|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Constructing Resilience2015-11-01T04:00:00Z0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Urban Security In Paris2015-11-19T05:00:00Z|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Strategy for Fusion Centers2015-11-17T05:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465To Ensure A Safe Haven2015-11-20T05:00:00Z|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465EMV Gets U.S. Debut2015-11-23T05:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Medical emergency response training2015-04-07T04:00:00Z|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465How to Manage a Merger2015-10-06T04:00:00Z|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465The IOT Revolution2015-10-26T04:00:00Z|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Video preview: Chemical Emergency Response 2015-03-03T05:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465To Ensure A Safe Haven2015-11-20T05:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now Ensure A Safe HavenGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">When the 15-year-old access control system at Calvary Chapel Fort Lauder­dale (CCFL) in Florida began to fail, Senior Systems Administrator Benny Brown knew it was time for a change. Repairing and maintaining the current access control system in the eight buildings that make up the CCFL megachurch and the pre-K to 12th grade school was costing too much, and the system was so old that manufacturers said the new system would have to be designed from scratch.</span></p><p>“That opened the door for us to shop the whole market for access control products,” says Brown, who started looking for a new solution in May 2014.</p><p>CCFL wanted to move beyond a network-based system to a Web-based portal for programming and management, as well as to find something that could take advantage of the extensive network structure across the sprawling 75-acre campus. </p><p>“Our campuses use Macs, PCs, and even Linux, and compatibility with client applications is always a little bit of a concern,” Brown says. “Having the management be Web-based alleviated a little bit of that.”</p><p>Brown also wanted to find a solution that would help CCFL maintain its open-campus feel for both students and parishioners. About 2,500 students attend the school, 20,000 worshippers come to services on the weekends, and 1,000 faculty and staff keep the operations running. “We try to keep the campus open and inviting, we want people to come make use of the facilities and feel comfortable being here,” he notes. “During the school hours, we typically need to keep the areas where the kids are a little more locked down and strict.”</p><p>In 2013, Brown met a Viscount representative at the ASIS International Seminar and Exhibits in Chicago, and he reached out to him when it became clear that CCFL needed a new access control system. After working with Viscount, CCFL settled on purchasing the company’s Freedom platform, a server-based software application that communicates over IP. “It checked all the boxes for us,” Brown says. </p><p>Brown notes that the Viscount Freedom encryption bridges are compact and function through power over Ethernet. Since the application software is completely Web-based, Brown was able to set up multiple access groups and schedules—he can control the access of certain badgeholders throughout different parts of the campus at different times of the day. This flexibility is important on an open campus like CCFL.</p><p>“We need our schedules to be dynamic and have the ability to mark certain controlled areas and lock them at a particular time, and even have temporary unlocked periods within that schedule for certain areas, depending on whether the school is having a function where parents will be coming in,” Brown explains. </p><p>Viscount’s platform makes receiving real- time updates much easier and more consistent, he says. With CCFL’s old solution, each building’s system would have to be updated individually, which could take hours. </p><p>“A lot of times the log on our control panels didn’t get updated until that controller decided to communicate everything back across the network, or the controllers would just lose contact with the server,” Brown explains. </p><p>This was a problem when CCFL enabled or disabled a badge for access, because it took up to two hours for the changes to be pushed out to all of the control panels. </p><p>“The beauty with Viscount is their encryption bridges literally only act as a translator between the reader and the IP network, so their server makes all the decisions,” Brown says. “We make changes on the database in the server, and it’s instantaneous—we don’t need to worry about pushing that information out all over the campus.”</p><p>Brown says his team was able to install 60 Viscount Freedom encryption bridges on the new system by the start of 2015. He has set up 105 controlled areas throughout the campus and church on 31-week schedules to correspond with the school year, and about 1,625 cardholders are in the access control system. </p><p>Right now it’s mainly staff that use the badges, although Brown says he’d eventually like to extend their usage to students as well. Badges are also given out to vendors and contractors who come to the campus on a regular basis and have passed background checks. </p><p>The system was installed throughout both the school campus and the church, and Brown says it has less to do with letting people in than keeping unwanted criminals out in an emergency. The solution allows Brown, or anyone with enhanced credentials, to swipe their card and lock down every single door in a certain building or hallway, or even throughout the entire campus. </p><p>“It’s unique and allows you to be creative for whatever situation or policy your security team wants to implement,” Brown explains. “It’s very flexible, and you can pretty much tailor the access control system around what you need. I have controlled areas for each of our buildings, so I can lock each building in its entirety or conversely unlock each building from the management portal itself.”</p><p>Brown also says that the access control system comes in handy when there is a special event or after-hours gathering, because he can keep all but a few entrances secure to control the flow of visitors. And if a staff member needs access to a building after hours, he can unlock specific doors from an app on his mobile phone. </p><p>Overall, everyone who has been involved in the installation, management, and use of the Viscount Freedom platform has been pleased, Brown says. Compared to the old system, there is virtually no downtime. CCFL’s security team has quickly been able to learn the system, and can view constantly-updating access logs as well as control access points through the management portal.</p><p>Brown says he’s hoping to work with Viscount to take advantage of technology, such as QR codes or near field communication (NFC), which would enable staff, students, and visitors to use their smartphones to gain access to the campus. </p><p>“That would allow us to keep the schools locked a little more consistently during events, and we would have a better idea of who is on campus at any given time,” Brown notes. “We can pretty much limit access to parents, family members, and known volunteers without actually having to issue a badge. I’m looking forward to when they have that perfected.”    ​</p> Plan for Polite ProtectionGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">We had waited a long time for this vacation and the whole family was filled with excitement as we drove into the park. But when we </span><span style="line-height:1.5em;">walked to the entrance and approached the security checkpoint, my wife and I became confused. Where, exactly, did we need to go after the checkpoint?  