Taiwan’s leading retail brand protects hundreds of users across 70 nationwide stores with CyberArk

Summary

As a leading retail business in Taiwan, Heng Leong Hang is a bigger target than many other businesses because it has hundreds of staff in remote locations throughout the country. These employees are often unaware of the growing risk of identity theft. As part of its strategy to strengthen security, the company selected the CyberArk Identity Security Platform to provide the most comprehensive intelligent privilege controls available, and significantly reduce the risk of compromised identities.

Company profile

Founded in 1960, Heng Leong Hang is a retail and wholesale distribution business in Taipei, Taiwan, with three distribution centers. It provides a range of products from traditional cameras and peripherals, batteries to modern small home appliances and housewares, to many well-known online retail e-commerce companies in Taiwan. Key brands include Dyson, Braun, Honeywell, Lexon and Panasonic. Complementing its B2B operations, the company also has an official direct e-commerce company.

Employees:  600

Challenges

Retail businesses are some of the most targeted by cyber-attacks. Heng Leong Hang, one of the oldest and best-known retail brands in Taiwan, is no exception. Faced with hundreds of employees in 70 stores across the country and a high staff turnover ratio, the threat of a breach and impact on customers, staff and business operations was significant. One of the weakest points was the staff’s susceptibility to phishing and identity theft. “My biggest difficulty is that people are the biggest variable,” explained Timo Lu, Head of Information Technology at Heng Leong Hang. “If I want to solve the problem of information security, I must first solve the issue of people and privileges, and that is all about identity security.”

Protecting identities is one of the most important facets of building a robust and effective cybersecurity strategy. The business had suffered several major cyber-attacks in the past and it wanted to do everything possible to prevent it from happening again. However, it was proving difficult to lock down personnel control and privilege identity management, in addition to patching and protecting vulnerabilities. Management did not have a clear view of the privileged accounts that were not effectively controlled and the corresponding password management that needed to be strengthened.

Another challenge is that the company was undergoing a major digital transformation. Alongside its traditional on-premises IT infrastructure, the company needed to consider its comprehensive information security framework which integrated various business services such as websites, e-commerce services, and cloud platforms such as AWS cloud resource environments. The core systems that Heng Leong Hang relies on include data collection and analysis platforms, sales and customer information, and extends to important ERP systems. As well as strengthening the protection of the company’s overall systems and operations, protecting ERP and customer data was critical.

To reduce cyber risk and secure Heng Leong Hang’s digital transformation, the company has embarked on a major overhaul of its IT network, security, and systems. This involved restructuring the company’s network architecture and putting in place several security layers. The company selected Timo Lu, Head of Information Technology at Heng Leong Hang Co, to give themselves a unique competitive advantage and drive this strategic initiative.  Timo has vast experience delivering the best IT solutions to customers as a CyberArk certified professional and a member of Taiwan’s 4A creative award team.

The next phase of the cybersecurity strategy was addressing identity security. Heng Leong Hang conducted a detailed review of various solutions and decided to partner with CyberArk. “Selecting CyberArk was a clear choice for Heng Leong Hang,” said Timo. “Our big risk has always been phishing, and with the advent of generative AI we can only rely so much on cyber security training and protection mechanisms such as anti-spam and anti-phishing. Some phishing emails will still get through, and there’s a high chance when an email arrives to the inbox, employees would make a mistake. CyberArk provides a great multi-layered solution that defuses the attack and ensures identity security to help us protect vulnerable staff across our nation-wide business. CyberArk also supports the multiple platforms that exist in our IT environment, and it has great management features, enabling operational efficiencies.”

Timo joined Heng Leong Hang to help the business improve identity security. “My experience is in online gaming, third-party payment gateways, hybrid cloud architecture planning, migration, and maintenance, as well as regulatory ISO27001 and PCIDSS compliance solutions. Therefore, I have experience in information security planning and architecture design. I used my experience to introduce pragmatic practical control capabilities to our security measures,” shared Timo. “In the information security management space we face many of the same challenges across different industries and fields, so I was able to bring that experience and security awareness and strength to the retail field. We work with the end user, protect sales channels and related B2B and B2C connections, and I want to give the same level of protection and technology as more technical industries.”

Solutions

Heng Leong Hang has implemented multiple capabilities of the CyberArk Identity Security Platform comprising CyberArk Privileged Access Manager Self-Hosted (PAM), CyberArk Endpoint Privilege Manager (EPM) and CyberArk Adaptive Multifactor Authentication (MFA). The platform is used by the company’s entire workforce, including developers, extended IT and third-party vendors. The CyberArk Adaptive MFA solution alone safeguards the access of multiple privileged account staff, almost a thousand workstation endpoints and hundreds of users across the workforce.

