Security Management

After an Active Shooter
<p>Organizations affected by an active shooter event will face extraordinary challenges from the moment the first shot is fired. Even if the company is able to maintain business operations in the aftermath, the physical and emotional recovery can go on for months and years after the event. Besides reevaluating physical security measures, updating business continuity plans, and dealing with possible lawsuits, companies also have a responsibility toward their employees who have suffered severe emotional trauma. </p><p>To recover from an active shooter event, restore business operations, and retain employees, experts say that business continuity planning, communication strategies, and personnel issues should be among the top priorities for organizations. In this article, experts discuss what security professionals can do in the aftermath of an incident to recover as quickly and effectively as possible.</p><h4>Business Response</h4><p>Business operations will be devastated by an active shooter situation, experts say. Access to the building, or at least the floors where the incident occurred, will be virtually impossible.</p><p>“Law enforcement is going to lock down the building, and it may not be given back for many days,” says Dave Hunt, senior instructor at Kiernan Group Holdings, a consulting firm that assists companies in planning for and responding to active shooter events. “It depends entirely on the extent of the incident–how many injured, dead, how many bullets? Every single trajectory of every single bullet, every shell casing, is all going to be essentially recovered.” </p><p><strong>Communication.</strong> Having a well-prepared crisis communications plan in place before an incident is crucial, but executing that strategy is inevitably more difficult when faced with a real-life tragedy. 
Experts say that an organization needs to maintain open communication with various groups following an active shooter event.</p><p>Because news travels at lightning speed, any organization affected by an active shooter event can expect the media to pick up on it almost immediately. “When an incident occurs, local media, newspapers, and TV stations are going to hear about it and they’re going to descend on that campus or facility,” says Josh Sinai, principal analyst at Kiernan Group Holdings, “and this will happen within 30 minutes.”</p><p>Talking to the media and the public can be one and the same, says Hunt, and he recommends that companies put a message on their social accounts and websites, and have a skilled speaker to talk to the press. “The media is one avenue through which the public can be communicated to,” he says, “but today we can also communicate with the public directly via Twitter, websites–there are all kinds of different social media options.” </p><p>Larry Barton, a crisis management consultant, echoes this sentiment: “Get to the media before they get to you.” He recommends that leadership have several preplanned responses to rely upon and modify, as needed. </p><p>“This is where a company can really distinguish itself by being crisis-prepared. Have your frequently asked questions ready, and start filling in the blanks from the moment the incident occurs,” Barton says. “You can keep refining them, you can keep massaging them, but get them started.”</p><p>These communication techniques work in the case of any crisis, says Darryl Armstrong, crisis communications expert at Armstrong and Associates. For example, one of his clients, a company responsible for large cleanup jobs after natural disasters and other hazardous events, used prewritten statements for large-scale incidents to quickly communicate with the media. </p><p>“On the front end, they sat down as a core team and had put together an extensive set of media holding statements,” he says. 
These holding statements are prewritten messages that refer to specific event types, such as active shooter, fire, or medical hazard. The documents can be easily accessed and modified during a crisis, then quickly sent out to the media and the public. </p><p>He adds that the company also took the time to think about “every single question imaginable” that could come up in a press conference for any given disaster. “There was not a single question in the press conference they were not prepared to handle,” Armstrong says. </p><p><strong>Stakeholders.</strong> Communicating with family members of employees, especially those who are killed or wounded, should be a priority for companies after an active shooter event. </p><p>Barton, who helps clients prepare for and respond to active shooter and workplace violence events, tells Security Management that he recently worked for an industrial facility in Tennessee that lost three employees in a workplace shooting. Within an hour after the incident, the employer had contacted all the victims’ families. This should be a standard practice for any company that finds itself in a similar crisis, he says. </p><p>“There is not an ounce of liability associated with being kind to a family after an active shooter event,” he notes. “We have to say to our legal colleagues in HR, ‘This is not about the handbook, this is about the Golden Rule. We have to do the right thing.’”</p><p>Small and family-owned businesses tend to handle these events with more empathy, making for a faster overall recovery, says Armstrong. “In the recovery phase, they make themselves available. They go out of their way to do what they can to help the victims’ families, and the communities rally around them,” he notes. </p><p>He adds that universities are another sector that handles communicating with stakeholders well, given that there are usually guidance counselors and psychologists on staff. 
“Their crisis management teams typically include people who are interacting daily with students and parents, so they are able to empathize.” </p><p>Barton adds that while social media makes a great tool for communicating with the public post-incident, the platform is not appropriate for informing family members of any details. “Shame on any company where an employee’s loss of life is shared with the family by Twitter. That has happened, it will continue to happen, and you must never allow that to happen on your watch.”</p><p>Organizations may consider using “dark websites” that go live in the event of an emergency. When someone types in the main URL for the organization, they are redirected to a ghost site that has the latest information available. Armstrong recommends that organizations set up these pages to have at least 10 times the bandwidth as their normal site to accommodate heavy traffic. ​</p><h4>Recovery</h4><p>A well-prepared organization can continue business operations in the event of a range of hazards, such as bad weather or a fire, and it can build off those same crisis continuity plans when recovering from an active shooter event. “This is one more threat that your organization should be preparing for to determine how you can continue operations,” Hunt says. </p><p><strong>Business operations. </strong>Hunt recommends identifying an off-site location where operations can take place while the building is still being evaluated by law enforcement or damage is being repaired. IT systems should be backed up so they can be accessed from anywhere. </p><p>“You need redundancy for roles,” adds Sinai, who says that at least one additional person should be trained in each major position at an organization. That way if someone in a leadership role is killed or injured, their job function is not completely lost. </p><p>Company leaders will still be addressing basic questions of business operations that could easily be overlooked in the aftermath of a tragedy. 
Barton notes that employees who survive an incident are still worried about their livelihood. “Besides asking who got hurt or was killed, the second thing is, ‘Are we going to be paid?’” he notes. “So we have to have our leadership rehearse and train on a wide variety of questions that will come up.”</p><p>As a benchmark for business recovery, Sinai cites the example of a beer distribution plant in Manchester, Connecticut, that suffered an active shooter event. On August 3, 2010, eight employees of Hartford Distributors were killed by another worker at the facility who was being escorted out of the building after resigning. “It was a small business, it didn’t have the resources of a big company,” Barton says. But this distributor reached out to surrounding companies for help. </p><p>The beer distributor didn’t have a trained counselor on staff, so Manchester law enforcement contacted area businesses to get trauma counselors and ministers onsite. “Know the community resources that can be at your site within an hour after any catastrophe,” Barton says. </p><p>An offsite location was being set up for business operations, but employees protested, saying they felt strongly about returning to the original facility as soon as possible. In the days following the shooting, 100 employees from other beer distribution plants in Connecticut, as well as in Rhode Island, came to assist the company in keeping business operations on track. A memorial service was held for the employees who lost their lives. The company president addressed workers on the front lawn, in front of a makeshift memorial, before they reopened their doors. </p><p>Just two months after the tragedy, Hartford Distributors merged with another beer company, Franklin Distributors, forming a larger organization. “The shooting was a very tough thing for all of us to go through,” Jim Stack, president of the new business, said to the Hartford Business Journal in a January 2011 article. 
“It certainly slowed some things down for us in coming together, but it did not stop us.”</p><p><strong>Emotional response.</strong> The trauma inflicted on those who survive an active shooter incident can be enormous, and experts say that businesses ought to prepare in advance to provide mental health assistance for affected employees. This will help businesses recover more quickly by retaining experienced workers, and provide employees with the emotional help they need. </p><p>Hunt cites the Navy Yard shooting in Washington, D.C., in September 2013, when a shooter killed 13 employees. He says that employees were shaken that an active shooter could breach a secure military installation. “People who were interviewed following that incident were asked, ‘Do you feel safe going back to work?’ and the answer was, ‘No, I don’t feel safe going back to work.’” Hunt notes. “So you have the potential of losing employees, which are your most valuable asset, as a result of this incident.” </p><p>Employees may not show immediate signs of trauma–negative emotions could surface months later. “Depression and PTSD are rarely going to emerge in the first hour. Your body is still in shock,” Barton says.  </p><p>Experts stress the importance of employee assistance programs (EAPs), which are confidential and provide counseling, assessments, and referrals for workers with personal or work-related concerns. </p><p>“In all 50 states you can mandate that an employee actually go to an EAP program if there was a critical incident,” Barton notes, though he doesn’t recommend it in every case. </p><p>To order an employee to seek counseling, the worker must demonstrate tangible evidence that they may pose a risk of harming themselves or others, Barton says, such as mentioning suicide, a desire to hurt others, or talking about weapons. 
Employers may decide instead to have a sit-down with that worker and have them sign a letter acknowledging they made the remarks, but understand doing it again could result in termination. “EAP is not your human resources department, they are there to support your HR department,” he emphasizes. </p><p>There will also be organizations indirectly affected by shootings. For example, Barton worked with one financial firm that had a worker lose a family member in a high-profile mass shooting. The other employees struggled with how to respond to him emotionally. The company asked Barton to hold a debriefing to address people’s concerns. </p><p>“I heard it all,” Barton says. “Do you leave a card on the desk? Do you kind of ignore him and just look the other way? Do you come up and say, ‘I have no idea what you went through but my prayers are with you?’” Ultimately, he says you can expect a variety of emotions expressed by employees at businesses both directly and indirectly impacted by these events, including fear, sadness, and even anger. </p><p><strong>Outlook. </strong>Conducting an after-action report may be a good idea for organizations that have suffered an active shooter event, experts say. It not only helps evaluate what worked and what did not in response to an incident, but other practitioners can turn to these documents for their own planning. “It’s very important for a security officer to look at after-action reports and to get best practices out of it,” Sinai says. </p><p>He cites the after-action report completed by the U.S. Fire Administration on Northern Illinois University (NIU) after a classroom shooting on campus in 2008. That tragedy left six people dead, including the perpetrator. </p><p>The report cites that NIU had studied the official report on the Virginia Tech Shooting and was prepared for the tragedy that occurred in its own building just a year later. 
“The value of that report, their training, and their joint planning was apparent in the excellent response to Cole Hall,” the after-action report stated of the university. </p><p>While organizations may recover from a business standpoint, there may be significant changes implemented afterwards. For example, the building that formerly housed Sandy Hook elementary was torn down, and a new facility was constructed at the same site. That building reopened in August of last year, nearly four years after the shooting. In the case of Virginia Tech, the classroom building where the second shootings took place was turned into a dormitory hall. </p><p>Overall, Hunt says that while organizations can never fully prepare themselves for a tragedy, they can learn from even the worst of situations. “You’re going to identify a lot of areas that can be improved,” he says. “There’s never going to be a perfect plan or a perfect response.” </p><p><em>To read how the city of San Bernardino recovered from the 2015 holiday party shooting that killed 14 people, <a href="/Pages/Responding-to-San-Bernardino.aspx" target="_blank">click here.</a></em></p><p>--</p><h2>Active Shooter Liability</h2><p>In the case of an active shooter, U.S. companies are liable for protecting their employees as in any workplace violence incident. Under the U.S. Occupational Safety and Health Act of 1970, every U.S. employer is required to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees.” U.S. state and local provinces may also have their own relevant laws.</p><p>Hunt says companies that suffer a shooting can expect lawsuits. “If a family member is killed or injured here, there’s a high likelihood there will be a lawsuit alleging that not enough was done to prevent the incident, or to protect them during the incident,” he says. 
