Reposted from IFSEC Global

Marking the one-year anniversary of a fire that destroyed the UK’s oldest hotel – the Royal Clarence Hotel – the FRS is emphasizing the importance of conducting regular fire-risk assessments.

(In the wake of the Royal Clarence Hotel blaze, fire safety consultant Alan Cox posed a series of questions that need answering if lessons are to be learned.)

Built with long-abandoned methods and materials, heritage architecture poses unique challenges and risks in the built landscape when it comes to fire engineering.

Things become more complicated still as structures are reinforced and adapted for modern use over time.

Priceless architecture

And the cost of damage caused by fires extends beyond financial costs to the loss of priceless architecture and artefacts of enormous cultural import.

“Older buildings have unique features such as hidden voids and cavities supported by dry timber construction,” said Paul Bray, community safety protection manager at Devon & Somerset FRS. “Fire can easily travel undetected within these voids.

“The challenges of fighting a fire in a terrace of ‘heritage’ or buildings of substantial age are substantial. The fact that the fire is hidden also makes it almost impossible to tackle internally and externally without a major dismantling of the building fabric.

“Heritage is all that has been passed to us by previous generations. The term has become synonymous with the places, objects, knowledge and skills we inherit that are valued for reasons beyond their mere utility.” Historic England

While responsible persons are limited in what they can do to protect buildings that were built with little consideration for fire safety, there are still measures they can take to reduce the risk and impact of fire, suggests Bray.

“Even with the most attentive fire prevention and protection measures (such as fire alarms and fire separation), it cannot always be guaranteed that a fire will be contained and prevented from causing destruction. It can be significantly reduced through by the development of a comprehensive pre-survey of the impact on surrounding buildings during the construction phase.

“We therefore advise that a full set of records, drawings, photos and other information is stored and is made available to us for use in any heritage building in the event of a fire. This would contribute to forming the basis of how the service will deal with each building in the event of a fire.”

Devon & Somerset FRS notes that there is no standardized format for recording or presenting the findings of a fire risk assessment. However, those responsible for protecting heritage buildings should always produce and regularly review clear and comprehensive documentation. Once the risks are identified and assessed, they can then set out to reduce them.

Fire risks in heritage buildings

Devon & Somerset FRS has set out the following risks to consider relating to heritage buildings:

• Sources of ignition and fuel
• Potential for fire to spread through the building
• Adequacy of the fire alarm system
• Means of access and escape
• In rural areas: Water supplies and access for fire appliances
• Any valuable contents you wish to prioritise

Sometimes seen as disruptive to the building’s original fabric, protective measures taken are not always welcomed in the heritage sector, admits Devon & Somerset FRS. Physical installation of systems can also be seen as challenging.

However, you can take suitable protective measures that are sympathetic to the building’s historic fabric of the building.

The fire safety management plan should incorporate a business continuity plan, Devon & Somerset FRS advises. Should a fire occur, restoration work can then proceed promptly.

Being prepared for the worst-case scenario will vastly improve your chances of recovering quicker recovery rate.

Devon & Somerset FRS offers further guidance on heritage buildings here. 

See Original Post

Reposted from NSCC November 15, 2017 e-newsletter

The October 15, 2017 Collections Caretaker Newsletter had an item titled Museum Boards -- Leadership Wish List. It echoed many of the issues explored in my PhD research on museum leadership (1994-98) published as Leading With Passion: Change Management in the 21st Century Museum(2004 - Alta Mira Press).

Chapter 5 in Leading With Passion focuses specifically on trust and the director-trustee leadership interface. It's a fraught interface. Two levels cooperating, colliding, and colluding. It's important to nurture relationships of trust. Accept there will always be conflict, especially during periods of change. There will also be predictable role confusion - who does what, when, and where. Effective conflict resolution skills and practicing principles of restorative justice can help repair damaged relationships. Clarify governance. What does this actually mean? What does it look like when it is working well? Sort out who does what re: policy development, financial planning, and legal responsibility so there are no surprises described in the press.

Finally, get a handle on succession planning for both levels of leadership-- museum directors and trustees. I had a meeting in September 2017 with a mentor from the Emerging Leaders Program funded by the Australia Council for the Arts. The mentor shared issues from the 2017 program compared to issues identified in my research for Leading with Passion (1998 - 2002). There is still a shallow pool of potential leaders for both museum director and trustee roles. Twenty years ago, I offered advice that every director and trustee needs to mentor at least six (6) people to 'take their place' over the next ten years. Whether these people applied for and landed the jobs was not the point. This is what the Australia Council for the Arts has to say about their program: [1]

Over the years Australia Council programs such as the Emerging Leaders Development Program (ELDP) have made a positive impact on the sector and individual careers. As with many capacity building investments, the full extent of the impact of these programs will be realized over the long term. The Australia Council is now working in a different funding environment and has reinforced commitment to supporting the sustainability and capacity of the sector. To ensure our investment is focused, a new strategic approach has been adopted to deliver leadership development. In 2015, the Australia Council completed detailed needs analysis by consulting with various arts leaders including alumni from existing programs. These arts leaders identified the need for a bespoke program to develop their leadership capabilities. We are continuing from an existing base of capacity building programs and will draw on the expertise as well as address the needs of past alumni in future program developments. Participants of the program will have access to a wide variety of internal subject experts with deep sector knowledge and expertise.

