September - October 2017 by Loss Prevention Magazine

SPEPTEMBER–OCTOBER 2017 | V16.5 LOSSPREVENTIONMEDIA.COM

LOSS PREVENTION MAGAZINE THE AUTHORITY ON ALL THINGS ASSET PROTECTION

SECURITY’S SECURITY

ARE YOUR SOLUTIONS PART OF THE PROBLEM? SMART PEOPLE SAY SMART THINGS AND IT’S WORTH REPEATING A MALL WITHIN A STORE? BRICK-AND-MORTAR RETAIL REIMAGINED TURNING STORE TRAFFIC INSIGHTS INTO BETTER BUSINESS RESULTS

@USS

MINI PATRIOT & RFID MINI PATBIO�

Operate in the Present, Invest In The Future

Mitigate Shrink Exposure While Investing In Your Future RFID Platform

�-- .

.;.

The fact is, omni channel initiatives are driving the majority of retailer enterprise business decisions. Tracking inventory, reduction of out of stocks & e-commerce fulfillment are all key initiatives that must be met either now or in the near future. So, why not invest... in both NOW & the FUTURE?

• • • • • • Contact an expert today: 1.800.488.9097 I www.ussinnovate.com

Ever wish for a giant megaphone deliver important messages to guards nationwide? We’ve got that!

Under Protos management, every post is controlled by the best technology in the industry. Our proprietary electronic work order & timekeeping system allows for two way communication with the guards. With just a few clicks, we are able to broadcast your message to every guard on duty. . . in one location in one city in one state in one region or the entire nation.

866.403.9630 • www.protossecurity.com

TABLE OF CONTENTS 6 EDITOR’S LETTER

Retailers’ Response to Hurricanes Harvey and Irma By Jack Trlica

10 RETAIL SPONSORS 12 INTERVIEWING

Security’s Security Are your solutions

Random Lessons from the Room: Part Two

By David E. Zulawski, CFI, CFE and Shane G. Sturman, CFI, CPP

24 FUTURE OF LP

The Danger of Forced Innovation in Retail

part of the problem?

By Garett Seivold, Contributing Writer

By Tom Meehan, CFI

26 LPM EXCELLENCE

LPM “Magpie” Award: Applauding Excellence

36 BENCHMARKING

Understanding Data Analytics in Loss Prevention

By Adrian Beck, Walter Palmer, and Colin Peacock

46 EVIDENCE-BASED LP

Smart People Say Smart Things Excerpts from interviews

Footprints and Flea Markets By Read Hayes, PhD, CPP

56 CERTIFICATION

Expand Your Knowledge

worth repeating

Interview with Eric Rode, LPC, CFI

By James Lee, LPC, Executive Editor

58 ASK THE EXPERT

The Win-Win of Retailer-Led Offender Rehabilitation

Interview with Caroline Kochman

61 SOLUTIONS SHOWCASE - Appriss Retail - AFA Protective Systems - Detex - InstaKey

A Mall within a Store? Brick-and-mortar

66 INDUSTRY NEWS

- Walmart Asset Protection 2017 - LP Foundation Announces New President - RLPSA Goes Big in Las Vegas - Cargo Theft Statistics

retail reimagined

70 LPM DIGITAL

By Maurizio Scrofani, CCSP, LPC, Contributing Writer

New Approaches to Retailing—Online and In-Store By Jacque Brittain, LPC, and Kelsey Seidler

71 CALENDAR 73 PRODUCT SHOWCASE 74 PEOPLE ON THE MOVE 76 ADVERTISERS 76 SUBSCRIPTION FORM 77 VENDOR SPONSORS 78 PARTING WORDS

Conversion Rate Optimization Turning store traffic insights

Not Having a Good Day By Jim Lee, LPC

into better business results

By Mark Ryski, Headcount Corporation

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

A Powerful Combination The Retail Equation and Sysrepublic are Appriss Retail Predictive retail analytics across a global footprint.

The Retail Equation - +1 (888) 371-1616 Sysrepublic - +1 (310) 802-3044 apprissretail.com

EDITOR’S LETTER

Retailers’ Response to Hurricanes Harvey and Irma A s I write this column, Hurricane Irma is bearing down on Florida just two weeks after Hurricane Harvey devastated southeast Texas and southwest Louisiana. Both storms have exacted extreme damage termed “unprecedented,” “800-year event,” “largest ever in the Atlantic,” and other superlatives that seem to have become the new normal. At the same time, we are seeing tremendous response to these disasters from all parts of the local, state, and national communities, especially from retail. Retailers have always been on the front line of disaster response be it home centers providing materials for hurricane preparation and then rebuilding, convenience stores and service stations providing fuel and ice, and especially supermarkets providing fresh and prepared food, water, and other essentials to both first responders and victims. With Hurricane Harvey, we heard about the great efforts put forth by HEB, Walmart, Kohl’s, and others. Just as we did with Hurricane Katrina in 2005, we want to tell the story of how retailers handled their crisis management and business recovery with these storms. Please contact me directly if you want to be included in this story.

LPM Online

In August we premiered a new digital magazine called LPM Online. We plan to publish our digital magazine bimonthly on even-numbered months in between our print editions. We are excited about this

digital publication because of the dynamic elements that can be added to both the editorial as well as the advertising—things like videos, podcasts, and animations that will bring the information alive.

We are also planning to use this vehicle for focused editorial. For example, in the August edition, the majority of topics were on the broad subject of surveillance. Articles included: ■■ Adapting LP Strategy to Retail’s Revolution, ■■ Feature Recognition as a Sales and Marketing Tool, ■■ Why You Need Complete Video Coverage for Your Store, ■■ Retail Technologies and Privacy, and ■■ Surveillance-related news from solutions providers. In the future we will focus on subjects like safety, data analytics, e-commerce, and organized retail crime (ORC). We hope the focus we choose will reflect your interests. As always, we welcome your suggestions for topics for LPM Online. Please send suggestions to editor@LPportal.com.

SEPTEMBER-OCTOBER 2017

The digital magazine is accessible on the LPM Online tab on our website, LossPreventionMedia.com, or by going directly to LPM-online.com. The digital magazine is optimized to view on any device, from smartphone to tablet to desktop. To receive notification of all editions of LPM Online, you need to be a digital subscriber of LPM. It’s free and gives you access to all our digital content, including our extensive website, print magazine archives, special reports, and much more. If you are not a subscriber, use the SUBSCRIBE NOW link on our website. If you are a solution provider and want to reach the loss prevention audience with a medium that allows you to demo your technology, show a corporate video, or showcase your products and services in other ways, please contact our advertising manager Ben Skidmore at BenS@LPportal.com. We have always prided ourselves in being on the forefront of the LP and publication industries. After all, we were the first magazine to exclusively serve the retail loss prevention professional. We hope you enjoy our new digital-only publication as much as you do our print edition. Let us know what you think. We’re always interested in hearing from you. Contact me at JackT@LPportal.com.

Jack Trlica Managing Editor

LOSSPREVENTIONMEDIA.COM

V I S I T U S AT A S I S I N T E R N AT I O N A L · D A L L A S , T X · S E P T E M B E R 2 6 -2 8 · B O O T H 2 7 2 3

EVERY CUSTOMER’S situation is unique. That’s why custom solutions

Advantex line of exit devices & electrical functions

are a big part of what we offer. We relish the opportunity to think

Super heavy duty low energy ADA operator

outside the box. Whether you need guidance with a challenging

Automatically operated door easykits

installation, are inquiring about training or want help making a

Weatherized delayed egress easykits

hardware decision, knowledgeable technicians, with nearly 50

Tailgate detection

years combined experience, are eager to help you think through your specific issues. Just call 800-729-3839.

W W W. D E T E X .C O M/G E N E Y U S S 8

LISTEN • DESIGN • BUILD • SUPPORT

EDITORIAL BOARD Jim Carr, CFI Senior Director, Global Asset Protection, Rent-A-Center

John Matas Vice President, Asset Protection, Investigations & ORC, Macy’s

Ray Cloud Senior Vice President, Loss Prevention, Ross Stores

Chris McDonald Senior Vice President, Loss Prevention, Compass Group NA

Francis D’Addario, CPP, CFE Emeritus Faculty Member, Strategic Influence and Innovation, Security Executive Council

Randy Meadows Senior Vice President, Loss Prevention, Kohl’s

Charles Delgado, LPC Regional Vice President, Store Operations, Academy Sports Scott Draher, LPC Vice President, Loss Prevention, Safety, and Operations, Lowe’s Scott Glenn, LPC Chief Security Officer, Sears Holdings

EXECUTIVE EDITOR James Lee, LPC JimL@LPportal.com EDITORIAL DIRECTOR, DIGITAL Jacque Brittain, LPC JacB@LPportal.com

Melissa Mitchell, CFI Director of Asset Protection and Retail Supply Chain, LifeWay Christian Stores Dan Provost, LPC Vice President, Global Loss Prevention, Staples Joe Schrauder Vice President of Asset Protection, Walmart Stores

MANAGING EDITOR, DIGITAL Kelsey Seidler KelseyS@LPportal.com CONTRIBUTING WRITERS Adrian Beck Read Hayes, PhD, CPP Tom Meehan, CFI Walter Palmer, CFI, CPP, CFE Colin Peacock Maurizio P. Scrofani, CCSP, LPC Garett Seivold Gene Smith, LPC Shane G. Sturman, CFI, CPP Bill Turner, LPC David E. Zulawski, CFI, CFE CHIEF OPERATING OFFICER Kevin McMenimen, LPC KevinM@LPportal.com

Tina Sellers, LPC Director of Loss Prevention, Retail Business Services LLC, an Ahold-Delhaize Company

Bill Heine Senior Director, Global Security, Brinker International

Mark Stinde, LPC Vice President, Asset Protection, 7-Eleven

Frank Johns, LPC Chairman, The Loss Prevention Foundation

Paul Stone, LPC Vice President, Loss Prevention and Risk Management, Best Buy

David Lund, LPC Vice President of Loss Prevention, DICK’S Sporting Goods

700 Matthews Mint Hill Rd, Ste C Matthews, NC 28105 704-365-5226 office, 704-365-1026 fax MANAGING EDITOR Jack Trlica JackT@LPportal.com

Barry Grant Chief Operating Officer, Canadian Images

Mike Lamb, LPC Vice President, Asset Protection, The Kroger Co.

LOSS PREVENTION MAGAZINE

DIRECTOR OF CLIENT RELATIONS Lisa Carroll LisaC@LPportal.com DIRECTOR OF DIGITAL OPERATIONS John Selevitch JohnS@LPportal.com SPECIAL PROJECTS MANAGERS Justin Kemp, LPQ Karen Rondeau DESIGN & PRODUCTION SPARK Publications info@SPARKpublications.com CREATIVE DIRECTOR Larry Preslar ADVERTISING MANAGER Ben Skidmore 972-587-9064 office, 972-692-8138 fax BenS@LPportal.com

Robert Vranek Vice President, Loss Prevention, Belk

SUBSCRIPTION SERVICES

Keith White, LPC Senior Vice President, Loss Prevention and Corporate Administration, Gap Inc.

Loss Prevention, LP Magazine, LP Magazine Europe, and LPM are service marks owned by the publishers and their use is restricted. All editorial content is copyrighted. No article may be reproduced by any means without expressed, written permission from the publisher. Reprints or PDF versions of articles are available by contacting the publisher. Statements of fact or opinion are the responsibility of the authors and do not necessarily represent the opinion of the publishers. Advertising in the publication does not imply endorsement by the publishers. The editor reserves the right to accept or reject any article or advertisement.

NEW OR CHANGE OF ADDRESS myLPmag.com POSTMASTER Send change of address forms to Loss Prevention Magazine P.O. Box 92558 Long Beach, CA 90809-2558 Loss Prevention aka LP Magazine aka LPM (USPS 000-710) is published bimonthly by Loss Prevention Magazine, Inc., 700 Matthews Mint Hill Rd, Ste C, Matthews, NC 28105. Print subscriptions are available free to qualified loss prevention and associated professionals in the U.S. and Canada at LPMsubscription.com. The publisher reserves the right to determine qualification standards. International print subscriptions are available for $99 per year payable in U.S. funds at circulation@LPportal.com. For questions about subscriptions, contact circulation@LPportal.com or call 888-881-5861. Periodicals postage paid at Matthews, NC, and additional mailing offices.

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

A STRATEGIC PARTNERSHIP BUILT ON ENGAGEMENT. APU AND THE LOSS PREVENTION FOUNDATION

As a strategic partner, American Public University is proud to oﬀer the following to The Loss Prevention Foundation members: • B.A. in Security Management with a concentration in Retail Loss Prevention • Transfer Credits for LPC and LPQ certiﬁcations • 5% Tuition Grant • 100% online convenience and monthly course starts • Ebooks and other required course reading materials at no cost for undergraduate-level courses for credit*

Visit us at www.StudyatAPU.com/LPF SM

*Print textbooks may require additional costs. If an ebook version is unavailable, textbooks may be included as part of the grant coverage.

RETAIL SPONSORS

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

Join these great companies as an LP Magazine corporate sponsor. Email JackT@LPportal.com for more information. LP MAGAZINE | SEPTEMBER-OCTOBER 2017

INTERVIEWING

Random Lessons from the Room: Part Two T

by David E. Zulawski, CFI, CFE and Shane G. Sturman, CFI, CPP

unpleasant situations. If the interviewer can determine with some accuracy what this strategy is, it can then be planned for during the interview. This prediction can often prepare the interviewer for the most likely response a subject may make to an investigatory interview.

his is the second in a series of articles where we will discuss lessons that we have learned over the years while interviewing tens of thousands of individuals.

Profile of the Subject

Anticipate Problems and Plan for Them

While the word “profile” has some negative connotations, we use it as a generic term to organize our thoughts and make some broad generalizations about individuals whom we are planning to interview. Our goal is to determine in general terms how an individual might act during an interview or upon discovering an investigation of them is underway. We can come to many accurate conclusions of a person by looking at their lifestyle, relationships, interests, or other choices they make in life. Where they choose to live or shop may speak volumes about their self-image and how they evaluate themselves

Once the subject has been profiled to determine their likely response to the interview or investigation, the investigator can then anticipate likely problems and prepare a plan for how to handle them. The investigator now goes through a series of what ifs and thinks about the resources and strategies that will be necessary to counter them. For example, what if the subject decides to get up and walk out of the interview? First, the investigator should consider the evidence available indicating the subject’s guilt and whether it is sufficient to terminate the individual’s employment or perhaps bring criminal charges. Depending on the company’s policy, there may be a requirement that clear evidence of the individual’s guilt is available before an interview can take place. In other organizations, circumstantial evidence or even a location’s high shrinkage may be enough to initiate an investigative interview. Depending on the organization’s policy, it is often useful to partner with a human resource representative or senior manager to determine what admissions from the subject are necessary to terminate the individual’s employment. Get a line in the sand on the decision and a commitment to an outcome. This upfront commitment can save much anguish for the decision maker. In addition, human resources can tell the investigator what will happen if the subject simply decides to end the interview and walk out. If the evidence is sufficient that action may result in termination, will HR suspend employment pending the conclusion of the investigation, or should the subject be returned to their work assignment? Clearly understanding the options before the interview allows the investigator to have a plan in place with clear outcomes that do not require improvised decisions or solutions on the spur of the moment. Other possible subject actions to be considered are: ■■ What if the subject wants to record the interview? ■■ What if the subject wants to have a parent or lawyer present during the interview?

Depending on the organization’s policy, it is often useful to partner with a human resource representative or senior manager to determine what admissions from the subject are necessary to terminate the individual’s employment. and others. Clearly, examining relationships and how they interact with friends, acquaintances, or strangers can lead to assumptions about loyalty and commitment to others. One important question to always ask about an individual who might be interviewed or become a target in an investigation is how the person reacted if they had ever been questioned or disciplined before. The interviewer could also include a broader question relating to how the individual handles conflict. In general, people have developed a strategy that either works for them or that they return to when faced with conflict or

SEPTEMBER-OCTOBER 2017

Zulawski and Sturman are executives in the investigative and training firm of Wicklander-Zulawski & Associates (w-z.com). Zulawski is a senior partner, and Sturman is president. Sturman is also a member of ASIS International’s Retail Loss Prevention Council. They can be reached at 800-222-7789 or via email at dzulawski@w-z.com and ssturman@w-z.com.

continued on page 14 |

LOSSPREVENTIONMEDIA.COM

continued from page 12

termination of an associate’s employment. The ultimate penalty decision will be made based on the investigative findings and the employee’s explanations regarding the facts established in the investigation. One of the more common violations in a retail setting is related to the discount policy. Many organizations will offer employees an opportunity to purchase company product at a discount, which may extend to certain family members or others as set by the policy. If an investigator revealed the investigative findings to an employee establishing the individual’s violation of the discount policy, then the associate might be able to just say, “I didn’t know the policy.” HR might view this as a training issue rather than an act of dishonesty by the associate. The issue then becomes a failure by the investigator to establish the employee’s intent to purposefully violate the policy. If the investigator had the associate tell his understanding of the policy, HR would now know whether the act was a training issue or an attempt to defraud the company.

What if the subject wants to delay the interview to a later date or time? ■■ What if the subject explains away the evidence available to the investigator? The questions might seem endless, but the prepared investigator can often anticipate the most likely problem areas and develop a plan of action or a strategy that can be employed if needed. ■■

Ask What the Fact Giver Wants to Know Another stumbling block for an investigator is assuming he knows what the fact giver, human resources, or management wants to know about. Don’t assume. Ask. While it might seem straightforward, what areas should be covered during an interview? It never hurts to ask the decision makers involved in the investigation. The information needs of the different parties can be varied and often far afield from one another. The director of human resources might be interested in the various trainings the individual received and whether they understood them. They might also want to establish that the person knew what they were doing was wrong and in violation of the organization’s policies. Someone from operations might be interested in the procedures currently in place and management adherence to them at the subject’s location. Legal, on the other hand, might have other information needs from the investigator since they will be responsible for defending the organization’s decisions or potentially litigating civil or criminal actions. There’s nothing worse than the investigator returning from interviews only to discover they didn’t ask the right questions or explore areas of particular interest, which didn’t occur to them at the time. The failure to inquire was really a failure to plan the interviews and to account for the needs and interests of the other parties involved.

