INTERNATIONAL FOUNDATION FOR CULTURAL PROPERTY PROTECTION
Under normal circumstances (when open to the public), many museums, libraries, historic sites, live collection institutions, and other cultural properties staff their facilities 24 hours daily, to include late night patrols and monitoring station/control room operators. IFCPP is not, by any means, recommending elimination of these positions during current closures. If you can afford to do so, these positions should be maintained (and even strengthened) during current closures. Personnel making nighttime patrol rounds should be following predesignated routes either electronically or by written instructions. Any activity or facility irregularities should be documented and acted upon as soon as practically possible. Security control room staff should be acting in accordance with established Post Orders, and a current manual of operations. All such positions should be regularly checked by supervisory staff, at all hours.
There are, without a doubt, numerous institutions unable to continue after-hours staffing due to budgetary restrictions. Many other cultural properties are only able to lock the doors after normal business hours and hope for the best. During current closures, institutions are forced to maintain irregular and continually changing hours of operations and staffing.
The security of most institutions is also dependent upon properly selected, installed, monitored, and maintained electronic systems. As we all know, there is no guarantee that all systems are always operating as intended, or properly reporting conditions as expected.
What steps may be taken to enhance the protection of the institution, without the presence of around-the-clock security staff, and possibly, without the physical presence of security personnel at any time during current closures? Valuable collections warrant special protection measures, even when budgets won’t allow for the staffing we would prefer. The following measures should be taken into consideration:
Secure the perimeter. Any and all access points should be properly protected. These include doors, windows, ventilation screens, elevator shafts, skylights, rooftop access, loading docks, or any other place where entry may be gained. Each of these points should be alarmed, or secured with impenetrable bars or grates.
Alarm systems should be selected and/or upgraded after a professional process has determined the most practical and cost-effective systems available. Every device on the system should be tested in accordance with manufacturer specifications. Current closures might provide a convenient opportunity to test all security and fire protection systems while visitors are not present.
Video surveillance should cover the perimeter of the building(s), recording all motion, at all times. Collection storage and all exhibit areas should be monitored by video surveillance as well. IP-based systems allow authorized users to view live video remotely, from any location where Internet access is available.
Locking systems should be modern systems with limited distribution of keys and keycards, especially for perimeter doors. All exterior and some interior doors should be protected by electronic alarms and locking systems. Distribution of keys and keycards should be closely tracked, with recovery of keys at the time of termination of employment (or extended leave). Keys accessing collections storage spaces and other sensitive interior areas should not be taken out of the building, and should be stored in secure key cabinets. These keys should be checked out and tracked, via electronic software or hard-copy logs.
Monitoring of electronic security and fire protection systems should be by a UL Certified Central Alarm Monitoring Station, with alarm transmission by reliable communications systems. Backup/redundant transmission should also be installed, and alarm panel back-up batteries should be inspected and replaced every 3 years.
A third-party (contract) patrol service should be retained (or available through an advance service agreement) to perform regular perimeter checks on all facilities, and/or supplement existing security personnel, as needed.
Please contact us if we can offer direction or advice for your specific concerns.
Stay safe and healthy as we all weather the storm together!
Reposted from Security Management Magazine
Many security leaders tout the importance of excellent customer service, and guard force managers are frequently tasked with ensuring that their officers are on point. But how many security managers have ever taken a moment to look behind the curtain and examine the psychology of first impressions?
Understanding first impressions is invaluable in the field of security operations. Frontline security officers are often the very first salespeople for businesses, so their appearance and body language are both key. And the psychology of first impressions also applies to physical spaces, which may set the tone for user experience even before the client walks through the front door.
Yet despite their importance, first impressions in security operations are often underestimated and misunderstood by leadership.
A common axiom that circulated for years held that an individual has seven seconds to make a good first impression when meeting someone. However, the latest psychological research reduces the seven-second window considerably. In fact, scholars like Alexander Todorov argue that it takes only one-tenth of a second to establish a first impression.
In his book Face Value: The Irresistible Influence of First Impressions, Todorov describes a study in which participants were shown face photos of two actual (but unknown to the participants) political candidates in a real election. The participants were asked to decide which face looks more “competent.” Most chose the same face—they seemed to agree on what “competence” looks like.
Moreover, this judgment of perceived competence was also a largely successful predictor of who would win the election. The candidate whose face most people saw as “competent” also turned out to be the election winner. Essentially, the study illustrated Todorov’s theory—within one-tenth of a second, individuals make a judgment about a person’s competence, intelligence, and trustworthiness, and that judgment affects the way they make decisions.
This does not mean that first impressions are necessarily accurate. However, the brain makes these assumptions at lightning speed based on what information is immediately available. Given this, it seems only natural to ask: how much weight do first impressions carry?
Let’s take a quick look at a U.S. president to answer this question. In Malcolm Gladwell’s book Blink: The Power of Thinking Without Thinking, the author explains how Warren G. Harding, the 29th president of the United States, started his political career with a great first impression—one that went way beyond the example of competence cited earlier in this article.
“Many people who looked at Warren Harding saw how extraordinarily handsome and distinguished-looking he was and jumped to the immediate—and entirely unwarranted—conclusion that he was a man of courage and intelligence and integrity,” Gladwell writes. Ultimately, Harding turned out to be a bad president, according to majority consensus; history has assessed him to be corrupt and incapable. The lesson here is that regardless of whether a first impression is accurate, it can be very powerful.
Why do we give so much weight to our first impressions? In The Art of Thinking Clearly, author Rolf Dobelli explains that this phenomenon of making substantial judgments based on a first impression is called the halo effect. “The halo effect occurs,” Dobelli writes, “when a single aspect dazzles us and affects how we see the full picture.”
In the case of Harding, voters were so impressed by his dazzling physical presence that they attributed several admirable qualities to him. “The halo effect increases the weight of first impressions, sometimes to the point that subsequent information is mostly wasted,” writes Daniel Kahneman in his book Thinking, Fast and Slow.
Thus, even if the first impression is wrong, it carries great weight. It has sticking power; it is difficult to dislodge. Effectively, if you make a bad first impression, it may take a disproportionate amount of time and effort to reverse the negative effects.
The speed and weight of first impressions come into play in the context of corporate security. Think of all the interactions security staff may have with employees, clients, and visitors. In the security operations world, interactions are often very short, sometimes involving little to no conversation. Yet impressions are quickly forming.
Let’s start at a front gate, where vehicles enter a corporate campus. An employee pulls up, looks at the officer, produces a badge, and keeps driving.
The research shows us that, even with less than a second’s worth of interaction, the employee will likely make a range of judgments about that security officer, and potentially make even broader assumptions about the entire corporate security team of the company. Those impressions may or may not be accurate, but research shows us that these judgments will likely be lasting ones.
Given all this, it is fair to assume that most security leaders would like for that first impression to be a positive one. Especially when one considers the strategic importance of first impressions in various key situations.
For example, imagine a scenario where a company is looking to hire a senior-level executive for a crucial role. Looking for the cream of the crop, the firm conducts a national search, with interviews held at the corporate headquarters. When the candidates arrive at the campus, the first person they meet is the uniformed security officer at the front gate. Imagine the ripple effect of a positive or negative first impression of that officer.
Now, imagine the company is also hosting a prospective client at the same campus, with a major sales deal on the line. The client faces the same first impression experience at the front gate, with the same gate officer. A negative first impression could hurt the deal’s chances for success.
In sum, if security personnel are literally on the front lines of the business, it is critically important that they make the best impression possible. But what goes into an impression?
The easiest way to approach this topic is by distinguishing between impressions of people and places. In the context of corporate security, various people may represent a security team, from frontline officers to leaders who represent the corporate security function in board meetings, sales meetings, and audits.
However, first impressions extend beyond person-to-person interactions. Physical spaces and components thereof—like front lobbies, perimeter fences, or even lighting—can contribute to a first impression of a brand or company location.
Start by understanding some key ingredients to the “people” side of first impressions.
Uniform messages. What should security officers’ uniforms look like? The answer is more important than you might think.
There is a surprising amount of research devoted to the psychological effect of uniform color. In an article in Made to Measure, The Uniform Magazine, Bernadette Doran explains how different colors can directly affect moods. Black uniforms, for example, are associated with “anger, hostility, dominance, and aggression.”
In the article, Doran discusses a study in which participants were shown a variety of potential police uniforms and then graded them as good or bad, nice or mean, and in a variety of other ways. “The all-black color scheme was viewed most negatively on six of the seven scales,” Doran writes, “and the light blue shirt and navy blue pants created the most positive impression on all seven scales.”
In the corporate security context, when a visitor encounters a front gate guard, a security receptionist, a foot patrol officer, or a guard force commander, usually one of the first things noticed is the uniform, if one is being worn. Managers should consider how the uniform helps inform the impression of the security officer. Does it make the officer seem friendly and approachable, or aggressive and intimidating? And whatever the effect, does it match the intended image of the operation?
For example, it may be appropriate and consistent for uniforms at a top-secret nuclear weapons testing facility to be more on the intimidating side. But the security department at a Fortune 500 corporate headquarters complex might want to convey a more welcoming and friendly impression.
Is the security team’s appearance in line with the intended impression? Security leaders can gain additional insight by asking core stakeholders how the security team’s appearance can contribute to the intended impression of the office and operation overall. Strive for message consistency: If stakeholders want to project a friendly and welcoming environment, black-on-black uniforms should likely be avoided. Something as simple as the color of a shirt can be more impactful than many assume.
Body language. Most security leaders know quite a bit about body language. Investigators often rely on body language to help determine if someone is being truthful, deceptive, or just nervous. Body language is just as important when it comes to informing a first impression.
According to a study by UCLA professor Albert Mehrabian, body language is the single most powerful piece of information for the creation of a first impression. In fact, according to research, 55 percent of the impression is derived from body language and appearance, 38 percent from the person’s voice, and 7 percent from the person’s language.
For example, a security officer is standing at the gate in a neatly pressed blue uniform. A visitor pulls up to the front gate to check in for a meeting on campus. The visitor cheerfully says, “Good morning, officer!” The officer, with arms crossed and eyes looking at a computer screen, quietly says, “Good morning,” with a serious face and pursed lips.
Think about how quickly this first impression has gone downhill. In the same interaction, different body language and tone of voice could have reversed the first impression. In that scenario, the officer’s arms aren’t crossed, he is making direct eye contact with the visitor, and he cheerfully says “Good morning” with a smile on his face. In an interaction that lasts for less than seven seconds, body language and tone of voice are absolutely crucial in determining the nature of the first impression.
A prime example of location-based first impressions is familiar to most homebuyers: “curb appeal.” In an article on the Dig This Design online publication, Susan Daniels says this about the concept: “Improving the exterior of your home with paint or new siding goes a long way towards making great first impressions.”
Of course, making a bad first impression is also possible. As Daniels explains, “In any form, clutter makes your property look uninviting. Any passerby looking at the property will look away if it’s cluttered.” Like first impressions of people, first impressions of physical spaces can be made quickly and be based on limited observation. Just as with people, the first impression of a place may or may not be accurate, but it nonetheless influences judgments and decisions.
In a security context, certain design and architectural decisions, such as perimeter fencing and guard houses, can have a direct impact. Security professionals often capitalize on these features so that they will have a deterrent effect in the crucial first impression phase.
But this effect can be taken to another level. The design of lobbies and workspaces can also have a direct emotional and psychological impact on those who use them, from the moment of entrance. That impact also relates back to the perceived security of a place.
While security directors are not architects, it is still imperative to spend time on determining where design, architecture, and security intersect, and to be mindful about that intersection point.
Luckily, there is plenty of research to educate us about this intersection point. In the foreword of the book Inquiry by Design: Environment/Behavior/Neuroscience in Architecture, Interiors, Landscape, and Planning, John Eberhard writes, “We know now that certain levels of light and noise in neonatal care units can interfere with critical sensory development in premature infants. We know that specific features of their physical environment can support healthy behavior among people with Alzheimer’s disease.”
Such research makes it clear that physical spaces can and do have an impact on health and well-being. These spaces can also affect stress and anxiety levels.
Other types of physical spaces can also have calming effects, as researchers discovered in the Oregon prison system.
In her article “Using Nature Imagery to Calm Prisoners,” Janice Wood describes a unique experiment in Oregon in which nature videos were shown to a certain population of maximum-security prisoners during their daily exercise period. The results were impressive. According to Wood, “Inmates told researchers they felt calmer after watching the videos, with the calm emotions lasting for hours…. They also reported that they felt the videos helped improve their relationships with staff, and that remembering the videos helped them calm down when they were angry.”
Not only did the prisoners report on the positive emotional effects of the nature imagery, but there was also a measurable impact on behavior. The experiment results indicated that the prisoners who viewed the videos committed 26 percent fewer infractions than the prisoners who did not.
Other studies have also revealed the connection between physical design and mental health. This connection quickly links to risk factors that relate to violence at work. If a space can be designed with intentional calming effects in an effort to reduce stress, could this design also help decrease the likelihood of an act of workplace violence?
During design, new construction, or renovations, it behooves security professionals to think beyond the basics of fences and turnstiles. Those are indeed important, because they are an important part of a first impression for a visitor, client, or employee. But it is equally important to envision the entire office environment, and how it can help provide holistic and sustainable safety for all of those who enter.
Security leaders may not be architects, but they can still add value to the planning and decision-making process by being able to articulate the connection between design and the ultimate goal of creating a safe place.
The research cited above provides a few key takeaways that security managers can act on, almost immediately, to help leverage the power of the first impression.
Both body language and uniform color play a key role in forming a first impression. Given this, it is crucial to examine how frontline personnel are trained to portray themselves—verbally, visually, and with body language—when interacting with customers.
Similarly, teams should be empowered to examine all of the ways in which they interact with stakeholders.
Security leaders should take the time to interact with stakeholders and ask what the security team can do to further promote a welcoming, safe, and healthy environment. What type of work environment are site leaders hoping to provide to employees? Security professionals can seek ways to add value to that vision. This could be done through well-trained and well-informed personnel or through recommendations for physical designs that contribute to mental health and positive, long-lasting first impressions.
A round lock sat in the front of Joseph Bramah’s shop in London with a challenge displayed on the window: whoever could pick the Bramah Precision lock would win 200 guineas (roughly $30,000 today). That challenge would remain for 67 years until A.C. Hobbs—an American locksmith—took up the gauntlet.
Hobbs brought a great deal of experience to the table. He had gained recognition in America for demonstrating to bank managers that their locks could be picked, so they should be replaced with locks of his own invention.
At the Great Exhibition hosted in London in 1851, Hobbs announced after successfully picking a Chubb “Detector” lock that he would open Bramah’s creation. Bramah’s sons set Hobbs up with a workspace above their shop. For 52 hours, Hobbs worked at the lock until he successfully picked it.
Hobbs’ success became known as The Great Lock Controversy, striking fear into the hearts of everyone who had previously used the Bramah lock—including the Bank of England—because they believed it could not be picked. Their sense of security was shattered.
Since then, methods for locking doors and controlling access have changed with the times and technology advancements. Now, instead of having a guard monitor and log when a door is unlocked and opened in a facility, and then verify that that individual is allowed to do so, most organizations rely on access control systems. And often, these systems are connected to the Internet—making them vulnerable to cyber intrusions.
“Older access control systems were not meant to be tied to the building network or the organization’s network,” says Coleman Wolf, CPP, CISSP, senior security consultant for Environmental Systems Design, Inc., (ESD) and a member of the ASIS International IT Security Council. “There are adapters that can be used to put those on the network. They function just fine. I can access the control panel from my desk, but the security isn’t always the best.”
The access control system is “meant to provide a function, but either the device was not built to have password protection or the person who installed it wanted to get it up and running, so they didn’t put in the effort to install the security with it,” Wolf adds.
By connecting an access control system to the Internet, the system becomes part of the Internet of Things (IoT). Typical IoT devices include thermostats, electrical outlets, light switches, refrigerators, smart speakers, and doorbells. They also now include—in the security arena—cameras, alarm systems, smoke detectors, locks, and other access control devices, says David Feeney, CPP, PMP (Project Management Professional), and advisory manager of cyber and physical security risk services at Deloitte.
“Before IoT, everything that was connected to a network was a network device in the traditional sense,” explains Feeney, who is past chair of the ASIS Physical Security Council. “Now, almost anything can be a network device. And while the computer industry has had decades to incorporate security into its products, services, and overall DNA, IoT is essentially a toddler—growing rapidly but with most of its maturation still ahead.”
All of these IoT devices face a “gauntlet of cyber threats,” Feeney says, including malware, man-in-the-middle attacks, brute force attacks, dictionary attacks, IP spoofing, denial of service and distributed denial of service (DDoS) attacks, session hijacks, and more.
“The difference that IoT brings is that the attack surface—the aggregation of all points at which an attacker can gain access—is now exponentially larger once access control and other IoT devices are added to the network,” Feeney adds.
It might seem obvious why someone would want to compromise an access control system: to unlock the doors to a building to gain entry.
“The first thing that people think about is that once they’re inside the system, they have control over the system so they can unlock doors or disable sensors—things that are part of the actual mission of the access control system itself,” Wolf says.
For instance, in a worst-case scenario at a highly controlled environment like a hospital, a compromised access control system could be used to lock surgeons out of an operating room or open doors to the pharmacy.
But there’s another equally concerning reason someone might want to hack an access control system, Feeney adds.
“Your natural first thought might be that access control systems are attacked because attackers want to gain access to an area, and the system is standing in their way,” explains Feeney. “That is one reason. But the reason is often that an attacker simply wants access to the network, and an access control system is as good an entry point as any other.”
Regardless of the method of infiltrating an organization, attackers are often looking to infiltrate the network and then move within it to gain access to more sensitive or valuable information.
Hackers used this method during the infamous Target breach in 2013. They compromised a third-party vendor, obtained valid credentials from an unknowing authorized user, and connected to Target’s network using its vendor-portal process. The malicious actors then leveraged this access to obtain payment card data and personally identifying information about Target customers.
“Maybe there are employee databases where they could steal information,” Wolf says. “Or they could use that access to spread ransomware, where files and systems could be encrypted and held hostage—forcing the organization to pay to free up that information.”
Leveraging an intrusion into the access control system to the organization’s building system could also pose safety risks to employees—such as setting off a fire alarm—or equipment.
“If you’re able to control the HVAC system, you could prevent cooling of data center space, so servers start to overheat and fail,” Wolf says. “And that can cause interruption of business or operations.”
Despite the numerous vulnerabilities that exist, there are myriad ways to mitigate the risk of compromise to an access control system.
“I work with a lot of clients who don’t have any drawings of where their devices are—they are flying blind,” Wolf says. “They don’t know, if something goes wrong, where to go and what component to look at.”
The first step for security professionals with an existing access control system that is connected to the network is to fully understand the system—where the readers are, how it works, how it is connected to the network, who has access to the system, and who has administrative privileges over it. Then, all that information should be documented.
“Identify where everything is and, probably most importantly, how those devices intercommunicate with each other and the outside world,” Wolf adds. “An Internet connection is one thing, but with older systems we’ll see a DSL line or dial-up modem connections to systems so a contractor can log in and make changes to the system.”
These systems may have been installed decades ago. People often forget about those connections, which malicious actors could use to gain access.
Wolf also recommends security professionals working with an existing access control system connected to the network assess if it meets the organization’s current security requirements.
For those in the fortunate position of installing a new access control system, the process should start with a “soul-searching discussion” on the risks and benefits of connecting that system to the Internet, Feeney says.
“If there isn’t a significantly compelling benefit to essentially adding a door to your network, it is arguably not worth doing,” he explains. “In the case of access control, there may be a strong case for doing this—especially if the desired end goal is moving to the cloud. In this case, be sure to leverage best practices to incorporate security into your new network architecture.”
The organization should consider if the access control system should be on a network separated from other assets. Doing this will help mitigate the risk that an intruder will use the access control network to obtain corporate information.
“If the ultimate goal is to move your access control system to the cloud, this network separation can still be done at the organization level,” Feeney says. “The separate access control or IoT network will connect to the cloud infrastructure. The original corporate network will separately protect all other assets. So, if the access control network’s connectivity is compromised, the attacker will not get access to the corporate network.”
Once a decision is made about what network the system should reside on, the organization should designate who is responsible for that network and the day-to-day management of it. This is critical because the system will require regular patching and updates to mitigate new security threats.
“Often an organization’s IT department is better equipped to maintain the system because—if they’re a good IT organization—they will have a patch management process in place to make sure that the network switches and all the network servers are up to date,” Wolf says.
When purchasing the actual access control system, the individual responsible—such as the physical or IT security representative—should ask vendors how data from the reader to the master console is protected, says Darrell Brown, CISSP, information security program manager at La-Z-Boy Incorporated and member of the IT Security Council.
“Is that data in transit encrypted? At what level? And what is the right fit for my company?” Brown adds.
Organizations should also ask how often the vendor itself issues patches to its products, and what the process for issuing those patches is.
“Proactively query your providers about patches and security updates to your hardware,” Feeney recommends. “Many access control devices traditionally get patches because customers request a feature or report an error that requires the patch. Instead, patch these devices like you do your computer—proactively as part of a comprehensive security strategy.”
Organizations should also have a robust master service agreement that outlines expectations and the responsibilities the vendor has to the organization.
“Have clear lines that delineate who owns what part of the system,” Brown adds. “Who’s responsible? Where’s the backup? Is there a backup? How do we ensure failover to it?”
And while the system is being installed and implemented, security professionals should ensure that the process follows best practices for maintaining good cyber hygiene. This starts with disabling default passwords to create strong, unique passwords for the system, and limiting administrative privileges.
ESD frequently encounters operating systems set up to automatically give administrator privileges to all users.
“Most people don’t need that, and by restricting that, you’re ensuring that if a bad guy were to gain access using one person’s credentials, they wouldn’t have the ability to have administrative rights over the whole operating system,” Wolf says.
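The inventory and hygiene points raised above (documented connectivity, forgotten DSL or dial-up maintenance lines, a separate access-control network, default passwords, limited administrators, encrypted reader-to-console traffic, and regular patching) can be turned into a repeatable check. The script below is an added example, not code from ESD, Deloitte, or any vendor named here; the device records, link labels such as "acs-vlan" and "corp-lan", and the thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Device:
    """One constructed inventory record for an access-control component."""
    name: str
    role: str                          # "server", "panel" or "reader"
    links: List[str]                   # constructed link labels; empty = undocumented
    default_password: bool
    admin_users: List[str]
    transit_encrypted: Optional[bool]  # None: the vendor never documented it
    days_since_patch: Optional[int]    # None: no patch record exists


ACS_SEGMENT = "acs-vlan"               # hypothetical dedicated access-control segment
LEGACY_LINKS = {"dsl", "dial-up"}      # contractor maintenance paths people forget about


def audit_device(d: Device, max_admins: int = 2, max_patch_age: int = 90) -> List[str]:
    """Return the hygiene gaps for one device as short finding strings."""
    gaps: List[str] = []
    if not d.links:
        gaps.append("connectivity undocumented")
    if "corp-lan" in d.links:
        gaps.append(f"shares the corporate network; move to the separate {ACS_SEGMENT}")
    for link in sorted(LEGACY_LINKS & set(d.links)):
        gaps.append(f"legacy {link} maintenance line still connected")
    if d.default_password:
        gaps.append("default password still in use")
    if len(d.admin_users) > max_admins:
        gaps.append(f"{len(d.admin_users)} administrators exceed limit of {max_admins}")
    if d.transit_encrypted is None:
        gaps.append("reader-to-console encryption not documented by vendor")
    elif not d.transit_encrypted:
        gaps.append("reader-to-console traffic unencrypted")
    if d.days_since_patch is None:
        gaps.append("no patch record")
    elif d.days_since_patch > max_patch_age:
        gaps.append(f"last patched {d.days_since_patch} days ago")
    return gaps


def audit(inventory: List[Device]) -> List[Tuple[str, str]]:
    """Flatten per-device findings into (device name, finding) pairs for reporting."""
    return [(d.name, gap) for d in inventory for gap in audit_device(d)]


# Constructed sample inventory: one clean server, one panel with several gaps,
# one panel reachable only over a forgotten DSL line, and an undocumented reader.
INVENTORY = [
    Device("ACS-SERVER-01", "server", ["acs-vlan"], False, ["acsadmin"], True, 14),
    Device("PANEL-LOBBY", "panel", ["acs-vlan", "corp-lan"], True,
           ["acsadmin", "vendor", "night-shift", "facilities"], False, 400),
    Device("PANEL-LOADING-DOCK", "panel", ["dsl"], False, ["acsadmin"], None, None),
    Device("READER-PHARMACY", "reader", [], False, [], None, None),
]

if __name__ == "__main__":
    for name, gap in audit(INVENTORY):
        print(f"{name}: {gap}")
```

Feeding the real inventory into `INVENTORY` (or loading it from the documentation Wolf describes) produces the list of components to remediate first.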
Access control systems, like all locks, can be compromised by motivated actors given the right circumstances. Security practitioners should not assume that the system itself is secure.
“Security is ideally a shared responsibility between consumer and provider,” Feeney says. “You’ll find this to typically be the case. But where the separations of responsibilities lie can differ greatly. For that reason, always check your service level agreement to understand what security responsibilities your provider has and what is left to you as the consumer.”
Who would the CEO of your organization most likely invite to a round of golf: the CFO or you? The answer to such a question would be revealing—and it shows a great deal about security professionals and how they are viewed by their contemporaries.
It has become a truism that in order to maximize effectiveness, one must have a seat at the table in the C-suite. And communication skills will likely play a paramount role in whether or not the organization’s ranking security professional ultimately earns that seat.
Business executives realize that, like it or not, their usefulness to others is regularly assessed and measured. That continual evaluation is reality. Security professionals who aspire to earn a place in the C-suite should realize that this situation is their reality, too.
Given this, security professionals who regularly speak and write in the language and style of the military and law enforcement run the risk of being valued differently from those who have MBAs and can communicate in the language of a modern business executive. Regardless of the ultimate value of their contributions, if security professionals communicate more like law enforcement officers than business executives, they will eventually be treated as such, and be compensated accordingly.
Much has been written on the broad topic of management and leadership development. But there is less guidance on the more specific area of executive communication, and the importance of these skills to the leader’s success. This is unfortunate, because in the workplace the language and presentation of an idea can be nearly as telling as the idea itself. Sometimes, a staffer will take his or her cues from this language when trying to evaluate the significance of the idea itself. A sound idea, poorly expressed, can be unfairly dismissed.
First and foremost, security professionals must recognize that one’s professional success is not just the product of doing a job well. It also depends on the ability to effectively communicate and adapt.
A manager cannot succeed by resting on the laurels of past accomplishments. However justifiably proud a security professional is about past accomplishments and successes, he or she should realize that current customers—whether internal or external—were not necessarily the direct beneficiaries of those past triumphs. In order to provide value, professionals must be able to continually and effectively communicate with colleagues and customers whose needs and expectations are in the present.
Consider that the three most used business language phrases in 2018 were “we’re on the same page,” “action plan,” and “game changer,” according to linguists. These terms are still heard frequently in workplaces, including security departments. Why might this be?
These phrases imply the need for action. When used in conversation, they communicate recognition of the increased productivity that will likely result when people get on the same page and agree to pursue a well-considered action plan. When executed properly, the resultant output is often a game changer. The phrases themselves may be getting a bit shopworn, but they still reflect the importance of teamwork and effort.
In addition, “getting on the same page” also has relevance when considering effective executive communication. To be on the same page as a C-suite executive often requires the ability to adopt a higher-level perspective.
For example, a manager is briefing the CEO about a security-related operational development. Before the conversation starts, the security professional should consider how the situation might look from the CEO’s perspective: How might this security development impact the company as a whole? Is there any long-term significance for the company? Can this development somehow help enable overall business growth?
Considering similar questions in advance—including how security can contribute to these business goals—helps a security professional show that he or she is on the same page as the executive. This preparedness and consideration helps establish the manager’s bona fides as a voice worth listening to.
Communicating big picture impact may also assist a manager with another key communication component: getting to the point. Most C-suite executives have multiple demands on their time, so a security briefing that seems to go on and on may not be well received. Big picture summaries serve as an effective way to end the communication: “The bottom line here is that this situation could be pervasive enough to impact…” Proposing solutions can effectively underline the conversation, but here the manager must be careful. In some cases, a solution may not be apparent, and it is dicey to suggest one that has a high possibility of failure.
Nonetheless, it is advisable for the manager to prepare for possible questions. For example, the manager can think about what might be unclear, especially to a non-security specialist, and have a thumbnail explanation at the ready. This can help professionals avoid getting bogged down with unnecessary detail as they struggle to explain concepts. If a manager is not exactly sure what the root of the confusion is, clarifying questions (e.g. “So what you want to know is how the funding aspect works?”) can help, so the manager does not waste executives’ time providing the wrong information.
In conjunction with preparing for questions, it may also be helpful for professionals to keep any arguments or proposals they are making as tight as possible. Avoid exaggeration or alarmism when discussing a problem. Double-checking statistics and spending time on the logical flow of arguments are good ways to do this. This can take additional preparation or a rehearsal, but it is usually worthwhile.
For many security professionals, the majority of communications involves staff and coworkers, as opposed to C-suite executives. In most workplaces, employees vary in age, but recently a relevant trend has emerged. Millennials—people born between 1981 and 1996, currently aged 24 to 39, according to the Pew Research Center—are now the largest generation in the U.S. labor force.
By dint of this statistic alone, it is likely that a sizable portion of most companies’ employees will be in this age range. And a tried-and-true rule for communication is to know your audience. Social change and dynamics are shifting rapidly in many workplaces today, and clear and appropriate expression is more important than ever. If a company’s workforce is majority millennial, it behooves a manager to know some of this age group’s common qualities and attributes, so that communication style and content can be shaped for maximum effectiveness.
Those who study generational differences and behavioral patterns say that many millennials bring vitality and passion into the workplace, plus a strong desire to be heard. Many millennials also tend to openly seek recognition, fairness, and justice, regardless of their place on the organizational chart. For them, the rigidity and dogma of the past are obstacles to progress.
Security professionals should consider what these characteristics mean in terms of communication effectiveness. Millennials’ strong interest in being heard suggests that professionals should ensure their communications solicit input and feedback. Younger employees’ interest in seeking recognition suggests that professionals should regularly recognize them in their communications. And their interest in fairness and justice suggests that managers should pay attention to those factors when explaining company policies and actions.
While some communication methods suit certain demographics over others, some tips are universal. For example, always speak to someone, not at someone.
When verbally communicating, a manager should not attempt to either impress or suppress the other party—he or she should not try to approach the conversation as a competitive contest in which the winner wrests control from an opponent. Unfortunately, some professionals do strive for conversational control, either by piling on self-acknowledgments or actively minimizing the partner’s participation.
Instead, a manager should strive to acknowledge the conversation partner’s point of view. Doing so validates the other party and demonstrates the manager’s interest in their input. Such an acknowledgment reflects active listening, and it communicates positive recognition. In addition, such acknowledgment may lead to further discussion of their idea. This can give a manager more insight into the idea, and ultimately he or she can respond more intelligently.
As remote workforces expand and digital communication becomes the default, a manager should err on the side of professionalism.
When communicating electronically, avoid shouting. DO NOT USE ALL CAPS or end your message with “......,” “??????,” or “!!!!!!!”. The overuse of casual text abbreviations (lol, omg) should also be avoided.
Some experts recommend that, when replying to emails, a manager should always take an “executive pause” before firing back an angry reply. If the email that the manager has received is a provocative or accusatory one, the manager may want to set it aside and come back to it later, in order to send a more measured response.
Remember also that electronic communications, including text messages, are discoverable in the event of litigation. Childish or disrespectful communications can be embarrassing or worse for a security manager if he or she must later testify before a judge or magistrate.
In addition, curtail multitasking. Emailing while chatting with a coworker is not only rude, but it hinders the manager’s ability to learn. Verbal communication in the workplace is a great way to exchange information. While multitasking is sometimes praised by professionals as a way to enhance productivity, it can produce misunderstandings when mixed with verbal communications.
In addition to verbal and electronic communication, be aware of body language.
Many human resources professionals and some security professionals have received training on the use and interpretation of body language. This can often be useful.
For example, experienced fact finders know that when they are being told something less than truthful during an investigatory interview, putting down their pen and notepad silently communicates disbelief of what was just said.
Looking away during a conversation demonstrates a lack of interest in what is being discussed. Managers must be mindful of these messages.
Body language offers a manager an effective way to convey openness with a clear listening stance. Giving executives and coworkers alike full and comfortable attention while speaking, without distracted gestures like fidgeting and checking the time, is a boon for effective communication. It conveys interest and respect, and it engenders confidence that the communication will be productive. It also shows that a manager leads by listening, which in the end is one of the most quietly effective leadership styles of all.
Reposted from ZDNet
The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend.
According to a report published today by US cyber-security firm FireEye, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during nighttime on weekdays, and 27% taking place over the weekend.
The numbers, FireEye said, were compiled from dozens of ransomware incident response investigations from 2017 to 2019.
The reason why attackers are choosing to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.
If a ransomware attack does trigger a security alert within the company, then there would be nobody to react right away and shut down a network, or the short-handed staff would have a hard time figuring out what's actually happening before the ransomware encryption process ends and the company's network is down and ransomed.
FireEye says that most of these types of sneaky nighttime/weekend ransomware attacks are usually the result of a prolonged network compromise and intrusion.
The cybersecurity firm says that ransomware gangs breach a company's network, spend their time moving laterally to as many workstations as possible, and then manually install ransomware on all systems and trigger the infection.
The time from initial compromise to the actual ransomware attack -- known as "dwell time" -- is, on average, three days, according to FireEye.
In all these cases, the ransomware is triggered at the attacker's behest, and not automatically once a network is infected -- which has been the old mode of operation for most ransomware strains.
Today, most ransomware gangs are in full control of their ransomware strains and they very carefully decide when it's the most suitable time to lock down a network.
Microsoft calls these types of incidents "human-operated ransomware attacks." In a report published last week, the OS maker included tips on securing networks and setting up detection rules to spot ransomware gangs during the "dwell time," and before they trigger their final payload and lock down companies.
FireEye said that since 2017, human-operated ransomware attacks have gone up 860%, and incidents now impact all sectors and all geographical locations, and not just North American companies.
In the cases FireEye investigated, the most common infection vectors were:
Brute-force attacks against workstations with RDP (Remote Desktop Protocol) ports open on the internet
Spear-phishing against a company's employees and using one infected host to spread to others
Drive-by downloads (employees visiting a compromised website and downloading malware-infected files)
Just like Microsoft in its report last week, FireEye is now urging companies to invest in deploying detection rules for spotting attackers during their pre-infection "dwell time."
"If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection," FireEye said.
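As an added example (not code from the ZDNet article, FireEye, or Microsoft), the following script shows two of the dwell-time detection rules the article urges defenders to deploy, run over a handful of constructed log lines: a threshold on failed logons from one source within a short window (the exposed-RDP brute-force vector), and a threshold on the number of distinct hosts one account reaches from one machine within a short window (the lateral-movement phase that precedes the manual ransomware deployment). Each alert is tagged with whether it fired outside assumed business hours (07:00 to 19:00 on weekdays), since the article reports that most detonations happen at night or over the weekend. The log format, field names, thresholds, hostnames, addresses and timestamps are all assumptions made for this example.

```python
"""Two dwell-time detection rules over constructed logon events.

Added example; the log format and thresholds are assumptions, not any
vendor's rule syntax. Event fields: ISO timestamp, event name, source
host or IP, account, target host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 7, 19  # assumed local business hours (weekdays)

# Constructed sample events, not real telemetry. 2020-03-14 and 2020-03-21
# are Saturdays; 2020-03-16 and 2020-03-18 are weekdays.
SAMPLE_LOG = """\
2020-03-14T02:01:05 logon_failed 198.51.100.7 administrator ws-12
2020-03-14T02:01:09 logon_failed 198.51.100.7 administrator ws-12
2020-03-14T02:01:12 logon_failed 198.51.100.7 admin ws-12
2020-03-14T02:01:15 logon_failed 198.51.100.7 backup ws-12
2020-03-14T02:01:18 logon_failed 198.51.100.7 jsmith ws-12
2020-03-14T02:01:22 logon_failed 198.51.100.7 jsmith ws-12
2020-03-14T02:01:30 logon_success 198.51.100.7 jsmith ws-12
2020-03-16T10:15:00 logon_failed 10.0.0.55 mlee ws-03
2020-03-16T10:15:40 logon_success 10.0.0.55 mlee ws-03
2020-03-21T23:40:01 remote_logon ws-12 jsmith ws-01
2020-03-21T23:40:09 remote_logon ws-12 jsmith ws-02
2020-03-21T23:40:15 remote_logon ws-12 jsmith ws-05
2020-03-21T23:40:22 remote_logon ws-12 jsmith ws-07
2020-03-21T23:40:30 remote_logon ws-12 jsmith ws-09
2020-03-21T23:40:41 remote_logon ws-12 jsmith ws-11
2020-03-18T14:05:00 remote_logon ws-03 mlee fileserver
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, source, account, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "source": source, "account": account, "target": target})
    events.sort(key=lambda e: e["ts"])
    return events


def is_off_hours(ts):
    """True on a weekend, or on a weekday outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def _max_in_window(items, window, distinct=None):
    """Largest count (or distinct count) of items within `window` of any item.

    `items` must be sorted by timestamp. Returns (count, window_start)."""
    best, best_start = 0, None
    for i, first in enumerate(items):
        limit = first["ts"] + window
        span = [e for e in items[i:] if e["ts"] <= limit]
        n = len({distinct(e) for e in span}) if distinct else len(span)
        if n > best:
            best, best_start = n, first["ts"]
    return best, best_start


def rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source produces `threshold` failed logons inside `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e["event"] == "logon_failed":
            by_source[e["source"]].append(e)
    alerts = []
    for source, fails in by_source.items():
        n, start = _max_in_window(fails, window)
        if n >= threshold:
            alerts.append({"rule": "rdp_bruteforce", "source": source,
                           "count": n, "first_seen": start,
                           "off_hours": is_off_hours(start)})
    return alerts


def lateral_movement(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one account from one host reaches `threshold` distinct hosts."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "remote_logon":
            by_actor[(e["source"], e["account"])].append(e)
    alerts = []
    for (source, account), logons in by_actor.items():
        n, start = _max_in_window(logons, window, distinct=lambda e: e["target"])
        if n >= threshold:
            alerts.append({"rule": "lateral_movement", "source": source,
                           "account": account, "hosts": n, "first_seen": start,
                           "off_hours": is_off_hours(start)})
    return alerts


def run_rules(log_text):
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(log_text)
    return rdp_bruteforce(events) + lateral_movement(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

On the sample data the brute-force rule fires on the Saturday-night password guessing against ws-12 (six failures in 17 seconds, followed by a success for one of the guessed accounts), and the lateral-movement rule fires a week later when that account fans out to six workstations from ws-12, again on a weekend night. The off-hours flag is what a short-handed night shift would key on: an alert carrying it deserves a call rather than a ticket. The thresholds are deliberately low for a small sample and should be tuned against a baseline of normal administrative activity before use.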
Reposted from ArtNet News
It is hard to believe, but it was less than five weeks ago that Madrid’s art museums were thronged with visitors and its international art fair, ARCO, was in full swing. Now, the city’s art institutions are shuttered indefinitely and the fair’s venue has been transformed into a temporary field hospital. The director of Madrid’s Reina Sofía Museum has been working to keep his institution operating remotely in the hopes that it can serve as a beacon to those looking for inspiration. He reports that although some of his staff members are sick, none have died, and that they have kept their jobs thanks in part to Spain’s governmental assistance program. Borja-Villel has led Spain’s national museum of Modern and contemporary art since 2008 and also serves as a leading member of the Institute of Radical Imagination. As experts predict the coronavirus death toll has peaked in hard-hit Spain, the curator and art historian reflects on what the pandemic might mean for society and cultural life in the future.
Nobody could imagine this a month ago. Many of us were complaining about the state of the world in general, about how the health care system had been weakened, about the need to care more for nature, but no one could have imagined the emergency would develop so quickly, and that things would go this badly. There will be a “before” and an “after” this crisis. It will be a paradigm shift, just as everything changed after World War II.
The economic effects are going to be almost like a postwar situation when it is clear that what has happened is that the system failed. Things should not be like they were before. We will need something like a Marshall Plan for society and, of course, for culture—not to rebuild things as they were, but rather to imagine new worlds in which caring for other people and other species should be central.
In the art world, there are many things that need to be reconsidered. Eventually, museums will reopen, but will people be afraid of being close to one another? Will we be able to continue developing large exhibitions that are anti-ecological? Maybe blockbuster exhibitions are over. Maybe we should think more about process and research.
When the Reina Sofía reopens—certainly to begin with—we will have to limit the number of people in the Guernica room. But in addition to managing visitor flow safely, we also need to be careful that we do not turn into a society in which people are not empathetic, in which they are afraid even to touch each other. We cannot let public spaces disappear. There is an element of joy, of learning, and of democracy in being together with other people.
Right now, we are working with l’internationale, a confederation of European museums, to curate a visual manifestation of the balcony singing that has become so popular and uplifting in Italy. We have invited 14 artists initially to participate, but everybody will be included. We are asking them to create an intervention in their window, or on their balcony. They have complete artistic freedom, of course, but we are asking them to reflect on what it means to be on lockdown, and to imagine a better future. It is important to remember that human beings cannot be separated from nature, the importance of joy, and the importance of care.
Fortunately, we have always been big believers in archives, so we have a huge resource that until now we have not been able to fully activate. We also have a radio program, we have videos, we have documents on our website. We are now working to make more of this material available for free. We always imagined that, eventually, we would make it free, so we have already paid for the rights.
At the same time, we are developing new programs online. One is a poignant lecture by the art historian José Emilio Burucúa, which he was supposed to deliver at the museum. He traveled through Paris but was caught there when the lockdown began. When he went back to Argentina, he had to go into quarantine, so we did the lecture through Zoom. It was very emotional. The title was, “Like a Bird, Hope Flies.”
Reposted from Security Management
Mechelle Vinson needed a job. So, she went into the Meritor Savings Bank and met Vice President Sidney Taylor to see if they were hiring. They were, Vinson applied, and she was hired as a teller-trainee under Taylor’s supervision.
During her four years with the bank, Vinson was promoted to teller, head teller, and assistant branch manager. She also endured a pattern of sexual harassment by her supervisor, Taylor.
Shortly after her probationary period at the bank was over, Taylor invited Vinson to dinner and propositioned her for sex. She initially refused but was afraid she would lose her job, so she ultimately said yes.
After that initial incident, Taylor repeatedly demanded sexual favors from Vinson and had sex with her an estimated 40 or 50 times. He also fondled her in front of other employees, exposed himself to her in the women’s restroom, and raped her.
Vinson never reported the harassment to the bank or Taylor’s supervisors because she was afraid of him. But after she was terminated for taking extended leave, Vinson filed suit against the bank claiming she was subject to sexual harassment by her supervisor—a violation of Title VII of the Civil Rights Act of 1964.
Meritor Savings Bank attempted to have the case dismissed, claiming that because Vinson never reported Taylor, the bank could not be held liable for his behavior.
Vinson’s case made its way through the court system before landing at the U.S. Supreme Court. In a landmark ruling, the Court held that sexual harassment is a form of sex discrimination that is prohibited by U.S. federal law. It also held that just because the bank had a procedure to report the harassment—and Vinson chose not to use it—does not mean that the bank was shielded from liability.
“…the bank’s grievance procedure apparently required an employee to complain first to her supervisor, in this case Taylor,” wrote Chief Justice William Rehnquist for the Court. “Since Taylor was the alleged perpetrator, it is not altogether surprising that respondent failed to invoke the procedure and report her grievance to him. [Meritor’s] contention that [Vinson’s] failure should insulate it from liability might be substantially stronger if its procedures were better calculated to encourage victims of harassment to come forward.”
Vinson applied for that job in 1974. Rehnquist wrote his opinion for the Court in 1986. And yet, decades later, sexual harassment in the workplace remains an ongoing problem. In 2018, the most recent year for which data is available, the U.S. Equal Employment Opportunity Commission (EEOC) filed 41 lawsuits alleging sexual harassment occurred—more than a 50 percent increase in suits from 2017.
The EEOC also saw a 13.6 percent increase in the number of sexual harassment charges individuals filed with the commission in 2018, and it recovered nearly $70 million for victims through administrative enforcement and litigation—up from $47.5 million in 2017.
One positive, however, is that after the #MeToo Movement took off in 2017, there is greater awareness and acknowledgment of the existence of sexual harassment in the workplace.
“When #MeToo arrived, the big change was the degree that people are willing to speak up and speak out,” says EEOC Commissioner Victoria A. Lipnic. “There’s now a recognition and focus on culture. That was not the case prior to October 2017. That was something that we in our task force report in 2016 made a big, important point about—that culture more than anything matters.”
Lipnic joined the EEOC nearly 10 years ago when she was appointed by then U.S. President Barack Obama and approved by the U.S. Senate to serve as a commissioner. At the time, Lipnic says she was “appalled” at the number of sexual harassment complaints the EEOC continued to see nearly 30 years after the Vinson case—and so was her fellow commissioner, Chai R. Feldblum.
“I talked to all of our offices around the country, and they said that if the EEOC wanted to, we could have a docket of nothing but harassment cases—and more specifically, nothing but sexual harassment cases,” Lipnic says.
So in 2015, the EEOC created the Select Task Force on the Study of Harassment in the Workplace to examine the extent of harassment, what allows it to flourish, and how to prevent it. What the task force found—through interviews with stakeholders, experts, and victims—was disturbing. Almost one-third of the 90,000 charges the EEOC received in 2015 were allegations of workplace harassment. But despite the nearly 30,000 claims it received, the task force learned that most harassment is never reported.
“The least common response to harassment is to take some formal action—either to report the harassment internally or file a formal legal complaint,” Lipnic and Feldblum explained in a report released in June 2016. “Roughly three out of four individuals who experienced harassment never even talked to a supervisor, manager, or union representative about the harassing conduct.”
Most individuals chose not to report the harassment out of fear of disbelief, skepticism, or inaction on their claim. Instead, most people attempted to avoid their harasser, deny or downplay the situation, or ignore, forget, or endure the behavior.
While sexual harassment affects all people, it predominantly impacts women. The task force found that “anywhere from 25 percent to 85 percent of women report having experienced sexual harassment in the workplace,” according to the report. The percentages vary due to how questions about harassment at work are worded.
For instance, when the term was not defined in the survey, 50 percent of women said they had experienced sexual harassment, and 25 percent of women said they had been sexually harassed in the workplace. When asked if they had experienced one or more sexually based behaviors, such as “unwanted sexual attention or sexual coercion,” 60 percent of women said they had been sexually harassed, either inside or outside the workplace.
And when women do experience sexual harassment at work, they often turn to family members, friends, or colleagues for support, instead of formally reporting it.
Risk factors. To better understand why sexual harassment occurs in the workplace, the task force also looked at environmental risk factors that affect organizations.
It found that harassment is more likely to occur in homogenous workforces, where the workforce has little diversity.
“For example, sexual harassment of women is more likely to occur in workplaces that have primarily male employees, and racial/ethnic harassment is more likely to occur where one race or ethnicity is predominant,” according to the report. “Workers with different demographic backgrounds from the majority of the workforce can feel isolated and may actually be, or appear to be, vulnerable to pressure from others.”
Milk tea restaurant chain Tapioca Express and two of its franchises in San Diego, California, were recently charged with allowing the owner to harass young Filipino female employees, taking advantage of time alone with them to make unwanted sexual advances.
Tapioca agreed to pay $102,500 to settle charges brought by the EEOC that all three companies failed to prevent and correct the harassing behavior.
“We commend the young women for coming forward to shine a light on the harassment to which they were subjected,” said Christopher Green, director of the EEOC’s San Diego Local Office. “Their strength may give courage to other young people or those in the Asian American and Pacific Islander community who may be suffering harassment or discrimination in the workplace to come forward as well.”
However, the task force found that workplaces that are “extremely diverse” are also at risk because workers from different cultural backgrounds may be “less aware of laws and workplace norms,” which can allow harassment to occur.
Another risk factor is workplaces where workers do not conform to workplace norms, such as a male employee acting more feminine in a male-dominated work environment. The task force also found that “coarsened social discourse”—even outside the workplace—can make harassment seem more acceptable.
“For example, after the 9/11 attacks, there was a noted increase in workplace harassment based on religion and national origin,” the report explained. “Thus, events outside a workplace may pose a risk factor that employers need to consider and proactively address, as appropriate.”
Other risk factors include organizations with a high number of young employees who may not understand that their actions are a form of harassment; workplaces with significant power disparities, such as factories with plant managers and assembly line workers, or the military; organizations that rely on customer service and client satisfaction; and workplaces where employees are engaged in monotonous tasks because boredom may lead to bullying or harassment.
Chipotle Mexican Grill, Inc., recently agreed to pay $95,000 to settle EEOC sexual harassment and retaliation charges that stemmed from Austin Melton, a 22-year-old manager at a San Jose Chipotle store at the time, who endured physical and verbal harassment from his female supervisor.
Melton’s supervisor propositioned him and his then-girlfriend for sex, “touched him inappropriately, and posted a ‘scoreboard’ in the main office to track the staff’s sexual activities,” according to the EEOC. “When Melton reported the harassment, he faced further mistreatment including being locked in a walk-in freezer…. After Chipotle failed to adequately address the harassment, Melton quit.”
The position at Chipotle was Melton’s first job after high school, and in an EEOC press release he said he found it hard to speak up about the harassment at work and to report it to the EEOC when no action was taken to stop it.
“Austin was simply trying to do his job, as he worked to support himself and his girlfriend,” said EEOC Trial Attorney James H. Baker. “He faced conditions that no employee should have to accept in exchange for a paycheck.”
The task force also pointed out that isolated workspaces, decentralized workplaces, workplaces that tolerate or encourage alcohol consumption, and workplaces with high value employees are also risk factors for harassment.
“Superstars” are individuals seen as bringing high value to their employer, such as high-earning investment traders, surgeons, professors, or law firm partners who attract lucrative clients, the report explained.
“These workplaces provide opportunities for harassment, since senior management may be reluctant to challenge the behavior of their high value employees,” the report said. “The high value employees, themselves, may believe that the general rules of the workplace do not apply to them. In addition, the behavior of such individuals may go on outside the view of anyone with the authority to stop it.”
For instance, in December 2019 rideshare company Uber entered into a nationwide agreement to strengthen its business culture against sexual harassment and retaliation—and pay $4.4 million to resolve charges brought by the EEOC.
The commission began investigating Uber in 2017 and found reasonable cause to believe it permitted a culture of sexual harassment and retaliation against individuals who complained about the behavior. As part of the settlement, Uber agreed to create a system to identify employees who have been the subject of more than one harassment complaint. The system will also identify managers who do not respond to concerns of sexual harassment in a timely manner.
“In particular, employers should take note of Uber’s commitment to holding management accountable and identifying repeat offenders so that high-performing, superstar harassers are not allowed to continue their behavior,” said EEOC San Francisco District Director William Tamayo in a statement. “The tech industry, among others, has often ignored allegations of sexual harassment when an accused harasser is seen as more valuable to the company than the accuser.”
Prevention. While organizations need to have procedures to report and investigate claims of sexual harassment in the workplace, they can also take steps to proactively prevent the behavior in the first place.
In its research, the task force found that to effectively do this, organizations need to have commitment from leadership to create a diverse, inclusive, and respectful workplace. Not only is this the right thing to do, but it is also financially beneficial to the organization.
“At the tip of the iceberg are direct financial costs associated with harassment complaints,” according to the EEOC report. “Time, energy, and resources are diverted from operation of the business to legal representation, settlements, litigation, court awards, and damages. These are only the most visible and headline-grabbing expenses.”
Other expenses, which cannot always be calculated, include decreased workplace performance and productivity, increased employee turnover, and reputational harm.
The report recommends that leaders create a “sense of urgency” about preventing harassment in the workplace, such as assessing risk factors that can predicate harassment.
“For example, if employees tend to work in isolated workspaces, an employer may want to explore whether it is possible for the work to get done as effectively if individuals worked in teams,” the report explained.
Organizations should also have policies and procedures in place to address harassment, and conduct training so the policies can be followed. This means putting resources—money and time—towards this effort.
“Employees must believe that their leaders are authentic in demanding a workplace free of harassment,” according to the report. “Nothing speaks to that credibility more than what gets paid for in a budget and what gets scheduled on a calendar.”
One organization that is putting these recommendations into practice is Deloitte, which hosts an annual Inclusion Summit to bring together individuals from different backgrounds and experiences to hear from leaders and experts about advancing inclusion within Deloitte itself.
In 2019, Deloitte held a Day of Understanding across its U.S. offices to create a space for candid conversations around diversity, inclusion, and unconscious bias.
Deloitte also made a concentrated effort to diversify its cybersecurity workforce—one-third of which are female, including its recently promoted principal, Deborah Golden, who is the first woman to lead the company’s U.S. cyber practice.
“I’ve been here for 24 years, and we’ve always had some form of women in business, diversity, and inclusion program—and we’re continuing to evolve those programs,” Golden says.
This is not always the case across industry, she adds, but Deloitte made a commitment at the leadership level to create a diverse organization where everyone is welcome.
“Deloitte 100 percent does that,” she says, adding that Deloitte participated in a Pride Ride and other activities in June 2019 to mark LGBT Pride Month. “It’s not only something our executives support—but actively participate in.”
And once leadership makes its commitment to creating a diverse and harassment-free workplace, it then needs to hold those who violate the policies and procedures accountable.
“These accountability systems must ensure that those who engage in harassment are held responsible in a meaningful, appropriate, and proportional manner, and that those whose job it is to prevent or respond to harassment, directly or indirectly, are rewarded for doing that job well, or penalized for failing to do so,” according to the report.
Frontline supervisors have an especially important role because they are often the first to observe behavior at work. They are also often the first people to whom individuals will complain.
“They have to know how to correctly respond—that they don’t just brush it off,” Lipnic says, meaning they need to be trained on how to handle allegations of harassment. And security professionals have a doubly important role to play.
“I’ve spent years on this topic now, and it’s struck me that it’s a coincidence of our legal system that harassment is considered a form of discrimination—that’s just how the law developed,” she explains. “But on a very practical level, it’s a safety issue. And there’s such an opportunity for people who are engaged in the safety of workplaces to gain greater depth on the topic, demonstrate greater engagement, and work on a partnership basis with the leadership of organizations.”
For instance, Lipnic says security professionals can take an active role in conducting climate assessments of their organization so they understand how employees feel about their safety or factors that could encourage harassment.
It is also critical for security officers to have this understanding because they need to have firsthand knowledge of what situations employees find themselves in that impact their safety. This understanding is especially valuable when organizations are planning special events, such as a company party where clients and alcohol might be present—both factors that could increase the risk of sexual harassment. (See “The Intoxication Issue,” Security Management, February 2019)
“Security officers are trained to recognize risk, and if we have learned anything from the #MeToo Movement, I hope that it’s the degree of risk that so many people are in in all kinds of workplace environments,” Lipnic adds.
Reposted from Protocol
Cybersecurity experts fear that the chaos caused by coronavirus provides an opportunity that hackers will take advantage of — and there's already evidence that foreign adversaries, including Russia and China, are launching coronavirus-related cyberattacks.
Companies are increasingly vulnerable to cyber intrusions due to various disruptions caused by the coronavirus outbreak. Many are making sweeping changes to their networks, asking most or all employees to work from home, and may have to deal with critical IT workers getting sick or having to juggle work with taking care of kids. It all adds up to an opportunity that the most sophisticated hackers have been waiting for, said Nico Fischbach, global CTO of cybersecurity firm Forcepoint.
"Nation states play the long game — they have their list of targets and wait for the right moment to get in their systems … This is the perfect time. There's so much noise and so much change," he said.
Those fears were amplified earlier this week after reports of an apparently unsuccessful attempt to compromise the Health and Human Services Department's computer systems. In a Monday press briefing, a reporter asked HHS Secretary Alex Azar if the attack originated from a foreign country like Iran or Russia. Azar said that HHS is investigating the source of the activity, but he didn't want to speculate. Attorney General William Barr told the Associated Press there would be swift and severe action if the attack is linked to a foreign government.
Ben Read, senior manager for cyber espionage analysis at FireEye, said there are already signs that some countries are taking advantage of coronavirus fears. FireEye has been involved in investigating some of the most high-profile nation-state attacks in recent years, including the 2014 attack against Sony that was linked to North Korea and the 2016 attack on the Democratic National Committee that was attributed to Russia.
Since late February, FireEye has observed two Chinese groups targeting entities in Vietnam, the Philippines, Taiwan and Mongolia with phishing attacks that use legitimate statements by political leaders and authentic statistics and advice for people worried about the disease. Malicious files included in the emails carry various payloads that can do things like log a user's keystrokes or provide a backdoor into a device, allowing the hackers to access it at a later time.
FireEye said it also intercepted a similar phishing email sent to Ukrainian entities from an espionage group that supports Russian interests. The content of the email appeared to be copied from a legitimate document. Another phishing attack directed at a South Korean nongovernmental organization was linked to North Korean hackers. That email, sent in late February, included governmental health-related instructions and was titled "Coronavirus Correspondence."
It's impossible to know how successful these and other attacks have been so far, but Read suspects organizations are falling for it. "If something isn't working they would usually change things up, and we've seen these kinds of attempts increase, not decrease, so I assume it's working." He added that other factors, like the fact that "every company you've ever given your email address to is emailing you to tell you what they're doing" makes it more likely that people have their guard down when spotting phishing attempts. "People are very hungry for information right now," he said.
Some organizations might find out that they've been compromised only when an attack is carried out, Fischbach said. "It's very likely that we'll find out six to 12 months from now [that many organizations have been breached]," he said.
One bright note is that the attacks don't seem to be more technologically sophisticated than the ones companies typically deal with, Read said. Standard security procedures, anti-malware tools, and phishing email detection software will still prevent many of these attacks, he said. But additional user education is needed to help identify suspicious emails that carry legitimate coronavirus information. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency recently warned companies of such attacks, and advised them on how to improve their cybersecurity posture during the pandemic.
Although FireEye has identified coronavirus-related attacks from China, Russia and North Korea, it hasn't noticed any linked to Iran, Read said. That could be because Iranian phishing attempts haven't been detected, or because the virus has hobbled the country's hacking apparatus. "There are big questions in my mind that we don't have answers to. How do these outbreaks affect Iranian cyberespionage if the people behind the keyboards are getting sick?" he said. "We're still seeing Chinese activity, but you might see more of an impact in Iran because they have a pretty severe outbreak and fewer resources than the Chinese government."
Reposted from Politico
As the novel coronavirus reshapes virtually every facet of American life, it’s also coloring how aspiring terrorists plot attacks. And that shift has caught the attention of American national security officials.
Law enforcement and intelligence officials are watching the virus’s impact on potential terrorist threats — how it is accelerating the plans of some would-be attackers, while presenting macabre new targets of opportunity to others.
Homegrown violent extremists are a particular worry. In an interview, John Demers, the assistant attorney general for national security at the Justice Department, said the department and the FBI are closely monitoring how the virus is shaping their plans.
“They do get ideas about, ‘How can I try to weaponize this virus?’” he said. “It’s something we’re focused on, together with the FBI — and making sure on the intel side that we’re on top of whatever’s showing up.”
Officials are also tracking the way the pandemic could influence terrorists’ strategies on timing and targets for more conventional attacks, Demers said.
“Are they going to accelerate any of their plans?” he said. “Are they going to see windows of opportunities? Obviously a lot of public places are less crowded, but others, like hospitals, are more crowded. Are they going to see these windows of opportunity to take advantage of?”
International travel has gotten particularly complicated because of the pandemic, with the U.S. closing its borders to a host of countries and airlines slashing their flight schedules as demand plummets. Transportation Security Administration (TSA) data shows it checked one-tenth as many travelers on Thursday as it did a year earlier.
“We still have a few cases of people who want to travel to other countries and engage in terrorist activities,” Demers said. “How is this impacting travel plans? Is it accelerating them or deferring them for folks as flights shut down?”
The questions aren't merely theoretical, according to Demers, who suggested that authorities are already observing terrorists change their behavior as the virus alters transportation patterns.
The Justice Department last week charged a Pakistani doctor with trying to help ISIS. The doctor, who was temporarily working in the U.S., initially planned to get to Syria by flying into Amman, Jordan. But, according to a DOJ press release, his plans changed when Jordan closed its borders because of the pandemic. He then decided to fly to Los Angeles and, from there, travel to Syria on a cargo ship. He was arrested at the Minneapolis-St. Paul International Airport on March 19.
Demers said the virus could also give terrorists new ways to attack.
“There are worries that people could try to weaponize their own illness by trying to infect other people,” he said.
Joshua Geltzer, a terrorism expert who previously worked in the National Security Division and is now at Georgetown Law, concurred that the virus may provoke threats in new ways.
Social distancing might raise the risk of homegrown radicalization, he noted, as isolated people with loads of free time get pulled down disinformation rabbit holes online.
“The idea that that can lead to particularly deranged interpretations of events and generate an extreme response, even violent action –– I think that threat gets magnified given the social isolation that we as a country are understandably adopting,” Geltzer said. "I feel like the past month and this virus have taken a dangerous information environment and really ratcheted up how lethal, how directly lethal it can be."
by Stevan P. Layne, CPP, CIPM, CIPI
All individuals and institutions are experiencing significant impacts from the COVID-19 pandemic (and, most likely, the worst part isn’t over). If we continue to head in the same direction, with closed businesses, rising unemployment, and little or no income, people will inherently become increasingly desperate. Federal, state, and local governments are stepping in to assist where they can, but resources are limited on all fronts. Will assistance efforts put food on the table (and for how long)? It’s important to look at statistics, as well as human nature. When people become desperate, criminal activity increases. Even previously law-abiding citizens may resort to drastic measures to feed their families.
Where outright theft is concerned, over 90 percent of losses from cultural institutions involve someone connected to the institution. These losses, as far as we know, are not generated by desperate people. Internal theft is mostly committed out of greed or opportunity.
Remember, valuable collections are not the only assets that warrant strict protection. Theft can include cash, merchandise, computers, tablets, audio-visual equipment, electronics, supplies, and other expensive assets. Small objects are most easily removed without detection. Large objects are vulnerable as well, if someone has the time and opportunity to make proper arrangements.
What this means to management is that our protection efforts need to be absolute. Perimeters must be impenetrable, at every point. Intrusion and access control alarms must be tested regularly and must perform as intended. Every member of proprietary and/or contract security staff must be properly screened, hired, trained, and monitored. A responsible member of management who understands the entire security program must be designated to monitor all protection activity and security officer performance.
During current institutional closures, all persons (staff, volunteers, contractors), regardless of rank or position, should be thoroughly screened/identified upon entering or leaving facilities. Every parcel, bag, and container should be professionally searched upon entry and exit to mitigate internal theft.
Video surveillance is a valuable tool, if properly specified, selected, placed, installed, monitored, and tested. Video surveillance and security and fire-protection alarms perform a valuable function, but technology alone cannot take the place of an alert, well-trained, and properly supervised patrol officer in terms of reliability and effectiveness. With the current and significant decrease in regular staff working within our institutions, proper security inspections, patrols, and physical searches become even more critical.
We are all particularly vulnerable during closures, and disrupted operations. Please stay safe and diligently maintain recommended health practices.
Contact us if you have concerns about your unique facilities or assets. We can help directly, or refer you to someone who can.
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667
Copyright © 2015 - 2018 International Foundation for Cultural Property Protection. All Rights Reserved