Security basics to protect your employees and your business
The role of Security within an organization (business entity or otherwise) took on new meaning as a result of the tragic events of September 11, 2001. Since that time, and as a result of ongoing risks to organizations, both internal and external, the concept of “Corporate Security” has shifted from a “nice to have” service to one that is now a “must have.” While many organizations are not able to staff a full-time, proprietary Security Director, it is possible, and increasingly necessary, to have a security expert provide your organization with advice and consultation on basic and foundational security concepts. With minimal effort and expense, these foundational concepts can drastically enhance your organization’s security posture, which will, most importantly, increase the safety and security of your employees as well as the resiliency and sustainability, and therefore the viability, of the organization. However, with so much to consider, where does an organization start when attempting to increase its security awareness and posture? According to Lawrence J. Fennelly in The Handbook of Loss Prevention and Crime Prevention, Third Edition, “The greatest protection of an organization’s collective assets is provided when a comprehensively designed security system integrates an appropriate mix of electronic, physical and procedural security measures.” This article will provide you with some quick wins to significantly enhance your organization’s security posture while addressing the appropriate mix that Fennelly references.
Unlike traditional law enforcement, which is predominantly reactive, Corporate Security services are expected to identify and mitigate risks preemptively, before an incident can negatively impact an organization’s employees, operations and/or reputation. The four “D’s” of prevention are a basic corporate security, crime and loss prevention tenet that outlines the objectives of preventing any loss. The four “D’s” of Prevention are as follows:
The process by which a security professional identifies the operations and/or the areas of an organization which require the greatest amount of security attention is called a risk assessment. During this process there are four key components that are evaluated and assessed to determine the appropriate security posture and a “Fit for Purpose” designed security system or the security improvements needed to mitigate the identified concerns.
Once the four components of a risk assessment are completed and the information evaluated and synthesized, the security recommendations that follow will assuredly mitigate the risks identified and make for a more secure organization. More often than not, the security recommendations made following a risk assessment are intended to deny, deter, delay and/or detect the identified risk.
There is a great deal to consider when determining the appropriate, “fit for purpose” security posture for any given organization, based on a number of factors including, but not limited to, the following: industry, location, size of organization, operations, laws and regulations, organizational culture, etc. A risk assessment, budget constraints, organizational input and other factors will assist in arriving at the appropriate security program for each organization. However, for the purpose of this article and without considering the above factors, there are eight primary and basic security concepts that, when utilized appropriately and with proportionality, can drastically and quickly enhance an organization’s security posture.
Risk Assessment/Security Survey
Access Control (Employee Identification, Visitor Management)
Access control features and policies regulate the flow of people, vehicles and materials into, out of, and within a protected facility. Having the ability to properly manage and control access to a location, property or building is a fundamental security concept that, when managed thoroughly, can greatly reduce risk to an organization. Being able to differentiate authorized personnel from unauthorized personnel, and to identify and manage them, at the earliest point in the screening process and at an appropriate distance from a “protected space/area” is critical to controlling access. Some of the simple ways to implement and manage access control are having a limited number of separate entrances for employees and for visitors, requiring all employees to wear an identification badge while at work, and requiring visitors to register in advance and wear an expiring visitor badge while on company property. There are also numerous technological options (card access proximity systems, biometric options, keypads, etc.) that can support access control objectives. Clearly, there are a number of organizational and Security considerations that must be evaluated when creating an access control policy.
Advance planning and preparation are key considerations when it comes to crisis management.
An emergency management plan describes the actions to be taken by an organization to protect employees, the public, and assets from threats created by natural and man-made hazards. Every business, large or small, public or private, should have some form of an emergency management plan. Organizations need to have an established crisis/emergency management plan that provides the framework and structure to manage emergency events. Failure to do the necessary planning could seriously impact an organization’s ability to minimize loss of life, loss of assets and business downtime, should an event occur. It is important that the organization take the following steps in the creation of its crisis/emergency plan:
- Define what a crisis/emergency is for the organization
- Establish an Emergency Response Team (ERT) with appropriate members of the organization
- Establish a protocol for communicating with all employees (for operational and situational awareness) as well as executive leadership (for advice and consent)
- Develop plans for the organization’s response to a crisis/emergency (**with the below items in consideration)
- Conduct training for the ERT as well as the broader organization (given their respective roles and responsibilities)
**The four phases of crisis/emergency planning include the following:
- Mitigation – ways to reduce risk to life and damage to property
- Preparedness – advance planning to address crisis/emergency situations
- Response – how to deal with and react to the situation
- Recovery – restoring the work environment after the crisis or emergency
Security Policies and Procedures
Security policies and security procedures are different, yet they both provide the guidance and structure needed to deliver security services in the manner expected by management. Policies indicate management’s position, statement, purpose or direction. A policy indicates what management would like. Procedures, on the other hand, are the detailed steps management requires its employees to follow to achieve the desired results. A procedure indicates how management wants something done. Clearly, policies and procedures are complementary documents and should be created with this in mind. There are many benefits of written and codified security policies and procedures. Among the benefits are consistency in performance, reduction in decision time and enhancement of controls. Additionally, the existence or absence of a written policy/procedure could be a significant factor in a legal matter. The security manual should act as the repository of all written policies and Standard Operating Procedures (SOPs) that pertain to the security function.
Physical/Technical Security (CCTV, Card Access, Physical Security Modalities)
Physical and technical security measures are important components of an organized, cohesive enterprise security program. Physical security features include, but are not limited to: fences, bollards, gate arms, doors and locks, etc. Technical security features include, but are not limited to: card access readers, closed-circuit television (CCTV) cameras, Pan/Tilt/Zoom (PTZ) cameras, intrusion detection alarms, environmental/condition alarms, etc. Depending on your organization’s risk profile (following a Security Assessment), some of these features, or a combination of them, may be appropriate in coordination with the rest of the enterprise security program.
IT security and Cybersecurity are the protection of internet-connected systems, including hardware, software and data, from cyberattacks. In a computing context, security comprises both cybersecurity and physical security as both are used by enterprises to protect against unauthorized access to data centers and other computerized systems (and the information contained therein).
Investigations (Background and Misconduct)
An investigative function (internal or outsourced) is an integral part of identifying and mitigating risk and liability for an organization. Having the ability to ascertain whether an employee has committed fraud or misconduct, or violated a company policy or law, is critically important. Background Investigations are investigations conducted prior to employment or an engagement to better understand the credentials, history, capabilities, character, reputation and criminal history of an individual. Due Diligence investigations are investigations conducted on a business entity (including principals of the business) prior to a merger, acquisition or other business affiliation. The review includes financial reports of the business, business affiliations and relationships, as well as business leadership. An internal or outsourced investigative function can identify and mitigate risk for an organization, which enhances the security posture and capabilities of the organization.
Supply Chain Security
An organization may take all of the appropriate precautions to safeguard its employees and products “in house,” but whom is it entrusting to deliver its products to clients and customers? A hijacked or lost truckload of a company’s products will have an extremely negative impact on any business, its reputation and the trustworthiness of the product lost or stolen. All of this is entirely avoidable when the proper care and concern is taken through the implementation and management of a robust supply chain security program. Such a program will evaluate the risks in the supply chain by reviewing the product’s “cradle to grave” path. Through the creation and implementation of policies and procedures, the use of technology, and partnership with industry-leading global logistics security services companies and public sector programs (CTPAT), or a combination thereof, an organization’s supply chain security program can be significantly enhanced.
Clearly, there are many more concerns, considerations and nuances when it comes to Corporate Security. However, the eight subject areas listed and explained in this article (Risk Assessment/Security Survey, Access Control, Crisis Management, Security Policies and Procedures, Physical/Technical Security, IT Security, Investigations and Supply Chain Security) are the key, foundational security considerations that, if implemented and managed, can significantly increase the security posture of an organization. And, when these programs are managed in coordination with one another, the organization’s security posture is increased exponentially with minimal effort and expense. In closing, identifying risk preemptively through a risk assessment and developing a security posture with an eye towards the four “D’s” of prevention, while considering these eight foundational subject areas, is an integral part of an organization’s security program.