The case of disabled workers can also come up. “Someone who is disabled may feel they weren’t appropriately accommodated,” a requirement under the U.S. Americans with Disabilities Act. </p><p>Barton says he believes a little effort and communication goes a long way in helping reduce the severity of a lawsuit when employees are killed. “If you can, reach out to the family with the support of your legal department to simply say, ‘We are here for you,’” he notes.</p><p>In addition to advanced planning, organizations need to carefully document the steps they take in the aftermath to help their case. “There’s going to be a lot of holes in there. But at least say, ‘Here are the steps that we did proactively take to try to manage the incident.’”</p>
Check In
<p>Just after 8:00 a.m. on January 25, attackers detonated a truck bomb outside the gates of the Dayah Hotel in the Somali capital of Mogadishu before storming inside. Fifteen minutes later, another truck bomb exploded, and security forces were dispatched to take control of the hotel. </p><p>The hotel, located near Somalia’s Parliament building, was said to be popular with lawmakers and government officials. That may have made it a target for the attackers—later identified as al-Shabaab, an extremist group linked to al Qaeda, whose attacks are designed to turn Somalia into a fundamentalist Islamic state.</p><p>The attack in January killed at least 21 people and injured more than 50, according to CNN. It was just the latest in a succession of recent attacks on soft targets in Africa and Europe, and it raised awareness of a global and shifting threat that no international business can ignore: the risk of an attack on a hotel where a traveling employee is staying.</p><p>Since 2002, more than 30 major terrorist attacks have targeted hotels across the world. 
Because of this outbreak of attacks, businesses, tourism professionals, and hoteliers themselves are calling hotel risk procedures into question.​</p><h4>Hotels as Soft Targets</h4><p>Hotels became major targets for bomb attacks by terrorists in Asia in the 2000s, and the threat has since moved to Africa. Attacks against hotels in 2015 and 2016 accounted for a third of all major terrorist attacks in the world, likely because they are considered to be soft targets.</p><p>Some hotels make more attractive targets than others, for a variety of reasons. One of these is the opportunity to harm a large number of people. Hotels are gathering places, and in addition to guests there are visitors for banquets, as well as bar, restaurant, and leisure facility customers.</p><p>Another reason a hotel might be an attractive target is that it is likely to garner international media attention. The more victims there are from different countries, the more media attention the attack is likely to generate. </p><p>Attacks on hotels also express an ideology: international luxury hotels symbolize Western culture. Jihadists often consider hotels immoral places where men and women interact, and where alcohol is easily accessible.​</p><h4>Attack Strategies</h4><p>Terrorists used three attack strategies when targeting hotels between 2002 and 2015: explosives (44.4 percent), firearms (25 percent), and a combination of the two (30.6 percent), according to the Global Terrorism Database.</p><p><strong>Explosives.</strong> There are two varieties of attacks on hotels using explosives: the human bomb and the vehicular bomb. These tend to cause the most physical destruction and injure the most people, making them effective for terrorists.</p><p>Human bombs tend to have geographically restricted limits and are mainly used in spaces that are open to guests. 
For instance, in November 2005 in Amman, Jordan, terrorists detonated explosive belts in the ballroom of the Radisson SAS, near the coffee shop of the Grand Hyatt Hotel, and in the entrance of a Days Inn. Fifty-seven people were killed in the attacks, and more than 100 people were wounded, according to The New York Times.</p><p>In contrast, vehicular bombs account for 31 percent of terrorist attacks on hotels. This technique is used to cause large-scale material destruction and potential chain reactions from the explosion—such as gas line bursts, fire, structural collapse, and destruction of guest and staff lists.</p><p>In 2008, for example, terrorists packed a truck with a ton of explosives and drove it into the Islamabad Marriott’s security gate. The vehicle exploded, killing 53 people and injuring 271, and officials were concerned that the building itself might collapse and cause even more injuries and damage, The Telegraph reported.</p><p>Occasionally, the two techniques are used together. One such case was in 2005 in Sharm El Sheikh, Egypt, when terrorists set off a truck bomb near the Iberotel Palace hotel while simultaneously discharging a bomb in the façade of the Ghazala Gardens Hotel. They also detonated a third bomb in a parking lot of one of the city’s tourist areas. The coordinated attacks killed 88 people, most of whom were Egyptian instead of the targeted Western tourists, according to the Times’ analysis of the attack.</p><p><strong>Assaults. </strong>Terrorists often use the assault technique, armed with automatic rifles and hand grenades, to target hotels. This method makes it easier for the terrorists to damage a wider area while also killing a large number of people as they move through the hotel and its floors.</p><p>This kind of attack occurred in November 2015 when heavily armed and well-trained gunmen drove into the Bamako, Mali, Radisson Blu hotel compound. 
