      Industry View - A place for security industry folks to share their thoughts

      There’s a solution for that: Medium-security door options

      Thursday, September 8, 2011 15:54

      By Martin Huddart, ASSA ABLOY

      Recent developments in door opening technology have empowered today’s security directors to play a neat trick. Walk into a building, any building—a corporate office, a hospital, a school. Now select a door, any door. Look at the assets behind that door. Voila: an opening technology is available to match the exact security risks and needs for that specific door.

      This is pretty mind blowing if you think back just a few short years ago when the only options for securing a door—regardless of the assets under protection—were either a relatively expensive hardwired, online access control system or a simple mechanical lock and key. Medium security openings that fell in the middle of this spectrum left security directors with the difficult choice of under-securing or sometimes over-securing and over-paying for a door.

      Today, you’ve got options in this world of ‘medium security’. And best of all, especially in our tepid global economic climate, they don’t have to cost you a fortune. It’s now possible to implement varying degrees of access control at each opening that mesh together and operate seamlessly with the enterprise access control system to create a fully secure facility. All of this is possible thanks to innovation in a place you may not have been expecting it: the humble lock.

      To understand the capabilities of this new class of locks, it’s helpful to look to the past. For years, traditional access control systems consisted of a host computer connected to controllers that connected to electrified locking hardware. The host computer, usually located in a security office, serves as the brains of the system and links to the controllers through long runs of wiring often dedicated to the security system. Additional runs of proprietary wiring then connect a controller with hardware components on multiple doorways.

      Lock manufacturers originally offered an alternative in the form of a PDA programmed lock. Sure, these locks were relatively inexpensive, but generally required proprietary lock software and lots of ‘sneaker power’, as guards had to run from door to door to get transactions or change access rights.

      Technology marched on and wireless technologies enabled locks to communicate with panels wirelessly, which brought many of the features of online access control to a lower cost than a wired opening. Not only were these ‘wire free’ openings less expensive to deploy, they can work with the same enterprise access control software that manages the online wired openings. Some of the savings come from fewer wire runs to the door, and other savings come from the integrated designs of locks where readers, REX, DPS and locking devices were integrated into a single device with about an hour of installation.

      The next evolution was to tie locks into the existing IP network infrastructure to lower cost even further by avoiding the need for proprietary hubs and access control panels. Using smarter locks (essentially the panel is in the lock) and standard Wi-Fi access points, access control can be added for roughly 50% of the cost of wired access control per opening. Other variations use the same IP-based technology as your VOIP phone. Power Over Ethernet locks give end users full, real-time access control with all the same features you get with traditional access control for about 75% of the cost and you still get to control the lock from your favorite enterprise access control system.

      Of course, not every opening requires the level of security delivered by online connectivity. But there may still be a desire to frequently change access rights, control the hour each person can access the door and/or track the door access history.

      The least disruptive way to achieve this level of offline access control is with an electronic cylinder that fits directly into the existing lock. The cylinder can be programmed to allow access only to specific key holders and can be interrogated to determine who opened a door and at what time. If key control is compromised by a lost or stolen key, the cylinder can be reprogrammed to shut out that missing key. This eliminates the need for replacing cylinders or reissuing keys to a large-scale building population. Electronic cylinders can be used in a very wide variety of applications including cylinders, cam locks, cabinet locks and padlocks.

      Keypad locks also fit into the category of offline access control. Like electronic cylinders, keypad locks can be re-keyed electronically. Codes can be changed on the fly if there are any concerns about who has access to different areas of a building. Keypads also have a convenience benefit; not all applications require a key. If the primary concern is controlling traffic to a particular area—say a bathroom door in a commercial building—it may be inconvenient to keep issuing keys to people coming in and out of that building. However, a code can be issued that provides a low-level, but more convenient type of security.

      The available options for controlling access to medium security doors are at an all-time high. By combining components, leveraging existing network infrastructure, and emphasizing convenience features, modern technology has created a much broader set of products than $300 mechanical locks or $3,000 online access-controlled openings. This allows for the selection of the right product to provide the right level of security within a given budget.

      Martin Huddart is Vice President of Electronic Access Control at ASSA ABLOY Door Security Solutions

      The challenge of securing parking lots: How policies, procedures and technology can enhance safety for all

      Wednesday, June 29, 2011 11:56
      Posted in category Industry View

      By Rolland Trayte, FutureSentry

      Parking areas are challenging spaces to secure because they vary greatly in size, geographic make-up, location and risk profile. Parking lots provide vehicle and customer access to area businesses and are often one of the most traveled areas in a city or business district. Therefore, security managers must take the appropriate steps to make parking areas as safe as possible, as an enhanced approach to security and safety in these areas only works to boost economic activity.

      Unfortunately, there are very real reasons to feel unsafe in parking lots or garages because these spaces, due to their nature, are ideal places to commit crimes. Security guards are often charged with patrolling and monitoring parking lot activities, but this approach has its limits as it is not possible for security personnel to be everywhere at one time. Parking lots must be managed and monitored 24/7 to provide residents, employees and customers with a feeling of security, and advanced technology solutions can augment the capabilities of traditional security guards to increase safety and deter crime.

      When evaluating enhancements or changes to existing security programs and technologies at parking areas, it is important to conduct a thorough review of the background issues and the environment that is contributing to security concerns. How are these issues currently being addressed by security patrols and technologies?

      Security managers should review incident reports and benchmark incidents at one area with comparable facilities. Are your garages more successful at deterring crime than others? An assessment of each parking garage’s physical and operational characteristics must also be completed. All of these steps will help determine what mix of security personnel and security systems are most beneficial for your facility.

      Detection Through Intelligence
      Innovations in motion sensors and advanced algorithms enable the development of a new kind of automated detection technology that mimics the actions of traditional security guards. These systems are applicable in a variety of environments but are especially well suited for parking lots. These systems leverage built-in intelligence to automatically identify potentially dangerous targets within 1,000 feet and once detected, track objects to deter criminal behavior. Once it detects motion in a user-defined area, the system illuminates activity with a high-intensity LED light, and rotates to and from the detected activity. Once motion is no longer detected, it will conduct an area-wide search. If no additional movement is found, the system will conduct regular patrols of an area, scanning for unusual behavior, detecting criminal behavior before loss or damage occurs.

      The system, described above, engages in the same motions and movements of a patrolling security force to enable security personnel to focus on other tasks, such as ID badging, inspecting vehicles or observing suspicious behavior. Business operations and security are maximized while maintaining a secure perimeter, and this is especially true in parking facilities with limited budgets.

      Safe Passage
      The most common crimes that occur in parking facilities are theft and vandalism but other more violent attacks, such as abductions and carjacking, are also real risks. To limit the occurrence of such incidents, facilities must have a solid security plan in place that incorporates personnel and technology, and evaluates environmental design.

      Lighting is another important factor in keeping facilities secure. Proper lighting not only helps people feel safer, but it can also deter crime dramatically. Lighting is commonly used to enhance safety by increasing visual range during night hours and ensure a minimum level of visibility. Furthermore, lighting also has value as a deterrent to crime. It can be challenging to effectively illuminate small areas or corridors, such as those between parked cars. Since an automated detection solution tracks motion within 1,000 feet, it leverages the power of its built-in LEDs to shine light on those confined areas when it detects motion.

      An automated detection solution can also be used in place of having security personnel escort customers or employees to their cars in the evening. The system tracks the person’s movement, shining its high-intensity lights to the detected area. Not only is the system illuminating the person’s activity to keep them safe and increase visibility, it deters potential criminals from approaching the individual. Therefore, the technology is useful at both providing peace of mind for shoppers and employees, and keeping criminals at bay. Combined with the additional feature of two-way audio, the system is a customer service tool as well as a security tool.

      A True Solution
      Although video surveillance plays an important role in monitoring activity and reducing crime in parking lots, it is only truly effective when it is being monitored in real time. Without 24/7 monitoring, it is not possible to respond to an emergency situation.

      Automated detection systems work independently to continually monitor activity in high-risk areas. When cameras are leveraged alongside an automated detection system, the solution can be used for both proactive and reactive purposes, including investigations and crime reconstruction. The integration of high-resolution or HD surveillance cameras enables security teams to gather high levels of detail, while IP cameras enable remote monitoring of the system, providing even more ROI.

      Another benefit of integrating cameras with an automated detection system is that it provides guards with an avenue in which to make an assessment of a situation before responding. This provides an additional layer of situational awareness.

      The issue of parking garage security and the level of inappropriate and illegal activity that occurs on these premises continue to receive considerable attention. Facilities must establish security policies and practices as a way to enhance the business and entertainment environment, and mitigate the negative impacts of crime in parking areas. Automated detection technologies provide continuous patrol of a parking lot or garage, act as a significant deterrent to criminals, and provide reassurance to customers and employees. Overall, a multi-layered approach to security that includes experienced personnel, innovative technologies and strong procedures will create a safer and more secure environment, and reduce undesirable activities.

      Rolland Trayte is president and COO of FutureSentry. He can be reached at rollie.trayte@futuresentry.com.

      Involved in a lawsuit? Here are 10 commandments of deposition preparation

      Wednesday, June 22, 2011 11:06
      Posted in category Industry View

      When faced with corporate litigation stemming from a criminal event occurring on your property, members of the security community are often first in the line of command – fielding questions from members of the executive team, quelling employee speculation and dealing with myriad legal details.

      In order to protect themselves and their companies from liability, security professionals should recognize that getting sued is not the biggest problem; losing the suit is. As the old adage goes, the best defense is a good offense, and in the case of corporate litigation, preparation is key.

      What follows is a set of best practices aimed at preparing company witnesses for deposition, the “10 Commandments of Deposition Preparation.”

      Commandment #1: Thou Shalt Be a Good Listener

      The first and foremost “commandment” of preparing a company witness for deposition is “Thou Shalt Be a Good Listener.” During the course of a deposition, a witness must always listen carefully to the questions being asked. He or she should routinely stop and think before answering any given question, as well as listen to the objections being brought about by his/her counsel. Finally, a witness should never accept a fact merely because the plaintiff says it is so. These types of questions will sometimes be prefaced with the phrase “isn’t it true that …” In other instances, this is implicit in the phrasing of the question.

      Commandment #2: Thou Shalt Keep Your Cool
      One of the most important things for a company witness to remember during the deposition process is to always remain calm, cool and collected. Never argue with counsel, and if you feel yourself getting upset, take a break, remove yourself from the situation and come back after you have had some time to cool down. It is a common tactic for counsel to try and get under the witness’ skin in the hopes that the witness will lose focus and begin to give testimony that undermines the witness’ defenses. In expressing opposing points of view, it is always better to be polite, but firm.

      Commandment #3: Thou Shalt Not Guess or Volunteer

      In the world of depositions, guessing or speculation equals death. It is imperative for all company witnesses to refrain from volunteering information and/or naming others who may have information about the case. Guessing at an answer almost always has an adverse effect on your case. Therefore, it is best to candidly admit that you do not know the answer to the question. Further, if you are not certain who may have better information than you in response to a question, your best course of action is to say you are not sure and allow your counsel to confirm this information later.

      Commandment #4: Thou Shalt Review All Documents Carefully Before Answering
      During a deposition, when presented with any documents, it is best for company witnesses to avoid comment if they have never before seen the documents. Similarly, witnesses should know their company’s individual policies and procedures. Make sure that any documents shown correspond to the relevant time period, and always remember to read the fine print.

      Commandment #5: Thou Shalt Know What the Case is About and What Your Defenses Are
      When meeting with counsel to prepare for deposition, ask him/her to give the witness a synopsis of what is being alleged by the plaintiff and what the claimed injuries are. The pitfall here is that if you do not, you will be unprepared for the inevitable deposition question on this, which will give the plaintiff’s counsel the opportunity to paint you and your company as aloof and uncaring in front of the jury.

      It is equally important to review your company’s responses to written discovery requests. This way, you can ensure that your deposition testimony is as consistent as possible with those responses. More importantly, if it is determined that something needs to be corrected, the deposition gives us a good opportunity to do so.

      Commandment #6: Thou Shalt Not Waive Privilege
      In most jurisdictions, both the contents of the company’s incident reports, as well as discussions with counsel during the investigation and defense of the case, are privileged and must not be revealed to opposing counsel in deposition. Thus, we cannot stress enough to our employees that even a small breach of this important commandment could give opposing counsel license to argue that privilege has been waived.

      Commandment #7: Thou Shalt Not Say That You/Your Company Acted Negligently or Recklessly or That You Violated Company Policy
      One of the most vital tips in preparing employees for deposition is to remind them that – under no circumstances – should they ever admit to acting recklessly or negligently. Even more important is never admitting to violating company policy. While it might seem obvious, sometimes deposed employees are inadvertently led to making such statements, which puts the entire company at risk.

      Commandment #8: Thou Shalt Not Talk About Money
      Opposing counsel will frequently attempt to paint our business decisions involving security as having been motivated exclusively by profitability. It is important that our employees be prepared to discuss all of the factors that went into our decisions on the level of security to provide. Although costs are certainly a factor in our company’s decision-making process, it will be critical that the witness be prepared to explain how and why safety was the paramount consideration.

      Commandment #9: Thou Shalt Correct Your Answer if Necessary
      When being deposed, employees should know that their first answer to a given question does not necessarily have to be their final answer. If they find themselves “breaking” any of the previous commandments, such as admitting negligence or incorrectly stating monetary facts, they do have the right to change their answers.

      Commandment #10: Thou Shalt Insist That Your Lawyer Get Together with You 7-10 Days Before Deposition and, If Necessary, Undergo a Mock Deposition
      In the case of employee witnesses being deposed, it is essential to undergo a “mock” or trial deposition with company attorneys. By doing this, employees can familiarize themselves with legal jargon and, more importantly, learn what to expect during the deposition process. Attorneys can review specific questions and answers, as well as run through any negative scenarios and how to correct them before they become insurmountable obstacles.

      Conclusion
      Obeying these Ten Commandments is a good first step to protecting the company’s assets, its brand and its reputation. To be sure, there are many components to defending a suit and the deposition is simply one step in the process. As with any business decision, careful analysis and preparation are of critical importance to management of the litigation, achieving the desired outcome and ultimately a successful defense.

      By:
      Jon D. Groussman, J.D.
      CAP Index, Inc.
      jgroussman@capindex.com

      Constantine “Dean” Nickas, Esq.
      Wicker Smith O’Hara
      McCoy & Ford P.A.
      cnickas@wickersmith.com

      Ken Shuttleworth, Esq.
      Shuttleworth Williams PLLC
      krs@shuttleworthwilliams.com

      How security companies can help during emergency situations

      Tuesday, June 7, 2011 13:48

      By Marian Pierre, CEO and founder of CGI Protects

      The reality of hurricanes, flooding and other unforeseen disasters has unfortunately become a part of doing business today. I lost everything during Hurricane Katrina: My home, everything at my office and I couldn’t believe the devastation in the city. Then I started getting calls from employers and employees, who were dispatched to every part of this country, and were desperate to save their business. I would like to share my lessons learned from Katrina to help businesses prepare for emergency evacuation and show how security companies can aid their community in rebuilding.


      Prepare Your Business
      Plan to stay in business by talking to your employees and preparing a plan to protect your investment.
      - Prepare a disaster protection and recovery plan or hire a security consultant to help determine which staff, materials, procedures and equipment are absolutely necessary to keep the business operating.

      - Utilize an IP video surveillance system so you can see video from your business or home from almost anywhere in the world.

      - Plan ahead to hire security guards to help run contingency plans including:
      ◦ Business site protection
      ◦ Transportation needs
      ◦ Asset and fund transfers
      ◦ Executive and personnel protection

      - Plan what you will do if your building, plant or store is not accessible:
      ◦ Consider if you can run the business from a different location or from your home.
      ◦ Develop relationships with other companies to use their facilities in case a disaster makes your location unusable.

      - Learn about programs, services and resources at U.S. Small Business Administration.

      In addition to protecting your business, also consider how you can aid your community and employees. The importance lies within the fact that if and when such a disaster occurs, workers may be located far away from friends, family and home, leaving them stuck. So it’s important to help employees think about a personal emergency disaster plan for their families. Find a security company that has experience in handling emergencies and is ready to help your community from armed security to basic logistics and assistance.

      As the CEO of CGI Protects for 17 years, Ms. Pierre helped the company rebound after Hurricane Katrina. Throughout her professional career, she has been devoted to serving her community and empowering women through politics, education, social involvement, and economics through an organization she founded, Women Organized Mobilized for Empowerment Now (W.O.M.E.N.) Inc.

      Mobility without compromising security: Best practices for securing enterprise mobile devices

      Thursday, May 26, 2011 13:56

      by Hongwen Zhang, president and CEO of Wedge Networks

      The continued growth of mobile device use within the enterprise has created an abundance of management and control issues for IT and security departments alike. The need to protect information that is accessed and/or stored on these devices has become a priority as today’s next-generation mobile devices are fast becoming as sophisticated as computers; yet the security for these devices is lacking, due to the intrinsic constraints imposed by battery life, portability, and economics of connectivity. For example, a mobile laptop could become infected while in a WiFi or 3G mobile network, before its anti-virus software signature is updated.

      Industry analysts are reporting that half of the devices connected to corporate networks will be mobile by 2015, and in recent years malware targeting mobile phones specifically has grown exponentially. According to a 2011 report, Google had to remove more than 50 malware-infested applications for Android devices from its marketplace.

      The abundance of business applications on mobile devices increases the risk of data loss and malicious attacks. Poorly designed applications are also exposing private and corporate identity information and additionally, because many of these devices belong to employees, enterprise data and applications have a tendency to become integrated, thereby exposing content.

      In many instances, employees download applications, as opposed to IT provisioning devices and accessible platforms and applications, which opens the door to malicious attacks both on and from mobile devices.

      One example, the Zeus Botnet, uses SMS messages to break into users’ bank accounts. The thief hijacks both user name and password from the infected phone, and uses the information to access the victim’s bank account. Another Android mobile operating system attack allowed users’ private information to be transferred to a remote site. Not to mention, “jailbroken” iPhones and iPads immediately lose 70 percent of their security features.

      There are some steps that enterprise organizations can take to address the vulnerabilities associated with mobile computing, including the following:

      1. Protect Web and Social Media Data – Implement full content scanning and inspection across all network protocols. Include protection against third-party services or applications and Web-based services such as Gmail, Facebook and YouTube.

      2. Secure Endpoints Before It’s Too Late – Eliminate malicious attacks before they reach mobile devices. Protect all endpoints, including mobile devices, to ensure that network traffic is free of malware, spam and unacceptable URLs. Firewalls and traditional intrusion detection systems (IDSs) provide only limited protection, and often slow down the enterprise network. Look into emerging technologies that provide accurate, high-performance threat detection, complete visibility of what is transmitted through the network and the ability to stop the transmission of malware in real-time.

      3. Ensure Security, Anytime, Anywhere – Employees roaming outside of an enterprise’s protection perimeters can have their traffic routed through malware scanners to ensure the safe usage of mobile data and applications. Consistent enforcement of IT security policies and optimization of Web resources provides all staff with safe mobile usage across distributed enterprises while reducing time required for IT departments to spend on management and control issues.

      4. Get Real-Time Visibility – There are great benefits when network traffic can be looked at across all layers including the application layer, enabling visibility into the actual intent of the traffic. If this reconstruction and comprehension can be done in real-time, real-time security policies can then be applied to the traffic. This kind of deep content inspection can provide visibility, comprehension, manageability and real-time action for the information.

      Conclusion
      Knowing that all of the necessary security protections are in place provides organizations with the guarantee that mission critical data on mobile devices will remain safe, and systems protected against the spread of malware.

      Dr. Hongwen Zhang is president and CEO of Wedge Networks, an innovative provider of remediation-based Deep Content Inspection for high-performance, network-based Web security. He holds a PhD in Computer Science from the University of Calgary. With more than two decades of high tech leadership experience, Zhang is a co-inventor and holder of several patents in the area of computing and networking.

      Trends in wireless technologies and the emerging PSIM market

      Tuesday, May 10, 2011 8:19

      By David Sylvester, VP of Business Development, Roper Industries

      Wireless sensor networks in commercial settings are continuing to gain traction for life-safety applications. The wave of smart phones and tablet computers has contributed to an increased acceptance of wireless as a reliable alternative to wired in security and life-safety. 900MHz wireless sensor network technology, in particular, continues to prove itself as a trusted solution for emergency situations. Decision makers in the security industry are seeing a surge in the demand for wireless solutions, particularly in IP-based security solutions and applications that require mobile security capabilities. The need for integrated security solutions that can tie all the benefits of wireless together into a single, seamless platform as well as manage security infrastructure has become top of mind for many. Security dealers and directors are increasingly leveraging wireless throughout their organizations for these reasons. In 2011, we are seeing several trends that reflect this movement towards wireless.

      Trend #1: Standardization on IP-based Hardware and Systems
      Video is a hot topic today and generates the majority of physical security industry buzz. It is also clear that systems are leading to IP-based platforms. Manufacturers of access control panels and video management systems are integrating their security networks into a cohesive IP-based solution. The transition to IP-based specifications is accelerating and will quickly drive the industry standard for all products.

      There are numerous functions an IP-based system can monitor, control, and derive business information from as an added benefit. By closely monitoring security points, building automation and identity management, users can demonstrate a measurable payback. The information obtained can be put onto the network to generate data that is correlated and presented to management to help better manage the business and increase efficiency. IP creates a common connectivity, establishing the basis for total system coordination. This, in turn, sets the foundation for development of new applications and capabilities, and ultimately a layer of PSIM solutions.

      Trend #2: Adoption of Wireless Technology Accelerating Rapidly
      Wireless sensor networks and wireless locking hardware have been available for years, but the adoption of these technologies for security applications has been a slow process. However, with the popularity of smart phones and iPads, decision makers are beginning to accept wireless technology as a ubiquitous solution. Wireless sensor networks in commercial settings for life-safety applications continue to gain traction due to their ease in extending monitored sensors, speed of installation, cost savings at the end-user level, mobility and reliability.

      Wireless technologies and mobile hardware have set an expectation of being able to do our work anywhere, any time and while on the move. That said, it is critical to note that not all wireless is the same. When it comes to planning a wireless system designed for life safety, it is critical that decision makers are informed of the differences between “casual” wireless versus life-safety wireless technologies. Casual wireless is intended for information and data flow where disruption or loss of signal creates a need to log back on to the network, such as Wi-Fi. On the other hand, in a life-safety application, the loss of signal could equal loss of life. If a life-threatening event occurs at a facility or on a multiple-building campus, 900 MHz wireless technologies are an effective way to transmit an alert because of their long range, durability and reliability. It enables the system to process and locate the position of the event and alert authorities immediately. Security dealers and integrators are learning that the benefits of using the appropriate wireless technologies will improve the tangible ROI that commercial property owners expect.

      Trend #3: Wireless Systems Create Expanded Applications, Security, Situational Awareness and Location Capabilities
      Today, the expectation that we can take our work with us is creating new applications for smart phones, as well as stimulating growth in rugged mobile computing applications. This use of wireless mobility generates productivity that quickly moves beyond the facility and includes the entire campus environment or even city. Increasingly, productivity, security and safety applications are driven from situational awareness and location needs.

      In campus or city environments, situational awareness and location play a key role in first responder support, situational verification and event resolution. As the number of mobile security persons and human assets increases, it is critical to know where they are located within a building or campus setting when a duress alarm is activated. Wireless solutions can enable mobile duress applications by determining the area and location of an alarm – allowing those who are in harm’s way to signal for help and be immediately located.

      Wireless sensor networks ensure that critical staff on and off campus are alerted in the most efficient way possible in the event of a threat. They offer the ability to alert users after-hours or when campuses and buildings are typically empty. The faster critical staff are notified of an issue, the more rapidly they can take action and in some instances save lives. As decision makers evaluate their options, it becomes essential to find a situational awareness and location solution that offers productivity, security and life-safety. And increasingly, wireless sensor networks will continue to play a critical role in physical security systems.

      Trend #4: PSIM Solutions Knit All Data & Information Together Creating Collaboration on a Single Platform

      All wireless security trends are leading to an increased demand for Physical Security Information Management (PSIM). Today, there are many individual pieces of a security system – physical access control (PACS), video management systems (VMS), alarm monitoring/response, real-time location systems (RTLS) as well as IT system access. PSIM solutions bring all the disparate systems together into one cohesive solution. With a proper PSIM solution in place, users will see increased security and safety, as well as improved first responder efficiencies. These solutions also will demonstrate new elements of productivity that create clear return on investments.

      To properly monitor continually expanding wireless applications, a system that has achieved PSIM should have the capability to connect and manage a variety of security applications, such as video surveillance, access control, intrusion, fire and life-safety, perimeter protection, mass notification and building automation. The flexibility and reliability of wireless systems will play an important role in this evolution. Because integrated solutions can be so complex, wireless sensor networks, which are easy to install, user-friendly and reliable, are expected to gain increasing acceptance within the security industry.

      Conclusion:
      Wireless sensor networks in commercial settings are continuing to gain traction due to their ease in extending monitoring sensors, speed of installation, cost savings, mobility and reliability. Security dealers and integrators are looking for vendors who can better integrate differing pieces of a security system onto a single platform to attain true PSIM capabilities. As wireless technology for life-safety applications increases, the security industry will see the use of PSIM solutions steadily increase and expand across entire facilities and campuses.


      David Sylvester is a vice president of business development at Roper Industries (www.roperind.com). Roper owns Inovonics (www.inovonics.com), a leading manufacturer of wireless sensor networks.

      SED 101: What security practitioners need to know about self-encrypting hard drives

      Friday, April 29, 2011 10:02

      By Aly Sidi, development manager, Absolute Software

      For many organizations and security directors, the task of encrypting information on an employee’s computer poses a significant challenge. Encryption tools often serve as the “frontline of defense” for protecting sensitive data. Organizations rely on encryption to protect against data breaches and the negative publicity that follows such events.

      Encryption has evolved over the past few years from file/folder encryption to volume and full disk encryption. All of these types of encryption utilize the operating system to perform the actual encryption. The biggest hurdle to a universal acceptance of encryption is that all of these tools and methods slow down the system as a whole. In addition, these encryption methods are also susceptible to cold boot attacks as the encryption keys are stored in RAM. Most importantly, traditional encryption tools have always suffered from one major setback: human error. For example, if a user using volume encryption fails to store the documents in an appropriate volume of a hard drive or forgets to safeguard their encryption key, the encryption product can be compromised, possibly resulting in a data breach. And if the organization does not employ a multi-layered approach to security, it could have serious implications when it comes to a breached, lost, or stolen laptop.

      Many manufacturers, including Samsung, Seagate, Toshiba, Fujitsu, and Hitachi, are now building self-encrypting drives (SEDs), providing a standardized, hardware-based method of encryption that ships with the computer. At their core, SEDs are hard drives that have an encryption chip on the device, which protects the data. Based on a specification from the Trusted Computing Group (TCG), the encryption hardware is incorporated into the drive’s electronics controllers with either a 128-bit or 256-bit AES encryption algorithm.

      Though many companies have already deployed full disk encryption onto their devices, SEDs have significant benefits for both IT managers and organizations. Unlike full disk encryption, SEDs are constantly encrypting. This eliminates the usual 6-10 hour wait to encrypt or decrypt the hard drive when loading the application. Additionally, the encryption chip is actually part of the hard drive, so it does not use the operating system resources. This has long been a pain point for users, as full disk encryption methods often tax the operating system, draining resources. Finally, SEDs are not susceptible to cold boot attacks, protecting the device’s encryption keys.

      Some companies are ahead of this trend and are already employing SEDs in their organizations. However, these are the original Seagate DriveTrust drives. Computer and drive manufacturers are working on a new standard, the OPAL specification from TCG. Based on an agreement between drive manufacturers to conform to a single specification rather than create their own implementations, OPAL is positioned to become the de facto standard for SEDs. This summer, more companies will begin to make the switch to OPAL certified SEDs to get ahead of the game before mass implementation by the end of the year.

      New devices bring new management challenges for security staff members. Though these drives ship directly from the manufacturer, organizations may still need to take immediate action to control and administer these drives. Third-party management tools are available and necessary in order to “lock” and “unlock” the drive. These tools can also help IT managers easily administer users, authentication methods, policies, and perform system maintenance tasks from one central administration console.

      The cost effectiveness of the third-party management tools is one of the key benefits of managing these drives. For companies that go through frequent refresh cycles or staff changes, these tools can also wipe the drive for decommissioning or at the end of the device’s lifecycle. Finally, IT staff can easily restore credentials should the system crash or fail.

      With such a strong value proposition, analysts are predicting that SEDs will make full disk encryption obsolete as organizations adopt this new form of encryption when they add new devices as part of their regular refresh cycle. It is expected PC OEM manufacturers will be shipping SEDs before the end of the year. Security and IT staff need to start preparing their teams now for this implementation. They must be trained and ready to administer and secure these devices before integrating them into an organization’s deployment.

      As organizations – both employees and data – become increasingly mobile, IT needs to ensure their security methods are keeping pace. SEDs are the next evolution in encryption and will become the de facto standard in the next few years making software and full disk encryption obsolete. IT needs to start planning now for the integration of SEDs into their security methodology and begin their assessment of third-party management tools that add a competitive advantage over and above simply locking and unlocking the drive.

      How the science of statistics creates profitable solutions in retail loss prevention

      Monday, April 18, 2011 11:10

      By David Speights, Ph.D., and Chris Hanks, Ph.D., The Retail Equation

      The economic climate is still uncertain for retailers. Although sales are improving, the National Retail Federation reports that fraudulent and abusive returns are on the rise, costing retail companies millions in profits. Additionally, shrink and organized retail crime continue to be multi-billion dollar retail problems.

      As hazardous as this climate appears, it also presents an ideal opportunity for loss prevention professionals. By monitoring transactions over time and bringing statistics to bear, loss prevention analytics is reshaping operations and policies to protect bottom lines. This process often begins with “data mining”―a catch-all term for the methods analysts use to make sense of vast quantities of information. By sifting through millions of data points, analytics professionals are able to tease out relationships that would otherwise be undetectable. The result is that today’s retailers have a number of loss prevention tools that were unavailable only a few years ago. Below is an outline of some of the techniques used to maximize a retailer’s margin.

      Challenging Basic Assumptions
      Most retailers’ current accounting programs do not accurately reflect their real return rates; they often overlook exchange transactions and therefore understate the value and quantity of merchandise returning to the store. The return rates for 10 different retailers were recently tallied to analyze how they viewed the impact of merchandise returns. All were underestimating their return rate―one by as much as 150 percent. In fact, the 10 retailers studied saw an average return rate discrepancy of more than 80 percent.

      Why is this important? Items and dollars that get returned within exchange transactions are unexpectedly hidden, masking retailers’ opportunities to rescue sales, prevent fraud, reduce shrink and more.

      Predictive Modeling
      As a retailer, imagine that each customer who returns a product hands you a slip of paper. On the paper is written a number between 0 and 100 percent and a note that says, “This number represents the probability that my return is fraudulent.” Although not this simple, this is the end result of predictive modeling. By tracking and analyzing customers’ purchases, exchanges, and return behaviors over time, loss prevention statisticians are able to develop real-time mathematical models that accurately estimate the chances of a return being legitimate or fraudulent. Recognizing high-risk customers is important, as it often leads to broader networks of return fraud.

      Beyond Exception Reporting
      Bringing computing power and statistics to the process of exception reporting is a key means of reducing fraud. Today, almost all retailers’ loss prevention departments use some form of exception reporting to identify suspicious transactions, individuals or employees. This process usually involves a complex set of rules to flag certain situations that “seem” problematic.

      Taking this scenario one step further, the complex rules for flagging transactions can be reduced to a set of risk variables, each of which can be correlated to known outcomes. By determining the relationship between risk variables and known outcomes (such as correlating a certain employee’s behavior with his/her ultimate termination for fraud), retailers can learn which risk attributes are most important and what weight to assign each. Feeding these variables into predictive models then yields composite risk scores for evaluating transactions, employees, stores or other units of interest. This transition from complex rules to predictive models for identifying fraudulent transactions is analogous to a transition that occurred in the 1990s in the credit card industry: improved ROI and greater loss prevention efficacy let that market do more with less.

      Fraud Ring Analysis
      Social analysts find that people tend to group together based on similarities, and that this is particularly true among criminals. A key method of identifying (and ultimately cracking) organized retail crime rings is by first identifying high-risk customers, and then mapping out clusters of similar customers and analyzing their transaction behavior. Using sophisticated linking algorithms such as “fuzzy matching,” loss prevention analysts can connect known fraudsters to other questionable customers, often uncovering clusters of identities that constitute either crime networks or aliases of the same criminal.
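      The linking step described above, as an added example that is not code from the article or from The Retail Equation. The customer records, field names, thresholds and the three link rules are all assumptions made for illustration; the fuzzy comparison uses Python's standard difflib.

```python
"""Added example: linking return-desk identities into candidate fraud rings."""
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample records (not real customers).
CUSTOMERS = [
    {"id": "C1", "name": "Jonathan Smith", "address": "12 Oak Street Apt 4",
     "zip": "30301", "phone": "555-0101"},
    {"id": "C2", "name": "Jon Smith", "address": "12 Oka St. #4",
     "zip": "30301", "phone": "555-0199"},
    {"id": "C3", "name": "J. Smyth", "address": "98 Pine Road",
     "zip": "30318", "phone": "(555) 0199"},
    {"id": "C4", "name": "Maria Lopez", "address": "700 Elm Avenue",
     "zip": "30305", "phone": "555-0142"},
    {"id": "C5", "name": "Mariah Lopes", "address": "41 Birch Lane",
     "zip": "30305", "phone": "555-0177"},
    {"id": "C6", "name": "Priya Patel", "address": "5 Lake Drive",
     "zip": "30309", "phone": "555-0123"},
]
KNOWN_FRAUDSTERS = {"C1"}   # assumed output of an earlier risk-scoring step

ADDRESS_THRESHOLD = 0.88    # assumed cut-offs; tune against labelled cases
NAME_THRESHOLD = 0.80

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "lane": "ln",
          "drive": "dr", "apartment": "apt", "unit": "apt"}


def norm_phone(value):
    """Keep digits only so formatting differences do not hide a match."""
    return re.sub(r"\D", "", value)


def norm_address(value):
    """Lower-case, strip punctuation and collapse common abbreviations."""
    value = value.lower().replace("#", " apt ")
    tokens = re.sub(r"[^a-z0-9 ]", " ", value).split()
    return " ".join(ABBREV.get(tok, tok) for tok in tokens)


def norm_name(value):
    return " ".join(re.sub(r"[^a-z ]", " ", value.lower()).split())


def similarity(a, b):
    """Fuzzy similarity in [0, 1] from difflib's matching-block ratio."""
    return SequenceMatcher(None, a, b).ratio()


def link_reason(a, b):
    """Return why two identities look related, or None if they do not."""
    if norm_phone(a["phone"]) == norm_phone(b["phone"]):
        return "phone"
    addr = similarity(norm_address(a["address"]), norm_address(b["address"]))
    if addr >= ADDRESS_THRESHOLD:
        return "address"
    name = similarity(norm_name(a["name"]), norm_name(b["name"]))
    if a["zip"] == b["zip"] and name >= NAME_THRESHOLD:
        return "name+zip"
    return None


def find_rings(customers, known_fraudsters):
    """Cluster linked identities; escalate clusters holding a known fraudster."""
    parent = {c["id"]: c["id"] for c in customers}

    def root(x):                       # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = []
    for a, b in combinations(customers, 2):
        reason = link_reason(a, b)
        if reason:
            links.append((a["id"], b["id"], reason))
            parent[root(a["id"])] = root(b["id"])

    clusters = {}
    for c in customers:
        clusters.setdefault(root(c["id"]), []).append(c["id"])

    rings = []
    for members in clusters.values():
        if len(members) < 2:
            continue                   # singletons are not a cluster
        known = sorted(set(members) & known_fraudsters)
        rings.append({
            "members": sorted(members),
            "known": known,
            "escalate": bool(known),
            "links": [l for l in links if l[0] in members],
        })
    # Clusters containing a known fraudster come first.
    return sorted(rings, key=lambda r: (not r["escalate"], r["members"]))


if __name__ == "__main__":
    for ring in find_rings(CUSTOMERS, KNOWN_FRAUDSTERS):
        print(ring)
```

      C3 shares nothing directly with the known fraudster C1; it joins the escalated cluster only through C2, which is the transitive linking the paragraph describes. A link is a lead for an analyst to review rather than proof, since households and shared phones produce the same pattern.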

      Product Associations

      Knowing how products are associated with one another allows them to be clustered into groups and ranked for risk. Combining this information with the typical shrink data goes far beyond the groupings one might find in a standard product hierarchy. For example, consider the capability to use a common product-pairing, like a digital camera and photo paper, to create an indirectly associated product-pair, like a digital camera and a photo album. Knowing this association and crossing the information with shrink data engenders risk profiling for many products and product clusters.

      ROI Analysis
      Before implementing any loss prevention strategy or solution, retailers should understand both the costs and associated benefits. Controlled tests, followed by statistical analyses, aid this understanding. Using “experimental” and “control” groups of stores―and tracking key metrics such as shrink, sales, return rates, or other important outcomes in before-during-after analyses―loss prevention professionals can accurately calculate a given strategy’s ROI. Controlled trials also let analysts manipulate elements that make up an overall strategy: By correlating changes in strategy with changes in ROI, statisticians can optimize loss prevention policies.

      Clearly, statistics play a growing role in retailers’ approach to loss prevention issues and solutions. This is important in any economic climate; but in a mixed economy where profit margins are uncertain, it is imperative for retailers to have an unambiguous picture of their business that is rooted in solid statistical analysis.

      David Speights, Ph.D., is the chief statistician and Christopher Hanks, Ph.D., is the senior statistician of The Retail Equation, the industry leader in retail transaction optimization solutions. The company’s applications use statistical modeling and analytics to predict consumer behavior and turn each individual shopper visit into a more profitable experience. Its software-as-a-service applications operate in more than 15,000 stores in North America, supporting a diverse retail base of specialty, department, sporting goods, auto parts and more. For more information, visit www.theretailequation.com.

      Away with logic and other advice for security professionals in retail

      Monday, April 4, 2011 13:06

      By Joe Davis, director of loss prevention for T-Mobile USA.

      Having served in retail for 19 years, I’m not big on endorsing vendors or third-party products. The cardinal rule of showing complete objectivity when it comes to outside companies has been deeply engrained in me. Yet, I’m about to share with you rave reviews of the Wharton/ASIS Program for Security Executives: Making the Business Case for Security, which I recently attended. I am making this exception because in doing so, I believe there is enormous benefit to be gained by my peers. This course delivered such a new perspective and practical insights that I believe living by them can advance security in organizations to a whole new level. For my part, I feel as though I went from zero to Ivy League MBA in 10 days. So what exactly, you might ask, did I learn that was so valuable?

      Not New Information, But A New Perspective
      The program that I attended is the Wharton/ASIS Program for Security Executives: Making the Business Case for Security, or as I like to refer to it, Wharton’s Executive Bootcamp for Chief Security Officers. Like any executive business program, it is designed to lay a foundation for individuals in business who may not have a comprehensive understanding of all the different functional areas. As you would expect, the program is broken down into several different areas: strategic thinking, leadership, essentials of finance, fundamentals of marketing and a few more. My expectation was to walk in and learn an extensive amount of new information about the functional areas to which I am not typically exposed in my career. Walking out, I realized that the greatest achievement was taking things that I already knew and refining my understanding of the application of these things into my business in a day-to-day process.

      While the program is called, Wharton/ASIS Program for Security Executives: Making the Business Case for Security, there is absolutely no material on security presented. A clever approach by Wharton. Why would they need to teach security experts about security? What they want to do is teach security experts how to most successfully achieve their goals in the whole business environment. I did not necessarily learn new information; what I learned was how to look at my job from a new perspective. Think about the difference in climbing into a helicopter and taking an aerial tour of the Grand Canyon as opposed to experiencing it as a hiker at the bottom of the canyon. Let me tell you, the perspective is starkly different.

      Here are some examples of insights I took away from the program that you can bring to your organization as well.

      The Need To Define Strategy Differently
      Think of how many different books and articles are written on strategy: what it is, how to define it, how to create it. At Wharton, they teach that the definition of strategy is simple: “A plan to win.” Too often, business executives focus on strategy as a process: A means to an end rather than the end itself. But strategy is ultimately about achieving outcomes. In security, that means reducing losses, expanding the revenue model, increasing sales, or any other number of enterprise business objectives. If you don’t infuse your team with the ultimate goal, strategy quickly digresses into the realm of implementing tactics, with focus lost on winning. We don’t want participation trophies, we want championship trophies.

      Too often we are overcome with the process that may hold us captive. At Wharton they encourage the development and implementation of a sound business strategy, but, more importantly they stress the critical nature of defining what winning looks like to you and your business. In my business today winning is hitting key financial metrics as well as the overall protection of the assets of my company. Taking strategy out of the visionary realm and placing it into the tactile world of specific outcomes will drive ownership and accountability within your business.

      Logic is not always the best tool
      Security professionals have a tendency to respect logic above all else. After all, it’s essential to success in our own jobs. We have to follow a path of facts to their logical conclusion to identify and solve problems. And while logic is a critical tool in security, it is not always the best tool when working with other functional areas in the organization.
      Sit down. This isn’t going to be easy. But sometimes you have to let go of logic and focus on relationships. While it might sound eerily like something off of the Oprah Winfrey show, it’s the truth. When it comes to getting buy-in from different groups or winning over skeptics to your way of thinking, logic is not necessarily the most effective tool. It is true for communities, families, businesses and any human network: people do things for people they know and like. Asking for a favor as a friend is likely to yield better, quicker results than trying to enforce action through formal channels. What does this mean for security professionals? Well, it means getting out and getting exposure to colleagues across the organization and interfacing with them on a regular basis. Often, security professionals limit their exposure to executive leadership and other functional areas unless it’s required by a specific project or event. This is often done in the name of efficiency. So when security needs or wants something, they are reduced to delivering dry arguments for action, which produce little enthusiasm and gain a paltry following. An investment in colleagues and relationships is an investment in your strategy.

      Let’s say you want to change the way you are protecting a distribution center and want to increase guard coverage. Many times, a security professional will pull together a plan and give a list of reasons why additional guards are needed. But without relationships, the executives see you as a walking blank check. Knowing you personally, and the value you are adding, and what you are trying to accomplish for the organization, makes accepting your proposal much easier, a more personal affair.

      How to Ask for Money

      Our instructor for this session, John R. Percival, PhD, is a professor of finance at Wharton. Dr. Percival provided some excellent case studies on building shareholder value within your business. His real life examples and engaging delivery had me more interested in Finance than I thought was actually possible. Asking for budget dollars in the security realm is a tedious annual process that is many times the bane of a CSO’s existence. I learned that it’s easier to ask for funding if you can do it in a manner that drives value into your organization by delivering the message in the language of the finance team. Shift your focus from asking about financing for your project to telling how your project will positively impact financials. This is about communicating in the language of your audience. Instead of asking for money and justifying why it should be spent, position your projects in light of the value they will drive to the bottom line: the reduction in loss, the savings in personnel, the increase in time spent focusing on the customer.

      Security is often pigeon-holed as a cost center, when in reality it can and should be marketed as a competitive advantage. Think about how security positively impacts the business. For example, by mitigating risk, the company can deploy more stores in the market. By reducing shrink, the business can invest in growth initiatives. By streamlining operations to reduce loss, security improves efficiency and helps save labor costs. It’s easy for security professionals to focus on what’s inside their area instead of focusing on their true impact to the outside organization.

      Prepare for Meetings
      “Really?” you’re asking. “Prepare for meetings?” It seems obvious, but amidst the frantic pace of business today, think of how inefficient most meetings are. How many times have you been to a meeting at a set time and the only preparation time you have is the time it takes you to walk from the last meeting into the next? The executive course really delves into the value of being prepared for meetings. The prepared person is more effective at gaining their expected outcome than the person with no agenda. It’s a small, seemingly unimportant concept, but the result of poor preparedness is simply that all your time spent in meetings gets thrown down the drain. When you think about how many meetings you have each week, that’s a significant loss.

      In Conclusion: Escape out of the security silo
      In short, the big lesson I learned was how to avoid getting caught up in the security silo and how to start viewing my work as a program that aligns with the company’s strategy. I know that what I am doing in security is helping the organization achieve its goals, but often I reduce my programs to tactical plans that I fail to communicate to others in the organization on a regular basis.

      Security is its own animal. It’s not like sales or marketing and will not be treated like those things. In some ways, it’s the least understood function in the organization. Therefore, our job of explaining how security supports the overall strategy of the organization is much harder than it is for others. We have to look for points of integration as opposed to points of differentiation. The good news is that as security professionals, we have many strengths that we can leverage to better communicate our messages and objectives. We know people. We understand interviewing and picking up on body language and other clues. We can easily tell how people are responding to our interaction. Use this skill to guide you when presenting proposals and communicating with others.

      The program’s academic director, Mario Moussa, told us, “Reality is a liquid, not a solid.” It’s the truth. In the security world, we pine for a firm foundation from which to work. We must learn to be willing to step into the liquid and immerse ourselves in the fluid reality in which business exists. We have to gain flexibility outside of the self-assurance that we have developed in our specialty over the years and recognize that there is a different way of doing things. Failure to do so limits our success and that of our companies.

      Joe Davis is a director of loss prevention for T-Mobile USA. He manages a team of corporate and field level investigators focused on enhancing profitability within the enterprise. Joe’s team is responsible for all internal and external operational improvement and investigative programs in the business. Since joining T-Mobile in 2008 Joe has designed and implemented numerous cutting edge programs from risk mitigation in the retail stores, to reducing operational expenses by $30MM.

      The wrong way to get cameras installed. What you can learn from Zack’s experience

      Tuesday, March 22, 2011 14:25

      By Al Jacobs, former physical security manager at Babies R Us and Linens n Things

      This article is dedicated to the unlucky regional retail loss prevention manager who was suddenly given the full responsibility to install cameras in a new store. For this article, let’s call this manager Zack [all the characters listed here are fictitious]. We all can learn from Zack’s story.

      As a sign of the times, most of Zack’s corporate loss prevention support staff was laid off. Each regional loss prevention manager was tasked with installing their own cameras.

      What did Zack do first? Not much. Zack should have taken the time to create a comprehensive and formal project plan. There is an old Marine Corps mantra that says “prior planning alleviates confusion…” You will see how this still holds true.

      Zack’s corporate seniors gave him full responsibility to hire a vendor to install a new camera system in one of his soon-to-open stores. Zack faced rapidly approaching deadlines. His store’s grand opening date gave him three weeks to complete this project. One way he found to “transfer” the risk of missing this deadline was to quickly hire a camera installation vendor and punt the project to him. If anything went wrong, he had a scapegoat. If not, he was a hero.

      Zack promptly emailed out a few simple specifications and an indecipherable hand drawn camera plan to four security integrators. Zack knew he should have provided his bidders a highly detailed and scaled computer-crafted camera plan along with specific equipment configuration. Zack rationalized that he could not afford to take the time to do that. He also did not have the foresight to hold a “bidder conference” so that all the vendors he contacted could interactively confirm his job’s requirements. As a result, Zack’s vendors replied with wildly disparate proposals.

      Zack’s project clock ticked loudly and he was forced to quickly pick one vendor. He selected the firm with the fastest response, least detailed proposal, cheapest price and a few select but deceptively comprehensive “notes.” Zack did not realize it at the time, but the “notes” were the golden eggs that would eventually permit Zack’s chosen vendor to charge him “extra” fees later on.

      With the contract inked, Zack and his approved vendor, Fred from I.M. Cameras, LLC, reviewed the project. Fred detailed his perceived scope of work. He also asked for Zack’s help in coordinating his interaction with Zack’s new store general contractor. In short order, it turned out that Zack ignored Fred’s pleas and the GC remained an aloof wild card.

      Zack’s GC had other priorities. He felt no pressure to integrate his plans and schedule with Fred’s. As a result, Fred was not able to meet preliminary installation milestones. It got worse. Electrical outlets, lighting, exit doors, signage and fixtures were moved due to changed fire codes and merchandising plans. Nobody told Fred.
      Fred hated being ignored by Zack’s GC. In absolute desperation, Fred called Zack’s boss, an old friend he met at a charity golf outing last year. Predictably, Zack got an irate call from his boss directing him to get Fred on the GC’s schedule or else. Zack called his GC and read him the riot act.

      Finally, the camera installation was on track. However, the delays wasted thousands of labor dollars. These charges ended up in a change order. Fred’s profits increased.

      With Fred’s persistence, the job was done before the store’s grand opening. A final inspection walk through was arranged. At the walk through, Zack realized that the camera layout was not perfect. Some cameras needed to be moved. Zack realized Fred did what he could with a plan that Zack never got around to updating despite GC changes. Fred was good but not clairvoyant.

      Zack accepted responsibility for the “misalignment” and created a punch list with Fred. Fred turned around and created another expensive change order to finally get Zack’s camera system squared away. Zack’s budget was blown but the system was all squared away; at least that was what Zack thought at the time.

      A parting thought: Fred, like any experienced installer, told Zack to change his camera system’s default password. Zack, in his haste to get the camera system turned over to the new store staff, forgot to change it. The default password, the one that had unrestricted authority to change any settings, was spelled out in the system’s equipment manual and online at the manufacturer’s website for the world to see. This included at least one of Zack’s future employees.

      Weeks later, Zack hired a new hard-charging loss prevention investigator named Willie to watch the new store. That was a big mistake.

      On Willie’s first day, he had a highly caustic run-in with the store’s General Manager. That prompted Willie to quit at the end of his shift. As a parting gesture, for his aggravation, he easily found the camera system’s administrative password, surreptitiously changed it and deleted all the other users.

      It was Friday evening, a day later, and life sent Zack a catastrophic wake-up call. His office phone rang and he found out the new store was just “hit.” It was held up. There was a crazed man with a gun who barged in, brutally pistol-whipped two managers and stole all sorts of cash and merchandise. The police and an ambulance were called. Guess what happened next?

      Zack told his boss and then tried to remotely log in to the store’s camera system to see what just happened. He could not connect. He called the store and asked a store supervisor to try it on-site. He had no luck. Panic set in. Zack called Fred and the manufacturer’s technical support help line. Fred was on a cruise taking advantage of his change order windfall. He did not answer his phone. The camera system’s support help line was closed for the weekend. The police would have to work without video. Zack’s boss was fuming.

      The story was fabricated, or was it? When it comes to camera surveillance systems, spending time up front to create a comprehensive RFP, fairly bidding out the job, verifying the deliverables and then properly following up on all the loose details afterward may seem like overkill. Invariably they prove to be necessary.

      To hammer this point home, remember another old Marine Corps expression: “Sometimes it is entirely appropriate to kill a fly with a sledge-hammer!”

      About the author:
      Al Jacobs is a certified project management professional. He held positions as a physical security manager at Babies R Us and Linens n Things. He also worked for Stanley Convergent Security Solutions and Universal Surveillance Systems. Early in his career he was a Marine Corps communications-electronics officer.






      United Publications, Inc.

      © 2012 United Publications Inc. ALL RIGHTS RESERVED