
Manitoba Liquor and Lotteries 'not giving up' as weekly thefts reach hundreds

Vigilante justice, filming thefts ‘just not worth it,’ says MLL spokesperson

Bartley Kives, Caitlyn Gowriluk · CBC News · Posted: Oct 28, 2019 4:58 PM CT | Last Updated: October 28


Liquor stores in this province are getting robbed hundreds of times a week, only months after Manitoba Liquor and Lotteries unveiled a strategy to reduce the incidence of theft.

The provincial Crown corporation conceded Monday it is still trying to find ways to mitigate a robbery problem that primarily afflicts liquor marts in Winnipeg, several of which have been altered to improve security and staffed with armed security.

"We have police officers in our stores and they're robbing us while an armed officer with a gun and a Taser is standing there, so I'm not sure what is supposed to fix this," Liquor and Lotteries' corporate and public affairs director Andrea Kowal said Monday at a news conference.

"Our extreme frustration is the media has focused on this as a liquor mart theft problem. Every single story is about a liquor theft problem and I'm afraid this diminishes how serious this is as a retail theft problem and a crime problem in our city," Kowal said.

In response to rising theft in 2018 and earlier this year, the corporation placed loss-prevention officers in stores during peak times, started checking customers' ID at the front door of Liquor Marts, began using bottle locks and lockable shelf cases, and started requiring customers to ask staff for high-value bottles.


Kowal said thefts continue to occur at a rate of hundreds per week. Liquor Marts in Winnipeg are robbed a total of 10 to 20 times a day, said Const. Jay Murray of the Winnipeg Police Service.

"It's almost like liquor has become a form of currency in the criminal underworld here in Winnipeg. It's certainly being shopped as such on social media platforms," Murray said.

As videos of people robbing liquor marts continue to spread on social media, Liquor and Lotteries is urging people not to try to be a hero when they see a crime in progress.

"No one's life or safety is worth a bottle," Kowal said. "It's just not worth it."

Winnipeg police issued a similar warning over the weekend asking customers not to take video of the thefts, either. Liquor and Lotteries operates state-of-the-art video systems and does not need anyone to use their iPhones to capture images of thefts, Murray said.

"It seems like every day another video is being shared on social media of someone intervening," he said, adding he understands customers are frustrated and wish to help.

The union representing 1,000 liquor store employees said its members are also frustrated.

"There's a feeling of trepidation when people walk into the store, and that's not how people want to go to work every day," said Janet Kehler, member services director of the Manitoba Government and General Employees' Union.

Kowal said there's no silver bullet to stop the problem, but she said they're still looking at more steps they can take to try to mitigate theft.

"We're not giving up," said Kowal. "Every time we put something in place, it works for a little while and then they figure out how to get around it."

She said she would not share what measures are and are not working because that would assist thieves.

Kowal said while liquor mart thefts have gotten a lot of attention in Winnipeg, the issue is much larger than what's happening in their stores.

"It's not going to be solved by law enforcement and security. This is a city-wide, maybe North America-wide problem that's going to involve groups that work with families, addictions groups, public health, social agencies," she said.

"If we closed the liquor marts — whether we closed them to make a Consumers Distributing model, or literally closed them and said, 'we're not gonna be in this business anymore' — this issue is still going to exist."

Consumers Distributing, a retail chain that closed in 1996, used a shopping model where customers browsed through a catalogue to select items and then an attendant retrieved the items from the warehouse.

Kowal said the thefts are taking a toll on liquor mart staff, and asked people to be empathetic to them.

IT World Canada

UK minimum cyber security standard should be followed in Canada, says expert

There’s no shortage of advice to infosec leaders about what they ought to be doing to tighten the IT security of their organization, starting with the Center for Internet Security’s critical security controls. But what if the board and C-suite want to tell departments what they must do?

The recently-issued minimum cyber security standard for U.K. government departments is a good place to start. In seven pages the government sets out what it expects departments to adhere to — and exceed wherever possible.

This concise document goes along with the more detailed best practices security policy framework for protecting government assets, first published in 2014, to comply with the U.K. national cyber security strategy.

Those two documents can be granular, and in some ways ‘here’s how you do it’. The minimum cyber security standard is ‘here’s what you better be doing.’

So, for example, one of the first standards is “Departments shall identify and manage the significant risks to sensitive information and key operational services.”

Here’s another notable must: “Access shall be removed when individuals leave their role or the organization. Periodic reviews should also take place to ensure appropriate access is maintained.”

And another: “Multi-factor authentication shall be used where technically possible, such as where administrative consoles provide access to manage cloud based infrastructure, platforms or services. Multi-factor authentication shall be used for access to enterprise level social media accounts.”

Four sections

The standard is broken down into four sections infosec pros will recognize for creating a strategy: Identify, Protect, Detect and Respond. Within each, department heads are mandated to take certain actions. This means if there is a failure the government can ask, ‘Why wasn’t this done?’

“This is a useful starting point for Canadian authorities,” said David Swan, the Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace + Security Science, an international consultancy. “All levels of government can use it. The requirements of the standard can be integrated into any regulatory framework. The standard can be expanded or included in other guidance. In the corporate environment, this level of knowledge should be required by boards of directors, CEOs, CSOs and CISOs. Organizations that don’t require this level of knowledge are essentially ‘co-operative victims’, unaware of their risk, cyber threat and consequences.”

The standard does allow some implementation flexibility. So the definitions of ‘sensitive’, ‘essential’, ‘important’ and ‘appropriate’ are left open. “However,” the document adds, “departments are accountable for the effectiveness of these decisions.”

U.K. departments “shall understand and manage security issues that arise because of dependencies on external suppliers or through their supply chain,” the standard says. That includes ensuring that the standards are met by the suppliers of third party services, such as hardware, software, consulting or cloud providers. However, those third parties could meet compliance in one of several ways. One is if the supplier holds a valid Cyber Essentials certificate as a minimum.

The U.K. Cyber Essentials program has accredited bodies issue certificates to private sector companies attesting they have met certain minimum security standards. Last month, when it released the latest Canadian cyber security standard, Ottawa said it is looking to set up a similar program here.


However, the Canadian program may take some time. The government said it will first consult with the private sector and potential certification bodies. At this point it isn’t known who those certification firms could be. In the U.K. they include many IT security consulting companies, which have expertise in the area. The department of Innovation, Science and Economic Development (ISED) will be responsible for approving the Canadian program. The Communications Security Establishment (CSE), which oversees security for federal systems, will define a basic set of measures SMEs would have to follow. And the Standards Council of Canada will approve certification bodies to evaluate whether SMEs have met the standard.

Note where the U.K. minimum standard starts: “There shall be clear lines of responsibility and accountability to named individuals for the security of sensitive information and key operational services.”