Totally Secure

Tuesday, May 1, 2007 - 11:37

Physical and electronic security is becoming more complex even as it remains paramount to business interests. David Braue discusses the changing nature of total corporate protection.

In January this year, as part of a guerilla marketing campaign in Boston, electronic devices were used depicting the Mooninites, characters from the Aqua Teen Hunger Force cartoon. Boston authorities, thinking the devices looked suspicious, closed down roads and waterways to investigate. It paralysed the city.

If nothing else, the event - which cost its perpetrators $US2 million in fines - showed that when it comes to security, nobody can afford to have a sense of humour.

But what would you or your staff do if unidentified devices showed up on your property? There has always been something unsettling about security. It is a concept every manager understands as essential, yet one in which most executives are still sorely under-educated. Even those who understand it worry that the bad guys know something they don't, that an Achilles heel is exposed.

The solution, traditionally, has been to outsource security to large men who patrol the premises and stare at monitors. While it may have been okay to let someone else take care of security in the past, more onerous governance requirements mean that managers cannot afford to be anything less than hyper-vigilant.

After all, the unseen enemy outside also has nearly unfettered access to tools of the trade that are vastly more sophisticated than those available just five years ago. Fortunately, businesses now have more options as well; the key for managers is securing both the funding and the will to keep up the defence.

"People are starting to get in a more preventative [mode] now, instead of saying 'something has happened and what do we do now?'," offers Michael Ramsay, Managing Director of security consulting firm Charter Security, which specialises in retail security and loss prevention for a range of blue chip clients.

All these clients are taking proactive steps to improve surveillance of their stores, both in terms of auditing employee performance and supporting employees when dealing with issues such as chronic shoplifters. In many cases, this simply means adding more video cameras, which has the side benefit of improving monitoring of site safety: "They really are becoming a management tool, and there's an audit trail for any type of accident or incident on site," Ramsay says.

Decades ago the major threat to goods-focused companies would have been the classic break and enter, but today's threat matrix has expanded with concerns over natural disasters, undetected employee fraud, internet-borne information attacks and potential terrorist strikes. With business supply chains often extending across the country or around the globe, the number of potential points of exposure continues to grow.

This is particularly the case when it comes to information technology security, since business managers depend on the assurance of others that critical customer and business data is protected from threats inside and out. Buoyed by public awareness of chronic virus infections and fear over theft of personal information, security vendors will be more than happy to sell you their latest and greatest tools for keeping the nasties at bay.

The key, as with so many other challenges, is to find someone you trust who understands your own security imperatives, and has the resources and ability to match it. In more and more cases, this means bolstering the traditional patrols of burly security guards with a range of surveillance and communications technologies offering more security possibilities than ever.

Sleep with one eye open

Apart from the guard, perhaps no security tool has been more widely used and appreciated than the security camera. Many have bristled at suggestions of open surveillance in public places, but the prevalence of closed-circuit television (CCTV) cameras makes it harder for wayward deeds to go undocumented. CCTV footage has been indispensable in ferreting out nightclub hooligans, identifying the September 11 and London Underground bombers, and myriad other high-profile security incidents in recent years.

In closed corporate environments, a well-designed camera infrastructure remains a basic line of defence; but new technologies make it easier than ever to deploy. Melbourne's Essendon Airport, a tier-two facility that has seen a resurgence in usage since it was bought by a Linfox-Becton joint venture in 2001, recently found out just how easy the process has become after a $1.9 million project in which it installed more than two dozen Canon VB-C50 surveillance cameras at strategic locations around its site.

Normally, such work would require extensive under-runway wiring, at high cost and significant potential business interruption - a real no-no in airports and other constantly operating environments. The cameras, however, use wireless transmission technology to constantly beam their signals back to a central monitoring and recording point. This seemingly simple difference sped up installation and kept costs to a minimum, allowing management to focus more time and effort on making sure the cameras provided blanket coverage of the site.

"We're often interfacing security with other systems," says Lior Rauchberger, a Director of Melbourne-based Urban Intelligence, a security consultancy that guided the Essendon Airport project and specialises in linking complex elements of security systems. This task, says Rauchberger, has become far easier since today's security tools are designed for interoperability, usually through internet protocol (IP) support that makes virtually any device accessible via the internet.

This product shift allows managers to deliver security environments they could only have dreamed of just a few years ago. For example, one law firm for which Urban Intelligence did some work linked the card identification system with the building lifts and lighting systems. When an employee swipes their ID card after hours, the system knows which floor they work on and automatically takes them there - and makes sure the lights in the appropriate area are on.

