Reposted from Security Management

​It is one thing to expect the unexpected. It is quite another to accept the unexpected. Denial is a powerful thing, and even the best of us can be convinced that our plans are comprehensive and our preparedness complete. 

The key ways to overcome this sort of complacency are to link crisis management and business continuity meaningfully, and to incorporate Adaptive Business Continuity principles that enable an organization to react quickly to the unexpected.

Consider that the past few years alone have seen increasingly active Atlantic hurricane seasons, major cyberattacks against global corporations, and secondary losses of key infrastructure following major disasters. Organizations in the public and private sectors are asking their teams to do more with less while also performing to higher standards. The need to recover quickly from losses is as important as ever, while in many cases the resources are thinner than they used to be. These realities require new and innovative approaches.

In addition, as our society grows increasingly interconnected, businesses, organizations, and governments will depend upon one another’s services to tighter and tighter tolerances. Utility and communications regulators, for example, are demanding that companies meet stricter reliability standards. This trend will continue for the foreseeable future.

Meanwhile, the costs and consequences of large-scale incidents will grow. Disaster events claimed more than 11,000 victims globally in 2018. The estimated losses from natural and manmade disasters in 2018 are estimated to be $155 billion, with global insured losses estimated to be around $79 billion, according to data from the Swiss Re Group. 

These conditions paint a frightening picture, but therein lies the opportunity. A well-crafted business continuity program, clearly linked to crisis management activities, can be a source of value for an organization—not only in response to disaster, but on “blue sky days” too. The business continuity (BC) program and its practitioners can become meaningful business partners with the organization.

A Tall Order?

Great organizations confronted with crisis can choose to accept the unexpected, adopt a new normal, and bring out the best in themselves and their people. In doing so, they take a position of strength that recognizes crisis as a form of change and redefines it for a better future. 

To do this, the organization needs to be poised in its response—not just when a crisis or business interruption occurs, but ahead of it. Done skillfully, a business continuity program can not only enable a better response, but also foster continuous improvement and identify areas of operational improvement along the way.

Security managers are in a key position to influence their organizations if they adopt practical notions in their BC approach. And, in some cases, it is the security manager who is tasked with creating a new BC program where none existed, or worse—with reviving one that has languished.

How does one proceed? By connecting BC to the delivery of continuous improvement and operational value and by linking crisis management and BC in a meaningful way.

To achieve the best outcome, business continuity depends on the planning and preparation effort that comes along with response and recovery. This is where the true blocking and tackling of BC work takes place. 

Some industries and regulators are decidedly prescriptive about the required activities of BC programs under their purview. They mandate activities such as assessing risk, completing a business impact analysis, obtaining buy-in from senior leadership, training, validation, testing and exercising, documentation, and communication. This is especially true in the financial sector and in the healthcare industry.

Good Practice Guidelines from the Business Continuity Institute and the standard ISO 22301 are good starting points where such accredited certification is needed or preferred. However, such traditional practices are not the only route to a meaningful BC program. 

​Pitfalls of Tradition 

In some cases, the activities and approaches traditionally associated with continuity planning can pose an obstacle to implementing a program. While these may have their appropriate place within many BC contexts, they can also present challenges. 

This is especially true in cases where an organization may have greater latitude in designing a new program or revising an existing one, or in organizations with a culture that favors iterative, agile processes over linear, sequential ones. In these cases, it may be preferable to place the primary focus on quickly delivering value.

For example, a core concept of much BC planning activity is the focus on recovery time objectives (RTOs). The use of RTOs is intended to help quantify recovery needs, prioritize response activity, and drive planning activity. 

However, employing time as a target, instead of simply a restriction, can be problematic. In practice, many times RTOs and recovery point objectives (RPOs) are subjective or even arbitrary. They are best applied where truly static, precise, and predetermined time restrictions exist, such as regulatory time limits, violations, or specific matters of health and safety. Otherwise, the effort undertaken to arrive at and assure an RTO may not return value. In other words, if it is clear that failing to meet a six-hour time frame for service restoration will result in a regulatory fine of a specific dollar amount, the decision making process becomes quite straightforward because investment in meeting the RTO can be clearly weighed against the risk of penalties.

Another cornerstone of the BC world is the business impact analysis (BIA). While the BIA can be an invaluable tool for the BC practitioner, it can also be a subject fraught with confusion. 

In actuality, the proper sequence of service restoration will always depend on the exact nature of the post-disaster situation. As such, responses need to be flexible and adaptive. This is especially true in today’s environment where the cause of a service outage might not be immediately obvious—as in the case of a deliberate cyberattack.

As a consequence of all this activity, an overwhelming amount of documentation can be generated which needs to be guarded, maintained, and updated. But rarely is it used in actual response activities. In some cases, BC and response plans are so voluminous that they could not possibly serve a practical purpose in a real emergency. They become the proverbial shelfware.

Lastly, traditional methods emphasize obtaining exclusive senior-level executive support and doing so at the outset. While important, it can be more meaningful to engage at many levels in the organization. 

The real danger here is slipping into a trap where the organization is carrying out extensive business continuity activity for business continuity’s sake, which only delivers value on an arbitrary or periodic basis and could create a false sense of preparedness in departments where little actually exists. The goal, instead, should be to explicitly link to the organization’s objectives and to deliver value incrementally and continuously. 

A Practical Approach

Consider some of the following practical approaches in connecting BC to the delivery of continuous improvement and operational value. These are notions borrowed directly from the approach called Adaptive Business Continuity. Five of Adaptive BC’s core principles, outlined here, are essential for better partnership between crisis management and business continuity. 

