Getting SOCs for Christmas: Poundland’s cybersecurity journey and lessons learned
The value retailer’s IT security officer talks to Ann-Marie Corvin about the challenges his relatively small team faces over the Christmas season and the year ahead, as well as lessons learned from a phishing incident that impacted one of the group’s European branches
December 18, 2024
It’s one of the busiest times of year for Jeremy McCourt, the IT security officer at UK value retailer Poundland. But it will all be OK because he just learned he’s getting SOCs for Christmas.
We must add that it is not the bargain variety you might find on the discount store’s own shelves, or the branded variety that cyber security vendors dispense at trade shows — although he does admit to liking these — but an external Security Operations Centre that can monitor and respond to security incidents around the clock.
“I’m finally getting my SOC! It was approved last week, so I’m happy to be getting a team for 24/7 coverage from a firm already very knowledgeable about our environment,” he says.
McCourt adds that having “eyes on the glass” 24/7 all year round will ensure that alerts are promptly addressed overnight and that triage is handled.
“It’s about having that staff augmentation and those extra capabilities and 24/7 coverage that I’m excited about. Especially leading up to Christmas when staff are off for a period. I want to take time off, too.”
For McCourt, the SOC means he might also have time to reflect on what has been an eventful year for his organisation.
Parent company Pepco acquired rival retailer Poundshop last year and inherited an e-commerce platform, creating new security challenges.
Jeremy McCourt, IT security officer, Poundland
Last month, the retailer also introduced an online web and mobile loyalty programme, Poundland Perks, which has given the team additional GDPR, data protection, and data security issues to manage.
“These developments mean that we have taken a new step in terms of what we’ve had to manage and maintain, and it’s really putting the focus on the digital side of our business,” he says.
“It’s made us look at where we have visibility from in terms of a basic GDPR perspective and whether we have the processes and procedures in place to accommodate these protections.
“It’s also introduced a lot of new challenges not only from a capability perspective but from a capacity perspective,” he adds.
Structure
Given the organisation’s size, McCourt says he manages a relatively small security team. The London-based Pepco Group encompasses 850 Poundland stores in the UK, along with Dealz stores in Ireland and Poland.
The Pepco brand also has 4,500 value stores in 20+ European countries. Another part of the business is China-based PGS, which helps with supply chain management and product acquisition.
“My role is specifically at Poundland and Dealz, and I have counterparts that work independently at Pepco and PGS. We all help support our parent company,” McCourt explains.
“Compared to other categories of business, we have a relatively small IT team for what we manage and maintain. So really, it’s a prioritisation of products and projects as well as ensuring that we dedicate time to increase the resiliency of our internal processes,” he says.
“It all boils down to that security triad of ‘confidentiality, integrity and availability’ into the digital estate,” he adds.
Hungarian phishing attack
According to McCourt, cyber awareness training has always been central to Poundland’s security posture — even before Pepco disclosed that a phishing attack earlier this year caused one of its European branches to lose €15.5 million (roughly $16.8 million).
Initial reports suggested it was a BEC (Business Email Compromise) attack, while others claim it was a sophisticated phishing attack, in which scammers impersonated trusted entities to trick people into revealing sensitive information.
Because the incident is still being investigated by the Hungarian police, Interpol, and other law enforcement agencies, McCourt says he can’t provide details.
“I can’t comment on what happened, but I can say what it wasn’t; it wasn’t a BEC attack. But ultimately, there were elements of phishing and communication through nonstandard company protocols, which resulted in quite a loss overall,” he says.
Poundland’s store managers will also receive cyber awareness training
In terms of lessons learned, McCourt says the group has added more processes and procedures around how transactions occur.
The key message he wants to convey to staff is that if something doesn’t feel right, they should try and verify it “because, in this case, as well as the issues caused by the attackers, there was also some breakdown in the process,” he adds.
Verification may even involve picking up one of those old-fashioned devices called ‘telephones’ and checking with a line manager or CFO before making large or unusual transactions.
Poundland has been working with KnowBe4, a security awareness training platform that increases awareness through regular security exercises, for about a year.
