More Headlines Protocols and Practices Put the IoT Revolution at RiskGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Linking physical objects in the real world to the virtual world, enabling “anytime, anyplace, and anything” communication was once the stuff of science fiction. However, it is made real today with the Internet of Things (IoT), which is widely considered to be the next phase of the Internet revolution.​</p><p>Knowing this, it could be expected that the protocols and infrastructure supporting the IoT would be just as advanced—but this is not the case. Instead, the technology underpinning the IoT is straight out of the 1990s or early 2000s—more Sega Dreamcast than PlayStation 4.</p><p>It’s no surprise that the tech industry and the public are falling head-over-heels for the possibility to connect everything, from our toothbrushes to our city infrastructure, to the Internet. However, the more devices we connect, the more opportunities there are for cyber criminals. </p><p>By getting carried away by the opportunity technology brings, we are charging ahead without considering the risks and without securing the technology. Before organizations continue to connect devices to the network, there needs to be a secure foundation to build up from. </p><p>The fundamental standards, which IoT devices have to comply to, must be secure so no one device can be breached and used as an entry point for the whole system. In 2015, the U.S. Federal Trade Commission recommended that security be baked into devices from the beginning—not as an afterthought. </p><p>Yet research from HP in its Internet of Things Research Study showed that 70 percent of the commonly used IoT devices had severe security issues. And there are critical vulnerabilities at the very core of many IoT networks. </p><p><strong>Smart Homes and Buildings</strong><br>The trend of automated buildings and making homes smarter by leveraging the IoT to save energy, increase comfort, or add capabilities for remote monitoring and control is on the rise. However, there are issues with the development of smart buildings and homes.​</p><p>A smart home using home automation is likely to have IoT devices that cover the following areas:</p><p><strong>HVAC Control. </strong>Smart HVAC units control room temperature, as well as automated ventilation systems, which can be switched on to replenish clean air based on temperature, moisture, smoke, heat, dust, or carbon dioxide levels in the unit.</p><p><strong>Light Control.</strong> In conjunction with smart bulbs, these units can adjust lighting behavior according to the presence of people in a designated space. Smart lights can be automatically switched off when the unit is empty and dimmed when there is natural light.</p><p><strong>Smart Surveillance. </strong>Intelligent surveillance systems record activity in the smart home, allowing authorities to remotely monitor where individuals are inside.</p><p><strong>Smart Door Locks. </strong>Smart door locks can be opened or locked remotely by a user. They can also track people entering or leaving the premises, and can act upon this by notifying the inhabitants or authorities. Researchers have found fundamental flaws in this automation system that leave people at risk, such as hackers using simple attacks to open and unlock the doors.</p><p>These systems often utilize wireless IoT protocols, such as ZigBee and Zwave, which have become their greatest asset and their greatest weakness. Wireless networks are prone to jamming (attackers try to prevent sensors from contacting the central hub by blocking the signal), the communication can be eavesdropped on to gather secret keying material, and is vulnerable to replay attacks (attackers inject recorded packets, e.g. a “door open” command to a door lock, or a “no-motion” command to a motion sensor, into the communication destined for the connected device or sensor).</p><p><strong>The ZigBee Wireless Communication Standard</strong><br>ZigBee is a standard for personal area networks developed by the ZigBee Alliance, which includes companies like Samsung, Philips, Motorola, Texas Instruments, and many others. ​</p><p>ZigBee’s aim is to provide a low cost, low power consumption, two-way, reliable, wireless communication standard for short-range applications. ZigBee is used for: remote controls, input devices, home automation, healthcare, and smart energy.</p><p>Devices on a ZigBee network communicate using application profiles. Those profiles are agreements for messages, like a common alphabet and language, that enable developers to create an interoperable, distributed application employing application entities that reside on separate devices. If a manufacturer wants a device to be compatible with certified devices from other manufacturers, the device must implement the standard interfaces and practices of certain profiles, such as the Home Automation profile.</p><p>The Home Automation profile relies on secrecy of key material and secure initialization and transport of its encryption keys. Recent research by Cognosec shows that keys can be compromised by attackers by passively sniffing and using weaknesses in the standard. </p><p>Sniffing in this context is best described as passively eavesdropping on wireless communication. An attacker could compromise the key by either listening to the initial setup of the devices or by imitating a legitimate device trying to "rejoin" a network.</p><p>During this rejoin the attacker would pretend to have lost key material needed to communicate with the management hub and send an unencrypted rejoin request there. This causes the hub to send out new keys, a process that should be protected by another key. But, crucially, that key is publicly known. Ultimately using the approach an attacker could request the active encryption key on network level.</p><p>As the Home Automation profile covers devices from lights to HVAC systems and door locks, this compromise might lead to serious security issues. This security issue was shown by Cognosec during the DeepSec Conference in Vienna in 2015 by opening a Yale Door lock using ZigBee without having the proper key. Security vulnerabilities from this kind of compromise are made worse because the fallback mechanism is the standard has to be implemented by every vendor that wants to market certified devices.</p><p>To remain compatible with devices that have not been pre-configured or are unknown to a ZigBee network, a default fallback mechanism was implemented that is considered a critical risk.</p><p>This fallback is used if devices from different vendors are connected to each other initially, or new devices are joined to an existing ZigBee network and they have not been pre-configured in the same way.</p><p>A single smart home or building with vulnerabilities may not seem like a problem at first, but a network of smart buildings—or a smart city—being breached could prove to be disastrous.</p><p><strong>ZWave Wireless Communication Standard</strong><br>ZWave also stands on the forefront of the IoT revolution. It was designed in 2001 by Zen-Sys, which was later acquired by Sigma Systems. ​</p><p>The Zwave standard does not require encryption support, so one can safely assume that vendors will only implement the bare minimum needed to get their products to market. This makes ZWave networks vulnerable to replay and eavesdropping attacks.</p><p>Two security researchers—Joseph Hall and Ben Ramsey—showed that few IoT devices are using encryption, and for those that are used for critical applications—like door locks—security is an opt-in feature that has to be enabled by the user.</p><p>In a demonstration at the ShmooCon 2016 Security Conference, ZWave-controlled light bulbs were physically destroyed in less than 24 hours by an attacker who gained access to the ZWave network using openly available information and some technical know-how.</p><p>It should be noted, though, that starting on April 2, 2017, the ZWave Security Framework S2 will be mandated on all devices. However, this will not fix issues on the devices that are already on the market and in stock. Future security research on the S2 framework should be conducted.</p><p>Besides this threat, implementation errors have been found in the firmware controlling door locks that allow an attacker to control the lock and prevent it from reporting its state to a central controller unit.</p><p><strong>Connecting to the World</strong><br>The adoption of IoT technology and increased outside connectivity in critical infrastructure could pose more critical risks to the energy and water supply, as well as to industrial control systems. </p><p>Recent research from Germany conducted in 2016 by shows that the water supply infrastructure is vulnerable and could be controlled by hackers because it’s not properly secured against outside attacks. In this particular case, it was not the lack of a security feature or faulty implementations of a wireless protocol that made the system vulnerable. Instead, it was a software vendor used to manage Germany’s water supply plants that did not implement security, instead leaving security configurations up to the plants themselves.​​<br></p><p>This an example of a new threat to critical infrastructure as it evolves from closed to open systems. Historically, industrial control systems (ICS) were designed to operate on an isolated network to protect them from security threats. Well-established physical security measures and the need to be physically present to harm the system provided a decent level of security to the systems, even if their IT systems were not sufficiently secure.</p><p>Now, as more devices are connected to the Internet they are communicating to each other and forming huge networks with machine-to-machine communication. The result is a massive growth of the attack surface and an increase in the potential effect an attack could have. By making systems interoperable, as is the current trend with the IoT, hacking one device could open up a Pandora’s box of security breaches.</p><p>Another fact making this problem worse is that some software vendors used by critical infrastructure—like in Germany—delegate security to the customer; a customer that normally has neither the necessary awareness nor know-how to property implement the now open infrastructure as IT is not its core business.</p><p><strong>Conclusion</strong><br>Security issues affecting buildings, power, and water supply plants—or even door locks—have been around for years. Still, every few months new threats arise and the situation is worsened by adding network connectivity to devices that broaden the attack surface. ​</p><p>Security must be built-in to devices and configured to be the default, not the exception or the responsibility of the end-user. The U.S. National Institute of Standards and Technology released a publication on this issue in 2016, which called for assigning a level of trustworthiness to a device and applying security considerations to it from the very beginning. </p><p>By integrating security from the design phase to the product development and life-cycle management phase, instead of adding security features or monitoring hardware after the device has been purchased, devices will be more resilient against attacks than they are now. <br><br>Until we can resolve these issues, and create new, secure protocols, IoT hacks will increase exponentially in volume and severity.</p><p><em>Florian Eichelberger is an information systems auditor at Cognosec. </em><br></p> Killed In U.K. Parliament AttackGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<strong>Update: 23 March 2017, 11:50 a.m.</strong></p><p>​British authorities identified the man responsible for Wednesday's terror attack as 52-year-old Khalid Masood, according to a<a href="" target="_blank"> press release from the London Metropolitan Police.​</a><br></p><p>Masood was born in Kent, and authorities believe he was recently living in the West Midlands in England. </p><p>"Masood was not the subject of any current investigations and there was no prior intelligence about his intent to mount a terrorist attack," the Met said. "However, he was known to police and has a range of previous convictions for assaults, including GBH, possession of offensive weapons, and public order offenses."</p><p><strong>Update: 23 March 201​7, 10:50 a.m.</strong></p><p>The Islamic State claimed responsibility for Wednesday's terrorist attack in London outside the U.K. Houses of Parliament. The assailant--whose identity has not been released--was a British-born man known to the U.K.'s domestic intelligence agency and previously investigated for connections to violent extremism.<br></p><p>U.K. Prime Minister Theresa May said the assailant was a "peripheral figure" that was examined by MI5, but was not "part of the current intelligence picture," according to <em>​<a href="" target="_blank">The New York Times. </a></em><em></em></p><p>Authorities believe the assailant​ acted alone, but continue to investigate the incident while Britain remains at a "severe" threat level.</p><p>"Yesterday, an act of terrorism tried to silence our democracy," May said. "We are not afraid, and our resolve will never waver in the face of terrorism."</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 47879554-d7fa-4c6d-80ff-5853f98067e7" id="div_47879554-d7fa-4c6d-80ff-5853f98067e7"></div><div id="vid_47879554-d7fa-4c6d-80ff-5853f98067e7" style="display:none;"></div></div><p>Two of the victims killed in Wednesday's attack have also been identified. A Mormon church official <a href="">told the AP</a> that one of its members--Kurt W. Cochran--was killed in the attack while in London to celebrate his 25th wedding anniversary.​<br></p><p>Officials also released the name of the police officer who was killed in the incident: Constable Keith Palmer, a 48-year-old police officer who formerly served in the Royal Artillery.</p><p><strong>Update: 22 March 2017, 4:00 p.m.</strong><br></p><p>Four people were killed in a terror attack outside the U.K. Houses of Parliament on Wednesday afternoon. Police shot and killed one assailant involved in the attack, but a major security operation remains underway in London. </p><p>Details of the attack—being called a terrorist incident—remain unclear, but <em><a href="" target="_blank">The New York Times</a></em> reports that security officers shot an assailant outside of Parliament after the individual stabbed a police officer. A motorist on an adjacent bridge also hit at least five pedestrians. However, it remains unknown if the assailant—whose name has not been released—and the motorist were the same individual.<br></p><p>At least 20 people were injured in the attack, in addition to the four casualties that included the police officer. Three French schoolchildren were among those injured, <a href="" target="_blank">according to Reuters.</a><br></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 59a66d03-5516-4786-bdd2-d5cdc347d2ff" id="div_59a66d03-5516-4786-bdd2-d5cdc347d2ff"></div><div id="vid_59a66d03-5516-4786-bdd2-d5cdc347d2ff" style="display:none;"></div></div><p>​“This is a day we’ve planned for but hoped would never happen. Sadly, it’s now a reality,” said Mark Rowley, head of counterterrorism at the Met, in an interview with <em><a href="" target="_blank">The Guardian​</a></em>. “The attack started when a car was driven over Westminster Bridge hitting and injuring a number of members of the public, also including three police officers on their way back from a commendation ceremony.</p><p>“The car then crashed near to Parliament and at least one man armed with a knife continued the attack and tried to enter Parliament.”<br></p><p>Authorities are now conducting a full counterterrorism investigation into the incident, and are asking the public to stay away from an area of central London, report suspicious activity, and share any video or images of the attack.<br></p><p>"Londoners should be aware that there will be additional armed and unarmed police officers on our streets from tonight in order to keep Londoners, and all those visiting our city, safe," said London Mayor Sadiq Khan in a statement posted to his Twitter feed.</p><p></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 75cd54f2-dfa4-4bd7-9e23-4ca16192d225" id="div_75cd54f2-dfa4-4bd7-9e23-4ca16192d225"></div><div id="vid_75cd54f2-dfa4-4bd7-9e23-4ca16192d225" style="display:none;"></div></div><p>​Parliament was in session when the attack occurred at roughly 2:40 p.m. local time, and those in the House of Commons chambers were told to stay in place as officers searched the facility. </p><p>The attack occurred on the one-year anniversary of the <a href="/Pages/Terrorist-Attacks-in-Brussels-Leave-Numerous-Dead.aspx" target="_blank">Brussels attacks</a>, where terrorists bombed the Brussels airport and a metro station.<br></p><p>This is a developing story. <em>Security Management </em>will continue to update this post as more information is confirmed. <br></p><p><br>​</p> in Executive ProtectionGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Although plenty of women enjoy the benefits of executive protection (EP), not many actually work in the field. And that’s a shame—because women have plenty to give in this growing industry. Following are four lessons I have learned from the real world as a woman working in executive protection. ​</p><h4>Women bring a different perspective (and go-bag gear) to EP. </h4><p>And that’s a good thing. Looking at things differently has advantages in any situation, but it can be especially important when protecting a female client. </p><p>Case in point: Like most EP agents, I carry a “go bag” wherever I travel with a client. Of course, I always bring along my personal medical kit, phone chargers, and so forth. But I also add a few things that leave my male coworkers wondering: clear nail polish, super glue, and hair ties. Really? Yes, really. Clear nail polish is worth its weight in gold if a client gets a run in her pantyhose. Super glue is invaluable if a heel snaps. Hair ties? You always need an extra hair tie. </p><p>A lot of men in EP think that it’s not our job to take care of little things like these—that they distract from the core mission to keep the client safe and secure. I’d like to add a few things to our job description as EP professionals. Beyond keeping clients safe, it’s also up to us to make sure they stay happy and productive.</p><p>Carrying a bag with items someone might need helps across the board. In addition to reducing unproductive delays and preventing embarrassment or children’s tears, it also has security advantages: we don’t need to enter unknown areas for last-minute purchases. Women are more likely to consider these needs in advance.​</p><h4>Women blend in better than men.</h4><p>Two male coworkers and I once worked a detail for a family with small children. Whenever we advanced a location, our point of contact would invariably look at the men and ask what they needed to know for security purposes. After they toured us all around, they would ask me if I had any questions pertaining to the itinerary. </p><p>I told them I had no issues, but if they had any itinerary questions they should contact the assistant who was handling the schedule. “But aren’t you the assistant?” they’d blurt. This happens nearly every time I’m with a male coworker conducting an advance. Outsiders see them as the security detail and assume that I am the assistant. </p><p>While some may find this insulting, I use it to my advantage. It’s fine with me if people think I am the nanny or assistant. This prevents them from asking too many questions or getting anxious about why security is around. It helps me blend into the background. It’s also a welcome relief to clients who sometimes want to keep a low profile and just feel “normal” instead of being surrounded by security wherever they go.​</p><h4>Women can go places men can’t.</h4><p>I can easily walk into a women’s restroom to wash my hands and find out whether the client needs help or is just chatting with someone. There’s no need to awkwardly walk into the opposite sex bathroom and look around for the principal. It’s important that protective agents can sometimes be with the principal in bathrooms, dressing rooms, and hotel suites without being inappropriate. By not disrupting the client and by blending into surroundings, female agents raise fewer eyebrows and inspire less suspicion. ​</p><h4>It’s all about the team.</h4><p>I have been extremely fortunate to work with an amazing group of people—mostly men, because there are very few other women working in the industry. The importance of having a good team cannot be exaggerated. EP is not a one-person show, it’s a team effort.</p><p>Coming into a new company and working with a new client can be daunting enough. If you have the added burden of proving your worth to male coworkers, it just gets harder. </p><p>Fortunately, all the men that I work with have been supportive, kind, and understanding of the struggles women have in the industry. They’ve helped me achieve my career goals. I have also been blessed with a team leader who works extremely hard to actualize the team. Encouraging and managing team diversity isn’t always easy, but it’s worth it. Better and stronger teams rely on each other, help each other, and support each other to keep our principals safe, productive, and happy. </p><p>It is possible to create amazing, cohesive teams that include both women and men. I hope that other women will find rewarding careers in EP with both male and female coworkers that encourage everyone on the team to grow. </p><p><em><strong>Rachael Paskvan </strong>is an executive protection agent with AS Solution and a member of the ASIS San Francisco Bay Area Chapter.</em></p> Leader Counterpoint: President TrumpGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​U.S. President Donald J. Trump is no servant leader. He does not invert the traditional power model to put his staff at the top, and hi​mself at the bottom.</p><p>“He puts himself at the center. He’s not about the group,” says leadership expert Barry Strauss, a professor of history and classics and humanistic studies at Cornell University.</p><p>Nonetheless, Trump now holds the top public leadership position in the United States. By dint of that status alone, his leadership will be influential. The constant media attention, scrutiny, and television time that a president generates ensures this. </p><p>However, trying to contextualize Trump in the broader field of leadership is a tricky task, says Strauss, who is also a military historian and author of The Death of Caesar, Masters of Command, and other volumes. “Various people come to mind, but he’s not a perfect fit for any one of them,” says Strauss. Instead, Trump seems to possess “bits and pieces” of leadership traits of historically famous leaders.    </p><p>On one hand, Trump is visibly self-confident, a leader who has a tendency to “go with his gut,” and in the process sometimes ignore advice from advisors. President Franklin Roosevelt had a similar tendency, Strauss says.  </p><p>Trump also clearly places great stock in the idea that practical wisdom, more than knowledge accumulated from voracious book reading or a formal education, is tremendously important. Trump also touts his own strength, and is invested in being perceived as tough, and as someone who drives the hardest of bargains. In this, he is like Gaius Julius Caesar, the legendary Roman politician and general who was self-promotional in his political career, Strauss says.  </p><p>In fact, both Trump and Caesar are leaders who achieved part of their fame as authors, writing books that were, among other things, vehicles for self-promotion. While campaigning for president, Trump often pointed to his bestselling The Art of the Deal book as evidence that he could negotiate extraordinary trade deals as president.  </p><p>However, Strauss also emphasizes the clear difference between the two. Caesar was regarded as a masterful orator and prose stylist; by most accounts Trump is neither. And Caesar had an acclaimed military career, while Trump never served.  </p><p>But while clearly not a servant leader, Trump’s leadership style is in the mold of another recognizable type of leader–the charismatic leader, whose authority is built partly on personal charisma (and in Trump’s case, a “charismatic lifestyle” filled with opulence). That gives Trump’s leadership style some affinity with President Ronald Reagan’s, but there is a difference. Reagan used acting techniques to enhance his speaking style, which earned him the nickname “The Great Communicator.” Trump is a specific type of charismatic leader–not a galvanizing communicator, but a showman, Strauss says. </p><p>Trump is forthcoming in his interest in showmanship. To illustrate, Strauss cites remarks Trump made during a revealing interview in the 1990s with Playboy magazine. When asked about his heroes, Trump cited Broadway impresario Flo Ziegfeld and Metro-Goldwyn-Mayer studio cofounder Louis B. Mayer. “The ultimate job for me would have been running MGM in the 30s and 40s,” Trump told the magazine. Indeed, Trump described his opulent assets of casinos and Trump Towers as “props for the show.”</p><p>In the same interview, Trump also discusses his relationship with his staff. He prizes loyalty, but unlike a servant leader, who is focused on empowering and uplifting employees, Trump favors testing staffers to see if they will stay loyal and make good decisions. </p><p>“I am always testing people who work for me,” Trump said. “I will send people around to my buyers to test their honesty by offering them trips and other things. I’ve been surprised that some people least likely to accept a trip from a contractor did and some of the most likely did not. You can never tell until you test.”</p><p>Whether Trump’s leadership style will trickle down into the executive suites of U.S. workplaces will ultimately depend on his success, Strauss argues. Trump himself derides many as “losers,” so if his administration runs into serious problems, he could be deemed a loser by those looking to emulate a leader. But peace and prosperity in a Trump administration, Strauss says, will likely mean that more U.S. business leaders will be asking themselves, “Is there something I can learn from this?” ​ ​</p> Picture of U.S. Crime GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​“We need more transparency and accountability in law enforcement. We also need better, more informed conversations about crime and policing in this country,” ​U.S. FBI Director James Comey said when his agency issued its most recent national crime statistics late last year.</p><p>And so, the FBI is moving forward on two major initiatives toward this goal. The agency has started collecting information for its first nationwide use-of-force database. This will be an online database containing information on interactions—both nonfatal and deadly—that U.S. law enforcement officers have with the public.   </p><p>Back in 2014, the U.S. Congress passed the Death in Custody Reporting Act (DCRA), which required states and federal law enforcement agencies to report data to the U.S. Department of Justice (DOJ) when civilians died during interactions with law enforcement. The DCRA also authorizes the U.S. attorney general to impose financial penalties on noncompliant states.</p><p>However, the DCRA did not require reporting for nonfatal interactions. In the absence of such a mandate, the FBI has been partnering with local, state, tribal, and federal law enforcement to set up a system for national data collection about nonlethal incidents. Comey himself had repeatedly advocated for a more comprehensive use-of-force database, as he called the lack of national data on the use of force “embarrassing and ridiculous.” </p><p>The second initiative is a change in the agency’s primary crime reporting system. For years, the FBI’s Uniform Crime Reporting (UCR) program has played this role, but five years down the road, the agency plans to replace it with the National Incident-Based Reporting System (NIBRS).</p><p>Although the UCR system keeps track of the number of homicides, armed robberies, aggravated assaults, and other crimes, agency officials say it does not go far enough in collecting information that could give indications of why crimes occur, and what can be done to prevent them. </p><p>In contrast to the UCR, the NIBRS offers a fuller picture of incidents of crime, with information about what exactly transpired, demographic information about the people involved, the relationship between the perpetrators and victims, and specific location and time coordinates. </p><p>But as of a few months ago, only roughly a third of law enforcement agencies were reporting into NIBRIS. The FBI’s goal is to have all enforcement agencies doing so by 2021, if not sooner. To help lead the way, the FBI has started to publish more data from its field offices about such offenses as human trafficking, hate crimes, and cyber intrusions.</p><p>“Information that is accurate, reliable, complete, and timely will help all of us learn where we have problems and how to get better,” Comey said. ​ ​</p> Up ResilienceGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​America’s national defense has many components. Some of the lesser known pieces are utilities—the nearly 2,000 electric, water, wastewater, and natural gas systems that help the U.S. Department of Defense (DoD) accomplish its mission. When these systems fail, military operations can be disrupted, and national defense can become a bit weaker. </p><p>In recent years, these systems have failed thousands of times, according to a recent study conducted by the U.S. Government Accountability Office (GAO), which examined a representative sample of 453 DoD-owned utilities. The survey found that 4,393 instances of disruption occurred in fiscal years 2009 through 2015, resulting in a financial impact of $29 million. </p><p>These disruptions take many forms. At Joint Base McGuire-Dix-Lakehurst in New Jersey, operations were shut down for an entire week after a power line exploded. The power line had been installed in 1945, and was past its expected service life, base officials explained to GAO researchers. After the shutdown, the facility ran on generator power for the next three weeks while repairs to the line were completed.</p><p>At Naval Auxiliary Landing Field San Clemente Island in California, seven utility poles caught fire and caused an eight-hour islandwide electrical disruption. The fire occurred because the poles’ insulators, which are used to attach lines to the pole so that the electricity will not flow through the pole itself, were corroded and covered with salt, dust, and debris, the report found. This debris formed a conductive layer on the insulator that created an electricity flashpoint that resulted in a fire. </p><p>And there are disruptions due to weather. At Naval Weapons Station Earle in New Jersey, Hurricane Sandy’s storm surge in 2012 destroyed utility infrastructure, disrupting potable and wastewater service and resulting in almost $26 million in estimated repair costs.</p><p>Of those 4,393 disruptions, 1,942 involved water utility systems, 1,838 involved electric utility systems, 343 involved wastewater systems, and 270 involved natural gas utility systems. The Air Force suffered the most frequent disruptions, with 2,036. Next came the Navy (1,487), the Army (784), and the Marines (86). </p><p>The equipment failures that led to the disruptions were often caused by one of three main factors, the study found: the equipment was operating beyond its intended lifespan; the equipment was within its lifespan, but still in generally poor condition; or the equipment’s performance suffered because it had not been properly maintained. </p><p>This finding points to a fundamental challenge for DoD and other federal agencies: real-world budget constraints mean that DoD does not have the funding to upgrade every single system that has outdated equipment. Building resilience under such circumstances is not easy, and it sometimes requires a strategic plan with an achievable baseline goal, says Jason Black, director of analytic insights for Huntington National Bank and a utility policy expert who is also a former U.S. military officer. </p><p>A strategic plan with a goal of sustaining round-the-clock operations every day of the year would be difficult to achieve. A more realistic plan, however, could allow for some disruptions, with a goal of limiting them. For example, the goal could be to limit disruptions to 10 times a year, with each disruption lasting no more than an hour, Black says.</p><p>In striving for this goal, the plan may sketch out how older and more vulnerable utilities would be supported by back-up systems or localized generators, and other special configurations that would be needed to deal with different scenarios. “It’s one thing if a whole base goes out. It’s another thing if just one maintenance facility goes out,” Black says.</p><p>This type of strategic resilience plan could be designed across DoD’s entire fleet of utilities. Some systems only play a crucial role a few times a year, when certain situations are occurring. System resources can also be pooled; if there are four airfields located in one state, it might not be necessary for disruptions on one field to be immediately rectified. “It doesn’t have to be the case that every base has to be sustained all the time,” Black says. “In some cases, it may be cheaper and easier to move people.” </p><p>Instead of simply being reactive and replacing equipment as it breaks, officials could also incorporate utility equipment updates into the strategic plan, to best support operational goals. Incorporating an equipment plan can also serve as an incentive for investment when funding is limited: it illustrates how small investments in certain key systems will put operations in a better position over time, Black says.   </p><p>However, a strategic resilience plan must be based on good information about where disruptions are occurring, their frequencies and patterns, and other data that could be analyzed. In this area, DoD is falling down, the GAO found. Specifically, 151 out of 364 survey respondents in GAO’s study said they did not have information on utility disruptions during the 2009–2015 time period of the study. </p><p>The reason for this lack of in­formation, GAO found, is that the military services are inconsistent in issuing guidance on collecting and retaining utility disruption data. The study found that the Air Force and Marine Corps did not have current guidance on tracking utility disruption information; the Army had some guidance, but it was not available at all installations. </p><p>“Without guidance directing installations to collect information about all types of utility disruptions, service officials may not have the information needed to make informed decisions or to compete effectively for limited repair funds,” the study found. The exception among the services was the Navy, which had recently issued new guidance, auguring well for future data collection within that service, the study found.   </p><p>Given this, the GAO recommended that the Army, Air Force, and Marine Corps take steps to consistently collect disruption information, and issue better guidance on doing so. DoD concurred with these recommendations. </p><p>Finally, Black says there is another tool that DoD may use to boost its utility resilience–partnerships with the private sector. Here, DoD has some advantages at its disposal; some of its sites include significant amounts of land, and they have more zoning and use flexibility because they are government owned. Given these resources, DoD may be able to partner with private sector companies on utility projects, ranging from wind turbines to solar panels. “They may have the room, and they may not have zoning concerns,” Black says. </p><p>Shared resources could also be leveraged in such partnerships, he adds. For example, a generator could be built on a DoD site that would power the local area, but could also be used as a backup in case of power failure at the DoD facility.   ​ ​</p> News March 2017GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​Museum Video</h4><p>Visitors to the USS Midway Museum in San Diego experience a floating city at sea with exhibits, flight simulators, restored aircraft, a gift shop, and more on its 18 decks. The aircraft carrier was an important tool in the U.S. military missions during the Cold War, the Vietnam War, and the Gulf War. Each year, 100,000 visitors come aboard to learn about the ship and its history.</p><p>A recent security upgrade included improving the museum’s video surveillance system. Integrator Layer3 Security Services selected cameras from VIVOTEK for the entire installation. The wide range of cameras used includes fixed domes, pan-tilt-zoom models, and box cameras. Units that withstand inclement weather and vandalism protect the outer areas of the museum. Speed dome cameras are used in the parking lots and on the deck. The cameras operate with ExacqVision software from Tyco Security Products.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>Orchard Place, a provider of children’s mental health services, is using infinias access control from 3xLOGIC, Inc., for most of its facilities.</p><p>Pensacola Christian College installed 12 waist-high turnstiles from Boon Edam Inc. to manage entry into two of its dining halls. </p><p>Covenant Security Services and Covenant Aviation Security formed a strategic partnership with the Risk Services Division of HUB International Limited to provide sophisticated risk management services.</p><p>Criterion Healthcare Security will help members of Vizient, Inc., achieve a standardized security approach in compliance with industry and regulatory standards.</p><p>JRN, Inc., a Kentucky Fried Chicken franchisee in Tennessee, reduced employee theft after partnering with Delaget, LLC.</p><p>DSI Security Services and Viewpoint Monitoring are partnering to provide a wider array of security services for clients across all industries. </p><p>A global collaboration between Evidence Talks and Schatz Forensic will enable investigators to create forensic images using the SPEKTOR forensic intelligence product suite.</p><p>IPC joined the Equinix Cloud Exchange.</p><p>LaView entered a partnership with InstallerNet.</p><p>Nuvias Group became a member of the HID Advantage Partner Program.</p><p>Praetorian became a global auditing partner with Microsoft under the new Security Program for Azure IoT.</p><p>PrecyseTech Corporation teamed with Blackhawk Imaging, LLC, to launch the InPALM Enhanced Video Exchange for law enforcement and security applications.</p><p>RiskIQ is working with Evry as a key reseller in the Nordic region. </p><p>Many DVRs and NVRs from Speco Technologies are now integrated with Immix CC and CS platforms from SureView Systems.</p><p>Security-Net, Inc., formed a strategic partnership with Vector Firm to develop an enhanced sales training program.</p><p>Sony Corporation signed a partnership agreement with Bosch Security Systems to develop pioneering video security applications.</p><p>Suprema entered into partnership with Egis Technology Inc. to produce mobile fingerprint authentication for smartphones.</p><p>The University of Washington, Seattle, is using the unified parking management platform from TagMaster North America, Inc., and T2 Systems. </p><p>Hult International Business School is implementing Touchless Biometric Systems 3D technology to record class attendance in Dubai, London, Boston, and San Francisco.</p><p>Tyco Security Products helped Kiwanis Village Lodge in British Columbia upgrade to an IP-based access control system using Kantech EntraPass Security Software and KT-1 Door Controllers.</p><p>Universal Security staff working at Chicago O’Hare and Chicago Midway Airports received active shooter response training from Archway Defense. </p><p>Dutch mobile-only bank bunq partnered with Veridium to provide secure mobile banking using Veridium ID hand recognition software.​</p><h4>GOVERNMENT CONTRACTS</h4><p>BICSI signed a memorandum of understanding (MOU) with the Engineering Institute of Thailand under H.M. The King’s Patronage to develop engineering practices and solve national problems in engineering through collaboration and information-sharing on events, education, marketing, and standards development.</p><p>BICSI also signed an MOU with La Asociación Mexicana de Empresas del Ramo de Instalaciones para la Construcción (AMERIC) in Mexico.</p><p>Montgomery County Public Schools in Virginia will implement the COPsync911 threat-alert system.</p><p>Farpointe Data announced that its proximity/keypad reader was installed by Cameras Networking and Security of Vermont at the Morristown Fire and EMS building, also in Vermont.</p><p>Magal Security Systems Ltd. announced that Senstar, its North American subsidiary, delivered perimeter electronic security systems to the North Atlantic Treaty Organization for its rapidly deployable military camps.</p><p>NAPCO Security Technologies, Inc., was chosen by the Houston Independent School District to supply security motion detection in all its schools. </p><p>Parabon NanoLabs won a U.S. Department of Defense contract to develop a software platform for forensic analysis of DNA evidence.</p><p>Qognify, formerly NICE Security, announced that the Navi Mumbai Metro selected its mass transit solution to ensure the safety and security of passengers and assets.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>The U.S. Department of Homeland Security granted Safety Act designation protections to Databuoy Corporation for its ShotPoint shooter localization system.</p><p>The DERMALOG AFIS was confirmed as the fastest automated fingerprint identification system in the world by test body SGS-TÜV Saar; the software allows the processing of almost a billion matches per second.</p><p>Farpointe Data announced that three of its card readers with keypads meet the impending requirements for two-factor authentication as described by the U.S. National Institute of Standards and Technology.</p><p>Galaxy Control Systems received new FICAM certification for its System Galaxy Software and its CS Infrastructure System Galaxy Software, now listed on GSA’s approved product list.</p><p>GhangorCloud was named DLP Solution of the Year-2016 and won the Editor’s Choice Award from Computing Security Magazine.</p><p>The New Jersey Tech Council named Lumeta Corporation the winner of its Innovative Technology Company award for 2016. The council selected Princeton Identity Inc. to receive the Outstanding Technology Development Company Award for 2016. </p><p>Reltio earned HITRUST CSF certification status for information security from the Health Information Trust Alliance for its Reltio Cloud. </p><p>Send Word Now was awarded a U.S. patent for the technology inherent in SWN Direct, its new mobile app for alert recipients. </p><p>Winners of the 2016 Detektor International Awards included ILOQ NFC in the access control category; SpotterRF A2000 drone detection in the alarm and detection category; and Sony SNC-VB770 camera in the CCTV category. Suprema, Inc., won the Innovative Achievement Award with BioEntry W2, a fingerprint access control device.​</p><h4>ANNOUNCEMENTS</h4><p>Allied Universal purchased Source Security & Investigations of Halifax, Nova Scotia.</p><p>AT&T and the National Aeronautics and Space Administration are researching traffic management solutions for unmanned aircraft systems. </p><p>Boon Edam Inc. is expanding its training programs to include factory trainings, roadshow trainings, and technical workshops.</p><p>Carnival Corporation announced that it will be the first maritime company to partner with INTERPOL for advanced security screening across its global operations.</p><p>Confidex Ltd. opened a new office in Nice, France, to better serve its global customers.</p><p>International SOS and Control Risks launched the Travel Risk Map for 2017. </p><p>Mesker Openings Group will be acquired by dormakaba to increase product offerings in North America. </p><p>Hitachi, Ltd., established an open laboratory within the Yokohama Research Laboratory to conduct prototyping and proof-of-value. </p><p>Insurance Bureau of Canada participated in Project Cyclone, a joint auto theft investigation involving York Regional Police, Peel Regional Police, the Toronto Police Service, and Canada Border Services Agency, which led to 24 arrests, seizures of property, and recovery of 60 stolen vehicles.</p><p>The Medical Identity Fraud Alliance released a paper to help businesses within the healthcare industry better understand how to deal with medical identity fraud. </p><p>Middle Atlantic Products is participating in UL’s Standard Technical Panel for UL 2416, helping develop future requirements of the standard for audio/video, information, and communication technology featured in cabinet, enclosure, and rack systems.</p><p>Nortek Security & Control will expand its manufacturing capacity by 25 percent.</p><p>OneLogin acquired Sphere Secure Workspace, Inc., to help provide a unified endpoint management solution for enterprises.</p><p>PSA will expand its market footprint to include the professional audio-visual and communications market. </p><p>Smartrac is selling its Secure ID & Transactions Business Division to the Linxens Group. </p><p>SOS Security LLC acquired Eastern Security Inc. of Waltham, Massachusetts. </p><p>The University of California-Berkeley School of Information is partnering with 2U, Inc., to deliver cybersecurity@berkeley, a new online master of information and cybersecurity program.</p><p>Vertx announced the winners of its 5 Days of Thanks campaign: Concerns of Police Survivors; the Special Operations Warrior Foundation; K9s for Warriors; the National Law Enforcement Officers Memorial Fund; and the Sua Sponte Foundation. ​</p> TensionGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​When the U.S. Department of Justice (DOJ) announced last August that it planned to phase out and eventually close 13 private prisons, it was seen as a victory for the prison reform movement. Privately run prisons “incurred more safety and security incidents per capita” than those run by the government, according to a DOJ report released shortly before the announcement. </p><p>Numerous critical investigations on private prisons, as well as the DOJ report and decision, inspired other federal agencies, including the U.S. Department of Homeland Security (DHS), to reassess their use of the facilities. But, despite allegations of inhumane conditions and dissention among DHS advisors, it appears immigration detention centers will continue to be contracted out to private corporations.</p><p>In an unusual series of events, a DHS Homeland Security Advisory Council (HSAC) subcommittee issued a report finding that federally run facilities used for the civil detention of immigrants during immigration hearings are more beneficial, but less cost effective. “Much could be said for a fully government-owned and government-operated detention model, if one were starting a new detention system from scratch,” the report noted. “But of course we are not starting anew.” Just one of the six subcommittee members dissented with the report’s recommendation to continue using private detention facilities, but when the issue was brought to the broader council for a vote, HSAC recommended that DHS oppose the report’s conclusion and close private facilities.</p><p>However, the vote may be more symbol than substance because the HSAC serves in an advisory role to DHS decision makers. Any action on the matter now rests with U.S. Immigration and Customs Enforcement (ICE) officials. In the interim, ICE has already renewed or expanded 15 private and local prison contracts to add 3,600 beds to its arsenal, including reopening a private correctional center in New Mexico that was shut down last year following a series of inmate deaths and reports of deficient medical care.</p><p>The HSAC report’s recommendation appears to be out of necessity—as of November 2016, ICE held more than 40,000 people in 197 immigrant detention centers, even though Congress has currently approved and funded the use of 32,000 beds, according to ICE. Individuals confined in ICE facilities can be held only for the purpose of detaining and removing them from the country. Immigrant detention numbers have already reached record-breaking levels and are expected to continue growing–U.S. President Donald Trump has pledged to deport 2 to 3 million immigrants, further straining the facilities. </p><p>“Capacity to handle such surges, when policymakers determine that detention will be part of the response, cannot reasonably be maintained solely through the use of facilities staffed and operated by federal officers,” the report states. “Fiscal considerations, combined with the need for realistic capacity to handle sudden increases in detention, indicate that DHS’s use of private for-profit detention will continue.”</p><p>The cost of building and operating enough federally run detention facilities to phase out private detention centers, which make up two-thirds of all immigration centers, would cost billions of dollars and not be a good use of government resources, the report notes.</p><p>There have been numerous contributing factors to the increase in detainees held by ICE. A controversial 2009 addition to ICE’s detention budget stating that funding would be made available to “maintain a level of not less than 33,400 detention beds” was interpreted by ICE as a mandate to contract for and to fill that number of beds on a daily basis. This so-called immigrant detention quota has correlated with the expanded detainee population, as well as the involvement of private prison corporations in ICE facility operations, according to Payoff: How Congress Ensures Private Prison Profit with an Immigrant Detention Quota, a 2015 report by nonprofit Grassroots Leadership. The quota system is unique to ICE—no other law enforcement agency operates in such a fashion.</p><p>“Since just before the onset of the quota, the private prison industry has increased its share of immigrant detention beds by 13 percent,” the report states. “Nine of the ten largest ICE detention centers are private. This is particularly noteworthy in light of the expansion of the entire ICE detention system by nearly 47 percent in the last decade.” </p><p>Immigration patterns have also bloated the number of immigrants held in detention centers. An unprecedented surge of Central American women and children to the United States in 2014 created overcrowding, resulting in the construction of the nation’s largest immigration detention center by a private prison corporation. A more recent influx of asylum seekers and immigrants who have been in the United States for years but are now facing exile has continued to strain the facilities.</p><p>Holding immigrants in privately run detention centers is easier on taxpayers’ wallets, ICE says. More than $2 billion in taxes goes to the country’s prison system each year, and lowering that cost is a big incentive to use private facilities, the report notes. Federally run detention centers are notoriously more expensive than their private counterparts—it costs about $127 a day to hold a person in a private facility, versus more than $180 in a government facility. And completely doing away with private facilities and replacing them with federally run ones would cost up to $6 billion, according to the HSAC report. </p><p>Despite the lower price tag for private facilities, prison corporations have seen their profits rise over the past six years—GEO Group, which owns a quarter of all ICE immigrant detention centers, has seen a 244 percent profit increase from 2010 to 2014, the Grassroots Leadership report found. The private prison companies have also spent millions of dollars lobbying on immigration issues and DHS appropriations, according to Grassroots Leadership.</p><p>To civil rights organizations, the increase in private detention facilities means not only the monetization of detainees but centers that do not have to abide by federal quality control. The DOJ report on private facilities notes that contract compliance checklists do not address federal health and correctional services requirements.</p><p>“The observation steps do not include checks on whether inmates received initial examinations, immunizations, and tuberculosis tests…[and] does not include observation steps to ensure searches of certain areas of the prison, such as inmate housing units or recreation, work, and medical areas, or for validating actual correctional officer staffing levels and the daily correctional officer duty rosters,” the DOJ report notes.</p><p>The nonprofit Human Rights Watch website stresses that those kept in immigrant detention centers are not criminals—they are often legal permanent residents, families with young children, or asylum seekers in the midst of civil immigration proceedings. For years, Human Rights Watch and similar organizations have documented abuse and substandard medical care in privately run detention facilities. For example, three people died in detention facilities between October and December 2016. </p><p>While the future of ICE immigration facilities will continue to involve privately run centers despite HSAC dissent, the council did agree with portions of the report’s recommendations that ICE must increase oversight of nonfederal detention facilities. The report found that county jails, which are often used for initial detention and staging, do not have to follow ICE facility standards and should be used for detaining immigrants for no more than 72 hours before moving them to a federal facility. The document also outlined the need for more stringent inspections of nonfederal facilities, including unannounced inspections and meaningful evaluations of conditions in each facility.</p><p>“U.S. Immigration and Customs Enforcement appreciates the Homeland Security Advisory Council’s recent review of the agency’s use of private contract detention facilities,” says ICE spokesperson Danielle Bennett. “The council’s report recognizes ICE’s ongoing commitment to providing a secure and humane environment for those in our custody while making the best use of agency resources. ICE’s civil detention system aims to reduce transfers, maximize access to counsel and visitation, promote recreation, improve conditions of confinement and ensure quality medical, mental health and dental care. ICE leadership will review and consider the council’s recommendations and will implement any changes, as appropriate.” ​ ​</p> the Cyber BuckGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​While a wonderful tool, Spell Check is not always available. And sometimes a misspelling can have a major ramification. That’s what hackers found out in 2016 when a spelling mistake in an online bank transfer instruction prevented them from stealing nearly $1 billion from the Bangladesh central bank and the New York Federal Reserve.</p><p>The hackers, now believed to belong to three separate groups that planned the heist for more than a year, breached the Bangladesh bank’s systems, stole its credentials for payment transfers, and then bombarded the Federal Reserve bank of New York with almost 36 requests to move money from a Bangladesh bank account to accounts in the Philippines and Sri Lanka.