Physical Security Risk Assessment
https://stag.blackswanintel.com/
Black Swan Intelligence
Tue, 20 Apr 2021 20:18:31 +0000

Can Schools Avoid Security Liabilities?
Sun, 31 Mar 2019 19:43:09 +0000
https://stag.blackswanintel.com/can-schools-avoid-security-liabilities/

How much liability does my school face if I commission a risk assessment and find out all of our vulnerabilities? Could I avoid those liabilities if we remain unaware of our deficiencies? School principals ask me this all the time. They say, “I don’t want to have an assessment done, because if I know what my problems are, I’ll be more liable.”

Setting aside the horrific ethical and moral implications that question raises, schools are actually better protected, both legally and in terms of security, if they know what’s wrong, even if they don’t fix their security issues right away. Here’s why every school is better off conducting physical security risk assessments.

When it comes to liability cases, knowing about a security issue actually gives you the ability to be more protective, not more liable. Here’s why.

 

Is Ignorance Bliss?

Imagine you go to a supermarket and there is a puddle on the floor that isn’t marked. You don’t see the puddle, and you slip and fall. Is the supermarket liable? You bet. Whether they knew about the wet spot or not, they’re still liable. Even if they had no knowledge, it’s their responsibility to know about the hazard and do something to prevent injury.

Now let’s say that they knew about the hazard and they put a sign in the aisle to warn customers. Are they still liable? It depends. In this case, investigators will ask about how much time was spent to remediate the risk—had it been hours since the puddle was spotted, or was somebody on their way to get a mop when you slipped and fell? That makes a big difference, and all the possible variables come into play.

Of course, the third scenario is that the puddle was spotted and cleaned up immediately before anyone was injured. In this case, knowing your vulnerabilities definitely makes a big difference in reducing liability!

Generally speaking, if you know about a security risk or vulnerability and you’re in the process of taking action on it, you’re more protected against liability. Even if you’re not able to resolve the issue at this time, planning out your remediation can be enough to reduce or remove your liability. Some issues simply take a long time to remediate. Not everything can be fixed at once—especially if it’s an expensive issue, or a complicated one. The courts realize this, and they take those variables into consideration.

The key is to be taking proactive measures and to be moving towards remediation.

 

Risk Assessments Don’t Increase Liability

On the other hand, what happens if you claim ignorance because you neglected to conduct a security risk assessment? The plaintiff will put a security expert on the stand and they’ll ask some damning questions:

  • In your professional opinion, should the school have known about the issue?

  • Is there any reason the school shouldn’t have been conducting risk and vulnerability assessments?

  • Could this issue have been reasonably foreseen?

Ninety-nine times out of one hundred, those questions won’t go well for the school administration.

Some time ago, we had done an assessment at a manufacturing facility that had multiple thefts of major products. It was a huge problem. The organization called us in to do an assessment, and I asked, “How long has the gap in the fence been there, by the entrance?” They didn’t know what I was talking about. This was a three-foot gap that every employee walked past every day, yet they didn’t recognize it as a problem!

If this had been a liability case, every employee in that facility would be a potential witness against the company. Everyone knew the gap was there, even if it hadn’t been seen as a security threat. Because the question is, “Is it foreseeable?” In that case, it absolutely was!

Just because you don’t have a security assessment done, that doesn’t absolve you of liability, because many security issues could be foreseen. And it just takes an employee to say, “We see it all the time—it’s been there for years.”

If that happens, not only are you liable, your liability could increase!

So what does that leave us with? Number one, an assessment will not increase your liability. Because:

  • Ignorance of a vulnerability is not a valid excuse.

  • Foreseeability will come back to bite you.

  • People in your own facility will be forced to testify against you.

  • Simply beginning the remediation process is enough to reduce or remove liability.

The Costs of Liability

In 1994, the infamous McDonald’s coffee case went to court. A woman had spilled McDonald’s coffee on herself and suffered third-degree burns on her lower body. It made national headlines for weeks, and the TV sitcom Seinfeld even had an episode based on it.

