Financial Activities

 

 

https://sm.asisonline.org/Pages/Teller-Trouble.aspxTeller TroubleGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-03-01T05:00:00Zhttps://adminsm.asisonline.org/pages/holly-gilbert-stowell.aspx, Holly Gilbert Stowell<p>​The insider fraud that took place at Wells Fargo is still being investigated, but experts say the scam that involved the creation of 2 million unauthorized customer accounts is unprecedented. Beginning as early as 2011, thousands of Wells Fargo employees created bank accounts for existing customers without authorization, and generated millions of dollars in fees that profited the company along the way. </p><p>“Wells Fargo employees secretly opened unauthorized accounts to hit sales targets and receive bonuses,” said Richard Cordray, director of the Consumer Financial Protection Bureau (CFPB) in a statement. </p><p>The CFPB went onto say that workers even created fake PIN numbers and phony email addresses to fraudulently create the accounts. The bank will pay $185 million in fines to the bureau and $5 million to customers for their losses.</p><p>During a U.S. Congressional hearing in which then-Wells Fargo Chairman and CEO John Stumpf testified before lawmakers, U.S. Rep. Maxine Waters (D-CA) called the event “some of the most egregious fraud we have seen since the foreclosure crisis.”</p><p>Stumpf stepped down in October 2016 as leader of Wells Fargo, and forfeited $41 million in stock awards and part of his 2016 salary and bonus. Since the scandal was uncovered, the bank has fired at least 5,300 employees.</p><p>While the ethics scandal at Wells Fargo garnered international attention, insider fraud and theft by employees has become increasingly prevalent at financial institutions. In 2014, New York Attorney General Eric T. Schneiderman announced the arrest of an identity theft ring that had siphoned $850,000 from a bank’s customer accounts with the help of several tellers at banks in New York City and surrounding counties. </p><p>In 2015, two private bankers with J.P. Morgan Chase were indicted for funneling $400,000 from Social Security accounts of 15 people, some of whom were deceased, according to court documents from the Brooklyn District Attorney’s office. </p><p>Schneiderman later sent a letter to several large banks, including J.P. Morgan Chase, Bank of America, and Wells Fargo, urging the financial institutions to rein in their employees’ access to customer data. The Wall Street Journal first reported on the letter, which it obtained in June 2015. Schneiderman said that teller theft was the number three cause of data breaches in the state of New York, just behind poor cybersecurity and lost or stolen equipment. </p><p>Schneiderman concluded that “much of the wrongdoing could have been caught if the banks had noticed and shared red flags; for example, an employee accessing an unusually large number of accounts or looking up accounts without dealing with those customers,” according to the article. ​</p><h4>Access to Information</h4><p>Experts say that an increase in theft and fraud has been accompanied by an evolution in the banker’s role. The traditional role of the teller who sits behind a desk counting dollar bills has progressed with the proliferation of the Internet and other digital tools. </p><p>“Technology now handles so many of the traditional teller transactions, like checking your balance or moving your money,” says Dr. Kevin Streff, associate professor and director of the Center for Information Assurance at Dakota State University. “Those kinds of transactions that used to be handled by people are now handled by automation for a large part, so the teller’s responsibility then moves up to the next level of service to the customer.” </p><p>Such transactions include changing personally identifiable information details on accounts, all available to tellers with the click of a button. </p><p>“Technology in general makes it so much easier to get the information that we’re talking about; there’s no question that’s increased the risk for internal theft cases,” says Kevin Smith, CPP, former senior vice president and corporate security director at Chevy Chase Bank and member of the ASIS International Banking and Financial Services Council. </p><p>But with the proliferation of ATMs and online banking services, this increased access to information is coupled with a diminished demand for tellers. They don’t garner the largest salaries—on average, tellers make about $13 an hour, or $27,000 a year, according to 2015 statistics from the U.S. Bureau of Labor. Experts say these low wages, combined with tempting sales-goal incentives, can create a formula for theft and fraud. </p><p><strong>Theft.</strong> Streff notes that the black market for customer records, credit card information, and other sensitive data is based on supply and demand, and the current supply is high. Therefore, employees will be tempted to steal more records to make the most money. </p><p>“It’s still very motivating to get 1,000 payment cards from a bank, and even if you can only get $25 a card, that’s still $25,000,” he says.</p><p>And there are plenty of bad actors waiting on the other side of the Web to help them carry out the crime. “The bad guy externally has the skill, the insider has the access privileges and the rights and trust, and that together creates the perfect storm to be able to complete that cybercrime,” Streff explains.