Countering ransomware attacks on restaurants and retail


Bolster cybersecurity by addressing three operational domains


The high-profile April 12 cyber attack on NCR, a company responsible for data operations in the restaurant and retail sectors, resulted in businesses receiving a fresh warning regarding an escalating vulnerability: ransomware attacks. In this environment, understanding why certain businesses are targets can help them decide how best to adopt a prevention strategy that saves money and thwarts reputational damage.


Caesar Sedek, a managing director in Grant Thornton LLP’s Cybersecurity and Privacy practice, said that ransomware is just malware, and malware has been around almost as long as the computer operating systems it targets. However, ransomware has emerged as a significant threat primarily within the last two decades, coinciding with the rise of increased connectivity and digitalization. This includes the widespread adoption of cloud computing, Internet of Things (IoT) devices, interconnected networks and the exponential growth of data, all of which have greatly expanded the attack surface for ransomware.






Dissecting the NCR ransomware attack


The April cyber attack against NCR was unusual for two reasons. First, the attack was not on a restaurant chain or retailer but on a company that provides financial services for these companies — particularly point-of-sale (POS) processing. Second, NCR publicized the attack after its incident response process required it to shut down systems functionality for its clients. But in other ways, it was very typical — the criminals who hacked into the system didn’t steal money directly, but blackmailed NCR to pay them with the threat of releasing information on customers gleaned from the POS software. This attack naturally concerned restaurants and retailers whose customer information is housed in the software.


Due to the sophistication of the attacks, they are less likely to be perpetrated by lone wolf-type criminals. Instead, cyber criminal gangs have arisen, such as Wizard Spider, LockBit, Royal, Vice Society and the perpetrator of the NCR attack, BlackCat, almost to the level of being considered international cartels. But there also are plenty of smaller gangs that go after smaller targets, Sedek said, so not being a giant company isn’t an automatic protection.


“These types of ransomware gangs typically want to go where they can extract the most damage or, at least, extract the biggest payment,” Sedek said. For that reason, “mom-and-pop”-type single-location restaurants and retail stores are not as desired as targets. More likely, a business with a chain of locations is a more desirable target.


Many ransomware attacks go unreported, Sedek said, because of the reputational damage they can cause a business — which might be more detrimental than the theft. Sedek said studies have shown that the reputational damage of a known data breach costs a company 4% worldwide in lost customers, and that the percentage is higher for U.S. companies. If the ransoming criminal keeps the demand for money low enough, a business might decide that it makes more sense to pay the ransom and receive back the stolen data. However, that approach only emboldens the criminals and oftentimes results in them striking back, asking for larger sums.














Operational steps to countering cyber attacks


Restaurants and retailers aiming to counter cybersecurity thefts and ransoms should address three key operational domains.


  1. Strengthen security controls. The first of these is addressing access controls, data governance and end-point security, Sedek said. Organizations in these industries need to invest in a cybersecurity infrastructure that includes firewalls, intrusion detection systems and anti-malware software. The systems must be regularly patched and updated to stay ahead, when possible, of vulnerabilities that have been discovered. “Companies need to understand that they're going to have to devote a certain part of their budget to protecting their data,” Sedek said. “They can't just say, ‘We haven't been hit before, so I don't see why we have to spend money to create this backup system.’”
  2. Invest in backup and recovery. The second key is to invest in a well-structured backup and recovery plan for data, one that regularly backs up data off-site or to a cloud location not accessible from the internal network. What is important to consider here is being able not only to access data completely if it is stolen or compromised but also to do so quickly and minimize downtime for a business. Even closing for a short period like a day to download backup data could lead to reputational damage.
  3. Educate the workforce. The third key is the education of employees on how to recognize and deal with cybersecurity attacks. Workers’ training should involve alerting them to what ransomware is, what phishing is and how to recognize it, and what steps an employee should take if there is a suspicion of an attack. This should involve training that recreates scenarios where these attacks can happen, Sedek said, since many attacks rely on employees making an error that triggers the malware.

Implementation of these controls takes commitment from both the business owners and security leaders. “Most importantly,” Sedek said, “realize that a company’s cybersecurity efforts aren’t the sole domain of a company’s IT department, but should involve the entire company.” One useful method, Sedek said, is to perform “tabletop” exercises, where employees from cross-functional teams encounter simulated cyber attack scenarios and are instructed on the correct response. Also, while advertising a robust cybersecurity infrastructure might seem like attractive marketing, companies should probably refrain from doing so, as it may serve to make them a target. Finally, implementing and maintaining protections against ransomware can be a complex undertaking, and often a discussion with a third-party advisor familiar with cybersecurity assessments, systems and practices in the retail and restaurant industries can be a productive way to protect the business.




