Security Consulting Customer Success Story with A&W Canada

February 20, 2018

With over 850 locations nation-wide, A&W is the second-largest fast food chain in Canada. The firm has two sets of customers - the franchisees that own and operate individual restaurant stores and the restaurant guests. 

Since a majority of the restaurant guests use debit and credit cards to pay (over 50% don’t use cash), the point-of-sale (POS) system is a major attack vector for cyber criminals to steal credit card data. A&W Canada is committed to protecting the sensitive data of their restaurant guests by adhering to the strict corporate governance practices.

A&W Canada engaged Herjavec Group to perform a full technical security assessment consisting of External/Internal Vulnerability Assessments, External/Internal Penetration Tests, and Wireless Assessments for a subset of their restaurant locations across Canada.


Ensure that A&W Canada corporate and all franchises are adhering to security compliance standards, without interruption to normal business operations and quality of service to restaurant guests.


Conduct a full suite of technical security assessments on the current security framework of the locations to identify where each store was vulnerable and how the franchisees can improve their overall cybersecurity posture.


“We've got two sets of customers. We've got the guests who visit our restaurants and we've also got our franchisees. So when we think of cybersecurity, there is a layer for our guests - those individuals who come to our restaurants. Protecting their data and ensuring that our guests do have the confidence to visit A&W is critical. ”
-- Terry A. Taciuk, VP of Information and Business Analytics

Full Suite of Technical Security Assessments

The assessments began with the Security Consultant gathering information through interviews with key stakeholders and performing a documentation review for all policies, procedures, employee training, etc. that A&W had in place for security governance.

A Wireless Assessment is normally done for enterprises, like A&W, that offer free wireless connection services (e.g. free Wi-Fi) for their guests. Since a majority of the wireless connections are free to use for guests, cyber criminals can easily hack into the wireless networks once they’re in range and conduct cyber attacks to compromise other devices connected to the same networks. Within this assessment, the Security Consultant tries to find the various wireless access points, attempts to gain entry into the network, and conducts simulated attacks once they gain the access. The goal of a Wireless Assessment is to offer insight into the vulnerabilities that might exist across the wireless connections.

In addition, Herjavec Group conducted an Internal and External Vulnerability Assessment to satisfy the PCI DSS compliance standards for the restaurant chain. The External Vulnerability Assessment looks for vulnerabilities in the network perimeter and firewalls to pinpoint how attackers can break in. On the other hand, the Internal Vulnerability Assessment is conducted to find flaws internally. 

Lastly, Herjavec Group performed Internal and External Penetration Tests on the networks to exploit vulnerabilities found from the Vulnerability Assessments. The Internal Penetration Test uses a range of social engineering techniques to determine additional weaknesses in the network systems that may result from human error, user access control lapses or malicious activity.  The External Penetration Test attempts to identify flaws that may be present in how the network is connected to the Internet (i.e. firewalls or gateways).

Once the gaps have been analyzed and reported, the Consultant provides an executive summary of the gap analysis as well as a detailed roadmap for remediation and targeted action plan. 

“Herjavec [Group] allowed us to really provide a one-stop shop kind of service, which made life easier for us and I think that will give us an overall better long-term solution to managing our cybersecurity.”
-- Terry A. Taciuk, VP of Information and Business Analytics


After conducting the full security assessment, Herjavec Group was able to provide a list of recommendations to A&W Canada.

Once A&W Canada was able to implement the changes recommended, they were able to maintain compliance with the new PCI DSS industry standards, ensuring that their overall security posture was greatly strengthened.

To engage Herjavec Group for Security Consulting services, please connect with a security consultant today.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn