It is “RRROLL UP THE RIM TO WIN” promotion time again at Tim Hortons! To grab a coffee, you often have to wait in a long line. But yesterday, the wait seemed to last forever. A computer virus knocked out the cash registers at so many Tim Hortons locations that they literally had to close their doors!

This widespread security incident has frustrated not only coffee drinkers but also restaurant owners. They have suffered lost employee wages, lost sales, and food spoilage. As a result, a group representing many Tim Hortons franchisees is threatening legal action against the coffee chain’s parent company.

While the results of the detailed investigation are still pending, we can already see some obvious problems in the incident handling process, such as:

  • Incident Notification – the initial incident appeared to happen a week ago, but most of the restaurant owners knew nothing about it until their cash registers stopped working.
  • Incident Containment – the computer virus was not contained immediately and effectively after it first popped up at a couple of restaurants. It then affected hundreds of point-of-sale systems.
  • Incident Communication – Tim Hortons has not disclosed this incident with a clear and timely message, which leaves the media and the public to guess at the incident's causes, impacts, and remediation plan. This inevitably creates FUD (Fear, Uncertainty, and Doubt) among people.

Unfortunately, many companies make the same mistakes again and again when it comes to their cybersecurity program and incident handling process. This raises an important question for all businesses, big or small: do you really include cyber risk in your business strategy?

Cybersecurity cannot be an afterthought! The loss of money, time, and trust is often too expensive for a business. Tim Hortons, when it comes to your cybersecurity program, PLEASE PLAY AGAIN, just as you print on your coffee cups, although your odds of winning are so low at this moment.