How Lush could have protected its till system

In November, Lush – the high-street store known for its fragrant, eco-friendly beauty products – temporarily lost the ability to take card transactions after a member of the IT team “deleted the till system by accident”.

As a result, Lush stores across the country could only take cash payments until the till system was restored.

Announced via Twitter, the story fizzed and quickly dissolved – much like one of the company’s bath bombs. However, although it has not been confirmed, it’s highly likely that Lush’s takings were hit hard by its inability to process card payments.

The value of an effective ISMS

Lush could have avoided this predicament by implementing an ISMS (information security management system) aligned to ISO 27001, the international standard for information security. The systematic approach of an ISMS aligns processes, technology and people, enabling an organisation to manage all of its information through effective risk management.

Considering Lush, the following ISO 27001 controls are of direct relevance:

  • Segregation of duties
    Control 6.1.2 of the Standard states that “segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organisation’s assets”. In Lush’s case, segregating duties would have meant that an individual couldn’t delete the till system.
  • Risk assessments
    Control 6.1.2 recommends that organisations carry out risk assessments to identify potential vulnerabilities. Lush should have:

    • Identified the information security risks associated with loss of availability;
    • Assessed the potential consequences if the risk identified were to materialise;
    • Assessed the realistic likelihood of the risk occurring; and
    • Determined if this was within its risk assessment criteria.

Alternatively, Lush could have put controls in place to reduce the risk, such as a two-step process for deletion, or limited the ability to delete via management of privileged access rights (control A.9.2.3).

  • Business continuity management
    Although Lush’s till system was restored, there was further downtime the following day. This suggests that the company hadn’t effectively tested its business continuity processes. Control A.17.1.3 defines business continuity management: “The organisation shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.”

Reduce your risks

ISO 27001 is the internationally recognised standard that provides the specification for a best-practice information security management system, and the approach can be applied to any organisation, regardless of size or type.

Our website offers a host of information and free resources, including our popular webinar Five steps to a successful ISO 27001 risk assessment, which will help you understand how to effectively apply the Standard in your organisation.

For more information, or advice specific to your organisation, email our team. They’re always happy to help.