Kevin Ian Schmidt

Category: Security

  • Workplace Violence Awareness

    Workplace Violence Awareness

    workviolenceWorkplace violence involves any negative behavior that is disruptive to either another employee, customer or against the company itself. The reason I use such a broad term of definition is because most cases that end in violence begins with a negative behavior. It is at the inception of this behavior that action should be taken and not later, once things have gotten out of hand.

    Often Supervisors and Managers find themselves in a frustrating situation. Lack of awareness training leaves them feeling frustrated and uncertain. Workplace violence is not always obvious and therefore often managers do not know how to recognize a problem at its onset, let alone know what to do to stop it. It’s a legitimate concern because if the problem is real, one is dealing with a time bomb and action needs to be carefully planned and handled delicately. If there isn’t a problem, and the situation is handled poorly, the accused employee is embarrassed or forced to leave the job, then you have civil action to worry about.

    Company culture is a determining factor in acceptable employee behavior. Compounding the problem is weak or nonexistent policies regarding harassment and workplace violence, which hold just as much liability as apathetic management who choose to look the other way when a problem threatens escalation.

    Violent events at the workplace don’t just happen out of the blue. There are always warning signs that something is wrong. Ultimately, it is the coworkers who usually first notice the change in behavior of one of their teammates. If awareness trained, these coworkers will know the importance and necessity to report their observations to management who can take immediate crisis intervention action. This is where a company finds excellent use of a “hotline” service. Anonymity is essential because if the employee fears that the potential aggressor will know who to go after, he or she will not report the activity. In that same light, employees who have undergone such awareness training know that their timely action could not only save their own life, but the lives of their coworkers.

    Managers should take all threats seriously. Many times it’s one employee’s word against another, and when the offending employee is questioned s/he often remarks that – s/he was just kidding around or blowing off steam. Even if the offending employee was just blowing off steam or kidding around, keep in mind that the action was enough to cause concern to one employee – and that is one employee too many.

    The warning signs of potential workplace violence include:

     

    • Lowered productivity
    • Increased absenteeism
    • Behavioral outbursts such as arguing, yelling or arguing with coworkers
    • Displaced aggression [kicking desk or punching walls]
    • Talk of destruction or making someone pay
    • Depression
    • Family problems
    • Substance abuse
    • Preoccupation with violence through movies, magazines and weapon collecting

    preventing_workplace_violenceIt’s important to remember that our anticipation of violence can inadvertently perpetuate violence. For example, a termination is already a tense and emotional situation and it’s crucial that the employee be given a chance at a dignified exit. Having security in the same room at the time of termination is a show of force, and this alone can antagonize the employee into a hostile reaction. How you terminate someone should be carefully thought out and planned ahead of time with your safety in mind as well as the rest of your staff. If you think you are dealing with a volatile employee, pay the few extra dollars and have a counselor attend the dismissal meeting.

    What a manager or business owner doesn’t realize is that responsibility or liability concerning the safety of its employees does not end when they leave the company property. In the U.S., and Canada is not so far behind, lawsuits are being filed against employers for failing to take responsible and due care to prevent a foreseeable injury which the manager or company had a duty to prevent.

    Check Out: Layered Security

    The Common Forms of Workplace Violence Incidents is as follows:

    • 54% – Inappropriate language
    • 13% – Verbal abuse
    • 7% – Verbal threats of violence
    • 6% – Sexual harassment
    • 5% – Burglary
    • 4% – Pushing/Shoving
    • 3% – Fist fight
    • 2% – Threatening emails received by employees
    • 2% – Stalking
    • 1% – Robbery (holdup)
    • 1% – Threatening emails send by employees
    • 1% – Bomb threat

    Some employers have not yet fully addressed the issue of workplace violence; their negligence has not necessarily been purposeful. It has been due to a lack of awareness of the problem coupled with a preoccupation with everyday work and management pressures. This has caused employers to ignore some of the organizational factors that have contributed to workplace violence.

    Some of those factors include:1. A weak, misunderstood or non-existent policy against all forms of violence in the workplace
    2. Failure to educate managers and supervisors in recognizing early warning signs or symptoms of impending violence and their responsibility to take action
    3. No appropriate and safe mechanism for reporting violent or threatening behavior
    4. Failure to take immediate action against those who have threatened or committed acts of workplace violence
    5. Inadequate physical security
    6. Negligence in the hiring, training, supervision, discipline and retention of employees
    7. Lack of in-house employee support systems

    Employers who have addressed workplace violence have often overlooked domestic violence and how this plays a part in the workplace.

    Check Out: Corporate Volunteering Leads to Engaged Employees

    Myths about Workplace Violence That Cause It to Be Ignored

    Myth #1: Workplace violence incidents are rare.

    Unfortunately, we can find ourselves living in a bubble of complacency. And, unless we’re shaken out of our sleepwalking state by a terrifying news story, we tend to not notice less horrific things around us.

    While it is true that the number of murders occurring from a workplace violence attack have lowered over the past few years, we shouldn’t be limiting our focus to just homicide. In fact, according to OSHA, there are over 1 million reported incidents of assault each year, just in the United States alone. And, since it’s estimated that only about half of all incidents are ever reported, that the total is closer to 2 million. And, this doesn’t include the approximately 1,000 homicides and 51,000 sexual assaults!

    Myth #2: It will never happen here.

    I call this the “Ostrich Syndrome.” You know, the belief that, “if I bury my head in the proverbial sand, I can make danger disappear.” The truth is that workplace violence can happen in any business, at anytime, and anywhere. And, it does. In fact, I’ve consulted with executives, business owners, and employees from, not only the US, but also Canada, Germany, England, France, Japan, and Thailand. And… the story is the same: Today’s workplaces are the most violent environments in which you can find yourself.

    Myth #3: Postal employees have more to worry about than I do.

    Unfortunately, due to a few incidents which occurred decades ago, the post office and it’s employees have garnered a much undeserved reputation for violence. Even the phrase, “going postal,” is still popular after nearly four decades of it’s creation. The reality is that only about 3% of all incidents occur within all government agencies – combined!

    In fact, post office employees, as with any government workers, are probably some of the “least” likely to encounter violence in the workplace. While occupations like nursing and other healthcare, teaching, and psychiatric counselors have some of the highest incidents.

    Myth #4: Workplace violence is a guy thing and women shouldn’t worry about it.

    Murder is the number one cause of death for women killed on the job. And, as I said before, this is paled by the 13,000 rapes, 51,000 sexual assaults, and about 35% of the 600,000 simple assaults that occur in American workplaces every year. In other countries, like India, the Middle East, and the East, the percentages are even higher.

    Men may perpetrate more of the attacks involving the use of guns, but women share the field almost equally when it comes to being the attacker and the victim. In addition, over 65% of all non-fatal workplace assaults occur in nursing homes, hospitals, residential care facilities, and other social service environments – places where women make up the vast majority of the work force.

    Myth #5: Security guards and metal detectors will prevent workplace violence.

    As a former police officer, I learned very quickly that security measures can do little to stop a determined perpetrator of a crime. It doesn’t matter if we’re talking about a burglar, a rapist, murderer, or even a terrorist – the newest threat to workplace safety.