They detonated grenades and opened fire on security guards before taking 170 people hostage, according to The Guardian. Twenty-one people, including two militants, were killed in the attack and seven were wounded.</p><p>Terrorists will also move from one hotel to another, not hesitating to take clients hostage to make the operation last longer. The duration of the siege often has a direct impact on the amount of international media coverage the attack receives.</p><p>Additionally, some assault-style attacks show that terrorists had knowledge of the hotels before attacking them. For example, in the 2009 attacks on the Ritz-Carlton and the JW Marriott in Jakarta, the attackers blew themselves up—one in a parking garage at the Marriott and the other at a restaurant at the Ritz-Carlton. Authorities later discovered, according to the BBC, an unexploded bomb and materials in a Marriott guest room that was dubbed the “control center” for the attacks.</p><p>Terrorists also may plan to conduct attacks during a hotel’s peak operation times—such as during meals or organized events. For example, the attack in Bamako took place around 7:00 a.m. when breakfast, checkouts, and security officer shift changes were taking place.​</p><h4>Travel Policies</h4><p>Not all companies have well-developed travel security policies. Predictably, companies with employees who travel more frequently for work have a more advanced travel security program, as do companies that operate in countries with elevated security risks or in remote areas.</p><p>Companies also tend to have a more highly developed travel security program if one of their employees has been affected by a security incident, such as a hotel bombing, in the past. 
In this current threat environment, however, all international companies should review their travel risk policies because they have a duty to protect employees when they travel for work.</p><p>The European Directive on the Safety and Health of Workers at Work mentions this obligation, as do national regulations: Germany’s Civil Code, France’s Labor Code and a judgment by the Court of Cassation, and the United Kingdom’s Health and Safety at Work Act of 1974 and the Corporate Manslaughter and Corporate Homicide Act of 2007.</p><p>The United States also addresses this responsibility through its statutory duty of care obligations detailed in the Occupational Safety and Health Act of 1970. The act requires large and medium-sized companies to define basic emergency planning requirements.</p><p>Also, depending on the U.S. state, workers’ compensation laws may have provisions for American business travelers abroad. Similar obligations apply in Australia, Belgium, The Netherlands, and Spain. And case law has reinforced this legal arsenal addressing the security of employees traveling abroad.</p><p>Under these frameworks, employers must assess foreseeable risks, inform employees of these risks, and train them to respond.</p><p>And these risks are no longer reserved for employees traveling to Africa or the Middle East; the succession of terrorist attacks in countries qualified as low-risk destinations—Berlin, Brussels, Nice, and Paris—means that many companies need to address these locations in their crisis management preparation for employees traveling abroad.</p><p>Some companies have already changed their internal procedures to address these risks, including changing the way that hotels are chosen for business travel. ​</p><h4>Choosing Hotels</h4><p>Given the current threat environment and duty of care obligations for traveling employees, corporate security managers and travel managers need to work together to choose the right hotels. 
No matter the choice of accommodation, security and travel managers must conduct their own risk analysis to adopt the best strategy for choosing hotels for their employees. The analysis should include the destination, the profile of the business traveler, the duration of the employee’s stay, the company’s image, and the potentially controversial nature of the project in that destination.</p><p>Once the analysis is complete, companies have four options for choosing accommodations for traveling employees: international brand hotels, regional chain hotels, apartment or house sharing, or residences that are owned and operated by the company.</p><p>The most common option is to choose hotels with an international brand whose rates have been negotiated by the company. These big-name hotels can be reassuring. However, these institutions—described by some specialists as high-profile—tend to meet terrorists’ selection criteria for targets.</p><p>These hotels are also often franchise hotels, meaning they are independent institutions, master of their own investment decisions and the management of their staff. This can make it difficult for security professionals and travel managers to get answers to important questions during the vetting process: What security procedures does the hotel have in place and what is its staff management policy? Does it subcontract its security to a guard company or have its own security team?</p><p>The second option is to choose less emblematic hotels that some would consider low-profile, such as regional chain hotels—like Azalaï, City Blue, Serena, and Tsogo Sun in Pan-Africa—or independent boutique hotels. </p><p>Hotels such as these may provide more discretion than an international brand hotel, but may come with slightly lower levels of security, which could become a problem should a crisis develop. 
Lesser-known hotels, for instance, may not receive as rapid a response from security forces as a luxury hotel frequented by public figures and politicians. And for travel managers, this second option could be a difficult sell to employees who might be used to staying at international brand hotels.</p><p>Another option that companies might choose is to have employees stay at a private residence through the sharing economy, such as Airbnb. Google and Morgan Stanley recently began allowing employees to use Airbnb for business travel, and Airbnb saw 14,000 new companies sign up each week in 2016 for its business travel services, according to CNBC. </p><p>For some destinations, this is not a viable option because of the lack of accommodations, but for other locations Airbnb has numerous places to stay and even offers a dedicated website for business travelers, which make up 30 percent of its overall sales.</p><p>One location where Airbnb is a popular choice is in sub-Saharan Africa, where a major influx of young expatriates used to traveling and staying in Airbnbs have rooms, apartments, and houses available for business travelers.</p><p>However, this option has collateral risks, and many companies forbid employees from staying at an Airbnb while traveling because of the lack of verification and vetting of the residences, which may not allow them to meet many companies’ duty of care obligations. </p><p>Also problematic is the risk that employees will get lost while trying to locate their Airbnb, as opposed to an easily identifiable hotel. And the traveler might be unable to check in when the host is unavailable to let them in or provide a key. </p><p>The Airbnb option also raises questions for security professionals: If it’s attacked, how will local law enforcement respond? Who is responsible for contacting law enforcement?</p><p>The final option is for the company itself to provide private accommodations for its travelers. 
