Small Business to Protect Online Presence Through Target Hardening

In one of my previous posts I argued that in cyber-warfare, we’re all made collateral victims for lack of awareness. The following article from the WSJ harkens back to that notion. It describes how small businesses have been left to fend off increasingly sophisticated tactical attacks, because they’re seen as soft targets of opportunity. A simple, strong password policy and good password management can go a long way toward achieving target hardening. It’s sure to be the most sensible thing we all can do to protect our confidential information.


Passwords 101: How to Protect Your Company’s Data
Wall Street Journal (10/28/09) Richmond, Riva

Strong password protection is essential to ensure the security of company data. Small companies often do not employ the same level of protection as large companies, making them even more vulnerable to a breach. Experts say that small companies should take the time to teach employees better password strategies. Workers should choose passwords that are difficult to guess, with at least seven characters, including numbers, capital letters, and symbols. They should also have different passwords for different company and Web applications, and should change these passwords at least every 90 days. These passwords should not be written down or recorded in any way, and should not be shared with anyone. System administrators should also be sure that they can control which employees have access to data, and that they cut off access for former employees. There are a number of technologies that can help companies achieve these objectives, but the first step any company needs to take is to look at its own specific security needs. As Todd Chambers, an executive at access-management company Courion Corp. says, “There is a risk-management process that every business should go through.” Such an assessment should take into account the sensitivity of data the company stores and how much damage would be done to the company and its customers if that data were to be breached. If the company does not store sensitive data, employing the services of competent IT personnel may be sufficient to protect information. However, companies that do have sensitive data should consider hiring security experts to set up and maintain an adequate cybersecurity system.



In a turbulent world organizations ready Evacuation Plans for international staff

By Francisco Mateo, CPP, CFE

Picture this: your company has worldwide operations, including some places that might be stable today but have a long history of violence. You’d be amazed at the number of countries you can come up with. For the sake of brevity we won’t list them, but the fact remains that we live in a turbulent world where risk is asymmetric and extremely unpredictable. History offers many scenarios to illustrate the point, like:

“American executives isolated in towns throughout Lebanon during the Israeli-Hezbollah conflict. Businessmen in Chad stuck in a hotel in the capital, N’Djamena, as rebels bore down on the city.” 

And it is not just corporate travel that is impacted by these risk scenarios. Staff at every company vacation all over the world. Some adventurers get their thrills in some of the world’s riskiest places. For instance:

“Ten years ago, 62 tourists and tour guides were massacred at the Temple of Hatshepsut, in Luxor. In 2004, bomb attacks on hotels in the Sinai killed 34. The following year, blasts in downtown Sharm accounted for the deadliest attack in the country’s history, killing 85. Two dozen others were slaughtered in 2006 in the Red Sea resort of Dahab.”

Now, it’s clear that employees must assume and properly mitigate their own risk situation. Indeed, companies are not obliged to extend aid to staff on their own time, but it’d be a great value-added service to get your people to safety when crisis strikes. That is precisely the aim of an Evacuation Plan (EP): to get your people out of hotspots when things go awry.

As security and travel practitioners, we are always stressing the need to be prepared for the unthinkable. We’re consistently preaching the prevention gospel to our business travelers and expatriate staff. Our toolkit is first equipped with well-crafted travel security awareness plans, which help make our travelers and expatriate staff more resilient through training and timely information. But we know that risk trends are like water; travelers could be faced with fluid situations which may not work in their favor. A comprehensive EP should allow us to extricate our travelers or expatriate personnel from a hotspot in a safe and timely manner.

What are the elements of an effective country evacuation plan?

As an initial step, your organization’s Crisis Management Team (CMT) must take on responsibility for the evacuation planning and execution. The CMT is well suited for the task since it is most likely to know the risks the organization is exposed to and to have created plans to mitigate them. This superior knowledge bodes well for identifying and quickly reacting to conditions that would merit staff evacuations.

That said, planning an evacuation is an exacting business with many moving parts.  A crisis event that merits an evacuation of staff must account for a number of potential eventualities that may include:

  • political – military instability or upheaval
  • a break-down in law and order, and a consequent state of chaos, or anarchy
  • an unacceptable deterioration in living conditions
  • widespread criminal and/or terrorist actions
  • war in the region
  • natural disasters such as flood, famine, earthquakes, disease and epidemics

All the scenarios mentioned above are likely to lead to situations where there are unacceptable dangers to life, or where business activities cannot profitably be pursued. The response to such scenarios is likely to be full or partial evacuation of expatriate personnel and dependants as well as foreign business visitors.

The following are guiding principles that are part of the pre-planning and execution of any EP best practice procedures:


  • Enable rational and logical decisions to be made; and create a decision-making organization
  • Establish reliable sources of information/intelligence
  • Establish communication requirements
  • Delegate duties and responsibilities to expatriate personnel
  • Establish and set up procedures aimed at enhancing the security of the evacuees
  • Implement such procedures quickly and efficiently


  • The safety and well-being of the employees and dependants is of the utmost importance
  • Alert states and triggers are clearly defined
  • The decision making authority, and individual responsibilities, are clearly defined and understood
  • Timely and accurate situation reports and up-to-date threat assessments must be available to assist balanced judgments by the CMT and the organization’s senior management
  • Reliable communications and reporting procedures are in place
  • Affected employees and dependants would be well briefed on relevant components of the plan
  • Updated records of the locations and contact details of all potential evacuees would be maintained
  • Necessary administrative details and support would be pre-planned
  • Business continuity and recovery plans are in place and up to date
  • Security of personnel in an atmosphere of fear, speculation and rumor would be maintained
  • Close liaison with relevant political, law enforcement and diplomatic missions would be maintained
  • Non-expatriate staff are neither endangered nor financially disadvantaged.

A decision to evacuate a country is obviously of vital importance to the continuity of the business. For that reason a short span of control must be maintained over the decision-making process. The most senior executive in-country, acting as the CMT leader and in close coordination with the organization’s board of directors (or designee), should have the final say on when to evacuate.

Means of Evacuation:

If an evacuation is inevitable and the situation requires the activation of the EP, commercial flights will be favored. However, there is a high probability of overcrowded or incapacitated national and international airports. Some airlines may cease flying to areas of conflict. A crucial provision in the EP should account for evacuation through:

  • Airborne evacuation by chartered or corporate aircraft or helicopters
  • Overland evacuation by chartered coaches or private convoys
  • Where practicable, sea evacuation by chartered boats

Developing Alarm Triggers

Although crisis events seldom give warnings, the types of events that would trigger an evacuation follow a cascading sequence that can be interpreted through a series of alert states. It’s the duty of the security/safety practitioner to advise the CMT on a prudent course of action if the economic, political or social environment progressively deteriorates.




| | Alert State One | Alert State Two | Alert State Three | Alert State Four |
| --- | --- | --- | --- | --- |
| Natural Disaster | Threat of natural disaster in region | Serious natural disaster with loss of some essential services | Loss of all essential services with risk of disease and epidemic | Sudden loss of all essential services with high risk of disease and epidemic |
| Civil unrest | Militant demonstrations and protests | Civil unrest, rioting etc., making local travel unsafe; paralysis of some services | Loss of all essential services and significant risk when traveling locally | Sudden violent protests and demonstrations paralyzing … making local travel impossible |
| Political and Military unrest | Political agitation | Considerable disruption to government with loss of some essential services | Political takeover; loss of all essential services | Sudden coup; rebellion; loss of all essential services |
| | Cooling in diplomatic relations | Severing of diplomatic relations | Hostile diplomatic relations | Seizure of foreign owned assets |
| | Regional armed conflict | Spread of regional conflict | Major conflict involving … | Unforeseen major conflict involving … |
| | Policies disagreeable to international community | Imposition of international sanctions | Serious shortage of essential commodities | |
| Threat of Violence and/or Terrorism | Threat against foreign people | Threat against your employees and assets | Terrorist action against your staff or other foreign companies | Threats of kidnapping, or assassination of your employees |
| | Isolated terrorist action | Effective terrorist action | Major terrorist campaign | Sudden terrorist campaign launched in … |

