Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Top 5 Security Risks to Your Franchise Organization


Quick Take

On this week’s Compliance Unfiltered, the CU guys have another Top 5 episode coming your way. That’s right it’s the Top 5 Security Risks to Your Franchise Organization episode! Of course, Adam will cover the biggest risk to franchises, but the guys will also go over topics like the dangers of not taking security and compliance seriously from the top down.

Curious about the value of security and compliance training? Wondering about how the physical security of your organization comes into play? Well, the CU Guys have got you covered.

All these topics and more on this week’s Top 5 edition of Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside one of the top five solutions to your compliance ailments, Mr. Adam Goslin. How the heck are you, sir?
I am doing great, Todd. How about yourself?
I can’t complain. I cannot complain. Today, we’re going to talk about the top five security risks to your franchise organization.

Adam, tee this one up for the folks out there.
Well, maintaining a secure organization is an uphill battle, period. It doesn’t matter what type of business you’re in. But for franchise organizations, CSOs are really forced to earn their stripes if you will. There’s a lot of complexity in a franchise model that makes the task of cybersecurity and data protection a lot more overwhelming than in most businesses. You go add in the fact that you’re dealing with a continuous stream of turnover, which introduces its own myriad of new risks, etc. And now the uphill battle is pretty much like staring over the edge of a cliff. So staring up the face of a cliff, if you will. So in order to kind of help these organizations better protect… their franchise organization. That’s why we’re gonna hit up all of the top five risks, if you will.

I like it. Now, tell us more about the security, or excuse me, tell us, let’s get started with the biggest risk here.
Bar none. Biggest risk from the franchise organization is the employees. Reality is that human beings make mistakes, and you can’t ever eliminate the human factor risk within the organization. Whether it’s simple forgetfulness, being too trusting, or just outright disregarding policies, your employees are the greatest security liability to a franchise-style organization. I’ve done onsite visits with multi-location franchise-style businesses where somebody has accidentally left the safe unlocked, you know, or accidentally went home without setting the alarm or locking the doors, you know, appropriately or at all. You know, I’ve seen passwords written on sticky notes. I’ve seen printed sheets with customer credit cards on them. I mean, you name it, I’ve seen it. You know, at the end of the day, people are gonna do, you know, even the well-meaning employees. So, you know, you’re not gonna be able to eliminate human error, but, you know, certainly, you know, there are some steps that one can take to greatly minimize, you know, the frequency, you know, and the impact through, you know, frequent training and accountability.

Well, now tell us more about security and compliance training, because I know that’s a big thing for you.
Well, you know, you can’t reduce the risk, you know, to your franchise organization without, you know, the recurring security awareness training and security reminders for all of your employees. And this doesn’t extend just to the frontline employees. A lot of times, you know, the organizations look, you know, just focus on them, but, you know, you wanna hit everybody, people like corporate and executive leadership, and, you know, everybody, you know, needs to, you know, kind of share in the, you know, share in the training so that we can, you know, present, you know, kind of a well-rounded front for, you know, our efforts towards security and compliance. You know, one of the major challenges in a franchise business is that turnover volume I was talking about earlier. You know, the corporate, you know, level of the organization certainly carries a certain level of turnover, but, you know, typically the highest levels are at the franchise level where there’s just a continuous turn of employees. So that means that you constantly have new people that are cycling into, you know, into the equation that need to be trained at hire and need to be trained at least annually and periodically throughout the year on their security and compliance responsibilities. So you wanna put out security awareness training reminders on a frequent basis, retraining them on a regular basis. People need those continuous reminders and reinforcement flowing through. So you wanna keep franchise owners and their employees accountable for the security best practices and certainly find ways to reward those that are showing kind of exceptional diligence. You need those folks within the organization to kind of show the others the way, if you will.
Well, what about organizations that don’t take security and compliance seriously from the top? I mean, you got a lot of folks in this space, Adam, where people at the C level go, well, that’s something that the IT folks handle, right?

