Earlier this year, the overhauled EU data protection regime took effect. The premise of the General Data Protection Regulation (GDPR) is to ensure any business handling an EU customer’s personal data – anywhere in the world – takes appropriate steps to safeguard that information. Breaches of the regulation can incur hefty fines of up to €20m (£17.5m) or 4% of annual turnover, whichever is greater, so compliance with GDPR will be vital.
In April, the UK’s National Cyber Security Agency (NCSA), part of Government Communications Headquarters (GCHQ), held its flagship summit, CYBERUK 2018. During the event, the NCSA launched The Cyber Threat to UK Business, a report jointly authored with the National Crime Agency.
The NCSA specifically mentions restaurants as one of the myriad business sectors at real risk of data security breaches. This got me thinking: customers really do tell restaurants quite a bit – not just payment details, but birthdays, anniversaries, dietary requirements, lifestyle and nutritional choices. Quite a rich resource for the criminally minded.
Data and general cyber security – we’ve got this – right? Well, apparently, a firewall is no longer enough. Remember last year, when a hacker infiltrated thousands of unsecured EPoS printers? Restaurant after restaurant started to receive pictures of giant robots and a printed message ‘with love from the hacker god’. The public-spirited perpetrator said it was done to highlight widespread network vulnerability and, with the GDPR deadline fast approaching, it does hammer home the point that businesses large and small need to check they’ve taken appropriate data security measures.
Frankly, experts believe that it’s not a case of if you’ll be hacked, but when. Restaurants process masses of customer details, which are usually held for certain periods of time. Industry research has found that, on average, an intruder is able to sit unnoticed inside a victim’s network for more than 200 days before detection. That’s more than enough time to take whatever they’ve come for. So, if you can’t reliably keep them out, the best defence is to spot them quickly once they’re in, and practise damage limitation.
This sounds like a tall order for the restaurant industry – we do food, not IT. But I’ve heard about software that can sit inside networks, watching for intruders from without. Think of it as your digital doorman, a bouncer just inside the network perimeter, ready to back up your firewall and your password locks should a hacker still bust your defences. The systems are based on machine learning and watch for anomalies in network behaviour before alerting businesses to anything suspicious, so action can quickly be taken. Prevention is a big part of regulatory compliance, and adding this layer to data security is a sensible move.
I’m a great believer in the power of technology. If restaurant tech is sophisticated enough to receive customer details via mobile device, process the information internally and feed it into various systems from order to delivery, the mainstay of shielding that data should also be digital.