Exercise first. In the strictly sequential approach often favored by traditional BC practitioners, testing and exercising come during later stages of the cycle, after plans and assessments have been completed. 

But discussion-based tabletop exercises are the single most powerful tool an organization can use to identify gaps in planning and address assumptions in both crisis management response and BC. Dollar-for-dollar, there is no better value. So why not start there? By walking through a scenario as a group, a team can quickly and easily spot gaps and identify solutions. 

Such exercises can be lightweight and even informal. The key is to have a direct, focused approach driven by one or two clearly defined objectives. 

For example, the objective of this exercise might be to assess the initial size up and response to an unplanned event; to evaluate the escalation protocol defined in the planning documents; or to review the organization’s ability to activate the crisis management plan.

By driving toward the objective, a planning team can steer away from overly complex exercise scenarios. Inevitably, the discussion will uncover lowhanging fruit of an operational nature; the exercise players will establish closer personal connections; and the collective team will identify gaps around the predetermined objectives. 

Consequently, the results are both of immediate value and can be used to drive action planning over the medium and longer term. And, in doing so, the team has also established clear connections between BC and crisis management capabilities.

Simplify documentation. Elaborate crisis management and BC plans that are hundreds of pages long are a detriment in three critical ways. First, they require extensive—often labor intensive—maintenance and continuous updates. Second, they are not practical in an actual crisis. Lastly, these are not value-generating activities. BC activity and documentation for its own sake is a common pitfall. 

Simplify plans so they can be internalized and recalled easily by the people that need to know them. Where appropriate, checklists are an excellent tool.

The exceptions, of course, are cases where such plans are mandated or regulatory requirements, such as in the finance and healthcare industries. Absent any compliance or other compelling need, voluminous documentation should be replaced by slim, user-oriented playbooks. 

A practical example of this is an organization with a 75-page corporate incident response policy. Key leaders in the organization had acknowledged that because of the policy's length, it was universally ignored—posing a critical risk. The solution was to reduce the most significant end user elements of the policy—what the responder truly needed to know first—into a one-page infographic. 

The infographic was introduced to the working teams through a series of short, focused tabletop exercises. Teams were asked to use—and break—key aspects of processes contained in the infographic. 

In the course of the exercises the teams also uncovered critical communications gaps and assumptions and were able to address them. They formulated the catchphrase “Don’t Hesitate to Escalate” to drive home their solution to the communications problem. In doing so, they delivered immediate value to the organization, improved operational efficiency, and established a basis for continuous improvement of their BC and crisis management capabilities. 

Continually improve. The most compelling case a BC professional can make to a client or constituent is that the cost and effort required of proposed BC-related activities will offer some immediate payoff, as well as continuous, iterative improvement throughout the process. 

Free from documentation for its own sake and a strictly sequential BC cycle, the BC professional discovers the opportunity to take more of a role as a partner in the business. Where performance measures like RTOs are needed, along with taking an inventory of key business processes, discussion around these topics should not focus on an arbitrary target. 

Rather, an opportunity exists to engage stakeholders about their goals for the organization and to rationalize the findings of their assessments—challenge them to apply their own intuition to the targets and see if they pass the test of common sense. And by asking why the target is there, call into question how it may be reached on a “blue sky day” more efficiently. 

The BC process can be a source of continuous improvement by providing a venue for these conversations among stakeholders. People are eager to share personal experiences of working through crises—with outcomes that were positive or negative for the organization—especially in a setting where that experience can add value.

For example, one organization recognized that its list of key business processes was extensively detailed and complicated. A very candid, common sense discussion reduced this list from dozens of items to six, only one of which was considered critical. Consequently, the BC management process was simplified, and the crisis management response framework was easier to internalize.

Plan for effects. The causes of catastrophe are innumerable. We cannot plan for every eventuality, and even if we could, our best laid plans often get overtaken by the events. Instead, we should focus on effects. 

Generations of military leaders have understood that  “No plan survives first contact with the enemy.” The notion is familiar and often repeated in more contemporary contexts, but perhaps best by Mike Tyson: “Everyone has a plan until they get punched in the mouth.”

Consider the extreme weather phenomena experienced by the U.S. Northeast in 2011 and 2012. In the fall of 2011, the area experienced a nor’easter and Hurricane Irene in rapid succession. The following fall in 2012, it experienced yet another nor’easter and Superstorm Sandy.

All four events can easily be described as storms, natural disasters, or extreme weather. The acute causes of the localized emergency were highly specific, however. Each storm had its own unique character: inland flooding, coastal flooding, a snow event, or a tree event. Some would argue that this calls for four unique types of plans—or that each cause needs a corresponding plan. 

On the contrary, the effects of these catastrophes are much fewer. The effects will only be the unexpected unavailability of people (staff), places (facilities), or things (resources and critical suppliers). 

Focusing on effects makes for much simpler, more meaningful and manageable planning. 

Know the business. Above all, the people responsible for carrying out any BC or crisis management activity need to know the business. BC practitioners should align closely with operational teams at every level of the organization—not just at the senior leadership level. Having executive support is beneficial to driving outcomes, but the discovery of ground truth comes from frontline teams. The best BC professionals don’t just drive an arbitrary BC cycle. They understand the people, places, and things that make the business unit tick—and why. 

If we consider crisis management an unexpected opportunity to change, then BC should serve as the practical, sense-making corollary. In other words, the lessons learned in acute responses to crises can be sharpened into operational improvements and ultimately greater resilience when incorporated by the BC process.

The BC professional’s biggest client in any organization is operations. Delivering value during crisis means having close integration between business continuity, crisis management, and the real needs of the business.

If we accept that organizations will continue to be challenged in unexpected ways by the external environment—and that this will result in losses—we have to look at how our BC efforts match with the demands placed upon them. 

The organization that is in a position of strength is one that has truthfully inventoried itself, assessed its own assumptions, and made use of what it learns along the way—not just in the moment of crisis or business interruption. 

The path to this outcome can follow a traditional, prescriptive route as defined in the ISO and the Good Practice Guidelines—but it can also take more innovative and ongoing forms by linking BC and crisis management to the goals and orientation of the organization. A more practical, agile, and lean approach like the one outlined by Adaptive Business Continuity is likely to provide more value—and at a faster pace—than traditional practices we currently have in place.  

See Original Post

Reposted from The Business Journal Daily

In the wake of mass shootings in Dayton and El Paso, the safety and security of those at local institutions across many sectors, from education to entertainment, is being revisited.

A multilayered approach to active shooter scenarios is in place at Youngstown State University. Ron Cole, public information officer, said the YSU police department consists of almost 30 full-time officers and 100 part-time commissioned officers who go through regular training relating to situations that may occur on campus.

“Most recently, we’ve updated a lot of our emergency operation plans across campus,” he said. “Every building has an emergency operation plan, which outlines what should be done in the event of a variety of situations on campus.” 

All classroom doors received new locks that automatically lock when the door is closed and the recently expanded PenguinAlert system ensures the safety of all students with emergency text alerts, he said. Students can sign up for PenguinAlert at YSU.edu/PenguinAlert. Additional communication will be going out before the academic year starts to outline safety precautions, including a video that will show how to respond to an active shooter scenario.

“We have a good crisis communication plan that puts into place a variety of actions we would take in the event of an emergency in terms of how to communicate to students, to faculty, to the community, the media,” Cole said.

On campus and as well as in the city, police officers at the Youngstown Police Department participate in two cycles of annual training to ensure the safety of the community.

“During those in-services, we have done responses to active shooter training a number of times so the officers are familiar with it,” said Chief Robin Lees. “Our community police officers are trained in the new alert training, which is a response to an active shooter typically in a workplace environment.”

The training is available to local businesses in the Youngstown area as well, and would serve employees and management well if they find themselves in an active shooter situation, Lees said.

“You want to evacuate or take cover, and these are assessments you have to make on your own,” he said. “You need to be practicing good crime prevention to begin with. Know your surroundings and understand who and what is around you. If you feel somebody is suspicious or see something that looks unusual, don’t keep that to yourself.”

Active shooter safety education programs have been put into place at the Ohio National Safety Council in Youngstown, including running, hiding and fighting defenses others can take advantage of should they find themselves in an active shooter scenario.

“I think that as they describe them as soft targets, it makes all of us a little more aware of those places that we go everyday,” said Larry Kingston, executive director of the local National Safety Council chapter. “We need to check out things like exits. Anything that sounds like a gunshot, even though you might think it’s a firecracker, you need to react to it and get away from it.”

Addressing cultural things such as the younger generation being involved with social media and the dark web will further impact the safety of others, Kingston said.

“If we hear somebody say something that is very harmful, they want to kill people, they want to eliminate people of a certain culture, a certain color, we need to notify the police and let the police sort it out before it gets to the extreme,” Kingston said.

Safety precautions are taken daily at the Eastwood Mall Complex in Niles. People have to be aware of soft targets, said Joe Bell, spokesman for the Cafaro Company.

“That could be your church, that could be your daycare center, any place of businesses,” he said. “We have to get into the mind frame of thinking about where you are at any given time of the day and how you would defend yourself or save your life.”

Fourteen years ago, safety precautions were upgraded within the mall complex in light of the Sept. 11 attacks and continued to be updated, Bell said. With shopping malls being crowded with people, it’s an easy target for an active shooter.

“We have run a variety of scenarios and training programs since that time with our own internal security, with our tenants, our employees and local law enforcement so they can drill on these types of scenarios,” Bell said. “It’s been very helpful. People have learned a lot about how to operate in an environment like an enclosed shopping mall.”

Training exercises are done as often as possible, which entails real life scenarios people undergo during an emergency. Last week at the Cafaro corporate headquarters, employees were engaged in active shooter training to understand the basis for attacks like this and the best ways to defend themselves, Bell said.

“We’ll bring in local police chiefs, other first responders and have them in on the planning, and very often, local volunteers will act as victims or shoppers,” Bell said. “It’s very realistic with guns firing blanks. Police officers will be doing everything they would do should shots start being fired in a mall.”

Over the last 12 years, the security of customers, employees and artists has increased at the Covelli Centre. Metal detectors have been added at entrances at the Youngstown Foundation Amphitheatre and the Covelli Centre, and security has doubled over the last five years, said Ken Bigley, vice president of the JAC Management Group.

“We don’t open the doors to any event without an armed, uniformed police officer on-site,” Bigley said. “We’ve created a relationship with [U.S. Department of] Homeland Security to stay on the forefront of any alerts or messaging that’s going out from Homeland Security.”

Active shooter training courses have also been implemented for the security and event staff at the Covelli Centre and the amphitheater. Safety is always taken seriously with the event calendar filled with family and children related shows, said Phoebe Breckenridge, marketing and sales coordinator.

“We never want anyone to feel unsafe when they come here,” she said. “We aim to be a safe, fun place for people to come to for entertainment.” 

See Original Post

Reposted from Irish Legal News

A man who suffered an injury to his knee requiring surgery after he slipped on the stone staircase at the National Museum of Ireland has been awarded €67,000 in the High Court.

Criticising the Museum for its failure to provide the court with CCTV evidence of the fall, or present witnesses who had viewed the footage, Ms Justice Bronagh O’Hanlon found that the accident was caused by the Museum’s negligence in failing to provide a hand rail for people to hold onto the entire way down the staircase.

Background

The plaintiff, Warren Baldwin, is a 70-year-old man from Sydney, Australia, who came to Ireland on holidays in June 2016. On 5 June 2016, Mr Baldwin was visiting the National Museum of Ireland when he lost his footing while descending the main balcony stairway, and suffered severe personal injuries loss and damage as a result.

After the accident, Mr Baldwin was brought by ambulance to St James’ Hospital where he spent over 15 hours on a trolley waiting to see an orthopaedic surgeon. Mr Baldwin was diagnosed with a quadriceps rupture, and a retraction of the rectus ligamentous muscle (consistent with a partial tear of the quadriceps tendon). Mr Baldwin was administered painkilling medication which he continued to take until he was seen by his own GP in Sydney. Upon his return to Australia, an MRI confirmed that Mr Baldwin had suffered a full thickness tear of more than 50 per cent of the quadriceps tendon, requiring surgical repair.

Before the accident, Mr Baldwin was described as being very active and a keen golfer. In her evidence to the court, Mr Baldwin’s wife said the accident slowed him down by about 50 per cent and that walking became painful for him after a while. A consultant in emergency medicine who examined Mr Baldwin also believed that the injuries seriously curtailed him playing golf, walking, and gardening, and that psychologically he was much slower.

Omnia praesumuntur contra spoliatorem

Mr Baldwin’s claim was based on the Museum’s alleged negligence, breach of duty, including breach of statutory duty, nuisance and/or misfeasance in the design, construction, upkeep, maintenance, management, care, supervision and inspection and control of the premises – particularly the main balcony stairway.

The Museum argued that Mr Baldwin’s fall was entirely his own fault, and relied heavily on an accident report form which recorded that Mr Baldwin had missed the last step and fell (which was inconsistent with Mr Baldwin’s description of his fall). An orthopaedic surgeon who gave evidence on the Museum’s behalf said that Mr Baldwin’s ongoing difficulties were age-related. He also said that Mr Baldwin would have had a better chance of repair had his operation been sooner – i.e. the following day, rather than a number of weeks after the accident.

Ms Justice O’Hanlon found Mr Baldwin to be “a very credible witness who came to court in good faith and travelled from Australia to bring his case to trial. He … gave his evidence in a very candid normal way without embellishing matters in any shape or form”. She said the court “had no doubt but that he was doing his best to give a true and fair recollection of matters as he perceived them”.

Considering the inconsistency between the accident report form and Mr Baldwin’s description, Ms Justice O’Hanlon was highly critical of the fact that the CCTV evidence of the fall was not made available to the court, nor were employees of the Museum who viewed the CCTV called as witnesses. She said Mr Baldwin was entitled to rely on the maxim omnia praesumuntur contra spoliatorem where all things are presumed against the party that has destroyed evidence. 

Negligence

Ms Justice O’Hanlon said that on the balance of probabilities, Mr Baldwin lost his footing on the third last step and fell into the landing below. She said that the stone steps in question were “shiny and slippy”, and that if there been an adequate and safe handrail system, Mr Baldwin would not have suffered the injury he did. Ms Justice O’Hanlon also accepted the evidence from Mr Baldwin’s engineer that because of how the railings ended prematurely before the bottom step, there was a tendency for this to cause people towards the centre in descending the stairway. She said she was entitled to draw an adverse inference from the Museum’s failure to call evidence to assess the stairway or address the handrail issue.

Finding that it was reasonably foreseeable that a person could suffer such a fall, even though it was a rare occurrence, Ms Justice O’Hanlon said the accident was caused by the negligence of the Museum in failing to provide a safe system – in particular a railing for a person such as Mr Baldwin to hold onto the entire way down the staircase.

Ms Justice O’Hanlon awarded €65,000 in general damages, together with agreed special damages in the sum of €1,989.59, giving a total award of €66,989.59.

See Original Post

Reposted from Securitas Security Services, USA, Inc.

Extreme heat can be hazardous for those who work or spend extended time outdoors. While the heat itself can be threatening, the addition of what weather forecasters refer to as the “heat index” can exacerbate conditions. The heat index is the combination of high temperatures, humidity and direct sun exposure that contributes to heat stress. Those who work or play outside on a hot day should take basic precautions to protect themselves from the heat, sun exposure and other hazards.

Excessive Heat Events

U.S. summers commonly produce heat waves—several consecutive days of excessively high temperatures in a given geographic area of the country. Because of the health hazards posed by excessive heat, the National Weather Service (NWS) developed the following heat-related alerts:

An excessive HEAT WATCH is issued when a severe heat event is likely to occur in the next 24 to 72 hours. A watch provides sufficient notice to prepare for a potential extreme heat event.

An excessive HEAT WARNING or HEAT ADVISORY means an excessive heat event is in progress, imminent or expected. Either of these is issued within 12 hours of the onset of extremely dangerous heat conditions. A warning is used for conditions posing a threat to life or property. An advisory is issued for less serious conditions that cause significant discomfort or inconvenience, which, if caution is not taken, could pose a threat to life or property.

