Fighting the New Breed of POS: Targeting Cyber Attacks
By Jason Fredrickson, Guidance Software
The recent cyber attacks on Target, Neiman Marcus and Michaels Stores had an immediate and profound impact on sales, as well as a widespread and ongoing ripple effect on consumer confidence in the safety of credit-card information at point-of-sale (POS) terminals.
Retail executives are now faced with increasing scrutiny by standards councils, the U.S. Securities and Exchange Commission and even Homeland Security, as well as the potential for personal liability for data breaches and a long-term blow to corporate reputation.
But there’s good news. Most retail organizations already have the right mindset to deal with this security problem. Aside from law enforcement, perhaps no industry understands the importance of security better than the retail industry, which excels at practicing due diligence in theft detection in the physical world. It’s just a matter of applying the same attitude to the network side.
Network ‘Cameras’ Should Face both Outward and Inward
The bottom line for all these breaches is this: it’s all credit-card fraud, regardless of whether it was millions of customers’ credit-card data exposed as a result of a third-party vendor losing control of an authentic login and password (as was the case at Target), or a cashier swiping a single customer card into her iPad.
According to one of the computer security industry’s most trusted annual reports, the Ponemon Institute’s Cost of Cyber Crime Study released in 2013, it takes an organization an average of 80 days to detect a breach and 123 days to remediate it. Visa’s move to chip-and-PIN technology by 2014 for most North American cardholders will help, but it will only get us part of the way toward stronger security.
Let’s examine the problem by drawing a parallel to the “real world.” To prevent theft from occurring within your bricks-and-mortar stores, you no doubt have a theft detector at every door. And you have cameras covering the interior of the store itself.
But if you have theft detectors, why do you need cameras? Because theft detectors are not sufficient in and of themselves. Some thieves are clever and prepared enough to find ways around the detectors, whether by breaking them, removing the tags or other approaches. The systems prevent some theft some of the time, but experience has shown that your teams must supplement that methodology by watching for theft within the store itself!
Most Security Has Already Been Breached
Information security professionals take the same layered approach by architecting security systems that provide different perspectives and defensive methods in the fight to keep hackers out. This is what we in the industry call “defense in depth.”
The Ponemon Cost of Cyber Crime Study also reported the disturbing statistic that 15% of all cyber attacks originate with the assistance of corporate partners or other insiders. And, all too often, the signs of impending attacks go undetected by traditional network alerting systems. In the same way that human resources professionals would not consider a good interview with a future employee to be sufficient information for a permanent judgment of his or her trustworthiness, information security teams in retail organizations cannot afford to assume that everyone with an accepted login and password at network security checkpoints is operating above board.
The bottom line is this: a single point of evaluation – what information security teams call “perimeter defense” – is simply not enough.
How Target’s Well-Designed Data Protection Systems were Foiled
At Target, the now infamous attack began with the cyber attackers logging in with valid and authorized login credentials that had been issued to a trusted HVAC vendor, who either willingly or inadvertently shared them with the attackers. This means that the login was considered authentic to network security systems, and the hacker gained entry with no resistance. The alerting systems set up by Target’s highly regarded information security team did not fail. The user login and password were on the “good list.”
If the attackers can penetrate the perimeter, is there any hope? Of course, but it means adopting the same mindset we use in the physical world. Just as your employees watch for strange behavior in their stores, security teams must operate under the assumption of compromise. If we assume the invaders are past the gates, we must now gain visibility to every endpoint — every laptop, data server and POS terminal — within our organizational networks in order to proactively hunt for signs of unauthorized or anomalous behavior.
Television shows like CSI and NCIS illustrate what many law enforcement forensic investigators refer to as “Locard’s Principle,” which is that every contact leaves a trace. The same can be applied directly to network security, as perpetrators will always leave behind some indication of their presence. The challenge is to find evidence of the compromise before the initial phase of the attack has been completed and while potential evidence can be captured from volatile data on affected endpoints, then preserved for analysis and possibly for delivery to relevant legal authorities.
Recommended Steps for the New Age of Cyber Attacks
My recommendations to retail chain executives and their information security teams to help ward off POS cyber security attacks are as follows:
• Create an incident response plan and regularly test your plan.
• Perform a sensitive data audit to find out which and how many instances of sensitive data, such as personally identifiable information (PII), credit-card data and intellectual property, exist on the network, and where they’re stored. This gives you an idea of where the valuable goods are on your network. For instance, you’re probably a lot more concerned about theft at the jewelry counter than in the sock aisle.
• Remove any unauthorized instances of that sensitive data according to your information-governance policies, so that you minimize your exposure.
• Create and regularly update baselines of normal activity for each of those endpoints.
• Assign information security specialists to proactively hunt for anomalies in near-real-time reports of endpoint activity. These are the signs that your network has been breached and the attackers are inside.
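The audit and baseline steps above can be prototyped in a few lines of Python. This is an added illustration, not code from the article or from Guidance Software: the endpoint names, file paths, process names and file contents are constructed, and the card numbers are standard public test values.

```python
import re

# Constructed sample data: file contents and process lists per endpoint.
# The card numbers are public test values, not real accounts.
FILES = {
    ("pos-017", "C:/temp/export.csv"):
        "id,card\n1,4111 1111 1111 1111\n2,1234567890123456\n",
    ("hr-share", "/srv/share/notes.txt"):
        "refund to 5555-5555-5555-4444, ticket 20140301\n",
    ("web-01", "/var/log/app.log"): "order 1002003 shipped\n",
}
BASELINE = {"pos-017": {"pos.exe", "svchost.exe", "av_agent.exe"}}
OBSERVED = {"pos-017": {"pos.exe", "svchost.exe", "av_agent.exe",
                        "unknown_svc.exe"}}

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits so the report itself holds no PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit(files):
    """Map (endpoint, path) -> masked Luhn-valid card numbers found there."""
    report = {}
    for location, text in files.items():
        hits = []
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append(mask(digits))
        if hits:
            report[location] = hits
    return report


def deviations(baseline, observed):
    """Map endpoint -> processes running now that its baseline does not list."""
    out = {}
    for endpoint, procs in observed.items():
        extra = procs - baseline.get(endpoint, set())
        if extra:
            out[endpoint] = sorted(extra)
    return out


if __name__ == "__main__":
    for (endpoint, path), hits in audit(FILES).items():
        print(f"{endpoint} {path}: {hits}")
    print("not in baseline:", deviations(BASELINE, OBSERVED))
```

The audit output tells you where card data sits outside approved locations; the deviation list is the starting point for a hunt, not a verdict, since a new process may be a legitimate update that belongs in the next baseline.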
Only when you can track and report on endpoint activity in concert with perimeter network security can you close the loop on your security defense strategy. Doing this is the best way to prevent the bad guys from succeeding at their ultimate goals — access to your sensitive, valuable data.
Jason Fredrickson is the senior director of enterprise application development at Guidance Software. He hires, trains and runs software teams turning developers into leads, leads into managers and managers into developers. He can be reached at [email protected].
Real Estate’s 10 Under 40
Ten years ago, demographic experts predicted a looming talent shortage: When the massive baby boom generation retired, the small Generation X would not have enough experienced leaders and managers to fill the positions that boomers would vacate.
Today, that prediction is coming true. The solution? The under-40 millennial generation will have to pick up the slack. In the retail real estate world, at least, millennials are stepping up. Based on a nationwide search and nominations from their peers, Chain Store Age has selected 10 of these rising stars to watch and to emulate.
Brian Strickland, age 39
Division VP – Portfolio Management
Brian Strickland and his Family Dollar team will touch 2,375 stores — plus or minus — during this fiscal year. They will open 525 new stores; relocate, renovate or expand 750 to 800 stores; and renew leases on 1,100 stores.
That seems impossible.
“The most challenging part of our work is the volume of deals we evaluate and decide on each week,” said Strickland, division VP – portfolio management. “What makes it possible is excellent team members and excellent technology.”
Strickland had a hand in developing the technology used by his 60-member internal real estate team and approximately 15 external developers.
He pushed to develop an enterprise real estate solution that enabled users to acquire, display and map demographics. It facilitates data editing, captures notes and photos and attaches them to specific stores on the map retrieval system.
Designed by Attleboro, Mass.-based Trade Area Systems, the enterprise application went operational about two years ago. Since then, Family Dollar has reduced site evaluation times by 67%.
When reviewing stores, a user can click on a store in, say, the Charlotte, N.C., market. Within seconds, the system pulls up real estate characteristics, lease terms, financials P&Ls and more.
“Combine that with the really good team we have here, and life is good,” smiled Strickland. “As an analyst, you want to make solid, fact-based decisions. My vision here is to provide our decision-makers with access to data and analytics that will help them answer questions fast and make the right decisions.”
In addition to analyzing and making decisions about thousands of Family Dollar stores every year, Strickland is an instructor in the graduate level course on real estate market analytics at the University of North Carolina at Charlotte.
Makes you wonder what he does in his spare time.
Larry Sajdak, age 34
Inland National Real Estate Services
Oak Brook, Ill.
Larry Sajdak first joined The Inland Real Estate Group of Companies as a college intern in 1998. He was 18 and considering careers in chemistry and business.
Business won. After college, Sajdak returned to Inland and blasted off. After two years, in 2004, he moved into retail real estate, earned three promotions in two years and ended up as VP asset management for Retail Properties of America in 2006.
Today, as president of Inland National Real Estate Services since 2011, he directs property management for the retail real estate portfolio owned by Inland Real Estate Income Trust. The relatively new IREIT is still raising money to invest. Current holdings include 16 necessity-based grocery-anchored centers and big-box centers.
Sajdak emphasizes due diligence to make sure the trust acquires properties that fit today’s environment — limited new shopping center development and lots of online competition.
“We buy centers leased to retailers that can compete with online,” he said.
On the operations side, Sajdak is proactive without micromanaging. He wants his team to run the assets. He asks for national credit tenants and promising local tenants. He retains consultants to provide local tenants with the marketing and operational tools central to retail success.
Sajdak also helps local tenants with mobile marketing. IREIT centers have websites with mobile apps that can push out promotional notices to mobile phones.
Success came quickly to Sajdak perhaps because he doesn’t take all the credit. “One reason I’m sitting here at 34 is the quality of the IREIT team,” he said. “Our director of leasing, for instance, spent most of her career working for large national retailers. Now she has five years on the landlord side. There are other similar examples. I’m lucky to have that level of experience around me.”
Chris Littrell, age 39
Director of Real Estate
Nike Factory Stores
Chris Littrell is a consensus builder. “I don’t bring ego or agendas into the workplace,” he said. “I listen and look for common ground and solutions.” That’s Nike’s style, too.
As director of real estate for Nike Factory Stores, Littrell manages 185 stores and plans to add another 15 or so stores this year.
Nike Factory Stores sell closeout merchandise taken from the shelves of full-priced retail partners’ stores. Littrell locates the stores in top-tier centers and in communities where there isn’t any retail. “In those cases, we hire within the community with the goal of helping to spur community development — it’s a way of giving back,” he said.
Littrell comes from Coos Bay, Ore., the home of Steve Prefontaine, a track legend who inspired a generation of runners. “Growing up, I wanted to run like Steve and work for Nike,” Littrell said. He didn’t reach Steve Prefontaine’s level. As for his ambition to work for Nike, though: He’s just doing it.
Jason Plummer, age 31
R.P. Lumber Co.
Jason Plummer enjoys the variety of his family’s businesses, which include 51 lumber company/home center locations in the Midwest, 16 shopping centers — some with an R.P. Lumber location — as well as truss plants, office buildings and hotels.
“What I like the most is that I wear a lot of different hats,” he said. “On any given day I could work on R.P. Lumber projects, as well as retail, office, residential, hotel, self storage or a variety of other kinds of projects.”
As VP with real estate responsibilities, Plummer watches for quality assets to purchase. The company also develops shopping centers, and Plummer is always on the lookout for leasing opportunities.
“It’s a family business, and everyone is involved,” he said. “My mom and dad were both high school teachers, and my dad started the company in January 1977. My two sisters, Julie and Jennifer, are active in the company as well.”
Brian L. Harper, age 38
Executive VP Leasing
New York City
Brian L. Harper is having the time of his life as executive VP leasing with New York City-based Rouse Properties. “I have a passion for the entrepreneurial possibilities in the industry,” he said.
For two years, Harper has been building Rouse, a collection of 30 shopping centers spun off by General Growth Properties in January 2012. As senior VP leasing with GGP, Harper moved to Rouse when the company formed.
“Since then, we’ve implemented leasing and capital investment initiatives that are improving occupancies and tenant mixes,” Harper said.
Harper’s team has amassed 4.4 million sq. ft. of leases, including 1.9 million sq. ft. of new space. The portfolio was 94.5% occupied at the end of 2013, up 190 basis points from 2012. Space that is signed but not yet open will eventually bump annual NOI by $13 million. That’s passion at work.
More passion: In his spare time, Harper co-founded the Breaking Ground Foundation, a non-profit that builds sustainable community centers in developing nations. The first will be in Bulawayo, Zimbabwe.
Maria Toliopoulos, age 39
Senior VP, Director of Leasing
Retail Properties of America, Inc.
Oak Brook, Ill.
Maria Toliopoulos learned teamwork, organization and accountability from her hardworking immigrant parents. As a licensed attorney, she believes in understanding each aspect of a job and putting in the time to do it right.
Today, Toliopoulos oversees retail-leasing efforts for RPAI’s entire portfolio of 237 properties, totaling 38 million sq. ft. across 34 states.
“Leasing can’t do it alone,” she said. “It is important to collaborate and promote transparency amongst departments.”
Her accomplishments include helping decentralize RPAI’s leasing group by putting boots on the ground in local markets to collect intelligence and canvas local retailers.
She also emphasizes portfolio reviews with retailers to maintain a proactive dialog and find opportunities.
“In 2013, good relationships with tenants led to 38 early renewals split between PetSmart and another junior anchor,” she said.
Overall in 2013, Toliopoulos’ group inked approximately 5 million sq. ft. in new and renewed leases, the highest annual volume they ever reported.
That’s what putting in the time can do.
Joseph W. Dougherty Jr., age 31
Metro Commercial Real Estate Inc.
Joseph Dougherty is too modest to talk about himself. Here’s how he has described learning the brokerage business: “For two years, I didn’t know what was good or bad. Then 2008 and 2009 were recession, doom and gloom, but I got deals signed.”
Not everyone sees it that way. Consider his 10 Under 40 nomination: “Joseph’s ability to climb the ranks to the top of a leading commercial real estate brokerage firm during one of the most devastating recessions in United States history is an incredible example of a determined individual succeeding in a highly competitive business.”
Consistently a top producer at Metro Commercial, Dougherty was the top agent in all three offices in 2013, making 56 lease and sale deals covering 681,462 sq. ft. with a total aggregate value of $70.6 million.
Since 2006, he’s completed 380 lease/sale transactions for 4.8 million sq. ft. with a gross aggregate value of $631 million. Maybe he’s too busy to talk about himself.
Tracy Chiao, age 34
VP Real Estate
Philz Coffee Inc.
Tracy Chiao is excited about becoming a barista. As VP real estate with Philz Coffee, Chiao must work behind a Philz coffee bar once a month — per company policy for all executives. “I love that,” she said.
Chiao joined San Francisco-based Philz, a popular handcrafted coffee purveyor, a month ago. She came from Cornish & Carey Commercial Newmark Knight Frank, where she brokered the CVS entry into San Francisco.
Her assignment: provide the real estate expertise required to help a local family business become a large growing company.
Founded in 2003, Philz operates 14 locations across the San Francisco region. A recent capital infusion by the Menlo Park office of Summit Partners is fueling a Philz rollout. “We’ll be opening stores this year and next, mostly in California,” Chiao said.
Chiao is planning company stores — not franchises. “Company stores will help us to control the brand,” Chiao said. “We’re baristas, and company stores will help us keep it that way.”
Mike Conway, age 38
Phillips Edison & Co.
Mike Conway works awfully fast. He came to real estate in 2004, relatively late — he was 28. He wasted no time, though. As a beginner, he completed back-to-back years with 20-plus new deals.
In the midst of the recession, he became Phillips Edison’s top leasing producer. When he became regional director of leasing in 2010, his region led the company with 110 new deals and 350,000-plus sq. ft. of new leases.
“I found that I have a passion for the calculated risk-taking and entrepreneurial nature of real estate,” said Conway.
Today, as VP leasing, he oversees a national footprint of over 260 shopping centers with a team of 30 people. In 2013, Conway’s group signed 376 new deals and more than 1,600,000 sq. ft.
Wow, that was fast.
While Conway works quickly, he covers all the bases, including charity. Twice a year, through a Boys and Girls Clubs of America program, he and his family adopt and buy gifts for a needy family.
Lindsey Taylor, age 33
Kroger Marketing Area (KMA)
Real Estate Manager
Columbus Division of The Kroger Co.
Lindsey Taylor’s retail real estate future was sealed in elementary school. “The first female judge in our county visited my school when I was in first grade,” she said. “I decided to go to law school that day. In law school, I fell in love with negotiating deals.”
For a well-prepared negotiator, nothing’s better than negotiating retail real estate deals. Taylor joined Kroger’s real estate group in 2007. In 2012, she became department head — KMA real estate manager for Kroger’s 123-store Columbus Division.
Today, she works with her six-person team to develop and execute capital plans — identifying stores to relocate, expand and remodel, finding new store sites and negotiating to get the work done.
Taylor attributes her success to painstaking preparation that gives her confidence. “When you negotiate with people 20 years your senior, you have to know what you’re talking about,” she said.
Taylor does. She’s been preparing to negotiate these deals since first grade.
Lands’ End appoints marketing chief
Nearly two months after Sears set it free, Lands’ End has named Steven Rado as SVP, chief marketing officer.
Rado will guide a team of 50 professionals across marketing operations including consumer insights, forecasting and analytics, catalog, digital marketing, customer acquisition, e-commerce, public relations and advertising.
"I am confident that Steven’s proven success in the marketing vertical will be a great asset to us," said Edgar Huber, CEO and president of Lands’ End. "We look forward to adding a new member to the Lands’ End leadership team who will bring a wealth of knowledge in marketing Lands’ End to current and future consumers."
Rado comes to Lands’ End as an experienced marketer with a strong background in retail and banking. Most recently, he was SVP of marketing and customer strategy for Office Depot, and prior to that he was VP of marketing for Victoria’s Secret Direct. He has an MBA from The Ohio State University and received his J.D. degree from Case Western Reserve University School of Law.
"Steven’s strong experience will be invaluable as we continue to focus on new customer acquisition, driving our digital transformation, increasing our brand presence and advancing our data analytics capabilities," said Huber.