</p><p>“Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan nonprofit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation,” Reuters reported. Instead of spelling “foundation,” the hackers wrote “fandation,” which grabbed the attention of the Deutsche Bank employee routing the transaction and led to the suspension of the transfer.</p><p>The hackers, however, managed to get away with about $80 million, making the heist one of the largest bank thefts in history. A later investigation determined that Bangladesh central bank officials “deliberately exposed its computer systems and enabled hackers” to steal the money, a top police investigator told Reuters.</p><p>The heist also brought new attention to financial institutions’ cybersecurity practices and the effects a cyberattack on a major institution could have on the rest of the economy. To address these concerns at the U.S. state level, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations for financial institutions operating in the state.</p><p>The rules were initially slated to go into effect on January 1, but were delayed and went into effect on March 1 to allow time for revisions and industry input. The rules, as of Security Management’s press time, apply to any “person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York banking law, the insurance law, or the financial services law.”</p><p>Those covered by the rules are required to have written policies and procedures that identify and assess the data security practices of third parties that access or hold their nonpublic information. Third parties must meet minimum requirements for cybersecurity practices, and periodic assessments (at least annually) of third parties and their cybersecurity practices are required. </p><p>Additionally, the rules require covered entities to designate a qualified chief information security officer (CISO) to be responsible for overseeing and implementing their cybersecurity program and enforcing cybersecurity policy. They also must hire cybersecurity personnel to perform cybersecurity functions, such as identifying cyber risks, responding to cyber events, and recovering from them.</p><p>While these seem like good polices on paper, Vice President of Technology and Risk Strategy for BITS and member of the Financial Services Roundtable Heather E. Hogsett said the rules are proscriptive and present a one-size-fits- all solution that doesn’t work for the New York financial industry, which is made up of international firms, as well as medium-sized and small banks.</p><p>The DFS rules also conflict with other regulatory measures, making it difficult for organizations to comply with them, Hogsett explained in an appearance at the New America Foundation in December.</p><p>“The question is, where does this end? And we do run the risk…the more you require information to be reported to different places in different formats, you’re taking your security professional’s eye off the ball and focusing more on compliance instead,” Hogsett said. “And it’s a national security concern. You’re creating honeypots of really sensitive information for a critical sector of the economy for attackers to really go hard at.”</p><p>New America recently called this out in a report, something Hogsett said she appreciated, and requested that all federal agencies follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It called for regulatory bodies to go back through their frameworks and harmonize them to the NIST framework.</p><p>One recent effort by the U.S. federal government to do this is an advanced notice of proposed rulemaking (ANPR) on Enhanced Cyber Risk Management Standards by the U.S. Federal Reserve Board, the U.S. Federal Deposit Insurance Corporation (FDIC), and the U.S. Office of the Comptroller of the Currency (OCC).</p><p> “As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyberattacks,” the ANPR says. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”</p><p>The three agencies are considering applying the new standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board. The standards, however, would not apply to community banks.</p><p>“This ANPR would build on the existing framework of information technology guidance already in place,” said FDIC Chairman Martin J. Gruenberg in a statement. “The enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.”</p><p>The ANPR addresses five categories of cyber standards: cyber risk governance, cyber risk management, internal dependency management, external dependency management, and incident response, cyber resilience, and situational awareness.</p><p>The agencies are considering a two-tiered approach for an additional, higher set of expectations that would apply to covered entities that are critical to the financial sector. Security Management reached out to both the FDIC and the OCC for comment and was referred to the Federal Reserve, which did not return requests for comment for this article.</p><p>As part of the proposed rulemaking process, the agencies had asked for extensive feedback from stakeholders before the open comment period closed on January 17, 2017.</p><p>However, as of Security Management’s press time, only one person had submitted a comment on the ANPR: Reginald P. Best, president and chief product officer of the Lumeta Corporation, which provides network situational awareness services.</p><p>Lumeta has worked with the financial community for the past decade and has provided network-based cyber situational awareness analytics tools and services to seven of the largest financial institutions with more than $50 billion in assets that may be covered by the ANPR. </p><p>“We’ve had a fair amount of experience in some of the underlying issues that we think are problems that may potentially lead to more substantive breaches,” Best explains. “As I looked at the proposed rule, we wanted to provide some of our insights to help the industry in figuring out what they need to do and what they should be doing.”</p><p>In his comment, Best focused on responding to three of the agencies’ questions that asked for information on how entities evaluate their situational awareness which forms the core of a strong cybersecurity program.</p><p>“Without fundamental situational awareness of the network infrastructure, which is easy to say and hard to do, nothing else that you do will matter or be as complete as it needs to be,” Best tells Security Management.</p><p>One of the biggest problems right now, however, is that many large financial institutions have a false sense of security about their situational awareness—they feel like they know what is happening on their networks. </p><p>“Despite investment in multiple tools at various places in the enterprise ‘security stack’…the very basic understanding of what constitutes the network, how it changes in real time, what the infrastructure comprises (approved versus rogue), what the authoritative topology of the network and network edge is, remains elusive and is often an afterthought,” Best wrote.</p><p>Some financial institutions miss this infrastructure because they forget to document it, aren’t aware of it, and aren’t hunting for network state changes to validate that they have an accurate understanding of their network.</p><p>With his feedback, Best says he hopes that if a proposed rule is created from the ANPR process, it will include a mandate for covered financial institutions to have an automated way of understanding their infrastructure. </p><p>However, Best adds that it would be a mistake for the agencies to require all processes of monitoring, identifying, and remediating cyber threats be automated. </p><p>“I think that could be challenging for most organizations to do today,” he says. “Ultimately, that may be required in the future—that networks be self-healing. But it might be a mistake to enforce that extent in the proposed rulemaking.”</p><p>Instead, Best says he hopes that the agencies focus on getting the basics right when it comes to cybersecurity—like NIST did in its Cybersecurity Framework. </p><p>“Because if you get the foundation right, then all the other stuff in the stack can come on and take care of itself in the fullness of time,” he says.   ​</p> to the MassesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Sanofi is a global pharmaceuticals business that manufactures and distributes vaccines and medications worldwide. The organization provides diabetes solutions, consumer healthcare services, animal health products, and other therapies. Sanofi Pasteur, the vaccines division of Sanofi, provides more than 1 billion doses of vaccines each year, which immunize more than 500 million people across the globe.<img src="/ASIS%20SM%20Callout%20Images/0317%20Case%20Study%20Stats%20Sidebar.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:296px;" /></p><p>With more than 100 locations in the United States, Sanofi has approximately 25,000 employees domestically, and a global workforce of more than 125,000. Keeping track of those workers and ensuring their safety is of utmost concern to the company, says Joe Blakeslee, security systems manager at Sanofi. </p><p>For its North American sector, the organization incorporates several solutions as part of its overall security profile, including access control, CCTV, and emergency notification. For many years, Sanofi had several mass notification platforms that were disparate, without a centralized way to manage alerts for all employees. </p><p>In late 2014, Sanofi put out a request for proposal to find a product that could unify its many mass notification platforms into one seamless solution. Near the beginning of 2015, it chose Everbridge Mass Notification, a Web-based application that allows for distribution of messages to a large audience. </p><p>“The biggest part about Everbridge that stood out was the user interface,” Blakeslee says. “It provided everything we needed, and we were also impressed with how easy the system was to use.” The Sanofi North America security team started rolling out the application at the beginning of 2015 for internal security purposes, and in June of that year began registering all North American employees into the system.</p><p>He adds that the variety of options for reaching employees was paramount, given Sanofi’s mobile workforce. “Everbridge has multiple modalities in which you can actually send the message,” he says. “We use all the modalities whether it’s cell phone, SMS, home phone, or email. We give all of our employees the ability to elect whatever modality they would like.” Employees rank their preferred communication modalities in order when registering for the system; that way, if one method fails to contact the worker, notifications will automatically be sent via other methods until the party is reached.  </p><p>Everbridge is used on a daily basis at Sanofi, he adds. “Every day we use the application to alert various groups within the company, whether it’s related to fire alarms, evacuations, hazmat response, or other incidents.” </p><p>Sanofi has a central security services center (SSC). There, analysts monitor the business locations across the country for alarms and alerts using various security management software. Only designated individuals within the SSC can access the Everbridge platform and administrate messages through the platform. When there is an incident, such as a fire alarm, analysts send out alerts to the affected employees to give them situational awareness through the Everbridge Web portal. In the fire example, employees would be alerted to evacuate the building and await further instruction. The messages being sent can be selected from a set of prewritten options, or modified based on the particular event; normally in an emergency, the messages are written at the time by the security team. </p><p>“Say you have a building with 3,000 people in it. We want to reach them wherever they may be,” he says, “and reach as many people as we can in as little amount of time as possible.” </p><p>The Everbridge application is used to notify workers that it is safe to return to their desks. It also displays in real-time the status of employees involved in the incident. Employee status can either be confirmed or unconfirmed. If someone is unconfirmed, the Everbridge system allows the SCC to resend the message or try a new contact path based on the order of the employee’s preferred contact methods to try to get a response. For example, if sending an SMS to a cell phone doesn’t work, the system will make a telephone call, then send an email, and so forth. The confirmation lets the security team determine which employees are safe. </p><p>The system helps get employees back to work more quickly, because people aren’t wondering whether it’s safe to return to their desks. </p><p>Everbridge can also be used for incident management. For example, in the case of a trespasser, security would get an alarm or a phone call. “From there, SSC would send out a notification from Everbridge to the local emergency response personnel, asking for them to respond to the occurrence,” Blakeslee says. “After the message is sent to all the recipients’ devices, the SSC would, in real time, monitor the responses from the recipients’ confirmations and determine how many people are responding to the event.” </p><p>Everbridge isn’t just used for reactionary purposes. It provides proactive security measures as well. Sanofi has security officers at each of its locations, and the organization conducts daily check-ins with those personnel who are patrolling alone to ensure they are safe and accounted for. Sanofi expects a message back, and “if they don’t respond, we escalate that to the SSC and they handle it from there,” Blakeslee says.  </p><p>He adds that the mobile nature of the modern workforce means that employees won’t always be working from their primary location. “Our workforce is dynamic. One day I may be working in Pennsylvania, the next day I might be in New Jersey,” he says, noting that several employees and contractors travel frequently. To help keep track of its mobile workforce, Sanofi rolled out a newer feature from Everbridge called Safety Connection in the second quarter of 2016. The solution aggregates geo-location data from multiple systems so Sanofi knows where its employees are at any given time.  </p><p>Blakeslee says that given the sensitivity of materials they manufacture and distribute, as well as the importance of their services to customers, the culture at Sanofi is safety oriented. “Anything dealing with safety we’re really reactive to, so Everbridge provides us another means of communicating to keep our employees safe.”</p><p>--<br></p><p>For more information: Jeff Benanto,,, 781.373.9879 ​</p> TroubleGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The insider fraud that took place at Wells Fargo is still being investigated, but experts say the scam that involved the creation of 2 million unauthorized customer accounts is unprecedented. Beginning as early as 2011, thousands of Wells Fargo employees created bank accounts for existing customers without authorization, and generated millions of dollars in fees that profited the company along the way. </p><p>“Wells Fargo employees secretly opened unauthorized accounts to hit sales targets and receive bonuses,” said Richard Cordray, director of the Consumer Financial Protection Bureau (CFPB) in a statement. </p><p>The CFPB went onto say that workers even created fake PIN numbers and phony email addresses to fraudulently create the accounts. The bank will pay $185 million in fines to the bureau and $5 million to customers for their losses.</p><p>During a U.S. Congressional hearing in which then-Wells Fargo Chairman and CEO John Stumpf testified before lawmakers, U.S. Rep. Maxine Waters (D-CA) called the event “some of the most egregious fraud we have seen since the foreclosure crisis.”</p><p>Stumpf stepped down in October 2016 as leader of Wells Fargo, and forfeited $41 million in stock awards and part of his 2016 salary and bonus. Since the scandal was uncovered, the bank has fired at least 5,300 employees.</p><p>While the ethics scandal at Wells Fargo garnered international attention, insider fraud and theft by employees has become increasingly prevalent at financial institutions. In 2014, New York Attorney General Eric T. Schneiderman announced the arrest of an identity theft ring that had siphoned $850,000 from a bank’s customer accounts with the help of several tellers at banks in New York City and surrounding counties. </p><p>In 2015, two private bankers with J.P. Morgan Chase were indicted for funneling $400,000 from Social Security accounts of 15 people, some of whom were deceased, according to court documents from the Brooklyn District Attorney’s office. </p><p>Schneiderman later sent a letter to several large banks, including J.P. Morgan Chase, Bank of America, and Wells Fargo, urging the financial institutions to rein in their employees’ access to customer data. The Wall Street Journal first reported on the letter, which it obtained in June 2015. Schneiderman said that teller theft was the number three cause of data breaches in the state of New York, just behind poor cybersecurity and lost or stolen equipment. </p><p>Schneiderman concluded that “much of the wrongdoing could have been caught if the banks had noticed and shared red flags; for example, an employee accessing an unusually large number of accounts or looking up accounts without dealing with those customers,” according to the article. ​</p><h4>Access to Information</h4><p>Experts say that an increase in theft and fraud has been accompanied by an evolution in the banker’s role. The traditional role of the teller who sits behind a desk counting dollar bills has progressed with the proliferation of the Internet and other digital tools. </p><p>“Technology now handles so many of the traditional teller transactions, like checking your balance or moving your money,” says Dr. Kevin Streff, associate professor and director of the Center for Information Assurance at Dakota State University. “Those kinds of transactions that used to be handled by people are now handled by automation for a large part, so the teller’s responsibility then moves up to the next level of service to the customer.” </p><p>Such transactions include changing personally identifiable information details on accounts, all available to tellers with the click of a button. </p><p>“Technology in general makes it so much easier to get the information that we’re talking about; there’s no question that’s increased the risk for internal theft cases,” says Kevin Smith, CPP, former senior vice president and corporate security director at Chevy Chase Bank and member of the ASIS International Banking and Financial Services Council. </p><p>But with the proliferation of ATMs and online banking services, this increased access to information is coupled with a diminished demand for tellers. They don’t garner the largest salaries—on average, tellers make about $13 an hour, or $27,000 a year, according to 2015 statistics from the U.S. Bureau of Labor. Experts say these low wages, combined with tempting sales-goal incentives, can create a formula for theft and fraud. </p><p><strong>Theft.</strong> Streff notes that the black market for customer records, credit card information, and other sensitive data is based on supply and demand, and the current supply is high. Therefore, employees will be tempted to steal more records to make the most money. </p><p>“It’s still very motivating to get 1,000 payment cards from a bank, and even if you can only get $25 a card, that’s still $25,000,” he says.</p><p>And there are plenty of bad actors waiting on the other side of the Web to help them carry out the crime. “The bad guy externally has the skill, the insider has the access privileges and the rights and trust, and that together creates the perfect storm to be able to complete that cybercrime,” Streff explains.</p><p>He recounts such a situation investigated by his firm Secure Banking Solutions, a cybersecurity company focused exclusively on the banking sector. </p><p>“We saw a situation at a Midwestern bank where a couple of tellers were printing about eight customer records each per day for about a year, and then they were putting them in their bags or purses and walking out the door,” Streff says. “So eight customer records a day is about $200 a day—there’s a nice little augmentation to their salary.”  </p><p>During his long tenure as a security director and vice president at banks across the country, Smith says he dealt with a similar situation during a merger and acquisition. </p><p>“The criminals were focused on the fact that the employees would no longer have allegiance to the company” that was being acquired, he says. “We apprehended one of our employees working at a call center that was selling customer information in the parking lot to someone that had approached them and said, ‘I’ll give you $50 for every name, address, telephone number, and date of birth that you can give me.’” </p><p><strong>Incentives.</strong> Scamming customers with help from the outside is just one of many risks faced by financial institutions. Corporate culture can become the catalyst for bad behavior as well. </p><p>During the U.S. House Congressional Services Committee hearing on Wells Fargo, lawmakers criticized the sales incentives that offered rewards to employees who opened a certain number of accounts. CNN Money reported in September 2016 that Wells Fargo employees had complained about the “pressure cooker environment” created by these “wildly unrealistic” sales goals. </p><p>Stumpf testified before the committee that sales goals were being eliminated companywide in January 2017 as a result of the scandal. </p><p>While this practice had become toxic at Wells Fargo, other banks rely heavily on the motivation behind such goals. </p><p>“The reality is that many companies, particularly smaller companies, survive on those sales goals,” says Smith, adding that common practice is to reward not only tellers, but managers and senior executives when their employees reach those goals. </p><p>This practice can lead to fraudulent behavior when employees are pressured to meet goals or face negative repercussions for not doing so. “When you dangle the guillotine over someone’s head and say ‘If you don’t do this, this thing is going to happen to you.’ Well come on, leadership gets exactly what they deserve,” says Clint Hilbert, owner of Corporate Protection Technologies, LLC. “They’re actually promoting that behavior.” </p><p>Hilbert says that a series of checks and balances within the company will help prevent fraud from occurring. </p><p>“The checks and balances have to be built in from the time you’re pursuing a market to the time you’re reinvesting your profits,” he says. “All of those stages in between have to have checks and balances that can be independently surveyed.” </p><p>Smith echoes the concern regarding a competitive sales environment, and notes that management can often become a part of the problem. </p><p>“Hypothetically, I think what happens in those situations is people are incented to sell, sell, sell,” he says. “And if the person monitoring that activity is also gaining from the sell, sell, sell, they’re disincentivized from identifying any problems.” </p><p>Having an independent third party or group outside the management chain to audit sales activity ensures that banks aren’t engaging in fraudulent behavior.​</p><h4>Management </h4><p>Experts say that engaging employees and giving them a sense of buy-in at the company is a first step to keeping them from becoming an insider threat, and treating whistleblowers with fairness and exercising transparency can help leadership build trust. </p><p><strong>Whistleblowers.</strong> Since the Wells Fargo scandal came to light, employees have come forward saying that they were fired or punished for blowing the whistle on the fraudulent activity taking place. </p><p>In a November 2016 letter to new Wells Fargo President and CEO Timothy Sloan, U.S. Senators Elizabeth Warren (D-MA), Robert Menendez (D-NJ), and Ron Wyden (D-OR) inquired about the firing of certain employees, writing that “the bank may have done so to retaliate against whistleblowers.” </p><p>Former employees told NPR News that they received bad marks on their U5 forms—a system set up and operated by the Financial Industry Regulatory Authority—after pointing out the fraudulent behavior. Those forms are essentially used as a permanent record of their employment history as a banker. Wells Fargo says it is investigating those claims.  </p><p>Hilbert says that anyone who raises a red flag about company practices should be treated with fairness, whether they are right or wrong. </p><p>“The first time you publicly fry a whistleblower, you no longer have ownership by the employees,” Hilbert says. “Even if the whistleblower is 100 percent wrong, there has to be transparency because that’s where you’re going to lose trust.” </p><p>Rather than creating a culture where managers are pitted against employees, Hilbert says, creating mutual respect will fuel the two-way relationship. He adds that employees essentially should respect the company more than they respect their coworkers who engage in bad behavior so that they report any incidents. </p><p> “You have to be transparent, you have to be honest, and you have to communicate—therein lies the basis of every relationship,” he says. “That trust today is such an important factor for the C-suite to embrace.”</p><p><strong>Hiring and training.</strong> Increasing levels of responsibility for tellers ought to be supplemented with more security training and better hiring practices, Smith says. And security compliance and training programs should be ongoing to keep employees engaged with banking best practices. </p><p>“Those types of training programs on ethics in the workplace really have to be an integral part of the program coming through the door, and they have to be emphasized on a regular basis,” he notes.  </p><p>For many bank workers, it may be their first job, meaning they haven’t had exposure to security or compliance training in the past. </p><p>“These tellers and call center employees can be right out of high school,” Smith says. “It’s an entry-level position, and you really need to drive that point home about ethics in the workplace because they’ve never had that training before.” </p><p>Hiring people with the right background is critical for employees that will be handling sensitive customer information. Banks can take advantage of access to law enforcement to conduct background checks. </p><p>“In the financial services industry, background investigations are critical,” Smith says. Under Federal Deposit Insurance Corporation (FDIC) rule number 19, banks can get permission to go directly to the FBI for such background screening. </p><p>Smith adds that under these regulations, banks are also prohibited from hiring someone who has been convicted of a theft or a breach of trust offense. </p><p><strong>Monitoring.</strong> Supervisors need to be the first line of defense when it comes to ensuring their employees aren’t engaging in bad behavior, Smith says. He explains that several technological tools are available to help produce reports using data from employee transactions. Using those reports, supervisors “ought to identify what the typical pattern is for their employees…and develop a report that would alert to out-of-pattern activity.”  </p><p>A worker accessing unusual amounts of customer information could be a tipoff to fraudulent behavior. “Let’s say typical daily activity for a teller is servicing about 50 accounts,” Smith says. “If you find that they’re looking at 300 accounts, that’s out-of-pattern activity and should be investigated.” </p><p>Streff adds that while technology is a great tool, creating awareness within the company is invaluable. “Certainly you want controls in place that lock things down, you want sensors to identify anomalous behavior, but you want to create an awareness in your workforce to be a protection as well,” he says.  </p><p>And employees at all levels can be the best tools for fighting insider threats, Hilbert says. “If you have 100 employees, you have 200 eyes,” he notes. “And if you can motivate those employees to do your camera work for you, you’ve got the best camera system that money can buy.”  ​ ​</p> in LiabilityGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Yvonne Hiller was not having a good day. On September 9, 2010, Hiller had a quarrel with her coworkers—Tanya Renee Wilson, LaTonya Brown, and Bryant Dalton—at the Kraft Foods plant in Northeast Philadelphia where she had worked for 15 years. At a union stewards and supervisors meeting that evening, a decision was made. She was suspended and had to vacate the facility immediately.</p><p>Kraft had contracted U.S. Security Associates, a private-sector firm, to provide security for the plant, and U.S. Security Site Supervisor Damon Harris was called to escort Hiller to her vehicle and ensure that she left the property.</p><p>However, Harris did not walk Hiller to her car. He left her at the guard booth at the security gate at the entrance to the plant and allowed Hiller to walk to her vehicle, alone. But Hiller did not drive away.</p><p>Instead, she retrieved a firearm from her car and drove back to the security gate where she pointed her gun at U.S. Security Officer Marc Bentley, who was inside the guard booth, and demanded to be allowed back into the plant.</p><p>When Bentley did not open the gate, Hiller drove through it. Bentley then paced back and forth inside the guard booth, while his supervisor—Harris—ran away. Both security officers called 911 after several minutes of panic and confusion, but they failed to alert anyone else in the plant that Hiller was inside, and that she was armed.</p><p>Hiller made her way through the plant to where the union meeting had taken place earlier that evening, opened fire, and shot Wilson, Brown, and Dalton. Wilson and Brown were killed, but Dalton survived the attack.</p><p>Local law enforcement responded to the scene, taking Hiller into custody. She was eventually convicted of two counts of first-degree murder and one count of attempted murder. She is currently serving a life sentence in prison.</p><p>The estates of Wilson and Brown filed a civil suit against U.S. Security and Hiller in 2015, alleging that the security company was guilty of negligence for failing to protect the people at the plant during the shooting and for failing to warn employees that Hiller was in the plant, armed with a gun.</p><p>The First Judicial District Court of Pennsylvania agreed with them, granting the estates more than $46.5 million in damages—$8.02 million in compensatory damages and $38.5 million in punitive damages.</p><p>“The verdict is an important message to U.S. Security that their guards can’t simply run away in the middle of a crisis,” said Shanin Specter of Kline & Specter, P.C., which represented the Wilson and Brown families in the civil suit, in an interview with Philadelphia’s NBC local affiliate. U.S. Security did not return requests for comment on this article. </p><p>The case served as a lesson for the contract security industry that negligent behavior by officers can be a form of premises liability. Premises liability is a legal concept typically associated with personal injury cases where someone is injured by an unsafe or defective condition on someone else’s property. The classic example is a slip-and-fall case.</p><p>Kraft had contracted with U.S. Security and set forth the service agreement in written documents, outlining the security officers’ guide and post orders. </p><p>The service agreement explained that U.S. Security personnel would have administrative and operations experience in security services at a level adequate to the scope of work and would be “responsible for maintaining high standards of performance, personal appearance, and conduct,” according to court documents. </p><p>Personnel would be responsible for duties such as access control; escort services; incident reports; in-depth knowledge of facility-specific requirements, expectations, and emergency procedures; patrol service duties; alarm response; emergency and accident response; and security gate control.</p><p>The service agreement also outlined what was expected of security personnel in response to an emergency at the Kraft plant in Philadelphia. The nine-step procedure included remaining calm if the officer was witness to a threatening situation, contacting a Kraft representative immediately, calling 911 if the threat was immediate, being prepared to assist if the situation became confrontational, and noting all facts about the incident in the security log.</p><p>However, the U.S. Security officers on site that day did not follow the emergency response protocol or the service agreement to escort Hiller from the plant to her vehicle, which is why the jury sided with the plaintiffs, says Eddie Sorrells, CPP, PCI, PSP, chief operating officer and general counsel for DSI Security Services, a contract security provider based in Dothan, Alabama.</p><p>The jury initially said to U.S. Security “you failed in your responsibility contractually to make sure that this bad person got off the premises,” Sorrells explains. “You didn’t do your job. And then when the person came back and started making threats and ultimately shooting, you didn’t communicate it. You didn’t do your job to warn the people inside; you didn’t communicate there was an emergency or a shooter on the premises. All you did was call 911 and hide. And we’re going to say that wasn’t enough.”</p><p>This is why it is critical for contract security providers and their clients to draft and review policies related to security officer duties and emergency response.</p><p>“Any plans, procedures, and policies that you had in place are going to be front and center when a tragedy like the Kraft case happens—or even something far less tragic,” Sorrells says. </p><p>For contract security providers, the case illustrates the importance of reviewing background screening and training processes for security guards. One criticism in the U.S. Security case, according to court documents, was that Bentley—a relatively new security officer—was not adequately trained to know how to use the available technology to communicate that Hiller had reentered the plant with a gun.</p><p>“One of the most important lessons learned from this case is how critical training is for the security officer,” Sorrells explains. “That’s not a suggestion that U.S. Security didn’t have that; it just reinforces the need to have real policies and procedures that can be…exercised and trained on.”</p><p>The case also shines a light on another security risk that can sometimes be overlooked by contract security: high-risk terminations. While Hiller was suspended from Kraft—not fired—the same principles apply, and contract security providers should make sure that their clients know the warning signs for an individual who might be a high-risk termination and require a security escort from the facility.</p><p>The client hiring a contract security firm also has a responsibility to make sure the firm has the background, resources, and knowledge to advise them on best security practices.</p><p>“I’m fond of saying that corporations are not hiring a staffing agency; they’re hopefully hiring security experts who can come in and advise them on what is needed in terms of emergency communications, training, and internal education for your employees,” Sorrells adds. </p><p>“We have to make sure that training is there to hopefully prevent these things from happening; and even if all those efforts fail, once someone does show up with a weapon, we need to have procedures in place to make sure emergency notifications are sent out,” Sorrells says. ​</p><h4>Insider Threats</h4><p>Around 10:09 a.m. on September 8, 2013, Yale University doctoral student Annie Le swiped her security card and entered the research lab on Yale’s campus where she conducted experiments into enzymes that could have implications for cancer, diabetes, and muscular dystrophy treatments. </p><p>Later that day, a fire alarm went off in the lab, requiring everyone to evacuate the facility. But Le did not leave. And Yale University did not search the building to locate her. Eventually, when Le did not come home that night, her roommate called the authorities at Yale to report her missing.</p><p>However, authorities did not begin looking for Le until the following morning. They would not find her until five days later—on the day she was scheduled to be married—when they discovered her body stuffed into a wall in the basement of the lab facility.</p><p>Authorities would later determine that fellow laboratory technician Raymond J. Clark III had brutally assaulted and strangled Le on Sep­tember 8. He pleaded guilty to her murder and is currently serving a 44-year prison sentence.</p><p>Following his sentencing, Le’s family filed suit against Yale, alleging that it was negligent and failed to use reasonable care by hiring Clark for a position that allowed him unsupervised access to students and staff; by retaining Clark in that position; by failing to adequately supervise and monitor Clark’s activities; and by permitting Clark to work alone in remote areas of the building with Le and others.</p><p>The family also claimed that Yale was negligent for failing to inform and warn Le about the potential threat Clark posed; failing to take “reasonable steps” to provide a safe and secure environment for Le to work at the facility; failing to maintain a properly qualified and trained security staff at the lab; failing to respond to a fire alarm that sounded the same day Le was murdered; fostering an atmosphere of tolerance of sexual harassment and sexual assaults that emboldened Clark; failing to investigate Le’s unexplained disappearance; and failing to detect, prevent, or intervene in Clark’s attack and murder of Le.  </p><p>Yale denied the allegations, ABC News reported. “Yale had no information indicating that Raymond Clark was capable of committing this terrible crime, and no reasonable security measures could have prevented his unforeseeable act,” the university said. Yale later agreed to pay the Le family $3 million to settle the suit in 2016, according to the Associated Press.</p><p>Paul Slager, a lawyer for Le’s family and a partner at Silver Golub & Teitell LLP, declined to comment on the settlement but did say that the case was part of a broader trend he’s seen in negligent security cases. </p><p>“Ten years ago when people talked about negligent security it was ‘How do you keep unauthorized intruders out?’” he explains. “As a lawyer, the issues have shifted now that there has to be recognition by security professionals that just keeping intruders out doesn’t mean you’re maintaining a safe and secure environment.”</p><p>For instance, the security precautions that Yale had taken—installing security cameras and using a card access control system—were designed to keep unauthorized individuals from entering the laboratory that Le worked in. However, they were not designed </p><p>to address insider threats from those who had authorized access to the facility.</p><p>Now, there is a greater acknowledgment that sometimes the threat to employees and students is an insider threat, and there may be other ways to prevent those crimes or acts of workplace violence from taking place, Slager explains.</p><p>“Workplace violence is such a big issue, and this case had layers of workplace violence to it,” he says. “These people (Le and Clark) knew each other really well.”</p><p>One security method Slager says he’s seen more of recently is the rise in portable personal protective devices, which are designed to be carried by individuals and allow them to request help immediately.</p><p>For instance, the University of Bridgeport in Connecticut began giving all new students National Protective Systems’ Personal Alarm Locators (PALs) in 2003. When pressed, the device can pinpoint a student’s location on campus and alert campus security. </p><p>“The PAL system is only used on the main campus of the university. Your picture and location will automatically appear on two screens at the security office,” according to the university’s 2016 Annual Security and Fire Report. “Security will then respond to the location of your PAL, even if it is in motion.”</p><p>The device also provides critical health information about students in the event of an emergency. The university won the Jeanne Clery Campus Safety Award in 2003 for its use of the technology to improve campus safety.</p><p>The devices have been effective at deterring crimes, and in one instance prevented a crime when there was a conflict between a man and a woman on campus, Slager says. </p><p>Because of this, Slager explains that he argued in the Le family’s suit against Yale that giving this type of personal protective device to students and employees would have been an effective way to deter or interrupt the assault on Le, which killed her.</p><p>Le worked in an isolated part of the lab facility and Yale “didn’t offer sufficient protections from coworkers or people who had proper authority to be there,” Slager says. </p><p>Because Yale and the Le family settled their suit, no damages were awarded. But in the U.S. Security Services case, the damages the jury awarded the plaintiffs were significant. The case was being appealed at the time Security Management went to press, so they may be reduced, but the high amount was initially awarded, Sorrells says, due to the loss of life and the perception that more could have been done to prevent it. ​ ​ </p> Art of Servant LeadershipGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Servant leaders are a revolutionary bunch–they take the traditional power leadership model and turn it completely upside down. This new hierarchy puts the people–or employees, in a business context–at the very top, and the leader at the bottom, charged with serving the employees above them. And that’s just the way servant leaders like it.</p><p>That’s because these leaders possess a serve-first mindset, and they are focused on empowering and uplifting those who work for them. They are serving instead of commanding, showing humility instead of brandishing authority, and always looking to enhance the development of their staff members in ways that unlock potential, creativity, and sense of purpose.  </p><p>The end result? “Performance goes through the roof,” says Art Barter, founder and CEO of the Servant Leadership Institute and former CEO of Datron World Communications, Inc.</p><p>“Magic happens,” agrees Pat Falotico, a former executive leader at IBM who is now CEO of the Robert K. Greenleaf Center for Servant Leadership. </p><p>Experts often describe the majority of traditional business leaders as managers who mainly function as overseers of a transaction: employees maintain desired performance levels, and in exchange they receive salary and benefits. Generally, these managers are positional leaders–they derive authority simply from the fact that they are the boss.</p><p>The servant leader moves beyond the transactional aspects of management, and instead actively seeks to develop and align an employee’s sense of purpose with the company mission.</p><p>The fruits of these labors are bountiful, servant leadership advocates say. Empowered staff will perform at a high, innovative level. Employees feel more engaged and purpose-driven, which in turn increases the organization’s retention and lowers turnover costs. Well-trained and trusted staffers continue to develop as future leaders, thus helping to ensure the long-term viability of the organization. </p><p>To reap these fruits, several things need to happen, experts say. Servant leadership ultimately starts with an unselfish mindset. “If you have selfish motivations, then you are not going to be a good servant leader. It has to be less about you,” Falotico says. Moreover, the organization at large needs to sustain a workplace culture in which this type of leadership can thrive. Finally, there are behaviors that the servant leaders themselves must practice on a regular basis. “As leaders, we can say anything we want, but we’re going to be judged on our behavior,” Barter says. And for the servant leader, behavior isn’t just what gets done, but how it gets done.</p><p>This article, based on several expert and practitioner interviews and recent research in the leadership field, explores the art and practice of servant leadership–its philosophy and goals, as well as best practice guidance for security leaders who aspire to become great servant leaders. We also take a look forward, and explore servant leadership’s impact on the future of leadership.​</p><h4>Origins and Applications</h4><p>Servant leadership can be considered something of a universal concept, because it has roots in both Eastern and Western cultures, researchers say. In the East, leadership scholars point to Chinese philosophers in 5th century BC such as Laozi, who asserted that when the best leaders finished their work, their people would say, “we did it ourselves.”</p><p>In modern-day leadership circles, the concept gained much currency with Robert Greenleaf’s 1971 essay, The Servant as Leader. Greenleaf, who passed away in 1990, went on to found the Atlanta-based Greenleaf Center for Servant Leadership. Falotico now leads the center, after spending 31 years at IBM.</p><p>In practice, Southwest Airlines, under the direction of founder Herb Kelleher, is frequently cited as the model servant leadership corporation. Kelleher’s philosophy of putting employees first resulted in a highly engaged, low-turnover workforce and 35-plus consecutive years of profitability, an unheard-of record in the turbulent airline industry </p><p>Barter, who now leads the California-based Servant Leadership Institute, came to the concept by a circuitous path–working for companies that did not follow its practices. “I spent 20 to 25 years working at public companies that believed in the power model–it was all about what you could do for me in this quarter,” he says. He then became acquainted with the work of management expert and servant leader advocate Ken Blanchard. In 2004, when Barter became the CEO of Datron, a tactical communications equipment supplier, he was determined to head the firm as a servant leader. The results were dramatic. The company’s revenue grew from $10 million to $200 million in six years.</p><p>As a veteran business executive for many different companies, Barter is familiar with corporate security operations and departments, and he believes that the servant leadership model is a great fit for security leaders who are charged with protecting people and assets. He explains it this way: security managers must sometimes make quick and informed operational decisions, such as when a breach is suspected. A servant leader will do this, and will then use those decisions as educational tools, analyzing them in discussions with staff, and soliciting their opinions and ideas. This becomes a win-win-win situation: it builds trust between manager and staff, it helps employees develop as security professionals, and it enables the manager to gain new perspectives on security issues.  ​</p><h4>Best Practices</h4><p>Experts offer a range of best practice suggestions for security leaders who aspire to become successful servant leaders. Most experts agree, however, on one bedrock principle: successful servant leadership starts with a leader’s desire to serve his or her staff, which in turn serves and benefits the organization at large. This serve-first mindset can be put into practice from the beginning, during an employee’s onboarding phase, says Michael Timmes, a leadership expert and consultant and coach with the national human resources provider Insperity.</p><p>During onboarding, after the initial introductions, getting-acquainted conversations, and explanations about how security operations work, the servant leader should solicit the new hire’s observations, impressions, and opinions, Timmes says. This conveys the message, from the onset, that the employee’s thoughts are valued. </p><p>And from that point, the servant leader keeps a continual focus on talent development. “They take folks early in their careers, and think of them as the leaders of the future,” Timmes explains. He approvingly cites one expert’s view that if a manager is not spending at least 25 percent of his or her time developing future leaders, then “you’re really not fulfilling your responsibilities as a leader.” </p><p>The servant leader can enhance this talent development process in several ways. For Barter, one of the keys is to leverage the employees’ strengths. Often, an employee’s highest performance is on tasks they are most passionate about, yet some managers never find this out. “We don’t take the time to ask them—‘What do you really want to do? What really excites you?’” Barter says. </p><p> Another way to enhance the talent development process is to selectively relinquish power, so that employees can lead certain projects and take ownership of initiatives. “Giving up power, and having others lead—that builds confidence in people,” Timmes says. </p><p>This can be tricky for some leaders because they equate leadership with control and they feel they should be responsible for everything. But therein lies a paradox—leaders that are able to let go often find that they are actually in more control, because they have harnessed the resources and talents of their staff, which collectively can guide operations more effectively than one person can, he explains.</p><p>This is a crucial requirement for effective servant leadership, says Falotico. She tells leaders to “get over yourself” and realize that business objectives, whatever they are, will not be reached without sharing the load and responsibility. “You are no longer an individual performer–you are a leader,” she says. “Leaders are enablers. That’s your work.” ​</p><h4>Question Close, Listen Closer</h4><p>If serving staff is the bedrock principle of servant leadership, two core practices toward achieving that goal are close listening and searching questions.  </p><p>Darryl Spivey, a senior faculty member at the Center for Creative Leadership (CCL) who coaches executives on servant leadership, says that asking the right questions is the “secret sauce” of great coaching, and is crucial for servant leaders. CCL is a leadership development institute with offices around the world, including China, Ethiopia, India, Russia, and several U.S. cities.  </p><p>Servant leaders build relationships with staff primarily by listening closely and by asking many questions—on anything from the employee’s background to detailed queries about their assessment of the firm’s business environment, Spivey explains. If an employee is struggling, leaders should ask questions about what might be impeding his or her progress. Even questions about smaller aspects of operations, such as the best use of time during meetings, are helpful. “The message this sends to the individual is that their opinion does matter, and that [leaders] want their feedback,” he says. </p><p>And the emphasis on questions works both ways. Employees should feel comfortable asking the servant leader questions without worrying that the leader will feel badgered, threatened, or implicitly criticized, Spivey says. Such questions help drive the development and growth of the employee. </p><p>Carefully asking questions is related to another crucial practice–listening to understand. This means listening to the employee silently and making an active effort to understand his or her point of view. Even if the leader feels the need to disagree or interject, they will wait until the person is finished speaking. If need be, the leader can briefly summarize what the employee has just expressed, as a way to communicate understanding. </p><p>While this may strike some as merely common courtesy, listening to understand is becoming harder with the rise of technology and the decrease of attention spans, experts say. For example, a leader who keeps the iPhone on the desk, and glances at it repeatedly during conversations, is not listening to understand. ​</p><h4>Encouragement, Humility, Trust </h4><p>Servant leaders can do more than listen to staff: they can encourage them. Indeed, in many ways encouragement is the hallmark expression of a servant leader, and it is a tremendously powerful tool, experts say. </p><p>Whatever the type of interaction with staff, servant leaders are consistent in showing encouragement and humility with an egalitarian attitude. “They don’t think of themselves as any better than anybody else,” Timmes says. In practice, this means that when employees make mistakes, the leader isn’t treating them as children who need to be scolded. “Some say, ‘aren’t you going to sit down and discipline them?’ But that’s not really a good leadership approach,” he explains. </p><p>Instead, the servant leader engages in respectful conversation which demonstrates trust in the employee to make the needed adjustments.</p><p>Trust is both a defining characteristic and defining outcome of servant leadership, says Stephen M.R. Covey, former CEO of the Covey Leadership Center and author of The Speed of Trust. </p><p>To Covey, it’s important to remember that servant leaders are both servants and leaders. “You do serve, but it still requires the other dimensions of leadership–character and competence,” he says. Competence means that the leader has a track record of high ability and achieving results, with skills that are relevant. Character means that results and accomplishments are achieved with integrity and ethics. </p><p>Trust is a prerequisite for servant leaders, because the leaders must trust that the employees are worth serving, and that they, and the organization, will benefit from their service. Practicing servant leadership generates trust in the employees, who may be inspired by their manager’s competence and character and convinced by their manager’s serve-first practice that he or she has their best interests at heart. “Trust is one of the means to achieve servant leadership, and it is also an end that is achieved by servant leadership,” Covey says.   ​ ​​</p> and the Private SectorGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The news media focuses primarily on kidnapping cases involving high-profile targets such as captured journalists and soldiers, high-net-worth individuals, and children. </p><p>However, sensational depictions in film and television have created a popular perception of kidnapping that is often at odds with the reality. Kidnaps-for-ransom happen every day around the world, with rates influenced by geography, conflict, and political, economic, and social issues. Many cases go unreported and unnoticed outside their local setting. </p><p>In some parts of the world, law enforcement and security services are too ineffective to properly guide kidnap victims to a safe resolution. Eager to project strength, and frequently lacking effective training in how to peacefully resolve the situation, security forces often prioritize tactical interventions that may jeopardize the lives of the victims. And, in rare cases, they have been found to be complicit in the kidnapping. </p><p>It is into this space that third-party actors and private sector organizations can step in to offer support and assist in securing the safe release of the victim. Otherwise, absent advisory and duty-of-care structures compound the trauma of the ordeal for victims and their families. Structure provided by experts can help guide financial negotiations, manage family and employer liaisons, and arrange post-incident support, such as counseling or medical care. There may also be jurisdictional conflicts that preclude victims from getting the full support of their home or host country, or governments could simply be unable or unwilling to provide consular or legal support abroad. </p><p>Debunking the common myths surrounding kidnap-for-ransom enables a clear understanding of where there is an opening for private sector engagement and where third-party support is most required. ​</p><h4>The Kidnappers</h4><p>Although there is a common perception that militant groups carry out a large proportion of kidnaps, data from global risk consultancy Control Risks shows that only 14 percent of the kidnapping incidents that took place worldwide last year involved these groups. </p><p>This is despite the concerted kidnapping activity accompanying insecurity in places such as Libya, Iraq, and Syria, attributed particularly to ISIS, as well as renewed kidnapping activity by al Qaeda in the Islamic Maghreb (AQIM) in the Sahel region and the Abu Sayyaf Group in the Philippines.  </p><p>Instead, some 85 percent of the kidnaps recorded this year by Control Risks were perpetrated by criminal elements such as organized networks, small gangs, or individuals. These are not exclusive, with current or former members of militant groups sometimes using their resources to carry out kidnaps-for-ransom purely for personal financial gain.​</p><h4>Targeted Victims</h4><p>Corporate security managers considering their organization’s exposure to kidnap risk at home and overseas often approach the issue with their employees’ specific profile in mind. </p><p>While managers may assume that a foreign or Western employee is more likely to be targeted in higher-risk regions abroad, this is not borne out by Control Risks’ kidnapping data, which shows that 97 percent of all kidnaps last year involved local victims. Furthermore, the professionals or businesspeople among those victims represented 54 different industries and were targeted in 77 different countries, illustrating the pervasiveness of the threat and lack of focus on a limited spectrum of sectors. </p><p>There are local nuances to the way in which kidnappers target victims in every state or province in a given country—the kidnapping group’s capability and the general security environment largely dictate target selection. Kidnappers often take into consideration the victim’s apparent wealth to draw a high ransom, the abduction’s chance of success, and other aspects of the victim’s profile.</p><p><strong>Wealth. </strong>Criminals who make their living from kidnapping want to maximize the income from each abduction. Individuals employed by multinational companies or in high-revenue sectors might attract the attention of kidnappers because they appear to be wealthy in the local context. Kidnappers will make assumptions about a potential victim’s social and economic standing based on simple things, such as material displays of wealth like new vehicles, whether they live in a wealthy suburb, or if their children go to a fee-paying school, for example. </p><p>Alternatively, they may have insider information. A fashion heiress kidnapped in Hong Kong in April 2015, for instance, was targeted after one of the suspects carried out renovations of the property and noticed the presence of luxury cars and goods. In another case in Nigeria in 2015, a large wedding celebration hosted by the victim was enough to prove his financial value to the kidnappers, who abducted him within the month. </p><p><strong>Risk.</strong> Having selected a target, the kidnappers could put the potential victim under surveillance to ascertain any weaknesses in his or her security. The simplest option is always to abduct the victims while they are in the open. Those who have a predictable daily routine are easy to target because the kidnappers know when and where they will be traveling. The daily commute, school run, or other regular travel can give kidnappers a variety of options. </p><p>Control Risks’ data shows that abductions most commonly occur during a routine journey to or from work, school, or home, with 35 percent of all kidnaps in 2016 taking place at this time. In southern Nigeria, for instance, kidnappers frequently strike on Sundays when families travel to and from church services at a regular time and are vulnerable in transit. </p><p>Nevertheless, kidnappers can often be deterred by even rudimentary security provisions. Anything that makes the abduction more difficult may convince them to move on to a new target.  </p><p><strong>Profiling.</strong> In some places, criminally motivated kidnappers are more likely to target local junior or middle management employees than CEOs or foreigners in the corporate context. The calculation is that, while the latter would probably yield a higher ransom, the increased risk of arrest that follows the abduction of a high-profile figure could outweigh the potential financial benefit. </p><p>However, foreign nationals are also often harder to abduct because those present in higher-risk areas generally employ more stringent security precautions and represent a much smaller slice of the population. </p><p>In other regions, usually those prone to militancy, the victim’s unique profile will not act as a deterrent, and foreigners are often the most highly sought captives. Some groups have significant capability to kidnap high-profile victims and, by taking advantage of difficult terrain and ungoverned spaces, can hold them for long periods without fear of arrest while they negotiate a ransom. </p><p>Indeed, for some of these kidnappers, increased attention, both from the government and the media, is part of their motivation to kidnap a high-profile victim for leverage and propaganda purposes.  ​</p><h4>Abduction Locations<img src="/ASIS%20SM%20Callout%20Images/0317%20Feature%204%20Infographic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:610px;" /></h4><p>When preplanning an abduction, kidnappers look for an easy means of escape from the immediate vicinity of the abduction and a viable safe space for the period of captivity. </p><p>The partition of Mali in 2012 and the accompanying establishment of operating space for jihadist groups in the remote northern half of the country, for instance, emboldened and enabled AQIM to significantly ramp up its kidnapping activity. The group and its affiliates operating in the western Sahel have since carried out several high-profile kidnaps of foreign nationals, including in northern Burkina Faso and Niger, within a day’s drive of safe zones in northern Mali. </p><p>The porous border and weak security presence in the area create a permissive climate in which to conduct operations, and afford AQIM and its satellite groups the time and space to plan kidnaps. In 2016 alone, at least three separate kidnaps targeting foreign nationals and launched from northern Mali were attributed to the network, including that of an Australian couple in northern Burkina Faso last January and an American aid worker in Niger in October.  </p><p>In an opportunistic abduction, the targeting process is accelerated. A typical method is to set up a roadblock and screen victims as they drive through. The kidnappers will make snap assumptions about the victims’ wealth based on the car they are driving and whether they have a driver. </p><p>They can then further question the victims and search the vehicle for confirmation of their wealth. Often people will carry some detail of their employment, such as an identity or access card, that might alert the kidnappers to their potential worth. Visibly branded vehicles, particularly in remote or poor areas, indicate that the occupants may have a higher comparative income or that there is a chance their employer would be willing to pay a ransom for their freedom, increasing the risk. </p><p>Opportunistic, ambush-style abductions are particularly common in the eastern provinces of Congo (DRC)—for example. In North Kivu province—home to a plethora of armed groups, including Rwandan rebels, local militias, and army defectors—almost all kidnaps take place at improvised roadblocks and fake checkpoints, and they frequently target convoys of vehicles. More than half of all kidnaps recorded in Congo take place in the province. Many target nongovernmental organizations and other organizations with projects in the hinterland, including construction and telecommunications firms. ​</p><h4>The Ransom</h4><p>While a ransom is not limited to a financial payment to release the victims, financial demands are most commonly made to the victims’ families or employers and can also extend to the victims’ national government or the victims themselves. </p><p>The type of ransom sought can vary greatly depending on the kidnapper’s profile—for example, militant groups often take hostages with the intention of trading them for group members in custody in a prisoner exchange. They have also been known to make other demands, such as a cessation of drone strikes or the withdrawal of enemy troops. </p><p>In a January 2016 hostage video featuring a Swiss missionary kid­napped from her residence in Timbuktu, for example, an al Qaeda–linked group specifically demanded the release of Ahmad al-Faqi al-Hadi, a militant on trial at the international criminal court in Brussels for ordering the destruction of ancient monuments and shrines in the city during its occupation by Islamist militants in 2012. Other armed groups routinely include in their demands materials useful for their future operations, such as satellite telephones, foodstuffs, vehicles, and weapons. </p><p>Sometimes less-straightforward concessions are demanded. Kidnapping is occasionally used as a last resort in cases of industrial action or as a result of a personal, business, or criminal dispute in which one party is kidnapped to compel them to pay a debt or agree to some stipulation for their release. </p><p>Control Risks has recorded several cases in Asia where kidnap is used to apply pressure on a company or vendor; these often revolve around contracting. In one 2013 case in India, for example, employees of a company kidnapped a junior staff member at another company to compel his employer to pay them money that was unforthcoming but contractually owed. </p><p>In China, the kidnap or detention of executives is a relatively common way for employees to extract concessions from their employers during labor unrest or disputes. In one such case in 2013, Chinese factory workers held their U.S. manager for five days amid a dispute over severance pay.​</p><h4>Express and Virtual Kidnappings</h4><p>Classic kidnap-for-ransom is not the only crime that companies or security managers need to consider when thinking about risks to their staff, nor is it the sole extortive crime covered by insurance policies. New forms of extortive crime have accompanied the advent of new technology. These include cyber extortion, virtual kid­napping, and express kidnapping. </p><p>Virtual kidnapping is the name given to a form of extortion that emerged in Latin America in 2004 and has since spread to many parts of the world. Notably, it has become increasingly common in Asia, particularly China.</p><p>In a virtual kidnap, a criminal typically contacts a family and claims to have abducted one of their loved ones. The criminal threatens to harm or kill the victim if a ransom is not paid. In fact, the supposed victim of a virtual kidnap is never actually held captive, but may have been forced to cooperate with the criminals or may be completely unaware of the incident. </p><p>In many cases in Mexico, the alleged kidnap victims are contacted by the extortionists and forced to isolate themselves by checking into a hotel or another location, and remaining there until told to leave. </p><p>In most countries, the crime affects local nationals, but in Latin America, particularly in Mexico, Spanish-speaking business travelers are in­creasingly falling victim to the crime. Knowledge of the prevalence of this crime, and adequate preparation and training for employees who travel to areas where it is common, are crucial to mitigating the financial risk to both the individual and the company. </p><p>Express kidnapping generally involves the abduction of a victim who is forced, under threat of injury or death, to withdraw funds from ATMs. It is generally opportunistic and carried out by individuals or small, dedicated, and well-organized gangs that are often armed. </p><p>In Mexico, for example, they frequently use taxis to carry out kidnaps, posing as taxi drivers to rob the passenger. The average gain made by an express kidnapper is relatively small and the duration of captivity is generally between two and four hours. Kidnappers are attracted to express kidnapping because it allows them to avoid protracted negotiations with the victims’ families, involves little risk, and is a quick way of making money. </p><p>Foreign nationals are a favored target for express kidnappers because of their presumed wealth and the assumption that they are less likely to remain in the area during a police investigation or be able to identify the offenders. In countries like Brazil, Ecuador, and Tanzania, express kidnapping has overtaken traditional kidnapping-for-ransom. ​</p><h4>Response and Insurance </h4><p>Most reputable insurance companies that offer kidnap-for-ransom insurance have an exclusive partnership with a specialist response firm, guaranteeing their clients immediate access to expert consultants and advice in a crisis incident. </p><p>Although insurance companies offering kidnap-for-ransom coverage and private response companies have been working hand-in-hand for decades, the confidentiality inherent in the business precludes transparency around the specifics of the insurers’ role and the services the responders provide. </p><p>Good responders are defined by their independence and are trusted by their insurance partner to work towards the best possible outcome in each kidnap: the safe and timely release of the victim. It is imperative that the insurer maintains a reputation as a reliable provider, further incentivizing the safe release of a victim or successful resolution of the case. The role of the insurer should simply be to reimburse costs and expenses the responder incurs during the process of supporting and advising the policyholder. Kidnap-for-ransom policies sold by leading insurers can also include coverage for extortion, threats, missing persons, and wrongful detention cases.  </p><p>Experienced responders can provide invaluable support to the victims, their families, and their employers, particularly in places where law enforcement and crisis management institutions are unequipped or under-resourced. Above all, the private responder has an obligation to respect the wishes of the victim, their family, or the employer, and a duty to provide them with the best possible advice and course of action. The client is free to take or ignore that advice and is always the final decision maker. Responsible responders will never act unilaterally outside the course of action agreed with the client, or outside the law. </p><p>Kidnap-for-ransom is not confined to the world’s most dangerous locations or perpetrated principally by jihadis or guerrillas, nor does it predominantly target those wealthy enough to pay a large ransom. </p><p>The crime is constantly evolving and adapting to the changing security environment, and security professionals must understand the nuances and risks involved for all forms of kidnap and extortive crime to practice successful mitigation.   ​</p><p>--<br></p><p><em>Sebastian Boe is a special risks analyst responsible for conducting research and analysis on kidnapping and extortion trends in Africa within Control Risks’ Response department. ​</em></p> on EmptyGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​In this age of overload, with organizations trying to do more with less, employees buried in information, and devices that call for round-the-clock urgency, burnout is a malady ripe for our times. Burnout can strike even the most productive workers and the most consistent performers, as well as those who seem to have the greatest capacity for hard work, experts say. </p><p>One reason burnout is such a pernicious problem is that it does not have to be total for its effects to be devastating.</p><p>“Burnout tends to plateau rather than peak,” says Paula Davis-Laack, specialist in burnout prevention programs, founder and CEO of the Stress and Resilience Institute, and author of Addicted To Busy: Your Blueprint for Burnout Prevention. “Burnout exists on a continuum. You don’t have to be completely mentally broken down and barely able to get out of bed to feel major effects.”</p><p>In other words, employees suffering mid-level burnout may still be able to power through and complete an adequate amount of work by sheer force of will, but their partially depleted state greatly hinders their performance and productivity, and it keeps them from realizing their full potential. </p><p>“That can go on for months, or even years, depending on the person’s work ethic,” says management expert Brady Wilson, cofounder of Juice Inc. and author of Beyond Engagement and other business performance books. </p><p>In a field like security, workers can be especially vulnerable to burnout, given the continual pressure and stress that go into protecting people and assets, and the high stakes involved if a breach does occur. </p><p>“Constant job pressure, especially when some of the factors are out of your control like they are with security, is definitely one of the causes of burnout in employees,” says Carlos Morales, vice president of global sales, engineering, and operations at Arbor Networks, which specializes in network security. </p><p>The consequences of burnout are varied; in some cases, they involve serious health issues. Davis-Laack, who became a specialist in the field after burning out as a practicing attorney, says she experienced weekly panic attacks and a few stomachaches that were so painful they sent her to the emergency room. Coronary disease, depression, and alcohol abuse are other possible consequences. </p><p>For the employer, burnout can significantly compromise workplace quality, causing more absenteeism, turnover, accident risk, and cynicism, while lowering morale and commitment and reducing willingness among workers to help others.</p><p>Fortunately, in many cases burnout can either be avoided, with deft management and a supportive organization, or significantly alleviated using various strategic methods. But like most maladies, it must be understood before it can be properly addressed. ​</p><h4>Symptoms and Conditions</h4><p>Burnout occurs when the demands people face on the job outstrip the resources they possess to meet them. Psychologists who study burnout as a condition divide it into it three dimensions: exhaustion, depersonalization, and reduced personal accomplishment.</p><p>When the first aspect—exhaustion—hits, the employee may feel emotionally, physically, and cognitively depleted. This often spurs feelings of diminished powers; challenges that were formerly manageable can seem insurmountable. As Davis-Laack describes her own experience of this condition: “Every curveball seems like a crisis.”</p><p>When depersonalization occurs, an employee may start to feel alienated from his or her own job, and more cynical and resentful toward the organization. Work and its mission lose meaning; feelings of going-through-the-motions increase. Detached and numb, the employee tries to plow ahead. </p><p>Exhaustion and depersonalization often combine to produce the third component of reduced personal accomplishment. As Wilson explains, the depleted employee possesses considerably less “executive function,” or the ability to focus, self-regulate, connect the dots between ideas, strategize, analyze, execute smoothly, and follow through—all of which can be thought of as “the power tools of innovation.” </p><p>“Nuanced thinking and value-added thinking are the first to go when employees are exhausted,” he says. “Instead, they rely on duct-tape fixes, reactivity, firefighting. They don’t get to the root causes of problems and issues.” </p><p>The state of mind that burnout can elicit sometimes leads to self-blame, where the employee feels that he or she is professionally inadequate. But that is unfair, says Davis-Laack: “I don’t want individual workers to feel that it’s all their fault.” </p><p>The root causes of burnout, she explains, are usually a product of what employees bring to the table—work ethic, how closely they tie work to self-worth, their level of perfectionism—and how the organization itself functions, which can be an important factor. </p><p>Understanding key organizational conditions, experts say, will help managers maintain a culture that protects employees from burning out. One of these conditions involves what the organization chooses to reward. </p><p>Wilson explains this as follows. For many years, many organizations stressed the importance of keeping employees engaged. But the definition of engagement has shifted, so that many firms now define engaged workers as those with clear dedication and commitment, who come to work early and stay late. “What’s missing from this definition is passion, enthusiasm, verve, and spirit,” he says. </p><p>When engagement is so defined, increased effort, such as working more hours and taking on more projects, is rewarded. But simply increasing hours at the office does not produce high performance, Wilson says. </p><p>“We get our epiphanies in the shower—we don’t get them when we are determined and gritting our teeth around a board room table. It’s not effort that produces brilliance, it’s energy,” he explains. But sometimes, the more-rewards-for-more-work philosophy can function as an unintentional incentive to burn out.</p><p>The organization’s day-to-day working conditions are also a crucial here. Research has found that two factors can be deadly in sapping an employee’s resources, according to Davis-Laack. </p><p>One is role conflict and ambiguity, which can occur when employees are never clear on exactly what is expected of them, and on what part they should be playing in active projects. “That’s very wearing on people,” she says. </p><p>Another is unfairness, which is often related to office politics. This can include favoritism, failure to recognize contributions, being undermined, or dealing with the demands of never-satisfied supervisors.</p><p>Such stressful conditions push some employees into “gas guzzling” energy mode, because they require so much emotional effort just to cope with them, Wilson says. </p><p>“Substances generated by stress, such as cortisol and adrenaline, have a beautiful utilitarian use—to get us out of trouble, to keep us safe,” he explains. “But we are not as productive when we have a brain that is bathed in those things day in and day out.”  ​</p><h4>Detection</h4><p>Although it is vital for managers to strive to maintain a positive office culture, it’s also important to recognize that burnout can happen even in the healthiest of environments. Given this, Morales encourages attempts at early detection.  </p><p>“As a manager or executive, it is important to first note the factors that tend to cause burnout even before employees begin to show signs,” he says. “This gives you the opportunity to address issues proactively with employees.” </p><p>These factors, he explains, include a very travel-heavy schedule (50 percent or more of total work time); consistently logging work weeks of 60-plus hours; unrelenting expectations of working off-hours and on weekends; and constant deadline time pressure. </p><p>But since early detection is not always successful or even possible in some cases, managers should also be looking for common signs of burnout that their employees might be exhibiting. Morales advises security managers to look for combinations of the following characteristics that are different from usual behaviors:</p><ul><li><p> General lack of energy and enthusiasm around job functions and projects.<br></p></li><li><p> Extreme sensitivity and irritability towards coworkers, management, and work situations.<br></p></li><li><p> Constant signs of stress and anxiety.<br></p></li><li><p>Significant changes in social patterns with coworkers.<br></p></li><li><p>Sharp drop in quantity and timeliness of output.​<br></p></li></ul><p>When looking for signs of burnout, it’s important for a manager to have a high degree of familiarity with the employee in question, a familiarity which is a byproduct of a strong manager-staff relationship. </p><p>“You’ve got to know your people,” Davis-Laack says. “When someone seems more checked out and disengaged than usual, if you know your people well enough, you can spot it.” ​</p><h4>Treatment</h4><p>When it becomes clear that an employee is suffering from burnout, managers have several options for treatment and alleviation, experts say. Morales says he believes that managers must first come to an understanding of the underlying factors, so that they can be addressed.   </p><p>“If there is a workload issue, a manager may be able to spread out the workload with other workers to alleviate the issue,” he says. “It’s important to let the employees know that this is being done to gain more scale, and to reinforce that they are doing a good job.”</p><p>Indeed, crushing workloads are now common in many workplaces, experts say, as many companies are actively cost cutting while attempting to raise productivity and output. And for employees who work with data, such as security employees who use analytics, benchmarks, or some form of metrics, the information explosion is requiring more and more staff hours to keep up with the processing and analysis. Managers must be cognizant of this, Davis-Laack says. </p><p>“If you do nothing but pile work on people—well, people are not robots and they are not computers. They are going to wear out,” she explains.</p><p>To combat this, managers should employ a strategic and honest operations analysis, she advises. The department may be generating more output with increasing workloads, but burnout and turnover risk is also increasing, as is the likelihood of costly mistakes. Is it worth the risk? Hiring additional help or outsourcing some tasks may be cheaper in the long run than the costs due to turnover and errors. </p><p>When a department conducts a strategic review of operations, the focus is often on fixing glitches in process, experts say. A focus on reducing workload is less common, but when it is adopted, it often reveals that certain time-consuming tasks are unnecessary.</p><p>If the burnout is caused by a stressful job function, such as a security position in which the worker is protecting assets of great value, the manager can discuss the situation with the employee and ensure that support is available, Morales says. “This may help them feel less alone or helpless in situations,” he says.   </p><p>Another key strategy for managers is to add extra focus and energy to the resources part of the puzzle, Davis-Laack says. “Help them to build up their energy bank account, so they are not always feeling depleted.” </p><p>She offers five ways for managers to do so:  </p><ul><li><p> Maintain and ensure high-quality relationships between managers and staff members, and between team members themselves. This fosters a healthy and safe environment where problems can be discussed and addressed.  <br></p></li><li><p> Whenever possible, give team members some decision authority. This gives them a sense of autonomy and strength when dealing with issues, and helps avoid feelings of powerlessness. <br></p></li><li><p> Follow the FAST system of respectful feedback—give frequent, accurate, specific, and timely feedback. This helps employees make tweaks and adjustments, and lets them know they are on the right course.  <br></p></li><li><p> Demonstrate that you have the employees’ backs, and always be willing to go to bat for them. Don’t point fingers or complain to higher ups when mistakes are made. This is crucial in building trust.  <br></p></li><li><p> Identify and encourage skills that will help your team members build resilience. These will vary depending on the specific job and situation, but include any skill or resource that can be used when challenges arise, as well as those that help manage stress.  ​<br></p></li></ul><p>In working toward the previous point, managers may want to brainstorm with staff to find ways to make everyone more resourceful. For instance, managers could periodically check in with staff members to determine the team’s overall level of resources, so they can replenish them when they’re low.</p><p>Indeed, soliciting solutions from staff is an excellent practice for managers, because it shows they are partnering with employees, not parenting them, Wilson says. The parenting style of management assumes that the manager has knowledge that the worker will never have, and it sets up the employee for helplessness. The partnering style cultivates the employees’ decision-making skills, so they can skillfully meet their own needs. ​</p><h4>Touchy Subject</h4><p>Burnout can be a sensitive subject. Some workers attach great self-worth to their productivity and performance, and do not like to concede that they are struggling. </p><p>“It is very difficult for some high performers to admit that their engagement is lacking. There’s a sense of judgment associated with that,” Wilson says. </p><p>Some of these workers truly are burned out despite their failure to admit it, and they may be in a precarious state. “I have seen cases where the hardest and most productive workers will not admit to burnout,” Morales says. “In these situations, burnout occurs quite suddenly, without many of the behavioral warning signs.”</p><p>Other employees fear that admitting burnout is disclosing a weakness, one that could prevent them from future promotions or ultimately cost them their job. “They like their work and they don’t want to change jobs, or </p><p>they can’t change jobs because they have monetary obligations,” Davis-Laack says. </p><p>Here, management can go a long way by being proactive and soliciting feedback from workers regarding their state of mind. “It’s important to have regular discussions with employees about the impact of the workload on them personally, and give them every opportunity to talk through their situation, and vent if necessary,” Morales says. “It’s important for management to recognize the potential for burnout and approach employees proactively to discuss it. It provides employees a safe environment in which to talk through the situation.”</p><p>In these situations, a manager can approach an employee with a proactive goal—how can workload and workplace environment be shaped so that the employee is energized in the office, and still has energy left at the end of the day and on weekends for a life outside of work, Wilson explains.  </p><p>Using this framework, Wilson adds that it is often easier for the manager to then ask, “What’s getting in the way of that? Is it bureaucratic interference? Is there too much on your plate? Is there bullying going on, or other workplace environment problems?”  ​</p><h4>More Recognition</h4><p>But while burnout is still a sensitive subject among some workers, there is also a growing recognition that it is a serious issue that needs to be dealt with, experts say. This may be partly driven by recent research in fields like healthcare and finance, where findings suggest that burnout and overwork are causing costly mistakes that are detrimental to a company’s bottom line. </p><p>Moreover, more business leaders see that the problem, if left unchecked, will just get worse in the future, due to factors such as globalization and a web of technology that is becoming more and more complex. “The perfect storm is upon us,” Wilson says.</p><p>Davis-Laack says she is heartened by the fact that the burnout issue, which was frequently dismissed as too “soft” to be a subject at business conferences, is appearing on more agendas. </p><p>“It’s finally starting to get attention across different professions and different sectors,” she says. “Managers are taking it more seriously.” ​​</p> Lichtenstein Leaves ASIS, Offers Insights on TrumpGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>At this, the end of my 22 years as staff executive for ASIS International’s legislative and public policy work, I have been asked to provide some insights into the political near-future of security.   </p><p>These are unnerving times. Rarely has there been such uncertainty about America’s direction at home and abroad as there is at the end of 2016.  All this is in the face of mounting threats to our security and to that of our friends.</p><p>Eventually, Americans will sort it out; they always have. But there are dangers. The sorting may be long and uncertain.  And uncertainty is not the friend of security. Security requires planning, analysis, and agility, none of which can be done well in an environment filled with unknowns. Security is the antithesis of politics, which tends to be careless and messy in democracies. </p><p>The new American administration will be led by a man without credentials in government, who has pledged to change how Washington works. He was elected not as much to keep America secure but because so many Americans feel alienated from their own political and governmental institutions. They see their standard of living in decline; they sense that they have been overlooked, even disdained. More than anything, that explains the election of Donald Trump.</p><p>Trump seems to espouse two overarching themes, both recurring repeatedly in his pronouncements and appointments. One is to restore the U.S. economy to a position of world leadership. The other is to keep America and Americans secure.</p><p>The president has tools to invigorate the economy. His early aims will include accelerating job creation via infrastructure programs and tax and regulatory relief. Nearly all avenues will be aimed at job creation in the United States, despite many economic factors that are out of his control.</p><p>Security is more manageable by the White House, a result not only of presidential control of the bureaucracy but of strong (some would say excessive) executive actions in the form of Presidential Directives issued by the George W. Bush and Barack Obama administrations.</p><p>It is too early to tell which of Trump’s positions—many of which have been incomplete, infeasible, or conflicting—will find their way into practice. But I offer the following recommendations based on what is possible and likely:</p><p>• Pay attention to what he does, not what he says. Trump is known for impromptu statements, which get attention but are not always useful to understanding.</p><p>• Expect emphasis to be on U.S. domestic issues during the first two years. Trump will enjoy a Republican majority in Congress for that long, which he will need to get his domestic agenda passed. He is most comfortable with economic and infrastructure issues, including job creation. He knows he was elected by Americans who want first to restore their country’s economic vitality.</p><p>• “The Wall” is a metaphor, but border security will be real. U. S. Department of Homeland Security selectee and retired U.S. Marine Corps General John F. Kelly commanded the U.S. Southern Command. He understands border issues and security and will be charged with assessing vulnerabilities and determining the right combinations of physical, technological, and personnel means for dramatically reducing illegal immigration.</p><p>• In other matters of security, America will continue to be a reliable ally if for no other reason than that conflict disrupts growth. Trump will expect U.S. allies to invest heavily in their own security. This means that there will be more spending on prevention and response programs, but also avoidance of political positions, for example immigration policies, that lay bare their vulnerabilities.</p><p>• Finally, in any dealings between the United States and other countries, America must emerge a winner. That does not mean the only winner; there can be many. But the United States will not be a loser. As those familiar with Trump’s pronouncements know so well, he abhors the very thought of being a loser.</p><p>As I move on to new professional challenges, I believe more than ever that government relations is an essential role for security professionals. Its aim must be creation and maintenance of effective public-private partnerships in security. This should be part of the mission not only of ASIS but of every ASIS chapter in every country.</p><p>The people of democracies expect those overseeing government and corporate security to coordinate in the public interest. Failure to do so is unacceptable. It not only weakens security, it leaves private practitioners exposed to needless government oversight and overreaction when politicians respond, as they will, to security failures that are sometimes unforeseeable.</p><p>I thank the membership of ASIS International for the privileges of being their counsel and representing their interests these many years. Few pursuits are more vital, and few professions more important. </p><p>--<br></p><p><em>Jack Lichtenstein, former vice president, ASIS Government Affairs and Public Policy ​</em></p> Virtual LineupGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​U.S. State and federal agencies are amassing databases of American citizens’ fingerprints and images. The programs were largely under the public radar until a governmental watchdog organization conducted an audit on them. The so-called “virtual lineups” include two FBI programs that use facial recognition technology to search a database containing 64 million images and fingerprints.</p><p>In May 2016, the U.S. Government Accountability Office (GAO) released Face Recognition Technology: FBI Should Better Ensure Privacy and Accuracy, a report on the FBI programs. Since 1999, the FBI has been using the Integrated Automated Fingerprint Identification System (IAFIS), which digitized the fingerprints of arrestees. In 2010, a $1.2 billion project began that would replace IAFIS with Next Generation Identification (NGI), a program that would include both fingerprint data and facial recognition technology using the Interstate Photo System (IPS). The FBI began a pilot version of the NGI-IPS program in 2011, and it became fully operational in April 2015. </p><p>The NGI-IPS draws most of its photos from some 18,000 federal, state, and local law enforcement entities, and consists of two categories: criminal and civil identities. More than 80 percent of the photos are criminal—obtained during an arrest—while the rest are civil and include photos from driver’s licenses, security clearances, and other photo-based civil applications. The FBI, which is the only agency able to directly access the NGI-IPS, can use facial recognition technology to support active criminal investigations by searching the database and finding potential matches to the image of a suspected criminal. </p><p>Diana Maurer, the director of justice and law enforcement issues on the homeland security and justice team at GAO, explains to Security Management that the FBI can conduct a search for an active investigation based on images from a variety of sources—camera footage of a bank robber, for example. Officials input the image to the NGI-IPS, and the facial recognition software will return as many as 50 possible matches. The results are investigative leads, the report notes, and cannot be used to charge an individual with a crime. A year ago, the FBI began to allow seven states—Arkansas, Florida, Maine, Maryland, Michigan, New Mexico, and Texas—to submit photos to be run through the NGI-IPS. The FBI is working with eight additional states to grant them access, and another 24 states have expressed interest in using the database.</p><p>“The fingerprints and images are all one package of information,” Maurer says. “If you’ve been arrested, you can assume that you’re in, at a minimum, the fingerprint database. You may or may not be in the facial recognition database, because different states have different levels of cooperation with the FBI on the facial images.”</p><p>The FBI has a second, internal investigative tool called Facial Analysis, Comparison, and Evaluation (FACE) Services. The more extensive program runs similar automated searches using NGI-IPS as well as external partners’ face recognition systems that contain primarily civil photos from state and federal government databases, such as driver’s license photos and visa applicant photos. </p><p>“The total number of face photos available in all searchable repositories is over 411 million, and the FBI is interested in adding additional federal and state face recognition systems to their search capabilities,” the GAO report notes.</p><p>Maurer, who authored the GAO report, says researchers found a number of privacy, transparency, and accuracy concerns over the two programs. Under federal privacy laws, agencies must publish a Systems of Records Notice (SORN) or Privacy Impact Assessments (PIAs) in the Federal Register identifying the categories of individuals whose information is being collected. Maurer notes that the information on such regulations is “typically very wonky and very detailed” and is “not something the general public is likely aware of, but it’s certainly something that people who are active in the privacy and transparency worlds are aware of.” </p><p>GAO found that the FBI did not issue timely or accurate SORNs or PIAs for its two facial recognition programs. In 2008, the FBI published a PIA of its plans for NGI-IPS but didn’t update the assessment after the program underwent significant changes during the pilot phase—including the significant addition of facial recognition services. Additionally, the FBI did not release a PIA for FACE Services until May 2015—three years after the program began. </p><p>“We were very concerned that the Department of Justice didn’t issue the required SORN or PIA until after FBI started using the facial recognition technology for real world work,” Maurer notes. </p><p>Maurer says the U.S. Department of Justice (DOJ)—which oversees the FBI—disagreed with the GAO’s concerns over the notifications. Officials say the programs didn’t need PIAs until they became fully operational, but the GAO report noted that the FBI conducted more than 20,000 investigative searches during the three-year pilot phase of the NGI-IPS program. </p><p>“The DOJ felt the earlier version of the PIA was sufficient, but we said it didn’t mention facial recognition technology at all,” Maurer notes. </p><p>Similarly, the DOJ did not publish a SORN that addressed the collection of citizens’ photos for facial recognition capabilities until GAO completed its review. Even though the facial recognition component of NGI-IPS has been in use since 2011, the DOJ said the existing version of the SORN—the 1999 version that addressed only legacy fingerprint collection activities—was sufficient. </p><p>“Throughout this period, the agency collected and maintained personal information for these capabilities without the required explanation of what information it is collecting or how it is used,” the GAO report states.</p><p>It wasn’t until May 2016—after the DOJ received the GAO draft report—that an updated SORN was published, Maurer notes. “So they did it very late in the game, and the bottom line for both programs is the same: they did not issue the SORNs until after both of those systems were being used for real world investigations,” Maurer explains. </p><p>In the United States, there are no federally mandated repercussions for skirting privacy laws, Maurer says. “The penalty that they will continue to pay is public transparency and scrutiny. The public has very legitimate questions about DOJ and FBI’s commitment to protecting the privacy of people in their use of facial recognition technology.”</p><p>Another concern the GAO identified is the lack of oversight or audits for using facial recognition services in active investigations. The FBI has not completed an audit on the effectiveness of the NGI-IPS because it says the program has not been fully operational long enough. As with the PIA and SORN disagreements, the FBI says the NGI-IPS has only been fully operational since it completed pilot testing in April 2015, while the GAO notes that parts of the system have been used in investigations since the pilot program began in 2011. </p><p>The FBI faces a different problem when it comes to auditing its FACE Services databases. Since FACE Services uses up to 18 different databases, the FBI does not have the primary authority or obligation to audit the external databases—the responsibility lies with the owners of the databases, DOJ officials stated. “We understand the FBI may not have authority to audit the maintenance or operation of databases owned and managed by other agencies,” the report notes. “However, the FBI does have a responsibility to oversee the use of the information by its employees.” </p><p>Audits and operational testing on the face recognition technology are all the more important because the FBI has conducted limited assessments on the accuracy of the searches, Maurer notes. FBI requires the NGI-IPS to return a correct match of an existing person at least 85 percent of the time, which was met during initial testing. However, Maurer points out that this detection rate was based on a list of 50 photos returned by the system, when sometimes investigators may request fewer results. Additionally, the FBI’s testing database contained 926,000 photos, while NGI-IPS contains about 30 million photos.</p><p>“Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists—specifically between two and 50 photos,” the report states. “FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes.” </p><p>Maurer notes that the GAO recommendation to conduct more extensive operational tests for accuracy in real-world situations was the only recommendation the FBI agreed with fully. “It’s a start,” she says. </p><p>The FBI also has not tested the false positive rate—how often NGI-IPS searches erroneously match a person to the database. Because the results are not intended to serve as positive identifications, just investigative leads, the false positive rates are not relevant, FBI officials stated.</p><p>“There was one thing they seemed to miss,” Maurer says. “The FBI kept saying, ‘if it’s a false positive, what’s the harm? We’re just investigating someone, they’re cleared right away.’ From our perspective, the FBI shows up at your home or place of business, thinks you’re a terrorist or a bank robber, that could have a really significant impact on people’s lives, and that’s why it’s important to make sure this is accurate.”</p><p>The GAO report notes that the collection of Americans’ biometric information combined with facial recognition technology will continue to grow both at the federal investigative level as well as in state and local police departments.</p><p>“Even though we definitely had some concerns about the accuracy of these systems and the protections they have in place to ensure the privacy of the individuals who are included in these searches, we do recognize that this is an important tool for law enforcement in helping solve cases,” Maurer says. “We just want to make sure it’s done in a way that protects people’s privacy, and that these searches are done accurately.”</p><p>This type of technology isn’t just limited to law enforcement, according to Bloomberg’s Hello World video series. A new Russian app, FindFace, by NTechLab allows its users to photograph anyone they come across and learn their identity. Like the FBI databases, the app uses facial recognition technology to search a popular Russian social network and other public sources with a 70 percent accuracy rate—the creators of the app boast a database with 1 billion photographs. Moscow officials are currently working with FindFace to integrate the city’s 150,000 surveillance cameras into the existing database to help solve criminal investigations. But privacy advocates are raising concerns about other ways the technology could be used. For example, a user could learn the identity of a stranger on the street and later contact that person. And retailers and advertisers have already expressed interest in using FindFace to target shoppers with ads or sales based on their interests. </p><p>  Whether it’s a complete shutdown to Internet access or careful monitoring of potentially dangerous content, countries and companies around the world are taking advantage of the possibilities—and power—inherent in controlling what citizens see online. As criminals and extremists move their activities from land and sea to technology, governments must figure out how to counter digital warfare while simultaneously respecting and protecting citizens’ basic human right to Internet access.​ ​</p> One at the WheelGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Jeffrey Zients, director of the U.S. National Economic Council, has some advice for workers who are worn out by their daily car commute: simply take your hands off the wheel and turn your attention to something other than driving. “Your commute becomes restful or productive, instead of frustrating and exhausting,” Zients said at a recent press conference.</p><p>Of course, Zients’ vision assumes that the commuter is in a driverless car—or in industry parlance, a highly automated vehicle (HAV). A few months ago, the development of such driverless cars received a jumpstart from U.S. officials, who released new guidelines for operating the vehicles while promoting the government’s position that American highways will be safer when more cars are machine-driven. </p><p>“Too many people die on our roads—35,200 last year alone–with 94 percent of those the result of human error or choice. Automated vehicles have the potential to save tens of thousands of lives each year,” U.S. President Barack Obama wrote in a Pittsburgh Post-Gazette op-ed article about the new guidelines. “And right now, for too many senior citizens and Americans with disabilities, driving isn’t an option. Automated vehicles could change their lives.”</p><p>Global consulting firm McKinsey & Company has predicted that consumers will begin to adopt driverless cars starting in 2020—and that their popularity will overtake conventional cars by 2050. </p><p>But not everyone shares the government’s rosy view about these developments. In some quarters, security and safety concerns about driverless cars abound. Those that are concerned argue that the cars themselves, and the roads they will drive on, will both be too vulnerable once automated vehicles become more common.  </p><p>Despite these concerns, industry is speeding forward, and carmakers are vying to enter the driverless car market first. Tesla has already sold tens of thousands of cars with a self-driving feature known as Autopilot. The company says it aims to be the first to put a fully driverless car on the road, although it hasn’t set a specific date. </p><p>Both the Ford Motor Company and Nissan have said they plan to release driverless car models within the next five years. Driverless taxis may come sooner. General Motors Company, working with taxi service startup company Lyft, said it plans to start testing a fleet of driverless taxis soon. </p><p>Internationally, the NuTonomy company has said it will provide self-driving taxi services in Singapore by 2018, and expand to 10 cities around the world by 2020. And Nissan expects to release a feature called SuperCruise that will allow for hands-free highway driving. </p><p>Given this frenzy of market activity, Zients and U.S. Secretary of Transportation Anthony Foxx released the new U.S. federal guidelines at a press conference last September. The guidelines represent best practice guidance rather than rulemaking, and they outline the government’s expectations in terms of safety and how the new technologies should be regulated. </p><p>The guidelines are broken up into four main areas. The first part is a 15-point safety standard for the design and development of autonomous vehicles. The second part is guidance for states developing their own driverless car policies. The third consists of information on how current regulations can be applied to driverless cars. The fourth is a discussion of specific new regulatory tools and authorities that transportation officials believe might be needed for proper development of driverless cars.</p><p>The safety standards address questions such as: How will driverless cars react if their technology fails? How will occupants be protected in crashes? What measures should be put in place to preserve passenger privacy? </p><p>Also included is guidance on how automakers should approach cybersecurity issues in driverless vehicles. U.S. federal officials encourage carmakers “to design their HAV systems following established best practices for cyber physical vehicle systems.” The guidance calls on manufacturers to use best practice principles published by U.S. agencies and organizations, such as the National Institute for Standards and Technology, the Alliance of Automobile Manufacturers, and the Automotive Information Sharing and Analysis Center.</p><p>“The identification, protection, detection, response, and recovery functions should be used to enable risk management decisions, address risks and threats, and enable quick response to and learning from cybersecurity events,” the guidance reads. </p><p>The guidance adds, however, that “this is an evolving area and more research is necessary before proposing a regulatory standard.” And the view that more research is necessary is shared by many, including those who argue that driverless cars have a long way to go before security and safety concerns are satisfied. </p><p>Cybersecurity is the biggest concern for companies now evaluating risk in the developing driverless car industry, according to a recent survey conducted by Munich Re, the German reinsurance and risk management firm. </p><p>In the study, 55 percent of corporate risk managers surveyed named cybersecurity as their top concern regarding driverless cars. In the cybersecurity category, respondents said they believed the greatest threats were auto theft by an unknown individual hacking into and overtaking vehicle data systems (42 percent) and the failure of smart road infrastructure technologies (36 percent).</p><p>Researchers have demonstrated how a hacker can remotely take over the brakes, engine, or other components of a standard car. The attack surface for a driverless car is even larger, experts say, because it contains extra computers, sensors, and more extensive Internet connectivity.