Franchisor IT Admin’s Cyber Security Recommendations for Franchisees
Joshua Nelson
Dynamic CXO & CMO | Sales & Marketing Consultant | Driving Innovative Cybersecurity Solutions & Empowering Business Growth
It was probably the most emotionally charged presentation I’ve given in my twenty years in business.
There is no doubt that every meeting is a sales meeting and Cyber Security Risk Assessment Reviews are no different. Some clients and prospects view these meetings as a scare tactic to get them to buy more services for cyber security, but when vulnerabilities are identified, they should be mitigated. Mitigations cost money. Thus, SMB leaders sometimes need to buy more services to mitigate! I’ll even confess to the scare tactic accusation - it’s a scary thing to be a soft target!
The prospect is an SMB franchisee of a very large multi-billion-dollar franchisor. They had recently experienced a substantial increase in employee turnover rate after the COVID pandemic, and they were working to find their place in this new world, making the necessary pivots and adjustments.
Two weeks before this meeting our prospect had cancelled our cyber security risk assessment review and wasn’t eager to reschedule. The discovery of several major vulnerabilities and the unsecured PII coupled with an upcoming renewal for their $1M cyber liability policy was giving our team a sense of urgency that I felt necessary to articulate to the CEO by giving him a preview of the results. To encourage them to reschedule as soon as possible, I pulled the curtain back a bit and showed him some of our findings. We always do our CSRA reviews in person, but I made an exception and gave him an abbreviated review to encourage him to schedule the in-person meeting. To some extent it worked as planned.
We found $4.6M of PII data on the CFO’s desktop hard drive, but the CEO was under the impression that all their important data was in the cloud. They were of the mindset that all their information was safe and sound on the popular and fantastic SaaS application known as AppFolio.
Before the meeting the CEO did his research. I emailed him a bullet list of our recommended security measures and he was on his way to get his ducks in a row to tell us “No” when we came to the review meeting. I encourage our prospects to do plenty of research on the topic of small business cyber threats and security measures ahead of meeting with us. The more they know, the more likely they are to take action.
The day of the meeting, our Business Development Coordinator and I arrived and took our places at the conference room table. When the CEO and CFO joined us, the CEO kicked off the meeting with his own 20-minute presentation on the research he had done. They were not going to go ahead with our recommendations for two reasons:
The franchisee-franchisor relationship is often a love-hate relationship. This CEO had fallen into a situation very common to this type of relationship. The goal of the franchisor is simple - the bottom line. The source of the bottom line of the franchisor is primarily the franchise fees collected from the local franchise operations who bear their branding. While the IT admin in this situation means well, he doesn’t work for the franchisee, he works for the corporate franchisor whose focus is on collecting franchise fees. They aren’t in the business of adding expenses to running their franchise, so they think it’s good for them if the franchises keep low operating costs. However, if the franchise gets hit with a crippling cyber-attack and they go out of business – no more franchise fees.
The recommendations from the corporate office weren’t based in the new reality of a cybercrime landscape that has collected enough ransomware payments to be the third richest country on the planet. What the IT admin missed in his own brief (and uninformed) assessment is the fact that this franchise had a cyber insurance plan with a $1M coverage limit. Two separate third-party risk assessment calculations brought their breach recovery cost to nearly $2M meaning they’re underinsured in the first place.
Furthermore, in the event of a breach, the insurance would almost certainly deny their claim because of “failure to follow” or “failure to maintain”. This is the terminology used when a breach occurs, and the obligatory forensic investigation reveals a lack of compliance with the insurance carrier. In short, constant monitoring and review for the sake of insurance compliance is imperative or cyber insurance is useless.
At the beginning of the CSRA review presentation, we included a slide with excerpts from the franchise disclosure document showing what the corporate franchisor required of their franchisees. The document stated that the franchisees are responsible to carry a minimum of a $1M cyber insurance policy (which they were compliant with) and that franchisees adhered to the requirements of the insurance policy (which they were NOT compliant with). The document also stated that the franchisees were required to follow best practices and guidelines when handling personal identification information (PII) right down to first and last names (again, not compliant).
It was not far into the review presentation that the franchisee CEO realized that he was lacking compliance with both the franchisor and his insurance carrier. The CEO’s reaction was emotionally charged enough to drive the otherwise laid back and successful 60-year-old to storm out of the conference room, but he did return a few minutes later and finished the meeting. The feeling of betrayal after learning that the IT admin had given him some grossly incorrect and possibly negligent information was more than enough to make anyone angry.
Here are some takeaways:
Cyber Risk Managers, such as WOM Technology Management Group, look at the data and findings provided by the third-party cyber security specialists, work with IT admins to map out the SMB infrastructure and complete information gathering interviews with C-Level employees and department heads. With all this information, Cyber Risk Managers must:
Make sure all your bases are covered. If you’re running a business and plan to continue to, it’s on you to make sure your business doesn’t become a helpless victim to cybercrime.