Twenty years ago, we needed to create a pool of potential leaders for director and trustee roles. It is a perennial challenge!

Born in the USA and resident in Australia, Dr. Sherene Suchy is a member of the Australian Association of Social Work and the International Council of Museums. She completed her PhD on the museum director's leadership role and change management. Publications include books such as Leading With Passion (2004) andKeepsake: Memoir on the Museum of You & Estate Planning (2016) as contributions to museum management. 

Reposted from WBFO.org

Authorities say Daniel Witek, 54, was a volunteer at the museum in the spring of 2013, when he stole historical writings addressed to Anson Conger Goodyear. Witek then offered to sell the stolen documents to autograph dealers in New York City and New Jersey.

Born in Buffalo, Goodyear was a businessman, military officer, postwar European relief executive and humanitarian, author, founder of the Museum of Modern Art and collector of modern paintings, rare books and historical manuscripts. The Goodyear family in America is traced back to Stephen Goodyear, a founder of New Haven, CT and deputy governor of Connecticut from 1643 to 1658.

His historical documents include family correspondence, diary and scrapbooks, speeches and writings, business papers and military-related correspondence.

Witek was convicted of mail fraud, sentenced to six months time served and ordered to pay $2,100 in restitution.

See Original Post

Reposted from UNESCO.org

Recognizing the importance of protecting cultural heritage from attack in times of conflict, Irina Bokova, Director-General of UNESCO, and Fatou Bensouda, Prosecutor of the International Criminal Court (ICC), today signed a Letter of Intent formalizing and further enhancing their collaboration.

The signing of the Letter of Intent took place in the margins of an international high-level panel on “Responding to Cultural Cleansing, Preventing Violent Extremism” at UNESCO Headquarters, in which both Ms Bokova and Prosecutor Bensouda participated.

“The deliberate destruction of cultural heritage not only affects peoples’ historical identity but fuels sectarian violence and hampers post-conflict recovery and peacebuilding. UNESCO and the ICC must strengthen their cooperation for the protection of cultural property in armed conflicts, as this is a humanitarian and security imperative”, said Ms Bokova.

Praising UNESCO for its crucial work, Prosecutor Bensouda emphasized that more can be done, adding that “an effective strategy to address the destruction of cultural heritage requires a multi-faceted and collaborative approach.  UNESCO is a natural partner for my Office and, the ICC more broadly, in confronting the scourge of attacks against cultural heritage within the Rome Statute framework. This Letter of Intent is a recognition of that important relationship and paves the way for continued cooperation.” She added: “cultural heritage is the embodiment of the continuity of the human story, a celebration of our commonality and the richness of our diversity.  We all have a duty to protect cultural heritage. With close collaboration with UNESCO, we hope to make a difference.”

The recent historic ruling of the ICC in the case of the destruction of shrines and mausoleums in Timbuktu (Mali), the first of its kind before the Court, sent a clear signal that intentional targeting of cultural heritage is a serious crime that causes significant suffering to those immediately affected and beyond, and should not go unpunished. The Court subsequently issued a Reparation Order, establishing that the victims of such crimes were entitled to compensation.

The importance of prosecuting those responsible for war crimes against cultural heritage was echoed in the ground-breaking UN Security Council Resolution 2347, adopted in March 2017, the first ever to condemn the unlawful destruction of cultural heritage.  These unprecedented developments have led over the past years to frequent exchanges and collaboration between UNESCO and the ICC Office of the Prosecutor, based on the convergence of aims within their respective independent mandates.

As attacks against culture have regrettably become more frequent, the need for a stronger and more articulated framework of cooperation has become apparent. In addition to expertise UNESCO has provided in the context of the Al Mahdi case, cooperation has also been at the non-operational level, for example through participation in the ICC Office of the Prosecutor’s new policy initiative on cultural heritage, which is scheduled for finalization and adoption in 2018.  The Letter of Intent signed today builds on these efforts, further solidifying the existing relationship, with a view to establishing a comprehensive cooperation agreement in the near future.

 See Original Post

Reposted from The Local

A former employee of a Stockholm museum has been charged with theft after he admitted stealing the museum's exhibits.

The man, who worked at the Royal Coin Cabinet in the capital's old town, said he stole coins from the museum's vault and smuggled them out in his pockets before selling them to a coin dealer. 

He has been charged with stealing objects from both the Royal Coin Cabinet and Gothenburg City Museum, receiving a total of 1.2 million kronor in payment. At the trial, which began on Monday, he admitted stealing 42 items and said the money had gone on holidays and clothes as well as other items.