</p><p>There are also security and safety concerns regarding the roads that the driverless cars will travel on, says Howard Jennings, managing director of Mobility Lab, a transportation research firm. </p><p>Early testing shows that driverless cars will be able to drive with less space between them compared with conventional cars. But in areas that are meant to be village-type developments with many pedestrians, and with densely packed cars driving down narrow streets, this feature could create safety hazards. “We could have an unintended consequence here,” Jennings says.</p><p>Related to this issue is what some call the Waze effect, named after the community-based traffic application. When suggesting alternate routes, the Waze app sometimes sends many drivers down the same small street, causing logjams on narrow roads. Driverless cars could wind up doing this as well.</p><p>Finally, Jennings says that people make transportation choices based partially on the “hassle factor”—they take public transportation downtown because they think parking will be a problem, for example. If driverless cars make car commuting less stressful and take the hassle out of parking, many people may choose them over public transportation. This could put a huge unanticipated strain on road networks, causing infrastructure safety issues due to overuse.   </p><p>Finally, some fear that these significant concerns are not being addressed quickly enough, given that driverless cars for consumer purchase may be only a few years down the road.  </p><p>“It’s no longer a matter of if, but rather when the time will come for the widescale adoption of automated vehicles,” said Munich Re President and CEO Tony Kuczinski when the survey was issued. “The timeline for adoption may be sooner than many realize.” ​ </p> News February 2017GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​CAMPUS SURVEILLANCE</h4><p>Two universities in Utah partnered with Stone Security to upgrade their existing surveillance systems. Utah State University and Salt Lake Community College both had standalone analog systems with few cameras that could be monitored from only one location. Both schools chose to implement open platform, IP-based solutions built with Milestone XProtect VMS and network cameras from Axis Communications. Axis encoders integrate older analog cameras into the system, allowing the schools to continue using them.</p><p>Utah State University has campuses in every county in the state, and nine of those locations are integrated with the Milestone system. Video data is fed to the main campus in Logan, Utah.</p><p>Better video monitoring has improved coordination with campus police, reducing the time for incident response, as well as mitigating theft in the campus bookstores. The video system has also been leveraged to include watching over livestock in an animal science department, so researchers can respond when a birth is imminent, for example. Another innovative way officials are using the video is to prioritize snow removal based on the accumulations seen in the images.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>ADT announced a new affiliation with MetLife Auto & Home for small business customers in New Jersey and California.</p><p>Dell EMC chose BlueTalon to deliver data security and governance for the newly announced Dell EMC Analytic Insights Module. </p><p>G4S will deploy ThruVis from Digital Barriers at major events in the United Kingdom.</p><p>Federal Signal Corporation’s Safety and Security Systems Group formed a strategic partnership with Edesix Ltd. to offer IndiCue products that collect, distribute, and manage video evidence. </p><p>FinalCode, Inc., appointed DNA Connect as its distributor for Australia.</p><p>Genetec and Point Blank announced a direct integration between the IRIS CAM body-worn camera and the Genetec Clearance case management system.</p><p>Hanwha Techwin America formed a partnership with Security-Net Inc., allowing Security-Net’s partners to source the full line of Hanwha Techwin’s surveillance solutions as a gold level dealer.</p><p>ISONAS Inc. selected two new manufacturers’ representatives: Wilens Professional Sales, Inc., in New York and The Tronex Group in Florida.</p><p>Kwikset formed a partnership with Horizon Global to expand its SmartKey security to the automotive accessories industry, including hitches, fifth wheels, ball mounts, bike racks, cargo management products, and more.</p><p>Louroe Electronics signed with Tech Sales & Marketing and expanded its partnership with Thomasson Marketing Group to strengthen its presence across the United States.</p><p>Oceanscan is using iland’s DRaaS with Veeam to reduce incident response time.</p><p>OnSSI integrated its Ocularis 5 Video Management System with Vidsys’s Converged Security and Information Management software. </p><p>OnX Enterprise Solutions and Splunk collaborated on the new OnX Security Intelligence Appliance that implements both the hardware and software needed to combat attackers.</p><p>Open Options partnered with Mercury Security to offer two new bridge technology integrations with Software House iSTAR Pro and Vanderbilt SMS. </p><p>Red Hawk Fire & Security U.S. announced that Affiliated Monitoring will manage central station monitoring for Red Hawk customers. </p><p>SeQent has been accepted into the Schneider Electric/Wonderware Technology Partner program. </p><p>FC TecNrgy will market SFC Energy’s defense and industry portfolio of off-grid power sources to the Indian defense, homeland security, and oil and gas markets. </p><p>ZKAccess retained manufacturers’ rep firm ISM Southeast.​</p><h4>GOVERNMENT CONTRACTS</h4><p>The U.S. Federal Trade Commission selected AMAG Technology and its Symmetry Homeland Access Control System to secure its Office of the Executive Director.</p><p>Convergint Technologies and BriefCam announced that Austin-Bergstrom International Airport in Texas expanded its use of BriefCam Syndex.</p><p>For the Las Vegas presidential debate, the Las Vegas Metropolitan Police Department deployed a drone detection and counter-drone solution from Dedrone. Dedrone also joined forces with Nassau County Police and Hofstra University to protect the first presidential debate in New York.</p><p>The Payne County Sheriff’s Office in Oklahoma selected Digi Security Systems to design and install a new video system for its jail and courthouse.</p><p>Electronic Control Security, Inc., received an award from prime contractor Hudson Valley EC&M Inc. for an entry control system and support services for the Sullivan County and Eastern Correctional Facilities in New York.</p><p>Exiger was chosen by the University of Cincinnati to act as the independent monitor of its police department.</p><p>Port St. Lucie, Florida, worked with SecurPoint to install a wireless, IP-based video surveillance system from FLIR.</p><p>Johnson Controls announced a Cooperative Research and Development Agreement with the U.S. Department of Homeland Security to help secure critical infrastructure.</p><p>Leidos won a prime contract from U.S. Customs and Border Protection to provide systems administration and maintenance services for x-ray and imaging technology.</p><p>MacDonald, Dettwiler and Associates Ltd. will provide space-based synthetic aperture radar capabilities for the Canadian Department of National Defence.</p><p>NAPCO Security Technologies, Inc., announced that the San Diego Unified School District will use NAPCO’s Continental Access control system.</p><p>NC4 announced that the Fulton County Police Department in California chose NC4 Street Smart to help fight crime.</p><p>Palo Alto Networks signed a memorandum of collaboration with the Cyber Security Agency of Singapore to exchange ideas, insights, and expertise on cybersecurity. </p><p>Saab announced that its Airport Surface Surveillance Capability is operational for the U.S. Federal Aviation Administration at San Francisco International Airport.</p><p>Salient CRGT, Inc., won a contract from the U.S. Department of Homeland Security Science and Technology Directorate to provide development, integration, and evaluation in support of BorderRITE.</p><p>SDI Presence LLC is a key subcontractor to Saab Sensis in deploying an advanced event management system for Phoenix Sky Harbor International Airport.</p><p>TASER International received an order for 900 TASER X2 Smart Weapons from the Kentucky State Police.</p><p>Unisys Corporation won a contract from U.S. Customs and Border Protection to modernize the agency’s technology for identifying people and vehicles entering and exiting the country.</p><p>Veridos is providing the Republic of Kosovo with ePassports in addition to a solution to personalize the ePassports. Veridos is responsible for data management, as well as service and maintenance for the software and</p><p>hardware infrastructure.</p><p>Veteran Corps of America will perform contractor logistics support for the Joint United States Forces Korea Portal and Integrated Threat Recognition (JUPITR) system.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>AMAG Technology announced that its Federal Identity, Credential, and Access Management (FICAM)/FIPS 201–compliant solution was approved by the U.S. General Services Administration.</p><p>Legrand North America achieved Excellence within the Industry Data Exchange Association’s data certification program.</p><p>Middle Atlantic Products secured a patent from the U.S. Patent and Trademark Office for its Essex QAR Series Rack.</p><p>Passport Systems, Inc., received the Security Innovation Award from Massachusetts Port Authority for helping to revitalize the Port of Boston with state-of-the-art detection systems.</p><p>Qognify received Lenel Factory Certification Under Lenel’s OpenAccess Alliance Program.</p><p>Safran Identity & Security announced that its Airpass mobile payment solution, with a cryptographic security component, was certified by Visa and Mastercard.</p><p>SecurityScorecard received the Most Promising Company Award for its sophisticated technology and strategic implementation during PricewaterhouseCoopers’ Inaugural Cyber Security Day.</p><p>Tosibox won the Finnish Security Company of the Year award. The Turvallisuus ja Riskienhallinta magazine annual award was presented at the Finnish Security Awards. ​</p><h4>ANNOUNCEMENTS</h4><p>As part of its product rebranding, 3xLOGIC launched an updated website.</p><p>Aite Group’s report, Biometrics: The Time Has Come, examines biometrics capabilities that are deployed across the globe. </p><p>Allied Universal announced the purchase of FJC Security Services of Floral Park, New York.</p><p>Anixter International Inc. is opening a customized flagship facility in Houston, Texas.</p><p>Illinois Joining Forces, a public-private network of veteran and military service organizations, received a $125,000 grant for veteran outreach from Boeing.</p><p>CGL Electronic Security, Inc., moved its corporate headquarters to Westwood, Massachusetts. The new facility includes a customer training area, demonstration space, warehouse, and testing area.</p><p>CNL Software expanded its U.S. operations with new regional offices and a demonstration area in Ashburn, Virginia.</p><p>College Choice published its 2016 ranking of the safest large colleges in America.</p><p>The Financial Services Information Sharing and Analysis Center established the Financial Systemic Analysis & Resilience Center to mitigate risk to the U.S. financial system.</p><p>Modern Tools To Achieve Excellence In Video Security is a new white paper from Geutebrück.</p><p>Implant Sciences will sell its explosives trace detection assets to L-3 Communications where they will be integrated into L-3’s Security & Detection Systems Division.</p><p>Milestone Systems is making its XProtect Essential 2016 R3 available as a free download to users worldwide.</p><p>The National Electrical Manufacturers Association published NEMA WD 7-2011 (R2016) Occupancy Motion Sensors Standard.</p><p>Safran Identity & Security opened a location in the Silicon Valley that features an innovation center with a specific focus on digital payment, digital identity, and the Internet of Things.</p><p>Nonprofit SecureTheVillage (STV) launched a weekly news podcast, SecureTheVillage’s Cybersecurity News of the Week, available on the STV website, iTunes, SoundCloud, and other podcast sites. </p><p>SightLogix published a new design guide to assist integrators, architects, and engineers in planning, selecting, and installing video-based security systems. Securing Outdoor Assets with Trusted Alerts offers practical advice about using outdoor video.</p><p>The Smart Card Alliance released a mobile payments workshop video for understanding mobile wallets.</p><p>The Tyco Security Products Cyber Protection Team is offering security advisories on its website. The team generates a security notification about which products might be vulnerable, along with mitigation steps. </p><p>The U.S. Office of Management and Budget will create a new privacy office to oversee the development and implementation of new federal privacy policies, strategies, and practices across the federal government. ​</p> Road to ResilienceGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Of course, 100RC had neither the resources nor staff to partner with 10,000 cities. But organization leaders argued that its 100 member cities could be models for institutionalizing resilience—that is, embedding resilience thinking into all the decisions city leaders make on a day-to-day basis, so that resilience is mainstreamed into the city government's policies and practices. Other cities could then adapt the model to fit their own parameters, and institutionalized resilience would spread throughout the world. </p><p>Toward this aim, 100RC recently released a report that discusses three case studies of institutionalizing resilience in New Orleans, Louisiana; Melbourne, Australia; and Semarang, Indonesia. </p><p>For all cities that 100RC works with, the organization provides funding to hire a new executive, the chief resilience officer (CRO). The group also advocates that member cities take the "10% Resilience Pledge," under which 10 percent of the city's annual budget goes toward resilience-building goals and projects. So far, nearly 30 member cities have taken the pledge, which has focused more than $5 billion toward resilience projects.</p><p>Of the three case study cities, New Orleans may be most known as a jurisdiction that has had to recover from repeated recent disasters, including Hurricanes Katrina and Isaac and the Deepwater Horizon oil spill. Given these experiences, New Orleans was one of the first cities to release a holistic resilience strategy, which connected resilience practices to almost all sectors of the city, including equity, energy, education, and emergency planning.</p><p>The strategy, Resilient New Orleans, has three underlying goals: strengthen the city's infrastructure, embrace the changing environment instead of resisting it, and create equal opportunities for all residents. </p><p>To better implement the strategy, New Orleans CRO Jeff Hebert was promoted to the level of first deputy mayor, and departments were joined to unite resilience planning with key sectors like water management, energy, transportation, coastal protection, and climate change.</p><p>Once this reconfiguration was complete, the city took several actions. It created the Gentilly Resilience District, which is aimed at reducing flood risk, slowing land subsidence, and encouraging neighborhood revitalization. The resilience district combines various approaches to water and land management to move forward on projects that will make the area more resilient. The city will also train some underemployed residents to work on the projects. </p><p>In addition, New Orleans leaders are developing and implementing new resilience design standards for public works and infrastructure, so that efforts to improve management of storm water and multi-modal transit systems will be included as standard design components.</p><p>Melbourne has its own challenges. Situated on the boundary of a hot inland area and a cool Southern Ocean, it can be subject to severe weather, such as gales, thunderstorms and hail, and large temperature drops. Governmentally, it is a "city of cities" made up of 32 local councils from around the region, so critical issues such as transportation, energy, and water systems are managed by various bodies, complicating decision making.</p><p>City leaders created the Resilient Melbourne Delivery Office, which will be hosted by the City of Melbourne for five years, jointly funded by both local and state governments. The office—an interdisciplinary team of at least 12 people, led by the CRO Toby Kent—is responsible for overseeing the delivery of the resilience strategy.</p><p>The strategy has four main goals: empower communities to take active responsibility for their own well-being; create sustainable infrastructure that will also promote social cohesion; provide diverse local employment opportunities to support an adaptable workforce; and ensure support for strong natural assets.</p><p>For Semarang, a coastal city in an archipelago, water is the main focus of sustainability. Factors like a rise in sea levels and coastal erosion have increased the negative impact of floods.</p><p>These impacts can challenge the city in many ways. Thus, for its resilience strategy, Semarang leaders focused on building capacities, including more economic opportunity, disaster risk management, integrated mobility, and sustainable water strategies.</p><p>In Indonesia, like many other Asian countries, the national government sets the goals and parameters for much of the development that takes place at the local level. Thus, Semarang leaders worked with members of the Indonesian Parliament to educate them on the city's existing resilience strategy, and to integrate the city's findings and insights into Indonesia's National Development Plan.</p><p>These coordination efforts bore fruit in the establishment of projects like a bus rapid transit system, which had strong support from the national government. The system has already been implemented in several main corridors and will be expanded. It is expected to offer insight and experience in cross-boundary resilience-related travel.</p><p>As 100RC cities look to institutionalize resiliency, the organization is also helping members improve their emergency management programs. The group is partnering with the Intermedix Corporation, which will help some member cities assess their current emergency management programs, and develop a blueprint for addressing gaps in the program and meeting resiliency goals.</p><p>"As new and complex problems and challenges arise, it's becoming more and more important for cities to look outside of their own organizations for the expertise and solutions required to meet and overcome these challenges," says Michael Berkowitz, president of 100RC. ​​</p> Secrets 2.0GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The enactment of the Defend Trade Secrets Act (DTSA) of 2016 in the United States creates a new paradigm and is a watershed event in intellectual property law. U.S. President Barack Obama signed the bill into law on May 11, 2016, and the DTSA now applies to any misappropriation that occurred on or after that date.</p><p>A trade secret is any technical or nontechnical information that can be used in the operation of a business or other enterprise and that is sufficiently valuable and secret to afford an actual or potential economic advantage over others.</p><p>The law allows trade secret owners to file a civil action in a U.S. district court for trade secret misappropriation related to a product or service in interstate or foreign commerce. The term “owner” is a defined statutory term. It means “the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed,” according to the DTSA.</p><p>Under the DTSA, in extraordinary circumstances, a trade secret owner can apply for and a court may grant an ex parte seizure order (allowing property to be seized, such as a computer that a stolen trade secret might be saved on) to prevent a stolen trade secret from being disseminated.</p><p>With this development in the law, trade secret assets are no longer stepchild intellectual property rights. Trade secret assets are now on the same playing field as patents, copyrights, and trademarks. The DTSA reinforces that a trade secret asset is a property asset by creating this new federal civil cause of action.</p><p>And there is no preemption. The U.S. district courts have original jurisdiction over a DTSA civil cause of action, which coexists with a private civil cause of action under the Uniform Trade Secrets Act (UTSA). The UTSA—most recently amended in 1985—codified common law standards and remedies for trade secret misappropriation at the state level.</p><p>The DTSA also coexists with criminal prosecutions under the U.S. Economic Espionage Act of 1996 (EEA), which makes it a federal crime to steal or misappropriate commercial trade secrets with the intention to benefit a foreign power.​</p><h4>What the DTSA Means</h4><p>A trade secret asset must be managed like other property assets. However, trade secret asset management differs because it first requires the identification of the alleged trade secret asset. Because millions of bits of information within a company can qualify as proprietary trade secrets, it is critical to classify and rank trade secret assets.</p><p>Most companies focus on the protection phase of trade secret asset management without first identifying and classifying their trade secrets. This approach is doomed to fail without a thorough analysis. Unless the company knows what it’s protecting, there can be no effective protection. And all three phases—identification, classification, and protection—must occur before an accurate valuation of trade secret assets can be determined.</p><p><strong>Proof. </strong>Additionally, information assets must be validated in a court of law as statutory trade secret assets. There is no public registry for trade secret assets. The courts require proof of four things: existence, ownership, notice, and access. </p><p>The first element requires proof of existence of the trade secret asset. The litmus test for proving the existence of a trade secret has six factors: the extent to which the information is known outside the business; the extent to which the information is known inside the business; the extent of measures taken to guard the secrecy of the information; the value of the information to the business and to competitors; the amount of time, effort, and money expended to develop the information; and the ease or difficulty with which the information could be properly acquired or duplicated by others.</p><p>The plaintiff must show that he or she owns the trade secret. A misappropriator cannot be the owner of a trade secret.</p><p>However, a person who independently develops or independently reverse engineers the trade secret can be the owner of the trade secret. By using reverse engineering, an employee who has not been granted intellectual property rights in the trade secret asset may also be the lawful owner—instead of the employer.</p><p>For proof of notice, the plaintiff must show that the defendants had actual, constructive, or implied notice of the alleged trade secret. A former employee may use his or her general knowledge, skills, and experience. However, a former employee may not disclose or use the trade secrets of the former employer. Also, the former employer is prohibited from claiming that “everything we do is a trade secret.”</p><p>The court will take judicial notice that there is both unprotected and protected trade secret information in every company. If the line is unclear, the court will draw the line in favor of the former employee. </p><p>For proof of access, the plaintiff must prove that the defendant had access to the alleged trade secret. If the evidence shows that the defendant never had direct or indirect access to the trade secret, and there is no conspiracy claim, there cannot be misappropriation. This is because misappropriation requires proof of unauthorized acquisition, disclosure, or use of the trade secret by the alleged trade secret thief.</p><p><strong>Protection. </strong>The DTSA also requires that the trade secret owner take reasonable measures to protect the secrecy of trade secret assets. This is a much more challenging task today because trade secret assets are no longer at rest in a locked file cabinet in an engineer’s office. Today, trade secrets are in motion and in use via computer systems and networks with access points all over the world.</p><p>Companies must actively monitor the access and movement of critical trade secret assets throughout the corporate enterprise, or risk the serious consequences of forfeiting trade secret assets by failing to take the reasonable efforts necessary to protect these assets.</p><p>The point is illustrated by U.S. v. Lee (U.S. District Court for the Northern District of Illinois, 2009). A 52-year-old senior scientist, David Yen Lee, suddenly resigned from his job at Valspar on March 19, 2009, and bought a one-way ticket to Shanghai, scheduled to leave on March 27.</p><p>One of Lee’s coworkers discovered irregularities in Lee’s work computer. Upon further investigation, an unauthorized program called “Sync Toy” was uncovered in invisible Windows files. It showed that Lee downloaded 44 gigabytes of paint and coating formulas, product and raw material data, sales and cost data, and product development and test information.</p><p>The FBI was informed and brought in to investigate. The bureau raided Lee’s apartment and recovered the stolen trade secret assets before Lee’s flight left for Shanghai. Valspar’s security readiness was directed to protection against outside intrusions. However, there was little security in place to guard against trade secret theft by insiders and trusted employees. </p><p>To mitigate against future insider theft, Valspar set up an internal identification and classification system for trade secrets called the CPR (classify, protect, report) model. Valspar now tracks the movement of all critical trade secret assets within the various computer environments with triggers that are activated if unauthorized activities are detected.</p><p>The reasonable measures necessary for the protection of trade secret assets continues to grow as the risk of sensitive data loss increases by various means: unauthorized uploading of trade secret assets to an insecure cloud or Web application; unauthorized email communications disclosing trade secret information; unauthorized acquisition of highly classified trade secret assets onto USB drives; and undetected incoming malware, phishing emails, and corrupted Web software all facilitate foreign economic espionage and theft of corporate trade secret assets.</p><p><strong>Seizures. </strong>Companies cannot take advantage of the DTSA’s powerful seizure provisions unless effective trade secret asset management protocols are in place before the actual or threatened misappropriation occurs.</p><p>First, the owner must demonstrate, in a sworn affidavit or a verified complaint, that the ex parte seizure order is necessary and that a temporary restraining order is inadequate. Second, that immediate and irreparable injury will occur if the seizure is not ordered. Third, that the person the seizure would be ordered against has possession of the trade secret and property that is to be seized.</p><p>Once the ex parte seizure order is granted, the court must take custody of and secure the seized property and hold a seizure hearing within seven days. Individuals can also file a motion to have the seized material encrypted.</p><p>A court can issue an ex parte seizure order, according to the DTSA, “in extraordinary circumstances” to “prevent the propagation or dissemination of the trade secret” or to “preserve evidence.”</p><p>These circumstances exist when a trade secret thief is attempting to flee the country, if he or she is planning to disclose the trade secret to a third party, or if it can be shown that he or she will not comply with court orders. </p><p>The Valspar case is an excellent example of the necessity for ex parte seizure orders. However, the FBI will not always be there, and the window of time to protect against the loss of trade secret assets and destruction of the evidence will often be shorter than the eight-day period in the Valspar case. This is why a DTSA civil cause of action and an ex parte seizure order are so important to protect U.S. trade secret assets.</p><p>The protection of trade secret assets in these circumstances requires emergency actions. Once lost, a trade secret is lost forever. The DTSA requires that the trade secret Owner file suit, and provide verified pleadings and affidavits to successfully obtain a DTSA ex parte seizure order before the de­f­en­dants know the suit has been filed. </p><p>Otherwise, without the element of surprise, the defendants—often with several clicks of a computer mouse—can transfer the trade secrets outside the country and destroy the evidence of trade secret theft by running data and file destruction software.</p><p>Therefore, to take advantage of the robust provisions of the DTSA, the trade secret owner must be able to move faster than the trade secret thief. This will require that companies develop internal trade secret asset management policies, practices, and procedures. </p><p>The DTSA creates a new paradigm. If management waits until the trade secret theft occurs to identify what the trade secret is and investigate the evidence of misappropriation, the actual trade secret assets will be long gone before counsel can provide the U.S. district court with the proof necessary to obtain an ex parte seizure order.</p><p>The result: if the losses from the trade secret theft are severe, both the board of directors and senior executives of the company can be charged with malfeasance, including the willful failure to take reasonable measures to protect the corporate trade secret assets from insider theft or foreign economic espionage.​</p><h4>DTSA Application</h4><p>What are the next steps in view of the DTSA? Every organization is different. There are no one-size-fits-all solutions. Each trade secret asset manager must audit existing approaches to protecting trade secret assets, the resource allocations within the organization, and any budgeting issues with protecting trade secrets.</p><p>A fundamental first step should be the creation of An internal trade secret control committee (TSCC). The TSCC should be charged with the responsibility to adopt policies and procedures for the identification, classification, protection, and valuation of the company’s trade secret assets.</p><p>The next step should be the creation of an internal trade secret registry (TSR). This is a trade secret asset management system that can be deployed as a cloud-based solution, on a corporate server, or on a standalone work station. </p><p>The TSR should operate like a library card catalog storing necessary trade secret asset information with hash codes and block chaining (a database that sequences bits of encrypted information—blocks—with a key that applies to the entire database) to ensure the authenticity of the data stored in the TSR and to meet the required evidentiary standards in a trade secret misappropriation lawsuit.</p><p>Another necessary step is trade secret asset classification, the foundation of a successful trade secret asset management program. Asset classification allows trade secret assets to be identified and ranked, so that the level of security matches the level of importance of the trade secret asset. There are now automated trade secret asset management tools available to assist companies with the classification and ranking of trade secret assets.</p><p>Security, without identification and classification, is doomed to fail. In contrast, securing data after identification and classification of the trade secret assets makes it much easier for the internal security ecosystem to enforce trade secret protection policies and to prohibit unauthorized access, disclosure, or use.</p><p>Today, software tools can protect the company from mistakes that lead to the forfeiture of classified trade secret assets. If a user attempts to email a trade secret document to unauthorized recipients, the software program will immediately alert the user so the mistake can be corrected. Further, classified trade secret assets can be monitored. Administrators can track abnormal or risky behavior that otherwise cannot be tracked until the trade secret is compromised.</p><p>Developing a trade secret incident response plan (TSIRP) is another critical requirement. The flow of trade secret assets throughout the corporate enterprise should be tracked with built-in red flags, designed to trigger the TSIRP and notify outside counsel to proceed immediately to the courthouse to seek a DTSA ex parte seizure order before the bad actors can destroy the evidence or transfer the stolen trade secret assets outside the court’s jurisdiction.​</p><h4>Employee Management</h4><p>There are other best practices for trade secret assets now that companies are focusing on the various stages of identification, classification, protection, and valuation.</p><p>Building a trade secret culture from the top down, with required training and compliance with TSCC policies, practices, and procedures, is at the top of the list. Companies must promote a trade secret culture by prompting employees and users to stop, think, and consider the business value of proprietary, internal information they are creating, handling, and reviewing.</p><p>The new employee hiring process should include an investigation and certification by the new employee that no proprietary trade secret information of any previous employer is being brought to the company or is being stored electronically in his or her personal email system or other electronic storage locations.</p><p>The prospective new employee should sign an employment agreement with patent and trade secret assignment provisions. He or she should also receive and review the company’s required trade secret policies and procedures.</p><p>When an employee leaves the company, off-boarding procedures should include a mandatory trade secret exit interview. The interview should be conducted under strict procedures adopted by the TSCC, including execution of a trade secret acknowledgement at the conclusion of the interview certifying that all company devices, documents, and materials, including electronic copies, paper copies, and physical embodiments have been returned. It should also certify that all proprietary and confidential information, stored on any personal computer or mobile device, has been identified and preserved, returned, or deleted under the company’s instructions.</p><p>The enactment of the DTSA will usher in a new era. It requires trade secret owners to identify, classify, and protect trade secret assets as property assets. In time, the DTSA will become a precursor for new accounting systems that will provide valuations for trade secret property assets.  </p><p>--<br></p><p><em><strong>R. Mark Halligan</strong>, partner at FisherBroyles LLP, is recognized as one of the leading lawyers in trade secrets litigation in the United States by Legal 500 and Chambers USA: America’s Leading Lawyers for Business. He is also the lead author of the Defend Trade Secrets Act of 2016 Handbook and coauthor of Trade Secret Asset Management 2016: A Guide to Information Asset Management Including the Defend Trade Secrets Act of 2016.  ​</em></p> Chain StrategiesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Take almost any product you have purchased in a store or used at home or work in the last week. Chances are, that object moved thousands of miles from where it was originally manufactured to the place where it was ultimately purchased or delivered to you. Organizations have intricate supply chain networks that are constantly moving every day around the world, and having an efficient supply chain security program ensures that movement of goods is not interrupted or compromised. </p><p>Security professionals must take a detailed look at the vendors who supply their assets and understand how those goods will be handled and ultimately implemented into their company’s operations or services. Following is a look at how a children’s hospital in Alabama applied supply chain security best practices to weather an unexpected storm, as well as provide for day-to-day operations. In addition, supply chain experts discuss lessons learned from their own experience of conducting risk assessments, following standards, and vetting suppliers and transporters to better protect company property. ​</p><h4>Alabama Children’s </h4><p>When a snowstorm hit Birmingham, Alabama, on January 28, 2014, the city was caught unawares. The snowfall, which quickly turned to ice, left thousands stranded on highways or in their offices. Children were stuck at school, their parents unable to pick them up. The event became known as “Snowpocalypse,” and news service called it “the winter storm that brought Birmingham to its knees.” </p><p>Hospitals were affected by the storm as well, including Children’s of Alabama. The pediatric center encountered vulnerabilities in its supply chain during that event it hadn’t previously considered, says Dennis Blass, CPP, PSP, director of safety and security at the hospital. </p><p><strong>Lessons learned. </strong>Every year the hospital conducts a hazards vulnerability assessment for its supply chain to find out where it can improve safety and security. “Once you identify your hazards and your vulnerabilities–the things that are dangerous to you or the things that you’re weak in–then you start peeling those back,” he says. “If we identify hazards that we need to correct, then we probably are going to create a management plan to correct those issues.” </p><p>Many displaced people in the community turned to the hospital for shelter when they had nowhere else to go. “We have a very prominent position in the Birmingham skyline, so if things look bad, the hospital looks like a place to go and get help–as it is,” Blass says. There were also clinic patients who had come to the hospital that morning for a routine checkup, planning to leave; many of them were stuck because of the snowstorm, which began around 10:30 a.m. local time.</p><p>Instead of being filled to the normal capacity of 300 people—the number of beds in the hospital—there were roughly  about 600 people who spent about 48 hours at the facility to ride out the storm.</p><p>The number of people at the hospital exposed one unforeseen vulnerability—obtaining clean linens from its supplier, which is separated from the hospital by a chain of mountains. “The supplier can wash the linens, but they can’t deliver them to us…we ended up making it, but that was a close call,” says Blass.</p><p>“We could handle supplies for patients, but we had a lot of people who just came to the hospital because it was a warm place to be,” according to Blass. “That had impacts on the amount of food that got consumed, and it had impacts on the amount of linens we went through. Just things that people need, supplies like toilet paper, things you don’t think a lot of.” </p><p>For those who weren’t patients, the hospital served smaller meals than normal; “sandwiches and soup, as opposed to meat and potatoes,” Blass says, to stretch resources. </p><p>The main drug supplier for the hospital is located in the same region, so obtaining critical medicine was not a concern during the storm. The hospital also has plenty of diesel fuel tanks, and can go for days without restocking. Only the insufficient linens, which must be sent off to a facility for proper sanitation before being returned to the hospital, turned out to be an issue.</p><p>“We did an after-action report on that experience, so we…put it in our emergency management plans for the future,” he notes.</p><p>The hospital’s emergency plans help ease any supply chain shortages. The institution follows the hospital incident command system (HICS) which assigns temporary duties to leadership during an emergency. For example, during the snowstorm, the chief operating officer of the hospital assumes the role of incident commander; an information officer is assigned to keep the community informed of hospital activities; and the plan also incorporates a medical officer, logistics chief, and planning chief. </p><p>During the incident, this system helped ensure proper patient care and as few gaps in the supply chain as possible. “Food was getting tight,” Blass says, and the food warehouses are not located near the hospital. “Because of the command structure, leadership can say, ‘okay you have a company credit card, we’ll contact the bank and raise your limit from $500 to $5,000 or whatever you need.’”</p><p>The U.S. Joint Commission, which certifies and accredits healthcare bodies, requires that hospitals have a group with representatives from various divisions that evaluates the standard of care they are providing to patients. Alabama Children’s has an environment of care committee that meets once a month to complete this requirement. “Our environment of care committee looks at things like safety, security, and resource management,” says Blass. “We have to meet the Joint Commission’s standard, and it surveys us every three years.” </p><p>Representatives on the team at Alabama Children’s include staff from the pharmacy, medical team, facilities, human resources, dining services, and more. This team ensures that there aren’t any gaps in the supply chain that would interrupt the hospital’s daily operations. As a rule, Blass says that having enough supplies for 96 hours will allow the facility to continue operating smoothly and efficiently. This includes a variety of items that the environment of care team must carefully think through and document. “You’re talking about water, fuel, basic sanitary supplies, and then you start talking about medicine and those things necessary for a hospital to run,” he says. </p><p>And there can be more than one type of each supply, a detail that, if overlooked, could mean life or death. “We have pumps that pump air, we have pumps that pump blood, we have pumps that pump saline, we have pumps that do many different things. You have to have all the things needed to make those supplies work for 96 hours,” he notes. </p><p>Keeping track of inventory is critical to determine whether the hospital has a sufficient supply of each item. Blass says that the hospital is moving toward a perpetual inventory system, where a new item is ordered as soon as one is pulled off the shelf. </p><p>There is a downside to stocking too many items, which is why it’s a delicate balance between having 96 hours’ worth of supplies and more than enough. “Space is expensive. And if you want to have enough water for four days, how much water is that? Where do you put it? How do you keep it fresh?” He adds that the hospital must be thoughtful in its policies and procedures on maintaining its inventory to avoid any issues.  </p><p>Thankfully, Blass notes, t​he 2014 snowstorm only lasted 48 hours. “The size of the surge exceeded our plan, but the length of the surge was shorter than our plans, so it all worked out,” he says. </p><p>And not every element of securing the supply chain is tangible; the information and communication pieces are also critical. “Every day we’re getting blood supplies in, and other kinds of materials that must be treated very carefully,” he says. Special instructions need to be followed in many cases. For example, there may be medicine that must be stored at a precise temperature until 30 minutes before it’s dispensed. That information must be communicated from the pharmacist to the supplier, and sometimes to security, who can give special access to the supplier when it delivers the drugs. </p><p>Blass is a member of the ASIS International Supply Chain and Transportation Security Council. He helped develop an American National Standards Institute (ANSI)/ASIS standard for supply chain security, Supply Chain Risk Management: A Compilation of Best Practices Standard (SCRM), which was released in July 2014. The standard provides supply chain security guidelines for companies, and has illustrations of what exemplary supply chain models look like.</p><p><strong>Best practices.</strong> Marc Siegel, former chair of the ASIS Global Standards Initiative, also participated in the creation of the ANSI/ASIS standard, which provides explanations of how to look at managing risk in the supply chain. “It’s based on the experiences of companies that have very sophisticated supply chain operations,” he tells Security Management. “The companies that put it together were really looking at having a document that they could give to their suppliers, to help them look at themselves and think of things that they should be doing and preparing for.” </p><p>Siegel is now director of security and resilience projects for the homeland security graduate program at San Diego State University. He promotes supply chain mapping, which takes a risk management–based approach to supply chain security. “Traditionally, a lot of security people have looked at supply chain as logistics security,” he says, “whereas companies with major supply chain considerations have been moving more into an enterprise risk management perspective.” These organizations take an across-the-board look at risks that could create a disruption in the supply chain, asking themselves what the specific things are that could interrupt or prevent them from manufacturing or delivering their product. </p><p>Siegel says there is a disproportionate focus on bad actors and intentional acts as threats to the supply chain, when more often it’s a natural disaster or accident that causes the most significant disruptions. “The broader risk management perspective is also looking at, ‘Is there a potential for a storm, is there a potential for political disorder, or instability in a region, that can cause a delay in processing?’” Only then, he says, are companies efficiently mapping out all the factors that could introduce uncertainty.</p><p>Maintaining a broader perspective will keep organizations from fixating on two of the most common hangups in supply chain security. “You have people who fixate on ‘everything is a threat,’ and you have people who fixate on ‘everything is a vulnerability,’ and if you only fixate on those two things you’re going to miss a lot of stuff,” Siegel says.</p><p>Blass agrees. “When we start that annual hazards vulnerability assessment, I’m going to look through the standard and notes I’ve written myself to make sure I’ve got everything covered,” he notes. “You can never rest and say, ‘well, we’re safe and secure and we don’t have to do anything else,’ because the threats keep changing.”   ​</p><p>--</p><h4>Sidebar: assess risk<br></h4><p> </p><div>​For the co​rporation that produces the F-35 fighter jet and other advanced technologies for the U.S. government, supply chain security is of utmost importance. “The threats that we face are universal in nature due to the size and the complexity of our supply chain,” says Vicki Nichols, supply chain security lead for Lockheed Martin’s Aeronautics business. </div><div><br> </div><div>Lockheed Martin Aeronautics assesses the supply chain in a number of categories, but Nichols works most closely with cargo security. “The threats there are cargo disruption, unmanifested cargo, and anti-Western terrorism,” she notes. </div><div><br> </div><div>The division conducts a risk assessment of its international suppliers. “We look at what type of products they provide us and how vulnerable that product is to manipulation or intellectual property theft, and we look at country risk,” she says.  </div><div><br> </div><div>The company sends a questionnaire to its suppliers, and comes up with an overall score for each of them based on 10 criteria, including country risk and transportation mode. In many cases, it also sends field personnel to evaluate the supplier’s facility. “If we know we have eyes and ears going in and out of the facility, and those people are trained to recognize red flags, then we know we have a lower threat because of our presence,” she says. </div><div><br> </div><div>After one such site check at a facility in Italy, Lockheed Martin Aeronautics determined that the use of technology was warranted to further enhance security. “The concern was that the area was known for introduction of unmanifested cargo—weapons, cargo disruption,” she notes. “We began to look at tamper-evident technologies, and track-and-trace devices that would allow us to know if someone had opened or tampered with the freight.”  </div><div><br> </div><div>Lockheed Martin has a corporate supply chain security council that meets at least once a month to provide updates and discuss any issues that arise. Representatives from the company include human resources, personnel security, physical security, and counterintelligence. Stakeholders from major partner organizations are also invited to participate.</div><div><br> </div><div>Lockheed Martin Aeronautics also works closely with law enforcement and federal intelligence sources who disseminate relevant information to the company. “We subscribe to some intelligence data that is cargo-specific, so we issue a spotlight report about three times a week just to keep people engaged and aware of the threats in the supply chain,” she notes. </div><div><br> </div><div>Supplier engagement is also critical, Nichols says, so the company stays in touch with about 120 suppliers internationally. </div><div><br> </div><div>Sometime in 2017, Lockheed Martin Aeronautics plans to purchase a software management tool that will release supplier questionnaires in the native language for countries it does business with. It will tap existing resources such as “Supplier Wire” to offer training to the supply base. “This will be another evolution on how we can engage, rather than just sending them to a website,” Nichols says. “I think it’s important for our supply base to see how seriously we take security, so they will take it seriously as well.”​</div><div><br> </div><h4>sidebar: consult standards<br></h4><p> </p><p>​Laura Hains, CPP, operations manager, supply chain security and consulting at Pinkerton, member of the ASIS International Supply Chain and​ Transportation Security Council, says that companies should research whether their partners and suppliers are following major supply chain security protocols, like those put out by ASIS, and others such as the Transported Asset Protection Association (TAPA) standards for trucking companies. “TAPA is one of the big authorities on trucking, so if a company says they are TAPA certified, that to me says that they follow protocol,” she says. </p><p>Other standards include the National Strategy for Global Supply Chain Security which U.S. President Barack Obama signed in 2012 and was designed to enhance public-private partnerships. Arthur Arway, CPP, author of Supply Chain Security: A Comprehensive Approach, says the framework seeks to combine input from government and industry on protecting the transport of goods to and from the United States. “I think the government is far more willing to seek out subject matter experts and all the different modes and companies that may transport goods into the United States for their help,” he says. Arway adds the document is relatively recent, and that it could take a while before it is widely adopted. </p><p>Though terrorism is an uncommon threat to the supply chain, it must always be a consideration. Hains gives the example of vehicular attacks. In Nice, France, on July 14, 2016, Tunisia native Mohamed Lahouaiej Bouhlel drove a 19-ton cargo truck into a crowd of Bastille Day festival-goers. That attack killed 86 people and injured more than 400. New York police also warned of possible vehicular terrorism against the 2016 Macy’s Thanksgiving Day Parade. “A small company truck—that could be a target,” notes Hains. “So everybody has to think about terrorism because it’s out there.”</p><p>Another standard at the national level seeking to combat terrorism within the supply chain is the U.S. Customs Trade Partnership Against Terrorism (C-TPAT). The program is voluntary for private industry, but Arway says the national standards as a whole are seeing global adoption.​</p><p>“Standards have come a long way in how they’ve been able to incorporate security into the movement of goods,” he notes. “Many countries have accepted these programs into their own supply chain security programs.”​</p> RemediesGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​In 2013 and 2014, there were 325 reported incidents of lost, missing, or stolen nuclear and radioactive material worldwide. And about 85 percent of those incidents involved non-nuclear radioactive material, which is used to make dirty bombs, according to the<em> 2016 Radiological Security Progress Report</em> by the Nuclear Threat Initiative.</p><p>In recent years, the fear that a terrorist would detonate a dirty bomb—use conventional explosives to blow up radiological material—has outpaced concerns about a full-scale nuclear bomb, because nuclear materials are so heavily regulated. Radiological material, on the other hand, is used in more than 100 countries around the world for research, agriculture, and life-saving medical procedures in hospitals. While a dirty bomb wouldn’t cause destruction on the scale of a nuclear weapon, it would contaminate property, cause fear and panic, and require costly cleanup, in addition to the damage caused by the conventional explosion. This type of bomb is appealing to terrorists because it adds a negative psychological response to the normal destruction of an explosive, according to the U.S. Nuclear Regulatory Commission (NRC). <img class="ms-rtePosition-2" src="/ASIS%20SM%20Callout%20Images/0217%20Chapa%20Feature%20Sidebar.jpg" alt="" style="margin:5px;width:323px;" /></p><p>The NRC, along with partners in 37 U.S. states, licenses, monitors, tracks, and enforces security regulations for nuclear and radioactive material to protect those who work with the material and the public from potentially harmful exposure. </p><p>A July investigation by the U.S. Government Accountability Office (GAO) led the NRC to strengthen its licensing processes after the GAO was able to obtain a license under false pretenses and purchase a dangerous quantity of radioactive materials—for the second time in less than a decade. (See November 2016’s “News and Trends” department for more on this issue.)</p><p>After researchers alerted NRC officials about their investigation, the organization began making corrective actions, including enhanced training, increased scrutiny during site visits, and evaluating license verification.</p><p>This isn’t the first time the NRC has made significant changes to its practices due to a GAO report. In 2012, the watchdog organization focused on radioactive materials in medical facilities—a unique environment because, unlike research facilities, medical facilities are open to the public and don’t have the hardened environment inherent in facilities dedicated to working with high-risk materials.