| https://sm.asisonline.org/Pages/Book-Review---Misbehavior.aspx | Book Review: Misbehavior in Organizations | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Routledge; <a href="https://www.routledge.com/Misbehavior-in-Organizations-A-Dynamic-Approach-2nd-Edition/Vardi-Weitz/p/book/9781138840980" target="_blank">routledge.com</a>; 334 pages; $59.95.</p><p>Employee behavior in the workplace has always been difficult to assess and interpret for management. Understanding employee misbehavior can be even more baffling. </p><p>The second edition of <em>Misbehavior in Organizations: A Dynamic Approach</em> offers an in-depth and scholarly view on key issues such as harassment, academic fraud, bullying, negative workplace interactions, and organizational misbehavior. The research described outlines a truly dynamic approach to organizational misbehavior—this literature is rarely discussed openly, and is often tiptoed around in today’s workplaces.</p><p>The authors of this book developed an original integrative organizational misbehavior (OMB) framework in previous academic works. This text looks at the empirical literature that has become available over the past 10 years. It begins by providing readers with an overview of the general framework for OMB analysis, describing research that directly relates to the phenomenon of critical and negative behavior at work.</p><p>The advantage of this work is its foundation in evidence-based research, both conceptual and theoretical. One of the most engaging parts of the book, “Measurement Dilemmas in OMB Research,” highlights key cases illustrating incidents ranging from minor misbehavior to serious violence.</p><p>One shortcoming is the sparse content on cyberbullying and bullying, which the authors indicate are on the rise. It is imperative for employees to feel safe and accepted in the workplace. They must believe that management, human resources, and others will discuss issues as they arise. The book does describe management’s role in managing these behaviors both by words and exemplary conduct; surprisingly, managers are sometimes the bullies.</p><p>Ultimately, this advanced book will educate researchers, organizational leaders, and practitioners in a wide variety of fields, from law enforcement to human resources. <em>Routledge; routledge.com; 334 pages; $59.95.</em></p><p><em><strong>Reviewer: Thomas Rzemyk,</strong> Ed.D., is a professor of criminal justice at Columbia Southern University and director of technology and cybersecurity instructor at Mount Michael Benedictine School. He is a criminology discipline reviewer in the Fulbright Scholar Program and a member of ASIS.</em></p> | | |
| https://sm.asisonline.org/Pages/Book-Review---Hijacking.aspx | Book Review: Hijacking: Violence in the Skies | GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><em>Summersdale; available from Amazon.com; 320 pages; $14.95</em></p><p>A captivating read, <em>Violence in the Skie</em>s is a fascinating history of aviation hijackings over the last century. Two recurring themes put forward by author Philip Baum are that there are many significant aviation incidents that don’t make it to mainstream news, and that many hijackers don’t serve extended jail sentences. </p><p>The book provides stories from a wide range of worldwide hijackings and security incidents. The bulk of them are politically based, but there are quite a few where mentally unstable and disturbed people have brought terror to the skies.</p><p>Baum writes that the last successful hijacking—of an El Al flight—took place in 1968. While the Israeli airline has experienced many attempts since, none have been successful. This is because Israel’s aviation security system is the gold standard, and it has an effective counterterrorist response. Much of the approach—counter to that of the U.S. Transportation Security Administration—relies on trying to find the bomber, not the bomb.</p><p>When it comes to information security, the insider threat is often ignored. The book describes cases, such as the Chechen Black Widows hijackings, where insiders facilitated the hijackings by terrorists. </p><p>Although hundreds of billions of dollars have been spent on aviation security over the past decade, the book notes that there’s no indication that the threat to aviation is in any way diminishing. The events of the post-9/11 era have clearly demonstrated that while the frequency of attacks may not be as high, the impact and death tolls can be monumental. </p><p>Reading about aviation violence is not pleasant, but this book is an indispensable read for anyone who wants to understand this history of aviation attacks. Baum, who is editor-in-chief of <em>Aviation Security </em><em>International, </em>is an expert in the field and brings that to every chapter in this appealing book. <em></em></p><p><em><strong>Reviewer: Ben Rothke</strong>, CISSP (Certified Information Systems Security Professional), PCI QSA (Qualified Security Assessor), is a principal eGRC consultant with the Nettitude Group.</em></p> | | |
| https://sm.asisonline.org/Pages/The-Unique-Threat-of-Insiders.aspx | The Unique Threat of Insiders | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>It’s perhaps the most infamous incident of an insider threat in modern times. During the spring and summer of 2013, then-National Security Agency (NSA) contractor and Sharepoint administrator Edward Snowden downloaded thousands of documents about the NSA’s telephone metadata mass surveillance program onto USB drives, booked a flight to Hong Kong, and leaked those documents to the media.</p><p>An international manhunt was launched, Snowden fled to Moscow, hearings were held in the U.S. Congress, and new policies were created to prevent another insider breach. The damage a trusted insider can do to an organization became painfully obvious.</p><p>“If you’d asked me in the spring of 2013…what’s the state of your defense of the business proposition as it validates the technology, people, and procedures? I would have said, ‘Good. Not perfect,’” said Chris Inglis, former deputy director and senior civilian leader of the NSA during the Snowden leaks, in a presentation at the 2017 RSA Conference in San Francisco.</p><p>“I would have said that ‘we believe, given our origins and foundations, and folks from information assurance, that that’s a necessary accommodation,” he explained. “We make it such that this architecture—people, procedure, and technology—is defensible.”</p><p>Inglis also would have said that the NSA vetted insiders to ensure trustworthiness, gave them authority to conduct their jobs, and followed up with them if they exceeded that authority—intentionally or unintentionally—to remediate it. </p><p>“We made a critical mistake. We assumed that outsider external threats were different in kind than insider threats,” Inglis said. “My view today is they are exactly the same. All of those are the exercise of privilege.”</p><p>Inglis’ perspective mirrors similar findings from the recent SANS survey Defending Against the Wrong Enemy: 2017 Sans Insider Threat Survey by Eric Cole, SANS faculty fellow and former CTO of McAfee and chief scientist at Lockheed Martin.</p><p>The SANS survey of organizations with 100 to 100,000 employees found that it can be easy to conclude that external attacks should be the main focus for organizations. </p><p>“This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage,” Cole wrote. “Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.”</p><h4>Insider Threat Programs</h4><p>Incidents like the Snowden leaks and the more recent case of Harold Thomas Martin III, an NSA contractor accused of taking top secret information home with him, along with other incidents of economic espionage have raised awareness of the impact insider threats can have. However, many organizations have not adjusted their security posture to mitigate those threats.</p><p>In its survey, SANS found that organizations recognize insider threat as the “most potentially damaging component of their individual threat environments,” according to the survey. “Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.”</p><p>Of the organizations surveyed, 49 percent said they are in the process of creating an insider threat program, but 31 percent still do not have a plan and are not addressing insider threats through such a plan. </p><p>“Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify,” SANS found. “From experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.”</p><p>Additionally, because many are not monitoring for insider threats, most organizations claim that they have never experienced an insider threat. “More than 60 percent of the respondents claim they have never experienced an insider threat attack,” Cole wrote. “This result is very misleading. It is important to note that 38 percent of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.”</p><p>The survey also found that the losses from insider threats are relatively unknown because they are not monitored or detected. Due to this, organizations cannot put losses from insider threats into financial terms and may not devote resources to addressing the issue, making it difficult or impossible to determine the cost of an insider attack.</p><p>For instance, an insider could steal intellectual property and product plans and sell them to a competitor without being detected.</p><p>“Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone ‘stealing it,’” Cole wrote. “Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause is linked back to an insider.”</p><p>And when organizations do discover that an insider attack has occurred, most have no formal internal incident response plan to address it.</p><p>“Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20 percent of respondents reported having a formal incident response plan that deals with insider threat,” according to the SANS survey. </p><p>Instead, most incident response plans are focused on external threats, Cole wrote, which may explain why companies struggle to respond to insider threats.</p><p>Organizations are also struggling to deal with both malicious and accidental insider threats—a legitimate user whose credentials were stolen or who has been manipulated into giving an external attacker access to the organization. “Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected,” the survey found. “Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders.</p><p>To begin to address these vulnerabilities, SANS recommends that organizations identify their most critical data, determine who has access to that data, and restrict access to only those who need it. Then, organizations should focus on increasing visibility into users’ behavior to be proactive about insider threats. </p><p>“We were surprised to see 60 percent of respondents say they had not experienced an insider attack,” said Cole in a press release. “While the confidence is great, the rest of our survey data illustrates organizations are still not quite effective at proactively detecting insider threats, and that increased focus on individuals’ behaviors will result in better early detection and remediation.”</p><h4>Trusted People</h4><p>When the NSA recruits and hires people, it vets them thoroughly to ensure their trustworthiness, according to Inglis.</p><p>“We ultimately want to bring somebody into the enterprise who we can trust, give them some authority to operate within an envelope that doesn’t monitor their tests item by item,” he explained. “Why? Because it’s within that envelope that they can exceed your expectations and the adversary’s expectations, your competitors’ expectations, and hopefully the customers’ expectations. </p><p>You want them to be agile, creative, and innovative.”</p><p>To do this, the NSA would go to great lengths to find people with technical ability and possible trustworthiness. Then it or a third party would vet them, looking at their finances and their background, conducting interviews with people who knew them, and requiring polygraph examinations.</p><p>After the Snowden leaks, the U.S. federal government examined the work of its contract background screening firm—United States Investigations Services (USIS). USIS had cleared both Snowden and the Washington Navy Yard shooter Aaron Alexis. The government decided to reduce its contracted work with the company.</p><p>USIS later agreed to pay $30 million to settle U.S. federal fraud charges, forgoing payments that it was owed by the U.S. Office of Personnel Management for conducting background checks. The charges included carrying out a plot to “flush” or “dump” individual cases that it deemed to be low level to meet internal USIS goals, according to The Hill’s coverage of the case.