LPRC - CrimeScience – The Weekly Review – Episode 77 with Dr. Read Hayes, Tom Meehan & Tony D’Onofrio
Episode Date: October 28, 2021
LPRC Goes To Europe! October is Cyber Security Awareness Month! In this week's episode, our co-hosts discuss these topics and more, including the Top 5 Trusted Groups of People, Supply Chain Bottlenecking Continues, Scarcity Could Affect the Holiday Seasons, and Countries are Joining Forces to attack Ransomware Criminals. Listen in to stay updated on hot topics in the industry and more! The post CrimeScience – The Weekly Review – Episode 77 with Dr. Read Hayes, Tom Meehan & Tony D'Onofrio appeared first on Loss Prevention Research Council.
Transcript
Hi, everyone, and welcome to Crime Science.
In this podcast, we explore the science of crime and the practical application of this
science for loss prevention and asset protection practitioners, as well as other professionals.
We would like to thank Bosch for making this episode possible.
Take advantage of the advanced video capabilities offered by Bosch to help reduce your shrink
risk.
Integrate video recordings with point-of-sale data for visual verification of transactions and exception reporting. Use video analytics for immediate notification of important
AP related events and leverage analytics metadata for fast forensic searches for evidence and to
improve merchandising and operations. Learn more about extending your video system beyond simple
surveillance in zones one through four of LPRC's zones of influence by visiting Bosch
online at boschsecurity.com. Welcome everybody to another episode of Crime Science, the podcast.
This is the latest in our weekly update series from the LPRC. And I want to welcome our co-host
and speakers, Tony D'Onofrio, Tom Meehan, and our producer, Diego Rodriguez, and of course, all of you all listening
out there across the globe. We want to welcome you and do some quick updates. So with no further
ado, let me head over to Tony D'Onofrio. Tony, if you can kind of light us up, let us know what's
going on around the world. I appreciate it. Thank you, Read. It's good to be here in Europe,
launching Loss Prevention Research Council Europe.
Tomorrow, we got about 10 retailers joining us here at the Hilton Curio, right next to the
Parliament Building. It's five minutes from the Parliament Building in central London,
and it's good to get off a new part of the world. And I know from speaking to multiple of the
retailers that are joining us
here tomorrow, they are excited on this journey of science-led loss prevention. Let me jump in
on some other data that to me was very interesting this week. And let me start with actually the
pain of the pandemic and what the pandemic has done to the world. And these are the last months of the coronavirus pandemic
as reported or summarized by statistics.
So these are the top five areas in the world
with the largest cumulative lockdowns in days.
And surprisingly, Australia's number one,
or not surprisingly, Melbourne, Australia,
was locked down for 262 days. Greater Buenos Aires in
Argentina was locked down for 245 days. The entire country of Ireland was locked down for 227 days.
And then it's interesting, all the regions in England, and I'm only going to mention a couple
because I tend to focus on the top five. They actually have very long lockdowns.
Northern Ireland, 223 days.
And England, 213 days, which is where we're at.
So the lockdowns have been painful in terms of shutdown in economies and everything else.
And for fun this week, I found, again, from Statista, some interesting data in terms of who do we trust in the world.
So what are the top five trusted groups of people for 2021?
So doctors are number one, followed by scientists, teachers, ordinary people, and the armed forces.
Those are the five that we trust the most.
Now, here's the five that we trust the least. Number one is interesting with journalists. Number two is bankers, ad execs,
government ministers, and politicians in general are the most distrusted. And for the five that I
just mentioned, that was in the rank order with politicians being the highest not trusted.
And then finally, let me give a whole bunch of data in terms of what's happening with the holiday season and where we're going with the holiday season.
This is from Deloitte and has published in Retail Dive in terms of what they expect, Deloitte expects. So as supply chain bottlenecks continue to haunt retailers,
three-fourths of consumers are worried about products running out of stock,
prompting them to make their purchases earlier this year.
According to Deloitte, 6 in 10 retailer executives
are also worried about receiving holiday orders on time.
Deloitte predicted that holiday spending will increase 5% from last year to $1,463 per household
on average.
Higher income households will spend on average $2,624.
Lower income households will spend less than last year at $536. According to the report, 40% of shoppers remain
anxious about shopping in stores, which is down from 51% in 2020. And even though we're
more comfortable shopping in stores, consumers expect to spend $924 online, which is an increase from $892.
And actually, I've been spending a lot on this topic, and I just actually published a new blog,
a new article, which I titled, With Santa Claus, All the Grinch Show Up This Holiday Season.
And this is, again, a summary of more forecasts in terms of what's going to happen this holiday season.
Salesforce predicted a 7% growth in digital commerce for November through December,
which is a dramatic slowdown from the 50% year-on-year growth in 2020. This is, again, for digital commerce.
For the USA, digital growth is projected at 10% in 2021,
slowing down from 43% last year.
Note that there are headwinds coming in rising consumer prices,
which are going to be up 20% according to Salesforce.
And those are actually, as a result, in general, there's going to be less orders overall.
They're projecting a negative 2% global holiday orders worldwide and a negative 4% for the
United States.
Another one that I follow closely every year is Bain. They actually
issue a very nice infographic. And again, they're projecting a seven percent increase
in holiday sales for this year, which is the highest, second highest in 20 years. The highest
was actually last year when we were all locked down, but this year will be the second highest in terms of growth.
Interesting, though, that the growth mix is changing.
In 2020, 8.6% of the growth came from online.
Out of the 8.6% growth, 5.3% was from e-commerce and 3.3% was from physical stores. For this year,
we're going back into stores. The 7% growth is made up by 5% coming from physical stores
and 2% coming from e-commerce. Bain is projecting that holiday spending will reach $800 billion this year, with 75% of that volume being fulfilled in stores.
They do see some tailwinds that are pushing sales forward.
They include inflation rates, employment levels,
wage growth, saving and credit availability,
and pent-up demand in some categories.
They also see some headwinds, which may slow down growth, which are product
availability, labor supply, non-retail spending, year-on-year comparable retail sales,
and the COVID waves that might happen. Although, as I said in the article, I'm cheering for all these forecasts. Other people are more conservative.
The IHL Group expects only a 5% to 6% growth, and I quote directly from them,
and it's important to realize that this is historically great in terms of an increase over previous years.
About 3% of the growth that the other forecasts are projecting
will be left on the table due to the mandates,
unemployment, increases and shortages of products,
labor shortages as they ripple to the industry.
So scarcity remains the operative issues.
Computer chips, for example, are not expected to fully recover, according to Forrester, from being in short supply until 2023.
Costco's already started rationing toilet paper, and I was just actually there about a week or so ago, and they were totally out of toilet paper.
So we're back into hoarding toilet paper.
And then U.S. gasoline prices are dramatically going up,
which is a challenge for us.
So as I summarize, it's not the end of the world.
Retail sales will be strong,
but we are going to have some headwinds that we'll have to go through.
Santa Claus is still going to arrive,
but the Grinch is going to plan more surprises for us
as we get through the holiday
season. So I'm looking forward to a good end to this holiday retail year and see what happens
next year. So with that, let me turn it over to Tom. Well, thank you, Tony. And I hope you, Read,
and Chad enjoy Europe. And I'm excited to hear how it goes with the meetings this week.
I'll start off actually with, just, you know, because you're there, kind of a story in Britain. So
Britain has a new cyber command, very similar to the US Cyber Command, and they've formed this to go
against all the cybersecurity issues. And there was a comment made from Britain that they'll use this to help hunt ransomware gangs.
We continuously see ransomware coming up as a challenge.
on this podcast, how the governments are joining forces and taking a more organized approach to attack ransomware. In the United States, we mentioned how the Department of Justice has
treated the investigations the same as terrorism, and we're starting to see several countries
follow a similar suit. Britain's intelligence cybersecurity agency was already there. It has
been there. This is a more aggressive approach to cybersecurity. And what we'll see is allied
countries working together to both defend against nation state sponsored attacks, but then take a
more organized approach against these criminal gangs that are plaguing us with constant challenges. And honestly, this affects everybody, not just
government, but also retail and everybody in between. So it affects everybody here that we're
faced with. So REvil, this was a ransomware gang that we spoke about several months ago, fairly prolific.
They were responsible for the Colonial Pipeline attack.
If you recall, the FBI actually was able to seize 80% of their $4.4 million ransom.
Just as a quick recap, the Colonial Pipeline is the pipeline that does about 60% of gas and oil to the east coast of the United States,
and it was down for several days after the ransomware attack. And the interesting part about this
group is, while it was Russian-tied, it was not tied to the government. It was never, ever
considered to be tied to the government. It was just, in fact, in Russia. And with this gang,
they vanished for a little while. Interestingly enough,
intelligence channels imply that the reason they vanished was because of the pressure that the United States government had applied on the Russian government. And the Russian government
went out and said, hey, stop that. Stop doing what you're doing. And it's
pretty interesting. In Central Europe and Russia, while these are not nation
state sponsored attacks, oftentimes the government turns a blind eye if it doesn't impact their
government systems.
REvil was interesting because they've just absolutely vanished. They disappeared from
the internet, from the dark web for a little while. And then they resurfaced about a month
ago with heavy, heavy infrastructure attacks
and then just recently have died down as well. And throughout the intelligence channel, the
heavy, heavy scrutinization from the US government and allied governments basically attacking them
back or countermeasures forced them to close up shop once again. It's important to note that they
closed up shop once and came back. So it's highly likely that they'll kind of change their modus operandi and they'll
come out. One of the things about REvil is they're a very known group. They advertise,
they do hacking as a service. So a lot of times when these type of events happen in the US
government and allies go after these folks, they don't disappear. They just go quiet for a little while and then wait for an opportunity to seize again. These are, and we've talked about
this, these gangs are largely untouchable because they live in areas that are non-extradition and
sometimes with uncooperative governments. So as long as they stay within those countries,
they're relatively protected.
What we can do is attack their finances and basically counterattack. The other thing that was interesting when we're talking about this report is October is Cybersecurity Awareness Month.
