Strategic Security

 

 

https://sm.asisonline.org/Pages/After-an-Active-Shooter.aspxAfter an Active ShooterGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-05-01T04:00:00Zhttps://adminsm.asisonline.org/pages/holly-gilbert-stowell.aspx, Holly Gilbert Stowell<p>​Organizations affected by an active shooter event will face extraordinary challenges from the moment the first shot is fired. Even if the company is able to maintain business operations in the aftermath, the physical and emotional recovery can go on for months and years after the event. Besides reevaluating physical security measures, updating business continuity plans, and dealing with possible lawsuits, companies also have a responsibility toward their employees who have suffered severe emotional trauma. </p><p>To recover from an active shooter event, restore business operations, and retain employees, experts say that business continuity planning, communication strategies, and personnel issues should be among the top priorities for organizations. In this article, experts discuss what security professionals can do in the aftermath of an incident to recover as quickly and effectively as possible.​</p><h4>Business Response </h4><p>Business operations will be devastated by an active shooter situation, experts say. Access to the building, or at least the floors where the incident occurred, will be virtually impossible.  </p><p>“Law enforcement is going to lock down the building, and it may not be given back for many days,” says Dave Hunt, senior instructor at Kiernan Group Holdings, a consulting firm that assists companies in planning for and responding to active shooter events. “It depends entirely on the extent of the incident–how many injured, dead, how many bullets? Every single trajectory of every single bullet, every shell casing, is all going to be essentially recovered.” </p><p>Communication. Having a well-prepared crisis communications plan in place before an incident is crucial, but executing that strategy is inevitably more difficult when faced with a real-life tragedy. Experts say that an organization needs to maintain open communication with various groups following an active shooter event.</p><p>Because news travels at lightning speed, any organization affected by an active shooter event can expect the media to pick up on it almost immediately. “When an incident occurs, local media, newspapers, and TV stations are going to hear about it and they’re going to descend on that campus or facility,” says Josh Sinai, principal analyst at Kiernan Group Holdings, “and this will happen within 30 minutes.”</p><p>Talking to the media and the public can be one in the same, says Hunt, and he recommends that companies put a message on their social accounts and websites, and have a skilled speaker to talk to the press. “The media is one avenue through which the public can be communicated to,” he says, “but today we can also communicate with the public directly via Twitter, websites–there are all kinds of different social media options.” </p><p>Larry Barton, a crisis management consultant, echoes this sentiment: “Get to the media before they get to you.” He recommends that leadership have several preplanned responses to rely upon and modify, as needed. </p><p>“This is where a company can really distinguish itself by being crisis-prepared. Have your frequently asked questions ready, and start filling in the blanks from the moment the incident occurs,” Barton says. “You can keep refining them, you can keep massaging them, but get them started.”</p><p>These communication techniques work in the case of any crisis, says Darryl Armstrong, crisis communications expert at Armstrong and Associates. For example, one of his clients, a company responsible for large cleanup jobs after natural disasters and other hazardous events, used prewritten statements for large-scale incidents to quickly communicate with the media. </p><p>“On the front end, they sat down as a core team and had put together an extensive set of media holding statements,” he says. These holding statements are prewritten messages that refer to specific event types, such as active shooter, fire, or medical hazard, for example. The documents can be easily accessed and modified during a crisis, then quickly sent out to the media and the public. </p><p>He adds that the company also took the time to think about “every single question imaginable” that could come up in a press conference for any given disaster. “There was not a single question in the press conference they were not prepared to handle,” Armstrong says. </p><p>Stakeholders. Communicating with family members of employees, especially those who are killed or wounded, should be a priority for companies after an active shooter event. </p><p>Barton, who helps clients prepare for and respond to active shooter and workplace violence events, tells Security Management that he recently worked for an industrial facility in Tennessee that lost three employees in a workplace shooting. Within an hour after the incident, the employer had contacted all the victims’ families. This should be a standard practice for any company that finds itself in a similar crisis, he says. </p><p>“There is not an ounce of liability associated with being kind to a family after an active shooter event,” he notes. “We have to say to our legal colleagues in HR, ‘This is not about the handbook, this is about the Golden Rule. We have to do the right thing.’”</p><p>Small and family-owned businesses tend to handle these events with more empathy, making for a faster overall recovery, says Armstrong. “In the recovery phase, they make themselves available. They go out of their way to do what they can to help the victims’ families, and the communities rally around them,” he notes. </p><p>He adds that universities are another sector that handle communicating with stakeholders well, given that there are usually guidance counselors and psychologists on staff. “Their crisis management teams typically include people who are interacting daily with students and parents, so they are able to empathize.” </p><p>Barton adds that while social media makes a great tool for communicating with the public post-incident, the platform is not appropriate for informing family members of any details. “Shame on any company where an employee’s loss of life is shared with the family by Twitter. That has happened, it will continue to happen, and you must never allow that to happen on your watch.”</p><p>Organizations may consider using “dark websites” that go live in the event of an emergency. When someone types in the main URL for the organization, they are redirected to a ghost site that has the latest information available. Armstrong recommends that organizations set up these pages to have at least 10 times the bandwidth as their normal site to accommodate heavy traffic. ​</p><h4>Recovery</h4><p>A well-prepared organization can continue business operations in the event of a range of hazards, such as bad weather or a fire, and it can build off those same crisis continuity plans when recovering from an active shooter event. “This is one more threat that your organization should be preparing for to determine how you can continue operations,” Hunt says. </p><p><strong>Business operations. </strong>Hunt recommends identifying an off-site location where operations can take place while the building is still being evaluated by law enforcement or damage is being repaired. IT systems should be backed up so they can be accessed from anywhere. </p><p>“You need redundancy for roles,” adds Sinai, who says that at least one additional person should be trained in each major position at an organization. That way if someone in a leadership role is killed or injured, their job function is not completely lost. </p><p>Company leaders will still be addressing basic questions of business operations that could easily be overlooked in the aftermath of a tragedy. Barton notes that employees who survive an incident are still worried about their livelihood. “Besides asking who got hurt or was killed, the second thing is, ‘Are we going to be paid?’” he notes. “So we have to have our leadership rehearse and train on a wide variety of questions that will come up.”</p><p>As a benchmark for business recovery, Sinai cites the example of a beer distribution plant in Manchester, Connecticut, that suffered an active shooter event. On August 3, 2010, eight employees of Hartford Distributors were killed by another worker at the facility who was being escorted out of the building after resigning. “It was a small business, it didn’t have the resources of a big company,” Barton says. But this distributor reached out to surrounding companies for help. </p><p>The beer distributor didn’t have a trained counselor on staff, so Manchester law enforcement contacted area businesses to get trauma counselors and ministers onsite. “Know the community resources that can be at your site within an hour after any catastrophe,” Barton says. </p><p>An offsite location was being set up for business operations, but employees protested, saying they felt strongly about returning to the original facility as soon as possible. In the days following the shooting, 100 employees from other beer distribution plants in Connecticut, as well as in Rhode Island, came to assist the company in keeping business operations on track. A memorial service was held for the employees who lost their lives. The company president addressed workers on the front lawn, in front of a makeshift mem­orial, before they reopened their doors. </p><p>Just two months after the tragedy, Hartford Distributors merged with another beer company, Franklin Distributors, forming a larger organization. “The shooting was a very tough thing for all of us to go through,” Jim Stack, president of the new business, said to the Hartford Business Journal in a January 2011 article. “It certainly slowed some things down for us in coming together, but it did not stop us.”</p><p><strong>Emotional response.</strong> The trauma inflicted on those who survive an active shooter incident can be enormous, and experts say that businesses ought to prepare in advance to provide mental health assistance for affected employees. This will help businesses recovery more quickly by retaining experienced workers, and provide employees with the emotional help they need. </p><p>Hunt cites the Navy Yard shooting in Washington, D.C., in September 2013, when a shooter killed 13 employees. He says that employees were shaken that an active shooter could breach a secure military installation. “People who were interviewed following that incident were asked, ‘Do you feel safe going back to work?’ and the answer was, ‘No, I don’t feel safe going back to work.’” Hunt notes. “So you have the potential of losing employees, which are your most valuable asset, as a result of this incident.” </p><p>Employees may not show immediate signs of trauma–negative emotions could surface months later. “Depression and PTSD are rarely going to emerge in the first hour. Your body is still in shock,” Barton says.  </p><p>Experts stress the importance of employee assistance programs (EAPs), which are confidential and provide counseling, assessments, and referrals for workers with personal or work-related concerns. </p><p>“In all 50 states you can mandate that an employee actually go to an EAP program if there was a critical incident,” Barton notes, though he doesn’t recommend it in every case. </p><p>To order an employee to seek counseling, the worker must demonstrate tangible evidence that they may pose a risk of harming themselves or others, Barton says, such as mentioning suicide, a desire to hurt others, or talking about weapons. Employers may decide instead to have a sit-down with that worker and have them sign a letter acknowledging they made the remarks, but understand doing it again could result in termination. “EAP is not your human resources department, they are there to support your HR department,” he emphasizes. </p><p>There will also be organizations indirectly affected by shootings. For example, Barton worked with one financial firm that had a worker lose a family member in a high-profile mass shooting. The other employees struggled with how to respond to him emotionally. The company asked Barton to hold a debriefing to address people’s concerns. </p><p>“I heard it all,” Barton says. “Do you leave a card on the desk? Do you kind of ignore him and just look the other way? Do you come up and say, ‘I have no idea what you went through but my prayers are with you?’” Ultimately, he says you can expect a variety of emotions expressed by employees at businesses both directly and indirectly impacted by these events, including fear, sadness, and even anger. </p><p><strong>Outlook. </strong>Conducting an after-action report may be a good idea for organizations that have suffered an active shooter event, experts say. It not only helps evaluate what worked and what did not in response to an incident, but other practitioners can turn to these documents for their own planning. “It’s very important for a security officer to look at after-action reports and to get best practices out of it,” Sinai says. </p><p>He cites the after-action report completed by the U.S. Fire Administration on Northern Illinois University (NIU) after a classroom shooting on campus in 2008. That tragedy left six people dead, including the perpetrator. </p><p>The report cites that NIU had studied the official report on the Virginia Tech Shooting and was prepared for the tragedy that occurred in its own building just a year later. “The value of that report, their training, and their joint planning was apparent in the excellent response to Cole Hall,” the after-action report stated of the university. </p><p>While organizations may recover from a business standpoint, there may be significant changes implemented afterwards. For example, the building that formerly housed Sandy Hook elementary was torn down, and a new facility was constructed at the same site. That building reopened in August of last year, nearly four years after the shooting. In the case of Virginia Tech, the classroom building where the second shootings took place was turned into a dormitory hall. </p><p>Overall, Hunt says that while organizations can never fully prepare themselves for a tragedy, they can learn from even the worst of situations. “You’re going to identify a lot of areas that can be improved,” he says. “There’s never going to be a perfect plan or a perfect response.” </p><p><em>​To read how the city of San Bernardino ​recovered from the 2015 holiday party shooting that killed 14 people, <a href="/Pages/Responding-to-San-Bernardino.aspx" target="_blank">click here.​</a></em><br></p><p>--</p><h2>Active Shooter Liability<br><br></h2><p>​In the case of an active shooter, U.S. companies are liable for protecting their employees as in any workplace violence incident. Under the U.S. Occupational Safety and Health Act of 1970, every U.S. employer is required to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees.” U.S. state and local provinces may also have their own relevant laws.</p><p>Hunt says companies that suffer a shooting can expect lawsuits. “If a family member is killed or injured here, there’s a high likelihood there will be a lawsuit alleging that not enough was done to prevent the incident, or to protect them during the incident,” he says. The case of disabled workers can also come up. “Someone who is disabled may feel they weren’t appropriately accommodated,” a requirement under the U.S. Americans with Disabilities Act. </p><p>Barton says he believes a little effort and communication goes a long way in helping reduce the severity of a lawsuit when employees are killed. “If you can, reach out to the family with the support of your legal department to simply say, ‘We are here for you,’” he notes.</p><p>In addition to advanced planning, organizations need to carefully document the steps they take in the aftermath to help their case “There’s going to be a lot of holes in there. But at least say, ‘Here are the steps that we did proactively take to try to manage the incident.’”​​ ​</p>