The woman sued the restaurant, claiming they knew the coffee was too hot. McDonald’s claimed ignorance that it could happen, and placed blame on the customer for not handling the coffee cup properly. But because the incident was foreseeable, the woman won the lawsuit. What was originally a simple request for payment of medical bills became a $2.86 million cluster storm for an international brand.

Most organizations don’t realize how a physical incident will affect their brand or reputation. How important is your school’s reputation? If an incident were to happen in your school, how likely is it that your school will remain open? How long will it be shut down? How will it affect the careers and livelihoods of your teaching staff and administration? What will be the ramifications on your entire school district?

 
 

Protect Your School—Assess Your Risk

You can no longer say a security incident could never happen here. There have been over 300 different school shootings in the last ten years alone. There is no excuse for ignorance anymore.

Every school should conduct a risk analysis on a regular basis. With technologies like the Black Swan Intelligence assessment tool, it is much more affordable than ever. We have industry experts and partners around the country that we can refer you to. With the Black Swan Intelligence software, your physical risk assessment can be done in a fraction of the time—and a fraction of the cost.

Don’t hide from your liability—reduce it! Contact us today to talk about how to take the first step.

 

Source: https://www.circadianrisk.com/2019/02/07/insider-insights-can-schools-avoid-security-liabilities/

CHALLENGES OF SECURING OPEN OFFICES
Sat, 14 Jul 2018 08:11:17 +0000
https://stag.blackswanintel.com/challenges-of-securing-open-offices/

A 38-year-old Maryland native allegedly opened fire on an Annapolis-based newsroom, killing five people and providing a grim reminder that security best practices are not one-size-fits-all.

The suspected shooter, Jarrod W. Ramos, had a longstanding grievance with The Capital Gazette stemming from the paper’s 2011 coverage of a harassment charge against him. He pursued—and prolonged—legal action against the reporter, publisher, and judge involved. He also started a website and several Twitter accounts berating the newspaper.

In 2013, the paper and one of the targeted reporters contacted police to discuss filing a restraining order or misdemeanor charges due to the prolonged harassment but ultimately decided to not follow through for fear of further antagonizing him, the Baltimore Sun reports.  

The reporter and the publisher involved in the legal proceedings from more than seven years ago no longer work at The Capital Gazette.

“If you fire somebody or have an incident with them, it’s typical to feel that their retaliation is going to be in the near future, but that’s not necessarily true,” says Michael Crane, CPP, security consultant and attorney at Securisks. “You hear stories where people come back after a year or two—and in this case, it was after five or more years.”

Crane—who is also the chair of the ASIS Active Assailant Working Group—notes it appears that the paper followed security best practices after the threats escalated in 2013.

“Between his lawsuit and the threats that he made, that certainly should have given them an increased sense of surveillance or security,” Crane says. “What you want to do in that type of situation is conduct an assessment to harden your facility. I’m assuming that part of the newspaper contacting the police was putting in access control on a locked front door so nobody could just walk in without being buzzed in.”

The Capital Gazette shares a building with several other commercial tenants. The shooter entered through the building’s rear entrance and, despite closed access to the newsroom, was able to enter by shooting through a glass door or window. The Capital Gazette—like many newsrooms and office spaces—has an entirely open floorplan, with glass windows all around the room, reporters working at desks in the middle, and half-walls along one side for editors’ offices, according to CNN.

As the gunman proceeded to systematically fire his 12-gauge pump-action shotgun along the room, some employees ran to the back door. However, before entering the building, the gunman had barricaded the door. One man who tried to force the door open was shot and killed.

The rest of the employees hid as best they could under desks and behind filing cabinets. After less than two minutes of shooting, police arrived and the shooter ceased his attack to hide under a desk, before being captured by responders.

“The police were there in 60 to 90 seconds—that’s absolutely tremendous and should be applauded,” says Kevin Doss, CPP, PSP, CEO at Level 4 Security. “However, five people were killed in less than 90 seconds. These happen quickly, so performing a threat assessment, hardening facilities, planning procedures, and training are all critical—you’re only going to have a split second to react.”

Building a training program based on an organization’s specific needs and threat points–and that implements both physical security measures and procedures–is imperative for success, Doss explains. Media organizations, for example, are higher-risk targets because they publish news that is bound to cause grievances. 

“You can take a basic program, and then we talk about site specifics, and that’s where a risk assessment is critical,” says Doss. “You can’t use a cookie-cutter approach to an asymmetrical threat like active shooter because that threat can change characteristics. People are going to have a plan of attack before they show up, and this guy did—he had a plan to lock people in.”

Doss has trained U.S. federal agencies using the U.S. Department of Homeland Security’s Run. Hide. Fight. active shooter protocol and now uses a similar approach when training organizations. He notes that he is working with more companies that have open offices—often featuring open workspaces and glass instead of walls and doors. Active shooter training must account for this increasingly-popular type of workspace, he tells Security Management.

“Look at your workspace from a survival capability,” Doss says. “If it was all open space, there are very few places to hide. At that point train yourself–what could I do if a shooter gets here? If door is barricaded, look at breaking a window or looking at another method. That’s where training comes into play because you don’t want to figure that out during an emergency. You want a planned course of action to train on. If you’re not trained on it, you won’t know to do it.”

Crane agrees, noting that even open office environments should ensure that there are safe places to hide, such as bathrooms or conference rooms with locked doors. Doss points out that while glazing is common in many offices and allows for natural surveillance, it’s also the weakest barrier. Hardening that vulnerability by using polycarbonate or bulletproof glass, or adding a shatterproof film, can help in such instances. 

Crane discusses the challenge of assessing the true danger of a person—either an insider or someone in the community—with a longstanding grudge. Threat assessment teams are helpful in keeping track of terminated employees or customers or people who have been making threats.

“You have to look at active assailant as a subset of a workplace violence incident, which has been going on for years,” Crane explains. “The majority of our workplace violence incidents are domestic related and can spill into the workplace. However, as rare as it is, active assailants do happen. Recognizing behavior and doing something about that behavior, contacting the police, increasing security, limiting access into your facilities, training as to run-hide-fight, those are the only things you can really do.”

Doss says threat assessments not only help harden a facility but allow for the detection of potential bad actors. While good assessments are costly, he recommends high-risk organizations conduct them yearly. 

“I may not be a threat this year, but I may be escalating toward becoming an actual threat, and the only way you’re going to find that out is to track these types of incidents or behaviors,” Doss notes. “Active shootings never happen all at once, there’s always a building and progression–some type of behavioral issues prior to them committing the act. That’s where we have an opportunity to identify these behavioral characteristics and intercede.”

For small businesses and houses of worship, there are a plethora of resources on how to conduct a threat assessment and make sure every employee receives basic active shooter training. “This problem is only getting worse, and we need to become more proactive from organizational side of things because we have a responsibility to provide safe workplace for employees,” Doss says.

The shooter had to be identified via facial recognition software because the fingerprint analysis system was taking too long. Police searched his home in Laurel, Maryland, about 30 minutes from the newsroom, and found evidence of the origination of the planning. He is being held without bail and has been charged with five counts of first-degree murder. Security at newsrooms across the country has been increased as a precaution.

The True Price of a Low-Cost Physical Risk Assessment
Tue, 01 May 2018 08:09:55 +0000
https://stag.blackswanintel.com/the-true-price-of-a-low-cost-physical-risk-assessment/

If you’re like many organizations, you see security as nothing more than an expense. It’s not a revenue-generating asset, so it must be a liability. Physical risk assessments have a low priority—and if you’re really honest, the only reason you do them every year is because your insurance carrier requires it.

