More Headlines
<h3><a href="https://sm.asisonline.org/Pages/Cinco-Acontecimientos-que-Moldearon-la-Gestión-de-Crisis.aspx">Five Events That Shaped Crisis Management</a> (Strategic Security)</h3>
<p><strong>1) Deepwater Horizon.</strong> When the Deepwater Horizon rig exploded off the coast of Louisiana in 2010, 11 workers died and more than 5 million barrels of oil were spilled into the Gulf of Mexico. British Petroleum's determination to blame other parties backfired, and the various entities involved became adversaries. BP's strategy was seen as an attempt to escape its responsibilities. Remember: rehearse, practice, train; especially with your partners.</p>
<p><strong>2) Exxon Valdez.</strong> The spill of 10 million gallons of oil in Prince William Sound caused by the tanker Exxon Valdez in 1989 remains a source of litigation and disputes. ExxonMobil initially turned down requests from the press, until its president finally decided to give an interview. When he did, he came across as mediocre and unprepared. Remember: companies must have a bench of trained spokespeople ready to respond to the inevitable press requests. Refusing to speak to the media is never an option.</p>
<p><strong>3) Piper Alpha.</strong> In July 1988, an explosion on the Piper Alpha platform in the North Sea took the lives of 167 men. Occidental Petroleum Corporation had no local response team, so the police took on the role of reporting the fatalities as well as the injuries (even though UK law only requires the police to notify deaths, not injuries). The slowness of the process led to Occidental being accused of not caring about its employees and their families. Remember: major incidents require a coordinated response.</p>
<p><strong>4) Pan Am.</strong> The bombing of Pan American World Airways Flight 103 over the town of Lockerbie, Scotland, in 1988 killed 243 passengers, 16 crew members, and 11 people on the ground. Because it was a terrorist attack, Pan Am made the deliberate decision not to communicate about the disaster, because it considered itself the victim and not “the villain.” The media turned to the grieving relatives in place of the company, whose silence guaranteed that it would ultimately become the villain. Remember: regardless of the cause of the incident, institutions must take part in every rescue and response effort. Organizations cannot be victims.</p>
<p><strong>5) Miracle on the Hudson.</strong> In 2009, US Airways Flight 1549 made an emergency landing on the Hudson River, allowing 150 passengers and 5 crew members to be evacuated safely. The airline chose to focus on the heroic actions of its crew and took advantage of the event by publicly praising its “five outstanding aviation professionals.” Although the story might have been different had there been fatalities, the incident enhanced the organization's reputation. Remember: you can set the narrative of your crisis.</p>
<p><em>Andrew Griffin is CEO of the global crisis management consultancy Regester Larkin.</em></p>
<h3><a href="https://sm.asisonline.org/Pages/Book-Review---Disasters-and-Public-Health.aspx">Book Review: Disasters and Public Health</a> (National Security)</h3>
<p>This book represents the rare case where the sequel is better than the original. The second edition of <em>Disasters and Public Health: Planning and Response</em> is a good primer for public health, emergency management, and security professionals. In particular, security officers also responsible for safety may find this book helpful in understanding common threats and hazards, applicable alert and warning conditions, and rudimentary mitigation, preparedness, and immediate actions.</p>
<p>Like a textbook, the book organizes each chapter into the same structure: a brief case study to introduce the topic, learning objectives, an explanation of the threat or hazards discussed in the chapter, definitions, health considerations, and preparedness and immediate response and recovery actions. The consistent format makes the book easy to use as a reference. Where applicable, the authors insert additional sections. For example, they include a discussion of medical countermeasures for nuclear and radiological hazards, a discussion of labeling systems for chemical hazards, and recommended warning messages for different groups during winter weather hazards.</p>
<p>The second edition adds several new chapters on threats and hazards not addressed in the earlier edition, including chapters on emerging infectious diseases and foodborne illnesses. Several original chapters have been updated, and many examples have been updated to reflect recent historical events. There are also new chapters reflective of recent concerns for public health and emergency managers, considering topics such as resilience, at-risk populations, and disaster behavioral health.</p>
<p>While many of the discussions related to public health are United States–centric, the recommendations and messages may be applied globally. The chapter on community disaster resilience introduces a number of international sources to support the development of resilience strategies, and the examples, likewise, are broader, discussing Chernobyl, the early 2000s European heat waves, and the 1991 eruption of Mount Pinatubo, among others.</p>
<p>The case studies that open each chapter, while illustrative and applicable, are not intended as in-depth analyses, often providing only short summaries of the responses. Preparedness and response, however, are thoroughly addressed in the detailed explanations of the hazards and threats themselves, and more detailed cases are often included in the chapters.</p>
<p>The material is informative, simple, and easy to understand for the non-expert. For example, the chapter on at-risk populations provides simple examples of populations that might be at risk and why. The list is comprehensive, if not complete, and while much of the information is common sense, it is an extremely useful list to have on hand as a reminder of who might be affected, by what, and why. Similarly, most chapters provide a list of hazard-related definitions to help the reader understand, for example, the differences between corrosive and oxidizing chemical agents.</p>
<p><em>Disasters and Public Health: Planning and Response</em> purports to detail lessons learned. Lessons are there, but the reader will have to look for them because they are often buried in the text. The lessons are geared towards preparedness and response and include both general public guidance and information for the response communities. For example, lessons learned in the chapter on Tornadoes and Thunderstorms are provided as messages for the community, including “Do not try to outrun a tornado in a car.” Similarly, lessons from previous foodborne outbreaks are listed as food safety measures. All in all, this text provides both useful threat and hazard introductions and lessons and actions that even seasoned security professionals can benefit from.</p>
<p><em><strong>Reviewer: Dr. Deena Disraelly</strong> is a research staff member at the Institute for Defense Analyses and an adjunct professor at The George Washington University School of Engineering and Applied Science. She has more than 20 years of experience in emergency management and serves as the chair of the ASIS Global Terrorism, Political Instability, and International Crime Council.</em></p>
<h3><a href="https://sm.asisonline.org/Pages/Cultivate-Engagement.aspx">Cultivate Engagement</a> (Strategic Security)</h3>
<p>Each day, pollsters at the Gallup company monitor the upticks and downticks of America’s pulse. They track large-scale indicators like the country’s unemployment rate, the citizenry’s economic confidence, and the president’s approval rating. But among these tracked statistics at Gallup.com Daily lies a less publicized marker: what percentage of U.S. workers say they are engaged at their jobs?</p>
<p>For managers, the answer may be discouraging: only about one-third of American workers are engaged on the job, Gallup now finds. The employee engagement rate has stayed in that low range for the last 15 years—from 26 percent (on a yearly average basis) in 2000 to 33 percent in 2016, according to Jim Harter, chief scientist of Gallup’s international workplace management and well-being practices.</p>
<p>Actively disengaged employees cost the United States $450 billion to $550 billion per year, according to Gallup’s research. Employee disengagement can increase turnover, pollute office culture, and lead to more mistakes in the workplace—the last of which can be dangerous in the security industry, where oversights and errors can result in damaging breaches.</p>
<p>Conversely, Gallup researchers found that organizations that successfully sustain high employee engagement reap serious benefits. On average, profitability is 22 percent higher; productivity, 21 percent higher; absenteeism, 37 percent lower; and there are 48 percent fewer staff safety incidents.</p>
<p>Moreover, experts say there are many best practices that organizations and managers can follow to maximize employee engagement. From strength building to safe-space dialogue to stronger mission connection, a security manager’s approach and an organization’s leadership can make all the difference.</p>
<h4>Energy and Flow</h4>
<p>Employee engagement is not a new workplace concept; it has been discussed and studied for more than 25 years. But with more and more recent research illustrating its benefits, and the hazards of disengagement, the concept of employee engagement is now “much more integrated into how we look at work,” says management expert David Zinger, a Canada-based consultant who runs The Employee Engagement Network, an online resource.</p>
<p>Zinger and other experts argue that Gallup’s methodology (a 12-question survey that poses core value questions such as “at work, do I have the opportunity to do what I do best every day”) leads to exceedingly low engagement scores. Other methodologies put the U.S. employee engagement rate at about 50 percent, these experts say. Still, almost all agree that whatever metric is used, the rate is still too low.</p>
<p>By definition, employees who are engaged are usually involved in and enthusiastic about their work, and are making valuable contributions to their organization. Bob Kelleher, an expert who runs The Employee Engagement Group consultancy, says he thinks of engagement as a successful partnership between an employer and employee.</p>
<p>“The employer is helping the employee reach his or her potential, while the employee is helping the employer reach its potential,” he explains. “It’s the ultimate win–win. The byproduct of this partnership is discretionary effort.”</p>
<p>And that discretionary effort from the employee often comes naturally, because of the positive energy generated by simply being engaged.</p>
<p>“When an employee is engaged, they experience a state of flow. They are energized. They are learning. They have fun,” says Pi Wen Looi, a workplace expert who heads the Novacrea consulting firm. “As a result, they are more likely to recommend their company as a great place to work, stay longer with the company, and go above and beyond their role.”</p>
<h4>Natural Selection</h4>
<p>Managers play a crucial role in maximizing employee engagement in the workplace—and that management effort should start with the hiring process, experts say.</p>
<p>Looi mentions recent research she was involved in that was aimed at identifying employees’ sense of purpose to help them find jobs that were in tune with their personal values. The research showed how an employee-employer values alignment at the start led to greater engagement.</p>
<p>“If you want to have engaged employees, you’ll need to make sure you are recruiting the right talent—a passion and value match, a culture fit, and with the right skills,” she says.</p>
<p>In part, that’s because high salaries are ultimately not enough to ensure high engagement, she adds. “What motivates employees comes from their own heart. You may have market competitive pay and benefits, but these extrinsic motivators are not sufficient to propel employees forward,” she explains. “It’s the intrinsic motivators such as pursuing their values and passion, continual learning, and building good relationships with peers that will keep a person going and thriving.”</p>
<p>Kelleher illustrates this by using the acronym BEST. Employers tend to hire for the middle two letters, education (E) and skills (S), in hopes that they will be the most reflective of performance. But it is the first and last letters, behaviors (B) and traits (T), that best reflect employees’ values.</p>
<p>Since a values alignment is key to engagement, employers should also focus on behaviors and traits in the hiring process. Sometimes, disengagement is the result of the fact that the values of the company and the employee were never a match. “I often tell clients, ‘You don’t have an engagement issue, you have a selection issue,’” Kelleher says.</p>
<p>The importance of the hiring and selection process also applies to managers, Gallup’s Harter says. Many who become managers don’t yet have the skills and training to be effective.</p>
<p>“A lot of people are put into the role because they are successful in a previous position, but that position was not a managerial one,” he says. “Or, they are selected because they have been around a long time in the organization, so it becomes a rite of passage.”</p>
<p>Indeed, based on his decades-long study of engagement and the U.S. workplace, Harter says that sound manager selection is one of the three most effective ways an organization can increase engagement. The other two ways are managerial practices—a focus on building employee strengths, and a sustained two-way coaching dialogue between managers and employees.</p>
<p>These last two ways are effective in part because they are being driven from below, Harter explains. Newer workers, the 20- and early 30-somethings who are members of the millennial generation, “want a coach type of manager who focuses on strength-based development, as opposed to a manager who is an expert in their weaknesses,” he says.</p>
<p>In a strengths-based workplace culture, employees often learn their roles more quickly, produce better work, and are more engaged, he adds.</p>
<p>In its own recent research, Gallup found that 67 percent of employees who say that their manager focuses on their strengths are engaged, compared with only 31 percent of the employees who say that their manager focuses on their weaknesses.</p>
<h4>Continual Conversation</h4>
<p>Besides a strength-based approach, younger workers are also asking for a managerial approach that does not focus on a once-a-year performance review, but features a continuous two-way conversation in a coaching manner, Harter says.</p>
<p>Other experts agree. Zinger, who consults on employee engagement around the world, says that one commonality he has noticed is that employees in virtually every country want their managers to care about them. Kelleher also stresses this.</p>
<p>“Empathy is a significant leadership competency—especially in 2017,” Kelleher says. “Employees who think their employers care about them as people are more likely to give above and beyond.”</p>
<p>A 2016 Gallup report, What Great Managers Do to Engage Employees, drew the same conclusion.</p>
<p>“A productive workplace is one in which people feel safe…enough to experiment, to challenge, to share information, and to support one another,” the study finds. “In this type of workplace, team members are prepared to give the manager and their organization the benefit of the doubt. But none of this can happen if employees do not feel cared about.”</p>
<p>This feeling of being cared about is built through regular conversation, during which the manager learns about the values, goals, and passions of the employee.</p>
<p>“Conversations are in many ways the lifeblood of the organization,” Zinger says. But they do not have to take up hours and hours every week. Some days, brief check-ins are fine, and help maintain engagement.</p>
<p>“Some managers may think, ‘Oh my gosh, I have so much on my plate. Now you want me to have these conversations?’ But it can be as quick as 45 seconds,” Zinger explains. Even a short text or email can be productive, he adds.</p>
<p>Gallup’s Great Managers study confirmed this link. It found that consistent communication—whether it occurs in person, over the phone, or electronically—is linked to higher engagement. Employees who have regular meetings with their managers are almost three times as likely to be engaged, compared with workers who don’t, the report found.</p>
<p>Moreover, these conversations are a good opportunity for managers to draw attention to employees’ accomplishments. Here, Kelleher’s advice to managers is simple: “Recognize, recognize, and recognize.”</p>
<p>“Recognition is a significant engagement driver. It is almost always free, has lasting impact, and managers tend to see a replication of the positive results that they are looking to recognize,” he says. “There is simply no downside.”</p>
<p>In addition to conversation, a manager’s behavior is also important because it can have a mirroring effect, Zinger says. Based on that behavior, it’s easy for employees to see how connected a manager is to his or her own work, and the organization at large. A manager who encourages engagement, but is cynical or uncaring in his or her own work relationship, will be quickly seen as inauthentic.</p>
<p>And the mirroring effect can work both ways, he adds. Let’s say a security manager has a staff of 10, and two of the 10 workers seem disengaged. Out of frustration, the manager may start avoiding and minimizing his or her conversations and interactions with them. In effect, the manager is following the employee’s lead; from the employee’s point of view, the manager is becoming disengaged.</p>
<p>Finally, Kelleher advises managers to establish what he calls “a line of sight” between an employee’s work and the mission of the organization. To do this, managers need to explain where the company is going and its vision for the future; the strategy for how the company intends to get there; and how the employee’s work is a part of that.</p>
<p>“Line of sight is critically important to engagement. Employees should not be working in a vacuum,” he explains.</p>
<h4>What Organizations Can Do</h4>
<p>Managers are not the only ones who influence employee engagement. Organizations as a whole, through both their policies and executive leadership, can also have a significant effect, experts say.</p>
<p>For example, a company may want to consider reworking its performance review process so that engagement is discussed during reviews. These should be two-way, safe-space conversations, in which employees are comfortable talking about when they feel disengaged, for what reasons, and what could be done differently.</p>
<p>“Frame performance conversations as a way to look forward and help employees grow, not as a backward-looking, punitive means,” Looi says.</p>
<p>Some organizations may even want to consider replacing annual performance reviews with robust monthly check-in conversations that focus on the development of the employee.</p>
<p>“Get rid of the intimidating phrase ‘performance appraisals’ and replace it with a new forward-looking phrase—‘the employee development planning process,’” Kelleher says.</p>
<p>The organization’s executive leadership, not just middle managers and human resources staff, should also be focused on engagement. Successful companies, experts say, are often proactive on engagement; their leaders are focused on making their firm more attractive in the eyes of the employees, so that more workers will be committed to their jobs.</p>
<p>Some of these successful companies conduct informal stay interviews with staff. Instead of an exit interview, in which managers try to find out why employees are leaving, managers conducting stay interviews try to find out what it would take for an employee to stay.</p>
<h4>The Future Is Now</h4>
<p>While Gallup’s U.S. engagement rate has been at or below 33 percent for most of the last 15 years, some experts do see signs that employee engagement may improve in upcoming years.</p>
<p>Looi points to research advances in behavioral economics and nudge theory, which can be used to improve workplace cultures so that greater engagement is inherently encouraged.</p>
<p>“When applied appropriately and ethically, you can use nudges to increase employee learning, performance, and engagement,” she says. (For more details on nudge theory see “Management Trends,” by Sean Benson, CPP, in the September 2016 issue of Security Management.)</p>
<p>Zinger explains that Fitbit-like devices that measure engagement, by way of physical indicators that signal when employees are holding their phones or sitting in a chair, may become more commonplace.</p>
<p>And Harter, who describes himself as “hopeful,” sees new workers continuing to transform the U.S. workplace. The millennial generation, which has been driving an increased focus on engagement, will make up three-quarters of the nation’s workforce in just over a decade, according to demographic projections. This generation is keen on being engaged with work that has a purpose, and that is a positive reflection on their values. Studies show, for example, that recent MBAs with high earning power will work for a significantly lower salary if they truly believe in their jobs.</p>
<p>“There’s not as much separation between work and life. People want their work to be representations of who they are,” Harter says.</p>
https://sm.asisonline.org/Pages/The-Evolution-of-Airport-Attacks.aspxThe Evolution of Airport AttacksGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The bustling Brussels Airport in Zaventem, Belgium, handles more than 500 flights a day, bringing more than 27,000 passengers into the facility with approximately the same number departing. Mornings are particularly busy at the airport, and amid the flurry of activity, it is little wonder that on March 22, 2016, three men emerging from a taxi outside of the departures hall passed through unnoticed. </p><p>The trio loaded their heavy suitcases onto baggage carts and entered the flow of people heading through the doors toward the ticket desks. Shortly after they entered the departures hall, the three split up to take their places in separate ticket lines.</p><p>Three minutes later, one of the men detonated his suitcase bomb, which had been packed with nails, as he stood in one of the check-in lanes. Approximately nine seconds after that, the second man detonated his suitcase bomb in another lane. The third suitcase bomb did not detonate immediately; surveillance camera footage showed that after being thrown to the ground by the second blast, the third man, Mohamed Abrini, simply got up and walked away from the airport toward the city center. </p><p>It is unknown whether he left because he got cold feet or because his device failed to detonate, but he was later arrested and charged with participation in the attack. Police bomb technicians destroyed Abrini’s bomb-filled suitcase, which they report may have been the largest of the three, in a controlled explosion. </p><p>The attack at Zaventem resulted in 17 deaths. Another 14 victims were killed when a fourth suicide bomb was detonated an hour later in a subway train at the Maalbeek metro station in Brussels. The coordinated attack was the deadliest in Belgian history. 
It was also a lethal reminder of the continuing threat to the soft parts of airports outside security checkpoints. ​</p><h4>Evolving Tactics<img src="/ASIS%20SM%20Callout%20Images/0417%20Feeature%204%20Infographic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:466px;" /></h4><p>The air transit system has been considered a prime target since the beginning of the modern era of terrorism. From a terrorist’s perspective, hundreds of people trapped inside a pressurized metal tube at 30,000 feet are ideal targets not only because the victims are so vulnerable, but because of the heavy media coverage such attacks generate. </p><p>For example, the photos of TWA 847 pilot John Testrake in the plane’s cockpit window being held at gunpoint by a Hezbollah hijacker became some of the most iconic images of 1980s terrorism.</p><p>Terrorist threats to aircraft spurred a series of security improvements, which were in turn answered by changes in terrorist weapons and tactics. The evolutionary—and deadly—game of cat-and-mouse between terrorist planners and aviation security officials has been occurring since the 1960s.</p><p>Initially there was very little security provided to the air transportation system, but a sharp increase in commercial airline hijackings in the 1960s and early 1970s led to enhanced airline security in the United States and Europe. High-profile hijackings led to greater and more widespread improvements to aviation security worldwide. </p><p>As hijackings became more difficult to conduct, terrorists began to direct their attention to aircraft bombings. Palestinian bombmakers created plastic explosives to look like everyday items in increasingly elaborate efforts to bring them onto aircraft undetected. The result was a number of airline bombing plots in the 1980s using concealed devices. </p><p>In 1987, North Korean agents destroyed a plane using a device hidden inside a radio to set off liquid explosives hidden in a liquor bottle. 
In another incident in 1986, explosives and the detonating device were hidden in a suitcase under a false bottom and a pocket calculator. Security detected the device before it could be taken aboard the plane. </p><p>Perhaps the most famous of these bombings was Pan Am Flight 103 in 1988, a bombing that killed 243 passengers, including two of my colleagues, U.S. Diplomatic Security Service Special Agents Dan O’Connor and Ron Lariviere. </p><p>Despite security improvements, terrorists continued to focus on attacking aircraft. In 1994, an attacker assembled a bomb in the aircraft lavatory and left it on board when he deplaned at an intermediate stop on the flight’s course. The bombing was a dry run for a more complex strike against multiple airlines. </p><p>When security measures were improved in the 1990s to defend against this style of attack, terrorists adapted once again. While planning the 9/11 attack, hijackers used permissible carry-on items—like box cutters—to hijack planes and turn them into human-guided cruise missiles. </p><p>In response to post-2001 security crackdowns to protect against that type of attack, jihadists again shifted their tactics toward onboard suicide attacks with hidden bombs. The first of these was the failed December 2001 shoe bomb attack. When security officers began screening shoes routinely, aspiring airline bombers then shifted to a plot to fill camouflaged toiletry containers in carry-on baggage with liquid explosives.</p><p>The U.S. Transportation Security Administration subsequently intro­duced restrictions on the quantity of liquids that passengers could bring aboard an aircraft, and, in turn, a jihadist attempted an attack with a device that was sewn into a suicide operative’s underwear. </p><p>Once security measures were amend­ed to address the threat of underwear bombs, attackers turned to cargo aircraft, hiding improvised explosive devices in printer cartridges bound for the United States. 
</p><p>And the deadly escalation continues today. In November 2015, a bomb concealed in a soda can was smuggled onto an airliner in Egypt, killing 217. Three months later, another bomb, this one disguised in a laptop, was smuggled aboard a flight in Somalia. Fortunately, that bomb only killed the suicide operative when it detonated and the aircraft was able to return to the airport for an emergency landing.</p><p>However, not all attacks on aviation involve hijacking or smuggling bombs aboard aircraft. Just as terrorists adjusted for heightened security at embassies by targeting traveling diplomats, attackers have found ways to attack airline passengers even as it has become more difficult to attack aircraft. </p><p>Back in the mid-1980s, terrorists attacked crowds of airline passengers beyond the confines of airport security at ticket counters in Rome and Vienna. In November 2002, al Qaeda operatives attempted to attack an Israeli airliner in Kenya with a surface-to-air missile. A 2011 attack at Moscow’s Domodedovo airport took advantage of the facility’s soft areas, as did the Brussels attack. </p><p>In the wake of the Rome and Vienna attacks, perimeter security at airports in Europe was temporarily increased, but due to the cost and effort involved, soon reverted to business as usual. </p><p>Similar short-term increases in security posture at airports across the globe were seen in the wake of the 9/11 attacks and to a lesser extent following Domodedovo.  </p><p>The targeting of the soft side of airports is especially attractive to grassroots groups and individuals who lack the ability to construct bombs sophisticated enough to be smuggled through security. 
</p><p>The July 4, 2002, armed assault against a ticket counter at Los Angeles International Airport and the June 2007 attack against the Glasgow Airport using a poorly constructed vehicle bomb are examples of attacks against the soft side of airports by poorly trained grassroots jihadists.​</p><h4>Expanding Danger</h4><p>In response to recent attacks in Brussels and Istanbul against the soft side of airports, security has again been increased. However, in many places this increased security is not much more than a show of force intended to reassure the traveling public and to perhaps deter poorly trained would-be terrorists. Without names or bag checks, it is difficult to keep a professional terrorist—especially one who has a ticket—away from the facility. </p><p>In some places, more thorough checkpoints have been established away from the airport to conduct initial screening. This tactic can be quite effective at smaller airports, but cumbersome at larger, busier airports where the heavy volume of travelers causes a backlog at the inspection point, thus effectively pushing the target away from the building to the crowd of people awaiting screening.   </p><p>It is important to remember that the objective of terrorist planners is to create a high body count and a large amount of publicity. This means that an attack against the soft side of an airport can be almost as good as an attack against an aircraft, and a successful attack against an airport is better than a failed or thwarted attack against a harder target. </p><p>As the security at airports is pushed outward in response to attacks against the soft sides of airports, and checkpoints are established away from the building, this merely moves the real target—the vulnerable group of people awaiting screening from inside the building—to an area outside of it.   </p><p>This principle was demonstrated during the June 28, 2016, attack against Istanbul’s Ataturk International Airport. 
In that attack, three operatives armed with AK-47s and suicide vests launched an attack on the soft side of the airport. Coming in the wake of the Brussels attack, and due to the overall high terrorist threat inside Turkey, security had been increased at Turkish airports, and armed security checkpoints had been established at the entrances to the departure hall to prevent terrorists from entering the hall as they did in Brussels. </p><p>Shortly after the three attackers exited their cab outside the departure hall, they were confronted by police and a firefight erupted between the police and the attackers. The first operative was able to approach the security checkpoint and detonate his device amid the crowd. This device shattered a large window that permitted the second attacker to enter the building and begin searching for a crowd of people to target with his suicide bomb. </p><p>Fortunately, the second attacker was shot and immobilized before he could do so. The third attacker was pursued by the authorities and detonated his device in a parking lot, causing minimal damage, as did the second bomber. Between the gunfire and the first bomb, however, 45 victims were killed, nearly three times the number killed at the Brussels airport. The bulk of the victims were outside the security checkpoint at the door to the departure hall. </p><h4>Staying Ahead of the Game</h4><p>Moving the security checkpoint outward from the airport simply moves the chokepoint outward, and the crowd of people waiting to get through that checkpoint remains vulnerable. This principle applies to many circumstances and locations beyond airports as well, posing a significant challenge to security professionals. While not an easy problem to address, some methods exist to mitigate the threat.</p><p>First, static security checkpoints themselves are not enough. It is necessary to establish outward-looking protective surveillance that extends beyond the property line. 
This surveillance also needs to focus on preoperational surveillance rather than just attack recognition. Once the attackers start shooting or detonating bombs, it can be helpful to quickly counter them and limit their access to additional victims, but it is far better to catch them at an earlier phase of the terrorist attack cycle. </p><p>Many large international airports are using surveillance technology that identifies suspicious behavior and alerts operators. The information collected by these programs can be shared with nearby airports, allowing them to keep an eye out for similar activity on their premises. </p><p>Terrorists often follow an attack planning cycle and are vulnerable to detection as they conduct the surveillance they require to carry out an attack. Terrorist operatives generally possess poor surveillance tradecraft and are not difficult to spot if people are looking for them. </p><p>But cops or soldiers manning a checkpoint at a door are not normally well positioned to spot such activity. This, ideally, needs to be accomplished by specialized units that have been trained in the craft of detecting surveillance and who are not tasked with manning checkpoints. Teams such as these will patrol parking areas and other spaces further away from the airport to identify potential threats.</p><p>This type of technology and information sharing between airports is imperative because attackers may scope out multiple facilities in a region. It is important for security teams at different airports to foster information sharing by alerting their counterparts to anomalous behavior.</p><p>Surveillance must also go beyond the use of cameras and should use a combination of human agents and cameras integrated with analytic software that can be used to help expand and direct the efforts of the humans. Cameras with nobody watching them are little better than no cameras at all. 
They may be useful for investigating an attack after the fact, but will be of little help in preventing an attack. </p><p>Even in a case where the preoperational surveillance is missed and an attack is underway, personnel located beyond checkpoints can help to see problems as they are developing rather than allowing attackers to gain tactical surprise by permitting them to have free rein in areas where they can assemble and coordinate their attack. </p><p>Furthermore, undercover operators can enjoy tactical surprise themselves and are in a great position to turn the tables on the attackers. Action is always faster than reaction, and if the attackers are permitted to draw and shoot first, it gives them a significant advantage over security forces. </p><p>A failed attack against a soft target venue in Garland, Texas, in May 2015, showed that security personnel manning the door of a facility can gain a life-or-death advantage in a firefight if they have advance warning and a description of a potential threat. </p><p>In the Garland case, the FBI alerted local authorities to a potential threat to the event and provided the suspect’s vehicle description. This passing of critical intelligence prepared local officers for an impending attack. It also highlights the importance of intelligence sharing both horizontally and vertically within the law enforcement and security communities as they seek to secure airports and other soft targets. </p><p><em><strong>Scott Stewart </strong>is vice president of tactical analysis at Stratfor.com and lead analyst for Stratfor Threat Lens.</em></p>
Redefining Loss (Physical Security): https://sm.asisonline.org/Pages/Redefining-Loss.aspx<p>The world of retail has relied on the word “shrinkage” for more than 100 years to describe the losses companies experience as they go about their business. Shrinkage, however, is almost a euphemistic term describing a simple contraction in the size of the stock held by a company, without offering any real sense of what the cause might be. </p><p>In this way, the term is similar to “shoplifting”—a rather benign term often used by the industry to describe people actively engaging in criminal acts of theft in stores. For comparison’s sake, you rarely see burglars or robbers described as houselifters or purselifters.</p><p>Four buckets of loss tend to be included in survey descriptions of what shrinkage is: external theft, internal theft, administrative or process errors, and vendor fraud. The term “administrative error or process failures” is particularly vague; depending upon the type of retailer and the types of products sold, it can potentially cover an enormous array of types of loss, including damage, spoilage, product going out of date, and incorrect price adjustments. </p><p>A retailer selling food and using a shrinkage definition that includes food spoilage will have a different level of loss compared to a retailer selling clothing or auto parts; yet, many shrinkage surveys continue to combine this data together to generate an overall figure for the industry. </p><p>To date, there is no consistent, detailed definition or typology of shrinkage. It is a term that is used throughout the industry, but interpreted in different ways depending on the retail environment and the prevailing organizational culture and practices.</p><p>There is a constant desire to understand what the root causes of shrinkage are: Is it mainly external thieves? 
Is it the staff employed by retailers helping themselves to the stock? Is it due to organizational inefficiencies? Or is it caused by retail suppliers wrongly delivering on purpose or through error?</p><p>Surveys will often provide numbers that supposedly apportion the total shrinkage losses to each of these types of losses, with external theft frequently—but not exclusively—seen as causing the largest amount. </p><p>The reality is that what these reported shrinkage numbers are actually measuring is what respondents think the causes of shrinkage might be. They are much more a gauge of how the loss prevention industry is feeling than any true measure of the breakdown of losses within the retail industry.</p><p>This is because the vast majority of current shrinkage data collected by retailers is based on periodic audit data collected in stores and sometimes in parts of the distribution network. This data captures the difference between the value of stock retailers think they have and the amount that can be physically counted. The difference between the two is how most companies measure their shrinkage.</p><p>But all this data does is provide a value of how much stock is not there. What it does not do is offer an explanation as to why it has gone missing: Was the stock delivered to the retailer? Did a customer steal it? Was it damaged or stolen in the supply chain? Did an employee steal it? </p><p>The causes could be many and varied, but what is clear is that audit data is rarely good at explaining why discrepancies exist; it simply captures the value of losses where the cause is unknown. 
Attempts to apportion causes to this data will always involve a high degree of guesswork and personal prejudice.</p><p>Retailing has gone through some profound changes since shrinkage was first used back in the 19th century, not least the introduction of open displays, the growth of branding, greater consumer choice, the introduction of credit cards and debit cards, the rise of online shopping, and the widespread use of various types of self-service checkout systems, to name a few. </p><p>Yet, throughout this time of enormous change, the retail industry has continued to use a term that vaguely captures the difference between expected and actual stock values as the core measure of loss in their businesses.</p><p>Given this, it’s time to reconsider how retail companies understand and measure the losses they experience and to develop a more consistent approach to enable future benchmarking activities to offer more meaningful and applicable information.</p><h4>Total Retail Loss</h4><p>Both the Retail Industry Leaders Association’s Asset Protection Leaders Council, based in the United States, and the ECR Community Shrinkage and On-shelf Availability Group, headquartered in Europe, supported a research project led by the author to explore how retailers currently view the problem of loss across their business and develop a new definition and typology that might better capture their impact. </p><p>The research, detailed in the report Beyond Shrinkage: Introducing Total Retail Loss, used several different methodologies: an extensive literature review; a questionnaire to a group of large European retailers; 100 face-to-face interviews with senior directors of 10 of the largest U.S. 
retailers; and a series of workshops and focus groups with loss prevention representatives from a range of European retailers and manufacturers.</p><p><strong>Loss versus cost. </strong>One of the difficulties of benchmarking any retail business using shrinkage is understanding what categories of retail loss are included or excluded. </p><p>Some companies taking part in this research adopted strict criteria: shrinkage is only the value of their unknown losses based upon the difference between expected and actual values; anything else is regarded as known and, therefore, not included in the calculation.</p><p>Other companies were much more inclusive, incorporating other types of loss ranging from damages, wastage, spoilage, and price markdowns to the costs of burglaries and robberies.</p><p>Part of this definitional variance seemed to be based on how respondents interpreted the difference between what could be considered a “loss” compared with a “cost,” the latter being viewed as an everyday planned and necessary expenditure for the business to achieve its profit goals. Respondents varied considerably in how they interpreted the difference, although many made a key distinction between the value of the outcome and how this differentiated costs from losses.</p><p>“Costs—they bring value to the business; they are incurred because there is a perceived positive purpose in having them. They are part of the revenue generation process and without them, profits would be negatively impacted,” one respondent said. “Losses are things which, if they didn’t happen, there would be no negative impact upon profitability. They do not offer any real value to the business and simply act as a drain on profitability.”</p><p>It was also instructive to hear how some respondents adopted a process of normalizing what some considered to be losses into costs. 
One respondent explained that “we plan a lot of those costs [possible types of losses], so when we’re looking at it from a planning perspective, we have that built in—anything that we can account for and process and know what it is, we take more so as a cost rather than a loss when we’re defining it.”</p><p>Another respondent talked about how the planning and budgeting process enabled many losses to be redefined as costs. “If it goes above budget, then it becomes a loss; otherwise it is a cost,” the individual explained, while another respondent was blunter: “We try and convert as much of [losses] to costs; it’s then not on my agenda anymore. I deal with shrink.”</p><p><strong>Definition. </strong>From the interviews with senior U.S. retail executives and feedback from the roundtables held in Europe, definitions of costs and losses were eventually developed.</p><p>Costs were defined as “expenditure on activities and investments that are considered to make some form of recognizable contribution to generating current or future retail income.”</p><p>Losses were defined as “events and outcomes that negatively impact retail profitability and make no positive, identifiable and intrinsic contribution to generating income.” Using these definitions, various types of events and activities could then begin to be categorized accordingly. </p><p>For example, incidents of customer theft can be considered a loss—the event and outcome play no intrinsic role in generating retail profits—because it makes no identifiable contribution and were it not to happen, the business would only benefit.</p><p>Alternatively, incidents of customer compensation, such as providing a disgruntled shopper with a discounted price, can be seen as a cost. In this case, the business is incurring the cost because it believes compensating the aggrieved consumer makes the individual more likely to shop with the business in the future. 
The policy of compensating is an investment in future profit generation and is categorized as a cost—not a loss.</p><p>Another example of a loss is workers’ compensation, where a retailer will cover the legal, medical, and other costs associated with an accident at work, such as falling off a ladder. There is no intrinsic value to the business if an employee is injured at work; if it had not happened, the business would only benefit by not having to pay for the consequences of the event. Therefore, workers’ compensation is a loss.</p><p>While some respondents to this research argued that workers’ compensation is a predictable problem that can be—and is—budgeted for, it still remains an event that the retailer would prefer not happen because it negatively impacts overall profitability.</p><p>In contrast, expenditure on loss prevention activities and approaches, such as employing security officers or installing tagging systems, can be seen as a cost. The retailer has committed to this expenditure because it feels there will be some form of payback from the investment: lower levels of loss, which in turn will boost profits. Whether this payback is measured or achieved is open to debate.</p><p>What these examples focus on is not whether an activity or event can be controlled or whether the incurred cost was planned, but its fundamental role in generating current or future retail income. If a clearly identifiable link can be made between an activity and the generation of retail income, then it should be regarded as a cost; all those activities and events where no link can be found should be viewed as a loss.</p><p><strong>Categorizing losses</strong>. In developing the categories of the Total Retail Loss Typology, it was important to draw a distinction between the types of loss that can be measured in a way that is manageable for modern retail business, and those that cannot. 
</p><p>Additionally, it was important to consider the value of collecting data on a given loss indicator. Is it meaningful for the business to monitor a category of loss? Will its analysis offer potentially actionable outcomes that may help the business meet its objectives?</p><p>There is little point in developing a typology made up of a series of categories that are either impossible or implausibly difficult to measure or once measured offer little benefit to the business undertaking the exercise.</p><p>For example, most retailers would be keen to understand how often items are not scanned at a checkout. While it is theoretically possible to measure this, the reality for most retailers is that the ongoing cost would probably be prohibitive. </p><p>Determining whether proposed loss categories met the three M’s test (manageable, measurable, and meaningful) was an important part of creating a typology likely to achieve any form of adoption across a broad range of retail formats.</p><p><strong>Typology.</strong> The research identified 31 types of known loss that are included in the Total Retail Loss Typology covering a wide range of losses across the retail enterprise and incorporating events and outcomes beyond just the loss of merchandise. The typology is broken down into four locations of loss: store, retail supply chain, e-commerce, and corporate. Each location then has a variety of subcategories divided between malicious and nonmalicious. </p><p>For example, a malicious corporate retail loss would be fraud; a nonmalicious corporate retail loss would be workers’ compensation, regulatory fines, or bad debt. </p><p>However, the term does not encompass every form of loss that a retailer could conceivably experience. 
The word “total” is being used in this context to represent a much broader and more detailed interpretation of what can be regarded as a retail loss, rather than necessarily claiming to reflect the entirety of events and activities that could constitute a loss. In the future, the scope and range of the Total Retail Loss Typology will change to accommodate new forms of loss, and this is welcomed.</p><p>The typology is designed to enable the calculation of the value of retail losses, not necessarily the number of events; where an associated value cannot be calculated or there is no loss of value associated with an incident, it should not be included.</p><p>For instance, if shop thieves are apprehended leaving a retail store and the goods they were attempting to steal are successfully recovered and can be sold at full value at a later date, there is no financial loss associated with the incident. The retailer may still want to record that the attempted theft took place and was successfully dealt with, but it would not be recorded in the Total Retail Loss Typology.</p><h4>Potential</h4><p>The proposed Total Retail Loss Typology is a radical departure from how most retail companies have understood and defined the problem of loss within their companies, moving away from a definition focused primarily on unknown stock loss to one that encompasses a broader range of risks across a wider spectrum of locations.</p><p>While there is a simple elegance about the approach adopted in the past, based upon the four traditional buckets of shrinkage, it is increasingly recognized that these broad-brush and ambiguously defined categories are no longer capable of accurately capturing the increasingly complex risk picture now found in modern retailing. Instead, the Total Retail Loss Typology has the potential to benefit retail organizations by managing complexity, encouraging transparency, creating opportunities, and maximizing loss prevention.</p><p><strong>Managing complexity. 
</strong>The retail landscape in which shrinkage was first described has been transformed by innovation and change. Simply relying upon the traditional four buckets of estimated losses to fully reflect and properly convey the scale, nature, and impact of retail losses is no longer appropriate, particularly as the retail environment becomes more dynamic and fast changing.</p><p><strong>Encouraging transparency.</strong> The ambiguous nature of most shrinkage calculations and the difficulty of understanding its root causes generate a lack of accountability, particularly within retail stores.</p><p>Store managers question the reliability of the number, especially where there is a pervasive sense that the supply chain may be foisting losses upon stores that are actually caused by inefficiencies. Unknown store losses can conveniently be blamed upon short shipments or roaming bands of organized thieves, rather than being apportioned to actual events taking place in the store.</p><p>Losses can also be moved between different categories, depending upon the performance measures in place—wastage can quickly become shrinkage if the former is identified as a key performance indicator. </p><p>By measuring a broader range of categories of loss, it becomes much more difficult to play this game; most losses will be measured somewhere, improving transparency and accountability throughout the organization.</p><p><strong>Creating opportunities.</strong> A recurring theme from the research was the lack of prioritization and urgency associated with categories of loss that had already been measured or for which a budget had been allocated.</p><p>Many respondents were quick to view these factors as a cost; therefore, not requiring any remedial action by the business. 
In effect, the process of capturing the loss or planning for it through budget allocation rendered them immune from concern over the actual loss.</p><p>By adopting a systematic approach and agreeing on the definition of a retail loss and bringing these together under a single typology, opportunities may arise to minimize the overall impact of loss upon the business.</p><p><strong>Maximizing loss prevention.</strong> Dealing with an unknown loss, which is what most loss prevention practitioners typically focus on, is probably one of the hardest challenges faced by a management team in retail. This requires the team to develop a high level of analytical and problem solving capacity.</p><p>Trying to solve problems where the cause is typically unknown is also at the hard end of the management spectrum. It requires creative thinking, imaginative use of data, and considerable experience. Imagine if these capabilities were used on the broader range of known problems encapsulated in the Total Retail Loss Typology. The impact could be profound.</p><p><strong>Using resources. </strong>By generating a broader, more detailed understanding of how losses are impacting a retail organization, it may be possible to take a more strategic approach to the allocation and use of existing resources.</p><p>The Total Retail Loss Typology could offer value in how businesses not only respond to existing loss-related challenges, but also use it to review the implication of any future business decisions. 
</p><p>The interplay between sales and losses needs to be viewed in the round and not as a series of cross-functional trade-offs where losses and profits are allocated separately, driving behaviors that are unlikely to benefit the business.</p><p>It’s within this context that the Total Retail Loss Typology has been developed—to enable retail organizations to better understand the nature, scale, and extent of losses across the entire business, and to use this information to make more informed choices about how to grow profits and improve customer satisfaction.</p><p>As the pace of change in retail continues to intensify, it’s time for the loss prevention industry to begin to move away from a notion of loss developed in the 19th century to one that better reflects and recognizes the complexities and challenges found in the 21st century. </p><p><em><strong>Adrian Beck </strong>is a professor of criminology in the Department of Criminology at the University of Leicester in Leicester, United Kingdom. Beck undertook the study Beyond Shrinkage: Introducing Total Retail Loss commissioned by the Retail Industry Leaders Association’s Asset Protection Leaders Council and is an academic advisor to the ECR Community Shrinkage and On-Shelf Availability Group.</em></p>
ERM Best Practices (Strategic Security): https://sm.asisonline.org/Pages/ERM-Best-Practices.aspx<p>With the rise of Enterprise Risk Management (ERM) programs in the security field, some leaders are on the hunt for ERM best practice guidance resources. One recent report, courtesy of the U.S. government, contains guidance that may be applicable to private sector security operations.</p><p>Last year, the U.S. Office of Management and Budget (OMB) called on federal agencies to implement ERM so that federal managers could more effectively manage risks that could affect agency strategic objectives. Given OMB’s call, the U.S. Government Accountability Office decided to update the government’s risk management framework and identify good practices that some agencies have been using. </p><p>The new report, <em>Enterprise Risk Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing Risk,</em> identifies six components of successful ERM programs, and then describes best practices that apply to each.</p><p>The six components and their best practices are as follows:</p><p><strong>Element One: Align the ERM process to goals and objectives.</strong></p><p>Senior leaders are fully engaged and committed to the ERM process, and they support how ERM contributes to the agency’s goal-setting process. This engagement helps demonstrate the importance of ERM to agency staff. </p><p><strong>Element Two: Identify risks.</strong></p><p>Successful agencies develop an organizational “risk-informed” culture in which employees are encouraged to identify and discuss risks openly. 
This openness is critical to ERM success.</p><p><strong>Element Three: Assess risks.</strong></p><p>Successful agencies can integrate prioritized risk assessments into their strategic planning and organizational performance management processes. This integration of risk assessments helps improve the budget process, resource allocation planning, and other aspects of operations. </p><p><strong>Element Four: Select risk response.</strong></p><p>Successful agencies establish an ERM program that is customized to fit their particular operations. Once established, risk factors are regularly considered, and leaders select the risk response that is most appropriate for the structure and the culture of the agency. </p><p><strong>Element Five: Monitor risks.</strong></p><p>Successful agencies are able to continuously manage risk by conducting ERM reviews on a regular basis. Leaders also monitor the selected risk response with performance indicators that allow the agency to track results and the response’s impact on the mission. Leaders can then determine if the risk response is successful or if it requires additional actions.</p><p><strong>Element Six: Communicate and report on risks.</strong></p><p>Sharing risk information and incorporating feedback from internal and external stakeholders helps organizations better identify and manage risks. It also increases transparency and accountability to Congress and taxpayers.</p>
ASIS News April 2017 (Security by Industry): https://sm.asisonline.org/Pages/ASIS-News-April-2017.aspx<h4>Volunteers Plan for the Future</h4><p>More than 250 ASIS International volunteer leaders from across the globe gathered in Arlington, Virginia, for the January leadership meetings and strategic planning workshop. The program launched with member awards, followed by an organizational update from CEO Peter J. O’Neil, CAE. He explained the changes taking place to better align staff and technology investments with organizational priorities. </p><p>The workshop component of the program opened with a discussion on the Society’s new strategic plan. Attendees broke into working groups to provide input on aligning their volunteer areas of work with the new plan. Many innovative ideas emerged, and the results are being used by ASIS staff and the Board of Directors to shape deliverables and metrics. At the end of the day, attendees and HQ staff came together for fun-filled, sports pub-themed networking. </p><p>“The opportunity to collaborate with ASIS staff and the Board of Directors, have concerns heard, and be involved in developing solutions for change was an unparalleled volunteer leadership experience that was on point, transparent, and highly appreciated,” said Senior Regional Vice President Jeffrey A. Slotnick, CPP, PSP. “The Sports Night was a terrific end to a full day of camaraderie and information sharing.”</p><p>Day two included the annual business meeting address to the membership from ASIS President Thomas J. 
Langer, CPP, who noted that the past two years have been “the stage setting and execution years for the Society’s refreshed direction.” He recapped past-year milestones, citing new leadership at headquarters, a renewed focus on member value, new strategic priorities (including ESRM and comprehensive mobile access to Society programs and services), and increased global growth and inclusion so all members can reap the full rewards of their membership. He noted that the board has addressed many tough realities—both financial and structural—and is fully aligned with the Society’s path forward. “In 2017, expect to see positive changes in member engagement, website design and experience, educational offerings and learning formats, and more responsiveness to chapters, councils, and regions.” Go to www.asisonline.org/volunteer to listen to Langer’s full address.</p><p>The program wrapped up with the Society’s first town hall of 2017, an interactive Q&A between volunteer leaders, board members, and ASIS executive leadership. The positive response from this exchange continued with the launch of bimonthly virtual town halls beginning in March. Share your thoughts on the Society’s new direction via email to asisfuture@asisonline.org.</p><h4>ASIS 2017: WHAT’S NEW? </h4><p>Get ready to experience the best in security networking, education, and technology. The ASIS International 63rd Annual Seminar and Exhibits (ASIS 2017) is coming to Dallas, Texas, September 25–28.</p><p>The finest global security event in the industry is getting better. Some events will be expanded and new ones will be launched. The calendar is shifting some popular activities to new times. These changes will lay the foundation for what is sure to remain an outstanding event for years to come. 
</p><p>Some of what’s new for 2017 includes:</p><p><strong>New hours for exhibits.</strong> Expo days will shift from the traditional Monday through Wednesday schedule to Tuesday through Thursday, creating more noncompeting hours so attendees can maximize their educational and networking experiences. Tuesday and Wednesday, the exhibit hall will be open from 10:00 am to 5:30 pm; Thursday’s hours are 10:00 am to 1:00 pm.</p><p><strong>Opening night celebration.</strong> Join peers and colleagues from around the globe and across the profession to kick off ASIS 2017 on Sunday, September 24, with a big Texas welcome. Mechanical bull riding, armadillo races, good food, live music...you’ll find it all at the ASIS 2017 Opening Night Celebration. This event, which will be held from 7:00 pm to 10:00 pm, was formerly known as the Welcome Reception.</p><p><strong>ASIS Happy Hour. </strong>Connect with peers and clients on Tuesday, September 26, from 4:30 pm to 5:30 pm. This gathering, which will be held in the exhibit hall, is designed to help you learn more about a wide range of security solutions and innovations. </p><p><strong>President’s Reception.</strong> This event is moving from Monday night to Wednesday night. It is always one of the most anticipated events at Seminar—and this year will be no different! Be sure to stay in town for this one-of-a-kind experience.</p><p><strong>New educational offerings.</strong> Watch for new learning formats, plus more education on the exhibit hall floor. Visit www.securityexpo.org for the latest announcements and updates. Use #ASIS17 on Facebook and Twitter to connect with ASIS show management staff, exhibitors, and fellow attendees. </p><h4>NEW CHAIR OF THE S&G COMMISSION</h4><p>For the first time in a decade, the ASIS International Standards and Guidelines (S&G) Commission has a new chairman. Michael Knoke, CPP, takes on the role vacated by F. Mark Geraci, CPP, at the start of 2017. Serving alongside Knoke is Vice Chair Bernard Greenawalt, CPP. 
The Commission has a full plate in the year ahead, including the upcoming release of the Security and Resilience in Organizations and their Supply Chain Standard. In addition, work is well underway on a joint ASIS/(ISC)2/ISACA Security Awareness Standard and a Private Security Officer Selection and Training Standard. Keep current on S&G news and activities at www.asisonline.org/standards. </p><h4>CSO SUMMIT</h4><p>Nearly 75 senior security executives from across the globe are expected to attend the 10th Annual CSO Summit April 23–25 at the Ritz Carlton at Pentagon City in Arlington, Virginia. The high-level program features sessions on cyber risk, community stakeholder engagement, and metrics for the C-suite. Attendees will also get a behind-the-scenes tour of the U.S. Capitol and gain insights on public-private partnerships from event keynoter John Walsh, who created the television program America’s Most Wanted and now anchors The Hunt with John Walsh on CNN. Summit updates can be found on the CSO Center website, www.cso.asisonline.org.</p><h4>Member Book Review</h4><p><em>Managing Critical Incidents and Large-Scale Event Security</em>. By Eloy Nuñez and Ernest G. Vendrell. Published by CRC Press; 314 pages, $89.95. </p><p>Examining case studies and after-action reports for valuable lessons, <em>Managing Critical Incidents and Large-Scale Event Security</em> provides a timely resource for understanding effective critical incident management. Effectively conveying their knowledge and experience, the authors use vignettes to provide real-world examples of hurricane response planning and recovery; planning and post-action events for several Super Bowls; and responses to various riots and other incidents from the 1980s to 2015. 
While walking the reader through known and familiar concepts and practices, Nuñez and Vendrell deliver a fresh perspective on successful critical incident management, explaining how to attain fiscal resources for planning, exercising, executing, and recovering from security events.</p><p>The authors challenge Federal Emergency Management Agency (FEMA) precepts of four phases of critical incident management. Advocating for a three-phase model, Nuñez and Vendrell suggest that mitigation is intrinsic throughout all stages and therefore is not a phase in and of itself. Throughout the text, the authors advocate for mitigation during the preparedness, response, and recovery phases of critical incident management.</p><p>Written with the critical incident manager in mind, the book delivers sound advice, providing readers with several checklists for effective training and management of such events. <em>Managing Critical Incidents</em> is ideal as a go-to reference for incident managers, as well as a valuable textbook for instructing future practitioners.</p><p><em><strong>Reviewer: Dr. Will Morrison, CPP, </strong>is a security management professional with more than 35 years of service in the U.S. federal government that includes work in national and homeland security. He has been a member of ASIS International since 2004.</em></p><h4>Lifetime Members</h4><p>The ASIS Board of Directors granted life membership to the following individuals:</p><p>• Ira M. Weiss, CPP</p><p>• Thomas M. Seamon, CPP</p><p>• Brian N. Goldsworthy, CPP</p><p>• Robert C. Anderton, CPP</p><p>• Richard F. Williams, CPP</p><h4>Lifetime Certificants</h4><p>Congratulations to the following security professionals who have achieved lifetime certification status:</p><p>• James V. Clarke, CPP</p><p>• John W. Collins, Jr., CPP</p><p>• Harold F. Crawford, CPP</p><p>• Daniel R. Devine, CPP</p><p>• Richard C. Hofmann, CPP</p><p>• Lester E. McFarland, CPP</p><p>• Margaret Nix, CPP</p><p>• Michael J. Pepe, CPP</p><p>• Robert W. Riley, CPP</p><p>• Fergus P. Ross, CPP</p><p>• Dennis J. Urban, CPP</p><p>• Jose Luis Zepeda, CPP</p>
<h4>Communal Protection</h4><p>National Security. https://sm.asisonline.org/Pages/Communal-Protection.aspx</p><p>Domestic terror attack targets are usually not chosen at random, and some populations are targeted more than others. Of all religious groups, Jews continue to be the most targeted in the United States, according to the findings of a new report.</p><p>The report, Terrorist Incidents and Attacks Against Jews and Israelis in the United States, 1969-2016, examines the FBI’s annual hate crimes report for the years under study. For example, in 2015, 1,354 hate crimes were recorded in the report. Of those, 695 incidents, or 51 percent, targeted Jews. “This is a consistent finding of the FBI report over many years,” writes the report’s author, counterterrorism expert Yehudit Barsky.</p><p>Going deeper, the report catalogs 104 incidents in 2015 to better characterize the attacks. The majority, 51 percent, targeted synagogues, followed by community institutions (14 percent), Jewish persons (13 percent), and educational institutions (10 percent). In terms of means of attack, arson, shootings, and explosive devices were used in about equal frequency.</p><p>Year-over-year, the total number of attacks has been declining, but they have been increasing in severity. “Recent incidents have been increasingly lethal and have…claimed many more victims,” Barsky writes.</p><p>And the threat has been revived several times in the last few years. In October 2015, the Islamic State (ISIS) militant group directed its followers worldwide to kill Jews. 
ISIS’ Al-Masra Foundation issued a video, The Slaughter of the Jews, which called for followers to “Stab the Jew with a knife or run over him with a car; poison him; bring back explosives, the [use of] explosive belts and IEDs; burn their faces and their houses.”</p><p>Then in 2016, ISIS published an article in its Al-Naba publication that called for followers to help Palestinian Muslims by fighting Jews around the world: “killing them, destroying their property, and harming their interests in any way they can.”</p><p>The report also includes some lessons learned and related recommendations for future security. Jewish targets sometimes serve as precursors to larger attacks. The perpetrators of the 1993 World Trade Center bombing, for example, were previously involved in anti-Jewish attacks. </p><p>And in many of the incidents, the attackers conducted preoperational surveillance. For example, in 2014, neo-Nazi Frazier Glenn Miller carried out preoperational surveillance at two Jewish organizations that he later attacked. </p><p>“This phase of a typical attack cycle is the most likely point for detection, and thus recognizing it can avert or minimize an impending attack,” Barsky writes. “Training and engagement of community members is thus essential.” </p><p>While the U.S. Department of Homeland Security announced that it would step up efforts to support Jewish communities, others are working at the grassroots. </p><p>For example, the concept of the training and engagement of community members is at the heart of operations at Community Security Service (CSS), the nonprofit group that sponsored the report and whose mission is the protection of the people, institutions, and events of the American Jewish community. CSS started in 2007 with a small group of volunteers. It now has more than 3,500. 
</p><p>“The differentiator is—it is an entirely volunteer organization,” says Don Aviv, CPP, PCI, PSP, who is COO and director of physical security at Interfor International and a founding member of CSS. Aviv is also vice chairman of the ASIS International Security Services Council.</p><p>CSS serves as a security partner for various Jewish institutions and events, ranging from the National Menorah lighting in Washington, D.C., to an annual sit-down dinner of roughly 6,000 rabbis held in conjunction with a religious conference in Brooklyn. CSS also helps protect smaller events such as weekly services and Shabbat dinners across the country, according to Jason Friedman, the executive director of CSS, who is also an attorney and U.S. Navy officer.</p><p>The founding philosophy of CSS is that security should be rooted within the community. “The idea was, no one can protect your community better than yourself,” Aviv says. And so volunteers from the community are trained in the basics of security, including practices such as recognizing threats and devising a system to report threats or other incidents.</p><p>The training includes aspects like scenario-based exercises and helping volunteers maintain a higher level of security awareness by checking their surroundings daily. An important component is helping volunteers develop a level of comfort with being part of the security effort. “It comes down to motivating the individual member to be a part of their community” in an “empowering and enfranchising” way, Aviv says.</p><p>Community members are treated as partners in security to be worked with, not as people to be ordered around by those leading the security effort. “We don’t enter into a community without being invited. We’re not forcing our way in,” Aviv explains.</p><p>The other key aspect of CSS’s model is that security is achieved through a partnership among community members and volunteers, contract security, and law enforcement. 
This is accomplished through training and by building up a framework of interaction for all stakeholders.</p><p>For example, community members are advised that, if they decide to use contract security, they should not just hire security officers and then walk away and expect them to take care of everything: “You’re putting too many expectations on their shoulders,” Friedman says. Instead, by working with them, the community will receive a better return on its investment.</p><p>Similarly, volunteers embedded in the community will communicate with law enforcement officers, so that the officers know the community’s concerns and issues and do not have to “parachute in” blindly. “We’re a force multiplier for federal and local law enforcement,” Aviv says.</p><p>While CSS is dedicated to protecting the Jewish community, its cooperative community-based model of security is replicable for use by other populations as well, Aviv says. “At the end of the day, the threats facing us are similar to those facing other groups,” he says.</p>
<h4>Perception Versus Reality</h4><p>National Security. https://sm.asisonline.org/Pages/Perception-Versus-Reality.aspx</p><p>Terrorism rates dropped in 2015 for the first time in five years, but fears of violent extremism have continued to grow, new reports show. Approximately 82 percent of people polled around the world see the threat of violent extremism increasing in their country, according to the Center for Strategic and International Studies. And while deaths caused by terrorism fell 10 percent overall from 2014, countries in the Organisation for Economic Co-operation and Development (OECD)—including Denmark, France, Germany, Sweden, and Turkey—saw a 650 percent increase in terrorism-related deaths, according to the Institute for Economics and Peace’s Global Terrorism Index.</p><p>This redistribution of terrorist activity, along with less-organized but equally lethal homegrown extremist-style attacks, has kept fears of terrorist attacks high around the world, experts say. According to data from the National Consortium for the Study of Terrorism and Responses to Terrorism (START), the concerns of U.S. citizens when it comes to terrorism have not declined much since the September 11, 2001, attacks. <em>Security Management</em> spoke to Gary LaFree, director of START, to gain insight on these reports.</p><p>“We tracked a decline in worldwide attacks between 2014 and 2015, with fatalities and ISIS attacks reducing,” says LaFree. “You want to say that’s good news, but at the same time, we found there was a terrorist attack somewhere in the world every single day of 2015. You can interpret these statistics in a lot of different ways. 
It’s pretty easy to get the sense that we’re awash in terrorism, even though it’s still a relatively rare event [in the United States].” </p><p>LaFree tells Security Management that there are many different ways to interpret terrorism trends and the public’s resilience to attacks. On the one hand, he says, one of the goals of terrorism is to frighten and divide citizens, and, as his data shows, the public still thinks about terrorism almost as much as it did in the months after 9/11. However, LaFree says that citizens are more willing to report suspicious activity and be more engaged with the government overall due to their fears.</p><p>“What the data shows is a fairly high level of concern, still, now that we’re more than 15 years from 9/11,” LaFree says. “That has not dissipated. People really are still concerned about terrorist attacks.”</p><p>In 2012, START conducted a survey of more than 1,500 Americans on what LaFree calls “a barometer of how the public was feeling about terrorism.” START found that 15 percent of respondents thought about terrorism at least once a week—significantly higher than those who thought about hospitalization or violent crime victimization—and as part of the survey methodology, the organization planned to conduct three more waves of surveys to track changes in attitude.</p><p>But following the April 15, 2013, Boston Marathon bombings, where two homemade bombs killed three people and injured several hundred others, START realized it had a baseline of behavior before the attack and could leverage that in its ongoing research. “Events in Boston provided us with an unexpected opportunity to examine how public attitudes toward terrorism and counterterrorism policies in the United States changed before and after an actual terrorist attack,” noted one of the resulting reports, U.S. Attitudes toward Terrorism and Counterterrorism before and after the April 2013 Boston Marathon Bombings. 
</p><p>Surprisingly, the surveys found that many of the attitudes sampled in 2012—such as the frequency at which people thought about terrorist attacks or the likelihood of an attack in respondents’ own communities—did not change after the bombings. Significant changes included a higher percentage of people who believed a terrorist attack could happen on U.S. soil; a decrease in those who thought the government could effectively prevent terrorism; and a willingness to call the police in situations relating to terrorism.</p><p>LaFree says that START continued the surveys to understand how an attack on American soil might affect citizens’ attitudes towards terrorism, including the lasting desire to cooperate with the government when it comes to terrorist threats. </p><p>“What happens with the public is they get more concerned about terrorism when there’s a high-profile event, and they also report greater willingness to cooperate with federal officials to prevent further attacks,” LaFree explains. “That however dissipates over time—the longer you get away from a big attack, the less likely they are to see that, so the original change that’s produced disappears. What’s interesting is that their knowledge of the system doesn’t change over time—they continue looking for information to inform themselves, and that part they keep long after the attack.”</p><p>Despite the sustained public mindfulness of terrorism since 2001, LaFree says that he is heartened by the public’s ability to work with officials while knowing where to draw the line.</p><p>“After Boston, respondents were more likely to say they would cooperate with police and government officials, but they didn’t give carte blanche either,” LaFree explains. “A lot of people said they would report people that look suspicious with regard to bombmaking, but only a tiny minority said they would report someone who had terrorist literature in their possession. 
We drilled down on those questions, and they said, ‘well this is America, we have freedom to read what we want to read, and it’s not against the law.’ Even their responses in the aggregate were pretty reasonable.”</p><p>While terrorism deaths declined in 2015 for the first time since 2010, it was still the second-deadliest year since 2000, with terrorism claiming the lives of 29,376 people. However, 72 percent of the deaths occurred in five countries: Iraq, Afghanistan, Nigeria, Pakistan, and Syria. But the leap in high-profile terrorism-related deaths in OECD countries, including attacks on Charlie Hebdo in France, a museum in Tunisia, a bombing in Baghdad during Ramadan, and the coordinated attacks on soft targets in Paris, combined with the increased prevalence of social media makes it hard to keep today’s terrorism in perspective. </p><p>“Public opinion in the United States can now be affected by events that happen halfway around the world,” LaFree notes. “The interconnectedness of the United States has really changed, and that probably contributes to the public’s perception of this drumbeat of terrorism.”</p><p>In reality, terrorism-related deaths in the United States are historically low, compared to the 1970s, according to the START global terrorism database. The U.S. rates of terrorism are inversely related to world rates, which have continued to go up since 9/11. </p><p>While LaFree says he doesn’t think the public is being overly concerned, there is a more existential aspect to the sustained level of fear. </p><p>“Your chances of dying from lots of other things are much greater than terrorism, and that’s where we started this conversation,” LaFree states. 
“What we’re arguing is we need to stay vigilant and do a good job of protecting ourselves from the most serious threats, but we also need to realize that thus far in the history of terrorism, we haven’t faced existential threats of the nature we faced during the Cold War and nuclear annihilation,” according to LaFree. “It’s not a very flashy message if you think about it, but it’s as truthful as I think we can be.”</p>
<h4>Cyber War Games</h4><p>Cybersecurity. https://sm.asisonline.org/Pages/Cyber-War-Games.aspx</p><p>In the chaos of World War II, the U.S. Information Agency began a German radio broadcast to counter Nazi propaganda. The Voice of America (VOA) was designed to promote American values abroad, and after the end of the war, the United States enacted the Smith–Mundt Act to continue its broadcasts during peacetime.</p><p>During the Cold War, VOA took on a new target—Soviet propaganda—and concentrated its message on communist nations in eastern and central Europe. By 1953, VOA was broadcasting 3,200 programs in 40 languages every week.</p><p>And America was not alone. The Soviet Union soon began adopting similar technology, attempting to influence elections through radio broadcasts, campaign funding, and recruitment efforts. In the 1970s, for example, during a U.S. presidential race, the Soviet KGB recruited a U.S. Democratic party activist to report on Democrat Jimmy Carter’s campaign and foreign policy plans.</p><p>Fast-forward to the present, when influence is no longer restricted to radio broadcasts or recruiting covert agents; it’s now being conducted on social media by nation-states. In an unprecedented unclassified report, the U.S. intelligence community detailed Russia’s most recent efforts to influence the 2016 U.S. presidential election in favor of candidate and eventual president Donald Trump.</p><p>The report, crafted by the U.S. National Security Agency (NSA), the CIA, and the FBI, and released by the U.S. Office of the Director of National Intelligence, found that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election.</p><p>Putin’s goals, according to the report, were to undermine public faith in the U.S. democratic process, denigrate Democratic candidate former U.S. 
Secretary of State Hillary Clinton, and harm her electability and potential presidency.</p><p>“In trying to influence the U.S. election, we assess the Kremlin sought to advance its longstanding desire to undermine the U.S.-led liberal democratic order, the promotion of which Putin and other senior Russian leaders view as a threat to Russia and Putin’s regime,” the report explained.</p><p>To carry out this influence campaign, Russia used a messaging strategy that blended covert intelligence operations with overt efforts by Russian government agencies, state-funded media, third-party intermediaries, and paid social media users—known as trolls.</p><p>“The Kremlin’s campaign aimed at the U.S. election featured disclosures of data obtained through Russian cyber operations; intrusions into U.S. state and local electoral boards; and overt propaganda,” the report added. “Russian intelligence collection both informed and enabled the influence campaign.”</p><p>For instance, in July 2015 Russian intelligence organizations gained access to the U.S. Democratic National Committee’s (DNC’s) networks and maintained access to them until June 2016. Using this access, Russia’s General Staff Main Intelligence Directorate (GRU) compromised the personal email accounts of Democratic Party officials and political figures, including Clinton’s campaign chair, John Podesta. </p><p>Then, under the alias Guccifer 2.0, the GRU leaked those emails to DCLeaks.com and WikiLeaks, which shared information with RT—the Kremlin’s principal international propaganda outlet, which has more than 4 million Likes on Facebook and 2 million followers on Twitter. </p><p>“Russia’s state-run propaganda machine…contributed to the influence campaign by serving as a platform for Kremlin messaging to Russian and international audiences,” according to the report. “State-owned Russian media made increasingly favorable comments about President-elect Trump as the 2016 U.S. 
general and primary election campaigns progressed, while consistently offering negative coverage of Secretary Clinton.”</p><p>For instance, Russian media began to call Trump’s impending victory a “vindication of Putin’s advocacy of global populist movements” and the “latest example of Western liberalism’s collapse.”</p><p>Millions of people viewed these articles and shared them on social media, spreading them among U.S. voters. The U.S. intelligence community did not conduct opinion polls to see how Russian propaganda influenced voting behavior, said former Director of National Intelligence James Clapper in a Senate hearing. But he did reinforce the report’s assessment that Russia will apply lessons it learned from the campaign to future efforts to influence the United States and its allies.</p><p>And, because Americans elected Trump in the 2016 election, Russia is likely to view its influence campaign as a success and continue using similar methods to influence future elections.</p><p>“Putin’s public views of the disclosures suggest the Kremlin and the intelligence services will continue to consider using cyber-enabled disclosure operations because of their belief that these can accomplish Russian goals relatively easily without significant damage to Russian interests,” the report said.</p><p>Putin may hold this view because the United States responded to the influence campaign through targeted sanctions. One week before the U.S. intelligence community’s report was released, former U.S. President Barack Obama sanctioned two Russian intelligence services, four individual intelligence service officers, and three companies that provided material support to the Russian intelligence service’s cyber operations.</p><p>The U.S. Department of the Treasury also sanctioned two Russian individuals for using cyber-enabled means to misappropriate funds and steal personal identifying information. The U.S. 
Department of State also shut down two Russian compounds in Maryland and New York that were used by Russia for intelligence purposes, and declared 35 Russian intelligence operatives “persona non-grata.”</p><p>“These actions are not the sum total of our response to Russia’s aggressive activities,” Obama said in a statement. “We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.”</p><p>While some experts are not surprised by Russia’s actions, one expert has said he was surprised at Russia’s willingness to engage in a disruptive cyberattack against U.S. institutions. </p><p>Adam Segal, Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, published The Hacked World Order at the beginning of 2016, saying that he thought states on the periphery—Estonia, Georgia, and Ukraine—would conduct disruptive attacks on each other, but that major nation-states would not.</p><p>“Clearly, I underestimated the willingness of Russia to use disruptive attacks on the United States,” Segal said at an event hosted by the American Bar Association in January. “I never considered disruptive attacks on the United States focused on institutions, even though I thought those might be the most vulnerable to attacks in the future.”</p><p>Disruptive attacks, like the Russian influence campaign, will be a difficult area for the Trump administration moving forward, especially based on the U.S. response to the activity. </p><p>Segal, who had just returned from China before speaking at the event, said that the Chinese “seem to see no deterrent value” in the U.S. response to Russia and that the response needed to be stronger to send a clear message not just to Russia, but to other adversaries who might try something similar.</p><p>That message was further muddled when just weeks into Trump’s presidency, the U.S. 
Department of the Treasury eased sanctions to end a ban on selling information technology products to Russia. The ban was originally put in place by Obama in 2015 in response to alleged “malicious cyber-enabled activities” by Russia’s security service in the U.S. electoral process.</p><p>Despite the deficient response to the disruptive attack, however, Segal said he still thinks that Russia and China are unlikely to use destructive cyberattacks against the United States—such as targeting critical infrastructure and causing damage—unless their national interests are threatened.</p><p>“The Chinese definition of core interests is unfortunately expanding,” Segal said. “But the Chinese know that the United States is going to attribute an attack to them, so they have to be ready for escalation.”</p><p> An escalation of destructive cyberattacks is something Leo Taddeo, former special agent in charge of the FBI’s New York Cybercrime Office and current CSO of Cryptzone, a network security and compliance software provider, says he sees happening in 2017. In an interview with <em>Security Management</em>, Taddeo says he sees nation-states—including the United States—taking a more aggressive position on international cybersecurity, leading to a cyber escalation between nation-states.</p><p>The U.S. public has an “appetite for more aggressive cyberactivity” and for “striking back” against those who conduct cyberattacks against American interests, according to Taddeo.</p><p>However, Taddeo says he is concerned that the U.S. private sector will be caught in the crossfire of this escalation involving the United States, Russia, China, and possibly Iran, when banks, power companies, and other critical infrastructure—largely controlled by the private sector in the United States—are targeted. </p><p>“The Russians don’t have that problem as much as the United States does because Russia is more autocratic,” Taddeo adds. 
“The private sector there doesn’t complain without permission from the regime and can tolerate more in a crisis.”</p><p>Those attack methods are also likely to trickle down to regional conflicts between nation-states with less cyber prowess, such as India and Pakistan. For instance, Taddeo says to look at the attack on the Bank of Bangladesh in 2016 when hackers stole $81 million.</p><p>“That type of attack may have been committed by a nation-state to obtain much needed cash resources or to embarrass a smaller state,” Taddeo says. “I think we’ll see more types of cyber conflict…some adopted by nation-states, some by super powers, but with all of these different tools becoming part of the arsenal.”</p><p>Taddeo adds that, with today’s technological advances and hacking services for hire, it doesn’t take a great deal of expertise to steal information and share it with organizations like WikiLeaks.</p><p>Either way, Taddeo says the “genie is out of the bottle” and actors and nation-states are now using cyber methods to conduct influence campaigns for strategic goals.</p><p>For the Kremlin, this includes gathering information and attempting to influence public—and government—opinion via social media in favor of Russia.</p><p>“Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting U.S. government employees and individuals associated with U.S. think tanks and NGOs in national security, defense, and foreign policy fields,” the U.S. intelligence report said. “This campaign could provide material for future influence efforts, as well as foreign intelligence collection on the incoming administration’s goals and plans.”</p>
<h4>Access and Iris Scans</h4><p>Physical Security. https://sm.asisonline.org/Pages/Access-and-IRIS-Scans.aspx</p><p>Next time you fly the friendly skies and take a bite of your airline-provided meal, you may be eating food prepared by Gate Gourmet, a global provider of airline catering and services, which has approximately 130 locations in 28 countries.</p><p>“There’s a great deal of skill and care that goes into producing the food that we provide to our customers,” says Richard Newman, director of corporate security at Gate Gourmet for the United States and Canada. “It’s important to Gate Gourmet that we deliver the highest quality product that we can, in the safest way we can.”</p><p>With approximately 25 catering facilities nationwide, Gate Gourmet serves airline clients that fly out of major U.S. airports.</p><p>One of Gate Gourmet’s larger facilities is located at the Washington Dulles International Airport near Washington, D.C. Employees at the location produce 18,000 to 25,000 meals a day, depending on the season.</p><p>“The busiest fast food restaurant you can think of probably does about 8,000 meals a day,” Newman says. “We’re doing three to four times that just out of the Dulles kitchen.”</p><p>Who gains access to Gate Gourmet facilities is crucial. “As part of a layered approach to security, it’s important that we make sure that the people that are supposed to be on the inside can get inside, and the people that aren’t, don’t,” Newman says.</p><p>Beyond protecting its product and the customers it serves, Newman adds that the U.S. Transportation Security Administration (TSA) has its own security guidelines Gate Gourmet must adhere to. 
</p><p>“Because we’re in the aviation industry—and there is a layer of security that the industry puts on everything that goes on an airplane—those rules apply to us as well,” he explains.  </p><p>The operation at a Gate Gourmet kitchen is complex, Newman says. It includes preparing the meals, packing them onto trucks, and delivering them directly to the airplanes and the flight attendants who will ultimately serve the food. </p><p>“When the trucks come back from the airfield, they’ll bring the carts that have the dirty dishes into the kitchen, then we go through the dishwashing process, wash the equipment, and then the whole process starts again,” he says.</p><p>To monitor the employees coming in and out of work, Gate Gourmet had been using hand geometry at its Washington Dulles location. With this biometric technology, a user places his or her hand over a scanner that measures the shape of the palm. </p><p>While the palm method was effective at identifying employees, it wasn’t necessarily efficient for the company. “We wanted to move into something that was faster, easier, and touch-free,” Newman notes.</p><p>In 2013, Gate Gourmet was on the lookout for a new biometric access control solution, and came across the iCAM iris reader from Iris ID at that year’s ASIS International Seminar and Exhibits in Chicago. “I saw their booth at the convention; they gave me a demonstration, and I was impressed,” Newman explains. </p><p>The Iris ID iCAM is a black rectangular box that mounts to the wall with a built-in camera that measures the iris. When a user approaches the scanner, it adjusts to their height; once it enrolls a user, the technology will automatically return to that setting when the employee uses it again. The viewfinder can also be manually adjusted.</p><p> “For many people it can take the picture and recognize your eyes through your glasses, through your contact lenses—that’s helpful to us,” Newman adds. 
</p><p>When the system is ready for enrollment and iris capture, a user walks up to the reader, standing about an arm’s length away, and a yellow light appears. Once the administrator presses the enroll button, and the user has the camera properly centered on the bridge of his or her nose, the light turns green. The technology also has an automated voiceover that guides the user through the process. </p><p>Once the iris is properly captured, the administrator adds the rest of the enrollee’s information and registers them as a user in the system. “There’s actually not a photograph stored; it’s all reduced to a code through an algorithm and stored in a database,” Newman explains.</p><p>The company evaluated four different solutions from vendors to replace the palm scanner. After narrowing it down to two technologies, including Iris ID’s iCAM, Gate Gourmet began pilot testing the products in February 2014 at Washington Dulles. During the testing, which lasted for two months, the company deployed one technology at the entrance where employees report to work and another at the exit where they leave the premises. </p><p>Gate Gourmet was impressed with the speed of the iCAM, as well as with the price point, which was similar to the palm technology already in place. Newman found that enrollment takes a matter of minutes, and daily use is even faster. </p><p>“It takes one or two seconds to check an employee in, which is four times as fast as the technology it’s replacing,” Newman notes. </p><p>He adds that iris identification results in fewer false positives—when the system thinks the iris belongs to someone else who is registered—than other biometrics like palm reading technology. This is because there are so many unique points within the eye that can be mapped out and recorded by the system, says Newman. </p><p>The company ultimately chose to go with Iris ID, and Newman says the deployment process has been seamless. 
“Of all the technology that I’ve deployed since I’ve started with the company, this has probably been the easiest rollout just because of the nature of the technology.” </p><p>Employees are granted access in and out of the facilities at the beginning and end of their shifts by having their irises scanned in nearly the same way in which they enrolled. </p><p>To be granted access, Gate Gourmet requires dual authentication. In addition to using the iris scanner, employees must introduce a credential to a card scanner. Newman adds that the iris enrollment process is only for employees. Visitors have a sign-in and escort protocol, and “visitors are issued specific media to identify them,” according to Newman. </p><p>The iris identification registration system is administrated from the Gate Gourmet headquarters in Dulles, Virginia, but each location with iCAMs has the ability to enroll and remove people from the system. This allows the company to keep the registration updated when employees leave Gate Gourmet.</p><p>The iris scanners are still being deployed across many of its locations, and Gate Gourmet hopes to eventually install the Iris ID iCAMs at all of its U.S. locations.</p><p>Newman emphasizes that upgrading from the previous biometric solution has not compromised security, but only enhanced it, for Gate Gourmet. </p><p>“We’re replacing biometrics with biometrics,” Newman says. “We haven’t surrendered anything by having the iris scanners—this is just the next generation for us.”  </p><p><em>For more information: Tom DeWinter, Iris ID, tdewinter@irisid.com, www.irisid.com, 609/819-4724 ​</em></p>
Surveillance and Stereotypes (Physical Security)
https://sm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspx

Juveniles make up 40 percent of the shoplifters in the United States. Shoplifters, in total, contribute to billions of dollars of loss each year, according to the National Association for Shoplifting Prevention’s 2014 report Shoplifting Statistics.

To combat adolescent shoplifting, according to the report, retailers depend on private security officers combined with other security measures, including security cameras, observation mirrors, and radio-frequency identification (RFID) tags.

The key to apprehending juveniles during or after shoplifting, however, is to correctly determine whom to surveil. Security personnel often rely on a combination of common underlying physical characteristics—race, gender, and age—and behavioral indices—glancing at clerks nervously, assessing security measures, and loitering—to distinguish shoppers from potential shoplifters.

Are these surveillance decisions a result of bias? To find out, the authors conducted original academic research funded by the John Jay College of Criminal Justice of the City University of New York on how stereotypes play into who is suspected of shoplifting, how that suspect is dealt with, and what private security can do to limit discriminatory practices.

Existing Data

A 2003 Journal of Experimental Psychology article, “The Influence of Schemas, Stimulus Ambiguity, and Interview Schedule on Eyewitness Memory Over Time,” which discussed research findings and lawsuits against retailers, concluded that stereotypes of juvenile shoplifters may unduly influence security officers to target juveniles on the basis of their physical characteristics, rather than their behaviors.

Over the past 20 years, the media has reported on cases in which the retail industry engaged in discriminatory practices. This is known as consumer racial profiling (CRP), “the use of race and or ethnicity to profile customers.” According to a 2011 study in the Criminal Justice Review, “Public Opinion on the Use of Consumer Racial Profiling to Identify Shoplifters: An Exploratory Study,” officers sometimes use CRP to determine which juvenile shoppers are potential or actual thieves.

Most people develop negative stereotypes about juvenile thieves through exposure to various types of media, particularly when they reside in areas that contain few minorities. The media has the unique ability to both shape and perpetuate society’s beliefs about which juveniles typically commit offenses through its selective coverage of crimes.

It is also common for the media to portray adolescents—particularly boys—as criminals. Biases are then used, whether consciously or unconsciously, in the private sector by retailers and security officers to target shoppers, and in the public sector by those in the legal system, including law enforcement officers, prosecutors, judges, and even legislators, to arrest and prosecute thieves.

The consequences of applying discriminatory practices can be seen in the private sector through lawsuits against retailers. Ethnic minority shoppers contend that they were targeted through excessive surveillance—and even through false arrests.

Researchers have shown that this automatic bias occurs even when observers are trained to focus on behavioral cues, and it persists despite findings that shoplifting occurs across racial and ethnic groups, according to the 2004 Justice Quarterly article “Who Actually Steals? A Study of Covertly Observed Shoplifters.”

Stereotypes also affect retailers’ decisions on how to handle shoplifters, either formally by involving the police, or informally. The results of accumulated discrimination, accrued during each step in the legal process—initial involvement of police, decision to prosecute, conviction, and sentencing—continue in the legal system. This is evidenced by the disproportionate number of African- and Latin-American boys shown in the apprehension and arrest statistics of juvenile thieves, compared to their representation in the population, according to Our Children, Their Children: Confronting Racial and Ethnic Differences in American Juvenile Justice, a book published by the Chicago University Press.

Current Research

To test the premise that there is a widespread stereotype of the typical juvenile thief and shoplifter, our research team obtained information from young adults in two diverse areas: 97 psychology-major college students in a small city in the U.S. state of Kansas, and 156 security and emergency management majors at a college in a large city in New York state.

Shoplifter profile. The psychology-major students were 83 percent European American. The rest of the students were represented as follows: 5 percent African American, 2 percent Asian American, 1 percent Latin American, and 9 percent of mixed or unknown descent.

The security and emergency management major students—72 percent of whom were male—came from a variety of backgrounds: 31 percent European American, 37 percent Latin American, 19 percent African American, 9 percent Asian American, and 2 percent Middle Eastern American.

Participants in both locations were asked to guess the common physical characteristics of a typical juvenile shoplifter—age, gender, ethnicity or race, and socioeconomic status.

The stereotypical juvenile shoplifters described by both the Kansas and New York respondents were remarkably similar: male, aged 14 to 17, and from lower- to middle-class families of African-American, Latin-American, or European-American descent. The two samples also indicated that the stereotypical thief was likely to have short or medium length brown or black hair and an identifying mark—such as a piercing.

These findings show commonality in the prevalence of certain physical characteristics, despite the diversity of the two groups of respondents, and demonstrate that American society has a well-developed juvenile shoplifter stereotype.

Decision processes. After determining the stereotype, the research team considered whether juvenile shoplifter stereotypes affected respondents’ decisions. The goal was to determine the degree to which the respondents believed that physical characteristics influenced the security guards’ decisions regarding whom to surveil, and what consequences to apply when a youth was caught stealing.

The New York respondents read a brief scenario describing a juvenile shoplifter as either male or female and from one of five backgrounds: European American, African American, Asian American, Latin American, or Middle Eastern American. However, the description of the overt behaviors by the juvenile was the same for every scenario—selecting and returning shirts in a rack, glancing around the store, and stuffing a shirt into a backpack.

Respondents provided their opinions about the degree to which the security officer in the scenario relied on physical characteristics in surveilling a juvenile, and whether the retail manager and security officer should impose informal or formal sanctions on the shoplifter. Researchers reasoned that respondents should draw identical conclusions for surveillance and sanctions if they were simply evaluating the juvenile shoplifters’ behaviors, but that students would have different recommendations for these choices if their racial or ethnic stereotypes were activated.

Respondents who indicated a preference for applying informal sanctions did so more frequently for girls of African-American and Middle Eastern-American descent. These respondents also assessed that the officer described in the scenario based his or her surveillance decisions on physical characteristics. No other gender differences for race or ethnicity were notable when considering reliance on physical characteristics.

Stereotypes also affected decisions on how to sanction the shoplifter. Respondents were given the option of implementing one of four informal sanctions: speak to the juvenile, call parents to pick up the juvenile, get restitution, or ban the youth from the store. Their selection of the least severe sanction—talk to the juvenile—was doled out at a higher rate for boys than for girls of each ethnicity except European Americans, which did not differ.

The moderate level sanction—call the youth’s parents—was selected more for girls than for boys of African and Latin descent. The most severe level sanction—ban the youth from the store—was selected more for boys than for girls of African descent. However, it was selected more for girls than for boys of Asian, European, and Middle Eastern descent.

Respondents who indicated a preference for applying formal sanctions attributed physical characteristics to the guards’ surveillance decision for girls more than for boys of Latin descent; gender differences were not apparent for the other ethnicities.

Respondents were also given five formal sanctions for the youths: involve the police, prosecute the theft as larceny, impose a fine, give the youth diversion or community service, or put the incident on the youth’s criminal record. Their selection of the least severe sanction—involve the police—was endorsed more for boys than for girls of Asian, European, and Latin descent, but more for girls than for boys of African descent. No gender difference was apparent for youths of Middle Eastern descent.

The most severe sanction—diversion or community service—was preferred more for boys than for girls of African descent. A small percentage of respondents endorsed a criminal record for the theft of a shirt, but only for girls of African and European descent and for boys of Middle Eastern descent.

Finally, a comparison of our data revealed that respondents believed informal—rather than formal—consequences should be imposed for girls rather than for boys of Asian and European descent, and for boys rather than for girls of Latin descent.

Lessons Learned

Our findings clearly demonstrate that people have stereotypes about juvenile shoplifters. They also showed that people unconsciously use the typical physical characteristics of gender and race or ethnicity associated with their criminal stereotypes to make decisions and recommendations, such as whom to surveil and how to handle a shoplifting incident. Otherwise, there would not have been a difference in how the juvenile shoplifter was processed or punished, because the behaviors exhibited by all of the juveniles were identical across scenarios.

Consumer racial profiling is a defective filtering system that may direct private security officers’ attention to characteristics that are not reflective of actual shoplifting conduct. Our data suggests that CRP not only hurts retail businesses by discouraging minority consumers from shopping in their stores, but also simultaneously prevents security officers from apprehending shoplifters.

Other research, such as “Juvenile Shoplifting Delinquency: Findings from an Austrian Study,” published in the 2014 Journal for Police Science and Practice, shows that only 10 percent of juveniles are caught shoplifting. Even more disconcerting, the typical shoplifter steals on average 48 to 150 times before being apprehended. Clearly, retailers need a better strategy if they are to reduce loss due to shoplifting.

Another issue that was addressed was the decision to involve the legal system. Many businesses, despite having posted prosecution warnings, reported only about half of the adolescent shoplifters they caught to the police.

Retailers instead focus on minimizing loss and negative publicity, and may rationalize against reporting the offense to the police because they do not want to stigmatize the adolescent or because they consider it a one-time incident, particularly when the juvenile admits to the theft and then pays for or returns the items, according to the U.S. Department of Justice’s (DOJ) Community Oriented Policing Services.

These beliefs, however, may be misguided. Though current research is scarce, a 1992 study—The Sociology of Shoplifting: Boosters and Snitches Today—indicated that 40 to 50 percent of apprehended adolescent shoplifters reported that they continued shoplifting.

There are benefits for retailers who involve the legal system, especially for informal police sanctions.

First, criminal justice diversion programs and psychological treatment and educational programs may reduce recidivism. For example, shoplifters who attended and completed a diversion program had significantly fewer re-arrests compared to those who failed to complete or did not attend, a DOJ study found.

Second, the private sector needs the support of the public sector to reduce shoplifting. Shoplifters can be given an opportunity to participate in first offender programs and, upon completion of classes on the effects of shoplifting, have their charges dismissed or even erased.

Recommendations

Retailers and private security officers need training to make them aware of their own biases and how their stereotypes affect their choices. They also need training to learn which behavioral indices are most effective in distinguishing shoppers from shoplifters.

If retailers do not make significant changes in guiding their employees—particularly security officers—towards objective measures of vigilance to prevent shoplifting, their financial loss will continue to be in the billions of dollars.

Private security officers must be taught how to treat all potential shoplifters, regardless of their gender, in the same way to prevent making mistakes and subjecting retailers to lawsuits for discriminatory security practices.

Overcoming unconscious biases is difficult. Prior to specialized training in bias identification and behavioral profiling, it is important to determine the biases of security officers. Self-assessment measures similar to the ones the researchers used in their study can be administered.

The officers should also keep records that specify each incident of shoplifting, what behaviors drew their attention to warrant surveillance, what act occurred to provoke them to approach the juvenile shoplifter, the items that were taken, the method used, the shoplifter’s demographics, how the situation was handled, who made the decision, and reasons for the decision. The officers should then review these records with their retail managers.

Retailers should also implement a mandatory training program to provide private security officers with the tools needed to identify shoplifting behaviors to increase detection and reduce shrink.

The incident records could be introduced and used to help identify the impact biases have on private security professionals’ decision making about juvenile shoplifters. It would also help security guards learn the various types of suspicious behaviors that shoplifters exhibit, such as juveniles who make quick glances at staff, examine items in remote aisles, monitor security cameras and mirrors, and purposefully draw employees’ attention away from others.

Additionally, a practical component would be to show surveillance videos of the behaviors exhibited by juvenile shoplifters of different gender and race or ethnicity. In this way, the findings of past studies showing the insignificance of race, ethnicity, or gender can be learned through real-world examples.

Dr. Lauren R. Shapiro is an associate professor in the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She has published several journal articles and chapters on the role of stereotypes in perception and memory for crime and criminals. Dr. Marie-Helen (Maria) Maras is an associate professor at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. She is the author of several books, including Cybercriminology; Computer Forensics: Cybercriminals, Laws, and Evidence; Counterterrorism; and Transnational Security.
Book Review: Enterprise Risk Management (Strategic Security)
https://sm.asisonline.org/Pages/Book-Review---Enterprise-Risk-Management.aspx

A curated collection of contributions by many expert authors, Enterprise Risk Management offers a comprehensive look at the risks that can endanger an organization. It covers everything from physical risks (environmental, health and safety, operational risk, project risk management, etc.) to intangible risks like cybersecurity. It has chapters on financial risk management, the role of insurance, global and strategic risk, and more.

Each chapter of this work can stand alone as a discussion of the risks associated with a particular area, such as supply chain management. Although this book cuts a wide swath, several chapters stand out as being particularly interesting.

The chapter on the insider threat (what the book calls human capital risk) is outstanding. It covers all of the different types of trouble that employees can get into, and discusses how to manage and avoid those risks. The only shortfall with this section is that it assumes that all of the actions of the insider are malicious; in practice, many well-intentioned employees have damaged their employers merely by clicking on a malicious link. Phishing, in all its forms, has become part of the insider threat spectrum, and should be treated as such.

The chapter on risk culture contains a fascinating section on how the attempts to control some forms of risk through the use of incentive programs end up exacerbating the very problems they seek to avoid. This section, while interesting, also shows the depth of this book: if you can’t find it here, there’s a good chance you don’t need to worry about it.

All of the risks discussed are organized via a common framework: risk context, assessment, treatment, monitoring, and review. This framework will be familiar to anyone with experience in ISO 31000 Risk management—Principles and guidelines, although there is little discussion of the standard in the book, where it appears only in the footnotes.

Finally, the book ends with a case study on the rise and decline of Blockbuster, the video rental chain, and how it was felled by Netflix. It is relevant because it is an example that most readers are familiar with, and it shows how an incorrect assessment of risk can have catastrophic consequences.

Because of its breadth and depth, Enterprise Risk Management may have difficult sections for many readers. For example, the areas on financial risk may not be of interest to someone interested in brand risk. This points to a strength in this book: an authoritative work, it best belongs in the enterprise risk management department of an organization, on the chief risk officer’s desk, in internal audit, and most importantly, in the CEO’s office.

Reviewer: Ross Johnson, CPP, is the senior manager of security and contingency planning for Capital Power. He is an ASIS Council Vice President and the author of Antiterrorism and Threat Response: Planning and Implementation. He is an executive committee member of the North American Electric Reliability Corporation’s Critical Infrastructure Protection Committee, and is the infrastructure security advisor for Awz Ventures, Inc.
Wells Fargo To Pay $110 Million To Settle Class Action Lawsuits (Strategic Security)
https://sm.asisonline.org/Pages/Wells-Fargo-To-Pay-$110-Million-To-Settle-Class-Action-Lawsuits.aspx

Wells Fargo & Co. will pay $110 million to settle several class action lawsuits brought in the wake of its mass unauthorized account scam, it announced in a statement (https://www.wellsfargo.com/about/press/2017/class-action_0328.content).

“This agreement is another step in our journey to make things right with customers and rebuild trust,” said Wells Fargo CEO Tim Sloan in a statement. “We want to ensure that each customer impacted by our sales practices issue has every opportunity for remediation, and this agreement presents an additional option.”

A dozen class action lawsuits were filed against Wells Fargo after it was disclosed in 2016 that employees at the financial institution created almost 2 million unauthorized customer accounts to generate millions in fees that profited the company.

The $110 million will be set aside for customer remediation, and will be used to pay customers for out-of-pocket losses, such as fees incurred due to unauthorized account openings, as well as for attorneys’ fees and administrative costs.

“The settlement class will consist of all persons who claim that Wells Fargo opened an account in their name without consent, enrolled them in a product or service without consent, or submitted an application for a product or service in their name without consent during the period from January 1, 2009, through the date the Settlement Agreement is executed,” according to the Wells Fargo statement.

A court must still approve the settlement agreement before funds can be distributed.

This settlement is the second major settlement Wells Fargo has agreed to related to the scandal. In September 2016, the financial institution agreed to pay $190 million to settle claims brought by government agencies, including the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, and the city and county of Los Angeles, The National Law Journal reports (http://www.nationallawjournal.com/id=1202782282906).

“Only $5 million of the payment went to customers, who are the class members in the lawsuits against Wells Fargo,” according to the journal.

For more on the Wells Fargo scam and fraud trends at financial institutions, read Security Management’s March cover story “Teller Trouble” (/Pages/Teller-Trouble.aspx).
https://sm.asisonline.org/Pages/Outdated-Protocols-and-Practices-Put-the-IoT-Revolution-at-Risk.aspxOutdated Protocols and Practices Put the IoT Revolution at RiskGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Linking physical objects in the real world to the virtual world, enabling “anytime, anyplace, and anything” communication was once the stuff of science fiction. However, it is made real today with the Internet of Things (IoT), which is widely considered to be the next phase of the Internet revolution.​</p><p>Knowing this, it could be expected that the protocols and infrastructure supporting the IoT would be just as advanced—but this is not the case. Instead, the technology underpinning the IoT is straight out of the 1990s or early 2000s—more Sega Dreamcast than PlayStation 4.</p><p>It’s no surprise that the tech industry and the public are falling head-over-heels for the possibility to connect everything, from our toothbrushes to our city infrastructure, to the Internet. However, the more devices we connect, the more opportunities there are for cyber criminals. </p><p>By getting carried away by the opportunity technology brings, we are charging ahead without considering the risks and without securing the technology. Before organizations continue to connect devices to the network, there needs to be a secure foundation to build up from. </p><p>The fundamental standards, which IoT devices have to comply to, must be secure so no one device can be breached and used as an entry point for the whole system. In 2015, the U.S. Federal Trade Commission recommended that security be baked into devices from the beginning—not as an afterthought. </p><p>Yet research from HP in its Internet of Things Research Study showed that 70 percent of the commonly used IoT devices had severe security issues. And there are critical vulnerabilities at the very core of many IoT networks. 
</p><p><strong>Smart Homes and Buildings</strong><br>The trend of automated buildings and making homes smarter by leveraging the IoT to save energy, increase comfort, or add capabilities for remote monitoring and control is on the rise. However, there are issues with the development of smart buildings and homes.​</p><p>A smart home using home automation is likely to have IoT devices that cover the following areas:</p><p><strong>HVAC Control. </strong>Smart HVAC units control room temperature, as well as automated ventilation systems, which can be switched on to replenish clean air based on temperature, moisture, smoke, heat, dust, or carbon dioxide levels in the unit.</p><p><strong>Light Control.</strong> In conjunction with smart bulbs, these units can adjust lighting behavior according to the presence of people in a designated space. Smart lights can be automatically switched off when the unit is empty and dimmed when there is natural light.</p><p><strong>Smart Surveillance. </strong>Intelligent surveillance systems record activity in the smart home, allowing authorities to remotely monitor where individuals are inside.</p><p><strong>Smart Door Locks. </strong>Smart door locks can be opened or locked remotely by a user. They can also track people entering or leaving the premises, and can act upon this by notifying the inhabitants or authorities. Researchers have found fundamental flaws in this automation system that leave people at risk, such as hackers using simple attacks to open and unlock the doors.</p><p>These systems often utilize wireless IoT protocols, such as ZigBee and Zwave, which have become their greatest asset and their greatest weakness. Wireless networks are prone to jamming (attackers try to prevent sensors from contacting the central hub by blocking the signal), the communication can be eavesdropped on to gather secret keying material, and is vulnerable to replay attacks (attackers inject recorded packets, e.g. 
a “door open” command to a door lock, or a “no-motion” command to a motion sensor, into the communication destined for the connected device or sensor).</p><p><strong>The ZigBee Wireless Communication Standard</strong><br>ZigBee is a standard for personal area networks developed by the ZigBee Alliance, which includes companies like Samsung, Philips, Motorola, Texas Instruments, and many others. ​</p><p>ZigBee’s aim is to provide a low cost, low power consumption, two-way, reliable, wireless communication standard for short-range applications. ZigBee is used for: remote controls, input devices, home automation, healthcare, and smart energy.</p><p>Devices on a ZigBee network communicate using application profiles. Those profiles are agreements for messages, like a common alphabet and language, that enable developers to create an interoperable, distributed application employing application entities that reside on separate devices. If a manufacturer wants a device to be compatible with certified devices from other manufacturers, the device must implement the standard interfaces and practices of certain profiles, such as the Home Automation profile.</p><p>The Home Automation profile relies on secrecy of key material and secure initialization and transport of its encryption keys. Recent research by Cognosec shows that keys can be compromised by attackers by passively sniffing and using weaknesses in the standard. </p><p>Sniffing in this context is best described as passively eavesdropping on wireless communication. An attacker could compromise the key by either listening to the initial setup of the devices or by imitating a legitimate device trying to "rejoin" a network.</p><p>During this rejoin the attacker would pretend to have lost key material needed to communicate with the management hub and send an unencrypted rejoin request there. This causes the hub to send out new keys, a process that should be protected by another key. But, crucially, that key is publicly known. 
Ultimately, using this approach an attacker could request the active network-level encryption key.</p><p>As the Home Automation profile covers devices from lights to HVAC systems and door locks, this compromise might lead to serious security issues. Cognosec demonstrated the issue at the DeepSec Conference in Vienna in 2015 by opening a Yale door lock over ZigBee without holding the proper key. Security vulnerabilities from this kind of compromise are made worse because the fallback mechanism in the standard has to be implemented by every vendor that wants to market certified devices.</p><p>To remain compatible with devices that have not been pre-configured or are unknown to a ZigBee network, a default fallback mechanism was implemented that is considered a critical risk.</p><p>This fallback is used if devices from different vendors are connected to each other initially, or if new devices are joined to an existing ZigBee network and they have not been pre-configured in the same way.</p><p>A single smart home or building with vulnerabilities may not seem like a problem at first, but a network of smart buildings—or a smart city—being breached could prove to be disastrous.</p><p><strong>ZWave Wireless Communication Standard</strong><br>ZWave also stands at the forefront of the IoT revolution. It was designed in 2001 by Zen-Sys, which was later acquired by Sigma Systems.</p><p>The ZWave standard does not require encryption support, so one can safely assume that vendors will only implement the bare minimum needed to get their products to market. 
This makes ZWave networks vulnerable to replay and eavesdropping attacks.</p><p>Two security researchers—Joseph Hall and Ben Ramsey—showed that few IoT devices are using encryption, and for those that are used for critical applications—like door locks—security is an opt-in feature that has to be enabled by the user.</p><p>In a demonstration at the ShmooCon 2016 Security Conference, ZWave-controlled light bulbs were physically destroyed in less than 24 hours by an attacker who gained access to the ZWave network using openly available information and some technical know-how.</p><p>It should be noted, though, that starting on April 2, 2017, the ZWave Security Framework S2 will be mandated on all devices. However, this will not fix issues on the devices that are already on the market and in stock. Future security research on the S2 framework should be conducted.</p><p>Besides this threat, implementation errors have been found in the firmware controlling door locks that allow an attacker to control the lock and prevent it from reporting its state to a central controller unit.</p><p><strong>Connecting to the World</strong><br>The adoption of IoT technology and increased outside connectivity in critical infrastructure could pose more critical risks to the energy and water supply, as well as to industrial control systems. </p><p>Recent research from Germany conducted in 2016 by internetwache.org shows that the water supply infrastructure is vulnerable and could be controlled by hackers because it’s not properly secured against outside attacks. In this particular case, it was not the lack of a security feature or faulty implementations of a wireless protocol that made the system vulnerable. 
Instead, it was the software vendor used to manage Germany’s water supply plants that did not implement security, leaving security configuration up to the plants themselves.</p><p>This is an example of a new threat to critical infrastructure as it evolves from closed to open systems. Historically, industrial control systems (ICS) were designed to operate on an isolated network to protect them from security threats. Well-established physical security measures and the need to be physically present to harm the system provided a decent level of security, even if the IT systems themselves were not sufficiently secure.</p><p>Now, as more devices are connected to the Internet, they communicate with each other and form huge networks of machine-to-machine communication. The result is a massive growth of the attack surface and an increase in the potential effect an attack could have. By making systems interoperable, as is the current trend with the IoT, hacking one device could open up a Pandora’s box of security breaches.</p><p>Another fact making this problem worse is that some software vendors used by critical infrastructure—like in Germany—delegate security to the customer; a customer that normally has neither the necessary awareness nor the know-how to properly secure the now open infrastructure, as IT is not its core business.</p><p><strong>Conclusion</strong><br>Security issues affecting buildings, power, and water supply plants—or even door locks—have been around for years. Still, every few months new threats arise, and the situation is worsened by adding network connectivity to devices, which broadens the attack surface.</p><p>Security must be built into devices and configured to be the default, not the exception or the responsibility of the end user. The U.S. 
National Institute of Standards and Technology released a publication on this issue in 2016, which called for assigning a level of trustworthiness to a device and applying security considerations to it from the very beginning. </p><p>By integrating security from the design phase to the product development and life-cycle management phase, instead of adding security features or monitoring hardware after the device has been purchased, devices will be more resilient against attacks than they are now. <br><br>Until we can resolve these issues, and create new, secure protocols, IoT hacks will increase exponentially in volume and severity.</p><p><em>Florian Eichelberger is an information systems auditor at Cognosec. </em><br></p>
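The ZigBee rejoin and key-transport behaviour described in this article, viewed from the monitoring side, as an added example that is not code from the article or from Cognosec: a small Python checker that walks a constructed log of already-parsed ZigBee frames and flags an unsecured rejoin request from a device that had previously been talking with network security, followed by the hub re-issuing the network key, and separately notes key transport during an initial join. The log format, the frame kind names, the alert rules and the use of 0x0000 for the coordinator are assumptions made for this example.

```python
"""Detector for the insecure ZigBee rejoin pattern described above.

Added example; it is not code from the article or from Cognosec. The input
is a constructed summary of already-parsed ZigBee frames, one per line:

    <seq> <src> -> <dst> <layer>:<kind> secured=<0|1>

The field names, the frame kinds and the use of 0x0000 for the coordinator /
management hub are assumptions made for this example.
"""
from dataclasses import dataclass

COORDINATOR = 0x0000  # assumption: the hub that issues network keys


@dataclass(frozen=True)
class Frame:
    seq: int
    src: int
    dst: int
    layer: str      # "NWK" or "APS"
    kind: str       # e.g. "Data", "RejoinRequest", "TransportKey"
    secured: bool   # was the frame protected with a network key?


@dataclass(frozen=True)
class Alert:
    seq: int
    device: int
    severity: str
    reason: str


def parse_frame(line: str) -> Frame:
    """Parse one line of the constructed log format."""
    seq, src, arrow, dst, layer_kind, secured = line.split()
    if arrow != "->":
        raise ValueError(f"bad line: {line!r}")
    layer, kind = layer_kind.split(":", 1)
    return Frame(int(seq), int(src, 16), int(dst, 16), layer, kind,
                 secured.split("=", 1)[1] == "1")


def detect_key_exposure(frames, window: int = 5) -> list:
    """Walk the frames in order and return the alerts they raise.

    medium: an unsecured RejoinRequest from a device that earlier sent
            NWK-secured traffic. A device still holding the network key has
            no reason to rejoin unsecured; doing so is the "I lost my key
            material" claim the attack is built on.
    high:   within `window` frames of such a rejoin, the coordinator sends a
            TransportKey to that device, i.e. the hub re-issued the network
            key to a device that never proved it held the old one.
    info:   a TransportKey to a device with no prior secured traffic, i.e. an
            initial join. Not an attack by itself, but the moment an
            eavesdropper can capture the key if it is protected only by the
            publicly known default link key.
    """
    secured_seen: set[int] = set()
    pending: dict[int, int] = {}   # device -> seq of its suspicious rejoin
    alerts: list[Alert] = []
    for f in frames:
        if f.layer == "NWK" and f.secured and f.src != COORDINATOR:
            secured_seen.add(f.src)
        if f.kind == "RejoinRequest" and not f.secured and f.src in secured_seen:
            alerts.append(Alert(f.seq, f.src, "medium",
                                "unsecured rejoin from a device that previously used network security"))
            pending[f.src] = f.seq
        elif f.kind == "TransportKey" and f.src == COORDINATOR:
            if f.dst in pending:
                if f.seq - pending.pop(f.dst) <= window:
                    alerts.append(Alert(f.seq, f.dst, "high",
                                        "network key re-issued right after an unsecured rejoin"))
            elif f.dst not in secured_seen:
                alerts.append(Alert(f.seq, f.dst, "info",
                                    "key transport during initial join observed over the air"))
    return alerts


def run(log_text: str) -> list:
    frames = [parse_frame(l) for l in log_text.splitlines() if l.strip()]
    return detect_key_exposure(frames)


# Constructed sample: 0x1a2b talks securely, then "forgets" its key and the
# hub hands out the network key again; 0x3c4d rejoins securely (benign);
# 0x5e6f is a brand-new device receiving its first key.
SAMPLE_LOG = """\
1 0x1a2b -> 0x0000 NWK:Data secured=1
2 0x0000 -> 0x1a2b NWK:Data secured=1
3 0x1a2b -> 0x0000 NWK:RejoinRequest secured=0
4 0x0000 -> 0x1a2b NWK:RejoinResponse secured=0
5 0x0000 -> 0x1a2b APS:TransportKey secured=0
6 0x3c4d -> 0x0000 NWK:RejoinRequest secured=1
7 0x0000 -> 0x3c4d NWK:RejoinResponse secured=1
8 0x0000 -> 0x5e6f APS:TransportKey secured=0
"""

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"[{a.severity}] seq={a.seq} device=0x{a.device:04x}: {a.reason}")
```

A real deployment would feed the checker from a sniffer's decoded frames rather than this text summary, and the "info" rule is what a hub policy that refuses unsecured rejoins and uses device-specific link keys removes.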
https://sm.asisonline.org/Pages/Four-Killed-In-U.K.-Parliament-Attack.aspx Four Killed In U.K. Parliament Attack (National Security)<p><strong>Update: 23 March 2017, 11:50 a.m.</strong></p><p>British authorities identified the man responsible for Wednesday's terror attack as 52-year-old Khalid Masood, according to a <a href="http://news.met.police.uk/news/update-westminster-attack-man-believed-responsible-named-230160" target="_blank">press release from the London Metropolitan Police.</a></p><p>Masood was born in Kent, and authorities believe he was recently living in the West Midlands in England.</p><p>"Masood was not the subject of any current investigations and there was no prior intelligence about his intent to mount a terrorist attack," the Met said. "However, he was known to police and has a range of previous convictions for assaults, including GBH, possession of offensive weapons, and public order offenses."</p><p><strong>Update: 23 March 2017, 10:50 a.m.</strong></p><p>The Islamic State claimed responsibility for Wednesday's terrorist attack in London outside the U.K. Houses of Parliament. The assailant--whose identity has not been released--was a British-born man known to the U.K.'s domestic intelligence agency and previously investigated for connections to violent extremism.</p><p>U.K. Prime Minister Theresa May said the assailant was a "peripheral figure" that was examined by MI5, but was not "part of the current intelligence picture," according to <em><a href="https://www.nytimes.com/2017/03/23/world/europe/london-attack-uk.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=photo-spot-region&region=top-news&WT.nav=top-news" target="_blank">The New York Times. 
</a></em></p><p>Authorities believe the assailant acted alone, but continue to investigate the incident while Britain remains at a "severe" threat level.</p><p>"Yesterday, an act of terrorism tried to silence our democracy," May said. "We are not afraid, and our resolve will never waver in the face of terrorism."</p><p>Two of the victims killed in Wednesday's attack have also been identified. A Mormon church official <a href="https://apnews.com/e2b6328601424b8581bddc263b1071a2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP">told the AP</a> that one of its members--Kurt W. Cochran--was killed in the attack while in London to celebrate his 25th wedding anniversary.</p><p>Officials also released the name of the police officer who was killed in the incident: Constable Keith Palmer, a 48-year-old police officer who formerly served in the Royal Artillery.</p><p><strong>Update: 22 March 2017, 4:00 p.m.</strong></p><p>Four people were killed in a terror attack outside the U.K. Houses of Parliament on Wednesday afternoon. Police shot and killed one assailant involved in the attack, but a major security operation remains underway in London.</p><p>Details of the attack—being called a terrorist incident—remain unclear, but <em><a href="https://www.nytimes.com/2017/03/22/world/europe/uk-westminster-parliament-shooting.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=photo-spot-region&region=top-news&WT.nav=top-news&_r=0" target="_blank">The New York Times</a></em> reports that security officers shot an assailant outside of Parliament after the individual stabbed a police officer. A motorist on an adjacent bridge also hit at least five pedestrians. 
However, it remains unknown if the assailant—whose name has not been released—and the motorist were the same individual.</p><p>At least 20 people were injured in the attack, in addition to the four casualties that included the police officer. Three French schoolchildren were among those injured, <a href="http://www.reuters.com/article/us-britain-security-photographer-idUSKBN16T1Y5" target="_blank">according to Reuters.</a></p><p>“This is a day we’ve planned for but hoped would never happen. Sadly, it’s now a reality,” said Mark Rowley, head of counterterrorism at the Met, in an interview with <em><a href="https://www.theguardian.com/uk-news/2017/mar/22/westminster-attack-man-shot-by-police-and-several-hurt-in-nearby-incident" target="_blank">The Guardian</a></em>. 
“The attack started when a car was driven over Westminster Bridge hitting and injuring a number of members of the public, also including three police officers on their way back from a commendation ceremony.</p><p>“The car then crashed near to Parliament and at least one man armed with a knife continued the attack and tried to enter Parliament.”</p><p>Authorities are now conducting a full counterterrorism investigation into the incident, and are asking the public to stay away from an area of central London, report suspicious activity, and share any video or images of the attack.</p><p>"Londoners should be aware that there will be additional armed and unarmed police officers on our streets from tonight in order to keep Londoners, and all those visiting our city, safe," said London Mayor Sadiq Khan in a statement posted to his Twitter feed.</p><p>Parliament was in session when the attack occurred at roughly 2:40 p.m. local time, and those in the House of Commons chambers were told to stay in place as officers searched the facility.</p><p>The attack occurred on the one-year anniversary of the <a href="/Pages/Terrorist-Attacks-in-Brussels-Leave-Numerous-Dead.aspx" target="_blank">Brussels attacks</a>, where terrorists bombed the Brussels airport and a metro station.</p><p>This is a developing story. <em>Security Management </em>will continue to update this post as more information is confirmed.</p>
https://sm.asisonline.org/Pages/Women-in-Executive-Protection.aspx Women in Executive Protection (Strategic Security)<p>Although plenty of women enjoy the benefits of executive protection (EP), not many actually work in the field. And that’s a shame—because women have plenty to give in this growing industry. Following are four lessons I have learned from the real world as a woman working in executive protection.</p><h4>Women bring a different perspective (and go-bag gear) to EP. </h4><p>And that’s a good thing. Looking at things differently has advantages in any situation, but it can be especially important when protecting a female client. </p><p>Case in point: Like most EP agents, I carry a “go bag” wherever I travel with a client. Of course, I always bring along my personal medical kit, phone chargers, and so forth. But I also add a few things that leave my male coworkers wondering: clear nail polish, super glue, and hair ties. Really? Yes, really. Clear nail polish is worth its weight in gold if a client gets a run in her pantyhose. Super glue is invaluable if a heel snaps. Hair ties? You always need an extra hair tie. </p><p>A lot of men in EP think that it’s not our job to take care of little things like these—that they distract from the core mission to keep the client safe and secure. I’d like to add a few things to our job description as EP professionals. Beyond keeping clients safe, it’s also up to us to make sure they stay happy and productive.</p><p>Carrying a bag with items someone might need helps across the board. In addition to reducing unproductive delays and preventing embarrassment or children’s tears, it also has security advantages: we don’t need to enter unknown areas for last-minute purchases. 
Women are more likely to consider these needs in advance.</p><h4>Women blend in better than men.</h4><p>Two male coworkers and I once worked a detail for a family with small children. Whenever we advanced a location, our point of contact would invariably look at the men and ask what they needed to know for security purposes. After they toured us all around, they would ask me if I had any questions pertaining to the itinerary. </p><p>I told them I had no issues, but if they had any itinerary questions they should contact the assistant who was handling the schedule. “But aren’t you the assistant?” they’d blurt. This happens nearly every time I’m with a male coworker conducting an advance. Outsiders see them as the security detail and assume that I am the assistant. </p><p>While some may find this insulting, I use it to my advantage. It’s fine with me if people think I am the nanny or assistant. This prevents them from asking too many questions or getting anxious about why security is around. It helps me blend into the background. It’s also a welcome relief to clients who sometimes want to keep a low profile and just feel “normal” instead of being surrounded by security wherever they go.</p><h4>Women can go places men can’t.</h4><p>I can easily walk into a women’s restroom to wash my hands and find out whether the client needs help or is just chatting with someone. There’s no need to awkwardly walk into the opposite sex bathroom and look around for the principal. It’s important that protective agents can sometimes be with the principal in bathrooms, dressing rooms, and hotel suites without being inappropriate. By not disrupting the client and by blending into surroundings, female agents raise fewer eyebrows and inspire less suspicion.</p><h4>It’s all about the team.</h4><p>I have been extremely fortunate to work with an amazing group of people—mostly men, because there are very few other women working in the industry. 
The importance of having a good team cannot be exaggerated. EP is not a one-person show, it’s a team effort.</p><p>Coming into a new company and working with a new client can be daunting enough. If you have the added burden of proving your worth to male coworkers, it just gets harder. </p><p>Fortunately, all the men that I work with have been supportive, kind, and understanding of the struggles women have in the industry. They’ve helped me achieve my career goals. I have also been blessed with a team leader who works extremely hard to actualize the team. Encouraging and managing team diversity isn’t always easy, but it’s worth it. Better and stronger teams rely on each other, help each other, and support each other to keep our principals safe, productive, and happy. </p><p>It is possible to create amazing, cohesive teams that include both women and men. I hope that other women will find rewarding careers in EP with both male and female coworkers that encourage everyone on the team to grow. </p><p><em><strong>Rachael Paskvan </strong>is an executive protection agent with AS Solution and a member of the ASIS San Francisco Bay Area Chapter.</em></p>
https://sm.asisonline.org/Pages/Servant-Leader-Counterpoint---President-Trump.aspx Servant Leader Counterpoint: President Trump (Strategic Security)<p>U.S. President Donald J. Trump is no servant leader. He does not invert the traditional power model to put his staff at the top, and himself at the bottom.</p><p>“He puts himself at the center. He’s not about the group,” says leadership expert Barry Strauss, a professor of history and classics and humanistic studies at Cornell University.</p><p>Nonetheless, Trump now holds the top public leadership position in the United States. By dint of that status alone, his leadership will be influential. The constant media attention, scrutiny, and television time that a president generates ensures this. </p><p>However, trying to contextualize Trump in the broader field of leadership is a tricky task, says Strauss, who is also a military historian and author of The Death of Caesar, Masters of Command, and other volumes. “Various people come to mind, but he’s not a perfect fit for any one of them,” says Strauss. Instead, Trump seems to possess “bits and pieces” of leadership traits of historically famous leaders.</p><p>On one hand, Trump is visibly self-confident, a leader who has a tendency to “go with his gut,” and in the process sometimes ignore advice from advisors. President Franklin Roosevelt had a similar tendency, Strauss says.</p><p>Trump also clearly places great stock in the idea that practical wisdom, more than knowledge accumulated from voracious book reading or a formal education, is tremendously important. Trump also touts his own strength, and is invested in being perceived as tough, and as someone who drives the hardest of bargains. In this, he is like Gaius Julius Caesar, the legendary Roman politician and general who was self-promotional in his political career, Strauss says.  
</p><p>In fact, both Trump and Caesar are leaders who achieved part of their fame as authors, writing books that were, among other things, vehicles for self-promotion. While campaigning for president, Trump often pointed to his bestselling The Art of the Deal book as evidence that he could negotiate extraordinary trade deals as president.  </p><p>However, Strauss also emphasizes the clear difference between the two. Caesar was regarded as a masterful orator and prose stylist; by most accounts Trump is neither. And Caesar had an acclaimed military career, while Trump never served.  </p><p>But while clearly not a servant leader, Trump’s leadership style is in the mold of another recognizable type of leader–the charismatic leader, whose authority is built partly on personal charisma (and in Trump’s case, a “charismatic lifestyle” filled with opulence). That gives Trump’s leadership style some affinity with President Ronald Reagan’s, but there is a difference. Reagan used acting techniques to enhance his speaking style, which earned him the nickname “The Great Communicator.” Trump is a specific type of charismatic leader–not a galvanizing communicator, but a showman, Strauss says. </p><p>Trump is forthcoming in his interest in showmanship. To illustrate, Strauss cites remarks Trump made during a revealing interview in the 1990s with Playboy magazine. When asked about his heroes, Trump cited Broadway impresario Flo Ziegfeld and Metro-Goldwyn-Mayer studio cofounder Louis B. Mayer. “The ultimate job for me would have been running MGM in the 30s and 40s,” Trump told the magazine. Indeed, Trump described his opulent assets of casinos and Trump Towers as “props for the show.”</p><p>In the same interview, Trump also discusses his relationship with his staff. He prizes loyalty, but unlike a servant leader, who is focused on empowering and uplifting employees, Trump favors testing staffers to see if they will stay loyal and make good decisions. 
</p><p>“I am always testing people who work for me,” Trump said. “I will send people around to my buyers to test their honesty by offering them trips and other things. I’ve been surprised that some people least likely to accept a trip from a contractor did and some of the most likely did not. You can never tell until you test.”</p><p>Whether Trump’s leadership style will trickle down into the executive suites of U.S. workplaces will ultimately depend on his success, Strauss argues. Trump himself derides many as “losers,” so if his administration runs into serious problems, he could be deemed a loser by those looking to emulate a leader. But peace and prosperity in a Trump administration, Strauss says, will likely mean that more U.S. business leaders will be asking themselves, “Is there something I can learn from this?”</p>
https://sm.asisonline.org/Pages/A-Picture-of-U.S.-Crime-.aspx A Picture of U.S. Crime (National Security)<p>“We need more transparency and accountability in law enforcement. We also need better, more informed conversations about crime and policing in this country,” U.S. FBI Director James Comey said when his agency issued its most recent national crime statistics late last year.</p><p>And so, the FBI is moving forward on two major initiatives toward this goal. The agency has started collecting information for its first nationwide use-of-force database. This will be an online database containing information on interactions—both nonfatal and deadly—that U.S. law enforcement officers have with the public.</p><p>Back in 2014, the U.S. Congress passed the Death in Custody Reporting Act (DCRA), which required states and federal law enforcement agencies to report data to the U.S. Department of Justice (DOJ) when civilians died during interactions with law enforcement. The DCRA also authorizes the U.S. attorney general to impose financial penalties on noncompliant states.</p><p>However, the DCRA did not require reporting for nonfatal interactions. In the absence of such a mandate, the FBI has been partnering with local, state, tribal, and federal law enforcement to set up a system for national data collection about nonlethal incidents. Comey himself had repeatedly advocated for a more comprehensive use-of-force database, as he called the lack of national data on the use of force “embarrassing and ridiculous.”</p><p>The second initiative is a change in the agency’s primary crime reporting system. 
For years, the FBI’s Uniform Crime Reporting (UCR) program has played this role, but five years down the road, the agency plans to replace it with the National Incident-Based Reporting System (NIBRS).</p><p>Although the UCR system keeps track of the number of homicides, armed robberies, aggravated assaults, and other crimes, agency officials say it does not go far enough in collecting information that could give indications of why crimes occur, and what can be done to prevent them.</p><p>In contrast to the UCR, the NIBRS offers a fuller picture of incidents of crime, with information about what exactly transpired, demographic information about the people involved, the relationship between the perpetrators and victims, and specific location and time coordinates.</p><p>But as of a few months ago, only roughly a third of law enforcement agencies were reporting into NIBRS. The FBI’s goal is to have all enforcement agencies doing so by 2021, if not sooner. To help lead the way, the FBI has started to publish more data from its field offices about such offenses as human trafficking, hate crimes, and cyber intrusions.</p><p>“Information that is accurate, reliable, complete, and timely will help all of us learn where we have problems and how to get better,” Comey said.</p>
https://sm.asisonline.org/Pages/Ramping-Up-Resilience.aspx Ramping Up Resilience (Strategic Security)<p>America’s national defense has many components. Some of the lesser known pieces are utilities—the nearly 2,000 electric, water, wastewater, and natural gas systems that help the U.S. Department of Defense (DoD) accomplish its mission. When these systems fail, military operations can be disrupted, and national defense can become a bit weaker. </p><p>In recent years, these systems have failed thousands of times, according to a recent study conducted by the U.S. Government Accountability Office (GAO), which examined a representative sample of 453 DoD-owned utilities. The survey found that 4,393 instances of disruption occurred in fiscal years 2009 through 2015, resulting in a financial impact of $29 million. </p><p>These disruptions take many forms. At Joint Base McGuire-Dix-Lakehurst in New Jersey, operations were shut down for an entire week after a power line exploded. The power line had been installed in 1945, and was past its expected service life, base officials explained to GAO researchers. After the shutdown, the facility ran on generator power for the next three weeks while repairs to the line were completed.</p><p>At Naval Auxiliary Landing Field San Clemente Island in California, seven utility poles caught fire and caused an eight-hour islandwide electrical disruption. The fire occurred because the poles’ insulators, which are used to attach lines to the pole so that the electricity will not flow through the pole itself, were corroded and covered with salt, dust, and debris, the report found. This debris formed a conductive layer on the insulator that created an electricity flashpoint that resulted in a fire. </p><p>And there are disruptions due to weather. 
At Naval Weapons Station Earle in New Jersey, Hurricane Sandy’s storm surge in 2012 destroyed utility infrastructure, disrupting potable and wastewater service and resulting in almost $26 million in estimated repair costs.</p><p>Of those 4,393 disruptions, 1,942 involved water utility systems, 1,838 involved electric utility systems, 343 involved wastewater systems, and 270 involved natural gas utility systems. The Air Force suffered the most frequent disruptions, with 2,036. Next came the Navy (1,487), the Army (784), and the Marines (86). </p><p>The equipment failures that led to the disruptions were often caused by one of three main factors, the study found: the equipment was operating beyond its intended lifespan; the equipment was within its lifespan, but still in generally poor condition; or the equipment’s performance suffered because it had not been properly maintained. </p><p>This finding points to a fundamental challenge for DoD and other federal agencies: real-world budget constraints mean that DoD does not have the funding to upgrade every single system that has outdated equipment. Building resilience under such circumstances is not easy, and it sometimes requires a strategic plan with an achievable baseline goal, says Jason Black, director of analytic insights for Huntington National Bank and a utility policy expert who is also a former U.S. military officer. </p><p>A strategic plan with a goal of sustaining round-the-clock operations every day of the year would be difficult to achieve. A more realistic plan, however, could allow for some disruptions, with a goal of limiting them. 
For example, the goal could be to limit disruptions to 10 times a year, with each disruption lasting no more than an hour, Black says.</p><p>In striving for this goal, the plan may sketch out how older and more vulnerable utilities would be supported by back-up systems or localized generators, and other special configurations that would be needed to deal with different scenarios. “It’s one thing if a whole base goes out. It’s another thing if just one maintenance facility goes out,” Black says.</p><p>This type of strategic resilience plan could be designed across DoD’s entire fleet of utilities. Some systems only play a crucial role a few times a year, when certain situations are occurring. System resources can also be pooled; if there are four airfields located in one state, it might not be necessary for disruptions on one field to be immediately rectified. “It doesn’t have to be the case that every base has to be sustained all the time,” Black says. “In some cases, it may be cheaper and easier to move people.” </p><p>Instead of simply being reactive and replacing equipment as it breaks, officials could also incorporate utility equipment updates into the strategic plan, to best support operational goals. Incorporating an equipment plan can also serve as an incentive for investment when funding is limited: it illustrates how small investments in certain key systems will put operations in a better position over time, Black says.   </p><p>However, a strategic resilience plan must be based on good information about where disruptions are occurring, their frequencies and patterns, and other data that could be analyzed. In this area, DoD is falling down, the GAO found. Specifically, 151 out of 364 survey respondents in GAO’s study said they did not have information on utility disruptions during the 2009–2015 time period of the study. 
</p><p>The reason for this lack of information, GAO found, is that the military services are inconsistent in issuing guidance on collecting and retaining utility disruption data. The study found that the Air Force and Marine Corps did not have current guidance on tracking utility disruption information; the Army had some guidance, but it was not available at all installations. </p><p>“Without guidance directing installations to collect information about all types of utility disruptions, service officials may not have the information needed to make informed decisions or to compete effectively for limited repair funds,” the study found. The exception among the services was the Navy, which had recently issued new guidance, auguring well for future data collection within that service, the study found.</p><p>Given this, the GAO recommended that the Army, Air Force, and Marine Corps take steps to consistently collect disruption information, and issue better guidance on doing so. DoD concurred with these recommendations. </p><p>Finally, Black says there is another tool that DoD may use to boost its utility resilience–partnerships with the private sector. Here, DoD has some advantages at its disposal; some of its sites include significant amounts of land, and they have more zoning and use flexibility because they are government owned. Given these resources, DoD may be able to partner with private sector companies on utility projects, ranging from wind turbines to solar panels. “They may have the room, and they may not have zoning concerns,” Black says. </p><p>Shared resources could also be leveraged in such partnerships, he adds. For example, a generator could be built on a DoD site that would power the local area, but could also be used as a backup in case of power failure at the DoD facility.</p>
https://sm.asisonline.org/Pages/Industry-News-March-2017.aspx
Industry News March 2017
<h4>Museum Video</h4><p>Visitors to the USS Midway Museum in San Diego experience a floating city at sea with exhibits, flight simulators, restored aircraft, a gift shop, and more on its 18 decks. The aircraft carrier was an important tool in the U.S. military missions during the Cold War, the Vietnam War, and the Gulf War. Each year, 100,000 visitors come aboard to learn about the ship and its history.</p><p>A recent security upgrade included improving the museum’s video surveillance system. Integrator Layer3 Security Services selected cameras from VIVOTEK for the entire installation. The wide range of cameras used includes fixed domes, pan-tilt-zoom models, and box cameras. Units that withstand inclement weather and vandalism protect the outer areas of the museum. Speed dome cameras are used in the parking lots and on the deck. The cameras operate with ExacqVision software from Tyco Security Products.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Orchard Place, a provider of children’s mental health services, is using infinias access control from 3xLOGIC, Inc., for most of its facilities.</p><p>Pensacola Christian College installed 12 waist-high turnstiles from Boon Edam Inc. to manage entry into two of its dining halls. 
</p><p>Covenant Security Services and Covenant Aviation Security formed a strategic partnership with the Risk Services Division of HUB International Limited to provide sophisticated risk management services.</p><p>Criterion Healthcare Security will help members of Vizient, Inc., achieve a standardized security approach in compliance with industry and regulatory standards.</p><p>JRN, Inc., a Kentucky Fried Chicken franchisee in Tennessee, reduced employee theft after partnering with Delaget, LLC.</p><p>DSI Security Services and Viewpoint Monitoring are partnering to provide a wider array of security services for clients across all industries. </p><p>A global collaboration between Evidence Talks and Schatz Forensic will enable investigators to create forensic images using the SPEKTOR forensic intelligence product suite.</p><p>IPC joined the Equinix Cloud Exchange.</p><p>LaView entered a partnership with InstallerNet.</p><p>Nuvias Group became a member of the HID Advantage Partner Program.</p><p>Praetorian became a global auditing partner with Microsoft under the new Security Program for Azure IoT.</p><p>PrecyseTech Corporation teamed with Blackhawk Imaging, LLC, to launch the InPALM Enhanced Video Exchange for law enforcement and security applications.</p><p>RiskIQ is working with Evry as a key reseller in the Nordic region. </p><p>Many DVRs and NVRs from Speco Technologies are now integrated with Immix CC and CS platforms from SureView Systems.</p><p>Security-Net, Inc., formed a strategic partnership with Vector Firm to develop an enhanced sales training program.</p><p>Sony Corporation signed a partnership agreement with Bosch Security Systems to develop pioneering video security applications.</p><p>Suprema entered into partnership with Egis Technology Inc. to produce mobile fingerprint authentication for smartphones.</p><p>The University of Washington, Seattle, is using the unified parking management platform from TagMaster North America, Inc., and T2 Systems. 
</p><p>Hult International Business School is implementing Touchless Biometric Systems 3D technology to record class attendance in Dubai, London, Boston, and San Francisco.</p><p>Tyco Security Products helped Kiwanis Village Lodge in British Columbia upgrade to an IP-based access control system using Kantech EntraPass Security Software and KT-1 Door Controllers.</p><p>Universal Security staff working at Chicago O’Hare and Chicago Midway Airports received active shooter response training from Archway Defense. </p><p>Dutch mobile-only bank bunq partnered with Veridium to provide secure mobile banking using Veridium ID hand recognition software.</p><h4>GOVERNMENT CONTRACTS</h4><p>BICSI signed a memorandum of understanding (MOU) with the Engineering Institute of Thailand under H.M. The King’s Patronage to develop engineering practices and solve national problems in engineering through collaboration and information-sharing on events, education, marketing, and standards development.</p><p>BICSI also signed an MOU with La Asociación Mexicana de Empresas del Ramo de Instalaciones para la Construcción (AMERIC) in Mexico.</p><p>Montgomery County Public Schools in Virginia will implement the COPsync911 threat-alert system.</p><p>Farpointe Data announced that its proximity/keypad reader was installed by Cameras Networking and Security of Vermont at the Morristown Fire and EMS building, also in Vermont.</p><p>Magal Security Systems Ltd. announced that Senstar, its North American subsidiary, delivered perimeter electronic security systems to the North Atlantic Treaty Organization for its rapidly deployable military camps.</p><p>NAPCO Security Technologies, Inc., was chosen by the Houston Independent School District to supply security motion detection in all its schools. </p><p>Parabon NanoLabs won a U.S. 
Department of Defense contract to develop a software platform for forensic analysis of DNA evidence.</p><p>Qognify, formerly NICE Security, announced that the Navi Mumbai Metro selected its mass transit solution to ensure the safety and security of passengers and assets.</p><h4>AWARDS AND CERTIFICATIONS</h4><p>The U.S. Department of Homeland Security granted Safety Act designation protections to Databuoy Corporation for its ShotPoint shooter localization system.</p><p>The DERMALOG AFIS was confirmed as the fastest automated fingerprint identification system in the world by test body SGS-TÜV Saar; the software allows the processing of almost a billion matches per second.</p><p>Farpointe Data announced that three of its card readers with keypads meet the impending requirements for two-factor authentication as described by the U.S. National Institute of Standards and Technology.</p><p>Galaxy Control Systems received new FICAM certification for its System Galaxy Software and its CS Infrastructure System Galaxy Software, now listed on GSA’s approved product list.</p><p>GhangorCloud was named DLP Solution of the Year-2016 and won the Editor’s Choice Award from Computing Security Magazine.</p><p>The New Jersey Tech Council named Lumeta Corporation the winner of its Innovative Technology Company award for 2016. The council selected Princeton Identity Inc. to receive the Outstanding Technology Development Company Award for 2016. </p><p>Reltio earned HITRUST CSF certification status for information security from the Health Information Trust Alliance for its Reltio Cloud. </p><p>Send Word Now was awarded a U.S. patent for the technology inherent in SWN Direct, its new mobile app for alert recipients. </p><p>Winners of the 2016 Detektor International Awards included ILOQ NFC in the access control category; SpotterRF A2000 drone detection in the alarm and detection category; and Sony SNC-VB770 camera in the CCTV category. 
Suprema, Inc., won the Innovative Achievement Award with BioEntry W2, a fingerprint access control device.</p><h4>ANNOUNCEMENTS</h4><p>Allied Universal purchased Source Security & Investigations of Halifax, Nova Scotia.</p><p>AT&T and the National Aeronautics and Space Administration are researching traffic management solutions for unmanned aircraft systems. </p><p>Boon Edam Inc. is expanding its training programs to include factory trainings, roadshow trainings, and technical workshops.</p><p>Carnival Corporation announced that it will be the first maritime company to partner with INTERPOL for advanced security screening across its global operations.</p><p>Confidex Ltd. opened a new office in Nice, France, to better serve its global customers.</p><p>International SOS and Control Risks launched the Travel Risk Map for 2017. </p><p>Mesker Openings Group will be acquired by dormakaba to increase product offerings in North America. </p><p>Hitachi, Ltd., established an open laboratory within the Yokohama Research Laboratory to conduct prototyping and proof-of-value. </p><p>Insurance Bureau of Canada participated in Project Cyclone, a joint auto theft investigation involving York Regional Police, Peel Regional Police, the Toronto Police Service, and Canada Border Services Agency, which led to 24 arrests, seizures of property, and recovery of 60 stolen vehicles.</p><p>The Medical Identity Fraud Alliance released a paper to help businesses within the healthcare industry better understand how to deal with medical identity fraud. 
</p><p>Middle Atlantic Products is participating in UL’s Standard Technical Panel for UL 2416, helping develop future requirements of the standard for audio/video, information, and communication technology featured in cabinet, enclosure, and rack systems.</p><p>Nortek Security & Control will expand its manufacturing capacity by 25 percent.</p><p>OneLogin acquired Sphere Secure Workspace, Inc., to help provide a unified endpoint management solution for enterprises.</p><p>PSA will expand its market footprint to include the professional audio-visual and communications market. </p><p>Smartrac is selling its Secure ID & Transactions Business Division to the Linxens Group. </p><p>SOS Security LLC acquired Eastern Security Inc. of Waltham, Massachusetts. </p><p>The University of California-Berkeley School of Information is partnering with 2U, Inc., to deliver cybersecurity@berkeley, a new online master of information and cybersecurity program.</p><p>Vertx announced the winners of its 5 Days of Thanks campaign: Concerns of Police Survivors; the Special Operations Warrior Foundation; K9s for Warriors; the National Law Enforcement Officers Memorial Fund; and the Sua Sponte Foundation.</p>
https://sm.asisonline.org/Pages/Detention-Tension.aspx
Detention Tension
<p>When the U.S. Department of Justice (DOJ) announced last August that it planned to phase out and eventually close 13 private prisons, it was seen as a victory for the prison reform movement. Privately run prisons “incurred more safety and security incidents per capita” than those run by the government, according to a DOJ report released shortly before the announcement. </p><p>Numerous critical investigations on private prisons, as well as the DOJ report and decision, inspired other federal agencies, including the U.S. Department of Homeland Security (DHS), to reassess their use of the facilities. But, despite allegations of inhumane conditions and dissension among DHS advisors, it appears immigration detention centers will continue to be contracted out to private corporations.</p><p>In an unusual series of events, a DHS Homeland Security Advisory Council (HSAC) subcommittee issued a report finding that federally run facilities used for the civil detention of immigrants during immigration hearings are more beneficial, but less cost effective. “Much could be said for a fully government-owned and government-operated detention model, if one were starting a new detention system from scratch,” the report noted. “But of course we are not starting anew.” Just one of the six subcommittee members dissented with the report’s recommendation to continue using private detention facilities, but when the issue was brought to the broader council for a vote, HSAC recommended that DHS oppose the report’s conclusion and close private facilities.</p><p>However, the vote may be more symbol than substance because the HSAC serves in an advisory role to DHS decision makers. Any action on the matter now rests with U.S. Immigration and Customs Enforcement (ICE) officials. 
In the interim, ICE has already renewed or expanded 15 private and local prison contracts to add 3,600 beds to its arsenal, including reopening a private correctional center in New Mexico that was shut down last year following a series of inmate deaths and reports of deficient medical care.</p><p>The HSAC report’s recommendation appears to be out of necessity—as of November 2016, ICE held more than 40,000 people in 197 immigrant detention centers, even though Congress has currently approved and funded the use of 32,000 beds, according to ICE. Individuals confined in ICE facilities can be held only for the purpose of detaining and removing them from the country. Immigrant detention numbers have already reached record-breaking levels and are expected to continue growing; U.S. President Donald Trump has pledged to deport 2 to 3 million immigrants, further straining the facilities. </p><p>“Capacity to handle such surges, when policymakers determine that detention will be part of the response, cannot reasonably be maintained solely through the use of facilities staffed and operated by federal officers,” the report states. “Fiscal considerations, combined with the need for realistic capacity to handle sudden increases in detention, indicate that DHS’s use of private for-profit detention will continue.”</p><p>The cost of building and operating enough federally run detention facilities to phase out private detention centers, which make up two-thirds of all immigration centers, would cost billions of dollars and not be a good use of government resources, the report notes.</p><p>There have been numerous contributing factors to the increase in detainees held by ICE. A controversial 2009 addition to ICE’s detention budget stating that funding would be made available to “maintain a level of not less than 33,400 detention beds” was interpreted by ICE as a mandate to contract for and to fill that number of beds on a daily basis. 
This so-called immigrant detention quota has correlated with the expanded detainee population, as well as the involvement of private prison corporations in ICE facility operations, according to Payoff: How Congress Ensures Private Prison Profit with an Immigrant Detention Quota, a 2015 report by nonprofit Grassroots Leadership. The quota system is unique to ICE—no other law enforcement agency operates in such a fashion.</p><p>“Since just before the onset of the quota, the private prison industry has increased its share of immigrant detention beds by 13 percent,” the report states. “Nine of the ten largest ICE detention centers are private. This is particularly noteworthy in light of the expansion of the entire ICE detention system by nearly 47 percent in the last decade.” </p><p>Immigration patterns have also bloated the number of immigrants held in detention centers. An unprecedented surge of Central American women and children to the United States in 2014 created overcrowding, resulting in the construction of the nation’s largest immigration detention center by a private prison corporation. A more recent influx of asylum seekers and immigrants who have been in the United States for years but are now facing exile has continued to strain the facilities.</p><p>Holding immigrants in privately run detention centers is easier on taxpayers’ wallets, ICE says. More than $2 billion in taxes goes to the country’s prison system each year, and lowering that cost is a big incentive to use private facilities, the report notes. Federally run detention centers are notoriously more expensive than their private counterparts—it costs about $127 a day to hold a person in a private facility, versus more than $180 in a government facility. And completely doing away with private facilities and replacing them with federally run ones would cost up to $6 billion, according to the HSAC report. 
</p><p>Despite the lower price tag for private facilities, prison corporations have seen their profits rise over the past six years—GEO Group, which owns a quarter of all ICE immigrant detention centers, has seen a 244 percent profit increase from 2010 to 2014, the Grassroots Leadership report found. The private prison companies have also spent millions of dollars lobbying on immigration issues and DHS appropriations, according to Grassroots Leadership.</p><p>To civil rights organizations, the increase in private detention facilities means not only the monetization of detainees but centers that do not have to abide by federal quality control. The DOJ report on private facilities notes that contract compliance checklists do not address federal health and correctional services requirements.</p><p>“The observation steps do not include checks on whether inmates received initial examinations, immunizations, and tuberculosis tests…[and] does not include observation steps to ensure searches of certain areas of the prison, such as inmate housing units or recreation, work, and medical areas, or for validating actual correctional officer staffing levels and the daily correctional officer duty rosters,” the DOJ report notes.</p><p>The nonprofit Human Rights Watch website stresses that those kept in immigrant detention centers are not criminals—they are often legal permanent residents, families with young children, or asylum seekers in the midst of civil immigration proceedings. For years, Human Rights Watch and similar organizations have documented abuse and substandard medical care in privately run detention facilities. For example, three people died in detention facilities between October and December 2016. </p><p>While the future of ICE immigration facilities will continue to involve privately run centers despite HSAC dissent, the council did agree with portions of the report’s recommendations that ICE must increase oversight of nonfederal detention facilities. 
The report found that county jails, which are often used for initial detention and staging, do not have to follow ICE facility standards and should be used for detaining immigrants for no more than 72 hours before moving them to a federal facility. The document also outlined the need for more stringent inspections of nonfederal facilities, including unannounced inspections and meaningful evaluations of conditions in each facility.</p><p>“U.S. Immigration and Customs Enforcement appreciates the Homeland Security Advisory Council’s recent review of the agency’s use of private contract detention facilities,” says ICE spokesperson Danielle Bennett. “The council’s report recognizes ICE’s ongoing commitment to providing a secure and humane environment for those in our custody while making the best use of agency resources. ICE’s civil detention system aims to reduce transfers, maximize access to counsel and visitation, promote recreation, improve conditions of confinement and ensure quality medical, mental health and dental care. ICE leadership will review and consider the council’s recommendations and will implement any changes, as appropriate.”</p>
https://sm.asisonline.org/Pages/Stopping-the-Cyber-Buck.aspx
Stopping the Cyber Buck
<p>While a wonderful tool, Spell Check is not always available. And sometimes a misspelling can have a major ramification. That’s what hackers found out in 2016 when a spelling mistake in an online bank transfer instruction prevented them from stealing nearly $1 billion from the Bangladesh central bank and the New York Federal Reserve.</p><p>The hackers, now believed to belong to three separate groups that planned the heist for more than a year, breached the Bangladesh bank’s systems, stole its credentials for payment transfers, and then bombarded the Federal Reserve Bank of New York with almost 36 requests to move money from a Bangladesh bank account to accounts in the Philippines and Sri Lanka.</p><p>“Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan nonprofit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation,” Reuters reported. Instead of spelling “foundation,” the hackers wrote “fandation,” which grabbed the attention of the Deutsche Bank employee routing the transaction and led to the suspension of the transfer.</p><p>The hackers, however, managed to get away with about $80 million, making the heist one of the largest bank thefts in history. A later investigation determined that Bangladesh central bank officials “deliberately exposed its computer systems and enabled hackers” to steal the money, a top police investigator told Reuters.</p><p>The heist also brought new attention to financial institutions’ cybersecurity practices and the effects a cyberattack on a major institution could have on the rest of the economy. To address these concerns at the U.S. 
state level, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations for financial institutions operating in the state.</p><p>The rules were initially slated to go into effect on January 1, but were delayed and went into effect on March 1 to allow time for revisions and industry input. The rules, as of Security Management’s press time, apply to any “person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York banking law, the insurance law, or the financial services law.”</p><p>Those covered by the rules are required to have written policies and procedures that identify and assess the data security practices of third parties that access or hold their nonpublic information. Third parties must meet minimum requirements for cybersecurity practices, and periodic assessments (at least annually) of third parties and their cybersecurity practices are required. </p><p>Additionally, the rules require covered entities to designate a qualified chief information security officer (CISO) to be responsible for overseeing and implementing their cybersecurity program and enforcing cybersecurity policy. They also must hire cybersecurity personnel to perform cybersecurity functions, such as identifying cyber risks, responding to cyber events, and recovering from them.</p><p>While these seem like good policies on paper, Heather E. Hogsett, vice president of technology and risk strategy for BITS and a member of the Financial Services Roundtable, said the rules are proscriptive and present a one-size-fits-all solution that doesn’t work for the New York financial industry, which is made up of international firms, as well as medium-sized and small banks.</p><p>The DFS rules also conflict with other regulatory measures, making it difficult for organizations to comply with them, Hogsett explained in an appearance at the New America Foundation in December.</p><p>“The question is, where does this end? And we do run the risk…the more you require information to be reported to different places in different formats, you’re taking your security professional’s eye off the ball and focusing more on compliance instead,” Hogsett said. “And it’s a national security concern. You’re creating honeypots of really sensitive information for a critical sector of the economy for attackers to really go hard at.”</p><p>New America recently called this out in a report, something Hogsett said she appreciated, and requested that all federal agencies follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It called for regulatory bodies to go back through their frameworks and harmonize them to the NIST framework.</p><p>One recent effort by the U.S. federal government to do this is an advanced notice of proposed rulemaking (ANPR) on Enhanced Cyber Risk Management Standards by the U.S. Federal Reserve Board, the U.S. Federal Deposit Insurance Corporation (FDIC), and the U.S. Office of the Comptroller of the Currency (OCC).</p><p>“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyberattacks,” the ANPR says. “Due to the interconnectedness of the U.S. 
financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”</p><p>The three agencies are considering applying the new standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board. The standards, however, would not apply to community banks.</p><p>“This ANPR would build on the existing framework of information technology guidance already in place,” said FDIC Chairman Martin J. Gruenberg in a statement. “The enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.”</p><p>The ANPR addresses five categories of cyber standards: cyber risk governance, cyber risk management, internal dependency management, external dependency management, and incident response, cyber resilience, and situational awareness.</p><p>The agencies are considering a two-tiered approach for an additional, higher set of expectations that would apply to covered entities that are critical to the financial sector. Security Management reached out to both the FDIC and the OCC for comment and was referred to the Federal Reserve, which did not return requests for comment for this article.</p><p>As part of the proposed rulemaking process, the agencies had asked for extensive feedback from stakeholders before the open comment period closed on January 17, 2017.</p><p>However, as of Security Management’s press time, only one person had submitted a comment on the ANPR: Reginald P. 
Best, president and chief product officer of the Lumeta Corporation, which provides network situational awareness services.</p><p>Lumeta has worked with the financial community for the past decade and has provided network-based cyber situational awareness analytics tools and services to seven of the largest financial institutions with more than $50 billion in assets that may be covered by the ANPR. </p><p>“We’ve had a fair amount of experience in some of the underlying issues that we think are problems that may potentially lead to more substantive breaches,” Best explains. “As I looked at the proposed rule, we wanted to provide some of our insights to help the industry in figuring out what they need to do and what they should be doing.”</p><p>In his comment, Best focused on responding to three of the agencies’ questions that asked for information on how entities evaluate their situational awareness, which forms the core of a strong cybersecurity program.</p><p>“Without fundamental situational awareness of the network infrastructure, which is easy to say and hard to do, nothing else that you do will matter or be as complete as it needs to be,” Best tells Security Management.</p><p>One of the biggest problems right now, however, is that many large financial institutions have a false sense of security about their situational awareness—they feel like they know what is happening on their networks. 
</p><p>“Despite investment in multiple tools at various places in the enterprise ‘security stack’…the very basic understanding of what constitutes the network, how it changes in real time, what the infrastructure comprises (approved versus rogue), what the authoritative topology of the network and network edge is, remains elusive and is often an afterthought,” Best wrote.</p><p>Some financial institutions miss this infrastructure because they forget to document it, aren’t aware of it, and aren’t hunting for network state changes to validate that they have an accurate understanding of their network.</p><p>With his feedback, Best says he hopes that if a proposed rule is created from the ANPR process, it will include a mandate for covered financial institutions to have an automated way of understanding their infrastructure. </p><p>However, Best adds that it would be a mistake for the agencies to require all processes of monitoring, identifying, and remediating cyber threats be automated. </p><p>“I think that could be challenging for most organizations to do today,” he says. “Ultimately, that may be required in the future—that networks be self-healing. But it might be a mistake to enforce that extent in the proposed rulemaking.”</p><p>Instead, Best says he hopes that the agencies focus on getting the basics right when it comes to cybersecurity—like NIST did in its Cybersecurity Framework. </p><p>“Because if you get the foundation right, then all the other stuff in the stack can come on and take care of itself in the fullness of time,” he says.</p>
https://sm.asisonline.org/Pages/Message-to-the-Masses.aspx
Message to the Masses
<p>Sanofi is a global pharmaceuticals business that manufactures and distributes vaccines and medications worldwide. The organization provides diabetes solutions, consumer healthcare services, animal health products, and other therapies. Sanofi Pasteur, the vaccines division of Sanofi, provides more than 1 billion doses of vaccines each year, which immunize more than 500 million people across the globe.</p><p>With more than 100 locations in the United States, Sanofi has approximately 25,000 employees domestically, and a global workforce of more than 125,000. Keeping track of those workers and ensuring their safety is of utmost concern to the company, says Joe Blakeslee, security systems manager at Sanofi. </p><p>For its North American sector, the organization incorporates several solutions as part of its overall security profile, including access control, CCTV, and emergency notification. For many years, Sanofi had several mass notification platforms that were disparate, without a centralized way to manage alerts for all employees. </p><p>In late 2014, Sanofi put out a request for proposal to find a product that could unify its many mass notification platforms into one seamless solution. Near the beginning of 2015, it chose Everbridge Mass Notification, a Web-based application that allows for distribution of messages to a large audience. </p><p>“The biggest part about Everbridge that stood out was the user interface,” Blakeslee says. 
“It provided everything we needed, and we were also impressed with how easy the system was to use.” The Sanofi North America security team started rolling out the application at the beginning of 2015 for internal security purposes, and in June of that year began registering all North American employees into the system.</p><p>He adds that the variety of options for reaching employees was paramount, given Sanofi’s mobile workforce. “Everbridge has multiple modalities in which you can actually send the message,” he says. “We use all the modalities whether it’s cell phone, SMS, home phone, or email. We give all of our employees the ability to elect whatever modality they would like.” Employees rank their preferred communication modalities in order when registering for the system; that way, if one method fails to contact the worker, notifications will automatically be sent via other methods until the party is reached.  </p><p>Everbridge is used on a daily basis at Sanofi, he adds. “Every day we use the application to alert various groups within the company, whether it’s related to fire alarms, evacuations, hazmat response, or other incidents.” </p><p>Sanofi has a central security services center (SSC). There, analysts monitor the business locations across the country for alarms and alerts using various security management software. Only designated individuals within the SSC can access the Everbridge platform and administrate messages through the platform. When there is an incident, such as a fire alarm, analysts send out alerts to the affected employees to give them situational awareness through the Everbridge Web portal. In the fire example, employees would be alerted to evacuate the building and await further instruction. The messages being sent can be selected from a set of prewritten options, or modified based on the particular event; normally in an emergency, the messages are written at the time by the security team. 
</p><p>“Say you have a building with 3,000 people in it. We want to reach them wherever they may be,” he says, “and reach as many people as we can in as little amount of time as possible.”</p><p>The Everbridge application is also used to notify workers that it is safe to return to their desks, and it displays in real time the status of employees involved in the incident. Employee status is either confirmed or unconfirmed. If someone is unconfirmed, the system allows the SSC to resend the message or try a new contact path, following the order of the employee’s preferred contact methods, until a response is received. For example, if sending an SMS to a cell phone doesn’t work, the system will make a telephone call, then send an email, and so forth. The confirmations let the security team determine which employees are safe.</p><p>The system helps get employees back to work more quickly, because people aren’t left wondering whether it’s safe to return to their desks.</p><p>Everbridge can also be used for incident management. For example, in the case of a trespasser, security would get an alarm or a phone call. “From there, SSC would send out a notification from Everbridge to the local emergency response personnel, asking for them to respond to the occurrence,” Blakeslee says. “After the message is sent to all the recipients’ devices, the SSC would, in real time, monitor the responses from the recipients’ confirmations and determine how many people are responding to the event.”</p><p>Everbridge isn’t used only reactively; it supports proactive security measures as well. Sanofi has security officers at each of its locations, and the organization conducts daily check-ins with those personnel who are patrolling alone to ensure they are safe and accounted for. Sanofi expects a message back, and “if they don’t respond, we escalate that to the SSC and they handle it from there,” Blakeslee says.
</p><p>He adds that the mobile nature of the modern workforce means that employees won’t always be working from their primary location. “Our workforce is dynamic. One day I may be working in Pennsylvania, the next day I might be in New Jersey,” he says, noting that several employees and contractors travel frequently. To help keep track of its mobile workforce, Sanofi rolled out a newer Everbridge feature called Safety Connection in the second quarter of 2016. The solution aggregates geo-location data from multiple systems so Sanofi knows where its employees are at any given time.</p><p>Blakeslee says that given the sensitivity of the materials Sanofi manufactures and distributes, as well as the importance of its services to customers, the culture at Sanofi is safety oriented. “Anything dealing with safety we’re really reactive to, so Everbridge provides us another means of communicating to keep our employees safe.”</p><p>--<br></p><p>For more information: Jeff Benanto, jeff.benanto@everbridge.com, www.everbridge.com, 781.373.9879</p>
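The escalation-and-confirmation loop the case study describes (send on the employee's most-preferred path, fall back to the next path if there is no confirmation, and show the SSC who is still unaccounted for) can be modelled in a few lines. The following Python is an added example written for this page; it is not Everbridge code and uses no Everbridge API. The employee names, their contact-path preferences, the `MODALITIES` list and the simulated delivery oracle are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Contact paths named in the article; each employee picks an order of preference.
MODALITIES = ("sms", "cell", "home", "email")


@dataclass(frozen=True)
class Employee:
    name: str
    paths: Tuple[str, ...]  # preferred contact methods, most-preferred first

    def __post_init__(self):
        # Reject paths the notification system cannot send on (assumed validation rule).
        unknown = set(self.paths) - set(MODALITIES)
        if unknown:
            raise ValueError(f"unknown contact path(s) {sorted(unknown)} for {self.name}")


@dataclass
class Attempt:
    employee: str
    path: str
    confirmed: bool


# deliver(employee, path, message) -> True when the employee confirmed receipt on that path.
Deliverer = Callable[[Employee, str, str], bool]


def notify_cascade(employees: List[Employee], message: str, deliver: Deliverer):
    """Send the message to every employee, escalating through each person's
    preferred paths in order and stopping at the first confirmation."""
    status: Dict[str, str] = {}
    attempts: List[Attempt] = []
    for emp in employees:
        status[emp.name] = "unconfirmed"
        for path in emp.paths:
            ok = deliver(emp, path, message)
            attempts.append(Attempt(emp.name, path, ok))
            if ok:
                status[emp.name] = "confirmed"
                break  # no need to try the remaining paths
    return status, attempts


def roll_call(status: Dict[str, str]) -> Dict[str, List[str]]:
    """The view an operations center watches: who is accounted for, who needs follow-up."""
    return {
        "confirmed": sorted(n for n, s in status.items() if s == "confirmed"),
        "unconfirmed": sorted(n for n, s in status.items() if s == "unconfirmed"),
    }


# --- constructed simulation, not real message delivery ---------------------------
# Which path, if any, each (hypothetical) employee answers on during the drill.
ANSWERS_ON = {"alice": "sms", "bob": "email", "carol": None}


def simulated_deliver(emp: Employee, path: str, message: str) -> bool:
    return ANSWERS_ON.get(emp.name) == path


EMPLOYEES = [
    Employee("alice", ("sms", "cell", "email")),
    Employee("bob", ("sms", "cell", "email")),
    Employee("carol", ("cell", "home", "email")),
]


def run_fire_alarm_drill():
    """Run one constructed fire-alarm notification and return (roll call, attempt log)."""
    status, attempts = notify_cascade(
        EMPLOYEES,
        "Fire alarm in Building 3: evacuate and await further instruction.",
        simulated_deliver,
    )
    return roll_call(status), attempts


if __name__ == "__main__":
    summary, log = run_fire_alarm_drill()
    for a in log:
        print(f"{a.employee:6} via {a.path:5} -> {'confirmed' if a.confirmed else 'no answer'}")
    print(summary)
```

In the drill, alice confirms on the first attempt, bob only on his third path, and carol never answers, so she is the one name left on the unconfirmed list for the SSC to chase by other means.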
https://sm.asisonline.org/Pages/Teller-Trouble.aspx
Teller Trouble
<p>The insider fraud that took place at Wells Fargo is still being investigated, but experts say the scam, which involved the creation of 2 million unauthorized customer accounts, is unprecedented. Beginning as early as 2011, thousands of Wells Fargo employees created bank accounts for existing customers without authorization, generating millions of dollars in fees that profited the company along the way.</p><p>“Wells Fargo employees secretly opened unauthorized accounts to hit sales targets and receive bonuses,” said Richard Cordray, director of the Consumer Financial Protection Bureau (CFPB), in a statement.</p><p>The CFPB went on to say that workers even created fake PINs and phony email addresses to fraudulently create the accounts. The bank will pay $185 million in fines to the bureau and $5 million to customers for their losses.</p><p>During a U.S. Congressional hearing in which then-Wells Fargo Chairman and CEO John Stumpf testified before lawmakers, U.S. Rep. Maxine Waters (D-CA) called the event “some of the most egregious fraud we have seen since the foreclosure crisis.”</p><p>Stumpf stepped down in October 2016 as leader of Wells Fargo, and forfeited $41 million in stock awards and part of his 2016 salary and bonus. Since the scandal was uncovered, the bank has fired at least 5,300 employees.</p><p>While the ethics scandal at Wells Fargo garnered international attention, insider fraud and theft by employees have become increasingly prevalent at financial institutions. In 2014, New York Attorney General Eric T. Schneiderman announced the arrest of an identity theft ring that had siphoned $850,000 from a bank’s customer accounts with the help of several tellers at banks in New York City and surrounding counties.
</p><p>In 2015, two private bankers with J.P. Morgan Chase were indicted for funneling $400,000 from Social Security accounts of 15 people, some of whom were deceased, according to court documents from the Brooklyn District Attorney’s office.</p><p>Schneiderman later sent a letter to several large banks, including J.P. Morgan Chase, Bank of America, and Wells Fargo, urging the financial institutions to rein in their employees’ access to customer data. The Wall Street Journal first reported on the letter, which it obtained in June 2015. Schneiderman said that teller theft was the number three cause of data breaches in the state of New York, just behind poor cybersecurity and lost or stolen equipment.</p><p>Schneiderman concluded that “much of the wrongdoing could have been caught if the banks had noticed and shared red flags; for example, an employee accessing an unusually large number of accounts or looking up accounts without dealing with those customers,” according to the article.</p><h4>Access to Information</h4><p>Experts say that an increase in theft and fraud has been accompanied by an evolution in the banker’s role. The traditional role of the teller who sits behind a desk counting dollar bills has progressed with the proliferation of the Internet and other digital tools.</p><p>“Technology now handles so many of the traditional teller transactions, like checking your balance or moving your money,” says Dr. Kevin Streff, associate professor and director of the Center for Information Assurance at Dakota State University. “Those kinds of transactions that used to be handled by people are now handled by automation for a large part, so the teller’s responsibility then moves up to the next level of service to the customer.”</p><p>Such transactions include changing personally identifiable information on accounts, all available to tellers with the click of a button.
</p><p>“Technology in general makes it so much easier to get the information that we’re talking about; there’s no question that’s increased the risk for internal theft cases,” says Kevin Smith, CPP, former senior vice president and corporate security director at Chevy Chase Bank and member of the ASIS International Banking and Financial Services Council. </p><p>But with the proliferation of ATMs and online banking services, this increased access to information is coupled with a diminished demand for tellers. They don’t garner the largest salaries—on average, tellers make about $13 an hour, or $27,000 a year, according to 2015 statistics from the U.S. Bureau of Labor. Experts say these low wages, combined with tempting sales-goal incentives, can create a formula for theft and fraud. </p><p><strong>Theft.</strong> Streff notes that the black market for customer records, credit card information, and other sensitive data is based on supply and demand, and the current supply is high. Therefore, employees will be tempted to steal more records to make the most money. </p><p>“It’s still very motivating to get 1,000 payment cards from a bank, and even if you can only get $25 a card, that’s still $25,000,” he says.</p><p>And there are plenty of bad actors waiting on the other side of the Web to help them carry out the crime. “The bad guy externally has the skill, the insider has the access privileges and the rights and trust, and that together creates the perfect storm to be able to complete that cybercrime,” Streff explains.</p><p>He recounts such a situation investigated by his firm Secure Banking Solutions, a cybersecurity company focused exclusively on the banking sector. </p><p>“We saw a situation at a Midwestern bank where a couple of tellers were printing about eight customer records each per day for about a year, and then they were putting them in their bags or purses and walking out the door,” Streff says. 
“So eight customer records a day is about $200 a day—there’s a nice little augmentation to their salary.”  </p><p>During his long tenure as a security director and vice president at banks across the country, Smith says he dealt with a similar situation during a merger and acquisition. </p><p>“The criminals were focused on the fact that the employees would no longer have allegiance to the company” that was being acquired, he says. “We apprehended one of our employees working at a call center that was selling customer information in the parking lot to someone that had approached them and said, ‘I’ll give you $50 for every name, address, telephone number, and date of birth that you can give me.’” </p><p><strong>Incentives.</strong> Scamming customers with help from the outside is just one of many risks faced by financial institutions. Corporate culture can become the catalyst for bad behavior as well. </p><p>During the U.S. House Congressional Services Committee hearing on Wells Fargo, lawmakers criticized the sales incentives that offered rewards to employees who opened a certain number of accounts. CNN Money reported in September 2016 that Wells Fargo employees had complained about the “pressure cooker environment” created by these “wildly unrealistic” sales goals. </p><p>Stumpf testified before the committee that sales goals were being eliminated companywide in January 2017 as a result of the scandal. </p><p>While this practice had become toxic at Wells Fargo, other banks rely heavily on the motivation behind such goals. </p><p>“The reality is that many companies, particularly smaller companies, survive on those sales goals,” says Smith, adding that common practice is to reward not only tellers, but managers and senior executives when their employees reach those goals. </p><p>This practice can lead to fraudulent behavior when employees are pressured to meet goals or face negative repercussions for not doing so. 
“When you dangle the guillotine over someone’s head and say ‘If you don’t do this, this thing is going to happen to you.’ Well come on, leadership gets exactly what they deserve,” says Clint Hilbert, owner of Corporate Protection Technologies, LLC. “They’re actually promoting that behavior.”</p><p>Hilbert says that a series of checks and balances within the company will help prevent fraud from occurring.</p><p>“The checks and balances have to be built in from the time you’re pursuing a market to the time you’re reinvesting your profits,” he says. “All of those stages in between have to have checks and balances that can be independently surveyed.”</p><p>Smith echoes the concern regarding a competitive sales environment, and notes that management can often become a part of the problem.</p><p>“Hypothetically, I think what happens in those situations is people are incented to sell, sell, sell,” he says. “And if the person monitoring that activity is also gaining from the sell, sell, sell, they’re disincentivized from identifying any problems.”</p><p>Having an independent third party or a group outside the management chain audit sales activity helps ensure that banks aren’t engaging in fraudulent behavior.</p><h4>Management</h4><p>Experts say that engaging employees and giving them a sense of buy-in at the company is a first step to keeping them from becoming an insider threat, and that treating whistleblowers with fairness and exercising transparency can help leadership build trust.</p><p><strong>Whistleblowers.</strong> Since the Wells Fargo scandal came to light, employees have come forward saying that they were fired or punished for blowing the whistle on the fraudulent activity taking place.</p><p>In a November 2016 letter to new Wells Fargo President and CEO Timothy Sloan, U.S. 
Senators Elizabeth Warren (D-MA), Robert Menendez (D-NJ), and Ron Wyden (D-OR) inquired about the firing of certain employees, writing that “the bank may have done so to retaliate against whistleblowers.” </p><p>Former employees told NPR News that they received bad marks on their U5 forms—a system set up and operated by the Financial Industry Regulatory Authority—after pointing out the fraudulent behavior. Those forms are essentially used as a permanent record of their employment history as a banker. Wells Fargo says it is investigating those claims.  </p><p>Hilbert says that anyone who raises a red flag about company practices should be treated with fairness, whether they are right or wrong. </p><p>“The first time you publicly fry a whistleblower, you no longer have ownership by the employees,” Hilbert says. “Even if the whistleblower is 100 percent wrong, there has to be transparency because that’s where you’re going to lose trust.” </p><p>Rather than creating a culture where managers are pitted against employees, Hilbert says, creating mutual respect will fuel the two-way relationship. He adds that employees essentially should respect the company more than they respect their coworkers who engage in bad behavior so that they report any incidents. </p><p> “You have to be transparent, you have to be honest, and you have to communicate—therein lies the basis of every relationship,” he says. “That trust today is such an important factor for the C-suite to embrace.”</p><p><strong>Hiring and training.</strong> Increasing levels of responsibility for tellers ought to be supplemented with more security training and better hiring practices, Smith says. And security compliance and training programs should be ongoing to keep employees engaged with banking best practices. </p><p>“Those types of training programs on ethics in the workplace really have to be an integral part of the program coming through the door, and they have to be emphasized on a regular basis,” he notes.  
</p><p>For many bank workers, it may be their first job, meaning they haven’t had exposure to security or compliance training in the past.</p><p>“These tellers and call center employees can be right out of high school,” Smith says. “It’s an entry-level position, and you really need to drive that point home about ethics in the workplace because they’ve never had that training before.”</p><p>Hiring people with the right background is critical for positions that handle sensitive customer information. Banks can take advantage of their access to law enforcement to conduct background checks.</p><p>“In the financial services industry, background investigations are critical,” Smith says. Under Federal Deposit Insurance Corporation (FDIC) rule number 19, banks can get permission to go directly to the FBI for such background screening.</p><p>Smith adds that under these regulations, banks are also prohibited from hiring someone who has been convicted of a theft or a breach of trust offense.</p><p><strong>Monitoring.</strong> Supervisors need to be the first line of defense when it comes to ensuring their employees aren’t engaging in bad behavior, Smith says. He explains that several technological tools are available to help produce reports using data from employee transactions. Using those reports, supervisors “ought to identify what the typical pattern is for their employees…and develop a report that would alert to out-of-pattern activity.”</p><p>A worker accessing unusual amounts of customer information could be a tip-off to fraudulent behavior. “Let’s say typical daily activity for a teller is servicing about 50 accounts,” Smith says. “If you find that they’re looking at 300 accounts, that’s out-of-pattern activity and should be investigated.”</p><p>Streff adds that while technology is a great tool, creating awareness within the company is invaluable.
“Certainly you want controls in place that lock things down, you want sensors to identify anomalous behavior, but you want to create an awareness in your workforce to be a protection as well,” he says.</p><p>And employees at all levels can be the best tools for fighting insider threats, Hilbert says. “If you have 100 employees, you have 200 eyes,” he notes. “And if you can motivate those employees to do your camera work for you, you’ve got the best camera system that money can buy.”</p>
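The out-of-pattern report Smith describes, and the red flags Schneiderman's letter names (an employee accessing an unusually large number of accounts, or looking up accounts without dealing with those customers), can be turned into two simple detection rules run over an access log. The Python below is an added example written for this page, not a tool from any bank, vendor or the people quoted. The log line format, the teller IDs, the per-day counts and the thresholds (3× the teller's own median, 20 or more orphan lookups making up at least half of the day's lookups) are constructed assumptions; a real deployment would tune them to its own data.

```python
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed log format (not any real core-banking system's): one access event per line.
# event=lookup  -> a teller opened a customer record
# event=txn     -> a transaction was posted for that customer
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} "
    r"teller=(?P<teller>\S+) event=(?P<event>lookup|txn) account=(?P<acct>\S+)$"
)


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    recs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            recs.append(m.groupdict())
    return recs


def daily_activity(recs):
    """(teller, day) -> sets of accounts looked up and accounts transacted that day."""
    act: Dict[Tuple[str, str], Dict[str, Set[str]]] = defaultdict(
        lambda: {"lookups": set(), "txns": set()}
    )
    for r in recs:
        bucket = "lookups" if r["event"] == "lookup" else "txns"
        act[(r["teller"], r["day"])][bucket].add(r["acct"])
    return act


def find_out_of_pattern(recs, ratio=3.0, min_history=3, orphan_min=20, orphan_frac=0.5):
    """Two rules: (1) 'volume' - accounts serviced today exceed ratio x the teller's own
    median over earlier days; (2) 'lookup_without_transaction' - many accounts were
    looked up but never transacted on that day."""
    act = daily_activity(recs)
    days_by_teller: Dict[str, List[str]] = defaultdict(list)
    for teller, day in act:
        days_by_teller[teller].append(day)
    alerts = []
    for teller, days in days_by_teller.items():
        days.sort()
        serviced = [len(act[(teller, d)]["lookups"] | act[(teller, d)]["txns"]) for d in days]
        for i, day in enumerate(days):
            history = serviced[:i]  # baseline uses only earlier days
            if len(history) >= min_history:
                baseline = median(history)
                if serviced[i] > ratio * baseline:
                    alerts.append({"teller": teller, "day": day, "rule": "volume",
                                   "value": serviced[i], "baseline": baseline})
            lookups = act[(teller, day)]["lookups"]
            orphan = lookups - act[(teller, day)]["txns"]
            if len(orphan) >= orphan_min and len(orphan) / len(lookups) >= orphan_frac:
                alerts.append({"teller": teller, "day": day,
                               "rule": "lookup_without_transaction",
                               "value": len(orphan), "baseline": len(lookups)})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed data: T104 services 50 accounts/day for five days, then opens 300
    records on day six while transacting on only 40; T205 is steady at 40/day."""
    lines = []
    for d in range(1, 6):
        for k in range(50):
            acct = f"A{1000 + k}"
            lines.append(f"2017-02-0{d}T09:00:00 teller=T104 event=lookup account={acct}")
            lines.append(f"2017-02-0{d}T09:01:00 teller=T104 event=txn account={acct}")
    for k in range(300):
        acct = f"A{1000 + k}"
        lines.append(f"2017-02-06T09:00:00 teller=T104 event=lookup account={acct}")
        if k < 40:
            lines.append(f"2017-02-06T09:01:00 teller=T104 event=txn account={acct}")
    for d in range(1, 7):
        for k in range(40):
            acct = f"B{2000 + k}"
            lines.append(f"2017-02-0{d}T10:00:00 teller=T205 event=lookup account={acct}")
            lines.append(f"2017-02-0{d}T10:01:00 teller=T205 event=txn account={acct}")
    return lines


if __name__ == "__main__":
    for alert in find_out_of_pattern(parse(build_sample_log())):
        print(alert)
```

Against the constructed log the report raises exactly two alerts, both for T104 on 2017-02-06: the volume rule (300 serviced against a baseline of 50) and the orphan-lookup rule (260 of 300 records opened with no transaction). T205 never trips either rule. Building the baseline from each teller's own history, rather than a fixed number, is what keeps a busy branch from drowning the supervisor in false positives.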
https://sm.asisonline.org/Pages/Lessons-in-Liability.aspx
Lessons in Liability
<p dir="ltr" style="text-align:left;">This article has been updated. Following are comments from Richard Wyckoff, President & CEO, U.S. Security Associates, Inc.</p><p dir="ltr" style="text-align:left;">--</p><p dir="ltr" style="text-align:left;">U.S. Security Associates was disappointed to read the article titled "Lessons in Liability" in the March issue of <em>Security Management</em> magazine. The article contained factual mistakes, omitted key facts, and sensationalized the tragedy of an incident that led to two deaths.<br></p><p dir="ltr" style="text-align:left;">The events of September 9, 2010, were unquestionably tragic. In the security industry, we all pray that an unpreventable incident does not occur on our watch, and we all take great measures to reduce the likelihood and risk of an active shooter. Not even the full force of the federal government and local authorities, working together, can prevent these senseless acts of violence.</p><p dir="ltr" style="text-align:left;">Our two officers on post at the Kraft client site were well trained, having passed background screening and onboarding employment verification. But they were unarmed and could not defend against an attacker with a .357 Magnum handgun, which was pointed at both of their bodies. Neither guard “ran away.” Instead, they took cover and each called 911 as soon as possible. Their quick actions may have prevented further loss of life.</p><p dir="ltr" style="text-align:left;">Each officer independently adjudged not to use the general announcement system. Again, this was a split-second decision that may have prevented further loss of life; causing a panic in the manufacturing facility might have sent more employees into the path of the murderer. 
Indeed, Yvonne Hiller fired her weapon at other Kraft employees as she transited the facility.</p><p dir="ltr" style="text-align:left;">All of this happened in less than five minutes. Emergency response showed up nine minutes after Hiller re-entered the facility, armed and dangerous. It is hard to understand what other actions our guards could have taken to prevent this tragedy.</p><p dir="ltr" style="text-align:left;">And the primary lesson to take away from this tragedy is not one of liability. Certainly a Monday morning quarterback’s view is improper; those quoted in the article neither attended the trial nor contacted the company for the details and suppositions made about the incident.</p><p dir="ltr" style="text-align:left;">We believe that the real lessons are ones of leadership and loyalty. U.S. Security Associates took this incident very seriously and pivoted to lead the industry in response to the active shooter problem. The company has added Active Shooter Training to its basic, required training for new employees and trained all existing employees as well. The company also developed Security Stars, an officer professionalism and career development training course above and beyond the minimum Security Officer Basic Training. We recruited Harold Underdown, a Navy SEAL Master Chief with 30 years of Naval Service, to join the company as the Senior Vice President of Officer Development. Harold has spearheaded our Security Stars initiative and visits our sites nationwide to lead this unique and forward-looking program.</p><p dir="ltr" style="text-align:left;">We also know that training programs alone do not prevent future incidents. The company showed that loyalty is part of our core values. We remained on site at Kraft and continued to provide services to the facility until it was shut down in a corporate reorganization. We stood by Kraft at trial, and our founding CEO and Chairman of the Board attended the trial as the company representative. 
Most tellingly, Kraft recently selected U.S. Security Associates as its single-source security provider nationwide. This loyalty and commitment to excellence is part of the “corporate heartbeat.” And it is this corporate heartbeat that enables U.S. Security Associates to see lessons in leadership where others see lessons in liability.</p><p dir="ltr" style="text-align:left;"><em>Security Management</em> responds:</p><p dir="ltr" style="text-align:left;">The reporting in the article was based on the written opinion of a state district court. We regret that we were unable to incorporate U.S. Security's comments into the original article.</p><div dir="ltr" style="text-align:left;"><em>Original article</em></div><p dir="ltr" style="text-align:left;">Yvonne Hiller was not having a good day. On September 9, 2010, Hiller had a quarrel with her coworkers—Tanya Renee Wilson, LaTonya Brown, and Bryant Dalton—at the Kraft Foods plant in Northeast Philadelphia where she had worked for 15 years. At a union stewards and supervisors meeting that evening, a decision was made. She was suspended and had to vacate the facility immediately.</p><p dir="ltr" style="text-align:left;">Kraft had contracted U.S. Security Associates, a private-sector firm, to provide security for the plant, and U.S. Security Site Supervisor Damon Harris was called to escort Hiller to her vehicle and ensure that she left the property.</p><p dir="ltr" style="text-align:left;">However, Harris did not walk Hiller to her car. He left her at the guard booth at the security gate at the entrance to the plant and allowed Hiller to walk to her vehicle, alone. But Hiller did not drive away.</p><p dir="ltr" style="text-align:left;">Instead, she retrieved a firearm from her car and drove back to the security gate where she pointed her gun at U.S. 
Security Officer Marc Bentley, who was inside the guard booth, and demanded to be allowed back into the plant.</p><p dir="ltr" style="text-align:left;">When Bentley did not open the gate, Hiller drove through it. Bentley then paced back and forth inside the guard booth, while his supervisor—Harris—ran away. Both security officers called 911 after several minutes of panic and confusion, but they failed to alert anyone else in the plant that Hiller was inside, and that she was armed.</p><p dir="ltr" style="text-align:left;">Hiller made her way through the plant to where the union meeting had taken place earlier that evening, opened fire, and shot Wilson, Brown, and Dalton. Wilson and Brown were killed, but Dalton survived the attack.</p><p dir="ltr" style="text-align:left;">Local law enforcement responded to the scene, taking Hiller into custody. She was eventually convicted of two counts of first-degree murder and one count of attempted murder. She is currently serving a life sentence in prison.</p><p dir="ltr" style="text-align:left;">The estates of Wilson and Brown filed a civil suit against U.S. Security and Hiller in 2015, alleging that the security company was guilty of negligence for failing to protect the people at the plant during the shooting and for failing to warn employees that Hiller was in the plant, armed with a gun.</p><p dir="ltr" style="text-align:left;">The First Judicial District Court of Pennsylvania agreed with them, granting the estates more than $46.5 million in damages—$8.02 million in compensatory damages and $38.5 million in punitive damages.</p><p dir="ltr" style="text-align:left;">“The verdict is an important message to U.S. Security that their guards can’t simply run away in the middle of a crisis,” said Shanin Specter of Kline & Specter, P.C., which represented the Wilson and Brown families in the civil suit, in an interview with Philadelphia’s NBC local affiliate. U.S. Security did not return requests for comment on this article. 
</p><p dir="ltr" style="text-align:left;">Kraft had contracted with U.S. Security and set forth the service agreement in written documents, outlining the security officers’ guide and post orders. </p><p dir="ltr" style="text-align:left;">The service agreement explained that U.S. Security personnel would have administrative and operations experience in security services at a level adequate to the scope of work and would be “responsible for maintaining high standards of performance, personal appearance, and conduct,” according to court documents. </p><p dir="ltr" style="text-align:left;">Personnel would be responsible for duties such as access control; escort services; incident reports; in-depth knowledge of facility-specific requirements, expectations, and emergency procedures; patrol service duties; alarm response; emergency and accident response; and security gate control.</p><p dir="ltr" style="text-align:left;">The service agreement also outlined what was expected of security personnel in response to an emergency at the Kraft plant in Philadelphia. 
The nine-step procedure included remaining calm if the officer was witness to a threatening situation, contacting a Kraft representative immediately, calling 911 if the threat was immediate, being prepared to assist if the situation became confrontational, and noting all facts about the incident in the security log.</p><p dir="ltr" style="text-align:left;">This is why it is critical for contract security providers and their clients to draft and review policies related to security officer duties and emergency response.</p><p dir="ltr" style="text-align:left;">“Any plans, procedures, and policies that you had in place are going to be front and center when a tragedy like the Kraft case happens—or even something far less tragic,” says Eddie Sorrells, CPP, PCI, PSP, chief operating officer and general counsel for DSI Security Services, a contract security provider based in Dothan, Alabama.</p><p dir="ltr" style="text-align:left;">For contract security providers, the case illustrates the importance of reviewing background screening and training processes for security guards. One criticism in the U.S. Security case, according to court documents, was that Bentley—a relatively new security officer—was not adequately trained to know how to use the available technology to communicate that Hiller had reentered the plant with a gun.</p><p dir="ltr" style="text-align:left;">“One of the most important lessons learned from this case is how critical training is for the security officer,” Sorrells explains. “That’s not a suggestion that U.S. 
Security didn’t have that; it just reinforces the need to have real policies and procedures that can be…exercised and trained on.”</p><p dir="ltr" style="text-align:left;">“I’m fond of saying that corporations are not hiring a staffing agency; they’re hopefully hiring security experts who can come in and advise them on what is needed in terms of emergency communications, training, and internal education for your employees,” Sorrells adds.</p><p dir="ltr" style="text-align:left;">“We have to make sure that training is there to hopefully prevent these things from happening; and even if all those efforts fail, once someone does show up with a weapon, we need to have procedures in place to make sure emergency notifications are sent out,” Sorrells says.</p><h4 dir="ltr" style="text-align:left;">Insider Threats</h4><p dir="ltr" style="text-align:left;">Around 10:09 a.m. on September 8, 2013, Yale University doctoral student Annie Le swiped her security card and entered the research lab on Yale’s campus where she conducted experiments into enzymes that could have implications for cancer, diabetes, and muscular dystrophy treatments.</p><p dir="ltr" style="text-align:left;">Later that day, a fire alarm went off in the lab, requiring everyone to evacuate the facility. But Le did not leave. And Yale University did not search the building to locate her. Eventually, when Le did not come home that night, her roommate called the authorities at Yale to report her missing.</p><p dir="ltr" style="text-align:left;">However, authorities did not begin looking for Le until the following morning. They would not find her until five days later—on the day she was scheduled to be married—when they discovered her body stuffed into a wall in the basement of the lab facility.</p><p dir="ltr" style="text-align:left;">Authorities would later determine that fellow laboratory technician Raymond J. Clark III had brutally assaulted and strangled Le on September 8. 
He pleaded guilty to her murder and is currently serving a 44-year prison sentence.</p><p dir="ltr" style="text-align:left;">Following his sentencing, Le’s family filed suit against Yale, alleging that it was negligent and failed to use reasonable care by hiring Clark for a position that allowed him unsupervised access to students and staff; by retaining Clark in that position; by failing to adequately supervise and monitor Clark’s activities; and by permitting Clark to work alone in remote areas of the building with Le and others.</p><p dir="ltr" style="text-align:left;">The family also claimed that Yale was negligent for failing to inform and warn Le about the potential threat Clark posed; failing to take “reasonable steps” to provide a safe and secure environment for Le to work at the facility; failing to maintain a properly qualified and trained security staff at the lab; failing to respond to a fire alarm that sounded the same day Le was murdered; fostering an atmosphere of tolerance of sexual harassment and sexual assaults that emboldened Clark; failing to investigate Le’s unexplained disappearance; and failing to detect, prevent, or intervene in Clark’s attack and murder of Le.  </p><p dir="ltr" style="text-align:left;">Yale denied the allegations, ABC News reported. “Yale had no information indicating that Raymond Clark was capable of committing this terrible crime, and no reasonable security measures could have prevented his unforeseeable act,” the university said. Yale later agreed to pay the Le family $3 million to settle the suit in 2016, according to the Associated Press.</p><p dir="ltr" style="text-align:left;">Paul Slager, a lawyer for Le’s family and a partner at Silver Golub & Teitell LLP, declined to comment on the settlement but did say that the case was part of a broader trend he’s seen in negligent security cases. 
</p><p dir="ltr" style="text-align:left;">“Ten years ago when people talked about negligent security it was ‘How do you keep unauthorized intruders out?’” he explains. “As a lawyer, the issues have shifted now that there has to be recognition by security professionals that just keeping intruders out doesn’t mean you’re maintaining a safe and secure environment.”</p><p dir="ltr" style="text-align:left;">For instance, the security precautions that Yale had taken—installing security cameras and using a card access control system—were designed to keep unauthorized individuals from entering the laboratory that Le worked in. However, they were not designed to address insider threats from those who had authorized access to the facility.</p><p dir="ltr" style="text-align:left;">Now, there is a greater acknowledgment that sometimes the threat to employees and students is an insider threat, and there may be other ways to prevent those crimes or acts of workplace violence from taking place, Slager explains.</p><p dir="ltr" style="text-align:left;">“Workplace violence is such a big issue, and this case had layers of workplace violence to it,” he says. “These people (Le and Clark) knew each other really well.”</p><p dir="ltr" style="text-align:left;">One security method Slager says he’s seen more of recently is the rise in portable personal protective devices, which are designed to be carried by individuals and allow them to request help immediately.</p><p dir="ltr" style="text-align:left;">For instance, the University of Bridgeport in Connecticut began giving all new students National Protective Systems’ Personal Alarm Locators (PALs) in 2003. When pressed, the device can pinpoint a student’s location on campus and alert campus security.</p><p dir="ltr" style="text-align:left;">“The PAL system is only used on the main campus of the university. 
Your picture and location will automatically appear on two screens at the security office,” according to the university’s 2016 Annual Security and Fire Report. “Security will then respond to the location of your PAL, even if it is in motion.”</p><p dir="ltr" style="text-align:left;">The device also provides critical health information about students in the event of an emergency. The university won the Jeanne Clery Campus Safety Award in 2003 for its use of the technology to improve campus safety.</p><p dir="ltr" style="text-align:left;">The devices have been effective at deterring crimes, and in one instance prevented a crime when there was a conflict between a man and a woman on campus, Slager says. </p><p dir="ltr" style="text-align:left;">Because of this, Slager explains that he argued in the Le family’s suit against Yale that giving this type of personal protective device to students and employees would have been an effective way to deter or interrupt the assault on Le, which killed her.</p><p dir="ltr" style="text-align:left;">Le worked in an isolated part of the lab facility and Yale “didn’t offer sufficient protections from coworkers or people who had proper authority to be there,” Slager says. </p><p dir="ltr" style="text-align:left;">Because Yale and the Le family settled their suit, no damages were awarded. But in the U.S. Security Services case, the damages the jury awarded the plaintiffs were significant. The case was being appealed at the time Security Management went to press, so they may be reduced, but the high amount was initially awarded, Sorrells says, due to the loss of life and the perception that more could have been done to prevent it.</p>
https://sm.asisonline.org/Pages/The-Art-of-Servant-Leadership.aspx The Art of Servant Leadership (Strategic Security)<p>Servant leaders are a revolutionary bunch–they take the traditional power leadership model and turn it completely upside down. This new hierarchy puts the people–or employees, in a business context–at the very top, and the leader at the bottom, charged with serving the employees above them. And that’s just the way servant leaders like it.</p><p>That’s because these leaders possess a serve-first mindset, and they are focused on empowering and uplifting those who work for them. They are serving instead of commanding, showing humility instead of brandishing authority, and always looking to enhance the development of their staff members in ways that unlock potential, creativity, and sense of purpose. </p><p>The end result? “Performance goes through the roof,” says Art Barter, founder and CEO of the Servant Leadership Institute and former CEO of Datron World Communications, Inc.</p><p>“Magic happens,” agrees Pat Falotico, a former executive leader at IBM who is now CEO of the Robert K. Greenleaf Center for Servant Leadership. </p><p>Experts often describe the majority of traditional business leaders as managers who mainly function as overseers of a transaction: employees maintain desired performance levels, and in exchange they receive salary and benefits. Generally, these managers are positional leaders–they derive authority simply from the fact that they are the boss.</p><p>The servant leader moves beyond the transactional aspects of management, and instead actively seeks to develop and align an employee’s sense of purpose with the company mission.</p><p>The fruits of these labors are bountiful, servant leadership advocates say. Empowered staff will perform at a high, innovative level. 
Employees feel more engaged and purpose-driven, which in turn increases the organization’s retention and lowers turnover costs. Well-trained and trusted staffers continue to develop as future leaders, thus helping to ensure the long-term viability of the organization. </p><p>To reap these fruits, several things need to happen, experts say. Servant leadership ultimately starts with an unselfish mindset. “If you have selfish motivations, then you are not going to be a good servant leader. It has to be less about you,” Falotico says. Moreover, the organization at large needs to sustain a workplace culture in which this type of leadership can thrive. Finally, there are behaviors that the servant leaders themselves must practice on a regular basis. “As leaders, we can say anything we want, but we’re going to be judged on our behavior,” Barter says. And for the servant leader, behavior isn’t just what gets done, but how it gets done.</p><p>This article, based on several expert and practitioner interviews and recent research in the leadership field, explores the art and practice of servant leadership–its philosophy and goals, as well as best practice guidance for security leaders who aspire to become great servant leaders. We also take a look forward, and explore servant leadership’s impact on the future of leadership.</p><h4>Origins and Applications</h4><p>Servant leadership can be considered something of a universal concept, because it has roots in both Eastern and Western cultures, researchers say. In the East, leadership scholars point to Chinese philosophers in 5th century BC such as Laozi, who asserted that when the best leaders finished their work, their people would say, “we did it ourselves.”</p><p>In modern-day leadership circles, the concept gained much currency with Robert Greenleaf’s 1971 essay, The Servant as Leader. Greenleaf, who passed away in 1990, went on to found the Atlanta-based Greenleaf Center for Servant Leadership. 
Falotico now leads the center, after spending 31 years at IBM.</p><p>In practice, Southwest Airlines, under the direction of founder Herb Kelleher, is frequently cited as the model servant leadership corporation. Kelleher’s philosophy of putting employees first resulted in a highly engaged, low-turnover workforce and 35-plus consecutive years of profitability, an unheard-of record in the turbulent airline industry. </p><p>Barter, who now leads the California-based Servant Leadership Institute, came to the concept by a circuitous path–working for companies that did not follow its practices. “I spent 20 to 25 years working at public companies that believed in the power model–it was all about what you could do for me in this quarter,” he says. He then became acquainted with the work of management expert and servant leader advocate Ken Blanchard. In 2004, when Barter became the CEO of Datron, a tactical communications equipment supplier, he was determined to head the firm as a servant leader. The results were dramatic. The company’s revenue grew from $10 million to $200 million in six years.</p><p>As a veteran business executive for many different companies, Barter is familiar with corporate security operations and departments, and he believes that the servant leadership model is a great fit for security leaders who are charged with protecting people and assets. He explains it this way: security managers must sometimes make quick and informed operational decisions, such as when a breach is suspected. A servant leader will do this, and will then use those decisions as educational tools, analyzing them in discussions with staff, and soliciting their opinions and ideas. This becomes a win-win-win situation: it builds trust between manager and staff, it helps employees develop as security professionals, and it enables the manager to gain new perspectives on security issues. 
</p><h4>Best Practices</h4><p>Experts offer a range of best practice suggestions for security leaders who aspire to become successful servant leaders. Most experts agree, however, on one bedrock principle: successful servant leadership starts with a leader’s desire to serve his or her staff, which in turn serves and benefits the organization at large. This serve-first mindset can be put into practice from the beginning, during an employee’s onboarding phase, says Michael Timmes, a leadership expert and consultant and coach with the national human resources provider Insperity.</p><p>During onboarding, after the initial introductions, getting-acquainted conversations, and explanations about how security operations work, the servant leader should solicit the new hire’s observations, impressions, and opinions, Timmes says. This conveys the message, from the onset, that the employee’s thoughts are valued. </p><p>And from that point, the servant leader keeps a continual focus on talent development. “They take folks early in their careers, and think of them as the leaders of the future,” Timmes explains. He approvingly cites one expert’s view that if a manager is not spending at least 25 percent of his or her time developing future leaders, then “you’re really not fulfilling your responsibilities as a leader.” </p><p>The servant leader can enhance this talent development process in several ways. For Barter, one of the keys is to leverage the employees’ strengths. Often, an employee’s highest performance is on tasks they are most passionate about, yet some managers never find this out. “We don’t take the time to ask them—‘What do you really want to do? What really excites you?’” Barter says. </p><p>Another way to enhance the talent development process is to selectively relinquish power, so that employees can lead certain projects and take ownership of initiatives. “Giving up power, and having others lead—that builds confidence in people,” Timmes says. 
</p><p>This can be tricky for some leaders because they equate leadership with control and they feel they should be responsible for everything. But therein lies a paradox—leaders that are able to let go often find that they are actually in more control, because they have harnessed the resources and talents of their staff, which collectively can guide operations more effectively than one person can, he explains.</p><p>This is a crucial requirement for effective servant leadership, says Falotico. She tells leaders to “get over yourself” and realize that business objectives, whatever they are, will not be reached without sharing the load and responsibility. “You are no longer an individual performer–you are a leader,” she says. “Leaders are enablers. That’s your work.”</p><h4>Question Close, Listen Closer</h4><p>If serving staff is the bedrock principle of servant leadership, two core practices toward achieving that goal are close listening and searching questions. </p><p>Darryl Spivey, a senior faculty member at the Center for Creative Leadership (CCL) who coaches executives on servant leadership, says that asking the right questions is the “secret sauce” of great coaching, and is crucial for servant leaders. CCL is a leadership development institute with offices around the world, including China, Ethiopia, India, Russia, and several U.S. cities. </p><p>Servant leaders build relationships with staff primarily by listening closely and by asking many questions—on anything from the employee’s background to detailed queries about their assessment of the firm’s business environment, Spivey explains. If an employee is struggling, leaders should ask questions about what might be impeding his or her progress. Even questions about smaller aspects of operations, such as the best use of time during meetings, are helpful. “The message this sends to the individual is that their opinion does matter, and that [leaders] want their feedback,” he says. 
</p><p>And the emphasis on questions works both ways. Employees should feel comfortable asking the servant leader questions without worrying that the leader will feel badgered, threatened, or implicitly criticized, Spivey says. Such questions help drive the development and growth of the employee. </p><p>Carefully asking questions is related to another crucial practice–listening to understand. This means listening to the employee silently and making an active effort to understand his or her point of view. Even if the leader feels the need to disagree or interject, they will wait until the person is finished speaking. If need be, the leader can briefly summarize what the employee has just expressed, as a way to communicate understanding. </p><p>While this may strike some as merely common courtesy, listening to understand is becoming harder with the rise of technology and the decrease of attention spans, experts say. For example, a leader who keeps the iPhone on the desk, and glances at it repeatedly during conversations, is not listening to understand.</p><h4>Encouragement, Humility, Trust</h4><p>Servant leaders can do more than listen to staff: they can encourage them. Indeed, in many ways encouragement is the hallmark expression of a servant leader, and it is a tremendously powerful tool, experts say. </p><p>Whatever the type of interaction with staff, servant leaders are consistent in showing encouragement and humility with an egalitarian attitude. “They don’t think of themselves as any better than anybody else,” Timmes says. In practice, this means that when employees make mistakes, the leader isn’t treating them as children who need to be scolded. “Some say, ‘aren’t you going to sit down and discipline them?’ But that’s not really a good leadership approach,” he explains. 
</p><p>Instead, the servant leader engages in respectful conversation which demonstrates trust in the employee to make the needed adjustments.</p><p>Trust is both a defining characteristic and defining outcome of servant leadership, says Stephen M.R. Covey, former CEO of the Covey Leadership Center and author of The Speed of Trust. </p><p>To Covey, it’s important to remember that servant leaders are both servants and leaders. “You do serve, but it still requires the other dimensions of leadership–character and competence,” he says. Competence means that the leader has a track record of high ability and achieving results, with skills that are relevant. Character means that results and accomplishments are achieved with integrity and ethics. </p><p>Trust is a prerequisite for servant leaders, because the leaders must trust that the employees are worth serving, and that they, and the organization, will benefit from their service. Practicing servant leadership generates trust in the employees, who may be inspired by their manager’s competence and character and convinced by their manager’s serve-first practice that he or she has their best interests at heart. “Trust is one of the means to achieve servant leadership, and it is also an end that is achieved by servant leadership,” Covey says.</p>
https://sm.asisonline.org/Pages/Kidnapping-and-the-Private-Sector.aspx Kidnapping and the Private Sector (Physical Security)<p>The news media focuses primarily on kidnapping cases involving high-profile targets such as captured journalists and soldiers, high-net-worth individuals, and children. </p><p>However, sensational depictions in film and television have created a popular perception of kidnapping that is often at odds with the reality. Kidnaps-for-ransom happen every day around the world, with rates influenced by geography, conflict, and political, economic, and social issues. Many cases go unreported and unnoticed outside their local setting. </p><p>In some parts of the world, law enforcement and security services are too ineffective to properly guide kidnap victims to a safe resolution. Eager to project strength, and frequently lacking effective training in how to peacefully resolve the situation, security forces often prioritize tactical interventions that may jeopardize the lives of the victims. And, in rare cases, they have been found to be complicit in the kidnapping. </p><p>It is into this space that third-party actors and private sector organizations can step in to offer support and assist in securing the safe release of the victim. Otherwise, absent advisory and duty-of-care structures compound the trauma of the ordeal for victims and their families. Structure provided by experts can help guide financial negotiations, manage family and employer liaisons, and arrange post-incident support, such as counseling or medical care. There may also be jurisdictional conflicts that preclude victims from getting the full support of their home or host country, or governments could simply be unable or unwilling to provide consular or legal support abroad. 
</p><p>Debunking the common myths surrounding kidnap-for-ransom enables a clear understanding of where there is an opening for private sector engagement and where third-party support is most required.</p><h4>The Kidnappers</h4><p>Although there is a common perception that militant groups carry out a large proportion of kidnaps, data from global risk consultancy Control Risks shows that only 14 percent of the kidnapping incidents that took place worldwide last year involved these groups. </p><p>This is despite the concerted kidnapping activity accompanying insecurity in places such as Libya, Iraq, and Syria, attributed particularly to ISIS, as well as renewed kidnapping activity by al Qaeda in the Islamic Maghreb (AQIM) in the Sahel region and the Abu Sayyaf Group in the Philippines. </p><p>Instead, some 85 percent of the kidnaps recorded this year by Control Risks were perpetrated by criminal elements such as organized networks, small gangs, or individuals. These are not exclusive, with current or former members of militant groups sometimes using their resources to carry out kidnaps-for-ransom purely for personal financial gain.</p><h4>Targeted Victims</h4><p>Corporate security managers considering their organization’s exposure to kidnap risk at home and overseas often approach the issue with their employees’ specific profile in mind. </p><p>While managers may assume that a foreign or Western employee is more likely to be targeted in higher-risk regions abroad, this is not borne out by Control Risks’ kidnapping data, which shows that 97 percent of all kidnaps last year involved local victims. Furthermore, the professionals or businesspeople among those victims represented 54 different industries and were targeted in 77 different countries, illustrating the pervasiveness of the threat and lack of focus on a limited spectrum of sectors. 
</p><p>There are local nuances to the way in which kidnappers target victims in every state or province in a given country—the kidnapping group’s capability and the general security environment largely dictate target selection. Kidnappers often take into consideration the victim’s apparent wealth to draw a high ransom, the abduction’s chance of success, and other aspects of the victim’s profile.</p><p><strong>Wealth. </strong>Criminals who make their living from kidnapping want to maximize the income from each abduction. Individuals employed by multinational companies or in high-revenue sectors might attract the attention of kidnappers because they appear to be wealthy in the local context. Kidnappers will make assumptions about a potential victim’s social and economic standing based on simple things, such as material displays of wealth like new vehicles, whether they live in a wealthy suburb, or if their children go to a fee-paying school, for example. </p><p>Alternatively, they may have insider information. A fashion heiress kidnapped in Hong Kong in April 2015, for instance, was targeted after one of the suspects carried out renovations of the property and noticed the presence of luxury cars and goods. In another case in Nigeria in 2015, a large wedding celebration hosted by the victim was enough to prove his financial value to the kidnappers, who abducted him within the month. </p><p><strong>Risk.</strong> Having selected a target, the kidnappers could put the potential victim under surveillance to ascertain any weaknesses in his or her security. The simplest option is always to abduct the victims while they are in the open. Those who have a predictable daily routine are easy to target because the kidnappers know when and where they will be traveling. The daily commute, school run, or other regular travel can give kidnappers a variety of options. 
</p><p>Control Risks’ data shows that abductions most commonly occur during a routine journey to or from work, school, or home, with 35 percent of all kidnaps in 2016 taking place at this time. In southern Nigeria, for instance, kidnappers frequently strike on Sundays when families travel to and from church services at a regular time and are vulnerable in transit. </p><p>Nevertheless, kidnappers can often be deterred by even rudimentary security provisions. Anything that makes the abduction more difficult may convince them to move on to a new target. </p><p><strong>Profiling.</strong> In some places, criminally motivated kidnappers are more likely to target local junior or middle management employees than CEOs or foreigners in the corporate context. The calculation is that, while the latter would probably yield a higher ransom, the increased risk of arrest that follows the abduction of a high-profile figure could outweigh the potential financial benefit. </p><p>However, foreign nationals are also often harder to abduct because those present in higher-risk areas generally employ more stringent security precautions and represent a much smaller slice of the population. </p><p>In other regions, usually those prone to militancy, the victim’s unique profile will not act as a deterrent, and foreigners are often the most highly sought captives. Some groups have significant capability to kidnap high-profile victims and, by taking advantage of difficult terrain and ungoverned spaces, can hold them for long periods without fear of arrest while they negotiate a ransom. </p><p>Indeed, for some of these kidnappers, increased attention, both from the government and the media, is part of their motivation to kidnap a high-profile victim for leverage and propaganda purposes. 
</p><h4>Abduction Locations<img src="/ASIS%20SM%20Callout%20Images/0317%20Feature%204%20Infographic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:610px;" /></h4><p>When preplanning an abduction, kidnappers look for an easy means of escape from the immediate vicinity of the abduction and a viable safe space for the period of captivity. </p><p>The partition of Mali in 2012 and the accompanying establishment of operating space for jihadist groups in the remote northern half of the country, for instance, emboldened and enabled AQIM to significantly ramp up its kidnapping activity. The group and its affiliates operating in the western Sahel have since carried out several high-profile kidnaps of foreign nationals, including in northern Burkina Faso and Niger, within a day’s drive of safe zones in northern Mali. </p><p>The porous border and weak security presence in the area create a permissive climate in which to conduct operations, and afford AQIM and its satellite groups the time and space to plan kidnaps. In 2016 alone, at least three separate kidnaps targeting foreign nationals and launched from northern Mali were attributed to the network, including that of an Australian couple in northern Burkina Faso last January and an American aid worker in Niger in October. </p><p>In an opportunistic abduction, the targeting process is accelerated. A typical method is to set up a roadblock and screen victims as they drive through. The kidnappers will make snap assumptions about the victims’ wealth based on the car they are driving and whether they have a driver. </p><p>They can then further question the victims and search the vehicle for confirmation of their wealth. Often people will carry some detail of their employment, such as an identity or access card, that might alert the kidnappers to their potential worth. 
Visibly branded vehicles, particularly in remote or poor areas, indicate that the occupants may have a higher comparative income or that there is a chance their employer would be willing to pay a ransom for their freedom, increasing the risk. </p><p>Opportunistic, ambush-style abductions are particularly common in the eastern provinces of Congo (DRC). In North Kivu province, for example—home to a plethora of armed groups, including Rwandan rebels, local militias, and army defectors—almost all kidnaps take place at improvised roadblocks and fake checkpoints, and they frequently target convoys of vehicles. More than half of all kidnaps recorded in Congo take place in the province. Many target nongovernmental organizations and other organizations with projects in the hinterland, including construction and telecommunications firms.</p><h4>The Ransom</h4><p>While a ransom is not limited to a financial payment to release the victims, financial demands are most commonly made to the victims’ families or employers and can also extend to the victims’ national government or the victims themselves. </p><p>The type of ransom sought can vary greatly depending on the kidnapper’s profile—for example, militant groups often take hostages with the intention of trading them for group members in custody in a prisoner exchange. They have also been known to make other demands, such as a cessation of drone strikes or the withdrawal of enemy troops. </p><p>In a January 2016 hostage video featuring a Swiss missionary kidnapped from her residence in Timbuktu, for example, an al Qaeda–linked group specifically demanded the release of Ahmad al-Faqi al-Hadi, a militant on trial at the international criminal court in Brussels for ordering the destruction of ancient monuments and shrines in the city during its occupation by Islamist militants in 2012. 
Other armed groups routinely include in their demands materials useful for their future operations, such as satellite telephones, foodstuffs, vehicles, and weapons. </p><p>Sometimes less-straightforward concessions are demanded. Kidnapping is occasionally used as a last resort in cases of industrial action or as a result of a personal, business, or criminal dispute in which one party is kidnapped to compel them to pay a debt or agree to some stipulation for their release. </p><p>Control Risks has recorded several cases in Asia where kidnap is used to apply pressure on a company or vendor; these often revolve around contracting. In one 2013 case in India, for example, employees of a company kidnapped a junior staff member at another company to compel his employer to pay them money that was unforthcoming but contractually owed. </p><p>In China, the kidnap or detention of executives is a relatively common way for employees to extract concessions from their employers during labor unrest or disputes. In one such case in 2013, Chinese factory workers held their U.S. manager for five days amid a dispute over severance pay.</p><h4>Express and Virtual Kidnappings</h4><p>Classic kidnap-for-ransom is not the only crime that companies or security managers need to consider when thinking about risks to their staff, nor is it the sole extortive crime covered by insurance policies. New forms of extortive crime have accompanied the advent of new technology. These include cyber extortion, virtual kidnapping, and express kidnapping. </p><p>Virtual kidnapping is the name given to a form of extortion that emerged in Latin America in 2004 and has since spread to many parts of the world. Notably, it has become increasingly common in Asia, particularly China.</p><p>In a virtual kidnap, a criminal typically contacts a family and claims to have abducted one of their loved ones. The criminal threatens to harm or kill the victim if a ransom is not paid. 
In fact, the supposed victim of a virtual kidnap is never actually held captive, but may have been forced to cooperate with the criminals or may be completely unaware of the incident. </p><p>In many cases in Mexico, the alleged kidnap victims are contacted by the extortionists and forced to isolate themselves by checking into a hotel or another location, and remaining there until told to leave. </p><p>In most countries, the crime affects local nationals, but in Latin America, particularly in Mexico, Spanish-speaking business travelers are increasingly falling victim to the crime. Knowledge of the prevalence of this crime, and adequate preparation and training for employees who travel to areas where it is common, are crucial to mitigating the financial risk to both the individual and the company. </p><p>Express kidnapping generally involves the abduction of a victim who is forced, under threat of injury or death, to withdraw funds from ATMs. It is generally opportunistic and carried out by individuals or small, dedicated, and well-organized gangs that are often armed. </p><p>In Mexico, for example, they frequently use taxis to carry out kidnaps, posing as taxi drivers to rob the passenger. The average gain made by an express kidnapper is relatively small and the duration of captivity is generally between two and four hours. Kidnappers are attracted to express kidnapping because it allows them to avoid protracted negotiations with the victims’ families, involves little risk, and is a quick way of making money. </p><p>Foreign nationals are a favored target for express kidnappers because of their presumed wealth and the assumption that they are less likely to remain in the area during a police investigation or be able to identify the offenders. In countries like Brazil, Ecuador, and Tanzania, express kidnapping has overtaken traditional kidnapping-for-ransom. 
</p><h4>Response and Insurance</h4><p>Most reputable insurance companies that offer kidnap-for-ransom insurance have an exclusive partnership with a specialist response firm, guaranteeing their clients immediate access to expert consultants and advice in a crisis incident. </p><p>Although insurance companies offering kidnap-for-ransom coverage and private response companies have been working hand-in-hand for decades, the confidentiality inherent in the business precludes transparency around the specifics of the insurers’ role and the services the responders provide. </p><p>Good responders are defined by their independence and are trusted by their insurance partner to work towards the best possible outcome in each kidnap: the safe and timely release of the victim. It is imperative that the insurer maintains a reputation as a reliable provider, further incentivizing the safe release of a victim or successful resolution of the case. The role of the insurer should simply be to reimburse costs and expenses the responder incurs during the process of supporting and advising the policyholder. Kidnap-for-ransom policies sold by leading insurers can also include coverage for extortion, threats, missing persons, and wrongful detention cases. </p><p>Experienced responders can provide invaluable support to the victims, their families, and their employers, particularly in places where law enforcement and crisis management institutions are unequipped or under-resourced. Above all, the private responder has an obligation to respect the wishes of the victim, their family, or the employer, and a duty to provide them with the best possible advice and course of action. The client is free to take or ignore that advice and is always the final decision maker. Responsible responders will never act unilaterally outside the course of action agreed with the client, or outside the law. 
</p><p>Kidnap-for-ransom is not confined to the world’s most dangerous locations or perpetrated principally by jihadis or guerrillas, nor does it predominantly target those wealthy enough to pay a large ransom. </p><p>The crime is constantly evolving and adapting to the changing security environment, and security professionals must understand the nuances and risks involved for all forms of kidnap and extortive crime to practice successful mitigation.</p><p>--<br></p><p><em>Sebastian Boe is a special risks analyst responsible for conducting research and analysis on kidnapping and extortion trends in Africa within Control Risks’ Response department.</em></p>
https://sm.asisonline.org/Pages/Running-on-Empty.aspx<h4>Running on Empty (Strategic Security)</h4><p>In this age of overload, with organizations trying to do more with less, employees buried in information, and devices that call for round-the-clock urgency, burnout is a malady ripe for our times. Burnout can strike even the most productive workers and the most consistent performers, as well as those who seem to have the greatest capacity for hard work, experts say. </p><p>One reason burnout is such a pernicious problem is that it does not have to be total for its effects to be devastating.</p><p>“Burnout tends to plateau rather than peak,” says Paula Davis-Laack, specialist in burnout prevention programs, founder and CEO of the Stress and Resilience Institute, and author of Addicted To Busy: Your Blueprint for Burnout Prevention. “Burnout exists on a continuum. You don’t have to be completely mentally broken down and barely able to get out of bed to feel major effects.”</p><p>In other words, employees suffering mid-level burnout may still be able to power through and complete an adequate amount of work by sheer force of will, but their partially depleted state greatly hinders their performance and productivity, and it keeps them from realizing their full potential. </p><p>“That can go on for months, or even years, depending on the person’s work ethic,” says management expert Brady Wilson, cofounder of Juice Inc. and author of Beyond Engagement and other business performance books. </p><p>In a field like security, workers can be especially vulnerable to burnout, given the continual pressure and stress that go into protecting people and assets, and the high stakes involved if a breach does occur. 
</p><p>“Constant job pressure, especially when some of the factors are out of your control like they are with security, is definitely one of the causes of burnout in employees,” says Carlos Morales, vice president of global sales, engineering, and operations at Arbor Networks, which specializes in network security. </p><p>The consequences of burnout are varied; in some cases, they involve serious health issues. Davis-Laack, who became a specialist in the field after burning out as a practicing attorney, says she experienced weekly panic attacks and a few stomachaches that were so painful they sent her to the emergency room. Coronary disease, depression, and alcohol abuse are other possible consequences. </p><p>For the employer, burnout can significantly compromise workplace quality, causing more absenteeism, turnover, accident risk, and cynicism, while lowering morale and commitment and reducing willingness among workers to help others.</p><p>Fortunately, in many cases burnout can either be avoided, with deft management and a supportive organization, or significantly alleviated using various strategic methods. But like most maladies, it must be understood before it can be properly addressed. </p><h4>Symptoms and Conditions</h4><p>Burnout occurs when the demands people face on the job outstrip the resources they possess to meet them. Psychologists who study burnout as a condition divide it into three dimensions: exhaustion, depersonalization, and reduced personal accomplishment.</p><p>When the first aspect—exhaustion—hits, the employee may feel emotionally, physically, and cognitively depleted. This often spurs feelings of diminished powers; challenges that were formerly manageable can seem insurmountable. As Davis-Laack describes her own experience of this condition: “Every curveball seems like a crisis.”</p><p>When depersonalization occurs, an employee may start to feel alienated from his or her own job, and more cynical and resentful toward the organization. 
Work and its mission lose meaning; feelings of going-through-the-motions increase. Detached and numb, the employee tries to plow ahead. </p><p>Exhaustion and depersonalization often combine to produce the third component of reduced personal accomplishment. As Wilson explains, the depleted employee possesses considerably less “executive function,” or the ability to focus, self-regulate, connect the dots between ideas, strategize, analyze, execute smoothly, and follow through—all of which can be thought of as “the power tools of innovation.” </p><p>“Nuanced thinking and value-added thinking are the first to go when employees are exhausted,” he says. “Instead, they rely on duct-tape fixes, reactivity, firefighting. They don’t get to the root causes of problems and issues.” </p><p>The state of mind that burnout can elicit sometimes leads to self-blame, where the employee feels that he or she is professionally inadequate. But that is unfair, says Davis-Laack: “I don’t want individual workers to feel that it’s all their fault.” </p><p>The root causes of burnout, she explains, are usually a product of what employees bring to the table—work ethic, how closely they tie work to self-worth, their level of perfectionism—and how the organization itself functions, which can be an important factor. </p><p>Understanding key organizational conditions, experts say, will help managers maintain a culture that protects employees from burning out. One of these conditions involves what the organization chooses to reward. </p><p>Wilson explains this as follows. For many years, many organizations stressed the importance of keeping employees engaged. But the definition of engagement has shifted, so that many firms now define engaged workers as those with clear dedication and commitment, who come to work early and stay late. “What’s missing from this definition is passion, enthusiasm, verve, and spirit,” he says. 
</p><p>When engagement is so defined, increased effort, such as working more hours and taking on more projects, is rewarded. But simply increasing hours at the office does not produce high performance, Wilson says. </p><p>“We get our epiphanies in the shower—we don’t get them when we are determined and gritting our teeth around a board room table. It’s not effort that produces brilliance, it’s energy,” he explains. But sometimes, the more-rewards-for-more-work philosophy can function as an unintentional incentive to burn out.</p><p>The organization’s day-to-day working conditions are also crucial here. Research has found that two factors can be deadly in sapping an employee’s resources, according to Davis-Laack. </p><p>One is role conflict and ambiguity, which can occur when employees are never clear on exactly what is expected of them, and on what part they should be playing in active projects. “That’s very wearing on people,” she says. </p><p>Another is unfairness, which is often related to office politics. This can include favoritism, failure to recognize contributions, being undermined, or dealing with the demands of never-satisfied supervisors.</p><p>Such stressful conditions push some employees into “gas guzzling” energy mode, because they require so much emotional effort just to cope with them, Wilson says. </p><p>“Substances generated by stress, such as cortisol and adrenaline, have a beautiful utilitarian use—to get us out of trouble, to keep us safe,” he explains. “But we are not as productive when we have a brain that is bathed in those things day in and day out.” </p><h4>Detection</h4><p>Although it is vital for managers to strive to maintain a positive office culture, it’s also important to recognize that burnout can happen even in the healthiest of environments. Given this, Morales encourages attempts at early detection. 
</p><p>“As a manager or executive, it is important to first note the factors that tend to cause burnout even before employees begin to show signs,” he says. “This gives you the opportunity to address issues proactively with employees.” </p><p>These factors, he explains, include a very travel-heavy schedule (50 percent or more of total work time); consistently logging work weeks of 60-plus hours; unrelenting expectations of working off-hours and on weekends; and constant deadline time pressure. </p><p>But since early detection is not always successful or even possible in some cases, managers should also be looking for common signs of burnout that their employees might be exhibiting. Morales advises security managers to look for combinations of the following characteristics that are different from usual behaviors:</p><ul><li><p> General lack of energy and enthusiasm around job functions and projects.<br></p></li><li><p> Extreme sensitivity and irritability towards coworkers, management, and work situations.<br></p></li><li><p> Constant signs of stress and anxiety.<br></p></li><li><p>Significant changes in social patterns with coworkers.<br></p></li><li><p>Sharp drop in quantity and timeliness of output.​<br></p></li></ul><p>When looking for signs of burnout, it’s important for a manager to have a high degree of familiarity with the employee in question, a familiarity which is a byproduct of a strong manager-staff relationship. </p><p>“You’ve got to know your people,” Davis-Laack says. “When someone seems more checked out and disengaged than usual, if you know your people well enough, you can spot it.” ​</p><h4>Treatment</h4><p>When it becomes clear that an employee is suffering from burnout, managers have several options for treatment and alleviation, experts say. Morales says he believes that managers must first come to an understanding of the underlying factors, so that they can be addressed.   
</p><p>“If there is a workload issue, a manager may be able to spread out the workload with other workers to alleviate the issue,” he says. “It’s important to let the employees know that this is being done to gain more scale, and to reinforce that they are doing a good job.”</p><p>Indeed, crushing workloads are now common in many workplaces, experts say, as many companies are actively cost cutting while attempting to raise productivity and output. And for employees who work with data, such as security employees who use analytics, benchmarks, or some form of metrics, the information explosion is requiring more and more staff hours to keep up with the processing and analysis. Managers must be cognizant of this, Davis-Laack says. </p><p>“If you do nothing but pile work on people—well, people are not robots and they are not computers. They are going to wear out,” she explains.</p><p>To combat this, managers should employ a strategic and honest operations analysis, she advises. The department may be generating more output with increasing workloads, but burnout and turnover risk is also increasing, as is the likelihood of costly mistakes. Is it worth the risk? Hiring additional help or outsourcing some tasks may be cheaper in the long run than the costs due to turnover and errors. </p><p>When a department conducts a strategic review of operations, the focus is often on fixing glitches in process, experts say. A focus on reducing workload is less common, but when it is adopted, it often reveals that certain time-consuming tasks are unnecessary.</p><p>If the burnout is caused by a stressful job function, such as a security position in which the worker is protecting assets of great value, the manager can discuss the situation with the employee and ensure that support is available, Morales says. “This may help them feel less alone or helpless in situations,” he says.   
</p><p>Another key strategy for managers is to add extra focus and energy to the resources part of the puzzle, Davis-Laack says. “Help them to build up their energy bank account, so they are not always feeling depleted.” </p><p>She offers five ways for managers to do so:  </p><ul><li><p> Maintain and ensure high-quality relationships between managers and staff members, and between team members themselves. This fosters a healthy and safe environment where problems can be discussed and addressed.  <br></p></li><li><p> Whenever possible, give team members some decision authority. This gives them a sense of autonomy and strength when dealing with issues, and helps avoid feelings of powerlessness. <br></p></li><li><p> Follow the FAST system of respectful feedback—give frequent, accurate, specific, and timely feedback. This helps employees make tweaks and adjustments, and lets them know they are on the right course.  <br></p></li><li><p> Demonstrate that you have the employees’ backs, and always be willing to go to bat for them. Don’t point fingers or complain to higher ups when mistakes are made. This is crucial in building trust.  <br></p></li><li><p> Identify and encourage skills that will help your team members build resilience. These will vary depending on the specific job and situation, but include any skill or resource that can be used when challenges arise, as well as those that help manage stress.  ​<br></p></li></ul><p>In working toward the previous point, managers may want to brainstorm with staff to find ways to make everyone more resourceful. For instance, managers could periodically check in with staff members to determine the team’s overall level of resources, so they can replenish them when they’re low.</p><p>Indeed, soliciting solutions from staff is an excellent practice for managers, because it shows they are partnering with employees, not parenting them, Wilson says. 
The parenting style of management assumes that the manager has knowledge that the worker will never have, and it sets up the employee for helplessness. The partnering style cultivates the employees’ decision-making skills, so they can skillfully meet their own needs. </p><h4>Touchy Subject</h4><p>Burnout can be a sensitive subject. Some workers attach great self-worth to their productivity and performance, and do not like to concede that they are struggling. </p><p>“It is very difficult for some high performers to admit that their engagement is lacking. There’s a sense of judgment associated with that,” Wilson says. </p><p>Some of these workers truly are burned out despite their failure to admit it, and they may be in a precarious state. “I have seen cases where the hardest and most productive workers will not admit to burnout,” Morales says. “In these situations, burnout occurs quite suddenly, without many of the behavioral warning signs.”</p><p>Other employees fear that admitting burnout is disclosing a weakness, one that could prevent them from future promotions or ultimately cost them their job. “They like their work and they don’t want to change jobs, or they can’t change jobs because they have monetary obligations,” Davis-Laack says. </p><p>Here, management can go a long way by being proactive and soliciting feedback from workers regarding their state of mind. “It’s important to have regular discussions with employees about the impact of the workload on them personally, and give them every opportunity to talk through their situation, and vent if necessary,” Morales says. “It’s important for management to recognize the potential for burnout and approach employees proactively to discuss it. 
It provides employees a safe environment in which to talk through the situation.”</p><p>In these situations, a manager can approach an employee with a proactive goal—how can workload and workplace environment be shaped so that the employee is energized in the office, and still has energy left at the end of the day and on weekends for a life outside of work, Wilson explains.  </p><p>Using this framework, Wilson adds that it is often easier for the manager to then ask, “What’s getting in the way of that? Is it bureaucratic interference? Is there too much on your plate? Is there bullying going on, or other workplace environment problems?”  ​</p><h4>More Recognition</h4><p>But while burnout is still a sensitive subject among some workers, there is also a growing recognition that it is a serious issue that needs to be dealt with, experts say. This may be partly driven by recent research in fields like healthcare and finance, where findings suggest that burnout and overwork are causing costly mistakes that are detrimental to a company’s bottom line. </p><p>Moreover, more business leaders see that the problem, if left unchecked, will just get worse in the future, due to factors such as globalization and a web of technology that is becoming more and more complex. “The perfect storm is upon us,” Wilson says.</p><p>Davis-Laack says she is heartened by the fact that the burnout issue, which was frequently dismissed as too “soft” to be a subject at business conferences, is appearing on more agendas. </p><p>“It’s finally starting to get attention across different professions and different sectors,” she says. “Managers are taking it more seriously.” ​​</p>
https://sm.asisonline.org/Pages/ASIS-News-February-2017.aspx<h4>Jack Lichtenstein Leaves ASIS, Offers Insights on Trump (Strategic Security)</h4><p>At this, the end of my 22 years as staff executive for ASIS International’s legislative and public policy work, I have been asked to provide some insights into the political near-future of security. </p><p>These are unnerving times. Rarely has there been such uncertainty about America’s direction at home and abroad as there is at the end of 2016. All this is in the face of mounting threats to our security and to that of our friends.</p><p>Eventually, Americans will sort it out; they always have. But there are dangers. The sorting may be long and uncertain. And uncertainty is not the friend of security. Security requires planning, analysis, and agility, none of which can be done well in an environment filled with unknowns. Security is the antithesis of politics, which tends to be careless and messy in democracies. </p><p>The new American administration will be led by a man without credentials in government, who has pledged to change how Washington works. He was elected not as much to keep America secure but because so many Americans feel alienated from their own political and governmental institutions. They see their standard of living in decline; they sense that they have been overlooked, even disdained. More than anything, that explains the election of Donald Trump.</p><p>Trump seems to espouse two overarching themes, both recurring repeatedly in his pronouncements and appointments. One is to restore the U.S. economy to a position of world leadership. The other is to keep America and Americans secure.</p><p>The president has tools to invigorate the economy. His early aims will include accelerating job creation via infrastructure programs and tax and regulatory relief. 
Nearly all avenues will be aimed at job creation in the United States, despite many economic factors that are out of his control.</p><p>Security is more manageable by the White House, a result not only of presidential control of the bureaucracy but of strong (some would say excessive) executive actions in the form of Presidential Directives issued by the George W. Bush and Barack Obama administrations.</p><p>It is too early to tell which of Trump’s positions—many of which have been incomplete, infeasible, or conflicting—will find their way into practice. But I offer the following recommendations based on what is possible and likely:</p><p>• Pay attention to what he does, not what he says. Trump is known for impromptu statements, which get attention but are not always useful to understanding.</p><p>• Expect emphasis to be on U.S. domestic issues during the first two years. Trump will enjoy a Republican majority in Congress for that long, which he will need to get his domestic agenda passed. He is most comfortable with economic and infrastructure issues, including job creation. He knows he was elected by Americans who want first to restore their country’s economic vitality.</p><p>• “The Wall” is a metaphor, but border security will be real. U.S. Department of Homeland Security selectee and retired U.S. Marine Corps General John F. Kelly commanded the U.S. Southern Command. He understands border issues and security and will be charged with assessing vulnerabilities and determining the right combinations of physical, technological, and personnel means for dramatically reducing illegal immigration.</p><p>• In other matters of security, America will continue to be a reliable ally if for no other reason than that conflict disrupts growth. Trump will expect U.S. allies to invest heavily in their own security. 
This means that there will be more spending on prevention and response programs, but also avoidance of political positions, for example immigration policies, that lay bare their vulnerabilities.</p><p>• Finally, in any dealings between the United States and other countries, America must emerge a winner. That does not mean the only winner; there can be many. But the United States will not be a loser. As those familiar with Trump’s pronouncements know so well, he abhors the very thought of being a loser.</p><p>As I move on to new professional challenges, I believe more than ever that government relations is an essential role for security professionals. Its aim must be creation and maintenance of effective public-private partnerships in security. This should be part of the mission not only of ASIS but of every ASIS chapter in every country.</p><p>The people of democracies expect those overseeing government and corporate security to coordinate in the public interest. Failure to do so is unacceptable. It not only weakens security, it leaves private practitioners exposed to needless government oversight and overreaction when politicians respond, as they will, to security failures that are sometimes unforeseeable.</p><p>I thank the membership of ASIS International for the privileges of being their counsel and representing their interests these many years. Few pursuits are more vital, and few professions more important. </p><p>--<br></p><p><em>Jack Lichtenstein, former vice president, ASIS Government Affairs and Public Policy ​</em></p>
https://sm.asisonline.org/Pages/The-Virtual-Lineup.aspx<h4>The Virtual Lineup (National Security)</h4><p>U.S. state and federal agencies are amassing databases of American citizens’ fingerprints and images. The programs were largely under the public radar until a governmental watchdog organization conducted an audit on them. The so-called “virtual lineups” include two FBI programs that use facial recognition technology to search a database containing 64 million images and fingerprints.</p><p>In May 2016, the U.S. Government Accountability Office (GAO) released Face Recognition Technology: FBI Should Better Ensure Privacy and Accuracy, a report on the FBI programs. Since 1999, the FBI has been using the Integrated Automated Fingerprint Identification System (IAFIS), which digitized the fingerprints of arrestees. In 2010, a $1.2 billion project began that would replace IAFIS with Next Generation Identification (NGI), a program that would include both fingerprint data and facial recognition technology using the Interstate Photo System (IPS). The FBI began a pilot version of the NGI-IPS program in 2011, and it became fully operational in April 2015. </p><p>The NGI-IPS draws most of its photos from some 18,000 federal, state, and local law enforcement entities, and consists of two categories: criminal and civil identities. More than 80 percent of the photos are criminal—obtained during an arrest—while the rest are civil and include photos from driver’s licenses, security clearances, and other photo-based civil applications. The FBI, which is the only agency able to directly access the NGI-IPS, can use facial recognition technology to support active criminal investigations by searching the database and finding potential matches to the image of a suspected criminal. 
</p><p>Diana Maurer, the director of justice and law enforcement issues on the homeland security and justice team at GAO, explains to Security Management that the FBI can conduct a search for an active investigation based on images from a variety of sources—camera footage of a bank robber, for example. Officials input the image to the NGI-IPS, and the facial recognition software will return as many as 50 possible matches. The results are investigative leads, the report notes, and cannot be used to charge an individual with a crime. A year ago, the FBI began to allow seven states—Arkansas, Florida, Maine, Maryland, Michigan, New Mexico, and Texas—to submit photos to be run through the NGI-IPS. The FBI is working with eight additional states to grant them access, and another 24 states have expressed interest in using the database.</p><p>“The fingerprints and images are all one package of information,” Maurer says. “If you’ve been arrested, you can assume that you’re in, at a minimum, the fingerprint database. You may or may not be in the facial recognition database, because different states have different levels of cooperation with the FBI on the facial images.”</p><p>The FBI has a second, internal investigative tool called Facial Analysis, Comparison, and Evaluation (FACE) Services. The more extensive program runs similar automated searches using NGI-IPS as well as external partners’ face recognition systems that contain primarily civil photos from state and federal government databases, such as driver’s license photos and visa applicant photos. </p><p>“The total number of face photos available in all searchable repositories is over 411 million, and the FBI is interested in adding additional federal and state face recognition systems to their search capabilities,” the GAO report notes.</p><p>Maurer, who authored the GAO report, says researchers found a number of privacy, transparency, and accuracy concerns over the two programs. 
Under federal privacy laws, agencies must publish a Systems of Records Notice (SORN) or Privacy Impact Assessments (PIAs) in the Federal Register identifying the categories of individuals whose information is being collected. Maurer notes that the information on such regulations is “typically very wonky and very detailed” and is “not something the general public is likely aware of, but it’s certainly something that people who are active in the privacy and transparency worlds are aware of.” </p><p>GAO found that the FBI did not issue timely or accurate SORNs or PIAs for its two facial recognition programs. In 2008, the FBI published a PIA of its plans for NGI-IPS but didn’t update the assessment after the program underwent significant changes during the pilot phase—including the significant addition of facial recognition services. Additionally, the FBI did not release a PIA for FACE Services until May 2015—three years after the program began. </p><p>“We were very concerned that the Department of Justice didn’t issue the required SORN or PIA until after FBI started using the facial recognition technology for real world work,” Maurer notes. </p><p>Maurer says the U.S. Department of Justice (DOJ)—which oversees the FBI—disagreed with the GAO’s concerns over the notifications. Officials say the programs didn’t need PIAs until they became fully operational, but the GAO report noted that the FBI conducted more than 20,000 investigative searches during the three-year pilot phase of the NGI-IPS program. </p><p>“The DOJ felt the earlier version of the PIA was sufficient, but we said it didn’t mention facial recognition technology at all,” Maurer notes. </p><p>Similarly, the DOJ did not publish a SORN that addressed the collection of citizens’ photos for facial recognition capabilities until GAO completed its review. 
Even though the facial recognition component of NGI-IPS has been in use since 2011, the DOJ said the existing version of the SORN—the 1999 version that addressed only legacy fingerprint collection activities—was sufficient. </p><p>“Throughout this period, the agency collected and maintained personal information for these capabilities without the required explanation of what information it is collecting or how it is used,” the GAO report states.</p><p>It wasn’t until May 2016—after the DOJ received the GAO draft report—that an updated SORN was published, Maurer notes. “So they did it very late in the game, and the bottom line for both programs is the same: they did not issue the SORNs until after both of those systems were being used for real world investigations,” Maurer explains. </p><p>In the United States, there are no federally mandated repercussions for skirting privacy laws, Maurer says. “The penalty that they will continue to pay is public transparency and scrutiny. The public has very legitimate questions about DOJ and FBI’s commitment to protecting the privacy of people in their use of facial recognition technology.”</p><p>Another concern the GAO identified is the lack of oversight or audits for using facial recognition services in active investigations. The FBI has not completed an audit on the effectiveness of the NGI-IPS because it says the program has not been fully operational long enough. As with the PIA and SORN disagreements, the FBI says the NGI-IPS has only been fully operational since it completed pilot testing in April 2015, while the GAO notes that parts of the system have been used in investigations since the pilot program began in 2011. </p><p>The FBI faces a different problem when it comes to auditing its FACE Services databases. 
Since FACE Services uses up to 18 different databases, the FBI does not have the primary authority or obligation to audit the external databases—the responsibility lies with the owners of the databases, DOJ officials stated. “We understand the FBI may not have authority to audit the maintenance or operation of databases owned and managed by other agencies,” the report notes. “However, the FBI does have a responsibility to oversee the use of the information by its employees.” </p><p>Audits and operational testing on the face recognition technology are all the more important because the FBI has conducted limited assessments on the accuracy of the searches, Maurer notes. FBI requires the NGI-IPS to return a correct match of an existing person at least 85 percent of the time, which was met during initial testing. However, Maurer points out that this detection rate was based on a list of 50 photos returned by the system, when sometimes investigators may request fewer results. Additionally, the FBI’s testing database contained 926,000 photos, while NGI-IPS contains about 30 million photos.</p><p>“Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists—specifically between two and 50 photos,” the report states. “FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes.” </p><p>Maurer notes that the GAO recommendation to conduct more extensive operational tests for accuracy in real-world situations was the only recommendation the FBI agreed with fully. “It’s a start,” she says. </p><p>The FBI also has not tested the false positive rate—how often NGI-IPS searches erroneously match a person to the database. Because the results are not intended to serve as positive identifications, just investigative leads, the false positive rates are not relevant, FBI officials stated.</p><p>“There was one thing they seemed to miss,” Maurer says. 
“The FBI kept saying, ‘if it’s a false positive, what’s the harm? We’re just investigating someone, they’re cleared right away.’ From our perspective, the FBI shows up at your home or place of business, thinks you’re a terrorist or a bank robber, that could have a really significant impact on people’s lives, and that’s why it’s important to make sure this is accurate.”</p><p>The GAO report notes that the collection of Americans’ biometric information combined with facial recognition technology will continue to grow both at the federal investigative level as well as in state and local police departments.</p><p>“Even though we definitely had some concerns about the accuracy of these systems and the protections they have in place to ensure the privacy of the individuals who are included in these searches, we do recognize that this is an important tool for law enforcement in helping solve cases,” Maurer says. “We just want to make sure it’s done in a way that protects people’s privacy, and that these searches are done accurately.”</p><p>This type of technology isn’t just limited to law enforcement, according to Bloomberg’s Hello World video series. A new Russian app, FindFace, by NTechLab allows its users to photograph anyone they come across and learn their identity. Like the FBI databases, the app uses facial recognition technology to search a popular Russian social network and other public sources with a 70 percent accuracy rate—the creators of the app boast a database with 1 billion photographs. Moscow officials are currently working with FindFace to integrate the city’s 150,000 surveillance cameras into the existing database to help solve criminal investigations. But privacy advocates are raising concerns about other ways the technology could be used. For example, a user could learn the identity of a stranger on the street and later contact that person. 
And retailers and advertisers have already expressed interest in using FindFace to target shoppers with ads or sales based on their interests.</p><p>Whether it’s a complete shutdown of Internet access or careful monitoring of potentially dangerous content, countries and companies around the world are taking advantage of the possibilities—and power—inherent in controlling what citizens see online. As criminals and extremists move their activities from land and sea to technology, governments must figure out how to counter digital warfare while simultaneously respecting and protecting citizens’ basic human right to Internet access.</p>
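The two measurement gaps the GAO report describes above (a detection rate measured only for a 50-photo candidate list, and an untested false positive rate) can be made concrete on toy data. This is an added example, not GAO or FBI test code; the gallery ids, probe scores and threshold are constructed for illustration.

```python
"""Rank-k detection rate and false-positive identification rate for a
candidate-list face search, computed over constructed similarity scores.
Added example illustrating the GAO points above; it is not GAO or FBI test
code, and the gallery ids, probes, scores and threshold are all made up."""
from typing import Dict, List, Tuple

# Constructed matcher scores (higher = more similar) for probes whose subject
# IS enrolled; the first element names the correct gallery entry.
MATED_SEARCHES: List[Tuple[str, Dict[str, float]]] = [
    ("g03", {"g01": .20, "g02": .31, "g03": .90, "g04": .12, "g05": .40,
             "g06": .08, "g07": .25, "g08": .33, "g09": .15, "g10": .22}),  # true id ranks 1st
    ("g07", {"g01": .55, "g02": .60, "g03": .10, "g04": .30, "g05": .52,
             "g06": .20, "g07": .50, "g08": .18, "g09": .35, "g10": .22}),  # ranks 4th
    ("g10", {"g01": .41, "g02": .39, "g03": .44, "g04": .30, "g05": .28,
             "g06": .45, "g07": .47, "g08": .49, "g09": .37, "g10": .43}),  # ranks 5th
    ("g01", {"g01": .70, "g02": .72, "g03": .10, "g04": .30, "g05": .32,
             "g06": .20, "g07": .11, "g08": .18, "g09": .35, "g10": .22}),  # ranks 2nd
]

# Constructed scores for probes whose subject is NOT enrolled; any candidate
# the system returns for these is a lead pointing at the wrong person.
NONMATED_SEARCHES: List[Dict[str, float]] = [
    {"g01": .20, "g02": .31, "g03": .12, "g04": .12, "g05": .40,
     "g06": .08, "g07": .25, "g08": .33, "g09": .15, "g10": .22},  # best .40
    {"g01": .62, "g02": .31, "g03": .12, "g04": .12, "g05": .40,
     "g06": .08, "g07": .25, "g08": .33, "g09": .15, "g10": .22},  # best .62
    {"g01": .20, "g02": .48, "g03": .12, "g04": .12, "g05": .40,
     "g06": .08, "g07": .25, "g08": .33, "g09": .15, "g10": .22},  # best .48
]


def candidate_list(scores: Dict[str, float], k: int) -> List[str]:
    """Top-k gallery ids by descending score: the candidate list an
    investigator sees. Ties are broken by id so results are deterministic."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [gid for gid, _ in ranked[:k]]


def detection_rate(searches, k: int) -> float:
    """Share of mated searches whose true identity is within the top k.
    The text notes this was measured only for k == 50; it is not constant in k."""
    hits = sum(1 for truth, scores in searches if truth in candidate_list(scores, k))
    return hits / len(searches)


def detection_rate_by_k(searches, ks) -> Dict[int, float]:
    """Detection rate for each requested candidate-list size."""
    return {k: detection_rate(searches, k) for k in ks}


def false_positive_rate(searches, k: int, threshold: float) -> float:
    """Share of non-mated searches that return at least one candidate scoring
    at or above the threshold, i.e. searches that name an innocent person.
    A system that always returns k candidates has a rate of 1.0 at threshold 0."""
    fps = sum(
        1 for scores in searches
        if any(scores[g] >= threshold for g in candidate_list(scores, k))
    )
    return fps / len(searches)


if __name__ == "__main__":
    for k, rate in detection_rate_by_k(MATED_SEARCHES, (1, 2, 4, 5, 10)).items():
        print(f"detection rate at k={k:2d}: {rate:.2f}")
    for thr in (0.0, 0.45, 0.60):
        print(f"false positive rate at threshold {thr:.2f}: "
              f"{false_positive_rate(NONMATED_SEARCHES, 10, thr):.2f}")
```

On this data the detection rate falls from 1.0 at k=5 to 0.25 at k=1, which is why a rate measured at one list size says nothing about smaller lists; the false positive rate likewise depends entirely on the score threshold the system applies before returning candidates.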
https://sm.asisonline.org/Pages/No-One-at-the-Wheel.aspx No One at the Wheel (Physical Security)
<p>Jeffrey Zients, director of the U.S. National Economic Council, has some advice for workers who are worn out by their daily car commute: simply take your hands off the wheel and turn your attention to something other than driving. “Your commute becomes restful or productive, instead of frustrating and exhausting,” Zients said at a recent press conference.</p><p>Of course, Zients’ vision assumes that the commuter is in a driverless car—or in industry parlance, a highly automated vehicle (HAV). A few months ago, the development of such driverless cars received a jumpstart from U.S. officials, who released new guidelines for operating the vehicles while promoting the government’s position that American highways will be safer when more cars are machine-driven.</p><p>“Too many people die on our roads—35,200 last year alone—with 94 percent of those the result of human error or choice. Automated vehicles have the potential to save tens of thousands of lives each year,” U.S. President Barack Obama wrote in a Pittsburgh Post-Gazette op-ed article about the new guidelines. “And right now, for too many senior citizens and Americans with disabilities, driving isn’t an option. Automated vehicles could change their lives.”</p><p>Global consulting firm McKinsey & Company has predicted that consumers will begin to adopt driverless cars starting in 2020—and that their popularity will overtake conventional cars by 2050.</p><p>But not everyone shares the government’s rosy view about these developments. In some quarters, security and safety concerns about driverless cars abound. Those who are concerned argue that the cars themselves, and the roads they will drive on, will both be too vulnerable once automated vehicles become more common.
</p><p>Despite these concerns, industry is speeding forward, and carmakers are vying to enter the driverless car market first. Tesla has already sold tens of thousands of cars with a self-driving feature known as Autopilot. The company says it aims to be the first to put a fully driverless car on the road, although it hasn’t set a specific date. </p><p>Both the Ford Motor Company and Nissan have said they plan to release driverless car models within the next five years. Driverless taxis may come sooner. General Motors Company, working with taxi service startup company Lyft, said it plans to start testing a fleet of driverless taxis soon. </p><p>Internationally, the NuTonomy company has said it will provide self-driving taxi services in Singapore by 2018, and expand to 10 cities around the world by 2020. And Nissan expects to release a feature called SuperCruise that will allow for hands-free highway driving. </p><p>Given this frenzy of market activity, Zients and U.S. Secretary of Transportation Anthony Foxx released the new U.S. federal guidelines at a press conference last September. The guidelines represent best practice guidance rather than rulemaking, and they outline the government’s expectations in terms of safety and how the new technologies should be regulated. </p><p>The guidelines are broken up into four main areas. The first part is a 15-point safety standard for the design and development of autonomous vehicles. The second part is guidance for states developing their own driverless car policies. The third consists of information on how current regulations can be applied to driverless cars. The fourth is a discussion of specific new regulatory tools and authorities that transportation officials believe might be needed for proper development of driverless cars.</p><p>The safety standards address questions such as: How will driverless cars react if their technology fails? How will occupants be protected in crashes? 
What measures should be put in place to preserve passenger privacy? </p><p>Also included is guidance on how automakers should approach cybersecurity issues in driverless vehicles. U.S. federal officials encourage carmakers “to design their HAV systems following established best practices for cyber physical vehicle systems.” The guidance calls on manufacturers to use best practice principles published by U.S. agencies and organizations, such as the National Institute for Standards and Technology, the Alliance of Automobile Manufacturers, and the Automotive Information Sharing and Analysis Center.</p><p>“The identification, protection, detection, response, and recovery functions should be used to enable risk management decisions, address risks and threats, and enable quick response to and learning from cybersecurity events,” the guidance reads. </p><p>The guidance adds, however, that “this is an evolving area and more research is necessary before proposing a regulatory standard.” And the view that more research is necessary is shared by many, including those who argue that driverless cars have a long way to go before security and safety concerns are satisfied. </p><p>Cybersecurity is the biggest concern for companies now evaluating risk in the developing driverless car industry, according to a recent survey conducted by Munich Re, the German reinsurance and risk management firm. </p><p>In the study, 55 percent of corporate risk managers surveyed named cybersecurity as their top concern regarding driverless cars. In the cybersecurity category, respondents said they believed the greatest threats were auto theft by an unknown individual hacking into and overtaking vehicle data systems (42 percent) and the failure of smart road infrastructure technologies (36 percent).</p><p>Researchers have demonstrated how a hacker can remotely take over the brakes, engine, or other components of a standard car. 
The attack surface for a driverless car is even larger, experts say, because it contains extra computers, sensors, and more extensive Internet connectivity.</p><p>There are also security and safety concerns regarding the roads that the driverless cars will travel on, says Howard Jennings, managing director of Mobility Lab, a transportation research firm.</p><p>Early testing shows that driverless cars will be able to drive with less space between them compared with conventional cars. But in areas that are meant to be village-type developments with many pedestrians, and with densely packed cars driving down narrow streets, this feature could create safety hazards. “We could have an unintended consequence here,” Jennings says.</p><p>Related to this issue is what some call the Waze effect, named after the community-based traffic application. When suggesting alternate routes, the Waze app sometimes sends many drivers down the same small street, causing logjams on narrow roads. Driverless cars could wind up doing this as well.</p><p>Finally, Jennings says that people make transportation choices based partially on the “hassle factor”—they take public transportation downtown because they think parking will be a problem, for example. If driverless cars make car commuting less stressful and take the hassle out of parking, many people may choose them over public transportation. This could put a huge unanticipated strain on road networks, causing infrastructure safety issues due to overuse.</p><p>More broadly, some fear that these significant concerns are not being addressed quickly enough, given that driverless cars for consumer purchase may be only a few years down the road.</p><p>“It’s no longer a matter of if, but rather when the time will come for the widescale adoption of automated vehicles,” said Munich Re President and CEO Tony Kuczinski when the survey was issued. “The timeline for adoption may be sooner than many realize.”</p>
https://sm.asisonline.org/Pages/Industry-News-February-2017.aspx Industry News February 2017 (Security by Industry)
<h4>CAMPUS SURVEILLANCE</h4><p>Two universities in Utah partnered with Stone Security to upgrade their existing surveillance systems. Utah State University and Salt Lake Community College both had standalone analog systems with few cameras that could be monitored from only one location. Both schools chose to implement open platform, IP-based solutions built with Milestone XProtect VMS and network cameras from Axis Communications. Axis encoders integrate older analog cameras into the system, allowing the schools to continue using them.</p><p>Utah State University has campuses in every county in the state, and nine of those locations are integrated with the Milestone system. Video data is fed to the main campus in Logan, Utah.</p><p>Better video monitoring has improved coordination with campus police, reducing the time for incident response, as well as mitigating theft in the campus bookstores. The video system has also been leveraged to include watching over livestock in an animal science department, so researchers can respond when a birth is imminent, for example. Another innovative way officials are using the video is to prioritize snow removal based on the accumulations seen in the images.</p><h4>PARTNERSHIPS AND DEALS</h4><p>ADT announced a new affiliation with MetLife Auto & Home for small business customers in New Jersey and California.</p><p>Dell EMC chose BlueTalon to deliver data security and governance for the newly announced Dell EMC Analytic Insights Module.</p><p>G4S will deploy ThruVis from Digital Barriers at major events in the United Kingdom.</p><p>Federal Signal Corporation’s Safety and Security Systems Group formed a strategic partnership with Edesix Ltd.
to offer IndiCue products that collect, distribute, and manage video evidence. </p><p>FinalCode, Inc., appointed DNA Connect as its distributor for Australia.</p><p>Genetec and Point Blank announced a direct integration between the IRIS CAM body-worn camera and the Genetec Clearance case management system.</p><p>Hanwha Techwin America formed a partnership with Security-Net Inc., allowing Security-Net’s partners to source the full line of Hanwha Techwin’s surveillance solutions as a gold level dealer.</p><p>ISONAS Inc. selected two new manufacturers’ representatives: Wilens Professional Sales, Inc., in New York and The Tronex Group in Florida.</p><p>Kwikset formed a partnership with Horizon Global to expand its SmartKey security to the automotive accessories industry, including hitches, fifth wheels, ball mounts, bike racks, cargo management products, and more.</p><p>Louroe Electronics signed with Tech Sales & Marketing and expanded its partnership with Thomasson Marketing Group to strengthen its presence across the United States.</p><p>Oceanscan is using iland’s DRaaS with Veeam to reduce incident response time.</p><p>OnSSI integrated its Ocularis 5 Video Management System with Vidsys’s Converged Security and Information Management software. </p><p>OnX Enterprise Solutions and Splunk collaborated on the new OnX Security Intelligence Appliance that implements both the hardware and software needed to combat attackers.</p><p>Open Options partnered with Mercury Security to offer two new bridge technology integrations with Software House iSTAR Pro and Vanderbilt SMS. </p><p>Red Hawk Fire & Security U.S. announced that Affiliated Monitoring will manage central station monitoring for Red Hawk customers. </p><p>SeQent has been accepted into the Schneider Electric/Wonderware Technology Partner program. </p><p>FC TecNrgy will market SFC Energy’s defense and industry portfolio of off-grid power sources to the Indian defense, homeland security, and oil and gas markets. 
</p><p>ZKAccess retained manufacturers’ rep firm ISM Southeast.</p><h4>GOVERNMENT CONTRACTS</h4><p>The U.S. Federal Trade Commission selected AMAG Technology and its Symmetry Homeland Access Control System to secure its Office of the Executive Director.</p><p>Convergint Technologies and BriefCam announced that Austin-Bergstrom International Airport in Texas expanded its use of BriefCam Syndex.</p><p>For the Las Vegas presidential debate, the Las Vegas Metropolitan Police Department deployed a drone detection and counter-drone solution from Dedrone. Dedrone also joined forces with Nassau County Police and Hofstra University to protect the first presidential debate in New York.</p><p>The Payne County Sheriff’s Office in Oklahoma selected Digi Security Systems to design and install a new video system for its jail and courthouse.</p><p>Electronic Control Security, Inc., received an award from prime contractor Hudson Valley EC&M Inc. for an entry control system and support services for the Sullivan County and Eastern Correctional Facilities in New York.</p><p>Exiger was chosen by the University of Cincinnati to act as the independent monitor of its police department.</p><p>Port St. Lucie, Florida, worked with SecurPoint to install a wireless, IP-based video surveillance system from FLIR.</p><p>Johnson Controls announced a Cooperative Research and Development Agreement with the U.S. Department of Homeland Security to help secure critical infrastructure.</p><p>Leidos won a prime contract from U.S. Customs and Border Protection to provide systems administration and maintenance services for x-ray and imaging technology.</p><p>MacDonald, Dettwiler and Associates Ltd.
will provide space-based synthetic aperture radar capabilities for the Canadian Department of National Defence.</p><p>NAPCO Security Technologies, Inc., announced that the San Diego Unified School District will use NAPCO’s Continental Access control system.</p><p>NC4 announced that the Fulton County Police Department in California chose NC4 Street Smart to help fight crime.</p><p>Palo Alto Networks signed a memorandum of collaboration with the Cyber Security Agency of Singapore to exchange ideas, insights, and expertise on cybersecurity.</p><p>Saab announced that its Airport Surface Surveillance Capability is operational for the U.S. Federal Aviation Administration at San Francisco International Airport.</p><p>Salient CRGT, Inc., won a contract from the U.S. Department of Homeland Security Science and Technology Directorate to provide development, integration, and evaluation in support of BorderRITE.</p><p>SDI Presence LLC is a key subcontractor to Saab Sensis in deploying an advanced event management system for Phoenix Sky Harbor International Airport.</p><p>TASER International received an order for 900 TASER X2 Smart Weapons from the Kentucky State Police.</p><p>Unisys Corporation won a contract from U.S. Customs and Border Protection to modernize the agency’s technology for identifying people and vehicles entering and exiting the country.</p><p>Veridos is providing the Republic of Kosovo with ePassports in addition to a solution to personalize the ePassports. Veridos is responsible for data management, as well as service and maintenance for the software and hardware infrastructure.</p><p>Veteran Corps of America will perform contractor logistics support for the Joint United States Forces Korea Portal and Integrated Threat Recognition (JUPITR) system.</p><h4>AWARDS AND CERTIFICATIONS</h4><p>AMAG Technology announced that its Federal Identity, Credential, and Access Management (FICAM)/FIPS 201–compliant solution was approved by the U.S.
General Services Administration.</p><p>Legrand North America achieved Excellence within the Industry Data Exchange Association’s data certification program.</p><p>Middle Atlantic Products secured a patent from the U.S. Patent and Trademark Office for its Essex QAR Series Rack.</p><p>Passport Systems, Inc., received the Security Innovation Award from Massachusetts Port Authority for helping to revitalize the Port of Boston with state-of-the-art detection systems.</p><p>Qognify received Lenel Factory Certification under Lenel’s OpenAccess Alliance Program.</p><p>Safran Identity & Security announced that its Airpass mobile payment solution, with a cryptographic security component, was certified by Visa and Mastercard.</p><p>SecurityScorecard received the Most Promising Company Award for its sophisticated technology and strategic implementation during PricewaterhouseCoopers’ Inaugural Cyber Security Day.</p><p>Tosibox won the Finnish Security Company of the Year award. The Turvallisuus ja Riskienhallinta magazine annual award was presented at the Finnish Security Awards.</p><h4>ANNOUNCEMENTS</h4><p>As part of its product rebranding, 3xLOGIC launched an updated website.</p><p>Aite Group’s report, Biometrics: The Time Has Come, examines biometrics capabilities that are deployed across the globe.</p><p>Allied Universal announced the purchase of FJC Security Services of Floral Park, New York.</p><p>Anixter International Inc. is opening a customized flagship facility in Houston, Texas.</p><p>Illinois Joining Forces, a public-private network of veteran and military service organizations, received a $125,000 grant for veteran outreach from Boeing.</p><p>CGL Electronic Security, Inc., moved its corporate headquarters to Westwood, Massachusetts. The new facility includes a customer training area, demonstration space, warehouse, and testing area.</p><p>CNL Software expanded its U.S.
operations with new regional offices and a demonstration area in Ashburn, Virginia.</p><p>College Choice published its 2016 ranking of the safest large colleges in America.</p><p>The Financial Services Information Sharing and Analysis Center established the Financial Systemic Analysis & Resilience Center to mitigate risk to the U.S. financial system.</p><p>Modern Tools To Achieve Excellence In Video Security is a new white paper from Geutebrück.</p><p>Implant Sciences will sell its explosives trace detection assets to L-3 Communications where they will be integrated into L-3’s Security & Detection Systems Division.</p><p>Milestone Systems is making its XProtect Essential 2016 R3 available as a free download to users worldwide.</p><p>The National Electrical Manufacturers Association published NEMA WD 7-2011 (R2016) Occupancy Motion Sensors Standard.</p><p>Safran Identity & Security opened a location in the Silicon Valley that features an innovation center with a specific focus on digital payment, digital identity, and the Internet of Things.</p><p>Nonprofit SecureTheVillage (STV) launched a weekly news podcast, SecureTheVillage’s Cybersecurity News of the Week, available on the STV website, iTunes, SoundCloud, and other podcast sites. </p><p>SightLogix published a new design guide to assist integrators, architects, and engineers in planning, selecting, and installing video-based security systems. Securing Outdoor Assets with Trusted Alerts offers practical advice about using outdoor video.</p><p>The Smart Card Alliance released a mobile payments workshop video for understanding mobile wallets.</p><p>The Tyco Security Products Cyber Protection Team is offering security advisories on its website. The team generates a security notification about which products might be vulnerable, along with mitigation steps. </p><p>The U.S. 
Office of Management and Budget will create a new privacy office to oversee the development and implementation of new federal privacy policies, strategies, and practices across the federal government.</p>
https://sm.asisonline.org/Pages/The-Road-to-Resilience.aspx The Road to Resilience (Strategic Security)
<p>Of course, 100RC had neither the resources nor staff to partner with 10,000 cities. But organization leaders argued that its 100 member cities could be models for institutionalizing resilience—that is, embedding resilience thinking into all the decisions city leaders make on a day-to-day basis, so that resilience is mainstreamed into the city government's policies and practices. Other cities could then adapt the model to fit their own parameters, and institutionalized resilience would spread throughout the world.</p><p>Toward this aim, 100RC recently released a report that discusses three case studies of institutionalizing resilience in New Orleans, Louisiana; Melbourne, Australia; and Semarang, Indonesia.</p><p>For all cities that 100RC works with, the organization provides funding to hire a new executive, the chief resilience officer (CRO). The group also advocates that member cities take the "10% Resilience Pledge," under which 10 percent of the city's annual budget goes toward resilience-building goals and projects. So far, nearly 30 member cities have taken the pledge, which has focused more than $5 billion toward resilience projects.</p><p>Of the three case study cities, New Orleans may be most known as a jurisdiction that has had to recover from repeated recent disasters, including Hurricanes Katrina and Isaac and the Deepwater Horizon oil spill.
Given these experiences, New Orleans was one of the first cities to release a holistic resilience strategy, which connected resilience practices to almost all sectors of the city, including equity, energy, education, and emergency planning.</p><p>The strategy, Resilient New Orleans, has three underlying goals: strengthen the city's infrastructure, embrace the changing environment instead of resisting it, and create equal opportunities for all residents. </p><p>To better implement the strategy, New Orleans CRO Jeff Hebert was promoted to the level of first deputy mayor, and departments were joined to unite resilience planning with key sectors like water management, energy, transportation, coastal protection, and climate change.</p><p>Once this reconfiguration was complete, the city took several actions. It created the Gentilly Resilience District, which is aimed at reducing flood risk, slowing land subsidence, and encouraging neighborhood revitalization. The resilience district combines various approaches to water and land management to move forward on projects that will make the area more resilient. The city will also train some underemployed residents to work on the projects. </p><p>In addition, New Orleans leaders are developing and implementing new resilience design standards for public works and infrastructure, so that efforts to improve management of storm water and multi-modal transit systems will be included as standard design components.</p><p>Melbourne has its own challenges. Situated on the boundary of a hot inland area and a cool Southern Ocean, it can be subject to severe weather, such as gales, thunderstorms and hail, and large temperature drops. 
Governmentally, it is a "city of cities" made up of 32 local councils from around the region, so critical issues such as transportation, energy, and water systems are managed by various bodies, complicating decision making.</p><p>City leaders created the Resilient Melbourne Delivery Office, which will be hosted by the City of Melbourne for five years, jointly funded by both local and state governments. The office—an interdisciplinary team of at least 12 people, led by the CRO Toby Kent—is responsible for overseeing the delivery of the resilience strategy.</p><p>The strategy has four main goals: empower communities to take active responsibility for their own well-being; create sustainable infrastructure that will also promote social cohesion; provide diverse local employment opportunities to support an adaptable workforce; and ensure support for strong natural assets.</p><p>For Semarang, a coastal city in an archipelago, water is the main focus of sustainability. Factors like a rise in sea levels and coastal erosion have increased the negative impact of floods.</p><p>These impacts can challenge the city in many ways. Thus, for its resilience strategy, Semarang leaders focused on building capacities, including more economic opportunity, disaster risk management, integrated mobility, and sustainable water strategies.</p><p>In Indonesia, like many other Asian countries, the national government sets the goals and parameters for much of the development that takes place at the local level. Thus, Semarang leaders worked with members of the Indonesian Parliament to educate them on the city's existing resilience strategy, and to integrate the city's findings and insights into Indonesia's National Development Plan.</p><p>These coordination efforts bore fruit in the establishment of projects like a bus rapid transit system, which had strong support from the national government. The system has already been implemented in several main corridors and will be expanded. 
It is expected to offer insight and experience in cross-boundary resilience-related travel.</p><p>As 100RC cities look to institutionalize resiliency, the organization is also helping members improve their emergency management programs. The group is partnering with the Intermedix Corporation, which will help some member cities assess their current emergency management programs, and develop a blueprint for addressing gaps in the program and meeting resiliency goals.</p><p>"As new and complex problems and challenges arise, it's becoming more and more important for cities to look outside of their own organizations for the expertise and solutions required to meet and overcome these challenges," says Michael Berkowitz, president of 100RC.</p>
https://sm.asisonline.org/Pages/Trade-Secrets-2.0.aspx Trade Secrets 2.0 (Strategic Security)
<p>The enactment of the Defend Trade Secrets Act (DTSA) of 2016 in the United States creates a new paradigm and is a watershed event in intellectual property law. U.S. President Barack Obama signed the bill into law on May 11, 2016, and the DTSA now applies to any misappropriation that occurred on or after that date.</p><p>A trade secret is any technical or nontechnical information that can be used in the operation of a business or other enterprise and that is sufficiently valuable and secret to afford an actual or potential economic advantage over others.</p><p>The law allows trade secret owners to file a civil action in a U.S. district court for trade secret misappropriation related to a product or service in interstate or foreign commerce. The term “owner” is a defined statutory term. It means “the person or entity in whom or in which rightful legal or equitable title to, or license in, the trade secret is reposed,” according to the DTSA.</p><p>Under the DTSA, in extraordinary circumstances, a trade secret owner can apply for and a court may grant an ex parte seizure order (allowing property to be seized, such as a computer that a stolen trade secret might be saved on) to prevent a stolen trade secret from being disseminated.</p><p>With this development in the law, trade secret assets are no longer stepchild intellectual property rights. Trade secret assets are now on the same playing field as patents, copyrights, and trademarks. The DTSA reinforces that a trade secret asset is a property asset by creating this new federal civil cause of action.</p><p>And there is no preemption. The U.S.
district courts have original jurisdiction over a DTSA civil cause of action, which coexists with a private civil cause of action under the Uniform Trade Secrets Act (UTSA). The UTSA—most recently amended in 1985—codified common law standards and remedies for trade secret misappropriation at the state level.</p><p>The DTSA also coexists with criminal prosecutions under the U.S. Economic Espionage Act of 1996 (EEA), which makes it a federal crime to steal or misappropriate commercial trade secrets with the intention to benefit a foreign power.</p><h4>What the DTSA Means</h4><p>A trade secret asset must be managed like other property assets. However, trade secret asset management differs because it first requires the identification of the alleged trade secret asset. Because millions of bits of information within a company can qualify as proprietary trade secrets, it is critical to classify and rank trade secret assets.</p><p>Most companies focus on the protection phase of trade secret asset management without first identifying and classifying their trade secrets. This approach is doomed to fail without a thorough analysis. Unless the company knows what it’s protecting, there can be no effective protection. And all three phases—identification, classification, and protection—must occur before an accurate valuation of trade secret assets can be determined.</p><p><strong>Proof. </strong>Additionally, information assets must be validated in a court of law as statutory trade secret assets. There is no public registry for trade secret assets. The courts require proof of four things: existence, ownership, notice, and access.</p><p>The first element requires proof of existence of the trade secret asset.
The litmus test for proving the existence of a trade secret has six factors: the extent to which the information is known outside the business; the extent to which the information is known inside the business; the extent of measures taken to guard the secrecy of the information; the value of the information to the business and to competitors; the amount of time, effort, and money expended to develop the information; and the ease or difficulty with which the information could be properly acquired or duplicated by others.</p><p>The plaintiff must show that he or she owns the trade secret. A misappropriator cannot be the owner of a trade secret.</p><p>However, a person who independently develops or independently reverse engineers the trade secret can be the owner of the trade secret. By using reverse engineering, an employee who has not been granted intellectual property rights in the trade secret asset may also be the lawful owner—instead of the employer.</p><p>For proof of notice, the plaintiff must show that the defendants had actual, constructive, or implied notice of the alleged trade secret. A former employee may use his or her general knowledge, skills, and experience. However, a former employee may not disclose or use the trade secrets of the former employer. Also, the former employer is prohibited from claiming that “everything we do is a trade secret.”</p><p>The court will take judicial notice that there is both unprotected and protected trade secret information in every company. If the line is unclear, the court will draw the line in favor of the former employee. </p><p>For proof of access, the plaintiff must prove that the defendant had access to the alleged trade secret. If the evidence shows that the defendant never had direct or indirect access to the trade secret, and there is no conspiracy claim, there cannot be misappropriation. 
This is because misappropriation requires proof of unauthorized acquisition, disclosure, or use of the trade secret by the alleged trade secret thief.</p><p><strong>Protection. </strong>The DTSA also requires that the trade secret owner take reasonable measures to protect the secrecy of trade secret assets. This is a much more challenging task today because trade secret assets are no longer at rest in a locked file cabinet in an engineer’s office. Today, trade secrets are in motion and in use via computer systems and networks with access points all over the world.</p><p>Companies must actively monitor the access and movement of critical trade secret assets throughout the corporate enterprise, or risk the serious consequences of forfeiting trade secret assets by failing to take the reasonable efforts necessary to protect these assets.</p><p>The point is illustrated by U.S. v. Lee (U.S. District Court for the Northern District of Illinois, 2009). A 52-year-old senior scientist, David Yen Lee, suddenly resigned from his job at Valspar on March 19, 2009, and bought a one-way ticket to Shanghai, scheduled to leave on March 27.</p><p>One of Lee’s coworkers discovered irregularities in Lee’s work computer. Upon further investigation, an unauthorized program called “Sync Toy” was uncovered in invisible Windows files. It showed that Lee downloaded 44 gigabytes of paint and coating formulas, product and raw material data, sales and cost data, and product development and test information.</p><p>The FBI was informed and brought in to investigate. The bureau raided Lee’s apartment and recovered the stolen trade secret assets before Lee’s flight left for Shanghai. Valspar’s security readiness was directed to protection against outside intrusions. However, there was little security in place to guard against trade secret theft by insiders and trusted employees. 
</p><p>To mitigate against future insider theft, Valspar set up an internal identification and classification system for trade secrets called the CPR (classify, protect, report) model. Valspar now tracks the movement of all critical trade secret assets within the various computer environments with triggers that are activated if unauthorized activities are detected.</p><p>The reasonable measures necessary for the protection of trade secret assets continue to grow as the risk of sensitive data loss increases through various means: unauthorized uploading of trade secret assets to an insecure cloud or Web application; unauthorized email communications disclosing trade secret information; unauthorized copying of highly classified trade secret assets onto USB drives; and undetected incoming malware, phishing emails, and compromised Web software, all of which facilitate foreign economic espionage and theft of corporate trade secret assets.</p><p><strong>Seizures. </strong>Companies cannot take advantage of the DTSA’s powerful seizure provisions unless effective trade secret asset management protocols are in place before the actual or threatened misappropriation occurs.</p><p>First, the owner must demonstrate, in a sworn affidavit or a verified complaint, that an ex parte seizure order is necessary and that a temporary restraining order would be inadequate; second, that immediate and irreparable injury will occur if the seizure is not ordered; and third, that the person against whom the seizure would be ordered has possession of the trade secret and of the property to be seized.</p><p>Once the ex parte seizure order is granted, the court must take custody of and secure the seized property and hold a seizure hearing within seven days. 
A party, or any other person with an interest in the seized material, can also file a motion to have that material encrypted.</p><p>A court can issue an ex parte seizure order, according to the DTSA, “in extraordinary circumstances” to “prevent the propagation or dissemination of the trade secret” or to “preserve evidence.”</p><p>These circumstances exist when a trade secret thief is attempting to flee the country, if he or she is planning to disclose the trade secret to a third party, or if it can be shown that he or she will not comply with court orders. </p><p>The Valspar case is an excellent example of the necessity for ex parte seizure orders. However, the FBI will not always be there, and the window of time to protect against the loss of trade secret assets and destruction of the evidence will often be shorter than the eight-day period in the Valspar case. This is why a DTSA civil cause of action and an ex parte seizure order are so important to protect U.S. trade secret assets.</p><p>The protection of trade secret assets in these circumstances requires emergency actions. Once lost, a trade secret is lost forever. The DTSA requires that the trade secret owner file suit, and provide verified pleadings and affidavits to successfully obtain a DTSA ex parte seizure order before the defendants know the suit has been filed. </p><p>Otherwise, without the element of surprise, the defendants—often with several clicks of a computer mouse—can transfer the trade secrets outside the country and destroy the evidence of trade secret theft by running data and file destruction software.</p><p>Therefore, to take advantage of the robust provisions of the DTSA, the trade secret owner must be able to move faster than the trade secret thief. This will require that companies develop internal trade secret asset management policies, practices, and procedures. </p><p>The DTSA creates a new paradigm. 
If management waits until the trade secret theft occurs to identify what the trade secret is and investigate the evidence of misappropriation, the actual trade secret assets will be long gone before counsel can provide the U.S. district court with the proof necessary to obtain an ex parte seizure order.</p><p>The result: if the losses from the trade secret theft are severe, both the board of directors and senior executives of the company can be charged with malfeasance, including the willful failure to take reasonable measures to protect the corporate trade secret assets from insider theft or foreign economic espionage.</p><h4>DTSA Application</h4><p>What are the next steps in view of the DTSA? Every organization is different. There are no one-size-fits-all solutions. Each trade secret asset manager must audit existing approaches to protecting trade secret assets, the resource allocations within the organization, and any budgeting issues with protecting trade secrets.</p><p>A fundamental first step should be the creation of an internal trade secret control committee (TSCC). The TSCC should be charged with the responsibility to adopt policies and procedures for the identification, classification, protection, and valuation of the company’s trade secret assets.</p><p>The next step should be the creation of an internal trade secret registry (TSR). This is a trade secret asset management system that can be deployed as a cloud-based solution, on a corporate server, or on a standalone workstation. 
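</p><p>The registry’s evidentiary value rests on the hash chaining the next paragraph describes, so here is a minimal version of it as an added example, not the article’s registry or any vendor’s tool. Each entry stores a fingerprint of the asset and the hash of the previous entry, and the entry’s own hash covers both; verification recomputes the whole chain from the first record. The entry fields, the three sample assets and the external anchoring of the chain head are assumptions made for the demonstration.</p>

```python
"""Hash-chained trade secret registry (TSR) entries.

Added example, not the article's registry or any vendor's tool. The entry
fields, the three sample assets and the anchoring step are assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64                       # prev_hash carried by the first entry


def canonical_hash(record: dict) -> str:
    """SHA-256 of a record serialised canonically (sorted keys, no whitespace)."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class TradeSecretRegistry:
    def __init__(self):
        self.entries = []

    def add(self, asset_id, classification, owner, content: bytes, note=""):
        """Append an entry whose hash covers its fields and the previous entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "asset_id": asset_id,
            "classification": classification,
            "owner": owner,
            "content_sha256": hashlib.sha256(content).hexdigest(),  # fingerprint of the asset itself
            "note": note,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=canonical_hash(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def head(self):
        """Hash of the newest entry; record it somewhere the registry admins cannot rewrite."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Recompute the whole chain. Returns (True, None) or (False, first_bad_seq)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (body["seq"] != i or body["prev_hash"] != prev
                    or canonical_hash(body) != entry["entry_hash"]):
                return False, i
            prev = entry["entry_hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)   # internally consistent but truncated or replaced
        return True, None


def rewrite_entry(reg, seq, field, value):
    """Simulate an insider who edits one record and recomputes that record's own hash."""
    entry = reg.entries[seq]
    entry[field] = value
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    entry["entry_hash"] = canonical_hash(body)


def build_sample_registry():
    """Constructed sample data; the asset contents are placeholders."""
    reg = TradeSecretRegistry()
    reg.add("TS-0001", "TRADE_SECRET", "R&D", b"coating formula v7: resin 41%, ...", "formula")
    reg.add("TS-0002", "TRADE_SECRET", "R&D", b"pilot line temperature profile", "process")
    reg.add("TS-0003", "INTERNAL", "Sales", b"Q1 cost sheet", "cost data")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    anchored_head = reg.head()                       # stored outside the registry
    print("intact:", reg.verify())
    reg.entries[1]["classification"] = "INTERNAL"    # silent downgrade of one record
    print("edited field:", reg.verify())
    reg = build_sample_registry()
    rewrite_entry(reg, 1, "classification", "INTERNAL")
    print("edited and rehashed:", reg.verify())
    reg = build_sample_registry()
    reg.entries.pop()                                # newest record deleted
    print("truncated, chain only:", reg.verify())
    print("truncated, anchored head:", reg.verify(expected_head=anchored_head))
```

<p>Two things the demonstration makes explicit. Editing a record is caught at that record; editing it and recomputing its hash is still caught at the next record, which carries the old hash. Deleting the newest entries is not caught by the chain alone, which is why the latest entry hash (the head) has to be kept somewhere the registry’s administrators cannot rewrite, for example with outside counsel or a timestamping service; the anchored check shows the truncation. The chain provides integrity, not confidentiality, so the registry itself still needs access control.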
</p><p>The TSR should operate like a library card catalog storing necessary trade secret asset information, with each entry hash-coded and chained to the one before it (each record carries a cryptographic hash of its own contents and of the previous record’s hash, so that any later alteration, insertion, or reordering of a record breaks the chain and can be detected) to ensure the authenticity of the data stored in the TSR and to meet the required evidentiary standards in a trade secret misappropriation lawsuit. This chaining provides integrity and tamper evidence, not confidentiality; the registry’s contents still need their own access controls.</p><p>Another necessary step is trade secret asset classification, the foundation of a successful trade secret asset management program. Asset classification allows trade secret assets to be identified and ranked, so that the level of security matches the level of importance of the trade secret asset. There are now automated trade secret asset management tools available to assist companies with the classification and ranking of trade secret assets.</p><p>Security, without identification and classification, is doomed to fail. In contrast, securing data after identification and classification of the trade secret assets makes it much easier for the internal security ecosystem to enforce trade secret protection policies and to prohibit unauthorized access, disclosure, or use.</p><p>Today, software tools can protect the company from mistakes that lead to the forfeiture of classified trade secret assets. If a user attempts to email a trade secret document to unauthorized recipients, the software program will immediately alert the user so the mistake can be corrected. Further, classified trade secret assets can be monitored. Administrators can track abnormal or risky behavior that otherwise cannot be tracked until the trade secret is compromised.</p><p>Developing a trade secret incident response plan (TSIRP) is another critical requirement. 
The flow of trade secret assets throughout the corporate enterprise should be tracked with built-in red flags, designed to trigger the TSIRP and notify outside counsel to proceed immediately to the courthouse to seek a DTSA ex parte seizure order before the bad actors can destroy the evidence or transfer the stolen trade secret assets outside the court’s jurisdiction.​</p><h4>Employee Management</h4><p>There are other best practices for trade secret assets now that companies are focusing on the various stages of identification, classification, protection, and valuation.</p><p>Building a trade secret culture from the top down, with required training and compliance with TSCC policies, practices, and procedures, is at the top of the list. Companies must promote a trade secret culture by prompting employees and users to stop, think, and consider the business value of proprietary, internal information they are creating, handling, and reviewing.</p><p>The new employee hiring process should include an investigation and certification by the new employee that no proprietary trade secret information of any previous employer is being brought to the company or is being stored electronically in his or her personal email system or other electronic storage locations.</p><p>The prospective new employee should sign an employment agreement with patent and trade secret assignment provisions. He or she should also receive and review the company’s required trade secret policies and procedures.</p><p>When an employee leaves the company, off-boarding procedures should include a mandatory trade secret exit interview. The interview should be conducted under strict procedures adopted by the TSCC, including execution of a trade secret acknowledgement at the conclusion of the interview certifying that all company devices, documents, and materials, including electronic copies, paper copies, and physical embodiments have been returned. 
It should also certify that all proprietary and confidential information, stored on any personal computer or mobile device, has been identified and preserved, returned, or deleted under the company’s instructions.</p><p>The enactment of the DTSA will usher in a new era. It requires trade secret owners to identify, classify, and protect trade secret assets as property assets. In time, the DTSA will become a precursor for new accounting systems that will provide valuations for trade secret property assets.</p><p>--<br></p><p><em><strong>R. Mark Halligan</strong>, partner at FisherBroyles LLP, is recognized as one of the leading lawyers in trade secrets litigation in the United States by Legal 500 and Chambers USA: America’s Leading Lawyers for Business. He is also the lead author of the Defend Trade Secrets Act of 2016 Handbook and coauthor of Trade Secret Asset Management 2016: A Guide to Information Asset Management Including the Defend Trade Secrets Act of 2016.</em></p>
<p><strong>Supply Chain Strategies</strong> (Physical Security), https://sm.asisonline.org/Pages/Supply-Chain-Strategies.aspx</p><p>Take almost any product you have purchased in a store or used at home or work in the last week. Chances are, that object moved thousands of miles from where it was originally manufactured to the place where it was ultimately purchased or delivered to you. Organizations have intricate supply chain networks that are constantly moving every day around the world, and having an efficient supply chain security program ensures that movement of goods is not interrupted or compromised. </p><p>Security professionals must take a detailed look at the vendors who supply their assets and understand how those goods will be handled and ultimately implemented into their company’s operations or services. Following is a look at how a children’s hospital in Alabama applied supply chain security best practices to weather an unexpected storm, as well as provide for day-to-day operations. In addition, supply chain experts discuss lessons learned from their own experience of conducting risk assessments, following standards, and vetting suppliers and transporters to better protect company property. </p><h4>Alabama Children’s</h4><p>When a snowstorm hit Birmingham, Alabama, on January 28, 2014, the city was caught unawares. The snowfall, which quickly turned to ice, left thousands stranded on highways or in their offices. Children were stuck at school, their parents unable to pick them up. The event became known as “Snowpocalypse,” and news service AL.com called it “the winter storm that brought Birmingham to its knees.” </p><p>Hospitals were affected by the storm as well, including Children’s of Alabama. 
The pediatric center encountered vulnerabilities in its supply chain during that event that it hadn’t previously considered, says Dennis Blass, CPP, PSP, director of safety and security at the hospital. </p><p><strong>Lessons learned. </strong>Every year the hospital conducts a hazards vulnerability assessment for its supply chain to find out where it can improve safety and security. “Once you identify your hazards and your vulnerabilities–the things that are dangerous to you or the things that you’re weak in–then you start peeling those back,” he says. “If we identify hazards that we need to correct, then we probably are going to create a management plan to correct those issues.” </p><p>Many displaced people in the community turned to the hospital for shelter when they had nowhere else to go. “We have a very prominent position in the Birmingham skyline, so if things look bad, the hospital looks like a place to go and get help–as it is,” Blass says. There were also clinic patients who had come to the hospital that morning for a routine checkup, planning to leave; many of them were stuck because of the snowstorm, which began around 10:30 a.m. local time.</p><p>Instead of being filled to the normal capacity of 300 people—the number of beds in the hospital—there were roughly 600 people who spent about 48 hours at the facility to ride out the storm.</p><p>The number of people at the hospital exposed one unforeseen vulnerability—obtaining clean linens from its supplier, which is separated from the hospital by a chain of mountains. “The supplier can wash the linens, but they can’t deliver them to us…we ended up making it, but that was a close call,” says Blass.</p><p>“We could handle supplies for patients, but we had a lot of people who just came to the hospital because it was a warm place to be,” according to Blass. “That had impacts on the amount of food that got consumed, and it had impacts on the amount of linens we went through. 
Just things that people need, supplies like toilet paper, things you don’t think a lot of.” </p><p>For those who weren’t patients, the hospital served smaller meals than normal; “sandwiches and soup, as opposed to meat and potatoes,” Blass says, to stretch resources. </p><p>The main drug supplier for the hospital is located in the same region, so obtaining critical medicine was not a concern during the storm. The hospital also has plenty of diesel fuel tanks, and can go for days without restocking. Only the insufficient linens, which must be sent off to a facility for proper sanitation before being returned to the hospital, turned out to be an issue.</p><p>“We did an after-action report on that experience, so we…put it in our emergency management plans for the future,” he notes.</p><p>The hospital’s emergency plans help ease any supply chain shortages. The institution follows the hospital incident command system (HICS), which assigns temporary duties to leadership during an emergency. For example, during the snowstorm the chief operating officer of the hospital assumed the role of incident commander, and an information officer was assigned to keep the community informed of hospital activities; the plan also incorporates a medical officer, logistics chief, and planning chief. </p><p>During the incident, this system helped ensure proper patient care and as few gaps in the supply chain as possible. “Food was getting tight,” Blass says, and the food warehouses are not located near the hospital. “Because of the command structure, leadership can say, ‘okay you have a company credit card, we’ll contact the bank and raise your limit from $500 to $5,000 or whatever you need.’”</p><p>The Joint Commission, the U.S. body that certifies and accredits healthcare organizations, requires that hospitals have a group with representatives from various divisions that evaluates the standard of care they are providing to patients. 
Alabama Children’s has an environment of care committee that meets once a month to complete this requirement. “Our environment of care committee looks at things like safety, security, and resource management,” says Blass. “We have to meet the Joint Commission’s standard, and it surveys us every three years.” </p><p>Representatives on the team at Alabama Children’s include staff from the pharmacy, medical team, facilities, human resources, dining services, and more. This team ensures that there aren’t any gaps in the supply chain that would interrupt the hospital’s daily operations. As a rule, Blass says that having enough supplies for 96 hours will allow the facility to continue operating smoothly and efficiently. This includes a variety of items that the environment of care team must carefully think through and document. “You’re talking about water, fuel, basic sanitary supplies, and then you start talking about medicine and those things necessary for a hospital to run,” he says. </p><p>And there can be more than one type of each supply, a detail that, if overlooked, could mean life or death. “We have pumps that pump air, we have pumps that pump blood, we have pumps that pump saline, we have pumps that do many different things. You have to have all the things needed to make those supplies work for 96 hours,” he notes. </p><p>Keeping track of inventory is critical to determine whether the hospital has a sufficient supply of each item. Blass says that the hospital is moving toward a perpetual inventory system, where a new item is ordered as soon as one is pulled off the shelf. </p><p>There is a downside to stocking too many items, which is why it’s a delicate balance between having 96 hours’ worth of supplies and more than enough. “Space is expensive. And if you want to have enough water for four days, how much water is that? Where do you put it? 
How do you keep it fresh?” He adds that the hospital must be thoughtful in its policies and procedures on maintaining its inventory to avoid any issues.</p><p>Thankfully, Blass notes, the 2014 snowstorm only lasted 48 hours. “The size of the surge exceeded our plan, but the length of the surge was shorter than our plans, so it all worked out,” he says. </p><p>And not every element of securing the supply chain is tangible; the information and communication pieces are also critical. “Every day we’re getting blood supplies in, and other kinds of materials that must be treated very carefully,” he says. Special instructions need to be followed in many cases. For example, there may be medicine that must be stored at a precise temperature until 30 minutes before it’s dispensed. That information must be communicated from the pharmacist to the supplier, and sometimes to security, who can give special access to the supplier when it delivers the drugs. </p><p>Blass is a member of the ASIS International Supply Chain and Transportation Security Council. He helped develop an American National Standards Institute (ANSI)/ASIS standard for supply chain security, Supply Chain Risk Management: A Compilation of Best Practices Standard (SCRM), which was released in July 2014. The standard provides supply chain security guidelines for companies, and has illustrations of what exemplary supply chain models look like.</p><p><strong>Best practices.</strong> Marc Siegel, former chair of the ASIS Global Standards Initiative, also participated in the creation of the ANSI/ASIS standard, which provides explanations of how to look at managing risk in the supply chain. “It’s based on the experiences of companies that have very sophisticated supply chain operations,” he tells Security Management. 
“The companies that put it together were really looking at having a document that they could give to their suppliers, to help them look at themselves and think of things that they should be doing and preparing for.” </p><p>Siegel is now director of security and resilience projects for the homeland security graduate program at San Diego State University. He promotes supply chain mapping, which takes a risk management–based approach to supply chain security. “Traditionally, a lot of security people have looked at supply chain as logistics security,” he says, “whereas companies with major supply chain considerations have been moving more into an enterprise risk management perspective.” These organizations take an across-the-board look at risks that could create a disruption in the supply chain, asking themselves what the specific things are that could interrupt or prevent them from manufacturing or delivering their product. </p><p>Siegel says there is a disproportionate focus on bad actors and intentional acts as threats to the supply chain, when more often it’s a natural disaster or accident that causes the most significant disruptions. “The broader risk management perspective is also looking at, ‘Is there a potential for a storm, is there a potential for political disorder, or instability in a region, that can cause a delay in processing?’” Only then, he says, are companies efficiently mapping out all the factors that could introduce uncertainty.</p><p>Maintaining a broader perspective will keep organizations from fixating on two of the most common hangups in supply chain security. “You have people who fixate on ‘everything is a threat,’ and you have people who fixate on ‘everything is a vulnerability,’ and if you only fixate on those two things you’re going to miss a lot of stuff,” Siegel says.</p><p>Blass agrees. 
“When we start that annual hazards vulnerability assessment, I’m going to look through the standard and notes I’ve written myself to make sure I’ve got everything covered,” he notes. “You can never rest and say, ‘well, we’re safe and secure and we don’t have to do anything else,’ because the threats keep changing.”</p><p>--</p><h4>Sidebar: Assess Risk</h4><div>For the corporation that produces the F-35 fighter jet and other advanced technologies for the U.S. government, supply chain security is of utmost importance. “The threats that we face are universal in nature due to the size and the complexity of our supply chain,” says Vicki Nichols, supply chain security lead for Lockheed Martin’s Aeronautics business. </div><div><br> </div><div>Lockheed Martin Aeronautics assesses the supply chain in a number of categories, but Nichols works most closely with cargo security. “The threats there are cargo disruption, unmanifested cargo, and anti-Western terrorism,” she notes. </div><div><br> </div><div>The division conducts a risk assessment of its international suppliers. “We look at what type of products they provide us and how vulnerable that product is to manipulation or intellectual property theft, and we look at country risk,” she says. </div><div><br> </div><div>The company sends a questionnaire to its suppliers, and comes up with an overall score for each of them based on 10 criteria, including country risk and transportation mode. In many cases, it also sends field personnel to evaluate the supplier’s facility. “If we know we have eyes and ears going in and out of the facility, and those people are trained to recognize red flags, then we know we have a lower threat because of our presence,” she says. </div><div><br> </div><div>After one such site check at a facility in Italy, Lockheed Martin Aeronautics determined that the use of technology was warranted to further enhance security. 
“The concern was that the area was known for introduction of unmanifested cargo—weapons, cargo disruption,” she notes. “We began to look at tamper-evident technologies, and track-and-trace devices that would allow us to know if someone had opened or tampered with the freight.”  </div><div><br> </div><div>Lockheed Martin has a corporate supply chain security council that meets at least once a month to provide updates and discuss any issues that arise. Representatives from the company include human resources, personnel security, physical security, and counterintelligence. Stakeholders from major partner organizations are also invited to participate.</div><div><br> </div><div>Lockheed Martin Aeronautics also works closely with law enforcement and federal intelligence sources who disseminate relevant information to the company. “We subscribe to some intelligence data that is cargo-specific, so we issue a spotlight report about three times a week just to keep people engaged and aware of the threats in the supply chain,” she notes. </div><div><br> </div><div>Supplier engagement is also critical, Nichols says, so the company stays in touch with about 120 suppliers internationally. </div><div><br> </div><div>Sometime in 2017, Lockheed Martin Aeronautics plans to purchase a software management tool that will release supplier questionnaires in the native language for countries it does business with. It will tap existing resources such as “Supplier Wire” to offer training to the supply base. “This will be another evolution on how we can engage, rather than just sending them to a website,” Nichols says. 
“I think it’s important for our supply base to see how seriously we take security, so they will take it seriously as well.”</div><div><br> </div><h4>Sidebar: Consult Standards</h4><p>Laura Hains, CPP, operations manager, supply chain security and consulting at Pinkerton and a member of the ASIS International Supply Chain and Transportation Security Council, says that companies should research whether their partners and suppliers are following major supply chain security protocols, like those put out by ASIS, and others such as the Transported Asset Protection Association (TAPA) standards for trucking companies. “TAPA is one of the big authorities on trucking, so if a company says they are TAPA certified, that to me says that they follow protocol,” she says. </p><p>Other standards include the National Strategy for Global Supply Chain Security, which U.S. President Barack Obama signed in 2012 and which was designed to enhance public-private partnerships. Arthur Arway, CPP, author of Supply Chain Security: A Comprehensive Approach, says the framework seeks to combine input from government and industry on protecting the transport of goods to and from the United States. “I think the government is far more willing to seek out subject matter experts and all the different modes and companies that may transport goods into the United States for their help,” he says. Arway adds the document is relatively recent, and that it could take a while before it is widely adopted. </p><p>Though terrorism is an uncommon threat to the supply chain, it must always be a consideration. Hains gives the example of vehicular attacks. In Nice, France, on July 14, 2016, Tunisia native Mohamed Lahouaiej Bouhlel drove a 19-ton cargo truck into a crowd of Bastille Day festival-goers. That attack killed 86 people and injured more than 400. New York police also warned of possible vehicular terrorism against the 2016 Macy’s Thanksgiving Day Parade. 
“A small company truck—that could be a target,” notes Hains. “So everybody has to think about terrorism because it’s out there.”</p><p>Another standard at the national level seeking to combat terrorism within the supply chain is the U.S. Customs-Trade Partnership Against Terrorism (C-TPAT). The program is voluntary for private industry, but Arway says the national standards as a whole are seeing global adoption.</p><p>“Standards have come a long way in how they’ve been able to incorporate security into the movement of goods,” he notes. “Many countries have accepted these programs into their own supply chain security programs.”</p>
<p><strong>Radioactive Remedies</strong> (National Security), https://sm.asisonline.org/Pages/Radioactive-Remedies.aspx</p><p>In 2013 and 2014, there were 325 reported incidents of lost, missing, or stolen nuclear and radioactive material worldwide. And about 85 percent of those incidents involved non-nuclear radioactive material, which could be used to make dirty bombs, according to the <em>2016 Radiological Security Progress Report</em> by the Nuclear Threat Initiative.</p><p>In recent years, the fear that a terrorist would detonate a dirty bomb, in which conventional explosives disperse radiological material, has outpaced concerns about a full-scale nuclear bomb, because nuclear materials are so heavily regulated. Radiological material, on the other hand, is used in more than 100 countries around the world for research, agriculture, and life-saving medical procedures in hospitals. While a dirty bomb wouldn’t cause destruction on the scale of a nuclear weapon, it would contaminate property, cause fear and panic, and require costly cleanup, in addition to the damage caused by the conventional explosion. This type of bomb is appealing to terrorists because it adds a negative psychological response to the normal destruction of an explosive, according to the U.S. Nuclear Regulatory Commission (NRC). </p><p>The NRC, along with partners in 37 U.S. states, licenses, monitors, tracks, and enforces security regulations for nuclear and radioactive material to protect those who work with the material and the public from potentially harmful exposure. </p><p>A July investigation by the U.S. 
Government Accountability Office (GAO) led the NRC to strengthen its licensing processes after the GAO was able to obtain a license under false pretenses and purchase a dangerous quantity of radioactive materials—for the second time in less than a decade. (See November 2016’s “News and Trends” department for more on this issue.)</p><p>After researchers alerted NRC officials about their investigation, the organization began making corrective actions, including enhanced training, increased scrutiny during site visits, and evaluating license verification.</p><p>This isn’t the first time the NRC has made significant changes to its practices due to a GAO report. In 2012, the watchdog organization focused on radioactive materials in medical facilities—a unique environment because, unlike research facilities, medical facilities are open to the public and don’t have the hardened environment inherent in facilities dedicated to working with high-risk materials.</p><p>Medical facilities use material produced in nuclear reactors to treat cancer and blood diseases. These uses create another unique threat: the materials are often sealed in metal capsules small enough to be portable. “In the hands of terrorists, these sealed sources could be used to produce a simple and crude but potentially dangerous weapon, known as a dirty bomb, by packaging explosives with the radioactive material for dispersal when the bomb goes off,” notes the 2012 report, Additional Actions Needed to Improve Security of Radiological Sources at U.S. Medical Facilities. </p><p>Daniel Yaross, CPP, who sits on the ASIS International Healthcare Security Council, has worked in the healthcare security field for more than 15 years and understands the importance of adhering to NRC regulations to secure nuclear materials. He recalls when the 1,503 U.S. 
hospitals and medical facilities holding nuclear materials had to update their security practices—at times a costly undertaking—to comply with the newly released NRC standards in 2012. </p><p>“Finance could be a hurdle that slows down the progress of providing enhanced security and safety for protective materials,” Yaross tells Security Management.</p><p>Yaross notes that it can be expensive for medical facilities to comply with NRC regulations, especially after the overhaul in 2012, which required biometrics updates and constant monitoring. At the time, the U.S. National Nuclear Security Administration (NNSA) had spent more than $100 million in helping hospitals meet NRC compliance. NNSA has reported that, due to the expense of the upgrades, the 2012 mandate will not be completed until 2025. </p><p>The NRC’s agreements with its U.S. state partners require that states adopt regulations that are compatible with the NRC’s. Hospitals in these states will be visited biannually to make sure they are compliant with the regulations. Based on the most recent NRC regulation updates, licensed medical facilities are required to ensure security when the radioactive material is being transported; secure the material once it is at its designated storage location; maintain records of transfer and disposal of any radioactive material; and conduct physical inventories of the material. </p><p>After the 2012 GAO report, the NRC provided more specific guidance to licensed facilities, including how cameras, alarms, and 24-hour human monitoring should be implemented. The regulations also specify how radioactive material should be transferred, who is allowed to access sensitive machinery, and what type of storage is required.</p><p>“When we look at nuclear compliance, just like anything else in our security world, it’s not just physical security but cybersecurity too—it’s concentric rings of defense,” Yaross says. 
“That’s how we handle security for these nuclear materials: concentric rings to make it harder and harder for someone who does not have the authority to get into that specific area unaccompanied.” </p><p>Those rings of security typically include basic security measures such as perimeter security and access control, as well as more specific measures such as round-the-clock surveillance of the radioactive material and a dedicated radiation safety officer, all of which are dictated by the NRC. </p><p>While most nuclear materials in hospitals are hidden in plain sight—as small masses of radioactive material buried in large, complicated machines—Yaross says the main goal is to reduce unaccompanied access as much as possible. To this end, the insider threat is taken seriously—few people are allowed to access the radioactive materials unaccompanied, which is emphasized in the NRC regulations. Those allowed to have unaccompanied access to sensitive machinery must undergo a full FBI background check going back seven years.</p><p>“A big part of the program is ensuring that the first line of defense, the operational side, is not increasing risk to that material by not vetting our employees that we grant unaccompanied access to,” Yaross explains. “We narrow down the number of people who actually need to gain unaccompanied access into the facility. It includes security and police officers, as well as the lab technicians and the radiation safety officer.”</p><p>Yaross says that while the NRC regulations are generally straightforward and proper compliance looks similar at most medical facilities, it’s still important to have low-profile, highly targeted security systems and processes dedicated to radioactive materials that also mesh with the rest of the hospital’s security standards. </p><p>“Most people don’t even know it’s there, and frankly, most would not have a clue of how to access it, or how to separate the material from the actual piece of equipment,” Yaross explains. 
“Again, we have so many concentric rings of security, it gets harder and harder to get through each layer. That’s not just technology but background and operational procedures, such as how the floor plan is laid out.”</p>
Surveillance is Instrumental (Physical Security)
https://sm.asisonline.org/Pages/Surveillance-is-Instrumental.aspx
<p>Where can you go to see the iconic black suit worn by Johnny Cash, a guitar strummed by Eric Clapton, and instruments from sub-Saharan Africa, all under one roof? The Musical Instrument Museum (MIM) in Phoenix, Arizona, a 200,000-square-foot facility, is home to these and thousands of other legendary and significant instruments from around the world.<br></p><p>The collection is made up of more than 16,000 instruments, 6,000 of which are on display at any given time. Each year, upwards of 220,000 people visit the museum, which also has a 300-seat theater where notable musicians make regular headlines. The museum, which opened in 2010, is an affiliate of the Smithsonian Institution. “We’re constantly updating exhibits, changing things out, telling new stories,” says David Burger, security manager at the facility.</p><p>Securing this wealth of cultural items, as well as keeping the museum’s visitors safe, are top priorities for MIM, Burger says. “Very few of the exhibitions are under glass, so that creates a unique security concern between providing our guests with the world-class experience that we strive for, but also maintaining the safety of the instruments and making sure that everything is here for generations to come,” he says. </p><p>The museum employs contract security officers, in addition to police from the local precinct who act as “boots on the ground” security. “The local police are an invaluable asset to our security operations, both for the visibility and deterrence that they bring, but also their wealth of experience and knowledge,” Burger says. 
</p><p>The security operations center is another vital piece of the puzzle at MIM, where contract officers monitor the approximately 200 cameras that cover the premises, as well as manage alarms and access control, and dispatch help in the case of an incident. “Our video is not just for forensics use, we actually do a lot of training and work with our security operators to be more proactive—live-monitoring the video, identifying issues before they become incidents,” Burger notes. </p><p>A couple of years ago, MIM was in the process of upgrading its existing cameras for increased situational awareness and improved analytics across the entire property. “We reached out to several manufacturers, talked to their local representatives, and found out more about their products,” he says.</p><p>After narrowing it down to a few products, MIM chose Hanwha Techwin America, formerly Samsung, and selected a variety of its camera models. “This was a multiphase project of refreshing all our cameras and getting them up to a certain standard,” says Burger. “Hanwha was selected for this portion of it, which covered all of the main public spaces, employee areas, and building perimeters.” </p><p>Approximately 70 Hanwha cameras were installed, including fisheye and pan-tilt-zoom (PTZ) cameras. For sensitive places, such as loading docks and cash-handling areas, higher megapixel cameras were deployed. Burger says MIM was attracted to Hanwha for several reasons. “The integration the Hanwha cameras had with our Genetec VMS was a big deciding factor,” he notes, explaining that the alarms, motion detection, and other features of the existing video management system are easily tied into the Hanwha cameras. 
There is also “plenty” of storage space on the cameras, he adds, allowing for additional analytics or other processes to be run on the edge.</p><p>The installation began in early 2015 and was completed in March 2016. With the Hanwha cameras, MIM can set video analytics to detect motion and set off alarms if appropriate. With facial detection, the analytics can differentiate a human from other moving objects like debris and small animals that would not necessarily warrant the triggering of an alarm. If the system detects unwanted motion or people, an alarm goes off in the control center to alert operators to pay attention to the monitor showing that camera. “It’s an improved efficiency, being able to automate those features so the operator isn’t constrained with watching hundreds of cameras at once, and having to make all of those decisions himself,” Burger says.  </p><p>When an incident occurs that requires dispatch, control room operators notify the police at the main security desk in the front lobby. Those officers have a few monitors at their station for viewing any relevant video, as well as smartphones to receive images or video in the field. </p><p>Burger notes that, thankfully, no notable security incidents have occurred at the museum since installing the cameras. However, the day-to-day issues are easily resolved thanks to the cameras and ease of reviewing video on the Genetec VMS. “A common scenario is locating lost family members, and we’re able to pretty quickly backtrack and do some forensic searches [with the video],” he says. </p><p>Locating lost bags or spotting unattended packages is another routine event, as well as dealing with visitors’ slips, trips, and falls. “We can identify cases where somebody says things happened a certain way, and we were able to find that it wasn’t exactly the case,” notes Burger. 
On average, MIM keeps the video for 30 days before overwriting it, unless an incident warrants holding onto the footage longer.</p><p>Eventually, Burger says, MIM will integrate access control with video as well, so that alerts and alarms for doors can be tied to the appropriate cameras. </p><p>“The cameras have really increased our situational awareness, reducing potential blind spots or areas where there could have been a gap before,” he says.</p><p>--<br></p><p>For more information: Tom Cook, tom.cook@hanwha.com, www.hanwhasecurity.com, 201.325.2623</p>
Rise of the IoT Botnets (Cybersecurity)
https://sm.asisonline.org/Pages/Rise-of-the-IoT-Botnets.aspx
<p>There are many doomsday cyber scenarios that keep security professionals awake at night. Vint Cerf, one of the fathers of the Internet and current vice president and chief Internet evangelist for Google, speaking at an event in Washington, D.C., in 2015, shared his: waking up to the headline that 1,000 smart refrigerators were used to conduct a distributed denial of service (DDoS) attack to take down a critical piece of U.S. infrastructure.</p><p>Cerf’s nightmare scenario hasn’t happened, yet. But in 2016 thousands of compromised surveillance cameras and DVRs were used in a DDoS attack against Domain Name System (DNS) provider Dyn to take down major websites on the East Coast of the United States. It was a massive Internet outage and, for many, a true wake-up call.</p><p>At approximately 7:00 a.m. on October 21, Dyn was hit by a DDoS attack, and it quickly became clear that this attack was different from the DDoS attacks the company had seen before. </p><p>It was targeting all of Dyn’s 18 data centers throughout the world, disrupting tens of millions of Internet Protocol (IP) addresses, and resulting in outages to millions of brand-name Internet services, including Twitter, Amazon, Spotify, and Netflix.</p><p>Two hours later, Dyn’s Network Operations Center (NOC) team mitigated the attack and restored service to its customers. </p><p>“Unfortunately, during that time, Internet users directed to Dyn servers on the East Coast of the United States were unable to reach some of our customers’ sites, including some of the marquee brands of the Internet,” Dyn Chief Strategy Officer Kyle York wrote in a statement for the company. </p><p>A second attack then hit Dyn several hours later. 
Dyn mitigated the attack in just over an hour, and some customers experienced extended latency delays during that time. A third wave of attacks hit Dyn, but it successfully mitigated the attack without affecting customers.</p><p>“Dyn’s operations and security teams initiated our mitigation and customer communications process through our incident management system,” York explained. “We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like this.”</p><p>The attacks caused lost revenue and sales estimated at up to $110 million, according to a letter U.S. Representative Bennie G. Thompson (D-MS) sent to former U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson.</p><p>“While DDoS attacks are not uncommon, these attacks were unprecedented not only insofar as they appear to have been executed through malware exploiting tens of thousands of Internet of Things (IoT) devices, but also because they were carried out against a firm that provides services that, by all accounts, are essential to the operation of the Internet,” the letter explained.</p><p>These devices were part of the Mirai botnet, which is made up of at least 500,000 IoT devices, including DVRs and surveillance cameras, that are known to be in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain, among other nations.</p><p>The botnet, which was created in 2016, has been used to conduct high-profile, high-impact DDoS attacks, including the attack on security researcher Brian Krebs’ website, Krebs on Security—one of the largest DDoS attacks known to date. 
</p><p>“Mirai serves as the basis of an ongoing DDoS-for-hire…service, which allows attackers to launch DDoS attacks against the targets of their choice in exchange for monetary compensation, generally in the form of Bitcoin payments,” according to Arbor Networks’s Security Engineering and Response Team (ASERT) threat intelligence report on Mirai. “While the original Mirai botnet is still in active use as of this writing, multiple threat actors have been observed customizing and improving the attack capabilities of the original botnet code, and additional Mirai-based DDoS botnets have been observed in the wild.”</p><p>This is because shortly after the Dyn attack, Mirai’s source code was published on the Internet, and “everyone and their dog tried to get their hands on it and run it in some form or another,” says Javvad Malik, a security advocate at AlienVault, a cybersecurity management provider.</p><p>Mirai is “out there and the problem is, there isn’t any easy mitigation against it,” Malik explains. “A camera or a webcam, there’s no real, easy way to patch it or update it, or there’s no non-technical way your average user could patch it. And most users aren’t even aware that their device was part of the attack.”</p><p>There are more than 25 billion connected devices in use worldwide now, and that amount is expected to increase to 50 billion by 2020 as consumer goods companies, auto manufacturers, healthcare providers, and other businesses invest in IoT devices, according to the U.S. Federal Trade Commission.</p><p>But many of the devices already on the market are not designed with security in mind. Many do not allow consumers to change default passwords on the devices or patch them to prevent vulnerabilities.</p><p>The Mirai botnet—and others like it—take advantage of these insecurities in IoT devices. Mirai constantly scans devices for vulnerabilities and then introduces malware to compromise them. 
Once compromised, those devices scan others and the cycle continues. These devices can then be used by an attacker to launch DDoS attacks, like the one on Dyn.</p><p>Some manufacturers have sought to remedy vulnerabilities in their devices by issuing voluntary recalls when they discover that they’ve been used in a botnet attack. But for many other manufacturers, there’s not enough incentive to address the problem and most consumers are unaware of the issue, says Gary Sockrider, principal security technologist at Arbor Networks.</p><p>“Consumers are largely unaware. Their devices may be compromised and taking part in a botnet, and most consumers are completely oblivious to that,” he explains. “They don’t even know how to go about checking to see if they have a problem, nor do they have a lot of motivation unless it’s affecting their Internet connection.”</p><p>DHS and the U.S. National Institute of Standards and Technology (NIST) both recently released guidance on developing IoT devices and systems with security built in. In fact, NIST accelerated the release of its guidance—Special Publication 800-160—in response to the Dyn attack.</p><p>But some experts say more than guidance is needed. Instead, they say that regulations are needed to require IoT devices to allow default passwords to be changed, to be patchable, and to have support from their manufacturers through a designated end-of-life time period.</p><p>“The market can’t fix this,” said Bruce Schneier, fellow of the Berkman Klein Center at Harvard University, in a congressional hearing on the Dyn attack. “The buyer and seller don’t care…so I argue that government needs to get involved. That this is a market failure. And what I need are some good regulations.”</p><p>However, regulations may not solve the problem. If the United States, for instance, issues regulations, they would apply only to future devices that are made and sold in the United States. 
And regulations can have other impacts, Sockrider cautions.</p><p>“It’s difficult to craft legislation that can foresee potential problems or vulnerabilities,” he explains. “If you make it vague enough, it’s hard to enforce compliance. And if you make it too specific, then it may not have the desired effect.”</p><p>Regulations can also drive up cost and hinder development if they are not designed to foster innovation. “Compliance does not equal security, necessarily,” Sockrider says. “Part of compliance may mean doing things to secure your products and services and networks, but there could always be vulnerabilities that aren’t covered…. You’ve got to be careful that you’re covering beyond just compliance and getting to true security as much as possible.” </p><p>So, what steps should organizations take in the meantime to reduce the risk of their devices being compromised and used to launch attacks on innocent parties?</p><p>If a company already has IoT devices, such as security cameras or access control card readers, in its facilities, the first step is segmentation, says Morey Haber, vice president of technology for security vendor BeyondTrust. </p><p>“Get them off your main network,” he adds. “Keep them on a completely isolated network and control access to them; that’s the best recourse.”</p><p>If the organization can’t do that and it’s in a highly regulated environment, such as a financial firm subject to PCI compliance, it should replace the devices and reinstall them on a segmented network, Haber says.</p><p>Organizations should also change all default user accounts and passwords for IoT devices, Sockrider says. “Disable them if possible. If you can’t, then change them. If you can’t change them, then block them.”</p><p>For organizations that are looking to install IoT devices, Haber says they should plan to install them on a segmented network and ask integrators about the security of the devices. 
</p><p>Sample questions include: Do they maintain a service level agreement for critical vulnerabilities? What is the lifespan of the device? How often will patches be released? </p><p>“And the last thing that becomes even more critical: What is the procedure for updating?” Haber says. “Because if you have to physically go to each one and stick an SD card in with a binary to do the upload, that’s unfeasible if you’re buying thousands of cameras to distribute to your retail stores worldwide. There’s no way of doing that.”</p><p>Organizations should also look at their policies around allowing employees to bring in their own devices to the workplace and allowing them to connect to the network. </p><p>For instance, employers should be wary when an employee who brings in a new toaster connects it to the company Wi-Fi without anyone else’s knowledge. “That type of Shadow IT using IoT devices is where the high risk comes from,” Haber explains. </p><p>And organizations should also look to see what they can do to block inside traffic from their network getting out. </p><p>“Think about it in the reverse; normally we’re trying to keep bad stuff out of our network, but in this case, we want to keep the bad stuff from leaving our network,” Sockrider says. “Because in this case, if an IoT device on your network is compromised, it’s not necessarily trying to attack you, it’s trying to attack someone else and you can be a good citizen by blocking that outbound traffic and preventing it from doing so.”</p><p>While companies can take steps to reduce the likelihood that their devices will be compromised by a botnet and used to attack others, attacks—like the Dyn attack—are likely to continue, Malik says.</p><p>“We’ll probably only see more creative ways of these attacks going forward,” he explains. “At the moment, it’s primarily the webcams and DVRs, but you’re probably going to see different attacks that are more tailored towards specific devices and maybe even a change of tactics. 
Instead of going after Dyn…taking down a smaller competitor.”</p><p>Malik also says he anticipates that cyber criminals will conduct these more creative attacks through purchasing DDoS as a service, a growing industry over the past few years. </p><p>“Some providers are just as good, if not better than, professional legitimate services,” Malik says. “It’s very easy; they offer support. You just go there, you click buy, send the Bitcoins, enter your target, and job done. You don’t even need any technical expertise to do this. It’s very, very convenient.”</p>
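The mitigation advice in the article above (isolate IoT devices on their own segment, then watch for and block traffic leaving that segment, since a compromised camera or DVR is usually attacking someone else) can be turned into a concrete monitoring check. The Python below is an added example, not code from Security Management, Arbor Networks, or BeyondTrust; the 10.50.0.0/24 IoT segment, the allowlisted video and NTP servers, the flow-record format, and the sample records are all constructed for illustration.

```python
"""Egress monitoring for a segmented IoT network (added example).

The article's advice: put cameras, DVRs and card readers on their own
segment, change default credentials, and stop bad traffic from *leaving*
the network, because a compromised device attacks someone else, not you.
This module checks flow records against such a policy.

Constructed assumptions: the IoT segment is 10.50.0.0/24; its devices may
only reach a video server (10.10.0.5, RTSP and HTTPS) and an NTP server
(10.10.0.2); flow records are 'src dst dport proto' text lines.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

IOT_SEGMENT: IPv4Network = ip_network("10.50.0.0/24")   # constructed

# Constructed egress allowlist: (destination, port, protocol).
ALLOWED_EGRESS = {
    ("10.10.0.5", 554, "tcp"),   # video management server, RTSP
    ("10.10.0.5", 443, "tcp"),   # video management server, HTTPS
    ("10.10.0.2", 123, "udp"),   # local NTP
}

# Distinct (destination, port) pairs one device may contact before it is
# treated as probing the network for other devices to compromise.
SCAN_THRESHOLD = 10


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport proto' record; raise ValueError if malformed."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"malformed flow record: {line!r}")
    src, dst, dport, proto = fields
    return Flow(ip_address(src), ip_address(dst), int(dport), proto.lower())


def leaves_iot_segment(flow: Flow) -> bool:
    """True when the source is an IoT device and the destination is not."""
    return flow.src in IOT_SEGMENT and flow.dst not in IOT_SEGMENT


def egress_violations(flows):
    """Flows leaving the IoT segment that the allowlist does not permit.

    In a default-deny design these are exactly the flows the segment's
    firewall should drop; logging them shows which device is reaching out
    and where it is trying to go."""
    return [
        f for f in flows
        if leaves_iot_segment(f)
        and (str(f.dst), f.dport, f.proto) not in ALLOWED_EGRESS
    ]


def scanning_devices(flows, threshold: int = SCAN_THRESHOLD):
    """IoT devices contacting at least `threshold` distinct (dst, port) pairs.

    A camera or DVR normally talks to a handful of fixed servers; fanning
    out to many hosts matches the self-propagation the article describes,
    where a compromised device scans for further devices. Returns {src: n}."""
    targets = defaultdict(set)
    for f in flows:
        if f.src in IOT_SEGMENT:
            targets[f.src].add((f.dst, f.dport))
    return {str(src): len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample flow records, not from any real capture.
SAMPLE_RECORDS = [
    "10.50.0.11 10.10.0.5 554 tcp",     # camera streaming to the video server
    "10.50.0.12 10.10.0.5 554 tcp",
    "10.50.0.12 10.10.0.2 123 udp",     # camera syncing time
    "10.20.0.7 203.0.113.9 443 tcp",    # office LAN host; outside this policy
    "10.50.0.13 203.0.113.7 80 tcp",    # camera reaching an Internet host: violation
] + [f"10.50.0.14 10.50.0.{n} 23 tcp" for n in range(100, 112)]  # DVR probing 12 neighbours


def analyze(records):
    """Run both checks over raw records and return a summary dict."""
    flows = [parse_flow(r) for r in records]
    return {
        "violations": [(str(f.src), str(f.dst), f.dport, f.proto)
                       for f in egress_violations(flows)],
        "scanners": scanning_devices(flows),
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_RECORDS)
    for src, dst, port, proto in summary["violations"]:
        print(f"BLOCK  {src} -> {dst}:{port}/{proto} (not on egress allowlist)")
    for src, count in summary["scanners"].items():
        print(f"ALERT  {src} contacted {count} distinct targets; possible device scanning")
```

The same allowlist is what a default-deny egress rule set on the IoT segment's firewall would encode; the scan check catches the in-segment spread the firewall rule does not see.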
Security 101: What to Expect at the U.S. Presidential Inauguration (National Security)
https://sm.asisonline.org/Pages/Security-101--What-to-Expect-at-the-U.S.-Presidential-Inauguration.aspx
<p>Almost 1 million people are estimated to descend on Washington, D.C., on Friday for the inauguration of U.S. President-elect Donald Trump. Many of those individuals are part of 63 groups planning demonstrations at the inauguration, presenting a unique security challenge for the U.S. federal government, D.C. officials, and other stakeholders.</p><p>“Anytime you have coming together such large numbers of people, such large numbers of groups that intend to demonstrate and exercise their First Amendment rights, you’ve got to be vigilant; you’ve got to plan; you’ve got to prepare,” said U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson in a press conference. <br></p><p>This is why the inauguration was designated as a National Special Security Event (NSSE), allowing federal officials to begin crafting a security plan for the event 180 days before it was to take place. <br></p><p>The U.S. Secret Service led the planning, working with other federal partners, such as the U.S. Department of Defense and the Federal Emergency Management Agency, and local partners such as the Metropolitan Police Department (MPD)—Washington, D.C.’s local police force.</p><p>Given the unique scope of a U.S. presidential inauguration where heads of state and numerous U.S. 
leaders will be in attendance, along with between 700,000 and 900,000 civilians, there will be an enormous security presence in the nation’s capital. <br></p><p>Johnson said that approximately 35,800 security personnel will be involved over the course of inauguration weekend—10,000 DHS personnel, 12,000 other federal personnel, 7,800 National Guard personnel, and 6,000 police officers from MPD and other local police departments.<br></p><p><strong>Security Measures for the Inauguration</strong><br></p><p>On Wednesday at 5 p.m., U.S. Capitol Police will begin <a href="https://www.uscp.gov/media-center/press-releases/2017-presidential-inaugural-capitol-complex-street-closures-parking" target="_blank">closing street access</a> to the Capitol complex and continue closing streets on Thursday at 11 p.m. local time. Street access is expected to resume at 5 p.m. on Friday, and in the meantime the police are encouraging people to walk or take public transportation.<br></p><p>"Inaugural events attendees are encouraged to use public transportation, as many streets in and around the Capitol Grounds and the National Mall will be closed to private automobiles for much of the day," Capitol Police said in a statement. </p><p>Security personnel will establish two different types of perimeters for the event: soft vehicle perimeters, where those who live or work inside the perimeter will be given access, and hard vehicle perimeters, where only official vehicles will be allowed to pass through. The hard vehicle perimeter will also be heavily fortified by trucks and dumpsters, “given the current threat environment,” Johnson added.<br></p><p>The <a href="https://www.wmata.com/rider-guide/events/inauguration/index.cfm#MoreInfo" target="_blank">Washington Metropolitan Area Transit Authority</a> (WMATA) will open at 4 a.m. on Friday and run through midnight. It plans to run at peak service from 4 a.m. until 9 p.m. 
that evening to serve riders, but the Navy Archives, Federal Triangle, Mount Vernon Plaza, Pentagon, and Smithsonian stations will be closed.<br></p><p>Security personnel will have bag checks and 300 magnetometers set up to screen individuals planning on attending the inauguration festivities.<br></p><p>Washington, D.C., is also a <a href="https://www.secretservice.gov/data/press/releases/GPA-01-17-Inauguration-No-Drone-Zone.pdf" target="_blank">no-fly zone</a> for unmanned aircraft (drones), and Johnson said security measures have been taken to ensure that no drones are able to fly within the District during the inauguration weekend. <br></p><p>“Christmas was just a few weeks ago,” Johnson added. “I suspect a lot of people got drones for Christmas…this is something we’ve thought about, we have planned for, and we have technology to deal with it.”<br></p><p>Officials have also issued permits to 99 groups planning to demonstrate on inauguration weekend—63 of which plan to demonstrate on Friday. These permits were issued to help security plan for how it will handle these protesters—such as where protesters will be allowed to demonstrate to ensure that they are not crossing paths with groups that might hold opposing views. <br></p><p>This helps security personnel ensure that opposing groups do not disrupt the festivities, and it helps prevent demonstrations from escalating. Security personnel will also monitor these groups for disruption and to make sure they remain separated, Johnson explained.<br></p><p>There is no specific threat to the inauguration, Johnson said, but security personnel will remain vigilant as the global terrorist environment is very different in 2017 than it was in 2013—the last time an inauguration was held in the United States. 
<br></p><p>Officials have to be concerned about homegrown violent extremism and lone wolves, Johnson explained, along with the “larger picture of general security and general public safety when you have a large public gathering with estimates of 700,000 to 900,000 people in close proximity of each other.”</p><p><strong>Securing Local Businesses</strong><br></p><p>While U.S. federal and local officials will be handling the security of public spaces in and around the inauguration, business owners will be responsible for securing their own facilities throughout the festivities. <br></p><p>One precaution these individuals should take is to map concealment areas in their facilities and regularly conduct routine sweeps of them—particularly the exterior—for weapons of convenience or cached weapons, says Ross Bulla, CPP, PSP, founder and president of The Treadstone Group, Inc., which advises clients on security solutions and best practices for protecting people, property, and information.<br></p><p>This is because a group that might be planning a violent demonstration may try to leave supplies at a local business on a parade route or near the National Mall to access them later. If facility owners find these kinds of items, Bulla says they should contact law enforcement immediately and post security—if possible—in the area where the items were stowed.<br></p><p>Bulla also recommends businesses in the immediate vicinity of the inauguration and its parade route assess their physical security, their food handling and safety, water supplies, electrical systems, and shelter-in-place procedures. 
This is especially critical for hotels, which might require hundreds of people—both guests and staff—to shelter in place should an emergency occur.<br></p><p>“You also may need to determine a way to re-credential people,” Bulla explains. “Guests who’ve left the facility and need to get back inside, you need to be able to quickly identify them as a guest and get them inside, while not allowing non-guests in.”<br></p><p>And for high-rise facilities, Bulla says it’s critical to limit or prevent rooftop access. <br></p><p>“Check door locks and secure windows that face the inauguration and parade route because one of the main or favored activities of protest groups is to get on a roof and unfurl banners or throw objects,” he explains. “Your roofs become focal points. Newspapers see them, and they’re a great place to throw rocks at law enforcement.”<br></p><p><strong>Securing Your Person</strong><br></p><p>Individuals planning to attend the inauguration should <a href="https://www.secretservice.gov/data/press/releases/JIC-01_PressRelease_TransportationPlan-Final_USCP-1-6-17.pdf" target="_blank">review the reference materials</a> provided by officials on prohibited items, which include animals other than service or guide animals, oversized backpacks and bags (exceeding 18” by 13” by 7”), coolers, mace, selfie sticks, bicycles, and more.<br></p><p>While small bags and purses will be allowed in secure areas, Bulla recommends individuals planning to attend the inauguration try not to carry a bag at all, as it will slow them down going through security screenings. <br></p><p>“If you go to an officially sanctioned event or any unsanctioned or related event, there will be security screening in place,” Bulla says. 
“Don’t carry an oversized camera, don’t carry an oversized purse—or even carry one…just pack lightly, or nothing more than your wallet if possible.”<br></p><p>Those traveling to Washington, D.C., for inauguration festivities can also sign up for free emergency text alerts and notifications by texting the word “INAUG” to 888777, according to the Secret Service.<br></p><p>Bulla also suggests that anyone attending with a group agree on a muster point in advance, in case an emergency forces a quick evacuation.<br></p><p>“It’s one thing to evacuate quickly and protect yourself if there is an incident,” Bulla says. “It’s entirely different to be one of 100,000 people running. You’re not going to be able to stay with your husband, your wife, your children.”<br></p><p>Instead of attempting to stay with your party, Bulla says you should plan to run with the crowd and exit the area as quickly as possible. Then, when you’re away from danger, head to the muster point you agreed on beforehand, such as a hotel lobby.<br></p><p>“One of the primary reasons that people are injured or killed is because they panic and don’t have an escape route,” he adds. “Just always know and be aware of your surroundings, and where you’d go if something happened.”<br></p><p>For more on inauguration security, listen to a special edition of the <a href="https://soundcloud.com/security-management/special-edition-us-presidential-inauguration-security"><em>Security Management </em>podcast</a> with a former U.S. Secret Service agent.<br></p>
Gunman Opens Fire at Fort Lauderdale Airport; Authorities Say Multiple Dead (National Security)
https://sm.asisonline.org/Pages/Gunman-Opens-Fire-at-Fort-Lauderdale-Airport;-Authorities-Say-Multiple-Dead.aspx
<p>A gunman opened fire at a Fort Lauderdale, Florida, airport, killing five and wounding at least eight people in a shooting Friday afternoon, authorities said.</p><p>The Broward County Sheriff's Department confirmed on Twitter that it had a subject in custody, but had not released any further information about the individual.</p><p>The department received a call at 12:55 p.m. local time that shots were fired at Fort Lauderdale-Hollywood International Airport near the baggage claim for Terminal 2—the baggage claim used by Delta Air Lines and Air Canada.<br></p><p>Local authorities responded to the scene, where five people had been killed and eight others were wounded. 
Authorities have not released the names of the victims, as they are continuing to identify them and notify their next of kin.</p><p>In a press conference, Broward County Sheriff Scott Israel said the suspected gunman surrendered to a sheriff's deputy and was taken into custody without incident.</p><p>The suspect—whose identity was not released or confirmed by Israel—is being interrogated by local law enforcement and members of the FBI Miami field office.</p><p>Israel also declined to answer questions about whether the gunman was on a flight that arrived at the airport, or if he had entered the baggage claim area from outside the airport.</p><p><a href="http://www.cnn.com/2017/01/06/us/fort-lauderdale-airport-incident/index.html" target="_blank">CNN spoke to Broward County Mayor Barbara Sharief,</a> who said the terminal was an active crime scene. The gunman was a “lone shooter,” Sharief said, “and we have no evidence at this time that he was acting with anyone else.”</p><p>Reports on social media showed the airport evacuating individuals in response to the gunfire. The airport has temporarily suspended all services and is encouraging travelers to contact their air carriers about their flight information.</p><p>SWAT teams are currently clearing the entire airport, and Israel said that the airport will not reopen until they give the all clear that the scene is secure.</p><p>"My concern right now is with the citizens of Broward County," Israel said. 
"And until myself and the director [of the airport] believe this airport is a safe place and people can move about, it won't be open."</p><p>Fort Lauderdale-Hollywood International Airport (FLL) forms an airport system with North Perry Airport (HWO) and serves roughly 26.9 million passengers in south Florida, with more than 73,000 travelers passing through its four terminals every day.</p><p>“FLL is ranked 21st in the United States in total passenger traffic and 13th in domestic origin and destination passengers,” according to <a href="http://www.broward.org/Airport/About/Pages/Default.aspx" target="_blank">FLL’s website</a>. “There are more than 325 departure and 325 arrival flights a day.”</p>
<p><a href="https://sm.asisonline.org/Pages/World-Water-Woes.aspx">World Water Woes</a> (Strategic Security)</p><p>“Our most basic common link is that we all inhabit this small planet. We all breathe the same air. We all cherish our children’s future. And we are all mortal.” U.S. President John F. Kennedy’s 1963 commencement speech, titled “A Strategy of Peace,” foreshadowed the vulnerability of nonrenewable resources around the world today.</p><p>Human beings require approximately 50 liters (about 13 gallons) of fresh water per day. But in North America, the average citizen uses more than 300 liters (almost 80 gallons) of fresh water every day, more than twice the world average. At least 75 percent of the water consumed in North America has been acquired, transported, treated, and distributed through municipal or regional water treatment systems, at a significant cost.</p><p>Water treatment systems in North America are vital—and make tempting targets for terrorists. Between 1994 and 2014, 138 attacks targeting food and water supplies were recorded in the Global Terrorism Database maintained by the University of Maryland. As a vital asset and symbol of democratic societies, water is and will continue to be considered a high-value target for terrorists.</p><p>More evidence of threats to these critical systems can be found in the water conflict chronology list, compiled by the Pacific Institute in the United States.</p><p>In 2014, three men in the U.S. state of Georgia were arrested for planning to attack water treatment plants, power grids, and other infrastructure. And, in 2011, a hacker targeted a water plant in Houston, Texas, following earlier news of an electronic attack on an Illinois water plant. 
The breach occurred after the attacker hacked into supervisory control and data acquisition software used by the utility.</p><p>The relative scarcity of water around the world may lead to global conflict. In 2012, the U.S. Office of the Director of National Intelligence (ODNI) issued Global Water Security, an assessment that concluded that the safety, security, and sustainability of Canada’s water supply may soon become a source of conflicts between nations. </p><p>“Several regions of the world will face major challenges coping with water problems,” according to the report. “Between now and 2040, fresh water availability will not keep up with demand, absent more effective management of water resources. These findings reinforce the view that water is not just a human health issue, not just an economic development or environmental issue, but a peace and security issue.”</p><p>Water rights may also impact the relations between countries, as exemplified by disputes that arose recently when municipalities in the United States began replenishing their aquifers by withdrawing water from the Great Lakes. Canada and the United States not only share the longest unprotected border in the world, but also the Great Lakes—the largest surface freshwater system on earth.  </p><p>The United States and Canada have identified water and wastewater systems as critical infrastructure, and the protection of this infrastructure raises significant challenges, including a less-than-ideal governance model. </p><p>There are no federal standards or agreed-upon practices within the water infrastructure sector to govern readiness, response to security incidents, or recovery in the United States or Canada. By providing the industry with an adequate governance framework, the governments could promote resilience along the entire water supply chain.  
</p><p>Given these governance issues, the aging water infrastructure, dwindling expertise, complex and open systems, and the lack of standards in protection, North America’s vulnerability to potential attacks may be considered high to very high.</p><p>“Although the frequency of warfare, particularly in developed countries, may be decreasing, advances in technology, including increased global mobility and communication, have heightened the threat posed by individuals and small groups, including decentralized terrorist organizations,” according to the 2014 book Drinking Water Security for Engineers, Planners, and Managers by Ravi Jain.</p><p>By assessing and revisiting the security risks associated with water and wastewater, the effectiveness of current layers of protection can be determined by using a standard equation where risk is calculated as the product of the likelihood, the consequences, and the vulnerabilities.</p><h4>Likelihood</h4><p>Many nations are engaged in a war of ideas and values with terrorist organizations that export their concepts to individual citizens. Recent events confirmed that no one is immune to terrorist attacks and that these organizations will go to great lengths to carry out attacks on the most vulnerable contingents of society. Security professionals must learn from past events while building on this knowledge to identify how and where the next attack may occur.</p><p>Conflicts have begun to emerge between nations over water issues in Africa and the Middle East. These isolated events may increase in number as the world population continues to grow. Geopolitical, environmental, and economic factors will contribute to migrations, adding to the size of large metropolitan areas—by 2050, seven out of 10 people will live in cities.</p><p>These changes will spur new pressing demands for water services, which may affect public and national security as well. 
For example, while the likelihood of a terrorist attack in parts of Africa may currently be low, this level could be elevated rapidly based on intelligence gathered by national and international authorities.</p><h4>Consequences</h4><p>Attacks directed at water infrastructure can be categorized as rare events that occur with a low frequency. However, the consequences could be severe. Researchers have attempted to identify and even quantify just what those consequences could be.</p><p>“The potential economic fallout from accidental or deliberate contamination in a water system is significant,” Jain notes in his book. J.W. Porco with the American Water Works Association estimates that “the cost for radiological contamination in a water system serving a population of 10,000 could be as high as $26 billion; for a population of 100,000, the estimated economic impact could be $100 billion.”</p><p>Although biological, chemical, and radiological detection systems protecting water sources are becoming more sophisticated and effective, they can only protect against known forms of attacks and may not fare as well against zero-day vectors. Considering the severe impact that could be generated by such scenarios, the consequences of such attacks can be estimated as very high.</p><h4>Vulnerabilities</h4><p>To identify a nation’s vulnerabilities, officials must start by assessing the governance model to determine how effectively the procedures and the equipment associated with the protection of water and wastewater systems are managed.</p><p>The U.S. governance model provides a significant level of coordination and oversight from the federal government under the leadership of the U.S. Environmental Protection Agency (EPA), supported by the U.S. Department of Homeland Security (DHS).</p><p>The objective of the EPA is to build resilience at drinking and wastewater utilities, notably by providing sector-specific plans including security, which are found on the DHS website. 
It is unclear how the new U.S. administration will approach water infrastructure.</p><p>In Canada, most of the investments and practical management issues are delegated to municipal and regional authorities under distinct provincial and federal legislation. There is not as much coordination or oversight from the central government, which may explain the lack of national standards for water protection.</p><p>The newly elected Liberal government in Canada has pledged to provide provincial and municipal authorities in the country with infrastructure funding in the coming years. This may allow municipal and regional authorities to invest in water and wastewater infrastructure, which in many cases is old and fragile. The aging infrastructure is further compounded by a North American demographic trend in which experienced workers are leaving the workforce in record numbers. It is unknown whether current succession planning and training efforts are sufficient to counter this trend.</p><h4>Managing the Threat</h4><p>Terrorist organizations are determined to exploit weaknesses, either physically or virtually, to create chaos and terror, usually accompanied by a significant impact on national economies. This is their raison d’être, and to remain relevant and to attract more followers, they will continue their attacks.</p><p>Simple and minimal resources on the part of the terrorists are inflicting major damages, whereas the means to prevent and protect against those attacks are both complex and costly, creating an asymmetric conflict. 
It is difficult to determine how much to spend on reducing the risk of attacks on critical infrastructure when measured against other forms of security risks, as well as whether the resources invested in the protection of this infrastructure are delivering the desired outcome.</p><p>As part of a diligent approach, the risk level associated with critical infrastructure must be regularly assessed to prevent accidents and incidents that could put North America’s populations at risk.</p><p>It may be beneficial for Canada and the United States to develop—in collaboration with provincial and state regulators—an all-hazards approach to water security based on existing models, such as the American Water Works Association’s Risk and Resilience Management of Water and Wastewater Systems. Although the countries’ regulations may differ, it may be beneficial to develop measures that could be mutually recognized and accredited by central, provincial, and state governments. To do otherwise may lead to duplication, confusion, and wasted resources.</p><p>Building resilience will also require an increased awareness of the issue on the part of the public. In this regard, Canada should copy and adapt the Water Sentinel project that was launched by the EPA in 2006.</p><p>Considering the cross-jurisdictional situation of watershed management, more regulatory clarity, increased oversight, and audits to build resilient water and wastewater systems are necessary to instill a higher level of accountability and readiness among the various stakeholders.</p><h4>Collaboration</h4><p>Demographic trends for the next 30 years show a significant growth in urban populations in the world, including North America. As the population grows so will the need for food and water, which are intimately intertwined. Along with the continent’s disturbing consumption habits and changing weather patterns, this will further stress fresh water supplies. 
</p><p>The scarcity of fresh water in the future will make this infrastructure even more critical and attractive for terrorist organizations. It will be imperative to respond effectively to unforeseen events, from collaborating across national and organizational boundaries to resuming operations once the threat has been eliminated.</p><p>Collaboration fosters resilience, and actions such as providing stakeholders with standards, training, and common communication and information sharing platforms will help accomplish that.</p><p>--<br></p><p><i><strong>Yves Duguay</strong>, ICD.D (Institute of Corporate Directors, Director), CSSP (Certified Sport Security Professional), is the president of HCI World.</i></p>
<p><a href="https://sm.asisonline.org/Pages/Access-to-Bank-On.aspx">Access to Bank On</a> (Physical Security)</p><p>The intersection of cyber and physical security is a critical consideration for banks with brick-and-mortar buildings that also offer many of their services to customers online. To protect these assets, financial institutions have increased their information technology security spending by 67 percent since 2013, according to a recent survey by PricewaterhouseCoopers.</p><p class="p1">Zions Bancorporation is one such institution that has taken steps to converge its physical and cybersecurity systems to protect its customers and assets, which total approximately $60 billion. One of its affiliates, Nevada State Bank, recently upgraded its access control system to provide enhanced security, as well as convenience, for its workers.</p><p class="p1">To workers at Nevada State Bank, the old system of physical keys and hard locks was both a security concern and a nuisance. For example, an employee was at the park playing with her child when someone broke into her car. Along with the employee’s purse, the robber got away with a physical key to the bank branch where she worked. She made a phone call to corporate security, and the entire building had to be rekeyed that weekend.</p><p class="p1">“To rekey all the locks and replace keys could cost $3,000–or it could be even more costly if it’s a master key that’s lost,” says Bob Shandle, regional security officer for Zions Bancorporation. He adds that when employees lose their keys, “it almost always happens over the weekend,” an inconvenience to the security staff.</p><p class="p1">Replacing physical keys with cards was one of the biggest advantages to upgrading access control at three Nevada State Bank branches, says Shandle, who introduced new security cameras and alarm systems as well. 
“Card access is just a small part of the big picture of what we’re trying to accomplish” in terms of security, he notes. </p><p class="p1">Zions worked with an integrator to find the best choice for an access control platform for the bank. In March 2015, it chose Sielox Pinnacle, the software that serves as the hub for the overall access control system. Sielox 1700 Network Controllers are used to support card readers installed at door locations, including hardwired doors located in the branch’s vault.</p><p class="p1">At the majority of its entryways, the bank first chose Allegion AD-400 wireless locks that integrated with the Sielox system. Because the locks are large and require drilling holes for installation, the AD-400 locks were functional but not ideal. In March 2016, Shandle purchased Schlage NDE locks, which have a smaller form factor and are more affordable. Both Schlage and Allegion are owned by manufacturer Ingersoll Rand, so the microchips inside employee access cards did not change. The cards were simply updated through the Pinnacle software. </p><p class="p1">“The NDE lock requires no special modifications to the door. It goes right on top of where your old lock used to be,” Shandle explains. This is especially useful given the “bandit barriers,” or bulletproof glass walls, that run throughout the branch to protect tellers from potential shooters. With a wired system, “you’d basically have to disassemble the entire door area” for installation, Shandle says. “With the NDE lock I was able to get the mount right on top of that heavy-duty Plexiglas, and it worked really well.” </p><p class="p1">He adds that the locks resulted in a “huge cost savings,” and says the price of the wireless access control system was roughly one-third the cost of a hard-wired one. Commissioning the lock to work with existing cards was also fairly seamless. 
Using a smartphone and tablet app from Allegion that integrates with the Sielox software, administrators create a username and password, and then link the wireless locks to Pinnacle. This enables the chips in the card to work with the control boards in the door readers. “Sielox is the only access controller provider in the market that seamlessly integrates the NDE locks from Allegion, so it really did work out well,” he adds.</p><p class="p1">In addition, someone at the bank is responsible for going through the card access database every day to ensure that it reflects employees who have been terminated, are on temporary leave, or have returned from leave. Changes can be managed within the Sielox Pinnacle online Web portal. Additionally, all actions are recorded and reported on every card, so security personnel can track activity and spot abnormalities in the log files. </p><p class="p1">Vendors who spend an extended period of time at a branch are assigned a bank employee who is responsible for their access card. “That supervisor or person from the bank would have to request the card in writing from us, and then we would issue it on a temporary basis,” he says. The assigned person from the bank is responsible for eventually getting the card back to security. </p><p class="p1">Currently three Nevada State Bank branches have card access throughout the building, as well as the central vault. Eventually Shandle says they hope to implement the system organization-wide. “We are trying to consolidate all of the branches under the Sielox Pinnacle card access system and eliminate the need for employees to carry keys altogether,” he notes. </p><p class="p1">The biggest concern with wireless access control readers is battery life, Shandle says, so Pinnacle has an application that tells security how long until the batteries on individual door readers are exhausted. And there is a small time-delay between putting the card up to the reader and when the door unlocks. 
“When it comes to presenting your credentials, the readers don’t always respond immediately like the hardwired ones do,” he notes.</p><p class="p1">However, these concerns are outweighed by the convenience of the overall system. A key can be disabled within minutes, no longer requiring an expensive and time-consuming rekeying of the building. “It costs about $5, and I can have a key card removed from the system in a number of seconds,” Shandle says. “Even if you lose it on a Friday night, we can have that card disabled, so that the missing fob that grants access to our branch doesn’t work anymore.”</p><p class="p1"><i>For more information: Karen Evans, karen.evans@sielox.com, www.sielox.com, 856.861.4568</i></p>
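The daily routine the article describes for the bank (reconciling the card database against HR status, and reviewing per-card activity logs for abnormalities) can be scripted. The following is an added example, not Zions', Nevada State Bank's or Sielox's own tooling: the HR roster, card database, log line format, door names and business hours are constructed assumptions, not a Pinnacle export format.

```python
"""Daily card-access reconciliation and activity-log review (added example).

Everything below is constructed for illustration: the HR roster, the card
database, the log format "timestamp,card,door,result", the door names and
the business hours are assumptions, not any vendor's real data or API.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed HR roster: employee id -> status ("active", "terminated", "leave").
HR_ROSTER = {
    "E100": "active",
    "E101": "terminated",   # left on Friday; card not yet pulled
    "E102": "leave",        # on temporary leave
    "E103": "active",       # returned from leave this week
}

# Constructed card database: card id -> (employee id, card currently enabled?).
CARD_DB = {
    "C-0001": ("E100", True),
    "C-0002": ("E101", True),    # terminated employee, still enabled
    "C-0003": ("E102", True),    # employee on leave, still enabled
    "C-0004": ("E103", False),   # returned employee, still disabled
    "C-0005": ("E999", True),    # no matching HR record at all
}

# Constructed access log lines (assumed format: timestamp,card,door,result).
ACCESS_LOG = """\
2017-01-06T08:55:10,C-0001,BRANCH-FRONT,granted
2017-01-06T22:41:03,C-0002,BRANCH-FRONT,granted
2017-01-06T22:43:17,C-0002,VAULT,denied
2017-01-06T09:02:45,C-0003,BRANCH-FRONT,granted
2017-01-07T03:15:00,C-0001,VAULT,granted
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed branch hours
SENSITIVE_DOORS = {"VAULT"}                  # assumed door name


def reconcile(hr_roster, card_db):
    """Return {card_id: action} for every card whose state disagrees with HR."""
    actions = {}
    for card, (emp, enabled) in card_db.items():
        status = hr_roster.get(emp)
        if status is None:
            actions[card] = "disable: no HR record"
        elif status in ("terminated", "leave") and enabled:
            actions[card] = f"disable: employee {status}"
        elif status == "active" and not enabled:
            actions[card] = "enable: employee returned"
    return actions


@dataclass
class Event:
    ts: datetime
    card: str
    door: str
    result: str


def parse_log(text):
    """Parse the constructed CSV-style log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, door, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), card, door, result))
    return events


@dataclass
class Finding:
    ts: str
    card: str
    reasons: list


def review_log(events, hr_roster, card_db):
    """Flag events a security officer should look at, with every reason that applies."""
    start, end = BUSINESS_HOURS
    findings = []
    for ev in events:
        reasons = []
        emp, _enabled = card_db.get(ev.card, (None, False))
        status = hr_roster.get(emp, "unknown")
        if status != "active":
            reasons.append(f"cardholder status is {status}")
        if not (start <= ev.ts.time() <= end):
            reasons.append("outside business hours")
        if ev.door in SENSITIVE_DOORS and ev.result == "denied":
            reasons.append("denied at sensitive door")
        if reasons:
            findings.append(Finding(ev.ts.isoformat(), ev.card, reasons))
    return findings


def daily_review(hr_roster=HR_ROSTER, card_db=CARD_DB, log_text=ACCESS_LOG):
    """One day's review: card actions to take, plus log events to investigate."""
    return reconcile(hr_roster, card_db), review_log(parse_log(log_text), hr_roster, card_db)


if __name__ == "__main__":
    actions, findings = daily_review()
    for card, action in sorted(actions.items()):
        print(f"{card}: {action}")
    for f in findings:
        print(f"{f.ts} {f.card}: {'; '.join(f.reasons)}")
```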
<p><a href="https://sm.asisonline.org/Pages/An-Intelligent-Solution.aspx">An Intelligent Solution</a> (Physical Security)</p><p>A large, international finance company was recently planning to fire one of its employees, but the company’s leadership was concerned. The employee, whom we’ll call John, had a history of being aggressive towards his supervisors.</p><p>Thankfully, the actual termination went smoothly and without incident, but that’s where the company’s good fortune ended. During the days that followed John’s termination, several employees received notes from him on social media instructing them to “consider not going to work” on a specified day.</p><p>As a precautionary measure, the company contracted for additional physical security at its main office building. However, when it became aware of the social media threats, the company reached out to the author’s international protection, investigations, and consulting firm for advice on how to handle this new challenge.</p><p>The firm immediately began conducting physical surveillance, following John’s movements. It also started analyzing his social media accounts and noticed that he had made several posts about the company’s vice president of human resources.</p><p>Upon further observation, the firm discovered that John had recently driven to an intersection about one mile from the company’s building. This location was also on the route that the vice president took to get to work every day.</p><p>Using the intelligence gathered from social media and physical surveillance, the firm observed John’s behavior in real time and contacted law enforcement to prevent him from causing any harm to the vice president or to the company’s facility.</p><p>Not all workplace violence threats are so successfully mitigated. 
An average of 551 workers were killed each year between 2006 and 2010 as a result of work-related homicides, according to the most recent numbers from the U.S. Bureau of Labor Statistics (BLS). And as many as 2 million workers report having experienced workplace violence each year, according to the Census of Fatal Occupational Injuries.</p><p>Most alarmingly, shootings accounted for 78 percent of all workplace homicides—83 percent of which occurred within the private sector.</p><p>Unfortunately, the traditional corporate climate is reactive because most companies only respond after there’s been a highly publicized workplace violence incident. Furthermore, many do not enact changes at all once the dust settles and the incident is no longer in the media.</p><p>With concern growing over workplace violence from all sectors, there is a demand for protective intelligence, which can avert a crisis instead of reacting after it occurs. To put it simply, you cannot mitigate a risk that you have not anticipated.</p><h4>Intelligence</h4><p>The primary objective of protective intelligence is to collect information to help determine if an individual demonstrates the intent and capability to formulate and execute a violent plan of action.</p><p>To determine this, most use the intelligence cycle—an important process for investigators or anyone who collects information for assessment or analysis.</p><p>Originally implemented by the U.S. Military Intelligence Division during World War I, this process is leveraged by many government entities for a wide spectrum of tasks, and by organizations such as the Federation of American Scientists. This process is most notably used in the investigative processes within the FBI and within the U.S. Secret Service, namely the National Threat Assessment Center. 
</p><p>The FBI defines the intelligence cycle as “the process of developing unrefined data into polished intelligence for the use of policymakers.” Protective intelligence investigations differ from other kinds of investigations because the goal is to prevent violence or a loss, not simply to secure the requested facts.</p><p>An individual, group, or organization must collect information that will develop the critical intelligence required to take preventive actions. The U.S. Secret Service defines this process as “gathering and assessing information about persons who may have the interest, motive, intention, and capability of mounting attacks against public officials and figures.”</p><p>The intelligence cycle has six steps. These steps are: identify requirements, plan and provide direction for intelligence that is to come, collect and gather information, process and exploit collected information, analyze and convert that information to produce raw intelligence, and disseminate intelligence to those who will use it for tactical, operational, and strategic decision making.</p><p><b>Identify requirements. </b>The first step is to identify the requirements the information is designed to satisfy. This step will help filter data into the most critical pieces of information and organize them by relevance.</p><p>For workplace violence investigations, investigators should focus on information that will help answer the fundamental question: Does this subject present a threat to protected individuals, groups, or organizations?</p><p>Some companies do designate internal employees as threat response personnel. However, protective intelligence investigations are performed most effectively by those who have experience and training doing them and who are also unbiased, such as a third-party consultant.</p><p><b>Plan and provide direction. </b>The second step in the cycle is to create a plan and provide direction for the intelligence that is to come. 
</p><p><b>Collect and gather information. </b>Gathering of information is the third step and includes researching online databases, performing physical surveillance, and conducting interviews.</p><p><b>Process and exploit. </b>After collecting relevant information, the fourth step of the intelligence cycle is to process and exploit that information. This means filtering the data into usable bits for the decision-making processes defined by the requirements in the first step; the bits can be referred to as the dots.</p><p>For example, when conducting an investigation of a subject who may be on the path to violence, social media or other tools may reveal his whereabouts during certain times that may be indicative of a hostile planning process. Critical decision points for likely pathways the subject would take to commit an act of violence could be established, and their correlation with the information that has been revealed would create the dots.</p><p>This can be a time-consuming burden, especially for investigators using social open-source intelligence (SOSINT). To be effective at this task, investigators should combine resources by researching directly on social media sites and by using search engines. With this methodology, investigators can start to connect the dots, enabling analytical confidence—particularly when dealing with the concern of targeted violence.</p><p><b>Analyze and convert. </b>The fifth step of the process is to analyze and convert these bits of data to produce raw intelligence.</p><p>In the event that a subject’s behavior reveals the impending manifestation of a perceived threat, these connected dots are used to make decisions that will effectively impede the process.</p><p><b>Disseminate. </b>The final step of the cycle is disseminating the intelligence to those who will use it for tactical, operational, or strategic decision making. 
</p><h4>Sources</h4><p>Although most would believe that intelligence is gathered from secret or covert sources, the largest collection of information available to investigators is open-source intelligence (OSINT), or intelligence collected from publicly available resources.</p><p>Within the intelligence community, the term “open” refers to overt, publicly available sources drawn from public resources, such as the Internet, media coverage, photos, and geospatial information. However, it’s important to keep in mind that there is no authority ensuring the accuracy of any information available through OSINT. Because of this, employers who use this collection method have a responsibility to verify—or at least corroborate—its validity.</p><p>SOSINT, the collective term for information from sources such as Facebook, Twitter, blogs, and microblogging sites, is becoming more important within the intelligence community. SOSINT is a content-rich gold mine and a valuable investigative tool when seeking corroborative information about individuals or groups, such as behavioral changes, interests, emulations, gang activity, and general life circumstances.</p><p>Social media is particularly useful to investigators for several reasons. The first is the immediacy with which content is not only created, but disseminated. The Facebook news feed is the epitome of a media outlet for such content because there is no delay in publication and almost no restriction on its ability to spread virally. Social media provides a variety of ways for potential subjects to distribute thoughts or request tactical assistance, along with numerous ways for investigators to gather that information.</p><p>In 2014, LexisNexis published a survey, Social Media Use in Law Enforcement, of federal, state, and local law enforcement professionals in the United States who are users of social media on the job. The survey details how social media can enhance the assessment and threat management process. 
</p><p>The survey found that “respondents indicated several real-world examples in which they prevented or thwarted pending crime, including stopping an active shooter, mitigating threats toward school students, executing outstanding arrest warrants, and actively tracking gang behavior.”</p><p>For the private investigator seeking information on the behavioral circumstances of a subject, something as quick and easy as analyzing a subject’s status updates, check-ins, and posted photos may provide the information necessary to conclude whether a legitimate threat exists.</p><h4>Surveillance</h4><p>Physical surveillance is one of the oldest and most common practices within investigative services, yet it remains the best option in cases when real-time information is required. To do this, employers must hire a licensed professional who can conduct surveillance legally.</p><p>Surveillance in the investigative field is used mostly as a tool for developing factual evidence to prove or disprove circumstance. However, surveillance can also provide information that is critical to the decision-making process for a much broader spectrum of investigations than most private detectives recognize.</p><p>In conducting protective intelligence investigations, surveillance is a viable option to gather the necessary information on a subject because not all attackers make direct threats. This increases the difficulty of validating or legitimizing the threat through other sources.</p><p>Using information from OSINT may reveal the threat, such as general ideas and interests, but it is typically not specific. Surveillance can be used to confirm a suspected threat or to find out more details.</p><p>Furthermore, the analytical confidence from deriving conclusions based on direct observations versus assessing the quality and quantity of third-party information is an important factor. This provides the investigator and analyst a more profound confidence in the facts at hand. 
</p><p>In one such instance, while investigating a subject who was facing possible termination following a history of unsatisfactory performance and increasingly aggressive behavior, the author’s firm noted a hunting license in the subject’s background investigation. </p><p>Taken in isolation, this is not a threatening piece of information. However, on the day of the company CEO’s contentious announcement of the firing, the author’s firm, which had been hired to provide executive protection for the company, decided to restrict access to the facility.</p><p>Local law enforcement helped bar the subject from the property. The former employee had a hunting rifle in his vehicle even though no hunting season was in effect. There was no violence that day, but the potential mitigation was worth the effort.</p><p>Once the subject is identified and background information has been collected, the main factors investigators should concentrate on during surveillance are the subject’s current living circumstances and the context of the subject’s daily routine. </p><p>Surveillance should focus on factors in the subject’s life and environment that might increase the probability of an outburst or attack: living arrangements; actions and behavior; and daily activities and social interactions, particularly as compared with the subject’s known historical circumstances and behavior. This focus on routine can provide valuable information for assessing the subject’s stability.</p><p>For example, if the subject does not currently have the means to satisfy the basic needs of food, clothing, shelter, or social interaction, then he or she may be in a desperate crisis with no option left but to act out. </p><p>Additionally, researching, planning, and coordinating the attack are critical to the attacker’s success. The steps required to develop a plan reveal the person’s intentions, actions, and acquaintances. 
</p><p>For instance, this can be seen in the events that led up to the kidnapping of Sidney Reso, former president of Exxon Co. Reso was kidnapped by Arthur Seale and his wife Irene Seale at the end of his driveway in suburban New Jersey on April 29, 1992. Reso was shot in the arm during the kidnapping and died a few days later. The Seales nevertheless claimed that he was alive and demanded $18.5 million in ransom before they were finally discovered and apprehended.</p><p>Before kidnapping Reso, the Seales watched his home from a van parked down the street for almost a month. These preparations were highly visible and could easily have been identified; the Seales could potentially have been intercepted by a countersurveillance effort run as part of an executive protection program.</p><p>For violent attackers, the chances of success and escape are the predominant factors in choosing where to attack. Research and planning on site selection, and even tactical decisions about that site, are therefore particularly revealing during physical surveillance. The subject’s behavior and rituals during this process are also extremely revealing, because the attacker’s intentions may not include any escape plan at all, which points to the worst case: a suicide attack. </p><p>This type of behavior was demonstrated by Khalid al-Mihdhar and Nawaf al-Hazmi, who flunked their flying lessons because they were uninterested in landing, in administrative procedures, or in flying anything other than Boeing jets. The two failed to obtain pilot’s licenses but ended up as two of the four “muscle” hijackers on American Airlines Flight 77, which was flown into the Pentagon on 9/11. </p><p>The potential attacker will want to gain familiarity with the location, how to get there, and, in most cases, how to escape. 
He or she may even take pictures of the location for later reference in the planning process, and may conduct rehearsals to discover what the security response might be during a crisis or how effective access control is. </p><p>In the investigation that followed the mass shooting in the Aurora, Colorado, movie theater, it was revealed that gunman James Holmes had purchased his ticket for that showing of The Dark Knight Rises more than a week in advance, carefully selecting the time and place for his attack. </p><p>Additionally, he had set explosive traps in his apartment, planning for them to be tripped before his attack so that emergency resources would be sent to that incident instead of the movie theater. </p><p>Real-time information gathered via surveillance can lead to preventive decisions sooner and more reliably than other methods of investigation.</p><p>Behaviors that may indicate the coordination or planning of an attack include visiting others who share the same ideas and interests, visiting websites linked to the company, obtaining supplies, or purchasing weapons. At this point, the investigator should avoid bias and assumption, concentrating only on facts.</p><p>For example, if a subject who has no historical interest in firearms obtains weapons and ammunition over the course of an investigation and then proceeds to a target location, the investigators conducting the surveillance may be able to involve the authorities immediately. </p><p>To be effective at surveillance, investigators must anticipate the subject’s actions. They must ask themselves where the subject would have to go and what materials the subject would have to obtain. To that end, investigators should develop a list of locations and activities that may be part of the subject’s target selection or planning process. 
</p><p>For investigators, protectors, and those who conduct threat assessments and evaluations, protective intelligence programs are a critical aspect of proactively preventing workplace violence incidents before they occur. When it comes to reducing workplace violence as a whole, we all share the responsibility of identifying, assessing, and intervening as early as possible.  </p><p>--<br></p><p><i><b>Joseph M. LaSorsa, CPP</b>, is senior partner at LaSorsa & Associates, an international protection, investigations, and consulting firm. He manages and conducts protective operations training courses and specializes in executive and bodyguard services; risk management consultations and seminars; workplace violence prevention seminars and intervention services; security consultations and seminars; private investigations; and technical surveillance countermeasures. ​</i></p>
<h4>Pesky Passwords</h4><p>Source: https://sm.asisonline.org/Pages/Pesky-Passwords.aspx (Cybersecurity)</p><p>Treat your passwords like your underwear: make them exotic, keep them to yourself, and change them from time to time. That’s the memorable approach that Cisco Chief Privacy Officer Michelle Dennedy takes to creating strong passwords. </p><p>But sadly, most people do not put that much effort into crafting passwords for their online accounts, and this can have dire consequences for corporations. In 2015, 63 percent of confirmed data breaches involved leveraging weak, default, or stolen passwords, according to the 2016 Verizon Data Breach Investigations Report (DBIR). </p><p>“The capture and/or reuse of credentials is used in numerous incident classification patterns,” the report explained. “It is used in highly targeted attacks, as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike.”</p><p>The use of stolen, weak, or default credentials in breaches is not a new trend. In 2015, attackers who used stolen credentials in breaches predominantly used them to steal more credentials (1,095 instances), export data using malware (1,031 instances), and conduct phishing (847 instances), among other threat actions, according to the Verizon report.</p><p>“We are realists here, we know that implementation of multi-factor authentication is not easy,” the report said. “We know that a standard username and password combo may very well be enough to protect your fantasy football league. We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea.”</p><p>But just what should those stronger authentication mechanisms be? What approach should you take to make your passwords stronger in 2017?</p><p><b>Make them exotic. </b>
Creating an exotic password means something different depending on whom you ask. For Dennedy, an exotic password is one built from varied characters that is not a dictionary word. For instance, pick a favorite book and use the first letters of the first paragraphs of various chapters in that book to create a password. </p><p>“And have some special characters thrown in there,” Dennedy explains. “That’s a great formula, and you don’t have to remember anything more than the book.”</p><p>Or, exotic passwords can be developed from a pattern that is specific to a particular website. “So having something that reminds you of your shopping list site and then adding on your special paragraph pattern,” Dennedy says. “These are tricks that can make your password exotic enough that it’s not guessable, and yet memorable enough that you actually get use out of it, rather than having to change your password every time because you’ve forgotten it.”</p><p>Another option is to go for length, says Lance Cottrell, chief scientist for Ntrepid’s Passages. “It used to be that if you had an eight-character password, that would be enough, they are not going to be able to guess your password,” he explains. “But realistically these days, that’s not true. They are able to get through much longer passwords, particularly if you’re not using the full breadth of characters available to you.”</p><p>Instead, users should aim for at least 20 characters and use upper case and lower case letters, numbers, and emojis—if that’s an option. 
</p><p>“You just can’t beat length; the longer your password is, the better off you are,” Cottrell says, adding that 20 characters is long enough because it is well outside the reach of a brute-force attack while remaining manageable to type when you have to.</p><p>However, Cottrell says he rarely types his passwords anymore, something he sees as key to creating strong passwords. “People are still in this mindset of ‘I’m going to make up this password and remember and then type them in from memory,’” he explains. “My general rule of thumb is a password that you can remember is probably too simple.”</p><p>That’s because “memory-based” solutions violate what Cottrell thinks of as the prime directive of password security: never reuse passwords.</p><p>“There should never be two websites with the same password from you,” he says. “Because it’s easy to guess your username; it’s probably your name or more often your email address. So if I steal your password on one website, I’m going to try that email address and password on every other website I know of. I’m going to hack it off of some website you don’t care about, and then try it on your bank and every bank out there just to see whether it will work.”</p><p>Instead of relying on memory, Cottrell uses a password management application to keep track of the passwords for the hundreds of online accounts he has created over the years. The application syncs with his devices, such as his iPhone and iMac, so he doesn’t have to remember them.</p><p>“If there’s one practice that I could say, ‘Go do this thing and it will make your security better,’ it’s to start using a password manager application,” he says, adding that he uses the application 1Password to keep track of his.</p><p>Like most password management applications, 1Password lets you create a single login and then store the passwords for all of your online accounts in its vault. 
It then encrypts that data, protecting it from attackers who might try to break into the application or its sync service to steal your credentials.</p><p>“I have one really good password for that vault,” Cottrell says. “I have one really big, long passphrase that I have memorized that unlocks that, and then that gives me access to everything else.”</p><p>While you can add passwords you’ve created to the password management application, you can also have it generate passwords to your specifications—such as 20 characters in length—so that every one of your online accounts gets a completely random password.</p><p>One downside of password management applications, however, is that they can be inconvenient to use, which is one reason Dennedy adopted the practice and then gave it up. “I’ve tried them and I’ve made the super password easy enough that I’m not inconvenienced, and that makes me nervous,” she says, adding that she’s had trouble finding a solution that scales across all the places she needs to be, especially when traveling.</p><p>“My job is weird; no two days are the same and I’m doing planes, trains, and automobiles, so if my login fails, that’s a real pain,” Dennedy explains. </p><p><b>Keep them to yourself. </b>Many users have been there before. They have access to a corporate account, such as a Twitter account, and another employee needs access to it. So, they email the other employee the credential. While that might be an efficient way to share access, it is not a secure one and should be avoided if at all possible, Cottrell says.</p><p>Instead, if you’re sharing an account, make sure the password is strong—exotic, long, and possibly generated by a password management application. Also, make sure that you’re not sharing it through email.</p><p>“Even sending it through a text message is better than sending an email,” Cottrell says. 
“Send it in a path that avoids email and using the computer…as that makes it much more difficult for an attacker to make use of it. An actual physical note with the password on it, that’s shredded later, is going to be even better.”</p><p>Also, when it comes to passwords, make sure you’re not giving away information on social media sites that could be used to answer your password hint questions, which are often drawn from a fixed set of questions whose answers are easily discoverable.</p><p>“Don’t put as your security question the name of your real dog,” Dennedy says. “It’s okay to lie there.”</p><p>Instead, make up an answer, such as the name of a dog you don’t own. To keep track of these answers, you can store them in most password management applications, so you don’t have to remember what your lie on a given security question was, Cottrell says.</p><p>“So if the security question says ‘Where did you go to high school?’ Put in something like Richard Nixon High School or a Lord of the Rings reference,” he adds. “Anything you want can go in those slots, and then just add them to the notes section of your password management app.”</p><p><b>Change them. </b>When it comes to changing your password, how often is too often? And does changing your password regularly make it less secure?</p><p>The answer is complex. U.S. Federal Trade Commission (FTC) Chief Technologist Lorrie Cranor made headlines in 2016 when she suggested that companies rethink mandatory password changes for employees.</p><p>“There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily,” Cranor wrote in a blog post. 
“Unless there is a reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good.”</p><p>This is why all organizations should weigh their risk profile against the security benefits and drawbacks of having employees change their passwords frequently, Cranor added in her post. </p><p>“Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely,” she explained. “Encouraging users to make the effort to create a strong password that they will be able to use for a long time may be a better approach for many organizations, especially combined with slow hash functions, well-chosen salt, limiting login attempts, and password length and complexity requirements.”</p><p>A cryptographic hash function takes a message (your password) and computes a fixed-length, one-way digest called the hash value. The system stores that digest instead of the password itself, so an attacker who steals the database still has to guess each password and hash the guesses to find a match. </p><p>Slow hashes (bcrypt, scrypt, PBKDF2, or Argon2, for example) are deliberately expensive to compute, so each guess costs the attacker far more time once the stored hashes are exposed. A salt is a random value, generated separately for each user and stored alongside the hash, that is combined with the password before hashing; because two users with the same password then get different hashes, an attacker cannot crack them all at once with a single precomputed dictionary or rainbow table.  </p><p>Cranor makes a valid argument, Dennedy says, but only if you don’t follow all of Dennedy’s prescriptions—exotic, secret, and changed often.</p><p>“So if you’re changing passwords often ... between ‘1234567’ and ‘ABCDEFG,’ you’re still going to have an incredibly weak system,” she explains. 
People who change passwords frequently have trouble remembering them, so they do a lot of password recycling.”</p><p>And from a corporate security standpoint, having employees regularly change passwords is a good idea because it shrinks the window of opportunity for hackers to use stolen credentials to access corporate networks.</p><p>“It’s a real plus in reminding people what’s important [data] and it’s also helpful in that brute force attacks are quite brutal these days with computer power as strong as it is today, so even if you have a semi-exotic password and it’s static over a period of time, it’s that much easier to put the combination together,” Dennedy says. (The FTC did not return requests for comment on this article.)</p><p>But while developing good password habits can help increase security, it’s not a silver-bullet solution.</p><p>“If someone can hack the computer itself, they can probably get access to all of the passwords,” Cottrell says. “So no matter how good your password hygiene is, it’s no better than the security of the device you’re typing it into.” ​</p>
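<p>The following is an added worked example, not code from the article or from any of the people quoted in it. It puts numbers behind two of the points above: Cottrell’s claim that length is what beats brute force, and Cranor’s recommendation of slow hash functions with well-chosen salt. It uses only the Python standard library (scrypt from hashlib as the slow hash, SHA-256 as the fast hash a careless site might use); the record format, the 2^14/8/1 scrypt cost parameters, the 10 billion guesses-per-second attacker, and the small wordlist are all assumptions chosen for the illustration.</p>

```python
import hashlib
import hmac
import os
from typing import List, Optional

# scrypt cost parameters (assumed for this example): 128 * N * r bytes of memory
# and N * r * p work per guess. N=2**14 stays under hashlib's default 32 MiB
# memory limit while still costing tens of milliseconds per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed sample data: a tiny "leaked" wordlist and one unsalted SHA-256
# digest of the kind found in a breached database that used a fast hash.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "Winter2017"]
LEAKED_UNSALTED = hashlib.sha256(b"password123").hexdigest()


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of the given length over a charset."""
    return charset_size ** length


def brute_force_years(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case years to exhaust the keyspace at a given offline guess rate."""
    return keyspace(length, charset_size) / guesses_per_second / (365 * 24 * 3600)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record in a self-describing format: scrypt$N$r$p$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, stored with the hash
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and salt; compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: " + scheme)
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def crack_unsalted_sha256(leaked_digest_hex: str, wordlist: List[str]) -> Optional[str]:
    """Fast, unsalted hash: one precomputed table answers every leaked digest at once."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return table.get(leaked_digest_hex)


def crack_salted_scrypt(stored: str, wordlist: List[str]) -> Optional[str]:
    """Salted slow hash: no shared table; every guess costs a full scrypt run per user."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash
    print("8 chars, 95-symbol charset:", round(brute_force_years(8, 95, rate), 4), "years")
    print("20 chars, 62-symbol charset:", brute_force_years(20, 62, rate), "years")
    record = hash_password("password123")
    print("stored record:", record)
    print("unsalted SHA-256 cracked by table lookup:", crack_unsalted_sha256(LEAKED_UNSALTED, WORDLIST))
    print("salted scrypt still falls to a weak password:", crack_salted_scrypt(record, WORDLIST))
    print("strong passphrase survives the wordlist:",
          crack_salted_scrypt(hash_password("correct horse battery staple"), WORDLIST))
```

<p>Two things the numbers make concrete: an eight-character password over the full printable set falls in days at the assumed rate, while 20 characters of letters and digits alone is out of reach by many orders of magnitude; and salting plus a slow hash does not rescue “password123” (the wordlist still finds it), it only removes the attacker’s ability to crack every user with one precomputed table and makes each remaining guess expensive. The constant-time comparison in verify_password is there so that the check itself does not leak how many digest bytes matched.</p>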
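<p>Cottrell’s description of how a stolen password gets tried “on every other website I know of” is what defenders see on the receiving end as credential stuffing. As an added example, not part of the article, here is the detection logic a site owner would run over its own authentication log to catch it. The log format, the thresholds (five distinct accounts, a five-minute window, a 75 percent failure rate), and every address and username are constructed for this illustration and assume nothing about any real system.</p>

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample authentication log (not from any real system). Format:
# <ISO timestamp> <source IP> <username> <OK|FAIL>
# 198.51.100.7 walks a list of leaked email/password pairs; one of them works.
# 203.0.113.5 is a normal user who mistyped once. The last line is deliberately malformed.
SAMPLE_LOG = """\
2017-01-09T08:00:01Z 198.51.100.7 alice@example.com FAIL
2017-01-09T08:00:04Z 198.51.100.7 bob@example.com FAIL
2017-01-09T08:00:07Z 198.51.100.7 carol@example.com OK
2017-01-09T08:00:10Z 198.51.100.7 dave@example.com FAIL
2017-01-09T08:00:13Z 198.51.100.7 erin@example.com FAIL
2017-01-09T08:00:16Z 198.51.100.7 frank@example.com FAIL
2017-01-09T08:00:19Z 198.51.100.7 grace@example.com FAIL
2017-01-09T08:00:22Z 198.51.100.7 heidi@example.com FAIL
2017-01-09T08:01:30Z 203.0.113.5 alice@example.com FAIL
2017-01-09T08:01:41Z 203.0.113.5 alice@example.com OK
2017-01-09T08:02:05Z 192.0.2.10 dave@example.com OK
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text: str) -> List[dict]:
    """Parse one event per line; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, outcome = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "user": user, "ok": outcome == "OK"})
    return events


def detect_credential_stuffing(text: str, min_distinct_users: int = 5,
                               window_seconds: int = 300,
                               min_fail_ratio: float = 0.75) -> List[Dict]:
    """Flag a source that tries many *different* accounts in a short window and
    mostly fails: a normal user mistypes one password for one account, while a
    stuffer replays a list of credentials stolen from some other site."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        ratio = fails / len(evs)
        if len(users) >= min_distinct_users and span <= window_seconds and ratio >= min_fail_ratio:
            findings.append({
                "source": src,
                "attempts": len(evs),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 3),
                # Accounts where a replayed credential succeeded: those users reused
                # a password from elsewhere and need a forced reset, not just an IP block.
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_LOG):
        print(finding)
```

<p>The important output is the compromised list, not the flagged address: blocking 198.51.100.7 stops this run, but carol’s password is now known to work and must be reset. The window check here uses the whole span of a source’s activity, which is enough for a batch review; a production detector would use a sliding window and would also group by username across sources, since stuffing tools spread their attempts over many addresses.</p>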
<h4>A Museum of the World and for the World</h4><p>Source: https://sm.asisonline.org/Pages/A-Museum-of-the-World-and-for-the-World.aspx (Physical Security)</p><p>On a rainy early spring morning, a group of security professionals made their way along Great Russell Street in fashionable, bustling Bloomsbury, London. They passed vehicle-standoff bollards, entered through the gate of a black iron fence, and crossed a large courtyard to reach a neoclassical building that dates from the Georgian period. </p><p>After a security inspection, the visiting professionals traversed the Queen Elizabeth II Great Court with its soaring, tessellated blue glass roof. Once the open-air courtyard outside the Victorian reading room of the British Library, the area was refashioned in 2000 into an epic enclosure worthy of the treasures in the surrounding galleries.</p><p>“The British Museum is of the world, for the world,” David Bilson, CPP, head of security and visitor services, told the security professionals later, when they had gathered for a special program in the BP Lecture Theatre of the Clore Center for Education. It was the day before the opening of the ASIS International 15th European Security Conference and Exhibition, and Bilson was the host and first presenter.</p><p>“People sometimes think that the museum is about the history of Britain, but it’s not,” he explains. 
“It’s about the history of mankind.”</p><p>Just a few of humanity’s priceless objects that the British Museum cares for are the Rosetta Stone, a stone stele carrying the same inscription in three scripts, which helped crack the puzzle of Egyptian hieroglyphs; the Sutton Hoo Anglo-Saxon burial treasure; the classical Greek Parthenon sculptures; colossal granite heads from the Ramesseum temple in Thebes, Upper Egypt; the 12th-century Lewis chessmen; a gigantic Easter Island figure (Hoa Hakananai’a); and a pair of Assyrian human-headed, winged bulls from Khorsabad, Iraq, which date to about 710 BC. (In February 2015, ISIS extremists destroyed a similar pair from the ancient city of Nineveh.)</p><p>At the British Museum, said Bilson, “We present items that date from 2 million years ago to the present day, in a collection that we are still continuing to build.”</p><p>The 18th-century physician and hot-chocolate entrepreneur Dr. Hans Sloane laid the foundation for the collection. When Sloane died in 1753, he left everything to King George II. A public lottery raised funds for the original building. </p><p>“We welcomed our first visitors here in 1759, so it is our 257th birthday,” Bilson added. Since then, the collection has grown to more than 8 million items.</p><p>“We are one of the nation’s treasure houses,” Bilson told his audience. “We now welcome 6.8 million visitors per year, which makes us the U.K.’s leading visitor attraction—and I say that not to be glib, but because it brings us major security and public safety issues. We are one of London’s ‘crowded spaces,’ so therefore we have security risks.”</p><p>Art thieves are also a threat. For example, Chinese art has skyrocketed in price at auction, allowing thieves to sell stolen items easily on the black market. In 2012, the Metropolitan Police New Scotland Yard intercepted a gang that planned to target objects in one of the museum’s public galleries. 
Working with law enforcement agencies is a key aspect of security operations at the museum.</p><p>In addition, Bilson said the museum “is a place that transforms at night. If you stand in the front hall of the museum at 5 to 6 o’clock, you’ll see all my security colleagues escorting visitors out and thanking them for coming. At 6 o’clock, all the contractors come in, and by five minutes till 7 p.m., the whole place may be transformed with tables for dinners or corporate events…which is another demand on the security services that we have here.” </p><p>Later that evening, the visiting security professionals would witness just such a transformation when the museum’s Egyptian Sculpture Gallery hosted an ASIS reception. The varied aspects of the museum’s security program were present and working, but even to the security practitioner guests, they were imperceptible.</p><p>Later, Bilson sat down with Security Management to discuss the security program at the museum and its myriad security concerns.</p><p>The security context has changed tremendously for all museums, Bilson says, naming as examples the May 2014 attack on the Jewish Museum in Brussels, Belgium, the foiled 2014 attack on the Louvre in Paris, and the March 2015 attack on the Bardo National Museum in Tunis, Tunisia.</p><p>During the last four years, the British Museum has invested in various aspects of its security infrastructure. One part of that investment was completed in early April 2016 when security “switched to our new digital radio system with much better coverage across our locations,” Bilson says.</p><p>Also in place now are vehicle defenses. “I hope as you came through the front gate this morning, you admired our vehicle-standoff bollards, which are a substantial upgrade in our protective resilience,” he adds.</p><p>In 2013, the museum became a construction zone with the creation of the World Conservation and Exhibition Centre on the estate’s northwest corner. 
It comprises scientific laboratories, office facilities, and a major new public exhibition hall, “which gives us a bigger, more flexible space than we have ever had, and below ground, we have a secure collections storage area,” he says.</p><p>Security was involved in the design of the new facility, Bilson notes. “In fact, we upgraded security substantially because of the nature of that building. So that has become our benchmark for security across the rest of the estate. It integrates all the modern technology of cameras, alarms, access control, and now the new radio system.”</p><p><b>Guard force. </b>Since the Great Court was built 16 years ago, the number of annual visitors to the museum has jumped by nearly 3 million. </p><p>“We are delighted to welcome more visitors but this of course impacts our operations; we want to ensure visitors have an enjoyable and safe visit,” Bilson says. </p><p>Guidance on the management of events in the United Kingdom has changed, too. This has led to an ongoing modernization of the guard force, which comprises 300 full-time, proprietary officers.</p><p>“We are looking to take up the best of that advice, as well as lifting the security standards for all of our officers here, to a high level of professionalism,” he adds. “They are all great people, and we want to lift them up still further into new ways of working.”</p><p>“In the U.K., there are two categories of security officers: you can either be proprietary if you are working in your organization on your site, but if you provide a security service…it has to be licensed,” he explains. “At the moment we are also using licensed support while we go through our improvements.”</p><p>There is a security central command center in the museum that is staffed around the clock. 
</p><p>“Not only are they doing a security watch, they are watching building systems and the condition of the building overnight, as well as the primary security function of protecting the collection,” Bilson points out.</p><p><b>Bag checks. </b>While terrorism is a key threat to the museum, “The biggest challenge affecting us at the moment is the searching and screening of visitors,” Bilson says. “I’m not precious about it. We’re working hard to improve upon it, but it is a challenge on a day when 20,000 visitors come through who are not timed in their entry, so we get these peaks in demand. More than 50 percent have some sort of bag with them.”</p><p>Visitor bag searching has been stepped up at the museum, resulting in an increase in the discovery of weapons.</p><p>“The majority of our visitors are of course law-abiding and are here to enjoy the collection,” Bilson says. “But I have been surprised that a minority have brought in inappropriate items that could pose a risk.”</p><p>To keep weapons carried in bags from entering the building, new visitor search facilities were recently installed outside it.</p><p>The museum’s executive leadership supports decisions such as these. “We have great support here. The trustees, the board that oversees museum operations, are in favor of more security, doing more, but keeping a balance,” Bilson explains. “We want the visitors to know they are coming into a secure space, but to know that they are coming into a welcoming experience as well.”</p><p><b>Perimeter security. </b>Bilson says that perimeter security depends upon the state of the museum at various times of day. </p><p>For example, he explains that when the museum is on lockdown overnight, “we have clear definition of boundaries by way of walls and railings. They are guarded and protected by technology 24 hours per day. 
We use a range of technology measures, whether it is intrusion detection or surveillance or physical locks and access control.”</p><p>When the museum opens, the perimeter becomes porous, but with public boundaries, he says. “There are layers of defense within the site.” When the visitors leave, the perimeter hardens again.</p><p>“In explaining this to staff, I tell them we act in the same way as an airport—the secure air side and the public side,” he says. “So the status of areas within the museum changes, but broadly the back of house areas stay secure 24/7.”</p><p>Coordination between security and museum staff is “hugely important—that whole preplanning and coordination piece,” Bilson states. “We work very hard with facilities management and with events planning to think through levels of detail.”</p><p><b>Collection protection. </b>Museum security protects its collection in much the same way that businesses protect their own assets. “Security technology helps, but we need people to intervene in situations as well,” Bilson says.</p><p>Like all large museums, the British Museum stages major temporary exhibitions, such as Life and Death: Pompeii and Herculaneum, which ran through most of 2013 and attracted 400,000 visitors, and the newest, Sunken Cities: Egypt’s Lost Worlds, which closed in November and broke attendance records, according to Bilson.</p><p>The arrival and departure of special exhibitions is ongoing, and security plays a large role. Before items are loaned to the museum, “we have to give an account to the lenders of how good our [security and environmental] processes are here,” Bilson says.</p><p>The museum also lends artifacts and even major collections to museums around the globe. </p><p>“We apply all of our own security standards to the venue that the exhibition is going to,” Bilson explains. 
“Sometimes that is a learning experience for the people borrowing from us, and we try to help them get their security to such a standard that long-term they have a more resilient venue for themselves and can borrow more collections from around the globe.”</p><p><b>Travel.</b> “The museum is constantly changing, always taking on new ideas and new things to do,” Bilson notes. “It is a busy organization that is studying and researching and constantly evolving.”</p><p>Bilson says that the museum’s policies and procedures for staff working in other nations weren’t anywhere near as robust as they should have been. </p><p>An incident involving museum staff in another country caused the museum to rethink. “We asked ourselves, ‘Where are our people today? Do we know what countries they are in? Are they insured? Have we thought about their security and what measures have been taken?’” he explains.</p><p>Bilson discovered that there were free services tied to the museum’s insurance and travel services that had not been previously used, including “risk reports, country reports, access to services that we thought we might need one day…. Now we build emergency plans in case we need to bring teams home from overseas,” he says. “We put in place a good personal emergency plan for everybody, good support from London from the home department, and pre-travel risk assessments, advising staff before they go.”</p><p><b>Partnerships. </b>The museum actively partners with police, “whether at the operational level or counterterrorism level, intelligence services, or security design advisors,” Bilson says. “We have strong links with specialists around art and antiques thefts and crime. We have a national museum security group, and most recently, we have established a European roundtable of CSOs so that we can link with our colleagues. 
After the terrorist events in Paris and Brussels, we supported our friends in that group, exchanging advice and helping them with things that could be done in their museums.”</p><p>Security also works with the policing teams in the area around the museum estate. The museum talks with its neighbors about emergency planning and special events that could affect them, such as when Night at the Museum was filmed on site or when movies are shown outside on the lawn on summer evenings.</p><p>Bilson says that as a security case study, the British Museum is different because it houses a world collection that must be protected alongside large numbers of visitors and staff in a 200-year-old heritage building.  </p><p>While the museum doesn’t discuss its security systems in detail, visitors, he insists, want to know that security is in place. </p><p>“Peaceful, law-abiding visitors to the museum are looking for that kind of protection,” Bilson says. “When we check their bags, we get thanked for doing so and know that it gives them reassurance.”</p>
https://sm.asisonline.org/Pages/Brexit,-Employment,-and-the-Law.aspx
Brexit, Employment, and the Law (National Security)
<p>The European Union has historically been a driver for the advancement of nondiscrimination and equality employment legislation. The United Kingdom’s first-ever statutory prohibitions of discrimination based on sexual orientation, religion, and age were established in 2000 to comply with the EU Employment Equality Directive. But now that Britain doesn’t technically need to comply with EU employment requirements, what will happen to the current employment legislation?</p>
<p>Human resources directors don’t have reason to panic quite yet. The United Kingdom has just started the withdrawal process, and it has two years to negotiate the terms of the exit. During that time, the United Kingdom will still be a part of the European Union’s free trade agreement and be bound by all existing laws. Once the separation is complete, EU-driven employment legislation will remain in effect because the majority of it was passed domestically. It will be up to parliament to determine whether to repeal or change current employment legislation. However, if Britain does want to continue with the free trade agreement, the European Union may require that the United Kingdom comply with its employment law.</p>
<p>Attorneys with law firm Jones Day note that laws more likely to be repealed or amended after Britain’s exit include overly bureaucratic legislation—EU-enforced agency worker regulations and the required European Works Council, which won’t be relevant once the United Kingdom leaves the European Union. Other controversial legislation includes whether vacation leave is accrued while employees are sick, as well as how vacation pay is calculated.</p>
<p>However, U.K. employers may be facing more complaints of discrimination and workplace harassment soon. Britain currently abides by the European Union’s free trade and travel agreement, which allows EU nationals to freely live and work in any member country. But U.K. employers know that these rights are unlikely to extend after the withdrawal is complete, bringing up a hiring concern: why hire EU nationals if they may not be able to work in the United Kingdom in two years?</p>
<p>U.K. employers can refuse employment to anyone who does not have the right to work in the country, but refusing to hire someone because they may not be able to work in the United Kingdom in the future is almost certainly unlawful, according to CIPD, a U.K.-based HR professional body. Most employers know that this type of blanket hiring policy is likely to bring them trouble, CIPD’s website notes, and instead a more likely approach will be to require a potential employee to prove that he or she has indefinite rights to remain and work in the United Kingdom. However, this is grounds for an indirect discrimination lawsuit.</p>
<p>Instead, CIPD recommends that employers make employment contracts conditional on maintaining the right to work in the United Kingdom. This conditional agreement should be included in all employment contracts to avoid potential discrimination issues. “Although this will not solve the problem of employees’ immigration status changing due to Brexit, it will help with terminating the employee’s employment if that proves necessary,” CIPD notes.</p>
<p>A more intractable problem facing U.K. employers is discrimination against Muslim women, according to a new report. While 69 percent of all working-age women are employed, just 35 percent of Muslim women have jobs, according to Employment Opportunities for Muslims in the UK, a report issued by the parliamentary Women and Equalities Committee in August.</p>
<p>Muslim women face a “triple penalty” when trying to find jobs: their race, their gender, and their religion, the report notes. A study conducted last year by the National Centre for Social Research for the Department for Work and Pensions revealed that a job applicant who appeared on paper to be white would receive a call back after applying to nine jobs, while minority candidates with the same qualifications had to send 16 applications before receiving a response. To address the issue, former Prime Minister David Cameron passed legislation requiring that the government use name-blind recruitment for all positions below a senior level. Several large private sector recruiters adopted the practice as well, but the practice needs to be countrywide, the report recommends.</p>
<p>“To be fully effective this should form part of a sustained initiative which profiles those employers which have successfully implemented the policy in order to incentivize others to follow suit,” the report notes. “The government should monitor uptake and legislate if progress is not made within this parliament.”</p>
<p>Forty-one percent of Muslim women are unemployed and not seeking work, compared with 21.8 percent of the total population. However, this statistic should not discount the struggles Muslim women face when trying to find employment, says Maria Miller, the chairwoman of the committee that produced the report.</p>
<p>“The impact of Islamophobia on Muslim women should not be underestimated,” the report explains. “They are 71 percent more likely than white Christian women to be unemployed, even when they have the same educational level and language skills.”</p>
<p>The report lists a number of recommendations to help even out the path to employment, including more specific antidiscrimination legislation, professional mentoring programs within Muslim communities, and more generalized language and skills education. However, Miller notes that an unexpected finding in the study was that the United Kingdom’s countering violent extremism (CVE) programs seemed to be contributing to discrimination against Muslim women.</p>
<p>Prevent, Britain’s original antiradicalization program, was implemented after 9/11. In 2015, new legislation was passed that requires public sector workers to report signs of extremism. The program has been decried by Muslim and civil rights groups for discriminating against religious minorities in Britain. It is widely known that Muslims are suspicious of the program, especially after a number of high-profile incidents in which children were interrogated by officials for alleged extremist views. Furthering concerns of discrimination is a National Police Chiefs Council report, which found that last year, at least 90 percent of reports of alleged extremist behavior were made by non-Muslims.</p>
<p>“The government is making attempts to deal with the problems that Muslim people face in getting work, but our analysis would be that their attempts are being undermined by this clear link that Muslim people are making between government policy on employment and government policy on counterextremism,” Miller told The Guardian.</p>
https://sm.asisonline.org/Pages/Extreme-Internet-Control.aspx
Extreme Internet Control (National Security)
<p>Last June, the United Nations Human Rights Council determined that Internet access is a basic human right. However, many countries and organizations continue to limit access to the Internet. Last August, Russia briefly turned off Internet access in Crimea for unclear reasons. Ghana switched off its Internet during the country’s November elections. Bangladesh has been testing Internet lockdowns since August. And countless countries block selected social media platforms, news websites, and other content, often under the auspices of national security.</p>
<p class="p1">It may be unsurprising that oppressive regimes are throttling Internet access. But national security leaders in many nations around the world are working with social media platforms to restrict content that encourages violent extremism, which privacy advocates say is no different from the Internet censorship taking place in North Africa and the Middle East.</p>
<p class="p1">ISIS and other extremist groups are using social media platforms excessively—and effectively—to recruit members, raise money, and spread their ideologies. In May, digital platforms, including Facebook, Twitter, YouTube, and Microsoft, signed a European Commission Code of Conduct agreeing to remove “illegal, online hate speech” from their sites. Since then, Twitter has stepped up its monitoring of users’ content, deleting hundreds of thousands of accounts linked to radical extremism. Facebook will remove any content celebrating terrorism. And Google redirects people searching for information about ISIS to anti-extremism websites.
</p><p class="p1">However, privacy advocates note that there is no standing definition of illegal online hate speech, and that there is no way that censorship by social media platforms can be objective. Indeed, Facebook is working with Israeli officials to remove pro-Palestinian posts that incite violence against Israel. In September, Israeli officials noted that Facebook, Google, and YouTube are complying with 95 percent of the government’s requests to delete content. </p><p class="p1">“What is extremist speech? The state doesn’t know,” says Shahid Buttar, director of grassroots advocacy at the Electronic Frontier Foundation, a nonprofit civil liberties defense organization. “And when it’s tried to define it, online or offline, it has always swept up constitutionally protected speech. It’s well documented that people silence themselves when they know they’re being watched.”</p><p class="p1">Buttar points to the recent removal of the famous Napalm Girl photo—depicting the aftermath of a napalm attack on a village during the Vietnam War—from Facebook, which does not permit its users to post content containing nudity. After worldwide backlash, Facebook reinstated the photo on its site. Buttar says sites like Facebook use algorithms to flag content that violates their terms of use, and that the context of the content—in this case, a series of iconic war images—is lost. “There’s a content-based discrimination implicit in the algorithmic approach that is obscured in the security conversation,” he notes.</p><p class="p1">Mark Wallace, the CEO of the Counter Extremism Project (CEP), helped develop one of those algorithms. Wallace explains that the nonprofit CEP “fills the gaps” when it comes to fighting extremists on a theater that has moved from sea, land, and air to online. Wallace worked with Hany Farid, who previously developed an algorithm to identify child pornography online, to find a way to report violent extremist images. 
The technology uses hashing, which identifies the unique digital signature of audio, video, or images and scans a database for matches—in this case, of violent beheading videos and other powerful extremist recruiting tools. The algorithm will automatically report the content to the host platform, which will ostensibly remove it.</p><p class="p1">“We have collected systematically thousands of video, audio, and photographic items that we think are extremist content,” Wallace tells Security Management. “We can take that database, and it immediately identifies that content wherever it resides on those platforms, including at the Internet Service Provider (ISP) level. The Internet has been a very welcoming place to the cyber jihadi. We hope our algorithm will be the mechanism to make the Internet and social media companies no longer a welcoming place for them.”</p><p class="p1">Wallace notes that researchers are responsible for initially identifying extremist content, but the same content tends to emerge repeatedly. He points to the messages of Anwar al-Awlaki, an al Qaeda recruiter and U.S. citizen who was killed in 2011 by a CIA drone strike. </p><p class="p1">“If you look at the domestic terror prosecutions here in the United States, a majority of those tried were radicalized by al-Awlaki’s videos from the grave,” Wallace says. “That’s content we know, and hopefully will be able to remove from social media platforms instantaneously.”</p><p class="p1">Free speech activists also identify al-Awlaki as a prime example of censorship, but for different reasons. 
There was a federal court proceeding at the time of al-Awlaki’s death in which his family sought due process for him, but he was killed before the courts could address the situation, experts say.</p><p class="p1">Wallace and the CEP are currently working with social media platforms and governments around the world to deploy their algorithm “in a manner that is effective and responsible,” he says.</p><p class="p1">“I think we can all agree that removing the worst of the worst content is a good starting place and should be uncontroversial,” Wallace says. “Maybe the next Jihadi John will realize that no longer is a video of a terrorist with his knife at the neck of some poor soul used as a tool to glorify a terrorist group, to propagandize, to call others to act, to fundraise, and to recruit.”</p><p class="p1">Meanwhile, the Middle East, North Africa, and Russia are still dealing with an increase in state-mandated Internet shutdowns. William Buchanan, a computing professor at Edinburgh Napier University, explains that Internet traffic goes through a countrywide firewall. In times of crisis, the country’s leaders can control the main firewall and drop service if necessary. He suggests that in the coming years, most countries will articulate plans for when and how they can take over the firewall.</p><p class="p1">“What happens in an emergency is people swamp the network with traffic, so I think many countries will have a plan to cut citizens off the network for a certain amount of time while they cope with something like a cyberattack,” Buchanan says. 
He says he thinks countries like Bangladesh are testing the network to see if they can take it over and make sure they have priority over the rest of the network.</p><p class="p1">Buchanan sees the use of firewall control during a major event as justified because it allows emergency and first responders to communicate in a timely manner, but he says in countries with high political tensions, blocking the Internet can be done maliciously. For example, when Bangladesh tested its network control, it blocked news outlets that reported on antigovernment organizations, he notes. And during the coup in Turkey last July, the government cut off access to YouTube, Facebook, and Twitter to quell any uprisings.</p><p class="p1">Many countries “play the terrorism card” to justify controlling the Internet or viewing private data, Buchanan says, which isn’t logical because terrorists know how to hide their tracks. “Operating systems that boot from USB sticks and leave no presence on devices, VPNs, and proxies…those are the types of tools that a terrorist or criminal will use, and invest a lot of time and energy to create.”</p><p class="p1">This kind of reasoning, as well as roundabout laws such as Saudi Arabia’s ban on all use of encrypted traffic, can be a slippery slope for privacy concerns and affects law-abiding citizens more than the troublemakers, Buchanan notes. </p><p class="p1">“The more that we use encryption panels, the less chance that law enforcement will have in actually tracing the real criminals,” Buchanan explains. 
“What they’ll end up doing is monitoring everyone else for the normal things, and then a data breach at an ISP could release information about the president or prime minister, and everyone else whose information was collected.”</p>
<p class="p1">Whether it’s a complete shutdown of Internet access or careful monitoring of potentially dangerous content, countries and companies around the world are taking advantage of the possibilities—and power—inherent in controlling what citizens see online. As criminals and extremists move their activities from land and sea to technology, governments must figure out how to counter digital warfare while simultaneously respecting and protecting citizens’ basic human right to Internet access.</p>
https://sm.asisonline.org/Pages/Only-A-(Lonely)-Test.aspx
Only A (Lonely) Test (National Security)
<p>When Admiral Jamie Barnett took over as chief of public safety and homeland security at the U.S. Federal Communications Commission (FCC) in 2009, he learned something interesting about the Emergency Alert System (EAS). “It had never been used, and it had never been tested,” he says.</p>
<p class="p1">The never-been-tested part was surprising, because by that time the EAS had been around since 1997, when it replaced the Emergency Broadcast System. And the importance of having a well-functioning system seemed undeniable. “If the president were concerned that North Korean missiles were headed our way, he would have the ability, in essence, to preempt all the programming in the United States, pick up a mic, and say ‘We are under attack,’” Barnett says.</p>
<p class="p1">So Barnett sent a memo to the chairman of the FCC, expressing concerns about the viability of a system that had never been tested on a nationwide basis, and in fact had never even been scheduled for such a test. In turn, the FCC chairman sent the message up the chain, and it eventually reached the White House. After input from leading agencies such as the National Association of Broadcasters, the U.S. Federal Emergency Management System, and the White House Military Office, the administration decided to conduct a national EAS test on November 9, 2011.</p>
<p class="p1">What these officials were testing was a system that is a great-grandchild of the Cold War. Up until 1950, the government had no real method for broadcasting warnings to the nation at large. In 1951, U.S. President Harry S.
Truman established an early emergency broadcast system, CONELRAD (Control of Electromagnetic Radiation), that was primarily designed to alert the public in the event of a Soviet attack during the Cold War. When new defense technology reduced the likelihood of a Russian bomber attack, CONELRAD was replaced by the Emergency Broadcast System (EBS) in 1963.</p><p class="p1">The EBS was tested on a weekly basis, with stations broadcasting a distinctive pattern of beeping sounds and a variation of the following announcement: “This is a test. For the next 60 seconds, this station will conduct a test of the Emergency Broadcast System. This is only a test.” While the system was never used for a national emergency (save for a false alarm in 1971), it was activated thousands of times for regional emergency messages such as severe weather warnings. In 1997, the EBS was expanded to include cable stations, and it became the EAS. (More recently, the government created a Wireless Emergency Alert (WEA) system to disseminate emergency alerts on mobile devices; see Security Management’s December issue for more coverage of that system.)  </p><p class="p1">In sum, the EAS sends audio signals–that distinctive pattern of beeps that the EBS testing formerly made familiar–to 77 primary entry point stations. When these primary stations hear the signals, they immediately transmit it to other stations, so that in a matter of seconds the whole country is covered. “That irritating noise that you hear–that’s actually what the stations are listening for,” Barnett says. In fact, the government prohibits anyone from replicating those irritating beeps in a movie or television program or song. “People have been fined. The FCC would contact you,” he adds.</p><p class="p1">Although the sending of audio signals may not be cutting edge in terms of technology, it is resilient. “The system is designed to work when nothing else does. If the power is cut, this system will work,” Barnett explains. 
Since the security technology around the system is continually updated, hacking incidents have been rare; one of the few occurred in Great Falls, Montana, in 2013, when the EAS system at a television station was hacked to broadcast a zombie apocalypse message: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living.”</p><p class="p1">The 2011 national test, which went generally well, showed there was room for improvement. An assessment found that there were issues affecting 10 to 20 percent of the national system, such as local equipment problems. </p><p class="p1">For example, some stations experienced a feedback loop in which they started to broadcast the test, but then immediately shut down. One station malfunctioned and went silent during the test, and because dead air is against FCC broadcasting rules, an operator threw on a Lady Gaga CD. “So people heard ‘There is an emergency alert’ and then [the song] Born this Way,” says Barnett, laughing.</p><p class="p1">Despite these problems, the FCC did not run another test until five years later. That test occurred last September. In a response to an inquiry from Security Management, FCC officials said that early reports indicated that the test went well.</p><p class="p1">“We have received over 24,000 initial reports from Emergency Alert System participants. The reports indicate that the vast majority of EAS participants successfully received and retransmitted the test alert,” Rear Admiral (ret.) David Simpson, chief of public safety and homeland security at the FCC, said in a statement. 
“After EAS participants file their more comprehensive reports, including information on any issues they encountered during the test, we will analyze the data and then work with the Federal Emergency Management Agency (FEMA) and other stakeholders to implement any needed improvements.” </p><p class="p1">However, given that such national testing is vital for maintaining a viable system, Barnett and others argue that it should be done more frequently.</p><p class="p1">“I think five years is too long,” Barnett says. “My thought originally was that it needed to become routine, so every two to three years would be about right.”</p><p class="p1">Nelson Daza, an incident communications expert with Everbridge, argues in favor of annual national testing, to ensure readiness and point out potential infrastructure problems. “FEMA reminds everyone to test local emergency plans and family emergency plans at least once per year, so why does the government not mandate an annual EAS test?” Daza asks. “If we let these systems lie dormant until we need them for an emergency, there’s a very real possibility that we may not be able to get these critical messages out.”</p><p class="p1">Daza also says he feels that some of the devices and protocols of the EAS need to be updated. He says that the hardware maintained by broadcasters is of limited functionality–it can only broadcast text information in ticker-tape style across the top or bottom of a television set. “Since the EAS system is vital to our national security and to our public safety, it should undoubtedly be a state-of-the-art system,” he explains. </p><p class="p1">But Daza does disagree with those who argue that the U.S. population’s general move away from broadcast televisions and radio, in favor of Internet-based programming and wireless communications, is making the EAS obsolete. </p><p class="p1">“WEA, television alerts, and radio alerts are just different channels for delivering a message. 
Tens of millions of people listen to the radio in their cars every day, and the average person in the U.S. still watches 5 hours of television every day,” he says. “With that many ears and eyes, it would be a mistake to think WEA, which distributes only mobile alerts, will replace emergency alerts broadcast via TV and radio.”</p>
https://sm.asisonline.org/Pages/Wildlife-Trafficking.aspx
Wildlife Trafficking (Physical Security)
<p>Terrorist groups, transnational crime organizations, and even rogue security personnel are all contributing to the growing international problem of illegal trade in wildlife, otherwise known as wildlife trafficking. And the detrimental effects of this multibillion-dollar international criminal activity, one of the costliest forms of illicit trade, are varied and alarming.</p>
<p class="p2">“Wildlife trafficking can contribute to instability and violence, and harm people as well as animals. According to reports, about 1,000 rangers were killed from 2004 to 2014,” says a recent study on the issue by the U.S. Government Accountability Office (GAO), Combating Wildlife Trafficking. Illegal trade in wildlife also fuels corruption, destabilizes local communities that depend on wildlife for ecotourism revenue, and undermines conservation efforts.</p>
<p class="p1">This illegal practice is primarily driven by demand for exotic pets, culinary delicacies, and medicines. In some cases, it has pushed endangered animal species to the brink of extinction; unlawful capture and slaughter have devastated the populations of tigers, elephants, rhinos, turtles, exotic birds, and pangolins. The latter, a prehistoric mammal covered in scales that resembles an anteater clad in armor, is one of the most trafficked animals on earth, with 100,000 pangolins killed every year. Pangolin scales are sold by the bag in Asia, where some believe they can cure cancer, acne, and a host of other maladies.</p>
<p class="p1">Overall, wildlife trafficking results in revenue losses of anywhere from $7 billion to $23 billion, according to estimates from the United Nations Environment Program. In 2012, the price of rhino horn reached roughly $27,000 per pound, which was twice the value of gold at the time and more valuable on the black market than diamonds and cocaine, according to the World Wildlife Fund.</p>
<p class="p1">Although the United States is one of the world’s largest end markets for trafficked wildlife, much of the practice relies on an Africa-Asia nexus for supply and sales. For example, illicit elephant ivory is stolen in Africa, and most often comes out of Kenya and Tanzania. It is then shipped to China, Thailand, and Vietnam, with Malaysia and Singapore acting as transshipment hubs, according to a 2014 report, Out of Africa: Mapping the Global Trade in Illicit Elephant Ivory, issued by Born Free USA and C4ADS, two nongovernmental organizations.</p>
<p class="p1">Of all the bad actors involved in these practices, transnational organized crime networks are driving the trade. Wildlife trafficking is an increasingly popular area of specialization for international organized crime networks, according to the United Nations Office on Drugs and Crime’s 2016 World Wildlife Crime Report.</p>
<p class="p1">Last July, the U.S. State Department’s Transnational Organized Crime Rewards Program identified the Xaysavang Network as an international wildlife trafficking syndicate that facilitated the killing of elephants, rhinos, and other protected species. Vixay Keosavang, a Lao national, is believed to be the leader of the network, according to the U.S. State Department, which is offering a reward of up to $1 million for information leading to the dismantling of the Xaysavang Network.</p>
<p class="p1">Terrorist groups also seem to be involved in wildlife trafficking, but the extent of the involvement is still up for debate. The al-Shabaab militant group is either directly or indirectly (through taxation of illegal goods moving through areas they control) involved with illegal wildlife trade, the GAO report found. There are also some reports that al-Shabaab has been buying and selling ivory to fund military operations, although some argue that evidence of that is inconclusive, the report adds.</p>
<p class="p1">Finally, wildlife trafficking, enabled by corruption, contributes to instability and violence in many regions. According to a 2013 report from the U.S. Office of the Director of National Intelligence, systemic corruption enables illegal ivory and horn trade, and in turn the trade exacerbates corruption by making high-value illicit products available to influential officials along the supply chain, such as police, customs officers, and local security personnel.</p>
<p class="p1">The movements of armed poachers and traffickers also increase border insecurity; for example, gun battles at the South African border often occur between law enforcement and poachers from Mozambique who are trying to gain access to rhinos in Kruger National Park.</p>
<p class="p1">To beef up U.S. efforts to fight wildlife trafficking, President Barack Obama issued an executive order in 2013 that established an interagency task force, with 17 federal agencies as members, charged with developing a strategy to guide the government’s efforts. In 2015, the task force released an Implementation Plan for the National Strategy for Combating Wildlife Trafficking.</p>
<p class="p1">Task force agencies, following the implementation plan, are helping to fight wildlife trafficking through a variety of efforts, the GAO report found. But it also found that, “at the strategic level, the task force has not identified performance targets. Without such targets, it is unclear whether the task force’s accomplishments are meeting expectations, making it difficult to gauge progress.”</p>
<p class="p1">Given this, the GAO recommends that the secretary of state, the secretary of the interior, and the attorney general jointly work to develop performance targets for the task force. The agencies agreed with the GAO’s recommendation.</p>