Theft has been ever-present since the beginning of retail and continues to be a huge burden the industry must carry. The latest statistics from the US indicate that one in 11 people steal, costing US retailers around $50 billion each year. This implies that Australian retailers proportionally lose between $3 and $4 billion to theft per annum. Yet, very few Australian retailers take proactive measures to protect their profits from pilfering.
Larger retailers have loss prevention departments, but smaller chains often do nothing, or only react when hit with a major loss. I doubt that such a tactic results from a structured assessment of estimated losses versus the cost of running a loss prevention function. But, even if such analysis took place, it may no longer be relevant as no savings on loss prevention can be justified in the face of an Extinction Level Event (ELE).
In the past, thanks to a distributed network of stores and operations, retail businesses had built-in resilience. Even if a warehouse burnt down, stock already in the field provided a cushion, giving the organisation time to recover. Furthermore, everyone within the organisation could contribute to physical security, even if by sheer presence on site.
The rapid proliferation of digital across retail enterprises has changed all that. Today, if someone sabotaged your systems you couldn’t trade. Additionally, if hackers infiltrated your systems and compromised information about your customers, legal liabilities and reputation damage could be lethal. US insurance company, Anthem Inc. agreed to pay US$150 million in compensation for a security breach in 2015 that exposed its customers’ data.
New legislation in the US and EU forces organisations to disclose security breaches that result in the exposure of customer data. I expect that Australia will follow suit. This can then lead to individual lawsuits. As such, special care must be taken to secure customer data.
Bottom line, modern retail enterprise must recognise that protection against cyber threats has to be an important part of the modern loss prevention agenda. I felt compelled to write this article, as in my assessment, many retailers still don’t appreciate the severity of the looming danger.
Let’s explore the reason why active loss prevention in retail still hasn’t become the rule and then take a deeper look at the nature of the digital threats and what can be done about them.
Ignoring the clear and present danger
One of the key reasons why retail organisations don’t have a loss prevention department relates to the very nature of the human mind. Like other people, retailers routinely fail to take precautions due to the normalcy bias. About a hundred of such cognitive biases exist and they undermine our ability to optimally function in this world – at a personal level, within our social circle, and commercially.
The normalcy bias means the reluctance to plan for a disaster that has never happened to us before. As a consequence, we routinely fail to expect and prepare for highly likely calamities, including ELEs. This needs to change in the era of an increasingly connected world. We face a clear and present danger.
Massive escalation of threats
Over the last few years, our reliance on technology has increased exponentially, resulting in never before seen levels of exposure at a digital level. A cyber catastrophe can now obliterate a business or cause massive personal grief and the probability of such an event keeps growing.
The criminal economy develops faster than the lawful one can evolve its means of defence. The cybercrime ‘industry’ keeps expanding and becoming more sophisticated. The growing availability of computer crime tools allows more people to engage in illicit cyber activity, with much fewer technical skills than previously required. Furthermore, cybercrime activities have now expanded from individual hackers to organised syndicates. Criminal acts are also increasingly committed by specialised software (‘crimeware’) rather than by people – for example, autonomous software that encrypts infected hard drives so a ransom can be demanded, obviously in bitcoin, to protect the anonymity of the perpetrators.
But, recently the situation got even worse. State agencies now commit cyber acts of industrial espionage and sabotage. For example, in January 2016 Russia brought down the Ukraine’s electricity grid. As a cover up, state agencies frequently present themselves as competitors or even criminals rather than intelligence organisations. Realistically, no one can persecute such perpetrators as they operate from within foreign jurisdictions.
Digital damage to many businesses and individuals occurs daily. An estimate from 2015 predicted that cybercrime will cost businesses $2 trillion a year globally by 2019. Our exposure will increase as more and more hardware devices morph into internet-connected computer code – and all code can be hacked. In July 2015, a hacker took control of a Jeep Cherokee as it drove on the highway in Saint Louis at over 100 kilometres per hour. Malicious people can now manipulate physical objects half a world away.
Experts estimate that 50 billion new devices, from TVs to refrigerators and pacemakers, will be connected to the internet by 2020, almost all of them without proper security setup. As promising as it is, The Internet of Things (IOT) opens another Pandora’s Box of digital security issues.
