INTERNATIONAL FOUNDATION FOR CULTURAL PROPERTY PROTECTION
Reposted from ZDNet
What is a DDoS attack?
A distributed denial-of-service attack (DDoS attack) sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all.
While a DDoS attack is one of the least sophisticated categories of cyberattack, it also has the potential to be one of the most disruptive and most powerful by taking websites and digital services offline for significant periods of time that can range from seconds to even weeks at a time.
How does a DDoS attack work?
DDoS attacks are carried out using a network of internet-connected machines – PCs, laptops, servers, Internet of Things devices – all controlled by the attacker. These could be anywhere (hence the term 'distributed') and it's unlikely the owners of the devices realise what they are being used for as they are likely to have been hijacked by hackers.
Common ways in which cyber criminals take control of machines include malware attacks and gaining access by using the default user name and password the product is issued with – if the device has a password at all.
The size of a botnet can range from a relatively small number of zombie devices, to millions of them. Either way the botnet's controllers can turn the web traffic generated towards a target and conduct a DDoS attack.
Servers, networks and online services are designed to cope with a certain amount of internet traffic but, if they're flooded with additional traffic in a DDoS attack, they become overwhelmed. The high volume of traffic sent in a DDoS attack clogs up or takes down the systems' capabilities, while also preventing legitimate users from accessing services (which is the 'denial of service' element).
A DDoS attack is launched with the intention of taking services offline in this way, although it's also possible for online services to be overwhelmed by regular traffic by non-malicious users – for example, if hundreds of thousands of people are trying to access a website to buy concert tickets as soon as they go on sale. However, this is usually only short, temporary and accidental, while DDoS attacks can be sustained for long periods of time.
What is an IP stresser and how does it relate to DDoS attacks?
An IP stresser is a service that can be used by organisations to test the robustness of their networks and servers. The goal of this test is to find out if the existing bandwidth and network capacity are enough to handle additional traffic. An IT department using a stresser to test their own network is a perfectly legitimate application of an IP stresser.
However, using an IP stresser against a network that you don't operate is illegal in many parts of the world – because the end result could be a DDoS attack. Even so, there are cyber-criminal groups and individuals that will actively use IP stressers as part of a DDoS attack.
What was the first DDoS attack?
What's widely regarded as the first malicious DDoS attack occurred in July 1999 when the computer network at the University of Minnesota was taken down for two days.
A network of 114 computers infected with Trin00 malware all directed their traffic at a computer at the university, overwhelming the network with traffic and blocking legitimate use. No effort was made to hide the IP address of the computers launching the traffic – and the owners of the attacking systems had no idea their computers were infected with malware and were causing an outage elsewhere.
Trin00 might not have been a large botnet, but it's the first recorded incident of cyber attackers taking over machines that didn't belong to them and using the web traffic to disrupt the network of a particular target. And in the two decades since, DDoS attacks have only become bigger and more disruptive.
Famous DDoS attacks: MafiaBoy – February 2000
The world didn't have to wait long after the University of Minnesota incident to see how disruptive DDoS attacks could be. By February 2000, 15-year-old Canadian Michael Calce – online alias MafiaBoy – had managed to take over a number of university networks, roping a large number of computers into a botnet.
He used this for a DDoS attack that took down some of the biggest websites at the start of the new millennium, including Yahoo! – which at the time was the biggest search engine in the world – eBay, Amazon, CNN, and more.
Calce was arrested and served eight months in a youth detention centre after pleading guilty to charges against him. He was also fined C$1,000 ($660) for conducting the attacks – which it's estimated caused over $1.7 billion in damages – and went on to become a computer security analyst.
Famous DDoS attacks: Estonia – April 2007
By the mid 2000s, it was apparent that DDoS attacks could be a potent tool in the cyber-criminal arsenal, but the world was about to see a new example of how disruptive DDoS attacks could be: by taking down the internet services of an entire country.
In April 2007, Estonia was – and still is – one of the most digitally advanced countries in the world, with almost every government service accessible online to the country's 1.3 million citizens through an online ID system.
But from 27 April, Estonia was hit with a series of DDoS attacks disrupting all online services in the country, as well as parliament, banks, ministries, newspapers and broadcasters. People weren't able to access the services they needed on a daily basis.
Attacks were launched on multiple occasions, including during a particularly intense period of 24 hours on 9 May – the day Russia celebrates Victory in Europe day for World War II – before eventually falling away later in the month.
The DDoS campaigns came at a time when Estonia was involved in a political dispute with Russia over the relocation of a Soviet statue in Tallinn.
Some members of Estonian leadership have accused Russia of orchestrating the attacks, something that the Kremlin has always denied.
Famous DDoS attacks: Spamhaus – March 2013
The Spamhaus Project's goal is to track the activity of spammers on the web in order to help internet providers and email services with a real-time list of common spam emails, posts and messages in order to prevent users from seeing them and potentially being scammed.
But in March 2013, Spamhaus itself fell victim to cyber criminals when 300 billion bits of data a second was launched at it in what was at the time the biggest DDoS attack ever, and one that lasted for almost two weeks.
Cloudflare dubbed it 'The DDoS attack that almost broke the internet' after the web infrastructure and web-security company stepped in to mitigate the attack against Spamhaus – and then found cyber attackers attempting to take Cloudflare itself offline. But the impact of the attack was much greater because the sheer scale of the attack caused congestion across the internet.
Famous DDoS attacks: Mirai – October 2016
In probably the most famous DDoS attack to date, the Mirai botnet took down vast swathes of online services across much of Europe and North America. News websites, Spotify, Reddit, Twitter, the PlayStation Network and many other digital services were either slowed down to a crawl or completely inaccessible to millions of people. Fortunately, the outages lasted for less than one day.
Described as the biggest online blackout in history, the downtime was caused by a DDoS attack against Dyn, the domain name system provider for hundreds of major websites. The attack was explicitly designed to overload its capability.
What helped make the attack so powerful was that the Mirai botnet had taken control of millions of IoT devices, including cameras, routers, smart TVs and printers, often just by brute-forcing default credentials, if the devices had a password at all. And while the traffic generated by individual IoT devices is small, the sheer number of devices in the botnet was overwhelming to Dyn. And Mirai still lives on.
How do I know if I'm under DDoS attack?
Any business or organisation that has a web-facing element needs to think about the regular web traffic it receives and provision for it accordingly; large amounts of legitimate traffic can overwhelm servers, leading to slow or no service, something that could potentially drive customers and consumers away.
But organisations also need to be able to differentiate between legitimate web traffic and DDoS attack traffic.
Capacity planning is, therefore, a key element of running a website, with thought put into determining what's an expected, regular amount of traffic and what unusually high or unanticipated volumes of legitimate traffic could look like, so as to avoid causing disruption to users – either by taking out the site due to high demands, or mistakenly blocking access due to a DDoS false alarm.
So how can organisations differentiate between a legitimate increase in demand and a DDoS attack?
In general, an outage caused by legitimate traffic will only last for a very short period of time and often there might be an obvious reason for the outage, such as an online retailer experiencing high demand for a new item, or a new video game's online servers getting very high traffic from gamers eager to play.
But in the case of a DDoS attack, there are some tell-tale signs that it's a malicious and targeted campaign. Often DDoS attacks are designed to cause disruption over a sustained period of time, which could mean sudden spikes in malicious traffic at intervals causing regular outages.
The other key sign that your organisation has likely been hit with a DDoS attack is that services suddenly slow down or go offline for days at a time, which would indicate the services are being targeted by attackers who just want to cause as much disruption as possible. Some of these attackers might be doing it just to cause chaos; some may be paid to attack a particular site or service. Others might be trying to run some kind of extortion racket, promising to drop the attack in exchange for a pay-off.
What do I do if I'm under DDoS attack?
Once it's become clear that you're being targeted by a DDoS attack, you should piece together a timeline of when the problems started and how long they've been going on for, as well as identifying which assets like applications, services and servers are impacted – and how that's negatively impacting users, customers and the business as a whole.
It's also important that organisations notify their web-hosting provider – it's likely that they will have also seen the DDoS attack, but contacting them directly may help curtail the impacts of a DDoS campaign – especially if it's possible for the provider to switch your IP address. Switching the IP to a new address will mean that the DDoS attack won't have the impact it did because the attack will be pointing in the wrong direction.
If your security provider provides a DDoS mitigation service, it should help reduce the impact of the attack, but as seen with attacks like Mirai, especially large attacks can still cause disruption despite the presence of preventative measures. The unfortunate thing about DDoS attacks is that while they're very simple to conduct, they're also very effective, so it's still possible that, even with measures in place, services could be taken offline for some time.
It's also important to notify users of the service about what is happening, because otherwise they could be left confused and frustrated by a lack of information. Businesses should consider putting up a temporary site explaining that there are problems and provide users with information they should follow if they need the service. Social-media platforms like Twitter and Facebook can also be used to promote this message.
How do I protect against DDoS attacks?
What makes DDoS attacks effective is the ability to direct a large amount of traffic at a particular target. If all of an organisation's online resources are in one location, the attackers only need to go after one particular target to cause disruption with large amounts of traffic. If possible, it's therefore useful to spread systems out, so it's more difficult – although not impossible – for attackers to direct resources towards everything at once.
Monitoring web traffic and having an accurate idea about what regular traffic looks like, and what is abnormal traffic, can also play a vital role in helping to protect against or spotting DDoS attacks. Some security personnel recommend setting up alerts that notify you if the number of requests is above a certain threshold. While this might not necessarily indicate malicious activity, it does at least provide a potential early warning that something might be on the way.
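An added example (not from the original article) of the threshold alert described above: it learns a per-minute request baseline from known-normal log lines, flags minutes above the threshold, and uses episode length and repetition as a triage hint, in line with the earlier point that legitimate surges are short while attacks are sustained or recur at intervals. The log line format, the 3-sigma margin with a minimum of 10 requests, and the 10-minute and 3-episode cut-offs are assumptions chosen for illustration.

```python
"""Request-rate alerting over access-log timestamps. All sample data is constructed."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev


def requests_per_minute(log_lines):
    """Count requests per minute; assumed line format: '<ISO time> <client-ip> <path>'."""
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than crash the monitor
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        counts[ts.replace(second=0, microsecond=0)] += 1
    return counts


def minute_series(counts):
    """Expand counts into a gap-free (minute, n) series so silent minutes count as 0."""
    if not counts:
        return []
    t, end, series = min(counts), max(counts), []
    while t <= end:
        series.append((t, counts.get(t, 0)))
        t += timedelta(minutes=1)
    return series


def alert_threshold(baseline_counts, k=3.0, min_margin=10):
    """Baseline mean plus k standard deviations, with a floor on the margin (assumed values)."""
    values = [n for _, n in minute_series(baseline_counts)]
    return mean(values) + max(k * pstdev(values), min_margin)


def find_episodes(counts, threshold):
    """Group consecutive over-threshold minutes into episodes with duration and peak."""
    episodes, current = [], None
    for minute, n in minute_series(counts):
        if n > threshold:
            if current is None:
                current = {"start": minute, "minutes": 0, "peak": 0}
            current["minutes"] += 1
            current["peak"] = max(current["peak"], n)
        elif current is not None:
            episodes.append(current)
            current = None
    if current is not None:
        episodes.append(current)
    return episodes


def triage(episodes, sustained_minutes=10, repeat_count=3):
    """Early-warning hint only: exceeding the threshold does not prove malicious activity."""
    if not episodes:
        return "normal"
    if any(e["minutes"] >= sustained_minutes for e in episodes):
        return "sustained"
    if len(episodes) >= repeat_count:
        return "repeated-spikes"
    return "short-spike"


def analyse(baseline_lines, observed_lines):
    """Return (threshold, episodes, triage label) for an observed window."""
    threshold = alert_threshold(requests_per_minute(baseline_lines))
    episodes = find_episodes(requests_per_minute(observed_lines), threshold)
    return threshold, episodes, triage(episodes)


def make_log(start, per_minute_counts):
    """Build constructed log lines; client IPs come from a documentation address range."""
    lines = []
    for i, n in enumerate(per_minute_counts):
        minute = start + timedelta(minutes=i)
        for j in range(n):
            ts = minute + timedelta(seconds=j % 60)
            lines.append(f"{ts.isoformat()} 198.51.100.{j % 250 + 1} /index.html")
    return lines


# Constructed sample windows (requests per minute), not real traffic.
BASELINE_LOG = make_log(datetime(2020, 9, 1, 9, 0), [18 + i % 5 for i in range(60)])
SALE_LOG = make_log(datetime(2020, 9, 1, 12, 0), [20] * 10 + [120] * 3 + [20] * 10)
FLOOD_LOG = make_log(datetime(2020, 9, 1, 14, 0), [20] * 5 + [300] * 20 + [20] * 5)
PULSE_LOG = make_log(datetime(2020, 9, 1, 16, 0), ([20] * 5 + [250] * 2) * 4 + [20] * 5)

if __name__ == "__main__":
    for name, log in [("sale", SALE_LOG), ("flood", FLOOD_LOG), ("pulses", PULSE_LOG)]:
        threshold, episodes, label = analyse(BASELINE_LOG, log)
        print(f"{name}: threshold={threshold:.0f} req/min, "
              f"episodes={[(e['minutes'], e['peak']) for e in episodes]}, hint={label}")
```

The label is a prompt for a human to look at the traffic, not a verdict; a long-running legitimate surge would also be reported as sustained.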
It's also useful to plan for scale and spikes in web traffic, which is something that using a cloud-based hosting provider can aid with.
Firewalls and routers can play an important role in mitigating the potential damage of a DDoS attack. If configured correctly, they can deflect bogus traffic by analysing it as potentially dangerous and blocking it before it arrives. However, it's also important to note that in order for this to be effective, firewall and security software needs to be patched with the latest updates to remain as effective as possible.
Using an IP stresser service can be an effective way of testing your own bandwidth capability. There are also specialist DDoS mitigation service providers that can help organisations deal with a sudden large upsurge in web traffic, helping to prevent damage by attacks.
What is a DDoS mitigation service?
DDoS attack mitigation services protect the network from DDoS attacks by re-routing malicious traffic away from the network of the victim. High profile DDoS mitigation service providers include Cloudflare, Akamai, Radware and many others.
The first job of a mitigation service is to be able to detect a DDoS attack and distinguish what's actually a malicious event from what's just a regular – if unusually high – volume of traffic.
Common ways in which DDoS mitigation services do this include judging the reputation of the IP address the majority of traffic is coming from. If it's from somewhere unusual or known to be malicious, it could indicate an attack. Another way is looking out for common patterns associated with malicious traffic, often based on what's been learned from previous incidents.
Once an attack has been identified as genuine, a DDoS protection service will move to respond by absorbing and deflecting the malicious traffic as much as possible. This is helped along by routing the traffic into manageable chunks that will ease the mitigation process and help prevent denial-of-service.
How do I choose a DDoS mitigation service?
Like any IT procurement, choosing a DDoS mitigation service isn't as simple as just selecting the first solution that appears. Organisations will need to choose a service based on their needs and circumstances. For example, a small business probably isn't going to have any reason to fork out for the DDoS mitigation capabilities required by a global conglomerate.
However, if the organisation looking for a DDoS mitigation service is a large business, then they're probably correct to look at large overflow capacities to help mitigate attacks. Looking at a network that has two or three times more capacity than the largest attacks known to date should be more than enough to keep operations online, even during a large DDoS attack.
While DDoS attacks can cause disruption from anywhere in the world, the geography and location of a DDoS mitigation service provider can be a factor. A European-based company could have an effective US DDoS protection provider, but if that provider doesn't have servers or scrubbing centres based in Europe, the latency of the response time could prove to be a problem, especially if it causes a problem for re-routing traffic.
When deciding on a service provider, organisations should, therefore, consider if the DDoS protection network will be effective in their region of the world. For example, a European company should probably consider a DDoS mitigation provider with a European scrubbing centre to help remove or redirect malicious traffic as quickly as possible.
However, despite all the ways to potentially prevent a DDoS attack, sometimes attackers will still be successful anyway – because if attackers really want to take down a service and have enough resources, they'll do their best to be successful at it. But if an organisation is aware of the warning signs of a DDoS attack, it's possible to be prepared for when it happens.
Reposted from The New York Times
Early one afternoon in June, the Congolese activist Mwazulu Diyabanza walked into the Quai Branly Museum, the riverfront institution that houses treasures from France’s former colonies, and bought a ticket. Together with four associates, he wandered around the Paris museum’s African collections, reading the labels and admiring the treasures on show.
Yet what started as a standard museum outing soon escalated into a raucous demonstration as Mr. Diyabanza began denouncing colonial-era cultural theft while a member of his group filmed the speech and live-streamed it via Facebook. With another group member’s help, he then forcefully removed a slender 19th-century wooden funerary post, from a region that is now in Chad or Sudan, and headed for the exit. Museum guards stopped him before he could leave.
The next month, in the southern French city of Marseille, Mr. Diyabanza seized an artifact from the Museum of African, Oceanic and Native American Arts in another live-streamed protest, before being halted by security. And earlier this month, in a third action that was also broadcast on Facebook, he and other activists took a Congolese funeral statue from the Afrika Museum in Berg en Dal, the Netherlands, before guards stopped him again.
Now, Mr. Diyabanza, the spokesman for a Pan-African movement that seeks reparations for colonialism, slavery and cultural expropriation, is set to stand trial in Paris on Sept. 30. Along with the four associates from the Quai Branly action, he will face a charge of attempted theft, in a case that is also likely to put France on the stand for its colonial track record and for holding so much of sub-Saharan Africa’s cultural heritage — 90,000 or so objects — in its museums.
“The fact that I had to pay my own money to see what had been taken by force, this heritage that belonged back home where I come from — that’s when the decision was made to take action,” said Mr. Diyabanza in an interview in Paris this month.
Describing the Quai Branly as “a museum that contains stolen objects,” he added, “There is no ban on an owner taking back his property the moment he comes across it.”
President Emmanuel Macron pledged in 2017 to give back much of Africa’s heritage held by France’s museums, and commissioned two academics to draw up a report on how to do it.
The 2018 report, by Bénédicte Savoy and Felwine Sarr, said any artifacts removed from sub-Saharan Africa in colonial times should be permanently returned if they were “taken by force, or presumed to be acquired through inequitable conditions,” and if their countries of origin asked for them.
Only 27 restitutions have been announced so far, and just one object has been returned.
The Quai Branly funerary post, according to its museum label, was a gift from a French doctor and explorer who went on ethnological missions around Africa. But to Mr. Diyabanza and his associates, the museum’s contents are all the products of expropriation. As he said in the live-streamed speech before seizing the item, he had “come to claim back the stolen property of Africa, property that was stolen under colonialism.”
Mr. Diyabanza, who faces a separate trial in Marseille in November, said in the interview that fury had led him to remove the object in a spontaneous and unpremeditated act, and that he had chosen the post because it was “easily accessible” and not bolted in place.
“Anywhere that our artworks and heritage are locked up, we will go and get them,” he added.
Mr. Diyabanza is not alone in staging museum actions. On Friday, a London court found Isaiah Ogundele, 34, guilty on a harassment charge over a protest in a slavery-related gallery at the Museum of London. According to a statement from the museum, the demonstration took place in January in front of four African works on loan from the British Museum.
The worry among museum administrators and cultural officials is that such actions will multiply, wreak havoc inside museums and scuttle restitution talks between Europe and Africa.
Dan Hicks, a professor of contemporary archaeology at Oxford University and curator at the university’s Pitt Rivers Museum, which has extensive colonial-era holdings, described Mr. Diyabanza’s intervention at the Quai Branly as “a visual protest,” tailored for social media, that involved a role reversal: a cultural object was being seized in Europe on behalf of people in Africa. He said the episode was “about objects in museums and how we feel about them” and raised questions about “culture, race, historic violence, history and memory.”
“When it comes to the point that our audience feels the need to protest, then we’re probably doing something wrong,” he added. “We need to open our doors to conversations when our displays have hurt or upset people.”
The funerary post was absent on a recent visit to the Quai Branly museum. A spokesman for the museum declined to answer questions about its condition and location, but a guard said that it was being restored. The only traces of it were a few holes on the display platform, where it normally stands.
The Quai Branly spokesman said that the museum strongly condemned the June action. It was a civil party in the case and would be represented at the Sept. 30 hearing, he added.
In court, Mr. Diyabanza and his four associates will be defended by three lawyers.
“We are going to put slavery and colonialism on trial on Sept. 30,” said one of the lawyers, Calvin Job. “We are leading a legitimate battle against unjust accusations.”
The French state has “objects in its collections that are the product of theft,” Mr. Job added. “If there are any thieves in this case, they’re not on this side of the bar, they’re on the other side.”
Hakim Chergui, another of the lawyers, said that Mr. Diyabanza’s action should not be viewed as an attempted theft but as a political statement. He was confident the defendants would be acquitted, because France did not prosecute people on political grounds, he said.
“We’re not talking about a bunch of swindlers who wanted to steal a statue to resell it,” he said. “These are clearly people who have a political message and who, through a militant act, want to engage with public opinion.”
The interview with Mr. Diyabanza and the lawyers took place at an outdoor cafe near the Rosa Parks subway station in the north of the French capital. Mr. Diyabanza wore an ivory necklace, a black beret and a map of Africa pin.
As a teenager in what was then Zaire, he said, his mother told him that, sometime in the 19th century, European colonizers seized three important objects — a sculpted cane, a leopard skin and a bracelet — from his great-grandfather, a provincial governor in Congo who had received the objects as symbols of power and authority from the country’s king.
“This heritage was savagely snatched away,” Mr. Diyabanza said. “The story I heard from my mother shaped my thinking, and it gave me a strong desire to see this heritage make its way back home one day.”
As he spoke, a cyclist riding by recognized him from social media videos, and stopped to talk. “We follow you, we support your ideas, and we encourage you a lot, but be careful,” said the cyclist, Abdel Adekambi, a French math student of Nigerian-Beninese descent.
Reposted from AAM
It’s a Thursday afternoon in July and the Museo de Arte de Puerto Rico (MAPR) is almost empty. Director Marta Mabel Pérez is in her office, leading a virtual hub of staff and other professionals through crisis management, reopening protocols, and plans for the future. She has faced the devastation of the 2017 hurricanes and recent earthquakes. Now she is busy supporting her employees, ensuring her museum complies with new health and safety regulations, and encouraging the territory to formally integrate heritage protection into its COVID-19 response.
Meanwhile in Texas, Steve Pine, a decorative arts conservator at the Museum of Fine Arts, Houston (MFAH), says all staff who can work remotely do. Those on the premises must wear masks and physically distance. When distancing is difficult in shared spaces, staff split work weeks on-site and from home, just one of many strategies the museum developed to help keep them safe while continuing their important work. Pine is involved with the statewide heritage emergency network TX-CERA, Texas Collections Emergency Resource Alliance, making Texas hurricane-ready. Now he focuses on collaborating with local networks to battle the crisis facing all museums and sharing information on new best practices.
Finally, on the East Coast, Ben Haavik is responsible for the maintenance and preservation of thirty-seven historic house museums and landscapes for Historic New England, the oldest and largest regional heritage organization in the nation. He champions emergency preparedness and oversees response after one of New England’s famous storms damages a tree or floods one of the homes. Now, his job includes integrating safety guidance for COVID-19 from five different states and twenty-two different towns.
We recently sat down with these three veteran disaster risk managers to brainstorm about planning for weather emergencies amid the new normal. As we spoke to them, their institutions were in different stages of reopening: The MAPR had a soft reopening in mid-July for members, the MFAH re-opened in mid-May, and Historic New England reopened six of its thirty-seven sites in mid-July but has no intentions of opening the remainder this year.
COVID-19 has added a new layer of complexity to the time-consuming process of hurricane preparedness: protecting the health of all involved. This makes it harder to enact “the usual” response to a natural disaster. “We do storms all the time—big storms, small storms, trees down, buildings damaged, and collections damaged. It happens. This was so different,” Haavik says. “We were in uncharted territory. It’s personal health. I can quantify building and landscape damage and whether it’s risky or not. I couldn’t quantify this.”
As we figure out how to integrate COVID-19 considerations into hurricane readiness planning, there are three primary areas to consider:
Normally, hurricane preparedness and response at a cultural institution is an all-hands-on-deck affair. In the past, Haavik noted, “if you had a hurricane hit and someone was sick, they would still probably report to work and help you clean up afterwards. It is a much different environment today.”
Now, people are worried about keeping themselves safe—and about being contagious themselves. This changes the dynamic of how organizations, setting staff well-being as the highest priority, can operate during an emergency.
Overcoming a staffing plan change is one concern. Primary and back-up staff could be ill or need to take the place of someone who is ill. Another concern: how to disseminate “situational awareness” and up-to-date information widely within the organization, so that those available can take on the response roles needed.
One strategy all the experts said they would consider is deploying professional resources inside and outside the organization differently. Here are some possible approaches:
Preparation for the next crisis is never far from the thoughts of people who protect the patrimony of their communities. In Puerto Rico, which faces multiple threats, Pérez and her staff have regular dedicated meetings to prepare for extreme natural events—not only hurricanes, but also COVID-19, earthquakes, and even fireballs (or meteorites, which actually occurred in January 2020). At these meetings, Pérez says, “We review the whole plan for what we have to do, how we have to react, and who we have to train.”
This moment makes preparation more difficult, with multiple layers of emergency to plan for. All three institutions concurrently have health and safety protocols to develop, personal protective equipment (PPE) to stock, and emergency plans to review and adapt. To consolidate some of this planning, adaptive practices could include the following:
As staff learn how to return to work safely, the most basic museum functions are shifting. Every day brings a new challenge: issues like building management, the place of culture in emergency management agency plans, or updating the institution’s disaster plan.
The three museums have all experienced this. Haavik is already on version eight of a COVID-19 safety plan he made with his staff, as the situation continually evolves. Pine, when asked about updating the MFAH disaster plan to incorporate pandemic response, says he would like to enhance PPE and have teams remain as units throughout preparation and recovery, thus limiting the number of staff needing to quarantine should one member develop symptoms and require COVID testing. Pérez is relying on the procedures she worked with the Smithsonian Cultural Rescue Initiative (SCRI) and HENTF to develop after the two 2017 hurricanes. She says, “We have all the training that you [SCRI and HENTF] gave us. We have all the collections logged and we are prepared. Now it is not only the collections staff but everyone in the museum that needs to be trained.”
Best practices to develop as part of regular operations could include the following:
While all of our experts agree that disaster plans must be updated to incorporate response to a pandemic, they are not yet ready to formalize any action steps; they are still trying to navigate the unknown as best they can. In time, they will pursue thoughtful planning and revisions. For now, they will continue to document their actions and activities so they can look back—at some point—and gauge what worked and what didn’t.
We asked each of our experts what they would most like to share about past experiences in preparing for major storms.
Pine says the keys are preparation and networking. Institutions are stronger together, he believes, and no organization should have to do this alone. Networking also gives you access to talent and experience that you might not have. He has confidence in the Alliance for Response, a local-network model and program of FAIC, which fosters connections between cultural stewards and the local emergency management community, from firefighters to healthcare workers. “Being aware of ways to find paths and connectivity to that community is going to make the preparation so much better informed and the response so much more successful,” Pine says.
Pérez emphasizes the importance of cross-training staff. She prefers to work with everyone at her institution rather than using a hierarchical approach. This ensures that everyone knows exactly what to do in an emergency. She says it is vital to identify who will coordinate the response for you, choosing a person who has the intuition and knowledge to make decisions in a changing environment. She is a strong supporter of ACE PR, Alianza Cultural para Emergencias de Puerto Rico, the heritage emergency network formed after the 2017 hurricanes that can assist cultural institutions before and after disasters. Integrating museum professionals into local and, in her case, territorial emergency management planning is also a key step. The way forward is to convince decision makers that “taking care of collections is an essential function to save patrimony,” says Pérez.
Haavik agrees with the importance of networking. There are always going to be emergencies, and involvement with a statewide coalition can help ensure a coordinated and effective response. He belongs to the statewide network COSTEP MA, Coordinated Statewide Emergency Preparedness in Massachusetts. He also encourages a post-response review of actions undertaken. The goal, he says, is to respond better at the next emergency, to look for the things you can change while understanding that you can’t do everything. Incremental growth in expertise is a sign of progress. “For me,” he says, “it was looking at major tree damage after storms. We started investing in tree care and now we don’t have to clean up as many trees.”
Thinking about hurricane readiness during the pandemic can feel overwhelming. However, you don’t have to do it alone. Connecting with heritage networks and exchanging ideas with colleagues boosts your ability to adapt and respond. Strong planning and communication among staff provide confidence to implement the emergency plan and contribute to the resilience of the organization.
Reposted from AAM
Many museums are struggling with when, and whether, to open, reclose, and reopen. These enormously difficult decisions may determine whether the organization survives the current crisis. After experiencing the first two stages of this cycle in early July, the San Diego Natural History Museum (The Nat) has decided to remain closed through the remainder of the year. In today’s guest post, President and CEO Judy Gradwohl explains how she and her colleagues decided the best way for The Nat to survive 2020 is to focus on actions online, and in nature, rather than reopening their doors.
–Elizabeth Merritt, VP Strategic Foresight and Founding Director, Center for the Future of Museums
It may seem counterintuitive to voluntarily stay closed, especially after the effort expended on our short-lived reopening, but that is exactly what we decided to do at the San Diego Natural History Museum. The decision to remain closed for the duration of 2020 still makes good programmatic and economic sense, despite the fact that state and local authorities have given museums the green light to reopen.
There are obvious disadvantages to a prolonged closure, especially one we bring on ourselves. We are forgoing interactions with visitors, along with the educational value and admissions money we usually generate. Some members join to receive free admission, so with no new foot traffic we are expecting a decline in new memberships. With other neighboring museums open, our self-imposed closure could generate negative publicity. And an extended closure prolongs the furlough of our frontline staff.
As significant as these losses are, we expect them to be outweighed by the benefits of staying closed.
Certainty and greater safety in a chaotic world: I’m sure every museum leader can relate to the anxiety, inefficiencies, and unknowns caused by a constantly moving target. Months of preparation went into our reopening. We removed or altered touchable exhibit elements, provided hand sanitizing stations, stocked up on personal protective equipment, installed temperature reading stations for staff, implemented one-way traffic patterns, and developed an entirely new marketing campaign to welcome people back safely.
We were ready, we opened, we welcomed guests with open arms (figuratively, and from behind plexiglass barriers). And five days later, a rise in COVID-19 case numbers mandated the closure of California museums for the second time. It was a vast disappointment to close almost immediately after opening. Every subsequent week that passed required recalculating our budget and cash flow, and increased concern about losing summer admissions—our biggest season of the year.
The decision to stay closed through the end of the year gives us a fixed point to work toward and a more certain planning horizon. We can channel energy and work toward the projects we want to accomplish rather than worriedly monitoring a burgeoning problem.
Ability to reprogram our time and energy: Instead of waiting and lamenting a fall without school visits, our closure helps focus our energy on what we can accomplish instead of what we can’t. With 100 full-time employees remaining on staff, we have a significant workforce to devote to our scientific research, conservation work, education, and planning for the future. Our biological and paleontological fieldwork has increased, resulting in significant finds, a successful binational translocation of red-legged frogs, reintroducing a locally extinct species to Southern California, and increased protection of numerous species.
We have already seen a blossoming of inventive and well-received online programming. Our education staff have shifted their focus to people who can’t or won’t visit by creating digital resources to help schools, aftercare programs, and other caregivers. With a combination of pre-recorded and live programming, they are expanding upon our traditional standards-based school visit program to help students experience nature and meet our scientists.
Our monthly evening lectures and adult programs moved online and became more frequent. We are now hosting webinars with more participants than would fit in our 300-seat theater, and people log in from around California, the nation and the world. We held our first evening talks entirely in Spanish, bolstering our binational mission, and featuring our Mexican colleagues. We’ve seen people attend our virtual programs who might never have stepped foot inside the building. Our Canyoneers, volunteers who usually lead in-person, guided hikes, have curated “best of” hikes for the fall season and are providing online guidance for hikes people can do on their own.
Refocusing on mission: Our organization started nearly 150 years ago as the San Diego Society of Natural History, and we still operate under that legal name. We have always been larger than our physical facilities, and now is no exception. As we close our beloved building and fling open our digital doors, we have the ability to highlight the full range of our mission. Social media that previously was devoted to programming and attracting visitors is helping everyone understand and enjoy nature in our region, and showcasing scientific research and conservation efforts. In place of behind-the-scenes tours and other events for supporters, we are providing frequent updates documenting our accomplishments and how we are delivering on our mission during the shutdown.
Some members join for the discount admission, but many support us because they believe in our cause. We have seen some attrition, but not as much as we had anticipated—a testament to how much people believe in our work. Communication and online member events are focusing on strengthening ties with members through our scientific work, in addition to special programming.
Opportunity for minor construction projects: We are hoping to complete small construction projects that were already approved and funded. It is easier and potentially less expensive to work in public-facing areas of the building while it is closed to the public. Projects include a new ramp for accessible entry to back-of-house portions of the Museum, and converting offices to an exhibition gallery.
How can we afford to keep this many staff and stay closed? It poses major challenges, but we are fortunate to have diversified sources of income. Our scientific staff also run consulting businesses, which return significant funding to the Museum to maintain our collections and provide general operating support. We have an active program of grants to support projects, related salaries, and experimental projects.
Philanthropy always plays a major role in our annual budgets, and this year in particular, successful fundraising will be critical. We are privileged to have a supportive community that helped us meet a $500k challenge grant, closing the $1M gap generated by our closure in July and August of this year.
We entered the closure last spring from a position of financial strength, carefully managed our cash, and were able to secure a forgivable Paycheck Protection Program loan from the U.S. Small Business Association. We instituted austerity measures by limiting spending, cutting back on work by our as-needed part-time staff, and after we re-closed in July, we furloughed most frontline staff. We’re still closely monitoring our cash, analyzing scenarios that move our reopening date back in 2021, and understanding whether we can reopen on select days around the holiday season.
It was a bold and potentially risky move to keep the Museum closed and focus on actions online and in nature, a decision that was made possible through support from a visionary board and staff. On the other hand, it gives us the impetus to refocus our efforts where they will make the most impact. This is challenging work that requires retooling and rethinking. We feel that, in the future, our model will need to blend onsite, online, and nature-based activities, and this extended closure gives us the opportunity to develop the skills and tools we need to get there. Ultimately, the hope is that we will emerge from the pandemic stronger. We are in a chrysalis, not crawling into a burrow to hibernate, and when we emerge we will have grown, strengthened and transformed.
Reposted from Artnet News
Last week, the Queens Museum reopened to the public for the first time in just over six months. Like other institutions across New York, the museum took a financial hit due to its extended closure, but the effects of the virus were particularly damaging in its home of Corona, Queens, and can still be felt to this day.
That’s why, even as the museum unveils a slate of new exhibitions, it is also operating as a food pantry.
Partnering with La Jornada, a volunteer-led hunger-relief organization from nearby Flushing, and the Together We Can Community Resource Center, a local nonprofit, the Queens Museum is continuing weekly Wednesday food distributions for Corona residents, which began on June 17, for the foreseeable future.
“The food pantry is doing essential work, to provide food for families in our immediate neighborhood as long as we can and as long as it’s needed,” Sally Tallant, the museum’s director, told Artnet News. “And I’m sad to say I think it’s going to be needed longer than any of us would have expected in a first-world country.”
As the epicenter of New York City’s outbreak, the neighborhood of Corona has had 5,156 documented virus cases to date, or one for every 22 people, according to the New York Times. Of those, 447 people have died.
With 63 percent of its residents foreign-born—more than any other zip code in the city—and a substantial number of those undocumented, Corona has a large population that was ineligible for federal relief, such as expanded unemployment benefits and stimulus checks. A quarter of residents lack health care. Many are essential workers whose jobs required them to work on the front lines.
It did not take long for the museum to realize that Corona was bearing the brunt of the burden, and it quickly took action.
“When people started to get sick back in March, we formed a coalition with the Hall of Science, the Queens Theater, Flushing Meadows Corona Park, and a number of community organizations to try and work out what we could do collectively to support our community at that time,” Tallant said.
Thanks to the museum’s community organizer, Gianina Enriquez, the museum already had a relationship with La Jornada, and was ready to respond to growing food insecurity in the neighborhood.
“What’s really evident on Wednesdays when the collection is happening is that there’s an incredible need,” Tallant said.
To date, the Queens Museum has fed 9,650 families in Corona, and hopes to scale up to be able to feed 1,000 families a week. Nor is it the only museum to spring into action as a food pantry: the Brooklyn Museum has also been hosting a food-distribution center.
Tallant also hopes that food-pantry beneficiaries will stick around to visit the museum now that the galleries are open again.
“We’ve made the museum free admission at this time,” Tallant said. “We don’t want to put any financial barriers in the way.”
But she understands if visitors’ return is gradual. “All of us are trying to relearn how to be back in the world with some trepidation,” Tallant acknowledged. “This is a very scary moment globally.”
The institution is offering a quartet of fall exhibitions, including an outdoor installation from New York City Department of Sanitation artist-in-residence Mierle Laderman Ukeles thanking service workers for their tireless work.
With work by 12 artists, another show, titled “After the Plaster Foundation, or, ‘Where can we live?’” looks at housing politics, home ownership, and eviction issues. A show of recently donated photographs, “Bruce Davidson: Outsider on the Inside,” features a series of photos documenting the Civil Rights Movement in New York.
“Bruce Davidson took amazing pictures of New York and it seems really pertinent to look at the city and how it’s changed over time,” Tallant said. “The exhibitions all feel incredibly timely.”
Reposted from Security Management Magazine
How do you hire from a distance? Office closures and social distancing measures brought on by the COVID-19 pandemic have forced the contract security guarding industry to change how it recruits, evaluates, and hires new personnel, and while many changes are temporary, others can present long-term opportunities for improvement.
Over the last decade, the contract security industry has seen marked changes in both the applicant pool and the officer skill sets required by customers. A more recent development has been interviewing and conducting applicant processing and onboarding remotely as much
In particular, the 2008 financial crisis changed the landscape for security talent management. While many industries faced setbacks, the recession presented unexpected benefits for contract security companies.
From 2008 to early 2017, hiring for security firms was a straightforward activity in the United States. Given the generally high but stable unemployment rate and slowly growing economy, the labor pool was both diverse and plentiful. It was not uncommon for a security officer applicant to have substantial life experience or college degrees. The stability of the security industry offered steady employment, albeit rarely at an individual’s prior salary range. Turnover—always an issue in most service industries—tended to be more manageable; keeping a job often trumped seeking a new job.
During this same period, technology finally found its way to contract security. Unprecedented industry consolidation, driven by a wave of retiring owners and uncertainty with the U.S. Affordable Care Act, led national and international firms to differentiate themselves through technology and service. This, however, required a different level of security officer skill set.
One important area of service that has fundamentally never changed in the contract security field is that security personnel are expected to show up when and where they were supposed to, look the part through uniformity, understand their responsibilities, be prepared to document both the routine and the extraordinary, and know the right person to notify when necessary.
However, the sophistication level and visibility required of today’s security officer stands in stark contrast to what was needed just a few short years ago. Primarily, the evolution has centered on the demand for more extensive training and the ability of each officer to perform, communicate, and respond professionally in a seemingly ever-growing range of safety and customer service-related areas.
Customer expectations for proficiency have never been greater. Security officers must be prepared to control access, welcome important guests and escort each to their destination, interact with local law enforcement, lead evacuations, respond to medical emergencies, de-escalate tense situations, and mitigate risk.
Technology tools and the skills to use them efficiently have become the industry standard, with a goal of maximizing officer performance and collecting risk management data. Today’s security officer is searching for and locating potential threats, while controlling access using technologically advanced surveillance systems. Routine security officer functions now include electronic incident reporting, camera monitoring, and collecting patrol tour data, which is accessible in real time.
Security companies have also created online programs to make training more accessible, markedly enhancing the skills and knowledge of each officer. Professional security officers now actively pursue computer skills and additional training as a path to upward mobility.
Between 2016 and 2018, numerous industries that had been idling during the recession reentered the hiring competition with gusto. For contract security firms, educated and experienced applicants seeking employment and stability evaporated. The trouble was: prospective and current clients’ service needs had not evaporated in the slightest.
Veteran hiring, long a panacea for security firms, was in vogue. As the Iraq War wound down, veteran recruitment became a highly publicized hiring initiative in multiple industries, substantially reducing a crucial and previously consistent security industry employee base. Compounding this challenge, many mature men and women retired or left the workforce. This senior applicant pool, a critical part of the infrastructure of a stable security company, couldn’t be replaced in anywhere near the numbers needed. Suddenly, almost every conversation between industry executives centered more around recruitment, hiring, and retention than any other managerial obstacle.
With this evaporation of veterans and mature candidates, the era of the millennial security officer arrived and with it would come a bushel full of new generational challenges.
Recruiters and talent management experts have devised many strategies for attracting and retaining highly educated millennials—an age range that generally includes people born between 1981 and 1996. Most of these recruitment efforts emphasize values alignment, flexible schedules, being tech savvy, and personal investment in the work. The true question for the private security industry, though, was how would the strata of entry-level, hourly millennial service workers fare?
Security hiring has commonalities and stereotypes. Previously, successful job applicants arrived on time or a few minutes early for an interview, were polite to the receptionist, dressed up for the opportunity, and seemed generally interested in the job for which they were applying.
However, the tight labor market changed the caliber of job applicants, especially for entry-level jobs. Suddenly the average applicant exuded an air of boredom and disinterest. Tattoos, piercings, and colored hair went from rare to common.
During interviews, staffing specialists faced conflicting demands—a need for officers and a group of applicants that refused to work for the rates offered. Pay and billing rates—many of which had remained unchanged or barely affected since late in 2008—now faced strong upward pressures. Heightened demand for frontline guarding services during the pandemic only made recruiting and training qualified candidates more challenging.
The mission during COVID-19 was to reduce time spent “in the office” during processing in every imaginable way possible, including while recruiting and hiring security personnel. Technology provided solutions.
The year 2020—due to more modern software, cost-effective access to video, and the need to minimize in-person interaction—will probably be seen as the inflection point when security officer processing became primarily remote. Fully remote processing may currently be a bridge too far, but the groundwork for continuing these trends lies before us. When necessity dictated the change to remote employee processing, the industry responded quickly.
Recruitment. Recruiting today barely resembles the version of just a decade prior. Long gone are the days of newspaper advertisements.
Advancements in job posting sites have seen many come and go, and sites are constantly jockeying for position. For example, Indeed.com is currently the “king of the hill” for security officer job listings, given that LinkedIn and Monster.com have generally focused on white collar applicants. Glassdoor is seeking to transition from a place for employees and applicants to complain about employers to a more well-rounded employment platform.
Social media advertising is inexpensive and can be targeted, but it comes with the vitriol that even seemingly random commenters care to tag ads with—editing comment sections is a new but essential task for human resources.
Remote interviewing. After the onset of the COVID-19 pandemic, organizations worldwide were almost immediately affected by the requirements of social distancing and limits to the number of people in an office. Human resources departments converted almost instantly to the various video platforms, and screeners sought to maximize video conferencing tools to visually observe applicants and their mannerisms.
As the author’s company pivoted to remote interviewing, Erica Montoya, the firm’s human resources director, found that the crucial components of an in-person interview, such as punctuality, attentiveness, and overall effort into being ready for a job interview were still applicable. Her team of staffing specialists readily agreed. Each had stories of exceptional applicants who interviewed well, along with funny tidbits—including an applicant who commenced baking brownies during the interview.
These changes may have implications beyond the duration of the pandemic. Several aspects of winnowing the applicant pool had already lent themselves to modernization, such as applying through an employee portal, often with a “screening” function in the process separating the potential successes from the likely failures. Other efficiencies, such as a secondary six to eight question screening phone call, will most likely fold into the video interview.
Dr. Benjamin Dobrin, dean of the D. Henry Watts School of Professional Studies at Virginia Wesleyan University, believes that wholesale commitment to distance interviewing—while born out of the necessities of the pandemic and associated social distancing precautions—will likely remain in effect long-term.
“This has been a jump start, if you will, for businesses still practicing traditional hiring techniques,” Dobrin says. “Those that have been slow to embrace interviewing technology were just forced to make a quantum leap. History tells us that once the waters recede, the pluses of non-present interviewing will lead to even more widespread adoption.”
Paperwork. In early March 2020, there were a few variations in how traditional hiring paperwork was completed. Across the United States, some security officer candidates arriving for processing started their day with a clipboard, a pen, and the usual suspects: I-9s, tax forms, and handbook acknowledgments.
Fast-forward a few short months, and the clipboard is all but obsolete. Software that captures digital signatures eliminates touching shared objects like pens, and it means paperwork can be completed in the safety and comfort of one’s home. Doing so reduces risk and potential exposure to both the processor and new employee, and it carries the inherent message that the organization cares about its employees and their health, which is definitely a sound message to have ring out loud and clear to people joining the team.
The transition was not without its challenges. Multigenerational employment pools communicate very differently. Montoya and the processing portion of her team found themselves revising flow charts to account for remote processing tasks. Email was the only effective method for detailing what items needed to be completed remotely, as well as what identification documents must be brought for the inter-office visit.
The trouble with email, though, is that not all applicants check it regularly, with reasons frequently split along generational lines. To mitigate the risk that essential tasks might go unread, mature candidates receive phone calls reminding them to look for emailed processing task lists, whereas younger applicants receive text message reminders.
Training videos. Across the security industry, the spectrum of pre-assignment training videos had often been limited to an office-provided terminal with a VHS tape, DVD, or Web link, usually supervised to ensure that materials were viewed and comprehended.
A mass migration towards providing pre-assignment subject matter remotely has been aided by two developments. First, content can be set up so that it cannot be fast-forwarded or skipped, but otherwise employees can learn at a pace that works for them. This eliminates the concern of “pencil whipping” information that is important for officers to know: attention to detail, customer service, daily and incident report writing, and the use of force continuum.
The second benefit of remote viewing is the ability to embed quiz questions throughout the subject matter or as a comprehensive final quiz. Failure—either because the applicant was unable to absorb the content sufficiently or not paying attention at all and winging it—is a strong indicator that a person is destined to fail in their role as a security officer. For these reasons, completing videos remotely easily passes the test for streamlining processing.
Orientation. Few things can match being welcomed in person with a clearly delineated list of expectations and responsibilities, the chance to meet coworkers, a comfortable environment that invites questions and feedback, and the opportunity to rub elbows with the company’s support staff.
Social distancing and infection mitigation pushed this type of orientation into the realm of “the way we used to do it.” Blessedly, with so many meeting software platforms, a combination of prerecorded and live orientation material can accomplish much of the same goals at a substantially reduced risk.
Uniforms. Paperwork, pre-assignment videos, and orientation lend themselves much more easily to software and remote technology than the age-old process of issuing uniforms. When an officer visits the office to pick up his or her uniforms, even after calling ahead to a uniform room manager with sizes, it makes the most sense to have the officer try the items on then and there.
If an in-person office visit is required, the employer can maximize the officer’s visit by completing any additional tasks—such as providing an actual copy of the Employment Handbook and the employee’s first weekly schedule, confirming healthcare choices or dependents on tax forms, and meeting the account manager in person—in one short, concise session.
History shows us that times of great strain and upheaval often end up being catalysts for marked change, and for the private security interview and hiring process that adage has proven true. It is doubtful that even a partial regression will occur after COVID-19, given the ease and efficiency of digital interviewing and the degree to which it highlights an applicant’s familiarity and comfort with technology. If someone cannot manage a Zoom or Webex interview, how effectively can they be expected to use a mobile device complete with accountability and reporting software? The transition to a more digital age arrives in time for the tech-savvy millennial generation, who won’t think twice about remote processing.
Clients’ expectations grow as the world becomes more complex and risks—both old and new—are added to the list of security officer tasks and concerns. Finding people who will be alert, attentive, pleasant, and professional in appearance has historically been the source of success for private security human resources staffing specialists. Their tasks are aided by technological advances, but complicated by generational tendencies and public health roadblocks.
“We are living through arguably the most accelerated amalgamation of technology and public health concepts in human history,” says Dobrin. One thing will always be for certain though: human resources staff must function in a constant state of urgency and innovation, given that the phone rarely stops ringing and the operations department’s “needs lists” will always be in the email inbox early each morning.
Reposted from The Chicago Tribune
The Ruth Bader Ginsburg exhibition at the Illinois Holocaust Museum is likely to transform from a tribute to a memorial in the coming days, as Illinoisans take advantage of the local opportunity to spend time with the late Supreme Court justice’s story and personal effects.
For the rest of the exhibition’s run, scheduled through Jan. 3, tickets are available via the Holocaust Museum website and are included in the $15 general admission.
Wednesdays are free days through the end of the year at the museum, but tickets are required to attend on those days.
Demand for the “Notorious RBG” show, which I reviewed (favorably) when it opened in February, is expected to be high and compounded by the museum limiting attendance and opening hours due to COVID-19 restrictions. New, post-COVID hours see the museum only open Wednesdays-Sundays, and it will also close Sept. 28 for Yom Kippur.
The show was on track to be one of the most popular in the museum’s history when the pandemic forced its temporary closure in mid-March. Because of the closure, the institution was able to extend the show’s run through the Jan. 3 date.
“The exhibition is based on the hit 2015 book of the same title” and was developed by L.A.’s Skirball Cultural Center, I wrote in February. “It derived from a viral Tumblr account merging Ginsburg’s persona, especially her fierce Supreme Court dissents, with fragments from the late rapper the Notorious B.I.G.”
Despite how that may sound, it offers a respectful, enlightening treatment of her life and career as a pioneering feminist lawyer, then Supreme Court justice.
For those unfamiliar, the museum covers the mid-20th century Nazi mass murder of European Jews and others, along with other exhibits related to Jewish topics and to genocide. Its telling of the Holocaust story is one of the Chicago region’s most compelling and haunting museum exhibitions.
The COVID-19 pandemic seems like an inflection point for the safety and security industry, and I can’t help but think back to past crises and the changes they precipitated—namely the 9/11 terror attacks.
Seemingly, out of nowhere, America was vulnerable. The security industry was at the forefront and had to keep up with sweeping U.S. federal changes, including the Aviation and Transportation Security Act, the Patriot Act, the Enhanced Border Security and Visa Entry Reform Act, and the International Code Council’s post-9/11 building codes. Task forces sprang into action—groups such as state-led counterterrorism bureaus, federally mandated security consultants, and Joint Terrorism Task Forces. The security apparatus in America crossed its Rubicon and irrevocably committed to making the nation a harder target against domestic and international threats.
The security sector today faces a similar inflection point with COVID-19. Once again, urgency is forcing innovation. Security manufacturers are springing to market with incredible new ideas, disruptive technology, and equipment, similar to reactions in the post-9/11 world. Technology is rapidly propelling business transformation.
This time, however, businesses are looking to the U.S. Centers for Disease Control and Prevention (CDC) for guidance on how to safely return to the office. Guidelines to mitigate the spread of COVID-19 are focused on stay-at-home initiatives, promoting social distancing, wearing appropriate personal protective equipment (PPE), and screening for elevated temperatures.
Upsettingly, however, these safety guidelines have begun taking on partisan division in today’s polarizing political climate. It was heartbreaking to hear about the murder of Family Dollar security officer Calvin Munerlyn in May 2020; Munerlyn was shot and killed while on duty for enforcing Michigan’s state-mandated face mask policy. Violent reactions to CDC guidelines are all too common.
The key to safely moving forward is striking the right balance between technology and humanity, and robots are uniquely positioned to respond. Robots are nonpartisan and unbiased, and they can accomplish all CDC-recommended critical tasks while reducing human exposure and breaking the chain of infection.
Robots can not only monitor people’s behaviors through machine learning algorithms, but they can also respond and correct issues as they happen. Utilizing two-way video and voice communications, robots can gently change people’s behavior in the workspace while limiting human exposure to COVID-19.
Elevated temperature is a primary symptom of COVID-19. Traditional methods for businesses to conduct temperature checks are difficult to scale, unreliable, and put those administering the tests at risk. Robots can be used to conduct reliable, non-invasive skin temperature scans via the tear duct. Using a thermal camera calibrated against a blackbody reference (a small device capable of emitting a known constant temperature), robots can alert employers to anyone with a temperature exceeding 100.4 degrees Fahrenheit. Remote operators can then direct that person for secondary screening, without putting people in harm’s way.
Robots can screen for elevated temperature, verify PPE compliance, and enforce social distancing guidelines while avoiding additional exposure for security officers and other building occupants. Robots provide perfect recall, unlimited attention, and no bias. They are a solution to a difficult situation, and an ideal way to add automated solutions to an existing security program.
Reposted from KTAR News
Swastikas and a racial slur were spray painted at the property of an African American history museum in downtown Phoenix over the weekend.
Authorities say the vandalism was found Sunday on the sidewalk and a column in front of the George Washington Carver Museum and Cultural Center.
The Phoenix Police Department is investigating the incident.
Phoenix Mayor Kate Gallego condemned the vandalism in a tweet and said the city’s anti-graffiti program would work to remove it.
The Carver Museum’s mission is to preserve and share the stories of African American experience in Phoenix.
When open, the privately managed museum doesn’t charge admission but depends on donations from visitors and partners to operate.
A GoFundMe campaign has been started to raise money for enhanced security at the venue and to expand exhibits and programming.
This has been a make-or-break year for physical security departments, and how they handle their response to the pandemic will pave the way for executive buy-in—or loss of credibility. From how people enter a building to how they interact with others onsite, physical security professionals have been tasked with mitigating risk and ensuring safety more than ever before.
To address emerging risks, many organizations are rushing to adopt security solutions to keep their businesses operational and compliant with newly established health and safety standards. According to recent research conducted by Traction Guest, the overwhelming majority (92 percent) of enterprise security and risk professionals report that physical security is of greater strategic importance to their organization now than it was before the pandemic. With onsite health and safety concerns at an all-time high, 87 percent of businesses plan to increase spending on physical security going forward.
While it’s encouraging to see businesses investing more in physical security programs, not all risk mitigation measures are created equal. When managers deploy countermeasures without first understanding and addressing the company’s own specific risk posture, they are contributing to “security theater”—a concept that refers to security measures that make people feel more secure without doing anything to actually improve their security.
In response to the pandemic, what steps should enterprises take to ensure they are truly securing their business and protecting employees and visitors versus simply participating in security theater?
To provide value to the business without entering into security theater, a security leader must begin by understanding the risks his or her company is actually facing. Each company has its own unique physical security risks, and security professionals must allow those risks to inform how they implement new technologies and procedures.
While organizations should run risk assessments on a regular and ongoing basis, most risk assessments tend to take place after a specific event or incident. COVID-19 has created a point in time where all companies must reevaluate their physical security program to factor in both current and future pandemic-level threats. If you haven’t already, it’s time to dust off those risk evaluations and take a serious look at your security posture.
While there are certainly industry standards and best practices available as a framework for your program, there is no one-size-fits-all approach to physical security and protecting your business. In fact, the industry standard or buzzworthy solutions may not be the best fit for every organization.
Begin by assessing your company’s overall risk from a corporate, brand, and executive perspective. This high-level overview will provide you with a broad base of the most critical and potentially damaging risks your company faces.
Next, conduct risk assessments on a site- or location-specific level. While this task can be tedious depending on the size of your organization, this level of granularity is vital to an effective assessment. You will need to factor in location-based considerations, such as what type of facility you are securing, how much revenue the facility brings in, if there are irreplaceable assets or operations involved at this site, and any other facility-specific risks.
Once your location-specific assessment is complete, begin evaluating risk from a business unit perspective. Don’t forget to include the security department in this stage of the risk assessment; a worst-case scenario would be for your department to be the one that buckles in the event of an emergency situation.
After completing a multifaceted risk assessment, you will be left with a comprehensive overview of all of the risks your organization faces. This assessment, however, does not include your company’s risk tolerance level.
Every company has a varying degree of risk it is willing to accept. Speak candidly with senior leadership, legal advisors, and other stakeholders about the level of risk your company is prepared to take on. Then you can begin to determine what the appropriate countermeasures are to address and mitigate your organization’s risk. These countermeasures can be both technological and procedural, but they must be tailored to meet the specific needs of the business.
For every countermeasure you put into place, you should determine how effective it is at eliminating your actual risk. For example, if you are trying to keep bad actors out of your facility, consider an access control system that can address that particular challenge. This step is critical in eliminating security theater, so as to not introduce systems that won’t have any substantive impact on the company’s risk posture.
Another strategy to tackle risk more effectively is to partner with your cybersecurity counterparts. Physical and cybersecurity leaders should focus on cooperation—whether that be through collaborating on response plans or conducting risk assessments together. This partnership creates a more comprehensive view of the organization’s overall risk posture and allows leaders to implement solutions that address risk from a unified security standpoint.
Policy enforcement and governance are vital when establishing an effective risk management strategy. Many businesses today have great intentions when implementing new physical security technology. Without policies in place to govern and maintain these systems, enterprises are unfortunately unable to track whether the countermeasures they have put in place are effectively managing risk. Enter security theater.
Without managing systems properly, it’s easy to introduce new risks into the business. For example, a company may spend significant resources adopting a new access control system. But how many people at the company have multiple access badges? And how many employees lost a badge that might have fallen into the hands of a malicious actor? Improper management of countermeasures almost guarantees that there will be weak spots in the system. In fact, that shiny new access control system may be allowing more bad actors in than before.
The pandemic has spurred the C-suite to recognize that ineffective health and safety protocols expose their people and their businesses to serious risk. As a result, senior leadership is more concerned with physical security than ever before, advancing many security and risk professionals into a strategic position within the business.
Physical security leaders must remain laser-focused on identifying risk, implementing measures with which to address that risk, and enforcing policies to keep those systems operational—only then can they provide true value for the business. We have entered into a new world order, in which effective physical security is of the utmost importance to the business. Security theater can place your company’s brand reputation on the line, not to mention lead to potential harm to employees and visitors. It is no longer about convenience or security theater, but instead about maintaining business operations and protecting the health and safety of everyone onsite.
1305 Krameria, Unit H-129, Denver, CO 80220 Local: 303.322.9667
Copyright © 2015 - 2018 International Foundation for Cultural Property Protection. All Rights Reserved