MJ Worsham
to get everybody on the same platform so you know everybody’s behind the same fence and has the same protection,” he says. “This helps mitigate the human factor.” On the hardware side, that includes the network itself, a secure firewall, not having guest wifi on the same network as your system, and restricting access to your back office computer.
“All these things can be done and are easy to enable, but we see large companies breached every day,” he says. “The biggest thing we’ve learned, and one of the first things I did when I came on board,” he says, was to standardize the software and hardware across all 50 Roy Rogers units. “All our ports on our firewall are consistent in every store,” he says. And all the stores use NCR’s Aloha POS system.
“From there it becomes a task of getting buy-in from your franchisees without making it a mandate. You can make it a mandate in the franchise agreement, but we wanted to look at it more as an educational experience,” he says. “We have a fantastic relationship with our franchisees, with a lot of mutual trust. We see it as an advisement, not a mandate.”
Worsham says that with the brand’s close relationship with its franchisees, this may have been easier than at larger franchise brands, or those with legacy systems or acquired units with their own technologies. One way to make the medicine go down and get that buy-in was to “kill nine birds with one stone,” he says, by adding features and showing the franchisees the ROI.
When the brand launched its loyalty app, something the franchisees asked for, it had to be on the same system across the brand. “It’s a lot easier when you show the ROI in the conversation: a more secure system that is up to date, PCI compliant, ready for EMV, and with online ordering,” he says. “Network management and security was not the most important part of the conversation.” Instead, he says, it was the new features and capabilities. “Everything was important. It was just easier to pile it together.”
When it comes to advice for other franchisors, “Centralization is really the key,” he says. So is limiting the number of people who have access to the system, and the level of that access. Store managers, for example, have access to the POS system at their store — and no others.
“Standardization and centralization allowed us to have a tight leash on who has access,” he says. “It limits the points of failure if you have one person doing it.”
He recommends starting with the low-hanging fruit and offers four pieces of advice:
1) Keep your software and hardware up to date. Microsoft released a patch in March to fix the vulnerability that resulted in May’s ransomware epidemic. Companies that did not install it were vulnerable.
2) When evaluating vendors, look at their PCI standards and compliance level. Are they innovative or reactive to PCI? While you never want to be a guinea pig, he says, you also want to keep up with the latest security technology.
3) If you’re going mobile (and it seems everyone is), segment your network. Keeping everything separate is the easiest way to maintain network security and stability.
4) Finally, he says, read to stay on top of security issues, which are a moving target as people find innovative ways to breach a system.
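The practices Worsham describes (consistent firewall ports in every store, guest wifi kept off the POS segment, POS access limited to a manager's own store, and required patches installed) are the kind of thing a franchisor can check centrally rather than trust store by store. The following audit script is an added example, not code from the article or from Roy Rogers; the baseline ports, VLAN ids, patch id, user names and store records are all constructed placeholders, and the data model (a per-store config record plus a central grant table) is an assumption for illustration.

```python
"""Audit per-store configuration against a brand-wide baseline.

Added example (not from the article).  Every value below is constructed:
the baseline ports, the patch id, the store ids and the user grants are
placeholders chosen to show the checks, not any brand's real settings.
"""
from dataclasses import dataclass

# Brand-wide baseline: the ports every store firewall should expose (assumed).
BASELINE_OPEN_PORTS = {443, 8443}
# Placeholder patch identifier, not a real vendor bulletin number.
REQUIRED_PATCHES = {"PATCH-2017-03-PLACEHOLDER"}

# Central record of which stores each user may reach on the POS (assumed model).
POS_GRANTS = {
    "mgr_101": {"101"},
    "mgr_102": {"101", "102"},   # over-privileged on purpose: reaches store 101 too
}
# Each user's home store; a manager should only reach this one.
HOME_STORE = {"mgr_101": "101", "mgr_102": "102"}


@dataclass
class StoreConfig:
    store_id: str
    firewall_open_ports: set     # inbound ports open on the store firewall
    vlans: dict                  # segment name -> VLAN id, e.g. {"pos": 10}
    patches_applied: set         # patch ids confirmed installed at the store


def audit_store(cfg, baseline_ports=BASELINE_OPEN_PORTS,
                required_patches=REQUIRED_PATCHES):
    """Return a list of findings for one store; an empty list means compliant."""
    findings = []

    # 1) Firewall drift: ports must match the baseline exactly, both ways.
    extra = cfg.firewall_open_ports - baseline_ports
    missing = baseline_ports - cfg.firewall_open_ports
    if extra:
        findings.append(f"firewall drift: unexpected open ports {sorted(extra)}")
    if missing:
        findings.append(f"firewall drift: baseline ports not open {sorted(missing)}")

    # 2) Segmentation: guest wifi must not share the POS VLAN.
    if "guest_wifi" in cfg.vlans and cfg.vlans["guest_wifi"] == cfg.vlans.get("pos"):
        findings.append("segmentation: guest wifi shares the POS network segment")

    # 3) Patch currency: every required patch must be present.
    missing_patches = required_patches - cfg.patches_applied
    if missing_patches:
        findings.append(f"patching: missing required patches {sorted(missing_patches)}")
    return findings


def audit_access(grants=POS_GRANTS, home=HOME_STORE):
    """Flag users whose POS access extends beyond their own store."""
    findings = []
    for user, stores in grants.items():
        foreign = set(stores) - {home.get(user)}
        if foreign:
            findings.append(
                f"access: {user} can reach stores {sorted(foreign)} "
                f"beyond home store {home.get(user)}")
    return findings


def audit_brand(stores):
    """Run every check and return {store_id: findings} plus the central access review."""
    report = {cfg.store_id: audit_store(cfg) for cfg in stores}
    report["_access"] = audit_access()
    return report


# Constructed sample: store 101 matches the baseline, store 102 drifts on
# every axis (extra port, guest wifi on the POS VLAN, patch not applied).
SAMPLE_STORES = [
    StoreConfig("101", {443, 8443}, {"pos": 10, "guest_wifi": 20},
                {"PATCH-2017-03-PLACEHOLDER"}),
    StoreConfig("102", {443, 8443, 3389}, {"pos": 10, "guest_wifi": 10}, set()),
]

if __name__ == "__main__":
    for scope, findings in audit_brand(SAMPLE_STORES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{scope}: {status}")
```

Running the script prints one line per store and one for the central access review; store 101 comes back clean while store 102 and the over-privileged manager produce findings. The point of the exact-match port check is the one Worsham makes: when every store is supposed to look the same, any difference from the baseline is a finding, whether it is an extra open port or a missing one.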
Hire out for help
At Jersey Mike’s Subs, CIO Scott Scherer prefers to do it all in-house — well, almost. “This will probably go against what I’ve said in the past,” says Scherer, who was an outside vendor before joining the brand (see Franchise Update Q3 2015). However, when it comes to data security, he says, “That would be one thing I’d outsource.” And he does.
As he sees it, either plan on spending a lot of money and hiring a lot of people internally, or find a third-party partner (or partners) who are expert at protecting corporate and consumer data. “Though we like to do things in-house,” he says, when it comes to security, “there are too many smart people going against us.”
Jersey Mike’s is getting help from Charlotte-based Global Linking Solutions, which provides 24x7 monitoring, management, and security services. Part of the brand’s strategy, says Scherer, was “to make sure all our franchisees were on our network.” The plan for that network (now international), which includes everything from its home-grown POS system to bar code scanners and terminals, was for it to reside on a private network managed by Jersey Mike’s through GLS.
For every new store opening, he says, GLS stages all of the firewalls and network equipment. Jersey Mike’s calls its POS vendor, orders a hardware package, and GLS sends a tech to configure the equipment. “They deal with all that on their end,” says Scherer. “The hardware gets installed and appears on our network.” GLS monitors all the firewalls, routers, and switches and is authorized to speak with the ISP to resolve any issues. “On the networking side, they keep our system up and running.”
When it comes to getting franchisees to cooperate to ensure the network is secure and compliant, he says, the franchise agreement dictates who to buy software, hardware, and networking equipment from — and the company’s national credit card processing plan with First Data requires that all franchisees are PCI compliant.
PCI, standards, and tips
In January, John Christly, global chief information security officer for Netsurion and EventTracker, was named to the PCI SSC Small Merchant Task Force, where he plans to serve as a voice for SMBs and multi-location merchants to help make PCI compliance more achievable and payment data more secure.
Christly says the top five threats to restaurants are hackers, POS malware, ransomware, internal threats, and wifi security. For brands with 5 to 500 or more locations, he says, “If you want to protect the brand you have to take it seriously at the brand level.” He says PCI compliance is a good place to begin.
His recommendation for franchisors is to have a rock-hard policy stating: “If you want to be a franchisee, you must prove you’re PCI compliant.” And, he adds, it must be legitimately true to avoid being whacked by penalties if a breach does occur. People will just check the boxes on the PCI Self-Assessment Questionnaire (SAQ), even if they’re not compliant. “It will come out and be discovered,” he says, but it usually takes a breach, and then it’s too late. And thinking “We’re insured for that” won’t cut it, even for companies with cyber insurance.
“I think a lot of the requirements are a bit onerous on small businesses,” says Christly. “But the rules are what they are. This is yet another cost of doing business you cannot ignore.”
Franchiseupdate ISSUE II , 2017 41