
A Case Study of Best Buy: Fundamental Basics of Corporate Security

Originally written March 4th, 2016.

By Johnny Ringo

Introduction

The purpose of this writing is to provide a security assessment and analysis for a national retail chain, Best Buy. An interview with a Best Buy security officer was conducted, revealing that Best Buy already employs a number of security measures aimed at reducing or eliminating pilferage, preventing harm to employees and customers, maintaining security of its inventory, and keeping the physical building secure (Officer, 2016). These measures include limited and controlled access with metal detectors, security devices inside packages, employees retrieving actual merchandise from the back, anti-theft devices that can only be removed by retailers after payment has been made, package checkers who examine receipts, and security cameras. A good security plan needs to include vetted and trained staff, policies that are legal and reasonable, and a cost-effective security implementation.

Physical Plant Intrusion

Given that Best Buy deals in expensive electronics that are highly desirable and have street value, Best Buy does have a higher risk for burglary. This is why Best Buy controls their single entrance, windows and rooftop access in the hopes of reducing it. Thankfully, much of the most valuable Best Buy merchandise is heavy and bulky; a single thief would not be able to take much. The security officer declined to comment on vulnerable areas, but the front entrance is glass and the steel barriers are highly visible, as shown in figure 1. Breaching the front would provide access to low-value assets; the probability of a front security breach is moderate, but the criticality is low. The loading dock in the rear of the building, shown in figure 2, provides access to the back inventory room. The inventory room would be at greatest risk, but with a heavier security door that can be reinforced, a door that cannot be picked open or broken easily, the effort required to breach the door would be high. The probability of breaking into a heavy, secure back door is low. If the door is breached, the criticality would be very high. If the door holds, the criticality of that threat is mitigated.

Property Damage, Interior and Exterior

Property damage is of concern to any business, and the cost of repairing or replacing merchandise, or of repairing the structure of a building, could be extremely high. During an interview, a security officer revealed that Best Buy worries about theft. Their approach is to rely on deterrence, focusing on having a large number of employees walking the floor, metal detectors like those shown in figure 3, a front security desk, and security cameras like the one shown in figure 4. This creates a low probability and criticality of theft. As the floor contains smaller valuable items, such as phones, USB drives or other small electronic devices, there could be a significant threat of theft and profit loss if many of those items are stolen. The criticality of the threat of small items being pilfered could be moderate. However, the probability of this threat can be mitigated entirely by the fact that most if not all of these items are packed in a large amount of packaging, which would make them difficult to steal. Not only would it be difficult to cut through the packaging to get to the merchandise, but with all the staff and cameras around, it would be nearly impossible to do this without being caught. The thief could take the entire package and hide it within their clothing, but the shape of the package would likely be noticeable underneath clothing. This is known as “printing”, where an item creates an outline of itself under fabric. This would be a dead giveaway to trained staff that items have been stolen.

Personal Security

Mitigating the probability of any assault within the building is the responsibility of both security and staff managers. Staff managers have a responsibility to lead and inspire their employees to work together well. The officer notes that the staff are “like family”; as such, the safety of customers and staff is a priority. The safety of human lives in this case is the “asset” needing to be guarded, with injury or lives lost being the risk in question. With effective staff leadership, the probability of employee violence should be reduced. The criticality of employee violence could be high if injuries lead to a lawsuit, but the sheer number of employees on the floor would mean that any fight would be broken up quickly. Of greater probability and criticality would be if a customer intended to shoot up the store. The probability and criticality of this event rely entirely upon detection by the metal detector and the vigilance of security to notice odd behavior. The security officer noted that they are not permitted to be armed.

Information/Record Security

Best Buy maintains information on their inventory, employees, and customers, management reports, business analysis, and more. The asset in this case is the human data, referred to as PII (Personally Identifiable Information). PII is information used to identify persons such as employees and customers. The security of this PII is of paramount concern to any company, as companies cannot operate without this information. And yet, criticisms have been raised of Best Buy for their third-party handling of PII.

In “Data Breach at Epsilon Underscores Key Cyber Risk”, author Judy Greenwald writes: “…March 30, 2011. Epsilon has yet to identify how the breach was made, how much damage will result and what parties will be held liable. The company said that two percent of its database had been hacked, including data from dozens of major companies such as Citigroup Inc., Best Buy Co Inc. and Target Corp…” (Greenwald, 2011). These kinds of cyber-attacks are very likely and very devastating without any cybersecurity at all. Having proper security lowers this risk, but does not eliminate it. However, reducing the probability of data compromise occurring does not in any way lessen the effects; the criticality of hacking is always high. The breach in security made customers uneasy shopping at Best Buy, leading to less quarterly growth and affecting Best Buy’s profit margins. Keeping loyal customers can increase bottom line profits anywhere from 25 to 50%. Protecting customer and employee PII can lead to greater profits, thus the success of a company is based upon a customer’s trust in that company.

Emergency Planning and Response

Emergency planning and response refers to a company’s recognition that threats beyond control could happen that compromise the building’s integrity or endanger the lives of customers or employees, such as flooding, fires, earthquakes or power outages, bomb threats, medical emergencies, and terrorist acts. These all require an emergency evacuation plan, because the goal is to save lives. In “Enhancing Evacuation Plans with a Situation Awareness System Based on End-User Knowledge Provision”, authors Morales, Alcarria, Martin and Robles write: “…Recent disasters have shown that having clearly defined preventive procedures and decisions is a critical component that minimizes evacuation hazards and ensures a rapid and successful evolution of evacuation plans.” (Morales, Alcarria, Martin, & Robles, 2014).

A successful evacuation plan relies upon a cool-headed leader, a trusted and well-trained security staff, regular training drills, and dedication to evacuate a building quickly and safely, to minimize harm to staff and customers. The probability of natural disasters or crime related events varies based upon geography. But without an emergency plan, the criticality is much higher. If people panic, there is a greater chance that lives will be lost. The officer notes that in Best Buy’s emergency plan training, security are told not to secure the building or merchandise at all; their only priority is to save lives.

OSHA Standards and Violations

OSHA standards have to do with the safety of the workplace for the employees, the administering of breaks, lunch breaks and overtime. Within Best Buy, the handling of heavy merchandise is the most critical concern; the asset is the safety of the employees and the issue of concern is the probability of workplace accidents. OSHA also requires reasonable hours with breaks, and to that end the security officer stated that an “employee hub” exists for employees to take breaks. OSHA allows employers to access employee medical records, if it satisfies an OSHA requirement. OSHA standards are intended to prevent accidents from occurring; with proper equipment, the probability of an OSHA violation can be reduced, but the criticality is still high. If an OSHA violation happens, it can result in fines or shutdown of the store until it is fixed.

Hiring Practices

Best Buy’s priority is to hire skilled, trustworthy employees. The asset needing to be protected in this case is inventory, and customer relations. Best Buy employees are expected to handle valuable merchandise, money, and have access to customer and employee PII, and in this case the threat is of a lousy employee that may misuse customer information, steal it, or steal merchandise. The probability of employees stealing merchandise, money, or information is high, and the criticality is also high. This is why detailed background checks and stringent practices are needed. According to Business Insider: “…information that will be included in your report include: credit reports, social security number trace, criminal records checks, public court records checks, driving records checks, educational records checks, verification of employment positions held, personal and professional references checks, and licensing and certification checks…” (Detweiler, 2011).

Training Practices

There is always a possibility that a poorly trained employee may make a mistake that could be detrimental to themselves, another employee, a customer, or inventory. This risk could lead to an employee being fired, or worse, a lawsuit against the company. Having skilled, knowledgeable, and trained employees mitigates issues in the workplace; they are the asset. According to the security officer, monthly training meetings take place where employees receive general training, and training relevant to their responsibilities online. The officer called this “e-learning”, which is monitored by staff managers. Without proper training, the probability of an injury or OSHA violation can be high, with a resulting high criticality because the store is likely to be closed. Proper training reduces the probability, but the criticality of legal action is always high.

Legal Issues Unique to the Site

In any lawsuit, Best Buy wants to protect its business locations from being shut down, or protect its monetary revenue from the threat of the suit. In December 2005, a class action lawsuit was filed against Best Buy, a case called Holloway v. Best Buy, where plaintiff(s): “…alleged that Best Buy discriminates against women, African-American, and Latino employees of Best Buy retail stores in the United States by denying them promotions and more lucrative sales positions. Best Buy has denied any wrongdoing throughout the litigation.” On June 17, 2011 the case was settled, and the District Court of Northern California approved the settlement on November 9th (Holloway v. Best Buy, 2005). This is just one example of a lawsuit that Best Buy has endured, formerly or currently. The probability of a lawsuit relies upon Best Buy’s knowledge, training and adherence to the law, but the criticality of a lawsuit depends upon the strength of Best Buy’s legal team. If Best Buy can defend themselves successfully in court, or get the plaintiff to drop their charges, the criticality of a lawsuit is low. In the case of a successful suit or monetary settlement, the criticality can be very high, in some cases leading to a location being shut down.

Recommended Policies and Procedures

To prevent the breach of the inventory room, it is recommended that Best Buy fences in its loading dock area, and locks the fence. To prevent property damage, current security measures should continue to be implemented to their fullest extent, and subject to routine security review. To prevent personal property loss or damage, employees should be provided a locker room wherein they can secure their personal property. Personal differences need to be immediately mediated to ensure that employees cooperate. Trained security staff need to be on the lookout for suspicious customers, and be aware of indicators of violence. Metal detectors at the entrances should go off if anyone brings a gun into the store, security cameras hopefully catching the suspect’s face. To prevent property damage, it is recommended as part of an effective supply chain management system to keep detailed records of the inventory that goes in and the merchandise sold. If there is a discrepancy, a computer system ought to be able to alert management.

Inventory ought to be kept in a back room with locked doors when the business closes. Security cameras should be placed around the building perimeter, toward exits, with one in the inventory room, and more in the main area where the retail occurs. There should be only one controlled entrance and exit for the public, monitored both by trained security staff and security cameras. When merchandise is bought and handed to a customer, a salesperson should remove the security device, and carry the merchandise to the customer’s car. An alarm system should be present to detect unauthorized breaches of building security during off hours. These measures will not only prevent external threat of burglary and theft, but also internal pilferage from employees.

To reduce the chance of external hacking attempts, the recommendation for information and records security is a strong, professionally built firewall and antivirus system. To reduce the probability of internal data compromise, a permission levels system must be implemented, with regularly updated passwords and usernames. At the employee level, only customer PII and employee scheduling should be accessible. At manager level, inventory records, shipping information, and other information related to the supply chain management should be accessible, on top of the previous level information. At administrative level, all information, including financial records, business analytics, and manager reports, needs to be accessible. The permission levels system ensures that only what is necessary for an employee or manager to know is available.
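The permission levels described above, sketched as an added example (not part of the original article or any Best Buy system): a deny-by-default tier check where each level inherits the one below it, plus an audit that flags grants exceeding a user's level. The category labels, user names and grant data are constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """The three tiers named in the text; a higher tier inherits the lower ones."""
    EMPLOYEE = 1
    MANAGER = 2
    ADMIN = 3


# Minimum tier required per record category (illustrative labels, not a real schema).
MIN_LEVEL = {
    "customer_pii": Level.EMPLOYEE,
    "employee_scheduling": Level.EMPLOYEE,
    "inventory_records": Level.MANAGER,
    "shipping_information": Level.MANAGER,
    "financial_records": Level.ADMIN,
    "business_analytics": Level.ADMIN,
    "manager_reports": Level.ADMIN,
}


def can_access(level, category):
    """Return True only if the tier is entitled to the category.

    Administrative level sees all information, as the text states. For the
    other tiers, a category missing from MIN_LEVEL is refused (deny by default).
    """
    if level == Level.ADMIN:
        return True
    required = MIN_LEVEL.get(category)
    return required is not None and level >= required


def audit_grants(grants):
    """List (user, category) pairs where an explicit grant exceeds the user's tier."""
    findings = []
    for user, (level, categories) in sorted(grants.items()):
        for category in sorted(categories):
            if not can_access(level, category):
                findings.append((user, category))
    return findings


# Constructed sample of an access-list export: user -> (tier, granted categories).
SAMPLE_GRANTS = {
    "floor_associate_01": (Level.EMPLOYEE, {"customer_pii", "employee_scheduling"}),
    "floor_associate_02": (Level.EMPLOYEE, {"customer_pii", "financial_records"}),
    "store_manager_01": (Level.MANAGER, {"customer_pii", "inventory_records",
                                         "manager_reports", "vendor_contracts"}),
    "district_admin_01": (Level.ADMIN, {"business_analytics", "financial_records"}),
}

if __name__ == "__main__":
    for user, category in audit_grants(SAMPLE_GRANTS):
        print(f"excess grant: {user} -> {category}")
```

Running the audit against a periodic export of real grants is what keeps the tiers from drifting as staff change roles.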

It is recommended that managers and other administrative staff be trained to take control of a situation in an emergency, know which emergency services to call, have security staff secure the building, and lead people to safety. It is also recommended that a company model their evacuation plan after an existing plan developed by a state or federal agency, or create their own, but either way research has shown the effectiveness of these plans, and to have a plan in place is recommended because it will save lives. It is recommended that a hiring director for a company conducts an interview, a full criminal background check, compiles an applicant’s references and follows up on them, and makes sure that the applicant has skills and a personality relevant to the job. It is also recommended that all federal OSHA regulations, as well as state laws are followed with regard to plant safety, safety equipment, and training and hiring practices. Adhering to the law in all ways will prevent lawsuits and other damaging events from shutting down Best Buy.

Conclusion

In conclusion, Best Buy employs a number of measures with security and safety in mind. From preventing theft and burglary to maintaining the training of the staff, Best Buy has many reasonable policies that would show effective security. No security plan is perfect, however, and Best Buy has suffered a number of lawsuits for varying reasons. As a result, several recommendations have been detailed, and through cost benefit analysis it can be said with confidence that the cost of implementing these recommendations would be less than the potentially millions of dollars of assets that would be lost with a large-scale burglary, or a terrible accident that leads to a successful lawsuit. A well thought out, comprehensive, realistic and cost effective security plan should reduce incidents like injury, negligence, and theft, but as people sometimes make mistakes, one weakness of any security plan can never be removed: the human element. This is why measures must be undertaken; while they cannot be perfectly mitigated, undesired outcomes can be reduced with planning, training, and vigilance.

Fig. 1: Controlled Front Entrance, security barriers visible

Fig. 2: Loading dock in back

Fig. 3: Sensormatic brand of metal detectors at entrance

Fig. 4: Example of the ceiling security cameras throughout store

References

Demuijnck, G. (2009). Non-Discrimination in Human Resources Management as a Moral Obligation. Journal of Business Ethics, 88(1), 83-101. Retrieved from http://eds.b.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?sid=99b5b842-45dd-4b4f-bf4b-89e93a95f0f6%40sessionmgr102&vid=3&hid=114

Detweiler, G. (2011, January 31). Future Hires: Here's Everything You Need To Know About Employee Background And Credit Checks - Business Insider. Retrieved from businessinsider.com: http://www.businessinsider.com/specialty-consumer-reports-employment-reports-2011-1

Greenwald, J. (2011, April 11). Data Breach at Epsilon Underscores Key Cyber Risk. Business Insurance, 45(15), 1-21. Retrieved from http://eds.b.ebscohost.com.ezproxy.umuc.edu/eds/detail/detail?sid=14b8181f-891c-4052-b89e-1d814119701e%40sessionmgr111&vid=3&hid=108&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#AN=60312923&db=bth

Holloway v. Best Buy, 3:05-cv-05056-PJH (United States District Court, Northern District of California December 2005). Retrieved from http://www.lieffcabraser.com/Case-Center/Best-Buy-Employment-Discrimination.shtml

Morales, A., Alcarria, R., Martin, D., & Robles, T. (2014). Enhancing Evacuation Plans with a Situation Awareness System Based on End-User Knowledge Provision. Sensors, 14(6), 11153-11178. Retrieved from http://eds.b.ebscohost.com.ezproxy.umuc.edu/eds/pdfviewer/pdfviewer?sid=59174836-c5b5-4a87-b29a-d6f76aec69ab%40sessionmgr111&vid=4&hid=114

Officer, B. B. (2016, February 18). Best Buy Security Interview. (J. Punchak, Interviewer)

Tyco Integrated Security, Tyco Retail Solutions. (2015). Sensormatic Ultra Post Self-Contained Pedestal. Retrieved from sensormatic.com: http://www.sensormatic.com/Products/EAS/DetectionSystems/PedestalSystems/UltraPostSelfContainedPedestal.aspx#


About the Creator

Johnny Ringo

Disabled, bisexual American socialist and political activist. Student of politics, aspiring journalist, and academic. Bachelor’s of Science in Criminal Justice.
