Franchisor IT Admin’s Cyber Security Recommendations for Franchisees

It was probably the most emotionally charged presentation I’ve given in my twenty years in business.

There is no doubt that every meeting is a sales meeting, and Cyber Security Risk Assessment Reviews are no different. Some clients and prospects view these meetings as a scare tactic to get them to buy more cyber security services, but when vulnerabilities are identified, they should be mitigated. Mitigations cost money. Thus, SMB leaders sometimes do need to buy more services to mitigate! I’ll even confess to the scare tactic accusation - it’s a scary thing to be a soft target!

The prospect is an SMB franchisee of a very large, multi-billion-dollar franchisor. They had recently experienced a substantial increase in employee turnover after the COVID pandemic, and they were working to find their place in this new world, making the necessary pivots and adjustments.

Two weeks before this meeting our prospect had cancelled our cyber security risk assessment review and wasn’t eager to reschedule. The discovery of several major vulnerabilities and unsecured PII, coupled with an upcoming renewal of their $1M cyber liability policy, gave our team a sense of urgency that I felt necessary to articulate to the CEO by giving him a preview of the results. To encourage them to reschedule as soon as possible, I pulled the curtain back a bit and showed him some of our findings. We always do our CSRA reviews in person, but I made an exception and gave him an abbreviated review to encourage him to schedule the in-person meeting. To some extent it worked as planned.

We found $4.6M of PII data on the CFO’s desktop hard drive, but the CEO was under the impression that all their important data was in the cloud. They were of the mindset that all their information was safe and sound in the popular and fantastic SaaS application known as AppFolio.

Before the meeting the CEO did his research. I emailed him a bullet list of our recommended security measures, and he set about getting his ducks in a row to tell us “No” when we came to the review meeting. I encourage our prospects to do plenty of research on the topic of small business cyber threats and security measures ahead of meeting with us. The more they know, the more likely they are to take action.

The day of the meeting, our Business Development Coordinator and I arrived and took our places at the conference room table. When the CEO and CFO joined us, the CEO kicked off the meeting with his own 20-minute presentation on the research he had done. They were not going to go ahead with our recommendations for two reasons:

  1. They didn’t have the money in the budget for the additional expenses brought about by the new security measures.
  2. The CEO had consulted with the IT admin at the corporate office of the franchisor. The IT admin had recommended that they really only needed Windows Defender, 2FA and a good password manager.

The franchisee-franchisor relationship is often a love-hate relationship. This CEO had fallen into a situation very common to this type of relationship. The goal of the franchisor is simple - the bottom line. The franchisor’s bottom line comes primarily from the franchise fees collected from the local franchise operations that bear its branding. While the IT admin in this situation means well, he doesn’t work for the franchisee; he works for the corporate franchisor, whose focus is on collecting franchise fees. They aren’t in the business of adding expenses to running a franchise, so they think it’s good for them if the franchises keep operating costs low. However, if a franchise gets hit with a crippling cyber-attack and goes out of business – no more franchise fees.

The recommendations from the corporate office weren’t based in the new reality of a cybercrime landscape whose proceeds, by widely cited estimates, would make it the third richest country on the planet. What the IT admin missed in his own brief (and uninformed) assessment is the fact that this franchise had a cyber insurance plan with a $1M coverage limit. Two separate third-party risk assessment calculations put their breach recovery cost at nearly $2M, meaning they were underinsured in the first place.

Furthermore, in the event of a breach, the insurer would almost certainly deny their claim because of “failure to follow” or “failure to maintain”. This is the terminology used when a breach occurs and the obligatory forensic investigation reveals that the insured was not meeting the security requirements written into the carrier’s policy. In short, constant monitoring and review for the sake of insurance compliance is imperative, or cyber insurance is useless.

At the beginning of the CSRA review presentation, we included a slide with excerpts from the franchise disclosure document showing what the corporate franchisor required of its franchisees. The document stated that franchisees are responsible for carrying a minimum of a $1M cyber insurance policy (which they were compliant with) and that franchisees must adhere to the requirements of that insurance policy (which they were NOT compliant with). The document also stated that franchisees were required to follow best practices and guidelines when handling personally identifiable information (PII), right down to first and last names (again, not compliant).

It was not far into the review presentation that the franchisee CEO realized that he was out of compliance with both the franchisor and his insurance carrier. The CEO’s reaction was emotionally charged enough to drive the otherwise laid-back and successful 60-year-old to storm out of the conference room, but he did return a few minutes later and finished the meeting. The feeling of betrayal after learning that the IT admin had given him grossly incorrect and possibly negligent information was more than enough to make anyone angry.

Here are some takeaways:

  1. The franchisor is not always looking out for the best interests of the franchisee. If you’re a franchisee, you need to make your own educated decisions. Remember, YOU are footing the bill during a breach recovery, not the corporate franchisor.
  2. IT guys are rarely cyber security experts. Cyber security is a highly specialized field. Like the medical field, information technology has many specialties. The IT admin is like your family doctor. If you had a neurological issue, your family doctor would send you to a neurologist. In the same sense, in a cyber security scenario, the IT admin should bring in a third-party cyber security specialist.
  3. Moving beyond cyber security, cyber risk management is even more specialized.

Cyber Risk Managers, such as WOM Technology Management Group, look at the data and findings provided by the third-party cyber security specialists, work with IT admins to map out the SMB infrastructure, and conduct information-gathering interviews with C-level employees and department heads. With all this information, Cyber Risk Managers must:

  1. Help to eliminate unnecessary risk by recommending mitigation solutions put forth by cyber security risk assessments.
  2. Calculate insurance coverages for unavoidable risk to ensure that the insurance carrier will cover all possible costs associated with a cyber incident response.
  3. Devise response and continuity plans for disasters or cyber-attacks that get through even though your company has done all the “right things”.

Make sure all your bases are covered. If you’re running a business and plan to continue to, it’s on you to make sure your business doesn’t become a helpless victim of cybercrime.

More articles by Joshua Nelson