Keeping Stores Safe & Reducing Crime Takes a Layered Approach
Retail security threats continue to grow and become more complex

Navigating retail security challenges: A comprehensive approach

Protecting retail spaces requires a thorough security approach to keep employees and guests safe.

In the dynamic landscape of the retail industry, loss prevention professionals continually grapple with a diverse range of challenges that evolve with the times. From internal threats like employee theft and collusion with organized retail criminals to external challenges such as organized retail crime (ORC), flash mobs and smash-and-dash incidents, retailers face a complex security environment. This article investigates these complicated issues, highlighting the necessity for innovative solutions and an initiative-taking, technology-driven approach to enhance security measures.

Employee theft and collusion

Employee theft and collusion with organized criminal elements present significant risks to retailers. The National Retail Federation's (NRF) 2023 National Retail Security Survey disclosed that approximately one third of retail theft losses were attributed to employee theft, including instances of collaboration with organized retail criminals.

Recent findings reported in a 2023 article in Security Magazine emphasize the urgent need for robust pre-employment screening. This article revealed that ORC leaders strategically recruit employees without criminal backgrounds and target disgruntled individuals within the workforce. A promising solution gaining traction in the industry is the use of automated behavior assessment software, exemplified by tools that select out undesirable applicants.

A landscape of challenges

Organized retail crime has witnessed a surge driven by various factors such as social unrest, an increase in felony theft limits and the ancillary fallout from the COVID-19 pandemic. ORC groups have become more violent, and political changes in power have added another layer of complexity to the situation.

To combat external threats, retailers are adopting intelligence-gathering methods monitoring social media and implementing physical barriers like nylon mesh, crash-resistant window coverings, bollards and video analytics linked to point of sale with exception-based reporting. Additionally, retailer cooperative groups, such as the Organized Retail Crime Associations and the Coalition of Law Enforcement and Retailers, play a crucial role in information sharing and collaboration.

A layered approach: securitymagazine.com
 

UK: 850 Violent & Abusive Attacks on Retail Staff Per Day
Calls for more police action as violence and abuse towards retail staff doubles
Violent and abusive attacks on retail staff have almost doubled since pre-pandemic levels, a new crime survey can reveal. More than 850 incidents have been recorded daily in the UK between 2021 and 2022, which include racial and sexual abuse, physical assault, and threats with weapons.

This is a jump from the 450 attacks per day that happened in the year 2019 to 2020, before Covid hit.

While campaigners secured new protection for workers in the Police, Crime, Sentencing and Courts Act last year, the latest grim statistics have prompted calls on the Home Office to do more to ensure this is properly enforced, and that there is adequate police resources for protection.

Senior police officers have said they fear the anti-social behaviour is becoming "normalised." The latest figures were released in the British Retail Consortium's (BRC) Crime Survey, published on Thursday.

Some 70 out of the 850 daily incidents are occurring in Scotland, according to Ewan MacDonald-Russell, deputy head of the Scottish Retail Consortium (SRC).

He said the figures are "utterly unacceptable", and insisted "police and courts make tackling retail crime a priority".

The study also found the total cost of retail crime stood at £1.76 billion in the last year. A total of £953 million was lost to customer theft, with eight million incidents of theft reported from the retail sector over the year.

In the same year, retailers spent £715 million on crime prevention, according to the report.

While some costs are critical in protecting colleagues, the BRC said this meant higher prices for customers because of the retailers' increasing operating costs for safety.  uk.movies.yahoo.com


Small Towns & Big Cities Alike Fight Theft
Clinton County, IA has new tool to fight retail theft
"It isn't just shoplifting and it is more than professional shoplifting." That was theme of a recent seminar that Clinton County Attorney Mike Wolf, County Attorney Investigator Tom Bohle, and I attended in Des Moines for an Organized Retail Theft Conference. The seminar was hosted by Hy-Vee and featured security teams from Kohl's, Home Depot, WalMart, Caseys, and more.

Every year, Iowans lose an average of $500 per person to organized retail theft. In addition, it results in higher prices for consumers, loss tax revenue, closed businesses, and then unsafe goods on the underground market. Nationwide, grocery stores lose over $100 billion in product to organized retail theft.

In response, the Legislature gave Clinton County's Attorney Office a new tool to address this trend of organized retail theft with a specific law with teeth aimed at organized retail thieves. We want to get the word out among retailers what we may bring to bear to prevent and punish this crime.

This is not just a Clinton issue, but it does impact our local stores. They can be rural locations hit for their lack of staff, dollar stores, pharmacies, box stores, electronics, and more.

Every case filed with the Attorney's office have been prosecuted. One issue is that sometimes it's the low person on the totem pole and/or we haven't been able to link a theft at one of our stores with a wider conspiracy.

There are also prosecution strategies that will be discussed. At the state level, our corporate partners will continue their conferences and create a consortium to tackle the issues.

