INKAS continues evolution beyond cash and transport
INKAS Security Services, as a company, is going through a period of reinvention. Known for its armoured transport and cash handling business, there is a lot more in development, according to president and CEO Victor Goodman.
Goodman, who joined last year, is a veteran of the banking industry and a former top executive with INKAS competitor Brinks.
“To make a long story short, I am very keen and interested to take this business to the next level.”
Goodman doesn’t envision a large departure from INKAS’ core businesses — those are in the midst of expansion plans too, as the Toronto-based company rolls out its business across Ontario and into parts of Quebec and Alberta. However, the cash business is likely to occupy a smaller portion of INKAS’ business going forward, he says.
“We cannot be singularly focused,” he says. “As such, we need to have a broader scope on where we’re headed as a security company… We are not a one-trick pony.”
The company manufactures armoured vehicles to various specifications, including cash and valuables transportation, as well as luxury vehicles. But of increasing interest are different yet related industries like security software development.
The company’s software division, AppGear, has created products including a visitor management system called iLobby. Used internally by the company, it is also marketed to Fortune 500 companies as well as major infrastructure facilities like airports. The software, now almost three years old, “started off with just the functionality that we needed,” explains Paul Khakhan, CEO of AppGear, but has since “morphed into a solution that can accommodate the bigger needs of different types of organizations.”
“We push outside of the market boundaries,” adds Goodman. “And to push outside of the market boundaries, you have to build your own technology. That has been our roadmap from the very beginning.
“Our goal is to bake in a deep level of innovation with every product and service we provide. With research and development being a pivotal factor in our growth, we recognize the importance of continuing to push the boundaries, in order to further elevate INKAS as a brand.”
— Neil Sutton
A new vehicle from INKAS, the Iveco Daily 6 for cash management and transportation of valuable assets, designed for the European market.
Victor Goodman, INKAS
Collaborating against counterfeiters
At the 22nd annual Fraud and Anti-Counterfeiting Conference last December, law enforcement and private industry came together to discuss the problem of counterfeiting, identify tactics to pursue against counterfeiters, and learn how to work better together to protect Canadian industries.
On the last day of the conference, Detective Robert Whalen, from the Toronto Police Service, 55 Division, and Ron Wretham, president and COO, Investigative Solutions Network Inc., discussed what law enforcement, prosecutors and industry can do to help one another.
They focused specifically on the process of obtaining and executing search warrants, testifying in court, seizing evidence and providing proper disclosure.
Whalen began by explaining what he needs from private industry to obtain a search warrant.
First, he needs background on the individual, whether lawyers had served him or her before, if there had been complaints, etc.
When investigating a potential counterfeiter, he also requires surveillance. In Toronto, he explained, the police have a mobile support unit for surveillance. However, “if I go to them and say I want to put a surveillance team on a group of counterfeiters, it goes under the homicide calls, it goes under the sexual assault calls, it goes under the robbery calls, it even goes under the parking enforcement calls.”
He suggested that private industry can help by providing suspected counterfeit products to the police as evidence.
“We as police are sort of tied in with a lot of red tape if we want to put an undercover into a particular location,” he explained. Police have to fill out reports and arrange a backup team just to send someone into a store.
In contrast, private industry does not face the same constraints. They can buy counterfeit products, and provide police with authenticity reports, photos of the products, etc.
Additionally, private industry, law enforcement and prosecutors can work together when executing a search warrant.
“We, as private industry, are doing a lot of the heavy lifting.”
— Ron Wretham, Investigative Solutions
For example, Whalen and Wretham worked together to make multiple arrests and confiscate counterfeit products at the Pickering Market.
Before working with private industry, Whalen explained, he had to bring in 20 or 30 police officers and two or three security guards to confiscate counterfeit product at flea markets.
In contrast, with private industry’s involvement, only two or three police officers were needed.
“Things have flipped and now we, as private industry, are doing a lot of the heavy lifting and providing resources,” Wretham elaborated.
With 15 members of private industry and only four police officers, they came to Pickering Market and executed 30 search warrants.
The group went into Pickering Market when it was closed. The police broke the locks on the booths, and one police officer supervised as industry members took the counterfeit products. They then took pictures and samples of what they needed, and a team came in to bag it.
“Another police officer was by the truck outside and he was on the computer with a representative from our firm,” Wretham elaborated, “and he was logging every bag that came out and every sample that left the premises. It was checked by us and by the police.”
Once they had gone through a booth, the police officer would seal it and put a new lock on it.
After this experiment, industry and police have followed this example. Additionally, Pickering Market changed its contract with vendors to specifically prohibit the sale of counterfeit products, on penalty of eviction. Ultimately, police arrested five vendors and cautioned the other 25.
“That was an example where industry did all the heavy lifting and the police said, ‘We will do this again,’” Wretham said.
— Ellen Cools
Ron Wretham, president and COO, Investigative Solutions Network; and Robert Whalen, Toronto Police Service
By Ellen Cools
Team spirit between MLSE and Toronto police
Kevin Kempcke, director of security, Maple Leaf Sports and Entertainment (MLSE), strongly advises security directors to work with local partners, particularly local law enforcement and emergency responders.
Kempcke, who spoke at a recent ASIS Toronto chapter meeting, said his organization has strengthened its relationship with first responders through a new program, ERP — Emergency Response Portal.
Previously, “we couldn’t connect to the Toronto Police due to privacy … and we’ve been able to secure this technology to help us mitigate that,” he said.
ERP is a communication tool currently used by police across Ontario. The police can alert security staff to citywide incidents or incidents near the facility via text, voice or email, and security can alert police to incidents inside the venue.
If there was an incident outside the Air Canada Centre, “police will say, ‘Hey, I want to look at your Bay Street cameras,’” Kempcke explained. “They’ll ask for an invite. Because of the privacy commission, we have to have a paper trail. So a password will be created, I will send it to them, I’ll accept them to view only, no recording, and they can view my camera.”
The police access cameras and information through a dashboard. Kempcke showed attendees the Air Canada Centre’s dashboard, and demonstrated how the ERP works.
When first responders arrive on the scene, they will have “access to the cameras, they’ll know where any gas lines are, emergency shut-off. They’ll have our floor plans,” said Kempcke.
“This is not video management software, it’s designed to be interoperable with all police, fire and paramedics, and all camera systems on the market,” added Mark Macy, CEO and managing director, ERP, who was also in attendance.
“This is a continuum of public safety,” Macy said.
“That’s a piece of technology that’s been so important and it’s increased our relationship with our first responders, with Toronto police,” added Kempcke.
Kevin Kempcke, MLSE
A CLINICAL APPROACH TO SECURITY
In December, Canadian Security hosted its final event of 2017: Focus On Health Care Security. The seminar, attended by more than 100 security professionals, emphasized topics including: emergency management in health care, frontline security, data management best practices, and the future of training and certification.
Martin Green, Manager, Security, Telecommunications & Emergency Preparedness, Baycrest Health Sciences, and immediate past-president of IAHSS, closed off the day with a look at the past, present and future of health-care security.
Martin Green (left) presented the IAHSS Ontario Chapter Leadership Award to Aidan West, Manager, Integrated Risk Services, North Bay Regional Health Centre. Jeremy Bertrand accepted the award on West’s behalf.
A panel of health-care experts takes a closer look at issues affecting frontline security.
Craig Barretto, president at Nexgen Security Inc. and president of the Toronto Chapter of (ISC)², offered advice on how to recognize malware and ransomware.
Attendees had the opportunity to mingle with a wide range of vendor sponsors at the event.
By Martin Green
MORE RESOURCES REQUIRED
Minimum standards are not enough to prepare security professionals for the challenges of health care
When I first started working in health-care security in 1985, it was a very different world.
Security technology was bare-bones basic. CCTV systems were connected to time-lapse VCRs, card access systems were rudimentary. There were no computers, video analytics didn’t exist, there were no cell phones and nightly patrols were conducted with an old Detex Watchtour clock.
A lot has changed over the past decades. Our laws have changed, our technology has changed, our demographics have changed, our funding has changed and the public’s expectations have changed. What has not really changed are the training requirements for most security guards in hospitals across Canada.
“In many hospitals, health-care security officers are the first and last people the public may encounter in your facility.”
Training and licensing requirements vary from province to province across our country. At the lowest end of the spectrum is Newfoundland, where security guards are not required to have any training, testing or even a licence.
Other eastern provinces are not much better. Licences are necessary in Nova Scotia, Prince Edward Island and New Brunswick, but mandatory training or testing is not required.
In many hospitals, health-care security officers are the first and last people the public may encounter in your facility. They are your public ambassadors, and are often your fire department, police department, customer service department, hazardous response team, dispute and resolution mediators, and a long list of other duties.
The provincially mandated minimum standards do not properly educate or prepare security staff to work in a health-care facility. With all of the duties and responsibilities that are given to them, it is incumbent upon the facility to ensure that its staff are properly trained to handle these often complex and challenging responsibilities.
The International Association for Healthcare Security and Safety (IAHSS) is the only organization that provides a certification program designed specifically for health-care security personnel. The IAHSS certification is the best means to ensure that your staff are properly trained to understand and implement the important functions within your health-care facility on both a daily basis and when the unexpected occurs.
Recently, a report on violence in health care from the province of Nova Scotia stated:
A good security program may result in fewer injuries to staff, patients, and visitors. It helps staff feel supported and results in fewer lost-time incidents. Security can have a positive impact on patient safety, including the ability to follow a designated care plan. For this reason, security personnel should be considered part of the care team.
To ensure high quality security personnel, the length and content of security training programs should meet the standards set out by the International Association for Healthcare Security & Safety (IAHSS).
Security personnel must be trained before they work in a health-care setting. They should be offered ongoing training that is delivered by qualified personnel.
The job of a security guard in a hospital has changed over the years. Gone are the days of night watchmen.
Health-care facilities that rely on only the most basic of security guard training are opening themselves up to possible civil or criminal litigation for negligence or for failing to provide adequate security.
Security staff should have the best possible training, not just the minimum required training. A facility can reduce its risk by ensuring that all security staff have received adequate training.
Martin Green is the Manager, Security, Telecommunications & Emergency Preparedness at Baycrest Health Sciences in Toronto and immediate past president of the International Association for Healthcare Security and Safety (IAHSS). Green presented at Canadian Security’s Focus On Health Care Security seminar last December.
By Jason Caissie
GOALS FOR THE NEXT 40
The security industry has come a long way, but there is still work ahead
Forty years is a long time, all things considered.
In 1978, I wasn’t born yet, the Certified Protection Professional (CPP) designation was a year old, and the concept of information security meant something altogether different than it does today.
But I think we can all agree that what has changed the most is the security professional himself or herself. No longer strictly a middle-aged white male former policeman, but an increasingly diverse, educated professional who is able to speak the language of business.
“Our first priority must be to ensure that the public views security as a professional career.”
Perhaps it’s time for a bit of self-reflection so that we can chart the direction of the security industry over the next 40 years.
Improve the image of the security professional. Our first priority must be to ensure that the general public views a role in security as a professional career, because that visibility will translate into greater recognition among senior management AND attract better and more diverse talent to security roles. Public education in this manner does not come quickly or inexpensively and this will take the entire industry coming together (and spending together) to make this change.
Increase awareness among information security professionals. Too often, it’s us versus them. They don’t know we exist, or they think we’re all retired cops collecting a pension who only call them when our laptops don’t work. And why should we care about them? Take a look at the growth of their budget or head-count in your organization over the last 10 years and compare it to your own! Threats in the InfoSec space get much of the public attention, so promoting our role and professionalism to this group is almost as important as promoting it to the public. But this goal is all about small wins and creating relationships with your peers inside your organization or within related organizations (vendors, clients, professional associations).
Refine security education for all levels of security professionals. Security-related college programs with fantastic co-op placement opportunities are common in Ontario, and elsewhere in Canada, to the best of my knowledge. But graduates from these programs struggle to find good employment within the security industry and are often forced to start work as a security guard — a job for which they didn’t need to attend college. Educational offerings at the college level need to be more widely recognized by the industry, and the best ways of doing that are participating in course design/delivery and hiring the graduates. And while the CPP and other professional designations are great for confirming a common understanding of security principles, they are not a substitute for formal education for senior security professionals, which should be a graduate-level degree program.
Provide pathways for young people in the industry. Finding a job as a young person fresh out of school can be daunting and security professionals are not always the most welcoming, suspicious as we are! Networking geared towards Young Professionals within associations like ASIS is a great start, but these young people need mentors. Whether through a formal and structured process or just someone you stay in touch with, making yourself accessible to young people as a mentor is a great way of improving our industry.
Improve the gender (im)balance within the industry. The good news is that by pursuing these first four goals, we will probably already make an impact on this one; the bad news is that it still won’t be enough. Women make up a small portion of our industry and both the image and character of our profession suffer as a result. This too will take time, and we need to ensure our industry is both an attractive, and a safe, career choice for everyone. That means promoting fairness and transparency, discouraging an “old boys club” atmosphere and encouraging new approaches and styles.
There’s some food for thought. Agree or disagree?
Jason Caissie is the vice-president of operations for The Profile Group and a past chair of the Toronto chapter of ASIS International.
TIME TO CHANGE PERCEPTIONS
ESRM can help us redefine what it means to be a security professional
During 2017, I watched as our profession and ASIS International began down the Enterprise Security Risk Management (ESRM) path. We declared ESRM as one of our cornerstone objectives, touted its return at our Annual Seminar and Exhibits with sessions and workshops, and structured an ASIS Board Initiative to begin inserting ESRM into the DNA of our society.
Now, the hard work begins.
“We need to challenge ourselves to view our work differently.”
We need to challenge ourselves to view our work differently. I want to challenge the security professionals reading this column to identify themselves as risk professionals, and look at how their role can help enable their organizations by identifying and managing risks.
I know, some folks are going to say “but, Tim, I’m just a….” and fill in the blank with their current assignment. They may be a security guard at a facility, an information security analyst in a Security Operations Centre, or a loss prevention manager at a retail location. And their perception of their role is they complete a task, or series of tasks, for their employer.
I understand that’s how you get your paycheque, but what if you looked at your current role and figured out how it supports the business objectives of the organization by adopting ESRM principles? Let’s look at just one of the above examples and try to adjust our perception.
You’re a security guard at a building, but can’t link your role to ESRM principles. You have regular tasks to complete: rounds to conduct, facilities to check, reports to write, incidents to report. From an ESRM perspective, what if you looked at your role as continually conducting risk assessments for the physical assets of the organization? What if you considered every tour of the facility as an opportunity
to identify potential risks facing the organization, or to ensure that the physical assets the organization needs to operate are available and functioning properly? What if, instead of simply driving around the perimeter fence, you assessed the fence line from a risk perspective? What if you proactively reviewed that same fence line based on ESRM (what are the objectives, what assets do you have, what risks are facing the assets, what can you do to reduce the risk) and reported on potential vulnerabilities, not just its current state?
It seems like such a small change, but it’s a big step toward understanding and embracing ESRM principles and philosophies. These slight adjustments to our perception, to how we view our role as security professionals in an organization, begin the industry’s shift to ESRM. We shouldn’t wait for a new publication, standard, tool or certification to begin this journey — we can take small steps every day in our current roles and begin to see how our “tasks” can be looked at through the ESRM philosophy.
I’m not asking our industry to simply disregard our current mandates, and to not fulfill our contractual obligations to the organizations we serve. That’s not the point I’m trying to make — just the opposite. What I’m challenging security professionals to do, from this point forward, is continue providing their services, but begin seeing their daily tasks through an ESRM lens. This doesn’t involve rewriting contracts with companies or renegotiating job duties. It’s a subtle, practical and pragmatic approach to seeing our world through an ESRM perspective. We need to begin looking at our roles as if we are already engaged with the business, understand the assets required to achieve their objectives, and identify and help manage risks to these assets.
You don’t need to wait any longer — join me on this path in 2018.
Tim McCreight is the president of Risk Rebels Consulting Ltd. (www.riskrebels.com).
SEEKING SHELTER
A closer look at cyber insurance, its potential role in your organization, and what we still don’t know yet
By Ellen Cools
While cybersecurity may be a source of endless discussion in the security industry, cybersecurity insurance is a topic that CISOs and security directors may not be as well versed in.
What does it cover?
Put simply, cybersecurity insurance protects a company against a cyber incident.
According to Dominic Jaar, partner and national leader, forensic technology service at KPMG, a cyber incident could be a case of ransomware or a Distributed Denial of Service (DDoS) attack. It could also be an instance in which a hacker accesses your system, “downloading a large volume of intellectual property, therefore devaluing either your brand or the amount of money you spend in R&D,” he explains.
Grace Crickette Taylor, vice-chancellor for administrative affairs at the University of Wisconsin-Whitewater and a risk and compliance specialist, adds that there are a number of different categories cybersecurity insurance can cover.
This ranges from covering the “destruction, corruption or theft of electronic information assets/data,” to “business interruption loss caused by a material interruption to your computer system due to a breach of computer or network security,” to cyber extortion and cyber terrorism.
While there are a wide variety of cyber incidents, Imran Ahmad, partner at Miller Thompson LLC, believes there are three main “buckets of cost” that cyber insurance can cover.
The first bucket is legal fees. That means “everything from running an investigation from a legal standpoint to notification to individuals to dealing with regulators,” he says.
Second is the forensics or investigation aspect of a cyber incident, and making sure systems resume normal operations. According to Ahmad, this is probably the biggest cost covered by cybersecurity insurance. He estimates that insurers cover about 70 per cent of the cost of any incident.
The third bucket is providing crisis management consultants who can handle the PR and media strategy.
Greg Markell, president and CEO of Ridge Canada, a Canadian Managing General Insurance Agency that provides cyber insurance products, consulting and loss control services to insurance agents and brokers, says they chose to focus on cyber insurance because they saw an “underserved market.”
“Previously, the Canadian insurance market was providing the same applications and base policy language to companies that were $1 million in revenue to $1 billion, whether they were hospitals or widget manufacturers,” he says. “With this in mind, we continue to see an opportunity to help our broker partners with their conversations surrounding the transfer of the residual cyber risk that worries their clients.”
However, there is no standard for how much risk insurers absorb if an incident occurs.
“It’s all over the map to be honest with you,” says Dave Tyson, CEO of CISO Insights and a past president of ASIS International.
This is mainly because it is a very new area of insurance. While actuarial tables have been in place for 50 or 100 years for car insurance, for example, Tyson estimates that there is less than 10 years of data available for cyber insurance.
However, given the pervasiveness of breaches and hacking, Kirsten Bay, CEO of solutions developer Cyber adAPT, believes it’s no longer about if an incident will occur, but when.
“Customers say, ‘Well, you know I haven’t been hacked yet,’” she says, but “we see very significant indicators of compromise, and we see the adversaries trying to break in, akin to checking the windows and the doors.”
The impact of IoT
This is especially the case as Internet of Things (IoT) devices become more popular. As companies use more connected devices in their daily operations, cybersecurity insurance will change to reflect this. “The risk level or … the cybersecurity threat surface, is going to increase exponentially,” says Ahmad.
As such, he believes that doing the groundwork before buying an insurance policy will be even more important. Insurers will look at whether vulnerabilities in one IoT device will lead to vulnerabilities throughout the company, and whether companies have layers of technology or security to ensure that this cannot happen.
Depending on how IoT devices are integrated in the company, “insurers are going to want to see that you’ve done that diligence,” Ahmad says.
Additionally, insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security.
“The cybersecurity threat surface is going to increase exponentially.”
— Imran Ahmad, Miller Thompson
“What insurers are probably going to start asking for, and I’ve started to see this already, is, in your contracts, have you asked for security? Have you asked for them to give you indemnities in case something happens where their security was weak because of the hardware, and then what did you do on top of that to additionally protect yourself?” explains Ahmad.
Bay says she has also seen this happening.
“In terms of indemnifications,” she says, “I have seen, in service-level agreements for vendors, that you have to fully indemnify very large companies against an event, if … you were the initial entity by which that attack started to evolve.”
However, the strength of a cyber policy also depends on “connectivity, the type of user base you have, the type of individuals and the type of work they do,” she says. It also hinges on the type of industry the company works in.
Consequently, as IoT devices become commonplace, Bay says insurers will have to look at networking and the segmentation of networking differently because risk mitigation will be part of that discussion.
Meanwhile, Jaar believes that as IoT becomes more prevalent, more data will be gathered in real-time from different devices and systems.
Therefore, insurers will be able to determine the correlation between particular events, systems, approaches or companies.
This, in turn, “will enable insurers, as the market matures, to be extremely granular in how they price and what they decide to cover or exclude from an insurance policy,” he explains.
“If I had to look in 10 or perhaps 15 or 20 years from now, I would say cyber insurance would fluctuate every second, based on the risk that will be assessed by the system,” he adds.
Collaboration is key
So what does this mean when it comes to buying cybersecurity insurance?
Both Bay and Taylor say integrating the security practitioner or CISO into the overall business discussion is imperative to purchasing the correct policy.
Many companies, Bay says, view CISOs and security managers as separate from the rest of the business.
When buying insurance, the company should develop a “different communication structure where they’re integrating the security practitioner into the overall business discussion so they can be much more impactful in providing a view of what sort of risks can be mitigated through insurance and other risk policies,” she explains.
Taylor adds that CISOs and security managers should “partner with your chief risk officer and other experts, not just during the insurance buying process, but throughout the year with evaluation of the risk.”
She also suggests implementing a Security Enterprise Risk Management Program (SERMP) to help “keep a pulse on the exposure/risk and allow you [the CISO or security manager] to be prepared to present your organization in the best light to the insurance underwriters and obtain the broadest coverage at the optimum price for your organization.”
Jaar agrees that more collaboration is necessary for larger companies, since the CISO or CIO generally is not an insurance specialist, and a company’s insurance specialist is rarely an IT or security specialist.
“It needs to be a joint effort, talking amongst specialists,” he explains, “and if the expertise does not exist internally, then [large organizations should] rely on third party independent advice.”
However, he finds that in smaller organizations, the biggest mistake is undervaluing or overvaluing the insurance.
Some CISOs say they should take the most expensive premium because their company does not invest in IT and information security. The opposite also applies; some say they should take the smallest premium because their company is highly invested in security services, he explains.
“I think at both extremes, it’s a massive mistake,” Jaar says. “Even if you have the most robust system, methodologies and team in place, you may still want to have the most expensive insurance policy if the risk you’re trying to cover cannot be mitigated through the highest level security.”
Tyson says that he has seen many organizations who, in the process of purchasing cyber policies, had to make very detailed disclosures about their security operations.
“It’s important, I think, for cybersecurity folks or security risk managers in general to make sure that they’re answering these questions in a way that doesn’t put their companies at risk,” he adds.
“What happens if the insurance company gets breached? Now the information that they have on you about all of the inner workings of your security is publicly available,” he says. “So you’ve actually got a vendor security risk associated with this information.”
For Ahmad, the biggest mistake CISOs and security directors make when looking to buy a cybersecurity policy is assuming it’s “one size fits all.”
“They think there’s one single product that will just be perfect for their organization, but it’s not that way. You have to have a real conversation with folks, especially on the insurance brokerage side, to figure out what works for you,” he explains.
“Working with the security industry to focus on client-oriented solutions will be paramount to provide companies with the necessary solutions and protections for an increasingly challenging operating environment,” adds Markell.
Integration
This extends beyond choosing a policy. Integrating your cybersecurity insurance into an overall risk mitigation strategy also involves collaboration.
“Like any good business strategy,” adds Tyson, “you have to have a good partnership between your cybersecurity team and your insurance team, and/or any risk managers that are involved in the decision-making.”
Additionally, CISOs and security directors should be aware that buying a cyber policy is not holistic, says Taylor. She advises leveraging the insurance program to provide holistic coverage for information technology.
IT has a number of risks, “so the complexities of your insurance program need to align with the complexity of your information technology,” she explains.
“It’s not just insuring your system or your data, but understanding where your data goes.”
Additionally, if the board of directors or leadership wants cyber insurance, strengthening and changing the policies and procedures of the company’s IT expertise environment might be necessary, she says.
“There’s a misconception in the market that you can just transfer the risk automatically,” adds Ahmad.
“The insurers will make you go through a questionnaire and make sure your risk profile is as low as possible so you can get the best premiums in place.”
Likewise, it’s important to remember that employee training, penetration testing and risk assessment are still necessary, he says.
“I think you have to do all of that, and then add the insurance piece,” he explains. “It just mitigates some of the costs relating to risk — it doesn’t take away the entire risk.”
However, Tyson says that when integrating a cyber insurance policy into a risk mitigation strategy, you should also account for the likelihood that the policy will be executed.
“A simple example would be if you have known cybersecurity holes or issues that you can fix for $1 million, and a cybersecurity policy is $1 million, the question is should you spend the money on closing the hole so you don’t get hacked, or should you just pay the insurance to try to reduce the pain if you do get hacked?” he explains.
These are the types of questions he believes CROs, CISOs and other decision-makers should address together to determine where their money is best spent.
The future of cyber insurance
Consequently, Tyson is not convinced that cybersecurity insurance is a necessity right now.
“I think that there are cases and there are investment scenarios where it makes sense,” he says.
But he finds that, ultimately, “it’s about ensuring that you have the right analysis, just like any other business insurance or risk management process.”
However, cyber insurance will only become more popular, Markell says.
“This is absolutely a growth market within the insurance industry. Current penetration rates globally and Canadaspecific are rising, and the prevalence of incidents is not decreasing,” he says.
Bay, Jaar and Ahmad also believe cyber insurance will gain importance.
“Given how pervasive cyberattacks are these days, [given] what feels like this ocean of adversaries who have many different ways of penetrating a network and an environment, it just is an element of protection that companies need to have,” Bay concludes.
GardaWorld protects your employees and assets in any situation
Risk management and consulting services to help protect your people and assets
Our team draws from GardaWorld’s in-house and unique expertise to determine the best service offering to plan for recovery efforts. We are able to collaborate with both your teams and public forces to ensure that your people and business are taken care of in the event of a disaster.
GardaWorld’s national control centre operates 24 hours a day, 7 days a week, all year round and is supported by four additional control centres. Our operators constantly monitor clients’ sites and employees on the field to assist and coordinate rapid emergency responses. Our disaster recovery and safety services include:
■ Fast deployment of mobile patrol units
■ Audits and security risk assessments
■ Evacuation procedures
■ Rescue in high altitude and confined spaces
■ Industrial firemen and first responders
■ Access control and crowd control services
■ Consulting and operational support
Contact us for more information
1 855 GO GARDA (464 2732) garda.com/patrols
Finding a shot in the dark
How recent improvements in gunshot detection technology can improve response times
By Joe Oliveri
The difference between life and death can be greatly impacted by the quick response from security and law enforcement teams, and with today’s emerging technologies, there are security solutions available to help detect an active shooter and alert the appropriate parties.
Intelligent technology to help protect patrons
Gunshot detection technology could easily be misinterpreted as a heavy lift for security and IT departments; however, risk managers and building owners might be surprised to learn that gunshot detection systems can be easily integrated into existing infrastructure. Access control, alarm panels, video surveillance, mass notification and mobile application technologies, among other traditional security features, are compatible with active shooter detection systems. While billions are spent annually on security systems, syncing the shooter detection system with an existing system can be a powerful addition to an overall security strategy to help protect patrons from gun violence.
Dating back to World War I, gunshot detection technology originally relied solely on acoustic feedback to detect a gunshot. Unfortunately, acoustics proved to be difficult to depend on alone due to sounds being misinterpreted. Today, new advancements, such as sensors that can spot infrared flashes as an additional way to confirm a gunshot, can be implemented with traditional security systems like video surveillance to enable more accurate and near real-time notifications. This dual authentication helps to reduce false
alerts and cuts down on the time previously needed to have an expert verify the acoustics of a gunshot. Beyond the gunshot detection itself, live video surveillance footage and building floor plans can be integrated to provide first responders with the most up to date status and an enhanced understanding of the situation. This permits emergency personnel and security professionals to be alerted within seconds of the first shot, allowing them to more efficiently respond to the area where the event is occurring.
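The "dual authentication" described above pairs an acoustic impulse with an infrared flash from the same area before anyone is alerted. The following is an added illustration, not code from the article or from any vendor's product: it correlates two constructed sensor event streams within a short time window, discards events that have no partner (a dropped tray, a sunlight glint), and builds the responder payload by looking up the confirmed zone in a constructed floor-plan table. Zone names, camera names, the 250 ms window and the event format are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SensorEvent:
    kind: str   # "acoustic" (impulse detected) or "infrared" (muzzle flash detected)
    zone: str   # hypothetical zone id where the sensor is mounted
    t_ms: int   # milliseconds on the shared sensor clock


@dataclass(frozen=True)
class ConfirmedShot:
    zone: str
    t_ms: int


# Constructed sample stream: one true shot in zone A (acoustic + IR 40 ms apart),
# an acoustic-only impulse in zone B, an IR-only flash in zone A, and an acoustic
# event in zone A whose only nearby flash is in a different zone (C).
SAMPLE_EVENTS = [
    SensorEvent("acoustic", "A", 1000),
    SensorEvent("infrared", "A", 1040),
    SensorEvent("acoustic", "B", 5000),
    SensorEvent("infrared", "A", 9000),
    SensorEvent("acoustic", "A", 12000),
    SensorEvent("infrared", "C", 12010),
]

# Constructed floor-plan lookup: zone -> floor and nearest camera for responders.
SAMPLE_FLOOR_PLAN = {
    "A": {"floor": "2", "camera": "cam-2-west"},
    "B": {"floor": "1", "camera": "cam-1-lobby"},
    "C": {"floor": "2", "camera": "cam-2-east"},
}


def confirm_shots(events: List[SensorEvent], window_ms: int = 250) -> List[ConfirmedShot]:
    """Return a shot only where an acoustic event and an infrared event from the
    same zone fall within window_ms of each other. Each IR flash confirms at most
    one acoustic impulse, so a single flash cannot inflate the shot count."""
    acoustic = sorted((e for e in events if e.kind == "acoustic"), key=lambda e: e.t_ms)
    infrared = sorted((e for e in events if e.kind == "infrared"), key=lambda e: e.t_ms)
    used_flashes = set()
    confirmed = []
    for a in acoustic:
        for idx, flash in enumerate(infrared):
            if idx in used_flashes or flash.zone != a.zone:
                continue
            if abs(flash.t_ms - a.t_ms) <= window_ms:
                used_flashes.add(idx)
                # Report the earlier of the two timestamps as the shot time.
                confirmed.append(ConfirmedShot(a.zone, min(a.t_ms, flash.t_ms)))
                break
    return confirmed


def alert_payload(shot: ConfirmedShot, floor_plan: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Enrich a confirmed shot with floor and camera so responders get location,
    not just a sensor id. Unknown zones are passed through with placeholders."""
    info = floor_plan.get(shot.zone, {"floor": "unknown", "camera": "unknown"})
    return {
        "zone": shot.zone,
        "floor": info["floor"],
        "camera": info["camera"],
        "t_ms": str(shot.t_ms),
    }


if __name__ == "__main__":
    for shot in confirm_shots(SAMPLE_EVENTS):
        print(alert_payload(shot, SAMPLE_FLOOR_PLAN))
```

Run against the sample stream, only the zone A pair at 1000/1040 ms is confirmed; tightening the window to 10 ms suppresses even that pair, which is the tuning trade-off between missed shots and false alerts that the article's "expert verification" step used to absorb.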
Where gunshot detection technology is most valuable
Areas where there is a constant flux of people are the most vulnerable to gun violence. The most susceptible areas range from entertainment venues like casinos and concert spaces to facilities like schools and hospitals. All of these locations experience high volumes of traffic across different levels or floors, which poses security challenges when it comes to identifying suspicious or criminal activity.
For example, entertainment venues serve as a meeting place for people to enjoy themselves in an exciting atmosphere. However, the constant flow of people presents safety hurdles for security personnel. Not only do they need to keep the public safe, but they also need to protect staff and any talent presenting at the venue from a potential violent situation. By integrating active shooter technology with their current security system, entertainment venues can better keep all parties safe and speed up any necessary responses from law enforcement to a harmful incident because of the more accurate information gathered through the technology. Having the correct location of where an active shooter event
is happening can also help start lock down procedures or evacuations faster for staff and visitors to keep them out of harm’s way.
Improving response rates
Reducing response time to a potential threat is crucial for high trafficked areas. The near real-time information provided by gunshot detection technology is a quicker and more effective way for law enforcement and first responders to receive the information they need to properly address a situation. Upon arriving to a gun violence scene, first responders speak with witnesses, security teams and building or venue management to gather intel. They also review the video surveillance systems and the footage captured during the event. When combined with the latest gunshot detection technology, these systems can support their response efforts through the plethora of additional information they are able to attain. Collecting the most accurate information is critical for response teams as data shows that most active shooter incidents are over within minutes, and police are trained to neutralize an active shooter as soon as possible.
Active shooter technology is a long-term investment that can ultimately improve security measures far into the future for soft targets such as entertainment venues. While hopefully it never needs to be used, the technology can help minimize lives lost and accelerate response time by providing vital information to first responders, security personnel and building or venue managers to help keep patrons safe.
Joe Oliveri is the vice president and general manager, security, for Johnson Controls Building Solutions North America (www.johnsoncontrols.com).
Busy, open areas with heavy pedestrian traffic, like malls and entertainment venues, may be vulnerable to attack and thus may benefit the most from the integration of gunshot detection technology.
Q & A with Alex Manea, Chief Security Officer, BlackBerry
Alex Manea has worked with the Waterloo, Ont.-based company for 11 years now, first as a product manager within its security division, and more recently as director of security, then chief security officer. Canadian Security recently spoke with Manea about the transition and how he works with customers to cater to their security requirements.
Canadian Security: What is your role in BlackBerry?
Alex Manea: When I joined BlackBerry, I was very much focused on the product management side of things — working with high-end customers like the U.S. government, like major U.S. corporations, to understand their security needs. And so over time, my role has evolved into more of an executive level role where now I look over all of BlackBerry’s security strategy and make sure that we’re staying one step ahead of where the market is going and where the hackers are.
CS: Who looks after the security of the physical infrastructure?
AM: Mike Webber looks after the internal security of BlackBerry. His title is CIO. The CIO is responsible for protecting BlackBerry as a corporation from external hacks and the CSO is responsible for protecting BlackBerry customers… The majority of the physical security falls under the CIO organization.
CS: What is your relationship with customers?
AM: Really, the big thing I try to understand is, what do customers need and what are they looking for when it comes to security? Different customers obviously have different levels of security needs. When I travel down to Wall Street, for instance, you’re going to get a certain set of security requirements. They’re going to be different than government security requirements [or] individual security requirements that are much more focused on privacy. Every single customer set and every single customer base has different security requirements. My job is to understand all of those requirements and try to figure out how we translate those into product requirements and give customers what they really need. At the same time, we also start running into the “innovator’s dilemma” where customers won’t always know what they need or won’t always tell you what they need. A lot of my work involves working with external entities like security researchers and hackers and understanding what are they looking at, not just in terms of products but in terms of the industry as a whole and what are the key trends that we need to be aware of if we want to stay ahead of the game.
BlackBerry’s corporate headquarters in Waterloo, Ont.
CS: Serving so many different industries, each of which has different challenges, how do you stay ahead?
AM: It’s always a challenge. Really, the big thing that we look at is, what are the common factors across all of the different regulatory bodies and are common across all of the different
markets. If you look at, for instance, a market like Europe, there’s a lot of talk about GDPR (General Data Protection Regulation), but the reality is [with] GDPR, a lot of the requirements are basic security principles, and basic security know-how. We can take a lot of the stuff that we do for GDPR and apply it to the North American market and the Asian markets as well. Where there are specific requirements for specific markets, we have to start evaluating those and see how we meet those requirements without stepping on the toes of other countries or other regions of the world.
CS: How much of that is poured back into the R&D of future products?
AM: Pretty much 100 per cent of it. It’s important to understand that when it comes to security development, there tends to be a long lead time with getting all the requirements into the products. A lot of what I focus on is not, what are the requirements today but what are the requirements two, three, five years down the road? Those are the types of timelines that we’re looking at for R&D, especially if the requirements require a fundamental re-architecture of a specific product or a specific solution. A lot of what we do is about looking to where the market is going and focusing there rather than necessarily focusing on the specific requirements of today.
CS: How is your role evolving over time?
AM: What I see about my role is it’s becoming much more strategic. If you look at where CSOs and CISOs were five to 10 years ago, it was very much tactical, very much reactionary: “Oh my God, we’ve been hacked! What do we do now?” That was very much the mindset of CSOs. These days it’s becoming a lot more proactive and much more [about] not “How do we recover from this fire?” it’s “How do we prevent forest fires?” To me, that’s the right approach that every CSO should be taking — being more proactive and figuring out how you build a strong platform that’s less vulnerable to hacking rather than focusing on what happens once you’ve been hacked.
By Derek Knights
YOUR FELLOW MILLENNIALS
Not Everyone Gets A Trophy –How to Manage the Millennials
By Bruce Tulgan Wiley
ISBN: 9781119190752
Bruce Tulgan’s new volume is the revised, updated version of his similarly titled “Not Everyone Gets A Trophy – How to Manage Generation Y” I reviewed almost nine years ago.
It’s time to revisit it in this new edition subtitled “How to Manage the Millennials.”
Tulgan is a lawyer and management consultant specializing in “generational diversity.” He’s observant, too.
Almost everyone born in first-world societies since about 1990 grew up with a computer in the house and as a learning tool at school.
School was likely the last place they picked up a book made of paper. Electronic devices were a primary mode of communication — none likely used a phone with a cord after five years old. Parenting was collaborative and children were equal (or nearly) partners in decision-making.
Facing challenges in funding and enrollment, universities morphed from institutions of higher education to quasi-agents of corporate and private sponsors and promoted the “customer experience” to attract tuition dollars. It seems they graduate students more from an obligation to a contract than to provide an adequately educated person to society.
Dinosaurs like me may bemoan a dearth in the depth of knowledge in this generation in the workplace but we are the annoying minority now. The older of these “kids” are approaching 30 and increasingly in management positions in major corporations.
They dislike it if we point out what they don’t know and remind us that “if I need to know it I can find it in 15 seconds if the Wi-Fi is decent.” It’s hard to argue with that.
Tulgan tells us “millennials are NOT a bunch of disloyal, delicate, lazy, greedy, disrespectful inappropriate slackers with short attention spans” but people who “want leaders who take them seriously … who set them up for success … not leaders who humour them (and) pretend they are succeeding no matter what…”
He backs that up with 10 fascinating and informative chapters that draw you in like mystery thrillers and evoke emotions like anger and frustration but still reveal a satisfying resolution.
He shows what today’s business leaders need to learn through stories and examples from both the longterm infrastructure (we dinosaurs) and millennials themselves. Each time you
recognize yourself, it’s a little humbling. We are not the bad guys but neither are the millennials. Tulgan describes what each side needs to do to blend two distinctly different “mettles” into one strong alloy. Each needs to melt and harden and some of the chapters, such as “Give Them the Gift of Context”; “Teach Them How to Manage Themselves”; “Teach Them How to Be Managed by You”; and “Retain the Best of Them, One Day at a Time” describe how to do that.
Here’s a challenge I predict, though. It will be hard to get your senior managers to read this book with an inquisitive, open mind, and learn from it.
But many will. Millennials perhaps won’t. But keep pushing. It’s the best way to see into the minds of the others — and the stories in this book are from both sides of a still-spinning coin.
I reread this book (delighted to find it had been updated) after reviewing the excellent “The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters,” by Tom Nichols. At the time, I recommended business managers read Tulgan’s book. I’m mirroring that recommendation here.
Derek Knights, CPP, CISSP, CFE CIPP/C, PCI, is the senior manager, strategic initiatives, global security and investigations, at the TD Bank Group (www.tdbank.com).
CYBER GOALS FOR 2018
David Masson is the Country Manager, Canada, for Darktrace.
With 2017 now behind us, many CIOs are looking ahead. They’re grappling with big questions but the No. 1 priority should be cybersecurity.
The traditional approach to cyber security is outdated
With an advanced threat landscape that doesn’t discriminate hospitals from corporate giants, how can companies keep their networks safe? The first step is to realize that traditional approaches to cybersecurity are outdated. Most legacy tools are inherently retrospective, relying on past attacks to inform defence strategies about future ones. As such, they are only able to stop known attacks under certain circumstances and miss out on important categories such as unknown threats, third-party vulnerabilities and insider threat. As more sophisticated and stealthy attacks emerge, security solutions must also evolve. Businesses can’t afford to let success hinge on outdated security protocols, but rather they need to embrace a more future-forward approach to cybersecurity in order to meet the threats of 2018 and beyond.
The introduction of genuine machine learning that learns from live data in complex networks is a crucial step forward. It represents a paradigm shift in cybersecurity by going beyond knowledge of past attacks, harnessing AI technology capable of detecting and neutralizing emerging cyber-threats, without relying on any prior knowledge. It’s a defence platform uniquely capable of helping organizations stay one step ahead of tomorrow’s attacker.
You can’t protect what you can’t see
Many CIOs and IT departments think they have a good handle on the number of devices that connect to their network. But with networks exploding in digital complexity no human security team can account for every device on the network. It is hardly surprising then that most times our technology deploys into a network, we find upwards of 30 per cent more devices than expected. Today’s networks include physical, virtualized, Cloud, non-traditional IT, and industrial control systems. This proliferation of inroads into the network opens up new opportunities for cyber criminals to strike through the weakest link. New forms of attack are inconspicuous, moving laterally in networks before sounding off any alarms. Subtle changes in the ‘normal’ pattern of life in a network are incredibly difficult to detect and yet they are the harbingers of the most sophisticated and lethal cyberattacks.
Attackers aren’t just stealing data — they’re manipulating it
Today’s subtle and sophisticated attacks strike at the heart of the digital economy: the integrity of data. Covert threat-actors are no longer motivated by financial gain alone. Instead, they also want to cause long-term, reputational damage to individuals or organizations through the erosion of trust in the accuracy of data itself.
This scenario is particularly worrying for industries that rely heavily on public confidence. While some high-profile breaches like 2016’s DNC attack and the alleged tampering of the U.S. presidential election may seem straight out of a movie, tomorrow’s cyber-attacks will make it harder than ever to parse fact from fiction.
Consumer devices will be held for ransom and this will impact your business
Ransomware has plagued companies around the world. The pernicious malware encrypts critical files at a speed that is virtually impossible for any human to keep up with and demands hefty fees from affected companies if they want to regain control of their information assets. Hospitals that have gone digital
over the recent decade are prime targets. From life-saving medical equipment to critical patient records to diagnostic devices and staff computers, hospitals are exploding in digital complexity, while also lacking the resources to keep ahead of an intensifying cyber climate. In 2018, it’s incredibly likely that we will continue to see a new type of extortion on a micro level, as consumers are targeted across a range of connected objects. Imagine getting home and turning on your smart TV only to find that cyber criminals are running a ransomware attack on your device. Would you pay $50 to unlock it? And if this could happen in your home, imagine the implications for your business.
Artificial intelligence will be used as a weapon
Artificial intelligence is exciting for many reasons, but it’s not only in the hands of the good guys. In 2018, we are likely to see attackers using AI to wield highly sophisticated and persistent attacks that blend into the noise of busy networks.
We have already seen the first glimpses of attacks going in this direction with automated polymorphic and metamorphic malware. Polymorphic malware, which changes its attributes mid-attack to evade detection, has reinforced the obsoleteness of signature-based detection methods. It self-learns and understands its environment and network before choosing its next action. Automation has also been a major factor in the resurgence of ransomware. Based on this, we anticipate that artificial intelligence threats will be similar, with AI-powered malware sitting silently on a network, observing its surroundings and learning how to disguise itself.
PRODUCT FOCUS ACCESS CONTROL
Biometric scanning hardware
Shuttle Computer Group
The BR06 Series of intelligent, all-in-one biometric scanning hardware features faster recognition speeds, a larger user database and lower power consumption. The BR06, BR06V2 and BR06S also initiate secure door access; models differ by OS, CPU, and Internet access options. Shuttle’s BR06 Series can be customized for only facial recognition, only fingerprint, and/or only NFC/RFID card reading for single-, double-, or triple-authentication. The BR06 and BR06V2 connect to a server for identity verification; the BR06S is a standalone system that is plug-and-play. The BR06 Series starts with a seven-inch LCD touch-screen panel. Each has two cameras, one for IR camera and one colour; a fingerprint scanner; a speaker for audible confirmation; and an RFID reader. us.shuttle.com
Exit devices
ASSA ABLOY
The new EX Series Exit Devices feature flexible designs, with simple and adjustable installation. Complete with four models, EX Series features impact bumpers to reduce sound; a horizontal and vertical guide with return control for smoother operation; the universal hardware kit for aluminium, hollow metal and wood installations; modern, contoured design with matching metal end caps and cut-to-length in field installation options. Models include: EX88 Interlocking Rim Exit Device; EX89 Pullman Rim Device; EX76 Concealed Vertical Rod Exit Device; and EX80 Dummy Push Bar. The Exit Devices come in three different lengths: 30-inch, 36-inch and 48-inch and can be cut to length in the field, with metal end caps specifically designed to cover any cuts. All models of the series come with a universal hardware kit.
adamsrite.com/Exits
Push notification feature
3xLOGIC
3xLOGIC announced a new push notifications feature has been added to its infinias access control software. Users receive push notifications directly to their mobile device using 3xLOGIC’s Site Access mobile app available for both iOS and Android devices. infinias Push Notification allows users to proactively manage their access control system. With infinias Push Notification, users can be notified when a door is propped open, left open, or in an override state, such as Lockdown. Users are also notified when there is any activity before or after normal work hours. The infinias rules engine generates the notifications allowing the user to program who to notify, what hours of the day to notify them, from which doors to receive notifications, and define the specific events which trigger notification. www.3xlogic.com
Emergency exit option
Yale
The A-ALR Emergency Exit Option for 6000 Series Exit Devices from Yale Commercial has all the features of an alarmed exit device and is suitable for commercial applications concerned with loss prevention. The product features a durable aluminum rail design with ANSI/BHMA Grade 1 certification. The built-in alarm is powered by a 9V battery and sounds at 90 dB at 10 ft. from the device. Other features include several alarm modes, low battery warning, tamper resistance and a red LED indicator to display that the device is armed.
www.yalelocks.com
Wireless keypad
Danalock
Danapad is a wireless, smart access keypad that enables homeowners and businesses to manage secure access for delivery, contractors, cleaning and pet services, and those without a smartphone or access to the smart home system such as children, elderly residents or visitors. Danapad’s small footprint (35mm x 82mm) provides an out-of-the-box solution that requires no permanent alteration to the door or entry area. Designed for all weather extremes, Danapad works well in hot and cold climates and can withstand the effects of salt, fog, and rain. Danapad is managed via the Danalock App, a Cloud-based access control application that enables the user to provide one of three levels of access to guests: permanent, recurring, or temporary/one-time. Visitors enter their four- to 10-digit pin codes into the keypad, which connects to the smart lock via Bluetooth to unlock the door. www.danalock.com
Door controller
Johnson Controls
Johnson Controls announces the Kantech KT-1 single door controller with embedded simplified access control software for one door systems. With KT-1’s new Standalone Mode, using a dedicated web browser, the KT-1 Ethernet-ready single door controller can be controlled and managed via web-based software. EntraPass software is not required, which the company says makes the KT-1 a viable option for small businesses and individuals with basic access control needs. www.kantech.com
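The 3xLOGIC entry above describes a rules engine that decides who is notified, during which hours, for which doors and for which events (propped open, left open, lockdown override, after-hours activity). The following is an added example of how such a rule set can be expressed and evaluated; it is not 3xLOGIC's code and does not reflect how infinias is implemented. Recipient names, door names, event names, the 08:00 to 18:00 business window and the sample event log are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DoorEvent:
    door: str        # constructed door name, e.g. "server-room"
    event: str       # constructed event name, e.g. "door_propped"
    at: datetime     # local time the controller reported the event


@dataclass(frozen=True)
class NotifyRule:
    recipient: str                       # who to notify
    doors: FrozenSet[str]                # which doors; empty set means any door
    events: FrozenSet[str]               # which events; empty set means any event
    hours: Optional[Tuple[time, time]] = None  # (start, end) window; None means always
    outside_hours: bool = False          # True: fire only OUTSIDE the window (after-hours rule)


def _in_window(t: time, start: time, end: time) -> bool:
    """Half-open window check that also handles windows crossing midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def rule_matches(rule: NotifyRule, ev: DoorEvent) -> bool:
    """A rule fires when door, event and time-of-day constraints all hold."""
    if rule.doors and ev.door not in rule.doors:
        return False
    if rule.events and ev.event not in rule.events:
        return False
    if rule.hours is not None:
        inside = _in_window(ev.at.time(), *rule.hours)
        if rule.outside_hours == inside:
            return False
    return True


def route(events: List[DoorEvent], rules: List[NotifyRule]) -> List[Tuple[str, str, str]]:
    """Return (recipient, door, event) triples for every rule each event triggers.
    Evaluating every rule, rather than stopping at the first match, lets several
    people be notified about one event."""
    return [(r.recipient, ev.door, ev.event)
            for ev in events for r in rules if rule_matches(r, ev)]


BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed rule set mirroring the cases named in the product description.
SAMPLE_RULES = [
    NotifyRule("guard-desk", frozenset(), frozenset({"door_propped", "door_left_open"})),
    NotifyRule("facilities", frozenset(), frozenset({"access_granted"}),
               hours=BUSINESS_HOURS, outside_hours=True),
    NotifyRule("security-director", frozenset({"lobby", "server-room"}),
               frozenset({"override_lockdown"})),
]

# Constructed event log for one day.
SAMPLE_EVENTS = [
    DoorEvent("server-room", "door_propped", datetime(2018, 1, 15, 14, 0)),
    DoorEvent("lobby", "access_granted", datetime(2018, 1, 15, 10, 0)),   # normal hours
    DoorEvent("lobby", "access_granted", datetime(2018, 1, 15, 22, 30)),  # after hours
    DoorEvent("lobby", "override_lockdown", datetime(2018, 1, 15, 10, 5)),
    DoorEvent("loading-dock", "override_lockdown", datetime(2018, 1, 15, 10, 6)),
]


if __name__ == "__main__":
    for recipient, door, event in route(SAMPLE_EVENTS, SAMPLE_RULES):
        print(f"notify {recipient}: {event} at {door}")
```

The after-hours rule is the one worth scrutinising in any such configuration: it is expressed as the complement of a business-hours window, so a window that crosses midnight, or a door that never has "normal" hours, needs its own rule rather than relying on the default.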
ASSESS DELIVER DESIGN OPTIMIZE
Everything you need to stay secure. We will assess, design, deliver and optimize an end-to-end solution to secure your people, property and assets. Utilizing the results of our risk assessment process, we collaborate with you to deliver resolutions for identified risks. We help you meet standards and exceed compliance regulations, from development through installation and ongoing maintenance.
For more information on G4S’s security solutions, please visit www.g4s.ca or call 1-888-717-4447.
Conquer the dark
The H4 IR PTZ camera
The Avigilon H4 IR PTZ camera line combines patented Avigilon self-learning video analytics with zoomable infrared (IR) technology to provide broad coverage and exceptional image quality in a range of lighting conditions and environments.
With a powerful zoom lens and IR technology, the H4 IR PTZ allows users to see up to 250 meters (820 feet) in complete darkness. The camera’s IR projection angle and distance automatically adjust based on camera zoom lens movement, ensuring the scene is illuminated consistently across the field of view for high-quality, detailed images.
• Exceptional image quality with 1.3 MP and 2 MP resolutions
• Avigilon self-learning video analytics
• Powerful 45x and 30x zoom lens technology
• Fast and precise pan-tilt-zoom capabilities
• Zoomable infrared (IR) technology up to a 250-meter (820-foot) range
• Rugged housing design and built-in wiper for tough environments