Stay Hydrated

 When working outdoors in elevated temperatures, experts recommend drinking about five to eight ounces of water every 15 to 20 minutes to stay sufficiently hydrated and maintain a safe core body temperature. Studies show that after only one hour in extreme heat conditions, a person’s alertness and endurance are compromised.

After two hours, the effects of heat stress—including cramps, fatigue, decreased strength and reduced coordination—may set in. Maintain proper hydration by drinking before, during and after exercise to replace body fluids. By the time you feel thirsty, you’re already dehydrated. Water is best for hydration, but sports drinks, which contain electrolytes lost in perspiration, are an alternative.

Cool water is absorbed more quickly by the body than warm or very cold fluids. Avoid coffee, tea and alcoholic beverages, all of which act to dehydrate the body.

Protection from the Sun

Sunlight contains ultraviolet (UV) radiation that causes premature aging of the skin, wrinkles and skin cancer. The amount of damage from UV exposure depends on the strength of the light, the length of exposure and whether the skin is protected. Protect yourself from the sun’s harmful rays by covering up. Wear a wide-brimmed hat and tightly-woven clothing—preferably a long-sleeved shirt and long pants. Gauge the protection offered by your clothing by trying to see your hand through the fabric. If you can, the garment offers minimal protection.

Eye protection is important too. Wear UV-absorbent shades. Some studies have shown a greater incidence of cataracts among those who do not wear sunglasses in bright sunlight.

Use sunscreen with a sun protection factor (SPF) of at least 30, and limit your exposure. UV rays are most intense between 10 a.m. and 4 p.m. and are present even on cloudy days.

A Useful App

OSHA and NIOSH have developed an app available through the App Store or on Google Play. The Heat Safety Tool can be used for planning outdoor work activities based on how hot it feels throughout the day. Learn more about the app at https://www.cdc.gov/niosh/topics/ heatstress/heatapp.html

Recognize and Respond

Heat-related illnesses can be very serious. Be familiar with the risks and signs. If someone becomes ill from the heat, move the person to a cooler area and call for help. Do not leave the person alone.

Headache, dizziness, or fainting; lethargy and clammy skin; irritability or confusion; and thirst, nausea or vomiting are all signs of heat exhaustion. Provide assistance to keep the situation from escalating.

Confusion, passing out and seizures as well as an inability to sweat may indicate that a person has heat stroke. This is a serious condition. SEEK HELP IMMEDIATELY.

If a person is not alert or seems confused, he or she might have heat stroke. CALL 911 IMMEDIATELY. Administer first aid and apply ice as soon as possible.

Additional Resources

Several resources are available to help you learn more about staying safe in hot weather.

• www.osha.gov which includes the OSHA Heat Stress Quick Card
• www.noaa.gov/weather
• www.cdc.gov which includes print-ready card about Protecting Yourself from Heat Stress
• www.medlineplus.gov

For more information on this and other security related topics, visit the Securitas Safety Awareness Knowledge Center at:

http://www.securitasinc.com/en/knowledge-center/security-and-safety-awareness-tips

Reposted from NorthJersey.com

The days of an open-door policy with employees and visitors allowed to move freely about work premises are over, security experts say.

Today, office buildings are equipped with technology and personnel to carefully monitor who goes in and out of a workplace and spend more effort than ever before screening potential employees and looking for warning signs in current ones.

“Two decades ago, roughly around the time we had our first major school shooting, I don’t think offices were doing anything at all,” said John Dony, director of the Campbell Institute at the nonprofit National Safety Council. “It was only in the past two or three years, when we’ve seen a much bigger spate of events at office workplaces as well as factory floors, has there been a turn in attention to that.”

Workplace shootings take at least 300 lives a year, according to a 2018 report by the Bureau of Labor Statistics. In 2016, nearly 400 people died from bullet wounds at work, an increase of 83 shootings since 2015.

So companies have focused much of their attention on tightening access through technology such as electronic badges and video surveillance, rather than bolstering security with gun-carrying guards, Dony said.

The most secure buildings prevent a familiar lunch vendor from entering a work area, said Robert McCrie, deputy chairman of the Department of Security, Fire and Emergency Management at the John Jay College of Criminal Justice. Some buildings have extended monitoring to the elevators, remotely controlling where a visitor can go.

McCrie envisions that technology advancing further. Casinos use video analytics to identify people who are banned from the premises, and retailers and offices eventually will too, he said.

For now, most offices use low-cost methods like discouraging employees from swiping in people without access badges, buying things that can be used as barricades in conference rooms and staging active-shooter drills to beef up security, Dony said.

The most effective tool against gun violence is recognizing signs that it might occur, McCrie said.

Research on mass workplace shootings — with three or more victims — has shown that shooters are often disgruntled employees who have been warned about their work performance or terminated from their job, have a poor relationship with co-workers, are prone to anger and have an affinity for guns, he said.

“People who have shot others are described as loners, individuals who could flare up over seemingly nothing,” McCrie said.

As the profile of a disgruntled, disengaged worker has become clearer, employers have adjusted their screening criteria accordingly, McCrie said. Social media has played an increasingly important role in weeding out problematic personalities.

“That’s the first line of defense,” he said. “Employers need to take time to make sure the individual they hire is a good fit in all ways.”

See Original Post

Reposted from Dark Reading

Getting your company smartphone or laptop stolen from your car isn't just a hassle; it can have large regulatory ramifications, too. Visibility is the answer.

