Why Franchisees Are on Cybercriminals' Radar

With big-name corporations making headlines for data breaches, small franchisees may feel like they wouldn't be a target for hackers. This couldn't be further from the truth.

By Phil Smith Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.


As we have seen from the string of data breaches this past year, any business -- no matter the size -- can fall victim to a data breach. Yet, many small and medium-sized businesses (SMBs) still have that "it won't happen to me" mentality. They assume criminals are after the "big guys," the businesses that store, process and transmit thousands of payment cards daily.

That false assumption actually makes SMBs more susceptible to being breached because it hinders them from making security a top priority.

Many franchisees fall under that umbrella, and unfortunately, they also face their own set of security challenges. Franchisees have different options when it comes to securing their information: they either adopt the same security strategy as the corporate office or as an association they belong to (e.g. a grocers' association), or they build their own. Each of these options creates its own challenges for the franchisee when it comes to protecting valuable information.

Below are the disadvantages of each option:

Using the same strategy as corporate headquarters

To fill the gap, the franchisee adopts the same security strategy as the corporate office. However, some of those organizations have their own security weak spots, which are then passed down to the franchisees. If a franchisor uses a web application with unpatched security vulnerabilities and its franchisees use that same application, both are opening the door to a criminal.


Going the in-house route

Some franchisees choose to manage their own security because of their lack of resources. By going this route, they may unknowingly make mistakes or simply overlook security due to other revenue-generating priorities.

For example, when our experts conduct a risk assessment for a franchisee, we often see the POS system being used as just another computer. The cashier uses the same system to accept payment cards and to browse the web. That kind of setup significantly elevates the business's risk of being breached: a criminal can craft a targeted email to an employee that contains a malicious link. Once the employee clicks the link, malware is downloaded onto the machine, which, because it is also the POS system, gives the criminal access to all of the customers' payment card information.


Third-party companies

Many franchisees outsource their point-of-sale (POS) systems to a third-party service provider. However, unbeknownst to the franchisee, many third-party service providers do not adhere to security best practices.

For example, they use the same default, weak password to remotely access all of their customers' POS systems. Criminals know that by guessing a single third-party provider's remote access password, they can gain access to all of that provider's customers' systems. This pitfall makes franchisees more appealing targets.

How to overcome these challenges

No matter which model franchisees choose, they should ensure certain security best practices are in place to minimize their risk of a breach. Their security program should begin with a risk assessment, so they can identify where their valuable data lives and how it moves. They should also conduct vulnerability scanning across all assets, followed by penetration testing of the most critical assets, to identify and remediate security weaknesses. This scanning and testing should be performed on a regular basis, and especially after any change to the environment (e.g. adding a new POS system). Franchisees should then deploy security technologies that cover all of their attack vectors. These include anti-malware technologies that detect and filter out malware in real time, network access control so that only those who need access to the franchisee's most valuable data get it, web application firewalls to segment the critical data from non-critical data, and intrusion detection technologies, among others.


They should also incorporate basic security best practices, such as using their POS systems only for payment transactions, using complex passwords or passphrases to access their applications, networks and databases, and making sure their anti-virus is up to date and all software is patched.

If they use a third-party provider, they should build into their contracts the security measures the provider must take to protect their information. The new version of the Payment Card Industry Data Security Standard (PCI DSS 3.0), which any business that stores, processes or transmits payment card data is required to follow, also strengthens security between businesses and third-party providers by mandating that providers use a different password for each customer and two-factor authentication.
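The two provider-side controls described here, one credential per customer and a second factor on every remote-access account, can be audited against a credential inventory. The following is an added example, not code from the article or from Trustwave; the inventory entries and field names are constructed, and in practice they would be exported from the provider's password vault or remote-access tool.

```python
"""Audit a remote-access credential inventory for credentials shared across
customers and for accounts with no second factor. Example code, not from
the article; INVENTORY is a constructed sample."""
import hashlib
from collections import defaultdict

# Constructed sample: one support account per franchisee customer.
# Three customers share the same remote-access password; one customer
# reuses a password between two of its own accounts (not a cross-customer
# finding); two accounts have no second factor.
INVENTORY = [
    {"customer": "franchisee-a", "account": "support", "password": "Welcome1!", "mfa": False},
    {"customer": "franchisee-b", "account": "support", "password": "Welcome1!", "mfa": False},
    {"customer": "franchisee-c", "account": "support", "password": "Welcome1!", "mfa": True},
    {"customer": "franchisee-d", "account": "support", "password": "x7#Qm!9vLq2rTz", "mfa": True},
    {"customer": "franchisee-d", "account": "backup", "password": "x7#Qm!9vLq2rTz", "mfa": True},
]


def fingerprint(secret):
    """Short hash so a report can name a shared secret without printing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def shared_across_customers(inventory):
    """Return {fingerprint: sorted customers} for every secret used by two or
    more distinct customers. Reuse inside a single customer is not counted."""
    customers = defaultdict(set)
    for entry in inventory:
        customers[fingerprint(entry["password"])].add(entry["customer"])
    return {fp: sorted(c) for fp, c in customers.items() if len(c) > 1}


def accounts_without_mfa(inventory):
    """Return sorted (customer, account) pairs that lack a second factor."""
    return sorted((e["customer"], e["account"]) for e in inventory if not e["mfa"])


def audit(inventory):
    """Produce one finding line per violation of the two controls."""
    findings = []
    for fp, custs in shared_across_customers(inventory).items():
        findings.append(f"credential {fp} shared by {len(custs)} customers: {', '.join(custs)}")
    for cust, acct in accounts_without_mfa(inventory):
        findings.append(f"no second factor on {cust}/{acct}")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```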

Security technologies and services are only as effective as the people who manage them. If franchisees do not have the staff and skills to make sure their controls are installed, fine-tuned, monitored and working properly at all times, they should consider augmenting their in-house staff by partnering with experts.

All of these steps can help franchisees strengthen their security and prevent a breach. However, there is no silver bullet to security. That's why franchisees need to be prepared for a breach by creating and testing an incident response readiness plan. If they know how to detect and respond to a breach, they can significantly minimize the damage and get back to "business as usual" as quickly as possible.


Phil Smith

SVP of Government Solutions and Special Investigations at Trustwave

Phil Smith is Senior Vice President of Government Solutions and Special Investigations at information security company Trustwave. In addition to leading the company’s strategy for the government sector, he has global responsibility for incident response and data breach investigations conducted on behalf of both corporate and government clients. He has more than 15 years of data security and forensic investigation experience, and 14 years of federal criminal investigative and prosecutorial experience.
