In Focus: Cybersecurity Risk for Restaurants

By Ian J. Lewis

During our recent technology advisory restaurant CFO roundtable held in Cincinnati, Ohio, our team had the pleasure of networking with industry finance executives and gleaning great insights into the issues keeping restaurant owners and franchisees awake at night. What's atop their list of concerns? Cybersecurity. Here's a high-level look at what was discussed: 

What exactly is cybersecurity? 
First and foremost, cybersecurity is more than just information technology assets like servers or databases. It's defined as the process of implementing and operating controls and other risk management activities to protect information and systems by detecting, responding to, and mitigating security events that compromise information in any form during use, processing, transmission, and storage or the systems that use this information. 

Assessing risk associated with cybersecurity begins with determining a set of scenarios based on the impact of potential threats and hackers' abilities to leverage vulnerabilities to a business' assets. Assets include processes, information and systems that have varying degrees of value to the organization. Threats are defined as actors that are motivated to attack or misuse assets. And flaws or exposures of an asset that can be comprised are considered vulnerabilities. 

What are the primary cybersecurity concerns for restaurant executives? 
As hackers become more sophisticated, restaurants are bracing for greater impact and frequency of breaches. Today's hackers go to new lengths and depths to cover their tracks, allowing them to do more damage over longer periods of time before breaches are even detected. Landry’s Brand restaurants, for example, recently launched an investigation into a payment card data breach reaching back to May 2014 that affects restaurant, gaming and hotel brands in more than 30 states and Canada. 

How can restaurants ensure they're striking the right balance in cybersecurity investments? 
Effective cybersecurity governance models take into account investments in insurance, protection, assessment and detection. While the investment in cyber insurance may seem attractive, it is typically invoked in a reactive fashion—after a breach has occurred and a business' reputation is at risk among customers and stakeholders. Investing in assessment and protection, on the other hand, can help restaurants proactively identify where potential threats and vulnerabilities exist, allowing adequate defense strategies to be implemented before a breach occurs. Once potential threats and vulnerabilities are revealed by assessment tools, detection and insurance controls can then be implemented to help minimize potential damage.

There will never be a fully preventative model to protect any business completely, so striking the right balance means determining the best mix of proactive and reactive investments for your restaurant.

What other risk considerations should restaurants keep in mind?
The size of the network of partner relationships that exist for any given restaurant to operate efficiently impacts risk as well.  For restaurants, it's important to also consider the universe of exposures that exist from internal operations as well as external vendors, such as cloud providers and other third parties. Asking outsource providers about the assessment, protection, detection and insurance methods they have in place can help restaurants get a holistic sense of where vulnerabilities lie and where additional caution could be taken.

The cyber landscape is constantly and rapidly evolving. But while hackers are improving their skills and growing their toolsets, new technologies for protection and detection are being developed just as fast. 

For more information about cybersecurity risk for restaurants, contact Ian Lewis at

And be sure to keep up with the Restaurant Practice’s latest thoughts by subscribing to our blog on the Selections homepage here and following us on Twitter at @BDORestaurant.


Ian LewisIan Lewis | BDO Consulting Director
Ian J. Lewis is a Director in BDO Consulting’s Technology Advisory Services practice. He has more than 15 years of experience leading complex IT and business-facing initiatives, including enterprise-level solutions involving cybersecurity, strategy, operations, organization and governance, infrastructure, and risk and compliance management related to Sarbanes-Oxley, the Gramm-Leach-Bliley Act, business continuity, disaster recovery, and program/project management.  Full Bio