Data-Driven Marketing Mayhem: How to Avoid Unexpected Cyber Crimes that Compromise Your Brand

Roger Lewis, CEO, CMIT Solutions

Post on 18-Jun-2020


Cyber Attacks make headlines

History

• Data breaches have existed for as long as individuals and companies have maintained records and stored private information

• Data breaches began to increase in the 1980s.

  – 1984: TRW (now called Experian) was hacked and 90 million records were stolen

History…

• 1990s and early 2000s: Public awareness of data breaches increased

  – News media covered more “cyberthefts”

• Lawmakers began to pay attention

• July 2003: California enacted Senate Bill 1386

  – First U.S. law protecting the privacy of an individual’s personal information—especially if it is stolen from a vendor’s database

Types of Attacks

• Malware

• Ransomware

• Phishing

Timeline of Attacks

Big Boom Age

• Privacy Rights Clearinghouse begins its chronology of data breaches

• The first data breach to compromise more than 1 million records (DSW Shoe Warehouse; March 2005; 1.4 million credit card numbers and names on those accounts)

• June 2005: Hackers exposed some 40 million credit card accounts from payment card processor CardSystems Solutions

2005: DSW Shoe Warehouse. Exposure: 1.4 million customers

Timeline of Attacks

2013, 2014, 2015, 2016, 2017

• Yahoo. Exposure: 3 billion user accounts

• JP Morgan Chase. Exposure: 76 million households; 7 million small businesses

• Target Stores. Exposure: 110 million people’s payment card info and/or contact info

• Anthem. Exposure: 78.8 million customers

• Equifax. Exposure: 145.5 million accounts

• MySpace. Exposure: 360 million users

The Impact of Cyber Attacks on Your Business

• Revenue Loss: Studies show that 29% of businesses that face a data breach end up losing revenue; 38% experienced a loss of 20% or more

• Damage to Brand Reputation: A security breach can impact much more than just your short-term revenue. The long-term reputation of your brand is at stake.

• Loss of Intellectual Property: Loss of revenue and damaged reputation can be catastrophic; 60% of hacks target small businesses

• Hidden Costs: Legal fees, regulatory fines, PR and investigations, insurance premium hikes

Why are franchise brands and their data attractive to cyber criminals?

Why Are Franchise Brands and Their Data Attractive to Cyber Criminals?

• A study that surveyed 726 organizations across 79 countries, in sectors including financial, insurance and retail, revealed that the number one issue for executives is the threat from hackers, with 88% of companies included in the survey saying they are “extremely concerned” or “concerned” about the risk

• Franchises are a large and lucrative target for hackers

Why Are Franchise Brands and Their Data Attractive to Cyber Criminals?

• Dairy Queen, Marriott, UPS, Goodwill, Wendy’s and Supervalu

  – Hackers infiltrated the point of sale (POS) system

  – Customer information stolen

  – Millions of dollars were lost

  – Reputation was damaged

• 2016 Noodles & Company breach resulted in $11 million in costs

Uniqueness of Franchising

• Whether a franchise has all of its locations on the same network, or each store runs its own private network, a breach is a breach in the eyes of a consumer

  – Try explaining to a customer of a breached franchise that their card data is safe in certain locations, while in others it is not

• The company is now questionable in the minds of consumers

Why Franchises?

• Multiple locations with large numbers of customers racking up multiple transactions and personal history records

• Massive amounts of customer information stored within the network, creating an attractive target for data thieves

• Discoveries are not made quickly enough (months after breaches actually occur), giving hackers more time to steal cardholder data while organizations stumble to clean up the mess

Wendy’s Breach – May 2016

• After a forensic investigation, Wendy’s reported that 300 of its 5,800 locations were affected by the breach

• By July 2016, the number of impacted stores reached 1,025

• Wendy’s placed the blame for the breach on an unnamed third-party “service provider” that had remote access to the POS

• Remote administration tools are used to access and manage the systems over the Internet

• The damages of the Wendy’s breach reportedly surpassed the Home Depot and Target breaches, which were $263 million and $291 million respectively

Where have you left your brand open?

Vulnerabilities

• All franchise companies, regardless of their size, are at risk

• Older security solutions are based on technologies that rely on knowing something about the attack, such as the vulnerability targeted, the malware used, or the reputation of the email sender

• These tools are incapable of identifying today's dynamic, multi-vector, multi-stage attacks

Password Management

• 76 percent of breaches on corporate networks are due to a weak employee password

• Because most people reuse passwords, cyber criminals can gain entrance to email, websites, bank accounts, and other sources of PII or financial information

Zero-Knowledge Architecture

• Private encryption key resides with the user and encryption occurs at the device level (your phone, tablet, computer, etc.)

  – Only the user is able to decrypt and access their data

• Traditional cloud storage technologies do not practice zero-knowledge security

• The provider can often access the user's encryption key and, theoretically, decrypt and view information being stored in the cloud

Two-Factor Authentication

• Two-factor authentication and the use of strong passwords are important steps to take in prevention

• Implementing 2FA ensures that a user can confirm access through two methods, typically something the user knows (e.g. a password) and something in their possession (a smartphone)

Anti-Fraud Services

• Monitor a variety of intelligence sources to detect and prevent fraud (such as spam lists, password lists, attack signatures, malware/anti-virus intelligence feeds, ISP reports)

• A good anti-fraud service should be both preventative and reactive

• Costs can start at less than a few hundred dollars per month and range into thousands of dollars per month

How to protect your customer data and what to do when it is attacked:

Data Protection Strategy

• All sensitive data is encrypted

• Proper controls are in place to permit access to that data

• Policy is consistently tested and audited

  – Review of adherence to set access controls, encryption and password protocols, software updates, employee training, and the documentation of any security anomalies or incidents

  – Noncompliance (or the failure to cure any defects within a reasonable time) should prompt severe sanctions, including possible franchise agreement termination

Data Protection Strategy

• Franchise organizational centralization and standardization through each franchisee’s practices and POS systems

  – Ensures they’re operating securely

  – Enforcing the Payment Card Industry Data Security Standard (PCI DSS)

  – Use secure payment applications, like encryption, that devalue the card data

THANK YOU!

Roger Lewis, CEO, CMIT Solutions

/roglewis

@cmitsolutions

/cmitsolutions

/cmit-solutions-inc