2020 GLPS - Group LP Selfies
Your Team - Your Pride - Our Industry
Building Industry Pride - One Team Selfie at a Time

Sears & Kmart Asset & Profit Protection
Caribbean (Puerto Rico & US Virgin Islands)

Adapt, Improvise and Overcome

Message from Alex Sostre, Market APP Leader, Puerto Rico & Virgin Islands

I would like to recognize all the Asset & Profit Protection Managers from the Caribbean (Puerto Rico & US Virgin Islands) for the excellent job done during these difficult times.

We all know that we as a community are passing through difficult times never seen before and that we never been trained before, so we are learning together to overcome this.

I just wanted to express my gratitude to all of you for giving the extra mile to ensure our associate and member are safe and that we can continue to serve our members every day.

Thank you for your leadership and for been a role model for our organization, communities , we are here giving our best to make a better community and setting the example of what selfless service, indomitable spirits and servant leadership is.

Thank you, Alex, for submitting this photo.
 

Retail & Hospitality- ISAC
Cyber Thursday
Join the RH-ISAC on April 30 for Cyber Thursday featuring webinars from URBN, RH-ISAC and PCI Security Standards Council. URBN will start the day off at 11 a.m. ET with a session on building a culture of cybersecurity in your organization. RH-ISAC will highlight benefits of membership to new members and prospective members at 1 p.m. ET. Finally, PCI SSC will round out the day at 3 p.m. ET with a panel of experts that will explore the issue of software security and what merchants need to know about it. Details and registration below:

CYBER THURSDAY: Security Awareness Training: One Size Does NOT Fit All
Thu, April 30 | 11:10 AM EST

One of the more precarious components of cybersecurity is creating a cyber-aware workforce. How do CISOs and cyber teams engage employees and adapt to the ever-changing landscape of personas and emerging services within the enterprise? When Tony Vitello became the CISO at URBN, his first time in a retail environment, he quickly realized that understanding the employee culture and landscape was the best way to engage with teams and increase awareness around cybersecurity. As Tony began this journey, he leveraged five key tactics: shorten messaging, market cybersecurity as a brand, increase engagement with events and offerings, use gamification for training, and have a persistent presence. In this session, Tony shares details on this innovative approach, successes he's seen, and what he has planned for the future.

Key Takeaways:

1. Understand your audience demographics to create an effective approach to awareness and training
2. Inform leadership to get buy-in for programs and initiatives
3. Find ways to incentivize employees who are more cyber-aware during their day-to-day
4. Make it fun!

Speaker: Tony Vitello, CISO, URBN

ELIGIBILITY: This webinar is open to RH-ISAC Core members and retail and hospitality cybersecurity practitioners eligible for Core Membership. Ineligible registrants will have their registration canceled. To learn about eligibility, visit rhisac.org/membership. Email events@rhisac.org with any questions.
 

NIST Guide: Improving the Cybersecurity of Managed Service Providers

Recommendations to Protect Against Ransomware and Other Data Loss Incidents

Many small- and medium-sized businesses use managed service providers (MSPs) to remotely manage their organization's IT infrastructure, cybersecurity, and related business operations. As a result, MSPs have become an attractive target for cyber criminals. When an MSP is vulnerable to a cyber attack, it also increases the vulnerability to the small- or medium-sized businesses an MSP supports.

The NCCoE published a quick planning guide for MSPs to minimize the impact of data loss incidents - such as ransomware, hardware failure, or accidental or intentional data destruction. The guide provides recommendations to MSPs to conduct, maintain, and test backup files for themselves and their clients.

For more information, visit the NCCoE's Improving Cybersecurity of Managed Service Providers project page. This information is also available on the NIST Small Business Cybersecurity Corner.

PCI: Additional Remote Assessment Considerations During COVID-19
While PCI SSC does not manage compliance programs and therefore cannot comment on compliance impacts, we are working hard to provide useful guidance to help entities and assessors navigate their assessment processes during this time. One effect of the global travel advisories and restrictions currently in place is that assessors may not be able to complete onsite PCI assessments at an entity's location.