Another stumbling block for an investigator is assuming he knows what the fact giver, human resources, or management wants to know about. Don’t assume. Ask. In other situations, a violation of policy might be tempered by the general practices of the facility. While an associate might be acting outside of policy, there may be legitimate reasons why he or she is doing so. On occasion, we have conducted investigations that exonerated employees’ rule violations. In one instance, the employees had been directed by the general manager to ignore safety rules to speed production and shipping at the facility. The investigative interviews corroborated the general manager’s directives and established his intent to violate policy while mitigating the employees’ violation of policy. This resulted in retraining the associates at the facility in current safety protocols and termination of the general manager for his blatant disregard for his employees’ safety. It is critical for the investigator to know what must be proved in any investigation so that a clear decision can be made on the facts of the case. At the same time, knowing the information needs of the various parties involved in the decision-making process can make the eventual finding easier and more satisfying for all involved. Finally, having the evidence of the individual’s intent and guilt limits the likelihood of future litigation or complaints of mistreatment by the subject. We will continue our lessons from the room in our next column. If you have any lessons you would like to share, send us a note, and we will try to include them in our future articles.

Know What Must Be Proved

The investigator must have a clear idea of what must be proven to establish a case to terminate employment or prosecute. In a criminal case, this relates to the elements of the crime set out by statute, while a policy violation may not be as detailed. For example, in a theft case the investigator must prove the ownership of the property. This can be done using company documents such as a purchase order, which establishes the organization’s ownership of the asset. If the ownership of the merchandise is in question, then the criminal charge might be the theft of lost or mislaid property. Second, the investigator must prove the individual had the intent to permanently deprive the organization of its asset. This intent might be established by video, documents, witnesses, interviews, or some combination of these and other investigative findings. An organization’s policies are generally not set by statute but rather the company’s employee handbook. The handbook covers a variety of areas relating to employment, benefits, safety, and expectations relating to employee behavior. Typically, violation of a company policy can result in anything from a verbal reprimand up to and including

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

FEATURE

SECURITY’S SECURITY

ARE YOUR SOLUTIONS PART OF THE PROBLEM? By Garett Seivold, Contributing Writer

SECURITY’S SECURITY

here may be no better symbol of the nation’s modern, high-tech military—not to mention US military might—as its fleet of predator drones. So it surely caused a few red faces at the Pentagon when it was discovered that insurgents in both Afghanistan and Iraq had used $26 software to intercept live video feeds from the unmanned planes. Oops. Or consider a story relayed by the Alliance for Enterprise Security Risk Management about an interruption to an organization’s computer network. Initially thought to be a server crash, it turned out to be the result of RAM being physically stolen from servers in the data center by thieves who couldn’t be identified because building surveillance cameras were malfunctioning. The organization in question? A police department. Again, oops. All industries have had similar oops moments. Security experienced one in October 2016 when network-connected surveillance cameras and DVRs were implicated as a primary distributor of the Mirai botnet, which enabled DDoS attacks on eighteen data centers around the world and disrupted activities at some of the Internet’s biggest names, including Amazon, Spotify, and Twitter.

solution to become a threat vector,” warned Gavin Bortles, president of Kepler Networks, a network engineering services provider. David Tyburski, chief information security officer for Wynn Resorts, echoed that view. “We can’t be injecting risk—we are supposed to be about reducing risk,” he said. As for why it does happen, why at any given time you can monitor nearly a million private security cameras online, or why a recent multimillion-dollar security install at a massive theme park had IP addresses written right on the security cameras, there is blame to go around. It’s wrong to assume just because they are security systems that manufacturers have made them secure, according to a study by the Government Accountability Office (GAO) on vulnerabilities in federal facilities. It noted, “Cyber-security experts that we interviewed generally said that building and access-control systems are vulnerable to cyber attacks. One expert, for example, noted that control systems were not designed with cyber security in mind.” The US government has said connected devices pose “substantial safety and economic

Securing Loss Prevention Technology

The cyber vulnerability of security devices is a hot topic at security conference roundtables and in industry webinars these days. It’s not hard to see why. There is growing pressure on loss prevention to enhance store operations and boost sales. We’re in an environment of high—and growing—expectations. So a security device that doesn’t clear an even lower bar—by failing to provide payback as promised—is not likely to go over well with the senior team. And a security investment that doesn’t actually deliver security or, worse, a security device that actually introduces security risk? Well, that seems like a career killer. LP executives must ensure that connected security devices do not provide hackers a new way to enter the company network. “You can’t allow your security

The security marketplace is crowded with vendors hoping to take advantage of a hot market, and not all of them do proper due diligence with respect to the security and safety of their products, warn experts.

SEPTEMBER-OCTOBER 2017

risks” and has called for immediate action to improve the security of Internet of Things (IoT) devices—but has proposed no specific penalties for manufacturers that fail to comply. Bill Bozeman, president and CEO of PSA Network, an organization of 200-plus electronic security systems integrators, thinks manufacturers of security products need to do a better job of ensuring their safety. “They get a D in my book,” he said in a recent conference address. The security marketplace is crowded with vendors hoping to take advantage of a hot market, and not all of them do proper due diligence with respect to the security and safety of their products, warn experts. Even product testing can’t always offer the same safety assurance it used to, a representative from Underwriters Laboratories told LP Magazine, because today’s software-driven products are dynamic and update functions and features on the fly. Roger Johnston, PhD, founder and CEO of Right Brain Sekurity, a firm that conducts vulnerability assessments, believes that vulnerabilities—in the very security devices that are designed to offer a company protection—are more common than security and LP practitioners think. According to Roger Johnston Johnston, engineers and manufacturers focus on simplifying user operation and the service of devices. These very conveniences, however, often make it simple to tamper with them. Vendors aren’t the only ones criticized of cutting corners. Integrators have also been in the hot seat for, among other things, calling a system install complete with default passwords still in place. Joe McDonald, chief security officer for Switch, an information technology and services firm, said “integrators have to do a better job” to ask clients about their password protocol and to not leave a project until it’s secure. The risk from

LOSSPREVENTIONMEDIA.COM

SECURITY’S SECURITY connected devices is simply too great, he warned. “A camera is a network port hanging on your perimeter.” Ultimately though, the problem—and the solution—is in the hands of end users, said Johnston. “If customers don’t demand good security, why would a manufacturer provide it? It simply puts them at a competitive disadvantage. The problem is that customers have been absolutely happy to simply believe salespeople when they say that their devices are completely secure.” That attitude can get organizations into trouble, according Chris Nickerson, founder of information security (infosec) firm Lares Consulting and an expert in red teaming Chris Nickerson and adversarial modeling. “Most companies probably put too much faith in vendors and security products,” he noted in an ISC West conference address. No security device is 100 percent secure, according to Johnston. “The manufacturer might look briefly at security and send engineers for a quick look, but the vast majority of security devices in use, including in loss prevention, have not undergone a true vulnerability assessment in an effort to understand how they can be attacked,” he told LP Magazine. “So LP continues to field devices without understanding their level of security or, in many cases, without understanding them well enough to use them to their optimal effectiveness.” Johnston recommends that LP executives cut through the crowded vendor field by asking them to explain how their products can be defeated. “The first thing to do is to ask your vendor, ‘How do you defeat this thing?’ And if they say you can’t, then they either don’t understand security or aren’t being up front. They should be able to tell you, these are the possible attack security scenarios, and these are the ones you should expect most,” said Johnston. “Only when manufacturers are pressured by customers to answer questions about how their products can be defeated will they start to feel pressure to pay attention to their security,” he added.

The optics of LP deploying insecure security devices is plainly terrible—but perhaps understandable. LP and asset protection departments implement systems and devices to address immediate problems and risks, so addressing the vulnerability or risks in those very solutions can seem like a secondary exercise. But as LP relies more on technology, and security devices are increasingly connected to the network,

In a study presented at the 2016 International Workshop on Trustworthy Embedded Devices, researchers noted that 39.7 percent of cameras and surveillance systems analyzed on the Internet in 2010 were running with default credentials. “This basically means they are completely exposed to any kind of attack such as video-feed eavesdropping, malicious firmware updates, and DNS hijacking,” concluded the study. LP MAGAZINE | SEPTEMBER-OCTOBER 2017

LP needs to be extremely confident in the efficacy and security of those systems. When technology serves at LP’s core—with procedures and staffing built around it—a flaw in the technology or system design creates a vulnerability that can persist undetected. It takes an average of six months before a network intrusion is detected, noted Christian Morin, vice president of cloud services and chief security officer at Genetec. “That’s six months of free roaming for a hacker, which could be because a surveillance camera never had its firmware updated,” he said. In this specific way, it’s riskier to rely on Christian Morin security technology than people, the oft-perceived weak link. While it’s true that security personnel can create vulnerability when they lose focus or make a mistake, the risk is transitory. A system or device flaw creates a constant opening, one that attackers may be able to exploit repeatedly.

Dangerous Connections

For years, the most retailers worried about with respect to a surveillance camera was whether it was positioned to mistakenly capture customer cardholder information. Now, networked security cameras present the greatest risk to enterprises from the array of IoT devices, according to a November 2016 report by researchers at Zscaler, a cloud-based information security company. “Now that [cameras] are a network device that can be the subject of attack, you need to take the possibility into consideration,” said John Bartolac, cyber-security expert and senior manager for cyber strategy at Axis Communications. “Imagine what a day without online sales could do to a retailer. It is devastating.” Connected devices can provide substantial benefits to retailers and loss prevention practitioners. Effective use of these devices can cut expenses, John Bartolac

SECURITY’S SECURITY improve operational efficiency, reduce loss, and drive business. Connectivity allows for building automation and centralized control and can simplify cumbersome tasks such as installing software patches and updates. And it’s flexible—allowing a system to grow and scale—and a web-based control platform allows users to manage from any web browser, anywhere with Internet access. With connection, however, comes risk. For example, Zscaler researchers found one security camera brand communicated with its parent company in plain text and without authentication tokens, giving attackers the opportunity to introduce their own firmware; another camera transmitted user credentials for its streaming capability in plain text; and another had an unprotected remote-management console. An infected video camera could allow intruders to monitor an environment and plan physical attacks as well as cyber attacks, explained Deepen Desai, director of security research at Zscaler. In a recent FBI bulletin to private companies, the agency warned that exploitation of connected devices to conduct attacks “will very likely continue,” and some cyber-security experts warn that ransomware tactics may soon extend to IoT, locking critical devices until an organization pays a ransom. In the 2017 Black Hat Conference Attendee Survey, digital attacks on noncomputer systems ranked tenth on attendees’ current list of worries; however, it was identified as the risk that they think will be their number one concern in two years’ time. “The reality is that each and every one of those security cameras, network video recorders, and IP-enabled controllers are small computers—and as you add more computers and widgets to the mix, you greatly expand the surface of attack,” explained Morin. If not deployed and maintained properly, networked-enabled operational technology, such as point-of-sale (POS) terminals, fire-suppression systems, video surveillance cameras, building control, and access-control systems, can provide

One issue is that manufacturers with a background in the physical security industry have traditionally built them, which means they focus on features important to building managers and may not give systems a thorough code review. Consequently, applications may not have been hardened against known software vulnerabilities to reduce or eliminate the risk of network attack.

hackers an avenue into an organization’s network. “Connected devices offer great benefits, but you need to be sure these things are protected,” said Bartolac. One issue is that manufacturers with a background in the physical security industry have traditionally built them, which means they focus on features important to building managers and may not give systems a thorough code review. Consequently, applications may not have been hardened against known software

SEPTEMBER-OCTOBER 2017

vulnerabilities to reduce or eliminate the risk of network attack. It seems illogical, but there has traditionally been very little focus on the security aspects of networking physical security systems. In a study of the typical components, communication protocols, and deployments for the most common physical security systems being put on the network, researchers concluded that “physical security systems are inherently vulnerable to traditional network-based attacks.” The risk is something that retailers have started to recognize. “I’m seeing retailers making themselves more aware of the risks, probably because of the marriage of LP with IT,” said Bartolac. “They’re starting to look into what kinds of things can create risk and what kinds of solutions are appropriate, especially as systems are getting more complex.” Still, only 30 percent of organizations say that managing third-party IoT risks is a priority for them, according to a 2017 survey by the Ponemon Institute, The Internet of Things: A New Era of Third-Party Risk. And the most basic of mistakes continues to provide hackers with a reliable way into company networks. “It blows my mind that some companies will keep out-of-box passwords for every device and never change them,” said Bartolac. In a study presented at the 2016 International Workshop on Trustworthy Embedded Devices, researchers noted that 39.7 percent of cameras and surveillance systems analyzed on the Internet in 2010 were running with default credentials. “This basically means they are completely exposed to any kind of attack such as video-feed eavesdropping, malicious firmware updates, and DNS hijacking,” concluded the study Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations. The researchers said the 2010 figure still accurately suggests “the scale at which video surveillance systems are exposed and vulnerable to cyber-security threats.” To address this basic but persistent vulnerability, LP needs to ensure use of complex passwords that are rotated

LOSSPREVENTIONMEDIA.COM

SECURITY’S SECURITY on a regular basis, including during times of attrition whether it’s from resignations or layoffs, according to Christian Romero, a former LP executive Christian Romero at Neiman Marcus and now data privacy and protection associate at the Technocracy Group. Another problem is perhaps more basic than poor password management. “I think, unfortunately, it’s common that LP or security will add these devices without duly informing the information security people,” Morin told LP Magazine. “So these devices exist on the network, but the people in charge of protecting the network infrastructure are unaware of them.” To address that gap, some retailers are changing both the “how” and “who” of device management. Terry Sullivan, LPC, president of the Loss Prevention Foundation, Terry Sullivan was part of such an evolution during his stint at Lowe’s, from when LP would vet its own purchases and occasionally butt heads with IT to having every piece of LP technology—right down to a new printer in the LP office—being vetted by the IT group and tested in its lab. “It was a big change in the last five years. It used to be if we liked it, we’d test it, and we bought it,” explained Sullivan, who encouraged the change after becoming director of LP operations at Lowe’s. “I told our people to put down their swords and their shields, and that it makes sense, so let’s do it.” Although it may require ceding authority and responsibility to IT, collaboration with IT is vital to implement new LP technology safely, Sullivan suggested. Ongoing management of LP technology is also an area fraught with risk, Romero told LP Magazine. Although LP is typically the owner of security devices, the focus of LP practitioners is often elsewhere. “From

LP operations must be deliberate when selecting, testing, and adding new security devices to the network. Not all network security devices are designed for security, and there is no guarantee, if a flaw is found, that a manufacturer will roll out a timely fix. Additionally, not all vendors do the same amount of testing. Consequently, choosing trusted manufacturers and integrators is critical.

a management standpoint, LP looks primarily at the function of the device and how a camera or system is working,” he said. “Rather than taking a more holistic view of what management of that device should look like.”

Cyber Solutions

Even basic security precautions may be ignored in the manufacture and installation of security devices. Although LP MAGAZINE | SEPTEMBER-OCTOBER 2017

retailers can push vendors and integrators to give greater attention to the security of security devices, LP practitioners—since they live with the consequences—must own the responsibility. LP executives that oversee network-connected security systems and devices need to assess the risk of those systems to cyber attack and must take steps to reduce the risk. “The crux of the issue is that not much energy or effort is put toward properly managing the life cycle of these devices,” explained Morin. “We’re happy with the video we’re getting, so we forget about them. There is this impression that a device will last five, seven, or ten years, and that is when we’ll touch it again,” he said. Success starts, then, with a strategy. When the GAO examined the cyber risk to security systems at the Department of Homeland Security (DHS), it found that select protection solutions had been deployed but that the broader effort was hampered—and vulnerabilities weren’t addressed—because DHS lacked a clearly defined strategy to maintain its focus. Worse, it found a lack of agreement on exactly who was responsible for addressing the integrity of the systems, which is a precursor to taking action, the report concluded. A viable overall strategy to address cyber risk to security systems should entail defining the problem, identifying the roles and responsibilities for securing systems and devices, analyzing the resources needed, and identifying a methodology for assessing cyber risk to security devices. Such a programmatic approach is important as other LP issues can easily divert attention and cause retailers to lose focus from what may seem like the abstract risk of a cyber attack on an IP camera. LP operations must be deliberate when selecting, testing, and adding new security devices to the network. Not all network security, devices are designed for security, and there is no guarantee, if a flaw is found, that a manufacturer will roll out a timely fix. Additionally, not all vendors do the same amount of testing. Consequently, choosing trusted manufacturers and integrators is critical.

SECURITY’S SECURITY “What are their security practices? Do you trust the company in general? Who is writing the software? You have to be careful of a backdoor into your network,” said Genetec’s Morin. “I don’t want to say you need the more expensive cameras, but you want to get something that, out of the box, offers you a more hardened device,” added Romero. LP magazine interviews with industry experts elicited additional advice, which will not only help LP address vulnerabilities but may also help to improve the operational efficiency of devices and systems: ■■ Adopt a suspicious attitude about the cyber security of devices, advised David Willson, CEO of Titan Info Security Group, a risk management and cyber-security consulting firm. ■■ Go beyond the sales pitch. Evaluate the security of a security device as closely you do other criteria, such as compatibility, features, and price. ■■ Be flexible when evaluating products. Studies have shown that more than half of security end users have their minds made up on the products they want when entering a project. But rigidity can result in overlooking vulnerabilities, warn experts. ■■ Work exclusively with vendors who offer a road map for security; provide specific hardening guides for its network security devices, such as IP cameras; proactively post common vulnerabilities and exposures on their websites; and regularly issue software and firmware updates. Unless you see a road map for security for a vendor’s product you should skip it, said Bozeman. ■■ Limit authorization and access to LP network devices and ensure that appliances maintain a log of all activity to facilitate forensic review. ■■ Look for technology partners that carry liability insurance. Insurance will require that an integrator or vendor undergoes an audit by the carrier to make sure they have continuity plans in place and the like. It provides at least a minimum amount of assurance that the company’s security has been examined, according to Morin.

Establish best practices for low, medium, or high device protection, and then follow the appropriate measures depending on the risk level associated with a specific device, advised Bartolac. ■■ Solicit the help of IT to select trustworthy vendors and integration partners. Factors such as who built the hardware, where the software was developed, what security practices are in place to protect the source code—these are all security assessments that infosec departments are accustomed to doing, noted Morin. “LP should get their help to select a vendor and leverage their expertise,” he recommended. ■■ Disable unused services and only install trusted applications to reduce the chances that a would-be perpetrator could exploit a system vulnerability, advised Bartolac. Also, place cameras where they’re out of reach of a potential attacker’s tampering, he added. ■■ Segment security devices from other company data to the fullest extent possible. “Keeping CCTV wholly separate or segmented from payments ■■

True security requires a secure chain of custody right from the factory, effective tamper detection built into devices, and manufacturers conducting independent and imaginative vulnerability assessments.

SEPTEMBER-OCTOBER 2017

absolutely would be a best practice to limit your exposure,” said Romero. ■■ Develop internal technology expertise so that your team can ask necessary questions and knows issues to look for, such as core protocols that lack security mechanisms, vendors that employ proper encryption methods and mechanisms, and devices lacking secure configuration. LP must possess a skill set that is commensurate with the level of responsibility they have for device IT security, cautioned Romero. ■■ Consult best practices. In addition to vendors’ hardening guides, security groups and associations have put forth technical guides and best practices to follow, such as basic safeguards suggested by the Security Industry Association Cyber Security Advisory Board’s Beginners Guide to Product and System Hardening.

Physical Frailties

While connection vulnerabilities provide armchair hackers an easy inroad, physically infiltrating a facility to facilitate data theft or destruction is still “crazy easy” for a skilled adversary, according to Nickerson. Access control, badge systems, and other intrusion prevention and detection systems rarely stop his team from getting where they want in a facility and doing what they would need to do to compromise its network. Johnston holds a similar view of device vulnerability. As the former head of the vulnerability assessment team at Argonne National Laboratory, he has conducted vulnerability assessments on more than 1,000 physical security and nuclear safeguard devices, systems, and programs, and it’s his opinion that all security technologies and devices can be defeated—usually “fairly easily.” In addition to not undergoing a rigorous vulnerability assessment by the manufacturer, there is a problem with chain of custody, which fails to get much attention, according to Johnston. “The typical security manufacturer isn’t likely to have good insider threat security,” so product tampering at the source is a risk. In November, for example, it was discovered that preinstalled software in

LOSSPREVENTIONMEDIA.COM

SECURITY’S SECURITY some Android phones was sending data to China, including information on where users went, whom they talked to, and text message content. “Then [the security device] will sit on loading docks, and then sit again, sometimes for months, somewhere at the end user, and only then is it installed,” said Johnston. “But no one knows what the interior is supposed to look like, and manufacturers don’t supply pictures, so it’s impossible to tell signs of tampering.” A skilled adversary can install a man-in-the-middle (MiM) attack or compromise a device in some other way with just a few minutes of access, he noted. Additionally, security product design often facilitates tampering by using housing that is thicker than necessary in order to make servicing devices easier. “So there is all kinds of physical room inside it for someone to put in a device to capture data and conduct MiM attacks. And end users don’t usually go around and check for alien material inside their

security devices, so you have successful attacks,” said Johnston. When physical devices fail, it can often render other security investment moot. For example, organizations are putting a lot of faith in encryption and authentication technologies. But companies often remain vulnerable because encryption can’t correct underlying vulnerabilities. “Data encryption and authentication provides reliable security if and only if the sender and the receiver are physically secure, the insider threat has been mitigated, and there’s a secure cradle-to-grave chain of custody on the hardware and software; usually none of these is true,” Johnston explained. True security requires a secure chain of custody right from the factory, effective tamper detection built into devices, and manufacturers conducting independent and imaginative vulnerability assessments. But all three are almost universally lacking for most security devices, Johnston warns.

Vulnerabilities of some kind extend to all popular security technologies—prox cards, biometrics, even emerging retail favorites like RFID, says Johnston. RFID attacks can be performed at each stage: during communication, at the tag level, and on the tag reader. “It’s easy to shield from an RFID device. You can block, jam, or counterfeit RFID signature. People are sometimes regarding RFID as a higher-security approach, but it’s just a bar code and maybe worse because it’s not hard to hard to spoof RFID from across the room or from the parking lot,” he said. The vulnerability of RFID relates to what Johnston thinks is the most common mistake in retail—confusing inventory with security. “It’s thinking that, because they know where parts and pallets are and can keep track of things, that it can act as a security system,” said Johnston. “You can have both security and inventory with the same system, but you need to analyze it as an inventory system and then separately analyze it as a security system. Too often retailers will just look at it as an

What’s New in Merchandise Protection? Designed to withstand tearing, the uniquely versatile MicroFlex black lock tag maximizes deterrence while minimizing the impact on the customer experience and product display.

The flexible Bug Tag 2 Snare from Alpha®, is an innovative display solution that integrates three working components to provide comprehensive protection while enhancing the customer experience.

MicroFlex Tag

Bug Tag 2 Snare

CheckpointSystems.com 800.257. 5540

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

SECURITY’S SECURITY inventory system but also use it for security. Or else retailers buy it for inventory, and there is a case of mission creep, and they start to use it for security.” Compounding the problem is that inventory folks often have the money to buy all the hardware, with security being an afterthought. “But you need to build the security piece in from scratch,” said Johnston. “You can’t Band-Aid security onto an inventory system.” More broadly, he says that LP executives need to be careful not to assign security technology powers it doesn’t possess and must recognize that security devices themselves are often not secure, which makes them vulnerable to spoofing.

Accept Defeat—And Win

Although device security is a technology problem, both Johnston and Nickerson suggested the need to address it culturally. Their domains are different—Johnston’s is vulnerability assessments, and Nickerson’s is penetration exercises—but both strategies require a retailer to be OK with learning about their weaknesses. And that can be a struggle. “Even if you can’t redesign a product, if you understand its vulnerabilities, you can at least enact some simple countermeasures, and you don’t have to spend a ton of money,” said Johnston, who recommends that organizations perform their own frequent, imaginative, independent vulnerability assessments to find security weaknesses. He suggested picking individuals from outside the LP department who seem psychologically predisposed to finding problems and suggesting solutions. “Pick people from the mailroom or the graphic arts department, the smart, creative types who are always finding loopholes.” These are just the kind of people who in a vulnerability assessment (VA) can provide fresh insight into how creative adversaries might defeat your security systems, said Johnston. “The problem at a lot of organizations is that they’re afraid to encourage employees to think about these kinds of things, and they’re also afraid of what they’ll find,” Johnston added. It doesn’t help that in physical security, unlike cyber

“Even if you can’t redesign a product, if you understand its vulnerabilities, you can at least enact some simple countermeasures, and you don’t have to spend a ton of money.” – Roger Johnston, PhD, Right Brain Sekurity

security, making changes is sometimes viewed as admitting to past negligence. “Some organizations will even halt a VA once they find vulnerabilities because really what they wanted was to rubber stamp their program and to say they looked at it,” he said. Johnston said retailers should strive to develop a culture where uncovering vulnerabilities is seen as positive—and to be willing to accept that a legitimate vulnerability assessment will always find attack possibilities. “And you don’t have to find every vulnerability for it to be worthwhile,” he added. “At least you can go after the low-hanging fruit, and say that this attack and this attack are the most likely, so you can make some valuable, practical changes.” Nickerson sees a similar mindset holding organizations back from undertaking much-needed physical penetration testing; many don’t want to see the expensive technology they bought easily compromised. But it’s a shortsighted attitude that practitioners and their organization’s need to rid themselves of,

SEPTEMBER-OCTOBER 2017

Nickerson suggested. Don’t think of a red team’s success as security’s failure. Instead, see it as new information to help adjust and improve security. “The more we think from an adversarial perspective, the more we can know if we’re getting what we want out of our systems,” he advised in his conference presentation “Breaking Physical Access.” Looking at your security devices from the perspective of attackers will always point out flaws, but knowing whether it’s worth addressing them requires a detailed risk assessment, something else Johnston thinks that LP practitioners could do better. “There aren’t good or bad security devices. It depends on what you need. However, ‘we don’t want stuff stolen’ is sometimes the extent of the risk assessment,” said Johnston. “But when you’re looking for the best car, it depends on what you want the car to do. Is it to win the Indianapolis 500? Is it to impress the neighbors?” So even though a security system will have its vulnerabilities, “it may be the right system given the adversaries you have, the budget you’ve got, and what you’re protecting,” said Johnston. Johnston and Nickerson suggest that to successfully harden a security system or device against attack requires LP to first acknowledge that it’s a possibility and then be willing to gain a deeper, more honest, understanding of their technology. Learn how it can be attacked. Understand the intricacies of what systems can—and can’t—do. And appreciate which threats devices can and can’t protect against. “But it’s often way less thought out than that,” said Johnston. “It’s people in charge of security buying something because the salesperson says it’s good. I actually see the whole thing more as a security culture deficit rather than a device security issue.” GARETT SEIVOLD is a journalist who has covered corporate security for nearly twenty years. He has been recognized for outstanding writing, investigative reporting, and instructional journalism. He has authored dozens of survey-based research reports and best-practice manuals on security-related topics. Seivold can be reached at GarettS@LPportal.com.

LOSSPREVENTIONMEDIA.COM

FUTURE OF LPVIEWPOINT ACADEMIC By Tom Meehan, CFI

The Danger of Forced Innovation in Retail

solution for self-checkout, which was unlikely. The physical restrictions of the store design, power, and cabling were limiting. The next technical challenge was how associates would remove a sensor tag, provide the customer a bag, or assist the customer in a short time if a problem or question arose. I asked my former colleague, “So what did you do?” His answer was simple, “My CEO and my EVP told me to figure it out, so I did the best I could.” When I asked how it went, he described a plethora of obstacles and problems. And in the end, the company changed direction and decided self-checkout wasn’t a good idea for them. Should it be a surprise that in an upscale environment that sells $5,000 handbags, the customers didn’t want to use self-checkout? This real-life example shows just some of the challenges of forced innovation. Slightly less obvious are these additional risks: an exposure to higher shrink, lower morale, and a strain on IT resources. If your IT, LP, and sales teams are focused on the innovation

hen planned, innovation is an essential part of the evolution of retail. But when innovation is forced on a retailer, it can be a toxic time burglar. In this article, I will review two types of forced innovation: “keeping up with the Joneses” and “can it be done?”

Do Customers Really Want It?

Have you ever been in a meeting where someone says, “Why don’t we have self-checkout or mobile POS (point of sale)?” Sometimes, the pressures of Amazon and other more technologically advanced retailers force innovation. This is an example of keeping up with the Joneses. The other question I often hear is, “Can we track our customers in-store, or can’t we use data to tackle our return problem? Others are doing it; I am sure we can too.” This is an example of “can it be done” forced innovation. One of the challenges with the “can it be done” question is that just about anything can be done. MIT has teleported grains of sand from one space to another. Rockets can be built and sent to the moon. Our cell phones have more computing power than the computer that ran Apollo 1. Virtually any retail demand could be accomplished with technology, provided you had unlimited money and resources. But no one has that. So the more important question than, “Can it be done?” is, “Why do we want to do it? Is it scalable? Will it enhance the customer experience? Will we earn more?” A former retail colleague of mine shared with me his company’s desire to implement self-checkout in an upscale environment. There were several obstacles before we even got to the technology challenges. First, the store physically was not built to accommodate more equipment, such as automatic removers for security EAS tags. Second, because it was an upscale specialty store, all of the locations were different. The wrap stands and fixtures were custom-built, making changes problematic. Third, the store staff was limited to three to four high-performing sales professionals who already had multiple systems to deal with. The introduction of a new technology would require a lot of training and support. Fourth, their IT department was outsourced, and their call center was too. They had several projects going on. Now, let’s get into the technical obstacles. The first one had to do with network wiring and power: it just wasn’t available, even if they could find an out-of-the-box

SEPTEMBER-OCTOBER 2017

Meehan is the chief strategy officer and chief information security officer for CONTROLTEK. Previously he was director of technology and investigations with Bloomingdale’s, where he was responsible for physical security, investigations, systems, and data analytics. He currently serves as the chair of the Loss Prevention Research Council’s innovations working group. Prior to his 13-year tenure at Bloomingdale’s, he worked for Home Depot in loss prevention, and has had various technology, loss prevention, and operational roles at several other companies. He can be reached at tom.meehan@controltekusa.com.

One of the challenges with the “can it be done” question is that just about anything can be done. MIT has teleported grains of sand from one space to another. Rockets can be built and sent to the moon. Our cell phones have more computing power than the computer that ran Apollo 1. Virtually any retail demand could be accomplished with technology, provided you had unlimited money and resources. |

LOSSPREVENTIONMEDIA.COM

forced on them, what are they missing? Servicing the customer could take a back seat.

But Amazon Is Doing It

If your CEO or senior leaders ask you to do something, you may not have an option but to do it in the end. In the past, I’ve been asked to do many things that I suspected wouldn’t work or that would have enormous obstacles. I learned that it was okay to question the necessity of the project. Why are we trying this? Further, I would lay out a strategic plan with a timeline and a clear list of the risk to other projects. I also found that by putting a strategic plan together, looking at the true ROI, and documenting the risk, sometimes it would become very apparent that the request was either not scalable or too risky. “But we have to do it—Amazon is doing it!” Some of the most common demands I hear are related to omni-channel: buy online, pick up in store, same-day delivery, and creating a fulfillment center in the back room. Isn’t this a prime example of keeping up with the Joneses? Imagine you’re in a meeting and very excited to be there because you’re sitting at a table with the top executives in your organization. Your company is a couple of years into its dot-com business, and it’s growing at a faster rate than any of the other verticals. You are a retailer with an off-price presence, full-line stores, seasonal pop-ups, and other brands under a large corporation. In the meeting, a high-level executive says, “I think we need to start doing same-day delivery.” Another high-level executive says, “I think we need to start doing buy online, pick up in store.” Several other recommendations are brought up, all related to chasing Amazon or another com petitor. All, at face value, sound simple but are very complex both technically and from a process standpoint. In that meeting, if you were asked your opinion, what would it be? What are some concerns you could raise? For buy online, pick up in store, a few things come to mind. What are some of my direct competitors doing? Do they have exclusions on product categories or limits on quantities ordered? How will they handle returns? What are the chargebacks going to look like? These are just a few of the loss prevention risks. In today’s evolving world of retail, innovation is necessary for survival. Sometimes keeping up with the Joneses or forced innovation can be taking something someone did and making it better; other times, it could be simply about not falling behind. Forced innovation could also be taking something that was originally planned on a roadmap for the next year and just adjusting the timeline with a higher degree of urgency. Whichever of these situations you encounter, make sure you have a plan, assess risk, and look at the ROI. Ask the why question, and make sure the proposed project enhances the customer experience.

Advanced Analytics Actionable Insights

Profoundly impact profits with fully-informed decisions for the retail enterprise Customer and Market Insights

Customers, wallet-share, media-spend

Location Analysis

Crime, demographics, customers

Predictive Risk and Shrink Analytics

Store, associate, SKU insights

Performance Benchmarking

Geographic, store-level performance

Compliance Auditing

Manage challenging compliance issues

Advanced POS Analytics

Prevent risk and enhance profits

Start getting valuable insights Schedule a demo with us today.

888-777-0585

Learn more about our retail solutions.

veriskretail.com

LPM EXCELLENCE

LPM “Magpie” Awards: Applauding Excellence

The LPM “Magpie” Awards offer a means to celebrate industry accomplishments on an ongoing basis, recognizing the loss prevention professionals, teams, solution providers, law enforcement partners, and others that demonstrate a stellar contribution to the profession. The ability to influence change is a product of drive, creativity, and determination, but

it also requires a unique ability to create a shared vision that others will understand, respect, support, and pursue. Each of the following recipients reflects that standard of excellence, representing the quality and spirit of leadership that makes a difference in our lives, our people, and our programs. Please join us in celebrating the accomplishments of our latest honorees.

Excellence in Partnerships

Excellence in Leadership

“As I was climbing the career ladder, the one thing that always seemed to be at the core of wherever I found myself was a strong sense of doing the right thing for my customer,” said Bartol. “Through the years, I truly believe that what’s helped me advance my career has been my desire to not sell my customers anything, but rather help them get what they need. Always do right by your customer and serve their best interest and not your own. If you do that, your customers will be your partners, and you will have a long-lasting, mutual relationship. “We have to listen, learn, and respond—on both sides of the relationship. A business partnership is a two-way street. There has to be trust. Once you’ve established that trust, stay with it and realize that it is the keystone of the whole thing. “This industry and community has been a real home for me and is like no other. I am honored and flattered to receive this recognition, but the only reason that I received it is because of the folks in this community. They’ve always made sure that the equation balances.”

