I spoke with a gentleman recently that expressed some 'unhappiness' with their security service provider. And why do you think might have been? There are only two possible reasons... Here they are and how to avoid them…
First, I want to clarify a quick point of misconception. A security system is a lot of things, or it can be a lot of things, but its presence or absence does not necessarily mean an organization is secure or has security. Electro-mechanical systems require procedures in order to be effective. They work within specific parameters and everything outside those parameters must still be met by additional effort. So now what makes you unhappy with your current service provider…
As I said, there are only two reasons why you are unhappy, and both stem from not getting what you want. The first reason is that the service provider is simply not providing the service promised. The contract or service agreement is clear and concise but the vendor cannot meet their obligation. Hopefully your contract either has a non-performance (punishment) clause or if this is unsatisfactory then a means to find another vendor without penalty. The written agreement you have with your vendor should state what you can do them for non-performance; maybe a fine/refund of fees each time a specific service is not performed. Sometimes it’s just not appropriate, or dangerous, to allow this condition to continue – fine or no fine – your just aren’t getting the protection you want. In these instances it is important that your agreement have a means of escape. Unfortunately, the uninitiated tend to sign agreements with vendors (provided by the vendors in a standard format) that actually penalize them for terminating the relationship early. It really doesn’t matter how “standard” their printed service agreement is or their insistence that they cannot make alterations. It’s your service and if one vendor won’t meet your needs then another will. It’s real simple. Security is not magic – security providers and security professionals do not have wizardly abilities that make them special – and there are enough service providers that someone will do what you want the way you want it. Count on it. You just need to find them. Think of all the angry moments you’ve had because of false alarms, missed patrols, or rude service; was it worth the convenience of the vendor or to save a few bucks?
Have you figured out the other likely reason for your unhappiness? It’s tucked into the paragraph above. Your vendor is performing just as the service agreement dictates, but you as the customer entered into an agreement that is inappropriate to your needs, or maybe just your wants. And for that, there is likely to be a penalty for terminating the agreement early. This is not the vendor’s fault – it’s yours. The truth hurts, but it’s not necessarily the end. Many times these agreements can be renegotiated. Why would a vendor do such a thing? Well, hopefully they appreciate your business and want to provide service that you’ll refer to others or at least speak well of whenever the opportunity presents itself. Word of mouth business referrals can’t be beat – and every vendor knows it – because it’s free marketing.
So how then do you avoid these errors and correct them after they happen? Naturally, I’d say find a reputable security consultant to assist you. While we can certainly help you with this, so can many others, and the results will change your view of security providers. Can you do it without a consultant? Sure you can, but you’re already unhappy (or rightly interested in avoiding that heartache) so why expose yourself unnecessarily.
Here’s why it works. A salesperson for the provider is focused on making as sale and preferably getting you to fit a pre-designed format of service. Their questions are focused on getting you into this mold. Your consultant, on the other hand, is focused on your needs and wants; all industry jargon aside. These can then be translated into service requirements. It’s a subtle difference. Typically, you don’t know what these services look and feel like until you experience them, but your consultant does. They have probably had to contract with guard services, alarm services, and courier services; so they know what hurts and what makes the relationship comfortable.
A consultant, or an in-house security manager, can also make for a better go-between. We have professional associations, peer groups, and, of course, our own jargon. It goes right back to the whole referral process. A service provider that takes care of a consultant or security manager can count on good words with other industry peers. And so….
Take a minute and consider what you don’t like about your service providers – and don’t forget what you like as well. Are you being serviced to your expectations?
Rob
/
Friday, October 28, 2005
Tuesday, October 25, 2005
Eco-terrorism - in the news and in front of Congress - again
Brian Connor over at Animal Crackers has offered us information on the recent postponing of LSR (Life Sciences Research - otherwise known as Huntingdon Life Sciences) listing on the New York Stock Exchange (he draws from here, here and here). Further, it looks like there will be more hearings concerning the radical Animal Rights movement.
For clarification on the issue - because few others will bother - there are LOTS of people involved in the animal welfare/rights/liberation movement and they are not all the same. Think of a continuum with Animal Welfare on one end, Animal Liberation on the other and Animal Rights in the middle. If you think of Democrats and Republicans in the same way you get the picture of how different these groups are; both Dems and Reps want what's best for the country but differ on how to get there. Now you may understand the vast differences in the movement. There are two significant demarcations in the movement: whether an individual believes that animals are equal to humans in terms of the value of their lives and whether an individual feels it is acceptable to commit criminal acts that surpass the notion of civil disobedience - in other words property destruction and threats of violence. That's a very short description of the spectrum of the movement.
So why do I care and consider this a point to be discussed in security? Simple; if it's not Animal/Eco folks then it's some other type of militant that is willing to affect you business. Just give it time. Since the cultural revolution (and I apologize if I'm wrong but this is how it was taught to me) every idea is as valid as the next - meaning anyone is now justified in targeting you. Who knows, maybe the paint used for your establishment uses chemicals that affect groundwater (and shame on you not knowing this when your vendor used it), or maybe the paint was mixed by someone in an impoverished country, or maybe you like to fly the U.S. flag, your state flag, or for that matter the Jolly Roger; you could become a target. My personal experience has to do with the Animal Rights/Liberation movement targeting a client.
The broader issue here is understanding your threats. Is it local crime - burglaries and vandalism, or something more sinister? In the case of the AR/AL movement it is important to understand that they believe that every animal is as valuable as your life. Professor Steven Best at the University of Texas - El Paso stated in a speech that he would save his dog rather then an unknown human if they were both in a fire. See his dog means more to him than a unknown human. It's as simple as that. In Terrorists or Freedom Fighters (I'm not linking to it - because I'd rather you not buy it and fund more of his activities) Dr. Best argues that violence cannot be committed on property and therefore the ALF (Animal Liberation Front) is non-violent. This is also an underlying theme of supporters of the ALF; however it is important to keep in mind that property destruction carries with it an inherent threat.
This post could go on for a long time discussing this topic but I'll keep it short. The tactics used by the Eco/Animal Liberation movements are in fact terrorism [how the few affect the many by affecting the few with violence or the threat of violence] and it must be addressed as such. Collect data, know your threat, develop/implement effective countermeasures, and stay orientated toward your threat - it is an intelligent and adaptive threat.
For additional information concerning Eco-terrorism in the U.S. check out this document.
Rob
/
For clarification on the issue - because few others will bother - there are LOTS of people involved in the animal welfare/rights/liberation movement and they are not all the same. Think of a continuum with Animal Welfare on one end, Animal Liberation on the other and Animal Rights in the middle. If you think of Democrats and Republicans in the same way you get the picture of how different these groups are; both Dems and Reps want what's best for the country but differ on how to get there. Now you may understand the vast differences in the movement. There are two significant demarcations in the movement: whether an individual believes that animals are equal to humans in terms of the value of their lives and whether an individual feels it is acceptable to commit criminal acts that surpass the notion of civil disobedience - in other words property destruction and threats of violence. That's a very short description of the spectrum of the movement.
So why do I care and consider this a point to be discussed in security? Simple; if it's not Animal/Eco folks then it's some other type of militant that is willing to affect you business. Just give it time. Since the cultural revolution (and I apologize if I'm wrong but this is how it was taught to me) every idea is as valid as the next - meaning anyone is now justified in targeting you. Who knows, maybe the paint used for your establishment uses chemicals that affect groundwater (and shame on you not knowing this when your vendor used it), or maybe the paint was mixed by someone in an impoverished country, or maybe you like to fly the U.S. flag, your state flag, or for that matter the Jolly Roger; you could become a target. My personal experience has to do with the Animal Rights/Liberation movement targeting a client.
The broader issue here is understanding your threats. Is it local crime - burglaries and vandalism, or something more sinister? In the case of the AR/AL movement it is important to understand that they believe that every animal is as valuable as your life. Professor Steven Best at the University of Texas - El Paso stated in a speech that he would save his dog rather then an unknown human if they were both in a fire. See his dog means more to him than a unknown human. It's as simple as that. In Terrorists or Freedom Fighters (I'm not linking to it - because I'd rather you not buy it and fund more of his activities) Dr. Best argues that violence cannot be committed on property and therefore the ALF (Animal Liberation Front) is non-violent. This is also an underlying theme of supporters of the ALF; however it is important to keep in mind that property destruction carries with it an inherent threat.
This post could go on for a long time discussing this topic but I'll keep it short. The tactics used by the Eco/Animal Liberation movements are in fact terrorism [how the few affect the many by affecting the few with violence or the threat of violence] and it must be addressed as such. Collect data, know your threat, develop/implement effective countermeasures, and stay orientated toward your threat - it is an intelligent and adaptive threat.
For additional information concerning Eco-terrorism in the U.S. check out this document.
Rob
/
Monday, October 24, 2005
Looks like a plan
I would like to draw your attention to something I bumped into on the web while doing a little research that demonstrates a sincere effort in protecting kids. However, it goes much further than this alone by showing some important points in just a few words. Most importantly it appears to effectively blend procedures with technology. In other words, the technology only serves to enhance an already worthwhile process.
Consider these points:
Again, I am not saying that this document is perfect or that the system they have in place is even effectively maintianed, because that was not my point. I have never been to this organization or observed their activity, but given the presentation of the information on the web I thought it only fair to share it.
Keep in mind that good security comes from good procedures - what you do - and not necessarily from expensive equipment - what you have. Consider the "Security System" page just once more and realize that you could replace every mention of technology on that page with much more mundane tools. Consider cypher locks instead of a thumb reader and some other token rather than wristbands - the procedures still appears effective. So it would appear that there is a good marriage between technology and the operating procedures.
Sincerely. Kudos to the folks at Jersey Village for their efforts...
Rob
/
Consider these points:
- First is the acknowledgement that not system is "foolproof." This is essential in avoiding misconceptions of impenetrable security. Too many people like to tell people just how perfect their methodology, techniques, and systems are, but this has more to do with the speaker's ego and puffery than real security. Being honest is far more useful, especially because knowing that a system is not foolproof and being told that is the difference between telling people to relinquish their concerns and asking them to remain alert or aware.
- Second is a request for cooperation with the established procedures. This also acknowledges the contribution that the legitimate user makes to the overall success. Most systems of controls are built on an assumption of compliance, and without general compliance the process will FAIL. Consider the enforcement of speeding on the roads - nearly everyone exceeds the speed limit - creating a lack of general compliance and overwhelming the enforcement capability. Asking for the cooperation of the participant can go a long way toward getting it. Think carrot first, stick second.
- Third there are routine procedures and contingency procedures noted. I am not saying that these procedures are all encompassing, but they are considerably more thorough than I often see. Most importantly is the lack of legalese or technical language. The procedures are clearly written and simplistic (but not overly so). There is even direction should the wristband be lost, which helps to avoid the argument should this happen without a publicized procedure.
Again, I am not saying that this document is perfect or that the system they have in place is even effectively maintianed, because that was not my point. I have never been to this organization or observed their activity, but given the presentation of the information on the web I thought it only fair to share it.
Keep in mind that good security comes from good procedures - what you do - and not necessarily from expensive equipment - what you have. Consider the "Security System" page just once more and realize that you could replace every mention of technology on that page with much more mundane tools. Consider cypher locks instead of a thumb reader and some other token rather than wristbands - the procedures still appears effective. So it would appear that there is a good marriage between technology and the operating procedures.
Sincerely. Kudos to the folks at Jersey Village for their efforts...
Rob
/
Friday, October 21, 2005
A special note to my new "friend" - Some people make crime easy
Hey Steve! I'm calling your name so that you know this is about you - I gave you my card at the bookstore.
For everyone else, here's how it went...
I'm sitting at the cafe in the bookstore, minding my own business, when I hear a gentleman behind me start speaking on the phone. Nothing odd there; everyone does it - it's not like it's a library, right?
Then the call gets interesting. Steve began speaking about a donation. Being someone that considers Social Engineering (see a pro here, more here, and here) one of the most, if not the most, under treated security risk, I naturally began to listen more closely. And yes, he began to read off his credit card number (it was a Visa), along with his address, and year of birth.
Ah the damage that can be done with that. So Steve I gave you my card with little hope that you'll read this and appreciate the free advice of a security consultant.
This, of course, isn't really social engineering but instead a form of "shoulder surfing" which can also be an excellent way of getting passwords, PINs, and other access data.
Look folks. If you going to have that sort of conversation, take it outside so that you're not sharing the data with a handful of people that are reading - or in other words, focusing on remembering information. This sort of thing hurts to witness when so many people want advice on firewalls, alarm systems, shredders, and so on.
This is an example of poor OPSEC and I'm not saying we need to develop detailed OPSEC policies for our daily life, but hey at least keep your personal information and access to any financial resources "close to the chest," please.
For everyone else, here's how it went...
I'm sitting at the cafe in the bookstore, minding my own business, when I hear a gentleman behind me start speaking on the phone. Nothing odd there; everyone does it - it's not like it's a library, right?
Then the call gets interesting. Steve began speaking about a donation. Being someone that considers Social Engineering (see a pro here, more here, and here) one of the most, if not the most, under treated security risk, I naturally began to listen more closely. And yes, he began to read off his credit card number (it was a Visa), along with his address, and year of birth.
Ah the damage that can be done with that. So Steve I gave you my card with little hope that you'll read this and appreciate the free advice of a security consultant.
This, of course, isn't really social engineering but instead a form of "shoulder surfing" which can also be an excellent way of getting passwords, PINs, and other access data.
Look folks. If you going to have that sort of conversation, take it outside so that you're not sharing the data with a handful of people that are reading - or in other words, focusing on remembering information. This sort of thing hurts to witness when so many people want advice on firewalls, alarm systems, shredders, and so on.
This is an example of poor OPSEC and I'm not saying we need to develop detailed OPSEC policies for our daily life, but hey at least keep your personal information and access to any financial resources "close to the chest," please.
Thursday, October 20, 2005
Quick advert for a friend
My best friend has started a new blog.
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
Quick advert for a friend
My best friend has started a new blog.
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.
So go check it out, bookmark it, and then come back here.
Rob
/
Tuesday, October 18, 2005
Rest in peace - or so we hope...
In light of some recent news concerning the recent sentencing of a few cemetery vandals, let's consider this issue of protecting cemeteries.
I can’t say I understand why anyone would damage a cemetery or any part of it, but apparently there are many who think it’s entertainment. Cemeteries and memorial gardens have little in the way of assets - in a traditional sense. What you find in a cemetery generally has little resale value or ability for reuse. I’m certain, without a doubt, that there are exceptions to this; possibly gold trim, or ornaments, or something like that. Anyway, what is being protected has more to do with the idea that the dead should “rest in peace" than protecting assets - at least in my opinion.
Typically cemetery vandalism has to do with tipping headstones - defacing or rearranging them - and similar acts of mischief. On rare occasions there is the grave robbery. One notable recent occurrence is the grave robbery at the Newchurch Guinea Pig Farm in the UK where animal liberation extremists (including this group) stole the remains of a family relative (see here and here). The goal was to drive the farm owners to shut down the guinea pig operation. And, it was successful. There have been arrests but the damage is done.
So how then do you protect a cemetery? These are places that are often left quiet and unoccupied (at least by living souls) for considerable amounts of time. Oh, and dark - cemeteries are not generally illuminated at night. The other issue is to allow legitimate users access - as is the norm anyway.
Since most acts of vandalism occur during the hours of darkness, and there are generally fewer (if any) legitimate users, it's probably best to focus efforts on this time period. How then is the best way, generally speaking, to manage access during the hours of darkness?
We'’re right back at the 4D's -– Deter, Detect, Delay, Deny. Let's face it, vandals are not typically professionals. I mean there are professional thieves, robbers, and burglars, but have you ever heard of a professional vandal? Assuming this to be the case, it becomes an issue of making it more difficult to gain access -– delay. This does not mean that deterrents are ignored or that an attempt is made to detect intrusions.
Cemeteries generally have a fence or wall around them. The size and construction of this barrier can have real merit. Wrought iron fences are common and they create a worthy obstacle for climbing over. With few, if any, cross bars it is difficult to use the legs to assist with the climb. So there is a barrier that provides a delay - which in and of itself provides a further deterrent value since it's far easier to lose interest after a little unsuccessful effort.
Now it's also worthwhile to consider a few other features depending on whether the threat warrants them - and this is purely a judgment call. Like motion activated lighting, motion activated sprinklers, and a detection system - either a traditional alarm system or a monitored video system. There are many factors that may affect these potential options. One relatively simple option at this point might be to have a motion activated CCTV system to work in conjunction with motion activated lighting. There is some deterrent value in this - especially if signage is also used - but the additional CCTV system will assist with any investigations as well.
There can be little down doubt that an interactive monitored CCTV system would be an ideal application of technology in this environment. There are a couple of key reasons for this: One is the power of speaking to vandals - it can be very distracting to your activities when you here someone explaining to you that you're being videotaped and the police have been notified - and the site would not generally need a very high level of involvement. It would much like having a security officer on call.
For the really bad locations it may be best to use several options including onsite manned security posts. By far this is the most expensive but it also provides puts a lot of capability at the hotspot.
I can’t say I understand why anyone would damage a cemetery or any part of it, but apparently there are many who think it’s entertainment. Cemeteries and memorial gardens have little in the way of assets - in a traditional sense. What you find in a cemetery generally has little resale value or ability for reuse. I’m certain, without a doubt, that there are exceptions to this; possibly gold trim, or ornaments, or something like that. Anyway, what is being protected has more to do with the idea that the dead should “rest in peace" than protecting assets - at least in my opinion.
Typically cemetery vandalism has to do with tipping headstones - defacing or rearranging them - and similar acts of mischief. On rare occasions there is the grave robbery. One notable recent occurrence is the grave robbery at the Newchurch Guinea Pig Farm in the UK where animal liberation extremists (including this group) stole the remains of a family relative (see here and here). The goal was to drive the farm owners to shut down the guinea pig operation. And, it was successful. There have been arrests but the damage is done.
So how then do you protect a cemetery? These are places that are often left quiet and unoccupied (at least by living souls) for considerable amounts of time. Oh, and dark - cemeteries are not generally illuminated at night. The other issue is to allow legitimate users access - as is the norm anyway.
Since most acts of vandalism occur during the hours of darkness, and there are generally fewer (if any) legitimate users, it's probably best to focus efforts on this time period. How then is the best way, generally speaking, to manage access during the hours of darkness?
We'’re right back at the 4D's -– Deter, Detect, Delay, Deny. Let's face it, vandals are not typically professionals. I mean there are professional thieves, robbers, and burglars, but have you ever heard of a professional vandal? Assuming this to be the case, it becomes an issue of making it more difficult to gain access -– delay. This does not mean that deterrents are ignored or that an attempt is made to detect intrusions.
Cemeteries generally have a fence or wall around them. The size and construction of this barrier can have real merit. Wrought iron fences are common and they create a worthy obstacle for climbing over. With few, if any, cross bars it is difficult to use the legs to assist with the climb. So there is a barrier that provides a delay - which in and of itself provides a further deterrent value since it's far easier to lose interest after a little unsuccessful effort.
Now it's also worthwhile to consider a few other features depending on whether the threat warrants them - and this is purely a judgment call. Like motion activated lighting, motion activated sprinklers, and a detection system - either a traditional alarm system or a monitored video system. There are many factors that may affect these potential options. One relatively simple option at this point might be to have a motion activated CCTV system to work in conjunction with motion activated lighting. There is some deterrent value in this - especially if signage is also used - but the additional CCTV system will assist with any investigations as well.
There can be little down doubt that an interactive monitored CCTV system would be an ideal application of technology in this environment. There are a couple of key reasons for this: One is the power of speaking to vandals - it can be very distracting to your activities when you here someone explaining to you that you're being videotaped and the police have been notified - and the site would not generally need a very high level of involvement. It would much like having a security officer on call.
For the really bad locations it may be best to use several options including onsite manned security posts. By far this is the most expensive but it also provides puts a lot of capability at the hotspot.
Thursday, October 13, 2005
When you must share the house - or borrow it
I had an interesting conversation recently with someone that felt that they could not benefit from consulting services because, not having their own facility, they held their worship services at a nearby school. We did not go into details as to whether they would have a building anytime soon, and, quite frankly, it doesn't have a significant impact here. There are several safety and security issues that crop up in relation to sharing a house of worship - or borrowing one temporarily. I'll spend a little time on a few here...
Access: It's still about Access Management. Who has it, who needs it, and how do you know. How many access points does a school, or community center typically have? Quite a few in my experience, so how can you be sure who is in or out of a facility. What about hygiene facilities? At any given time, how do you know they are safe? In other words, who may be lurking in a restroom? How are collections processed and safeguarded? Who has access? How do you know. There are probably more keys floating around for those buildings than anyone can know. As a periodic user of the facility it is unlikely that you can change this fact, but you can manage the subsequent risks.
What are just a few thoughts to take away?
Keep a closer eye on children particularly when they head into the restrooms. It's also a good idea to ensure that these areas are searched by responsible adults prior to use. This could be done by those that arrive to set up.
Segregate the area to be used from the facility in general. Many schools, at least the ones I remember, had fences that were pulled across specific hallways as the school was closed. If these exist, and it DOES NOT create an evacuation hazard, then they should be used. Be sure that school officials are the ones to actually close and lock these to ensure that doing so keeps the occupancy within local code.
Any area in which cash is to be processed or stored should be adequately protected. It is my opinion, that when this is done within an uncontrolled location, like a school or community center, then a cash-in-transit provider should be used whenever possible - and please choose a reputable one (email me for some guidelines to use when evaluating vendors). Either way, I would not bother to count or process the funds on location; instead I would work with a bank that would provide a counting room and process it there. Otherwise, just pass it on to the bank and let them process it. I know it is important to give credit to those who use checks or donation envelopes and this service can be done by a CIT service; or this can be done in a counting room at the bank. There are other options but the bank is convenient since the funds will end up there anyway.
Nursery areas should also be carefully selected and searched since they are more likely to have a dangerous objects present (at least objects dangerous to young children).
Just a few thoughts. I'm sure this will be revisited again.
Rob
/
Access: It's still about Access Management. Who has it, who needs it, and how do you know. How many access points does a school, or community center typically have? Quite a few in my experience, so how can you be sure who is in or out of a facility. What about hygiene facilities? At any given time, how do you know they are safe? In other words, who may be lurking in a restroom? How are collections processed and safeguarded? Who has access? How do you know. There are probably more keys floating around for those buildings than anyone can know. As a periodic user of the facility it is unlikely that you can change this fact, but you can manage the subsequent risks.
What are just a few thoughts to take away?
Keep a closer eye on children particularly when they head into the restrooms. It's also a good idea to ensure that these areas are searched by responsible adults prior to use. This could be done by those that arrive to set up.
Segregate the area to be used from the facility in general. Many schools, at least the ones I remember, had fences that were pulled across specific hallways as the school was closed. If these exist, and it DOES NOT create an evacuation hazard, then they should be used. Be sure that school officials are the ones to actually close and lock these to ensure that doing so keeps the occupancy within local code.
Any area in which cash is to be processed or stored should be adequately protected. It is my opinion, that when this is done within an uncontrolled location, like a school or community center, then a cash-in-transit provider should be used whenever possible - and please choose a reputable one (email me for some guidelines to use when evaluating vendors). Either way, I would not bother to count or process the funds on location; instead I would work with a bank that would provide a counting room and process it there. Otherwise, just pass it on to the bank and let them process it. I know it is important to give credit to those who use checks or donation envelopes and this service can be done by a CIT service; or this can be done in a counting room at the bank. There are other options but the bank is convenient since the funds will end up there anyway.
Nursery areas should also be carefully selected and searched since they are more likely to have a dangerous objects present (at least objects dangerous to young children).
Just a few thoughts. I'm sure this will be revisited again.
Rob
/
Wednesday, October 12, 2005
Valuable lessons from the USS Cole attack
Let's all take a minute and remember the 17 dead and 42 wounded in the attack on the USS Cole five years ago today - that would October 12, 2000. See the Stars & stripes tribute many of the other news outlets.
Now take another few minutes and ask yourself what it is you, as a security professional (or just someone interested in security), can learn from this unfortunate event. For I'll start with the Cole Commission Report and work from that since we can all make unsubstantiated comments until the cows come home. Nothing beats information that can be sourced and, regardless of what you might think of commission reports, they generally do include some analysis of the facts surrounding the event.
I'll just take a few of the findings from the commission and equate them to the life of today's security manager or director. I'm sure there are other findings that can be used here, but these will suffice.
Disclaimer: All comments below are intended to relate the findings of the report to day-to-day security concerns - tending toward the commercial sector. In no way am I commenting on the performance of individuals involved or activities that affected the USS Cole.
Finding: Better force protection is achieved if forces in transit are trained to demonstrate preparedness to deter acts of terrorism
Deterrence works! Realistically it does not ALWAYS work, but then that's why a good security program goes beyond this one layer. Presenting a formidable (read: professional, well-trained, and prepared) image absolutely works in your favor. It discourages the casual nuisance and makes the committed plan more thoroughly - which means more time [the value of which we'll discuss further on], more tools and expertise (and probably money as well). Time, tools, expertise, and money are all commodities. To quote an old teacher, Dr. Kobetz, "Time is on no one's side. It is a commodity. You must decide how you will use it." I think we all familiar with the limitations on tools, expertise and money in preparing an attack.
Finding: Service AT/FP programs must be adequately manned and funded to support threat and physical vulnerability assessments of ports, airfields and inland movement routes that may be used by transiting forces
This goes right back to two recurring points - Know your environment and know what you are protecting. Sun Tzu said it like this (depending on the translation you read), "Know yourself and know your enemy; fight 100 battles have 100 victories. Know yourself and not your enemy; fight 100 battles have 50 victories. Know your enemy and not yourself; fight 100 battles have 50 victories." Get the point? The idea has been around for some time. So conduct Risk Assessments that include a view of the Assets, the Threats, and the Vulnerabilities - and keep them current over the years. A week old report is dated if it was conducted before an additional 100 employees are moved into your facility along with all their activities. So keep organizational plans in the mix as well.
Finding: The Geographic Commander in Chief should have the sole authority for assigning the threat level for a country within his area of responsibility
This applies in a couple of different ways here, but mostly a local security manager should be empowered (including being properly trained, mentored, guided, advised, and evaluated to be effective) to affect the protective posture of their site, location, facility, or area of responsibility. In an executive detail there is a fine line between the boss (principal/protectee) being in-charge and the protector. This is a very, very fine line that affects credibility when crossed one too many times. When the threat is identified then the principal's behavior must alter - this could mean many different things with the most extreme of which is being led by their security detail away to a safe location. In terms of a commercial facility it may simply be not allowing access through auxiliary doors and conducting a 100% ID check at the approved access point, or deploying counter surveillance folks into the parking lot/traveled way to observe those paying attention to the facility. This capability must reside at the lowest reasonable level to ensure timely preparation.
Finding: We need to shift transiting units from an entirely reactive posture to a posture that more effectively deters terrorist attacks
Here we are again with deterrence. Let the bad guys know that you mean business. In a retail setting this means signs, awareness programs, and making sure employees and customers know that security is involved. This does not mean that any shoplifter that is caught should be dragged by their hair through the store - don't forget the professional image. Roman soldiers were known for their discipline - they were feared because this discipline was unwavering - not so much because they were individually so ferocious. I once heard a quote from a friend that he claimed to have read (and I don't doubt him) concerning the Roman Army - "Ten disciplined soldiers are worth 100 warriors." Deterrence can be found in the effect of professional discipline and a willingness to act in concert. Consider the being the first barbarian commander to see the Romans employ the Greek technique of the tortoise formation with shields interlocked in front and overhead as they advanced - with each fallen soldier being immediately replaced by another. Now consider how your adversary may respond to a similar level of discipline and determination. Deterrence works at all levels from the initial appearance to the presentation of the response.
Finding: In-transit units require intelligence support tailored to the terrorist threat in their immediate area of operations. This support must be dedicated from a higher echelon (tailored production and analysis)
Intelligence - one of my favorites. Know your environment and how your adversary operates - but remember that this changes with very subtle geographic (and cultural) differences. Focus your intel efforts. What? You say you're a company and can't conduct collections. Hogwash! Get out and talk to people, but more importantly LISTEN to them and anyone around you. Search online; what you find may not be local but it also may provide context or a new mode, method, or technique you were unaware of - and it takes a professional to take this extra step. In retail this means going out into the mall or local community and watching, listening and talking with your peers. Stay within the law but collect.
Finding: Service counterintelligence programs are integral to force protection and must be adequately manned and funded to meet the dynamic demands of supporting in-transit forces
This is back to knowing your adversary or more accurately what they know or are trying to learn about you. Know your own "covert channels" (try here, or here for information). Who's watching you, your people, and so on. Again, at the very least, just listen to those around you, other employees, your industry peers, the news; just listen.
Finding: Service Level II AT/FP Training must produce a force protection officer capable of supervising unit training and acting as the subject matter expert for the commander in transit
This says so much. What do you know about security officer, security supervisor, or security manager training? Training is essential. If you are not taking every opportunity to train, improve, train, improve, train, and improve your protection team then shame on you. The military is generally really great for this mindset. Once again we should revisit Patton's thoughts on this, "A gallon of sweat in training is better than a pint of blood in battle." Or as presented in one of Marcinko's books, "Train hard, fight easy!" Although enough may be said about training - enough is rarely done about training.
Just a few comments on what every security professional/practitioner can learn from a tragic event.
Now take another few minutes and ask yourself what it is you, as a security professional (or just someone interested in security), can learn from this unfortunate event. For I'll start with the Cole Commission Report and work from that since we can all make unsubstantiated comments until the cows come home. Nothing beats information that can be sourced and, regardless of what you might think of commission reports, they generally do include some analysis of the facts surrounding the event.
I'll just take a few of the findings from the commission and equate them to the life of today's security manager or director. I'm sure there are other findings that can be used here, but these will suffice.
Disclaimer: All comments below are intended to relate the findings of the report to day-to-day security concerns - tending toward the commercial sector. In no way am I commenting on the performance of individuals involved or activities that affected the USS Cole.
Finding: Better force protection is achieved if forces in transit are trained to demonstrate preparedness to deter acts of terrorism
Deterrence works! Realistically it does not ALWAYS work, but then that's why a good security program goes beyond this one layer. Presenting a formidable (read: professional, well-trained, and prepared) image absolutely works in your favor. It discourages the casual nuisance and makes the committed plan more thoroughly - which means more time [the value of which we'll discuss further on], more tools and expertise (and probably money as well). Time, tools, expertise, and money are all commodities. To quote an old teacher, Dr. Kobetz, "Time is on no one's side. It is a commodity. You must decide how you will use it." I think we all familiar with the limitations on tools, expertise and money in preparing an attack.
Finding: Service AT/FP programs must be adequately manned and funded to support threat and physical vulnerability assessments of ports, airfields and inland movement routes that may be used by transiting forces
This goes right back to two recurring points - Know your environment and know what you are protecting. Sun Tzu said it like this (depending on the translation you read), "Know yourself and know your enemy; fight 100 battles have 100 victories. Know yourself and not your enemy; fight 100 battles have 50 victories. Know your enemy and not yourself; fight 100 battles have 50 victories." Get the point? The idea has been around for some time. So conduct Risk Assessments that include a view of the Assets, the Threats, and the Vulnerabilities - and keep them current over the years. A week old report is dated if it was conducted before an additional 100 employees are moved into your facility along with all their activities. So keep organizational plans in the mix as well.
Finding: The Geographic Commander in Chief should have the sole authority for assigning the threat level for a country within his area of responsibility
This applies in a couple of different ways here, but mostly a local security manager should be empowered (including being properly trained, mentored, guided, advised, and evaluated to be effective) to affect the protective posture of their site, location, facility, or area of responsibility. In an executive detail there is a fine line between the boss (principal/protectee) being in-charge and the protector. This is a very, very fine line that affects credibility when crossed one too many times. When the threat is identified then the principal's behavior must alter - this could mean many different things with the most extreme of which is being led by their security detail away to a safe location. In terms of a commercial facility it may simply be not allowing access through auxiliary doors and conducting a 100% ID check at the approved access point, or deploying counter surveillance folks into the parking lot/traveled way to observe those paying attention to the facility. This capability must reside at the lowest reasonable level to ensure timely preparation.
Finding: We need to shift transiting units from an entirely reactive posture to a posture that more effectively deters terrorist attacks
Here we are again with deterrence. Let the bad guys know that you mean business. In a retail setting this means signs, awareness programs, and making sure employees and customers know that security is involved. This does not mean that any shoplifter that is caught should be dragged by their hair through the store - don't forget the professional image. Roman soldiers were known for their discipline - they were feared because this discipline was unwavering - not so much because they were individually so ferocious. I once heard a quote from a friend that he claimed to have read (and I don't doubt him) concerning the Roman Army - "Ten disciplined soldiers are worth 100 warriors." Deterrence can be found in the effect of professional discipline and a willingness to act in concert. Consider the being the first barbarian commander to see the Romans employ the Greek technique of the tortoise formation with shields interlocked in front and overhead as they advanced - with each fallen soldier being immediately replaced by another. Now consider how your adversary may respond to a similar level of discipline and determination. Deterrence works at all levels from the initial appearance to the presentation of the response.
Finding: In-transit units require intelligence support tailored to the terrorist threat in their immediate area of operations. This support must be dedicated from a higher echelon (tailored production and analysis)
Intelligence - one of my favorites. Know your environment and how your adversary operates - but remember that this changes with very subtle geographic (and cultural) differences. Focus your intel efforts. What? You say you're a company and can't conduct collections. Hogwash! Get out and talk to people, but more importantly LISTEN to them and anyone around you. Search online; what you find may not be local but it also may provide context or a new mode, method, or technique you were unaware of - and it takes a professional to take this extra step. In retail this means going out into the mall or local community and watching, listening and talking with your peers. Stay within the law but collect.
Finding: Service counterintelligence programs are integral to force protection and must be adequately manned and funded to meet the dynamic demands of supporting in-transit forces
This is back to knowing your adversary or more accurately what they know or are trying to learn about you. Know your own "covert channels" (try here, or here for information). Who's watching you, your people, and so on. Again, at the very least, just listen to those around you, other employees, your industry peers, the news; just listen.
Finding: Service Level II AT/FP Training must produce a force protection officer capable of supervising unit training and acting as the subject matter expert for the commander in transit
This says so much. What do you know about security officer, security supervisor, or security manager training? Training is essential. If you are not taking every opportunity to train, improve, train, improve, train, and improve your protection team then shame on you. The military is generally really great for this mindset. Once again we should revisit Patton's thoughts on this, "A gallon of sweat in training is better than a pint of blood in battle." Or as presented in one of Marcinko's books, "Train hard, fight easy!" Although enough may be said about training - enough is rarely done about training.
Just a few comments on what every security professional/practitioner can learn from a tragic event.
Monday, October 10, 2005
Dangerous persons - "One for you - two for me"
And a couple of quick words on employing - or allowing to volunteer - persons with violent backgrounds. Who's at risk, who's responsible, and maybe some ideas for managing the issue.
There is a great deal of discussion on the value of background checks (which typically just amount to a local criminal records check) on potential employees. Well, I'll here to say that there is a great deal more to this topic - for so many reasons. At their root, though, is how your organization looks to its stakeholders. That would be the congregants, potential congregants, surrounding communities, trustees, clergy, and any affiliated institutions (schools, other churches within a denomination, etc.). How these individuals perceive your organization - church, synagogue, mosque, temple, sanctuary, coven, or any other title used - will impact many things. Will membership or attendance grow, will members leave, will the community (and the press) look favorably on you should something happen? Ok, so there are lots of people to keep happy or at least calm, but we are leaving out another category of constituents - the victims. As we've all seen on the news concerning the Catholic Church's unfortunate sex scandals, we will be held accountable to make the victim whole again (or at least try too - see this article on a quick resolution).
With all that said, we can make a concerted effort to eliminate one class of constituent - you got it - the victims. And, we can use the same Deter, Detect, Delay, Deny concept of security. We deter would be miscreants by making it known that we screen all applicants (and the includes volunteers). I had a professor that owned a security firm and used to call to a room of applicants, "We'll start the polygraphs in five minutes," only to find the room nearly empty in half that time. As humorous as this maybe it is also very sad... It shows that far too many wolves attempt to infiltrate the ranks of the sheepdogs. None-the-less making it clear that these backgrounds will be conducted is a useful pre-screening tool. Are they expensive? Not all pre-screening tools/services are the same, but try and find one and multiply it by say 200 and see if it has reached amount of one significant lawsuit (plus legal fees, lost wages, lost revenue/donations, and lost TRUST). From my own experience this doubtful, even at almost $150 each - and you most certainly can find a solution for less. Need help or don't believe me then call and we'll get you the right solution provider.
So we've publicized that we pre-screen, but what do we check for? This is where price comes in - sort of. Start with the local criminal record check, sex offender registries, and heck throw in a Google search for good measure. If the person is performing community service then there should be a way to inquire through official channels as the why they were sentenced to this service. Someone doing this for a Shoplifting charge should not be left alone in say a thrift store. Again, we don't want to set anyone up to fail - do we?
Besides criminal checks, it may be worthwhile in some cases to do civil records, bankruptcy/public filings, and so on. The civil records can be useful for the odd instance when someone is sued for theft, but not criminally charged, or domestic violence (battery), or similar instances where the victim chose a route other than criminal charges.
Incidentally, pre-screening efforts would fall under the Detect segment of the paradigm.
For more information on what is available in background investigations - see this article by Joe Labrozzi.
We'll continue on next with a look at delay and deny.
There is a great deal of discussion on the value of background checks (which typically just amount to a local criminal records check) on potential employees. Well, I'll here to say that there is a great deal more to this topic - for so many reasons. At their root, though, is how your organization looks to its stakeholders. That would be the congregants, potential congregants, surrounding communities, trustees, clergy, and any affiliated institutions (schools, other churches within a denomination, etc.). How these individuals perceive your organization - church, synagogue, mosque, temple, sanctuary, coven, or any other title used - will impact many things. Will membership or attendance grow, will members leave, will the community (and the press) look favorably on you should something happen? Ok, so there are lots of people to keep happy or at least calm, but we are leaving out another category of constituents - the victims. As we've all seen on the news concerning the Catholic Church's unfortunate sex scandals, we will be held accountable to make the victim whole again (or at least try too - see this article on a quick resolution).
With all that said, we can make a concerted effort to eliminate one class of constituent - you got it - the victims. And, we can use the same Deter, Detect, Delay, Deny concept of security. We deter would be miscreants by making it known that we screen all applicants (and the includes volunteers). I had a professor that owned a security firm and used to call to a room of applicants, "We'll start the polygraphs in five minutes," only to find the room nearly empty in half that time. As humorous as this maybe it is also very sad... It shows that far too many wolves attempt to infiltrate the ranks of the sheepdogs. None-the-less making it clear that these backgrounds will be conducted is a useful pre-screening tool. Are they expensive? Not all pre-screening tools/services are the same, but try and find one and multiply it by say 200 and see if it has reached amount of one significant lawsuit (plus legal fees, lost wages, lost revenue/donations, and lost TRUST). From my own experience this doubtful, even at almost $150 each - and you most certainly can find a solution for less. Need help or don't believe me then call and we'll get you the right solution provider.
So we've publicized that we pre-screen, but what do we check for? This is where price comes in - sort of. Start with the local criminal record check, sex offender registries, and heck throw in a Google search for good measure. If the person is performing community service then there should be a way to inquire through official channels as the why they were sentenced to this service. Someone doing this for a Shoplifting charge should not be left alone in say a thrift store. Again, we don't want to set anyone up to fail - do we?
Besides criminal checks, it may be worthwhile in some cases to do civil records, bankruptcy/public filings, and so on. The civil records can be useful for the odd instance when someone is sued for theft, but not criminally charged, or domestic violence (battery), or similar instances where the victim chose a route other than criminal charges.
Incidentally, pre-screening efforts would fall under the Detect segment of the paradigm.
For more information on what is available in background investigations - see this article by Joe Labrozzi.
We'll continue on next with a look at delay and deny.
Wednesday, October 5, 2005
Home care providers and workplace violence
Here's an interesting topic that came up today: Security in home service industries. You know house cleaning services, home healthcare, and all the other services that involve someone being sent to a home to assist the homeowner.
Here are a couple of quick resources on the topic: book, article, article, article, article, government publication, another government publication, and there are more available on the web.
As far as security goes on these topics it's just a tad more complicated than usual. Not only is it important to vet your own employees so that they (hopefully) will not victimize your clients, but it's also important to vet your clients. Oh yah, that's right - the client should be checked. Why? Well it's like this. You are sending an employee to a "work site" and if that site is not safe then you have sent your employee into an unsafe environment... Potentially this could be construed to mean that - assuming the employer made no effort to determine the site's level of danger - the employer is responsible for placing the employee in harm's way. And what a costly oversight it could be and not just in dollars. Employee mistrust of management, lowered morale, uncertainty, and all those emotions that come when one feels that they have been betrayed by a superior. Enough doom and gloom!
What are some steps that can get in front of this potential problem? First, make sure your employees know that a site could include danger. Now we all know that danger could be around the next corner, but simply reminding someone that it could be there does two things. One, it means that you, the employer, has acknowledged the problem and want your employee to be safe, and two it puts the employee on guard - even just a little - which actually makes them better able to avoid the danger. Hand-in-hand with that is to develop organizational procedures for dealing with the issue. What does an employee have to do to refuse service? If the client has immediate medical needs then how will these be met so as not to endanger them, and possibly breach the contract. This might be referring the issue to emergency services personnel (calling an ambulance), sending an extra employee, maintaining phone contact throughout the visit, or whatever is most appropriate. Having a range of choices or escalating options is very appropriate for managing risks - it also lends itself better to profitability than a one-size fits all system.
It should be a given that an interview is conducted to determine the needs of the client, but consider including questions that answer to the needs of the caregiver. Who else has a key to the residence? Who else might be present when care is provided? Are there firearms or hazardous materials in the residence? Sound silly or unnecessary? Heck these are the types of questions asked by Executive Protection (see this, and this) details when they conduct an advance. Why? To manage risks simple as that. Now you have better idea of the physical environment the caregiver will be in, and you've only added what, a warning, a set of procedures and a couple of questions to your client interview.
Next consider the human factor. Determine whether a sex offender is registered to the client site or a nearby residence (available on state and often county/city register websites). Should this preclude service? No, but it should move the risk level up a notch. Follow this with other research, like a criminal background or maybe a civil record search for battery lawsuits. How far should you go? Only so far as a crime is foreseeable. foreseeability is one factor used during civil litigation to determine and employer's liability (please discuss this more closely with your counsel). On another note, you did this to your employee so that the client would feel safe; doesn't your employee deserve the same consideration? (See this on background research)
A couple of quick notes on background research. First it's always best to get consent up front; however public records are public so consent is not needed - credit reports are a different issue. Beware of databases - that would be the extremely cheap searches that are generally advertised online (something like this; however I have no direct experience with this example). If you find the right vendor they will send a researcher into the courthouse to look for records - the right vendor does such bulk that it's still pretty inexpensive. Databases can be outdated or simply not updated frequently enough. Enough said there.
Here are a couple of quick resources on the topic: book, article, article, article, article, government publication, another government publication, and there are more available on the web.
As far as security goes on these topics it's just a tad more complicated than usual. Not only is it important to vet your own employees so that they (hopefully) will not victimize your clients, but it's also important to vet your clients. Oh yah, that's right - the client should be checked. Why? Well it's like this. You are sending an employee to a "work site" and if that site is not safe then you have sent your employee into an unsafe environment... Potentially this could be construed to mean that - assuming the employer made no effort to determine the site's level of danger - the employer is responsible for placing the employee in harm's way. And what a costly oversight it could be and not just in dollars. Employee mistrust of management, lowered morale, uncertainty, and all those emotions that come when one feels that they have been betrayed by a superior. Enough doom and gloom!
What are some steps that can get in front of this potential problem? First, make sure your employees know that a site could include danger. Now we all know that danger could be around the next corner, but simply reminding someone that it could be there does two things. One, it means that you, the employer, has acknowledged the problem and want your employee to be safe, and two it puts the employee on guard - even just a little - which actually makes them better able to avoid the danger. Hand-in-hand with that is to develop organizational procedures for dealing with the issue. What does an employee have to do to refuse service? If the client has immediate medical needs then how will these be met so as not to endanger them, and possibly breach the contract. This might be referring the issue to emergency services personnel (calling an ambulance), sending an extra employee, maintaining phone contact throughout the visit, or whatever is most appropriate. Having a range of choices or escalating options is very appropriate for managing risks - it also lends itself better to profitability than a one-size fits all system.
It should be a given that an interview is conducted to determine the needs of the client, but consider including questions that answer to the needs of the caregiver. Who else has a key to the residence? Who else might be present when care is provided? Are there firearms or hazardous materials in the residence? Sound silly or unnecessary? Heck these are the types of questions asked by Executive Protection (see this, and this) details when they conduct an advance. Why? To manage risks simple as that. Now you have better idea of the physical environment the caregiver will be in, and you've only added what, a warning, a set of procedures and a couple of questions to your client interview.
Next consider the human factor. Determine whether a sex offender is registered to the client site or a nearby residence (available on state and often county/city register websites). Should this preclude service? No, but it should move the risk level up a notch. Follow this with other research, like a criminal background or maybe a civil record search for battery lawsuits. How far should you go? Only so far as a crime is foreseeable. foreseeability is one factor used during civil litigation to determine and employer's liability (please discuss this more closely with your counsel). On another note, you did this to your employee so that the client would feel safe; doesn't your employee deserve the same consideration? (See this on background research)
A couple of quick notes on background research. First it's always best to get consent up front; however public records are public so consent is not needed - credit reports are a different issue. Beware of databases - that would be the extremely cheap searches that are generally advertised online (something like this; however I have no direct experience with this example). If you find the right vendor they will send a researcher into the courthouse to look for records - the right vendor does such bulk that it's still pretty inexpensive. Databases can be outdated or simply not updated frequently enough. Enough said there.
Cash Controls - "One for you - two for me"
And we're carrying on with concerns of mentally disabled and thieving individuals working in religious institution (it's not just churches anymore) food service operations - but it does apply to their thrift stores or anywhere else cash may be handled.
Here's a down and dirty look at cash controls and that includes any monetary instrument including checks, store script/gift certificates, and so on.
In any cash management system there are at least two places from which to reconcile your activities - when the cash is received and when it gets into your account. In some cases the 'receiving' part is a little more vague and uncontrolled - like offering plates - but for now we'll stick to this assumption. The problem isn't whether the money makes it from point A (receiving the money) to point B (arrival in the account), but what happens to it in between. The real problem is how the funds are transferred between parties at different points in the process. (If you're skilled with flowcharts then they can be very handy at this point.) In other words, it's the transfers between parties and the processing done between transfers that create the problem. Common sense, you say? Maybe so, but it's amazing how often a very simple procedure could have prevented an enormous loss - and the accompanying embarrassment, loss of face, distrust, anger, and the rest that comes from a betrayal!
In short, each transfer of cash should include the active participation of two persons. Each party is then responsible for verifying what is transferred. Documenting this is also useful for many reasons and the documentation typically includes the signatures of both parties (date and time, etc.). If the receiving party is unable to verify the total in the presence of the transmitting party then there should be two persons in the receiving party that verify it. This is based on an assumption (sometimes incorrectly - but that's another discussion) that it's harder for two persons to collude on a crime than for one person to commit it alone... So then if we have a loss we are able to see that the proper funds are transferred from party to party until an incorrect amount of funds are transferred. So easy - when done properly - and having clear (and enforced) procedures for transfers goes a long way to preventing losses. Why is prevention better? Especially here? First, proving larceny or embezzlement often requires an admission by the thief - which may not be difficult for an experienced interviewer/interrogator (see Chris' article here, and this website, and this website for more information on interviews) but what house of worship wants to employ these methods? (I think they all should because it's effective and, if done properly, helps the organization make a meaningful loss recovery and aids the thief because they get the feeling of a clear conscience - they don't call it a confession for nothing) Also law enforcement is generally too busy to get deeply involved in an internal loss - it's a property crime, time consuming, and is many times not seen as "real crime," and it costs money to go through an investigation. That means more loss! So prevention, prevention, prevention.
The next concern is what is done between transfers - the processing. Whatever processing that should be done to funds including counting, recording, packaging, and deposit preparation should have clear (and enforced) procedures. It is always preferable that any handling of funds is done under "dual control." This involves two (dual) people that verify each other's work to ensure accuracy. The purpose of dual control is to avoid errors; however a byproduct is an significant decrease in opportunities for theft. Their activities should also be documented - preferably with their signatures.
That is the short form on cash control... I didn't mention issues concerning the verification that it was received in the first place but we can save that for another time. This opens a whole other can of worms since you must now determine whether items were accounted for at the point of sale/transfer and so on... Enough for now.
Here's a down and dirty look at cash controls and that includes any monetary instrument including checks, store script/gift certificates, and so on.
In any cash management system there are at least two places from which to reconcile your activities - when the cash is received and when it gets into your account. In some cases the 'receiving' part is a little more vague and uncontrolled - like offering plates - but for now we'll stick to this assumption. The problem isn't whether the money makes it from point A (receiving the money) to point B (arrival in the account), but what happens to it in between. The real problem is how the funds are transferred between parties at different points in the process. (If you're skilled with flowcharts then they can be very handy at this point.) In other words, it's the transfers between parties and the processing done between transfers that create the problem. Common sense, you say? Maybe so, but it's amazing how often a very simple procedure could have prevented an enormous loss - and the accompanying embarrassment, loss of face, distrust, anger, and the rest that comes from a betrayal!
In short, each transfer of cash should include the active participation of two persons. Each party is then responsible for verifying what is transferred. Documenting this is also useful for many reasons and the documentation typically includes the signatures of both parties (date and time, etc.). If the receiving party is unable to verify the total in the presence of the transmitting party then there should be two persons in the receiving party that verify it. This is based on an assumption (sometimes incorrectly - but that's another discussion) that it's harder for two persons to collude on a crime than for one person to commit it alone... So then if we have a loss we are able to see that the proper funds are transferred from party to party until an incorrect amount of funds are transferred. So easy - when done properly - and having clear (and enforced) procedures for transfers goes a long way to preventing losses. Why is prevention better? Especially here? First, proving larceny or embezzlement often requires an admission by the thief - which may not be difficult for an experienced interviewer/interrogator (see Chris' article here, and this website, and this website for more information on interviews) but what house of worship wants to employ these methods? (I think they all should because it's effective and, if done properly, helps the organization make a meaningful loss recovery and aids the thief because they get the feeling of a clear conscience - they don't call it a confession for nothing) Also law enforcement is generally too busy to get deeply involved in an internal loss - it's a property crime, time consuming, and is many times not seen as "real crime," and it costs money to go through an investigation. That means more loss! So prevention, prevention, prevention.
The next concern is what is done between transfers - the processing. Whatever processing that should be done to funds including counting, recording, packaging, and deposit preparation should have clear (and enforced) procedures. It is always preferable that any handling of funds is done under "dual control." This involves two (dual) people that verify each other's work to ensure accuracy. The purpose of dual control is to avoid errors; however a byproduct is an significant decrease in opportunities for theft. Their activities should also be documented - preferably with their signatures.
That is the short form on cash control... I didn't mention issues concerning the verification that it was received in the first place but we can save that for another time. This opens a whole other can of worms since you must now determine whether items were accounted for at the point of sale/transfer and so on... Enough for now.
Monday, October 3, 2005
New Training Program!!!
The International Foundation for Protection Officers has just released a new training program: Crime and Loss Investigations. This isn't just for security officers either! It can be of great use to anyone responsible for managing losses.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
New training program!!!
The International Foundation for Protection Officers has just released a new training program: Crime and Loss Investigations. This isn't just for security officers either! It can be of great use to anyone responsible for managing losses.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
In addition to a textbook this program also uses a few online papers as a supplement. Take a look.
I was lucky enough to have been able to get an article on intelligence operations into the training program.
But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.
And another one on Interviewing - the lifeblood of retail loss prevention investigations.
It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.
Controls and process management
This will just be a quick post to discuss what I mean when I talk about controls - as they pertain to process management.
Security in the retail sector historically counted on catching the shoplifter; however this is not the most effective means for controlling losses. Another example is having someone that counts the offering plate collections arrested after they embezzle some cash. It's just not effective and it means that you have lost it - and you probably won't get it back. So what is more effective?
Take the shoplifting example. In our instance our thief takes several items into the fitting room where they conceal some within their personal bags. Maybe the loss prevention team is allowed to make fitting room stops, or maybe not. Either way the crime must be committed first. How many will be able to do this without attracting enough surveillance to be stopped (legally)? Far too few compared with the thieves successes. Now how about a fitting room attendant? When the thief enters the fitting room area the attendant counts the garments and provides the thief with a numbered placard that corresponds to the number of garments. When they come out the process is reversed... Voila' magic does not happen in the fitting room and nothing disappears - this time. It's not a foolproof system but it's good enough for this example. If even half the thieves are stopped in this manner it is still more effective that trying catch them after they conceal something.
Back to the offering plate... We have a long-term member of the congregation counting the money and one day someone realizes that all of it didn't make it into the church's accounts. It's a crime, yes, but now an investigation must take place - which costs money - and even if they admit to the theft the cash is probably gone - POOF - into thin air. Now what if we were to have two persons count the money together? Maybe then they could keep each other honest. What you say? They'll just steal some other way! Maybe so, but we can always add controls so that thefts become more visible more rapidly. This is much more cost effective in the long run.
So that is what is meant by controls. Procedures and devices put in place to enforce policies. Our policy says all the funds must make it into the organizational account, so we make it difficult to do otherwise.
Security in the retail sector historically counted on catching the shoplifter; however this is not the most effective means for controlling losses. Another example is having someone that counts the offering plate collections arrested after they embezzle some cash. It's just not effective and it means that you have lost it - and you probably won't get it back. So what is more effective?
Take the shoplifting example. In our instance our thief takes several items into the fitting room where they conceal some within their personal bags. Maybe the loss prevention team is allowed to make fitting room stops, or maybe not. Either way the crime must be committed first. How many will be able to do this without attracting enough surveillance to be stopped (legally)? Far too few compared with the thieves successes. Now how about a fitting room attendant? When the thief enters the fitting room area the attendant counts the garments and provides the thief with a numbered placard that corresponds to the number of garments. When they come out the process is reversed... Voila' magic does not happen in the fitting room and nothing disappears - this time. It's not a foolproof system but it's good enough for this example. If even half the thieves are stopped in this manner it is still more effective that trying catch them after they conceal something.
Back to the offering plate... We have a long-term member of the congregation counting the money and one day someone realizes that all of it didn't make it into the church's accounts. It's a crime, yes, but now an investigation must take place - which costs money - and even if they admit to the theft the cash is probably gone - POOF - into thin air. Now what if we were to have two persons count the money together? Maybe then they could keep each other honest. What you say? They'll just steal some other way! Maybe so, but we can always add controls so that thefts become more visible more rapidly. This is much more cost effective in the long run.
So that is what is meant by controls. Procedures and devices put in place to enforce policies. Our policy says all the funds must make it into the organizational account, so we make it difficult to do otherwise.
One for you - Two for me
Here's a couple of questions from back in August's Embezzlement piece:
When using volunteers or food service firms there is some concern over the screening of persons who have access to cash. Some of the food service firms employ disabled (mentally) persons as well as those on parole. What are some controls that can be implemented?
Houses of Worship routinely operate food services for the poor or economically disadvantaged as well as thrift stores and other types of activities that may or may not involve monetary remuneration for the service. For instance, in some cases persons on government assistance may be given the opportunity to select one or more pieces of clothing from a thrift store each month - a shopping trip for those who cannot afford it.
I think there are really two very broad questions: one concerning cash controls and another concerning liability from employing potentially dangerous persons (or allowing them to volunteer). These are distinct issues with different tools to manage them. We'll break these down into separate blog posts. First we'll discuss an overview of the problems and controls; then we'll look at cash controls followed by managing dangerous persons.
When using volunteers or food service firms there is some concern over the screening of persons who have access to cash. Some of the food service firms employ disabled (mentally) persons as well as those on parole. What are some controls that can be implemented?
Houses of Worship routinely operate food services for the poor or economically disadvantaged as well as thrift stores and other types of activities that may or may not involve monetary remuneration for the service. For instance, in some cases persons on government assistance may be given the opportunity to select one or more pieces of clothing from a thrift store each month - a shopping trip for those who cannot afford it.
I think there are really two very broad questions: one concerning cash controls and another concerning liability from employing potentially dangerous persons (or allowing them to volunteer). These are distinct issues with different tools to manage them. We'll break these down into separate blog posts. First we'll discuss an overview of the problems and controls; then we'll look at cash controls followed by managing dangerous persons.
Subscribe to:
Posts (Atom)