Frasers Group heads off Log4j and streamlines acquisitions with endpoint security
Tooling from Tanium is protecting the firm form zero day vulnerabilities and is now key to Frasers’ IT due diligence
The use of a new endpoint security tool Tanium has allowed major British retailer Frasers Group to gain better visibility and control of both its own IT environment, and those of the brands it regularly acquires.
The software has also been estimated to have reduced overall vulnerabilities by 36%.
It also proved particularly useful over the important Christmas 2021 trading season, as it was employed in identifying and helping to quickly resolve Log4j vulnerabilities.
Log4j affected several players in Frasers’ market, including e-commerce giant Alibaba.
Frasers also believes it has decreased the overall time required to scan its constantly-expanding entire IT estate - which now totals around 15,000 devices - by two hours.
Frasers is a £3.6bn ($4.4bn) UK-headquartered retail, sportswear, and intellectual property group, which markets brick-and-mortar and online operations through a number of brands such as Sports Direct, Jack Wills, USC, House of Fraser, and No Fear. It currently employs 25,000 people in 25 countries.
That spread of famous trading names indicates just how important to its growth strategy well-planned M&A (mergers and acquisitions) activity is to the Group’s commercial operations.
The company’s group head of information security, Matthew Wilmot said:
Some M&A activities do happen quite quickly, especially when organizations are rolling into bankruptcy. That means we can end up with a lot of older IT assets and in the past, we've not known where and what all those were.
But since December, this tool is part of all our M&A due diligence, like for when we bought Studio Retail and Missguided. Now, it really supports us in knowing what we've bought, and then supports us on that journey to make sure any known vulnerabilities are removed as soon as possible.
Wilmot now requires all newly acquired Frasers Group companies to install the product on all its devices as part of the onboarding process.
Pre this adoption of centralized endpoint management like this, Wilmot believes he only had visibility of about 75% of all devices across the Group.
Mergers and acquisitions become much easier from an IT and security viewpoint, he said, as knowing exactly what you need to support makes key decisions about whether to adopt the processes and practices of an acquired organization, or instead mandate the main organization, which can be a tricky process otherwise.
Endpoint management and cybersecurity specialist called Tanium claims to offer a one-console unified approach to endpoint IT, compliance, security, and risk management.
Wilmot had become familiar with the software in a pre-Frasers role at PwC, so when Log4j was identified as a potential threat, he decided to investigate its potential. He said:
We had some tooling across the environment, and it wasn't really fit for purpose in terms of establishing and discovering where the vulnerabilities were. I didn’t want to be blind to this zero day vulnerability, especially on any third party devices.
This really supported us at a possibly troublesome period, as it allowed us to talk to third parties and tell them where to patch and support accurately.
Security by design
The new tool was initially tested with 250 stores and the online business of the Group’s gaming division late in 2021, before a further rollout to 200 more stories once it had proven it could deliver on this promise, he said.
Just buying product is not all Frasers is doing in terms of cybersecurity, however.
Wilmot - who has extensive experience in management consulting in the retail sector and financial services - was specifically hired to head up a new dedicated global security function for the Group immediately prior to the Log4j crisis.
Creating such a group was an innovation for this sector of the economy, which has traditionally been slow when it comes to significant IT investment. He said:
Retailers have predominantly been behind the curve here and playing catch up, and have been for probably the last 10, probably 15 years. I was recruited because the company realized it was just enough to put all security off the back of PCI payment card standard; that’s really just your baseline of what security should be in a retail business, and we want to do much more than that.
Since onboarding, Wilmot has grown the new security function to a team of 12.
These specialist work as business architects and advisors across the Group’s businesses to ensure security by design was considered as a core value for each Frasers project, he said.
In addition, Frasers has built out a 24/7 security operations center.
It’s also introduced information security risk and governance for both the business and the board—and since the start of 2022, has also started to help manage data protection, turning what has been just an information security-focused group into a combined data privacy department. He confirmed:
There are just certain things a FTSE 250 retailer should be doing from a security perspective but hasn't done in the past.
You have to have some form of strategy and roadmap in order to push these capabilities out, which I think we have got now.
To bed those capabilities in, he said, the constant message to the business is that information security is everyone's responsibility and what they should be doing as individuals to support the Group. Wilmot added:
We've grown through acquisition, and we're going to continue to grow through acquisition, so the education of our frontline people in the stores and who deal with customers on a regular basis are the ones which we need to really focus our attention on and make sure they're fully au fait with Frasers’ new baseline security requirements.
Given the new responsibility of his team, Wilmot said that next steps for tech under his remit will be data loss prevention.
This work will involve both endpoint security but also use of Microsoft technologies. He said:
At the moment, all we're doing is detecting data and telling the user that we found some information which we deem as personally identifiable information, but we're moving to establish what people are storing locally, then just removing that automatically in the 30 day window after notifying them.
Other new technologies, like AI and machine learning, will soon round out the security and privacy picture at Frasers. He concluded:
I want to build a secure digital ecosystem where I'm using technologies that work well together, that have linkage, but also there's a single pane of glass to manage it all to get to my ultimate aim of knowing where all of my issues might be.