“I stole things that I thought were good. Valuable, sought after. Sometimes I took several things at the same time,” the museum employee said in the trial, according to SVT.

The coin dealer who bought the items is also suspected of receiving stolen goods.

See Original Post

The security insight you need…right at your fingertips! Here is your monthly recap of Allied Universal blog posts. Don’t wait for this email. Receive your industry updates as soon as they are available! Subscribe here.

Staying Prepared All Year Long 

By Katy Samaha

The theme for the 2017 National Preparedness Month, observed in September, was “Disasters Don’t Plan Ahead. You Can.” Though the official observance has passed, it shouldn’t deter businesses from adopting plans to be prepared all year long. Whether natural or man-made, emergencies can wreak havoc and result in loss of lives and property. However, not all emergencies become disasters—the difference is in how effectively people respond. For security professionals, emergency preparedness training is critical for high profile events and localized situations including civil disturbances, medical emergencies, hazardous material release and power failures.

Extending Your Options and Quality of Work through Collaboration 

By Jonathan Kassa

Safety and security on a college or university campus is critical. The right blend of resources can create a dynamic security program that helps campus community members feel safer, deter crime, improve safety awareness and control costs. The Clery Center video, Part of the Fabric, describes the role of campus security professionals as integral stakeholders in a comprehensive campus community-based public safety model. It’s one of a suite of free 5-10 minute videos with accompanying companion guides that assist institutions of higher education to deliver consistent, pertinent training for their public safety and security professionals.

Featured Blog Topics ...

Managing Tabletop Exercises for Improved Preparedness 

By Paul Caruso 
You have real opportunities to improve your organization’s readiness to manage a crisis. Developing emergency preparedness plans is critical, but a challenge arises when the planning efforts end with the plan creation. While it is better to have a plan than to be completely unprepared, a constant state of readiness is only possible if the plan is challenged and practiced. Tabletop drills are an excellent way to practice, evaluate – and ultimately, improve – an emergency preparedness plan.

Risk and Resilience in the Security Sector 

By Ty Richmond 
What’s the worst that can happen if your company has no enterprise security risk management plan? Organizations are exposed to a wide range of evolving threats that can create a multitude of security risks. A company without a comprehensive risk management plan could face serious repercussions ranging from a supply chain breakdown of a product line, reputational damage, revenue loss, market credibility and shareholder devaluation. The protection of the enterprise is vital to the viability and survivability of your company. 

William J. Powers, III, CPP, CIPM II, CIPI
IFCPP Advisory Board Member & Sergeant at Arms

​​​​​William J. Powers, III, CPP is director of facilities at the Clark Art Institute in Williamstown, Massachusetts. The Clark’s 140-acre campus includes five buildings that house museum galleries, an art history library, an auditorium, research facilities, a sophisticated physical plant, and offices. The campus also has an expansive landscape, including a reflecting pool, woodland meadows, and walking trails. The Clark’s permanent collection includes American and European art amassed during the first half of the 20th century by Francine and Sterling Clark.

To secure this eclectic campus, Powers oversees 12 full-tim​​e employees and a 60-person contract security staff. In his 22 years at the Clark, Powers has seen much growth in the institute’s programs and facilities, including a recent $170 million expansion and renovation. “I worked very closely with the security consultant on product selection,” says Powers. “I am proud to say that the installation and implementation of the choices were seamless.” The result, he adds, is a system that is a model for other institutions.

Powers’ biggest challenge is responding to HVAC alarms. “The museum requires very stable climate control 365 days a year,” he says. “I have found that if you follow acknowledged best practices you can have peace of mind.” He credits his affiliation with ASIS International for giving him access to the latest best practices, as well as subject matter experts.

Two achievements helped Powers reach his current status. The first was completing his master’s degree. At the time, Powers was supporting two children in college, and attaining that degree seemed impossible. But he applied for and was selected as a recipient of an ASIS/University of Phoenix scholarship. The second was when Powers received his Certified Protection Professional© (CPP) certification. “These two events really lifted my confidence and proved that I was a true professional,” he says.

Powers was an ASIS volunteer leader for many years before pursuing the CPP, and knew peers who had their CPPs. As past chair of the ASIS Cultural Properties Council and current member of the Awards Committee, “I wanted to be recognized that I am in those positions for a reason.” Studying for the CPP also pushed Powers to review guidelines and best practices that he otherwise might have overlooked. In his position, he must understand all facets of security—physical, electronic, and cyber. By earning his CPP, he says, “I confirmed my competence in all aspects of security management,” he adds.

Powers never expected to be in his current position. A trained auto mechanic, his first job was in the facilities department of a museum. He eventually became director of facilities at that institution, which included oversight of security.