</p><p>Medical facilities use material produced in nuclear reactors to treat cancer and blood diseases. These uses create another unique threat: the materials are often sealed in metal capsules small enough to be portable. “In the hands of terrorists, these sealed sources could be used to produce a simple and crude but potentially dangerous weapon, known as a dirty bomb, by packaging explosives with the radioactive material for dispersal when the bomb goes off,” notes the 2012 report, Additional Actions Needed to Improve Security of Radiological Sources at U.S. Medical Facilities. </p><p>Daniel Yaross, CPP, who sits on the ASIS International Healthcare Security Council, has worked in the healthcare security field for more than 15 years and understands the importance of adhering to NRC regulations to secure nuclear materials. He recalls when the 1,503 U.S. hospitals and medical facilities holding nuclear materials had to update their security practices—at times a costly undertaking—to comply with the newly released NRC standards in 2012. </p><p>“Finance could be a hurdle that slows down the progress of providing enhanced security and safety for protective materials,” Yaross tells Security Management.</p><p>Yaross notes that it can be expensive for medical facilities to comply with NRC regulations, especially after the overhaul in 2012, which required biometrics updates and constant monitoring. At the time, the U.S. National Nuclear Security Administration (NNSA) had spent more than $100 million in helping hospitals meet NRC compliance. NNSA has reported that, due to the expense of the upgrades, the 2012 mandate will not be completed until 2025. </p><p> The NRC agreements with their U.S. state partners require that states adopt regulations that are compatible with the NRC’s. Hospitals in these states will be visited biannually to make sure they are compliant with the regulations. Based on the most recent NRC regulation updates, licensed medical facilities are required to ensure security when the radioactive material is being transported; secure the material once it is at its designated storage location; maintain records of transfer and disposal of any radioactive material; and conduct physical inventories of the material. </p><p>After the 2012 GAO report, the NRC has provided more specific guidance to licensed facilities, including how cameras, alarms, and 24-hour human monitoring should be implemented. The regulations also specify how radioactive material should be trans­ferred, who is allowed to access sen­sitive machinery, and what type of storage is required.</p><p>“When we look at nuclear compliance, just like anything else in our security world, it’s not just physical security but cybersecurity too—it’s concentric rings of defense,” Yaross says. “That’s how we handle security for these nuclear materials: concentric rings to make it harder and harder for someone who does not have the authority to get into that specific area unaccompanied.” </p><p>Those rings of security typically include basic security measures such as perimeter security and access control, as well as specified measures such as round-the-clock surveillance of the radioactive material and a dedicated radiation safety officer, which are all dictated by the NRC. </p><p>While most nuclear materials in hospitals are hidden in plain sight—as small masses of radioactive material buried in large, complicated machines—Yaross says the main goal is to reduce unaccompanied access as much as possible. To this end, the insider threat is taken seriously—few people are allowed to access the radioactive materials unaccompanied, which is emphasized in the NRC regulations. Those allowed to have unaccompanied access to sensitive machinery must undergo a full FBI background check going back seven years.</p><p>“A big part of the program is ensuring that the first line of defense, the operational side, is not increasing risk to that material by not vetting our employees that we grant unaccompanied access to,” Yaross explains. “We narrow down the number of people of who actually need to gain unaccompanied access into the facility. It includes security and police officers, as well as the lab technicians and the radiation safety officer.”</p><p>Yaross says that while the NRC regulations are generally straightforward and proper compliance looks similar at most medical facilities, it’s still important to have low-profile, highly targeted security systems and processes dedicated to radioactive materials that also mesh with the rest of the hospital’s security standards. </p><p>“Most people don’t even know it’s there, and frankly, most would not have a clue of how to access it, or how to separate the material from the actual piece of equipment,” Yaross explains. “Again, we have so many concentric rings of security, it gets harder and harder to get through each layer. That’s not just technology but background and operational procedures, such as how the floor plan is laid out.”   ​ ​</p> is InstrumentalGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Where can you go to see the iconic black suit worn by Johnny Cash, a guitar strummed by Eric Clapton, and instruments from sub-Saharan Africa, all under one roof? The Musical Instrument Museum (MIM) in Phoenix, Arizona, a 200,000 square-foot facility, is home to these and thousands of other legendary and significant instruments from around the world. ​<br></p><p>The collection is made up of more than 16,000 instruments, 6,000 of which are on display at any given time. Each year, upwards of 220,000 people visit the museum, which also has a 300-seat theater where notable musicians make regular headlines. The museum, which opened in 2010, is an affiliate of the Smithsonian Institution. “We’re constantly updating exhibits, changing things out, telling new stories,” says David Burger, security manager at the facility. ​</p><p>Securing this wealth of cultural items, as well as keeping the museum’s visitors safe, are top priorities for MIM, Burger says. “Very few of the exhibitions are under glass, so that creates a unique security concern between providing our guests with the world-class experience that we strive for, but also maintaining the safety of the instruments and making sure that everything is here for generations to come,” he says. </p><p>The museum employs contract security officers, in addition to police from the local precinct who act as “boots on the ground” security. “The local police are an invaluable asset to our security operations, both for the visibility and deterrence that they bring, but also their wealth of experience and knowledge,” Burger says. <img src="/ASIS%20SM%20Callout%20Images/0217%20Case%20Study%20Stats%20Box.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:495px;" /></p><p>The security operations center is another vital piece of the puzzle at MIM, where contract officers monitor the approximately 200 cameras that cover the premises, as well as manage alarms and access control, and dispatch help in the case of an incident. “Our video is not just for forensics use, we actually do a lot of training and work with our security operators to be more proactive—live-monitoring the video, identifying issues before they become incidents,” Burger notes. </p><p>A couple of years ago, MIM was in the process of upgrading its existing cameras for increased situational awareness and improved analytics across the entire property. “We reached out to several manufacturers, talked to their local representatives, and found out more about their products,” he says.</p><p>After narrowing it down to a few products, MIM chose Hanwha Techwin America, formerly Samsung, and selected a variety of its camera models. “This was a multiphase project of refreshing all our cameras and getting them up to a certain standard,” says Burger. “Hanwha was selected for this portion of it, which covered all of the main public spaces, employee areas, and building perimeters.” </p><p>Approximately 70 Hanwha cameras were installed, including fisheye and pan-tilt-zoom (PTZ) cameras. For sensitive places, such as loading docks and cash-handling areas, higher megapixel cameras were deployed. Burger says MIM was attracted to Hanwha for several reasons. “The integration the Hanwha cameras had with our Genetec VMS was a big deciding factor,” he notes, explaining that the alarms, motion detection, and other features of the existing video management system are easily tied into the Hanwha cameras. There is also “plenty” of storage space on the cameras, he adds, allowing for additional analytics or other processes to be run on the edge.</p><p>The installation began in early 2015 and was completed in March 2016. With the Hanwha cameras, MIM can set video analytics to detect motion and set off alarms if appropriate. With facial detection, the analytics can differentiate a human from other moving objects like debris and small animals that would not necessarily warrant the triggering of an alarm. If the system detects unwanted motion or people, an alarm goes off in the control center to alert operators to pay attention to the monitor showing that camera. “It’s an improved efficiency, being able to automate those features so the operator isn’t constrained with watching hundreds of cameras at once, and having to make all of those decisions himself,” Burger says.  </p><p>When an incident occurs that requires dispatch, control room operators notify the police at the main security desk in the front lobby. Those officers have a few monitors at their station for viewing any relevant video, as well as smartphones to receive images or video in the field. </p><p>Burger notes that, thankfully, no notable security incidents have occurred at the museum since installing the cameras. However, the day-to-day issues are easily resolved thanks to the cameras and ease of reviewing video on the Genetec VMS. “A common scenario is locating lost family members, and we’re able to pretty quickly backtrack and do some forensic searches [with the video],” he says. </p><p>Locating lost bags or spotting unattended packages is another routine event, as well as dealing with visitors’ slips, trips, and falls. “We can identify cases where somebody says things happened a certain way, and we were able to find that it wasn’t exactly the case,” notes Burger. On average, MIM keeps the video for 30 days before overwriting it, unless an incident warrants holding onto the footage longer.</p><p>Eventually Burger says MIM will integrate access control with video as well, so that alerts and alarms for doors can be tied to the appropriate cameras. </p><p>“The cameras have really increased our situational awareness, reducing potential blind spots or areas where there could have been a gap before,” he says.</p><p>--<br></p><p>For more information: Tom Cook,,, 201.325.2623 ​</p> of the IoT BotnetsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​There are many doomsday cyber scenarios that keep security professionals awake at night. Vint Cerf, one of the fathers of the Internet and current vice president and chief Internet evangelist for Google, speaking at an event in Washington, D.C., in 2015, shared his: waking up to the headline that 1,000 smart refrigerators were used to conduct a distributed denial of service (DDoS) attack to take down a critical piece of U.S. infrastructure.</p><p>Cerf’s nightmare scenario hasn’t happened, yet. But in 2016 thousands of compromised surveillance cameras and DVRs were used in a DDoS attack against domain name server provider Dyn to take down major websites on the East Coast of the United States. It was a massive Internet outage and, for many, a true wake-up call.</p><p> At approximately 7:00 a.m. on October 21, Dyn was hit by a DDoS attack, and it quickly became clear that this attack was different from the DDoS attacks the company had seen before. </p><p>It was targeting all of Dyn’s 18 data centers throughout the world, disrupting tens of millions of Internet Protocol (IP) addresses, and resulting in outages to millions of brand-name Internet services, including Twitter, Amazon, Spotify, and Netflix.</p><p>Two hours later, Dyn’s Network Operations Center (NOC) team mitigated the attack and restored service to its customers. </p><p>“Unfortunately, during that time, Internet users directed to Dyn servers on the East Coast of the United States were unable to reach some of our customers’ sites, including some of the marquee brands of the Internet,” Dyn Chief Strategy Officer Kyle York wrote in a statement for the company. </p><p>A second attack then hit Dyn several hours later. Dyn mitigated the attack in just over an hour, and some customers experienced extended latency delays during that time. A third wave of attacks hit Dyn, but it successfully mitigated the attack without affecting customers.</p><p>“Dyn’s operations and security teams initiated our mitigation and customer communications process through our incident management system,” York explained. “We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like this.”</p><p>The attacks caused an estimated lost revenue and sales of up to $110 million, according to a letter by U.S. Representative Bennie G. Thompson (D-MS) sent to former U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson.</p><p>“While DDoS attacks are not uncommon, these attacks were unprecedented not only insofar as they appear to have been executed through malware exploiting tens of thousands of Internet of Things (IoT) devices, but also because they were carried out against a firm that provides services that, by all accounts, are essential to the operation of the Internet,” the letter explained.</p><p>These devices were part of the Mirai botnet, which is made up of at least 500,000 IoT devices, including DVRs and surveillance cameras, that are known to be in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain, among other nations.</p><p>The botnet, which was created in 2016, has been used to conduct high-profile, high-impact DDoS attacks, including the attack on security researcher Brian Krebs’ website, Krebs on Security—one of the largest DDoS attacks known to date. </p><p>“Mirai serves as the basis of an ongoing DDoS-for-hire…service, which allows attackers to launch DDoS attacks against the targets of their choice in exchange for monetary compensation, generally in the form of Bitcoin payments,” according to Arbor Networks’s Security Engineering and Response Team (ASERT) threat intelligence report on Mirai. “While the original Mirai botnet is still in active use as of this writing, multiple threat actors have been observed customizing and improving the attack capabilities of the original botnet code, and additional Mirai-based DDoS botnets have been observed in the wild.”</p><p>This is because shortly after the Dyn attack, Mirai’s source code was published on the Internet, and “everyone and their dog tried to get their hands on it and run it in some form or another,” says Javvad Malik, a security advocate at AlienVault, a cybersecurity management provider.</p><p>Mirai is “out there and the problem is, there isn’t any easy mitigation against it,” Malik explains. “A camera or a webcam, there’s no real, easy way to patch it or update it, or there’s no non-technical way your average user could patch it. And most users aren’t even aware that their device was part of the attack.”</p><p>There are more than 25 billion connected devices in use worldwide now, and that amount is expected to increase to 50 billion by 2020 as consumer goods companies, auto manufacturers, healthcare providers, and other businesses invest in IoT devices, according to the U.S. Federal Trade Commission.</p><p>But many of the devices already on the market are not designed with security in mind. Many do not allow consumers to change default passwords on the devices or patch them to prevent vulnerabilities.</p><p>The Mirai botnet—and others like it—take advantage of these insecurities in IoT devices. Mirai constantly scans devices for vulnerabilities and then introduces malware to compromise them. Once compromised, those devices scan others and the cycle continues. These devices can then be used by an attacker to launch DDoS attacks, like the one on Dyn.</p><p>Some manufacturers have sought to remedy vulnerabilities in their devices by issuing voluntary recalls when they discover that they’ve been used in a botnet attack. But for many other manufacturers, there’s not enough incentive to address the problem and most consumers are unaware of the issue, says Gary Sockrider, principal security technologist at Arbor Networks.</p><p>“Consumers are largely unaware. Their devices may be compromised and taking part in a botnet, and most consumers are completely oblivious to that,” he explains. “They don’t even know how to go about checking to see if they have a problem, nor do they have a lot of motivation unless it’s affecting their Internet connection.”</p><p>DHS and the U.S. National Institute of Standards and Technology (NIST) both recently released guidance on developing IoT devices and systems with security built in. In fact, NIST accelerated the release of its guidance—Special Publication 800-160—in response to the Dyn attack.</p><p>But some experts say more than guidance is needed. Instead, they say that regulations are needed to require IoT devices to allow default passwords to be changed, to be patchable, and to have support from their manufacturers through a designated end-of-life time period.</p><p>“The market can’t fix this,” said Bruce Schneier, fellow of the Berkman Klein Center at Harvard University, in a congressional hearing on the Dyn attack. “The buyer and seller don’t care…so I argue that government needs to get involved. That this is a market failure. And what I need are some good regulations.”</p><p>However, regulations may not solve the problem. If the United States, for instance, issues regulations, they would apply only to future devices that are made and sold in the United States. And regulations can have other impacts, Sockrider cautions.</p><p>“It’s difficult to craft legislation that can foresee potential problems or vulnerabilities,” he explains. “If you make it vague enough, it’s hard to enforce compliance. And if you make it too specific, then it may not have the desired effect.”</p><p>Regulations can also drive up cost and hinder development if they are not designed to foster innovation. “Compliance does not equal security, necessarily,” Sockrider says. “Part of compliance may mean doing things to secure your products and services and networks, but there could always be vulnerabilities that aren’t covered…. You’ve got to be careful that you’re covering beyond just compliance and getting to true security as much as possible.” </p><p>So, what steps should organizations take in the meantime to reduce the risk of their devices being compromised and used to launch attacks on innocent parties?</p><p>If a company already has IoT devices, such as security cameras or access control card readers, in its facilities, the first step is segmentation, says Morey Haber, vice president of technology for security vendor BeyondTrust. </p><p>“Get them off your main network,” he adds. “Keep them on a completely isolated network and control access to them; that’s the best recourse.”</p><p>If the organization can’t do that and it’s in a highly regulated environment, such as a financial firm subject to PCI compliance, it should replace the devices and reinstall them on a segmented network, Haber says.</p><p>Organizations should also change all default user accounts and passwords for IoT devices, Sockrider says. “Disable them if possible. If you can’t, then change them. If you can’t change them, then block them.”</p><p>For organizations that are looking to install IoT devices, Haber says they should plan to install them on a segmented network and ask integrators about the security of the devices. </p><p>Sample questions include: Do they maintain a service level agreement for critical vulnerabilities? What is the lifespan of the device? How often will patches be released? </p><p>“And the last thing that becomes even more critical: What is the procedure for updating?” Haber says. “Because if you have to physically go to each one and stick an SD card in with a binary to do the upload, that’s unfeasible if you’re buying thousands of cameras to distribute to your retail stores worldwide. There’s no way of doing that.”</p><p>Organizations should also look at their policies around allowing employees to bring in their own devices to the workplace and allowing them to connect to the network. </p><p>For instance, employers should be wary when an employee who brings in a new toaster connects it to the company Wi-Fi without anyone else’s knowledge. “That type of Shadow IT using IoT devices is where the high risk comes from,” Haber explains. </p><p>And organizations should also look to see what they can do to block inside traffic from their network getting out. </p><p>“Think about it in the reverse; normally we’re trying to keep bad stuff out of our network, but in this case, we want to keep the bad stuff from leaving our network,” Sockrider says. “Because in this case, if an IoT device on your network is compromised, it’s not necessarily trying to attack you, it’s trying to attack someone else and you can be a good citizen by blocking that outbound traffic and preventing it from doing so.”</p><p>While companies can take steps to reduce the likelihood that their devices will be compromised by a botnet and used to attack others, attacks—like the Dyn attack—are likely to continue, Malik says.</p><p>“We’ll probably only see more creative ways of these attacks going forward,” he explains. “At the moment, it’s primarily the webcams and DVRs, but you’re probably going to see different attacks that are more tailored towards specific devices and maybe even a change of tactics. Instead of going after Dyn…taking down a smaller competitor.”</p><p>Malik also says he anticipates that cyber criminals will conduct these more creative attacks through purchasing DDoS as a service, a growing industry over the past few years. </p><p>“Some providers are just as good, if not better than, professional legitimate services,” Malik says. “It’s very easy; they offer support. You just go there, you click buy, send the Bitcoins, enter your target, and job done. You don’t even need any technical expertise to do this. It’s very, very convenient.”   ​ ​</p> 101: What to Expect at the U.S. Presidential InaugurationGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Almost 1 million people are estimated to descend on Washington, D.C., on Friday for the inauguration of U.S. President-elect Donald Trump. Many of those individuals are part of 63 groups planning demonstrations at the inauguration, presenting a unique security challenge for the U.S. federal government, D.C. officials, and other stakeholders.</p><p>“Anytime you have coming together such large numbers of people, such large numbers of groups that intend to demonstrate and exercise their First Amendment rights, you’ve got to be vigilant; you’ve got to plan; you’ve got to prepare,” said U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson in a press conference. <br></p><p>This is why the inauguration was designated as a National Special Security Event (NSSE), allowing federal officials to begin crafting a security plan for the event 180 days before it was to take place. <br></p><p></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read af4e0b24-c744-4f11-a407-cfd54f64d3ec" id="div_af4e0b24-c744-4f11-a407-cfd54f64d3ec"></div><div id="vid_af4e0b24-c744-4f11-a407-cfd54f64d3ec" style="display:none;"></div></div><p>​The U.S. Secret Service led the planning, working with other federal partners, such as the U.S. Department of Defense and the Federal Emergency Management Agency, and local partners such as the Metropolitan Police Department (MPD)—Washington, D.C.’s local police force.</p><p>Given the unique scope of a U.S. presidential inauguration where heads of state and numerous U.S. leaders will be in attendance, along with between 700,000 to 900,000 civilians, there will be an enormous security presence in the nation’s capital. <br></p><p>Johnson said that approximately 35,800 security personnel will be involved over the course of inauguration weekend—10,000 DHS personnel, 12,000 other federal personnel, 7,800 National Guard personnel, and 6,000 police officers from MPD and other local police departments.<br></p><p><strong>Security Measures for the Inauguration </strong><br></p><p>On Wednesday at 5 p.m., U.S. Capitol Police will begin <a href="" target="_blank">closing street access</a> to the Capitol complex and continue closing streets on Thursday at 11 p.m. local time. Streets access is expected to resume at 5 p.m. on Friday, and in the meantime the police are encouraging people to walk or take public transportation.<br></p><p>"Inaugural events attendees are encouraged to use public transportation, as many streets in and around the Capitol Grounds and the National Mall will be closed to private automobiles for much of the day," Capitol Police said in a statement. </p><p>Security personnel will establish two different types of perimeters for the event: soft vehicle perimeters where those who live or work inside the perimeter will be given access, and hard vehicle perimeters where only official vehicles will be allowed to pass through. The hard vehicle perimeter will also be heavily fortified by trucks and dumpsters, “given the current threat environment,” Johnson added.<br></p><p>The <a href="" target="_blank">Washington Metropolitan Area Transit Authority​</a> (WMATA) will open at 4 a.m. on Friday and run through midnight. It plans to run at peak service from 4 a.m. until 9 p.m. that evening to service riders, but the Navy Archives, Federal Triangle, Mount Vernon Plaza, Pentagon, and Smithsonian stations will be closed.<br></p><p>Security personnel will have bag checks and 300 magnetometers set up to screen individuals planning on attending the inauguration festivities.<br></p><p>Washington, D.C., is also a <a href="" target="_blank">no fly zone​</a> for unmanned aircraft (drones), and Johnson said security measures have been taken to ensure that no drones are able to fly within the District during the inauguration weekend. <br></p><p>“Christmas was just a few weeks ago,” Johnson added. “I suspect a lot of people got drones for Christmas…this is something we’ve thought about, we have planned for, and we have technology to deal with it.”<br></p><p>Officials have also issued permits to 99 groups planning to demonstrate on inauguration weekend—63 of which plan to demonstrate on Friday. These permits were issued to help security plan for how it will handle these protesters—such as where protestors will be allowed to demonstrate to ensure that they are not crossing paths with groups that might hold opposing views. <br></p><p>This helps security personnel ensure that opposing groups do not disrupt the festivities and it helps prevent demonstrations from escalating. Security personnel will also monitor these groups for disruption and to make sure they remain separated, Johnson explained.<br></p><p>There is no specific threat to the inauguration, Johnson said, but security personnel will remain vigilant as the global terrorist environment is very different in 2017 than it was in 2013—the last time an inauguration was held in the United States. <br></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 9c55b8b2-304d-46c0-8e24-aa44e28ebc64" id="div_9c55b8b2-304d-46c0-8e24-aa44e28ebc64"></div><div id="vid_9c55b8b2-304d-46c0-8e24-aa44e28ebc64" style="display:none;"></div></div><p>​Officials have to be concerned about homegrown violent extremism and lone wolves, Johnson explained, along with the “larger picture of general security and general public safety when you have a large public gathering with estimates of 700,000 to 900,000 people in close proximity of each other.”</p><p><strong>Securing Local Businesses</strong><br></p><p>While U.S. federal and local officials will be handling the security of public spaces in and around the inauguration, business owners will be responsible for securing their own facilities throughout the festivities. <br></p><p>One precaution these individuals should take is to map concealment areas in their facilities and regularly conduct routine sweeps of them—particularly the exterior—for weapons of convenience or cached weapons, says Ross Bulla, CPP, PSP, founder and president of The Treadstone Group, Inc., which advises clients on security solutions and best practices for protecting people, property, and information.<br></p><p>This is because a group who might be planning a violent demonstration may try to leave supplies at a local business on a parade route or nearby the National Mall to access them later. If facility owners find these kind of items, Bulla says they should contact law enforcement immediately and post security—if possible—in the area that the items were stowed in.<br></p><p>Bulla also recommends businesses in the immediate vicinity of the inauguration and its parade route assess their physical security, their food and safety handling, water supplies, electrical systems, and shelter in place procedures. This is especially critical for hotels, which might require hundreds of people—both guests and staff—to shelter in place should an emergency occur.<br></p><p>“You also may need to determine a way to re-credential people,” Bulla explains. “Guests who’ve left the facility and need to get back inside, you need to be able to quickly identify them as a guest and get them inside, while not allowing non-guests in.”<br></p><p>And for high-rise facilities, Bulla says it’s critical to limit or prevent rooftop access. <br></p><p>“Check door locks and secure windows that face the inauguration and parade route because on of the main or favored activities of protest groups is to get on a roof and unfurl banners or throw objects,” he explains. “Your roofs’ become focal points. Newspapers see them, and they’re a great place to throw rocks at law enforcement.”<br></p><p><strong>Securing your Person</strong><br></p><p>Individuals planning to attend the inauguration should <a href="" target="_blank">review the reference materials</a> provided by officials on prohibited items, which include animals other than service or guide animals, oversized backpacks and bags (18” by 13” by 7”), coolers, mace, selfie sticks, bicycles, and more.<br></p><p>While small bags and purses will be allowed in secure areas, Bulla recommends individuals planning to attend the inauguration try not to carry a bag at all as it will slow them down going through security screenings. <br></p><p>“If you go to an officially sanctioned event or any unsanctioned or related event, there will be security screening in place,” Bulla says. “Don’t carry an oversized camera, don’t carry an oversized purse—or even carry one…just pack lightly, or nothing more than your wallet if possible.”<br></p><p>Those traveling to Washington, D.C., for inauguration festivities can also sign up for free emergency text alerts and notifications by texting the word “INAUG” to 888777, according to the Secret Service.<br></p><p>Bulla also suggests creating a muster point plan if you’re attending the event with several people should an emergency occur and you need to evacuate quickly.<br></p><p>“It’s one thing to evacuate quickly and protect yourself if there is an incident,” Bulla ​says. “It’s entirely different to be one of 100,000 people running. You’re not going to be able to stay with your husband, your wife, your children.”<br></p><p>Instead of attempting to stay with your party, Bulla says you should plan to run with the crowd and exit the area as quickly as possible. Then, when you’re away from danger, head to the muster point you agreed on beforehand, such as a hotel lobby.<br></p><p>“One of the primary reasons that people are injured or killed is because they panic and don’t have an escape route,” he adds. “Just always know and be aware of your surroundings, and where you’d go if something happened.”<br></p><p>For more on inauguration security, listen to a special edition of the <em></em><a href=""><em>Security Management </em>podcast</a> with a former U.S. Secret Service agent.<br></p><p><br></p>;-Authorities-Say-Multiple-Dead.aspxGunman Opens Fire at Fort Lauderdale Airport; Authorities Say Multiple DeadGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A gunman opened fire at a Fort Lauderdale, Florida, airport, killing five and wounding at least eight people in a shooting Friday afternoon, authorities said.​</p><p>The Broward County Sheriff's Department confirmed on Twitter that it had a subject in custody, but had not released any further information about the individual.</p><p>The department received a call at 12:55 p.m. local time that shots were fired at Fort Lauderdale-Hollywood International Airport near the baggage claim for Terminal 2—the baggage claim used by Delta Air Lines and Air Canada.<br></p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read 8ac4e3b3-5843-431b-8b91-436f708a3458" id="div_8ac4e3b3-5843-431b-8b91-436f708a3458"></div><div id="vid_8ac4e3b3-5843-431b-8b91-436f708a3458" style="display:none;"></div></div><p>​Local authorities responded to the scene, where five people had been killed and eight others were wounded. Authorities have not released names of the victims as they are continuing to identify them and notify their first of kin.</p><p>In a press conference, Broward County Sheriff Scott Israel said the suspected gunman surrendered to a sheriff's deputy and was taken into custody without incident.</p><p>The suspect--who's identity was not released or confirmed by Israel--is being interrogated by local law enforcement and members of the FBI Miami field office.</p><p>Israel also declined to answer questions about whether the gunman was on a flight that arrived at the airport, or if he had entered the baggage claim area from outside the airport.</p><p><a href="" target="_blank">CNN spoke to Broward County Mayor Barbara Sharief, </a>who said the terminal was an active crime scene. The gunman was a “lone shooter,” Sharief said, “and we have no evidence at this time that he was acting with anyone else.”<br></p><p>Reports on social media showed the airport evacuating individuals in response to the gunfire. The airport has temporarily suspended all services and is encouraging travelers to contact their air carriers about their flight information.<br></p><p>SWAT teams are currently clearing the entire airport, and Israel said that the airport will not reopen until they give the all clear that the scene is secure.</p><p>"My concern right now is with the citizens of Broward County," Israel said. "And until myself and the director [of the airport] believe this airport is a safe place and people can move about, it won't be open."<br></p><p>The Fort Lauderdale-Hollywood International Airport (FLL) forms an airport system with North Perry Airport (HWO) and serves the needs of roughly 26.9 million passengers in south Florida, with more than 73,000 travelers passing through its four terminals every day.<br></p><p>“FLL is ranked 21st in the United States in total passenger traffic and 13th in domestic origin and destination passengers,” according to <a href="" target="_blank">FLL’s website. </a>“There are more than 325 departure and 325 arrival flights a day.”<br></p><p><br></p> Water WoesGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Our most basic common link is that we all inhabit this small planet. We all breathe the same air. We all cherish our children’s future. And we are all mortal.” U.S. President John F. Kennedy’s 1963 commencement speech, titled “A Strategy of Peace,” foreshadowed the vulnerability of nonrenewable resources around the world today.</p><p>Human beings require approximately 50 liters (about 13 gallons) of fresh water per day. But in North America, the average citizen uses more than 300 liters (almost 80 gallons) of fresh water every day, more than twice the world average. At least 75 percent of the water consumed in North America has been acquired, transported, treated, and distributed through municipal or regional water treatment systems, at a significant cost. </p><p>Water treatment systems in North America are vital—and make tempting targets for terrorists. Between 1994 and 2014, 138 attacks targeting food and water supplies were recorded in the Global Terrorism Database maintained by the University of Maryland. As a vital asset and symbol of democratic societies, water is and will continue to be considered a high-value target for terrorists.</p><p>More evidence of threats to these critical systems can be found in the water conflict chronology list, compiled by the Pacific Institute in the United States. </p><p>In 2014, three men in the U.S. state of Georgia were arrested for planning to attack water treatment plants, power grids, and other infrastructure. And, in 2011, a hacker targeted a water plant in Houston, Texas, following earlier news of an electronic attack on an Illinois water plant. The breach occurred after the attacker hacked into supervisory control and data acquisition software used by the utility.</p><p>The relative scarcity of water around the world may lead to global conflict. In 2012, the U.S. Office of the Director of National Intelligence (ODNI) issued Global Water Security, an assessment that concluded that the safety, security, and sustainability of Canada’s water supply may soon become a source of conflicts between nations. </p><p>“Several regions of the world will face major challenges coping with water problems,” according to the report. “Between now and 2040, fresh water availability will not keep up with demand, absent more effective management of water resources. These findings reinforce the view that water is not just a human health issue, not just an economic development or environmental issue, but a peace and security issue.”</p><p>Water rights may also impact the relations between countries, as exemplified by disputes that arose recently when municipalities in the United States began replenishing their aquifers by withdrawing water from the Great Lakes. Canada and the United States not only share the longest unprotected border in the world, but also the Great Lakes—the largest surface freshwater system on earth.  </p><p>The United States and Canada have identified water and wastewater systems as critical infrastructure, and the protection of this infrastructure raises significant challenges, including a less-than-ideal governance model. </p><p>There are no federal standards or agreed-upon practices within the water infrastructure sector to govern readiness, response to security incidents, or recovery in the United States or Canada. By providing the industry with an adequate governance framework, the governments could promote resilience along the entire water supply chain.  </p><p>Given these governance issues, the aging water infrastructure, dwindling expertise, complex and open systems, and the lack of standards in protection, North America’s vulnerabilities to potential attacks may be considered high to very high. </p><p> “Although the frequency of warfare, particularly in developed countries, may be decreasing, advances in technology, including increased global mobility and communication, have heightened the threat posed by individuals and small groups, including decentralized terrorist organizations,” according to the 2014 book Drinking Water Security for Engineers, Planners, and Managers by Ravi Jain. </p><p>By assessing and revisiting the security risks associated to water and wastewater, the effectiveness of current layers of protection can be determined by using a standard equation where risk is calculated as the product of the likelihood, the consequences, and the vulnerabilities.​</p><h4>Likelihood </h4><p>Many nations are engaged in a war of ideas and values with terrorist organizations that export their concepts to individual citizens. Recent events confirmed the fact that no one is immune to terrorist attacks and that these organizations will go to great lengths to carry out attacks on the most vulnerable contingents of society. Security professionals must learn from past events while building on this knowledge to identify how and where the next attack may occur.  </p><p>Conflicts have begun to emerge between nations over water issues in Africa and the Middle East. These isolated events may increase in number as the world population continues to grow. Geopolitical, environmental, and economic factors will contribute to migrations, adding to the size of large metropolitan areas—by 2050, seven out of 10 people will live in cities.</p><p>These changes will spur new pressing demands for water services, which may affect public and national security as well. For example, while the likelihood of a terrorist attack in parts of Africa may currently be low, this level could be elevated rapidly based on intelligence gathered by national and international authorities. ​</p><h4>Consequences</h4><p>Attacks directed at water infrastructure can be categorized as rare events that occur with a low frequency. However, the consequences could be severe. Researchers have attempted to identify and even quantify just what those consequences could be. </p><p>“The potential economic fallout from accidental or deliberate contamination in a water system is significant,” Jain notes in his book. J.W. Porco with the American Water Works Association estimates that “the cost for radiological contamination in a water system serving a population of 10,000 could be as high as $26 billion; for a population of 100,000, the estimated economic impact could be $100 billion.” </p><p>Although biological, chemical, and radiological detection systems protecting water sources are becoming more sophisticated and effective, they can only protect against known forms of attacks and may not fare as well against zero-day vectors. Considering the severe impact that could be generated by similar scenarios, the consequences of such attacks can be estimated as very high. ​</p><h4>Vulnerabilities</h4><p>To identify a nation’s vulnerabilities, officials must start by assessing the governance model to determine how effectively the procedures and the equipment associated with the protection of water and wastewater systems are managed. </p><p>The U.S. governance model provides a significant level of coordination and oversight from the federal government under the leadership of the U.S. Environmental Protection Agency (EPA), supported by the U.S. Department of Homeland Security (DHS). </p><p>The objective of the EPA is to build resilience at drinking and wastewater utilities, notably by providing section-specific plans including security, which are found on the DHS website. It is unclear how the new U.S. administration will approach water infrastructure.</p><p>In Canada, most of the investments and practical managing issues are delegated to municipal and regional authorities under distinct provincial and federal legislation. There is not as much coordination or oversight from the central government, which may explain the lack of national standards for water protection.</p><p>The newly-elected liberal government in Canada has pledged to provide provincial and municipal authorities in the country with infrastructure funding in the coming years. This may allow municipal and regional authorities to invest in water and wastewater infrastructure, which in many cases is old and fragile. The aging infrastructure is further compounded by a North American demographic trend where experienced workers are leaving the workforce in record numbers. It is unknown whether current succession planning and training efforts are sufficient to counter this trend.  ​</p><h4>Managing the Threat</h4><p>Terrorist organizations are determined to exploit weaknesses, either physically or virtually, to create chaos and terror, usually accompanied by a significant impact on national economies. This is their raison d’être, and to remain relevant and to attract more followers, they will continue their attacks. </p><p>Simple and minimal resources on the part of the terrorists are inflicting major damages, whereas the means to prevent and protect against those attacks are both complex and costly, creating an asymmetric conflict. It is difficult to determine how much to spend on reducing the risk of attacks to critical infrastructure when measured against other forms of security risks, as well as whether the resources invested in the protection of this infrastructure are delivering the desired outcome.</p><p>As part of a diligent approach, the risk level associated with critical infrastructure must be regularly assessed to prevent accidents and incidents that could put North America’s respective populations at risk.</p><p>It may be beneficial for Canada and the United States to develop—in collaboration with provincial and state regulators—an all-hazards approach to water security based on existing models, such as the American Water Works Association Risk and Resilience Management of Water and Wastewater Systems. Although the countries’ regulations may differ, it may be beneficial to develop measures that could be mutually recognized and accredited by central, provincial, and state governments. To do otherwise may lead to duplication, confusion, and wasted resources. </p><p>Building resilience will also require an increased awareness of the issue on the part of the public. In this regard, Canada should copy and adapt the Water Sentinel project that was launched by the EPA in 2006. </p><p>   Considering the cross-jurisdictional situation of watershed management, more regulatory clarity, increased oversight, and audits to build resilient water and wastewater systems are necessary to instill a higher level of accountability and readiness among the various stakeholders.​</p><h4>Collaboration</h4><p>Demographic trends for the next 30 years show a significant growth in urban populations in the world, including North America. As the population grows so will the need for food and water, which are intimately intertwined. Along with the continent’s disturbing consuming habits and changing weather patterns, this will further stress fresh water supplies. </p><p>The scarcity of fresh water in the future will make this infrastructure even more critical and attractive for terrorist organizations. It will be imperative to effectively respond to unforeseen events, from using collaboration across national and organizational boundaries to resuming operations once the threat has been eliminated.</p><p>Collaboration fosters resilience, and actions such as providing stakeholders with standards, training, and common communication and information sharing platforms will help accomplish that.  </p><p>--<br></p><p><i><strong>Yves Duguay</strong><b></b>, ICD.D (Institute of Corporate Directors, Director), CSSP (Certified Sport Security Professional), is the president of HCI World.</i></p> to Bank OnGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The intersection of cyber and physical security is a critical consideration for banks with brick and mortar buildings, who also offer many of their services to customers online. To protect these assets, financial institutions have increased their information technology security spending by 67 percent since 2013, according to a recent survey by PricewaterhouseCoopers.</p><p class="p1">Zions Bancorporation is one such institution that has taken steps to converge its physical and cybersecurity systems to protect its customers and assets, which total approximately $60 billion. One of its affiliates, Nevada State Bank, recently upgraded its access control system to provide enhanced security, as well as convenience, for its workers.</p><p class="p1">To workers at Nevada State Bank, the old system of physical keys and hard locks was both a security concern and a nuisance. For example, an employee was at the park playing with her child when someone broke into her car. Along with the employee’s purse, the robber got away with a physical key to the bank’s branch where she worked. She made a phone call to corporate security, and the entire building had to be rekeyed that weekend. </p><p class="p1">“To rekey all the locks and replace keys could cost $3,000–or it could be even more costly if it’s a master key that’s lost,” says Bob Shandle, regional security officer for Zions Bancorporation. He adds that when employees lose their keys, “it almost always happens over the weekend,” an inconvenience to the security staff.  </p><p class="p1">Replacing physical keys with cards was one of the biggest advantages to upgrading access control at three Nevada State Bank branches, says Shandle, who introduced new security cameras and alarm systems as well. “Card access is just a small part of the big picture of what we’re trying to accomplish” in terms of security, he notes. </p><p class="p1">Zions worked with an integrator to find the best choice for an access control platform for the bank. In March 2015, it chose Sielox Pinnacle, the software that serves as the hub for the overall access control system. Sielox 1700 Network Controllers are used to support card readers installed at door locations, including hardwired doors located in the branch’s vault.</p><p class="p1">At the majority of its entryways, the bank first chose Allegion AD-400 wireless locks that integrated with the Sielox system. Because the locks are large and require drilling holes for installation, the AD-400 locks were functional but not ideal. In March 2016, Shandle purchased Schlage NDE locks, which have a smaller form factor and are more affordable. Both Schlage and Allegion are owned by manufacturer Ingersoll Rand, so the microchips inside employee access cards did not change. The cards were simply updated through the Pinnacle software. </p><p class="p1">“The NDE lock requires no special modifications to the door. It goes right on top of where your old lock used to be,” Shandle explains. This is especially useful given the “bandit barriers,” or bulletproof glass walls, that run throughout the branch to protect tellers from potential shooters. With a wired system, “you’d basically have to disassemble the entire door area” for installation, Shandle says. “With the NDE lock I was able to get the mount right on top of that heavy-duty Plexiglas, and it worked really well.” </p><p class="p1">He adds that the locks resulted in a “huge cost savings,” and says the price of the wireless access control system was roughly one-third the cost of a hard-wired one. Commissioning the lock to work with existing cards was also fairly seamless. Using a smartphone and tablet app from Allegion that integrates with the Sielox software, administrators create a username and password, and then link the wireless locks to Pinnacle. This enables the chips in the card to work with the control boards in the door readers. “Sielox is the only access controller provider in the market that seamlessly integrates the NDE locks from Allegion, so it really did work out well,” he adds.</p><p class="p1">In addition, someone at the bank is responsible for going through the card access database every day to ensure that it reflects employees who have been terminated, are on temporary leave, or have returned from leave. Changes can be managed within the Sielox Pinnacle online Web portal. Additionally, all actions are recorded and reported on every card, so security personnel can track activity and spot abnormalities in the log files. </p><p class="p1">Vendors who spend an extended period of time at a branch are assigned a bank employee who is responsible for their access card. “That supervisor or person from the bank would have to request the card in writing from us, and then we would issue it on a temporary basis,” he says. The assigned person from the bank is responsible for eventually getting the card back to security. </p><p class="p1">Currently three Nevada State Bank branches have card access throughout the building, as well as the central vault. Eventually Shandle says they hope to implement the system organization-wide. “We are trying to consolidate all of the branches under the Sielox Pinnacle card access system and eliminate the need for employees to carry keys altogether,” he notes. </p><p class="p1">The biggest concern with wireless access control readers is battery life, Shandle says, so Pinnacle has an application that tells security how long until the batteries on individual door readers are exhausted. And there is a small time-delay between putting the card up to the reader and when the door unlocks. “When it comes to presenting your credentials, the readers don’t always respond immediately like the hardwired ones do,” he notes. </p><p class="p1">However, these concerns are outweighed by the convenience of the overall system. A key can be disabled within minutes, no longer requiring an expensive and timely rekeying of the building. “It costs about $5, and I can have a key card removed from the system in a number of seconds,” Shandle says. “Even if you lose it on a Friday night, we can have that card disabled, so that the missing fob that grants access to our branch doesn’t work anymore.”</p><p class="p1"><i>For more information: Karen Evans,,, 856.861.4568​ ​</i></p> Intelligent SolutionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A large, international finance company was recently planning to fire one of its employees, but the company’s leadership was concerned. The employee, whom we’ll call John, had a history of being aggressive towards his supervisors.</p><p>Thankfully, the actual termination went smoothly and without incident, but that’s where the company’s good fortune ended. During the days that followed John’s termination, several employees received notes from him on social media instructing them to “consider not going to work” on a specified day.</p><p>As a precautionary measure, the company contracted for additional physical security at its main office building. However, when it became aware of the social media threats, the company reached out to the author’s international protection, investigations, and consulting firm for advice on how to handle this new challenge.</p><p>The firm immediately began conducting physical surveillance, following John’s movements. It also started analyzing his social media accounts and noticed that he had made several posts about the company’s vice president of human resources. </p><p>Upon further observation, the firm discovered that John had recently driven to an intersection about one mile from the company’s building. This location was also on the route that the vice president took to get to work every day.</p><p>Using the intelligence gathered from social media and physical surveillance, the firm observed John’s behavior in real time and contacted law enforcement to prevent him from causing any harm to the vice president or to the company’s facility.</p><p>Not all workplace violence threats are so successfully mitigated. An average of 551 workers were killed each year between 2006 and 2010 as a result of work-related homicides, according to the most recent numbers from the U.S. Bureau of Labor Statistics (BLS). And as many as 2 million workers report having experienced workplace violence each year, according to the Census of Fatal Occupational Injuries.