Guarding, the fight against online fraud, and training are among the topics covered in a morning’s visit to Shop Direct Group. But first, an advert from editor Mark Rowe for the online retailer’s black sofas.
The sofa was comfortable throughout the near three hours I talked with Group Security Director Mike Marshall and group security training and development manager Gary Summersgill. It had a price tag for £679 – a neat idea, to put tags on Shop Direct’s own furnishings in the reception area of their head office building Skyways, a wonderfully refurbished, airy former aircraft hangar from Speke Airport days, now Liverpool John Lennon Airport. To explain briefly, group security provides services to various of the companies owned by the Barclay brothers. Shop Direct – among its brand names are Littlewoods, and, recently acquired, Woolworths, though that did not crop up in our talk – is a home shopping retailer, selling over the internet or by telephone through call centres. It still has some high street stores – Littlewoods Clearance runs 25 outlets across the UK. So it has the same asset protection tasks as any other retailer, with a particular need to secure the online customer, whose order is processed and ‘picked’ at a warehouse, then distributed to the doorstep. "The security of customer data is our number one issue," Mike Marshall said early on. And that goes for data even when it goes to a third party: "It’s our responsibility no matter where it is in the UK, or the world. Our customer data is important to us." He brings up the horror stories of people’s print-outs containing another company’s customer data he once found left outside a building – it could be anyone’s, public or private sector. He thinks a lot of security of such paperwork – statements and the like – is a matter of ‘back to basics’. At a site, one of the first things he will do is go through the bin. Literally?! "Yes. It’s simple things like that, that companies tend to fall down on; somebody will be throwing something in the bin, and the next thing is, it doesn’t go in the confidential waste, it goes in the wrong bin. And the next thing is, God forbid, we get a customer suffering from identity theft. Identity fraud is huge across all companies, not just ours. It’s a real burning issue and we are having massive success. We have arrested well over 100 people in the last year and some of those have been external fraudsters. It isn’t people in our company that are compromising data, it’s criminal gangs, basically; that are targeting large organisations." When Mike speaks of arrests, he means strictly speaking that police make the arrest after taking a sledgehammer to the suspect’s door if necessary. "We work with the City of London Police a lot. We have a cracking relationship. We get all the evidence, with work with them [police] and go out on the job with them, end up locking these people up."
Priorities
Later, however, Mike admits to frustration and disappointment with many police forces for not taking on reported fraud cases, ‘that aren’t just basic theft; but substantial’. He echoes many when he says that, to police and Government, business crime is still not a priority, compared with, say, street robbery. Mike says he can understand where the Government is coming from. But, as he adds, business crime is a threat to jobs. We need to get to grips with business crime: "It’s huge, far, far bigger, I am convinced than domestic crime. The difficulty is that most businesses don’t report it." It’s not practical for a retailer, no more than any other business, to have its security staff off site reporting a crime at a police station. To return to police reluctance to take fraud cases. While files may be many inches thick, Mike speaks of even CID officers saying they are too busy. Or if police do take a case, they may no more than log it and do not get back to you; even, Mike says, for six-figure, highly detectable crimes, ‘and it’s so frustrating. I am sure everybody has the same frustration. We need to get the police on board, to take seriously business crime.’
Shifting challenge
Mike adds that it turns out that offenders are doing the same to other e-tailers. "It’s a shifting challenge all the time; we have to try to keep one step ahead of the fraudsters.” Or, as he adds, the other way round is: the fraudsters trying to get ahead of you. He likens it to blocking the holes in a watering can: "You have really got to be on your toes." As he points out, this is due to the explosion in e-commerce. It’s worth taking a step back to recall the attractions of online retailing. Over the road from Skyways is the New Mersey Retail Park. It has all the high street names in edge of town-style sheds: MFI, Comet, JD Sports, Boots, Pizza Hut, McDonalds, Gap, Mamas & Papas. What was striking about the park at 8.40am on a weekday; it was about deserted. Yet an online retailer, without the expense of park rent and so on, is always open for business. That said, a retailer can have the most secure e-commerce, and yet can find itself in difficulty if another e-tailer is compromised. As Mike says, a customer shopping with say 20 e-tailers is not going to use 20 IDs and 20 passwords: "Human nature says you will use the same email address; and most of the time the same password." So if a list of compromised addresses from one of those 20 retailers is sold on the black market, the criminal buyer can try to get into Shop Direct, or any of the other 19.