</p><p>“Shortcuts taken by any company that we have entrusted to conduct background investigations of future and current federal employees are unacceptable,” said Benjamin Mizer, then head of the U.S. Department of Justice’s Civil Division, in a statement. “The Justice Department will ensure that those who do business with the government provide all of the services for which we bargained.”</p><p>This part of the process—vetting potential employees and conducting background checks—is where many private companies go wrong, according to Sandra Stibbards, owner and president of Camelot Investigations and chair of the ASIS International Investigations Council.</p><p>“What I’ve come across many times is companies are not doing thorough backgrounds, even if they think they are doing a background check—they are not doing it properly,” she says. </p><p>For instance, many companies will hire a background screening agency to do a check on a prospective employee. The agency, Stibbards says, will often say it’s doing a national criminal search when really it’s just running a name through a database that has access to U.S. state and county criminal and court records that are online.</p><p>“But the majority of counties and states don’t have their criminal records accessible online,” she adds. “To really be aware of the people that you’re getting and the problem with the human element, you need to have somebody who specializes and you need to…invest the money in doing proper background checks.”</p><p>To do this, a company should have prospective employees sign a waiver that informs them that it will be conducting a background check on them. This check, Stibbards says, should involve looking at criminal records in every county and state the individual has lived in, many of which will need to be visited in person.</p><p>She also recommends looking into any excessive federal court filings the prospective employee may have made.</p><p>“I’ll look for civil litigation, especially in the federal court because you get people that are listed as a plaintiff and they are filing suits against companies for civil rights discrimination, or something like that, so they can burn the company and get money out of it,” Stibbards adds.</p><p>Additionally, Stibbards suggests looking for judgments, tax liens, and bankruptcies, because that gives her perspective on whether a person is reliable and dependable.</p><p>“It’s not necessarily a case breaker, but you want to have the full perspective of if this person is capable of managing themselves, because if they are not capable of managing themselves, they may not make the greatest employee,” she says.</p><p>Companies should ensure that their background screenings also investigate the publicly available social media presence of potential employees. Companies can include information about this part of the process in the waiver that applicants sign agreeing to a background check to avoid legal complications later on. </p><p>“I’m going to be going online to see if I see chatter about them, or if they chat a lot, make comments on posts that maybe are inappropriate, if they maintain Facebook, LinkedIn, and Twitter,” Stibbards says. </p><p>Posting frequently to social media might be a red flag. “If you find somebody on Facebook that’s posting seven, eight, nine, or 10 times a day, this is a trigger point because social media is more important to them than anything else they are doing,” Stibbards adds.</p><p>And just because a prospective employee is hired doesn’t mean that the company should discontinue monitoring his or her social media. While ongoing review is typically a routine measure, it can lead to disciplinary action for an employee who made it through the initial vetting process. For instance, Stibbards was hired by a firm to investigate an employee after the company had some misgivings about certain behaviors.</p><p>“Not only did we find criminal records that weren’t reported, but we then found social media that indicated that the employee was basically a gang member—pictures of guns and the whole bit,” Stibbards says.</p><p>It’s also critical, once a new employee has been brought on board, to introduce him or her to the culture of the organization—an aspect that was missing in Snowden’s onboarding process, Inglis said. This is because, as a contractor working for the NSA, regulations prohibited the U.S. government from training him. </p><p>“You show up as a commodity on whatever day you show up, and you’re supposed to sit down, do your work—sit down, shut up, and color within the lines,” Inglis explained.</p><p>So on Snowden’s first day at the NSA, he was not taken to the NSA Museum like other employees and taught about the agency’s history, the meaning of the oath new employees take, and the contributions the NSA makes to the United States.</p><p>“Hopefully there are no dry eyes at that moment in time, having had a history lesson laying out the sense of the vitality and importance of this organization going forward,” Inglis explained. “We don’t do that with contractors. We just assume that they already got that lesson.”</p><p>If companies fail to introduce contractors and other employees to the mission of the organization and its culture, those employees will not feel that they are part of the organization.</p><h4>Trusted Technology</h4><p>Once trusted people are onboarded, companies need to evaluate their data—who has access to it, what controls are placed on it to prevent unwarranted access, and how that access is monitored across the network.</p><p>“The one thing I always recommend to any company is to have a monitoring system for all of their networks; that is one of the biggest ways to avoid having issues,” Stibbards says. “Whether it’s five people working for you or 100, if you let everybody know and they are aware when they are hired that all systems—whether they are laptops or whatever on the network—are all monitored by the company, then you have a much better chance of them not doing anything inappropriate or…taking information.”</p><p>These systems can be set up to flag when certain data is accessed or if an unusual file type is emailed out of the network to another address. </p><p>Simon Gibson, fellow security architect at Gigamon and former CISO at Bloomberg LP, had a system like this set up at Bloomberg, which alerted security staff to an email sent out with an Adobe PDF of an executive’s signature.