What needs to happen for retailers to recognise the digital danger as real and start planning for the moment when, not if, an adverse event will occur?
Imagine if a severe cyberattack crippled your business systems and you had to switch to using paper records and handheld calculators. For how long would your business survive?
If you can operate like this i.e. without the internet and without computers for a week, then you can consider yourself prepared. When the digital tsunami comes, you will endure and like in the movie, Forrest Gump, when all the other shrimp boats sink, you will do exceptionally well when the things come back online. Bubba Gump Shrimp Co. got lucky, you can make your own luck.
How could such resilience be achieved? To begin with, you must assume that every computerised system can be and has been infiltrated. Yours included. And, don’t think for a moment that the government can help. Businesses and individuals must protect themselves on their own, because governments don’t have the resources to make a meaningful difference.
IBM claims that 95 per cent of all data-security breaches involve some form of human error. This highlights the essential importance of security measures that go well beyond the technical sphere. Building awareness, training and simulated cyber-attacks must become a routine part of personnel management.
The term ‘social engineering’ means eliciting or otherwise acquiring seemingly harmless personal information, to build a profile of a target, and then use the information to illegally obtain funds or access to networks. People within your business need to be well versed in understanding these threats and the business must continually work on detecting and handling them.
Let’s review the most commonly used social engineering techniques:
- Spear-phishing targets a specific victim and according to the experts, constitutes about 90 per cent of social engineering schemes. It starts with acquiring personal details on the victim: friends, places they visit, employer, what they recently bought online etc. The attackers then disguise themselves as a trustworthy friend or an entity (bank, government institution or insurance company) to acquire sensitive information – through email or social media channels.
A special form of spear-phishing, known as whale-phishing, targets C-level executives and has been used to steal money directly. The perpetrators use emails that appear to be genuine communications e.g. from the CEO to the finance department, instructing them to transfer money to a specific overseas account.
- Phishing means a broader, non-personalised attack launched against a target group. It aims to trick victims into sharing highly sensitive information such as passwords, usernames, and credit card details. The attackers often disguise themselves as e.g. a bank and contact the targets via email or other messaging means. A variant of phishing, known as vishing relies on the use of a phone call to trick the victim.
Phishing emails can include attachments that contain malware, viruses, ransomware and other malicious programs. If opened, these attachments get activated and do the damage they were designed to do. They can seize control of your computer and steal your information, or destroy your files, or use your computer to attack other computers.
- Baiting means a promise of an item or other benefits to entice victims. It can be handled via email, but it can also be launched physically e.g. via a USB storage device with a virus on it, labelled “Executive Salaries”, left for unaware victims to find.
While emails are often used to spread viruses and malware, merely accessing a malicious website can infect the system. Seemingly innocent websites can be doctored to infect computers that visit them.
- Access Agents pose another type of threat. Such people join organisations in cooperation with criminals, to furnish electronic information or assist in providing access. Access agents can also spot co-workers with financial or other vulnerabilities, such as drug use or anger at the employer, and make their criminal bosses aware of potential targets.
On top of the social engineering threat, hacking attempts continually hit your networks, occurring quietly in the background. Unfortunately, many networks have no means of detecting a breach. Old-style cyber-security tools generate too many ‘false positives’. When a burglar alarm sounds constantly, people ignore it.
Current industry statistics indicate that it takes organisations (on average) two hundred days to become aware of a breach. I would recommend that if you don’t already, you should immediately engage the necessary resources to start monitoring your systems so you can be aware of all attacks. When a breach occurs, you will then be able to react swiftly.
Fundamental (and often simple) precautions
While a coherent cyber defence system requires a multipronged approach, many measures can be implemented rapidly at practically no or little cost. Some require more effort. The key areas to consider:
- Power down: A policy can be introduced that any computer equipment not in use must be powered down. A switched off device cannot be hacked. The fewer computers you have active at any given time, the less exposure you have.
- Long passwords: The next easily fortified area relates to your password policy. Experts debate the required length and complexity of passwords, but given that length makes passwords substantially harder to crack than password complexity, you should adopt a policy that requires staff to use long passwords. It could be as simple as adding one’s first name at the end of the currently used password pattern.
