Results of the National Restaurant Association’s “Restaurant Technology Landscape Report 2024”—its first assessment of restaurant technology integration since 2016—confirm that data management is as integral a part of restaurant chains’ and groups’ operations as state-of-the-art kitchen appliances, safety equipment, and loyalty programs. Restaurant operators surveyed for the report revealed they used data to push customers’ buttons to keep sales, promotions, and their bottom line up. 76% of this group also affirmed that technology gives them a competitive edge, and they believe they should take advantage of industry technology’s benefits more extensively.
However, there’s the omnipresent dark side of data collection and maintenance. A bar/restaurant group with a high profile or multiple locations can have the most effective anti-data theft software or service in place to reap all of those benefits. And yet, one small slip-up can wreak havoc. Little mistakes—a stolen or misplaced smartphone or laptop, personnel and vendors getting access to sensitive information, a confidential email sent to the wrong person, unwittingly opening an email with a virus that corrupts your system—are behind an estimated 90% of data breaches according to some sources.
The Inconvenient Truths of Advancing Technology
“I have seen surveys that suggest 80% of problems are created by humans, but in my view, 100% of the data breach problems are created by humans,” says Sharon Polsky, president of AMINACorp.ca, privacy and data protection specialists. “Somebody neglected to do something or did something intentionally or inadvertently somewhere along the line. Whether it’s implementing a new system, an app, or a new component to a program, not taking proper security measures or talking about sensitive information with the wrong person or in the wrong location can be a recipe for disaster.”
Polsky notes it used to be relatively easy to discern if there was a problem thanks to telltale signs like a computer system running slowly, a pop-up message saying the system had been hacked, or a “denial of service” attack preventing users from getting access to a function or website. Today, the first sign that something is amiss may be getting a ransom notice threatening an organization that company and customer data will be released on the dark web unless an exorbitant amount of money is paid by a certain deadline.
“Virus attacks are much more sophisticated, and the frequency of attack is much greater because we've got automated bot farms bombarding,” she says. “At the time of 'Y2K,' a breach could cost a company a few thousand dollars. Today, the ‘cheap’ attacks can run a company four or five million. Whether it's your website or employees being enticed with bogus emails, it’s a matter of psychology and an appeal to action that gets people to do something (on impulse). Although patrons will not initially know that their information has been breached, when they do find out, it's the business that pays the penalty in terms of reputation, trust, and regulatory fines.”
Suzie Squier, President of Retail & Hospitality ISAC (RH-ISAC), a retail and hospitality focused cyber intelligence community, points to not budgeting for important updates and not staying on top of current hacker trends as causes of falling down the data breach rabbit hole. “While pricy updates often contain critical fixes for known vulnerabilities, many restaurants operate on tight margins that leave them unable to update their software or security patches as often as needed,” she says. “Additionally, simple passwords, shared login credentials, and a lack of frontline employee training on cybersecurity best practices can create easy access points for attackers. Phishing emails can trick employees into revealing sensitive information.”
The Data Breach that Came to Dinner
Squier believes that the most common problem is that restaurant owners and employees underestimate the importance of cybersecurity. More proactivity is required to spot signs of a data breach, from surges in network traffic to unexplained slowdowns (e.g., a POS/point-of-sale system lagging during peak hours) or missing or altered files with the earmarks of outside tampering. Managers also need to realize customers can provide valuable insights, such as suspicious charges on their credit cards linked to a loyalty program. If management is contacted directly by attackers demanding ransom, it may already be too late.
“The landscape of cybersecurity breaches in the restaurant industry has dramatically transformed over the past decade,” says Squier. “A decade ago, POS systems were prime targets as they stored credit card information. Today, attackers target a broader range of systems, including loyalty programs, reservation databases, and even internet of things (IOT)-enabled devices such as refrigeration controls. Hackers have also become more sophisticated, using techniques like social engineering and phishing attacks to gain access to systems. They're also constantly developing new tools and exploits to target vulnerabilities. The rise of mobile ordering and payment apps has introduced new entry points for attackers.”