 

 

https://sm.asisonline.org/Pages/Book-Review---Info-Risk.aspx2017-05-01T04:00:00ZBook Review: Info Risk
https://sm.asisonline.org/Pages/The-Roots-of-Risk.aspx2017-05-01T04:00:00ZThe Roots of Risk
https://sm.asisonline.org/Pages/Facebook-Takes-Action-To-Limit-Spread-of-Propaganda.aspx2017-04-28T04:00:00ZFacebook Takes Action To Limit Spread of Propaganda

 

 

https://sm.asisonline.org/Pages/SM-Online-June-2017.aspx2017-06-01T04:00:00ZSM Online June 2017
https://sm.asisonline.org/Pages/Bully-for-You-.aspx2017-05-01T04:00:00ZBully for You?
https://sm.asisonline.org/Pages/Flying-Solo.aspx2017-05-01T04:00:00ZFlying Solo

 

 

https://sm.asisonline.org/Pages/The-Road-to-Resilience.aspx2017-02-01T05:00:00ZThe Road to Resilience
https://sm.asisonline.org/Pages/Silencing-False-Alarms.aspx2016-12-06T05:00:00ZSilencing False Alarms
https://sm.asisonline.org/Pages/Playing-Clean.aspx2016-12-01T05:00:00ZPlaying Clean

 

 

https://sm.asisonline.org/Pages/The-Most-Resilient-Countries-in-the-World.aspx2017-05-11T04:00:00ZThe Most Resilient Countries in the World
https://sm.asisonline.org/Pages/After-an-Active-Shooter.aspx2017-05-01T04:00:00ZAfter an Active Shooter
https://sm.asisonline.org/Pages/Responding-to-San-Bernardino.aspx2017-05-01T04:00:00ZResponding to San Bernardino

 

 

https://sm.asisonline.org/Pages/Legal-Report-Resources-June-2017.aspx2017-06-01T04:00:00ZLegal Report Resources June 2017
https://sm.asisonline.org/Pages/SM-Online-May-2017.aspx2017-05-01T04:00:00ZSM Online May 2017
https://sm.asisonline.org/Pages/Legal-Report-Resources-May-2017.aspx2017-05-01T04:00:00ZLegal Report Resources May 2017

