Guard Force Management Are People FirstGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-02-01T05:00:00Z<p>​Several years ago, at a Milwaukee-area hospital, a patient came into the emergency room for treatment. The patient was flagged in the hospital's system for a history of violent behavior; he was known to carry weapons. However, the attending nurse ignored the warning to involve hospital security and proceeded to provide care to the patient. During the triage process, the patient made several comments to the nurse, including threats to cut her with a knife. Instead of disengaging for her own personal safety and notifying hospital security, she continued triaging the patient. The nurse later filed a complaint about an unsafe work environment, and when asked why she continued triaging the patient even though he threatened physical harm, the nurse responded, "I have a job to do, and I had to triage him."       </p><p>Healthcare is one of the most violent professions in the private sector—the number of violent events in the healthcare workplace is on par with law enforcement and corrections. According to the U.S. Bureau of Labor Statistics, in 2015 all private sector industries experienced workplace violence at a rate of 1.7 incidents per 10,000 full time workers. However, those numbers jumped to an alarming rate in the healthcare industry—6.7 per 10,000 full-time workers at psychiatric or substance abuse facilities. At hospitals, the rate was even higher, with 8.7 per 10,000 full-time workers experiencing workplace violence. In such settings, security practitioners face the challenge of protecting both staff and patients—who are often the ones committing the violence.  </p><p>With the focus on patient satisfaction, caretakers often forgo their own safety to produce results, creating a more unsafe work environment and potentially providing a lower level of care—when staff do not feel safe, they are less likely to spend time working with their patients, instead focusing on getting to the next patient as quickly as possible.  </p><p>An unsafe work environment doesn't just affect employees. Hospital surveys show that when patients choose a hospital, they base that choice on their experiences and what they have seen in emergency rooms or waiting rooms. When a patient feels comfortable and safe in a hospital that has subpar care, they will choose it over a hospital that has good care but a reputation that it is unsafe. When workplace violence is not well managed, it can jeopardize not only the staff, but the reputation in the communities served. </p><p>Because caretakers themselves are on the front lines when it comes to patient-perpetrated violence, a healthcare facility's security approach must extend beyond top-down security management and physical security. Security directors should foster among staff the importance of a clear and uniformly enforced social contract—an agreement for how individuals treat each other and how they behave within a community—that providers and patients alike should adhere to.  </p><p>Social contracts are designed to manage low-level, disrespectful "gateway behaviors." When behaviors such as sarcasm, name calling, yelling, and swearing are not properly managed, they can lead to more threatening behaviors that often escalate to violence. Task-oriented staff often appease these behaviors to quickly and efficiently get on to the next patient. However, the message is sent that bad behavior is rewarded and the person displaying those behaviors learns it is okay to act in that manner. When these behaviors are properly managed, and the social contract is consistently enforced, the cycle of violence can be interrupted. Many organizations, however, have an ambiguous social contract that is often inconsistently enforced, creating a pattern of learned behaviors that empower disruptive individuals to act violently to get what they want.  </p><p>In addition to physical security and crisis response protocols, healthcare facilities should also train caregivers in nonescalation and de-escalation approaches. Adopting conflict management techniques can increase awareness and safety and achieve positive outcomes for staff and patients. </p><p>A concept known as the Six Cs of Conflict Management, developed by consultant and training institute Vistelar Inc., can be applied to the healthcare setting for better staff and patient relations.</p><p>The entire spectrum of human interaction can be broken down into six distinct concepts: context, contact, conflict, crisis, combat, and closure. Each of these concepts can impact interactions and influence the creation of an environment of care that is incompatible with conflict and violence.  </p><p><strong>Context.</strong> The concept of context encompasses all aspects of preparation for interaction within hospitals and clinics. Context begins with an understanding that, to produce positive outcomes, all people must be treated with dignity and respect, regardless of their background. Context also refers to knowing the inherent risks within the healthcare environment and planning for those risks through awareness of surroundings and escape routes.  </p><p>Along with this awareness comes the possibility of encountering verbal abuse and conflict. To respond professionally, healthcare staff must understand that hot-button words can trigger an emotional response in the heat of the moment, leading to negative interactions resulting in workplace violence. </p><p>To set and enforce a social contract, a facility's staff must identify triggers and develop safeguards to protect against an unprofessional response. </p><p>Keeping context in mind can help staff maintain a professional mindset by beginning interactions with patients on a positive note—if an individual or situation creates an uncomfortable atmosphere, healthcare workers should take a step back, take a deep breath, and conduct positive self-talk to encourage confidence.   </p><p><strong>Contact.