
Security Management

How to Build a Better Security Space
<p>Like many campus law enforcement agencies, the University of North Carolina at Greensboro (UNCG) Police Department spent years relegated to locations that were not conducive to providing quality service.</p><p>The department was housed in four separate locations that were formerly a bank, a dentist’s office, a cannery, and a warehouse that had served as a hardware distribution facility. For the 36 sworn police officers and 28 nonsworn staff, being spread across multiple locations made daily communications and operations burdensome.</p><p>The need for a new, unified facility had been apparent for years, but it always seemed to be “next on the list.” A convergence of events, however, moved the need to the top of the list in 2011 as the university began an expansion into an area previously thought to be inaccessible because it was on the other side of a large rail corridor to the south of campus.</p><p>The expansion included a pedestrian underpass connecting the two sides of campus and a student recreation center that would require the demolition of the old cannery building, one of the department’s four sites.</p><p>University administration believed that a new police facility on the south side of campus, next to the new underpass, would be a visual assurance of safety. Additionally, the old dentist’s office had originally been purchased as a transition space for departments whose facilities were under renovation. Having the police department in that transitional space was adversely affecting other campus projects.</p><p>Finally, the need became most apparent when conducting critical incident response exercises. No space on campus satisfied the needs of the university during times of crisis.
Several exercises, including active shooter, tornado strike, and hazardous material spills, resulted in the same after-action item: the university needed a space designed for critical incident response.</p><p>Selecting an architect was the most critical part of the new facility planning. During the interview process for designers, the university looked to a firm with experience in designing public safety facilities. </p><p>The university spoke with a variety of clients about ADW Architects of Charlotte, North Carolina, including state construction officials. What impressed the university most was the reputation the firm had for spending time with the employees who would work in the new facility, and mapping out their daily operations. </p><p>While other firms interviewed provided presentations, only ADW spoke from experience about needs assessments of public safety agencies.​</p><h4>Programming</h4><p>The first step in the design process was programming—the process of determining space needs for each individual function in the organization and how to use that space most effectively. The process helped determine how much space the UNCG Police Department needed to conduct its business most effectively. </p><p>To begin programming, a design team was created. Representatives from the police department, the designer, purchasing, the agency construction and design staff, and a university technology team served as the core decision makers in the design process.</p><p>Members of the design team spent many hours with various members of the department. They followed officers on assignments and observed the arrest process. They sat with communications personnel to note how dispatchers interacted with the public, the officers, and each other. They shadowed detectives as they interviewed suspects and conducted case follow-up. 
And they tracked evidence through collection, initial storage, processing, and final storage.</p><p>The programming process provided the first opportunity for input by the department on design. A detailed report on each room included the square footage, number of outlets, necessary data and phone ports, lighting, and probable furnishings. </p><p>It was critical at this stage to involve those employees who would be occupying or controlling specific areas because decisions made early on would influence actions during construction. </p><p>For instance, the type and placement of furniture in a conference room might determine the location of floor boxes for electric and data outlets. An office would need a carpet, while a canine kennel would need a nonslip, epoxy floor. Based on input, the individual programming reports were adjusted to reflect final room and space configurations.</p><p>Another important part of programming included visiting recently constructed facilities that served a similar function. One of the main advantages of this process was to discover what the agency would have done differently. An evaluation of the positive aspects of their design is important, but the list of “I wish we had…” items helps designers avoid mistakes.</p><p>Additionally, visiting recently constructed facilities allowed for an evaluation of the most current technology. During a visit to the police department in Apex, North Carolina, the design team observed an interview room recording system activated by the use of a key. The team had already discussed the concept of using card access throughout the new UNCG Police facility. Discussions with the Apex department’s vendor revealed that they were introducing a card-activated system that could integrate UNCG’s card access technology.</p><p>The result of the programming process was a list of spaces that were needed to perform daily operations along with the space needed for each one. 
The initial estimate of the building needs was 31,000 square feet, but university construction officials stepped in and required that 4,000 square feet be eliminated to match the budget. This reduced the final area of the facility to 27,000 square feet.​</p><h4>Design</h4><p>After programming was complete, the architects turned individual room reports into a building concept. For architects, the process is more “art meets engineering,” but to everyone else, there is a sense of mystery as to how all the pieces are put together to create an aesthetically pleasing design. </p><p>A significant part of the process was the input of the governing body and the senior management of the university. Designers at this stage must navigate an often politically charged environment while maintaining the original overall concept.</p><p>For example, designers did not want to have “UNCG Police” on the façade of the building because that did not conform with university specifications. The Board of Trustees for the university, however, wanted the nature of the building clearly visible to the public. The end result was backlit lettering with “UNCG Police” on both the east and west rooflines. </p><p>It was at this point in the process that interior design and furniture selection took place. Most architects have experienced interior-design professionals on the payroll, and they should be consulted because this can be—by far—the most confusing and mentally taxing part of the process. The combinations of colors and finishes were almost infinite. </p><p>The design team asked the interior designer to select two to four schemes and present them. This took the form of design boards that had small samples of paint colors, tiles, carpet, and counter tops. The department then selected the most desirable interior and made modifications based on that design.​</p><h4>Construction</h4><p>The next step was to begin the bidding process—required under North Carolina law—and select a construction company. 
To allow maximum flexibility in budgeting, the bid asked for pricing on several “add-alternate” items. These add-alternate items were above minimum bid, but were preferred by the designers. Some examples included polished block walls instead of plain block walls or poured terrazzo flooring instead of tile. UNCG was fortunate that all add-alternate items were included in the final bid and covered by the original budget.</p><p>In construction, the phrase “timing is everything” is true. Ground was broken on the construction site in December with a plan to schedule most of the concrete and masonry work during the summer months. </p><p>But the first scoop of earth from the backhoe brought bad news; the initial site testing missed significant soil contamination. Research uncovered that the site had once been a petroleum distillery. The resulting delay put masonry and concrete work in the cold winter months, and cleanup cost $600,000 in soil removal and remediation. </p><p>This one oversight led to a one-year delay in construction. An important lesson learned was to insist on the most detailed soil testing available before beginning construction.</p><p>Once construction begins, the most important advice to any chief or department head is to be there, on site, every day. If you are not there, decisions will be made without your input that may have repercussions in daily operations.</p><p>When you are on site, pay attention to every detail. Once a concrete floor is poured, it is difficult to go back and install a floor box with electricity. Blueprints are created with best practices in engineering, but there are times when those designs are not practical for operations. Observation during construction is the best way to catch those inconsistencies between form and function, such as when wiring conduit and air ductwork needed to occupy the same space. </p><p>After construction begins, changes can be made to the design, but there will be a cost. 
Construction companies charge a premium for change orders. Construction budgets contain contingency funds for changes, but those funds are limited. A cost-benefit analysis must take place when considering change orders.</p><h4>Transition</h4><p>Making the transition from previous facilities to the new one required a great deal of coordination. Moving a modern public safety agency required considerations for emergency phone lines, alarm monitoring, radio communications, and a host of other critical infrastructure items. The UNCG Police Department created operational plans, much like those drafted for a large-scale event, to structure and schedule the move.</p><p>Even with advanced planning, critical errors can have a profound effect. A scheduling error in the phone company’s computer system caused the department’s phones to go off-line for nearly 16 hours. Emergency text and e-mail messages to the community notified members to call 911 for emergencies. The county 911 center then notified the department of a call over radio or via cell phone.</p><p>To help avoid these problems, a transition team is critical. Key areas, such as field operations, communications, and IT, should all have assigned roles. </p><p>One role that might be overlooked is that of delivery manager. The department was fortunate to have all new furniture purchased for the building. That meant multiple companies making multiple deliveries, each needing set times for installation. </p><p>In addition, the North Carolina State Construction office had strict guidelines for the receipt and inspection of furniture at the university. Every item had to be inspected as it was unpacked and installed to avoid accusations that damages occurred after installation. A secondary check occurred to document damage that occurred during installation. </p><p>The transition plan should also prioritize the scheduling of who moves and when.
In the UNCG transition, communications personnel moved first, then field operations, and finally, administration and support functions. </p><p>Considerations should be given to the times when equipment becomes operational. For instance, the timing of the switch-over of fire alarm monitoring dictated that communications be the first in line for transition.</p><p>The final transition step was to begin tracking correction items. Defects in construction or flaws in design began to reveal themselves as people began to occupy the space. </p><p>UNCG used a Google spreadsheet that was shared with the designer and builder to do this. Each entry tracked the location, a brief description of the issue, the party responsible for remediation, the date reported, current status, and the date of completion.</p><h4>Celebration</h4><p>Once the construction and transition were complete, it was important to mark the occasion. When the building was open for business in 2015, it was a milestone for the agency, its personnel, and the people they serve. It was also an opportunity to thank those involved and challenge the employees to demonstrate that the time, money, and effort spent on the building be repaid with excellent service.</p><p>It is rare to have the opportunity to design and construct a new facility from the ground up. Careful planning and attention to detail will make the process rewarding, and those rewards will be appreciated for many years to come.  </p><p>--<br></p><p><em><strong>James C. Herring, Jr.,</strong> is the chief of police and director of public safety and emergency management at Murray State University in Murray, Kentucky. He retired as chief of police for the University of North Carolina at Greensboro (UNCG).
He has a master of public affairs from UNCG and is a member of the faculty in the College of Security and Criminal Justice at the University of Phoenix.</em></p>
The Two-Way Manager
<p>A common problem plagues many organizations—the rift pitting employers against employees. This perspective of us versus them is not new; it has been around since the beginning of business. But in the current age of rising income inequality and corporate mergers and acquisitions, the dynamic remains in many firms, even if the situational details have changed.  </p><p>This problem is relevant to security organizations of all types—whether they be private sector companies, public agencies, in-house departments, or contract security firms. That’s because the disruptive conflicts resulting from the employer versus employee cleft can easily distract from the critical mission of offering quality security services.</p><p>Sometimes, the rift is worsened by the prevalent forces shaping today’s workplace. These forces include growing diversity and the values revolution that accompanies it; exponentially exploding information, to the degree that everyone seems to be an expert on everything; and the rapid pace of change, which taxes even the most adaptable, forward-looking managers.  </p><p>The challenge for security managers, then, is how to move away from the unproductive paradigm of employers versus employees to a more mission-supportive dynamic of unified team versus obstacles to the security mission.
</p><p>Smart security managers who are acutely sensitive to this challenge understand how they can help close this rift: by shifting from the traditional one-way management system—in which managers give directives to employees under a command-and-control model—to a two-way management, communication, and decision-making approach.</p><p>The heart and soul of two-way management is that it recognizes the importance of listening to, learning about, and assimilating competing values and ideas from all members of the organization. When management consistently demonstrates that the views and perspectives of employees are valued and sought after, staffers feel enfranchised and empowered, rather than disengaged and alienated. </p><p>Two-way management allows the organization to make best use of some of its most valuable resources—the ideas, opinions, and skill sets of its employees. It also leads to a greater professional understanding of employees’ capabilities and concerns, which goes a long way toward retaining talent. With resources used wisely and talent engaged, the two-way organization can go from merely surviving to thriving. </p><p>The following are case studies showing how security leaders have successfully used two-way management methods to resolve workplace conflicts. These true-to-life examples of security professionals we’ll call Jones, Smith, Hamilton, and Roberts can serve as a roadmap and best practice guide for those security managers who are interested in exploring two-way management practices.​</p><h4>Soliciting Staff Perspective</h4><p>Under the traditional management model, the leaders of an organization determined its core values, and then it was up to the employees to support or not support those values. </p><p>Similarly, leaders determined the “what” of work, while the employees determined the “how” of work. The growth of diversity in the workplace has prompted a values revolution—values are no longer imposed on employees from above. 
</p><p>Security Manager Jones, who works in a government agency, is a two-way manager who understands how this dissemination of values has changed. She understands the importance of listening to all members of her organization, learning about their competing values, and accepting ideas from employees on all levels.  </p><p>One important project Jones initiated was to form a team to find out the most important success factors in meeting her agency’s operational and financial goals. Under Jones’s leadership, the team took an active listening approach, and solicited information and perspective from all corners of the agency. </p><p>Employees were glad to provide such information and perspective, and it facilitated their sense of progress and accomplishment in contributing to the agency’s operational and financial success. This included the security officers in Jones’s division, who were successfully doing their jobs. </p><p>Equally important, the two-way communication allowed Jones to discover how employees wanted to be rewarded for their contributions in different ways. Some wanted salary increases or bonuses; others valued things like more time off, greater flextime, and wellness benefit reimbursements. Some desired more personal involvement in arranging their schedules, duties, and performance reviews. A few simply wanted sincere private recognition. </p><p>This last discovery highlights one of the key advantages of two-way management. Instead of imposing a one-size-fits-all system onto employees from above, the perspective solicited from individual employees allows managers to tailor rewards to staff members in meaningful ways. Such a practice pays great dividends for organizations interested in keeping employees engaged, and in retaining talent, management experts say.</p><p>And so it went in the case of Jones.
Not only did the information gained in the process help Jones improve the sustainability of successful operations processes, but it also turned out to be instrumental in a spinoff effort to reorganize and improve the hiring process, reducing costly turnover through better retention efforts.​</p><h4>Improving Feedback</h4><p>As the previous example illustrates, soliciting feedback is a crucial component to successful two-way management. Jones realized this, and it led her to undertake another, somewhat related, project: improving the methods by which her organization received and processed feedback.</p><p>Jones’s effort involved a program her organization had in place in which stakeholders provided feedback on security performance report cards. When the report cards were returned, Jones had employees review the completed cards and recommend potential action by management.</p><p>This new practice had several benefits. It further opened the door for obtaining and using honest feedback from team members so that a wide range of work processes could be improved. It also allowed Jones to find out about, and then mitigate, any concerns employees had that could potentially pollute the employee-employer relationship.</p><p>With the door to more honest feedback now open, Jones pressed on with creative solutions, and another exercise in two-way communication. She organized a team of supervisors and tasked them with gathering an accurate assessment of the quality of the organization’s workplace culture, which would take into account both employees’ perceptions and management’s intentions. </p><p>The feedback solicited in the culture assessment revealed an incongruence—management’s intentions and actions to sustain a strong workplace culture were not succeeding based on employee perceptions of the culture, which were often negative.  
The team of supervisors then served as a neutral party in delivering this “bad news” assessment to agency leadership.</p><p>Once delivered and processed, the assessment led to positive changes. Management took various actions to improve the quality of the organization’s culture. </p><p>For example, one important solution was to reinvent the organization’s training initiative, so that it functioned as an open-ended, interactive, online platform through the website. In addition, the job application form was streamlined so that it was more user-friendly. </p><p>Finally, certain worksites were criticized as being unsafe, so a system was started that would ensure monthly safety inspections completed by security personnel, with inspection results turned over to the safety committee so identified hazards could be mitigated.</p><p>In light of the disconnect between management’s intentions and employee perceptions, these actions included an effort to sustain better two-way communication and be more responsive to employee issues.</p><h4>Closing the Gap</h4><p>Traditionally, there has been a knowledge and performance gap between highly skilled, experienced security managers and their much less experienced employees. </p><p>However, the staggering amount of information that is now available to anyone with Internet access is in some cases quickly closing the information gap, and sometimes the performance gap as well. This may present credibility issues for security managers. </p><p>And so, savvy two-way security managers like Smith, an operations manager for a large contract security firm in the Midwest, do not ponder how wide this gap might be. Instead, they roll up their sleeves, jump in, and get their hands dirty to find out from first-hand experience.</p><p>While working in the trenches with their staff, they learn about employee capabilities and knowledge levels by asking questions, actively listening, and observing—in short, by maintaining two-way communication.
</p><p>In Smith’s case, one of the key conclusions he learned from this approach is that sometimes performance baselines, and compliance with the firm’s day-to-day work rules, can turn out to be much lower or higher than expected. </p><p>Résumés and interviews during the hiring process may not accurately reflect working knowledge or actual skill levels. A prize hire may have some working knowledge deficiencies; conversely, an employee may have a certain skill that managers are unaware of. When this happens, seasoned two-way managers, like Smith, are able to accept the fact that all they thought they knew about an employee may not necessarily be so. </p><p>Smith’s active approach also taught him another lesson: not all gaps can be closed, and some may not even need closing, given the particular position and staff member. As a result, Smith learned that it is crucial to identify which particular gaps will have the highest return on investment if they are closed. </p><p>For example, in one particular case Smith worked with an employee who broke one of the firm’s conduct rules involving the documentation of real-time area patrols, and who had problems in providing detailed answers to basic questions when writing up security reports. </p><p>Smith ascertained that the conduct violation represented a temporary gap in office behavior—it was not part of a pattern—so he decided against disciplining the employee for misconduct. However, Smith did decide to send the employee for remedial training in report writing, which later paid off in improved performance in an important component of the employee’s job.  ​</p><h4>The First Deadly Sin</h4><p>Sometimes, being a two-way manager does not come easy for seasoned leaders. Take the case of Hamilton, a veteran security executive with 40 years of experience who has worked in both contract and in-house security. 
</p><p>Hamilton was a traditional, one-way security manager who was reluctant to concede that some of his hard-earned knowledge and experience was in danger of becoming obsolete. </p><p>He was not completely cut off from contemporary ideas on managing; he had read Marshall Goldsmith’s seminal management work What Got You Here Won’t Get You There, as well as other books that advocated for continual professional self-improvement. </p><p>Still, he took much professional pride in his previous success with traditional command-and-control management practices. As a result, he was emotionally invested in the old system and highly conflicted about change.  </p><p>But Hamilton’s traditional view became more and more dissonant with his growing awareness that each of his younger employees possessed a base of knowledge and a skill set that were impressively deep. </p><p>He also realized that these employees wanted their professional attributes to be respected and valued. In that way, they reminded Hamilton of himself; he remembered being in their shoes early on in his career. This empathetic identification led to an epiphany, and he decided to explore two-way management practices. </p><p>He then began to investigate how to work with employees to reshape his traditional one-way management process into a true two-way practice that incorporated the perspectives and ideas of all employees, ultimately leading to better results.</p><p>The most effective changes he made involved what he called “P” Points. The name came from the engineering term perturbation point, which Hamilton translated into small, well-placed, and well-timed interventions that yielded significant results. </p><p>Here are some of Hamilton’s small actions: At weekly meetings, he moved from the head of the table to a seat at the side, like any other team member. 
He also changed the meetings from Monday to Tuesday, which was easier on employees because it allowed them to recover from the weekend’s work problems.</p><p>Before setting the agenda on weekly project goals and evaluations, he asked for input from the team. It then became the team’s agenda, not just his.</p><p>Although it was difficult at first, he stopped doing most of the talking in meetings and listened more. He also made an effort to ask good questions, rather than assuming he knew the answer.</p><p>He worked to control his impatience when he did not get quick problem descriptions and solutions from staff. He listened patiently to the detailed perspectives that sometimes accompanied them.</p><p>Finally, he realized that he was expecting excellent work from his employees as the norm, so he wasn’t acknowledging or thanking them for their excellent contributions. He implemented a program to recognize exemplary performance.  ​</p><h4>The 360-System</h4><p>Unlike Hamilton, security manager Roberts was a longtime believer in two-way management. She led a Fortune 100 company’s security program into a two-way reorganization which has now been adopted by the rest of the company. </p><p>The first thing Roberts decided to do was to assess the degree of confidence the security officers had in the organization’s integrity and trustworthiness and the necessary transparency they thought they enjoyed to prove these things. She used a 360-degree feedback system, involving all the department’s stakeholders, to do this. </p><p>She found out that the status quo was far from ideal. So Roberts then established a project team to conduct a survey, recommend ways to improve trust and integrity, and then implement the most cost-effective solutions from their recommendations.</p><p>The survey results showed that the organization had a defensive climate, not an open culture, which caused all sides to revert to one-way communication, which only aggravated the us-versus-them rift. 
</p><p>From here, the challenge Roberts had was to create a nondefensive climate with open, two-way communication from all directions, including herself. This required her to listen to what her team members had to say about their conversations with employees. </p><p>This process of relaying relevant points from the field was a positive one; it helped relieve the intimidation factor of “meeting with the boss,” and discussions brought more depth to the information. Roberts and the team then hashed out the aspects of the organization that most needed to be changed. </p><p>These changes included some common sense basic behavioral guidelines, such as treating all workers equally, fairly, and respectfully; allowing everyone a reasonable degree of freedom to have a say in organizational matters; and having more sensitivity to competing values and perspectives among employees. </p><p>Also on the list was better “two-eared” listening to what is being said and how it is said; greater attention to nonverbal communication, more frequent helpful feedback; more help in dealing with complex problems; and less blaming and fault-finding.  </p><p>To establish this kind of nondefensive communication, some advance work needed to be done. Thus, Roberts made a focused effort to rebuild rapport, which required her to get to know all of her employees better so that she could deal with them more positively and productively. </p><p>To build more honesty and integrity in her department, Roberts followed an important principle: be honest with yourself, own at least part of the responsibility for the way the organization is, and then look to change it from the inside out. </p><p>This introspection was not easy; often, managers do not like to accept responsibility for the uncomfortable places in which they find their organizations. But it led to valuable changes for Roberts. 
She learned how to better control her own bad habits, such as expecting certain outcomes; how to be more mentally flexible in seeing how something that doesn’t seem to fit can fit; and how to take action without being completely certain of the results. ​</p><h4>Managers: An Endangered Species?</h4><p>Of course, most security managers know from experience that even the best management strategies are not a cure-all for dealing with all employer-employee conflicts. Two-way management is not exempt from this caveat. </p><p>For example, two-way management will not work in cases where employers or employees are unwilling or unable to engage in true two-way communication. Unmanageable obstacles may involve a lack of communication practices, poor listening skills, immutable resistance to change in general, or hidden or competing agendas and values. </p><p>Thus, a few failed applications of two-way management may be an inevitable side effect of using this method of managing. But these speedbumps do not negate its overall usefulness. Moreover, for some, two-way management may also ultimately serve as the best transition to what may be on the horizon: the end of management as we know it.</p><p>The practice of two-way management is in line with the evolution of management away from hierarchy and toward teams of equals. For example, in Smith’s two-way management of a medium-sized private security company in California, several employees worked as equals to improve an obsolete access control system. Each team member visited a frequent user of the access system; members then compiled the information and used it to inform improvements to the system.   </p><p>Overall, two-way management maximizes a security manager’s chances of keeping up with change, as managing itself is progressively redefined. 
Two-way management is an effective way for a security manager to organize his or her tool box—to deal with the existing conflicts inherent in the employer-employee rift, and with the risk of failure that can come from a lack of focus on the security mission.</p><p>--</p><p><strong><em>William Cottringer, PhD</em></strong><em>, Certified Homeland Security (CHS) level III, is executive vice-president for employee relations for Puget Sound Security Patrol, Inc., in Bellevue, Washington, and adjunct professor at Northwest University. He is author of several business and self-development books, including </em>You Can Have Your Cheese & Eat It Too, The Bow-Wow Secrets, Do What Matters Most, ‘P’ Point Management, Reality Repair RX,<em> and</em> If Pictures Could Talk,<em> coming soon.</em></p>
Spoofing the CEO
<p>It’s a normal Monday and you’re at your desk in the accounting department, checking your email as you drink your morning coffee, when you see a message from your chief financial officer (CFO) in your inbox.</p><p>Without a thought, you open it and read that she needs a wire transfer to pay an invoice immediately. So, naturally, when your CFO asks you to do something, you do it and initiate the transfer. </p><p>But instead of paying the invoice, the funds go to the account of a cybercriminal who has compromised your corporate email system in a business email compromise (BEC) scam. While the cybercriminal makes off with the money, you’re left wondering whether you can trust emails from your C-suite.</p><p>And you’re not the only one. BEC scams have affected more than 2,126 victims globally and cost nearly $21.5 million, according to an FBI public service announcement (PSA) issued in January 2015. 
</p><p>“The BEC is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments,” the announcement explained. “Formerly known as the Man-in-the-Email Scam, the BEC was renamed to focus on the ‘business angle’ of this scam and to avoid confusion with another unrelated scam.”</p><p>The wire transfer payments in these scams are typically sent to foreign banks, the PSA added, and can be transferred several times before being quickly dispersed. “Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.”</p><p>This type of scam is becoming a major problem because email users sent and received more than 205 billion emails in 2015. Business email users send and receive approximately 122 emails per person per day, according to technology market research firm The Radicati Group, Inc.</p><p>“In most every organization, email is as central to work as the Internet is,” says Gary Miller, director of information security for business process outsourcing firm TaskUs. “It’s the core collaboration and documentation tool, so you have to be able to give your employees assurance that it’s a secure system.”</p><p>BEC first came onto the scene in 2013. It typically involves fraudsters who impersonate high-level executives, sending phishing emails from what appears to be a legitimate address, and requesting wire transfers to alternate, fraudulent accounts. </p><p>“BEC scams often begin with an attacker compromising a business executive’s email account or any publicly listed email,” according to a news alert by cybersecurity firm Trend Micro. 
“This is usually done using keylogger malware or phishing methods, where attackers create a domain that’s similar to the company they’re targeting or a spoofed email that tricks the target into providing account details.”</p><p>Fraudsters will then monitor the compromised email account to determine who initiates and requests wire transfers at a company. </p><p>“The perpetrators often perform a fair amount of research, looking for a company that has had a change in leadership in the C-suite of the finance function, or companies where executives are traveling, or by leading an investor conference call and using this as an opportunity to execute the scheme,” Trend Micro explains.</p><p>Fraudsters then usually pursue one of three options in a BEC scam. The first is known as “The Bogus Invoice Scheme,” “The Supplier Swindle,” or the “Invoice Modification Scheme.” This version of BEC usually involves a business that has an established relationship with a supplier, Trend Micro says. The fraudster asks for funds to be wired to him for invoice payment to a fraudulent account via spoofed email.</p><p>The second version is similar and is known as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” or “Financial Industry Wire Frauds.” A fraudster identifies himself as a high-level executive, lawyer, or a legal representative and then initiates a wire transfer to an account he controls. </p><p>“In some cases, the fraudulent request for wire transfer is sent directly to the financial institution with instructions to urgently send funds to a bank,” Trend Micro adds. </p><p>In the third version, fraudsters hack an employee’s email account and use it to request invoice payments to fraudster-controlled bank accounts. “Messages are sent to multiple vendors identified from the employee’s contact list,” Trend Micro explains. 
“The business may not become aware of the scheme until their vendors follow up to check for the status of the invoice payment.”</p><p>While 2,126 victims were hit with the scam between 2013 and 2015, the FBI says it’s still largely unknown how victims are selected. However, the Internet Crime Complaint Center (IC3), a partnership between the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, has noted some common characteristics of BEC complaints.</p><p>For instance, businesses and personnel using open source email are most targeted, and individuals responsible for handling wire transfers within a specific business are targeted. BEC scam emails also tend to mimic a legitimate email request, are well-worded, are specific to the business being victimized, and do not raise suspicions as to the legitimacy of the request.</p><p>“The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt,” the IC3 said.</p><p>The IC3 has a number of recommendations on how companies can protect themselves from BEC, including exercising caution when posting certain information to social media and company websites, such as job duties and descriptions, organizational charts, and out-of-office details.</p><p>It also suggests being suspicious of requests for secrecy or pressure to take action quickly, like those seen in BEC scams, and to consider additional IT and financial security procedures, such as two-step verification processes.</p><p>In addition to following these recommendations, companies can purchase products that will help make their email more secure. 
This is the approach that TaskUs took after Miller joined the company in October 2015 and realized that the company was receiving roughly 25 targeted phishing emails per week, like those seen with BEC.</p><p>“At TaskUs, we were seeing a lot of phishing emails, many of them with our email addresses, so it looked like it was coming from one of our internal vendors,” Miller tells Security Management. “We were getting sent phish requests to pay invoices that appeared to come from our CEO.”</p><p>This was a major concern because TaskUs is a business process outsourcing provider that works with larger tech companies, relying on email communications from their C-suites and customer support leadership.</p><p>So the company began looking for a technology that would allow it to implement better identity within email, without losing emails that were critical to its business function. What it found was ValiMail, which provides email authentication services using Domain-based Message Authentication, Reporting and Conformance (DMARC).</p><p>DMARC is a technical specification adopted by major email providers, like Gmail, Microsoft, and Yahoo!, that “effectively stops unauthorized email uses of a domain, thwarting the majority of email domain attacks,” according to a white paper by ValiMail. </p><p>To provide email authentication as a service, ValiMail works with clients to set up DMARC for their systems and keep it up to date for clients and clients’ partners and vendors who may send email on their behalf. This ability to include vendors was critical for TaskUs, because it has partners that send email on its behalf to its own clients. </p><p>After learning about ValiMail in December 2015, TaskUs purchased its email-as-a-service product and began working with ValiMail to implement it. 
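</p><p>DMARC as described above, as an added example that is not part of the original article and not ValiMail's code: how a receiving mail server applies the policy a domain publishes to mail that fails authentication. The domains, DNS records and messages are constructed; the code assumes the organizational domain is the last two labels of a name, and the phase names monitor, quarantine and block are labels chosen here for the DMARC policies none, quarantine and reject.</p>

```python
# Added example (not from the article): receiver-side DMARC evaluation, RFC 7489.
# Every domain, DNS record and message below is constructed for illustration.

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= must carry a known policy.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in POLICIES or tags.get("sp", "none") not in POLICIES:
        raise ValueError("missing or invalid policy")
    return tags


def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Production receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def find_policy(from_domain, dns):
    """Query _dmarc.<From domain>, then fall back to the organizational domain."""
    for name in (from_domain, org_domain(from_domain)):
        txt = dns.get("_dmarc." + name)
        if txt:
            return name, parse_dmarc(txt)
    return None, None


def evaluate(msg, dns):
    """Return (dmarc_result, disposition) for one received message."""
    from_domain = msg["from"].rsplit("@", 1)[1].lower()
    policy_domain, tags = find_policy(from_domain, dns)
    if tags is None:
        return "none", "deliver"  # the From domain publishes no DMARC policy
    # SPF or DKIM only counts when the authenticated domain aligns with From.
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from_domain"], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, result in msg["dkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # A subdomain covered by the parent's record uses sp= when it is present.
    policy = tags["p"]
    if from_domain != policy_domain and "sp" in tags:
        policy = tags["sp"]
    disposition = "deliver" if policy == "none" else policy
    return "fail", disposition


RUA = "; rua=mailto:dmarc-reports@example.com"
PHASES = {  # labels chosen here for the three DMARC policies
    "monitor": "v=DMARC1; p=none" + RUA,
    "quarantine": "v=DMARC1; p=quarantine" + RUA,
    "block": "v=DMARC1; p=reject" + RUA,
}

MESSAGES = {
    # From spoofs the protected domain; SPF passes only for the sender's own domain.
    "spoofed_ceo": {"from": "ceo@example.com", "spf": "pass",
                    "mail_from_domain": "bulk.sender.test", "dkim": []},
    # Vendor sends on the domain's behalf and signs with an aligned DKIM key.
    "vendor": {"from": "billing@example.com", "spf": "pass",
               "mail_from_domain": "bounce.vendor.test",
               "dkim": [("example.com", "pass")]},
    # Similar-looking domain: outside example.com's policy altogether.
    "lookalike": {"from": "ceo@examp1e.test", "spf": "pass",
                  "mail_from_domain": "examp1e.test", "dkim": []},
}


def rollout_table():
    """Disposition of each sample message under each rollout phase."""
    table = {}
    for phase, record in PHASES.items():
        dns = {"_dmarc.example.com": record}
        table[phase] = {n: evaluate(m, dns) for n, m in MESSAGES.items()}
    return table


if __name__ == "__main__":
    for phase, rows in rollout_table().items():
        for name, (result, action) in rows.items():
            print("%-10s %-12s dmarc=%-4s -> %s" % (phase, name, result, action))
```

<p>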
</p><p>TaskUs took two months to fully implement ValiMail because it wanted to begin by running the service and monitoring its effect on email, to see whether it was blocking phishing emails or preventing legitimate emails from getting through.</p><p>Once it was clear that ValiMail was working, Miller says TaskUs then moved to have detected phishing and unauthorized emails sent to the quarantine (spam) portion of email users’ inboxes. </p><p>“We had a few curious employees go into their spam boxes and say, ‘Hey, I got a message. It looks legit.’ And I’d have to say, ‘No, that was put into quarantine,’” Miller explains. “So we knew that we had to go into block mode.”</p><p>Now, with ValiMail operating in block mode, no unauthorized phishing emails have made it through the system as spoofs of legitimate TaskUs emails.</p><p>“They still come through, they’re just not spoofs anymore so they don’t look like they’re coming from a legitimate party,” Miller says. “Now it’s easier for our users to detect phish. So on top of training, on top of awareness exercises, we’ve also taken away some of the more complex attacks from the attackers and are protecting our users in that way now.”</p><p>By ensuring that only authentic emails from TaskUs and its vendors are coming through, ValiMail is also helping TaskUs protect its brand image, Miller explains. “To misrepresent the email coming from your C-level is something that should never be considered acceptable risk within any company.”</p>
Next Tase Phase
<p>Tasers may pose some health risks, depending on how they are used, and on whom. 
But in many cases, they can be used as an effective enforcement tool that may ultimately reduce the number of violent assaults, and sometimes even save lives.</p><p>Both of these assertions are supported by recent studies, and together they form what may be the consensus view of Tasers—a useful tool with some risk attached. And the view naturally suggests a follow-up question: Given the usefulness and the risks, when are Tasers best used? </p><p>A new landmark study, released by the state of Connecticut, begins to explore that question through an extensive examination of how Tasers were used over the course of one full year. </p><p>The study, Electronic Defense Weapon Analysis and Findings 2015, was issued a few months ago by the Central Connecticut State University's Institute for Municipal and Regional Policy. Connecticut was the first state to require law enforcement to document Taser use, and the report represents the first statewide study on how police use them. </p><p>According to the new report, police in Connecticut used Tasers 650 times last year. In an interview with Security Management, Ken Barone, project manager and coauthor of the report, says "two big interesting findings" stood out to him after the study was completed. </p><p>One was that one-third (33 percent) of the persons involved in Taser incidents were described in police reports as "emotionally disturbed." </p><p>The second finding that Barone flagged was that nearly half (49 percent) of those involved in Taser incidents were identified as either possibly intoxicated, or clearly under the influence of alcohol or drugs.</p><p>These findings touch on the potential health issues of Tasers, which are electroshock weapons manufactured and sold by the Scottsdale, Arizona–based TASER International, Inc. The electrical probes that shoot out of a Taser deliver a pulsing 50,000-volt shock, which causes skeletal muscle contractions and pain. 
</p><p>TASER International cautions that Taser use may be ineffective against those under the influence of certain drugs. For example, in the last few years there have been various news reports of incidents where Tasers were unsuccessful in incapacitating someone who was high on a drug like PCP and virtually oblivious to pain.</p><p>In addition, medical research cautions that using the weapon on someone experiencing a psychiatric crisis may pose a heightened risk of injury. </p><p>However, the report also notes that "at the same time, circumstances may exist in which a Taser is the most appropriate option for gaining control of people experiencing psychiatric crisis and getting them into treatment."</p><p>For example, tasing a person who is carrying a gun and appears suicidal could ultimately save his or her life, Barone says. (Thirteen percent of Taser incidents in the report involved those described as suicidal.) </p><p>The report also concludes that females were much less likely to be involved in Taser incidents, which involved men 94 percent of the time. Black and Hispanic males were more likely to be tased (as opposed to simply warned) than white males. About 30 percent of those who were tased received more than one shock.  </p><p>Given their findings, the report's authors are calling for further research to aid in the development of evidence-based Taser use policy. </p><p>In particular, the authors are calling for studies aimed at answering the following questions: In which circumstances might Tasers pose health risks for those experiencing an apparent psychiatric crisis? In which circumstances might Taser use be a safe option for the officer, the person in crisis, and other people involved? </p><p>"We're trying to understand—for people in psychiatric crisis, is this the best tool to be using?" Barone says. 
</p><p>Report authors are also calling for a review of the existing model Taser use policy that was developed by the state's Police Officer Standards and Training Council. The council's current policy is in many ways less precise than both the Taser use guidelines released by the U.S. Department of Justice a few years ago and the use recommendations that TASER International has made.</p><p>Barone also acknowledges that developing specific Taser policy is tricky; it is likely not possible to have a series of hard-and-fast rules that can be followed in every situation. </p><p>"It can't always be black and white. Each incident is unique and complex," he says.</p><p>However, there does seem to be room in the middle that is more specific than current model policy, but not overly simplistic. The Institute for Municipal and Regional Policy plans on conducting a multi-year study that can track how Taser use in Connecticut is changing year over year, which could be a helpful tool in future policy development efforts, Barone says. </p>
A Refuge from Terror?
<p>“In the old ways of thinking, the plight of the powerless, the plight of refugees, the plight of the marginalized did not matter. They were on the periphery of the world’s concerns. Today, our concern for them is driven not just by conscience, but should also be driven by self-interest. For helping people who have been pushed to the margins of our world is not mere charity, it is a matter of collective security.”</p><p>U.S. President Barack Obama’s statement at last year’s United Nations General Assembly defined the refugee crisis, emphasizing the moral obligation of Western countries to take in migrants while at the same time touching on the potential security issues the situation could cause. </p><p>Much has changed in the year since Obama made that remark. 
In 2015 alone, more than 1 million displaced persons traveled across Africa, Asia, or the Middle East to seek asylum in Europe—more than six times the number in 2014. And although European countries have attempted to keep their borders open while screening refugees for ties to extremist groups, there has been rising concern that terrorists are slipping in along with migrants from the Middle East.</p><p>Two of the men suspected of carrying out last November’s stadium and concert hall attacks in Paris entered the country as refugees, and at least two attacks in Germany this summer were tied to men with refugee papers. Due in part to the increasing number of high-profile attacks throughout Europe over the past year, many European citizens believe refugees are a major threat to their country and increase the likelihood of terrorist attacks, according to a Pew Research Center report. </p><p>This increased concern over the national security threats refugees might pose has manifested itself in calls for increased scrutiny of asylum seekers. Countries such as Hungary are proposing legislation or holding referendums that seek to stymie the flow of refugees into their borders, and citizens’ concerns about the migrant crisis were one of the leading factors in the Brexit vote that led to the United Kingdom’s decision to leave the European Union (EU). In Germany, which has one of the most open borders in Europe, politicians and citizens alike are deeply divided about whether allowing unlimited numbers of migrants in is wise. But despite vocal pushback against the open-border policy, organizations such as Human Rights Watch say the European Union isn’t doing enough to help migrants.</p><p>In Human Rights Watch’s World Report 2016, the organization acknowledged that extremist groups, such as ISIS, could take advantage of the mass movement of migrants to Europe. 
However, that’s not reason enough to enact more stringent security measures that could slow down the asylum process or turn away innocent migrants, the organization notes. </p><p>“The last decade showed Europe that counterterrorism measures that violate rights play into the hands of those who attack us,” says Benjamin Ward, deputy Europe and Central Asia division director at Human Rights Watch. “It’s vital for EU government responses to today’s threats to heed those hard-learned lessons.”</p><p>EU member states are expected to abide by the Common European Asylum System, which is intended to protect the rights of refugees who seek asylum in member states. However, many member states have not implemented EU standards, causing failures in the asylum system, according to the Open Society Initiative for Europe. Individual member states have taken varied approaches—Germany and France have agreed to take in high numbers of migrants, while Greece, Italy, and Hungary have attempted to block refugee transfers and have increased border controls. </p><p>Making the situation all the more complicated is the Schengen Agreement of 1985, which allows citizens of 26 states to travel across borders without passports. Countries that abide by the agreement—most of mainland Europe—must be careful about how they implement temporary border measures or risk violating the agreement. </p><p>But how much of a national security threat do refugees seeking asylum in Europe pose? Frontex, the EU border agency, released a 72-page risk assessment document in early 2016 detailing what it has seen along Europe’s borders over the past year. The report refers to “irregular migratory flows” as a security weakness—two of the Paris attackers exploited the migration wave to gain entry. </p><p>“The Paris attacks in November 2015 clearly demonstrated that irregular migratory flows could be used by terrorists to enter the EU,” the report states. 
“With no thorough check or penalties in place for those making false declarations, there is a risk that some persons representing a security threat to the EU may be taking advantage of this situation.”</p><p>The report makes the important distinction that the refugees themselves are not entering Europe with malicious intentions, but jihadists may be using the migrant crisis to cross the border with less scrutiny. </p><p>“The staggering number of EU citizens who joined the conflict as jihadists has resulted in a number of returnees opting to use irregular means of traveling,” the report notes. “Islamist extremists will exploit irregular migration flows whenever such movements fit their plans.”</p><p>The large-scale influx of migrants has been a new experience for many member states, the report says, and it has been difficult for border authorities to maintain an efficient, thorough level of control along the borders. Border control agencies have not had time to mobilize the resources required to process the arrival of migrants, including equipment for electronic investigations. </p><p>Most people coming to the border have “simple identity documents,” and fraudulent declarations of nationality are rife. EU regulations require that authorities take the fingerprints of any refugee seeking asylum, but “the reality is that fingerprinting of all persons detected crossing the border illegally is not possible or of poor quality, and in any case, is often not transmitted promptly to the Eurodac central database,” the report states. This lack of reliable biometric data is especially troubling because EU investigators rely on the fingerprints for criminal and terrorist investigations. </p><p>Another point of concern for Frontex is what happens to migrants who are caught illegally entering EU countries or whose asylum applications are refused. 
Although there has been a significant spike in both asylum applications and illegal border crossings, the number of migrants successfully returning to their countries of origin has remained stagnant. This is due, in part, to the ability of migrants to appeal the rejection of their applications for asylum. However, the report notes that the longer an illegal migrant remains in an EU country, the easier it is for them to abscond.</p><p>Another report by the European Union Institute for Security Studies investigates possible links between refugees and terrorists. It finds that while extremist organizations, such as ISIS, are not interested in radicalizing the refugees themselves, they do want to keep the flow of migrants moving into Europe.</p><p>“The fundamental objective of its terrorism in the West is less to disable strategic targets or kill Westerners per se, than to provoke certain political and social reactions,” according to the report, Refugees Versus Terrorists. “One means of achieving this is to stoke fears about Muslim refugees among European citizens.”</p><p>ISIS can achieve the same effect by spreading misinformation about refugees, and it has—while the two men who were involved in the November Paris attacks crossed into Europe through a border overrun with migrants and had refugee papers on them, they were radicalized European citizens. The refugee papers were likely planted on the men to further the rhetoric against refugees within Europe, the report notes.</p><p>And although many of the migrants fit the profile of those most susceptible to carrying out lone wolf attacks—young, male Muslims—the report notes that most refugees are fleeing Iraq and Syria due to the same attacks European citizens fear. 
</p><p>“Some refugees will commit violent and criminal acts in Europe, but for reasons other than terrorism: these are young men, fleeing warzones, with a deep distrust of the state, and encountering new cultural norms for the first time,” the report explains. </p>
Training Protocol
<p>Steve Albrecht, CPP, is a trainer, writer, and speaker on workplace and school violence prevention. His 17 books include Ticking Bombs and Fear and Violence on the Job.</p><p><strong><em>Q: </em></strong><em>What is the best way to ensure that messages about active-shooter plans are received and understood by the entire organization?  </em></p><p><strong>A: </strong>Use training sessions, staff meetings, and all-staff emails to discuss the many advantages and some potential difficulties of the Run. Hide. Fight. approach to an armed attacker or an active shooter in the building. The benefits of evacuating from the facility or barricading inside the safest room possible are twofold: both approaches avoid contact with the attacker and keep employees out of the way of responding law enforcement officers. </p><p><strong><em>Q: </em></strong><em>Are there any visual aids that security managers should consider including in their training programs? </em></p><p><strong>A: </strong>Use the six-minute “Run. Hide. Fight.” video, cocreated by the U.S. Department of Homeland Security and the City of Houston, Texas, as your training centerpiece. Consider skipping the first 90 seconds of the program, which shows a man with a shotgun blasting people in a company lobby. Some employees may be crime victims and might not want to see that part. The rest of the video is useful, relevant, and instructional. Provide the YouTube link and put it on your company’s Intranet. 
</p><p><strong><em>Q: </em></strong><em>What is the best way to conduct live scenario training with employees?</em></p><p><strong>A:</strong> Training is critical, but we don’t need to set the building on fire to run a fire drill. Instead of a full-blown SWAT response simulation with frightened employees, fake blood, and real guns, run a 15-minute drill at least once per year. On a designated date and time, a mass notification or PA system announcement starts the drill and asks all employees to leave the building, quickly and safely, for 15 minutes and then return to work. Or, they can choose to move rapidly to a safe room with as many colleagues as possible, lock and barricade that door, and wait there for 15 minutes before returning to work. Remind them that, in a real event, they may need to provide basic first aid to employees until the situation is controlled. </p><p><em><strong>Q: </strong>What is the best way to debrief employees after the drill is over?</em></p><p><strong>A:</strong> A successful drill means that you weren’t able to find any employees in the hallways or open unlocked doors to find them inside. After the drill, get and give feedback from employees as to what worked for them and what improvements could be made. Review how employees could successfully avoid or defeat an attacker by turning off lights, blocking doors with furniture, using defensive weapons inside the room, and staying out of doorways. Determine whether you need to make upgrades to existing door locks or access controls. Be prepared to explain why concealed weapons are not the safest approach and how they complicate the police response.</p>