Reposted from The Northern State Conservation Center

by Joan Baldwin

Nothing changed this week, and yet everything did. Pandemic numbers continued to climb, all while public health officials predict the worst is still to come. Lines for food banks grew as the number of unemployed multiplied. Museums and heritage organizations made headlines with massive layoffs of front line staff. Midst it all, those of us lucky enough to work from home, found our worlds simultaneously shrink to the size of our houses or apartments and expand to the farthest reaches of the world as we spend more and more time online.

This week I've been thinking about separation. As museum folk, our livelihood depends on our interaction with things - paintings, documents, buildings, living things or objects. Suddenly, we're apart. Apart from the stuff we care for, caring that comes in many forms, through leadership, advancement, scholarship, education, conservation or transportation. Whatever our role, we're separated. And in this case we're separated not just from the heartbeat of our museums or heritage sites, we're separated from colleagues, our human communities, volunteers, tiny children, bigger children, budding artists and scientists, families, and elders.

Is there such thing as a good separation? How do you manage disconnection yet stay attached? How many novels, plays and movies take shape when one character announces they must leave, but they'll be back? How do relationships deepen between absent friends? Does absence make the heart grow fonder?

And what sustains us through a separation? It used to be letter writing. Now, not so much. Are separations also defined by how we choose to fill the absence?

This week I read a wonderful piece by John Stromberg, director of Dartmouth's Hood Museum to his community. Stromberg talks about the Hood's commitment to art "by all, for all." But more exciting to me is his open acknowledgement that however empathetic and caring the Hood's exhibitions were, now the museum is closed, he acknowledges his staff must pivot. He writes:

As the Hood Museum staff continues to transition to our new digital work format, we are challenged to revitalize and update a key tenet of what we do: putting individuals in direct contact with original works of art and each other. How do we move forward without the physical proximity that has been critical to our practice? Can digital means replicate the intimacy of face-to-face dialogue about today's most pressing issues?

So must separation incorporate a willingness to change and grow?

Then there is the Philbrook Museum of Art whose relationship with its community, both virtual and actual is a marvel, thanks in part to the leadership of Scott Stulen, a multi-talented artist who admits his directorship is about putting community building into "overdrive."[1] Who doesn't want to know a place that in a matter of days changed its tagline to "Chillbrook Museum of Staying Home, Stay Home, Stay Social" as if this were just another day in the life. The Philbrook's  website makes you believe all your emotional and intellectual needs are in hand. Whether it's listening to podcasts, hearing a tiny concert or participating in a children's art class, it's clear that separated or not, the museum percolates along, even for those of us who've never been to Tulsa, OK. This week the Philbrook put its money where its mouth is, announcing it is expanding its edible garden in order to support the food bank. How could anyone forget a place that offers so much for so many, and who manages to be winsome, and serious, musical and witty, all at the same time? 

Maybe a good separation is about enhancing what's already there, making it richer in the absence of human contact?

Although Old Salem Museum and Gardens closed ahead of some North Carolina museums and heritage sites, the door was barely shut before it launched #wegotthis, a series of online events that included the History Nerd Alert and the Old Salem Exploratorium. About a week ago, it began transforming its historic gardens into Victory gardens to support the city's Second Harvest Food Bank. That prompted another online series called Two Guys and a Garden. In addition Old Salem has put its head pastry chef back to work producing 50 loaves of bread a day for the food bank, while its head gardener offers videos on seed starting. 

Does giving back make an organization more memorable? Is it easier to ask, once you've given?  

Last, but not least, Raynham Hall Museum, The Frick (What's not to like about Friday cocktails with a curator?) and the Tang Teaching Museum: All used Instagram before the pandemic, but since COVID-19, they've ratcheted things up, speaking directly to their audience, making connections between collections and past epidemics, illness, inspiration, art and spring. And there are many more museums and historic sites you know who, despite separation, are enriching connections, building bridges, and creating new audiences.

So what makes a difficult thing like separation doable? Ah...wait for it....because maybe it's similar to museum life back when things were normal: How about honest, authentic communication that builds outward from mission and collections to connect with community? Opportunities abound for learning the "how-to's" of social media, but knowing your own site, and your own community, and translating your organizational DNA to images, video, tweets and Instagram, that's on you. Because when the separation is over-and it will be-how will your organization be remembered? As the site that closed its doors and then 10 weeks later woke up like Rip Van Winkle? Or as the online friend who made people laugh, taught them some stuff, and helped out the community?

Stay safe. 

Reposted from Artnet News

A little over three weeks ago, museums’ relied-upon income from tickets, event rentals, and retail essentially fell to zero overnight. Now, museums large and small across the United States are steadily laying off and furloughing staff as they grapple with their new financial reality. Many are hoping to find some relief through the new payroll loan program offered by the federal government—but that process is already proving to be far from simple.

The latest major institution to make cutbacks is the Museum of Fine Arts, Boston, which announced it would remain closed through June 30 and will furlough around 300 staff members—more than 40 percent of its 750-strong workforce—as a result.

The museum estimates that it will experience a loss of between $12 million to $14 million due to the three-and-a-half month closure, according to WBUR. In a statement, an MFA Boston spokesperson said it would “implement cost containment measures, utilize endowment funds to the extent possible, and furlough staff eligible for unemployment insurance and new government programs.” 

The spokesperson added that all eligible employees would receive full health care benefits and the museum planned no layoffs at this time. The MFA Boston’s director Matthew Teitelbaum will also reduce his compensation by 30 percent during this period. (His 2018 salary was $841,921, according to tax records.)

Elsewhere in the city, the ICA Boston is paying all full-time, part-time, and scheduled hourly employees through June 30 and is submitting to the US small business payroll program, a representative confirmed.

No word yet on when museums can expect to hear back on eligibility, but according a Chronicle of Philanthropy report, executives at nonprofits across the country reported confusion “akin to a bank run” when it came to the Paycheck Protection Program, a loan from the government designed to incentivize small businesses to keep their workers on payroll. Complaints included overwhelmed bank websites, confusing information about eligibility criteria, and “a persistent fear the program will leave small nonprofits high and dry in the rush for funds.”

Some institutions are not even in a position to wait to see if they qualify for government aid. The South Street Seaport Museum in downtown New York City said projected revenue losses have already forced it to reduce staff to a skeleton crew. In a statement, the museum’s president, Captain Jonathan Boulware, called the effects of COVID-19 “devastating” and “immediate.” The museum expects operating revenues to be roughly half of what they anticipated.

“We have already taken dramatic corrective action, laying off nearly 20 program staff last week,” he said. “As of next week, every remaining staff member will be furloughed or have their compensation sharply reduced.”

Even more starkly, other institutions are shuttering for good. The Indianapolis Contemporary (I/C), formerly known as the Indianapolis Museum of Contemporary Art, has announced plans to close permanently after 19 years of operation. The board decided it was not “economically feasible” to continue amid the impact of coronavirus and other financial strain.

Those institutions that do have enough financial stability to forge ahead are doing their best to scrimp, save, and reshuffle. The Detroit Institute of Arts, which has already survived serious financial challenges and economic downturns during the city’s bankruptcy, announced today that it would postpone two exhibitions originally scheduled for June, including the highly anticipated “Van Gogh in America,” which will now open in October 2022.

A DIA representative confirmed that the museum, like a number of others we contacted, is working with their bank to apply for federal government support. But at the moment, leadership is preparing the upcoming fiscal year budget and has not made any concrete decisions regarding staff beyond a salary and hiring freeze “for the foreseeable future.” The spokesperson added: “Our priority is to keep our talent and avoid layoffs at this time. As the COVID-19 situation evolves, we will continue to monitor the museum’s financial position and make adjustments if required.”

In New York, the Brooklyn Museum—which also applied to the Paycheck Protection Program—has committed to paying and providing benefits to its full staff, including part-time employees, but only through April 17, according to a representative, “while we explore all possible ways to keep our team as whole as possible during these uncertain times.”

The Morgan Library & Museum has not furloughed or laid off any staff, but it has put in place a six-month freeze on non-essential hiring and a salary freeze for the rest of the fiscal year. “We are actively reshaping and rethinking how we present the museum online and embracing the current moment in which every cultural institution must also become a media company,” a spokesperson said.

Meanwhile, the Queens Museum furloughed 30 full-time and part-time employees on March 30, including front-of-house personnel, curators, educators, maintenance workers, and security staff. Already “in a precarious situation with regards to our cash flow,” according to a spokesperson, the museum was forced to cancel its annual gala, and now anticipates losses of more than $900,000 between now and July. “These losses will have a huge and sustained impact on our operations,” the spokesperson added.

See Original Post

Reposted from Artnet News

With museums around the world still shuttering indefinitely, the financial fallout for institutions remains to be seen. But now, a new survey from the Network of European Museum Organizations offers an up-close glimpse at how museums are coping with the closures, and what the effects on their operations have been.

The survey is still open through April 17, but the first round of responses, from 650 museums in Europe—including every nation in the EU—as well as the US, the Philippines, Malaysia, French Polynesia, and Iran, has already been illuminating. Some of the biggest museums that attract the most tourists have seen 75–80 percent of their income disappear overnight.

Of those institutions that provided figures about income loss, 70 percent are losing more than €1,000 every week the closures continue. At the top end are the Kunsthistorisches Museum Vienna and the Stedelijk Museum and Rijksmuseum in Amsterdam, which say they are losing hundreds of thousands of Euros every week. Private museums are also especially hard hit, with many reporting that they will lose their entire budget during closures, which may become permanent.

Almost every museum that participated in the survey was currently closed, with only a handful of exceptions in Sweden, Austria, and Albania. Many were unsure when they might reopen, with estimates ranging from mid-April to as late as September.

The biggest impact seems to be on international exhibitions, which are being canceled as international loans fall through. Thus far, 70 percent museums have avoided laying off staff, but freelance workers haven’t been so lucky; about twice as many institutions are putting their contracts on hold. And longterm infrastructure projects are being widely paused as uncertainty over budgets and financial prospects grow.

The one sector that’s growing, of course, is museums’ online presence. Sixty percent of respondents have been stepping up their digital game, and 40 percent have seen online traffic go up, some by as much as 500 percent.

The survey includes a call to action, in the hopes that lawmakers will help museums survive these troubled times. “We urge governments to invest in Europe’s cultural heritage in the future, to support what binds us together, while so many other things drive us apart,” read a statement from the Network of European Museum Organizations.

Other museum groups have been pushing for government relief as well, such as the American Alliance of Museums and New York’s Metropolitan Museum Art, which last month called for a $4 billion infusion for the cultural sector. (It got less than five percent of that.)

Now, Italian museum leaders are taking up the cause, calling for the establishment of a “national fund for culture,” the Art Newspaper reports. More than 2,000 signatories, including the heads of National Museum of 21st Century Art in Rome and Venice’s civic museums, have put their name to a Change.org petition that insists that “we have to make Italian culture live, to give it oxygen… [or] the repercussions… on the vast world of cultural enterprise are extreme and could be fatal.”

See Original Post

Reposted from Artnet News

A blast at the construction site of the Humboldt Forum museum in Berlin has caused damage to the building’s entranceway and left one worker injured. On an otherwise clear blue day, thick black smoke billowed up above the historic museum island on Wednesday morning, where the prestigious, albeit controversial, museum is under construction.

After two vats of molten tar caught fire and engulfed construction materials, some 80 firefighters were dispatched to the site. The fire was quickly brought under control, according to a spokesperson from the museum. Officials are looking into the specific causes of the fire more closely, but it seems that it was not caused by premeditated action.

“Because the tar emitted a lot of smoke, it looked really dangerous but it only caused surface damage to the museum’s façade,” Michael Mathis, a spokesman from the museum tells Artnet News, also confirming that a worker was unfortunately injured from smoke inhalation. He said that the museum’s planned partial opening in September will not be delayed due to the incident. The opening has already been pushed back one year from its original date in fall 2019.

The spokesman added that the global health situation is currently posing a much more considerable threat to the institution’s planned opening, as it has created delays in the delivery of building material, and impacted the workers’ ability to be on the site. Berlin is on lockdown, with most businesses closed, though construction sites are exempt from the ban. A statement from the museum says that officials will be consulting on the progress of the construction work in the second half of April.