</strong> Caregivers should have a foundational understanding of a situation's context to be mentally prepared to have positive interactions, which begin long before that first word is even spoken. Staff must take into account what message they are sending with their own body language and expressions. Understanding how nonverbal communication such as posture and facial expressions affects verbal communication can mean the difference between a positive and negative outcome.  </p><p>Oftentimes caregivers focus on the task at hand and overlook crucial nonverbal warning signs from the patient, such as preattack postures or targeted glances at items the caregiver might be carrying such as pens, clipboards, or stethoscopes around the neck. Along with body language, understanding personal space has an equally important role in positive contact—entering an individual's personal space begins to put pressure on them, and if individuals are angry and upset, encroaching on their space may begin to escalate their behavior because they feel that they are being cornered. </p><p>A real-life example of this happened not too long ago in a psychiatric facility when a nurse announced to several patients in a common area that it was time to head back to their rooms for bedtime. Most of the patients complied, but one woman began backing herself into a corner. Instead of retreating and attempting to verbally persuade the patient to come to her room, the nurse got closer to the patient, who then barricaded herself with a table. Two additional nurses came in, causing the patient to move into "fight" mode—she flipped the table, threw a chair at one of the nurses, and physically attacked another. This example demonstrates that when people are in conflict, managing distance and maintaining appropriate personal space can help avoid a potential physical attack. </p><p> However, as part of routine care, doctors and nurses have to touch, poke, and prod patients without regard to their physical or emotional state, developing what is known as presumed compliance. This approach leads to a staffer's complacency, giving them a false sense of security. If a caregiver has been assaulted, it is common to hear them say, "I've done this a thousand times and nothing ever happened before." Before entering a person's personal space, caregivers need to determine if it is safe and appropriate to do so.  </p><p>When a caregiver approaches an individual, they should conduct an assessment at specific distance intervals (such as 10 feet, five feet, and two feet) to determine their own level of risk at each stage, allowing them to either continue or disengage. As they engage physically, a caregiver's relative position comes into play. Standing directly in front of someone or towering over them can imply dominance, so caregivers need to be positioned in a manner that allows them to stay safe, as well as make the patient feel comfortable. Positioning at an approximately 45-degree angle to the patient and communicating at his or her eye level helps avoid an unintentional show of dominance and continue positive contact.          </p><p>After establishing a comfortable position, caregivers should use professional language to introduce themselves and communicate effectively. Verbal interaction begins with a proper greeting—beginning contact with informal greetings like "hey" or "hi" may send the wrong message to the other person. Proper greetings should be professional and tactical to begin the interaction on the right foot without unintentionally escalating the situation. After the proper greeting, caregivers should introduce themselves, state the reason for the contact, and bring the other person into the conversation by asking a relevant question. These four steps to a proper greeting help mitigate potential conflict.  </p><p>Verbal communication, however, is a two-way street. When gathering information to better meet the needs of their patients, caregivers need to go beyond active listening and understand the emotions behind the words, allowing them to use empathy to find the hidden meaning of the words being spoken. By combining the knowledge gained through observations of body language, personal space, and relative positioning, caregivers can make assessments that allow them to remain safe and communicate effectively. Positive contact fosters a supportive atmosphere, and when done well allows the interaction to move into closure. When done poorly, contact can move into conflict.   </p><p><strong>Conflict. </strong>Simply defined as "emotional violence," conflict can lead to stressful work environments and contributes to high staff turnover, leading to negative patient outcomes. Conflict typically begins when the expectations of individuals are not met, and in the healthcare environment usually arises because of someone's perceived lack of dignity and respect. </p><p>A few years ago, one of the security staff in a local hospital was watching a patient on a psychiatric hold. The attending nurse came in and offered to get the patient something to drink, suggesting apple juice. The patient told her that she hated apple juice and didn't want it. The nurse insisted on giving her apple juice, to which the patient said that she would throw it in the nurse's face. However, the nurse proceeded to bring her a carton of apple juice and, after handing it to the patient, had it thrown in her face, as promised. Conflict is more likely to occur when healthcare professionals fail to listen and forget that all people should be treated with dignity and shown respect.  </p><p>When involved in conflict, a caretaker's goal is to de-escalate tensions, return to normal conversation, and end with a positive outcome. De-escalating conflict begins by deflecting verbal abuse and redirecting it, focusing on managing gateway behaviors. Caretakers should then take the context they have gathered and put it into action by asking relevant questions, providing explanations, offering options, and finally giving a second chance. This technique is more likely to generate voluntary compliance, cooperation, and collaboration, which will lead to closure in conflict situations.  </p><p>It is important to incorporate all elements of context and contact when involved in conflict. This allows caregivers to maximize their safety and conduct themselves in a professional manner that gives them the ability to set limits and reinforce the social contract. However, if staff members do not manage conflict properly, they can unintentionally escalate a situation into a crisis.     </p><p><strong>Crisis. </strong>Some events have the potential to lead to an unstable or dangerous situation affecting an individual's ability to make good decisions. Anything can be a crisis—sudden bad news, a traumatizing event, a physical injury, or withdrawals from alcohol or substance abuse. Individuals with brain-based disorders may display rumbling or self-stimulating behaviors such as rocking back and forth, flicking fingers, making unusual noises, or displaying uncontrollable or unexplained twitching. Individuals with psychological disorders may experience visual or auditory hallucinations.  </p><p>Any of these may be warning signs that the individual is entering a crisis. If these behaviors are observed quickly and caretakers intervene effectively, they can begin to bring the individual back to normalcy. If the behaviors are not recognized for what they are, the individual may escalate to rage behaviors—self-destructive behaviors such as slapping their own faces or banging their heads against a wall. Other rage behaviors include physically lashing out and causing injury to others or damaging property. At this point, the primary goal is safety for everyone, including the individual displaying rage behaviors. Once safety is achieved, the goal is to work with the individual to move them into recovery.  </p><p><strong>Combat.</strong> The term "combat" sounds intimidating to most people, but combat is common in the healthcare environment. Combat can be physical violence that has escalated from other unmanaged behaviors. A patient can become combative when verbal skills have failed to de-escalate conflict, when the intervention during a crisis event was not effective, or when staff safety is threatened with potential for physical harm. Sometimes caretakers can be their own worst enemies by creating combat scenarios through their actions—or inactions.  </p><p>For example, a patient was discharged from the surgical floor of a local hospital. This patient refused to leave until she spoke with her doctor, so hospital security was called to intervene. However, before security personnel could respond, the decision was made to physically dress the patient and remove her from the room. When physical contact was initiated by the nursing staff, the results were disastrous. One caregiver was pushed over a table, injuring her back, while others struggled to control a now violent individual.   </p><p>Staff response to combat is dependent on the totality of each of the circumstances they encounter. When appropriate action is taken, rules of engagement such as policies and procedures, training and experience, and current laws and court rulings must be taken into consideration. As demonstrated by the story above, caregivers must be careful not to create their own combat scenarios. The primary goal in combat is to maintain everyone's physical safety, but if staff can take their time, communicate professionally, and have a preplanned and practiced response, they can take the appropriate action. In combat scenarios, staff members must always have the mindset of being the victor and not the victim. When action is taken, it must be done in a safe and efficient manner with the goal of re -establishing control to chaotic situations with minimal injury to all involved.  </p><p><strong>Closure. </strong>Closure is a personalized tactic that changes from situation to situation. When caregivers end their encounters with patients—whether good or bad—their goal is to establish a stronger foundation for future interactions. Closing encounters should summarize the events that took place, reinforce the social contract, and establish a plan for future interactions without inadvertently reigniting a previous conflict.  </p><p>A longtime member of a hospital security department shared an example of this after completing nonescalation training. Previously, he closed every encounter by telling the person to have a nice day, regardless of the circumstances. What he did not realize was that his closure statement was received in a negative light—it could be viewed as a parting shot—and often resulted in re-escalating the situation. Phrasing that treats the person with dignity and respect—such as "I'm sorry this happened today. Next time let's work together so that we don't have to go down this path. Sound okay?"—puts both the staff member and visitor on the same level, provides closure, and establishes an equal foundation for future interactions. </p><p>To reduce incidents of workplace violence, caregivers need to know they are supported in the actions they take. This begins with support from their leaders, encouraging caregivers to report workplace violence incidents when they happen. Additional support can be gained through partnerships with local and state law enforcement and legislatures, and development of a comprehensive training program. </p><p>Through these mechanisms, healthcare professionals can learn the skills to effectively manage and reduce incidents of workplace violence. By adopting a comprehensive conflict reduction plan into healthcare, caretakers can establish an environment of care that is incompatible with conflict and violence. </p><p><em><strong>Ryan Weber </strong>is Training Assistant, Loss Prevention Security at Aurora Health Care, and is trained by Vistelar as an organizational instructor of the Six Cs concept. His colleague Dennis Hafeman, Training Coordinator, Loss Prevention Security, contributed to this article.</em></p>

