
The Security Detail Download: Cyber Threats to the Retail and Hospitality Sector

Retail and hospitality companies face widespread cyber threats that put consumers’ personal data at risk. Suzie Squier, president of the Retail & Hospitality ISAC, joins the podcast to discuss how a community-driven approach to information sharing can safeguard against cyberattacks.


The Security Detail is a podcast series facilitated and hosted by SURGe, Splunk’s strategic security research team. 

Every other week, co-hosts Audra Streetman and Kirsty Paine interview security experts about the cyber threat landscape across various industries.

Note: This is an auto-generated transcript, which may contain errors. 

Suzie Squier: It's a little bit interesting because I actually formed the ISAC, which was then known as the Retail Cyber Intelligence Sharing Center, back in 2014. I worked with the Trade Association after the retail industry experienced some large incidents that year. And we felt that we needed to build something not just for the Trade Association, but for the sector overall. And I had worked with the CIO council that we had, and so I was kind of charged with putting this together. So, built it and left in like 2000, maybe early 16, once we put the board together, we had hired somebody, then we were letting it go on its own. And then in 2000, probably toward the end of 16, early 17, the board just asked me if I'd come back and run it, and I went to talk to my current boss and she said, yes, you should have run it all along. So that's how I came back to being a part of the R-CISC at the time. And then in 2019, we changed our name to Retail and Hospitality ISAC to better reflect our membership.


Audra Streetman: And, in retail and hospitality, that's a pretty broad sector, right? What types of companies are encompassed within the RH-ISAC?


Suzie Squier: Yeah, and it's even broader than our name entails, because we have travel, you know, we have folks like, you know, TripAdvisor, Bookings.com, we have CBG companies, we've got some great, well-known brands that are members of ours, who obviously are suppliers to the retail industry, but also have a lot of e-commerce on their own. And then within just retail and hospitality, we have food, we have food retailers, we have restaurants, mostly what we call quick service restaurants. And then we also have gaming casinos as part of, like, in the hospitality world. So it does encompass a lot. And at the time, retail and hospitality did encompass the majority of who we had. And now we've just kind of grown and expanded to really any consumer-facing company.


Audra Streetman: How do RH-ISAC members contribute to threat information sharing? What services are available to them in the ISAC?


Suzie Squier: The major thing that we do is our member companies share the threats that they're seeing, the indicators of compromise, the TTPs that they see, with the community. And then we have a MISP instance that we use, and we have a Splunk TruSTAR instance that we use, and that's where our indicators go. And then members can ingest those and put them into their environment and then block what, you know, others have seen and reported. And then others also report back on top of that, you know, like, okay, we've seen this, and add some more information and intelligence to it. But we also have, you know, special groups, like ATO is huge in our area. So we have people who share specifically on account takeover information. And other types of fraud are also just obviously very large in this sector. So we have fraud indicators, and we're just starting up a fraud group and really figuring out what is the difference in the information regarding fraud that needs to be shared. And then we have working groups. So we have, you know, from, you know, dark web working groups to, like I was talking about, small teams or identity and access management, where we have tool-based, we have a Splunk users group. And then other member companies can ask questions. And it's just really to help everybody on their journey. And we always say, you may not be able to make their implementations as smooth as silk, but at least you can help them avoid a couple of pitfalls that you ran into. And then last of all, we have instant messaging that members can just get quick, easy responses to questions. And that's just a game changer for a lot of our member companies, especially the small ones. You know, they get the rewards of these mature companies providing insight and help and guidance on what they do.


Audra Streetman: So, RH-ISAC released a 2022 CISO benchmark report with a lot of really interesting findings. Phishing and credential harvesting were named as the two top threats within the industry. Does that align with what you’re currently seeing?


Suzie Squier: Yeah, they're always the top ones. It's just the nature of what everybody deals with as far as the phishing that goes on. And of course, with the member companies, the credential harvesting, I would say that we've seen a huge uptick in account takeovers recently. And with members with a lot of loyalty programs, it can be lucrative when someone gets access to that. So that's what a lot of the threat actors are looking for. So that I would say has risen a good deal.


Audra Streetman: The benchmark report also cited a 2022 phishing report from Zscaler, which found a 436% increase in phishing attacks targeting the retail and wholesale industries. There’s also a lot of talk right now about how generative AI could help adversaries create more sophisticated phishing emails. Is that a concern you’re hearing about as well?


Suzie Squier: Yeah, I just got back from a workshop in Barcelona. And we talked a bit about AI and this exact thing that you're mentioning. And they have already started to see that the phishing emails are, you know, better English, better grammar, a lot harder to detect in the line. So I think we're already starting to see the effects of AI and large machine learning and things like that, and how the risks that they can pose as well. I think the other thing is the voice AI that we don't really think a lot about, but with call centers. And as you know, with fake phone calls to, you know, this, hey, this is a CEO calling, I want you to make a deposit or a transfer or whatever the case may be. So that's another thing that our members are aware of. The other key threat to AI is probably just inadvertent, which we saw in a recent Samsung, is just inadvertently exposing your company's information. And I think a lot of it is just a lot of, you know, a lot of our members are putting guidelines, trying to put just this really education behind it. So when their employees do tend to use it, they are aware of what and what not to include in there. Many are not trying to just ban it outright because I know that that just doesn't work. So they're really trying to put some guardrails around it, and as with all that they do with security awareness, this is gonna be another key area where they're gonna have to keep educating their employees.


Audra Streetman: Are you also hearing conversations about how generative AI could be used from a network defense point of view?


Suzie Squier: Yeah, there definitely are opportunities. And I think that's what a lot of our members are seeing. I think a lot of it is how can you replace low-lying work, you know, that you can then take your staff and elevate the work that they're doing. So what are the opportunities there that you can use with it? And I think just like you're saying, how can you, you know, just increase your speed of production and things, but do it in a secure way? So there's still, there is opportunity. A lot of our members see the opportunity there for them and their business, but it really just comes with understanding, as we just said before, what the guardrails and what the risks are and how do you stay within those parameters.


Audra Streetman: So in terms of threats, we have phishing, we have credential harvesting, fraud, those are all near the top of the list. I also wanted to talk a bit about ransomware as well, because there's really no industry that's immune to the threat of ransomware. Have you noticed any trends in terms of the frequency of attacks or who’s being targeted?


Suzie Squier: I think that we're a lot more aware of who's been involved in it because of the kind of naming and shaming. So I think it just seems a lot more prevalent than maybe it was in the past because a lot of it was happening in the back. We didn't see it. Now, in many cases, you're already aware of it. So I wouldn't say that there's anything different that we see. It's just the basics, you know, and how to thwart it is the basics. It's just kind of like... you know, good security hygiene, you know, patching. It's just trying to kind of, you know, just do the basics and keep your defenses as strong as possible that way.


Audra Streetman: What is your stance or recommendation about reporting ransomware attacks to authorities, and also the decision on whether or not to pay the ransom?


Suzie Squier: Yeah, well, as you know, there's the SEC guidelines that are coming out for our publicly traded companies. So a lot of members are preparing for that. Of course we don't have the final word on what is considered and then how long. So there's a lot of conversations still going, but we do have a lot of conversations around that. We do have conversations, as I said, at the last workshop I just came from, about whether to pay or not pay. We don't get too much into that with our members. That's their culture and their decision. I think the majority of the decision is probably not to pay, but again, it really depends on how quickly you can get back up to business. And so what we really advocate, and this is leading practices coming from our members, is just to make sure that you are backing up and that you're doing tabletop exercises. Like you're practicing this, like you don't just do a backup and not practice if that backup really works and how quickly is it going to come back up. So I think it's really just focused on resilience, that if it does occur, like what is your resilience to countermand that.


Audra Streetman: Back to the RH-ISAC benchmark report - about two-thirds of respondents cited under-staffing as their top challenge to being effective in their job. I'm curious what you think can help these organizations when they're looking to hire, and when they're looking to build their teams. What are you hearing from different companies on how to approach that?


Suzie Squier: Yeah, through our, we have one more workshop, so we're finishing up our workshop series, and we always bring this up. And I have a meeting of our CISOs coming up later, and it's going to be a topic there too. And I think there are a lot of very innovative ways that members are trying to fill that gap. A lot of them, it doesn't start early, it's an investment, you know, it's how do you invest in your community. There's one company or a couple companies in Atlanta that are doing work with single moms and how to train them and provide them opportunities. A lot of work with internships and colleges nearby. So how do you get into that pipeline? A lot of work in diversity. You know, a lot of them are going to their huge retail hospitality pool of employees and seeing who's interested. And I think that one thing that I've noticed that members are doing is they're really trying to think outside the box, not only in what I was just talking about, but also in what do we really need? There's a lot of conversation in the industry. Do you need a college degree? Do you need this? Or do you need someone who's curious, who has the aptitude? And can you train them for that position? So a lot of members are looking at that. And then there's a great deal of effort in the industry for diversity, equity and inclusion. And a lot of that is how do you embrace, you know, neurodiverse employees, you know, to get them into the cyber world. So it's not easy. There's a lot of competition out there as we know. I'm not quite sure if the layoffs in the tech world are maybe helping. I haven't heard that it's really easing off. I think having a good strategy, a good culture is great as far as retention and keeping. And that's another thing. It's like, you gotta keep the ones you have there as well.


