Canadian Retailer - Holiday 2015 - 21

"Your company is going to be compromised at
some point. You may not prevent it, but you've
got to be able to detect it when it happens."
- DOUGLAS DOMIN, FBI's Toronto office

fered Shelley Holmes, The Shopping Channel's senior manager of
risk and loss prevention. "We're
trying to keep up with them, and
they're always ahead of us. It's very
difficult with all the new technology,
all of the new payment options."
LP CONFERENCE INSIGHT #1

ON PROTECTING DATA WITH
PASSWORDS:

"Last year we needed
about a 15-character
password in order to defeat the computational
capabilities of breaking
a password. Every year
you can add about 3
characters to that."
- CHRISTIAN LEUPRECHT,
National security expert

Loss prevention's new breed

Emerging from this daunting state
is a new breed of loss prevention professional tasked with devising more
fluid game plans to take on violators
on their own shifting turfs. It means
moving away from a strict adherence to the traditional-often reactive-bricks-and-mortar LP model to
one that also embraces a more sophisticated and savvy understanding of digital and cyber security.
"In loss prevention, we've always
been asked to wear many hats," said
Colin Kennedy, Gap Inc.'s digital loss
prevention leader-Banana Republic
Global. "As we go forward into the future we're going to be wearing many
more hats, some of which we could
be very unfamiliar with today."
Analytical agility combined with
a detective's acumen are hallmarks
of the evolving LP model, noted a
number of conference speakers.
www.retailcouncil.org/cdnretailer

"Your company is going to be compromised at some point," warned
Douglas Domin, assistant legal attaché with the FBI's Toronto office.
"You may not prevent it, but you've
got to have safeguards to be able to
detect it when it happens."
"We need to learn to live in compromised environments," added
national security expert Christian
Leuprecht, Professor of Political
Science at the Royal Military College of Canada. "Loss prevention ultimately is about trying to manage
different types of risk and trying to
figure out where it is we're going to
invest our efforts."
Minimizing the risk

The solution, suggested Home
Depot's Farshchi, is to implement
strategies, "not to eliminate the
risk, but to minimize the risk." Having a solid fix on your most at-risk
vulnerabilities is critical. "I've seen
so many organizations try to focus
on everything at once. What really
matters is being able to prioritize
your activities based on risk."
What decidedly is not the answer, Farshchi cautioned, is locking all your systems down by
putting controls and firewalls in
everywhere. "You're going to limit
your business from actually doing
anything," he said. "And there's no
point in having a security program
in place if there is no business that
it is actually protecting."
He added: "It creates this interesting push and pull-you've got
this threat, and you've got all these
controls in place to manage the
risk. But we need to be able to find
unique ways to implement and fit
controls so the business can do its
thing. That's the challenge that we
face right now."

LP CONFERENCE INSIGHT #2

ON HOW MUCH HACKERS PAY
RE-SHIPPERS:

"We call them re-shippers, because that's
all they do. He takes in
product and re-ships it.
He doesn't know where
things are coming from
or where they go. He
just knows he's making
$100 a week for slapping a label on a box."
- DOUGLAS DOMIN,
assistant legal attaché,
FBI's Toronto Office

Payment fraud-good news
and bad

That challenge of today's loss prevention professional is especially
evident in the slippery realm of payment fraud.
On the plus side, there's been the
highly touted success of EMV technology. "We're seeing chip doing exactly
what we thought it would do," said
Gord Jamieson, Visa's head of Canada
risk services and North America acquirer risk services. "Our counterfeit is
at all-time lows domestically."
But, another mole pops up to darken the celebratory mood.
"Card Not Present has become our
dominant category of fraud," confirmed Kristen Palmer, Canadian Tire
Bank's manager of fraud prevention
and strategy. "A lot of it's driven by
the availability of data breached from
e-commerce merchants in Canada,
the U.S. and internationally. It's essentially malware on the other person's e-commerce site. It's streaming all of that form data.
"They have your name, your address, your phone number and
postal code-all the information you
need to do some more [fraudulent]
shopping. The data is readily available, and it's cheap."
Help is at hand, said Jamieson. "We
have a suite of [security] tools out

HOLIDAY 2015 | CANADIAN RETAILER

| 21

http://www.retailcouncil.org/cdnretailer

Table of Contents for the Digital Edition of Canadian Retailer - Holiday 2015