CS - September - October 2018



TESTING ROBOTS FOR SECURITY PATROLS

ABIDING BY NEW BREACH DISCLOSURE RULES

September/October 2018

TRAIN STAFF TO SNIFF OUT PHISHING EMAILS

THE PUBLICATION FOR PROFESSIONAL SECURITY MANAGEMENT

Security Director of the Year

The City Planner

Silvia Fraser has spent her first year at the City of Mississauga implementing an ambitious new plan for the security division. She’s also planning for the next decade and beyond.

Breach notification comes into effect on Nov. 1. Almost every organization suffers a data security breach of some kind, so preparation is paramount.

COVER PHOTO: SANDRA STRANGEMORE

SMARTER SECURITY

Outside influences and educational opportunities help to foster new ideas and team-building

About a month ago, I attended a smart building technology forum in Toronto hosted by Anixter.

The sessions were sometimes quite technical in nature, but engaging nonetheless, particularly when they focused on how technology is changing work culture. My interest lay in how security technology is evolving to meet the needs of today’s (and tomorrow’s) smart facilities. Or, put another way, how the demand for smarter and more efficient buildings has encouraged people to look at surveillance technology in new ways and use video data for purposes other than security, like determining room occupancy rates quickly and accurately.

“People and technology are finding new ways to play to their strengths.”

Group Publisher Paul Grossinger pgrossinger@annexbusinessmedia.com

Publisher Peter Young pyoung@annexbusinessmedia.com

Account Manager Adnan Khan akhan@annexbusinessmedia.com

Editor Neil Sutton nsutton@annexbusinessmedia.com

Assistant Editor Ellen Cools ecools@annexbusinessmedia.com

During a question period, I raised my hand to ask the speaker to clarify a point about smart home standards versus smart building standards. The next question came from a familiar voice in the middle of the room. It was Silvia Fraser, head of security for the City of Mississauga.

Really, I wasn’t surprised to see her there. Fraser has proven herself to be inquisitive about all kinds of matters, security and otherwise.

When I first met Fraser, she was a supervisor within the City of Toronto’s security department and also a manager for the Union Station Transit Secure program. “This has been the most challenging project of my career,” Fraser told Canadian Security magazine back in 2009. Now, almost a decade later, she would likely respond differently.

Canadian Security’s editorial advisory board selected Fraser as Security Director of the Year for 2018 after only a year in her current role at Mississauga. It’s unusual, but not unprecedented, for a nominee to receive the award early in their tenure, and Fraser’s track record speaks for itself.

One of the things Fraser does best, I think, is utilize her “non-security” experience to make her department that much better. She is quite vocal about security departments in general becoming better at articulating their value proposition to stakeholders and vocalizing their accomplishments. In this case, we’re pleased to be the ones to acknowledge Fraser’s achievements and we look forward to hearing more in the future.

By the way, you can read more about Anixter’s smart building session and how security technology is adapting in the October issue of Canadian Security’s sister publication, SP&T News.

From my perspective, both people and technology are changing quite rapidly in this field, and finding new ways to play to their strengths. It’s exciting times for security and I have no doubt we’ll be celebrating the accomplishments of free thinkers like Fraser for years to come.

Art Director Graham Jeffrey gjeffrey@annexbusinessmedia.com

Account Coordinator Kim Rossiter krossiter@annexbusinessmedia.com

Circulation Manager Aashish Sharma asharma@annexbusinessmedia.com Tel: 416-442-5600 ext. 5206

President & CEO Mike Fredericks

Editorial and Sales Office

111 Gordon Baker Rd, Suite 400, Toronto, ON M2H 3R1 (416) 442-5600 • Fax (416) 442-2230 Web Site: www.canadiansecuritymag.com

Canadian Security is the key publication for professional security management in Canada, providing balanced editorial on issues relevant to end users across all industry sectors. Editorial content may, at times, be viewed as controversial but at all times serves to inform and educate readers on topics relevant to their individual and collective growth and interests.

Canadian Security is published six times per year by Annex Business Media.

Publication Mail Agreement #40065710

Printed in Canada I.S.S.N. 0709-3403


Circulation Anita Singh asingh@annexbusinessmedia.com Tel: 416-510-5189 Fax: 416-510-6875 or 416-442-2191 111 Gordon Baker Rd, Suite 400, Toronto, ON M2H 3R1

Annex Privacy Officer Privacy@annexbusinessmedia.com Tel: 800-668-2384

The contents of Canadian Security are copyright by ©2018 Annex Publishing & Printing Inc. and may not be reproduced in whole or part without written consent. Annex Business Media disclaims any warranty as to the accuracy, completeness or currency of the contents of this publication and disclaims all liability in respect of the results of any action taken or not taken in reliance upon information in this publication.

Digital commerce and the next line of defence

Retail

Secure 2018, hosted recently in Toronto by the Retail Council of Canada (RCC), focused on three areas of risk: fraud protection, data security and loss prevention.

Attendees heard experts speak about a range of topics, from racial bias in retail to cybersecurity to the impact of cannabis legalization.

The impact of data

One session, “Digital Commerce: Misconceptions and Opportunities,” was presented by Louis Davis, Moneris’ director of core payments and retail solutions, and Matt Crawford, Moneris’ director of emerging and value-added services.

According to Davis, digital commerce (or ecommerce) has become increasingly popular. In fact, cash only represents 13 per cent of point-of-sale transactions in Canada today.

Moreover, while there are concerns about data security, ecommerce is actually more secure than cash, he maintains. Cash is difficult to trace, Davis explained, and employees moving cash to be deposited at a bank are at a greater risk of being robbed. In contrast, data transmitted in contactless transactions can be managed carefully.

“There are regulations not only from a government perspective, the PCI [Payment Cards Industry] Council, card brands, also have fairly strict rules about how that data is managed,” says Davis.

Additionally, there are mechanisms that help secure the data, including tokenization, whereby a pseudo number (a token) is created that represents the card number. Those tokens can be used in a number of ways — they indicate what was bought, the price, when the transaction occurred, etc. If a consumer requests a refund, “that data that was captured on the original purchase comes back, and [retailers] can actually verify [it].” All this makes it very difficult to compromise the information.

Moreover, data can help retailers manage fraud by showing anomalies in purchase patterns and store transactions.

“We can identify the user of a transaction [through biometrics]. There’s a solution in the market that looks at how you interact with your device, for example,” Crawford added. And “as digital commerce becomes more ubiquitous, the security measures are following along.”

Removing the plastic card

In an interview with Canadian Security after their session, Davis and Crawford further discussed the rapid evolution of digital commerce.

“According to Moneris’ Q2 contactless data,” said Davis, “the total number of contactless transactions grew by 31.83 per cent.” And this growth will only continue as digital commerce integrates with Internet of Things (IoT) devices.

For example, there is currently a pilot program in place that would allow a car to transact a payment for gasoline automatically without the driver ever having to present their credit card at the pump.

“It’s accelerating…the removal of the plastic card from the environment,” Crawford explained. “Essentially anything that can store data becomes a credit card in the more traditional sense and facilitates payment.”

While the development of more IoT endpoints can pose a security risk, Crawford and Davis believe that the security concern is no greater than those that already exist.

“I think that it’s just a matter of the maturity of that technology versus what we have now,” Davis concluded.

Porch pirates

But physical theft remains a concern among retailers, as York Regional Police’s Andrew Quibell, detective, financial crimes unit, and Rob Vingerhoets, detective constable, financial crimes unit, explained in the session, “The Porch Pirates: ‘Addressing’ the Issue of Porch Theft for Retailers.”

“Porch pirates” — thieves who steal packages delivered to consumers’ front porches — are very difficult to stop. They are very bold, in some cases impersonating Canada Post or UPS workers, and are very organized and prepared — not simply opportunistic criminals. And while technology advancements, such as smart security cameras and video doorbells, can help law enforcement identify the perpetrators, nothing can be done to stop the crime, said Vingerhoets and Quibell.

For retailers, this means a balance must be struck between risk and customer experience. Additionally, they must create more risk-based discussions among their employees and customers. Law enforcement can help by encouraging retailers to share their experiences with each other and law enforcement.

The No. 1 solution? Raise awareness among the public.

Rob Vingerhoets (left) and Andrew Quibell, York Regional Police, with moderator Rita Estwick, Canada Post, presenting on the issue of ‘porch pirates.’
Louis Davis (left) and Matt Crawford from Moneris presenting at Retail Secure 2018.


ASIS Montreal golf tournament benefits Shriners Hospital for Children

On Sept. 11, ASIS Montréal chapter 196 held its annual golf tournament at La Madeleine golf club in Ste-Madeleine, Québec.

This year, ASIS Montréal decided to associate this event with Shriners Hospital for Children – Canada, located in Montréal.

We had the privilege of having Georges Laraque, former NHL player, as honorary president of our golf tournament and also vice-president of the Shriners International Council of Governors, David Merrett, present at our event.

The golf tournament was a success with more than 80 participants, volunteers and sponsors. Together we collected $3,265, which was given to the foundation of Shriners Hospital for Children – Canada.

ASIS International also awarded the ASIS Montréal chapter the 2018 Community Service Award for hosting the golf tournament to benefit sick children. They sent a $1,000 cheque to the foundation for this event.

Again, ASIS Montréal demonstrated its capacity to mobilize people for events that are to the benefit of our community.

Thanks everyone for this fantastic achievement.

Sylvain Arsenault is the president of ASIS Montréal chapter 196.

LETTER TO THE EDITOR

Re: Canadian Security 40th anniversary issue (July/Aug 2018)

Your 40th anniversary issue was excellent. It could have been “more excellent” if it had featured an article on the evolution of women in security. We have industry groups that are focused on women in security but they look at today’s situation. It would have been interesting to know what it was like in the ’70s and hear from women about the challenges they have faced. Data on the current situation would also have been interesting — knowing what the current hurdles are could help women advance in the industry.

I did see women well represented in the articles in the magazine and I appreciate that. However, if you look at one hundred pictures of security events and personnel, you see a lot of old white guys in suits. I think we still have a way to go to make our industry demographically representative.

Thanks for the excellent work that you do. I look forward to every edition of Canadian Security.

Len Babin, CPP, ABSP Primoris Associates Inc. Montreal, Que.

If you would like to submit a letter to the editor, please visit www.canadiansecuritymag.com/submit-letter-to-editor

Sylvain Arsenault, president, ASIS Montreal chapter, NHL great Georges Laraque, and Jonathan Trépanier, secretary, ASIS Montréal chapter, presented a cheque to Shriners Hospital for Children in Montreal.


SHARE THE WEALTH

GSX and other such gatherings are an opportunity to network and collaborate

I’m writing this article in advance of 2018’s Global Security Exchange (GSX).

I hope I had a chance to meet the readers of this column at this event, to talk about the security industry in general and Enterprise Security Risk Management in particular. I enjoy attending and participating at GSX — it’s a chance to network with global security peers, share experiences and identify common goals and objectives to focus on as a profession.

If you’ve been reading this column regularly, my last article was a call to action for security professionals. I asked the readers of this column to reach out, contact me, and tell me how you’re using the principles and philosophy of ESRM to benefit your organization or the organizations you help through your services.

I’m hoping that as we return to our organizations after being re-energized at GSX, we seek out opportunities to identify how ESRM can help organizations reduce risks and achieve strategic objectives. You may be focused on one aspect of your security program, and now see a way to use an ESRM approach to create a more business-focused solution to a problem. Or you could be in the initial phases of an enterprise security program review, and want to look at a different framework to reduce risks to your critical assets. Perhaps you’re assessing your business resilience plan and realize that work completed for this project could easily transfer into an ESRM framework.

Regardless of the project, I’m hoping you return from GSX with more knowledge about ESRM and how you can apply the principles to a project, an initiative or even your whole security program. It’s a daunting task, looking at your existing security program and trying to determine if your security team, and your executive leadership, are ready for a new approach to enterprise security. But that change in thinking is what organizations need to do if they want to remain successful in the years to come.

The courses presented at GSX were designed to involve the audience, engage them in positive dialogue and present different aspects of a risk-based, business-focused approach to security. From the full day event that gave attendees the opportunity to create an ESRM-based security program, to fireside chats in a more intimate setting, the messaging was the same — ESRM works, and ASIS is here to help!

Over the next few years, the ASIS Board-sponsored initiative will continue to provide education, awareness, training material and exposure to different aspects of the ESRM framework and philosophy. A guideline has been developed for ASIS members, and will be made available for review during the latter part of 2018 and into 2019. A tool to help members assess the readiness of their organization to adopt ESRM principles is being developed and will allow ASIS members to conduct maturity assessments in their own organizations. ESRM education and awareness materials will continue to be created and will soon be available to ASIS members, including an introductory session that can be presented at the chapter level.

All of these activities still rely on you, the security professional, to engage and share your experiences. We need to hear from different organizations, different leadership teams, and different countries on how well ESRM can work (or is already working) in your environment. As ASIS continues to become a truly global society, our appreciation of how ESRM works across organizations, countries and cultures is critical to ESRM’s success.

We need to learn from our fellow security professionals tasked with protecting our people, property and information in all corners of the world. Share your ESRM experience!

Tim McCreight is the principal consultant for Online Business Systems (www.obsglobal.com).


councillors, including our clients and our staff, and readjusted the plan,” she says.

“I spent a lot of time looking at the way the security unit is structured and making sure that, fundamentally, it’s supporting what we want to provide.

“It’s not just next year or the year after, but in 10 years. I want to know where we’re going to be in 10 years. I want to know how we’re going to get there.”

“She has been championing change and she wants to make a difference,” says Raj Sheth, the City of Mississauga’s director of facilities and property management. “She has a get-it-done attitude.” Sheth is also Fraser’s senior director and the individual who submitted her nomination for the Security Director of the Year award.

Long-term goals are nothing new to Fraser. Fraser moved to Canada from Romania 23 years ago without speaking fluent English. She took odd jobs to get by and eventually found work as a security guard in the City of Toronto. Fraser accelerated through the supervisory ranks within the city’s security department, carving out a 15-year career, before switching gears and taking on management opportunities at the City of Toronto’s housing department. Fraser moved back into security full time when she accepted the head of security position at Mississauga last year.

(You can read a more comprehensive account of Fraser’s rise to management in the July/Aug issue of Canadian Security, where she is profiled as the recipient of Canadian Security’s inaugural Community Leader Award.)

So where does Fraser see the City of Mississauga’s security division a decade from now? Realistically, the status of any security department 10 years hence is educated guesswork. There are too many variables to consider. But it’s the variables that really interest Fraser. The more you understand the variables and measure them, the more you can position security as a proactive organization that can mitigate threats rather than simply respond to them.

Raj Sheth, director of facilities and property management, says Fraser is committed to positive change.
From left: George Cook, transit enforcement officer; Shallu Ram, transit enforcement officer; Paul Mercier, municipal law enforcement officer; Silvia Fraser; Dan Haines, supervisor, transit enforcement; Breanne Hadley, transit enforcement officer
PHOTOS: SANDRA

Operational Excellence, perhaps the most comprehensive of the three areas of focus in the security plan, is about the development of standard operating procedures, staff training and incident reporting. Standardization is also key to achieving metrics, something Fraser places great value on. Metrics can be used to make business cases, quantify performance and make adjustments on the fly.

Fraser is effusive when it comes to most aspects of security, but it’s probably when she’s talking about staff that she becomes the most animated. When Fraser started to implement the new security plan, she says she “moved some pieces forward a lot quicker,” including a “focus on people.”

Fraser is responsible for a team of 78 security personnel, including two security managers, nine supervisors and frontline staff. The department itself oversees security in public areas including parks, libraries, city transit and municipal facilities. Within the larger department, there is a security operations unit and a crime prevention unit, as well as security systems.

She engages in what she calls “visioning sessions” with staff, helping them to articulate security’s role in the broader city structure. “I strongly believe that our staff have to be engaged in the planning process. I could come up with a vision, I could come up with a plan, but if our staff or our clients don’t believe in it or in why we’re doing this, then that’s a problem.”

She maintains an open door policy with staff, offering advice and mentorship, as well as a more prescribed training program. Mississauga’s security department, like many security departments, experiences the turnover of career-minded guards to law enforcement and other professional pursuits, but “it’s great,” says Fraser. “They’re getting the experience they need to get.”

Shallu Ram, a transit enforcement officer working for the city, says she’s met with Fraser a number of times.

“She’s invited myself, and anyone on our frontline team, to come and speak with her in regards to not only career development, but also anything to do with personal development,” she says.

Ram says Fraser counselled her to assess her priorities and make a plan. Ultimately, she aims to go back to school and earn a psychology degree.

“As a leader, I think the most important aspect is to understand your frontline staff and be closer to them,” offers Fraser. “For me, it’s even more than that. It’s about being there as a mentor and really helping them go where they need to go.”

A major goal for Fraser and the city’s security plan is building bridges between departments and with the community at large. Whether that means engaging with city councillors to share a common vision or working with the city’s IT department, Fraser is dedicated to weaving security more effectively into the city.

She says her meetings with stakeholders are about “really listening to what their concerns are, and standing back and saying, ‘OK, where are we going?’ Yes, we want to prevent things — nobody’s going to argue with that. But how? So now we’re talking about the ‘how.’”

Fraser’s experiences outside of security during her time in Toronto contributed to her understanding of the broader implications of municipal management, she says. When she took the position with Toronto’s City-Wide Real Estate Program, she wanted to learn more about how the city manages land and property, as well as governance as a whole. She also went back to school to study public administration. “As I moved away from security and looked back, it was really one of those ah-ha moments,” she explains.

Fraser and team. The O Canada art installation is located inside Mississauga City Hall. The letters were fabricated by Imagine It – 3D, and painted by Amrita Virdi and members of the community.
Shallu Ram, a transit enforcement officer, has met with Fraser for personal and professional development.
PHOTOS:

“What we really appreciate with Silvia is how she’s instilled a culture of collaboration, of communication,” says Paul Damaso, director of arts and culture at the city. Damaso’s department is responsible for organizing and running large-scale public events, which also entails working closely with security.

“We really look at security as being a partner and not just a service provider,” adds Damaso. “She’s really instilled that in her team.”

Fraser was also invited to be part of Mississauga’s Smart City working group and she has completed the Lean Green Belt certification, a methodology that emphasizes continuous improvement and efficiency optimization. (All members of her division have subsequently earned their Lean White Belts based on her encouragement.)

The Lean approach also helped in the development of standard operating procedures and to improve approaches to data collection and documentation, she says.

The third pillar that Fraser is responsible for is managing the security infrastructure on an ongoing basis — perhaps less glamourous than the big goals of transformation and outreach, but it’s the engine that keeps the department moving. The major responsibilities that fall into that category are maintaining services and equipment like access control and intrusion detection.

Fraser is the first to admit that while she has been extremely active in her first year of service at Mississauga, there is still a great deal more work ahead. But she’s approaching this role as she has approached all others: an opportunity for growth and an opportunity to make a difference.

When asked to sum up her future plans, and those of her department, she responds, “Be more intentional.”

“We’re really talking about risk management here. We really are in the business of reducing or mitigating risk. What I’m doing with the unit is, let’s do it methodically, let’s do it with a lot of information, let’s do it thoughtfully.”

Preparing for Canada’s new data privacy rules

Organizations should be well-acquainted with the new breach disclosure policy coming Nov. 1

Companies are becoming increasingly aware of the consequences of not protecting client data. Over the past several years, there have been a number of high-profile security breaches that have led to falling share prices, long-term reputational damage and hefty recovery bills. The cost of ill-preparedness can be immense, which makes it very important for Canadian companies to think ahead to when the new “Breaches of Security Safeguards” rules of the Digital Privacy Act come into effect on Nov. 1, 2018.

What do the new regulations mean?

The Digital Privacy Act is an extension of the Personal Information and Electronic Documents Act (PIPEDA), a federal law that oversees the way private companies collect, use and store the private data of customers. On Nov. 1, companies will need to comply with two main areas:

• Breach disclosure: Companies that suffer a Personal Identifiable Information (PII) data breach will be required to disclose the incident to the Office of the Privacy Commissioner and to affected individuals in a timely manner. Disclosure must further include both a public announcement and direct communication with the parties involved.

• Record keeping: Companies that suffer a data breach will be required to keep all records associated with the incident for a minimum of two years.

Companies that fail to comply with these regulations could face fines of up to $100,000 per record breached. That doesn’t include any additional fines from the Privacy Commissioner’s Office for negligence or civil litigation damages that arise from the incident. These rules apply to all companies in Canada, regardless of size.

Getting prepared

Companies need to ensure they have policies and an incident response plan in place for Nov. 1. If an organization thinks it can wait until it’s attacked, it will be too late. The findings from Scalar’s 2018 Security Study show that companies should be prepared to be breached: 9 in 10 Canadian companies suffered a security breach last year. Of those companies, 41 per cent had private data exposed. The corporate mindset needs to be “when we are breached,” not “if we are breached.”

The first order of business for any organization needs to be the creation of an incident response plan along with a detailed map of security guidelines. The aftermath of a security breach is stressful — that’s not the time to be building a plan. Companies should take steps to ensure that every department is prepared in the event of an incident:

• Work with both the legal and communications teams to build an appropriate response plan.

• Work with security partners to map out monitoring and security measures.

• Proactively update the response plan as needed.

• Complete tabletop rehearsal exercises to ensure key stakeholders are familiar and comfortable with the IR plan.

Having a rehearsed incident response plan will not only help organizations respond effectively to a breach, but also ensure they understand and disclose information as required by the new Digital Privacy Act regulations.

The best defence

With the risk of a fine of up to $100,000 per record breached for non-compliance, it’s crucial that companies are prepared for the new regulations on Nov. 1. Once a response plan is in place, organizations should consider a complete IT security plan to prevent and detect breaches. Some items that should be on any checklist include:

• A policy and process review to understand how data is collected, used, stored and destroyed.

• A Threat Risk Assessment to understand which threats are most relevant to your organization based on how you conduct business.

• Security controls to protect against breaches.

• Monitoring and detection systems to detect breaches and store breach-related information.

• At rest and in-transit data encryption.

• Systems for data storage, destruction and retention.

Whether large or small, every company should have a resilient IT security program in place to mitigate the risks of a costly cyber breach. Adequate preparation can prevent larger expenses in the future.

Companies today are collecting and storing vast amounts of customer data. With the government introducing new legislation about the safeguarding of that data, every organization needs to take concrete steps to prepare for a potential breach or risk very real fines under the Digital Privacy Act.

Theo Van Wyk is the chief technology officer – security, Scalar Decisions (www.scalar.ca).

EXPERT ADVICE

PHISHING LESSONS

Bryan Pollitt is the vice-president of services for ISA (www.e-isa.com)

The human element remains a key area of concern when it comes to cyberattacks: from an employee losing a laptop on public transit to ex-employees who still have access to corporate networks. This is not new.

While organizations have traditionally made investments in technology to combat cybercrime, what’s needed now is a more co-ordinated approach to social engineering. This means getting away from the traditional model of herding people into a room and bombarding them with information.

Instead, organizations need to take a more dynamic approach to training staff when allocating budget for cybersecurity spending. With a traditional cybersecurity training approach, businesses have no way of determining their ROI. They are throwing money at the problem without getting any tangible results.

Better results can be achieved by bringing in a third party to implement a more tactical approach to security awareness. In this scenario, they would not only teach staff about cybersecurity and their role in helping to prevent attacks, but actually test employees on their knowledge in a real-life situation.

For example, the third party could start by implementing internal phishing campaigns to get a baseline that determines where an organization is in terms of click rates for opening nefarious emails. Once a baseline is established, they would follow up with training modules to educate staff, with the goal of lowering the click rates in subsequent internal phishing campaigns. By making it progressively more difficult for employees to discern whether follow-on phishing campaigns are legitimate email messages, the test enables users to become savvier.

Email is used specifically because it’s still the No. 1 area of concern for IT leaders, and it is how the “bad guys” might compromise an organization when an employee falls prey to a phishing scam. That’s why the best approach to combatting cybercrime requires a combination of technology that can scan incoming emails and programmatic training for employees.

Technology is not foolproof and that’s another reason why it’s important to focus on the human element, which relies on users to discern a legitimate email from a malicious one, along with engaging in acceptable behaviour, duties and responsibilities.

That, combined with the approaches outlined above, could save a business from being the catch of the day.

SOCIAL MEDIA AS A WEAPON

Messing with the Enemy: Surviving in a Social Media World of Hackers, Terrorists, Russians, and Fake News

ISBN: 9780062795984

If you’ve ever wondered how, why or even if Facebook, Twitter, YouTube, and other social media affected the U.S. elections or destroyed Al Qaeda and gave rise to ISIS, here’s your answer.

The book is, “Messing with the Enemy: Surviving in a Social Media World of Hackers, Terrorists, Russians, and Fake News.” Author Clint Watts, a CIA and FBI veteran, is now a senior fellow at the Foreign Policy Research Institute and a senior fellow at the Center For Cyber and Homeland Security at George Washington University.

Watts opens his book like a thriller. He chronicles how, after leaving the FBI and entering academia and private practice, he used social media to “mess with the enemy.” He tracked down a suspected terrorist’s location, and even engaged him in Twitter conversations.

Watts lured him to his blog, knowing that when he read it, he would immediately comment on Twitter. The comment told Watts his target accessed his blog, and using the analytical metadata the blog’s web page collects, Watts noted recent accesses from Somalia.

But this isn’t the only story in the early chapters. He explains the evolution of terror-related social media from the leaden delivery of Bin Laden’s speeches on videos sent to TV stations or posted on pre-9/11 internet forums and bulletin boards to the more modern, active and inspiring posts.

These latter posts — videos and tweets — recruited jihadi “fan-boys” from western countries to head to various war-zones.

The old guard of Al Qaeda lost the ideological internal battles with new, techno-savvy upstarts who wanted instant gratification, not Al Qaeda’s longer-term plans as plotted by Bin Laden. But in doing so they lost control — there’s a very interesting part of the book that discusses Al Qaeda’s business practices, where they seem more like harried middle managers dealing with recalcitrant employees.

Issues in the Middle East are not the main topic of this book — the use of social media is, and very soon Watts takes us to the rise of Vladimir Putin, and the two-decade change from post-Soviet military might as a tool to gain and maintain control, to, as the author writes, “Active measures...the tagline for the Soviet campaign to defeat the West ‘through the force of politics rather than the politics of force.’”

Here is where we find the genesis of the effects we here in Canada and the U.S. are experiencing now.

You see, Putin’s plan, born from his experiences in the KGB, includes targeting people “ripe for influence and manipulation.”

Clint Watts walks us through clandestine worlds and nefarious plots in “malicious” detail.

He’s a good writer and the reader will be able to follow what he’s saying, but it’s a complex book and requires a great deal of attention from that reader. The book is divided into chapters but it’s really one long thread of activity.

Add to the mix the Crimea and Panama Papers and WikiLeaks and more; and the U.S. election — “The Russians didn’t have to hack election machines; they hacked American minds.”

This fascinating study should be required reading for anyone in the corporate intelligence and security worlds.

External politics affect businesses, for sure, but these same tactics can be used directly against private companies and individuals.

We security professionals pooh-pooh this unseen power of social media at our peril; maybe at everybody’s peril!

Derek Knights is the principal of Knights Business Writing Services.

Electronic actuator

Southco

Capable of accommodating higher mechanical loads, the AC-EM 10 Electronic Actuator facilitates the electronic actuation of Southco’s R4-10 Rotary Latch series and other latching mechanisms. When connected to an electronic access control device, the actuator can be used to remotely actuate a mechanical latch to open or unlock a door or panel. Its small profile design and gear motor operation make it ideal for concealed applications where physical space is limited. IP55-tested for water and dust protection, the AC-EM 10 can be retrofitted using a standard cable connection for manual override.

www.southco.com

Mantrap portal solution

Boon Edam

The Circlelock Combi is a “half portal” solution that helps security executives prevent unauthorized entry into high security areas currently using fire-rated swinging doors. The Combi was designed as a retrofit option to address the risk that exists with swinging doors — once an authorized user opens a swinging door, other people may also gain access (“piggybacking”). The Circlelock Combi attaches to an existing fire-rated door, converting it into a mantrap solution that prevents piggybacking 24/7 and eliminates the need for manned supervision. A cylindrical solution with a single sliding door on one end and an opening on the other end, the Combi is mounted to an existing wall and swing door. Using Boon Edam’s StereoVision2 detection technology in the ceiling to scan the compartment and ensure a user is alone prior to unlocking the swing door, users can choose to prevent piggybacking for inbound and outbound traffic.

www.boonedam.us

Electric door strike

Camden Door Controls

The CX-ED1410 is a Grade 1 ANSI fire strike for UL fire rated doors/frames with cylindrical locksets. It offers selectable 12/24V, AC/DC voltage, fail safe/fail secure operation and includes an ANSI square faceplate and trim plate. The CX-ED1410 is designed to deliver application flexibility over several years. Rated UL 90 minutes for fire and UL 1034 burglary listed, the strike features a 3/4 in. latch projection.

www.camdencontrols.com


Power supplies

ASSA ABLOY

Securitron AQ Series Power Supplies are available in 1-16A variants to support single door systems to enterprise access control systems. Customers can use any combination of the seven power supplies and nine distribution boards in any UL-listed enclosure and maintain UL certification. The new power supplies provide better than linear performance, with dual and single voltage options, up to 93 per cent efficiency, thermal shutdown protection with auto restart and an integrated or dedicated battery charging circuit to prevent overvoltage on locking devices.

www.assaabloy.com

Entrance control system

Orion Entrance Control

The new DoorGuard system, which utilizes LIDAR technology, uses the S3 sensor developed by Quanergy. The sensor communicates directly with Orion’s technology systems and the Infinity Remote Lane Control software to link to perimeter doors and stairwells. The DoorGuard unit is mounted above a door and integrates to the access system and Orion’s Infinity software. The LIDAR technology generates half a million data points per second with signal processors that calculate the Time-of-Flight (TOF) of each light pulse for greater accuracy. It is designed to detect one credit per person. It can detect people trying to enter a building by tailgating and can set off warnings if a door is open for too long.

www.orioneci.com

Smart card reader

Innometriks

The Cheetah SE High Assurance smart card reader from Innometriks provides end users with a compact, high-assurance reader for installations requiring two-factor authentication to meet federal credentialing requirements. Cheetah SE readers can integrate into existing physical access control systems for authentication and network environments for administration. The reader provides tiered authentication levels designed to enable the incremental rollout of PIV-enabled access points and is able to read FIPS-201 based credentials. Using a secure browser connection, end users can manage enterprise installations and network-based firmware upgrades from a central location. With support for Software House RM Reader functionality, end users can remotely activate cameras, doors and other events.

www.innometriksinc.com

Secured Entry, Simplified H4 Video Intercom

Remote Entry Control

The H4 Video Intercom integrates a 3 MP camera with a high-performance intercom featuring exceptional wide dynamic range, low-light, noise reduction and echo-cancelling technologies for clear viewing, and two-way communication with visitors.

Using Avigilon Control Center (ACC) software, operators can receive, review and respond to intercom requests, and remotely grant access.

Avigilon Appearance Search™ Technology

Incorporates the unique characteristics of a person’s face to search for the same individual even if items such as their clothing change over time.

LightCatcher™ and Infrared Technologies

Provides clear image detail in a broad range of challenging lighting conditions, including nighttime.

Vandal- and Tamper-Resistant Housing

Aluminum construction provides reliable strength and durability in both surface and flush mount models.