This is only cost effective, though, for high-risk destinations where companies frequently send employees to work. With this option, companies have full control over the security of the accommodations. However, this level of security comes with a high operational cost—purchasing or renting the accommodation, ensuring the maintenance of the location, and supervising essential service providers, such as housekeeping and security.</p><p>Additionally, companies that choose to provide a private accommodation for traveling employees would have the responsibility to secure the property—creating a security plan; purchasing, installing, and implementing security equipment, such as access control, CCTV, and fences; and providing security staff, either in-house or through a contract.​</p><h4>Improving Security</h4><p>In 2002, a Palestinian suicide bomber killed 30 people at a Passover Seder at the Park Hotel in Netanya, Israel, in the deadliest attack during the Second Intifada. Following the attack, Israel’s hotel industry led the charge to address security threats by tightening security regulations. These regulations required the hospitality industry to staff a chief security officer in each hotel, led to the development of dedicated educational programs on security with recognized diplomas, and ultimately provided career opportunities for skilled and motivated security professionals.    </p><p>This model is one where companies can support hoteliers by including security as a key element when choosing which hotels can be used by employees on business trips.  </p><p><em><strong>Alexandre Masraff </strong>is a security and crisis management senior advisor at Onyx International Consulting & Services Ltd. and the cofounder of the InSCeHo certification program that focuses on hotel security. He is a member of ASIS International. <strong>Aude Drevon</strong> is a security analyst with a master’s degree in geopolitics and international security. 
<strong>Emma Villard</strong> is a regional security advisor based in Vienna, Austria, and a member of ASIS.</em></p> Review: Info Risk<p>Butterworth-Heinemann; 408 pages; $49.95.</p><p>Factor analysis of information risk (FAIR) is a methodology for understanding and analyzing information risk. <em>Measuring and Managing Information Risk: A FAIR Approach</em> provides extraordinary detail, explaining both the essentials and fine details of the FAIR process.</p><p>This book is informative and insightful—and surprisingly engaging. Using examples, anecdotes, and metaphors, the writers keep this educational work from becoming difficult.</p><p>Comprehensively explaining FAIR ontology in all its layers and complexities, the book includes thorough definitions of the terminology, many examples for applying the concepts, and detailed explanations of each step of the process from preparation through presentation and implementation. It examines challenges and common mistakes and suggests multiple solutions to suit different cultures, leadership, and scope of work. Diagrams and tables provide specific examples and a thorough index allows for quick reference to key words and concepts.</p><p>This is advanced material presented in a style that’s often humorous while still focused. The authors’ expertise is obvious in their detailed explanations of fact and theory, and in their relaxed approach to this complex subject matter. Professionals new to thorough information risk analysis or using more simplified approaches will find this book extremely useful.</p><p><em><strong>Reviewer: Lex Holloway, CPP</strong>, is director of security for Caris Life Sciences. 
He is a member of ASIS and serves on the ASIS Healthcare Security Council.</em></p> Solo<p>Senior executives routinely travel the globe without security and rarely are there any incidents of concern, but when things go wrong from a protective security perspective, they usually go wrong quickly and can snowball into disaster.</p><p>Most failures stem from a lack of proper advance work, logistical foul-ups, and lost luggage. Robust protective intelligence and countersurveillance programs, along with comprehensive threat assessments, can greatly reduce the risk to executives who travel. But when a security detail will not be included in the trip, basic training and preparedness for those executives can go a long way.</p><p>Many executives want to run under the radar, whether they are attending a meeting on the other side of town or traveling around the world. Few CEOs travel surrounded by visible security personnel with earpieces and shoulder holsters because the optics are deemed bad for business. Few executives need or seek that level of security. And although it’s rare for an armed robbery or a Kardashian-style hotel invasion to occur, it’s on every protection officer’s mind.</p><p>A more thoughtful approach to protection for senior government personnel, executives, and high-net-worth families was created by a group of former government agents in the private sector. They adopted a different model of protection, focused heavily on protective intelligence and countersurveillance.</p><p>The model is now used by many Fortune 500 companies and takes a nuanced approach to empower the executives themselves. 
Even though security staff may not be in tow on any given trip, there are several key principles that executives can practice that will dramatically increase their level of safety and security wherever they are in the world. ​</p><h4>Situational Awareness</h4><p>With enough will and discipline, executives can use situational awareness to stay ahead of threats while traveling. To successfully practice situational awareness, executives must be mindful of a few basic facts. </p><p>First, they must acknowledge that a threat exists, because bad things do happen to good people. Executives traveling solo must also take care of themselves because they are ultimately responsible for their own safety and welfare. Finally, they must heed their instincts. If something doesn’t look or seem right, chances are it’s not, and executives need to be comfortable identifying and acting on that intuition. </p><p>When discussing situational awareness with an executive, it is important to stress that this does not mean being paranoid or obsessively concerned about security. Still, there are periods where enhanced awareness levels are needed. </p><p>Solo executives can learn to practice enhanced observation skills with simple exercises, like paying attention to the cars behind them in traffic, or by challenging themselves to see if they can remember automobile license plate letters and numbers. </p><p>One best practice is to have executives pay special attention to their departure points and destinations, scanning the area with an eye for vehicles and people that could be watching. If the same vehicle, bicycle, or person is spotted over time and distance, someone may be conducting surveillance. </p><p>For example, a blue van glimpsed at the point of departure and then seen later near a business meeting means someone could be watching. 