</p><p>“He’s a guy who could write a check for a few billion dollars,” Gibson explains. “His signature was detected in an email being sent in an Adobe PDF, and it was just his signature…of course the only reason you would do that is to forge it, right?”</p><p>So, the security team alerted the business unit to the potential fraud. But after a quick discussion, the team found that the executive’s signature was being sent by a contractor to create welcome letters for new employees.</p><p>“From an insider perspective, we didn’t know if this was good or bad,” Gibson says. “We just knew that this guy’s signature probably ought not be flying in an email unless there’s a really good reason for it.”</p><p>Thankfully, Bloomberg had a system designed to detect when that kind of activity was taking place in its network and was able to quickly determine whether it was malicious. Not all companies are in the same position, says Brian Vecci, technical evangelist at Varonis, an enterprise data security provider.</p><p>In his role as a security advocate, Vecci goes out to companies and conducts risk assessments to look at what kinds of sensitive data they have. Forty-seven percent of companies he’s looked at have had more than 1,000 sensitive data files that were open to everyone on their network. “I think 22 percent had more than 10,000 or 12,000 files that were open to everybody,” Vecci explains. “The controls are just broken because there’s so much data and it’s so complex.”</p><p>To begin to address the problem, companies need to identify what their most sensitive data is and do a risk assessment to understand what level of risk the organization is exposed to. “You can’t put a plan into place for reducing risk unless you know what you’ve got, where it is, and start to put some metrics or get your arms around what is the risk associated to this data,” Vecci says. </p><p>Then, companies need to evaluate who should have access to what kinds of data, and create controls to enforce that level of access. </p><p>This is one area that allowed Snowden to gain access to the thousands of documents that he was then able to leak. Snowden was a Sharepoint administrator who populated a server so thousands of analysts could use that information to chase threats. His job was to understand how the NSA collects, processes, stores, queries, and produces information.</p><p>“That’s a pretty rich, dangerous set of information, which we now know,” Inglis said. “And the controls were relatively low on that—not missing—but low because we wanted that crowd to run at that speed, to exceed their expectations.”</p><p>Following the leaks, the NSA realized that it needed to place more controls on data access because, while a major leak like Snowden’s had a low probability of happening, when it did happen the consequences were extremely high. </p><p>“Is performance less sufficient than it was before these maneuvers? Absolutely,” Inglis explained. “But is it a necessary alignment of those two great goods—trust and capability? Absolutely.”</p><p>Additionally, companies should have a system in place to monitor employees’ physical access at work to detect anomalies in behavior. For instance, if a system administrator who normally comes to work at 8:00 a.m. and leaves at 5:00 p.m. every day, suddenly comes into the office at 2:00 a.m. or shows up at a workplace with a data storage unit that’s not in his normal rotation, his activity should be a red flag.</p><p>“That ought to be a clue, but if you’re not connecting the dots, you’re going to miss that,” Inglis said. </p><h4>Trusted Processes</h4><p>To truly enable the technology in place to monitor network traffic, however, companies need to have processes to respond to anomalies. This is especially critical because often the security team is not completely aware of what business units in the company are doing, Gibson says.</p><p>While at Bloomberg, his team would occasionally get alerts that someone had sent software—such as a document marked confidential—to a private email address. “When the alert would fire, it would hit the security team’s office and my team would be the first people to open it and look at it and try analyze it,” Gibson explains. “The problem is, the security team has no way of knowing what’s proprietary and valuable, and what isn’t.”</p><p>To gather this information, the security team needs to have a healthy relationship with the rest of the organization, so it can reach out to others in the company—when necessary—to quickly determine if an alert is a true threat or legitimate business, like the signature email. </p><p>Companies also need to have a process in place to determine when an employee uses his or her credentials to inappropriately access data on the network, or whether those credentials were compromised and used by a malicious actor. </p><p>Gibson says this is one of the main threats he examines at Gigamon from an insider threat perspective because most attacks are carried out using people’s credentials. “For the most part, on the network, everything looks like an insider threat,” he adds. “Take our IT administrator—someone used his username and password to login to a domain controller and steal some data…I’m not looking at the action taken on the network, which may or may not be a bad thing, I’m actually looking to decide, are these credentials being used properly?”</p><p>The security team also needs to work with the human resources department to be aware of potential problem employees who might have exceptional access to corporate data, such as a system administrator like Snowden.</p><p>For instance, Inglis said that Snowden was involved in a workplace incident that might have changed the way he felt about his work at the NSA. As a systems administrator with incredible access to the NSA’s systems, Inglis said it would have made sense to put a closer watch on him after that incident in 2012, because the consequences if Snowden attacked the NSA’s network were high.</p><p>“You cannot treat HR, information technology, and physical systems as three discrete domains that are not somehow connected,” Inglis said.</p><p>Taking all of these actions to ensure that companies are hiring trusted people, using network monitoring technology, and using procedures to respond to alerts, can help prevent insider threats. But, as Inglis knows, there is no guarantee.</p><p>“Hindsight is 20/20. You have to look and say, ‘Would I theoretically catch the nuances from this?’” </p> | | |
