Cyber Security Starts with Physical Security

(This article originally appeared in Loss Prevention Magazine)

When you think of cyber security, what comes to mind? For most it’s software, hackers, and computers in general. According to the FBI, “A cyber incident is a past, ongoing, or threatened intrusion, disruption, or other event that impairs or is likely to impair the confidentiality, integrity, or availability of electronic information, information systems, services, or networks.”

However, a largely neglected part of cyber security is the human component. A significant majority of cyber incidents originate from within the companies themselves, with 80 percent of cyber incidents coming from human interaction. Forty percent of threats, whether they were inadvertent or malicious, come from employees alone. Therefore, it is important to not ignore the physical security practices we know protect brick-and-mortar stores from human theft and instead apply these concepts to cyber security.

Physical Security

It is well known that education and awareness are the first line of defense in physical security—and it’s the same for cyber security. For example, you control and audit keys in a brick-and-mortar store; the same must be done for passwords. You have policy and procedure to prevent people from sharing keys; the same is done for passwords.

This also applies to access, opportunity, and supervision (or the lack thereof). In a brick-and-mortar store, this could be locking the doors, setting the alarm, and storing cash in a safe. For cyber security, it means ensuring ports are blocked, using endpoint software, and locking the server room.

You may read or hear about the “death” of traditional security methods for cyber security. Most of those articles are followed by marketing messages from companies trying to sell their software. In reality, cyber security techniques and traditional security methods are very closely related.

These are the top five cyber security practices and their physical security counterparts:

  • Use a firewall = ensure your alarm is on
  • Document your cyber security policies = document your loss prevention policies
  • Plan for mobile devices = plan how to protect your mobile devices
  • Enforce safe password practices = enforce key controls and access standards
  • Back up all data on a regular schedule = retain and back up surveillance video according to policy

Many retailers are combining physical security functions with cyber security. Almost all big box retail organizations have a loss prevention professional who is directly responsible for asset protection technology and ensures everyone’s security priorities align with the company’s best interest. Today we have more Internet-connected devices, cameras, speakers, emergency-management systems, and video-management systems than ever before. Loss prevention has a ton of connected devices in the store, and they all must be kept safe from hackers, just as a company’s computer network should be.

According to a 2018 report from the Dow Jones, cyber security firm Darktrace Ltd. reported that in 2017 a North American casino suffered a cyber attack via a digitally controlled fish tank. Webcams were instrumental in the massive denial of service attack that brought down Internet hosting giant Dyn Inc. in 2016. In January 2018, the US Department of Defense removed surveillance cameras manufactured by a Chinese company because of their concerns about security. The 2013 breach of Target Corp. was executed through an insecure air-conditioning system.

ORC and Cyber Crime

There is also a great deal of crossover between organized retail crime (ORC) and cyber crime. Today a shoplifter turns booster, then moves to fraud, then easily jumps right into cyber crime. The dark web and the Internet in general have a host of tutorials and manuals on how to commit cyber crime. For example, the darknet has groups like The Shadow Brokers (TSB), which allow people with little to no computer skills to purchase malicious software and instructions on how to deploy it. TSB even offers a subscription-like service that gives its members access to new releases of the latest tools for committing nefarious actions via computer. Put simply: anyone can search the web to learn how to become a hacker, or they can pay a subscription fee and have someone provide them all the tools.

Cyber crime is a global issue, certainly much larger than any individual retailer. If it hasn’t already, your company will have a cyber incident. Training and awareness are the keys to prevention. As loss prevention professionals, we must remain vigilant and take a balanced approach that focuses on prevention and response to a cyber incident. When an event occurs, you may be called to the table to do the criminal investigation. Forging those partnerships early will help when and if this occurs, and as an expert in physical security, you have a great deal of value to add to the investigation.

All the technology in the world won’t solve human behavior elements in cyber security or physical security. You are already a physical-security expert. You have valuable insight to help your information technology teams better protect the company. Using these examples of the similarities between cyber security and physical security, we can better learn how to use our existing skillsets in an increasingly digital security landscape.


Tom’s column regularly appears in every issue of LP Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com

What is Your Old Smartphone Worth?

