Restaurant Security - Hacking the Weakest Link
Hackers. Security breaches. Stolen data. Malware. All this high-tech piracy makes for hot headlines in the news and for Hollywood blockbusters. But for all its glamour, the biggest security breaches do not come from some genius coder who can crack passwords or invent malicious software. The best cyber criminals don't want to waste time figuring out how to steal your information. They want to steal your data in the quickest and easiest way, so they go after the weakest link: humans.
According to Social-Engineer.org, 66% of all attacks originate from social engineering, but research shows that only 7% of American companies educate their employees about it. Why? Simple lack of awareness.
Social Engineering
So what is social engineering? It is criminals manipulating people into handing over confidential information. They prey on our human instinct to trust other humans. The hackers rely on the fact that restaurant employees are notoriously busy and will not have the time to check the facts before sharing information.
The phone is the simplest way for a hacker to get information. Why try to figure out your password when they can just ask for it over the phone? The hacker will typically pose as an authorized user who is responding to someone's "request for help," or claim to have found a problem in the system that they need access to in order to "fix it." The employee grants them access to the system thinking that they are helping, when in reality they have just exposed all of your (and most likely your customers') confidential data.
Playing Defense
The best defense against social engineering is awareness and education. Every person you employ needs to be aware of this type of attack in order to prevent it. Anyone with access to a computer needs to be informed (and reminded often) that he or she should not give out any information over the phone unless they have permission in advance to do so. The hackers are professionals: they will tell their target that they are from accounting, the corporate office, or a vendor, and then apply authoritative pressure so the target doesn't have time to think about the decision.
Process & Policies
It is extremely important to have an established process regarding the handling of any confidential information or passwords. Below are a few guidelines to safeguard your restaurant:
- Create a company policy on how upgrades, service issues, accounting questions, etc. are handled. The policy should firmly state that anyone, internal or external, needing access to any of the computers and/or systems on your premises must notify the IT staff via email and copy the manager (or owner) in advance.
- Should a call be received from anyone seeking confidential information without advance notice, the employee must get the company's name, the person's first and last name, a call-back number and an email address. This information should be verified with the manager/owner before further contact is made. Most hackers will hang up when questioned, while a real employee or vendor will respect company policy. Assure employees that it is important to stick to the policy no matter how persistent or believable the caller may be.
- Remind employees often about your policy and its importance. Bring it up in staff meetings. Post a reminder on every terminal. Do whatever it takes to keep social engineering tactics top of mind so that an innocent mistake is not made in the heat of the moment.
Hacking incidents are on the rise. As we have seen through the media, it only takes one security breach to soil your hard-earned reputation and lose the trust of your customers. And while to err is human, knowledge is power. Take preventive measures before you become the next target.
Joining Ctuit in 2015, David Orr brings a breadth of Information Technology experience ranging from the small organization to the large enterprise. David's 24-year career in IT includes the last 15 years focused on Software as a Service (SaaS) solutions and ensuring systems availability on a 24x7x365 basis. He has worked in a variety of industries including software development, data centers, manufacturing, and telecommunications.