    In fact security guards and detection devices can do little more than cause an attacker to think more creatively. And, even if they do prevent the outsider from entering your company, they can do little to stop current or former employees, friends, family members and visitors that would have both knowledge of your facility, and a reason to be there in the first place.

    Myth #6: The only cost we’ll have to worry about is attorney fees.

    Over the years, I’ve had the opportunity to speak to my share of human resources managers, administrators, and executives about the need for a workplace violence prevention plan and crisis response training program in their facility. In that time, one of the most disturbing comments that I’ve ever heard was, “that’s what our attorney’s are for.”

    Not only can your attorney’s, or the police for that matter, “not” take away the damage, injuries, death, and destruction that can occur, but their fees will be the least of your problems. The true cost of workplace violence incidents are estimated to be between 55 and 2 million US dollars every year. Costs associated with your company’s recovery in the post-event aftermath include not only attorney’s fees, but also lost work time, the effects of negative press and public image, property repairs, increased insurance premiums, and fines or judgments entered in favor of any plaintiffs suing you for liability. To give you an idea about just one of these areas, OSHA reports that American companies pay for over 1,700,000 sick days annually due to lost time resulting directly from violence in the workplace.

    In many cases, the financial strain resulting from just one incident has put more than a few companies out of business for good.

    Myth #7: He just “snapped.” We can’t prevent it because there are no warning signs.

    Reports show that in 80% of all incidents of workplace violence, the assailant gave warning signs that went unheeded. In all of the programs that I teach, regardless of whether we’re talking about basic self-defense, street survival for law enforcement professionals, or workplace violence prevention and defensive tactics, “awareness” heads the list and is the easiest and most successful means for surviving a workplace violence attack.

    The reality is that managers and employees alike can learn to anticipate, assess, and even manage the risk from internal causes by identifying, monitoring, and addressing employees who exhibit high-risk behaviors and characteristics before they can escalate into actual violence.

    While not all situations can be prevented, and this is where a good, solid, self-defense and attack avoidance program comes in, early awareness and action can save property, lives, money, guilt and the embarrassment which can arise out of knowing that action “could” and “should” have been taken to prevent or minimize it.

    Myth #8: We have insurance to cover the cost of damages.

    Most workers and managers, as well as business owners wrongly believe that they are covered completely by whatever insurance coverage is in place to protect the company. When, in fact, supervisors, managers, and others in an authority or leadership position can be held personally responsible and sued in civil court for their actions or failure to act, and the conduct of others over which they had authority.

    And, while most companies carry some sort of liability coverage, you may find that your insurance policy may have clauses that exclude damages from certain types of actions. Like hospitals, universities, and other open, “porous” entities, your company can be left holding the proverbial “bag” in the case of injuries, damages, or harm that comes to visitors, guests, and family members caught in the cross-fire of an event but who are not actually employees of your company.

    Myth #9: We have a workplace violence prevention policy so we’re safe.

    In light of all the evidence, most companies still do not have workplace violence plans, policies, or training programs. I have found that those who do, are still missing critical elements from these plans and leaving themselves open to the same or greater liability issues that their plans were supposed to eliminate in the first place.

     

  • Clear Communication Tips

    Clear Communication Tips

    security guardsWhen an officer receives a message, does he (she) take the time to “play back” the information to the caller, or simply answer with “Yeah, I got that” and then forget it? Are there pink message pads or a computer log screen available that have the blank spaces for “caller”, “time”, “date”, “number”, “note”, and “operator”? And, after the call is completed, does the officer make an attempt to follow through by locating the recipient, or simply toss the message into the “in box” near the console?

    How about the famous “Oh, he knows who it is” or “No, I don’t want to leave a number-it’s unlisted!” These can frustrate the officer who attempts to complete the call. Add to this the wife or child calling with the tenth domestic emergency of the night- “Ask Jim to call me right away-my son smeared peanut butter in our VCR”. Now complete the daily routine with eight “Isn’t this Mario’s Pizza?” and you can see how the routine task of telephone message handling can become a frustration. (Remember-remain professional and approach each call in the same manner.)

    Check Out: Incident Report Writing Guide

    Radio messages are another challenge. Portable radios, even with speaker microphones attached, have to compete with noise from passing cars, screaming kids, and whatever else is happening while the officer is copying a transmission from base. Does the dispatcher take the time to phonetically spell out names and addresses? (“That’s R-Romeo-U-Uniform-N-November”). When numbers are used, are they run together or is a pause taken such as “044 ** 46 ** 6699”? And-the most frustrating cause of lost information- do you wait a few seconds before broadcasting or grab the mic and start talking right away? (A radio system needs time to “breathe” between transmissions, or else the beginning of each message will be cut out!)

    SecurityManagerWhen speaking on the phone or radio, or taking a message, the officer should try to project a positive image. This helps the company, the supervisor, and the security staff to “satisfy the public”. Avoid prejudging a caller, or editing information based on your own emotions or experience. I have personally witnessed alarm accounts rescued from cancellation by prompt delivery of an irate client’s message to management. If you use pink pads, computer logs, or the well-known “officer’s notebook” in the field, taking down the correct information and relaying that data to the proper individual is a vital part of your duties in security or alarm dispatching.

    A final note- in the communications office, the Dictaphone recorder will allow the officer to play back a conversation to make sure that all pertinent information was obtained. In the field, the patrol officer does not have that luxury, and so asking base to “repeat the last message” or “Did you say A as in Alpha or J as in Juliet?” is recommended to complete the call. If there are noise or interference problems, ask the dispatcher to relay the message by telephone.

    Clear communication skills will allow others to easily get relayed information for safety and security of all involved.

  • Conducting a DIY Security Audit

    Conducting a DIY Security Audit

    No business is totally immune from the threat of crime but a little prior planning and a few common sense precautions are all that is necessary to deter most criminals.

    Use this test to conduct a survey of your business. Each “NO” answer indicates a weakness that could help a criminal. As you eliminate the “NO” answers, you improve your level of protection and reduce your risk of becoming a victim. Go through the list carefully and systematically. You will also want to look at the business during the night and on weekends. Those are times when you may be most vulnerable.

    Remember, this checklist points out your weak areas. You are not fully protected until each of them is corrected. Of course complying with these suggestions won’t guarantee that your business will never be the target of crime but it will improve odds in your favor.

    This test is limited mainly to the physical security of your business. There are many other areas which also deserve your attention. A well rounded loss prevention program will also address internal security, customer theft, fraud, safety and fire prevention and emergency preparedness.

    Physical Security Checklist

    Building Exterior

    1. Are all vulnerable points adequately lighted?security audit
    2. Is shrubbery trimmed to provide for good visibility at all vulnerable points
    3. Is all access to the roof eliminated or secured?
    4. Have weeds and trash near your building been cleared away?
    5. If a fence would improve your protection, do you have one?
    6. Is your fence high enough and/or protected with barbed wire or tape?
    7. Is your fence in good repair?
    8. Are gates in good repair and locked properly?
    9. Have you protected solid block walls and wooden fences that someone could climb and/or hide behind?