Not all watchers are criminals or possible kidnappers—in some locations, the watchers could be state security services or private detectives hired by competitors.​</p><h4>Countersurveillance</h4><p>Burglars, kidnappers, assassins, and any manner of criminals all follow an attack cycle, including some level of preoperational surveillance. Attacks don’t happen in a vacuum. In most cases, criminal and terrorist surveillance tradecraft is the least well-developed skill in the hostile operator’s toolbox. </p><p>When persons with hostile intentions are engaged in preoperational surveillance, they are also highly vulnerable to detection. Professional countersurveillance teams are trained to recognize operatives conducting surveillance on a target. However, an individual practicing good situational awareness can often spot preoperational surveillance on his or her own, especially if the surveillant is sloppy, as many are. </p><p>If suspects realize that their surveillance efforts have been detected, they will become anxious and may decide against acting—or at least redirect their attention to an easier target. The detection also lets the executive know he or she must take further protective steps, such as changing routes or vehicles, switching hotel rooms, notifying local authorities or staff, alerting corporate headquarters, and calling for backup. Monitoring for surveillance needs to be part of executives’ ongoing situational awareness practice. </p><p>One terrorist plot uncovered in 2003 revealed how an al Qaeda cell used preoperational surveillance when targeting financial institutions in Washington, D.C.; New York City; Newark, New Jersey; and potential targets in Singapore. In one instance, several operatives sat in a Starbucks cafe across from their intended target, recording information like security measures and building access. 
Their notes, videos, and practices were uncovered when the terrorist cell was broken up by authorities—fortunately before an attack took place.</p><h4>Fire Safety</h4><p>While traveling, executives may obsess over the potential threat posed by terrorist attacks, political violence, or other incidents that result in news headlines, but they tend to discount the less exciting but more likely threat posed by fire.</p><p>Fire kills thousands of people every year, and there are instances where fire has been used as a weapon in terrorist attacks. During the November 2008 Mumbai attacks, a group of attackers holed up in the Taj Mahal Palace Hotel started fires in various parts of the hotel.</p><p>Anarchists and radical environmental and animal rights activists have conducted arson attacks against a variety of targets, including banks, department stores, ski resorts, and the homes and vehicles of research scientists.</p><p>It is common to find items stored in emergency stairwells that render them obstructed or sometimes impassable. This is especially true outside the United States, where fire codes may not be strictly enforced, if they exist at all. In some instances, fire doors have been chained shut due to criminal threats.</p><p>To mitigate the threat from fire, executives should note whether emergency exits at their hotel are passable. This applies to apartments and office buildings as well.</p><p>In the August 2011 Casino Royale attack in Monterrey, Mexico, the attackers ordered the occupants out of the building before dousing it with gasoline and lighting it on fire, but 52 people died because they were trapped inside the building by a fire exit that had been chained shut.</p><p>Travelers staying at hotels in countries with lax fire codes should stay above the second floor to avoid break-ins, but not above the sixth floor. That puts them within range of most fire department rescue ladders.</p><p>Smoke inhalation is also a concern. 
It is the primary cause of fire deaths and accounts for 50 to 80 percent of all deaths from indoor fires. </p><p>The U.S. diplomatic facility in Benghazi, Libya, that was attacked on September 11, 2012, is an apt example. A video of the building after the attack showed that fire had not badly damaged the building’s structure. The two diplomats killed in the attack did not die from gunfire or even rocket-propelled grenade strikes—they died from smoke inhalation. </p><p>At minimum, a smoke hood should be a key piece of safety equipment carried by the executive while traveling. These hoods can be easily carried in a purse or briefcase and can provide the wearer with 15 to 30 minutes of safe air to breathe. That time makes a world of difference when caught in a burning building, a subway tunnel, or an aircraft while trying to escape. </p><p>Many executive protection experts encourage executives to place smoke hoods next to their hotel bed. Another useful tool in such situations is a small, high-intensity flashlight to help them find their way through the smoke or dark once they have donned their smoke hood. ​</p><h4>Identifying Risks</h4><p>While executives may not appreciate the security team’s efforts to scare them ahead of a trip, they do need to know the inherent risks during travel and after reaching their destination. This will require advanced research by protective intelligence analysts to gather hard data on a range of issues appropriate to the destination. Alternatively, security can use a service that consistently tracks that data. 
This type of research involves analyzing everything from the latest street crime trends in London to the prevalence and nature of recent express kidnappings in certain Latin American cities, and incorporates that data into the executive briefing.</p><p>The briefing can also include the advance work of the corporate security team: analyzing the executive’s schedule, transportation routes, and destinations to determine the times and places where he or she is most vulnerable. By identifying the moments most likely to be used by a hostile actor, an executive can understand when to raise his or her level of situational awareness for greatest effect. This will also make it more difficult for assailants to conduct preoperational surveillance without detection.</p><p>On September 28, 2016, a group of assailants abducted Abid Abdullah, the executive director of Pakistan’s largest publishing group, during a business trip to Peshawar. Abdullah was in Peshawar to check on the status of a company facility under construction and did not return to his hotel until the early hours of the morning. </p><p>Several armed men in two vehicles stopped Abdullah and his driver around 3:15 a.m. in the city’s industrial area. Peshawar is dangerous even by Pakistan’s standards, and, based on his driver’s statements, Abdullah was traveling without a protective detail to an industrial park where the kidnapping team had likely been watching him while he conducted business late into the night. The industrial area made a good intercept point because it was likely to be deserted at that hour. On such visits, a robust security plan is needed. </p><p>There are always incidents that are more difficult to detect ahead of time. In July 2016, Jeff Shell, chairman of the Universal Filmed Entertainment Group, was briefly detained and forced to leave Russia hours after arriving in the country. 
