| https://sm.asisonline.org/Pages/The-Disengagement-Dilemma.aspx | The Disengagement Dilemma | GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">Bob works for a large company but he feels small—more like a number than a person. Like any employee, Bob needs to feel valued, like someone who matters to his managers and the company. He wants his supervisors to know him as an individual, and to understand what he wants in his career. He wants to feel like he is part of something bigger than himself. </span></p><p>Instead, Bob feels expendable. While he would like to develop his career with the organization, his loyalty to the company is challenged by the perceived indifference of management. In a word, Bob is disengaged.</p><p>He is not alone in feeling this way. In a recent study, Build a Better Workplace: Employee Engagement Edition, conducted by the Canadian Management Centre (CMC) and Ipsos Reid, only 27 percent of employees surveyed said they were highly engaged, and one in five reported they were not engaged at all. These statistics are consistent with an older Gallup survey, which found that 71 percent of American workers are either “not engaged” or “actively disengaged.” </p><p>Every business benefits from the buy-in of its employees, as employee engagement leads to a motivated, productive, and committed workforce. And yet, high disengagement rates persist across industries and continents. This is the disengagement dilemma, and it is one of the biggest challenges facing companies today. Organizations around the globe, and HR departments in particular, have struggled to address this difficult problem.</p><p>Disengaged employees are more likely to leave an organization, proving that engagement and retention are directly linked. Businesses suffer when this happens. The cost of hiring and training new employees is high—not only in monetary value, but in morale. Only a distinct minority of organizations have a truly engaged workforce. </p><p>How can an organization in the security industry make engagement a priority? To answer this question, we explored the research and studies conducted on this topic, and we discussed these issues with human resources experts, who offered some advice and best practices. </p><h4>Motivation<br></h4><p>“Does Money Really Affect Motivation?” is a 2013 Harvard Business Review article by Tomas Chamorro-Premuzic, a professor of business psychology at University College London, that examines the allure of lucre by reviewing 120 years of research and synthesizing the findings from 92 quantitative studies. The combined dataset includes more than 15,000 individuals.</p><p>The results indicate that the connection between salary and job satisfaction is weak. In addition, a cross-cultural comparison included in the article revealed that the relationship of pay with job satisfaction is pretty much the same everywhere. For example, researchers discovered the same results in Australia, India, Taiwan, the United Kingdom, and the United States.</p><p>The finding is consistent with Gallup’s previous global surveys on engagement, which in 2011 found no significant difference in employee engagement by pay level. Moreover, Gallup’s findings were based on 1.4 million employees from 192 organizations across 49 industries and 34 nations.</p><p>Clearly, money is not the answer. In fact, if managers want employees to be happy with their compensation, more money is still not the answer. </p><p>If money does not drive engagement, what does? In the CMC-Ipsos Reid study, trust and confidence in senior leadership proved to be crucial in sustaining engagement. </p><p>The study covered 1,200 Canadian workers, including a parallel study of 484 professionals that offered side-by- side comparisons of professional occupations. Only four in 10 employees surveyed believed that the leadership in their workplaces did a good job communicating what was happening in the organization. A full 61 percent reported that they did not trust their senior leader; that distrust was most prevalent among Generation X employees and baby boomers. The highest level of confidence in senior leadership was reported by employees in the high-tech/IT sector at 55 percent, while employees in retail (39 percent), government (35 percent), and transportation (32 percent) reported the lowest levels of confidence.</p><p>Clearly, managers must be considered trustworthy to retain an engaged workforce. But being trustworthy, in and of itself, does not automatically generate commitment. It takes active effort on behalf of management. </p><p>“The most effective way leaders can retain their top employees is to create loyalty by strengthening their emotional connection to their job, environment, leader, and organization,” says Bernadette Smith, vice president of talent development solutions at the CMC. </p><p>According to Smith, the Build a Better Workplace study lays out an engagement model that cites three contributing factors for fostering the type of connection that creates loyalty to an organization. The first is involvement. “Employees want to make a meaningful contribution to the organization and want to know that their input is valued,” says Smith.</p><p>The second is alignment. Some companies support this through an effective performance management program that aligns an employee’s individual work with organizational goals. The key to success with these programs is ensuring an effective communication process at all levels to make everyone aware of the objectives. </p><p>“Employees need to support the direction of the organization and understand how they contribute to achieving its objectives,” she explains.</p><p>The third is satisfaction. “Satisfaction indicates how content an employee is with their role and everyday environment. All three factors need to work together to create highly committed and engaged employees,” she adds.</p><h4>The Management Effect</h4><p>Naturally, most managers want a dedicated workforce, and they can expect heightened productivity and performance if they succeed in keeping their employees truly committed. But what engagement strategies are effective, and what should managers focus on when approaching the issue? </p><p>These questions are touched on by another Gallup survey, in which the polling organization asked more than 8,000 employees about their relationship with their manager. The results were discussed last August in an article: “Should Managers Focus on Performance or Engagement?” by Annamarie Mann and Ryan Darby in the Gallup Business Journal. </p><p>The questions Gallup asked included: Can the employee approach his or her manager with nonwork-related issues, and talk about anything? Can they get prompt responses to requests? Gallup also asked questions related to how managers inspire performance and accountability. Does their manager know what projects or tasks employees are working on? Does he or she help set work priorities or set performance goals and hold them accountable to those goals? </p><p>Through these surveys, Gallup found that managers do not have to choose between focusing on creating strong and committed teams and focusing on maximizing performance and accountability. High-performance managers focus on both; they are engagement-focused, but they are also strengths-based and performance-oriented. They develop deep interpersonal relationships with their employees and focus on performance. In contrast, managers who emphasize one approach and ignore the other risk both lowering engagement and damaging their team’s performance. </p><p>According to Amelia Chan, founder of Higher Options Consulting in Vancouver, British Columbia, such a dual-focus managerial approach is crucial to sustaining even the best laid strategies. As a Canadian immigration and HR specialist with experience in small to mid-sized businesses, as well as governmental, private, and nonprofit sectors, Chan is unequivocal in her support of managers as the sustaining link to abiding engagement.