Add to the mix today's many-headed, constantly recording CCTV surveillance systems, many of which are small enough to be all but invisibly hidden in sensitive areas, and you've got a much higher level of workplace security than ever. It is entirely possible to monitor the activities of customers and employees at multiple outlets, spread across the country or the world, and then initiate a security response from a single desk.

Video images are, naturally, archived, but they can now also be transmitted - as still images or video clips - straight to managers' mobile phones for instant action. Even if an alarm isn't tripped, intelligent software tools can monitor incoming video feeds and alert managers if a permanent or semi-permanent object unexpectedly appears or disappears.

The contribution of such systems to employee and workplace safety is significant, and their presence can go a long way towards documenting management's due care should questions ever arise down the track. By combining various security equipment, and increasingly reliable and popular extras such as voice recognition, fingerprint scanning and other biometric identification, it is now possible to back even the most ambitious corporate security policy with enforceable action.

Towards a unified policy

You do have a comprehensive corporate security policy, right?

This, of course, is the formal written document that highlights the potential risk factors - identified during a comprehensive security audit - and the official response to those risks. The policy should address as many contingencies as possible, with clear actions and repercussions for particular incidents, and penalties for violating the policy. Your policy should also allow for formal training in identified problem areas, which is critical for ensuring that deficiencies don't stay that way for long.

Many employers may feel pressure from employees to shape security policies with kid gloves, or out of fear of falling foul of workplace laws. Here, openness during the policy-making process - as well as frank assessments of potential penalties for breaches - becomes critical.

"Staff will really rise to this challenge if you give them the opportunity," says Ramsay. "We're not asking employers to be confrontational, just proactive. We tell retailers to have a look every six months, and every three months if you have a real problem area. You've got to demonstrate a real duty of care."

Information security

IT may not be your direct responsibility, but information security is particularly important to address when dealing with your total corporate security defence. Given that the typical company's cache of critical goods and data is often balanced 50/50 in the real and virtual worlds, lax network security can be just as big a problem as poor perimeter defences.

In today's internet age, after all, your network may be just as easily attacked by someone on the other side of the globe as someone parked outside your building with a parabolic microphone or wireless local area network (LAN) snooper. The problem becomes even more pointed because there are an increasing number of situations - such as telecommuting, access from mobile phones and wireless LAN access - where temporary holes in network security are necessary but must still be protected from exploitation.

The worlds of physical and information security may seem quite different, but they share similar objectives and, increasingly, a similar vocabulary. This has led many traditional security companies into joint engagements with IT security specialists; you should be prepared to consider both realms within the same vision.

Although it's advisable to have an IT person handling the day-to-day management of your company's information defences, it's equally important that person be involved in discussions about the company's overall security objectives rather than being stuck in a back room with the computers. Increasingly popular IT paradigms, such as ITIL (Information Technology Infrastructure Library), reflect both business and information security as fundamental elements.

Whatever the case, ongoing support is essential. Make sure IT have enough funding for ongoing staff training; that they have formal processes for data protection as well as for keeping up with new viruses and newly discovered systems vulnerabilities; and consider evaluating an external managed security provider who can take some of the pressure off your own staff.

"We've got to be careful that we don't [minimise] the importance of security," says Andrew Barkla, Asia-Pacific General Manager of consulting giant Unisys. "Any manager has a responsibility, within the context of the business processes they are overseeing and the people fulfilling them, to map out the security blueprint that underpins the interactions they have with other stakeholders. Complacency is just not going to be accepted as an excuse."

Whether they're involved in physical security or information protection, getting to know and love your security employees is essential in making sure your overall security infrastructure is up to scratch. Although you'll probably never have to negotiate with kidnappers or blow up illuminated boxes making obscene gestures, taking responsibility for a total approach to corporate security now - before it's tested - will ensure you can better deal with whatever the world throws at you.

Key points for security

  • Increasingly strict governance requirements support a case for continuous monitoring of sensitive areas.
  • A formal, comprehensive written security policy is essential to outlining and enforcing the company's security objectives.
  • Since employees are a major source of security breaches, penalties for detection must be spelled out early and explicitly to avoid later confusion.
  • New, internet-connected security equipment can be pieced together in innovative and useful ways.
  • Don't treat IT as a world unto its own; total corporate security involves physical and information infrastructures, with openness and support essential.