| https://sm.asisonline.org/Pages/Driving-a-Security-Transition.aspx | Driving a Security Transition | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>When Christopher Martini, CPP, took the wheel as Jaguar Land Rover North America’s regional manager for corporate security and business protection in 2013, he knew he had a long road ahead of him. He was the first person to serve in the role, which focused on keeping the British automotive company’s American and Canadian administrative facilities safe. Jaguar Land Rover North America had been previously owned by Ford, which provided general security functions but did not have an onsite security professional dedicated specifically to Jaguar Land Rover. After Ford sold the company, a few years passed without a leader to organize safety, security, or asset protection. “Security functions were under the stewardship of the site services facilities department but there was no functioning security department,” Martini notes.</p><p>Jaguar Land Rover North America has more than a dozen facilities, including service and sales training academies, regional offices, and driving experience centers throughout the United States and Canada. “We’re not the manufacturing company but we directly help facilitate the sale of our products and the ongoing use of our products through training dealer personnel, and importing vehicle parts and accessories,” Martini says.</p><p>After years without any organized security approach, Martini faced two distinct challenges: building a culture of security and equipping facilities with up-to-date access control and perimeter protection technology. </p><p>“It was a mature organization—people had been operating in a certain way without the influence of an organized security and safety and asset protection structure around them,” Martini explains. “Those behaviors were set because people had been here for a while, and there was a lot of organizational resistance to having a security professional start to change how people did things, even something as simple as accessing the building.”</p><p>Similarly, Jaguar Land Rover North America facilities were equipped with legacy security systems so out of date that facilities personnel had been buying spare parts from eBay because they were no longer produced or supported by the manufacturer. The access control system had an inaccessible database, so some employees had multiple access control cards in multiple formats. “It was exactly what you would imagine—it had been left to decay,” Martini notes.</p><h4>Technology Tune-Up</h4><p>Martini had a lot of work to do, and quickly. A brand new facility in Portland, Oregon, was scheduled to be built within six months of Martini’s arrival at the company—and he knew whatever security solution he chose would ultimately be used at other facilities, including the company’s regional headquarters in New Jersey. “What I didn’t want to do was deploy the solution that was currently in place at the other locations—it was out of date and not supported,” he says. He was familiar with S2 Security Corporation from visiting its booth at ASIS International seminar and exhibits, and he ultimately decided on its platform for regional security monitoring, administration, and operations management, as well as for standardizing access control and video. </p><p>“What really guided my selection was the fact that I knew that I wasn’t going to have a tremendous ability to call upon internal resources for maintenance, upkeep, or even operation of the system, so it had to be something that was easy to train people on—resilient and very reliable—and that didn’t require constant updates to stay current with desktop and operations software,” Martini explains. The S2 system is accessed via Internet browser and does not require any dedicated client software. Martini said it was the “perfect fit” for the Jaguar Land Rover North America environment.</p><p>The new, cutting-edge infrastructure—including HID access cards and Axis cameras that integrated with S2’s Enterprise access control and NetVR video management systems—was installed at the Portland location. After that successful deployment, the solution was installed in the Irvine, California, training office; the Mahwah, New Jersey, headquarters; and a new facility in Mississauga, Canada, that opened in 2016. The New Jersey facility has an enterprise-level system that allows for round-the-clock monitoring of the other three locations.</p><p>“We do all the administration here in New Jersey, and we do monitoring for those other locations,” Martini says. “I have 24-hour staff that is interacting with the system, and any alarm or information that comes back to us requiring a response gets escalated from here out to the location.”</p><p>Martini’s responsibility to protect Jaguar Land Rover’s American and Canadian facilities and fleet of more than 900 high-end vehicles was made easier with the new technology. “The most direct benefit that I get is I now know what’s happening at my facilities,” he notes. “Prior to having this technological capability, I had to rely on people in those locations to report issues and incidents to me as they occurred. Now I have more direct visibility to what’s happening to those sites in real time, which gives me a much better sense of situational awareness to what’s really happening.”</p><p>At the remote facilities, an intrusion panel—integrated with the S2 system—allows the first employee to arrive at the facility and the last to leave the ability to deactivate or activate the alarm system with a swipe of an access control badge. After the system is armed, it will dial out to a third-party monitoring company if an alarm is triggered, as well as alert the security officer on duty at the company’s New Jersey headquarters. </p><p>Martini explains that the local monitoring company will call headquarters to discuss what action to take. “The officer starts looking for video associated with that alarm, and the alarm company will call in and ask whether it should dispatch police,” he says. “The officer can see if it’s just the new housekeeper who forgot to use the control panel, or whether there is evidence of intrusion.” Then the officer can tell the company to send police. </p><p>The officer would then go through an escalation process, which could involve reaching out to staff at headquarters or a local site contact, depending on the situation. “Officers have a detailed escalation list as to who they need to notify about the range of things they may notice or be called about for one of those remote locations,” Martini says.