This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
In February 2016, quick service restaurant The Wendy’s Company reported unusual payment card activity affecting some of its franchise restaurants. The breach was confirmed in May when the company revealed it had found evidence of malware on the affected stores’ point-of-sale systems. Additional malicious activity was later reported in June.
In a statement from the CEO, the company says it believes the cyberattacks resulted from service providers’ remote access credentials being compromised, allowing access – and the ability to deploy malware – to some franchisees’ point-of-sale systems.
It's important to note that Wendy’s doesn’t own the locations that experienced the breaches. But it does own the “Wendy’s” brand on the door, and it’s this brand that suffered a reputation hit because of the data breaches. Wendy’s isn’t alone in its misfortune; Subway, Dairy Queen, Wyndham Hotels, UPS and numerous other organizations have been hurt by franchise locations that experienced a data breach.
This reveals a weak spot in the America business market, where 4% of small businesses are franchises of more than 1,500 brands. There are some 785,000 franchise units of various brands of restaurants, hotels, gyms, car services, home services, personal services, and so on. Typically they are independent small businesses that do not have the resources, knowledge or expertise to implement strong cybersecurity practices to protect not only their own businesses but also the major brands they represent.
In an article published by Franchising.com, attorneys David Zetoony and Louise Nutt recommended to brand owners they require franchisees to notify them of security incidents. The lawyers write, “To protect the brand and to ensure that data security incidents are handled quickly and appropriately, franchisors should consider requiring franchisees to report data security incidents to them immediately, to fully comply with any legal obligation to investigate the incidents, and, if legally required, to report the incident to governmental authorities and consumers.”
Notification after a breach may be the approach to take for legal requirements, but a much better practice would be to put some sort of cybersecurity system in place to aid in prevention, detection and response/remediation. In other words, prevent the breach instead of report it.
Threats are becoming more pervasive and more sophisticated, and small businesses that thought they were below the radar are now prime targets. Just last year, a breach resulting in malware infection of Oracle’s MICROS point-of-sale system, used in more than 330,000 cash registers around the world, put numerous retailers at risk of data theft. Many small businesses have no way to detect a compromise of their systems until banks, credit card companies, or law enforcement notify them of the problem.
The managed data and network security service provider Netsurion has just released a new service targeted at multi-location businesses – like franchises – to provide advanced threat detection solutions. The service, SIEM-at-the-Edge, includes the implementation of EventTracker SIEM technology directly on the local business’s workstations, and combines security event monitoring capabilities with managed detection and response (MDR).
SIEM (security information and event management) is not something that is typically deployed by small businesses due to the complexity and cost. Most small businesses and franchise locations don’t have IT expertise on premise, so there’s rarely anyone there to monitor for security events and respond to incidents as they occur.
Netsurion says its service eliminates those concerns. The only thing installed at the local site is a sensor on existing workstations or servers. The sensor sends event information to Netsurion where it is put into the EventTracker SIEM for collation and analysis. If a security event is suspected or confirmed, Netsurion can take action.
For example, consider a case where malware gets installed on a franchise business’s server. This might not get detected by anti-virus software, depending on when it was last updated with known signatures. Netsurion looks at everything that gets loaded onto a system. When something new pops up it compares a hashed version across 57 different anti-virus systems. If enough of those detection methods raise a red flag, Netsurion identifies the software as problematic. From there it can be quarantined until someone is able to confirm it as good or bad.
Netsurion has a stable of security analysts who do this without any input from the customer location, if desired. If the software is confirmed malicious, it is removed before it can do damage.
A single location can engage with Netsurion for this service, or a brand can recommend to all its franchisees to utilize this service. In the latter case, the data from all locations can be aggregated to see events that affect more than one location. For instance, this could have been helpful in the Wendy’s scenario where numerous (but not all) stores were infected and subsequently breached. A detection of malware in one location could have triggered an immediate investigation at all other locations.
For stores that do have a local IT presence that can respond to events, Netsurion can send alerts and let the business do its own follow-up and response. The customer can choose if it wants an automated response from Netsurion, or if it only wants to receive alerts. Netsurion distills the events to ensure the customer isn’t overwhelmed with too many alerts.
Netsurion says its SIEM-at-the-Edge is a subscription service with monthly fees ranging from $20 to $50.