CS - July - August 2017 by annexbusinessmedia

WHAT TO EXPECT FROM ASIS

INTERNATIONAL IN DALLAS

PAGE 6

SECURITY SUMMIT TAKES ON TRUMP EFFECT PAGE 7 WHERE ARE WE NOW WITH GUARDING REGULATIONS? PAGE 20

July/August 2017

THE PUBLICATION FOR PROFESSIONAL SECURITY MANAGEMENT

Cool in a crisis

Emergency managers discuss training, technology, cyber-threats, and the future of the profession

INTEGRATE

SECURE

Everything you need to stay secure. G4S brings innovation to the forefront to help you leave risk behind. We can assess, equip, integrate and staff an end-to-end solution to secure your people, property and assets. It’s physical security for your company and emotional peace of mind for your people, all created by the integration of our unique products. To learn more about G4S Integrated Security Solutions, please visit www.g4s.ca or call 1-888-717-4447.

COVER PHOTO: SANDRA STRANGEMORE

Neil Sutton

WA FRIENDLY REMINDER

Why security reinforcement never really goes out of style

hen I initially read the first line of a recent Canadian Press story quoting Saskatchewan privacy commissioner Ron Kruzeniski I thought I’d stepped back in time.

According to the article: “Saskatchewan’s privacy commissioner says it’s time for a ‘culture of caution’ for government organizations and the public as they navigate the digital world.”

My first thought upon reading this was, isn’t it a little late to start a campaign urging digital caution? But then I realized, as I read on, it’s almost immaterial to impose timelines on digital security. The ubiquity of Internet access has created a culture where checking your email, posting on social media, or even shopping online is about as easy as breathing in and out, and requires little more effort. It’s no wonder most people are complacent about their digital security and all the more reason why “a culture of caution” is as timely as it’s ever been.

“A ‘culture of caution’ is as timely as it’s ever been.”

I think security professionals can sometimes overlook the fact that the people they are charged with protecting can be indifferent to security procedures, whether they’re logical or physical. I’ve been writing about this industry for long enough now that I can’t walk into a mall without noting the company logos on the security guards’ uniforms and taking stock of where the security cameras are placed (as well as guessing how old they might be). Anyone who actually practices security and has studied CPTED will have a far more trained eye and will pick up on the dozens of things that I’ve probably missed. But you really can’t expect most people to have the slightest clue beyond what their common sense would tell them.

The CP story continues: “[Kruzeniski] said employers need to be clear about what staff can do with their work-issued smartphones, particularly because those phones could have personal or health information about someone. He questioned what would happen if an employee allowed their children to play with the phone at home.”

The reality is that a lot of people only use one device for personal and business use — a situation that is also acknowledged by the commissioner in the article — which is creating an almost untenable situation as far as digital security is concerned. It is ridiculously easy for a device to be viewed or accessed by a third party if it is exposed to a public Wi-Fi signal, and yet that warning goes unheeded by the majority of people you see with their laptops open in a coffee shop. (A recent Symantec study indicates more than half of public Internet users can’t tell the difference between a secured and unsecured Wi-Fi network.) In the physical security world, an analogue might be tailgating. No matter how many times you remind people not to hold the door open to strangers, they’re going to do it anyway. It’s human nature — people are hardwired to do so and don’t want to appear impolite. In high security locations, mantraps or turnstiles become a necessity to counteract this instinct.

By the time I’d read to the end of the article on the privacy commissioner, I’d almost completely reversed my position. Reminding people of the importance of security, digital or physical, is always appropriate and never more so than now.

Group Publisher Paul Grossinger pgrossinger@annexweb.com

Publisher Peter Young pyoung@annexweb.com

Editor Neil Sutton nsutton@annexweb.com

National Account Manager Jennifer Dyer jdyer@annexweb.com

Art Director

Graham Jeffrey gjeffrey@annexweb.com

Account Coordinator

Trish Ramsay

tramsay@annexweb.com

COO Ted Markle

tmarkle@annexweb.com

President & CEO Mike Fredericks

Editorial and Sales Office

80 Valleybrook Dr., Toronto, Ontario M3B 2S9 (416) 442-5600 • Fax (416) 442-2230

Web Site: www.canadiansecuritymag.com

Canadian Security is the key publication for professional security management in Canada, providing balanced editorial on issues relevant to end users across all industry sectors. Editorial content may, at times, be viewed as controversial but at all times serves to inform and educate readers on topics relevant to their individual and collective growth and interests.

Canadian Security is published six times per year by Annex Business Media.

Publication Mail Agreement #40065710

Printed in Canada I.S.S.N. 0709-3403

Subscription Rates Canada: 1 Year $40.95 + HST; U.S.A. (payable in US dollars): 1 Year $70.00; International (payable in US dollars): 1 Year $80.00

Circulation Tel: (416) 510-5189 Fax: (416) 510-5170 asingh@annexbizmedia.com 80 Valleybrook Drive, Toronto, ON M3B 2S9

The contents of Canadian Security are copyright by ©2017 Annex Publishing & Printing Inc. and may not be reproduced in whole or part without written consent. Annex Business Media disclaims any warranty as to the accuracy, completeness or currency of the contents of this publication and disclaims all liability in respect of the results of any action taken or not taken in reliance upon information in this publication.

Jason Caissie Profile Group

Ken Close Trillium Health Partners

Ashley Cooper Paladin Security

David Hyde Hyde & Assoc.

