2. Core Elements of Retail
Loss Prevention
Sponsored by: The Retail Loss Prevention Council
September 28, 2015
3. Organized Retail Crime (ORC)
Survey Summary
– $30 Billion/Year problem!
– ORC Fencing Operations
– 8 of 10 retailers victimized
– Need for federal laws for ORC interstate
transport
– Retailers’ financial investment in fighting
organized retail crime tops $400,000 on
average
– Concerns over store merchandise credit
and gift card fraud schemes remain high
4. Survey Summary
– Top Cities for ORC:
Houston, Los Angeles, New
York and Miami, and new:
Detroit
– Impact of Cargo Theft:
24% of retailers reported
store-level theft
– 33% of retailers noticed a
reduction in ORC activity
where state laws exist
5. ORC Actions
• Law Enforcement Collaboration
• Federal
• State
• Local
• Legislative Activity / Capitol Hill
• State Legislative Activity
• Retail Relationships
• Industry ORC Groups
6. Example ORC Law
• Michigan enacted in 2013 (5 year felony)
– Knowingly commits organized retail crime – steals with intent
to sell or redistribute
– Assists another in committing – organizes, finances, manages
– Preventing an anti-theft device from activating
– Knowingly purchasing cell phone with intent to defraud or
break service contract
7. Tools For Battle
• Aforementioned Industry
Collaboration
• CCTV Analytics
• Facial Recognition
• Anti-Shelf Sweeping Technology
• License Plate Recognition
• RFID Tools
• Greeters
• Shopping Cart Lockdown Devices
Today many retailers have established
dedicated ORC Teams that are
focused on stemming ORC’s foothold
8. Organized Retail Crime
• Triangulation Fraud Schemes
• Ranked 9th in 2012; now the #1 fraud type by
impact and frequency, per the Merchant Risk
Council and Cybersource
• Fraudster buys stolen credit cards, advertises
phantom product and orders product with stolen
credit card
• Three victims: person whose card is stolen,
person who orders product and merchant who
drop ships the goods
• Combating the Triangulation Scheme
• Use screening algorithm to identify red flags
• Shipping address differs from billing address
• First time card used on this site?
• First and last name capitalization
• Possible language from high-fraud foreign
country
• Originate from proxy address
• Device fingerprinting analysis
• Transfer transaction over to human fraud analyst
E-Commerce Fraud
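The red-flag checklist on this slide can be expressed as a small scoring screen that hands suspicious orders to a human fraud analyst. The following is an added example, not part of the original presentation; the weights, the review threshold, the field names, the proxy range (a documentation network) and the `xx` language placeholder are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed weights and threshold; a merchant would tune these on its own data.
WEIGHTS = {"addr_mismatch": 2, "first_use": 1, "name_case": 1,
           "language": 1, "proxy": 2, "device_reuse": 3}
REVIEW_AT = 4                                  # score that routes to an analyst
PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder proxy list
WATCH_LANGS = {"xx"}                           # placeholder language watchlist

def norm(addr):
    """Compare addresses ignoring case, commas and extra whitespace."""
    return " ".join(addr.lower().replace(",", " ").split())

class Screener:
    def __init__(self):
        self.cards_seen = set()                # card tokens already used on this site
        self.device_cards = defaultdict(set)   # device fingerprint -> card tokens

    def screen(self, o):
        ip = ipaddress.ip_address(o["ip"])
        self.device_cards[o["device"]].add(o["card"])
        checks = {
            "addr_mismatch": norm(o["ship"]) != norm(o["bill"]),
            "first_use": o["card"] not in self.cards_seen,
            "name_case": o["name"] in (o["name"].lower(), o["name"].upper()),
            "language": o["lang"].split("-")[0].lower() in WATCH_LANGS,
            "proxy": any(ip in net for net in PROXY_NETS),
            # Same device presenting several different cards.
            "device_reuse": len(self.device_cards[o["device"]]) > 1,
        }
        self.cards_seen.add(o["card"])
        flags = [k for k, hit in checks.items() if hit]
        score = sum(WEIGHTS[k] for k in flags)
        return {"score": score, "flags": flags,
                "route": "analyst" if score >= REVIEW_AT else "auto"}

# Constructed sample orders (not real data).
FIELDS = ("name", "card", "device", "lang", "ip", "ship", "bill")
ROWS = [
    ("Dana Reyes", "tok_A", "dev1", "en-US", "198.51.100.7",
     "12 Elm St, Troy MI", "12 elm st  troy mi"),
    ("john smith", "tok_B", "dev2", "en-US", "203.0.113.45",
     "9 Oak Ave, Reno NV", "77 Pine Rd, Waco TX"),
    ("Sam Lee", "tok_C", "dev2", "en-US", "198.51.100.9",
     "4 Bay Ct, Erie PA", "4 Bay Ct, Erie PA"),
]

def run(rows=ROWS):
    s = Screener()
    return [s.screen(dict(zip(FIELDS, r))) for r in rows]
```

The third order looks clean on its own and is escalated only because its device fingerprint was already seen with a different card, which is why the device check keeps state across orders.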
9. Crisis Management and Response
• Undesired and unexpected event
• Disrupts the business and/or jeopardizes
employee and customer safety
• Likely to last for an extended period
• Requires unplanned commitment of
resources
'CRISIS' DEFINED
11. Objectives of the Crisis Management Team
Effective and efficient resolution
Centralizes authority and responsibility
Minimizes organizational impact
Provides structure and discipline to the effort
12. Crisis Management Team (CMT)
• Wrong:
o Reactive not proactive
o Just select some 'good people' and turn them
loose
• Right:
o Identify needed area of coverage
o Select appropriate personnel
13. Important Characteristics of a CMT
• Temporary task force
• Fewest members possible (only those needed)
• Diversity of members
• Members present a unified 'front'
• It is the only part of the business working on
the crisis
14. Responsibilities of the CMT
Assessing the crisis
o Ensuring the situation is
sufficiently understood to
begin resolution
Containing the crisis
o Protecting the company’s
employees and assets
Planning the response
Resolving the crisis
Case Study: Baltimore Riots
15. Protecting PII
(Personally Identifiable Information)
• 66% of respondents named malware attacks as
the number one threat
• Based on the 2014 survey, viruses, worms, Trojans, and
other malware were problems for 61% of respondents
• About 12% of respondents had run-ins with targeted
attacks
• The protection of confidential data against leakage is
now the top priority of most companies (38%)
• Damages from one data security incident were
estimated at an average $720,000
• Damages from one successful targeted attack could
cost a company as much as $2.54 million.
• As Loss Prevention and
Asset Protection leaders, we
have a responsibility to
protect our business from
these types of attacks,
where we have the ability and
controls.
Kaspersky Lab IT Security Risks
Survey 2014:
16. Protecting PII
An estimated 39%
of incidents
involving data
breaches and
systems failures
come from inside
an organization.
17. Questions We Should Ask Of Our IT Security
Partners In Retail Organizations
• What’s the status of the PCI audit or IT
security audit?
• Who has access to your company’s
technology?
• Do third parties access your equipment and/or
information?
• What Control Mechanisms are in place?
• Can we audit session activity?
• What are the loose ends?
18. The Cost of a Security Incident
o Loss of faith in the retailer
o Damage to the brand
o Loss in sales revenue
o Cost of PR firms, lawyers
o Cost of lost time your executives
spend meeting about breach
restoration efforts
o Scramble to satisfy States’
Attorneys General
o Cost of identity theft
monitoring and restorative
services to all customers
affected
19. Are Our Employees Properly Trained?
• Malware can be installed by
insiders: your employees
• Clicking on malicious links/
attachments
• Sensitive Customer Data
• No password sharing
• Control password changes
• If point of sale software is installed
on computer, ensure no web
browsing or email
20. What does the physical Loss Prevention professional
bring to the table?
Security Risk Assessment
Access Control Audits of all controlled area doors
Camera coverage of all server, electrical,
mechanical and telecommunications rooms
Minimum of 90 days video retention
Visitor & lobby controls
Management of physical technology security
(laptop locks) especially after hours
Mobile POS device lock down and usage logging
Incident Reporting Management
Investigations Expertise
Training on handling PII
21. Internal Theft Controls
• Retailers have reported to
researchers that internal theft tops
their list of drains on profitability;
up to 42% of what makes up retail
shrinkage dollars nationally.
• Internal theft is most serious
because employees have far wider
access and longer access to
company assets once they decide to
steal. Thefts can go on for years if
undetected and cause hundreds of
thousands, even millions of dollars in losses.
22. Preventing Internal Theft
CBT Application Process
Screens Applicants Early
Prevents Bad Hires
Pre-Employment Screening
Trust, But Verify - Ronald Reagan
23. Preventing Internal Theft
Background Checks
• Sensitive Positions
• Day Care
• Pharmacy
• Finance
• Manager Positions and Above
• Loss Prevention Agents
• Mandatory Pre-hire Drug Testing
• Testing for Cause
• Post Accident Injury
Drug Screening
24. Internal Theft Controls
• Employee Orientation and
Employee Handbook Statements
about Integrity and Ethics in the
Workplace
• Employee Package Checks (On the
Clock)
• Camera Surveillance
• Store Level Loss Prevention
Presence
• Point of Sale Data Mining
• Solid Employee Management
25. Internal Theft Controls
Metrics
• Relationship between audit scores
& shrink
• Measure performance not
compliance
• Are your programs working?
• Root Causes
• Operational
• Systemic
Computer Based Training
• Consistent Message
• Reoccurring Training
• Waste & Loss
• Integrity
• Satisfies certain regulatory
requirements
• Ability to track progress &
participation
26. Internal Theft Controls
• Pay Employees Well
• Performance Recognition
• Employee Coaching as Needed
• Ensure Management is Fair and
Free of Harassment and
Retaliation
28. Preventing Internal Theft
Open Door Policy
• Encourage an Open Door Policy
Where Employees Have a Hotline,
or Many Phone Numbers and
Email Addresses for Reporting
Violations
Gather Feedback and Act on it
• Employee Engagement Annual
Survey