Retail Resilience: On Cybersecurity and Recovery

Ashif Samnani: Withretail, I think, for end user, I see there's different attack scenarios, attacksurface. One that resonates to me is around loyalty. Loyalty cyber risk is abig, big area within the retail space that is targeted frequently. The idealcompany has an end-to-end cybersecurity program put into place, so they havethe proper governance, risk, and compliance processes put into place. They dohave the right technical controls put into place, the right administrativecontrols put into place. But one of the things that successful organizationscan do is actually measure the operational effectiveness of their cybersecuritycontrols, and that's tied directly to the KPIs that they have.

So if organizations can actually measure the effectiveness oftheir cybersecurity program, and it ties directly to their controls which areput into place, then you know that risk is actually being mitigated in aquantitative manner.

Well, the incident response plan is critical because when anincident occurs, an organization should know how to respond to something suchas a ransomware attack. That's a simple way of looking at it. If organizationsdon't know how to respond to it, then what happens is they'll end up in a darkstate. And when you're in a dark state, you're going to end up in a situationsuch as London Drugs, where your organization will be out for three to fourweeks and there's a loss of revenue. So, making sure that organizations knowhow to respond in a timely manner, so that it doesn't get out of hand and leadto more operational downtime.

Marc LeBlanc: This isSolving for Change, the podcast where you'll hear stories from business leadersand technology industry expert about how they executed bold businesstransformations in response to shift in the market or advances in technology.In every episode, we'll explore real world strategies and technologies thatfuel successful evolution.

I'm your host this month, Marc LeBlanc.

In this episode, we'll explore how to secure Canadian retailagainst rising cyber threats. I'm really excited to welcome Ashif Samnani tohelp us dig into this important topic. Ashif is our Principal SecurityArchitect and a member of the Office of CTO here at MOBIA. A security expertwith over 18 years of experience in the information security space, Ashif has awealth of experience in governance, risk, and compliance; security operations;application security; incident response; and forensics.

He has worked in a variety of industries including IT, oil andgas, financial services, and insurance. And he also has an academic backgroundin information security and cryptography.

Thank you for joining us and solving for change, Ashif.

Ashif Samnani: Thankyou. It's a great being here. And, I'm sure today we'll have a good discussionaround retail cybersecurity and some of the threats associated with it and howwe can assist organizations to protect themselves.

Marc LeBlanc: Yeah.So there's quite a bit in the news and it seems every week or every day,there's more and more information about the types of attacks that are outthere. We hear about ransomware. We hear about retail organizations being hit.We hear about data being compromised. I think probably one of the most recentin the Canadian news space was the attack on London Drugs, where the data wascompromised and employee data was taken.

What are your thoughts on what happened there? I think that wasreally interesting because we actually saw a retail outlet get shut down for asignificant amount of time.

Ashif Samnani: That'sa good question and a good topic to discuss. When I think about ransomwareattacks, they're very simple and intuitive, and sometimes organizations maymiss deploying a cybersecurity control, such as an endpoint detection andresponse capability within the organization. And sometimes there arevulnerabilities out there that cannot be detected using these technologies.Ransomware typically occurs when an individual is phished. We know aboutphishing attacks. Educating end users is very critical to making sure that theydon't click on links. Because that can download payloads into the environmentthat can trigger ransomware traversing through the environment and that's atypical scenario you would see . But if you're looking at phishing, if you'relooking at ransomware attacks, it's all about the end user educating them andmaking sure that you have the proper cyber security controls put into place.

Sometimes organizations may miss deploying an agent wheresometimes a proper firewall rules haven't been implemented on the firewall andproper detection mechanisms are not put into place. So, it's fairlystraightforward, easy to implement these controls and educating users to makesure that they don't click on links, things like that.

Marc LeBlanc: So Iagree. I think that education has to be part of the solution that has to bemaybe the biggest part. Talk to me about beyond the education. What else shouldretailers be taking into consideration? Talk to me a little bit about maybe theresponse or the prevention beyond the education.

Ashif Samnani: Soonce again, making sure, from a proactive standpoint, making sure that they dotheir risk assessments, making sure they have proper architecture reviews doneto ensure that cybersecurity controls are put into place.

From a detect standpoint, making sure that there are proper usecases put into place, having a security incident event monitoring capability isvery important.

I know within industry we're talking about continuous threatexposure management. That's important to implement, so making sure that you doyour proactive pen testing, making sure that you do proactive vulnerabilitymanagement. That's critical because we know that traditional vulnerabilitymanagement can still lead to attacks happening within the organization.

So, making sure that we have automation and orchestration putinto place so that we can protect the environment in a repeatable fashion.