“When I think about the true leaders that I’ve known or worked with, I’ve found that they drive for results and have a passion for what they do,” said Arigi. “But they were also resilient. They had the ability shed setbacks quickly and move on, celebrating even the small wins along the way. They inspired their teams to do better, setting the bar higher—but not so high it’s unrealistic. “Leaders know it’s all about the team. In today’s rapidly changing world, our leaders must have imagination. They have to be innovators without ego. That approach allows us to be great listeners, embracing other perspectives and giving credit where credit is due. That attitude builds trust and helps develop future leaders. “For young leaders, my advice would be to take some chances, both in your current role and when thinking about the next opportunity. Volunteer to take on the tough projects. Diversify your resume. Not every move has to be a promotion. Consider developmental opportunities as part of your long-term success strategy. Realize that some of the best ways to prepare for your ultimate career goal in AP may be outside of AP.”

Hedgie Bartol, Retail Business Development Manager, Axis Communications

Tom Arigi, Senior Director of Safety and Security, Walmart US

Nominations Are Encouraged at Excellence@LPportal.com We want this to be your program. Those of you working as LP practitioners witness these exceptional performances on a regular and ongoing basis, and we strongly encourage you to provide us with nominees for each of the award categories. We encourage creative nominations and want the program to cast a positive light on the many tremendous contributions of the loss prevention community. Nominations can be submitted via email to excellence@LPportal.com. 26

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

INTERVIEW

SMART PEOPLE SAY SMART THINGS AND IT IS WORTH REPEATING By James Lee, LPC, Executive Editor LP MAGAZINE | SEPTEMBER-OCTOBER 2017

SMART PEOPLE SAY SMART THINGS

In every issue of the

INTERVIEW

print magazine since 2001—and now in our digital magazine LPM Online—we have conducted an executive interview with some of the top professionals in loss prevention, retail, and a few outside the industry. These exceptional individuals have much to say about a wide range of subjects. And much of what they say is well worth paying attention to. I recently took a stroll through the past few years of interviews and have pulled together some excerpts that I believe deserve repeating. Please take a few minutes to reread the quotes. And if you haven’t read the full interviews recently, we’ve given you the information to find the interviews in your print library or on our website, LossPreventionMedia.com.

INTERVIEW

The Need to

DATA-DRIVEN

REINVENT LOSS PREVENTION

RESULTS AT RITE AID Delivered with Leadership,

The Success Story of Belk’s Bob Vranek

Hunger, and Passion By James Lee, Executive Editor

By James Lee, LPC, Executive Editor SEPTEMBER LP MAGAZINE - OCTOBER | MARCH 2012 -|APRIL LPPORTAL.COM 2012

LPM 0312-B.indd 31

3/23/12 2:49 PM

Robert “Bob” Oberosler, group vice president of loss prevention for Rite Aid, from March–April 2012 OBEROSLER: I’m not the zero-shrink guy. If you want to try to get zero shrink, hire somebody else. I’m going to aim at getting shrink down below a certain percentage number where we have that careful balance between maximizing sales and controlling shrink. You have to understand the customer shopping experience. You are going to have some shrink if you want your customers to have a great shopping experience. I tell my people, “There’s not a mistake you can make in doing your job that I can’t help fix. So, don’t be afraid to go out and push the edge of the envelope. That’s how you learn and make an impact.” In addition to being smart, I really want someone who has a very strong voice. Having a strong voice, being able to express yourself, having confidence in your data, and having the ability to motivate people are all important components of leadership, which, when it comes down to it, is one of the most important characteristics for success—leadership, hunger, and passion.

SEPTEMBER-OCTOBER 2017

LPM 0912-A.indd 29

10/2/12 2:37 PM

Bob Vranek, vice president of loss prevention for Belk, Inc., from September–October 2012 VRANEK: Belk has changed dramatically over the years, and the LP department has evolved dramatically with those changes. We have literally reinvented ourselves three or four different times. So, I’ve not been running the same program for twenty years. The program we run now looks nothing like the program we originally started with. If we hadn’t changed LP as the business changed, I likely wouldn’t still be running the LP organization. Certainly one of the most noticeable changes in our industry is the pure professionalism of the LP team. Everyone acknowledges that we’ve moved past the focus on catching shoplifters—the old cops-and-robbers mentality. We go through cycles. We’ll focus on shoplifting, then it’s on internal theft, then it’s to ORC. In a year or two, I think we’ll be talking about the omni-channel challenges that will have remade our retail operations and opened up new vulnerabilities for us to manage. The LP team we had twenty years ago couldn’t handle the current challenges today. They couldn’t understand the technology. They wouldn’t be able to master the technology and develop the tools we would need to control losses. Not so with the people we have now. They are very professional. They understand the inventory systems. They understand the technology. I have a great deal of confidence in them dealing with unusual situations and being able to step in and drive shortage down.

LOSSPREVENTIONMEDIA.COM

-edge. That’s what at the Retail nce is all about. ry for delivering ail conference e full spectrum otection, the cuses on emerging facing industry ls. No stone is left

TIONS DERS

day’s asset executives address top challenges. Hall at the Retail nce will showcase echnologies used try challenges. See

SMART PEOPLE SAY SMART THINGS

INTERVIEW

HOW WILL YOU BE

MEASURED? Get certified through the Loss Prevention Foundation. Set yourself apart with credentials that are the standard for the loss prevention profession.

FROM RUNNING AN LP ORGANIZATION TO RUNNING A MARATHON POWERED BY THE LOSS PREVENTION FOUNDATION

A CONVERSATION WITH DAVID LUND more information visit losspreventionfoundation.org OFFor DICK’S SPORTING GOODS or call (866) 433–5545 By James Lee, LPC, Executive Editor

ASSET PROTECTION IN A CONVENIENCE-STORE ENVIRONMENT

REORGANIZING THE LP AND AP TEAMS AT STAPLES

A CONVERSATION WITH MARK STINDE OF 7-ELEVEN

A DISCUSSION WITH DAN PROVOST AND STEVE BACICA

By James Lee, LPC, Executive Editor

Educating an Industry, One Leader at a Time LPM 0313-B.indd 29

3/22/13 11:23 AM

David Lund, CFI, LPC, vice president of loss prevention for DICK’S Sporting Goods, from March–April 2013 LUND: From a leadership perspective, I try to provide opportunities for people to grow through certification and education inside or outside of our department, because I want people not only to feel valued, but I know that education will translate to happier people and bigger dividends in what they can do for our company. I would tell you that anybody on this planet can run a 26-mile marathon. They might not run it in two and a half hours, but they’ll definitely be able to finish if they put in the time and energy to training. Like almost anything in life, if you create a plan, you’re dedicated to that plan, and you stick to it, you can do it.

LPM 0513-B.indd 29

5/8/13 2:56 PM

Mark Stinde, LPC, vice president of asset protection for 7-Eleven, from May–June 2013 STINDE: The expectations of an asset protection executive in this organization will consist of three things. First, you must be a great leader, be good to people, and work well with others. Second, you must have a strong business acumen; not just asset protection acumen. You have to understand why it’s important for the operator to be selling fresh food, understand margin, and understand what a P&L looks like and how to contribute to the P&L. And third, and least important of the three, is that you are a highly functioning asset protection practitioner. Early on in my career, I learned to distinguish between a relationship and a partnership. You can have a relationship with someone, and yet you’re not always mutually committed to the resolution of something. For me a partnership consists of shared goals, shared responsibility, and shared accountability. To get there you have to both understand what you’re trying to accomplish, to make sure everyone buys in and is committed to their role in success, and to make sure we are holding each other accountable for the outcomes.

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

LPM 0713-B.indd 27

Dan Provost, LPC, vice president of global loss prevention for Staples (right), from July–August 2013

7/18/13 10:22 AM

PROVOST: The thing that I love the most about loss prevention is the ability to be strategic. In store operations, it can be really difficult to plan a five-year strategy and see it through, but in LP, you really can create a solid five-year plan, execute it, and witness the results. It’s very rewarding. We’ve had a lot of success over the years as an organization. The LP Foundation is the only industry organization that focuses solely on the personal and professional development of the individual. Once I understood that, I was hooked. I am a true believer in the mission and goals of the Foundation. I am extremely proud to be a member of the board of directors, and I preach the word everywhere I go.

SMART PEOPLE SAY SMART THINGS

INTERVIEW

ENTREPRENEUR

INTERVIEW RETAILER

SUPPLIER

THE FIRST PERSON YOU MUST LEAD IS YOU AN INTERVIEW WITH

25 YEARS AT SAKS FIFTH AVENUE

ASSESSING TODAY’S LP INDUSTRY THREE VIEWPOINTS FROM A RETAILER,

BRIGADIER GENERAL (RETIRED) BECKY HALSTEAD

THE EVOLUTION OF ROSAMARIA SOSTILIO

A SUPPLIER, AND AN ENTREPRENEUR

By James Lee, LPC, Executive Editor

By James Lee, LPC, Executive Editor SEPTEMBER - OCTOBER 2014

LPM 0514-A.indd 27

By James Lee, LPC, Executive Editor

LPPORTAL.COM

NOVEMBER - DECEMBER 2014

Rosamaria Sostilio, vice president of asset protection for Hudson’s Bay Company, from May–June 2014

5/12/14 9:32 AM

SOSTILIO: Diversity is defined in so many different ways. I like people with diverse backgrounds on my team. I have a woman on my team that runs investigations who is a former prosecutor. I have a woman on my team who is a CPA. I have a gentleman on my team who is getting his masters in technology. I try to bring in people with all different types of backgrounds. I can teach anyone the fundamentals of asset protection and how it fits into our team and into our company. That’s easy for me to do. I’ve been doing it for twenty-five years. I want people who think differently than I think. I like to be challenged. I focus on diversity in thought, and that’s very, very important. There are still challenges for women in asset protection. There are people who still don’t want to take you seriously. That’s something that I’ve always had to overcome. I dig my heels in deeper and just move forward. I don’t focus on negativity. I surround myself with people who are positive. You need to have faith in yourself.

LPM 0914-A.indd 27

LPPORTAL.COM

9/8/14 2:13 PM LPM 1114 Book.indb 27

Rebecca “Becky” Halstead, retired US Army Brigadier General, from September–October 2014

HALSTEAD: The reason I say that we all have at least one person to lead and that’s yourself is because I’ve run into a lot of people who say that leadership doesn’t come naturally to them. They’re not comfortable with it. I’ve always believed that that was a bit of a copout. I think that people fail to own their decisions and their choices and they just say, “I’m not a leader.” But in reality, they are, because everyone has to lead themself. Most surveys say that the number one thing that people want to see in their leaders is integrity. That’s true, but the only way to have integrity is to be disciplined, because it’s too easy to not have integrity. It’s too easy to take a shortcut. It’s too easy to not quite tell the whole truth. Integrity can be inconvenient. It can be uncomfortable. But choosing this harder right is what we’re supposed to do as leaders. I think that more of us should think about the legacy that we want to leave, and the legacy that we are leaving. Because I think what happens is it makes you start to think about your values, and whether your behaviors are reflecting those values. Because if they are, you’re going to touch lives. And when you touch lives you’re going to make a difference. That brings purpose to your life, and what greater position is there to be in than to have purpose?

SEPTEMBER-OCTOBER 2017

11/24/14 3:35 PM

Three long-time loss prevention industry veterans representing a retailer, a solutions provider, and an entrepreneur, from November–December 2014 RETAILER: Another dynamic is how young people think about jobs differently today and have different motivations than we may have had years ago. You can’t just say, “Well, they’re not like me, so they can’t be good.” That’s not true at all. You have to be open to that difference. Anybody who’s in a senior position better pay attention, because this is the wave of the future. You have to keep up. SUPPLIER: One of the things that I would advise, as a mentor of salespeople, is to always understand and embrace who’s coming up the food chain. The person you have a great relationship with is not always going to be there. When I talk to an LP executive, I always ask, “Who are your best people?” Then I try to build a relationship with their direct reports, their up-and-comers, because someday, I will probably be selling to one of them. ENTREPRENEUR: I think that it’s critical to have a strong IT partner, just as it’s critical to have a strong procurement partner. Because most of the things that are being installed and purchased today are connected to the internal networks, you have to have a strong IT partner who understands what it is you’re trying to do and can support you in getting the solutions implemented.

LOSSPREVENTIONMEDIA.COM

continued on page 32

UNPARALLELED EXPERTISE IN RETAIL LOSS PREVENTION Securitas Electronic Security (SES) is a leader in retail loss prevention solutions. Our centralized programmatic process eliminates variance and delivers a consistent experience from one to many locations. Discover unparalleled security expertise for your business with SES.

VISIT US AT ASIS 2017 BOOTH #2708

Securitas Electronic Security, Inc Formerly Diebold Security

SECURITASES.COM • 855.331.0359

SMART PEOPLE SAY SMART THINGS continued from page 30 INTERVIEW

THE MAGAZINE, CERTIFICATION, BASEBALL, AND C-SUITE ARROGANCE

oss prevention

d specifically to

LAZO: The last several years have shown that companies continue to assess their LP programs. It is the role of LP leadership to continue Art Lazo to seek out opportunities to address challenges that may be outside of the normal LP channels. Retail is constantly changing, and we need to be able to adapt accordingly and show value in our roles.

CHANGING ROLES AND CHALLENGES IN LOSS PREVENTION

A CANDID CONVERSATION WITH JIM LEE, LPC

to elite savings

would have benefited the industry to aggressively pursue diversity of thought and background to make us more effective and relevant.

INTERVIEW

Senior Executives Discuss Professional Development and Career Growth

By Jack Trlica, Managing Editor

By James Lee, LPC, Executive Editor

LPM 0916-A.indd 31

James “Jim” Lee, LPC, executive editor and cofounder of LP Magazine, from September–October 2016

9/9/16 12:14 PM

LEE: An LP executive who is successful understands why, not just what. Knowing what to do is completely different than knowing why we do something. I think LP executives who understand why you do something are successful. I think being the top LP executive in any retail company is a hard job, and I think clearly it is often an underappreciated job and often misunderstood by the C-suite. It’s primarily misunderstood because most of the C-level folks don’t take time to get to know their LP executive and understand the strategy behind running an LP program. And as a result, sometimes C-level people change their LP executive out of an arrogance or out of a self-serving motivation on their part because maybe the results aren’t as good as they would like. But it clearly is out of a lack of understanding the LP executive. And sometimes they make a change that gets them no further ahead. They were just as well off having the previous regime in power.

LPM 0316-A.indd 29

Stacie Bearden, director of asset protection, field for The Home Depot; Tim Belka, senior director of global security for Walgreens; Art Lazo, director of asset protection for 7-Eleven; and Brian Peacock, director of asset protection, US operations for Rent-A-Center, from March–April 2016

3/11/16 9:35 AM

PEACOCK: Today I see a lot of great educational programs for someone starting out in a loss prevention career. I think it is critical to Brian Peacock continue to push yourself to stay in tune with what is trending in your field and to be aware of the changing landscape of retail and the new skills sets needed to stay relevant.

BEARDEN: Broader business experience is extremely valuable within the organization. While there is a significant piece of what we impact that is theft Stacie Bearden and fraud related, there are other completely controllable operational factors. Business acumen is not only beneficial but also necessary as one seeks to change processes and vie for funding. BELKA: Our profession has progressed significantly in the development of diverse thought and background of Tim Belka the people who pursue loss prevention careers. However, in retrospect it

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

continued on page 34

After A Robbery

It Can Be Business As Usual . . .

When you have 3SI GPS Trackers! Our specialized technology uses GPS to automatically detect a robbery and silently alert law enforcement to TRACK and RECOVER your stolen assets.

Recover Stolen Assets. Apprehend Criminals. Visit us at ASIS, LPRC Impact, and Retail Risk NY

#SaferWorld info@3sisecurity.com

3sisecurity.com/retail

SMART PEOPLE SAY SMART THINGS continued from page 32 INTERVIEW

INTERVIEW

BUILDING AN ORGANIZATION AROUND DATA AND TECHNOLOGY

FORTY YEARS OF RESEARCHING

RETAIL LOSS PREVENTION

A RETROSPECTIVE WITH PROFESSOR DICK HOLLINGER

BUILDING A SUPPLY-CHAIN AP TEAM FROM TEE TO GREEN

AN INTERVIEW WITH SCOTT GLENN, CSO AT SEARS HOLDINGS By James Lee, LPC, Executive Editor

A CONVERSATION WITH MIKE COMBS OF THE HOME DEPOT By James Lee, LPC, Executive Editor

By James Lee, LPC, Executive Editor

LPM 0516-A.indd 33

Richard “Dick” Hollinger, PhD, professor at the University of Florida, Gainesville, from May–June 2016

5/6/16 3:46 PM

HOLLINGER: The main trend that I’ve seen over the years—leveraging technology, moving away from people catching people toward technology catching people—has been geared primarily toward the shoplifter. I think employee theft is the hardest of the pieces of the pie to have a direct impact on because of that. When retailers have a highly ethical management team, pay a living wage, give sick leave, provide daycare, provide their employees with the kinds of expectations that one gets in a genuine career, then shrinkage is under control, and profitability goes up. C-level executives oftentimes tend to look at “what have you done for me lately” or maybe “what have you done for me in the last hour” as opposed to “what is the overall trend” and looking at the bigger picture of how to reduce shrinkage.

LPM 0317-B.indd 27

3/13/17 9:47 AM

Scott Glenn, JD, LPC, chief security officer for Sears Holdings, from March–April 2017

GLENN: As well rounded as many of our retail LP and AP leaders are today on the operational aspects of the business—certainly more so than ten or twenty years ago—it’s still a completely different perspective when you have a mentor who is a merchant, CFO, or an operator, somebody that has four-wall accountability and is making corporate-wide decisions. Speaking of planning and discipline, it’s more than a talking point. People in our industry deal with a lot of high-stress, high-risk situations day in and day out, especially our field and store personnel. As important as everything seems to us at work, which of course it is, you must have a level of work-life balance, or you will not be long for this industry. So my parting advice would be to make time for your family; make time for yourself. You have to make time for the things that you like to do to be able to decompress and have a life outside of work.

SEPTEMBER-OCTOBER 2017

Mike Combs, director of asset protection, global supply chain for The Home Depot, from May–June 2017

LPM 0517 Book.indb 29

5/9/17 3:35 PM

COMBS: I would agree that nine years ago there were probably only a few places doing much more than physical security. To some extent there’s still a lot of focus on security. But absolutely now things are much more automated. There’s much more data. There are more systems. Now there are more people trying to leverage those to craft a better strategy to look at everything end to end versus just the four walls of that warehouse. I think that Millennials might possibly change the world for the better. I’m not as pessimistic as other people looking at this new generation. I see things in them that really make me proud. They love their work-life balance, and they see the big picture there. Everybody loves hard work, and they’ll work hard, but they also appreciate friendship and compassion because usually a lot of their relationships have been strong.

LOSSPREVENTIONMEDIA.COM

BENCHMARKING

Understanding Data Analytics in Loss Prevention

he focus of our next benchmarking survey will be data analytics. In our survey of loss prevention practitioners, this topic was ranked second highest after emerging technologies in terms of interest. Prior to undertaking the survey, we thought it important to first map out what the term “data analytics” may mean to the loss prevention industry—it is certainly a phrase now widely used but is open to a wide range of interpretations and definitions. Equally, the way in which data analytics is performed can vary enormously, ranging from something as simple as an Excel spreadsheet sent to store managers to the development and use of customized systems that integrate data flows from across the entire retail business. Moreover, understanding the range and breadth of data sources that can be used as part of data analytics performed by the loss prevention function is also important.

Working in a Data Lake

In the not too distant past, loss prevention was often described as “living in a data desert” with inventory-driven shrinkage numbers, which were only available a few times a year, being the primary driver of most business intelligence. Fast forward to today, and instead of deserts, retailers now refer to having “data lakes,” vast quantities and types of data covering many aspects of the operation. While undoubtedly preferable, moving from a state of data famine to data feast presents its own challenges in terms of prioritization, management, and control of the data. The term data analytics is typically used to describe the collection, interpretation, and dissemination of data in order to describe, predict, and improve the performance of a business. Analytics can be undertaken in many ways, but it is important to distinguish the difference between it and other forms of data-driven systems that provide routine alerts and responses, such as exception-based CCTV systems and EAS alarms. These types of systems routinely generate “data” upon which individuals may react, such as a security guard responding to an alarm at a store exit triggered by an active EAS tag or a member of staff approaching a customer who has triggered an alert at a smart shelf. However, the process typically lacks any form of analytical interpretation. Certainly though, the aggregation and subsequent analysis of this type of data would be data analytics—the key difference being the steps taken beyond simply responding or reacting to data-based prompts. It is also important to distinguish the difference between data analysis and data analytics—the former is the interrogation of data sets, while the latter is viewed more broadly as the analysis, interpretation, and use of data sets to make better informed

SEPTEMBER-OCTOBER 2017

Beck is a professor in the criminality department of the University of Leicester in the UK where he is primarily focused on research on retail crime and shrinkage issues. He can be reached at bna@le.ac.uk. Palmer is CEO/president of PCG Solutions, a loss prevention consulting, training, and education firm. He can be reached at wpalmer@pcgsolutions.com. Peacock is a visiting fellow at the University of Leicester and strategic coordinator for both the ECR Europe Shrinkage and On-shelf Availability Group and the Retail Industry Leaders Association Asset Protection Leaders Council in the US. He can be reached at colinpeacock@hotmail.co.uk. All are frequent contributors to both LP Magazine US and European editions.

business decisions. In addition, while data analytics can be used on single data sources, it is normally associated with multiple data sources and the use of advanced statistics and predictive models. In this respect, data analytics moves beyond simply answering simple questions from data sources—how many refunds store X performed yesterday—to using the data sources to enable the business to make better and more-informed decisions—is the current refund policy being applied correctly across the business, and if not, what changes need to be made to ensure that it is?

In the not too distant past, loss prevention was often described as “living in a data desert” with inventory-driven shrinkage numbers being the primary driver of most business intelligence. Fast forward to today, and instead of deserts, retailers now refer to having “data lakes,” vast quantities and types of data covering many aspects of the operation. How the process of data analytics is performed varies enormously across the retail industry. Some companies prefer to “build” their own analytics capability internally, using the expertise and resources available within their businesses, while others opt for using third-party technologies. A visit to any of the major retail loss prevention conferences and associated exhibit halls reveals a plethora of providers now offering a wide array of data-analytics packages. Others adopt a blended approach using internal resources for some analytical functionality and continued on page 38 LOSSPREVENTIONMEDIA.COM

simply the best

WATCH

LATEST ATTEMPTED BREAK-IN OF A REAR DOOR WITH A TRIDENT LOCK INSTALLED WWW.SECURITECH.COM/TRIDENT-LOCKS See it to believe it!

More Features & Options Than Any Other Exit Lock Access Control Integration •Thru-Bolted Modules Bolts Project Into Frame • Forced Entry Protection Anti-Pry Plates • Free Spinning Bolts Prevent Cutting Customizable • Self-Locking • Code Compliant Fire Rated Models • Miami-Dade NOA Rated Easy Installation • Wall Mounted Alarm Options Protected Moving Parts • Captive Key Alarms No Bolting Into The Floor • Propped Door Alarms Door Reinforcement Kits • Alarm Signal Output Extended Paddles • Nationwide Retailer Use Non-Handed • Non-Sized • Aluminum Paddles Shown with optional 5th hinge side bolt

And Many More To Come . . .

Apply For Our Toughest Locations Program! Sign up at www.securitech.com/trident-locks to receive a free Trident to install at one store* *Some restrictions may apply.

Manufactured in the USA

54-60 46th St. Maspeth, NY 11378

718.392.9000

www.securitech.com

continued from page 36

external systems for other elements. In addition, the location and availability of the human resource to perform the analysis and interpretation steps of data analytics varies considerably—this may reside in the IT department, it could be a specialist function within the loss prevention team, or it could be a service provided by a third party. It could also be a task carried out by a full-time specialist or be something tagged on to the duties of staff employed to perform a range of tasks.

Analytics Uses

Preliminary analysis of how LP teams are using data analytics suggests it is being used in at least three ways, based on the type of analysis being performed, the frequency with which it is done, and the type of employees using it. ■■ Operational data analytics—Typically, automated systems based on multiple data sources and computer algorithms designed to push results to a given audience to trigger organizational responses. This can take the form of data dashboards where the intended audience is guided both in the interpretation of the results and how they might best react to them in order to make business improvements. Frequency of use: daily or weekly. Typical user: store managers or LP associates in field or store-based roles. ■■ Tactical data analytics—The use of data streams that can be interrogated by LP teams to resolve specific issues more quickly and efficiently, for instance the investigation of specific anomalies such as above-average rates of refund frauds or out of stocks. This type of analytics is typically pulling data from business systems. Frequency of use: on an ad hoc basis. Typical user: LP investigators or regional management. ■■ Strategic data analytics—The assessment and review of multiple data sources to enable the LP senior management team to develop medium- and long-term strategic decisions for the business. This type of analytics is typically pulling data from business systems. Frequency of use: quarterly or yearly. Typical user: senior LP executives. One of the key elements in these three types of analytics is the extent to

which the systems employed are used to push or pull data to recipients. As can be seen, a functionality increasingly offered by third-party analytics providers is the collation, interpretation, and dissemination of operational data analytics, typically to store managers, that will not only give them data specific to their situation but also potential interventions that may improve their performance. This data is largely generated automatically and is “pushed” out by the system. For some, this is increasingly being described as “prescriptive analytics”—in effect data analytics but with greater emphasis placed on helping the end user improve business performance. At the strategic data analytics level, where the data is more likely to be “pulled” from the system, some companies refer to the use of “predictive analytics”—another variation on data analytics where the various data streams are collated and analyzed with an end goal of making predictions about what future key data indicators are likely to be. For instance, stores may be offered estimates of what their levels of shrinkage, refunds, or cash losses are likely to be based upon historical data and other changes to their environment.

Data Sources

As mentioned earlier, the range and depth of data sources used in data analytics by LP teams can vary enormously depending on the scope and nature of the department, the data streams readily available within the company, and the type of IT hardware and software being used. Detailed below are various data streams most likely to be used in data analytics: ■■ Security systems and operations— CCTV images; EAS data; access control and alarm records; investigation results; records of internal and external theft; safety incidents; workers compensation; general liability. ■■ Store operations data—Stock audit results, stock adjustments; product damages data, spoilage data. ■■ Point-of-sale data—Transaction data, refund information, self-scan audit data. ■■ Payment data/cash control—Cash over/shorts; deposit shortages; check write-offs; gift card/SVC-losses or fraud; credit card write-off; card payment information; credit card charge backs. ■■ Employees—Staff turnover; performance reviews; management and employee

SEPTEMBER-OCTOBER 2017

tenure; staff engagement/morale survey results; number of full-time versus part-time staff. ■■ Crime data—Local police crime statistics; third-party risk models. ■■ Store profile—Type; size; sales volume; mall, strip, or street; layout; number of entrances; age of store. ■■ E-commerce data—Customers frauds; credit card charge backs; damages; errors; rate of returns. ■■ Supply-chain data—Unknown losses; vendor short shipping; picking accuracy; in-transit losses. As can be seen, the potential data sources are many and varied—the data lake is increasingly fed by myriad data tributaries. Undoubtedly, these suggestions are but a snap shot of what some companies are now using, but the power of data analytics is to enable retail executives to begin to make sense of this wealth of data to improve the quality of the decision-making in the business. Over the next few weeks, we will be reaching out to those companies that have previously contributed to the loss prevention benchmark series to gather information, based upon the framework outlined above, to understand how they are thinking about and using data analytics. In particular, we will be asking about: ■■ The types of data analytics they are using (operational, tactical, or strategic). ■■ How they are delivering data analytics in their business (internal, third-party provider, and so forth). ■■ What human resource they are employing. ■■ The types of data they are making use of when undertaking data analytics. As with all the loss prevention benchmark surveys, the results will be made freely available to the US loss prevention community. As we design the survey instrument, based upon the discussion points above, we would very much welcome any comments and suggestions you might have to help us navigate your retail data lake and how you use data analytics. The topic is hard to define but potentially of significant interest as more and more data points become available to those working in the loss prevention function. For as the old sage Edwards Deming put it, “Without data, you’re just another person with an opinion.”

LOSSPREVENTIONMEDIA.COM

FEATURE

A MALL WITHIN A STORE?

BRICK-AND-MORTAR RETAIL REIMAGINED By Maurizio Scofani, CCSP, LPC

A MALL WITHIN A STORE

nce the symbol of American retail strength that was exported across the globe, the mall is seeing a hazy future. As people shop more online and want something different from their downtime, the mall has become a destination that is approached as a last resort rather than a first choice. There isn’t a great deal to do at the mall other than spend money on goods. Shoppers’ attention spans are short. If you want to grab their attention, then online is the way to do this with low prices and great offers. It feels so easy to order online and get it delivered to home or work. Add in the fear of crime from pickpockets, robberies, and assaults, and you have a place that holds no attraction for a growing number of Americans. Malls are becoming dinosaurs. There is real danger of becoming extinct as the declining numbers of visitors leaves stores unwilling to take vacant units. The future looks bleak in many ways. But it doesn’t have to be this way. The future of offline shopping must look different from the past. Consumers have changed. It is time for retail to change too. What if we have a mall within a store?

is big money spent on wellness, and this ever-growing market of people with disposable income should be the target market for the “new” retail. It has become stale and not kept up with the trend for dealing online. This must change and deliver consumers something that they will tell all their friends about.

What Are the Benefits?

People are spending more on themselves. A busy work life and the stresses of balancing the work-life person they want to be means that there is a desire to keep fit, feel great, and follow a better lifestyle. As more baby boomers leave the workplace, they have a lot of disposable income and heaps of time to spend on anything they like. They are conscious of their health and are looking for sound advice.

What Happens to the Rest of the Mall?

We create some empty space with this concept. The mall within a store can lead to many other aspects of the mall becoming duplicated, then redundant, and then vacant. Obviously, this isn’t the long-term

What Is a Mall within a Store?

A mall within a store brings the experience into play. People may be shopping online, but expenditure on experiential shopping is growing and looks to be the future of healthy retail. You may be able to get items online from a retailer with much lower overheads, but you can’t get a spa experience, a manicure, a workout at a gym, or the latest juice mix at a juice bar. The old model was to build a mall, add on a cinema and a few restaurants, and watch the money roll in. Modern retailers need to be smarter than this. People want to feel good about themselves. There

This is where the mall within a store comes in. It appeals to people who want that experience. While they are in-store, they more often than not will spend money there too. It is a win-win for the retailer that can make the most of their space (so many traditional retailers have large stores that are underutilized) while attracting a loyal audience. In Seth Godin Purple Cow speak, these are the sneezers that will let the rest of the world know what you are all about. We are looking at making a mall a safe haven for the right audience. People will flock to a location that can provide protection from the weather, a reason to visit, and a variety of experiences. Imagine the whole family of several generations arriving at a mall and all having a reason to spend time there. Now the mall must move to within the confines of the shop. But the next question is what to do with all the space that has been generated in this move.

Communication is at the center of any effective change. All stakeholders want to know what is going on. Those that are already in the mall will understand the current way of thinking but will need to be nurtured along the way to the fresh operation.

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

A MALL WITHIN A STORE

solution to delivering a safe place for people to shop. The solution of what to do with the rest of the mall must come from somewhere. There are other services that fit perfectly into this model and provide people with even more reason to visit the location. Thinking about the auxiliary services (for some, these will primary services), one could imagine using the space to cater to those with pets, which is often a no-no in malls, perhaps providing pet health services or an indoor dog park. People use a variety of other services on a regular basis. Making the mall a destination in itself will generate more foot traffic. Adding other options, such as media stations,

pickpocketing or antisocial behavior. The result is that the loss prevention team needs to beef up its presence and provide a different model to protect the assets of all stakeholders. The new mall will meet different challenges from a diverse clientele, possibly longer access hours and a transient custom. The loss prevention services across the mall must evolve.

What Are the Details Behind This?

You may be able to get items online from a retailer with much lower overheads, but you can’t get a spa experience, a manicure, a workout at a gym, or the latest juice mix at a juice bar financial institutions, health services, education provision, and an indoor play area, will make the mall a more attractive place for the whole family to visit together. Giving a wide range of reasons to make a visit to the mall, coupled with the experiences that online shopping simply cannot deliver, will make it a destination. Attracting the whole family and catering to pet owners changes the dynamic.

How Does This Feel for Loss Prevention?

Sadly, a greater footprint can bring with it more potential issues for security and loss prevention. Criminals could see the new mall as a place where they can practice more

service model, along the lines of how the legal industry operates, will give the best asset protection cover at the best value point. Designing something from the ground up that is fit for purpose wins over adapting current (and possibly outdated) models every time. This will lead to a tiered functional matrix that will provide financial stewardship for the mall within a store where all parties can contribute and benefit from this resource.

As the rules of the game change, the different departments of a retail organization must keep up. To think this is just a challenge for operations or marketing isn’t looking at the whole picture. The skills used by the asset protection team will have to develop to meet these demands. Analysis will need to be carried out to see the new pinch points for losses as the customer profile and habits change over time. Doing things the old way just won’t do any more. A mall within a store will have more licenced vendors—third parties that pay for a slice of the space. This means that costs and services will need to be shared, and the vendors will benefit from training and support in this area. A shared

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

It’s all well and good stating that a change must happen, but an active loss prevention team needs to know what this looks like on the ground. Diverse areas of the operation will look very different if we have a mall within a store. One of the first considerations in any change is communication. How the asset protection team connects with the new clientele of the mall within a store can have a massive impact on behavior. Attracting new customers means that you also attract new age groups and dialects that will need to be integrated into communication. This is often dealt with in recruitment and training, so the emphasis on making sure the team is ready to help the new foot traffic and understand their space is all-important. This is extended with the fact that the outside world will now be looking over the asset protection team’s shoulder. Every move will be scrutinized. This has positive and negative elements. The decision-making process must be more transparent and open, so people can see the mall has changed. If we want to attract clients back through the front doors, then they need to understand what protections are in place that were lacking when they decided the mall wasn’t for them. Social media and online reviews

A MALL WITHIN A STORE

show that word of mouth can boost or harm the foot traffic to a leisure activity. Making the new mall a place where the word of mouth is positive takes engagement. With change comes an assessment of where we are now and where we need to be. With the asset protection team, this takes the form of managing the risk. Moving from one formula to another is filled with potential risk if a plan isn’t assessed and enacted properly. The very bottom line of this thinking is the protection of life. People need to be safe and feel safe in the new and unfamiliar environment. The current mall is associated with antisocial behavior and crime in many parts of the country. Creating a safe haven in the

alters the potential risks involved. Tracking people can become the main issue. There will simply be more of them to track, and the protection of the vulnerable offers new challenges to teams that might have been looking in another direction in the past. Don’t forget that criminals will also be looking at this new dynamic and how they can exploit it. Keeping

What New Skills Are Needed?

Thinking about the auxiliary services (for some, these will primary services), one could imagine using the space to cater to those with pets, which is often a no-no in malls, perhaps providing pet health services or an indoor dog park. new mall is paramount. The perfect time to change perception (and it will be perception that persuades people back to this environment) is at the time the mall goes through the conversion. The customer base will change dramatically in this model and precedes a change in managing this new crowd. Older and younger visitors will be present in greater numbers as will the dog friendly environment proposed above. This changes the dynamic of how asset protection works with the public and

A potential change in race that visits the mall (moving to being in a situation where this doesn’t become a discussion). ■■ The LGBT community and having the right knowledge base to interact. This again will take the form of training and monitoring because the team you have will need to adapt to this new way of doing business. Change can be frightening for some, so think about the support and guidance that you can give people in the asset protection team to ensure that they transition effectively. ■■

the safe-haven approach takes a new breed of thinking. This new group of visitors may also necessitate a revolution in the political sensitivity of the personnel employed by loss prevention teams. The cohort of customers will change, almost overnight, so consideration must be made on: ■■ A change in the gender makeup of visitors. ■■ The increasing number of baby boomers with spare time and money visiting.

SEPTEMBER-OCTOBER 2017

A new way of working for the whole mall looks to the future with anticipation. New skills will be needed to accommodate and welcome the diverse client base that will walk through the doors. With the old mall a thing of the past, you will see customers arrive that maybe have never had the mall experience before. The loss prevention team must be ready for the new challenges that lie ahead. Simply operating the same model in a new environment doesn’t account for the changing nature of the safe-haven mall with all the new components and different sectors this will attract. Different dialects or languages may well be used by the new visitors. The radius new visitors will be drawn from will increase significantly, leading to potential communication issues if your team hasn’t been prepared for this. An academic center might bring visitors who don’t have English as their primary language. We already know that effective communication drives higher levels of security and lower shrinkage. The asset protection team must take this into account when devising an effective communication strategy with visitors to the new mall. This includes all forms of

LOSSPREVENTIONMEDIA.COM

A MALL WITHIN A STORE

communications—signage around the mall, face-to-face communications between team members and the public, and public announcements. The safety of all the people in the mall is of paramount importance. Letting people know when they must move from one area to another (in fire drills for example) or that they may be subject to additional security measures from time to time is an essential part of welcoming new visitors to the mall. If this new model is to work, then the users of the facilities should feel comfortable and safe at all times. The old mall that leaves people feeling vulnerable has driven away visitors in droves. This must change when the environment alters. Communication is at the center of any effective change. All stakeholders want to know what is going on. Those that are already in the mall will understand the current way of

thinking but will need to be nurtured along the way to the fresh operation. Those that are using the mall for the first time will walk into an experience with their own expectations. The way you guide them through the structures will make the difference between a future where all parties work together for the good of the mall and a future where there is conflict and separation of interests. The licenced vendors in the store and the additional service providers in the mall are vital in the effective management of the mall and the risks that may be faced in this new environment. Buy-in at all levels before the mall is opened in its new entity will see a smooth transition. Thinking about how this communication can be delivered in different languages or dialects in an effective manner will be the first step on the road. Communication that is planned with a clear goal in mind

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

will provide a structure to work with. Delivering it in language that is understood by the recipient will make the goals of this communication come true. The old may well replace the young in the new mall. A place where teens and preteens hang out to harass people and maybe get involved in low-level crime should be replaced by the safe-haven approach. Communicating with troublemakers has its own language—one of authority and low tolerance is seen as the most effective way to remove this potential threat and move it down the road. But this isn’t the kind of language that will appeal to the older clientele that the new mall will attract. Your asset protection team will need to be coached to have nurturing and positive conversations with these new visitors. The current

A MALL WITHIN A STORE

perception of the asset protection team as policemen should be replaced with the image of enablers and facilitators. Language is at the very heart of this approach. This may take time as the visitor profile changes, but with support and guidance, you can all work together to make the safe-haven mall feel like a natural home away from home for the patrons who will now enter the doors.

Where Does Technology Come into This?

Adopting the latest technology can be seen as the answer to many questions in retail, especially when it comes to asset protection. But there is a large investment here, and it must be considered carefully before hands go into pockets and money comes out. The right technology will become

an effective tool in monitoring all the potential pinch points that we have already outlined in this article. Predicting the way loss may happen in a new environment is vitally important. Collecting data to develop modes of behavior is

Moving from one formula to another is filled with potential risk if a plan isn’t assessed and enacted properly. The very bottom line of this thinking is the protection of life. People need to be safe and feel safe in the new and unfamiliar environment.

Introducing LPM Online An All Digital Companion to LP Magazine’s Print Edition

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

A MALL WITHIN A STORE going to help move resources to the most effective places in the future. The asset protection team must consider what forecast and situational planning demands and alerts will be needed. Effective communication between team members is vital, but formalizing this communication and collating the data is just as important when deciding where precious resources are allocated from then on. In the early days of the new concept of a mall within a store, this will be a huge learning curve for the team. New behaviors, new flows of people, and new customers will inhabit the space, and we will all need to learn from each other. Regular team meetings at that point will bring together shared best practice. The technology systems will allow the team to understand through qualitative and quantitative data interpretation, which will require stochastic tools to predict event

probability. This puts them on the forefront when it comes to dealing with potential problems. Going into a new situation blind increases the scare factor many times over. This is all part of the support process. A mall within a store can change the way people interact with a retail environment. The past and current model of “if you build it they will probably come” isn’t working. Online shopping is over its days of feeling like the Wild West and is now seen as a safer option by many consumers. In contrast, the mall feels like a risk in terms of having a higher price than online stores, putting their person or possessions in harm’s way, and being a hassle in terms of travel.

Making the mall a place where experiences happen, those that you cannot even contemplate online, and adding in vital services creates a mall that can become its own place, almost like an enclosed community or town. The future can look bright if we understand the demands of the consumer. A race to the bottom on price drags other elements of the offline retail space down with it. Service suffers, security takes a hit, and people stay away in droves. A mall within a store looks to provide a space where current and future consumers want to hang out. This feels like a pretty cool place to visit. I hope we get there.

MAURIZIO P. SCROFANI, CCSP, LPC is a well-known supply-chain asset protection professional with over twenty-five years’ experience in retail and manufacturing. He is a prolific writer and frequent speaker at regional and national conferences. Scrofani is a consultant and general partner with MPS Ventures. He was recently named vice president of supply-chain security and intelligence for ALTO US. Scrofani can be reached at maurizio@mpsconsultants.com.

CUT SHRINK IN HALF Reduce Labor Up to 80%

Turtle is a multi-function device that is proven to reduce theft, reduce labor costs, and a ROI of 6 months! Learn more @ www.intelligentlossprevention.com 800.747.4665 or 815.877.7464 visit us online at www.southernimperial.com

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

EVIDENCE-BASED LP

Footprints and Flea Markets E

by Read Hayes, PhD, CPP Dr. Hayes is director of the Loss Prevention Research Council and coordinator of the Loss Prevention Research Team at the University of Florida. He can be reached at 321-303-6193 or via email at rhayes@lpresearch.org. © 2017 Loss Prevention Research Council

anti-robbery, anti-burglary, anti-theft, our Security Operations Center (or SOCLab), and signatures.

very living person generates signals, signatures, and noise, if you will. As we move through time and space, we shed DNA, talk on phones, travel, register for, apply for, and purchase things—all the while texting, emailing, tweeting, posting, and so on.

LPRC Innovation Chains

An LPRC innovation chain often starts with initial research and development at the LPRC and University of Florida (UF) innovation lab. Subsequent trials can be conducted in actual physical test stores and distribution centers provided by member retailers to fine-tune the program based on shopper, employee, and offender feedback. Finally, adjusted anti-crime and loss processes are frequently rigorously evaluated in randomized, controlled trials across larger samples of locations to estimate their efficacy and cost-effectiveness. The chart below is the current iteration of the LPRC UF Anti-Robbery Innovation Chain.

Human Footprints

This biological and digital exhaust and our literal and digital footprints are with us now and in the future. And so it goes with our retail customers and criminal offenders. This phenomenon is a huge opportunity for us to leverage these bio-digital signatures to attract and keep more good shoppers, as well as to deter, disrupt, and detain those attempting to defraud, attack, and steal from our organizations and people. To further build cost-effective, protective packages (integrated tactics and technologies), executives from over forty-five Loss Prevention Research Council (LPRC) member retail chains and sixty-five technology partners are working in focused innovation chains (ICs). Current ICs include

Zones of Influence

As many readers may have heard by now, the LPRC and UF teams are working hard to help our retail, manufacturing,

Anti-Robbery Innovation Chain iLab > Gainsville > Baltimore

Zone 4

✓

Slack channel

✓

Map large

✓

Cap index

✓

Captis intel

✓

MOOD parking lot music system

✓

Interface GPS trackers with photo imaging

✓ ✓

Mosquito

✓

Outside exit face cameras License plate reader Mac address sensor

✓ ✓ ✓ ✓ ✓ ✓

Outside camera with bllinking LED lights

Signage

Retailer 1 Retailer 2

Zone 5

(Parking Lot Control Innovation Chain) SelectaDNA exit mist LiveView video platform trailer Security guard/ vehicle options Entry/exit barrier options

Signage

Zone 3 Inside exit barrier (Blue Line) Facial recognition Entry ePVM options

Zone 2 SelectaDNA apply to assett Duress words detection Anti-counter jump solutions Multi-view ePVM

Signage

Cash drop

Smart safe

Zone 1

✓

Retailer 3 Retailer 4

✓

Retailer 5 Retailer 6

✓

Retailer 7

✓

Retailer 8 Retailer 9

✓

SEPTEMBER-OCTOBER 2017

✓ |

✓

LOSSPREVENTIONMEDIA.COM

✓

and solution partners obtain and provide accurate and actionable information and solutions from and to all five “zones of influence.” Below is a generalized zones of influence graphic:

ZONE 5

ZONE 4

ZONE 3

ZONE 2

ZONE 1

Cyber / Public

Parking Lot

Interior

Category Area

Point / Asset

The LPRC team works closely with the University of Florida’s Center for Retailing Education and Research to craft holistic initiatives that simultaneously boost sales, lower costs, and reduce crime and losses. In his September 4, 2017, post on his extensively read retail blog at tonydonofrio.com, noted Tyco/Johnson Controls executive Tony D’Onofrio made the following observation on how a precision LP/AP framework using effort-risk-reward, see-get-fear concepts deployed in the five zones of influence can help improve all retailing facets: “Brand differentiation and immersive customer experience are the two critical elements that will drive the future of retail. Physical and digital variations of these critical elements need to converge into a seamless unified commerce or [omni-channel] ecosystem. “There is a compelling correlation between [UF and LPRC’s] research and the future of retail. Digital empowerment of today’s consumers leads to multiple ‘zones of influence’ towards the actual purchase. Focusing only on the product on the shelf [or even just the in-store experience] is not a recipe for retail success. “The value is derived by the intertwined connections between the zones of influence. Think of the power today of new voices such as social media / online reviews (Zone 5) and their impact on legacy retail models. “Discerning the ‘zones of influence’ leads to deeper consumer engagements. Innovation chains can be leveraged to shape a positive, engaging shopper experience.”

SOCLab and Tabletop Exercises

The LPRC SOCLab team and advisors conducted the initial shakedown, tabletop exercise on September 8, 2017. It concluded successfully and brought lessons learned on how to improve the lab and conduct progressively more challenging and realistic exercises, as well as needed situational awareness and decision-support apps. Kevin Coleman, senior VP of asset protection at Macy’s, and CCI/Protection 1’s Garret King subsequently presented an active-attack scenario with lessons learned, along with SOCLab upcoming tactics and technology improvements at the LPRC Impact Conference upcoming in October. We strongly encourage your organization to assign someone to the SOCLab steering team to work with us as we strive

RIGHT ON THE

MONEY.

Secures your cash. And your future. Ascent Validating, Note Deposit, Coin and Note Dispensing safe components let you build the ultimate expandable system to secure, track, and account for your cash – dramatically reducing loss, while ensuring employees handle cash less and customers more. See how Ascent can take you to the top now, and even farther as you grow in the future. Call 800-452-4655 x. 3001 today, or visit www.fireking.com.

Call (800) 342-3033 ext. 3001 today, or email info@fireking.com.

continued on page 48 LP MAGAZINE | SEPTEMBER-OCTOBER 2017

FSG-0011_Ascent_STORES_Ad_3.333x9.5_v4_final.indd 1

47 7/27/17 3:19 PM

continued from page 47

Retailers should continue experimenting with innovative ways to devalue stolen goods (benefit denial), as well as investigative enhancements like synthetic DNA marking.

to enhance “Detect-Define-Decide” capabilities for storms, disturbances, and active crimes in progress.

UF Now and Next Update

The UF online “Evidence-Based LP Online Certificate” course is completed and ready for enrollment. The course is designed for entry-level to experienced LP/security practitioners, technology designers, and interested parties to participate online in a very informative and challenging University of Florida course. More information is available by searching “evidence-based loss prevention” on the university website at ufl.edu. Further, UF is placing student interns into retail and technology companies this spring and summer. For more information, please contact operations@lpresearch.org or ufcrer@warrington.ufl.edu.

products activity. Approximately one third of the markets had the shaving items for sale, with a handful offering the item for sale with EAS or store stickers on them. A second phase of the research involved our teams offering premium blade replacement packs for sale to twenty-eight booth operators in several markets in Florida that had Gillette blades on display. The product was offered for sale in pristine condition, in torn packaging, with store logo-stickered packages, and out of the packaging to determine the effects of these conditions on the price offered by operators. Twenty-one of twenty-eight booth operators who were offered the shaving product (which was described as stolen) also purchased the items. There was no real difference in “wholesale” pricing with all the items other than a slightly lower price offered for the completely out-of-package items or competing or store brand. One booth operator placed the packs with retailer-specific stickers in front of other non-stickered items claiming the retailer logo marketed that it was “legit.” The following are action steps to consider: ■■ Certain flea markets appear to present a compelling threat to some stores. It is difficult to determine a robust method for determining whether a local market is a threat without periodic surveillance by store staff, by law enforcement partners, and by debriefing detained shoplifters. ■■ Product marking with secured retailer-specific logos did not appear to deter flea market operators from buying the goods, nor did they diminish the price in this relatively small pilot test. Evidence from this study supports the hypothesis that marking may not always deter boosters or fences, but does significantly aid in recovery and mapping organized retail crime (ORC) networks and stolen goods’ flow. Please let me know any questions you might have on this very abbreviated study summary.

Product marking with secured retailer-specific logos did not appear to deter flea market operators from buying the goods, nor did they diminish the price in this relatively small pilot test. Featured LPRC Study

Each edition of LP Magazine, our team will feature a past LPRC or UF study that typically includes the topic, research method, research findings, and implications. This study looked at some flea market (noted theft demand centers) dynamics. There are over 5,000 flea market type operations in North America, of which at least 1,000 are considered semipermanent. These markets are also referred to as swap meets, trash and treasure, boot sales, and outdoor markets. Many studies across the globe have demonstrated some booth operators in some flea markets do deal in stolen property. However, most booth operators and even most markets do not have stolen items available. Of special note, flea markets can be good selling channels for stolen property, but there are often easier ways to convert stolen product to cash online via small stores, other small business and street fences, drug dealers, friends and coworkers, and by exploiting liberal or poorly executed store refund policies and practices. Almost 100 flea markets were randomly selected from a guide of 1,000 locations and visited by our teams to assess the availability, pricing, and condition of a high-loss men’s shaving product as example of flea markets and stolen

SEPTEMBER-OCTOBER 2017

Sponsored Editorial

Interview with Caroline Kochman

The Win-Win of Retailer-Led Offender Rehabilitation

Caroline Kochman is executive director of the National Association of Shoplifting Prevention (NASP). She began her tenure with NASP in 1993 as director of court services where she played an integral role in the development and distribution of NASP’s court- ordered prevention programs. NASP now works with all stakeholders in the shoplifting problem providing its educational solutions at all levels from individual offenders to retail victims to the criminal justice system.

What’s the value of education-based programs, and how do they work? Education-based programs offering offense-specific, age-appropriate programming for shoplifting offenders are proven to reduce repeat offenses, which is not only the imperative of the criminal justice system but also the goal of the retailers as the victims. Moreover, education will reduce recidivism regardless of where in the offender process it is provided. Whether immediately upon apprehension as part of a police or prosecutor pretrial diversion program or as a formal sanction of the court, education is the key. At what point in the process it happens is not relevant, only that it in fact happens and is a proven-effective and offense-specific program. Traditionally the court system provides sanctions for offenders, but it’s very expensive to process offenders through the system, often costing $2,000 to $3,000 per offender. Even then, there’s no guarantee that education will be part of the resulting sanctions. Pretrial diversion programs provide an alternative to the formal court trial process but consume significant police and prosecutor resources and still don’t guarantee education as a sanction. If the mutual goal is to conserve police, court, and criminal justice resources, to hold offenders accountable, and to build the competency to make better choices, then it’s not about when or who provides the education, just that it’s provided and that the offender successfully completes the program.

the educational option and live up to its requirements or to follow the traditional path through the formal court system and accept the sanctions and consequences. The key is using a properly modeled program executed in partnership with local criminal justice that has policies and processes to protect the offender’s choice—as well as the interests of all stakeholders. Especially in a nontraditional program, it’s critical that every stakeholder, including the offender, invests effort and reaps benefits in equal measure. This is the key to a successful and sustainable program.

Do you have any hard facts that show these programs actually work? For example, the recidivism studies are the only proof of effectiveness of any legitimate criminal justice program. Independent studies, as opposed to self-conducted evaluations, are the best proof of the effectiveness of a program. However, while recidivism rates—the rates at which offenders are involved in repeat offenses—are a vital measure of a program’s success, they are often misrepresented. Recidivism studies are tricky, and their inevitable limitations must be recognized. For example, the criminal justice system doesn’t share case information across jurisdictions, and thus each study can only record reoffenses within the same jurisdiction. So even lengthy studies are limited in scope. Make sure you know the limitation and scope of any study cited.

Why should retailers embrace these programs? With the lack of resources in the criminal justice system, retailers can no longer rely on the traditional process to accomplish their goals—the most vital of which is to reduce recidivism. This isn’t an indictment of the court system, but simply the current state of affairs. Since retailers are most directly affected by retail theft, they simply cannot afford to be ineffective at changing behaviors to reduce recidivism. Nontraditional, retailer-led, pre-arrest programs have the same goals and accomplish the same thing as traditional programs, only faster, cheaper, and with better outcomes for all involved. They provide the offender an opportunity to avoid being arrested, entering the criminal justice system, and ultimately having a criminal record that can have devastating, life-long consequences.

How do you respond to claims that these programs “violate California’s extortion and false imprisonment laws?" The ruling in California was very clearly about one particular program’s process and not necessarily about the value or even the validity of this type of program to the offender or the community. These programs are designed to give an offender a choice. Even traditional diversion programs in the court system provide a choice for offenders. In both cases, offenders can choose to participate in

SEPTEMBER-OCTOBER 2017

What is the potential benefit to the shoplifter involved in a retailer-led program? Reduced recidivism benefits all stakeholders—including the offender. Ongoing involvement in shoplifting is no better for the offender than it is for the store or the community. Each offender benefits from a one-time opportunity to avoid a permanent criminal record if they wish to take responsibility for their actions, make reparation to the store, and participate in an appropriate education program.

How do retailer-led diversion-style programs benefit the public sector? The Crime Accountability Partnership Program has already reduced retailer calls to police by up to 60 percent in hundreds of jurisdictions across the country, saving $100 million in criminal justice resources based on the average cost to process an offender through the traditional criminal justice system. In any community where these programs are in place, police not only benefit from the reduced calls but also gain the advantage of knowing that when a participating retailer does call for a police response, it’s because they have an offender who requires police-level intervention for the safety of the store, the offender, and the community. LOSSPREVENTIONMEDIA.COM

Connect With Your Crew Let your audience choose their preferred platform to increase awareness and participation. Offer engaging e-learning and communication tools to inspire exploration and growth. Feature built-in feedback applications to obtain their creative input. At LPM Media Group, our mobile and digital solutions move meaningful connections from possibility to reality.

Online Learning Management

Mobile Awareness Solutions Digital Magazines

Digital Signage

Custom Animation & Video

#connectwithyourcrew | www.LPMmediagroup.com

SOLUTIONS SHOWCASE APPRISS RETAIL

Controlling Shrink by Monitoring Sales-Reducing Activities

oss prevention departments have, for some time, successfully examined risk flags within point-of-sale (POS) transactions to identify exceptions that may indicate theft or loss. These risk flags, many of which decrease potential revenue, are increasingly categorized as SRAs or sales reducing activities. Today, monitoring SRAs to drive shrink reduction is attractive for several reasons: ■■ They are identifiable with analytics. ■■ They can be indicators for both fraud and unintentional loss. ■■ They are controllable through policy, procedure, and systemic changes. ■■ Remediation delivers ongoing profit protection. In this article, Appriss Retail will review some common retail POS SRA events and their connection to shrink.

Common POS SRA Categories

Many activities that generate SRAs exist to improve customer service and to correct errors that occur occasionally in the normal course of conducting a sales transaction. The goal of analyzing high-level SRAs is not to eliminate all instances of the activity but rather to determine the natural frequency at which these events occur within the organization and to identify behavioral outliers from the baseline. Some SRA categories commonly seen across retail verticals are: ■■ Line voids and error corrects ■■ Post voids ■■ Suspends ■■ Coupons ■■ Price modifies ■■ Refunds ■■ Tender swaps ■■ Tax override ■■ Manual entries Your retail business process may not encounter all categories, but your point-of-sale captures any SRA events and records them in the t-log. From there, exception-based reporting (EBR) solutions, like Appriss Retail’s Secure™ Analytics, can be used to analyze SRAs in detail and combine them with additional risk variables at any level within the store operational organization. Individuals with store-level responsibilities can find hotspots and resolve root causes in individual locations or request retraining for specific associates. Regional and corporate-level personnel can find and address the broader issues and causes using similar analyses for the whole organization. An uptick in SRA frequency can indicate fraudulent activity, but when employee fraud is not found, the analyst

should look for systemic or execution problems, as store employees may have developed a work-around for a problem that is not readily visible to the corporate office.

Shrink, Loss, and SRAs

Fraud—The Short-Term Concern Even before there was a specific term, loss prevention pros monitored what we now call SRAs to find fraudulent activity. This works well when the EBR system is in the hands of a skilled user. In the course of a year, a retailer can save hundreds of thousands—even millions—of dollars and achieve excellent results by focusing on the largest cases. Independent research by graduate students at the University of Texas at Austin showed a strong relationship between SRAs and fraud. The researchers ranked a national convenience retailer’s stores against each other for SRAs and calculated a risk factor. The 20 percent of stores with the highest risk factors were considered likely to have experienced fraudulent activity. Systems and Processes—The Long View A report from LP Magazine stated that in one retail chain, 77 percent of the employees who were terminated for stealing from their employers took advantage of an opportunity the employer created. As the cost for criminal prosecution continues to rise, retailers are increasingly likely to overlook petty theft and focus only on the big cases. While a justifiable use of resources, this approach should not exclude the methodical analysis of these SRAs, which offer a better opportunity for success. By tracking SRAs and remediating the weaknesses they reveal, retailers enjoy immediate savings as well as ongoing profit protection. Consider these scenarios: ■■ A retailer attempts to install a software modification to block expired coupons from being redeemed, but a software bug prevents the modification from taking place, and the coupons continue to be accepted. ■■ Confusion over a new employee discount policy leads to the sale of merchandise below cost. ■■ Professional discounts are extended to shoppers based on their appearance instead of through identification. Those examples make it easy to understand how using SRAs to find and fix systemic problems can deliver lasting margin-protection results. As an added benefit, resolving these issues clears the clutter from transaction analysis, which makes it easier to identify employees who intended to defraud.

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

SOLUTIONS SHOWCASE APPRISS RETAIL Seasonal Impact SRAs and shrink trend together, and they peak during the holiday season. Research from 2016 stated that 37 percent of shrink in the US and 38 percent of shrink in the UK occurred during the fourth quarter. The SRA distribution for both countries exceeded 40 percent at that time—roughly double that of other quarters. Margins dropped by about 9 percent during this period. One SRA in particular, returns, peaks during the fourth quarter holiday season. According to the National Retail Federation, returns as a percent of sales were 2 percent higher than the annual rate in 2015. This tendency has been recorded for years in NRF’s annual reports.

Monitoring SRAs for Improved Financial Performance Both “good” and “bad” SRAs impact shrink. They should be monitored on a corporate level to identify emerging problems quickly, before annual shrink is calculated. In addition, people with store and regional responsibilities can use them to spot unusual activities at store level. An LP professional, for example, will make better use of the time spent on a store audit by running an SRA report in advance.

Controlling Shrink SRAs not only indicate where shrink may have taken place but also can be used as an early indicator of future shrink. By analyzing the transactions from Appriss Retail’s install base of tens of thousands of retail stores in a variety of retail verticals, the company calculated the correlation between current SRA volume and future shrink. The SRA to Shrink Trend table shows the relationship across the industry. (Results vary by individual retailer.) The more transactions containing SRAs, the higher the shrink percentage. Therefore, reducing SRAs will help reduce shrink. SRA to Shrink Trend > 3%

Shrink

2.501 to 3% 2.01 to 2.5% 1.501 to 2% 1.01 to 1.5% < 1% fewer

Analyzing the SRAs with Appriss Retail’s Secure Analytics is a quick and effective way to learn where to focus efforts to reduce shrink and ultimately improve profits. Visit apprissretail.com for more information.

Transactions Containing SRAs

The table clearly shows the correlation of SRAs and shrink. By monitoring SRAs throughout the year, retailers can detect problem stores and resolve root causes before it is too late. Erosion of Net Sales The errors or other situations that instigate legitimate POS SRAs diminish the customer experience for everyone waiting to check out—whether it is a pricing error that leads to a line void, the need to adjust tax for a professional contractor, suspending a sale while the consumer returns to the car for a wallet, or any number of other issues slow transaction times. The flow chart above right shows some of the common impacts.

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

SOLUTIONS SHOWCASE AFA PROTECTIVE SYSTEMS

Ensuring the Safety and Security of Your Most Important Assets

hen was the last time you thought about the integrity and function of your fire alarm and security systems? Have you ever considered what would happen if your life-safety and security systems didn’t work properly in the event of an emergency? If a fire occurs, you expect all systems will function properly, alerting staff and customers to get to safety. You trust that your burglar alarm systems will function properly during a break in. However, if these systems fail to operate as intended, the consequences can be dire. It’s easy to take the effectiveness of your fire alarm and security system for granted. Therefore, you need a fire alarm vendor and security partner with experience, reliability, and dedication to your system’s performance. For a busy retail or corporate manager, you can’t afford to make a mistake regarding your fire alarm vendor or security provider—a mistake that could mean the difference between all or nothing. Founded in 1873, AFA has delivered best-in-class solutions for installing, monitoring, and servicing fire alarm and security systems. AFA’s story began almost 150 years ago, under the name of Automatic Signal Telegraph Co. of NYC, with authorization from the city mayor to automatically transfer fire alarm signals to the headquarters of the city’s fire department. Over the next century and a half, AFA continued to innovate. AFA was one of the first companies to transfer alarm signals over telephone lines. AFA developed the first multiplex signal transmission system. AFA also pioneered computerized fire alarm and security monitoring. As a leader in fire alarm and security services for over a century, AFA has earned the trust of its customers by delivering exceptional levels of responsiveness, dependability, and thoroughness across the scope of its services, including: ■■ Fire Alarm Services—installation, maintenance, and test and inspection. ■■ Security Systems Integration—burglar alarms, video surveillance, and access control. ■■ Central Station Monitoring Services—including UL-listed and FM-approved fire alarm monitoring and burglar alarm monitoring.

When it comes to the safety of your staff and your customers, the security of your assets, and the overall protection of your company, you can’t afford to take anything for granted. Choose a fire alarm and security partner with a rich history in life safety and loss prevention. Choose a partner with a reputation for excellence and leadership. Choose AFA Protective Systems, Inc. to protect your people, property, and assets. Visit afap.com for more information.

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

SOLUTIONS SHOWCASE DETEX

Is Your Back Door Protected?

break ins. Even if the exterior door hinges are compromised, the DX bolts keep the door locked and secure. These passive deadbolts are easy to install and offer another layer of attack resistance. Through-bolt mounting installation improves the door’s holding strength. You choose the right application and level of protection by choosing one, two, or three bolts for a total of four, five, or six locking points. Other 230X models include: ■■ ECL-230X (dead bolt only) ■■ ECL-230X-W (weatherized dead bolt) ■■ ECL-230X-TB (top and bottom bolt) ■■ ECL-230X-W-TB (weatherized top and bottom bolt) ■■ ECL-230X-TD (top and dead bolt) ■■ ECL-230X-W-TD (weatherized top and dead bolt) ■■ ECL-230X-W-TDB (weatherized top bolt, dead bolt, and bottom bolt) Additional benefits include: ■■ The lock body is made from a corrosion-resistant alloy. ■■ It offers surface or flush reversible strike. ■■ The durable photo-luminescent sign absorbs light, then “glows in the dark” when lights are dimmed. ■ I t offers non-handed door handling. ■ R esetting the alarm can only be accomplished with a control key. ■ L ocking and unlocking the dead bolt always arms and disarms the alarm. ■ I t accepts five-pin through seven-pin standard and interchangeable core rim cylinders without using a cylinder collar. ■ An optional inside pull handle is available. Almost all hardware and accessories can be customized with different finishes, colors, sizes, and more. Ask us how this new generation of life-safety and security hardware can make a powerful difference at your back door. For more than a century, Detex has earned the trust of architects and owners who rely on Detex products for the life safety and security of people and property. A USA company, Detex designs, manufactures, markets, and ships products from New Braunfels, Texas. Detex is known internationally for life-safety and security-door hardware, loss prevention and architectural hardware, integrated door-security systems, and guard tour verification. Visit Detex’s website at detex.com or call (800) 729-3839.

etex introduces a maximum security, multipoint lock so big and strong that it stands up to assault by the bad guys and reduces employee and customer theft. Exclusive to Detex, the ECL-230X-TDB is a heavy-duty, easy-to-install, three-bolt, multipoint lock. Its construction takes panic hardware to a whole new level of toughness and eases your back-door security worries about the bad guys peeling the bottom of your back door to gain entry. Built for maximum strength, it is designed with a larger deadbolt that goes deeper into the frame than other locks in the category. Connecting rods are solid steel rather than the less reliable, hollow rod or cable construction. Life-safety and code compliant, the new Detex ECL-230X-TDB serves as both panic hardware and a maximum-strength locking device.

The ECL-230X-TDB includes a photo-luminescent sign available in more than ten color and language combinations, a 100-decibel alarm, and three locking points per door. Together, the three bolts withstand 16,000 pounds of pull force. ■■ Top deadbolt—approximately 1” wide by ½” thick, the top bolt provides additional stability to the top corner of the door. ■■ Side deadbolt—2¼” tall by ½” thick deadbolt with a 1” throw allows for 3/4” penetration into strike. (Detex recommends flush installation for maximum security.) With more than 1½ square inches of bolt engagement, the side deadbolt provides superior defense against pulling and prying on the side of the door. ■■ Bottom bolt—a 5/8” HEX bolt with 3/4” throw engaging the floor with 5/8” penetration provides better attack resistance and superior defense against the “peeling up” of the bottom of the door. Add suffix DX3 (ECL-230X-TDB-DX3) for six locking points for even stronger security, providing an additional line of defense against

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

SOLUTIONS SHOWCASE INSTAKEY

Great Partnerships Strengthen the Core of Business

hen it comes to physical fitness, it’s important to build a strong core foundation. A strong core gives you that coveted beach body, but it’s also important to overall health. The core is the body’s powerhouse and is important for balance and stability. It facilitates movement and keeps your organs and central nervous system operating at peak performance. When a body’s core is weak, it can cause back pain, heart disease, and several other preventable ailments. The same can be said for the core of a business. Without a strong core, inefficiencies run rampant, and profitability is less easily attained. Behind every successful business are strong partnerships. Strong partnerships strengthen the core of a business like nothing else. This is true of the partnership between lululemon athletica and InstaKey Security Systems. Just over ten years ago, it came to the attention of lululemon’s facilities department that there had to be a better way to secure its stores rather than having to rely on a core-swap program that was no longer feasible due to inefficient turnaround and growing budgetary costs. That is when they identified InstaKey’s KeyControl® program as a strong solution Greg Brumley, Vice President, Asset for the store’s security. Protection and Facilities, lululemon

Streamlining for Cost Efficiency

InstaKey’s program approach streamlined the ordering and delivery processes and significantly reduced the costs associated with managing a mechanical lock program. Before partnering with InstaKey, the cost of each core swap, due to employee transition, was around $140. (Today’s cost is closer to $240.) With InstaKey’s unique, turnkey, rekeying solution, each event now costs lululemon $70. That’s an immediate ROI upon the second rekey event. When it came to streamlining the ordering and delivery processes, lululemon maximizes on best practices by retaining the Rekeying Kit on site (in a safe) for when a key is lost, stolen, or unaccounted for. This solution allows for an immediate rekey response to the loss of a key, instead of waiting on a locksmith or cores and keys from a supplier. Additionally, freight costs are dramatically reduced because shipping the next Rekeying Kit delivers standard ground instead of overnight. In September 2014, lululemon’s facilities team wanted to further tighten their key control and began to work more closely with InstaKey and store operations, teaching stricter key-management practices. By teaching stores to get the keys back upon employee separation, they began to reduce the need for the rekey events themselves. Later in 2015, Greg Brumley, vice president of asset protection and facilities, joined lululemon and reevaluated the KeyControl® program again. He believes that strong partnerships are critical for any company

to achieve success. He added, “It’s kind of like your core strength; nothing works right without it.” Brumley went on to explain, “From a facilities standpoint, the InstaKey solution allows us to quickly respond to the needs of the store regarding initial basic security. We can rekey the store immediately at a fraction of the cost compared to locksmiths or managing a core-swap program. Also, having InstaKey manage the program for us is a huge benefit because it allows us to focus on other important facilities responsibilities. From an asset protection perspective, we can also be assured that keys aren’t copied, get managed at store level, and are changed quickly when lost, keeping our locations secure.” George Woodruff, InstaKey’s client services manager, explained, “By establishing a close working relationship with asset protection and facilities, our team has a clearer picture of its goals in assisting the stores, has better visibility for what is coming, and has a core of trust that guides a seamless program.” He also added, “Through sharing of corporate culture, many personnel have now become lululemon brand loyalists and personally own their responsibilities for their partner’s overall satisfaction.” For example, the graph below illustrates how a consistent evaluation and sharing of key-control data can result in dramatic cost reductions. In this case, lululemon’s rekey events have reduced 120 100 80

280 stores 28% rekeying

Rekeys Over Time

Program Evaluation 320 stores 24%rekeying

340 stores 31%rekeying

40 Today 340 stores 10%rekeying

20 0 2006

2008

2010

2012

2014

2016

significantly due to the open communication, access to information, and shared goals with assisting the stores. The strength of any partnership is always evident in the results. InstaKey strives to support all clients with prompt order turnaround, solutions at store level, a professionally managed program dedicated to implementing and maintaining best practices, and training designed to keep the program efficient and secure. Together with its clients, they build strong, core, key-control partnerships that provide simple and cost-effective security for any organization. Visit instakey.com for more information.

LP MAGAZINE | SEPTEMBER-OCTOBER 2017

INDUSTRY NEWS

Walmart Asset Protection 2017: Problem Solvers and Business Partners By Karen Rondeau, LPM Media Group

PM Media Group was on site in August at Walmart’s Asset Protection National Meeting in Rogers, Arkansas, where the theme of the event was problem solving—simplification, embracing change, embracing the uncomfortable, and engineering out the complexities. Joe Schrauder, vice president of asset protection and safety, emphasized that “preventing loss becomes even more important if we can stay relevant. If we change and if we figure out new ways to leverage technology and to serve customers the way they want to be served, while making the company profitable, we think there’s a bright future for AP to be more relevant than they are today.”

event at Fast Lanes, where the great-big-extended-family feeling of Walmart’s asset protection organization was truly evident.