</p><p>Russian authorities pulled Shell out of the immigration line shortly after he arrived at Moscow’s Sheremetyevo Airport from Prague. After hours of interrogation, Shell was told he had been barred from Russia and was placed on a flight to Amsterdam. </p><p>The Russian Foreign Ministry later explained that it barred Shell from Russia because of his involvement with the Broadcasting Board of Governors, a group that oversees U.S. government broadcasters. </p><p>Before July 13, there was no indication that Shell or anyone affiliated with the Broadcasting Board of Governors was included on any list. Russia’s lack of transparency on who is barred from the country and why is troubling for traveling corporate executives and can become highly disruptive, embarrassing, or potentially dangerous for those involved. Executives and their protection teams should take these sorts of threats into account long before they begin travel.​</p><h4>Liaisons </h4><p>Once executives are well-versed in these skills and practices, they may feel prepared to travel solo around the world. However, the work of the corporate security team doesn’t end there. </p><p>Whether the protective intelligence team is working for the government or in the private sector, it is critical to maintain frequent contact with the appropriate authorities and security counterparts where executives are likely to travel. </p><p>Beyond maintaining a close liaison with their counterparts and industry partners at the travel destination, corporate security officers should work with local, state, and federal law enforcement agencies that would be called on to prosecute the case should someone commit an illegal act against an executive. </p><p>If an executive is traveling to another city or country on business, be sure to establish a line of communication with the counterpart at that company ahead of time. 
If an incident does occur, a liaison will provide a shared interest in executive safety or concern about the potential optics around incidents affecting executives who are visiting their company.</p><p>These counterparts should also have efficient lines of communication with their local law enforcement contacts. In that case, they can become an executive protection advocate on-site, or at least connect the team back home with the right people until the situation is fully resolved.</p><p>Executives can travel safely abroad with minimal intrusions on privacy, as long as corporate security teams establish proper procedures and baselines. Building trust with the executives and their administrative staff goes a long way to ensure that business travel functions without security disruptions.</p><p>Not every executive needs visible security officers on travel; however, every executive traveling abroad does require a good security team behind the scenes to properly balance risk and facilitation.</p><p><em><strong>Fred Burton </strong>is chief security officer at geopolitical intelligence platform and a lead analyst for Stratfor Threat Lens. He has authored three books, including </em>Under Fire: The Untold Story of the Attack in Benghazi.</p> Travel Tips<p>Security managers must be aware of their physical surroundings when they travel, but electronic devices frequently place employees and their companies at risk. To help keep devices and corporate data secure while traveling, Security Management reached out to several security experts to learn about their own travel best practices.</p><h4>Do a Cleanse</h4><p>Before packing your laptop, Bruce McIndoe, CEO of integrated risk management company iJET, recommends doing some device cleansing. 
</p><p>“That’s the first level of defense when you are getting ready to leave on a trip—slim down and remove as much data as you can,” he says.</p><p>This means assessing whether you actually need to take a laptop with you and, if so, removing all the sensitive data from it that you can. “That way if the laptop is stolen or infiltrated or lost, you’re not going to have all that data exposed,” McIndoe says.</p><p>Take the same approach with your smartphone, and pare down your USB devices to the essentials. Then make sure that all your devices are encrypted in case they are lost or stolen.</p><h4>Talk to IT</h4><p>After you’ve assessed what you need to take with you, it’s a good rule of thumb to check with your IT department to see if they have travel devices for you to take with you, such as travel laptops, phones, and even routers.</p><p>IT can also review with you any policies or procedures in case your devices are lost, stolen, or breached while you’re away from the office.</p><h4>Take the Right Bag</h4><p>When traveling, sometimes your devices are out of your sight—whether they’re tucked in your checked bag or stowed in the hotel while you’re out at dinner. This is when a zippered bank bag comes in handy, says former U.S. Secret Service Agent John Toney. He and other agents used zippered bank bags, such as an A. Rifkin bag, to store guns, electronic equipment, and anything else they wanted to keep away from prying eyes.</p><p>“When agents go en masse overseas, everyone throws their bag into the same Pelican case for customs,” says Toney, who is now senior manager of forensic technology and discovery services at Ernst & Young LLP. “That way, customs agents can scan the outer carrier but don’t get inside the bags.”</p><h4>Avoid Free Wi-Fi</h4><p>While a wonderful invention, Wi-Fi does come with risks, which is why McIndoe says he doesn’t connect to airport Wi-Fi or public Wi-Fi.</p><p>“What I try to do is use Gogo and AT&T hotspots,” McIndoe explains. 
