Heng Leong Hang puts identity protection center stage in its cybersecurity strategy.
Retail businesses are some of the most targeted by cyber-attacks. Heng Leong Hang, one of the oldest and best-known retail brands in Taiwan, is no exception. With hundreds of employees in 70 stores across the country and a high staff turnover ratio, the threat of a breach and its impact on customers, staff and business operations was significant. One of the weakest points was the staff’s susceptibility to phishing and identity theft.
“My biggest difficulty is that people are the biggest variable,” said Timo Lu, Head of Information Technology, Heng Leong Hang.
“If I want to solve the problem of information security, I must first solve the issue of people and privileges – and that is all about identity security.”
Protecting identities is one of the most important facets of building a robust and effective cybersecurity strategy. The business had suffered several major cyber-attacks in the past and wanted to do everything possible to prevent that from happening again. However, it was proving difficult to lock down personnel control and privileged identity management, in addition to patching and protecting against vulnerabilities. Management did not have a clear view of which privileged accounts were not effectively controlled, or of the corresponding password management that needed to be strengthened.
Another challenge was that the company was undergoing a major digital transformation. Alongside its traditional on-premises IT infrastructure, the company needed to consider its comprehensive information security framework, which integrated various business services such as websites, e-commerce services, and cloud platforms such as AWS cloud resource environments.
The core systems that Heng Leong Hang relies on include data collection and analysis platforms and sales and customer information, and extend to important ERP systems. As well as strengthening the protection of the company’s overall systems and operations, protecting ERP and customer data was critical.
Heng Leong Hang conducted a detailed review of various solutions and decided to partner with CyberArk.
“Selecting CyberArk was a clear choice for Heng Leong Hang,” said Lu.
“Our big risk has always been phishing, and with the advent of generative AI we can only rely so much on cyber security training and protection mechanisms such as anti-spam and anti-phishing. Some phishing emails will still get through, and there’s a high chance that when an email arrives in the inbox, employees will make a mistake. CyberArk provides a great multi-layered solution that defuses the attack and ensures identity security to help us protect vulnerable staff across our nation-wide business. CyberArk also supports the multiple platforms that exist in our IT environment, and it has great management features, enabling operational efficiencies.”
Heng Leong Hang has implemented multiple capabilities of the CyberArk Identity Security Platform comprising CyberArk Privileged Access Manager Self-Hosted (PAM), CyberArk Endpoint Privilege Manager (EPM) and CyberArk Adaptive Multifactor Authentication (MFA). The platform is used by the company’s entire workforce, including developers, extended IT and third-party vendors. The CyberArk Adaptive MFA solution alone safeguards the access of multiple privileged account staff, almost a thousand workstation endpoints and hundreds of users across the workforce.
CyberArk has also been used to remove excessive local admin rights, enforce role-specific least privilege and limit uncontrolled user access to applications. Core business systems and database servers are now monitored and secured, actions and events are logged, and privileged access by the IT department is managed effectively. Heng Leong Hang also uses CyberArk to support compliance requirements and objectives. The solution automatically logs activities such as when employees request and use privileged access. The company uses this to provide a historical record of actions and incidents, which is needed for auditing and compliance. CyberArk has further improved endpoint security because it stops users from downloading and installing unauthorized software onto their local devices.
Heng Leong Hang is planning to expand its use of CyberArk MFA and include CyberArk Single Sign-On (SSO) to achieve passwordless access. “CyberArk MFA combined with CyberArk SSO will allow us to enable passwordless access for our workforce. By eliminating the need to remember and enter passwords, we’ll improve the user experience, reduce the risk of credential theft and simplify the management of identity and access,” said Lu.
“CyberArk has exceeded my expectations by significantly reducing the cyber risks associated with identity theft. Originally, I wanted to improve and secure password management and control. But now CyberArk takes our security to another level. It protects our endpoints and personal computers joining our domain, it improves legislative compliance, and it supports mixed cloud environments – all while improving staff productivity. Of all the security products we have at Heng Leong Hang, CyberArk is the most crucial and the one that has the most immediate impact.”
As part of its security strategy and requirement to meet specific privileged access regulations, Heng Leong Hang has implemented several standards such as ISO 27001 and ISO 27701.
“The compliance capabilities of the CyberArk Identity Security Platform are great and CyberArk is continuously evolving its regulatory features,” said Timo.
“CyberArk’s solutions are designed with a security-first mindset and unified within an identity security platform that provides defense-in-depth protection, secures workstations and servers, implements least privilege and integrates very well with on-premises and cloud environments – all of which was critical for us. It combines single sign-on, MFA, browser security, application and privilege control and it includes a record of activity, so it is really thorough and comprehensive.”
Edward Hsieh, Regional Director of CyberArk in North Asia, said: “We are delighted to have the opportunity to assist Heng Leong Hang in successfully strengthening its overall cybersecurity architecture, thereby protecting its employees, customers and business operations. This not only enhances the trust of their employees and customers, but also provides the necessary security foundation for Heng Leong Hang in an increasingly digitalized cloud-based business environment.”