As if securing our organizations wasn’t already complex enough with myriad bad actors and tactics, we now must factor in the growing insider threat to organizations.

In military terminology, the insider threat is a “fifth column”—one or a group of insiders who secretly sympathize with or support an enemy and engage in acts of espionage or data gathering for the larger group’s planning efforts, or subversion, thus destabilizing the organization from within.

 The U.S. government has several insider threat programs to protect can’t-fail national special programs, including those in the nuclear realm. Information and lessons learned from this realm would be of benefit to other organizations struggling to address their insider threat challenges.

At 11:30 AM ET on Wednesday 29 September, Jennifer Hesterman will present on Insider Threat: Cross Applying U.S. Government Strategies to the Private Sector. Hesterman joined ASIS TV host Chuck Harold to discuss this topic. Register for an All-Access pass to attend this session digitally or in-person.

There are six questions that are always asked in post-incident reports. If we can answer these questions in post-incident reports, why can’t we answer them while an at-risk individual is progressing up his or her pathway to violence?

At 2 PM ET on Wednesday 29 September, Jason Destein and Rick Shaw will present on the Six Fundamental Questions That Identify At-Risk Individuals on Their Pathway to Violence. They will discuss the pathway to violence and examine the stages where the warning signs exist and what methods are available to discover a pathway to prevention.

Destein and Shaw join ASIS TV host Chuck Harold to discuss this topic. Register for an All-Access pass to attend this session digitally or in-person.

While monitoring for root causes of insider risk and addressing precipitating events in the insider-threat kill chain are established best practices, political extremism represents a unique challenge. On one hand, employee extremism can threaten the organization’s workforce, brand, and reputation and may result in significant financial loss. On the other hand, organizations must consider legal issues, free speech rights, privacy interests, employee morale, and workplace culture.

While not easy, determination of a “comfort zone” between these competing factors, tripwires, and response plan must be done in advance. Using case studies as illustrations, presenters of the Political Extremism and Insider Threat Early Warning session at GSX 2021 will outline a formula for dealing with political extremism and insider risk decision-making, with pointers on tailoring these strategies for specific organizational types. 

Presenter Elsine Van Os, CEO, Signpost Six, joins ASIS TV host Chuck Harold to discuss this delicate topic. Register for an All-Access pass to attend this session digitally or in-person when it takes place at 2 pm ET on Monday 27 September.

By Amit Samani

Across the world, drone regulations are being passed, aimed at supporting the productive use of drones in our society and leading to the inevitable increase in the number of drones in our skies. Airspace security is becoming a wide-scale, cooperative effort, with capabilities like Remote ID being launched globally to monitor cooperative drone activity. By applying smart airspace security intelligence and insights, security teams can identify the compliant drones while exposing unauthorized or hostile drones.

Preparing for & Mitigating Against Drone Threats

How should security teams react when an unauthorized drone enters protected airspace? Key to the success of a smart airspace security program is developing proactive response protocols in the event of a drone incursion. 

Before developing airspace security standard operating procedures (SOPs), security teams must first uncover patterns in their drone activity and answer the following questions:

• How many drones are in my airspace?
• What time of day, and on which days, are drones appearing?
• What kinds of drones are being flown?
• What are the most common areas for drone activity? 

Using these questions as a guide, security teams can use airspace security intelligence and insights to advance their response protocols before, during, and after a drone incursion.

Before the incursion:

• Practice with your security team: Airspace security programs should begin under ideal, “blue sky” conditions
• Engage local law enforcement: Work with local law enforcement to determine the information they require to approach and apprehend an unauthorized drone pilot

During the incursion:

• Respond to automated alerts: Alarms are triggered as soon as a drone is detected
• Deploy security team to follow drone, and approach or apprehend pilot: By using flightpath information and localization of the drone, security teams can efficiently collect the evidence needed to locate a pilot
• Protect assets with passive countermeasures: This can include lowering blinds, monitoring WiFi networks, leading people away from exposed areas, or halting operations
• Alert local law enforcement: Local law enforcement can deploy additional resources to apprehend drone pilots

After the incursion:

• Build a threat profile: Summaries of drone activity, provide information such as most frequent times and days drones appear and drone hotspots
• Update security procedures: It may be that drones are appearing during shift changes, shipping/receiving, or concurrent with significant events at the site, such as game days or executive meetings
• Post “No-Fly-Zone” signage: Aerial trespassers will think twice with awareness of the risks they take when flying in your airspace

Prevent Losses with Results-Driven, Smart Airspace Security Programs

The consequences of drone incursions can be costly, from operational downtime to physical property damage and even data breach. Installing and launching a smart security program will deliver complete airspace situational awareness. A philosophy of develop, test, and enhance is essential for security teams and must be considered adjacent to the technology investment. 

Amit Samani is the Vice President of UK and Americas for Dedrone. Join Amit at GSX Learning Session, “Achieving Complete Airspace Security Amid Loosening Drone Usage Regulations and Emerging Threats” on 29 September at 11:30-12:30 PM ET, located the Offensive Strategies: Preparing for an Attack Theater. Meet the Dedrone team at Booth #2114.