</p><p>He recounts such a situation investigated by his firm Secure Banking Solutions, a cybersecurity company focused exclusively on the banking sector. </p><p>“We saw a situation at a Midwestern bank where a couple of tellers were printing about eight customer records each per day for about a year, and then they were putting them in their bags or purses and walking out the door,” Streff says. “So eight customer records a day is about $200 a day—there’s a nice little augmentation to their salary.”  </p><p>During his long tenure as a security director and vice president at banks across the country, Smith says he dealt with a similar situation during a merger and acquisition. </p><p>“The criminals were focused on the fact that the employees would no longer have allegiance to the company” that was being acquired, he says. “We apprehended one of our employees working at a call center that was selling customer information in the parking lot to someone that had approached them and said, ‘I’ll give you $50 for every name, address, telephone number, and date of birth that you can give me.’” </p><p><strong>Incentives.</strong> Scamming customers with help from the outside is just one of many risks faced by financial institutions. Corporate culture can become the catalyst for bad behavior as well. </p><p>During the U.S. House Congressional Services Committee hearing on Wells Fargo, lawmakers criticized the sales incentives that offered rewards to employees who opened a certain number of accounts. CNN Money reported in September 2016 that Wells Fargo employees had complained about the “pressure cooker environment” created by these “wildly unrealistic” sales goals. </p><p>Stumpf testified before the committee that sales goals were being eliminated companywide in January 2017 as a result of the scandal. </p><p>While this practice had become toxic at Wells Fargo, other banks rely heavily on the motivation behind such goals. </p><p>“The reality is that many companies, particularly smaller companies, survive on those sales goals,” says Smith, adding that common practice is to reward not only tellers, but managers and senior executives when their employees reach those goals. </p><p>This practice can lead to fraudulent behavior when employees are pressured to meet goals or face negative repercussions for not doing so. “When you dangle the guillotine over someone’s head and say ‘If you don’t do this, this thing is going to happen to you.’ Well come on, leadership gets exactly what they deserve,” says Clint Hilbert, owner of Corporate Protection Technologies, LLC. “They’re actually promoting that behavior.” </p><p>Hilbert says that a series of checks and balances within the company will help prevent fraud from occurring. </p><p>“The checks and balances have to be built in from the time you’re pursuing a market to the time you’re reinvesting your profits,” he says. “All of those stages in between have to have checks and balances that can be independently surveyed.” </p><p>Smith echoes the concern regarding a competitive sales environment, and notes that management can often become a part of the problem. </p><p>“Hypothetically, I think what happens in those situations is people are incented to sell, sell, sell,” he says. “And if the person monitoring that activity is also gaining from the sell, sell, sell, they’re disincentivized from identifying any problems.” </p><p>Having an independent third party or group outside the management chain to audit sales activity ensures that banks aren’t engaging in fraudulent behavior.​</p><h4>Management </h4><p>Experts say that engaging employees and giving them a sense of buy-in at the company is a first step to keeping them from becoming an insider threat, and treating whistleblowers with fairness and exercising transparency can help leadership build trust. </p><p><strong>Whistleblowers.</strong> Since the Wells Fargo scandal came to light, employees have come forward saying that they were fired or punished for blowing the whistle on the fraudulent activity taking place. </p><p>In a November 2016 letter to new Wells Fargo President and CEO Timothy Sloan, U.S. Senators Elizabeth Warren (D-MA), Robert Menendez (D-NJ), and Ron Wyden (D-OR) inquired about the firing of certain employees, writing that “the bank may have done so to retaliate against whistleblowers.” </p><p>Former employees told NPR News that they received bad marks on their U5 forms—a system set up and operated by the Financial Industry Regulatory Authority—after pointing out the fraudulent behavior. Those forms are essentially used as a permanent record of their employment history as a banker. Wells Fargo says it is investigating those claims.  </p><p>Hilbert says that anyone who raises a red flag about company practices should be treated with fairness, whether they are right or wrong. </p><p>“The first time you publicly fry a whistleblower, you no longer have ownership by the employees,” Hilbert says. “Even if the whistleblower is 100 percent wrong, there has to be transparency because that’s where you’re going to lose trust.” </p><p>Rather than creating a culture where managers are pitted against employees, Hilbert says, creating mutual respect will fuel the two-way relationship. He adds that employees essentially should respect the company more than they respect their coworkers who engage in bad behavior so that they report any incidents. </p><p> “You have to be transparent, you have to be honest, and you have to communicate—therein lies the basis of every relationship,” he says. “That trust today is such an important factor for the C-suite to embrace.”