Like compliance. Yeah, that’s true. I was thinking about it as you were saying that. I wanted to go back to the training for a minute and then I’ll tee that one back up again. But back to the training, too often the revolving door of these employees, it just means security training is getting truncated for the sake of efficiency. And why should we spend this valuable time training people when they’re just gonna leave in a few months type of thing? And can’t we just try to get as much work out of them while they’re here as we can?
And while they may not stick around for a long period of time, the reality is that the damage they could do could well outlast their stay with the organization. It’s a good way themselves, yeah. Yeah, I mean, the franchisees are… Franchises are a prime target for bad actors and certainly an untrained workforce makes that a whole hell of a lot easier for the bad guys. So you wanna just make sure that you’ve got that training kind of across the entire organization so you can keep a good track and a good handle on all the comings and goings. There’s certain tasks that need to be done related to security and compliance with that flow and a centralized system for kind of training tracking for everybody from the execs down to the frontliners is certainly important.

So you were leading me on to the next realm, which was kind of displaying the importance of security and compliance right from the top. The reality is that security and compliance, for many organizations, it’s seen as a cost center. It just drains money out of the organization, pulls people away from valuable and productive work. And I found it’s not unusual for organizations to do, you know, scant more than the bare minimum, just to say that they’re compliant with a, you know, with a particular standard. They take this, you know, kind of check-the-box approach so they can get back to the real work, you know, type of a thing. And, you know, if you’re only looking at the bottom line, then security compliance might appear to be nothing more than a cost center. But, you know, what a lot of the franchise businesses don’t realize is your company is continuously being attacked by malicious attackers. If you go have a chit chat with your IT crew and just go to the network logs for, you know, for what the perimeter of the network is seeing alone, you’re going to see bot activity, you know, literally all day long. Um, everybody that has an email address within the organization is getting phishing emails, a continuous stream. Um, you know, bad actors are, you know, now leveraging AI to find, you know, new and inventive and, and more efficient ways to, you know, just smatter the company with, you know, with phishing emails. You know, at some point in the game, you know, the dam’s going to breach, and unless the organization has this commitment to a culture of compliance, you know, then they’re going to be in trouble. You know, the, the, the executive leadership at the organization, they really set the tone. You know, if nobody at the top is taking this stuff seriously, then nobody else is going to, you know, give two craps. Um, you know, they’ve got to take it seriously.
They’ve got to make it a, uh, you know, security and compliance best practice as a priority, you know. If they see it coming from there, you know, then, you know, then your, your path, if you will, is a whole heck of a lot easier. Um, you know, some of the keys to, to getting that culture of compliance, you know, in the franchise-style organization is, you know, get it from the top down. It has to be priority at the top levels of the food chain so that everybody else is, you know, kind of is now on notice that, yay, we’re going to be taking this stuff seriously. And it’s important, you know, integration of, you know, security and compliance measures into everything that you’re doing. Um, we talked about doing the training for, you know, for personnel, uh, making sure that you’re keeping, uh, you know, the, the staff members, uh, accountable, um, creating ownership, uh, providing recognition, you know, and certainly, uh, you know, taking advantage of your best use of technology, you know, in this space, uh, is certainly going to go a long way to, you know, to assisting and helping.
Well, how does a lack of visibility and accountability plague these organizations?
Well, in a franchise system, you know, you’ve got individual store owners that have a certain degree of freedom, but they need to coordinate their activities with corporate. Corporate needs to keep track of all of the various stores and ensuring that they’re doing the due diligence for security. You know, it’s a huge task to make sure the protective measures of the organization are being performed at both the corporate and the franchise level. And oftentimes what’s going on at the franchisee level stays at the franchisee level, unless the organization has some way of monitoring and keeping all of these various locations accountable.
So at the end of the day, you know, it’s not easy to know, you know, it’s, you know, in the end, it’s easy not to know for sure if your individual stores are doing enough for security and compliance. And one of these franchisees that, you know, kind of misses an item, misses a boat, doesn’t do what they’re supposed to be doing, you know, could be giving the attackers the keys to the entire kingdom. So, you know, every single one of these franchise locations, they need a solid way to manage their security and compliance engagements. You need to know what’s done, you know, what, you know, what’s done, what is left and what remains, you know, have we, you know, done some type of a QA process on evidence that’s being provisioned to make sure it’s being done correctly, you know, are all of these proactive measures being executed everywhere that they’re supposed to be.

