⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠

Restaurant Technology and the Law of Unintended Consequences

Order a reprint of this story
Close (X)


To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.


March 01, 2003
Restaurant | Network Security
Mark Hamilton - MHamilton@hospitalitytrc.com

View Magazine Version of This Article

© 2003 Hospitality Upgrade. No reproduction without written permission.

The restaurant industry is no longer a business of cigar boxes and order pads; we have sophisticated computing devices, in most cases, with more computing capability in a single restaurant than was used to launch the first mission to the moon. These systems do not maintain themselves and are not infallible. Attention to data security and system integrity is important to ensure the maximum possible up time. System security addresses all aspects of system management that prevent system downtime. This includes, data security and backup, intrusion protection, virus protection, policies and procedures.

As we add features and functions, we also add complexity to the systems we employ. As the Law of Unintended Consequences alludes, as a system becomes complex, each additional action generates an increasing number of unintended consequences. The following are suggestions related to systems management and security based on common findings in restaurants. Implementing any of these suggestions may help to curtail unintended consequences experienced with systems in your operation.

Backup and Storage
Most restaurant operations follow some sort of data backup procedure. Unfortunately, most of these procedures are conducted just as outlined in training by the original installer of the POS system. In these cases the operation has a backup system, usually enabled by a tape drive or writeable CD media that performs a backup of data files each night following the closing of the day on the system. In many cases the tape is never verified, rotated or removed from the backup drive, making successful data recovery extremely unlikely. Some ideas to strengthen this component of data security include:

Tape rotation: Establish the practice of a tape rotation plan that includes daily and weekly incremental data backups and a monthly complete backup of data. Tapes should be rotated with frequency depending on the critical nature of the data being backed up. For instance, a single unit operation should keep at least three month’s worth of data backed up at all times. This can be accomplished with a series of a minimum of 11 tapes or CDs, one for each daily backup (Monday through Sunday), one weekly and three monthly. With such a rotation plan, the time between full backups is never more than one month, with less than a day or so between incremental backups. In the event of a disaster, data loss will be restricted to the time between backups. The more frequent you create incremental backups the better. For example, if your system is infected by a virus and the infection goes undetected for some time you will be backing up the virus and its effects over that time. The more backups you keep, the further back you can go to restore uninfected files. Finally, when using magnetic tape media, the entire set of backups should be replaced annually to ensure their physical integrity.

Offsite storage: Leaving the tape in the tape drive is not good practice. In the event of theft or disaster, the backup will be lost with the machine. Offsite storage is always a better option. Establish a system that rotates the tapes to an offsite facility on a daily basis. This could be as easy as sending the tape to the bank with the deposit, or home with the owner or general manager. If this is impossible, at least provide heat-proof media storage onsite to store your backup sets. Heatproof media storage is not the same as a fire safe. A fire safe will keep paper from burning for a period of time based on the rating of the safe (about 450 degrees Fahrenheit), while magnetic tape will melt at just over 180 degrees Fahrenheit (about the same as leaving a cassette tape on your dashboard in the summer). Make sure the storage box is for magnetic media.

Backup verification: It is not enough to just let the backup run and then put the media away until the next backup. It is important to verify what was supposed to be backed up was actually backed up. This process entails comparing the contents of the backup to the files on the computer and it should be done daily. The backup log file should also be checked daily to ensure that the process went smoothly. More often is better, but never is unacceptable.

System Imaging: Even with data backups, system recovery can take a long time. The purpose of a system image is to provide an easy to restore copy of an entire system setup. Programs like Norton’s Ghost or DriveImage from Powerquest are two leaders in this area. Basically, these applications allow you to create an image of a system including all installed software. In the event that the system needs to be completely restored, an image can be installed on the machine in about 15 to 20 minutes as opposed to days of trying to get the baseline applications installed and configured. When using imaging, a separate image needs to be created for each machine type: one image for the server, one for office workstations and one for POS workstations. This ensures that the image is compatible with each specific piece of hardware and contains only the applications needed in each case.

Password Security
How many times have you been in someone else’s restaurant and heard one waiter say to another, “I need the manager’s code so that I can void,” or, “Loan me your password.” If you have not heard it, you have not listened long enough. POS passwords are the most overlooked component of internal system security that there is. Passwords are only as good as the policy that governs their existence. Here are some pointers:

Forced change on login: Passwords should be changed frequently. The only way to ensure that this happens is to force it to happen. Most systems allow the administrator to schedule a forced password change on login at some regular interval. Monthly is good, weekly is better. Managers’ passwords should be changed regularly as well. If you use magnetic strip readers and key cards for server verification, lost cards should be treated as a security breech and cancelled immediately.

Report: Periodically run an audit report on the POS system. This report will show every transaction over a specific period of time. Review of this data will allow discovery of anomalies.

Access levels: Access to managers’ workstations should be limited to managers. Each manager should have his or her own user name and password for this purpose. The application server should be similarly restricted, with separate user names and passwords for all authorized users with appropriate access for each.

Virus Protection
All computers on any network should run adequate, updated and licensed virus protection software. Even if a computer is purchased with a virus package installed, the database of virus attributes must be updated monthly. Symantec reports that there are over 50,000 known viruses and more and popping up everyday.

The database that houses information about these viruses is a component of anti-virus software. In order to maintain protection, these files must be updated regularly. Your anti-virus software subscription is very cheap insurance against virus threats. However, even with the latest software and updates, viruses may still be launched on your system. Here are some suggestions to assist in deterring infection.