The crowds were getting larger by the second, and if we went the wrong way, we would be doomed to stand in a formidable line.</span></p><p>We saw two security officers nearby, and were relieved—they would know. As I approached them to ask for directions, I could hear that they were involved in their own conversation, so I smiled and nodded to make sure that they knew that I needed their help. They looked over at me for a split second, then ignored me and continued talking. Irritated, I cleared my throat and said, “Excuse me.” They finally stopped talking but looked at me with annoyance.      </p><p>When I asked them for directions, they sarcastically pointed out that I could have just looked at a nearby sign for my answer. And so, with one rude exchange, my family’s feelings of excitement and anticipation had quickly changed into ones of aggravation and disappointment.​</p><h4>Hosting</h4><p>We all have similar stories of substandard customer service, and we all should never forget that security plays a key role in being a good host to guests. Managers know that visitors commonly perceive security officers as approachable and knowledgeable. Although many customer service-centered businesses place information booths and hosts at strategic entry locations to greet and inform guests, most people also see security officers as safe, informed employees whose job description includes helping others.</p><p>As a result, security officers often get more customer inquiries than those designated as hosts. If you are a security manager, you are fully aware of this, and you know it is one of the key reasons that managers need officers to emphasize customer service. The fallout from not doing so, both on the reputation of the business and its ultimate economic success, can be devastating. Numerous articles and studies, including a November 2011 article from Inc. Magazine, indicate that it can cost more than five times as much to obtain a new customer than to keep an existing one.</p><p>With the bottom-line focus of today’s business world, many security managers come under great pressure trying to justify maintaining—let alone increasing—their budgets.  This becomes an impossible task if the company is spending that money on acquiring new customers to replace the ones that were lost. And of course, security managers never want their department to be the cause of a lost customer, or the source of a bad company reputation.  </p><p>Moreover, the importance of customer service is magnified by the word-of-mouth factor. Here the common adage usually holds true: if someone enjoys their experience at your facility, you may not hear anything about it. If someone has a negative experience, they will tell 100 of their friends.</p><p>It is important to remember that negative experiences can have a damaging effect on internal staff as well. Some security managers prefer to maintain a barrier between the security department and other employees to ensure that security officers will act appropriately if there is a theft or other internal incident. Although this may be appropriate when properly balanced, it is also important to avoid an adversarial relationship between security and other departments.  </p><p>When your colleagues believe they can trust security with important concerns and sensitive issues, it makes for a more cohesive team. If security officers are known to act abrasively, or in an uninterested manner, it can stain the department with a bad reputation or even result in liability.​</p><h4>Support</h4><p>How can an organization build a superior customer-service-focused security department, including all the tools necessary to maintain such a team?</p><p>First, the full support of the executive staff is required. Everyone, including the CEO and other members of the C-suite, must believe in and support the company’s customer service goals and initiatives.</p><p>Once these goals and initiatives are set, the executive staff must use their authority to influence the employees who will put these plans into motion. Executives must also continuously monitor the execution of the plan to ensure that the goals and initiatives are current, relevant, and achievable, and that they continue to be acceptable to the customers. It is important that these customer service standards be clearly defined in writing and repeatedly communicated to employees.</p><p>In addition, it is crucial for executives to create and maintain an atmosphere that is conducive to these standards and initiatives. It can be harmful for management to create standards but then not give employees the tools and the environment necessary to carry them out.</p><p>In July 2014, both The Verge news website and Forbes magazine reported on companies said to provide the worst customer service. Comcast was at the top of both lists. Reporters of those news agencies, after investigating, found out that one of the main problems was with communication. The executives at the top were concerned about good customer service and had relayed service standards to management, but these standards were lost before they could filter down to the employees.</p><p>Another issue for these poorly performing companies was the duties of the customer care representatives. A manager thought it was a good idea for these representatives to sell services as well as provide customer service, and they were given sales quotas. As it turned out, the representatives became more focused on reaching their sales goals than providing excellent customer service. In essence, the manager changed the customer care representative’s environment so that it became difficult to carry out proper standards.​</p><h4>Training</h4><p>Besides executive support, it is crucial for security officers to undergo specific, professional customer service training. Various companies offer seminars and training on customer service; some organizations train in-house. Regardless of who is arranging the training (whether it be the security director, a training manager, or an HR department), the program needs to be reviewed to ensure it is the right fit for the specific organization.</p><p>Customer service training, at a minimum, should cover the following:</p><ul><li><span style="line-height:1.5em;">Proper customer service attitude, covering verbal and nonverbal communication</span><br></li><li><span style="line-height:1.5em;">Active listening</span><br></li><li><span style="line-height:1.5em;">Proper responses to complaints</span><br></li><li><span style="line-height:1.5em;">Working knowledge of the business and products</span><br></li><li><span style="line-height:1.5em;">Basic problem solving</span><br></li><li><span style="line-height:1.5em;">Knowing when to involve a </span><span style="line-height:1.5em;">supervisor</span></li><li><span style="line-height:1.5em;">Incident review and looking for ways to improve</span><br></li></ul><p><br></p><p>As the above implies, if the problem gets too involved or if the officer is unable to resolve the issue with the customary steps, the next step should be to involve a supervisor. For this reason, supervisors need to have intermediate customer service training at a minimum, and advanced training is preferred. Supervisors should also have options available to them that may help defuse tense situations, such as the ability to give refunds or discounts.​</p><h4>Implementation</h4><p>Proper training and executive support are both crucial, but they are not sufficient to ensure superior customer service. The principles must be properly executed, on a day-to-day basis, by all employees.