Now that’s a lot of hamburgers…
But at $4.19 for a Dave’s Hot ’n Juicy 1/4lb Single with Cheese, that’s exactly how many hamburgers disappear from Wendy’s top-line revenue thanks to a $50M settlement they agreed yesterday.
Those 12 million burgers represent about 4% of the company’s 2018 revenue, and would roughly equate to the kind of impact GDPR fines threaten.
As a bit of history, the incident impacted over 1,000 locations in the US and involved malware installed on their cash registers. According to the reports at the time, this was due to compromised remote administration services operated by a service provider supporting franchise locations.
Thanks to the terms of the card companies insulating the fraudulent transactions from their customers, the financial institutions ended up with the bill for 12 million burgers, and they understandably wanted their money back.
The root cause of the attack seems to be related to successful social engineering attacks against the employees operating the remote admin tools, and these attacks resulted in the 3rd-party service provider employees installing the malicious software.
And this kind of attack is quite common in the retail space, so I ask you: if you’re a retail Security Leader, how do you have confidence that you’re not going to be accountable for a 4% revenue hit by the same type of attack?
Do you know what your real risk exposure is?
Can you measure it on a daily, weekly and monthly basis?
Do you know how much your control investments are going to change that risk exposure in practical terms?
Do you know which of your security strategy components cover you in this particular scenario?
So you might be able to answer a resounding “yes!” to some or all of the above. And that’s fantastic!
If you did, I bet you can also draw a traceable line from the social engineering risk event back through everything you’re doing and connect it clearly to business objectives from the executive team that say things like:
“Grow our top-line revenue”…”Maintain and enhance our reputation and customer base”…and ”Avoid visible public litigation” right?
That’s amazing! Not many people can do that today.
If you didn’t, and you want to change that situation, check out our Security Leadership coaching program here: https://archistry.com/go/SecurityLeader
The whole point of it is to help you build the capabilities so you know exactly where you stand in relation to these kinds of incidents and that you also understand each link in the control chain, the value it brings you and prove you have the means to prevent, detect and recover gracefully if it does.
Cheers,
ast
—
Andrew S. Townley
Archistry Chief Executive