Today, Powers mentors young professionals coming into the field, reminding them that private security can provide a career path that is personally and financially rewarding if they work towards professional certifications. To that end, Powers advises taking a CPP review course and investing time in studying for the test. The payoff, for Powers, is obvious: “I am now a more effective, well-rounded security professional.”

Reposted from ASIS 

See Original Post

Reposted from Slate.com

Climate-resilient design is on the rise. Museums, seeking to protect their priceless art, are on this cutting edge.

When Superstorm Sandy ripped through New York City in October 2012, it did not discriminate. At the construction site of the new Whitney Museum of American Art, chief operating officer John Stanley recalls “mechanical equipment bobbing like corks” in the floodwaters. And at the Rubin Museum of Art, a few blocks uptown, and upland, the museum lost power—a necessity for preserving the artifacts from environmental damage—and the backup generators weren’t enough to keep the facility running. “We thought if we do lose power, in the history of New York City, it would be for a day or two,” executive director Patrick Sears says. “No one really anticipated we could go without power for a week.”

But as once-rare storms like these become more common and more consequential (Sandy caused an estimated $70 billion in damage, behind only Hurricane Katrina), coastal communities are reorienting to a world where they might be underwater at a moment’s notice. And museums are leading the charge when it comes to bolstering up in the face of extreme weather—after all, financially speaking, they might have the most to lose. Along the Eastern Seaboard, from Miami to Manhattan, curators are going to extremes to safeguard their art. And in doing so, they’re testing out ideas and processes that might later be adopted by everyone else who lives on the coast.

Looking back, Stanley says the timing of Superstorm Sandy was actually fortuitous for his museum, the Whitney. Because it was early enough in construction, the team was able to revise its plans with water in mind. “We searched the world for flood experts and engineers,” he says. With the help of WTM Engineers in Hamburg, Germany, the Whitney design team re-evaluated the entire site and, as the Atlantic reported in 2015, built one of the most flood-resilient structures in town.

All along the Eastern Seaboard, from Miami to Manhattan, curators are going to extremes to safeguard their art.

As a result of lessons learned in Sandy, the museum is waterproof up to 16½ feet thanks to its raised elevation and carefully selected materials. It’s also got walls galore: A 500-foot-long mobile wall can be constructed in less than seven hours to protect the museum from a storm surge’s impact, and a 14-by-27-foot flood door can withstand the force of a semitruck floating (or flung) across the West Side Highway. Stanley says it cost just $10 million more to disaster-proof what was, in total, a $220 million project. And though the safeguards haven’t been tested the hard way, he’s confident they’ll rise to the occasion if—or rather, when—another disaster unfolds.

Some museums farther south on the Atlantic seaboard have already lived to see their hurricane-resistant designs tested by storms. Employees at the Salvador Dalí Museum in St. Petersburg, Florida, recently weathered Hurricane Irma with little damage. Back in July, a videographer for the Washington Post filmed inside the “surreal shelter from the storm.” To protect the precious collection, the Dalí relies on 18-inch-thick walls, which are built to withstand the winds of a Category 5 storm, and fortified glass, which can hold up under the pressure of Category 3 winds. As with so many other museums, the Dalí’s decision to gird its infrastructure seems financially sound: If its walls were breached, the largest collection of Salvador Dalí paintings in the world, priceless and carefully preserved over the past century, could be lost in an instant.

The architectural features that make the Whitney, Dalí, and similar spaces so safe have recently begun to proliferate far and wide, thanks in part to consumer demand and new municipal standards. Perhaps the purest emblem of this surge-priced survival model is the new residential American Copper Buildings. Like the Whitney, these structures sit in Evacuation Zone 1, but on Manhattan’s eastern shore. While it seems damage from another hurricane is all but guaranteed, the waiting list for a unit in one of the American Copper towers is long.

That’s due primarily to the fact that the $650 million buildings, which were started before Sandy hit, reportedly go beyond even the city’s newest resilient design codes—and look great doing it. Connected by a three-story skybridge, the two towers have an elevated lobby that makes them virtually waterproof. The building is also served by rooftop backup generators that promise enough energy to run the elevators plus one fridge and one electrical outlet in each apartment indefinitely. In January, the New York Times wrote this glowing report:

There is a breathtaking view of the mid-Manhattan skyline, pierced by the Empire State Building, from the 48th floor of the taller of two new copper-clad apartment towers along the East River, just south of the United Nations.

No plutocrat will enjoy it, however. This impressive penthouse aerie is hogged by five emergency generators. The window is already blocked by a bank of electrical switchgear. For the developers, giving up premium space to machinery is insurance against an ominous future: They want tenants in the towers’ 760 apartments to be able to live in their apartments for at least a week, no matter how high floodwaters may reach nor how long the power is out.

Sure, in the face of an impending storm, residents will still have to get the hell out just like any other New Yorker adhering to evacuation mandates. But American Copper promises them a return to a clean, safe, and electrified home.

Only 39 percent of Americans have a disaster preparedness plan.

