BROWSE ALL ARTICLES BY TOPIC
Security: Hit or Miss?
Are your employees gate keepers? They should be.
by Richard D. Sem
A couple of years ago, at an unnamed food processing facility in a Midwestern city, I entered through a propped open exterior door and, without benefit of any escort or identification, I strolled through the facility's raw material storage areas, mixing room, control room, executive offices and finished product storage without being stopped or questioned by even one employee. I then left by the same route. Although this was done with the client's approval, I could have been an irate ex-employee or a person dedicated to doing harm such as contamination. This plant had a comprehensive physical security program and yet their advanced electronic access control system was easily rendered useless by careless and unconcerned employees. More often than not, security programs miss the mark and are far from being strategic and synergistic systems that truly prevent and protect. Many firms believe that a guard at the gate, a card reader at the door and a camera on the dock will do the job. Security is perceived as a non-productive expense and even as a necessary evil. Security budgets are minimal until the significant loss is discovered, and then over-reaction and over-spending becomes the rule. So, what comprises a practical and effective security program? How much do we need to spend on security? How much security is enough? Where have we missed? I would like to discuss several concepts that are often neglected in security planning, keeping in mind that each facility's culture, neighborhood, history, layout, functions, budgets and values vary greatly.
A security assessment or survey, conducted by in-house or contract staff, can identify your site's particular threats, risks and vulnerabilities and should evaluate and recommend enhanced and new security countermeasures. It is critical to periodically stand back and look at your operation through different eyes- the eyes of one who wishes to do harm. That is easier said than done, and it is difficult to see the forest for the trees when you work in a facility every day. One approach that has evolved since the terrorist attacks is a powerful tool in eliciting involvement, understanding and buy-in by all relevant staff and departments. This is a team-based assessment in which a group of appropriate staff (e.g. security, safety, EHS, human resources, IT, operations, facilities management, shipping and receiving, warehousing, transportation, etc.) gather to work through steps that extract their perspective and hopefully arrive at relative consensus. Such steps may include identifying critical assets and likely targets, potential threats and methods of attack or compromise, consequences, potential adversaries, attractiveness to compromise, and an evaluation of existing and planned physical and procedural countermeasures. Keep in mind that security ideally is a proactive and preventive discipline driven largely by deterrence, or making yourself less attractive as a target and reducing opportunities to do harm. It is much less costly and disruptive to prevent a loss from occurring than having to deal with the aftermath of a loss incident. Security should be a strategic and synergistic system in which all security measures, whether physical or procedural, complement and reinforce each other. All too often firms "throw" security measure such as cameras or guards at a problem without standing back and considering how the loss or threat can truly and cost effectively be mitigated. Security should not be a stand-alone function, but should complement and reinforce existing safety, environmental management, emergency planning and human resources processes. Security should be a careful balance between control and protection and productivity, flow, morale, safety and convenience. A security program that is perceived as unduly disruptive and inconvenient will often be resisted and even undermined. In addition to the often discussed counter-terrorism planning and contamination prevention, don't forget other potential security-related losses and threats such as sabotage, arson, theft and pilferage, vandalism, trespassing, workplace violence, activist disruption, etc. The early stages of theft and workplace violence, for example, will often escalate into more serious events if not addressed.
Some of the most useful and cost effective security measures are not the typical physical measures, but are procedural. For example, the most powerful, least expensive and most often neglected security measure is security awareness by all employees. Attentive employees would have stopped, questioned or at least reported me when I improperly accessed that plant. Your people should understand and appreciate that security doesn't begin and end with the guards and other security measures, but is their responsibility, too. Many firms have a high level of safety awareness, and that can often be leveraged to build a higher level of security awareness. Other often neglected procedural measures include policies and plans, hotlines or other alternate and confidential/ anonymous reporting systems, incident reporting and trending processes, background screening, employee/visitor/contractor identification, mail and package controls, workplace violence/sabotage prevention and response systems, collaboration and liaison with neighbors and local police, etc. A related issue is that, while many firms have controls on their employees, there are typically many others in the facility who you don't know and who have few or no loyalties to your organization. These persons include contractors such as contract cleaners, security guards, HVAC repair people, and temporary help staff as well as non-company truck drivers. Many firms, especially since 9/11, have been imposing tighter controls on these people such as requiring auditable background screening, close supervision, restricted access and worn identification. While most food and beverage facilities have fairly comprehensive emergency planning and response programs, those programs typically deal with emergencies and disasters that are of an accidental nature, such as natural disasters, explosions and releases, fires, injuries, etc. Your emergency plans should also address incidents that are purposefully caused including terrorist attack, activist attention, arson, contamination, bomb threats, sabotage, workplace violence, strikes and labor disruptions. Security liabilities are evolving. While such liabilities formerly involved facilities that dealt directly with the public such as retail stores, malls, hospitals, hotels and parking structures, in recent years industrial facilities such as food and beverage producers and transporters have found themselves involved in security litigation, usually involving issues of workplace violence prevention and response or harm caused by contamination or sabotage. The courts, in such cases, look for what is reasonable, prudent and practical; considering each site's function, history, location, vulnerabilities and risks; and considering the standards for sites of comparable composition. Don't forget your overseas operations when planning your security. Facilities, especially those that are locally known as American-owned, may be more vulnerable and attractive as targets than domestic facilities. Security can and should be a vital part of any firm's management and planning. It should not be an afterthought, nor should it be thought of as a non-productive "necessary evil." A properly developed and managed security program, just like a strong safety or environmental protection program, should be a point of pride and a true contributor to the organization's success and profitability. -FQ
Dick Sem is a security consultant with 35 years of security management experience. He served as director of security for Waste Management, vice president of Pinkerton/Securitas, and was president of the International Security Management Association (ISMA). He is board certified as a Certified Protection Professional and is president of Sem Security Management (www.semsecurity.com), a security consulting practice located between Chicago and Milwaukee. Reach him at 262-862-6786 or Dick.Sem@SemSecurity.com.