</p><p>“The greatest impact on engagement is the direct management relationship. The cliche about how ‘employees don’t leave their jobs, they leave their managers’ endures for good reason,” says Chan. “Studies show that the attitude and actions of the immediate supervisor can enhance employee engagement or can create an atmosphere where an employee becomes disengaged,” she points out.</p><p>Chan is clear in her view that improving employee relations is something any manager can do simply by listening and accepting input from staff, by being clear about the organization’s direction, and by providing consistent, open communication.</p><p>“It’s in any business’s best interest for managers to develop an HR mindset. Businesses that retain a sustainable competitive advantage realize that employees are its biggest assets,” says Chan.</p><p>Ironically, while engagement is most often a topic broached in relation to large businesses, Chan sees it affecting smaller organizations, as they are the ones who can least afford to lose quality employees or to receive negative feedback from previous and existing employees. “Economies of scale put an even greater pressure on small businesses to adopt more strategic HR thinking in regards to retaining, engaging, and getting the most out of their teams,” she says.</p><h4>Career development</h4><p>Engagement strategies may vary from company to company, and may depend on how much the organization invests in developing company culture. Besides managerial initiatives, the reputation of an organization also helps with engagement—particularly when even those who do not work for the organization believe that it is a great place to work. </p><p>According to Jamie Read, HR director of Commissionaires BC, a provider of security officers, such perceptions are powerful tools. However, those perceptions are unlikely to take hold unless they are internally supported by progressive practices and processes.</p><p>That investment in the workforce is ongoing, and returns come in the form of engagement and goodwill. “Throughout their careers, we continue to support personal development, career planning, and a sense of community. Promoting from within is our practice for supervisory positions,” she explains. She elaborates that career development at her firm is driven by spotting high potential from within, and then tailoring training programs to encourage growth and loyalty. Following this practice helps keep staff interested in growing with the company.</p><p>Virgin is another company whose reputation is enhanced by supportive workplace practices. Virgin CEO Richard Branson recently made headlines with an engagement strategy that points to a loosening of control as key to boosting corporate culture. Branson said that his staff of 170 could take off whenever they want for as long as they want. He added that there was no need to ask for approval, nor say when they planned to return, the assumption being that the absence would not damage the firm.</p><p>Branson said he was inspired by his daughter, who read about a similar plan at Netflix. “It is left to the employee alone to decide if and when he or she feels like taking a few hours, a day, a week or a month off,” Branson wrote in his recent book The Virgin Way: Everything I Know About Leadership. “The assumption being that they are only going to do it when they feel 100 percent comfortable that they and their team are up to date on every project and that their absence will not in any way damage the business—or, for that matter, their careers!”</p><p>He added that he had introduced the policy in the United Kingdom and the United States “where vacation policies can be particularly draconian.” If it goes well there, Branson said he would encourage subsidiaries to follow suit. “We should focus on what people get done, not on how many hours or days worked,” he said. </p><p><span style="line-height:1.5em;"><em><strong>Andrew </strong></em></span><span style="line-height:1.5em;"><em><strong>Woods, MBA</strong>, is based in Vancouver, British Columbia, Canada. He facilitates management development programs and has presented workshops, including security-related courses, in 18 countries. He is the author of BOOM! Engaging and Inspiring employees Across Cultures. Woods is a member of ASIS International.</em></span><br></p> | | |
| https://sm.asisonline.org/Pages/Strategic-Shrink-Reduction.aspx | Strategic Shrink Reduction | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">Security’s long battle against retail theft continues, and it is far from won, but some retailers are making gains. Loss prevention strategies are becoming increasingly more sophisticated, with some retailers leveraging cutting-edge technology, analytics, and an even more engaged workforce to fight thieves and stay one step ahead of always-evolving shoplifting methods.</span></p><p> Global shrink has declined by 4.8 percent in the last year, due in part to an increased focus on loss prevention measures, according to a recent study of retail theft across the world. The report, The Global Retail Theft Barometer 2013-2014, examined the cost of merchandise theft in the global retail industry in 24 countries spread throughout Asia, Europe, North America, and South America.</p><p>What’s driving the progress? One major factor is increased investment in loss prevention programs. The study found clear correlations between how much a country’s retail industry spent on loss prevention and the retail loss rate in that country. Countries with the best shrink reduction rates had spent the most on preventive countermeasures, while those with the highest losses spent the least on prevention.