Knowledge is power, and we ask that you update your mental image of shoplifting. It will help us tackle this issue when the public sees our plan to combat organized retail theft as part of public safety. The result will be savings for you the citizen, through lower prices and more tax revenue.  clintonherald.com


Prosecutors Try to Derail Supermarket Mass Shooter's Insanity Defense
Colorado supermarket shooter was sane at time of attack, state experts say

Ahmad Al Aliwi Alissa, who is accused of killing 10 people inside a Boulder King Soopers, had an untreated mental illness at the time of the 2021 attack but was legally sane, lawyers said in court Tuesday

State experts have found the man charged with shooting and killing 10 people at a Colorado supermarket in 2021 had untreated mental illness but was legally sane at the time of the attack, lawyers said Tuesday.

The results of the sanity evaluation of Ahmad Al Aliwi Alissa done at the state mental hospital are not public but were discussed during a court hearing.

According to the defense, the evaluators found that the attack would not have happened but for Alissa's untreated mental illness, which attorney Sam Dunn said was schizophrenia that included "auditory hallucinations." He also said the evaluators were "less confident" in their sanity conclusion than they would be in other cases but did not elaborate on why.

Prosecutors did not provide any details of their own about what the evaluators found during the hearing. District Attorney Michael Dougherty, who said he is limited to commenting on what has been made public about the evaluation, declined to comment on Dunn's description of the evaluation's findings.

Alissa has pleaded not guilty by reason of insanity in the March 22, 2021, shooting at a King Soopers store in the college town of Boulder. The plea means his lawyers are claiming he did not understand the difference between right from wrong at the time of the shooting and therefore should not be convicted of a crime.

Investigators say he researched how to carry out a mass shooting before he launched his own attack and targeted moving people, killing most of the 10 victims in just over a minute using a gun with a high-capacity magazine. coloradosun.com


More Countries Adopt Facial Recognition to Fight Crime
Police in Germany using live facial recognition
Police in Germany are employing high-definition cameras and live facial recognition to catch suspects, raising legal questions in the wake of the European Union's AI Act.

The system, which is deployed by police in the German eastern State of Saxony and in Berlin, can process facial images "with a time delay of a few seconds," the Berlin public prosecutor's office told German media outlet Netzpolitik.

Details of the surveillance system have been kept under wraps but it is thought to be linked to the Personal Identification System (PerIS) used by the Saxony police. The system, created by Bremen-based Opto Precision, was first introduced as a pilot project in 2019 to combat serious cross-border crime. The pilot ended in August 2023 but the system continued to be used in the city of Görlitz near the border with Poland.

In a statement last year, a spokesperson of the Ministry of the Interior said that automatic biometric data is the exception and not the rule in the use of PerIS and can only be carried out if the legal requirements are met.

Mexican tourist spot introduces facial recognition

The Mexican island of Cozumel is beefing up its security with facial recognition. The popular cruise ship destination received its Command and Control Center (C2) which officially became operational last week.

The Center will help manage the island's 262 surveillance cameras outfitted with facial recognition, video analytics and license plate reading (LPR) capabilities, local news outlet Riviera Maya News reports. biometricupdate.com


America's New Mass Shooting Epicenter
Is Florida the nation's epicenter of mass shooting events?
Florida has emerged as the nation's epicenter of mass shootings - with 13 mass shooting events occurring across the state so far this year. That's more than in any other state, according to the Gun Violence Archive.

Defined as any incident in which at least four people are shot or killed with a gun, there already have been 148 mass shooting events across the country in 2024.

Since the beginning of the year, 14 people have died in 13 mass shootings across Florida. According to the Gun Violence Archive, California closely trails the Sunshine State with 12 mass shootings, followed by Texas with 11.

However, in terms of the number of people killed in mass shooting events, so far this year, Illinois leads the nation, with 22 victims killed.  gulflive.com


Maryland One of the Last Progressive States Without ORC Law
Push for stricter laws on organized retail theft in Maryland
Retail theft is now over a $100 billion problem in the United States. Maryland is one of the last blue states that has yet to pass an organized crime law. Retailers and lawmakers are trying to figure out how to fix the problem. baltimorepostexaminer.com


The 10 Most Dangerous States in America

Gun violence takes its toll in Allen beyond a mass shooting
 

Tying Executive Compensation to Cybersecurity Goals
Microsoft Will Hold Executives Accountable for Cybersecurity

At least a portion of executive compensation going forward will be tied to meeting security goals and metrics.

Microsoft will make organizational changes and hold senior leadership directly accountable for cybersecurity as part of an expanded initiative to bolster security across its products and services.

Microsoft's executive vice president of security, Charlie Bell, announced the plans in a blog post last week that appeared designed to reassure customers and the US government of the company's commitment to advancing cybersecurity in the face of a rapidly evolving threat landscape.