The Loss Prevention Foundation Announces New President

The Loss Prevention Foundation (LPF) announced that Terry Sullivan, LPC, has been named as its next president, effective July 24, 2017. The appointment follows the recently announced retirement of LPF President Gene Smith, LPC. Sullivan, with a long history of success in the loss prevention industry, brings almost thirty years of experience to Terry Sullivan the foundation. “I am extremely excited about having a talent like Terry join the foundation. His experience and enthusiasm for the foundation’s mission will be tremendous assets for us,” said Frank Johns, LPC, LPF’s chairman of the board. Johns continued, “Sullivan joins the foundation after serving most recently as the director of loss prevention operations for Lowe’s Companies, Inc. Terry has held numerous other positions at Lowe’s to include divisional director of loss prevention, safety and hazmat, and regional director of loss prevention. Prior to Lowe’s, Terry served the drug store industry for almost fifteen years with Albertson’s/Sav-on Drugs and American Stores.” Sullivan said, “It’s an honor and a privilege to be able to serve the Loss Prevention Foundation and the loss prevention/ asset protection profession. I am looking forward to leading the continued progress of the foundation and working with the foundation’s board to deliver world-class educational resources.” Sullivan will be responsible for overseeing the administration, revenue generation, marketing, strategic planning, industry outreach, and all programs of the organization, including the internationally sanctioned LPQ and LPC certifications.

At the event, nearly 500 field leadership attendees received a brand-new yellow vest. No, they are not all becoming door greeters. Instead, AP leadership wants to be more accessible when they are out in the stores—for associates and customers alike. “Our program is about deterrence through offering really good customer service,” said Schrauder. “If we want that to happen, the customers need to be able to see us. We [asset protection] want to be seen as problem solvers and business partners, so rather than hiding in the shadows or working behind the scenes, we want to be visible and out on the front lines. We are taking a page from the ‘More at the Door’ program to encourage the interaction.” Leadership at the meeting reinforced that the “Drive to 75” is still Walmart AP’s objective—to reach their .75 shrink goal long term. The teams are making a great impact by continuing to use the Direct-Deter-Detect strategy, leveraging technology, and simplifying processes. Other highlights of the meeting included an annual AP awards banquet on Monday evening and a team-building

SEPTEMBER-OCTOBER 2017

RLPSA Goes Big in Las Vegas

Restaurants of all types descended on Las Vegas, Nevada, for the Restaurant Loss Prevention & Security Association’s (RLPSA) 38th Annual Conference at the M Resort & Casino July 30 to August 2, 2017. RLPSA hosted more restaurant companies than ever before and increased attendance from last year’s conference in San Antonio. continued on page 68 |

LOSSPREVENTIONMEDIA.COM

Introducing LPM Online An All Digital Companion to LP Magazine’s Print Edition

LPM Online is our newest offering for your reading enjoyment. LPM Online will publish every other month on even-numbered months in between our print editions. The inaugural edition went live in August. You can view it on the LPM Online tab on our website, LossPreventionMedia.com, or by entering LPM-online.com in your browser. The exciting feature of LPM Online is how we can use dynamic elements in both the articles and advertising—things like embedded videos, podcasts, and animations that will bring the information alive. Plus, it is optimized to view on smartphones, tablets, and desktop computers.

To receive notice of all editions of LPM Online, you need to be a digital subscriber of LPM. It’s free and gives you access to all our digital content, including our extensive website, print magazine archives, special reports, and much more. If you are not a subscriber, use the SUBSCRIBE NOW link on our website. If you are a solution provider and want to reach the loss prevention audience with a medium that allows you to demo your technology, show a corporate video, or otherwise showcase your products and services, contact our advertising manager Ben Skidmore at BenS@LPportal.com.

LPM Online—A Digital Magazine for LP Professionals

Cargo Theft Statistics: Unreported Incidents Make It Difficult to Grasp Scope

continued from page 66

Cargo theft statistics vary, but it is generally agreed upon that cargo theft is a multibillion-dollar problem each year in the United States. Exact numbers are impossible to determine in that many cargo crime incidents go unreported. The most recent cargo theft statistics available continue to be sobering. Freight Watch International recorded a total of 193 incidents of cargo theft in the United States during the third quarter of 2016. The average value per theft was $120,536. Third-quarter incidents were up 14 percent from the second quarter of 2016, but the average dollar value per theft fell by 26 percent. Compared to the third quarter cargo theft statistics from 2015, incidents rose by 7 percent, while values dropped 38 percent. Fourth quarter 2016 statistics are still forthcoming. For the entire year of 2016, CargoNet, a cargo theft and recovery service provider, reported 1,614 incidents of cargo theft, heavy commercial vehicle theft, supply-chain fraud, and other intelligence events across the United States and Canada. Eight hundred and thirty-six of these were direct cargo thefts. The average loss per theft was placed at $206,837. California continued as the worst state for cargo theft, up 36 percent for the year, followed, once again, by Texas in second place. New Jersey took over the third spot from Florida in 2016. In December 2016, AFN Logistics listed the ten worst counties in the United States for cargo theft: ■■ Los Angeles County, CA ■■ Dallas County, TX ■■ San Bernardino County, CA ■■ Cook County (Chicago), IL ■■ Miami-Dade County, FL ■■ Harris County (Houston), TX ■■ Tarrant County (Fort Worth), TX ■■ Middlesex County (Edison), NJ ■■ Will County (Bolingbrook), IL ■■ Riverside County, CA And, according to AFN, the following location types were the hardest hit: ■■ Warehouse/distribution center ■■ Other ■■ Parking lot ■■ Secured yard ■■ Unsecured yard CargoNet reported that food and beverage commodities remained the most stolen category of cargo in 2016. Alcoholic beverages, meat products, and nonalcoholic beverages were the most stolen items, respectively. Electronics were the next most stolen commodity but the costliest category with $45.6 million in losses reported across the United States and Canada. Cargo theft was the most common on Friday and Saturday. Monday and Tuesday were the most common days to report an incident. Because so many incidents go unreported, quoted cargo theft statistics don’t match exactly. But it is universally agreed that cargo theft is a major economic threat, particularly to the retail industry. And it continues to grow.

This year’s theme was “Results: Reinvented,” which geared keynote speakers, general sessions, and breakout sessions around ensuring restaurant professionals are ready for the changing industry landscape they are facing. The agenda was created primarily from last year’s feedback, and it was stocked with more practitioner-led panels than ever before. The breakouts featured loss prevention, safety, and risk tracks to offer relevant content for numerous roles throughout the restaurant organization. The keynote speakers presented to a packed room. Eric O’Neill, former Federal Bureau of Investigation (FBI) operative and subject of the film Breach, discussed how to identify the insider threat. William Espey, brand visionary with Chipotle Mexican Grill, talked about creating an internal culture that can withstand any crisis. And Shawn VanSlyke, former unit chief of the FBI’s behavioral analysis unit, shared an update on counterterrorism and how it affects restaurants as soft targets. One of the most popular panel-led sessions was “Results, Reinvented: A Panel Discussion” that featured panelists (shown above) Chris McDonald, senior vice president of loss prevention for Compass Group, North America; Anne Sullivan, vice president of asset protection and risk management for CKE Restaurants Holdings; Rick Walker, restaurant security consultant for Chick-fil-A; and Mark Stinde, vice president of asset protection for 7-Eleven, Inc. They discussed a wide range of topics, including how to manage up/down the internal ladders, always being ready to articulate your and your department’s value, and different strategies for tackling their most difficult causes of shrink. Breakout sessions covered catastrophic property damage, delivery driver safety, active-shooter training, risk benchmarking, and behavioral safety programs, just to name a few. Attendees left Vegas packed full of strategies for reinventing their results throughout their organizations—information gleaned from the content but also from meeting with multiple solution providers during exhibit floor hours. An RLPSA Annual Conference wouldn’t be complete without its signature networking event, which did not disappoint in Vegas. Attendees watched the sun set and the infamous strip light up from the fifty-fifth floor open patio at the Palms’ Ghostbar on Tuesday evening. Save the date for RLPSA’s 39th Annual Conference in Dallas, Texas, at the Hyatt Regency on August 5 to 8, 2018. For more wrap-up information, including daily video wrap-ups from Las Vegas, please visit RLPSAannualconference.com.

SEPTEMBER-OCTOBER 2017

LOSSPREVENTIONMEDIA.COM

C- SUI TE & SR . LE V EL EX ECU TIVES ON LY

2017

C YB E R SU MM I T U SA .CO M

2017 The Cyber Security Summit connects C-Suite & Senior Execuuves responsible for proteccng their companies’ criical infrastructures with innovaave soluuon providers and renowned informaaon security experts. CyberSummitUSA.com

Boston, MA Wednesday, November 8 The Wessn Copley Place

Los Angeles, CA Wednesday, November 29 The Beverly Hilton

LPM DIGITAL By Jacque Brittain, LPC, and Kelsey Seidler

New Approaches to Retailing—Online and In-Store

Brittain is editorial director, digital, and Seidler is managing editor, digital. The two manage the magazine’s digital channels that includes multiple daily e-newsletters featuring original content and breaking news as well as vibrant social media conversations. Brittain can be reached at JacB@LPportal.com and Seidler at KelseyS@LPportal.com.

ollowing are a few article summaries that can provide you with a small taste of the original content available to you every day through our daily digital offerings, which are offered free through LossPreventionMedia.com. In addition to our daily newsletter, a comprehensive library of original content is available to our digital subscribers at no cost to you. Visit our website to gain access to all of our content. You can also follow us on Facebook (search LP Voices), Twitter (@LPMag), and LinkedIn.

As an alternative, sellers always have the option of using Amazon’s in-house fulfillment arm. The new policy goes into effect in October. This new policy is just another step by Amazon to make online shopping easier for the consumer. Their existing return policy, as outlined below, has always been one of the most customer friendly: ■■ The consumer has 30 days from the date of purchase to return items for a full refund. ■■ Return labels can be instantly printed using Amazon’s online return center. ■■ Amazon pays the return shipping on all domestic orders. ■■ It doesn’t matter if the item has been open or used. Clearly, their policy is very liberal, but Amazon does have some safeguards built in to identify and track abusers. If a customer has extensive returns, their account may be flagged to prevent further returns. But, in typical Amazon fashion, they will send the potential abuser a nice email to let them know before taking any action. As we have said before, e-commerce will never totally eclipse brick-and-mortar shopping. But Amazon continues to do everything they can to make it easier and easier for consumers to shop online. And it’s working!

Vendors Dismayed at Amazon’s Changes to Return Policy By Bill Turner, LPC

Most people believe that shopping online is easy and convenient. But most also agree that the one of the biggest issues in online shopping is the inability to touch and feel the product. As a result, items “not as expected” cause online return percentages to be high. And everyone knows that returning items bought online can range from inconvenient, to confusing, to downright scary. Once again, Amazon has come to the rescue with its recently announced policy of “automatically authorized returns.” This new policy applies to Amazon’s Marketplace sellers and aligns the return policies of these third-party sellers to the current return policy of Amazon-fulfilled product. Under the new policy, consumers can ship back third-party-fulfilled merchandise to Amazon without contacting the vendor first to work out concerns with the transaction or product prior to a refund being issued. Amazon has also instituted a “returnless refund” policy designed to save sellers time and expense: if an item is small and inexpensive, Amazon will issue a refund—and the seller is forced to just “let the item go” and not get it back. There has been confusion on the part of the sellers who now think Amazon will force them to simply give away items for free. Many sellers are highly upset and have been very vocal about their dissatisfaction regarding the new policy. Amazon is quick to defend the policy, noting that participation is optional for the seller and actually came about due to numerous requests by vendors. Amazon emphasizes that sellers will enjoy reduced time and cost (if they agree to participate) while making the consumer return experience for many products easier and less complicated. Many sellers are not convinced. Some have gone so far as to proclaim that Amazon’s new policy will “crush small businesses that fulfill their own orders.” They believe that scammers will take full advantage of the new policy. Time will tell.

SEPTEMBER-OCTOBER 2017

Preventing Shoplifting and Theft with…Music? By Mike Giblin, LPRC

As a loss prevention agent in 2017, it’s easy to begin to feel helpless. Many retail environments have shifted to no-touch policies, as jurisdictions push legislation to ease the legal ramifications of shoplifting and theft. If you can’t stop the shoplifter as he’s strolling out your door with your merchandise, and you can’t call the police because the crime is no longer treated seriously, Mike Giblin what tools are left in your toolbox? Through the Zones of Influence initiative, the Loss Prevention Research Council (LPRC) has developed a framework for geo-spatially categorizing opportunities in a retail environment. The goal is to provide awareness and action tools for the store’s LP decision maker in each of the five Zones of Influence. This post outlines Weaponizing Music, one of the most popular action tool concepts explored by the LPRC. The following research brief describes a study conducted in Australia/New Zealand involving the use of music as a deterrent and repellent of unwanted loiterers and potential wrong-doers. |

LOSSPREVENTIONMEDIA.COM

Organized Retail Crime in Idaho 3rd Annual Conference

CALENDAR

This practice has seen popularity around government buildings, parks, recreation and performance centers, and retail spaces. Cam Connections/Protection-1 has helped the LPRC to engineer and install a Weaponizing Music unit in the Gainesville LPRC Innovation Lab for further testing.

Washington Group Plaza, Boise orcaid.org

September 12–13, 2017

September 28–29, 2017

Background In any decision process, a surprising number of factors are at play. Here, an organization looks at controllable environmental factors of a retail space and how it can influence shoplifting behavior inexpensively and without alienating customers.

iscpo.org

Town & Country Resort and Conference Center, San Diego cal-orca.org

Findings Government officials in a suburb of Sydney, Australia, ran a six-month deterrent program meant to stop local youth from nighttime loitering. Barry Manilow music was broadcast through loudspeakers located in a local parking lot every night between 9 pm and midnight on Friday, Saturday, and Sunday. The logic was to “use music that doesn’t appeal to these people (the youths).” It was very effective. Other similar studies have tested classical music, with equal success.

September 15, 2017

Elevation or Relocation? While effective, what was the effect of this music? Did the youth just relocate to disrupt a different, Manilow-free parking lot? There exists a prevalent belief in our culture that classical music has the ability to enhance an individual. Parents play classical music in their newborn’s crib in the hope that it will tack a few IQ points on. Some may play classical music to older children or adults with the hope that it will cultivate them in a cultural sense. In this case, however, the children’s behavior was not altered, nor was their character seemingly enhanced. They simply scattered and relocated.

California Organized Retail Crime Association (CAL-ORCA) Curtis Culwell Conference Center, 2017 Annual Training Conference Garland, TX

International Supply Chain Protection Organization 2017 Conference

September 14, 2017

Retail Association of MA 11th Annual New England Loss Prevention Expo

DCU Center, Worcester, MA retailersma.org

Cyber Security Summit

Grand Hyatt New York cybersummitusa.com September 19, 2017

Retail Council of Canada Loss Prevention Conference The International Centre Mississauga, ON rcclpconference.ca September 20–22, 2017

LP Magazine Annual Meeting

The Renaissance Nashville losspreventionmedia.com September 21, 2017

Carolinas Organized Retail Crime Alliance 2nd Annual Conference

Sheraton Imperial Hotel and Convention Center, Durham, NC corca.org September 25–28, 2017

ASIS International 63rd Annual Seminar and Exhibits

Kay Bailey Hutchison Convention Center, Dallas asisonline.org

Mechanisms The music may have been territorial in nature, marking the lot as off limits, or perhaps establishing the impression of the lot being a controlled area. The music may have deterred because it was unexpected. Studies show that music that does not match

October 2–4, 2017

Loss Prevention Research Council Impact 2017 Conference

University of Florida, Gainesville lpresearch.org October 3–5, 2017

Consumer Returns Management 2017

Hutton Hotel Nashville, TN consumerreturns.wbresearch.com October 16–19, 2017

Coalition of Law Enforcement and Retail 8th Annual ORC Training Conference

Menger Hotel, San Antonio, TX clearusa.org October 17, 2017

COORCA 2017 Western US Anti-Organized Crime Conference

Denver (CO) PPA Event Center coorca.org October 18–19, 2017

Cyber Security Chicago

McCormick Place, Chicago, IL cybersecurity-chicago.com November 8, 2017

Cyber Security Summit

The Westin Copley Place, Boston cybersummitusa.com November 29, 2017

Cyber Security Summit

The Beverly Hilton, Los Angeles cybersummitusa.com

continued on page 72 LP MAGAZINE | SEPTEMBER-OCTOBER 2017

continued from page 71

ambiance is off-putting, and may lead to lower satisfaction and increased weariness. The patrons may have simply disliked the music, in a mechanism similar to administering an electric shock or filling the space with an unpleasant odor. Implications for Stopping Shoplifting and Theft Classical music and Barry Manilow seem to be effective deterrents of loitering in empty, outdoor retail spaces. The mechanism responsible for this effect remains generally unknown. Better understanding of this phenomenon is important in order to predict what situations and locations it will be effective in, as well as how it will affect honest customers. The LPRC is also exploring Mosquito units, which emit an unpleasant, high-pitched tone that only individual’s cochlea below a certain age threshold (~18-25) can detect.

3 Ways Bloomingdale’s Prepares Its Associates for the Worst By Chad McIntosh

September - October 2017

Articles inside

PARTING WORDS

LPM DIGITAL

PEOPLE ON THE MOVE

EVIDENCE-BASED LP

INDUSTRY NEWS

SOLUTIONS SHOWCASE

BENCHMARKING

CERTIFICATION

ASK THE EXPERT

EDITOR’S LETTER

INTERVIEWING