If you’re looking at selling that old iPhone you have, Bidvoy is a quick and easy way to find the going price. Bidvoy looks at selling prices on sites like eBay and Craigslist so you know how much you should list your device for when you decide to sell it online.

CONTROLTEK Offers New Concealed EAS System

Bridgewater, N.J., (April 25, 2019) – CONTROLTEK, an emerging leader in retail loss prevention, now offers a new AM EAS system, in addition to their floor and door systems. The SAM-I is an “invisible” system installed inside the door frame, which makes this system completely hidden from view and complies with possible restrictions for a retail space.

“The SAM-I system is our solution for retailers who cannot install standard EAS floor antennae,” said Tom Meehan, chief strategy officer at CONTROLTEK. “This loop system is made to be hidden underneath the floor, so as not to interfere with regulations for the retail space.”

“With the launch of our loop system, we can now proudly say we offer an AM system for every retailer,” said Steve Sell, vice president of global sales and marketing at CONTROLTEK. “Our customers can choose an AM system based on their aesthetic and installation needs.”

The SAM-I was originally released as a soft launch for select customers, and it is now fully available for purchase. More information about SAM-I, along with photos and product sheet, can be obtained on the company’s website.


About CONTROLTEK
Since 1976 CONTROLTEK has been a global leader in tamper-evident security packaging, helping banks, armored couriers and retailers transport cash safely and securely. The company’s expanding line of inventory protection and visibility solutions also helps retailers protect their merchandise better and run their operations more efficiently. As a second-generation family owned business, with a history of stable growth and a reputation for strong customer focus, CONTROLTEK continues to deliver on its mission every single day: to provide solutions that protect and to always deliver on our promises.

Media Contact
Nathalie Schrans
Content and Social Media Manager
(908) 603-2704
Nathalie.Schrans@controltekusa.com

College Admissions Scammers: Scumbags or Science?

Scandal! Cheating! Pay to play! Bribery!

These words, which were once ominous and held such weight and gravity, are now in our faces seemingly every minute in curated news feeds. Does anyone feel shocked anymore when they see them? I may have been slightly shocked for a minute or two by these words in the story that just broke about the investigation into rigging college admissions and cheating on the SAT and ACT.

The FBI investigation into racketeering, among other crimes, has involved some folks who would typically not have their names found in stories like this. As of this writing, the story broke yesterday, and I’ve already read enough about it to have lost the initial shock. I have entered the numb stage I like to call “Meh.”

After all, can you really be shocked that people cheat and try to finagle a system to get what they want? Some of these people remind me of helicopter parents on steroids, like an Apache or a Blackhawk, ready to swoop in and do battle so little Suzy can get into an Ivy League school without actually putting in the effort.

Ten thousand dollars? A hundred and fifty thousand dollars? Pictures of my kid rowing in a racing boat? No problem! Whoosh, let the helicopter fly to the rescue! From my tone here, I may sound a little jaded. I have worked in loss prevention for a long time and have entered the cynical phase. I’ve come to understand that whenever a system has been put in place to regulate access to something people want, people will always find a way to get around these rules.

From the beginning of time, people (and animals) have stolen and taken shortcuts. Once an object gains intrinsic value, like Eve’s apple did once it was deemed forbidden, people will attempt to procure it by any means necessary. Has this been part of our evolution from primate to human being? Was this a way for primitive humans to save energy? It was probably a lot easier for Grog the caveman to wait until Gronk killed a gazelle, bash him on the head with a rock and steal the tasty gazelle, rather than spend the time and energy to hunt it himself.

We have spent eons perfecting our cheating ways. Just listen to any song by Loretta Lynn, and she’ll fill you in. If you’ve raised kids, you get the picture: it’s like they’re born with these innate abilities, or at least, they learn them quickly. According to Quartz, in a study on why children lie, the qualities we want our kids to have, like higher levels of executive functioning, are actually correlated with being a good liar. I’m not making excuses for this behavior. I’m just saying it doesn’t shock me.

