More Headlines

 

 

<h3><a href="https://sm.asisonline.org/Pages/Britain-To-Remain-at-‘Critical’-Threat-Level-Over-Weekend.aspx">Britain To Remain at ‘Critical’ Threat Level Over Weekend</a></h3>
<p>Britain will remain at its highest terror alert level—critical—throughout the holiday weekend, authorities said. This means that another attack "is expected imminently."</p>
<p>The threat level remains at critical because of concerns about copycat attacks and attacks by a possible network that may have aided Manchester Arena bomber Salman Abedi, the <a href="http://www.bbc.com/news/uk-40056102" target="_blank">BBC News reports.</a></p>
<p>Detectives confirmed that they had "got hold of a large part of the network" and made "immense" progress arresting people suspected of aiding Abedi, <a href="https://www.theguardian.com/uk-news/2017/may/26/manchester-attack-police-arrest-man-and-search-barber-shop-moss-side-st-helens" target="_blank"><em>The Guardian</em> reports.</a></p>
<p>"Clearly, we haven't covered all the territory we want to but we have covered a large part of it so our confidence has been increasing in recent days," said Britain's top counter-terrorism officer, Mark Rowley. "But there's still more to do."</p>
<p>As of Friday afternoon, authorities had arrested eight men in connection to the Manchester Arena bombing. Their names have not been released to the public. 
</p><p>Detectives are also focusing on how the bomb used in the attack was made.<br></p><p>"Investigators believe aspects of the way the bomb was built point towards the maker having made improvised explosive devices before," according to <em>The Guardian.</em> "It showed considerable power and the nuts and bolts had been packed to maximize their murderous effect."</p><p>Immediately after the bombing, authorities were attempting to determine if Abedi had made the device himself or if someone else made it for him. </p><p>New information, reported by media outlets including <em><a href="https://www.nytimes.com/2017/05/26/world/europe/manchester-attack-uk-bomber.html?rref=collection/sectioncollection/europe" target="_blank">The New York Times,</a></em> revealed that Abedi "opened a bank account about a year ago, drew money from it to buy nails and screws from two hardware stores, and rented an apartment where he built the explosive device" he eventually detonated at the arena.</p><p>U.S. Representative and Chair of the House Homeland Security Committee Michael McCaul (R-TX) also confirmed that Abedi's backpack—which he used to carry the bomb in—contained triacetone triperoxide, the same explosive used in the London 2005, Paris 2015, and Brussels 2016 attacks.</p><p>While the threat level remains at critical, Britain is preparing to hold 1,300 events across the country this weekend for a bank holiday. Police have reviewed security procedures and increased patrols in areas where more boots on the ground are needed, <em>The Guardian</em> reports.​</p><p>"Extra armed police will patrol the FA Cup final at Wembley, where armored vehicles will be deployed, and the rugby premiership final at Twickenham," <em>The Guardian</em> said. "Fifty percent more firearms officers have been deployed on the streets, including some who were seen patrolling on Scarborough beach on Friday."</p>
<h3><a href="https://sm.asisonline.org/Pages/Soft-Targets---What-Security-Professionals-Can-Learn-From-the-Manchester-Attack.aspx">Soft Targets: What Security Professionals Can Learn From the Manchester Attack</a></h3>
<p><em>Michael J. Fagel is a crisis management expert with more than 30 years of experience in emergency planning and response. He has written several books and is co-author of </em>Soft Targets and Crisis Management: What Emergency Planners and Security Professionals Need to Know<em>. He is a member of the ASIS School Safety and Security Council. </em></p>
<p>Security Management <em>Associate Editor Holly Gilbert Stowell</em> <em>spoke to Fagel about the recent terror attack in Manchester, England, and what security professionals can do to prevent soft target attacks. Their conversation has been lightly edited for clarity.</em></p>
<p><strong>Stowell: From what we've seen over the last few months, attacks on soft targets—places of worship, study, and leisure—seem increasingly commonplace. What type of target is the Manchester Arena—a typical soft target, or some sort of hybrid with unique features? </strong></p>
<p><strong>Fagel: </strong>It is a typical soft target, given the fact that there are more and more security measures in place as people get closer to the venue. It's a pretty common occurrence in stadiums, to have nonsecure areas where people are approaching the building. Just think of an airport, think of a baggage claim, think of queuing up before you get in the airport. Everybody's milling about in these common spaces before they go through security. </p>
<p><strong>Stowell: The Manchester attacker detonated a suicide bomb on the perimeter of the event as people were filing out of the concert. Do you think the perimeter is actually a bigger concern for a soft target than inside the venue itself? 
</strong></p>
<p><strong>Fagel: </strong>I think they're equally as critical. The perimeter is of equal significance and of equal danger as inside, because nobody knows who's walking about the perimeter and the nonsecure area. A backpack looks innocuous, a lunchbox, a briefcase, a shopping bag—any one of those things would be very common in a place of commerce and wouldn't look out of the ordinary. So anybody could be wandering with that object, and you would never know that they were engaging in malicious activity. </p>
<p><strong>Stowell: Are U.S. arenas, and other facilities similar to the Manchester Arena in the United States, now vulnerable to attack? If so, in what ways? </strong></p>
<p><strong>Fagel: </strong>I don't want to be an alarmist, I want to be a realist. Nothing is invulnerable to this type of attack. I've worked in the Middle East and all over the world. Our society right now is not prepared for this type of event. I've been training police officers, firefighters, and rescue personnel for the last 20 years, and we are continually striving to be better than we are, but the bad guys learn from each incident. Every time something occurs, they will get better, and if you look at the terrorist propaganda, there are explicit instructions on how to carry out these sort of events. These elements are cookbooks for the bad guys. </p>
<p>Terrorists take advantage of our openness, of our fairness, and our way of life, which they don't like for whatever reason. They use that against us. Do we want to change that? No. We're built on freedoms, but we have to be cautious that the bad guys are learning minute by minute—and nothing is off limits now. </p>
<p><strong>Stowell: Speaking of limits, this was an attack on a venue containing children and teenagers. 
Do we have a moral boundary in our minds that causes us to treat security differently for events concerning younger people? </strong></p><p><strong>Fagel: </strong>Have the bad guys crossed a line? The answer is yes. Have they done something that is heinous? Yes. I worked the Oklahoma City bombing in 1995 and carried out rescue and recovery during the attacks. I thought that was the worst thing I had ever seen, and having been a medic, firefighter, and police officer for many years, and seeing infants killed—I thought that crossed a line. </p><p>But bad guys now targeting the concert with a younger crowd, people as young as eight years old, to me that crosses every moral boundary. After September 11, people were really vigilant about security for the first few months, but then they started to get more lax. You can never let your guard down. As soon as you start to relax and think the threat is over with, the bad guys are watching our behaviors and will seize ​on that opportunity. They're watching our security postures. They're watching how we react to things. </p><p><strong>Stowell: What lessons can security professionals take away from this attack to help increase security at soft target venues? </strong></p><p><strong>Fagel: </strong>Think of soft targets like a bullseye with rings around it. Picture an airport where security needs to start prior to the secure area. If the airport is the bullseye, security needs to start in the parking lot, baggage delivery, at ticket counters. It needs to start way before you approach the secure zone, so that security is the culture of the entire area. </p><p>You have layers of defense, layers that protect you as you move closer and closer to the soft target in the middle. Let's say in an office building there's a security server for the Internet. If that's the bullseye—I have to prevent people from ever getting there. And an office​ worker is the softest target with Internet access and passwords. 
It's the concept and culture of hardening people, and hardening your venues so that you're more aware, and preventing something before it even gets close to your bullseye. </p><p>There must be a personal awareness. It's not somebody else's job, it's our responsibility as alert citizens to be cognizant of our surroundings, see something say something. If it doesn't look right, it probably isn't right. </p><p>Finally, the solution is having an attitude and an awareness for things that may be out of place. I'm not talking about profiling people, I'm talking about profiling behaviors and actions. The Virginia Tech shooter, [Seung-Hui​] Cho, was at the gun range, shooting holes in paper targets face down. That's a behavior. Omar Mateen wanted to buy body armor in Florida before carrying out the Pulse Nightclub massacre. Is the person acquiring weaponry? Are they buying precursory devices and material? Are they buying powder for explosives? Are they buying ammunition? Are they taking shotgun shells apart? Are they asking weird questions at the gun range, the gun shop, or the fireworks store? </p><p>Use commonly available tools and information to develop your intelligence quotient and your ability to see what may be happening. It's all about awareness. ​</p>
<h3><a href="https://sm.asisonline.org/Pages/Terror-Attack-Strikes-Manchester-Arena—What-We-Know.aspx">Terror Attack Strikes Manchester Arena: What We Know</a></h3>
<h4>What We Know</h4>
<ul>
<li><p>A bomb exploded outside Manchester Arena on Monday as an Ariana Grande concert was ending, killing at least 22 people and wounding 59 others.</p></li>
<li><p>The bomber, who was killed in the explosion, was identified as Salman Abedi, 22, of Manchester.</p></li>
<li><p>ISIS claimed responsibility for the bombing, but officials have not verified that claim.</p></li>
<li><p><em>Security Management</em> created a master list of references and resources for security professionals on stadium and soft target security. Access them, for free, <a href="/Pages/Stadium-and-Soft-Target-Security-Resources.aspx">here.</a></p></li>
<li><p>The United Kingdom raised its terror threat level from severe to critical, meaning that a further attack may be imminent.</p></li>
</ul>
<h4>Ariana Grande Puts 'Dangerous Woman' Tour on Hold</h4>
<p><strong>Update: 3:10 p.m., May 24, 2017</strong></p>
<p>Ariana Grande is putting her "Dangerous Woman" tour on hold following the Manchester Arena bombing, the pop star said in a statement.</p>
<p>"Due to the tragic events in Manchester the 'Dangerous Woman' tour with Ariana Grande has been suspended until we can further assess the situation and pay our proper respects to those lost," the singer's management team said in a <a href="http://money.cnn.com/2017/05/24/media/ariana-grande-cancels-shows-tour/index.html?sr=twcnni052417ariana-grande-cancels-shows-tour0701PMVODtopPhoto&linkId=37975750" target="_blank">statement obtained by CNN.</a></p>
<p>The postponement means Grande's performances scheduled for tomorrow and Friday in London will be canceled, along with a show in Switzerland on June 5.</p>
<p>"We ask at this time that we all continue to support the city of Manchester and all those families affected by this cowardice and senseless act of violence," the statement continued. "Our way of life has once again been threatened but we will overcome this together."</p>
<h4>Bomber's Brother, Father Arrested Abroad</h4>
<p><strong>Update: 3:00 p.m., May 24, 2017</strong></p>
<p>Authorities have arrested two family members of the Manchester Arena bomber, Salman Abedi, as they continue to investigate whether he was working with a network to carry out the attack.</p>
<p>Libya counterterrorism officials arrested Abedi's younger brother, Hashem Abedi, who <a href="https://www.washingtonpost.com/world/british-prime-minister-raises-nations-threat-level-saying-another-attackmay-be-imminent/2017/05/24/dd5367e8-3fec-11e7-b29f-f40ffced2ddb_story.html?utm_term=.8da72f106f0b&wpisrc=al_alert-COMBO-world%252Bnation&wpmk=1" target="_blank"><em>The Washington Post</em> reports</a> was suspected of planning an attack in Tripoli.</p>
<p>The Post spoke to Ahmed Dagdoug, a spokesman for Libya's counterterrorism Reda Force, who said Hashem was in "frequent contact with his brother Salman in Manchester and was aware of the plans to attack the concert."</p>
<p>Authorities also arrested Abedi's father, Ramadan, on Wednesday. 
Ramadan, known as Abu Ismail,<a href="https://www.nytimes.com/2017/05/24/world/europe/manchester-uk-bombing-live.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=b-lede-package-region&region=top-news&WT.nav=top-news" target="_blank"> spoke to <em>The New York Times</em></a><em> </em>earlier this week and said that he did not believe his son carried out the attack at the arena.</p><p>"His ideas and his ideology were not like that," Abu Ismail said. "He was born and raised in Britain. He's a British citizen and he does not hold such ideologies."</p><h4>What security professionals can learn from the Manchester attack</h4><p><strong>Update: 12:35 p.m., May 24, 2017</strong></p><p>Following the Manchester Arena bombing, <em>Security Management </em>reached out to several crisis management and soft target security experts to find out what security professionals can learn from the attack. </p><p>One of those experts was Michael J. Fagel, a crisis management expert with more than 30 years of experience in emergency planning and response. He sat down with Associate Editor Holly Gilbert Stowell to talk about the attack and what security professionals can do to prevent future similar attacks.</p><p><strong>Stowell: From what we've seen over the last few months, attacks on soft targets--places of worship, study, and leisure--seem increasingly commonplace. What type of target is the Manchester Arena--a typical soft target, or some sort of hybrid with unique features?</strong></p><p><strong>Fagel:</strong><strong> </strong>It is a typical soft target, given the fact that there are more and more security measures in place as people get closer to the venue. It's a pretty common occurrence in stadiums, to have nonsecure areas where people are approaching the building. Just think of an airport, think of a baggage claim, think of queuing up before you get in the airport. 
Everybody's milling about in these common spaces before they go through security.</p>
<p><em>Continue reading their conversation by clicking </em><a href="/Pages/Soft-Targets---What-Security-Professionals-Can-Learn-From-the-Manchester-Attack.aspx"><em>here.</em></a></p>
<h4>Manchester Attack Victims Named</h4>
<p><strong>Update: 11:00 a.m., May 24, 2017</strong></p>
<p>Twenty-two people were killed in the Manchester Arena bombing, and the Greater Manchester Police Department said it is "confident" it knows the identity of all of the individuals.</p>
<p><a href="https://www.theguardian.com/uk-news/2017/may/24/go-sing-with-the-angels-families-and-friends-pay-tribute-to-manchester-victims">Twelve victims </a>have been named by their families, <a href="https://www.theguardian.com/uk-news/live/2017/may/24/manchester-arena-bombing-terror-attack-victims-threat-critical-ariana-grande-concert-live-news?page=with:block-592582cfe4b0e2555d2b2b40#block-592582cfe4b0e2555d2b2b40"><em>The Guardian</em> reports:</a></p>
<ul>
<li><p>Jane Tweddle-Taylor, 51</p></li>
<li><p>Nell Jones, 14</p></li>
<li><p>Martyn Hett, 29</p></li>
<li><p>Angelika Klis, 40</p></li>
<li><p>Marcin Klis, 42</p></li>
<li><p>Georgina Callander, 18</p></li>
<li><p>Saffie Rose Roussos, 8</p></li>
<li><p>John Atkinson, 28</p></li>
<li><p>Kelly Brewster, 32</p></li>
<li><p>Olivia Campbell, 15</p></li>
<li><p>Alison Howe, 45</p></li>
<li><p>Lisa Lees, 47</p></li>
</ul>
<p>The National Casualty Bureau has an emergency number available for those concerned about anyone who may have been impacted by the Manchester Arena bombing. The number to call is: 0800 096 0095.</p>
<h4>Details Begin to Emerge About Arena Bomber</h4>
<p><strong>Update: 10:45 a.m., May 24, 2017</strong></p>
<p>Two days after the Manchester Arena bombing, new details have emerged about Salman Abedi, the man who carried out the attack on Monday night. 
</p>
<p>Abedi was born in Manchester and was the son of Libyan immigrants, who moved back to Libya after spending decades in the United Kingdom, <a href="https://www.nytimes.com/2017/05/24/world/europe/manchester-bomber-salman-abedi.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news&_r=0" target="_blank"><em>The New York Times</em> reports. </a></p>
<p>Abedi had visited Syria and also went to visit his parents in Libya, who raised concerns to him about his radicalization, according to an individual who spoke with The Times.</p>
<p>He was known to security services, <a href="https://www.theguardian.com/uk-news/2017/may/23/manchester-arena-attacker-named-salman-abedi-suicide-attack-ariana-grande" target="_blank"><em>The Guardian</em> reports</a>, but Abedi was "not part of any active investigation or regarded as a high risk." Instead, he was "viewed as a peripheral figure in much the same way as the Westminster attacker, Khalid Masood."</p>
<p>Authorities are still working to determine where the bomb Abedi used was created, and if he had help assembling the device. </p>
<p>"It seems likely--possible--that he wasn't doing this on his own," said Britain's Home Secretary Amber Rudd.</p>
<h4>SM Is Signing Off for the Night</h4>
<p><strong>Update: 5:15 p.m., May 23, 2017</strong></p>
<p><em>Security Management</em> is signing off for the night and will not be providing updates to this post until tomorrow morning at approximately 10 a.m. 
EST.</p>
<p>For live updates, follow feeds from <a href="https://www.theguardian.com/uk-news/live/2017/may/22/manchester-arena-ariana-grande-concert-explosion-england"><em>The Guardian</em></a> and the <a href="http://www.bbc.com/news/live/uk-england-manchester-40007967">BBC.</a></p>
<h4>UK Raises Terror Level From Severe to Critical</h4>
<p><strong>Update: 5 p.m., May 23, 2017</strong></p>
<p>The United Kingdom is increasing its terror threat level from severe to critical.</p>
<p>"It is a possibility that we cannot ignore that there is a wider group of individuals linked to this attack," said UK Prime Minister Theresa May. </p>
<p>The Joint Terrorism Analysis Center has been monitoring intelligence throughout the day, and based on its findings May said it is raising the threat level.</p>
<p>"This means not only that an attack remains highly likely but that a further attack may be imminent," May said.</p>
<p>With the raising of the threat level, Operation Temperer is now in force, <a href="https://www.theguardian.com/uk-news/live/2017/may/22/manchester-arena-ariana-grande-concert-explosion-england?page=with:block-59249e1de4b0533caf41a9f4#block-59249e1de4b0533caf41a9f4"><em>The Guardian</em> reports, </a>and armed police who normally protect the Houses of Parliament and other sites in the United Kingdom will be replaced with military personnel. </p>
<h4>DHS Official: No Plan to Make Security Changes Due to Manchester Arena Bombing</h4>
<p><strong>Update: 3:20 p.m., May 23, 2017</strong><br><br>A U.S. 
Department of Homeland Security (DHS) official who spoke to ABC News said there are currently no plans in place to make <a href="http://abcnews.go.com/Politics/dhs-official-plans-change-security-measures-manchester-attack/story?id=47589691" target="_blank">"significant security changes"</a> in the United States in response to the Manchester Arena bombing.</p>
<p>"The DHS official said that the federal security posture in the U.S. is already at high levels and that there is not much more to be done in the aftermath of the attack," ABC News reports.</p>
<p><a href="https://www.dhs.gov/news/2017/05/22/dhs-statement-incident-manchester-arena" target="_blank">DHS issued a statement</a> hours after the attack on Monday, saying it was closely monitoring the situation and is working with its foreign counterparts to obtain additional information about the incident. </p>
<p>"At this time, we have no information to indicate a specific credible threat involving music venues in the United States," DHS said. "However, the public may experience increased security in and around public places and events as officials take additional precautions."</p>
<h4>Manchester Arena to Remain Closed</h4>
<p><strong>Update: 2:10 p.m., May 23, 2017</strong></p>
<p>Manchester Arena announced that it will postpone two concerts scheduled for later this week due to the bombing on Monday. </p>
<p>In a statement via Twitter, the arena said it will postpone two shows by Take That, an English pop group, on Thursday and Friday. </p>
<p>"We are assisting the police in any way we can," Manchester Arena said on Twitter. 
"We cannot praise the emergency services enough for their response and have been inspired by the way the people of this great city of Manchester rallied round last night and have continued to respond today. It shows the very best of this city."</p><p>Take That  was scheduled to perform in Liverpool tonight, but announced that it would be <a href="https://twitter.com/takethat?ref_src=twsrc%5egoogle%7ctwcamp%5eserp%7ctwgr%5eauthor" target="_blank">postponing the show </a>as a sign of respect to those affected by the Manchester Arena bombing. <br><br>Ariana Grande has not cancelled any future dates for her Dangerous Woman Tour, but <a href="http://ew.com/music/2017/05/23/ariana-grande-tour-not-canceled/"><em>Entertainment Weekly</em> reported</a> that her team is assessing whether to continue. </p><p>"Right now, the focus is on the victims and grieving for them. We're not focused on the tour," a source told EW. <br><br>Grande's next performances are scheduled for London's O2 arena on Thursday and Friday. 
The venue released a statement earlier today saying that it is working with Grande's promoters and will provide an update on whether the concerts will go on as planned.</p>
<h4>Authorities Identify Manchester Arena Suspected Bomber</h4>
<p><strong>Update: 1:30 p.m., May 23, 2017</strong><br><br>UK authorities identified the suspected bomber who carried out the attack on Manchester Arena as Salman Abedi, 22, who was born in Manchester, the <a href="http://www.bbc.com/news/uk-40020168">BBC reports.</a></p>
<p>"Abedi, who had at least three siblings, and lived at several addresses in Manchester, including a property at Elsmore Road, Fallowfield, which was earlier raided by police," according to the BBC.</p>
<p>Police are still working to confirm if Abedi planned the bombing alone, or was working with others to carry out the attack. 
Greater Manchester Police Chief Constable Ian Hopkins declined to provide further details about Abedi to <a href="https://www.nytimes.com/2017/05/23/world/europe/manchester-arena-attack-ariana-grande.html" target="_blank"><em>The New York Times,</em></a> and also said that a coroner has not officially identified him.</p>
<p>"The priority remains to establish whether he was acting alone or as part of a network," Hopkins said.</p>
<h4>Experts Say Bombing Points to Vulnerabilities</h4>
<p><strong>Update: 12:15 p.m., May 23, 2017</strong><br><br>Stadiums and event spaces often have metal detectors, bomb detection technology, cameras, and security guards inside. But the attack at Manchester Arena shows the need for more vigilance in areas outside security zones, an expert told <a href="http://www.latimes.com/local/lanow/la-me-security-manchester-local-20170522-story.html" target="_blank"><em>The Los Angeles Times.</em></a></p>
<p>Michael Downing, executive vice president of security for Prevent Advisors, told the Times that extra attention needs to be paid to transportation centers, walkways, and parking lots at event spaces. 
</p>
<p>"Obviously, we are going to have to look at ingress and egress," he said, because terrorists tend to target areas where large crowds gather.</p>
<p>Other security experts who spoke with Reuters said they expect countries around the world to tighten security ahead of major cultural and sporting events following the bombing. However, they do not anticipate that these measures will stop determined attackers.</p>
<p>"Whatever is done--and in this case it's British intelligence which is considered among the best in the world--it won't prevent such incidents happening," said Jean-Charles Brisard, president of the Centre for the Analysis of Terrorism.</p>
<p>"You can bring back the perimeter, add security gates, and as many controls as you want, but that will not change the fact that a determined individual will carry out his act if he is not caught before."</p>
<h4>Bombing at Manchester Arena Kills at Least 22 People, Injures Scores More</h4>
<p><strong>Update: 11:15 a.m., May 23, 2017</strong></p>
<p>A man detonated a bomb at Manchester Arena Monday night, killing at least 22 people and injuring scores more in the deadliest terror attack in Britain since 2005.</p>
<p>The bomber—who has not been identified—was killed in the blast, and ISIS has claimed responsibility for the bombing; however, the terrorist organization's claim has not been verified.</p>
<p>ISIS claimed the attack as revenge against "Crusaders," <a href="http://www.reuters.com/article/us-britain-security-manchester-idUSKBN18I2OP">according to Reuters.</a> "But Western experts were skeptical, noting it had offered two accounts of the attack partly contradicting each other and the British police version."</p>
<p>The 21,000-seat Manchester Arena 
was full of teenagers and their families on Monday night for a concert by American pop star Ariana Grande. </p>
<p>As the concert was ending, around 10:30 p.m. local time, a blast tore through the entrance hall next to the Victoria Station and concertgoers panicked to exit.</p>
<p>"There was this massive bang. And then everyone just went really quiet. And that's when the screaming started," Ryan Molloy, a concertgoer, <a href="https://www.apnews.com/e0112659f579401a93a769517d7d8d89/Islamic-State-group-claims-deadly-Manchester-concert-bombing">told the AP</a>. "As we came outside to Victoria Station, there were just people all over the floor covered in blood."</p>
<p>Authorities closed the station and shut down public transportation from the arena, so many Manchester residents offered to allow concertgoers to stay in their homes overnight.</p>
<p>Authorities are actively working to determine if the bomber acted alone, and if not, to identify and arrest his accomplices.</p>
<p>"The police said that they were canvassing leads and poring over surveillance footage to determine if the assailant—who died in the assault—had acted with any accomplices," <a href="https://www.nytimes.com/2017/05/23/world/europe/manchester-arena-attack-ariana-grande.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news">The New York Times reports.</a> "Shortly before noon on Tuesday, the police announced that they had arrested a 23-year-old man southwest of the city center 'with regards to last night's incident,' but they did not provide additional details."</p>
<p>Manchester Mayor Andy Burnham has also made plans to host a vigil on Tuesday night in Albert 
Square. "Whilst the area around Manchester Arena is still cordoned off, we want to remind people that Manchester will not be defeated—the city is open for business," Greater Manchester Police said.</p>
<p>This is an ongoing story. <em>Security Management</em> will continue to update this post as more information is confirmed and becomes available.</p>
<h3><a href="https://sm.asisonline.org/Pages/Stadium-and-Soft-Target-Security-Resources.aspx">Stadium and Soft Target Security Resources</a></h3>
<p>In the wake of the Manchester bombing, <em>Security Management</em> is committed to providing resources and expertise that address the protection of soft targets such as stadiums and public venues. Following are articles, reviews, and reports that can be used to understand the attack in a wider context as well as strengthen security measures. <a href="/Pages/Terror-Attack-Strikes-Manchester-Arena—What-We-Know.aspx" target="_blank">Click here</a> for <em>Security Management</em>'s coverage of the attack.</p>
<h4>Articles</h4>
<ul><li><p>Last night's attack took place exactly two months after <a href="/Pages/Four-Killed-In-U.K.-Parliament-Attack.aspx">a man drove into a crowd of people</a> then stabbed a police officer outside of the UK parliament, killing four. 
</p></li><li><p>The incident was reminiscent ​of the November 2015 attacks in Paris, which occurred outside of a stadium as well as in a concert venue.​​ <a href="/Pages/A-Defensive-Stance.aspx" target="_blank">This ​2016 article discusses stadium security and the fan experience.</a><br></p></li><li><p><a href="/Pages/Vehicle-Access-at-Stadiums.aspx" target="_blank">Vehicle access to stadiums</a> is another vulnerability that could be taken advantage of by attackers.</p></li><li><p>There are a number of <a href="/Pages/Securing-the-Fan-Experience.aspx">government resources and checklists ​</a>for securing stadiums.</p></li></ul><div><br></div><h4>ASIS Toolkits and reports<br></h4><ul><li><p>​​ASIS-curated resources for<a href="https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Protecting-Soft-Targets.aspx" target="_blank"> protecting soft targets​</a></p></li><li><p>Crisis management and <a href="https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Crisis-Management.aspx" target="_blank">emergency preparedness toolkit​</a></p></li><li><p><a href="https://foundation.asisonline.org/FoundationResearch/CRISP-Reports/CRISP-Report-Library/sports-team-travel-security/Pages/default.aspx">CRISP Stadium Security report​</a></p></li></ul><h4>Book Reviews​</h4><p></p><ul><li><p><a href="/Pages/Book-Review---Disaster-Management.aspx">Introduction to International Disaster Management , 3rd edition​</a><br></p></li><li><p><a href="/Pages/ASIS-News-April-2017.aspx" target="_blank">Managing Critical Incidents and Large-Scale Event Security</a><br></p></li><li><p><a href="/Pages/Book-Review---Counterterrorism.aspx" target="_blank">Counter-terrorism: Reassessing the Policy Response</a><br></p></li><li><p><a href="/Pages/Book-Review---Active-Shooter.aspx">Active Shooter: Preparing for and Responding to a Growing Threat</a><br></p></li><li><p><a href="/Pages/Book-Review---Emergency-Management-and-Social-Intelligence.aspx" 
target="_blank">Emergency Management and Social Intelligence: A Comprehensive All-Hazards Approach</a></p></li><li><p><a href="/Pages/Book-Review---Bomb-Threats.aspx">A Law Enforcement and Security Officers' Guide to Responding to Bomb Threats, 3rd Edition</a></p></li><li><p><a href="/Pages/custom-search-results.aspx?k=Soft%20Target%20Hardening" target="_blank">Soft Target Hardening</a><br></p></li></ul><h4>Podcasts<br></h4><p></p><div><ul><li><p><a href="https://soundcloud.com/security-management/bonus-soft-targets-continued" target="_blank">Securing Soft Targets</a> <br></p></li><li><p><a href="https://soundcloud.com/security-management/bonus-fighting-isis-in-europe" target="_blank">Fighting ISIS in Europe</a><br></p></li><li><p><a href="https://soundcloud.com/security-management/special-edition-london-terror-attacks">London Terror Attacks</a><br></p></li></ul></div>
https://sm.asisonline.org/Pages/On-Site-and-Cloud-Access-Control-Systems.aspxOn-Site and Cloud Access Control SystemsGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Back in the 1970s, electronic access control systems were rudimentary by today’s standards. Those early systems consisted primarily of simple keypads for inputting PIN (personal identification number) codes, or ID cards and readers using magnetic stripe or Wiegand technology to grant or deny access while also maintaining a record of user access. There were few choices when it came to options, integration, and vendors.</p><p>Fast forward to today: now access control systems are frequently the main control platform in a physical security system. These evolved systems allow authorized staff to move freely while keeping a facility or an area secure—and they do much more. Network connectivity allows integration with security subsystems, as well as with business and operational systems such as retail and HR functions. Open architecture designs allow for compatibility with multiple technologies. Smartphones are becoming a mainstream tool in access control systems, and they can sometimes be used in place of an access card. </p><p>Even the most basic access control solution provides some level of tracking, auditing, and reporting. The combination of advanced functionality, flexible features, and integration with other systems allows current systems to provide in-depth information that far exceeds the capabilities of earlier systems.</p><p>Considering these many sophisticated features and functions can be a challenge for the end user, who must not only select an access control system but also determine how and where it will be managed and which solution best meets the organization’s financial and operational needs. 
Because physical security is vital to the protection of people, premises, and assets, it’s a decision that requires understanding of the technology and the applications. Following are a few examples of the options available for managing an access control system and where they are best suited.</p><h4>Credential Type</h4><p>In addition to incorporating biometrics and other advanced access credentials, today’s solutions can support PIN pads, magnetic stripe and/or Wiegand cards, proximity readers, and other technologies that organizations already use. This provides customers with the flexibility to select the credential type that best suits their needs. </p><p>For example, magnetic stripe and Wiegand access cards offer the convenience of embedding user-specific information in addition to access privileges. Because they incorporate embedded wires as opposed to magnetic material and can be used with contactless sensors, Wiegand technologies are less susceptible to extreme temperatures and other hostile environments. Cards used in systems that require contact with readers suffer from wear and tear and therefore must be replaced on a regular basis.</p><p>Proximity readers offer tremendous ease of use and the ability to quickly deactivate lost cards and issue new credentials. Because no contact is required between card and reader, credentials don’t suffer from the wear and tear common with magnetic stripe and Wiegand systems. </p><p>PIN pads are often employed for single-door applications, and their lower cost makes them attractive to organizations with limited budgets. 
They are extremely easy to use but also less secure, because users can easily share their codes with others.</p><p>In addition to cost, security level, and system size, organizations must also consider each technology’s ability to work with a range of access control software, as well as the ability to deploy and manage the solution using any or all of the below models.</p><h4>User-Managed on Site</h4><p>In this scenario, the customer purchases or leases equipment from an authorized reseller/integrator, who installs the system and provides training. A service contract may be included in the sale or lease. The customer is responsible for all programming activity on the dedicated PC, including data entry and updating for names, scheduling, reports, backup, and software updates. Depending on the system, badging may also be included. Other than the installation and training and any service agreement, the reseller/integrator has no additional responsibility.</p><p>Systems managed by the user on site are ideal for small to medium-sized businesses, local government offices, sporting facilities, and the like, where one or two individuals are tasked with maintaining the database, software upgrades, and infrastructure maintenance.  </p><h4>User-Managed Cloud </h4><p>Like the on-site user-managed scenario, this version starts with equipment that is purchased or leased from an authorized reseller/integrator, who installs the hardware and provides training. The difference is that the software is in the cloud and is managed, along with the supporting infrastructure, by the integrator or service provider. All backup, software upgrades, system monitoring, programming, scheduled door locking and unlocking, and other vital access control actions are performed remotely by professional monitoring providers. 
The user may manage only the simple functions of entering, deleting, and modifying names, and possibly badging via a Web portal.</p><p>User-managed cloud systems work well for sites with few or no IT staff—such as franchise locations or property management sites. Each location can handle the day-to-day functions of database maintenance and scheduling via a Web portal, but reports, applying patches and updates, backup, and other group functions are handled in the cloud by the integrator. One useful advantage of this scenario is that the browser application can be accessed at any time and from any device by the user. </p><h4>Remotely Managed Cloud</h4><p>The user has little or no access to the head-end software in this scenario, and all activity is performed by the service provider. Sometimes known as ACaaS (Access Control as a Service), this service is popular with enterprise-level organizations. Hardware can be new or legacy, owned or leased. When modifications are required, the service provider makes the changes. Reports can be run and sent to the end user on a scheduled or as-requested basis. Credentialing is also handled by the service provider.</p><p>Access control systems for several organizations may be hosted in the cloud by the service provider, and the security of the data is ensured with AES encryption. Multilayered filtering and partitioning allow end users to access only their own information (cardholders, access groups, hardware, etc.), while the service provider has full access to all customers’ data.</p><p>By working with a knowledgeable technology partner, such as an integrator or vendor, users will find the help they need to identify which of these solutions best meets their needs. Expertise and experience can help the end user make better and more confident decisions about an access control installation.</p><p><em>Robert Laughlin is president at Galaxy Control Systems. </em></p>
https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspxTrump’s Cybersecurity Executive Order Well Received by ExpertsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​After months of waiting and leaked drafts, U.S. President Donald Trump signed a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal" target="_blank">cybersecurity executive order </a>yesterday that aims to strengthen U.S. government networks and critical infrastructure.</p><p>The executive order is broken into three parts—securing U.S. government networks, enhancing critical infrastructure cybersecurity, and cybersecurity for the nation—and is an effort to change the course of the U.S. government’s cyber posture, said Tom Bossert, White House homeland security advisor, in a <a href="https://www.whitehouse.gov/the-press-office/2017/05/11/press-briefing-principal-deputy-press-secretary-sarah-sanders-and">press briefing on the order.</a><br></p><p>A key element of the executive order is looking at the U.S. government’s cybersecurity as a whole—not as 190 separate agencies, Bossert explained.<br></p><p>“We need to look at the federal government as an enterprise, so that we no longer look at the Office of Personnel Management (OPM) and think, ‘Well, you can defend your OPM network with the money commensurate for the OPM responsibility,’” he said. “OPM, as you know, had the crown jewel, so to speak, of our information and all of our background and security clearances.<br></p><p>“What we’d like to do is look at that and say, ‘That is a very high risk, high cost for us to bear. 
Maybe we should look at this as an enterprise and put collectively more information in protecting them than we would otherwise put into OPM looking at their relevant importance to the entire government.”​<br></p><h4>Government Networks</h4><p>“The first priority for the president and for our federal government is protecting our federal networks,” Bossert explained. “I think it’s important to start by explaining that we operate those federal networks on behalf of the American people, and they often contain the American people’s information and data, so not defending them is no longer an option. We’ve seen past hacks and past efforts that have succeeded, and we need to do everything we can to prevent that from happening in the future.”</p><p>As part of that effort, the executive order said the president will hold executive department and agency heads accountable for managing cybersecurity risk to their enterprises. Under the order, they will implement risk management measures “commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”<br></p><p>Anthony J. Ferrante, senior managing director in the Global Risk & Investigations Practice at FTI Consulting and former director for cyber incident response at the National Security Council, says he’s glad to see this change in the federal government’s posture.<br></p><p>“In the years following the OPM attack, it is nice to see that the administration recognizes that it operates federal networks on behalf of the American people, and it is a strong move to say that the president is going to hold the heads of departments and agencies accountable for the cybersecurity of their networks,” Ferrante adds.<br></p><p>Additionally, agency and department heads are required to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage their respective organization’s risk. 
Each agency has been instructed to provide a risk management report to the secretary of the Department of ​​Homeland Security and the director of the Office of Management and Budget (OMB) within 90 days.<br></p><p>“We have practiced one thing and preached another,” Bossert said. “It’s time for us now…to implement the NIST framework. It’s a risk-reduction framework.”<br></p><p>Requiring government agencies to adopt the NIST framework—like the private sector has been encouraged to do—is a positive step, says Brian Harrell, CPP, director of security and risk management for Navigant Consulting and former director of critical infrastructure protection programs at the North American Electric Reliability Corporation (NERC).<br></p><p>“The acknowledgement of risk acceptance is significant,” Harrell explains. “Within all IT systems, we have the ability to accept, avoid, mitigate, or transfer risk.”<br></p><p>Also part of the executive order’s plan to modernize government IT and manage risk is a directive that agency heads show preference in their procurement for shared IT services, including e-mail, cloud, and cybersecurity services.<br></p><p>“We have 190 agencies that are all trying to develop their own defenses against advanced protection and collection efforts,” Bossert said. “I don’t think that that’s a wise approach.”<br></p><p>Utilizing shared IT services does come with risk, but it will put the federal government in a better position to manage those risks, Bossert added.<br></p><p>“I’m not here to promote for you that the president has signed an executive order and created a cybersecure world in a fortress USA,” he said. “That’s not the answer. But if we don’t move to secure services and shared services, we’re going to be behind the eight ball for a very long time.”<br></p><p>This is a positive step, says Will Ackerly, chief technology officer at Virtru and former lead security architect for the National Security Agency’s (NSA’s) first cross-domain cloud. 
<br></p><p>“It’s positive if managed well. The risk and threat change with on-premise to cloud,” Ackerly explains. “When you move to Google, you now all of a sudden have many security engineers online on a real-time basis available to essentially protect your data. The trade is, you don’t have the same kind of direct control or insight…into how your data is being accessed.”<br></p><p>Agencies and departments will also have to avoid creating a monoculture, or choosing the same platform across the board,​​ because if there is a problem with the technology or an attack on it, there could be a “massive issue,” Ackerly adds.<br></p><p>Overall, however, utilizing shared services is a step in the right direction as it will free agencies up to “focus on what they’re good at—their core mission—instead of having to figure out over and over the same IT programs,” he says.<br></p><p>The government’s ability to do this successfully, however, will depend on its ability to secure funding and change its purchasing constraints around technology—which may require Congressional action.<br></p><p>“The majority of [these agencies’] budget is spent on legacy systems,” says John Dickson, CISSP, principal at Denim Group and former U.S. Air Force officer who served in the Air Force Information Warfare Center. “If you are spending a lot of money, and 75 percent of that is to maintain what you have, you simply are not going to be able to put a dint in this problem.”<br></p><p>Another area that gives some experts pause, however, is that the agency risk management reports may be classified in full—or in part—and not available to the public. <br></p><p>“Particularly when you’re talking about trying to manage risk across many, many agencies, that requires good information sharing,” Ackerly adds. 
“I think it can be a lot harder when there isn’t transparency, at least at the core level.”<br></p><p>He also raised concerns about the number of reports and assessments the executive order has asked government officials to compile to analyze the federal government’s cybersecurity posture and path forward. <br></p><p>“A lot of these reports end up sitting on shelves; a lot of work is going to go into producing these things and updating them,” Ackerly says, adding that it might have been a better idea to create a position of a cybersecurity czar to manage this process so there’s “clear central authority that coordinates actions that the CISOs are accountable to…I worry that this might be another paper exercise.”​<br></p><h4>Critical Infrastructure</h4><p>The second portion of the executive order focuses on critical infrastructure cybersecurity and calls for reports to identify ways that agencies could support the cybersecurity efforts of critical infrastructure entities that are at “greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” according to the order.</p><p>In particular, the order asks for the secretaries of energy and homeland security, with the director of national intelligence and local authorities, to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident.<br></p><p>Harrell says electric utilities are well positioned to aid the government in this effort and provide a report to the president. <br></p><p>“The NERC Grid Security Exercise is a notable example of how the industry has taken cyber threats seriously, and while many lessons have been derived from the national exercise, industry understands the magnitude of a wide-area disruption due to a security event,” Harrell explains. 
“I would strongly recommend that the Department of Energy reach out to NERC, utilities, and industry trade associations to compile their findings as many lessons-learned have already been documented and acted upon.”<br></p><p>The executive order also calls for the secretaries of commerce and homeland security to identify and promote action by stakeholders to improve the resilience of the telecommunications industry to “dramatically” reduce the number of botnet attacks in the United States. <br></p><p>This will require cooperation from the private sector, particularly from Sprint, AT&T, Verizon, and other carriers, Dickson says. “All the people that are essentially providing Internet and phone connectivity, because there’s certain things they can do in real-time to make it harder for those types of attacks to propagate.”<br></p><p>Not to be ignored, however, are potential strides the government could make with device manufacturers, Ackerly says, who could be encouraged to create devices that are inherently more secure and less likely to be compromised and part of a botnet.​<br></p><p>One action Ackerly says he thinks would be a risky choice for the government would be to encourage active attacks to prevent botnet attacks.</p><p>“The military has authority to do active attacks,” he explains. “I don’t think we want to encourage companies to break the law and respond directly to take down systems that are not their own that are trying to interfere with their services.”</p><h4>National Security</h4><p>The final section of the executive order deals with ensuring that the Internet remains valuable for future generations by deterring cyberattacks and investing in the nation’s future workforce. </p><p>The order calls for the secretaries of state, treasury, defense, commerce, homeland security, and the attorney general, amongst others, to submit a report to the president on the nation’s strategic options for deterring adversaries and protecting Americans from cyber threats. 
It also requires the secretaries to document a strategy for international cooperation in cybersecurity.<br></p><p>“The Russians are not our only adversary on the Internet, and the Russians are not the only people that operate in a negative way on the Internet,” Bossert said. “The Russians, the Chinese, the Iranians, other nation states are motivated to use cyber capacity and cyber tools to attack our people and our governments and their data.<br></p><p>“That’s something we can no longer abide. We need to establish the rules of the road for proper behavior on the Internet, but we also then need to deter those who don’t want to abide by those rules,” he said.<br></p><p>The executive order also calls for an assessment of the scope of current efforts to educate and train the American cybersecurity workforce of the future to maintain the United States’ competitive advantage.<br></p><p>Harrell says he found this inclusion in the executive order encouraging. “In a world of constant cyberattacks and massive data breaches, cybersecurity is more important today than ever before,” he adds. “As Americans become more dependent on modern technology, the demand to protect the nation’s digital infrastructure will continue to grow. Many organizations are desperate to find qualified security professionals and fill key staff positions. Promoting professional education, training, and STEM classes will start to bridge the cybersecurity workforce gap.”</p>
https://sm.asisonline.org/Pages/The-Most-Resilient-Countries-in-the-World.aspxThe Most Resilient Countries in the WorldGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Property loss prevention consultant FM Global released its <a href="http://www.fmglobal.com/research-and-resources/tools-and-resources/resilienceindex/explore-the-data/?&sn=1" target="_blank">fifth annual <em>Resilience Index</em></a><em>,</em> which ranks 130 countries on their enterprise resilience to disruptive events. The ranking is data-driven and assesses categories such as economic factors, risk quality, and supply chain. It allows executives to plan supply chain and expansion strategies based on insight regarding risks and opportunities, according to the FM Global website. </p><p>Giving a nod to new trends that affect supply chain resilience, FM Global introduced three new drivers of resilience to its assessment: supply chain visibility, urbanization rate, and inherent cyber risk. Supply chain visibility addresses the ease of tracking goods across a country’s supply chain. “The more visible and robust the supply chain and the faster it can begin functioning as normal following a major local event, the greater its resilience,” the report notes.</p><p>The urbanization rate is based on the percentage of the country’s population that lives in urban areas. While urbanization is typically associated with a country’s development, it can prove to be risky in an area with high natural hazards. And rapid and unplanned urbanization can create pressure on utilities and infrastructure, which can be a significant threat to the country’s resilience, according to the report.</p><p>2017 is also the first year that the threat of cyberattacks has been acknowledged in the report. 
The inherent cyber risk driver is defined as “a blend of a country’s vulnerability to cyberattack, combined equally with the country’s ability to recover.” This is calculated by determining the percentage of citizens with access to the Internet, as well as how the government responds to cyberattacks. “Countries that recover well from major events are those with a thriving industry in malware or cybersecurity, and where governments are willing to step in and help citizens in the event of a nationwide hacking,” the report says.</p><p>At the top of the list for the fifth year is Switzerland, an “acknowledged area of stability for generations” with infrastructure and political stability that makes its supply chain reliable and resilient. However, natural disasters and cyberattacks remain a threat to the country. </p><p>Also notable is Luxembourg, which was ranked eighth in 2013 but placed second this year. A growth in the country’s services sector, combined with its reduced economic reliance on oil and its business-friendly regulations, makes Luxembourg a safe place to expand operations to, the report finds. And due to its location, Luxembourg may serve as a new home for companies following the United Kingdom’s departure from the European Union.</p><p>At the other end of the spectrum, Haiti is ranked last due to its lack of supply chain and standards and its high rate of poverty. Similarly, Venezuela fared poorly due to corruption, natural disasters, poor infrastructure, and ill-perceived quality of local suppliers.  ​</p>
https://sm.asisonline.org/Pages/IT-Security-Professionals-Admit-To-Hiding-Data-Breaches,-Survey-Finds--.aspxIT Security Professionals Admit To Hiding Data Breaches in New SurveyGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>IT security professionals admit they've quietly paid hackers a ransom for their data without telling anyone, according to a survey by cybersecurity company Bromium. In ransomware attacks, cyber thieves obtain users' data and threaten to destroy or not return it if a certain amount of money isn't paid within a set timeframe. The<a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/" target="_blank"><em> 2017 Verizon Data Breach Investigations Report </em>found there was a 50 percent increase in ransomware attacks over the last year. </a>​</p><p>An average of ten percent of IT security professionals said they've silently met hackers' ransomware demands, or hidden a security breach without telling their team. In a blog post, Bromium says the re​search began as a survey at the RSA Conference in San Francisco in February, but it was so surprised by the findings, it expanded on the research by talking to more IT professionals in both the United States and the United Kingdom.  </p><p>At RSA, five percent of IT security professionals said they had hidden a breach from their corporate security team; fifteen percent in the extended study admitted the same. In addition, 38 percent of those at RSA and 32 percent from around the United States and the U.K. admitted to going around, turning off, or bypassing corporate security settings to get their job done. 
</p><p>"While we expect employees to find workarounds to corporate security…we don't expect it from the very people overseeing the operation," said Simon Crosby, cofounder and chief technology officer of Bromium, <a href="https://blogs.bromium.com/security-pros-pay-ransom-hide-breaches/" target="_blank">in the blog post. </a>"Security professionals go to great lengths to protect their companies, but to learn that their decisions don't protect the business is frankly rather shocking. To find that security pros have actually paid ransoms or hidden breaches speaks to the human-factor in cybersecurity."</p>
https://sm.asisonline.org/Pages/Solar-Technology-Can-Help-Secure-Military-Grids,-New-Paper-Finds.aspxSolar Technology Can Help Secure Military Grids, New Paper FindsGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Distributed microgrid systems, using solar technology, can help secure the electric grids at military bases to reduce the impact of cyberattacks, physical attacks from terrorists, and natural disasters, researchers say in a new paper.</p><p>Vulnerabilities in the power grid are one of the most prevalent national security threats. The technical community has called for building up the resiliency of the grid using distributed energy and microgrids for stabilization. This is because power production from multiple sources increases the difficulty of triggering cascading blackouts. In addition, following an attack or natural disaster, microgrids can provide localized energy security.<br></p><p>In a new paper published in the scholarly journal <em>Renewable and Sustainable Energy Reviews</em>, an interdisciplinary team of engineering and energy policy experts from Michigan Technological University says the first step is to outfit military infrastructure with solar photovoltaic (PV)-powered microgrid systems. <br></p><p>Currently, only 27 of the more than 400 domestic U.S. military sites have either fortified PV microgrids running now or have plans to do so. This means the majority are vulnerable to long-term power disruptions. Most military backup systems rely on generators, which are also vulnerable to fuel supply disruption.<br></p><p>The researchers found that the military would need 17 gigawatts of PV to fortify all its domestic bases. 
<br></p><p>An abstract of the new paper, and instructions for obtaining a complete copy, can be found here: <a href="http://www.sciencedirect.com/science/article/pii/S1364032117306081">http://www.sciencedirect.com/science/article/pii/S1364032117306081</a></p><p>For more on U.S. Department of Defense utilities, read <a href="/Pages/Ramping-Up-Resilience.aspx" target="_blank">"Ramping Up Resilience"</a> from the March 2017 issue of <em>Security Management. ​</em></p>
https://sm.asisonline.org/Pages/DHS-Warns-Congress-Of-Security-Threats-to-Government-Mobile-Devices.aspxDHS Warns Congress Of Security Threats to Government Mobile DevicesGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The U.S. Department of Homeland Security (DHS) sent Congress a study on Thursday warning it of security threats to members’ mobile devices and a need for increased device security. </p><p>“The study found that the threats to the federal government’s use of mobile devices—smartphones and tablet computers running mobile operating systems—exist across all elements of the mobile ecosystem,” according to a <a href="https://www.dhs.gov/science-and-technology/news/2017/05/04/news-release-dhs-delivers-study-government-mobile-device" target="_blank">DHS press release.</a> “These threats require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections, and have evolved independently of desktop architectures.”<br></p><p>The report, <em></em><a href="https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf" target="_blank"><em>Study on Mobile Device Security, </em></a>was mandated by the Cybersecurity Act of 2015 and compiled by the DHS Science and Technology Directorate with the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence. <br></p><p>The study reveals that the threat to the mobile device ecosystem—smartphones and tablets—is growing. These threats range from those perpetrated by nation states to organized criminal gangs to hackers to regular loss or theft of mobile devices. <br></p><p>U.S. 
government mobile device users are also susceptible to threats that target consumers, including social engineering, ransomware, and identity theft. “Further, federal government mobile device users may be targeted with additional threats simply because they are public-sector employees,” DHS said.<br></p><p>The study also warns that government employees’ mobile devices might be targeted to give attackers access to sensitive computer systems.<br></p><p>“Government mobile devices—despite being a minor share of the overall market—represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions,” according to the report. “Systems managed by the Department of Defense, DHS, the Department of the Treasury, the Department of Veterans Affairs, Health and Human Services, the Office of Personnel Management, and others hold significant amounts of sensitive but unclassified information, whose compromise could adversely impact the organization’s operations, assets, or individuals.”<br></p><p>To address these threats, the report recommends that the federal government—and DHS in particular—take action to enhance mobile device security for government employees. <br></p><p>“DHS has a responsibility to not only secure the means of communication used by department and agencies, but to safeguard the nation against emerging threats in both the physical and cyber domains,” DHS said. 
“Mobile technology is essential to the United States not just for government use, but also for the security and integrity of communications for businesses and citizens.”<br></p><p>The study recommended the government take the following actions:<br></p><ul><li><p>Adopting a framework for mobile device security based on existing standards and best practices<br></p></li><li><p>Enhancing the Federal Information Security Modernization Act metrics to focus on securing mobile devices, applications, and network infrastructure<br></p></li><li><p>Including mobility within the Continuous Diagnostics and Mitigation program to address mobile device security <br></p></li><li><p>Continuing the DHS Science and Technology applied research program on Mobile Application Security <br></p></li><li><p>Establishing a new program on mobile threat information sharing <br></p></li><li><p>Coordinating the adoption and advancement of mobile security technologies into operational programs<br></p></li><li><p>Developing cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats<br></p></li><li><p>Creating a defensive security research program to address mobile network infrastructure vulnerabilities<br></p></li><li><p>Increasing active participation in mobile-related standards bodies and industry associations<br></p></li><li><p>Developing policies and procedures on government use of mobile devices overseas based on threat intelligence and emerging threats.<br></p></li></ul>
<h3><a href="https://sm.asisonline.org/Pages/How-Smugglers-and-High-Risk-Travelers-Enter-the-US.aspx">How Smugglers and High Risk Travelers Enter the United States</a></h3><p>Category: National Security</p><p>It’s no secret that transnational crime organizations get creative when it comes to smuggling contraband from Mexico to the United States, but with increased security along the border comes increasingly extravagant efforts by criminals to avoid security measures, a new U.S. Government Accountability Office (GAO) report released earlier this week found. </p><p>Smugglers build cross-border tunnels, which range from rudimentary, shallow tunnels to interconnected tunnels with lighting, railways, and ventilation and connect to existing municipal infrastructure such as sewer systems. Single seat, ultralight aircraft weighing 250 pounds or less can carry large baskets of drugs across the border. And a variety of boats, pangas, and submarines can shuttle large quantities of contraband. </p><p>In its report, titled <em><a href="http://www.gao.gov/assets/690/684408.pdf">Border Security: Additional Actions Could Strengthen DHS Efforts to Address Subterranean, Aerial, and Maritime Smuggling</a></em>, GAO discovered 67 cross-border tunnels, 54 of which were sophisticated and interconnected. The U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement (ICE) share responsibility for countering tunnel threats and found that the drug most confiscated in the tunnels was marijuana—from 2011 to 2016, more than 106,600 pounds of marijuana was seized, the report found.
Smuggling rates via tunnels, air, and boats have generally decreased since 2011, although GAO found an increase in migrant smuggling via panga and recreational boats off the Florida coast.</p><p>The GAO report concluded that CBP and ICE should increase their use of technology, performance measuring, and agency collaboration to better address the smuggling threat. “By establishing performance measures and regularly monitoring performance against targets, managers could obtain valuable information on successful approaches and areas that could be improved to help ensure that both technology investments and operational responses to address smuggling through cross-border tunnels, ultralight aircraft, panga boats, and recreational vessels are effective,” according to the report.</p><p>But what about identifying high-risk travelers that could pose a threat to the United States? DHS has a number of programs in place to identify and interdict high-risk travelers seeking to arrive in the United States via airplane, such as foreign fighters and potential terrorists, human traffickers, and drug smugglers. CBP identified and prohibited more than 22,000 travelers from flying to the United States in 2015 alone, but there is no way to evaluate the overall effectiveness of the high-risk traveler programs, GAO found in its report <em><a href="http://www.gao.gov/assets/690/684443.pdf">Progress and Challenges in DHS's Efforts to Address High-Risk Travelers and Strengthen Visa Security</a></em>, released yesterday.</p><p>The report also addressed the Visa Waiver Program (VWP), which allows nationals from 38 countries to apply for a temporary visa to travel to the United States. The VWP has been around since 1986, but was updated in 2015 to address the modern-day terrorist threat. ​As part of the agreement, countries participating in the U.S. 
VWP agreed to share information regarding lost or stolen passports, identity information about known or suspected terrorists, and criminal history information. </p><p>However, GAO found that a third of the countries are not sharing terrorist identity information, which the report noted “has enhanced U.S. traveler screening capabilities and improved U.S. agencies’ ability to prevent known and suspected terrorists from traveling to the United States.” DHS has agreed to continue to work with VWP countries to implement all program requirements.</p>
<h3><a href="https://sm.asisonline.org/Pages/Insuring-Data-Loss.aspx">Insuring Data Loss</a></h3><p>Category: Cybersecurity</p><p>Historically, one of the most catastrophic risks to cities was fire. Prior to the modern concept of fire departments, most businesses and residents relied on private departments that they funded to come put out the blaze, should the need arise.</p><p>In 1751, Benjamin Franklin created the first fire company in the U.S. colonies to sell fire insurance: the Philadelphia Contributionship. </p><p>Participants in Philadelphia paid fees that were then used to cover other participants’ fire-related losses, according to Allstate. The first year of the contributionship, 143 policies were purchased to cover a seven-year period. None of the insured properties caught fire during that time. </p><p>As time went on, society made greater strides in fire prevention, and insurance carriers gathered data on these measures to assess how they reduced or increased the risk of fire, adjusting premiums accordingly.</p><p>However, one of the newest forms of insurance on the market has forged a different path. Cyber insurers are still in the process of amassing data to price risks for a cyber incident that results in data theft—and no company has data to price risk for destructive attacks, according to Robert Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations (CFR). </p><p><img src="/ASIS%20SM%20Product%20Images/0517%20Cybersecurity%20Facts.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:257px;" />“Moreover, insurers do not typically offer premium reductions in exchange for improving cybersecurity practices,” Knake wrote in a cyber brief for CFR’s Digital and Cyberspace Policy Program.
“This market decision reflects a sad reality for the cybersecurity industry: there is no clear consensus on which cybersecurity practices work and which do not, though some insurers are developing closer relationships with cybersecurity providers in order to access information necessary to accurately price risk.”</p><p>Despite being unable to accurately price risks associated with cyberattacks, the cyber insurance market is projected to grow from approximately $2.75 billion to $7.5 billion by 2020, according to PricewaterhouseCoopers’ (PwC) Insurance 2020 & Beyond: Reaping the Dividends of Cyber Resilience. </p><p>“Businesses across all sectors are beginning to recognize the importance of cyber insurance in today’s increasingly complex and high risk digital landscape,” the report explained. But this awareness has been coupled with skepticism about the true value of cyber insurance.</p><p>“Given the high costs of coverage, the limits imposed, the tight terms and conditions, and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value,” said Paul Delbridge, an insurance partner at PwC, in a statement on the report. </p><p>Cyber insurance is a  relatively new concept in the insurance world that got its start in the 1990s. Businesses started to look to the insurance market to cover risks associated with e-commerce, but found that none of the existing insurance models were relevant, says Graeme Newman, chief innovation officer at CFC Underwriting.</p><p>“The worry wasn’t that the building would burn down, or that they wouldn’t be able to trade on their physical premises, it was that their systems would go down and they wouldn’t be able to trade,” he explains. “Their biggest asset was their data…. 
They wanted a product they could use to insure that data—and that’s where cyber insurance was born.”</p><p>Cyber liability policies were created to cover identity theft, business interruptions when hackers shut down a network, damage to a business’s reputation, and costs associated with damage to data records caused by a hacker. Policies can also cover the theft of digital assets, malicious attacks via computer code, human errors that disclose sensitive information, credit monitoring services, and lawsuits, according to the National Association of Insurance Commissioners.</p><p>In the late 2000s, society began to see a major shift in crime with physical crime morphing into cybercrime—phishing scams, business email compromise, ransomware, and more. This helped push cyber insurance as more of a mainstream line of insurance, Newman says, and health institutions are leading the way.</p><p>Hospitals generally have “lots of sensitive patient data on generally old, legacy IT systems with good risk management departments but little idea about IT security and really high penalties from regulators,” Newman adds, especially in the United States under the Health Insurance Portability and Accountability Act (HIPAA).</p><p>Retailers were the next major vertical to begin purchasing cyber insurance following the string of mega breaches at Target, Home Depot, and Neiman Marcus in 2013 and 2014 when hackers targeted retailers to acquire customer payment card information.</p><p>“That got the retailers to purchase cyber insurance, and we saw financial institutions buying cyber insurance,” Newman says.</p><p>This activity has created a cyber insurance market worth roughly $3 billion today, with 90 percent of all cyber insurance purchased in the United States. 
This is for a variety of reasons, including the aggressive class action lawsuit culture in the United States, state attorneys general who have taken a tough stance against businesses that compromise consumer data, and regulators who can levy fines under the law.</p><p>“When a business loses data, you’ve got a whole load of ambulance chasers trying to make a buck out of it,” Newman says. “They’ll bring lawsuits against businesses that lose data.” </p><p>Despite these motivators, however, only 25 percent of U.S. businesses and 2 percent of U.K. businesses have purchased cyber insurance policies. This could be because of the price of premiums due to the limited data on the scale and financial impact of attacks, according to the PwC report.</p><p>“Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty,” the report explained. </p><p>PwC’s former U.S. Cybercrime and Breach Response Senior Managing Director Don Ulsch saw this in action just two years ago. One of his clients, a global manufacturing firm, attempted to buy cyber insurance and found that the carrier would only provide $1 of coverage for each $1 in premiums. The client ultimately purchased the policy because it felt it was necessary to meet U.S. Securities and Exchange Commission (SEC) guidelines, Ulsch says.</p><p>“As you start looking at what your requirements are as an SEC registrant, you will likely start looking at cyber insurance,” he explains. This is because in 2011, the SEC released guidance on cyber insurance and has since adopted a prebreach‑centric approach to managing cyber risks—meaning that boards have informed investors and shareholders how they will manage a cyber risk in the event of a cyber breach. </p><p>And for those carriers that do issue cyber insurance policies, PwC found that they are putting a ceiling on potential losses through restrictive limits, exclusions, and conditions. 
For instance, common conditions include state-of-the-art data encryption or 100 percent updated security patch clauses, which are difficult for businesses to maintain.</p><p>Another area that may be stalling actual growth is confusion over how to cover new risks associated with cybersecurity. One area that Ulsch says carriers are still assessing is how to cover a physical event that stems from a cyber incident.</p><p>For instance, Internet of Things devices at a restaurant could be compromised, allowing a hacker to leverage them in an attack that causes a gas line in the restaurant to malfunction, resulting in an explosion.</p><p>Since an incident like this would cause bodily injury and property damage, “should that be an extension of cyber insurance?” Ulsch asks. “Or should it be part of your commercial general liability insurance? How does it get covered?”</p><p>This is one of the big questions that insurers have today in response to new kinds of cyberattacks that are emerging on an almost daily basis. “This is something that is relatively new, but it’s growing in significance,” he adds.</p><p>One development that might help spur the adoption of cyber insurance policies, however, came in December 2016 when the U.S. Department of the Treasury issued guidance in the Federal Register that included these policies in the Terrorism Risk Insurance Program (TRIP).</p><p>TRIP was initially created in the aftermath of 9/11 as part of the Terrorism Risk Insurance Act (TRIA) as a federal stopgap to allow private companies to purchase terrorism insurance. Under the program, the U.S. treasury secretary and the attorney general can certify an event as an act of terrorism. If damages from the act exceed $200 million, TRIP is triggered to cover the remaining losses. </p><p>Before 2016, there was confusion as to whether TRIP would be triggered for cyber incidents. 
To clarify, Treasury issued the new guidance confirming that “stand-alone cyber insurance policies” reported as “Cyber Liability” are included in the “property and casualty insurance” under TRIP. </p><p>Security Management reached out to Treasury for further explanation about the guidance, but it did not return requests for comment.</p><p>Adding cyber insurance to TRIP is a step that Knake recommended in his cyber brief, published prior to Treasury’s guidance. He advocated for the creation of a federally sponsored cyber insurance program.</p><p>“The federal cyber insurance program should be developed under TRIP…given that much like terrorist attacks, catastrophic cyber incidents affecting the United States will be rare,” Knake wrote. “TRIP should be expanded to cover cyber events and renamed to allow for coverage of all catastrophic cyberattacks—whether they are carried out by terrorists, state actors, or criminals—including cases in which attribution cannot be determined.”</p><p>One way that TRIP falls short, Knake tells Security Management, is that it doesn’t place requirements on insurance policies and on companies themselves to improve their own security. Knake, who is the former U.S. National Security Council director for cybersecurity policy, says this was discussed at the time that TRIP was created but ultimately decided against.</p><p>When it comes to cybersecurity, where the threat and the fundamental responsibility is on companies to protect themselves, a “model that is like TRIA but creates a situation in which the insurance is being used to promote cyber hygiene, better practices, and information sharing makes a lot of sense,” he says.</p><p>For instance, Knake recommends that regulators set minimum requirements for cyber insurance for companies that want to take advantage of TRIP’s protections. One example of this is the approach that U.S. 
financial regulators have taken to cybersecurity to address the potential of systemic risk throughout the entire system should a major financial institution be hit with a cyberattack.</p><p>“Being able to quantify that risk and then say, ‘You need to have insurance up to that amount,’” Knake says. “It’s like car insurance. You need to have car insurance, as the minimum standard.”</p><p>Ultimately, a federally sponsored cyber insurance program should be used to limit financial liability and promote participation in “initiatives that benefit the security of the Internet as a whole and reduce systemic risk,” Knake wrote. </p><p>“Initially, the government’s goal should be to use the program to promote the sharing of data on incidents so that insurers can accurately price risk and set premiums. Doing so could provide the data necessary to judge the effectiveness of existing best practices and identify new practices that should be widely adopted.” </p><p>Whether that happens remains to be seen, but insurance carriers are already projecting that the international market for cyber insurance will grow by 400 percent. Most forms of insurance typically only see 1 to 2 percent growth year over year, Newman says.</p><p>“Cyber insurance is exciting,” Newman adds. “Cyber is the class of insurance that is growing in the world.” ​</p>
<h3><a href="https://sm.asisonline.org/Pages/Cyber-Travel-Tips.aspx">Cyber Travel Tips</a></h3><p>Category: Cybersecurity</p><p>Security managers must be aware of their physical surroundings when they travel, but electronic devices frequently place employees and their companies at risk. To help keep devices and corporate data secure while traveling, Security Management reached out to several security experts to learn about their own travel best practices.</p><h4>Do a Cleanse</h4><p>Before packing your laptop, Bruce McIndoe, CEO of integrated risk management company iJET, recommends doing some device cleansing. </p><p>“That’s the first level of defense when you are getting ready to leave on a trip—slim down and remove as much data as you can,” he says.</p><p>This means assessing whether you actually need to take a laptop with you and, if so, removing all the sensitive data from it that you can. “That way if the laptop is stolen or infiltrated or lost, you’re not going to have all that data exposed,” McIndoe says.</p><p>Take the same approach with your smartphone, and pare down your USB devices to the essentials. Then make sure that all your devices are encrypted in case they are lost or stolen.</p><h4>Talk to IT</h4><p>After you’ve assessed what you need to take with you, it’s a good rule of thumb to check with your IT department to see if they have travel devices for you to take with you, such as travel laptops, phones, and even routers.</p><p>IT can also review with you any policies or procedures in case your devices are lost, stolen, or breached while you’re away from the office.</p><h4>Take the Right Bag</h4><p>When traveling, sometimes your devices are out of your sight—whether they’re tucked in your checked bag or stowed in the hotel while you’re out at dinner. This is when a zippered bank bag comes in handy, says former U.S. Secret Service Agent John Toney.
He and other agents used zippered bank bags, such as an A. Rifkin bag, to store guns, electronic equipment, and anything else they wanted to keep away from prying eyes.</p><p>“When agents go en masse overseas, everyone throws their bag into the same Pelican case for customs,” says Toney, who is now senior manager of forensic technology and discovery services at Ernst & Young LLP. “That way, customs agents can scan the outer carrier but don’t get inside the bags.”</p><h4>Avoid Free Wi-Fi</h4><p>While a wonderful invention, Wi-Fi does come with risks, which is why McIndoe says he doesn’t connect to airport Wi-Fi or public Wi-Fi. </p><p>“What I try to do is use Gogo and AT&T hotspots,” McIndoe explains. “I can use Gogo on flights and get onto Wi-Fi only from access points that I know about.”</p><p>He also says travelers should be cautious about connecting to hotel Wi-Fi. As a precaution, consider using a VPN to access systems at work and ensure that you have an HTTPS connection. If you do access a website without an HTTPS connection, McIndoe says you should not consider that information private.</p><h4>Talk to IT, Again</h4><p>After you’ve returned from your trip and before you connect any of your devices to your company’s network, go talk to IT. They can scan the devices to make sure you didn’t pick up any malware while you were abroad. Many companies require employees who have been in designated countries to have their laptops scanned before connecting them to the network.</p><p>“A lot of companies have more sophisticated malware detection on the company network than on your laptop and will detect a virus that your local virus scan did not detect,” McIndoe says.</p>
<h3><a href="https://sm.asisonline.org/Pages/Terrorists-Check-In.aspx">Terrorists Check In</a></h3><p>Category: Strategic Security</p><p>Just after 8:00 a.m. on January 25, attackers detonated a truck bomb outside the gates of the Dayah Hotel in the Somali capital of Mogadishu before storming inside. Fifteen minutes later, another truck bomb exploded, and security forces were dispatched to take control of the hotel. </p><p>The hotel, located near Somalia’s Parliament building, was said to be popular with lawmakers and government officials. That may have made it a target for the attackers—later identified as al-Shabaab, an extremist group linked to al Qaeda, whose attacks are designed to turn Somalia into a fundamentalist Islamic state.</p><p>The attack in January killed at least 21 people and injured more than 50, according to CNN. It was just the latest in a succession of recent attacks on soft targets in Africa and Europe, and it raised awareness of a global and shifting threat that no international business can ignore: the risk of an attack on a hotel where a traveling employee is staying.</p><p>Since 2002, more than 30 major terrorist attacks have targeted hotels across the world. Because of this outbreak of attacks, businesses, tourism professionals, and hoteliers themselves are calling hotel risk procedures into question.</p><h4>Hotels as Soft Targets</h4><p>Hotels became major targets for bomb attacks by terrorists in Asia in the 2000s, and the threat has since moved to Africa. Attacks against hotels in 2015 and 2016 accounted for a third of all major terrorist attacks in the world, likely because they are considered to be soft targets.</p><p>Some hotels make more attractive targets than others, for a variety of reasons. One of these is the opportunity to harm a large number of people.
Hotels are gathering places, and in addition to guests there are visitors for banquets, as well as bar, restaurant, and leisure facility customers.</p><p>Another reason a hotel might be an attractive target is that it is likely to garner international media attention. The more victims there are from different countries, the more media attention the attack is likely to generate. </p><p>Attacks on hotels also express an ideology: international luxury hotels symbolize Western culture. Jihadists often consider hotels immoral places where men and women interact, and where alcohol is easily accessible.​</p><h4>Attack Strategies</h4><p>Terrorists used three attack strategies when targeting hotels between 2002 and 2015: explosives (44.4 percent), firearms (25 percent), and a combination of the two (30.6 percent), according to the Global Terrorism Database.</p><p><strong>Explosives.</strong> There are two varieties of attacks on hotels using explosives: the human bomb and the vehicular bomb. These tend to cause the most physical destruction and injure the most people, making them effective for terrorists.</p><p>Human bombs tend to have geographically restricted limits and are mainly used in spaces that are open to guests. For instance, in November 2005 in Amman, Jordan, terrorists detonated explosive belts in the ballroom of the Radisson SAS, near the coffee shop of the Grand Hyatt Hotel, and in the entrance of a Days Inn. Fifty-seven people were killed in the attacks, and more than 100 people were wounded, according to The New York Times.</p><p>In contrast, vehicular bombs account for 31 percent of terrorist attacks on hotels. This technique is used to cause large-scale material destruction and potential chain reactions from the explosion—such as gas line bursts, fire, structural collapse, and destruction of guest and staff lists.</p><p>In 2008, for example, terrorists packed a truck with a ton of explosives and drove it into the Islamabad Marriott’s security gate. 
The vehicle exploded, killing 53 people and injuring 271, and officials were concerned that the building itself might collapse and cause even more injuries and damage, The Telegraph reported.</p><p>Occasionally, the two techniques are used together. One such case was in 2005 in Sharm El Sheikh, Egypt, when terrorists set off a truck bomb near the Iberotel Palace hotel while simultaneously discharging a bomb in the façade of the Ghazala Gardens Hotel. They also detonated a third bomb in a parking lot of one of the city’s tourist areas. The coordinated attacks killed 88 people, most of whom were Egyptian instead of the targeted Western tourists, according to the Times’ analysis of the attack.</p><p><strong>Assaults. </strong>Terrorists often use the assault technique, armed with automatic rifles and hand grenades, to target hotels. This method makes it easier for the terrorists to damage a wider area while also killing a large number of people as they move through the hotel and its floors.</p><p>This kind of attack occurred in November 2015 when heavily armed and well-trained gunmen drove into the Bamako, Mali, Radisson Blu hotel compound. They detonated grenades and opened fire on security guards before taking 170 people hostage, according to The Guardian. Twenty-one people, including two militants, were killed in the attack and seven were wounded.</p><p>Terrorists will also move from one hotel to another, not hesitating to take clients hostage to make the operation last longer. The duration of the siege often has a direct impact on the amount of international media coverage the attack receives.</p><p>Additionally, some assault-style attacks show that terrorists had knowledge of the hotels before attacking them. For example, in the 2009 attacks on the Ritz-Carlton and the JW Marriott in Jakarta, the attackers blew themselves up—one in a parking garage at the Marriott and the other at a restaurant at the Ritz-Carlton. 
Authorities later discovered, according to the BBC, an unexploded bomb and materials in a Marriott guest room that was dubbed the “control center” for the attacks.</p><p>Terrorists also may plan to conduct attacks during a hotel’s peak operation times—such as during meals or organized events. For example, the attack in Bamako took place around 7:00 a.m. when breakfast, checkouts, and security officer shift changes were taking place.​</p><h4>Travel Policies</h4><p>Not all companies have well-developed travel security policies. Predictably, companies with employees who travel more frequently for work have a more advanced travel security program, as do companies that operate in countries with elevated security risks or in remote areas.</p><p>Companies also tend to have a more highly developed travel security program if one of their employees has been affected by a security incident, such as a hotel bombing, in the past. In this current threat environment, however, all international companies should review their travel risk policies because they have a duty to protect employees when they travel for work.</p><p>The European Directive on the Safety and Health of Workers at Work mentions this obligation, as do national regulations: Germany’s Civil Code, France’s Labor Code and a judgment by the Court of Cassation, and the United Kingdom’s Health and Safety at Work Act of 1974 and the Corporate Manslaughter and Corporate Homicide Act of 2007.</p><p>The United States also addresses this responsibility through its statutory duty of care obligations detailed in the Occupational Safety and Health Act of 1970. The act requires large and medium-sized companies to define basic emergency planning requirements.</p><p>Also, depending on the U.S. state, workers’ compensation laws may have provisions for American business travelers abroad. Similar obligations apply in Australia, Belgium, The Netherlands, and Spain. 
And case law has reinforced this legal arsenal addressing the security of employees traveling abroad.</p><p>Under these frameworks, employers must assess foreseeable risks, inform employees of these risks, and train them to respond.</p><p>And these risks are no longer reserved for employees traveling to Africa or the Middle East; the succession of terrorist attacks in countries qualified as low-risk destinations—Berlin, Brussels, Nice, and Paris—means that many companies need to address these locations in their crisis management preparation for employees traveling abroad.</p><p>Some companies have already changed their internal procedures to address these risks, including changing the way that hotels are chosen for business travel. ​</p><h4>Choosing Hotels</h4><p>Given the current threat environment and duty of care obligations for traveling employees, corporate security managers and travel managers need to work together to choose the right hotels. No matter the choice of accommodation, security and travel managers must conduct their own risk analysis to adopt the best strategy for choosing hotels for their employees. The analysis should include the destination, the profile of the business traveler, the duration of the employee’s stay, the company’s image, and the potentially controversial nature of the project in that destination.</p><p>Once the analysis is complete, companies have four options for choosing accommodations for traveling employees: international brand hotels, regional chain hotels, apartment or house sharing, or residences that are owned and operated by the company.</p><p>The most common option is to choose hotels with an international brand whose rates have been negotiated by the company. These big-name hotels can be reassuring. 
However, these institutions—described by some specialists as high-profile—tend to meet terrorists’ selection criteria for targets.</p><p>These hotels are also often franchise hotels, meaning they are independent institutions, master of their own investment decisions and the management of their staff. This can make it difficult for security professionals and travel managers to get answers to important questions during the vetting process: What security procedures does the hotel have in place and what is its staff management policy? Does it subcontract its security to a guard company or have its own security team?</p><p>The second option is to choose less emblematic hotels that some would consider low-profile, such as regional chain hotels—like Azalaï, City Blue, Serena, and Tsogo Sun in Pan-Africa—or independent boutique hotels. </p><p>Hotels such as these may provide more discretion than an international brand hotel, but may come with slightly lower levels of security, which could become a problem should a crisis develop. Lesser-known hotels, for instance, may not receive as rapid a response from security forces as a luxury hotel frequented by public figures and politicians. And for travel managers, this second option could be a difficult sell to employees who might be used to staying at international brand hotels.</p><p>Another option that companies might choose is to have employees stay at a private residence through the sharing economy, such as Airbnb. Google and Morgan Stanley recently began allowing employees to use Airbnb for business travel, and Airbnb saw 14,000 new companies sign up each week in 2016 for its business travel services, according to CNBC. 
</p><p>For some destinations, this is not a viable option because of the lack of accommodations, but for other locations Airbnb has numerous places to stay and even offers a dedicated website for business travelers, which make up 30 percent of its overall sales.</p><p>One location where Airbnb is a popular choice is in sub-Saharan Africa where a major influx of young expatriates used to traveling and staying in Airbnbs have rooms, apartments, and houses available for business travelers.</p><p>However, this option has collateral risks, and many companies forbid employees from staying at an Airbnb while traveling because of the lack of verification and vetting of the residences, which may not allow them to meet many companies’ duty of care obligations. </p><p>Also problematic is the risk that employees will get lost while trying to locate their Airbnb, as opposed to an easily identifiable hotel. And the traveler might be unable to check in when the host is unavailable to let them in or provide a key. </p><p>The Airbnb option also raises questions for security professionals: If it’s attacked, how will local law enforcement respond? Who is responsible for contacting law enforcement?</p><p>The final option is for the company itself to provide private accommodations for its travelers. This is only cost effective, though, for high-risk destinations where companies frequently send employees to work. With this option, companies have full control over the security of the accommodations. 
However, this level of security comes with a high operational cost—purchasing or renting the accommodation, ensuring the maintenance of the location, and supervising essential service providers, such as housekeeping and security.</p><p>Additionally, companies that choose to provide a private accommodation for traveling employees would have the responsibility to secure the property—creating a security plan; purchasing, installing, and implementing security equipment, such as access control, CCTV, and fences; and providing security staff, either in-house or through a contract.​</p><h4>Improving Security</h4><p>In 2002, a Palestinian suicide bomber killed 30 people at a Passover Seder at the Park Hotel in Netanya, Israel, in the deadliest attack during the Second Intifada. Following the attack, Israel’s hotel industry led the charge to address security threats by tightening security regulations. These regulations required the hospitality industry to staff a chief security officer in each hotel, led to the development of dedicated educational programs on security with recognized diplomas, and ultimately provided career opportunities for skilled and motivated security professionals.    </p><p>This model is one where companies can support hoteliers by including security as a key element when choosing which hotels can be used by employees on business trips.  </p><p><em><strong>Alexandre Masraff </strong>is a security and crisis management senior advisor at Onyx International Consulting & Services Ltd. and the cofounder of the InSCeHo certification program that focuses on hotel security. He is a member of ASIS International. <strong>Aude Drevon</strong> is a security analyst with a master’s degree in geopolitics and international security. <strong>Emma Villard</strong> is a regional security advisor based in Vienna, Austria, and a member of ASIS.     ​</em></p>
https://sm.asisonline.org/Pages/After-an-Active-Shooter.aspx
After an Active Shooter
Strategic Security
<p>Organizations affected by an active shooter event will face extraordinary challenges from the moment the first shot is fired. Even if the company is able to maintain business operations in the aftermath, the physical and emotional recovery can go on for months and years after the event. Besides reevaluating physical security measures, updating business continuity plans, and dealing with possible lawsuits, companies also have a responsibility toward their employees who have suffered severe emotional trauma. </p><p>To recover from an active shooter event, restore business operations, and retain employees, experts say that business continuity planning, communication strategies, and personnel issues should be among the top priorities for organizations. In this article, experts discuss what security professionals can do in the aftermath of an incident to recover as quickly and effectively as possible.</p><h4>Business Response </h4><p>Business operations will be devastated by an active shooter situation, experts say. Access to the building, or at least the floors where the incident occurred, will be virtually impossible. </p><p>“Law enforcement is going to lock down the building, and it may not be given back for many days,” says Dave Hunt, senior instructor at Kiernan Group Holdings, a consulting firm that assists companies in planning for and responding to active shooter events. “It depends entirely on the extent of the incident–how many injured, dead, how many bullets? Every single trajectory of every single bullet, every shell casing, is all going to be essentially recovered.” </p><p>Communication. 
Having a well-prepared crisis communications plan in place before an incident is crucial, but executing that strategy is inevitably more difficult when faced with a real-life tragedy. Experts say that an organization needs to maintain open communication with various groups following an active shooter event.</p><p>Because news travels at lightning speed, any organization affected by an active shooter event can expect the media to pick up on it almost immediately. “When an incident occurs, local media, newspapers, and TV stations are going to hear about it and they’re going to descend on that campus or facility,” says Josh Sinai, principal analyst at Kiernan Group Holdings, “and this will happen within 30 minutes.”</p><p>Talking to the media and the public can be one and the same, says Hunt, and he recommends that companies put a message on their social accounts and websites, and have a skilled speaker to talk to the press. “The media is one avenue through which the public can be communicated to,” he says, “but today we can also communicate with the public directly via Twitter, websites–there are all kinds of different social media options.” </p><p>Larry Barton, a crisis management consultant, echoes this sentiment: “Get to the media before they get to you.” He recommends that leadership have several preplanned responses to rely upon and modify, as needed. </p><p>“This is where a company can really distinguish itself by being crisis-prepared. Have your frequently asked questions ready, and start filling in the blanks from the moment the incident occurs,” Barton says. “You can keep refining them, you can keep massaging them, but get them started.”</p><p>These communication techniques work in the case of any crisis, says Darryl Armstrong, crisis communications expert at Armstrong and Associates. 
For example, one of his clients, a company responsible for large cleanup jobs after natural disasters and other hazardous events, used prewritten statements for large-scale incidents to quickly communicate with the media. </p><p>“On the front end, they sat down as a core team and had put together an extensive set of media holding statements,” he says. These holding statements are prewritten messages that refer to specific event types, such as active shooter, fire, or medical hazard, for example. The documents can be easily accessed and modified during a crisis, then quickly sent out to the media and the public. </p><p>He adds that the company also took the time to think about “every single question imaginable” that could come up in a press conference for any given disaster. “There was not a single question in the press conference they were not prepared to handle,” Armstrong says. </p><p>Stakeholders. Communicating with family members of employees, especially those who are killed or wounded, should be a priority for companies after an active shooter event. </p><p>Barton, who helps clients prepare for and respond to active shooter and workplace violence events, tells Security Management that he recently worked for an industrial facility in Tennessee that lost three employees in a workplace shooting. Within an hour after the incident, the employer had contacted all the victims’ families. This should be a standard practice for any company that finds itself in a similar crisis, he says. </p><p>“There is not an ounce of liability associated with being kind to a family after an active shooter event,” he notes. “We have to say to our legal colleagues in HR, ‘This is not about the handbook, this is about the Golden Rule. We have to do the right thing.’”</p><p>Small and family-owned businesses tend to handle these events with more empathy, making for a faster overall recovery, says Armstrong. “In the recovery phase, they make themselves available. 
They go out of their way to do what they can to help the victims’ families, and the communities rally around them,” he notes. </p><p>He adds that universities are another sector that handle communicating with stakeholders well, given that there are usually guidance counselors and psychologists on staff. “Their crisis management teams typically include people who are interacting daily with students and parents, so they are able to empathize.” </p><p>Barton adds that while social media makes a great tool for communicating with the public post-incident, the platform is not appropriate for informing family members of any details. “Shame on any company where an employee’s loss of life is shared with the family by Twitter. That has happened, it will continue to happen, and you must never allow that to happen on your watch.”</p><p>Organizations may consider using “dark websites” that go live in the event of an emergency. When someone types in the main URL for the organization, they are redirected to a ghost site that has the latest information available. Armstrong recommends that organizations set up these pages to have at least 10 times the bandwidth as their normal site to accommodate heavy traffic. ​</p><h4>Recovery</h4><p>A well-prepared organization can continue business operations in the event of a range of hazards, such as bad weather or a fire, and it can build off those same crisis continuity plans when recovering from an active shooter event. “This is one more threat that your organization should be preparing for to determine how you can continue operations,” Hunt says. </p><p><strong>Business operations. </strong>Hunt recommends identifying an off-site location where operations can take place while the building is still being evaluated by law enforcement or damage is being repaired. IT systems should be backed up so they can be accessed from anywhere. 
</p><p>“You need redundancy for roles,” adds Sinai, who says that at least one additional person should be trained in each major position at an organization. That way if someone in a leadership role is killed or injured, their job function is not completely lost. </p><p>Company leaders will still be addressing basic questions of business operations that could easily be overlooked in the aftermath of a tragedy. Barton notes that employees who survive an incident are still worried about their livelihood. “Besides asking who got hurt or was killed, the second thing is, ‘Are we going to be paid?’” he notes. “So we have to have our leadership rehearse and train on a wide variety of questions that will come up.”</p><p>As a benchmark for business recovery, Sinai cites the example of a beer distribution plant in Manchester, Connecticut, that suffered an active shooter event. On August 3, 2010, eight employees of Hartford Distributors were killed by another worker at the facility who was being escorted out of the building after resigning. “It was a small business, it didn’t have the resources of a big company,” Barton says. But this distributor reached out to surrounding companies for help. </p><p>The beer distributor didn’t have a trained counselor on staff, so Manchester law enforcement contacted area businesses to get trauma counselors and ministers onsite. “Know the community resources that can be at your site within an hour after any catastrophe,” Barton says. </p><p>An offsite location was being set up for business operations, but employees protested, saying they felt strongly about returning to the original facility as soon as possible. In the days following the shooting, 100 employees from other beer distribution plants in Connecticut, as well as in Rhode Island, came to assist the company in keeping business operations on track. A memorial service was held for the employees who lost their lives. 
The company president addressed workers on the front lawn, in front of a makeshift memorial, before they reopened their doors. </p><p>Just two months after the tragedy, Hartford Distributors merged with another beer company, Franklin Distributors, forming a larger organization. “The shooting was a very tough thing for all of us to go through,” Jim Stack, president of the new business, said to the Hartford Business Journal in a January 2011 article. “It certainly slowed some things down for us in coming together, but it did not stop us.”</p><p><strong>Emotional response.</strong> The trauma inflicted on those who survive an active shooter incident can be enormous, and experts say that businesses ought to prepare in advance to provide mental health assistance for affected employees. This will help businesses recover more quickly by retaining experienced workers, and provide employees with the emotional help they need. </p><p>Hunt cites the Navy Yard shooting in Washington, D.C., in September 2013, when a shooter killed 13 employees. He says that employees were shaken that an active shooter could breach a secure military installation. “People who were interviewed following that incident were asked, ‘Do you feel safe going back to work?’ and the answer was, ‘No, I don’t feel safe going back to work.’” Hunt notes. “So you have the potential of losing employees, which are your most valuable asset, as a result of this incident.” </p><p>Employees may not show immediate signs of trauma–negative emotions could surface months later. “Depression and PTSD are rarely going to emerge in the first hour. Your body is still in shock,” Barton says. </p><p>Experts stress the importance of employee assistance programs (EAPs), which are confidential and provide counseling, assessments, and referrals for workers with personal or work-related concerns. 
</p><p>“In all 50 states you can mandate that an employee actually go to an EAP program if there was a critical incident,” Barton notes, though he doesn’t recommend it in every case. </p><p>To order an employee to seek counseling, the worker must demonstrate tangible evidence that they may pose a risk of harming themselves or others, Barton says, such as mentioning suicide, a desire to hurt others, or talking about weapons. Employers may decide instead to have a sit-down with that worker and have them sign a letter acknowledging they made the remarks, but understand doing it again could result in termination. “EAP is not your human resources department, they are there to support your HR department,” he emphasizes. </p><p>There will also be organizations indirectly affected by shootings. For example, Barton worked with one financial firm that had a worker lose a family member in a high-profile mass shooting. The other employees struggled with how to respond to him emotionally. The company asked Barton to hold a debriefing to address people’s concerns. </p><p>“I heard it all,” Barton says. “Do you leave a card on the desk? Do you kind of ignore him and just look the other way? Do you come up and say, ‘I have no idea what you went through but my prayers are with you?’” Ultimately, he says you can expect a variety of emotions expressed by employees at businesses both directly and indirectly impacted by these events, including fear, sadness, and even anger. </p><p><strong>Outlook. </strong>Conducting an after-action report may be a good idea for organizations that have suffered an active shooter event, experts say. It not only helps evaluate what worked and what did not in response to an incident, but other practitioners can turn to these documents for their own planning. “It’s very important for a security officer to look at after-action reports and to get best practices out of it,” Sinai says. </p><p>He cites the after-action report completed by the U.S. 
Fire Administration on Northern Illinois University (NIU) after a classroom shooting on campus in 2008. That tragedy left six people dead, including the perpetrator. </p><p>The report cites that NIU had studied the official report on the Virginia Tech Shooting and was prepared for the tragedy that occurred in its own building just a year later. “The value of that report, their training, and their joint planning was apparent in the excellent response to Cole Hall,” the after-action report stated of the university. </p><p>While organizations may recover from a business standpoint, there may be significant changes implemented afterwards. For example, the building that formerly housed Sandy Hook Elementary was torn down, and a new facility was constructed at the same site. That building reopened in August of last year, nearly four years after the shooting. In the case of Virginia Tech, the classroom building where the second shootings took place was turned into a dormitory hall. </p><p>Overall, Hunt says that while organizations can never fully prepare themselves for a tragedy, they can learn from even the worst of situations. “You’re going to identify a lot of areas that can be improved,” he says. “There’s never going to be a perfect plan or a perfect response.” </p><p><em>To read how the city of San Bernardino recovered from the 2015 holiday party shooting that killed 14 people, <a href="/Pages/Responding-to-San-Bernardino.aspx" target="_blank">click here.</a></em><br></p><p>--</p><h2>Active Shooter Liability<br><br></h2><p>In the case of an active shooter, U.S. companies are liable for protecting their employees as in any workplace violence incident. Under the U.S. Occupational Safety and Health Act of 1970, every U.S. employer is required to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees.” U.S. 
state and local provinces may also have their own relevant laws.</p><p>Hunt says companies that suffer a shooting can expect lawsuits. “If a family member is killed or injured here, there’s a high likelihood there will be a lawsuit alleging that not enough was done to prevent the incident, or to protect them during the incident,” he says. The case of disabled workers can also come up. “Someone who is disabled may feel they weren’t appropriately accommodated,” a requirement under the U.S. Americans with Disabilities Act. </p><p>Barton says he believes a little effort and communication goes a long way in helping reduce the severity of a lawsuit when employees are killed. “If you can, reach out to the family with the support of your legal department to simply say, ‘We are here for you,’” he notes.</p><p>In addition to advanced planning, organizations need to carefully document the steps they take in the aftermath to help their case. “There’s going to be a lot of holes in there. But at least say, ‘Here are the steps that we did proactively take to try to manage the incident.’”</p>
https://sm.asisonline.org/Pages/Minor-Migrants.aspx
Minor Migrants
National Security
<p>Germany isn’t the only country switching its focus from accommodating migrants to deporting them. The European Commission ruled at the beginning of the year that European Union (EU) countries will be able to return migrants to Greece, where many of them traveled before moving on. And in October, the EU and Afghanistan signed a joint agreement allowing member states to deport unlimited numbers of Afghan refugees to their home country, despite concerns raised by human rights organizations.</p><p>In the middle of this arduous back-and-forth are thousands of migrant children—often unaccompanied. Thirty-five percent of asylum seekers in Europe last year were minors, according to the United Nations (UN) High Commissioner for Refugees, and 10,000 children have gone missing after arriving in Europe. </p><p>“It is feared that some of these children are being exploited by criminal gangs, due to the often-close ties between human smugglers, who facilitate travel for around 90 percent of the migrants, and criminal networks,” according to an EU Civil Liberties Committee debate on the topic. “These children may be sexually exploited, used for begging, or forced to commit crimes.”</p><p>A lesser-known but equally concerning threat to child refugees is induction into extremist organizations, according to Refuge: Pathways of Youth Fleeing Extremism, a report by counterextremism organization Quilliam. This issue is expected to worsen as more refugees are sent back to stopover nations or to their home countries. 
</p><p>“Some of these areas have extremely dangerous terrorist organizations operating and seeking to prey on and poach these young people, who are being forced back and may be exhausted by the political systems that have let them down,” says Nikita Malik, the leading author of the Quilliam report. She explains that the journey from a country of origin to an asylum country—especially for young people—“isn’t a process from A to Z, it’s multiple nexuses of risk on this journey.” </p><p>Whether it’s in their home countries or along their travels to a safer destination, children are prized as potential recruits, the report shows. “In the eight-month analysis of extremist propaganda, we saw 263 references to refugee youth, so there is an obsession amongst these groups over young people: young boys to become soldiers, and young girls to become mothers for the next generation,” Malik says.</p><p>And while many minors are leaving their home countries due to the threat of being abducted or coerced by these extremist groups, they sometimes end up joining them out of necessity. “We see young people joining up with these groups because of lack of other opportunities,” Malik explains. “It’s not really a theological or educational indoctrination—that tends to come much later. These short-term needs—the fulfillment of basic services such as water, food, and a little money—can sometimes be all it takes for young people to join these groups.”</p><p>When a person leaves his or her country of origin, it’s often not easy to travel straight to a final destination country, Malik explains. 
Most refugees will take a boat or pay smugglers to get them to a safe third country—where they will be registered and often kept in refugee camps for extended periods—before they are put into a system to enter a country of destination, such as the United Kingdom.</p><p>“Many young people who are separated from their parents are put in the hands of smugglers, simply because they tend to show that they know how to take these young people out of areas of conflict into safety zones,” Malik says. “A lot of money and trust is put in these individuals who often abuse this, and then tend to work with radical and extremist networks during the journey.” Most people are forced to pay to make the journey to Europe, and extremist groups often allow refugees to join them to waive the payment. This creates a sense of debt and loyalty to these groups, she explains.</p><p>Because many refugees arrive in sanctuary countries through smuggling networks, they may not register in refugee camps and instead join urban camps or seek illegal employment. This is often a point in the journey where underage refugees “disappear” with no official paper trail, and can easily and unwittingly become involved in human trafficking, child labor, or extremist organizations, Malik says.</p><p> If individuals are able to reach their destination country, they are often put into detention centers and eventually moved to an immigration removal center for long periods of time while their paperwork is processed. Between 2010 and 2015, 853 minors were put in detention centers, Malik notes. Quilliam found that this portion of the journey finds minors most susceptible to recruitment. 
</p><p>“Extremists try to establish contact with refugees inside refugee centers and at local mosques under the guise of providing aid, using opportunities to preach and proselytize among refugees, warning them about Western values and norms whilst promoting negative attitudes towards officials and the public,” the Quilliam report notes. </p><p>Malik explains that at this point in their journey, minors are often suffering from what she calls the politics of exhaustion—they are “simply so exhausted and violated at this point, there aren’t systems or processes in place to include or integrate them, that they just give up or go back right into the hands of these groups they may have wanted not to join in the first place,” she says.</p><p>Even after getting settled at one of the immigration centers, some refugees are still turned away because they are unable to prove that their lives were at stake in their home country, Malik explains.</p><p>“The burden of proof lies on the refugees themselves,” Malik notes. “This can be an incredibly tall order to ask of someone under the age of 18 who is not fluent in the language, who has gone through extreme trauma and violence during their journey, and in the case of women, there might be a cultural stigma that prevents them from talking about sexual violence. As a result, being unable to prove persecution and threats to life will then lead to a refugee being sent back and repatriated.”</p><p>Malik explains that when European countries reject or deport migrants, they are sent back to the sanctuary country they came from, and often those countries repatriate the migrants in the countries they were originally fleeing. This is especially alarming in light of the recent revocation of the Dubs Amendment, a commitment by the United Kingdom to take in 3,000 child refugees. 
Only 350 children will be accepted before the law phases out.</p><p>The Quilliam report identified a number of ways to counteract the recruitment of minor asylum seekers, focusing on training and integration. Malik explains that Safeguarding and Resilience against Extremism (SRE) training is critical for frontline workers in both destination and sanctuary countries to understand what underage asylum seekers have gone through and the threats they face. </p><p>“In conversations I’ve had with [the UN refugee agency] and individuals who work in housing units or refugee camps, they have very little education on radicalization or extremism,” Malik explains. “They simply don’t know when a young person may be preyed upon or groomed by extremist or radical groups.”</p><p>The training would promote better understanding of what refugees have been through and provide officials with the skills to properly document the experiences of refugees, especially children. “SRE training and implementation must treat children as children first,” the Quilliam report notes. “Treating refugee children as asylum seekers first and foremost means that they are not afforded the same rights and protection as any other child in the United Kingdom.”</p><p>If child refugees are eventually accepted in a destination country, it’s imperative to create a strong support system and provide them with basic necessities, including the ability to integrate and contribute to society.   </p><p>“There are extremist organizations in the United Kingdom that can give a sense of solidarity to a refugee, feeding into these negative grievances against foreign policy,” Malik explains. 
“They’re saying, ‘isn’t it terrible that you had to make this journey, you don’t speak the language, people here are unfriendly, the United Kingdom is responsible for what happened in your country in the first place, which is why you had to be separated from your family.’ This is a common tactic to create a sense of community and engagement and friendship. And we should be, as government actors, frontline practitioners, foster parents, teachers, and nurses, filling this gap, but we simply don’t have enough resources or capability to do so.”</p><p>Both the Quilliam report and Malik say that the populist movement has had a major negative impact on what resources are available to refugee settlement organizations, making it more difficult for officials to build these safety nets for children.</p><p>“I think the discourse and rhetoric we’re seeing in political organizations and individuals who have voted for very anti-immigrant policies, starting in the EU with Brexit but also with Trump’s refugee ban, have become incredibly mainstream,” Malik says. “As a result, politicians are tending to have a kneejerk reaction to the integration of refugees.”</p><p>This type of “reciprocal radicalization” can also turn refugees into scapegoats by both the far right and Islamic extremist groups to radicalize others, the report notes.</p><p>“Radicalization and extremism go hand-in-hand with smuggling and trafficking groups and the normalization of violence against young people,” Malik explains. “We have to be focusing on effective policy and programmatic approaches on the ground to provide the right resources to be able to socially integrate individuals. Instead it’s been very much the view that we just won’t take anybody in, and by locking these doors we’re leaving them with little alternative but to return to areas of extreme conflict and be poached by radical and extremist groups.”</p>
https://sm.asisonline.org/Pages/Access-Via-App.aspx
Access Via App
Physical Security
<p>Virgin Money, part of the Virgin Group, is a U.K.–based bank with the goal of innovating how customers experience financial services. Founded in 2007, the bank has several lounges around the United Kingdom that offer free Wi-Fi and coffee for customers, as well as tellers and ATM machines for their banking needs. One of Virgin Money’s newest lounges even has a bowling alley inside.</p><p>“We’re about changing the face of banking…by providing fantastic customer service and facilities,” says Brian Shepherdson, property and facilities manager at Virgin Money.</p><p>With a multibuilding headquarters campus housing nearly 3,000 employees, the bank is always looking for ways to streamline its access control, enhance physical security, and improve the overall flow of business. </p><p>“We have nearly 3 million customers, and one of our key priorities is to make sure their data is safe,” Shepherdson notes. “Knowing who’s in the building and making sure the right people have access is fundamentally important to our business and our customers, as well as to protecting our brand.” </p><p> The bank has used the Honeywell EBI building management software suite since it first opened its campus about 10 years ago. EBI allows the company to manage various aspects of building efficiency and security, including access control. </p><p>In early 2016, Honeywell was looking to conduct testing around the globe of its new Vector Occupant app, which has several building automation and business efficiency components. The app can be used for everything from temperature control to booking meeting rooms. </p><p>Shepherdson says the bank was excited to be a part of a test group, and conversations about installation began in February 2016. 
“As part of the Virgin Group, we’re always looking to innovate and do things differently,” he adds.</p><p><img src="/ASIS%20SM%20Product%20Images/0517%20Case%20Study%20Stats.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:560px;" />Virgin Money was particularly interested in enhancing its access control with the Vector app. While the bank uses physical access control cards for headquarters employees to move throughout buildings on campus, it wanted to provide more convenience for users by supplying digital credentials directly on their smartphones. </p><p>Shepherdson notes that the company’s process for replacing lost badges is burdensome, involving multiple steps and various departments. It also leaves the building vulnerable if an employee fails to promptly report a lost badge. </p><p>“Whereas if you lose your cellphone, you’ll probably be aware quite quickly and you can report that,” he says. </p><p>The Honeywell Vector Occupant App is available for download in app stores for smart devices. From the administrative side, Virgin Money provides a unique username and password for employees to enter once they’ve downloaded the app. </p><p>“Once Vector is set up on a person’s device, the Bluetooth pairing on the device opens the door without contact. You don’t have to swipe a card,” he says. “If my phone is in my pocket, it will open the door when I’m near it.”</p><p>For the past year, about 30 people have been testing the Vector app, and Virgin Money is preparing to launch the app with a final, larger test group, before deploying it across the entire campus. </p><p>“We need to get a reaction to the technology, and use the learning from that to roll it out further,” he notes. </p><p>Testing the technology with a smaller group has had benefits, Shepherdson says. He explains that the Bluetooth access control feature was putting a huge strain on smartphone batteries, which would die quickly when using the app. 
</p><p>“Initially we did experience a high level of drain on the battery, so Honeywell has developed the technology to solve that problem,” he notes. “Honeywell has made various improvements in the background to get through teething problems.” </p><p>From a security standpoint, Shepherdson says there are several benefits to having access control on a phone rather than a physical card. “If you lost your access card on a Friday, you’ll probably wait until Monday to deal with that when you get back at the office,” he notes. “If we lose our smartphone we feel like we’ve lost our hand—that’s how possessive and reliant people are on a smartphone.” </p><p>Virgin Money’s company-issued smartphones already come with an added layer of security around them that the company can control, including strong passcode requirements. Through Honeywell EBI, Shepherdson can add and revoke access to employees using the active directory. </p><p>“If somebody loses a cellphone and reports it quickly, we can then disable their credentials more quickly...we can take away their access,” he says. </p><p>And Vector integrates completely with Honeywell EBI, giving Shepherdson a full administrative picture of who is going where throughout the building. </p><p>“We know who has authorized access to an area and who’s tried to get into an area where they don’t have authorization,” he explains. “A transit report would tell us exactly where they have been, what time they came in, where they went, and what doors they went through.” </p><p>The bank is also testing the temperature control aspect of Vector, a portion of the app that allows building occupants to report their comfort level to building engineers in real time. </p><p>“The Vector app recognizes where you are in the building—for example, meeting room 1—and when you’re in that space, it will give you the option to provide feedback in real time about the temperature,” Shepherdson says. 
</p><p>If there is a general trend from occupants in a particular part of the building, an engineer will further investigate whether something is wrong with the HVAC system. If everything is running fine but several people report feeling hot or cold, the engineer will adjust the temperature. </p><p>Later this year, the organization plans to roll out EasyLobby, a visitor management system through Honeywell EBI that prints a barcode for visitors or contractors. </p><p>“Similar to when you get a boarding pass for air travel—an email with a barcode in it—we are looking to migrate our visitor and contractor experience to receive a notification linked to Honeywell’s access control system,” Shepherdson notes. They can present that barcode and receive access to the specific buildings they need on campus. </p><p>Shepherdson says that the Vector app not only improves security, but also increases business efficiency for Virgin Money employees. “This product is very much a convenience for people, rather than a barrier.”</p><p><br></p><p>For more information: Julio Ampuero, julio.ampuero@honeywell.com, www.honeywell.com, 480/606-9569 ​</p>
https://sm.asisonline.org/Pages/Senegal-Steps-Up.aspx | Senegal Steps Up | National Security<p>A few years ago, the Rockefeller Foundation initiated the international resilience project Resilient Cities (100RC), which was aimed at building resilience in cities around the world. Close to 70 cities were selected as members, and 20 of these cities released their own resilience strategies. </p><p>Now Dakar, Senegal, has become the first city in Africa to release its own city resilience strategy. The move is significant because it shows how even economically struggling cities may be looking toward resilience practices, not only to be prepared in a crisis, but also to help with their development process. </p><p>“The implementation of the resilience strategy [will] enable the city to not only anticipate and resist shocks, risks, and constraints, but to act on the socio-economic dimension in order to improve the living conditions of its citizens,” Dakar Mayor Khalifa Ababacar Sall said in the new 100RC report. </p><p>Overall, 100RC member cities take a broad approach to resilience. The approach includes not just preparing for recovery from natural disasters, like storms, earthquakes, and fires, but also the stresses that weaken the fabric of a city on a day-to-day or cyclical basis.</p><p>Dakar, Senegal’s capital city, is located at the westernmost part of the African continent, and so it serves as a geographic junction point between Africa, Europe, and the Americas. It is also the fifth most populated city in West Africa, with a population estimated at 3.3 million in 2015. At the current rate of growth, Dakar’s population is expected to double by 2025. 
Residents younger than 35 make up 72 percent of the city’s population.</p><p>The city’s challenges include a youth unemployment rate of nearly 17 percent; roughly 30,000 child beggars, many of whom live on the streets; and rising sea levels that will threaten more than 300 buildings and 60 percent of this coastal city’s beaches by 2080.   </p><p>Given these problems, Dakar’s resilience strategy is starting from square one, with one of its first planned initiatives aimed at raising awareness of the concept of resilience in Dakar. It plans to do this by introducing the concept in schools, creating a system for citizen feedback on resilience efforts, and exploring early warning tools that would provide residents with access to information in real time about imminent shocks. </p><p>Other primary objectives of Dakar’s resilience program are to improve the physical environment for residents, position the private sector as a resilience partner, and leverage energy-efficient technologies to support the city. </p><p>Since Dakar is a microcosm of the challenges faced by many African cities, it could serve as a prototype and testing ground for local solutions to problems posed by rapid and complex urbanization. </p><p>“Dakar hopes to accelerate its evolution to become a model African city, which will have successfully aligned its rich heritage to opportunities that the 21st century offers,” the report says. ​</p>
https://sm.asisonline.org/Pages/Facebook-Takes-Action-To-Limit-Spread-of-Propaganda.aspx | Facebook Takes Action To Limit Spread of Propaganda | Strategic Security<p>Government exploitation of Facebook to spread propaganda is causing the social media titan to change its security posture to limit the practice, the company announced in a whitepaper.<br> <br>On Thursday, Facebook published <em><a href="https://fbnewsroomus.files.wordpress.com/2017/04/facebook-and-information-operations-v1.pdf?utm_source=MIT+Technology+Review&utm_campaign=b88621b487-The_Download&utm_medium=email&utm_term=0_997ed6f472-b88621b487-154388589">Information Operations and Facebook</a></em> to address the increasing role it’s playing in facilitating civil discourse and the changes it’s making to detect and respond to information operations—actions taken by organized actors, such as governments, to distort domestic or foreign political sentiment to achieve a strategic or geopolitical outcome. This is done by spreading false news or disinformation, or by using a network of fake accounts to manipulate public opinion (false amplifiers).</p><p>“In brief, we have had to expand our security focus from traditional abusive behavior, such as account hacking, malware, spam and financial scams, to include more subtle and insidious forms of misuse, including attempts to manipulate civic discourse and deceive people,” the white paper said. 
“These are complicated issues and our responses will constantly evolve, but we wanted to be transparent about our approach.” <br> <br>Facebook is taking this step because it’s observed three major features of online information operations on its platform: targeted data collection, content creation, and false amplification. <br> <br><ul><li><strong>Targeted data collection: </strong>Goal of stealing, and often exposing, non-public information to provide opportunities for controlling public discourse.<br></li><li><strong>Content creation:</strong> False or real, either directly by the information operator or by seeding stories to journalists and other third-parties, such as through fake online personas.<br></li><li><strong>False amplification: </strong>Coordinated activity by inauthentic accounts with the intent of manipulating political discussion. <br></li></ul> <br><strong>Targeted Data Collection</strong><br>During the past few years, Facebook said it has seen an increase in malicious actors targeting individuals’ personal email and social media accounts to steal information from them. <br> <br>“While recent information operations utilized stolen data taken from individuals’ personal email accounts and organizations’ networks, we are also mindful that any person’s Facebook account could also become the target of malicious actors,” the whitepaper explained. “Without adequate defenses in place, malicious actors who were able to gain access to Facebook user account data could potentially access sensitive information that might help them more effectively target spear phishing campaigns or otherwise advance harmful information operations.”<br> <br>To prevent targeted data collection, Facebook is providing security and privacy features to users—including two-factor authentication. 
It’s also sending notifications to individuals—that Facebook is aware of—who have been targeted by sophisticated attackers, sending proactive notifications to people Facebook thinks might be targeted by malicious actors in the future, communicating directly with likely targets, and working with government bodies responsible for election protections to notify and educate users who might be at risk.<br> <br><strong>False Amplifiers</strong><br>False amplifiers are motivated by ideological, rather than financial, incentives. Sometimes their goal is to push a specific narrative, but other times their true motivations are more complex and can involve promoting or denigrating a specific cause or issue, sowing distrust in political institutions, or spreading confusion.<br> <br>“There is some public discussion of false amplifiers being solely driven by ‘social bots,’ which suggests automation,” Facebook said. “In the case of Facebook, we have observed that most false amplification in the context of information operations is not driven by automated processes, but by coordinated people who are dedicated to operating inauthentic accounts.”<br> <br>To tackle this problem, Facebook is increasing its protections against manually created fake accounts and using analytic techniques—including machine learning—to find and disrupt abuse. It’s also enhancing its capability to respond to reports of abuse, to detect and remove spam, to identify and eliminate fake accounts, and to prevent accounts from being compromised. Additionally, Facebook is improving its ability to recognize inauthentic accounts by identifying patterns of activity.<br> <br>“For example, our systems may detect repeated posting of the same content, or aberrations in the volume of content creation,” the whitepaper explained. “In France, for example, as of April 13, these improvements recently enabled us to take action against over 30,000 fake accounts.”</p>
https://sm.asisonline.org/Pages/Cinco-Acontecimientos-que-Moldearon-la-Gestión-de-Crisis.aspx | Five Events That Shaped Crisis Management | Strategic Security<p><strong>1) Deepwater Horizon.</strong> When the Deepwater Horizon rig exploded off the coast of Louisiana in 2010, 11 workers died and more than 5 million barrels of oil were spilled into the Gulf of Mexico. British Petroleum’s insistence on blaming other parties backfired, and the various entities involved became adversaries. BP’s strategy was seen as an attempt to escape its responsibilities. Remember: rehearse, practice, train; especially with your partners.<br> <br><strong>2) Exxon Valdez.</strong> The spill of 10 million gallons of oil into Prince William Sound caused by the tanker Exxon Valdez in 1989 continues to be a source of litigation and disputes. ExxonMobil initially refused requests from the press, until its president finally decided to give an interview. When he did, he came across as mediocre and unprepared. Remember: companies must have a bench of trained spokespeople prepared to respond to the inevitable requests from the press. Refusing to speak with the media is never an option.<br> <br><strong>3) Piper Alpha.</strong> In July 1988, an explosion on the Piper Alpha platform, in the North Sea, took the lives of 167 men. Occidental Petroleum Corporation did not have a local response team, so the police took on the role of reporting the fatalities as well as the injuries that occurred (even though United Kingdom law only requires the police to notify deaths, not injuries). The slowness of the process led to Occidental being accused of not caring about its employees and their families. Remember: major incidents require a coordinated response.<br> <br><strong>4) Pan Am.</strong> The bombing of Pan American World Airways Flight 103 over the town of Lockerbie, Scotland, in 1988 killed 243 passengers, 16 crew members, and 11 people on the ground. Because it was a terrorist attack, Pan Am made the deliberate decision not to communicate about the disaster, because it considered itself the victim and not “the villain.” The media turned to the grieving relatives in place of the company, whose silence ensured that it would ultimately become the villain. Remember: regardless of the cause of the incident, institutions must take part in all rescue and response efforts. Organizations cannot be victims.<br></p><p><strong>5) Miracle on the Hudson.</strong> In 2009, US Airways Flight 1549 made an emergency landing in the Hudson River, allowing 150 passengers and 5 crew members to be evacuated safely. The airline chose to focus on the heroic actions of its crew and took advantage of the event by publicly praising its “five outstanding aviation professionals.” Although the story could have been different had there been fatalities, the incident enhanced the organization’s reputation. Remember: you can set the narrative of your crisis.</p><p><em>Andrew Griffin is CEO of the global crisis management consultancy Regester Larkin.</em><br></p>
https://sm.asisonline.org/Pages/Book-Review---Disasters-and-Public-Health.aspx | Book Review: Disasters and Public Health | National Security<p>This book represents the rare case where the sequel is better than the original. The second edition of <em>Disasters and Public Health: Planning and Response</em> is a good primer for public health, emergency management, and security professionals. In particular, security officers also responsible for safety may find this book helpful in understanding common threats and hazards, applicable alert and warning conditions, and rudimentary mitigation, preparedness, and immediate actions. </p><p>Like a textbook, the book organizes each chapter into the same structure: a brief case study to introduce the topic, learning objectives, an explanation of the threat or hazards discussed in the chapter, definitions, health considerations, and preparedness and immediate response and recovery actions. The consistent format makes the book easy to use as a reference. Where applicable, the authors insert additional sections. For example, they include a discussion of medical countermeasures for nuclear and radiological hazards, a discussion of labeling systems for chemical hazards, and recommended warning messages for different groups during winter weather hazards. </p><p>The second edition adds several new chapters on threats and hazards not addressed in the earlier edition, including chapters on emerging infectious diseases and foodborne illnesses. Several original chapters have been updated, and many examples have been updated to reflect recent historical events. There are also new chapters reflective of recent concerns for public health and emergency managers, considering topics such as resilience, at-risk populations, and disaster behavioral health. 
</p><p>While many of the discussions related to public health are United States–centric, the recommendations and messages may be applied globally. The chapter on community disaster resilience introduces a number of international sources to support the development of resilience strategies, and the examples, likewise, are broader, discussing Chernobyl, the early 2000s European heat waves, and the 1991 eruption of Mount Pinatubo, among others.  </p><p>The case studies that open each chapter, while illustrative and applicable, are not intended as in-depth analyses, often providing only short summaries of the responses. Preparedness and response, however, are thoroughly addressed in the detailed explanations of the hazards and threats themselves, and more detailed cases are often included in the chapters. </p><p>The material is informative, simple, and easy to understand for the non-expert. For example, the chapter on at-risk populations provides simple examples of populations that might be at risk and why. The list is comprehensive, if not complete, and while much of the information is common sense, it is an extremely useful list to have on hand as a reminder of who might be affected, by what, and why. Similarly, most chapters provide a list of hazard-related definitions to help the reader understand, for example, the differences between corrosive and oxidizing chemical agents.</p><p><em>Disasters and Public Health: Planning and Response </em>purports to detail lessons learned. Lessons are there, but the reader will have to look for them because they are often buried in the text. The lessons are geared towards preparedness and response and include both general public guidance and information for the response communities. 
For example, lessons learned in the chapter on Tornadoes and Thunderstorms are provided as messages for the community, including “Do not try to outrun a tornado in a car.” Similarly, lessons from previous foodborne outbreaks are listed as food safety measures. All in all, this text provides both useful threat and hazard introductions and lessons and actions that even seasoned security professionals can benefit from.</p><p><em><strong>Reviewer: Dr. Deena Disraelly</strong> is a research staff member at the Institute for Defense Analyses and an adjunct professor at The George Washington University School of Engineering and Applied Science. She has more than 20 years of experience in emergency management and serves as the chair of the ASIS Global Terrorism, Political Instability, and International Crime Council.</em></p>
https://sm.asisonline.org/Pages/Cultivate-Engagement.aspx | Cultivate Engagement | Strategic Security<p>Each day, pollsters at the Gallup company monitor the upticks and downticks of America’s pulse. They track large-scale indicators like the country’s unemployment rate, the citizenry’s economic confidence, and the president’s approval rating. But among these tracked statistics at Gallup.com Daily lies a less publicized marker: what percentage of U.S. workers say they are engaged at their jobs? </p><p>For managers, the answer may be discouraging: only about one-third of American workers are engaged on the job, Gallup now finds. The employee engagement rate has stayed in that low range for the last 15 years—from 26 percent (on a yearly average basis) in 2000 to 33 percent in 2016, according to Jim Harter, chief scientist of Gallup’s international workplace management and well-being practices.</p><p>Actively disengaged employees cost the United States $450 billion to $550 billion per year, according to Gallup’s research. Employee disengagement can increase turnover, pollute office culture, and lead to more mistakes in the workplace—the last of which can be dangerous in the security industry, where oversights and errors can result in damaging breaches.   </p><p>Conversely, Gallup researchers found that organizations that successfully sustain high employee engagement reap serious benefits. On average, profitability is 22 percent higher; productivity, 21 percent higher; absenteeism, 37 percent lower; and there are 48 percent fewer staff safety incidents.</p><p>Moreover, experts say there are many best practices that organizations and managers can follow to maximize employee engagement. 
From strength building to safe-space dialogue to stronger mission connection, a security manager’s approach and an organization’s leadership can make all the difference.​</p><h4>Energy and Flow</h4><p>Employee engagement is not a new workplace concept; it has been discussed and studied for more than 25 years. But with more and more recent research illustrating its benefits, and the hazards of disengagement, the concept of employee engagement is now “much more integrated into how we look at work,” says management expert David Zinger, a Canada-based consultant who runs The Employee Engagement Network, an online resource. </p><p>Zinger and other experts argue that Gallup’s methodology (a 12-question survey that poses core value questions such as “at work, do I have the opportunity to do what I do best every day”), leads to exceedingly low engagement scores. Other methodologies put the U.S. employee engagement rate at about 50 percent, these experts say. Still, almost all agree that whatever metric is used, the rate is still too low.   </p><p>By definition, employees who are engaged are usually involved in and enthusiastic about their work, and are making valuable contributions to their organization. Bob Kelleher, an expert who runs The Employee Engagement Group consultancy, says he thinks of engagement as a successful partnership between an employer and employee.</p><p>“The employer is helping the employee reach his or her potential, while the employee is helping the employer reach its potential,” he explains. “It’s the ultimate win–win. The byproduct is this partnership is a discretionary effort.”</p><p>And that discretionary effort from the employee often comes naturally, because of the positive energy generated by simply being engaged. </p><p>“When an employee is engaged, they experience a state of flow. They are energized. They are learning. They have fun,” says Pi Wen Looi, a workplace expert who heads the Novacrea consulting firm. 
“As a result, they are more likely to recommend their company as a great place to work, stay longer with the company, and go above and beyond their role.”​</p><h4>Natural Selection</h4><p>Managers play a crucial role in maximizing employee engagement in the workplace—and that management effort should start with the hiring process, experts say. </p><p>Looi mentions recent research she was involved in that was aimed at identifying employees’ sense of purpose to help them find jobs that were in tune with their personal values. The research showed how an employee-employer values alignment at the start led to greater engagement. </p><p>“If you want to have engaged employees, you’ll need to make sure you are recruiting the right talent—a passion and value match, a culture fit, and with the right skills,” she says.</p><p>In part, that’s because high salaries are ultimately not enough to ensure high engagement, she adds. “What motivates employees comes from their own heart. You may have market competitive pay and benefits, but these extrinsic motivators are not sufficient to propel employees forward,” she explains. “It’s the intrinsic motivators such as pursuing their values and passion, continual learning, and building good relationships with peers that will keep a person going and thriving.”  </p><p>Kelleher illustrates this by using the acronym BEST. Employers tend to hire for the middle two letters, education (E) and skills (S), in hopes that they will be the most reflective of performance. But it is the first and last letters, behaviors (B) and traits (T), that best reflect employees’ values. </p><p>Since a values alignment is key to engagement, employers should also focus on behaviors and traits in the hiring process. Sometimes, disengagement is the result of the fact that the values of the company and the employee were never a match. “I often tell clients, ‘You don’t have an engagement issue, you have a selection issue,’” Kelleher says. 
</p><p>The importance of the hiring and selection process also applies to managers, Gallup’s Harter says. Many who become managers don’t yet have the skills and training to be effective. </p><p>“A lot of people are put into the role because they are successful in a previous position, but that position was not a managerial one,” he says. “Or, they are selected because they have been around a long time in the organization, so it becomes a rite of passage.”</p><p>Indeed, based on his decades-long study of engagement and the U.S. workplace, Harter says that sound manager selection is one of the three most effective ways an organization can increase engagement. The other two ways are managerial practices—a focus on building employee strengths, and a sustained two-way coaching dialogue between managers and employees.  </p><p>These last two ways are effective in part because they are being driven from below, Harter explains. Newer workers, the 20- and early 30-somethings who are members of the millennial generation, “want a coach type of manager who focuses on strength-based development, as opposed to a manager who is an expert in their weaknesses,” he says. </p><p>In a strengths-based workplace culture, employees often learn their roles more quickly, produce better work, and are more engaged, he adds.</p><p>In its own recent research, Gallup found that 67 percent of employees who say that their manager focuses on their strengths are engaged, compared with only 31 percent of the employees who say that their manager focuses on their weaknesses.​</p><h4>Continual Conversation</h4><p>Besides a strength-based approach, younger workers are also asking for a managerial approach that does not focus on a once-a-year performance review, but features a continuous two-way conversation in a coaching manner, Harter says. </p><p>Other experts agree. 
Zinger, who consults on employee engagement around the world, says that one commonality he has noticed is that employees in virtually every country want their managers to care about them. Kelleher also stresses this. </p><p>“Empathy is a significant leadership competency—especially in 2017,” Kelleher says. “Employees who think their employers care about them as people are more likely to give above and beyond.”  </p><p>A 2016 Gallup report, What Great Managers Do to Engage Employees, drew the same conclusion. </p><p>“A productive workplace is one in which people feel safe…enough to experiment, to challenge, to share information, and to support one another,” the study finds. “In this type of workplace, team members are prepared to give the manager and their organization the benefit of the doubt. But none of this can happen if employees do not feel cared about.”</p><p>This feeling of being cared about is built through regular conversation, during which the manager learns about the values, goals, and passions of the employee. </p><p>“Conversations are in many ways the lifeblood of the organization,” Zinger says. But they do not have to take up hours and hours every week. Some days, brief check-ins are fine, and help maintain engagement.  </p><p>“Some managers may think, ‘Oh my gosh, I have so much on my plate. Now you want me to have these conversations?’ But it can be as quick as 45 seconds,” Zinger explains. Even a short text or email can be productive, he adds. </p><p>Gallup’s Great Managers study confirmed this link. It found that consistent communication—whether it occurs in person, over the phone, or electronically—is linked to higher engagement. Employees who have regular meetings with their managers are almost three times as likely to be engaged, compared with workers who don’t, the report found. </p><p>Moreover, these conversations are a good opportunity for managers to draw attention to employees’ accomplishments. 
Here, Kelleher’s advice to managers is simple: “Recognize, recognize, and recognize.”</p><p>“Recognition is a significant engagement driver. It is almost always free, has lasting impact, and managers tend to see a replication of the positive results that they are looking to recognize,” he says. “There is simply no downside.”  </p><p>In addition to conversation, a manager’s behavior is also important because it can have a mirroring effect, Zinger says. Based on that behavior, it’s easy for employees to see how connected a manager is to his or her own work, and the organization at large. A manager who encourages engagement, but is cynical or uncaring in his or her own work relationship will be quickly seen as inauthentic. </p><p>And the mirroring effect can work both ways, he adds. Let’s say a security manager has a staff of 10, and two of the 10 workers seem disengaged. Out of frustration, the manager may start avoiding and minimizing his or her conversations and interactions with them. In effect, the manager is following the employee’s lead; from the employee’s point of view, the manager is becoming disengaged.  </p><p>Finally, Kelleher advises managers to establish what he calls “a line of sight” between an employee’s work and the mission of the organization. To do this, managers need to explain where the company is going and its vision for the future; the strategy for how the company intends to get there; and how the employee’s work is a part of that. </p><p>“Line of sight is critically important to engagement. Employees should not be working in a vacuum,” he explains. ​</p><h4>What Organizations Can Do</h4><p>Managers are not the only ones who influence employee engagement. Organizations as a whole, through both their policies and executive leadership, can also have a significant effect, experts say. </p><p>For example, a company may want to consider reworking its performance review process so that engagement is discussed during reviews. 
These should be two-way, safe-space conversations, in which employees are comfortable talking about when they feel disengaged, for what reasons, and what could be done differently. </p><p>“Frame performance conversations as a way to look forward and help employees grow, not as a backward-looking, punitive means,” Looi says.</p><p>Some organizations may even want to consider replacing annual performance reviews with robust monthly check-in conversations that focus on the development of the employee. </p><p>“Get rid of the intimidating phrase ‘performance appraisals’ and replace it with a new forward-looking phrase—‘the employee development planning process,’” Kelleher says. </p><p>The organization’s executive leadership, not just middle managers and human resources staff, should also be focused on engagement. Successful companies, experts say, are often proactive on engagement; their leaders are focused on making their firm more attractive in the eyes of the employees, so that more workers will be committed to their jobs. </p><p>Some of these successful companies conduct informal stay interviews with staff. Instead of an exit interview, in which managers try to find out why employees are leaving, managers conducting stay interviews try to find out what it would take for an employee to stay. </p><h4>The Future Is Now</h4><p>While Gallup’s U.S. engagement rate has been at or below 33 percent for most of the last 15 years, some experts do see signs that employee engagement may improve in upcoming years. </p><p>Looi points to research advances in behavioral economics and nudge theory, which can be used to improve workplace cultures so that greater engagement is inherently encouraged. </p><p>“When applied appropriately and ethically, you can use nudges to increase employee learning, performance, and engagement,” she says. 
(For more details on nudge theory see “Management Trends,” by Sean Benson, CPP, in the September 2016 issue of Security Management.)</p><p>Zinger explains that Fitbit-like devices that measure engagement, by way of physical indicators that signal when employees are holding their phones or sitting in a chair, may become more commonplace.  </p><p>And Harter, who describes himself as “hopeful,” sees new workers continuing to transform the U.S. workplace. The millennial generation, which has been driving an increased focus on engagement, will make up three-quarters of the nation’s workforce in just over a decade, according to demographic projections. This generation is keen on being engaged with work that has a purpose, and that is a positive reflection on their values. Studies show, for example, that recent MBAs with high earning power will work for a significantly lower salary if they truly believe in their jobs.</p><p>“There’s not as much separation between work and life. People want their work to be representations of who they are,” Harter says.</p>
https://sm.asisonline.org/Pages/The-Evolution-of-Airport-Attacks.aspx
The Evolution of Airport Attacks
National Security
<p>The bustling Brussels Airport in Zaventem, Belgium, handles more than 500 flights a day, bringing more than 27,000 passengers into the facility with approximately the same number departing. Mornings are particularly busy at the airport, and amid the flurry of activity, it is little wonder that on March 22, 2016, three men emerging from a taxi outside of the departures hall passed through unnoticed. </p><p>The trio loaded their heavy suitcases onto baggage carts and entered the flow of people heading through the doors toward the ticket desks. Shortly after they entered the departures hall, the three split up to take their places in separate ticket lines.</p><p>Three minutes later, one of the men detonated his suitcase bomb, which had been packed with nails, as he stood in one of the check-in lanes. Approximately nine seconds after that, the second man detonated his suitcase bomb in another lane. The third suitcase bomb did not detonate immediately; surveillance camera footage showed that after being thrown to the ground by the second blast, the third man, Mohamed Abrini, simply got up and walked away from the airport toward the city center. </p><p>It is unknown whether he left because he got cold feet or because his device failed to detonate, but he was later arrested and charged with participation in the attack. Police bomb technicians destroyed Abrini’s bomb-filled suitcase, which they report may have been the largest of the three, in a controlled explosion. </p><p>The attack at Zaventem resulted in 17 deaths. Another 14 victims were killed when a fourth suicide bomb was detonated an hour later in a subway train at the Maalbeek metro station in Brussels. The coordinated attack was the deadliest in Belgian history. 
It was also a lethal reminder of the continuing threat to the soft parts of airports outside security checkpoints. ​</p><h4>Evolving Tactics<img src="/ASIS%20SM%20Callout%20Images/0417%20Feeature%204%20Infographic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:466px;" /></h4><p>The air transit system has been considered a prime target since the beginning of the modern era of terrorism. From a terrorist’s perspective, hundreds of people trapped inside a pressurized metal tube at 30,000 feet are ideal targets not only because the victims are so vulnerable, but because of the heavy media coverage such attacks generate. </p><p>For example, the photos of TWA 847 pilot John Testrake in the plane’s cockpit window being held at gunpoint by a Hezbollah hijacker became some of the most iconic images of 1980s terrorism.</p><p>Terrorist threats to aircraft spurred a series of security improvements, which were in turn answered by changes in terrorist weapons and tactics. The evolutionary—and deadly—game of cat-and-mouse between terrorist planners and aviation security officials has been occurring since the 1960s.</p><p>Initially there was very little security provided to the air transportation system, but a sharp increase in commercial airline hijackings in the 1960s and early 1970s led to enhanced airline security in the United States and Europe. High-profile hijackings led to greater and more widespread improvements to aviation security worldwide. </p><p>As hijackings became more difficult to conduct, terrorists began to direct their attention to aircraft bombings. Palestinian bombmakers created plastic explosives to look like everyday items in increasingly elaborate efforts to bring them onto aircraft undetected. The result was a number of airline bombing plots in the 1980s using concealed devices. </p><p>In 1987, North Korean agents destroyed a plane using a device hidden inside a radio to set off liquid explosives hidden in a liquor bottle. 
In another incident in 1986, explosives and the detonating device were hidden in a suitcase under a false bottom and a pocket calculator. Security detected the device before it could be taken aboard the plane. </p><p>Perhaps the most famous of these bombings was Pan Am Flight 103 in 1988, a bombing that killed 243 passengers, including two of my colleagues, U.S. Diplomatic Security Service Special Agents Dan O’Connor and Ron Lariviere. </p><p>Despite security improvements, terrorists continued to focus on attacking aircraft. In 1994, an attacker assembled a bomb in the aircraft lavatory and left it on board when he deplaned at an intermediate stop on the flight’s course. The bombing was a dry run for a more complex strike against multiple airlines. </p><p>When security measures were improved in the 1990s to defend against this style of attack, terrorists adapted once again. While planning the 9/11 attack, hijackers used permissible carry-on items—like box cutters—to hijack planes and turn them into human-guided cruise missiles. </p><p>In response to post-2001 security crackdowns to protect against that type of attack, jihadists again shifted their tactics toward onboard suicide attacks with hidden bombs. The first of these was the failed December 2001 shoe bomb attack. When security officers began screening shoes routinely, aspiring airline bombers then shifted to a plot to fill camouflaged toiletry containers in carry-on baggage with liquid explosives.</p><p>The U.S. Transportation Security Administration subsequently introduced restrictions on the quantity of liquids that passengers could bring aboard an aircraft, and, in turn, a jihadist attempted an attack with a device that was sewn into a suicide operative’s underwear. </p><p>Once security measures were amended to address the threat of underwear bombs, attackers turned to cargo aircraft, hiding improvised explosive devices in printer cartridges bound for the United States. 
</p><p>And the deadly escalation continues today. In November 2015, a bomb concealed in a soda can was smuggled onto an airliner in Egypt, killing 217. Three months later, another bomb, this one disguised in a laptop, was smuggled aboard a flight in Somalia. Fortunately, that bomb only killed the suicide operative when it detonated and the aircraft was able to return to the airport for an emergency landing.</p><p>However, not all attacks on aviation involve hijacking or smuggling bombs aboard aircraft. Just as terrorists adjusted for heightened security at embassies by targeting traveling diplomats, attackers have found ways to attack airline passengers even as it has become more difficult to attack aircraft. </p><p>Back in the mid-1980s, terrorists attacked crowds of airline passengers beyond the confines of airport security at ticket counters in Rome and Vienna. In November 2002, al Qaeda operatives attempted to attack an Israeli airliner in Kenya with a surface-to-air missile. A 2011 attack at Moscow’s Domodedovo airport took advantage of the facility’s soft areas, as did the Brussels attack. </p><p>In the wake of the Rome and Vienna attacks, perimeter security at airports in Europe was temporarily increased, but due to the cost and effort involved, soon reverted to business as usual. </p><p>Similar short-term increases in security posture at airports across the globe were seen in the wake of the 9/11 attacks and to a lesser extent following Domodedovo.  </p><p>The targeting of the soft side of airports is especially attractive to grassroots groups and individuals who lack the ability to construct bombs sophisticated enough to be smuggled through security. 
</p><p>The July 4, 2002, armed assault against a ticket counter at Los Angeles International Airport and the June 2007 attack against the Glasgow Airport using a poorly constructed vehicle bomb are examples of attacks against the soft side of airports by poorly trained grassroots jihadists.​</p><h4>Expanding Danger</h4><p>In response to recent attacks in Brussels and Istanbul against the soft side of airports, security has again been increased. However, in many places this increased security is not much more than a show of force intended to reassure the traveling public and to perhaps deter poorly trained would-be terrorists. Without names or bag checks, it is difficult to keep a professional terrorist—especially one who has a ticket—away from the facility. </p><p>In some places, more thorough checkpoints have been established away from the airport to conduct initial screening. This tactic can be quite effective at smaller airports, but cumbersome at larger, busier airports where the heavy volume of travelers causes a backlog at the inspection point, thus effectively pushing the target away from the building to the crowd of people awaiting screening.   </p><p>It is important to remember that the objective of terrorist planners is to create a high body count and a large amount of publicity. This means that an attack against the soft side of an airport can be almost as good as an attack against an aircraft, and a successful attack against an airport is better than a failed or thwarted attack against a harder target. </p><p>As the security at airports is pushed outward in response to attacks against the soft sides of airports, and checkpoints are established away from the building, this merely moves the real target—the vulnerable group of people awaiting screening from inside the building—to an area outside of it.   </p><p>This principle was demonstrated during the June 28, 2016, attack against Istanbul’s Ataturk International Airport. 
In that attack, three operatives armed with AK-47s and suicide vests launched an attack on the soft side of the airport. Coming in the wake of the Brussels attack, and due to the overall high terrorist threat inside of Turkey, security was increased at Turkish airports, and armed security checkpoints were established at the entrances to the departure hall to prevent terrorists from entering the hall like they did in Brussels. </p><p>Shortly after the three attackers exited their cab outside the departure hall, they were confronted by police and a firefight erupted between the police and the attackers. The first operative was able to approach the security checkpoint and detonate his device amid the crowd. This device shattered a large window that permitted the second attacker to enter the building and begin searching for a crowd of people to target with his suicide bomb. </p><p>Fortunately, the second attacker was shot and immobilized before he could do so. The third attacker was pursued by the authorities and detonated his device in a parking lot, causing minimal damage like the second bomber. Between the gunfire and the first bomb, however, 45 victims were killed—nearly three times more than in Brussels. The bulk of the victims were outside the security checkpoint at the door to the departure hall. ​</p><h4>Staying Ahead of the Game</h4><p>Moving the security checkpoint outward from the airport simply moves the chokepoint outward, and the crowd of people waiting to get through that checkpoint remains vulnerable. This principle applies to many circumstances and locations beyond airports as well, posing a significant challenge to security professionals. While not an easy problem to address, some methods exist to mitigate the threat.</p><p>First, static security checkpoints themselves are not enough. It is necessary to establish outward-looking protective surveillance that extends beyond the property line. 
This surveillance also needs to focus on preoperational surveillance rather than just attack recognition. Once the attackers start shooting or detonating bombs, it can be helpful to quickly counter them and limit their access to additional victims, but it is far better to catch them at an earlier phase of the terrorist attack cycle. </p><p>Many large international airports are using surveillance technology that identifies suspicious behavior and alerts operators. The information collected by these programs can be shared with nearby airports, allowing them to keep an eye out for similar activity on their premises. </p><p>Terrorists often follow an attack planning cycle and are vulnerable to detection as they conduct the surveillance they require to carry out an attack. Terrorist operatives generally possess poor surveillance tradecraft and are not difficult to spot if people are looking for them. </p><p>But cops or soldiers manning a checkpoint at a door are not normally well positioned to spot such activity. This, ideally, needs to be accomplished by specialized units that have been trained in the craft of detecting surveillance and who are not tasked with manning checkpoints. Teams such as these will patrol parking areas and other spaces further away from the airport to identify potential threats.</p><p>This type of technology and information sharing between airports is imperative because attackers may scope out multiple facilities in a region. It is important for security teams at different airports to foster information sharing by alerting their counterparts to anomalous behavior.</p><p>Surveillance must also go beyond the use of cameras and should use a combination of human agents and cameras integrated with analytic software that can be used to help expand and direct the efforts of the humans. Cameras with nobody watching them are little better than no cameras at all. 
They may be useful for investigating an attack after the fact, but will be of little help in preventing an attack.  </p><p>Even in a case where the preoperational surveillance is missed and an attack is underway, personnel located beyond checkpoints can help to see problems as they are developing rather than allowing attackers to gain tactical surprise by permitting them to have free rein in areas where they can assemble and coordinate their attack.  </p><p>Furthermore, undercover operators can enjoy tactical surprise themselves and are in a great position to turn the tables on the attackers. Action is always faster than reaction, and if the attackers are permitted to draw and shoot first, it gives them a significant advantage over security forces. </p><p>A failed attack against a soft target venue in Garland, Texas, in May 2015, showed that security personnel manning the door of a facility can gain a life-or-death advantage in a firefight if they have advanced warning and a description of a potential threat. </p><p>In the Garland case, the FBI alerted local authorities of a potential threat to the event and provided the suspect’s vehicle description. This passing of critical intelligence prepared local officers for an impending attack. It also highlights the importance of intelligence sharing both horizontally and vertically within the law enforcement and security communities as they seek to secure airports and other soft targets.  </p><p><em><strong>Scott Stewart </strong>is vice president of tactical analysis at Stratfor.com and lead analyst for Stratfor Threat Lens. ​</em></p>
https://sm.asisonline.org/Pages/Redefining-Loss.aspx
Redefining Loss
Physical Security
<p>The world of retail has relied on the word “shrinkage” for more than 100 years to describe the losses companies experience as they go about their business. Shrinkage, however, is almost a euphemistic term describing a simple contraction in the size of the stock held by a company, without offering any real sense of what the cause might be. </p><p>In this way, the term is similar to “shoplifting”—a rather benign term often used by the industry to describe people actively engaging in criminal acts of theft in stores. For comparison’s sake, you rarely see burglars or robbers described as houselifters or purselifters.</p><p>Four buckets of loss tend to be included in survey descriptions of what shrinkage is: external theft, internal theft, administrative or process errors, and vendor fraud. The term “administrative error or process failures” is particularly vague; depending upon the type of retailer and the types of products sold, it can potentially cover an enormous array of types of loss, including damage, spoilage, product going out of date, and incorrect price adjustments. </p><p>A retailer selling food and using a shrinkage definition that includes food spoilage will have a different level of loss compared to a retailer selling clothing or auto parts; yet, many shrinkage surveys continue to combine this data together to generate an overall figure for the industry. </p><p>To date, there is no consistent, detailed definition or typology of shrinkage. It is a term that is used throughout the industry, but interpreted in different ways depending on the retail environment and the prevailing organizational culture and practices.</p><p>There is a constant desire to understand what the root causes of shrinkage are: Is it mainly external thieves? 
Is it the staff employed by retailers helping themselves to the stock? Is it due to organizational inefficiencies? Or is it caused by retail suppliers wrongly delivering on purpose or through error?</p><p>Surveys will often provide numbers that supposedly apportion the total shrinkage losses to each of these types of losses, with external theft frequently—but not exclusively—seen as causing the largest amount. </p><p>The reality is that what these reported shrinkage numbers are actually measuring is what respondents think the causes of shrinkage might be. They are much more a gauge of how the loss prevention industry is feeling than any true measure of the breakdown of losses within the retail industry.</p><p>This is because the vast majority of current shrinkage data collected by retailers is based on periodic audit data collected in stores and sometimes in parts of the distribution network. This data captures the difference between the value of stock retailers think they have and the amount that can be physically counted. The difference between the two is how most companies measure their shrinkage.</p><p>But all this data does is provide a value of how much stock is not there. What it does not do is offer an explanation as to why it has gone missing: Was the stock delivered to the retailer? Did a customer steal it? Was it damaged or stolen in the supply chain? Did an employee steal it? </p><p>The causes could be many and varied, but what is clear is that audit data is rarely good at explaining why discrepancies exist; it simply captures the value of losses where the cause is unknown. 
Attempts to apportion causes to this data will always involve a high degree of guesswork and personal prejudice.</p><p>Retailing has gone through some profound changes since shrinkage was first used back in the 19th century, not least the introduction of open displays, the growth of branding, greater consumer choice, introduction of credit cards and debit cards, the rise of online shopping, and the widespread use of various types of self-service checkout systems, to name a few. </p><p>Yet, throughout this time of enormous change, the retail industry has continued to use a term that vaguely captures the difference between expected and actual stock values as the core measure of loss in their businesses.</p><p>Given this, it’s time to reconsider how retail companies understand and measure the losses they experience and to develop a more consistent approach to enable future benchmarking activities to offer more meaningful and applicable information.​</p><h4>Total Retail Loss<img src="/ASIS%20SM%20Callout%20Images/0417%20Cover%20Story%20Infographic.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:652px;" /></h4><p>Both the Retail Industry Leaders Association’s Asset Protection Leaders Council, based in the United States, and the ECR Community Shrinkage and On-shelf Availability Group, headquartered in Europe, supported a research project led by the author to explore how retailers currently view the problem of loss across their business and develop a new definition and typology that might better capture their impact. </p><p>The research, detailed in the report Beyond Shrinkage: Introducing Total Retail Loss, used several different methodologies: an extensive literature review; a questionnaire to a group of large European retailers; 100 face-to-face interviews with senior directors of 10 of the largest U.S. 
retailers; and a series of workshops and focus groups with loss prevention representatives from a range of European retailers and manufacturers.</p><p><strong>Loss versus cost. </strong>One of the difficulties of benchmarking any retail business using shrinkage is understanding what categories of retail loss are included or excluded. </p><p>Some companies taking part in this research adopted strict criteria: shrinkage is only the value of their unknown losses based upon the difference between expected and actual values; anything else is regarded as known and, therefore, not included in the calculation.</p><p>Other companies were much more inclusive, incorporating other types of loss ranging from damages, wastage, spoilage, and price markdowns to the costs of burglaries and robberies.</p><p>Part of this definitional variance seemed to be based on how respondents interpreted the difference between what could be considered a “loss” compared with a “cost,” the latter being viewed as an everyday planned and necessary expenditure for the business to achieve its profit goals. Respondents varied considerably in how they interpreted the difference, although many made a key distinction between the value of the outcome and how this differentiated costs from losses.</p><p>“Costs—they bring value to the business; they are incurred because there is a perceived positive purpose in having them. They are part of the revenue generation process and without them, profits would be negatively impacted,” one respondent said. “Losses are things which, if they didn’t happen, there would be no negative impact upon profitability. They do not offer any real value to the business and simply act as a drain on profitability.”</p><p>It was also instructive to hear how some respondents adopted a process of normalizing what some considered to be losses into costs. 
One respondent explained that “we plan a lot of those costs [possible types of losses], so when we’re looking at it from a planning perspective, we have that built in—anything that we can account for and process and know what it is, we take more so as a cost rather than a loss when we’re defining it.”</p><p>Another respondent talked about how the planning and budgeting process enabled many losses to be redefined as costs. “If it goes above budget, then it becomes a loss; otherwise it is a cost,” the individual explained, while another respondent was blunter: “We try and convert as much of [losses] to costs; it’s then not on my agenda anymore. I deal with shrink.”</p><p><strong>Definition. </strong>From the interviews with senior U.S. retail executives and feedback from the roundtables held in Europe, definitions of costs and losses were eventually developed.</p><p>Costs were defined as “expenditure on activities and investments that are considered to make some form of recognizable contribution to generating current or future retail income.”</p><p>Losses were defined as “events and outcomes that negatively impact retail profitability and make no positive, identifiable and intrinsic contribution to generating income.” Using these definitions, various types of events and activities could then begin to be categorized accordingly. </p><p>For example, incidents of customer theft can be considered a loss—the event and outcome play no intrinsic role in generating retail profits—because it makes no identifiable contribution and were it not to happen, the business would only benefit.</p><p>Alternatively, incidents of customer compensation, such as providing a disgruntled shopper with a discounted price, can be seen as a cost. In this case, the business is incurring the cost because it believes compensating the aggrieved consumer makes the individual more likely to shop with the business in the future. 
The policy of compensating is an investment in future profit generation and is categorized as a cost—not a loss.</p><p>Another example of a loss is workers’ compensation, where a retailer will cover the legal, medical, and other costs associated with an accident at work, such as falling off a ladder. There is no intrinsic value to the business if an employee is injured at work; if it had not happened, the business would only benefit by not having to pay for the consequences of the event. Therefore, workers’ compensation is a loss.</p><p>While some respondents to this research argued that workers’ compensation is a predictable problem that can be—and is—budgeted for, it still remains an event that the retailer would prefer not happen because it negatively impacts overall profitability.</p><p>In contrast, expenditure on loss prevention activities and approaches, such as employing security officers or installing tagging systems, can be seen as a cost. The retailer has committed to this expenditure because it feels there will be some form of payback from the investment: lower levels of loss, which in turn will boost profits. Whether this payback is measured or achieved is open to debate.</p><p>What these examples focus on is not whether an activity or event can be controlled or whether the incurred cost was planned, but its fundamental role in generating current or future retail income. If a clearly identifiable link can be made between an activity and the generation of retail income, then it should be regarded as a cost; all those activities and events where no link can be found should be viewed as a loss.</p><p><strong>Categorizing losses</strong>. In developing the categories of the Total Retail Loss Typology, it was important to draw a distinction between the types of loss that can be measured in a way that is manageable for modern retail business, and those that cannot. 
</p><p>Additionally, it was important to consider the value of collecting data on a given loss indicator. Is it meaningful for the business to monitor a category of loss? Will its analysis offer potentially actionable outcomes that may help the business meet its objectives?</p><p>There is little point in developing a typology made up of a series of categories that are either impossible or implausibly difficult to measure or once measured offer little benefit to the business undertaking the exercise.</p><p>For example, most retailers would be keen to understand how often items are not scanned at a checkout. While it is theoretically possible to measure this, the reality for most retailers is that the ongoing cost would probably be prohibitive. </p><p>Determining whether proposed loss categories met the three M’s test (manageable, measurable, and meaningful) was an important part of creating a typology likely to achieve any form of adoption across a broad range of retail formats.</p><p><strong>Typology.</strong> The research identified 31 types of known loss that are included in the Total Retail Loss Typology covering a wide range of losses across the retail enterprise and incorporating events and outcomes beyond just the loss of merchandise. The typology is broken down into four locations of loss: store, retail supply chain, e-commerce, and corporate. Each location then has a variety of subcategories divided between malicious and nonmalicious. </p><p>For example, a malicious corporate retail loss would be fraud; a nonmalicious corporate retail loss would be workers’ compensation, regulatory fines, or bad debt. </p><p>However, the term does not encompass every form of loss that a retailer could conceivably experience. 
The word “total” is being used in this context to represent a much broader and more detailed interpretation of what can be regarded as a retail loss, rather than necessarily claiming to reflect the entirety of events and activities that could constitute a loss. In the future, the scope and range of the Total Retail Loss Typology will change to accommodate new forms of loss, and this is welcomed.</p><p>The typology is designed to enable the calculation of the value of retail losses, not necessarily the number of events; where an associated value cannot be calculated or there is no loss of value associated with an incident, it should not be included.</p><p>For instance, if shop thieves are apprehended leaving a retail store and the goods they were attempting to steal are successfully recovered and can be sold at full value at a later date, there is no financial loss associated with the incident. The retailer may still want to record that the attempted theft took place and was successfully dealt with, but the incident would not be recorded in the Total Retail Loss Typology.</p><h4>Potential</h4><p>The proposed Total Retail Loss Typology is a radical departure from how most retail companies have understood and defined the problem of loss within their companies, moving away from a definition focused primarily on unknown stock loss to one that encompasses a broader range of risks across a wider spectrum of locations.</p><p>While there is a simple elegance about the approach adopted in the past, based upon the four traditional buckets of shrinkage, it is increasingly recognized that these broad brush and ambiguously defined categories are no longer capable of accurately capturing the increasingly complex risk picture now found in modern retailing. Instead, the Total Retail Loss Typology has the potential to benefit retail organizations by managing complexity, encouraging transparency, creating opportunities, and maximizing loss prevention.</p><p><strong>Managing complexity.</strong> The retail landscape in which shrinkage was first described has been transformed by innovation and change. Simply relying upon the traditional four buckets of estimated losses to fully reflect and properly convey the scale, nature, and impact of retail losses is no longer appropriate, particularly as the retail environment becomes more dynamic and fast changing.</p><p><strong>Encouraging transparency.</strong> The ambiguous nature of most shrinkage calculations and the difficulty of understanding its root causes generate a lack of accountability, particularly within retail stores.</p><p>Store managers question the reliability of the number, especially where there is a pervasive sense that the supply chain may be foisting losses upon stores that are actually caused by inefficiencies. Unknown store losses can conveniently be blamed upon short shipments or roaming bands of organized thieves, rather than being apportioned to actual events taking place in the store.</p><p>Losses can also be moved between different categories, depending upon the performance measures in place—wastage can quickly become shrinkage if the former is identified as a key performance indicator.</p><p>By measuring a broader range of categories of loss, it becomes much more difficult to play this game; most losses will be measured somewhere, improving transparency and accountability throughout the organization.</p><p><strong>Creating opportunities.</strong> A recurring theme from the research was the lack of prioritization and urgency associated with categories of loss that had already been measured or for which a budget had been allocated.</p><p>Many respondents were quick to view these factors as a cost and, therefore, as not requiring any remedial action by the business.
In effect, the process of capturing the loss or planning for it through budget allocation rendered them immune from concern over the actual loss.</p><p>By adopting a systematic approach and agreeing on the definition of a retail loss and bringing these together under a single typology, opportunities may arise to minimize the overall impact of loss upon the business.</p><p><strong>Maximizing loss prevention.</strong> Dealing with an unknown loss, which is what most loss prevention practitioners typically focus on, is probably one of the hardest challenges faced by a management team in retail. This requires the team to develop a high level of analytical and problem solving capacity.</p><p>Trying to solve problems where the cause is typically unknown is also at the hard end of the management spectrum. It requires creative thinking, imaginative use of data, and considerable experience. Imagine if these capabilities were used on the broader range of known problems encapsulated in the Total Retail Loss Typology. The impact could be profound.</p><p><strong>Using resources. </strong>By generating a broader, more detailed understanding of how losses are impacting a retail organization, it may be possible to take a more strategic approach to the allocation and use of existing resources.</p><p>The Total Retail Loss Typology could offer value in how businesses not only respond to existing loss-related challenges, but also use it to review the implication of any future business decisions. 
</p><p>The interplay between sales and losses needs to be viewed in the round and not as a series of cross-functional trade-offs where losses and profits are allocated separately, driving behaviors that are unlikely to benefit the business.</p><p>It’s within this context that the Total Retail Loss Typology has been developed—to enable retail organizations to better understand the nature, scale, and extent of losses across the entire business, and to use this information to make more informed choices about how to grow profits and improve customer satisfaction.</p><p>As the pace of change in retail continues to intensify, it’s time for the loss prevention industry to begin to move away from a notion of loss developed in the 19th century to one that better reflects and recognizes the complexities and challenges found in the 21st century.</p><p><em><strong>Adrian Beck</strong> is a professor of criminology in the Department of Criminology at the University of Leicester in Leicester, United Kingdom. Beck undertook the study Beyond Shrinkage: Introducing Total Retail Loss commissioned by the Retail Industry Leaders Association’s Asset Protection Leaders Council and is an academic advisor to the ECR Community Shrinkage and On-Shelf Availability Group.</em></p>
https://sm.asisonline.org/Pages/ERM-Best-Practices.aspx
ERM Best Practices | Strategic Security
<p>With the rise of Enterprise Risk Management (ERM) programs in the security field, some leaders are on the hunt for ERM best practice guidance resources. One recent report, courtesy of the U.S. government, contains guidance that may be applicable to private sector security operations.</p><p>Last year, the U.S. Office of Management and Budget (OMB) called on federal agencies to implement ERM so that federal managers could more effectively manage risks that could affect agency strategic objectives. Given OMB’s call, the U.S. Government Accountability Office decided to update the government’s risk management framework and identify good practices that some agencies have been using.</p><p>The new report, <em>Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk,</em> identifies six components of successful ERM programs, and then describes best practices that apply to each.</p><p>The six components and their best practices are as follows:</p><p><strong>Element One: Align the ERM process to goals and objectives.</strong></p><p>Senior leaders are fully engaged and committed to the ERM process, and they support how ERM contributes to the agency’s goal-setting process. This engagement helps demonstrate the importance of ERM to agency staff.</p><p><strong>Element Two: Identify risks.</strong></p><p>Successful agencies develop an organizational “risk-informed” culture in which employees are encouraged to identify and discuss risks openly.
This openness is critical to ERM success.</p><p><strong>Element Three: Assess risks.</strong></p><p>Successful agencies can integrate prioritized risk assessments into their strategic planning and organizational performance management processes. This integration of risk assessments helps improve the budget process, resource allocation planning, and other aspects of operations.</p><p><strong>Element Four: Select risk response.</strong></p><p>Successful agencies establish an ERM program that is customized to fit their particular operations. Once established, risk factors are regularly considered, and leaders select the risk response that is most appropriate for the structure and the culture of the agency.</p><p><strong>Element Five: Monitor risks.</strong></p><p>Successful agencies are able to continuously manage risk by conducting the ERM reviews on a regular basis. Leaders also monitor the selected risk response with performance indicators that allow the agency to track results and the response’s impact on the mission. Leaders can then determine if the risk response is successful or if it requires additional actions.</p><p><strong>Element Six: Communicate and report on risks.</strong></p><p>Sharing risk information and incorporating feedback from internal and external stakeholders helps organizations better identify and manage risks. It also increases transparency and accountability to Congress and taxpayers.</p>
https://sm.asisonline.org/Pages/ASIS-News-April-2017.aspx
ASIS News April 2017 | Security by Industry
<h4>Volunteers Plan for the Future</h4><p>More than 250 ASIS International volunteer leaders from across the globe gathered in Arlington, Virginia, for the January leadership meetings and strategic planning workshop. The program launched with member awards, followed by an organizational update from CEO Peter J. O’Neil, CAE. He explained the changes taking place to better align staff and technology investments with organizational priorities.</p><p>The workshop component of the program opened with a discussion on the Society’s new strategic plan. Attendees broke into working groups to provide input on aligning their volunteer areas of work with the new plan. Many innovative ideas emerged and results are being used by ASIS staff and the Board of Directors to shape deliverables and metrics. At the end of the day, attendees and HQ staff came together for fun-filled, sports pub-themed networking.</p><p>“The opportunity to collaborate with ASIS staff and the Board of Directors, have concerns heard, and be involved in developing solutions for change was an unparalleled volunteer leadership experience that was on point, transparent, and highly appreciated,” said Senior Regional Vice President Jeffrey A. Slotnick, CPP, PSP. “The Sports Night was a terrific end to a full day of camaraderie and information sharing.”</p><p>Day two included the annual business meeting address to the membership from ASIS President Thomas J.
Langer, CPP, who noted that the past two years have been “the stage setting and execution years for the Society’s refreshed direction.” He recapped past-year milestones, citing new leadership at headquarters, a renewed focus on member value, new strategic priorities (including ESRM and comprehensive mobile access to Society programs and services), and increased global growth and inclusion so all members can reap the full rewards of their membership. He noted that the board has addressed many tough realities—both financial and structural—and is fully aligned with the Society’s path forward. “In 2017, expect to see positive changes in member engagement, website design and experience, educational offerings and learning formats, and more responsiveness to chapters, councils, and regions.” Go to www.asisonline.org/volunteer to listen to Langer’s full address.</p><p>The program wrapped up with the Society’s first town hall of 2017, an interactive Q&A between volunteer leaders, board members, and ASIS executive leadership. The positive response from this exchange continued with the launch of bimonthly virtual town halls beginning in March. Share your thoughts on the Society’s new direction via email to asisfuture@asisonline.org.</p><h4>ASIS 2017: WHAT’S NEW? </h4><p>Get ready to experience the best in security networking, education, and technology. The ASIS International 63rd Annual Seminar and Exhibits (ASIS 2017) is coming to Dallas, Texas, September 25–28.</p><p>The finest global security event in the industry is getting better. Some events will be expanded and new ones will be launched. The calendar is shifting some popular activities to new times. These changes will lay the foundation for what is sure to remain an outstanding event for years to come. 
</p><p>Some of what’s new for 2017 includes:</p><p><strong>New hours for exhibits.</strong> Expo days will shift from the traditional Monday through Wednesday schedule to Tuesday through Thursday, creating more noncompeting hours so attendees can maximize their educational and networking experiences. Tuesday and Wednesday, the exhibit hall will be open from 10:00 am to 5:30 pm; Thursday’s hours are 10:00 am to 1:00 pm.</p><p><strong>Opening night celebration.</strong> Join peers and colleagues from around the globe and across the profession to kick off ASIS 2017 on Sunday, September 24, with a big Texas welcome. Mechanical bull riding, armadillo races, good food, live music...you’ll find it all at the ASIS 2017 Opening Night Celebration. This event, which will be held from 7:00 pm to 10:00 pm, was formerly known as the Welcome Reception.</p><p><strong>ASIS Happy Hour.</strong> Connect with peers and clients on Tuesday, September 26, from 4:30 pm to 5:30 pm. This gathering, which will be held in the exhibit hall, is designed to help you learn more about a wide range of security solutions and innovations.</p><p><strong>President’s Reception.</strong> This event is moving from Monday night to Wednesday night. It is always one of the most anticipated events at Seminar—and this year will be no different! Be sure to stay in town for this one-of-a-kind experience.</p><p><strong>New educational offerings.</strong> Watch for new learning formats, plus more education on the exhibit hall floor. Visit www.securityexpo.org for the latest announcements and updates. Use #ASIS17 on Facebook and Twitter to connect with ASIS show management staff, exhibitors, and fellow attendees.</p><h4>NEW CHAIR OF THE S&G COMMISSION</h4><p>For the first time in a decade, the ASIS International Standards and Guidelines (S&G) Commission has a new chairman. Michael Knoke, CPP, takes on the role vacated by F. Mark Geraci, CPP, at the start of 2017. Serving alongside Knoke is Vice Chair Bernard Greenawalt, CPP.
The Commission has a full plate in the year ahead, including the upcoming release of the Security and Resilience in Organizations and their Supply Chain Standard. In addition, work is well underway on a joint ASIS/(ISC)2/ISACA Security Awareness Standard and a Private Security Officer Selection and Training Standard. Keep current on S&G news and activities at www.asisonline.org/standards. </p><h4>CSO SUMMIT</h4><p>Nearly 75 senior security executives from across the globe are expected to attend the 10th Annual CSO Summit April 23–25 at the Ritz Carlton at Pentagon City in Arlington, Virginia. The high-level program features sessions on cyber risk, community stakeholder engagement, and metrics for the C-suite. Attendees will also get a behind-the-scenes tour of the U.S. Capitol and gain insights on public-private partnerships from event keynoter John Walsh, who created the television program America’s Most Wanted and now anchors The Hunt with John Walsh on CNN. Summit updates can be found on the CSO Center website, www.cso.asisonline.org.</p><h4>Member Book Review</h4><p><em>Managing Critical Incidents and Large-Scale Event Security</em>. By Eloy Nuñez and Ernest G. Vendrell. Published by CRC Press; 314 pages, $89.95. </p><p>Examining case studies and after-action reports for valuable lessons, <em>Managing Critical Incidents and Large-Scale Event Security</em> provides a timely resource for understanding effective critical incident management. Effectively conveying their knowledge and experience, the authors use vignettes to provide real-world examples of hurricane response planning and recovery; planning and post-action events for several Super Bowls; and responses to various riots and other incidents from the 1980s to 2015. 
While walking the reader through known and familiar concepts and practices, Nuñez and Vendrell deliver a fresh perspective on successful critical incident management, explaining how to attain fiscal resources for planning, exercising, executing, and recovering from security events.</p><p>The authors challenge Federal Emergency Management Agency (FEMA) precepts of four phases of critical incident management. Advocating for a three-phase model, Nuñez and Vendrell suggest that mitigation is intrinsic throughout all stages and therefore is not a phase in and of itself. Throughout the text, the authors advocate for mitigation during the preparedness, response, and recovery phases of critical incident management.</p><p>Written with the critical incident manager in mind, the book delivers sound advice, providing readers with several checklists for effective training and management of such events. Managing Critical Incidents is ideal as a go-to reference for incident managers, as well as a valuable textbook for instructing future practitioners.</p><p><em><strong>Reviewer: Dr. Will Morrison, CPP, </strong>is a security management professional with more than 35 years of service in the U.S. federal government that includes work in national and homeland security. He has been a member of ASIS International since 2004.</em></p><h4>Lifetime Members</h4><p>The ASIS Board of Directors granted life membership to the following individuals:</p><p>• Ira M. Weiss, CPP</p><p>• Thomas M. Seamon, CPP</p><p>• Brian N. Goldsworthy, CPP</p><p>• Robert C. Anderton, CPP</p><p>• Richard F. Williams, CPP</p><h4>Lifetime Certificants</h4><p>Congratulations to the following security professionals who have achieved lifetime certification status:</p><p>• James V. Clarke, CPP</p><p>• John W. Collins, Jr., CPP</p><p>• Harold F. Crawford, CPP</p><p>• Daniel R. Devine, CPP</p><p>• Richard C. Hofmann, CPP</p><p>• Lester E. McFarland, CPP</p><p>• Margaret Nix, CPP</p><p>• Michael J. 
Pepe, CPP</p><p>• Robert W. Riley, CPP</p><p>• Fergus P. Ross, CPP</p><p>• Dennis J. Urban, CPP</p><p>• Jose Luis Zepeda, CPP ​</p>
https://sm.asisonline.org/Pages/Communal-Protection.aspx
Communal Protection | National Security
<p>Domestic terror attack targets are usually not chosen at random, and some populations are targeted more than others. Of all religious groups, Jews continue to be the most targeted in the United States, according to the findings of a new report.</p><p>The report, Terrorist Incidents and Attacks Against Jews and Israelis in the United States, 1969-2016, examines the FBI’s annual hate crimes report for the years under study. For example, in 2015, 1,354 hate crimes were recorded in the report. Of those, 695 incidents, or 51 percent, targeted Jews. “This is a consistent finding of the FBI report over many years,” writes the report’s author, counterterrorism expert Yehudit Barsky.</p><p>Going deeper, the report catalogs 104 incidents in 2015 to better characterize the attacks. The majority, 51 percent, targeted synagogues, followed by community institutions (14 percent), Jewish persons (13 percent), and educational institutions (10 percent). In terms of means of attack, arson, shootings, and explosive devices were used in about equal frequency.</p><p>Year-over-year, the total number of attacks has been declining, but they have been increasing in severity. “Recent incidents have been increasingly lethal and have…claimed many more victims,” Barsky writes.</p><p>And the threat has been revived several times in the last few years. In October 2015, the Islamic State (ISIS) militant group directed its followers worldwide to kill Jews.
ISIS’ Al-Masra Foundation issued a video, The Slaughter of the Jews, which called for followers to “Stab the Jew with a knife or run over him with a car; poison him; bring back explosives, the [use of] explosive belts and IEDs; burn their faces and their houses.”</p><p>Then in 2016, ISIS published an article in its Al-Naba publication that called for followers to help Palestinian Muslims by fighting Jews around the world: “killing them, destroying their property, and harming their interests in any way they can.”</p><p>The report also includes some lessons learned and related recommendations for future security. Jewish targets sometimes serve as precursors to larger attacks. The perpetrators of the 1993 World Trade Center bombing, for example, were previously involved in anti-Jewish attacks. </p><p>And in many of the incidents, the attackers conducted preoperational surveillance. For example, in 2014, neo-Nazi Frazier Glenn Miller carried out preoperational surveillance at two Jewish organizations that he later attacked. </p><p>“This phase of a typical attack cycle is the most likely point for detection, and thus recognizing it can avert or minimize an impending attack,” Barsky writes. “Training and engagement of community members is thus essential.” </p><p>While the U.S. Department of Homeland Security announced that it would step up efforts to support Jewish communities, others are working at the grassroots. </p><p>For example, the concept of the training and engagement of community members is at the heart of operations at Community Security Service (CSS), the nonprofit group that sponsored the report and whose mission is the protection of the people, institutions, and events of the American Jewish community. CSS started in 2007 with a small group of volunteers. It now has more than 3,500. 
</p><p>“The differentiator is—it is an entirely volunteer organization,” says Don Aviv, CPP, PCI, PSP, who is COO and director of physical security at Interfor International and a founding member of CSS. Aviv is also vice chairman of the ASIS International Security Services Council.</p><p>CSS serves as a security partner for various Jewish institutions and events, ranging from the National Menorah lighting in Washington, D.C., to an annual sit-down dinner of roughly 6,000 rabbis held in conjunction with a religious conference in Brooklyn. CSS also helps protect smaller events such as weekly services and Shabbat dinners across the country, according to Jason Friedman, the executive director of CSS, who is also an attorney and U.S. Navy officer.</p><p>The founding philosophy of CSS is that security should be rooted within the community. “The idea was, no one can protect your community better than yourself,” Aviv says. And so volunteers from the community are trained in the basics of security, including practices such as recognizing threats and devising a system to report threats or other incidents.</p><p>The training includes aspects like scenario-based exercises and helping volunteers maintain a higher level of security awareness by checking their surroundings daily. An important component is helping volunteers develop a level of comfort with being part of the security effort. “It comes down to motivating the individual member to be a part of their community” in an “empowering and enfranchising” way, Aviv says.</p><p>Community members are treated as partners in security to be worked with, not as people to be ordered around by those leading the security effort. “We don’t enter into a community without being invited. We’re not forcing our way in,” Aviv explains.</p><p>The other key aspect of CSS’s model is that security is achieved through a partnership among community members and volunteers, contract security, and law enforcement.
This is accomplished through training and by building up a framework of interaction for all stakeholders.</p><p>For example, community members are advised that, if they decide to use contract security, they should not just hire security officers and then walk away and expect them to take care of everything: “You’re putting too many expectations on their shoulders,” Friedman says. Instead, by working with them, the community will receive a better return on its investment. </p><p>Similarly, volunteers embedded in the community will communicate with law enforcement officers, so that the officers know the community’s concerns and issues and do not have to “parachute in” blindly. “We’re a force multiplier for federal and local law enforcement,” Aviv says.  </p><p>While CSS is dedicated to protecting the Jewish community, its cooperative community-based model of security is replicable for use by other populations as well, Aviv says. “At the end of the day, the threats facing us are similar to those facing other groups,” he says. ​</p>
https://sm.asisonline.org/Pages/Perception-Versus-Reality.aspx
Perception Versus Reality | National Security
<p>Terrorism rates dropped in 2015 for the first time in five years, but fears of violent extremism have continued to grow, new reports show. Approximately 82 percent of people polled around the world see the threat of violent extremism increasing in their country, according to the Center for Strategic and International Studies. And while deaths caused by terrorism fell 10 percent overall from 2014, countries in the Organisation for Economic Co-operation and Development (OECD)—including Denmark, France, Germany, Sweden, and Turkey—saw a 650 percent increase in terrorism-related deaths, according to the Institute for Economics and Peace’s Global Terrorism Index.</p><p>This redistribution of terrorist activity, along with less-organized but equally lethal homegrown extremist-style attacks, has kept fears of terrorist attacks high around the world, experts say. According to data from the National Consortium for the Study of Terrorism and Responses to Terrorism (START), the concerns of U.S. citizens when it comes to terrorism have not declined much since the September 11, 2001, attacks. Security Management spoke to Gary LaFree, director of START, to gain insight on these reports.</p><p>“We tracked a decline in worldwide attacks between 2014 and 2015, with fatalities and ISIS attacks reducing,” says LaFree. “You want to say that’s good news, but at the same time, we found there was a terrorist attack somewhere in the world every single day of 2015. You can interpret these statistics in a lot of different ways.
It’s pretty easy to get the sense that we’re awash in terrorism, even though it’s still a relatively rare event [in the United States].” </p><p>LaFree tells Security Management that there are many different ways to interpret terrorism trends and the public’s resilience to attacks. On the one hand, he says, one of the goals of terrorism is to frighten and divide citizens, and, as his data shows, the public still thinks about terrorism almost as much as it did in the months after 9/11. However, LaFree says that citizens are more willing to report suspicious activity and be more engaged with the government overall due to their fears.</p><p>“What the data shows is a fairly high level of concern, still, now that we’re more than 15 years from 9/11,” LaFree says. “That has not dissipated. People really are still concerned about terrorist attacks.”</p><p>In 2012, START conducted a survey of more than 1,500 Americans on what LaFree calls “a barometer of how the public was feeling about terrorism.” START found that 15 percent of respondents thought about terrorism at least once a week—significantly higher than those who thought about hospitalization or violent crime victimization—and as part of the survey methodology, the organization planned to conduct three more waves of surveys to track changes in attitude.</p><p>But following the April 15, 2013, Boston Marathon bombings, where two homemade bombs killed three people and injured several hundred others, START realized it had a baseline of behavior before the attack and could leverage that in its ongoing research. “Events in Boston provided us with an unexpected opportunity to examine how public attitudes toward terrorism and counterterrorism policies in the United States changed before and after an actual terrorist attack,” noted one of the resulting reports, U.S. Attitudes toward Terrorism and Counterterrorism before and after the April 2013 Boston Marathon Bombings. 
</p><p>Surprisingly, the surveys found that many of the attitudes sampled in 2012—such as the frequency at which people thought about terrorist attacks or the likelihood of an attack in respondents’ own communities—did not change after the bombings. Significant changes included a higher percentage of people who believed a terrorist attack could happen on U.S. soil; a decrease in those who thought the government could effectively prevent terrorism; and a willingness to call the police in situations relating to terrorism.</p><p>LaFree says that START continued the surveys to understand how an attack on American soil might affect citizens’ attitudes towards terrorism, including the lasting desire to cooperate with the government when it comes to terrorist threats. </p><p>“What happens with the public is they get more concerned about terrorism when there’s a high-profile event, and they also report greater willingness to cooperate with federal officials to prevent further attacks,” LaFree explains. “That however dissipates over time—the longer you get away from a big attack, the less likely they are to see that, so the original change that’s produced disappears. What’s interesting is that their knowledge of the system doesn’t change over time—they continue looking for information to inform themselves, and that part they keep long after the attack.”</p><p>Despite the sustained public mindfulness of terrorism since 2001, LaFree says that he is heartened by the public’s ability to work with officials while knowing where to draw the line.</p><p>“After Boston, respondents were more likely to say they would cooperate with police and government officials, but they didn’t give carte blanche either,” LaFree explains. “A lot of people said they would report people that look suspicious with regard to bombmaking, but only a tiny minority said they would report someone who had terrorist literature in their possession. 
We drilled down on those questions, and they said, ‘well this is America, we have freedom to read what we want to read, and it’s not against the law.’ Even their responses in the aggregate were pretty reasonable.”</p><p>While terrorism deaths declined in 2015 for the first time since 2010, it was still the second-deadliest year since 2000, with terrorism claiming the lives of 29,376 people. However, 72 percent of the deaths occurred in five countries: Iraq, Afghanistan, Nigeria, Pakistan, and Syria. But the leap in high-profile terrorism-related deaths in OECD countries, including attacks on Charlie Hebdo in France, a museum in Tunisia, a bombing in Baghdad during Ramadan, and the coordinated attacks on soft targets in Paris, combined with the increased prevalence of social media makes it hard to keep today’s terrorism in perspective. </p><p>“Public opinion in the United States can now be affected by events that happen halfway around the world,” LaFree notes. “The interconnectedness of the United States has really changed, and that probably contributes to the public’s perception of this drumbeat of terrorism.”</p><p>In reality, terrorism-related deaths in the United States are historically low, compared to the 1970s, according to the START global terrorism database. The U.S. rates of terrorism are inversely related to world rates, which have continued to go up since 9/11. </p><p>While LaFree says he doesn’t think the public is being overly concerned, there is a more existential aspect to the sustained level of fear. </p><p>“Your chances of dying from lots of other things are much greater than terrorism, and that’s where we started this conversation,” LaFree states. 
“What we’re arguing is we need to stay vigilant and do a good job of protecting ourselves from the most serious threats, but we also need to realize that thus far in the history of terrorism, we haven’t faced existential threats of the nature we faced during the Cold War and nuclear annihilation. It’s not a very flashy message if you think about it, but it’s as truthful as I think we can be.”</p>
https://sm.asisonline.org/Pages/Cyber-War-Games.aspx
Cyber War Games | Cybersecurity
<p>In the chaos of World War II, the U.S. Information Agency began a German radio broadcast to counter Nazi propaganda. The Voice of America (VOA) was designed to promote American values abroad, and after the end of the war, the United States enacted the Smith–Mundt Act to continue its broadcasts during peace time.</p><p>During the Cold War, VOA took on a new target—Soviet propaganda—and concentrated its message on communist nations in eastern and central Europe. By 1953, VOA was broadcasting 3,200 programs in 40 languages every week.</p><p>And America was not alone. The Soviet Union soon began adopting similar technology, attempting to influence elections through radio broadcasts, campaign funding, and recruitment efforts. In the 1970s, for example, during a U.S. presidential race, the Soviet KGB recruited a U.S. Democratic party activist to report on Democrat Jimmy Carter’s campaign and foreign policy plans.</p><p>Fast-forward to the present, when influence is no longer restricted to radio broadcasts or recruiting covert agents; it’s now being conducted on social media by nation-states. In an unprecedented unclassified report, the U.S. intelligence community detailed Russia’s most recent efforts to influence the 2016 U.S. presidential election in favor of candidate and eventual president Donald Trump.</p><p>The report, crafted by the U.S. National Security Agency (NSA), the CIA, and the FBI, and released by the U.S. Office of the Director of National Intelligence, found that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election.</p><p>Putin’s goals, according to the report, were to undermine public faith in the U.S. democratic process, denigrate Democratic candidate former U.S.
Secretary of State Hillary Clinton, and harm her electability and potential presidency.</p><p>“In trying to influence the U.S. election, we assess the Kremlin sought to advance its longstanding desire to undermine the U.S.-led liberal democratic order, the promotion of which Putin and other senior Russian leaders view as a threat to Russia and Putin’s regime,” the report explained.</p><p>To carry out this influence campaign, Russia used a messaging strategy that blended covert intelligence operations with overt efforts by Russian government agencies, state-funded media, third-party intermediaries, and paid social media users—known as trolls.</p><p>“The Kremlin’s campaign aimed at the U.S. election featured disclosures of data obtained through Russian cyber operations; intrusions into U.S. state and local electoral boards; and overt propaganda,” the report added. “Russian intelligence collection both informed and enabled the influence campaign.”</p><p>For instance, in July 2015 Russian intelligence organizations gained access to the U.S. Democratic National Committee’s (DNC’s) networks and maintained access to them until June 2016. Using this access, Russia’s General Staff Main Intelligence Directorate (GRU) compromised the personal email accounts of Democratic Party officials and political figures, including Clinton’s campaign chair, John Podesta. </p><p>Then, under the alias Guccifer 2.0, the GRU leaked those emails to DCLeaks.com and WikiLeaks, which shared information with RT—the Kremlin’s principal international propaganda outlet, which has more than 4 million Likes on Facebook and 2 million followers on Twitter. </p><p>“Russia’s state-run propaganda machine…contributed to the influence campaign by serving as a platform for Kremlin messaging to Russian and international audiences,” according to the report. “State-owned Russian media made increasingly favorable comments about President-elect Trump as the 2016 U.S. 
general and primary election campaigns progressed, while consistently offering negative coverage of Secretary Clinton.”</p><p>For instance, Russian media began to call Trump’s impending victory a “vindication of Putin’s advocacy of global populist movements” and the “latest example of Western liberalism’s collapse.”</p><p>Millions of people viewed these articles and shared them on social media, spreading them among U.S. voters. The U.S. intelligence community did not conduct opinion polls to see how Russian propaganda influenced voting behavior, said former Director of National Intelligence James Clapper in a Senate hearing. But he did reinforce the report’s assessment that Russia will apply lessons it learned from the campaign to future efforts to influence the United States and its allies.</p><p>And, because Americans elected Trump in the 2016 election, Russia is likely to view its influence campaign as a success and continue using similar methods to influence future elections.</p><p>“Putin’s public views of the disclosures suggest the Kremlin and the intelligence services will continue to consider using cyber-enabled disclosure operations because of their belief that these can accomplish Russian goals relatively easily without significant damage to Russian interests,” the report said.</p><p>Putin may hold this view because the United States responded to the influence campaign through targeted sanctions. One week before the U.S. intelligence community’s report was released, former U.S. President Barack Obama sanctioned two Russian intelligence services, four individual intelligence service officers, and three companies that provided material support to the Russian intelligence service’s cyber operations.</p><p>The U.S. Department of the Treasury also sanctioned two Russian individuals for using cyber-enabled means to misappropriate funds and steal personal identifying information. The U.S. 
Department of State also shut down two Russian compounds in Maryland and New York that were used by Russia for intelligence purposes, and declared 35 Russian intelligence operatives “persona non-grata.”</p><p>“These actions are not the sum total of our response to Russia’s aggressive activities,” Obama said in a statement. “We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.”</p><p>While some experts are not surprised by Russia’s actions, one expert has said he was surprised at Russia’s willingness to engage in a disruptive cyberattack against U.S. institutions. </p><p>Adam Segal, Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, published The Hacked World Order at the beginning of 2016, saying that he thought states on the periphery—Estonia, Georgia, and Ukraine—would conduct disruptive attacks on each other, but that major nation-states would not.</p><p>“Clearly, I underestimated the willingness of Russia to use disruptive attacks on the United States,” Segal said at an event hosted by the American Bar Association in January. “I never considered disruptive attacks on the United States focused on institutions, even though I thought those might be the most vulnerable to attacks in the future.”</p><p>Disruptive attacks, like the Russian influence campaign, will be a difficult area for the Trump administration moving forward, especially based on the U.S. response to the activity. </p><p>Segal, who had just returned from China before speaking at the event, said that the Chinese “seem to see no deterrent value” in the U.S. response to Russia and that the response needed to be stronger to send a clear message not just to Russia, but to other adversaries who might try something similar.</p><p>That message was further muddled when just weeks into Trump’s presidency, the U.S. 
Department of the Treasury eased sanctions to end a ban on selling information technology products to Russia. The ban was originally put in place by Obama in 2015 in response to alleged “malicious cyber-enabled activities” by Russia’s security service in the U.S. electoral process.</p><p>Despite the deficient response to the disruptive attack, however, Segal said he still thinks that Russia and China are unlikely to use destructive cyberattacks against the United States—such as targeting critical infrastructure and causing damage—unless their national interests are threatened.</p><p>“The Chinese definition of core interests is unfortunately expanding,” Segal said. “But the Chinese know that the United States is going to attribute an attack to them, so they have to be ready for escalation.”</p><p> An escalation of destructive cyberattacks is something Leo Taddeo, former special agent in charge of the FBI’s New York Cybercrime Office and current CSO of Cryptzone, a network security and compliance software provider, says he sees happening in 2017. In an interview with <em>Security Management</em>, Taddeo says he sees nation-states—including the United States—taking a more aggressive position on international cybersecurity, leading to a cyber escalation between nation-states.</p><p>The U.S. public has an “appetite for more aggressive cyberactivity” and for “striking back” against those who conduct cyberattacks against American interests, according to Taddeo.</p><p>However, Taddeo says he is concerned that the U.S. private sector will be caught in the crossfire of this escalation involving the United States, Russia, China, and possibly Iran, when banks, power companies, and other critical infrastructure—largely controlled by the private sector in the United States—are targeted. </p><p>“The Russians don’t have that problem as much as the United States does because Russia is more autocratic,” Taddeo adds. 
“The private sector there doesn’t complain without permission from the regime and can tolerate more in a crisis.”</p><p>Those attack methods are also likely to trickle down to regional conflicts between nation-states with less cyber prowess, such as India and Pakistan. For instance, Taddeo says to look at the attack on the Bank of Bangladesh in 2016 when hackers stole $81 million. </p><p>“That type of attack may have been committed by a nation-state to obtain much needed cash resources or to embarrass a smaller state,” Taddeo says. “I think we’ll see more types of cyber conflict…some adopted by nation-states, some by super powers, but with all of these different tools becoming part of the arsenal.”</p><p>Taddeo adds that, with today’s technological advances and hacking services for hire, it doesn’t take a great deal of expertise to steal information and share it with organizations like WikiLeaks.</p><p>Either way, Taddeo says the “genie is out of the bottle” and actors and nation-states are now using cyber methods to conduct influence campaigns for strategic goals. </p><p>For the Kremlin, this includes gathering information and attempting to influence public—and government—opinion via social media in favor of Russia.</p><p>“Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting U.S. government employees and individuals associated with U.S. think tanks and NGOs in national security, defense, and foreign policy fields,” the U.S. intelligence report said. “This campaign could provide material for future influence efforts, as well as foreign intelligence collection on the incoming administration’s goals and plans.”   ​</p>
https://sm.asisonline.org/Pages/Access-and-IRIS-Scans.aspx
Access and Iris Scans
Category: Physical Security
<p>Next time you fly the friendly skies and take a bite of your airline-provided meal, you may be eating food prepared by Gate Gourmet, a global provider of airline catering and services, which has approximately 130 locations in 28 countries.</p><p>“There’s a great deal of skill and care that goes into producing the food that we provide to our customers,” says Richard Newman, director of corporate security at Gate Gourmet for the United States and Canada. “It’s important to Gate Gourmet that we deliver the highest quality product that we can, in the safest way we can.”</p><p>With approximately 25 catering facilities nationwide, Gate Gourmet serves airline clients that fly out of major U.S. airports.</p><p>One of Gate Gourmet’s larger facilities is located at the Washington Dulles International Airport near Washington, D.C. Employees at the location produce 18,000 to 25,000 meals a day, depending on the season.</p><p>“The busiest fast food restaurant you can think of probably does about 8,000 meals a day,” Newman says. “We’re doing three to four times that just out of the Dulles kitchen.”</p><p>Who gains access to Gate Gourmet facilities is crucial. “As part of a layered approach to security, it’s important that we make sure that the people that are supposed to be on the inside can get inside, and the people that aren’t, don’t,” Newman says. <img src="/ASIS%20SM%20Callout%20Images/0417%20Case%20Study%20Stats.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;width:505px;" /></p><p>Beyond protecting its product and the customers it serves, Newman adds that the U.S. Transportation Security Administration (TSA) has its own security guidelines Gate Gourmet must adhere to.
</p><p>“Because we’re in the aviation industry—and there is a layer of security that the industry puts on everything that goes on an airplane—those rules apply to us as well,” he explains.  </p><p>The operation at a Gate Gourmet kitchen is complex, Newman says. It includes preparing the meals, packing them onto trucks, and delivering them directly to the airplanes and the flight attendants who will ultimately serve the food. </p><p>“When the trucks come back from the airfield, they’ll bring the carts that have the dirty dishes into the kitchen, then we go through the dishwashing process, wash the equipment, and then the whole process starts again,” he says.</p><p>To monitor the employees coming in and out of work, Gate Gourmet had been using hand geometry at its Washington Dulles location. With this biometric technology, a user places his or her hand over a scanner that measures the shape of the palm. </p><p>While the palm method was effective at identifying employees, it wasn’t necessarily efficient for the company. “We wanted to move into something that was faster, easier, and touch-free,” Newman notes.</p><p>In 2013, Gate Gourmet was on the lookout for a new biometric access control solution, and came across the iCAM iris reader from Iris ID at that year’s ASIS International Seminar and Exhibits in Chicago. “I saw their booth at the convention; they gave me a demonstration, and I was impressed,” Newman explains. </p><p>The Iris ID iCAM is a black rectangular box that mounts to the wall with a built-in camera that measures the iris. When a user approaches the scanner, it adjusts to their height; once it enrolls a user, the technology will automatically return to that setting when the employee uses it again. The viewfinder can also be manually adjusted.</p><p> “For many people it can take the picture and recognize your eyes through your glasses, through your contact lenses—that’s helpful to us,” Newman adds. 
</p><p>When the system is ready for enrollment and iris capture, a user walks up to the reader, standing about an arm’s length away, and a yellow light appears. Once the administrator presses the enroll button, and the user has the camera properly centered on the bridge of his or her nose, the light turns green. The technology also has an automated voiceover that guides the user through the process. </p><p>Once the iris is properly captured, the administrator adds the rest of the enrollee’s information and registers them as a user in the system. “There’s actually not a photograph stored; it’s all reduced to a code through an algorithm and stored in a database,” Newman explains.</p><p>The company evaluated four different solutions from vendors to replace the palm scanner. After narrowing it down to two technologies, including Iris ID’s iCAM, Gate Gourmet began pilot testing the products in February 2014 at Washington Dulles. During the testing, which lasted for two months, the company deployed one technology at the entrance where employees report to work and another at the exit where they leave the premises. </p><p>Gate Gourmet was impressed with the speed of the iCAM, as well as with the price point, which was similar to the palm technology already in place. Newman found that enrollment takes a matter of minutes, and daily use is even faster. </p><p>“It takes one or two seconds to check an employee in, which is four times as fast as the technology it’s replacing,” Newman notes. </p><p>He adds that iris identification results in fewer false positives—when the system thinks the iris belongs to someone else who is registered—than other biometrics like palm reading technology. This is because there are so many unique points within the eye that can be mapped out and recorded by the system, says Newman. </p><p>The company ultimately chose to go with Iris ID, and Newman says the deployment process has been seamless. 
“Of all the technology that I’ve deployed since I’ve started with the company, this has probably been the easiest rollout just because of the nature of the technology.” </p><p>Employees are granted access in and out of the facilities at the beginning and end of their shifts by having their irises scanned in nearly the same way in which they enrolled. </p><p>To be granted access, Gate Gourmet requires dual authentication. In addition to using the iris scanner, employees must introduce a credential to a card scanner. Newman adds that the iris enrollment process is only for employees. Visitors have a sign-in and escort protocol, and “visitors are issued specific media to identify them,” according to Newman. </p><p>The iris identification registration system is administrated from the Gate Gourmet headquarters in Dulles, Virginia, but each location with iCAMs has the ability to enroll and remove people from the system. This allows the company to keep the registration updated when employees leave Gate Gourmet.</p><p>The iris scanners are still being deployed across many of its locations, and Gate Gourmet hopes to eventually install the Iris ID iCAMs at all of its U.S. locations.</p><p>Newman emphasizes that upgrading from the previous biometric solution has not compromised security, but only enhanced it, for Gate Gourmet. </p><p>“We’re replacing biometrics with biometrics,” Newman says. “We haven’t surrendered anything by having the iris scanners—this is just the next generation for us.”  </p><p><em>For more information: Tom DeWinter, Iris ID, tdewinter@irisid.com, www.irisid.com, 609/819-4724 ​</em></p>
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspx
Surveillance and Stereotypes
Category: Physical Security
<p>Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report <em>Shoplifting Statistics.</em></p><p>To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags.</p><p>The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters.</p><p>Are these surveillance decisions a result of bias?
To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.​</p><h4>Existing Data</h4><p>A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.</p><p>Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves. </p><p>Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes. </p><p>It is also common for the media to portray adolescents—particularly boys—as criminals. 
Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.</p><p>The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers purport that they were targeted through excessive surveillance—and even through false arrests. </p><p>Researchers have shown that this automated bias occurs even when observers were trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”</p><p>Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press. ​</p><h4>Current Research</h4><p>To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas:  97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state. 
</p><p><strong>Shoplifter profile. </strong>The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.</p><p>The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.</p><p>Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status. </p><p>The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing. </p><p>These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.</p><p><strong>Decision processes. </strong>After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. 
The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.</p><p>The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.</p><p>Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.</p><p>Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.</p><p>Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. 
Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.</p><p>The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%201.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:510px;" /></p><p>Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities. </p><p>Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.</p><p>The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. 
A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.</p><p>Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent. ​<img src="/ASIS%20SM%20Callout%20Images/0417%20Feature%202%20Chart%202.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:519px;" /></p><h4>Lessons Learned</h4><p>Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.</p><p>Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.</p><p>Other research, such as from “Juvenile Shoplifting Delinquency: Findings from an Austrian Study” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. 
Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.</p><p>Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police.</p><p>Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.</p><p>These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting.</p><p>There are benefits for retailers who involve the legal system, especially for informal police sanctions.</p><p>First, criminal justice diversion programs and psychological treatment and educational programs may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.</p><p>Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased.</p><h4>Recommendations</h4><p>Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices.
They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters. </p><p>If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars. </p><p>Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.</p><p>Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered. </p><p>The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.</p><p>Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink. </p><p>The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decisionmaking about juvenile shoplifters. 
It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.</p><p>Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.  </p><p>--<br></p><p><em><strong>Dr. Lauren R. Shapiro </strong>is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. <strong>Dr. Marie-Helen (Maria) Maras</strong> is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.   ​</em></p>
https://sm.asisonline.org/Pages/Book-Review---Enterprise-Risk-Management.aspx
Book Review: Enterprise Risk Management
Strategic Security
<p>A curated collection of contributions by many expert authors, <em>Enterprise Risk Management</em> offers a comprehensive look at the risks that can endanger an organization. It covers everything from physical risks (environmental, health and safety, operational risk, project risk management, etc.) to intangible risks like cybersecurity. It has chapters on financial risk management, the role of insurance, global and strategic risk, and more.</p><p>Each chapter of this work can stand alone as a discussion of the risks associated with a particular area, such as supply chain management. Although this book cuts a wide swath, several chapters stand out as being particularly interesting.</p><p>The chapter on the insider threat (what the book calls human capital risk) is outstanding. It covers all of the different types of trouble that employees can get into, and discusses how to manage and avoid those risks. The only shortfall with this section is that it assumes that all of the actions of the insider are malicious; in practice, many well-intentioned employees have damaged their employers merely by clicking on a malicious link. Phishing, in all its forms, has become part of the insider threat spectrum, and should be treated as such.</p><p>The chapter on risk culture contains a fascinating section on how the attempts to control some forms of risk through the use of incentive programs end up exacerbating the very problems they seek to avoid. 
This section, while interesting, also shows the depth of this book: if you can’t find it here, there’s a good chance you don’t need to worry about it.</p><p>All of the risks discussed are organized via a common framework: risk context, assessment, treatment, monitoring, and review. This framework will be familiar to anyone with experience in ISO 31000 Risk management—Principles and guidelines, although there is little discussion of the standard in the book, where it appears only in the footnotes.</p><p>Finally, the book ends with a case study on the rise and decline of Blockbuster, the video rental chain, and how it was felled by Netflix. It is relevant because it is an example that most readers are familiar with, and it shows how an incorrect assessment of risk can have catastrophic consequences.</p><p>Because of its breadth and depth, Enterprise Risk Management may have difficult sections for many readers. For example, the areas on financial risk may not be of interest to someone interested in brand risk. This points to a strength in this book: an authoritative work, it best belongs in the enterprise risk management department of an organization, on the chief risk officer’s desk, in internal audit, and most importantly, in the CEO’s office.  </p><p><em><strong>Reviewer: Ross Johnson, CPP</strong>, is the senior manager of security and contingency planning for Capital Power. He is an ASIS Council Vice President and the author of Antiterrorism and Threat Response: Planning and Implementation. He is an executive committee member of the North American Electric Reliability Corporation’s Critical Infrastructure Protection Committee, and is the infrastructure security advisor for Awz Ventures, Inc.</em></p>
https://sm.asisonline.org/Pages/Wells-Fargo-To-Pay-$110-Million-To-Settle-Class-Action-Lawsuits.aspx
Wells Fargo To Pay $110 Million To Settle Class Action Lawsuits
Strategic Security
<p>Wells Fargo & Co. will pay $110 million to settle several class action lawsuits brought in the wake of its mass unauthorized account scam, it announced in a <a href="https://www.wellsfargo.com/about/press/2017/class-action_0328.content" target="_blank">statement.</a></p><p>“This agreement is another step in our journey to make things right with customers and rebuild trust,” said Wells Fargo CEO Tim Sloan in a statement. “We want to ensure that each customer impacted by our sales practices issue has every opportunity for remediation, and this agreement presents an additional option.”<br></p><p>A dozen class action lawsuits were filed against Wells Fargo after it was disclosed in 2016 that employees at the financial institution created almost 2 million unauthorized customer accounts to generate millions in fees that profited the company. <br></p><p>The $110 million will be set aside for customer remediation, and will be used to pay customers for out-of-pocket losses, such as fees incurred due to unauthorized account openings, as well as for attorneys’ fees and administrative costs. <br></p><p>“The settlement class will consist of all persons who claim that Wells Fargo opened an account in their name without consent, enrolled them in a product or service without consent, or submitted an application for a product or service in their name without consent during the period from January 1, 2009, through the date the Settlement Agreement is executed,” according to the Wells Fargo statement.<br></p><p>A court must still approve the settlement agreement before funds can be distributed. 
<br></p><p>This settlement is the second major settlement Wells Fargo has agreed to related to the scandal. In September 2016, the financial institution agreed to pay $190 million to settle claims brought by government agencies, including the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, and the city and county of Los Angeles, <a href="http://www.nationallawjournal.com/id=1202782282906?kw=Wells%20Fargo%20Strikes%20$110M%20Settlement%20Deal%20in%20Fake%20Accounts%20Cases&et=editorial&bu=National%20Law%20Journal&cn=20170329&src=EMC-Email&pt=Daily%20Headlines&slreturn=20170229140429" target="_blank">The National Law Journal reports.</a></p><p>“Only $5 million of the payment went to customers, who are the class members in the lawsuits against Wells Fargo,” according to the journal.</p><p>For more on the Wells Fargo scam and fraud trends at financial institutions, read <em>Security Management’s</em> March cover story <a href="/Pages/Teller-Trouble.aspx" target="_blank">"Teller Trouble."</a></p>
https://sm.asisonline.org/Pages/Outdated-Protocols-and-Practices-Put-the-IoT-Revolution-at-Risk.aspx
Outdated Protocols and Practices Put the IoT Revolution at Risk
Cybersecurity
<p>Linking physical objects in the real world to the virtual world, enabling “anytime, anyplace, and anything” communication was once the stuff of science fiction. However, it is made real today with the Internet of Things (IoT), which is widely considered to be the next phase of the Internet revolution.</p><p>Knowing this, it could be expected that the protocols and infrastructure supporting the IoT would be just as advanced—but this is not the case. Instead, the technology underpinning the IoT is straight out of the 1990s or early 2000s—more Sega Dreamcast than PlayStation 4.</p><p>It’s no surprise that the tech industry and the public are falling head-over-heels for the possibility to connect everything, from our toothbrushes to our city infrastructure, to the Internet. However, the more devices we connect, the more opportunities there are for cyber criminals. </p><p>By getting carried away by the opportunity technology brings, we are charging ahead without considering the risks and without securing the technology. Before organizations continue to connect devices to the network, there needs to be a secure foundation to build up from. </p><p>The fundamental standards, which IoT devices have to comply with, must be secure so no one device can be breached and used as an entry point for the whole system. In 2015, the U.S. Federal Trade Commission recommended that security be baked into devices from the beginning—not as an afterthought. </p><p>Yet research from HP in its Internet of Things Research Study showed that 70 percent of the commonly used IoT devices had severe security issues. And there are critical vulnerabilities at the very core of many IoT networks. 
</p><p><strong>Smart Homes and Buildings</strong><br>The trend of automated buildings and making homes smarter by leveraging the IoT to save energy, increase comfort, or add capabilities for remote monitoring and control is on the rise. However, there are issues with the development of smart buildings and homes.​</p><p>A smart home using home automation is likely to have IoT devices that cover the following areas:</p><p><strong>HVAC Control. </strong>Smart HVAC units control room temperature, as well as automated ventilation systems, which can be switched on to replenish clean air based on temperature, moisture, smoke, heat, dust, or carbon dioxide levels in the unit.</p><p><strong>Light Control.</strong> In conjunction with smart bulbs, these units can adjust lighting behavior according to the presence of people in a designated space. Smart lights can be automatically switched off when the unit is empty and dimmed when there is natural light.</p><p><strong>Smart Surveillance. </strong>Intelligent surveillance systems record activity in the smart home, allowing authorities to remotely monitor where individuals are inside.</p><p><strong>Smart Door Locks. </strong>Smart door locks can be opened or locked remotely by a user. They can also track people entering or leaving the premises, and can act upon this by notifying the inhabitants or authorities. Researchers have found fundamental flaws in this automation system that leave people at risk, such as hackers using simple attacks to open and unlock the doors.</p><p>These systems often utilize wireless IoT protocols, such as ZigBee and Zwave, which have become their greatest asset and their greatest weakness. Wireless networks are prone to jamming (attackers try to prevent sensors from contacting the central hub by blocking the signal), the communication can be eavesdropped on to gather secret keying material, and is vulnerable to replay attacks (attackers inject recorded packets, e.g. 
a “door open” command to a door lock, or a “no-motion” command to a motion sensor, into the communication destined for the connected device or sensor).</p><p><strong>The ZigBee Wireless Communication Standard</strong><br>ZigBee is a standard for personal area networks developed by the ZigBee Alliance, which includes companies like Samsung, Philips, Motorola, Texas Instruments, and many others. ​</p><p>ZigBee’s aim is to provide a low cost, low power consumption, two-way, reliable, wireless communication standard for short-range applications. ZigBee is used for: remote controls, input devices, home automation, healthcare, and smart energy.</p><p>Devices on a ZigBee network communicate using application profiles. Those profiles are agreements for messages, like a common alphabet and language, that enable developers to create an interoperable, distributed application employing application entities that reside on separate devices. If a manufacturer wants a device to be compatible with certified devices from other manufacturers, the device must implement the standard interfaces and practices of certain profiles, such as the Home Automation profile.</p><p>The Home Automation profile relies on secrecy of key material and secure initialization and transport of its encryption keys. Recent research by Cognosec shows that keys can be compromised by attackers by passively sniffing and using weaknesses in the standard. </p><p>Sniffing in this context is best described as passively eavesdropping on wireless communication. An attacker could compromise the key by either listening to the initial setup of the devices or by imitating a legitimate device trying to "rejoin" a network.</p><p>During this rejoin the attacker would pretend to have lost key material needed to communicate with the management hub and send an unencrypted rejoin request there. This causes the hub to send out new keys, a process that should be protected by another key. But, crucially, that key is publicly known. 
Ultimately, using this approach, an attacker could request the active network-level encryption key.</p><p>As the Home Automation profile covers devices from lights to HVAC systems and door locks, this compromise might lead to serious security issues. This security issue was shown by Cognosec during the DeepSec Conference in Vienna in 2015 by opening a Yale door lock using ZigBee without having the proper key. Security vulnerabilities from this kind of compromise are made worse because the fallback mechanism in the standard has to be implemented by every vendor that wants to market certified devices.</p><p>To remain compatible with devices that have not been pre-configured or are unknown to a ZigBee network, a default fallback mechanism was implemented that is considered a critical risk.</p><p>This fallback is used if devices from different vendors are connected to each other initially, or new devices are joined to an existing ZigBee network and they have not been pre-configured in the same way.</p><p>A single smart home or building with vulnerabilities may not seem like a problem at first, but a network of smart buildings—or a smart city—being breached could prove to be disastrous.</p><p><strong>ZWave Wireless Communication Standard</strong><br>ZWave also stands at the forefront of the IoT revolution. It was designed in 2001 by Zen-Sys, which was later acquired by Sigma Systems. </p><p>The ZWave standard does not require encryption support, so one can safely assume that vendors will only implement the bare minimum needed to get their products to market. 
This makes ZWave networks vulnerable to replay and eavesdropping attacks.</p><p>Two security researchers—Joseph Hall and Ben Ramsey—showed that few IoT devices are using encryption, and for those that are used for critical applications—like door locks—security is an opt-in feature that has to be enabled by the user.</p><p>In a demonstration at the ShmooCon 2016 Security Conference, ZWave-controlled light bulbs were physically destroyed in less than 24 hours by an attacker who gained access to the ZWave network using openly available information and some technical know-how.</p><p>It should be noted, though, that starting on April 2, 2017, the ZWave Security Framework S2 will be mandated on all devices. However, this will not fix issues on the devices that are already on the market and in stock. Future security research on the S2 framework should be conducted.</p><p>Besides this threat, implementation errors have been found in the firmware controlling door locks that allow an attacker to control the lock and prevent it from reporting its state to a central controller unit.</p><p><strong>Connecting to the World</strong><br>The adoption of IoT technology and increased outside connectivity in critical infrastructure could pose more critical risks to the energy and water supply, as well as to industrial control systems. </p><p>Recent research from Germany conducted in 2016 by internetwache.org shows that the water supply infrastructure is vulnerable and could be controlled by hackers because it’s not properly secured against outside attacks. In this particular case, it was not the lack of a security feature or faulty implementations of a wireless protocol that made the system vulnerable. 
Instead, it was a software vendor, whose product is used to manage Germany’s water supply plants, that did not implement security, leaving security configurations up to the plants themselves.<br></p><p>This is an example of a new threat to critical infrastructure as it evolves from closed to open systems. Historically, industrial control systems (ICS) were designed to operate on an isolated network to protect them from security threats. Well-established physical security measures and the need to be physically present to harm the system provided a decent level of security to the systems, even if their IT systems were not sufficiently secure.</p><p>Now, as more devices are connected to the Internet, they are communicating with each other and forming huge networks with machine-to-machine communication. The result is a massive growth of the attack surface and an increase in the potential effect an attack could have. By making systems interoperable, as is the current trend with the IoT, hacking one device could open up a Pandora’s box of security breaches.</p><p>Another fact making this problem worse is that some software vendors used by critical infrastructure—like in Germany—delegate security to the customer; a customer that normally has neither the necessary awareness nor know-how to properly implement the now open infrastructure as IT is not its core business.</p><p><strong>Conclusion</strong><br>Security issues affecting buildings, power, and water supply plants—or even door locks—have been around for years. Still, every few months new threats arise and the situation is worsened by adding network connectivity to devices that broaden the attack surface. </p><p>Security must be built into devices and configured to be the default, not the exception or the responsibility of the end-user. The U.S. 
National Institute of Standards and Technology released a publication on this issue in 2016, which called for assigning a level of trustworthiness to a device and applying security considerations to it from the very beginning. </p><p>By integrating security from the design phase to the product development and life-cycle management phase, instead of adding security features or monitoring hardware after the device has been purchased, devices will be more resilient against attacks than they are now. <br><br>Until we can resolve these issues, and create new, secure protocols, IoT hacks will increase exponentially in volume and severity.</p><p><em>Florian Eichelberger is an information systems auditor at Cognosec. </em><br></p>
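<p>The replay attack described above (a recorded “door open” command injected later) succeeds against a receiver that checks neither authenticity nor freshness. The following added example, which is not from the original article or from the ZigBee or ZWave specifications, contrasts such a receiver with one that verifies a per-device MAC and a strictly increasing frame counter. The frame layout, the HMAC-SHA256 tag, the command strings, and all names are assumptions made for illustration.</p>

```python
import hashlib
import hmac
import struct

# Assumed frame layout (illustrative, not a real protocol):
#   device id (2 bytes) | frame counter (4 bytes) | command | 16-byte MAC
HEADER = struct.Struct(">HI")
TAG_LEN = 16  # truncated HMAC-SHA256 tag
COMMANDS = (b"DOOR_OPEN", b"DOOR_LOCK")


def build_frame(key, device_id, counter, command):
    """Sender side: header and command, followed by a MAC over both."""
    body = HEADER.pack(device_id, counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class NaiveLock:
    """Acts on any well-formed frame: no authenticity or freshness check."""

    def __init__(self):
        self.unlocked = False

    def receive(self, frame):
        command = frame[HEADER.size:-TAG_LEN]
        if command in COMMANDS:
            self.unlocked = command == b"DOOR_OPEN"
            return True
        return False


class HardenedLock:
    """Verifies a per-device MAC, then requires a strictly increasing counter."""

    def __init__(self, device_keys):
        self._keys = dict(device_keys)  # provisioned per device, never a shared default
        self._last_counter = {}         # a real device must keep this across reboots
        self.unlocked = False
        self.rejections = []            # (device_id, reason), for monitoring and alerting

    def _reject(self, device_id, reason):
        self.rejections.append((device_id, reason))
        return False

    def receive(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            return self._reject(None, "malformed")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack(body[:HEADER.size])
        key = self._keys.get(device_id)
        if key is None:
            return self._reject(device_id, "unknown-device")
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return self._reject(device_id, "bad-mac")
        # Freshness is checked only after authentication, so a forged frame
        # cannot advance the stored counter and lock out the real sender.
        if counter <= self._last_counter.get(device_id, -1):
            return self._reject(device_id, "replay")
        self._last_counter[device_id] = counter
        command = body[HEADER.size:]
        if command not in COMMANDS:
            return self._reject(device_id, "unknown-command")
        self.unlocked = command == b"DOOR_OPEN"
        return True


def demo():
    """Run constructed traffic through both receivers and report the outcome."""
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed sample key
    hub = 0x0042                                            # constructed device id
    open_frame = build_frame(key, hub, 1, b"DOOR_OPEN")
    lock_frame = build_frame(key, hub, 2, b"DOOR_LOCK")
    recorded = open_frame  # what a passive listener would have captured
    # Same recorded command and tag, but with the counter field rewritten to 3.
    tampered = HEADER.pack(hub, 3) + recorded[HEADER.size:]

    naive = NaiveLock()
    hardened = HardenedLock({hub: key})
    for lock in (naive, hardened):
        lock.receive(open_frame)  # legitimate: door opens
        lock.receive(lock_frame)  # legitimate: door locks again
        lock.receive(recorded)    # old frame shows up a second time
    result = {
        "naive_unlocked_after_replay": naive.unlocked,
        "hardened_unlocked_after_replay": hardened.unlocked,
    }
    hardened.receive(tampered)    # counter looks fresh, MAC no longer matches
    result["hardened_unlocked_after_tamper"] = hardened.unlocked
    result["rejections"] = list(hardened.rejections)
    return result


if __name__ == "__main__":
    print(demo())
```

<p>The rejection list doubles as a detection signal: repeated “replay” or “bad-mac” entries for one device are worth alerting on.</p>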
https://sm.asisonline.org/Pages/Four-Killed-In-U.K.-Parliament-Attack.aspx
Four Killed In U.K. Parliament Attack
National Security
<p><strong>Update: 23 March 2017, 11:50 a.m.</strong></p><p>British authorities identified the man responsible for Wednesday's terror attack as 52-year-old Khalid Masood, according to a <a href="http://news.met.police.uk/news/update-westminster-attack-man-believed-responsible-named-230160" target="_blank">press release from the London Metropolitan Police.</a><br></p><p>Masood was born in Kent, and authorities believe he was recently living in the West Midlands in England. </p><p>"Masood was not the subject of any current investigations and there was no prior intelligence about his intent to mount a terrorist attack," the Met said. "However, he was known to police and has a range of previous convictions for assaults, including GBH, possession of offensive weapons, and public order offenses."</p><p><strong>Update: 23 March 2017, 10:50 a.m.</strong></p><p>The Islamic State claimed responsibility for Wednesday's terrorist attack in London outside the U.K. Houses of Parliament. The assailant--whose identity has not been released--was a British-born man known to the U.K.'s domestic intelligence agency and previously investigated for connections to violent extremism.<br></p><p>U.K. Prime Minister Theresa May said the assailant was a "peripheral figure" that was examined by MI5, but was not "part of the current intelligence picture," according to <em><a href="https://www.nytimes.com/2017/03/23/world/europe/london-attack-uk.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=photo-spot-region&region=top-news&WT.nav=top-news" target="_blank">The New York Times.</a></em></p>
<p>Authorities believe the assailant acted alone, but continue to investigate the incident while Britain remains at a "severe" threat level.</p><p>"Yesterday, an act of terrorism tried to silence our democracy," May said. "We are not afraid, and our resolve will never waver in the face of terrorism."</p><p>Two of the victims killed in Wednesday's attack have also been identified. A Mormon church official <a href="https://apnews.com/e2b6328601424b8581bddc263b1071a2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP">told the AP</a> that one of its members--Kurt W. Cochran--was killed in the attack while in London to celebrate his 25th wedding anniversary.<br></p><p>Officials also released the name of the police officer who was killed in the incident: Constable Keith Palmer, a 48-year-old police officer who formerly served in the Royal Artillery.</p><p><strong>Update: 22 March 2017, 4:00 p.m.</strong><br></p><p>Four people were killed in a terror attack outside the U.K. Houses of Parliament on Wednesday afternoon. Police shot and killed one assailant involved in the attack, but a major security operation remains underway in London. </p><p>Details of the attack—being called a terrorist incident—remain unclear, but <em><a href="https://www.nytimes.com/2017/03/22/world/europe/uk-westminster-parliament-shooting.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=photo-spot-region&region=top-news&WT.nav=top-news&_r=0" target="_blank">The New York Times</a></em> reports that security officers shot an assailant outside of Parliament after the individual stabbed a police officer. A motorist on an adjacent bridge also hit at least five pedestrians. 
However, it remains unknown if the assailant—whose name has not been released—and the motorist were the same individual.<br></p><p>At least 20 people were injured in the attack, in addition to the four casualties that included the police officer. Three French schoolchildren were among those injured, <a href="http://www.reuters.com/article/us-britain-security-photographer-idUSKBN16T1Y5" target="_blank">according to Reuters.</a><br></p><p>“This is a day we’ve planned for but hoped would never happen. Sadly, it’s now a reality,” said Mark Rowley, head of counterterrorism at the Met, in an interview with <em><a href="https://www.theguardian.com/uk-news/2017/mar/22/westminster-attack-man-shot-by-police-and-several-hurt-in-nearby-incident" target="_blank">The Guardian</a></em>. 
“The attack started when a car was driven over Westminster Bridge hitting and injuring a number of members of the public, also including three police officers on their way back from a commendation ceremony.</p><p>“The car then crashed near to Parliament and at least one man armed with a knife continued the attack and tried to enter Parliament.”<br></p><p>Authorities are now conducting a full counterterrorism investigation into the incident, and are asking the public to stay away from an area of central London, report suspicious activity, and share any video or images of the attack.<br></p><p>"Londoners should be aware that there will be additional armed and unarmed police officers on our streets from tonight in order to keep Londoners, and all those visiting our city, safe," said London Mayor Sadiq Khan in a statement posted to his Twitter feed.</p><p>Parliament was in session when the attack occurred at roughly 2:40 p.m. local time, and those in the House of Commons chambers were told to stay in place as officers searched the facility. </p><p>The attack occurred on the one-year anniversary of the <a href="/Pages/Terrorist-Attacks-in-Brussels-Leave-Numerous-Dead.aspx" target="_blank">Brussels attacks</a>, where terrorists bombed the Brussels airport and a metro station.<br></p><p>This is a developing story. <em>Security Management </em>will continue to update this post as more information is confirmed. <br></p>
https://sm.asisonline.org/Pages/Women-in-Executive-Protection.aspx
Women in Executive Protection
Strategic Security
<p>Although plenty of women enjoy the benefits of executive protection (EP), not many actually work in the field. And that’s a shame—because women have plenty to give in this growing industry. Following are four lessons I have learned from the real world as a woman working in executive protection. </p><h4>Women bring a different perspective (and go-bag gear) to EP. </h4><p>And that’s a good thing. Looking at things differently has advantages in any situation, but it can be especially important when protecting a female client. </p><p>Case in point: Like most EP agents, I carry a “go bag” wherever I travel with a client. Of course, I always bring along my personal medical kit, phone chargers, and so forth. But I also add a few things that leave my male coworkers wondering: clear nail polish, super glue, and hair ties. Really? Yes, really. Clear nail polish is worth its weight in gold if a client gets a run in her pantyhose. Super glue is invaluable if a heel snaps. Hair ties? You always need an extra hair tie. </p><p>A lot of men in EP think that it’s not our job to take care of little things like these—that they distract from the core mission to keep the client safe and secure. I’d like to add a few things to our job description as EP professionals. Beyond keeping clients safe, it’s also up to us to make sure they stay happy and productive.</p><p>Carrying a bag with items someone might need helps across the board. In addition to reducing unproductive delays and preventing embarrassment or children’s tears, it also has security advantages: we don’t need to enter unknown areas for last-minute purchases. 
Women are more likely to consider these needs in advance.​</p><h4>Women blend in better than men.</h4><p>Two male coworkers and I once worked a detail for a family with small children. Whenever we advanced a location, our point of contact would invariably look at the men and ask what they needed to know for security purposes. After they toured us all around, they would ask me if I had any questions pertaining to the itinerary. </p><p>I told them I had no issues, but if they had any itinerary questions they should contact the assistant who was handling the schedule. “But aren’t you the assistant?” they’d blurt. This happens nearly every time I’m with a male coworker conducting an advance. Outsiders see them as the security detail and assume that I am the assistant. </p><p>While some may find this insulting, I use it to my advantage. It’s fine with me if people think I am the nanny or assistant. This prevents them from asking too many questions or getting anxious about why security is around. It helps me blend into the background. It’s also a welcome relief to clients who sometimes want to keep a low profile and just feel “normal” instead of being surrounded by security wherever they go.​</p><h4>Women can go places men can’t.</h4><p>I can easily walk into a women’s restroom to wash my hands and find out whether the client needs help or is just chatting with someone. There’s no need to awkwardly walk into the opposite sex bathroom and look around for the principal. It’s important that protective agents can sometimes be with the principal in bathrooms, dressing rooms, and hotel suites without being inappropriate. By not disrupting the client and by blending into surroundings, female agents raise fewer eyebrows and inspire less suspicion. ​</p><h4>It’s all about the team.</h4><p>I have been extremely fortunate to work with an amazing group of people—mostly men, because there are very few other women working in the industry. 
The importance of having a good team cannot be exaggerated. EP is not a one-person show, it’s a team effort.</p><p>Coming into a new company and working with a new client can be daunting enough. If you have the added burden of proving your worth to male coworkers, it just gets harder. </p><p>Fortunately, all the men that I work with have been supportive, kind, and understanding of the struggles women have in the industry. They’ve helped me achieve my career goals. I have also been blessed with a team leader who works extremely hard to actualize the team. Encouraging and managing team diversity isn’t always easy, but it’s worth it. Better and stronger teams rely on each other, help each other, and support each other to keep our principals safe, productive, and happy. </p><p>It is possible to create amazing, cohesive teams that include both women and men. I hope that other women will find rewarding careers in EP with both male and female coworkers that encourage everyone on the team to grow. </p><p><em><strong>Rachael Paskvan </strong>is an executive protection agent with AS Solution and a member of the ASIS San Francisco Bay Area Chapter.</em></p>
https://sm.asisonline.org/Pages/Servant-Leader-Counterpoint---President-Trump.aspx
Servant Leader Counterpoint: President Trump
Strategic Security
<p>U.S. President Donald J. Trump is no servant leader. He does not invert the traditional power model to put his staff at the top, and himself at the bottom.</p><p>“He puts himself at the center. He’s not about the group,” says leadership expert Barry Strauss, a professor of history and classics and humanistic studies at Cornell University.</p><p>Nonetheless, Trump now holds the top public leadership position in the United States. By dint of that status alone, his leadership will be influential. The constant media attention, scrutiny, and television time that a president generates ensures this. </p><p>However, trying to contextualize Trump in the broader field of leadership is a tricky task, says Strauss, who is also a military historian and author of The Death of Caesar, Masters of Command, and other volumes. “Various people come to mind, but he’s not a perfect fit for any one of them,” says Strauss. Instead, Trump seems to possess “bits and pieces” of leadership traits of historically famous leaders.    </p><p>On one hand, Trump is visibly self-confident, a leader who has a tendency to “go with his gut,” and in the process sometimes ignore advice from advisors. President Franklin Roosevelt had a similar tendency, Strauss says.  </p><p>Trump also clearly places great stock in the idea that practical wisdom, more than knowledge accumulated from voracious book reading or a formal education, is tremendously important. Trump also touts his own strength, and is invested in being perceived as tough, and as someone who drives the hardest of bargains. In this, he is like Gaius Julius Caesar, the legendary Roman politician and general who was self-promotional in his political career, Strauss says.  
</p><p>In fact, both Trump and Caesar are leaders who achieved part of their fame as authors, writing books that were, among other things, vehicles for self-promotion. While campaigning for president, Trump often pointed to his bestselling The Art of the Deal book as evidence that he could negotiate extraordinary trade deals as president.  </p><p>However, Strauss also emphasizes the clear difference between the two. Caesar was regarded as a masterful orator and prose stylist; by most accounts Trump is neither. And Caesar had an acclaimed military career, while Trump never served.  </p><p>But while clearly not a servant leader, Trump’s leadership style is in the mold of another recognizable type of leader–the charismatic leader, whose authority is built partly on personal charisma (and in Trump’s case, a “charismatic lifestyle” filled with opulence). That gives Trump’s leadership style some affinity with President Ronald Reagan’s, but there is a difference. Reagan used acting techniques to enhance his speaking style, which earned him the nickname “The Great Communicator.” Trump is a specific type of charismatic leader–not a galvanizing communicator, but a showman, Strauss says. </p><p>Trump is forthcoming in his interest in showmanship. To illustrate, Strauss cites remarks Trump made during a revealing interview in the 1990s with Playboy magazine. When asked about his heroes, Trump cited Broadway impresario Flo Ziegfeld and Metro-Goldwyn-Mayer studio cofounder Louis B. Mayer. “The ultimate job for me would have been running MGM in the 30s and 40s,” Trump told the magazine. Indeed, Trump described his opulent assets of casinos and Trump Towers as “props for the show.”</p><p>In the same interview, Trump also discusses his relationship with his staff. He prizes loyalty, but unlike a servant leader, who is focused on empowering and uplifting employees, Trump favors testing staffers to see if they will stay loyal and make good decisions. 
</p><p>“I am always testing people who work for me,” Trump said. “I will send people around to my buyers to test their honesty by offering them trips and other things. I’ve been surprised that some people least likely to accept a trip from a contractor did and some of the most likely did not. You can never tell until you test.”</p><p>Whether Trump’s leadership style will trickle down into the executive suites of U.S. workplaces will ultimately depend on his success, Strauss argues. Trump himself derides many as “losers,” so if his administration runs into serious problems, he could be deemed a loser by those looking to emulate a leader. But peace and prosperity in a Trump administration, Strauss says, will likely mean that more U.S. business leaders will be asking themselves, “Is there something I can learn from this?” ​ ​</p>
https://sm.asisonline.org/Pages/A-Picture-of-U.S.-Crime-.aspx
A Picture of U.S. Crime
National Security
<p>“We need more transparency and accountability in law enforcement. We also need better, more informed conversations about crime and policing in this country,” U.S. FBI Director James Comey said when his agency issued its most recent national crime statistics late last year.</p><p>And so, the FBI is moving forward on two major initiatives toward this goal. The agency has started collecting information for its first nationwide use-of-force database. This will be an online database containing information on interactions—both nonfatal and deadly—that U.S. law enforcement officers have with the public. </p><p>Back in 2014, the U.S. Congress passed the Death in Custody Reporting Act (DCRA), which required states and federal law enforcement agencies to report data to the U.S. Department of Justice (DOJ) when civilians died during interactions with law enforcement. The DCRA also authorizes the U.S. attorney general to impose financial penalties on noncompliant states.</p><p>However, the DCRA did not require reporting for nonfatal interactions. In the absence of such a mandate, the FBI has been partnering with local, state, tribal, and federal law enforcement to set up a system for national data collection about nonlethal incidents. Comey himself had repeatedly advocated for a more comprehensive use-of-force database, as he called the lack of national data on the use of force “embarrassing and ridiculous.” </p><p>The second initiative is a change in the agency’s primary crime reporting system. 
For years, the FBI’s Uniform Crime Reporting (UCR) program has played this role, but five years down the road, the agency plans to replace it with the National Incident-Based Reporting System (NIBRS).</p><p>Although the UCR system keeps track of the number of homicides, armed robberies, aggravated assaults, and other crimes, agency officials say it does not go far enough in collecting information that could give indications of why crimes occur, and what can be done to prevent them. </p><p>In contrast to the UCR, the NIBRS offers a fuller picture of incidents of crime, with information about what exactly transpired, demographic information about the people involved, the relationship between the perpetrators and victims, and specific location and time coordinates. </p><p>But as of a few months ago, only roughly a third of law enforcement agencies were reporting into NIBRS. The FBI’s goal is to have all enforcement agencies doing so by 2021, if not sooner. To help lead the way, the FBI has started to publish more data from its field offices about such offenses as human trafficking, hate crimes, and cyber intrusions.</p><p>“Information that is accurate, reliable, complete, and timely will help all of us learn where we have problems and how to get better,” Comey said.</p>
https://sm.asisonline.org/Pages/Ramping-Up-Resilience.aspx
Ramping Up Resilience
Strategic Security
<p>America’s national defense has many components. Some of the lesser known pieces are utilities—the nearly 2,000 electric, water, wastewater, and natural gas systems that help the U.S. Department of Defense (DoD) accomplish its mission. When these systems fail, military operations can be disrupted, and national defense can become a bit weaker. </p><p>In recent years, these systems have failed thousands of times, according to a recent study conducted by the U.S. Government Accountability Office (GAO), which examined a representative sample of 453 DoD-owned utilities. The survey found that 4,393 instances of disruption occurred in fiscal years 2009 through 2015, resulting in a financial impact of $29 million. </p><p>These disruptions take many forms. At Joint Base McGuire-Dix-Lakehurst in New Jersey, operations were shut down for an entire week after a power line exploded. The power line had been installed in 1945, and was past its expected service life, base officials explained to GAO researchers. After the shutdown, the facility ran on generator power for the next three weeks while repairs to the line were completed.</p><p>At Naval Auxiliary Landing Field San Clemente Island in California, seven utility poles caught fire and caused an eight-hour islandwide electrical disruption. The fire occurred because the poles’ insulators, which are used to attach lines to the pole so that the electricity will not flow through the pole itself, were corroded and covered with salt, dust, and debris, the report found. This debris formed a conductive layer on the insulator that created an electricity flashpoint that resulted in a fire. </p><p>And there are disruptions due to weather. 
At Naval Weapons Station Earle in New Jersey, Hurricane Sandy’s storm surge in 2012 destroyed utility infrastructure, disrupting potable and wastewater service and resulting in almost $26 million in estimated repair costs.</p><p>Of those 4,393 disruptions, 1,942 involved water utility systems, 1,838 involved electric utility systems, 343 involved wastewater systems, and 270 involved natural gas utility systems. The Air Force suffered the most frequent disruptions, with 2,036. Next came the Navy (1,487), the Army (784), and the Marines (86). </p><p>The equipment failures that led to the disruptions were often caused by one of three main factors, the study found: the equipment was operating beyond its intended lifespan; the equipment was within its lifespan, but still in generally poor condition; or the equipment’s performance suffered because it had not been properly maintained. </p><p>This finding points to a fundamental challenge for DoD and other federal agencies: real-world budget constraints mean that DoD does not have the funding to upgrade every single system that has outdated equipment. Building resilience under such circumstances is not easy, and it sometimes requires a strategic plan with an achievable baseline goal, says Jason Black, director of analytic insights for Huntington National Bank and a utility policy expert who is also a former U.S. military officer. </p><p>A strategic plan with a goal of sustaining round-the-clock operations every day of the year would be difficult to achieve. A more realistic plan, however, could allow for some disruptions, with a goal of limiting them. 
For example, the goal could be to limit disruptions to 10 times a year, with each disruption lasting no more than an hour, Black says.</p><p>In striving for this goal, the plan may sketch out how older and more vulnerable utilities would be supported by back-up systems or localized generators, and other special configurations that would be needed to deal with different scenarios. “It’s one thing if a whole base goes out. It’s another thing if just one maintenance facility goes out,” Black says.</p><p>This type of strategic resilience plan could be designed across DoD’s entire fleet of utilities. Some systems only play a crucial role a few times a year, when certain situations are occurring. System resources can also be pooled; if there are four airfields located in one state, it might not be necessary for disruptions on one field to be immediately rectified. “It doesn’t have to be the case that every base has to be sustained all the time,” Black says. “In some cases, it may be cheaper and easier to move people.” </p><p>Instead of simply being reactive and replacing equipment as it breaks, officials could also incorporate utility equipment updates into the strategic plan, to best support operational goals. Incorporating an equipment plan can also serve as an incentive for investment when funding is limited: it illustrates how small investments in certain key systems will put operations in a better position over time, Black says.   </p><p>However, a strategic resilience plan must be based on good information about where disruptions are occurring, their frequencies and patterns, and other data that could be analyzed. In this area, DoD is falling down, the GAO found. Specifically, 151 out of 364 survey respondents in GAO’s study said they did not have information on utility disruptions during the 2009–2015 time period of the study. 
</p><p>The reason for this lack of information, GAO found, is that the military services are inconsistent in issuing guidance on collecting and retaining utility disruption data. The study found that the Air Force and Marine Corps did not have current guidance on tracking utility disruption information; the Army had some guidance, but it was not available at all installations. </p><p>“Without guidance directing installations to collect information about all types of utility disruptions, service officials may not have the information needed to make informed decisions or to compete effectively for limited repair funds,” the study found. The exception among the services was the Navy, which had recently issued new guidance, auguring well for future data collection within that service, the study found. </p><p>Given this, the GAO recommended that the Army, Air Force, and Marine Corps take steps to consistently collect disruption information, and issue better guidance on doing so. DoD concurred with these recommendations. </p><p>Finally, Black says there is another tool that DoD may use to boost its utility resilience–partnerships with the private sector. Here, DoD has some advantages at its disposal; some of its sites include significant amounts of land, and they have more zoning and use flexibility because they are government owned. Given these resources, DoD may be able to partner with private sector companies on utility projects, ranging from wind turbines to solar panels. “They may have the room, and they may not have zoning concerns,” Black says. </p><p>Shared resources could also be leveraged in such partnerships, he adds. For example, a generator could be built on a DoD site that would power the local area, but could also be used as a backup in case of power failure at the DoD facility.</p>
https://sm.asisonline.org/Pages/Industry-News-March-2017.aspx
Industry News March 2017
Security by Industry
<h4>Museum Video</h4><p>Visitors to the USS Midway Museum in San Diego experience a floating city at sea with exhibits, flight simulators, restored aircraft, a gift shop, and more on its 18 decks. The aircraft carrier was an important tool in the U.S. military missions during the Cold War, the Vietnam War, and the Gulf War. Each year, 100,000 visitors come aboard to learn about the ship and its history.</p><p>A recent security upgrade included improving the museum’s video surveillance system. Integrator Layer3 Security Services selected cameras from VIVOTEK for the entire installation. The wide range of cameras used includes fixed domes, pan-tilt-zoom models, and box cameras. Units that withstand inclement weather and vandalism protect the outer areas of the museum. Speed dome cameras are used in the parking lots and on the deck. The cameras operate with ExacqVision software from Tyco Security Products.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Orchard Place, a provider of children’s mental health services, is using infinias access control from 3xLOGIC, Inc., for most of its facilities.</p><p>Pensacola Christian College installed 12 waist-high turnstiles from Boon Edam Inc. to manage entry into two of its dining halls. 
</p><p>Covenant Security Services and Covenant Aviation Security formed a strategic partnership with the Risk Services Division of HUB International Limited to provide sophisticated risk management services.</p><p>Criterion Healthcare Security will help members of Vizient, Inc., achieve a standardized security approach in compliance with industry and regulatory standards.</p><p>JRN, Inc., a Kentucky Fried Chicken franchisee in Tennessee, reduced employee theft after partnering with Delaget, LLC.</p><p>DSI Security Services and Viewpoint Monitoring are partnering to provide a wider array of security services for clients across all industries. </p><p>A global collaboration between Evidence Talks and Schatz Forensic will enable investigators to create forensic images using the SPEKTOR forensic intelligence product suite.</p><p>IPC joined the Equinix Cloud Exchange.</p><p>LaView entered a partnership with InstallerNet.</p><p>Nuvias Group became a member of the HID Advantage Partner Program.</p><p>Praetorian became a global auditing partner with Microsoft under the new Security Program for Azure IoT.</p><p>PrecyseTech Corporation teamed with Blackhawk Imaging, LLC, to launch the InPALM Enhanced Video Exchange for law enforcement and security applications.</p><p>RiskIQ is working with Evry as a key reseller in the Nordic region. </p><p>Many DVRs and NVRs from Speco Technologies are now integrated with Immix CC and CS platforms from SureView Systems.</p><p>Security-Net, Inc., formed a strategic partnership with Vector Firm to develop an enhanced sales training program.</p><p>Sony Corporation signed a partnership agreement with Bosch Security Systems to develop pioneering video security applications.</p><p>Suprema entered into partnership with Egis Technology Inc. to produce mobile fingerprint authentication for smartphones.</p><p>The University of Washington, Seattle, is using the unified parking management platform from TagMaster North America, Inc., and T2 Systems. 
</p><p>Hult International Business School is implementing Touchless Biometric Systems 3D technology to record class attendance in Dubai, London, Boston, and San Francisco.</p><p>Tyco Security Products helped Kiwanis Village Lodge in British Columbia upgrade to an IP-based access control system using Kantech EntraPass Security Software and KT-1 Door Controllers.</p><p>Universal Security staff working at Chicago O’Hare and Chicago Midway Airports received active shooter response training from Archway Defense. </p><p>Dutch mobile-only bank bunq partnered with Veridium to provide secure mobile banking using Veridium ID hand recognition software.​</p><h4>GOVERNMENT CONTRACTS</h4><p>BICSI signed a memorandum of understanding (MOU) with the Engineering Institute of Thailand under H.M. The King’s Patronage to develop engineering practices and solve national problems in engineering through collaboration and information-sharing on events, education, marketing, and standards development.</p><p>BICSI also signed an MOU with La Asociación Mexicana de Empresas del Ramo de Instalaciones para la Construcción (AMERIC) in Mexico.</p><p>Montgomery County Public Schools in Virginia will implement the COPsync911 threat-alert system.</p><p>Farpointe Data announced that its proximity/keypad reader was installed by Cameras Networking and Security of Vermont at the Morristown Fire and EMS building, also in Vermont.</p><p>Magal Security Systems Ltd. announced that Senstar, its North American subsidiary, delivered perimeter electronic security systems to the North Atlantic Treaty Organization for its rapidly deployable military camps.</p><p>NAPCO Security Technologies, Inc., was chosen by the Houston Independent School District to supply security motion detection in all its schools. </p><p>Parabon NanoLabs won a U.S. 
Department of Defense contract to develop a software platform for forensic analysis of DNA evidence.</p><p>Qognify, formerly NICE Security, announced that the Navi Mumbai Metro selected its mass transit solution to ensure the safety and security of passengers and assets.​</p><h4>AWARDS AND CERTIFICATIONS</h4><p>The U.S. Department of Homeland Security granted Safety Act designation protections to Databuoy Corporation for its ShotPoint shooter localization system.</p><p>The DERMALOG AFIS was confirmed as the fastest automated fingerprint identification system in the world by test body SGS-TÜV Saar; the software allows the processing of almost a billion matches per second.</p><p>Farpointe Data announced that three of its card readers with keypads meet the impending requirements for two-factor authentication as described by the U.S. National Institute of Standards and Technology.</p><p>Galaxy Control Systems received new FICAM certification for its System Galaxy Software and its CS Infrastructure System Galaxy Software, now listed on GSA’s approved product list.</p><p>GhangorCloud was named DLP Solution of the Year-2016 and won the Editor’s Choice Award from Computing Security Magazine.</p><p>The New Jersey Tech Council named Lumeta Corporation the winner of its Innovative Technology Company award for 2016. The council selected Princeton Identity Inc. to receive the Outstanding Technology Development Company Award for 2016. </p><p>Reltio earned HITRUST CSF certification status for information security from the Health Information Trust Alliance for its Reltio Cloud. </p><p>Send Word Now was awarded a U.S. patent for the technology inherent in SWN Direct, its new mobile app for alert recipients. </p><p>Winners of the 2016 Detektor International Awards included ILOQ NFC in the access control category; SpotterRF A2000 drone detection in the alarm and detection category; and Sony SNC-VB770 camera in the CCTV category. 
Suprema, Inc., won the Innovative Achievement Award with BioEntry W2, a fingerprint access control device.​</p><h4>ANNOUNCEMENTS</h4><p>Allied Universal purchased Source Security & Investigations of Halifax, Nova Scotia.</p><p>AT&T and the National Aeronautics and Space Administration are researching traffic management solutions for unmanned aircraft systems. </p><p>Boon Edam Inc. is expanding its training programs to include factory trainings, roadshow trainings, and technical workshops.</p><p>Carnival Corporation announced that it will be the first maritime company to partner with INTERPOL for advanced security screening across its global operations.</p><p>Confidex Ltd. opened a new office in Nice, France, to better serve its global customers.</p><p>International SOS and Control Risks launched the Travel Risk Map for 2017. </p><p>Mesker Openings Group will be acquired by dormakaba to increase product offerings in North America. </p><p>Hitachi, Ltd., established an open laboratory within the Yokohama Research Laboratory to conduct prototyping and proof-of-value. </p><p>Insurance Bureau of Canada participated in Project Cyclone, a joint auto theft investigation involving York Regional Police, Peel Regional Police, the Toronto Police Service, and Canada Border Services Agency, which led to 24 arrests, seizures of property, and recovery of 60 stolen vehicles.</p><p>The Medical Identity Fraud Alliance released a paper to help businesses within the healthcare industry better understand how to deal with medical identity fraud. 
</p><p>Middle Atlantic Products is participating in UL’s Standard Technical Panel for UL 2416, helping develop future requirements of the standard for audio/video, information, and communication technology featured in cabinet, enclosure, and rack systems.</p><p>Nortek Security & Control will expand its manufacturing capacity by 25 percent.</p><p>OneLogin acquired Sphere Secure Workspace, Inc., to help provide a unified endpoint management solution for enterprises.</p><p>PSA will expand its market footprint to include the professional audio-visual and communications market. </p><p>Smartrac is selling its Secure ID & Transactions Business Division to the Linxens Group. </p><p>SOS Security LLC acquired Eastern Security Inc. of Waltham, Massachusetts. </p><p>The University of California-Berkeley School of Information is partnering with 2U, Inc., to deliver cybersecurity@berkeley, a new online master of information and cybersecurity program.</p><p>Vertx announced the winners of its 5 Days of Thanks campaign: Concerns of Police Survivors; the Special Operations Warrior Foundation; K9s for Warriors; the National Law Enforcement Officers Memorial Fund; and the Sua Sponte Foundation. ​</p>
https://sm.asisonline.org/Pages/Detention-Tension.aspx
Detention Tension
National Security
<p>When the U.S. Department of Justice (DOJ) announced last August that it planned to phase out and eventually close 13 private prisons, it was seen as a victory for the prison reform movement. Privately run prisons “incurred more safety and security incidents per capita” than those run by the government, according to a DOJ report released shortly before the announcement. </p><p>Numerous critical investigations on private prisons, as well as the DOJ report and decision, inspired other federal agencies, including the U.S. Department of Homeland Security (DHS), to reassess their use of the facilities. But, despite allegations of inhumane conditions and dissension among DHS advisors, it appears immigration detention centers will continue to be contracted out to private corporations.</p><p>In an unusual series of events, a DHS Homeland Security Advisory Council (HSAC) subcommittee issued a report finding that federally run facilities used for the civil detention of immigrants during immigration hearings are more beneficial, but less cost effective. “Much could be said for a fully government-owned and government-operated detention model, if one were starting a new detention system from scratch,” the report noted. “But of course we are not starting anew.” Just one of the six subcommittee members dissented with the report’s recommendation to continue using private detention facilities, but when the issue was brought to the broader council for a vote, HSAC recommended that DHS oppose the report’s conclusion and close private facilities.</p><p>However, the vote may be more symbol than substance because the HSAC serves in an advisory role to DHS decision makers. Any action on the matter now rests with U.S. Immigration and Customs Enforcement (ICE) officials. 
In the interim, ICE has already renewed or expanded 15 private and local prison contracts to add 3,600 beds to its arsenal, including reopening a private correctional center in New Mexico that was shut down last year following a series of inmate deaths and reports of deficient medical care.</p><p>The HSAC report’s recommendation appears to be out of necessity—as of November 2016, ICE held more than 40,000 people in 197 immigrant detention centers, even though Congress has currently approved and funded the use of 32,000 beds, according to ICE. Individuals confined in ICE facilities can be held only for the purpose of detaining and removing them from the country. Immigrant detention numbers have already reached record-breaking levels and are expected to continue growing–U.S. President Donald Trump has pledged to deport 2 to 3 million immigrants, further straining the facilities. </p><p>“Capacity to handle such surges, when policymakers determine that detention will be part of the response, cannot reasonably be maintained solely through the use of facilities staffed and operated by federal officers,” the report states. “Fiscal considerations, combined with the need for realistic capacity to handle sudden increases in detention, indicate that DHS’s use of private for-profit detention will continue.”</p><p>Building and operating enough federally run detention facilities to phase out private detention centers, which make up two-thirds of all immigration centers, would cost billions of dollars and not be a good use of government resources, the report notes.</p><p>There have been numerous contributing factors to the increase in detainees held by ICE. A controversial 2009 addition to ICE’s detention budget stating that funding would be made available to “maintain a level of not less than 33,400 detention beds” was interpreted by ICE as a mandate to contract for and to fill that number of beds on a daily basis. 
This so-called immigrant detention quota has correlated with the expanded detainee population, as well as the involvement of private prison corporations in ICE facility operations, according to Payoff: How Congress Ensures Private Prison Profit with an Immigrant Detention Quota, a 2015 report by nonprofit Grassroots Leadership. The quota system is unique to ICE—no other law enforcement agency operates in such a fashion.</p><p>“Since just before the onset of the quota, the private prison industry has increased its share of immigrant detention beds by 13 percent,” the report states. “Nine of the ten largest ICE detention centers are private. This is particularly noteworthy in light of the expansion of the entire ICE detention system by nearly 47 percent in the last decade.” </p><p>Immigration patterns have also bloated the number of immigrants held in detention centers. An unprecedented surge of Central American women and children to the United States in 2014 created overcrowding, resulting in the construction of the nation’s largest immigration detention center by a private prison corporation. A more recent influx of asylum seekers and immigrants who have been in the United States for years but are now facing exile has continued to strain the facilities.</p><p>Holding immigrants in privately run detention centers is easier on taxpayers’ wallets, ICE says. More than $2 billion in taxes goes to the country’s prison system each year, and lowering that cost is a big incentive to use private facilities, the report notes. Federally run detention centers are notoriously more expensive than their private counterparts—it costs about $127 a day to hold a person in a private facility, versus more than $180 in a government facility. And completely doing away with private facilities and replacing them with federally run ones would cost up to $6 billion, according to the HSAC report. 
</p><p>Despite the lower price tag for private facilities, prison corporations have seen their profits rise over the past six years—GEO Group, which owns a quarter of all ICE immigrant detention centers, has seen a 244 percent profit increase from 2010 to 2014, the Grassroots Leadership report found. The private prison companies have also spent millions of dollars lobbying on immigration issues and DHS appropriations, according to Grassroots Leadership.</p><p>To civil rights organizations, the increase in private detention facilities means not only the monetization of detainees but centers that do not have to abide by federal quality control. The DOJ report on private facilities notes that contract compliance checklists do not address federal health and correctional services requirements.</p><p>“The observation steps do not include checks on whether inmates received initial examinations, immunizations, and tuberculosis tests…[and] does not include observation steps to ensure searches of certain areas of the prison, such as inmate housing units or recreation, work, and medical areas, or for validating actual correctional officer staffing levels and the daily correctional officer duty rosters,” the DOJ report notes.</p><p>The nonprofit Human Rights Watch website stresses that those kept in immigrant detention centers are not criminals—they are often legal permanent residents, families with young children, or asylum seekers in the midst of civil immigration proceedings. For years, Human Rights Watch and similar organizations have documented abuse and substandard medical care in privately run detention facilities. For example, three people died in detention facilities between October and December 2016. </p><p>While the future of ICE immigration facilities will continue to involve privately run centers despite HSAC dissent, the council did agree with portions of the report’s recommendations that ICE must increase oversight of nonfederal detention facilities. 
The report found that county jails, which are often used for initial detention and staging, do not have to follow ICE facility standards and should be used for detaining immigrants for no more than 72 hours before moving them to a federal facility. The document also outlined the need for more stringent inspections of nonfederal facilities, including unannounced inspections and meaningful evaluations of conditions in each facility.</p><p>“U.S. Immigration and Customs Enforcement appreciates the Homeland Security Advisory Council’s recent review of the agency’s use of private contract detention facilities,” says ICE spokesperson Danielle Bennett. “The council’s report recognizes ICE’s ongoing commitment to providing a secure and humane environment for those in our custody while making the best use of agency resources. ICE’s civil detention system aims to reduce transfers, maximize access to counsel and visitation, promote recreation, improve conditions of confinement and ensure quality medical, mental health and dental care. ICE leadership will review and consider the council’s recommendations and will implement any changes, as appropriate.” ​ ​</p>
https://sm.asisonline.org/Pages/Stopping-the-Cyber-Buck.aspx
Stopping the Cyber Buck (Cybersecurity)
<p>While a wonderful tool, Spell Check is not always available. And sometimes a misspelling can have a major ramification. That’s what hackers found out in 2016 when a spelling mistake in an online bank transfer instruction prevented them from stealing nearly $1 billion from the Bangladesh central bank and the New York Federal Reserve.</p><p>The hackers, now believed to belong to three separate groups that planned the heist for more than a year, breached the Bangladesh bank’s systems, stole its credentials for payment transfers, and then bombarded the Federal Reserve bank of New York with almost 36 requests to move money from a Bangladesh bank account to accounts in the Philippines and Sri Lanka.</p><p>“Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan nonprofit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation,” Reuters reported. Instead of spelling “foundation,” the hackers wrote “fandation,” which grabbed the attention of the Deutsche Bank employee routing the transaction and led to the suspension of the transfer.</p><p>The hackers, however, managed to get away with about $80 million, making the heist one of the largest bank thefts in history. A later investigation determined that Bangladesh central bank officials “deliberately exposed its computer systems and enabled hackers” to steal the money, a top police investigator told Reuters.</p><p>The heist also brought new attention to financial institutions’ cybersecurity practices and the effects a cyberattack on a major institution could have on the rest of the economy. To address these concerns at the U.S. 
state level, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations for financial institutions operating in the state.</p><p>The rules were initially slated to go into effect on January 1, but were delayed and went into effect on March 1 to allow time for revisions and industry input. The rules, as of Security Management’s press time, apply to any “person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York banking law, the insurance law, or the financial services law.”</p><p>Those covered by the rules are required to have written policies and procedures that identify and assess the data security practices of third parties that access or hold their nonpublic information. Third parties must meet minimum requirements for cybersecurity practices, and periodic assessments (at least annually) of third parties and their cybersecurity practices are required. </p><p>Additionally, the rules require covered entities to designate a qualified chief information security officer (CISO) to be responsible for overseeing and implementing their cybersecurity program and enforcing cybersecurity policy. They also must hire cybersecurity personnel to perform cybersecurity functions, such as identifying cyber risks, responding to cyber events, and recovering from them.</p><p>While these seem like good policies on paper, Vice President of Technology and Risk Strategy for BITS and member of the Financial Services Roundtable Heather E. 
Hogsett said the rules are proscriptive and present a one-size-fits-all solution that doesn’t work for the New York financial industry, which is made up of international firms, as well as medium-sized and small banks.</p><p>The DFS rules also conflict with other regulatory measures, making it difficult for organizations to comply with them, Hogsett explained in an appearance at the New America Foundation in December.</p><p>“The question is, where does this end? And we do run the risk…the more you require information to be reported to different places in different formats, you’re taking your security professional’s eye off the ball and focusing more on compliance instead,” Hogsett said. “And it’s a national security concern. You’re creating honeypots of really sensitive information for a critical sector of the economy for attackers to really go hard at.”</p><p>New America recently called this out in a report, something Hogsett said she appreciated, and requested that all federal agencies follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It called for regulatory bodies to go back through their frameworks and harmonize them to the NIST framework.</p><p>One recent effort by the U.S. federal government to do this is an advanced notice of proposed rulemaking (ANPR) on Enhanced Cyber Risk Management Standards by the U.S. Federal Reserve Board, the U.S. Federal Deposit Insurance Corporation (FDIC), and the U.S. Office of the Comptroller of the Currency (OCC).</p><p>“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyberattacks,” the ANPR says. “Due to the interconnectedness of the U.S. 
financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”</p><p>The three agencies are considering applying the new standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board. The standards, however, would not apply to community banks.</p><p>“This ANPR would build on the existing framework of information technology guidance already in place,” said FDIC Chairman Martin J. Gruenberg in a statement. “The enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.”</p><p>The ANPR addresses five categories of cyber standards: cyber risk governance, cyber risk management, internal dependency management, external dependency management, and incident response, cyber resilience, and situational awareness.</p><p>The agencies are considering a two-tiered approach for an additional, higher set of expectations that would apply to covered entities that are critical to the financial sector. Security Management reached out to both the FDIC and the OCC for comment and was referred to the Federal Reserve, which did not return requests for comment for this article.</p><p>As part of the proposed rulemaking process, the agencies had asked for extensive feedback from stakeholders before the open comment period closed on January 17, 2017.</p><p>However, as of Security Management’s press time, only one person had submitted a comment on the ANPR: Reginald P. 
Best, president and chief product officer of the Lumeta Corporation, which provides network situational awareness services.</p><p>Lumeta has worked with the financial community for the past decade and has provided network-based cyber situational awareness analytics tools and services to seven of the largest financial institutions with more than $50 billion in assets that may be covered by the ANPR. </p><p>“We’ve had a fair amount of experience in some of the underlying issues that we think are problems that may potentially lead to more substantive breaches,” Best explains. “As I looked at the proposed rule, we wanted to provide some of our insights to help the industry in figuring out what they need to do and what they should be doing.”</p><p>In his comment, Best focused on responding to three of the agencies’ questions that asked for information on how entities evaluate their situational awareness, which forms the core of a strong cybersecurity program.</p><p>“Without fundamental situational awareness of the network infrastructure, which is easy to say and hard to do, nothing else that you do will matter or be as complete as it needs to be,” Best tells Security Management.</p><p>One of the biggest problems right now, however, is that many large financial institutions have a false sense of security about their situational awareness—they feel like they know what is happening on their networks. 
</p><p>“Despite investment in multiple tools at various places in the enterprise ‘security stack’…the very basic understanding of what constitutes the network, how it changes in real time, what the infrastructure comprises (approved versus rogue), what the authoritative topology of the network and network edge is, remains elusive and is often an afterthought,” Best wrote.</p><p>Some financial institutions miss this infrastructure because they forget to document it, aren’t aware of it, and aren’t hunting for network state changes to validate that they have an accurate understanding of their network.</p><p>With his feedback, Best says he hopes that if a proposed rule is created from the ANPR process, it will include a mandate for covered financial institutions to have an automated way of understanding their infrastructure. </p><p>However, Best adds that it would be a mistake for the agencies to require all processes of monitoring, identifying, and remediating cyber threats be automated. </p><p>“I think that could be challenging for most organizations to do today,” he says. “Ultimately, that may be required in the future—that networks be self-healing. But it might be a mistake to enforce that extent in the proposed rulemaking.”</p><p>Instead, Best says he hopes that the agencies focus on getting the basics right when it comes to cybersecurity—like NIST did in its Cybersecurity Framework. </p><p>“Because if you get the foundation right, then all the other stuff in the stack can come on and take care of itself in the fullness of time,” he says.   ​</p>
https://sm.asisonline.org/Pages/Message-to-the-Masses.aspx
Message to the Masses (Physical Security)
<p>Sanofi is a global pharmaceuticals business that manufactures and distributes vaccines and medications worldwide. The organization provides diabetes solutions, consumer healthcare services, animal health products, and other therapies. Sanofi Pasteur, the vaccines division of Sanofi, provides more than 1 billion doses of vaccines each year, which immunize more than 500 million people across the globe.<img src="/ASIS%20SM%20Callout%20Images/0317%20Case%20Study%20Stats%20Sidebar.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:296px;" /></p><p>With more than 100 locations in the United States, Sanofi has approximately 25,000 employees domestically, and a global workforce of more than 125,000. Keeping track of those workers and ensuring their safety is of utmost concern to the company, says Joe Blakeslee, security systems manager at Sanofi. </p><p>For its North American sector, the organization incorporates several solutions as part of its overall security profile, including access control, CCTV, and emergency notification. For many years, Sanofi had several mass notification platforms that were disparate, without a centralized way to manage alerts for all employees. </p><p>In late 2014, Sanofi put out a request for proposal to find a product that could unify its many mass notification platforms into one seamless solution. Near the beginning of 2015, it chose Everbridge Mass Notification, a Web-based application that allows for distribution of messages to a large audience. </p><p>“The biggest part about Everbridge that stood out was the user interface,” Blakeslee says. 
“It provided everything we needed, and we were also impressed with how easy the system was to use.” The Sanofi North America security team started rolling out the application at the beginning of 2015 for internal security purposes, and in June of that year began registering all North American employees into the system.</p><p>He adds that the variety of options for reaching employees was paramount, given Sanofi’s mobile workforce. “Everbridge has multiple modalities in which you can actually send the message,” he says. “We use all the modalities whether it’s cell phone, SMS, home phone, or email. We give all of our employees the ability to elect whatever modality they would like.” Employees rank their preferred communication modalities in order when registering for the system; that way, if one method fails to contact the worker, notifications will automatically be sent via other methods until the party is reached.  </p><p>Everbridge is used on a daily basis at Sanofi, he adds. “Every day we use the application to alert various groups within the company, whether it’s related to fire alarms, evacuations, hazmat response, or other incidents.” </p><p>Sanofi has a central security services center (SSC). There, analysts monitor the business locations across the country for alarms and alerts using various security management software. Only designated individuals within the SSC can access the Everbridge platform and administrate messages through the platform. When there is an incident, such as a fire alarm, analysts send out alerts to the affected employees to give them situational awareness through the Everbridge Web portal. In the fire example, employees would be alerted to evacuate the building and await further instruction. The messages being sent can be selected from a set of prewritten options, or modified based on the particular event; normally in an emergency, the messages are written at the time by the security team. 
</p><p>“Say you have a building with 3,000 people in it. We want to reach them wherever they may be,” he says, “and reach as many people as we can in as little amount of time as possible.” </p><p>The Everbridge application is used to notify workers that it is safe to return to their desks. It also displays in real-time the status of employees involved in the incident. Employee status can either be confirmed or unconfirmed. If someone is unconfirmed, the Everbridge system allows the SSC to resend the message or try a new contact path based on the order of the employee’s preferred contact methods to try to get a response. For example, if sending an SMS to a cell phone doesn’t work, the system will make a telephone call, then send an email, and so forth. The confirmation lets the security team determine which employees are safe. </p><p>The system helps get employees back to work more quickly, because people aren’t wondering whether it’s safe to return to their desks. </p><p>Everbridge can also be used for incident management. For example, in the case of a trespasser, security would get an alarm or a phone call. “From there, SSC would send out a notification from Everbridge to the local emergency response personnel, asking for them to respond to the occurrence,” Blakeslee says. “After the message is sent to all the recipients’ devices, the SSC would, in real time, monitor the responses from the recipients’ confirmations and determine how many people are responding to the event.” </p><p>Everbridge isn’t just used for reactionary purposes. It provides proactive security measures as well. Sanofi has security officers at each of its locations, and the organization conducts daily check-ins with those personnel who are patrolling alone to ensure they are safe and accounted for. Sanofi expects a message back, and “if they don’t respond, we escalate that to the SSC and they handle it from there,” Blakeslee says.  
</p><p>He adds that the mobile nature of the modern workforce means that employees won’t always be working from their primary location. “Our workforce is dynamic. One day I may be working in Pennsylvania, the next day I might be in New Jersey,” he says, noting that several employees and contractors travel frequently. To help keep track of its mobile workforce, Sanofi rolled out a newer feature from Everbridge called Safety Connection in the second quarter of 2016. The solution aggregates geo-location data from multiple systems so Sanofi knows where its employees are at any given time.  </p><p>Blakeslee says that given the sensitivity of materials they manufacture and distribute, as well as the importance of their services to customers, the culture at Sanofi is safety oriented. “Anything dealing with safety we’re really reactive to, so Everbridge provides us another means of communicating to keep our employees safe.”</p><p>--<br></p><p>For more information: Jeff Benanto, jeff.benanto@everbridge.com, www.everbridge.com, 781.373.9879 ​</p>
https://sm.asisonline.org/Pages/Teller-Trouble.aspx
Teller Trouble (Physical Security)
<p>The insider fraud that took place at Wells Fargo is still being investigated, but experts say the scam that involved the creation of 2 million unauthorized customer accounts is unprecedented. Beginning as early as 2011, thousands of Wells Fargo employees created bank accounts for existing customers without authorization, and generated millions of dollars in fees that profited the company along the way. </p><p>“Wells Fargo employees secretly opened unauthorized accounts to hit sales targets and receive bonuses,” said Richard Cordray, director of the Consumer Financial Protection Bureau (CFPB) in a statement. </p><p>The CFPB went on to say that workers even created fake PIN numbers and phony email addresses to fraudulently create the accounts. The bank will pay $185 million in fines to the bureau and $5 million to customers for their losses.</p><p>During a U.S. Congressional hearing in which then-Wells Fargo Chairman and CEO John Stumpf testified before lawmakers, U.S. Rep. Maxine Waters (D-CA) called the event “some of the most egregious fraud we have seen since the foreclosure crisis.”</p><p>Stumpf stepped down in October 2016 as leader of Wells Fargo, and forfeited $41 million in stock awards and part of his 2016 salary and bonus. Since the scandal was uncovered, the bank has fired at least 5,300 employees.</p><p>While the ethics scandal at Wells Fargo garnered international attention, insider fraud and theft by employees has become increasingly prevalent at financial institutions. In 2014, New York Attorney General Eric T. Schneiderman announced the arrest of an identity theft ring that had siphoned $850,000 from a bank’s customer accounts with the help of several tellers at banks in New York City and surrounding counties. 
</p><p>In 2015, two private bankers with J.P. Morgan Chase were indicted for funneling $400,000 from Social Security accounts of 15 people, some of whom were deceased, according to court documents from the Brooklyn District Attorney’s office. </p><p>Schneiderman later sent a letter to several large banks, including J.P. Morgan Chase, Bank of America, and Wells Fargo, urging the financial institutions to rein in their employees’ access to customer data. The Wall Street Journal first reported on the letter, which it obtained in June 2015. Schneiderman said that teller theft was the number three cause of data breaches in the state of New York, just behind poor cybersecurity and lost or stolen equipment. </p><p>Schneiderman concluded that “much of the wrongdoing could have been caught if the banks had noticed and shared red flags; for example, an employee accessing an unusually large number of accounts or looking up accounts without dealing with those customers,” according to the article. ​</p><h4>Access to Information</h4><p>Experts say that an increase in theft and fraud has been accompanied by an evolution in the banker’s role. The traditional role of the teller who sits behind a desk counting dollar bills has progressed with the proliferation of the Internet and other digital tools. </p><p>“Technology now handles so many of the traditional teller transactions, like checking your balance or moving your money,” says Dr. Kevin Streff, associate professor and director of the Center for Information Assurance at Dakota State University. “Those kinds of transactions that used to be handled by people are now handled by automation for a large part, so the teller’s responsibility then moves up to the next level of service to the customer.” </p><p>Such transactions include changing personally identifiable information details on accounts, all available to tellers with the click of a button. 
</p><p>“Technology in general makes it so much easier to get the information that we’re talking about; there’s no question that’s increased the risk for internal theft cases,” says Kevin Smith, CPP, former senior vice president and corporate security director at Chevy Chase Bank and member of the ASIS International Banking and Financial Services Council. </p><p>But with the proliferation of ATMs and online banking services, this increased access to information is coupled with a diminished demand for tellers. They don’t garner the largest salaries—on average, tellers make about $13 an hour, or $27,000 a year, according to 2015 statistics from the U.S. Bureau of Labor. Experts say these low wages, combined with tempting sales-goal incentives, can create a formula for theft and fraud. </p><p><strong>Theft.</strong> Streff notes that the black market for customer records, credit card information, and other sensitive data is based on supply and demand, and the current supply is high. Therefore, employees will be tempted to steal more records to make the most money. </p><p>“It’s still very motivating to get 1,000 payment cards from a bank, and even if you can only get $25 a card, that’s still $25,000,” he says.</p><p>And there are plenty of bad actors waiting on the other side of the Web to help them carry out the crime. “The bad guy externally has the skill, the insider has the access privileges and the rights and trust, and that together creates the perfect storm to be able to complete that cybercrime,” Streff explains.</p><p>He recounts such a situation investigated by his firm Secure Banking Solutions, a cybersecurity company focused exclusively on the banking sector. </p><p>“We saw a situation at a Midwestern bank where a couple of tellers were printing about eight customer records each per day for about a year, and then they were putting them in their bags or purses and walking out the door,” Streff says. 
“So eight customer records a day is about $200 a day—there’s a nice little augmentation to their salary.”  </p><p>During his long tenure as a security director and vice president at banks across the country, Smith says he dealt with a similar situation during a merger and acquisition. </p><p>“The criminals were focused on the fact that the employees would no longer have allegiance to the company” that was being acquired, he says. “We apprehended one of our employees working at a call center that was selling customer information in the parking lot to someone that had approached them and said, ‘I’ll give you $50 for every name, address, telephone number, and date of birth that you can give me.’” </p><p><strong>Incentives.</strong> Scamming customers with help from the outside is just one of many risks faced by financial institutions. Corporate culture can become the catalyst for bad behavior as well. </p><p>During the U.S. House Congressional Services Committee hearing on Wells Fargo, lawmakers criticized the sales incentives that offered rewards to employees who opened a certain number of accounts. CNN Money reported in September 2016 that Wells Fargo employees had complained about the “pressure cooker environment” created by these “wildly unrealistic” sales goals. </p><p>Stumpf testified before the committee that sales goals were being eliminated companywide in January 2017 as a result of the scandal. </p><p>While this practice had become toxic at Wells Fargo, other banks rely heavily on the motivation behind such goals. </p><p>“The reality is that many companies, particularly smaller companies, survive on those sales goals,” says Smith, adding that common practice is to reward not only tellers, but managers and senior executives when their employees reach those goals. </p><p>This practice can lead to fraudulent behavior when employees are pressured to meet goals or face negative repercussions for not doing so. 
“When you dangle the guillotine over someone’s head and say ‘If you don’t do this, this thing is going to happen to you.’ Well come on, leadership gets exactly what they deserve,” says Clint Hilbert, owner of Corporate Protection Technologies, LLC. “They’re actually promoting that behavior.” </p><p>Hilbert says that a series of checks and balances within the company will help prevent fraud from occurring. </p><p>“The checks and balances have to be built in from the time you’re pursuing a market to the time you’re reinvesting your profits,” he says. “All of those stages in between have to have checks and balances that can be independently surveyed.” </p><p>Smith echoes the concern regarding a competitive sales environment, and notes that management can often become a part of the problem. </p><p>“Hypothetically, I think what happens in those situations is people are incented to sell, sell, sell,” he says. “And if the person monitoring that activity is also gaining from the sell, sell, sell, they’re disincentivized from identifying any problems.” </p><p>Having an independent third party or group outside the management chain to audit sales activity ensures that banks aren’t engaging in fraudulent behavior.​</p><h4>Management </h4><p>Experts say that engaging employees and giving them a sense of buy-in at the company is a first step to keeping them from becoming an insider threat, and treating whistleblowers with fairness and exercising transparency can help leadership build trust. </p><p><strong>Whistleblowers.</strong> Since the Wells Fargo scandal came to light, employees have come forward saying that they were fired or punished for blowing the whistle on the fraudulent activity taking place. </p><p>In a November 2016 letter to new Wells Fargo President and CEO Timothy Sloan, U.S. 
Senators Elizabeth Warren (D-MA), Robert Menendez (D-NJ), and Ron Wyden (D-OR) inquired about the firing of certain employees, writing that “the bank may have done so to retaliate against whistleblowers.” </p><p>Former employees told NPR News that they received bad marks on their U5 forms—a system set up and operated by the Financial Industry Regulatory Authority—after pointing out the fraudulent behavior. Those forms are essentially used as a permanent record of their employment history as a banker. Wells Fargo says it is investigating those claims.  </p><p>Hilbert says that anyone who raises a red flag about company practices should be treated with fairness, whether they are right or wrong. </p><p>“The first time you publicly fry a whistleblower, you no longer have ownership by the employees,” Hilbert says. “Even if the whistleblower is 100 percent wrong, there has to be transparency because that’s where you’re going to lose trust.” </p><p>Rather than creating a culture where managers are pitted against employees, Hilbert says, creating mutual respect will fuel the two-way relationship. He adds that employees essentially should respect the company more than they respect their coworkers who engage in bad behavior so that they report any incidents. </p><p> “You have to be transparent, you have to be honest, and you have to communicate—therein lies the basis of every relationship,” he says. “That trust today is such an important factor for the C-suite to embrace.”</p><p><strong>Hiring and training.</strong> Increasing levels of responsibility for tellers ought to be supplemented with more security training and better hiring practices, Smith says. And security compliance and training programs should be ongoing to keep employees engaged with banking best practices. </p><p>“Those types of training programs on ethics in the workplace really have to be an integral part of the program coming through the door, and they have to be emphasized on a regular basis,” he notes.  
</p><p>For many bank workers, it may be their first job, meaning they haven’t had exposure to security or compliance training in the past. </p><p>“These tellers and call center employees can be right out of high school,” Smith says. “It’s an entry-level position, and you really need to drive that point home about ethics in the workplace because they’ve never had that training before.” </p><p>Hiring people with the right background is critical for employees that will be handling sensitive customer information. Banks can take advantage of access to law enforcement to conduct background checks. </p><p>“In the financial services industry, background investigations are critical,” Smith says. Under Federal Deposit Insurance Corporation (FDIC) rule number 19, banks can get permission to go directly to the FBI for such background screening. </p><p>Smith adds that under these regulations, banks are also prohibited from hiring someone who has been convicted of a theft or a breach of trust offense. </p><p><strong>Monitoring.</strong> Supervisors need to be the first line of defense when it comes to ensuring their employees aren’t engaging in bad behavior, Smith says. He explains that several technological tools are available to help produce reports using data from employee transactions. Using those reports, supervisors “ought to identify what the typical pattern is for their employees…and develop a report that would alert to out-of-pattern activity.”  </p><p>A worker accessing unusual amounts of customer information could be a tipoff to fraudulent behavior. “Let’s say typical daily activity for a teller is servicing about 50 accounts,” Smith says. “If you find that they’re looking at 300 accounts, that’s out-of-pattern activity and should be investigated.” </p><p>Streff adds that while technology is a great tool, creating awareness within the company is invaluable. 
“Certainly you want controls in place that lock things down, you want sensors to identify anomalous behavior, but you want to create an awareness in your workforce to be a protection as well,” he says.  </p><p>And employees at all levels can be the best tools for fighting insider threats, Hilbert says. “If you have 100 employees, you have 200 eyes,” he notes. “And if you can motivate those employees to do your camera work for you, you’ve got the best camera system that money can buy.”  ​ ​</p>
https://sm.asisonline.org/Pages/Lessons-in-Liability.aspx
Lessons in Liability (Strategic Security)
<p dir="ltr" style="text-align:left;">This article has been updated. Following are comments from Richard Wyckoff, President & CEO, U.S. Security Associates, Inc.</p><p dir="ltr" style="text-align:left;">--</p><p dir="ltr" style="text-align:left;">U.S. Security Associates was disappointed to read the article titled "Lessons in Liability" in the March issue of <em>Security Management</em> magazine. The article contained factual mistakes, omitted key facts, and sensationalized the tragedy of an incident that led to two deaths.<br></p><p dir="ltr" style="text-align:left;">The events of September 9, 2010, were unquestionably tragic. In the security industry, we all pray that an unpreventable incident does not occur on our watch, and we all take great measures to reduce the likelihood and risk of an active shooter. Not even the full force of the federal government and local authorities, working together, can prevent these senseless acts of violence.</p><p dir="ltr" style="text-align:left;">Our two officers on post at the Kraft client site were well trained, having passed background screening and onboarding employment verification. But they were unarmed and could not defend against an attacker with a .357 Magnum handgun, which was pointed at both of their bodies. Neither guard “ran away.” Instead, they took cover and each called 911 as soon as possible. Their quick actions may have prevented further loss of life.</p><p dir="ltr" style="text-align:left;">Each officer independently adjudged not to use the general announcement system. Again, this was a split-second decision that may have prevented further loss of life; causing a panic in the manufacturing facility might have sent more employees into the path of the murderer. 
Indeed, Yvonne Hiller fired her weapon at other Kraft employees as she transited the facility.</p><p dir="ltr" style="text-align:left;">All of this happened in less than five minutes. Emergency response showed up nine minutes after Hiller re-entered the facility, armed and dangerous. It is hard to understand what other actions our guards could have taken to prevent this tragedy.</p><p dir="ltr" style="text-align:left;">And the primary lesson to take away from this tragedy is not one of liability. Certainly a Monday­ morning quarterback’s view is improper; those quoted in the article neither attended the trial nor contacted the company for the details and suppositions made about the incident.</p><p dir="ltr" style="text-align:left;">We believe that the real lessons are ones of leadership and loyalty. U.S. Security Associates took this incident very seriously and pivoted to lead the industry in response to the active shooter problem. The company has added Active Shooter Training to its basic, required training for new employees and trained all existing employees as well. The company also developed Security Stars, an officer professionalism and career development training course above and beyond the minimum Security Officer Basic Training. We recruited Harold Underdown, a Navy Seal Master Chief with 30 years of Naval Service, to join the company as the Senior Vice President of Officer Development. Harold has spearheaded our Security Stars initiative and visits our sites nationwide to lead this unique and forward­ looking program.</p><p dir="ltr" style="text-align:left;">We also know that training programs alone do not prevent future incidents. The company showed that loyalty is part of our core values. We remained on site at Kraft and continued to provide services to the facility until it was shut down in a corporate reorganization. We stood by Kraft at trial, and our founding CEO and Chairman of the Board attended the trial as the company representative. 
Most tellingly, Kraft recently selected U.S. Security Associates as its single-source security provider nationwide. This loyalty and commitment to excellence is part of the “corporate heartbeat”. And it is this corporate heartbeat that enables U.S. Security Associates to see lessons in leadership where others see lessons in liability.</p><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;"><em>Security Management</em> responds:</p><p dir="ltr" style="text-align:left;">The reporting in the article was based on the written opinion of a state district court. We regret that we were unable to incorporate U.S. Security's comments into the original article.</p><p dir="ltr" style="text-align:left;"><br></p><div dir="ltr" style="text-align:left;"><br>​<em>​Original article</em></div><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;">​Yvonne Hiller was not having a good day. On September 9, 2010, Hiller had a quarrel with her coworkers—Tanya Renee Wilson, LaTonya Brown, and Bryant Dalton—at the Kraft Foods plant in Northeast Philadelphia where she had worked for 15 years. At a union stewards and supervisors meeting that evening, a decision was made. She was suspended and had to vacate the facility immediately.</p><p dir="ltr" style="text-align:left;">Kraft had contracted U.S. Security Associates, a private-sector firm, to provide security for the plant, and U.S. Security Site Supervisor Damon Harris was called to escort Hiller to her vehicle and ensure that she left the property.</p><p dir="ltr" style="text-align:left;">However, Harris did not walk Hiller to her car. He left her at the guard booth at the security gate at the entrance to the plant and allowed Hiller to walk to her vehicle, alone. But Hiller did not drive away.</p><p dir="ltr" style="text-align:left;">Instead, she retrieved a firearm from her car and drove back to the security gate where she pointed her gun at U.S. 
Security Officer Marc Bentley, who was inside the guard booth, and demanded to be allowed back into the plant.</p><p dir="ltr" style="text-align:left;">When Bentley did not open the gate, Hiller drove through it. Bentley then paced back and forth inside the guard booth, while his supervisor—Harris—ran away. Both security officers called 911 after several minutes of panic and confusion, but they failed to alert anyone else in the plant that Hiller was inside, and that she was armed.</p><p dir="ltr" style="text-align:left;">Hiller made her way through the plant to where the union meeting had taken place earlier that evening, opened fire, and shot Wilson, Brown, and Dalton. Wilson and Brown were killed, but Dalton survived the attack.</p><p dir="ltr" style="text-align:left;">Local law enforcement responded to the scene, taking Hiller into custody. She was eventually convicted of two counts of first-degree murder and one count of attempted murder. She is currently serving a life sentence in prison.</p><p dir="ltr" style="text-align:left;">The estates of Wilson and Brown filed a civil suit against U.S. Security and Hiller in 2015, alleging that the security company was guilty of negligence for failing to protect the people at the plant during the shooting and for failing to warn employees that Hiller was in the plant, armed with a gun.</p><p dir="ltr" style="text-align:left;">The First Judicial District Court of Pennsylvania agreed with them, granting the estates more than $46.5 million in damages—$8.02 million in compensatory damages and $38.5 million in punitive damages.</p><p dir="ltr" style="text-align:left;">“The verdict is an important message to U.S. Security that their guards can’t simply run away in the middle of a crisis,” said Shanin Specter of Kline & Specter, P.C., which represented the Wilson and Brown families in the civil suit, in an interview with Philadelphia’s NBC local affiliate. U.S. Security did not return requests for comment on this article. 
</p><p dir="ltr" style="text-align:left;">Kraft had contracted with U.S. Security and set forth the service agreement in written documents, outlining the security officers’ guide and post orders. </p><p dir="ltr" style="text-align:left;">The service agreement explained that U.S. Security personnel would have administrative and operations experience in security services at a level adequate to the scope of work and would be “responsible for maintaining high standards of performance, personal appearance, and conduct,” according to court documents. </p><p dir="ltr" style="text-align:left;">Personnel would be responsible for duties such as access control; escort services; incident reports; in-depth knowledge of facility-specific requirements, expectations, and emergency procedures; patrol service duties; alarm response; emergency and accident response; and security gate control.</p><p dir="ltr" style="text-align:left;">The service agreement also outlined what was expected of security personnel in response to an emergency at the Kraft plant in Philadelphia. 
The nine-step procedure included remaining calm if the officer was witness to a threatening situation, contacting a Kraft representative immediately, calling 911 if the threat was immediate, being prepared to assist if the situation became confrontational, and noting all facts about the incident in the security log.</p><p dir="ltr" style="text-align:left;">This is why it is critical for contract security providers and their clients to draft and review policies related to security officer duties and emergency response.</p><p dir="ltr" style="text-align:left;">“Any plans, procedures, and policies that you had in place are going to be front and center when a tragedy like the Kraft case happens—or even something far less tragic,” says Eddie Sorrells, CPP, PCI, PSP, chief operating officer and general counsel for DSI Security Services, a contract security provider based in Dothan, Alabama.</p><p dir="ltr" style="text-align:left;">For contract security providers, the case illustrates the importance of reviewing background screening and training processes for security guards. One criticism in the U.S. Security case, according to court documents, was that Bentley—a relatively new security officer—was not adequately trained to know how to use the available technology to communicate that Hiller had reentered the plant with a gun.</p><p dir="ltr" style="text-align:left;">“One of the most important lessons learned from this case is how critical training is for the security officer,” Sorrells explains. “That’s not a suggestion that U.S. 
Security didn’t have that; it just reinforces the need to have real policies and procedures that can be…exercised and trained on.”</p><p dir="ltr" style="text-align:left;">“I’m fond of saying that corporations are not hiring a staffing agency; they’re hopefully hiring security experts who can come in and advise them on what is needed in terms of emergency communications, training, and internal education for your employees,” Sorrells adds. </p><p dir="ltr" style="text-align:left;">“We have to make sure that training is there to hopefully prevent these things from happening; and even if all those efforts fail, once someone does show up with a weapon, we need to have procedures in place to make sure emergency notifications are sent out,” Sorrells says. </p><h4 dir="ltr" style="text-align:left;">Insider Threats</h4><p dir="ltr" style="text-align:left;">Around 10:09 a.m. on September 8, 2013, Yale University doctoral student Annie Le swiped her security card and entered the research lab on Yale’s campus where she conducted experiments into enzymes that could have implications for cancer, diabetes, and muscular dystrophy treatments. </p><p dir="ltr" style="text-align:left;">Later that day, a fire alarm went off in the lab, requiring everyone to evacuate the facility. But Le did not leave. And Yale University did not search the building to locate her. Eventually, when Le did not come home that night, her roommate called the authorities at Yale to report her missing.</p><p dir="ltr" style="text-align:left;">However, authorities did not begin looking for Le until the following morning. They would not find her until five days later—on the day she was scheduled to be married—when they discovered her body stuffed into a wall in the basement of the lab facility.</p><p dir="ltr" style="text-align:left;">Authorities would later determine that fellow laboratory technician Raymond J. Clark III had brutally assaulted and strangled Le on September 8. 
He pleaded guilty to her murder and is currently serving a 44-year prison sentence.</p><p dir="ltr" style="text-align:left;">Following his sentencing, Le’s family filed suit against Yale, alleging that it was negligent and failed to use reasonable care by hiring Clark for a position that allowed him unsupervised access to students and staff; by retaining Clark in that position; by failing to adequately supervise and monitor Clark’s activities; and by permitting Clark to work alone in remote areas of the building with Le and others.</p><p dir="ltr" style="text-align:left;">The family also claimed that Yale was negligent for failing to inform and warn Le about the potential threat Clark posed; failing to take “reasonable steps” to provide a safe and secure environment for Le to work at the facility; failing to maintain a properly qualified and trained security staff at the lab; failing to respond to a fire alarm that sounded the same day Le was murdered; fostering an atmosphere of tolerance of sexual harassment and sexual assaults that emboldened Clark; failing to investigate Le’s unexplained disappearance; and failing to detect, prevent, or intervene in Clark’s attack and murder of Le.  </p><p dir="ltr" style="text-align:left;">Yale denied the allegations, ABC News reported. “Yale had no information indicating that Raymond Clark was capable of committing this terrible crime, and no reasonable security measures could have prevented his unforeseeable act,” the university said. Yale later agreed to pay the Le family $3 million to settle the suit in 2016, according to the Associated Press.</p><p dir="ltr" style="text-align:left;">Paul Slager, a lawyer for Le’s family and a partner at Silver Golub & Teitell LLP, declined to comment on the settlement but did say that the case was part of a broader trend he’s seen in negligent security cases. 
</p><p dir="ltr" style="text-align:left;">“Ten years ago when people talked about negligent security it was ‘How do you keep unauthorized intruders out?’” he explains. “As a lawyer, the issues have shifted now that there has to be recognition by security professionals that just keeping intruders out doesn’t mean you’re maintaining a safe and secure environment.”</p><p dir="ltr" style="text-align:left;">For instance, the security precautions that Yale had taken—installing security cameras and using a card access control system—were designed to keep unauthorized individuals from entering the laboratory that Le worked in. However, they were not designed to address insider threats from those who had authorized access to the facility.</p><p dir="ltr" style="text-align:left;">Now, there is a greater acknowledgment that sometimes the threat to employees and students is an insider threat, and there may be other ways to prevent those crimes or acts of workplace violence from taking place, Slager explains.</p><p dir="ltr" style="text-align:left;">“Workplace violence is such a big issue, and this case had layers of workplace violence to it,” he says. “These people (Le and Clark) knew each other really well.”</p><p dir="ltr" style="text-align:left;">One security method Slager says he’s seen more of recently is the use of portable personal protective devices, which are designed to be carried by individuals and allow them to request help immediately.</p><p dir="ltr" style="text-align:left;">For instance, the University of Bridgeport in Connecticut began giving all new students National Protective Systems’ Personal Alarm Locators (PALs) in 2003. When pressed, the device can pinpoint a student’s location on campus and alert campus security. </p><p dir="ltr" style="text-align:left;">“The PAL system is only used on the main campus of the university. 
Your picture and location will automatically appear on two screens at the security office,” according to the university’s 2016 Annual Security and Fire Report. “Security will then respond to the location of your PAL, even if it is in motion.”</p><p dir="ltr" style="text-align:left;">The device also provides critical health information about students in the event of an emergency. The university won the Jeanne Clery Campus Safety Award in 2003 for its use of the technology to improve campus safety.</p><p dir="ltr" style="text-align:left;">The devices have been effective at deterring crimes, and in one instance prevented a crime when there was a conflict between a man and a woman on campus, Slager says. </p><p dir="ltr" style="text-align:left;">Because of this, Slager explains that he argued in the Le family’s suit against Yale that giving this type of personal protective device to students and employees would have been an effective way to deter or interrupt the assault on Le, which killed her.</p><p dir="ltr" style="text-align:left;">Le worked in an isolated part of the lab facility and Yale “didn’t offer sufficient protections from coworkers or people who had proper authority to be there,” Slager says. </p><p dir="ltr" style="text-align:left;">Because Yale and the Le family settled their suit, no damages were awarded. But in the U.S. Security Services case, the damages the jury awarded the plaintiffs were significant. The case was being appealed at the time Security Management went to press, so they may be reduced, but the high amount was initially awarded, Sorrells says, due to the loss of life and the perception that more could have been done to prevent it. ​ ​ </p>
https://sm.asisonline.org/Pages/The-Art-of-Servant-Leadership.aspx
The Art of Servant Leadership
Strategic Security
<p>Servant leaders are a revolutionary bunch–they take the traditional power leadership model and turn it completely upside down. This new hierarchy puts the people–or employees, in a business context–at the very top, and the leader at the bottom, charged with serving the employees above them. And that’s just the way servant leaders like it.</p><p>That’s because these leaders possess a serve-first mindset, and they are focused on empowering and uplifting those who work for them. They are serving instead of commanding, showing humility instead of brandishing authority, and always looking to enhance the development of their staff members in ways that unlock potential, creativity, and sense of purpose.  </p><p>The end result? “Performance goes through the roof,” says Art Barter, founder and CEO of the Servant Leadership Institute and former CEO of Datron World Communications, Inc.</p><p>“Magic happens,” agrees Pat Falotico, a former executive leader at IBM who is now CEO of the Robert K. Greenleaf Center for Servant Leadership. </p><p>Experts often describe the majority of traditional business leaders as managers who mainly function as overseers of a transaction: employees maintain desired performance levels, and in exchange they receive salary and benefits. Generally, these managers are positional leaders–they derive authority simply from the fact that they are the boss.</p><p>The servant leader moves beyond the transactional aspects of management, and instead actively seeks to develop and align an employee’s sense of purpose with the company mission.</p><p>The fruits of these labors are bountiful, servant leadership advocates say. Empowered staff will perform at a high, innovative level. 
Employees feel more engaged and purpose-driven, which in turn increases the organization’s retention and lowers turnover costs. Well-trained and trusted staffers continue to develop as future leaders, thus helping to ensure the long-term viability of the organization. </p><p>To reap these fruits, several things need to happen, experts say. Servant leadership ultimately starts with an unselfish mindset. “If you have selfish motivations, then you are not going to be a good servant leader. It has to be less about you,” Falotico says. Moreover, the organization at large needs to sustain a workplace culture in which this type of leadership can thrive. Finally, there are behaviors that the servant leaders themselves must practice on a regular basis. “As leaders, we can say anything we want, but we’re going to be judged on our behavior,” Barter says. And for the servant leader, behavior isn’t just what gets done, but how it gets done.</p><p>This article, based on several expert and practitioner interviews and recent research in the leadership field, explores the art and practice of servant leadership–its philosophy and goals, as well as best practice guidance for security leaders who aspire to become great servant leaders. We also take a look forward, and explore servant leadership’s impact on the future of leadership.</p><h4>Origins and Applications</h4><p>Servant leadership can be considered something of a universal concept, because it has roots in both Eastern and Western cultures, researchers say. In the East, leadership scholars point to Chinese philosophers in the 5th century BC such as Laozi, who asserted that when the best leaders finished their work, their people would say, “we did it ourselves.”</p><p>In modern-day leadership circles, the concept gained much currency with Robert Greenleaf’s 1971 essay, The Servant as Leader. Greenleaf, who passed away in 1990, went on to found the Atlanta-based Greenleaf Center for Servant Leadership. 
Falotico now leads the center, after spending 31 years at IBM.</p><p>In practice, Southwest Airlines, under the direction of founder Herb Kelleher, is frequently cited as the model servant leadership corporation. Kelleher’s philosophy of putting employees first resulted in a highly engaged, low-turnover workforce and 35-plus consecutive years of profitability, an unheard-of record in the turbulent airline industry.</p><p>Barter, who now leads the California-based Servant Leadership Institute, came to the concept by a circuitous path–working for companies that did not follow its practices. “I spent 20 to 25 years working at public companies that believed in the power model–it was all about what you could do for me in this quarter,” he says. He then became acquainted with the work of management expert and servant leader advocate Ken Blanchard. In 2004, when Barter became the CEO of Datron, a tactical communications equipment supplier, he was determined to head the firm as a servant leader. The results were dramatic. The company’s revenue grew from $10 million to $200 million in six years.</p><p>As a veteran business executive for many different companies, Barter is familiar with corporate security operations and departments, and he believes that the servant leadership model is a great fit for security leaders who are charged with protecting people and assets. He explains it this way: security managers must sometimes make quick and informed operational decisions, such as when a breach is suspected. A servant leader will do this, and will then use those decisions as educational tools, analyzing them in discussions with staff, and soliciting their opinions and ideas. This becomes a win-win-win situation: it builds trust between manager and staff, it helps employees develop as security professionals, and it enables the manager to gain new perspectives on security issues.
​</p><h4>Best Practices</h4><p>Experts offer a range of best practice suggestions for security leaders who aspire to become successful servant leaders. Most experts agree, however, on one bedrock principle: successful servant leadership starts with a leader’s desire to serve his or her staff, which in turn serves and benefits the organization at large. This serve-first mindset can be put into practice from the beginning, during an employee’s onboarding phase, says Michael Timmes, a leadership expert and consultant and coach with the national human resources provider Insperity.</p><p>During onboarding, after the initial introductions, getting-acquainted conversations, and explanations about how security operations work, the servant leader should solicit the new hire’s observations, impressions, and opinions, Timmes says. This conveys the message, from the onset, that the employee’s thoughts are valued. </p><p>And from that point, the servant leader keeps a continual focus on talent development. “They take folks early in their careers, and think of them as the leaders of the future,” Timmes explains. He approvingly cites one expert’s view that if a manager is not spending at least 25 percent of his or her time developing future leaders, then “you’re really not fulfilling your responsibilities as a leader.” </p><p>The servant leader can enhance this talent development process in several ways. For Barter, one of the keys is to leverage the employees’ strengths. Often, an employee’s highest performance is on tasks they are most passionate about, yet some managers never find this out. “We don’t take the time to ask them—‘What do you really want to do? What really excites you?’” Barter says. </p><p> Another way to enhance the talent development process is to selectively relinquish power, so that employees can lead certain projects and take ownership of initiatives. “Giving up power, and having others lead—that builds confidence in people,” Timmes says. 
</p><p>This can be tricky for some leaders because they equate leadership with control and they feel they should be responsible for everything. But therein lies a paradox—leaders that are able to let go often find that they are actually in more control, because they have harnessed the resources and talents of their staff, which collectively can guide operations more effectively than one person can, he explains.</p><p>This is a crucial requirement for effective servant leadership, says Falotico. She tells leaders to “get over yourself” and realize that business objectives, whatever they are, will not be reached without sharing the load and responsibility. “You are no longer an individual performer–you are a leader,” she says. “Leaders are enablers. That’s your work.” ​</p><h4>Question Close, Listen Closer</h4><p>If serving staff is the bedrock principle of servant leadership, two core practices toward achieving that goal are close listening and searching questions.  </p><p>Darryl Spivey, a senior faculty member at the Center for Creative Leadership (CCL) who coaches executives on servant leadership, says that asking the right questions is the “secret sauce” of great coaching, and is crucial for servant leaders. CCL is a leadership development institute with offices around the world, including China, Ethiopia, India, Russia, and several U.S. cities.  </p><p>Servant leaders build relationships with staff primarily by listening closely and by asking many questions—on anything from the employee’s background to detailed queries about their assessment of the firm’s business environment, Spivey explains. If an employee is struggling, leaders should ask questions about what might be impeding his or her progress. Even questions about smaller aspects of operations, such as the best use of time during meetings, are helpful. “The message this sends to the individual is that their opinion does matter, and that [leaders] want their feedback,” he says. 
</p><p>And the emphasis on questions works both ways. Employees should feel comfortable asking the servant leader questions without worrying that the leader will feel badgered, threatened, or implicitly criticized, Spivey says. Such questions help drive the development and growth of the employee. </p><p>Carefully asking questions is related to another crucial practice–listening to understand. This means listening to the employee silently and making an active effort to understand his or her point of view. Even if the leader feels the need to disagree or interject, they will wait until the person is finished speaking. If need be, the leader can briefly summarize what the employee has just expressed, as a way to communicate understanding. </p><p>While this may strike some as merely common courtesy, listening to understand is becoming harder with the rise of technology and the decrease of attention spans, experts say. For example, a leader who keeps the iPhone on the desk, and glances at it repeatedly during conversations, is not listening to understand. ​</p><h4>Encouragement, Humility, Trust </h4><p>Servant leaders can do more than listen to staff: they can encourage them. Indeed, in many ways encouragement is the hallmark expression of a servant leader, and it is a tremendously powerful tool, experts say. </p><p>Whatever the type of interaction with staff, servant leaders are consistent in showing encouragement and humility with an egalitarian attitude. “They don’t think of themselves as any better than anybody else,” Timmes says. In practice, this means that when employees make mistakes, the leader isn’t treating them as children who need to be scolded. “Some say, ‘aren’t you going to sit down and discipline them?’ But that’s not really a good leadership approach,” he explains. 
</p><p>Instead, the servant leader engages in respectful conversation which demonstrates trust in the employee to make the needed adjustments.</p><p>Trust is both a defining characteristic and defining outcome of servant leadership, says Stephen M.R. Covey, former CEO of the Covey Leadership Center and author of The Speed of Trust. </p><p>To Covey, it’s important to remember that servant leaders are both servants and leaders. “You do serve, but it still requires the other dimensions of leadership–character and competence,” he says. Competence means that the leader has a track record of high ability and achieving results, with skills that are relevant. Character means that results and accomplishments are achieved with integrity and ethics. </p><p>Trust is a prerequisite for servant leaders, because the leaders must trust that the employees are worth serving, and that they, and the organization, will benefit from their service. Practicing servant leadership generates trust in the employees, who may be inspired by their manager’s competence and character and convinced by their manager’s serve-first practice that he or she has their best interests at heart. “Trust is one of the means to achieve servant leadership, and it is also an end that is achieved by servant leadership,” Covey says.   ​ ​​</p>
https://sm.asisonline.org/Pages/Kidnapping-and-the-Private-Sector.aspx
Kidnapping and the Private Sector
Physical Security
<p>The news media focuses primarily on kidnapping cases involving high-profile targets such as captured journalists and soldiers, high-net-worth individuals, and children. </p><p>However, sensational depictions in film and television have created a popular perception of kidnapping that is often at odds with the reality. Kidnaps-for-ransom happen every day around the world, with rates influenced by geography, conflict, and political, economic, and social issues. Many cases go unreported and unnoticed outside their local setting. </p><p>In some parts of the world, law enforcement and security services are too ineffective to properly guide kidnap victims to a safe resolution. Eager to project strength, and frequently lacking effective training in how to peacefully resolve the situation, security forces often prioritize tactical interventions that may jeopardize the lives of the victims. And, in rare cases, they have been found to be complicit in the kidnapping. </p><p>It is into this space that third-party actors and private sector organizations can step in to offer support and assist in securing the safe release of the victim. Otherwise, absent advisory and duty-of-care structures compound the trauma of the ordeal for victims and their families. Structure provided by experts can help guide financial negotiations, manage family and employer liaisons, and arrange post-incident support, such as counseling or medical care. There may also be jurisdictional conflicts that preclude victims from getting the full support of their home or host country, or governments could simply be unable or unwilling to provide consular or legal support abroad. 
</p><p>Debunking the common myths surrounding kidnap-for-ransom enables a clear understanding of where there is an opening for private sector engagement and where third-party support is most required. ​</p><h4>The Kidnappers</h4><p>Although there is a common perception that militant groups carry out a large proportion of kidnaps, data from global risk consultancy Control Risks shows that only 14 percent of the kidnapping incidents that took place worldwide last year involved these groups. </p><p>This is despite the concerted kidnapping activity accompanying insecurity in places such as Libya, Iraq, and Syria, attributed particularly to ISIS, as well as renewed kidnapping activity by al Qaeda in the Islamic Maghreb (AQIM) in the Sahel region and the Abu Sayyaf Group in the Philippines.  </p><p>Instead, some 85 percent of the kidnaps recorded this year by Control Risks were perpetrated by criminal elements such as organized networks, small gangs, or individuals. These are not exclusive, with current or former members of militant groups sometimes using their resources to carry out kidnaps-for-ransom purely for personal financial gain.​</p><h4>Targeted Victims</h4><p>Corporate security managers considering their organization’s exposure to kidnap risk at home and overseas often approach the issue with their employees’ specific profile in mind. </p><p>While managers may assume that a foreign or Western employee is more likely to be targeted in higher-risk regions abroad, this is not borne out by Control Risks’ kidnapping data, which shows that 97 percent of all kidnaps last year involved local victims. Furthermore, the professionals or businesspeople among those victims represented 54 different industries and were targeted in 77 different countries, illustrating the pervasiveness of the threat and lack of focus on a limited spectrum of sectors. 
</p><p>There are local nuances to the way in which kidnappers target victims in every state or province in a given country—the kidnapping group’s capability and the general security environment largely dictate target selection. Kidnappers often take into consideration the victim’s apparent wealth to draw a high ransom, the abduction’s chance of success, and other aspects of the victim’s profile.</p><p><strong>Wealth. </strong>Criminals who make their living from kidnapping want to maximize the income from each abduction. Individuals employed by multinational companies or in high-revenue sectors might attract the attention of kidnappers because they appear to be wealthy in the local context. Kidnappers will make assumptions about a potential victim’s social and economic standing based on simple things, such as material displays of wealth like new vehicles, whether they live in a wealthy suburb, or if their children go to a fee-paying school, for example. </p><p>Alternatively, they may have insider information. A fashion heiress kidnapped in Hong Kong in April 2015, for instance, was targeted after one of the suspects carried out renovations of the property and noticed the presence of luxury cars and goods. In another case in Nigeria in 2015, a large wedding celebration hosted by the victim was enough to prove his financial value to the kidnappers, who abducted him within the month. </p><p><strong>Risk.</strong> Having selected a target, the kidnappers could put the potential victim under surveillance to ascertain any weaknesses in his or her security. The simplest option is always to abduct the victims while they are in the open. Those who have a predictable daily routine are easy to target because the kidnappers know when and where they will be traveling. The daily commute, school run, or other regular travel can give kidnappers a variety of options. 
</p><p>Control Risks’ data shows that abductions most commonly occur during a routine journey to or from work, school, or home, with 35 percent of all kidnaps in 2016 taking place at this time. In southern Nigeria, for instance, kidnappers frequently strike on Sundays when families travel to and from church services at a regular time and are vulnerable in transit. </p><p>Nevertheless, kidnappers can often be deterred by even rudimentary security provisions. Anything that makes the abduction more difficult may convince them to move on to a new target.  </p><p><strong>Profiling.</strong> In some places, criminally motivated kidnappers are more likely to target local junior or middle management employees than CEOs or foreigners in the corporate context. The calculation is that, while the latter would probably yield a higher ransom, the increased risk of arrest that follows the abduction of a high-profile figure could outweigh the potential financial benefit. </p><p>However, foreign nationals are also often harder to abduct because those present in higher-risk areas generally employ more stringent security precautions and represent a much smaller slice of the population. </p><p>In other regions, usually those prone to militancy, the victim’s unique profile will not act as a deterrent, and foreigners are often the most highly sought captives. Some groups have significant capability to kidnap high-profile victims and, by taking advantage of difficult terrain and ungoverned spaces, can hold them for long periods without fear of arrest while they negotiate a ransom. </p><p>Indeed, for some of these kidnappers, increased attention, both from the government and the media, is part of their motivation to kidnap a high-profile victim for leverage and propaganda purposes.  
​</p><h4>Abduction Locations<img src="/ASIS%20SM%20Callout%20Images/0317%20Feature%204%20Infographic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:610px;" /></h4><p>When preplanning an abduction, kidnappers look for an easy means of escape from the immediate vicinity of the abduction and a viable safe space for the period of captivity. </p><p>The partition of Mali in 2012 and the accompanying establishment of operating space for jihadist groups in the remote northern half of the country, for instance, emboldened and enabled AQIM to significantly ramp up its kidnapping activity. The group and its affiliates operating in the western Sahel have since carried out several high-profile kidnaps of foreign nationals, including in northern Burkina Faso and Niger, within a day’s drive of safe zones in northern Mali. </p><p>The porous border and weak security presence in the area create a permissive climate in which to conduct operations, and afford AQIM and its satellite groups the time and space to plan kidnaps. In 2016 alone, at least three separate kidnaps targeting foreign nationals and launched from northern Mali were attributed to the network, including that of an Australian couple in northern Burkina Faso last January and an American aid worker in Niger in October.  </p><p>In an opportunistic abduction, the targeting process is accelerated. A typical method is to set up a roadblock and screen victims as they drive through. The kidnappers will make snap assumptions about the victims’ wealth based on the car they are driving and whether they have a driver. </p><p>They can then further question the victims and search the vehicle for confirmation of their wealth. Often people will carry some detail of their employment, such as an identity or access card, that might alert the kidnappers to their potential worth. 
Visibly branded vehicles, particularly in remote or poor areas, indicate that the occupants may have a higher comparative income or that there is a chance their employer would be willing to pay a ransom for their freedom, increasing the risk. </p><p>Opportunistic, ambush-style abductions are particularly common in the eastern provinces of Congo (DRC), for example. In North Kivu province—home to a plethora of armed groups, including Rwandan rebels, local militias, and army defectors—almost all kidnaps take place at improvised roadblocks and fake checkpoints, and they frequently target convoys of vehicles. More than half of all kidnaps recorded in Congo take place in the province. Many target nongovernmental organizations and other organizations with projects in the hinterland, including construction and telecommunications firms. </p><h4>The Ransom</h4><p>While a ransom is not limited to a financial payment to release the victims, financial demands are most commonly made to the victims’ families or employers and can also extend to the victims’ national government or the victims themselves. </p><p>The type of ransom sought can vary greatly depending on the kidnapper’s profile—for example, militant groups often take hostages with the intention of trading them for group members in custody in a prisoner exchange. They have also been known to make other demands, such as a cessation of drone strikes or the withdrawal of enemy troops. </p><p>In a January 2016 hostage video featuring a Swiss missionary kidnapped from her residence in Timbuktu, for example, an al Qaeda–linked group specifically demanded the release of Ahmad al-Faqi al-Hadi, a militant on trial at the international criminal court in Brussels for ordering the destruction of ancient monuments and shrines in the city during its occupation by Islamist militants in 2012. 
Other armed groups routinely include in their demands materials useful for their future operations, such as satellite telephones, foodstuffs, vehicles, and weapons. </p><p>Sometimes less-straightforward concessions are demanded. Kidnapping is occasionally used as a last resort in cases of industrial action or as a result of a personal, business, or criminal dispute in which one party is kidnapped to compel them to pay a debt or agree to some stipulation for their release. </p><p>Control Risks has recorded several cases in Asia where kidnap is used to apply pressure on a company or vendor; these often revolve around contracting. In one 2013 case in India, for example, employees of a company kidnapped a junior staff member at another company to compel his employer to pay them money that was unforthcoming but contractually owed. </p><p>In China, the kidnap or detention of executives is a relatively common way for employees to extract concessions from their employers during labor unrest or disputes. In one such case in 2013, Chinese factory workers held their U.S. manager for five days amid a dispute over severance pay.</p><h4>Express and Virtual Kidnappings</h4><p>Classic kidnap-for-ransom is not the only crime that companies or security managers need to consider when thinking about risks to their staff, nor is it the sole extortive crime covered by insurance policies. New forms of extortive crime have accompanied the advent of new technology. These include cyber extortion, virtual kidnapping, and express kidnapping. </p><p>Virtual kidnapping is the name given to a form of extortion that emerged in Latin America in 2004 and has since spread to many parts of the world. Notably, it has become increasingly common in Asia, particularly China.</p><p>In a virtual kidnap, a criminal typically contacts a family and claims to have abducted one of their loved ones. The criminal threatens to harm or kill the victim if a ransom is not paid. 
In fact, the supposed victim of a virtual kidnap is never actually held captive, but may have been forced to cooperate with the criminals or may be completely unaware of the incident. </p><p>In many cases in Mexico, the alleged kidnap victims are contacted by the extortionists and forced to isolate themselves by checking into a hotel or another location, and remaining there until told to leave. </p><p>In most countries, the crime affects local nationals, but in Latin America, particularly in Mexico, Spanish-speaking business travelers are increasingly falling victim to the crime. Knowledge of the prevalence of this crime, and adequate preparation and training for employees who travel to areas where it is common, are crucial to mitigating the financial risk to both the individual and the company. </p><p>Express kidnapping generally involves the abduction of a victim who is forced, under threat of injury or death, to withdraw funds from ATMs. It is generally opportunistic and carried out by individuals or small, dedicated, and well-organized gangs that are often armed. </p><p>In Mexico, for example, they frequently use taxis to carry out kidnaps, posing as taxi drivers to rob the passenger. The average gain made by an express kidnapper is relatively small and the duration of captivity is generally between two and four hours. Kidnappers are attracted to express kidnapping because it allows them to avoid protracted negotiations with the victims’ families, involves little risk, and is a quick way of making money. </p><p>Foreign nationals are a favored target for express kidnappers because of their presumed wealth and the assumption that they are less likely to remain in the area during a police investigation or be able to identify the offenders. In countries like Brazil, Ecuador, and Tanzania, express kidnapping has overtaken traditional kidnapping-for-ransom. 
​</p><h4>Response and Insurance </h4><p>Most reputable insurance companies that offer kidnap-for-ransom insurance have an exclusive partnership with a specialist response firm, guaranteeing their clients immediate access to expert consultants and advice in a crisis incident. </p><p>Although insurance companies offering kidnap-for-ransom coverage and private response companies have been working hand-in-hand for decades, the confidentiality inherent in the business precludes transparency around the specifics of the insurers’ role and the services the responders provide. </p><p>Good responders are defined by their independence and are trusted by their insurance partner to work towards the best possible outcome in each kidnap: the safe and timely release of the victim. It is imperative that the insurer maintains a reputation as a reliable provider, further incentivizing the safe release of a victim or successful resolution of the case. The role of the insurer should simply be to reimburse costs and expenses the responder incurs during the process of supporting and advising the policyholder. Kidnap-for-ransom policies sold by leading insurers can also include coverage for extortion, threats, missing persons, and wrongful detention cases.  </p><p>Experienced responders can provide invaluable support to the victims, their families, and their employers, particularly in places where law enforcement and crisis management institutions are unequipped or under-resourced. Above all, the private responder has an obligation to respect the wishes of the victim, their family, or the employer, and a duty to provide them with the best possible advice and course of action. The client is free to take or ignore that advice and is always the final decision maker. Responsible responders will never act unilaterally outside the course of action agreed with the client, or outside the law. 
</p><p>Kidnap-for-ransom is not confined to the world’s most dangerous locations or perpetrated principally by jihadis or guerrillas, nor does it predominantly target those wealthy enough to pay a large ransom. </p><p>The crime is constantly evolving and adapting to the changing security environment, and security professionals must understand the nuances and risks involved for all forms of kidnap and extortive crime to practice successful mitigation.   ​</p><p>--<br></p><p><em>Sebastian Boe is a special risks analyst responsible for conducting research and analysis on kidnapping and extortion trends in Africa within Control Risks’ Response department. ​</em></p>
https://sm.asisonline.org/Pages/Running-on-Empty.aspx
Running on Empty
Strategic Security
<p>In this age of overload, with organizations trying to do more with less, employees buried in information, and devices that call for round-the-clock urgency, burnout is a malady ripe for our times. Burnout can strike even the most productive workers and the most consistent performers, as well as those who seem to have the greatest capacity for hard work, experts say. </p><p>One reason burnout is such a pernicious problem is that it does not have to be total for its effects to be devastating.</p><p>“Burnout tends to plateau rather than peak,” says Paula Davis-Laack, specialist in burnout prevention programs, founder and CEO of the Stress and Resilience Institute, and author of Addicted To Busy: Your Blueprint for Burnout Prevention. “Burnout exists on a continuum. You don’t have to be completely mentally broken down and barely able to get out of bed to feel major effects.”</p><p>In other words, employees suffering mid-level burnout may still be able to power through and complete an adequate amount of work by sheer force of will, but their partially depleted state greatly hinders their performance and productivity, and it keeps them from realizing their full potential. </p><p>“That can go on for months, or even years, depending on the person’s work ethic,” says management expert Brady Wilson, cofounder of Juice Inc. and author of Beyond Engagement and other business performance books. </p><p>In a field like security, workers can be especially vulnerable to burnout, given the continual pressure and stress that go into protecting people and assets, and the high stakes involved if a breach does occur. 
</p><p>“Constant job pressure, especially when some of the factors are out of your control like they are with security, is definitely one of the causes of burnout in employees,” says Carlos Morales, vice president of global sales, engineering, and operations at Arbor Networks, which specializes in network security. </p><p>The consequences of burnout are varied; in some cases, they involve serious health issues. Davis-Laack, who became a specialist in the field after burning out as a practicing attorney, says she experienced weekly panic attacks and a few stomachaches that were so painful they sent her to the emergency room. Coronary disease, depression, and alcohol abuse are other possible consequences. </p><p>For the employer, burnout can significantly compromise workplace quality, causing more absenteeism, turnover, accident risk, and cynicism, while lowering morale and commitment and reducing willingness among workers to help others.</p><p>Fortunately, in many cases burnout can either be avoided, with deft management and a supportive organization, or significantly alleviated using various strategic methods. But like most maladies, it must be understood before it can be properly addressed. </p><h4>Symptoms and Conditions</h4><p>Burnout occurs when the demands people face on the job outstrip the resources they possess to meet them. Psychologists who study burnout as a condition divide it into three dimensions: exhaustion, depersonalization, and reduced personal accomplishment.</p><p>When the first aspect—exhaustion—hits, the employee may feel emotionally, physically, and cognitively depleted. This often spurs feelings of diminished powers; challenges that were formerly manageable can seem insurmountable. As Davis-Laack describes her own experience of this condition: “Every curveball seems like a crisis.”</p><p>When depersonalization occurs, an employee may start to feel alienated from his or her own job, and more cynical and resentful toward the organization. 
Work and its mission lose meaning; feelings of going-through-the-motions increase. Detached and numb, the employee tries to plow ahead. </p><p>Exhaustion and depersonalization often combine to produce the third component of reduced personal accomplishment. As Wilson explains, the depleted employee possesses considerably less “executive function,” or the ability to focus, self-regulate, connect the dots between ideas, strategize, analyze, execute smoothly, and follow through—all of which can be thought of as “the power tools of innovation.” </p><p>“Nuanced thinking and value-added thinking are the first to go when employees are exhausted,” he says. “Instead, they rely on duct-tape fixes, reactivity, firefighting. They don’t get to the root causes of problems and issues.” </p><p>The state of mind that burnout can elicit sometimes leads to self-blame, where the employee feels that he or she is professionally inadequate. But that is unfair, says Davis-Laack: “I don’t want individual workers to feel that it’s all their fault.” </p><p>The root causes of burnout, she explains, are usually a product of what employees bring to the table—work ethic, how closely they tie work to self-worth, their level of perfectionism—and how the organization itself functions, which can be an important factor. </p><p>Understanding key organizational conditions, experts say, will help managers maintain a culture that protects employees from burning out. One of these conditions involves what the organization chooses to reward. </p><p>Wilson explains this as follows. For many years, many organizations stressed the importance of keeping employees engaged. But the definition of engagement has shifted, so that many firms now define engaged workers as those with clear dedication and commitment, who come to work early and stay late. “What’s missing from this definition is passion, enthusiasm, verve, and spirit,” he says. 
</p><p>When engagement is so defined, increased effort, such as working more hours and taking on more projects, is rewarded. But simply increasing hours at the office does not produce high performance, Wilson says. </p><p>“We get our epiphanies in the shower—we don’t get them when we are determined and gritting our teeth around a board room table. It’s not effort that produces brilliance, it’s energy,” he explains. But sometimes, the more-rewards-for-more-work philosophy can function as an unintentional incentive to burn out.</p><p>The organization’s day-to-day working conditions are also crucial here. Research has found that two factors can be deadly in sapping an employee’s resources, according to Davis-Laack. </p><p>One is role conflict and ambiguity, which can occur when employees are never clear on exactly what is expected of them, and on what part they should be playing in active projects. “That’s very wearing on people,” she says. </p><p>Another is unfairness, which is often related to office politics. This can include favoritism, failure to recognize contributions, being undermined, or dealing with the demands of never-satisfied supervisors.</p><p>Such stressful conditions push some employees into “gas guzzling” energy mode, because they require so much emotional effort just to cope with them, Wilson says. </p><p>“Substances generated by stress, such as cortisol and adrenaline, have a beautiful utilitarian use—to get us out of trouble, to keep us safe,” he explains. “But we are not as productive when we have a brain that is bathed in those things day in and day out.” </p><h4>Detection</h4><p>Although it is vital for managers to strive to maintain a positive office culture, it’s also important to recognize that burnout can happen even in the healthiest of environments. Given this, Morales encourages attempts at early detection. 
</p><p>“As a manager or executive, it is important to first note the factors that tend to cause burnout even before employees begin to show signs,” he says. “This gives you the opportunity to address issues proactively with employees.” </p><p>These factors, he explains, include a very travel-heavy schedule (50 percent or more of total work time); consistently logging work weeks of 60-plus hours; unrelenting expectations of working off-hours and on weekends; and constant deadline time pressure. </p><p>But since early detection is not always successful or even possible in some cases, managers should also be looking for common signs of burnout that their employees might be exhibiting. Morales advises security managers to look for combinations of the following characteristics that are different from usual behaviors:</p><ul><li><p> General lack of energy and enthusiasm around job functions and projects.<br></p></li><li><p> Extreme sensitivity and irritability towards coworkers, management, and work situations.<br></p></li><li><p> Constant signs of stress and anxiety.<br></p></li><li><p>Significant changes in social patterns with coworkers.<br></p></li><li><p>Sharp drop in quantity and timeliness of output.​<br></p></li></ul><p>When looking for signs of burnout, it’s important for a manager to have a high degree of familiarity with the employee in question, a familiarity which is a byproduct of a strong manager-staff relationship. </p><p>“You’ve got to know your people,” Davis-Laack says. “When someone seems more checked out and disengaged than usual, if you know your people well enough, you can spot it.” ​</p><h4>Treatment</h4><p>When it becomes clear that an employee is suffering from burnout, managers have several options for treatment and alleviation, experts say. Morales says he believes that managers must first come to an understanding of the underlying factors, so that they can be addressed.   
</p><p>“If there is a workload issue, a manager may be able to spread out the workload with other workers to alleviate the issue,” he says. “It’s important to let the employees know that this is being done to gain more scale, and to reinforce that they are doing a good job.”</p><p>Indeed, crushing workloads are now common in many workplaces, experts say, as many companies are actively cost cutting while attempting to raise productivity and output. And for employees who work with data, such as security employees who use analytics, benchmarks, or some form of metrics, the information explosion is requiring more and more staff hours to keep up with the processing and analysis. Managers must be cognizant of this, Davis-Laack says. </p><p>“If you do nothing but pile work on people—well, people are not robots and they are not computers. They are going to wear out,” she explains.</p><p>To combat this, managers should employ a strategic and honest operations analysis, she advises. The department may be generating more output with increasing workloads, but burnout and turnover risk is also increasing, as is the likelihood of costly mistakes. Is it worth the risk? Hiring additional help or outsourcing some tasks may be cheaper in the long run than the costs due to turnover and errors. </p><p>When a department conducts a strategic review of operations, the focus is often on fixing glitches in process, experts say. A focus on reducing workload is less common, but when it is adopted, it often reveals that certain time-consuming tasks are unnecessary.</p><p>If the burnout is caused by a stressful job function, such as a security position in which the worker is protecting assets of great value, the manager can discuss the situation with the employee and ensure that support is available, Morales says. “This may help them feel less alone or helpless in situations,” he says.   
</p><p>Another key strategy for managers is to add extra focus and energy to the resources part of the puzzle, Davis-Laack says. “Help them to build up their energy bank account, so they are not always feeling depleted.” </p><p>She offers five ways for managers to do so:  </p><ul><li><p> Maintain and ensure high-quality relationships between managers and staff members, and between team members themselves. This fosters a healthy and safe environment where problems can be discussed and addressed.  <br></p></li><li><p> Whenever possible, give team members some decision authority. This gives them a sense of autonomy and strength when dealing with issues, and helps avoid feelings of powerlessness. <br></p></li><li><p> Follow the FAST system of respectful feedback—give frequent, accurate, specific, and timely feedback. This helps employees make tweaks and adjustments, and lets them know they are on the right course.  <br></p></li><li><p> Demonstrate that you have the employees’ backs, and always be willing to go to bat for them. Don’t point fingers or complain to higher ups when mistakes are made. This is crucial in building trust.  <br></p></li><li><p> Identify and encourage skills that will help your team members build resilience. These will vary depending on the specific job and situation, but include any skill or resource that can be used when challenges arise, as well as those that help manage stress.  ​<br></p></li></ul><p>In working toward the previous point, managers may want to brainstorm with staff to find ways to make everyone more resourceful. For instance, managers could periodically check in with staff members to determine the team’s overall level of resources, so they can replenish them when they’re low.</p><p>Indeed, soliciting solutions from staff is an excellent practice for managers, because it shows they are partnering with employees, not parenting them, Wilson says. 
The parenting style of management assumes that the manager has knowledge that the worker will never have, and it sets up the employee for helplessness. The partnering style cultivates the employees’ decision-making skills, so they can skillfully meet their own needs. </p><h4>Touchy Subject</h4><p>Burnout can be a sensitive subject. Some workers attach great self-worth to their productivity and performance, and do not like to concede that they are struggling. </p><p>“It is very difficult for some high performers to admit that their engagement is lacking. There’s a sense of judgment associated with that,” Wilson says. </p><p>Some of these workers truly are burned out despite their failure to admit it, and they may be in a precarious state. “I have seen cases where the hardest and most productive workers will not admit to burnout,” Morales says. “In these situations, burnout occurs quite suddenly, without many of the behavioral warning signs.”</p><p>Other employees fear that admitting burnout is disclosing a weakness, one that could prevent them from future promotions or ultimately cost them their job. “They like their work and they don’t want to change jobs, or they can’t change jobs because they have monetary obligations,” Davis-Laack says. </p><p>Here, management can go a long way by being proactive and soliciting feedback from workers regarding their state of mind. “It’s important to have regular discussions with employees about the impact of the workload on them personally, and give them every opportunity to talk through their situation, and vent if necessary,” Morales says. “It’s important for management to recognize the potential for burnout and approach employees proactively to discuss it. 
It provides employees a safe environment in which to talk through the situation.”</p><p>In these situations, a manager can approach an employee with a proactive goal—how can workload and workplace environment be shaped so that the employee is energized in the office, and still has energy left at the end of the day and on weekends for a life outside of work, Wilson explains.  </p><p>Using this framework, Wilson adds that it is often easier for the manager to then ask, “What’s getting in the way of that? Is it bureaucratic interference? Is there too much on your plate? Is there bullying going on, or other workplace environment problems?”  ​</p><h4>More Recognition</h4><p>But while burnout is still a sensitive subject among some workers, there is also a growing recognition that it is a serious issue that needs to be dealt with, experts say. This may be partly driven by recent research in fields like healthcare and finance, where findings suggest that burnout and overwork are causing costly mistakes that are detrimental to a company’s bottom line. </p><p>Moreover, more business leaders see that the problem, if left unchecked, will just get worse in the future, due to factors such as globalization and a web of technology that is becoming more and more complex. “The perfect storm is upon us,” Wilson says.</p><p>Davis-Laack says she is heartened by the fact that the burnout issue, which was frequently dismissed as too “soft” to be a subject at business conferences, is appearing on more agendas. </p><p>“It’s finally starting to get attention across different professions and different sectors,” she says. “Managers are taking it more seriously.” ​​</p>
https://sm.asisonline.org/Pages/ASIS-News-February-2017.aspx
Jack Lichtenstein Leaves ASIS, Offers Insights on Trump
Strategic Security
<p>At this, the end of my 22 years as staff executive for ASIS International’s legislative and public policy work, I have been asked to provide some insights into the political near-future of security. </p><p>These are unnerving times. Rarely has there been such uncertainty about America’s direction at home and abroad as there is at the end of 2016. All this is in the face of mounting threats to our security and to that of our friends.</p><p>Eventually, Americans will sort it out; they always have. But there are dangers. The sorting may be long and uncertain. And uncertainty is not the friend of security. Security requires planning, analysis, and agility, none of which can be done well in an environment filled with unknowns. Security is the antithesis of politics, which tends to be careless and messy in democracies. </p><p>The new American administration will be led by a man without credentials in government, who has pledged to change how Washington works. He was elected not as much to keep America secure but because so many Americans feel alienated from their own political and governmental institutions. They see their standard of living in decline; they sense that they have been overlooked, even disdained. More than anything, that explains the election of Donald Trump.</p><p>Trump seems to espouse two overarching themes, both recurring repeatedly in his pronouncements and appointments. One is to restore the U.S. economy to a position of world leadership. The other is to keep America and Americans secure.</p><p>The president has tools to invigorate the economy. His early aims will include accelerating job creation via infrastructure programs and tax and regulatory relief. 
Nearly all avenues will be aimed at job creation in the United States, despite many economic factors that are out of his control.</p><p>Security is more manageable by the White House, a result not only of presidential control of the bureaucracy but of strong (some would say excessive) executive actions in the form of Presidential Directives issued by the George W. Bush and Barack Obama administrations.</p><p>It is too early to tell which of Trump’s positions—many of which have been incomplete, infeasible, or conflicting—will find their way into practice. But I offer the following recommendations based on what is possible and likely:</p><p>• Pay attention to what he does, not what he says. Trump is known for impromptu statements, which get attention but are not always useful to understanding.</p><p>• Expect emphasis to be on U.S. domestic issues during the first two years. Trump will enjoy a Republican majority in Congress for that long, which he will need to get his domestic agenda passed. He is most comfortable with economic and infrastructure issues, including job creation. He knows he was elected by Americans who want first to restore their country’s economic vitality.</p><p>• “The Wall” is a metaphor, but border security will be real. U.S. Department of Homeland Security selectee and retired U.S. Marine Corps General John F. Kelly commanded the U.S. Southern Command. He understands border issues and security and will be charged with assessing vulnerabilities and determining the right combinations of physical, technological, and personnel means for dramatically reducing illegal immigration.</p><p>• In other matters of security, America will continue to be a reliable ally if for no other reason than that conflict disrupts growth. Trump will expect U.S. allies to invest heavily in their own security. 
This means that there will be more spending on prevention and response programs, but also avoidance of political positions, for example immigration policies, that lay bare their vulnerabilities.</p><p>• Finally, in any dealings between the United States and other countries, America must emerge a winner. That does not mean the only winner; there can be many. But the United States will not be a loser. As those familiar with Trump’s pronouncements know so well, he abhors the very thought of being a loser.</p><p>As I move on to new professional challenges, I believe more than ever that government relations is an essential role for security professionals. Its aim must be creation and maintenance of effective public-private partnerships in security. This should be part of the mission not only of ASIS but of every ASIS chapter in every country.</p><p>The people of democracies expect those overseeing government and corporate security to coordinate in the public interest. Failure to do so is unacceptable. It not only weakens security, it leaves private practitioners exposed to needless government oversight and overreaction when politicians respond, as they will, to security failures that are sometimes unforeseeable.</p><p>I thank the membership of ASIS International for the privileges of being their counsel and representing their interests these many years. Few pursuits are more vital, and few professions more important. </p><p>--<br></p><p><em>Jack Lichtenstein, former vice president, ASIS Government Affairs and Public Policy ​</em></p>
https://sm.asisonline.org/Pages/The-Virtual-Lineup.aspx
The Virtual Lineup
<p>U.S. state and federal agencies are amassing databases of American citizens’ fingerprints and images. The programs were largely under the public radar until a governmental watchdog organization conducted an audit on them. The so-called “virtual lineups” include two FBI programs that use facial recognition technology to search a database containing 64 million images and fingerprints.</p><p>In May 2016, the U.S. Government Accountability Office (GAO) released <em>Face Recognition Technology: FBI Should Better Ensure Privacy and Accuracy</em>, a report on the FBI programs. Since 1999, the FBI has been using the Integrated Automated Fingerprint Identification System (IAFIS), which digitized the fingerprints of arrestees. In 2010, a $1.2 billion project began that would replace IAFIS with Next Generation Identification (NGI), a program that would include both fingerprint data and facial recognition technology using the Interstate Photo System (IPS). The FBI began a pilot version of the NGI-IPS program in 2011, and it became fully operational in April 2015. </p><p>The NGI-IPS draws most of its photos from some 18,000 federal, state, and local law enforcement entities, and consists of two categories: criminal and civil identities. More than 80 percent of the photos are criminal—obtained during an arrest—while the rest are civil and include photos from driver’s licenses, security clearances, and other photo-based civil applications. The FBI, which is the only agency able to directly access the NGI-IPS, can use facial recognition technology to support active criminal investigations by searching the database and finding potential matches to the image of a suspected criminal. 
</p><p>Diana Maurer, the director of justice and law enforcement issues on the homeland security and justice team at GAO, explains to Security Management that the FBI can conduct a search for an active investigation based on images from a variety of sources—camera footage of a bank robber, for example. Officials input the image to the NGI-IPS, and the facial recognition software will return as many as 50 possible matches. The results are investigative leads, the report notes, and cannot be used to charge an individual with a crime. A year ago, the FBI began to allow seven states—Arkansas, Florida, Maine, Maryland, Michigan, New Mexico, and Texas—to submit photos to be run through the NGI-IPS. The FBI is working with eight additional states to grant them access, and another 24 states have expressed interest in using the database.</p><p>“The fingerprints and images are all one package of information,” Maurer says. “If you’ve been arrested, you can assume that you’re in, at a minimum, the fingerprint database. You may or may not be in the facial recognition database, because different states have different levels of cooperation with the FBI on the facial images.”</p><p>The FBI has a second, internal investigative tool called Facial Analysis, Comparison, and Evaluation (FACE) Services. The more extensive program runs similar automated searches using NGI-IPS as well as external partners’ face recognition systems that contain primarily civil photos from state and federal government databases, such as driver’s license photos and visa applicant photos. </p><p>“The total number of face photos available in all searchable repositories is over 411 million, and the FBI is interested in adding additional federal and state face recognition systems to their search capabilities,” the GAO report notes.</p><p>Maurer, who authored the GAO report, says researchers found a number of privacy, transparency, and accuracy concerns over the two programs. 
Under federal privacy laws, agencies must publish a Systems of Records Notice (SORN) or Privacy Impact Assessments (PIAs) in the Federal Register identifying the categories of individuals whose information is being collected. Maurer notes that the information on such regulations is “typically very wonky and very detailed” and is “not something the general public is likely aware of, but it’s certainly something that people who are active in the privacy and transparency worlds are aware of.” </p><p>GAO found that the FBI did not issue timely or accurate SORNs or PIAs for its two facial recognition programs. In 2008, the FBI published a PIA of its plans for NGI-IPS but didn’t update the assessment after the program underwent significant changes during the pilot phase—including the significant addition of facial recognition services. Additionally, the FBI did not release a PIA for FACE Services until May 2015—three years after the program began. </p><p>“We were very concerned that the Department of Justice didn’t issue the required SORN or PIA until after FBI started using the facial recognition technology for real world work,” Maurer notes. </p><p>Maurer says the U.S. Department of Justice (DOJ)—which oversees the FBI—disagreed with the GAO’s concerns over the notifications. Officials say the programs didn’t need PIAs until they became fully operational, but the GAO report noted that the FBI conducted more than 20,000 investigative searches during the three-year pilot phase of the NGI-IPS program. </p><p>“The DOJ felt the earlier version of the PIA was sufficient, but we said it didn’t mention facial recognition technology at all,” Maurer notes. </p><p>Similarly, the DOJ did not publish a SORN that addressed the collection of citizens’ photos for facial recognition capabilities until GAO completed its review. 
Even though the facial recognition component of NGI-IPS has been in use since 2011, the DOJ said the existing version of the SORN—the 1999 version that addressed only legacy fingerprint collection activities—was sufficient. </p><p>“Throughout this period, the agency collected and maintained personal information for these capabilities without the required explanation of what information it is collecting or how it is used,” the GAO report states.</p><p>It wasn’t until May 2016—after the DOJ received the GAO draft report—that an updated SORN was published, Maurer notes. “So they did it very late in the game, and the bottom line for both programs is the same: they did not issue the SORNs until after both of those systems were being used for real world investigations,” Maurer explains. </p><p>In the United States, there are no federally mandated repercussions for skirting privacy laws, Maurer says. “The penalty that they will continue to pay is public transparency and scrutiny. The public has very legitimate questions about DOJ and FBI’s commitment to protecting the privacy of people in their use of facial recognition technology.”</p><p>Another concern the GAO identified is the lack of oversight or audits for using facial recognition services in active investigations. The FBI has not completed an audit on the effectiveness of the NGI-IPS because it says the program has not been fully operational long enough. As with the PIA and SORN disagreements, the FBI says the NGI-IPS has only been fully operational since it completed pilot testing in April 2015, while the GAO notes that parts of the system have been used in investigations since the pilot program began in 2011. </p><p>The FBI faces a different problem when it comes to auditing its FACE Services databases. 
Since FACE Services uses up to 18 different databases, the FBI does not have the primary authority or obligation to audit the external databases—the responsibility lies with the owners of the databases, DOJ officials stated. “We understand the FBI may not have authority to audit the maintenance or operation of databases owned and managed by other agencies,” the report notes. “However, the FBI does have a responsibility to oversee the use of the information by its employees.” </p><p>Audits and operational testing on the face recognition technology are all the more important because the FBI has conducted limited assessments on the accuracy of the searches, Maurer notes. FBI requires the NGI-IPS to return a correct match of an existing person at least 85 percent of the time, which was met during initial testing. However, Maurer points out that this detection rate was based on a list of 50 photos returned by the system, when sometimes investigators may request fewer results. Additionally, the FBI’s testing database contained 926,000 photos, while NGI-IPS contains about 30 million photos.</p><p>“Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists—specifically between two and 50 photos,” the report states. “FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes.” </p><p>Maurer notes that the GAO recommendation to conduct more extensive operational tests for accuracy in real-world situations was the only recommendation the FBI agreed with fully. “It’s a start,” she says. </p><p>The FBI also has not tested the false positive rate—how often NGI-IPS searches erroneously match a person to the database. Because the results are not intended to serve as positive identifications, just investigative leads, the false positive rates are not relevant, FBI officials stated.</p><p>“There was one thing they seemed to miss,” Maurer says. 
“The FBI kept saying, ‘if it’s a false positive, what’s the harm? We’re just investigating someone, they’re cleared right away.’ From our perspective, the FBI shows up at your home or place of business, thinks you’re a terrorist or a bank robber, that could have a really significant impact on people’s lives, and that’s why it’s important to make sure this is accurate.”</p><p>The GAO report notes that the collection of Americans’ biometric information combined with facial recognition technology will continue to grow both at the federal investigative level as well as in state and local police departments.</p><p>“Even though we definitely had some concerns about the accuracy of these systems and the protections they have in place to ensure the privacy of the individuals who are included in these searches, we do recognize that this is an important tool for law enforcement in helping solve cases,” Maurer says. “We just want to make sure it’s done in a way that protects people’s privacy, and that these searches are done accurately.”</p><p>This type of technology isn’t just limited to law enforcement, according to Bloomberg’s Hello World video series. A new Russian app, FindFace, by NTechLab allows its users to photograph anyone they come across and learn their identity. Like the FBI databases, the app uses facial recognition technology to search a popular Russian social network and other public sources with a 70 percent accuracy rate—the creators of the app boast a database with 1 billion photographs. Moscow officials are currently working with FindFace to integrate the city’s 150,000 surveillance cameras into the existing database to help solve criminal investigations. But privacy advocates are raising concerns about other ways the technology could be used. For example, a user could learn the identity of a stranger on the street and later contact that person. 
And retailers and advertisers have already expressed interest in using FindFace to target shoppers with ads or sales based on their interests. </p><p>  Whether it’s a complete shutdown to Internet access or careful monitoring of potentially dangerous content, countries and companies around the world are taking advantage of the possibilities—and power—inherent in controlling what citizens see online. As criminals and extremists move their activities from land and sea to technology, governments must figure out how to counter digital warfare while simultaneously respecting and protecting citizens’ basic human right to Internet access.​ ​</p>