The highest compliment we can get is when an engagement comes to us via a referral, and that’s how we connected with the CFO of a grocery chain. He explained that the stores were in the midst of working with their Point-of-Sale vendor to update the systems and confirm that those aspects of the Payment Card Industry (PCI) requirements were being met. His concern was that this did not necessarily mean the systems at the stores and at headquarters outside the scope of the Cardholder Data Environment (CDE) were also being reviewed to confirm whether they followed cybersecurity best practices.
In a follow-up meeting with the stakeholders, we confirmed that they were looking for a baseline to measure their overall cybersecurity posture, identify areas of risk, and obtain guidance on how to address any findings of concern. We also discussed the risk of staff not understanding or following the procedures they had been trained on, particularly in a high-turnover retail environment.
Once we completed our testing and our review of their documentation, we were able to point them to their areas of risk. The social engineering campaigns showed that physical security procedures were being followed at the targeted stores, but the email and telephone phishing resulted in several staff members providing us with their full credentials to access the network. This pointed to a need for more focus on security awareness training, along with additional technical controls: limiting remote access for non-essential staff, and making sure access to sensitive data is granted on a “need to know” basis only rather than via company-wide shares. We also found that while investments had been made to keep the perimeter hardware refreshed, many known vulnerabilities had been left unpatched. A formal patching policy was added to scan monthly and to remediate high and critical vulnerabilities within 30 days.
An effective cybersecurity program is not a one-time project, so we remain a resource for as-needed consulting as the business continues to mature and the threats and compliance requirements keep evolving.
Do these challenges sound familiar? While you may not be a grocery store chain, you can view the full case study and others on our website to get a sense of how we have helped organizations in a variety of business sectors. And you can always speak to a Foresite consultant without charge or obligation.