December 2010 Archives

Securing retail environments from the insider threat


The retail industry is one that operates under tight profit margins and the recent economic slowdown has seen those margins put under even greater pressure, with many retail chains reporting that the outlook for consumer spending still remains fragile. Key initiatives in the retail sector revolve around cost-cutting activities, drives to improve operational activities and efforts to reduce shrinkage.
Many of these efforts focus on expanding the use of technology within the retail sector. In the past few years, retailing processes have become increasingly automated, including activities at the point of sale, and processes such as promotion management, forecasting and replenishment. The use of automation for processes previously performed manually has led to efficiency and staff productivity improvements that directly impact the bottom line.
However, through automation, many of the old safeguards such as manual inventory checking and management authorisation have disappeared, opening up further chances for shrinkage to occur. According to the Global Retail Theft Barometer 2010, produced by the Centre for Retail Research, retail shrinkage averaged 1.4% of retail sales across the 42 countries that it surveyed. There have been numerous studies concerning losses from shrinkage within the retail sector. They all vary to some extent, but all agree on one point--losses from employee theft or error account for more than half of all shrinkage, more important than shoplifting in almost all the surveys. And employees tend to steal larger amounts. According to the Centre for Retail Research study, the average loss through employee theft amounted to US$1,890, compared to US$438 for shoplifters.
Automation can actually make theft or mistakes easier. For example, the University of Florida found in a recent study that "sweethearting" is the most common type of employee theft, whereby cashiers fail to ring up or scan goods for friends and relatives at the point of sale, or scan in a much cheaper item than the one handed to the customer. Another growing problem is organised crime, whereby criminals may falsify receipts to claim unwarranted refunds or pressure employees to slip them goods or, increasingly, gift cards, which can be sold through online auctions.
Retailers looking to combat retail shrinkage, measure promotions, manage staff productivity and identify training requirements now have a new tool available--VigilancePro Retail from activity management software vendor Overtis. The tool is built on its flagship VigilancePro Enterprise product, which is used by enterprises and public sector organisations to visually identify and manage exactly how users access, process, store and transmit sensitive information.
Recognising that there is a specific need for such capabilities in the retail sector, Overtis developed VigilancePro Retail for this vertical. The software integrates with the point of sale terminal and analyses every transaction made, looking for unusual patterns of activity that could point to a mistake, such as the wrong change being tendered, or to deliberate acts of fraud. Every transaction entered by the employee is captured for real-time reporting and analysis, and a visual record is captured through linkage with CCTV surveillance systems, providing evidence of which employee performed which actions.
Retailers will see many benefits from integrating this software into their existing security environments, from reducing profit shrinkage and excessive refunds or under-ringing to improving productivity by identifying areas where staff need extra training. It could also bring further advantages, such as deterring customers from abusing or harassing staff and helping retailers to meet health and safety objectives.
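The kind of transaction-pattern analysis described above, as an added example rather than Overtis's own code: it checks the change arithmetic on each sale and flags cashiers whose refund share is far above their peers. The journal layout, the sample rows and the thresholds are assumptions made for this example.

```python
import statistics
from collections import defaultdict

# Constructed sample POS journal (not real data). Assumed layout:
# transaction id, cashier id, action, amount, cash tendered, change given
SAMPLE_JOURNAL = """\
T001,CASH01,SALE,12.50,20.00,7.50
T002,CASH01,SALE,8.00,10.00,2.00
T003,CASH02,SALE,30.00,50.00,20.00
T004,CASH02,REFUND,30.00,0.00,0.00
T005,CASH02,SALE,5.00,10.00,5.50
T006,CASH02,REFUND,45.00,0.00,0.00
T007,CASH03,SALE,9.99,10.00,0.01
T008,CASH03,SALE,22.00,25.00,3.00
T009,CASH01,SALE,3.25,5.00,1.75
T010,CASH02,REFUND,12.00,0.00,0.00
"""

def parse_journal(text):
    """Parse the comma-separated journal into a list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        tid, cashier, action, amount, tendered, change = line.split(",")
        rows.append({"id": tid, "cashier": cashier, "action": action,
                     "amount": float(amount), "tendered": float(tendered),
                     "change": float(change)})
    return rows

def wrong_change(rows, tolerance=0.005):
    """Return ids of SALE lines where tendered - amount != change given.

    A mismatch is either a till error or cash being skimmed; both are
    worth a supervisor's review against the CCTV record."""
    return [r["id"] for r in rows if r["action"] == "SALE"
            and abs((r["tendered"] - r["amount"]) - r["change"]) > tolerance]

def refund_outliers(rows, min_gap=0.5):
    """Return cashiers whose refund share exceeds the peer median by min_gap.

    Excessive refunds are one of the shrinkage signals named in the post;
    comparing against the median avoids flagging a busy-returns day for all."""
    counts = defaultdict(lambda: {"SALE": 0, "REFUND": 0})
    for r in rows:
        counts[r["cashier"]][r["action"]] += 1
    ratios = {c: n["REFUND"] / (n["SALE"] + n["REFUND"]) for c, n in counts.items()}
    median = statistics.median(ratios.values())
    return sorted(c for c, ratio in ratios.items() if ratio - median >= min_gap)
```

On the sample rows, T005 is flagged for wrong change (5.50 given on 5.00 from 10.00) and CASH02 for a refund share of 60% against a peer median of 0%.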
But not only will VigilancePro Retail be a boon to retailers, it could also be beneficial to other organisations involved in activities where staff handle money, such as bars, restaurants and fast food outlets, petrol forecourts and in the gaming industry, and casinos in particular. By providing a user-centric view of all transactions undertaken, backed up by video evidence, such organisations have a powerful tool available to them to reduce the cost to their business and other problems associated with the insider threat.

Cybercrime, Cyberwars, Cyberterrorism and Hacktivism


This month (December 2010) has seen the mainstream media alive with stories of hacktivists attacking payment websites, including Visa, MasterCard and PayPal, in response to those organisations' refusal to take payments in support of the WikiLeaks website. Every day we hear stories of cybercriminals stealing money and cyberterrorists causing mayhem, alongside state sponsored cyberwarfare as nations battle it out on line.

The reality is more complicated. Whilst these stories make good headlines the truth is often more disturbing; but what exactly is the truth behind cybercrime, cyberwarfare, cyberterrorism and hacktivism? What do you need to know and what do you need to do to deal with the problem?

In support of a recent paper I have written, I have serialised some insight into these issues here.

Nigel Stanley

Practice Leader, Security

Bloor Research

Today's threats require joined-up security


The security threats that we face today are complex and sophisticated and are designed to do real harm--stealing data, recruiting computers into botnets and committing fraud. Much of our business and personal lives rely on use of computers, and internet access and electronic messaging systems are considered by many to be essential. But such systems are prime vectors of attack.
More organisations and individuals have installed some level of protection on their computing devices. Most have anti-virus; firewalls are commonplace; and most have some level of email security in place--whether this is administered in-house in an organisation or provided by a service provider such as an ISP that filters spam on behalf of its customers. However, the use of web security tools is far from ubiquitous--yet this is a prime delivery mechanism for malware and other exploits. According to press reports, it is estimated that one in five posts on popular social networking site Facebook is malicious and the Internet Crime Complaint Center estimates that victims of internet-related crimes lost US$559 million in 2009, up 110% over the previous year.
However, it is not only those without web security controls that are putting themselves at risk. Rather, many of the controls that have been deployed for electronic communications are based on outdated technology that is not up to the job of protecting against the complex threats seen today. Many such controls rely on signatures that identify known viruses contained in messages, but this method only detects malware that has already been seen. It provides no protection against zero-day threats, which may be no more than variants of existing malware but still evade signature detection. For example, more than 10,000 variants of the Koobface worm that affects social networking sites are being detected every month.
Given the nature and extent of the threats that we face today--as well as the cost of clearing up after a security incident has occurred which, according to a survey undertaken during Infosec in London in April 2010, can amount to anywhere from £280,000 to £690,000 for a large organisation--it is time for all organisations to reassess the effectiveness of the security controls that they have in place. Those based on outdated technology should be retired and any gaps in protection, such as web security, should be closed.
When assessing options, a prime candidate to be considered is the use of cloud-based services where the software needed is delivered as a service. The use of such services has many advantages over in-house deployments. The level of protection that can be provided is higher than many traditional security controls as the service is provided by vendors that offer tools that are designed to be truly integrated so that uniform protection can be provided against threats to email communications and web usage--helping to defend against the blended threats being seen today. Most providers are also in a better position to defend their customers against new, previously unseen threats as they maintain resources that constantly research traffic patterns and new threats seen where the threats are emanating from--in the cloud. They also deploy advanced detection techniques such as heuristics that look for behaviour patterns associated with malicious exploits so that countermeasures can be developed. Those countermeasures can then be pushed out to all customers simultaneously to provide protection against the latest threats before those threats can reach networks and requiring no action to be taken on the part of the user to keep their protection up to date.
There are also cost benefits of using such services, including the lower and more predictable cost of subscribing to a service on a monthly basis versus the cost of purchasing software licences and the hardware needed to support the deployment, plus the cost of maintaining the system and keeping all devices up to date with the latest protection. Lower capital expenditures are a bonus for any organisation, as many are operating with tight budgets, and because the service is outsourced to a provider that manages it on behalf of the organisation, there is no need to hire, train and retain resources for administering and managing the system in-house. This makes the use of such services suited to and affordable for organisations of all sizes--from the smallest micro firm to a large, geographically distributed multinational.
An upcoming webinar at 10am UK time on 8th December 2010 will discuss this subject in greater detail. It will discuss how combined, integrated web and email protection will provide organisations with greater protection against security threats that could damage reputations and hurt organisations financially. Please click here to register for the webinar: Why web and email security should go hand in hand.
