Rhett Asher is the executive vice president and director of retail solutions for Fortalice Solutions. He has over 25 years of leadership experience in the fields of retail, sales, and business development. Prior to joining Fortalice, Asher served as the director of business development for CONTROLTEK, USA and was vice president of several national industry trade associations. He can be reached at rhett [at] fortalicesolutions.com.
How does cyber security impact the retail industry?
Fundamentally, we view cyber security as a brand-protection issue. Many people get lost in the technicality of the cyber world and forget that, at its core, cyber is about protecting people, their data, their privacy, and, ultimately, their choices. This is especially true in the retail industry when cyber criminals can extrapolate patterns about someone’s life from their purchase history, which could be used to exploit or victimize them. Retailers who protect their customers’ choices ultimately provide a superior customer experience and are able to maintain the level of credibility, loyalty, and trust they’ve built. Unfortunately, it only takes one data breach to cause significant, and sometimes irreparable, damage to a company’s reputation.
How do retailers know what to protect first?
For smaller businesses, adding cyber security to the list of things to be worried about may seem overwhelming. I get it. But the reality is that cyber security is so deeply intertwined with the rest of asset protection and loss prevention (think about things like gift card fraud, supply-chain management, social engineering, credentialing theft, skimming, and so forth) that you may already be tackling it unknowingly. The most important thing is to determine what your two or three most precious digital assets are and devise a strategy to protect those first, then move down your list as time and resources allow. For some businesses, it could be customer financial data or buying history; for others it will be merchandise integrity and employee access. I highly recommend partnering with a cyber-security professional-services firm that allows you to customize offerings that tailor to your specific needs.
How do we integrate different teams within the company on cyber security?
I hear this a lot and know that diverse organizations, especially those with multiple locations like retail, struggle with how to best communicate cyber-security policies and procedures across the company. The first thing I’d suggest is to hold a one- or two-day tabletop exercise where all parties involved come together and practice a digital disaster. Think of this as your dress rehearsal if you ever find yourself in the middle of a breach. You certainly don’t want to be figuring out which teams do what when you’re in the midst of a crisis. This way, everyone from legal, marketing, C-suite, loss prevention, IT, and so forth all know what part they are to play. They can practice how to communicate effectively and ultimately can mitigate damage quickly and efficiently.
Where do you think retailers should start in fighting cyber crime?
I am a big believer in the fact that you can’t know what to do to stop a breach until you know where you are vulnerable, and for that reason I highly recommend every company complete a full-scale cyber-risk assessment with a penetration test. Basically, that is an audit of places in which your company is vulnerable and where a cyber criminal could exploit you most easily. A fascinating example I tell often is that the Target breach, one of the most notorious in recent years, happened because a cyber criminal was able to find a vulnerability in one store’s HVAC system and move from there into the main network. That’s how they got all the customer financial information! Cyber criminals and hackers thrive on being able to outsmart their adversaries, so it’s up to us in the asset protection and loss prevention industry to partner with our cyber-security teams in an effort to outmaneuver criminals and think one step ahead.
What is your advice to LP professionals to translate their expertise in loss prevention into the technical or cyber-security world?
There are a lot of correlations from the physical security world to the cyber-security world, so many loss prevention and asset protection professionals are more in touch with cyber security than they may give themselves credit for. These men and women are natural investigators, so they already have that creative “criminal posture” critical thinking needed to assist and get involved. They are always searching for the criminal’s end game, anticipating their attack vectors and how to plan for and mitigate them. As their companies and the world become more digitally interconnected, I see it as a natural progression for their unique “brand protection” skills and expertise.