Marc LeBlanc: Youknow, we talked about London Drugs. I think a large number of folks last weekor the week before would've gotten an email from Ticketmaster. How does thatdiffer to what happened with London Drugs?

Ashif Samnani: Well,London Drugs was more of a first-party breach, where Ticketmaster I see is morewith third-party breach. So, the database was compromised. So, there'sfundamentally two different issues here: one the organization had a lot ofcontrol over, where the other the organization didn't have too much controlover.

As for our Ticketmaster third-party breach, making sure that weconduct those third party assessments against organizations before we bring onsystems because we need to ensure that, or the organizations need to ensurethat those systems aren't compromised or they have the proper cyber securitycontrols in place.

So, this is all around supply chain security. So conductingyour risk assessments against a third party, making sure that we're monitoringthe attack surface on the third party to see if there's any securityvulnerabilities associated with it, and building it into your contractualobligations and making sure that they satisfy compliance requirements. The goldstandard is around ISO 27001, making sure that they demonstrate that they haveproper cybersecurity controls in place. That's that's the issue and contentionaround supply chain security. So, making sure that proper controls are put intoplace and ensuring compliance when you bring on new vendors to support some ofyour applications and your data.

Marc LeBlanc: So, ifI can just recap really quickly there, the way I understand you explained it,with London Drugs there was more in their control, it was within theenvironment. The attack surface was within their environment, someone got in.With Ticketmaster, it was a service, a third party service they were using thatwas attacked. Ticketmaster had little to no control because it wasn't anenvironment that they actually had control over. Did I get that right?

Ashif Samnani: Yep,that is correct. One's a first-party breach where the other one is athird-party breach.

Marc LeBlanc: Youknow, so we see these attacks are on the rise. Ransomware is definitely on therise. There's an interesting statistic from the Retail Council suggesting thatthe average cost of a data breach in Canada is somewhere around $5.64 million,which is actually a million higher than global averages. What do you think isdriving these attacks, this increase in attacks, and why is it particularlyinteresting or critical in the retail sector?

Ashif Samnani: Well,most of the attacks are financially driven. Threat actors such as FIN6, FIN7have been in the environment and the whole purpose around driving these attacksis financial.

For instance, credit card information, getting loyaltyinformation–that's money in the bank for the attacker. So once they gain accessto this data, they can sell it on the dark web. And some of this data can gofor thousands of dollars and up to millions of dollars. So, it's financiallydriven.

Marc LeBlanc: So tellme, sometimes we see that it's not always just customer information, sometimeswe see it's employee information. Is there a difference in the type of datathat's being attacked or pursued?

Ashif Samnani: Well,when you look at customer information and employee information, it all ties topersonally identifiable information. This information can be leveraged toconduct fraudulent activities. So for instance, if you have an employee socialinsurance number you could potentially perform some level of fraud. Like, forinstance, get access to purchasing a credit card or using information toconduct any sort of fraud activities.

I think the difference between customer information andemployee information–once again, both are financially driven–but with customerinformation, you might get additional information that may include loyaltyinformation and potentially additional like credit card information. Whereemployee information I think what it comes down to is you can get theirpersonal information that can be leveraged to conduct fraudulent activities.

So, customer information has more value associated thanemployee information in this case.

Marc LeBlanc: Do youthink the retailers are aware that they're vulnerable, or does it typicallytake a wake up call or an incident that forces them to address vulnerabilities?

Ashif Samnani: I'mpretty sure in the back of their head, they know they're vulnerable. To provideassurance that they aren't vulnerable, sometimes they don't employ propersecurity controls, such as pen tests. They, they, they know for a fact,cybersecurity, it's only. A form of insurance, and we know it's about riskreduction. There's always that likelihood organizations will be attacked atsome point. It's just about when and how to recover from it.

We always talk about cyber resiliency these days, because weknow that organizations are being attacked and we can see that happening on adaily basis. So, I'm sure the boards, the CISOs, cybersecurity managers,they're fully aware of it. It's just about mitigating risk.

Marc LeBlanc: Youknow, I think there's two other follow-up questions to that. The first one I'llask, when they're thinking about things they need to put into place, what arethe primary objectives that these companies should be thinking about? Whatshould they be thinking through when they're trying to come up with a solution?

Ashif Samnani: Well,first of all, looking at it holistically, so making sure that they conducttheir initial risk assessment and making sure that they conduct their initialarchitecture. So assessing the environment, which includes conducting apenetration test. After that, looking at it more holistically, not just saying,"Hey, let's just put an endpoint solution into place." There areother areas that they need to focus on. For instance, network securitycontrols, security controls within the cloud, making sure that they have properprivilege access management in place. Most importantly, especially aroundransomware training end users in terms of making sure that they understand howto detect for phishing attacks.

