
5 Things Walmart Global Tech Does to Make Cybersecurity a Priority

This October is the 17th annual National Cybersecurity Awareness Month, a joint venture put together by CISA and the National Cyber Security Alliance. These two organizations have made this year’s theme, “Do Your Part. #BeCyberSmart.” With that in mind, the team at Walmart Global Tech wanted to demonstrate how we’re doing our part to help keep customer and employee information safe, whether it’s online or in-store.

The NCSA’s slogan is, “if you connect it, protect it,” and that’s exactly what we aim to do for our 265 million customers and members, and 2.2 million associates around the world. Here’s what we’re doing to #BeCyberSmart:

1. A cutting-edge bug bounty program

At their most benign, bugs can lead to bad user experiences and lost opportunities. At worst, they can be major vulnerabilities that expose sensitive data to bad actors. This makes it essential that all bugs be zapped, swatted, or squished quickly and efficiently. While Walmart has hundreds of skilled engineers and pen testers combing through its code for errors, a fresh set of eyes and an outsider perspective often proves invaluable. That’s why we, like all leading tech companies, offer standing bounties for anyone who successfully rounds up a bug and brings it to the attention of the cybersecurity team.

Walmart’s Bug Bounty program started in 2016 as a private, invite-only affair, but in 2018 it was opened up to white hats and bug bounty hunters everywhere. Our goal was to make things as frictionless as possible by putting our responsible disclosure form on a single, dedicated URL. Since its inception, the bug bounty program has made our entire platform safer, helped engineers develop internal tools to find and fix bugs faster, and even led to some prolific bounty hunters joining our Information Security team.

For more on the development and implementation of our bug bounty program, check out this talk led by members of Walmart’s Information Security team, including former professional bug hunter turned head of our Bug Bounty program Stanko Jankovic:

This session will introduce you to Walmart's Bug Bounty adventure - take the journey with us as we talk pain points and what areas we focused on maturing. Speake...

2. Furthering the technical education of our associates through LiveBetterU

We know that strengthening teams and improving organizations starts with investing in individuals. That’s why we launched LiveBetterU, our continuing education program designed for working adults. LiveBetterU allows active part-time and full-time associates to pursue a high school diploma, skilled trade diploma, professional certificate, or college degree for just $1 a day. This includes bachelor’s or associate degrees in fields such as cybersecurity, computer science and network security.

LiveBetterU not only allows Walmart to promote and grow the skills of the people who already understand the inner workings of our systems, it also allows our associates to pursue goals that were previously out of reach. Take Susan Graves, for example, a Walmart associate for 16 years (you might recognize her if you watched the video above). Susan started in our Field Services Helpdesk and now works as a Cybersecurity Risk Expert supporting the Bug Bounty program. She’s currently pursuing a degree in cybersecurity and had this to say about LiveBetterU:

“Juggling family, work, school, and taking care of my youngest along with helping my 2nd grader with virtual school every single day is challenging, but the reward of looking at all I have done after each term while still maintaining a 4.0 just makes it worth it all. I’m grateful but also proud that I work for a company that is investing in its associates.”

3. Making trust a goal, internally and externally

Whether the customer is online, in a store or shopping across channels, our goal is the same: to be the most trusted retailer in the world. To earn that trust, we know we have to go beyond the low prices and customer service we offer every day. We have to earn consumer trust in ways the customer will never see — by making it part of our internal culture.

To make trust a fundamental aspect of what we do, we take intentional steps internally to create a security-minded culture — not only in October, but all year long. We make sure that associates hear from our InfoSec department not just when there’s a new aspect of compliance to adhere to or a required training to complete — we also make information security fun. One of the ways we do this is through gamification — including phishing simulations, virtual escape rooms, and capture the flag competitions. We also try to reach associates in surprising and unexpected ways — from pop-up booths with security-related swag, to music videos about multi-factor verification and the importance of strong passwords, to Valentine’s Day cards with security tips written as poems.

4. Monitoring traffic on the Walmart network 24/7/365

As a retailer operating in 27 countries and offering e-commerce in 10, Walmart’s network is massive in both size and scope. That makes monitoring it a Herculean task, but it’s one that we take on every day. In fact, at literally any given moment of the day, members of our Dynamic Defense Engineering team are monitoring the Walmart network.

The Dynamic Defense Engineering (DDE) team monitors all activity on the Walmart network, whether it originates from outside of it or from within. In order to protect customer information and help ensure safe transactions, they’re watching for any malicious or suspicious activity, and tracking data leaving the Walmart network to ensure that sensitive information is not being exfiltrated.

5. Staying current on the latest cyber threats

Maintaining a safe, trustworthy network is an ongoing battle. In order to stay one step ahead of attackers, Walmart’s engineers and information security teams have to keep up to date on the latest cyber threats. That means understanding new threats as they develop by researching newly published attacks from around the world. This allows the Dynamic Defense Engineering team to develop new custom software and techniques for identifying and blocking these attacks.

In addition to the DDE team, the Technical Vulnerability Assessment (TVA) team is charged with implementing a cohesive, highly prioritized cybersecurity program. TVA works to understand complex vulnerabilities and how they relate to compensating controls within the network environment. With proper risk assessment and prioritization, the TVA team can develop a defensible risk-based methodology that incorporates a global view of the company and the threats it faces.

Exercising your own information security

So how can you #BeCyberSmart? Whether it’s using a password manager, removing account permissions from old accounts or devices, or just keeping all your connected gadgets up to date, tweet to us about it, or tell us on LinkedIn. We’d love to hear your tips!
