Cybersecurity has moved from the server room to the boardroom, and rightly so. The financial, operational, and reputational consequences of a serious cyber incident can be severe — particularly for franchise businesses, where a breach at one location can affect the entire network.
Yet in many of the boardrooms I work with, there is still a gap between awareness and action. Leaders know cybersecurity matters. They are less sure what specific questions to ask, what good looks like, or how to get genuine visibility of their risk posture without needing a computer science degree.
Before we get to the questions, let me address one of the most common misconceptions I encounter.
“We Are Safe Because We Are in the Cloud”
This is something I hear regularly, and it is dangerously wrong.
Cloud providers like Microsoft, AWS, and Google do an excellent job of securing their infrastructure — the physical data centres, the network architecture, the underlying platform. But that is only part of the picture. Under the shared responsibility model that every major cloud provider operates, you are responsible for securing your data, your applications, your user access, and your configurations.
Moving to the cloud does not remove your cybersecurity obligations. It changes where they sit. If your team has misconfigured access permissions, failed to enable multi-factor authentication, or is not managing data properly, being in the cloud will not save you.
With that out of the way, here are five questions that every board — and particularly franchise boards — should be asking.
1. Do We Have a Tested Incident Response Plan?
Not a dusty document sitting in a shared drive that nobody has looked at in two years. A living, practical plan that your team has actually rehearsed.
An incident response plan should cover your critical systems and data, define clear roles and responsibilities, and set out the steps to be taken when — not if — something goes wrong. It should include communication protocols: who needs to be informed, when, and how. It should cover regulatory obligations, particularly around data breach notification under UK GDPR.
The key word is tested. A plan that has never been tested is a theory. You do not want to discover its gaps during an actual incident. Tabletop exercises, where leadership teams walk through realistic scenarios, are one of the most cost-effective investments you can make in cyber resilience.
For franchise businesses, the plan needs to account for the distributed nature of the network. An incident at a single franchise location may have implications for the wider brand and for centrally held data. The plan should be clear on how central and local teams coordinate their response.
2. Are Our Employees Regularly Trained and Tested?
The majority of successful cyberattacks exploit human behaviour, not technical vulnerabilities. Phishing emails, social engineering, weak passwords, accidental data sharing — these are the routes that attackers use most frequently, because they work.
Training needs to be regular, engaging, and relevant. Annual compliance tick-box exercises do not change behaviour. Monthly or quarterly reminders, combined with simulated phishing campaigns that test how people respond in practice, are far more effective.
In a franchise environment, this is particularly important. You may have staff at dozens or hundreds of locations, with varying levels of technical awareness. Building a genuine security culture — where people understand why it matters and feel confident reporting suspicious activity — is one of the most powerful defences you can have.
The board should be asking: what is our phishing simulation click rate? Is it trending in the right direction? How quickly do people report suspicious emails? These are measurable indicators of your human firewall.
3. Do We Have Adequate Cyber Insurance?
Cyber insurance is not just a financial safety net. A good cyber insurance policy gives you access to specialist incident response teams, legal support, and communications expertise when you need it most. Insurers have seen hundreds of incidents and know what works.
Perhaps more importantly, the process of obtaining and renewing cyber insurance forces you to assess your own risk. Insurers will ask detailed questions about your security controls, your processes, and your preparedness. If you struggle to answer those questions, that tells you something valuable about where you need to improve.
The board should understand what the policy covers, what it excludes, and whether the coverage is adequate for the realistic scenarios the business might face. Cyber insurance is not a substitute for good security practice, but it is an important part of a mature risk management approach.
4. Are Our Systems Properly Secured?
This is where you need honest, independent assessment — not just reassurance from your IT team or provider that everything is fine.
Cyber Essentials and Cyber Essentials Plus are UK government-backed certification schemes that provide a solid baseline. Cyber Essentials Plus, in particular, includes an independent technical audit of your systems. If you do not hold this certification, it is worth asking why.
Beyond certification, regular vulnerability scanning and penetration testing give you an objective view of where your weaknesses are. External audits by a qualified third party provide the kind of independent assurance that boards should expect for any material business risk.
For franchise networks, the question extends beyond central systems. What controls are in place at franchisee level? Are franchisees using approved, secured systems? Or are there locations running outdated software, unpatched devices, or unsecured Wi-Fi networks? Every location is a potential entry point, and in a connected network, a compromise at one site can provide a pathway to others.
5. Do Our Suppliers Meet Our Security Standards?
Your cybersecurity is only as strong as your weakest link, and increasingly that weakest link is a third-party supplier. Some of the highest-profile breaches in recent years have come through the supply chain — attackers compromising a smaller, less well-defended supplier to gain access to their larger customers.
The board should be asking: do we know who our critical suppliers are from a cyber perspective? Have we assessed their security posture? Are our security requirements written into supplier agreements, with the right to audit?
This is especially relevant for franchise businesses that rely on third-party technology platforms, marketing agencies, payment processors, and other service providers. Each connection to an external party is a potential vulnerability that needs to be understood and managed.
Getting Board-Level Visibility
Asking the right questions is only useful if you can see the answers clearly. Cybersecurity reporting to the board should be concise, jargon-free, and actionable. A traffic-light dashboard that shows the status of key risk areas — incident readiness, staff training, system security, insurance, supply chain — gives the board what it needs without requiring deep technical knowledge.
The goal is not for every board member to become a cybersecurity expert. It is for the board to have enough visibility to fulfil its governance responsibilities, challenge constructively, and make informed decisions about risk and investment.
A Practical Starting Point
If your board has not systematically addressed these five questions, that is not a cause for alarm — but it is a prompt for action. Start with an honest assessment of where you are today. Identify the gaps. Prioritise the areas of highest risk. And build a roadmap that moves you from reactive to resilient.
At Xpera, we work with franchise businesses and their boards to build practical, proportionate cybersecurity strategies. We help you understand your risk, close the gaps, and put the governance structures in place to maintain visibility as the business grows. No jargon, no fear-mongering — just clear, actionable guidance that fits your business.
If these questions have prompted some thinking, we would welcome the conversation.
Colin Rees is the founder of Xpera, a franchise technology and marketing consultancy. He works with franchise networks and mid-market businesses on technology strategy, cybersecurity, and digital transformation.