Guard Force Management Are People First Technology with a Personal Touch a Professional Guard Force Education Sessions Address Security Challenges Thanks: National Security Officer Appreciation Week Kicks Off Color Theory 2 Peer Protection Guard Scheduling Conundrum¡PRESTA-ATENCIÓN!.aspx2017-07-13T04:00:00Z¡PRESTA ATENCIÓN! Role of School Resource Officers and Security: The Risks of Arming Security Officers Next Tase Phase Arm or Not to Arm? Five Design Considerations for Control Rooms News June 2016 Dangers of Protection: What Makes a Guard Firm Low- or High-Risk? Review: Physical Security and Safety Tase Craze and Use of Force Plan for Polite Protection

 You May Also Like... a Professional Guard Force<p>In today's environment of heightened security in all areas, security departments are struggling to attract and retain high-quality guards. Now more than ever, it's vital to examine how security guards are evaluated, trained, and compensated.</p><p>All entities, including corporations and government facilities, understand the importance of a top-notch security force. However, not all of them recognize the elements needed to create such a force.</p><p>Security managers may presume that a security guard who passed the preemployment screening and successfully completed training when hired will perform the required duties well. And that may be true. But human nature allows people to become complacent, cut corners, and get too comfortable. Continuing education, regularly scheduled evaluations, and enhanced training can improve the team's performance.</p><p>On March 1, 2016, at Escuela Campo Alegre, Caracas, Venezuela, we initiated a new method of recruitment and selection for incoming loss prevention and control analysts (LPCAs). At that time, we chose to enhance our program by hiring 10 people with bachelor's or associate degrees in engineering, economics, administration, education, and other related fields.</p><p>We developed a screening and training program for candidates hoping to join our security team as LPCAs. In addition, we created a regimen of close supervision and daily evaluation of the security force to reinforce the training. </p><p>Here are the elements that led to success in creating excellent employees for our school's protection, from the first job application to seasoned protection professional.</p><p><strong>SCREENING AND TRAINING</strong></p><p><strong>Detailed job description. </strong>Experience has taught me the importance of a detailed and clearly stated job description. Candidates for the position of LPCA receive a precise explanation of the duties and expectations. This is presented first so that potential candidates fully understand the duties and responsibilities of the position. If the job description isn't something the candidate wants to do, we have saved everyone a lot of time.</p><p><strong>Required qualifications. </strong>Every security force has necessary requirements when seeking team members such as age, place of residence, experience, physical abilities, criminal background, and computer skills. Education, of course, is taken into consideration, and at Escuela Campo Alegre we look for higher education, from associate degree to bachelor's degree and up, for LPCA candidates.</p><p><strong>Testing potential candidates. </strong>LPCAs must have certain abilities from the beginning.</p><p><em>Observation.</em> The candidate must be attentive and aware at all times of the general appearance of people, placement of objects, locations, colors, vehicles, and location of security equipment.</p><p><em>Oral communication.</em> The candidate must be able to respond in detail when relaying and explaining the facts of a situation. The candidate must also be able to delegate duties to a third party using clear directions.  </p><p><em>Written communication: </em>The candidate must be able to write a report using correct grammar and vocabulary. An excellent memory is needed to write a complete report. Also, the candidate must be computer literate to produce the report.</p><p>During the interview process, we determine if the candidate has the qualifications listed above. We evaluate the ability to give directions properly to a third party. Observation skills are also evaluated. Reporting skills are tested by having the candidate read and summarize a paragraph using a computer.</p><p><strong>Introduction to private surveillance. </strong>A candidate who passes the initial interview process is invited to attend an eight-hour training presentation the next day. This introduction exposes the candidate to the basic requirements of private security. Among the topics addressed are the expectations of a security officer, the organizational mission, legal aspects, visitor management, keys and locks, and guard tours.</p><p>After the presentation, the candidate undergoes a test, which requires 17 points to pass. If successful, the candidate is invited to come the following day to read the operations manual. </p><p><strong>Operations manual. </strong>This next step is important. We determined that it requires five business days to read, analyze, and understand the school's operations manual. We administer an evaluation at the end of each day to determine whether the candidate has understood the reading for the day. This helps to clarify questions or misunderstandings the candidate may have. If the candidate does not reach the minimum score during the first evaluation, the average of the first and second tests must be a passing score. Candidates who do not receive the required score are no longer considered, but those who pass the evaluation are invited to the induction program.</p><p><strong>Induction program. </strong>This phase of our program provides detailed descriptions of the jobs to be performed. Candidates learn that they will rotate throughout the facility and understand that there are multiple and varying tasks at each location. They receive on-the-job exposure to the work by staying at our institution during four day shifts and two night shifts.