I mean, it’s really important to be able to, to track these items all the way down to the individual franchise, franchise locations. You know, certainly having a strong compliance management system makes it immediately and fully clear who needs to do what, is it done yet?
You know, was it validated? Was it done properly, etc. So, you know, as the makers of the TCT portal, you know, with the TCT portal, you’ve got your finger on the pulse across corporate and visibility into all of the franchise locations, evidence flowing up and into your, you know, kind of into your overall, you know, structured approach to compliance. So the cool part is, is that you can go through, you can see all of these stores at a glance, you don’t have to spend, you know, hours of wasted time tracking activities and updating spreadsheets and, you know, blah, only to find out that by the time you start trying to figure out what the status is, it’s already out of date because somebody started submitting evidence, you know, two minutes after you started making the status report. So it’s, it’s definitely a challenge. And I hate like hell for organizations to, you know, to be in a position where they’re basically blowing time that they could be spending, you know, justifiably let the system do the work for it.

Sure, sure. Now, you can’t have a conversation about franchise organizations without talking about where physical security fits into the mix here.
Every time that I’m going in and doing on-sites for franchise organizations, I’ll find physical security issues. Cameras that aren’t working and doors that aren’t matching properly and sensitive information for employees being in unlocked filing cabinets or the safe isn’t even working properly. There’s a number of examples of things that I’ll run across. None of these instances are trivial. Any one of them is going to be good enough to put the brand in the national headlines for the wrong reason. There’s major franchise corporations that suffered millions of dollars in losses because their HVAC vendor had access to the manager’s office. Physical security is hugely important. You want to make sure that you’ve got responsibilities appropriately lined up, that the franchise locations have some form of partial oversight from corporate. And then ensuring that you’ve got appropriate reporting and oversight of the physical security measures, including validation of the measures that are supposed to be in place on a regular and recurring basis across the board. You want to make sure you’ve got a mechanism for reporting any of these physical security deficiencies. If your badge access system to get into the manager’s office stops working and or it’s not appropriately controlling access, we need to get that addressed. One of the things that these franchise locations and the corporate locations need to do is make sure that they’ve got a way for centralized oversight of the various controls that need to be in place as well as a centralized system where you can go and log those physical security issues and get them addressed expediently through, you know, so typically some form of a ticketing system, you know, that the organizations have.
Parting shots and thoughts for the folks this weekend?
Well, I love the expression, you know, trust, but verify, and that definitely applies in the franchise, in the franchisee, you know, arena. You know, when you are responsible for, you know, security and compliance of the franchise organization, you know, you don’t have the luxury of assuming anything. You know, if you can’t monitor it and track it, you don’t know it. And if you don’t know it, then you can’t assume that all is well. You’ve got to go with the trust, but verify, you know, style of approach, you know, leveraging tooling, especially in a franchise-style organization. Leveraging compliance management tools like the TCT portal, it will go a long way to giving you that complete visibility so that you know exactly what the franchisees are doing, where they need to step up their game.

And certainly just overall orchestration of your security and compliance engagement is made a whole hell of a lot easier. It creates a certain amount of freedom for the franchisees to operate really with a greater level of independence while still maintaining that accountability, right? If you’ve got everything systematically and you’ve got an internal QA process for validation of the evidence that’s coming up from the franchisee locations, now it doesn’t need to feel like corporate big brother’s breathing down their neck and staring over their shoulders and da, da, da, da because everybody’s using the system. You don’t need to nag the end franchisee locations that have it together because they’re doing their job and they’re doing it when they’re supposed to. All that fun stuff, it really, the TCT portal bar none was designed from the start to make compliance management suck less for everybody involved. And that includes folks at corporate and folks that are down at that franchisee level.

And that right there, that’s the good stuff. Thank you. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Todd Coshow. And I’m Adam Goslin. Hope we helped get you fired up to make your compliance suck less.