I don’t blame you. In fact, I’d probably feel the same way.


If you’re like a lot of other organizations out there, you’re hiring the cheapest security consultant you can find. And that means you’re getting cheated on your physical security assessments. No wonder you don’t see any value in them!

When you hire the lowest bidder, you’re actually making a costly mistake that impacts your company’s bottom line. Here’s what I mean by that.

What Is Your Cheap Consultant Really Costing You?

Organizations hire the lowest bidder to save money, but cheap consultants are more expensive than you realize. And they’ll take a bite out of your bottom line that could have long-term effects.

How could a cheap security consultant be a costly expense? Here are three of the top liabilities to hiring the lowest bidder.


A physical risk assessment you never use

 

Inexpensive security consultants have to cut corners somewhere. Usually it’s in the risk assessment reports, because writing reports takes a lot of unbillable time. The less time a consultant spends on reporting, the more revenue they can earn. The end result is usually one of two things:

  • The report just regurgitates information you already knew about your physical premises

  • The report is loaded with observations, but it’s hard to read and doesn’t tell you how to fix the problems

For most security professionals, it takes a long time to create a valuable report that’s easy to read and includes detailed corrective actions. Cheap consultants can’t do it, because they would lose money and quickly go out of business.

If you hire a cheap consultant, you’ll pay for a risk assessment report you’ll never use.

 

A risky assessment

What would you do if your CPA used the same out-of-the-box tax strategy for all of their clients? That’s how many cheap consultants approach risk assessments. They treat all facilities the same—whether they’re doing physical risk assessments for schools, hospitals, banks or private corporations. Your facilities are unique, and your security consultant should consider your industry, your geography, your business model, seasonal factors and much more. No two facilities are the same—even two fast food franchises in the same town have important differences.

What happens when you treat every facility the same? You get the wrong recommendations. Just as an out-of-the-box CPA could cost you money instead of saving money, a cheap consultant could make inappropriate security recommendations. At best, the recommendations don’t reduce your vulnerabilities. At worst, they actually increase your physical security risks, and you never know it. Is that a risk you want to take?

 


 

Security upgrades you don’t need

Sometimes the problem isn’t the assessment itself, but the remediations. For example, a cheap consultant could properly identify a problem with your building entrances. But they may convince you to install an expensive new access control system when all you really need to do is upgrade your door locks. In a bizarre true story, one Pennsylvania school district armed 500 teachers with miniature baseball bats, as protection during an active shooter scenario.

You can lose a lot of money by making the wrong kinds of physical security changes.

 

What to Look for in a Security Consultant

You can get greater value out of a quality security consultant who can identify physical security improvements that reduce risk and save money. Instead of hiring the lowest bidder, make these your top priorities:

  • Industry experience. How long have they been in your sector? What’s the depth of their industry knowledge?

  • Geographic experience. Every geographic area has its own particular risks. Can the consultant showcase their experience within your area? Are they connected to local law enforcement and other related agencies?

  • Team players. Consultants should bring a second set of eyes with them on inspections. Don’t hire lone wolves.

  • Quality reports. Ask for a sample of the report you’ll receive. Is it valuable information? Is it usable? Does it provide detailed corrective actions? If it’s not a redacted report, end negotiations with that consultant immediately!

  • Tools. Will the consultant use the latest available technologies for the assessment, or is everything paper-based? Digital technologies far outpace the value you’ll get from paper methods.

  • Full process. Will they spend more time on-site, where they can observe your organization, or at home? Find out what happens after the assessment. Will they help you prioritize your needs?

  • Education. They should be a certified protection professional or be educated in the field. Having a law enforcement background doesn’t qualify a person for security consulting.

  • Referrals. Always ask for multiple referrals from recent clients.

Often, the cheaper consultants are police or security officer retirees. They’ve recently taken up consulting because they’re just looking for supplemental income. But the more expensive consultants are the professionals who have made a career out of risk assessment. These are the people who have been around for a long time. They have the expertise and experience to justify a higher rate, and you’ll get more value from their assessments.

Security Is an Investment, Not a Liability

Security assessments, when they’re done right, are an investment into your organization—not a liability. You should be doing risk assessments not because your insurance requires it, but because they will save you money by reducing liability and expenses.

Even if you’re only hiring a risk consultant because your insurance requires it, you may as well get value out of the physical risk assessment. It’s foolish to throw away good money and get nothing out of it.

Hire a quality professional who helps you reduce security costs and reduce your risk. A safer facility will result in a healthier bottom line for your company.

Insider Threat Programs: A Beginner’s Guide
Tue, 23 Jan 2018 19:49:33 +0000
https://stag.blackswanintel.com/insider-threat-programs-a-beginners-guide/

What your company spent years to develop can be lost in an instant at the hands of one ill-intentioned employee. The statistics on employee theft of intellectual property (IP) paint a dark portrait of what employees do when disgruntled, moving on, or stockpiling for a rainy day. William Evanina, the U.S. government’s National Counterintelligence Executive in the Office of the Director of National Intelligence, says, “As a corporate leader, the single most important investment in protecting your proprietary information and sensitive trade secrets is developing a viable and enterprise-wide insider threat program.”

To paraphrase the well-worn mantra on hacking and apply it to the pandemic of Insider Threat: There are two types of companies, those whose employees have already stolen IP, and those who simply don’t know it yet. No matter where your company is along its journey toward an effective insider threat program, success or failure is measured by the last harmful egress of research, formulas, algorithms, strategies, service manuals, or other critical business information (CBI). Whether your effort to detect, deter, and prevent CBI loss has become an industry model or is still a nascent vision, three common components can help build a new plan or help review and adapt a mature program.

Security professionals exploring insider threat fundamentals can take a lesson from first year journalism students. Budding reporters are trained to instinctively repeat basic questions designed to get to the truth, and three of those questions drive formation of all Insider Threat programs: “What?”; “Where?”; and, “Who?” Security leaders should make it their practice to ask these three questions of their staff, key partners, and operational components of their companies. What is it that most merits protection? Where is this most critical information located, physically and in cyber space? Who amongst us requires regular access to CBI?

As the past head of counterintelligence for the FBI, a former corporate security executive for one of the world’s largest companies, and now a risk management consultant, it no longer surprises me to hear new security professionals struggle to answer these basic questions. Security practitioners sometimes perpetuate the long-standing C-suite myth that “security’s got this” when it comes to everything from a missing gym bag to a missing gyroscope. The perception that someone, somewhere, must have already addressed, planned for, or is in the process of resolving the concern of the moment, provides comfort to our senior executives and job assurance for those of us in the profession. But the comfort is dangerous and the assurance is hollow. Rather, we should work to dispel the notion that security can or should protect everything. To do that, the savvy security executive endeavors to first identify and then deeply understand exactly what represents the future of the company, where it resides, and which employees have stewardship of this lifeblood. Done correctly, in partnership with key stakeholders including Human Resources (HR), Legal, IT Risk, and Engineering, Science or Business leaders, this approach provides laser-like focus on what really matters, shares ownership across components, and generates confidence in a process designed to protect against existential threats to jobs and share price.

Build Your Team

Successful implementation of insider threat programs hinges on assembling the right team. IP protection is a team sport and should not be carried out by one component alone. The team requires willful senior level participants who are convinced the time is right to defend the company against the threat from within. Leadership is often motivated to take this step by a crisis sparked by the loss or near loss of a trade secret at the hands of a departing or on-board employee or contractor. But waiting for such a crisis is not advisable. Gather data on losses suffered within your industry, supply chain, or customers. Talk to FBI corporate outreach contacts and ask for examples of economic espionage targeting your technologies. Talk to HR about where employees go when they depart and ask those employees’ former managers whether cumulative losses pose a concern.

