In our capacity as a PCI DSS QSA Company (QSAC), we work with a high number of UK retailers (in fact, if you walk down your local high street, chances are you’ll probably see at least one of our clients’ stores). Like any framework, PCI DSS is a series of controls that baseline a security strategy, but it is not a guarantee that you will not be attacked; nobody is bulletproof.

Fortunately, most people have moved away from just trying to throw tech at a problem. Tech is required but it’s imperative that the correct processes are in place before tech is used to wrap around said processes.

The rumours seem to be pointing at the attack group “Scattered Spider” (aka UNC3944, 0ktapus, Scatter Swine, Starfraud). Their usual tactics are SIM swapping and phishing (amongst others…).

So, the so-called ambulance chasing bit*:

First, yes, it is true, retailers have been targeted this time around, but it was only a short while ago (Christmas ’23) that we did several incident response jobs within manufacturing, incidentally all in the same area of the country. Point being, is your sector next?

Where can we help?

Well, various areas:

  • Tabletop exercises – test your processes, we’ll simulate a breach and ensure that your policies & processes work!
  • Incident Response retainers – if you get hit – who are you gonna call? Us.
  • Compromise Assessments – understand whether you have undetonated malware within your environment.
  • Regular Penetration Testing – we will perform regular assessments to highlight exploitable vulnerabilities and provide detailed remediation advice.
  • Leaked Credentials: “threat actors don’t hack in, they log in” – how are you monitoring for leaked creds?
  • Social Engineering: vishing, phishing and even physical, onsite attacks.
  • Security Awareness Training. Does what it says on the tin.


Nobody is immune to attacks, but everybody can mitigate their risk and have processes in place to respond more robustly in these tough times.

As an aside, our sales team hear a lot of “we’ve got cyber insurance” – rightio, good luck with that. Insurers are not exactly known for willingly paying out on claims, are they? And even if they do, how many customers/clients have you lost? How’s your reputation holding up? What’s next for your company?
