Intrusion & Access Control Shooting Demonstrates Vulnerabilities Of Run Hide Fight Response.aspxNewsroom Shooting Highlights Challenges of Securing Open OfficesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-06-29T04:00:00Z, Lilly Chapa<p>​A 38-year-old Maryland native allegedly opened fire on an Annapolis-based newsroom​, killing five people and providing a grim reminder that security best practices are not one-size-fits-all. </p><p>The suspected shooter, Jarrod W. Ramos, had a longstanding grievance with <em>The Capital Gazette</em> stemming from the paper's 2011 coverage of a harassment charge against him. He pursued—and prolongated—legal action against the reporter, publisher, and judge involved. He also started a website and several Twitter accounts berating the newspaper.  ​</p><p>In 2013, the paper and one of the targeted reporters contacted police to discuss filing a restraining order or misdemeanor charges due to the prolonged harassment but ultimately decided to not follow through for fear of further antagonizing him, <a href="" target="_blank">the <em>Baltimore Sun</em> reports</a>.  </p><p>The reporter and the publisher involved in the legal proceedings from more than seven years no longer work at <em>The Capital Gazette.</em></p><p>"If you fire somebody or have an incident with them, it's typical to feel that their retaliation is going to be in the near future, but that's not necessarily true," says Michael Crane, CPP, security consultant and attorney at Securisks. "You hear stories where people come back after a year or two—and in this case, it was after five or more years."</p><p>Crane—who is also the chair of the ASIS Active Assailant Working Group—notes it appears that the paper followed security best practices after the threats escalated in 2013.</p><p>"Between his lawsuit and the threats that he made, that certainly should have given them an increased sense of surveillance or security," Crane says. "What you want to do in that type of situation is conduct an assessment to harden your facility. I'm assuming that part of the newspaper contacting the police was putting in access control on a locked front door so nobody could just walk in without being buzzed in."</p><p><em>The Capital Gazette</em> shares a building with several other commercial tenants. The shooter entered through the building's rear entrance and, despite closed access to the newsroom, was able to enter by shooting through a glass door or window. <em>The Capital Gazette</em>—like many newsrooms and office spaces—has an entirely open floorplan, with glass windows all around the room, reporters working at desks in the middle, and half-walls along one side for editors' offices, <a href="">according to CNN</a>.</p><p>As the gunman proceeded to systematically fire his 12-gauge pump-action shotgun along the room, some employees ran to the back door. However, before entering the building, the gunman had barricaded the door. One man who tried to force the door open was shot and killed. </p><p>The rest of the employees hid as best they could under desks and behind filing cabinets. After less than two minutes of shooting, police arrived and the shooter ceased his attack to hide under a desk, before being captured by responders.</p><p>"The police were there in 60 to 90 seconds—that's absolutely tremendous and should be applauded," <span style="background-color:#ffffff;">says </span><span style="background-color:#ffffff;">Kevin Doss, CPP, PSP, CEO at Level 4 Security. </span>"However, five people were killed in less than 90 seconds. These happen quickly, so performing a threat assessment, hardening facilities, planning procedures, and training are all critical—you're only going to have a split second to react."<br></p><p>Building a training program based on an organization's specific needs and threat points--and that implements both physical security measures and procedures--is imperative for success, Doss explains. Media organizations, for example, are higher-risk targets because they publish news that is bound to cause grievances. </p><p>"You can take a basic program, and then we talk about site specifics, and that’s where a risk assessment is critical," says Doss. "You can’t use a cookie-cutter approach to an asymmetrical threat like active shooter because that threat can change characteristics. People are going to have a plan of attack before they show up, and this guy did—he had a plan to lock people in."</p><p>Doss has trained U.S. federal agencies using the U.S. Department of Homeland Security's Run. Hide. Fight. active shooter protocol and now uses a similar approach when training organizations. He notes that he is working with more companies that have open offices—often featuring open workspaces and glass instead of walls and doors. Active shooter training must account for this increasingly-popular type of workspace, he tells <em>Security Management.