“I can use Gogo on flights and get onto Wi-Fi only from access points that I know about.”</p><p>He also says travelers should be cautious about connecting to hotel Wi-Fi. As a precaution, consider using a VPN to access systems at work and ensure that you have an HTTPS connection. If you do access a website without an HTTPS connection, McIndoe says you should not consider that information private.</p><h4>Talk to IT, Again</h4><p>After you’ve returned from your trip and before you connect any of your devices to your company’s network, go talk to IT. They can scan the devices to make sure you didn’t pick up any malware while you were abroad. Many companies require employees who have been in designated countries to have their laptops scanned before connecting them to the network.</p><p>“A lot of companies have more sophisticated malware detection on the company network than on your laptop and will detect a virus that your local virus scan did not detect,” McIndoe says.</p> Via App<p>Virgin Money, part of the Virgin Group, is a U.K.–based bank with the goal of innovating how customers experience financial services. Founded in 2007, the bank has several lounges around the United Kingdom that offer free Wi-Fi and coffee for customers, as well as tellers and ATM machines for their banking needs. One of Virgin Money’s newest lounges even has a bowling alley inside.</p><p>“We’re about changing the face of banking…by providing fantastic customer service and facilities,” says Brian Shepherdson, property and facilities manager at Virgin Money.</p><p>With a multibuilding headquarters campus housing nearly 3,000 employees, the bank is always looking for ways to streamline its access control, enhance physical security, and improve the overall flow of business. 
</p><p>“We have nearly 3 million customers, and one of our key priorities is to make sure their data is safe,” Shepherdson notes. “Knowing who’s in the building and making sure the right people have access is fundamentally important to our business and our customers, as well as to protecting our brand.”</p><p>The bank has used the Honeywell EBI building management software suite since it first opened its campus about 10 years ago. EBI allows the company to manage various aspects of building efficiency and security, including access control.</p><p>In early 2016, Honeywell was looking to conduct testing around the globe of its new Vector Occupant app, which has several building automation and business efficiency components. The app can be used for everything from temperature control to booking meeting rooms.</p><p>Shepherdson says the bank was excited to be a part of a test group, and conversations about installation began in February 2016. “As part of the Virgin Group, we’re always looking to innovate and do things differently,” he adds.</p><p><img src="/ASIS%20SM%20Product%20Images/0517%20Case%20Study%20Stats.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:560px;" />Virgin Money was particularly interested in enhancing its access control with the Vector app. While the bank uses physical access control cards for headquarters employees to move throughout buildings on campus, it wanted to provide more convenience for users by supplying digital credentials directly on their smartphones.</p><p>Shepherdson notes that the company’s process for replacing lost badges is burdensome, involving multiple steps and various departments. It also leaves the building vulnerable if an employee fails to promptly report a lost badge.</p><p>“Whereas if you lose your cellphone, you’ll probably be aware quite quickly and you can report that,” he says.</p><p>The Honeywell Vector Occupant App is available for download in app stores for smart devices. 
From the administrative side, Virgin Money provides a unique username and password for employees to enter once they’ve downloaded the app. </p><p>“Once Vector is set up on a person’s device, the Bluetooth pairing on the device opens the door without contact. You don’t have to swipe a card,” he says. “If my phone is in my pocket, it will open the door when I’m near it.”</p><p>For the past year, about 30 people have been testing the Vector app, and Virgin Money is preparing to launch the app with a final, larger test group, before deploying it across the entire campus. </p><p>“We need to get a reaction to the technology, and use the learning from that to roll it out further,” he notes. </p><p>Testing the technology with a smaller group has had benefits, Shepherdson says. He explains that the Bluetooth access control feature was putting a huge strain on smartphone batteries, which would die quickly when using the app. </p><p>“Initially we did experience a high level of drain on the battery, so Honeywell has developed the technology to solve that problem,” he notes. “Honeywell has made various improvements in the background to get through teething problems.” </p><p>From a security standpoint, Shepherdson says there are several benefits to having access control on a phone rather than a physical card. “If you lost your access card on a Friday, you’ll probably wait until Monday to deal with that when you get back at the office,” he notes. “If we lose our smartphone we feel like we’ve lost our hand—that’s how possessive and reliant people are on a smartphone.” </p><p>Virgin Money’s company-issued smartphones already come with an added layer of security around them that the company can control, including strong passcode requirements. Through Honeywell EBI, Shepherdson can add and revoke access to employees using the active directory. 
</p><p>“If somebody loses a cellphone and reports it quickly, we can then disable their credentials more quickly...we can take away their access,” he says. </p><p>And Vector integrates completely with Honeywell EBI, giving Shepherdson a full administrative picture of who is going where throughout the building. </p><p>“We know who has authorized access to an area and who’s tried to get into an area where they don’t have authorization,” he explains. “A transit report would tell us exactly where they have been, what time they came in, where they went, and what doors they went through.” </p><p>The bank is also testing the temperature control aspect of Vector, a portion of the app that allows building occupants to report their comfort level to building engineers in real time. </p><p>“The Vector app recognizes where you are in the building—for example, meeting room 1—and when you’re in that space, it will give you the option to provide feedback in real time about the temperature,” Shepherdson says. </p><p>If there is a general trend from occupants in a particular part of the building, an engineer will further investigate whether something is wrong with the HVAC system. If everything is running fine but several people report feeling hot or cold, the engineer will adjust the temperature. </p><p>Later this year, the organization plans to roll out EasyLobby, a visitor management system through Honeywell EBI that prints a barcode for visitors or contractors. </p><p>“Similar to when you get a boarding pass for air travel—an email with a barcode in it—we are looking to migrate our visitor and contractor experience to receive a notification linked to Honeywell’s access control system,” Shepherdson notes. They can present that barcode and receive access to the specific buildings they need on campus. </p><p>Shepherdson says that the Vector app not only improves security, but also increases business efficiency for Virgin Money employees. 
“This product is very much a convenience for people, rather than a barrier.”</p><p>For more information: Julio Ampuero, 480/606-9569</p>