Sherri Ireland

Security Exclusive

Mark LaLonde

Simon Fraser University

Bill McQuade

Final Image

Carol Osler

CALENDAR

September 13, 2017

Security Canada Atlantic Halifax, NS www.securitycanadaexpo.com

September 19, 2017

Retail Council of Canada’s Loss Prevention Conference Mississauga, Ont. www.rcclpconference.ca

September 25-27, 2017 (ISC)2 Security Congress Austin, Tex. congress.isc2.org

September 25, 2017

ASIS International Canada Night Dallas, Tex. www.asisonline.org

September 25-28, 2017

ASIS International Seminar and Exhibits Dallas, Tex. www.asisonline.org

October 4, 2017

Focus On Drones Toronto, Ont. www.focusonseries.ca

October 18-19, 2017

Security Canada Central Toronto, Ont. www.securitycanadaexpo.com

October 26 - 27, 2017

Securing New Ground New York, N.Y. www.securingnewground.com

November 13, 2017

SecTor Toronto, Ont. www.sector.ca

November 15-16, 2017

ISC East New York, N.Y. www.isceast.com

November 29-December 1, 2017

PM Expo Toronto, Ont. www.pmexpo.com

December 6, 2017

Focus On Health Care Security Toronto, Ont. www.focusonseries.ca

APSA awards recognize dedication and professionalism

The Association of Professional Security Agencies (APSA) recently handed out its annual Security Guard and Security Guard Supervisor of the Year awards in recognition of front line security professionals who have gone above and beyond what is expected of them.

The awards were presented on June 28 in Toronto to Atilio Canas, a security guard for Lyndon Security Services, who currently works at Nova Chemicals in Sarnia, Ont., and Jacob Davidson, a supervisor with Russell Security Services Inc. (RSSI), employed at North Bay Regional Health Centre, Ont.

Canas received his award from his employer Ernie Hehn, president and general manager of Lyndon Security, who stressed the importance of recognizing security staff for their contributions and hard work.

Canas moved to Canada from El Salvador 25 years ago. A police officer in his native country, Canas sought similar work in Canada.

He learned English here and worked as a crossing guard for Lyndon Security, while going to school. He was soon moved into a security position and took on a full-time role with Lyndon Security client Nova Chemicals. Canas was nominated for the Security Guard of the Year award by Lyndon Security and with the full support of Nova Chemical. Both praised his dedication, diligence and positive attitude to his work.

During the award presentation, Hehn noted that Canas has “always conducted himself as the utmost professional.”

Canas says he was notified that he had won the award approximately two weeks earlier — senior leaders from both Nova Chemical and Lyndon surprised him during one of his shifts.

Canas says he’s seen some changes in security over the years he has worked in the field — most notably after the 9/11 attacks changed both perceptions and procedures, but through it all he has remained consistently dedicated. “I enjoy talking to

people,” he says. “I do my best every day. When I go home, my conscience is clear that I tried my best to do a good job.”

Jacob Davidson was also unaware that he had been nominated for an award. “I received a phone call from Joe Maher, president and CEO of Russell Security,” explains Davidson. “He said, ‘You were nominated and you were successful in receiving the award.’ It was a little bit of a shocker.”

Davidson works as a charge constable (shift supervisor) at North Bay Regional Health Centre. He has worked at the hospital for eight years, the last three with RSSI. In his nomination, both RSSI and the hospital noted his ability to rise to the challenges that come with health-care security. Davidson’s nominees observed his professionalism when dealing with difficult circumstances and also his volunteer efforts for hospital fundraisers and North Bay community-based services.

Davidson has participated in hospital walk-runs, BBQs and social events to raise money. He helped organize pink epaulettes for the security staff to wear in support of breast cancer awareness as well as green ribbons to promote mental health awareness.

Don Leschuk, vice-president of operations at RSSI, noted at the award presentation that Davidson is on hand to participate in volunteer committees even at the end of a 12-hour shift. He described Davidson as “the epitome” of good people in security, “a decent human being.”

— Neil Sutton

Jacob Davidson, RSSI and Atilio Canas, Lyndon Security

By Neil Sutton

ASIS adds new elements to the mix for Dallas

ASIS

International is in the midst of some changes to better meet the needs of its members and constituents, according to its CEO, Peter O’Neil, many of which will be reflected in its upcoming annual seminar.

ASIS’s Seminar & Exhibits, the organization’s 63rd, will be held in Dallas this year, Sept. 25-28.

“This is the first year of what will be many years of changes coming for the ASIS seminar. This year it was about the footprint, it was about making sure the education we’re curating is truly the best of the best,” says O’Neil, who took on the role of CEO and executive vice-president in January 2016. The organization will offer more than 180 education programs this year and has moved some of the sessions onto the trade show floor, offering what it’s calling a “Learning Lab” environment.

networking event on the exhibit floor on Tuesday evening.

Peter O’Neil, CEO, ASIS International

Another major change this year is that a small selection of the educational sessions will be live-streamed online (accessible for a registration fee) and later archived. The keynote addresses, with the exception of opening speaker, former U.S. President George W. Bush, will also be made available online. At press time, confirmed keynote speakers included futurist Scott Klososky, as well as Edward F. Davis, former Police Commissioner of Boston Police Department and Rick DesLauriers former Special Agent in Charge (SAC), Boston Division, FBI, both of whom will address their roles in the aftermath of the Boston Marathon bombing.

the education.”

O’Neil indicates that more sessions are likely to be made available online at future ASIS events. He says that the organization as a whole is trying to be more transparent and inclusive, as well as strike a better balance between operating as a global organization while still offering meaningful and useful services at the local level.

The organization has developed a detailed roadmap for its future, focusing on six high-level objectives: Global Network; Professional Competency; Knowledge and Learning; Event Preparedness and Response; Branding; and Organizational Operations and Performance. ASIS has also hosted “town hall” teleconferences, inviting 500 of its senior leaders to participate.

ASIS is also “doubling down” on networking opportunities, says O’Neil, adding that he recognizes the value and learning opportunities that conference attendees may glean through increased social interaction. One of the additions this year will be a happy hour

“One of the things ASIS has not done in the past is a virtual conference,” explains O’Neil. “We’re going to be beginning our first one this year.

“The annual meeting has to live longer than the week that we’re in a city,” he adds. “For all the investment of time and effort we put in, the stuff we do there has to live longer. A big chunk of that is

“We have a very big challenge ahead of us to drive member value, but to do it ‘glocally,’” says O’Neil. “There’s been a renewed commitment in how we develop and service our chapters. For an organization, we’ve got to have people or groups — chapters — at that local level, providing products and services and experiences in those areas that make people want to join. That increases our membership numbers, which in turn increases our clout.”

The 2016 edition of ASIS International’s annual seminar event was held in Orlando, Fla.

2017

Canadian Security magazine and SP&T News recently hosted Security Summit Canada, offering security perspectives from across the industry. The two-day event included a keynote address from John Mack, executive vice-president, Imperial Capital as well as panels and presentations covering everything from home security systems to the international threat landscape.

A panel discussion on Canada’s threat landscape featured Bonnie Butlin, co-founder and executive director of the Security Partners’ Forum, Victor Goodman, president and CEO, INKAS Security Services and Han Koren, president, AFIMAC Canada. Canadian Security editor Neil Sutton moderated.

Popa, president and CEO, Informatica Corp., provided a presentation on cyber-security hits and misses of 2017.

Luciano Cedrone, vice-president, national security, Brookfield Property and Malcolm Chivers, director corporate security, Canadian Bankers Association were two of the panelists featured on the end users’ perspective presentation. Not pictured: Brian Claman, director, national security and life safety services, GWL Realty Advisors.

Mahesh Saptharishi and Colin Bodbyl, chief technology officers from Avigilon and UCITOnline, discussed the role of surveillance today. Jimmy Palatsoukas, Genetec’s director of product marketing, joined the conversation remotely.

Claudiu

Imperial Capital’s John Mack kicked off the event with a detailed presentation on the state of the security industry from a product and investment perspective.

Veronica Kitchen, associate professor of political science, University of Waterloo opened day 2 with a presentation on Canadian Security in the Age of Trump.

DEFENCE AGAINST FRAUD

Layer your approach in order to make ecommerce more robust

With each passing day, more and more consumers are making the switch to online shopping. And why wouldn’t they? It’s quick, reliable and easy. As a consumer, you can have nearly any item you can imagine delivered to your door (in some cases same day) without ever having to leave the house.

It is for that same reason that ecommerce fraud is growing at an exponential rate. Fraudsters are attracted to the same “quick and easy,” as they too can now order goods without ever having to set foot inside a retail store. They can comfortably use stolen credit cards while hiding behind the anonymity of a public computer and a forwarded mailing address, never once having to worry about physical security measures like chip and PIN or being recognized on CCTV. In many cases, the fraudsters can have the goods in their hands before the victim even knows their card was compromised.

“If you can prevent the order from ever happening, you are already one step ahead.”

place orders in bulk. Verified by Visa and MasterCard SecureCode are two solutions that can be easily implemented into the checkout process for additional validation. It is also crucial to capture as much meta-data as possible about the computer/user making the purchase. Such elements as IP address or Device Fingerprint are extremely beneficial as they can act as important data points that can be used to identify patterns and trends.

When trying to prevent fraud in person, you can typically work with front line sales associates to help recognize warning signs, such as unusual behaviours by the suspect, cards that appear damaged and fall back to swipe, or discrepancies between the cardholder information and the person making the purchase. Chip and PIN technology is also a significant deterrent since it prevents most fraud attempts as criminals seldom have their hands on the true card and the PIN.

When dealing with online fraud, however, you lose the ability to pick up on those abnormal behaviours and also have to deal with the risk of accepting the order as a “card not present” transaction as there is no chip/ PIN involved. Because of this, a well-built fraud prevention strategy for your ecommerce business is crucial to preventing chargebacks.

The first line of defence is your checkout process. If you can prevent the order from ever happening, you are already one step ahead. When putting together a strong fraud mitigation plan, try to find ways to build in “human” verification elements such as CAPTCHA. This helps prevent fraudsters from creating bots that can automatically

The second line of defence involves the order passing through a series of business rules and fraud validation checks to decide on whether you should accept or reject an order. These rules can be as simple as ensuring the billing and shipping addresses match or that the CVV number matches what is on file with the bank. Alternatively, the rules can be as complex as validating the total number of orders placed by a specific IP address within a certain time frame or looking at orders over certain dollar amounts utilizing foreign currency credit cards. The more rules you can put in place, and the more you can layer rules on top of one another to help make your decisions, the more this will ultimately lead to a successful fraud prevention strategy.

Despite your best efforts, not every order will be caught through the fraud review process. Therefore, the final step is always a thorough review on any fraud chargebacks received for your online orders. This can give you insight on how that particular fraud order could have been prevented and will allow you to tweak your rules to catch orders like it in the future. The more often this takes place, the better chance you have at stopping the orders at the source. As an ecommerce retailer, without any proactive measures to detect and prevent fraud, you are opening yourself up to a fraud chargeback on every order. While this is certainly a risk of doing business in today’s fast paced ecommerce environment, it is certainly a risk you can control.

Matthew Robertson is acting DVP, retail operations, and director of loss prevention for Sears Canada (www.sears.ca).

Providing a secure shopping environment to your customers

Integrated and specialized retail security services for commercial properties’ owners and managers.

At GardaWorld, we act as ambassadors by being visible, open and accessible to assist the public; from providing directions to their favourite store to reuniting separated family members. Dressed in either a concierge-like attire or a military uniform, they protect your brand, your assets and your customers.

High visibility and tracking proactive customer touch points help deter undesirable activity while ensuring the safe enjoyment of the property. Our solutions focus on reducing risks to help businesses be more proﬁtable:

■ Highly-trained security guards

■ Loss prevention services

■ Patrols and alarm response units

■ Event security services

■ Access control

■ Security assessments and ﬁre prevention

■ Administrative support

■ Parking management

1 855 GO GARDA (464 2732) garda.com/ps

By Mel Gedruj

ON THE ROAD

The security of trains and trucks is vital for the justin-time supply chain

Moving people on roads and rail and delivering goods such as food, machinery and parts is big business in North America.

Public Transit security relies on two modes of operation: rail and buses. While they face many similar risks, rail-based systems deal with fixed links while buses may use alternate routes if need be. Due to the frequency of use, it is not always practical to institute metal detectors, bag search and other technologies used at airports. If we add that traditionally rail transit security was more concerned with insuring that all passengers have paid their fare, it paints a challenging picture to achieve desirable outcomes.

“The public is largely unaware of how often the [cargo theft] problem occurs.”

As for others, it expanded their security awareness. The American Public Transit Association is a rich source of standards and guidelines. They cover all aspects from CPTED to video, access control and security lighting. Transit security is a challenging field and requires extensive resources, which smaller municipalities often lack. In the case of large subway transits, police services maybe directly providing security while special constables or their equivalent would be involved in fare and bylaw enforcement. This setup is due to the fact that police officers are professionally better trained and equipped to deal with violent crime.

To remind us how deadly transit terrorist attacks can be, recall that on a hot August 1980 day, a bomb exploded at the Bologna train station at 10:25 a.m. causing the largest amount of casualties in Italy since the second world war.

In Madrid, on March 11, 2005, later dubbed 3/11, 10 simultaneous bombs exploded on four different commuter trains causing 192 fatalities and thousands of injured commuters. The July 7 London bombing is remembered as 7/7. It affected both the “underground tube” and double decker buses, and resulted in 52 deaths and hundreds of victims. The most recent attack was in the Brussels’ metro last year.

Bus bombings are even more frequent and too numerous to list here.

The events listed here are at the extreme end of the security spectrum but there are other threats that manifest themselves on a more frequent basis — attacks on drivers and conductors and passenger-on-passenger violence in many cases resulting in injuries and often making transit less appealing to the general public.

So what can be done? Transport Canada’s Transit Secure initiative from 1986 to 1989 was an extensive program to identify and address security risks for both rail and bus transit that delivered a marked improvement, at least in larger cities.

Cargo theft is sometimes viewed as a victimless crime. A truck or trailer is stolen, the cargo is insured and when nobody has been physically harmed, the public is largely unaware of how often this problem occurs. Police services do not usually have an adequate number of officers dedicated to cargo theft as there are many other more pressing law enforcement demands. Another cargo security stream is when trucks carry trans-border shipments. To streamline the cross border cargo traffic arriving by sea and destined to the U.S., the Integrated Cargo Security Strategy was concluded in 2015.

Another initiative is the pre-inspection by U.S. border services on the Canadian side of the border to preclear trucks entering the United States. U.S. Homeland Security publishes guidelines for cross-border cargo traffic, requiring drivers to undergo a background check and establish rules of how cargo can be picked up or delivered.

Finally, the Custom Trade Partnership against Terrorism is a public-private sector program constituting another security layer to facilitate the movement of goods.

In these days of just-in-time delivery, any disruption of the supply chain may lead to depletion of food stocks in supermarkets and spare parts in manufacturing plants.

Mel Gedruj, OAA, CSPM is the president of V2PM Inc., specialized in municipal security management planning.

By Tim McCreight

THINK LIKE A STAKEHOLDER

Take the time to examine a risk issue from the perspective of your C-suite

The fun part of any Enterprise Security Risk Management (ESRM) program is starting with some interesting “what if” questions.

As a security professional, you’ve asked these types of questions so many times when you begin a risk assessment: what if there was a flood in the downtown core? What if a fire started in a data centre? What if a forest fire forced you to evacuate your building, and the building burned to the ground? Well, these are questions I have looked at over my career.

The second phase of the ESRM lifecycle focuses on identifying and prioritizing risks to the assets you documented in the first step. This is where a lot of time and effort goes into ESRM — and where some different approaches must be considered by security professionals.

In past lives, I conducted my risk assessments through the lens of a security practitioner. I’d begin “in the parking lot,” starting at the perimeter of my facility and then working my way into the core of a building. It was a very methodical approach, and time-consuming. And it was very security biased — I wasn’t concerned about talking to anyone other than security team members, and I was more worried about the principles of physical security, creating layered defences, and defining clear boundaries to reduce my risk exposure.

Over time, I’ve learned that we need to step out of our role as security professionals, and take on the perspective of other stakeholders across the organization. We need to expand our viewpoints and look at the risk scenarios from someone else’s

vantage point.

We should consider how our executives or CEOs would look at the risks we’re uncovering. Would they worry about these risks, or accept them as part of the path to achieving business success? Thinking like a shareholder is another way to challenge our opinion on the risk assessment process, and offers a unique opportunity to look at risk differently.

Another stakeholder group we many times forget is our customer or clients — those who our organizations serve and who buy our products, consume our services, and keep us in business. If we identified several risks facing our organization, and presented them to our customers, what would be their reaction? Would they be concerned if their personal information was compromised, or would they react in a more subdued manner? Would clients be upset if our manufacturing process was copied by a competitor, or would brand loyalty keep them coming back to buy our products? This exercise is a fascinating way of exposing our risk assessment process to a variety of audiences, with different viewpoints and needs.

These different perspectives allow us to look at the value of our assets, and the impact of a threat against the asset, in a variety of ways. If we can consider these different perspectives when we start assessing risks and evaluating our assets, we gain greater insight into the organization than your typical risk assessment exercise. An asset that may be critical to a department may not have any value to a client or the CEO. Using multiple perspectives and viewpoints helps create a more accurate picture of the assets we have and need to protect. This also changes how we will prioritize the risks facing these assets — our goal in using the ESRM framework is to consider all viewpoints during this phase to gain a complete picture of our risk profile. This expanded view lets us work through the prioritizing of risks more effectively, and with fewer debates between the security professional and the organization. Well, hopefully.

Tim McCreight is the director of strategic alliances at Hitachi Systems Security (www.hitachi-systems-security.com).

Cooler heads PREVAIL

Emergency managers, educators and experts meet to discuss the technology and trends impacting their profession

In June of this year, Canadian Security magazine gathered experts and practitioners for a roundtable discussion sponsored by Calian. The participants offered their perspectives on the state of emergency management education and training, the growth of the profession, the technology tools they use (or in some cases, don’t use), the role of social media and how cyber-security concerns are creeping in.

Canadian Security: What are the major technology trends and challenges you are facing in emergency management?

Douglas Grant: I think social media is becoming more properly integrated into the field. Where I’m starting to see a slowdown is the implementation of command and control software in projects within emergency management doctrine.

Alain Normand: For something we only use once a year, we don’t want to spend tons of money. People are used to Word, Excel, Outlook, maybe SharePoint, maybe a couple of others, and that’s it. If it doesn’t look the same as what they’re using every day, they’re coming in and saying, “How do I do this again?” You don’t have time during an emergency

to start training them on software. So we’re not using (dedicated emergency management) software. We’re basically going with the tools we have — we have Outlook groups, we have Word documents, we have pdfs, and we print a lot of stuff. We’re just taking what people are using on a day-to-day basis and we’re just tweaking it slightly.

DG: I think there is value to some of those (dedicated emergency management) tools, but I don’t think that people appreciate that it’s probably going to be of most value if you’re already at the very top of your game.

If you can guarantee that everybody in your organization is extremely highly trained and really uses these tools on an ongoing basis, then they probably can contribute effectively, but unfortunately that isn’t really the reality in a lot of cases.

CONFIRMED SPEAKERS:

• Mark Aruja, Chairman, Unmanned Systems Canada

• Colin Giles, UAS Program Coordinator, Aviation Services, Ontario Provincial Police

• Ciara Bracken-Roche, Dept. of Sociology, Queen’s University

• David Cooke, founder and chief pilot, Canda

emergency. I want to know them beforehand. I want to know who they are, what they do. Seeing them in action and doing the training, that’s where you really get to know the skillset.

KM: At George Brown, we’ll have discussions and lecturing, but it’s the simulation at the end, the practical [aspect] of applying those components of emergency management. If you look at the learning pyramid, you’re only going to retain what you’ve learned anywhere from 80-85 per cent by the time you leave without applying that knowledge. Has training evolved? Absolutely.

CS: How has social media and the immediacy of information changed emergency management practices?

AN: It’s really changed the rules. It used to be, when something happens we have to plan a press conference for tomorrow morning at 10 o’clock and that was the first information people would get about it. But today, with social media, you can’t wait until the next day. That press conference has to be right away. We’ve had to step up the game tremendously. It’s given us more challenges. At the same time, the information is much more readily available. People verify things and you cross-reference the information that’s out there and you get a pretty good picture. It’s rare that you get wrong information [via social media]. People do have a certain respect for the truth. It’s been quite useful for us. We have people and that’s their job — in an emergency, you’re sitting there, you’re monitoring all the tweets that are coming in, you’re checking Facebook.

TL: One of the big challenges is staying on top of it. You will never get ahead of it. But now there’s this expectation that when an event happens, they’re going to send a tweet to the municipality and they’re expecting a response right away. So it’s changed the way communications groups have had to staff an EOC or support an EOC. But in terms of situational awareness, it has been huge. [For example] the VIA Rail train derailment in 2012 in Burlington, Ont. Before word ever made its way up to the region, the event was over. The train derailed and within 45 minutes, everybody was out. The only people that were left were the three casualties. Everybody was

on their way to hospital and the first responders had done their piece. It was social media that flagged it. You were getting real-time pictures.

SS: Social media users have become our other responders. It’s part of our organization now, really. My other thought was that, during the ice storm… You can’t depend on it [because] everything was down during that time. With emergency management, you have to think of different ways to communicate. Social media is definitely one of the major ones, but you have to think of non-technology avenues also.

DG: There’s always going to be challenges, but I think the municipalities have been much more successful in utilizing social media for disaster management operations. If you look at a lot of private sector organizations or critical infrastructure, I think they’ve really struggled to understand what a disruptive entity social media can be. If you look at nuclear… they’ve followed the traditional communications strategies for social media, which is, if there’s a statement coming out from the organization, that takes approval all the way up to the board of directors, which can be one to two weeks. The idea that you need to trust somebody enough, who could be somebody inside the organization who’s not senior leadership, to give out immediate public information, without the time to review and vet that, is a real struggle for a lot of organizations. The flip side of that is getting them to

understand that Twitter and social media is not just a marketing tool where you can promote your new hamburger that coincides with the release of the new Marvel movie, it’s a powerful tool.

CS: How do cyber-security concerns fit into your role as an emergency manager?

TL: There’s not an organization out there that’s not at risk of cyber-attack. I’m fortunate that I work for an organization that recognizes the reality. Cyber climbs up our HIRA (Hazard Identification Risk Assessment) every time. It’s not necessarily a targeted attack. It might be malware or ransomware or something that’s just totally random and not targeted at a particular organization, but it has the ability to take down your network. If you’re a first responder, it could take down your radio system, your computer systems.

In Mississauga, we recognize that as a huge risk to our organization, our response, our business continuity. It could be a data breach. That’s a huge impact on the city. Does it impact the community? Not necessarily, but it could. You can do some pretty crazy things with a cyber attack. You can turn off the HVAC and melt down the server room. It’s not a short-term recovery if you lose your data centre. If you hack into a public institution, you can get into other public institutions if they’re on the same network.

KM: There’s a video that we often use in our courses — the Aurora Project.

It’s a bit outdated but it hits home. You have a simulated control room where a hacker hacks into a 27-ton generator. He overwhelms the power generator … you actually see this 27-ton machine jump. You can imagine, a lot of the things that we depend on come through computers. If somebody really thought about it, they could hack in and destroy [critical infrastructure] and do a lot of damage to a small community. Cyber security is definitely something that our department is really looking at and we are currently developing a cyber-security course.

SS: Starting off in this [industry] in 2005, everybody was talking about natural disasters. That’s what we trained and exercised on. Now it’s become more technology-based. Even this year, we’re looking at a cyber-security exercise. The City of Markham is participating in a North America-wide exercise — a cyber attack of an electrical grid.

DG: It’s tough to understand. Most people in their organizations don’t understand computer science… and it’s easy to discount stuff you don’t understand, especially with the state of global affairs right now and the fact that it’s much easier to weaponize a cyber attack than it used to be, I think. Yes, we’re seeing organizations taking it more seriously and yes, it’s climbing up the HIRA, but they don’t know what to do with it.

It’s similar to what Alain has said, it doesn’t matter about the cause, it matters about the impacts. You can incorporate cyber-security into a risk management portfolio but just treating it like any other hazard and just looking at the downstream impacts. Does it matter if your power goes out from a cyber attack or if it goes out from severe weather? On the prevention side it does, but in the downstream impacts, it doesn’t. It’s the same response mechanism. There are things you can do to deal with this that don’t require you to get a three-year computer science degree. You can work with your IT guys and incorporate them into a program that will allow you to be more resilient.

Make access smart and even more secure.

Keyscan iCLASS® high frequency (13.56Mhz) contactless readers are powered by SEOS®. The SEOS platform offers more choices, functionality, flexibility and applications providing the highest level of secure communication between devices. Keyscan iCLASS SEOS readers are mobile ready and will only authenticate Public Key SEOS smart credentials — to make your access system even more secure. Visit keyscan.ca

Keyscan iCLASS® SEOS® Public Key High Frequency Readers

Keyscan iCLASS® SEOS® readers are mobile ready using either Near Field Communication or Bluetooth Low Energy and operate with SEOS smart credentials to prevent compromise and sustain the highest level of security.

MANDATORY TRAINING STANDARDS: WHERE ARE WE NOW?

Use of force, specialty skills and training remains a contentious issue for guard licensing.

By Mike Burgess

Five years ago, I wrote, “There is an old saying that comes from the Huna tradition that says, ‘For everything in life you must pay attention. To the degree you do not pay attention, you pay with pain.’” Wise words to be sure, but still falling on deaf ears it seems.

Twenty-two recommendations of the Shand Coroner’s Inquest resulted in legislation changes and new training standards in some, but not all, Provinces in Canada. The response by Ministries that oversee Guards and Private Investigators has been disjointed, to say the least and there is still no common path forward. So where are we today, five years on? We now have mandatory 40-hour “basic training” courses in most of Canada, but there are still some Provinces where a person with a clean criminal record can simply apply for a licence, pay a fee and is instantly a guard. Arguably the core issue in the Patrick Shand case, use of force training, has gone mostly ignored with one or two exceptions.

This contentious part of security licensing is use of force, specialty skills training and testing. This issue remains unresolved in most of the country. For those who have attempted it, no two are on the same page.

Shand inquest recommendation: “Security practitioners whose duties may include making arrests or the lawful application of force should be re-certified

annually with respect to Use of Force Training.”

“Mandatory training should be delivered by qualified trainers certified by the Ministry.”

Here’s where we are today with this: Some Provinces prohibit guards from carrying handcuffs and/or batons, some don’t mention them at all except as equipment that may be issued upon obtaining permission. Some require refresher training in the use of handcuffs, but not the use of physical force, once every three years. Some require “certification” in an American-based system that was originally designed for police and corrections. Still others are not prepared to address the issue at all.

To quote one Ministry official, where the standards were contemplated then set aside, “the Provincial government feels it has no place in interfering with the internal operations of private security. If a company and its clients feels they should train and equip their guards in the uses of force for the protection of persons or property, the criminal and civil accountability for their actions in a given case ultimately rests with them and not the government. They have no more authority to act than any other citizen.”

As Provinces continue to contemplate what they should or should not do in regards to use of force training standards I am reminded of what the courts call “the two step test.” The Supreme Court stated in 2003 ... “reasonable force” in the context of a given case may have to have regard not only to what force is necessary to accomplish the arrest, but also to whether a forcible arrest was in all the circumstances a reasonable course of action in the first place. This is the true core issue, in my opinion, surrounding use of force and arrest by persons who are not police officers.

More than one Provincial government official has commented to me that “they want nothing to do with the issue of vetting use of force instructor’s credentials. Due diligence matters relative to Occupiers Liability are best left to the companies themselves to determine.” Despite this, a couple of Provinces now have requirements in place to be an approved instructor in the use of force. A scary thought if you fully understand the implications and potential backlash of this.

In my work as a subject matter expert, I often am called to give subjective opinions on standards

and marked departures. Fault or responsibility, based on carelessness or lack of due diligence involving a marked departure from the “norm,” is ultimately based on an objective test by the court. That test involves assessing a person’s or company’s actions against the standard of the reasonable person and/or industry. Those standards are not set by any Provincial Ministry, they are dictated by a jury of our peers in a courtroom.

“This issue remains unresolved in most of the country. For those who have attempted it, no two are on the same page.”

way.” The judge’s comments are etched in my mind now as I see their point: “Consensus between people within an industry does not necessarily make the untrue true.” Standards can be set, regulations written, however at the end of the day the acid test is the court for reasonableness.

that have implemented changes to legislation. That’s the good news. The bad news is that the toughest issue is still yet to be fully addressed, in my opinion.

I was reminded by a judge during my testimony, that there is no such thing as “best practice” when it comes to the courts. The court accepts what is known as “successful practice” to refer to the “way things have always been done…and everyone is doing it this

Today licenced guards can still move directly into positions such as loss prevention, where they may make arrests on a daily basis. No training in the use of force is required. This may change with time but there does not seem to be the political will to do so.

Issues surrounding uniforms, dogs, identification, records keeping, oversight bodies, portability of licences, seems to have been addressed in those Provinces

At a keynote speech a few years ago I was asked, “How do we raise the level of training standards nationally, especially amongst contracted security?” I answered by saying “respectfully…look in the mirror. You get what you ask for and what you insist upon. Don’t let the industry or government dictate standards that are ultimately unacceptable to you. Redefine what ‘trained’ means to you and is acceptable to the courts and write that into all your RFPs and contracts.” Government standards are minimums only; you need to set your bar above that.

Mike Burgess is the president of M.D. Burgess And Associates Inc. (www.securitytrainingsupport. com) and is a court-recognized subject matter expert in security training and the use of force.

CYBER ATTACK BILL SHOCK

RJon Draper is the head of Cyber Defense Strategy at BAE Systems (www. baesystems.com)

ecent research by BAE Systems found some startling disconnects when it comes to cyber security within organizations.

A survey of more than 800 top executives (C-suite leaders) and IT Decision Makers (ITDMs) in eight major countries found a large disparity in what each group believes the cost of a successful cyber attack to be. ITDMs estimated, on average, $19.7 million; C-suites said $12.4 million — and 42

percent of them said only $1.5 million.

Perhaps the ITDMs’ estimate is higher because they are closer to operations and see the volume of threats, implement security measures and do the dirty work of incident response and/or disaster recovery.

The perceived cost of a cyber attack also affects the amount businesses spent on defence. C-suites believe that 10 per cent of their organization’s IT budget is spent on cyber security. ITDMs say 15 per cent. This means that when an attack does occur, the C-suite and ITDMs are at risk of experiencing high costs that were unforeseen, meaning adequate budget was not allocated, also known as “bill shock.”

To avoid bill shock, C-suites and ITDMs need to make full, informed assessments of the threats they face, the risk of successful attack and

the consequent costs of recovery. Organizations must be realistic about the threat landscape and fully aware of the defences in place.

Our research also found that a significant number of C-suites and ITDMs believe the other is responsible in the event of a data breach — 35 per cent of C-suites say their IT teams are responsible and 50 per cent of ITDMs think responsibility sits with senior management.

C-suites and ITDMs should work closely together, analyzing current implementations and processes to come to an accurate conclusion. Once organizations know what they have and what they need when it comes to cyber security, they’ll know where they need to invest — and hopefully avoid nasty surprises.

By Derek Knights

GET TO THE TRUTH

Truth-Focused Interviewing for Investigators, 2nd Edition

By: Kevin Byrnes Canada Law Book

ISBN: 978-0-7798-7321-0

Onthe back cover of “TruthFocused Interviewing for Investigators, 2nd Edition” is a blurb about the book’s author, Kevin Byrnes. He is a police detective in Ontario, a teacher and a student (of Neuro-Linguistic Programming and Psychology), and a member of Human Potential Consultants Inc.

Det. Byrnes book is one of the best books on interviewing I’ve read — and I’ve read a few! In a dozen chapters, over 180 pages, the author deconstructs the interview process and demystifies it for the newbie and the expert alike. And experts should read this book, because no matter how good an interviewer you are (and you’re probably not as good as you think you are) there are plenty of tips and tactics here you can use.

and ultimately how to build confidence. He’s forthright in his statements, admits challenges, debunks some myths and supports others. He stresses the importance of being fit for the interview — rested and attentive and comfortable.

I’ve never met the author, but I’ll bet I could pick him out in a crowd within 30 seconds of hearing him speak. He wrote this book in a conversational style — it’s very folksy. Even on the page, it seems to build a rapport and it really feels like he’s there, telling you the story.

“He stresses the importance of being fit for the interview — rested and attentive and comfortable.”

The chapters take the reader first to identifying the wrong things to do, so many of which I have seen in myself over the years, and then into building a better interview model, how to build a rapport,

And there are stories — which he adeptly uses to illustrate the points he makes. While these stories and anecdotes are primarily policebased, the concepts hold true for civilian interviewers.

There are well over 100 pages of excellent information in this book. I recommend it without hesitation to any investigator. Well, almost without hesitation. It’s 100 pages of excellent information in a 180-page book, but, there are some typos and grammatical issues. But don’t hold the author responsible for those — that’s the editor’s and publisher’s job. You can’t hold the author responsible

for the layout, either, at least not all of it. Open the book almost anywhere and massive blocks of black text on a bright, white background glare at you. It’s intimidating and hard to read.

But you can hold the author responsible for paragraph and sentence length. Det. Byrnes’ style serves him well in one way but does him a disservice in another. Long, wordy sentences, with no inflection or “body language” (something he discusses a lot in the book) detract from full comprehension. Readers have to work harder to glean usable data from long sentences. Don’t give them so many; extra words can be obstacles. Maybe he self-edited, but even so, the publisher should take more care. I sincerely believe a third of this book consists of unnecessary words.

I’ve gushed and I’ve ranted. This book deserves both. Reading unnecessary words is a chore, but you’ll survive. I haven’t read this book’s previous edition, so I can’t say what’s changed or if it’s an improvement, but I’m not worried about it. The book’s failings keep it from being an out-of-the-park home run, but it scores nonetheless.

