Locks, Vaults, and Fences

Locks are only a delaying mechanism. That’s it. They don’t keep bad guys out, they merely impede progress. Walls do the same thing, as do fences. Good security relies on layers of protection. Distance to separate a building from a street, a locked front door to slow entry, a hidden safe to protect documents or valuables. Each layer can be defeated, but each adds time for a response.

Valuable items can only be protected with an overwhelming response. Locks and vaults are not sufficient, yet most businesses think they are. Consider the “rooftop burglaries” by jewelry thieves in Texas who knocked off a series of jewelry stores over a period of months. They disabled sophisticated alarm systems and entered through holes they cut in the roof. Then they spent six to ten hours cutting through commercial-grade safes before gaining entry to the valuables inside. It’s no surprise that Monday mornings keep every police force in the nation busy completing damage and theft reports. That’s when business owners return to the office to find broken windows, missing merchandise and evidence of other crimes.

The US Federal Reserve Bank of New York has an engineering marvel beneath the massive building at 33 Liberty Street to house gold bullion for the United States and other countries: a vault constructed on the bedrock below lower Manhattan. Here’s a description from their documents:

“The gold also is secured by the vault’s design, which is a masterpiece of protective engineering. The vault is actually the bottom floor of a three-story bunker of vaults arranged like strongboxes stacked on top of one another. The massive walls surrounding the vault are made of a steel-reinforced structural concrete.”

“There are no doors into the gold vault. Entry is through a narrow 10-foot passageway cut in a delicately balanced, nine-feet-tall, 90-ton steel cylinder that revolves vertically in a 140-ton, steel-and-concrete frame. The vault is opened and closed by rotating the cylinder 90 degrees. An airtight and watertight seal is achieved by lowering the slightly tapered cylinder three-eighths of an inch into the frame, which is similar to pushing a cork down into a bottle. The cylinder is secured in place when two levers insert large bolts, four recessed in each side of the frame, into the cylinder. By unlocking a series of time and combination locks, Bank personnel can open the vault the next business day. The locks are under “multiple control”—no one individual has all the combinations necessary to open the vault.”

The Federal Reserve has a good system – they even have a dedicated, uniformed, armed protection force to provide security.

An armed response force is the element most companies neglect. Too often companies and individuals rely on government-supplied police to fill that role. Corporate security teams rely on police departments to prioritize resources in their favor, but plaques and free lunches aren’t worth much when the police department is inundated and overtasked during and after a major local crisis. Enormous sums are spent to house and monitor valuables, but active defense might consist of an unarmed security officer in a blazer with a two-way radio, left without any means to present a credible threat to a motivated opponent. When chaos rules, 9-1-1 forces become reporters, not responders. Organizations must plan to be self-sustaining and deliver integrated control over the entire security defense and response lifecycle.


Business Continuity and Asset Protection

Sound protection for data, intellectual property, real property, and the other day-to-day assets that companies and senior management must secure demands plans and procedures that recognize the threats posed by employees with access to those assets. Security managers tend to spend effort on low-probability events, including tornadoes, fire, civil unrest and others, while ignoring the risks their own employees create.

In 2009 a programmer at Goldman Sachs stole code used by the bank to run their high-speed trading operations. Sergey Aleynikov worked as a programmer at Goldman Sachs, and left his job with “hundreds of thousands of lines” of source code. Although he was prosecuted, the charges were thrown out. From the Guardian, “Because Aleynikov did not ‘assume physical control’ over anything when he took the source code, and because he did not thereby ‘deprive [Goldman] of its use,’ Aleynikov did not violate the [National Stolen Property Act],’ the court wrote in its decision for United States v Aleynikov.”

More recently Syrian President Bashar al-Assad was betrayed by a security staffer who carried a bomb into a staff meeting. Syria is conducting a war and the senior leadership team has been holding frequent planning meetings. This is an organization that is already on the highest alert, yet the blast killed Defense Minister Dawood Rajiha, Deputy Defense Minister Assef Shawkat (al-Assad’s brother-in-law), and Hasan Turkmani, a security adviser and assistant vice president.

In case you think Syria is an extreme example, consider this case. In December 2009, another suicide bomber attacked a CIA operations center in Khost, Afghanistan, killing eight Americans. Most were CIA agents. Like the Syrian attack, the suspect was well-known to the people he targeted. A week after the bombing, NBC News published an article that identified the attacker as Humam Khalid Abu-Mulal al-Balawi, 36, a Jordanian doctor and al-Qaida sympathizer from Zarqa. The CIA planned to use him to infiltrate al-Qaida as a double agent.

Internal threats are real and have the potential to cause serious damage. None of the expensive firewalls, access control systems, alarms, fire-suppression systems, locks, gates, fences and security systems that companies already sustain can prevent loss from a Trojan Horse. You must consider ways to compartmentalize data and assets and limit the damage that theft or malicious destruction by employees can do to a company or organization.