</em></p><p>"Look at your workspace from a survival capability," Doss says. "If it was all open space, there are very few places to hide. At that point train yourself--what could I do if a shooter gets here? If door is barricaded, look at breaking a window or looking at another method. That’s where training comes into play because you don’t want to figure that out during an emergency. You want a planned course of action to train on. If you’re not trained on it, you won’t know to do it."</p><p>Crane agrees, noting that even open office environments should ensure that there are safe places to hide, such as bathrooms or conference rooms with locked doors. Doss points out that while glazing is common in many offices and allows for natural surveillance, it's also the weakest barrier. Hardening that vulnerability by using polycarbonate or bulletproof glass, or adding a shatterproof film, can help in such instances. </p><div><p>Crane discusses the challenge of assessing the true danger of a person—either an insider or someone in the community—with a longstanding grudge. Threat assessment teams are helpful in keeping track of terminated employees or customers or people who have been making threats.</p><p>"You have to look at active assailant as a subset of a workplace violence incident, which has been going on for years," Crane explains. "The majority of our workplace violence incidents are domestic related and can spill into the workplace. However, as rare as it is, active assailants do happen. Recognizing behavior and doing something about that behavior, contacting the police, increasing security, limiting access into your facilities, training as to run-hide-fight, those are the only things you can really do."</p><p>Doss says threat assessments not only help harden a facility but allow for the detection of potential bad actors. While good assessments are costly, he recommends high-risk organizations conduct them yearly. </p><p>"I may not be a threat this year, but I may be escalating toward becoming an actual threat, and the only way you’re going to find that out is to track these types of incidents or behaviors," Doss notes. "Active shootings never happen all at once, there’s always a building and progression--some type of behavioral issues prior to them committing the act. That’s where we have an opportunity to identify these behavioral characteristics and intercede."<br></p><p>For small businesses and houses of worship, there are a plethora of resources on how to conduct a threat assessment and make sure every employee receives basic active shooter training. "This problem is only getting worse, and we need to become more proactive from organizational side of things because we have a responsibility to provide safe workplace for employees," Doss says.​</p><p>The shooter had to be identified via facial recognition software because the fingerprint analysis system was taking too long. Police searched his home in Laurel, Maryland, about 30 minutes from the newsroom, and found evidence of the origination of the planning. He is being held without bail and has been charged with five counts of first-degree murder. Security at newsrooms across the country has been increased as a precaution. ​</p></div>

Intrusion & Access Control Shooting Demonstrates Vulnerabilities Of Run Hide Fight Response.aspx2018-06-29T04:00:00ZNewsroom Shooting Highlights Challenges of Securing Open Offices Charleston International Airport Modernizes Security with Pivot3 Chain Company Makes Access Control a Priority Fatalities in Texas School Shooting Peril.aspx2018-04-01T04:00:00ZPersonnel Peril No Chances Governor Unveils Major School Security Plan In Wake Of Shooting the Fire for Help BLANCOS SUAVES CON PSIM's-New-in-Access-Control.aspx2017-11-20T05:00:00ZWhat's New in Access Control? Lockdown Procedure Prevented Tragedy in Rancho Tehama Soft Targets with PSIM in Shared Spaces Review: Biosecurity the Solution and Secure bajo Control and Cloud Access Control Systems to the Masses

 You May Also Like...'s-New-in-Access-Control.aspxWhat's New in Access Control?<p>​Innovation in access control is quietly heating up. The industry is ready to implement innovations on a broad scale that have been just out of reach. Demand for virtual credentials is growing, facial recognition technology is both technically and economically feasible, and migration to the cloud is increasing—and increasingly beneficial. Over the next few years, market adoption of these advances will transform the ways security professionals operate and organizations benefit from their access control systems. </p><p><strong>Virtual credentials and mobile access technology</strong></p><p>The demand for virtual credentials and mobile access is intensifying, driven in part by younger members of the workforce who never go anywhere without their smartphones. Suffice to say, most employees wouldn't turn their cars around for a forgotten physical credential, but they'll certainly restart their commutes to collect forgotten