Author: Anthony Michael
In mid-2019 TLM was called in to work for an SMB (Small/Medium Business) that was in serious trouble for failing to comply with several commercial, legal, and statutory requirements. Specifically, their bank was putting pressure on them for failing to meet their agreed-upon PCI DSS obligations. This failure to comply came very close to costing the business up to $100,000 AUD in fines per month until compliance was met. In this case study we will look at how this company fell into the position they found themselves in, the Compliance Assessment and Risk Management work that TLM provided, and the lessons learned from the experience.
This article is the first of a four-part case study on this business. To find out more about the Board Strategy, Solution Management, and Labour Hire and Management parts of this story, click on the links provided.
First, let's look at how this SMB found themselves in this position. The Payment Card Industry Data Security Standard (PCI DSS) was launched in 2007 as a way to manage the ongoing and evolving security concerns of the Payment Card Industry, and is managed by the Payment Card Industry Security Standards Council – an independent body created by the major payment card brands (Visa, Mastercard, American Express, etc.).
When you sign up – no matter the size of your organisation – to accept payment via card or e-commerce you become obliged to adhere to the PCI DSS. You are sorted into a Merchant Level depending on the volume of your transactions, how you accept those transactions, how you transmit the card data, and what card data you store in your system. From there you are assigned a specific level of requirements for your business to adhere to.
The key problem in this SMB was a lack of awareness of this information. Being a family-run business that had grown fairly rapidly in the last few years, they suddenly found themselves subject to a large number of requirements that they were obliged by commercial contract to fulfil, and of which they were completely unaware. Unfortunately, ignorance of the law is not a justifiable excuse for not following it. So following a major data breach combined with a ransomware attack using WannaCry (a ransom that the company was forced to pay in order to retrieve their data), the business’ Payment Card Provider took serious notice of this SMB's lack of compliance.
As well as this, the Office of the Australian Information Commissioner was made aware that this SMB was not operating in accordance with the Australian Privacy Act (1998) and the Notifiable Data Breach Scheme (2018). The upshot of all of this was that the SMB was wide open to legal prosecution from the Australian Government, enormous commercial fines from their Payment Card Provider, and a possible termination of their ability to use the Payment Services offered by that provider, which would have halted their operations entirely.
All of this culminated in the bank sending a letter that gave a 6-month window in which to rectify their business and provide a signed Attestation of Compliance, or face the above repercussions.
Unfortunately, this letter was received by a member of the company who did not understand the request being made, and it was left ignored for months, until the bank's third-party assessors contacted the Director of the company months later. While they also did not quite grasp the severity of the situation, they were referred to TLM and we were engaged to help solve their issue.
This left us with only 6 weeks to bring them up to standard, rather than the full 6 months they would have had if they had taken notice of the bank’s letter right away.
Next, let's talk about the Compliance Assessment and Risk Management work that TLM provided.
The first step in this process was to understand the “As-Is” setup of the SMB in order to establish where they currently stood. To do this we looked at the 3 pillars of Cyber Security: their People, Process, and Technology.
Unfortunately, this was made more difficult by the fact that there was no pre-existing documentation for any of the requirements.
So TLM set off to do a full-scale audit of their business.
We had one of our employees interview each of the 50 staff members to understand their role in the company, when they interacted with company technology, whether any hard-copy records existed and how they were stored, what information they had access to, and what process they followed when accessing it. The end result of this procedure was a series of flow charts that outlined the End To End flow of their business, showing which areas of the company were most vulnerable and where payment card data and personal information could be seen, inserted, or extracted.
Next, we had our IT expert perform an audit of the corporation's network environment. This involved walking through each of the three buildings and cataloguing every single piece of hardware used in the organisation – taking photos, noting serial numbers, getting model numbers, locations, and the names of the employees that used those machines. This gave us a Hardware register.
Then they performed the software audit. This involved scanning each piece of hardware to look at what software was installed, inspecting the source code used for servers and other critical technologies, checking how passwords were set up, what firewalls were installed, what third party services were being used in the network, inspecting their purchase records to make sure no technology was missed, and performing Vulnerability Scans on each of the business’ external facing IP addresses. This gave us a software register, a view of digital security, and a Network Diagram.
By overlaying the Network Diagram with the End To End process flow we were able to build a data flow diagram that accurately showed the company’s biggest vulnerabilities, where their data was being kept and accessed from, their processes around that access, and what needed to change in order to meet compliance standards.
Using all of this information we put together a Risk Matrix to outline the biggest risks. We assessed the impact those risks would have were they to happen, the probability of them happening, and some options to either Avoid, Transfer, Mitigate, or Accept those risks. Many of those options were very low-cost changes to Process and Procedure, rather than expensive technology-based solutions to achieve the same effect. We then presented these to the company director so that they could make an informed decision about their Cyber Security Strategy going forward.
Then we took a look at the Merchant Level they had been assigned and which level of requirements they were being measured against. Because of the recent data breach, the bank had been a little overcautious and placed them in the highest possible category of merchant. After we had assessed their People, Process, and Technology we were able to make contact with the bank and argue a case for a significantly lower level of requirements, making the amount of work that needed to be carried out in the provided 6 weeks a far more manageable prospect. We were also able to have an extension granted on the basis that we could prove significant steps were being taken to rectify the SMB’s issues.
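As an added illustration of the overlay-then-score step described above (example code written for this article, not TLM's own tooling), the small Python risk register below takes asset entries as they might appear in the hardware/software register, uses the process-flow finding of whether each asset handles card data to decide PCI DSS scope, scores each risk on a 5x5 likelihood-by-impact matrix, and maps the score to one of the four treatment options. All asset names, risk rules and thresholds are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    software: str             # from the software register
    handles_card_data: bool   # from the interview-derived end-to-end process flow
    internet_facing: bool     # from the external vulnerability scan scope
    patched: bool             # from the software audit

@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def treatment(score: int) -> str:
    """Map a 5x5 matrix score to a treatment option (thresholds are constructed)."""
    if score >= 15: return "Avoid"     # remove card data from the asset entirely
    if score >= 8:  return "Mitigate"  # cheap process/procedure change first
    if score >= 4:  return "Transfer"  # e.g. push card handling to the provider
    return "Accept"

def build_register(assets):
    """Overlay the registers with the process flow to derive the risk register."""
    risks = []
    for a in assets:
        if not a.handles_card_data:
            continue                      # out of PCI DSS scope for card data
        if not a.patched:
            risks.append(Risk(a.name, "unpatched host handles card data", 4, 5))
        if a.internet_facing:
            risks.append(Risk(a.name, "card data on internet-facing host", 3, 5))
        if "spreadsheet" in a.software.lower():
            risks.append(Risk(a.name, "card data stored in spreadsheet", 3, 4))
    return sorted(risks, key=lambda r: r.score, reverse=True)

# Constructed sample input standing in for the hardware/software registers
ASSETS = [
    Asset("POS-01", "POS app", True, False, True),
    Asset("FRONTDESK-PC", "Excel spreadsheet", True, False, False),
    Asset("WEB-01", "Web shop", True, True, True),
    Asset("DESIGN-PC", "CAD suite", False, False, False),
]

if __name__ == "__main__":
    for r in build_register(ASSETS):
        print(f"{r.asset:13} {r.description:34} {r.score:2} -> {treatment(r.score)}")
```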
This concludes the Risk Management and Compliance Assessment portion of our work. Please click through to see Part 2 - Board Strategy.
Next, let's take a quick look at some of the lessons learned from this situation: