Security education for everyone
Getting the security message across isn’t always easy, but a friendly approach and C-suite buy-in can work wonders.
By Will Mazgay
Safer globetrotting
Pay attention to your surroundings and always be prepared before entering a new country.
By Matthew Porcelli
Empathy in health-care security
Hospital environments can be fraught with emotion and tough times. Security departments that show compassion will get results.
By Martin Green
Effective shift management for security guards
Use technology effectively, equip your guards with the right tools, and recognize that fatigue will impact job performance.
By Shahbaz Hussain
Shifting the advantage
The cybersecurity arms race is real. Know what your opponent is thinking in order to keep up and maybe get ahead.
By Derek Manky
By Neil Sutton
SECURITY IN THE 2020s
How the profession will continue to grow in a new decade
I joined Canadian Security magazine way back in 2007 — by quite a margin, Canadian Security is the longest I’ve spent at any single publication over my journalism career. I’m never at a loss for trends to follow, stories to tell or new topics to cover. So with more than a decade behind me, it’s time to take a look at what the next 10 years will bring.
This first issue of the 2020s is an ideal one to examine rising trends. In this issue we cover climate change, travel security, young professionals, data breaches, training, soft skills, technology enablers and more.
I think by far the biggest shift in the last decade has been the idea that security departments can measure and operationalize risk, which can provide an organization more options rather than simply narrowing them.
Here’s a few more trends I expect to continue:
More automation. Realistically, a human can’t keep up with the demands presented by relentless network attacks, necessitating ever more complex machine responses to the problem. There’s also the issue of the skills shortage in cybersecurity. If there aren’t enough people to help defend a network infrastructure, automation may be the only valid option. This came up in my conversation with RSA’s CSO Shawn Edwards (see p. 6) and is discussed in greater detail by Derek Manky of Fortinet on p. 28. On the surface, this applies more readily to network defence, but automation also affects physical security. We’ll likely see more of the low-level decision making (what constitutes a physical threat) deferred to machines then escalated to a human if/when action has to be taken.
Security’s role on the world stage. Not to overstate the situation, but this is a big one. Over the last 10 years, we’ve seen global terrorism go into overdrive, active shooter incidents make headlines and a disturbing number of vehicular attacks on pedestrians. In the last decade, this has been brought home to Canadians by incidents like the shootings on Parliament Hill in 2014 and the Toronto van attack less than two years ago. Emergency services may be the first to respond to a crisis situation, but security professionals are going to play an increasingly important role, particularly with their expertise in risk assessment and disaster planning.
Frontline steps up. The so-called “mall cop” image of frontline security is a tough one to shake. Security’s image came under scrutiny in the guarding roundtable Canadian Security hosted last year. Opinion was divided, but it was expressed that senior levels of security are mobilizing in the right direction (a seat at the C-suite table and more decision-making power) whereas frontline still faces a difficult time in terms of public perception. On the more positive side, professionals who are immersed in security know the value that frontline security can bring to an organization and as first responders. It just might take a little longer for the rest of the world to catch up.
Group Publisher: Paul Grossinger, pgrossinger@annexbusinessmedia.com
Associate Publisher: Jason Hill, jhill@annexbusinessmedia.com
Editor: Neil Sutton, nsutton@annexbusinessmedia.com
Associate Editor: Will Mazgay, wmazgay@annexbusinessmedia.com
Media Designer: Graham Jeffrey, gjeffrey@annexbusinessmedia.com
Account Coordinator: Kim Rossiter, krossiter@annexbusinessmedia.com
Circulation Manager: Shawn Arul, sarul@annexbusinessmedia.com, Tel: 416-510-5181
COO: Scott Jamieson, sjamieson@annexbusinessmedia.com
www.canadiansecuritymag.com
Canadian Security is published four times per year by Annex Business Media.
Publication Mail Agreement #40065710 Printed in Canada I.S.S.N. 0709-3403 Subscription
Tap Into Canada's Leading Markets
Security Canada Trade Shows are held in six powerhouse markets at the forefront of the Canadian security industry. Spanning key cities from east to west, these markets are home to thriving businesses and leading professionals that want to remain ahead of the curve, and they do it by attending Security Canada Trade Shows. Exhibit at one or all six of these trade shows to meet them face-to-face.
EAST: Laval, Quebec, April 22, 2020
ALBERTA: Edmonton, Alberta, May 6, 2020
OTTAWA: Ottawa, Ontario, May 27, 2020
WEST: Richmond, British Columbia, June 17, 2020
ATLANTIC: Moncton, New Brunswick, Sept. 16, 2020
CENTRAL: Toronto, Ontario, Oct. 21 – 22, 2020
RSA’s CSO: Security should be adaptive and flex with the user
Risk can be measured and put to the test: this much is acceptable; that much is too much.
It all depends on what the organization is willing to accept and the role of the security professional is to provide the necessary guidance.
There was a time when security was more binary with yes or no answers. Talking to Shawn Edwards, it’s clear that the perception of risk and the resulting conversations with the C-suite have shifted over the years, leading to a different relationship between the security department and the rest of the business.
Edwards is vice-president and chief security officer at RSA, a cybersecurity and risk management solutions division of Dell Technologies. His responsibilities include RSA and security aspects of Dell’s other businesses as well.
Edwards has some interface with the physical side of security at RSA, but largely through Dell’s physical security program, which provides the entire organization with guards, travel advisories, etc.
“They cover all those elements for me, so it’s almost like a managed security service, but within the Dell family,” he explains.
Prior to joining Dell, he was at Visa for seven years, where he led their cyber defence program.
Risk and culture
In today’s security culture, physical and digital risk share a similar approach “in the sense that there’s a risk assessment, a risk evaluation and then there’s a risk appetite evaluation,” says Edwards.
“Physical risk would be a good example where there’s very low risk appetite, whereas perhaps with operational risk or business risk, you have to be a little bit innovative, therefore you’re willing to accept a little more risk. Where that delta is between what level you’re willing to accept and where your maturity level is today kind of dictates risk mitigation.”
Edwards says the weakest points of a network tend to be the end points, i.e. people connected to the network via laptops or other devices.
“In my opinion, the greatest value and the greatest risk comes from where the human meets technology,” he says. With that understanding, security can adapt to human behaviour — people typically being creatures of habit.
For RSA, the concept of “digital risk management” is a big one. Edwards describes it as an “amplification” of risk. Given the speed of business and the rapid progress of digital technology, risk models need to keep pace with that velocity. It’s changed the conversation between security and business-focused aspects of the organization and created a new dynamic, he argues.
Edwards attends weekly leadership meetings that include RSA’s senior management. Not every conversation may pertain to security, “but the interesting thing is, I’m at that table and I’m having that conversation.”
If, for example, the organization wants to move a product to the cloud, “right away, I know that’s happening and I can start educating them on the risks… Having that conversation early and often is really going to help solve a lot of problems.”
Flexibility
At RSA, the concept of “adaptive authentication” speaks to the idea that security can be both flexible and smart.
“At RSA, we have a product called NetWitness. [It has] this capability called user and entity behaviour analytics,” says Edwards. “What that means is it understands that the person at the laptop always operates like this. They always come from this location or these locations. It understands behaviour — up at eight, ends at five. If all of a sudden at two o’clock in the morning from Uzbekistan they see a login, that’s an anomaly.”
Authentication and security should be smart enough to flag unusual behaviour, as well as recognize that people, while often predictable in their work and network access habits, do not all view security the same way. The easier you make security for the end user, says Edwards, the more likely you are to win their acceptance.
“If I have to type in my PIN, I’m OK with that,” he says by way of example. “But if I can do the facial recognition instead, that’s easier. I do want that frictionless experience as well, but I still want the security. I’m willing to sacrifice certain things — maybe my thumbprint or my face — in order to actually gain that frictionless experience. Some people may not…. Authentication has to flex with the people that are using it.”
— Neil Sutton
CALENDAR
March 3, 2020: Security • Police • Fire Career Expo, Toronto, Ont. www.emergencyservicesexpo.ca
March 18-20, 2020: ISC West, Las Vegas, Nev. www.iscwest.com
April 16, 2020: ASIS Toronto Best Practices Seminar, Toronto, Ont. www.asistoronto.org
April 22, 2020: Security Canada East, Laval, Que. www.securitycanada.com
Security Canada Central, Toronto, Ont. www.securitycanada.com
New app to bring on-demand approach to guarding
A new app aims to take some of the heavy lifting out of the guarding industry, offering what is essentially a guard-on-demand service for clients with specific or short-term needs.
The app, called Numze, has been in development for some time. Company co-founder Paul Carson, a security industry veteran, says that Numze is similar in approach to popular ride-sharing mobile technology, allowing security guards to register as the service provider and clients to procure their services, all mediated through the app.
Licensed guards can register their information with Numze, including business and personal references. A follow-up call is placed by the company to the guard and a determination is made as to whether they will be added to the service. Guards will like it, says Carson, because they can choose the number of hours they work, as well as the clients they work with. They can also choose their method of payment and how frequently they would like to be paid (daily, weekly, bi-weekly or monthly). He estimates that guards may be paid 15 per cent more than the industry norm.
Potential clients can register for an account and request the number of guards they need and when they need them. The app will also ask questions of the client, such as the availability of washroom facilities or other particulars. Once the job is made available on the app, a guard can accept and the app facilitates a direct communication between client and guard.
Like a ride-sharing app, the client can rate the guard and vice-versa, which creates a checks and balances process on both ends. The rating system is designed to hold the guard to a higher standard than what’s sometimes seen in the industry, says Carson. “Guards come hither and yon through the industry. If they’re a bad guard, they get cycled through a number of companies. But you, as a client, don’t know that [history]. With this app, you get to rate the guard,” he says. “If the guard has done great work — fantastic. If the guard has done mediocre work, we find that out too. It drives efficiencies and it drives process improvement all the way through.”
A more radical notion for the established industry is that the guard can rate the site, adds Carson. If a single site receives enough poor ratings from guards, a problem may lie with the employer rather than the employee, he says. The onus shifts to them to improve or they’re unlikely to find guards in the future to staff their site. “We’re allowing guards to make informed decisions as to where they’re working and vice-versa.”
The service launches first in Ontario, according to Carson, with plans for B.C., Alberta, Quebec and even the U.S.
A development roadmap for the Numze app will see multiple versions with additional features provided later in 2020. At press time, the app was in registration-only mode via Google Play with wider availability for clients coming in February. An App Store version will also be available.
For Carson, Numze represents a sea change in the industry. “It’s a process improvement through a myriad of different steps that is light years ahead of where the industry is right now,” he says. “We’re bringing technology to logistics. The security guard industry, amongst other things, is human logistics.”
Adds Carson, “It’s going to be an interesting time in the security industry. People can work how they want and where they want. And that’s the motto.”
— Neil Sutton
health care security
Learning from the best in health-care security
Focus On Healthcare Security, held Dec. 5 in Toronto, provided healthcare security professionals with an opportunity to learn from the industry’s best.
The presentations touched on such varied topics as fentanyl, de-escalation techniques and managing major events like the Toronto Raptors championship parade this June. More than 100 security professionals attended the event, which was supported by the International Association for Healthcare Security & Safety, Paladin Security, AppArmor, Compugen, GardaWorld, Securitas and Convergint Technologies. Details about the 2020 event will be available soon.
Noreen Milne, manager, security services, Unity Health Toronto, was recognized by IAHSS with the organization’s Ontario chapter security and safety leadership award. The award was presented by Martin Green (left) and Paul Greenwood (right). Milne and Greenwood also led the Raptors parade seminar.
Event sponsor AppArmor is a provider of custom-branded mobile safety apps.
Alan Butler, president of IAHSS and senior vice-president, healthcare security for HSS Inc., provided an update on IAHSS partnerships and initiatives.
Detective John Margetson, Toronto Drug Squad, Toronto Police Service, led a seminar describing the scope of Canada’s fentanyl crisis and its impact on the health-care system.
Steve Summerville, president of Stay Safe Instructional Programs, provided a presentation on de-escalation techniques in health-care environments.
Event sponsor Paladin exhibited at Focus On Healthcare Security and also presented a business case study.
By Josh Darby MacLellan
Support your local young professional
Starting out in a career in the security sector can be daunting, and I will call out anyone who pretends they had it all figured out from day one.
Even seasoned young professionals (YPs) sometimes feel like they are fumbling around in a dark room, trying to find the light switch. It can be a stressful, scary and intimidating stage in life. The support that ASIS International offers YPs, and that we can offer each other, can alleviate a lot of that angst. Simply knowing that someone you respect, and who is highly successful, had the same troubles you currently face can be reassuring.
There’s no question that YPs are propelling ASIS’s progression. The YP International Council brings in YPs to ASIS from across the globe for cross-education, program collaboration, and professional projects. This is a milestone year for the YP Council as it will celebrate its 10th anniversary on Sept. 21, 2020, in Atlanta during the ASIS GSX conference. The council continues to drive ASIS with initiatives like Operation Silent Chapters 2.0, which reinvigorates regions experiencing a lull in ASIS activity. Further, the International Risk & Resilience Webinar Series Volume 4 is set to kick off in late February 2020 in partnership with the ASIS Italy Chapter. Through activities like these, the YP Council is creating career development opportunities for YPs when it is arguably most crucial.
This type of support system for YPs is rare to find. Even sectors with vibrant industry associations often lack dedicated forums for those new to their careers. I’ve had dozens of conversations with friends outside of the security industry who envy what ASIS provides.
In addition to the international level, I’ve witnessed the support YPs offer each other locally and nationally. As chairperson of the ASIS Toronto Chapter YP Committee, I couldn’t be prouder of the team. (Huge shout out to Kyle Klein and Romaine Levy!) I consistently observe YPs from across the sector helping each other out. From offering advice about certifications to sharing job vacancies, YPs are constantly stepping up. As a co-ARVP (Assistant Regional Vice President) for Canada’s YP program, I’ve had the privilege of participating in a national forum in which YP liaisons from every Canadian chapter support each other and the YPs in their regions with events, advice and networking.
Beyond standard YP-to-YP support, we in the security sector are uniquely positioned to co-operate with our competitors. In the financial sector, workers in most departments typically don’t befriend their counterparts in other banks, but in corporate security and information security, they often do. Competing organizations in a tough market unite in facing very similar threat environments, whether from a gang of bank robbers or the latest ransomware. Through sharing information and support, they can help mitigate security threats.
If you don’t already, I would encourage you to make time for others — especially those who you perceive can offer you nothing in return, because those are the people who will appreciate it the most. Yes, it takes time to meet with a YP-in-need for coffee and give them advice, review their resume/cover letter, or connect them with someone from your network, but you rarely know when you’ll be the one in need.
We are all busy, all the time, but managing your time to fit in supporting those YPs around you is a worthwhile pursuit. At the very least, direct them to ASIS and the support network we have established for 2020.
Josh Darby MacLellan is the chair of the ASIS Toronto Chapter YP Committee and co-ARVP of ASIS Canada’s YP program.
By Winston Stewart
OUTLOOK: CLOUDY
Climate change has become a crucial aspect of security decision-making and planning
As the world’s attention focuses on the many potential threats of climate change, the spotlight has continued to shine on the most obvious risk factors.
Think everything from rising coastal waters and the potential for catastrophic flooding, to immense insurance liability exposures and the mass migration of people attempting to flee some of Earth’s changing weather patterns.
Often overlooked is the role that security professionals will play in responding to climate-related incidents. In many ways, these threats could reshape the future of the security industry, just as they force the business community into unprecedented action to ensure operational continuity as weather patterns become increasingly unpredictable.
Take a recent incident in Toronto as just one example. When torrential rains flooded the city’s downtown core in 2018, millions of residents were inconvenienced by the high waters. But for two men the situation was far more dangerous.
When the duo entered a basement elevator in their workplace at the peak of the storm, they quickly realized it was out of service. Then, within seconds, water began pouring into the space and rose to more than two metres. The men climbed to the highest point inside the lift, gasping for air. Luckily, they had been able to make a call to police before it was too late and were eventually rescued.
While this was an unusual circumstance, it underscores the dangers that extreme weather events can pose to an organization. As the residents of communities such as Fort McMurray, Alta., have learned in recent years — not to mention areas prone to extreme heat and dryness such as parts of Australia — water can sometimes be the least of our worries. Fire can sweep through a town or city in a matter of minutes, causing extreme devastation.
That’s why it’s incumbent upon security professionals to be proactive in drafting comprehensive emergency planning and disaster response plans (EPDRPs).
These strategies should be focused on emergency-related risk analysis and assessment, reviewing absolutely everything that could go wrong, then highlighting business assets and processes that require protection. That could include everything from developing evacuation plans for office personnel and a roadmap to maintain business continuity during an extreme weather event, to being able to shift production or storage of data should a climate-related emergency compromise a facility or render it inaccessible.
To be clear, having an EPDRP is no longer a nice-to-have for organizations. Risk mitigation is now a focus across supply chains, not only internally.
Many organizations are now issuing RFPs that require vendors to provide detailed EPDRPs explaining how service or production will continue in the event of an unforeseen event, how their data will be protected and — perhaps most importantly — how their organization will take steps to ensure the client’s brand won’t be adversely impacted by an emergency, however unexpected or beyond an organization’s control.
Because security professionals are typically on the emergency and disaster response frontlines, it’s crucial to provide a complete briefing to your security team outlining a prescribed set of response measures, along with adequate training in everything from facility lockdown procedures to tactics to manage large groups of people in an emergency.
As climate-related challenges reshape our approach to security in the decade ahead, avoiding unnecessary liability and extraneous costs, maintaining productivity and preserving your organization’s bottom-line performance depend on a high degree of proactive planning.
Winston Stewart is the president and CEO of Wincon Security (wincon-security.com).
By Tim McCreight
KNOW YOUR THREATS
The challenges may change, but they do not apply universally to your enterprise
We’ve left the 2010s behind us, and are moving into the 2020s!
It’s always interesting to hear the predictions from others about “new” threats we’re going to face and why we’re not ready. I think I’ve heard that for every decade I’ve been in security, things are going to get worse, technology is both helping and hurting us, and people are the weakest link.
Over the years I’ve changed my response when hearing these predictions. I don’t immediately react to every scary news story. Now I focus on the risks facing my organization and what my team can do to reduce these risks. It took me a little while to change, though! For the longest time I would read a pundit’s thoughts on new threats or possible attacks, and I’d spend weeks researching this prediction only to realize it wasn’t going to affect my organization. It took me learning a new philosophy to realize how much time I had wasted in the past, instinctively reacting to every potential threat.
Following an Enterprise Security Risk Management (ESRM) approach gave me a way to focus my attention on what’s important to my organization, and not chase new threats that may not pose a risk to my company. It starts with gaining a greater appreciation of the assets my organization has in place and is planning to purchase in the future. I now spend my time trying to piece together the puzzle that is my company’s asset library — what do we have in place, how long has the asset been there, and who “owns” the asset.
Asset management isn’t easy! Most companies have an idea of what they own, but that changes as soon as projects kick off and new assets start coming into the environment. How many of you have worked on a project in your organization and found some assets you didn’t know you have? It happened to me often, especially in the cyber space. I remember working on a couple of projects where we found devices in our network and no one could remember how they got there, let alone who owned them. It’s funny when I look back on those projects now, but at the time it was a real concern. How could something be installed and running on a network and not have an “owner”? What risks did these assets pose to the network, to the IT environment, and to the company?
When new threats are predicted, I now take time to figure out if we’re vulnerable to the threat. I’ll spend time working with other teams to determine if our assets are exposed to the threat, and what the risk is to our organization. The approach is the same whether it’s a cyber threat or a physical threat. The benefit of using ESRM to design your security program is knowing risk is risk. It doesn’t matter if it’s a logical or physical risk, the approach is the same — understand your assets, assess your risks, mitigate those risks, and focus on continual approval.
If you’ve designed your security program following the ESRM methodology, those New Year’s predictions about threats to your organization can be managed better. Wouldn’t it be great if you read about a new threat and realized it won’t impact your organization based on the assets you know are in place? That knowledge about your organization gives you greater clarity about your risk posture and how you need to respond to these predictions.
And you can actually get some sleep.
Tim McCreight is the manager, corporate security (cyber) for The City of Calgary (www.calgary.ca).
Cyber security needs more women
By Olivera Zatezalo
Cyber security is critically important to Canada’s economic growth. As telecom operators begin deploying 5G wireless technology, nearly every aspect of the modern Canadian economy will come to rely on broadband: intelligent cars, smart homes, innovative healthcare, and better connectivity for Canada’s far north.
That makes the shortage of cyber security professionals a growing challenge. A survey by the Toronto Financial Services Alliance (TFSA) and Deloitte shows demand for cyber security talent growing 7% a year, with 8,000 unfilled cyber security jobs forecast by 2021.
The problem is not limited to Canada. The world needs an estimated 3 million more cyber security professionals than it currently has. As it happens, there’s a large pool of untapped talent waiting to pick up the slack: women.
Historically underrepresented in the field, women make up roughly one-quarter (24%) of the world’s cyber security workforce, according to an April survey by (ISC)², a cybersecurity training company.
Yet although men outnumber women by three to one, women tend to have better credentials, and proportionately fill more leadership roles than men. For example, 52% of women surveyed held a post-graduate degree, versus 44% of men, while 7% of women occupied senior roles such as chief technology officer, a title held by only 2% of men.
Women in cyber security are also younger: 45% are millennials, vs. 33% of men. This suggests that in the coming years, women have a shot at making the cyber security field more diverse. That’s encouraging news, as research shows diverse groups generally outperform homogenous groups when solving problems. The reason, according to Scott Page, a professor at the University of Michigan, is that diverse groups have “more and different ways of seeing a problem, and thus, faster and better ways of fixing it.”
Despite being well positioned to diversify Canada’s talent pool, women entering a male-dominated field may feel isolated or afraid to speak their minds. As someone who has experienced this myself, I advise women to find a mentor – specifically, one who works in a different field than yours. This runs counter to the standard career advice, which is to find someone who understands your profession and can tell you how to navigate its complexities. This counsel suffers from two flaws.
First, as a practical matter, there are relatively few women in cyber security, so finding a female mentor in the field will be hard. Second, if you concentrate solely on professional advancement, you risk missing out on the broader benefits of mentorship. The best mentors, in my experience, are those who understand your personality and encourage you to take on new challenges. We are all going through uncertainty in our career from time to time, and we need someone who can help us put things into perspective and provide that extra bit of clarity in challenging times.
Another standard bit of advice is to venture outside your comfort zone. For women in cyber security, that likely means living outside your comfort zone on a more or less permanent basis. I have done this since immigrating to Canada from Serbia 25 years ago, moving to a new country and learning a foreign language and culture, then taking a job at Huawei, a company that has come under intense scrutiny. Recently, I began representing the company in media interviews – a big step for an immigrant with an engineering background.
As more aspects of our lives go online, the shortage of cyber security professionals will become a pressing challenge for Canada and the world. If you’re a woman who’s interested in technology, and you’re looking for a career path with growth potential and positive social impact, consider cyber security. Together we can rise to meet the daunting security challenges of the digital economy and bring greater diversity to a field that’s in dire need of our help.
Olivera Zatezalo is chief security officer at Huawei Canada.
By Yves Duguay
A SHIFT IN THE LANDSCAPE
Amid uncertainty, invest in what you can control
Data breaches affecting the credit and privacy of millions of people and the bottom line of many companies; weather patterns causing recurrent floods and natural disasters; cyberfrauds and ransomware touching small or large businesses and municipalities; mass shootings and terrorist attacks that have become unfortunately too prevalent — watching news reports nowadays is not only an exercise in resilience, it’s an indicator of a new reality, a shift in the security landscape, creating more uncertainty.
Faced with this growing insecurity, we have to wonder who or what will be the next target, and how frequently will this impact the next victim!
You are faced with a choice — to wait and improvise, or to invest in what you can actually control:
• By assessing and adjusting your risk profile correctly;
• By improving your preparedness to manage incidents, events and emergencies quickly and effectively.
Since 9/11, the civil aviation industry and the governments supporting it have invested massively to reduce vulnerabilities, making it more difficult for terrorists or cyber criminals to breach the numerous aviation security layers. The terrorist threat, like water, follows the path of least resistance.
As a result, attackers have adjusted and are now targeting large corporations; financial institutions; critical infrastructure, like power grids; sports and cultural events; mass transit or other public targets where they can inflict significant losses and obtain maximum visibility or financial gains, with a minimal output of resources.
Regardless of the type of attack or threat, there are just so many courses of action at your disposal, when dealing with a bomb threat, a cyberattack or a natural hazard.
In fact, most of what you can do, such as alerting employees, shutting down systems and evacuating a building, applies to many of the threat scenarios that you should consider, to assess your state of preparedness and to identify a strategy to improve this capacity. Ideally, your strategy should include:
• A governance model, such as those developed for emergency management, that will foster a collaborative mindset among the various entities involved in the resolution of the event/incident, with relevant policies and standard operational procedures (SOPs);
• An incident management system (IMS), with an interoperability capacity;
• An audit of your state of preparedness and of your IMS, using scenarios and playbooks;
• Communication tools and technology to inform, direct, supervise, control and document the actions delegated to employees and partners, during an incident or event;
• An awareness and security training program, including simulations and exercises, and;
• A systematic process to assess, learn and improve from previous incidents and events.
But more than anything else, this strategy must be directed and championed by the senior management and the board. The tone must be set at the top.
The security landscape and the threat environment
Before assessing and building this capacity to respond and react, the process is usually initiated with a traditional threat, risk and vulnerability assessment (TRVA), which should be reviewed periodically.
This assessment will lead to the development of a security strategy, policy, plans and procedures to respond effectively and to recover quickly from all hazards, whether man-made or natural.
The results of this analysis are often found in the form of a risk matrix used by many organizations to assess their vulnerability and tolerance to risks, considering the potential human and financial impact that these hazards can have on their employees, customers, operations and reputation.
As our current security environment is constantly shifting, it is thus imperative to reconsider and re-evaluate our risk profile along with our state of preparedness regularly, notably by reaching out to public and private security partners in your community.
You can no longer simply plan as a function of what you expect or what you have seen or experienced before. You must learn how to navigate in a sea of uncertainty.
Accordingly, you should:
• Build a capacity to anticipate, monitor and detect, through human and technological sources;
• Inform and communicate with all those affected, employees and stakeholders;
• Liaise with partners, associations, security agencies, regulators and law enforcement;
• Respond and protect by actioning emergency plans/playbooks quickly and effectively;
• Control and adjust as the event or incident unfolds, using a trusted and proven methodology and governance model;
• Recover and return to a normal state of operations as quickly as possible, by identifying your critical assets, systems and people, and finally;
• Learn from your performance to continuously improve, regardless of the source or type of the risks.
Yves Duguay is the president of HCiWorld, a security consultancy group based in Montreal (www.hciworld.ca).
By Kenrick Bagnall
THE DATA BREACH RIPPLE EFFECT
Stolen credentials may trigger subsequent and repeated cyber attacks
I’m often asked to provide input on basic personal cybersecurity best practices individuals can follow to better protect themselves as they navigate an evolving and complex digital landscape. In the industry, regular use of these guidelines is sometimes called practicing good “Cyber Hygiene.” The advice I provide most often has to do with what is arguably one of the most important digital credentials each of us has, our email address.
From online shopping to banking to gaming, virtually every internet-based service requires an email address for setup, and will, in most cases, use that same email address as your account name to access that service. This is all well and good, however, there are a couple of inherent issues with this and they lead to what I call “the data breach ripple effect.”
Based on my experience, I see many victims of cybercrime using the same email address for multiple systems/websites and using the same password in each case. Once compromised, the same credentials can then be used to access “your stuff” on other platforms. The protection and security of personal financial information is something that most people take seriously. To that end, they may take extra precautions like having strong passwords for their online banking or online shopping where a credit card is attached to the account.
Let’s start with a basic issue. Not all email is secured with encryption. In their Transparency Report, Google says that “not all email providers are using encryption and because of that your messages are as open to snoopers as a postcard in the mail.” Unless you are using an email application, service or plug-in that supports TLS (Transport Layer Security), you are sending postcards each time you click send.
Equally problematic but something we can personally take control of is how we use our email addresses. Most people will have at least two email addresses. One email address connected to their place of business, employment or college/university, and also a personal email address. In most professional and academic environments (sadly not all), system administrators will implement constraints around the structure of the email address and the complexity of the associated password, for example the number and type of characters that may be used. When it comes to personal email addresses, there may be some password constraints and of course field level validation to ensure email addresses are not duplicated on the same platform. At “yourfavoritesite.com” there can only be one youremailaddress@yourfavoritesite.com. That all sounds reasonable, so what’s the problem?
The fact is that most people use one personal email address for everything. When signing up for online banking, an Amazon account, a Netflix account and the email list for their favorite travel site, an alarming number of people are using the same credentials in each instance.
The next consideration is to examine the level of security provided by each online service. It stands to reason that organizations, like highly capitalized companies in the financial services sector, may have larger cybersecurity budgets. It would therefore also stand to reason that this would result in more secure systems/websites. So now ponder this: If the same treasure was behind two different walls, and one wall was 10 meters high while the other was 100 meters high, which wall would you try to scale? For the same reward, the answer is clear.
We next consider the cyber adversary. Less secure websites present softer targets. Knowing that so many users will connect to online services using the same credentials, cyber criminals are first compromising what would be considered softer targets and exfiltrating user credentials including but not limited to usernames and passwords, email address, physical addresses and dates of birth, and in some cases credit card details. Consider the September 2019 data breach of the popular mobile game, Words with Friends, by Zynga. According to cnet.com, this breach “may have resulted in the theft of information from more than 200 million players accounts, including names, email addresses, login IDs and more.”
Like ripples across the pond, a hacker will use your account login and password across multiple applications and systems until they have success. This impact is rapid and can have catastrophic implications. The methods are sophisticated and, in some cases, automated. One breach, leading to another, leading to an even more impactful breach.
The December 2019 breach of LifeLabs is another example of a non-financial platform leaving the potential for victim credentials to be used on other platforms. According to cpomagazine.com, about 40 per cent of Canadians were impacted when login IDs and passwords were stolen by cyber criminals. These credentials could subsequently be used in a cascading ripple across multiple platforms, continuing the victimization.
So, what can be done about this? When it comes to your personal online safety and security, the onus is on each one of us to be as vigilant as possible. In an ideal world, we would all have a different email address and account login ID and password for each online service we use. However ideal, this is sometimes not practical. I’m going to suggest a few other approaches that may help.
1. If you only have (or only want to use) one personal email address, assign a different password to it for each online service you use.
2. To help with all the passwords you have to remember, use a password manager program. Search some reviews and pick a highly rated one.
3. When an online service offers “two factor authentication” — the ability to verify your identity using an additional credential — use it. It’s another layer the cyber-criminal has to get through to get to your information.
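The first two suggestions can be checked rather than assumed. As an added example (not part of the original column), this Python script audits a password-manager export and reports which other accounts a breach at any one service would expose; the CSV column names and every sample row are constructed assumptions.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample export. The column names (service, login, password) are
# an assumption; real password managers each use their own CSV layout.
SAMPLE_EXPORT = """\
service,login,password
bank.example,Pat@Example.com,T7#plum-Harbor-91
shop.example,pat@example.com,maple2019
game.example,pat@example.com,maple2019
lab.example,pat@example.com ,maple2019
video.example,pat.alt@example.com,maple2019
travel.example,pat@example.com,Sunny!Route66
"""

# Random per-run key: fingerprints can be compared within this run only.
_RUN_KEY = secrets.token_bytes(32)


def fingerprint(*parts):
    """Keyed digest of the given strings, so results never hold plaintext."""
    data = "\0".join(parts).encode("utf-8")
    return hmac.new(_RUN_KEY, data, hashlib.sha256).hexdigest()


def load_accounts(export_text):
    """Parse the export into records carrying fingerprints, not passwords."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Most providers treat addresses case-insensitively, so normalise.
        login = row["login"].strip().lower()
        accounts.append({
            "service": row["service"].strip(),
            "pair": fingerprint(login, row["password"]),
            "password": fingerprint(row["password"]),
        })
    return accounts


def reuse_groups(accounts, field="pair"):
    """Services sharing the same login+password ('pair') or just 'password'."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[acct[field]].append(acct["service"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def ripple(accounts, breached_service):
    """Other services that accept the exact credentials stolen in one breach."""
    stolen = {a["pair"] for a in accounts if a["service"] == breached_service}
    return sorted(a["service"] for a in accounts
                  if a["service"] != breached_service and a["pair"] in stolen)


def exposure_ranking(accounts):
    """(service, number of other accounts exposed) pairs, worst first."""
    counts = {a["service"]: len(ripple(accounts, a["service"]))
              for a in accounts}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    accts = load_accounts(SAMPLE_EXPORT)
    for service, exposed in exposure_ranking(accts):
        print(f"{service}: a breach here exposes {exposed} other account(s)")
    print("Same password, any login:", reuse_groups(accts, "password"))
```

In the sample, the game, lab and shop accounts fall together because they share one login and one password, while the bank account, which has its own password, stays outside the ripple.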
Good cybersecurity cannot be achieved with a single solution. We should not completely rely on the security infrastructure of the online services we are using. We should, whenever possible, do everything we can to add layers of security around our personal information and make it as difficult as possible for the cybercriminal to succeed. Stop the data breach ripple effect before it even starts. And remember, when a data breach is discovered, contact your local law enforcement to report the crime and allow for a proper investigation to take place.
Kenrick Bagnall is a Detective Constable with the Toronto Police Service Computer Cybercrime Unit (C3). Twitter: @KenrickBagnall.
Q & A
John Altilia, manager, team security, Toronto Raptors
John Altilia has an enviable job. He’s courtside for Raptors games and travels with the team.
Altilia has been manager of team security for the Toronto NBA team for 10 years. A former Toronto Police detective constable, he spent the last few years of his policing career working part-time in a non-paying position as the NBA’s security representative in Toronto. When he retired from the police, he accepted a full-time role with the Raptors — a position that puts him in close contact with players, coaches and staff. On any day of the week, Altilia could be at a game, accompanying players to a restaurant or charity event, or scouting the next arena or hotel in another city. Last year was a special year for the Raptors and Altilia’s responsibilities stepped up during the team’s playoff run and NBA championship victory. He spoke to Canadian Security before the 2019-2020 regular season started about his life with the Raptors and the feeling that comes from being part of a winning team.
Canadian Security: What is your role when you go on the road with the team?
John Altilia: When I go to Detroit [for example], we fly in, I’ll call their [security] guy and say, “Is the city cool? Is there anything I need to know?” When I go to his arena… the league has set up security to be templated, so almost exactly the same. When you look on the court, you’ll see what you’re used to, such as security behind the benches, security at the opening where the stands meet the court, behind the baskets to the corners — anything that’s open. You kind of get used to that always being the same. We use each other’s security teams when it comes to different venues.
CS: Do all the NBA team security managers know each other?
JA: Yes. Every year, we have an NBA security meeting that we all attend. We have conference calls once a month to update each other, in case there’s certain issues. “Has anybody come across this?” We kind of bounce things off each other. That’s done by the league as well.
CS: Do you also work with Scotiabank Arena (the Raptors’ home venue) security personnel?
JA: Yes, those relationships have been there for a long time. We deal with the director of security for Scotiabank Arena. That includes NBA security as well. If it involves something within the NBA rules, then we involve the NBA security rep at Scotiabank Arena. We all know each other. It’s a very positive work environment. We work with each other and educate each other with regard to the rules and regulations.
John Altilia, on the Raptors’ victory parade route
CS: What are you looking for during a game?
JA: When you’ve been doing it for this long, or when you have a surveillance background, you kind of just look for something that stands out. Maybe it’s a fan who’s trying too hard, looking too closely, focusing on something other than kind of taking it all in. During the game, it’s trying to understand the flow of the game, how it’s kind of building up, the temperament of the players. Whether it’s observing the interactions of players and fans, or a fan interacting with a player. You’re trying to prevent anything from happening. And, of course, if there’s an altercation on the court, we assist the officials. If there’s an altercation between two players, we will assist as peace keepers.
CS: What is your first thought when you roll into the next city?
JA: It’s to get [the team] into the hotel — depending on the hotel, how busy the hotel is and what’s going on in the city. If there’s conventions or any reason why the hotel would be busy. It’s kind of allowing them to flow throughout the hotel. We’re checking the lobby, we’re checking floors, we’re making sure that [the players are] settled OK. And we’re getting there at one or two o’clock in the morning. Usually by then it’s pretty quiet, but the [next] morning, we’re down in the lobby, making sure the buses are on site, probably within an hour before the departure of the team.
CS: What is your role if players want to go out?
JA: If players want to go shopping or they want to go out for dinner as a team, we will escort them to and from the restaurant. We’ll order vehicles for them and we’ll attend the event with them. That’s for appearances, dinners… If there was team dinner, we would attend.
CS: And the players are all familiar with this set-up?
JA: Yes, they know that we’re going to go around [with them]. It may be a player that’s going to go to dinner with his family. A lot of times, you have players going out to dinner with ex-players. We’ll go and make sure everything is calm. We’ll sit away from the table and let them enjoy their evening and keep them within eyeshot. When it’s time to go, we order the cars to come and pick us up.
CS: What about for personal appearances?
JA: When they’re doing their own appearances, maybe through their agency or their agent, we attend them as well. The reason being, we want to be in support of the player and also provide a service to them. That service is, of course, security but [also] being there to be a voice sometimes, if need be.
At the end of the day, you want the player to enjoy the event. That’s really our purpose. The business side of it is, you’re there to support them, to get them through it and understand what’s going on around them, so they’ll be willing to do these things again. People say, “It’s just security,” but there’s the business side of it as well.
CS: What was it like being with the team through the playoffs and the finals?
JA: It was unbelievable. It was a great learning curve. As a group of people that support the team, we all chip in to make sure that they’re focused on the task at hand.
If there’s one thing that I can say, it’s probably making sure that everything was taken care of, that nobody had to worry about anything. That goes for the coaching staff, the players and the staff. We made sure that our locker room was very, very quiet.
We just wanted the players and coaches to focus on what they had to focus on. We didn’t want to disturb them whatsoever. It was kind of crazy, but it was very calm because everybody knew what they had to do to make this work. It wasn’t a lot of excitement because they knew the goal had to be obtained. A lot of focus. Wherever we could help with that, we did.
The league gets heavily involved when it’s the finals and the semi-finals. They take over the credential side of it. There’s a lot of moving parts in regards to post-game interviews... you’re escorting players back and forth and there’s the timing of when different coaches are going in to do their interviews and coming out.
It’s long hours… it’s just a whole different animal. But it was great. It was great to be involved in it. I hope we do it again, because it was a lot of fun.
CS: What was your experience of the Raptors’ victory parade in downtown Toronto?
JA: It was unbelievable to come out and see that kind of crowd and the emotion that was involved in the crowd. The emergency services from Toronto Police that assisted us were unbelievable. Their patience in dealing with the crowd was so positive. And at one point, when we got really congested, I had to get out on foot and help with it. I was walking the parade route. I left my bus and we had other security from Scotiabank [Arena] on the bus. The crowd was great — excited but great. It was an exhausting day.
CS: What do you enjoy most about your job?
JA: I think it’s different. The emotional roller coaster is kind of neat. It’s a great group of people that we work with under Masai [Ujiri, president of the Toronto Raptors]. We’re all very close in regards to achieving a goal. I think that’s the fun part of it. It’s something I’ve done for a long time and I’ve really enjoyed it. It’s been a great, great career. Not only did I have a great police career, to be able to do something like this and to go through 21 years of this and achieve what we did as a team is unbelievable. I wake up every morning and appreciate what I have.
Security for the PEOPLE
Need an effective security training program? Don’t be boring, don’t be scary and give away prizes
By Will Mazgay
While security departments in corporations and institutions are largely focused on day-to-day operations, managing risks, and securing personnel and assets, a crucial function of these business units is to ensure that the rest of the organization takes safety and security as seriously as they do.
Experts believe that training for non-security staff, as well as the promotion of a strong security culture, are both a must for any organization that is committed to the safety of its people and assets.
Crafting the message
Brian Claman, managing partner for Brian Claman & Associates, a security consultancy and managed services firm, says security training can be broken down into two categories: awareness training that drives culture and technical training.
Claman says, “A client wants us to give training on what kinds of emergencies can occur in a commercial office space, such as bomb threats, water leaks, protests. But they have no program. So we decide to create awareness training of the things they have to think about. Let them paint a picture in their mind what the threats look like so they can self-assess their ability to deal with it.”
Brendan Monahan is an associate director with Novartis Pharmaceuticals in charge of business continuity and crisis management and chair of the ASIS International Crisis Management and Business Continuity Council. He says, when it comes to delivering training, he has had success with in-person briefings and lectures, as well as short “TED Talk” style video presentations because they are concise and casual in tone.
Carmela Demkiw, senior director, corporate security services for Rogers Communications, says the key to crafting a strong training program is to make it collaborative and stress accountability. “It has to be that employees understand it’s their business. So that’s the premise we start with: it’s not our job, it’s everybody’s job.”
Monahan says, “I like to start usually with a storytelling approach, give people a baseline that anyone can connect with, rather than diving into anything that’s scary, fear-inducing or anything like that. I prefer to start with something allegorical to get people on the same page. And that connects people to the message you’re trying to tell.”
He explains that many employees may find subject matter like active shooters and workplace violence scary or upsetting, so it’s important to tread lightly with those topics. “Maybe the most important thing for us to remember, as security professionals, is what we do is kind of specialized, and most people don’t do it every day, so we really have to meet people where they are on these topics.”
Monahan also says that when delivering in-person training, it’s helpful to encourage participants to offer their own experiences with the subject matter. That way, “you’re not alone in front of a room, presenting yourself as the only authority on the subject.” He continues, “Especially questions like active shooter training, people have experience of some kind with it, whether it’s a training they had at a previous job that worked or didn’t, whether it’s something they went through themselves or a friend of theirs did.”
Delivering content
Demkiw explains that the largest portion of security training at Rogers is dedicated to the retail side of the telco’s operations. “We have things like robbery prevention, opening and closing procedures, situational awareness and conflict resolution.” She says retail employees are also taught strategies for fraud prevention and spotting counterfeit money.
Beyond retail, Demkiw says, “We’ve also just launched an emergency preparedness program that we’ve worked on with our health and safety team, and that’s for all employees across the organization.”
Demkiw says her team also provides toolkits with safety and security information to managers, that “they can discuss in their monthly meetings or team huddles.”
Robert Kilfoyle, director of public safety and emergency management for Toronto’s Humber College, says for college employees, training revolves around conflict, de-escalation and dealing with difficult students, along with more general awareness of emergency preparedness. “We talk about fire alarms and what to do in those types of incidents, active attacker, lockdown and that sort of thing. We’re just transitioning now over to the Run, Hide, Defend model of active attacker response.” He says the plan is to roll out a formal active attacker training program, likely in the spring.
Kilfoyle says his department gets its message across both by attending employee orientations and department meetings, and by posting through an internal web portal for employees. “We often will send out notices or reminders through that.”
Rogers also relies heavily on an internal intranet for mandatory, yearly training, according to Demkiw. “We make sure that any new policies or changes to existing policies are posted on there.” She explains that her department also uses community boards specific to certain company sites to inform people working at those offices of specific concerns. “Whether it’s a parking concern or it’s a tailgating concern, then we make sure that we address that on that community’s board, and they understand, ‘we need to work on this.’”
Keeping staff engaged
Claman says building a security training program and introducing employees to concepts is just the beginning. Teams need to keep staff engaged. “Employees notice when the training is getting stale.”
Claman says a web portal with fresh content can hold employees’ attention, explaining that departments should post security incidents and how they’re dealt with to make the teaching process feel more real and less theoretical. However, the content needs to be consistently updated. This approach applies to in-person training as well, according to Claman. “Talk about actual incidents that have occurred, so employees know what works and what doesn’t for solutions… The training has to be exciting, sexy and relevant to their world.”
Monahan says switching up the delivery of training can be helpful. “Whether it’s incorporating multi-media or gamifying the training, so people have to engage with a video and maybe click on things to expose new content.”
Demkiw says it can be very difficult to keep training interesting. “It’s not a one-time process you put in place. We’re constantly looking for new ways to add training, new ideas that would make it engaging for the employees.” Beyond introducing new concepts, Demkiw says one surefire way to grab employee attention is with prizes. “When we do a lobby launch we always have swag to give away because that makes a difference, it makes people come and listen and hear what you have to say.”
Monahan says whatever method teams use to keep training engaging, it’s important to get feedback and listen to how people are responding to it. “So often we become prescriptive, and we’re not responding to what people are telling us about how they’re internalizing these messages.”
Getting buy-in, showing value
Monahan says, regardless of what your training looks like, getting buy-in from senior leadership and other departments is crucial to any program’s success. “To the extent possible, have them model it for people.”
Monahan also notes that corporate communications is a strong ally that can help get leadership, other departments and everyone else in the organization on the same page. “I like to sit side-by-side with communications and have those people understand what security’s priorities are and reach out to them regularly for help crafting messages and delivering messages. Corporate communications is your friend.”
Demkiw agrees that forming relationships with corporate communications and human resources is key to ensuring security’s message resonates with the rest of the organization. With human resources specifically, “unless you have buy-in from them to help you deliver your message, you’re not going to get anywhere.”
When it comes to the actual message that security is transmitting to the rest of the organization, Monahan says linking it to broader company strategy is helpful. “Every company has a set of corporate values, and it’s more and more popular to drive those messages down to the frontlines of management to make sure we’re synced up with company strategy and that what we’re doing is fully aligned across business units and across leadership levels.”
Demkiw says to get buy-in from other departments, “we want to be able to be seen as helping them deliver their programs. We want to be a business enabler. We don’t want to say no all the time or tell them they can’t do something and that way they know they can come to us when there actually is a problem because we’re making compromises with them and working with them.”
Monahan agrees that security needs to position itself as a positive entity within an organization. “When you’re crafting the message, avoid the themes of fear, uncertainty and doubt. Take a more modern view that we’re partners in the business and the businesses are our clients. We’re going to make this work for you and not the other way around.”
Claman says to win over other departments and leadership, quantifiable metrics that show the value of security training programs are critical. “Identify the threats and risks, quantify the risks, and report on them… You can say employees are safer, but how do you know that? How do you measure that?” He explains that a measurable benefit like a reduction in thefts can help show that a security program is working. “It’s got to be a measure that’s defensible to the company’s CFO.”
Humber’s Kilfoyle says his department tracks the success of their program by measuring calls to service. “As people become more aware of our services, people will use them more.”
To measure the effectiveness of training at Rogers, Demkiw says, “We have weekly updates on the percentage of employees that take our training.”
While metrics can provide a business case for security programs, Monahan says one of the most powerful ways to persuade senior leaders of their importance is to put them through decision-making exercises.
“Take a business through an exercise where they have to make decisions and respond to a notional incident, like a crisis management exercise… When you put a leader in a position where they have to pretend to make decisions they never want to make, it becomes real and it helps them separate the theory from the practice,” he says.
Be smart overseas
Awareness and preparation can help mitigate travel risks
By Matthew Porcelli
The travel industry is publicly perceived as glamorous and carefree. Unfortunately, there is a darker side to leaving the comfort of our safe zones, but there are methods and best practices that can aid travelers and ensure a safe return home.
Threats facing the traveler
Terrorism, kidnappings, human/drug trafficking and theft are just some of the nightmares that travelers face every year. But realistically, petty thefts are more common compared to their more headline-grabbing counterparts. The largest threats facing travelers involve criminal activity such as theft of money and travel documents (e.g. a passport).
Trends of the aggressor
Criminal acts are rarely committed on a whim. The more lucrative the payoff, the more time the criminal entity will study the target. Even if a criminal has been taken off the streets and sent to a correctional facility, the threat does not end there. Many prisoners train each other in pickpocketing and diversion techniques. Once the inmate is released, it is only a matter of temptation and opportunity and the travel setting is a prime hunting ground.
Unintentionally advertising vulnerability
Individuals in unfamiliar territory are easy to spot — both for security/law enforcement practitioners and aggressors. For example, a bewildered tourist searching for his or her tour group — fully dressed with cameras, backpack, and looking distracted — is the equivalent of a homing beacon for the aggressor.
Carelessly flaunting money, credit cards and a passport in easily accessible areas only makes it that much easier for the aggressor to reach his/her objective. Body language is also studied by aggressors. The Sistine Chapel in the Vatican displays one of the most impressive examples of Renaissance artwork, Michelangelo’s “The Creation of Adam.” While all eyes are towards the ceiling studying the fresco, there is another art form occurring. But unfortunately the victim does not realize until it is too late and notices funds are missing from their rear pocket.
Poor choices = poor results
Although travelers are most vulnerable to victimization while in transit, accommodation choices play a huge factor in the probability of theft and the safety of the traveler. Hostels are inexpensive and normally situated near tourist hot spots. Saving money during an excursion seems like a win. But, how much are people willing to sacrifice when it comes to safety and security? Some of the most horrific events have occurred in hostels to naïve travelers.
However, it is important to realize that not all hostels have negative backstories — on the contrary, many are considered lower-end hotels. Furthermore, some hotels can be just as dangerous. The traveler must choose wisely and really ponder what the return on investment will be for staying in safer accommodations.
Best practices
How does one travel with peace of mind? Prepare, prepare, prepare! Before embarking, make sure to research the area that will become your temporary home away from home and follow these steps:
• Study the culture, customs, and political climate of the country and city you will be traveling to. The Canadian and United States governments have programs, such as “Travel Advice and Advisories” and the “Smart Traveler Enrollment Program,” that send free email alerts to travelers.
• Prior to arrival, make sure to register and know where the local embassies are located.
• Familiarize yourself with the local law enforcement and security services and know how to identify them in the event of an emergency.
• Never carry original documents or an abundance of funds. Copies of passports should be kept on a person while out in the “field.” The original should be locked away at the hotel/hostel or entrusted to an onsite security coordinator or designated party. Do not carry all your money with you at one time. Only bring the money that will sustain you for the day, and above all, keep it hidden.
Matthew Porcelli is co-chair of the ASIS International Young Professionals Council and assistant secretary of the ASIS Global Terrorism, Political Instability and International Crime Council.
COMPASSION IN HEALTH CARE
A family crisis illustrates why security can, and should, be about so much more than protection
By Martin Green
I first started working in health-care security in 1985.
A hospital was the absolute last place in the world that I ever thought I would work.
They are usually horrible places. No one is ever happy to come to a hospital unless they are having a baby or visiting one. For everyone else, hospitals contribute to unhappy memories. Sometimes people come to a hospital to see someone for the last time and to say goodbye to them.
In 35 years, I have changed my perspective, including my dread about coming to work in a hospital. I have learned to love working in health care and I have thrived. But nothing prepared me for what happened to my family last September.
“My son almost died.” That’s the worst thing that I have ever told anyone. Ever! As a health-care security professional I have heard lots of people say that, but it was never me. I have transported hundreds of bodies in and out of morgues, witnessed probably thousands of individuals deal with grief, fear and loss. But it was never me.
My son is only 32 and had never had a health issue in his life before this.
It started on a Friday morning. I received a phone call at work that my oldest son (who lives in the suburbs of Chicago) had been rushed to a hospital. There were no details, just the name of the hospital. I tried calling the hospital, but was unable to get any information from the emergency department.
They promised that someone would call me back when they could. I waited. I was having a meeting in my office with one of our nurse managers at the time and she said, “Why are you still here? You should leave.” But I had no details, other than that he was in hospital. There was no point in leaving, especially since he was in Chicago. What could I do?
About 20 minutes later, I received a call from the doctor in the emergency department with details. My son had been found by his room-mate convulsing on the living room floor. He had vomited and was aspirating the vomit. The room-mate had rolled him over into the recovery position, most likely saving his life. My son was on a respirator, in a medically-induced coma. He was in life-threatening condition.
I had no option but to immediately book the next available flight to Chicago, rush home, grab my passport and pack a bag. As I waited for my flight, while I was in the air, and as I was driving to the hospital terrible thoughts were going through my mind. Was my son going to die? Was I going to have to plan a funeral and bury my son? How do you get a body across the border? What am I going to do with all of his assets? What if he survived but was now disabled? For the first time in ages, I prayed, and I sent a Tweet asking others to do the same.
It was the worst time of my life. For almost four days, I lived at his bedside, barely sleeping. He was young and strong and in good health. He fought, we fought, the doctors fought and he recovered. After being admitted to the hospital in critical condition on a Friday, he was discharged the following Thursday. There were a few after effects. He was tired and weak and needed time to rest, but he was healthy and alive. As I write this, he has made a complete and full recovery.
Throughout this entire ordeal, there was something that I noticed. I saw the power of customer service in action. Every single person that I interacted with at the hospital — whether they were a doctor, a nurse, a cleaner or a security guard — displayed exceptional customer service. This experience demonstrated to me, more than ever, what health-care security is all about. It gave me a fresh perspective and a renewed commitment to ensuring that my health-care facility is as safe as it can possibly be, but also to ensure that all of my staff are trained to the highest standard for customer service.
Typically in a health-care security training program, we concentrate on concepts related to use of force, liability, risk management, emergency code response, report-writing, patrol, workplace violence, security-sensitive areas and other typical health-care security issues. But do we provide enough training in customer service? Do we stress the importance of customer service?
There are several books and programs in the health-care world that discuss customer service. Many health-care leaders have read the bestselling book, “If Disney ran your hospital” by author Fred Lee, published in 2004. He describes the concept of making a visit to a health-care facility as pleasurable as visiting a Disney theme park. Other hospital leaders have a variety of different models. At my hospital we utilize the AIDET (Acknowledge, Introduce, Duration, Explanation and Thank you) program. This seems very simplistic and in some cases unrealistic. But it works. I have seen it and experienced it firsthand. As mentioned earlier, people are afraid in a hospital; they are dealing with stress, fear and grief. They don’t want to interact with a security guard at the best of times, but certainly never with a bad-tempered, rude or unhelpful one.
As we move forward with our advances in health-care security training, we must focus on the importance of customer service. Security personnel are normally the most recognizable employees in any health-care facility. We are commonly the only staff who wear a uniform that clearly indicates what department we work in and what service we provide. People come to us for help and directions.
Using the principles of AIDET, we need to teach and train our staff to:
• Acknowledge the person/people that they are speaking to. Security guards need to stop and take the time to let the person know that they have been seen and that they will be helped. Your security staff needs to make eye contact, smile and acknowledge family or friends in the room.
• Introduce themselves to the people they are interacting with. It doesn’t have to be complicated, just a simple “Hello, my name is _____ and I’m with security, how can I help you?”
• Duration: Tell your visitors how long it will take to help them or how long they will have to wait.
• Explain step-by-step what they can expect next, answer questions and let the client/co-worker know how to contact you.
• Thank the client, family or co-worker for their time, patience and co-operation.
I have witnessed and experienced first-hand how this approach can make people feel at ease and more comfortable when they interact with a member of the security team.
The first and most important step in the Use of Force continuum is Officer Presence. Security guards often have an intimidating presence. There are occasions where that can be useful, but more often than not, it can lead to increased tension. A friendly, welcoming approach will often have a very positive result.
Over the years, I have learned to practice the AIDET approach when I deal with the public. When a security guard needs to have what could potentially be a negative interaction with a member of the public, it can be made easier by the approach and demeanor of the guard. A tempered and restrained approach can often lead to a reduction in tension and agitation.
Customer service is perhaps the most important role that a security guard can offer to their health-care facility. A customer service approach to security can only benefit your health-care organization. I have seen it work and after my recent experience with my son, I now have an even better understanding of how important and impactful it can be.
Martin Green is manager of security, telecommunications & emergency preparedness at Baycrest Health Sciences and the 2017 past president of the International Association for Healthcare Security and Safety (IAHSS).
Effective shift management for security guards
Five tips to drive success, optimize employee performance and recognize their value to the organization
By Shahbaz Hussain
The Canadian security guarding market is experiencing a growth spurt with unprecedented competition across the spectrum from enterprise-sized companies to midmarket companies and even startups.
While many of these businesses are competitive regarding price and contract, the true differentiator in this crowded field is high-level delivery of the security guarding service itself. Superior delivery is a core demonstration of how well security guards perform duties on shift and, crucially, how guarding companies manage those shifts. Below are five key success factors for effective shift management:
Detailed, correct briefing for each shift
A security company may have hundreds if not thousands of security guards on duty across a large number of client sites daily. Each client site can have a variety of different shift requirements and duties for each guard. In order for each shift to be completed successfully, every security guard needs to be briefed, especially those who are client facing.
Supervisors should brief their shift supervisors about key issues, potential threats, new developments, operational changes on the client site, etc. These shift supervisors are in turn responsible for ensuring that the briefing they receive cascades down to the officers on the incoming shifts. Poorly briefed security guards invariably deliver poor service, and clients interacting with these guards will witness this first hand.
Operate with the right equipment, emerging technology
Here, of course, we are talking about hardware, including traditional tools such as wand devices, radios and flashlights. But even more important today is the growing use of mobile devices across the modern guarding industry. With smartphones becoming globally ubiquitous, intelligent security companies can now take advantage of feature-rich apps and software platforms that offer new capabilities in managing the shift process, e.g. GPS technology, which ensures a guard’s location is always known. These emerging tech tools are constantly improving. They make it easier for supervisors to communicate with officers and manage shifts, particularly from a command and control perspective.
Data drives the monitoring process
Related to hardware and software needs, accurate data is critical to proper shift management: it drives the monitoring process. Data is derived from business intelligence and data analytics collected in the field by security officers who use their apps to report security-related incidents and other shift anomalies. The data is then processed and made available to supervisors in real time. Collected data continuously streams in and populates dashboards that supervisors view regularly for the duration of their shift. Data-driven dashboards can be used, for example, to display when a new security guard reports for duty, report risks encountered on a shift or patrol, detail how many reports are submitted by guards, and show who is submitting the most reports and why. Based on the data received and reviewed, supervisors can be more proactive, and even determine which skills and equipment the guards require for their duties on the next shift.
Time off reduces fatigue-driven mistakes
The most important factor here is to ensure that officers are scheduled to work planned shifts lasting a set amount of hours, with regular periods off duty. This will maximize their physical health and well-being. When officers are fatigued, they can take things for granted or make mistakes.
As all security professionals know, most negative events happen when officers are tired, so physical fitness, getting plenty of rest between shifts, and being alert have a major impact on shift effectiveness and go a long way to eliminating or mitigating mistakes. Also, when security guards feel overworked and exhausted, morale suffers, which could also result in expensive staff turnover and the potential loss of clients.
Always have replacements at the ready
Shift planning can’t be underestimated. If someone calls in sick and no one is in the queue to replace them, it can be a serious problem, especially if the client becomes aware of the situation. You need an active, accessible pool of well-trained and equipped security guards on standby, all providing detailed information on availability. That way, if an emergency arises, you will be covered.
While this may seem like a “nice to have” extra feature, it’s not. It’s a bottom-line critical area. Shift continuity is baked into a successful security guard shift management strategy. Without continuity, safety issues can arise which can result in serious long-term harm to the company’s reputation. A poorly managed shift can negatively impact everyone involved — the security officer, their supervisors, the security company, and the client — and incur lasting damage to the business’s long-term success.
On the upside, smart shift management increases efficiency and productivity, delivering true accountability. A smart shift management strategy offers a comprehensive overview of what’s happening: no detail is left to chance. Also, it can help manage client expectations, so customers will be happy and committed to their security partners for the long term.
In the end, following these five success factor strategies will go a long way towards ensuring an effective shift management process, which in turn will drive world-class customer service, low customer turnover and increased profitability.
Shahbaz Hussain is the regional sales director, Canada, for Trackforce Valiant (www.trackforce.com).
Shifting the advantage
Preparing for what your adversary may do next can help you win the cyber “arms race”
By Derek Manky
For most organizations, 2020 planning means looking at financial projections, staffing needs, and setting KPIs to evaluate success. For me, it also means getting into the head of our adversaries to see how organizations will need to bolster their cyber defences and set security budgets for the coming year.
Every year, I gather together the latest in cybercrime and threat trends to project what the cybersecurity landscape will look like, both for the near and long term. While this needs to be an ongoing exercise, setting aside specific time a few times a year is essential.
Cybercriminals continue to maintain the upper hand in the ongoing cyberwar because they are able to predict and exploit gaps that many IT teams, overwhelmed by the day-to-day crush of trying to keep up with things like digital transformation, simply overlook. Like any “war,” to win the cyber arms race, we need to take time to look at the entire threat landscape, evaluate our potential attack surfaces, predict our opponents’ moves based on available intelligence, and then prepare ourselves.
So, what did 2019 bring, and what can we do to armour ourselves for 2020?
The welcome mat
The persistent lack of cyber hygiene practices by most organizations is like setting out a friendly welcome mat by the door. Our latest Threat Landscape Report shows that cybercriminals were more likely to target vulnerabilities from 2007 than they were from 2018/2019 — and the same holds true for every year in between. That’s because too many organizations still fail to patch, upgrade or replace vulnerable systems. It’s why, over three years later, Mirai still sits in the top five of our quarterly list of most prevalent botnets. There is no reason to spend time and resources developing new malware when organizations continue to make it easy to use the same exploits over and over.
Overwhelm and overpower
Another strategy preferred by cybercriminals is to target as many attack vectors as possible. For example, our research found that criminals are increasingly targeting publicly facing edge services, perhaps in response to organizations training personnel and upgrading their email security gateways to combat phishing. By keeping pressure on all attack vectors, cybercriminals can quickly exploit opportunities that present themselves when IT teams take their eye off the ball for any of them.
Interestingly, this same strategy undergirds the power of swarm-based attacks, a future attack strategy that I have been monitoring for some time. In this case, intelligent swarms of customizable bots, grouped by specific attack function and engineered to share and learn from each other in real time, could potentially target a network by attacking it on all fronts simultaneously, thereby overwhelming the network’s ability to defend itself.
5G: The perfect incubator
More worrisome, there is a new technology approaching that will potentially accelerate and multiply current threats — 5G. Of course, most of us have only been hearing about the many benefits of 5G, such as its ability to deliver 10X performance over current connections and its ability to drive the next stage of digital transformation by enhancing everything from smart cars and smart cities to delivering rich media and enabling true edge networking. However, it is also potentially the perfect incubator for new malware operating at unprecedented speeds and in highly collaborative ways.
Because 5G-enabled edge networks will be able to create local, ad hoc networks on the fly that can quickly share and process information and applications, groups of compromised devices could also work in concert to target victims at 5G speeds — raising the possibility of the development of the first functional swarm-based attacks. Given the intelligence, speed and localized nature of such an attack, few current security technologies would be able to effectively fight off such a strategy.
At the same time, legacy security tools could simply be unable to keep up with the performance requirements of 5G-enabled devices and applications.
Organizations will need to look for new tools designed to accelerate critical security functions by leveraging things like purpose-built security ASICs that can provide the power and scalability that 5G networks will require. Otherwise, their security systems will undermine the value of any 5G investments, and they will need to be on the constant lookout for individuals or groups inside their organization looking to bypass security bottlenecks.
We can still gain the upper hand
Ever since the first hacker intercepted the first packet moving between two devices over 40 years ago, cybercriminals have had the upper hand when it comes to security. While IT teams need to remain ever-vigilant across every potential threat vector, criminals only ever need to find a single overlooked system to meet their objectives.
Fortunately, there is a way for us to break out of this cycle. It starts by getting into the head of the cybercriminal and turning the game around by using the strategies and technologies used to compromise us to defend us instead. That means adopting an intelligently integrated approach that leverages the power and resources of today’s enterprise to see the entire threat landscape, correlate security intelligence to harden vulnerabilities and identify exploits, and marshal all available resources in a coordinated response to an attack.
Emerging tools like machine learning and AI represent some of our best hopes for being able to get out in front of cybercriminals. As AI progresses, it will begin to function like a human immune system that hunts for, detects, and heals the threat at hand — digitized white blood cells, if you will. Over time, it will not only be able to detect a threat in its earliest stages, but identify it based on its cyber fingerprint to predict and stop its next moves before they occur. Combined with advances in things like advanced deception technologies, organizations stand the first chance in nearly half a century to get out ahead of their cyber adversaries.
We need to start today
For 2020, the good news is there are some clear things organizations can do to protect themselves. Commit to patching vulnerabilities, upgrading operating systems, replacing aging devices, or implementing truly effective proximity controls. Next, consolidate and integrate your security systems to extend visibility and control across your existing and planned network environments using a security-first strategy.
And begin preparing now for the challenges of things like 5G, and the opportunities presented by AI and machine learning.
Derek Manky is chief, security insights & global threat alliances at Fortinet (www.fortinet.com)
PRODUCT FOCUS ACCESS CONTROL & BIOMETRICS
Smart locks
PDQ
pdqSMART-STP stand-alone smart locks operate by smartphone. Popular applications include offices, co-working spaces, retail, hospitality, clinics, vacation homes, Airbnb, schools, daycare and more. The locks can operate by smartphone, PIN access code, smart watch and key. Scheduling is available for up to 100 unique users with an audit trail of 25 events on the app. Five lock types are available: Grade 1 and Grade 2 Cylindrical, Grade 1 Mortise, Heavy-Duty Deadbolt and Heavy-Duty Exit Device Trim. www.pdqsmart.com
Facial recognition integration
RealNetworks
SAFR for Security integrates SAFR, a facial recognition platform for live video, with leading VMSes to provide enhanced visibility and situational awareness. Available as a standalone solution or integrated with VMSes, SAFR for Security provides 24/7 monitoring to detect and match millions of faces in real time, delivering a 99.86 per cent accuracy rate. When SAFR for Security is paired with a VMS, the integrated experience includes video overlays within the VMS to identify strangers, threats, concerns, unrecognized persons, VIPs, employees, or other tagged individuals in live video. Security teams can customize real-time alerts to automatically notify them when persons of interest appear on a video camera feed, or make use of automated bookmarking to conduct forensic analysis. SAFR for Security attaches rich metadata to video footage so security professionals can search by time range, location, category, person type and registered individual. www.safr.com
Bluetooth reader
ProdataKey
When installed as part of a pdk io access control system, the new “touch io” Bluetooth reader allows users who have installed a mobile credential on their smart phone to enter a controlled door by simply touching their hand to the reader. There’s no need to unlock the smartphone, or even remove it from a pocket or purse. For employees preferring not to use mobile credentials, the readers are also compatible with traditional key cards and fobs. The touch reader differentiates between the use of an electronic credential and encrypted Bluetooth authentication. www.prodatakey.com
Key enclosure
MedixSafe
The KARE MINI Key Access Ready Enclosure (KARE) is a smaller, more compact version of the standard KARE heavy duty key control cabinet. More than a place to store keys, it gives the user control over their keys by limiting access to authorized users only and knowledge of who has accessed keys and when. It is equipped with a Wiegand output card reader that integrates into a user’s existing access control system. The KARE MINI allows users to access important keys using their existing cards. The cabinet can be locked at all times to safeguard assets and prevents access by unauthorized personnel. The KARE MINI is compatible with HID as well as Multi-Class prox cards. medixsafe.com
Cloud-based access control
RS2 Technologies
RS2 Technologies announced the addition of the ACT365 Cloud-based Access Control and Video Management Solution to its line of access control solutions. As a cloud-based solution, the ACT365 remote diagnostics and servicing capabilities provide RS2’s reseller channel with the convenience of troubleshooting issues from their mobile device or web browser to determine whether a site visit is necessary, streamlining operations. ACT365 delivers a solution providing both access control and video management in a web-based platform that allows users to quickly update or remove user permissions, view cameras or open a door directly from a mobile phone, tablet or PC. The scalable solution offers management of multiple sites from a single, unified interface without the added expense of local servers and IT resources.
www.rs2tech.com
VMS with facial recognition
Avigilon
Avigilon Control Center (ACC) 7.4 video management software incorporates artificial intelligence-powered facial recognition technology. The new “appearance alerts” capability is designed to help organizations accelerate response times by identifying people of interest in enterprise settings. People of interest are identified based on a secure, controlled watch list created and maintained by authorized users at the commercial organization. For organizations that use the new ACC software and license their Avigilon cameras for facial recognition, cameras will seek to identify potential matches based on the watch list.
www.avigilon.com
We’ve got your back
From pre-travel to landing back home, we take care of your employees.
Our Travel Security program helps you keep an eye on your employees traveling abroad to ensure their safety. Reduce the risks and give your people access to the resources they need in the event of a problem. We make it simple to improve how you fulfill your duty of care by managing your employees’ travel security in real time, 24/7, wherever they are in the world.
Inform
Risk management is all about being proactive. We do this by educating your employees about the countries they are visiting, and the risks they might face.
Monitor
Our program lets you keep an eye on your employees while they travel, thanks to state-of-the-art technology and our advanced dashboard system.
Respond
When it comes to your employees, it’s reassuring to know that they have access to emergency services for their protection at all times while abroad.
The three pillars of our program - Inform, Monitor, Respond - make travelers aware of potential risks and give them access to various resources in the event of a problem.
Sunday, June 7 to Tuesday, June 9, 2020 The Westin Harbour Castle