
    Published on: January 10, 2006

    Technology provides enormous advantages. But at the same time, it also creates an environment of considerable risk.

    To assess the current state of “corporate insecurity,” MNB engaged in an exclusive e-interview with Gordon Smith, president/CEO of Canaudit and a speaker at the upcoming Food Marketing Institute (FMI) Marketechnics conference in San Diego, scheduled for January 30-February 1.

    MNB: In 2006, are we more or less vulnerable to high-tech crime than we were, say, pre-9/11?

    Gordon Smith: We are far more vulnerable today than at any other time in history. In the aftermath of 9/11, the emphasis was on physical security, not on securing corporate information and IT infrastructure. Sarbanes Oxley made the situation worse as executives and auditors were scrambling to comply with this legislation. Efforts were focused on traditional general controls. These controls consist of policies, procedures, application level controls and supervisory and management review. This enabled many organizations to be SOX compliant, yet major IT risks still remained. The overemphasis on the general controls came at the expense of database, operating system and network controls. IT staff, security analysts and auditors were so consumed by SOX compliance that simple procedures such as critical patches were not applied and database export files (backups) were not properly secured.

    The critical flaw was the failure to link the SOX work to the preventive non-discretionary controls available in the operating systems and databases. While the debates raged over how complex a password should be, new password crackers, such as Rainbowcrack, enabled hackers to crack a Windows LanMan password in less than 30 minutes. New exploits that give an attacker complete control of a server are discovered every day. These exploits are created and passed around the Internet in a matter of hours. The vendors are hard pressed to develop, test and distribute patches before hackers take control of entire corporate domains. For examples of organizations that have had serious information technology security issues, go to ChronDataBreaches.htm.

    MNB: What accounts for this change?

    Gordon Smith: I believe that the lack of change is caused by shifting corporate priorities. In 2005, Sarbanes Oxley was the hot button. My quest for 2006 is to make information protection the most pressing issue in IT audit and security shops throughout America.

    MNB: We asked this question of Marianne Jennings, who is speaking at Marketechnics about ethics, and we’re curious what your answer would be: Does technology create ethical lapses, or just make them easier? In other words, would the people who are ethically challenged be behaving badly even if we were typing on manual typewriters and riding horses to work?

    Gordon Smith: Business ethics is a binary condition. People either have ethics or they do not. Those who want to steal will steal. Those who are honest cannot be bought. Opportunities for malfeasance will only increase as business systems become more complex and customers demand more self-driven interactivity or greater access through the Internet. Technology facilitates easier access, enabling dishonest groups and individuals to take advantage of control gaps for their own personal gain.

    MNB: Are retailing companies spending the time and money they need to in order to secure their databases, especially considering how much customer data may be at risk?

    Gordon Smith: Retailing companies are spending more time and effort than ever before to secure customer data. It is not how much you spend, but how effectively you deploy your information protection assets. At Canaudit, we specialize in penetration audits and vulnerability assessments. Many of our clients have spent millions on information security products only to find that these products, as installed, did not detect or prevent our efforts. In some cases, their trust in their investment and the hours invested in installing security caused them to have an unrealistic belief that they were secure. They dropped their guard and our penetration team penetrated their networks and servers like a hot knife slicing through butter.

    Twenty-eight years ago when I started on the lecture circuit, one of my key themes was that you could not purchase security, rather it is a mindset. This is even truer today. It is not the investment that is important; it is the effectiveness of the protection efforts that is essential. Some of our clients are resource starved, yet their security is better than those with much deeper pockets. These resource-poor clients look after the basics: limiting administrator access, automated security alerts, eradicating service accounts with default passwords, removing trust relationships, implementing selective two-factor authentication and other inexpensive yet proven techniques to protect the environment. Let me reemphasize my point: it is not the investment in security that is important; it is the effectiveness of the installed controls.

    MNB: Are there things that individuals/consumers can do in order to secure themselves and their personal information?

    Gordon Smith: Consumers will be at risk as long as they provide their information to organizations that do not have a secure processing environment. One would think that your data stored at Bank of America would be secure. Yet there have been at least three incidents in 2005 where BofA customer data was exposed. Wal-Mart made the Hall of Shame on December 12, 2005 when credit card customers at their Sam’s Club / Wal Mart gas stations were exposed. I have been using gas stations as a primary example of credit card vulnerabilities for over seven years, yet the controls are still not in place. Management often does not perceive the reality of a specific threat until after it happens. Then they scramble to do damage control.

