Coronavirus cybercrime can attack your restaurant system, too
Protecting your business from a data breach is a constant struggle, and it’s even more important during a disaster.
Whether it follows a health crisis, hurricane, flood or tornado — businesses usually experience increases in cybercrimes tied to that event, says the National Cyber Security Alliance’s Daniel Eliot.
Eliot, director of education and strategic initiatives for the NCSA, says cyber incidents and attacks, such as coronavirus-themed email phishing scams, increased as much as 300% to 350% in the first quarter of 2020 and adds that cyber scammers are now trying to target restaurant companies in particular.
Cybercriminals have mostly directed malicious emails at telework employees or people donating time and money to those impacted by coronavirus. “We're seeing a huge increase of cyber-related scams promoting coronavirus information or relief efforts. “It’s a big issue.”
The PCI Security Standards Council claims that since March, malicious virus-related reports are up 475%. The reason for the uptick is that cybercriminals are trying to take advantage of rapid changes to the payment-card data environment. In addition, 41% of small businesses have said they’ve suffered breaches costing more than $50,000 to fix.
Contactless payment is one of the big changes within the payment data environment. Several restaurant companies – from chains to independents – are offering it because it reduces customers' physical interaction with the restaurant's POS system. As part of this move, some businesses have eliminated credit-card PIN numbers.
Heartland Payment Systems’ Kristi Kuehn, vice president of Enterprise Compliance, says even though PINs act as a secure cardholder authentication method that can decrease fraudulent transactions and reduce operator liability in fraud-related disputes, contactless payment is one of the most secure transaction methods to use at the point of sale.
Restaurants, particularly those with employees accessing company networks from home, could potentially introduce vulnerabilities into the system, Eliot says. That’s why it’s essential to segment access to networks, especially ones with point-of-sale and financial data. Operators must secure payment information and employee data — all human resources information for that matter.
“Put your point-of-sale and financial data on a different network than the one holding your employee meeting information or shared planning or scheduling documents. And only give access to a few people.”
Eliot also advises operators encrypt all documents that contain social security numbers or personally identifiable information and “lock” them in secure locations. Examples of vulnerable documents include:
- Incorporation documents
- Documents that show your employees’ identification numbers
- Data Universal Numbering System (DUNS) information
- Any HR records
- Tax records
- Insurance records
Eliot says malicious email is usually the easiest way for cybercriminals to access your networks. The emails typically show up as urgent requests for sensitive information, often pretending to be from the Small Business Administration or the Centers for Disease Control and Prevention. When the intended victim types in his or her credentials and clicks on a specific link or downloads an attachment, criminals are in.
The velocity of pandemic-related cybercrime is definitely increasing, says Charlie Tupitza, a cybersecurity specialist for America’s Small Business Development Centers. He, too, says that because phishing is so big right now, operators must be extra careful not to open or click on unverified URLs.
He also suggests isolating email and business systems and encrypting network information, especially if you’ve got employees working remotely. Their laptops need encryption, too.
Anyone looking for easy-to-implement security tips can try these six to start.
- Reduce areas where payment-card data is stored. The best way to protect against a data breach is to avoid storing any card information at all. With many small operators offering curbside pickup and accepting payment over the phone instead of through face-to-face transactions, it’s important they train employees not to write down payment card details. Instead, have them enter numbers directly into a secure terminal.
- Use strong passwords. Using weak and default passwords is one of the leading causes of payment data breaches among businesses. Effective passwords must be strong and updated regularly. The most recent guidance is: the longer, the better. Think of it almost as a “passphrase” rather than a password. Use it in the form of a sentence, but mix in different characters within the phrase. It’s much harder to break a long passphrase than it is a short, complex password. Weak and vendor default passwords often result in small business data breaches. Also, don’t repeat your passwords.
- Update your software often. Criminals look for outdated software to exploit flaws in unpatched systems. Timely installations of security patches are crucial to minimizing the risk of a breach. Whenever updates are available, use them. They will improve performance and close out some of the vulnerabilities cybercriminals are searching for.
- Enable two-factor authentication. It's so important for restaurateurs, especially where their POS systems or any of their sensitive databases are concerned, to have two-factor or multi-factor authentication enabled. If an instance where credentials are stolen occurs, there will be a second layer of verification the operator can rely on to potentially reduce the chances that information will be breached.
- Segment your networks. If you are going to store payment data, make sure your POS system has its own separate, secure network. Do not store sensitive documents on public cloud services such as Google Docs or DropBox. If you’re going to store sensitive documents, house them in an encrypted, locked down location.
- Be hyper-vigilant. Criminals are going to try to take advantage of this pandemic situation as much as possible. You can protect yourself by not giving out sensitive information, especially within unsolicited emails. Don’t click on links you’re not expecting and do everything in your power to protect all sensitive information.