</p><p>The candidate is evaluated each day, and the minimum passing grade is 17 out of 20 points. Once again, candidates who do not receive a passing grade will no longer be considered for a position.</p><p><strong>Final evaluation. </strong>After passing the induction program, the candidate will meet with the security manager for the final assessment. This assessment includes topics such as employee identification, addresses of various locations, location of safety equipment, knowledge of the operations manual, recognition of patrol routes, and disciplinary code.</p><p><strong>Assignment to a guard group. </strong>Candidates who advance through the final evaluation receive the rank of Officer I and are assigned to a regular working group. Together with the supervisor, the officer will put into practice all theoretical and practical knowledge achieved through training. The officer will work as an auxiliary for 90 days and will perform day-shift and night-shift tasks in conjunction with the assigned group. </p><p>During this trial period, the officer will be guided and instructed by the supervisor regarding the responsibilities of the log book; closing and opening of facilities; operation of lighting; vehicle fleets; entry and exit of students; entrance of drivers, chauffeurs, and caregivers; Escuela Campo Alegre staff, contractors, tutors, substitutes, trainers, and frequent visitors; entry and exit materials; fire alarm system; evacuation drill; and many other activities. </p><p><strong>Completing the probationary period</strong>. Once Officer I completes the probationary period, we administer an evaluation to demonstrate readiness to assume multiple responsibilities. If the officer does not pass the evaluation, an additional 15 days as an auxiliary allows for more instruction, followed by another evaluation. When this evaluation is passed, the individual is promoted to Officer II.</p><p><strong>Certification as Loss Prevention and Control Analyst. </strong>An Officer II will work for nine continuous months at the new job, demonstrating knowledge of establishing priorities, situation analysis, decision making, safety, conflict management, investigations, and first aid. Depending on performance and the results of monthly assessments, it can be determined that the officer has a clear understanding of what constitutes the work of the supervisor. The officer is now eligible to be certified as an LPCA. A further evaluation involves a series of cases and situations and requires a passing score to become a certified LPCA.</p><p>Out of 120 people who apply for a position as an LPCA, only about 10 successfully reach this point.</p><p><strong>EMPLOYEE DEVELOPMENT</strong></p><p><strong>Training updates. </strong>In our organization, we believe that providing continuous training enhances the performance of each member of the group. Daily training is provided to each member of the guard force for 15 minutes prior to the day shift and the night shift. This training is different every day and covers more than 40 areas related to the fulfillment of security tasks. The training aims to strengthen the knowledge and ability to perform required tasks.</p><p><strong>Daily evaluations. </strong>From the first moment the candidate joins our ranks, we stress the importance of maintaining our organization with a spirit of healthy competition within the groups. This interest and enthusiasm in our organization fosters respect, pride, and knowledge about the organization.</p><p>The daily evaluation is a practical application that consists of the exchange of files and questions that the coordinator of vigilance presents to each member of the group. Officers must demonstrate their ability to recognize the faces of employees, know the geographical location of any room on campus, know the exact location of the security equipment, provide detailed information of the operations manual, run the courses correctly, and honor the disciplinary code. This daily evaluation keeps officers on their toes and objectively assesses their knowledge.</p><p><strong>Monthly evaluations. </strong>At the end of each month, the scores from the daily assessments are reviewed, allowing us to determine who has been an outstanding analyst and who may need more supervision and additional training. Officers who come up short three times during the school year are reassigned to jobs outside of Escuela Campo Alegre. </p><p><strong>LPCA lectures. </strong>Each LPCA of Campo Alegre School, as part of ongoing professional development, must present a lecture about security once a year. Each 20-minute lecture is followed by a 10-minute question-and-answer session. The topic of the lecture is assigned by management. </p><p><strong>Annual research presentation. </strong>For further professional development, each LPCA at Escuela Campo Alegre must research and propose new tools, criteria, or procedures to make the job function better and more efficiently. This improves the LPCA's skills while helping management meet its objectives.</p><p><strong>Interpersonal communications with management. </strong>Once a week, an off-duty analyst will attend an hour-long meeting with management. The parties discuss topics not related to work, such as sports, hobbies, and leisure pursuits. Management gains an appreciation of the social, cultural, and familial environment of the analyst, and both participants strengthen their communication. </p><p><strong>Disciplinary court. </strong>If any officer is involved in a disciplinary action, that officer seeks a member of his group to act as his "lawyer." The lawyer will represent the officer and help to clarify the situation. Likewise, management will choose an officer to act as "prosecutor" to argue the case of the disciplinary action. This interaction allows each party a fair chance to present facts. </p><p><strong>LPCA authors. </strong>Every member of the security team is required to write an article about campus security. The article is published in our digital magazine and is shared with the Campo Alegre community, including parents, students, teachers, employees, and contractors.</p><p><strong>LPCA of the month. </strong>Each month, an officer who has successfully met all objectives is awarded LPCA of the month. The objectives include staff identification, detailed knowledge of the campus, analytical prowess with regard to the operations manual, location of safety equipment, completion of duties, and adherence to the disciplinary code. The officer must demonstrate clear concise communication and common sense.</p><p><strong>LPCA of the year. </strong>This honor is awarded to the LPCA who has received the greatest number of monthly awards.</p><p><strong>Compensation. </strong>In addition to careful training, we know that humans respond well to a good salary and benefits. They feel appreciated for a job well done. We are proud to say that our LPCAs are the best paid in the country. In addition, they receive a stipend for being a university graduate, a stipend for transportation, and bonuses for work performance. The Escuela Campo Alegre community also shows appreciation through thank you notes and personal gratitude. That goes a long way in making our team feel appreciated.</p><p><strong>RESULTS</strong></p><p>Since Escuela Campo Alegre began this program of recruitment, training, supervision, daily evaluations, and professional development of analysts, management has observed both positive and negative behaviors: distractibility, obscurity, lack of discipline, lack of confidence to perform duties, inequality when working in groups, selfishness, and lying, as well as professionalism, fairness, honesty, transparency, and overall pride in the work and the institution. </p><p>Our evaluation system contributes greatly toward a successful program. A Google Doc is available so that every person on the task force can monitor his behavior and improve in areas of operation, manual details, face recognition, geographic location on campus, security equipment location on campus and security rounds. With this information available at any time, they can self-motivate and improve. The same Google Doc can show them where they stand as far as positioning and they can see what salary increase they may expect on their next evaluation. The disciplinary system tracks all mistakes made by the analyst on duty. This provides the analyst the opportunity to correct mistakes and advance in the program.</p><p>Our turnover is very low because of our evaluation system. It not only helps those who wish to advance, but it also allows others to realize, on their own, that their job performance is too low to continue.</p><p>The analysts take pride in their work and, because they can see what other analysts are achieving, they can collaborate and ask questions of those higher achievers. There are fewer missed shifts. Because the analysts work so closely together and respect each other, they are more willing to cover for a team member.</p><p>It has been arduous work that involves a great deal of discipline, ethics and morals, teaching, and faith in what we are doing. We are proud of our successful program and will continue to refine and improve it in the future.</p><p><em>Guillermo Guevara Penso was security manager at Escuela Campo Alegre in Caracas, Venezuela, until July 2017 when he elected to seek other security related opportunities in Chile. He has more than 30 years of experience in the security field.</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Unseen Threat<p>​Traditionally, factory security assessments have been directed towards the inside of the factory or plant and not to the more exposed perimeter, including the perimeter wall of the factory structure and the fence line. Similarly, assessors often look at the factory’s cyber network and examine the configuration of servers, switches, and human-machine interfaces, but may pay less attention to the outside of the facility walls and physical grounds because they tend to fall outside the classic cyber and physical security boundaries. </p><p>However, with the increased awareness of the security weaknesses that industrial control systems face, there has been a growth in requests to security and consulting companies for combined cyber and physical security assessments of factories and critical infrastructure. The North American Electric Reliability Corporation (NERC) puts out Critical Infrastructure Protection (CIP) standards that strengthen the cybersecurity of North American electric grid operations, and recent updates emphasize the importance of strengthening both physical and electronic security perimeters. </p><p>A shift in the industry toward enterprise security risk management (ESRM)—which focuses on using risk assessments to inform an organization’s security approach—moves beyond assessing physical security. However, this can be a difficult shift for facilities that do not have a clear risk profile.</p><p>This gap in the security assessment process offers an opportunity for plant managers to take an ESRM-inspired approach and better understand their security and infrastructure vulnerabilities to both physical and cyber threats.​</p><h4>DRAWING THE LINES</h4><p>Two security concepts raised in the NERC CIP are related to electronic security perimeters (ESPs) and physical security perimeters (PSPs). The ESP is an imaginary perimeter drawn around a set of critical cyber assets and is usually defined by the location of perimeter access points such as firewalls and modems. The PSP is typically defined as a six-sided border that surrounds critical assets. In the NERC model, the border is intended to totally enclose the ESP. </p><p>Although the ESP is a logical, imaginary depiction, it gives a sense of the electronic traffic flowing into and out of a critical set of digital assets as well as the physical plant. This assessment is normally performed by evaluating network topology diagrams, walking down network systems looking for telephone and wireless infrastructure, and conducting interviews with plant operations technology staff. If done thoroughly, the assessors are also looking at wireless traffic such as cellular, LAN network, or Wi-Fi connectivity flowing across the ESP.