Something I have struggled with over the years is how to not be jaded. It’s hard to spend years catching bad guys, observing behavior, doing interviews, and therefore being lied to, and not be a little cynical. When you work case after case and become invested in the time and effort you’ve put in, it’s easy to let it affect your view of the suspect.

I have to remember that we are all human and that humans have evolved to take the shortest route to what it is they want. Maybe it’s economy of scale, an evolutionary adaptation, or just laziness: whatever you want to call it, all humans engage in some form of lying, cheating or stealing.

During my career, I would catch myself feeling particularly fed up with this side of humanity, so I had to do things to give myself a break and restore some faith. I’d talk to other LP folks or to my husband, I’d volunteer or do a stretch assignment that took me out of that mindset and helped me hit the restart button.

Training and focusing on helping someone else can really help renew our belief in human beings as essentially good people.

We can’t let ourselves as loss prevention professionals become numb to what the person in front of us is going through. If you find yourself at that point, maybe it’s time for you to take a little time out. Watch some cat videos or read about people giving back—or go give back yourself.

I find the idea of scamming to get your kids into college reprehensible: it undermines all the hard work that legitimate candidates put in and takes a spot away from someone who deserves it. If you can’t get into USC or Stanford on your own merit, go someplace you actually can get into. Hopefully those involved are punished appropriately.

That said, even when the actress from Full House gets caught for (allegedly) committing fraud, it can be hard to stay positive about humanity. Just remember it might be due to human evolution, and then try to hit your own restart button. I know I find myself hitting “restart” a lot lately.


Stefanie is a regular contributor to the work of the International Association of Interviewers. To enjoy other great content from her and other contributors, please visit CertifiedInterviewer.com

Turn Bluetooth Off When You’re Not Using It

There are two reasons you should keep your Bluetooth off when you are not using it. Bluetooth uses up your battery life, so turn it off whenever possible to conserve your battery. Turning Bluetooth off when not using it also minimizes your risk of becoming a victim of hacking via security vulnerabilities. Attacks like BlueBorne are becoming more common. BlueBorne could allow any device with Bluetooth turned on to be attacked. The best way to stay safe is to turn off Bluetooth when not using it.

Internet Hoaxes and What They Teach Us About Using Social Media to Monitor Potential Threats

(This article originally appeared in Loss Prevention Magazine)

The “Momo” challenge is a good lesson for all of us. If it’s on the Internet it must be true, right? If it’s on the global news everywhere in the world it must be true, right? If my child’s school sends home a note with a warning about it, it must be true, right?

Not necessarily. According to The Atlantic, a few weeks ago a Twitter user posted a warning saying, “Warning! Please read, this is real,” with a screenshot of a Facebook post that read, “There is a thing called ‘Momo’ that’s instructing kids to kill themselves. INFORM EVERYONE YOU CAN.” The tweet was retweeted more than 22,000 times and it featured a screenshot of a scary face with the name Momo. It spread across the internet from local news to global news very quickly. Some users with hundreds of millions of followers put this out all over the internet.

Concerned parents all over the globe should not be worried about the Momo challenge; like many viral stories, it is a hoax that has been magnified by news stations and scared parents around the world. This hoax may have gained so much traction because it directly targets young children: the Momo challenge talks about children doing horrible things to themselves or people coming in to kill them. Last year there was a similar hoax from South America, claiming that Momo was targeting teens via WhatsApp.

There is no evidence to support that the Momo challenge exists. However, there are still some copycat videos, tons of news articles and several search results for the Momo challenge. This serves as a good reminder for all of us in retail loss prevention who use social media to monitor threats and events for our locations to follow a few basic steps to keep us safe.

Just because it’s in the news, even global news, doesn’t mean it’s true.

Thanks to the internet, today we can read international news just as easily as we can watch our local news television broadcast. However, this ease of access means that news sources must compete against many other sources for a smaller share of the audience’s attention, which leads to sensationalized news stories that always draw readers’ attention: local crime, accidents and disasters and missing children. Because stories about threats against children, like the Momo challenge, attract greater attention, more news sources are likely to cover them and share these stories more quickly, even without fact checking.