    Doors

    1. Have you secured all unused doors?
    2. Is glass in back doors and concealed or secluded locations protected by bars or heavy screen?
    3. Are all doors designed so that the lock release cannot be reached by breaking out glass or light-weight panels?
    4. Do exposed hinges have non-removable pins?
    5. Is a good quality deadbolt lock used whenever possible?
    6. Is the lock designed or the door frame constructed so that the door cannot be forced open by spreading the frame?
    7. Is the bolt protected so that it cannot be cut?
    8. Is the outside lock cylinder protected from twisting or prying?
    9. Is the lock a cylinder type with at least a five pin tumbler?
    10. Are keys issued only to persons who actually need them?
    11. Are doors with panic hardware properly secured after hours?
    12. Are padlocks locked in place when the door is unlocked?
    13. Are hasps made of hardened steel with non-removable screws?

    Windows

    1. Are accessible windows protected by heavy screen or bars?
    2. Are unused windows permanently sealed?
    3. Are bars and screens securely mounted?
    4. Are window locks designed or located so they cannot be defeated by merely breaking out the glass?
    5. Is burglary resistant glazing used whenever possible?
    6. Is valuable property removed from unprotected windows after hours?

    Other Openings

    1. Have skylights been protected by bars or polycarbonate glazing?
    2. Are roof hatches securely locked?
    3. Are ventilator shafts, air conditioning ducts and fan openings adequately protected with bars or wire mesh?
    4. Do you check panic hardware regularly to insure that it is properly closed and in good working order?
    5. If there are common attics, has some provision been made to prevent access through them?

    Safes

    1. Is safe designed for both burglary and fire protection?
    2. If safe weighs less than 750 pounds is it secured in place and are wheels removed?
    3. Is safe well lit and visible from outside, especially after hours?
    4. Is cash on hand kept to a minimum by banking regularly?
    5. Do you spin the dial when you lock the safe?
    6. Is the combination changed when personnel possessing it terminate?
    7. Is the cash register left empty and open after hours?

    Alarms

    1. Do you have an alarm system?
    2. Does your system meet Underwriters Laboratory standards?
    3. Is your system tested daily?
    4. Does it report to a central station?
    5. Does it have a back-up power supply for power failures?
    6. Is your system free from false alarms?
    7. Do you or a designated employee respond to every alarm and check it out?
    8. Is the system designed to fully protect all vulnerable areas?
    9. Does your system include fire protection?

    Other Considerations

    1. Do you lock up carefully at night, making sure that the safe is locked, doors and windows are secure, lights are on and the alarm is set and working?
    2. Have you recorded the serial numbers of all valuable merchandise, tools and office equipment?
    3. Do you maintain a good inventory control program?
    4. Do you guard against internal theft by having a written security policy and an audit system to maintain employee account ability?
    5. Do you carry sufficient insurance coverage?
    6. Do you have an effective background investigation program for screening new employees and promotional candidates?
    7. If your local police department has a helicopter or other aircraft, are your street numbers painted conspicuously on the roof of the business?

    Office Security

    1. Do you restrict office keys to those who actually need them?
    2. Do you keep complete, up-to-date records of the disposition of all office keys?
    3. Do you have adequate procedures for collecting keys from terminated employees?
    4. Do you secure all typewriters, calculators, computers, etc. with some type of locking device?
    5. Do you prohibit duplication of office keys except for those which are specifically ordered by you in writing?
    6. Do you require that all office keys be marked “Do not duplicate” to prevent legitimate locksmiths from making copies without your knowledge?
    7. Have you established a policy that keys will not be left unguarded on desks or cabinets – and do you enforce the policy?
    8. Do you require that filing cabinet keys be removed from locks and placed in a secure location when not actually in use?
    9. Do you have procedures to prevent unauthorized persons from reporting a “lost key” and getting a “replacement”?
    10. Do you routinely obliterate code numbers on all keys to prevent unauthorized duplication?
    11. Do you have a responsible person in charge of your key control program?
    12. Are all keys systematically stored in a secure wall cabinet of either your own design or from a commercial key control system?
    13. Do you keep a record showing issuance and return of every key, including name of person, date and time?
    14. Do you use telephone locks to prevent unauthorized use of phones when the office is unattended?
    15. Do you provide secure areas for employees to store their personal property?
    16. Do you have at least one filing cabinet secured with an auxiliary locking bar so that you can properly secure sensitive documents?
    17. Do you leave lights on at night?
    18. Do you record all equipment serial numbers and file them in a safe place?
    19. Do you shred sensitive documents before discarding them?
    20. Do you lock briefcases and bags containing important material in a safe place when not actually in use?
    21. Do you insist on proper identification from all vendors and repair persons who come into your office?
    22. Do you make regular bank deposits and avoid keeping large sums of money in the office overnight?
    23. Do you clear desks of important papers every night?
    24. Do you frequently change the combination to your safe?
    25. When employees work alone at night do they set the door lock to prevent anyone from entering uninvited?
    26. Are emergency phone numbers posted near all phones?
    27. Is computer access restricted to authorized personnel and are access telephone numbers kept confidential?
    28. Are all doors leading to the office protected by heavy duty, double cylinder deadbolt locks?
    29. Are all windows, transoms and ventilators properly protected?
    30. Is there a closing routine established to make sure that everything is properly secured prior to leaving?
    31. If the office is protected by an alarm system, does the equipment work properly and is it set every night?
    32. If you employ a guards, do you check their watch clock tape or dial each morning to be certain that they are doing their job properly?
    33. Do you periodically review your security policies and procedures and update them where necessary?
    34. Are computer files routinely backed up and backup files stored in a secure off-site location?

    Policies, Procedures & Training

    1. Do you have a Workplace Violence Prevention Policy?
    2. Do you have a Crisis Media Management Policy?
    3. Do you have a Disaster Preparedness Plan?
    4. Do you have a Workplace Harassment Policy?
    5. Do you provide on-going training to employees at all levels of the organization regarding these policies?

    Obviously, completing this checklist won’t solve all your security problems. It will however, give you a good idea of the level of security that now have. With that knowledge, you can begin to develop a security program that provides the type of individualized protection your particular business requires.

    If after completing this survey you find that the security of your business is poor or if you have any questions regarding security procedures and equipment, contact me.

    Remember too, this test covers only a small part of a complete business security program. Your business isn’t fully protected until you have taken steps to improve the security of every aspect your business.

    After a Security Audit, it is also a good time to check out your security policies, and my post, the 7 Security Policies you need, is a great starting point.

  • Risk Assessment Guidelines

    Risk Assessment Guidelines

    risk assessment

    Purpose of Risk Assessment Guidelines

    Most Corporate Risk and Security requires all locations to implement the baseline physical security controls described in the physical security standards. These controls are considered the minimum standards for the majority of locations. However, as a result of political, environmental or other local issues additional controls may be necessary. An analysis must be completed for each location to determine what additional risk exists and what additional controls are required.

    Scope

    Corporate Risk and Security will conduct a risk assessment of each location every three years or less if necessary.

    Definitions

    Risk Assessment: the risk assessment is a process, which identifies and quantifies the real risks and key business factors associated in operating a business location. The process is based upon a survey which facilitates the gathering of data specific to the following: environmental factors, business factors, site location and design, municipal resources, crime and demographic factors, business risk profile factors.

    Environmental factors: weather, geological activity, political, chemical.

    Business factors: value of operation, proprietary information, key assets (including manufacturing processes) duplicated/non-duplicated activity, level of staff, impact to total corporation.

    Site Location and Design: physical attributes, fire suppression, public accessibility, access points and natural hazards.

