Introduction: The purpose of this article is to present some basic concepts of how to…
Low or No-Cost Security Measures
As states and counties begin to allow life to return to normal because the effects of and fears of the COVID-19 pandemic begin to wane, businesses are starting to re-open and people are beginning to return to work. Early signs are that the economy is going to recover, but in the short term, profits have been lost and debt may even have accrued to keep the business alive. In this environment, many capital plans will likely have to be cancelled or at least postponed, and this includes security improvements. While waiting for the security budget to recover, there are many low or no-cost security measures that could be implemented to provide much of the needed risk reduction.
A frequently overlooked cost saver is the existing employee pool. Depending on the size of the organization, this could be a relative army of eyes and ears that are already on the payroll. “Security is everyone’s business” may sound trite, but it is absolutely true. For example, during an interview with the staff of a hospital emergency department, the head nurse indignantly told a story about the time a suspicious character walked through the emergency department and “nobody” stopped him to check him out. This “nobody” comment was repeated like a mantra throughout the interview. Looking around, the people in scrubs clearly outnumbered people without scrubs; perhaps five to one or better. “By ‘nobody’” I asked, “exactly who are you talking about?” “Why, a security officer of course” was her reply. There were three security officers on duty to cover a whole medical center and about 700 other employees, yet the emergency department head nurse assumed a security officer was the only one who could approach a person who seemed out of place. Now, we aren’t talking about employees executing a full-blown hostile challenge every time someone suspicious is spotted. Any employee can get a feel for the intent, motives, or stability of a stranger by asking simple questions in a helpful manner: “Can I help you?” “Are you looking for someone?” “Do you need directions?” If the response sends up alarm signals, the employee can then back off and notify security to respond. This is an example of employees helping to detect a potential problem, but helpful and cheerful employees are also a great deterrent. The one thing a bad guy does not want is to be noticed. Multiple employees making eye contact and greeting them lets them know that they have been noticed and that will likely cause them to move on to other locations where the employees do not take such an interest in a new face.
Alert, vigilant, and participating employees do not just spring into existence. Written policies, procedures, and manuals create the foundation of an employee security program. They lay out expectations of employees and inform them of their role in the security program for controlling access, being vigilant, reporting suspicious behavior or workplace violence indicators, and protecting keys, combinations, and passwords. Creating a written security program does require a minimal investment to create, mostly in time. But even if a security consultant is needed to help with originally setting up the written security program, the modest investment reaps a high return on investment in terms of improved security.
Training employees is the equivalent of exercising for good health. Most organizations already have training programs in place for other subjects so the cost to add security elements is minimal. Initial orientation training on employee payroll, safety, sexual harassment, etc. can be joined by a module on security matters. Like many of these other programs, regular refresher training should be required; again, a security refresher module can be easily added to an employee’s time away from their regular work that is already scheduled and budgeted for. In between these formal training sessions, security training can be reinforced by security tips and reminders at pre-shift briefings, in employee newsletters, bulletin boards, and electronic message boards.
Physical security penetration testing is another low cost/high impact process that can keep security on the top of mind for employees. Penetration tests are simulated security breaches to observe the reaction of people, procedures or technology. If the simulated breach is detected and stopped, the organization can celebrate and promote the success. If the penetration test results in security breach, the communication can be used as a “teaching moment” and a reminder/retraining of the expected outcomes when a threat emerges.
Not all employees readily accept their role as a member of the security team. Some may have an aversion to reporting crimes, incidents, signs of impending workplace violence, or suspicious activity. Whether they do not want to be seen as a “snitch,” fear retribution, or think they’ll be ridiculed if what they report turns out to be nothing, many will turn a blind eye rather than stepping forward. An anonymous telephone hotline or other anonymous reporting mechanism can be the mechanism for getting these folks to step forward and be heard. A large organization may be able to set up its own hotline, but smaller organizations will likely find a third-party contractor serves the purpose well. The existence of the hotline needs to be a frequent subject of newsletters and bulletins. These days many people are used to the anonymity that they get online. Web-based comment forms that do not require a name or email address to post a comment will likely get a lot of traffic.
Changes to the physical security program can also be low or no cost and reap benefits far beyond the modest investment. A very basic access control principle is to reduce the number of entry and exit points to the absolute minimum, preferably just one (we’d prefer none if we only had the technology to beam people in). There are several benefits to this. If guards or electronic access controls are required at all entry points, a reduction in entry points, of course, reduces cost. Another benefit is that it increases the presence of employees at the remaining entry points so that more eyes and ears are traversing these critical choke points.
Just as your car, home, or even your body requires regular inspections and maintenance, security measures are kept functioning properly in basically in the same way. Is there security lighting? It needs to be inspected regularly, burned out fixtures replaced promptly, and fixtures cleaned periodically for maximum output. Security cameras? They also need to be inspected periodically, refocused as necessary, have the lenses or domes cleaned, and even seasonally adjusted for lighting conditions. Fences need to have rips, cuts, or tears repaired promptly to show all who may be watching that security is taken seriously. A “clear zone” on the inside and outside of fences needs to be maintained by taking out vegetation that obscures the fence, is damaging it, or provides a means to climb over it. Keeping stored materials away from a fence is critical; a forklift is a fence’s worst enemy. Doors, particularly access-controlled doors, need to be checked routinely to ensure they are closing and latching on their own. If not, the closer, the latch, or even the air pressure inside the building will need to be adjusted to ensure it closes and latches on its own, every single time. Just like taking care of your car is cheaper than dealing with a major repair bill, taking care of equipment is much cheaper in the long run than having to replace them.
Not many of us use the full capabilities of the computers or software we use every day, and the same is unfortunately true of access control and video surveillance systems. Access control systems can readily be used to provide some level of intrusion detection with door sensors and motion sensors reporting to a monitoring point through the access control system; no need for a separate “burglar alarm” system. The addition of a burglar alarm panel to route the alarms to a monitoring station makes full use of the sensors inputting to the access control system. Most access control systems can display alarms on an electronic map; it just must be loaded and programmed.
Of all the low cost security measures, integration of currently owned access control and video surveillance systems can perhaps provide the greatest return on investment When integrated, video cameras can be programmed to respond to alarms from the access control system. The video is “tagged” with the alarm, and the alarm and associated video are saved in the same database for archiving or evidentiary purposes. Surprisingly, many organizations have access control and video systems that are totally compatible for integration, yet for whatever reason they have not done so. Shame on their installation firms for not identifying this capability to their clients.
Security programs come in all shapes and sizes; and rightly so. Security should be tailored to the organization’s risk and the organization should undertake an assessment to determine what their program should look like, but fear of potential cost should not stop the process. An assessment should determine a desired end-state and the organization should then formulate a plan to reach that end-state in a reasonable length of time. As part of that plan, implementing low or no-cost security measures should take on a priority to reduce risk as much as possible while longer lead-time measures are working their way through the budget and the procurement process. Making employees part of the program, maintaining what is already in existence, and squeezing maximum use out of existing systems should all be part of the near-term implementation plan.