The factors that make franchises successful — multiple locations, a variety of franchisees, and loads of customers — also make them an attractive target for cyber scammers. Large amounts of customer data held in multiple locations, coupled with a lack of clarity around franchisor and franchisee responsibilities, present a huge cybersecurity risk to franchises.
A data breach threatens both your reputation and your finances — areas that critically impact the success of your business. And the financial impact of a cyberattack is rising; according to the 2023 IBM Security Cost of a Data Breach Report, the average cost of a data breach rose to USD 4.45 million, a 15.3% increase since 2020.
Not sure how to start protecting your business? Focus on these three items first: risk assessments, incident response plans, and PCI compliance. There are many ways to improve cybersecurity for companies, but our experience working with franchise clients shows these three will give you the biggest return on your investment.
Risk assessments
When’s the last time you performed a cybersecurity risk analysis? If you can’t remember (or your answer is never), this should be step one. A cybersecurity risk assessment allows you to determine where your biggest threats are and helps you develop solutions to protect your organization. Your goal is to figure out how well you’re protecting yourself and to fill the gaps. Take our seven-point cybersecurity assessment to identify your organization’s risks.
Cybersecurity risk assessments aren’t something to hand off to your IT team and forget about — key C-suite members should be involved as well. Chief financial officers (CFOs) in particular will want to be involved so they can understand the cost of the controls in place compared to the cost of being ill-prepared or unprotected. It’s also an important exercise to make sure you’re spending money in the right places. In essence, don’t waste resources on low-risk areas while neglecting the higher-risk areas.
A good risk assessment answers these questions:
- What data are you trying to protect (e.g., credit card information, employee data)?
- Where is the data stored (e.g., systems/applications and physical devices such as servers and mobile devices)?
- Are you storing the data, or is it being stored by a third-party cloud provider or data center?
- What are the risks to data and systems, and how likely are they to result in an incident (e.g., unauthorized access, malware or ransomware, your point-of-sale (POS) becoming unavailable)?
- What will the impact be if data and systems are breached?
- What are the controls currently in place to protect them?
- Who’s responsible for the data, systems, and controls between the franchisor and franchisee?
- What’s the residual risk — the risk left over after determining existing controls in place — and is it acceptable?
If you can’t answer any of these questions, you’ve found your next step. As you work through filling in any gaps, keep in mind that you can never mitigate 100% of the risk. Some level of risk will always be present, which is why incident response planning — our next action item — is so important.
Note: if a PCI DSS compliance assessment is in your future, you’ll be required to do a risk assessment as part of that process. You can avoid doubling your workload by considering PCI DSS compliance rules as you go through your primary risk assessment. Find more on this below.
Incident response planning
Do you know what to do if you’re hit by a cyberattack? Who to call? What to tell customers if a hacker gets access to their data? Will you even recognize when you’ve had a cybersecurity breach?
The worst time to determine your incident response plan (IRP) is once that incident has already happened — but it’s a story we hear over and over. Simply planning out what you’ll do during a cyberattack before it happens can streamline the response process during an unwanted event — when it’s most critical to act swiftly and strategically.
Your IRP needs to address:
- How people will know when an event has occurred (it’s not always obvious immediately.)
- Who needs to be notified of the event.
- Who’s responsible for what roles.
- What are IT staff responsible for?
- What are non-IT staff responsible for?
- When an event gets elevated to the level of an incident.
- What third parties you’ll call on if IT lacks the resources to analyze the incident. (Note: Cyber forensics services are an effective way to handle damage control.)
- Third parties should be cleared with your cyber insurance before you add them to your list.
- How you’ll contain the incident.
- How you plan to remove the bad actors and any malicious tools they’ve left behind.
Once you have your cyber incident response plan in place, test it — then retest annually. The most important factor here is communication. Everyone needs to understand their roles and responsibilities, tests should be discussed thoroughly, and incident debriefs are a must. These tests and discussions will help you refine, improve, and modernize your plan as needed.
PCI DSS compliance
One of the biggest risks of a cybersecurity event — and one that could be most fatal to your business — is the potential financial fallout. And with the volume of data franchises store and process, the risk of a cyber event is even higher. Couple that with stringent data security requirements (and thus, penalties) imposed by leading credit card companies, and franchises are especially vulnerable to financial strain caused by a cyberattack.
This is where Payment Card Industry (PCI) Data Security Standards (DSS) come in. Put simply, PCI DSS are rules to ensure any company that accepts credit card payments has a secure environment to limit credit card issuers’ risk exposure. While PCI DSS compliance may not be required, merchants and service providers are subject to severe action from credit card companies if they fail to comply. As such, not only does it pay to be proactive, PCI DSS compliance should be a top priority for your cybersecurity program.
The starting point for implementing this framework is the PCI DSS compliance assessment. The assessment has six main goals:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
These six goals cover 12 requirements and over 300 controls, making it somewhat complex and timely to complete. That’s why we recommend having someone outside of your IT team verify compliance, whether it’s a CFO, COO, compliance officer, or third-party qualified security assessor (QSA) firm.
Moreover, as your organization turns its focus on the new requirements for PCI DSS 4.0 (as of March 31, 2024), you should also consider the implementation plan for data safety requirements that are optional until March 31, 2025. This includes risk assessments that must be conducted by organizations to evaluate your payment card risks and verify that you’re compliant.
A PCI DSS framework not only helps you control risk and safeguard data, it’ll also help you avoid fines, lawsuits, and other debilitating disruptions due to noncompliance — like insurance issues, damage to your brand, or even losing the right to process major credit cards. PCI DSS compliance may not be your first thought when it comes to cybersecurity strategy, but if you want to be conservative with your time, avoid financial strain, and get the most out of your cybersecurity investments, it’s a smart choice.
Get started
Think of cybersecurity risk management like insurance — a small investment now can prevent a major financial blow later. When it comes to cyberthreats, it’s not a matter of if, but when. As the cost of an attack rises, franchisors and franchisees need to come together to implement a plan to manage risk — and follow through. Remember, the cost isn’t just financial; a breach of your customer data can cause irreparable damage to your brand. If your current IT team lacks the resources to act now, engage the right experts to get the support you need as soon as possible.
