Back to Contents of Issue: November 2004
by Kevin C. Desouza and Yukika Awazu |
|
WE'VE been inundated with issues of technological security. Open up an information technology or business magazine and you will be hard pressed not to find an article that talks about viruses, worms, trojan horses, software vulnerabilities, et cetera--risks that have materialized into security disasters.
TECHNOLOGY SYSTEMS ARE increasingly at risk from attacks by unscrupulous individuals. But businesses have gotten so caught up in technological security that they have forgotten the more basic, yet salient, notion of physical security. By physical security, we mean securing your office buildings and other physical assets from unauthorized access, usage, movement and destruction. Physical security has lost its glamour recently, taking a back seat to issues of technological security. However, an organization can be brought to the ground in seconds if the right perpetrator is able to breach physical security and gain access to sensitive areas in an office building. One of us just wrapped up a consulting project for a large financial institution (let us call it Gamma) based in the United States. The project was simple and straightforward. Gamma had just finished a review of its security procedures, protocols and practices. Confident about the strengths of its security regiment, Gamma asked us to see if we could gain access to one its office suites. There was only one condition: We had to gain access using unauthorized mechanisms. They did not provide us with any information (such as blueprints of the office layout) or access mechanisms (such as ID cards). We were able to breach Gamma's security protocols in less than 10 minutes, even though the company's budget for security issues ran into the millions of dollars. Here is how it happened: Our man got dressed in a pair of jeans and a T-shirt and grabbed a FedEx envelope from his office. He then rode the subway to the bank's location and went to the reception desk. The reception desk was used for tenants of the office building. He introduced himself as "Kevin," using his real name. The receptionist said "Hello, Kevin. How are you? To whom are you delivering your mail?" Kevin never said he had mail to deliver. Actually, he was just there to get a sense of the building premises. But an opportunity for a security breach had opened that could not be wasted. Kevin replied: "Yes, I am, and it sure is a nice day today. Can you please let me know how I get to the reception desk of Gamma Bank?" The receptionist gave out the floor number of the reception desk and also informed Kevin that the mailroom was on a different floor. Then, without checking identification or even calling up Gamma's receptionist, she pointed him to the elevator. Kevin went to the floor that housed the mailroom and was greeted by another employee. She advised him that the package (a blank FedEx envelope) could be left with her and he could leave. Kevin insisted that the package had to be hand-delivered to the Chief Operating Officer. The mailroom attendant was eventually convinced, and decided to escort Kevin to the main office floor. She helped Kevin pass through the main reception desk, once again without checking for identification, and then pointed him toward where the Chief Operating Officer's suite was located. Kevin now had access to the main office floor, and by asking two more employees, eventually reached the designated office suite. This security breach led the executives of Gamma to rethink a major component of their security plans--protecting the physical organization from intruders. Gamma's measures to ensure protection of their offices were simply inadequate. But Gamma is not alone in this deficiency. Most organizations are vulnerable to physical security breaches. A lot of money and resources have been diverted to ensuring technological security, many times at the cost of physical security. Ensuring physical security is a much easier task to achieve than the elusive goal of protecting technology from vulnerabilities. However, organizations have become careless in this area, and many have the misconception that ensuring technological security is much more serious than physical security. Yet to conduct the break-in described above, there was absolutely no technology involved. Failure to protect..................................... A large percentage of the personnel thrown into a "security" role do not have the necessary knowledge, experience, or skills. We spoke to over 60 different private security personnel who were charged with protecting office buildings in the downtown Chicago area. Over 85 percent of them had never attended a university or had any training in aspects of crisis management, security, or law enforcement. Of the 15 percent that had attended universities, most were college dropouts and had minimal training in security management. Also, most of the job descriptions for security personnel were vague in their description of minimal requirements for hiring. As one of our respondents put it: "In the interview … the most important question was if I knew how to use a walkie-talkie." If we do not hire high-caliber personnel, we should not expect much in terms of protection. To be effective, security personnel must have requisite knowledge in the areas of security, crisis management and law enforcement. Without these skills, we might as well leave our doors wide open to intruders. Second, most organizations view their physical security measures as an expense, not an asset. As such, the first line of thinking is: How I can reduce this expense? Amid shrinking budgets and difficult growth periods for organizations, any method of reducing expenses is likely to be welcomed by management. Most organizations outsource their security management functions, many times to the lowest bidder, without executing due diligence in evaluating the capabilities of the security vendor. In downtown