Securing Intimate Data

La Senza partners with IBM to prevent slips





 

From February 2009

By Liz Parks

There is no single front in the battle against retail crime, and recent surveys pinpoint the significant degree to which merchants are vulnerable to loss.

More than eight in 10 retailers responding to the 2008 NRF Organized Retail Crime Survey indicated they had been victims of organized retail crime in the previous 12 months. According to the FBI, those attacks represent as much as $30 billion in annual losses.

Organized criminal groups also are attacking retailers online and are largely responsible for the 245 million electronic personal records that have been stolen since January 2005, according to Attrition.org, an online research service that reports on data loss incidents.

So when loss prevention (LP) executives look for ways to become pro-active against criminals, they need "a thousand eyes" to scout out threats and vulnerabilities from any and all sides. It makes sense, then, that some merchants are working with IBM on solutions for the store and corporate levels.

To make it easier for LP executives to take a holistic approach to loss prevention, IBM has developed the Security Solutions for Retail business framework. Retailers work with IBM security consultants to examine all of their IT processes and then they choose those solutions and/or services that address their specific vulnerabilities in an integrated manner, rather than applying one Band-Aid at a time.

In one recent incident, criminals breached the customer data security systems of Express Scripts, the nation's third-largest pharmacy benefits manager. The hackers threatened to make private customer data public if their ransom demands were not met. Express Scripts responded by reporting the breach and the extortion threat to the authorities and the press and offering a $1 million reward to anyone who could help break the case. Express Scripts also hired a security consultant company to help any customer whose personal data becomes compromised.

It was the desire to avoid being victimized in a similar manner that motivated Montreal-based La Senza, a chain of 600 intimate apparel stores operating under a variety of banners, to take pro-active action.

Now owned by Limited Brands, La Senza has been working with IBM's security specialists and with elements of the Security Solutions framework, focusing on the compliance, auditing and verification processes that protect and secure data as it moves through its servers and network systems.

"Retail is about a high volume of people, products and transactions going through stores and systems," says Daniel Marcotte, La Senza's director of systems and data security. "We have to control access to the data such a business model generates and prevent its theft. Our customers' confidence is critical to us."

La Senza has been working regularly with IBM for more than seven years, but as the framework for Security Solutions developed over the past two years, the partnership has become particularly close.

Marcotte says he collaborates with his IBM consulting representative "every time I have a question. Whether I am acquiring new hardware or new software, my IBM rep lets me know what the impact will be of any sort."

Framework categories
Conceived as a holistic approach to retail loss prevention, the IBM Security Solutions for Retail program is a framework of products and services divided into four categories:

• Compliance Management, which includes, but is not limited to, PCI Data Security Standard compliance.

• Secure Network, which focuses on bringing together IBM's comprehensive security offerings from IBM's Internet Security Systems (ISS), Rational and Tivoli business units to help protect databases and applications from network-based threats.

• Secure Assets, which focuses on IBM's next-generation Smart Surveillance and item-level RFID systems designed to help protect physical assets from internal and external threats. The IBM Security Solutions for Retail framework also provides solutions to help track, manage and monitor the movement of inventory and the maintenance of fixed assets.

• Secure Transactions, which provides comprehensive security technologies to protect online and in-store transactions. IBM also can deliver service-oriented architecture (SOA)-based electronic transaction solutions for the entire retail supply chain.

La Senza is in the process of upgrading from Level 2 PCI compliance (fewer than six million transactions annually) to Level 1 compliance, and will not invest in any technology — no matter how many efficiencies it promises — if it could potentially compromise the security of its systems.

There are "always a lot of people asking for technical solutions — maybe it is for stores to have access to the Internet so they can post jobs on the Internet and receive resumes directly to the store — but sometimes what they are asking for cannot, at that time, be made secure from data breaches," Marcotte says. So in instances where "I may not see or may not be sure a potential problem exists, it is wonderful to have IBM give a second opinion."


© STORES Magazine