Meet one-on-one with a senior thought leader in Legal, IT Risk, HR, Business Development, or Research and ask them to partner with you to assemble a team and form an Insider Threat program. Next, meet unilaterally with each proposed team member to brief them on the threat and risk to proprietary data and seek their support to more strongly defend the company. In some non-defense corporate cultures, using the phrase “Insider Threat” can still generate privacy, trust, and culture concerns. In one large company, a security leader’s proposal to discuss such a program was met with this question from the head of HR, “Do you not think we should trust our employees?” The security leader responded, “I do, and I think we should have mechanisms in place to defend our trust.” Meeting first with each partner will allow you to listen to their concerns. Limit the team to five or six decision makers from key functions. When the team is assembled start asking the first of the Journalism 101 questions.

What?

Whether a newly appointed security leader or seasoned veteran, the question at the heart of IP protection is, “What exactly are we protecting?” Responses provided by security and business leaders to this single question help measure the need for an Insider Threat initiative or the maturity of an existing program. Common responses from the security ranks include: “I’m protecting these buildings,” “I’m protecting this campus,” and “I’m protecting people.” Even security professionals in large, sophisticated corporations frequently do not cite “ideas,” “research,” “technologies,” or “critical employees” when asked what they protect. Follow-up questions on which campuses, buildings, or people are more critical than others are sometimes met with silence or criticism that the question implies some employees are more important than others. One long-tenured security leader responded by displaying his daily automated reports advising him which doors, hallways and offices were entered, but he could neither articulate which company functions occurred there nor how his data was relevant.

Importantly, your team should pose the “What” question to key business leaders including the CEO, General Counsel, CFO, Supply Chain leader, Research or Engineering executives, Business Development or Sales heads, and corporate audit manager. Provide context by framing the question as an attempt to identify the small subset of proprietary information that would most damage the company if it fell into the wrong hands. Various formulas and thresholds can be customized to help guide this discussion and quantify the degree of damage to finances, share price and reputational risk.

Where?

Security professionals can only truly protect that which they know is there. Once CBI is identified, the team must learn where it resides, in both physical and cyber space. In large companies with thousands of employees and facilities, this question is more easily asked than answered. Yet, the answer is vital to learning how your CBI is exposed. One large company locating its CBI discovered a proprietary formula sitting in an open folder accessible by its entire employee population. Audit of the folder revealed that employees in high risk nations had visited the folder without any valid reason.

When countering the insider threat, the physical and the cyber security of CBI must be viewed as one holistic endeavor. The behavior of data and the behavior of humans are inextricably linked and the partnership between IT Risk and Physical Security should be seamless. Once aware that specific buildings, offices, or laboratories contain CBI, protocols and checklists for enhanced safeguarding can be drafted. This initiative counters more than just the internal threat. Upon learning the location of a sensitive manufacturing process one company found the process was part of a public tour route.

Who?

The seemingly simple “Who” question can generate more consternation than the previous two questions combined, particularly from your partners in HR and Labor & Employment Law. While answering the first two questions is often labor intensive, this last query raises issues of policy, organizational culture, and law. Companies may learn that some CBI is assigned to contractors, and the team must wrestle with the issue of whether people with less allegiance, and more transient tenure, should be entrusted with the firm’s future. Yet, identifying employees who require access to CBI is easy compared to planning how to relate to them. This discussion should include: standards for employees to receive and maintain CBI access; policies on travel and device security; enhanced computer monitoring; and, governance protocols for investigative response to suspicious conduct. Importantly, the approach to such vital and often singularly knowledgeable employees should be an inclusive one that views them as special stewards with more responsibility than the average employee.

If approached carelessly, insider threat plans can breed mistrust, alienate key employees, erode company culture, and even violate labor or privacy laws. But, a quality program can be a leader’s most important legacy, reaping tangible dividends in loss prevented, jobs saved, and relationships forged.
