By Laura Haight
Originally published as the Digital Maven in Upstate Business Journal
A guy walked into a bar… No, it’s not a joke, it’s a LinkedIn post that got some attention and a lot of kudos online last week.
So.. a guy walked into a bar. Shortly after arriving chaos erupts: the music stops playing, the credit card machine stops working, the TV goes down. Yes, the entire technology infrastructure was out. The restaurant had a remote IT company (no full time employee or smart hands on staff) and they got them working on the problem. Meanwhile, the guy who walked into the bar offered his services to the manager. He worked, he said, for a technology company and would be happy to see if he could help.
Great. The manager takes him into the back, gives him passwords and access. He talked to the IT guys on the phone and together they get things back up and running.
The manager is very happy, the guy who walked into the bar makes a potential sale of some new hardware, and he is hailed a hero by everyone in the place as well as now, a number of new LinkedIn fans. “Great job, man.”, “Way to set yourself above the rest!”
It is to take this story at face value and accept it as just a good deed with a positive result. In this specific case, that appears to be the case. But it could just as easily have turned out far differently, which means there are some lessons to be learned.
Lesson One: Every business is at risk
Retail businesses have a lot to offer, especially if a hacker or scammer can obtain administrative credentials. The big “get” would, of course, be credit card numbers. If your establishment uses wireless internet connections (don’t, by the way), they can be scraped via a packet sniffer. But if I can get onto your server, I can easily install a key logger that will capture your logins and passwords as you go about your regular business. Eventually, you will log into your merchant account and… Well, you know what happens from here.
Lesson Two: Be suspicious of coincidence
What are the odds that a scammer just happened to be in the restaurant when this happened? Pretty slim. But most likely, if this was a scam, the guy who walked into the bar also caused the crash. Probably through malware previously installed on the system. Presenting a business card as a form of validation and introduction is an easy scam, that is often successful. I can print up business cards tomorrow that say I am the Senior Technology editor of The New York Times. But, sadly, it doesn’t make it so.
Lesson Three: Backup processes offer protection
Have backup systems tested and ready. In the case of this scenario, and for most retail sites, the most critical issue is capturing credit card information and receipting to the customer. Redundant hardware, a secondary internet connection, or a backup solution that utilizes the tethering capability from a personal hotspot or even your smartphone to keep you up and running, with some tradeoffs, like speed, are possible. With a backup method immediately accessible, a scam like this fails.
Lesson Four: Procedures protect you from yourself
Do not panic. And do not throw your best practices out when they are really tested. In this case, the restaurant had remote IT guys working on the issue. The manager, apparently without the confidence of a backup solution and hoping to speed up the resolution, gave away the farm, opening the door for a far bigger problem. Never give anyone administrative access to your servers, computers or cloud services. Not only is it possible for someone to infect your systems or steal your data, but they can also have taken a minute to install a dummy account for themselves with admin rights. So even if the manager or the IT company had the presence of mind to change the administrative password after this episode (something I would give about a 50-50 chance to), they would not stop the scammer from getting in through the dummy account.
Lesson Five: Preparedness = Confidence
One way to avoid panicking and handing over your tech keys to a guy in the bar, is to have confidence in your backup solutions and your staff’s ability to get them online quickly. That comes from testing. You have just half a disaster plan if it exists only on paper. It is a bit of a pain to test, but it is well worth it. That’s where you find out that the plan depends on getting into something that is locked and no one but the owner has the key.
Was the guy who walked into this bar just a good guy trying to help out? Probably. Was the manager just in over his head, trying to be creative in resolving the problem quickly? Most likely.
Situations like this really aren’t that unusual. I myself have offered to help people with problems and I am always amazed how quick they are to give up administrator credentials, and how unlikely they are to change them afterward. We tend to take people at their word, and to be grateful for a helping hand when needed. But hope is not a strategy and real security that protects your customers and your business is based on often harsh realities.
Prepare for the worst and hope you never need it.