Though JDS Development Group, which owns American Copper Buildings, may have been leading the charge on resilient design, the rest of New York City’s new construction is quickly catching up. After Sandy, the Mayor’s Office of Recovery and Resiliency set about studying the metro area’s weather and climate vulnerabilities and crafting solutions. Recently, the city began implementing new building codes, and all new construction is now held to these updated resiliency standards. “We’re not just doing one-off resilience projects. We’re baking resilience into the entire capital program,” the city’s chief resilience officer Daniel Zarrilli says.

Even with the support of the city, resilient design can be hard to scale. Retrofitting old buildings is harder than raising more capital to bolster new designs, according to many architects. Raising an existing single-family home on stilts, as many thousands of East Coasters have done since Sandy, can cost more than $100,000—on a house that’s maybe only worth $400,000. That means that while the Whitney’s resilience costs were less than one-twentieth of the new project cost, the owner of an existing home is looking at resilience costs as high as one-fourth of their total property value. While some local and federal support has been made available to storm victims, the costs of these programs have quickly ballooned—even after many withdrew their applications due to overwhelming bureaucracy and out-of-date flood maps.

It’s clear that equitable resilience will take not just effort and money, but time. “There will just be a slow changeover of the entire housing stock in New York City that slowly meets these codes,” Simon Koster of JDS Development Group says. Given that 66 percent of New York City’s buildings were built before 1960 and aren’t likely to change over in the near future, this doesn’t seem particularly hopeful.

But other less intensive measures are being taken to ensure New Yorkers weather the next storm—and museums can serve as a model here, too. The Rubin, which showcases art from the Himalayan region, didn’t have the budget to undertake big post-Sandy capital improvement projects. While the board paid for a few big-ticket items like a stronger, waterproof roof, it’s poured most of its efforts into better training and communication. “We’re thinking about manual ways, simple ways, things you can buy on Amazon,” Sears says. One of his favorite investments is a windup cellphone charger that doesn’t require an electricity source.

Unlike 18-inch concrete walls, disaster plans like these can be constructed by anyone. But a 2015 Federal Emergency Management Agency survey showed only 39 percent of Americans have their own plan in place. The Rubin, which has a disaster plan 153 pages long, believes this has to change. Other museum strategists agree: “You can call it paranoia, or you can call it strategy,” says Kathy Greif of the Dalí Museum. “I prefer to call it strategy.”

If museums are so prepared, could they help the rest of us—literally? Not really. Unsurprisingly, you won’t be weathering the next hurricane from inside the Met. Though all of the museum leaders I spoke with agree that human lives matter more than paintings, serving as a shelter still seemed to compromise their central mission, which is protecting their collections. Even if it could theoretically provide reprieve, the Whitney sits on the leading edge of Evacuation Zone 1, which means people should be headed out of the neighborhood, not into even the most disaster-proof buildings. The Rubin, meanwhile, wouldn’t physically have the space to serve as a shelter during a flood, as art typically hung in lower-level galleries would be moved into many of the hallways and upper galleries. In the end, its strategies like these that will save the precious artwork. But it’s clear they’ll limit room for, well, people.

See Original Post

Reposted from ASISOnline

Active shooter simulation exercises are undoubtedly the most effective way to prepare for a real-life scenario. These scenarios mimic the stress and chaos of an actual event and reinforce the principles of survival taught in active shooter training programs. 

But in recent years, some companies have taken that idea to the extreme, conducting surprise active shooter drills on unsuspecting employees, students, and teachers. 

Michelle Meeker, an employee at a Colorado nursing home, filed a federal lawsuit against a local law enforcement officer and her workplace in July 2014 for being taken hostage during one such drill. Meeker had no idea it was a simulation, according to The Wall Street Journal, and tearfully begged for her life as the “gunman” forced her into an empty room. She sued for damages after being so traumatized from the event that she quit her job. 

Similarly, an Oregon teacher filed suit against her workplace after a man dressed in a black hoodie and goggles burst into her classroom and brandished a gun loaded with blanks, then pulled the trigger. “You’re dead,” the gunman said to her, and walked away. The teacher believed she might have really been shot and was going to die, OregonLive.com reported in April 2015. 

At a middle school in Winter Haven, Florida, teachers and students alike were terrified when two armed police officers swept through classrooms with weapons drawn in November 2014. Parents were outraged, the principal was suspended, and the school resource officer reassigned in the aftermath, according to The Washington Post. 

And these aren’t just recent phenomena. Security Management has reported on these types of incidents for at least 20 years.

Such training methods cause unnecessary panic and trauma. While the simulations themselves are a critical part of any effective active shooter training program, these kneejerk reactions to the proliferation of mass shootings accomplish nothing, as the focus in the aftermath is on people’s confusion and anger. Rather, the most effective way to prepare for a potential active shooter event is to combine announced simulated exercises with training materials that constantly reinforce the principles of the program. 

The chief goals of these programs are to eliminate the threat and to teach victims to survive. However, as an attack is taking place, no training will completely ensure the safety of those involved or guarantee that the shooter will be taken down. 

The human factor is unpredictable—but with proper training and repetition, an effective response will become ingrained in the actions of employees. Certain movements will become a part of one’s muscle memory, thus aiding the individual during an actual shooter event. The benefits of such programs can aid participants in a number of real-life emergencies, not just active shooter situations. 

Program components. An active shooter scenario will put any crisis plan to the test, and its success or failure rests in how well and how often people are trained to respond to an incident. Conducting a simulated exercise that mimics an active shooter event is the best way to acclimate employees to the factors involved in these crises. 

Hiring specialized companies that facilitate training and simulation can help organizations close  the gaps that they may not have otherwise noticed. These firms bring with them both expertise and experience that businesses lack.  

To develop effective response tactics, security personnel should understand what environmental and human factors typically occur during a shooting, which they can then simulate in training exercises. Loud noises—including gunshots, screams, breaking glass, alarms, and public address announcements—are to be expected. Consulting companies can provide such noises over speakers during the simulations to heighten the stress and reality of the scenario. The physical environment will be in disarray as high concentrations of people flock to exits or seek cover. There is also the possibility of visual trauma, including seeing the shooter as well as wounded or deceased victims.

The duration of the event should be considered when conducting training. While the length of the active shooter event may last anywhere from minutes to hours, police response and investigation may require witnesses and victims to be involved for up to several hours. 

Psychological stress is also inevita­ble. Each person will process the shooting in different ways, and the nervous system response will kick in and possibly override any training received. Similarly, physical stresses may be imposed upon the body, including having to run, navigate stairs, lift or push heavy items, or possibly carry a wounded victim to safety. 

To ilustrate this, active shooter training programs in corporate, educational, and religious settings often include a 150-pound dummy that trainees practice dragging to experience the unaccustomed physical exertion. 

Given the various scenarios that have occurred in real-life active shooter situations, simulations should vary so that participants can’t anticipate the gunman’s actions. Having him enter from different points and take various routes through the facility will keep the trainings fresh. 

The drills can be conducted as often as quarterly or as infrequently as once a year, depending on the size and capabilities of the company. Fire, police, and EMS personnel should be involved in at least one training per year. Tabletop exercises among key staff are also a good option to refresh critical decision making skills. 

These simulations should be supplemented with training materials that reinforce the principles practiced during simulation. Reminders about the importance of awareness and preparedness can be placed in company newsletters or on websites. Classroom trainings to introduce basic concepts that will be practiced during the programs are encouraged, but they need not be repeated as often as the training scenarios. 

The same training and preparedness principles deployed by these programs apply to other emergencies, like severe weather or medical events. During an earthquake, for example, similar physical stressors and environmental conditions are present, and there can be panic, confusion, and communication issues. Active shooter programs will apply and reinforce responses to a range of possible scenarios. 

A community center in the California Bay Area recently set up an effective active shooter program. The center’s campus includes about five buildings and a school. The center formed a crisis response team from its core employees, and everyone on the team has a distinct role in the event of an active shooter or any emergency, including a severe weather event or medical crisis. The team rotates every few months so each person receives training for every role. 

As part of the active shooter training, the center purchased communication equipment, including radios, to deploy in case cellular towers go down. The company also established a command post during simulation trainings where team members could wait for police response. Redundancy is built into the roles so that if one person falls victim to the active shooter or emergency event, someone can step in and fulfill that person’s response protocols.  

Popular protocols. One popular active shooter response protocol is the U.S. Homeland Security Department’s “Run, Hide, Fight” program. It was designed as a simple means for people to recall what to do during an event in just three verbs, but this approach may oversimplify the human response mechanism.

Running at the first sign of gunfire may not always be the best option depending on where the shooter is, how far one has to go to reach safety, and whether there are small children in tow, for example. To hide or shelter in place can be a lifesaving response, provided that the room can be locked and barri­caded with heavy furniture to offer cover from potential gunfire. 

Hiding below a desk or on the floor does not guarantee cover if the shooter breaches the door. Hiding adjacent to a door, not in front of it, is recommended. This way, if a responder needs to engage the shooter in a fight by positioning himself or herself near the door, the shooter can be taken by surprise. If the door isn’t locked or barricaded well and the shooter comes in, a responder may have to improvise and find something to throw at the shooter.

It’s possible that there isn’t sufficient cover in a room. Such was the case in the mass shooting at a health department in San Bernardino, California, in December 2015 that left 14 people dead. Survivors reported that they deployed the skills they had learned earlier in an active shooter training course by hiding behind tables and chairs, but the large room was mostly open space without much cover. In these scenarios, attempting to stay outside of the line of sight, in the peripheral vision of the shooter, is the best cover. 

