Surveillance You Be Watching?GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652019-04-01T04:00:00Z<p>​A gunman opened fire at Marjory Stoneman Douglas High School in Parkland, Florida, on 14 February 2018, killing 17 students and staff members and injuring 17 others. </p><p>In the aftermath of this latest tragedy, many school systems across the United States began to reassess their overall security strategy. Some U.S. states and local jurisdictions even addressed the problem legislatively, allocating money for school resource officers and technology upgrades. (For more on the response to this tragedy, see “News and Trends,”)</p><p>As a result, many campuses installed comprehensive camera systems and access control equipment and renewed their focus on keeping bad elements out of the educational environment.</p><p>Shortly after these installations were made, one of the authors was asked to tour one such campus and provide feedback on the improvements. </p><p>After assessing the state-of-the-art camera and recording system, the noticeable increase in access control measures, and the presence of an armed law enforcement officer, the author asked the school administration: How are all these cameras being effectively monitored in real time to stop or mitigate any potential threat?</p><p>Unfortunately, there was no response. The question illustrated a major deficiency in the overall security plan for the school. </p><p>While virtually every square inch of access points, parking lots, and common areas was covered by the new camera system, the live feed went to a bank of monitors in an unoccupied office. School administrators would occasionally look at the feeds and were assured that incidents would be recorded for use later during investigations into disciplinary issues or criminal conduct. But there was no effective way to be alerted to suspicious activity or imminent threats before it was too late to prevent them.</p><p>The scenario that played out in this school has been repeated numerous times in industrial settings, commercial building​s, hotels, and residential settings. Cameras are an effective recording and forensic tool. But what role could—or should—they play in preventing criminal activity from occurring in the first place?</p><p>Not all situations are alike, and a camera monitoring strategy cannot be a one-size-fits-all solution. Sometimes a property’s needs are relatively simple, and the solutions are easily identifiable and available. Other times, the security needs of the property may require a significant amount of time to assess and determine if monitoring will be an effective prevention tool. Often it comes down to a simple question: Can it wait until tomorrow?</p><h2>Monitoring</h2><p>Video monitoring services typically fall under one of two categories: event-based video monitoring or patrol-based video monitoring.</p><p>With event-based monitoring, an alarm is generated—perimeter breach, motion detection, burglar alarm, and panic button—and received in a command center. A monitoring agent, often in a location that might be hundreds of miles away from the property, then investigates the alarm and its cause to determine if any action is needed, such as calling the police to respond to an intruder. This process is known as video verification.</p><p>With patrol-based monitoring, an agent looks at each camera to check for unwanted activity. The agent conducts proactive announcements as he or she goes, notifying an onsite security officer to investigate any suspicious activity that is observed. </p><p>Much like a security officer conducting patrols on foot, the agent is following predetermined protocols outlined by the property owner or security provider, including providing video escorts, reporting lighting deficiencies, and monitoring sensitive areas.</p><p>With each type of monitoring, agents address suspicious activity, track and log events, and create reports, as needed. Both are dependent on the performance of trained professionals and combine human intelligence with technology to form a comprehensive solution.</p><p>If there are no exigent circumstances surrounding the activity being recorded that would dictate the need to be proactive, then there is typically no need for real-time video monitoring. </p><p>To determine which approach to take, security managers should ask themselves: Do you want to prevent something from happening? Or are you more interested in piecing together events after the fact from recorded videos? In these situations, cameras are used as forensic tools.</p><p>Examples of this include toll booth and traffic light cameras that issue citations after the fact; cameras that are used that perform automated tasks, like counting visitors or shoppers for research purposes; specialized cameras, like license plate readers; or interior cameras within a monitored perimeter. </p><p>For instance, if a security manager oversees a production facility that has a monitored perimeter at a high level, then he or she may consider not having the second level—including interior cameras—actively monitored. This hybrid reduces cost and workload.</p><h2>Going Live</h2><p>All the examples listed above are useful functions that an unmonitored camera system, or a partially monitored one, can serve. But if there is a need for more than these applications provide, only live video monitoring will work.</p><h4>Distribution centers. </h4><p>A beverage manufacturer needed a security solution for several distribution centers in the northeastern United States. Fully loaded tractor-trailers were being stolen from sites, emptied of their contents, and abandoned, causing heavy losses for the manufacturer. The distribution centers were also victims of property damage, including vandalism. </p><p>Traditional security solutions were ineffective for the centers. And because each site had several authorized daily pickups, it was difficult to distinguish between thefts and normal operational activity.</p><p>To address the problem, the property owner installed cameras at all the distribution centers and programmed highly customized rules for alarm generation. Alarms would only be triggered if certain vehicles were moved—and only if they moved in a specific direction of travel.</p><p>Prior to the installation, each center was experiencing—on average—about one theft per month. Since implementing monitoring services, zero thefts have occurred, and all instances of vandalism have been eliminated.</p><p>This is because the property owner was able to take a proactive approach and intervene when suspicious activity occurred. A monitoring strategy was set up and analytic alarms were also implemented to alert personnel if a trailer began to move or if a person was in the vicinity of a fully loaded trailer. </p><p>When an alarm went off, personnel monitoring the camera feeds would make a call to the site to confirm if the activity was authorized. If it was not, monitoring personnel could use voice technology to communicate with the individual and on-site security or law enforcement could be dispatched to the scene.</p><h4>Remote areas. </h4><p>A large energy production company was faced with growing security issues commonly associated with remote well sites, such as theft, vandalism, and environmental damage at production and storage locations.