smartphones. </p><p>The benefits are simple: convenience, compliance, and satisfaction of workforce demand. Everyone carries their phone, security professionals enhance their management capabilities, and employees can stay on the move. By including the credential in a mobile device, embedded in an app, organizations can also provide novel security capabilities, such as threat reporting and virtual photo ID. </p><p>The good news is that virtual credentials and mobile access technology have progressed to the point that they are easier to implement. Migration is straightforward, and implementation does not need to be all-or-nothing. Instead it can be taken in phases leading to an interim hybrid approach that includes physical and virtual credentials. </p><p><strong>Facial recognition</strong></p><p>Facial recognition offers the advantage of using existing access control rules, while reducing the friction of the user experience. </p><p>Picture a busy New York City high-rise office building with turnstiles that control access to an elevator lobby. There are always a few employees who have to search their pockets or backpacks to fish out a physical credential. Implementing facial recognition eliminates that bottleneck. The software scans people as they approach the turnstile and transmits a virtual credential to the access control system. Where a line might otherwise have formed, authorized employees now pass through turnstiles efficiently. </p><p>Facial recognition access control is no longer out of reach. Today's computing power can be combined with increasingly high-definition cameras and advanced recognition algorithms to bring the costs of implementation way down. </p><p><strong>Access control in the cloud</strong></p><p>The access control server is the nerve center of an access control system, but it no longer needs to physically exist. The increasing prevalence of the cloud eliminates that necessity. </p><p>Rather than dealing with the maintenance of a physical server, the speed and convenience of the cloud can handle everything a hardware box used to. This advance allows for increased scalability. And it provides flexibility in how security professionals purchase and use access control servers. Now the integrator or manufacturer can reduce end user burden and cost by ensuring that systems are backed up and updated remotely.<strong> </strong></p><p><strong>What's next?</strong></p><p><strong></strong>Innovations in access control systems will drive the industry over the coming years. Novel credentials, such as mobile access and face recognition technology, combined with cloud-based servers will deliver an altogether improved experience. </p><p><em>John L. Moss is CEO of S2 Security.</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Carry Conundrum<p>​When around 800 Black Lives Matter protesters marched through downtown Dallas, Texas, on the night of June 7, they were flanked by 100 police officers assigned to protect the event.</p><p>The march started out peacefully; officers wore short-sleeved summer uniforms instead of riot gear to show unity with the protesters, and activists stopped to talk and take pictures with officers. </p><p>But when gunfire erupted, targeting those officers, chaos ensued. Adding to the confusion were the 20 to 30 protesters who were decked out in tactical gear and carrying rifles slung over their shoulders—Texas allows the open carry of firearms.  </p><p>Police, unsure of where the shots were coming from, chased after the fleeing citizens carrying weapons. Many were questioned, and one was named a person of interest—a photo of the man in camouflage and carrying a rifle was circulated around the Internet until he turned himself in for questioning. </p><p>Ultimately, the man who fired the shots was not a part of the protest and had been waiting in the fringes for an opportunity to start shooting. He killed five police officers before being killed himself by law enforcement. </p><p>In the aftermath of the shooting, which was the deadliest incident for U.S. law enforcement since 9/11, tensions flared around the rights of citizens to wield guns. Less than two weeks after the Dallas shooting, a man shot and killed three police officers in Baton Rouge, Louisiana, and a man fired into a group of Bastille Day revelers in Nice, France, before driving his vehicle into the crowd and killing 84 people.</p><p>Lieutenant Robert Sellers with the Ohio State Highway Patrol was acutely aware of these events leading up to the U.S. Republican National Convention, which was being hosted in Cleveland and began less than 24 hours after the Baton Rouge shooting. </p><p>Like Texas, Ohio is one of the 45 states with open carry laws, and Sellers knew that people would be exercising their right to open carry at the convention. The Ohio State Highway Patrol was one of the law enforcement agencies called upon to provide security at the event.