The Retailer Autumn Edition 2022


HOW CAN YOU PROTECT YOURSELF FROM A CYBER-ATTACK? THINK LIKE A CRIMINAL

Sandeep Sharma, Director – Ethical Hacking, Mazars

Alexandra Miller, Manager – Ethical Hacking, Mazars

Not so long ago, Mazars tricked their way into the head office of a High Street retailer. Tailgating workers through two security doors, the team set up to work on vacant desks, as if they were employees, and spent the day collecting computer passwords and intellectual property, including materials relating to new services and products.

Later in the day, on an unchallenged tour of the building, the Mazars team walked into the HR director’s office (the door had been propped open) to find an open laptop. They took photographs of documents open on the screen and placed malware on the device that gave them remote access to the machine and the company’s corporate network for the next month. Files relating to employees, their contracts, ongoing disciplinary actions and other sensitive company material were also recovered.

Later, a third colleague tricked their way into one of the retailer’s stores, telling staff he was there to service a POS (point of sale, or till). Malware was placed on the machine allowing further remote access, this time to customer credit card details.

Fortunately for the retailer, the Mazars staff were cyber security experts engaged in a “red team” commission to see if they could hack into a client’s systems. The commission was designed to see if they could obtain intellectual property, customer details and credit card information without detection. They achieved all their objectives, revealing evident weaknesses in the retailer’s security measures.

Along with regular news headlines, the exercise demonstrates how cyber security remains an ever-present concern for UK companies. Statistics gathered for the Department for Culture, Media and Sport reveal that around 39% of UK businesses say they had been the target of a cyber security attack in the previous 12 months. Of those targeted, 31% say they are on the receiving end of an assault at least once a week. One in five companies say they have experienced a “negative outcome” as a result of being attacked.

Some of the largest brands find themselves in the crosshairs of cyber criminals. Just last month the New York Times revealed that the systems of Uber, the international taxi-hailing service, had been breached by tricking an employee into giving up passwords.

The success of the Mazars red team in breaching the retailer’s systems may seem shocking, but “ethical hackers”—those employed to test computer networks—succeed in breaching security more often than business leaders might expect. Indeed, Mazars has undertaken many engagements, across a multitude of sectors, and has never failed to breach systems security. The key message is that it doesn’t matter how big or small a retailer may be, the risk of a cyber security breach is ever present. And that is partly because security lapses come in many forms.

The two breaches detailed above seem alarming, but the company also suffered a third which involved circumventing “multi-factor” authentication. Using techniques remarkably similar to events at Uber, an under-pressure employee was persuaded on a phone call to recite a security code he had just been emailed. The call was made by a red team member posing as an IT staffer. Once armed with the code, the company’s networks were easily accessed. It’s worth bearing in mind that these breaches did not involve remote whizz-kid style computer hacking but what is known as “social engineering” — persuading employees to ignore established processes or simply give up security information.

Social engineering tends to exploit individuals under stress or the perception of authority. The person targeted by the Mazars team—in a so-called “vishing attack”—was a single father rushing to do the school run. Other attackers fake being trusted senior staff or, indeed, trick managers into ordering lower-level employees to do things they may not otherwise do during normal processes, such as making a payment.

Retailers may be more exposed than companies in other sectors because they have more points of vulnerability. Indeed, they suffer from what experts call a wide “attack surface”. Offices, stores and websites all represent opportunities to criminals. But the red team exercise, along with many others, offers a set of important insights for retail companies.

As implied, cyber security places a premium on processes that have integrity, even those applying to guests in offices and stores. ISO 27001, the recognised standard for information security, makes explicit mention of “visitor management”. Retailers therefore need specific processes addressing the way sensitive information is protected, including controls on how people visit their stores and the way websites are secured.

Company culture is also a key component of security and must support workforce discipline around the use of processes. That is not always easy. UK corporate culture tends to place great store in trusting employees and helpfulness at work. But both need to be combined with knowledge of security processes. Many businesses fail to invest in training and, without training, cultural characteristics like “trust” and “helpfulness” can morph into weakness.

Moulding or forming culture means elevating cyber security to the boardroom. It is a mistake to restrict cyber security to IT or technology silos, because it is about behaviour, and that is formed by corporate culture established from the top. Leaders at the top make the greatest difference.
It is widely accepted that cyber attacks will only increase in number and complexity in the near future. That makes processes, company culture and boardroom leadership on cyber security a priority. Red teaming proves that time and again.

“Retailers must ask themselves: are information security controls reviewed and updated regularly and are they adequately tested?”