</p><p>Recently, a vandal had opened a valve and left the site. This resulted in the loss of thousands of gallons of oil and a costly clean-up process. </p><p>Traditional security strategies such as fencing and on-site guards were not viable due to the remote and isolated location of the well site.  </p><p>The property owner, using a security monitoring company, conducted a site survey and put together a custom solution. The system featured solar power with a five-day backup power supply, cellular Internet, full audio, and a camera layout covering the entire site perimeter.</p><p>The system was designed this way because detection was not enough; the system needed to provide the property owner with the capability to intervene and stop intrusions from happening in the first place. </p><p>Using this monitoring system, the property owner was able to provide an effective security solution at a fraction of the cost normally associated with traditional security guards. Through the implementation of a video-voice system, the property owner was able to eliminate unwanted activity at the well site. </p><h4>Retail. </h4><p>A retail store was facing security challenges that were not adequately addressed by a traditional burglar alarm system. Off-hours staff in the store were setting off the alarm, resulting in a police response and financial charges.</p><p>The standard burglar alarm panel was insufficient to meet the store’s needs. And it was racking up thousands of dollars annually in overage charges with its monitoring company. Despite attempts to reduce false alarms and improve security, efforts had failed. In the one instance in which a true alarm went off, police responded seven minutes after the intruder had left.</p><p>To address the problem, the property owner installed a video verification system. The store’s burglar alarm panel was set up to send trouble signals to a video monitoring company’s command center, and cameras were added at alarm points so all signals could be visually verified.</p><p>This new approach allowed the property owner to visually verify the cause of alarms, eliminating false alarms and unnecessary police dispatches. The new system eliminated all false alarm response and resulted in better overall security for the store.</p><h4>Residential. </h4><p>One of the leading residential management companies in the United States was dealing with theft, vandalism, drug activity, loitering, and noise violations. Overseeing hundreds of properties, it needed a security solution that would not only be cost-effective but also efficient.</p><p>Various video and security systems were already in place at some of its properties. The company collaborated with a video monitoring firm to evaluate each site and develop action plans. </p><p>For some sites, the task involved modifications or enhancements to existing systems—such as additional cameras, recording devices, video analytics, and audio. Other sites required full proposals for new installations.</p><p>Intelligently designed systems to allow for maximum site coverage were installed with an emphasis placed on areas designated as trouble spots, such as stairwells and building entrances. </p><p>Door access systems were installed or updated at several sites, complemented by audio and video to allow for controlled entry to the complexes. Voice technology provided both proactive and reactive solutions to reducing and eliminating undesired behavior, like loitering. </p><p>Through voice technology, the remote monitoring agent could speak directly to the individuals in the environment that he or she was monitoring. For instance, an agent could use the voice ability to direct people lingering at a closed pool to leave the area—instead of sending someone in person to address the situation.</p><h2>Common Mistakes</h2><p>Camera monitoring is a valuable tool in a comprehensive security program, but it does present some common pitfalls that should be avoided. </p><p>One of the most common mistakes made in implementing a camera monitoring strategy is the fact that human viewing of a video monitor is not adequate—or ultimately productive. In many security operations centers, security officer duty stations, or front office environments, you will find a bank of camera monitors. In some cases, a single screen is filled with multiple camera feeds. </p><p>When someone is asked about the purpose of this, the response is often “the security officer is monitoring the cameras.” But is this approach effective?</p><p>The National Center for Biotechnology Information recently conducted a study that investigated how long individuals could concentrate on a task without becoming distracted. </p><p>It found that in 2000, the average attention span was 12 seconds. In 2014, that number dropped to 8 seconds. Most experts cite the advent of social media and increased stimulation in day-to-day activities as the reason people are losing their ability to stay focused.</p><p>Another recent study from The New York Times found that among people who watch videos online for entertainment, 19.4 percent abandon most clips after 10 seconds. After a full minute, only a little more than half of the original audience will still be watching. Even when people are not working, they struggle to see things through to the end. </p><p>These statistics and concepts reiterate and reinforce that video monitoring should be a team effort. One set of eyes is too easy to fool or to distract. And no method of training and education can overcome human nature.</p><p>Other mistakes that can negatively impact a monitoring strategy include installing improper or inferior equipment, and not having adequate camera coverage to detect suspicious activity and unfolding security events. </p><p>Budget concerns have also given rise to one recurring topic in the legal world: the dummy camera. This is nothing more than a plastic housing designed to look—and in some cases act—like a real camera.</p><p>Many home improvement stores offer consumers a four pack of decoy cameras, complete with blinking lights and signs that read “caution, video surveillance in progress.”</p><p>Some security companies and installers will also offer this as an option to customers who don’t want to invest in a real camera system. While this may seem like a quick and cheap alternative to accomplish the goal of deterrence, it raises legal and safety questions.</p><p>By installing dummy cameras, business or property owners risk creating a false sense of security, especially if they are on notice of a dangerous condition.  </p><p>Owners also must consider the message these fake cameras send to employees, visitors, and others who come onto the property and observe them. Is there a reasonable expectation that these cameras are preventing, or at a minimum recording, any incidents that take place? Or do most people use them to scare off bad actors?</p><p>If a major security incident occurs in or around a dummy camera, and a lawsuit is filed, this will likely be unpopular with the jury when it is deciding whether reasonable steps were taken to secure the premises.</p><p>The bottom line is this—if security needs are so pressing that an owner is considering installing a video system, he or she should spend the money necessary to do it right. Installing dummy cameras may save a few dollars in the short term, but in the long run they could become much costlier.