Safety First!: Preventing Cyber Intrusions
Every day, headlines around the world report cyber intrusions exposing credit card data and personally identifiable information (PII) and causing business disruptions. If you think your franchise system has not been affected, you may be living in a fantasy world! As the FBI has said, most businesses fall into one of two categories: 1) those who already know they've had a cyber intrusion, and 2) those who don't know they've already been the victim of one.
We use the term "intrusion," even though the news media use the term "cyberattack." Intrusions can describe multiple events, ranging from unauthorized access to PII or credit card data, to an attacker using your computer systems as a proxy to attack other entities, to a competitor obtaining access to your franchise system's most valuable trade secrets.
The FBI estimates that the time from intrusion to detection is about 8 months. What happens during those 8 months will be telling as to how bad the damage could be. What the franchisor does upon detection--and how quickly the franchisor acts--may well determine the severity of the damage and the extent of the franchisor's exposure to claims from customers, franchisees, and federal and state enforcers.
What are they trying to steal?
Like other businesses, franchisors do (and should!) worry about theft of credit card data and PII. This is the type of intrusion that receives the most headlines. Most IT departments are familiar with the need to comply with the Payment Card Industry Data Security Standard (PCI-DSS). What many do not realize, however, is that PCI-DSS is not law. Rather, it is a set of requirements established by the credit card companies to reduce credit card fraud. PCI-DSS is not truly voluntary, however, because failure to comply may jeopardize a franchise system's ability to process credit cards.
Once a breach involving credit cards has been discovered, the credit card numbers can be cancelled or changed. But who pays for monies stolen? Cyber insurance is one answer for mitigating this and other consequences of an intrusion. Obtaining the right cyber insurance policy is a separate subject of great importance that is beyond the scope of this discussion.
Unlike changing a credit card number, changing PII can be much more difficult--if not impossible. Once a Social Security number has been stolen, it is virtually impossible to change. Health records are a particularly attractive target for attackers because they can be used to defraud private insurance carriers and Medicaid alike. Outside the health care industry, most franchisors and franchisees do not have health records for anyone besides their own employees. But health records are just one of many types of records containing PII that can be used for identity theft.
Most franchisors have some of their most valuable trade secrets stored on the Internet or otherwise accessible online. These can include the "secret sauce" for the franchise concept itself. They can also include plans to go public, plans to go private (think Tesla), and potential merger or acquisition talks. Most franchisors have proprietary software used by both the franchisor and franchisees that is vulnerable to attack. This happened with Wyndham's hotel reservation system a few years ago. And most franchisors have a "franchisee only" portal that no competing franchise system should access--making it a very attractive target for attack.
Franchisees: the weakest link?
Potential attackers may think so. And they may be right, since franchisees may not have the budget for security and may be less sophisticated about technology. The massive data breach that Target suffered in 2013 resulted from an attack through a vendor. Similarly, an intruder's access to a franchise system's "mother ship"--including not only customer credit card data and PII, but also the franchisor's trade secrets--may come through franchisees. But the trade secrets put at risk are the franchisor's to lose. And the potential liability for breach of credit card data and PII may fall on the franchisor, regardless of where the intruder gained access.
It should come as no surprise to anyone that cybercriminals are getting more and more sophisticated. Gone are the days when the biggest threat was teenagers defacing websites. The threats today come from organized crime, nation-state actors, and competitors--especially as employees leave the franchisor or a franchisee, or the franchisee leaves the system.
The vast amounts of data and intellectual property available through franchise system websites provide a lot of "bang for the buck." When Willie Sutton was asked why he robbed banks, he reportedly answered, "Because that's where the money is." Today, the robbers on the Internet still go where the money is. That could be your franchise system.