LP Magazine

JUL-AUG 2014

LP magazine publishes articles for loss prevention, asset protection, and retail professionals covering shrinkage, investigations, shoplifting, internal theft, fraud, technology, best practices, and career development.

Issue link: http://digital.lpportal.com/i/352439


BUILDING A NEW DEFENSE TEAM

dissimilar in origin, structure, balance and purpose. In many ways, they even speak different languages. However, there is also common ground and a working relationship based upon shared tasks and accountabilities. It is this relationship that must continue to evolve.

"When dealing with data risks in the retail environment, there's increasingly a link back to the LP teams. The investigation function is particularly valuable, and a unified strategy only makes good sense. For our security functions to be most effective, our professionals must be a collective enterprise," says White.

This requires a comprehensive approach as described here:

■ Recognizing our vulnerabilities to mitigate the risks. This may also include consulting with specialized professionals to establish controls, ascertain roles and responsibilities, and determine effective and efficient protocols.
■ Increased communication and enhanced cooperation. This is a shared responsibility, and must flow both ways. There must be shared perspectives and open channels to build these bridges.
■ Additional training. Everyone responsible for protecting this information must have a strong awareness of the tools and the power of the data, along with the knowledge and skills to manage the risks.

With the depth, magnitude, and global reach of several recent breaches, as well as the repercussions for the businesses and their brands, there is clearly greater awareness, to the point that companies have become much more sensitive to the threat. But this awareness must be coupled with continuing education, proactive controls, and actionable plans.

"Every company should start with the proactive assumption that their perimeters can and will be breached," states White. There must be a layered defense that would include the following:

■ Appropriate tagging and classifying of data based on importance and sensitivity.
■ Robust policies and procedures that clearly identify security expectations.
■ Strong password policies, network controls, and access controls to include third-party controls.
■ Maintenance protocols and keeping software up-to-date.
■ Appropriate education and awareness to keep our teams current and informed.
■ A quick and diligent response-and-recovery plan in the event of an intrusion.
■ Continuing and persistent evaluation and updates as necessary and appropriate.

Every organization must evaluate their risks and exposures and establish best practices based upon their specific business needs. However, that approach should not focus solely on compliance. What you really have to do is take an active, functional approach to the business, determine the risks, and then make informed, intelligent decisions based on the needs, vulnerabilities, and resources available to the organization.

Perception versus Reality

Recent attacks on retailers, including Target, Neiman Marcus, Michaels, P.F. Chang's, and others, have focused the attention of the entire retail community on these cyber-incidents over recent months, and all have an important connection in cybersecurity expert and noted blogger Brian Krebs. A journalist and investigative reporter who broke the news on these and several other prominent breaches, Krebs is best known for his coverage of profit-seeking cybercriminals. However, beyond his experience, it is his sharp instincts and insightful approach that help him stand apart. Recently he gave a presentation at the 2014 NRF loss prevention conference and shared some thoughts that should make all of us take notice.

When it comes to protecting our critical information, Krebs stressed the concept of perception versus reality—how secure you actually are versus how secure you think you are.

"Most companies think that the automated tools that they have do a pretty good job at protecting them from these attacks," he says. "But where they really need to focus more of their security budgets is on the people to help them interpret all of the stuff that's being put out, and how to respond to it. Too many organizations spend way too much emphasis on the tools, and not enough on the people."

Reflecting on several of the incidents that have garnered his energy and attention, Krebs feels that companies typically have all of the information that they need to figure out that they've had a breach, but no one is looking at and interpreting that information. He emphasized the importance of communication, teamwork, and talent. He then proposed the following model to guide those efforts:

■ Identify and protect your soft spots—Determine what information you feel is vital to protect.
■ Know your enemy—Figure out who you're likely to be targeted by and what information they want.
■ Invest in talent—Too many organizations rely on automation for security rather than talent. Get smarter
