As the retail threat landscape evolves, the role of loss prevention is changing — but not consistently in every retail organization. Gus Downing, president and publisher of the D&D Daily, thinks LP employees in both cyber threat analysis and incident response are not as involved as they should be — most of the time, they are brought in after the fact. “The speed of change and the number of new cybercrime risks alone is like nothing we’ve ever seen before,” he said at NRF PROTECT 2019. Downing went on to say that in the last 18 months, eight international cases identified 140,000 fraudsters for a total of $750 million in losses. In this environment, it is paramount that LP teams work in tandem with their company’s technology teams to stay ahead.
NRF’s 2019 National Retail Security Survey found that 89 percent of LP executives saw increasing overlap between retail LP teams and cybersecurity teams, but only 30 percent said they were regularly involved in cybersecurity issues. At NRF PROTECT, Downing and executives from Williams-Sonoma Inc., Dunkin' Brands and Jack in the Box discussed practical ways retail LP teams can work with technology teams.
Converging functions
“IT security has always protected the perimeter of our business from outsiders coming in — whether that’s malware or compromised emails,” said Gail Morris, Williams-Sonoma’s director of loss prevention, “and the loss prevention department has always protected the interior perimeter of the business.” As the two functions converge, Morris sees companies employing joint incident responses where both teams will be called upon.
David Johnston, senior director of loss prevention and corporate security at Dunkin' Brands, said IT and LP are already working together. Johnston has seen transactional fraud incidents evolve from just credit card fraud to other forms, including user authentication fraud, synthetic accounts, account takeover and credential stuffing, both online and in the Dunkin' mobile app. “If you don’t have that connection now [with the IT team],” Johnston said, “go out and extend the hand.”
Playing to strengths
LP can help IT understand company assets (for example, how store associates and call center employees use software and hardware) to aid deep-dive investigations and ensure recommended solutions are relevant. Education is key to making a combined team work effectively: Johnston encourages his LP team to go through cybersecurity training and certification programs so they are well-versed in terminology and tactics. The IT teams at Dunkin' Brands are also educated in interview tactics and investigation techniques, training that is normally designated for LP professionals. “The partnership needs to continue to grow,” said Jason Painter, enterprise security manager for Williams-Sonoma.
What’s in the future?
Morris said cybersecurity within an LP career path is still “untapped territory” for most, but the field is evolving and changing. “As everything goes more and more digital and online,” she said, “it’s going to be necessary for a lot of LP professionals to get on board with it.”
With increased access to electronics and more advanced tools that make it easier to steal or cause harm, “we’re having to ramp up our tools, tactics and procedures to keep up with the threat,” said Jack in the Box’s Chief Information Security Officer Terrence Weekes. The winning solutions will consolidate tools to perform both IT and LP functions at once.