</p><p>Most alarmingly, shootings accounted for 78 percent of all workplace homicides—83 percent of which occurred within the private sector. </p><p>Unfortunately, the traditional corporate climate is reactive because most companies only respond after there’s been a highly publicized workplace violence incident. Furthermore, many do not enact changes at all once the dust settles and the incident is no longer in the media. </p><p>With concern growing over workplace violence from all sectors, there is a demand for protective intelligence, which can avert a crisis instead of reacting after it occurs. To put it simply, you cannot mitigate a risk that you have not anticipated.​</p><h4>Intelligence</h4><p>The primary objective of protective intelligence is to collect information to help determine if an individual demonstrates the intent and capability to formulate and execute a violent plan of action.</p><p>To determine this, most use the intelligence cycle—an important process for investigators or anyone who collects information for assessment or analysis. </p><p>Originally implemented by the U.S. Military Intelligence Division during World War I, this process is leveraged by many government entities and for a wide spectrum of tasks, such as by organizations like the Federation of American Scientists. This process is most notably used in the investigative processes within the FBI and within the U.S. Secret Service, namely the National Threat Assessment Center. </p><p>The FBI defines the intelligence cycle as “the process of developing unrefined data into polished intelligence for the use of policymakers.” Protective intelligence investigations differ from other kinds of investigations because the goal is to prevent violence or a loss, not simply secure the requested facts. </p><p>An individual, group, or organization must collect information that will develop the critical intelligence required to take preventative actions. The U.S. Secret Service defines this process as “gathering and assessing information about persons who may have the interest, motive, intention, and capability of mounting attacks against public officials and figures.”</p><p>The intelligence cycle has six steps. These steps are: identify requirements, plan and provide direction for intelligence that is to come, collect and gather information, process and exploit collected information, analyze and convert that information to produce raw intelligence, and disseminate intelligence to those who will use it for tactical, operational, and strategic decision making.</p><p><b>Identify requirements. </b>The first step is to identify the requirements the information is designed to satisfy. This step will help filter data into the most critical pieces of information and organize them by relevance.</p><p>For workplace violence investigations, investigators should focus on information that will help answer the fundamental question: Does this subject present a threat to protected individuals, groups, or organizations?</p><p>Some companies do designate internal employees as threat response personnel. Protective intelligence investigations are performed most effectively by those who have experience and training doing them and who are also unbiased, such as a third-party consultant. </p><p>Plan and provide direction.<b></b> The second step in the cycle is to create a plan and provide direction for the intelligence that is to come. </p><p><b>Collect and gather information. </b>Gathering of information is the third step and includes researching online databases, performing physical surveillance, and conducting interviews. </p><p><b>Process and exploit. </b>After col­lecting relevant information, the fourth step of the intelligence cycle is to process and exploit that information. This means filtering the data into useable bits for the decision-making processes defined by the requirements in the first step; the bits can be referred to as the dots. </p><p>For example, when conducting an investigation of a subject who may be on the path to violence, social media or other tools may reveal his whereabouts during certain times that may be indicative of a hostile planning process. Critical decision points for likely pathways the subject would take to commit an act of violence could be established, and their correlation with the information that has been revealed would create the dots. </p><p>This can be a time-consuming burden, especially for investigators using social open-source intelligence (SOSINT). To be effective at this task, investigators should combine resources by directly researching on social media sites and by using search engines to do the task. With this methodology, investigators can start to connect the dots, enabling analytical confidence—particularly when dealing with the concern of targeted violence.</p><p><b>Analyze and convert. </b>The fifth step of the process is to analyze and convert these bits of data to produce raw intelligence.</p><p>In the event that a subject’s behavior reveals the impending manifestation of a perceived threat, these connected dots are used to make decisions that will effectively impede the process.</p><p><b>Disseminate. </b>The final step of the cycle is disseminating the intelligence to those who will use it for tactical, operational, or strategic decision making. ​</p><h4>Sources </h4><p>Although most would believe that intelligence is gathered from secret or covert sources, the largest collection of information available to investigators is open-source intelligence (OSINT), or intelligence collected from publicly available resources.</p><p>Within the intelligence community, the term “open” refers to overt, publicly available sources drawn from public resources, such as the Internet, media coverage, photos, and geospatial information. However, it’s important to keep in mind that there is no authority ensuring the accuracy of any information available through OSINT. Because of this, employers who use this collection method have a responsibility to verify—or at least corroborate—its validity. </p><p>SOSINT, the collective term for information from sources such as Facebook, Twitter, blogs, and microblogging sites, is becoming more important within the intelligence community. SOSINT is a content-rich gold mine and a valuable investigative tool when seeking corroborative information about individuals or groups, such as behavioral changes, interests, emulations, gang activity, and general life circumstances.</p><p>Social media is particularly useful to investigators for several reasons. The first is the immediacy in which content is not only created, but disseminated. The Facebook news feed is the epitome of a media outlet for such content because there is no delay in publication and almost no restriction in its ability to spread virally. Social media provides a variety of ways for potential subjects to distribute thoughts or request tactical assistance, along with numerous ways for investigators to gather that information.</p><p>In 2014, LexisNexis published a survey, Social Media Use in Law Enforcement, of federal, state, and local law enforcement professionals in the United States who are users of social media on the job. The survey details how social media can enhance the assessment and threat management process. </p><p>The survey found that “respondents indicated several real-world examples in which they prevented or thwarted pending crime, including stopping an active shooter, mitigating threats toward school students, executing outstanding arrest warrants, and actively tracking gang behavior.” </p><p>For the private investigator seeking information on the behavioral circumstances of a subject, something as quick and easy as analyzing a subject’s status updates, check-ins, and posted photos may provide the information necessary to conclude if a legitimate threat exists.​</p><h4>Surveillance </h4><p>Physical surveillance is one of the oldest and most common practices within investigative services, yet it remains the best option in cases when real-time information is required. To do this, employers must hire a licensed professional who can conduct surveillance legally.</p><p>Surveillance in the investigative field is used mostly as a tool for developing factual evidence to prove or disprove circumstance. However, surveillance can also provide information that is critical to the decision-making pro­cess for a much broader spectrum of investigations than most private detectives recognize.</p><p>In conducting protective intelligence investigations, surveillance is a viable option to gather the necessary information on a subject because not all attackers make direct threats. This increases the difficulty of validating or legitimizing the threat through other sources. </p><p>Using information from OSINT may reveal the threat, such as general ideas and interests, but it is typically not specific. Surveillance can be used to confirm a suspected threat or to find out more details.</p><p>Furthermore, the analytical confidence from deriving conclusions based on direct observations versus assessing the quality and quantity of third-party information is an important factor. This provides the investigator and analyst a more profound confidence in the facts at hand. </p><p>In one such instance, upon investigating a subject who was facing possible termination following a history of unsatisfactory performance and increasingly aggressive behavior, the author’s firm noted a hunting license in the subject’s background investigation. </p><p>Taken in isolation, this is not a threatening piece of information. However, during the day of a contentious announcement of the firing from the company’s CEO, it was decided by the author’s firm—hired to provide executive protection for the company—to restrict access to the facility.</p><p>Local law enforcement helped bar the subject from the property. The former employee had a hunting rifle in his vehicle even though no hunting seasons were in effect. There was no violence that day, but the potential mitigation was worth the effort.</p><p>Once the subject is identified and background information has been collected, the main factors investigators should concentrate on during surveillance are the current living characteristics of the subject and context of the subject’s daily routine. </p><p>Surveillance should focus on factors in the subject’s life and environment that might increase the probability of an outburst or attack, such as living arrangements; actions and behavior; and daily activities and social interactions, particularly compared to possible known historical circumstances and behavior of the subject. This focus on routine can provide valuable information that can help assess the subject’s stability.</p><p>For example, if the subject does not currently have the means to satisfy the basic needs of food, clothing, shelter, or social interaction, then he or she may be in desperate crisis with no option left but to act out. </p><p>Additionally, researching, planning, and coordinating the attack are critical to the attacker’s success. The steps required in developing a plan will reveal the person’s intentions, actions, and acquaintances. </p><p>For instance, this can be seen in the events that led up to the kidnapping of Sidney Reso, former president of Exxon Co. Reso was kidnapped by Irene Seale and her husband Arthur Seale from the end of Reso’s driveway in suburban New Jersey on April 29, 1992. Reso was shot in the arm during the kidnapping, and died a few days later. However, the Seales claimed that he was alive and demanded $18.5 million in ransom before finally being discovered and apprehended.</p><p>Prior to kidnapping Reso, the Seales watched his home from a van parked down the street for almost a month. These preparations were highly visible and could have been easily identified. The Seales could have potentially been intercepted with a counter surveillance effort as part of an executive protection program.</p><p>For violent attackers, the chances of success and escape are the predominant factors in determining the location to attack. Therefore, research and planning efforts on site selection and even tactical decisions pertaining to that site are particularly revealing during physical surveillance. The subject’s behavior and rituals during this process are also extremely revealing because the attacker’s intention may not include any escape plans at all, potentially indicating the worst case scenario of a suicide attack. </p><p>This type of behavior was demonstrated by Khalid al-Mihdhar and Nawaf al-Hazmi who flunked their flying lessons because they were disinterested in the landing process, administrative actions, or flying anything other than Boeing jets. The two individuals failed to obtain their pilot’s license, but ended up being two of the four “muscle men” on American Airlines Flight 77, which flew into the Pentagon on 9/11. </p><p>The potential attacker will want to gain familiarity with the location, how to get there, and—in most cases—how to escape. He or she may even take pictures of the location for reference later in the planning process, and may conduct rehearsals to discover what the security response might be during a crisis or how effective access control is. </p><p>In the investigation that followed the mass shooting in the Aurora, Colorado, movie theater, it was revealed that gunman James Holmes had purchased his ticket for that showing of The Dark Knight Rises more than a week in advance, carefully selecting the time and place for his attack. </p><p>Additionally, he had set explosive traps at his apartment, planning for them to be tripped prior to his attack to send resources to that incident instead of the movie theater. </p><p>Real-time information gathered via surveillance can lead to making preventative decisions sooner and more reliably than other methods of investigation.<span style="color:#222222;font-family:novecentosanswide-bold, sans-serif;font-size:1.1em;text-transform:uppercase;">of investigation.</span></p><p>Examples of behaviors that may indicate the coordination or planning of an attack could be visiting others who share the same ideas and interests, visiting websites linked to the company, obtaining supplies, or purchasing weapons. At this point, the investigator should avoid bias and assumption, concentrating only on facts.</p><p>For example, if a suspect who has no historical interest in firearms obtains weapons and ammunition over the course of an investigation and then proceeds to a target location, investigators conducting the surveillance may be able to involve the authorities immediately. </p><p>To be effective at surveillance, the investigators must anticipate the subject’s actions. Investigators must ask themselves where the subject would have to be and what materials would have to be obtained. To that end, investigators should develop a list of locations and activities that may be part of the subject’s target selection or planning processes. </p><p>For investigators, protectors, and those who conduct threat assessments and evaluations, protective intelligence programs are a critical aspect of proactively preventing workplace violence incidents before they occur. When it comes to reducing workplace violence as a whole, we all share the responsibility of identifying, assessing, and intervening as early as possible.  </p><p>--<br></p><p><i><b>Joseph M. LaSorsa, CPP</b>, is senior partner at LaSorsa & Associates, an international protection, investigations, and consulting firm. He manages and conducts protective operations training courses and specializes in executive and bodyguard services; risk management consultations and seminars; workplace violence prevention seminars and intervention services; security consultations and seminars; private investigations; and technical surveillance countermeasures. ​</i></p> PasswordsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Treat your passwords like your underwear: make them exotic, keep them to yourself, and change them from time to time. That’s the memorable approach that Cisco Chief Privacy Officer Michelle Dennedy takes to creating strong passwords. </p><p>But sadly, most people do not put that much effort into crafting passwords for their online accounts, and this can have dire consequences for corporations. In 2015, 63 percent of confirmed data breaches involved leveraging weak, default, or stolen passwords, according to the 2016 Verizon Data Breach Incident Report. </p><p>“The capture and/or reuse of credentials is used in numerous incident classification patterns,” the report explained. “It is used in highly targeted attacks, as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike.”</p><p>The use of stolen, weak, or default credentials in breaches is not a new trend. In 2015, attackers who used stolen credentials in breaches predominantly used them to steal more credentials (1,095 instances), export data using malware (1,031 instances), and to conduct phish­ing (847 instances), among other threat actions, according to the Ver­izon report.</p><p>“We are realists here, we know that implementation of multi-factor authentication is not easy,” the report said. “We know that a standard username and password combo may very well be enough to protect your fantasy football league. We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea.”</p><p>But just what should those stronger authentication mechanisms be? What approach should you take to make your passwords stronger in 2017?</p><p>Make them exotic. Creating an exotic password can mean something different, depending on who you’re talking to. For Dennedy, having an exotic password means creating a password with different characters that’s not a dictionary word. For instance, pick a favorite book and use the first letters of the first paragraphs of various chapters in that book to create a password. </p><p>“And have some special characters thrown in there,” Dennedy explains. “That’s a great formula, and you don’t have to remember anything more than the book.”</p><p>Or, exotic passwords can be developed from a pattern that is special to a various website. “So having something that reminds you of your shopping list site and then adding on your special paragraph pattern,” Dennedy says. “These are tricks that can make your password exotic enough that it’s not guessable, and yet memorable enough that you actually get use out of it, rather than having to change your password every time because you’ve forgotten it.”</p><p>Another option is to go for length, says Lance Cottrell, chief scientist for Ntrepid’s Passages. “It used to be that if you had an eight-character password, that would be enough, they are not going to be able to guess your password,” he explains. “But realistically these days, that’s not true. They are able to get through much longer passwords, particularly if you’re not using the full breadth of characters available to you.”</p><p>Instead, users should aim for at least 20 characters and use upper case and lower case letters, numbers, and emojis—if that’s an option. </p><p>“You just can’t beat length; the longer your password is, the better off you are,” Cottrell says, adding that 20 characters is long enough because it’s well outside the realm of brute force attack ability, while remaining manageable to type when you need to type it.</p><p>However, Cottrell says he doesn’t type his passwords very often anymore, something he sees as key to creating strong passwords.“People are still in this mindset of ‘I’m going to make up this password and remember and then type them in from memory,’” he explains. “My general rule of thumb is a password that you can remember is probably too simple.”</p><p>That’s because “memory-based” solutions violate what Cottrell thinks of as the prime directive of password security: never reuse passwords.</p><p>“There should never be two websites with the same password from you,” he says. “Because it’s easy to guess your username; it’s probably your name or more often your email address. So if I steal your password on one website, I’m going to try that email address and password on every other website I know of. I’m going to hack it off of some website you don’t care about, and then try it on your bank and every bank out there just to see whether it will work.”</p><p>Instead of using a memory-based solution for his passwords, Cottrell uses a password management application to keep track of the passwords for his hundreds of online accounts created over the years. This application then syncs with his devices, such as his iPhone and iMac, so he doesn’t have to remember them.</p><p>“If there’s one practice that I could say, ‘Go do this thing and it will make your security better,’ it’s to start using a password manager application,” he says, adding that he uses the application 1Password to keep track of his.</p><p>Like most password management applications, 1Password allows you to create a login and then save all of your passwords for your online accounts to the site. It then encrypts your data, securing it from potential hackers who might try to gain access to the site to steal your credentials.</p><p>“I have one really good password for that vault,” Cottrell says. “I have one really big, long passphrase that I have memorized that unlocks that, and then that gives me access to everything else.”</p><p>While you can add passwords you’ve created to the password management application, you can also choose to have it automatically generate a password to your specifications—such as 20 characters in length—to give you completely random passwords for all of your online accounts.</p><p>One downside of password management applications, however, is that they can be inconvenient to use, which is one reason Dennedy adopted the practice and then gave it up. “I’ve tried them and I’ve made the super password easy enough that I’m not inconvenienced, and that makes me nervous,” she says, adding that she’s had trouble finding a solution that scales across all the places she needs to be, especially when traveling.</p><p>“My job is weird; no two days are the same and I’m doing planes, trains, and automobiles, so if my login fails, that’s a real pain,” Dennedy explains. </p><p>Keep them to yourself. Many users have been there before. They have access to a corporate account, such as a Twitter account, and another employee needs access to it. So, they email the other employee the credential. While that might be an efficient way to share access, it is not a secure one and should be avoided if at all possible, Cottrell says.</p><p>Instead, if you’re sharing an account, make sure the password is strong—exotic, long, and possibly generated by a password management application. Also, make sure that you’re not sharing it through email.</p><p>“Even sending it through a text message is better than sending an email,” Cottrell says. “Send it in a path that avoids email and using the computer…as that makes it much more difficult for an attacker to make use of it. An actual physical note with the password on it, that’s shredded later, is going to be even better.”</p><p>Also, when it comes to passwords, make sure you’re not giving information away on social media sites that could be used to compromise your password hint questions, which are often a fixed set of questions with information that’s easily discoverable.</p><p>“Don’t put as your security question the name of your real dog,” Dennedy says. “It’s okay to lie there.”</p><p>Instead, make up an answer such as using the name of a dog that you don’t own to answer your security question. And to keep track of these answers, you can set up a list in most password management applications to store them. This way, you don’t have to remember what your lie on your security question was, Cottrell says.</p><p>“So if the security question says ‘Where did you go to high school?’ Put in something like Richard Nixon High School or a Lord of the Rings reference,” he adds. “Anything you want can go in those slots, and then just add them to the notes section of your password management app.”</p><p>Change them. When it comes to changing your password, how often is too often? And does changing your password regularly make it less secure?</p><p>The answer is complex. U.S. Federal Trade Commission (FTC) Chief Technologist Lorrie Cranor made headlines in 2016 when she suggested that companies rethink mandatory password changes for employees.</p><p>“There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily,” Cranor wrote in a blog post. “Unless there is a reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good.”</p><p>This is why all organizations should consider their risk profile and the security benefits and drawbacks of having employees frequently change their passwords, Cranor added in her post. </p><p>“Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely,” she explained. “Encouraging users to make the effort to create a strong password that they will be able to use for a long time may be a better approach for many organizations, especially combined with slow hash functions, well-chosen salt, limiting login attempts, and password length and complexity requirements.”</p><p>A cryptographic hash takes a message (your password) and computes it into an alphanumeric string, called the hash value, for password storage; this stores the alphanumeric string, instead of the original version of your password—making it more difficult for the password to be stolen. </p><p>Slow hashes are designed to be inefficient, making it harder to crack a password once it’s been exposed. Organizations can also use salt, random characters in the hash, to defend against dictionary attacks.  </p><p>Cranor makes a valid argument, Dennedy says, but only if you don’t follow all of Dennedy’s prescriptions—exotic, secret, and changed often.</p><p>“So if you’re changing passwords often ... between ‘1234567’ and ‘ABCDEFG,’ you’re still going to have an incredibly weak system,” she explains. People who change passwords frequently have trouble remembering them, so they do a lot of password recycling.”</p><p>And from a corporate security standpoint, having employees regularly change passwords is a good idea because it shrinks the window of opportunity for hackers to use stolen credentials to access corporate networks.</p><p>“It’s a real plus in reminding people what’s important [data] and it’s also helpful in that brute force attacks are quite brutal these days with computer power as strong as it is today, so even if you have a semi-exotic password and it’s static over a period of time, it’s that much easier to put the combination together,” Dennedy says. (The FTC did not return requests for comment on this article.)</p><p>But while developing good password habits can help increase security, it’s not a silver-bullet solution.</p><p>“If someone can hack the computer itself, they can probably get access to all of the passwords,” Cottrell says. “So no matter how good your password hygiene is, it’s no better than the security of the device you’re typing it into.” ​</p> Museum of the World and for the WorldGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​On a rainy early spring morning, a group of security professionals made their way along Great Russell Street in fashionable, bustling Bloomsbury, London. They passed vehicle-distancing bollards, entered through the gate of a black iron fence, and crossed a large courtyard to reach a neoclassical building that dates from the Georgian period. </p><p>After a security inspection, the visiting professionals traversed the Queen Elizabeth II Great Court with its soaring, tessellated blue glass roof. Once the open-air courtyard outside the Victorian reading room of the British Library, in 2000, the area was refashioned into an epic enclosure worthy of the treasure in the surrounding galleries.</p><p>“The British Museum is of the world, for the world,” David Bilson, CPP, head of security and visitor services, told the security professionals later, when they were congregated for a special program in the BP Lecture Theatre of the Clore Center for Education. It was the day before the opening of the ASIS International 15th European Security Conference and Exhibition, and Bilson was the host and first presenter.</p><p>“People sometimes think that the museum is about the history of Britain, but it’s not,” he explains. “It’s about the history of mankind.”</p><p>Just a few of humanity’s priceless objects that the British Museum cares for are the Rosetta Stone—a rock stele with the same inscription in three languages that helped crack the puzzle of Egyptian hieroglyphs; the Sutton Hoo Anglo-Saxon burial treasure; the classical Greek Parthenon sculptures; colossal granite heads from the Ramesseum temple in Thebes, Upper Egypt; the 12th-century Lewis chessmen; an Easter Island gigantic figure (Hoa Hakananai’a); and a pair of Assyrian human-headed, winged bulls from Khorsabad, Iraq, which date to about 710 BC. (In February 2015, ISIS extremists destroyed a similar pair from the ancient city of Ninevah.)</p><p>At the British Museum, said Bilson, “We present items that date from 2 million years ago to the present day, in a collection that we are still continuing to build.”</p><p>The 18th century physician and hot-chocolate entrepreneur Dr. Hans Sloane laid the foundation for the collection. When Sloane died in 1753, he left everything to King George II. A public lottery raised funds for the original building. </p><p>“We welcomed our first visitors here in 1759, so it is our 257th birthday,” Bilson added. Since then, the collection has grown to more than 8 million items.</p><p>“We are one of the nation’s treasure houses,” Bilson told his audience. “We now welcome 6.8 million visitors per year, which makes us the U.K.’s leading visitor attraction—and I say that not to be glib, but because it brings us major security and public safety issues. We are one of London’s ‘crowded spaces,’ so therefore we have security risks.”</p><p>Art thieves are also a threat. For example, Chinese art has skyrocketed in price at auction, allowing thieves to easily sell stolen items on the black market.  In 2012, the Metropolitan Police New Scotland Yard intercepted a gang that planned to target objects in one of the museum’s public galleries. Working with law enforcement agencies is a key aspect of security operations at the museum.</p><p>In addition, Bilson said the museum “is a place that transforms at night. If you stand in the front hall of the museum at 5 to 6 o’clock, you’ll see all my security colleagues escorting visitors out and thanking them for coming. At 6 o’clock, all the contractors come in, and by five minutes till 7 p.m., the whole place may be transformed with tables for dinners or corporate events…which is another demand on the security services that we have here.” </p><p>Later that evening, the visiting security professionals would witness just such a transformation when the museum’s Egyptian Sculpture Gallery hosted an ASIS reception. The varied aspects of the museum’s security program were present and working, but even to the security practitioner guests, they were imperceptible.</p><p>Later, Bilson sat down with Security Management to discuss the security program at the museum and its myriad of security concerns.</p><p>The security context has changed tremendously for all museums, Bilson says, naming as examples the May 2014 attack on the Jewish Museum in Brussels, Belgium, the foiled 2014 attack on the Louvre in Paris, and the March 2015 attack on the Bardo National Museum in Tunis, Tunisia.</p><p>During the last four years, the British Museum has invested in various aspects of its security infrastructure. One part of that investment was completed in early April 2016 when security “switched to our new digital radio system with much better coverage across our locations,” Bilson says.</p><p>Also in place now are vehicle defenses. “I hope as you came through the front gate this morning, you admired our vehicle-standoff bollards, which are a substantial upgrade in our protective resilience,” he adds.</p><p>In 2013, the museum became a construction zone with the creation of the World Conservation and Exhibition Centre on the estate’s northwest corner. It comprises scientific laboratories, office facilities, and a major new public exhibition hall, “which gives us a bigger, more flexible space than we have ever had, and below ground, we have a secure collections storage area,” he says.</p><p>Security was involved in the design for the new facility, Bilson notes. “In fact, we upgraded security substantially because of the nature of that building. So that has become our benchmark for security across the rest of the estate. It integrates all the modern technology of cameras, alarms, access control, and now the new radio system.”</p><p>Guard force. Since the Great Court was built 16 years ago, the number of annual visitors to the museum has jumped by nearly 3 million. </p><p>“We are delighted to welcome more visitors but this of course impacts our operations; we want to ensure visitors have an enjoyable and safe visit,” Bilson says. </p><p>Guidance on the management of events in the United Kingdom has changed, too. This has led to an ongoing modernization of the guard force, which comprises 300 full-time, proprietary officers.</p><p>“We are looking to take up the best of that advice, as well as lifting the security standards for all of our officers here, to a high level of professionalism,” he adds. “They are all great people, and we want to lift them up still further into new ways of working.”</p><p>“In the U.K., there are two categories of security officers: you can either be proprietary if you are working in your organization on your site, but if you provide a security service…it has to be licensed,” he explains. “At the moment we are also using licensed support while we go through our improvements.”</p><p>There is a security central command center in the museum that is staffed around the clock. </p><p>“Not only are they doing a security watch, they are watching building systems and the condition of the building overnight, as well as the primary security function of protecting the collection,” Bilson points out.</p><p>Bag checks. While terrorism is a key threat to the museum, “The biggest challenge affecting us at the moment is the searching and screening of visitors,” Bilson says. “I’m not prec­ious about it. We’re working hard to improve upon it, but it is a challenge on a day when 20,000 visitors come through who are not timed in their entry, so we get these peaks in demand. More than 50 percent have some sort of bag with them.”</p><p>Visitor bag searching has been stepped up at the museum, resulting in an increase in the discovery of weapons.</p><p>“The majority of our visitors are of course law-abiding and are here to enjoy the collection,” Bilson says. “But I have been surprised that a minority have brought in inappropriate items that could pose a risk.”</p><p>To ensure that the museum can secure its premises from weapons brought in bags through the entrances, new visitor search facilities were recently installed outside the building.</p><p>The museum’s executive leadership supports decisions such as these. “We have great support here. The trustees, the board that oversees museum operations, are in favor of more security, doing more, but keeping a balance,” Bilson explains. “We want the visitors to know they are coming into a secure space, but to know that they are coming into a welcoming experience as well.”</p><p><b>Perimeter security. </b>Bilson says that perimeter security depends upon the state of the museum at various times of day. </p><p>For example, he explains that when the museum is on lockdown overnight, “we have clear definition of boundaries by way of walls and railings. They are guarded and protected by technology 24 hours per day. We use a range of technology measures, whether it is intrusion detection or surveillance or physical locks and access control.”</p><p>When the museum opens, the perimeter becomes porous, but with public boundaries, he says. “There are layers of defense within the site.” When the visitors leave, the perimeter hardens again.</p><p>“In explaining this to staff, I tell them we act in the same way as an airport—the secure air side and the public side,” he says. “So the status of areas within the museum changes, but broadly the back of house areas stay secure 24/7.”</p><p>Coordination between security and museum staff is “hugely important—that whole preplanning and coordination piece,” Bilson states. “We work very hard with facilities management and with events planning to think through levels of detail.”</p><p><b>Collection protection. </b>Museum security protects its collection in much the same way that businesses protect their own assets. “Security technology helps, but we need people to intervene in situations as well,” Bilson says.</p><p>Like all large museums, temporary major exhibitions are staged at the museum, such as Life and Death: Pompeii and Herculaneum, which ran throughout most of 2013 attracting 400,000 visitors, and the newest, Sunken Cities: Egypt’s Lost Worlds, which closed in November and broke attendance records, according to Bilson.</p><p>The arrival and departure of special exhibitions is ongoing and security plays a large role. Before items are loaned to the museum, “we have to give an account to the lenders of how good our [security and environmental] processes are here,” Bilson says.</p><p>The museum also lends artifacts and even major collections to museums around the globe. </p><p>“We apply all of our own security standards to the venue that the exhibition is going to,” Bilson explains. “Sometimes that is a learning experience for the people borrowing from us, and we try to help them get their security to such a standard that long-term they have a more resilient venue for themselves and can borrow more collections from around the globe.”</p><p><b>Travel.</b> “The museum is constantly changing, always taking on new ideas and new things to do,” Bilson notes. “It is a busy organization that is studying and researching and constantly evolving.”</p><p>Bilson says that the museum’s policies and procedures for staff working in other nations weren’t anywhere near as robust as they should have been. </p><p>An incident involving museum staff in another country caused the museum to rethink. “We asked ourselves, ‘Where are our people today? Do we know what countries they are in? Are they insured? Have we thought about their security and what measures have been taken?’” he explains.</p><p>Bilson discovered that there were free services tied to the museum’s insurance and travel services that had not been previously used, including “risk reports, country reports, access to services that we thought we might need one day…. Now we build emergency plans in case we need to bring teams home from overseas,” he says. “We put in place a good personal emergency plan for everybody, good support from London from the home department, and pre-travel risk assessments, advising staff before they go.”</p><p><b>Partnerships. </b>The museum actively partners with police, “whether at the operational level or counterterrorism level, intelligence services, or security design advisors,” Bilson says. “We have strong links with specialists around art and antiques thefts and crime. We have a national museum security group, and most recently, we have established a European roundtable of CSOs so that we can link with our colleagues. After the terrorist events in Paris and Brussels, we supported our friends in that group, exchanging advice, and helping them with things that could be done in their museums.”</p><p>Security also works with the policing teams in the area around the museum estate. The museum interacts with its neighbors about emergency planning and special events that could affect them, such as when Night at the Mus­eum was filmed on site or movies are shown outside on the lawn on sum­mer evenings.</p><p>Bilson says that as a security case study, the British Museum is different because it houses a world collection that must be protected alongside large numbers of visitors and staff and a 200-year old heritage building.  </p><p>While the museum doesn’t discuss security systems in detail, visitors—he insists—want to know that security is in place. </p><p>“Peaceful, law-abiding visitors to the museum are looking for that kind of protection,” Bilson says. “When we check their bags, we get thanked for doing so and know that it gives them reassurance.”   ​</p>,-Employment,-and-the-Law.aspxBrexit, Employment, and the LawGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The European Union has historically been a driver for the advancement of nondiscrimination and equality employment legislation. The United Kingdom’s first-ever statutory prohibitions of discrimination based on sexual orientation, religion, and age were established in 2000 to comply with the EU Employment Equality Directive. But now that Britain doesn’t technically need to comply with EU employment requirements, what will happen to the current employment legislation?</p><p>Human resources directors don’t have reason to panic quite yet. The United Kingdom has just started the withdrawal process, and it has two years to negotiate the terms of the exit. During that time, the United Kingdom will still be a part of the European Union’s free trade agreement and be bound by all existing laws. Once the separation is complete, EU-driven employment legislation will remain in effect because the majority of it was passed domestically. It will be up to parliament to determine whether to repeal or change current employment legislation. However, if Britain does want to continue with the free trade agreement, the European Union may require that the United Kingdom comply with its employment law. </p><p>Attorneys with law firm Jones Day note that laws more likely to be repealed or amended after Britain’s exit include overly bu­­­reaucratic legislation—EU-enforced agency worker regulations and the required European Works Council, which won’t be relevant once the United Kingdom leaves the European Union. Other controversial legislation includes whether vacation leave is accrued while employees are sick, as well as how vacation pay is calculated. </p><p>However, U.K. employers may be facing more complaints of discrimination and workplace harassment soon. Britain currently abides by the European Union’s free trade and travel agreement, which allows EU nationals to freely live and work in any member country. But U.K. employers know that these rights are unlikely to extend af­ter the withdrawal is complete, bringing up a hiring concern: why hire EU nationals if they may not be able to work in the United Kingdom in two years? </p><p>U.K. employers can refuse employment to anyone who does not have the right to work in the country, but refusing to hire someone because they may not be able to work in the United Kingdom in the future is almost certainly unlawful, according to CIPD, a U.K.-based HR professional body. Most employers know that this type of blanket hiring policy is likely to bring them trouble, CIPD’s website notes, and instead a more likely approach will be to require a potential employee to prove that he or she has indefinite rights to remain and work in the United Kingdom. However, this is grounds for an indirect discrimination lawsuit. </p><p>Instead, CIPD recommends that employers make employment contracts conditional on maintaining the right to work in the United Kingdom. This conditional agreement should be included in all employment contracts to avoid potential discrimination issues. “Although this will not solve the problem of employees’ immigration status changing due to Brexit, it will help with terminating the employee’s employment if that proves necessary,” CIPD notes.</p><p>A more intractable problem facing U.K. employers is discrimination against Muslim women, according to a new report. While 69 percent of all working-age wo­men are employed, just 35 percent of Muslim women have jobs, according to Employment Opportunities for Muslims in the UK, a report issued by the parliamentary Women and Equalities Committee in August. </p><p>Muslim women face a “triple penalty” when trying to find jobs: their race, their gender, and their religion, the report notes. A National Centre for Social Research for the Department for Work and Pensions study last year revealed that a job applicant who appeared on paper to be white would receive a call back after applying to nine jobs, while minority candidates with the same qualifications had to send 16 applications before receiving a response. To address the issue, former Prime Minister David Cameron passed legislation requiring that the government use name-blind recruitment for all positions below a senior level. Several large private sector recruiters adopted the practice as well, but the practice needs to be countrywide, the report recommends.</p><p>“To be fully effective this should form part of a sustained initiative which pro­files those employers which have successfully implemented the policy in order to incentivize others to follow suit,” the report notes “The government should monitor uptake and legislate if progress is not made within this parliament.”</p><p>Forty-one percent of Muslim women are unemployed and not seeking work, compared with 21.8 percent of the total population. However, this statistic should not discount the struggles Muslim women face when trying to find employment, says Maria Miller, the chairwoman of the committee that produced the report.</p><p>“The impact of Islamophobia on Muslim women should not be underestimated,” the report explains. “They are 71 percent more likely than white Christian women to be unemployed, even when they have the same educational level and language skills.” </p><p>The report lists a number of recommendations to help even out the path to employment, including more specific antidiscrimination legislation, professional mentoring programs within Muslim communities, and more generalized language and skills education. However, Miller notes that an unexpected find in the study was that the United Kingdom’s countering violent extremism (CVE) programs seemed to be contributing to discrimination against Muslim women.</p><p>Prevent, Britain’s original antiradi­cal­i­zation program, was implemented af­ter 9/11. In 2015, new legislation was passed that requires public sector workers to report signs of extremism. The program has been decried by Muslim and civil rights groups for discriminating against religious minorities in Britain. It is widely known that Muslims are suspicious of the program, especially after a number of high-profile incidents in which children were interrogated by officials for alleged extremist views. Furthering concerns of discrimination is a National Police Chiefs Council report, which found that last year, at least 90 percent of reports of alleged extremist behavior were made by non-Muslims. </p><p>“The government is making attempts to deal with the problems that Muslim people face in getting work, but our analysis would be that their attempts are being undermined by this clear link that Muslim people are making between government policy on employment and government policy on counterextremism,” Miller told The Guardian.   ​</p> Internet ControlGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Last June, the United Nations Human Rights Council determined that Internet access is a basic human right. However, many countries and organizations continue to limit access to the Internet. Last August, Russia briefly turned off Internet access in Crimea for unclear reasons. Ghana switched off its Internet during the country’s November elections. Bangladesh has been testing Internet lockdowns since August. And countless countries block selected social media platforms, news websites, and other content, often under the auspices of national security.</p><p class="p1">It may be unsurprising that oppressive regimes are throttling Internet access. But national security leaders in many nations around the world are working with social media platforms to restrict content that encourages violent extremism, which privacy advocates say is no different from the Internet censorship taking place in North Africa and the Middle East.</p><p class="p1">ISIS and other extremist groups are using social media platforms excessively—and effectively—to recruit members, raise money, and spread their ideologies. In May, digital platforms, including Face­book, Twitter, YouTube, and Microsoft, signed a Euro­pean Com­mission Code of Conduct agreeing to remove “illegal, online hate speech” from their sites. Since then, Twitter has stepped up its monitoring of users’ content, deleting hundreds of thousands of accounts linked to radical extremism. Facebook will remove any content celebrating terrorism. And Google redirects people searching for information about ISIS to anti-extremism websites. </p><p class="p1">However, privacy advocates note that there is no standing definition of illegal online hate speech, and that there is no way that censorship by social media platforms can be objective. Indeed, Facebook is working with Israeli officials to remove pro-Palestinian posts that incite violence against Israel. In September, Israeli officials noted that Facebook, Google, and YouTube are complying with 95 percent of the government’s requests to delete content. </p><p class="p1">“What is extremist speech? The state doesn’t know,” says Shahid Buttar, director of grassroots advocacy at the Electronic Frontier Foundation, a nonprofit civil liberties defense organization. “And when it’s tried to define it, online or offline, it has always swept up constitutionally protected speech. It’s well documented that people silence themselves when they know they’re being watched.”</p><p class="p1">Buttar points to the recent removal of the famous Napalm Girl photo—depicting the aftermath of a napalm attack on a village during the Vietnam War—from Facebook, which does not permit its users to post content containing nudity. After worldwide backlash, Facebook reinstated the photo on its site. Buttar says sites like Facebook use algorithms to flag content that violates their terms of use, and that the context of the content—in this case, a series of iconic war images—is lost. “There’s a content-based discrimination implicit in the algorithmic approach that is obscured in the security conversation,” he notes.</p><p class="p1">Mark Wallace, the CEO of the Counter Extremism Project (CEP), helped develop one of those algorithms. Wallace explains that the nonprofit CEP “fills the gaps” when it comes to fighting extremists on a theater that has moved from sea, land, and air to online. Wallace worked with Hany Farid, who previously developed an algorithm to identify child pornography online, to find a way to report violent extremist images. The technology uses hashing, which identifies the unique digital signature of audio, video, or images and scans a database for matches—in this case, of violent beheading videos and other powerful extremist recruiting tools. The algorithm will automatically report the content to the host platform, which will ostensibly remove it.</p><p class="p1">“We have collected systematically thousands of video, audio, and photographic items that we think are extremist content,” Wallace tells Security Management. “We can take that database, and it immediately identifies that content wherever it resides on those platforms, including at the Internet Service Provider (ISP) level. The Internet has been a very welcoming place to the cyber jihadi. We hope our algorithm will be the mechanism to make the Internet and social media companies no longer a welcoming place for them.”</p><p class="p1">Wallace notes that researchers are responsible for initially identifying extremist content, but the same content tends to emerge repeatedly. He points to the messages of Anwar al-Awlaki, an al Qaeda recruiter and U.S. citizen who was killed in 2011 by a CIA drone strike. </p><p class="p1">“If you look at the domestic terror prosecutions here in the United States, a majority of those tried were radicalized by al-Awlaki’s videos from the grave,” Wallace says. “That’s content we know, and hopefully will be able to remove from social media platforms instantaneously.”</p><p class="p1">Free speech activists also identify al-Awlaki as a prime example of censorship, but for different reasons. There was a federal court proceeding at the time of al-Awlaki’s death in which his family sought due process for him, but he was killed before the courts could address the situation, experts say.</p><p class="p1">Wallace and the CEP are currently working with social media platforms and governments around the world to deploy their algorithm “in a manner that is effective and responsible,” he says.</p><p class="p1">“I think we can all agree that removing the worst of the worst content is a good starting place and should be uncontroversial,” Wallace says. “Maybe the next Jihadi John will realize that no longer is a video of a terrorist with his knife at the neck of some poor soul used as a tool to glorify a terrorist group, to propagandize, to call others to act, to fundraise, and to recruit.”</p><p class="p1">Meanwhile, the Middle East, North Africa, and Russia are still dealing with an increase in state-mandated Internet shutdowns. William Buchanan, a computing professor at Edinburgh Napier University, explains that Internet traffic goes through a countrywide firewall. In times of crisis, the country’s leaders can control the main firewall and drop service if necessary. He suggests that in the coming years, most countries will articulate plans for when and how they can take over the firewall.</p><p class="p1">“What happens in an emergency is people swamp the network with traffic, so I think many countries will have a plan to cut citizens off the network for a certain amount of time while they cope with something like a cyberattack,” Buchanan says. He says he thinks countries like Bangladesh are testing the network to see if they can take it over and make sure they have priority over the rest of the network.</p><p class="p1">Buchanan sees the use of firewall control during a major event as justified because it allows emergency and first responders to communicate in a timely manner, but he says in countries with high political tensions, blocking the Internet can be done maliciously. For example, when Bangladesh tested its network control, it blocked news outlets that reported on antigovernment organizations, he notes. And during the coup in Turkey last July, the government cut off access to YouTube, Facebook, and Twitter to quell any uprisings.</p><p class="p1">Many countries “play the terrorism card” to justify controlling the Internet or viewing private data, Buchanan says, which isn’t logical because terrorists know how to hide their tracks. “Operating systems that boot from USB sticks and leave no presence on devices, VPNs, and proxies…those are the types of tools that a terrorist or criminal will use, and invest a lot of time and energy to create.”