Protecting Your Brand with Network-Wide Security Measures
Whether your business is fast food or cleaning services, your brand represents what your company ultimately stands for. Security measures and data breach prevention plans should be part of the equation too.
By Joe Durfey
Logo? Check. Signage? Check. Uniforms, food portions, cleaning routines? Check, check, check. Most franchisors today take the task of “duplication” seriously across their locations.
When it comes to protecting a brand, franchisors can be perfectionists for quality control. After all, without proper care, a brand can quickly become damaged or destroyed forever. Whether in Tampa or Tokyo, corporate franchise guidelines make sure the customer experience matches the brand message, from quality of materials, to cooking temperatures and serving sizes.
If the brand is the most valuable piece of an organization, why hasn’t security risk management — an increasingly critical issue — been added to most franchisor checklists?
Data is Vulnerable
Data breaches, not inconsistent brand issues, are endangering some of the largest franchises. According to one report, approximately 74 percent of data crimes occur at multi-location businesses. Surprisingly, many franchisors leave decisions about data security to individual franchisees, which have no corporate top-down security policy.
The franchise world often uses technology networks for customer credit card info, sales tracking, and loyalty programs. However, the data collected throughout these systems is vulnerable from numerous entry points — each franchisee office, each franchisee location, and each computer terminal or POS at a franchised location; the computer terminals and POS at each company-owned outlet; corporate headquarters; and all third-party vendors to the system.
Attackers are smart. They are searching outside a company’s headquarters to get the data they want. They attack the most vulnerable targets, the “low-hanging fruit,” or smaller locations. And when one of these locations gets breached, the domino effect can occur, negatively impacting everyone representing the brand, from the bottom to the top.
Data breaches can have severe consequences for a franchise. Effects include a loss of customer trust, lawsuits, and a decline in sales and stock prices. Additionally, a franchisor can end up with major fines owed to merchant banks and for card reinstatements, costly forensic investigation fees, and sometimes, closed doors forever.
There’s also the negative press that almost always follows a breach. Unfortunately, most customers don’t understand the distinction between the brand and franchisee ownership. The media noise that follows a breach begs the question of “who is responsible?” — an essentially irrelevant issue to the general public.
What can a franchisor do to lower the risk of a breach? There is no quick fix, especially because each franchise system has its own methods of operation. However, there are steps you can take to assess your franchise’s potential exposure, and ways to mitigate risks:
Take a top-down approach. Implement a secure, centrally managed remote support system available for use by franchisees and any vendors that support those individual retail locations. With this approach, all remote access to local franchise point-of-sale systems can be centrally audited.
Perform a data privacy and security compliance audit. Analyze the process by which customer data is collected, stored, accessed, shared, and controlled by your franchisees, and the extent to which information in this process is communicated to customers. The audit should consider the policies, procedures, and practices necessary for your business, relative to the collection, use, and sharing of personal information.
Take PCI DSS seriously. You must help franchisees comply with Payment Card Industry Data Security Standard requirements, and also make it a requirement within your contract. Rather than having an arm’s-length relationship with these partners, urge PCI DSS enforcement across the board.
Watch third-party vendors. Verify the security procedures of vendors handling maintenance of your POS systems, management of firewalls, and the hosting of websites. This is critical for ensuring such service providers fully understand how your company operates.
Ensure remote management apps are secure. Apps used to gather information, sales polls, and survey inventory are not always secure from hackers. Some of these programs come with default or blank passwords. For protection, create user IDs and complex passwords, which should be unique to each franchise location. PCI DSS requirements include guarding against physical modifications to swipe machines, introduced by hackers to copy card information. To prevent this, franchises with POS machines should check them regularly — and your employees need to know how to take this step themselves.
Hire a consultant to test your systems for vulnerabilities. Experts approach this task by thinking like hackers and using the same tools to get into a franchise. The testing should include automated systems that test out default passwords.
Create an incident response plan. Hopefully, your franchise will never face a serious data breach. But if it does, you'll need to be ready to respond very quickly. Don’t wait for a breach to make the plan, and be sure all key stakeholders know what to do. Designate a single position within the company that is responsible for data security and for developing and managing policies and procedures.
Treat risk management as an ongoing task. You need to continually enforce policies as well as review your risk profile and the security measures you have in place to manage risk. It’s simply not enough to have a sound policy if it’s not carried out in a consistent manner.
It’s up to franchisors to enforce the protection of their brand. And while some individual franchisees may attempt their own methods of security measures, if there’s no support from the top, it likely won’t get done. Franchisors must take the first steps to protect their brand, their systems, and their franchisees, making data security part of the way they conduct business every day. While it can be daunting, more companies must realize they need to be less reactive and more proactive in order to ultimately succeed.
Joseph Durfey is a director of enterprise sales at SecurityMetrics. Find him at fransocial.franchise.org.