As we have seen from the string of data breaches this past year, any business -- no matter the size -- can fall victim to a data breach. Yet, many small and medium-sized businesses (SMBs) still have that “it won’t happen to me” mentality. They assume criminals are after the “big guys,” the businesses that store, process and transmit thousands of payment cards daily.
That false assumption actually makes SMBs more susceptible to being breached because it hinders them from making security a top priority.
Many franchisees fall under that umbrella, and unfortunately, they also face their own set of security challenges. Franchisees have different options when it comes to securing their information: they either adopt the same security strategy as the corporate office or as an association they belong to (e.g. a grocers' association), or they use their own. Each of these options creates its own challenges for the franchisee when it comes to protecting valuable information.
Below are the disadvantages of each option:
Using the same strategy as corporate headquarters
To fill the gap, the franchisee adopts the same security strategy as the corporate office. However, some corporate organizations have their own security weak spots, which are then passed down to the franchisees. If a franchisor uses a web application with unpatched security vulnerabilities and its franchisees use that same application, both are opening the door to a criminal.
Going the in-house route
Some franchisees choose to manage their own security because of their lack of resources. By going this route, they may unknowingly make mistakes or simply overlook security due to other revenue-generating priorities.
For example, when our experts conduct a risk assessment for a franchisee, we often see the POS system being used as just another computer: the cashier uses the same machine to accept payment cards and browse the web. That kind of setup significantly elevates the business's risk of a breach, because a criminal can craft a targeted email to an employee that contains a malicious link. Once the employee clicks the link, malware is downloaded onto the machine, which, because it is also the POS system, gives the criminal access to all of the customers' payment card information.
Outsourcing to a third-party provider
Many franchisees outsource their point-of-sale (POS) systems to a third-party service provider. However, unbeknownst to the franchisee, many third-party service providers do not adhere to security best practices.
For example, they use the same default, weak password to remotely access all of their customers' POS systems. Criminals know that by simply guessing one third-party provider's remote access password, they can gain access to all of its customers' systems. This pitfall makes franchisees more appealing targets.
How to overcome these challenges
No matter which model franchisees choose, they should ensure certain security best practices are in place to minimize their risk of a breach. Their security program should begin with a risk assessment, so they can identify where their valuable data lives and how it moves. They should also conduct vulnerability scanning across all assets, followed by penetration testing of the most critical assets, to identify and remediate security weaknesses. This kind of scanning and testing should be performed on a regular basis, and especially after any change to their environment (e.g. adding a new POS system). Franchisees should then deploy security technologies to protect all of their attack vectors. These include anti-malware technologies that can detect and filter out malware in real time, network access control so that only those who need access to the franchisee's most valuable data get it, web application firewalls to segment the critical data from non-critical data, and intrusion detection technologies, among others.
They should also incorporate basic security best practices such as using their POS systems only for payment transactions, using complex passwords or passphrases to access their applications, networks and databases, and making sure their anti-virus is up to date and all software is patched.
If they use a third-party provider, they should build into their contracts the security measures the provider must take to better protect their information. The new version of the Payment Card Industry Data Security Standard (PCI DSS 3.0), which any business that stores, processes or transmits payment card data is required to follow, also helps strengthen security between businesses and third-party providers by mandating that providers use different passwords to access each customer and use two-factor authentication.
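One way to check a provider's remote-access inventory for the pitfalls described above (the one password shared across every customer's POS system, and the PCI DSS 3.0 expectations of a per-customer credential and two-factor authentication), as an added example that is not part of the original article; the data model, the default-password list and the sample inventory are constructed for illustration:

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Passwords a provider should never be using.  The list is constructed
# for this example, not taken from any real product.
KNOWN_DEFAULTS = {"password", "admin", "pos1234", "123456"}

@dataclass(frozen=True)
class RemoteAccount:
    """One remote-access account a provider holds for one customer site."""
    customer: str
    username: str
    credential_fp: str  # fingerprint of the password, never the plaintext
    mfa_enabled: bool

def fingerprint(password: str) -> str:
    """Unsalted SHA-256 so equal passwords yield equal fingerprints; this
    is for comparison inside an audit, not for storing credentials."""
    return hashlib.sha256(password.encode()).hexdigest()

def audit(accounts: list[RemoteAccount]) -> dict[str, list]:
    """Flag the three failure modes: one credential reused across several
    customers, a known default in use, and remote access without MFA."""
    findings: dict[str, list] = {"shared": [], "default": [], "no_mfa": []}
    customers_by_fp: dict[str, set[str]] = defaultdict(set)
    default_fps = {fingerprint(p) for p in KNOWN_DEFAULTS}
    for acct in accounts:
        customers_by_fp[acct.credential_fp].add(acct.customer)
        if acct.credential_fp in default_fps:
            findings["default"].append(acct.customer)
        if not acct.mfa_enabled:
            findings["no_mfa"].append(acct.customer)
    for customers in customers_by_fp.values():
        if len(customers) > 1:  # one password opens more than one customer
            findings["shared"].append(sorted(customers))
    return findings

# Constructed inventory: two sites still on the provider's default password.
SAMPLE_ACCOUNTS = [
    RemoteAccount("Store 12", "svc_remote", fingerprint("pos1234"), False),
    RemoteAccount("Store 34", "svc_remote", fingerprint("pos1234"), False),
    RemoteAccount("Store 56", "svc_remote", fingerprint("Wq7#r2Lm!x"), True),
    RemoteAccount("Store 78", "svc_remote", fingerprint("Zt4$kP9v@e"), False),
]
```

Running `audit(SAMPLE_ACCOUNTS)` reports the two stores that share the default password, and the three whose remote access has no second factor; a clean inventory returns three empty lists.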
Security technologies and services are only as effective as the people who manage them. If franchisees do not have enough manpower and skillsets to make sure their controls are installed, fine-tuned, monitored and working properly at all times, they should consider augmenting their in-house staff by partnering with experts.
All of these steps can help franchisees strengthen their security and prevent a breach. However, there is no silver bullet to security. That’s why franchisees need to be prepared for a breach by creating and testing an incident response readiness plan. If they know how to detect and respond to a breach, they can significantly minimize the damage and get back to "business as usual" as quickly as possible.