</p><p>This is a lesson that some retailers in the United States could benefit from, says Ernie Deyle, former vice president of loss prevention for CVS/Caremark who now leads the shrink reduction and margin recovery practice for SD Retail Consulting. Deyle says that when he does “triage” work in the field, some stores consider loss prevention an expense area, a place where they minimize spending in hopes of minimizing costs. So the idea that loss prevention is actually a competitive asset area is “usually overlooked,” often to the detriment of the store’s financial bottom line. “When you control loss, you improve your profit,” says Deyle, who helped conduct the study in conjunction with The Smart Cube, a research and analytics firm. </p><p>However, simply spending more money on prevention is not the sole answer to the problem, Deyle adds. The report found that the most effective loss prevention programs are multifaceted: they often combine the strategic use of technology and physical security measures with data analytics.</p><p>For example, a multifaceted program might employ electronic article surveillance (EAS). EAS devices have been shown to be among the most effective of retail security technologies, the report found. But relying on one tactic or device, even one as effective as EAS, is “like putting up a gate with no fence,” Deyle says. </p><p>Instead, multifaceted loss prevention programs may couple an EAS system with a merchandising plan that covers product placement strategies to avoid theft. The merchandising plan might use analytics on loss data to determine things like what shelves are most vulnerable to theft, which items are most likely to be stolen, and when peak theft occurs. Product placement strategies might include the best arrangements and facings for items to minimize theft, Deyle explains. For example, arranging products in a way that takes longer to lift them off the shelf can deter some shoplifters. “They want quick in, quick out, without being noticed,” Deyle says. </p><p>Moreover, loss prevention plans should be constantly evolving. Shoplifters who are foiled will change their practices accordingly, so retailers need to continually change their tactics as well. “It’s about being strategically positioned,” Deyle says. “You need to stay ahead of the curve.” </p><p>While the 4.8 percent global shrink decline is encouraging, retail shrink still costs an estimated $128 billion worldwide, evidence that theft is still a serious problem for the industry, according to the report. The loss is the equivalent of 1.29 percent of sales in each of the 24 countries examined in the study. The annual cost of shrink to households, as passed on from retailers, ranges from $74 to $541, depending on the country. </p><p>Roughly two-thirds of shrinkage worldwide (slightly more than 65 percent) is due to shoplifting, followed by employee theft. In most countries (16 of 24), shoplifting is the biggest cause of shrinkage, but this can vary. For example, in the United States, employee theft ranked first at 43 percent, with shoplifting next at 37 percent. In Norway, a low shrinkage country, administrative losses are the major source of shrinkage.</p><p>Comparatively, shrinkage rates across the 24 countries in the report range from 0.83 percent to 1.7 percent. Mexico recorded the highest rate—1.7 percent—followed by China with 1.53 percent. The lowest shrinkage rates were in Japan, Norway, the United Kingdom, and Turkey. </p><p>In the United States alone, retail theft costs $42 billion annually, equal to an average of $403 per household. Shoplifters and dishonest employees most commonly target products that are easy to conceal and then resell. Some of the most frequently pilfered items include mobile phones, spirits, fashion accessories and jewelry, makeup products, and computer tablets. </p><p>Almost all types of U.S. retail stores were hit by employee theft and shoplifting, but the most affected were U.S. discounters, with losses equaling 2.78 percent of sales; pharmacies/drugstores, 2.16 percent; and supermarkets/grocery retailers, 1.38 percent. These three types of stores witnessed the highest shrink rates because of the widespread prevalence of organized retail crime combined with relatively lower loss prevention spending, according to the report. </p><p>While retailers are making progress with sophisticated loss prevention programs, another recent report points the way toward an alternate means of reducing retail shrinkage—by improving the engagement level of the workforce. </p><p>This report, Making the Link: the Role of Employee Engagement in Controlling Retail Losses, surveyed more than 200,000 staff members in 1,570 stores under three European retail chains. Employee engagement was measured across 18 factors, such as “staff believe their ideas and suggestions are taken seriously” and “staff feel appreciated and valued.” Four indicators of retail loss were examined: shrinkage, waste, cash loss, and lost sales driven by out-of-stock merchandise. The report was conducted by ECR Europe’s Shrinkage and On-Shelf Availability Group, with support from the University of Leicester. </p><p>The study found that 15 of the 18 employee engagement factors influenced store loss. It also found that the stores that had the highest loss rate could significantly reduce that rate with a more engaged workforce. The report “graphically highlights the difference that engaged and valued staff can make to retail profitability—not just by providing excellent customer service, but also through a reduction in the many and varied losses retailers experience,” write the authors of the report. (For more on employee engagement best practices, see “The Disengagement Dilemma” on page 52). </p><p>Like the previous report, Making the Link also found that managers played a pivotal role in keeping employees engaged. To heighten engagement levels and reduce loss, the authors recommended that managers provide more opportunities for staff development, keep staff informed about the organization, solicit staff ideas, and make sure that staff have satisfying, manageable roles. </p><p>“For all the advances in technology and analytics, the importance of employees must not be minimized,” the authors write. “Retailing is fundamentally about people—principally the customer but also the employees tasked to service their needs.”</p> | | |