</p><p>This can be challenging. As experienced managers know, some employees will embrace such execution, while others see any change as bad or scary. Take, for example, a veteran officer whose initial job training took place a long time ago, and who has been doing his or her job the same way for years. This officer may have the attitude of, “you don’t pay me to be nice” or “that’s not my job.”</p><p>When the Nevada Museum of Art in Reno, Nevada, instituted a customer service focus with its security team, most of the officers embraced the change and carried out the new directive with enthusiasm. There were a few officers, however, who had been in the security field for quite some time and were more comfortable with curt rule enforcement and using an abrasive demeanor to deter anyone from breaking the rules. So, this smaller second group of officers was given additional training and coaching on how to conduct themselves according to the customer service standards.</p><p>For cases in which officers need additional instruction, security managers should do their best to gently change the mindset of those who are holding on to the old way of doing things.  The best way to succeed with these officers is to ensure that the program is fully supported, as detailed above, and that security leaders put the customer service concept in a positive light. For example, enforce the message that great customer service makes a business successful, and security is only successful when the business succeeds. Once these officers have completed the additional training, watch them engage with business visitors and the public, and give them pointers on how to fine-tune their newly formed skills.</p><p>The most difficult implementation situations often occur when customer service is not within the officer’s skill set, or when the officer decides to completely resist the training.  In these instances, security managers may have to make hard choices on whether these officers are still a good fit for their team.  The above mentioned security team at the Nevada Museum of Art was successful at getting all officers trained in customer service and having them successfully and properly use their skills on the public. The results were happier visitors, happier officers, and a huge drop in complaints.</p><p>A colleague at a nearby company recently instituted a customer service program in its security department. After the initial training was completed, one officer would not engage with the public in a customer service manner. The security supervisor spent additional time with the officer, and critiqued the officer’s interactions with visitors in an attempt to assist with improvement. After a reasonable amount of guidance and retraining, the officer was still not able to meet the new customer service standards, and he was ultimately transferred out of the security department.​</p><h4>Balance</h4><p>When adding a strong customer service component to a security program, one of the most important focal points should be ensuring that the customer service program complements—and is in balance with—security procedures, and does not detract from them. If an officer is engaged in a lengthy customer service interaction, he or she must ensure that it does not distract from security duties.</p><p>There are a few possible solutions to this issue. The first is to either have officers notify their supervisor before lengthy customer service engagements, or have supervisors look out for officers who are being taken away from their security duties. The supervisor can then gauge whether they should take over the interaction with the customer, or take over the officer’s security duties until the officer is free.</p><p>A second solution is for the officer to clearly communicate with the customer that he or she is happy to help them, but while they are talking about the issue, the officer will also be looking around for safety and security issues during the conversation. In addition, officers must always understand that urgent safety and security issues take priority. So, they should also be trained on how to politely but quickly remove themselves from a customer service exchange to take care of a pressing issue.</p><p>For example, an officer who sees an urgent safety issue while answering a guest’s questions might say, “I’m sorry, I have to take care of an issue but I will be right back.” This quick communication allows the officer to disengage to handle an exigent problem, but also informs the customer that the officer will re-engage as soon as the problem is solved.  Additionally, it lets customers know they are not being ignored, and helps them understand that an issue took priority for a moment.</p><p>In balancing security with customer service, it is also important for officers to understand when they need to adjust the tone of the interaction from a friendly customer service attitude to more of an authoritative response. Unfortunately, there are times when an officer’s kind request for a guest to follow a rule is met with a contrary attitude, or the request is simply ignored.  Although it is never advisable for an officer to respond rudely or with anger, there will be times when an officer will need to address the situation in a courteous-but-stern manner. This is especially true when a person’s safety is in jeopardy, or when damage to a high-value item is possible.</p><p>When a negative interaction with a customer gets to a certain point, the officer will need to involve a supervisor to bring about the best possible result for both the guest and the company. This is where a supervisor’s intermediate or advanced customer service skills will become invaluable. For example, a supervisor’s customer service skills may come into play in apologizing, even though the problem may not be the officer’s or the supervisor’s fault; in separating the customer from the employee they are upset with; or in offering the customer free passes or discounts in an effort to resolve the issue to everyone’s satisfaction.​</p><h4>Maintenance</h4><p>Once an organization has accomplished all these steps and has implemented a well-trained and balanced customer service team, a few practices can help maintain and fine-tune the program.</p><p>Regular meetings should be held with leaders of other departments to go over any customer service problems. At these meetings, leaders and officers should share ideas on how to resolve problems and institute the best solutions. Security managers who oversee the program should be flexible and understand that small changes might be needed to maintain the most effective customer service security program possible. In addition, supervisors should be actively looking for any issues that can be improved upon, so the program continues to make progress.</p><p>A complaint process can also be established, in the form of a suggestion box or a comment section on the facility’s website. This gives employees and members of the public an opportunity, anonymously if they prefer, to make program managers aware of issues and give them an opportunity to quickly fix them. And instituting a continuing education program in customer service will keep officers abreast of current techniques and introduce them to new methods.</p><p>Establishing a customer service program takes a significant investment in time, in effort, and in resources. But the rewards of the investment—in happier customers, a more effective security department, and a more profitable business—will likely be even more significant.   </p><p>--</p><p><em><strong>James “Jes” Stewart, CPP,</strong> is the director of operations and human resources for the Nevada Museum of Art in Reno, Nevada.</em></p> Strategy for Fusion CentersGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">What do a spike in copper wiring thefts in Indiana and a pattern of attempted break-ins at utilities in Ohio have in common? Potentially, quite a lot, say security officials involved with fusion centers around the United States. Copper wiring theft from cell phone towers can disable emergency notification systems, and patterns of criminals testing the perimeter security at utilities can signal a larger, malicious plan.</span></p><p>The goal of the 78 intelligence-sharing fusion centers across the nation is to take note of seemingly isolated events and connect the dots to identify sinister plots before they come to fruition. A post-9-11 initiative to increase intelligence sharing among federal, state, local, and private sector entities, while providing both federal and state funding, resulted in the creation of the centers over the last decade. </p><p>Fusion centers are owned and operated by state and local governments, but they receive funding from the U.S. Department of Homeland Security (DHS) and other federal agencies. Each governor designates a primary fusion center in his or her state and can appoint designated fusion centers in major metropolitan areas, as well. The nationwide system of fusion centers is known as the National Network. </p><p>In 2014, operational costs for the National Network increased by 6.5 percent to more than $328 million. Fusion centers are primarily funded by state expenditures, but also through local support as well as federal grants. There is no direct federal oversight of the individual fusion centers, but DHS conducts an annual assessment of the National Network to make sure the programs comply with grant requirements. Each center has a coordinating body that offers oversight, as well.</p><p>Although DHS has supported the initiative through funding and manpower, the centers have received criticism. Advocacy groups such as the American Civil Liberties Union and the Electronic Privacy Information Center contend that the information collection and sharing, as well as initiatives such as Suspicious Activity Reporting, infringe on the privacy of citizens. In 2014, DHS increased the amount of classified information available to fusion centers, and experts say centers need more clarification regarding who has access to such information, since private sector partners may not legally be allowed to access classified data.</p><p>In 2012, the Senate Permanent Subcommittee on Investigations released the results of a two-year investigation into the centers’ operations, finding that the centers had not uncovered any terrorist attacks, lacked procedures for sharing intelligence, and spent federal grant money on frivolous technology. </p><p>“The subcommittee investigation found that the fusion centers often produced irrelevant, useless, or inappropriate intelligence reporting to DHS,” the report found. Anonymous DHS officials interviewed by the subcommittee called the centers “pools of ineptitude” that produced “a bunch of crap.”</p><p>Since then, fusion centers have developed guidelines, strategies, and regulations to improve both individually and as a network, says W. Ross Ashley, III, executive director of the National Fusion Center Association (NFCA). The association helps coordinate, advocate, and educate people across the government about the value of the centers, he says.</p><p>“We are simply here to help give a voice to fusion centers from a national network perspective,” Ashley tells Security Management. “Each individual fusion center serves its own constituency, but also participates as part of a nationwide network as a national resource.”</p><p>Last year, NFCA worked with stakeholders from the intelligence community, public safety, emergency management, and public health sectors to develop the National Strategy of the National Network of Fusion Centers, a three-year program intended to “systematically improve intelligence information sharing beyond existing and successful criminal intelligence in support of law enforcement investigations,” the strategy states.</p><p>Ashley stresses that each fusion center is unique in its capabilities and activities, but NFCA saw a need to produce a coherent national strategy that spells out the overarching goals of the programs. The first goal—and the most important, says Ashley—is to uphold public confidence through the safeguarding of information and the protection of privacy and civil liberties.</p><p>“In order for fusion centers to be successful, they have to have the inherent trust of the communities they serve,” Ashley explains. “The only way they do that is to ensure that privacy protections are in place, and that civil rights and civil liberties are being adhered to in every step of the process.” As a part of this goal, every fusion center must have a federally approved privacy policy in place, as well as an assigned privacy officer. </p><p>The other goals include supporting engagement with federal, state, local, and private partners to improve information sharing; strengthening the connections among fusion centers; and increasing connectivity between fusion centers and the federal government. </p><p>Bill Vedra, the former head of Ohio’s Homeland Security Division, says that when he helped start Ohio’s primary fusion center in 2007, creating a strong privacy policy was a priority. </p><p>“It’s a partnership of understanding,” Vedra explains. “We all want safe cities, states, and country, and it requires the sharing of information, but how you handle that information is critical to preserving the freedoms that we enjoy. So it’s a balance, and I think Ohio was, and still is, very cognizant of the need to share information in a way that protects the civil liberties of everyone.”</p><p>Early on, Vedra says that strengthening the trust between public and private partnerships was imperative to the centers’ goals. </p><p>“Everyone had the right motive, but it was building that trust to enable that cooperation and collaboration to get people to share information,” he explains. “The whole premise was, we need to prevent if at all possible another 9-11, and part of the 9/11 Commission directive was to share information better and build this platform where the right people at the right levels get the right information.”</p><p>For example, Vedra says a challenge was getting the private sector to report seemingly innocuous events, such as failed break-ins, to the fusion center. “Suspicious activity is an example that a utility may see, and we could share it with other utility members in the community,” he says. “When there was a theft or attempt at gaining access to a utility facility, we could tell whether it was an isolated event or something more criminal, such as terrorism. The other utilities, for example, could be on the lookout for the same thing.”</p><p>An important aspect of the fusion center program is the lateral sharing it enables, Vedra notes. Beyond the vertical local-state-federal collaboration in one community, localities can share information with other communities in their region to detect large-scale patterns. Ohio’s fusion center also focused on creating more community involvement, so information sharing became a full-circle process.</p><p>“One of the drivers of the fusion center concept was being able to get actionable information up to decision makers, to get the bigger view of what’s happening across the country, and then being able to get that back down so it can be shared with locals,” Vedra explains.