The Identity Blog

Background image

Why Fast-Food Organizations Need to Biggie-Size Their Identity Security

Perhaps the trendiest topic in the fast food industry (other than Taco Bell bringing back the Mexican Pizza) is that franchises are being actively targeted by cybercriminals. Franchisors were put on notice in 2018 when a popular Canadian donut chain was badly breached and had to temporarily close hundreds of stores, resulting in a damaged reputation and franchisees who lost substantial revenue. Since then, threats have exponentially risen as it was recently reported that there was a meteoric rise in cyberattacks during 2021, with expectations that the rising tide of cybercrime is still in early innings.

So why are fast food franchises being targeted?  Simply put, they have an exceptionally large attack surface.  Fast food franchisors often add their franchisee’s employees into their identity programs, even though they are technically external non-employees.  They also rely heavily on a vast network of third-party suppliers, vendors, contractors, and even non-humans to operate. This reliance, combined with the franchisee’s employees, means franchisors must provision access to their systems and data to hundreds – sometimes even tens of thousands – external individuals.

All it takes is for a bad actor to compromise one of these identities to do significant damage to a fast food franchise.  And with employee turnover in the U.S. fast food industry averaging 150% per annum (and as high as 300% for hourly paid employees), most franchisors are left spending excessive amounts of time and money managing an identity process that is both inefficient and risky.


Here are the identity challenges that are unfortunately always on the menu for Fast Food Franchisors: 


  1. Complex Franchise Relationships: Each fast food franchise organization can have owners, operators, managers, regional managers, customer relationship managers…the list goes on. Each of these relationships and their identity data provides valuable insight to provisioning accurate access. Unfortunately, most identity solutions are limited in scope when it comes to defining and tracking multi-level or matrixed relationships. This limitation often means these details are tracked outside of the solution, and any changes to the relationships are handled manually via tiresome and error prone processes.


  1. User Friendliness Issues: Fast food franchise owners don’t like using solutions that are designed for more tech-savvy administrators. They often fumble through the convoluted identity and access request process and, at times, do whatever they need to avoid having to use it altogether. Without a single source of truth or central management of non-employee identities, it’s easy for orphaned or forgotten accounts to pile up, leading to significant security risks.


  1. Visibility & Control Limitations: Each franchise owner should only be able to control franchisee employees that are employed in their group, but most identity or ticketing solutions don’t allow for that type of segregation of data or workflow permissions.


  1. Untimely (or Non-existent) Maintenance of Data: Franchise owners are busy. They might make it a priority to trudge through the tedious onboarding process because it means getting more help in the door. But when it comes to updating or maintaining the information via cobbled together processes, franchise owners have better things to do. That means the franchisor is seldom made aware if a franchisee employee’s status changes – which means their access to the franchisor’s systems and networks may persist indefinitely.


  1. Missteps with Vendors/Suppliers/Contractors: Most franchisors and franchisees utilize the same vendors, suppliers, and support platforms. It’s smart, leading to deeper discounts, better service, and consolidation of information for everyone involved. However, this requires franchisors to provision access to their systems and data to hundreds or thousands of non-employees from their third-party suppliers, vendors, and contractors. Franchisors usually don’t centrally track these third-party relationships, nor the system access or data points that they require. This leads to an inaccurate user count and a murky understanding of which information third-party users can access, change, or collect. Franchisors are also guilty of utilizing a “green light/red light” approach to managing risk, rather than implementing different risk levels with appropriate security controls designed for each level.


Fast food franchisors that utilize manual processes or homegrown systems (and/or IGA tools) to administer non-employee access face the tough task of accomplishing a time-consuming, expensive, and complex process within a system that isn’t built for the unique needs of the fast-food franchise business model. They deal with slow and convoluted processes to onboard, offboard, and grant access for third parties, and often lack the staff and resources required to manually manage hundreds or thousands of identities.  This lack of visibility at the identity level is appealing to bad actors, who target chaos so they can create even more.

Luckily, franchisors have resources at their disposal that’ll make them less appetizing to cybercriminals.  SecZetta’s Third-Party Identity Risk solution solves the business problems franchisors face by providing complete identity control of their entire non-employee population.  SecZetta is the only commercial solution on the market that natively supports the identity needs of a fast food franchisor’s non-employees without requiring extensive customization.

The solution automates identity lifecycle processes based on the non-employee’s role, as well as segregates identity information for each franchise, vendor, and supplier, which ensures swift, accurate onboarding, revalidation, and termination.

Download SecZetta’s Fast Food Use Case to learn how to reduce the chaos, cost, and risk of providing access to third-party suppliers and non-employees, or take a self-guided tour to see how easy it is to onboard a new franchisee employee with SecZetta’s Third-Party Identity Risk Solution