Duty of Care and Duty of Loyalty

Duty of Care is the idea that corporations are responsible for the security of their employees during travel and when engaged in activities that support the company’s interests. The European Union’s Duty of Care Act is the most prominent regulation in Europe to codify this requirement. The EU spells out how companies should behave regarding employee safety and security, but the United Kingdom took this a step further with the UK Manslaughter Act, which allows companies to be held criminally liable for harm that comes to their employees. The regulation applies to UK employees abroad, and to employees of non-UK companies while they are in the UK to conduct business. These regulations jump-started the Duty of Care industry in Europe, and North American corporations are still playing catch-up.

Duty of Care describes the set of behaviors, planning, and actions companies must take to safeguard their employees. Duty of Loyalty is the concept of employee compliance with their employers’ efforts on their behalf. If a company makes a car service available, or requires employees to meet minimum safety guidelines, Duty of Loyalty is the force that compels an employee to meet those standards. Companies that go out of their way to create a high quality of life for employees during travel and are proactive about serving travelers on the road will generate much higher loyalty. Companies undermine their employees’ loyalty through cumbersome or overly restrictive policies and should strive to strike a balance that rewards loyal behavior while not driving the employee to another company.


The Safest Room in Every Hotel

You will find the safest rooms on the third and fourth floors, away from the front of the building and at least one room away from elevators or stairs. Why? Simple – fire. The tallest three-section ladder commonly carried on fire trucks extends only forty feet and weighs 220 pounds. Fire can spread through stairwells and elevator shafts quickly, so a buffer room is a good idea, and high rooms cannot be reached with most ladders.

Unfortunately terrorism is another risk hotel guests face; room locations away from the building’s main entrance tend to offer better protection against blasts, overpressure shockwaves and projectiles. Blasts occur disproportionately on the street level in front of the lobby entrance. In high risk locations, it makes sense to keep your drapes closed (to catch broken glass), and sleep on the bed away from windows (when two beds are present). You should also remember to carry a small doorstop with you and secure your room when you’re in it.

It’s easy to remember to stay low in case of fire, but most people don’t understand how quickly the super-heated gas a few feet above the floor can cause severe burns to delicate lung tissue. Think about the heat you feel from an oven at 350°F. Now think about what one deep breath of air heated to 900°F could do. If you do need to leave your room during a fire, don’t use elevators and don’t leave skin exposed; put a wet cotton t-shirt around your head, and a pair of cotton socks (not synthetic) on your hands as an impromptu pair of gloves. Touch doors and doorknobs with the back of your hand before you open them, and don’t stand in front of the opening until you know it’s safe to do so.

A few more hotel tips – it’s a good habit to make your first trips to the lobby via the primary and alternate emergency exits closest to your room (you’ll be familiar with them should you need to use them in the dark).

Never take metal keys with you when you leave the hotel – leave them at the front desk and have a staff member give them back to you when you return. And don’t leave room keys in sleeves marked with your room number or the hotel name. Always leave a note addressed to yourself or a colleague at the front desk when you leave by yourself. List your intended destination, who you’re meeting with and when you intend to return. This will give potential rescuers an enormous head start should something unplanned happen.

This isn’t a complete list, but adopting these habits will give you an advantage if you’re ever faced with an emergency or crisis while you’re away from home.


Recipe to Riot: How the LAPD Keeps the Peace

The US Supreme Court recently upheld the right to videotape Police in action by denying an Illinois request to review a Federal Court’s decision to prohibit Cook County from prosecuting people for “eavesdropping” on Police. This is an important decision – it means that citizens and watch groups may monitor law enforcement through photographic methods and continue to disseminate their findings via social network sites like Twitter, YouTube, Facebook and Instagram – all with First Amendment protection.

Videotapes and photographs showing Police in action have an important history. Sometime in early 2007 I became acquainted with William Bratton, Chief of Police, and his senior staff including Chief Earl Paysinger. A few weeks after our first introduction Chief Paysinger asked me to review the Police Department’s customer service procedures and make recommendations about how they might improve service to the citizens of Los Angeles. Earl thought my previous law enforcement experience, combined with my experience dealing with some of America’s best customers, the movie studios, offered a good backdrop to draw from. Over the following months and after a series of interviews and ride-alongs, including one with Sergeant Al LaBrada with the Gang Crimes unit, I felt comfortable that I understood the LAPD’s general operations, but I wrestled with actionable recommendations that could make a meaningful difference.

Service levels or satisfaction scores as defined by typical corporate surveys or ratings didn’t feel like the right metric to capture what Earl had asked for, but within weeks something happened that clarified the problem for me. On May 1, 2007, a large group of people marched in MacArthur Park to protest for citizenship for illegal immigrants. The march and skirmishes between police and protesters have come to be known as the May Day Melee. There was clear videographic evidence that depicted excessive force by the LAPD against peaceful protesters and reporters. The tapes were aired repeatedly by local media and led to widespread criticism of the LAPD’s actions from a broad spectrum of Angelenos.