| https://sm.asisonline.org/Pages/Port-Protection.aspx | Port Protection | GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">It was Christmas Eve in Tampa, Florida, and Laura Hains, CPP, a Customs and Border Protection (CBP) supervisor, was awoken by a phone call: “Laura, we have an anomaly. You need to come in.” She drove to Port Tampa Bay, the largest port in Florida, where she worked as a cargo and port security specialist. When she arrived, the crew filled her in on the details: a shipping container of crackers from Italy had arrived at the port, and a standard scan had revealed a large, dark mass in the center of the container. The mass was recorded on the scanners as possible radiological material.</span></p><p><em>Oh gosh, this is it,</em> Hains thought.</p><p>By the time Hains had called all the people who needed to know, it was Christmas Day. Officials were hopping on expensive last-minute flights to Tampa, and local law enforcement was called to the scene. Hains and her team opened the back of the container and began unloading it. As the supervisor, Hains offered to climb in first. It took almost two hours of rearranging and removing boxes to reach the center of the container, and each step Hains took destroyed the cargo beneath her feet. She dug down, looking for the anomaly…and discovered a crate of wine the shippers had sent as a Christmas present. </p><p>Hains has seen a lot in her 20-plus years in the port security industry, and fortunately most of her experiences have been as benign as the Christmas incident. However, she says it’s only a matter of time until some group takes advantage of the maritime supply chain to debilitate a U.S. port, or worse.</p><p>“The fear is that out of the 4 million containers that arrive in U.S. ports each year from around the world, all it takes is one to bring a dirty bomb,” Hains said during a maritime security session at the ASIS International 60th Annual Seminar and Exhibits.</p><p>And Hains is not the only one with concerns about port security. The Government Accountability Office (GAO) recently published reports and testified before Congress about the challenges faced by port security programs, as well as the need for the U.S. Department of Homeland Security (DHS) to address port cybersecurity. </p><p>Stephen Caldwell—who last month retired as director of homeland security and justice at GAO—spearheaded the two reports, Progress and Challenges with Selected Port Security Programs and DHS Needs to Better Address Port Cybersecurity. He says that one issue plaguing U.S. ports is the failure to assess various security programs.</p><p> “There are a lot of challenges in developing meaningful performance measures,” Caldwell says. “In terms of the security measures you have in place and your ability to measure the things you have in place, there are real difficulties in measuring things like deterrents and security.”</p><p>That’s not surprising, considering the activity that takes place at U.S. maritime ports. More than $1.3 trillion in cargo enters the country by sea annually, and approximately 90 percent of the goods consumed in the United States come by vessel, Hains said. Two ports, the Port of New York and New Jersey and the Port of Los Angeles and Long Beach, receive half of all those containers.</p><p>“As security experts, that should be a little alarming to you, because that means that if those two ports got hit, 50 percent of our container traffic would go down,” Hains noted.</p><p>DHS is the lead federal department when it comes to port security. The Transportation Security Administration (TSA) controls who can enter the ports. The U.S. Coast Guard conducts facility and vessel inspections at ports, and the CBP is involved in screening throughout the global supply chain process.</p><p>Port security, and maritime supply chain security in particular, is dictated by a number of laws and regulations intended to enhance security. Some of these regulations were analyzed in the GAO reports. The Security and Accountability for Every Port Act (SAFE), along with the 9/11 Commission Act, requires DHS to implement 100 percent screening of all cargo that enters U.S. ports, as well as 100 percent physical scanning of high-risk cargo. And the Container Security Initiative (CSI) places CBP officials at selected foreign ports to assess the risks of shipping out of that country. </p><p>Here’s how a shipping container moves from overseas to a U.S. port under the various shipping regulations: Before the cargo container is loaded onto a vessel, its manifest—the list of cargo in the container—is screened by CBP and a risk score is assigned to the container by an automated targeting system. Where it’s coming from, whether it’s from a trusted shipping company, and the type of cargo being shipped are all factors considered. If the score passes a certain threshold, it’s flagged for extra radiation and x-ray scanning, in accordance with the SAFE Port Act. If it passes, the vessel is then sent on its way and eventually arrives in a U.S. port, where, depending on the targeting system score, it may undergo another x-ray or radiation scan. </p><p>This current method concerns Hains. The risk score is based on the manifest, not the cargo itself, and it doesn’t necessarily account for a stop in another country before arriving in the United States. For example, a container could be shipped from Pakistan to Spain, then from Spain to England, put on a new boat in England, and sent to the United States. The CBP officials at the receiving port will only know that the container came from England and may not screen it as thoroughly, Hains explained. </p><p>“These containers and ships move by trust, based on what’s on the manifest, passenger list, and port assessments,” Hains said. “Every day in the United States, vessels arrive and containers arrive, and we believe what it says on the manifest.”</p><p>The GAO also found flaws in the current system. The agency notes that the automated targeting system used to rate containers is based on outdated intelligence information, and Caldwell says the organization is auditing the ranking program to learn more about how effective the practice is. </p><p>Another concern the GAO raised in its reports is the effectiveness of screening mandated by the SAFE Port Act. The law was initially supposed to be implemented in July 2012, but in May 2014 the secretary of homeland security extended the deadline until May 2016. However, only an estimated 4.1 percent of containers are currently x-rayed before they come to the United States. </p><p>“DHS’s position is that this is not doable and not something that really makes sense, but it’s still a statutory requirement and will remain so until the law is revised,” Caldwell explains.</p><p>GAO found that some international privacy laws prevent the sharing of screening information, which makes the SAFE Port Act challenging to implement, Caldwell says. After a container is scanned overseas, communicating the findings becomes difficult due to issues such as who owns the data, whether it can be shared with the United States, and even whether CBP, a private company, or the host government should do the scanning. DHS believes that scanning all cargo, including trusted or low-risk containers, is not the best use of its resources, he explains. </p><p>“Even if you went to that 100 percent scanning, until you look at the details of the implementation, it’s hard to know if it would even improve security,” Caldwell asserts. “If there’s no training standard, then you get the Pakistanis or Indonesians, as well as others, like the Brits and New Zealand, and do they have the same training? Do they have the same level of skill in interpreting those x-ray images?”</p><p>The CSI, which places border patrol officials in foreign ports to conduct risk assessments, is “the biggest boondoggle that the CBP has,” Hains said. According to the GAO report, CBP has not assessed the risks posed by foreign ports that ship cargo to the United States since 2005, which means that many of the 58 foreign ports that participate in the initiative haven’t been assessed for threats in a decade. Both Caldwell and Hains question how well the foreign ports are managed by CBP officials.