The trend away from on-premises dining to online ordering for takeout or delivery has accelerated over the past few years. Now, with more restaurants engaging customers and accepting orders and payments online, they must also adapt their security strategies to protect their businesses. Restaurant value-added resellers (VARs) and managed services providers (MSPs) may need to educate their clients about what it takes to secure restaurant operations online—and to answer questions including “What does a web application firewall do?”
Tushar Richabadas, Senior Product Marketing Manager—Applications and Cloud Security, Barracuda, provides you with insights into which restaurants in your market will benefit from the protection of a web application firewall (WAF), how to communicate its value, and how VARs and MSPs can provide these solutions to their customers.
Are web application firewalls deployed in most restaurants?
Richabadas: For larger chain restaurants, yes—they operate bigger online properties that need more protection. Think a Domino's or Pizza Hut or Panera Bread—two of which had web application vulnerabilities in the past couple of years.
Single restaurants or smaller chains most often use Software as a Service (SaaS) solutions like OpenTable to provide their online services. So, in many cases, they do not need a full WAF. Most likely, they will either use the protection offered by the SaaS platform or a WAF-as-a-Service solution like Barracuda WAF-as-a-Service.
What does a web application firewall do that makes it so important for restaurants accepting more online orders for takeout or delivery?
Richabadas: If you look at restaurants and chains that have their own web application or mobile app for ordering, then having a WAF or WAF-as-a-Service is quite important to prevent attacks. These attacks could range from trying to order without paying to trying to breach their customer database to spreading ransomware into the restaurant’s network, causing it to shut down completely. Web and mobile application security are moving targets—having a WAF or WAF-as-a-Service in place ensures that attacks are easily blocked and data breaches are stopped.
Is a WAF a PCI requirement?
Richabadas: PCI-DSS does not mandate having a WAF in place, but having a properly configured WAF will satisfy the security requirements for the relevant sections of the standard.
How can VARs and MSPs communicate the value of WAF to their restaurant clients?
Richabadas: VARs can talk to their clients about the threat landscape and the fact that there are a large number of malicious actors trying to make money off of hacking web and mobile applications. Malicious actors vary from a kid in the neighborhood trying to score free pizza to someone trying to hold the organization for ransom by bringing down their POS systems. Defense in depth is important everywhere, and with e-commerce functions, such as online ordering, where the web and mobile applications are the breadwinners, it is especially important.
What advice can you give restaurant VARs about WAF?
Richabadas: VARs should consider recommending a SaaS security solution to their restaurant customers that protects applications, APIs, and mobile app backends against a variety of attacks, including the OWASP Top 10, zero-day threats, data leakage, and application-layer distributed denial of service (DDoS) attacks.
For more information on what a web application firewall does to protect restaurants, and on Barracuda WAF-as-a-Service, which removes much of the complexity of configuration and use, visit https://www.barracuda.com/waf-as-a-service.