Chicago, most security guards barely earn $8 to $12 an hour in wages, with minimal fringe benefits. With such salaries, we cannot expect to attract the best and brightest to take up security positions. And with such low pay, the security personnel can more easily be subject to manipulation by unscrupulous individuals. For example, if we wanted to get access to an office space and found a security guard who was having a hard time making ends meet on his salary, chances are high that we could get access to the space after a bit of convincing--or upon offering a bribe. Organizations put themselves at risk by creating environments where allegiance is tested. Would you pay your best software programmer or salesperson minimal wages? If you did, they would probably leave for another organization. And if they stayed, they would probably perform below their true potential. We need to start thinking in a similar fashion when it comes to security personnel. Security personnel are like puppets in uniforms. In the majority of organizations they lack significant authority or accountability. Put another way, there are always ways to get around them. Consider the following case. In one organization, a security guard was fired after not allowing a person without an ID card into the office building. The security guard did his job; he was hired to prevent unauthorized individuals from entering the building. However, the person he stopped was a senior member of the organization's management team. Due to questioning, the senior official of the organization was delayed--and the vigilant guard was relieved from his post. After this incident, do you think any security guard at this organization will stop a person who happens to look like a senior manager? Security guards have a hard time enforcing security rules. For example, in most organizations there is a rule stating that you must display your ID at all times. But try walking around your office premises for a day without your ID and see if you are ever questioned by a security guard. Unless we give security personnel requisite authority, they will not be successful in protecting our assets. Just like the police have the authority to ensure that all citizens abide by the laws, security personnel must have the authority to enforce security policies. Five steps to security.............................. It's not surprising that most Defense and Intelligence Sector (DIS) organizations do not view security as a cost item. To the contrary, such organizations go to great steps to ensure that their assets are protected from unauthorized access, sabotage and vandalism. DIS organizations often have their own internal security personnel and resist outsourcing this responsibility to a third-party. To be in charge of security matters at a DIS organization, one must have a proven track record, the necessary knowledge and skills--and must be tested for allegiance to the organization. There are extensive training modules provided to security personnel to ensure that they have the requisite knowledge needed to perform their duties. Security personnel at DIS organizations have the authority to take action against security breaches. In the most general sense, they can remand or quarantine a staff member for alleged security breaches. Investigations into failure to adhere to security protocol can significantly impact one's chances for promotion, or in some cases can even lead to the suspension of security clearances and the loss of one's job. Extensive training is a necessity. Security policies and practices are not static. They need to be updated on a regular basis as new information on threats becomes available. It is critical to have an appropriate asset management system. An organization must have a way to tag its assets--e.g., with serial numbers on the computer system--and also have ways to gather information from sensitive assets in real-time. For example, the door used by employees to enter the office must be able to emit real-time information as to who has just entered. This is possible through monitoring logs of ID card swipes and by viewing a video camera feed. RFID (Radio Frequency Identification) tags can be helpful here. If attached to an asset of interest, they can be used to track the movements of the asset, tampering with the asset and other activities. RFID tags can emit information in real-time that can be monitored by security personnel. Finally, it is important to centralize the security function. The centralized security unit must have links to the financial, information system and human resource functions of the organization. These links will be critical in taking measures required to protect the organization. For instance, if the security unit discovers an employee is committing acts of theft, they must have the capability to instantly freeze the employees' access to information systems, stop payment of paychecks, and begin to take legal action. These will call for collaboration with members of the information technology, human resource and financial divisions of the company. Management of security is a strategic matter for all organizations. It must be given the attention, resources and care that other strategic management activities command. Kevin C. Desouza is the President and founder of The Engaged Enterprise and is the director of its research institute--Institute for Engaged Business Research [IEBR]. Desouza has authored over 80 articles for prestigious business and academic journals. In addition, he has written Managing Knowledge with Artificial Intelligence (Quorum Books, 2002), and has co-authored Managing Information in a Complex World (M.E. Sharpe Inc., 2004). Yukika Awazu is the Vice President and co-founder of The Engaged Enterprise and is a senior research fellow at IEBR. Awazu has authored a dozen articles for prestigious business and academic journals. |
Note: The function "email this page" is currently not supported for this page.