The hospitality industry is more digitized and automated than ever before. And that’s a great thing — because the right solutions can save crazy amounts of time, cut costs, and generally make everyone’s life a whole lot easier.
But with new technology comes new best practices, especially when it comes to cybersecurity.
Kickfin, like many other software companies, keeps this top of mind. Our product team has built a platform that takes security insanely seriously — in fact, it’s our number-one priority.
And on the Customer Success side, we do everything in our power to ensure Kickfin users are trained to recognize and avoid any potential risks before they ever log in to the platform.
Of course, some of those things are easy to forget even for the most tech-savvy customer — especially when you’re short-staffed and over-booked. But to make things more challenging: best practices are always evolving.
That’s why, periodically, we recommend customers assess the overall strength of their cybersecurity to help prevent any unwanted threats to their businesses. Below is a rundown of the most important and effective ways that Kickfin users can protect themselves and their companies from cybersecurity threats.
(Keep in mind: these are coming from your friends at Kickfin, but most apply to any software solution or platform that’s linked to personal, financial or otherwise sensitive information.)
Why should I care about cybersecurity?
According to a report by Cisco Systems, phishing was the second most common threat against businesses. It’s “popular due to its simplicity and effectiveness…, accounting for 90% of data breaches.”
Typically, with phishing, a perpetrator will:
- Target your end users, bypassing any system-based protections you have in place.
- Contact your users via email, though some phishing attacks also occur by phone.
- Try to get access to your system by getting your end users to provide a password or to click on a link that will install malicious software on your computer systems.
Phishing scams can generally happen to anyone or on any software platform, regardless of how airtight the security mechanisms are. In many ways, it’s like a thief gaining access to a safe. They’re not breaking into it; they’re tricking the owner into opening it for them.
The Tech Support Phishing scam is on the rise – and one that we think you are most likely to see in the hospitality industry. As recently as October 2022, the FBI issued a warning to businesses regarding scammers targeting financial accounts by claiming to be customer or tech support representatives from tech companies. One key method they employ is the installation of remote desktop software on the victim’s computer in order to gain control of the computer and, ultimately, of the financial accounts. In 2021, there was $347 million in losses due to tech support scams, impacting almost 24,000 victims.
Fortunately, there are several things you can do to ensure this doesn’t happen.
How to protect your restaurant from cybersecurity threats
At the end of the day, you really can’t control whether you’re the target of a phishing scam — but you can control how you react and whether they’re successful. As always, knowledge is power.
Here’s how to ensure phishers aren’t given the “keys to your safe,” so to speak.
1. Use the principle of least privilege
Only give users the absolute minimal access they need to do their jobs. Again, that goes for any software you’re using, but within Kickfin, there are four user roles with varying privileges:
- Org Admin: Has access to all locations in the organization; can add/edit/delete users and make payments at any of the locations. We recommend that the number of org admins be kept to the bare minimum of who needs access.
- Site Admin: Has access only to those worksites to which they are assigned; can add/edit/delete users and make payments at those locations. We recommend that the number of site admins be kept to the bare minimum of who needs access.
- Manager: Has access only to those worksites to which they are assigned; can only make payments at those locations; cannot add/edit/delete users.
- Employee: Can only receive payments from those worksites to which they are assigned. Employees have no access to the administrative areas of Kickfin. Most of your staff should be in the Employee role.
Again (just for the folks in the back!): the majority of your staff should not have Org Admin, Site Admin, or Manager privileges.
2. Educate your staff on proper password management.
Many people are well aware of proper password management, but it’s easy for anyone to get complacent, especially if you’ve never before been the target of a phishing scam. Top things to know about password security:
- Kickfin will never call you and ask for your password. Legitimate service providers will not ask you for your password to assist you with their system. This is a common tactic of phishing scam artists in order to gain access to your accounts.
- Do not share your password with anyone. (Ever.) Managers should not share their passwords with others in the organization, and we do not recommend using a generic login (such as generalmanager@restaurant.com).
- Passwords should be unique to the individual. Make it something you can remember, but that is not easy to guess. They should not include any commonly used catch-phrases or mottos belonging to your organization.
- Passwords should contain multiple character types. Consider using numbers and symbols to replace letters in a word, for example: D3liciou$Eats!
- Use a passphrase instead of a password. A long phrase (the longer the better!) is much more difficult to crack, such as !tal!an Food !$ my Favor!t3
- Do not use the same password for multiple systems. If your password is compromised, you can limit the harm caused by only using it for one system.
- Do not make your password accessible. For example: do not write the password on a post-it note stuck to the monitor or under the keyboard or mousepad.
- Consider a password generator. Your team may want to use the automatic password generators available in most operating systems, or a password manager that generates a random, site-specific password for each account that is virtually impossible to guess.
3. Clean up your user list.
Remove any employees (particularly Admins and Managers) who are no longer with your organization. Make sure everyone has the right role for their job (see #1 above!).
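To make the role model from #1 and the clean-up in #3 concrete, here is an added example (our own illustration, not Kickfin product code) that encodes the four roles as authorization checks over assigned worksites and runs a periodic audit over a constructed user list. The role names, the `max_org_admins` threshold and the sample users are assumptions for the example.

```python
from dataclasses import dataclass, field

# Roles as described above, most to least privileged (names assumed for the example).
ORG_ADMIN, SITE_ADMIN, MANAGER, EMPLOYEE = "org_admin", "site_admin", "manager", "employee"


@dataclass
class User:
    name: str
    role: str
    sites: frozenset = field(default_factory=frozenset)  # assigned worksites; org admins cover all
    active: bool = True  # False once the person has left the organization


def can_manage_users(user: User, site: str) -> bool:
    """Add/edit/delete users at `site`: org admins anywhere, site admins only where assigned."""
    if not user.active:
        return False
    if user.role == ORG_ADMIN:
        return True
    return user.role == SITE_ADMIN and site in user.sites


def can_make_payments(user: User, site: str) -> bool:
    """Make payments at `site`: org admins anywhere; site admins and managers only where assigned.
    Employees only receive payments, so they never pass this check."""
    if not user.active:
        return False
    if user.role == ORG_ADMIN:
        return True
    return user.role in (SITE_ADMIN, MANAGER) and site in user.sites


def audit_user_list(users, max_org_admins: int = 2):
    """Periodic clean-up: flag departed staff still provisioned and org admins beyond an assumed minimum."""
    findings = []
    for u in users:
        if not u.active:
            findings.append(f"remove departed user {u.name} (role {u.role})")
    admins = [u for u in users if u.active and u.role == ORG_ADMIN]
    if len(admins) > max_org_admins:
        findings.append(f"{len(admins)} org admins exceeds minimum of {max_org_admins}")
    return findings


# Constructed sample user list for a two-location restaurant group.
SAMPLE_USERS = [
    User("owner", ORG_ADMIN),
    User("gm_downtown", SITE_ADMIN, frozenset({"downtown"})),
    User("shift_lead", MANAGER, frozenset({"downtown", "airport"})),
    User("server_1", EMPLOYEE, frozenset({"downtown"})),
    User("ex_manager", MANAGER, frozenset({"airport"}), active=False),
]
```

Running `audit_user_list(SAMPLE_USERS)` reports the departed manager who should be removed; the site admin passes checks only for the worksite they are assigned to.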
4. Take extra steps to protect shared computers.
If your team members are using a shared computer, encourage your users to log out of important systems and applications each time they step away from the computer to avoid someone using their account session for illicit purposes.
5. Educate your staff on how to avoid phishing scams and social engineering hacks.
Provide them with training on common phishing and social engineering techniques, how to avoid them, and how to respond to them.
6. Develop a cybersecurity action plan.
Know who to contact in the event of a breach and how best to protect your business. Make sure all managers know your company’s protocol for reporting an incident should one occur.
What to do if you’re the victim of a phishing scam
Chances are, you’re already doing a lot of things right.
If you, an employee or your business becomes a victim of a phishing scam, please do the following:
- If it involves your Kickfin account, notify our support team immediately. We can help minimize the loss and help you recover your account.
- Report the incident to your local law enforcement agency, the FBI’s Internet Crime Complaint Center at www.ic3.gov, and the FTC’s Report Fraud site at www.reportfraud.ftc.gov.
- Make sure all passwords are updated with new passwords that include letters, numbers and symbols.
- Scan your computer to make sure any malicious or unknown software has been removed.
And as always, we’re here to help. If you’d like a security review of your account, please contact us at support@kickfin.com. We’ll work with you to ensure that all your users are in the appropriate role for their needed level of access.