</p><p>A PSP is more readily determined and tangible. Here, security is literally walking along the perimeter of a room or building that is enclosing the ESP. Security is normally looking for any means of physical penetration such as doors, ventilation louvers, or an opening under the wall or fence. A PSP determination is more natural and can be readily performed by a skilled physical security professional.​</p><h4>ELECTRONIC PERIMETERS</h4><p>A structured but more unusual way to approach a facility assessment is to start with the ESP and PSP concepts in mind and to apply them to the footprint of the facility being examined.  </p><p>Begin with an overhead view of the facility and the corresponding fence line if possible. One technique is to obtain the satellite view of the facility from an online mapping tool such as Google Earth. Alternatively, a plan view drawing of the facility and surrounding grounds obtained from the facility service manager may be used.</p><p>Using this overhead view, draw a border around the facility perimeter with an optional border at the fence line. Once the analysis boundary has been identified, pinpoint both tangible and invisible services and activities, including underground, airborne, or surface vectors. Consider services that cross this boundary and place them on the map where they enter the facility.</p><p>Infrastructure to consider includes electric power feeds from substation or emergency generators, natural gas or propane, water, sewer, enterprise and public fiber connections, telephone and cable television lines, and other commercial services. Inbound services such as product feeds from other facilities and deliveries like mail or packages, as well as outbound shipments, should also be taken into consideration.</p><p>Electronic signals that cross in and out of the facility include Wi-Fi, cellular, radio, and satellite communications, and these should be included on the risk map. For example, while performing an assessment of a client’s facility, including a wireless security inspection, Wi-Fi service was detected but was not owned or provided by the enterprise. The investigation revealed that the signal was from a nearby house and was not secured, allowing employees and visitors at the factory to connect to the rogue Wi-Fi. Such a connection could contaminate the individual’s laptop or mobile phone, as well as other Wi-Fi–equipped devices, with a worm, virus, or ransomware from the unknown and uncontrolled Wi-Fi.</p><p>A similar vulnerability was discovered at another power plant: a contractor’s trailer adjacent to the plant fence line had an insecure Wi-Fi set up, which was available inside the power plant.</p><p>Depending on the age and type of property, identifying these services may be a challenge. Older facilities may not have the necessary drawings, infrastructure diagrams, or employee knowledge to identify where the underground lines are for some of these services. Older facilities also suffer from abandoned equipment and systems that tend to be ignored because they are no longer in service. If the client has recently purchased the property, it may not know where these services enter or exit the plant.</p><p>An additional complication is that some services have dual feeds from separate locations. For instance, a data center will normally have redundant power and communications at different perimeter locations. These should be reflected on the analysis mapping.</p><p>Once these various activities and services have been identified and listed, begin looking at the vulnerabilities each poses to the plant and to the availability of the facility operations. </p><p>The perimeter assessment should be more holistic than simply walking down a fence line or the perimeter of a building. For example, while performing this analysis for a client, a problem was identified with the underground water feed into the plant. The plant had only one line entering the plant supplying potable water, service water, and fire protection/sprinkler water. The line ran under the fence, across a large field between the fence and the factory itself, and then into the building with some feeders going to the fire pumps located outside the factory in a field. The line could be subject to backhoe or digging damage because it was not effectively marked, but the larger problem was outside of the fence.</p><p>Beyond the fence line was the water service building—a small, unmarked wooden structure that contained the tap into the local city water supply, as well as several isolation valves and a flow meter for billing and volume calculations. The inspector discovered the building open and unoccupied—the door padlock was hanging open on the hasp. This would have allowed an attacker to shut the water supply valves and take advantage of the unlocked padlock to either lock the valves or close and lock the building door, thus delaying emergency responders to reopen the valves. Such an attack would have posed serious consequences for the factory because closing these valves would have shut off all water to the facility.</p><p>The inspector needs to look at all telltale signs and artifacts—many of which are prominently placed—that could tell an attacker where a softer and more vulnerable service feeding the plant is located. For example, site and facility architects use underground vault covers that explicitly label the service. That practice can be helpful for maintenance and emergency response but it also provides an easy target for criminals. </p><p>Similarly, the way these vault covers are secured could be problematic. The covers should be locked, but an added layer of security includes using tamper-resistant fasteners or proprietary screw heads and bolts.