Recent headlines illustrate that the slew of retail data breaches continue, and are unlikely to abate in the near future. Among the latest news items, the Payment Card Industry Security Standards Council issued a bulletin advising retailers to review security controls to ensure protection against Backoff malware, and Krebs on Security reported a possible Dairy Queen breach at a number of stores in several states. While the latter event has yet to be confirmed, it sheds light on a key security challenge of the franchise model.
When contacted by security blogger Brian Krebs, Dairy Queen acknowledged that it has no established policy requiring its franchisees to alert corporate headquarters to card breaches or other security issues. While Dairy Queen is currently in the spotlight it is by no means alone in this practice. The distributed nature of the franchise model means that it often undercuts many of the security standards implemented by larger enterprises. Franchise locations bear the same name and branding as the corporate entity, but often manage their own technology operations and IT investments separately from the brand itself. This means not only are corporate headquarters often not alerted when a breach occurs, it also lacks insight and control over the tools its franchisees are using that could be contributing to the security threat.
To cut costs, many franchises utilize remote access tools with simple and/or shared credentials with no multi-factor requirement—making them an easy target for hackers. In fact, according to the 2014 Verizon Data Breach Investigations Report the shared vector for major point of sale (POS) attacks is third-party remote access software. Krebs' article quotes a director at an advisory firm stressing the importance of a corporate-wide policy for data breach notification, but I encourage retailers to take it a step further.
In order to truly protect the brand — and its customers — franchisors should implement a secure, centrally managed in-house remote support system.
As part of this, franchisors should:
- Ensure the remote support solution can capture and store session logs of all activity, providing a record of how the technology is being utilized — and by whom. That way, all remote access to individual store POS systems is centrally audited and recorded as a condition of the franchise agreement.
- Require separate, unique credentials for every technician.
- Configure the remote support solution to require multi-factor authentication.
- Block access to unauthorized remote access tools.