[BreachExchange] Cyber-Safety First!: Protecting the Integrity of Your Brand

[Audrey McNeil]

https://www.franchising.com/articles/cybersafety_first_
protecting_the_integrity_of_your_brand.html

By now everyone is painfully aware that even a modest data breach at a
medium-sized company can cause a world of pain. Cyber response costs alone
(including reimbursing credit card companies for having to issue
replacement cards) can run into the millions. There also are costs
associated with discovering and fixing the breach and instituting
appropriate security and administrative controls to ensure that such a
breach "never happens again" (an optimistic statement, but there you have
it). And once a breach becomes public, reputational costs leading to a loss
of customer trust and related goodwill are impossible to predict.

Franchises are not immune from this type of reputational devastation. In
recent years, big names like Home Depot, Dairy Queen, Goodwill, Supervalu,
UPS, and Wendy's have all suffered massive, costly data breaches. In fact,
because of their large consumer base and the potentially decentralized
nature of their IT operations, franchises are prime targets for hackers.
While response costs are likely not much different than at other
businesses, the reputational fallout for a franchise that suffers a data
breach is potentially far worse.

Franchisors routinely require franchisees to adhere to design guidelines on
the look and feel of their retail stores and often mandate that supplies be
purchased from a list of reputable providers, all in the name of
maintaining brand reputation. Privacy and cybersecurity should be no
different. By requiring franchisees to comply with a firm set of data
protection requirements and ensuring compliance through routine audits, the
chances of a breach, and the concomitant reputational loss, can be greatly
reduced.

Imagine that a hacker decides to target four or five Dallas-based units of
a national franchise, all owned by a single franchisee. Because the
franchisee's POS devices are not compliant with PCI-DSS, the hacker is able
to steal the credit card information of thousands of the local franchisee's
customers. Once the breach becomes public (and state breach notification
requirements make public disclosure a virtual certainty), the name of the
franchise becomes associated with the breach--even if the franchisor did
nothing wrong.

This affects not only the franchisor, but also every other franchisee whose
data was not compromised because the brand takes the hit through "guilt by
association." A good PR firm may be able to help confine the negative
impact to only the careless franchisee and its units, but the cost to do so
may be prohibitively expensive. Moreover, the franchisor is forced to react
to the situation after it has occurred, instead of trying to get out in
front with preventive measures.

What you can do

While there is no guarantee that preventive measures, however stringent,
will stop a data breach from occurring (indeed, the worn cliche is that
it's not "if" but "when"), there are several options that franchisors
should consider to minimize the chances of an illegal intrusion and thus be
able to credibly declare that "We did everything we could" to prevent the
loss of personal information.

1 - Consider centralizing credit card processing and payroll functions
through a single server housed at corporate headquarters. Although this
option puts the franchisor in the driver's seat in terms of consistency of
security measures, it does have the potential to magnify the effect of a
data breach if the hacker penetrates that corporate server: they would then
have access to customer information from all franchisees. Hence,
maintenance of stringent security protocols, including encryption, access
limitations, and dual authentication procedures, would fall to the
franchisor to implement and enforce through a thorough audit program (see
item 4).
2 - Alternatively, consider outsourcing these functions to two or three
trusted data security firms that you have thoroughly vetted and researched.
And require franchisees, through contractual provisions in the franchise
agreement, to use one of them. This front loads the franchisor's due
diligence, but it allows day-to-day security to be handled off-site (for a
price, of course).
3 - As a corollary to item 2, franchisors should require all franchisees to
comply with PCI-DSS. As mentioned, many franchisee data infiltrations come
through the POS devices used to accept credit card payments at the
individual units. Since part of PCI-DSS involves hardware requirements for
POS devices, requiring franchisees to comply with these requirements will
minimize the risk of a data breach (and they must do it anyway if they want
to process credit card payments at all).
4 - With all of the above items, franchisee compliance with data security
requirements must be rigorously enforced through regular privacy audits.
Whether the franchisor employs outside vendors or does the job in-house, a
thorough audit of each franchisee should be conducted at least once a year
and should include a review of adherence to set access controls, encryption
and password protocols, software updates, employee training, and the
documentation of any security anomalies or incidents. Noncompliance (or the
failure to cure any defects within a reasonable time) should prompt severe
sanctions, including possible termination.
5 - You can never be too prepared, but instituting and regularly testing a
PCI-DSS Incident Response Plan would help reduce the fallout after a data
breach occurs. When you do have a cyber intrusion, it is also a good idea
to let your lawyers hire the outside forensic consultants to keep the
investigation confidential as work product.

Franchisors go to great lengths to ensure the consistency of their brand
across franchisees and locations, yet this diligence may not extend to
information systems and cybersecurity. Fix that oversight and your system
stands a better chance of weathering the storm when a data breach occurs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180611/f502440f/attachment.html>