</p><p>Another concern Caldwell has is the sustainability of the current port security systems. Budget cuts have caused both CBP and Coast Guard personnel to be pulled from port security. </p><p>In June of last year, the GAO released an entire report on port cybersecurity. Like most critical infrastructure, maritime stakeholders rely on numerous types of information and communications technologies to manage cargo, the report states. Port owners and operators are responsible for the cybersecurity of their operations, but the report found that ports are receiving little to no guidance from the federal government. </p><p>The report cites a 2011 cyberattack on the Port of Antwerp as an illustration. In that incident, hackers accessed the computer systems of two container terminals, which allowed them to track and control the movements of certain containers. Criminals in another country would place illegal goods in a container, and once it arrived in Antwerp the hackers could divert it so it would not be screened before it left the port. This went on for two full years until officials arrested nine members of the criminal group in 2013 and seized almost a ton of heroin, as well as firearms and other contraband. </p><p>Caldwell says he was surprised at how weak maritime cybersecurity initiatives are. “There have been national-level strategies and presidential directives that have clearly said, ‘Hey, federal government, you need to start looking at the cyber as well as the physical aspects of security.’ And yet the Coast Guard was not moving smartly.” Since the cybersecurity report came out, Caldwell says the Coast Guard has agreed to take steps to address the cybersecurity threat. </p><p>One way to make the supply chain more secure and consistent is proper training, Hains said. Due to budget cuts and CBP reorganization, it’s increasingly common for immigration officials with little to no customs and shipping training to be put in charge of interpreting the cargo risk assessments. </p><p>A well-trained official should be able to consider not only the manifest and the automated risk assessment score, but the origin of the products, the weight of the crate, and more. Hains said that an experienced official may notice that the container weighs more than it should as indicated by the manifest, or that it’s from a first-time shipping company, even though it’s from a trusted country. These would make the container high-risk, and officials could further scan the cargo before it gets to U.S. shores.</p><p>Another solution Hains advocates for is the implementation of container security devices. She notes that the technology is still new and expensive, but the sensors can be retrofitted onto any container and would alert officials to the presence of numerous chemical tracers, as well as carbon dioxide to detect humans, light sensors to detect whether the container has been compromised, and geofencing to make sure the container or its contents aren’t stolen. </p><p>“It’s the only way we’re going to make ourselves safe,” Hains said.</p> | | |
| https://sm.asisonline.org/Pages/Cyberthreat-Glossary.aspx | Cyberthreat Glossary | GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">Hackers are using increasingly sophisticated methods to plunder assets, gain attention, and line their pockets—all while wreaking possible havoc on your organization. Cybersecurity experts give an overview of some of the biggest threats currently on the cyberscape.</span></p><h4>What's the Difference?<br><br></h4><p><strong class="ms-rteStyle-Accent1">Malware: </strong>The term malware is derived from the phrase “malicious software.” Malware is written to damage or perform unwanted actions on a computer machine. Worms, viruses, and Trojans are among the common types of malware. Hackers can install malware on machines in a number of ways, including through spear-phishing e-mails, infected Web pages, and Web downloads. Once malware has infected a machine or site, the hacker can gain access or control and move through the network. </p><p><span style="line-height:1.5em;"><span class="ms-rteStyle-Accent1"><strong>Vulnerability: </strong></span>A weakness in an operating system or network that can be exploited for the hacker’s gain. These flaws permit hazardous situations to occur, and software updates known as patches are used to fix them. Heartbleed and Shellshock are notable vulnerabilities that emerged in the past year. Injection attacks also occur when a server contains a vulnerability, allowing the attacker to “inject” malicious code in a website’s script even though the page appears innocuous.</span></p><p><span style="line-height:1.5em;"><em>Sources: National Initiative for Cybersecurity Careers and Studies/U.S. Department of Homeland Security, FortiGuard Labs</em></span></p><p><span class="ms-rteStyle-Accent1" style="line-height:1.5em;"><strong>Bitcoin-Mining Malware</strong></span><br></p><p>A cyberattack where computing devices are hacked to run code that solves complex algorithms to generate Bitcoin currency. Cryptocurrencies, like Bitcoin, are “mined” by solving complex algorithms, a process that gets harder as it goes on, requiring more and more computing power, and electricity, to generate new currency. The hacker uses malware to infect the computer drives, harnessing their collective power to generate Bitcoins. This type of attack can occur on both computers and smartphones and has been used in surveillance cameras. Criminals typically focus on machines with enough number-crunching power to generate Bitcoins quickly. </p><p><span style="line-height:1.5em;"><em>Stephen Cobb, Senior Security Researcher, ESET</em></span><br></p><p><span class="ms-rteStyle-Accent1" style="line-height:1.5em;"><strong>Point-of-Sale Malware</strong></span><br></p><p>Retailers use point-of-sale (POS) systems to ring up orders and collect credit card information for in-store retail purchases. POS malware was instrumental in several major public breaches such as those at UPS, Target, and Home Depot. These represent millions of compromised credit card numbers and tremendous losses associated with investigating and remediating the underlying issues. This will likely continue to be a focus area for attackers due to the easy availability of valuable credit card data, as well as retailers’ reluctance to overhaul their POS systems. </p><p><span style="line-height:1.5em;"><em>Dan Cornell, </em></span><span style="line-height:1.5em;"><em>Principal, </em></span><span style="line-height:1.5em;"><em>Denim Group</em></span></p><p><span class="ms-rteStyle-Accent1" style="line-height:1.5em;"><strong>Darkhotel</strong></span><br></p><p>The targets of this advanced persistent threat campaign, which has been in operation for almost a decade but has recently grown larger, are top executives and high-tech entrepreneurs from companies around the world. The attacks happen when executives stay at certain luxury hotels in different countries in the Asia-Pacific region. The actor uses a set of three attack techniques, including compromising specific hotel networks, then staging attacks from those networks on selected high-profile victims. Another Darkhotel offensive technique is to spread malware indiscriminately via peer-to-peer file-sharing sites. The attackers also use spear-phishing e-mails to infiltrate organizations from different sectors. </p><p><span style="line-height:1.5em;"><em>Kurt Baumgartner, </em></span><em style="line-height:1.5em;">Principal Security Researcher, </em><em style="line-height:1.5em;">Kaspersky Lab</em></p><p><span class="ms-rteStyle-Accent1" style="line-height:1.5em;"><strong>Advertising Malware</strong></span><br></p><p>There are two schemes by which systems infected with malware can make money for their bot owners through the exploitation of digital advertising.