</p><p>“At the convention, you had thousands of people from across the nation who were there to participate in the political process, whether that be actually attending the convention, or if it was just to be there and make a statement of their views to the crowd,” Sellers tells Security Management. “We did have open carry advocates who had rifles march right into downtown, but they were perfectly within their lawful right to do so.”</p><p>The day before the convention, Cleveland Police Patrolmen’s Association President Steve Loomis urged Ohio Governor John Kasich to suspend open carry laws during the event, citing concerns about copycat attacks following the Baton Rouge shooting. </p><p>Kasich’s office rejected the request in a statement, noting “Ohio governors do not have the power to arbitrarily suspend federal and state constitutional rights or state laws as suggested.”</p><p>Sellers notes that while the police union’s request was in the interest of safety, “open carry demonstrations are just a part of protecting people exercising their rights as a whole.” (Loomis did not respond to a request for comment.)</p><p>The national convention had two levels of security: no firearms were allowed in the space directly around the convention center and within the building itself, as dictated by the U.S. Secret Service. Outside the secure area, including in designated public demonstration areas, attendees could legally carry guns. </p><p>“We remained visible around people open carrying, so that the public could see that we were there and monitoring the situation and would be reassured that nothing bad was going to happen,” Sellers explains. “It wasn’t a show of force—there were a lot of cops there—but we were very soft in our approach, we engaged the people, let them know that we were there to maintain order and allow them to exercise their rights.”</p><p>The approach is one Sellers says officers use on a day-to-day basis, not just at big events like demonstrations or the convention. If officers get a call about someone walking around with a gun, they have to tread carefully, he explains. </p><p>“Just because the person is open carrying and maybe has been reported as doing so, you can’t just stop and question him about it,” he notes. “That goes back to reasonable, articulable suspicion that a crime has or is about to occur.”</p><p>Law enforcement ideology wasn’t as straightforward in the aftermath of the Dallas shooting, though. Dallas Police Chief David Brown said that the open carry advocates at the protest complicated officers’ efforts to identify the shooter.</p><p>“We’re trying as best we can as a law enforcement community to make it work so that citizens can express their Second Amendment rights,” Brown said at a press conference. “But it’s increasingly challenging when people have AR-15s slung over their shoulders and they’re in a crowd. We don’t know who the good guy is versus the bad guy when everyone starts shooting.”</p><p>Brown suggested that state legislators look into the issue. A law allowing handguns to be carried openly went into effect on January 1—the open carry of rifles in Texas has long been legal—and handgun owners could open carry on public college campuses after a campus carry law went into effect August 1. </p><p>There has been vocal opposition to the measures, especially by campus safety groups—three University of Texas professors have sought a preliminary injunction to stop the implementation of the law. Police associations have generally opposed the gun legislation, and the Dallas County Sheriff’s Association, along with Dallas Mayor Mike Rawlings, say they support city ordinances that would ban open carry during large events, like protests. </p><p>Police officers aren’t the only ones grappling with how to safely address citizens with guns. Lieutenant Michael DeStefano works on the training division of the Brevard County Fire Rescue in Florida and says fire and EMS first responders are helpless when dealing with armed citizens. Florida is a concealed carry state, but where DeStefano works, all county employees other than law enforcement are prohibited from carrying firearms on the job. </p><p>DeStefano says that he has responded to calls only to have a gun pulled on him, either by patients with dementia who forgot they called for help, or for more sinister reasons. </p><p>“If there are weapons involved, we’ll stage about two blocks away and wait for the police to get there and secure the scene before we make entry,” he tells Security Management.  </p><p>DeStefano says that his team hasn’t received any hand-to-hand combat instruction, and the most training they have for dealing with an unexpected concealed carrier is active shooter training. </p><p>He notes that first responders have recently been given a more involved role in an active shooter situation: they are to follow armed police or SWAT officers into the scene of the shooting to aid victims while the officers clear the area. However, even in that situation, first responders can’t do much to defend themselves, he adds.