Information security and public catering: how managers think about IT products

Hi Habr! I am a person who consumes IT products through the App Store, Sberbank Online, Delivery Club and is related to the IT industry insofar as. In short, the specificity of my professional activity is to provide consulting services to catering enterprises for the optimization and development of business processes. Recently, a large number of orders from owners of institutions whose goal is to build an information security system at enterprises has been received.

Let's start with a couple of fun stories. Story number one. In one cafe of the casual dining format, the managers changed every three months. Once the very first manager, being a big fan of Soviet history, created the password “07111917” and pointed it out to all the resources with which he was somehow in touch with his duty: the automated accounting program IIKO, access to the Plazius loyalty program, installation of systems security and fire safety. One day this manager was caught selling personal data to guests to competitors, and was safely dismissed. However, the revolutionary password "07111917" continued to live and passed from one manager to another. As a result, every waiter in the establishment knew how to connect to the office Wi-Fi. Moreover, the guests also learned this password, because the waiters, out of the kindness of their soul, recommended that they connect to a faster Internet called internet_office.


In public catering, staff often use information security weaknesses for their own selfish purposes.
')
Story number two. A handsome young man in a cornflower jacket meets with the CEO of a large restaurant holding. The following dialogue takes place between them:

- Our company specializes in information products. Today I invite you to consider the possibility of acquiring the Hawkeye's new-generation password manager [1]. It is unique in that it has a high degree of reliability, both for the cloud version and for the box version. Encryption is done using the AES-256 algorithm. In addition to the standard functions of any password manager, Hawkeye has advanced backups and security audits. What do you say?
- Konstantin, thanks for the information, and what is the difference between the boxed and cloud versions and why do I need all this?

The two stories cited concern one problem - low awareness of managers about the role and importance of information security in the life of enterprises. But there is an additional nuance. How representatives of IT companies make their proposals also contributes little to understanding among managers, for which they need IT products. For several years of my consulting practice, I came to the firm conviction that the HoReCa segment is a little-used market among suppliers of IT tools for implementing and maintaining information security principles. In this text, I would like to share a fragment of a small study that we conducted among the managers of catering establishments in order to determine the degree of their awareness regarding the introduction and application of IT products. First of all, I want to focus on the use of password managers. I would add that the conduct of the study was dictated by the desire to better understand the thinking of managers in order to more effectively promote their consulting services.

Briefly about the methodology. A qualitative strategy for data acquisition (qualitative data) was chosen. We conducted twelve non-formalized interviews with managers and their deputies in six catering establishments. The interview questionnaire contained twenty questions that related to the general philosophy of information security, knowledge of the regulatory framework, work with personal data, technical capabilities of the protection system in individual enterprises, used IT products, including work with password managers. All interviews were transcribed, and the results were summarized.


Everyone was in a situation where they could not remember the password to their account.

If you start with conceptual questions, the majority of respondents associate the information security of enterprises solely with the storage of personal data of their employees. Managers do not go into the details of the technical side of the issue. They are concerned about how much this or that software will effectively save time, assist in safe data storage, and how convenient it will be to use. Moreover, the priorities are placed in this order: (1) - time - (2) - security - (3) - usability.

“Listen, I need to compile time sheets, schedules, prepare reports to the owners. The restaurant is constantly breaking something. I sorely lack the time to do program settings, reinstallations. IT people in our state do not. If there is something quick and convenient, then you can try. " (male, 41 years old)

“Information security here is limited by the fact that labor records are kept in a safe, and passport data is on the top shelf next to the accountant. This is all bad and I understand that. But adjusting security by the mind takes time, but now I don’t have it. We had experience in buying an advanced antivirus program, even bought a license. Constantly some notifications came, it was uncomfortable, distracted from work "(male, 35 years old)

“About six months ago, a business incubator for us organized a seminar on 152 Federal Law. Then, and now, I do not understand much about personal data. The main thing, and I said this to the owner, you need to restore order in our personnel records. I have access to these data, an accountant, as agreed with me, and that’s all. Now we have a mess here of course ”(female, 34 years old).

As the results of the interviews showed, in five of the six institutions there are no standards and procedures for ensuring information security, no responsible persons. Moreover, there is no full-time unit or specialist in outsourcing, which would be engaged in setting up and controlling the security system. As one of the respondents said:

“We have a boy who adds information to the restaurant’s website. In theory, he could do this for everyone ”(woman, 35 years old).

The concern of managers with the safety of personal data is understandable. Administrative and criminal penalties are starting up more and more, requirements for checks of personal data operators are changing . In the restaurant sphere, this topic is becoming increasingly relevant, since in addition to internal access to accounts, most establishments have loyalty programs, where the number of residents goes to thousands.

