You're Only as Strong as Your Weakest Link


11/11/2014  Wired Magazine Blog

Cybercriminals have discovered just how lucrative – and relatively easy – it is to penetrate the lackluster defenses of franchise organizations. UPS Stores, P.F. Chang’s and Jimmy John’s are among the retailers whose IT networks have recently been breached. The reason: They often have weak or neglected franchise security approaches, which lets hackers easily exploit vulnerabilities at individual locations.

Today’s hackers are looking outside of a company’s headquarters to get the data they want and are attacking the most vulnerable targets to succeed.

Franchises have proven, and will continue to prove, increasingly popular targets for a number of reasons:

  • Franchise organizations are fertile playgrounds for hackers. They possess multiple sites and individual network computing devices spread all over. Their cut-costs-to-the-bone operating philosophy and inadequate funding for security make them easy targets as well.
  • Central headquarters generally do not educate their franchisees on network security adequately.
  • Franchisees, unless they are huge operations, don’t have an IT professional on staff and, if they do, security is not in their skillset.
  • Many franchise operations fail to realize what successful cyberattacks can do to their bottom line – and, more importantly, their reputation. While not a franchise operation, Target stores’ recent data-breach disaster illuminates the financial and reputational fallout from a cyberattack – with lost customers, lost purchases and a black eye to their brand.

In the news, we’re seeing more hackers target franchises. At P.F. Chang’s China Bistro, the Secret Service first alerted the company to the breach, which involved its card-processing systems and led to the announcement that an intruder compromised 33 locations and, perhaps, the credit-card information of customers at those restaurants. At Jimmy John’s, point-of-sale terminals were the entry point, according to authorities. At other franchises, “card-present” fraud occurred, with the use of stolen credit card information that usually is sold on the black market.

Retail and security leaders increasingly contend that the damage of a data breach is a top threat to the ongoing viability of a franchise system. With a trend that shows no signs of slowing down, how can franchisees protect themselves against cyberattacks?

What Needs to Be Done

Franchise organizations must pay more attention to security because inherent challenges in their network and support structure put the entire organization at risk. Here are some tips that will help:

Be hard-nosed about security: The franchisor (corporate) should assess the threat landscape at headquarters, at franchisees and at warehouses and other vulnerable facilities. Establish an aggressive, uncompromising security posture and a proactive mindset. This approach must apply to all aspects of security throughout the franchisor’s and franchisees’ networks and physical locations.

It’s a team effort: Security is a joint effort between franchisor and franchisee. Develop a program where the corporate office acts as a facilitator to educate and train franchisees on security, including packaged resources franchisees can subscribe to in order to monitor the end points and gateways that hackers often use. Having a single security operations solution for log collection and remediation will improve the efficiency with which real security threats can be detected, because it provides access to a broader data set from which to correlate alerts. This tactic can even help to thwart the most complicated advanced persistent threats, like the many used in current breaches at franchise companies.

Communicate: Franchise organizations don’t always keep franchisees apprised of new security approaches and how they can help the franchisees’ operations. Franchisees must be proactive in educating themselves about security and should talk to IT professionals within the franchisor, who often are eager to talk about such issues. In turn, corporate should first publish detailed “standards” around what is required and deploy dedicated resources to support network security programs. Make security part of the regular business strategy communication.

Get help: Headquarters should consider hiring a chief information security officer. This leader can help ensure the organization has a strong security architecture, understands the importance of monitoring and analyzing the network, and then communicates what is found throughout the organization and the franchisee community. This leader’s responsibility and purview should extend to the franchisee community as well, since the risk to the organization and the brand is shared between both entities.

Review and update franchise agreements: Understanding who owns the data and who is responsible for compliance with data privacy rules and best practices is vital to the success of a franchise security operation. These agreements should include minimum security standards that must be deployed at the various endpoints, much like any other business-critical items dictated by a franchisor.

Hackers are getting more ubiquitous and cunning, especially against susceptible franchise systems. To avoid ending up like some of the recent 2014 franchise security victims, franchisees and franchisors alike must be relentless, aggressive and proactive about all aspects of security.

Saylor X. Frase is the co-founder and President of Nuspire Networks.