CyberArk has also been used to remove excessive local admin rights, enforce role-specific least privilege and limit uncontrolled user access to applications. Core business systems and database servers are now monitored and secured, actions and events are logged and privileged access by the IT department managed effectively. Heng Leong Hang also uses CyberArk to support compliance requirements and objectives. The solution automatically logs activities such as when employees request and use privileged access. The company uses this to provide a historical record of actions and incidents which is needed for auditing and compliance. CyberArk has further improved endpoint security because it stops users from downloading and installing unauthorized software onto their local devices.

Heng Leong Hang is planning to expand its use of CyberArk MFA and include CyberArk Single Sign-On (SSO) to achieve password-less access. “CyberArk MFA combined with CyberArk SSO will allow us to enable passwordless access for our workforce. By eliminating the need to remember and enter passwords, we’ll improve the user experience, reduced the risk of credential theft, and simplified the management of identity and access.” said Timo.

Results

The CyberArk platform has enabled Heng Leong Hang to centralize identity and access management, endpoint privilege security, and privileged access management controls into one single source solution, easing the administration of its policies and compliance requirements.

“CyberArk has exceeded my expectations by significantly reducing the cyber risks associated with identity theft. Originally, I wanted to improve and secure password management and control. But now CyberArk takes our security to another level. It protects our endpoints and personal computers joining our domain, it improves legislative compliance, and it supports mixed cloud environments – all while improving staff productivity. Of all the security products we have at Heng Leong Hang, CyberArk is the most crucial and the one that has the most immediate impact.”

– Timo Lu, Head of Information Technology, Heng Leong Hang

As part of its security strategy and requirement to meet specific privileged access regulations, Heng Leong Hang has implemented several standards such as ISO 27001 and ISO 27701. “The compliance capabilities of the CyberArk Identity Security Platform are great, and CyberArk is continuously evolving its regulatory features,” acknowledged Timo. “Some other companies in the industry use tools like Okta or One Identity, but CyberArk’s solutions are designed with a security-first mindset and unified within an identity security platform that provides defense-in-depth protection, secures workstations and servers, implements least privilege and integrates very well with on-premises and cloud environments – all of which was critical for us. It combines single sign-on, MFA, browser security, application and privilege control and it includes record of activity, so it is really thorough and comprehensive.”

Timo sees protecting identity as the key to improving security. “Implementing a comprehensive identity security strategy has allowed us to reduce the cyber risk significantly,” he explained. “A lot of the danger we face comes from phishing. But with a good spam mail service and CyberArk Endpoint Privilege Manager in place, it is not a problem when a user clicks on a phishing email because there is no chance to run a virus or ransomware. It further reduces the risk because it hardens the operating system and secures the browser, and does not let anyone easily steal cookies, credentials, security tokens, account and password information. In fact, with CyberArk EPM, we have almost completely solved the risk of viruses and ransomware coming in from the endpoints. And all of this is against the backdrop of reduced number of IT tickets since we’ve implemented auto-elevation policies with EPM – it saves a lot of time both to our IT administrators since they don’t have to walk to the machines or login remotely, and to our employees since they don’t have to type in passwords to run a program with elevated privileges. This certainly created a lot of operational efficiencies throughout the organization.”

On top of specific protection, CyberArk plays a key role in brand and reputation management. “Heng Leong Hang uses CyberArk to implement least privilege across our entire hybrid infrastructure, making it stronger, and extending intelligent privilege controls to the cloud. Consequently, the overall risk is drastically reduced,” said Timo. “By minimizing security incidents and personal information leakage, the value we bring to customers is reflected in confidence for our brand. This is a major benefit for our customers and business.”

Another main advantage of partnering with CyberArk is reducing the time and effort required by IT staff to manage security and process privileges and access. Many operations that used to be manual are now automated by CyberArk capabilities. When Timo compared CyberArk to alternative solutions, he found it to be a much stronger option, because – in addition to reducing risk – it saves time and reduces manpower needed.

“The value of CyberArk comes from knowing that our people, data and systems are protected,” divulged Timo. “And there is another value rationale: cost. In the past, we either would have to engage a lot of IT personnel to solve the security problem or have a large internal security team. But when I am solving those problems with CyberArk, my IT team can focus on more high-priority activities. The overall value of using CyberArk is that our information security is stronger, and our investment in manpower is reduced.”

As the retail industry transforms, Heng Leong Hang leads in innovation for the good of its customers. And as an increasingly digital and cloud-based enterprise, the company must apply that innovative mindset to how it secures identities against attacks. “Through its platform, products and people, CyberArk has proven to us they are the partner who enables us to achieve our vision for comprehensive identity security,” said Timo. “CyberArk sees our vast range of identities, endpoints and forms of access, and they understand the links between all of these variables – providing controls that ensure each identity has only the right amount of access to do its job effectively and efficiently.

Key benefits

• Secures the entire workforce, including developers and extended IT, as well as third-party vendors and customers
• Secures workstations and servers from malware, including ransomware
• Improves identity protection and privileged access
• Protects hundreds of users across 70 store locations
• Makes it easier to manage and meet compliance regulations
• Automates many previously manual processes
• Frees up staff to focus on more value-added work