“The pictures of the fire above the castle portal scared us all,” German culture minister Monika Grütters says in a statement, expressing her thanks to the actors on site “for being so level-headed and carrying out the evacuation very quickly.”

Set in a rebuilt royal Prussian palace, the Humboldt Forum will host non-European ethnographic collections and an Asian collection. The $700 million development project has ignited fierce debate in Germany on the subject of the restitution of objects acquired during the colonial era. Germany had several colonies in eastern Africa, including Namibia, and the country’s state collections contain Benin Bronzes that are known to have been looted by British soldiers from Benin City, modern-day Nigeria, in 1897.

See Original Post

From IFCPP 

Under normal circumstances (when open to the public), many museums, libraries, historic sites, live collection institutions, and other cultural properties staff their facilities 24 hours daily, to include late night patrols and monitoring station/control room operators. IFCPP is not, by any means, recommending elimination of these positions during current closures. If you can afford to do so, these positions should be maintained (and even strengthened) during current closures. Personnel making nighttime patrol rounds should be following predesignated routes either electronically or by written instructions. Any activity or facility irregularities should be documented and acted upon as soon as practically possible. Security control room staff should be acting in accordance with established Post Orders, and a current manual of operations. All such positions should be regularly checked by supervisory staff, at all hours.

There are, without a doubt, numerous institutions unable to continue after-hours staffing due to budgetary restrictions. Many other cultural properties are only able to lock the doors after normal business hours and hope for the best. During current closures, institutions are forced to maintain irregular and continually changing hours of operations and staffing.

The security of most institutions is also dependent upon properly selected, installed, monitored, and maintained electronic systems.  As we all know, there is no guarantee that all systems are always operating as intended, or properly reporting conditions as expected. 

What steps may be taken to enhance the protection of the institution, without the presence of around-the-clock security staff, and possibly, without the physical presence of security personnel at any time during current closures?  Valuable collections warrant special protection measures, even when budgets won’t allow for the staffing we would prefer.  The following measures should be taken into consideration:

Secure the perimeter.  Any and all access points should be properly protected.  These include doors, windows, ventilation screens, elevator shafts, skylights, rooftop access, loading docks, or any other place where entry may be gained.  Each of these points should be alarmed, or secured with impenetrable bars or grates.

Alarm systems should be selected and/or upgraded after a professional process has determined the most practical and cost-effective systems available.  Every device on the system should be tested in accordance with manufacturer specifications. Current closures might provide a convenient opportunity to test all security and fire protection systems while visitors are not present.

Video surveillance should cover the perimeter of the building(s), recording all motion, at all times.  Collection storage and all exhibit areas should be monitored by video surveillance as well. IP-based systems allow authorized users to view live video remotely, from any location where Internet access is available.

Locking systems should be modern systems with limited distribution of keys and keycards, especially for perimeter doors.  All exterior and some interior doors should be protected by electronic alarms and locking systems.  Distribution of keys and keycards should be closely tracked, with recovery of keys at the time of termination of employment (or extended leave). Keys accessing collections storage spaces and other sensitive interior areas should not be taken out of the building, and stored in secure key cabinets. These keys should be checked out and tracked, via electronic software or hard-copy logs.

Monitoring of electronic security and fire protection systems should be by a UL Certified Central Alarm Monitoring Station, with alarm transmission by reliable communications systems. Backup/redundant transmission should also be installed, and alarm panel back-up batteries should be inspected and replaced every 3 years.

A third-party (contract) patrol service, should be retained (or available through an advance service agreement) to perform regular perimeter checks on all facilities, and/or supplement existing security personnel, as needed.

Please contact us if we can offer direction or advice for your specific concerns.

Stay safe and healthy as we all weather the storm together!

Reposted from Security Management Magazine

Many security leaders tout the importance of excellent customer service, and guard force managers are frequently tasked with ensuring that their officers are on point. But how many security managers have ever taken a moment to look behind the curtain and examine the psychology of first impressions?

Understanding first impressions is invaluable in the field of security operations. Frontline security officers are often the very first salespeople for businesses, so their appearance and body language are both key. And the psychology of first impressions also applies to physical spaces, which may set the tone for user experience even before the client walks through the front door.

Yet despite their importance, first impressions in security operations are often underestimated and misunderstood by leadership.

Lightning Fast, Yet Weighty

A common axiom that circulated for years held that an individual has seven seconds to make a good first impression when meeting someone. However, the latest psychological research reduces the seven-second window considerably. In fact, scholars like Alexander Todorov argue that it takes only one-tenth of a second to establish a first impression.

In his book Face Value: The Irresistible Influence of First Impressions, Todorov describes a study in which participants were shown face photos of two actual (but unknown to the participants) political candidates in a real election. The participants were asked to decide which face looks more “competent.” Most chose the same face—they seemed to agree on what “competence” looks like.

Moreover, this judgment of perceived competence was also a largely successful predictor of who would win the election. The candidate whose face most people saw as “competent” also turned out to be the election winner. Essentially, the study illustrated Todorov’s theory—within one-tenth of a second, individuals make a judgment about a person’s competence, intelligence, and trustworthiness, and that judgment affects the way they make decisions.

This does not mean that first impressions are necessarily accurate. However, the brain makes these assumptions at lightning speed based on what information is immediately available. Given this, it seems only natural to ask: how much weight do first impressions carry?

Let’s take a quick look at a U.S. president to answer this question. In Malcolm Gladwell’s book Blink: The Power of Thinking Without Thinking, the author explains how Warren G. Harding, the 29th president of the United States, started his political career with a great first impression—one that went way beyond the example of competence cited earlier in this article.

“Many people who looked at Warren Harding saw how extraordinarily handsome and distinguished-looking he was and jumped to the immediate—and entirely unwarranted—conclusion that he was a man of courage and intelligence and integrity,” Gladwell writes. Ultimately, Harding turned out to be a bad president, according to majority consensus; history has assessed him to be corrupt and incapable. The lesson here is that regardless of whether a first impression is accurate, it can be very powerful.