So looking at it very holistically, there are frameworks likeISO 27001, NIST 800-53, NIST CSF, which gives a broad overview in terms of whatcontrols need to be put in place to prevent such a ransomware attack. So, notjust looking at it from an endpoint standpoint, but looking at it moreholistically and looking at it from a risk-based standpoint in terms of how toreduce risk in a defined and repeatable manner.

Marc LeBlanc: So,there's, there's more follow-up questions there, but one thing I want to makesure we touch on, because you've touched on it a little bit around cyberresiliency response: how does the response plan factor into this as well?

Ashif Samnani: Well,the incident response plan is critical because when an incident occurs, anorganization should know how to respond to something such as a ransomwareattack. That's a simple way of looking at it.

If organizations don't know how to respond to it, then whathappens is they'll end up in a dark state. And when you're in a dark state,you're going to end up in a situation, such as London Drugs, where yourorganization will be out for three to four weeks and there's a loss of revenue.So making sure that organizations know how to respond in a timely manner, sothat it doesn't get out of hand and lead to more operational downtime.

On the contrary, when the organization is in a dark state, theyneed to understand how to recover from that dark state. So for instance, whatshould they establish right away? Is it communication? Is it the networkingtechnologies? Is it certain applications? So, making sure that you have theproper BCP and DR plans put into place, making sure that they're tested andwell understood. It's very critical to ensure that organizations can recoverfrom a cyberattack such as a ransomware attack.

Marc LeBlanc: In youropinion, what does a good response plan entail? If there were three or fourpillars that it would stand up on, what would that look like to you?

Ashif Samnani: A goodresponse plan would include roles and responsibilities, making sure everyoneknows what they need to do as it relates to an incident response plan. Makingsure that the organization has proper playbooks–playbooks are critical–andthey're tested. Making sure that everyone knows who to communicate with, sothat's about, once again, roles and responsibilities. And most importantly,making sure that you have the right technologies in place to address thatincident response plan.

So for instance, if you need to collect evidence for forensicsand making sure that you have write blockers put into place, making sure thatyou have a SIEM solution to monitor for ongoing changes within the environment.And making sure that you have the right cyber security controls in place tocontain the cyber incident. So that's very, very critical to ensure that wehave that as part of the incident response plan. Otherwise, you're going to endup in a dark state and that's where things can become quite messy from a PRcommunications standpoint. If it's a publicly traded company, it could evenimpact stock prices.

So there's considerations and also legal ramifications ofstaying in the dark state for such a long time that could lead to lawsuits orother things. Things to consider.

Marc LeBlanc: I wantto switch gears a little bit and talk a little bit more around the solutioning.I know there's a couple of topics I've often heard you speak of that are comingin to help give more guidance. One area would be Bill C-27. The other areaswould be things like NIST. You touched on ISO a few times in this call already.But tell me, what's the impact of Bill C-27? Why is this interesting? What doyou think it means for businesses in the near term?

Ashif Samnani: Well,Bill C-27, I always state that this is the Canadian version of GDPR. It'saround the protection of end user data, so individuals. It's critical thatorganizations implement proper data protection mechanisms, such as encryptionand other capabilities. Now, the thing is with Bill C-27 there are finesassociated with it if organizations do get breached.

There isn't any data per se on what the fines are going to bejust yet. But if you think about GDPR, for instance, that's 4 percent ofrevenue. So for instance, if an organization gets breached and personalidentifiable information gets breached, the consequences can lead to impactingthe organization's financial statements because if you look at the Europeanexample, that's GDPR, it's 4 percent of the global revenue.

So with the Bill C-27, we'll probably see some similarconsequences as it relates to organizations facing fines and sanctions.

Marc LeBlanc: Couldyou maybe just for the listeners, just give a quick high-level: what is GDPR?What does it stand for?

Ashif Samnani: Sopretty much GDPR is the European data protection laws, which protectsindividuals from data breaches.

One of the areas is around making sure that organizations dohave a proper incident response plan, and making sure that they do their bestto protect data on a system. For instance, making sure that data is encryptedat transit or at rest. So that's one of the key cybersecurity controls thatthere is. It's all about protection of personal identifiable data and makingsure that individuals data is accessed in a proper manner and making sure thatthere's the least information. So, making sure that organizations are notleveraging too much of the data. So data minimization policies are verycritical. That's a sum of the things that we need to look at from a GDPRstandpoint.