</p><p>The security industry is enjoying a technology revolution like it has never seen before. One of the main benefits of this is improved and enhanced camera capabilities. </p><p>In the future, camera monitoring will continue to be part of the overall security plan. With the proper strategy that includes a blended approach of analytics, security officers on site, and proper installation and coverage, camera monitoring can be a significant force multiplier for virtually any property.</p><p>When security planning and discussions are held, security managers should ask how they can improve their overall program through effective camera monitoring—and if it can wait until tomorrow.  ___________________________________________________________________________________________________________________________________________________________________________________________________________</p><p><em>Eddie Sorrells, CPP, PCI, PSP, is the cEO and general counsel for DSI Security Services. He is the past chair of the ASIS International Security Services Council and currently serves as an ASIS council vice president. Bradley Gordon is the CEO of Viewpoint Monitoring in Lowell, Massachusetts. He served in the U.S. Marine Corps and holds a J.D. degree in Criminal Law from Boston College Law School. Gordon is a member of the ASIS Security Services Council and has been an ASIS member since 2013.</em></p><p><br></p>

Surveillance You Be Watching? Future of Office Security City Embraces STANLEY Service Solution to Investigate #MeToo Online the Control Room of Tomorrow.aspx2018-12-01T05:00:00ZBuilding the Control Room of Tomorrow 2018 Industry News Security: Patrons, Players, And Cheats Security, Small-Town Feel With A Twist Survey On Video Surveillance Trends Launches Port Problems Ways VMS Solutions Enhance Municipal Surveillance End Benefits of Remote Monitoring and Services IT Innovations are Changing the Security Market VUELO in for Safety on the High Life Charleston International Airport Modernizes Security with Pivot3“Artificial-Intelligence-of-Things”-is-Transforming-Video-Security.aspx2018-06-26T04:00:00ZHow the “Artificial Intelligence of Things” is Transforming Video Security

 You May Also Like... Study: Loss Prevention at Stew Leonard’s Farm Fresh Foods<p>In 1969, a Norwalk, Connecticut, dairy farmer named Stew Leonard had an epiph­­any: the milk delivery business was going to go the way of the horse and buggy. Leonard decided to found a small dairy shop with seven employees and carrying just eight items. The little market quickly grew into the world’s largest dairy store. Today, Stew Leonard’s Farm Fresh Foods are located in Norwalk, Danbury, and New­ington, Connecticut; and Yonk­ers, New York. It is a $300 million annual enterprise with approximately 2,000 employees.</p><p>The stores sell more than 6,000 items—everything from meats to wine to bakery goods to gifts—in a farmer’s market atmosphere where the primary rule is literally chiseled in stone on three-ton granite slabs parked at the entrance to each store: “The Customer is Always Right.” In addition to its commitments to customer service, Stew Leon­ard’s is regarded as the Disneyland of dairy stores because of its costumed characters, petting zoo, and animatronics. </p><p>The loss prevention (LP) department at Stew Leonard seeks creative solutions. It hasn’t gone so far as to use the company’s six-foot-tall dancing bananas as spy cams, but it has put into place an innovative video synopsis technology that enables security to save copious staff hours during investigations.</p><p>“We’re a relatively small security department with a significant enclave of cameras throughout our buildings,” says Bruce Kennedy, Stew Leonard’s director of LP and logistics. “We have close to 500 cameras in the network.” This becomes an issue when investigations of thefts, accidents, and other issues occur. “One investigation can take eight to 12 hours—especially if there is video involved,” he states.</p><p>About two years ago, the loss prevention team began looking for a solution to shorten the process of reviewing CCTV video. “We looked at the entire gamut of solutions…. We attended several trade shows, took a look at white papers on the Internet, and I spoke to a lot of my peers in the industry,” Kennedy recalls, adding that the solution they were seeking had to be “cost-feasible; it had to integrate seamlessly, and had to be easy to use—that was probably the most important thing.” </p><p> </p><p>LP evaluated all the technologies and narrowed it down to the two strongest con­tend­ers. “They were separated by extremes,” he says. “One involved sending the video to a third party to review and after a week or two, we’d get a response back. That was too long. We wanted to provide answers as quickly as we could.”</p><p>The other contender was BriefCam, by BriefCam Ltd. of Neve Ilan, Israel, an award-winning product suggested by an integrator who had worked with Stew Leonard’s on its CCTV system. (BriefCam was the winner of the 2011 ASIS International Accolades Award for Surveillance, as well as the 2010 Wall Street Journal Technology Innovation Award for Physical Security, and other honors.) </p><p>Kennedy contacted the company. “They were just starting to get a hold in the industry in the United States. They said, ‘Give us a try,’ and from the onset we saw the possibilities.”</p><p>BriefCam offers two solutions: BriefCam Video Synopsis (VS) Enterprise and VS Forensics, both of which use the same technology to allow video reviews to proceed at a greatly quickened pace. VS Enterprise can fully integrate with almost all IP cameras and digital video recorders (DVRs) or networked video recorders (NVRs). The software interface allows users to pull re­corded footage by specific dates and times; it then uses video-analytic software to compress the footage into a radically shortened synopsis. One hour of footage can be viewed in an average of one minute.</p><p>Kennedy explains that what he and his team see when they review the footage is a series of superimposed streams of activity—for example, if the camera feed is from a camera focused on the entrance to one of the Stew Leonard’s stores, the synopsis will show every customer or employee coming and going, each one with a time stamp following them along. “When we see something of interest, we click on the time stamp or the image,” he says. “BriefCam isolates that specific video stream.” </p><p> </p><p>Asked if the superimposed images are confusing, Kennedy responds that they are not, especially because in the majority of investigations the security staff already knows what to look for. “So, if we are looking for a customer in a red baseball cap, once we see him, we click on him, and everyone else goes away except that customer,” he states.</p><p>The BriefCam VS Forensics creates the same time-stamped synopses, but is a standalone, offline application that does not require integration with a DVR or NVR. Users import the video into VS For­ensics to create the time-compression synopses.</p><p>Kennedy decided to employ both the VS Enterprise and VS Forensics at Stew Leonard’s. The installation took place last autumn at all the stores and also at Stew Leonard’s Wine Stores, which is a legally separate entity that contracts the use of Stew Leonard’s name and human resources, public relations, loss prevention, and security services.</p><p>During integration, there were some technical kinks, “but the BriefCam staff were absolutely great,” he says. </p><p>“Early in the process,” he recalls, “as we spoke to vendors, we told them that we were looking for a partnership with Stew Leonard’s. This is not going to be a purchase and out-the-door kind of thing. We wanted to be able to call someone and get a response back to any critical issues we came across. They have come through on that.”