    In today’s world, the customer can take all the precautions (using only secure web sites, monitoring their credit reports, etc.) but somehow still have their information stolen or abused. I believe the focus should be on the trust a customer places on the organizations they do business with. It is up to businesses to ensure that customer transactions are secure and that customer data is protected. Responsibility should be placed where it belongs, on the merchants, vendors, universities and other organizations that have a fiduciary responsibility to protect their customers.

    MNB: Is the biggest threat for cyber-terrorists with political agendas, or old fashioned hackers with nothing other than mischief and/or personal/financial gain on their minds?

    Gordon Smith: This is like asking if it is better to be killed in a plane crash or to get hit by an 18-wheeler. Either way you are dead. No one can predict with accuracy the threat that will be the next reality. Cyber-terrorists will go for infrastructure, power grids, nuclear plants, refineries, shipping and rail lines, cities, etc. Hackers will go after simpler targets. Our primary job today is to look at all risks and protect our clients against those that are most likely to occur. Our secondary task is to ensure that we are prepared when a cyber-event occurs so that we can contain the damage, quickly repair the networks and databases, and focus on prosecuting the perpetrators. Prevention is always best. Prosecution ensures that the message gets out to those contemplating nefarious acts: Do the crime and you will do a lot of time.

    MNB: When people leave your presentation at FMI’s Marketechnics, what will their marching orders be?

    Gordon Smith: Don’t believe your own staff when they say the network and databases are secure. Demand proof! Have a real vulnerability assessment completed by qualified teams to assess your initial risk. Develop a plan to mitigate the risk. Create a team empowered to correct existing issues and to identify and remediate new issues. I believe in a proactive security approach that resembles painting the San Francisco Bridge. As soon as you finish painting it, it is time to start over again. With networks, as soon as you implement a security program, it is time to go back to the beginning, analyze new threats and roll out a new security implementation that responds to real current and future threats.

    Gordon Smith is scheduled to speak at FMI’s Marketechnics conference on Wednesday, February 1, from 8-9 a.m.
    KC's View:
    We were looking at our Marketechnics details the other day, and noticed that this year’s conference deviates from previous years in one important way – whereas past Marketechnics ran from Sunday to Tuesday, this year runs from Monday to Wednesday.

    We only mention this because we’ve now spoken to a couple of people who were planning to attend the show and who were surprised by the scheduling. So we thought it worth mentioning here.

    Published on: January 10, 2006

    Retailers continued to have strong representation on this year’s Fortune “Best Companies To Work For” list, with Wegmans garnering the number two spot on the list. Other retailers making the list are The Container Store (#6), Whole Foods (#15), Starbucks (#29), Nugget Markets (#33), Nordstrom (#46), Publix (#56), Stew Leonard’s (#58), Men’s Wearhouse (#92), and Ikea US (#96).

    Other food industry companies making the annual list were JM Smucker (#8), SC Johnson (#10), Valassis (#69), and Wrigley (#95).
    KC's View:
    It is noteworthy, we think, that 10 percent of the spaces on the top 100 list is taken up by retailing companies – since retailers are uniquely dependent on the relationships established between employees and customers for their success and growth.

    Good for them.

    The question that has to be asked, however, is why there aren’t more retailers on the list. Being a “best company to work for,” whether they go through the application process or not, ought to be every retailer’s goal – precisely because happy and fulfilled employees are so critical to success.

    One of the important things about applying for the Fortune list, by the way, is that it makes companies go through a level of self-examination…to celebrate what they do right and seek ways to improve where there are opportunities. This is good for the company and good for employees.

    Published on: January 10, 2006

    The East Bay Business Times reports that having decided that $9.4 billion wasn’t enough to sell the company, Albertsons’ management “may find it difficult to rekindle its relationship with investors and the buying public.”

    The problem is that even though Albertsons says it has recommitted itself to its business, its customers and its employees, it continues to be interested in selling off pieces of the company. And, according to analysts, even a sale of pieces of the company won’t solve Albertsons’ structural problems, fueled by a growth strategy that was keyed to 1) cost cutting and 2) acquisitions of regional chains such as Shaw’s.

    "You can't grow just by cutting costs and making acquisitions," Ted Taft of the retail consulting firm Meridian Consulting Group tells the Business Times. "Trimming costs might help a bit. And some of the divisions are actually outperforming the company as a whole. But what is the company's overall growth strategy? There doesn't appear to be one. (Albertson's) has become kind of a plain vanilla retailer."
    KC's View:
    “Plain vanilla,” it seems to us, is the worst kind of criticism to be trained on a retailer.