Initially, McCourt used the platform for small-scale phishing exercises, but it recently expanded to 1,600 users.
The intention now, he adds, is to roll these regular training exercises out at a group level and add the training to its physical retail store environment, bringing the total number of Pepco users to 10,000.
According to Javvad Malik, KnowBe4’s lead security awareness advocate, most exercises can be reduced to empowering staff to say no to something and ensuring they verify requests.
“That is probably your biggest defence. And if the phone isn’t the norm, it should be the norm.
“Or, some other process needs to be put in place because while it’s true that AI and deepfakes are on the rise, ultimately, they still target human emotion and trigger someone into doing something within a short time while trying to establish some authority.”
Thinking fast, thinking slow
Malik says that nearly every work-based social engineering attack has three core components. The first is the attacker asserting an authoritative identity. “They will either try to claim to be your boss, a partner, or someone important.”
Then, he says, there is ‘the ask’: “This is often strange or not business as usual, like ‘we’ve just swapped banks’ or something that is not a regular occurrence.”
The third aspect is time pressure: “The tone usually is ‘I’m the CEO, and we need to make this payment to a new partner, and we need this to happen within the next two hours, or we’re going to lose the deal.’”
Javvad Malik, Security Advocate, KnowBe4
Malik says the only way to avoid falling for such scams — whether it’s an apparent physical likeness of a CEO on a video conference call or an urgent email sent from an official-looking address — is “to slow down, take a deep breath, and reevaluate.”
The security expert cites Thinking, Fast and Slow, a book by Nobel Prize-winning psychologist Daniel Kahneman, which categorises thinking and decision-making into two systems.
“System 1 is your reactive brain, which is saying, ‘I’m pressured, I’m angry, I’m depressed, so I must react quickly,’ and that’s where most mistakes happen,” Malik explains.
System 2 results from slower, more rational thinking, which tends to occur when one takes a step back or consults with someone else.
“So, when you get an email or a video call asking for something unusual, take a moment, or better still, pass it on to someone else to have another pair of eyes on it. Or validate it, and your perspective becomes much more rational,” says Malik.
“For instance, if you get a letter through the door from HMRC informing you that you owe tax and need to pay immediately, your heart rate will immediately start to increase.
“But if your neighbour comes around and takes a look, they will be much calmer and can say, ‘Oh, look, this is a scam because of this, this, and this.’ It’s easier if you have someone else to bounce off.”
According to McCourt, Poundland is sending out phishing simulations once every few weeks.
“Sometimes the response is ‘You almost caught me with that one!’ but that’s not what this exercise is about. It’s about understanding the red flags and knowing what to do with them,” he says.
“The chances are the scam is going to more than one staff member, so if they know how to use that phishing alert button or to report it to IT Security, then that puts us in a good position to get those alarm bells going,” he adds.
When asked if Poundland has become a target since a store within its group fell prey to an attack, McCourt said: “We’ve had a couple of similar attacks that we could identify rather quickly, which all had the same M.O.
“We identified them very quickly and nipped them in the bud.”
Regarding other preventive measures Poundland takes, McCourt adds that the company continues to use technologies that identify malicious emails using Microsoft and other third-party tools.
Brands sharing cyber threat info would be the greatest Christmas gift, Poundland security leader says
Both Poundland and KnowBe4 (which itself was almost infiltrated by a fake employee/North Korean hacker earlier this year) have been publicly open about the security incidents they have experienced.
Do they think there needs to be more openness and information exchange about such attacks between companies rather than a secretive approach that might stem from concerns over reputational damage or loss of consumer or client trust?
McCourt says it would make his Christmas if firms shared a little more. “I think it’s important, especially for those CIOs and CFOs who do horizon scanning. It’s those individuals who start asking questions that I get involved with and start to answer.
“If there were more details in those reports that said, ‘These were the failings, and this is where people need to enhance their security footprint’, I’d be up for that.
“We all want to learn from each other. I don’t care if I’m talking to B&M or my other competitors because it’s all about keeping people safe. As soon as we lose trust in people, the threat field becomes more valuable for other criminals to get involved.”