A Partnership Between Loss Prevention and IT
If the nature of retail crime is evolving, so, too, is the relationship between loss prevention teams and IT departments. The growing overlap of cybercrime and physical theft has made it increasingly important for loss prevention professionals to partner with IT decision-makers to reduce risk and the dreaded retail shrinkage.
“It’s about having compensating controls,” Beckner explains, “whether it’s deploying multifactor authentication for consumer transactions” or authenticating new device sign-ins. “A lot of this really comes down to having tools in place that can provide information about who is doing this, what their patterns are, and how we can detect and prevent it.”
It’s also important, Beckner says, for IT teams to partner with their security and loss prevention counterparts to ensure cohesion and alignment. “You want to know that you’re making the right investments and that they’re integrated with the rest of the company’s technology,” he says. That means not only investing in traditional physical security solutions, such as security cameras, but also protecting those assets with robust cybersecurity. Solutions to consider might include:
- Next-generation firewalls: Combining traditional firewall technology with application-level protection, next-gen firewalls protect against advanced security threats through intelligent, context-driven features.
- Endpoint detection and response: Continuously monitor all of the end-user devices on your network to detect and respond to cyberthreats such as malware and ransomware, which has become an increasing threat to retailers.
- Identity and access management: The rise in customer account theft means that it’s not enough for businesses to implement IAM solutions for their employees; their customers need protection too. That’s why many retailers have been investing in IAM solutions, including multifactor authentication.
- Third-party security assessments: In some cases, it’s not enough to invest in new products; you may need to bring in help. Retailers determined to shore up any potential weaknesses might consider investing in third-party support services, including providers who can test your network for holes using red-team techniques.
How Cybersecurity and Physical Security Overlap in Retail
Bell notes that retailers are increasingly deploying automation technology inside stores to improve customer service. Some of these technologies, such as advanced video surveillance systems, are designed to improve security. But others, like self-checkout technology, can complicate security.
In addition to the more obvious ways criminals can undermine such technology — by using tags from lower-priced items to ring up more-expensive merchandise, for example — Bell says it’s vital that retailers clearly understand what software is inside those machines, should the machines themselves be compromised.
“The IoT attack surface isn’t new, but it’s been a major attack vector for breaches in the past, as it comes from third-party point-of-sale systems,” he said. “In this case, the risk is straight up from the point-of-sale systems. There could be 20 or 30 third parties that have software that is part of the point-of-sale system. And many of the retailers out there do not have sophisticated software bills of materials for these systems, so they’re not sure, for instance, what open-source solutions are in there. So when the Log4j exploit hit, for example, many businesses had no idea what third-party providers might have leveraged Log4j in their systems, and they had no way to measure their exposure.”
Building a thorough software bill of materials for such technology is a critical component of any cybersecurity incident response plan, Bell says, because retailers can effectively respond to an incident only when they have clarity on what technology they have that might be compromised.
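To make the exposure question above concrete, here is an added example (not from the article or from any vendor) that checks per-vendor SBOMs for a named component and separates vendors that are exposed, clear, or unmeasurable because no SBOM exists. The vendor names, the CycloneDX-style JSON samples and the `first_safe` threshold are constructed assumptions.

```python
import json
import re

# Constructed sample data: hypothetical vendors with CycloneDX-style JSON SBOMs.
# None means the vendor never supplied an SBOM.
SBOMS = {
    "checkout-kiosk-app": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "kiosk-ui", "version": "4.2.0", "components": [
            {"name": "log4j-core", "version": "2.14.1"}]}]}),
    "payment-middleware": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "log4j-core", "version": "2.17.1"}]}),
    "loyalty-plugin": None,
}


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a part with no leading digits counts as 0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def walk(components):
    """Yield every component, including ones nested inside other components."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def exposure(sbom_text, name, first_safe):
    """Return (status, versions found below first_safe) for one vendor."""
    if sbom_text is None:
        return "unknown", []  # no SBOM: exposure cannot be measured
    bom = json.loads(sbom_text)
    hits = [c.get("version", "0") for c in walk(bom.get("components"))
            if c.get("name") == name
            and parse_version(c.get("version", "0")) < parse_version(first_safe)]
    return ("exposed" if hits else "clear"), hits


def triage(sboms, name, first_safe):
    """Map each vendor to its exposure for the named component."""
    return {vendor: exposure(text, name, first_safe) for vendor, text in sboms.items()}


if __name__ == "__main__":
    # first_safe comes from the advisory the responder is working from; assumed here.
    for vendor, result in triage(SBOMS, "log4j-core", "2.17.1").items():
        print(vendor, result)
```

The "unknown" result is the case Bell describes: without an SBOM, the vendor cannot be ruled in or out during incident response.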
Modern retailers must fight a two-front security battle, both in their stores and on their networks. That’s why it’s imperative that they take a holistic approach to their security posture with the right mix of robust cybersecurity and physical security technology solutions to keep their employees, customers and merchandise safe.