PARTNERING WITH RETAILERS
Basic Training in Network Security
I recently participated in a network security training program in order to better understand how criminals gain access to network systems. The trainer and network security consultant agreed to provide tips, but wanted to remain anonymous.
Overview
While the playbook for network penetrations varies from attacker to attacker, there are some consistent patterns that emerge from each enterprise-level incident. Network penetrations can be broken down into three steps, each with distinct signatures.
1. On-Ramp to the Network. Attackers have to get a foothold in the network, and this is most often done by social engineering targets to download malware or submit credentials to a phishing site. Additional on-ramps include watering holes, compromised logins, third-party hacks, and exploiting vulnerable third-party apps, particularly content management systems.
2. Navigating the Network. Once inside, attackers will use internal documentation to further their attack, pivoting from corporate user to corporate user via compromises to eventually gain access to documents and databases.
3. Exfiltration. Data exits the system in surprisingly simple fashions. Sometimes it is hidden in traffic, but more often than not, it is zipped or encrypted and moved off the network to a drop site before detection systems can alert users and leakage can be stopped.
Human Error
Nearly all of the network attacks involve the following failures, oversights, or policy breakdowns:
■ Human error is almost always involved. Whether attackers enter through the front door or move laterally through the network, the attackers need employees to take some sort of action, whether it is entering credentials into a phishing site or opening a malicious attachment.
■ Employees use corporate emails to register for third-party sites that have been hacked and, even worse, reuse passwords.
■ Lack of two-factor authentication for access to VPN networks, databases, and shares contributes to many of the breaches and magnifies password reuse problems.
■ WordPress plugins are exploited for credentials to access servers or to create phishing pages. In general, servers running CMS applications are hackers’ on-ramp of choice.
■ Once inside networks, reconnaissance is performed through corporate directories, wikis, and share sites. Attackers find targets with desired accesses and move laterally using malware or phishing sites sent from internal email.
■ Network traffic monitors fail or are evaded during exfiltration.
By Dave DiSilva
DiSilva is senior manager of global asset protection for eBay where he oversees eBay’s tools and PROACT teams. Prior to joining eBay in 2010, he held retail leadership roles in analytics, investigations, corporate LP, shortage control, e-commerce, and supply chain. DiSilva is an active member of the Loss Prevention Research Council, serving as co-chair of the predictive analytics group. Since 2011 he has been an LP Magazine contributor. DiSilva can be reached at 408-332-8666 or dadislva@ebay.com.
Best Practices
■ Monitor access to corporate directories and create algorithms that set off alerts if there are a large number of searches coming from an employee. Pay particular attention to searches for sys admins and help desk employees in rules, as well as search strings for customer databases and network credentials.
■ Run ad-blocking applications on corporate machines.
■ Evangelize security to everyone in the company, from InfoSec to HR to sales. Follow up with red team events, like setting up phishing pages and targeting employees with spoofed emails to ensure that people are taking security seriously. Pay special attention to help desk and sys admins.
■ Document all third-party dependencies, how they are integrated, and evaluate their need while understanding how they are vulnerable.
■ Ensure that two-factor authentication is enabled for all key accesses.
■ Monitor Pastebin and other typical “dump” sites for employee Twitter credentials and continue to react accordingly when stolen credentials are recovered by vendors.
■ Map publicly available VPN services and proxy services, both underground and commercial, to add to firewall rules.
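One way to implement the first practice in the list above, as an added example (not code from the article or the trainer): a sliding-window rule over directory search logs that alerts on overall search volume and on repeated searches for the sensitive terms the list names. The log format, window, thresholds, and all names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; set them from your own baseline of normal use.
WINDOW = timedelta(minutes=10)  # look-back window per employee
LIMITS = {
    "volume": 8,     # any searches inside the window
    "sensitive": 3,  # searches matching SENSITIVE inside the window
}

# Terms the best-practice list singles out: sys admins, help desk staff,
# customer databases, and network credentials (with common spellings).
SENSITIVE = re.compile(
    r"sys(tem)?\s*admin|help\s*desk|customer\s+(database|db)|credential",
    re.IGNORECASE,
)

# Constructed sample log, assumed format "ISO timestamp | employee | query".
SAMPLE_LOG = "\n".join(
    [
        "2015-03-02T09:00:00 | alice | cafeteria hours",
        "2015-03-02T09:30:00 | alice | parking permit form",
        "2015-03-02T10:00:00 | bob | help desk staff list",
        "2015-03-02T10:02:00 | bob | sys admin on call",
        "2015-03-02T10:04:00 | bob | customer database owner",
        "this line is malformed",
    ]
    # carol: eight ordinary searches in eight minutes (volume only)
    + [f"2015-03-02T11:0{i}:00 | carol | org chart page {i}" for i in range(8)]
    # dave: sensitive terms, but spread far wider than the window
    + [
        "2015-03-02T13:00:00 | dave | helpdesk phone",
        "2015-03-02T13:30:00 | dave | vpn credentials reset",
        "2015-03-02T14:00:00 | dave | sysadmin team wiki",
    ]
)


def parse_line(line):
    """Split one log line; raises ValueError if it does not fit the format."""
    ts, user, query = (part.strip() for part in line.split("|", 2))
    return datetime.fromisoformat(ts), user, query


def detect(lines):
    """Return one alert each time an employee crosses a limit.

    Assumes each employee's lines arrive in time order.
    """
    recent = defaultdict(deque)  # employee -> (timestamp, is_sensitive)
    over_limit = set()           # (employee, rule) pairs already alerted on
    alerts = []
    for line in lines:
        try:
            ts, user, query = parse_line(line)
        except ValueError:
            continue  # skip blank or malformed lines rather than crash
        window = recent[user]
        window.append((ts, bool(SENSITIVE.search(query))))
        # Drop searches that have aged out of the look-back window.
        while ts - window[0][0] > WINDOW:
            window.popleft()
        counts = {
            "volume": len(window),
            "sensitive": sum(flag for _, flag in window),
        }
        for rule, limit in LIMITS.items():
            key = (user, rule)
            if counts[rule] >= limit:
                if key not in over_limit:  # alert once per burst
                    over_limit.add(key)
                    alerts.append(
                        {"time": ts, "user": user, "rule": rule,
                         "count": counts[rule]}
                    )
            else:
                over_limit.discard(key)  # re-arm once activity drops
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['user']}: {alert['rule']} "
              f"({alert['count']} searches in window)")
```

The sensitive-term limit is deliberately lower than the volume limit, so a short burst of lookups for administrators or customer databases alerts well before an employee reaches the general threshold.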
Social Engineering
The most vulnerable components of any corporate network are humans. Most breaches start with an employee electing to open the door for an attacker after being socially engineered.
The most basic social engineering attacks still take place by spoofing email addresses of known colleagues or contacts found during initial reconnaissance on sites like LinkedIn or Facebook and sending malicious content. The Syrian Electronic Army has used this method with surprisingly effective results to access web-based work email accounts, which can then be used to cause more damage, such as changing DNS, accessing social media accounts, or stealing documents. Hacktivist groups like Anonymous will often use similar reconnaissance to take advantage of call centers and customer support to reset passwords in order to gain access to corporate servers and inboxes.
Unsurprisingly, other social engineering campaigns have leveraged the global connectedness that social media offers. A China-linked campaign in late 2014 targeted employees of male-dominated sectors like technology and nuclear engineering. Attractive women “friended” engineers using Facebook and then passed along links to malicious files in chat messages.
OPERATIONAL STANDARDS SUPPORT
A HOLISTIC APPROACH TO LP AND SAFETY IN THE QUICK-SERVICE RESTAURANT SEGMENT
EDITOR’S NOTE: Anne Sullivan is vice president of asset protection and safety at CKE Restaurants Holdings, Inc. She has twenty-five-plus years of experience in multiple roles in loss prevention, safety, and retail operations with Kmart, Charlotte Russe, and Pacific Sunwear. Sullivan is a board member of the Restaurant Loss Prevention and Safety Association.
EDITOR: How did you get started in your loss prevention career?
SULLIVAN: My first experience with loss prevention was when I was fourteen, when I started working for my uncle’s Hallmark store. That was where I had my first experience in customer service and actually caught my first shoplifter. I joined Kmart in the early ‘90s when Ben Guffey was in charge and Kmart truly was seen as a leader in LP. Their policies and procedures, their standards, how everybody conducted themselves, were very buttoned down. This really was an era when a lot of companies looked at LP as a cops-and-robbers game. A lot of LP folks were seen as the people who wanted to be cops, but maybe didn’t get on the force. The focus was on catching thieves, and that’s how a lot of people were reviewed, but Ben really tried to drive LP focus toward being business professionals.
One thing that Ben left me with is he was always so driven on making sure that his people could relate to all levels in the company, that they could manage up, down, and across. He taught us that the only way we as a team were going to be successful was if we understood what senior management was looking at and what their goals were. And also being able to make sure that we connect with the folks we’re working for, so if you’re in the store, you need to connect with that operator, that general manager, and understand their vision and align your vision with it. That was probably the real eye opener for me, and I carried that throughout my career.
This was also when I was first introduced to organized retail crime, which nobody called ORC back then. It was just people who stole endless amounts of your videos and DVDs and refunded from location to location. These were the days before refund management and tracking systems.
EDITOR: Were there any career moves that stand out between Kmart and Charlotte Russe?
SULLIVAN: Pacific Sunwear. That was where I coauthored the company’s C-TPAT program. I was senior manager of distribution and corporate loss prevention at the time handling e-commerce, supply chain, and security. I was offered two options—to become the director of loss prevention or to start working on the C-TPAT program and focusing on supply-chain security. Customs and Border Protection were just coming out with the C-TPAT tiered structure, which looked exciting. I very much wanted to travel internationally, and it was an area of security I had not focused on, so I ended up taking on that challenge.
EDITOR: Remind us what C-TPAT is.
SULLIVAN: C-TPAT is the Customs-Trade Partnership Against Terrorism program. It was implemented after 9/11. The idea behind it was to minimize security risks by requiring importers, both small and large, to meet certain standards to protect freight that was coming into the United States. While that sounds great, it’s expensive and incredibly time consuming to launch a company C-TPAT program.
What would the company get from it? You got expedited clearance through customs, but the big incentive behind it was that if there was another terrorist attack in the US, your containers would be the first out of customs. Of course, an attack could hold up customs for weeks or even months. So to be able to get your merchandise and freight moving, especially in the retail world, is absolutely crucial. If you have a container of holiday freight sitting in port that you can’t get to market, you’re pretty much out those sales for the season.
It took nine-and-a-half months to write the program, because you have to identify your vulnerabilities, write a plan for each of those vulnerabilities, and then identify what you will do to mitigate each risk should a breach occur. Then you have to document it and make sure any of your people who will have any access to shipping or inbound freight are trained in the right protocols. Then you get tested on it. Not only do you get interviewed, but customs will actually send people to try to breach your security. So let’s say you tell them you have 24-hour alarms and a 10-minute response to our distribution center if there is a breach, they will come activate an alarm and be sitting there when you show up.
EDITOR: Did you ever experience any breaches or violations that you had to react to?
SULLIVAN: We did not. The only attempted breach that they tried was on the morning of our interview. They showed up at the corporate office two hours early with the intent of walking in and saying that they were there to meet somebody and seeing if they could get past the receptionist. But they didn’t even get out of their car before they were approached by security.
To get this all to work I had to have the buy-in of not only executives and distribution employees, but also the 15,000 employees who were responsible for receiving freight through direct shipments. It was a very intricate plan, and the bringing people together aspect was the biggest lesson I took away—truly understanding how to gain buy-in from large groups and helping them to understand why you do things and what’s in it for them. The reward was I gained a vast amount of knowledge, and we did achieve tier-3 status.
EDITOR: Then you moved to Charlotte Russe and back into more traditional retailing?
SULLIVAN: I was laid off from Pacific Sunwear and hired by Charlotte Russe as a consultant to handle a major distribution investigation. I resolved that, identified the problem, and was then offered the position of director of supply-chain security for Charlotte Russe. During that time, crazy as this sounds, I actually had the opportunity to be the interim director of distribution; the actual operator of a distribution center. And this was during the holiday season, because the previous director had quit just before the holidays. I remember the VP of distribution showing up and telling me, “We need you to get out 350,000 units a day.” I thought how hard can that be? But it was really an eye opener, both in terms of truly learning the operations piece of the business, how each area supports the other, and also learning how to motivate the employees.
When I took over, I had a meeting with all the employees. I asked them to share with me any concerns that they had; whatever they did not like. I told them my door was always open. I told the managers we were going to walk the floor twice a day to thank the employees for working so hard and then I started buying them ice cream. Distribution centers are consistently hot or cold. Ice cream, hot chocolate, and a simple thank you go a long way for motivating employees. Twice a week I would spend $50 to $70 on treats and share with them what our numbers were and our goals. We never missed a goal.
EDITOR: Later you became the director of LP for Charlotte Russe?
SULLIVAN: I did. I became the senior director of asset protection. I took on the field loss prevention for the company, in addition to safety and supply-chain security. And with the role, I inherited the company’s ten-year high in shrink. That was my first 100 percent role having field loss prevention reporting to me. I was reporting to the SVP of operations, Sandra Tillett, who was a mentor and had a major influence on my career. During our first meeting, she and I realized that we shared a holistic approach for loss prevention and operations partnership.
My approach to loss prevention is you should never have to discuss theft in the store. We hire store associates at all levels, and then we try to throw fifty different messages at them. “You need to sell like this.” “You need to up sell like this.” “You need to cut loss like this.” “You need to set your store like this.” We send too many messages to people, and sometimes the message is just the next flavor of the day.
Sandra and I came up with a holistic approach such that loss prevention would be 100 percent threaded through the operations message. And the message was, basically, that we’re going to drive sales and reduce shrinkage through conversion. When a customer enters the store, we want you to greet them immediately, because customers love to be greeted while shoplifters don’t. We want to determine the reason for the visit. If they’re a customer looking for an outfit, we obviously want to convert them to the biggest possible sale and add on to that sale. If you identify they’re a potential shoplifter, we want to service them out of the store. We’re not here to sneak around and peek around racks to catch shoplifters. We’re here to provide great service to our customers and also to our shoplifters. And this attitude really made a big change in sales and in reducing shrink.
EDITOR: How did you drive the message home to store-level employees?
SULLIVAN: I think it’s very important to make connections with employees. I, for one, will travel constantly. To me being in the field and talking to every level of employee makes all the difference. Reality is they are the true subject-matter experts on what’s going on in their stores.
So many times I would talk with a district manager or a regional loss prevention manager, and they’ll say, “Well, I visited the store and talked to the GM.” So you touched one person. If you had talked to the shift leaders, you would have touched three of our leaders that run the store. And if you talk to the crew, you’re touching everybody. So at Charlotte Russe we started implementing this three-to-five-minute rule. Every regional loss prevention manager was required to spend three to five minutes with every single employee in that store listening, coaching, and sharing with them. It made them feel connected to our department, and we gained their partnership in driving our goals.
Another big impact to our success in loss reduction at Charlotte Russe was our focus on the inventory numbers. In retail loss prevention so many times we focus on the fifty or seventy-five worst stores. The problem is we spend so much time on these “target” stores, we forget about those stores that are doing the right thing and those stores that are on the verge of becoming a target store. So what we did was flip the focus around. We designed a new category, the VIP stores, which were the best of the best—the stores that got below the shrink target of the company, which at that time was 2 percent, which would have been over a 50-percent reduction in overall shrink.
EDITOR: How did that program work?
SULLIVAN: We put stores into three categories. Stores that were 2 percent and below became VIPs. The worst fifty stores were target stores. Then we had WIPs or work-in-progress stores, which were in the middle. While we did focus on our target stores, we mainly focused on the majority of the stores that were sitting in the middle. We wanted to push them toward the VIP stores by giving them the tools they needed. It was about checking your inventory, getting it out to the floor fast, servicing your customers, controlling the fitting rooms, greeting and servicing your customers when they walked in, converting them to a sale, and converting the shoplifters out of the store. The “who wants to be a VIP” came about as a result of the excitement around the program. It became a badge of honor to be a VIP, a who’s who.
EDITOR: What was the biggest incentive for being a VIP?
SULLIVAN: Any store that became a VIP was put into a drawing every shrink cycle. We would choose two or three store managers as winners and send them to New York City or Chicago or San Francisco. They would spend two days traveling stores with me and the SVP of operations learning about operations and loss prevention through our eyes as executives. They were truly able to see stores from a customer’s point of view and understand the why behind various processes. When they went back to their stores, we launched a newsletter talking about what their experience was like and what they learned, and shared that with their peers throughout the company. It became such a success that everyone wanted to be a VIP and have this opportunity. The cool thing is that all those GMs that ended up traveling with Sandra and me went on to become district managers, and the company exceeded their shrink goals and improved sales.
EDITOR: That’s terrific, Anne. So that was the background that eventually led you to CKE. How did you become director of LP at CKE?
SULLIVAN: Carl’s had always been one of my favorite brands. It’s basically the only fast food I’ve eaten over the years. The reason for that is my mother worked in a Hallmark store when I was a kid, and during the summer she would pretty much use the mall as a babysitter for my brother and me. We’d run around the mall all day, and every day we would get a dollar for lunch, and every day we would go to Carl’s Jr. One day I actually got to meet Carl Karcher, the man who started the whole company. He ended up giving my brother and me two small fries to go with our lunch along with a little Carl’s Jr. pin.
After Charlotte Russe, I started looking for new opportunities and happened to see a director of loss prevention opening at Carl Karcher Enterprises. And like I said, I’ve always loved Carl’s Jr. While I had never been in the quick-service restaurant segment before, I applied, went in, did a couple of interviews, and landed the role in May of 2012.
EDITOR: Give our readers some background into how Carl’s Jr. originated.
SULLIVAN: It originated back in 1941, when Carl Karcher purchased a hot dog stand at Florence and Central in California. His wife, Margaret, and he took out a $311 loan on their Plymouth automobile and had $15 in their savings to make this purchase. We still have a hot dog stand in the corporate office. They sold hot dogs, chili dogs, and tamales for a dime and soda for a nickel. Within a couple of years they ended up buying and operating four hot dog stands in Los Angeles. In 1945 they moved to Anaheim and opened the first full-service restaurant. It was a Carl’s drive-in barbeque restaurant. Later they added hamburgers to the menu for the first time. Carl believed in his customers coming in, ordering their food, paying, and receiving their orders by the time they put away their wallet.
EDITOR: When did Hardee’s come into the picture?
SULLIVAN: They acquired the Hardee’s brand in the early 1990s when CKE began its next series of acquisitions. At the time Hardee’s was the nation’s fourth-largest quick-service restaurant chain with 2,500 locations. Now owned by Roark capital, CKE operates over 3,400 stores in forty-two states and thirty-five countries.
EDITOR: How many of those are company owned and how many are franchises?
SULLIVAN: Approximately 600 are company owned with about 2,800 operator owned.
EDITOR: Are your field LP managers aligned by brand, or do they manage all the brands?
SULLIVAN: We’re aligned by brand. There is the Hardee’s loss prevention team and a Carl’s Jr. team. They are divided up by region within each team.
EDITOR: Are the Hardee’s locations mostly east of the Mississippi and the Carl’s Jr. mostly west of the Mississippi River?
SULLIVAN: Correct.
EDITOR: Upon your arrival at CKE, what did you find that required immediate attention?
SULLIVAN: With all three of the companies I worked for, when I arrived I found what I would call a basically poor perception of what LP was about. I have seen where LP is considered a cost to the company. I have seen where LP is viewed as the people who come in to fire someone. When I joined CKE, what I heard from all levels of the company was, “She’s the leader of the camera people. If your camera breaks, you should call LP to fix it.”
My first thirty days I spent in the stores, just talking to employees, asking basic questions. Who would you call for a loss prevention issue? Who is your loss prevention manager? What would you do if such-and-such happened? I came to realize that there was a very minimal LP understanding or presence in the stores.
EDITOR: What differences did you find in the quick-service restaurant [QSR] segment compared to your days in more traditional retail?
SULLIVAN: Probably the biggest differences are how shrink or loss is audited and controlled and how the company views the return on investment for loss prevention. In the retail world you have quarterly, twice-yearly, or yearly inventories. You get hard numbers back, and you are held accountable to that. But when I switched over to QSR, there wasn’t a true metric or standard in place that I could see to really know what the starting point of loss was and what the tier percentage of loss was. That was probably one of the biggest differences.
The other thing was since I came from mall-based retail, I didn’t really have much exposure to robberies. I believe I only had four in my career prior to CKE. Now, with QSR it is a big focus based on the fact that the stores are open 24/7, there is easy freeway access, as well as other factors. The safety issues in QSR are far different than in retail, because we deal every day with being open 24 hours a day and the activity that attracts. There are just so many opportunities that the QSR industry is vulnerable to.
EDITOR: What are those things that you do as an LP organization to respond to robberies?
SULLIVAN: When you review the video after a robbery, probably 70 percent of robberies are triggered by opportunity. The robber comes in, they take a look around and assess the opportunity, they look in the cash drawer when it’s opened, and then they rob the store. So taking away as many opportunities as possible is key.
We train our employees to control the cash levels in drawers. We have to be careful about how we transfer our money. We implemented smart safes, which absolutely had a significant impact on robberies and cash control. Another big thing that we implemented is eliminating back-door openings during night time hours. We took our back-door alarms and set them to activate silent alarms between dusk and dawn, so if the back door is opened at night, my security center gets an alarm. They can check to see why it was opened, and we can then coach in the moment. The store will be called immediately and told to shut the back door. An email will go out to leadership noting the violation. Since we implemented this last year, we only had one back-door robbery, which was a significant decrease. We have also decreased our internal involvement robberies, and we created a safer environment for our employees by training and holding them to a standard.
One other thing we focus on in the field is not only delivering training and prevention, but also training them on how to handle a situation if it occurs. We never want them to engage the robber. We want them to give the robber the money. We want to ensure that people don’t get hurt, but we also want to ensure that we’re there for our employees if it does happen. You will always—100 percent of the time at CKE—have a loss prevention person following up personally within minutes of a robbery. Finally, we want to make sure that person never robs our store again, and the way we do that is we want arrests. We want people to pay for robbing our stores. Last year we had twenty-one robberies and succeeded by assisting with eighteen arrests.
EDITOR: Are those investigations helped by the CCTVs in your restaurant?
SULLIVAN: Absolutely, 100 percent. As soon as a robbery occurs, we get the still shots and the photos into the hands of the police immediately. Additionally, our LP team will start conducting their investigation. They don’t just interview our employees. They go to every business in the general area that has CCTVs or the possibility to trace cars. The assistance they get is almost endless. We take robbery very personally because of the impact it has on our employees and customers.
EDITOR: What other changes have you made in your time at CKE?
SULLIVAN: We’ve experienced a significant amount of change. My RLPMs have various backgrounds in areas outside of QSR, including specialty retail, big-box retail, grocery, distribution, and supply chain. That diversity provides us an out-of-the-box approach to the various LP- and QSR-specific challenges. Our success in blending the five various functions under our department into a unified approach to asset protection and safety has allowed us to achieve our goal of strong, focused support for our operations partners. This diversity has really allowed us to drive change, rebrand our asset protection and safety department, and drive some incredible initiatives with great accomplishments in only a few years. I believe this stems from three core drivers.
First, as a team we all share an incredible passion and excitement for the jobs we do. Second, we understand that every dollar our company spends on asset protection and safety needs to deliver a significant return on the investment. Many buy a product, open the box, set it up, and that’s it. To us, that new product is an investment, and we are going to work with our vendors to make that investment exceed our expectations in every possible way. Most importantly, we have been successful because of the amazing field partners we work with. Our field partners are the folks who make it all happen, and without them, we would not be able to accomplish our initiatives.
As a department, our most recent initiative has been the launch of our Operational Standards Support (OSS) Division. A typical secret shop can tell us the basic opportunities a store has in the front of house. By leveraging our video platform and in-house proprietary reporting, tracking, and trending software, OSS provides clear visual examples to our store teams and field leadership. OSS delivers focus around areas of opportunity as well as positive behaviors in the areas of customer service, speed of service, productivity, deployment, QA, safety, and security. While the ability to identify behaviors is important, more important is our ability to provide tangible video training examples that allow for more effective coaching and praise.
EDITOR: How did you come up with the OSS concept?
SULLIVAN: It was actually twofold. Operational Standards Support was created when our CFO had a poor experience in a store, which I paired with some additional video observations. In partnership with my operations support partners, I sat down and shared the videos and concept of OSS with the SVP of operations. Of course he was interested in being able to identify opportunities in loss, customer service, service times, order accuracy, cleanliness, and safety. But the true value is the ability to provide quantifiable results with training tools for our field leaders to use.
EDITOR: How does OSS work?
SULLIVAN: Most companies conduct secret shops in their stores. The shopper comes in and can tell us if the parking lot is dirty. They can tell us if the dining room is dirty. They can tell us if the person smiles and is scripted when they walk up to the counter. They can tell us if their food is hot and fresh. But if one of those things has failed, they can’t tell us why. That’s what makes OSS a true asset; it does give the why and the ability to follow up and reinforce positive behaviors and coach to our opportunities. Some examples of “why” could be training, deployment, staffing levels, or even a random issue that occurred and just happened to impact that specific timeframe. A very exciting piece of OSS is our opportunity to identify and call out positive behaviors. It allows us to recognize those employees who go the extra mile, who provide great service, or who do the right thing. That is so important.
EDITOR: Tell us about your association with RLPSA.
SULLIVAN: I have had the opportunity to be part of RLPSA [Restaurant Loss Prevention and Safety Association] for three years and collaborate with professionals from all areas of the restaurant industry who have responsibilities for loss prevention, security, risk, asset protection, and safety. I had the privilege to serve as the planning committee chairperson for last year’s conference and continue to serve as a member of our board of directors.
If I could share one thing with a person coming into the QSR loss prevention industry for the first time—join RLPSA. It offers a unique opportunity to its members and a forum to share, discuss, and gain insight into issues impacting our industry today. The annual August conference gives us the chance to network with industry leaders, share knowledge and resources, and meet solution providers who can help to address those unique vulnerabilities we find in the restaurant environment. It’s an organization that drives networking and partnership. Incidentally, this year’s conference is August 2–5 in Las Vegas.
EDITOR: By the way, the magazine and our EyeOnLP team will be at the conference. Last question. Looking back over your career, do you have any regrets?
SULLIVAN: No, I have been very lucky to work in an industry I have a passion for, with some great companies, and have met and grown throughout my career because of the amazing mentors I have had. From retail to now QSR, I continue to enjoy the partnerships I am building. Today, I am fortunate to work for a company I love, have a boss who challenges me to grow, and a team that works daily to exceed expectations.