</p><p class="p1">This kind of reasoning, as well as roundabout laws such as Saudi Arabia’s ban on all use of encrypted traffic, can be a slippery slope for privacy concerns and affects law-abiding citizens more than the troublemakers, Buchanan notes. </p><p class="p1">“The more that we use encryption panels, the less chance that law enforcement will have in actually tracing the real criminals,” Buchanan explains. “What they’ll end up doing is monitoring everyone else for the normal things, and then a data breach at an ISP could release information about the president or prime minister, and everyone else whose information was collected.”</p><p class="p1">Whether it’s a complete shutdown to Internet access or careful monitoring of potentially dangerous content, countries and companies around the world are taking advantage of the possibilities—and power—inherent in controlling what citizens see online. As criminals and extremists move their activities from land and sea to technology, governments must figure out how to counter digital warfare while simultaneously respecting and protecting citizens’ basic human right to Internet access. ​ ​</p> A (Lonely) TestGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​When Admiral Jamie Barnett took over as chief of public safety and homeland security at the U.S. Federal Communications Commission (FCC) in 2009, he learned something interesting about the Emergency Alert System (EAS). “It had never been used, and it had never been tested,” he says.</p><p class="p1">The never-been-tested part was surprising, because by that time the EAS had been around since 1997, when it replaced the Emergency Broadcast System. And the importance of having a well-functioning system seemed undeniable. “If the president were concerned that North Korean missiles were headed our way, he would have the ability, in essence, to preempt all the programming in the United States, pick up a mic, and say ‘We are under attack,’” Barnett says. </p><p class="p1">So Barnett sent a memo to the chairman of the FCC, expressing concerns about the viability of a system that had never been tested on a nationwide basis, and in fact had never even been scheduled for such a test. In turn, the FCC chairman sent the message up the chain, and it eventually reached the White House. After input from leading agencies such as the National Association of Broadcasters, the U.S. Federal Emergency Management System, and the White House Military Office, the administration decided to conduct a national EAS test on November 9, 2011.</p><p class="p1">What these officials were testing was a system that is a great-grandchild of the Cold War. Up until 1950, the government had no real method for broadcasting warnings to the nation at large. In 1951, U.S. President Harry S. Truman established an early emergency broadcast system, CONELRAD (Control of Electromagnetic Radiation), that was primarily designed to alert the public in the event of a Soviet attack during the Cold War. When new defense technology reduced the likelihood of a Russian bomber attack, CONELRAD was replaced by the Emergency Broadcast System (EBS) in 1963.</p><p class="p1">The EBS was tested on a weekly basis, with stations broadcasting a distinctive pattern of beeping sounds and a variation of the following announcement: “This is a test. For the next 60 seconds, this station will conduct a test of the Emergency Broadcast System. This is only a test.” While the system was never used for a national emergency (save for a false alarm in 1971), it was activated thousands of times for regional emergency messages such as severe weather warnings. In 1997, the EBS was expanded to include cable stations, and it became the EAS. (More recently, the government created a Wireless Emergency Alert (WEA) system to disseminate emergency alerts on mobile devices; see Security Management’s December issue for more coverage of that system.)  </p><p class="p1">In sum, the EAS sends audio signals–that distinctive pattern of beeps that the EBS testing formerly made familiar–to 77 primary entry point stations. When these primary stations hear the signals, they immediately transmit it to other stations, so that in a matter of seconds the whole country is covered. “That irritating noise that you hear–that’s actually what the stations are listening for,” Barnett says. In fact, the government prohibits anyone from replicating those irritating beeps in a movie or television program or song. “People have been fined. The FCC would contact you,” he adds.</p><p class="p1">Although the sending of audio signals may not be cutting edge in terms of technology, it is resilient. “The system is designed to work when nothing else does. If the power is cut, this system will work,” Barnett explains. Since the security technology around the system is continually updated, hacking incidents have been rare; one of the few occurred in Great Falls, Montana, in 2013, when the EAS system at a television station was hacked to broadcast a zombie apocalypse message: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living.”</p><p class="p1">The 2011 national test, which went generally well, showed there was room for improvement. An assessment found that there were issues affecting 10 to 20 percent of the national system, such as local equipment problems. </p><p class="p1">For example, some stations experienced a feedback loop in which they started to broadcast the test, but then immediately shut down. One station malfunctioned and went silent during the test, and because dead air is against FCC broadcasting rules, an operator threw on a Lady Gaga CD. “So people heard ‘There is an emergency alert’ and then [the song] Born this Way,” says Barnett, laughing.</p><p class="p1">Despite these problems, the FCC did not run another test until five years later. That test occurred last September. In a response to an inquiry from Security Management, FCC officials said that early reports indicated that the test went well.</p><p class="p1">“We have received over 24,000 initial reports from Emergency Alert System participants. The reports indicate that the vast majority of EAS participants successfully received and retransmitted the test alert,” Rear Admiral (ret.) David Simpson, chief of public safety and homeland security at the FCC, said in a statement. “After EAS participants file their more comprehensive reports, including information on any issues they encountered during the test, we will analyze the data and then work with the Federal Emergency Management Agency (FEMA) and other stakeholders to implement any needed improvements.” </p><p class="p1">However, given that such national testing is vital for maintaining a viable system, Barnett and others argue that it should be done more frequently.</p><p class="p1">“I think five years is too long,” Barnett says. “My thought originally was that it needed to become routine, so every two to three years would be about right.”</p><p class="p1">Nelson Daza, an incident communications expert with Everbridge, argues in favor of annual national testing, to ensure readiness and point out potential infrastructure problems. “FEMA reminds everyone to test local emergency plans and family emergency plans at least once per year, so why does the government not mandate an annual EAS test?” Daza asks. “If we let these systems lie dormant until we need them for an emergency, there’s a very real possibility that we may not be able to get these critical messages out.”</p><p class="p1">Daza also says he feels that some of the devices and protocols of the EAS need to be updated. He says that the hardware maintained by broadcasters is of limited functionality–it can only broadcast text information in ticker-tape style across the top or bottom of a television set. “Since the EAS system is vital to our national security and to our public safety, it should undoubtedly be a state-of-the-art system,” he explains. </p><p class="p1">But Daza does disagree with those who argue that the U.S. population’s general move away from broadcast televisions and radio, in favor of Internet-based programming and wireless communications, is making the EAS obsolete. </p><p class="p1">“WEA, television alerts, and radio alerts are just different channels for delivering a message. Tens of millions of people listen to the radio in their cars every day, and the average person in the U.S. still watches 5 hours of television every day,” he says. “With that many ears and eyes, it would be a mistake to think WEA, which distributes only mobile alerts, will replace emergency alerts broadcast via TV and radio.” ​ ​</p> TraffickingGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Terrorist groups, transnational crime organizations, and even rogue security personnel are all contributing to the growing international problem of illegal trade in wildlife, otherwise known as wildlife trafficking. And the detrimental effects of this multibillion-dollar international criminal activity, one of the costliest forms of illicit trade, are varied and alarming.</p><p class="p2">“Wildlife trafficking can contribute to instability and violence, and harm people as well as animals. According to reports, about 1,000 rangers were killed from 2004 to 2014,” says a recent study on the issue by the U.S. Government Accountability Office (GAO), Combating Wildlife Trafficking. Illegal trade in wildlife also fuels corruption, destabilizes local com­munities that depend on wildlife for ecotourism revenue, and undermines conservation efforts.<br></p><p class="p1">This illegal practice is primarily driven by demand for exotic pets, culinary delicacies, and medicines. In some cases, it has pushed endangered animal species to the brink of extinction; unlawful capture and slaughter have devastated the populations of tigers, elephants, rhinos, turtles, exotic birds, and pangolins. The latter, a prehistoric mammal covered in scales that resembles an anteater clad in armor, is one of the most trafficked animals on earth, with 100,000 pangolins killed every year. Pangolin scales are sold by the bag in Asia, where some believe they can cure cancer, acne, and a host of other maladies. </p><p class="p1">Overall, wildlife trafficking results in revenue losses of anywhere from $7 billion to $23 billion, according to estimates from the United Nations Environment Program. In 2012, the price of rhino horn reached roughly $27,000 per pound, which was twice the value of gold at the time and more valuable on the black market than diamonds and cocaine, according to the World Wildlife Fund. </p><p class="p1">Although the United States is one of the world’s largest end markets for trafficked wildlife, much of the practice relies on an Africa-Asia nexus for supply and sales. For example, illicit elephant ivory is stolen in Africa, and most often comes out of Kenya and Tanzania. It is then shipped to China, Thailand, and Vietnam, with Malaysia and Singapore acting as transshipment hubs, according to a 2014 report, Out of Africa: Mapping the Global Trade in Illicit Elephant Ivory, issued by Born Free USA and C4ADS, two nongovernmental organizations.</p><p class="p1">Of all the bad actors involved in these practices, transnational organized crime networks are driving the trade. Wildlife trafficking is an increasingly popular area of specialization for international organized crime networks, according to the United Nation’s Office on Drugs and Crime 2016 World Wildlife Crime Report. </p><p class="p1">Last July, the U.S. State Depart­ment’s Transnational Organized Crime Rewards Program identified the Xaysavang Network as an international wildlife trafficking syndicate that facilitated the kill­ing of elephants, rhinos, and other protected species. Vixay Keosavang, a Lao national, is believed to be the leader of the network, according to the U.S. State Department, which is offering a reward of up to $1 million for information leading to the dismantling of the Xaysavang Network.</p><p class="p1">Terrorist groups also seem to be involved in wildlife trafficking, but the extent of the involvement is still up for debate. The al-Shabaab militant group is either directly or indirectly (through taxation of illegal goods moving through areas they control) involved with illegal wildlife trade, the GAO report found. There are also some reports that al-Shabaab has been buying and selling ivory to fund military operations, although some argue that evidence of that is inconclusive, the report adds. </p><p class="p1">Finally, wildlife trafficking, enabled by corruption, contributes to instability and violence in many regions. According to a 2013 report from the U.S. Office of the Director of National Intelligence, systemic corruption enables illegal ivory and horn trade, and in turn the trade exacerbates corruption by making high-value illicit products available to influential officials along the supply chain, such as police, customs officers, and local security personnel. </p><p class="p1">The movements of armed poachers and traffickers also increases border insecurity; for example, gun battles at the South African border often occur between law enforcement and poachers from Mozambique who are trying to gain access to rhinos in Kruger National Park. </p><p class="p1">To beef up U.S. efforts to fight wildlife trafficking, President Barack Obama issued an executive order in 2013 that established an interagency task force, with 17 federal agencies as members, charged with developing a strategy to guide the government’s efforts. In 2015, the task force released an Implementation Plan for the National Strategy for Combating Wildlife Trafficking.</p><p class="p1">Task force agencies, following the implementation plan, are helping to fight wildlife trafficking through a variety of efforts, the GAO report found. But it also found that, “at the strategic level, the task force has not identified performance targets. Without such targets, it is unclear whether the task force’s accomplishments are meeting expectations, making it difficult to gauge progress.”</p><p class="p1">Given this, the GAO recommends that the secretary of state, the secretary of the interior, and the attorney general jointly work to develop performance targets for the task force. The agencies agreed with the GAO’s recommendation. ​</p> HQ Closed for the HolidaysGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​ASIS International headquarters are closed from Friday, December 23, through Monday, January 2nd. <em></em>Please look for online updates, including our January 2017 issue, starting January 3. The <em>Security Management </em>staff wishes you happy holidays! ​</p> Christmas Market Attacker Killed in ShootoutGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><br></p><p>UPDATE:</p><p>Anis Amri, the suspect in the Berlin Christmas market attack was killed early Friday  morning by Italian authorities in Milan. When Amri was asked for identification, he pulled a gun out of his backpack and fired on police, injuring one officer. <a href="" target="_blank">Italian police retured fire, killing Amri.</a><br></p><p><br></p><p>​A truck driver drove into a Christmas market in Berlin on Monday, killing nine people and injuring others in what German authorities say they believe was an attack.</p><p>Police arrested a suspicious person near the market, but did not know if this individual was the driver, according to the Berlin Police Department’s official <a href="" target="_blank">Twitter feed.​</a> A passenger in the truck died at the scene.</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read fc310958-4a56-422b-b089-f6846df5a42f" id="div_fc310958-4a56-422b-b089-f6846df5a42f"></div><div id="vid_fc310958-4a56-422b-b089-f6846df5a42f" style="display:none;"></div></div><p>​“Currently, there are no indications of further dangerous situations in the city near Breitscheidpltaz,” the department said.</p><p>The incident occurred on Monday evening when a truck jumped the sidewalk and drove into a crowd around wooden stands at the Christmas market set up around the Kaiser Wilhelm Memorial Church, <em></em><a href=""><em>The Guardian</em> reports.</a></p><p>A Polish freight company owns the truck, which is registered in Gdansk, and left Poland Monday afternoon for Berlin. The company, however, lost touch with the driver around 4 p.m. local time. </p><p>Facebook has activated its <a href="" target="_blank">Safety Check​</a> feature to allow individuals in Berlin to mark themselves as safe. Local police are also asking individuals not to spread videos of the crash scene to protect the privacy of the victims.</p><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read efddd64f-32fc-47b6-afd0-b92e581583d7" id="div_efddd64f-32fc-47b6-afd0-b92e581583d7"></div><div id="vid_efddd64f-32fc-47b6-afd0-b92e581583d7" style="display:none;"></div></div><p>​The U.S. State Department cautioned U.S. citizens abroad in November about the heightened risk of terrorist attacks throughout Europe, especially during the holiday season. </p><p>“U.S. citizens should exercise vigilance when attending large holiday events, visiting tourist sites, using public transportation, and frequenting places of worship, restaurants, hotels, etc.,” said the <a href="" target="_blank">travel alert</a>, which expires on February 20, 2017. </p><p>The alert was based on “credible information” that indicated the Islamic State of Iraq and the Levant, al Qaeda, and their affiliates continue to plan terrorist attacks in Europe, with a focus on the holiday season and associated events.</p><p>“U.S. citizens should also be alert to the possibility that extremist sympathizers or self-radicalized extremists may conduct attacks during this period with little or no warning,” the alert said. “Terrorists may employ a wide variety of tactics, using both conventional and non-conventional weapons and targeting both official and private interests.” </p><p>This is a developing story. <em>Security Management </em>will continue to update this post as more information is confirmed.​​</p> False AlarmsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Organized retail crime boosters strike retail stores during their open hours, and most retailers rely on burglar alarms to keep thieves out when their doors are closed. But there’s another side to this level of security: false alarms that stretch police officers’ resources thin.</p><p> Most police departments name alarm alerts as one of their top three calls, and the vast majority of them are false alarms, says Glen Mowrey, national law enforcement liaison for the Security Industry Alarm Coalition (SIAC). In most states, officers have to respond to the automated alarm alerts sent by the services so popular with residential and retail spaces alike. Mowrey, himself a retired deputy police chief of the Charlotte-Mecklenburg, North Carolina, Police Department, understood the strain this could place on dispatchers and police officers.</p><p> While Mowrey was leading a security alarm seminar in Nashville, Tennessee, he discussed the high numbers of false alarms with local officers and people in the alarm industry. An informal roundtable took place, and the concept of alarm management committees was formed: three police chiefs, three alarm industry representatives, and a member of the SIAC would meet quarterly in their state to figure out ways to cut down on false alarm calls.</p><p>An alarm management committee launched in Tennessee, and Mowrey helped start up committees in Georgia and Florida soon after. Today, there are 15 alarm management committees in the United States, and the number is growing. Committees typically focus on creating model alarm ordinances as well as pushing for state legislation. Agencies using the model ordinance have realized reductions of up to​ 70 percent. </p><p>Mowrey says that most alarm management committees look to develop and enforce model ordinances in their communities, which consist of proven best practices, such as requiring residents and businesses to register their alarm services with their local police department. It also creates penalties for repeat offenders: the first two false alarms carry no consequence, while subsequent alarms will result in increasing fees. </p><p>“Those fines get people’s attention,” Mowrey says.</p><p>Such alarm ordinances have resulted in drastic red​uctions of false alarm calls as citizens and businesses alike understand their responsibility to keep their alarm systems working properly. For example, in Fairfax County, Virginia, the robust alarm ordinance was enacted in 2002, and in 2014 resulted in the 112,000 sites registered with the police, and 90 percent of those registrants never had a false alarm, Mowrey notes. </p><p>Alarm management committees also focus on legislation in their perspective states, often focusing on enhanced two-call verification laws. This requires alarm companies to reach out twice to the owner of the site whose alarm was triggered before sending police officers to check on the residence or business. This method has been proven to drop police response to false alarms drastically—in some cases, by 30 percent, Mowrey notes. A number of states have adopted two-call verification laws. </p><p>“It’s efficiency,” Mowrey says. “It’s cutting down calls coming into the communication center when people take responsibility of their alarms. Roughly 90 percent of false alarms are caused by human error. People just don’t pay attention, and it’s needless work for police.”</p> of OpportunityGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Over the past decade, retail and grocery stores have been turning to self-service checkout lanes to create a better shopping experience: making purchases will be easier and quicker, while store staff can be mobilized away from checkouts and into more customer-focused roles. However, self-checkouts and mobile shop-and-pay programs generate significantly higher rates of loss, a new report finds. </p><p>Developments in Retail Mobile Scanning Technologies: Understanding the Potential Impact on Shrinkage & Loss Prevention, a report by professors Adrian Beck and Dr. Matt Hopkins of the University of Leicester, analyzed data from nearly 12 million shopping trips from four major British retailers between 2013 and 2015. The researchers found that using self-checkouts in stores increased the rate of loss by 122 percent to an average of 3.9 percent of turnover.​​</p><p><img src="/ASIS%20SM%20Article%20Images/1216-asis-security-management-retail.jpg" alt="" style="margin:5px;" /><br></p><p>​<br></p> 90-Character AlertGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Shortly before 8 a.m. on Monday, September 19, an untold number of New Yorkers were jarred awake by an unusual tone emitting from their cell phones. Passengers on subway cars looked around uneasily as dozens of phones buzzed and sounded off in unison. A short, text-message-like alert had appeared on the screens of every phone in the range of New York City’s cell towers: 28-year-old Ahmad Khan Rahami was wanted in connection to the explosion in Chelsea earlier that weekend. “See media for pic,” the short alert stated. “Call 9-1-1 if seen.”  </p><p>Within three hours of the smartphone broadcast, Rahami was spotted by a local business owner and captured after a shootout with police. While it’s currently unclear whether the emergency alert was the factor that prompted the citizen to notify the authorities about Rahami, the New York Police Department and federal emergency management officials were pleased with the alert’s success. It’s the first time this type of broadcast, called a Wireless Emergency Alert (WEA), has been used to notify citizens about a wanted suspect on a mass scale. </p><p>“I think the alert system is very helpful to the police department and the FBI,” New York City Police Commissioner James O’Neill said during a press conference. “It gets everyone involved. If we can get everyone in the city engaged to help us keep it safe, this is the future.”</p><p>The technology behind the alerts, however, is nowhere near the future. In fact, it was engineered to work for the cellular networks of 15 years ago, according to U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T) investigators. Last December, the S&T released a 157-page publication, Opportunities, Options and Enhancements for the Wireless Emergency Alerting Service, with research conducted by three Carnegie Mellon University Silicon Valley (CMU-SV) electrical and computer engineering professors. </p><p>The WEA, which was first deployed in 2012, is an effort supported by the U.S. Federal Communications Commission (FCC), the U.S. Federal Emergency Management Agency (FEMA), and the American wireless communications industry. It is designed to alert people of imminent disasters or emergencies. Mobile users are automatically enrolled to receive WEAs, which are typically AMBER alerts to locate a missing child, imminent threat alerts such as natural disasters, or a presidential alert, which has never occurred. The 90-character alerts are geographically targeted and sent out by federal, state, or local emergency management officials through a FEMA portal. Users can unsubscribe from imminent threat and AMBER alerts, but not presidential alerts. The S&T research focuses on leveraging modern technology to make the alerts more useful and actionable, and to reduce the number of people who unsubscribe from them. </p><p>Although they look like text messages, WEAs are delivered via broadcast through wireless carriers and transmitted from targeted cell towers to reduce the strain on the wireless networks themselves, explains Bob Iannucci, distinguished service professor at CMU-SV. “The way that WEA was engineered was to conserve bandwidth,” he explains. “You couldn’t send out a million SMS messages in a timely way, so instead the messages are sent via broadcast. What the networks were capable of 15 years ago for broadcast was very limited, and nowadays it’s much more possible with rich media.” </p><p>The researchers studied what it would take to send longer alerts that include pictures, links, and even interactive maps, and found that the technology is readily available. Currently, smartphones have built-in software that will activate within range of targeted cell towers. CMU-SV Principal Research Scientist Emeritus Martin Griss says a default, DHS-approved app would seamlessly bring WEA capabilities into the 21st century. </p><p>“The idea is by using the app mechanism, we could have much more powerful and rapidly evolving tools, while the current mechanism has to be installed on deck by the phone providers, and improvement can take a long time,” Griss explains. </p><p>The researchers built a test app with enhanced WEA features. Beyond more detailed information, the researchers found that an app-based alert system could present the messages in a more easily-understood format. It’s not unusual for multiple WEAs to be sent out with updated information, such as shelter-in-place messages during a natural disaster, followed by evacuation notices based on secondary events. “Such a barrage of messages, particularly bearing updates and changes of strategy, require individuals to receive and digest them in the time sequence, maintain a mental model of the latest instructions, and be able to recall these when acting,” the S&T report notes. Instead of individual messages, an app-based alert system could display only the most recent directives to avoid confusion.</p><p>“The basic idea is to build on mechanisms that are already part of the standards and part of cell phones, rather than going through a lengthy process of reengineering a broadcast mechanism,” Iannucci notes.</p><p>The researchers touched on even more expansive abilities with the proposed app-based mechanism. With smartphone technology, it’s possible for the alerting system to dispatch messages based on a user’s current physical activity. “For example, if a person is sleeping at home after midnight, an AMBER alert may not be relevant or actionable to that user, but a similar message arriving while the person is driving or cycling would be welcome,” the report notes. Location history and prediction can also be leveraged: users who visit a location frequently could automatically receive an alert affecting that location even if they aren’t there.</p><p>The use of this data shouldn’t raise privacy concerns because it’s all performed on the client side: “Those actions are done on the user’s phone and the user’s data never leaves the phone,” explains Hakan Erdogmus, an associate teaching professor at CMU-SV. “It’s not like it’s stored in a central server and the phone looks it up—it’s all done inside the phone, because the phone knows its location history, where it is, how far it is from the targeted location.”</p><p>Although the CMU researchers conducted extensive testing on enhanced WEA capabilities, they acknowledge that actually deploying those capabilities won’t happen overnight. “The technology is not as complicated as the agreement to use it,” Griss notes.</p><p>While wireless carriers voluntarily participate in the program, smartphone manufacturers have less say in the process. Iannucci explains that manufacturers build the WEA software into their phones to comply with the carriers. A more robust WEA system will put even more of a burden on manufacturers, he says. </p><p>“It’s a bit of a challenge to engineer this as a well-thought-out end-to-end system where there’s a clear stakeholder and everybody along the chain can perform,” Iannucci says. “Current phone manufacturers are doing what’s required, and we’re arguing for a bit of a higher standard of end-to-end engineering this system for the public good.”</p><p>The FCC issued a Notice of Proposed Rulemaking last November to expand WEA capabilities, although no platform—app or built-in software—was specified. The issuance included a window of time for stakeholders to comment on the proposal, and Erdogmus notes that many major smartphone manufacturers and carriers responded. </p><p>“If you go through the responses, you get the feeling that they’re pretty unwilling to do more than they’re doing right now, even for simple changes that are very feasible,” Erdogmus explains. “That’s why a third-party app could encourage innovation, because otherwise it’s not going to happen easily without some kind of enforcement.”</p><p>Carriers and manufacturers have liability concerns, too. Griss notes that these stakeholders have questions about what happens if a customer doesn’t get a WEA. “What are they actually responsible to do? Is it to guarantee delivery in a particular area? To wake you up?” he asks. All of these concerns will have to be addressed at length with the FCC, FEMA, and private industry stakeholders before WEA capabilities can be expanded.</p><p>“With our experiments, we are proving the feasibility of it all,” Erdogmus says. “The rest boils down to politics and how to draw up agreements and which parts will be enforced, which parts will be voluntary, and who takes responsibility and so on, which is the hardest part.”</p><p>There are bigger questions to answer. If the WEA system gains the capabilities the researchers imagined, what is the overall role of the system during an imminent threat? Is it to alert citizens, or to guide them during a crisis? </p><p>The report found that while some people think of WEA messages as “bell ringers” that rely on the public to use other communication channels to obtain additional information, others believe WEAs should be augmented with additional information and effective incident follow-up. </p><p>There’s also the matter of whether WEAs should be more integrated with social media. In one test, a WEA sent out regarding severe weather did not increase the frequency of weather-related posts on Twitter, which is indicative of poor WEA effectiveness as compared with social media, the report notes. Many alert originators are using both social media and WEAs to alert their communities of threats, and citizens desire WEA messages with links or hashtags for more overlap with traditional forms of social media, the report explains. The researchers recommend the usage of simple hooks, such as hashtags or other forms of outside engagement, to further the reach of WEAs.</p><p>“We say that WEA is part of the social media pantheon and has this nice alarm bell characteristic that other social media don’t,” Iannucci says. “It’s not an either–or, it’s how the two systems complement each other.”</p><p>The researchers noted that September’s WEA in New York contained a simple hook by telling recipients to consult media outlets for a picture of Rahami. However, Iannucci wonders whether the command backfired. “The challenge there is that in a large population, if everyone gets the same ‘see media’ message at the same time, it has the potential to cause serious network issues when everyone tries to browse the media at the same time,” he notes. “We won’t see the statistics for a while, but it will be very interesting to see what happened to network traffic in the 30 to 60 seconds after the alert went out.”</p><p>If the WEA had the capability to include a picture of Rahami, it would have been easier on both users and the network, Iannucci notes. </p><p>“Because the message was short, people tend to validate what’s going on by checking around,” Griss explains. “They talk to friends, they look at social media. People are already using several kinds of media to keep track of whatever is happening. How you coordinate those two needs to be thought through.”</p><p>Even though the New York message showed the shortcomings of the WEA system, the researchers said it was an important use case that could bring to light the issues they wrote about last year.</p><p>“My feeling is this will prompt similar usage of WEA more broadly” for wanted suspects, Iannucci says. “Because of its visibility, it will probably encourage broader use of WEA which is wonderful. That’s when we can raise the subject of how we further enhance it once there’s greater awareness of its value.”   ​</p> SupervisionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Ask the next uniformed security supervisor that you encounter about his or her developmental supervisory training experiences. You may get a blank stare in return. </p><p>Despite the absolutely critical role that site supervisors play on both contract and proprietary security teams, they frequently rise through the ranks as dependable employees. Rarely are they selected, groomed in advance, and developed through structured training. </p><p>After 25 years of managing a family-owned regional security firm, I knew that supervisory training was still in short supply. To break out of this mold, we developed a biannual training program to ensure that our site supervisors knew what was expected of them and what they should expect from the job.</p><p>Developing and implementing this program, however, was not always easy. Following is a case study on the training program, and the various challenges faced along the way. Also included is a breakdown of training session logistics, a summary of course content, and final takeaways. ​</p><h4>Foundation</h4><p>While working in a business develop­ment role several years ago, I completed yet another week of meetings in which frustrated prospects conveyed their dissatisfaction with how their site supervisor—a cherished and vital employee—was “not being supported.”  The situation they described was one I had heard many times before—disappointment with their current security vendor because of a lack of support and development for the site supervisor.   </p><p>For the client, the solution was simple enough: find a company that supports its supervisory team. In the next managerial meeting, I asked the company’s president, general manager, assistant general manager, training director, and HR manager the following question: “How can we best support our site supervisors?”  </p><p>The white board at the end of that first meeting on the topic was filled with honest questions about our site supervisory team, such as “Why do we assume they know how to properly schedule people?” “What leadership skills should they possess, and what if they don’t have them?” “Do they truly know HR’s expectations for disciplinary actions?” and “What is the best method for communicating with management when the support system has failed?”</p><p>We strove to be as honest as possible, and so the answers were often damning and full of assumptions about what we hoped had been communicated. Some attendees responded with defensive statements, such as “Isn’t the account manager doing a briefing on these issues?” and “They do have the employment handbook as a guide.” </p><p>In the end, the group was forced to admit that because too many of the supervisor’s duties involved “winging it,” being the best and the brightest was insufficient.  </p><p>The team began to piece together a framework for a new group training session, to be held biannually. The framework included basic tenets about proper scheduling procedures, baseline knowledge about labor law, and information on recognizing and reporting harassment. The program was dubbed L-3 Training, because L-3 is our company’s designation for a security officer who leads, trains, schedules, verbally disciplines, and has veto power over staff assigned to their site.​</p><h4>Challenges</h4><p>We faced various challenges when we started planning the first training event. First, we had to decide which location would work best for the largest number of supervisors.  </p><p>Second, we had to determine what training time would make the most sense. Holding it after hours raised the possibility that trainees would be tired from having already worked an entire shift. But we thought holding it during regular shift hours might turn into an operational nightmare; account managers would have to find alternative supervisory coverage for every site with a supervisor.</p><p>Third, there were financial factors involved. We would have to absorb the cost of pulling many well-compensated supervisors into a single room for nonbillable time. Once they were all together, it seemed likely that some supervisors would discuss their individual worksites, and even compensation, with each other. This, we thought, could lead to a supervisor’s demoralizing discovery that he or she is not earning as much as the client across town is willing to pay, for a job with the same responsibilities.</p><p>However, we also realized that these types of challenges can lead organizations to give up on a training program before it begins–a key reason why such training turns out to be fairly rare. So we came up with solutions to these challenges that were simple, but seemed to work well for the entire team. </p><p>For the location, we secured a space near the administrative office, since that office was considered the central hub of employment with the firm.</p><p>We decided that it was best for the training to be held during the middle of the day, not after shifts were over. This meant that the supervisors would keep their 40-hour workweeks and still be paid for a full 40 hours (with training accounting for a portion of that time), and not stay later for training. We hoped that this communicated respect for the supervisors. Overall, these positives outweighed the logistical inconveniences that midday training would entail. </p><p>As far as the cost, we adopted the premise that it is always less expensive to spend a few dollars and keep a client then save a few dollars and lose one. Thus, it would be ultimately worth it to the organization to absorb the cost of the program.​</p><h4>Program Specifics</h4><p>We quickly realized that thoughtful planning did not make our program error-proof, and we had to grapple with our share of logistical hazards. The hotel conference room booked for the training turned out to be too small. The parking garage was overfilled. The meal break was marred by cold pizza, delivered 45 minutes late.</p><p>During the training sessions themselves, we occasionally came close to death by PowerPoint, as a few speakers droned on and on about mundane subjects. Once, we failed to schedule a training session because the firm had so much new business to attend to. </p><p>These problems led to several lessons learned. Instead of simply looking up the dimensions of the proposed room, it is important to visit it beforehand and envision it in the configuration you plan to use, to make sure it is the right fit. Sampling the proposed food to be served and checking reviews of the restaurant provider may minimize food and drink challenges.</p><p>We also learned one overriding lesson—the nuts-and-bolts aspects of the event, even some of the smaller details, are in many ways just as important as the subject matter. And so, assigning detail-oriented staffers to manage the training, delegating specific tasks, and meeting several times in advance to “walk though” the event can streamline everything, and smooth out rough edges.</p><p>Despite the challenges, we persisted, and our commitment to site supervisor training has been rewarded. The feedback from site supervisors has been positive, and our clients truly appreciate that the people they work with every day are recognized and supported.​</p><h4>Training Session Subjects</h4><p>The training session, including breaks, lunch, and all presentations and discussion, lasts three hours. The session starts with an introduction and thanks given by the highest-level company official available to participate. Next is a 10-minute overview of the company’s mission, vision, values, ethical expectations, accomplishments, and how it differentiates itself in the marketplace. We have found there is engagement value when an executive not only welcomes everyone, but also advocates for the work of the organization.</p><p>The executive then invites the attending site supervisors to introduce themselves, to include name, rank, what site or sites they supervise, length of time in the position, any unusual duties or responsibilities at the site, and what they did prior to their current role.</p><p>After these remarks, coverage of the main subject areas begins. In our training session this includes leadership, customer service, communication, emergency preparedness, human resources, and supervisory duties.</p><p><strong>Leadership.</strong> In the last few decades, various studies out of Harvard Business School on the subject of employment and engagement have issued different variations of the following finding: what matters most to employees is how they feel about their immediate supervisor. Love them or hate them, this view is crucial in defining performance. </p><p>This finding can be used as a valuable teaching tool—an opportunity to illustrate the crucial role each site supervisor plays in the stability and performance of the workforce. It also can be used to emphasize that supervision and management are not about privileges, but about professional responsibility.   </p><p><strong>Customer service. </strong>Reiterating the components of strong customer service is always valuable, even for the most accomplished supervisors, because it further reinforces their professionalism. Reminders about the importance of first impressions, listening, and seeing issues from the client’s perspective reinforce this important aspect of their roles. Additionally, speakers in this section should remind the supervisors to impress these standards on their security officer team.</p><p><strong>Communication. </strong>Subject matter in this area includes the importance of maintaining the continuous flow of information between the site supervisor and account manager; how to determine the method to be used for this communi­cation, and how to automate it; and en­sur­ing that supervisors regularly communicate to their team members in an effective manner. All these components are key to good site relations.</p><p>Finally, it is important to make clear exactly what a supervisor is supposed to do when something goes unaddressed by their employer. Examples include an unanswered payroll questions or an unaddressed uniform need. This module contains procedures and contact information.</p><p><strong>Emergency preparedness.</strong> The term emergency preparedness may conjure up images of hurricanes, tornados, and flash floods. But in private security, emergencies often occur at a much more individual level. For example, each of these events, and many others, were handled by security professionals on our staff since the last L-3 Training: </p><ul><li><p>An officer observed a fleeing burglary suspect and advised the pursuing police. <br></p></li><li><p>An officer located potentially catastrophic leaks during a rainstorm, and made a 4:17 a.m. phone call to the facilities department. <br></p></li><li><p>An officer talked suicidal individuals off a garage ledge.<br></p></li><li><p>An officer identified an electrical short in a fountain strong enough to severely injure or kill someone. <br></p></li><li><p>An officer recognized a client’s employee from a crime alert. <br></p></li><li><p>An officer responded to a person in cardiac arrest and provided them CPR. <br></p></li></ul><p>Reminding site supervisors about what can go wrong puts them in a proactive position to prepare their staff members for such events. Site supervisors are instructed to examine the most likely emergencies and hazards at their site and collaborate with the client on developing plans should one not already exist. A methodology for creating an Emergency Action Plan is provided.  </p><p><strong>Human resources. </strong>This essential topic is easily overdone. Suggestions for increasing information retention include observing strict time limits, choosing a dynamic presenter, and ensuring that the presenter is prepared.</p><p> The employee handbook should reinforce everything the presenter is saying and any on-duty supervisor who needs clarification should contact HR immediately. In fact, that should be the critical takeaway from this section—call HR early and often. Site supervisors should be made comfortable seeking out advice from HR. Not doing so is where a snowballing problem first starts. </p><p><strong>Supervisory duties.</strong> Despite scheduling’s crucial role in successfully performing supervisory duties, it is often assumed that anyone can figure out and do these tasks. This is a mistaken assumption. Clearly defining responsibilities in training can prevent misunderstandings that can lead to disgruntled supervisors and officers. </p><p>Questions that should be addressed here include: Who will be preparing the weekly schedule? How will changes be conveyed to payroll and for the invoice?  When is overtime a company issue and when might it be a client issue? Who takes calls from absent officers and how do they denote the time spent doing so on their timesheet, if it is their responsibility?  </p><p>Site supervisors need to know who can answer questions such as: “How much vacation time do I have on the books?” or “What if my New Year’s Eve shift starts at 11:45 p.m. but I work 7 hours and 45 minutes on the actual holiday—do I get holiday pay?” When officers have a payroll question, who should the supervisor contact, how should they contact them, and when should they expect an answer? Also important, what should supervisors do if they get no response or cannot reach anyone? Have goals about what you want to convey and stick to them.​</p><h4>Takeaways</h4><p>Below are a few final takeaways, based on numerous site supervisor training sessions.</p><p>Personalizing the event enhances the chances for success. For example, our winter session includes presenting supervisors with their company holiday presents, as well as gifts for the officers they supervise, which they are entrusted to present back at their sites.   </p><p>Whenever possible, invite experienced site supervisors (and former participants of the training program) to teach as many of the sessions as possible. In our last program, all subjects other than human resources and scheduling, payroll, and invoicing were taught by site supervisors.</p><p>Conduct anonymous polling at the end of the event. The absolute honesty of anonymity allows for continuous improvement. Occasionally, some commenters will identify themselves; my favorite evaluation survey response had the following scribbled on the bottom of the form: “I, Lt. Lawson, would like to be a guest speaker during the next training session...”  </p><p>--</p><p><em><strong>Chris Stuart </strong>is the vice president of business development for Top Guard Security. He serves on the ASIS International Leadership and Management Practices Council and the Security Services Council. He is the Past President of the Virginia Security Association and has been employed in the uniformed private security industry since 1988.</em></p> Security Threats and SolutionsGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A keynote speaker at the ASIS 2016 Seminar and Exhibits, Edward James Martin “Ted” Koppel was a prominent television journalist for more than 50 years and is best known as the anchor of ABC News’ Nightline from 1980 to 2005. In Koppel’s new book Lights Out, the newsman and veteran reporter argues that the United States is vulnerable to a devastating cyberattack on its power grid. After his remarks, Koppel sat down with <em>Security Management </em>and defended his book’s thesis. </p><p><em><strong>Q.</strong> Having written this book, what would you now say are the odds of a substantial attack happening in the near future–say the next 10 years–on the U.S. power grid?</em></p><p><strong>A.</strong> I’d say better than 50-50. I mean, [former Homeland Security Secretary] Janet Napolitano put it at 80 to 90 percent.</p><p><strong><em>Q. </em></strong><em>Several people in your book say China and Russia definitely have the capability to get in the U.S. electric network. But what is the evidence that they have the capacity to cause a significant outage?</em></p><p><strong>A. </strong>The evidence that they can do it is in Ukraine–they did it. They took out the Ukrainian power system. It only stayed out for a few hours, and the reason for that is the Ukrainian power system is antiquated, and everything is operated manually. So the irony is because the Ukrainian system was old, they were able to get it back up again. </p><p><strong><em>Q.</em></strong><em> Russian President Vladimir Putin has been pushing the envelope in a lot of different ways, and there’s been greater antagonism with the United States. What are the chances that Putin decides to try a grid attack? Maybe it’s not likely, but is it possible? </em></p><p><strong>A.</strong> A cyberattack on one of the U.S. power grids would unambiguously be an act of war. Now, we’ve had all kinds of cyberattacks. The Chinese, a year ago, vacuumed up 22 and a half million personnel files from… </p><p><strong><em>Q.</em></strong><em> …this is the OPM [U.S. Office of Personnel Management] attack? </em></p><p><strong>A. </strong>Yes. You have personnel files from the State Department, Defense Department, CIA, FBI. It’s an intelligence haul the likes of which we have never seen in the history of mankind.  And we have effectively—I mean, I don’t know what we’ve done in terms of counter-cyberattacks that the Chinese don’t want to talk about—but effectively, the U.S. director of central intelligence almost saluted them and said, “You know, pretty good job! If we could have done that to them, we would have done it too!”</p><p><i><strong>Q. </strong>So obviously, not an act of war. </i></p><p><strong>A.</strong> That’s my point. Intelligence gathering is one thing. Hacking into the Democratic National Committee is one thing. Futzing around with U.S. election results, if they find a way to do that? Is that an act of war? Mmm, probably not, but it will require something more than a stern note of admonition. </p><p>But an attack on the power grid is going to cost thousands if not tens of thousands of lives. It’s going to wreak havoc on the American economy. It’s going to be a disaster unlike anything we have experienced in this country before. We’ve never had an attack like that on the United States.</p><p><strong><em>Q. </em></strong><em>You say that terrorist groups like ISIS don’t have the capability yet for an attack on the grid, but you mentioned with ISIS that some of the equipment that would be required for an attack could be bought off the shelf. Is it likely that ISIS would pursue a project like that? From an organizational point of view, that’s not really ISIS’s specialty. </em></p><p><strong>A. </strong>You may know ISIS’s organizational plans better than I do, but all I can tell you is, do you know how it is, and why it is, that the North Koreans have developed nuclear weapons? Because they have several dozen former Soviet nuclear scientists who they hired and who are living in North Korea now and who have developed their program for them. So there are always experts out there. I’m not suggesting that ISIS has its own experts. But can they find someone who wants to make a couple of million dollars…?</p><p><strong><em>Q. </em></strong><em>Your book came out in October 2015. What’s been the reaction from industry security representatives?</em></p><p><strong>A. </strong>I have testified in front of a Senate committee sitting next to the industry representative from NERC (North American Electric Reliability Corporation) and they of course insist that things are not as bad as Koppel says they are, and that they are far more resilient than I give them credit for. But I would be shocked if they said anything else. I mean, what are they going to say–“Koppel’s right, we’re in terrible, terrible shape [laughs]?” </p><p><strong><em>Q. </em></strong><em>I have to ask you–I can remember when, at 11:30 p.m. every night, Nightline was a real event for news junkies. Do you miss it?</em></p><p><strong>A. </strong>No. I did 6,000 of those, thank you. That was enough. </p><p>--</p><p>Senior Fellow for Middle Eastern Studies at the Council on Foreign Relations Elliott Abrams shared what he sees as the main U.S. foreign policy challenges for the next U.S. president. Abrams served as deputy assistant to the president and deputy national security advisor in U.S. President George W. Bush’s administration, where he oversaw U.S. policy in the Middle East for the White House. Following his remarks, Abrams told <em>Security Man­agement</em> more about these challenges.</p><p><strong><em>Q: </em></strong><em>In your speech, you said we’re going to see more terrorist attacks in Europe and the Middle East. Why Europe?</em></p><p><strong>A:</strong> It’s a combination of things. Most of these attacks are coming from the Muslim, and especially Arab, population. That population is much, much larger in Europe than in the United States. </p><p>Most American Arabs are Christians, and most American Muslims are non- Arabs. They’re American blacks, or they’re Pakistanis or Indians, so it’s a very different population. Whereas in Europe, it’s a mostly Arab population from which the terrorists recruit.</p><p>Second, in the United States, the Muslim and Arab populations are very well integrated. We don’t have ghettos like in Paris or Brussels. They have just not been able to do what the United States does, which is to assimilate immigrants so that they become Americans.