To fight back against the shooter, responders must be able to identify and take advantage of improvised weapons in their environment and use them as the shooter enters the room. If not practiced previously in a live realistic setting, the fight phase can end horribly for the responder. Expecting someone to fight back against an armed assailant if they have never practiced that before is unreasonable. 

Due to these concerns, as well as the unpredictable nature of active shooter events, organizations implementing “Run, Hide, Fight” should carefully consider supplementing it with extensive training tactics in their active shooter programs. 

Program costs. Several firms offer active shooter response programs and training for organizations. The cost of active shooter programs will vary based on factors such as the number of parti­cipants, number of buildings on the campus, and number of drills coordinated with first responders. 

A flat fee of $5,000 for a small organization may cover a day’s training plus educational materials, such as posters, booklets, online tools, and assessments. Offering ongoing training as part of an onboarding hiring process will incur recurring fees but will help the organization be better prepared.

Some programs offer to certify people as active shooter response instructors for $500 and more. There are other providers that offer armed response training for the cost of $1,500 per person. 

The steps outlined in this article will help an organization set the groundwork for establishing an effective active shooter response program. Companies should tailor the program to their individual needs and ensure that all employees are trained on proper protocols. 

If a thorough risk assessment is completed, incident response plans are put in place, and trainings and simulations are carried out on a regular basis, the organization’s efforts may ultimately save lives. 

See Original Post

Reposted from SCMagazine.com

The threat is huge. The response? Not so much. Or at least the response isn't on par with the threat when it comes to ransomware.

Even as ransomware continues to threaten industries, costing organizations an estimated $1 billion in 2016 and predicted to be even more expensive this year following WannaCry, Petya and other high profile outbreaks, many organizations skip out on some obvious steps that could help them prevent future infections, such as properly training employees on online safety, actively monitoring their networks, ensuring systems are patched, and properly backing up important files to name a few precautions, do.

Until IT departments start taking these threats seriously and taking a more proactive approach, organizations will continues being hit with otherwise preventable attacks. Known vulnerabilities with available patches are providing gateways for criminals to infect entire networks such as with WannaCry and it's crucial that organization ensure they're systems are up to date to prevent repeats.

WannaCrypt ransomware was distributed through the EternalBlue Windows SMB vulnerability, a flaw that was patched in March 2017 but was heavily exploited in the May 2017 WannaCry attacks and June 2017 NotPetya attacks. The attacks didn't have to be as damaging as they were.

SiteLock Web Researcher Michael Veenstra told SC Media that beyond the ever-present need for strong data loss contingencies, the most important thing an administrator can do is maintain effective security policies across the board that ensure systems are maintained and patched in a timely fashion.

“The EternalBlue vulnerability was patched on all supported Microsoft operating systems two months prior to the WannaCry outbreak, and one month before the existence of the vulnerability was publicized by a leak from the Shadow Brokers,” Veenstra says. “Organizations affected by this attack would have been saved countless dollars – between paid ransoms, incident response, and immaterial costs like the loss of customer trust – if the servers on their network were kept up-to-date.”

Ignorance of how ransomware attacks work also contributes to the spread of ransomware infections. Employees often aren't aware of best practices to prevent attacks. Human errors can prove just as dangerous, if not more so, as unpatched systems, meaning that organizations should work to better educate employees on how to spot phishing attacks and admins should enable backups and contingency plans in the event of mistakes, researchers say.

“According to Verizon's DBIR Report, the use of social actions, like personalized phishing emails, increased from 8 percent to 21 percent of malware incidents in 2016,” Cyberbit Chief Technology Officer Oren Aspir tells SC Media. ”By training employees to avoid phishing emails the majority of ransomware will be avoided.”

There's an added bonus for putting effort into training. Preventing phishing attacks can also curb other cyberattacks as well, Shalabh Mohan, vice president, products and marketing, at Area 1 Security

“Phishing is the root cause for a majority of all cybersecurity incidents; and that includes ransomware breaches,” Mohan says. “In order to truly protect against ransomware, organizations should look towards stopping phishing attacks comprehensively for their end users, irrespective of what attack vector it may be coming from.”

STEALTHbits Technologies Chief Technology Officer Jonathan Sander told SC Media the while there are very good platforms that can ramp up user awareness of these threats, the real trick is to find ways to keep the damage to a minimum in the case where ransomware does get in.

Experts agree, Dean Ferrando, SE Manager – (EMEA) at Tripwire told SC Media “organizations should continually test their backups and implement a streamlined restoring process to reduce the impact an attack will have on trade” in case an infection slips through.

One of the biggest ways to reduce the damage of a ransomware attack is by ensuring all important files are frequently backed up in a safe place in the event of a compromise.

“Fresh backups are key to remediating after a ransomware attack, and destructive attacks more generally,” Chris Doman, a security researcher at AlienVault, tells SC Media. “It's also important that the backups are located somewhere that the ransomware can't touch” since it's possible for ransomware to infect backups as well.

It's also important to understand that cloud storage can also become corrupted and plan accordingly to prevent cloud backups from becoming compromised as well. As more organizations move to the cloud, researchers warn organizations to keep track of the blind spots that could arise from using these platforms. 

“In the cloud, you get huge advantages in agility but it's also harder to maintain an accurate assessment of your entire environment,” Tim Prendergast, CEO at Evident.io., says. “New functionality is turned on, updates are deployed, and default settings run counter to your policies; no one organization can see and respond to everything going on.”

Prendergast says ransomware in the cloud takes advantage of unprotected data, services and servers operating in company cloud environments and that once the malware has infiltrated the environment through one of many potential weakness, it locates and encrypts unprotected data and systems to fuel ransom demands for Bitcoin, Ethereum, or other digital currencies.

“An organization that carries out an effective data-backup strategy for servers and for user-endpoints is far more likely to successfully recover from a ransomware event than the organization that puts their faith in the criminal's ability to assist in a recovery,” says Scott Keoseyan, threat intelligence leader at Deloitte Risk and Financial Advisory Cyber Risk Services.

Organizations should also ensure they have the proper tools to effectively monitor their networks and spot potential attacks before they can cause major damage.

Keoseyan saysa comprehensive vulnerability management program that provides a continuous monitoring outlook of an organization's publicly-exposed assets, is critical and that the information gathered must be fed into a remediation process that includes timelines and SLAs for mitigation and remediation.

“Incident response, disaster recovery and business-continuity planning had been moving in the direction of understanding things like ‘how to acquire bitcoin to pay ransoms' but it is critical that these key cyber-security and IT processes be adapted to account for scenarios where recovery via ransom is not an option.” Keoseyan says. “This means that an organization that carries out an effective data-backup strategy for servers and for user-endpoints is far more likely to successfully recover from a ransomware event than the organization that puts their faith in the criminal's ability to assist in a recovery.”

Some researchers recommend going above and beyond, if possible, to ensure their systems are protected. Eldon Sprickerhoff, founder and chief security strategist at eSentire, says the majority of his clients have taken better-than-usual precautions against ransomware which include the technical hardening of systems, improved analysis of attachments through upstream email services, local firewall/mail server, hardening of workstations including improved patch rigor, restricted access, removal of local administrator, disabling macros through GPO, endpoint solutions, and more.

Sprickerhoff says these measures were coupled with coupled with a better sense of what's appropriate from a backup/restore perspective. He notes that even with training employees can still be at risk in which one of his clients was tasked with opening another employee's email since the other employee was on vacation and almost exposed the network to malware.

“Even though they had ransomware-specific training, they disabled all of the protections and became infected when they opened an email with ransomware.” Sprickerhoff says. “We identified and shot down the attack immediately, and the client restored quickly from backup.”

He says these types of scenario underscore the necessity for a multi-pronged approach that includes technical precautions, training, eyes-on-glass, rapid incident response and backup/restore capabilities.

Sander had a similar experience that testifies to the importance of monitoring networks for unusual activity and taking alarms seriously. As soon as an alarm went off signaling unusual activity everyone including the Engineer though it was a mistake but soon they learned it wasn't and found themselves in an all-out ransomware attack. Ultimately the attack didn't spread far and the firm only lost a few files on the first machine that was hit with the attack which belonged to a user who clicked a malicious link. And most of that user's files had already been backed up which minimized loses even more.

And while it's important to take every measure to prevent and minimizing attacks, researchers emphasized there is no silver bullet to preventing ransomware attacks and that firms have to remain diligent against the threats.

"There is no fool-proof method to completely avoid ransomware attacks, you can only try to prevent some from succeeding, minimize the damage of those that succeed and reduce the time and effort of recovering from such an attack.” Mounir Hahad, senior director of Cyphort Labs, says, adding that you can't afford the time to decide if you should pay the ransom or not as you are under attack.

Other experts agree. Ilia Kolochenko, CEO of web security company High-Tech Bridge, contends “we'll hardly invent any groundbreaking techniques to fight ransomware without following cybersecurity fundamentals.”

Until companies “perform holistic risk assessments to establish a cybersecurity strategy with a priority-based roadmap, any “local” solutions will likely fail or give temporary relief,” Kolochenko says. “Comprehensive inventory of all your digital assets, their proper maintenance and patch management, security hardening and continuous monitoring - are among the pivotal processes, essential to reliably preventing ransomware.”

Prevention is key and using tools like AV, Sandbox, IDS, spam filtering, Threat Intelligence feeds in addition to frequently backing up systems will help organization remain resilient against ransomware attacks.

“Once an adversary encrypts your data, your options to deal with the attack get very limited, very fast,” Sanjay Kalra, co-founder and chief product officer at Lacework, tells SC Media. “The most important defense against a ransomware attack is to be prepared before it happens.”

See Original Post