- Separate administrative privileges: More work will be needed to deploy this measure, but if it’s not already in place within your organisation, you need to deploy it fast. It requires the imposition of a strict policy that none of your system users can operate with administrative privileges on a daily basis, as this allows their computers to be used as backdoor gateways to install malware. Users should have an alternative account with administrative access, so they can still install software or updates, but it must have a different and long password. Under this model, your users will get prompted for credentials whenever the system detects that something needs to be installed.
- Keep current: Make sure you have processes within your organisation that regularly apply the latest software updates from your vendors, so you can reduce risks related to the newest cybercrime tools.
- Encryption of data: The implementation of data encryption across computer devices within your company (or at least in relation to mobile devices, including laptops) requires effort, but once in place, this will permanently reduce your exposure to data and equipment theft.
- Remote wipe-out: With more and more employees using remote devices, organisations have high risk exposure related to such devices being lost or stolen. Most systems have facilities that allow system administrators to remotely wipe out devices. Such infrastructure takes some effort to implement, but once you lose your iPad with important business information on it, you will definitely appreciate the availability of such a ‘service’.
- Multi-layer data handling: In strategic terms, you should consider the introduction of three-layer data handling model within your organisation. It requires the separation of personal, general business, and highly sensitive data. In many organisations users mix business and personal usage on the same computing device. Companies may have an employee policy defining acceptable use, but in today’s world such sharing must be eliminated.
- A network for internal sharing of all day-to-day business information, handling data such as planned products, cost information, real estate details, personnel records, supplier information etc. You can assume that this network can be made relatively secure.
- A network for external access (including access to the internet). You must assume that this network can be (relatively easily) accessed from outside.
- The third information ‘network’ in your enterprise must be manual. It will rely on paper-only information flow for highly sensitive information. This means limited reintroduction of typewriters or fully isolated computers (be mindful that even those can be breached using a USB stick). A security expert once told me that in order to fully secure my computer I would have to cut the network cable. You need to adopt the same approach in your business when it comes to your most critical, strategic information.
Government agencies in Singapore have already adopted the concept of the internal and external data networks.
- Disaster recovery preparations: While it may sound so obvious that mentioning it seems unnecessary, the importance of a thoroughly tested disaster recovery plan with offsite (detached) backup cannot be stressed enough. Most organisations have backups, but some never bother to check if they will work when needed, hoping for the best. You must have a well-rehearsed plan, so you won’t have to think when the disaster strikes and will be able to focus on the actual restoration work.
What about insurance?
With the growing digital threat, should you consider an additional measure of protection i.e. cyber-insurance? The topic has been gaining attention in the media, within the business community and among insurers. Yet, the rate of the policy take up has been much slower than expected.
Two issues undermine the ability to put in place effective insurance. Firstly, how can one estimate the likelihood and the magnitude of loss? This leads to the second point: with poorly defined potential loses and the likelihood of an adverse event, insurance premiums must be high.
I wouldn’t be surprised if going forward, a cyber-insurance model emerged providing fixed-amount compensation in case of a well-defined adverse event, replacing attempts to explicitly quantify the expected damages.
The way forward
Every retail organisation that doesn’t have a loss prevention team needs to establish one as a matter of priority and make it responsible for cyber-security as the first order of the day. Such a team can then expand their brief to start looking into corporate data, to identify staff and customer fraud patterns. Ultimately, they need to engage in field activities as well.
If your retail chain already operates a loss prevention team, unless they already handle the cyber-space, it needs to be handed over to them. Retailers must recognise that cyber-security only partially belongs to the technology realm. You can’t expect your IT Department to provide secure systems if a spear-phishing email brings in malware to the entire network, simply because the staff member who opened the attachment didn’t know better. You need to treat cybersecurity as an organisation-wide problem.
IT departments can’t screen potential employees either, yet retailers must watch out for potential ‘access agents’ looking to join their organisation. Hence, the new generation, empowered loss prevention department must handle all aspects of business security, including formalised risk management, cyber-security, employee screening, business continuity planning and even the management of insurance.
To be ready for digital fire, you must have a great fire department. Many spot fires already burn within the digital world and one day they will spread in your direction. You’ve been warned. Prepare yourself.