It’s 7:42pm on a Friday in a 120-cover restaurant in central London. The floor is full, there’s a queue at the door, and two private dining rooms are mid-service. Then the EPOS freezes. Tickets stop printing in the kitchen. Card terminals throw a connection error. The manager reboots the server in the back office, but the box takes nine minutes to come back, and when it does the integration to the payment provider won’t reauthenticate. By 8:15pm the team is writing orders on paper, the kitchen is 40 minutes behind, and the first table has asked for the bill and walked without paying because nobody can process the card.
That’s not a worst-case scenario. That’s a Friday I’ve heard described, in slightly different forms, by three different operations directors in the last six months. And in every case, the root cause wasn’t a freak event. It was an old, unpatched server running an EPOS version the vendor stopped supporting eighteen months ago, sitting on a flat network with no monitoring, quietly waiting to fail at the worst possible moment.
This is the thing about outdated IT in hospitality: it doesn’t show up on the P&L until it costs you a service. Then it costs you a lot.
The risk that doesn’t appear on any report
Hospitality runs on thin margins and tight operations. Every line in the management accounts gets scrutinised - food cost, labour, rent, utilities, marketing spend. IT usually sits in a single line called “IT & telecoms” and gets reviewed once a year, if that. As long as the number isn’t going up, nobody asks questions.
The problem is that the cost of current IT is visible, and the cost of outdated IT is invisible - right up until the moment it isn’t. A four-year-old EPOS server that’s been quietly working through a thousand covers a week looks free. It’s depreciated, it’s paid for, the maintenance contract lapsed years ago. On paper it’s a win. In reality it’s a liability accruing interest every week it stays in service.
I’ve sat across the table from finance directors who can tell me to the penny what their wine GP was last month but can’t tell me when their kitchen display system last received a firmware update, or whether their guest WiFi controller is still supported by the manufacturer. That gap is where the risk lives.
The four hidden risks I see most often
When we audit a hospitality estate for the first time, we tend to find the same four problems repeated across sites. Not because operators are careless - they’re not - but because the systems crept in over years, the people who installed them moved on, and nobody’s job has been to step back and look at the whole picture.
1. Unpatched systems and ransomware exposure
Most of the EPOS back-office boxes I see in the field are running an operating system that’s either out of mainstream support or one version away from it. Windows Server 2012 R2 is still out there in surprising numbers. Workstations on Windows 10 with patching disabled because “the update broke the printer driver in 2022 and we never turned it back on.”
That’s an open door. Hospitality is now a top-five target sector for ransomware in the UK because attackers know two things: operators can’t tolerate downtime, and the systems are often soft. A ransomware incident in a multi-site group doesn’t just take down one restaurant - it can take down the whole estate, the central reporting, the rota system, the supplier integrations, all at once. The recovery cost is rarely under six figures, and that’s before you factor in the ICO notification, the PCI forensic investigation, and the reputational damage. If you want to understand where this fits into a wider security posture, our cyber security page lays out what mature looks like.
2. EPOS and payment terminal end-of-life
Oracle Micros, Zonal, Tevalis, Lightspeed - all of them have lifecycle policies, and all of them eventually stop supporting old hardware and old software versions. When the vendor support window closes, two things happen. First, you stop getting security patches. Second, your PCI DSS compliance position starts to wobble, because you’re running unsupported software in your cardholder data environment.
I’ve walked into sites where the chip and PIN terminals were three generations behind, the integration to the EPOS was held together by a bespoke script written by a contractor who left the business in 2021, and nobody could tell me which version of the payment application was actually running. That’s a PCI finding waiting to happen, and it’s also a service outage waiting to happen, because old kit fails more often.
3. Guest WiFi designed for 20 covers, running 200
This one is almost universal. A site opens, the original fit-out includes a couple of consumer-grade access points in the ceiling, and they work fine for the first year. Then the venue gets popular. Covers double. Staff start using tablets for table-side ordering. A delivery aggregator turns up with its own hardware. The kitchen display system goes wireless. Suddenly there are 60 devices fighting for airtime on a network designed for 15, and the guest experience is “WiFi connected, no internet.”
The fix isn’t another access point. The fix is a properly designed network with separate VLANs for EPOS, back-of-house, guest, and IoT, with a controller that can actually shape traffic. We cover that under managed network, but the point is that retrofitting this after the fact is significantly more disruptive than getting it right when the site opens.
4. Identity and access debris from staff turnover
Hospitality has high churn. That’s not a criticism, it’s reality. The problem is that most operators have no joiner-mover-leaver process for IT accounts. I’ve audited estates where 40% of the active user accounts in Microsoft 365 belonged to people who left the business more than six months ago. Old EPOS logins still active. Shared manager passwords on sticky notes in the back office. No multi-factor authentication on the email account that receives supplier invoices.
That’s how email compromise happens. That’s how someone walks off with a cashed-up loyalty database. And it’s entirely preventable with a basic identity hygiene process and MFA enforced across the board.
“The honest truth is that nine times out of ten, the breach isn’t clever. It’s an old account, a weak password, and nobody watching the door.”
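One way to surface the account debris described above, as an added example that is not part of the original article: it cross-checks a directory export against an HR leavers list and flags enabled leaver accounts, enabled accounts without MFA, and accounts nobody has signed in to for six months. The CSV column names, the addresses and the 180-day threshold are assumptions, and the data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample exports: directory accounts and an HR leavers list.
ACCOUNTS_CSV = """upn,enabled,mfa,last_sign_in
a.khan@example.test,true,true,2025-05-28
b.jones@example.test,true,false,2024-09-14
manager.soho@example.test,true,false,2025-05-30
c.silva@example.test,false,false,2024-07-01
d.osei@example.test,true,true,2024-10-02
"""
LEAVERS_CSV = """upn,left_on
b.jones@example.test,2024-09-15
c.silva@example.test,2024-07-01
"""

def audit_accounts(accounts_csv, leavers_csv, today, dormant_days=180):
    """Return {upn: [findings]} for enabled accounts that need attention."""
    leavers = {r["upn"]: date.fromisoformat(r["left_on"])
               for r in csv.DictReader(io.StringIO(leavers_csv))}
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"] != "true":
            continue  # disabled accounts are already closed off
        upn, issues = row["upn"], []
        if upn in leavers:
            # Leaver whose account was never disabled: the JML process failed.
            issues.append(f"leaver_still_enabled:{(today - leavers[upn]).days}d")
        if row["mfa"] != "true":
            issues.append("no_mfa")
        idle = (today - date.fromisoformat(row["last_sign_in"])).days
        if idle > dormant_days and upn not in leavers:
            # Not on the HR list but unused: likely a forgotten or shared login.
            issues.append(f"dormant:{idle}d")
        if issues:
            findings[upn] = issues
    return findings

if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS_CSV, LEAVERS_CSV, date(2025, 6, 1))
    for upn, issues in report.items():
        print(upn, ", ".join(issues))
```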
What good actually looks like
None of this is exotic. The fix for outdated IT in hospitality isn’t a moonshot - it’s discipline. Here’s the shortlist I give operators when they ask what “good” looks like:
- A documented hardware refresh cycle. EPOS terminals on a 4-5 year clock, back-office servers on a 3-4 year clock, network kit on a 5-7 year clock. Budgeted, not reactive.
- A patching cadence with someone accountable. Critical patches inside 14 days, everything else inside 30. Tested in one site before it hits the estate.
- Network segmentation. EPOS does not share a broadcast domain with the guest WiFi. Ever.
- MFA on every administrative and email account. No exceptions for “the chef who hates phones.”
- Proactive monitoring - a proper SOC - with alerts that go somewhere a human will see them at 8pm on a Saturday, not into a mailbox nobody checks until Monday.
- A joiner-mover-leaver process that runs the same week someone’s contract changes.
That’s it. It’s not glamorous. It is the difference between a site that runs for five years without a major incident and a site that loses a Friday service every quarter.
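The refresh clocks and patching windows from the shortlist can be checked mechanically against an asset inventory. The following is an added example, not code from the original article: the inventory records, field names and dates are constructed, and treating the lower end of each refresh range as "plan it" and the upper end as "overdue" is an assumption.

```python
from datetime import date

# Policy from the shortlist above: (plan-from, overdue-after) in years.
REFRESH_YEARS = {"epos_terminal": (4, 5), "server": (3, 4), "network": (5, 7)}
# Critical patches inside 14 days, everything else inside 30.
PATCH_SLA_DAYS = {"critical": 14, "other": 30}

# Constructed inventory; names, dates and the 'vendor_supported' field are made up.
ASSETS = [
    {"name": "soho-epos-srv", "kind": "server", "installed": date(2020, 3, 1),
     "vendor_supported": False,
     "pending": [("critical", date(2025, 4, 8)), ("other", date(2025, 5, 20))]},
    {"name": "soho-till-01", "kind": "epos_terminal", "installed": date(2021, 2, 1),
     "vendor_supported": True, "pending": [("other", date(2025, 4, 15))]},
    {"name": "soho-core-sw", "kind": "network", "installed": date(2022, 9, 1),
     "vendor_supported": True, "pending": []},
]

def review_asset(asset, today):
    """Return the list of policy findings for one inventory record."""
    findings = []
    age_years = (today - asset["installed"]).days / 365.25
    plan_from, overdue_after = REFRESH_YEARS[asset["kind"]]
    if age_years >= overdue_after:
        findings.append("refresh_overdue")
    elif age_years >= plan_from:
        findings.append("refresh_due")
    if not asset["vendor_supported"]:
        findings.append("vendor_unsupported")
    # 'pending' holds (severity, release date) for patches not yet installed.
    for severity, released in asset["pending"]:
        if (today - released).days > PATCH_SLA_DAYS[severity]:
            findings.append(f"{severity}_patch_past_sla")
    return findings

def review_estate(assets, today):
    """Return {asset name: findings} for every asset with at least one finding."""
    return {a["name"]: f for a in assets if (f := review_asset(a, today))}

if __name__ == "__main__":
    for name, findings in review_estate(ASSETS, date(2025, 6, 1)).items():
        print(f"{name}: {', '.join(findings)}")
```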
The commercial case nobody wants to do the maths on
Here’s the bit operators rarely sit down and calculate. A mid-size London restaurant doing £40k-£80k a week is generating somewhere between £500 and £2,500 of revenue per hour during peak service. When the EPOS goes down for ninety minutes on a Saturday night, the direct revenue hit is rarely the worst part. The worst part is the table that walked, the review that gets posted on Sunday morning, and the regulars who quietly stop coming back because they had a bad experience and don’t want to risk a second one.
Multiply that across an 8-site group turning over £12m, and one bad incident at one site can move the needle on the whole month. Two incidents in a quarter start to show up in like-for-like sales. The cost of preventing it - a proper managed service, a refresh budget, a security baseline - is a fraction of what one serious outage costs you, and it’s predictable.
Brand damage is the part that doesn’t appear in any spreadsheet. Hospitality is a trust business. Guests don’t know or care why their card got declined or why their booking confirmation never arrived. They just remember that it happened at your place.
Why a hospitality specialist matters
Generic IT support is fine for a law firm. It is not fine for a restaurant group. The reason is that hospitality has a service window - typically 12pm to 11pm, seven days a week - during which IT problems are not problems, they’re emergencies. A help desk that responds in four hours is useless if the four hours starts at 7pm on a Saturday.
CloudMatters is built specifically for this. We’re based in Fitzrovia, at the top end of Tottenham Court Road, which means we can be on-site in a central London venue inside the hour for most of zone 1 and 2. We know Oracle Micros, Zonal, Tevalis and Lightspeed. We’ve worked with payment integrators, kitchen display vendors, booking platforms and delivery aggregators, and we know which combinations cause problems and which ones don’t. That’s the value of a specialist - we’ve already seen the failure modes in your stack, often more than once.
The bottom line
Outdated IT is the biggest hidden risk in UK hospitality because it’s the one nobody is looking at until it costs them. The systems work, until they don’t. The fix is not complicated, but it does require somebody to take ownership of the whole picture - refresh cycles, patching, network design, identity, monitoring - and run it as a discipline, not a series of reactive call-outs.
If you haven’t had a proper look at your IT estate in the last twelve months, you almost certainly have hidden risk sitting in it right now. The good news is that finding it is straightforward, and fixing it is rarely as expensive as operators expect.
We offer a free, no-obligation IT assessment for hospitality operators across London and the South East. We’ll walk your sites, audit your EPOS, network, security and identity posture, and give you a plain-English report on what’s working, what isn’t, and what to prioritise. No sales pitch in the room - just the findings. If you want to know what’s hiding in your estate before it costs you a service, get in touch via our hospitality IT support page and we’ll book it in.