Since 1966, Biscuitville Fresh Southern has been a family-owned company known for serving up authentic Southern breakfast food. Headquartered in Greensboro, North Carolina, Biscuitville has more than 80 corporate-owned restaurant locations in North Carolina, South Carolina, and Virginia. The company has experienced unprecedented growth in the last several years, including a new distribution center and opening locations in a third state.
With this growth came an opportunity to reorganize the IT team. Over the past three years, John Brittain, Biscuitville Vice President of Information Technology, has reshaped the IT team and their focus on several issues, including cybersecurity.
Challenge
Since 2021, Biscuitville’s IT has been rebuilt with an improved infrastructure. Their in-house IT team of 10 members manages their systems and partners and works with third parties for IT development and support.
Enhancing cybersecurity at Biscuitville had been a long-term goal for Brittain. Achieving both budget and executive-level support took some time. “We had previously proposed implementing a SOC or other security solutions, but those initiatives didn’t gain traction. What ultimately secured support for our cybersecurity efforts was a nearby company experiencing a significant cybersecurity incident, which highlighted the urgency and importance of taking action.”
In addition to recognizing the need for threat protection and detection, Biscuitville must comply with PCI DSS which can be challenging for an internal team to manage on its own.
“In the past, we really didn’t have any record or logs or the ability to check our logs, which is a big PCI DSS component. Now, we can show our logs are monitored and we’re covered for our required scans. With PCI DSS 4.0 upcoming, I’m glad to get ahead of the compliance deadline.”
John Brittain | Biscuitville VP of Information Technology
Solution
At the outset, Biscuitville initiated an RFP process and evaluated the cybersecurity solution used by their network provider. However, a proof of concept (POC) revealed this other solution fell short of meeting Biscuitville’s unique needs.
By selecting Fortra’s Alert Logic Managed Detection and Response (MDR), Biscuitville gained a robust security toolkit tailored to their unique needs, including seamless data ingestion from multiple sources. Their priority for a hands-on, collaborative approach to security has been met, establishing a true, proactive partnership focused on safeguarding their organization.
“While corporate owned, our individual stores are set up to be independent, and they are not connected to each other or our headquarters,” explained Brittain. “So, having a solution like Alert Logic MDR whose agents can be installed locally at each site which allows those stores to stand alone and be independent was big for us. With some of the other solutions, the way they called out from a local appliance would have meant redoing all our network and then pen testing again to make sure everything was still secure.”
Another advantage for Biscuitville in using Alert Logic MDR is Fortra’s status as a PCI Approved Scanning Vendor (ASV), enhancing their security posture and trustworthiness in the industry. These external vulnerability scans assist organizations in maintaining a secure payment card environment and defending against cyber threats by identifying vulnerabilities that could be exploited by threat actors. With PCI DSS 4.0, ASV scans will need to be carried out more frequently in that Requirement 11.3.2 requires running external vulnerability scans at a minimum of once every three months and encourages scanning more often “depending on the network complexity, frequency of change, and types of devices, software, and operating systems used.”
“In the past, we really didn’t have any record or logs or the ability to check our logs, which is a big PCI DSS component,” said Brittain. “Now, we can show our logs are monitored and we’re covered for our required scans. With PCI DSS 4.0 upcoming, I’m glad to get ahead of the compliance deadline.”
Summary
Since partnering with Fortra, Biscuitville has benefited from the collaborative relationship to strengthen their IT posture. “The most significant aspect of the implementation process was navigating our many questions, given that this was our first experience with an MDR solution. Their support throughout the process was invaluable, ensuring we felt confident and well-guided every step of the way,” said Brittain.
The enhancement to Biscuitville’s cybersecurity posture has resulted in a ton of visibility into vulnerabilities and feedback that they weren’t getting previously. “This cybersecurity work had to be done. I honestly don’t think the implementation could have been any better,” said Brittain.