The Alert States are defined as follows:


| Level | Situation | Outline actions |
| --- | --- | --- |
| Preparatory Phase | Political and security risk factors justify the preparation of an evacuation procedure; business activity can continue as normal | Activate the CMT; monitor the threat in co-operation with Security Practitioner; review and update the EP |
| Alert State One: Caution | Potential for the security situation to deteriorate rapidly | Business travel is possible with careful consideration; CMT meets once a week for monitoring; upgrade security; keep EP ready for immediate implementation |
| Alert State Two: Stand-by | Security situation and/or country instability represents a risk to employees, families and physical assets | Avoid non-essential business travel (Market and Zone restriction); CMT meets once a week for monitoring; activate Task Force (TF) for co-ordination; security at high level; minimize local movement; undertake a local security assessment and, if the threat is manageable, dependants and visitors can remain on site with evacuation procedures ready to activate; if the threat is not manageable, order the withdrawal of dependants and visitors |
| Alert State Three: Evacuation with stay behind presence | Business severely disrupted and high risk of exposure to staff | CMT in co-ordination with TF withdraw all expatriate staff but stay-behind group of key staff remain on site; assistance and logistic provided by evacuation transport provider; secure all sites including residences, other assets and information |
| Alert State Four: Emergency evacuation | Extreme risk to personnel and company assets | CMT in co-ordination with TF withdraw all international staff |
| Relocation Phase | Initial temporary basing of evacuated personnel in another country rather than their home | Implement Business Continuity Plans; decide whether to repatriate staff or keep them in the temporary location; administrative and HR management |
| Return Phase | It is now considered safe for certain or all personnel to return to country/site | Progressive re-deployment of resources; reactivation of business operation; reverse Alert State actions |



Like any crisis plan, the EP should consider the decision to partially or fully evacuate expatriate personnel under any circumstances. The plan should contemplate the many things that can go wrong during a crisis (breakdown in communication, mandatory curfew, martial law, etc.). Consider also the financial resources needed to see the evacuation to a successful completion, as well as the decision making and delegation of control and responsibilities. If the senior executive is incapacitated or unable to carry out his/her duty during a crisis event, who’d assume the decision-making responsibilities? Develop your CMT tasks and duties and make them part of your EP. Each incumbent should be familiar with their own duties and responsibilities as well as those of the others within the CMT. This can be achieved by rotating CMT duties among its members and conducting mock drills to those ends.


Communication is one of the pillars of crisis plans; without effective communications at all levels, important tasks would go uncompleted, compromising the eventual success of the EP. Start by developing a contact list of all devices for your CMT. Many emergency communications services offer automated call trees which seamlessly send out message blasts to designated individuals in your tree. Make use of cutting-edge crisis technology to gain speed and efficiency when executing an evacuation.

When communicating externally, the preparation of a statement also requires careful planning and consideration.

  • Never make a statement without first making sure that the key messages you wish to express have been properly defined.
  • Make sure you are aware of as much of the context as possible of the situation you will be discussing.
  • Call upon the services of Corporate Communications, who can help give you a better understanding of the aspects you are not necessarily familiar with.
  • Make sure you can refer to dispositions implemented previously in order to prevent the type of incident you are going to discuss (forms filled in prior to the event).
  • Make sure you are aware of all the information that may be referred to during the statement (forms filled in prior to the event).
  • Concentrate on the key messages you identified beforehand.
  • Keep the statement simple, concise, precise.
  • Do not extrapolate, branch out on another subject, or try to hide part of the truth; be honest, sincere and credible.
  • Do not accept responsibility or place responsibility on a third party for the facts.
  • Always bear in mind that what is stated to the press will be read by all the company’s audiences, both internal and external.

Order of Evacuation

The general chronology of an evacuation will be:

  1. All dependants of expatriate employees, business visitors and third party employees.
  2. Non-essential staff.
  3. Stay-behind and remaining key staff.

Business Continuity

Continuity of the business concern is also of vital importance and should be treated as such in the EP. Even under crisis situations certain products must get to market. To ensure continuity of your business, identify key facts about the operation; identify primary and secondary sites, as well as subsidiaries. Consider the situation: how is business likely to be disrupted? How can business continue under alternative management measures? Designate a person responsible for business operation during an evacuation and lay out their protocols. Develop a contingency arrangement for all sites and business areas (sales, production, supply chain, finance, IT, etc.). Develop the means of communication enabling remote advice by proxy from a central location away from the conflict. Take into consideration the priority in providing services or products to your customers. Arrange proper protection for stay-behind staff, assets and products.

Lastly, remember that most crisis conditions arise suddenly and would not allow lengthy deliberation about what to do. A well-formulated evacuation plan would give you the flexibility to operate your business anywhere in the world while keeping your personnel safe, protecting your assets and product, and perpetuating business operations. Your shareholders would not expect any less. The truth of the matter is that such plans were once reserved for exotic hot spots, but in our fragmenting world, where risk is asymmetric and extremely unpredictable, these scenarios are fast becoming the norm anywhere. If you plan well, you’d execute diligently and get back to operations faster. This would ensure the most leverage from the opportunities every crisis intrinsically provides.

Security Practitioners, The Neo-Centurions

By Francisco Mateo, CPP, CFE

The decline of the Roman Empire preceded a gradual breakdown of the Roman Empire’s economy, thanks in part to the constant barbarian invasions; this demonstrates a striking similarity to the watershed moment we are witnessing today. Globalization has created empires of wealth around the world, but an economic decline and the rise of a global illicit economy threaten to impose new regimes based on intricate, interlocking networks.

To protect the legitimate global economy, the 21st century security practitioner would more closely resemble a Centurion from antiquity: able to command legions of other security practitioners across networks, co-opting their services based on expertise and results orientation, and banding together to tackle their clients’ toughest asset and people protection challenges across geographic boundaries.

The rise of these Neo-Centurions is predicated on the growing risk of highly organized, vertically integrated (but flexible) criminal syndicates, which would continue to rise and challenge the global economy as we know it today. Since organized crime actors maneuver in the shadows, aided by geography, often in so-called failed states, it imposes the need for a more astute, defensive player to counterbalance the onslaught on corporate entities and business in general. What it calls for is well-trained security practitioner networks that become significant stakeholders (in the race for profit assurance) and engage organized criminal networks in asymmetrical conflict at a superior level.

Centurion qualities like being “vigilant, temperate, active and readier to execute the orders he receives than to talk; Strict in exercising and keeping up proper discipline among his soldiers” are well suited for today’s security practitioners. We’d operate like a fleet of agile ships navigating through rough waters, through discipline and well-timed execution. For some time we have pondered the skill sets needed to triumph on the business battlefield, much like the centurions did throughout their conquest campaigns. It has been said that:

“In addition to law enforcement and military skills, a security leader must understand his or her firm’s business from finance and strategy to business continuity, competition and profits. The security leader must employ executive leadership skills appropriate to the corporation as a whole. He or she must be able to communicate, manage large projects, create strategies, assemble cross-departmental teams, execute plans and more.

A security leader must understand IT security and must maintain an awareness of emerging issues that may affect the company. He or she must follow legislative and regulatory trends, developments in globalization, trans-national crime, security research and development, and other trends that may one day alter the corporation’s fortunes.”  

Much like the centurion, the security practitioner must be able both to apply the knowledge and skills aligned with the next-gen security leader and to teach his or her team how to implement them in their execution. I recently saw a precise description suited to the new practitioner: “A security leader is a visionary, someone who can drive strategy and who understands the levers of power in the corporation, and someone who can clearly articulate his or her vision. He or she must also exhibit the ability to produce results, lead people, delegate and develop employees.”

Our civilization is undergoing an epochal change requiring the restructuring of economic, societal and overall power structures. The transition could be tortuous for many organizations. Security organizations are not exempt. We must respond to a fragmenting world by developing new paradigms in operations. The redesign is already underway, sadly without much input from business security professionals. But it is not too late; security practitioners can still take the helm by postulating new protection schemes. If our future is headed towards neomedievalism, then we must hone the skills of the next-gen security practitioners to create those networks of cross-skill professionals that can nimbly tackle the security issues our organizations would face.