From San Francisco to Denver to Washington, DC, a "smash-and-grab" car crime wave appears to be striking the nation. In the month of April alone, vehicle break-ins averaged 51 per day just in San Francisco, with mobile phones, laptops, and tablets on the list of most in-demand and easy-to-snatch items.

In light of this, it's important to look at the IT security risks businesses are exposed to as a result of such crimes. The reality is that while mobile devices may be sitting in a parked car, they're likely connected to a corporate network. Add to that the fact that half of IT professionals surveyed reported a data breach resulting from a lost laptop, and the global average cost of a breach is more than $3 million, and it's not a good mix.

Against this backdrop, there's an important facet to the smash-and-grab situation that must be addressed: breach notification laws. Many countries and states have laws requiring notification to authorities and affected parties in the event of a data breach. In California, for instance, the state's S.B. 1386 data breach notification law includes notification requirements for organizations in situations where data might have been exposed.

Now, there's a chance that you do have a "get out of jail free" card, so to speak, if you can demonstrate that the data was encrypted. Unfortunately, without proof of encryption, you have no card to use. This means that it's critical not only to have encryption on the device but to be able to demonstrate that it was switched on in order to mitigate direct losses and to prevent the embarrassment of having to make a public mea culpa for it.

When devices are "dark" or unmanageable and outside the control of IT, they pose a significant threat. When company employees cite "cars and transportation" as the No. 1 location where they've experienced IT theft, the security status of these devices can't be a question mark — especially not when sensitive, possibly regulated data subject to breach notification laws is involved.

To prevent both economic and reputational loss, you need visibility. (Note: Absolute is a vendor of visibility technology, along with a number of other companies.) In fact, you need two types of it: ongoing visibility, which allows you to see that security controls are switched on and take the proper steps to secure sensitive data; and post hoc visibility, which allows you to prove it after a theft like a smash-and-grab when S.B. 1386 comes knocking. Without a clear line-of-sight, though, there is no way to know all resources — data, devices, users, and apps — are secure.

Sadly, security investment strategy can easily miss the mark here when, as former 451 Research analyst Javvad Malik says: "An informal method that is often seen at companies that have lower security maturity is spending just the minimum amount required until the next breach or incident is reported. Conversely, other companies spend freely, though not necessarily wisely, until their budgets have been exhausted."

Case in point: When a security leader approaches the CFO with a request to spend money on device safeguards because the organization recently experienced a stolen laptop, she or he will probably get budget approval. Down the line, in the likely event that the stolen laptop scenario repeats itself, if that security leader can't show that encryption was switched on, then the organization missed half of the value of the amount it spent. The technology may or may not have protected the company's data, but it certainly didn't protect the security leader's backside because the company doesn't have the visibility to know one way or the other.

t's important to understand your environment, know what hardware you have, and then go beyond the devices themselves to include intelligence around the applications or software on them, looking at what applications are being used by an individual. All of this insight helps you assess risk. At the end of the day, it's about properly protecting your organization's data, deriving value from all of your security budget, and breathing a bit easier despite the frequency of device losses and theft.

See Original Post

Reposted from ArtNet News

Italy has stepped forward to help Brazil’s National Museum get back on its feet after a fire destroyed its building and millions of artifacts and specimens in its historic collection. Italian officials will send hundreds of ancient artifacts on long-term loan to Rio de Janeiro, as well as provide expert assistance to help restore salvaged objects.

Speaking in Rio de Janeiro on Wednesday, Italy’s undersecretary for cultural heritage, Lucia Borgonzoni, announced that it would make 2,000 loans available from the National Archaeological Museum of Naples, and the site of Herculaneum nearby, according to the Rio Times.

The offer of expertise and 20-year loans comes shortly after the director of Brazil’s National Museum, Alexander Kellner, traveled to Europe to gain support and raise funds to rebuild the museum after the fire last September devastated its the 200-year-old building. Around 90 percent of the collection is estimated to have been lost or damaged. The most priceless item in the collection, the remains of Lucia, the oldest human remains in the Americas, was luckily retrieved shortly after the fire. The National Museum was the largest natural history museum in South America, and one of oldest scientific institutions in Brazil.

The loans from Italy include ancient Roman marble statues and paintings on plaster. The first works are due to arrive in 2020. They will be exhibited at the Italian Cultural Institute and the Italian consulate in Rio until the national museum is rebuilt. “We can lend a hand in this recovery phase to save as many things as we can save,” Borgonzoni said, according to ANSA.

International help is sorely needed by the beleaguered, skeletal museum. In May, Kellner said the institution urgently needed $250,000 in order to “be able to breathe.” The German government gave money in the immediate aftermath last year, and pledged further assistance for the rebuild.

The Brazil-Italy partnership also seeks to re-establish an important part of the Brazilian collection that has a special link with Italy. The 19th-century Sicilian princess, Teresa Cristina, was the wife of Emperor Dom Pedro II of Brazil. She brought hundreds of items from the Herculaneum archaeological site with her when she moved to Brazil. The artifacts eventually became part of the permanent collection of the National Museum.

Elisabetta Canna, a conservator at the Herculaneum archaeological park, who is a world leader in restoration, was part of the Italian delegation in Brazil this week. She will take a leading role in the monumental task of restoring archaeological pieces salvaged from the fire and retrieving still-buried items, including, hopefully, those from Cristina’s trove.

“Each piece is like a patient, it is necessary to take into account a series of factors to define how to act. Even the water used to put out the fire is one more element that can cause damages,” Canna told the Brazilian news site Oglobo. “A tragedy like the one that struck the museum could be transformed into an opportunity to raise public awareness about the preservation of these collections,” she said.

See Original Post

Reposted from The Virginian-Pilot

More than 20 million Americans are laid off or fired from their jobs each year. Most go quietly and move on. Steven Leet was the exception.

Fired from his job stocking parts at a Morgan Hill, Calif., Ford dealership Tuesday afternoon, the 60-year-old San Jose man lingered for nearly two hours and then barged into an open office where his two supervisors were meeting. He shot them to death, then walked outside and fatally shot himself.

It’s still quite rare for employees to kill their co-workers on the job.

“But they do happen,” said Wayne Maxey, a retired cop and district attorney investigator who’s now an executive consultant in workplace violence prevention with Workplace Guardians of Temecula, California. “One of the big obstacles is that a lot of organizations just kind of assume it’s not going to happen here.”

Over a five-year period from 2011 to 2015, 312 employees were killed on the job by a co-worker, an average of about 62 a year, according to the Bureau of Labor Statistics. By comparison, robbers killed more than twice as many workers — 721 — over those years.

A 2014 FBI study on “active shooter” incidents in the workplace, schools and other public places from 2000 to 2013 indicated they alarmingly are on the rise. There was just one in 2000, the report said, but 30 in 2017, the most ever recorded by the FBI over a one-year period, according to a follow-up study.

That 2018 FBI study, however, said mass shooters typically telegraph their slide toward violence, offering hope that alert observers could intervene and head off tragedy.

“In the weeks and months before an attack, many active shooters engage in behaviors that may signal impending violence,” the report said. “While some of these behaviors are intentionally concealed, others are observable and — if recognized and reported — may lead to a disruption prior to an attack.”

Police have not revealed any warning signs about the Morgan Hill shooter.

The 2018 study examined 63 mass shooters and found few demographic trends other than that most were male. More than three out of four spent a week or more planning their attack, and more than half used legally acquired firearms. Only one in four had been diagnosed with a mental illness. In two-thirds of cases, at least one victim was targeted.

The shooters typically were experiencing multiple forms of stress, the report said, such as depression, financial strain, problems at work or school, marital strife and conflicts with friends and peers.

And they typically showed four or five observable and concerning behaviors before erupting in violence, the report said. Those most commonly included increased signs of depression, anxiety or paranoia; discord in relationships with family, friends, or colleagues; expressing intent to harm people; confused or irrational thinking; and a decline in work or school performance.

But the FBI report said that observers often are reluctant to act on their concerns “for fear of erroneously labeling a friend or family member as a potential killer.” And authorities “struggle to decide how best to assess and intervene, particularly if no crime has yet been committed.”

Morgan Hill police are still investigating Tuesday’s shooting that took the lives of Brian Light, the dealership’s service director, and Xavier Souto, the parts manager who was Leet’s supervisor.

Police said that after Leet was fired at 4:15 p.m., he spent about half an hour at his car in the parking lot, went back to the dealership parts department where he had worked and stood outside an open office where Light and Souto were meeting before entering just after 6 p.m. and opening fire. Surveillance video indicated they did not appear concerned about Leet lingering at the dealership after he was fired.

After searching Leet’s home, police found a dozen legally owned guns but no evidence he planned the bloody attack. And they had no answer to what prompted Leet’s firing, whether he knew it was coming, what he said to the employees he spoke with between being fired and shooting his boss, and whether anyone at the dealership knew of his affinity for firearms. Leet lived alone, and co-workers and neighbors described him as a quiet man who kept to himself.

Steve Fuentes, the owner of Sunnyvale Ford who was Light’s boss before he joined the Morgan Hill store about a year ago, said that most dealerships consider their employees like family, and if someone is fired, “it’s atypical to escort them off with security.”

But, after the shooting in Morgan Hill, Fuentes said he reached out to Sunnyvale authorities.

“There is an active shooter program they offer that we will get ourselves enrolled in,” Fuentes said, “and be as proactive as we can in case that kind of thing, God forbid, ever happens at our store.”

Consultants like Maxey who advise employers in avoiding and dealing with mass shootings say that while “active shooter” drills can help in a crisis, “there’s so much more to do before that.”

“In most cases, people don’t snap,” Maxey said. “There’s usually a progression.”

Security consultant Aric Mutchnick, president of Experior Group, said even large companies often lack clear protocols for handling employee terminations and keeping them from turning violent. He conducts role-playing exercises and points out areas where employers may inadvertently make things worse, like having security escort a fired worker to his desk with a box in front of co-workers.

“Is it the walk of shame?” Mutchnick said. “That’s not conducive to a pleasant experience.”

Even small details like the layout of the room where employees are given the bad news can amp up anxiety and tension — is it small and cramped, does the worker feel trapped? — Mutchnick said.

What happens before and after an employee gets fired are also important, Mutchnick said. Employers should clearly spell out grounds for termination and give workers opportunities to improve, he said, and they should follow up with fired workers in the weeks afterward to check on their well-being.

But co-workers need to have a means to confidentially report concerns about a colleague to company executives, experts said.

“In most of these cases, there is some behavior that occurs that can be detected,” Maxey said. “The big challenge is that in a lot of these cases people have seen these changes but they didn’t report it to the organization.”

See Original Post

Reposted from Ashtree Books

Theft of books has occurred for centuries, but cultural institutions don’t always want to talk about it. We speak with collection managers who protect some of our most valuable artifacts.