    Municipal Resources: public utilities police and fire resources and response, medical resources, bomb procedures, disaster assistance.

    Business Risk Profile: crime history and demographics, population analysis, historical crime survey and possible trends.

    Check Out: How to Complete a Risk assessment

    Requirements

    Risk Analysis Process:

     

    1. Evaluate the risk exposures and determine the corresponding risk category that must be applied to that location, if any, in reference to the Corporate Profile.
    2. The evaluation for the location must be done and approved by the Corporate Director of Risk and Security.
    3. Both a vulnerability and exposure matrix will be used for three distinct categories: (1) natural disasters; (2) man-made incidents; and (3) incidents.
    Check Out: Understanding of Real Risk

    Responsibilities

    Risk Quantification will be conducted by Corporate Risk and Security who will utilize four categories for quantifying risks in reference to the Corporate Profile:

    Category 1 (Extreme Risk):

    Civil and other war situations wherein the central government does not control significant geographical areas, which are in the partial control of insurgent forces, or where government control is immediately threatened. Also, nations or cities undergoing violent transformation through a military coup or revolution. A major environmental hazard has been determined to be uncontrollable and would cause serious harm, i.e., volcano. Travel and/or event movement are discouraged.

    Category 2 (High Risk):

    Locations where terrorist or guerrilla groups pose a serious threat to a nation’s political and/or economic stability; a country or city faced with widespread street violence resulting from political dissension or economic unrest. Also, countries or cities with known potential for military coup/militia groups or evidence of prejudicial treatment against foreign/nationality interests. Only essential travel would be recommended. Any location where company has been the target of terrorists around the world. Additional measures should be set forth to mitigate the threat of bombings, bomb threat searches, and reduce any real event risks to personnel and property. An environmental hazard has been determined to be uncontrollable and would cause harm if incident occurs. Stringent security precautions and travel awareness is warranted.

    Category 3 (Moderate Risk):

    Locations where political or economic turmoil is evident and/or terrorist/guerilla groups are regularly active but have not become strong enough to threaten government stability. Also, nations or cities involved in potentially violent regional disputes or with high rates of crime. The threat of violence in the work place is high. Non-US locations where the risk exists or is emerging where economic crime, underground/street gang/mob influence is prevalent. The measures designed to prevent or mitigate violence are on property must be implemented in all US locations wherever the risk exists worldwide. An environmental hazard is possible due to location and trend of natural disaster paths, i.e., cyclone paths, tornado alleys, earthquake epic centers, etc. Upgraded security precautions are warranted for travel or investment if disaster mitigation methods are required.

    Category 4 (Low Risk):

    Locations relatively free of frequently recurring acts of political, economic or criminal violence and societal arrest. Nations or cities where organized antigovernment elements or terrorist/guerilla groups may be active but maintain only limited operational capabilities. No known environmental hazards are apparent. Modest security precautions are warranted for travel or investment if corporate security concepts meet corporate standards.

    If you have any questions do not hesitate to contact me.

  • Transparent Security: not seeing it is the point

    transparent securityFor businesses, the need for increased security is apparent. Yet there are many cases where the businesses may not want the appearance of security to be obvious. Although government organizations usually make security a priority over aesthetics, corporate and private facilities often cannot afford to follow this policy. With government facilities, if a property requires 12-foot-chain-link fence with razor wire, then that is what is put into place.

    So where does that leave facility executives at corporate and private organizations? Many are taking physical security design to a new level: transparent security. Transparent security is strategy that addresses the need for security while respecting the importance of a low-key appearance.

    Transparent Security

    Enabling Technology

    Transparent security follows two lines, hard and soft. Hard includes equipment, specifically equipment that is designed to be discrete or invisible. Soft involves policies and a strategy known as Crime Prevention Through Environmental Design (CPTED). Occasionally, nonsecurity objects may be used to serve soft security purposes. In one recent application, maple trees were planted in a park specifically to prevent vehicles from traveling into a restricted area. The trees were part of the park, the placement was part of the security plan.

    The concept of transparent security design is proactive. The idea is to look for potential problems and take steps to put invisible or unobtrusive material in place to mitigate the potential problem.

    Technology is helping to make transparent security easier, and recent advances in the field of window films are an example. An optically clear film is available that can be applied to almost any window, providing a significant increase in protection. Window films provide several security advantages. Glass-fragmentation retention film actually strengthens the glass, increasing the force necessary to break the glass and prevents glass fragments from flying. Window film is relatively inexpensive and is typically done as a retrofit on existing glass. An added benefit is that when properly applied, glass fragmentation window film is invisible.

    Glass fragmentation window film has been applied at facilities owned by such diverse organizations as NASDAQ, Wells Fargo, and not surprisingly, the Department of Defense.

    The idea of hiding security devices is not new. Manufacturers have been building hidden or low-profile closed-circuit television camera housings for years. Intrusion-detection equipment has also been available in hidden housings. Now, manufacturers of high-security vehicle barriers have followed suit. The vehicle barrier approach is unusual in that high-strength antivehicle bollards are now available in an ornamental configuration. One manufacturer has created a line of architecturally designed fiberglass and plastic sleeves to slip over bollards.

    These ornamental barriers are being used to protect buildings as well as to control vehicle access in residential areas. In California, West Hollywood is employing the same type of antiterrorism bollards as used by the federal government to stop car bombers. The city’s barriers are used to block off residential areas from nighttime traffic off Sunset Boulevard from the new Sunset Millennium Shopping Center. The high-security barriers will stop vehicles weighing as much as 7 tons travelling at speeds of up to 62 miles per hour.

    Security Meets Design

    On the other side of the country, multiple entrances to the Florida State Capitol Building rate protection as well. High-security decorative bollard systems are proposed for the legislative members’ garage that will blend in with the aesthetics of the building. This system balances strength and design by placing ornamental trim around the perimeter of each bollard. In a crash test, the same bollards stopped a 7.5 ton vehicle traveling at 44 miles per hour. Mixing strength and aesthetics, these bollards carry a U.S. Department of State and Department of Defense rating of K8, L2, the highest rating that the government has given to a bollard system.

    The impact of security is evident in perimeter systems, too. Some facilities are blending designs into the metal perimeter fence construction to reduce the visual impact of the fence. The corporate headquarters for Delta Airlines in Atlanta is surrounded by a fence with the Delta logo incorporated into it. Less than 10 miles away, the corporate headquarters for the Southern Company — parent company to Georgia Power and other utilities — sports lightning bolts bent into the metalwork of the perimeter fence. In both cases, the additional metal does nothing to increase the physical security.

    CPTED takes the built environment and carefully modifies it to increase security. The concept has been used by planners and architects for many years to control behavior; the emphasis is on the placement of existing nonsecurity materials to achieve a security benefit.

    CPTED classifies people as either normal users, abnormal users or observers. Normal users are the people that belong in a facility. They are the employees, the guy who fills the drink machine, the customers and anyone else who has legitimate business in a facility. The abnormal users are the opposite of the normal users. They are the thieves, the vandals, the graffiti artists and everyone else who is to be kept away.

    The idea of letting some people in while keeping others out is at the heart of any access control system. What makes CPTED different is the idea of observers. A CPTED observer is a person who has been placed at a specific location to minimize the probability of a crime. The concept is simple: The more people looking at something, the less likely crime is to occur. As the number of people looking is increased, so is the probability that someone committing a crime will be seen, and therefore identified and caught.