</p><p>A BriefCam technical specialist worked with Stew Leonard’s IT department during the installation, placing the VS Enterprise software on the servers that operate the cameras covering critical areas, such as money rooms and cash registers. “Those are dialed directly into the software application so we can pull up synopses immediately,” Kennedy says. </p><p> </p><p>Synopses from noncritical cameras are created by VS Forensics on an as-needed basis, rather than being connected directly. “We can pull video from a specific camera, from any server we want, and we can export it—bring it into BriefCam VS Forensics…. It gives you the exact same synopsis as VS Enterprise will, there’s just an extra step in between.”</p><p>Ease of use was important to security, and Kennedy says the pair of solutions have not disappointed in that regard. “Within five to 10 minutes of sitting down with the product, [LP officers] were fully trained,” he states.</p><p>And after seven months of use, Ken­nedy couldn’t be more pleased. “It has worked very well. There have been a lot of successes with investigations we’ve done. We’ve also used it in nonconventional LP aspects of business. For example, it is deployed at some of our wine stores; and we use it there for marketing purposes, product flow, customer flow, and to monitor activity during tastings. We give our feedback to non-LP folks, the marketers, and the buyers,” he says.</p><p>Kennedy also states that VS Enterprise and VS Forensics “have already paid for themselves. Return on investment was in less than six months.”<br><em><br>(For more information: BriefCam, Ltd.; e-mail:; Web: <a title="" href=""><span style="text-decoration:underline;"><font color="#0066cc"></font></span></a>)</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Panacea or Problem<p>Closed-circuit television (CCTV) is the most vibrant color on the security engineer’s and integrator’s palette, but it can also be the most wasteful.  It all hinges on whether you understand its limitations.  I’ve designed, specified, or surveyed hundred’s of CCTV systems and, in my opinion, from 25% to 50% of video cameras represent wasted money, depending on the application. In some cases, there are serious hidden legal liabilities.</p><p>CCTV sales exploded after 9-11.  No one has definitive numbers and industry-generated estimates vary wildly, but annual revenues from CCTV sales are likely to range from $1.3 to $2.4 billion.</p><p>According to Security Sales & Integration Annual Installation Business Report (2006), CCTV installations experienced the second highest increase ever recorded.  (The highest was in 2003, a little more than a year after 9-11.)  Moreover, companies reported average gross profit margins of 39%. That’s pretty good.</p><p>Schools are not the largest market by any means, but they are the most troubling. There is a virtual pandemic of schools installing video cameras willy-nilly in the aftermath of Columbine and Virginia Tech. The lay public, unfortunately, doesn’t understand the technology and ignorantly believes that the simple act of installing cameras stops crime.  Cash-starved high schools, in particular, may be choosing video surveillance over higher teacher pay, text books, or afterschool programs for students.  CCTV is a superb investigative tool after something terrible occurs, but then again, the identification of the shooters in the recent incidents at schools didn’t require video to identify the perpetrators.  With very few exceptions, it is almost a useless tool to prevent serious crimes in most schools because they rarely—if ever—have the staff to effectively monitor the cameras. Too often, the monitors are tucked beneath the counter at the main reception desk.</p><p>I recall a marketing interview I had with a major New England university.  I told their chief of security and the consultant selection committee that they were planning to buy many more cameras than they needed. I didn’t get that job. It’s not what he wanted to hear.</p><p class="MsoNormal" style="line-height:200%;"> <strong>Crime Prevention Pitfalls</strong></p><p>Video is ineffectual because it only has crime prevention value under two circumstances: a human continuously monitors it and can call on an almost instantaneous response when a crime occurs.  Few organizations (save the CIA and similar high-security facilities) have the resources to effectively implement these two prerequisites. </p><p>In addition to the potentially exorbitant costs of buying and installing a full coverage video system, the consequent life-cycle costs (labor, repair, and maintenance costs) are massive over time if the video system is properly managed. The alertness of security console operators peaks in 20 minutes, according to many studies.  It is necessary to change monitoring duties every two hours for optimal surveillance—hence, the very high labor costs.  Moreover, a human can’t efficiently and reliably watch more than 9 to 12 monitors—let alone the dozens of monitors that can be found at some security monitoring centers. There is a paradox at play. CCTV is potentially the most valuable security resource as well as the most misused and wasteful.  It is the familiar story of having too much of a good thing. </p><p>Getting back to cost, as a rule of thumb, each indoor camera averages $1500 (as a complete, installed cost, including power, wire, and conduit) and each outdoor camera, $3500.  If all the bells and whistles are added, per camera costs for outdoor, day/night units can easily approach $9,800 per position and up to $60,000 for very exotic capabilities and for very difficult locations. For a very large school, university, hospital, shopping mall, parking garage, or office building, the final costs for complete video systems can range from hundreds of thousands to millions of dollars. Sometimes these expenditures are like flushing money down a toilet.</p><p>To put what I have been saying into a useful context, a very short tutorial is called for.  CCTV serves three primary functions: perform surveillance; support post-incident investigations, including identification; and automate a function, such as at remotely controlled doors or vehicle entrances. It has momentous value for crime investigation.  Most organizations, however, purchase video systems with the generally unrealistic expectations that it will prevent crime. Often, they have little understanding of security console operations or ergonomics.</p><p>There are some interesting and growing secondary applications that are mostly benign.  The increasing popularity of “nanny cams” is well known. The use of CCTV to catch red light runners at busy intersections, to read license plates at tollbooths and airport parking garages, and to catch speeders is also common now.  Similarly, video cameras can reduce bad behavior on school buses. Cameras also work well for law enforcement sting operations. Police park a “bait” automobile in an area known for high incidents of car theft and car-jackings.  When the miscreant enters the vehicle, the police can remotely lock the doors and record the event on video. But as valuable as these various uses are, these kinds of applications rarely involve thwarting serious crimes. Moreover, they document a crime; they don’t prevent it.