Because these news sources are competing for our attention, it is essential that we take one news report with a grain of salt — even better, compare it to other types of news sources. Broadcast news in particular, such as local and national TV news, tends to latch onto more sensationalized stories because they attract a lot of attention without using too much air time. More “traditional” news sources, such as newspapers, are usually more reputable, whether they are in print or online.

Look for evidence that supports what you read online.

In the past there have been major incidents, like active shooters, fires or other events, that gathered media attention, and there was almost always supporting video or photo evidence on social media.

I had personal experience with an active shooter incident from a couple of years ago. It was lunch time on the East Coast, and I received a notification from one of our many social media feeds. It read, “I see three people with guns in the building next to me.” Less than 30 seconds later an alert appeared about a 911 call of an active shooter on the West Coast. My team and I quickly started to analyze the information. We already had local TV news, police report data, 911 calls, live scanner feeds and active social media for the area saved. Within a few minutes we determined that it was a real event and that we had several stores within five miles of the threat. We also determined that the shooters had left the area and knew in what direction they were headed.

By consulting multiple sources of information, we were able to verify that the threat was real and take appropriate action in under 10 minutes to keep our field team informed and focused by providing them with real-time updates. We were even ahead of the local news by four minutes.

When your safety is not at stake, take your time.

When the threat is not immediate or risking human lives, we can take our time to verify the information. For the dozens of news sources that covered the Momo challenge, if only one of them had taken a few minutes to fact check the threat on the internet, the hoax would not have become as widespread as it did. A few moments of critical thinking can be just enough to stop a hoax from creating more panic.

The internet has changed all our lives, including our children’s. Keep in mind that everybody is a reporter, everyone has access to the same platforms to deliver information, and everyone has a high-definition camera and the computing power to create what before seemed impossible. The first reports are often wrong. Sometimes how you communicate and respond to an event is more important than the event itself. Arm your teams with good info and the rest will fall into place.


Tom’s column regularly appears in every issue of LP Magazine. To subscribe to the printed version of the magazine and enjoy other great content, visit losspreventionmedia.com

How to Use Google Assistant on your iPhone or iPad

If you love your iPhone and your Google Assistant, now you can get the best of both worlds. If you have iOS 12 or higher, you can use the Siri shortcut feature to add “Ok Google.” Once the shortcut is set up, say, “Hey Siri, Ok Google.” Your Google Assistant will open, and you can perform all your normal commands. It comes in handy if you use Apple and Google products and don’t want to commit to just one.

What Is A Zero-Day Vulnerability?

A zero-day vulnerability is a software vulnerability unknown to the vendor or maker of the target software. Until the vendor learns of the vulnerability and fixes it, hackers can exploit it. Google Chrome recently had a zero-day that was exploited by hackers. It is important to always patch or update your software regularly and address zero-days once they are discovered.

CONTROLTEK Offers New Low-Profile AM EAS System

Bridgewater, N.J., (April 3, 2019) – CONTROLTEK, an emerging leader in retail asset protection, launched a door frame-mounted AM EAS system named SAM-D, offering a lower profile option for retailers.

“The SAM-D system is a great choice for retailers who want the power of a high-end AM system with a more inconspicuous aesthetic for their space,” said Tom Meehan, chief strategy officer at CONTROLTEK. “Because of its smaller size, this door system increases available floor space, compared to a typical AM pedestal system.”

“Expanding our solutions offerings to include more AM system options is the natural progression of our growth,” said Steve Sell, vice president of global sales and marketing at CONTROLTEK. “Whether it’s AM, RF or RFID, CONTROLTEK has proven high-performing systems that can be deployed rapidly on almost any scale.”

More information about SAM-D, along with photos and spec sheet, can be obtained on the company’s website.


Don’t Automatically Connect to a Wi-Fi Network

Your smartphone, tablet or laptop is most likely set to automatically connect to any available Wi-Fi network. This could allow your device to connect to public Wi-Fi without you knowing, which has privacy risks. You can disable this feature in the Wi-Fi settings on your device. Hackers set up malicious Wi-Fi networks in order to steal information from users who automatically connect to public networks at hotels, airports and coffee shops. It is generally safe to automatically connect to known networks like home and work.