CYBERSECURITY AND FRANCHISING : PROTECTING THE BRAND WHILE AVOIDING VICARIOUS LIABILITY (PART 2)

By F. Georges Sayegh

F. Georges Sayegh, A.S.D., C.Adm, FCMC of Quebec and Ontario, is a franchise and technology transfer consultant and author of 18 books on franchising and associated businesses. One of his books is entitled "Trade Secrets and Confidential Information” written in French. To reach him: gsayegh@gsayegh.com; Tel: (514) 216-8458.

This publication is the second and last part of an article published last month. Click here to view the first part.

Franchise strategy for strengthening cybersecurity

An overview of cybersecurity preparedness:

1. Dedicate specific human resources to data security and privacy compliance.

2. Conduct a risk assessment/audit. Map franchise system data by asking the following questions: what information is stored? Who has access? Is it essential? If essential, is it properly encrypted? If it's not essential, should it continue to be stored? Companies should get rid of unnecessary data if it is a reasonable business decision.

3. Involve experts to determine what laws and contractual requirements apply to the franchised system and the data obtained through mapping.

4. Have specialists review the franchise system's data security and privacy policies, create them if necessary or modify them to comply with applicable laws. Ensure consistency between internal policies and policies shared with the public.

5. Select suitable cyber insurance policies for the franchisor and require franchisees to obtain appropriate insurance. Experienced franchise, cybersecurity and insurance consultants as well as risk managers play a critical role here.

6. At the same time, review and update commercial contracts with third parties (e.g., point-of-sale vendors, custom software package providers for a particular franchise network) to ensure consistent and appropriate protection in light of the types of data involved.

7. Review the franchise agreement, operations manual, franchisor manual, training manual, network franchise consultant manual, information technology manual, security manual, and any other system documentation for appropriate protections and policies.

8. Adopt a cybersecurity incident response plan.

In conclusion,

With digital transformation and hyperconvergence creating unintended gateways to risk, vulnerabilities, attacks and failures, a cyber resilience strategy is quickly becoming a necessity for any enterprise. A cyber resilience strategy helps the business reduce risk, financial impact and reputational damage.

Malware often changes configurations before corrupting the data itself. Therefore, it is critical to detect any configuration changes before the actual data is infected. Cyber Incident Recovery's platform configuration feature and others protect configuration data for virtual and physical workloads, applications, storage systems and network devices in onsite, public cloud, hybrid and multi-cloud environments.

Protecting a franchise network is an ongoing process, requiring careful planning. But with the right people, technology and policies in place, every franchisor will have a better chance of finding and fixing vulnerabilities, detecting and thwarting threats and avoiding disasters.

The company should create response plan templates that take into consideration, among other things:

1. Sample Incident Response Plan

• Incident Response Team Responsibilities;
• Testing and Updating Response Models;
• Incident Response Process Overview;
• Incident Response Checklists: Incident Discovery and Confirmation, Containment and Continuity, Eradication, Recovery, Lessons Learned.

2. Incident Response Plan

• Incident Response Team;
• Incident Response Notifications;
• Employee Responsibilities;
• Incident Types;
• Definition of a security breach;
• Procedure for classifying potential incidents;
• Response Procedure;
• Recovery;
• Periodic testing and remediation.

3. Incident Response Model

• Roles, responsibilities, and contact information;
• Threat Classification;
• Compliance and Legal Requirements;
• Incident response phases and actions taken.

4. Security Incident Response Plan

• How to recognize a security incident;
• Roles and responsibilities;
• External contacts;
• Payment cards - what to do if compromised;
• Steps to respond to an incident:

- Report, Investigate, Inform;

- Maintain continuity;

- Resolve and recover;

- Review;

• Specific types of incident response:

- Malware;

- Payment terminal tampering;

- Unauthorized wireless access points;

- Equipment Loss;

- Non-compliance with security policies;

• Periodic testing and updates of IR plan.

5. Technology Department Incident Response Plan.

• Incident response procedure referencing more detailed plans for specific types of incidents such as malware, system outages, active intrusion attempts.

6. Incident Response Model

• Objective;
• Scope;
• Incident definitions and examples;
• Roles and Responsibilities;
• Incident response steps and procedures.

Finally, a cybersecurity awareness training program should be created with practical steps to build a culture of security throughout the organization, including how to:

• Develop a security awareness strategy first;
• Leverage advocates to create an effective awareness program;
• Establish a specific budget covering cyber security programs;
• Present cyber security awareness training to senior managers;
• Promote and strengthen the security awareness program;
• Know where other organizations stand with information and benchmarks;
• Uncover best practices and essential components of an effective program;
• Define your team's roles and responsibilities;
• Develop a more mature incident response plan with actionable steps;
• Connect to industry-leading resources on incident management.

These are just a few things that franchise network managers need to address to move their entire organization toward a safety mindset.