</p><p>The use of CCTV in conjunction with very sophisticated facial recognition software is an interesting case study.  Every city that has installed these extremely expensive systems, such as Tampa and Virginia Beach, eventually shut them down.  Facial recognition isn’t ready for prime time yet. This new technology fits the same pattern: the consumer does not understand the limitations of unfamiliar technology.</p><p class="MsoNormal" style="line-height:200%;"><strong>CCTV in Public Places</strong></p><p>The installation of massive video nets in public spaces is another mounting trend, especially in light of the remarkable success the British had on several occasions in identifying and then tracking suspected terrorists after an attack.  Bear in mind that the United Kingdom has 4.2 million CCTV cameras in place.  There is a camera for every 14 people and an average Londoner is seen on camera 300 times each day.  The United States isn’t even close to that kind of surveillance saturation on a per capita basis, but we’re catching up fast. City after city is embarking on public video surveillance programs. By some accounts, downtown Manhattan already has 4,200 public and private sector video cameras. The NYPD would like to install 3,000 new cameras by the end of 2008. Police departments in Baltimore, Hollywood, Houston, Memphis, Newark, San Diego, Tampa, Virginia Beach, Washington, D.C., and in many other cities are installing video cameras and connecting to feeds from private sector CCTV systems. This is a great idea if the objective is to support post-incident investigations. Whether these systems contribute to crime reduction is still controversial—and in my view, dubious.</p><p>With the recent Federal trend toward design-build contracts, government bodies at all levels typically uses companies that sell and install video systems to determine how much CCTV they need, rather than impartial security engineers and consultants. It’s not exactly a surprise that these companies want to sell and install as many CCTV systems as they possibly can. Moreover, this is a partial explanation of the exponential growth of citywide video systems. Yet another reason for this growth is the ever-mounting pressure from the Department of Homeland Security for more and more video. Bear in mind that the British didn’t prevent any of their terrorist attacks as a result of video surveillance.  Could it happen in the future? Sure, even a blind hog can find an acorn now and then.</p><p>The effectiveness of CCTV in public spaces to reduce crime is counterintuitive and controversial. It is not at all clear that crime rates are reduced. Some criminologists think that crime is only displaced by video systems.  When studies do claim CCTV does reduce crime, the reduction is usually marginal.</p><p>In 1995, a study was conducted to determine the deterrent value of various crime prevention factors for convenience stores. These variables included how much cash was kept on site, retreat distance, police patrolling, an armed clerk, and so forth. The researcher interviewed robbers and asked them to rank the most important factors in deciding whether or not to commit the robbery. Of 11 factors, a camera system ranked tenth and video recording, eleventh. These findings were compared to a similar study that was conducted in 1985: the rankings had hardly changed. The finding was also similar to the results from a study completed in the 1970s.  The top two reasons a robber would decide against holding up a store were too little money kept on site and a long or complicated escape route.</p><p>Another phenomenon that could be at play in determining if CCTV deters crime is something called the Hawthorne Effect (or variously, the Westinghouse Effect), a term coined by a study conducted in 1939 at the Hawthorne Plant of Western Electric Company. Efficiency experts wanted to determine the optimal working conditions for maximum production.  Among various techniques, the researchers found that increasing lighting increased production. But there was a surprise. When they later reduced lighting levels to bracket peak efficiency—to the point that workers couldn’t see (some even brought in lamps from home)—production still increased. The explanation is a variant of the famous Heisenberg Uncertainty Principle, well known to Star Trek fans. The Principle states that “the act of observing alters that which is being observed.”  This can occur in various ways. There may be direct interference. There can be unconscious bias in reading or collecting the data. There can be factors interacting with the situation that are undiscovered.</p><p>Washington, D.C., conducted a number of lighting studies following the city-wide riots in April 1968 following the Martin Luther King Jr. assassination.  They wanted to learn what type of lighting was best to fight crime: low-pressure sodium, high-pressure sodium, mercury vapor, metal halides, etc. The study seemed to demonstrate that all lighting reduced crime.</p><p>It wasn’t until years later when the results were scrubbed by social psychologists and criminologists that the results became suspect.  Was it the lighting or was it because squad cars were parked on every street to observe the effects? Or, were police officers subconsciously (or consciously) motivated to underreport crime if their performance was being evaluated?  Which played the greatest role? That notwithstanding, few authorities would dispute the conclusion that lighting (and CCTV) can effectively displace crime. </p><p>Displacement is a very good thing if you happen to live or work in a high crime area.  It’s not such a good thing if you live in the area the crime is moving to. The chief question is, “Does CCTV actually reduce crime?” City politicians are more than willing to glom onto crime statistics to suggest that this or that program they championed reduced crime. When crime reductions do occur, a pantheon of factors likely causes the decline. The state of the local and national economy, for example, plays a major role.</p><p><strong>Civil Liberty and Liability Concerns</strong>.There is another very important question that some people feel very strongly, if not fanatically, about. Does saturation video surveillance in public areas violate the right to privacy? Or, is it a Fourth Amendment issue, which governs against unreasonable searches and seizures? The U.S. Supreme Court  in United States vs. Knotts  put part of this matter to bed by determining that surveillance was constitutional when conducted in areas where there should be no expectation of privacy.  However, the other shoe still hasn’t dropped.  Does CCTV surveillance represent unreasonable search? Ever? Sometimes?  Most authorities believe that the Supreme Court will continue to rule in favor of public video surveillance, but it isn’t a dead issue.</p><p>Legal liability is yet another volatile issue related to video surveillance. In our ever litigious society being a crime victim (or faking it) can sometimes be like winning the lottery. Negligent security torts are common and increasing in frequency.  The lawsuits spawned by the 1993 attack on the World Trade Center in Manhattan were only finally settled earlier this year—14 years later. The defendants paid millions. Lawsuits pertaining to the 9-11 attacks are going to the courts now.