Derek Knights, CPP, CISSP, CFE CIPP/C, PCI, is the senior manager, strategic initiatives, global security and investigations, at the TD Bank Group (www.tdbank.com).

PRODUCT

Access control platform

Tyco Security Products

C•CURE 9000 v2.60 offers advanced access control policy enforcement and customization, after-hours reader groups, expiring clearances and other notable features, as well as increased operational efficiency. This latest version of the C•CURE 9000 security and event management platform also supports IPV6 address protocols for the iSTAR Ultra door controller and introduces a new C•CURE 9000 Web Client user interface. Enhancements give end users the ability to configure the platform to create a new event after a number of consecutive rejections. With this feature, end users can define the threshold for event creation by configuring the number of consecutive retries allowed within a given time period. www.swhouse.com

Electronic lock Southco

Optical turnstile

Orion Entrance Control

The OBSG-LG-CV-Wave Turnstile is an Optical Barrier Swing Glass-Low Glass-Clear View Wave turnstile with an open look – accentuated by 3/8-inch transparent glass on the sides and 3/8-inch tempered swing glass. Integrated into the pedestal is the Safran MorphoWAVE biometric reader that captures fingerprints with one contactless movement or “wave.” The throughput yield is one person per second which provides any lobby with a modern option for turnstile security. Also offered by the company: Infinity Remote Lane Control Software (IRLC-SW) and Surface Pro 4 Touchscreen/ Armodilo Case.

www.orionECI.com

Access control integration

The H3-EM Electronic Locking Swinghandle with Integrated Multi-class RFID Reader includes the same intelligent electronic locking and monitoring features as the standard H3-EM, but also reads HID 125 kHz RFID credentials and 13.56 MHz iCLASS smart card based credentials. The H3-EM with Integrated Multi-class RFID Reader features provides an integrated HID SE smart card reader and supports multiple readers. The H3-EM features integrated LED indicators for visual status of equipment access as well as simple, singlehole panel preparation that is compatible with industry standard enclosures for OEM integration or field retrofits. When connected to an access control system, the H3-EM enables the user to track and record access to the electronic locks, providing an audit trail. www.southco.com

Mini escutcheon

Salto Systems

The SALTO XS4 Mini escutcheon’s compact design enables security professionals to upgrade security and replace mechanicalkey-operated door locks with the latest electronic access control solution suitable for a wide range of customer applications. Its zinc alloy construction and Mifare-DESFire and BLE (Bluetooth Low Energy) technologies allow it to work with conventional smartcards and/or via SALTO’s JustIN Mobile app. Power is supplied via three AA batteries, with battery life good for up to three years of normal operation. When batteries run low, the XS4 Mini has audible and visual indicators. www.saltosystems.com

AD INDEX

Anixter 27 www.anixter.ca/security

ASIS 24 securityexpo.org/ste

Avigilon 15 www.avigilon.com

CANASA 23 www.securitycanadaexpo.com

Commissionaires 21 www.commissionaires.ca

dormakaba 19 www.keyscan.ca

2017 • www.canadiansecuritymag.com

Vicon Industries

The Valerus video management solution now includes integrated connectivity with VAX, Vicon’s access control solution. The integration, which enables the display of live and recorded Valerus video from inside the VAX interface, is simple to program and free with the purchase of either system, regardless of the number of cameras or card readers in use. Current Valerus and VAX customers can update to the latest version of Valerus software, which is available for download, without additional licensing, from Vicon’s website. With this new integrated solution, each camera managed within a Valerus system can be associated with a specific door and card reader, enabling the VAX interface to automatically display Valerus video that correlates with each swiping event. www.vicon-security.com

Cloud concierge solution

Galaxy Control Systems

Galaxy Cloud Concierge offers end users a Cloud-based, fully hosted and managed access control and monitoring solution that integrates video surveillance, visitor management, elevator control, locks and turnstiles into a unified platform. Galaxy Control Systems offers Cloud Concierge in three configurations: an on-site, user-managed, Cloud-based system; a remote Cloud-based, user-managed integrated system; and a remote Cloud-based, reseller/integrator managed integrated system. Cloud Concierge incorporates AES encryption to ensure the security of access control data. cloud.galaxysys.com

Focus on Drones 16 focusonseries.ca

G4S 2 www.g4s.ca

Garda 9 www.garda.com/ps

Salto Systems 28 www.saltosystems.com

Securitas 22 www.securitas.ca

Winsted 17 www.winsted.com

Access control is more than a reader and panel on a door

As part of a layered approach to physical security, total access control is an integrated security system that extends beyond the building to the perimeter, gate or fencing and extends inward to protect valuable assets and infrastructure such as data centers and control rooms. Enhance security at all levels of your facility with new and traditional access control solutions such as:

· Cloud, mobile and biometric readers and credentials

· Intercoms, visitor management systems and turnstiles

· Electronic key management and door locking hardware

Leverage Anixter’s extensive technical resources, supplier relationships and integrator network to simplify the process of designing, testing and deploying a security solution to fit your budget and needs.

For more information, contact your Anixter representative or visit anixter.ca/security.

Incorporating SALTO’s proven reliability and stability in cloudbased access control, SALTO KS - Keys as a Service - offers a solution that every business is looking for with vastly better functionality and performance than is possible with a traditional solution.

SALTO SYSTEMS INC.

950 Rue Valois, Suite 104

Vaudreuil-Dorion, QC, J7V 8P2

Phone: 514-616-2586

Email: info.canada@saltosystems.com www.saltosystems.com

SALTO KS provides a flexible access control management system that requires no software installation or the added expense of a fully-wired electronic product. All that is needed is an online device with an Internet connection.

www.saltoks.com