While the frequency of checking systems depends on the size and complexity of the restaurant group's network, Squier recommends a combination of continuous automated monitoring to catch suspicious activity (especially anomaly-based alerting), coupled with regular vulnerability scans to identify weaknesses before they're exploited. Penetration testing, where ethical hackers mimic real-world attacks, can be conducted periodically to further strengthen defenses, as well as periodic security control reviews. Regular training by management, in turn, can remind staff to be skeptical of emails from unrecognized sources, use secure passwords that are encrypted and strong, and keep tabs on the constantly proliferating numbers of Bluetooth scanners, RAM scrapers, and malware programs.
Even with awareness of new breach culprits coming to light, breaches may take even the most experienced restaurateurs, managers, and chefs by surprise. Adonis Ouano Icalina, chef and expert author at beef-focused restaurant trade site Carnivore Style, was caught off guard when a security breach hit his restaurant on a busy Friday night. At around 10:00pm, its POS system suddenly crashed, and when his staff tried to restart it, it wouldn't boot up. While it was assumed a technical glitch caused the problem, it was later learned a sophisticated malware attack derailed the system. Hackers had gained access to it through a phishing email that one of his employees inadvertently opened, thinking it was a legitimate message from a credit card processor.
“We had to notify our customers and offer them free credit monitoring services for a year, which cost us around $50,000,” Icalina said, looking back at the damage. “We also had to pay for a forensic analysis to determine the scope of the breach, which set us back another $20,000. We also lost customer trust and loyalty, which took us months to rebuild, [and had to offer] discounts and promotions to win back our customers' confidence, which hurt our bottom line. I learned the hard way that cybersecurity is not merely an IT matter, but a business concern demanding attention throughout the organization. Employee training is very important, and this is why we now conduct regular training sessions, ensuring our employees are well-informed and are enforcing stricter security measures, including two-factor authentication and regular software updates.”
Moving forward, Icalina thoroughly researched different cybersecurity service providers, taking into account the firms’ experience in the hospitality industry, certifications, and incident response plans. He also checked client reviews, requested references, and evaluated their pricing model. His goal was to find a system that encompassed advanced network monitoring, threat detection, incident response capabilities, and assistance with industry compliance and regulatory issues.
Business-Saving Strategies
“Innovations in data protection shouldn't solely focus on technological advancements,” affirms Michael E. Mastin, founder of San Gabriel, CA-based BowlakeChinese, an information blog aimed at Chinese restaurant owners, managers, and customers. While it provides information on current food trends (such as the latest vegan and keto dish recipes), it also addresses business concerns affecting the readership.
“The most overlooked security threat in our industry isn't external hacking...it is the internal mishandling of customer data,” he says. “Understanding that the greatest risks often come from within our trusted circles has shaped our approach to data protection. Staff training is indeed pivotal, but the effectiveness of such programs often hinges on their relevance and engagement. We advocate for a radical rethink: challenging the traditional one-size-fits-all training modules in favor of personalized, scenario-based simulations that mirror real-world threats.”
“In the hospitality industry, reservation and guest management platforms offer tremendous convenience, allowing [restaurants] to collect a wealth of client information from their names, to emails, phone numbers, and their credit card details,” warns Polsky, drawing upon her 30-plus year career advising North American corporations and government agencies about information risk management.
From a business perspective, she says the type and amount of information collected and disclosed might be reasonable, but from an employer or customer perspective, it can be problematic as everything connected with a restaurant or a restaurant chain can be at risk, from the employees’ privacy, to customers’ personal details such as social security and taxpayer information, to third-party vendors.
“Businesses don’t understand the potential risks to privacy, so they’ll rely on whatever the vendor says,” Polsky details. “The business—not the vendor—will face the consequences when problems occur. Monitoring for anomalous activity should be an ongoing, automatic thing with reports automatically generated [to management]. Cyber crime is a multi-billion dollar industry, and hackers will typically go after organizations that can pay up, have a lot to lose, and have good insurance...all of which have made some restaurant groups vulnerable to being hit multiple times.”
Shrav Mehta, CEO and Founder of Secureframe—a company that provides end-to-end automated security, privacy and compliance solutions—stresses that as the presence of AI and tech (self check-in kiosks, RFID hotel room doors, fingerprint scanning, tabletop POS systems, and so on) increases in hospitality, it amplifies the need for restaurant groups to be more proactive in how they protect themselves, their staff, and their customers' data. “[Training is essential to] ensure new staff don't fall victim to phishing, from the employee onboarding stage to vital steps hiring managers must take to offering all staff industry-specific steps and best practices to remain up-to-date on emerging tech regulations, security vulnerabilities, and compliance,” he says.
