Effective Security Risk Assessments
All too often I have had the opportunity to review security risk assessment reports completed by other “security experts”. In many cases it has amazed me that businesses retained these “experts” and spent thousands of dollars for their work, only to find that the assessors missed numerous risks and vulnerabilities.
Having a professional security risk assessment completed on a business can be a financial burden for some smaller businesses, but in the long term it may save them a lot more. You really need to know that the firm you are retaining has the experience and is qualified to do the work.
Remember the adage that you get what you pay for? That low bid is often a sign that the assessor is learning on the job, and if so it is at your expense. All too often businesses go with the low bid or seek out a free service from the police or a security guard company.
In the case of the guard company, I have interviewed numerous management teams that were providing security services to my clients, and not once have I found one that truly understands what a security risk assessment is; not one! Now do not get me wrong, there are qualified firms out there that can do a proper assessment, and I have seen their work, but none of them have been retained by my clients.
The main issue with the police is that they may be able to give you some good crime prevention recommendations, but few officers know what technology is available, reliable, and appropriate for your particular security risks or vulnerabilities.
As for the guard companies, it has been my experience that many of them have regional and/or site managers who have no clue how to conduct an assessment. Again, there are qualified companies out there, but they are the exception to this statement. The incompetent vendors are mainly in the business of providing warm bodies. When I have asked them what the highest risks are for their client, there is often a long pause as they look at each other for an answer. That in and of itself says it all: they have no clue what they are protecting against.
Your security measures will not always prevent a security breach of your facility, and where the facility sits matters. For example, if your business is located in a strip mall, or in a business district in what many call the “downtown” of your city, there are likely additional security risks that you need to consider.
I have visited numerous businesses and found that their security measures were above average, yet when I looked at where the business was located, I found that the adjoining businesses were exposing my clients. This issue is often overlooked, and for the most part that is because the person assessing the security is not taking a holistic approach. By that I mean that, among other things, the assessor looked at the exterior walls, normally the front and back of the business, and gave no consideration to the common walls shared with the neighbors.
Over the years I have seen numerous cases where a business was burglarized and yet there were no signs of forced entry at any door or window. In many of those cases the security alarm activated, but when the police checked the building the exterior looked secure, so they cleared the call and went back in service. The following day, or in some cases days later, the owners of the adjacent businesses found that they too had been broken into, and that the walls shared with their neighbors had been compromised.
There are a few concerns with the above examples, one being that the business owners themselves failed to respond to the alarm activation and relied entirely on the police check. What is often the case is that businesses rely on their security technology and take no steps to ensure that it was professionally designed and set up. An example of that is business owners I have worked with who decided that they only needed glass-break sensors and a contact sensor on the back door. They still had break-ins where the suspect came through a wall, floor, or roof, and others where the suspect hid inside the business until it closed for the night. Sensors on the anticipated entry points do nothing in either case; an interior motion detector, which alarms on presence regardless of how the person got in, would have caught both.
When we look at potential security vulnerabilities we need to look up, down, and all around. We must also consider that the adjoining business may be increasing our risks and, as a result, determine how best to address that.
High-Rise Security Risks
When conducting a security risk assessment in a high-rise, you need to look at the security risks of each business type in that building. For example, when conducting a security assessment of a medical equipment business in a 10-story building, I found a bank, a retail pharmacy, and a daycare in that same building. Since each of those business types has inherent security risks that other businesses may not have, I had to consider those risks and propose mitigation strategies for my client.
In the above case there was a high risk of an active shooter, based on past incidents and additional security threats related to two of those businesses. Those threats had nothing to do with my client, but my client’s staff and customers all had to walk past the higher-risk businesses when entering and exiting the building.
As for the active shooter risk, my client had devised a plan that their staff would use the fire exits (stairwells) to get out of the building if there was an active shooter in the bank. What they had not considered was that two of the stairwells had ground-floor exits near the front and back doors of the bank. So, in this case it would not be a wise decision to evacuate staff and customers through those two exits; instead they might need to shelter in place. There is a lot more to this assessment that I cannot disclose, but my point is that we must think outside the box to ensure that we have looked at all possible security risks.
How To Conduct A Security Risk Assessment
There are a lot of so-called experts out there advertising their services, and lately their number has increased due to layoffs and the fact that many businesses have closed for good because of the COVID-19 pandemic. The reality is that most of those so-called “experts” do not understand how to conduct a proper assessment; many have never conducted a security risk assessment of their current or former employer’s facilities.
There are also software programs that you can use to conduct security risk assessments if you want to go that route. But there are risks with those programs as well.
For example, the programs often have numerous pre-programmed questions that the assessor answers, often as multiple choice or true/false. I have looked at every one of those programs, and they do not have all the questions you need to be considering when conducting a proper security risk or threat assessment. Look at it this way: if you do not have the flexibility to ask the same question in different ways, you are likely not getting the full picture.
Every question that is asked should allow a deep dive into the subject or issue, not just a checkbox answer. Not once have I personally seen a question answered that did not lead to numerous other questions in order to validate the response.
Look at it this way: you can purchase that software and appear to know what you are doing, but in the end you are getting answers to questions that cannot be explained in detail, and canned text responses that are pre-programmed into the software. Is it possible that the pre-programmed responses will be 100% accurate, or even relevant, to the client? No, it is not. It is just a canned text answer to a checkbox that the assessor clicked on, and nothing more.
Another concern with the software is that you typically only get access to the vendor’s software online, and your information is stored on the vendor’s servers. That means you do not own the software; you are only paying a fee to use it.
This also means that your information is not on your network, and if you do not verify the vendor’s security controls (for example, an ISO/IEC 27001 certification or, where health information is involved, HIPAA compliance), you may be placing your employer or client at risk. Is it possible that a person could access your files online and expose your business to a privacy or liability risk? Sure it is; it is also possible that the vendor is looking at your files in an effort to improve their software, so check what the contract says about who may access your data and for what purpose. It all comes down to you performing your due diligence and ensuring that your information, or that of your client, will be secure and never compromised.