</p><p>This chain of response went according to plan when someone tried to break into the company’s Irvine location. The security officer on duty in New Jersey was watching the remote video feeds and noticed a man walking around the outside of the facility after hours, trying to open the doors. The officer was able to switch the view to pull up all feeds of the site to gain better situational awareness and observed the man trying to pry open one of the patio doors with a crowbar. </p><p>“Irvine is a regional office collocated with a training center,” Martini notes. “Training centers are like really nice, clean automotive garages where we bring service technicians and train them on our cars. The first level has a nice main lobby and a couple automotive bays and things like that, and the second level is basically office space. Likely what was drawing this guy was that there was a vintage Jaguar just inside those doors.”</p><p>The man had not triggered any alarms because he hadn’t yet managed to open the door, but the security officer contacted the local alarm company and had it call the police, who responded within a minute. </p><p>“It’s not a huge incident, but the quality of the video is so excellent and the ability for the officer to quickly switch and bring up everything associated with the site and get a better sense of where the guy was located and what his target was going to be is really quite interesting to see,” Martini says.</p><h4>Culture Change</h4><p>The changes at Jaguar Land Rover North America facilities haven’t just boosted situational awareness—they have helped change the employee culture as well. While Martini was upgrading the physical security, he was also striving to get employees on board with working together to create a more secure workplace. </p><p>“It’s really difficult, in my experience, to create a controls-based environment if the environment doesn’t have good controls,” Martini explains. “It’s one thing to tell people ‘It’s important that you wear your badge, you don’t leave doors propped open.’ If the system doesn’t provide you with the information necessary to know when those problems are happening, then it’s difficult to address the behaviors.”</p><p>Understanding that employees were not used to wearing access control badges, Martini solicited employee feedback and created a team to help design the look and feel of the new badges. As part of the rebadging strategy, employees were encouraged with contests and could take selfies to use as their badge photos.</p><p>“Rather than us taking your photo and making it like getting a driver’s license, people took their own, as long as they met the criteria—it was a really fun experience,” Martini says. “It allowed people to send me the photos they were the happiest with, and my opinion is that if I want you to wear the badge, then you should be happy with the photo.”</p><p>Once the S2 system was in place, it was easy for Martini’s officers to be alerted when doors were propped open or other security protocols were not followed and make a call to the facility and correct the behavior in real time. “It sends a subtle message, not that Big Brother is out there watching, but it reinforces the behaviors you’re expecting from your employees, and lets them know that as an organization we take it seriously,” Martini says. “The messaging has been augmented by the fact that we now have an environment and infrastructure that supports the application of administrative and policy controls. That’s a huge benefit.”</p><p>It’s been almost a year since the updated S2 solution was installed at the facility in Canada, and the organization is planning a second rollout to several facilities across North America. Martini says he considers the first deployment a success—both in tightening the physical security at the facilities, and in evolving company culture. Jaguar Land Rover North America conducts pulse surveys among its employees, and Martini says that during the last two years employees’ perception of health and safety has increased. He also notes that, anecdotally, false alarms greatly decreased because employees are following protocol. “It’s a good indicator that we’re on the right path and people understand the organization is making an effort, and what we’re doing is effective,” he notes.</p><p>When he started at Jaguar Land Rover North America, Martini approached security as an amenity to the business and hoped that a stronger physical security footprint would benefit company culture—and vice versa.</p><p>“We have really talented people and we hire you to apply your talent to the work, not to be worried about security or personal safety,” Martini says. “Your job is to come in and contribute all your talent and energy to the task at hand. Because the system is providing us with intelligence about what’s happening at our sites, we can let people know that our sites are secure and we’re taking security seriously. Employees feel more secure in the workspace, they have a better understanding of what their individual responsibility is to contribute to the security program, and that reinforces the kind of culture I was trying to build.” </p><p><em>(Editor's note: At press time, Martini began a new position as an area security and safety manager for PayPal.) </em></p> | | |