A new global security operating model would require both the nimbleness and the leverage that a contract security center of expertise (Shared Service Center) provides. Whether it is on a retainer or charged per service, the aim is to reduce shared service cost by simplifying what support functions we’re expected to deliver and eliminating nonessential activities by focusing on what’s most important to the business. The key here is to focus on the most essential processes, eliminating steps that don’t truly contribute to the business. Many security-related services could be effectively conducted on a need-to-be-in-situ basis. Of course, some security practitioners will always be sourced locally from strategic locations overseas to handle particularly sensitive, specialized, or high-risk tasks. As a recent RAND report stated, “Although globalization is promoting homogenization in some sectors, significant cultural, language, political, and societal factors still make each country unique. Our need to understand these countries in their true complexity is increasing, not diminishing.”

Why centurions and not knights, who are more representative of medieval-age protection professionals? The answer lies in a conceptual interpretation and allegory I’m attempting to draw. I know that I’m generalizing on one of the most significant periods in the history of humankind, but bear with me on that part; my focus is to turn the security organization on its head as we project forward to events over the horizon.

Under the new operating model, economies of scale would require a reliance on teams of security practitioners that assemble for specific protection projects. The teams are assembled from the legions of global security practitioner networks being formed today. These flexible organizational structures are more in line with the way Centurions skillfully organized their fighting units to protect conquered territory. They were essentially leaders of small, nimble divisions of a larger army. Likewise, the security practitioner would lead small, independent teams of professionals paired together based on their subject-matter expertise, applied to the protection needs of organizations from disparate industries, across boundaries.

History has important lessons. I’m sure that centurions were instrumental in protecting even the far-flung reaches of the Roman Empire. But even their discipline and superior knowledge of warfare were not enough to offset the larger economic and social forces that prompted the decline. Today the operating risk environment is changing dramatically and complex issues (global illicit economy, regional wars, etc.) affect global businesses. The neo-centurion (security practitioner) applies acquired analytical abilities to postulate new organizational designs, which lead to competitive protection of people, assets, reputation and brand services.

How Not To Get Kidnapped in China (Via Forbes)

I came across this article through one of my networks on LinkedIn. I thought it would be important to share with all of you here. It’s an excellent exposé (first-hand account) of a phenomenon that occurs with increasing regularity. In a nutshell, kidnapping in China, as reflected in the article, is not a tactic used by syndicated crime groups, as we know to be the MO around the world. It is rather the result of a lack of knowledge from cavalier western businessmen about local business culture and customs.


The Geopolitics of Climate Change

Are we witnessing an increase in the intensity of weather events and disasters related to climate change? I’d like to think it’s all hype, but when the US Intelligence Community is considering climate change, changing weather patterns and rising sea level as part of military planning for the first time this year, we all should at least be concerned. The big picture question is, could it lead to worse disasters, even war? According to Amanda Dory, Dep. Asst. Sect. of Defense/Strategy, the implications of climate change could be likely triggers.

Don’t Go There!

I found the slideshow interesting from a travel and security perspective. Oftentimes we focus too much attention on the risk that crime represents and neglect other factors that are equally important to evaluate before setting out to these choice places around the world. Thanks to Peter and his crew we can obtain advance intel.

Peter Greenberg’s guide to the must-miss places of the world. Peter Greenberg is the travel editor for NBC’s “Today” show, CNBC and MSNBC, the author of The New York Times best-sellers “Don’t Go There!” and the “Travel Detective” book series, and host of the nationally syndicated Peter Greenberg Worldwide Radio show.

Random Thoughts on Security and Profitability

Security can absolutely contribute to a company’s profitability. The security organization achieves significant cost reductions on risk mitigation investments, while reducing its Annual Loss Expectancy (ALE) year over year, despite a global downturn where the security risk scenarios have taken a turn for the worse. All in all, corporate cost/risk reduction efforts have a positive impact on the Working Capital margins and thus overall company profitability. That reminds me of Thomas Matthews’ call to action at ASIS 2009 in Anaheim. In a nutshell, he encouraged us to jump in front of trends and learn the lean principles and how they can be applied in our service delivery.