</p><p><strong>Hiring and training.</strong> Increasing levels of responsibility for tellers ought to be supplemented with more security training and better hiring practices, Smith says. And security compliance and training programs should be ongoing to keep employees engaged with banking best practices. </p><p>“Those types of training programs on ethics in the workplace really have to be an integral part of the program coming through the door, and they have to be emphasized on a regular basis,” he notes.  </p><p>For many bank workers, it may be their first job, meaning they haven’t had exposure to security or compliance training in the past. </p><p>“These tellers and call center employees can be right out of high school,” Smith says. “It’s an entry-level position, and you really need to drive that point home about ethics in the workplace because they’ve never had that training before.” </p><p>Hiring people with the right background is critical for employees that will be handling sensitive customer information. Banks can take advantage of access to law enforcement to conduct background checks. </p><p>“In the financial services industry, background investigations are critical,” Smith says. Under Federal Deposit Insurance Corporation (FDIC) rule number 19, banks can get permission to go directly to the FBI for such background screening. </p><p>Smith adds that under these regulations, banks are also prohibited from hiring someone who has been convicted of a theft or a breach of trust offense. </p><p><strong>Monitoring.</strong> Supervisors need to be the first line of defense when it comes to ensuring their employees aren’t engaging in bad behavior, Smith says. He explains that several technological tools are available to help produce reports using data from employee transactions. Using those reports, supervisors “ought to identify what the typical pattern is for their employees…and develop a report that would alert to out-of-pattern activity.”  </p><p>A worker accessing unusual amounts of customer information could be a tipoff to fraudulent behavior. “Let’s say typical daily activity for a teller is servicing about 50 accounts,” Smith says. “If you find that they’re looking at 300 accounts, that’s out-of-pattern activity and should be investigated.” </p><p>Streff adds that while technology is a great tool, creating awareness within the company is invaluable. “Certainly you want controls in place that lock things down, you want sensors to identify anomalous behavior, but you want to create an awareness in your workforce to be a protection as well,” he says.  </p><p>And employees at all levels can be the best tools for fighting insider threats, Hilbert says. “If you have 100 employees, you have 200 eyes,” he notes. “And if you can motivate those employees to do your camera work for you, you’ve got the best camera system that money can buy.”  ​ ​</p>

Financial Activities

 

 

https://sm.asisonline.org/Pages/Teller-Trouble.aspx2017-03-01T05:00:00ZTeller Trouble
https://sm.asisonline.org/Pages/Access-to-Bank-On.aspx2017-01-01T05:00:00ZAccess to Bank On
https://sm.asisonline.org/Pages/Access-Under-Control.aspx2015-08-10T04:00:00ZAccess Under Control
https://sm.asisonline.org/Pages/Diebold’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx2014-12-02T05:00:00ZDiebold’s Responsive Banking Concept Enhances ATM Security and Service
https://sm.asisonline.org/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx2014-08-14T04:00:00ZFinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders
https://sm.asisonline.org/migration/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx2014-08-14T04:00:00ZFinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders
https://sm.asisonline.org/Pages/Banking-on-a-Security-Upgrade.aspx2014-02-01T05:00:00ZBanking on a Security Upgrade
https://sm.asisonline.org/Pages/cybersecurity-money-laundering-are-top-threats-facing-financial-industry-2014-0013072.aspx2014-01-07T05:00:00ZCybersecurity, Money Laundering Are Top Threats Facing the Financial Industry in 2014
https://sm.asisonline.org/Pages/Virtual-Money-Real-Crime.aspx2014-01-01T05:00:00ZVirtual Money, Real Crime
https://sm.asisonline.org/Pages/using-economics-fight-terrorists-0013004.aspx2013-12-13T05:00:00ZUsing Economics to Fight Terrorists
https://sm.asisonline.org/Pages/visa-discusses-efforts-prevent-fraudulent-transactions-0012832.aspx2013-10-17T04:00:00ZVisa Discusses Efforts to Prevent Fraudulent Transactions
https://sm.asisonline.org/Pages/data-brokers-0012627.aspx2013-08-01T04:00:00ZFTC Warns Data Brokers
https://sm.asisonline.org/migration/Pages/dunbar-digital-armor-announces-partnership-with-nasdaq-0012531.aspx2013-06-13T04:00:00ZDunbar Digital Armor Announces Partnership with NASDAQ
https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-february-0012386.aspx2013-05-01T04:00:00ZTop 10 Performing Security Industry Stocks for February
https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-january-0012327.aspx2013-04-01T04:00:00ZTop 10 Performing Security Industry Stocks for January
https://sm.asisonline.org/Pages/Banking-on-Security.aspx2013-03-01T05:00:00ZBanking on Security