Audra Streetman: I'm also curious about your conversations with CISOs and other executives. You mentioned that you’ve attended some meetings with other CISOs. What topics are top of mind for them right now?


Suzie Squier: You know, before there was a lot on digital transformation, which a lot are still working on. And now a lot of it is securing hybrid cloud environments. A lot of people now have some on-prem and then some cloud, and multiple clouds. So there's a good conversation on what are some of the leading practices in that space. How do you prevent data loss is another topic of interest to our member companies and our CISOs. And then identity continues to be up there too, but then you still have vulnerability management and ransomware, the ones that continue to have questions on how folks are best handling it. I'd say obviously another large area of discussion is third-party risk, supply chain risk. We have a risk management working group, and that's really focusing on risk quantification. How do you use risk quantification to help you establish what your major risks are and what to focus on? And then also the third-party risk. How do you best handle and manage, as you can imagine, as many sectors do, the retail and hospitality has a huge number of suppliers. And how do you prioritize and manage those programs effectively with the teams that you have?


Audra Streetman: And my last question is for anyone who might be listening, who works in the retail and hospitality industry, who might be feeling overwhelmed with cybersecurity, with where to start, where to focus their energy. What’s your advice on where to begin?


Suzie Squier: Well, I think the major thing that I learned from our members, because I am not an information security practitioner, but what I learned from our members and what I hear them say is just focus on your crown jewels. Like figure out where your top assets are and work on solidifying your defenses around that. And then just kind of keep working your way out. And a lot of it is try to keep it, same thing we were talking about, don't go after the shiny object, just really stay focused, do the clean hygiene and the basics and a lot of blocking and tackling as much as possible. And then as you continue to mature and have more resources, you can obviously add layers of defense onto that, which I think is the key, to have that ultimately. But when you're starting, I think the big thing is you really have to know your business when you're in, especially if you're new to the business. But you bring up a good point when people are new, you know, with a lot of stress in the industry. And I think there was an article that came out recently about CISOs. And the thing I love about our community is that our CISOs jumped right on and said, look, this came out, you know, how this is a very stressful job we have. And, you know, one of, and it was one of our board members who said, look, we're here for you. If anybody's feeling the stress, you know, bring it up, let's talk about it. You can call me, you can call, and everybody kind of chimed in and said the same thing, which is a great thing about having a community like ours.

Episode six features an interview with Suzie Squier, president of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), a global community for consumer-facing companies to share cybersecurity intelligence and best practices. Prior to establishing the RH-ISAC, Squier was senior executive vice president of member services for the Retail Industry Leaders Association (RILA), and has spent her career working in non-profit membership organizations. 

Read the top takeaways from the interview, or download the full episode

1. Strengthening cybersecurity involves everyone 

Squier formed the RH-ISAC, then known as the Retail Cyber Intelligence Sharing Center, in 2014 to combat cybersecurity incidents in the retail industry through information sharing. Since its founding, the RH-ISAC has expanded to include a wide range of organizations within the retail and hospitality sector, including travel, restaurants and casinos. “Now, we’ve just kind of grown and expanded to really any consumer-facing company,” said Squier. 

2. When information is shared, everyone wins

RH-ISAC members contribute to threat information sharing by alerting the community to the threats, indicators of compromise and tactics, techniques and procedures (TTPs) they observe. The RH-ISAC provides platforms for members to exchange and ingest these indicators, allowing them to enhance their own defenses and collaborate on countering threats. Special groups focused on specific areas like fraud also facilitate targeted information sharing, while working groups focused on the dark web and identity and access management help every member strengthen their cybersecurity capabilities.

“That's just a game changer for a lot of our member companies, especially the small ones. You know, they get the rewards of these mature companies providing insight and help and guidance on what they do,” said Squier. 

3. Beware: Account takeovers are on the rise 

The interview highlighted some key cybersecurity challenges in the retail and hospitality industry, such as phishing attacks, credential harvesting and account takeover fraud.

“I would say that we've seen a huge uptick in account takeovers recently. And with members with a lot of loyalty programs, it can be lucrative when someone gets access to that. So that's what a lot of the threat actors are looking for,” Squier explained.

In addition, the use of generative AI to create more sophisticated phishing attacks is a growing concern for the industry. Squier noted that ransomware is also a prevalent threat and emphasized the importance of basic security hygiene, resilience and preparedness, including regular backups and tabletop exercises. 

Listen to the full interview to hear Squier’s thoughts on securing hybrid cloud environments, supply chain risks and what she thinks is top of mind for CISOs today. To learn more about The Security Detail podcast, visit thesecuritydetail.podbean.com.
