Don't get caught sleeping: why physical security still matters.WE'VE been inundated in·un·date tr.v. in·un·dat·ed, in·un·dat·ing, in·un·dates 1. To cover with water, especially floodwaters. 2. with issues of technological security. Open up an information technology or business magazine and you will be hard pressed not to find an article that talks about viruses worms, trojan horses It may never be fully completed or, depending on its its nature, it may be that it can never be completed. However, new and revised entries in the list are always welcome.
********** TECHNOLOGY SYSTEMS ARE increasingly at risk from attacks by unscrupulous individuals. But businesses have gotten so caught up in technological security that they have forgotten the more basic, yet salient, notion of physical security. By physical security, we mean securing your office buildings and other physical assets from unauthorized access, usage, movement and destruction. [ILLUSTRATION OMITTED] Physical security has lost its glamour recently, taking a back seat to issues of technological security. However, an organization can be brought to the ground in seconds if the right perpetrator A term commonly used by law enforcement officers to designate a person who actually commits a crime. is able to breach physical security and gain access to sensitive areas in an office building. One of us just wrapped up a consulting project for a large financial institution (let us call it Gamma) based in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. . The project was simple and straightforward. Gamma had just finished a review of its security procedures, protocols and practices. Confident about the strengths of its security regiment, Gamma asked us to see if we could gain access to one its office suites. There was only one condition: We had to gain access using unauthorized mechanisms. They did not provide us with any information (such as blueprints of the office layout) or access mechanisms (such as ID cards). We were able to breach Gamma's security protocols in less than 10 minutes, even though the company's budget for security issues ran into the millions of dollars. Here is how it happened: Our man got dressed in a pair of jeans and a T-shirt and grabbed a FedEx envelope from his office. He then rode the subway to the bank's location and went to the reception desk. The reception desk was used for tenants of the office building. He introduced himself as "Kevin," using his real name. The receptionist said "Hello, Kevin. How are you? To whom are you delivering your mail?" Kevin never said he had mail to deliver. Actually, he was just there to get a sense of the building premises. But an opportunity for a security breach had opened that could not be wasted. Kevin replied: "Yes, I am, and it sure is a nice day today. Can you please let me know how I get to the reception desk of Gamma Bank?" The receptionist gave out the floor number of the reception desk and also informed Kevin that the mailroom mail·room n. A room in which ingoing and outgoing mail is handled for a company or other organization. was on a different floor. Then, without checking identification or even calling up Gamma's receptionist, she pointed him to the elevator. Kevin went to the floor that housed the mailroom and was greeted by another employee. She advised him that the package (a blank FedEx envelope) could be left with her and he could leave. Kevin insisted that the package had to be hand-delivered to the Chief Operating Officer Chief Operating Officer (COO) The officer of a firm responsible for day-to-day management, usually the president or an executive vice-president. . The mailroom attendant was eventually convinced, and decided to escort Kevin to the main office floor. She helped Kevin pass through the main reception desk, once again without checking for identification, and then pointed him toward where the Chief Operating Officer's suite was located. Kevin now had access to the main office floor, and by asking two more employees, eventually reached the designated office suite. This security breach led the executives of Gamma to rethink a major component of their security plans--protecting the physical organization from intruders. Gamma's measures to ensure protection of their offices were simply inadequate. But Gamma is not alone in this deficiency. Most organizations are vulnerable to physical security breaches. A lot of money and resources have been diverted to ensuring technological security, many times at the cost of physical security. Ensuring physical security is a much easier task to achieve than the elusive goal of protecting technology from vulnerabilities. However, organizations have become careless careless adj., adv. 1) negligent. 