    Visibility Matters

    Observers are not told that they are “observers.” They are not there to watch a location and report any crime. But reasonable people are is likely to call 911 if they witness a crime. Thus, security in crime-prone areas can be improved if there are reasons for someone — the observer — to be present. For example, park benches provide a place for people to sit, and as a result, they become places for observers to gather. From a design perspective, an observer is a transparent security measure.

    CPTED also utilizes the concept of taking high-risk activities and placing them in low-risk areas to minimize the potential for crime. This is done without the use of security devices and is also transparent. Bank ATMs, for example, are inherently high-risk. The transparent goal in providing security for an ATM is to place the machine in an area of high visibility.

    As the need for security continues to increase, transparent security design is becoming a factor in good architectural and security planning. Minor changes can make a big difference, without compromising aesthetics.

  • How do your alarms communicate?

    How do your alarms communicate?

    There are many ways that a signal from a fire or burglar alarm can reach the receiver; from POTS (the telephone line that you talk on every day) to sophisticated radio transmitters that seem to have been designed for the CIA to cellular service. Whatever method your security system is using, the important function is to get the correct data from the device (motion detector, heat detector, door contact, etc.) to the base station where dispatching occurs.

    The oldest method is the regular telephone wire. In the older systems, each account leased a copper wire connecting them to alarm company central station via the local telephone company switching station. Developed in the 1870’s to measure changes in current at a box in a store or home, it is still used by many private customers. One problem is that the communication flow depends on a solid connection between the two points – if a wire is cut on a pole, the earliest systems show an alarm. Over the past few years, telephone companies have begun to phase out this type of service, since maintenance costs are high and switching equipment is dated.alarm communications

    The answer is derived channel monitoring – where the phone company provides a special device at the switching station and another at the alarm company. The digital signals are then monitored by the phone company for quality control – so line faults can be reported and alarms transmitted more securely. Please note this system is an option: not available in all areas of the country.

    A third source may use a cell-phone similar to what you probably carry with you today. It was marketed in the 1980’s and allows the alarm user to transmit data on the same system that local cellular phone companies provide. There is a charge, of course, as you are paying for the phone number and usage. A typical system has an alarm control interface, a cell phone mounted in a cabinet with back-up power, and an outside antenna if needed. This device allows for alarms to be transmitted even if local phone service is down, providing that it can “hand-shake” with a cellular tower site. Upgrades are ongoing, such as the same technology that allows you to operate your laptop computer in the car. (Telemetry)

    Another plan of action is radio, again this is a newer technology developed in the past twenty years. The simplest type simply substitutes a two-way radio (such as your officers use in the field) to transmit alarm information from one building to another instead of a phone line. This requires a dedicated radio channel as well as line-of-sight reception. A better solution is becoming part of a commercial network, where tower sites and equipment are maintained by a private company and channels are shared based on repeating the messages from office building roofs, water towers, mountaintops and other elevated locations.

    Hardwired alarm panels are less expensive than wireless panels, but they are harder to install. Keep this in mind when working on budgeting for alarm systems. An average alarm installation with a hard-wired system takes about 12-16 hours. A typical wireless installation will take less than 4 hours.

    Another consideration is that some types of construction lend themselves well to a hardwired installation, and others will require the use of wireless.

    Even if you select a wireless alarm panel, some jurisdictions still require that the device back-ups are hardwired. These typically include the power transformer, the electrical ground wire, the telephone connections and any keypads/arming stations and audible alarms.

    Check Out: Emergency Action Plan Basics

    The main difference between a hardwired and a wireless alarm panel is how each one communicates with the protection devices connected to the system. A hardwired panel will require a wire to each “zone” or device on the system, while a wireless system utilizes a radio frequency to communicate with the “zones” or devices that are connected to it.

    While a normal electrical circuit is a Parallel Circuit, a typical hard wired alarm circuit is a 2-wire normally closed loop with end of line supervision commonly referred to as a Series Circuit.

    A Series Circuit allows electrical current to flow from the alarm panel, down one wire through the alarm initiating device and back to the alarm panel. When the current is interrupted, the panel will register a fault on the circuit/zone. End of Line (EOL) resistors are added to the circuit so that the alarm panel can supervise the condition of the zone for ground faults, electrical shorts and open or cut wires.

    Multiple normally closed devices can be connected to a single zone by connecting the devices in series, with the EOL resistors installed on the last device in line. This way, the entire circuit is completely supervised from the panel to the last device in line.

    When wireless alarm systems first appeared on the market, they were not the most reliable systems around. Most of them utilized non-supervised wireless transmitters to communicate to each of the field devices. A non-supervised wireless alarm transmitter would only send a signal “one way” to the alarm panel receiver when it was activated.

    For example, when a door or window was opened, the transmitter would send a wireless signal. The alarm panel would receive the signal and activate the appropriate zone. The transmitter would not send a signal when the door or window was closed, so the receiver/zone had to reset itself after a few seconds. With a non-supervised wireless system, you could actually arm the system with a door or window wide open without even knowing it.

    Most new alarm systems utilize a redundant bi-directional fully supervised wireless connection for two way communication between the transmitters and the alarm panel receiver. With fully supervised wireless, the alarm panel can tell you the real time status of a door or window. If a door is open, it will keep the zone faulted until the door is closed.

    Most of the early wireless systems were very limited in their addressing schemes. They utilized dip switches with binary addressing (explained later) to differentiate between points on the system.

    This was O.K. if your wireless system was installed and commissioned correctly, but what happened when a neighboring location installed the same type of system? If the neighbors motion detector was addressed the same as your dock door, your alarm would go off every time they moved around inside their building. As you can imagine, this could cause some major problems that were very difficult to troubleshoot.

    Modern wireless systems utilize serial numbers, binary house codes, or other proprietary technology to assure that only transmitters enrolled into your panel will be received by your alarm system. If you do your research and purchase a good reliable supervised alarm system, you should never need to worry about your neighbor’s wireless transmitter setting off your alarm system.

    Another problem with the older non-supervised systems is that you did not know when the batteries in the transmitters are low or need to be replaced. The only way to verify that they were working is to periodically test them.

    Because, even the most sophisticated wireless alarm panels are useless if the transmitter batteries are dead, therefore supervised wireless panels are programmed to check in with each of the remote transmitters at least once every 24 hours. If your transmitter has a low battery, the keypad/arming station will immediately inform you of the trouble condition.

    Check Out: Improve Your Security Guard Service in 5 Steps

    With any wireless security system you should always test the performance of your system regularly. The range of any wireless product can be affected by the environment and the structure in which it is installed. Additionally, the range can be adversely affected by environmental conditions, interference form electrical devices or even the orientation of the transmitter in relation to the receiver.

    So who is the winner of this argument? Well, according to Underwriters Laboratory (U.L.), the most secure and reliable installation methods utilize hardwired installations with End of Line (EOL) 1 or 2-resistor supervision. In fact, U.L. approved installation standards for federal government and other high security installations require all zones of protection to be hardwired with complete 2-resistor line supervision.

    Not to say that wireless systems are an inferior product. In fact the fully supervised systems offer excellent protection that is perfectly suitable for 90% of residential installations.

