The Quick Serve Restaurant (QSR) industry is built on consistency and shared resources. National chains like McDonald’s and regional chains like Cracker Barrel grow faster by reusing the same business model, décor, and menus, with little change from one location to the next.
The QSR technology stack reflects the consistency of each store’s front end. Although each franchise is independently owned and operated, they share subscriptions to SaaS applications, or use multiple tenants of the same application. Each app is usually segmented by store. IT and Corporate Security have access to the entire database, while each franchise has visibility into its own data.
These SaaS applications cover everything from CRM to supply chain to marketing and HR. The data in them is used to understand consumer habits, improve marketing campaigns and manage employees. Like the SaaS applications of every other industry, those used by QSRs contain a lot of data that needs to be secured.
At the same time, we see the food chain being attacked. Although it is not clear whether the recent breaches of fast food chains involved SaaS applications, it is clear that threat actors are increasingly turning their attention to restaurant chains. QSRs have unique challenges and must take specific and significant security measures to protect their SaaS applications.
Franchising Presents Unique SaaS Challenges
Like all businesses, QSRs need to prevent their data from falling into the hands of threat actors. In addition, QSRs have a secondary concern that few other businesses share.
Burger King has about 7,000 franchises in the United States. These individually owned and operated restaurants are often in competition with one another. Different franchises can store data within the same SaaS application. However, the data is segmented to prevent stores from viewing intra-chain competitor data.
Segmenting data so that corporate CISO teams have a full view of their applications, regional management offices have access to aggregated data within their region, and individual franchisees can only view the data they require calls for sensitive configuration of role-based access tools.
If misconfigured, data can easily be exposed across the chain. System administrators should continuously monitor their configuration to ensure this does not occur.
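The three-tier segmentation described above (corporate sees everything, a regional office sees its region, a franchisee sees only its own store) is usually enforced by a per-user row filter inside the SaaS application, and the misconfiguration to watch for is a franchisee whose filter is wider than one store. The following is an added example written for this article, not code from any SaaS vendor or SSPM product: it models the row filter, then runs the kind of continuous check the text calls for, flagging filters that do not match the role, the cross-store rows a bad filter actually exposes, and rows that carry no store tag at all. The roles, filter keys, region map and records are constructed for the illustration.

```python
"""Store-segmented data access with a segmentation audit.

Added example for this article; it is not code from any SaaS vendor or SSPM
product. The roles, row filters, region map and records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample rows. Every row is tagged with its region and store; an
# untagged row (store=None) is itself a segmentation defect.
RECORDS = [
    {"id": 1, "region": "west", "store": "W-101", "sales": 1200},
    {"id": 2, "region": "west", "store": "W-102", "sales": 980},
    {"id": 3, "region": "east", "store": "E-201", "sales": 1500},
    {"id": 4, "region": "east", "store": None, "sales": 300},
]
STORES_BY_REGION = {"west": {"W-101", "W-102"}, "east": {"E-201"}}


@dataclass(frozen=True)
class Principal:
    user: str
    role: str                     # "corporate", "regional" or "franchisee"
    home_store: Optional[str]     # the store a franchisee owns; None otherwise
    # The app-side row filter assigned to the user, e.g. {"store": "W-101"}.
    # This is the setting that, if wrong, exposes other stores' data.
    data_filter: Dict[str, str] = field(default_factory=dict)


def visible_records(p: Principal, records: List[dict]) -> List[dict]:
    """Rows the principal can read: those matching every key of its filter.

    An empty filter (corporate security) matches everything.
    """
    return [r for r in records
            if all(r.get(k) == v for k, v in p.data_filter.items())]


def audit_segmentation(principals, records, stores_by_region):
    """Findings a continuous configuration check would raise.

    Returns (subject, finding, detail) tuples: franchisee filters that are not
    pinned to the owner's store, the cross-store rows such a filter actually
    exposes, regional filters that are not one known region, and untagged rows.
    """
    findings = []
    for p in principals:
        if p.role == "franchisee":
            if p.data_filter != {"store": p.home_store}:
                findings.append((p.user, "filter-mismatch",
                                 f"expected {{'store': {p.home_store!r}}}, got {p.data_filter}"))
            # Effective-access check: apply the filter and look for leaked stores.
            leaked = sorted({r["store"] for r in visible_records(p, records)
                             if r["store"] != p.home_store}, key=str)
            if leaked:
                findings.append((p.user, "cross-store-exposure",
                                 f"can read rows of stores {leaked}"))
        elif p.role == "regional":
            if set(p.data_filter) != {"region"} or p.data_filter["region"] not in stores_by_region:
                findings.append((p.user, "filter-mismatch",
                                 f"regional role must filter on one known region, got {p.data_filter}"))
        elif p.role != "corporate":
            findings.append((p.user, "unknown-role", p.role))
    for r in records:
        if r["store"] is None:
            findings.append((f"record:{r['id']}", "untagged-row",
                             "no store tag; any region-level filter can read it"))
    return findings


# Constructed assignments. w102_owner is the misconfiguration: a franchisee
# whose filter was set to the whole region instead of the single store.
PRINCIPALS = [
    Principal("corp_sec", "corporate", None, {}),
    Principal("west_office", "regional", None, {"region": "west"}),
    Principal("w101_owner", "franchisee", "W-101", {"store": "W-101"}),
    Principal("w102_owner", "franchisee", "W-102", {"region": "west"}),
]

if __name__ == "__main__":
    for subject, finding, detail in audit_segmentation(PRINCIPALS, RECORDS, STORES_BY_REGION):
        print(f"{finding:22} {subject:14} {detail}")
```

Running the audit on the constructed data reports the mismatched filter on w102_owner, the W-101 rows that filter exposes, and the untagged row; the same audit on correctly configured principals returns nothing. The two checks are deliberately separate: the filter comparison catches the wrong setting even when no data happens to leak yet, and the effective-access check catches a leak even when the filter looks plausible.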
Securing Multiple Application Tenants
In addition to sharing segmented applications, many QSRs use separate tenants of the same application. Each tenant must be secured separately, with its configuration following the chain's guidelines.
Some stores may have very securely configured instances of an app, while others may have a poor security posture. Ensuring that every branch maintains strict security standards in an environment like this is a herculean task.
Identity and Access Governance Is Critical in SaaS QSR
Another unique challenge for QSRs today stems from the fact that they have been among the industries hit hardest by COVID-19 and the wave of resignations that followed. Many restaurants have reduced hours, returned to drive-thru only, or are operating with skeleton crews trying to serve their customers.
Staff shortages mean more employees are given access to systems that were previously reserved for managers. Shortages are also fueled by high turnover, with employees staying only a short time. These employees are not “cybertrained”, and are far more vulnerable to social engineering attacks such as phishing. They also tend to be younger, and don’t always appreciate the impact of sharing their login credentials with friends and on social networks.
As a result, the onboarding and deprovisioning of employees across thousands of locations around the world is more important than ever. Former employees need their access revoked as soon as possible to limit the possibility of data leaks, breaches and other cyber attacks.
Protect Against SaaS Threats
To counter these challenges, a SaaS Security Posture Management (SSPM) solution can come into the picture. SSPM helps restaurants manage the settings that segment data by store. It also compares tenants, telling enterprise CISO teams which stores, regions, and countries have secured their applications, and which have misconfigurations that could result in data leaks or breaches.
In addition, SSPM notifies restaurants when they connect high-risk third-party applications to the core hub, or when their employees access SaaS applications from devices with poor security hygiene. It manages users and access, ensures that controls such as MFA are in place, and reviews user activity to detect threats that could lead to breaches.
When configuration deviations make data accessible to other stores, it notifies application administrators and security teams and offers remediation guides to help them reseal the data walls between franchises.
With effective SSPM tools, QSRs can run their restaurants on SaaS applications with confidence that their data is safe.
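The two SSPM functions described in this last section and in the sections on multiple tenants and deprovisioning (comparing each tenant's settings against the chain's guideline, and catching accounts that should have been removed) reduce to the same loop: a baseline, a per-tenant configuration, and a list of findings with a fix. The following is an added example written for this article and is not any SSPM product's code; the setting names, severities, tenant configurations, HR roster and dates are all constructed, and the 90-day staleness threshold is an assumption.

```python
"""Compare per-tenant SaaS settings to a chain baseline and flag offboarding gaps.

Added example for this article; not an SSPM product's code. Setting names,
severities, tenant configurations, roster and dates are constructed.
"""
from datetime import date, timedelta
from typing import Any, Dict, List

# Chain-wide baseline: the value every tenant must hold, how serious drift is,
# and the remediation text a report would attach. An "expect" may be a value
# or a predicate on the tenant's value.
BASELINE = {
    "mfa_required": {"expect": True, "severity": "high",
                     "fix": "Enable MFA enforcement for all users."},
    "public_link_sharing": {"expect": False, "severity": "high",
                            "fix": "Disable anonymous link sharing."},
    "session_timeout_minutes": {"expect": lambda v: v <= 60, "severity": "medium",
                                "fix": "Set session timeout to 60 minutes or less."},
    "third_party_apps_allowed": {"expect": "approved_list", "severity": "medium",
                                 "fix": "Restrict OAuth apps to the approved list."},
}

# Constructed tenant settings. E-201 has never set the third-party-app policy.
TENANTS = {
    "W-101": {"mfa_required": True, "public_link_sharing": False,
              "session_timeout_minutes": 30, "third_party_apps_allowed": "approved_list"},
    "W-102": {"mfa_required": False, "public_link_sharing": True,
              "session_timeout_minutes": 30, "third_party_apps_allowed": "approved_list"},
    "E-201": {"mfa_required": True, "public_link_sharing": False,
              "session_timeout_minutes": 480},
}

# Constructed tenant user lists and the HR roster of active staff per store.
TENANT_USERS = {
    "W-101": [{"user": "ana", "last_login": date(2024, 5, 1)},
              {"user": "bo", "last_login": date(2023, 11, 2)}],
    "W-102": [{"user": "cy", "last_login": date(2024, 1, 15)}],
    "E-201": [{"user": "dee", "last_login": date(2024, 5, 20)}],
}
HR_ROSTER = {"W-101": {"ana"}, "W-102": {"cy"}, "E-201": {"dee"}}


def _meets(expect: Any, value: Any) -> bool:
    return expect(value) if callable(expect) else value == expect


def check_tenant(tenant_id: str, settings: Dict[str, Any]) -> List[dict]:
    """One finding per baseline setting that is unset or drifts from the baseline."""
    findings = []
    for key, rule in BASELINE.items():
        if key not in settings:
            state = "not-set"
        elif not _meets(rule["expect"], settings[key]):
            state = f"drift: {settings[key]!r}"
        else:
            continue
        findings.append({"tenant": tenant_id, "check": key, "severity": rule["severity"],
                         "state": state, "fix": rule["fix"]})
    return findings


def check_accounts(tenant_id, users, roster, today, stale_days=90) -> List[dict]:
    """Accounts with no matching active employee, or unused past the threshold."""
    findings = []
    for u in users:
        if u["user"] not in roster:
            findings.append({"tenant": tenant_id, "check": "orphaned-account", "severity": "high",
                             "state": u["user"], "fix": "Deprovision: user is not on the active roster."})
        elif today - u["last_login"] > timedelta(days=stale_days):
            findings.append({"tenant": tenant_id, "check": "stale-account", "severity": "medium",
                             "state": u["user"], "fix": f"Review: no login in {stale_days} days."})
    return findings


def posture_report(tenants, tenant_users, rosters, today) -> Dict[str, List[dict]]:
    return {tid: check_tenant(tid, cfg)
                 + check_accounts(tid, tenant_users.get(tid, []), rosters.get(tid, set()), today)
            for tid, cfg in tenants.items()}


def rank_tenants(report) -> List[str]:
    """Worst tenants first: most high-severity findings, then most findings overall."""
    return sorted(report, key=lambda t: (-sum(f["severity"] == "high" for f in report[t]),
                                         -len(report[t]), t))


if __name__ == "__main__":
    report = posture_report(TENANTS, TENANT_USERS, HR_ROSTER, date(2024, 6, 1))
    for tid in rank_tenants(report):
        for f in report[tid]:
            print(f"{tid} {f['severity']:6} {f['check']:24} {f['state']:14} {f['fix']}")
```

On the constructed data the ranking puts W-102 first (MFA off and public links on), W-101 second (a leftover account with no one on the roster behind it), and E-201 last (a long session timeout and an unset policy). Treating a missing setting as a finding rather than silently passing it is the important design choice: a tenant that never configured a control is not compliant just because the check had nothing to compare.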