Theft of retail goods may include a human touch, at the final stage of delivery. Any e-tailer has to decide how trusting it is of its customers. If someone pays for an item but asks for it to be posted to an address other than the credit card holder’s, that could be a legitimate gift for your son at college, say. Or: it could be a law-abiding person, but the fraudster waits outside the property – which isn’t his – until the delivery arrives, then pretends to be leaving the house, and, having given the van driver the impression that it’s his home, the fraudster signs for the goods.
Even before the official Fraud Review and developments – the City of London Police as a national lead force against fraud, for instance – businesses had grumbles about how slowly or if at all police took fraud cases. Mike speaks of how, thanks to police backgrounds among his staff, there is trust and co-operation from the police, and more practically, the retailer’s investigators know how to write a statement as required by police. The retailer can do surveillance beforehand, so that the police can get a warrant. Backing for the group security work comes from the top of the company: "Our owners believe we should be prosecuting people, no matter who it is, internal or external." The message that Mike hopes is getting through to the criminals: try and defraud Shop Direct and there’s a good possibility the police will come knocking on your door.
Other problems for e-tailers that Mike mentions, beyond the power of any retailer, are the lack of security on people’s home PCs; and the complacency of people about their personal details, ‘the crown jewels when it comes to e-tailing’. On websites such as Myspace, people place their date of birth, yet that’s a key verification detail an on-line trader requires when an order is placed. "And people are actually posting it on the internet for everyone to see; coupled with the fact that people aren’t really switched on to virus protection on their home PCs; and the next thing you know is, everything they type is effectively copied, including their passwords, compromised, and lists are compiled and sold on of hundreds and thousands of people. And it’s lucrative for the criminals." People are becoming better at shredding their personal papers at home, and careful about what they throw away. But fall behind with your PC’s virus protection and within seconds you could be compromised: "And you wouldn’t know about it until your bank account is empty; or you get an invoice for something you have never bought. And you only know six or nine weeks after the crimes and the trail is cold."
A way for the retailer to combat such losses is through software, to spot unusual buying patterns. If you only ever buy clothes, for example, the retailer can flag up and ring you if suddenly you – or someone in your name – is buying several TVs. Hence training in security is part of the induction for call centre staff, so they know how to alert supervisers if they see unusual activity on a customer’s account.
Which brings us to confidential reporting. Shop Direct use the InTouch whistle-blowing service, mainly for its own staff to report concerns, suspicions of wrong-doing, whether crime or health and safety. "Confidential reporting only works if it’s well publicised," Mike says. "We are just about to launch another campaign to remind everybody. You can remain completely anonymous." If staff (or suppliers) are comfortable with raising the matter with their line manager, they should do; if not, there is the helpline. Posters are everywhere giving the message to staff: Caught Red-Handed, showing a red hand. Mike does add that a retail (or any other) user of such a line has to be wary, that staff don’t make allegations against their line manager: "You can’t take verbatim the information you get every time." That said, Mike adds that he was quite surprised by how many people rang the confidential line – and left their details. "That’s good because it immediately allows us to go back to the individual and gives us a far better chance to validate." As Mike says, when some people report a suspicion, they do not give enough information that the specialist investigator would like. "But the thing I like about InTouch; if you reported it [a concern] confidentially, you get a case number given." So: that user of the service can ask InTouch to ask the caller for specifics. The security department will not hear the voice recording nor know who the caller is; InTouch is the middle party allowing a conversation between confidential caller and his or her employer. Eventually, within reason, the user can go back to InTouch and pass on to the caller what the result is, and whether for instance procedures have changed as a result of the whistle-blower. As Mike Marshall adds, there has to be a culture so that if something is wrong, people feel safe to report it: "We are encouraging suppliers to report confidentially issues to us that they may have with our employees." Speaking so fully about such reporting, Mike comes across as, and says he is, enthusiastic about confidential reporting, and indeed feels it hasn’t been used to the full. As he says, the gain from one crime or welfare report dealt with can pay for the annual cost of the line.
Turning to training
Gary Summersgill goes through the training and audits given lately to security staff and general employees of Shop Direct Group companies, and the other companies owned by the Barclays and served by Group Security. It’s taken ex-Army man Gary around Britain; and Northern Ireland, for instance, to give search training courses for HDN NI, the Carrickfergus-based Home Delivery Network parcel delivery firm.