</p><p>Today, the role of fusion centers has evolved. The 2014 National Network report notes that “fusion centers provide the most benefit and have the greatest impact when they can apply their capabilities across the full spectrum of homeland security mission areas.” </p><p>Indeed, in 2014, fusion centers provided an increased amount of direct support to special events and federally declared disasters in their communities, and the National Strategy focuses on formalizing the support of other national security priorities beyond terrorism, such as investigating cyberthreats and criminal activity. And earlier this year, three adults were convicted of sex trafficking after fusion centers in Florida, Louisiana, and California worked together to identify the ringleaders. </p><p>Ashley says that NFCA is using an implementation plan to track how the National Strategy has been applied at the fusion centers across the country over the past year. He says the association hopes to gather metrics about the National Network through the strategy and present the information to legislators to encourage ongoing federal support.  </p> Against ViolenceGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">Sixty percent of all documented workplace violence occurs in a healthcare setting, according to the American Nursing Association, which also suggests that the actual percentage is probably much higher. Violence has become an epidemic in healthcare, and I have seen it firsthand in my role at the Athens Regional Medical Center in Athens, Georgia.</span></p><p>Athens Regional offers a full spectrum of medical services to 17 surrounding counties, and its level-2 trauma center treats more than 70,000 patients annually. Despite its small size, Athens is an action-packed city that boasts a vibrant music and arts scene, robust manufacturing, and the University of Georgia, which swells the county population to more than 150,000 when in session.</p><p>The Georgia Bureau of Investigation’s most recent report shows that the Athens metropolitan area has an average crime rate for the state, coming in eighth out of 15 metro areas. However, Athens-Clarke County reports that 33.5 percent of its population lives below the poverty level—more than twice the national average. </p><p>Although the Athens Regional facility sits between two historic Athens districts that have some of the lowest crime rates in the county, the medical center still deals with an operational environment that is increasingly prone to acts of violence against its staff. </p><p>These environmental issues along with the national trends of violence in healthcare have led the security management team at Athens Regional to take steps beyond the “stand your post” and “roving patrol” security models towards a more dynamic approach to healthcare security. </p><p>This move spawned the development of three essential tools designed to com­bat rising violence and shift the strategic paradigm from reactive security strategies to proactive security strategies: putting time into effective internal investigations, conducting comprehensive threat assessments, and crunching the data to identify criminal trends as they occur.​</p><h4>Internal Investigations</h4><p>The reports that security officers write and submit are a gold mine of information for organizations. Security managers can use incident reports for internal trending and criminal activity tracking. They can also be used for threat assessment and analysis, and for instructing staff how to serve customers.</p><p>A thorough initial incident investigation is key to both successful reporting and successful customer service. Every report filed constitutes an initial investigation of the incident. Once the scene is safe, the responding security officer should identify and interview the complainant, subjects, and witnesses. </p><p>At Athens, the security officers make notes of all times, dates, conditions, and other details that may prove important for follow-up investigations. Officers are trained to collect every possible piece of information available to create the most accurate picture of the incident for security, administration, and investigations.</p><p>Additional information may often come after an incident has occurred and the initial report has been filed. It is important to establish a supplemental report process so security officers have a mechanism to add additional information to their incident reports. This ensures that every report is as complete as possible, and that officers are not limited in their ability to gather information about an incident.</p><p>Once an initial report is filed and supplemental information has been gathered, it’s crucial to conduct a follow-up investigation. Handing the report over to a trained investigator allows the organization to look more deeply into an incident, gather evidence, evaluate threats, and conduct complete customer service. </p><p>Investigators have the ability to conduct follow-up interviews, collect photographic and video evidence, and liaise with local law enforcement, if necessary. Investigators are also able to connect the dots across the various departments within the organization.</p><p>For example, at Athens Regional, officers take reports from patients who have lost property. These reports are handed off to an investigator for follow-up. In most cases, the investigator will call the complainant and discover that the individual found the property at home, closing the case.</p><p>Recently, however, investigators be­gan noticing a trend in lost property cases where items went missing from the same floor and were not found. Security began to suspect that an employee was taking these items, and security decided to investigate more intently, gathering lists of employees working on that floor, conducting interviews, and suggesting an increase in security officer patrols on the floor.</p><p>Within a month, Athens Regional went from 30 to zero lost property reports on the floor in question. While security was unable to identify the thief, the unwanted activity stopped, and suspects were identified to monitor for future thefts. </p><p>Athens Regional would never have seen this trend without follow-up investigations carried out by trained investigators. Also, the follow-ups allowed security to take the first step in predictive patrolling, allowing investigators—who have a bird’s eye view of internal incidents within organizations—to aid security in targeting patrolling efforts to mitigate potential criminal trends, like recurring thefts.</p><p>Another key benefit of follow-up investigations is the ability to identify risk and threat potential in an incident. Different security officers working different shifts may not realize they are continually dealing with the same threatening patient, or that the patient’s behavior is escalating with every visit. A follow-up investigation allows the organization to see these patterns more clearly and to determine the level of threat involved.</p><p>Additionally, follow-up investigations on suspicious person reports, theft reports, or lost property reports may expose a risk to the organization that was previously missed, and allow the organization the opportunity to mitigate it.​</p><h4>Threat Assessment</h4><p>Healthcare professionals are all too familiar with patients or visitors who repeatedly attack staff members. Reporting on these individuals is the key to successful threat analysis. Security officers who interact with these subjects can file incident reports based on the situation, and from that baseline the organization can begin tracking all the interactions the individual has within the facility. </p><p>A relevant threat analysis combines internal reports with external criminal background checks to create a more comprehensive picture for security. Many organizations employ outside agencies to conduct external background investigations. However, this strategy can become expensive.