    There’s no room for plain vanilla in 2006 retailing. None.

    Published on: January 10, 2006

    The Atlanta Journal-Constitution reports that Winn-Dixie CEO Peter Lynch has been losing a number of bets lately, but that these are bets that he likes to lose.

    Lynch reportedly bets store managers that they can increase sales – and when they do so, he takes them and their entire management team to lunch.

    The paper says that Lynch now has lunch dates booked through July 2006, and that he believes this represents a significant turnaround in Winn-Dixie’s fortunes.

    "People now are proud about what they're doing," he tells the paper. "Before, they had their heads hanging down."

    While Winn-Dixie has closed more than 300 stores and eliminated more than $100 million from its annual expenses, analysts remain concerned that the company simply is losing too much money to feel confident about its prospects.
    KC's View:
    It isn’t how many lunches Lynch has with store managers that counts.

    It is whether bigger and better chains such as Wal-Mart and Publix will, in the end, gobble up its future.

    Burt Flickinger III, managing director of Strategic Resources Group, tells the Journal-Constitution that Winn-Dixie "continues to lose massive amounts of money with no signs of stopping the bleeding on the operating loss."

    Perhaps even more important is the fact that the company doesn’t seem to be reinventing itself in terms of creating a compelling shopping experience that breaks the rules. Mere fixes may not be enough.

    Published on: January 10, 2006

    There is a proposal in front of the Missouri state senate that would make it illegal for supermarkets and convenience stores to sell cold beer.

    The reason: State Sen. Bill Alter believes that if people had to chill their beer before drinking it, there would be fewer cases of drunk driving because the act of beer drinking would be delayed.

    Alter, who also is a police officer, says he got the idea from a fifth grade student.

    Retailers are objecting to the proposal, saying that it will be ineffective in stopping people from driving while impaired if they are so inclined.
    KC's View:
    We have to be honest here. Our first reaction to this was that it was a silly idea.

    But then we saw that it was actually generated by a fifth grader, and we gave it another thought – since fifth graders generally are more sensible about things than politicians.

    Here’s the question we’d want answered before agreeing to such a legislative solution: How many people who get stopped for drunk driving bought their beer at a supermarket or convenience store, vs. having consumed it at a bar?

    Published on: January 10, 2006

    The Buffalo News reports that Ahold-owned Tops Markets plans to close six stores in the Adirondacks and the Utica area that it wanted to sell off, but for which it was unable to find buyers.

    The company also said it would eliminate 22 administrative positions in order to cut costs, but that none of these cuts would be at store level.

    Published on: January 10, 2006

    Business Week profiles Elliot Entis, who “has created a breed of salmon that grows twice as fast as normal farmed salmon, because they carry part of the genetic code of another type of fish, the ocean pout.”

    Entis’ company, Aqua Bounty, reportedly “is in the final stages of a five-year battle to get the product approved by the Food & Drug Administration, which has yet to approve any transgenic animal for human consumption. If the company succeeds, Entis' salmon could become the first such product on the market.”

    The genetically engineered salmon should allow producers to cut costs by more than a third while doubling output, according to Entis’ projections.

    Entis says he has no problem with the long approval process, that if it isn’t an extensive and comprehensive procedure, consumers won’t have the requisite faith in the product.
    KC's View:
    While we don’t have an immediate prejudice against genetically engineered food, we’re not sure that even an extensive and comprehensive approval process will be enough to reassure consumers.

    Published on: January 10, 2006

    Published reports say that McDonald’s has filed comments with the US Food and Drug Administration (FDA) saying that proposed changes in mad cow disease-oriented regulations – restricting the ingredients in cattle feed – don’t go far enough.
    KC's View:
    When Mickey D’s expresses concern about mad cow safeguards, you have to give those worries a lot of attention.

    Also worrisome is the fact that McDonald’s filed its comments with FDA during the public comment period that ended last month, but the comments reportedly were not posted on FDA’s website, which would normally be the procedure.

    Pretending these objections don’t exist won’t make it so.

    Published on: January 10, 2006

    • Publix has announced that one of its Sarasota stores will now house Carrabba's Italian Market, which will feature prepared foods such as grilled food, pizza, and other Italian specialties. "This partnership allows us to offer our customers something beyond what our Publix Delis traditionally provide,” says Maria Brous, director of media and community relations for Publix.

    There are currently 200 Carrabba's Italian Grill locations around the country with another 25 planned for 2006.