Although there are films and books dedicated to the theft of rare items from cultural institutions – think The Map Thief and American Animals – it’s not often that we hear about theft from our cultural institutions. Whether it’s at the National Library of Australia or Museums Victoria, a lot of quiet work is being done by keepers of our most precious books to ensure they are not taken.

‘There’s not a lot of writing and research around theft and I think that’s particularly because cultural institutions are pretty reluctant to talk about it,’ said Maryanne McCubbin, Head of Strategic Collection Management at Museums Victoria.  

‘They get very embarrassed when theft of their material occurs from time to time; they see it as a breach of their trust of the public to look after collection material.’

McCubbin oversees a range of services across all of the collections including conservation and storage databases and collections on exhibition.

‘My role is to try and prevent theft,’ she told ArtsHub. ‘In my view, you can’t really do that properly unless you know the typology of the theft that you’re dealing with.’ 

Through her position, McCubbin became interested in researching theft from collecting institutes, to gain a wider understanding about why they occur, a subject which forms the premise for her talk at Melbourne Rare Book Week.

‘I’ve really focused on looking at histories of theft from libraries, archives and museums up until the 1960s in Australia,’ she tells ArtsHub. ‘I focus, to date, particularly on theft in Australian museums, but I’ve also started to look at books and associated material from libraries in Australia.’

Alongside her historical research, McCubbin keeps an eye on current thefts as they occur from museums and libraries around Australia.

See Original Post

Reposted from CNN

By several accounts, security was present and conspicuous at the Garlic Festival in Gilroy, California, over the weekend.

The Gilroy Police Department had a "compound" on site, the police chief said. Patrons at the family-friendly food festival reported seeing officers on horses and motorcycles.

Yet, a 19-year-old, identified by police as Santino William Legan, was able to cut through a back fence and begin shooting people at random. The mayhem Sunday left three people dead and at least 12 injured.

It also put a spotlight on soft targets, places like festivals, schools and churches where people often think they can let their guard down and live freely and safely. Another shooting at a festival in New York Saturday that left one dead and 11 injured also emphasized the precariousness of such spaces.

Law enforcement experts say that despite heavier security at festivals, schools and churches, there's really little that can be done to prevent attacks from happening.

"No one would associate the Garlic Festival with an attractive target," said James Gagliano, a CNN law enforcement analyst and retired FBI supervisory agent.

Patrons offer different views of festival security

Police were present all three days of the festival, Gilroy Police Chief Scot Smithee told reporters Monday.

"We actually create a police compound where we have a command center, a booking area, you know, all the things you would need to run a major operation like this," Smithee said. "The officers are deployed throughout the park and they're assigned to different regions of the park so they're spread out, we don't have officers all in one spot."

Christian Swain, whose band TinMan was performing when the shooting broke out, told CNN "the event was well-covered with security and we'd seen them as we came in to set up and play."

Other patrons reported good levels of security with Gilroy police on horses and motorcyles.

But Sukhraj Beasla, who attended the festival with her family, said security was a little too relaxed.

"They were just kind of like checking the surface level of the bags. I noticed on the tables they had metal wand detectors not being used, there were no pat downs," she said. At one point, she said she and her family got lost and left the festival grounds, and got back in with ease.

"We were making jokes that you could've gotten off the street and walked in," Beasla said.

Experts say Garlic Festival wasn't a high risk event

Several experts said the Garlic Festival wasn't an event that would warrant high levels of security.

"Even if everyone would've gone through a checkpoint, it wouldn't have stopped this guy from doing what he did," Gagliano said.

The shooter was "committed to getting in," he said and found a way to avoid the security protocols. That does not mean the Gilroy Police Department was ill-prepared, he said.

"All security considerations are based on what your analysis is of the threat," Gagliano said. "This wasn't an event that was going to have high-level politicians or political overtones, this was a Garlic Festival. They probably looked at it and said ... the fence should be an enough of a deterrence." 

Three officers responded to the shooter within one minute, Smithee said.

Juliette Kayyem, a CNN national security analyst, said the challenge with events like the Gilroy festival and other soft targets -- areas like schools or churches -- is improving security.

"We get better about securing them because everything we're hearing is that entry was secure, that there was a strong presence, an assailant like this will find another way in," she said.

Philip Mudd, a CNN counter terrorism analyst and former CIA counterterrorism official, said protecting soft targets isn't "doable in a perfect way."

"There is no way across America in 50 states, that if you want perfect security, to keep somebody from cutting a fence that you can have it," he said.

Is it possible to prevent soft target shootings?

Still, enhancing security in parks, restaurants, shopping centers and special event venues, among other public locations is "essential to preserving our way of life and sustaining the engine of our economy," the US Department of Homeland Security said in the "Security of Soft Targets and Crowded Places Resource Guide" published in April.

The guide provides resources including links to training for citizens and businesses. It also calls on everyone -- business owners, first responders, government agencies and the general public -- to do what they can to protect their communities.

Gagliano says Homeland Security and the FBI both teach people four steps in dealing with an active shooter: run, hide, fight and tell.

These steps, Gagliano said, include finding a way to evacuate a dangerous situation, finding some form of shelter (a locked door or behind a tree), confronting a suspect if there is no other option and calling law enforcement as soon as possible.

He also said people generally need to be aware of their surroundings, something law enforcement officials call "relaxed alertness." This includes knowing exit areas and not being glued to a cell phone.

The Garlic Festival organizers are sure to make drastic changes next year, Gagliano said, but putting every officer in Gilroy isn't the answer.

"These are the times we're existing in right now," he said. "Somebody was able to cut a fence and come in."

See Original Post