Facility Security Officers (FSO) study their craft and learn ways to counter evolving threats. Threats to enterprises include: theft, vandalism, workplace violence, fraud, and computer attacks. Through a system of identification, analysis, risk assessment operation security and prevention, FSOs can help to mitigate those risks.

Traditional Security Risks

Though FSOs primarily protect classified information, they may be involved in more traditional security disciplines. For example, the costs of theft may affect how the defense contractor charges for products and services and asking the customer to bear the cost of the loss. The way to recover loss is to pass the costs on by increasing the top line. Raising prices to recuperate loss is a symptom of theft, but not a cure. Many companies have invested in security staff focused on identifying and preventing loss. These “loss prevention” jobs are oriented on identifying risky behavior, observing others, investigating theft, and finding methods of reducing risk. In retail, they may be secret shoppers; in transportation they may be monitoring cameras and patrolling as guards; in white collar businesses they may be dressed in business suits advising in board rooms.

Information technology (IT) and lessons from business intelligence (BI) can be applied to detecting and preventing theft. For the internal threat, access can be controlled by badge or biometrics. These IT capabilities can limit access by employee, time of day, and certain days of the week. For example, employees that work in the warehouse can access their warehouse doors, but cannot gain entry to the supply department. Those who have janitorial privileges may only do so during work hours and not when the business is closed.

Other capabilities include closed circuit television (CCTV). This is a great deterrent and detection device for both the internal and external threat. Current technologies allow the use of tilt/pan/zoom cameras that record and store digital data. This data can be entered into a data warehouse. Besides employee protection and assistance roles, this data can be mined to see patterns and recognize traits of potential perpetrators. For example, a supply bin in a warehouse may suffer shortage at each inventory. The installation of CCTV would provide digital feedback of whether or not supplies are being stolen and who is involved.

Sabotage is a reportable threat according to the National Industrial Security Program Operating Manual (NISPOM). Sabotage must be reported to the FBI. For internal protection, it can be categorized with workplace violence, criminal trespass activities, and industrial espionage or in conjunction with a theft. Though rare, costs are heavy and expense may fall on the company or the customer. IT tools are available that provide automated tracking of inventory and information along business practices. These practices can include campuses, apartments, retail, transportation, factories and other industries. For classified information, the IT tool is the Information Management System (IMS). The IMS is required by NISPOM and can be used to provide up to date status of classified information from reception to dissemination or destruction.

Workplace Violence

Employee workplace violence makes huge headlines for a very good reason. It is shocking behavior with the most serious events resulting in multiple deaths. These incidents lead to law suits, low morale, a bad reputation for the company; and most significantly leaves families and victims devastated.

There are a number of levels to workplace violence, including seemingly minor incidents which may become huge issues.. The company has several obligations. The first includes the legal responsibility of the employer to protect and safeguard against preventable harm. This includes all those who work in or visit the workplace. The second responsibility is to handle incidents and investigations, discipline and other processes appropriately. It is as important to respect the rights of all persons involved throughout the prevention and investigation processes.

Human resources managers in defense industry may understand the more serious discriminators that could be associated “non-hire” criteria. For example, one discriminator that would prevent a person from getting a job would be a history of violence. A highly accurate and timely pre-employment screening program is vital. Another would be specific questions about performance during the interview that might indicate propensity for violence or not being able to work well with others.

Employees themselves may not be the threat. Nature of customers, friends and family members could provide risk to the work place. These criteria could be identified as well. Employees who have abusive partners or spouses and employees who perform in risky environments such as retail must be considered in the risk analysis and data warehouse input.

Some additional mitigating factors for employee workplace violence include traditional security methods. Additional lighting in darker areas, an armed guard, security cameras and panic alarms do wonders to give employees a peace of mind as well as help prevent violent behavior. Knowing security is in place deters the criminal element. These security measures could be linked in a network to provide feedback and evidence for use in analyzing and determining actions to prevent this behavior.

Occupational Fraud

Occupational fraud is another risk. Whether an employee feels entitled to their fair share, is disgruntled or other reasons, this crime is costly. When involving classified information, it can be detrimental to national security. This crime can be broken down into three categories: Asset misappropriation, corruption, and fraudulent statement. Examples of asset misappropriation include fraudulent invoicing, payroll fraud, and skimming revenue. Corruption can involve bribery and conduction business laced with undisclosed conflict of interest. In defense contracting International Traffic in Arms Regulation or Federal Acquisitions Regulation violations could also fall under fraudulent activity.

Defense contractors face a level of fraud threat. Higher costs can occur at higher employee positions. For example, managers may not be sticking product in their pockets and sneaking out the door. However, falsifying travel reports, creating false accounts, diverting payment and other crimes are more impacting. Fraud is difficult to detect and many schemes can continue for long periods of time before they are detected. Detection can be accidental, the result of a tip, an audit (internal, external or surprise), hotline or as referred to by law enforcement. Focus and discipline could be perceived as the best means to detect fraud. Paying attention to patterns, verifying paperwork and checking records is time consuming, but must be performed.