I don't know if this episode will hit in October, but one of the things in cybersecurity awareness months that we're talking about and we're really kind of
prolifically saying is these attacks will happen. So assume that you will be attacked with ransomware.
If you're listening to this podcast, you will be attacked whether or not it actually gets through
or not. We'll see that. Last year, there was about 51% of the people were attacked. This year,
it's down a little bit, but it fluctuates and those numbers are largely inaccurate because
we don't know if everyone is attacked. So one of the things that we're really pushing heavily with
cybersecurity awareness is assume that you'll be attacked, private or public, assume you are, and make sure that you have adequate backups to protect yourself.
That's the easiest way to do that. And if you're in a business environment and not a personal,
not just a consumer, you probably need to invest in a managed threat response
program where you have an understanding of what to do, whether that be cyber insurance,
engaging with one of the companies out there, but you have to have kind of a more formalized
approach. And just speaking of October being Cybersecurity Awareness Month, I think we talk
about it all the time on this podcast. We're usually a little bit ahead of the curve, probably
because we're smaller and we can move quicker. But when we talk about cybersecurity awareness, very much like the listeners who are
members of the Loss Prevention Research Council, education and awareness is the key here. There
isn't some magic software. There isn't a magic process that's going to come into play. What's
going to consistently help us is us identifying trends and talking about them openly. We often talk about
password management, two-factor authentication, not clicking on links. All of those things stay
the same. Then when you're traveling, for Tony, Read, and Chad, you have to be extra special
careful because you're getting onto other people's networks constantly and you are opening yourself
up to vulnerabilities that you would not traditionally be aware of. We always talk
about that coffee shop vulnerability of when you're on that network, it's a public network,
but when you're traveling internationally, there are a lot of different rules. Luckily,
in the UK, there are strict, strict privacy rules. So most of the challenges you'll have will be actually hacking attempts and they won't be traditional kind of open network issues.
So stay safe when you guys are traveling, stay cyber safe.
And I'll wrap it up with just the last kind of tidbit, which is cyber related, but more on the security side is,
and this comes up every now and then, I don't generally get into these vulnerabilities because
there are so many, but Hikvision, which is the largest security camera company in the world,
who's come under great scrutiny over the last really several years because of the fact that it's a Chinese-made camera
and there's potential government ties, has had yet another significant vulnerability
identified, which allows cameras to be taken over remotely.
Red Packet Security has put out some really specific information, but this is not a new
piece, but it is a newer vulnerability.
A security researcher, Watchful IP,
had identified this and put this out.
And basically it's patched.
If you are using Hikvision cameras, patch them.
This bug receives a 9.8 out of 10 from a risk standpoint.
That's how risky this is.
This really will allow hackers to get onto your camera system and potentially into your network.
Right now, they could actually go in and open that camera without a username and password and see what it is.
And it affects a large range of products.
And one of the other things about Hikvision
that makes it challenging
is that they're a fairly large OEM manufacturer.
So the number of cameras out there are unknown.
We certainly know it's in the millions,
could be in the hundreds of millions that are affected.
But just if you're using Hikvision cameras today,
and I know some of the listeners are
because I've talked to them, make sure that you're patched and you're up to date.
Interestingly enough, unrelated but related, the U.S. government is looking to actually put an outright ban.
They've already GSA banned cameras, but I think we'll see in the next upcoming weeks the ban on Hikvision altogether.
It is actually going to be made into law potentially that comes up.
My personal opinion here is I'm somewhat neutral on this.
I think we have a lot of products from China, but they're certainly with this Hikvision, these are real vulnerabilities that need to be
patched. I think we'll continue to follow it and see if there is an outright ban. A lot of VMS
providers, so video management systems already do not support the Hikvision cameras because of some
of the vulnerabilities that are there. So what we always say, Cybersecurity Awareness Month,
this is just a stark reminder: update and patch, update and patch. If you have your iPhone, you have your Android phone, and there's an
update available, update it. If you're using Windows, update it. If you have cameras on your system that
need to be updated, update them. One of the easiest, quickest, simplest ways to keep yourself safe is to
keep your software up to date. That gets rid of all of the low-hanging fruit and known vulnerabilities.
And when hackers or nefarious actors are attacking networks, they start with the low-hanging fruit and the known vulnerabilities.
So if you address those first, you're in a great place.
And with that, I will turn it back over to Read.
All right. Well, thanks so much to you both, Tom and Tony, for all the great content.
We really appreciate it. A lot to think about always, but it's always good to hear the good.
The not so good as we take it all in, process it. So stay safe out there, stay in touch,
and let us know. Keep us posted at operations at lpresearch.org.
Thanks, everybody.
Thanks for listening to the Crime Science Podcast, presented by the Loss Prevention Research Council and sponsored by Bosch Security.
If you enjoyed today's episode, you can find more crime science episodes and valuable
information at lpresearch.org.
The content provided in the Crime Science Podcast is for informational purposes only
and is not a substitute for legal, financial, or other advice.
Views expressed by guests of the Crime Science Podcast are those of the authors
and do not reflect the opinions or positions of the Loss Prevention Research Council.