Instilling Accountability

"We will instill accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones," Bell said. "We are also taking major steps to elevate security governance, including several organizational changes and additional oversight, controls, and reporting."

The new measures include adding a deputy CISO to each product team, having the company's threat intelligence team report directly to the enterprise CISO, and having engineering teams from across Microsoft Azure, Windows, Microsoft 365, and security groups work together on security.

Bell's comments came roughly a month after the US Department of Homeland Security's Cyber Safety Review Board (CSRB) identified Microsoft as needing to do more at a strategic and cultural level to improve its overall cybersecurity practices. The CSRB found Microsoft could have prevented a high-profile cyber incident last year when Chinese cyber-espionage group Storm-0558 breached the company's Exchange Online environment and accessed user emails from some 25 organizations, including government agencies. A subsequent Microsoft investigation showed the breach had stemmed from a series of avoidable missteps.

In November 2023, Microsoft announced an enterprisewide Secure Future Initiative (SFI) to implement measures for protecting against similar and emerging threats. Under the initiative, Microsoft said it would harness automation, AI, and threat modeling to continuously integrate security during code development, testing, deployment, and in production. Microsoft also promised that it would integrate more secure default settings across its product portfolio so customers would be better protected right out of the box. In addition, Microsoft said it would implement stronger identity protection and improve cloud vulnerability response and mitigation times by half.  darkreading.com


Stricter Security Needed to Fight Insider Threats?
Spies Among Us: Insider Threats in Open Source Environments

Does the open source ecosystem needs stricter security around contributors?

If you have not yet heard about a critical vulnerability found in XZ Utils, you aren't paying attention to critical security news. After all, the discovery of a backdoor in a widely used Linux tool was serious enough to provoke comparisons to the infamous SolarWinds hack. Even Linux creator Linus Torvalds himself talked about it at Open Source Summit North America in Seattle. The malicious code made its way into beta versions of some Linux tools, which means it came very close to being widely propagated. That would have been a flat-out disaster for the entire open source Linux ecosystem.

A New Kind of Espionage

While we've seen sabotage through protestware, this sort of undercover espionage is new to the open source community. In fact, Anjana Rajan, the assistant national cyber director at the White House Office of the National Cyber Director, has likened it to an open source insider threat to open source, similar to the sort of an internal corporate hack we see from a disgruntled employee. Even worse, this insider had access to other projects and, in retrospect, those submissions look suspicious.

And that's a big deal. How does a community built on trust respond effectively to the reality that there are spies in their midst? Because if there is one, there are probably more.

Most maintainers will likely ignore the entire thing, but it's certainly fair to ask whether the open source ecosystem needs stricter security around who contributes. Should there be some sort of external certification process? And if so, how would you get developers to buy into a (likely) pain-in-the-neck process for work that they often do for free?

And more broadly, it highlights an ongoing flaw of open source - maintainers doing often thankless but important tasks without any credit or compensation. According to the earlier cited Politico article, there are some signs that the attacker focused on XZ because the developer was maintaining the project solo and was overworked. That sounds pretty similar to a disgruntled employee to me.

CISOs Should Consider These Security Steps: darkreading.com


Mitigating AI Risk
Feds: Reducing AI Risks Requires Visibility & Better Planning

While attackers have targeted AI systems, failures in AI design and implementation are far more likely to cause headaches, so companies need to prepare.

When the US Department of Energy (DoE) analyzed the use of artificial intelligence and machine learning (AI/ML) models in critical infrastructure last month, the agency came up with a top 10 list of potential beneficial applications of the technology, including simulations, predictive maintenance, and malicious-event detection.

Predictably, the DoE also came up with four broad categories of risk: unintentional failure modes, adversarial attacks against AI, hostile applications of AI, and compromise of the AI supply chain.

The DoE is not alone - the Biden administration is driving an extensive government assessment of the benefits and risks of using AI, especially in the critical infrastructure networks. On May 3, for example, the Department of Transportation issued a request for information asking for interested parties to describe both the benefits and dangers of AI to the transportation system. On April 29, the Department of Homeland Security (DHS) spelled out its own take, describing three broad categories of risk: attacks using AI, attacks targeting AI systems, and failure of design or implementation.

Yet the DHS also gave broad recommendations on how organizations can mitigate the risk of AI, focusing on a four-part strategy: governing by creating policy and a culture of risk management, mapping all the current assets or services using AI, measuring by monitoring the ongoing usage of AI, and managing by implementing a risk management strategy.

It's a good, broad overview of what organizations need to do to mitigate AI risk, but it's just a start, says Malcolm Harkins, chief security and trust officer at HiddenLayer, an AI risk management firm. darkreading.com


68 tech, security vendors commit to secure-by-design practices
CISA said companies ranging from Microsoft to Palo Alto Networks signed the voluntary pledge in an effort to boost resiliency and increase transparency around CVEs and cyberattacks.

Why SMBs are facing significant security, business risks

Regulators are coming for IoT device security