Skip to Content



Cybersecurity essentials for franchises: Prevent, respond, comply

August 30, 2022 Article 6 min read
Authors:
Scott Petree Sarah Pavelek
It’s not news that franchises are at major risk of cyberattacks, but many in the industry fail to give cybersecurity the attention it deserves. Fortify your data protection with these three activities that offer strong payoff for your efforts.
Two business professionals in casual clothing using a handheld tablet device together while standing.The factors that make a franchise successful — multiple locations, a variety of franchisees, and loads of customers — are the same that make it an attractive target for cyber scammers. Large amounts of customer data held in multiple locations, coupled with a lack of clarity around franchisor and franchisee responsibilities, present a huge cybersecurity risk to franchises.

A data breach threatens your reputation and your finances — both areas that have significant influence on the success or failure of your business. And the financial impact of a cyberattack is rising; according to the 2021 IBM Security Cost of a Data Breach Report, over the last year alone, the cost of an incident increased by nearly 10%.

Over the last year alone, the cost of an incident increased by nearly 10%.

Not sure how to start protecting your business? Focus on these three items first: risk assessments, incident response plans, and PCI compliance. There are many ways to improve your cybersecurity program, but our experience working with franchise clients shows these three will give you the biggest return on your investment. 

Risk assessments

When’s the last time you’ve assessed your cybersecurity risk? If you can’t remember (or your answer is never), this should be step one. A risk assessment will allow you to determine where your biggest threats are and help you develop solutions to protect your organization. Your goal is to figure out how well you’re protecting yourself and make a plan to fill the gaps.

Risk assessments aren’t something to hand off to your IT team and forget about — key C-suite members should be involved as well. Chief financial officers (CFOs) in particular will want to be involved so they can understand the cost of the controls in place compared to the cost of being ill-prepared or unprotected. It’s also an important exercise to make sure you’re spending money in the right places. In essence, don’t waste resources on low-risk areas while neglecting the higher-risk areas.

A good risk assessment will answer these questions:

  • What data are you trying to protect (e.g., credit card information, employee data)?
  • Where is the data stored (e.g., systems/applications and physical devices such as servers and mobile devices)?
  • What are the risks to data and systems, and how likely are they to result in an incident (e.g., unauthorized access, malware or ransomware, your point-of-sale (POS) becoming unavailable)?
  • What will the impact be if data and systems are breached?
  • What are the controls currently in place to protect them?
  • Who’s responsible for the data, systems, and controls (between the franchisor and franchisee)?
  • What’s the residual risk — the risk left over after determining existing controls in place — and is it acceptable? 

If you can’t answer any of these questions, you’ve found your next step. As you work through filling in any gaps, keep in mind that you can never mitigate 100% of the risk. Some level of risk will always be present, which is why incident response planning — our next action item — is so important.

Note: PCI DSS compliance requires a risk assessment. Avoid doubling your workload by considering PCI DSS compliance rules as you go through your primary risk assessment. Find more on this below.

Incident response planning

Do you know what to do if you’re hit by a cyberattack? Who to call? What to tell customers if a hacker gets access to their data? Will you even recognize when you’ve had a cybersecurity breach?

The worst time to determine your incident response plan (IRP) is once that incident has already happened — but it’s a story we hear over and over. Simply planning out what you’ll do during a cyberattack before it happens can streamline the response process in the midst of an event — when it’s most critical to act swiftly and strategically.

The worst time to determine your incident response plan (IRP) is once that incident has already happened.

Your IRP needs to address:

  • How people will know when an event has occurred (it’s not always obvious immediately.)
  • Who needs to be notified of the event.
  • Who’s responsible for what roles.
    • What are IT staff responsible for?
    • What are non-IT staff responsible for?
  • When an event gets elevated to the level of an incident.
  • What third parties you’ll call on if IT lacks the resources to analyze the incident. (Note: Cyber forensics services are an effective way to handle damage control.)
    • Third parties should be cleared with your cyber insurance before you add them to your list.
  • How you’ll contain the incident.
  • How you plan to remove the bad actors and any malicious tools they’ve left behind.

Once you have your incident response plan in place, test it — then retest annually. The most important factor here is communication. Everyone needs to understand their roles and responsibilities, tests should be discussed thoroughly, and incident debriefs are a must. These tests and discussions will help you refine, improve, and modernize your plan as needed.

PCI DSS compliance

One of the biggest risks of a cybersecurity event — and one that could be most fatal to your business — is the potential financial fallout. And with the volume of data franchises store and process, the risk of a cyber event is even higher. Couple that with stringent data security requirements (and thus, penalties) imposed by leading credit card companies, and franchises are especially vulnerable to financial strain caused by a cyberattack.

Enter Payment Card Industry (PCI) Data Security Standards (DSS). Put simply, PCI DSS are rules to ensure any company that accepts credit card payments has a secure environment to limit credit card issuers’ risk exposure. While PCI DSS compliance isn’t required, merchants and service providers are subject to severe action from credit card companies if they fail to comply. As such, not only does it pay to be proactive, PCI DSS compliance should be a top priority for your cybersecurity program.

The starting point for implementing this framework is the PCI DSS compliance assessment. The assessment has six main goals:

  1. Build and maintain a secure network.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program.
  4. Implement strong access control measures.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy.

However, these six goals cover 12 requirements and over 300 controls, so it can be somewhat complex and timely to complete. That’s why we recommend having someone outside of your IT team verify compliance, whether it’s a CFO, COO, compliance officer, or third-party QSA firm.  Further, the latest iteration — PCI DSS 4.0 — has even stronger requirements to help keep your data safe, including risk assessments that must be conducted by organizations to evaluate your payment card risks and verify that you’re compliant.

Not only will a PCI DSS framework help you control risk and safeguard data, it’ll also help you avoid fines, lawsuits, and other debilitating disruptions due to noncompliance — like insurance issues, damage to your brand, or even losing the right to process major credit cards. PCI DSS compliance may not be your first thought when it comes to cybersecurity, but if you want to be conservative with your time, avoid financial strain, and get the most out of your cybersecurity investments, it’s a smart choice.

Not only will a PCI DSS framework help you control risk and safeguard data, it’ll also help you avoid fines, lawsuits, and other debilitating disruptions.

Get started

Think of cybersecurity like insurance — a small investment now can prevent a major financial blow later. When it comes to cyberthreats, it’s not a matter of if, but when. As the cost of an attack rises, franchisors and franchisees need to come together to implement a plan and follow through. Remember, the cost isn’t just financial — a breach of your customer data can cause irreparable damage to your brand. If your current IT team lacks the resources to act now, engage the right experts to get the support you need as soon as possible.

Related Thinking

August 26, 2022

Professional services playbook: Questions to consider in an evolving industry

White Paper 10 min read
July 1, 2022

Taxation of pool advertising funds

Article 2 min read
June 21, 2022

Cybersecurity risk in the franchise industry: Don’t wait until it’s too late

Webinar 49 min watch