BreachExchange mailing list archives

Why Franchisees Are on Cybercriminals' Radar


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 23 Dec 2014 19:39:28 -0700

http://www.entrepreneur.com/article/241164

As we have seen from the string of data breaches this past year, any
business -- no matter the size -- can fall victim to a data breach.  Yet,
many small and medium-sized businesses (SMBs) still have that “it won’t
happen to me” mentality.  They assume criminals are after the “big guys,”
the businesses that store, process and transmit thousands of payment cards
daily.

That false assumption actually makes SMBs more susceptible to being
breached because it hinders them from making security a top priority.

Many franchisees fall under that umbrella, and unfortunately, they also
face their own set of security challenges. Franchisees have different
options when it comes to securing their information: they either implement
the same security strategy as the corporate office or as an association they
are connected to (e.g., a grocer's association), or they use their own. All of
these options may create challenges for the franchisee when it comes to
protecting their valuable information.

Below are the disadvantages of each option:

Using the same strategy as corporate headquarters

To fill the gap, the franchisee adopts the same security strategy as the
corporate office. However, some of those organizations may have their own
security weak spots that are then passed down to the franchisees. If
franchisors use a web application that has unpatched security vulnerabilities
and their franchisees use that same application, both are opening the door to
a criminal.

Going the in-house route

Some franchisees choose to manage their own security because of their lack
of resources. By going this route, they may unknowingly make mistakes or
simply overlook security due to other revenue-generating priorities.

For example, when our experts conduct a risk assessment for a franchisee,
we often see the POS system being used as just another computer. The
cashier will use the same system to accept payment cards and browse the
web. That kind of setup significantly elevates the business's risk of
getting breached because a criminal can craft a targeted email to an
employee that contains a malicious link. Once the employee clicks on the
link, malware is downloaded onto the machine which, because it's also the
POS system, gives the criminal access to all of the customers' payment card
information.

Third-party companies

Many franchisees outsource their point-of-sale (POS) systems to a
third-party service provider. However, unbeknownst to the franchisee, many
third-party service providers do not adhere to security best practices.

For example, they use the same default, weak password to remotely access
all of their customers’ POS systems. The criminals know that by simply
guessing one third party provider’s remote access password, they can gain
access to all of its customers’ systems. This pitfall makes franchisees
more appealing targets.

How to overcome these challenges

No matter which model franchisees choose, they should ensure certain
security best practices are in place to minimize their risk of a breach.
Their security program should begin with a risk assessment, so they can
identify where their valuable data lives and moves. They should also
conduct vulnerability scanning across all assets, followed by penetration
testing of the most critical assets to identify and remediate security
weaknesses. This kind of scanning and testing should be performed on a
regular basis, and especially if they make any changes to their environment
(e.g., adding a new POS system). Franchisees should then deploy security
technologies to protect all of their attack vectors. These include
anti-malware technologies that can detect and filter out malware in real
time, network access control so that only those who need access to the
franchisee's most valuable data get it, web application firewalls to
segment the critical data from non-critical data, and intrusion detection
technologies, among others.

They should also incorporate basic security best practices such as using
their POS systems only for payment transactions, using complex passwords or
passphrases to access their applications, networks and databases, and making
sure their anti-virus is up to date and all software is patched.

If they use a third-party provider, they should build into their contracts
the security measures the providers must take to better protect their
information. The new version of the Payment Card Industry Data Security
Standard (PCI DSS 3.0), which any business that stores, processes or
transmits payment card data is required to follow, also helps strengthen
security between businesses and third-party providers by mandating that
providers use a different password to access each customer and two-factor
authentication.

Security technologies and services are only as effective as the people who
manage them. If franchisees do not have enough manpower and skill sets to
make sure their controls are installed, fine-tuned, monitored and working
properly at all times, they should consider augmenting their in-house staff
by partnering with experts.

All of these steps can help franchisees strengthen their security and
prevent a breach. However, there is no silver bullet to security. That’s
why franchisees need to be prepared for a breach by creating and testing an
incident response readiness plan. If they know how to detect and respond to
a breach, they can significantly minimize the damage and get back to
"business as usual" as quickly as possible.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/