Cybersecurity Risks in Hospitality

For many hospitality businesses, tech isn’t a strength, and cybercriminals know it. While you’re busy creating great customer experiences, bad actors are looking for entry points to nab credit card data and gain access to your financial accounts. Here are cyber scenarios from restaurants and hotels, along with tips for improving cybersecurity hygiene.
 

Takeaways:

1. Train your whole team to recognize cybercrime warning signs
2. Implement a formal process to verify requests for data or funds
3. Establish cyber safeguards for mobile point-of-sale devices 
4. Secure your customer Wi-Fi so it’s not a highway for cybercriminals 
5. Recognize that cyber threats can come from inside your business 

 

Business email compromise results in six-figure loss 

A restaurateur, building out a kitchen area, ordered several pieces of new equipment. With the grand opening date quickly approaching, the owners were eager to get everything completed on time. This enthusiasm led to haste and caused the CFO to miss warning signs of a cybercrime. 

A criminal had accessed the equipment supplier’s ordering system and sent the CFO a message saying a supply chain issue was going to cause a shipment delay. However, there was one piece of equipment available if he was able to pay the same day. The email came from a recognized address, and the CFO jumped on the opportunity. He replied to the message, followed the payment instructions, and ended up sending the funds to a bad actor. Money gone. No equipment. 

Cyber Safety Tip: 

Cybersecurity professionals talk about “zero trust.” For hospitality businesses, this means slowing down enough to verify requests. If someone asks for money by email or text message, be skeptical. Verify the request by calling a known contact. And if you can’t verify it, err on the side of caution. Do not send a payment, banking information, or credit card details unless you are certain where the money is going.

Further, examine emails for hints of foul play. Maybe the email address is wrong by one letter, or the time stamp is 2:00 a.m. Be wary if the wording sounds urgent, requesting a quick reply. 
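The hints above (an address that is off by one letter, a 2:00 a.m. time stamp, urgent wording) can also be checked automatically by a mail filter. The Python sketch below is an added example, not part of the original article; the known-domain list, business hours, phrase list, and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed values for illustration: domains you already trade with,
# normal business hours, and phrases that signal time pressure.
KNOWN_DOMAINS = {"kitchen-supply.example", "hotel.example"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 in the sender's stated time zone
URGENT_PHRASES = ("same day", "today", "this afternoon", "urgent", "immediately")

# Constructed sample messages (not real mail).
LOOKALIKE = ("From: Sales <orders@kitchen-suply.example>\n"
             "Date: Tue, 05 Mar 2024 02:00:00 -0500\n\n"
             "One unit is available if you can pay the same day.\n")
COMPROMISED = ("From: Sales <orders@kitchen-supply.example>\n"
               "Date: Tue, 05 Mar 2024 14:10:00 -0500\n\n"
               "One unit is available if you can pay the same day.\n")
ROUTINE = ("From: Accounts <ap@hotel.example>\n"
           "Date: Tue, 05 Mar 2024 10:00:00 -0500\n\n"
           "Attached is the March invoice.\n")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def warning_signs(raw_message: str) -> list[str]:
    """Return the warning signs found in one plain-text email message."""
    msg = message_from_string(raw_message)
    signs = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in KNOWN_DOMAINS:
        # One character away from a trusted domain: "wrong by one letter".
        near = [d for d in sorted(KNOWN_DOMAINS) if edit_distance(domain, d) == 1]
        signs.append(f"lookalike of {near[0]}" if near else "unknown sender domain")
    if msg["Date"]:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour not in BUSINESS_HOURS:
            signs.append(f"sent at {sent:%H:%M}")
    body = msg.get_payload().lower()
    if any(phrase in body for phrase in URGENT_PHRASES):
        signs.append("urgent wording")
    return signs
```

The `COMPROMISED` sample mirrors the restaurant scenario: the message comes from the supplier’s genuine domain during business hours, so only the urgent wording is flagged. Automated checks like these supplement, and do not replace, calling a known contact before paying.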

Hotel “CFO” requests employee data 

A payroll clerk received an email that appeared to be from the CFO. It said, “I’m working on a tax issue and need to get a list of all the Medicare withholding by employee. Can you send me a spreadsheet this afternoon?” The clerk did not question the request and unwittingly sent confidential data to a cybercriminal.

Cyber Safety Tip: 

Bad actors can make an email look as if it is coming from a legitimate internal or external email address. Often, there are signals that something isn’t quite right, but these emails can be very convincing. Employees and managers need training in how to spot suspicious emails and phone calls, as well as detailed protocols on how to handle financial and data requests.  

They need to develop the “zero trust” muscle. Vigilant employees who know what to watch for can stop cybercrime. Most cyber losses trace back to an employee error, such as clicking on a malicious link in an email or failing to verify that a request is legitimate.

Patron tampers with point-of-sale device 

In many restaurants today, servers use handheld payment terminals to process credit card transactions. Often, they leave a mobile point-of-sale device with the customer for a few minutes while checking on other tables. That moment away can provide enough time for a bad actor to tamper with the equipment. 

Cyber Safety Tip: 

As a business, you are responsible for securing your customers’ data. So, as you choose and implement a point-of-sale system, you need to interview vendors about their cybersecurity practices. What security have they built into their product? Do they continuously monitor their system for suspicious activity? What breaches have they experienced in the past 24 months? Document your due diligence process when selecting a vendor.

Next, create formal policies in your workplace for handling the point-of-sale system. Who has access to the payment devices? How and where do you store them? How frequently do you check for signs of tampering, and who performs these inspections?

Finally, hire with care. Check references and do a criminal background check before extending a job offer. Cybercrime often involves an internal threat actor, not just outsiders. A thorough hiring process shows an insurance company you made a good faith effort to vet your workforce.

Wi-Fi provides gateway to cybercrime 

Many cafés, hotels, and other establishments offer free Wi-Fi for customers. Without proper protections, attackers can “listen in” on users’ activities, steal data, and even take over a mobile device. 

Cyber Safety Tip:

Keep the customer Wi-Fi separate from the connection you use for your business, and make sure your guest system has a complex password.

If you are not a tech expert, consider contracting with a specialist to set up your Wi-Fi and ensure correct configuration. Sometimes, the default settings on routers and other equipment can leave you vulnerable to a cyberattack.

Also, ask your legal counsel for guidance. They may recommend incorporating an online “use at your own risk” disclaimer that customers need to accept before accessing the Wi-Fi. Some hospitality establishments also post a warning along these lines: “No public Wi-Fi is entirely safe. While we’ve taken precautions to secure this one, please be vigilant. Here are some recommended best practices.”

Using a VPN and avoiding sensitive transactions (such as banking or online purchases) are a few of the many ways customers can help secure their data. Posting safety tips is a friendly way to help customers become more cyber-aware. 

Many hospitality businesses need to shore up cybersecurity defenses 

The scenarios above aren’t the only ways cybercriminals can harm your enterprise. Bad actors prey on businesses that seem distracted and less cyber savvy, so it’s important to educate yourself on the risks and learn the precautions you can take.

For example, does your team use two-factor authentication? Do employees understand the importance of good password hygiene? Is your guest Wi-Fi separate from your business-critical systems? Cyber insurance underwriters will ask detailed questions about your security measures.

To learn more about strengthening cybersecurity in the hospitality industry, please join us for our April 25 webinar, Cybersecurity in Hospitality: Don’t get blindsided. 

Or reach out to one of the specialists below. 
 
Stay safe. 

Send us a message on LinkedIn: Rob Hoover, Allen Blount, and Rob Rosenzweig

About the Authors:

Rob Hoover is a national expert on restaurant and hotel employee safety, as well as liquor service safety. At 15, Rob started as a potato peeler in a small, family-owned diner. Today, he’s an industry insider with deep knowledge of day-to-day hospitality challenges. For the past 20 years, he’s helped hospitality businesses as a risk management and insurance advisor. 

Allen Blount leads the Cyber Team at Risk Strategies. He specializes in both cyber insurance and tech E&O (errors and omissions). Prior to this role, he spent 12 years with Zurich North America, gaining extensive experience as a Cyber and Professional Liability Underwriting Manager. Before his insurance career, he practiced law.