    If you are considering a wireless alarm system, be warned, there are still systems being sold and installed today that are non-supervised, so make sure that any system you are considering offers complete wireless supervision.

    If you opt for a hard-wired alarm system, make absolutely sure that the system is installed with the supervisory resistors at the end of the line. To make installation faster and simpler, some installers will place the resistors in the alarm panel rather than at the end of the line.

    While this method provides supervision of the zone for ground faults, it does not provide protection for a direct short or worse yet, someone splicing into the wire and shorting them together which will essentially close the loop so the panel will not see the zone open or close.

    Whatever method that your security department chooses to move the alarm information from the point of occurrence to the receiving station, make sure that you can provide interference-free data and your staff is able to interpret and dispatch the information. As technology grows into the twenty-first century, new ideas about alarm transmission will be unveiled and older technology will be challenged by parts shortage, lack of technical support, or noise on the line. This article does not offer any specific vendor names or ultimate solutions – but I hope that you will examine your burglar and fire alarm system with an eye toward data transmission.

  • Basics of a Security Risk Assessment

    Basics of a Security Risk Assessment

    security risk assessment

    A proper security risk assessment is necessary to truly understand what security risks your company faces. As a physical security professional you must understand how to conduct a proper security risk assessment. Check out the Risk Assessment Guidelines to understand in-depth what a full security risk assessment entails.

    The following tips will guide you in understanding how to conduct a Security Risk Assessment.

    Zone 1: The Interior

    Every facility executive needs to protect interior space from unauthorized entry. The means available include:

    • An effective system at the front desk or lobby to identify and badge employees and visitors
    • Locking systems
    • Intrusion detection and 24-hour alarm monitoring
    • Closed-circuit television (CCTV) in key locations
    • Security guards

    Zone 2: The Perimeter

    The typical multi-tenant building perimeter base building system focuses on elements that are incorporated into the design of a new structure, but also may be retrofitted. Some of these elements are:

    • Window coatings to minimize glass shards; polycarbonate glass from grade to 30 feet or higher
    • Structurally hardened building exteriors
    • Defensive landscaping — avoiding landscaping that conceals intruders or provides natural “ladders”
    • Lighting and CCTV in key areas
    • Control of loading dock traffic
    • Control of building entrances — main lobby and elevator core interface with public

    Mail facilities are also vulnerable to biological and chemical weapons, and unauthorized entry. To combat those threats, consider:

    • Limiting access to authorized personnel
    • Placing barriers at the building perimeter to decrease access and reduce the impact of hazards
    • Installing X-ray package-screening equipment
    • Installing nuclear, biological and chemical (NBC) detection equipment
    • Installing negative pressurization systems to contain hazardous materials
    • Using HVAC filtering and treatment, such as HEPA filters and UV treatment

    Finally, the building’s air systems and mechanical room, if located on the perimeter, are another area of vulnerability. Protect air handling systems from tampering by:

    • Fencing off fresh-air intakes and return-air vents or moving them to roof
    • Securing mechanical room exits

    Zone 3: Building Grounds

    Building grounds should be treated as a defensive zone to prevent cars and trucks, which might be carrying explosives, from crashing into the building. One security measure against these threats is the installation of highway barriers, but these are unsightly. Instead, use landscape elements to create a stand-off zone around the building, remembering that the effect of blasts diminishes with the distance from the blast. Effective methods include:

    • Using mature trees, landscaped earth berms, raised planter beds, benches, ornamental fencing and ornamental light posts
    • Incorporating effective lighting

    Zone 4: Property Boundary

    Implement security measures at the property line, which may include:

    • Roadway and barrier systems, such as a guardhouse
    • Communication systems in remote parking lots, such as emergency intercom and CCTV surveillance
    • Secured access to gas, water, electric, telephone service and utilities, such as locking manhole covers

    Zone 5: Parking Structures

    Parking structures are a significant area of vulnerability. Limit and monitor access and use, particularly if the parking structure is within or under the main part of the building. In addition to eliminating on-street curb parking, successful methods might include using:

    • Parking control system
    • Vehicle identification system
    • License plate recognition system

    Zone 6: Public Domain

    Finally, leverage the assets that are available to property owners in the public domain: streets, police, fire and emergency services departments. Coordinate security policies and procedures with public agencies at the local, state and federal levels, as appropriate. Establish a liaison to obtain real-time intelligence about actual and potential threats.

    In today’s world, facility executives must take a holistic approach to security planning, programming and system design. They must assess the full range of security assets available — both human and electronic — and develop a system that protects the property at every zone from the interior to the public domain.

     

    Here are suggestions of what to check before contracting Kevin Ian Schmidt for a physical security risk assessment.

    This article is just to provide you with the basics of a security risk assessment, so you are knowledgeable on what to expect when hiring a consultant, and will potentially be able to address minor, simple issues beforehand to save cost.

  • Layered Security

    Layered Security

    layered securityAt its most basic, layered security refers to concentric rings of site and building security. These rings typically progress from the exterior boundaries of a site to the exterior building shell to increasingly secure areas within the building. The rings are not always symmetric or well defined, but each one represents an increase in security hardening against external threats as one moves inward from the site boundary or building exterior.

    In a layering approach, design consideration must be given to the flow of people and material as they move though public, private and restricted building areas. Controlled paths need to be established in conjunction with each layer of security. This is where design with security concerns in mind can minimize implementation and future operating costs.

    Equally important are the internal security layering requirements that segregate building spaces from one another — a key requirement when multiple tenants or departments with differing security needs occupy a single building.

    Securing Core Areas

    Most buildings share core areas that include vertical transportation, electrical and telephone rooms, janitor closets, and public amenities like parking areas, lobbies and toilet facilities. A successful security design must not only plan for the flow of people and material during occupied and unoccupied hours, but also consider how this flow affects the sharing of public and service areas.

    For example, building access from surface or underground parking facilities needs to be segregated and directed to a common access control point to minimize security staffing and other operating costs. Because of past incidents in high-profile buildings, underground parking may in the future be limited or not be provided at all.

    When designing security to maintain segregation of building areas, life safety code requirements must be observed, and the required emergency egress paths must be maintained using appropriate egress hardware. Though it sounds simple, this is one of the most difficult requirements to implement because it requires comprehensive understanding and interpretation of building codes and close coordination of door hardware, security system and fire alarm system requirements.

    Check Out: Physical Security Program – Know the Process

    Design Principles for Security

    Proper design and use of the built environment can assist in effective security layering. The following four design principles are key:

    1. Natural surveillance: The ability to keep potential threats easily observable in parking areas and building entrances.
    2. Territorial reinforcement: Defining private and public areas in the facility or campus using landscape plantings, pavement designs, gates and fences
    3. Natural access control: Design of streets, sidewalks and building entrances to indicate clearly the public access routes and to discourage pathways outside the secure areas, using structural elements to complement electronic access control.
    4. Target hardening: Design using features that prohibit entry or access, such as window, door and air intake location; locks; dead bolts; electronic card access; and closed circuit television (CCTV).

    To enhance security, building exteriors will in the future likely be designed with fewer windows and other openings; exterior windows and doors at the lower floors will be reinforced. Fresh air intakes will no longer be at grade. The number of outside entrances for pedestrians on foot or from parking areas will be reduced to channel the flow to lobby security stations that can be staffed with the minimum number of personnel.

