RCS Secure and DUMAC recently held a webinar with The Shelby Report to help educate retailers on the importance of cybersecurity. Members of the organizations presented case studies of other retailers that have fallen victim to a cyber attack, best practices to secure customers’ transactional data and best practices for businesses to secure their network.
The two brands are partnering together to offer an around-the-clock solution that will help detect any cybersecurity threat attempting to compromise a store client’s computer systems, according to Randal Asay, president and CEO at RCS.
Asay began the webinar with a “reality check,” saying that “no business of any kind is immune to risk.”
“The message that I try to get across to companies is that security is not an option, it’s not something that you can bolt on. It’s something that you need to bake into your business so your business can run. Security is an enablement of your business.”
Next, presenters from both organizations discussed a case study concerning a large retailer that was found to have malware running within its POS systems. Occurring between April and December 2019, the incident is suspected to have compromised 34 million payment cards. John Woods, VP of operations and CISO with RCS Secure, explained that the Payment Card Industry Data Security Standards Council determined the intrusion most likely originated from a “phishing email” opened by an employee.
“For a few months, the hackers performed reconnaissance, laterally moved across (the) network to discover resources and then installed malware to collect magnetic stripe data from cards processed…In investigating the incident, the PCI DSS claimed that it found three violations of their standards,” Woods said.
Following the breach, the retailer has accrued $62.7 million in lawsuits, penalties and settlements to date. Some settlements and other legal actions are ongoing, according to Woods. He also pointed out that maintaining the practices laid out by the PCI DSS can help to eliminate the possibility of being breached and avoid “brand damage.”
Dave Foster, VP of information technology at DUMAC, explained that these types of breaches can happen for a myriad of reasons, including governance issues, incorrect data security configuration, misconfigured security information management logs or a lack of response from security personnel.
“These are probably some of the most popular tactics, techniques and procedures that are used by bad actors and cybercriminals. When the PCI investigator came in to investigate, the first thing they went to look for were the logs and they were gone. You can invest a lot into security, but it comes down to security professionals following the right procedures, setting up the systems, tuning them correctly and how to respond to threats,” Foster said.
To defend against cyber threats, there is “no single strategy” and a “defense in depth” approach is required, according to Woods. He went on to discuss maintaining PCI DSS compliance.
“Some of the most well-known grocery store cyber incidents involve customers’ payment information…It’s for these very reasons that the PCI DSS exists. They put the PCI DSS structure together to help reduce fraud, reduce loss and to protect all the merchants who accept credit cards,” Woods said.
The presenters outlined 12 requirements from the PCI DSS to ensure operational and technical security while protecting cardholder data:
- Install and maintain a firewall configuration to protect cardholder data;
- Do not use vendor-supplied defaults for system passwords and other security parameters;
- Protect stored cardholder data;
- Encrypt transmission of cardholder data across open, public networks;
- Use and regularly update anti-virus software or programs;
- Develop and maintain secure systems and applications;
- Restrict access to cardholder data by business need to know;
- Assign a unique ID to each person with computer access;
- Restrict physical access to cardholder data;
- Track and monitor all access to network resources and cardholder data;
- Regularly test security systems and processes; and
- Maintain a policy that addresses information security for all personnel.
They ended their presentations by recommending some best practices including email security, identity management, PCI DSS compliance and managed security operations. RCS Secure and DUMAC offered their own services for those in attendance.
“RCS Secure is founded on more than 20 years of Fortune 500 experience, offering a full spectrum of cybersecurity safeguards and services…We are proud to partner with DUMAC for today’s webinar to ensure clients are both secure and compliant,” Asay said.
Foster said, “This layer of security will not affect the performance of the store network or the customer check-out experience. Employees and customers won’t even know that the active protection over their business and transactions is happening.”
According to the presentation, their software installation will take “proactive action when threats are identified to stop them.” As an example, Woods described a real-world industrial stone supplier that was saved from an estimated $500,000 fraud, which was discovered thanks to the preventive measures their software services provided.
The presentation concluded with questions directed toward the services RCS and DUMAC provide.
For more information, visit dumac.com.
To view the on-demand webinar recording presented by The Shelby Report, click here.