This blog post builds on the guidance provided in an earlier post, Remote Assessments and the Coronavirus, to provide additional direction for entities and assessors in these unusual circumstances. pcisecuritystandards.org

IT Security Helped Get Remote Workforce Up & Working Securely
47% of Security Pros Reassigned to IT Tasks (Remote Workers) During COVID-19
Most security practitioners surveyed say their job functions have changed during the pandemic, and 90% are now working remotely full time.

Nearly half (47%) of security practitioners surveyed say they've been temporarily removed from cybersecurity responsibilities to assist with IT-related tasks as businesses shift to remote work.

(ISC)² polled 256 security pros to learn how the coronavirus pandemic has changed their work. Its "COVID-19 Cybersecurity Pulse Survey" found 81% of respondents, all of whom are tasked with protecting their businesses' assets, saying their job functions have changed during the outbreak. Most (96%) say their organizations have closed physical work environments in favor of work-from-home policies. Nearly half (47%) say all employees are now remote, and 49% say at least some are. Ninety percent of respondents say they themselves are now working remotely full time.

Best Practices vs. Expediency

Overall, 81% of respondents indicate their organizations view security as an essential function, and an even greater number (92%) say their organizations are using best practices in securing their remote workforce. Still, the survey found that half of respondents believe their companies could do more to secure remote workers.

"Security at this point is a best-effort scenario," said one respondent. "Speed has become the primary decision-making factor. This has led to more than a few conversations about how doing it insecurely will result in a worse situation than not doing it at all."

Another respondent says companies are rushing to implement VPN, remote access and collaboration tools without due diligence or taking security into account. Yet another said: "IT wants to relax security controls without due process and analysis, and the times we are in are exactly the WORST time to do that." isc2.org

Opinion: Contact Tracing Won't Ever Take Off In the U.S.
Apps to Track the New Coronavirus Have an Old Problem: Getting the Downloads

60% of population has to opt in for contact-tracing apps to work well

"Below that would still have an impact, but it'd be less of an impact," But the looming challenge will be to convince enough people to hit the download button.

Bluetooth can provide privacy features that might entice more people to opt in because the technology measures a user's proximity to infected people, Ms. Wanger said. GPS data, on the other hand, shows physical locations with a centralized server and can more easily point back to individual users.

Instant notifications of at-risk users, coupled with other measures like quarantines, could reduce the estimated number of people a contagious person infects from as many as three without public health interventions to below one, the replacement rate.

"Our models show we can stop the epidemic if approximately 60% of the whole U.K.

Singapore's TraceTogether app had a 20% download and Australia's COVIDSafe only 8% when they rolled out contact tracing apps in mid-April. wsj.com

Editor's Note: So the issue is does the U.S. and or the states have a better download outcome and are the American citizens really ready to be traced?

5-Year-Long Cyber Espionage Campaign Hid in Google Play

OceanLotus targeted Android devices in the so-called PhantomLance campaign.

A targeted cyber-spying mission waged by a notorious hacking team out of Vietnam preyed mainly on Android users in Southeast Asia and evaded detection in Google Play, APKpure, and other app markets for five years. Researchers at Kaspersky today revealed details of their study of the attack campaign they call PhantomLance, which they believe is the handiwork of OceanLotus. darkreading.com

Overview of the latest AWS Security Service - Amazon Detective

Facebook Restructures Its Security Teams - Increasing Automation
The social network displaced more than two dozen employees who work on security, as the company fights threats such as cyberattacks.

The changes, which took place last week, affected Facebook's detection-engineering and alert-response teams. The employees, whose duties included anticipating cyberattacks and preventing hackers from breaching the platform, were in Facebook's offices in London, Seattle and Menlo Park, Calif.