    Underground parking, loading docks and service entrances will be located and designed to segregate and effectively control the flow of personnel and goods using transition areas. Building service areas, toilet facilities, corridors, and electrical and telecommunication closets will be located so that the building’s net usable space can be subdivided, segregated and secured as needed to meet the requirements for each tenant or department’s security, while maintaining the code-required means of egress.

    Technology’s Role in Layered Security

    In addition to physical barriers, a layered approach to security typically requires electronic security systems — different combinations of things like badges, biometrics, card access, door alarms, CCTV and package scanning machines in different combinations — along with personnel trained to make the final decisions. The effective placement of these systems can reduce staffing requirements.

    The upper box on page 53 shows the placement of card access devices and personnel to control access to building core areas from the outside while minimizing staff needed to handle visitors.

    In the example shown, everyone who wants access to non-public areas of the building is directed to the turnstiles that control access to the elevators. Visitors can gain access when authorized by the security personnel.

    In a building similar to the one in the example, delivery trucks could gain access to the loading dock after being cleared by the security staff. Depending on the security level required, access to the freight elevators can be further controlled after inspection of the cargo.

    Check Out: How do Your Alarms Communicate

    Further security layering can be implemented for personnel and material that have been cleared for access to tenant spaces. The bottom box on page 53 shows a typical arrangement of multiple-tenant floors. Tenant security is maintained with the use of card readers to control access into the space. Tenants that need to track personnel who enter and leave their spaces can use their own card readers. Tenant personnel can gain access to the toilet facilities while maintaining security; the use of keys or card readers at the toilet facilities is an option that needs to be evaluated separately. Those making deliveries from the freight elevator need to request access to tenant spaces via telephone or intercom.

    CCTV systems with motion detection can provide continuous monitoring that is useful not only to grant access to the protected spaces, but also to provide forensic evidence needed to investigate security-related incidents. Digital CCTV provides for easy retrieval of information on demand without the time-consuming searching required by older analog systems.

    Although security layering is a valuable strategy for controlling the flow of people and materials within the building, it isn’t the whole story. Operational plans are needed to limit access only to suppliers and staff with legitimate need. Deliveries of supplies from known sources should be coordinated in advance. Delivery times may have to be restricted to off-peak hours to avoid unnecessary delays to building occupants. For particularly sensitive areas, requirements for background investigations of outside contractor staff may need to be established to prevent “Trojan horses,” such as bugging devices, from being introduced into the building during construction, maintenance or deliveries. Emergency plans need to be developed and tested with the building occupants to address different types of security-related emergencies. Exit and emergency pathways need to be established for different scenarios.

    Special measures and additional staffing may be required for special events, such as social functions and tenant relocations, where a large number of strangers may require access to secured areas.

    In new buildings, security layering can be integrated into the original design in a very cost-effective manner. But, of course, occupants of existing buildings are demanding increased security as well. In most of these buildings, security improvements are more costly to provide because of significant additional staffing costs or building modification costs to redirect the flow of people and materials. Many existing buildings were designed with multiple entrance pathways; these buildings must add significant security staff or make costly changes to the building itself to provide minimum levels of security. Building owners will have to treat those additional expenses as a cost of doing business; tenants are demanding increased security, and those measures carry additional costs. Another challenge for existing buildings is that the security layering approach requires both building owners and tenants to accept changes in behavior without developing a trench mentality.

    When it comes to upgrading security from what was acceptable in the past, there is no free lunch. To put it another way, no pain, no gain.

    With new buildings, costs can be minimized. Doing that requires building owners to remember two key points: first, that during the design process it is never too early to plan for security; second, that many tools are available to provide security. And it’s not just building owners who need to think in a new way about security in new buildings. The increased demand for security also will require a change in the mindset of architects and engineers. Design professionals will have to consider how to incorporate into building designs the sometimes conflicting desires and requirements of building owners, occupants, vendors, visitors and governing agencies.

    If everyone on the design and construction team focuses on security early and consistently, security does not need to be expensive and in many cases can be incorporated with minimal impact on the tenants who spend a great deal of their everyday lives in the building.

    It’s also important to remember that effective security requires the building owner to address both operational and security technology issues as well as architectural factors. For example, it is critical that the issues of security staffing and training be addressed. With solid planning and an awareness of the tools available to designers, building owners can achieve the security levels they need without high ongoing costs.

  • Understanding of Real Risks

    Understanding of Real Risks

    Photo Courtesy: Nick Carter/Flickr
    Photo Courtesy: Nick Carter/Flickr

    To anyone who has an understanding of real risks, some of the most unnerving stories about security involve facilities where nothing bad has happened — at least not yet. These are facilities where vulnerabilities exist but haven’t been discovered or addressed yet.

    Case in point: the headquarters of a large health care company. A security review determined that anyone in the lobby could go straight into the rest of the building without being stopped. But the audit recommendations to address that problem languished in the hands of company executives. Six months later, the company found itself embroiled in tense collective bargaining negotiations. One day, a group of people barged in through the front door, raced through the lobby and disappeared into the heart of the building. The stunned receptionist could do nothing but call the police and hope that nothing happened until they arrived.

    Think that a security breach like that — involving an obvious vulnerability — is an isolated case? Look around many facilities, and it’s not difficult to spot security risks: a door propped open, poor lighting in the parking lot, a window cracked open or an unlocked gate. And obvious risks like those are only the beginning. Facilities face a wide range of potential threats. The real question is, which vulnerabilities are most likely to be exploited?

    There are plenty of excuses not to address that question. An office building may be deemed too small to require a detailed security audit. Or its out-of-the-way suburban location may be judged safe because it does not face obvious, high-profile risks. Cost is often an obstacle. So is the lack of an on-site person who is directly responsible for security.

    Excuses aside, experts agree that conducting an audit is paramount to making sure that everyone and everything in a building is as safe as possible.

    In order to really do anything from a security standpoint, you have to know what your risks are, how can you make security decisions if you don’t have a clear understanding of what your problems are?

    Some buildings are clearly high-risk and therefore demand that special attention be paid to security. A good example is a nuclear power plant, the security level requires special attention to detail. The Nuclear Regulatory Commission has specific guidelines for how those facilities should be secured, and it’s not just the release of nuclear material into the air that has to be addressed. Many of those plants, for example, have regularly scheduled deliveries of chemicals via truck or rail. That schedule requires evaluations on which roads leading to the plants have the most risks. Moreover, the possibility that someone may try to sabotage the truck or train delivering the chemicals should also be considered, Benne says.

    The definition of what constitutes a high-risk building has changed over time. For example, the threat of terrorism has created a demand for specialized research buildings to study and respond to a biological event.

    The federal government is looking closely at the security of those biological labs. Two types of assessments are typically conducted on those labs: a bio-risk assessment that focuses on handling and containing biological agents, and a more traditional security assessment that addresses outside threats, such as someone trying to enter the facility.

    If you’re designing a facility with agents that are lethal, the community wants to know what you’re doing to protect it, it’s a sensitivity and not just a process.

