
Background
With more than 1,000 locations from Vancouver to Newfoundland, MOBIA’s client has become an iconic Canadian brand with a rich history. But supporting a growing number of franchise locations in a rapidly evolving market looks different than it did when the company’s first restaurant opened its doors in the 1950s, and the company owes its continued success, in part, to its ability to adapt.
Today, IT represents a strategic priority for the popular franchise and, in response to the rise in cyberthreats and emerging trends in the field, it established an internal cybersecurity team. Aware that his lean team would need support, the company’s Director of Technology Security and Infrastructure engaged MOBIA.
Objectives
Early on, the cybersecurity team identified that with a sprawling network of vendors and suppliers, it would be difficult to develop a clear picture of the company’s risk landscape. In IT alone, the franchise relied on 21 vendors. Without a complete understanding of exposure, the security team couldn’t effectively secure the franchise’s operations. Doing it efficiently was out of the question.
The IT team was also working on building an app to enable convenient mobile ordering at launch. Eventually, the app would be updated with a loyalty program. With high-profile loyalty program breaches making headlines, securing the app to protect the brand and its customers is critical to the success of the program.
Solution
As the cybersecurity team began to unravel the web of vendors and suppliers, they engaged MOBIA on several smaller initiatives. The expertise the MOBIA team brought to these smaller projects proved to be invaluable, and working with them was easy. “We worked with other partners where everything felt like a negotiation and where there were a lot of gotchas,” said the Director of Technology Security and Infrastructure. “MOBIA is much more flexible and easier to work with. They feel like much more of a partner.”
MOBIA quickly became the team’s primary cybersecurity partner, helping the franchise build a solid foundation to secure future strategic initiatives.
Developing a clear picture of the threat landscape with a risk register
For the popular fast food franchise’s cybersecurity team, understanding its cybersecurity risk was a critical step in safeguarding the organization from threats and data breaches. Without this holistic view, the team wouldn’t be able to prioritize security initiatives, take proactive steps to mitigate risks, or streamline security practices.
With help from MOBIA, the team built a comprehensive risk register, cataloging every potential security risk. More than executional support, the cybersecurity experts at MOBIA were instrumental in identifying and quantifying the risk each vendor, system, and application introduced into the environment. For instance, they discovered that an internet service provider had deployed misconfigured routers to approximately 15 restaurant locations, opening them up to attacks.
Addressing threats systematically with security governance
As the company continued to improve its security posture, it leaned on MOBIA’s team for support and expertise to develop a structured approach to managing cybersecurity risk tailored to its goals and environment. Laying a foundation of security governance, the MOBIA team drew on its expertise with NIST and CIS frameworks to advise on policies and processes to defend against cyberthreats.
As part of this governance work, MOBIA led the company through a series of penetration tests, analyzing gaps in disaster response and recovery and recommending ways to close them.
As a result of this governance work, the popular fast food franchise has put more CIS V8 controls in place, achieving a double-digit percentage increase in implemented controls over just one year.
Improving efficiency with streamlined supply chain security
By cataloging vulnerabilities and quantifying the risk vendors and suppliers introduced in its environment, the iconic franchise had taken a big step to streamline its supply chain cybersecurity. Next, its team worked with MOBIA to build a set of best practices and guardrails to help franchise locations protect themselves from vulnerabilities. With documented guidance for franchises to follow, the security team took another important step towards streamlining supply chain security.
Securing the brand loyalty program with a shift-left approach
With the launch of its app, the brand made it easy for customers to place mobile orders. Next, its technology team turned its attention to integrating a loyalty program into the successful application. Recognizing that security is paramount for any system that handles customer data, the cybersecurity team engaged MOBIA to secure the app’s loyalty program functionality. With a deep understanding of the benefits of using a shift-left approach, MOBIA has worked with the development team to secure the new app features as they’re developed. By building in security during development, the teams working on the application and loyalty program can identify flaws early and fix them faster, speeding launch and ensuring the application code remains streamlined.
Benefits
Outcome
Over the course of two short years, this popular franchise has improved its security posture significantly with MOBIA’s support and expertise. With a clear picture of its risk landscape and a solid foundation of governance, the company has developed a comprehensive and systematic approach to security and addressing supply chain risk. In addition, these changes have helped the cybersecurity team implement more CIS V8 controls, improving the company’s overall security posture.
There’s another notable benefit to these changes: reducing the time it takes the cybersecurity team to prepare for annual audits. The Director of Technology Security and Infrastructure estimates that he and one other member of his team would invest a week preparing documentation for auditors. Today, they’re able to provide governance and security posture documentation to meet auditors’ needs quickly and with minimal effort.
With a more focused approach to cybersecurity, the franchise has been able to integrate cybersecurity into its new loyalty program mobile app features as they’re being developed. This ensures development is efficient and that security is built into the core of the application.
Looking at the work the franchise’s cybersecurity team has done together with MOBIA from a high-level strategic perspective, the Director of Technology Security and Infrastructure had this to say: “Our work with MOBIA doesn’t help us sell more burgers, but we have a goal of zero cybersecurity incidents that lead to lost revenue or downtime, and I believe that work has contributed to achieving this goal so far.”
The future of cybersecurity for the franchise
In a highly competitive industry like fast food, responding to changes in the market and your customers’ needs requires constant evolution. In turn, being able to evolve successfully relies on a solid foundation. With MOBIA’s help, this popular Canadian franchise’s cybersecurity team continues to refine that foundation, protecting the brand and its customers from cyberthreats. The cybersecurity team will continue to focus its efforts on meeting more of the CIS V8 controls. As the company rolls out the new loyalty features within its mobile application, the team will monitor security with support from MOBIA to ensure its locations and customers are protected.