</p><p>Conducting an integrated, ESRM-based analysis helps bring awareness of what crosses facility boundaries, whether it be in electronic or physical form. It encourages plant managers to document underground infrastructure and fill gaps in knowledge, and provides enhanced planning for both physical and wireless attacks from modes ranging from surface injections to airborne threats. By mapping out both the physical and electronic perimeters, a facility’s security approach can be based on what can and cannot be seen.  </p><p><em>Ernie Hayden, PSP, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), SANS Global Industrial Cyber Security Professional (GICSP), is the ICS cybersecurity lead at BBA, a Canadian engineering company. He is a member of ASIS. ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Guard Scheduling Conundrum<p>​Guard scheduling in a security services company may seem straightforward, but the potential for costly consequences is huge. Scheduling-related errors can lead to financial penalties that can put the business at risk. Class-action claims for unpaid overtime, unpaid breaks, and illegal scheduling practices have cost companies millions of dollars. How can you minimize risk?</p><p>The basic premise is simple: Get the right guard to the right place at the right time, doing the right things. But it takes only a few minutes on the job for the scheduler to realize that simple scheduling gets complicated—very complicated. Let’s step back and look at all the pieces that go into the scheduling puzzle.</p><p><strong>Repeated tasks.</strong> Each assignment requires the same basic actions. A guard scheduling process should handle the myriad details of scheduling easily and efficiently so that managers are freed up to keep their eye on the broader operation. Moreover, schedules are not done once and then left on a shelf. They are alive and active, so modifying them must be easy and accurately done. </p><p><strong>Rules, rules, and more rules. </strong>Scheduling people is full of micro conditions that you need to know: overtime, breaks (paid or not), site rules, and business processes. Does your week start at midnight Sunday? Do hours worked fall into the week they are worked or into the last day of the week they are completed? You need to know the answers and keep track of them.</p><p><strong>Skill sets.</strong> Your top salesperson just signed a high-profile account in town. To onboard your staff for the new account, you need to clearly identify what skills and attributes are required for a guard to work there. For example, will the guard need to use systems or equipment that require training?</p><p><strong>Exposure.</strong> Security staff occasionally fail to show up, book off, or have emergencies. To protect your client and yourself from an uncovered site, you need a 24/7 alerting mechanism that can also help you quickly find a qualified replacement.</p><p><strong>Exceptions. </strong>We live in a world of exceptions—the “yes-but” clause. For example: “That is always the schedule except…” or “I will always work five days in a row, except when I…” The scheduling process has to be flexible enough to manage exceptions. </p><p><strong>Overtime.</strong> Simply put, unbilled overtime (OT) can destroy profit margins, which are already tight in most guard companies. OT varies based on jurisdiction, but in general OT can be 1.5 or 2 times a regular wage rate. Even salaried people can be entitled to OT if they earn less than the weekly threshold (subject to conditions, the U.S. threshold is $913 per week). Does your process protect you from overscheduling individuals?</p><p><strong>Liabilities. </strong>Even if you prepare for every contingency, liabilities can occur. A guard who doesn’t know what to do or whom to alert can cause damage. Or, imagine that a new scheduler places an employee at a site they were previously banned from: client confidence will take a hit.</p><p><strong>Large volume.</strong> When you are running an event and need to book many guards at the same time, your process should allow you to book by multiple means. At events, getting guards logged in and attending to their posts with the required instructions are crucial; the process needs to be efficient.</p><p><strong>Special rules.</strong> Countries, states, provinces, and even cities have their own rules. On top of that, there are collective agreements and special function rules to consider, where applicable. Are compressed work weeks legal or not? What sort of rest periods are required between shifts?</p><p><strong>Scheduling errors.</strong> Client confidence can be shaken if you are repeatedly double-booking guards for the same shift. In that scenario, which guard gets paid? Both?</p><p><strong>Ecosystem.</strong> There are many moving parts in a security business: applicant tracking, onboarding, security operations, scheduling, payroll, invoicing, accounting, and other business operations. It is smart to have systems that integrate seamlessly with each other. Do not be held hostage to a system!</p><p>The most obvious way to address the mission-critical function of scheduling and timekeeping is to adopt a back-office software tool. Such software is designed to automate the repeatable, consider all the rules, provide guidance when assigning resources, and adhere to functions in service-level agreements. To truly drive efficiency, systems must do more than just schedule. They should give you a leg up on contract management and invoicing as well as drive business intelligence data. </p><p>To fully benefit your operations, couple back-office tools with front-line automation tools to create an ecosystem that harnesses the data generated by the security company and drives overall service that is more accountable, reliable, transparent, and efficient. After all, a security business needs to invest in activity that drives business, and avoid wasting money on the management of lawsuits and exposure.</p><p><em>Mark Folmer, CPP, is vice president for the security industry at TrackTik. He is a member of the ASIS Security Services Council and ASIS senior regional vice president for Region 6, Canada. He also serves on the PSC.1 Technical Committee and Working Group.</em></p><p><br> </p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465