</p><p>The bot owners can sell ad space to purveyors of highly questionable and sometimes fraudulent products or services and present the resulting ads to the user of the infected system. This often results in pop-up ads—the malware can disable the browser’s pop-up blocker—and can make the system nearly unusable. </p><p>In the second scheme, the bot owners can instruct the system to click on ads served up at fake websites that the bot owners control and thereby defraud the legitimate companies placing these ads. This is done without any visible sign to the end user. The ad clicks emulate what a browser would do if a user clicked on the ad, but without actually using a browser.</p><p><span style="line-height:1.5em;"><em>Oliver Tavakoli, </em></span><em style="line-height:1.5em;">Chief Technology Officer, </em><em style="line-height:1.5em;">Vectra Networks</em></p><p><span class="ms-rteStyle-Accent1" style="line-height:1.5em;"><strong>Shellshock</strong></span><br></p><p>In this cyberattack, computing devices are hacked to run code that affects Bash, one of the most commonly used Linux shells in the world. Any Linux service that interacted with Bash, allowing settings to be imported, was vulnerable. The vulnerability was particularly problematic because it allowed remote code access, meaning that hackers could interact with a service remotely as if they were on the server. The attack was widespread—most people running Linux were affected. The bug was uncovered in September 2014, and software companies began releasing patches to fix the vulnerability. </p><p><span style="line-height:1.5em;"><em>James Foster, </em></span><em style="line-height:1.5em;">Chief Executive Officer, </em><em style="line-height:1.5em;">ZeroFOX</em></p><p><span class="ms-rteStyle-Accent1" style="line-height:1.5em;"><strong>SQL Injection Attacks</strong></span><br></p><p>SQL (structured query language) is the “language” used in modern relational databases like MySQL, Microsoft SQL Server, and Oracle. In today’s data-driven world, many Web applications and services rely upon SQL databases to store countless gigabytes of information. Everything from sensitive financial information to usernames and passwords can be stored in back-end databases that are integrated into the Web applications and sites everyone uses on a daily basis. A successful SQL injection attack can allow an attacker free rein over the data stored in the database. </p><p><span style="line-height:1.5em;"><em>Richard Henderson, </em></span><span style="line-height:1.5em;"><em>Security Strategist, </em></span><span style="line-height:1.5em;"><em>FortiGuard Labs</em></span></p><p><span class="ms-rteStyle-Accent1" style="line-height:1.5em;"><strong>Heartbleed</strong></span><br></p><p>A flaw in OpenSSL’s session “keep alive” function allows remote users to read random chunks of a Web server’s memory. Using this attack, a persistent attacker can even obtain the server’s private keys, which are what keeps most encrypted connections private on the Internet. Heartbleed made the news in a big way, and it led to expedited patching by system administrators worldwide. </p><p><span style="line-height:1.5em;"><em>George Baker, </em></span><span style="line-height:1.5em;"><em>Director of Professional Services, </em></span><span style="line-height:1.5em;"><em>F</em></span><span style="line-height:1.5em;"><em>oreground Security</em></span></p> | | |
| https://sm.asisonline.org/Pages/Signal-Stoppers.aspx | Signal Stoppers | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">GPS, owned by the federal government as a national resource, was originally developed in 1973 by the U.S. Department of Defense to overcome the limitations of previous navigation systems. In 1983, after Korean Air Lines Flight 007 was shot down after straying into the USSR’s prohibited airspace, President Ronald Reagan issued a directive making GPS freely available for civilian use. Initially, the highest quality GPS signal was reserved for military use, with the signal available for civilian use intentionally degraded—a move known as selective availability. However, President Bill Clinton ordered that selective availability be turned off in 2000.</span></p><p>Since then, GPS has been periodically improved, and now provides location and time information in all weather conditions anywhere on earth, as long as there is an unobstructed line of sight to four or more GPS satellites. Nonetheless, GPS signals are faint, which makes it relatively easy for a GPS jamming device to swamp the circuitry in the receiving hardware so it cannot detect the GPS signal. As one expert described it, trying to use jammed GPS is like trying to spot a firefly in the distance with a searchlight shining in your eyes. </p><p>For the Federal Communications Commission (FCC), GPS jamming is a serious issue. Last June, the agency issued a $34.9 million fine, the largest monetary penalty in agency history, against the Chinese electronics manufacturer and online retailer C.T.S. Technology for allegedly marketing 280 models of signal jamming devices to U.S. consumers for more than two years. </p><p>“Jamming devices pose tangible threats to the integrity of U.S. communications infrastructure. They can endanger life and property by preventing individuals from making 911 or other emergency calls or disrupting the basic communications essential to aviation and marine safety,” the FCC said in the fine notice.</p><p>The fine came after an extensive undercover operation conducted by the FCC’s own enforcement bureau. The agency has charged that devices made by C.T.S. Technology not only jammed the communications signals as advertised, but blocked communications beyond the scope of those listed in their advertisements and marketing materials, which is potentially more harmful. The agency also alleged that C.T.S. Technology misled consumers: the company claimed on its website that certain signal jammers were approved by the FCC for consumer use.