To optimise the success and operation of a franchising model, which could equally be an organisation with affiliate or agent offices, we recommend that IT security standards be set which the franchisee adheres to. Whilst generic standards and criteria are usually set out as contractual obligations, for example livery and uniforms, operating hours, employees’ terms and conditions, codes of conduct and the business interaction between the franchise and the parent organisation, some standards are not so apparent or are perhaps never specified at all.
Take, for example, the computer infrastructure used to operate a franchise’s Point of Sale (POS) systems. We often see a franchise model that is succeeding in profit terms but putting the parent company at risk through shortfalls in the management and security of the franchise’s IT infrastructure. Sometimes the systems are not standardised, not centrally managed, not kept up to date with endpoint protection, or not running any security software at all.
For a franchise model to be protected and secured against security breaches, the franchise outlet ought to be thought of and treated as part of the organisation itself, even if it is not connected to, or using resources from, the franchising company’s infrastructure. We suggest the franchise be operated as though it were part of the regular enterprise, aligned with the parent infrastructure to include the following:
Monitoring – The franchise outlets should be continually monitored for security events, twenty-four hours a day, seven days a week, by a competent Managed Security Service or Security Operations Centre, and given the same attention as entities within the enterprise system. An agreement for Incident Response services would undoubtedly help support the growth and security of the franchise system.
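As an added example (this is not code from the original article), the following PowerShell shows the kind of detection a Managed Security Service or SOC would run over an outlet’s Windows Security log: a burst of failed logons from one source address, escalated to High when a successful logon from the same address follows shortly afterwards. The event objects, field names (TimeCreated, Id, Account, SourceIp), addresses and thresholds are all constructed for this example; on a live terminal the same four fields can be extracted from Get-WinEvent output for events 4625 and 4624.

```powershell
# Added example, not from the original article: a failed-logon burst detector of the
# kind an MSSP or SOC would run over POS outlet Security logs.

function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, Id, Account, SourceIp
        [int] $Threshold     = 5,                    # failures needed to raise an alert (assumed)
        [int] $WindowMinutes = 10                    # ...within this many minutes (assumed)
    )
    $alerts = @()
    $failed = $Events | Where-Object { $_.Id -eq 4625 } | Sort-Object TimeCreated
    foreach ($group in ($failed | Group-Object SourceIp)) {
        $times = @($group.Group | ForEach-Object { $_.TimeCreated })
        # Slide a window of $Threshold failures along this source's timeline.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $last = $times[$i + $Threshold - 1]
            if (($last - $times[$i]).TotalMinutes -gt $WindowMinutes) { continue }
            # A successful logon (4624) from the same source soon after the burst is the worst case.
            $success = $Events | Where-Object { $_.Id -eq 4624 -and $_.SourceIp -eq $group.Name -and $_.TimeCreated -ge $last -and ($_.TimeCreated - $last).TotalMinutes -le $WindowMinutes } | Select-Object -First 1
            $severity = if ($success) { 'High' } else { 'Medium' }
            $alerts += [pscustomobject]@{
                SourceIp       = $group.Name
                FirstFailure   = $times[$i]
                Failures       = $group.Count
                Accounts       = ($group.Group | Select-Object -ExpandProperty Account | Sort-Object -Unique) -join ','
                SucceededAfter = [bool]$success
                Severity       = $severity
            }
            break   # one alert per source; the analyst pulls the full timeline from the SIEM
        }
    }
    return $alerts
}

# Constructed sample events: a normal shift-start logon, one mistyped password from the
# till, then a password-guessing burst against the POS account from an unexpected
# address that ends in a successful logon.
$t0 = Get-Date '2024-03-01 08:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                Id = 4624; Account = 'pos-operator'; SourceIp = '10.50.1.20' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5);  Id = 4625; Account = 'pos-operator'; SourceIp = '10.50.1.20' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(31); Id = 4625; Account = 'pos-operator'; SourceIp = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(32); Id = 4625; Account = 'pos-operator'; SourceIp = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(33); Id = 4625; Account = 'administrator'; SourceIp = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(34); Id = 4625; Account = 'pos-operator'; SourceIp = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(35); Id = 4625; Account = 'pos-operator'; SourceIp = '198.51.100.7' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(36); Id = 4624; Account = 'pos-operator'; SourceIp = '198.51.100.7' }
)

Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize
```

On the sample data this yields a single High alert for 198.51.100.7 (five failures in four minutes, two accounts tried, success afterwards); the lone mistake from the till at 10.50.1.20 stays below the threshold and is not reported. The same rule maps directly onto a SIEM correlation search, which is where a Managed Security Service would normally run it.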
Operating Systems (OSs) – In our experience there are still many POS systems that are not running supported OSs. Organisations that use outdated and unsupported OSs, such as Windows XP, are at increased risk of attack and exploitation. Migrating to a modern operating system helps reduce the likelihood of an attack.
Patch Management – Security patches for POS systems are critical. The subject of patch management has been visited many times before, but it cannot be over-emphasised. We suggest that centralised management by the franchiser of POS systems, or of any system that conducts payment processing, is a key strategy to help franchise stores reduce their attack surface and therefore the overall risk to data security and the brand.
Principle of Least Privilege (POLP) – POS systems should have layers of security, including access to the system as restricted-privilege users for general functions, together with customised local and global security policies configured so that the actions which can be undertaken on the system itself are limited to authorised personnel.
Application Whitelisting – If available, application whitelisting on the POS system allows only those programs essential to the operation of the processing system to be installed and run, minimising the attack surface of the POS system. Only PCI PA-DSS (Payment Card Industry Payment Application Data Security Standard) compliant applications should be installed on the POS system, and full compliance and security assessments must also be strictly adhered to.
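As an added example rather than part of the original article, the PowerShell below is a local baseline check a franchisor could ask each outlet to run on its POS terminals against four of the points above: a supported OS, patch currency, least privilege on the operator account, and application whitelisting enforced through AppLocker. The operator account name, the 30-day patch age and the rule that anything below Windows 10 is unsupported are this example’s assumptions, and it expects Windows 10 or later with PowerShell 5.1 and the AppLocker cmdlets present; whether the applications themselves are PA-DSS compliant cannot be checked this way.

```powershell
# Added example, not from the original article: a POS baseline audit that a franchisor
# can run on every outlet terminal and collect centrally.

function New-Finding([string] $Control, [bool] $Pass, [string] $Detail) {
    [pscustomobject]@{ Control = $Control; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

function Test-PosBaseline {
    param(
        [string] $OperatorAccount = 'pos-operator',  # assumed name of the day-to-day POS login
        [int]    $MaxPatchAgeDays = 30               # assumed franchise patch SLA
    )
    $findings = @()

    # 1. Operating system still in support. Windows 8.1 and everything older are end-of-life,
    #    so anything below major version 10 fails; adjust as support lifecycles move on.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $major = ([version] $os.Version).Major
    $findings += New-Finding 'Supported OS' ($major -ge 10) "$($os.Caption) (version $($os.Version))"

    # 2. Patch currency: the most recently installed update must be within the SLA.
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $ageDays   = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
    $findings += New-Finding 'Patch currency' ($ageDays -le $MaxPatchAgeDays) "last update $($lastPatch.HotFixID) installed $ageDays day(s) ago"

    # 3. Least privilege: the operator account must not be a member of the local Administrators group.
    $admins  = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $isAdmin = $admins -match "\\$([regex]::Escape($OperatorAccount))$"
    $findings += New-Finding 'Operator not admin' (-not $isAdmin) ('Administrators: ' + ($admins -join ', '))

    # 4. Application whitelisting: the effective AppLocker EXE rule collection must be enforced
    #    and non-empty. "AuditOnly" logs but does not block, so it does not pass.
    try {
        [xml] $policy = Get-AppLockerPolicy -Effective -Xml
        $exe       = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
        $ruleCount = if ($exe) { @($exe.ChildNodes).Count } else { 0 }
        $enforced  = [bool]($exe -and $exe.EnforcementMode -eq 'Enabled' -and $ruleCount -gt 0)
        $findings += New-Finding 'App whitelisting' $enforced "EXE collection: mode=$($exe.EnforcementMode), rules=$ruleCount"
    } catch {
        $findings += New-Finding 'App whitelisting' $false "AppLocker not available: $($_.Exception.Message)"
    }
    return $findings
}

$results = Test-PosBaseline
$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }   # non-zero exit lets central tooling flag the outlet
```

Run as an administrator (group membership and the effective AppLocker policy are not readable otherwise). The non-zero exit code is the useful part for a franchisor: the same script can be pushed to every outlet through the management channel and the failures rolled up, which is far more reliable than relying on each franchisee to self-report.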
Network Segregation – We suggest it is preferable to locate the POS system behind a separate Next-Generation Firewall (NGFW) with strict access control lists (ACLs). Segmenting the system from other (non-payment) processing devices and/or databases is especially important when configuring and controlling remote network access.
Remote Access Controls – Controlling remote access to the POS system is one of the quick IT security wins that many franchises fail to implement, yet it affords a much higher degree of protection. The controls include configuring account lockout settings, limiting the number of users who can remotely authenticate to the system, and enabling two-factor authentication (2FA). Together these all assist in preventing security breaches.
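The following PowerShell is an added example, not part of the original article, showing the host-level counterpart of the last two points on a Windows POS terminal: a default-deny host firewall with an explicit allow-list (so the terminal cannot reach other outlet devices even if the NGFW ACL in front of it is misconfigured), account lockout settings, a trimmed Remote Desktop Users group and Network Level Authentication for RDP. Every address, port and account name is a constructed placeholder (RFC 5737 and RFC 1918 ranges, the WSUS default HTTPS port); substitute the outlet’s real payment gateway, resolver and franchisor management subnet. 2FA for RDP is not shown because it needs a gateway or third-party agent rather than a built-in setting.

```powershell
# Added example, not from the original article: host firewall allow-list and remote
# access hardening for a Windows POS terminal. Run as an administrator from the console
# or the management channel, not over an RDP session that the script may itself cut off.

$PaymentGateway   = '203.0.113.10'   # placeholder: payment processor endpoint (TLS only)
$ManagementSubnet = '10.20.0.0/24'   # placeholder: franchisor support / jump-host subnet
$DnsResolver      = '10.50.1.1'      # placeholder: outlet DNS resolver
$PatchServer      = '10.20.0.15'     # placeholder: franchisor WSUS / management server
$AllowedRdpUsers  = @('franchisor-support')   # placeholder: the only account allowed to RDP in

# --- Network segregation: block everything in both directions, then allow only what the POS needs ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

$rules = @(
    @{ DisplayName = 'POS: DNS to outlet resolver';     Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = 53;   RemoteAddress = $DnsResolver }
    @{ DisplayName = 'POS: HTTPS to payment gateway';   Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 443;  RemoteAddress = $PaymentGateway }
    @{ DisplayName = 'POS: updates from patch server';  Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 8531; RemoteAddress = $PatchServer }
    @{ DisplayName = 'POS: RDP from management subnet'; Direction = 'Inbound';  Protocol = 'TCP'; LocalPort  = 3389; RemoteAddress = $ManagementSubnet }
)
foreach ($r in $rules) {
    # Re-runnable: replace an existing rule of the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule @r -Action Allow -Profile Any | Out-Null
}

# --- Remote access controls ---
# Account lockout: 5 bad passwords within 30 minutes locks the account for 30 minutes (assumed values;
# on a domain-joined terminal the domain policy governs domain accounts).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Limit who can authenticate over RDP to the named support account only.
$rdpGroup = 'Remote Desktop Users'
$current  = @(Get-LocalGroupMember -Group $rdpGroup)
foreach ($m in $current) {
    $short = $m.Name.Split('\')[-1]           # strip the COMPUTER\ or DOMAIN\ prefix
    if ($AllowedRdpUsers -notcontains $short) { Remove-LocalGroupMember -Group $rdpGroup -Member $m.Name }
}
$currentShort = @($current | ForEach-Object { $_.Name.Split('\')[-1] })
foreach ($u in $AllowedRdpUsers) {
    if ($currentShort -notcontains $u) { Add-LocalGroupMember -Group $rdpGroup -Member $u }
}

# Require Network Level Authentication so credentials are verified before a desktop session exists.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -Type DWord
```

The outbound default-deny is deliberately strict: anything else the terminal legitimately needs (time synchronisation, the POS vendor’s own update endpoint, a receipt printer on the LAN) has to be added to the allow-list, and a good way to discover those needs is to run the same rule set in the NGFW in logging mode first. Removing users from Remote Desktop Users is also where a vendor’s shared support account tends to surface; that is exactly the kind of remote access the franchisor should know about.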
User Behaviour – Like any other enterprise, the franchise system has an unintended human weakness in that users do not always consider their job from an IT security perspective. POS systems should only be used for their intended purpose and not for other activities such as browsing the Internet or accessing email and social networking sites. End-user education and awareness of the importance and sensitivity of the POS system is vital and should be integrated into employee induction and subsequent training programmes.
In general, we propose it is important to view the franchise outlet, from an IT security standpoint, as though it were part of the enterprise: an extension of the parent company network. The same security policies, architecture and user protocols should be applied across the infrastructure. These factors all play a vital role in ensuring that systems are properly protected and the likelihood of data breaches minimised, protecting not only data assets but also the brand itself and consumer trust.