Kevin Ian Schmidt

Transparent Security: not seeing it is the point

For businesses, the need for increased security is apparent. Yet there are many cases where a business may not want the appearance of security to be obvious. Although government organizations usually make security a priority over aesthetics, corporate and private facilities often cannot afford to follow this policy. With government facilities, if a property requires a 12-foot chain-link fence with razor wire, then that is what is put into place.

So where does that leave facility executives at corporate and private organizations? Many are taking physical security design to a new level: transparent security. Transparent security is a strategy that addresses the need for security while respecting the importance of a low-key appearance.

Transparent Security

Enabling Technology

Transparent security follows two lines, hard and soft. Hard includes equipment, specifically equipment that is designed to be discreet or invisible. Soft involves policies and a strategy known as Crime Prevention Through Environmental Design (CPTED). Occasionally, nonsecurity objects may be used to serve soft security purposes. In one recent application, maple trees were planted in a park specifically to prevent vehicles from traveling into a restricted area. The trees were part of the park; the placement was part of the security plan.

The concept of transparent security design is proactive. The idea is to look for potential problems and take steps to put invisible or unobtrusive material in place to mitigate the potential problem.

Technology is helping to make transparent security easier, and recent advances in the field of window films are an example. An optically clear film is available that can be applied to almost any window, providing a significant increase in protection. Window films provide several security advantages. Glass-fragmentation retention film actually strengthens the glass, increasing the force necessary to break it, and prevents glass fragments from flying. Window film is relatively inexpensive and is typically applied as a retrofit on existing glass. An added benefit is that, when properly applied, glass-fragmentation window film is invisible.

Glass fragmentation window film has been applied at facilities owned by such diverse organizations as NASDAQ, Wells Fargo, and not surprisingly, the Department of Defense.

The idea of hiding security devices is not new. Manufacturers have been building hidden or low-profile closed-circuit television camera housings for years. Intrusion-detection equipment has also been available in hidden housings. Now, manufacturers of high-security vehicle barriers have followed suit. The vehicle barrier approach is unusual in that high-strength antivehicle bollards are now available in an ornamental configuration. One manufacturer has created a line of architecturally designed fiberglass and plastic sleeves to slip over bollards.

These ornamental barriers are being used to protect buildings as well as to control vehicle access in residential areas. In California, West Hollywood is employing the same type of antiterrorism bollards as used by the federal government to stop car bombers. The city’s barriers are used to block off residential areas from nighttime traffic off Sunset Boulevard from the new Sunset Millennium Shopping Center. The high-security barriers will stop vehicles weighing as much as 7 tons travelling at speeds of up to 62 miles per hour.

Security Meets Design

On the other side of the country, multiple entrances to the Florida State Capitol Building rate protection as well. High-security decorative bollard systems are proposed for the legislative members’ garage that will blend in with the aesthetics of the building. This system balances strength and design by placing ornamental trim around the perimeter of each bollard. In a crash test, the same bollards stopped a 7.5 ton vehicle traveling at 44 miles per hour. Mixing strength and aesthetics, these bollards carry a U.S. Department of State and Department of Defense rating of K8, L2, the highest rating that the government has given to a bollard system.

The impact of security is evident in perimeter systems, too. Some facilities are blending designs into the metal perimeter fence construction to reduce the visual impact of the fence. The corporate headquarters for Delta Airlines in Atlanta is surrounded by a fence with the Delta logo incorporated into it. Less than 10 miles away, the corporate headquarters for the Southern Company — parent company to Georgia Power and other utilities — sports lightning bolts bent into the metalwork of the perimeter fence. In both cases, the additional metal does nothing to increase the physical security.

CPTED takes the built environment and carefully modifies it to increase security. The concept has been used by planners and architects for many years to control behavior; the emphasis is on the placement of existing nonsecurity materials to achieve a security benefit.

CPTED classifies people as either normal users, abnormal users or observers. Normal users are the people that belong in a facility. They are the employees, the guy who fills the drink machine, the customers and anyone else who has legitimate business in a facility. The abnormal users are the opposite of the normal users. They are the thieves, the vandals, the graffiti artists and everyone else who is to be kept away.

The idea of letting some people in while keeping others out is at the heart of any access control system. What makes CPTED different is the idea of observers. A CPTED observer is a person who has been placed at a specific location to minimize the probability of a crime. The concept is simple: The more people looking at something, the less likely crime is to occur. As the number of people looking is increased, so is the probability that someone committing a crime will be seen, and therefore identified and caught.

Visibility Matters

Observers are not told that they are “observers.” They are not there to watch a location and report any crime. But reasonable people are likely to call 911 if they witness a crime. Thus, security in crime-prone areas can be improved if there are reasons for someone — the observer — to be present. For example, park benches provide a place for people to sit, and as a result, they become places for observers to gather. From a design perspective, an observer is a transparent security measure.

CPTED also utilizes the concept of taking high-risk activities and placing them in low-risk areas to minimize the potential for crime. This is done without the use of security devices and is also transparent. Bank ATMs, for example, are inherently high-risk. The transparent goal in providing security for an ATM is to place the machine in an area of high visibility.

As the need for security continues to increase, transparent security design is becoming a factor in good architectural and security planning. Minor changes can make a big difference, without compromising aesthetics.

How do your alarms communicate?

There are many ways that a signal from a fire or burglar alarm can reach the receiver; from POTS (the telephone line that you talk on every day) to sophisticated radio transmitters that seem to have been designed for the CIA to cellular service. Whatever method your security system is using, the important function is to get the correct data from the device (motion detector, heat detector, door contact, etc.) to the base station where dispatching occurs.

The oldest method is the regular telephone wire. In the older systems, each account leased a copper wire connecting it to the alarm company's central station via the local telephone company switching station. Developed in the 1870s to measure changes in current at a box in a store or home, it is still used by many private customers. One problem is that the communication flow depends on a solid connection between the two points – if a wire is cut on a pole, the earliest systems show an alarm. Over the past few years, telephone companies have begun to phase out this type of service, since maintenance costs are high and switching equipment is dated.

The answer is derived channel monitoring – where the phone company provides a special device at the switching station and another at the alarm company. The digital signals are then monitored by the phone company for quality control – so line faults can be reported and alarms transmitted more securely. Please note that this system is an option that is not available in all areas of the country.

A third source may use a cell phone similar to what you probably carry with you today. It was marketed in the 1980s and allows the alarm user to transmit data on the same system that local cellular phone companies provide. There is a charge, of course, as you are paying for the phone number and usage. A typical system has an alarm control interface, a cell phone mounted in a cabinet with back-up power, and an outside antenna if needed. This device allows for alarms to be transmitted even if local phone service is down, provided that it can “hand-shake” with a cellular tower site. Upgrades are ongoing, such as the same technology that allows you to operate your laptop computer in the car. (Telemetry)

Another plan of action is radio. Again, this is a newer technology developed in the past twenty years. The simplest type substitutes a two-way radio (such as your officers use in the field) for a phone line to transmit alarm information from one building to another. This requires a dedicated radio channel as well as line-of-sight reception. A better solution is becoming part of a commercial network, where tower sites and equipment are maintained by a private company and channels are shared based on repeating the messages from office building roofs, water towers, mountaintops and other elevated locations.

Hardwired alarm panels are less expensive than wireless panels, but they are harder to install. Keep this in mind when working on budgeting for alarm systems. An average alarm installation with a hard-wired system takes about 12-16 hours. A typical wireless installation will take less than 4 hours.

Another consideration is that some types of construction lend themselves well to a hardwired installation, and others will require the use of wireless.

Even if you select a wireless alarm panel, some jurisdictions still require that the device back-ups are hardwired. These typically include the power transformer, the electrical ground wire, the telephone connections and any keypads/arming stations and audible alarms.

The main difference between a hardwired and a wireless alarm panel is how each one communicates with the protection devices connected to the system. A hardwired panel will require a wire to each “zone” or device on the system, while a wireless system utilizes a radio frequency to communicate with the “zones” or devices that are connected to it.

While a normal electrical circuit is a Parallel Circuit, a typical hardwired alarm circuit is a 2-wire normally closed loop with end-of-line supervision, commonly referred to as a Series Circuit.

A Series Circuit allows electrical current to flow from the alarm panel, down one wire through the alarm initiating device and back to the alarm panel. When the current is interrupted, the panel will register a fault on the circuit/zone. End of Line (EOL) resistors are added to the circuit so that the alarm panel can supervise the condition of the zone for ground faults, electrical shorts and open or cut wires.

Multiple normally closed devices can be connected to a single zone by connecting the devices in series, with the EOL resistors installed on the last device in line. This way, the entire circuit is completely supervised from the panel to the last device in line.

When wireless alarm systems first appeared on the market, they were not the most reliable systems around. Most of them utilized non-supervised wireless transmitters to communicate to each of the field devices. A non-supervised wireless alarm transmitter would only send a signal “one way” to the alarm panel receiver when it was activated.

For example, when a door or window was opened, the transmitter would send a wireless signal. The alarm panel would receive the signal and activate the appropriate zone. The transmitter would not send a signal when the door or window was closed, so the receiver/zone had to reset itself after a few seconds. With a non-supervised wireless system, you could actually arm the system with a door or window wide open without even knowing it.

Most new alarm systems utilize a redundant bi-directional fully supervised wireless connection for two way communication between the transmitters and the alarm panel receiver. With fully supervised wireless, the alarm panel can tell you the real time status of a door or window. If a door is open, it will keep the zone faulted until the door is closed.

Most of the early wireless systems were very limited in their addressing schemes. They utilized dip switches with binary addressing (explained later) to differentiate between points on the system.

This was O.K. if your wireless system was installed and commissioned correctly, but what happened when a neighboring location installed the same type of system? If the neighbor's motion detector was addressed the same as your dock door, your alarm would go off every time they moved around inside their building. As you can imagine, this could cause some major problems that were very difficult to troubleshoot.

Modern wireless systems utilize serial numbers, binary house codes, or other proprietary technology to assure that only transmitters enrolled into your panel will be received by your alarm system. If you do your research and purchase a good reliable supervised alarm system, you should never need to worry about your neighbor’s wireless transmitter setting off your alarm system.

Another problem with the older non-supervised systems was that you did not know when the batteries in the transmitters were low or needed to be replaced. The only way to verify that they were working was to test them periodically.

Because even the most sophisticated wireless alarm panels are useless if the transmitter batteries are dead, supervised wireless panels are programmed to check in with each of the remote transmitters at least once every 24 hours. If your transmitter has a low battery, the keypad/arming station will immediately inform you of the trouble condition.
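The supervision behavior described above (enrolled serial numbers, real-time open/restore status, 24-hour check-in and low-battery reporting) can be sketched as follows. This is an added example, not vendor code or part of the original article; the message kinds, the serial numbers and the rule that a trouble condition blocks arming are assumptions made for illustration.

```python
from dataclasses import dataclass

SUPERVISION_WINDOW_S = 24 * 3600  # check-in interval stated in the text


@dataclass
class Transmitter:
    zone: str
    last_seen: float
    is_open: bool = False
    low_battery: bool = False


class SupervisedReceiver:
    """Toy panel receiver; message fields are hypothetical, not a real protocol."""

    def __init__(self, enrolled, now):
        # enrolled maps transmitter serial number -> zone name
        self.transmitters = {s: Transmitter(z, now) for s, z in enrolled.items()}
        self.rejected = []

    def receive(self, serial, kind, ts, low_battery=False):
        """Handle an 'open', 'restore' or 'checkin' message. False = ignored."""
        if kind not in ("open", "restore", "checkin"):
            raise ValueError(f"unknown message kind: {kind}")
        tx = self.transmitters.get(serial)
        if tx is None:
            # Not enrolled (for example a neighbor's device): never trips a zone.
            self.rejected.append(serial)
            return False
        tx.last_seen = ts
        tx.low_battery = low_battery
        if kind == "open":
            tx.is_open = True       # zone stays faulted until a restore arrives
        elif kind == "restore":
            tx.is_open = False
        return True

    def faulted_zones(self):
        return sorted(t.zone for t in self.transmitters.values() if t.is_open)

    def troubles(self, now):
        """Zones whose transmitter missed its check-in or reports low battery."""
        found = []
        for serial in sorted(self.transmitters):
            tx = self.transmitters[serial]
            if now - tx.last_seen > SUPERVISION_WINDOW_S:
                found.append((tx.zone, "supervision loss"))
            if tx.low_battery:
                found.append((tx.zone, "low battery"))
        return found

    def can_arm(self, now):
        # Assumption: this toy panel refuses to arm on any fault or trouble.
        return not self.faulted_zones() and not self.troubles(now)


def constructed_day():
    """Replay a constructed sequence of messages (times in seconds)."""
    hour = 3600
    rx = SupervisedReceiver({"A1B2C3": "dock door", "D4E5F6": "office motion"}, now=0)
    rx.receive("A1B2C3", "open", 1 * hour)
    neighbor_accepted = rx.receive("FFFFFF", "open", 2 * hour)  # not enrolled
    arm_while_open = rx.can_arm(3 * hour)
    rx.receive("A1B2C3", "restore", 4 * hour)
    arm_after_close = rx.can_arm(5 * hour)
    rx.receive("A1B2C3", "checkin", 20 * hour, low_battery=True)
    # "office motion" sends nothing after enrollment, so it misses its window.
    return {
        "neighbor_accepted": neighbor_accepted,
        "arm_while_open": arm_while_open,
        "arm_after_close": arm_after_close,
        "troubles_at_30h": rx.troubles(30 * hour),
    }


if __name__ == "__main__":
    for key, value in constructed_day().items():
        print(key, "->", value)
```
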

With any wireless security system you should always test the performance of your system regularly. The range of any wireless product can be affected by the environment and the structure in which it is installed. Additionally, the range can be adversely affected by environmental conditions, interference from electrical devices or even the orientation of the transmitter in relation to the receiver.

So who is the winner of this argument? Well, according to Underwriters Laboratory (U.L.), the most secure and reliable installation methods utilize hardwired installations with End of Line (EOL) 1 or 2-resistor supervision. In fact, U.L. approved installation standards for federal government and other high security installations require all zones of protection to be hardwired with complete 2-resistor line supervision.

This is not to say that wireless systems are an inferior product. In fact, the fully supervised systems offer excellent protection that is perfectly suitable for 90% of residential installations.

If you are considering a wireless alarm system, be warned: there are still systems being sold and installed today that are non-supervised, so make sure that any system you are considering offers complete wireless supervision.

If you opt for a hard-wired alarm system, make absolutely sure that the system is installed with the supervisory resistors at the end of the line. To make installation faster and simpler, some installers will place the resistors in the alarm panel rather than at the end of the line.

While this method provides supervision of the zone for ground faults, it does not provide protection against a direct short or, worse yet, someone splicing into the wires and shorting them together, which essentially closes the loop so the panel will not see the zone open or close.
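To see why resistor placement matters when auditing an installation, the following model computes what the panel measures on a normally closed loop with the resistor at the end of the line versus inside the panel. It is an added example, not part of the original article; the 2200-ohm value, the tolerance window and the three-device zone are assumptions, and wire resistance is ignored.

```python
import math

EOL_OHMS = 2200.0  # assumed resistor value; use the value your panel specifies
TOLERANCE = 0.25   # assumed +/-25% window the panel accepts as "normal"


def loop_resistance(contacts_closed, eol_at, short_after=None):
    """Resistance the panel measures on a 2-wire normally closed zone.

    contacts_closed: one bool per device, ordered from the panel outward.
    eol_at: "end" (resistor at the last device) or "panel" (resistor at the panel).
    short_after: the two conductors are bridged after this many devices
                 (0 = at the panel's field terminals); None = no short.
    """
    if eol_at not in ("end", "panel"):
        raise ValueError("eol_at must be 'end' or 'panel'")
    if short_after is None:
        # Current has to pass every contact and the resistor.
        return EOL_OHMS if all(contacts_closed) else math.inf
    # With a short, current only passes the devices between panel and short.
    if not all(contacts_closed[:short_after]):
        return math.inf
    # A resistor at the end of the line is bypassed by the short;
    # a resistor inside the panel is still in the current path.
    return EOL_OHMS if eol_at == "panel" else 0.0


def classify(ohms):
    """Map a measured resistance to the state the panel would report."""
    if math.isinf(ohms):
        return "open"
    if abs(ohms - EOL_OHMS) <= EOL_OHMS * TOLERANCE:
        return "normal"
    return "short" if ohms < EOL_OHMS else "open"


def compare_placements():
    """Run constructed fault scenarios against both resistor placements."""
    scenarios = {
        "all secure": ([True, True, True], None),
        "door 3 open": ([True, True, False], None),
        "pair shorted after device 1": ([True, True, True], 1),
        "shorted after device 1, door 3 open": ([True, True, False], 1),
    }
    return {
        (name, eol_at): classify(loop_resistance(contacts, eol_at, short))
        for name, (contacts, short) in scenarios.items()
        for eol_at in ("end", "panel")
    }


if __name__ == "__main__":
    for (name, eol_at), state in compare_placements().items():
        print(f"{name:38s} resistor at {eol_at:5s} -> panel reads {state}")
```

With the resistor at the panel, the shorted loop reads "normal" even while door 3 is open; with the resistor at the last device, the same short reads as a fault. A walk test that opens the last device on each zone and confirms the panel registers it is a practical check for this condition.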

Whatever method that your security department chooses to move the alarm information from the point of occurrence to the receiving station, make sure that you can provide interference-free data and your staff is able to interpret and dispatch the information. As technology grows into the twenty-first century, new ideas about alarm transmission will be unveiled and older technology will be challenged by parts shortage, lack of technical support, or noise on the line. This article does not offer any specific vendor names or ultimate solutions – but I hope that you will examine your burglar and fire alarm system with an eye toward data transmission.

Basics of a Security Risk Assessment

A proper security risk assessment is necessary to truly understand what security risks your company faces. As a physical security professional you must understand how to conduct a proper security risk assessment. Check out the Risk Assessment Guidelines to understand in-depth what a full security risk assessment entails.

The following tips will guide you in understanding how to conduct a Security Risk Assessment.

Zone 1: The Interior

Every facility executive needs to protect interior space from unauthorized entry. The means available include:

  • An effective system at the front desk or lobby to identify and badge employees and visitors
  • Locking systems
  • Intrusion detection and 24-hour alarm monitoring
  • Closed-circuit television (CCTV) in key locations
  • Security guards

Zone 2: The Perimeter

The typical multi-tenant building perimeter base building system focuses on elements that are incorporated into the design of a new structure, but also may be retrofitted. Some of these elements are:

  • Window coatings to minimize glass shards; polycarbonate glass from grade to 30 feet or higher
  • Structurally hardened building exteriors
  • Defensive landscaping — avoiding landscaping that conceals intruders or provides natural “ladders”
  • Lighting and CCTV in key areas
  • Control of loading dock traffic
  • Control of building entrances — main lobby and elevator core interface with public

Mail facilities are also vulnerable to biological and chemical weapons, and unauthorized entry. To combat those threats, consider:

  • Limiting access to authorized personnel
  • Placing barriers at the building perimeter to decrease access and reduce the impact of hazards
  • Installing X-ray package-screening equipment
  • Installing nuclear, biological and chemical (NBC) detection equipment
  • Installing negative pressurization systems to contain hazardous materials
  • Using HVAC filtering and treatment, such as HEPA filters and UV treatment

Finally, the building’s air systems and mechanical room, if located on the perimeter, are another area of vulnerability. Protect air handling systems from tampering by:

  • Fencing off fresh-air intakes and return-air vents or moving them to roof
  • Securing mechanical room exits

Zone 3: Building Grounds

Building grounds should be treated as a defensive zone to prevent cars and trucks, which might be carrying explosives, from crashing into the building. One security measure against these threats is the installation of highway barriers, but these are unsightly. Instead, use landscape elements to create a stand-off zone around the building, remembering that the effect of blasts diminishes with the distance from the blast. Effective methods include:

  • Using mature trees, landscaped earth berms, raised planter beds, benches, ornamental fencing and ornamental light posts
  • Incorporating effective lighting

Zone 4: Property Boundary

Implement security measures at the property line, which may include:

  • Roadway and barrier systems, such as a guardhouse
  • Communication systems in remote parking lots, such as emergency intercom and CCTV surveillance
  • Secured access to gas, water, electric, telephone service and utilities, such as locking manhole covers

Zone 5: Parking Structures

Parking structures are a significant area of vulnerability. Limit and monitor access and use, particularly if the parking structure is within or under the main part of the building. In addition to eliminating on-street curb parking, successful methods might include using:

  • Parking control system
  • Vehicle identification system
  • License plate recognition system

Zone 6: Public Domain

Finally, leverage the assets that are available to property owners in the public domain: streets, police, fire and emergency services departments. Coordinate security policies and procedures with public agencies at the local, state and federal levels, as appropriate. Establish a liaison to obtain real-time intelligence about actual and potential threats.

In today’s world, facility executives must take a holistic approach to security planning, programming and system design. They must assess the full range of security assets available — both human and electronic — and develop a system that protects the property at every zone from the interior to the public domain.

 

Here are suggestions of what to check before contracting Kevin Ian Schmidt for a physical security risk assessment.

This article is just to provide you with the basics of a security risk assessment, so you are knowledgeable on what to expect when hiring a consultant, and will potentially be able to address minor, simple issues beforehand to save cost.

Layered Security

At its most basic, layered security refers to concentric rings of site and building security. These rings typically progress from the exterior boundaries of a site to the exterior building shell to increasingly secure areas within the building. The rings are not always symmetric or well defined, but each one represents an increase in security hardening against external threats as one moves inward from the site boundary or building exterior.

In a layering approach, design consideration must be given to the flow of people and material as they move through public, private and restricted building areas. Controlled paths need to be established in conjunction with each layer of security. This is where design with security concerns in mind can minimize implementation and future operating costs.

Equally important are the internal security layering requirements that segregate building spaces from one another — a key requirement when multiple tenants or departments with differing security needs occupy a single building.

Securing Core Areas

Most buildings share core areas that include vertical transportation, electrical and telephone rooms, janitor closets, and public amenities like parking areas, lobbies and toilet facilities. A successful security design must not only plan for the flow of people and material during occupied and unoccupied hours, but also consider how this flow affects the sharing of public and service areas.

For example, building access from surface or underground parking facilities needs to be segregated and directed to a common access control point to minimize security staffing and other operating costs. Because of past incidents in high-profile buildings, underground parking may in the future be limited or not be provided at all.

When designing security to maintain segregation of building areas, life safety code requirements must be observed, and the required emergency egress paths must be maintained using appropriate egress hardware. Though it sounds simple, this is one of the most difficult requirements to implement because it requires comprehensive understanding and interpretation of building codes and close coordination of door hardware, security system and fire alarm system requirements.

Design Principles for Security

Proper design and use of the built environment can assist in effective security layering. The following four design principles are key:

  1. Natural surveillance: The ability to keep potential threats easily observable in parking areas and building entrances.
  2. Territorial reinforcement: Defining private and public areas in the facility or campus using landscape plantings, pavement designs, gates and fences.
  3. Natural access control: Design of streets, sidewalks and building entrances to indicate clearly the public access routes and to discourage pathways outside the secure areas, using structural elements to complement electronic access control.
  4. Target hardening: Design using features that prohibit entry or access, such as window, door and air intake location; locks; dead bolts; electronic card access; and closed circuit television (CCTV).

To enhance security, building exteriors will in the future likely be designed with fewer windows and other openings; exterior windows and doors at the lower floors will be reinforced. Fresh air intakes will no longer be at grade. The number of outside entrances for pedestrians on foot or from parking areas will be reduced to channel the flow to lobby security stations that can be staffed with the minimum number of personnel.

Underground parking, loading docks and service entrances will be located and designed to segregate and effectively control the flow of personnel and goods using transition areas. Building service areas, toilet facilities, corridors, and electrical and telecommunication closets will be located so that the building’s net usable space can be subdivided, segregated and secured as needed to meet the requirements for each tenant or department’s security, while maintaining the code-required means of egress.

Technology’s Role in Layered Security

In addition to physical barriers, a layered approach to security typically requires electronic security systems — different combinations of things like badges, biometrics, card access, door alarms, CCTV and package scanning machines — along with personnel trained to make the final decisions. The effective placement of these systems can reduce staffing requirements.

The upper box on page 53 shows the placement of card access devices and personnel to control access to building core areas from the outside while minimizing staff needed to handle visitors.

In the example shown, everyone who wants access to non-public areas of the building is directed to the turnstiles that control access to the elevators. Visitors can gain access when authorized by the security personnel.

In a building similar to the one in the example, delivery trucks could gain access to the loading dock after being cleared by the security staff. Depending on the security level required, access to the freight elevators can be further controlled after inspection of the cargo.

Further security layering can be implemented for personnel and material that have been cleared for access to tenant spaces. The bottom box on page 53 shows a typical arrangement of multiple-tenant floors. Tenant security is maintained with the use of card readers to control access into the space. Tenants that need to track personnel who enter and leave their spaces can use their own card readers. Tenant personnel can gain access to the toilet facilities while maintaining security; the use of keys or card readers at the toilet facilities is an option that needs to be evaluated separately. Those making deliveries from the freight elevator need to request access to tenant spaces via telephone or intercom.

CCTV systems with motion detection can provide continuous monitoring that is useful not only to grant access to the protected spaces, but also to provide forensic evidence needed to investigate security-related incidents. Digital CCTV provides for easy retrieval of information on demand without the time-consuming searching required by older analog systems.

Although security layering is a valuable strategy for controlling the flow of people and materials within the building, it isn’t the whole story. Operational plans are needed to limit access only to suppliers and staff with legitimate need. Deliveries of supplies from known sources should be coordinated in advance. Delivery times may have to be restricted to off-peak hours to avoid unnecessary delays to building occupants. For particularly sensitive areas, requirements for background investigations of outside contractor staff may need to be established to prevent “Trojan horses,” such as bugging devices, from being introduced into the building during construction, maintenance or deliveries. Emergency plans need to be developed and tested with the building occupants to address different types of security-related emergencies. Exit and emergency pathways need to be established for different scenarios.

Special measures and additional staffing may be required for special events, such as social functions and tenant relocations, where a large number of strangers may require access to secured areas.

In new buildings, security layering can be integrated into the original design in a very cost-effective manner. But, of course, occupants of existing buildings are demanding increased security as well. In most of these buildings, security improvements are more costly to provide because of significant additional staffing costs or building modification costs to redirect the flow of people and materials. Many existing buildings were designed with multiple entrance pathways; these buildings must add significant security staff or make costly changes to the building itself to provide minimum levels of security. Building owners will have to treat those additional expenses as a cost of doing business; tenants are demanding increased security, and those measures carry additional costs. Another challenge for existing buildings is that the security layering approach requires both building owners and tenants to accept changes in behavior without developing a trench mentality.

When it comes to upgrading security from what was acceptable in the past, there is no free lunch. To put it another way, no pain, no gain.

With new buildings, costs can be minimized. Doing that requires building owners to remember two key points: first, that during the design process it is never too early to plan for security; second, that many tools are available to provide security. And it’s not just building owners who need to think in a new way about security in new buildings. The increased demand for security also will require a change in the mindset of architects and engineers. Design professionals will have to consider how to incorporate into building designs the sometimes conflicting desires and requirements of building owners, occupants, vendors, visitors and governing agencies.

If everyone on the design and construction team focuses on security early and consistently, security does not need to be expensive and in many cases can be incorporated with minimal impact on the tenants who spend a great deal of their everyday lives in the building.

It’s also important to remember that effective security requires the building owner to address both operational and security technology issues as well as architectural factors. For example, it is critical that the issues of security staffing and training be addressed. With solid planning and an awareness of the tools available to designers, building owners can achieve the security levels they need without high ongoing costs.

Understanding of Real Risks

Photo Courtesy: Nick Carter/Flickr

To anyone who has an understanding of real risks, some of the most unnerving stories about security involve facilities where nothing bad has happened — at least not yet. These are facilities where vulnerabilities exist but haven’t been discovered or addressed yet.

Case in point: the headquarters of a large health care company. A security review determined that anyone in the lobby could go straight into the rest of the building without being stopped. But the audit recommendations to address that problem languished in the hands of company executives. Six months later, the company found itself embroiled in tense collective bargaining negotiations. One day, a group of people barged in through the front door, raced through the lobby and disappeared into the heart of the building. The stunned receptionist could do nothing but call the police and hope that nothing happened until they arrived.

Think that a security breach like that — involving an obvious vulnerability — is an isolated case? Look around many facilities, and it’s not difficult to spot security risks: a door propped open, poor lighting in the parking lot, a window cracked open or an unlocked gate. And obvious risks like those are only the beginning. Facilities face a wide range of potential threats. The real question is, which vulnerabilities are most likely to be exploited?

There are plenty of excuses not to address that question. An office building may be deemed too small to require a detailed security audit. Or its out-of-the-way suburban location may be judged safe because it does not face obvious, high-profile risks. Cost is often an obstacle. So is the lack of an on-site person who is directly responsible for security.

Excuses aside, experts agree that conducting an audit is paramount to making sure that everyone and everything in a building is as safe as possible.

In order to really do anything from a security standpoint, you have to know what your risks are. How can you make security decisions if you don’t have a clear understanding of what your problems are?

Some buildings are clearly high-risk and therefore demand that special attention be paid to security. A good example is a nuclear power plant, where the security level requires special attention to detail. The Nuclear Regulatory Commission has specific guidelines for how those facilities should be secured, and it’s not just the release of nuclear material into the air that has to be addressed. Many of those plants, for example, have regularly scheduled deliveries of chemicals via truck or rail. That schedule requires evaluations of which roads leading to the plants carry the most risk. Moreover, the possibility that someone may try to sabotage the truck or train delivering the chemicals should also be considered, Benne says.

The definition of what constitutes a high-risk building has changed over time. For example, the threat of terrorism has created a demand for specialized research buildings to study and respond to a biological event.

The federal government is looking closely at the security of those biological labs. Two types of assessments are typically conducted on those labs: a bio-risk assessment that focuses on handling and containing biological agents, and a more traditional security assessment that addresses outside threats, such as someone trying to enter the facility.

If you’re designing a facility with agents that are lethal, the community wants to know what you’re doing to protect it. It’s a sensitivity and not just a process.

But for every building that is closely scrutinized because it is clearly at high risk, there are many more facilities where risks have never been adequately identified. And a building need not be a landmark to face significant risks. A good example is a branch bank located near the entrance ramp to a highway. Someone who understands risk assessment sees that a financial institution has branches located where other financial institutions have had robberies. Those (new) branches will then be seen as high-risk and added security measures would be put in place.

Time for Action

Formal security audits should be done on a regular basis, and there are three occasions in particular when they should be conducted. The first is when a site is being considered for a new building. There are commercial and consumer crime statistics companies available that conduct threat and risk assessments based on geographical location. Their assessments detail what the crime and murder rates are for a specific address and compare those rates to those of the city and county.

Many times you’ll find that the differences are minuscule, but if one location has a greater crime rate, it may have an impact on the decision.

A security audit should also be conducted when a significant change has been made to an existing facility, such as an addition, and when there’s been a serious incident. In the latter, the goal is to find out why an incident occurred and how it can be avoided in the future.

A security audit is a three-step process: first, where do you stand today? What are your policies? Procedures? Equipment? Second, where do you need to be? Third, if there’s a significant gap between where you are and where you need to be, how do you fill that gap?

Risk assessment can go beyond a security audit and try to determine how survivable a business is if something catastrophic occurs. A number of companies went out of business after the World Trade Center collapsed on Sept. 11, while others survived but got “a big wake-up call.” You can’t, for example, put all the data in one location. You need redundancy. Companies have to ask how they’ll continue operating if they want to keep the doors open after an emergency.

Excuses, Excuses

Despite the benefits of security audits, many companies don’t do them because of the expense: the average in-depth security audit costs between $10,000 and $50,000.

It’s often not easy for a security director to justify spending money on a security audit when nothing bad has happened in or around a building. Recommending that an audit be conducted is much like making a sales pitch to management. The reason? A security director is competing with others on the staff who want money to be spent on new computers or the replacement of a compressor.

Audits also aren’t conducted because there hasn’t been an incident in or near a building and so no one feels the need to look for weaknesses. That misses the point of doing a security audit. The goal is to be proactive in organizing a plan to handle different types of threats and reduce liabilities.

Having a plan could pay off when partnering with an insurance company. If you can show them that you’ve done an audit, an insurance company may lower your premium, so there are some benefits that are outside of just mitigating risk.

Another reason security audits are neglected is that it is assumed the risks facing the facility are so clear, and the appropriate countermeasures so straightforward, that a detailed analysis of security risks seems superfluous. For example, administrators at a school that has several open perimeter doors may decide to lock all those doors in a reaction to violence at another school. And while the doors may stay locked for the next several months, at some point security typically becomes lax once again if another incident doesn’t occur. An audit can help bring structure and focus to security efforts.

This isn’t to say that security incidents at a similar type of building, or strategies used by comparable facilities, aren’t important parts of the security decision-making process.

Piece of the Puzzle

Clearly, a review of strategies used by comparable facilities is an essential component of a security plan. A facility executive responsible for K-12 schools, for example, should be aware that other schools have put an increasing focus on perimeter security, so that no one has unchallenged access. So when someone walks in, they can get to a certain point and then they have to be vetted by signing in, showing credentials and being checked out before they can progress further into the building. At most schools, and this is slowly changing, you can just come in and wander around. Knowing how other schools are addressing security risks can help educational facility executives make decisions about their own buildings, but knowledge of industry trends is no replacement for a security audit.

An audit is especially important when the installation of security systems is being considered. Facility executives may decide to add video cameras because a similar building did so. But if there are no provisions for monitoring the cameras, they won’t achieve the goal of improving security. Organizations make short-term changes that lack the thoroughness of a well-thought-out plan, often costing money without a return on investment in improved security.

Organizations that don’t conduct security audits often end up with knee-jerk reactions to incidents. Suppose a company is having its products stolen but it’s unclear exactly how that’s occurring. Feeling the need to take some action, the company’s management might decide to put cameras throughout the facilities. However, if the products are being put in briefcases, cameras won’t spot the thefts.

Although getting input from the local police department may be useful in the audit, simply asking the police for advice about ways to improve security is no substitute for an audit. Police focus on law enforcement, which is different than securing a building. Law enforcement responds to criminal activity and security is designed to mitigate criminal activity.

Taking Action

Some organizations have a security audit conducted and then fail to act on its recommendations. Taking that approach, however, opens management to liability because there’s an obligation to fix the items that the audit found. An audit is likely to find more problems than there are dollars to address them. At that point management needs to set priorities, determining what situations and events are possible, what their probabilities are, and whether their impacts would be catastrophic, minor or something between the two. These are tough decisions: how do you invest money in things that might never happen?

Of course, if audit recommendations are ignored, and an incident occurs, the company must deal with the effects of the incident as well as the cost of countermeasures, which will surely be taken. In the case of the health care company that ignored the audit recommendation to improve lobby security, the intruders wound up in the office of a facility manager, who called the security manager demanding to know how the breach could have occurred. The security manager pulled out the audit report, which had warned of the risk of such an incident. Companies don’t fully understand the cost associated with the risk. As a result of the incident, the lobby was compartmentalized to preclude the possibility of a similar event in the future.

What facility executives and security directors need to remember is that there is no way to prevent all security incidents. If a security breach occurs, there will often be recriminations, with people saying that management and others involved in security should have seen it coming. But there’s a huge list of things that can happen. The goal from a security standpoint is to identify the things most likely to occur and take reasonable steps to prevent them.

5 Common Ways Employees Steal

Small-business owners aim to hire trustworthy workers, but companies must be aware that theft will occur. Understanding common ways employees steal requires that you look at the type of items thieves go after and the methods used to take them. Theft can have a significant impact on a small business and can even result in your business failing. Knowing the five most common ways employees steal can help you develop methods to combat the problem.

Cash

Unethical practices by employees that result in financial losses for a business can manifest in various ways. One common method involves the misappropriation of funds during sales transactions. Employees may discreetly transfer money from cash registers into their pockets, exploiting their position at the point of sale. This covert activity can lead to a direct and immediate impact on the company’s revenue.

Furthermore, another avenue for potential theft is the unauthorized access to open or unsecured safes, petty cash drawers, or cash boxes. Employees may exploit vulnerabilities in the security system, taking advantage of lax protocols to pilfer funds. This type of theft can occur gradually over time, making it challenging to detect until substantial losses have accumulated.

In addition to physical theft, there’s a subtler form of financial misconduct that involves quoting customers inflated purchase amounts. Employees may intentionally communicate a price higher than the actual cost of an item during a transaction, pocketing the excess funds. This manipulation can go unnoticed in the hustle and bustle of daily operations, making it a deceptive yet effective method of embezzlement.

Once an employee has successfully obtained cash through these illicit means, they may exit the business premises at the end of their shift without raising suspicion. This method allows them to evade immediate detection, making it imperative for businesses to implement robust internal controls and monitoring mechanisms.

Merchandise

The challenge of inventory loss or shrinkage stemming from theft poses a significant concern within the merchandise distribution process. This issue is pervasive and manifests at various stages, affecting the overall integrity of a business’s inventory management.

One prevalent scenario unfolds on the sales floor, where employees, unfortunately, engage in deceptive practices. This may involve the discreet concealment of merchandise within apron pockets or strategically placing items behind others on shelves. The intention is often to retrieve these hidden items at the conclusion of their shifts, contributing to a decline in available inventory and potential financial losses for the business.

Beyond the sales floor, the issue extends to the pre-public availability phase. Employees, seeking to exploit vulnerabilities in the system, may pilfer items directly from warehouse shelves or intercept newly arrived merchandise before it is officially scanned into the inventory software. This early-stage theft not only impacts inventory accuracy but also disrupts the seamless flow of merchandise from distribution to retail.

In more audacious instances, employees have been known to resort to grander schemes, such as stealing entire shipping trucks. These acts involve the unauthorized acquisition of vehicles laden with merchandise meant for their employer’s business. The repercussions of such actions extend beyond inventory loss, encompassing operational disruptions, financial ramifications, and potential damage to the business’s reputation.

Addressing this multifaceted challenge requires a comprehensive approach. Businesses must invest in robust security measures, both on the sales floor and within distribution channels, to deter potential theft. Implementing advanced surveillance systems, access controls, and stringent inventory tracking protocols can fortify defenses against deceptive practices.

Supplies

Certain employees engage in pilfering small items, like pens, staples, or scissors, incrementally over time, exhibiting a pattern of repeated theft. Alternatively, individuals may opt for a bolder approach by taking such items on the day they decide to quit, often before formally submitting their resignation. On the other end of the spectrum, more audacious theft involves the pilferage of pricier items, including furniture or equipment. This type of theft tends to occur during after-hours periods when employees work unsupervised overtime or gain unauthorized access to the business premises after it has closed for the day. Both forms of theft, whether gradual or more immediate, necessitate vigilant oversight and security measures to safeguard a company’s assets.

Payroll

Instances of employee misconduct may involve the falsification of records or the execution of actions leading to payment for work that was not performed. In some cases, employees may engage in deceptive practices, seeking reimbursement for travel or other expenses unrelated to work. This can include submitting reimbursement requests for personal meals disguised as business lunches.

Another form of deceit involves the manipulation of time-related records. Employees may submit falsified time sheets, claiming hours they did not work or neglecting to deduct time taken for extra breaks. This misrepresentation of work hours can contribute to financial losses for the employer.

Furthermore, theft can manifest in less tangible ways, such as time theft. Employees may divert work hours by engaging in personal phone calls, extended conversations with co-workers, or spending excessive time surfing the Internet instead of fulfilling work responsibilities. These actions not only compromise productivity but also lead to an overall decrease in the quality and quantity of work completed.

Information

Instances of deliberate information theft by employees pose a serious threat to the confidentiality and intellectual property of their employers. Motivated by personal gain or, at times, by a desire to benefit competitors, these individuals engage in activities that compromise sensitive company data. The purloined information spans various categories, encompassing customer lists, internal memos, and proprietary details related to products, services, or other critical facets of the business.

This illicit activity often takes shape through modern communication channels, with employees utilizing email as a conduit for transmitting sensitive information externally. In some cases, individuals employ more traditional methods, such as printing out confidential documents, copying them onto portable storage devices like flash drives or cellphones, and physically carrying the information away from the business premises. The ease with which information can be transferred in our interconnected world underscores the need for robust security measures and vigilant oversight.

In the digital realm, information theft via email requires businesses to implement stringent access controls and monitoring systems. Proactive measures should include educating employees on the ethical and legal implications of misusing company information, emphasizing the importance of maintaining data confidentiality.

Additionally, the more tangible act of physically removing printed documents or electronic storage devices demands a comprehensive approach to security within the workplace. Access control systems, surveillance measures, and employee training on the responsible handling of company information all play crucial roles in mitigating the risk of information theft.

Mitigating Common Ways Employees Steal: Proactive Measures

Countering the five most prevalent avenues of employee theft requires a strategic approach. Several preventive measures can significantly reduce the impact of such incidents on your business. One effective strategy is to regularly reconcile physical inventory with shipment and sales records, ensuring accuracy and promptly identifying any discrepancies. Conducting comprehensive audits, including cash, payroll, and computer usage assessments, serves as another valuable tool to detect irregularities and address potential areas of vulnerability.

To enhance security measures, consider implementing sophisticated systems such as time-tracking devices and surveillance cameras. These technologies can help monitor employee activity, providing an additional layer of protection against theft. Regularly reviewing the data collected by these systems enables proactive identification and response to any suspicious behavior.

Employee training plays a crucial role in preventing theft. Educate your staff on recognizing common behavior patterns exhibited by potential thieves. This may include repeated requests for outside breaks, unsupervised overtime, or expressing a desire to be transferred to a stockroom or cashier position. By fostering awareness and vigilance among employees, you create a more secure and vigilant work environment.

By adopting a multifaceted approach that combines regular audits, advanced security technologies, and employee education, businesses can significantly reduce the risk of employee theft and safeguard their assets.

5 Non-Verbal Indicators in Interviews

When setting up a room for conducting an investigation interview, there are a few basic rules the investigator should keep in mind. Aside from making the interviewee feel as comfortable as possible, the interview room should also facilitate clear communication, including non-verbal communication. This means that there should be no physical barriers between the interviewer and subject that might block the interviewer’s view of the subject.

There are good reasons for this. Firstly, a physical barrier, such as a table, can act as a psychological barrier. In a situation in which open communication is sought, putting up barriers obviously goes against the goal.

Another reason to keep furniture out of the way is to provide the investigators with a full-body view of the subject. This is important when assessing the subject’s body language, or non-verbal clues, when he or she is answering questions and providing detail about the incident in question.

There have been many articles, books, even television shows, written about how to detect deception in investigation interviews, and there are as many theories as there are theorists. But there are a few fairly well researched and generally acknowledged non-verbal indicators in interviews that may indicate that a speaker is being deceitful. As long as the investigator is experienced enough to know that one sign does not make the subject a liar, these clues can be considered as part of an overall strategy to assess the credibility of the interviewee.

5 Non-Verbal Indicators

Illustrators

These are hand motions a person makes when talking. They are normal and often used to illustrate a point. During times of low stress, a person uses illustrators at one rate, but when the stress level increases the subject’s use of illustrators may increase or decrease. A change in the use of illustrators, therefore, may be taken as a possible clue to deception.

Manipulators

Like illustrators, manipulators are hand motions. But rather than illustrating a point, they are used to displace nervousness. Examples of manipulators are playing with jewelry, picking lint off clothing or clasping and unclasping the hands.

Full-Body Positioning

A person who is engaged in a conversation and being honest will often lean toward the person they are talking to as the questions get more serious. A dishonest person might lean away from the interviewer, changing his or her posture completely.

Fleeing the Interview

Similarly, a subject who is being dishonest might actually arrange his or her body in a position that suggests fleeing the room. While the person’s upper body is facing the interviewer, his or her legs may be facing the door, as if in an unconscious effort to leave.

Covering the Mouth

And while it seems too symbolic to be true, liars will sometimes place their fingers or hands over their mouths, as if to contain the lies before they escape, just as they did as children.

The Basics of Body Language:

Your primary goal when reading body language is to determine a person’s comfort level in their current situation. You do this by combining verbal cues with body language.

Positive body language:

  • Moving or leaning closer to you
  • Relaxed, uncrossed limbs
  • Long periods of eye contact
  • Looking down and away out of shyness
  • Genuine smiles

Negative body language:

  • Moving or leaning away from you
  • Crossed arms or legs
  • Looking away to the side
  • Feet pointed away from you, or towards an exit
  • Rubbing/scratching their nose, eyes, or the back of their neck

A single cue can be misleading, so it’s essential to pay attention to multiple behavioral cues.

Reading the Non-verbal Clues

One thing to keep in mind is that non-verbal clues mean nothing in isolation. Some people exhibit these characteristics when they are not stressed, and some people are stressed all the time, whether they are being deceptive or not. So it’s important for investigators to treat clues as insight into where to probe further, rather than as proof of deception.

Investigators should also be careful to assess the state of mind of a subject as part of assessing credibility. Subjects who are mentally unstable or who are inebriated or under the influence of drugs do not exhibit reliable clues. In fact, it’s not a good idea to interview these people at all.

PEACE Method of Investigative Interviews - Overview

A number of police forces throughout the world are using a model of investigative interviews that focuses on gathering information rather than obtaining a confession from a suspect. As we in the safety world are concerned with gathering information following an accident, I thought the technique might be of interest to readers. The method incorporated is what I’ve been teaching for years, but the use of the mnemonic PEACE brings all the ideas together nicely.

P – Preparation and planning
E – Engage and explain
A – Account
C – Closure
E – Evaluate

I’ve deleted some police/legal concepts from the web-based material and added a few comments of my own.

P – Preparation & Planning

Crucial elements of good planning and preparation for an interview situation include:

  • Understanding the purpose of the interview;
  • Defining the aims and objectives of the interview;
  • Understanding and recognizing the points to prove or to clarify;
  • Assessing what evidence is available and from where it can be obtained;
  • Assessing what evidence is needed and how it can be obtained;
  • Preparing the mechanics of the interview (stationery, exhibits, location, etc.).

E – Engage & Explain

These two terms, also known as the ‘Interview Preamble’, refer to the early phases within the actual interview and are defined as follows:

The essential element of engagement is an introduction appropriate to the circumstances of the interview. It is desirable that a proper relationship is formed between the interviewer and interviewee. This requires, for example, that the interviewer develops an awareness of, and is able to respond to, the welfare needs of the interviewee and any particular fears and expectations.

The engage phase is followed by the explanation phase in which the investigator should outline the reasons for the interview and explain what kinds of action will be followed during the interview, particularly the routines.

A – Account

This term describes the stage in which the interviewee’s recollection of the events of interest is obtained. This stage is directed at obtaining the fullest possible account from the suspect. There are two accepted approaches of inducing recollection known as:

  • The Cognitive approach;
  • Conversation management.

Different techniques for assisting recollection are associated with each method. With the cognitive method, the interviewee is asked to think back and mentally relive the event, initially with minimal interference from the interviewing officer. The interviewer does not interrupt, makes effective use of pauses and avoids leading questions. The interviewee is then encouraged to recall the event again using a different chronological order, or from a different perspective.

When the conversation management method is used, the interviewee is asked first to say what happened and the interviewer then subdivides the account into a number of individual parts which are enquired about in turn for further details.

The cognitive method provides the interviewee with greater control over the way the interview develops, whereas conversation management attributes more authority to the interviewer. This basic difference between the two approaches broadly defines when each is most appropriately used. For example, conversation management may be more appropriate for reluctant interviewees than the cognitive method.

C – Closure

To avoid immediate or future problems with the relationship formed between the interviewer and interviewee, investigators should ensure that, at the end of an interview:

  • interviewees are thanked before leaving;
  • everyone understands what has happened during the interview;
  • everyone understands what will happen in the future.

Closure should also include elements such as giving the interviewee the opportunity to ask any questions. It is crucial that the interviewer always ensures that there is a planned closure, rather than an impromptu end, to the interview. The interviewer should summarize and check back as to what the witness has said.

E – Evaluate

After each interview is completed, the event and the material that came from it should be evaluated fully. The first consideration is whether the objectives of the interview were achieved. Decisions must then be made about whether any further interview is required or whether other inquiries need to be made. Evaluation can also help interviewers to improve their interviewing skills. To this end, they should take the opportunity to reflect on their personal performance and identify areas for future development or improvement.

When conducting an investigative interview, you also need to be aware of the non-verbal indicators.

Understanding the PEACE Method is an important part of an investigative interview, but knowing the factors to consider in an investigative interview is equally important to being successful when using the PEACE Method.

Questions to Ask Yourself BEFORE Security Risk Assessment

Before you hire me as a consultant for a security risk assessment, I advise you to review your business by asking yourself the following questions. Conducting this self-assessment before paying for a security risk assessment will save you money.

  • Are physical controls documented?
  • Are secure areas controlled?
  • Are review and maintenance of access controls taking place?
  • Are there non-standard entry points to secure areas?
  • Are these non-standard entry points secured and/or monitored?
  • Are visitors required to have supervision at the institution?
  • Are visitors allowed within secure areas?
  • If your organization shares access to your facility, does it have proper controls to segregate access?
  • Is sharing physical access to the institution by other organizations documented?
  • Are there contracts or agreements with the organization regarding this physical access?
  • Has a physical penetration test been performed?
  • Are magnetic media stored in accordance with regulatory requirements and manufacturers’ suggested standards?
  • Do guards at entrances and exits randomly check briefcases, boxes or portable PCs to prevent unauthorized items from coming in or leaving?
  • Do guards allow visitors to bring laptop computers into the institution without proper signoff or authorization?
  • Are fire detectors and an automatic extinguishing system installed on the ceiling, below the raised flooring and above dropped ceilings in computer rooms and tape/disk libraries?
  • Are documents containing sensitive information not discarded in whole, readable form? Are they shredded, burned or otherwise mutilated?
  • Are DVDs and CDs containing sensitive information not discarded in whole, readable form? Are they “shredded” or mutilated with no restoration possible? (This should also be asked of hard drives and other data storage technology prior to disposal.)
  • Are data center and server center activity monitored and recorded on closed-circuit TV and displayed on a bank of real-time monitors?
  • Does access to a controlled area prevent tailgating by unauthorized people who attempt to follow authorized personnel into the area?

Common Security Vulnerabilities

The more involved type of security study, often called a threat vulnerability risk assessment (TVRA), will typically describe the common security vulnerabilities uncovered and ways to mitigate them, and offer a prioritization so that the organization can fiscally manage its security improvements. A security study can discover potential vulnerabilities such as a flood risk to a building, weak infrastructure, the location of a building along an airport’s flight path, or the proximity of the building to a railroad line that carries industrial chemicals.

Being aware of the common security vulnerabilities your facility faces is important, and a quality consultant can help you identify them if needed. You can contact me to schedule an initial consultation if a service like this interests you.

What are common workplace security breaches?

Security can be compromised through physical as well as digital types of security breaches. Physical security breaches can deepen the impact of any other type of security breach in the workplace. So, let’s expand upon the major physical security breaches in the workplace.

  • Casual Attitude
      • A casual attitude among employees or management toward security awareness can lead to disastrous results. There should be strict rules requiring that procedures be followed without any exceptions.
  • Unattended Assets & Areas
      • Valuable data or equipment at the workplace should never be left unattended. Likewise, leaving a critical workplace area unattended or unlocked greatly increases the risk of a physical security breach in your workplace.
  • Exceptions in Physical Access Rules
      • Physical security is the first circle of a powerful security mechanism at your workplace. So always keep it strict and follow the physical security procedures in practice, not just on paper. Avoid making any exceptions when granting internal or external people access to restricted areas.
  • Rogue Employees
      • In many security breaches, it has been observed that disgruntled employees of the company played the main role in major security breaches in the workplace. Sony’s data breach is one example of this kind of workplace security breach.
  • Eavesdropping over Sensitive Information
      • Eavesdropping has long been a fundamental breach in data security as well as in physical security. The overhearing of lock codes, PINs, and security passwords is a serious breach that can lead to disastrous outcomes. So always take care to prevent eavesdropping in your surroundings.

How do you go about preventing these security breaches?

To prevent any security breach at the workplace, take the following steps:

  • Review and restrict physical access as per security policy
  • Review and change the access passwords and keys
  • Review and monitor the egress and ingress points
  • Make the relevant people aware of how to handle any unusual situation
  • Identify and secure critical information
  • Check and renew the network security and firewall settings
  • Change security keys after every employee leaves the company
  • Change the (human) guards, if any