Thank goodness companies have IT security specialists to protect those vital business systems that are the target of so many sophisticated hacker attacks. Sure, physical security professionals have to protect some systems, such as business controls or other less sensitive systems.

The thing is, those business control and security systems are increasingly tied to each other and other business systems. And the business control and security systems can be the easiest for hackers to attack and exploit. Uh oh.

The learning sessions at GSX 2021 will feature theaters carrying themes where like sessions are grouped. Kicking off the Offensive Strategies theater at 10 a.m. EDT on Monday, 27 September, Coleman Wolf, CPP, will lead a session on “Hacking Building Controls for Fun and Profit: Security Risks to Cyber-Physical Systems.” In the session, Wolf will give participants knowledge and strategies to try to prevent the “uh oh” from ever happening.

This session and all other Offensive Strategies Learning Theater sessions will be available in-person at GSX and livestreamed to all digital attendees. Register now for an All-Access Pass so you don’t miss it!

Wolf is a 25-year security management and security engineer veteran, currently serving as senior security consultant at ESD Global, Inc. The GSX Blog caught up with Wolf to gain insight on the issue of the vulnerabilities of business control systems.

What are the vulnerabilities of these systems and why should people care?

Building control systems were not traditionally built with security of the system in mind. They were self-contained systems, nearly impervious to external access—it would take physical breach to compromise them. That’s all changed. More and more, these systems are connected to each other and to other systems, becoming part of the larger IT infrastructure. A lot of people will build a connection between a building control or operational control system and, for example, a remote access IT system, but they would build this connection without first really thinking through the security ramifications of that.

One of the reasons is because the building controls were not seen as highly valuable targets. Maybe someone gets in and gains access to turn the lights off. Annoying sure, but it’s not worth expending a ton of resources to stop a practical joker when the resources could be used to fortify actually mission critical systems. One of the things we’re going to spend some time on in the session is how wrong this perception is. Not only can they be an access point to do additional damage, a hacked building control system can cause serious harm to a company.

If these systems are becoming more vulnerable, why not just revert to more self-contained, unconnected systems? What are the advantages to the interconnected trends you describe?

The main reason why they are interconnected and connected to business systems is for functionality and intelligence. It generally starts with there being a business reason to remotely monitor a system. Maybe you want the ability to see what is happening in a system at home during off hours, so you can decide if it needs immediate response or if it can wait. Or maybe you have a portfolio of different sites and locations and you want to monitor them from a central location.

In addition to the functional reasons, companies realized that they can use information from these systems to improve. As the systems grew more intelligent within the building, and different systems could start talking to each other, we now have this intelligent building platform. You can pull actionable data, build dashboards using intelligence from a variety of systems, and make strategic decisions. An example that relies heavily on building control data might be operating at peak energy efficiency—the savings to a company with a large footprint could be significant.

What do you say to a physical security professional who sees it as IT’s job to secure building control and security systems from cyber attacks?

Everyone in the session will leave with a good understanding of the differences between operational technology and systems and information technology and systems. Where the responsibility for securing OT vs. IT systems lies is in a state of flux. Traditionally OT rested in facilities, not IT. The operations folks didn’t want to be burdened by IT controls. Similarly, IT folks recognized that these systems were different animals, and they didn’t want the responsibility of securing systems that sat outside the traditional IT framework and thus did not have various IT protections and protocols built into it. This is probably another reason this is such a high risk for an organization. Companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management.

I’m the physical security professional and one of the operational technology systems under my purview is hit successfully with an attack. What do I need to be thinking about?

There are two fronts. You’re going to be pressured first and foremost to resume operations ASAP. That’s somewhat at odds with the other front, which is forensics to identify what the cause is and, in the case of something like ransomware, you’ve got complex political calculations to make: Do you pay the ransom and hope that your operations will return to normal? Do you pay the ransom and hope that other malware other bad actors won’t try to hold you for ransom again? A lot of companies are finding it might be more prudent to go ahead and pay that ransom because the compromised system is crippling operations.

So those are the two primary things you will have to deal with. In the best situation you’ve got a business resumption, emergency response plan for cyber incidents. Some companies will incorporate this into a comprehensive business continuity plan.

In a lot of ways, you’re talking about a different approach or mindset. How do you get people responsible for building controls and people responsible for IT security to speak the same language?

In traditional IT and cybersecurity approaches, you look at what they call the CIA triad, which stands for confidentiality, integrity, and availability. Those are the elements that need to be addressed. When you look at these building controls and operational controls systems, you have to add something to that mix. You have to add safety. If these systems are compromised, it’s not just the business aspects you have to worry about, you have to add the health, safety, and well-being of anyone—staff, customers, the public—who might be in an environment that is affected by one of the compromised systems. Going back to the attitude that hacking a building control is akin to perpetrating a practical joke—turning the lights off. The breaches can be very serious in any number of ways.

And finally, I’m hoping to do a bit of a demonstration. A demonstration that will show just how easy it is to identify, locate, and access some of these systems—and discuss what people need to about the vulnerabilities.

