Canadian Retailer - Fall 2016 - 39

LOSS PREVENTION

LOSS Prevention has changed a lot over the last two decades.

Just ask Stephen O'Keefe; he's been in the business for more
than 30 years, overseeing security and risk management for
such retailers as Sears, The Bay, and most notably Walmart.
During that time, he's seen the digital revolution transform
the traditional marketplace, providing today's retailers with
more opportunity than ever before. But as the nature of assets,
inventory, and even loss itself have changed, he notes, that
transformation has proved a fertile breeding ground for a new
generation of online criminals.
Today, O'Keefe runs Gristmill Solutions-a retail consulting
firm that specializes in operations and loss. And he says that
with respect to criminal activity, retailers need to recognize
the evolution that's taken place over the past number of years.
"The game has changed," he explains. "It's changed, and
it continues to change. Bad guys are saying: 'Wait a minute.
The greatest asset that's out there outside of
people is information. And I don't have to
physically steal anything. The risk is so much
lower.' There are nefarious people out there.
So you have to do whatever you can to protect
that information."
"Ten years ago, it wasn't happening at all
unless you were a big business like a Walmart," agrees Chester Wisniewski, Principal
Research Scientist with data security company Sophos, and a 30-year veteran in the
business (and also a regular consultant for CNN, NPR, and
The New York Times). "But now we're getting to a point where
even small businesses have to look at this like any other crime
against them. If you have money, or something equally valuable, it's only a matter of time before a thief tries to steal it from
you. And you're probably a lot better at locking your physical
building down than your digital assets."
While hard numbers are scarce, the 2016 Verizon Data Breach
Information Report, which tracks trends in more than 80 countries, estimates that corporate data breach attempts number
well into the hundreds of thousands each year. And although
the victims of those breaches are most often in the entertainment, finance, or public sector, retailers-with their reams of
customer credit and personal information-are a particularly
compelling target. Attacks can take many forms, from stealing
customer payment information, to pilfering trade secrets, to
using email hacks to initiate fraudulent wire transfers. Hackers
will use virtually every tool at their disposal-phony PINpads
with keystroke logging technology, phishing emails (messages
with phony attachments that grant a scammer access to corporate email servers), and even Ransomware attacks (locking companies out of their own files until a ransom is paid) to get what
they want. And, as the 2013 hack of American retailer Target
proved, the costs of such an attack can be disastrous. To date,
that breach-which exposed 40 million credit and debit cards
to fraud-has cost the company upwards of $100 million; $67

million to Visa, $39 million to the banks, and
$10 million to the customers themselves. Other
high-profile hacks have affected Sony, Ubisoft,
TJX, Home Depot, and even EBay. And while
there's little evidence that such breaches have
much impact on long-term share prices, they
do have an effect on one area that's even more
crucial: customer trust.
"First and foremost is the trust of the consumer," O'Keefe notes. "And that goes handin-hand with the reputation of the retailer.
Consumers need to be able to trust those who
are presenting them with a product. And if,
within that transaction, I'm going to be negligent in safeguarding your personal information, that trust is gone."

"The game has changed. It's changed, and
it continues to change. Bad guys are saying:
'Wait a minute. The greatest asset that's out
there outside of people is information. And I
don't have to physically steal anything. The
risk is so much lower.'"

www.retailcouncil.org/cdnretailer

- STEPHEN O'KEEFE, Gristmill Solutions
Weathering the storm

The total cost to a business is virtually impossible to estimate. Unlike a physical theft,
the true cost of a data breach can take weeks-
if not months to fully understand; on top of
the loss of assets or information, there is also
the potential for fines, damage to reputation,
and lawsuits, not to mention the money spent
hiring security experts to repair systems and
find vulnerabilities.
"It's extremely difficult to estimate," explains
Bill Bradley, Director of Product Marketing at
Digital Guardian, a Massachusetts-based Data
Protection company. "At the end of every breach,
I suppose I could come up with a mathematical
calculation, but over time that number's going
to grow. The more you learn about a breach, the
more things come to light, and the greater the
cost. Ultimately, yeah, I can get it down to a costper-record. But does that help me predict anything? Maybe. Maybe not."
Even for experts like O'Keefe and Wisniewski, there is a frustrating lack of information on
corporate data breaches-in terms of both cost
and frequency (even the Verizon DBIR, with
its 100,000 incidents, acknowledges a lack of

FALL 2016 | CANADIAN RETAILER

| 39

http://www.retailcouncil.org/cdnretailer

Table of Contents for the Digital Edition of Canadian Retailer - Fall 2016