2) the opposite of careful. A careless act can result in liability for damages to others. (See: negligent, negligence, care) in this area, and many have the misconception mis·con·cep·tion n. A mistaken thought, idea, or notion; a misunderstanding: had many misconceptions about the new tax program. that ensuring technological security is much more serious than physical security. Yet to conduct the break-in described above, there was absolutely no technology involved. Failure to protect A large percentage of the personnel thrown into a "security" role do not have the necessary knowledge, experience, or skills. We spoke to over 60 different private security personnel who were charged with protecting office buildings in the downtown Chicago area. Over 85 percent of them had never attended a university or had any training in aspects of crisis management, security, or law enforcement. Of the 15 percent that had attended universities, most were college dropouts and had minimal training in security management. Also, most of the job descriptions for security personnel were vague in their description of minimal requirements for hiring. As one of our respondents put it: "In the interview ... the most important question was if I knew how to use a walkie-talkie." If we do not hire high-caliber personnel, we should not expect much in terms of protection. To be effective, security personnel must have requisite knowledge in the areas of security, crisis management and law enforcement. Without these skills, we might as well leave our doors wide open to intruders. Second, most organizations view their physical security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security as an expense, not an asset. As such, the first line of thinking is: How I can reduce this expense? Amid shrinking budgets and difficult growth periods for organizations, any method of reducing expenses is likely to be welcomed by management. Most organizations outsource their security management functions, many times to the lowest bidder, without executing due diligence Research; analysis; your homework. This term has caught on in all industries, because it sounds so "wired." Who would want to do analysis or research when they can do due diligence. See wired. in evaluating the capabilities of the security vendor. In downtown Chicago, most security guards barely earn $8 to $12 an hour in wages, with minimal fringe benefits fringe benefits, n.pl the benefits, other than wages or salary, provided by an employer for employees (e.g., health insurance, vacation time, disability income). . With such salaries, we cannot expect to attract the best and brightest to take up security positions. And with such low pay, the security personnel can more easily be subject to manipulation by unscrupulous individuals. For example, if we wanted to get access to an office space and found a security guard who was having a hard time making ends meet on his salary, chances are high that we could get access to the space after a bit of convincing--or upon offering a bribe BRIBE, crim. law. The gift or promise, which is accepted, of some advantage, as the inducement for some illegal act or omission; or of some illegal emolument, as a consideration, for preferring one person to another, in the performance of a legal act. . Organizations put themselves at risk by creating environments where allegiance is tested. Would you pay your best software programmer See systems programmer. or salesperson minimal wages? If you did, they would probably leave for another organization. And if they stayed, they would probably perform below their true potential. We need to start thinking in a similar fashion when it comes to security personnel. Security personnel are like puppets in uniforms. In the majority of organizations they lack significant authority or accountability. Put another way, there are always ways to get around them. Consider the following case. In one organization, a security guard was fired after not allowing a person without an ID card into the office building. The security guard did his job; he was hired to prevent unauthorized individuals from entering the building. However, the person he stopped was a senior member of the organization's management team. Due to questioning, the senior official of the organization was delayed--and the vigilant guard was relieved from his post. After this incident, do you think any security guard at this organization will stop a person who happens to look like a senior manager? Security guards have a hard time enforcing security rules. For example, in most organizations there is a rule stating that you must display your ID at all times. But try walking around your office premises for a day without your ID and see if you are ever questioned by a security guard. Unless we give security personnel requisite authority, they will not be successful in protecting our assets. Just like the police have the authority to ensure that all citizens abide by the laws, security personnel must have the authority to enforce security policies. Five steps to security It's not surprising that most Defense and Intelligence Sector (DIS) organizations do not view security as a cost item. To the contrary, such organizations go to great steps to ensure that their assets are protected from unauthorized access, sabotage sabotage [Fr., sabot=wooden shoe; hence, to work clumsily], form of direct action by workers against employers through obstruction of work and/or lowering of plant efficiency. Methods range from peaceful slowing of production to destruction of property. and vandalism The intentional and malicious destruction of or damage to the property of another. The intentional destruction of property is popularly referred to as vandalism. It includes behavior such as breaking windows, slashing tires, spray painting a wall with graffiti, and . DIS organizations often have their own internal security personnel and resist outsourcing this responsibility to a third-party. To be in charge of security matters at a DIS organization, one must have a proven track record, the necessary knowledge and skills--and must be tested for allegiance to the organization. There are extensive training modules provided to security personnel to ensure that they have the requisite knowledge needed to perform their duties. Security personnel at DIS organizations have the authority to take action against security breaches. In the most general sense, they can remand To send back. A higher court may remand a case to a lower court so that the lower court will take a certain action ordered by the higher court. A prisoner who is remanded into custody is sent back to prison subsequent to a Preliminary Hearing before a tribunal or magistrate or quarantine quarantine (kwŏr`əntēn), isolation of persons, animals, places, and effects that carry or are suspected of harboring communicable disease. a staff member for alleged security breaches. Investigations into failure to adhere to adhere to verb 1. follow, keep, maintain, respect, observe, be true, fulfil, obey, heed, keep to, abide by, be loyal, mind, be constant, be faithful 2. security protocol can significantly impact one's chances for promotion, or in some cases can even lead to the suspension of security clearances and the loss of one's job. Extensive training is a necessity. Security policies and practices are not static. They need to be updated on a regular basis as new information on threats becomes available. It is critical to have an appropriate asset management system. An organization must have a way to tag its assets--e.g., with serial numbers on the computer system--and also have ways to gather information from sensitive assets in real-time. For example, the door used by employees to enter the office must be able to emit TO EMIT. To put out; to send forth, 2. The tenth section of the first article of the constitution, contains various prohibitions, among which is the following: No state shall emit bills of credit. real-time information as to who has just entered. This is possible through monitoring logs of ID card swipes and by viewing a video camera feed. RFID (Radio Frequency IDentification) A data collection technology that uses electronic tags for storing data. The tag, also known as an "electronic label," "transponder" or "code plate," is made up of an RFID chip attached to an antenna. (Radio Frequency Identification See RFID. ) tags can be helpful here. If attached to an asset of interest, they can be used to track the movements of the asset, tampering tampering The adulteration of a thing. See Drug tampering. with the asset and other activities. RFID tags An electronic identification device that is made up of a chip and antenna. For reusable applications, it is typically embedded in a plastic housing, and for tracking shipments, it is usually part of a "smart" packaging label. can emit information in real-time that can be monitored by security personnel. Finally, it is important to centralize cen·tral·ize v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es v.tr. 1. To draw into or toward a center; consolidate. 2. the security function. The centralized cen·tral·ize v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es v.tr. 1. To draw into or toward a center; consolidate. 2. security unit must have links to the financial, information system and human resource functions of the organization. These links will be critical in taking measures required to protect the organization. For instance, if the security unit discovers an employee is committing acts of theft, they must have the capability to instantly freeze the employees' access to information systems, stop payment of paychecks, and begin to take legal action. These will call for collaboration with members of the information technology, human resource and financial divisions of the company. Management of security is a strategic matter for all organizations. It must be given the attention, resources and care that other strategic management activities command. Kevin C. Desouza is the President and founder of The Engaged Enterprise and is the director of its research institute--Institute for Engaged Business Research [IEBR IEBR Institute of Ecology and Biological Resources (Hanoi, Vietnam) ]. Desouza has authored over 80 articles for prestigious business and academic journals. In addition, he has written Managing Knowledge with Artificial Intelligence (Quorum A majority of an entire body; e.g., a quorum of a legislative assembly. A quorum is the minimum number of people who must be present to pass a law, make a judgment, or conduct business. Books, 2002), and has co-authored Managing Information in a Complex World (M.E. Sharpe Inc., 2004). Yukika Awazu is the Vice President and co-founder of The Engaged Enterprise and is a senior research fellow at IEBR. Awazu has authored a dozen articles for prestigious business and academic journals. |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion