Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 AM
Connect Directly

Burger, Fries & Security

Wendy's franchisee outsources Internet access, security of its seven stores to BHI

Whipping out that credit or debit card at your local fast-food restaurant may be convenient, but it has also put the so-called quick-service restaurant (QSR) sector under the Payment Card Industry (PCI) standard microscope.

Just ask Wendy's franchisee Paul Haire, who co-owns seven Wendy's restaurants in the Monroe, La., area. Haire's restaurants were some of the first to accept credit cards. The Wendy's stores had also been rife with email-borne malware that spread from the manager's XP-based workstation in the back office to the XP-based electronic point-of-sale (POS) systems in the front of the stores.

"That would bring the whole system down and step these restaurants back into the 60s, with hand-written orders and checks," he says. "We had a huge issue with viruses."

So Haire outsourced his franchises' Internet and security services to BHI . The Eden Prairie, Minn.-based Internet hosting and managed services security provider for SMBs provides a turnkey service for QSRs like Wendy's. He's been using the MSSP for nearly two years now.

Even as security issues increase for fast-food outlets, small-business franchise owners like Haire are still basically on their own when it comes to IT and security. Like other franchised chains, Wendy's corporate IT department serves more in an advisory role to its restaurant owners, providing recommendations and resources for securing their transaction and financial data.

Haire says he's ultimately responsible for securing his business. "At risk is my cash," he says.

Haire learned of BHI through Wendy's corporate IT, which researches and recommends products and providers to its franchisees. BHI set up an IPSec-based VPN for Haire's seven stores, and provides security monitoring, anti-spam, anti-malware, anti-spyware, content filtering, IDS, firewalling, and reporting services for the stores.

Each store has its own Fortinet Inc. FortiGate-60M box, a VPN gateway that acts as an all-in-one security device, with a firewall, antivirus, anti-spyware, content control, VPN connectivity to Haire's central office, and a dialup modem in case the store's broadband DSL connection is down.

"It's an all-in-one approach. We are taking care of the whole gamut" of security, says Dave Perrill, president of BHI. "In our solution, we lock down the Web traffic to food-ordering and a few back-office things."

But Perrill admits this poses the risk of a single point of failure, especially in the harsh conditions of a QSR, where fires, grease, food, and even theft can damage equipment and compromise security. "[Single point of failure] is a very real risk," he says. "But we obviously have a number of devices on standby, and we can get one shipped out next-day air" if one fails.

Another security challenge is that Haire's Wendy's outlets offer free WiFi to their customers. "When it comes to their customer side, there's little we can do" security-wise, Perrill says. "But we are ensuring their networks aren't exposed as the result of a hotspot."

Wendy's Haire says he doesn't worry about the WiFi service hurting the VPN, since it's separate and secured, he says. He notes that the restaurants do a batch upload of their Wand POS systems in the middle of the night, which eliminates having sensitive data sitting around locally. "And at no time in our organization does anyone have access to a whole credit-card number. What resides here is not even a last name, just the last four digits."

Haire says his biggest vulnerability is an internal one. "Our next step is to routinely have a way for passwords to be randomly generated and updated," he says. His stores already use secure token cards on the POS systems.

And the Fortinet VPN gateways are installed in the back office, where only the manager and assistant managers have access. The stores are also monitored by a digital camera system over the VPN, so Haire can keep an eye on any potential problems remotely, although he visits the stores in person regularly.

SMBs like Wendy's franchise owners are increasingly looking for help in securing their Internet exposure. BHI's Perrill, whose company does business with Wendy's, Boston Market, Skipper's, and other QSRs, says his company generates about 65 percent of its over $3 million in revenue from security services, which also run Fortinet's FortiGate-50, FortiWifi-60AM, and FortiGate-800 series security appliances.

"They are looking for a partner who will implement it for them and give them a piece of mind," he says. "Wendy's is one of the more proactive and progressive organizations."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.
PUBLISHED: 2020-05-26
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
PUBLISHED: 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.