As seen on Inside Retail.
The expanding digitisation of retail enterprises means that theft 2.0 has the potential to deal a mortal wound to unprepared retailers.
Theft has been ever-present since the beginning of retail and continues to be a huge burden the industry must carry. The latest statistics from the US indicate that one in 11 people steal, costing US retailers around $50 billion each year. This implies that Australian retailers proportionally lose between $3 and $4 billion to theft per annum. Yet, very few Australian retailers take proactive measures to protect their profits from pilfering.
Larger retailers have loss prevention departments, but smaller chains often do nothing, or only react when hit with a major loss. I doubt that such a tactic results from a structured assessment of estimated losses versus the cost of running a loss prevention function. But, even if such analysis took place, it may no longer be relevant as no savings on loss prevention can be justified in the face of an Extinction Level Event (ELE).
In the past, thanks to a distributed network of stores and operations, retail businesses had built-in resilience. Even if a warehouse burnt down, stock already in the field provided a cushion, giving the organisation time to recover. Furthermore, everyone within the organisation could contribute to physical security, even if by sheer presence on site.
The rapid proliferation of digital across retail enterprises has changed all that. Today, if someone sabotaged your systems you couldn’t trade. Additionally, if hackers infiltrated your systems and compromised information about your customers, the legal liabilities and reputation damage could be lethal. US health insurer Anthem Inc. agreed in 2017 to a US$115 million class-action settlement over a 2015 breach that exposed the records of close to 79 million people.
Breach-notification laws in the US (at the state level) and the EU (the General Data Protection Regulation) oblige organisations to disclose security breaches that expose customer data. I expect that Australia will follow suit. Mandatory disclosure can then lead to individual lawsuits. As such, special care must be taken to secure customer data.
Bottom line, modern retail enterprise must recognise that protection against cyber threats has to be an important part of the modern loss prevention agenda. I felt compelled to write this article, as in my assessment, many retailers still don’t appreciate the severity of the looming danger.
Let’s explore the reason why active loss prevention in retail still hasn’t become the rule and then take a deeper look at the nature of the digital threats and what can be done about them.
Ignoring the clear and present danger
One of the key reasons why retail organisations don’t have a loss prevention department relates to the very nature of the human mind. Like other people, retailers routinely fail to take precautions because of the normalcy bias. Around a hundred such cognitive biases have been catalogued, and they undermine our ability to function optimally in this world – at a personal level, within our social circle, and commercially.
The normalcy bias means the reluctance to plan for a disaster that has never happened to us before. As a consequence, we routinely fail to expect and prepare for highly likely calamities, including ELEs. This needs to change in the era of an increasingly connected world. We face a clear and present danger.
Massive escalation of threats
Over the last few years, our reliance on technology has increased exponentially, resulting in never before seen levels of exposure at a digital level. A cyber catastrophe can now obliterate a business or cause massive personal grief and the probability of such an event keeps growing.
The criminal economy develops faster than the lawful one can evolve its means of defence. The cybercrime ‘industry’ keeps expanding and becoming more sophisticated. The growing availability of computer crime tools allows more people to engage in illicit cyber activity with far fewer technical skills than were previously required. Furthermore, cybercrime has expanded from individual hackers to organised syndicates. Criminal acts are also increasingly committed by specialised software (‘crimeware’) rather than by people – for example, ransomware that encrypts the hard drives it infects so that a ransom can be demanded, typically in bitcoin to protect the anonymity of the perpetrators.
But recently the situation got even worse. State agencies now commit cyber acts of industrial espionage and sabotage. For example, in December 2015 an attack attributed to Russia cut power to parts of Ukraine’s electricity grid. As cover, state actors frequently present themselves as competitors or even ordinary criminals rather than intelligence organisations. Realistically, no one can prosecute such perpetrators, as they operate from within foreign jurisdictions.
Digital damage to many businesses and individuals occurs daily. An estimate from 2015 predicted that cybercrime will cost businesses $2 trillion a year globally by 2019. Our exposure will increase as more and more hardware devices morph into internet-connected computer code – and all code can be hacked. In July 2015, security researchers remotely took control of a Jeep Cherokee as it drove on a highway near St. Louis at over 100 kilometres per hour, with a journalist at the wheel. Malicious people can now manipulate physical objects from half a world away.
Experts estimate that 50 billion new devices, from TVs to refrigerators and pacemakers, will be connected to the internet by 2020, almost all of them without proper security setup. As promising as it is, the Internet of Things (IoT) opens another Pandora’s box of digital security issues.
What needs to happen for retailers to recognise the digital danger as real and start planning for the moment when, not if, an adverse event will occur?
Imagine if a severe cyberattack crippled your business systems and you had to switch to using paper records and handheld calculators. For how long would your business survive?
If you can operate like this, i.e. without the internet and without computers for a week, then you can consider yourself prepared. When the digital tsunami comes, you will endure and, as in the movie Forrest Gump, when all the other shrimp boats sink, you will do exceptionally well once things come back online. Bubba Gump Shrimp Co. got lucky; you can make your own luck.
How could such resilience be achieved? To begin with, you must assume that every computerised system can be and has been infiltrated. Yours included. And, don’t think for a moment that the government can help. Businesses and individuals must protect themselves on their own, because governments don’t have the resources to make a meaningful difference.
IBM claims that 95 per cent of all data-security breaches involve some form of human error. This highlights the essential importance of security measures that go well beyond the technical sphere. Building awareness, training and simulated cyber-attacks must become a routine part of personnel management.
The term ‘social engineering’ refers to eliciting or otherwise acquiring seemingly harmless personal information in order to build a profile of a target, and then using that information to illegally obtain funds or access to networks. People within your business need to be well versed in these threats, and the business must continually work on detecting and handling them.
Let’s review the most commonly used social engineering techniques:
A special form of spear-phishing, known as whale-phishing (or CEO fraud), targets C-level executives and their staff and has been used to steal money directly. The perpetrators use emails that appear to be genuine communications, e.g. from the CEO to the finance department, instructing staff to transfer money to a specific overseas account. The forged message usually carries the executive’s display name but comes from an outside mailbox or a look-alike domain, and asks for urgency and secrecy.
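The CEO-fraud pattern described above can be screened for mechanically before a message reaches the finance team. The following is an added example, not code from the article or from any retailer it describes: the company domain, the executive directory and the three sample messages are all constructed for illustration, and the four heuristics (executive display name with a foreign mailbox, diverted Reply-To, look-alike sender domain, payment language from outside the company) are assumptions about what a first-pass filter should flag.

```python
"""Heuristic screening for executive-impersonation ("whale-phishing") emails.

Added example, not part of the original article.  The domain, the executive
directory and the sample messages are constructed; the thresholds are
illustrative assumptions, not a vendor's rules.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

OUR_DOMAIN = "example-retail.com.au"                    # hypothetical company domain
EXECUTIVES = {"jane doe": "jane.doe@example-retail.com.au"}  # display name -> real mailbox
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|urgent|invoice|payment|account)\b", re.I)


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-character-off look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw):
    """Return the list of reasons a message looks like CEO fraud (empty list = nothing found)."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    name_key = name.strip().lower()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. An executive's display name, but the mailbox is not the executive's own.
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        reasons.append(f"display name '{name}' impersonates {EXECUTIVES[name_key]} from {addr}")

    # 2. Reply-To diverts answers away from the visible sender.
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if reply_to and all(a.lower() != addr.lower() for a in reply_to):
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Sender domain is not ours but is within two edits of it (typosquat).
    if domain and domain != OUR_DOMAIN and _edit_distance(domain, OUR_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")

    # 4. Payment language arriving from outside the company.
    text = msg.get("Subject", "") + " " + (msg.get_payload() if not msg.is_multipart() else "")
    if domain != OUR_DOMAIN and PAYMENT_WORDS.search(text):
        reasons.append("payment instructions from an external sender")
    return reasons


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Jane Doe <jane.doe@example-retail.com.au>\n"
    "Subject: Lunch\n\nSee you at 12.\n"
)
CEO_FRAUD = (
    "From: Jane Doe <ceo.janedoe@gmail.com>\n"
    "Subject: Urgent wire transfer\n\n"
    "Please transfer $48,000 to the account below today and keep this between us.\n"
)
LOOKALIKE = (
    "From: Accounts Payable <ap@example-retai1.com.au>\n"
    "Reply-To: <ap.team@outlook.com>\n"
    "Subject: Invoice 2231 overdue\n\nPlease pay the attached invoice.\n"
)

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("ceo fraud", CEO_FRAUD), ("look-alike", LOOKALIKE)]:
        print(label, "->", screen_message(raw) or "clean")
```

Any non-empty result should route the message to a human check (a phone call to the executive on a known number), not to an automatic block: the rules are deliberately coarse and will occasionally flag a genuine supplier using a personal mailbox.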
While emails are often used to spread viruses and malware, merely visiting a malicious website can infect a computer (a ‘drive-by download’). Seemingly innocent websites can be doctored to infect the computers that visit them.
On top of the social engineering threat, hacking attempts continually hit your networks, quietly and in the background. Unfortunately, many networks have no means of detecting a breach. Old-style cyber-security tools generate too many ‘false positives’, and when a burglar alarm sounds constantly, people ignore it.
Current industry statistics indicate that it takes organisations, on average, about two hundred days to become aware of a breach. If you don’t already, you should immediately engage the necessary resources to monitor your systems so that you become aware of attacks as they happen. When a breach occurs, you will then be able to react swiftly.
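The ‘alarm that sounds constantly’ problem is largely a tuning problem: a detection that fires on every failed login is ignored within a week, while one that requires both volume and breadth of failures from a single source rarely cries wolf. The example below is added here and is not from the article; the log format, the sample lines and the thresholds are constructed assumptions used to show the difference between raw alerting and a tuned rule.

```python
"""Sliding-window detection of password guessing against a login service,
tuned to ignore a single user mistyping or a stuck terminal.

Added example, not part of the original article.  The log format, the
sample lines and the thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<date> <time> FAIL|OK user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

WINDOW = timedelta(minutes=5)
MAX_FAILS = 10   # a real user mistyping rarely exceeds this in five minutes...
MIN_USERS = 3    # ...and almost never across three different accounts


def detect(lines):
    """Return one alert per source address, the first time it crosses both thresholds."""
    fails = defaultdict(deque)   # src -> deque of (timestamp, user) within the window
    alerted = set()
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # unparseable line: skip, never crash the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["result"] != "FAIL":
            continue
        q = fails[m["src"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > WINDOW:  # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if m["src"] not in alerted and len(q) >= MAX_FAILS and len(users) >= MIN_USERS:
            alerted.add(m["src"])
            alerts.append({"src": m["src"], "at": ts, "fails": len(q), "users": sorted(users)})
    return alerts


def _t(seconds):
    """Timestamp helper for the constructed sample log."""
    return (datetime(2016, 3, 1, 9, 0, 0) + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample log (not real traffic):
#  - 10.0.0.5      a staff member fat-fingers her password four times, then logs in
#  - 203.0.113.9   an outside host cycles through four accounts, twelve failures in three minutes
#  - 198.51.100.7  a POS terminal retries a stale password eleven times against one account
SAMPLE_LOG = sorted(
    [f"{_t(i * 20)} FAIL user=jane src=10.0.0.5" for i in range(4)]
    + [f"{_t(90)} OK user=jane src=10.0.0.5"]
    + [f"{_t(100 + i * 15)} FAIL user={u} src=203.0.113.9"
       for i, u in enumerate(["jane", "bob", "admin", "root"] * 3)]
    + [f"{_t(30 * i)} FAIL user=pos01 src=198.51.100.7" for i in range(11)]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a['src']} at {a['at']}: {a['fails']} failures across {a['users']}")
```

A naive ‘alert on every failure’ rule would page on all three sources; the tuned rule pages once, for the host that is actually guessing, and the stuck terminal shows up instead as a ticket for the store rather than a security alarm.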
Fundamental (and often simple) precautions
While a coherent cyber defence system requires a multipronged approach, many measures can be implemented rapidly at practically no or little cost. Some require more effort. The key areas to consider:
Government agencies in Singapore have already adopted the concept of separate internal and external (internet-facing) networks, so that a compromise of a browsing machine cannot reach the systems that hold the data.
What about insurance?
With the growing digital threat, should you consider an additional measure of protection i.e. cyber-insurance? The topic has been gaining attention in the media, within the business community and among insurers. Yet, the rate of the policy take up has been much slower than expected.
Two issues undermine the ability to put effective insurance in place. Firstly, how can one estimate the likelihood and the magnitude of a loss? This leads to the second point: with both the potential losses and the likelihood of an adverse event poorly defined, insurance premiums must be high.
I wouldn’t be surprised if going forward, a cyber-insurance model emerged providing fixed-amount compensation in case of a well-defined adverse event, replacing attempts to explicitly quantify the expected damages.
The way forward
Every retail organisation that doesn’t have a loss prevention team needs to establish one as a matter of priority and make it responsible for cyber-security as the first order of the day. Such a team can then expand their brief to start looking into corporate data, to identify staff and customer fraud patterns. Ultimately, they need to engage in field activities as well.
If your retail chain already operates a loss prevention team, unless they already handle the cyber-space, it needs to be handed over to them. Retailers must recognise that cyber-security only partially belongs to the technology realm. You can’t expect your IT Department to provide secure systems if a spear-phishing email brings in malware to the entire network, simply because the staff member who opened the attachment didn’t know better. You need to treat cybersecurity as an organisation-wide problem.
IT departments can’t screen potential employees either, yet retailers must watch out for potential ‘access agents’ looking to join their organisation. Hence, the new generation, empowered loss prevention department must handle all aspects of business security, including formalised risk management, cyber-security, employee screening, business continuity planning and even the management of insurance.
To be ready for digital fire, you must have a great fire department. Many spot fires already burn within the digital world and one day they will spread in your direction. You’ve been warned. Prepare yourself.