</p><p>“The biggest problem that we have with the training is that when we attach ourselves to the SWAT team, if they’re engaged with the shooter, we’re told to go into the nearest room and barricade ourselves,” DeStefano says. “If for some reason the SWAT officers are engaged and they go down, now we become victims because we’re not armed.” </p><p>DeStefano notes that the decision to arm first responders is a department- by-department decision, and he recommends at least one member of every crew be armed on a voluntary basis, and that formal training be added on both weapons use and hand-to-hand combat. </p><p>“That way, if something does happen, we have that person who’s armed and has formal training on how to engage,” he explains. “The only time we’d be firing a weapon is in self-defense, not engagement—we aren’t sworn law officers who can make a judgment of who we should engage. It’s strictly a self-defense scenario." ​ ​</p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 No Chances<p>​Security processes are working properly if nothing happens, as the adage goes—much to the chagrin of the security manager looking for buy-in from the C-suite. But if something does go wrong at an organization, the error lies in either the company's risk profile or its implementation of mitigation procedures. Using risk management principles to create a risk profile and implement procedures to mitigate those risks should leave no gray areas for an incident to occur, says Doug Powell, CPP, PSP, security project manager at BC Hydro. Security Management sat down with Powell, the 2017 recipient of the Roy N. Bordes Council Memb er of Excellence Award, to discuss how to create a mitigation program that only gets stronger after a security incident.​</p><h4>Weigh the Risks…</h4><p>A basic tenet of risk management principles is understanding what risks an organization faces by conducting a thorough risk assessment. "For me, nothing should happen in the security program in terms of making key decisions around protection principles until you've been through your risk management exercise, which will do two things for you: tell you where you have gaps or weaknesses, and what the priority is for addressing those," Powell says. </p><p>Look for the risks that are high-probability, low-impact—such as copper theft—and low-probability, high-impact—such as a terror attack—and build a protection plan that primarily addresses those, Powell says. </p><p>"You use that prioritization to get funding," he explains. "I tell people there's a broad spectrum of risks you have to consider, but there are two that you focus on that I call the board-level risks—the ones the board would be interested in because they could bring down the company."​</p><h4>…And Use Them to Build a Strategy</h4><p>Establishing those risk categories will not only help get buy-in from the C-suite but frame the company's security strategy.</p><p>"You should never say something like, 'well, the copper losses are so small that we're not going to deal with this at all,' in the same way you're not going to say that you'll never likely be attacked by terrorists so let's not worry about it," Powell says. "With that in place, you should have an effective mitigation strategy on the table."​</p><h4>Flesh Out the Baseline…</h4><p>While getting buy-in may rely on emphasizing the impact a risk can have on business operations, the security team needs to have a well-rounded understanding of the risk itself. Powell illustrates the distinction by using an example of how protesters might affect critical infrastructure.</p><p>"It's one thing to say that there's risk of work being disrupted or of a pipeline being taken out of service by protesters, but it's quite another thing to say that in the context of who these protesters are," according to Powell. </p><p>"You have one level of protesters who are just people concerned about the environment, but all they really do is write letters to the government and show up and carry picket signs to let you know they are concerned. The more extreme groups are the ones that would come with explosives or physically confront your workers or who would blockade machinery," Powell explains.</p><p>While these two groups of people both fall under the protester category, the risks they present—and how to respond to them—are vastly different.</p><p>"You have to understand the characteristics of your adversaries before you can adequately plot the seriousness of the risk," Powell explains. "Would it be serious if our pipeline got blown up? You bet it would. But who has the capability to do that? Are they on our radar? And what's the probability that we would ever interact with them? There's a bit more than just saying it's a bad thing if it happens."​</p><h4>…And Keep It Updated</h4><p>Don't let an incident be the impetus for conducting a new risk assessment. Creating a governance model will facilitate regular reviews of the risk assessment and how it is conducted.