</p><p>Sometimes lawsuits are, and will be, deserving, because there is true gross negligence at work. I know of one smallish company that couldn’t afford a complete video surveillance system, so they only purchased the cameras.  There were no wires or monitors.  The idea was that the sight of the cameras along the roofline watching a dark and unfenced employee parking lot would deter theft, robbery, and rape. If someone is assaulted in spite of the cameras, someone at that company should not only pay the future victims handsomely; they should probably go to jail.</p><p>Despite their many limitations and problems, CCTV systems can also be an extremely powerful weapon in the security arsenal.  It is of critical importance in a post-incident criminal investigation: sometimes it provides the only clues available to law enforcement. The British success in identifying and then finding terrorists is phenomenal. </p><p>Video can support other important uses as well.  Security guards can do virtual tours of a large building or outdoor area without leaving the guard booth. Some cameras can see in the dark.  If you are using an access card to unlock a door on a cold, rainy night, and if for some reason it doesn’t unlock, the availability of an intercom and a camera showing you to a security guard is priceless. License-plate readers have been a boon to toll booth operators and small towns needing more revenue from speeders and red light runners. Now that technology has taken us to digital video and IP-networked surveillance, the varying applications for CCTV are spectacular. The key for security managers is to understand the system’s limitations so they choose the right system for their organization, without squandering too many resources and without making grandiose claims that only create a false sense of security.</p><hr width="100%" size="2" /><p>John J. Strauchs, CPP, is Senior Principal of Strauchs LLC.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Unique Threat of Insiders<p>​It’s perhaps the most infamous incident of an insider threat in modern times. During the spring and summer of 2013, then-National Security Agency (NSA) contractor and Sharepoint administrator Edward Snowden downloaded thousands of documents about the NSA’s telephone metadata mass surveillance program onto USB drives, booked a flight to Hong Kong, and leaked those documents to the media.</p><p>An international manhunt was launched, Snowden fled to Moscow, hearings were held in the U.S. Congress, and new policies were created to prevent another insider breach. The damage a trusted insider can do to an organization became painfully obvious.</p><p>“If you’d asked me in the spring of 2013…what’s the state of your defense of the business proposition as it validates the technology, people, and procedures? I would have said, ‘Good. Not perfect,’” said Chris Inglis, former deputy director and senior civilian leader of the NSA during the Snowden leaks, in a presentation at the 2017 RSA Conference in San Francisco.</p><p>“I would have said that ‘we believe, given our origins and foundations, and folks from information assurance, that that’s a necessary accommodation,” he explained. “We make it such that this architecture—people, procedure, and technology—is defensible.”</p><p>Inglis also would have said that the NSA vetted insiders to ensure trustworthiness, gave them authority to conduct their jobs, and followed up with them if they exceeded that authority—intentionally or unintentionally—to remediate it. </p><p>“We made a critical mistake. We assumed that outsider external threats were different in kind than insider threats,” Inglis said. “My view today is they are exactly the same. All of those are the exercise of privilege.”</p><p>Inglis’ perspective mirrors similar findings from the recent SANS survey Defending Against the Wrong Enemy: 2017 Sans Insider Threat Survey by Eric Cole, SANS faculty fellow and former CTO of McAfee and chief scientist at Lockheed Martin.</p><p>The SANS survey of organizations with 100 to 100,000 employees found that it can be easy to conclude that external attacks should be the main focus for organizations. </p><p>“This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage,” Cole wrote. “Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.”​</p><h4>Insider Threat Programs</h4><p>Incidents like the Snowden leaks and the more recent case of Harold Thomas Martin III, an NSA contractor accused of taking top secret information home with him, along with other incidents of economic espionage have raised awareness of the impact insider threats can have. However, many organizations have not adjusted their security posture to mitigate those threats.</p><p>In its survey, SANS found that organizations recognize insider threat as the “most potentially damaging component of their individual threat environments,” according to the survey. “Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.”</p><p>Of the organizations surveyed, 49 percent said they are in the process of creating an insider threat program, but 31 percent still do not have a plan and are not addressing insider threats through such a plan. </p><p>“Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify,” SANS found. “From experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.”</p><p>Additionally, because many are not monitoring for insider threats, most organizations claim that they have never experienced an insider threat. “More than 60 percent of the respondents claim they have never experienced an insider threat attack,” Cole wrote. “This result is very misleading. It is important to note that 38 percent of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.”</p><p>The survey also found that the losses from insider threats are relatively unknown because they are not monitored or detected. Due to this, organizations cannot put losses from insider threats into financial terms and may not devote resources to addressing the issue, making it difficult or impossible to determine the cost of an insider attack.</p><p>For instance, an insider could steal intellectual property and product plans and sell them to a competitor without being detected.</p><p>“Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone ‘stealing it,’” Cole wrote. “Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause is linked back to an insider.”</p><p>And when organizations do discover that an insider attack has occurred, most have no formal internal incident response plan to address it.</p><p>“Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20 percent of respondents reported having a formal incident response plan that deals with insider threat,” according to the SANS survey. </p><p>Instead, most incident response plans are focused on external threats, Cole wrote, which may explain why companies struggle to respond to insider threats.</p><p>Organizations are also struggling to deal with both malicious and accidental insider threats—a legitimate user whose credentials were stolen or who has been manipulated into giving an external attacker access to the organization. “Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected,” the survey found. “Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders.</p><p>To begin to address these vulnerabilities, SANS recommends that organizations identify their most critical data, determine who has access to that data, and restrict access to only those who need it. Then, organizations should focus on increasing visibility into users’ behavior to be proactive about insider threats. </p><p>“We were surprised to see 60 percent of respondents say they had not experienced an insider attack,” said Cole in a press release. “While the confidence is great, the rest of our survey data illustrates organizations are still not quite effective at proactively detecting insider threats, and that increased focus on individuals’ behaviors will result in better early detection and remediation.”​</p><h4>Trusted People</h4><p>When the NSA recruits and hires people, it vets them thoroughly to ensure their trustworthiness, according to Inglis.</p><p>“We ultimately want to bring some­body into the enterprise who we can trust, give them some authority to operate within an envelope that doesn’t monitor their tests item by item,” he explained. “Why? Because it’s within that envelope that they can exceed your expectations and the adversary’s expectations, your competitors’ expectations, and hope­fully the customers’ expectations. </p><p>You want them to be agile, creative, and innovative.”</p><p>To do this, the NSA would go to great lengths to find people with technical ability and possible trustworthiness. Then it or a third party would vet them, looking at their finances and their background, conducting interviews with people who knew them, and requiring polygraph examinations.</p><p>After the Snowden leaks, the U.S. federal government examined the work of its contract background screening firm—United States Investigations Services (USIS). USIS had cleared both Snowden and the Washington Navy Yard shooter Aaron Alexis. The government decided to reduce its contracted work with the company.</p><p>USIS later agreed to pay $30 million to settle U.S. federal fraud charges, forgoing payments that it was owed by the U.S. Office of Personnel Management for conducting background checks. The charges included carrying out a plot to “flush” or “dump” individual cases that it deemed to be low level to meet internal USIS goals, according to The Hill’s coverage of the case.</p><p>“Shortcuts taken by any company that we have entrusted to conduct background investigations of future and current federal employees are unacceptable,” said Benjamin Mizer, then head of the U.S. Department of Justice’s Civil Division, in a statement. “The Justice Department will ensure that those who do business with the government provide all of the services for which we bargained.”</p><p>This part of the process—vetting potential employees and conducting background checks—is where many private companies go wrong, according to Sandra Stibbards, owner and president of Camelot Investigations and chair of the ASIS International Investigations Council.</p><p>“What I’ve come across many times is companies are not doing thorough backgrounds, even if they think they are doing a background check—they are not doing it properly,” she says. </p><p>For instance, many companies will hire a background screening agency to do a check on a prospective employee. The agency, Stibbards says, will often say it’s doing a national criminal search when really it’s just running a name through a database that has access to U.S. state and county criminal and court records that are online.</p><p>“But the majority of counties and states don’t have their criminal records accessible online,” she adds. “To really be aware of the people that you’re getting and the problem with the human element, you need to have somebody who specializes and you need to…invest the money in doing proper background checks.”</p><p>To do this, a company should have prospective employees sign a waiver that informs them that it will be conducting a background check on them. This check, Stibbards says, should involve looking at criminal records in every county and state the individual has lived in, many of which will need to be visited in person.</p><p>She also recommends looking into any excessive federal court filings the prospective employee may have made.</p><p>“I’ll look for civil litigation, especially in the federal court because you get people that are listed as a plaintiff and they are filing suits against companies for civil rights discrimination, or something like that, so they can burn the company and get money out of it,” Stibbards adds.</p><p>Additionally, Stibbards suggests looking for judgments, tax liens, and bankruptcies, because that gives her perspective on whether a person is reliable and dependable.</p><p>“It’s not necessarily a case break­er, but you want to have the full perspect­ive of if this person is capable of managing themselves, because if they are not capable of managing themselves, they may not make the greatest employee,” she says.</p><p>Companies should ensure that their background screenings also investigate the publicly available social media presence of potential employees. Companies can include information about this part of the process in the waiver that applicants sign agreeing to a background check to avoid legal complications later on. </p><p>“I’m going to be going online to see if I see chatter about them, or if they chat a lot, make comments on posts that maybe are inappropriate, if they maintain Facebook, LinkedIn, and Twitter,” Stibbards says. </p><p>Posting frequently to social media might be a red flag. “If you find somebody on Facebook that’s posting seven, eight, nine, or 10 times a day, this is a trigger point because social media is more important to them than anything else they are doing,” Stibbards adds.</p><p>And just because a prospective employee is hired doesn’t mean that the company should discontinue monitoring his or her social media. While ongoing review is typically a routine measure, it can lead to disciplinary action for an employee who made it through the initial vetting process. For instance, Stibbards was hired by a firm to investigate an employee after the company had some misgivings about certain behaviors.</p><p>“Not only did we find criminal records that weren’t reported, but we then found social media that indicated that the employee was basically a gang member—pictures of guns and the whole bit,” Stibbards says.</p><p>It’s also critical, once a new employee has been brought on board, to introduce him or her to the culture of the organization—an aspect that was missing in Snowden’s onboarding process, Inglis said. This is because, as a contractor working for the NSA, regulations prohibited the U.S. government from training him. </p><p>“You show up as a commodity on whatever day you show up, and you’re supposed to sit down, do your work—sit down, shut up, and color within the lines,” Inglis explained.</p><p>So on Snowden’s first day at the NSA, he was not taken to the NSA Museum like other employees and taught about the agency’s history, the meaning of the oath new employees take, and the contributions the NSA makes to the United States.</p><p>“Hopefully there are no dry eyes at that moment in time, having had a history lesson laying out the sense of the vitality and importance of this organization going forward,” Inglis explained. “We don’t do that with contractors. We just assume that they already got that lesson.”</p><p>If companies fail to introduce contractors and other employees to the mission of the organization and its culture, those employees will not feel that they are part of the organization.​</p><h4>Trusted Technology</h4><p>Once trusted people are onboarded, companies need to evaluate their data—who has access to it, what controls are placed on it to prevent unwarranted access, and how that access is monitored across the network.