</p><p>“These apparent violations are egregious, escalated over more than two years, and continue as of the date of this action. We therefore propose the maximum penalty permitted by statute,” the FCC said. An FCC spokesman demurred when asked about the current status of the action: “I can’t speak to any active enforcement actions [or] investigations under way, but can confirm the FCC is vigilant in pursuing jamming enforcement,” he told Security Management. </p><p>As the C.T.S. Technology case shows, GPS jammers can be purchased over the Internet, often for a modest price. Since jamming technology generally does not discriminate between modes of communication, the same jammer can prevent a cell phone from making or receiving calls; prevent a Wi-Fi enabled device from connecting to the Internet; prevent a GPS unit from receiving correct location positioning signals; and prevent a first responder from locating someone needing assistance in an emergency.</p><p>While the GPS jammers purchased over the Internet are mainly for land use, GPS manipulation is also on the rise on the high seas. Over the past two years, there has been a 59 percent increase in the number of ships transmitting incorrect positioning information, which allows these ships to obscure their locations, according to a recent report by the data and analytics firm Windward. </p><p>Many of these seaborne GPS manipulators are fishing vessels, and they do so for economic or competitive reasons, says Windward CEO Ami Daniel. (Chinese fishing vessels account for 44 percent of these GPS manipulators, the report found.) Some of these boats may have exceeded their catch quota and want to fish without anyone knowing. Others may have found a great fishing spot and don’t want competitors finding out where it is. </p><p>And some vessels manipulate GPS data for criminal reasons, such as a smuggling mission. One common method of manipulation at sea is to cross the cables that relay positioning information, so that the latitude cable is actually reporting the ship’s longitude, and vice-versa, Daniel explains. Nonetheless, such manipulation on the high seas is especially troubling because of the reach of global seaborne commerce—roughly 90 percent of the world’s trade is transported by sea. “The oceans remain one of the last Wild West frontiers,” he says. </p><p>Other GPS manipulations have come to light recently. In the last few years, South Korean officials have reported that the North Korean government is using large-scale GPS jammers to interfere with South Korean GPS military and civilian receivers on land and at sea. On a smaller scale, criminals in the United States have hijacked trucks filled with high-value goods by jamming GPS and mobile phone signals, so drivers cannot specify their location and call for help during the attack.</p><p>And there’s always the possibility that terrorists could try to disable the GPS signal for an entire American city. Given this and other concerns, development efforts for a back-up system continue. The Defense Advanced Research Projects Agency (DARPA) has been developing a single-chip timing and inertial measurement unit (TIMU) that uses tiny gyroscopes and accelerometers to track position without the aid of satellites or radio towers. The TIMU prototype is smaller than a penny and works by measuring orientation, acceleration, and time.</p><p>In the meantime, the FCC is still on the hunt for GPS jammers. Any security practitioners or executives who suspect that their company or operations may have experienced GPS signal jamming can call the FCC’s jammer tip line at 1-855-55-NOJAM. </p> | | |
| https://sm.asisonline.org/Pages/Shots-Fired.aspx | Shots Fired | GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 | <p><span style="line-height:1.5em;">A 3-square-mile patch of South Bend, Indiana, is home to approximately 38 percent of the city’s overall gun crime and about 57 percent of its murders. Historically, about 8 percent of these were reported to police via a 911 phone call, putting the community significantly below the 20 percent national reporting average.</span></p><p>For Chief of Police Ron Teachman, who relocated to the city in January 2013 after a 30-year career in law enforcement in Massachusetts, the numbers were shocking. </p><p>The number of shootings, coupled with the low reporting, raised a number of concerns. Did individuals not recognize the sound of gun shots? Were they convinced that someone else would report the gunshot? Did they fear retaliation for reporting the incident?</p><p>The low reporting also raised safety concerns for the police officers who patrol the area. “My officers were riding around in their squad cars on their beats, deaf and blind to the threat level that they may encounter,” Teachman explains.</p><p>And when incidents were reported, officers often weren’t able to get to the scene quickly enough to catch the shooter and had difficulty tracking down evidence, because they didn’t have a specific location where the shooting took place. </p><p>This lack of success also contributed to community mistrust, possibly further decreasing the likelihood that someone would report gunfire. </p><p>Teachman decided to implement a gunshot detection location technology. He had used ShotSpotter (SST) during his tenure as police chief in New Bedford, Massachusetts. ShotSpotter had recently updated its product to a flex system (SST Flex), allowing police departments to contract its services for two-year periods instead of buying the technology outright. SST Flex went live in South Bend in January 2014, in the most violence-prone part of the city.</p><p>The SST Flex solution works by using sensors that are installed on the exteriors of buildings. Three sensors work together each time a gun is fired to triangulate the location of the shooter within a 25-meter area, which is then sent to a real-time incident review center operated by SST. It is then forwarded to the South Bend Police Department (SBPD) if it’s a qualified alert, not a false positive—such as a firework or a car backfiring. This enables police to respond to incidents more quickly.</p><p>The installation has had numerous benefits for SBPD, the most obvious being that officers now have a specific location to begin their search when an SST alert is issued. Because the notifications are sent out at a 20- to 30-second delay to filter out false positives, officers are less complacent when they are notified of a possible shooting, Teachman notes.</p><p>Additionally, officers are increasingly more likely to be able to gather evidence from shootings when they’re alerted to an incident via SST. According to Teachman’s records, officers find evidence in 50 percent of incidents when they’re alerted via SST and 911. Previously, officers found evidence in only about 5 percent of cases when they were dispatched following a 911 call alone. </p><p>This increase in evidence gathering has also improved the relationship between law enforcement and the community. Teachman says that the public has embraced the new system. “They feel more engaged, they’re willing to give information out because they think it will go someplace. And that’s huge. You solve cases,” he says.