Your Real Risks
By Desiree Hanford - April 2008 - Security
To anyone who understands risk, some of the most unnerving stories about security involve facilities where nothing bad has happened — at least not yet. These are facilities where vulnerabilities exist but haven’t been discovered or addressed yet.
Case in point: the headquarters of a large health care company. A security review determined that anyone in the lobby could go straight into the rest of the building without being stopped. But the audit recommendations to address that problem languished in the hands of company executives. Six months later, the company found itself embroiled in tense collective bargaining negotiations. One day, a group of people barged in through the front door, raced through the lobby and disappeared into the heart of the building. The stunned receptionist could do nothing but call the police and hope that nothing happened until they arrived.
Think that a security breach like that — involving an obvious vulnerability — is an isolated case? Look around many facilities, and it’s not difficult to spot security risks: a door propped open, poor lighting in the parking lot, a window cracked open or an unlocked gate. And obvious risks like those are only the beginning. Facilities face a wide range of potential threats. The real question is, which vulnerabilities are most likely to be exploited?
There are plenty of excuses not to address that question. An office building may be deemed too small to require a detailed security audit. Or its out-of-the-way suburban location may be judged safe because it does not face obvious, high-profile risks. Cost is often an obstacle. So is the lack of an on-site person who is directly responsible for security.
Excuses aside, experts agree that conducting an audit is paramount to making sure that everyone and everything in a building is as safe as possible.
“In order to really do anything from a security standpoint, you have to know what your risks are,” says Jeffrey Dingle, assistant director of special projects for the Lockmasters Security Institute. “How can you make security decisions if you don’t have a clear understanding of what your problems are?”
Some buildings are clearly high-risk and therefore demand that special attention be paid to security. A good example is a nuclear power plant, says Paul Benne, a senior associate of technology and a security specialist with Syska Hennessy Group. The Nuclear Regulatory Commission has specific guidelines for how those facilities should be secured, and it’s not just the release of nuclear material into the air that has to be addressed. Many of those plants, for example, have regularly scheduled deliveries of chemicals via truck or rail. That schedule requires evaluations on which roads leading to the plants have the most risks. Moreover, the possibility that someone may try to sabotage the truck or train delivering the chemicals should also be considered, Benne says.
The definition of what constitutes a high-risk building has changed over time. For example, the threat of terrorism has created a demand for specialized research buildings to study and respond to a biological event.
The federal government is looking closely at the security of those biological labs, says Steve Blair, a principal and managing director with CUH2A. Two types of assessments are typically conducted on those labs: a bio-risk assessment that focuses on handling and containing biological agents, and a more traditional security assessment that addresses outside threats, such as someone trying to enter the facility.
“If you’re designing a facility with agents that are lethal, the community wants to know what you’re doing to protect it,” Blair says. “It’s a sensitivity and not just a process.”
But for every building that is closely scrutinized because it is clearly at high risk, there are many more facilities where risks have never been adequately identified. And a building need not be a landmark to face significant risks. A good example is a branch bank located near the entrance ramp to a highway. “Someone who understands risk assessment sees that a financial institution has branches located where other financial institutions have had robberies,” Benne says. “Those (new) branches will then be seen as high-risk and added security measures would be put in place.”
Time for Action
Dingle, who had been the security manager at the Atlanta corporate headquarters of Home Depot, recommends that formal security audits be done on a regular basis, noting that there are three occasions in particular when they should be conducted. The first is when a site is being considered for a new building. There are commercial and consumer crime statistics companies available that conduct threat and risk assessments based on geographical location. Their assessments detail what the crime and murder rates are for a specific address and compare those rates to those of the city and county, Dingle says.
“Many times you’ll find that the differences are miniscule,” Dingle says. But if one location has a greater crime rate, it may have an impact on the decision.
A security audit should also be conducted when a significant change has been made to an existing facility, such as an addition, and when there’s been a serious incident, Dingle says. In the latter, the goal is to find out why an incident occurred and how it can be avoided in the future.
A security audit is a three-step process, Dingle says. “First, where do you stand today? What are your policies? Procedures? Equipment? Second, where do you need to be? Third, if there’s a significant gap between where you are and where you need to be, how do you fill that gap?”
Risk assessment can go beyond a security audit and try to determine how survivable a business is if something catastrophic occurs. A number of companies went out of business after the World Trade Center collapsed on Sept. 11, while others survived but got “a big wake-up call,” Benne says. “You can’t, for example, put all the data in one location. You need redundancy. Companies have to ask how they’ll continue operating if they want to keep the doors open after an emergency.”
Despite the benefits of security audits, many companies don’t do them because of the expense, says Sean Ahrens, project manager of security, consulting and design services for Schirmer Engineering Corp. He says that the average security audit costs between $10,000 and $50,000.
It’s often not easy for a security director to justify spending money on a security audit when nothing bad has happened in or around a building, Dingle says. Recommending that an audit be conducted is much like making a sales pitch to management. The reason? A security director is competing with others on the staff who want money to be spent on new computers or the replacement of a compressor.
Audits also aren’t conducted because there hasn’t been an incident in or near a building and so no one feels the need to look for weaknesses, Benne says. That misses the point of doing a security audit. The goal is to be proactive in organizing a plan to handle different types of threats.
“Having a plan could pay off when partnering with an insurance company,” Benne added. “If you can show them that you’ve done an audit, an insurance company may lower your premium, so there are some benefits that are outside of just mitigating risk.”
Another reason security audits are neglected is because it is assumed that the risks facing the facility are so clear, and the appropriate countermeasures so straightforward, that a detailed analysis of security risks seems superfluous. For example, administrators at a school that has several open perimeter doors may decide to lock all those doors in a reaction to violence at another school, Benne says. And while the doors may stay locked for the next several months, at some point security typically becomes lax once again if another incident doesn’t occur. An audit can help structure and focus to security efforts.
This isn’t to say that security incidents at a similar type of building, or strategies used by comparable facilities, aren’t important parts of the security decision-making process. Robert Lang, assistant vice president for strategic security and safety at Kennesaw State University, has studied school shootings to help evaluate ways to address the risks facing his institution.
What people forget, he says, is that incidents like those at NIU and Virginia Tech are typically over in three to five minutes, which means the police likely won’t be on the scene until after an incident is already over.
“We’re trying to do a lot of good things and it’s based on best practices of others,” he says. “But you usually don’t find out about the best practices until after things happen.”
Piece of the Puzzle
Clearly, a review of strategies used by comparable facilities is an essential component of a security plan. A facility executive responsible for K-12 schools, for example, should be aware that other schools have put an increasing focus on perimeter security, so that no one has unchallenged access. “So when someone walks in, they can get to a certain point and then they have to be vetted by signing in, showing credentials and being checked out before they can progress further into the building,” Benne says. “At most schools, and this is slowly changing, you can just come in and wander around.”
Knowing how other schools are addressing security risks can help educational facility executives make decisions about their own buildings, but knowledge of industry trends is no replacement for a security audit.
An audit is especially important when the installation of security systems is being considered. Facility executives may decide to add video cameras because a similar building did so. But if there are no provisions for monitoring the cameras, they won’t achieve the goal of improving security. “Organizations make short-term changes that lack the thoroughness of a well-thought-out plan,” Benne says.
Organizations that don’t conduct security audits often end up with knee-jerk reactions to incidents. Suppose a company is having its products stolen but it’s unclear exactly how that’s occurring, says Lauris Freidenfelds, a vice president of RJA/Sako. Feeling the need to take some action, the company’s management might decide to put cameras throughout the facilities. However, if the products are being put in briefcases, cameras won’t spot the thefts, Freidenfelds says.
Although getting input from the local police department may be useful in the audit, simply asking the police for advice about ways to improve security is no substitute for an audit. Police focus on law enforcement, which is different than securing a building. “Law enforcement responds to criminal activity and security is designed to mitigate criminal activity,” Benne says.
Some organizations have a security audit conducted and then fail to act on its recommendations. Taking that approach, however, opens management to liability because there’s an obligation to fix the items that the audit found, says Dingle. An audit is likely to find more problems than there are dollars to address them. At that point management needs to set priorities, determining what situations and events are possible, what their probabilities are, and whether their impacts would be catastrophic, minor or something between the two.
“These are tough decisions,” Dingle says. “How do you invest money in things that might never happen?”
Of course, if audit recommendations are ignored, and an incident occurs, the company must deal with the effects of the incident as well as the cost of countermeasures, which will surely be taken. In the case of the health care company that ignored the audit recommendation to improve lobby security, the intruders wound up in the office of a facility manager, who called the security manager demanding to know how the breach could have occurred. The security manager pulled out the audit report, which had warned of the risk of such an incident. “Companies don’t fully understand the cost associated with the risk,” says Ahrens, whose company had conducted the audit. As a result of the incident, the lobby was compartmentalized to preclude the possibility of a similar event in the future.
What facility executives and security directors need to remember is that there is no way to prevent all security incidents, Dingle says. If a security breach occurs, there will often be recriminations, with people saying that management and others involved in security should have seen it coming. “But there’s a huge list of things that can happen,” he says. “The goal from a security standpoint is to identify things most likely to occur and take reasonable steps to prevent them.”
Desiree Hanford is a freelance writer who spent 10 years as a reporter for Dow Jones. She is a former assistant editor of Building Operating Management.