The LAPD manages thousands of public contacts each day and responds to millions of 9-1-1 calls per year, but only periodic incidents lead to rapid escalation and threats to life and property. The “customer service problem” was not about how to say “please” or “thank you” during daily transactions. It was far easier. It could be distilled to a command problem about how to respond when Officers are involved in a long tail event. Moreover, it wasn’t just a ‘problem’ where Officers were involved. There were even more ingredients that could be isolated to help the LAPD identify and predict future events.

A review of the May Day events at MacArthur Park, combined with a quick look at previous flare-ups and riots, including the acquittal of LAPD Officers charged with assaulting Rodney King during a traffic stop in 1991 (the beating was videotaped and led to widespread anger at the LAPD), provides clues about the circumstances that lead to these events.

The May Day Melee was embarrassing to the City of Los Angeles, but it should be viewed as a bad situation that was defused successfully. Within days of the initial event William Bratton suspended senior Officers, and acknowledged what most people could see clearly on the evening news – the LAPD was wrong, they had overreacted, and they were going to change. Chief Bratton’s treatment of his organization wasn’t without complaint. There were Officers who criticized his handling of the department in the aftermath, but videotapes allow anyone with YouTube access to question Ground Commanders’ actions – and sometimes Officers make the wrong call.

My recommendations to the LAPD follow: keep doing what you’re doing, but be alert for situations that include the following ingredients:

  1. Predisposition to mistrust the Police.
  2. Incident occurs that a majority of residents see as an abuse of police power or overreaction.
  3. A video tape or photographic evidence exists. The video removes all reasonable doubt about the facts in the case.
  4. The public views the recording repeatedly with quotes from community leaders that condemn the acts and call for justice or retribution.
  5. A muted/hollow or tone deaf response from the police.

When all five conditions are present Police, Military Commanders, and Government leaders must break away from the script and change number 5. They must get in front of problems – and leaders don’t make them better by ignoring public opinion.

Looking back at the acquittal on April 29th, 1992, is useful. The response was immediate and it triggered six days of rioting in Los Angeles, led to more than 50 deaths, and caused over $1 Billion in property damage. It’s worth thinking about – a careful plan, executed well, might have minimized it.


Vehicles Are Deadly

Vehicles are Deadly. The distinction between Cover and Concealment is an important starting point. Concealment occludes visibility to a target, while cover provides material to protect the target from projectiles. Bushes, curtains and plastic garbage bags could provide concealment, but only eighteen inches of dirt, sand or rock will stop a .50 BMG or fragmentation from a 155mm High Explosive shell. Most homeowners underestimate how soft the drywall and studs are in contemporary homes. In fact, a standard 9mm full metal jacket (FMJ) round fired from a 4” Glock 19 can pass through four walls before stopping in the fifth. Some rifles can do the same thing to cinderblock. These results do two things: first, prove that walls do not offer cover; and second, demonstrate that many gun owners are unrealistic about where their rounds will end up once discharged.

The Box-O-Truth Web site is a terrific resource to learn how ammunition really behaves after it leaves the barrel. The author and host, Don, known to readers as “Old_Painless”, is a retired Police Officer and gun enthusiast. He spends a lot of time creating realistic situations to test ammunition against targets with real-world applications. You can find his work here: http://www.theboxotruth.com/. You should spend some time on his site.

Vehicles are Deadly. They offer the illusion of safety (since so many people think they provide cover – but they don’t), but vehicles are deadly for another reason. They concentrate fire. Let’s use a car with four occupants as an example. Each occupant merges to become one target in the vehicle. One or more shooters will engage a car before firing at a single dismounted target. Vehicle occupants are subject to accidental hits – if the driver is targeted, but rounds hit another occupant, the shot is still a “Hit” but it was accidental. If four suspects ambush a vehicle, all four weapons act to destroy it.

Dismounted targets are discrete and not usually pursued with the same concentrated fire. When an occupant dismounts they will simultaneously draw fire away from the vehicle, and offer a much smaller target. As they move farther away from each other they become separate targets and much less susceptible to accidental “Hits.” Distance is a good defense since people able to double their distance from a shooter will reduce their surface area by 75%.

Vehicles are not a substitute for adequate cover. They offer concealment only, and vehicles tend to draw heavy weapons. If disciplined aggressors have small arms and one heavy weapon, they will put heavy fire on a vehicle before engaging soft targets. The proliferation of .50 Cal BMG rifles reinforces everything described here. To learn more, check out Don’s review titled the “Buick ‘O Truth”, a car that gave him a chance to examine damage from small arms fire and penetration by high-powered rifles. The results will encourage you to hide somewhere else, as any bullet can penetrate the car and even the engine offers little protection.