| https://sm.asisonline.org/Pages/Driving-the-Business.aspx | Driving the Business | GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>The top speed of a Model S Tesla is 155 miles per hour, which can be reached in approximately 29 seconds. It’s one of the fastest cars in the world, with one of the most powerful sets of brakes on the market. </p><p>“Tesla has a set of brakes on that car that are so oversized and overpowered, that they can stop the car cold even if the engine malfunctions and spikes at full throttle,” says Ryan LaSalle, security growth and strategy lead at Accenture. “The only reason you have a car that goes that fast is because you have a set of brakes that can control it. To be able to corner at speed, you need good controls. That’s supposed to be the partnership between security and innovation.” </p><p>The challenge for many companies, though, is how to develop this partnership so when the CEO goes to the board, he or she is effectively communicating what the cyber risks are to the business and how they are being addressed—ensuring that security is enabling the business to drive smoothly, and safely, towards its goals.</p><p>According to the National Assoc-</p><p>iation of Corporate Directors (NACD), only 15 percent of boards are satisfied with the information they are getting from executives on cyber risk management. This could be because many CEOs only recently began discussing cybersecurity regularly with their boards—within the last two years—and were initially unprepared for these important conversations. </p><p>To prepare for these conversations, CEOs turned to their CISOs or vice presidents of information security, but many of those experts struggled to explain cybersecurity in a way that the CEO could understand.</p><p>“Most security professionals have a hard time articulating and conveying not only risk, but also the benefit of what they are doing,” LaSalle says. “And if they continue to have a hard time articulating that, they will struggle to be relevant and be part of the strategic plan of the business.”</p><p>Matt Appler is now the CEO of Corsec Security Inc., which assists companies with security certification and validation processes, but he once was a software developer. When it came to learning how to communicate with executives about cybersecurity, Appler says it was not an easy process.</p><p>“Unfortunately, it was mostly through the school of hard knocks and finding ways to talk about security given that it’s already a subject that’s highly technical, which by its nature makes it extremely difficult to communicate with others about,” he explains. </p><p>The other aspect that made communicating to executives about cybersecurity difficult is that security is not an absolute. Appler compares it to the risks of getting in a car with airbags, seatbelts, and back-up cameras. </p><p>“But ultimately, you’re going to choose how you operate that car, how fast you drive…you’re making choices based on your perception of risk around you,” he says. “But all of us understand that we could be in an automobile accident. The same is true in information security. It’s not an absolute…the only way to eliminate the risk is to not get in the car.”</p><p>Focusing on risk and why that risk matters is the key to communicating with executives—and boards—about cybersecurity, Appler adds.</p><p>“I found very early on that it was more effective to explain why you would care about protecting information—why that would matter—than about the technology,” he says.</p><p>For instance, during the summer of 2017 the WannaCrypt ransomware attack hit companies that were running old or out-of-date operating systems, or unpatched systems. When companies were asked why they had not upgraded their systems, Appler says, many said they hadn’t taken action because it was too expensive.</p><p>“But when they suffered the problem, they were unable to provide service for potentially days. They took a financial hit, a brand hit, and a reputational hit,” Appler says. “I would question whether they truly understood what risk they were taking by not upgrading.”</p><p>To clearly communicate that risk, Appler says that CISOs should avoid reverting to “scary stories” to make boards fearfully invest in security. Instead, they should focus on quantifying risk in terms of dollars to allow the board and CEO to evaluate what they would pay to mitigate risk.</p><p>“There are many things you can do to mitigate that risk, but at the end of the day they are going to have a cost and the return is likely risk mitigation—not features or benefits directly to your company,” Appler adds.</p><p>LaSalle echoes these sentiments and says that CISOs need to prepare their CEOs about the risks the business is taking on in terms of cybersecurity, what needs to be done to address that risk before creating greater exposure, the potential costs of not taking action, and how addressing risks helps the business achieve its goals.</p><p>“That’s where, at the board level, when you’re telling stories around the biggest threats to what the business is trying to do, you’re using the language of business—not the language of hackers—when you talk about threats,” LaSalle says, “when you’re trying to talk about programs you have in place and how effective they are at managing those risks.”</p><p>For instance, a client that LaSalle works with put this into practice a few years ago just before the Sony hack occurred. The client had recognized through a threat intelligence function that destructive malware was one of the biggest threats to the business’s operational resiliency.</p><p>The client went through a process to examine how a destructive worm would impact the business. It then changed its investment portfolio, implemented a solution to create more operational resiliency and increase its defenses, and then briefed its board. </p><p>The client, LaSalle explains, told the board that it was tracking destructive malware because of the risk it posed to the business and explained how it was mitigating that risk. It also described past failures to mitigate that risk and the market indicators it was tracking that could change its perception of its readiness to handle the risk.</p><p>A few quarters later, during the Sony attack, the client went back to the board. The briefing included details on how IT would repel a similar attack, why those actions would be warranted, and what new threats were looming. </p><p>“That’s the kind of example I use to explain this because it had a tremendous business impact,” LaSalle says. “It demonstrates the effectiveness of the investment, and it provides clarity from a risk perspective, to a bunch of business owners who aren’t really worried about what the vulnerability is or how it propagates—but they are very worried about the business outcome.”</p><p>Taking this approach of regularly briefing the board and providing benchmarks of where the business is in addressing cyber risks is a best practice approach, says Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton & Williams LLP and former chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.