Retailers Turn to Human ‘Sensors’ to Shore Up Physical and Digital Security
Thirty years ago I worked as a loss prevention officer at a major national retailer. For hours at a time, I walked the aisles, keeping an eye out for suspicious characters. When I spied a shoplifter, I followed them out of the store, confronted them, and either recovered the pilfered goods or contacted the police. I got good at spotting petty thieves. But the truth is I couldn’t have done it without the (sometimes avid) help of all the other employees, scattered throughout the store, who alerted me and my colleagues to suspicious activity.
Shoplifting is still a threat to retailers. However, the biggest threats today have shifted to the digital realm, as thieves attack physical devices like ATMs, point-of-sale (POS) systems and self-service kiosks (as well as attempt to infiltrate networks through phishing and denial of service (DOS) attacks). In fact, Verizon’s 2016 Data Breach Investigation Report (DBIR) illustrated the increasing targeting of such systems, noting that more than 64 percent of retail breaches with confirmed data loss involved POS intrusions. Additionally, Verizon researchers found that more than 70 percent of security incidents went undetected for weeks or more. And just like with shoplifting, retail employees play a critical role in defending their companies against these threats.
In the same way that an entire employee base needs to be regularly trained and continually aware of the physical security of a retail space, they should also be well-versed and aware of the ever-shifting threats to cybersecurity. Today’s loss prevention officers no longer simply walk the floor looking for shoplifters. Under different names, they also patrol IT networks, looking out for a multitude of threats, many of which can do infinitely more reputational and/or financial damage than stolen goods. Consider, if you will, that Verizon’s 2016 DBIR also noted that roughly 90 percent of all security incidents in the retail sector involved DoS, POS or web app attacks, with 79 percent of incidents undetected for weeks or more. The potential not only exists for droves of customers affected by a data breach, but for millions of dollars in lost revenue.
Most retail spaces have a POS system, with many stores rolling out new technologies and outfitting employees with smartphones that process payments on the fly. While helpful for customers, these technologies create more potential threat vectors. That’s why it’s so important that employees remain alert for suspicious activity, in any form.
Retail employees play a bigger role in physical and cyber information security than they might think. They're the ones taking credit cards, observing vendors working near POS or in-store ATM machines, and answering customers via live chat and email. Employees are the human “sensors” who must be called upon and counted upon to identify attempts to breach the physical perimeter and break into a retailer’s IT networks.
How do you enable your employees to act as human sensors? With an ongoing cybersecurity awareness program. This means more than delivering a single course or putting up a couple posters. Enlisting your employees in the fight against cyber threats will take training, continual reinforcement and the vocal support of management.
The many threats facing retailers means that it’s no longer enough to have solely loss prevention officers on the beat. All retail employees must act as loss prevention officers, constantly aware and alert to potential physical or digital security threats. A compelling cybersecurity awareness program is a great place to start.
Tom Pendergast is the chief architect of MediaPro’s Adaptive Awareness Framework™ approach to plan, train, reinforce and analyze workforce learning and awareness in the subjects of information security, privacy and corporate compliance.
Related story: It’s Time for Retailers to Take Cybersecurity Seriously … or Pay the Price