ASIS International Seminar & Exhibits September 28-October 1, 2015 Anaheim, California

Core Elements of Retail LP Shortened version 15MB


Core Elements of Retail Loss Prevention

Sponsored by: The Retail Loss Prevention Council
September 28, 2015

Organized Retail Crime (ORC)
Survey Summary

– $30 Billion/Year problem!
– ORC Fencing Operations
– 8 of 10 retailers-victimized
– Need for Federal Laws for ORC-interstate transport
– Retailers’ financial investment in fighting organized retail crime tops $400,000 on average
– Concerns over store merchandise credit and gift card fraud schemes remain high

Survey Summary

– Top Cities for ORC: Houston, Los Angeles, New York and Miami and new – Detroit

– Impact of Cargo Theft: 24% of retailers reported store-level theft

– 33% of retailers noticed a reduction in ORC activity where state laws exist

ORC Actions

• Law Enforcement Collaboration
• Federal
• State
• Local
• Legislative Activity/Capitol Hill
• State Legislative Activity
• Retail Relationships
• Industry ORD Groups

Example ORC Law

• Michigan enacted in 2013 (5 year felony)
– Knowingly commits organized retail crime – steals with intent to sell or redistribute
– Assists another in committing – organizes, finances, manages
– Affecting anti-theft device from activating
– Knowingly purchasing cell phone with intent to defraud or break service contract

Tools For Battle

• Aforementioned Industry Collaboration
• CCTV Analytics
• Facial Recognition
• Anti-Shelf Sweeping Technology
• License Plate Recognition
• RFID Tools
• Greeters
• Shopping Cart Lockdown Devices

Today many retailers have established and dedicated ORC Teams that are focused on stemming ORC’s foothold

Organized Retail Crime
E-Commerce Fraud

• Triangulation Fraud Schemes
• Ranked 9th in 2012; now #1 in impactful and frequency fraud type by the Merchant Risk Council and Cybersource
• Fraudster buys stolen credit cards, advertises phantom product and orders product with stolen credit card
• Three victims: person whose card is stolen, person who orders product and merchant who drop ships the goods

• Combating the Triangulation Scheme
• Use screening algorithm to identify red flags
• Shipping address differs from billing address
• First time card used on this site?
• First and last names capitalization
• Possible language from high-fraud foreign country
• Originate from proxy address
• Device fingerprinting analysis
• Transfer transaction over to human fraud analyst
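A minimal sketch of the screening step listed on this slide, added here as an example and not taken from the presentation: it checks five of the listed red flags (the language check is left out) and routes an order to a human fraud analyst once enough flags trip. The `Order` fields, flag names, threshold of 3, "three cards per device" rule and all reference data are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reference data; a real deployment would load these from the
# merchant's own order history and a proxy/VPN intelligence feed.
KNOWN_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range
CARDS_SEEN_BEFORE = {"card-tok-1001"}
CARDS_PER_DEVICE = {"dev-aaa": {"card-tok-1001"},
                    "dev-zzz": {"card-tok-7001", "card-tok-7002", "card-tok-7003"}}
REVIEW_THRESHOLD = 3  # assumed cut-off: this many flags sends the order to an analyst

@dataclass
class Order:
    first_name: str
    last_name: str
    billing_addr: str
    shipping_addr: str
    card_token: str
    client_ip: str
    device_id: str

def _norm(addr):
    """Compare addresses ignoring case, commas and repeated spaces."""
    return " ".join(addr.lower().replace(",", " ").split())

def red_flags(o):
    """Return the names of the red flags this order trips, in check order."""
    flags = []
    if _norm(o.billing_addr) != _norm(o.shipping_addr):
        flags.append("ship_bill_mismatch")
    if o.card_token not in CARDS_SEEN_BEFORE:
        flags.append("first_time_card")
    # Assumed reading of the capitalization flag: a name entered all lower or all upper case
    if any(n.islower() or n.isupper() for n in (o.first_name, o.last_name)):
        flags.append("name_capitalization")
    ip = ipaddress.ip_address(o.client_ip)
    if any(ip in net for net in KNOWN_PROXY_NETS):
        flags.append("proxy_origin")
    # Device fingerprint check: one device presenting several different cards
    if len(CARDS_PER_DEVICE.get(o.device_id, set()) | {o.card_token}) >= 3:
        flags.append("device_many_cards")
    return flags

def screen(o):
    """Approve clean orders; hand heavily flagged ones to a human fraud analyst."""
    flags = red_flags(o)
    return ("manual_review" if len(flags) >= REVIEW_THRESHOLD else "approve"), flags

# Constructed sample orders
GOOD = Order("Dana", "Reyes", "12 Elm St, Anaheim CA", "12 elm st anaheim ca",
             "card-tok-1001", "198.51.100.7", "dev-aaa")
BAD = Order("john", "SMITH", "12 Elm St, Anaheim CA", "900 Dock Rd, Miami FL",
            "card-tok-7004", "203.0.113.50", "dev-zzz")
```

Returning the flag list alongside the decision gives the analyst the reasons an order was held, not just the verdict.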

Crisis Management and Response

'CRISIS' DEFINED

• Undesired and unexpected event

• Disrupts the business and/or jeopardizes employee and customer safety

• Likely to last for an extended period

• Requires unplanned commitment of resources

Crisis Examples

• Natural disaster (fire; tornado; flood; earthquake)
• Political event (riot; demonstration; civil unrest)
• Product tampering
• Kidnapping (abduction; hostage event)
• Criminal event (mass murder; drive-by shooting; active shooter)
• Terrorist event (bombing; WMD)
• Network breach/sabotage

Objectives of the Crisis Management Team

• Effective and efficient resolution
• Centralizes authority and responsibility
• Minimizes organizational impact
• Provides structure and discipline to the effort

Crisis Management Team (CMT)

• Wrong:
o Reactive not proactive
o Just select some 'good people' and turn them loose

• Right:
o Identify needed area of coverage
o Select appropriate personnel

Important Characteristics of a CMT

• Temporary task force

• Fewest members possible (only those needed)

• Diversity of members

• Members present a unified 'front'

• It is the only part of the business working on the crisis

Responsibilities of the CMT

• Assessing the crisis
o Ensuring the situation is sufficiently understood to begin resolution
• Containing the crisis
o Protecting the company’s employees and assets
• Planning the response
• Resolving the crisis

Case Study- Baltimore Riots

Protecting PII (Privately Identifiable Information)

• 66% of respondents named malware attacks as the number one threat

• Based on the 2014 survey, viruses, worms, Trojans, and other malware were problems for 61% of respondents

• About 12% of respondents had run-ins with targeted attacks

• The protection of confidential data against leakage is now the top priority of most companies (38%)

• Damages from one data security incident were estimated at an average $720,000

• Damages from one successful targeted attack could cost a company as much as $2.54 million.

• As Loss Prevention and Asset Protection leaders, we have a responsibility to protect our business from these types of attacks where we have the ability and controls.

Kaspersky Lab IT Security Risks Survey 2014:

Protecting PII

An estimated 39% of incidents involving data breaches and systems failures come from inside an organization.

Questions We Should Ask Of Our IT Security Partners In Retail Organizations

• What’s the status of the PCI audit or IT security audit?
• Who has access to your company’s technology?
• Do third parties access your equipment and/or information?
• What Control Mechanisms are in place?
• Can we audit session activity?
• What are the loose ends?

The Cost of a Security Incident

o Loss of faith in the retailer
o Damage to the brand
o Loss in sales revenue
o Cost of PR Firms, Lawyers
o Cost of lost time your executives spend meeting about breach restoration efforts
o Scramble to satisfy State Attorneys General
o Cost of identity theft monitoring and restorative services to all customers affected

Are Our Employees Properly Trained?

• Malware can be installed by insiders; your Employees
• Clicking on malicious links/attachments
• Sensitive Customer Data
• No password sharing
• Control password changes
• If point of sale software is installed on computer, ensure no web browsing or email

What does the physical Loss Prevention professional bring to the table?

• Security Risk Assessment
• Access Control Audits to all controlled area doors
• Camera coverage to all server room, electrical, mechanical and telecommunications rooms
• Minimum of 90 days video retention
• Visitor & lobby controls
• Management of physical technology security (laptop locks) especially after hours
• Mobile POS device lock down and usage logging
• Incident Reporting Management
• Investigations Expertise
• Training on handling PII

Internal Theft Controls

• Retailers have reported to researchers that internal theft tops their list of drains on profitability; up to 42% of what makes up retail shrinkage dollars nationally.
• Internal theft is most serious because employees have far wider access and longer access to company assets once they decide to steal. Thefts can go on for years if undetected and cause hundreds of thousands, even millions of dollars.

Preventing Internal Theft
Pre-Employment Screening

• CBT Application Process
• Screens Applicants Early
• Prevents Bad Hires

Trust, But Verify - Ronald Reagan

Preventing Internal Theft

Background Checks
• Sensitive Positions
• Day Care
• Pharmacy
• Finance
• Manager Positions and Above
• Loss Prevention Agents

Drug Screening
• Mandatory Pre-hire Drug Testing
• Testing for Cause
• Post Accident Injury

Internal Theft Controls

• Employee Orientation and Employee Handbook Statements about Integrity and Ethics in the Workplace
• Employee Package Checks (On the Clock)
• Camera Surveillance
• Store Level Loss Prevention Presence
• Point of Sale Data Mining
• Solid Employee Management

Internal Theft Controls

Metrics
• Relationship between audit scores & shrink
• Measure performance not compliance
• Are your programs working?
• Root Causes
• Operational
• Systemic

Computer Based Training
• Consistent Message
• Reoccurring Training
• Waste & Loss
• Integrity
• Satisfies certain regulatory requirements
• Ability to track progress & participation

Internal Theft Controls

• Pay Employees Well
• Performance Recognition
• Employee Coaching as Needed
• Ensure Management is Fair and Free of Harassment and Retaliation

Preventing Internal Theft
GPS-Group Problem Solving

• Facilitates Team Atmosphere
• Provides “Buy In” for Associates
• Ideas to Implementation

Preventing Internal Theft

Open Door Policy
• Encourage an Open Door Policy Where Employees Have a Hotline, or Many Phone Numbers and Email Addresses for Reporting Violations

Gather Feedback and Act on it
• Employee Engagement Annual Survey