In the spring of 2017, Chipotle announced “most” of its more than 2,200 locations were affected by a malware hack that exposed customer credit card information. The company was already in “brand management” mode after experiencing food-borne illness outbreaks, and the hack was another crisis that the company wished never occurred.
While companies cannot prevent every single attack, especially against sophisticated and dedicated hackers, there are several steps franchises can take to make them a less inviting target. Hackers are focusing on franchises because they have so many data entry points. The corporate office manages data, as does the individual franchises, and there is a security risk with every computer terminal or POS system.
Proper data management practices are essential for keeping proprietary internal and customer data away from the hands of hackers. Here are steps every franchise operator should take to organize, store, and protect data:
- Create a plan. Both franchisees and the corporate management need a formal data plan. For the individual franchise, this plan should detail the various sources of data and denote which people are responsible for handling that data. With a written plan the franchise creates transparency and accountability, and gives every employee a role in keeping information safe. The plan should be as comprehensive as possible and could include for example: how often the POS system should be updated, who sets system passwords, and how franchises should submit data to corporate.
- Organize the information. Franchises generate a considerable amount of data, and it should be very clear where this information is routed and how it is stored. There’s data coming through the POS systems, as well as inventory info, internal marketing data, and financials on the franchise’s performance metrics. Storing all of this information at a centralized location is imperative. It’s not only a safer approach, but also more efficient. Organization also encourages transparency and helps the company protect data from loss. And the costs of loss can be great. Wendy’s experienced a data breach and not only lost the faith of some customers, but was then subject to lawsuits from various financial institutions.
- Backup the backup data – and back it up again. Organizing the data into a central location is useful for productivity and accessibility, but not protection. Franchises should use a mix of physical storage (such as external hard drives) and cloud storage to keep all of this information. They should work closely with corporate to understand any requirements on data storage and rules about backing up important information. Storage is exceedingly inexpensive, and is a classic “risk/reward” where the risk of a small amount of cash and some operational time is greatly outweighed by the risks of data loss. Franchise managers should utilize secure cloud-based storage instead of placing sensitive information on their laptops. And they can then duplicate the information onto another provider’s cloud platform for extra peace of mind.
- Use and update virus and malware protection. Franchises and the corporate office should both employ the latest virus and malware tools, so their systems can detect and proactively stop breach attempts. Franchisees should ensure their POS solutions are auto-updating so they can be certain the system will be covered under security patches or the latest virus definitions.
- Manage data access. Preventing breaches is often a people problem. A disgruntled employee might decide to give an outside agent their credentials. Or an employee forgets their training and makes a password of “1234” for their POS login. The franchise owner should work under corporate guidelines to restrict data access and have the ability to revoke access credentials as needed. If an employee quits, then the franchise manager must be able to remove their login info immediately. It’s another aspect of security that requires transparency. Franchise owners must have an understanding of who is accessing the company’s information and whether or not that access is appropriate.
Both individual franchise owners and the corporate management should be concerned about data management and preventing security breaches. Even if a data-loss event occurs at just only one franchise, the consumers in another state might lose faith in the franchise brand as a whole.
David Zimmerman is the CEO of LC Technology International Inc, a global leader in data recovery, file system utilities and data security technology. Clients include original equipment manufacturers, local, state and federal law enforcement agencies, corporate security specialists and IT consultants, among others. Available worldwide and published in more than 24 different languages, LC Technology products are available direct or through several major manufacturers. Founded in 1997, LC Technology is based in Clearwater, Florida.