</p><p>Since installing the system and becoming involved in the National Network for Safe Communities, which is a group violence intervention strategy, South Bend saw a 40 percent decrease in persons shot during the summer of 2014 and a 38 percent decrease overall to date. The number of 911 calls has also increased in the SST coverage area, up to 25 percent from the 8 percent rate in previous years. “I think that’s pretty strong evidence that this technology works,” Teachman says.</p><h4>Enhancing 911<br></h4><p><span style="line-height:1.5em;">A gunman has penetrated the school’s perimeter, and while the principal calls 911 to report an emergency, the call goes to a dispatch center, is put on hold, then transferred to another call center before being relayed to police officers in the area to respond. Precious minutes tick away, time that could be the difference between life and death for the students in the building.</span><br></p><p><span style="line-height:1.5em;">While this scenario might seem unreal, it happens in rural areas of the United States where police officers and emergency dispatch centers are spread thin. One state where this is a concern is New Hampshire, which covers 9,350 square miles and where 275 police departments protect 1.3 million people and more than 600 public schools, says Kensington Police Chief Michael Sielicki. </span><br></p><p>Sielicki, who just wrapped up a year as president of the New Hampshire Chiefs of Police Association, has worked at various police departments in the state. At these departments, there is frequently only one officer on duty who can respond to an incident. This presents concerns during an active shooter situation.</p><p>In December 2013, Sielicki discovered a product that reduced alert times drastically, from minutes down to seconds. He was at the annual winter conference for the New Hampshire Chiefs of Police Association when he met a representative from COPsync who wanted to pitch a new product to him: an alert system that would almost instantaneously notify law enforcement to the presence of active shooters at a school. </p><p>“That’s a game changer, especially in rural towns—like in New Hampshire and other states where you have a limited response when information gets out,” Sielicki emphasizes.</p><p>Sielicki liked what he saw so much that he convinced the representatives to stay an extra night and pitch the new product, COPsync911, to the entire conference, launching an initiative to install it at police departments and schools throughout New Hampshire.</p><p>COPsync911 is a real-time threat alert system that acts as a bridge between a school and local law enforcement. The system runs through a software program that is installed on police cruiser laptops and on dispatch center and school computers. When a school is under threat, a user can click the COPsync911 icon on the desktop, and 15 seconds later an alert is sent to the five closest patrol cars, officers, and the local dispatch center, notifying them of a threat at the school. They can then respond to the situation without waiting for the alert to be processed through the 911 dispatch center. </p><p>COPsync911 also provides law enforcement with GPS mapping and directions to the threat location, along with target floor plans with labeled classrooms, exits, and entrances. “With COPsync911, those people in the field…are going to get notified simultaneously as to what’s going on in that school, and the alert comes right down to the specific classroom where that alert is taking place,” Sielicki says. </p><p>The system can also be used via a mobile app for smartphones and tablets and will only share information with users who have authorized access. COPsync911 works by allowing schools to designate the individuals they’d like to be part of the alert system, such as faculty, staff, and local law enforcement. The system allows for unlimited users. </p><p>COPsync911 also provides reverse notification. For instance, if law enforcement were to get a 911 call saying that someone’s behind a school with a weapon, it could send an alert from a police cruiser or dispatch center informing the users at that particular school and urging them to take lockdown precautions.</p><p>This feature is customizable so the alert can be sent to everyone in the specified network, or to an individual user. “The superintendent or the principal can say, ‘I want that reverse alert to come to me so I can determine what type of lockdown procedure to take so that it doesn’t show up on every teacher’s smart board as they’re teaching a class,’” Sielicki explains.</p><p>However, Sielicki points out that the system doesn’t reduce the power of traditional 911. “This does not take away 911, this enhances 911,” he says, because it ensures that schools have the ability to immediately alert law enforcement to a scenario, rather than being relayed through a dispatch center and waiting for the information to get out that an active shooter is in the building, for example.</p><p>Because of the popularity of the program with the police chiefs at the winter conference, Sielicki decided to spearhead an effort to get COPsync911 adopted statewide. He worked with the New Hampshire Sheriff’s Association and the New Hampshire Tactical Officers Association to secure grant funding to install it throughout the state.</p><p>The two groups appealed to the New Hampshire Department of Homeland Security, which saw “the power of the system,” Sielicki says, and took it to the governor’s office, working out a program that allows emergency performance grant money to fund installations of COPsync911 in every school, dispatch center, and police cruiser, for localities that choose to apply for it. The program will run through 2017. </p><p>“Ensuring public safety, especially for our schools and our young people, is state government’s most important responsibility,” said Governor Maggie Hassan in a press release on COPsync911. “This enhanced emergency notification system will improve school security, providing a real-time school threat alert solution that notifies dispatch and the closest law enforcement officers.”</p><p>The grants are a 50 percent match and allow applicants to use soft funds to raise their portion. “So if you have somebody in your community that wants to pay for the match, they can do that,” Sielicki says. The turnaround process for grant approval is also quick, typically no more than 30 days with reimbursements to communities for installation in less than 30 days as well.</p><p>As of September 2014, 21 communities in New Hampshire had applied for the grant to install COPsync911, and Londenderry, Stratham, and Kensington have installed the system. Sielicki says he expects more communities to apply for and install COPsync911 as word about the program continues to spread.</p> | | |