gift cards, too, might be vulnerable to theft. Using a service provider to track gift cards might help mitigate this risk.

Protected POS

In addition to the payment processing, most restaurants utilize a point-of-sale (POS) system to accumulate and track data about specific retail transactions. The system may include additional features to cater for different functionality, such as inventory management, CRM, financials, or warehousing. The restaurateur should consider how the data from the point-of-sale is stored (local back-up, cloud-based, etc.), how it is transmitted, and who has access to the information. Access should only be granted to individuals who need the data to perform a business function. Each user should have a uniquely assigned username and password. If employees are allowed remote access, take steps to ensure they are on a secure connection. All data transmissions should be sent via encrypted files to reduce the risk of a breach. Since employee turnover is not uncommon in this industry, it is important to monitor authorized users and remove each user's access immediately after separation.

Safeguarding employee information 

Employees’ personal information should always be treated with care. Business owners should make sure that there are adequate protocols in place for anyone who can access employee information, including vendors, service providers, and other employees who do not have a business need for the information. Using locked physical storage and password-protected digital storage can help to protect the sensitive information.

Electronic communications and software

E-mail and electronic communication of sensitive business information should always be monitored. Employees should only use a company-issued e-mail address, and the e-mail server should be maintained and backed up on a regular basis. Use secure file transfer applications and protocols to ensure that the information is not vulnerable to attack during transmission.

Commercially available software can help protect against malware and ransomware attacks. Such software should be updated continually to ensure that it is ready for the latest scheme. Using these tools along with firewalls, encryption, password protections and user management can go a long way in preventing a compromise of your important data. Working with vendors who have strong digital protections is also important in ensuring the safety of your customer, employee and sensitive business information.

One of the best defenses a business has against a data breach is preparedness; have a plan in place in the event of a disaster or breach so that there is minimal interruption to the business during the recovery process. Having well-informed employees is also essential. Training employees to be alert for phishing schemes and signs of identity theft will go a long way in protecting important information.

If you have any questions, please consult your client relationship partner or contact one of the members of Citrin Cooperman’s Technology and Risk Advisory Consulting practice (TRAC).