Vikas Khorana, president, CTO and co-founder of Ntooitive, an Inc. 5000 company that helps businesses grow revenue by creating efficiency and speed through the application of technology solutions, advises that beyond employee training, it is also wise to keep multiple copies of the business infrastructure in a cloud or external hard drive not tied to the firm’s existing infrastructure. Another good strategy for better security is getting employees to reflect upon how they react to certain things in their emails and web activities. “We all use our office emails to do personal stuff and react to things not important to our jobs,” he says. “For this reason, I believe [breach prevention is] all about training your staff and getting them to recognize that a lot of a company’s data is also intellectual property (IP) that needs to be protected.”
He cites Landry’s, which owns Macaroni Grill, Chart House, and other restaurants across the U.S., each with specific branding strategies and loyalty programs attracting a variety of customer bases. He also points to the recent CrowdStrike crisis disrupting travel over the summer. Solutions that can be implemented and frequently updated include different Wi-Fi setups for business, employee use, and customer communications to ensure hackers can’t get to the more sensitive data. He also likes the idea of having regular backups of important data to a cloud or even an external hard drive to get as much restored as possible if a breach means having to clean the slate to protect sensitive information.
“Cybersecurity isn't just about technology solutions,” affirms Squier. “It is a team effort, and building a culture of security awareness is paramount. Through engaging training programs, team members can be equipped with the knowledge and skills to be our first line of defense. This starts with fostering strong password hygiene, recognizing and reporting suspicious emails, and handling sensitive customer information with utmost care. It continues with training updates to keep staff informed about evolving threats, and bite-sized security reminders throughout the year to reinforce best practices. By empowering staff, restaurants can create a stronger, more resilient defense against cyber threats.”
Cybersecurity Solutions: Stepping Up to the Challenge
Luke Fryer, CEO of Harri, an HR tech vendor that handles the most sensitive payroll and related data for any restaurant or bar, suggests combining automated systems with regular manual checks and audits to effectively mitigate the risk of security breaches and ensure ongoing protection of data and operations. Furthermore, a robust security strategy for a restaurant group involves continuous monitoring of systems to detect and respond to potential breaches in real-time.
“These steps cover data security in general, as it pertains to operational security for restaurants,” he says, adding his firm provides live monitoring to such areas through multiple products, including Risk Analysis Dashboard and Liveshift View. “It's important to highlight wage theft (buddy punching), also known as ‘bad egg attendance’ behavior.”
“By focusing on these aspects, restaurant groups and hospitality businesses can better protect themselves from security breaches that can compromise customer trust, operational efficiency, and regulatory compliance,” Fryer adds, recommending venues implement the following protocols into regular operations:
- Automated Monitoring: Implement systems that perform continuous automatic checks, employing tools such as intrusion detection systems (IDS), intrusion prevention systems (IPS), and security information and event management (SIEM) solutions. These systems can identify unusual activity and potential threats, triggering immediate alerts.
- Alerts and Manual Checks: When automated systems detect anomalies, alerts should trigger manual investigations by specialized security team members. These experts can assess and address potential threats that automated systems flag.
- Regular Audits and Assessments: In addition to ongoing monitoring, schedule regular security audits and vulnerability assessments.
- Data Security Focus: Ensure data security by continuously monitoring for unauthorized access, data integrity issues, and availability concerns. Regularly test disaster recovery plans to ensure quick data recovery in case of a breach.
- Selecting the Right Technology Partners: Regulations change all the time, often with little notice. Ensuring that technology partners are maintaining the critical levels of data privacy and security protocols and certifications (e.g., International Organization for Standardization (ISO), Service Organization Control Type 2 (SOC2)) can help remove the burden of keeping up to date.
- Compliance Assurance: Adhere to regulations and standards to avoid penalties and reduce risks associated with non-compliance (e.g., FWW regulations & financial calculations, food safety regulations, privacy laws).
- Workforce Stability: Maintain a stable and satisfied workforce, which is crucial in an industry known for high employee turnover. This includes ensuring employee enablement and engagement to maintain employee morale and productivity.