</p><p>Instead, for those who want to keep costs at a minimum—like Athens Regional—effective background investigations can include a simple Internet search using background report sites like PeopleSmart or Checkmate, open source sites from a department of cor­rections or local law enforcement agency, or other Internet sites, like Athens Regional has been successfully using this approach to conduct background investigations.</p><p>Background checks, no matter what method is used, fill in more information about the subject and give security a greater understanding of what kind of threat the individual presents. For instance, Athens Regional noticed that it had recurring internal reports on an aggressive female visitor. When a background check was conducted, security realized she had a criminal history that included assault. She may not have been violent in the facility—only disruptive and threatening—but security was now aware that she had been violent in the past, elevating the potential threat.</p><p>Once recurring reports are gathered, background checks completed, and a threat level assigned (see box for more on threat levels), the work has only just begun. Continued tracking now becomes paramount to maintaining a successful watch over this known threat. Athens Regional must continue to monitor the incident reporting from security staff and the subject’s involvement with local law enforcement to maintain an active understanding of the threat the subject presents.</p><p>Lastly, there must be a plan to mitigate the threat. Establishing an interdisciplinary threat team to look at and create plans to address threatening subjects who present themselves for medical treatment or accompany patients is a great way to get buy-in from clinical staff, as well as from administrators. </p><p>At Athens Regional, security chairs an interdisciplinary threat team comprising representatives from public safety, risk management, the emergency department, medical, and administration. This team discusses recurring personalities that present a threat and sets the parameters under which care will be provided, ensuring that the patient’s rights are protected and that the hospital complies with federal laws, such as the Emergency Medical Treatment and Labor Act. This group has been successful in establishing a plan to mitigate any threats presented.</p><p>For example, earlier this year the emergency department at Athens Regional filed a report on a man for disorderly conduct. Two weeks later, an information booth attendant filed another report involving the same man. The same man harassed a social worker a week later. These recurring reports triggered a more comprehensive threat analysis of the individual.</p><p>The threat analysis was then presented to the interdisciplinary threat team. For this subject, the team agreed to assign a high-level threat rating. The team determined that the subject would only be seen in the emergency department, and that registration staff would summon security officers if they spotted him.</p><p>The officers would then respond immediately with multiple personnel, and at least two would stay with the subject throughout treatment. The man would only be treated in a room equipped with video and audio monitoring. He would also be triaged immediately and evaluated by medical staff as quickly as possible.</p><p>The team also decided that if the physician identified no medical issues, the man would be discharged and escorted off the property by security officers. If he issued threats or if other problems occurred during the visit, security would then contact local law enforcement and file a report. Athens Regional would then file charges based on the issues presented by the man during his visit.​</p><h4>Criminal Activity Trending</h4><p>Security managers must have a historical understanding of what crimes have occurred at their facility and in the surrounding area. This is a critical first step in the development of external intelligence, as well as in trending and predicting future criminal activity.</p><p>A simple way that Athens is doing this is by learning about the crimes that have occurred in our area over time. This is done by asking basic questions, such as how many robberies have occurred over the last five years? In which months do most robberies occur? Is that pattern static over the full five years? Does a pattern develop in geographic movement of robberies over time? </p><p>Security managers can obtain this information by using open source reporting by local law enforcement agencies. Access to sites like, local law enforcement media releases, and one-on-one liaising with law enforcement can provide a great deal of information about the criminal trends in the area.</p><p>Athens Regional’s local police department has a Crime Analysis Division with officers dedicated to the analysis of criminal trends in the city. Liaising with these officers has proven invaluable to the organization as Athens conducts assessments of potential new building sites for future facilities.</p><p>This information can then be put together to map crimes and document trends, allowing security managers to take proactive steps to prevent crime. Predicting criminal activity can be difficult, but once security understands what crime is occurring, when it’s occurring, and where it’s occurring, reasonable estimations of future criminal activity can be developed. </p><p>For example, Athens Regional recently focused on robberies in the neighborhood. Studying the robberies over time, the hospital learned that an average of 2.6 robberies occurred per month within a 3-mile radius of the facility over the previous several years. Since February 2015, robberies have spiked from the average of 2.6 per month to an average of 12 per month in February, March, and April.</p><p>This obvious trend points to a new and aggressive offender operating right at the hospital’s doorstep. To study the trend spatially, security managers plotted each robbery on a map and watched how those robberies moved over time—witnessing a pattern of robberies moving east and north, and coalescing in a more concentrated pattern just miles from the facility.</p><p>From this research, the hospital reasonably predicted that the risk of robbery occurring in or around that geographic cluster was significantly elevated, and it adjusted strategies to help mitigate this threat. Having this knowledge allows Athens Regional to provide security for staff and visitors from a proactive standpoint by adjusting patrols, installing more targeted physical barriers, and, most importantly, by educating staff on the threat and giving them the knowledge they need to defeat it. </p><p>One of the most successful ways Athens did this was by issuing a Critical Incident Watch (CIW) to all staff members. This document serves the purpose of a Be On the Look Out (BOLO), but is specific to a circumstance or situation rather than a person or a vehicle. </p><p>The CIW went out to all staff, and was published on Athens’ internal Web page. It offered information about the incident and what steps could be taken to prevent such robberies. It also reminded staff to report suspicious activity.</p><p>Since the implementation of these strategies, the number of robberies has dropped significantly, but more importantly, the customers Athens Regional serves have praised the proactive security approach. The assurance of their personal safety was a critical success for the security program. </p><p>The challenge faced by all security managers in the healthcare environment is learning to include data-driven strategies in their ever-expanding skill sets to see threats in real time and take proactive steps to mitigate those threats. Using these simple strategies, security managers can begin to meet this challenge to provide the kind of information needed for security officers to operate effectively and for their organization’s staff and patients to feel secure.  </p><p>--</p><p><em><strong>Charles Hodges</strong> is a public safety training coordinator and shift supervisor for the Athens Regional Health System in Athens, Georgia. He is a certified healthcare security supervisor and a veteran of the U.S. Army, earning two commendations from the FBI and a Humanitarian Service Medal for operational support after Hurricane Katrina. He is a member of both ASIS International and the International Association for Healthcare Security and Safety.</em></p> Gets U.S. DebutGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<span style="line-height:1.5em;">It’s usually better to show up late to the party than to miss it altogether. In the case of adopting Europay, Mastercard, and Visa (EMV) technology, the United States strained the boundaries of “fashionably late” on this concept by rolling into the party about 10 years behind most of the industrialized world.</span><p>Every time a credit or debit card transaction occurs, two technologies are present: the card itself and the point-of-sale (POS) technology that allows the merchant to process the card’s information. For the last 40 years in the United States, the card technology in the transaction was magnetic stripe, and POS terminals were designed to process the information it held.</p><p>However, magnetic stripe technology had numerous vulnerabilities that fraudsters could easily take advantage of. They could skim the information off cards at POS terminals, steal cards out of the mail, hack into a retailer’s system to gain access to card numbers, or simply copy the card number down to be used at a later date to make a fraudulent purchase online.</p><p>To combat this, Europay, Mastercard, and Visa created a new card technology: EMV. Instead of storing payment information in a magnetic stripe, EMV cards use secure microprocessor chips that store information and perform cryptographic processing during a payment transaction. </p><p>“Unlike a magnetic stripe card, it is virtually impossible to create a counterfeit EMV card that can be used to conduct an EMV payment transaction successfully,” according to the Smart Card Alliance, a multi-industry association that promotes understanding, adoption, and use of smart card technology. </p><p>Along with the chip, EMV cards also require a second consumer authenticator—typically a four-digit PIN—to complete the transaction. This helps ensure that even if the physical card is stolen, it cannot be used to make a fraudulent purchase. As a less secure alternative, EMV cards can also use signatures in place of PINs, requiring consumers to sign that they accept the charge before the transaction is finalized.</p><p>France rolled out EMV technology using chip-and-PIN cards almost 20 years ago, and the rest of Europe and the United Kingdom followed suit in 2006 by implementing a “liability shift” (legally shifting liability for fraud to the party in the transaction—the card issuer or the merchant—with the least secure system). Since then, Canada, Latin America, Africa, the Middle East, and the Asia Pacific have adopted the technology. As of December 2014, there were 3.4 billion chip payment cards in use globally, and most POS terminals in the implementing regions were capable of processing them.</p><p>The United States, however, was left behind until October when it implemented a liability shift similar to Europe’s that is designed to encourage card issuers and merchants to use EMV technology. But some experts are questioning how effective the shift will be and whether the United States is following best practices to prevent credit and debit card fraud.</p><p>For example, if a consumer uses an EMV-enabled card to pay for something, but the merchant doesn’t have an EMV-enabled POS system and instead processes the card as a magnetic stripe transaction, the merchant will be held responsible if the purchase was fraudulent, explains Randy Vanderhoof, executive director of the Smart Card Alliance.</p><p>Some large merchants—like Target and Walmart—rolled out their EMV-enabled POS systems prior to the deadline, but many other vendors did not. In fact, Vanderhoof estimates that only roughly between 35 and 50 percent of U.S. merchant locations were EMV-enabled by October. </p><p>Merchants may not have met the deadline because changing their POS systems is a complex process where they have to physically replace terminals and install the necessary software to process chip card transactions, he says.</p><p>Additionally, this is a once-in-a-lifetime change for most merchants, who’ve used magnetic stripe technology since their inception, Vanderhoof adds. “This is not something they normally do; it’s not something they have a lot of expertise in.”</p><p>By not installing EMV-enabled POS systems before the deadline and continuing to slowly roll them out, however, the United States will likely continue to see hacks into major retailers to obtain card information because merchants will still process transactions using magnetic stripe technology, says Martin Warwick, FICO’s European fraud chief.</p><p>“We’re going to constantly see these hacks into major retailers just to get ahold of card numbers where they can make purchases,” he explains. “I think that’s where the trends will push towards, especially for the United States.”</p><p>And Vanderhoof has a similar assessment, saying that many experts are warning merchants that if they fail to upgrade their systems to the EMV technology, fraudsters who used to have many merchant targets to go after to create counterfeit cards are going to have fewer and fewer locations where they’ll be able to use those stolen credentials.</p><p>These fraudsters “will seek out those merchants that haven’t upgraded their technology because they know they can still get away with those cards working in those retail settings,” Vanderhoof explains. This will create a greater financial incentive for merchants to upgrade, he adds, as more fraud begins to show up in their stores, and which they are liable for if consumers don’t use EMV-enabled cards.</p><p>Despite the limited progress made by merchants, card issuers have done slightly better because replacing cards is a routine aspect of their business. By the end of 2015, 600 million of the 1.1 billion U.S. credit and debit cards in circulation will be EMV-enabled, said William Boger, senior vice president and chief legislative council for the American Bankers Association, at an event hosted by Protect My Data in August. Boger further predicted that card issuers may be able to issue EMV-enabled cards to all U.S. debit and credit card holders by the end of 2017. </p><p>One concern that experts are raising, though, is that most U.S. card issuers are not issuing the more secure chip-and-PIN cards to consumers. Instead, Liz Garner, vice president of Merchant Advisory Group, said at the event with Boger that card issuers are “doing a disservice to the American consumer” and issuing chip-and-signature cards. “That’s a business-driven decision, not a security-driven decision,” she added, as she explained that card issuers are afraid they will lose business because consumers will not use the PIN versions of cards.</p><p>Warwick is familiar with this position; card issuers floated that same concern when the United Kingdom was switching to chip-and-PIN cards in 2004. However, he says that refusing the PIN cards or failing to remember PINs hasn’t been a problem for U.K. consumers.