Facebook has dissolved and dispersed its security group over the last two years, the people said. The latest cuts are part of a change in philosophy on security efforts, spurred by infighting and long-running issues within the department, they said.

Facebook has said that it continued to invest heavily in security, and that the restructuring was designed to update its methodology.

Its security operations were previously housed together in one large group under Alex Stamos, the chief information security officer. After Mr. Stamos left Facebook in 2018, the security teams were reassigned and reported into different parts of the company, such as engineering and policy. Facebook has since eliminated the chief information security officer position. nytimes.com

Google Will Require Proof of Identity From All Advertisers

A slew of scams and misleading ads pushed the search giant to expand its verification policy

In an effort to fight off fraudulent or misleading online ads, Google will require that all advertisers across its sprawling network prove who they are and where they operate, the company said in a blog post on Thursday.

The names of the companies or people behind ads, as well as their countries of origin, will begin appearing on Google ads this summer, starting with several thousand advertisers a month in the United States before expanding worldwide. The measure, which could take years to implement, is designed as a defense against businesses and individuals who misrepresent themselves in paid online promotions, Google said. nytimes.com

Instacart to hire 250,000 new shoppers; adds new safety measures

Online grocery sales up 37% in April

UPS, CVS to launch drone delivery service in Fla.

D&D Daily Survey:
How will COVID-19 impact Loss Prevention & Organized Retail Crime at your stores as the nation prepares to reopen?

The industry values your input! The D&D Daily wants to hear your thoughts as retail prepares to reopen following mass closures due to the COVID-19 pandemic.

Given the past seven weeks, we've all had a chance to think about what is going to happen as we reopen the doors, but are we prepared for the impact the pandemic will have on Loss Prevention and Organized Retail Crime?

What does ORC look like in the coming months? How are your stores preparing?

Click here to take a two-minute survey and share your thoughts!
 

Top ORC Cases from 2017 - By Dollar Amount

We at the D&D Daily compiled the top ORC cases we reported in 2017, ranked by dollar amount. Here is the #1 case of the year, with the full 2017 countdown coming Thursday and Friday.

1. $170M - Russian National Confesses to Major $170M Credit Card Fraud in Letter to US Court
A Russian national has pled guilty to a US District Court in the state of Washington on credit card theft amounting to some $170 million in losses to businesses and individuals, according to a handwritten confession letter to the court obtained by Sputnik.

David Burghardt - Roman Seleznev, a native from Russia's Far Eastern region of Vladivostok, was arrested by US Secret Service agents in the Maldives in 2014 and transported to Seattle, Washington to face court on suspicions of cybercrimes that affected hundreds of businesses and thousands of individuals in Washington. Overall some 3 million credit cards were suspected of being stolen by Seleznev, though the court was able to prove only 1.7 million stolen cards.  sputniknews.com
 

Akron, OH: 3rd Family Dollar targeted in theft of cigarettes
The front door of a Family Dollar store was smashed out and cigarettes stolen, police say, the third time a Family Dollar store has been burglarized in two days. The most recent burglary occurred at 2:45 a.m. Tuesday on South Hawkins Ave. Police say an alarm was set off at the Family Dollar and that when officers arrived, they found the glass in the front door had been shattered. An undetermined amount of cigarettes were stolen. cleveland.com

Mountain Home, AR: Man arrested for theft of $12,000 worth of makeup
A Mountain Home man has been arrested for the alleged theft of over $12,000 worth of makeup from the Merle Norman Studio in Mountain Home. Calvin Larry Summers is facing two felony charges in the case. Video surveillance from a nearby business showed an individual preparing to break into the business. On Saturday, Mountain Home Police officers responded to a welfare check call and while at the location, they saw an unusually large amount of Merle Norman cosmetics. An investigator was called to the scene and recognized an individual at the residence, identified as Summers, as the person who was seen in the video. While being questioned by police, Summers admitted to the theft. ktlo.com

Boulder County, CO: $35,000 in bikes stolen from Lyons' Redstone Cyclery