In my opinion, now representatives of the IT industry have a good chance to gain access to the market, where there is a clearly defined problem and the need for its solution. In the next three years, the demand for building an information security system in the food service will only increase. Especially in the regions.

Nevertheless, with all the superficial understanding of how the information security system should be arranged, all respondents use password managers. Moreover, some oblige them to use their deputies, chefs and administrators. The first thing we asked the respondents was which password managers you use in your business:

“I don’t know if I will say correctly or not, but now I use Zoho [2]. Surprisingly, I can see the password even from the phone and from the work computer. The only thing I need to do is not to forget the base password for access. Therefore, I wrote it down in the diary ”(female, 32 years old).

“Listen, the password manager began to be used randomly. A friend at the university works in a bank and gave to use it. Paswork is called [3], it seems so far convenient, it saves time. We had a problem when the dismissed employee connected to the accounting system and watched our revenues. Quite by chance, we learned that the passwords in the restaurant were created by him. I urgently had to redo everything. Thus, the need for a manager arose ”(man, 41 years old).

“I studied a little at IT in our technical. When I was thinking about the password manager, I stopped at CommonKey [4], as he copes well with the function of administering personal profiles of employees. It’s very convenient for our pizza chain ”(male, 38 years old).

I note that I chose the most meaningful comments from respondents. Most of the respondents could not remember the exact name of their managers. For some, the password manager is exclusively concerned with storing data on the browser. In general, the respondents, when choosing a product, do not ask about the cryptography mechanism that underlies the password manager. Priorities for them is speed and ease of use.

Despite the fact that among the respondents there is a general understanding of why they need a password manager, respondents use them occasionally. As the respondent woman said:

“When on one side you are banned by a customer of banquets, on the other supplier, and on the third side, who asks when the salary will be, and at this time you are creating an account for a new employee, the only thing that remains is to record your login and password a piece of paper ”(woman, 41 years old).

However, there are certain practices. There are a number of problems due to which password managers have found application in the catering industry. What are these problems?

First, access to loyalty programs. It is not a secret for insiders that the staff is “muddled” with discounts, cashbacks are credited to plastic cards attached to relatives and friends of staff, etc. The most effective way to prevent fraud is to regularly review account activity on the loyalty program backups. The situation is complicated by the fact that you need to have access to the program for at least three people: a manager, a marketer (for SMS and push mail) and an operator who serves the loyalty program (in case of technical failures or additional options).

“The only thing when I try not to forget about the password manager is when working with our guest database. In addition to access to personal data of guests, through this database, you can enroll or withdraw virtual money. Once a month, I change the password, and make the ranking of access depending on the status of the user. Therefore, the information must be constantly updated. The password manager facilitates the work in this regard ”(male, 48 years old).

Secondly, at each enterprise there are personnel magnetic cards for access to the automated accounting system (for example, IIKO or R-Keeper). There are interesting cases. The waiter quits and leaves with the card. In fact, the departed waiter knows the access password to the system, which reflects the financial performance of the enterprise, removes and discards food, records the working time of the staff.

“There was a story when a dismissed employee colluded with a bartender and punched alcohol for hospitality. In some strange way this comrade had an unblocked card and he used it ”(man, 38 years old)

Thirdly, managers come and go, but accounts remain. The professional adaptation of the new manager slows down when he sits at the monitor screen and tries to reach the previous manager in order to find out the login and password from email, Mercury systems and Unified State Automated Information System, personal account on the company METRO etc.

“I could not properly resolve issues when there is not a single access to existing records. The previous manager did not sell well to the owner and did not give me anything. I had to restore everything, sort through her drafts, persuade a person to share information. After that, I firmly decided for myself that I would keep all passwords in a special program ”(female, 29 years old).

Do not repeat the mistake of the President of Kosovo , use the password manager

All of these situations can be useful to representatives of IT-developers for the formulation of competent commercial proposals to representatives of the restaurant sector. Once again, the HoReCa market is ready for the consumption of IT products. This concerns not only password managers, but also anti-virus software, video surveillance systems and business process optimization.

When writing the text, I realized the serious commercial prospects for the implementation of information security standards for restaurants, cafes and bars. Therefore, I would ask all those interested to write in the comments what software you would advise HoReCa representatives to build a reliable information security system. At the end of the topic of password managers, please participate in the survey below. I would be very grateful for detailed comments regarding your choice.

[1] The name is fictitious. Any similarities with other password managers are only similarities and nothing more.
[2] The respondent is referring to the Zoho Vault password manager: www.zoho.com/vault
[3] The respondent has in mind the password manager Passwork: passwork.ru
[4] The respondent has in mind the CommonKey password manager: www.commonkey.com