The word of retail is no doubt a very large one.  When one thinks of it, it is the traditional mom and pop stores, the shopping malls, the grocery stores, and the even the bookstores (such as Barnes and Noble, but this is going to be bought out according to recent news). 

But keep in mind, retail also includes the fast food chains, restaurants, etc.  In other words, wherever you are directly dealing with a customer directly and they make payment goods and services on the spot without signing a contract can be considered to be as retail.

Especially in the restaurant business, Cyberattacks are growing.  We all keep hearing stories about this, and there does not a day that goes by in which you hear about some fast food chain or joint being with hit with some sort of malware that has been designed to steal the credit card information of people.

In fact, there is a special term for financial losses in the retail industry, and this is known as “shrink”.  It can be specifically defined as follows:

“Shrinkage is the loss of inventory that can be attributed to factors such as employee theft, shoplifting, administrative error, vendor fraud, damage in transit or in store, and cashier errors that benefit the customer. Shrinkage is the difference between recorded inventory on a company’s balance sheet and its actual inventory.”


So as you can see, this is a metric that reflects total inventory loss, and the percentage of it that impacts the bottom line to a retail business.  Traditionally, shrink was thought of more as losses causes by employee theft, outside shoplifters, and even robberies.  But now, losses caused by a Cyberattack are now starting to be incorporated into this metric as well.

According to the National Retail Security Survey, which was conducted by the National Retail Federation and the University of Florida, total retail shrink reached a whopping $50.6 Billion in 2018.  This is a nearly a $4 Billion increase from a year ago (which stood at $46.8 Billion).  Here are some of their findings:

*Robberies cost at an average of $2,885.15;

*Employee theft cost an average of $1,264.10;

*Outside shoplifting cost an average of $546.67.

Interestingly enough, although 43% of the retail owners claim that fraud is happening internally in their stores, roughly 52% of them also state that the level of fraud is now happening at the Cybersecurity level.  This means one of two things:

*Some sort of fraud is occurring at the E-Commerce site of the retail store;

*Or, the purchase is made online, but the pickup of the actual product is done at the store (meaning somebody paid for it, but the intended recipient did not pick it up – somebody else did.  Because of this, there is now a heightened level of fear of what a Cyberattack can do to a retail business.  For example, this is what the survey found in this regard as well:

*68% of the respondents feel that Cybersecurity remains a top issue;

*65% are concerned about credit card theft/fraud occurring at their respective E-Commerce sites;

*51% believe that products that are purchased online are picked up at the store by somebody else (as just stated);

*60% of the respondents are afraid of a large-scale Insider Attack from occurring;

*65% are fearful of some sort of Organized Retail Crime (ORC) occurring.

While 89% of the respondents now see that there is an overlap between the job duties between the Loss Prevention (LP) and Cybersecurity teams, many of them feel that the LP teams are brought in only after a Cyberattack has occurred, as reflected by these numbers:

*Only 30% of the LP teams are actually involved with investigating Cybersecurity issues;

*60% of them are only called in for incident response;

*26% of them are actually involved with conducting a threat-based analysis.

My thoughts on this?

I had a short stint in retail many, many years ago, when I was an assistant manager at a Jewel-Osco located here in Naperville.  The fears back then were more about teenagers posing as adults to buy liquor, and of course, theft either caused by employees or customers.  Never did the thought of Cyberattacks exist back then, nor even heard of.

But obviously, we live in a different world today. Rather I should say, a much more different one.  For example, people don’t traditionally visit brick and mortar stores anymore, rather, they love the idea of online shopping, and having stuff straight delivered to their doorsteps. 

But with this, even despite all of the security measures that a retail store can take both on their online and physical premises, Cybersecurity attacks will continue, but worst yet, they will continue to grow.  And because of this, it is of paramount importance that all of the teams in a retail store work together to prevent Cybersecurity issues.  The teams I am talking about are the LP and the IT Security staff. 

Gone are the days when LP just had to worry about physical inventory at the store, and IT Security just had to worry about password resets.  Because of the Cyberthreat landscape that has come out about today, there now has to be a convergence between these two teams.  Intelligence sharing is a must and should be of top priority. 

For example, if LP picks up something about a potential threat vector, they have to communicate that the Cybersecurity team so that they can conduct any threat hunting exercises if needed, and to keep a vigilant eye on the E-Commerce front and backends.  Likewise, if the IT Security team picks up a suspicious looking person on their CCTV cameras, they should be able to immediately contact a person on the LP team to further investigate.

In the end, its all about the bottom line, keeping credibility, and most importantly, keeping existing customers and getting new ones.  After a security breach has occurred and has made the public headlines, it takes only a matter of a few minutes to lose an entire customer base.  Worst yet, it can take years to rebuild that all back up again. 

Finally, the more information about this study can be seen at this link: