Rules: 1st person to name all team members in a picture gets entered into the drawing. Once we reach 10 correct answers, we'll pick one winner for a GLPS team pizza party with drinks - delivered to your door by Domino's. All parties must be for retail LP or AP teams. Submit your answers here.

Visit Memory Lane - see previous pics

 

The Necessity of an ERM Approach - Risk's Evolution
Governance, Risk, Compliance and Security: Together or Apart?

Organizational risks are expanding with digital transformation, so enterprise risk management has become essential.

The interconnected nature of modern business necessitates a holistic approach to risk. When an organization's governance, risk, compliance (GRC) and security functions are siloed, it's difficult to deal effectively with the total scope and potentially cascading effects of that which can harm the company, its customers and partners. As the pace of business accelerates and operations become increasingly digital, more organizations are forming enterprise risk management (ERM) groups or committees. Not surprisingly, new platforms are helping to facilitate the shift.

"Digital transformation requires a very tightly knit coordination between all of these functions," said Forrester Research Analyst Alla Valente. "We're seeing the growth of an enterprise risk management function and they're taking on responsibility for operational risk, for financial risks, in many cases compliance, and business continuity as well."

Why the various risk functions are fragmented

Company structures tend to differ based on the industry in which they operate, their size and their organizational philosophy. Many businesses have expanded the C-suite over the past couple of decades to include some combination of chief security officer (CSO)/chief information security officer (CISO) chief privacy officer (CPO) and chief risk officer (CRO).

Whom those positions report to also varies. For example, the CPO may report to the chief legal officer (CLO) or the CSO/CISO. The CSO/CISO may report to the CIO, COO or CEO.

Many risk functions were created in response to a major event like the 2008 financial crisis or a regulation such as Sarbanes-Oxley (SOX) or GDPR. Similarly, computer, network and cybersecurity were created as the result of technologically enabled threats. Now, companies without ERM groups or committees are feeling the effects of organizationally and technologically siloed efforts. Specifically, each risk-related function is using its own GRC system when the effects of many risks are cross-functional. For example, when a hacker steals data, the security team probably isn't the only team impacted. Other groups may include compliance, governance, legal and traditional risk management (financial risks).

"[P]articularly between compliance, privacy and security there's sometimes an underlying assumption that a specific area is being covered by one of the others and sometimes we see things slip through the cracks," said Joe Nocera, a principal in PwC's Cybersecurity and Privacy practice. "They tend to use different scales of measuring risks and they tend to use different workflows and mechanisms for risk acceptance and mitigation activities."

Why enterprise risk management is critical: Continue Reading

Google, Apple Reveal More Contact-Tracing Details

Describe Limits on How APIs Can Be Put to Use for Apps

Google and Apple on Monday released privacy and security guidelines for their jointly developed contact-tracing infrastructure. The tech companies note that apps developed using their APIs can only be developed by or for public health authorities - and solely to collect limited information to help trace COVID-19 infections.

The APIs developed by Google and Apple will not use location tracking data, according to the developer guidelines released Monday. Users of the apps buit with the APIs will be able to turn off the contact-tracing technology at any time. Plus, the apps must limit how much data they can collect from the physical contacts of other app users who report that they are infected.

The two tech giants have been jointly developing their contact-tracing infrastructure, now called Exposure Notification, since March. On Monday, they released the first samples of the APIs to developers, who will use them to create apps.

Exposure Notification - Addressing Privacy - How Data Is Shared

Google and Apple also stressed that neither company has plans to monetize any data collected through the Exposure Notification system.

"Consistent with well-established privacy principles, both companies are minimizing data used by the system and relying on users' devices to process information," according to the developer document. govinfosecurity.com

Wooing Washington
Cybersecurity Lobbying Spending Mounts as Privacy, Security Laws Take Shape
From traditional advocacy on specific bills to advising lawmakers on the security dimensions of current events, including the coronavirus pandemic.

Cybersecurity companies are spending millions of dollars on lobbying efforts in Washington, seeking to influence policy makers as they reshape privacy and security laws.

As the cybersecurity industry has grown, these companies have increasingly sought to get time with lawmakers and help shape bills and issues in their early stages, including standards for the security of the Internet of Things, a potential federal privacy law and the rollout of 5G networks.

The uptick in lobbying by the industry appears designed to capture commercial opportunities stemming from heightened awareness of cybersecurity threats, said John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity research and training organization.

The collective lobbying spending of 12 large publicly traded cybersecurity firms more than tripled to $3.94 million in 2019 from $1.21 million in 2015. wsj.com

Attackers Adapt Techniques to Pandemic Reality

U.S. is Getting Pounded By 1/3 of All Malicious Domains

Over the past several months, threat actors have quickly shifted their tactics to take advantage of interest in the coronavirus, two studies find.

Attackers continue to use the theme of the coronavirus pandemic to create more convincing phishing lures and impersonate legitimate domains in an attempt to get past the strained cybersecurity of work-from-home employees, according to two reports released this week.

On average, almost 1,800 malicious or risky domains with coronavirus-related names have been registered every day. A third of the malicious domains - by far the largest share - targeted the United States, while other countries each accounted for less than 4% of the total.

With coronavirus themed spam and impersonation attacks having more success with remote workers. The number of URLs that were blocked following a user click rose 56% over the period, he says.

From fake Microsoft Teams e-mails to massive COVID-19-related domain registration, cybercriminals and fraudsters are betting that remote workers will be more likely to click on coronavirus-themed content. In early April, Microsoft noted the attackers were capitalizing on the fear of the virus to tempt users into clicking on links and parting with sensitive information, such as login credentials.

"Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time," the company noted. "It's overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they're taking advantage of that. That's why we're seeing an increase in the success of phishing and social engineering attacks."

"With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud," the report stated, adding that "[t]hreats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack."

Hosted on AWS

Amazon Web Services hosted an outsized share of the malicious and suspicious domains. While the provider hosted about 70% of all newly registered coronavirus-related domains, it hosted nearly 80% of the malicious or risky domains. darkreading.com

SAP notifying 9% of customers about security bugs in some cloud products

SAP says an internal security review found issues with seven of its cloud products.

German software group SAP announced on Monday plans to notify approximately 9% of its 440,000 customer base about security holes identified in some of its cloud-based products.

According to SAP, the issues were discovered following an internal review of its platform, which found that some of its cloud products did not meet one or more contractually or statutory security standards.

The German company said it already initiated and prioritized remediation efforts to patch all impacted products, which include the likes of SAP Success Factors, SAP Concur, SAP/CallidusCloud Commissions, SAP/Callidus Cloud CPQ, SAP C4C/Sales Cloud, SAP Cloud Platform, and SAP Analytics Cloud. zdnet.com

Cequence Security Releases EMA Findings on Detecting and Thwarting Automated Bot Attacks
Findings Provide Fresh Insight into Automated Bot Attacks, and the New Mitigation Strategies Succeeding for Major Organizations.

Cequence Security today published research findings on automated bot attacks, developed with Enterprise Management Associates (EMA), focusing on the automated malicious bot attacks targeting public-facing API and web-based applications. Cequence will discuss the findings in a webinar, Winning the Imitation Game: Separating Human Traffic from Automated Bot Attacks on Tuesday, May 19th at 11:00AM PST. businesswire.com

ORC in the Retail Industry

Scott Sanford, Director of Loss Prevention, goPuff

Filmed in January 2014 at the Daily's 'Live in NYC at the NRF Big Show 2014' event

Scott Sanford, Director of Loss Prevention for goPuff, discusses where he thinks the loss prevention industry is going and how we're making progress in the fight against Organized Retail Crime. A subject matter expert on the topic, Scott has a unique gift and ability at resolving ORC cases and has been extremely involved in the national effort for many years. Learn how you can be better prepared to combat the North American epidemic that is ORC.

 

Amazon, Alibaba team with Homeland Security to prevent COVID-19 fraud

The world's two biggest e-tailers are cooperating with a new partner in response to pandemic-related e-commerce crime.

Amazon and Alibaba are working with Homeland Security Investigations (HSI) National Intellectual Property Rights Coordination Center (IPR Center) criminal investigators in a new public-private partnership to combat fraud and other illegal activity surrounding COVID-19.

"Since the beginning of the COVID-19 crisis, Amazon has proactively stopped more than 6.5 million products with inaccurate claims, removed over 1 million offers for suspected price gouging, suspended more than 10,000 selling accounts for suspected price gouging and referred the most egregious offenders to federal and state law enforcement across the country," said Dharmesh Mehta, Amazon VP, customer trust and partner support.

"Amazon welcomes HSI's partnership in holding counterfeiters and bad actors accountable, and we look forward to building on our long-standing relationship to protect customers and ensure a trusted shopping experience,"

"Consumer health and safety is Alibaba's top priority. We will continue to enforce a zero-tolerance policy against those engaged in illicit activity, especially with respect to products and services related to COVID-19," said Michael Evans, president of Alibaba Group. "We are proud to be part of this important collaboration and value our long-standing partnership with the Department of Homeland Security." iprcenter.gov

Beware of Online Skimming Threats During the COVID-19 Crisis
PCI SSC and the U.S. Chamber of Commerce shares guidance and information on protecting against online skimming attacks in the face of the COVID-19 crisis. On this blog Troy Leach, Senior Vice President, Engagement Officer for the PCI Security Standards Council and Christopher Roberti, Senior Vice President, Cyber, Intelligence and Security Policy & Chief of Staff of the U.S. Chamber of Commerce discuss this important topic. blog.pcisecuritystandards.org

Experian releases new version of its integrated digital identity and fraud risk platform
The ability to confidently recognize consumers and safeguard their digital transactions is becoming increasingly challenging for businesses. In addition, fraud threats continue to rise across the globe as fraudsters take advantage of the COVID-19 global health crisis and rapidly shifting economic conditions.

Experian's CrossCore® combines risk-based authentication, identity proofing and fraud detection into a single cloud platform, which means businesses can more quickly respond to an ever-changing environment. And with flexible decisioning orchestration and advanced analytics, businesses can make real-time risk decisions throughout the customer lifecycle. The newly released version of CrossCore will allow businesses to limit fraud losses and reduce unnecessary customer friction which can impact the bottom line. experianpic.com

XPO Logistics Stock Jumps 13% on Cost-Cutting, e-Commerce Growth
 

D&D Daily Survey:
How will COVID-19 impact Loss Prevention & Organized Retail Crime at your stores as the nation prepares to reopen?

The industry values your input! The D&D Daily wants to hear your thoughts as retail prepares to reopen following mass closures due to the COVID-19 pandemic.

Given the past seven weeks, we've all had a chance to think about what is going to happen as we reopen the doors, but are we prepared for the impact the pandemic will have on Loss Prevention and Organized Retail Crime?

What does ORC look like in the coming months? How are your stores preparing?

Click here to take a two-minute survey and share your thoughts!