</p><p>Furthermore, by adopting chip-and-PIN cards, the United Kingdom was better able to combat counterfeit card fraud, because fraudsters could no longer steal cards and forge a signature to complete the transaction process. According to FICO’s research, Warwick says, counterfeit fraud in the United Kingdom dropped to £72 million (approximately US$117 million) in 2006 from £218 million (approximately US$335 million) in 2004 after chip-and-PIN cards were adopted. </p><p>The United States will not be as effective in countering this kind of fraud because fraudsters could still steal cards and use them to make purchases. It’s “not really going to be that good for lost and stolen fraud, and it’s not going to be that good if you send the cards out in the post because [fraudsters] could still steal it and use it,” Warwick says.</p><p>Another area of concern with the U.S. adoption of EMV is that, unlike in Europe, U.S. ATMs and automated fuel dispensers—self-serve gas station pumps that accept credit and debit cards—were excluded from the liability shift until 2017. This could make them major targets for fraudsters looking to skim cards, Warwick says.</p><p>“When you think of how criminals go after money, one was they want the cash so they’d love to have the ATM and the cash,” he explains. “And then they like to compromise card details, and petrol stations or gas pumps—especially the automatic ones—are a nice area for people to compromise and that was happening across Europe.”</p><p>FICO also addressed this trend in a recent white paper on EMV card fraud and the rise of skimming in the United States. “The United States has seen an unprecedented increase in attacks on ATMs through skimming,” according to the white paper. “This implies that criminals are making the most of magnetic stripe technology fraud before it becomes far more difficult to get away with in the United States.”</p><p>So why has the United States made an exception? “I’d imagine it’s again commercial reasons with the all the petrol stations saying it costs so much to replace these expensive, unmanned petrol terminal pumps,” Warwick says. “So they’ve negotiated an extra couple of years to get all that done. And the same with ATMs, because nothing in this transition is cheap.”  </p> to Prevent ProfilingGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<span style="line-height:1.5em;">I</span><span style="line-height:1.5em;">n recent years, racial profiling has become more prominent as a potential customer service hazard, particularly in the retail sector. During the past two decades, a who’s who of retail establishments have been accused of targeting racial or ethnic minorities when apprehending shoplifting suspects. These allegations have often resulted in litigation from customers and settlements spearheaded by plaintiffs’ attorneys.</span></p><p>Assessing the possible existence of racial profiling is a vital part of customer service. Retailers should strive to treat all customers as highly valued patrons; customers who believe that they have been mistreated because of their race or ethnicity are less likely to be loyal customers. Racial profiling is simply bad for business.</p><p>In addition, a company is liable for the actions of its employees. Claims of widespread profiling that have not been thoroughly investigated using modern scientific approaches can unduly harm retailers. Consequently, if someone reports that they have been profiled, the allegations should be investigated to the fullest extent possible.</p><p>Those responsible for conducting such investigations have a duty to determine whether there is a widespread problem or if the incident stems from a specific sales associate or loss prevention employee. The following offers some guidance on the proper assessment of racial profiling in a retail setting. </p><p>First, retailers should proactively assess whether racial profiling exists before any allegation of profiling has been made. Taking the proactive approach helps insulate retailers from legal action; perhaps more importantly, it provides retailers an opportunity to remedy profiling before allegations occur and legal action is taken.</p><p>Second, in making an assessment, retailers should be cautious if they choose to use the population benchmark. The population benchmark holds that shopper demographics should mirror shoplifting apprehensions: if racial and ethnic minorities represent 30 percent of a store’s shoppers, the apprehension statistics for these groups should not exceed 30 percent. According to this benchmark, racial profiling is allegedly occurring if the demographic percentage is exceeded by a substantial margin.</p><p>Currently, this population benchmark is still the most frequently used standard to determine the existence of racial profiling in retail settings. Retailers use it as a monitoring tool. Prosecutors’ offices, after receiving allegations of racial profiling, typically use the benchmark to determine whether there is a problem. </p><p>Nonetheless, this approach has recently been discredited for two reasons. Scientific evidence has found that, compared to the general population, racial and ethnic groups do not commit offenses at the same rates for all crimes—which is an underlying assumption of the population benchmark. </p><p>Also, it is often extremely difficult to measure shopper demographics accurately, and inaccurately measuring the demographics of shoppers fundamentally biases the population benchmark method. For these reasons, racial profiling research has generally moved away from the population benchmark; yet, prosecutors investigating retail racial profiling have not yet made this switch. </p><p>Retailers should consider replacing the population benchmark with the violator benchmark or, at the very least, using the two in conjunction. The violator benchmark compares the racial distribution of shoplifting apprehensions in a store to the racial distribution of larceny theft arrests in the immediate area—usually in the same police precinct. </p><p>Thus, if the distribution of apprehensions contains substantially more minorities (say 80 percent) than larceny arrests in the area (say 50 percent), this is considered evidence of racial profiling in the retail setting. On the other hand, if the distributions are the same, there are two possibilities: no profiling is occurring, or retailers and private individuals in the area are all engaged in the same level of profiling as the retailer in question. Either way, the finding suggests that the retailer is not outside the norm in the area. This is a crucial and important discovery, and it is only uncovered by use of the violator benchmark. </p><p>To make sure that a store is not profiling along with other stores in the area, retailers should consider conducting an audit study of the store in question. In an audit study, testers—similar to mystery shoppers—visit stores and determine, through the use of directed shopping episodes, the nature and extent of potential profiling. Experimental studies such as these are the gold standard for investigating discrimination.  </p><p>The audit study approach has benefits for both retailers and prosecutors. Commissioning a study by an independent entity allows retailers to determine the extent of profiling, if it is occurring, and this can lead to proactive measures that will address the problem commensurate with its magnitude. The results can also prove useful to retailers in litigation; if the study finds no evidence of systematic profiling, retailers have concrete scientific evidence to use in court.   </p><p>--</p><p><em><strong>Shaun L. Gabbidon </strong>is distinguished professor of criminal justice at Penn State Harrisburg. He previously worked as a security executive for a Fortune 500 retailer. <strong>Ojmarrh Mitchell </strong>is associate professor in the department of criminology at the University of South Florida.</em></p>