Whether to do some specialism yourself or to bring specialists in is a question for Shop Direct as any business. Take guarding for instance; or counter-surveillance. Mike feels it’s cost-effective to train even a few of your own staff to do building sweeps. His security department does have equipment from counter-eavesdropping device product company Audiotel, and Gary praises the relationship with that manufacturer. There is the cost of bringing in a contractor to do a sweep of a boardroom or executive suite; and the question of wanting it done promptly. A contractor may have to delay, whereas sometimes it has to be done overnight. So Shop Direct do their own, regular sweeps; no hostile devices located to date. Mike and Gary go into some of the hypotheticals. Devices have become so small that they can be hard to spot; and so cheap you can buy them from your shopping centre. Thanks to mobile phone technology and lithium batteries to give long life, you – or a cleaner or a building contractor? – can insert a listening device and, in theory, you can listen in on the UK meeting while sat in Barbados. And we really enter corporate counter-espionage if a device is found. Do you extract it? Or leave it and feed it misinformation? Or wait to see who tries to extract it?!
Shop Direct group security plans to bring in Neal portable tape management equipment so, with retail union agreement, investigators do interviews consistently, nationally, and complying with the Police and Criminal Evidence Act (PACE). As for the cost of the specialist tape recorders, it’s repaid in court convictions and the recovery of goods. Mike adds: "There’s a deterrent factor as well." Group security managers go for refresher training in PACE with barrister and corporate law lecturer Jim Duke. With Merseyside Police, Shop Direct have put together a BTEC level two for corporate investigators, a four-day, residential course delivered by serving police officers. It covers evidence gathering, interviewing; ‘and the key word’, Gary Summersgill says, ‘is reliability of the evidence and the way it is presented’. Planned is a more advanced BTEC level three, which Merseyside Police could market commercially.
As for guarding, Shop Direct is going from a mix of in-house and contract staff to all-contract. Group security stresses that security officers are not losing jobs, nor are they having to go to different sites; the aim, rather, is to put every guard under the same cap badge, and all that implies. Mike is adamant that this change is for cultural not financial reasons – the culture being, to quote the group security slogan, ‘help us to protect all our futures’. In other words, officers working side by side, no ‘them and us’ arising from different pay and conditions. While Mike does not go into detail, it is plain that 1) the decision was an important one and 2) the decision was made not merely for strictly security reasons – looking after assets in the best way – but, to repeat, to move towards the right culture, where all are colleagues, without self-imposed barriers. Not only of the ‘it’s not my job to do that’ variety but well-meaning ones; for example, security officers at a gate not wanting to stop drivers to ask to see company identity badges, for fear of a traffic queue building up. The counter-argument is, even senior managers will be glad to be stopped and (politely, by someone properly turned-out, whatever the weather) asked for their ID.
Shop Direct Group Security, not the guarding contractor, will give security guards the basic job training and what the specific business requires and expects. For example group security plans to give warehousing and returns security awareness courses. HDNL (Home Delivery Network Ltd) is not part of Shop Direct Group but a separate company, so group security is contracted to give training; in driver safety for example. The audiences are senior managers at each depots, with the aim that HDNL’s trainers return to their depots and give the same training to their (non-security) staff. The training will include conflict management; Hicom’s incident escalation reporting software; and health and safety. As group security says, the Hicom software is for depots to report crime or safety incidents. Reporting incidents on a robust database – that is simple to input data into, that you can’t damage by innocent error – comes back to company culture; rather than things being passed on by word of mouth (or not), people take responsibility, report things properly, the same across the company. As Mike and Gary say, and it’s the same for any security team, no matter how hard you work, and no matter how good your job, anything that goes wrong is noticed. Things do go wrong, you cannot micro-manage; hence the need to learn, so that the same thing does not go wrong again. To return to that Hicom software; to learn from a failure, you do need to be told of the thing going wrong in the first place!? As Mike says: "Security is everybody’s responsibility; and this is what we have been trying to drive home, in the couple of years Gary has been doing this training. I have only got 11 investigators through the whole of the UK; we have a cast of tens of thousands of staff. Every person in the company is a security manager; we need to have tens of thousands of eyes and ears. We supply specialist [security] services as and when required." Mike gave the example of an office worker seeing someone who he does not recognise; that colleague – because group security is probably not physically going to be there – has to politely challenge that unknown person, and ask who the person is wanting to see.