But it's been there for like six to seven years since GDPR hasoccurred. I know the U. S. has some data privacy regulations. It's just when itcomes to data privacy and cybersecurity, globally, I see Canada not as quick asEuropean laws, not as quick as American laws. When we see things coming out inAmerica or in Europe, we're looking at five to six years down the road inCanada, typically. Legislation here is a little bit slower. I see othercountries are a lot quicker in terms of making sure that personal identifiabledata is being protected.

Marc LeBlanc: Youknow, the other half of that conversation that, I've heard customers say this,"Marc, I want to be doing the minimum. I want to be doing what I'mlegislated to do from a security perspective. But in the absence of that, whatelse should I be doing?"

What would your advice to a company that, you know, they wantto do the requirements, but how do they get started? They don't know what elsethey should be looking at. How do they get started to make sure they have agood cybersecurity solution for their retail business?

Ashif Samnani:There's many things they can do if there's no legislation, like if you'relooking at top controls and looking at your top SANS 18 controls, so makingsure that you have proper asset inventory and knowing what's in yourenvironment, making sure that you're patching, configuring your systemsappropriately. Data protection has become a very, very big piece aroundcritical controls. In fact, it's one of the top five critical controls. Somaking sure that we have proper DLP put into place, making sure that we haveproper data governance programs put into place. So those are the things thatorganizations can do.

So if they refer to the SANS Top 18 controls, it gives you alist of cybersecurity controls that organizations should implement if they havelimited budget. So, I would recommend looking at that.

Marc LeBlanc: Howwould something like NIST or the ISO standards play into this? How can theyhelp?

Maybe let's start withNIST. What is NIST and how could it help in this sort of conversation?

Ashif Samnani: So,NIST and ISO, both of them are there to address cybersecurity challenges acrossvarious sectors. I think with NIST, organizations that are more NorthAmerican-based, they leverage NIST as a framework. It's open source, it'sreadily available.

ISO provides the same level of control recommendations. You canthink about ISO as being the what. As in like what needs to be done, butwithout giving too much specifications. But there are NIST guidelines therethat can actually teach you how to implement these controls.

If you're an internationally-based organization and you'relooking for certification, I would recommend leveraging the ISO framework,especially if you're global because it's recognized globally as being aninternational standard for cyber security.

There was a fundamental difference actually back in theprevious standards where ISO focused a lot on governance, risk, and complianceand NIST was around focusing on control requirements, but that has changed withNIST CSF 2.0 because there's a heavy emphasis on governance. So pretty much thestandards are almost like for like it just comes down to are you moving towardscertification, are you an international based organization? And from there youcan determine whether you take the NIST route or you take the ISO route.

Marc LeBlanc: So wehave some regulation, we have some frameworks that we can leverage to secureretail organizations. What are the main considerations, you know, "I'mgoing to start securing my business, I know I've got all these things."What's the flow a retail business would normally go through to come up withwhat that strategy or what that security solution looks like?

Ashif Samnani: Froman organizational standpoint, we start off with always planning. So the GRCpiece. So, defining what your control framework is, conducting your initial gapassessment to see where are there gaps in terms of how you're complying withthe frameworks. Then conducting the risk assessment of the organization to leadto a corporate TRA to ensure that you identify what risks are there. And thendeveloping that risk treatment plan. So that ties directly to the cybersecurityobjectives, which tie to the strategy and your overall budget. And then fromthere, what it is is you have a cybersecurity strategy and then from there,prioritizing what you need to implement. For instance, a vulnerabilitymanagement program might be something or a continuous threat exposuremanagement program might be something that is of high priority. So prioritizingyour risk treatment plans based off of your organizational needs and yourcybersecurity strategy is critical. So everything starts with GRC and then fromthere it goes into strategy and then eventually to implementation and then tooperations to reduce the risk.

So that's what organizations need to do. They need to investinto GRC and I see a lot of organizations these days, they just don't want tothrow cybersecurity controls without understanding what the big pictures are.So making sure that you have the right strategy in place is critical to ensurethat you're reducing risk in a systematic manner, as opposed to throwing justlike EDR or firewall and hope for the best.

Marc LeBlanc: I havetwo follow up questions on that. Thinking through this, what parts of this areunique to retail that we may not see somewhere else? That'd be the firstquestion.

Ashif Samnani: Well,with retail, I see there's different attack scenarios, attack surface. One thatresonates to me is around loyalty.

Loyalty cyber risk is a big, big area within the retail spacethat is targeted frequently. I've noticed that these are more financiallydriven because loyalty points can be leveraged to purchase items, and these canbe found on the dark web also, and they're being sold for profit. That's oneattack vector, I think on the loyalty side.

The other piece around loyalty, once again, is collection–andthis is general to even healthcare and other areas–is a collection of personalidentifiable information and leveraging that data to commit fraud. That's verycritical because with retail, you're always collecting personal identifiableinformation and there's always ways, like through some of the marketinginitiatives such as loyalty, there's other attack vectors that attackers can gothrough. That's very unique compared to other organizations.

Marc LeBlanc:Thinking about the regulation, thinking about the frameworks, are there othergaps that retailers should be considering as part of their solution?

Ashif Samnani: Thereare other gaps, for instance I'll give you an example with the usage of AI,there isn't that much regulation out there right now and we're seeing thatretailers may be leveraging AI within their systems to make things a loteasier, but there's always risks associated with it, and that's why we haveimpending Bill C-27, which isn't a law just yet. And we have other AIframeworks that are just coming out, and what it is is organizations haven'tquite adhered to that, and have introduced AI into their platforms, which putsadditional risk to the organization if that AI is not implemented properly.

Marc LeBlanc: If youthink of a customer or a company that has done a great job: they've got theright tooling in place, they've got the right culture and processes in place.What does that look like from a successful security program implementation?

Ashif Samnani: Theideal company has an end-to-end cybersecurity program in place. So they havethe proper governance, risk, and compliance processes put into place. They havethe right technical controls put into place, the right administrative controlsput into place.

But one of the things that successful organizations can do isactually measure the operational effectiveness of their cybersecurity controlsand that's tied directly to the KPIs that they have. So if organizations canactually measure the effectiveness of their cybersecurity program and it tiesdirectly to their controls, which are put into place, then you know that riskis actually being mitigated in a quantitative manner.

So we talk about CMMI and maturity. So you think about programsthat are very ad hoc and those are individuals that are putting randomcybersecurity controls put into place where successful programs do it in moreof a defined and repeatable manner, which is also quantitatively managed sothey can demonstrate to the board that they're actually reducing the riskwithin their organization.

So we think about the whole maturity scale at the end of theday.

Marc LeBlanc: Lookingahead to the future, these threats, these attacks are always evolving. They'realways becoming more sophisticated. How do you anticipate this changing in thenear future? What do you think retailers need to think about?

Ashif Samnani: Onceagain, as I mentioned, the usage of AI, AI-based attacks targeting retailers,that's critical. The attack surface and the attack threat landscape isconstantly changing. There's new pieces of malware that are coming out, newthreats that are targeting organizations. It's just to be proactive and makingsure that they have the right controls put into place and making sure thatthose controls are deployed.

Can't list all the controls, but what it is, is making surethat organizations are familiar with the types of attacks that are happeningand what ways they can prevent their organizations from being breached withoutgoing too much into detail.

Marc LeBlanc: And youtouched on it briefly a moment ago, how disruptive do you think AI is going tobe as far as something retailers need to think about?

Ashif Samnani: It'sgoing to be very disruptive because every organization, whether it's a retailor financial services, they see it as an opportunity to streamline and optimizethe workforce and providing answers in a timely and effective manner. But withopportunity comes risk and, for instance, compromising the algorithms, usingAI-based attacks to target organizations on the retail side, it's, it'scritical. And say, for example, if a system is breached and they have startedleveraging AI to harvest information from customers, that's another way oflooking at it. So with introducing AI opens a giant gap for organizations as itrelates to a new attack vector and organizations need to be proactive when itcomes to protecting individuals from AI-based attacks.

Marc LeBlanc: Just torecap, kind of what we've talked about today, three insights or takeaways.Number one that I picked up on, retailers face a unique set of risks. There'sloyalty program risk. There's risks of implementing emerging technologies likeAI.

GRC is critical. There's a regulatory piece with Bill C-27coming out. There's other controls and frameworks to help guide like NIST, likeISO, that can be leveraged in the absence of regulation.

And, the third piece that I think we've touched on almost inevery part of our conversation today is around the resilience and recovery.Retailers can't prevent everything. Example there was Ticketmaster with athird-party breach.

They're aware that they're vulnerable, so we have to haveappropriate response planning. Understanding the roles of responsibilities,tested playbooks, communication plans, and so on.

Thank you so much for joining us today Ashif. It was greathaving a chat around cybersecurity as it pertains to the retail space inCanada.

Ashif Samnani: Thankyou.

Marc LeBlanc: Thankyou for listening to Solving for Change. If you enjoyed this episode, leave usa rating and review on your favourite podcast server and join us for our nextepisode.

‍