</p><p>Thirdly, we just have one country here with one FBI, one Department of Homeland Security. They have thousands of different police forces…and we know from the Bataclan event that the exchange of information between the Belgians and the French was defective. It was inadequate. So they’re going to have to do a lot better at that.</p><p><strong><em> Q:</em></strong><em> The focus is to eliminate ISIS right now. If we do that, but don’t fix the underlying problems in the Middle East, will there be another group that rises up to replace ISIS?</em></p><p><strong></strong><strong>A</strong>: Three years from now there will be some group that either doesn’t exist today, or you and I have never heard of. </p><p>This is a long-term problem of dealing with the origins of this terrorism. And the origins of it are…in these societies that give young men no chance in life so they can be attracted by this ideology.</p><p>Now, it’s not always those people who become extremists. We saw this in the 9/11 attackers; sometimes it’s an engineer or a doctor. Some terrorists don’t fit that profile. But...the cannon fodder generally do. You may recruit a doctor. You’re not going to recruit 1,000 doctors to join ISIS.</p><p><strong><em>Q:</em></strong><em> Switching to cybersecurity, when Chinese President Xi met with U.S. President Obama last year, they agreed to not use their militaries to steal corporate intellectual property. Is this effective?</em> </p><p><strong>A: </strong>No, I think the Chinese are cheating…the Chinese so far have paid no penalty for this. If you’re doing something that you think is of some benefit to you, and all you get from the Americans is the occasional expression of concern, you’re not going to stop until either some penalty is paid or we do it to them.</p><p><strong><em>Q: </em></strong><em>Obama signed an executive order that gives him power to levy economic sanctions for cybercrimes. Do you think those powers will be on the table in the future? </em></p><p><strong>A: </strong>Initially, they’re going to be symbolic. You sanction some piece of the Chinese economy no one’s ever heard of that doesn’t do any trade with us.</p><p>I think we’re going to need to figure out what are the pressure points where you can actually lead the Chinese to say, ‘Cost-benefit analysis, maybe we shouldn’t be doing this.’   </p><p><strong><em>Q: </em></strong><em>A new administration will move into the White House in January. What will be its biggest immediate foreign policy challenges? </em></p><p><strong>A: </strong>North Korea is an early pressing problem. The current policy has basically failed. North Korea’s testing; they’re building. You may have a [nuclear] test in January, February, or March. How are you going to react? </p><p>And Syria. People are going to be dying; people are going to be fleeing. You can’t say, ‘Let’s get to that on Labor Day.’  ​</p><br> DisorderGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Mexico, sometimes maligned during political campaigns, nonetheless remains vital to the economic interests of many nations. For the many companies doing business there, security remains a crucial concern.      </p><p>And that security landscape is becoming more complicated, due in large part to the dynamics of the drug trade, experts say. The homicide rate in Mexico increased by 15 percent during the first six months of 2016 compared with the previous year, with approximately 9,400 people murdered across the country in that time period, according to a recent study, iJET's Quarterly Report: Organized Crime and Drug-Related Violence in Mexico.</p><p>Underlying this rise is a resurgence of activity by drug-trafficking organizations (DTOs), with dozens of DTOs fighting pitched battles for territory. </p><p>“They are engaged in turf wars on multiple fronts,” said Justin Kersey, intelligence manager for iJet’s Americas team, at a recent briefing on Mexico’s security situation.</p><p>Some DTOs are expanding into new territories in Mexico, so that a majority of Mexican states are now seeing organized drug-related crime. Increased demand for methamphetamine and heroin in the United States is another driver for DTO activity. Mexico’s Sinaloa cartel has been particularly successful in penetrating the U.S. drug market, with a significant presence in places like Chicago, Philadelphia, southern California, the Ohio Valley, and portions of West Virginia and Kentucky, Kersey said.</p><p>With their resurgence, DTOs have now become more integrated with legitimate political and business activity in Mexico, iJet Americas expert Sean Wolinsky said at the briefing. Along with this integration comes rising levels of impunity for DTO criminals; roughly 90 percent of DTO crime goes unreported to police, Wolinsky added.  </p><p>While most DTO-related crimes involve gang members rather than expatriates or unaffiliated business people, “that doesn’t mean that larger multinational corporations are completely immune,” Wolinsky said. Those doing business in Mexico for an extended period of time face some degree of elevated risk, especially regarding four major forms of crime: kidnapping, assault, robbery, and extortion. </p><p>“Anyone operating in Mexico is at risk of becoming collateral damage in these crimes,” Wolinsky said. Mining companies have been recently beset by kidnappings, he added, citing the example of several Goldcorp employees who were abducted and later found dead in Mexico’s Guerrero state last year.</p><p>Two more specialized types of abductions—virtual kidnapping and express kidnapping—have become more common in Mexico recently, experts say. In a virtual kidnapping, a kidnapper will use social media to select a “victim” online by looking for someone with an extended virtual network. The criminal will contact the victim’s friends and family and, claiming to hold the victim hostage, threaten to harm him or her if no ransom is provided.  </p><p>In an express kidnapping, the victim is held for only a short time, anywhere from a few hours to a couple of days. Often, the abductors will force the victim to make as many ATM withdrawals as possible during that short period, then let the victim go.</p><p>Whatever form kidnappings take, they are crimes that can affect victims in ways that employers should be aware of, says Rachel Briggs, executive director of Hostage US, a nonprofit organization that supports hostages and their families during and after kidnappings. </p><p>Briggs has personal experience in these matters; in 1996, her uncle was kidnapped while he was working as an engineer in Colombia, and “for seven-and-a-half months, she and her family were thrown into an alien world of fear, isolation and helplessness as others negotiated for his release,” according to her organization’s website.</p><p>When working on a case, Briggs’ group assigns a team member to be the contact person for the victim’s family members, who are often thrust into the daunting situation of trying to deal with authorities, journalists looking for news, and a host of other parties. </p><p>“You’re suddenly dealing with governments and private security companies, and they speak a different language,” she says. </p><p>Later, if the victim is released and returns to work, his or her employer should be aware of various issues that may arise. Take, for example, an employee working in Mexico who is kidnapped and held in captivity in a windowless room for many months. Returning to work in a small windowless office or cubicle may be problematic for the victim, and could potentially trigger traumatic memories. Even commuting in closed-off spaces, such as a crowded underground train, could be difficult for that individual, Briggs says.</p><p>Similarly, a victim who was held for an extended period of time in solitary confinement may have trouble concentrating in a busy office environment or one with an open floor plan, she adds. </p><p>In addition, there is a common mis­perception that the shorter the time a victim is held in captivity, the less traumatic impact there will be on him or her. </p><p>“In my experience, the reverse tends to be true,” Briggs says. That’s because a hostage who was held for a long period has time to mentally come to terms with what is happening, she explains. In small but important ways, the victim can take control of some of his or her actions, such as deciding to walk around the room every hour, or exercise twice a day, or even whether to eat. This helps them adjust. </p><p>In contrast, a 48-hour “express” kidnapping may seem like a violently disruptive experience that was chaotically terrifying from beginning to end. “The prolonged trauma from that can be much greater,” she says. </p><p>Overall, kidnappings do seem to be on the rise, and not only in Mexico, Briggs adds. For example, more terrorists are using short-term hostage situations as a tactic: the Pulse nightclub attack in Orlando, the Bataclan Theater attack in Paris, and the Raddison Hotel attack in Bamako, Mali, all featured short-term hostage taking.</p><p>As tragic as those events were, the less sorrowful news is that the majority of kidnappings end with the victim being released. “Thankfully, most hostages do come back alive,” Briggs says.</p> Opens DoorsGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​When an anonymous person phoned in an active shooter threat to Yale University in November 2013, the central campus in New Haven, Connecticut, went into lockdown mode, and everyone was ordered to shelter in place. </p><p>The FBI and several other law enforcement agencies responded to the situation. No gunman was ever located, but Ronnell Higgins, the university’s chief of police and director of public safety, says the incident provided an opportunity for the campus to evaluate its overall safety and security posture. </p><p>“We looked at what happened versus what we want to happen in the future and, by injecting different technology and processes in, how we will improve the narrative if something similar occurs again,” Higgins says. </p><p>Active shooters are a rare occurrence at any university, including Yale, but there are a number of daily challenges the educational institution faces because it’s home to 11,000 students and a 3,200-member faculty.</p><p>“The Yale University campus is truly woven into the tapestry of the city of New Haven,” he notes, adding that there is a balance between creating a welcoming, open environment and providing security. “We don’t want to turn the place into a fortress, but we have to be ever so cognizant of the environment and our obligation to provide safety.” </p><p>While the public safety department had significantly reduced one of its biggest problems—larceny—over the last five years, Higgins says that campus law enforcement wanted to do more to not only reduce crime, but improve overall efficiencies when it came to access control. </p><p>After the active shooter threat, the vendor for Yale’s access control system began phasing out its technology. So, working with its dedicated in-house IT team, the public safety department decided on three major goals to address in updating the access control system. </p><p>They were: have a single point from which to manage access control; increase security around the movement of students, employees, and visitors; and increase overall efficiencies, including mobilizing credentials and streamlining lockdown procedures.</p><p>To determine which access control technology was most appropriate for Yale, the university hired an outside consultant to evaluate proposals, says Dave Boyd, director of information technology for the public safety department. </p><p>The university interviewed the top vendors and, in the end, chose AMAG’s Symmetry SR Solution. Implementation began in July 2014 and is expected to be completed by the end of 2017; currently, more than two-thirds of the university’s buildings have been upgraded.  </p><p>The AMAG solution appealed to Yale for several reasons, including the fact that installers would not have to rip out and replace existing hardware. Instead, Symmetry uses the university’s existing wiring infrastructure, allowing it to keep the door card readers installed around its 450 buildings. </p><p>“That was one of the big selling points, because we have some buildings here that are over 200 years old with three-foot stone walls,” Boyd says. “So not having to do a rip and replace saved us millions of dollars.”</p><p>AMAG Symmetry also allows the university to manage access control for all buildings from a single interface. Eventually, Boyd says, Yale can tie in video and alarms to the system, as well as assign threat levels that will lock down certain parts of campus in the event of an incident. </p><p>AMAG Technology’s professional services team wrote an interface to Yale’s internal database to pull data into Symmetry from the university’s access control database. While Yale had to replace a computer board component within all of its existing door readers, students and faculty kept the same cards–microchips inside them were updated electronically. The credentials the faculty and students use to open the door are the same cards they use for identification, dining, and vending. </p><p>“We didn’t have to change the cards—the end users don’t even know this project is happening, just the building managers,” Boyd says.</p><p>Boyd adds that throughout the installation process, card holders would occasionally find that they did not have proper access levels after the switchover. To remedy this, the IT team went building by building to make sure the right people had access to the right places by comparing its old access control database spreadsheets to the new system. </p><p>AMAG also sent a dedicated engineer to remain on site during the first two years of the installation process. “So even issues that looked like they could have been bigger were resolved very quickly because he was on site,” Boyd adds.</p><p>Having its own public safety IT team allows Yale to tailor its technological solutions to the security needs of the campus, Higgins says. </p><p>“When Dave [Boyd] and his team are a part of our meetings, even if it doesn’t have anything to do with IT at the time, they’re thinking about how they can support us through technology, through the software, through systems like AMAG,” Higgins explains. </p><p>Boyd echoes the partnership’s effectiveness. “Most of the time we’ll sit back and just listen and try to find their pain points. Then we try to come up with technology solutions to take care of those pain points.” </p><p>He adds that the Symmetry Threat Level Manager will be activated at the end of the installation, providing even more security on campus. This feature can remotely lock down certain buildings based on the given emergency. With this feature, “it’s the push of a button” to lock down the campus, Boyd says.  </p><p>Higgins emphasizes that access control is a cornerstone for responding to any emergency. “Responding agencies may not be familiar with our architecture or the layout,” he says. “So when we think about access control…it’s incumbent on us to think about access control in emergency situations for people who aren’t familiar with our campus.” ​</p> and the Maturity MindsetGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Close your eyes and imagine yourself throwing darts at a dartboard. Any wagers on accuracy? </p><p>In the physical security space—that place where guards, gates, and badges once ruled—using metrics alone to measure risk and present value to the enterprise is similar to throwing darts blindfolded. While cybersecurity is critical, the physical security of people and property remains essential to strategic and tactical risk management for most organizations. What security teams often fail to recognize is that it’s essential to understand how mature you want to be in a variety of physical security domains and build an enterprise security risk management strategy around those maturity levels. Measuring metrics alone is simply cataloguing the completion of activity without a view to security risk management maturity or a clearly articulated strategy. That trio—a maturity mindset, a clearly defined strategy, and metrics measurement—is fundamental to effectiveness.</p><p>The Enterprise Security Risk Management team at Caterpillar Inc., headquartered in Peoria, Illinois, has joined forces with security experts at Ernst & Young LLP (EY) to demonstrate the value of having a maturity mindset. (See “Maturity Model 101” on page 38 for more on the process.) Not only does it help protect the people, products, property, information, and brand at Caterpillar, it also is central to making sure the security team and strategy are predictive and poised for future challenges and opportunities.​</p><h4>What’s Wrong with Metrics?</h4><p>Collecting data is valuable, of course, but the emphasis on metrics in the security discipline is sometimes misguided. Security teams can end up doing a good job of executing on a bad process. Metrics may look great, but if they measure an immature or broken process, they really don’t answer the questions that should be asked. For example, IT security might be proud to have cleaned 17,000 viruses out of the system in its efforts to be compliant, when it actually missed 5,000 viruses due to inadequate process or scope. The numbers don’t show the lack of effectiveness because the process is broken. Knowing how mature you want to be is what makes the difference because maturity targets translate into specific activities, programs, and projects to achieve the desired state, and metrics help measure against maturity.</p><p>For example, when Caterpillar Enterprise Security first began using EY’s cybersecurity maturity model, a decision was made not to be extremely mature in terms of evolving prevention technologies. Instead, the team wanted to become best-in-class in detect-and-respond maturity, assuring the ability to quickly recognize any serious network attacks and mitigate risk effectively. The objective was to give management reasonable assurance that the cybersecurity program would not become a money pit, spending wildly to prevent attacks that, frankly, are unavoidable in today’s climate. That picture for executives was literally worth a thousand words—the board and senior executives value the model as an excellent snapshot of where the security function is in time and where it is trying to be, as well as how it compares to peers in other industries such as financial services or transportation. Success in using the cybersecurity maturity model to communicate effectively with the C-suite—something with which physical security professionals often struggle—indicated it was time to apply the same effort and analysis to protecting people and property. ​</p><h4>Why Is a Maturity Model Better?</h4><p>In April 2013, Caterpillar and EY engaged eight CSOs from globally recognized companies and other industry experts in face-to-face and virtual meetings over nearly nine months to agree on domains, subdomains and definitions most relevant to physical security. The varied viewpoints and needs among the group led to interesting discussions—some more complex than others. For example, those with a more global footprint noted that the term “investigations” carries different meaning in some parts of the world and should be changed to “inquiry and investigations.” Some of the subdomains emerged from these discussions, assuring the ability to weight each area with more granularity and better reflect how various security organizations operate in different industries or parts of the world. Ultimately, the group agreed on nine domains, some with subdomains.</p><p>EY then developed a comprehensive questionnaire and interview guide with hundreds of questions related to each area. An independent assessment team executed the model among key stakeholders at Caterpillar for each of the nine domains to plot the first set of physical security maturity results. For example, consider the Crisis Management domain. The interviewer asks a variety of questions, including “Is a Crisis Management Plan in place?”; “Is there an assembled crisis management team?”; and “Does management have sufficient program oversight?” The assessment then follows with the 1–5 ratings. (See “Maturity Levels” 101 on page 38.)</p><p>Leadership visibility or support of the Crisis Management program would indicate a Defined (3) rating, yet only formal engagement from executives will garner an Optimized (5) rating. Having metrics and reporting requirements that are defined and integrated into annual evaluations is an indicator that the program is Managed (4), but not until these are reported to executive leadership on a regular basis is it possible to achieve a rating of Optimized (5).</p><p>With regard to the Crisis Management Team, ratings may vary based on roles and responsibilities, certifications and training, whether or not cross-functional members are included, and who has ultimate decision-making authority. When it comes to integration into the company’s disaster recovery plan, having no processes for integration merits an Initial/Ad Hoc (1) rating; a maturity target of Defined (3) might be sufficient for the security function if these crisis planning areas are handled effectively elsewhere in the enterprise. </p><p>Over the next couple of years, the assessment team refined the questionnaire to clearly delineate the future targets for each subdomain and to make it more Caterpillar-specific where needed to provide a more detailed picture that was still easy to comprehend. Caterpillar continues to raise the bar for various levels of maturity, and this tool also helps adapt to changes in the threat landscape—adjusting capabilities and technology resources as suggested by the desired future state and the output of the tool.</p><p>Caterpillar’s Physical Security Maturity Model has focused attention around two aspects of its physical security programs: First, is the maturity level of each area correct, or do some need additional attention? Secondly, do some areas need additional funding, and, if so, how can it be applied to advance the maturity? In the Crisis Management example, Caterpillar moved from a Managed (4) to Optimized (5) maturity rating by reporting metrics in this area to the executive office on a regular basis. To improve its maturity rating in the General Training and Awareness subdomain of Awareness, Caterpillar Enterprise Security budgeted for an annual Security Awareness Week that promotes awareness of both physical and cybersecurity among employees globally to move the maturity needle.</p><p>The maturity model has created a template for discussion with executive management that is simple to use and visual—it clarifies communication. The tool also is used for discussion with executives and the board to reflect progress and also to highlight areas needing additional investment. The visual representation (see “Maturity Model in Action,” page 38) tells a story quickly, capturing executive attention, and it provides a level of context that management can grasp more immediately. Once the executive office has this picture of where Enterprise Security stands, a detailed discussion follows as a corollary to this picture and facilitates more effective decision making. The tool has reinforced the security team’s emphasis on a risk-based approach to providing security of people and property across the enterprise.​</p><h4>Are There Collateral Benefits?</h4><p>Interestingly, the Enterprise Security team is finding that the maturity model also provides a platform for telling its story—helping executives better understand what the Enterprise Security organization does. Each time the maturity model is presented, it creates an opportunity to talk about the team’s services and the value the team adds to the enterprise. For some CSOs, the maturity model could help to provide a justification for expanding or increasing the portfolio of services or areas of responsibility.</p><p>A physical security maturity model also is an excellent tool for building security risk management collaboration across the enterprise. It helps security teams better understand where there are overlaps and recognize that not everything in the model is owned by the security organization. It presents a picture of security capabilities and needs, regardless of who owns them—from facilities to employee health and safety to human resources to legal. To drive change, stakeholders have to agree to engage annually on what’s needed to move toward the future state and achieve maturity levels.​</p><h4>What’s Next?</h4><p>Caterpillar and EY are still accumulating information and evolving the Caterpillar Physical Security Maturity Model questionnaire and implementation process, expecting it to follow the same path as the cybersecurity maturity model in becoming a slide rule for risk acceptance, risk mitigation, and security investments. It is quickly becoming an effective tool for gaining faster agreement among business leaders about how much risk they are willing to accept for their operations, whether in Illinois, Ireland, or India. Using this tool to present a clear picture of where Enterprise Security was, where it is, and where the function wants to go demonstrates to executives where their investments will have the greatest impact.</p><p>Moving forward, Enterprise Security at Caterpillar will integrate maturity of both physical and information security into these discussions. This will give management a perspective on decisions being made in each area and unified Enterprise Security strategies. In the longer term, the plan is to converge the two models into one to present a unified Enterprise Security Risk Management roadmap. And, as EY collects data over time from other companies using the tool, it will show how Caterpillar security compares against its peers, and eventually provide a broader view across the entire industry.  </p><p>--</p><p><em><strong>Tim Williams, CPP</strong>, is CSO of Caterpillar Inc. He is a current member of ASIS International and a past president. <strong>Tom Schultz </strong>is an executive director at Ernst & Young LLP. ​ ​</em></p> Hunt for TalentGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​​FBI Director James Comey was talking to his daughter recently about the Bureau’s struggle to recruit talented cybersecurity professionals amidst a talent shortage when she summed up his problem: He’s the Man. </p><p>“Which I thought was a compliment,” Comey said in an appearance at ASIS 2016 in Orlando, Florida. But then his daughter added, “You’re the Man; who would want to work for the Man? The Man is boring. The Man is crusty. The Man is white and male. Who’d want to work for the Man?”</p><p>To be an FBI cyber agent, candidates have to have integrity, be physically fit, and have a cyber specialty. They also have to want to work for the government, which can make the candidate pool extremely small to choose from because some candidates might not find that attractive.</p><p>Comey’s daughter might be on to something, not only when it comes to the FBI but when it comes to corporate cybersecurity recruitment as a whole. What if there are individuals who are out there with the skills organizations need, but they don’t know how to attract them? Or they are not candidates that fit the typical corporate mold?</p><p>Take Bugcrowd, a crowdsourced security testing company with a community of researchers that finds and reports vulnerabilities for rewards—commonly known as a bug bounty program. CEO and cofounder Casey Ellis launched the community via his Twitter account in 2012. Four years later, more than 45,000 researchers have signed up to be part of the community.</p><p>Seventy-five percent of researchers who responded to a Bugcrowd survey said they were between 18 and 29, and 19 percent of researchers were ages 30 to 44. Most striking, however, was the finding that 88 percent had completed at least one year of college, 55 percent of them had graduated with a bachelor’s or postgraduate degree, and all respondents had at least a high school diploma. </p><p>Furthermore, just 15 percent of these respondents said they participated in bug bounty programs full-time; meaning 85 percent of researchers participate in bug bounty programs as a hobby or as a part-time job.</p><p>“What we’ve seen is a lot of the best, most prolific folk, and best-paid folk that we have on the platform don’t come from a security career background,” Ellis says. Instead, they are often from an engineering, development, or systems administrator background.</p><p>“These are folks that don’t work in security, but, lo and behold, they’ve been sitting up until 3 a.m. every night, chatting with their hacker buddies,” he adds. “The cool thing about especially the bug bounty model is that there’s zero barrier to entry. It’s truly meritocratic. If you can come in and prove the fact that you can do this, as evidenced by the fact that you’ve found something that’s valuable, great.”</p><p>And for some researchers, this process has led to being hired for positions off of the bug bounty platform. “They work their way up the ranks, they’ll get spotted as unique talent, and actually get a job out of it,” Ellis explains. </p><p>“You can teach someone to hack. You can teach someone how to think with that kind of criminal entrepreneurship type of bent, but I think the more efficient path for the industry at large is to identify the people that are already there,” he adds.</p><p>Bugcrowd has done this through word of mouth and actively promoting researchers' work on social media. But how can hiring managers at other companies recruit nontraditional talent? </p><p>First, they might have to take a hard look in the mirror and ask themselves if they are blind to talent that already exists. Winn Schwartau, president and founder of The Security Awareness Company, has written extensively on this topic in his series Hiring the Unhireable: A Rationale Imperative for Protecting Networks & Nations.</p><p>“We don’t have a lack of talent. What we have is a provincial mindset, entrenched over decades, in a flawed Cold War binary philosophy,” Schwartau writes. “Many of the current hiring systems all too often enforce an arbitrary, capricious, and discriminatory set of criteria, which is fundamentally designed to eliminate true, valuable human talent—consciously choosing instead to often default to the center of the Bellcurve; that 68 percent we refer to as ‘normal.’”</p><p>Hiring managers from the United States, the United Kingdom, the European Union, and elsewhere often bemoan that they need tens of thousands of security employees, but can’t find them, he adds.</p><p>But “what they can’t find are good security people who fit into their hard-crusted mold of what corporate and government structures have become,” Schwartau explains. “There is actually a lot of truly great talent out there. But we may not see it in the traditional ways.”</p><p>To better identify this nontraditional talent, hiring managers need to adjust their mindset and expectations about hiring, says Timothy O’Brien, senior manager of security operations at Gigamon, a network visibility and traffic monitoring technology vendor.</p><p>“We are creating this category as hiring managers of talent that we will never hire, yet we’re talking about there’s nobody to hire. In some ways, we’re creating our own problem,” O’Brien explained in his session “Hackers Hiring Hackers” at the 2016 (ISC)² Security Congress, copresented with Magen Wu, senior consultant at software company Rapid7.</p><p>Hiring managers often get in their own way when they list a position with a job description that’s all over the place, such as an entry level position that asks for a Certified Information Systems Security Professional (CISSP) certification and five years of experience.</p><p>“Folks have talked to me and said they are trying to break into information security and they basically apply for everything because they can’t figure out what we, as hiring managers, even want or need,” O’Brien adds.</p><p>This means that it is especially critical for hiring managers to break down what they want versus what they need, and to take a hard look at what skills an individual will need to possess to be successful in that role in the organization.</p><p>“Be clear about what that job will entail, as much as you know, because security changes,” he explains. </p><p>O’Brien also recommends that hiring managers consider whether certifications and college degrees are important, or if they are an HR requirement that’s potentially limiting the pool of candidates managers could draw from.</p><p>“There’s plenty of folks that I’ve met that have been great hackers, great security professionals, but don’t have a degree because they got so bored out of their mind they could not sit through the degree programs, or they didn’t have the financial capabilities to go get a degree,” he says. “So let’s find those folks with that talent, help nurture them, and help them get that degree.”</p><p>If, however, having certifications or degrees is important for filling the position, O’Brien says hiring managers should make sure to vet candidates to make sure they did not just memorize information to pass a test—that they learned and retained the information the certification implies they knew at one time.</p><p>One way of doing this, O’Brien says, is by asking a candidate during phone interviews about how their personal home computer network is set up and what they would like to improve upon in the next six months.</p><p>“I’ve gotten everything from, ‘Well I just have my Cox cable modem and it goes into my computer,’” which is usually the end of the interview, O’Brien says, “to ‘I’ve got this VPN (virtual private network) and a couple of computers…’ and that leads into a series of questions that I have, like ‘On that network, when you open a browser and type in, and like magic Google comes up, how does that work?’”</p><p>The key is to use explanatory questions in interviews to get a feel for whether a candidate can articulate to someone who’s technical, but also to someone who’s from a business background, about information security and how systems work.</p><p>O’Brien also recommends getting involved with the recruiting team and human resources to make sure they understand what you as a hiring manager are looking for. And this doesn’t always mean meeting with these individuals in a conference room.</p><p>For instance, O’Brien says he’s worked with organizations to create computer emergency readiness teams (CERTs) and specifically places a recruiter or a technical person from human resources on the team “so they get more involved and they know what we need, and what roles we’re trying to fill.” </p><p>And when it comes to finding nontraditional talent, Wu says that hiring managers should look to conferences, local meet-ups, and online portals. This is because Wu, like others in the industry, encourages job seekers to use these venues to attract the notice of recruiters.</p><p>“Get involved with the community—we have such a large community with what we do,” she adds. “Start going to conferences, local meet-ups, giving presentations, writing blog posts, and that’ll get your name out there more. That’ll make you look more interesting to hiring managers.”</p><p>While the debate continues to rage as to whether the talent shortage is real and, if so, how bad it is, hiring managers need to reassess their recruiting process to ensure that they are not overlooking qualified candidates who fail to meet their traditional criteria.</p><p>“I strongly feel that there’s a lot of talent out there, and we’re actually not accessing that talent pool right now,” Ellis says. “The challenge is to find something, put something together that actually draws them out. And takes them from where they are right now into something that’s more valuable to them and the industry itself.”</p><p>And the FBI is taking note, Comey said, assessing the way it recruits talent and how it uses cyber agents to better mitigate and investigate cyber threats.</p><p>“We’re not at bean bags and cut-off shorts yet; we do not let people smoke weed,” he explained. “But we’re trying really, really hard to be cooler than we ever were to not only attract great talent, but so when they come to us, they find it an exciting, iterative, agile place to work.”   ​</p> CleanGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>“I love the Olympics, because they enable people from all over the world to come together and…accuse each other of cheating,” comic writer Dave Barry once said. But cheating in sports is no laughing matter; sports corruption is on the rise, and some organizations are stepping up their efforts to fight it.</p><p>Collectively, sports are a huge global enterprise that engage billions of people and generate annual revenues of more than $145 billion, according to Global Corruption Report: Sport, a recent report by Transparency International (TI). </p><p>But many sports organizations operate in an outdated and nontransparent fashion, making them rife for corruption. Moreover, results manipulation, or the “fixing” of some contests for illicit gambling winnings, continues. </p><p>“While corruption in sport is not new, the recent pervasiveness of poor governance and corruption scandals threatens to undermine all the joy that sport brings and the good that it can do,” TI’s Gareth Sweeney writes in the report. “The pace of building integrity in sport has been too slow, and now it must be rapidly accelerated.”</p><p>TI describes the Global Corruption Report: Sport as the most comprehensive analysis of sports corruption to date. The study includes more than 60 contributions from experts in the fields of corruption and sport, including representatives from sports agencies, governments, and multilateral institutions, as well as from athletes, academics, and anticorruption activists. The report analyzes corruption risks in sports, with a focus on sports governance, sports business, sporting events planning, and game and match fixing. </p><p>The report argues that the well publicized U.S. indictments of nine officials from the Federation Internationale de Football (FIFA) on racketeering and money-laundering charges in 2015 changed the sports landscape overnight, because it brought a system of “deep-rooted corruption” into public view. </p><p>And “corruption is not limited to football. Cricket, cycling, badminton, ice hockey, handball, athletics and other sports, including U.S. collegiate sports, suffer similar credibility gaps,” Sweeney writes in the report. </p><p>The reasons for corruption in different sports are often broadly similar, the report finds. Historically, sports are organized on the principle of autonomy, so sports organizations are often afforded nonprofit or nongovernmental organization (NGO) status in most countries. This status, however, often allows them to operate without any effective external oversight. </p><p>In addition, the corporate structures of many sports are archaic, with the administration overseen by ex-athletes with little experience in management. Many international sports organizations (ISOs) have little motivation to change; in fact, nations like Switzerland and the United Arab Emirates give them favorable legal status and lucrative tax breaks to attract and keep them in country.</p><p>To tackle this problem, the report lays out a slew of recommended actions, grouped in five categories: governance, transparency, participation, major events, and match fixing. </p><p>For example, the 11 recommendations in the governance section include ensuring that ISO representatives are elected through an open vote by members; establishing an internal governance committee that has a mandate to review past and present activities; and creating an independent ethics commission that has effective oversight procedures. </p><p>Although the dozens of recommendations vary widely, there are a few underlying common strategies. One is an emphasis on participation—pushing for a wide range of stakeholders, from sponsors to fan clubs to the athletes themselves, to become involved in anticorruption activities. </p><p>For example, in the match-fixing category, the report recommends that sporting associations be required to offer preventative training courses to athletes, coaches, referees, officials, and parents on detecting match-fixing practices. </p><p>Another approach is to make connections between the sports community and the wider movement against corruption. This latter strategy drives TI’s Corruption in Sport Initiative, in which the organization advocates partnerships with experts and attempts to raise awareness of new research, analysis, and opportunities for dialogue. The initiative’s focus areas will include strengthening the integrity of the bidding and awarding process of major sporting events.</p><p>And for those involved in the fight against corruption, more resources have recently become available. Several months ago, the United Nations Office on Drugs and Crime (UNODC) and the International Centre for Sport Security (ICSS) released a new resource guide designed to help law enforcement and sports organizations detect and investigate incidents of match fixing, and combat the criminal groups involved in those incidents. The guide is also aimed at raising awareness among policymakers about the threat of sports corruption.   </p><p>The new guide provides information on approaches and techniques for effective investigations into sports corruption cases. It also provides guidance on how law enforcement agencies and sports organizations, and other relevant stakeholders, can work together to detect corrupt activities across different jurisdictions, and disrupt the international organized crime syndicates that are actively involved in sports.</p><p>Other topics covered in the guide include sources of information, intelligence, allegations and evidence in sports corruption cases; interviewing techniques and evidence issues; how to apply existing legal instruments such as the United Nations Convention against Corruption (UNCAC) and Convention against Transnational Organized Crime (UNTOC); and guidance on the relationship between investigators and prosecutors in sports corruption cases. </p><p>“The investigative skills of both law enforcement agencies and sports organizations around the world, which are needed to identify and apprehend those responsible, are relatively underdeveloped,” John Brandolino, UNODC’s director for treaty affairs, said when the guide was launched earlier this year.</p><p>ICSS officials hope to work with UNODC to develop a series of workshops and training courses on these issues. ​ ​</p> Top Ten Challenges for ED Security in 2016 and BeyondGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The emergency department (ED) is a high-volume traffic area where different situations can arise daily. There are ways to protect your ED and staff, starting with taking a close look at your security program. The ED is one of the most challenging and stressful areas in a hospital where dramatic life-and-death cases can occur at any moment. Following are the top 10 challenges for emergency department security in 2016 and beyond.</p><p><strong>1) Workplace Violence</strong> – The Emergency Department Violence Surveillance Study by the Emergency Nurses Association, which surveyed more than 7,000 emergency department nurses, found that the emergency department is a particularly vulnerable place for workplace violence. In the survey, 25 percent of the respondents reported having experienced physical violence more than 20 times in the past three years, and nearly 20 percent reported experiencing verbal abuse more than 200 times during the same time period. </p><p>Nurses, as well as doctors and other medical professionals, are on the emergency department’s front lines, facing potentially volatile situations. As reported in Potential: Workplace Violence Prevention and Your Organizational Success, in “inner-city areas, the ED will often get gunshot cases following gang violence episodes, with friends and family members of the wounded following them into the facility.”</p><p>Drug and alcohol-induced violence are also common in the emergency department. Domestic violence plays out there as well, with the aggressor following the injured partner to the hospital and attempting to keep them silent on the cause of the injuries. </p><p>The Joint Commission, which accredits and certifies U.S. healthcare organizations, has classified the ED as a sensitive area, noting that hospitals and emergency care facilities must have a well-defined security plan to address violence. The plan should include all ED staff, management, human resources, security, and local law enforcement. A comprehensive assessment of the ED’s safety and security plan should be executed often to identify strengths and uncover areas for improvement.</p><p><strong>2) The Metal Detector Debate</strong> – Hospital administrators and security leaders have a lot to consider when contemplating the use of metal detectors in the ED. The perception of metal detectors in the ED is often debated as it is critical for the community to consider the ED a safe place. The installation of metal detectors may result in some people saying that their very presence implies their community is dangerous. But this type of proactive access control procedure can also be seen as positive security function. </p><p>Another consideration is how effective metal detectors are. Using metal detectors in one location, such as the ED, while other entrances are not similarly monitored, defeats the purpose of the metal detector and provides a false sense of security. There must be strict procedures for confiscated items and use of handheld devices to supplement the walk-through device. In addition, training and maintaining the equipment will need to be addressed. </p><p><strong>3) Armed Security Considerations</strong> – When hospitals evaluate their local crime statistics and review their security programs, they sometimes consider the deployment of armed security officers. Making a decision about the use of firearms or other weapons requires careful consideration of multiple factors including training, supervision, liability, and community response. The decision is not only highly sensitive but also dependent on the needs and culture of the individual facility. There is not an industry-wide recommendation on armed security officers–it must be an individual, facility-specific decision.</p><p>Before incorporating firearms into the hospital environment, other tools such as Taser or pepper foam should be carefully evaluated, data and trends analyzed, and a review team formed to help ensure that all factors are considered and the needs of all stakeholders evaluated. </p><p><strong>4) Staffing Patient Watch Programs</strong> – Patient watch is not to be confused with a “sitter program” where a healthcare attendant watches a patient who is elderly, disabled, or impaired and may be at risk of falling or other non-violent risks. A patient watch is implemented to monitor a patient to protect that patient and others from violent or aggressive behavior. The patient must be identified, as per the laws of the individual state, as a threat to themselves or others and placed in an involuntary patient status by the appropriate authority, which could be law enforcement or clinical staff.</p><p>Well-trained security officers are an excellent resource for patient watches. While medical and security staff must collaborate, the clinical demands of medical staff often prohibit them from being assigned to conduct patient watches. Ensuring the appropriate staffing is the number one priority for effective patient watches. Will a security officer be pulled off their regular post to be assigned to patient watch? Will someone be assigned from outside the organization? Are dedicated patient watch security officers assigned to each shift? If a patient is aggressive and a security officer is responding, back-up security needs to be close at hand. Also, because an aggressive patient is susceptible to adverse health developments, it’s critical that medical staff are prepared to respond quickly.</p><p><strong>5) Maintaining Crowd Control </strong>– A number of extenuating circumstances, from a high-profile shooting victim to an outbreak of the avian flu, can rapidly transform a quiet ED into a very crowded place. Situation-specific protocol needs to be established. For example, the shooting of a police officer will attract scores of media and law enforcement. Protocol for this situation often includes establishing staging areas outside of the ED for the media and police to convene. In the event of a major flu epidemic, a triage area could be set up to address urgently sick patients, isolating these highly contagious people from the rest of the ED population. Advanced identification of potential situations and the development of corresponding plans will allow for seamless response and minimized disruption to hospital operations.</p><p><strong>6) Social Media and Patient Privacy</strong> – The use of social media by medical institutions has increased dramatically and has proven to be an efficient means of sharing information and communication with the community. However, employee social media use while on duty can pose a risk. Anyone who works in the medical environment is just a tweet or Instagram post away from violating federal patient privacy requirements. Health Insurance Portability and Accountability Act (HIPAA) maintains stringent patient privacy standards for everyone who works in the medical field, from doctors, nurses, and administrators to security officers. It is important for all medical facilities to have formal social media policies with clear guidelines on appropriate social media usage and the repercussions for violating them. </p><p><strong>7) Security Awareness Training for ED Staff </strong>– Training for the ED staff, beyond what’s prescribed for a healthcare profession, is vital so they can learn to recognize abnormal behavior and know how to diffuse a violent situation. Staff need to be confident in the plan and understand the major role they play in keeping the ED safe. Make sure that your staff understands that violence against them is never appropriate and establish reporting procedures. A culture of collaboration will help medical and security staff work together, and shared training will foster team work.  </p><p><strong>8) ED Security Team Training</strong> – It is generally understood that training is an essential part of an effective healthcare security program, but how much training is necessary? What if a security officer already has experience? The importance of relevant and ongoing training for security officers working in healthcare facilities cannot be overstated. It is critical to ensuring the safety and security of a hospital’s staff, patients, and visitors.</p><p>Even if a security officer who is new to a facility has previous security experience, or worked in a similar field such as law enforcement, training is still critical. Every healthcare facility is different and security officers must receive the appropriate training. There are three primary categories of training in healthcare security:</p><ul><li><p><span style="text-decoration:underline;">Basic Security Officer Training</span> – Security officers must complete training in standard security procedures such as patrolling, report writing, and access control; as well as training appropriate to their assigned duties. For example, those serving in an ambassador capacity should receive enhanced customer service training.<br></p></li><li><p><span style="text-decoration:underline;">Industry-specific Training</span> – Healthcare security officers must also be trained in state and federal regulations and standards, HIPAA, and infection control. The security team needs training to understand and support the hospital’s compliance efforts. For example, a well-trained security officer who understands the essentials of HIPAA regulations sees a box of discarded papers containing protected health information (PHI) near the trash dumpster and immediately reports it to hospital administration, potentially avoiding fines and/or a loss of accreditation for accidental disclosure. Or, if a visitor is asked to leave the hospital for disruptive behavior and later returns seeking emergency medical treatment, a security officer who is aware of the Emergency Medical Treatment & Labor Act knows that this person cannot be turned away, as that would be a violation of federal law. <br></p></li><li><p><span style="text-decoration:underline;">Hospital-specific Training </span>– Even if security officers are up-to-date on the previous two categories, they must receive training pertinent to the facility. Department-specific codes and procedures can vary by hospital, as will access control and incident reporting processes. <br></p></li></ul><p><strong>9) Emergency Preparedness Planning </strong>– The need for comprehensive emergency preparedness plans in a hospital cannot be overstated. And, establishing a plan that addresses patient, staff and visitor safety–in a range of emergency scenarios–is only the beginning. Ongoing communication, training and drills are critical for the entire facility and especially the ED with its constant flow of people in various medical states. Being unprepared for, or unable to seamlessly respond to an emergency, can create serious concerns if security personnel are therefore unavailable to manage access control, aid distressed patients and otherwise secure the facility as usual. The most effective emergency plans are comprehensive and incorporate the security team who will lead these plans when activated.</p><p><strong>10) Delivering Customer Service through Security – </strong>Security personnel are highly visible and strategically positioned to interact with all individuals entering the ED. With proper training, the security team can become a valuable part of the effort to create a positive patient and visitor experience. If they see someone getting emotional, a well-trained officer will immediately step in to try and calm them down before the situation gets out of control. They may offer the person a coffee or blanket, or simply a friendly ear. </p><p>Part of creating an outstanding ED experience includes producing and maintaining a safe, secure and customer-friendly environment for patients, visitors, and staff. Security officers can take on a customer service role—by combining customer service and security, visitors, patients, and staff feel safe and engaged. </p><p>In an industry as dynamic as healthcare, it’s easy to move existing programs that seem “good enough” to the back burner to focus on more pressing and urgent needs. Even if an ED has already implemented changes to its security program, periodic assessments should be performed to ensure that it remains effective. Regularly evaluating and improving the security program will help keep the ED’s staff, patients, and visitors safer, and will contribute to a more positive atmosphere for the entire facility.</p><p>--</p><p><em><strong>Kenneth Bukowski</strong> is Vice President, Vertical Markets, at Allied Universal and can be reached at ​</em></p> Guns & HealthcareGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​<img src="/ASIS%20SM%20Article%20Images/guns-healthcare-infographic-FINAL.jpg" alt="" style="margin:5px;" /></p>