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Drafting-a-Blueprint-for-Security.aspxDrafting a Blueprint for Security<p>​<span style="line-height:1.5em;">Immediately upon concluding the construction of a secure-asset facility 10 years ago, project management hit a major setback: the security manager. Instead of working with the design team and project manager in the initial phases of the project, the security manager waited until the new facility was already erected to determine where security cameras needed to be placed.</span></p><p>“All of a sudden, we’re moving cameras and changing openings and sleeves in the wall for wiring because [the security manager] had difficulty reading blueprints,” says Rick Lavelle, PSP, principal architect and owner of Creador Architecture, of the experience. Instead of admitting that he had this difficulty, the security manager waited until he could see the facility three-dimensionally, causing delays and increasing project costs.</p><p>“Then he’d step in and really do his job that would have been helpful to have earlier in the process,” Lavelle explains.</p><p>To help prevent security professionals from becoming similar setbacks in construction projects, Security Management sat down with Lavelle; Mark Schreiber, CPP, principal consultant for Safeguards Consulting and chair of the ASIS International Security Architecture and Engineering Council; Rene Rieder, Jr., CPP, PSP, associate principal at Ove Arup & Partners; and J. Kelly Stewart, managing director and CEO of Newcastle Consulting, for their tips on navigating the document and project management process.​</p><h4>1. Know Your Team</h4><p>Like almost any project that involves numerous people, it’s crucial to understand that a construction project is a team effort that requires team members to understand the process and communicate with each other.</p><p>“We emphasize...know who your team is, align with your team, and communicate with your team as much as possible because that will support a central project,” Schreiber explains. </p><p>And this team can be quite large, including top executives at the company, the project manager, the facility operations manager, the facility engineer, the security manager, security consultants, architects and designers, engineers, and general consultants—just to name a few. The council encourages team members to construct a simple diagram to help keep track of everyone.</p><p>While it may take a while, identifying the team and communicating with them helps ensure that security is included in construction project discussions from the very beginning—something that doesn’t always happen automatically. </p><p>“I was fairly surprised to learn early on in one of [the first classes I taught] that most of the project is completed—and sometimes is built—when the security manager gets a roll of drawings and they say, ‘Give us a security plan,’” Lavelle says.  </p><p>To change this, he explains that security needs to “know the relationships within their own companies that they need to develop so that doesn’t happen to them, [and that they make sure] they’re brought in earlier in the process. That leads to a much more successful implementation of anybody’s security plan.”</p><p>Lavelle also recommends that security leads work with the IT department during the project. “Getting IT, security, and the facilities people together on one team and having them all have the same direction, you’ll probably have the most effective security program that’s possible,” he explains.​</p><h4>2. Know Your Goals</h4><p>A construction project is rarely initiated just to meet a security need. It’s typically instigated to meet some other operational need, such as to increase manufacturing capacity. So the security department must ensure that its goals for the project—whether it’s introducing a new CCTV system or implementing its existing access control system—align with the overarching goals for the new facility.</p><p>“Just because they now have been given the green light to do an improvement for their facility doesn’t mean that they can go in and put every possible technology, every possible countermeasure that they’ve been dreaming about for years in,” Schreiber says. “They have to work within the goals of that project.”</p><p>This means that once the goals for the facility are outlined, the security department needs to specify its own project goals, providing a way to measure those goals, ensuring that goals are attainable and relevant to the overall project, identifying the starting functional requirements, and making sure they meet time and budgetary constraints. In the case of a new manufacturing plant, for example, CCTV might be attractive to other departments as well, such as quality management or logistics, creating a stronger case for the technology and getting these departments to share the expense.</p><p>By going through this process, security professionals can make sure that their goals are aligned with the overall project goals, enabling them to have success, Schreiber adds. “Whereas the more they stray away, they’re going to essentially be spinning their wheels, wasting effort, and possibly jeopardizing credibility.”​</p><h4>3. Know Your Documents</h4><p>For most security professionals, being part of a construction project is not routine. Nor is the process of reading project manuals, floor plans, elevations, and other drawing plans. But understanding what these documents are and how they come together to represent a construction project is key to the success of the project “because if the documents are correct, then you have a sound project for development,” Stewart says.</p><p>That’s because the documents work together as a guide detailing the design of the project, the technology that will be installed, and where exactly those installations will take place in the final construction. </p><p>And while discussing changes or where technology should be installed in the final project, security directors can communicate with design professionals and architects—regardless of their drawing skills, Lavelle adds. A quick visual representation of the camera and access control location can be helpful. </p><p>While these discussions are taking place, it’s important to document changes throughout the process and review them with the project team after each step is completed. “It’s arduous, but it’s a necessary evil because if you skip a step, you’ll forget something or something will fall through the cracks,” Stewart explains.</p><p>After the construction project is completed, it’s important to continue to keep track of its documentation and make sure it’s up to date so it reflects the current facility. In one case, Stewart took over as a director of security for a company that hadn’t documented the many changes to its system over the years. </p><p>“I actually had to bring in a security consultant and architect to figure out where all the stuff was,” he says. “There were drawings that were going back 20 years, which had nothing to do with the current system.”​</p><h4>4. Know Your Chain of Command</h4><p>In an ideal world, once the initial security goals for the project are outlined and plans are designed to implement them, nothing would change. “But truthfully, it never works that way,” Lavelle says. And when changes or problems occur, it’s critical to know who in the project team you need to talk to about implementing a solution. </p><p>As the project goes further along, you spend less time with the design team and more time with the general contractor, Lavelle explains. This means that security directors need to understand the roles and responsibilities of those involved in the project, and who they need to speak to about changes throughout the process.</p><p>For instance, some construction projects can take more than 18 months to complete, and during that time technology may change or new company policies may be implemented. The security needs for the project may shift, but it might not be appropriate to seek executive approval for the change.</p><p>“Going back to the CEO or the CFO who approved the project costs in the beginning may not be appropriate if you’re halfway through construction,” Lavelle says. Instead, security directors will likely need to go to the facility or project manager, or even their direct supervisor, to have the changes approved.</p><p>Most security professionals have never been involved in a construction project. For them, this is a “once in their career” experience, Rieder says. Following the steps outlined above can help smooth the way. However, if a project seems overwhelming security professionals need to reach out to peers or experts for help and advice.</p><p><em>​The Security Architecture and Engineering Council is sponsoring an educational session on the <a href="https://www.asisonline.org/Education-Events/Education-Programs/Classroom/Pages/Security-Document-and-Project-Management-Process.aspx" target="_blank">security document and project management process​</a> in October.</em><br></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/After-an-Active-Shooter.aspxAfter an Active Shooter<p>​Organizations affected by an active shooter event will face extraordinary challenges from the moment the first shot is fired. Even if the company is able to maintain business operations in the aftermath, the physical and emotional recovery can go on for months and years after the event. Besides reevaluating physical security measures, updating business continuity plans, and dealing with possible lawsuits, companies also have a responsibility toward their employees who have suffered severe emotional trauma. </p><p>To recover from an active shooter event, restore business operations, and retain employees, experts say that business continuity planning, communication strategies, and personnel issues should be among the top priorities for organizations. In this article, experts discuss what security professionals can do in the aftermath of an incident to recover as quickly and effectively as possible.​</p><h4>Business Response </h4><p>Business operations will be devastated by an active shooter situation, experts say. Access to the building, or at least the floors where the incident occurred, will be virtually impossible.  </p><p>“Law enforcement is going to lock down the building, and it may not be given back for many days,” says Dave Hunt, senior instructor at Kiernan Group Holdings, a consulting firm that assists companies in planning for and responding to active shooter events. “It depends entirely on the extent of the incident–how many injured, dead, how many bullets? Every single trajectory of every single bullet, every shell casing, is all going to be essentially recovered.” </p><p>Communication. Having a well-prepared crisis communications plan in place before an incident is crucial, but executing that strategy is inevitably more difficult when faced with a real-life tragedy. Experts say that an organization needs to maintain open communication with various groups following an active shooter event.</p><p>Because news travels at lightning speed, any organization affected by an active shooter event can expect the media to pick up on it almost immediately. “When an incident occurs, local media, newspapers, and TV stations are going to hear about it and they’re going to descend on that campus or facility,” says Josh Sinai, principal analyst at Kiernan Group Holdings, “and this will happen within 30 minutes.”</p><p>Talking to the media and the public can be one in the same, says Hunt, and he recommends that companies put a message on their social accounts and websites, and have a skilled speaker to talk to the press. “The media is one avenue through which the public can be communicated to,” he says, “but today we can also communicate with the public directly via Twitter, websites–there are all kinds of different social media options.” </p><p>Larry Barton, a crisis management consultant, echoes this sentiment: “Get to the media before they get to you.” He recommends that leadership have several preplanned responses to rely upon and modify, as needed. </p><p>“This is where a company can really distinguish itself by being crisis-prepared. Have your frequently asked questions ready, and start filling in the blanks from the moment the incident occurs,” Barton says. “You can keep refining them, you can keep massaging them, but get them started.”</p><p>These communication techniques work in the case of any crisis, says Darryl Armstrong, crisis communications expert at Armstrong and Associates. For example, one of his clients, a company responsible for large cleanup jobs after natural disasters and other hazardous events, used prewritten statements for large-scale incidents to quickly communicate with the media. </p><p>“On the front end, they sat down as a core team and had put together an extensive set of media holding statements,” he says. These holding statements are prewritten messages that refer to specific event types, such as active shooter, fire, or medical hazard, for example. The documents can be easily accessed and modified during a crisis, then quickly sent out to the media and the public. </p><p>He adds that the company also took the time to think about “every single question imaginable” that could come up in a press conference for any given disaster. “There was not a single question in the press conference they were not prepared to handle,” Armstrong says. </p><p>Stakeholders. Communicating with family members of employees, especially those who are killed or wounded, should be a priority for companies after an active shooter event. </p><p>Barton, who helps clients prepare for and respond to active shooter and workplace violence events, tells Security Management that he recently worked for an industrial facility in Tennessee that lost three employees in a workplace shooting. Within an hour after the incident, the employer had contacted all the victims’ families. This should be a standard practice for any company that finds itself in a similar crisis, he says. </p><p>“There is not an ounce of liability associated with being kind to a family after an active shooter event,” he notes. “We have to say to our legal colleagues in HR, ‘This is not about the handbook, this is about the Golden Rule. We have to do the right thing.’”</p><p>Small and family-owned businesses tend to handle these events with more empathy, making for a faster overall recovery, says Armstrong. “In the recovery phase, they make themselves available. They go out of their way to do what they can to help the victims’ families, and the communities rally around them,” he notes. </p><p>He adds that universities are another sector that handle communicating with stakeholders well, given that there are usually guidance counselors and psychologists on staff. “Their crisis management teams typically include people who are interacting daily with students and parents, so they are able to empathize.” </p><p>Barton adds that while social media makes a great tool for communicating with the public post-incident, the platform is not appropriate for informing family members of any details. “Shame on any company where an employee’s loss of life is shared with the family by Twitter. That has happened, it will continue to happen, and you must never allow that to happen on your watch.”</p><p>Organizations may consider using “dark websites” that go live in the event of an emergency. When someone types in the main URL for the organization, they are redirected to a ghost site that has the latest information available. Armstrong recommends that organizations set up these pages to have at least 10 times the bandwidth as their normal site to accommodate heavy traffic. ​</p><h4>Recovery</h4><p>A well-prepared organization can continue business operations in the event of a range of hazards, such as bad weather or a fire, and it can build off those same crisis continuity plans when recovering from an active shooter event. “This is one more threat that your organization should be preparing for to determine how you can continue operations,” Hunt says. </p><p><strong>Business operations. </strong>Hunt recommends identifying an off-site location where operations can take place while the building is still being evaluated by law enforcement or damage is being repaired. IT systems should be backed up so they can be accessed from anywhere. </p><p>“You need redundancy for roles,” adds Sinai, who says that at least one additional person should be trained in each major position at an organization. That way if someone in a leadership role is killed or injured, their job function is not completely lost. </p><p>Company leaders will still be addressing basic questions of business operations that could easily be overlooked in the aftermath of a tragedy. Barton notes that employees who survive an incident are still worried about their livelihood. “Besides asking who got hurt or was killed, the second thing is, ‘Are we going to be paid?’” he notes. “So we have to have our leadership rehearse and train on a wide variety of questions that will come up.”</p><p>As a benchmark for business recovery, Sinai cites the example of a beer distribution plant in Manchester, Connecticut, that suffered an active shooter event. On August 3, 2010, eight employees of Hartford Distributors were killed by another worker at the facility who was being escorted out of the building after resigning. “It was a small business, it didn’t have the resources of a big company,” Barton says. But this distributor reached out to surrounding companies for help. </p><p>The beer distributor didn’t have a trained counselor on staff, so Manchester law enforcement contacted area businesses to get trauma counselors and ministers onsite. “Know the community resources that can be at your site within an hour after any catastrophe,” Barton says. </p><p>An offsite location was being set up for business operations, but employees protested, saying they felt strongly about returning to the original facility as soon as possible. In the days following the shooting, 100 employees from other beer distribution plants in Connecticut, as well as in Rhode Island, came to assist the company in keeping business operations on track. A memorial service was held for the employees who lost their lives. The company president addressed workers on the front lawn, in front of a makeshift mem­orial, before they reopened their doors. </p><p>Just two months after the tragedy, Hartford Distributors merged with another beer company, Franklin Distributors, forming a larger organization. “The shooting was a very tough thing for all of us to go through,” Jim Stack, president of the new business, said to the Hartford Business Journal in a January 2011 article. “It certainly slowed some things down for us in coming together, but it did not stop us.”</p><p><strong>Emotional response.</strong> The trauma inflicted on those who survive an active shooter incident can be enormous, and experts say that businesses ought to prepare in advance to provide mental health assistance for affected employees. This will help businesses recovery more quickly by retaining experienced workers, and provide employees with the emotional help they need. </p><p>Hunt cites the Navy Yard shooting in Washington, D.C., in September 2013, when a shooter killed 13 employees. He says that employees were shaken that an active shooter could breach a secure military installation. “People who were interviewed following that incident were asked, ‘Do you feel safe going back to work?’ and the answer was, ‘No, I don’t feel safe going back to work.’” Hunt notes. “So you have the potential of losing employees, which are your most valuable asset, as a result of this incident.” </p><p>Employees may not show immediate signs of trauma–negative emotions could surface months later. “Depression and PTSD are rarely going to emerge in the first hour. Your body is still in shock,” Barton says.  </p><p>Experts stress the importance of employee assistance programs (EAPs), which are confidential and provide counseling, assessments, and referrals for workers with personal or work-related concerns. </p><p>“In all 50 states you can mandate that an employee actually go to an EAP program if there was a critical incident,” Barton notes, though he doesn’t recommend it in every case. </p><p>To order an employee to seek counseling, the worker must demonstrate tangible evidence that they may pose a risk of harming themselves or others, Barton says, such as mentioning suicide, a desire to hurt others, or talking about weapons. Employers may decide instead to have a sit-down with that worker and have them sign a letter acknowledging they made the remarks, but understand doing it again could result in termination. “EAP is not your human resources department, they are there to support your HR department,” he emphasizes. </p><p>There will also be organizations indirectly affected by shootings. For example, Barton worked with one financial firm that had a worker lose a family member in a high-profile mass shooting. The other employees struggled with how to respond to him emotionally. The company asked Barton to hold a debriefing to address people’s concerns. </p><p>“I heard it all,” Barton says. “Do you leave a card on the desk? Do you kind of ignore him and just look the other way? Do you come up and say, ‘I have no idea what you went through but my prayers are with you?’” Ultimately, he says you can expect a variety of emotions expressed by employees at businesses both directly and indirectly impacted by these events, including fear, sadness, and even anger. </p><p><strong>Outlook. </strong>Conducting an after-action report may be a good idea for organizations that have suffered an active shooter event, experts say. It not only helps evaluate what worked and what did not in response to an incident, but other practitioners can turn to these documents for their own planning. “It’s very important for a security officer to look at after-action reports and to get best practices out of it,” Sinai says. </p><p>He cites the after-action report completed by the U.S. Fire Administration on Northern Illinois University (NIU) after a classroom shooting on campus in 2008. That tragedy left six people dead, including the perpetrator. </p><p>The report cites that NIU had studied the official report on the Virginia Tech Shooting and was prepared for the tragedy that occurred in its own building just a year later. “The value of that report, their training, and their joint planning was apparent in the excellent response to Cole Hall,” the after-action report stated of the university. </p><p>While organizations may recover from a business standpoint, there may be significant changes implemented afterwards. For example, the building that formerly housed Sandy Hook elementary was torn down, and a new facility was constructed at the same site. That building reopened in August of last year, nearly four years after the shooting. In the case of Virginia Tech, the classroom building where the second shootings took place was turned into a dormitory hall. </p><p>Overall, Hunt says that while organizations can never fully prepare themselves for a tragedy, they can learn from even the worst of situations. “You’re going to identify a lot of areas that can be improved,” he says. “There’s never going to be a perfect plan or a perfect response.” </p><p><em>​To read how the city of San Bernardino ​recovered from the 2015 holiday party shooting that killed 14 people, <a href="/Pages/Responding-to-San-Bernardino.aspx" target="_blank">click here.​</a></em><br></p><p>--</p><h2>Active Shooter Liability<br><br></h2><p>​In the case of an active shooter, U.S. companies are liable for protecting their employees as in any workplace violence incident. Under the U.S. Occupational Safety and Health Act of 1970, every U.S. employer is required to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees.” U.S. state and local provinces may also have their own relevant laws.</p><p>Hunt says companies that suffer a shooting can expect lawsuits. “If a family member is killed or injured here, there’s a high likelihood there will be a lawsuit alleging that not enough was done to prevent the incident, or to protect them during the incident,” he says. The case of disabled workers can also come up. “Someone who is disabled may feel they weren’t appropriately accommodated,” a requirement under the U.S. Americans with Disabilities Act. </p><p>Barton says he believes a little effort and communication goes a long way in helping reduce the severity of a lawsuit when employees are killed. “If you can, reach out to the family with the support of your legal department to simply say, ‘We are here for you,’” he notes.</p><p>In addition to advanced planning, organizations need to carefully document the steps they take in the aftermath to help their case “There’s going to be a lot of holes in there. But at least say, ‘Here are the steps that we did proactively take to try to manage the incident.’”​​ ​</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Intelligent-Infrastructure.aspxIntelligent Infrastructure<p>​<span style="line-height:1.5em;">The familiar Tower of Babel story comes from the Bible in the Book of Genesis. After the Great Flood, all the people on earth spoke a common language, and they decided to build a tower that would reach to the heavens. Upon seeing their actions, God was angered, and confused their languages so that they could not communicate with one another, and scattered them across the face of the earth. </span></p><p>In many buildings today, a similar disparity of language exists in the technology deployed throughout the structure, creating scattered data points that can’t be leveraged in a useful way. This inefficiency leads to higher energy and facility maintenance costs, and less productivity overall. </p><p>But experts say smart buildings are correcting the “Tower of Babel” effect in disparate building management systems, and saving companies millions of dollars. A smart building turns the multitude of data coming from sensors and equipment throughout the structure into actionable intelligence, giving operators one platform that controls everything from lighting to life safety systems.</p><p>Smart buildings are energy information systems that have diagnostic and performance monitoring feedback tools, according to Jessica Granderson, research scientist and deputy of research programs at the Lawrence Berkeley National Laboratory. Known as Berkeley Lab, the prestigious research institute has been associated with 12 Nobel prizes, and is one of several labs across the nation overseen by the U.S. Department of Energy. “What’s at the core of a smart building is the intersection of sensing and measurement, or production of information, combined with connectivity and cross-system integration to be able to deliver and improve efficiency, improve operations, maintenance, and management,” Granderson says.</p><p>She says the experience of those who actually occupy the building and maintain the services that need to be delivered is a critical component of a smart building. Also at the core is a strong IT agenda, governing how the company can “use data sensing and measurement to not only optimize the operation of any individual system, like the HVAC system or the lighting system, but then also use networking and an increased degree of connectivity to integrate across those systems for those who are running and managing the building,” she says.  </p><p>Smart buildings are a growing industry. Research by the International Data Corporation forecasts that the smart building revolution will grow from around $8 billion in 2014 to more than $21 billion by 2018. Using smart technology, building operators can detect when something’s not working properly, or be alerted when a piece of equipment is about to fail and dispatch an engineer to fix it. And because corporate buildings account for 65 percent of electricity consumption in the United States and 36 percent of total energy use, according to numbers from the Environmental Protection Agency, integrating smart building technology is set to save industries millions of dollars in energy costs.</p><p>Following is a discussion of how Microsoft turned a sprawling corporate campus into a more efficient network of smart buildings. Then, experts discuss the challenges wireless devices create for smart buildings and how standards and best practices can help mitigate these concerns.​</p><h4>Microsoft’s Smart Campus</h4><p>Microsoft’s corporate headquarters in Redmond, Washington, spans 500 acres and consists of 125 buildings. Approximately 59,000 people work at this campus that totals close to 15 million square feet. “We’re a small city,” says Darrell Smith, the company’s director of facilities and energy.</p><p>Challenges. When Smith came to Microsoft in 2008, he and his team were tasked with making a more efficient campus that would allow them to leverage existing data from the buildings. “Microsoft had always done energy-efficient work, but we really needed to find a way to accelerate it.” The greatest challenge, he says, was the disparity that existed across building systems. “Your HVAC system, your lighting control system, power monitoring, elevators–were all in these silos,” notes Smith. “Having and managing all of these assets in disparate systems just wasn’t effective. So we said, ‘there’s got to be a better way.’” </p><p>At the time, buildings were being fully inspected only once every five years. “We would run the building through its paces, but we only focused on the large assets…the really large equipment, because we didn’t have time to go very wide nor did we have time to go very deep,” notes Smith. He says each year they’d only cover about 20 percent of the campus, touching only around 200 assets. They would assess big items, like air chillers, but not the distribution centers that affected how the air was feeding into individual offices, for example. </p><p>His team began a procurement process that would determine how to best make the campus more efficient. Smith says that there were two options before him. Option one was to take out all the existing systems, controllers, control systems, and replace them with a single, integrated system at a cost of approximately $70 million. “It just wasn’t feasible,” says Smith. This option would have included shutting down buildings during construction, making it an intrusive process. </p><p>The second option was a software overlay, which would integrate with existing technology throughout the buildings to create a central command and control center where managers could use data points to improve efficiency. </p><p>The solution. Although the industry was not embracing smart building technology during that period, the option of installing software to integrate the systems was more affordable and attractive to Smith. In early 2011, Microsoft rolled out a pilot using three vendors at 13 buildings within its corporate headquarters to simultaneously test how the software would integrate and improve operations.  </p><p> “The software was seamless to occupants and a fraction of the cost,” Smith says. He points out that all the data already existed on campus, but the company wasn’t doing anything with it. “We overwrote it, we deleted it, maybe saved it for 30, 45 days, but we never leveraged it,” he says. </p><p>The system works by combining equipment-level data, including information from energy meters, from the building management system servers to a central cloud server. Other information, such as how many occupants are in a building and the building type, feed in from Microsoft’s existing software. A series of analytics are run on the various data points to determine what outputs to display to operators. Engineers can read the information on any smart device or via the central command center. The data is output in a variety of logs and charts that show operators exactly when and where a fault occurs or an alarm goes off, for example, or can predict when something is about to fail. The information is aggregated via a combination of cloud technology, Microsoft’s servers, and the third-party vendor servers. </p><p>The team built a central command and control center, known as the Redmond Operations Center, where they now monitor their assets throughout the campus. In turn, they can effectively perform a number of other tasks and save on maintenance and labor costs, as well tailor the campus to the needs of the occupants. </p><p>With this system, the team is connected to 2 million data points across its portfolio, and collects half a billion data transactions every 24 hours through graphics, charts, and trending reports available at their fingertips. “The impact of the amount of data that we’re able to sift through and leverage is changing the way we manage our buildings. It’s changing the way we operate,” says Smith. </p><p>That pilot phase ended about a year later in early 2012, and Microsoft awarded the full deployment to ICONICS. It then began rolling the smart building technology out across the entire campus, which is an ongoing process. </p><p>Systems management. With smart building technology, Microsoft was able to focus more closely on alarm management, energy management, and fault detection and diagnosis. With an array of maintenance alarms going off in buildings around campus, engineers needed a way to determine which were of highest importance. Software within the smart building portfolio can help classify this. When it comes to energy, an unoccupied building may have the lights or air conditioning system on, creating inefficiencies. The technology now helps determine traffic patterns and establish which buildings have occupants and where.  </p><p>One of the critical features of the new system involves using data for fault detection, Smith says. Previously, when a piece of equipment or a system in a building was going bad, engineers wouldn’t know about the problem until it actually failed. Now that the equipment is online and can be monitored remotely, equipment can be fixed quickly: “Roughly 48 percent of the faults we’re finding we can fix in 60 seconds or less.” The other 52 percent of the time, Smith explains, someone is physically deployed to fix the issue. </p><p>Before the project, engineers were walking around the different buildings, performing manual inspections. “We were only spending about 20 percent of our time truly doing the engineering work that’s our core priority,” notes Smith. But the smart campus initiative has turned that process around entirely. “Because we have all the data at our fingertips, we get to do the engineering that we’ve always wanted to.” </p><p>When it comes to fire and life safety systems, Smith notes that the smart campus is streamlining the way the company remains compliant with regulations. For example, the National Fire Protection Association requires fire extinguishers to be inspected to ensure that pressure levels are correct. “We have 8,500 fire extinguishers…and I used to have somebody walking around the campus with a punch card, inspecting every one,” he says. “So we actually put our fire extinguishers on the network.” Each one is now equipped with a sensor that monitors the pressure level, and also sends an alert if the cylinder is removed from the wall or someone blocks it with a piece of furniture. ​</p><h4>The Internet of Things</h4><p>With every smart building comes a host of cybersecurity concerns. The Internet of Things (IoT), the ever-expanding web of devices with wireless connectivity, is at play in smart buildings. Wireless connectivity is what allows sensors and other devices to feed into the smart building systems, and allows the data to be leveraged in meaningful and intelligent ways. But experts warn that with that power comes great responsibility.  </p><p>Cybersecurity. “Network vulnerability, security, and access are just as important in a building operational context as they are for any of the other business services that are IT-based that we’re seeing across multiple industries today,” says Granderson. </p><p>When these devices were made by the manufacturer, they weren’t necessarily built with security in mind, says John Steven, internal chief technology officer at Cigital, a consulting firm that specializes in application and software security. “These new devices add to the attack surface considerably–they’re physically accessible,” he says, adding that securing such devices is difficult and expensive. </p><p>“There’s a massive push to get IoT products to market, and security is clearly an afterthought,” says Chris Rouland, chief executive officer of Bastille Networks. He points out that enterprises will also have to find a way to manage the “personal area networks” employees bring into a corporate network with their smartphones and all the devices that pair with them. This could create IoT overload, where new devices are disrupting networks by consuming bandwidth.</p><p>Standards. With so many devices communicating with computer networks, getting them to communicate with one another is critical. Historically, the manufacturers of different building automation systems have worked hard to maintain proprietary communication protocols to essentially “lock customers in,” says Dan Probst, chairman of energy and sustainability services at Jones Lang LaSalle. “So a system made by one manufacturer wouldn’t talk to a system made by another manufacturer.” But over time, there’s been work to create standardization among communication protocols. “That enables you to take this building automation to the next level, where you’re fine-tuning the operation of a building’s systems and equipment all the time, in real time, in response to changes in occupancy, changes in weather, changes in the actual performance of the piece of equipment itself,” he says. </p><p><span style="line-height:1.5em;">“There’s a real need to converge to some commonality as you’re talking across systems, across vendors, proprietary systems, and open systems,” says Granderson. </span></p><p>The U.S. General Services Administration, for one, has made an effort to set federal standards for smart building technology. That agency is working to modernize existing buildings and implement standards for design and construction to make government infrastructure more energy-efficient, according to specifications laid out in the American Recovery and Reinvestment Act of 2009. </p><p>Hugh Boyes, cybersecurity lead at the Institution of Engineering and Technology in the United Kingdom, is working on standards to address cybersecurity concerns as they relate to smart buildings. “What we’re hoping to do, and the work we’re doing in briefing the industry, is trying to explain the need for better built-in security.”</p><p>Boyes’ organization has published a body of standards with the help of the British government that they hope will one day become the international protocol for smart buildings and cybersecurity. “What we’re trying to do is educate the engineering community about the cybersecurity risk to the technology infrastructure in the built environment, [including] building management systems and asset management systems,” he notes of his organization. They are taking existing standards for things like industrial control systems from the National Institute for Standards and Technology and making them more understandable for building engineers. For example, they are creating minimum security standards for devices with wireless connectivity.  </p><p>Energy efficiency. Buildings make up about 19 percent of the world’s carbon footprint, according to the World Business Council for Sustainable Development. To tackle this problem, some certifications have been established around energy standards. Experts say one notable industry accreditation is the LEED rating system from the U.S. Green Building Council. To be LEED-certified, a building must meet a number of design and operational criteria depending on the function of the structure. However, Smith says that shouldn’t make an enterprise complacent, noting that some of the Microsoft campus’s LEED buildings were the ones wasting the most energy. “It turns out the building is only energy efficient if it’s operated energy efficiently.” </p><p>Over time, Microsoft could save money by understanding how individual buildings consumed energy and where it was being wasted. The aforementioned advantages to smart building technology, such as fault detection and alarm management, allow Smith’s team to see exactly where energy is being consumed and at what rate. “We have cost-saving algorithms that we can say, if the fault occurs for this type of asset, the energy waste is this dollar amount,” he notes. And because Washington State has the third highest energy costs in the nation, efficiency is even more critical to the bottom line. ​</p><h4>Looking Ahead</h4><p>“It’s a really exciting time for our industry,” adds Granderson, who says there’s been a groundswell of work that will allow for a higher degree of smart building integration. “I think in the next five and 10 years we will see a lot of change and advances in how we’re able to monitor, control, operate, and optimize our buildings.” </p><p>One future challenge could be making the case for smart buildings when the value proposition is less than, say, that of a 500-acre campus. “One reason we’ve seen great successes at the enterprise level is that the energy and operational expenditures are large enough to justify and offset some of the first costs that are involved in really implementing a smart building,” says Granderson. “So scaling to smaller buildings in a nonenterprise context is something I believe we’ll see, but is currently a challenge.”</p><p>Another foreseeable challenge is the integration process, which Granderson says includes all of the different players involved in the operation of a building. “There are legacy systems, there are multiple independent proprietary systems, and we’re not to the point yet where the smart solutions scale easily in every case and are straightforward and simple to adopt,” she notes. </p><p>Overall, Smith says that smart building technology is a “gift that keeps on giving,” and optimizes what can be accomplished from existing infrastructure. “Buildings are living, breathing things,” he says, “and once we have a building ‘plugged in,’ if you will, it does nothing but get more efficient from that point on.”</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465