</p><p>“Some of our clients are appearing before the board on a routine basis and using benchmarking as a way of showing where the company is today as compared with others in their industry sector, and then also showing benchmarking as compared with a point in time—say today versus where the company is two or three months from now,” she explains. “Benchmarking is very helpful in putting the evolution of the cybersecurity program into context.”</p><p>Having this regular dialogue helps build a base of understanding for board members and educates them on the company’s cybersecurity strategy. “The board wants to hear the overall strategy, but they are also going to want to hear about some of the more granular testing, like penetration tests and the results, risk analysis, data flow mapping exercises,” Sotto adds. “High level is very good, but with details waiting in the wings in case board members are interested in going into more detail.”</p><p>This is likely to happen as boards become increasingly interested in cybersecurity and more knowledgeable on the topic. They may also be required to become more knowledgable under new regulations or legislation making its way through the U.S. Congress.</p><p>For instance, U.S. Senators Mark Warner (D-VA), Jack Reed (D-RI), and Susan Collins (R-ME) introduced legislation, the Cybersecurity Disclosure Act (S. 536), that would require publicly traded companies to include information on whether any member of the company’s board of directors is a cybersecurity expert in their Securities and Exchange Commission disclosures to investors. If a company has no cybersecurity experts, it would be required to explain why a greater level of expertise was unnecessary.</p><p>“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process,” Senator Reed explained in a statement. “Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber risk oversight.”</p><p>S. 536 has been introduced and referred to the U.S. Senate Committee on Banking, Housing, and Urban Affairs, but has not advanced.</p><p>“The bill alone is interesting, and, even if the bill doesn’t pass, more efforts like this could have the effect of incentivizing boards to look for cyber savvy directors,” Sotto says.</p><p>And while many companies are struggling with connecting cybersecurity to the mission of the business and articulating the risks associated with it, CEOs are beginning to track the issue and invest in it.</p><p>“If we continue to improve and unlock more of the stories and the business value of what security is doing for the business, I think the population of [cyber-focused] CEOs will grow,” LaSalle says. “I don’t know if they will ever be the majority, but I do think that it will be a best practice for a CEO in five years to be not just interested and involved in the security of their organization, but really committed to it.” </p> | | |
| https://sm.asisonline.org/Pages/Employee-Theft.aspx | Employee Theft | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p>Marianna Perry, CPP, a security consultant with Loss Prevention and Safety Management, LLC, discusses how companies can prevent employee theft of digital and physical assets.</p><p><em><strong>Q. </strong>What steps can employers take to prevent employee theft? </em></p><p><strong>A. </strong>One of the major things that employers can do is hire the right people—honest employees. That sounds very simple, but many times corners are cut during the hiring process. In addition to more than one interview, employers should conduct thorough background investigations, which may include checking criminal records, references, and education. Personality tests can indicate whether the applicant is a good fit for the company. Every employer should have clear policies to deter theft, and employees should know that if they steal, they will be prosecuted. It’s also a good idea to have a hotline where employees can anonymously report suspicious behavior or theft by another employee. </p><p><em><strong>Q. </strong>What about security best practices?</em></p><p><strong>A. </strong>Retailers have traditionally used common practices such as comparing physical inventory against receiving and sales records, auditing cash and payroll records, locking emergency exit doors, installing video surveillance systems, and using security devices to tag inventory. Training employees to recognize common behavior characteristics of thieves is also critical to deterring theft. Business policies and procedures need to be reevaluated on a regular basis and communicated to employees. Best practices include daily bank deposits made by two employees, audits of shipping and receiving records, inventory conducted by an outside firm, verifying time worked against payroll records, auditing cash bank deposits against daily cash receipts, and reconciling the monthly bank statement.</p><p><em><strong>Q. </strong>How can employers prevent personal information from being tampered with by an insider?</em></p><p><strong>A.</strong> A risk assessment may help identify potential vulnerabilities in the IT system, whether it’s theft from employees who are well aware of their access to the goldmine of personally identifiable information (PII) or an inadvertent theft that may be caused by a bring-your-own-device policy. Many employees can access PII with no evidence of intrusion in the company data systems. High turnover and employees that do not undergo effective vetting processes increase the likelihood of insider theft. Access to data files should be restricted and controls and tracking should be in place. Senior management should have current login information and passwords of all employees. Businesses need to have a holistic approach to security by integrating IT security and physical security.</p><p><em><strong>Q. </strong>Should a manager confront an employee about stealing? Are there any legal concerns?</em></p><p><strong>A.</strong> If an employee is confronted with theft, ensure that you have the evidence to support your suspicions. Entrapment techniques should never be used to entice an employee to steal. It’s important not to threaten the employee under suspicion and have a witness present—preferably, a member of management—while you are talking with the employee. Ask the employee to explain how the theft occurred, if other employees are involved, and if the money or company property can be returned. Every theft that occurs should be reported to law enforcement with supporting documentation from the business. </p> | | |