When Retail Fraud Is An Inside Job

The traditional view of cybercrime is that it is conducted by shadowy figures far removed from the businesses they attack. But, as a number of recent surveys show, that’s not always the case. Threats from within are as serious as ever for retail companies, and not as many as you think are giving them the necessary weight.

SHUTTERSTOCK

When it comes to a retailer protecting its assets — digital and otherwise — the intrinsic assumption might be that the focus ought to look outward. But the reality is that the greatest security threat facing retail companies, according to a number of recent surveys, often comes from within.

And we’re not just talking about sales floor employees with occasionally sticky fingers (although we are talking about that, to some degree); we’re talking about advanced cybercrime.

In a story posted yesterday (Feb. 23), the National Retail Federation (NRF) reviewed various research efforts that mete out how serious the threat against companies’ digital data from their own internal employees is — as well as, perhaps even more seriously, the fact that many retailers might not be considering that threat.

The outlet points to a recent survey from global background screening firm First Advantage showing that 60 percent of respondents (out of 337 business professionals) cite employee background screening as the most important security control that can be put in place to protect organizations — more than anti-malware (at 53 percent) and physical security (at 39 percent).

As the NRF story points out, although the fact that 98 percent of respondents to the First Advantage survey stated that it was important to screen employees indicates a general awareness of the threat of internal fraud, not nearly as many companies take action regarding it. Sixty-one percent of those that employ the survey respondents never rescreen employees, and, of those that do, only 13 percent engage in the practice annually, with 10 percent of companies doing so every other year.

It would appear, then, that not a lot of retailers are putting their money where their mouth is when it comes to protecting against cybercrime from within their own operations.

That kind of disconnect is reflected in another survey that the NRF story shares — the U.S. State of Cybercrime survey, conducted by PricewaterhouseCoopers.

In that particular piece of research, 28 percent of respondents acknowledged the possibility of company insiders engaging in digital data theft against their own employers. However, only 49 percent of them stated that their companies had a plan for dealing with those very threats — a potentially damaging oversight that PricewaterhouseCoopers accounts to the likelihood that such incidents, in practice, “typically fly under the media radar.”

Indeed they do, particularly in comparison to the high-visibility data breaches that befell Home Depot and Target a couple years back — instances where, of course, the cybercriminals responsible came from outside the company, thereby fitting the popular notion of how such fraud typically operates.

But, as Bob Goodwin, vice president of sales at First Advantage, warned: “It only takes one large dramatic incident to land a company’s brand name on the front page of major newspapers, not only creating significant financial losses and legal liabilities but also eroding consumer trust in that company’s brand.”

And, at that point, it doesn’t matter where the cyberattack originated; if anything, consumers may be more likely to distrust a retail brand moving forward if it’s revealed that it can’t protect itself — and, thereby, its customers’ data — against threats that exist under its own roof (as it were).

In the relative good news department, the NRF highlights one retailer in particular that is on the right track in addressing potential internal fraud: IKEA. The outlet shares that the furniture and home accessories seller has, since 2009, employed the practice of screening and rescreening third-party contractors in two-year intervals.

Vic Jacinto, deputy risk manager for IKEA North America Services, explained to the NRF that his company began doing so “after realizing that our contracts with various contractors included demands for background checks, but we had no way of controlling the quality or depth of those checks and no legal way of viewing the results.”

“We wanted to implement a background screening program that was consistent,” he continued, “and would create more customer assurance when our contractors were entering their homes.”

Jacinto further remarked that IKEA’s rescreening policy has “greatly reduced our risk of negative incidents.”

The NRF story connects that positive impact to advice that Goodwin shares regarding the potentially significant return on investment that retailers can benefit from should they implement more rigorous employee screenings as a means of self-protection.

The practice is “not people-intensive. It can be done online,” he told the NRF. “It does not cover as many areas as a screening for a new employee. It only focuses on changes over time that we should know about, primarily criminal offenses. Ideally, rescreenings should be done once a year or, at least, once every two years.”

“If a retailer is typically losing even just 1 percent of their sales to shrink, they are suffering an enormous expense,” continued Goodwin. “Investing in what has been identified as their greatest area of vulnerability, by rescreening employees, retailers can reduce their risks. At the same time, their ability to protect their brand and keep the trust and confidence of their customers will be significantly strengthened.”

While any customer would be keen to avoid shopping at a retailer that has recently suffered a data breach, they would find even greater cause to take their business elsewhere if it turned out that breach came from within.

After all, if a retailer can’t even protect itself from its own people, how are customers supposed to expect it to protect them?