</p><p>“The one thing I always recommend to any company is to have a monitoring system for all of their networks; that is one of the biggest ways to avoid having issues,” Stibbards says. “Whether it’s five people working for you or 100, if you let everybody know and they are aware when they are hired that all systems—whether they are laptops or whatever on the network—are all monitored by the company, then you have a much better chance of them not doing anything inappropriate or…taking information.”</p><p>These systems can be set up to flag when certain data is accessed or if an unusual file type is emailed out of the network to another address. </p><p>Simon Gibson, fellow security architect at Gigamon and former CISO at Bloomberg LP, had a system like this set up at Bloomberg, which alerted security staff to an email sent out with an Adobe PDF of an executive’s signature.</p><p>“He’s a guy who could write a check for a few billion dollars,” Gibson explains. “His signature was detected in an email being sent in an Adobe PDF, and it was just his signature…of course the only reason you would do that is to forge it, right?”</p><p>So, the security team alerted the business unit to the potential fraud. But after a quick discussion, the team found that the executive’s signature was being sent by a contractor to create welcome letters for new employees.</p><p>“From an insider perspective, we didn’t know if this was good or bad,” Gibson says. “We just knew that this guy’s signature probably ought not be flying in an email unless there’s a really good reason for it.”</p><p>Thankfully, Bloomberg had a system designed to detect when that kind of activity was taking place in its network and was able to quickly determine whether it was malicious. Not all companies are in the same position, says Brian Vecci, technical evangelist at Varonis, an enterprise data security provider.</p><p>In his role as a security advocate, Vecci goes out to companies and conducts risk assessments to look at what kinds of sensitive data they have. Forty-seven percent of companies he’s looked at have had more than 1,000 sensitive data files that were open to everyone on their network. “I think 22 percent had more than 10,000 or 12,000 files that were open to everybody,” Vecci explains. “The controls are just broken because there’s so much data and it’s so complex.”</p><p>To begin to address the problem, companies need to identify what their most sensitive data is and do a risk assessment to understand what level of risk the organization is exposed to. “You can’t put a plan into place for reducing risk unless you know what you’ve got, where it is, and start to put some metrics or get your arms around what is the risk associated to this data,” Vecci says. </p><p>Then, companies need to evaluate who should have access to what kinds of data, and create controls to enforce that level of access. </p><p>This is one area that allowed Snowden to gain access to the thousands of documents that he was then able to leak. Snowden was a Sharepoint administrator who populated a server so thousands of analysts could use that information to chase threats. His job was to understand how the NSA collects, processes, stores, queries, and produces information.</p><p>“That’s a pretty rich, dangerous set of information, which we now know,” Inglis said. “And the controls were relatively low on that—not missing—but low because we wanted that crowd to run at that speed, to exceed their expectations.”</p><p>Following the leaks, the NSA realized that it needed to place more controls on data access because, while a major leak like Snowden’s had a low probability of happening, when it did happen the consequences were extremely high. </p><p>“Is performance less sufficient than it was before these maneuvers? Absolutely,” Inglis explained. “But is it a necessary alignment of those two great goods—trust and capability? Absolutely.”</p><p>Additionally, companies should have a system in place to monitor employees’ physical access at work to detect anomalies in behavior. For instance, if a system administrator who normally comes to work at 8:00 a.m. and leaves at 5:00 p.m. every day, suddenly comes into the office at 2:00 a.m. or shows up at a workplace with a data storage unit that’s not in his normal rotation, his activity should be a red flag.</p><p>“That ought to be a clue, but if you’re not connecting the dots, you’re going to miss that,” Inglis said.  ​</p><h4>Trusted Processes</h4><p>To truly enable the technology in place to monitor network traffic, however, companies need to have processes to respond to anomalies. This is especially critical because often the security team is not completely aware of what business units in the company are doing, Gibson says.</p><p>While at Bloomberg, his team would occasionally get alerts that someone had sent software—such as a document marked confidential—to a private email address. “When the alert would fire, it would hit the security team’s office and my team would be the first people to open it and look at it and try analyze it,” Gibson explains. “The problem is, the security team has no way of knowing what’s proprietary and valuable, and what isn’t.”</p><p>To gather this information, the security team needs to have a healthy relationship with the rest of the organization, so it can reach out to others in the company—when necessary—to quickly determine if an alert is a true threat or legitimate business, like the signature email. </p><p>Companies also need to have a process in place to determine when an employee uses his or her credentials to inappropriately access data on the network, or whether those credentials were compromised and used by a malicious actor. </p><p>Gibson says this is one of the main threats he examines at Gigamon from an insider threat perspective because most attacks are carried out using people’s credentials. “For the most part, on the network, everything looks like an insider threat,” he adds. “Take our IT administrator—someone used his username and password to login to a domain controller and steal some data…I’m not looking at the action taken on the network, which may or may not be a bad thing, I’m actually looking to decide, are these credentials being used properly?”</p><p>The security team also needs to work with the human resources department to be aware of potential problem employees who might have exceptional access to corporate data, such as a system administrator like Snowden.</p><p>For instance, Inglis said that Snowden was involved in a workplace incident that might have changed the way he felt about his work at the NSA. As a systems administrator with incredible access to the NSA’s systems, Inglis said it would have made sense to put a closer watch on him after that incident in 2012, because the consequences if Snowden attacked the NSA’s network were high.</p><p>“You cannot treat HR, information technology, and physical systems as three discrete domains that are not somehow connected,” Inglis said.</p><p>Taking all of these actions to ensure that companies are hiring trusted people, using network monitoring technology, and using procedures to respond to alerts, can help prevent insider threats. But, as Inglis knows, there is no guarantee.</p><p>“Hindsight is 20/20. You have to look and say, ‘Would I theoretically catch the nuances from this?’”   ​</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465