Or: the e-tailing equivalent may be in a call centre; it’s against the rules for instance for a member of staff to take a call on their mobile phone. So if somebody does, another colleague should assertively – but knowing where they stand legally – point it out. Because – and it comes back to culture, to that slogan ‘help us protect all our futures’ – if that call centre worker is passing on confidential customer data to an outsider, it’s in everyone’s interest to do the right thing and report it. Equally over the phone, call centre staff may face intelligent, well-spoken and well-researched callers, who are looking for snippets to make possible identity thefts. For the e-tailer, the call centre is central; a parcel doesn’t move without its say-so. So call centre operators, never seeing a caller’s face, have to look out for fluctuations in a customer’s account; and, when they do, report it through the correct channels so that, if required, a loss prevention investigator in the region will look into it.
Those security staff have to know their criminal law; and keep it fresh. Hence accreditation from Edexcel for a BTEC level two course in criminal law, offered on a night school basis. The 16 who signed up in April 2008 passed their exams in January 2009. Ron Peel, national security manager North was the lecturer. For those not able to attend the training room in Oldham, there was video conferencing. Another level two course is running this year; and Gary is writing a BTEC level three course in the subject. "As far as I am concerned, training is key to a security department," Mike says of Gary’s work. And while he speaks of it being cost-effective and Gary speaks of it being rewarding to deliver, it’s striking that the benefits are definite, measurable. Take this criminal law. As Gary says: "The key to an investigation is the initial few telephone conversations; or the initial capture of evidence. For an investigation, it’s like a hospital’s golden hour. There’s a golden hour in security investigations, when you need to capture as much as you can, and professionally, in the right manner, so it’s acceptable at a later date. And people are doing the things in the golden hour that previously only an experienced investigator would have done."
For those Littlewoods Clearance stores around the country, that sell returned and end of line goods, group security gives to floor managers or their deputies what you could call traditional high street retail security training; in conflict management for instance, as those managers will be the first called to the scene of shop theft, and (depending on the crime rate in the area of the store), an outlet may not have security officers. Though Shop Direct has embraced online retailing, physical assets – buildings and staff remain. Each retailer has to decide how it responds to e-commerce. Shop Direct has decided: it’s no longer the Littlewoods department store chain. As with any retailer, the balance has to be between welcoming staff to work and being friendly to genuine customers; and securing assets against theft. Take the approach to Skyways, next door to the Liverpool Airport Crowne Plaza Hotel. You can walk off Speke Road and through the car parking spaces – the footpath salted on a frosty March morning – to the building entrance. Above us, as John Lennon once sang, only sky (though the building is covered by CCTV and passive infra-red detectors).
In February 2008 Shop Direct unveiled its national security operations centre at Shaw in Lancashire. The group is doing more remote monitoring of sites. The real-time quality of the video has led to capture of dozens of intruders. Mike says: "The thing we find; when we phone the police, we can say to them, ‘we are looking at somebody breaking into our premises; now he is wearing a yellow bomber jacket; his car is ABCD waiting outside’; and that generates almost on every occasion an immediate police response. They [police] are starting to get to know us, they know it’s a call worth going to." Again, like training, while the control room comes at a cost, there can be a greater saving on guarding. What is striking is again the pains that group security goes to, to do the right thing on training. Officers are still going through the BTEC level two public space surveillance course towards the Security Industry Authority licence in public space monitoring, that is, besides the contract security officer SIA licence; even though you could at least dispute that Shop Direct Group’s control room is not monitoring public space. All right, maybe some of its cameras can look beyond the perimeter, but surely the retailer is only wanting to watch for what intrudes? That said, the SIA, Mike reflects, are not giving a definite ruling on who needs and does not need a CCTV licence. He also make the point that using remote CCTV monitoring does mean you rely on a key-holding service. Or rather, the key-holding company’s response. Mike says: "There’s nobody I think in the industry that hand on heart can give you a key-holding service that provides a guaranteed response within an hour at every single site in the UK. We have had occasions where it’s taken two or three or four hours, because they [the key-holders] are dealing with an incident." For those thinking of giving up on a police response to intruder alarms altogether, and having only a private security response; Mike calls that a dangerous step to take.