    But for every building that is closely scrutinized because it is clearly at high risk, there are many more facilities where risks have never been adequately identified. And a building need not be a landmark to face significant risks. A good example is a branch bank located near the entrance ramp to a highway. Someone who understands risk assessment sees that a financial institution has branches located where other financial institutions have had robberies. Those (new) branches will then be seen as high-risk and added security measures would be put in place.

    Time for Action

    Formal security audits should be done on a regular basis, noting that there are three occasions in particular when they should be conducted. The first is when a site is being considered for a new building. There are commercial and consumer crime statistics companies available that conduct threat and risk assessments based on geographical location. Their assessments detail what the crime and murder rates are for a specific address and compare those rates to those of the city and county.

    Many times you’ll find that the differences are miniscule, but if one location has a greater crime rate, it may have an impact on the decision.

    A security audit should also be conducted when a significant change has been made to an existing facility, such as an addition, and when there’s been a serious incident. In the latter, the goal is to find out why an incident occurred and how it can be avoided in the future.

    A security audit is a three-step process: first, where do you stand today? What are your policies? Procedures? Equipment? Second, where do you need to be? Third, if there’s a significant gap between where you are and where you need to be, how do you fill that gap?

    Risk assessment can go beyond a security audit and try to determine how survivable a business is if something catastrophic occurs. A number of companies went out of business after the World Trade Center collapsed on Sept. 11, while others survived but got “a big wake-up call.” You can’t, for example, put all the data in one location. You need redundancy. Companies have to ask how they’ll continue operating if they want to keep the doors open after an emergency.

    Check Out: How to Complete a Risk Assessment

    Excuses, Excuses

    Despite the benefits of security audits, many companies don’t do them because of the expense, the average in-depth security audit costs between $10,000 and $50,000.

    It’s often not easy for a security director to justify spending money on a security audit when nothing bad has happened in or around a building. Recommending that an audit be conducted is much like making a sales pitch to management. The reason? A security director is competing with others on the staff who want money to be spent on new computers or the replacement of a compressor.

    Audits also aren’t conducted because there hasn’t been an incident in or near a building and so no one feels the need to look for weaknesses. That misses the point of doing a security audit. The goal is to be proactive in organizing a plan to handle different types of threats and reduce liabilities.

    Having a plan could pay off when partnering with an insurance company, if you can show them that you’ve done an audit, an insurance company may lower your premium, so there are some benefits that are outside of just mitigating risk.

    Another reason security audits are neglected is because it is assumed that the risks facing the facility are so clear, and the appropriate countermeasures so straightforward, that a detailed analysis of security risks seems superfluous. For example, administrators at a school that has several open perimeter doors may decide to lock all those doors in a reaction to violence at another school. And while the doors may stay locked for the next several months, at some point security typically becomes lax once again if another incident doesn’t occur. An audit can help structure and focus to security efforts.

    This isn’t to say that security incidents at a similar type of building, or strategies used by comparable facilities, aren’t important parts of the security decision-making process.

    Piece of the Puzzle

    Clearly, a review of strategies used by comparable facilities is an essential component of a security plan. A facility executive responsible for K-12 schools, for example, should be aware that other schools have put an increasing focus on perimeter security, so that no one has unchallenged access. So when someone walks in, they can get to a certain point and then they have to be vetted by signing in, showing credentials and being checked out before they can progress further into the building. At most schools, and this is slowly changing, you can just come in and wander around. Knowing how other schools are addressing security risks can help educational facility executives make decisions about their own buildings, but knowledge of industry trends is no replacement for a security audit.

    An audit is especially important when the installation of security systems is being considered. Facility executives may decide to add video cameras because a similar building did so. But if there are no provisions for monitoring the cameras, they won’t achieve the goal of improving security. Organizations make short-term changes that lack the thoroughness of a well-thought-out plan, often costing money without a return of investment in improved security.

    Organizations that don’t conduct security audits often end up with knee-jerk reactions to incidents. Suppose a company is having its products stolen but it’s unclear exactly how that’s occurring. Feeling the need to take some action, the company’s management might decide to put cameras throughout the facilities. However, if the products are being put in briefcases, cameras won’t spot the thefts.

    Although getting input from the local police department may be useful in the audit, simply asking the police for advice about ways to improve security is no substitute for an audit. Police focus on law enforcement, which is different than securing a building. Law enforcement responds to criminal activity and security is designed to mitigate criminal activity.

    Check Out: Basics of a Security Risk Assessment

    Taking Action

    Some organizations have a security audit conducted and then fail to act on its recommendations. Taking that approach, however, opens management to liability because there’s an obligation to fix the items that the audit found. An audit is likely to find more problems than there are dollars to address them. At that point management needs to set priorities, determining what situations and events are possible, what their probabilities are, and whether their impacts would be catastrophic, minor or something between the two. These are tough decisions, how do you invest money in things that might never happen?

    Of course, if audit recommendations are ignored, and an incident occurs, the company must deal with the effects of the incident as well as the cost of countermeasures, which will surely be taken. In the case of the health care company that ignored the audit recommendation to improve lobby security, the intruders wound up in the office of a facility manager, who called the security manager demanding to know how the breach could have occurred. The security manager pulled out the audit report, which had warned of the risk of such an incident. Companies don’t fully understand the cost associated with the risk. As a result of the incident, the lobby was compartmentalized to preclude the possibility of a similar event in the future.

    What facility executives and security directors need to remember is that there is no way to prevent all security incidents. If a security breach occurs, there will often be recriminations, with people saying that management and others involved in security should have seen it coming. But there’s a huge list of things that can happen, the goal from a security standpoint is to identify things most likely to occur and take reasonable steps to prevent them.

  • Questions to Ask Yourself BEFORE Security Risk Assessment

    Before you hire me as a consultant for a security risk assessment, I advise you to review your business by asking yourself the following questions. Conducting this self assessment before paying for a security risk assessment, will save you money.

    • Are physical controls documented?
    • Are secure areas controlled?
    • Are review and maintenance of access controls taking place?
    • Are there non-standard entry points to secure areas?
    • Are these non-standard entry points secured and/or monitored?
    • Are visitors required to have supervision at the institution?
    • Are visitors allowed within secure areas?
    • If your organization shares access to your facility, does it have proper controls to segregate access?
    • Is sharing physical access to the institution by other organizations documented?
    • Are there contracts or agreements with the organization regarding this physical access?
      • Has a physical penetration test been performed?
    • Are magnetic media stored in accordance with regulatory requirements and manufacturers’ suggested standards?
    • Do guards at entrances and exits randomly check briefcases, boxes or portable PCs to prevent unauthorized items from coming in or leaving?
    • Do guards allow visitors to bring laptop computers into the institution without proper signoff or authorization?
    • Are fire detectors and an automatic extinguishing system installed on the ceiling, below the raised flooring and above dropped ceilings in computer rooms and tape/disk libraries?
    • Are documents containing sensitive information not discarded in whole, readable form? Are they shredded, burned or otherwise mutilated?
    • Are DVD and CDs containing sensitive information not discarded in whole, readable form? Are they “shredded” or mutilated with no restoration possible? (This also should be asked of hard drives and other data storage technology prior to disposal).
    • Are data center and server center activity monitored and recorded on closed-circuit TV and displayed on a bank of real-time monitors?
    • Does access to a controlled area prevent “Tail-gating” by unauthorized people who attempt to follow authorized personnel into the area?