</p><p>"If you do it well at the head end, you should be mitigating to those standards," Powell says. "Risk doesn't happen once a year, it's an ongoing process where you establish the baseline, mitigate to the baseline, and start watching your environment to see if anything bad is coming at you that you should be taking seriously because the world is dynamic."</p><p>Consistent monitoring of threats allows the mitigation strategy to be adjusted before weaknesses are discovered and exploited.</p><p>"The monitoring aspect is critical, and after an incident you might say that the reason your mitigation plan failed is you simply didn't monitor your environment enough to realize there were new risk indicators you should have picked up," Powell says. "The risk management process is dynamic, it never stops, it's continually evolving, and whether something happens to cause you to reevaluate or whether you reevaluate because that's your normal practice, that has to happen."</p><h4>Establish a Process…</h4><p>Through risk management, a security incident occurs when the risk assessment was not accurate, or the mitigation processes were not properly carried out. After an incident, security managers should never feel blindsided—they must identify the shortcomings in their processes.</p><p>"When something critical happens, the first thing you will do is go back to your risk profile and ask yourself some key questions," Powell advises. "Did we get it right? Did we miss something? How did this incident occur if in fact we had our risk profile correct? Or did our mitigation planning not match well with the risk profile we had developed? If we had this assessed as low-risk but it happened anyway, maybe we got something wrong. If it was high-risk and it happened anyway, what was the cause?"</p><p>If the security program matches the risk profile and an incident still occurred, it's time for the organization to change the baseline.</p><p>"Did we understand our adversary?" Powell asks. "Was it someone we anticipated or someone we didn't anticipate? If it was someone we anticipated, how did they get in to do this thing without our being able to stop it or understand that they were even going to do it? Do we have the right security in place, did we do the right analysis on the adversarial groups in the first place? What did we miss? Are there new players in town? Is there something going on in another country that we weren't aware of or ignored because we didn't think it impacted us over here in our part of the world?"</p><p>And, if it turns out that the risk profile was inaccurate despite proper governance and maintenance, don't just update it—understand why it was wrong. "Look at whether your intelligence programs or social media monitoring are robust enough," Powell suggests.</p><p>"If you had 10 or 100 metal theft incidents in a month, you want to go back and ask why this is continuing to happen," Powell notes. "We've already assessed it as a risk and tried to mitigate it. For me, the two things are intrinsically connected. If you're performing risk management well, then your mitigation programs should mirror that assessment. If it doesn't, there's a problem, and that's what this review process does, it gets you into the problem."​</p><h4>…And Use It Consistently</h4><p>Whether it's copper theft or a terrorist attack, the incident management process should be carried out in the same way.</p><p>"That should always be a typical incident management process for any kind of event," Powell says. "What varies is input, but the methodology has got to be identical. If it's metal theft, it's a pretty simple thing—we have some thieves, they broke into a substation, removed ground wires, and as a result this happened. What can we do to mitigate that happening at other substations in the future? </p><p>If it's a terrorist attack, of course a lot more people will be involved, and you'll be asking some very challenging questions. The process becomes a lot more complex because the potential for damage or consequence value is much higher, but the methodology has to be the same all the time."</p><p>"Overall, whether you're looking at a security breach that happened because you exposed your cables and the bad guys were able to cut them or whether it was a new, more dangerous group coming at you that you weren't aware of, or because you neglected to identify the risk appropriately—all of this has to go into that evaluative process after something happens," Powell says. "Then you have to reestablish your baseline, so you're going back into that risk analysis and move to mitigate it according to what that new baseline is. If something bad happens that's what you do—go back to the baseline and discover what went wrong, and once you know, you seek to mitigate it to the new baseline." </p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465