A sound method of detecting fraud involves the input of employees. Training employees on fraud and awareness can help detect it early and reduce costs. Some of this training is already conducted during security awareness activities. However, instead of just training cleared employees, the FSO can help reduce fraud by tailoring the security awareness to uncleared employees as well. Training increases morale in many ways and creates a team like atmosphere.

Information technology (IT) and lessons from business intelligence (BI) can be applied to detecting and preventing fraud. Employee and hotline tips are most effective. Computer links could be set up on corporate sites to allow employees to report fraud. Some methods could include survey, direct question and answer, or just a space for reporting.

The audit, hotlines and tips are effective after or during the commission of the lengthy fraud period. These are all reactionary events. What about being proactive? Many companies have the capability to automate almost everything. Time sheets, accounting, billing, production and supply chain records are often on a server. Most require supervisor approval or at the very least have the capability of real time monitoring. This information can be integrated into a company version of a data warehouse and be manipulated according to the input rules. Specific habits of employees can be pulled to look for and address financial inconsistencies.

Access control measures such as card scanners, code readers and biometrics are increasingly effective. They leave a trail of employee activity and regardless of position all are required to enter information to gain entry. Computer keyboard activity can be limited by password protection and all media should go through the security department before introduction or removal. All of this leaves a data trail. Besides employee protection and assistance roles, this data can be mined to see patterns and recognize traits of potential perpetrators.

Computer Security

Computer attacks are a huge risk to all businesses. The threat of hackers, malicious viruses, and phishing are just a few serious events of which the FSO should be aware. Data can be destroyed, reputations can be ruined, and lives can be stolen. These attacks can cripple an enterprise and could take months or years to recover. Businesses should have IT tools to detect and combat this type of threat as soon as possible. Worms and viruses are quickly destroying years of input. These threats appear innocently enough in the beginning and when the right time comes, they activate. Threats continually knock at the internet portal trying to learn passwords and the inner most secrets to exploit for espionage, theft or fun. Unprotected systems perpetuate all the above threats. Victims suffer greatly financially and productively.

There are many existing security methods available to help companies take the offense against such attack. Protection takes the coordination, input and involvement of all business units and departments in the organization. It cannot be given to the security department alone to handle, however actions should be accountable to one department. Other aggressive measures include password protection, rules on internet use, firewalls and internet access blocking. These can be regulated with the convergence concept. Software already exists to help generate and protect passwords on network and stand alone systems. These help ensure not only that authorized users are accessing the systems, but they also provide a basis for auditing. Information technology can track who used which system to access which information. The user leaves an automatic automated electronic trail.

Companies should have strong firewall capabilities to protect information from both leaving and entering the enterprise system. These firewalls help prevent hacking, high-jacking and malicious viruses. The firewall needs to be updated regularly with updates. Most importantly, checking and running analysis identifying the threat is vital. This identification should track where the threat is coming from, how often the defenses are probed, what the threat using to probe the defenses is, and what times of day are the threats the strongest. Analysis should identify strengths and weaknesses that the adversary is trying to exploit. When is the IT asset most vulnerable? Are our passwords easy to break? How much intrusion would it take to stop our operations?

Internet discipline is also vital. An enemy doesn’t have to break down defenses to wreak havoc, many times they are invited in by unwitting victims. When employees visit unauthorized websites, download unauthorized software, transfer data from a home computer or forward corrupted email, they can cause just as much harm. Blocking websites, allowing only IT personnel to upload software, and screening all mobile media or preventing all media such as CDs and other portable storage devices is crucial to protecting the enterprise.

Protecting the enterprise with security in depth will solve many problems. This includes previously mentioned biometric or card reader access devices, alarms and CCTV cameras. These are available IT devices that are popular and effective at monitoring employee movement and activity. Vital risk assessment detail is captured in a data warehouse to better analyze events and proactively mitigate risks before damage occurs. Traditional methods of stove piping traditional or IT security do not produce effective results. Neither does segmenting business units. When the one department handles all internet activity, human resources execute the laying off offenders, finance department handle all payroll discrepancies and accounting performs all audits, the result is a broken chain of incomplete activity.

The willing participation and information sharing could be better handled in the form of a committee. Each respective department can do their day to day activities, but results can be presented to the entire group to help detect and determine any one of the threats addressed in this paper.

Study the Craft of Security

FSOs and security professionals should continue to make it a point to study their craft and learn ways to counter evolving threat. Business intelligence methods should also continue to keep up with technology to analyze and prevent the internal and external influences that can ruin the enterprise. The threats corporations face include: theft, vandalism, workplace violence, fraud, and computer attacks. The role of security to converge traditional physical protection with the capabilities of IT systems is necessary. Tools of IT can provide a great benefit to enterprise as a system of identification, analysis, risk assessment operation security and prevention, astute managers can mitigate risks.

Related News

Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP is a podcaster, consultant and author of NISPOM, security, and risk management topics. Jeff's first book was a study guide for security certification. Soon after, Jeff began writing other security books and courses, and started his company Red Bike Publishing, LLC. You can find his books, ITAR, NISPOM, PodCast and more @ www.redbikepublishing.com.