Why do we give so much weight to our first impressions? In The Art of Thinking Clearly, author Rolf Dobelli explains that this phenomenon of making substantial judgments based on a first impression is called the halo effect. “The halo effect occurs,” Dobelli writes, “when a single aspect dazzles us and affects how we see the full picture.

In the case of Harding, voters were so impressed by his dazzling physical presence that they attributed several admirable qualities to him. “The halo effect increases the weight of first impressions, sometimes to the point that subsequent information is mostly wasted,” writes Daniel Kahneman in his book Thinking, Fast and Slow.

Thus, even if the first impression is wrong, it carries great weight. It has sticking power; it is difficult to dislodge. Effectively, if you make a bad first impression, it may take a disproportionate amount of time and effort to reverse the negative effects.

The Formation of Security Impressions

The speed and weight of first impressions come into play in the context of corporate security. Think of all the interactions security staff may have with employees, clients, and visitors. In the security operations world, interactions are often very short, sometimes involving little to no conversation. Yet impressions are quickly forming.

Let’s start at a front gate, where vehicles enter a corporate campus. An employee pulls up, looks at the officer, produces a badge, and keeps driving.

The research shows us that, even with less than a second’s worth of interaction, the employee will likely make a range of judgments about that security officer, and potentially make even broader assumptions about the entire corporate security team of the company. Those impressions may or may not be accurate, but research shows us that these judgments will likely be lasting ones.

Given all this, it is fair to assume that most security leaders would like for that first impression to be a positive one. Especially when one considers the strategic importance of first impressions in various key situations.

For example, imagine a scenario where a company is looking to hire a senior-level executive for a crucial role. Looking for the cream of the crop, the firm conducts a national search, with interviews held at the corporate headquarters. When the candidates arrive at the campus, the first person they meet is the uniformed security officer at the front gate. Imagine the ripple effect of a positive or negative first impression of that officer.

Now, imagine the company is also hosting a prospective client at the same campus, with a major sales deal on the line. The client faces the same first impression experience at the front gate, with the same gate officer. A negative first impression could hurt the deal’s chances for success.

Impression Ingredients

In sum, if security personnel are literally on the front lines of the business, it is critically important that they make the best impression possible. But what goes into an impression?

The easiest way to approach this topic is by distinguishing between impressions of people and places. In the context of corporate security, various people may represent a security team, from frontline officers to leaders who represent the corporate security function in board meetings, sales meetings, and audits.

However, first impressions extend beyond person-to-person interactions. Physical spaces and components thereof—like front lobbies, perimeter fences, or even lighting—can contribute to a first impression of a brand or company location.

Start by understanding some key ingredients to the “people” side of first impressions.

Uniform messages. What should security officers’ uniforms look like? The answer is more important than you might think.

There is a surprising amount of research devoted to the psychological effect of uniform color. In an article in Made to Measure, The Uniform Magazine,Bernadette Doran explains how different colors can directly affect moods. Black uniforms, for example, are associated with “anger, hostility, dominance, and aggression.”

In the article, Doran discusses a study in which participants were shown a variety of potential police uniforms then graded them as good or bad, nice or mean, and in a variety of other ways. “The all-black color scheme was viewed most negatively on six of the seven scales,” Doran writes, “and the light blue shirt and navy blue pants created the most positive impression on all seven scales.”

In the corporate security context, when a visitor encounters a front gate guard, a security receptionist, a foot patrol officer, or a guard force commander, usually one of the first things noticed is the uniform, if one is being worn. Managers should consider how the uniform helps inform the impression of the security officer. Does it make the officer seem friendly and approachable, or aggressive and intimidating? And whatever the effect, does it match the intended image of the operation?

For example, it may be appropriate and consistent for uniforms at a top-secret nuclear weapons testing facility to be more on the intimidating side. But the security department at a Fortune 500 corporate headquarters complex might want to convey a more welcoming and friendly impression.

Is the security team’s appearance in line with the intended impression? Security leaders can gain additional insight by asking core stakeholders how the security team’s appearance can contribute to the intended impression of the office and operation overall. Strive for message consistency: If stakeholders want to project a friendly and welcoming environment, black-on-black uniforms should likely be avoided. Something as simple as the color of a shirt can be more impactful than many assume.

Body language. Most security leaders know quite a bit about body language. Investigators often rely on body language to help determine if someone is being truthful, deceptive, or just nervous. Body language is just as important when it comes to informing a first impression.

According to a study by UCLA professor Albert Mehrabian, body language is the single most powerful piece of information for the creation of a first impression. In fact, according to research, 55 percent of the impression is derived from body language and appearance, 38 percent from the person’s voice, and 7 percent from the person’s language.

For example, a security officer is standing at the gate in a neatly pressed blue uniform. A visitor pulls up to the front gate to check in for a meeting on campus. The visitor cheerfully says, “Good morning, officer!” The officer, with arms crossed and eyes looking at a computer screen, quietly says, “Good morning,” with a serious face and pursed lips.

Think about how quickly this first impression has gone downhill. In the same interaction, different body language and tone of voice could have reversed the first impression. In that scenario, the officer’s arms aren’t crossed, he is making direct eye contact with the visitor, and he cheerfully says “Good morning” with a smile on his face. In an interaction that lasts for less than seven seconds, body language and tone of voice are absolutely crucial in determining the nature of the first impression.

A Sense of Place

A prime example of location-based first impressions is familiar to most homebuyers: “curb appeal.” In an article on the Dig This Design online publication, Susan Daniels says this about the concept: “Improving the exterior of your home with paint or new siding goes a long way towards making great first impressions.”

Of course, making a bad first impression is also possible. As Daniels explains, “In any form, clutter makes your property look uninviting. Any passerby looking at the property will look away if it’s cluttered.” Like first impressions of people, first impressions of physical spaces can be made quickly and be based on limited observation. Just as with people, the first impression of a place may or may not be accurate, but it nonetheless influences judgments and decisions.

In a security context, certain design and architectural decisions, such as perimeter fencing and guard houses, can have a direct impact. Security professionals often capitalize on these features so that they will have a deterrent effect in the crucial first impression phase.

But this effect can be taken to another level. The design of lobbies and workspaces can also have a direct emotional and psychological impact on those who use them, from the moment of entrance. That impact also relates back to the perceived security of a place.

While security directors are not architects, it is still imperative to spend time on determining where design, architecture, and security intersect, and to be mindful about that intersection point.

Luckily, there is plenty of research to educate us about this intersection point. In the foreword of the book Inquiry by Design: Environment/Behavior/Neuroscience in Architecture, Interiors, Landscape, and Planning, John Eberhard writes, “We know now that certain levels of light and noise in neonatal care units can interfere with critical sensory development in premature infants. We know that specific features of their physical environment can support healthy behavior among people with Alzheimer’s disease.”

Such research makes it clear that physical spaces can and do have an impact on health and well-being. These spaces can also affect stress and anxiety levels.

Other types of physical spaces can also have calming effects, as researchers discovered in the Oregon prison system.

In her article “Using Nature Imagery to Calm Prisoners,” Janice Wood describes a unique experiment in Oregon in which nature videos were shown to a certain population of maximum-security prisoners during their daily exercise period. The results were impressive. According to Wood, “Inmates told researchers they felt calmer after watching the videos, with the calm emotions lasting for hours…. They also reported that they felt the videos helped improve their relationships with staff, and that remembering the videos helped them calm down when they were angry.”

Not only did the prisoners report on the positive emotional effects of the nature imagery, but there was also a measurable impact on behavior. The experiment results indicated that the prisoners who viewed the videos committed 26 percent fewer infractions than the prisoners who did not.

Other studies have also revealed the connection between physical design and mental health. This connection quickly links to risk factors that relate to violence at work. If a space can be designed with intentional calming effects in an effort to reduce stress, could this design also help decrease the likelihood of an act of workplace violence?

During design, new construction, or renovations, it behooves security professionals to think beyond the basics of fences and turnstiles. Those are indeed important, because they are an important part of a first impression for a visitor, client, or employee. But it is equally important to envision the entire office environment, and how it can help provide holistic and sustainable safety for all of those who enter.

Security leaders may not be architects, but they can still can add value to the planning and decision-making process by being able to articulate the connection between design and the ultimate goal of creating a safe place.

Takeaway Tips

The research cited above provides a few key takeaways that security managers can act on, almost immediately, to help leverage the power of the first impression.

Both body language and uniform color play a key role in forming a first impression. Given this, it is crucial to examine how frontline personnel are trained to portray themselves—verbally, visually, and with body language—when interacting with customers.

Similarly, teams should be empowered to examine all of the ways in which they interact with stakeholders.

Security leaders should take the time to interact with stakeholders and ask what the security team can do to further promote a welcoming, safe, and healthy environment. What type of work environment are site leaders hoping to provide to employees? Security professionals can seek ways to add value to that vision. This could be done through well-trained and well-informed personnel or through recommendations for physical designs that contribute to mental health and positive, long-lasting first impressions.

See Original Post

Reposted from Security Management Magazine

A round lock sat in the front of Joseph Bramah’s shop in London with a challenge displayed on the window: whoever could pick the Bramah Precision lock would win 200 guineas (roughly $30,000 today). That challenge would remain for 67 years until A.C. Hobbs—an American locksmith—took up the gauntlet.

Hobbs brought a great deal of experience to the table. He had gained recognition in America for demonstrating to bank managers that their locks could be picked, so they should be replaced with locks of his own invention.

At the Great Exhibition hosted in London in 1851, Hobbs announced after successfully picking a Chubb “Detector” lock that he would open Bramah’s creation. Bramah’s sons set Hobbs up with a workspace above their shop. For 52 hours, Hobbs worked at the lock until he successfully picked it.

Hobbs’ success became known as The Great Lock Controversy, striking fear into the hearts of everyone who had previously used the Bramah lock—including the Bank of England—because they believed it could not be picked. Their sense of security was shattered.

Since then, methods for locking doors and controlling access have changed with the times and technology advancements. Now, instead of having a guard monitor and log when a door is unlocked and opened in a facility, and then verify that that individual is allowed to do so, most organizations rely on access control systems. And often, these systems are connected to the Internet—making them vulnerable to cyber intrusions.

“Older access control systems were not meant to be tied to the building network or the organization’s network,” says Coleman Wolf, CPP, CISSP, senior security consultant for Environmental Systems Design, Inc., (ESD) and a member of the ASIS International IT Security Council. “There are adapters that can be used to put those on the network. They function just fine. I can access the control panel from my desk, but the security isn’t always the best.”

The access control system is “meant to provide a function, but either the device was not built to have password protection or the person who installed it wanted to get it up and running, so they didn’t put in the effort to install the security with it,” Wolf adds.

The Basics

By connecting an access control system to the Internet, the system becomes part of the Internet of Things (IoT). Typical IoT devices include thermostats, electrical outlets, light switches, refrigerators, smart speakers, and doorbells. They also now include—in the security arena—cameras, alarm systems, smoke detectors, locks, and other access control devices, says David Feeney, CPP, PMP (Project Management Professional), and advisory manager of cyber and physical security risk services at Deloitte.

“Before IoT, everything that was connected to a network was a network device in the traditional sense,” explains Feeney, who is past chair of the ASIS Physical Security Council. “Now, almost anything can be a network device. And while the computer industry has had decades to incorporate security into its products, services, and overall DNA, IoT is essentially a toddler—growing rapidly but with most of its maturation still ahead.”

All of these IoT devices face a “gauntlet of cyber threats,” Feeney says, including malware, man-in-the-middle attacks, brute force attacks, dictionary attacks, IP spoofing, denial of service and distributed denial of service (DDoS) attacks, session hijacks, and more.

“The difference that IoT brings is that the attack surface—the aggregation of all points at which an attacker can gain access—is now exponentially larger once access control and other IoT devices are added to the network,” Feeney adds.

It might seem obvious why someone would want to compromise an access control system: to unlock the doors to a building to gain entry.

“The first thing that people think about is that once they’re inside the system, they have control over the system so they can unlock doors or disable sensors—things that are part of the actual mission of the access control system itself,” Wolf says.

For instance, in a worst-case scenario at a highly controlled environment like a hospital, a compromised access control system could be used to lock surgeons out of an operating room or open doors to the pharmacy.

But there’s another equally concerning reason someone might want to hack an access control system, Feeney adds.

“Your natural first thought might be that access control systems are attacked because attackers want to gain access to an area, and the system is standing in their way,” explains Feeney. “That is one reason. But the reason is often that an attacker simply wants access to the network, and an access control system is as good an entry point as any other.”

Regardless of the method of infiltrating an organization, attackers are often looking to infiltrate the network and then move within it to gain access to more sensitive or valuable information.

Hackers used this method during the infamous Target breach in 2013. They compromised a third-party vendor, obtained valid credentials from an unknowing authorized user, and connected to Target’s network using its vendor-portal process. The malicious actors then leveraged this access to obtain payment card data and personally identifying information about Target customers.

“Maybe there are employee databases where they could steal information,” Wolf says. “Or they could use that access to spread ransomware, where files and systems could be encrypted and held hostage—forcing the organization to pay to free up that information.”

Leveraging an intrusion into the access control system to the organization’s building system could also pose safety risks to employees—such as setting off a fire alarm—or equipment.

“If you’re able to control the HVAC system, you could prevent cooling of data center space, so servers start to overheat and fail,” Wolf says. “And that can cause interruption of business or operations.”

Mitigating Existing Risk

Despite the numerous vulnerabilities that exist, there are myriad ways to mitigate the risk of compromise to an access control system.

“I work with a lot of clients who don’t have any drawings of where their devices are—they are flying blind,” Wolf says. “They don’t know, if something goes wrong, where to go and what component to look at.”

The first step for security pro­fessionals with an existing access control system that is connected to the network is to fully understand the system—where the readers are, how it works, how it is connected to the network, who has access to the system, and who has administrative privileges over it. Then, all that information should be documented.

“Identify where everything is and, probably most importantly, how those devices intercommunicate with each other and the outside world,” Wolf adds. “An Internet connection is one thing, but with older systems we’ll see a DSL line or dial-up modem connections to systems so a contractor can log in and make changes to the system.”

These systems may have been installed decades ago. People often forget about those connections, which could be used by malicious actors to infiltrate access.

Wolf also recommends security professionals working with an existing access control system connected to the network assess if it meets the organization’s current security requirements.

Starting from Scratch

For those in the fortunate position of installing a new access control system, the process should start with a “soul-searching discussion” on the risks and benefits of connecting that system to the Internet, Feeney says.

“If there isn’t a significantly com­pelling benefit to essentially adding a door to your network, it is arguably not worth doing,” he explains. “In the case of access control, there may be a strong case for doing this—especially if the desired end goal is moving to the cloud. In this case, be sure to leverage best practices to incorporate security into your new network architecture.”

The organization should consider if the access control system should be on a network separated from other assets. Doing this will help mitigate the risk that an intruder will use the access control network to obtain corporate information.

“If the ultimate goal is to move your access control system to the cloud, this network separation can still be done at the organization level,” Feeney says. “The separate access control or IoT network will connect to the cloud infrastructure. The original corporate network will separately protect all other assets. So, if the access control network’s connectivity is compromised, the attacker will not get access to the corporate network.”

Once a decision is made about what network the system should reside on, the organization should designate who is responsible for that network and the day-to-day management of it. This is critical because the system will require regular patching and updates to mitigate new security threats.

“Often an organization’s IT department is better equipped to maintain the system because—if they’re a good IT organization—they will have a patch management process in place to make sure that the network switches and all the network servers are up to date,” Wolf says.

When purchasing the actual access control system, the individual responsible—such as the physical or IT security representative—should ask vendors how data from the reader to the master console is protected, says Darrell Brown, CISSP, information security program manager at La-Z-Boy Incorporated and member of the IT Security Council.

“Is that data in transit encrypted? At what level? And what is the right fit for my company?” Brown adds.

Organizations should also ask how often the vendor itself issues patches to its products, and what the process for issuing those patches is.

“Proactively query your providers about patches and security updates to your hardware,” Feeney recommends. “Many access control devices traditionally get patches because customers request a feature or report an error that requires the patch. Instead, patch these devices like you do your computer—proactively as part of a comprehensive security strategy.”

Organizations should also have a robust master service agreement that outlines expectations and the responsibilities the vendor has to the organization.

“Have clear lines that delineate who owns what part of the system,” Brown adds. “Who’s responsible? Where’s the backup? Is there a backup? How do we ensure failover to it?”

And while the system is being installed and implemented, security professionals should ensure that the process follows best practices for maintaining good cyber hygiene. This starts with disabling default passwords to create strong, unique passwords for the system, and limiting administrative privileges.

ESD frequently encounters operating systems set up to automatically give administrator privileges to any users.

“Most people don’t need that, and by restricting that, you’re ensuring that if a bad guy were to gain access using one person’s credentials, they wouldn’t have the ability to have administrative rights over the whole operating sys­tem,” Wolf says.

Access control systems, like all locks, can be compromised by motivated actors given the right circumstances. Security practitioners should not assume that the system itself is secure.

“Security is ideally a shared responsibility between consumer and provider,” Feeney says. “You’ll find this to typically be the case. But where the separations of responsibilities lie can differ greatly. For that reason, always check your service level agreement to understand what security responsibilities your provider has and what is left to you as the consumer.”

See Original Post

Reposted from Security Management Magazine

Who would the CEO of your organization most likely invite to a round of golf: the CFO or you? The answer to such a question would be revealing—and it shows a great deal about security professionals and how they are viewed by their contemporaries.

It has become a truism that in order to maximize effectiveness, one must have a seat at the table in the C-suite. And communication skills will likely play a paramount role in whether or not the organization’s ranking security professional ultimately earns that seat.

Business executives realize that, like it or not, their usefulness to others is regularly assessed and measured. That continual evaluation is reality. Security professionals who aspire to earn a place in the C-suite should realize that this situation is their reality, too.

Given this, security professionals who regularly speak and write in the language and style of the military and law enforcement run the risk of being valued differently from those who have MBAs and can communicate in the language of a modern business executive. Regardless of the ultimate value of their contributions, if security professionals communicate more like law enforcement officers than business executives, they will eventually be treated as such, and be compensated accordingly.

Much has been written on the broad topic of management and leadership development. But there is less guidance on the more specific area of executive communication, and the importance of these skills to the leader’s success. This is unfortunate, because in the workplace the language and presentation of an idea can be nearly as telling as the idea itself. Sometimes, a staffer will take his or her cues from this language when trying to evaluate the significance of the idea itself. A sound idea, poorly expressed, can be unfairly dismissed.

Getting on the Same Page

First and foremost, security professionals must recognize that one’s professional success is not just the product of doing a job well. It also depends on the ability to effectively communicate and adapt.

A manager cannot succeed by resting on the laurels of past accomplishments. However justifiably proud a security professional is about past accomplishments and successes, he or she should realize that current customers—whether internal or external—were not necessarily the direct beneficiaries of those past triumphs. In order to provide value, professionals must be able to continually and effectively communicate with colleagues and customers whose needs and expectations are in the present.

Consider that the three most used business language phrases in 2018 were “we’re on the same page,” “action plan,” and “game changer,” according to linguists. These terms are still heard frequently in workplaces, including security departments. Why might this be?

These phrases imply the need for action. When used in conversation, they communicate recognition of the increased productivity that will likely result when people get on the same page and agree to pursue a well-considered action plan. When executed properly, the resultant output is often a game changer. The phrases themselves may be getting a bit shopworn, but they still reflect the importance of teamwork and effort.

In addition, “getting on the same page” also has relevance when considering effective executive communication. To be on the same page as a C-suite executive often requires the ability to adopt a higher-level perspective.

For example, a manager is briefing the CEO about a security-related operational development. Before the conversation starts, the security professional should consider how the situation might look from the CEO’s perspective: How might this security development impact the company as a whole? Is there any long-term significance for the company? Can this development somehow help enable overall business growth?

Considering similar questions in advance—including how security can contribute to these business goals—helps a security professional show that he or she is on the same page as the executive. This preparedness and consideration helps establish the manager’s bona fides as a voice worth listening to.

Communicating big picture impact may also assist a manager with another key communication component: getting to the point. Most C-suite executives have multiple demands on their time, so a security briefing that seems to go on and on may not be well received. Big picture summaries serve as an effective way to end the communication: “The bottom line here is that this situation could be pervasive enough to impact…” Proposing solutions can effectively underline the conversation, but here the manager must be careful. In some cases, a solution may not be apparent, and it is dicey to suggest one that has a high possibility of failure.

Nonetheless, it is advisable for the manager to prepare for possible questions. For example, the manager can think about what might be unclear, especially to a non-security specialist, and have a thumbnail explanation at the ready. This can help professionals avoid getting bogged down with unnecessary detail as they struggle to explain concepts. If a manager is not exactly sure what the root of the confusion is, clarifying questions (e.g. “So what you want to know is how the funding aspect works?”) can help, so the manager does not waste executives’ time providing the wrong information.

In conjunction with preparing for questions, it may also be helpful for professionals to keep any arguments or proposals they are making as tight as possible. Avoid exaggeration or alarmism when discussing a problem. Double-checking statistics and spending time on the logical flow of arguments are good ways to do this. This can take additional preparation or a rehearsal, but it is usually worthwhile.

Know Your Audience

For many security professionals, the majority of communications involves staff and coworkers, as opposed to C-suite executives. In most workplaces, employees vary in age, but recently a relevant trend has emerged. Millennials—people born between 1981 and 1996, currently aged 24 to 39, according to the Pew Research Center—are now the largest generation in the U.S. labor force.

By dint of this statistic alone, it is likely that a sizable portion of most companies’ employees will be in this age range. And a tried-and-true rule for communication is to know your audience. Social change and dynamics are shifting rapidly in many workplaces today, and clear and appropriate ex­pres­sion is more important than ever. If a company’s workforce is majority mil­len­nial, it behooves a manager to know some of this age group’s common qualities and attributes, so that com­munication style and content can be shaped for maximum effectiveness.

Those who study generational differences and behavioral patterns say that many millennials bring vitality and passion into the workplace, plus a strong desire to be heard. Many millennials also tend to openly seek recognition, fairness, and justice, regardless of their place on the organizational chart. For them, the rigidity and dogma of the past are obstacles to progress.

Security professionals should consider what these characteristics mean in terms of communication effectiveness. Millennials’ strong interest in being heard suggests that professionals should ensure their communications solicit input and feedback. Younger employees’ interest in seeking recognition suggests that professionals should regularly recognize them in their communications. And their interest in fairness and justice suggests that managers should pay attention to those factors when explaining company policies and actions.

Speak To, Not At

While some communication methods suit certain demographics over others, some tips are universal. For example, always speak to someone, not at someone.

When verbally communicating, a manager should not attempt to either impress or suppress the other party—he or she should not try to approach the conversation as a competitive contest in which the winner wrests control from an opponent. Unfortunately, some professionals do strive for conversational control, either by piling on self-acknowledgments or actively minimizing the partner’s participation.

Instead, a manager should strive to acknowledge the conversation partner’s point of view. Doing so validates the other party and demonstrates the manager’s interest in their input. Such an acknowledgment reflects active listening, and it communicates positive recognition. In addition, such acknowledgment may lead to further discussion of their idea. This can give a manager more insight into the idea, and ultimately he or she can respond more intelligently.

Electronic Communication

As remote workforces expand and digital communication becomes the default, a manager should err on the side of professionalism.

When communicating electronically, avoid shouting. DO NOT USE ALL CAPS or end your message with “..……,” “??????,” or “!!!!!!!”. The overuse of casual text abbreviations (lol, omg) should also be avoided.

Some experts recommend that, when replying to emails, a manager should always take an “executive pause” before firing back an angry reply. If the email that the manager has received is a provocative or accusatory one, the manager may want to set it aside and come back to it later, in order to send a more measured response.

Remember also that electronic communications, including text messages, are discoverable in the event of litigation. Childish or disrespectful communications can be embarrassing or worse for a security manager if he or she must later testify before a judge or magistrate.

In addition, curtail multitasking. Emailing while chatting with a coworker is not only rude, but it hinders the manager’s ability to learn. Verbal communication in the workplace is a great way to exchange information. While multitasking is sometimes praised by professionals as a way to enhance productivity, it can produce misunderstandings when mixed with verbal communications.

In addition to verbal and electronic communication, be aware of body language.

Many human resources professionals and some security professionals have received training on the use and interpretation of body language. This can often be useful.

For example, experienced fact finders know that when they are being told something less than truthful during an investigatory interview, putting down their pen and notepad silently communicates disbelief of what was just said.

Looking away during a conversation demonstrates a lack of interest in what is being discussed. Managers must be mindful of these messages.

Body language offers a manager an effective way to convey openness with a clear listening stance. Giving executives and coworkers alike full and comfortable attention while speaking, without distracted gestures like fidgeting and checking the time, is a boon for effective communication. It conveys interest and respect, and it engenders confidence that the communication will be productive. It also shows that a manager leads by listening, which in the end is one of the most quietly effective leadership styles of all.

See Original Post

Reposted from ZDNet

The vast majority of ransomware attacks targeting the enterprise sector occur outside normal working hours, during the night or over the weekend.

According to a report published today by US cyber-security FireEye, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during nighttime over the weekdays, and 27% taking place over the weekend.

The numbers, FireEye said, were compiled from dozens of ransomware incident response investigations from 2017 to 2019.

The reason why attackers are choosing to trigger the ransomware encryption process during the night or weekend is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.

If a ransomware attack does trigger a security alert within the company, then there would be nobody to react right away and shut down a network, or the short-handed staff would have a hard time figuring what's actually happening before the ransomware encryption process ends and the company's network is down & ransomed.

FireEye says that most of these types of sneaky nighttime/weekend ransomware attacks are usually the result of a prolonged network compromise and intrusion.

The cybersecurity firm says that ransomware gangs breach a company's network, spend their time moving laterally to as many workstations as possible, and then manually install ransomware on all systems and trigger the infection.

The time from initial compromise to the actual ransomware attack -- known as a "dwell time" -- is, on average, three days, according to FireEye.

The rise of human-operated ransomware attacks

In all these cases, the ransomware is triggered at the attacker's behest, and not automatically once a network is infected -- which has been the old mode of operation for most ransomware strains.

Today, most ransomware gangs are in full control of their ransomware strains and they very carefully decide when it's the most suitable time to lock down a network.

Microsoft calls these types of incidents "human-operated ransomware attacks." In a report published last week, the OS maker included tips on securing networks and setting up detection rules to spot ransomware gangs during the "dwell time," and before they trigger their final payload and lock down companies.

FireEye said that since 2017, human-operated ransomware attacks have gone up 860%, and incidents now impact all sectors and all geographical locations, and not just North American companies.

In the cases FireEye investigated the most common infection vectors were:

Brute-force attacks against workstations with RDP (Remote Desktop Protocol) ports open on the internet Spear-phishing against a company's employees and using one infected host to spread to others
Drive-by downloads (employees visiting a compromised website and downloading malware-infected files).

Just like Microsoft in its report last week, FireEye is now urging companies to invest in deploying detection rules for spotting attackers during their pre-infection "dwell time."

"If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection," FireEye said.

See Original Post

Reposted from ArtNet News

It is hard to believe, but it was less than five weeks ago that Madrid’s art museums were thronged with visitors and its international art fair, ARCO, was in full swing. Now, the city’s art institutions are shuttered indefinitely and the fair’s venue has been transformed into a temporary field hospital. The director of Madrid’s Reina Sofía Museum has been working to keep his institution operating remotely in the hopes that it can serve as a beacon to those looking for inspiration. He reports that although some of his staff members are sick, none have died, and that they have kept their jobs thanks in part to Spain’s governmental assistance program. Borja-Villel has led Spain’s national museum of Modern and contemporary art since 2008 and also serves as a leading member of the Institute of Radical Imagination. As experts predict the coronavirus death toll has peaked in hard-hit Spain, the curator and art historian reflects on what the pandemic might mean for society and cultural life in the future.

Nobody could imagine this a month ago. Many of us were complaining about the state of the world in general, about how the health care system had been weakened, about the need to care more for nature, but no one could have imagined the emergency would develop so quickly, and that things would go this badly. There will be a “before” and an “after” this crisis. It will be a paradigm shift, just as everything changed after World War II.

The economic effects are going to be almost like a postwar situation when it is clear that what has happened is that the system failed. Things should not be like they were before. We will need something like a Marshall Plan for society and, of course, for culture—not to rebuild things as they were, but rather to imagine new worlds in which caring for other people and other species should be central.

In the art world, there are many things that need to be reconsidered. Eventually, museums will reopen, but will people be afraid of being close to one another? Will we be able to continue developing large exhibitions that are anti-ecological? Maybe blockbuster exhibitions are over. Maybe we should think more about process and research. 

When the Reina Sofía reopens—certainly to begin with—we will have to limit the number of people in the Guernica room. But in addition to managing visitor flow safely, we also need to be careful that we do not turn into a society in which people are not empathetic, in which they are afraid even to touch each other. We cannot let public spaces disappear. There is an element of joy, of learning, and of democracy in being together with other people. 

Right now, we are working with l’internationale, a confederation of European museums, to curate a visual manifestation of the balcony singing that has become so popular and uplifting in Italy. We have invited 14 artists initially to participate, but everybody will be included. We are asking them to create an intervention in their window, or on their balcony. They have complete artistic freedom, of course, but we are asking them to reflect on what it means to be on lockdown, and to imagine a better future. It is important to remember that human beings cannot be separated from nature, the importance of joy, and the importance of care.

Fortunately, we have always been big believers in archives, so we have a huge resource that until now we have not been able to fully activate. We also have a radio program, we have videos, we have documents on our website. We are now working to make more of this material available for free. We always imagined that, eventually, we would make it free, so we have already paid for the rights. 

At the same time, we are developing new programs online. One is a poignant lecture by the art historian José Emilio Burucúa, which he was supposed to deliver at the museum. He traveled through Paris but was caught there when the lockdown began. When he went back to Argentina, he had to go into quarantine, so we did the lecture through Zoom. It was very emotional. The title was, “Like a Bird, Hope Flies.”

See Original Post