If you’re like me, chances are you’ve probably ordered food online or through an app at least once in the last couple of weeks. Curbside pickup, takeout and delivery have become buzzwords in the past week. We’re not alone — market research company Frost & Sullivan projects that online/mobile ordering will be a $200 billion dollar industry by 2025.
With every online order, millions of customers are entrusting restaurant owner/operators with their most essential information. While beneficial in many ways, housing mass amounts of data leaves restaurants wide open to potential breaches — and hackers aren’t always the culprit. As the number of online ordering options continues to grow and expand, human error breaches are only going to become a more dangerous cybersecurity risk.
Thanks to the advent of chipped credit cards, virtually all restaurants have at least some cybersecurity safeguards. However, thanks to the explosion of online ordering, owner/operators are left managing massive data sets — without any experience in doing so. Their expertise is running a restaurant, yet now they are responsible for information ranging from customer names to physical addresses to debit card numbers. The same can be said for their employees, who oftentimes aren’t properly trained in managing data threats.
In a security context, human error constitutes unintentional actions – or lack of action – by employees and users that cause, spread or allow a security breach to take place. Following suspicious email links and attachments, for example, falls precisely into that definition. These emails are usually not filtered as spam and can pose a threat to owner/operators’ cybersecurity, while links can lead to the fake websites and attachments that can contain malicious scripts.
Equally devastating are failures to properly configure online servers. In fact, global research and advisory firm Gartner Inc. estimates that 95 percent of online server breaches occur due to human errors such as configuration mistakes, and these experts expect the trend to continue. In 2017, Pizza Hut reported a “temporary security intrusion” that affected about 60,000 customers who tried to order from the company website. A year later, hackers were able to breach Dunkin Donuts online loyalty rewards program, stealing and subsequently selling thousands of user accounts on the dark web.
Of course, these types of phishing emails and configuration errors are a major problem for businesses of all stripes — not merely restaurants. But there are two notable factors that make the restaurant industry’s human error problem particularly unique.
Firstly, hampered by a whopping 75 percent annual turnover rate according to The United States Bureau of Labor Statistics, owner/operators can have difficulty training a revolving door of new employees. When new hires are starting that often, there's a whole host of training procedures that need to be conducted and cybersecurity warnings may very well fall by the wayside.
Furthermore, Franchise Direct, as of 2018, determined that there were nearly 275,000 franchised restaurants in the United States. And at each and every one of them, operators and franchisees are entirely beholden to the security provided by that franchise brand.
That came back to bite franchisees at Panera Bread just a few years ago. In 2018, Panerabread.com, a website where customers sign up to order food online for pickup in stores or for delivery, leaked millions of customer records. This included names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number. Franchisees were left to deal with a massive human error debacle, that they themselves had nothing to do with.
But regardless of who’s to blame, cybersecurity costs add up quickly in the event of a breach. A 2018 study conducted by IBM found that a single piece of breached data can cost an average of nearly 150 dollars. Restaurants, in particular, often fit the bill for fees and penalties, forensic audits to find out what happened, remediation costs, breach notification, lawsuits, brand damage and more, according to the National Restaurant Association.
When these costs begin to pile up, it can be devastating for owner/operators. That’s why it is so important for them to seek out comprehensive cybersecurity insurance solutions — created specifically to protect their business. Without it, just one breach could spell the end.