By Luann Edwards

Security professionals: You might not realize this, but you have a superpower. It helps you predict the future, enhance physical security, and generate return on investment. It’s your data, and with it you can demonstrate and deliver measurable value for your organization.

At GSX+ on Wednesday 23 September, Louis Boulgarides of Ollivier Corporation and Jonathan Moore of AMAG Technology presented The real story of how analytics affect physical security. This session looked at security systems data, the capabilities of new analytics technology, and how insights from these can deliver organizational ROI. (If you missed the session, you can watch it on demand here until December 31^st.)

“Data analytics take sources from multiple systems in the organization and analyzes behavior and other trends to yield important information.”

Moore set the stage by outlining the sources of data that exist within the security function:  access control, video surveillance, alarm management, and incident management systems are just a few. Analytics have grown increasingly sophisticated in this space. They give today’s security professional the ability to analyze the past, predict the future, and help you identify ways to solve problems you might not have realized even existed.

“Security tech is helping educate the larger business on how to analyze and become more proactive for better decision making,” shared Kristin Lennardson, protective intelligence programs with the Association of International Risk Intelligence Professionals.

As I attended this session, two important themes became clear: Security systems data can paint a complete picture that benefits the entire organization. And, it is critical that you build relationships with leaders across departments to understand their needs and challenges to identify where your own data can help.

Consider this hypothetical scenario: You’re in a Zoom meeting with your counterparts from across the organization, and you note that more employees are entering your building each week per data from your building access system. Your facilities management team takes this information to identify where they need to increase cleaning protocols in high-traffic areas due to COVID-19. Your IT colleagues can factor this in as they ensure that their cyber security efforts and connectivity levels align with the number of remote workers versus those in-house. And if an employee is accessing the building at times that are outside of his normal routine, it might give human resources an indication that he’s considering leaving the company. One data insight, multiple applications.

Not surprisingly, the information that your colleagues can share with you can inform your own program. With strong relationships and communication across departments, you can understand your colleagues’ unique challenges and motivations and create real value through aggregated data. This shift changes the view of the security function from one of overhead to that of a strategic partner. The speakers outlined the likely needs of key players in an organization to help you visualize how this collaboration might look.

One of the greatest opportunities for security technology and data is presented through this “new normal” of COVID-19, as Boulgarides explained. Security professionals are now creating “security, safety and health programs – the scope has broadened a great deal.”

Social distancing, monitoring the number of people in a location, contact tracing, and assessing mask-wearing compliance tend to be manual tasks, but those with the technology in place will be able to automate some of those activities. Think about a turnstyle or an access control system that can also count how many people enter or exit.

“Security is still viewed as a grudge purchase, especially in the economic times like we find ourselves in now.” Edward Baes, head of security consulting at BUROHAPPOLD, shared with ASIS recently.

When security systems provide data that saves an organization money and automates processes in addition to its security objectives, the value is right there in the analytics.

Luann Edwards is a social media marketing consultant and blogger. She is the founder of Socially Professional, a social media marketing consultancy, based in Providence, Rhode Island, USA.

by Randall Rosenbaum, Executive Director, Rhode Island State Council on the Arts

I’m the director of the Rhode Island State Council on the Arts, and as such, the director of public art for the State of Rhode Island. In September, I “attended” a Global Security Exchange Plus (GSX+) virtual presentation by Art Hushen, the President of the National Institute of Crime Prevention in Tampa, FL. Art was going to talk about “Corporate and Public Art as a CPTED Strategy”.

Since my degree is in music education I had to first discover what CPTED stood for, what it meant, and how public art applied to Crime Prevention Through Environmental Design.

Art did a masterful job connecting the dots for me as an arts professional and advocate for public art in our community. We advocate for public art as a way to enhance and enliven a community, and so does Art. What Art adds to the conversation are all the arguments that we should be using in convincing people to support the inclusion of art – in all its forms – into and around their buildings and communities. As budgets grow tighter, the resistance to art increases. The added benefits of art, as explained by Mr. Hushen, may help those who don’t entirely “get” art, and may not be enthusiastic about spending money from their budget to commission work.

I understand the concept of “Territorial Reinforcement” (although never by that name), and how art can and should be a reflection of the community in which it resides. I never in a million years would have thought about “Natural Surveillance” as a benefit of public art, and the way that art, strategically placed, can help focus people’s attention so that it focuses attention – even of passersby – and helps promote a safe environment.

I was particularly taken with Art’s examples of work that helps extend the footprint and designate entrances to buildings (“Celebrated Entryways” and “Focal Points”) while at the same time promoting a safe and secure environment. And his examples of the placement of human-like sculptural pieces and murals that mimic an apartment house façade with people looking out the windows, all designed to discourage “bad behavior” from unruly folks, was particularly enlightening. It made me long for statistics that measure the decline in police activity around areas where such artwork is located.

I came away from Art’s presentation with a new vocabulary to use in my work, one borrowed from a field that is highly respected and different from the fields in which I operate. I can’t wait to employ this language in my next meeting with a potential public art client.