Physical security: Restrict access to company computing assets. The smaller the pool of users, the lower the risk of infection. It is always a good idea to restrict the use of managers’ workstations to managers only. The best way to do this is to keep the office under lock and key. This will protect against unauthorized use of computing assets, and also protect other sensitive documents stored in this area.

Practice safe computing: Innuendo aside, floppy diskettes are a high-risk medium. Just think of the average college student working in a restaurant. He or she uses computers at school that are used by countless other students on a daily basis. The floppy disk containing their report or letter, or even inventory spreadsheet, carries with it a strong possibility of infection. Enable virus protection to scan each disk before accessing it to write files to the office PC. Even better, don’t accept files from outside the system under any circumstances. Abstinence is understandably severe, but certainly a way to fend off infection.

E-mail: Simply, do not accept e-mail file attachments unless you are expecting them. If you receive one unexpectedly from a known user, delete it and e-mail back for confirmation that it was intended and clean. Never open an attachment from an unknown user. Delete it immediately.

Network Security
If you operate with an always-on connection to the Internet, you must take additional precautions to protect your network and the software and data that reside on it. This type of connectivity is enabled through the assignment of static Internet Protocol (IP) addresses. Although some providers enable users to manually change their IP address, this is seldom done and is an additional hassle. Therefore in most cases, IP addresses in cable and DSL networks are static, creating greater vulnerability to the Internet and the hacker community. If you have multiple units connected to a remote location, the security risks grow with each unit added to this connection.

Cable vs. DSL: Contrary to popular opinion, security should be on the minds of DSL users as much as those who use cable modems. Most believe that DSL is more secure because it provides a dedicated connection to the Internet, while cable is less secure because it provides a shared connection. In the case of DSL, users are connected directly to a telephone company (telco) central office (CO), while cable users share a pool of bandwidth that originates at a neighborhood hub. Because cable providers basically implement neighborhood LANs, there exists a very real fear that those on the network can intrude into each other’s systems. However, DSL connectivity also carries risk of compromise. A static IP address creates a stationary target for would-be intruders and security measures should be implemented to reduce the risk of intrusion in this case as well.

To curtail this problem in either scenario (cable or DSL), restaurant operators that are connecting numerous units are encouraged to implement a corporate VPN or virtual private network. Such networks can either be created in-house using customer premise equipment (CPE) or may be created as a service through the broadband provider. In any case a VPN creates a private network within a public network like the Internet by securing transmissions between network nodes (locations) using a combination of firewalls, digital certificates, encryption and user authentication.

In any case where broadband connectivity is utilized, the following should be considered as a minimum defensive arsenal.

Firewall: A firewall is a system designed to prevent unauthorized access to or from a private network. A firewall is considered a first line of defense in protecting private information. Firewalls can be implemented through hardware or software, or a combination of both. All messages entering or leaving the network pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Intrusion Detection System (IDS): In addition to a firewall, those employing broadband solutions should implement some magnitude of an intrusion detection system. These systems are software applications that continually monitor the network for incoming traffic and alert the systems administrator of unauthorized attempts to enter the network, monitors system log files, and monitors file changes, all in efforts to secure the system from unauthorized use.

These are only suggestions for a more stable computing environment. Any improvement will lead to less downtime and increased security. Do what you can to avoid unintended consequences that might include lost revenue, productivity or the inability to recover from a disaster.

Mark Hamilton is the founder of H@milton and Associates, which provides technology research and consulting services to the hospitality industry. He can be reached by calling (937) 299-7033 or at MHamilton@hospitalitytrc.com.

10 Steps to a More Secure Restaurant Network

1. | Anti-virus (AV) software. This should be a no-brainer. Every desktop PC should have some sort of licensed AV program installed and configured for auto-update.

2. | Backup and recovery. How important is your data? Do you backup your data on a daily, weekly or monthly basis? Do you practice restoring from backup media? Simply said, back it up and store it offsite.

3. | Business continuity plan. If you lose access to your business applications, corporate systems or operational systems, what will you do? Create a plan for continuing business transactions. Gather and keep handy the necessary equipment to be able to keep working.

4. | E-mail: Simple. Do not accept files with attachments that you are not expecting, regardless of who sends them.

5. | Firewalls. If you don’t have a firewall, get one – that is if you have enabled any type of broadband connectivity in your restaurant operation.

6. | Intrusion detection systems (IDS). If you operate a connection to the public Internet, you should employ some measure of intrusion detection. This software is installed on your network and allows tracking of all attempts to access your system from the outside.

7. | Keeping software up to date (Patching Strategy). Every software package ever developed publishes updates. Some updates are to enhance functionality and performance and other updates are to correct deficiencies and security holes. Keep as current as fiscally possible.

8. | Physical security. Keeping the office door locked and avoiding traffic in the area is a good start to physical security in a restaurant operation.

9. | Roles and responsibilities. In absence of a full-time tech, assign system responsibilities to a staff member. Look for a junior manager with strong computer skills and designate him/her as your systems go-to person.

10. | When to call an expert. Although your 12-year-old may be an expert at home networking, he or she may not be the person to call to assist in creating a secure network for your restaurant operation. Once you find someone that is experienced and provides a workable solution, pass the name along to your restaurant community. Most operators face the same issues.

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.