    • Bloomberg reports that Toys R Us will close 75 stores and eliminate 3,000 jobs – or 11 percent of its workforce – this spring.

    The move comes after the company was acquired by a consortium of three buyout firms last year, and then had a third quarter loss of $126 million.

    • Whole Foods reportedly plans to announce today that it will “become the largest buyer of wind energy credits in North America by purchasing credits equal to 100% of its projected energy use for 2006,” according to a report in this morning’s USA Today.


    Published on: January 10, 2006

    • Wild Oats has named Sam Martin, the senior vice president of Supply Chain and Corporate Vice President of Logistics at ShopKo Stores, to be its new senior vice president of operations.

    Published on: January 10, 2006

    We got a number of emails about the decision by former Wal-Mart executive Tom Coughlin to plead guilty to wire fraud and tax evasion, and our questions about what these kinds of ethical lapses say about Coughlin and executives like him.

    MNB user Matthew Smith wrote:

    I think the biggest ethical problem plaguing the business world (and really all of humanity) is that we see people like Ken Lay, Bernard Ebbers, Jack Abramoff, and Tom Coughlin and think "shame on them" instead of "shame on us." They are by no means alone in their transgressions, not by a long shot. Until we stop projecting our ethical failures onto the few that have been caught, we will never repent of our own lust, anger and greed.

    MNB user David Livingston wrote:

    The only reason we even know about this is because it involves Wal-Mart, which the media goes nuts over. If the same thing had happened at Wegmans perhaps only 5 people in the country would know about it. I think we are going to see more and more bad news from Wal-Mart simply because they have over a million employees and there is just no way that all of them will play nice.

    Just think, one in over a million Wal-Mart employees gets nabbed for scamming $500k. How many of our 535 congressmen and senators have misappropriated at least $500k? I like the odds at Wal-Mart better.

    Two points:

    1) The same thing didn’t happen at Wegmans.
    2) That’s the price you pay for being the biggest company. You’re also the biggest target.

    We also had a story yesterday about a small baker in Italy who managed to send McDonald’s packing simply by offering better food. Writing about his specialties, MNB noted that “anyone who can read the following words - ‘mortadella, mozzarella and eggs or scamorza cheese, eggs, basil and tomato, as well as fèdda, a local version of bruschetta — toasted bread drizzled with olive oil and salt and covered in chopped tomatoes’ - and not get immediately hungry better go see a doctor. Because they’re probably dead. And if they read those words and still have a hankering for a Big Mac, they ought to see a shrink. Because they’re insane.”

    One MNB user responded:

    I read this just before I went to lunch and nothing in our cafeteria looked or sounded good. If I could, I would be 'on the road to Altamura' myself right this minute! Good for Luigi and his fellow villagers for showing us Americans that the mouse can fell the elephant!

    But MNB user Al Kober disagreed:

    Doesn't do a thing for me, sorry. But neither does the Big Mac. If it were Burger King or Wendy's .... maybe. But make it a big thick, juicy, flavorful, well-aged, Prime, Certified Angus Beef strip steak, done medium rare, baked sweet potatoes with butter and brown sugar (maybe substituting cholesterol free butter and brown sugar twin), fresh asparagus with cheddar cheese sauce, fresh baked rolls, and my wife's home made cole slaw... Now you’re talking. Add a little warm, peach, bread pudding covered with vanilla sauce for dessert and a cup of Melitta coffee, and it’s even better.

    And, we got a few emails about the story concerning Colleen Wegman. MNB user Michael A. Casciano observed:

    Colleen does not mention, but it is clearly a strategic advantage for Wegmans, that they have adopted an EDLP strategy for center-store items.

    Although they have limited their selection to the top items in any particular category, their customers know that their every day price can compete with the promoted and every day shelf pricing of their competitors over the long haul. Fresh, low prices and the best place to work in the US.

    Any questions?

    And another MNB user wrote:

    Being privately held looks good to me. If you grow 3% and are profitable and have solid operations, the Wall Street boobs can't say "not enough growth, cut heads, cut expenses, merge functions" (AKA running your chain into the ground- see the growing list of grocery retailers).


    Published on: January 10, 2006

    This week’s HartBeat Consumer Pulse from the Hartman Group reports that, conventional wisdom to the contrary, manufacturers and retailers that only focus on processed foods’ functional benefits run the risk of missing the mark with consumers.

    What do consumers want from processed foods in 2006?

    To find out, click on the “Consumer Pulse” tile ad on the right hand side of the page, or go to: