Protecting Your House of Worship

What's wrong with this?

2007-05-12T21:18:00.000-07:00

Or, maybe the title should have been is this the best way to deal with the problem. This news story from North Carolina brings up a couple of key points in a just a few lines.

First the problem is on-going and not a single loss event.
"An uptown church is shutting its doors more often after a recent rash of robberies."
Ok good, at least we know they aren't making knee-jerk reactions and spending money for just one loss event. Sadly in many instances, and it sure as heck isn't limited to houses of worship, organizations get a little nuts after some event and jump through hoops to make themselves feel better - or that they are safe again. This is not to say that after each and every loss event there shouldn't be a review to improve security planning; it just means that this review need not always result in more spending.

Second, there is a societal fixation on cameras.
"The church plans to buy newer, better security cameras"
Does anyone out there still believe that closed-circuit television cameras (CCTV, aka security cameras) deter any crime? Maybe they do, a little, but if they were effective at it then we might not see so many videos of crime on the news. Consider this, cameras offer a tools for following up, or investigating, activities after they occur. Now this is indeed a very important tool and one that should not be overlooked. Unless someone is monitoring the CCTV system there will be no immediate response to a wrongful act.
So third, just installing better cameras will not likely reduce the number of incidents that occur, unless they are being committed by a select few individuals who, once apprehended, are not able to continue. If not, the losses will continue and the police will more arrests - AND the organization will continue to lose valuable assets. CCTV systems, in a traditional sense, create a nice record of what happened but they are not effective at facilitating the intervention necessary to stop the event.

Look, I'm not saying they shouldn't upgrade their CCTV system. What I am saying is, "hey, let's look into how we might be able to prevent these events from happening in the first place." Maybe, just maybe, catching one of these thieves in the act and counseling them might result in a much better outcome than just having them arrested at some later time.

So how could we prevent it from happening??? I think in the next I might discuss some newer tools - and some old tools.

Fresh start - in more ways than one

2007-05-12T21:04:00.000-07:00

Clearly I haven't been posting any information to this blog in quite some time, and for good reasons... Today, however, signals a fresh start for the blog counter for another really good reason. I just learned that Sitemeter had started installing ad cookies on its member sites. So I've moved to a new counter service, and I figured I'd take this time to go ahead and start over - with the counter and with new posts.

Also, some of you may know that I've stopped consulting full-time and returned to the world of "doing" security. I know, I know. You're asking why anyone would do that; give up the cushy hours, the fun travel, eh, you get the point. Suffice it to say it was just time to go ahead and get back into the game.

Stay tuned. More to come (hopefully more regularly)

See this on wireless alarm systems

2007-02-01T00:31:00.000-08:00

Wireless alarm systems are a real option especially when retrofitting a building. Wireless devices save money and time that is consumed trying to drag wire throughout a facility that is already built.

A short note on landscaping

2006-10-17T07:29:00.000-07:00

Landscaping can be an indispensable tool for security, not to mention how much better it can make any building look. For security it can provide some very real benefits, and I'm not talking about those "tips" for home protection like placing thorny bushes around windows (which works or doesn't depending on who you consult).

So here are a few basics for incorporating security functions into your landscaping.

The most important bit has to do with Natural Surveillance, or making sure that everyone is able to see the goings on in a given area. To do this keep shrubs relatively low, particularly closer to the building, to reduce potential areas of concealment. Then keep trees high, or "canopy" them, with the lowest branches somewhere above five feet (six is event better). There reason for adjusting the trees is to highlight the silhouette of a person standing near it. The head is one of the most identifiable features on a human silhouette. This coupled with improved lighting makes it much harder for someone to conceal themselves around a building.

From there is becomes possible to use landscaping for "wayfinding" or assisting persons to remain on the proper path. Shrubs and trees can help guide people without the use of fencing, bollards or chains. It looks nicer, costs less over time, and can be just as effective. For instance, if folks like to "cut across" the lawn on their way to a nearby attraction then a row of shrubs can help deter this behavior. Again the shrubs can be kept relatively low and the height can be compensated with depth. While it might be easy to just over an 18" high row of shrubs, it is much more difficult to do the same for a row that is, say, four or five feet deep. Different types of shrubs can add color and texture for visual appeal while making it uncomfortable to force passage. Some shrubs are particularly adept had creating a sort of "tanglefoot" entrapment that is difficult (or even treacherous) and uncomfortable to pass through. Here again, lighting can help enhance the shrubbery by lighting the path around the plants to further assist in guiding individuals.

There. A couple of quick thoughts on the uses of landscaping in security.

Managing vandalism - Part II: an alternate approach

2006-10-11T06:17:00.000-07:00

Although it may be well past the original event discussed in this series of postings, vandalism to Houses of Worship continues unabated throughout the world. This article is a bit more recent but similar acts occur nearly every day (or night depending on how you look at it).

I have received much feedback from some very vocal peers with a different view on how to respond to such vandalism. Their approach is certainly valid and is, and has been, used many times in many communities - successfully. So here is an alternate response:

As discussed in the previous post you must do a little leg work in advance, but if you don't you will simply have to do it on the fly afterwards. Get a feel for how long it may take to discover vandalism. Keep in mind that I am speaking of prominent vandalism not so much something small in an out of the way place. I mean the sensational stuff that the passing public will see. Will you be aware of it in an hour, a day, or longer?

Then discuss with your local law enforcement what steps they will take once the event is reported. Build your actions around their response. It's just easier that way. Given that your organization is probably a little more agile than the local government (but not always).

The real divergence in this alternate approach is when the vandalism is removed. In this scenario, rather than hiding the damage, covering it up, cleaning in expeditiously, it is used for public relations and awareness.

Organize a press conference with the local media. Include whichever partners may be most appropriate: the local police chief, prosecutor, mayor, or council members. The press conference becomes a time to speak out say that you are not afraid or ashamed. And to discuss how long the vandalism will remain as a symbol of defiance. Follow-up coverage should be arranged with local media to keep this thought fresh in the public mind and additional awareness activities may be planned as well.

Regardless of which approach might be used, or any method for that matter, it is without a doubt important to plan your actions. Even if this planning is done for just a few minutes after an event. Take the time to think through your actions. What is it you wish to accomplish and why. Then act accordingly with those goals. A few minutes of preparation can prevent embarrassment, annoyance, and further hurt from the event.

Good luck.

Managing vandalism - Part II (The Response)

2006-01-11T09:08:00.000-08:00

Let's continue on and briefly discuss responding to vandalism and managing the successful attack. Once again, this has been spurred by this recent article about events near my home revisits just how hard it can be to prevent and manage vandalism.

Once a vandal, or vandals, have successfully attacked your facility what do you do? How long will it be before it is discovered and reported? What will the police want to do and how long will it take?

First make sure that you conduct some sort of liaison with your community police officer (by whatever name this position goes by in your local department) and learn how they will respond along with a "scientifically estimated wild guess" about how long their process will take to process the crime scene. Why? Because you want the greatest amount of time to reverse the efforts of the vandal before the general public gets a glimpse. Why? Because this has two effects: one it negates the effort of the bad guy and is a symbol of defiance, and two it helps to prevent any negative press that may come from the attack. What I mean by that is the willingness of the media - and this is not an attack on their activities - to begin digging and reporting on hate groups; and possibly giving them "face time" or printing their views. Why should your loss contribute to the publicity of those that work to destroy your organization.

With that said a quick step back to the previous post... You should create the opportunity to, if not prevent the attack, identify it as early as possible - so maybe patrols every two or three hours after nightfall. This might provide a large enough window to eliminate the value of the attack. This may further work as a deterrent to future efforts because they just didn't get anything out of their efforts - which may be referred to as a "benefit denial" strategy.

But let's assume that the attack has been discovered and the police notified. What should you do? First secure the scene. Keep everyone away from anything that may have value, like footprints, trash in trash cans, tire tracks, glass shards, and so on. It's perfectly acceptable, and in my opinion essential, to begin taking pictures now and keep taking them until the clean up it complete. This is useful for insurance purposes and for documenting the effort necessary to clean up the attack. Some of these may be useful when giving presentations to the local government and petition for better policing (manpower increases, enhanced patrols, etc.) or in developing anti-hate programs. You just can't go wrong with the pictures. I'd also encourage anyone to treat these like evidence and control the camera, any picture or film processing, and the pictures themselves. Also keep the rolls of film "clean" or don't mix pictures of none related activities with the attack.

Now that the police are gone you have to get rid of the mess. The purpose of this is to reduce the value that the attacker's efforts, not because of shame or other internal concerns. This is important to communicate to your members. You must not be ashamed - you did not commit the attack, you did not ask to have it committed. Cleaning up becomes an act of defiance. It is an act that is imminently more efficient if you have materials on-hand. Keep paint, sanders and sandpaper, boards for windows, tools, and the like availabe in moderate supply. More can be obtained on relatively short notice, but you should have enough to get started.

Determine in advance how you will respond to media inquiries for vandalism, then tailor your plan accordingly. Do you denounce the action, express forgiveness, seek punishment... Decide in advance when the emotions are not quite as strong. This first message after an attack may be crucial to how your congregation is portrayed in the media and in the community.

Just one last word... The goal is to prevent and not respond, but make sure that your response is planned in advance. Emotions can cause kneejerk reactions that are more detrimental than helpful, so plan your response and respond with your plan.

Rob
/

Managing vandalism - Part I

2006-01-11T08:19:00.000-08:00

This recent article about events near my home revisits just how hard it can be to prevent and manage vandalism. Although the article gives no details of the attack, we really don't need to know those to discuss the difficulties with managing the potential, or continuing, threat of vandalism at any House of Worship. To better cover this topic we'll look at if from a couple of different perspectives including environmental knowledge, specific preventive and mitigative efforts, and finally the response.

We'll start a little out of order with preventing and mitigating these attacks...

Designing a plan to manage vandalism revolves around a couple of key points that rely on specific behavioral assumptions. First there must be some degree of privacy for the attackers to feel comfortable; that is comfortable that they will not be discovered, observed or caught. If they attackers do not fear discovery or capture then the entire dynamic of the management efforts must be altered. Second, there is an assumption that someone will see the fruit of the vandal's efforts. This is the psychological part of the attack. The physical damage to the facility may be annoying and expensive, but it is the specific nature of any messages left behind that causes the greatest impact.

With this in mind the greatest way to avoid much the impact is to prevent the successful completion of the attack. There may even be ways to thwart the manifestation of the threat, but we'll discuss that later in the environmental knowledge piece. Preventing a vandalism requires an effort to increase the likelihood, as well as the perception, that a vandal will be discovered and caught. This may be done a number of different ways given an ideal location with ideal conditions and we all know that each location has its own quirks and needs. As such, discovery and apprehension requires successful surveillance efforts that may be either natural or electronic. That means changing traffic patterns to ensure there is a steady flow of people that can observe activity in a specific place. I know this sounds a little silly when dealing with late night crime - even the most well illuminated locations could still be attacked simply because no one is there to see the attack. Furthermore there is an underlying assumption that those providing the natural surveillance will act on their observations - in other words that they'll care about what they are seeing. These shortcomings can be countered using electronic surveillance technologies, particularly at night or during low traffic times, and these have really come a long way in the last decade with some that are ideally suited for dealing with vandalism.

Let me preface this bit by saying that I generally discourage the purchase of equipment as a "point solution" because the cost can become onerous for any one issue, but in this case the solution has many applications besides crime loss management. Remote video monitoring. It used to be that you installed an alarm system and when it activated the police were dispatched by a central alarm monitoring station - time passed the the attack was completed - making this not much of a preventive tool. Now consider this current technology solution. The attacker approaches a "restricted" area, that may be defined as the area immediately surrounding the building, which causes a camera to become active a central monitoring station. The watch officer at the station seeing the attackers and activates a two-way intercom and reads a script that has been coordinated with the property owners. It may be something like:

"Attention! You are trespassing on private land. Your activity is being recorded and observed by live personnel. The police have been notified and are responding. Please depart immediately."

It has an amazing effect and has been used successfully at locations around the country in a variety of applications. The benefits are immense because an organization reduces the likelihood of a false alarm, which are getting expensive, and also receives the immediate interaction with the attacker. Not to mention that these systems may be tied into pretty much any alarm sensor like fire, flood, or medical assistance. Now I must admit I'm a little partial to this technology because I wrote a short paper on it while finishing my degree and it was still considered an "emerging" technology, but with that said it has real applications for this scenario. Imagine the vandal, or vandals since there is a degree of vanity and group think involved, being confronted as they prepare to committ mayhem. They just be stopped; at least stopped long enough to think about what they are about to do and the potential consequences. Besides the monetary benefit of preventing any damage, there is a real spiritual value to guiding someone away from wrongdoing rather than simply punishing them, right? Changing a thought rather than forgiving an act.

Ok, so we have natural surveillance and electronic surveillance and each can be reached differenct ways - far too numerous to cover here effectively. However, we neglected the value and method of increasing natural surveillance earlier. Natural surveillance often has the primary benefit lower cost. Let's face it, people moving around normally is, well, free. It does unfortunately breakdown when traffic is reduced. So how then can traffic be increased? Maybe by using the facility as much as possible for community events, although let me caution briefly that this creates other potential loss opportunities; or possibly security patrols can be added. This could be from a formal security service or by dedicated congregation members that will take time to check on the facility. It may also be possible to use the camera systems mentioned above on a private website with access available to congregation members. Possibly a "patrol" schedule could be created with specific members agreeing to keep an eye it. Like I said, once we get creative there just isn't enough room here for the options.

There is, at least, one other bit of technology to assit in preventing vandalism and that's vandalism resistant paint. This tool works to prevent other paints from bonding to the material permenantly. One word of caution is that the cost for materials could be as much 10x that of ordinary paint.

Here's a short article in Religious Product News on technology trends in security.

Security Technology - tools and trends

2005-11-22T11:18:00.000-08:00

Religious Product News technology issue is out and with it a short article I put together..

I know the entire basis of my security philosophy is the "Security is what you do and not what you have," and it is. However, that is not to say that technology is some sort of evil that should be shunned. What can it do for you?

Technology cannot create exceptional security. It can make exceptional security easier, apparently seamless, and less noticeable. After all, we all want better security but we don't want to tilt the "Security v. Convenience" scale too far, right?

No one wants to be inconvenienced; least of all me. I'm a bear at the airport. Why? Because that security is an illusion. I've been inconvenienced at many facilities and, as annoying as it might have been, it was effective. I remember one jewelry manufacturer out West. No one told me it was a no-metal facility so I had to conduct my survey without a belt or any other bits of personal possessions. Losing the belt was particularly difficult since I had just lost a little weight and the pants were a from before that time. Effective security makes some things bearable, but illusionary stuff is just annoying.

So once you start with a well designed security program that's built around processes and engineering the environment the technology becomes a creature comfort. It makes the other stuff easier. Now you no longer need a guard at a door to identify you (or maybe you still do). Now you no longer need to patrol your property with a quality alarm and response system (and maybe you still do).

All this article is meant to do is provide a snapshot into where technology is right now and how some of that can be of help to you and your congregation. Creating a Safe Sanctuary should make "God's House" more secure and not turn it into "God's Fortress."

Weak Assumptions + Overconfidence = Poor Security

2005-11-14T21:00:00.000-08:00

Here's an article that I found recently that illustrates an interesting point.

Security is a process; not a product. Our security is determined by what we do and how we do it much more so than what we have.

September 11th is another example - and a very painful one at that - the airport screeners were not required to identify and remove small knives. We all know what this resulted in. We failed to manage the threat, and recognize that a hijacker, or hijackers, might seek alternate methods beyond a firearm or bomb.

We must manage our threats and not simply operate equipment if we are seeking real security.

Incidentally, if anyone is offended by the article topic, I apologize, it's merely an example to illustrate a point.

Tuesday, August 30, 2005

Harry Potter and the half-assed security

In the latest Harry Potter book, we see Hogwarts implementing security precautions in order to safeguard its students and faculty.

One step that was taken was that all the students were searched Â wanded, in fact Â to detect any harmful magic. In addition, all mail coming in or out was checked for harmful magic.

In spite of these precautions, two students are nearly killed by cursed items.

One of the items was a poisoned bottle of mead, which made it onto school grounds and into a professor's office.

It turned out that packages sent from various addresses in the nearby town were not checked. The addresses were trusted, and anything received from them was considered safe. When a key person was compromised (in this case, by a mind-control spell), the trusted address was no longer trustworthy, and a gaping hole in security was created.

Of course, since everyone knew everything was checked on its way into the school, no one felt the need to take any special precautions.

The moral of the story is, inadequate security can be worse than no security at all.

The last statement is important. We failed to build appropriate countermeasures for the threat on 9/11 and the results were disasterous. When we accept that our security today is adequate for the threat tomorrow then we create opportunities for our adversaries. We must continually question our own methods, countermeasure effectiveness, and what our threats actually are, if we wish to create real security.

Enough said for now...

Veteran's Day 2005

2005-11-11T05:55:00.000-08:00

Please take a moment and consider the sacrafices over the years that have secured our blessings of liberty.

Here are a few interesting links in no particular order:

From the Department of Veteran's Affairs

From Wikipedia

Voice of America

Information from the Census Bureau

From the U.S. Army

From About.com

When surveillance may be necessary

2005-11-03T11:20:00.000-08:00

http://www.thedailyitemoflynn.com/news/view.bg?articleid=10246

http://www.thejewishadvocate.com/this_weeks_issue/news/?content_id=447

It looks like someone, or someones, may have a problem with the Jewish congregation of Chabad Lubavitch. First vandalism and then a little arson – I’d say they have a problem.

Preventing these attacks may be difficult at best since the miscreant is willing to target materials outside the facility and to increase the destructiveness of the effort. You just can’t protect everything. No doubt the doors are now locked, being the access point for the first attack, but how can you protect vehicles and other items on the outside?

Regular patrols (police, contact security, or congregation members) through the property can be both a deterrent and a method of detection. It may also be worthwhile to get in tough with a local investigator with strong surveillance capabilities to arrange surveillance of the property. It won’t be cheap but if someone does come back, and how can you expect this person to stay away, there should be video. Not just video but video that can be used to ensure a conviction.

Just a thought…..

Rob
/

Sticky fingers, or something like that anyway.

2005-11-03T11:10:00.000-08:00

http://www.nydailynews.com/front/story/359770p-306402c.html

Come on. This is pretty ridiculous.

A literally sticky-fingered bandit who used a stick and double-sided tape to fish cash out of an upper East Side church collection box was busted by a cop posing as a parishioner, authorities said yesterday.
Police believe Gilbert Alicea, 41, was ripping off the St. Vincent Ferrer Church for months before a 19th Precinct plainclothes cop nabbed him on Oct. 19, sources said.
Since the summer, Alicea spent hours at the Lexington Ave. church, kneeling in prayer and schmoozing with priests, while his female accomplice pretended to pray the rosary and act as a lookout, sources said.
When the church was relatively empty, Alicea dipped a stick with double-sided tape into the donation box slot - labeled "For the Poor" - and snared cash, authorities said.

What more can be said. It can happen to you. I’ve known individuals that could use tape and a pen to steal bills through holes not much bigger than the pen in tamper-evident bags. That would be those bags that seal up for one-time use, typically for bank deposits from commercial locations.

Since these poor boxes are generally not accounted for at the time of collection this type of theft would be relatively hard to detect. So be aware.

Rob
/

An even better Embezzlement story…

2005-11-03T11:00:00.000-08:00

http://cbs13.com/topstories/local_story_306200258.html

A fiction writer would be creative to come up with this one…

So the Pastor forged documents and sold the church without anyone knowing. Where do you start with this one?

Embezzlement – just a little more (no pun intended)

2005-11-03T10:30:00.000-08:00

http://www.gmtoday.com/news/local_stories/2005/October_05/10262005_01.asp

In a recent story out of Wisconsin a church business manager was convicted for theft from the church. Here are a couple of germane quotes from the article:

Anderson was the business manager of the church from 1986 to 2003, the last three years of which she wrote checks to herself from church coffers, a criminal complaint said.

Other documents chronicling her history showed that she received a $450,000 inheritance after her mother died in 1998, but it was gone in two years as her family’s debt mounted. Anderson and her family took annual skiing trips to Colorado and annual golfing trips to Florida, the documents showed.

There are a few key things that clearly were not done in this situation.

First, the position of Business Manager at this church clearly had too much power. There can be no argument to this when someone was able to write checks to them self from a corporate account – period. The person authorizing disbursements should not be the person that signs the check. Dual control and effective auditing is essential to all financial controls

Second, only one person was “minding the store” and that’s just unacceptable. Forget the concern about theft (only for the next sentence). Accounting errors are all too common. So having a second person review records periodically is not just to avoid theft, although it’s a great by-product of the effort, but to prevent mistakes. These mistakes can be costly. How long would it take to find out that a vendor had been overpaid? How willing are they going to be to returning funds two or three years later? I know, I know, where is their ethical obligation in this, but that’s not the point and arguments can be made all around on the whole returning money after a year or two.

Third, background checks should be done ROUTINELY on individuals in positions of trust and not just upon hiring. There is nothing wrong with asking for consent to get a credit report on an annual basis. If this feels inappropriate (and I can understand your thinking if it feels that way) then you have got to tighten your controls way down. Lots of “dual control” throughout the process to ensure that one person is not able to manipulate the entire system. And a little more on this… Everyone talks to each other in a workplace. Salaries are known (at least the general ballpark usually is) so you just have to wonder where all the money comes from and how it goes. Living beyond their means is a COMMON cause of embezzlement. Let me say that one more time. Living beyond their means should be a key indicator of employee theft. They steal, and learn a new level of comfort, and then they have to steal to support this new level. No doubt they rationalize it with the thought that they’ll pay it back but it’s still gone.

Fourth, these thefts went on for years. Where was the auditing? Were checks matched to expenses, vouchers reviewed, and so on? Not likely, but if so then their auditor is practically negligent for not raising questions about cash disbursements to employees.

If you’re unsure whether your controls are adequate then contact AP Innovations, but at least speak with someone experienced in these loss opportunities.

Rob
/

Expansile Significance - "The Tip of the Iceberg" and how solving large losses often means addressing the insignificant ones

2005-11-03T10:00:00.000-08:00

What the hell is Expansile Significance you ask? So did I, though the problem wasn’t with the term but with the fact that our industry never bothered to create one for a time honored concept. To better explain it consider combining the idea of the “tip of the iceberg” and the “Broken Window” Theory (here, here, and here, with dissenting view here).
We’ve all seen it – in one way or another. In my retail days it was not uncommon to ‘interview’ a sales associate about a minor policy violation, say ringing their own transaction or giving their discount to a friend (aka employee discount abuse). And for those familiar with interview techniques (I started with Wicklander-Zulawski – which competes with Reid and LSI) you know you approach these interviews similarly to a known loss (theft) interview anyway. So there you are going through you doing your spiel with you realize that this person has done much more than you knew – on one occasion I went from one missing gift certificate to four felony theft cases.

In the world of law enforcement, former NYC Mayor Rudi Giuliani encapsulated it with through enhanced enforcement based on the “Broken Window” Theory. You know, by showing that minor violations won’t be accepted you decrease the appearance that more serious deviance is acceptable. I don’t intend to try and prove the efficacy of NYC’s efforts now. Instead keep in mind that if a violation is the time of enforcement then it’s worth the time to do it right.

Embezzlement – or any other form of stealing from an employer – is a great example of this. It is HIGHLY unlikely that you, or any other investigator, will catch someone on their first theft. Maybe their first theft using that method; however there have probably been other losses that they have caused. I recall from my W-Z training that a thief probably will not remember every individual theft, but will remember the first act and the most recent. Then you can work out some mathematical averages to estimate the total loss (which should then be used to help identify further evidence to corroborate or support this estimate). With this in mind it is important to explore all avenues of loss in an investigation – that is if you want to try and find the most accurate estimate and maybe get some hints for improving your internal controls.

Anyway take the time to conduct investigations properly. Be thorough and don’t arbitrarily assume you have the answers. I know that in the real-world time often is the biggest constraint so at least recognize what you may be missing – and work on ways to evaluate this more efficiently.

Rob
/

You say you're unhappy with your security service providers? Here's why!

2005-10-28T12:14:00.000-07:00

I spoke with a gentleman recently that expressed some 'unhappiness' with their security service provider. And why do you think might have been? There are only two possible reasons... Here they are and how to avoid them…
First, I want to clarify a quick point of misconception. A security system is a lot of things, or it can be a lot of things, but its presence or absence does not necessarily mean an organization is secure or has security. Electro-mechanical systems require procedures in order to be effective. They work within specific parameters and everything outside those parameters must still be met by additional effort. So now what makes you unhappy with your current service provider…

As I said, there are only two reasons why you are unhappy, and both stem from not getting what you want. The first reason is that the service provider is simply not providing the service promised. The contract or service agreement is clear and concise but the vendor cannot meet their obligation. Hopefully your contract either has a non-performance (punishment) clause or if this is unsatisfactory then a means to find another vendor without penalty. The written agreement you have with your vendor should state what you can do them for non-performance; maybe a fine/refund of fees each time a specific service is not performed. Sometimes it’s just not appropriate, or dangerous, to allow this condition to continue – fine or no fine – your just aren’t getting the protection you want. In these instances it is important that your agreement have a means of escape. Unfortunately, the uninitiated tend to sign agreements with vendors (provided by the vendors in a standard format) that actually penalize them for terminating the relationship early. It really doesn’t matter how “standard” their printed service agreement is or their insistence that they cannot make alterations. It’s your service and if one vendor won’t meet your needs then another will. It’s real simple. Security is not magic – security providers and security professionals do not have wizardly abilities that make them special – and there are enough service providers that someone will do what you want the way you want it. Count on it. You just need to find them. Think of all the angry moments you’ve had because of false alarms, missed patrols, or rude service; was it worth the convenience of the vendor or to save a few bucks?

Have you figured out the other likely reason for your unhappiness? It’s tucked into the paragraph above. Your vendor is performing just as the service agreement dictates, but you as the customer entered into an agreement that is inappropriate to your needs, or maybe just your wants. And for that, there is likely to be a penalty for terminating the agreement early. This is not the vendor’s fault – it’s yours. The truth hurts, but it’s not necessarily the end. Many times these agreements can be renegotiated. Why would a vendor do such a thing? Well, hopefully they appreciate your business and want to provide service that you’ll refer to others or at least speak well of whenever the opportunity presents itself. Word of mouth business referrals can’t be beat – and every vendor knows it – because it’s free marketing.

So how then do you avoid these errors and correct them after they happen? Naturally, I’d say find a reputable security consultant to assist you. While we can certainly help you with this, so can many others, and the results will change your view of security providers. Can you do it without a consultant? Sure you can, but you’re already unhappy (or rightly interested in avoiding that heartache) so why expose yourself unnecessarily.

Here’s why it works. A salesperson for the provider is focused on making as sale and preferably getting you to fit a pre-designed format of service. Their questions are focused on getting you into this mold. Your consultant, on the other hand, is focused on your needs and wants; all industry jargon aside. These can then be translated into service requirements. It’s a subtle difference. Typically, you don’t know what these services look and feel like until you experience them, but your consultant does. They have probably had to contract with guard services, alarm services, and courier services; so they know what hurts and what makes the relationship comfortable.

A consultant, or an in-house security manager, can also make for a better go-between. We have professional associations, peer groups, and, of course, our own jargon. It goes right back to the whole referral process. A service provider that takes care of a consultant or security manager can count on good words with other industry peers. And so….

Take a minute and consider what you don’t like about your service providers – and don’t forget what you like as well. Are you being serviced to your expectations?

Rob
/

Looks like a plan

2005-10-24T20:49:00.000-07:00

I would like to draw your attention to something I bumped into on the web while doing a little research that demonstrates a sincere effort in protecting kids. However, it goes much further than this alone by showing some important points in just a few words. Most importantly it appears to effectively blend procedures with technology. In other words, the technology only serves to enhance an already worthwhile process.

Consider these points:

First is the acknowledgement that not system is "foolproof." This is essential in avoiding misconceptions of impenetrable security. Too many people like to tell people just how perfect their methodology, techniques, and systems are, but this has more to do with the speaker's ego and puffery than real security. Being honest is far more useful, especially because knowing that a system is not foolproof and being told that is the difference between telling people to relinquish their concerns and asking them to remain alert or aware.

Second is a request for cooperation with the established procedures. This also acknowledges the contribution that the legitimate user makes to the overall success. Most systems of controls are built on an assumption of compliance, and without general compliance the process will FAIL. Consider the enforcement of speeding on the roads - nearly everyone exceeds the speed limit - creating a lack of general compliance and overwhelming the enforcement capability. Asking for the cooperation of the participant can go a long way toward getting it. Think carrot first, stick second.

Third there are routine procedures and contingency procedures noted. I am not saying that these procedures are all encompassing, but they are considerably more thorough than I often see. Most importantly is the lack of legalese or technical language. The procedures are clearly written and simplistic (but not overly so). There is even direction should the wristband be lost, which helps to avoid the argument should this happen without a publicized procedure.

Again, I am not saying that this document is perfect or that the system they have in place is even effectively maintianed, because that was not my point. I have never been to this organization or observed their activity, but given the presentation of the information on the web I thought it only fair to share it.

Keep in mind that good security comes from good procedures - what you do - and not necessarily from expensive equipment - what you have. Consider the "Security System" page just once more and realize that you could replace every mention of technology on that page with much more mundane tools. Consider cypher locks instead of a thumb reader and some other token rather than wristbands - the procedures still appears effective. So it would appear that there is a good marriage between technology and the operating procedures.

Sincerely. Kudos to the folks at Jersey Village for their efforts...

Rob
/

Quick advert for a friend

2005-10-20T07:17:00.000-07:00

My best friend has started a new blog.

The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.

So go check it out, bookmark it, and then come back here.

Rob
/

Rest in peace - or so we hope...

2005-10-18T21:07:00.000-07:00

In light of some recent news concerning the recent sentencing of a few cemetery vandals, let's consider this issue of protecting cemeteries.

I can’t say I understand why anyone would damage a cemetery or any part of it, but apparently there are many who think it’s entertainment. Cemeteries and memorial gardens have little in the way of assets - in a traditional sense. What you find in a cemetery generally has little resale value or ability for reuse. I’m certain, without a doubt, that there are exceptions to this; possibly gold trim, or ornaments, or something like that. Anyway, what is being protected has more to do with the idea that the dead should “rest in peace" than protecting assets - at least in my opinion.

Typically cemetery vandalism has to do with tipping headstones - defacing or rearranging them - and similar acts of mischief. On rare occasions there is the grave robbery. One notable recent occurrence is the grave robbery at the Newchurch Guinea Pig Farm in the UK where animal liberation extremists (including this group) stole the remains of a family relative (see here and here). The goal was to drive the farm owners to shut down the guinea pig operation. And, it was successful. There have been arrests but the damage is done.

So how then do you protect a cemetery? These are places that are often left quiet and unoccupied (at least by living souls) for considerable amounts of time. Oh, and dark - cemeteries are not generally illuminated at night. The other issue is to allow legitimate users access - as is the norm anyway.

Since most acts of vandalism occur during the hours of darkness, and there are generally fewer (if any) legitimate users, it's probably best to focus efforts on this time period. How then is the best way, generally speaking, to manage access during the hours of darkness?

We'’re right back at the 4D's -– Deter, Detect, Delay, Deny. Let's face it, vandals are not typically professionals. I mean there are professional thieves, robbers, and burglars, but have you ever heard of a professional vandal? Assuming this to be the case, it becomes an issue of making it more difficult to gain access -– delay. This does not mean that deterrents are ignored or that an attempt is made to detect intrusions.

Cemeteries generally have a fence or wall around them. The size and construction of this barrier can have real merit. Wrought iron fences are common and they create a worthy obstacle for climbing over. With few, if any, cross bars it is difficult to use the legs to assist with the climb. So there is a barrier that provides a delay - which in and of itself provides a further deterrent value since it's far easier to lose interest after a little unsuccessful effort.

Now it's also worthwhile to consider a few other features depending on whether the threat warrants them - and this is purely a judgment call. Like motion activated lighting, motion activated sprinklers, and a detection system - either a traditional alarm system or a monitored video system. There are many factors that may affect these potential options. One relatively simple option at this point might be to have a motion activated CCTV system to work in conjunction with motion activated lighting. There is some deterrent value in this - especially if signage is also used - but the additional CCTV system will assist with any investigations as well.

There can be little down doubt that an interactive monitored CCTV system would be an ideal application of technology in this environment. There are a couple of key reasons for this: One is the power of speaking to vandals - it can be very distracting to your activities when you here someone explaining to you that you're being videotaped and the police have been notified - and the site would not generally need a very high level of involvement. It would much like having a security officer on call.

For the really bad locations it may be best to use several options including onsite manned security posts. By far this is the most expensive but it also provides puts a lot of capability at the hotspot.

When you must share the house - or borrow it

2005-10-13T16:30:00.000-07:00

I had an interesting conversation recently with someone that felt that they could not benefit from consulting services because, not having their own facility, they held their worship services at a nearby school. We did not go into details as to whether they would have a building anytime soon, and, quite frankly, it doesn't have a significant impact here. There are several safety and security issues that crop up in relation to sharing a house of worship - or borrowing one temporarily. I'll spend a little time on a few here...

Access: It's still about Access Management. Who has it, who needs it, and how do you know. How many access points does a school, or community center typically have? Quite a few in my experience, so how can you be sure who is in or out of a facility. What about hygiene facilities? At any given time, how do you know they are safe? In other words, who may be lurking in a restroom? How are collections processed and safeguarded? Who has access? How do you know. There are probably more keys floating around for those buildings than anyone can know. As a periodic user of the facility it is unlikely that you can change this fact, but you can manage the subsequent risks.

What are just a few thoughts to take away?

Keep a closer eye on children particularly when they head into the restrooms. It's also a good idea to ensure that these areas are searched by responsible adults prior to use. This could be done by those that arrive to set up.

Segregate the area to be used from the facility in general. Many schools, at least the ones I remember, had fences that were pulled across specific hallways as the school was closed. If these exist, and it DOES NOT create an evacuation hazard, then they should be used. Be sure that school officials are the ones to actually close and lock these to ensure that doing so keeps the occupancy within local code.

Any area in which cash is to be processed or stored should be adequately protected. It is my opinion, that when this is done within an uncontrolled location, like a school or community center, then a cash-in-transit provider should be used whenever possible - and please choose a reputable one (email me for some guidelines to use when evaluating vendors). Either way, I would not bother to count or process the funds on location; instead I would work with a bank that would provide a counting room and process it there. Otherwise, just pass it on to the bank and let them process it. I know it is important to give credit to those who use checks or donation envelopes and this service can be done by a CIT service; or this can be done in a counting room at the bank. There are other options but the bank is convenient since the funds will end up there anyway.

Nursery areas should also be carefully selected and searched since they are more likely to have a dangerous objects present (at least objects dangerous to young children).

Just a few thoughts. I'm sure this will be revisited again.

Rob
/

Dangerous persons - "One for you - two for me"

2005-10-10T08:55:00.000-07:00

And a couple of quick words on employing - or allowing to volunteer - persons with violent backgrounds. Who's at risk, who's responsible, and maybe some ideas for managing the issue.

There is a great deal of discussion on the value of background checks (which typically just amount to a local criminal records check) on potential employees. Well, I'll here to say that there is a great deal more to this topic - for so many reasons. At their root, though, is how your organization looks to its stakeholders. That would be the congregants, potential congregants, surrounding communities, trustees, clergy, and any affiliated institutions (schools, other churches within a denomination, etc.). How these individuals perceive your organization - church, synagogue, mosque, temple, sanctuary, coven, or any other title used - will impact many things. Will membership or attendance grow, will members leave, will the community (and the press) look favorably on you should something happen? Ok, so there are lots of people to keep happy or at least calm, but we are leaving out another category of constituents - the victims. As we've all seen on the news concerning the Catholic Church's unfortunate sex scandals, we will be held accountable to make the victim whole again (or at least try too - see this article on a quick resolution).

With all that said, we can make a concerted effort to eliminate one class of constituent - you got it - the victims. And, we can use the same Deter, Detect, Delay, Deny concept of security. We deter would be miscreants by making it known that we screen all applicants (and the includes volunteers). I had a professor that owned a security firm and used to call to a room of applicants, "We'll start the polygraphs in five minutes," only to find the room nearly empty in half that time. As humorous as this maybe it is also very sad... It shows that far too many wolves attempt to infiltrate the ranks of the sheepdogs. None-the-less making it clear that these backgrounds will be conducted is a useful pre-screening tool. Are they expensive? Not all pre-screening tools/services are the same, but try and find one and multiply it by say 200 and see if it has reached amount of one significant lawsuit (plus legal fees, lost wages, lost revenue/donations, and lost TRUST). From my own experience this doubtful, even at almost $150 each - and you most certainly can find a solution for less. Need help or don't believe me then call and we'll get you the right solution provider.

So we've publicized that we pre-screen, but what do we check for? This is where price comes in - sort of. Start with the local criminal record check, sex offender registries, and heck throw in a Google search for good measure. If the person is performing community service then there should be a way to inquire through official channels as the why they were sentenced to this service. Someone doing this for a Shoplifting charge should not be left alone in say a thrift store. Again, we don't want to set anyone up to fail - do we?

Besides criminal checks, it may be worthwhile in some cases to do civil records, bankruptcy/public filings, and so on. The civil records can be useful for the odd instance when someone is sued for theft, but not criminally charged, or domestic violence (battery), or similar instances where the victim chose a route other than criminal charges.

Incidentally, pre-screening efforts would fall under the Detect segment of the paradigm.

For more information on what is available in background investigations - see this article by Joe Labrozzi.

We'll continue on next with a look at delay and deny.

Cash Controls - "One for you - two for me"

2005-10-05T17:20:00.000-07:00

And we're carrying on with concerns of mentally disabled and thieving individuals working in religious institution (it's not just churches anymore) food service operations - but it does apply to their thrift stores or anywhere else cash may be handled.

Here's a down and dirty look at cash controls and that includes any monetary instrument including checks, store script/gift certificates, and so on.

In any cash management system there are at least two places from which to reconcile your activities - when the cash is received and when it gets into your account. In some cases the 'receiving' part is a little more vague and uncontrolled - like offering plates - but for now we'll stick to this assumption. The problem isn't whether the money makes it from point A (receiving the money) to point B (arrival in the account), but what happens to it in between. The real problem is how the funds are transferred between parties at different points in the process. (If you're skilled with flowcharts then they can be very handy at this point.) In other words, it's the transfers between parties and the processing done between transfers that create the problem. Common sense, you say? Maybe so, but it's amazing how often a very simple procedure could have prevented an enormous loss - and the accompanying embarrassment, loss of face, distrust, anger, and the rest that comes from a betrayal!

In short, each transfer of cash should include the active participation of two persons. Each party is then responsible for verifying what is transferred. Documenting this is also useful for many reasons and the documentation typically includes the signatures of both parties (date and time, etc.). If the receiving party is unable to verify the total in the presence of the transmitting party then there should be two persons in the receiving party that verify it. This is based on an assumption (sometimes incorrectly - but that's another discussion) that it's harder for two persons to collude on a crime than for one person to commit it alone... So then if we have a loss we are able to see that the proper funds are transferred from party to party until an incorrect amount of funds are transferred. So easy - when done properly - and having clear (and enforced) procedures for transfers goes a long way to preventing losses. Why is prevention better? Especially here? First, proving larceny or embezzlement often requires an admission by the thief - which may not be difficult for an experienced interviewer/interrogator (see Chris' article here, and this website, and this website for more information on interviews) but what house of worship wants to employ these methods? (I think they all should because it's effective and, if done properly, helps the organization make a meaningful loss recovery and aids the thief because they get the feeling of a clear conscience - they don't call it a confession for nothing) Also law enforcement is generally too busy to get deeply involved in an internal loss - it's a property crime, time consuming, and is many times not seen as "real crime," and it costs money to go through an investigation. That means more loss! So prevention, prevention, prevention.

The next concern is what is done between transfers - the processing. Whatever processing that should be done to funds including counting, recording, packaging, and deposit preparation should have clear (and enforced) procedures. It is always preferable that any handling of funds is done under "dual control." This involves two (dual) people that verify each other's work to ensure accuracy. The purpose of dual control is to avoid errors; however a byproduct is an significant decrease in opportunities for theft. Their activities should also be documented - preferably with their signatures.

That is the short form on cash control... I didn't mention issues concerning the verification that it was received in the first place but we can save that for another time. This opens a whole other can of worms since you must now determine whether items were accounted for at the point of sale/transfer and so on... Enough for now.

New training program!!!

2005-10-03T19:37:00.000-07:00

The International Foundation for Protection Officers has just released a new training program: Crime and Loss Investigations. This isn't just for security officers either! It can be of great use to anyone responsible for managing losses.

In addition to a textbook this program also uses a few online papers as a supplement. Take a look.

I was lucky enough to have been able to get an article on intelligence operations into the training program.

But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.

And another one on Interviewing - the lifeblood of retail loss prevention investigations.

It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.

Controls and process management

2005-10-03T19:22:00.000-07:00

This will just be a quick post to discuss what I mean when I talk about controls - as they pertain to process management.

Security in the retail sector historically counted on catching the shoplifter; however this is not the most effective means for controlling losses. Another example is having someone that counts the offering plate collections arrested after they embezzle some cash. It's just not effective and it means that you have lost it - and you probably won't get it back. So what is more effective?

Take the shoplifting example. In our instance our thief takes several items into the fitting room where they conceal some within their personal bags. Maybe the loss prevention team is allowed to make fitting room stops, or maybe not. Either way the crime must be committed first. How many will be able to do this without attracting enough surveillance to be stopped (legally)? Far too few compared with the thieves successes. Now how about a fitting room attendant? When the thief enters the fitting room area the attendant counts the garments and provides the thief with a numbered placard that corresponds to the number of garments. When they come out the process is reversed... Voila' magic does not happen in the fitting room and nothing disappears - this time. It's not a foolproof system but it's good enough for this example. If even half the thieves are stopped in this manner it is still more effective that trying catch them after they conceal something.

Back to the offering plate... We have a long-term member of the congregation counting the money and one day someone realizes that all of it didn't make it into the church's accounts. It's a crime, yes, but now an investigation must take place - which costs money - and even if they admit to the theft the cash is probably gone - POOF - into thin air. Now what if we were to have two persons count the money together? Maybe then they could keep each other honest. What you say? They'll just steal some other way! Maybe so, but we can always add controls so that thefts become more visible more rapidly. This is much more cost effective in the long run.

So that is what is meant by controls. Procedures and devices put in place to enforce policies. Our policy says all the funds must make it into the organizational account, so we make it difficult to do otherwise.

One for you - Two for me

2005-10-03T19:20:00.000-07:00

Here's a couple of questions from back in August's Embezzlement piece:

When using volunteers or food service firms there is some concern over the screening of persons who have access to cash. Some of the food service firms employ disabled (mentally) persons as well as those on parole. What are some controls that can be implemented?

Houses of Worship routinely operate food services for the poor or economically disadvantaged as well as thrift stores and other types of activities that may or may not involve monetary remuneration for the service. For instance, in some cases persons on government assistance may be given the opportunity to select one or more pieces of clothing from a thrift store each month - a shopping trip for those who cannot afford it.

I think there are really two very broad questions: one concerning cash controls and another concerning liability from employing potentially dangerous persons (or allowing them to volunteer). These are distinct issues with different tools to manage them. We'll break these down into separate blog posts. First we'll discuss an overview of the problems and controls; then we'll look at cash controls followed by managing dangerous persons.

Increased threats + Increased Concerns <> Increased Security

2005-09-20T13:31:00.000-07:00

The Jewish high holidays are on their way and just in time for the recent threats from "the American Al-Queda" against targets in the U.S. and Australia and the break-up of another Southern California plot. But Australia? I must admit I'm not sure why he picked them, but hey it's his videotape anyway. Regardless of my personal feelings about those who wish to change my beliefs by force - I want to discuss the fallacy that merely increasing our concerns somehow increases our security.

Efforts will be made to increase the preparedness of Jewish and Israeli property all over the world, but I keep hearing people say that somehow we're better prepared because of our awareness. Well, I must admit that this is somewhat true, BUT it is the preparedness supporting this awareness that brings the security. Imagine of we all knew that 9/11 was going to happen but lacked a way to tell anyone besides each other? OK maybe this isn't the best example but we must have a plan for reporting and responding to threats - regardless of when we must react. Thus plans must be dynamic to be useful if a plan is discovered at any phase up to and including its successful manifestation. So we must have a way to report our suspicions and investigate them. This may be from a conversation overhead in public (however unlikely) or it may be THAT PERSON WALKING TOWARDS US NOW!

So now that we have the heightened awareness going for us we need to get the plans in place (and communicated) to ensure we are able to identify, assess, respond, and resolve all real or potential encounters.

The hard part is coordinating the activities of the good guys - private, local law enforcement, state law enforcement, federal law enforcement, and the intelligence capabilities of each.

What private intelligence capabilities you ask. Every organization possessed an immense intel ability. How many of our members here information in public, find information on the web, or are able to collate information from all of these sources? I worked with a firm that tracked domestic environmental extremists for a client. Were we successful? Very much. So much so that after some of the less publicized acts of Eco-terror we provided much of the contextual information to law enforcement investigators.

As they say - Keep you ear to the ground. Oh, and have a plan, test it, revise it, test it again, communicate it, and keep it flexible. Your defense in-depth starts with your intel, progesses through your passive and active defensive measures and ends with your ability to react to a successful event.

Rob
/

Peeling safes - huh?

2005-09-15T15:02:00.000-07:00

I read a recent article about a number of church burglaries in a local community, and one of the churches had their safe "peeled." I don't know exactly what happened but I can offer a small about of info on breaching safes....

First of all safes are a barrier device! They are not a stand alone solution. Never forget that given enough time any barrier can be breached - this is especially so with things that contain money (or are perceived to contain money). That is why monitoring devices, like alarms, are used; they permit a response that shortens the available time to complete the attack. Back to safes -

Safes come in two general varieties - burglary resistant and fire resistant - and they are rated to describe their robustness. Fire safes are meant to prevent property inside from being destroyed by heat from the outside. Remember paper breaks down around 350 degrees Fahrenheit and magnetic media starts to go at about 150 degrees. Fire safes are also only good for a fixed period of time after manufacture - generally. Anyway, they are not meant to significantly delay physical entry by a determined attacker. Their sides are filled with insulation to repel heat and not tools. Simple tools can do wonders when used for forcible entry. They are ideal for those records that you do not want destroyed - although the best solution is to also store duplicates off-site (also done somewhat securely). Now burglary resistant safes, on the other hand, are an entirely different animal. They are meant to keep unauthorized folks out. Because their sides are typically made of steal they tend to work like an oven during a fire - so not good for important records. And yes you can use a fire resistant box inside a burglary resistant safe - again it's a heat issue... how long and how much. Burglary resistant (BR) safes that rated by the Underwriter's Laboratories carry ratings like TL-15, or my personal favorite TLTR-30x6. In short TL = tools, TR = torch, and TX = explosives (although you don't see many of these). So a TLTR is rated for tools and torches. The number after these designators represent the amount of time in minutes. Yes, that 200 pound safe is only rated for 15 minutes of protection! And they should be bolted to the floor and away from external doors because they can still be chained to a vehicle and dragged off. If a "x6" is attached to the end it means that the protection is extended to all six sides. Normally only the door is tested and rated. It is also the most likely point of attack. When locksmiths need to gain access they will either drill through the door or through the back so that they can see the door to manipulate the "wheelpack" which is how the combination works. But that's not the focus right now. Incidentally, safes are not intended to go beyond the 30 minute mark - after that you should be looking at a vault for protection, but that's for another time (and likely over on security-today.blogspot.com)

Safes can be breached (besides explosives) in a couple of ways with the most common being "peeling" and manipulation. Peeling is just how it sounds. A segment of metal is gotten hold of - often at the edge of the door - and pulled away. This along should tell you two things: the quality of the safe and the amount of force applied. Drilling into the door to allow he manipulation of the combination is dangerous if the safe is equipped with a "re-locking device" - which might be a sheet of glass that, when broken, causes spring-loaded rods to push into the door PERMANENTLY. The safe will now require a locksmith - of safe cracker - to gain access. My lesson learned came when a safe I needed at a store was pushed off the back of a truck - the glass broke and I had a very heavy empty metal box.

So there you have it in a nutshell. Choose your safe carefully and make sure you have a few layers of protection in front of it. And yes, we will discuss layered protection in the future..

Rob
/

Panic buttons - When, Where and Why

2005-09-13T08:12:00.000-07:00

This is an interesting post concerning a fire in a Mosque in South London last month. I haven't sought any clarifying information concerning the fire, but let's go with the statements and stick with arson and the use of panic buttons.

What is a panic button (or duress alarms, or silent hold-up alarm)? It is literally an alarm that may be activated when someone is being threatened - or panicking. They come in many shapes and sizes - some are hardwired (or fixed) and others are wireless (or portable). In the U.S. anyway - and I know the article is in South London - panic buttons generally garner a faster more serious response by the police - why? Well quite simply because a person has to actually activate it. That means some conscious thought went into it - or it is improperly placed to allow accidental activations. Whereas a motion sensor - of any sort - may cause a nuisance alarm because of some environmental condition the only environmental condition that cause the activation of a panic alarm is, well, panic. That means someone is under duress and needs immediate assistance. That's why the response it generally better. They are very useful and applicable to nearly any setting - not just for intruders or threats. They may be used for safety, such as for the elderly. Granted these transmit the signal someplace other than the police, but it's the same technology.

My only guess in this article is that the alarm is tied directly to the police and therefore special permission is required for its installation. In the U.S. these devices may be obtained through, and I'm guessing, just about every alarm monitoring service. They are generally inexpensive - after all they are just a button - and can be a great enhancement to your current system.

Where should they go? The receptionist (or any gatekeeper) for one, along with 'executive' (read clergy) offices, and in any "safe" rooms that may exist. These may be bathrooms or basement areas that are used for sheltering during threats and disasters. Wireless panic buttons are especially useful for use by those that must work with large sums of money - while they work with the money. This way they do not need to find the alarm - grope around aimlessly - when they are frightened.

Remember every device also needs to have policies and procedures governing their use, training, drills, and a plan for what to do next. Liaison with law enforcement is helpful so that everyone knows what to expect with the response. In many instances, if he PD must make any sort of entry they simply secure (handcuff) everyone and sort out the bad guys after controlling the facility. This can be pretty traumatic to those not expecting it.

Rob
/

What do you think?

2005-09-09T11:27:00.000-07:00

I bumped into this interesting post on another blog today and thought it might make for an interesting topic. By no means do I encourage or discourage anyone to carry a firearm anywhere let alone in a church, mosque, synagogue, temple, sanctuary, or other house of worship. That decision is not for me to make for others, but it does bring up something worth discussing.

What if you specifically (passionately or not) believe that firearms should not be carried in church - let's not worry about the rest of civilization just yet - what can you possibly do to combat an armed aggressor? Can you? Should you? Should anyone? Just how can the survival of as many people be helped? To answer this let's start with a short path analysis of what it takes to accomplish this. First let me just add that simply arming everyone is not the first answer that should be sought. Sadly, it may be necessary to have armed individuals present but if this is the only solution chosen then it implies a willingness to allow the violence to begin in the first place. Remember the pillars of security - Deter, Detect, Delay, Deny. We need to have layers of features in place for the greatest opportunity to mitigate such an event.

Back to the path analysis (a very simplified version)... The assailant must come onto the property, enter the facility, locate their target or choose the moment to initiate the attack. Now there probably isn't too much opportunity to keep this person off of the grounds since most people aren't challenged at this point, however it is often common to challenge people before entering the facility. What is that you say? Challenge, greet - same thing! There is no reason that you cannot use the greeting as an opportunity to make an evaluation - we do it naturally anyway. If a person seems out of sorts isn't just being a good neighbor to inquire to their need? Offer assistance? Find them counseling? I am not trying to say that any of these incidents could necessarily have been prevented, but we do know that there weren't any controls in place to be tested. So the greeter can be an important asset in detecting potential problems. They should be trained to ask how worshippers are and attempt to carry on a short conversation. What not enough greeters? Then seek more volunteers. What if the individual isn't seeking to harm anyone but is disturbed - a well trained greeter could be the first friendly voice that is heard and the first person to offer to guide them to help. Think about it. The plan cannot just be to catch shooters - it must be able to identify various sorts of problems. They are all people in need, right?

So the person has entered the facility, now what? Once it all "drops in the pot" there isn't too much that you can do, but react. If shooting starts, for any reason, the goal must be to get as many people out as quickly as possible. Subduing the attacker comes second, unless there persons prepared to engage in a force-on-force engagement - and that is what it is at that point. The winner is the one with the means to employ force more effectively. But let's not forget this is still in a church - so explore opportunities to 'cut' the path and avoid being too focused on just one sort of incident.

According to an old say, "Your mind is your primary weapon." Take a minute and employ yours to seek ways to detect and prevent violence rather than simply responding to it. Someone has to decide to commit violence, maybe we can convince them ahead of time that it's the wrong choice.

Rob
/

Are you locking your doors?

2005-09-04T13:50:00.000-07:00

Some HOW are still able to get away with not locking up - and I say great it sounds like a community I want to live in. Everyone else, however sad it may be, realizes the need to lock their sanctuary to prevent criminal damage.

But who has a key? The best lock is worthless if everyone has a key!!! In the world of security this is called - prepare for the creativity of the name - Key Control. It sounds so simple - and many consultants will act like it is - but let's face it... Houses of Worship - churches, synagogues, mosques, and sanctuaries of all sorts - must provide access to lots of people for just as many reasons. So where then does one begin and how does it happen and what if it won't work for us and what if and what if and what if and what if... We haven't gotten that far yet. Save the "what ifs" for the right time - which is after you hear how the basic process works. Think of it in these phases: Sourcing access, granting access, managing access devices.

Sourcing access comes when you know who changed the locks (or rekeyed them) and how many keys were made for them. Typically this is done when they are rekeyed (we'll call it changing locks going forward rather than worrying about the technicalities between changing or rekeying locks) and the locksmith is right there. Once the work is done and all the keys are received there should be some documentation that indicates that, preferably, two responsible people acknowledge that the correct number of keys were received. Then the process of granting access starts. Who needs access and why. These individuals should be required to sign for their key - which is property of your organization - to acknowledge receipt. They should also have to sign an acknowledgement that they have received a copy of your organization's Access Control Policy (which we will discuss another time) that describes how and why the facility should be accessed and egressed, or occupied and vacated. This police will evolve so new ones can be distributed on a somewhat routine basis - maybe every six months to a year. Now people have access to the facility. The policy should include obligations not to reproduce the keys (access devices) or to share them with others, and to return them immediately upon request. Why would they have to return them? Well that should be in the policy as well, but don't be afraid to revoke access every so often if warnings and other agreements cannot be abided. This is part of managing access devices - revoking access - along with inventorying spare devices regularly and securing them appropriately so that those without access to the facility cannot conveniently get access.

Alright I think I'm done with this topic for now. I'd be glad to discuss it with anyone looking for help - so drop me a line.

Rob
/

Embezzlement - breach of Trust

2005-08-22T09:41:00.000-07:00

I was just reviewing some recent news articles concerning crimes at churches and I had to stop and take a second look. Clearly more than half of the articles I looked at dealt with embezzlement. In addition, some of these involved Pastor's and in at least one instance the thefts had been occurring for several years. Now this isn't unusual necessarily, but it does beg the question - "Why did it go on for so long?"

The answer is simple is found where the security and accounting professions meet. Lack of Controls - or - Lack of Effective Controls. The bottom line here is that no one was paying attention or, more importantly, the right people weren't paying attention. Many times these losses can be traced back to one particular control - Separation of Duties - which, many times, is a difficult one to overcome in small organizations. Separation of duties simply requires that multiple persons be involved in transactions to ensure their legitimacy. For instance, the person approving the purchase of supplies and the person writing the check for them should be separate people. Another example would include at least two different persons for writing checks and reconciling the bank account. Again, this is not difficult or complicated, but it is often ignored, overlooked, or just overrun by the wrong person. The reasoning behind the use of multiple persons is an assumption that collusion is not always easy to accomplish, but it is, many times, and so one last step may be added as an extra safety measure - the independent auditor.

Take a look at your organization. Use process mapping (flowcharting, etc.) to determine how funds are received, verified, accounted for, and dispersed. Then step back and look at the chart, but not in a friendly way. Take a look at with eye to defeating it. Oh, and do this with multiple persons as well, and document the event clearly so that should something come up in the future you role and knowledge are clear. Now how can the process, at it is currently mapped, be defeated? Who in the process, now, has that capability? Remember that a threat requires both capability and intent. So just because someone has the capability does not mean that they have done anything wrong, but it is a good place to begin adjusting process. Never forget that we exist in a changing environment - everything changes - including the people within it. So motivations, or the person a particular role may change and then the problem begins.

Anyone interested in either process-mapping or on developing near-bullet-proof process send an email to rmetscher@apinnovations.biz

Rob
/

Risks from community events

2005-08-19T08:07:00.000-07:00

Just a couple of quick comments on some of the concerns that arise from hosting community events within your facility and an angle towards this short mention about an attendee being threatened in a meeting.

We don't know what kind of meeting it was, and it really doesn't matter to much here. Whenever allowing anyone to utilize your facility it is very important to consider how this may impact your operation. The facility may need to remain open when it wouldn't normally be so, or you may be expected to allow the use of appliances or the entire kitchen, and without a thought towards any liability that may exist.

First - understand what the group will be doing in your facility and what support they may want and take a minute to learn a little about their history. Why do they wish to start using your facility. We're they asked to leave the last - the 'why' here is key. If there was a problem and you still want to help then discuss what efforts have been made to prevent or control a similar problem.

Second - know how this impact your operations. What times are the meetings? Are they outside your normal 'open times' and what additional resources will be needed. Will there be a significant effect on utilities, a need for a member presence and so on. If you already support other meetings then consider the topics carefully! It may not be wise to have a spousal abuser support group alongside an abused spouse group meeting, or any other sort of possible conflict.

Third - Decide what you plan to do to ensure your organization's safety, security, and operational continuity. Who will be responsible for opening and securing the facility, making sure coffee pots are turned off, and any expensive property placed in the protected area. How will you handle any press for a disruption at a meeting (planning ahead is essential to media survival and even triumph). If a kitchen is to be available decide ahead of time whether or not utensils and cookware will be made available. Don't let your knives become someone else's weapon - and so on, and so on.

In all matters, build in the means to take action if necessary. A formal contract with the group, and in some cases the attendees, concerning conduct, facility maintenance, and vacate times. Try to avoid putting yourself in a position that your only recourse is to evict the group. Provide terms that allow for individual misconduct - so long as it's corrected by the group. Otherwise you may become unwilling to take any action, and when you do take action it's resented by everyone.

The important thing to remember is this: Those who are attending the group (not necessarily the group organizers) do not have a stake in your facility or your organization. So it's essential to the community to host such functions, but it is equally important to protect that which allows you to continue operations.

Oh, and don't be afraid to spot check the meeting activities periodically, or to ask your members that routinely use the meeting area following the meeting whether the room is left in compliance with your agreement with the group. Not monitoring, not guiding, and the like only sets the group up for failure, and the goal is supposed to be help everyone succeed.

Rob
/

Lighting and landscaping

2005-08-18T10:50:00.000-07:00

Here are a couple of quick thoughts that come straight from the concepts of Crime Prevention Through environmental Design (CPTED) - a concept that seeks to alter an environment to be 'unfriendly' to illegitimate activity while facilitating legitimate activities. It is very useful for managing space without making it look like a prison.

I have seen many churches with beautiful landscaping - unfortunately it all too often makes the bad guys efforts easier than it needs to - and with a few changes it will still be beautiful, but functional as well. Take the average shrub - it is the perfect size and shape for hiding a crouching person. So why not keep them far enough away from doors and paths to prevent an attacker from hiding right next to a potential victim? Trees as well, however with trees it is generally sufficient to create a canopy with the lowest branches too high to effectively conceal a person. Maybe trimming the shrubs to lower than 18" and the "canopying" the trees with branches no lower than say 6' would be sufficient to make it hard to hide. But what if it just won't look right to do this? Well it may be possible to place illumination in the concealed area - but not just throwing lights in the dark space. Many times the light may be positioned to cause persons concealed behind these obstacles (not all of them will be vegetation) to cast a shadow into a readily observable area. Consider how silly it must look... Just like a scene right out of Scooby Doo with the big shadow preceding the monster. Are there other "tricks" to this, absolutely!!! Consider lighting and vegetation to be complementary. They can work together to create paths for legitimate movement and clear boundaries for directing activity away from other areas.

How then can these boundaries be created? Well, it's certainly possible to plant a long line of bushes to create a physical boundary. Heck, plant it a few bushes deep and it becomes nearly impossible to move through it, but it looks like a big wall. Another method is called "fence posting" and involves obstacles that are spaced to create fixed points or "dots" that can be connected mentally. The closer the dots, the clearer the boundary - just think of the line of bushes as the closely spaced dots that they really are. Now couple these "fence posts" possibly with different types of grasses on each side or maybe mow the same grass in different directions and you have created a clear visual boundary.

More on this topic later... It's a very powerful tool so step back and look at your facility.

Rob
/

Tougher laws <> reduced losses

2005-07-22T12:13:00.000-07:00

According to some recent media, the North Carolina legislature has sent a bill to the Governor that makes church burglary a more serious felony than before. Larger penalties, more time in jail, longer incarcerations, call it what you will it is all on the wrong end for security. While it can be said with some certainty that the intent of the bill is to reduce church burglaries and was developed in good faith, it can also be said with some authority that increased penalties only do so much for reducing crime.

Practically speaking, warehousing criminals for longer periods of time does prevent that criminal from committing further crime - at least on the public - during the incarceration, however let's consider the ultimate state sanction and its affect on crime and then we'll move to a better discussion. Murder is punishable by the death penalty in many states. This penalty has not significantly reduced the murder rate where ever it is applied. Yes, I know, there are many reasons for this and extensive circumstances that affect it, but let's admit that, by and large, increasing penalties beyond a specific point has little further deterrent effect.

So let's focus on the fact that increasing penalties do more for the politicians than for the victims - in this case churches. Once a facility, any facility, has been violated there is damage - physical and psychological - and that damage cannot always be fixed easily. There are losses - direct and indirect - that affect when or if a facility can be used again, or whether operations must be relocated, postponed, or ceased. We can discuss losses another time, but for now it is important to recognize the value of preventing losses. A proportionate investment in protective strategies is a budgeted occurrence, but dealing with a loss is crisis-spending. Unplanned, unbudgeted and generally the impact causes some other program to be reduced.

There were five burglaries in North Carolina that occurred just prior to the passing of this bill. Five organizations lost assets that affected their lives and how their operations were conducted, but far worse was the feeling that someone had invaded sacred space, stolen objects, and possibly, if not likely, desecrated the sanctity of the church. Could the burglaries have been prevented? Absolutely and without a doubt YES! But remember sometimes it is necessary to accept some risk rather than completely altering, impeding or destroying how operations are conducted. Too much prevention could make worship services impossible. But burglary is generally a preventable loss and at the very least it could have been possible to mitigate the actual loss that occurred. Sometimes it's technology that can help and other times it's processes, procedures and community involvement. Determining the proper mix is matter best completed after a Risk Assessment - which incidentally usually take one or two days to complete at most churches and maybe another week for analysis and reporting - and can mean the difference between losses and prevented losses (which is not exactly a 'gain' but much better than a loss).

What I'd really like to impress upon everyone here is that increased criminal penalties are a great gesture by the government but they do not necessarily help reduce losses. The bad guy is probably still going to commit the act - and then you're just stuck with the aftermath, the cleanup, and the personal impact felt by each member. Applaud the legislature for responding to the community - but role up your sleeves and start planning how to prevent the need for the law.

This first step an any Risk Assessment is to determine what assets exist within the organization. Consider this for your organization - you'll find that there is a lot more than you may have first realized. Have you considered what the impact might be if one, some or all of these were lost?

A little more on the Critical Detection Point

2005-07-15T18:22:00.000-07:00

Alright, I mentioned this last post and I think it deserves a little more explanation. But I'll try to keep it brief. Check THIS out for additional information on the theory and application behind this.

Remember we discussed security efforts as deter, detect, delay, deny? And prevent, detect, respond? Well this is where the math meets the road. It goes something like this.

An attacker must complete certain tasks to successfully complete their objective, whatever that might be. You must devise a way, in advance, that thwarts their efforts. A significant part of the problem is that at some point all the prevention in the world fails to stop the attack. So there must be a response which naturally follows a successful detection of the threat. So assuming that an attack occurs at what point in the attack must the detection occur in order to insure that the response gets there in time. Garcia offers us a mathematical formula to describe this. Yes I know that we all thought that we left math theory behind a long time ago, but here it is:
CDP = TR > TG

TR is the minimum remaining delay on the adversary path, and
TG is the guard (police) response time
.
Alright so that wasn't any more simple. Look, you just have to make sure that the attack is detected with enough time that the response has enought time to stop it from being successful.

At that is the point. Where do you want to stop the attack? Before they gain access the property? Before they gain access to the building? Or, before they gain access to the safe? That's it.

Security, all security, is a function of time - I know we're back to math and I wasn't very strong in math either. But remember that although you are secure right now - most certainly because of carefully designed process but never by chance - you may not be secure in just a few minutes. Times change! New technology is introduced and diligence changes.

Here a few concepts playing on the time function of security:

With unlimited time you can gain access to anything or anyplace

There is never unlimited time - we get old, assets move, etc.
With unlimited time it is possible to acquire any necessary resources

With unlimited resources you can gain access to anything or anyplace

But these are also limited - people, money, tools, etc.

Resources are used to reduce the amount of time needed to be successful

More people = overwhelming force
More tools = technology being defeated quicker
More money = more ability to acquire other resources

That's enough for now.

Burglaries - Internal countermeasures

2005-07-13T06:22:00.000-07:00

Just yesterday we discussed a few ideas for dealing with burglars before they have gotten inside the building. So let's continue with the building and its interior... But for now let's just focus on detecting their intrusion.

The natural thought for keeping burglars out is an alarm system. However, alarms do not really prevent a person from entering. Consider again the concepts of deter, detect, delay, deny. An alarm system is generally meant only to detect an attack. Some integrated systems can initiate an automated response but strictly speaking an alarm only detects. Granted some aspects of it may deter an intruder and a determined intruder attempting to bypass an alarm system will certainly be delayed, but let's stick to its detection value.

Keeping bad guys out of the building falls to physical control devices - locks, doors, windows, walls and so on. Once a person has reached the building there are some considerations. Make sure foliage is trimmed (less than 18") and canopied (above 5-6') to enhance the detectability of a person near the building. Windows and doors should be locked! Bad guys are generally 'minimalists' and want ease and convenience. Now assuming that they do not have a key to an exterior door (and how many churches really implement a key control program - does yours) and that all other access points are secured, the bad guy will have to force access. That means a broken window, door frame, or padlock (in the case of sheds).

They're in! How do you know? Well a well designed alarm system can be very useful with this, however most systems are not well designed or well installed - thus many false alarms. Frequent false alarms mean that the police response will cease, at some point, from being a serious effort. This can be mitigated with a CCTV (closed-circuit television) camera system that allows a monitoring service to verify the alarm before sending a response, but that can really cost money up front.. It is however an excellent solution. Sparta is an exceptional company providing remote video monitoring services and there are several others.

I strongly encourage alarm systems, but today's technology offers some low-cost options that can be very effective. Take for instance, integrated wireless sensors and control panel that also offer network notification methods - that's right - email or text messaging. So rather than paying for a monitoring service it is possible to have your (or several members of your congregation) cellphones messaged directly by the alarm system. What a great tool.

So without an alarm system how does one know that an intrusion has occurred? One method we've already discussed briefly are patrols. The issue here is how long will it take the burglar to accomplish their goal - what is the delay? Having someone 'patrol' the property several times over the course of a night could offer detection that is timely enough. But let's consider one additional piece of technology network accessible CCTV. Yes, rather than having someone actually expose themselves to danger by walking or driving to the property they can observe the area from the safety of their own home (laptop at a wireless access point). Just a thought..

The answer, without technology, is creativity... The key concept to remember here is the Critical Detection Point which is the point in an attacker's activity that affords the last possible detection in order for a response to disrupt their success. In other words, the time will the bad guy need to complete the task minus the time it takes a response to arrive and disrupt the activity and the amount of time it takes to initiate that response after the detection. These numbers are generally pretty sloppy but it does offer a way to consider just how much observation may be needed without an alarm system - and how fast response will be needed with an alarm system.

Rob
/

Burlgaries in the Southeast

2005-07-11T20:09:00.000-07:00

Recently I have seen many articles on the burglaries of various churches. Ah burlaries - I promised. Now here's a topic that is relatively simple compared with Arson but no less devastating in many instances to the minds of the victims.

As I mentioned in the first post ACCESS is everything. A burglar must have access, right. So let's consider some of the key points in the attack tree for a typical burglary.
1. The subject (A1 - attacker one) must defeat the perimeter of the property
2. A1 must defeat the perimeter of the structure (building, shed, rectory, chapel, etc.)
3. A1 must select, gather and prepare asset(s) for removal
4. A1 must transport the selected asset(s) out of the structure and off the property.

Now we can't dictate whether A1 arrives on a bike or with a tractor-trailer so we can't control how much he/she is able to transport away. We can probably also assume that defeating the perimeter and moving to the building are given events - I haven't seen many houses of worship with effective permiter fences. That brings us to the building.

We should want to deter their efforts to gain access and this can be done at many levels, but for now we'll consider signage, illumination, irrigation, and patrols. That's all pretty straightforward. Signs that indicate that an alarm system is in use - I really dislike offering this advice if there is no alarm system because any thief worth his weight will have determined this ahead of time - but it can't hurt all the same. Lighting that makes the intruder more visible to passersby - thereby increasing the perceived risk of detection. This has only a psychological impact if the property is already well concealed from passing traffic. It is also possible to have sprinkler systems set to be activated by motion sensors. This may sound silly, but have sprinklers and lights activate together will likely spark the response of running away prior to any decision to continue. It may also cause the intruder to make some noise out of complete annoyance. The options for enhancing this are nearly endless depending on the intention. Heck it even result in a some amusing video. On an incidental note - a well soaked intruder may be easier for the police to identify while escaping.

Now the topic of patrols. This may be police, a security service, or passersby (such as congregation members) that have agreed to communicate or document findings. Again, creativity here can save some money, but sometimes it's just worth paying some to check in periodically. This option should also be considered in advance as a contingency. If a series of buglaries - or vandalism for that matter - occur to other houses of worship in your area it might be time to activate that pre-agreed upon contract with a security provider to begin periodic patraols. This may be just enough to move the micreants to another location and the service could be ended whenever they may be caught by the authorities.

So there are few thoughts on preventing burglaries outside the building. There are many more but want to try and keep this as short as possible. Feel free to comment with your own thoughts. Next we'll look at methods useful from within the building. Remember water is relatively harmless, cheap and can create the opportunity for footprints or identifying the burglar. Oh yea, there is the amusement factor as well.

Rob
/

Terrorism - thoughts on preparing and coping

2005-07-07T16:23:00.000-07:00

As I mentioned earlier, terrorism is not a noble cause of some kind, it is the deliberate threat or use of violence by the few to affect the many by affecting the few. It's a theatrical event designed to affect YOUR emotions. And it generally works; now doesn't it?

So how do we prevail? Well that has a lot more to do with the government than individual actions. We'll leave that alone for now except to say that by not living our lives our way is a sign of defeat. We, as a community, must stick together - avoid using stereotypes as a reason to mistreat your neighbor. Mistrusting your neighbor because he is an Arab or a Muslim weakens our position. It denies all that we value in America. The form of Islam that is used to justify such attacks should not be used as a measuring stick for the religion. No more so than violent Christian fundamentalists should necessarily be used to describe the Christian faith. So keep in mind what it means to live in, come to, and thrive in the U.S. before getting too paranoid, and remember we craete our own violent activists pretty well too - since the Oklahoma City bombing was the second worst terrorist act on our soil. Enough said...

So how does one prepare? Just be aware of your surroundings and THINK. Henry Ford used to day that thinking was the hardest work and that's why so few people ever did it. So think and be aware. If you generally make sound decisions then be a leader if an event occurs. Panic - or terror - is the goal of the attack. Deny them that and the attack loses value. The bird that leads the flock is the bird that flew out in front in the first place. Being a leader during crisis will provide structure to others efforts and thoughts. I know this all sounds great sitting in a cafe and drinking hot chocolate without a real care in the world. I have been a security professional for most of my life and when I was in High School I used to monitor the terrorism of that day. I have always been an observant person - it's just been in my nature I guess - but it's not hard. And it can be fun. When you walk into a room, train, subway, or bus glance around quickly. Then think of a number... Eventually you will walk into a room and glance around naturally - without an actaul conscious thought - and that number that pops to mind will be the number of people present. Test yourself periodically. Next try doing the same thing but later in the day write down what was on one of the walls in that room. Now you're finding exits and restrooms automatically - this can be quite useful when you just have to go and don't have time to ask. Relax and let that amazing computer on your shoulders do the work. Think and be aware. Oh, by the way there are 15 people in the cafe with me now - actually it's sixteen, I didn't see a small child behind a table. I did this count without raising my head from the computer. Have fun with it... It can be quite soothing to know - really know - your surroundings.

Coping with terrorism is a whole different ballgame and I don't think I'm the right kind of professional to offer the best advice. I cope with it by living and enjoying - and I can relax because I stay aware of my surroundings. It's sort of like playing "Where's Waldo" for me. Once you start paying attention to your surroundings you start to immediately recognize what doesn't belong. So think and be aware.

I think that's enough of this topic. I want to move on to something more uplifting - like burglary.

Rob
/

London today - terrorism - understanding it

2005-07-07T13:57:00.000-07:00

I know I wasn't planning to take on big issues just yet, but in light of the events today it only makes sense to put a few comments down now. First, everyone's thoughts and prayers should go out to those that have been directly impacted by the attack in London today. For anyone who got stuck under a rock and missed the ongoing coverage - Four explosive devices were detonated in London today during the morning rush hour. Three of the devices were set off on the subway (tube) and the fourth was on a double decker bus. There are more than 35 confirmed deaths and about 700 injuries. That's right - four coordinated detonations all occuring in about 30 minutes. But that's enough of recaping news. For more information try the BBC (and excellent source of world news) and let's get on with understanding the event.

First of all terrorism is not a noble cause and it is not the work of noble freedom fighters. Deliberately targeting civilians is not a just way of waging war. Terrorism is a theatrical event, using violence or the threat of violence, that is staged with the intent of affecting political, economic or social change. If you want an official definition try the FBI's website. To put it in the most elementary terms - it is the threat or use of violence by the few to affect the many by affecting the few. We are all meant to become scared for our lives because of the event. It is not random - typically - but is carefully planned and executed to have the greatest impact on YOUR emotions. McVeigh is said to have admitted (American Terrorist) that one of the reasons he selected the Murrah building was because of the potential camera angles that would allow the public to clearly see the extent of destruction. Yes this is factor in the planning of a terrorist attack. You cannot maximize the impact on the 'many' without media coverage. It is these images that we see - and remember - that affect us from that moment forward. One of the best descriptions of terrorism I have ever read went something like this...

We have the right of free speech but we do not have a right to force anyone to listen, and that is what terrorism does. It forces us to listen, to see, to wonder, and to fear. Terrorism is terrorism is terrorism. It does not matter what the cause is. It does not matter what the goal is. It is meant to instill fear - fear that will ultimately change your view, or your vote, or your willingness to live and enjoy your life. -- Because you are afraid. How many people were unwilling to fly on an a commercial flight after 9/11? How many will be fearful of trains, subways and buses now? Was it effective today? We'll know that when we look at how it may change the behavior of the 'many.'

Next let's look at what we can do to prepare, cope and prevail.

Back to the basics

2005-07-06T14:36:00.000-07:00

I started a post recently concerning some burglaries that had occurred in the Southeast, but as I looked back on my previous post- which was way out of hand – I decided it might be best to take step back. Why? Well given that many working in the security industry lack a strong grasp of the basics, I figured it might be a good idea to put a few of the fundamentals down before I try and tackle another huge topic – like arson. What a mess that was. I’ll work to keep a sort of “staccato” tempo to this since it can get boring quick… I know I sat through classes on in for years.

Security, as a profession, is an odd duck. Not many people – at least none that I have met – grow up wanting to work in security. Many had original aspirations for careers in law enforcement, others from the military, and others fell into it by happenstance (especially in the early days of computer networking). Further, the security industry, as we know it, is widely believed to have grown out of WW II. The specifics are not important right now, but security ‘in general’ goes back to the earliest days of commerce with merchant guards - and so on… What is important is the fact that many of the early practitioners came from government agencies – such as police, intelligence or military. Keep this in the back of you mind. With these individuals coming from such varied places, the methods were and are anything but standard. Although we are getting better, there are far too many that do not understand the basics.

So what is the role of security? The canned answer in any textbook is “to protect the assets of the company.” Unfortunately this leaves a lot to be desired but you get the point. It is fundamentally different from law enforcement because it is not necessarily trying to enforce the “law” but instead to defend the organization from threats that cause losses. The morality of a security program can be found rooted in the principles of self-defense.

The fundamental concepts within the security industry are Deter, Detect, Delay and Deny. These are the common concepts used in the process of planning security. Deter the miscreant. Otherwise detect them (preferably as soon as possible). Delay their success – with the intention of increasing their likelihood of apprehension, and finally to deny them the value of the asset. We’ll discuss these far more as time goes on, but they are considered to foundation for everything else.

The basic terms of security are assets, threats, weaknesses, vulnerabilities, risks, and countermeasures. Assets are the tools that allow an organization to do whatever it does, and they are what is protected from threats. Mind you these are non-market-based threats, which are those things that don’t come from fair play. Vulnerabilities are exploitable weaknesses. Risks are the probability that a threat may be realized and what level of loss it may cause – it is pretty much everything before it put in a blender. And finally, countermeasures are anything that is done, established, or constructed to thwart the successful completion of a threat.

That’s about enough of this for now. These things do get long quick, eh?

More later…
Rob
/

Fires - arson or accidental - devastating events

2005-06-26T09:31:00.000-07:00

This is a rather weighty topic to begin our discussions, but then why shy away from it anyway.

Apparently a fire was discovered at a church in South Bend, Indiana on Sunday, June 19, 2005, and in the initial investigation a "gas can" was found inside. It is still under investigation by local and federal authorities. What draws even greater attention to this incident is the fact that on June 29, 2004 another chapel on the 47-acre grounds was also burned down. That fire had been attributed to "a juvenile act." They did not have insurance to cover either loss.

To further quote another significant piece of the article....

"That's the bad part, " he [Emmick - the monastery administrator] said. "We really haven't recovered from the fire last year with all the collateral damage -- gas lines, electric lines. Now we got this one -- it's a little overwhelming."

So now what is there to discuss about this, or rather theses, incidents? It's in the hands of the police, right? Wrong. Pretend it is you and your organization in this situation, and I'll pretend it's a client. There are a couple of perspectives that this needs to be considered from. Such as the prevention and management of future events, the response to both of these events, and their resolution.

First - It has happened twice so how does the organization prevent it from happening again.
This is not to say that insurance should be sought immediately, since this won't prevent it from happening. However, we will come to the insurance side soon enough. Just how does one prevent an arsonist or fire destruction for that matter?

There are a number of methods and ideas that jump to my mind. Let's start at the beginning... It's all a function of access. How much, how easy and for how long. If this can be managed differently then it may be possible to prevent or to at least mitigate the potential loss. Since problems, or threats, stem from people (with the exception of natural events) we need to focus our efforts on disrupting theirs. We can do by altering the physical environment, increasing the presence of guardians, or with the application of technology. Yes, sprinklers do tend to do wonders when they are installed, but they are expensive to retrofit and this may violate codes dealing with historic sites.

So we shall assume that sprinklers are out of the question. How much time does a determined person required to start an effective fire in or on the remaining buildings? If we do nothing else, how can we reduce this window of opportunity? The arsonist(s) must penetrate the property line, advance to and enter the building, prepare the site (as an arsonist does), and escape while evading detection. By planning the fire the arsonist may be able to further limit the chance that the fire will be detected before it is firmly established when it is discovered. This ensures that no one will actively attack the fire until the fire department has arrived. Pretty dirty thinkin' huh. It's a must for the best protection planning. Thus our only real option is to shorten the amount of time it takes to detect a fire. How can this be done? Some will say start from the inside and work out, while others will go the other way. My advice is to pick a direction, plan it through, and then test it in the other direction.

For convenience we will begin with the outer perimeter or property line. This is 47 acres of land. To visualize it consider that if it were square than it would be roughly 436 meters on each side. That's over four football fields on a side - lots of perimeter. And the diagonal from each corner - using Pythagorean Theorem - is over 600 meters. Lots of turf to cover, right? Well maybe not, given how much the property line includes, it may be worthwhile to find a moremanageable area within to monitor. Either way the question becomes how is it to be monitored. Technology could be applied with motion activated lights, or a portable "motion detecting" alarm sensor. The specifics here aren't the point. Clearly, unless there are volunteers to literally watch over the land throughout the night, every night, technology might be the answer.
Or maybe the line of defense is drawn closer to the buildings or at the buildings themselves. Maybe motion activated sprinklers might be used to annoy an intruder on their way to the building. Motion activated lighting might be used too. However neither of these will necessarily be effective without some form of notification and investigation. So regardless of whether an alarm sensor or other motion activated device is used it is absolutely necessary to investigate their activation. Now, the manpower intensive method, as was used before such technology as was true in ancient Rome, are fire patrols - or vigiles as they were called in Rome. Maybe the buildings are inspected every 15 - 30 minutes. Patrols should then be visible, and noisy, to encourage the intruder to flight rather then fight. This is quite manpower intensive, but it may be the low cost option if there are volunteers willing to assist, or a guard service willing to donate the time to the church. This naturally brings us the interior of the building the installation of smoke detectors. And why stop there when other detection devices may be helpful as well. Such as motion sensors and the like. All of which are available in portable units, meaning not permanently installed, that utilize wireless communications. In some cases, these are designed to communicate over a wireless network connection for easy integration, management and communications with network computer systems.

Now that was entirely too long of a post. We undoubtedly will revisit this topic in the future. If nothing else we will discuss more on fire and arson - how to respond, assist with the investigation and so on. As for the issue of insurance... Many older structures are simply too expensive to insure given there historic qualities and so an organization must accept that risk. But above are few thoughts - and I mean just a few - on how to mitigate that risk. But remember that insurance can't bring it back properly once it's gone. This we will most certainly discuss more in the future.

Until then...
Rob
/

The beginning.....

2005-06-23T12:19:00.000-07:00

This is the start of what I can only hope will be a useful tool to a lot of people. After searching the web many times I have been unable to find many that are discussing how to protect houses of worship. That's right. Churchs, Mosques, Synagogues, and Temples of all kinds need to be protected. The times are changing or maybe they have just changed, but these facilities are often targeted for arson, burglary, robbery, and many other crimes. Why? Well, quite simply, they are soft targets for the bad guys. Unfortunately all the things that are most important to these locations for their members and visitors are also what often draws the attacker. However, it is not necessary to either give up these values and interests that make us want to visit houses of worship or to remain entirely helpless either.

This is the place where we will discuss how risk management works and how to apply it to sacred places. It's a process - not a product. This is a theme that will be repeated many times here. Effective programs require a systems approach... and so on with lots of industry jargon and complex mystical terms. This is the place where safety and security will be addressed the way it was meant to be, simply! It is not hard and it most certainly is not mystical. It should be methodical and well thought out. I should blend with an organization's culture. It should exist for the sake of the organization. So if it is going to work, it must work for the organization and support those goals.

Some risks are unavoidable, some avoidable, but all are managable in some way. First we recognize their existence and then we figure out how to best to deal with them.

Whenever there are no inquires to drive our discussion, we will make comments about articles in the news. Yes, believe it or not it would appear that from media sources that a house of worship somewhere in the U.S. is a target of crime everyday. Expand that to the world and it's gotta be a certainty.

Keep coming back. With a little luck you'll learn something that might prevent a problem at your location!!!