May 13, 2017: "Computer-security agencies across the globe Saturday raced to contain the cyber pandemic that spread from a global attack..."
(Wall Street Journal)
May 16, 2017: "Wanted: Chief information security officers with board-level management skills, tech knowledge, and low blood pressure."
(Wall Street Journal)
While the threat of that particular attack appeared to be subsiding a few days later, variations were still a possibility--and new, future attacks are a certainty, whether from state-sponsored hackers, cybercriminals, or teenagers out to impress their friends.
No company likes to publicly report a data breach, but these days it seems they're in the news daily. The reason is simple: it reflects badly on the brand as a whole if a customer's data is compromised--even if it was the mistake of a single low-level employee in a remote back office. In 2017, no brand, company, or government is safe. It was a hack of the NSA that unleashed May's massive ransomware attack.
We could try to scare you--for your own good--into acting yesterday to protect your customer and corporate data by publishing a list of the dozens of franchise brands, from restaurants to hotels, that reported data breaches in the past few years. Instead, we'll focus on what we've learned about how to practice safe computing, whether it's at the point of sale, over a mobile device, online ordering, or from as-yet undiscovered attacks.
We spoke with a cross-section of people involved in cybersecurity and franchising to learn about clear and present dangers and how to safeguard your data--and that of your customers!
And we found the "perfect" person: Armando D'Accordo, a franchisee and area representative for CMIT Solutions, which manages IT systems for small businesses. With his own territory in Long Island and responsibility for 10 franchisees in New York City and Long Island, he hears a lot about the cybersecurity worries keeping SMB customers up at night.
One big picture shift he's seen is the evolution of MSPs (managed service providers) to MSSPs (managed security service providers). Months before the recent "WannaCry" global attack, his newsletter warned specifically about ransomware and cited the following statistics: "Barely one month into 2017, cybercrime is already making headlines.... 2016 shattered all previous data breach records, with more than 4 billion records compromised worldwide."
Many, if not most, security experts expect each year to set new records as both the number and sophistication of hackers and attacks continue to rise. In the face of this onslaught, one of his mantras is "layers of security."
D'Accordo recommends three actions franchisors can take to minimize the chances that they'll be victims of a data breach (note that the first has to do with people, not technology):
"These three things are really important," he says. "You can have all the technology, but if your employees are not trained to be really careful there's not much we can do about it. With phishing and social engineering, it's like having a bouncer at the door who lets everybody in."
MJ Worsham is the corporate IT manager for The Plamondon Companies, the franchisor of Roy Rogers Restaurants. He oversees all aspects of technology for the company, from internal networks to PCI compliance and POS management, including the recent integration of the Roy's Rewards loyalty app.
First, he says, educate your staff about the things they can control--most importantly, their own actions. But someone's bound to slip up, especially as phishing scams become more devious and clever. Thus the importance of securing your system on the technology side.
"As a franchisor, I highly suggest that the most important thing is to standardize, to get everybody on the same platform so you know everybody's behind the same fence and has the same protection," he says. "This helps mitigate the human factor." On the hardware side, that includes the network itself, a secure firewall, not having guest wifi on the same network as your system, and restricting access to your back office computer.
"All these things can be done and are easy to enable, but we see large companies breached every day," he says. "The biggest thing we've learned, and one of the first things I did when I came on board," he says, was to standardize the software and hardware across all 50 Roy Rogers units. "All our ports on our firewall are consistent in every store," he says. And afall the stores use NCR's Aloha POS system.
"From there it becomes a task of getting buy-in from your franchisees without making it a mandate. You can make it a mandate in the franchise agreement, but we wanted to look at it more as an educational experience," he says. "We have a fantastic relationship with our franchisees, with a lot of mutual trust. We see it as an advisement, not a mandate."
Worsham says that with the brand's close relationship with its franchisees, this may have been easier than at larger franchise brands, or those with legacy systems or acquired units with their own technologies. One way to make the medicine go down and get that buy-in was to "kill nine birds with one stone," he says, by adding features and showing the franchisees the ROI.
When the brand launched its loyalty app, something the franchisees asked for, it had to be on the same system across the brand. "It's a lot easier when you show the ROI in the conversation: a more secure system that is up to date, PCI compliant, ready for EMV, and with online ordering," he says. "Network management and security was not the most important part of the conversation." Instead, he says, it was the new features and capabilities. "Everything was important. It was just easier to pile it together."
When it comes to advice for other franchisors, "Centralization is really the key," he says. So is limiting the number of people who have access to the system, and the level of that access. Store managers, for example, have access to the POS system at their store--and no others.
"Standardization and centralization allowed us to have a tight leash on who has access," he says. "It limits the points of failure if you have one person doing it."
He recommends starting with the low-hanging fruit and offers four pieces of advice:
At Jersey Mike's Subs, CIO Scott Scherer prefers do it all in-house--well, almost. "This will probably go against what I've said in the past," says Scherer, who was an outside vendor before joining the brand (see Franchise Update Q3 2015). However, when it comes to data security, he says, "That would be one thing I'd outsource." And he does.
As he sees it, either plan on spending a lot of money and hiring a lot of people internally, or find a third-party partner (or partners) who are expert at protecting corporate and consumer data. "Though we like to do things in-house," he says, when it comes to security, "There are too many smart people going against us."
Jersey Mike's is getting help from Charlotte-based Global Linking Solutions, which provides 24x7 monitoring, management, and security services. Part of the brand's strategy, says Scherer, was "to make sure all our franchisees were on our network." The plan for that network (now international), which includes everything from its home-grown POS system to bar code scanners and terminals, was for it to reside on a private network managed by Jersey Mike's through GLS.
For every new store opening, he says, GLS stages all of the firewalls and network equipment. Jersey Mike's calls its POS vendor, orders a hardware package, and GLS sends a tech to configure the equipment. "They deal with all that on their end," says Scherer. "The hardware gets installed and appears on our network." GLS monitors all the firewalls, routers, and switches and is authorized to speak with the ISP to resolve any issues. "On the networking side, they keep our system up and running."
When it comes to getting franchisees to cooperate to ensure the network is secure and compliant, he says, the franchise agreement dictates who to buy software, hardware, and networking equipment from--and the company's national credit card processing plan with First Data requires that all franchisees are PCI compliant.
In January, John Christly, global chief information security officer for Netsurion and EventTracker, was named to the PCI SSC Small Merchant Task Force, where he plans to serve as a voice for SMBs and multi-location merchants to help make PCI compliance more achievable and payment data more secure.
Christly says the top five threats to restaurants are hackers, POS malware, ransomware, internal threats, and wifi security. For brands with 5 to 500 or more locations, he says, "If you want to protect the brand you have to take it seriously at the brand level." He says PCI compliance is a good place to begin.
His recommendation for franchisors is to have a rock-hard policy stating: "If you want to be a franchisee, you must prove you're PCI compliant." And, he adds, it must be legitimately true to avoid being whacked by penalties if a breach does occur. People will just check the boxes on the PCI Self-Assessment Questionnaire (SAQ), even if they're not compliant. "It will come out and be discovered," he says, but it usually takes a breach, and then it's too late. And thinking "We're insured for that" won't cut it, even for companies with cyber insurance.
"I think a lot of the requirements are a bit onerous on small businesses," says Christly. "But the rules are what they are. This is yet another cost of doing business you cannot ignore."
For the franchisor, he says, the challenge is how to make sure its franchisees know how important this is to the brand. "They know they need to protect the brand. How to do that is a different story," he says. "PCI is not enough--people will do only what they need to do."
His advice to franchisors? "You should not go at this alone. There are a lot of third-party providers like us you can work with for a fixed monthly fee," he says. Besides the cost of hiring and hardware involved in doing it in-house, there's also the burden of maintenance and around-the-clock monitoring.
Franchisors and franchisees, he says, should be particularly receptive to the idea of standardization in the context of security. If you take the same approach to your security as you do the your operations manual, store design uniforms, and food, he says, it should be a no-brainer to understand why this is so important to the brand as a whole.
Best practices for system-wide security, he says, should see every site have its firewall set up by the same company, its computers all a certain brand, etc. Also, he adds, it's extremely efficient to run standardized operations--and if things go wrong, this makes it easier for auditors or forensic investigators.
Even doing all these things and more is no guarantee. "Does this mean I can't be hacked?" he says. "No, unfortunately. Anyone can be hacked."
Another important tip: grill your vendor about their security practices. "Vendors can be really good at installation, but don't know a thing about security," he says, and will leave a back door open, or leave the password as "admin" when they're done. "That's how the majority of breaches happen."
He offers three tips for franchisors:
Then, again, there's the people factor. "I can't make people take 15 minutes to watch a video or pay them to do it at home," is something he hears way too often. If you don't require and enforce education, he says, "You're asking for trouble and should not be surprised when it happens."
Another tip: give each employee their own IDs to access your system. Otherwise, if an event occurs you can't tell who was involved.
"In my experience, franchisors have different models in how they push out technology to their franchisees," says Robert Martin, vice president of security solutions at Ingenico Group, a Paris-based company that supplies technology for secure electronic transactions. In the past some would require their franchisees to accept credit cards but not specify how. Others would say, "This is the technology package you must use and must order it from us."
Martin says the latter model is the one that should be pursued. The benefit of taking away some of the choice and flexibility, he says, is that it protects the brand--which is the job of the franchisor. When a breach happens, he says, "It's the franchisor's brand. Nobody cares who the franchisee is."
"What's important in protecting the credit card data is removing the points of attack," says Martin. In the 2013 Target breach, which affected roughly 40 million cardholders and resulted in a $39 million settlement, criminals installed memory scrapers at the point of sale to steal credit card data.
The way to prevent that, says Martin, is to make it so there is no credit card data flowing "in the clear" (unencrypted). "What's important for franchisors is that they require a system that encrypts at the point of the card, at the terminal." That terminal, he says, should meet the high-level security standards that have been put out for the industry, specifically the PCI PTS (Point of Sale Pin Transaction Security Standard).
The key to securing customer credit card data with this system is that the decryption keys are in a remote location--which is the only place the data can be decrypted. In the past, he says, merchants would decrypt at the back of the store before sending the card data to a processor. "But the merchant location is still part of the attack surface," he says.
In the discussion about PCI compliance, says Martin, it's common for a very important distinction to be lost. "Compliance is something you do for the audits. Security is something you do to protect your brand, your franchisees, and your customers."
Another reason to do the encryption in the terminal is that the security configurations of the terminals are controlled remotely so franchisees can't change them. And the gold standard for encryption is a PCI Point-to-Point Encryption (P2PE) solution.
And there's a benefit that franchisees have to love: compliance becomes significantly easier. Instead of having to answer several hundred "questions of joy" on the PCI SAQ, franchisees are faced with just a few dozen.
Then there's the question of securing stored cardholder data. This allows customers the convenience of quick and easy ordering. Think Pizza Hut, for example, which even stores customers' favorite pies, saving time on both ends of the transaction. That data, explains Martin, is protected through "tokenization." Rather than encrypting the data each time before sending it, a customer's purchasing data is stored remotely at a "token vault" behind layers of security.
An order made through a mobile device, for instance, results in a token being sent to the high-security system where the data is stored. And there is only that one point where "detokenization" occurs before the data is sent to a payment card processor. Voila, a secure pizza delivered to your door! "For a franchisor that does mobile ordering, having a tokenization system as part of their mobile strategy is a very good answer for protecting the cardholder data," says Martin.
A targeted, quarterly magazine that takes CEO's, VPs and Sales Executives to the cutting edge of franchise development.