https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-december-0012009.aspx2013-03-01T05:00:00ZTop 10 Performing Security Industry Stocks for December
https://sm.asisonline.org/Pages/presidio-combats-fraud-with-ironkey-0011372.aspx2013-01-01T05:00:00ZPresidio Combats Fraud with IronKey
https://sm.asisonline.org/Pages/terrorist-financing-money-laundering-and-tax-evasion-0011369.aspx2013-01-01T05:00:00ZTerrorist Financing, Money Laundering, and Tax Evasion
https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-october-0011374.aspx2013-01-01T05:00:00ZTop 10 Performing Security Industry Stocks for October

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Access-Under-Control.aspxAccess Under Control<p>​<span style="line-height:1.5em;">Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016. </span></p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when.  They decide where to install readers and decide how to pro­cess visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created. The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states.  In addition, it has approximately 120 corporate buildings–data centers, operations centers, call centers, corporate and regional headquarters–that have access control systems. ​</p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data. The Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 require health­care and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data. </p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity as it relates to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate.  </p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility. What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data? </p><p>Access control database administrators must have an ongoing process of maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system–employees, vendors, visitors, temporary card users– and establishing credentials for which each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established. ​</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID. There are employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employers and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching the network login ID covers a majority of the organization’s users. If the records do not match, the user’s access is terminated.   </p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant. The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to one person who is responsible for ensuring that their temporary cards are accounted for.  ​</p><h4>Space</h4><p>BB&T has established criteria and definitions of the physical space in its environment and categorizes space into three categories: critical, restricted, and general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites. Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner. The space owner is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for the requestors to understand what access they are selecting. Grouping as many readers together as possible minimizes the number of possible groupings meaning that there are fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and access report reviews. If all readers for critical space to a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed.  </p><p>However, in some cases, minimizing groupings may not possible. For example, one group of users may be allowed into the IT area but only a subset of that group has access to the server room that resides within the lab. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. This can complicate the request process and the report reviews and could cause access reports to reflect an incomplete list of users who have access to a space. For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this could create a problem since each of the three individual readers belong to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, rather than producing a report of the communications room reader group, an additional report of the group of all three readers would need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors, in this example, a reader report on the communications room only. Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete.  It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial, not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space. Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged and would require a higher level of scrutiny before access is removed. Nonetheless, this is a cleaner way to set up access levels and ensures that space owners will review a report of all users that have access to their space, which is what most auditors are looking for.   ​</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used in a specific timeframe, such as the previous six months. Thus there will be fewer cards to review. Then, security can find a common piece of data with another database in the company that provides a match of current employees. Human resource or information security data is best to determine whether active cardholders in the system still work for the company. Of the remaining cards for nonemployees, visitors, tenants, and contractors, security should research whether the card users can be associated with a manager or employee within the company. Security can work with these internal partners to implement an ongoing review of access cards. ​</p><h4>Maintenance</h4><p>Performing a regular match of human resource or information security data ensures that cards are deactivated for users whose information does not match that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals–not more than quarterly. An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and to support the report review. For example, if the request is for a visitor, security should capture the name of the person who will have that card in their possession during the request.   ​</p><h4>Automation</h4><p>BB&T is working to upgrade the auto­mation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system where approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process. Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities.  </p><p>These efforts may seem daunting, but once the standards are set and the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control.  </p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Guns-and-Security-The-Risks-of-Arming-Security-Officers.aspxGuns and Security: The Risks of Arming Security Officers<p>​Cinemark was not to blame for the 2012 shooting at its Aurora, Colorado, movie theater where gunman James Holmes killed 12 people and injured 70 more. A jury did not find a <a href="http://www.denverpost.com/2016/05/19/cinemark-not-liable-for-aurora-theater-shooting-civil-jury-says/" target="_blank">lawyer’s argument compelling</a> that Cinemark should have provided armed security officers at the premier for <em>The Dark Knight Rises</em> because it was anticipating large crowds.</p><p>But should Cinemark have? Debates about armed security officers have flared up in the media and public discourse over the past few years. With the combination of a uniform and a firearm, armed officers may suggest a sense of security to the greater public, signaling that a business takes security and protection seriously. Others believe the presence of a gun merely stands to escalate dangerous situations.<br></p><p>The debate over the effect of firearms in such settings will not be settled anytime soon. But there are some things we do know about the consequences of arming security officers. Looking at it from an insurance perspective gives us a vantage to examine the risks and real-life consequences of arming security officers.<br></p><p><strong>Demand for Officers</strong><br></p><p>There are more than 1 million private security officers in the United States and about 650,000 police officers, according to the federal <a href="http://www.bls.gov/oes/current/oes333051.htm" target="_blank">Bureau of Labor Statistics (BLS)</a>. After several years of steep increases in the number of security officers, the field is expected to grow by a steady 5 percent every year, the BLS estimates. Private security officers, more and more, are the face of security in the United States.</p><p>In some industries, such as healthcare, armed officers are a growing presence. Crime in healthcare facilities is a serious issue, so hospitals are looking to provide stronger security. The percentage of healthcare facilities that reported staffing armed officers in 2014 was almost double the rate four years prior, according to an <a href="http://www.nytimes.com/2016/02/14/us/hospital-guns-mental-health.html" target="_blank"><em>article in The New York Times. </em><br></a></p><p>“To protect their corridors, 52 percent of medical centers reported that their security personnel carried handguns and 47 percent said they used Tasers,” the Times reported, citing a 2014 survey by the International Association for Healthcare Security and Safety.<br></p><p>As discussed in a previous <em></em><a href="/Pages/The-Dangers-of-Protection-What-Makes-a-Guard-Firm-Low--or-High-Risk.aspx" target="_blank"><em>Security Management </em>article,</a> there’s been a pronounced demand for insurance for armed security officers at legal marijuana facilities. We can always expect there to be demand for armed officers at government facilities, though the demand at schools has decreased slightly.<br></p><p><strong>Pros and Cons of Armed Officers</strong><br></p><p>Many people perceive armed security officers favorably as a deterrent against violence and an assurance that a violent incident can be quickly quelled. From a client’s standpoint, it offers a perception of higher protection.</p><p>Armed security officers are widely accepted as warranted in certain locations where the threat level matches the use of force. Government contracts and high-profile corporate executives are protected by highly trained armed officers. At banks, the risk of robbery also justifies an armed officer.<br></p><p>But from an insurance and risk standpoint, it is difficult to craft a convincing argument for armed security officers in many settings. The presence of a gun is not proven to de-escalate a situation in every environment, and it is unlikely to deter violent and determined individuals. The presence of an additional firearm—even in an officer’s hands—only stands to increase the risk of casualties. This is particularly true of public or crowded environments, like stadiums, schools, and restaurants.<br></p><p>By looking at insurance claims, it’s clear that when a security officer discharges his or her gun, the resulting claims are serious. There is a big difference between an officer using mace and an officer using a gun. Claims resulting from the use of firearms are likely to breach insurance policy limits, so firms employing armed security officers are wise to purchase higher limits of liability than firms not employing armed officers.<br></p><p>When someone is shot by a security officer, his—or his estate—will likely sue the business that contracted the officer. And the security firm and officer are going to be brought into the suit as well—no matter how well-trained the officer. If it goes to trial, it is very rare for a judge and jury to believe use of the weapon was justified. It is almost always perceived as excessive force.<br></p><p>The insurance marketplace for security firms is very small, and employing armed officers reduces the market even further. This means firms that provide armed officers will be paying a higher premium for less coverage; they will most likely be relegated to the surplus lines insurance market, which can mean more policy exclusions. Therefore, it’s important for the security firm to weigh the increased costs and policy limitations of taking on an armed contract.<br></p><p><strong>Mitigating Risks of Armed Officers</strong><br></p><p>If a client insists on armed officers, there are steps that can be taken to reduce the risk of an officer discharging his or her weapon. </p><p>All officers should be checked against lists of individuals who are not permitted to carry firearms, in addition to the usual criminal background check. For armed posts, staff them with off-duty or former law enforcement officers; police receive extensive firearms training, as well as other training that helps them de-escalate challenging situations.<br></p><p>Consider local or state licensing requirements for armed security officers—they can vary by municipality. In some states, armed officers are not required to have special firearms training. For those states that do, officers and clients can be protected by ensuring that officers are trained to use firearms. Situational training, which is recommended for all officers, is particularly important for armed security officers as it teaches them to understand a judicious use of force for the environment they serve.<br></p><p>There are no easy, blanket answers to the question of whether to arm security officers. But looking at the risks and financial implications might help security leaders make decisions on a case-by-case basis.<br></p><p><em>Tory Brownyard is the president of Brownyard Group, a program administrator that pioneered liability insurance for security guard firms more than 60 years ago. He can be reached at tbrownyard@brownyard.com or 1-800-645-5820.</em><br></p><p><br></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Book-Review---Workplace-Safety.aspxBook Review: Workplace Safety<p>Butterworth-Heinema​nn; Elsevier.com; 180 pages; $49.95.</p><p>The threat of workplace violence is a continuous issue affecting the well-being of the American workforce. Horrific reports and images of violent acts in the workplace appear far too often in the media, disrupting the safety, well-being, and productivity of the general public. </p><p>In an attempt to help businesses and organizations deter or deflect these violent acts, Randall W. Ferris and Daniel Murphy authored <em>Workplace Safety: Establishing an Effective Violence Prevention Program. </em>This is a well-intended book designed to help organizations with the development of policies and practices to prevent violence in the workplace. The book offers information on applicable topics, including relevant definitions, justifications for workplace violence procedures, explanations of various types of violence, environmental causes, and possible motives behind the attacks, as well as details for creating and implementing methods to prevent violent incidents. The authors draw from the guidelines presented in the Occupational Safety and Health Administration’s standards for the prevention of workplace violence as their primary source of creditable information.</p><p>The book reads more like a how-to manual than a professional publication. The chapters are consistently formatted with a motivational quote, chapter contents, an abstract, and applicable key words. The chapters include various personal experiences from the authors, fictitious scenarios, and bulleted or numerical lists pertaining to the chapter’s content. Further diluting the professionalism is the use of common or slang terms in text that is often brash or casual. </p><p>There is value here for some audiences. For organizations that have not developed procedures to deter or respond to violent incidents in the workplace and those that do not understand the concept of these issues, this could be a helpful guide. Those working in human resources or facility management and individuals who are new to security management can gain some useful information. Also, managers desiring to completely redesign or reevaluate their workplace violence policies might use this book as a starting point. However, it should be viewed as a supplemental publication and not a primary source. Workplace Safety: Establishing an Effective Violence Prevention Program will not impress the educated or experienced reader or introduce new concepts that have not been previously explored. </p><p><em><strong>Reviewer: Joseph Jaksa, Ph.D., CPP, </strong>is an associate professor of criminal justice at Michigan’s Saginaw Valley State University. He is a member of ASIS International and the Saginaw Valley Chapter of ASIS.  </em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465