LP Magazine

SEP-OCT 2017

LP magazine publishes articles for loss prevention, asset protection, and retail professionals covering shrinkage, investigations, shoplifting, internal theft, fraud, technology, best practices, and career development.

Issue link: http://digital.lpportal.com/i/874445

Page 18 of 79

SECURITY'S SECURITY

on a regular basis, including during times of attrition whether it's from resignations or layoffs, according to Christian Romero, a former LP executive at Neiman Marcus and now data privacy and protection associate at the Technocracy Group.

Another problem is perhaps more basic than poor password management. "I think, unfortunately, it's common that LP or security will add these devices without duly informing the information security people," Morin told LP Magazine. "So these devices exist on the network, but the people in charge of protecting the network infrastructure are unaware of them."

To address that gap, some retailers are changing both the "how" and "who" of device management. Terry Sullivan, LPC, president of the Loss Prevention Foundation, was part of such an evolution during his stint at Lowe's, from when LP would vet its own purchases and occasionally butt heads with IT to having every piece of LP technology—right down to a new printer in the LP office—being vetted by the IT group and tested in its lab.

"It was a big change in the last five years. It used to be if we liked it, we'd test it, and we bought it," explained Sullivan, who encouraged the change after becoming director of LP operations at Lowe's. "I told our people to put down their swords and their shields, and that it makes sense, so let's do it."

Although it may require ceding authority and responsibility to IT, collaboration with IT is vital to implement new LP technology safely, Sullivan suggested.

Ongoing management of LP technology is also an area fraught with risk, Romero told LP Magazine. Although LP is typically the owner of security devices, the focus of LP practitioners is often elsewhere. "From a management standpoint, LP looks primarily at the function of the device and how a camera or system is working," he said. "Rather than taking a more holistic view of what management of that device should look like."
Cyber Solutions

Even basic security precautions may be ignored in the manufacture and installation of security devices. Although retailers can push vendors and integrators to give greater attention to the security of security devices, LP practitioners—since they live with the consequences—must own the responsibility. LP executives that oversee network-connected security systems and devices need to assess the risk of those systems to cyber attack and must take steps to reduce the risk.

"The crux of the issue is that not much energy or effort is put toward properly managing the life cycle of these devices," explained Morin. "We're happy with the video we're getting, so we forget about them. There is this impression that a device will last five, seven, or ten years, and that is when we'll touch it again," he said.

Success starts, then, with a strategy. When the GAO examined the cyber risk to security systems at the Department of Homeland Security (DHS), it found that select protection solutions had been deployed but that the broader effort was hampered—and vulnerabilities weren't addressed—because DHS lacked a clearly defined strategy to maintain its focus. Worse, it found a lack of agreement on exactly who was responsible for addressing the integrity of the systems, which is a precursor to taking action, the report concluded.

A viable overall strategy to address cyber risk to security systems should entail defining the problem, identifying the roles and responsibilities for securing systems and devices, analyzing the resources needed, and identifying a methodology for assessing cyber risk to security devices. Such a programmatic approach is important as other LP issues can easily divert attention and cause retailers to lose focus from what may seem like the abstract risk of a cyber attack on an IP camera.

LP operations must be deliberate when selecting, testing, and adding new security devices to the network.
Not all network security devices are designed for security, and there is no guarantee, if a flaw is found, that a manufacturer will roll out a timely fix. Additionally, not all vendors do the same amount of testing. Consequently, choosing trusted manufacturers and integrators is critical.
