So is security required these days? In today’s world the number of businesses without security is far greater than the number of businesses with a security presence. Is that a bad thing, or is that acceptable? The answer is not black and white in many cases.
To have a security department of any size requires more than just someone saying we need or we do not need security. However, there are plenty of business owners out there that have made such decisions in the past, and that is likely still happening today. So let’s address those businesses that have made the decision that they do not need a security department.
First, in most cases there is no statutory requirement to have a security department. There are some states and cities that require security measures, such as security cameras or alarms in some types of businesses, but very few require security officers.
The reasons that I have heard over the years regarding not having security officers is the costs, or there is no need to have them because there is very little crime.
Why Have Security
There is no doubt that the cost of security can be high depending on the number of officers and level of services that they provide. I have also seen businesses that were spending millions per year on security staff and without question they were not getting a decent return on their investment.
In this case I am talking about security officers performing services that had nothing to do with security, more so the officers were doing things such as delivering food and mail; washing cars; working on plumbing and so on. Basically, in those cases you get what you pay for. There is a commercial on television these days that shows a bank robbery in progress and the customers look to the security officer to help them. However, the officer says he is only there to monitor and report things, nothing more. This type of example plays right into the question regarding why have security if they cannot do anything.
Look at it this way, if you have security officers are they protecting your assets or are they just window dressing?
Do You Need Security
When the time comes to make a decision whether or not to have security officers on staff it is best to conduct your due diligence either way. One of the more sound processes to determine the direction your organization should take is to conduct a comprehensive security assessment so as to determine your risks, threats, and vulnerabilities. Making a decision to have or not have security has to be based on factual information, not personal opinions or biases.
Again, not all businesses have a security presence and remember that some businesses have security and it is ineffective. There is and always will be the concern with costs, but in some cases businesses cannot afford to not have security.
So do you know if your business needs security or not? If you have security have you evaluated their effectiveness lately?
When it comes to workplace security risks and safety there is no doubt that the average person expects to have a safe work environment. In fact the OSHA General Duty Clause 29 U.S.C. § 654, 5(a)1 requires that: Employers are required to provide their employees with a place of employment that “is free from recognizable hazards that are causing or likely to cause death or serious harm to employees.” That being the case how safe do you feel at work?
An interesting survey conducted by CareerBuilder® clearly demonstrates that many employees that do not feel safe in their workplace. The reality is that almost a quarter of workers do not know what to do in the event of an emergency! This aligns with my findings over the years.
Employee’s Role in Workplace Security Risks & Safety
Employees have a critical role in workplace security risks & safety and yet one of the most often stated responses that I get during a security risk assessment is that employees do not know what is expected of them or what they should do during an emergency. I have even had security officers say that they are not sure what to do. Really? Can this be possible? Absolutely!
When this comes up I make a point of determining the root cause of these statements.
In one recent case where security staff told me that they were uncertain on how to do their job, or what was expected, it was determined that management had in place all of the information that the security staff would need, yet the security officers did not have access to it.
There was yet another time when the security staff was operating under policies that they were not allowed to see or read; yes, you read that right!
The fact is that there are some very respectable emergency management and security plans in place in many businesses, some of which are best practices, but if that information is not shared with the staff how can we really expect them to respond in an appropriate manner?
Workplace Security Risks
Since there are more businesses out there in today’s world that do not have a security staff on duty, businesses really rely on their management and staff to manage their security. If done properly that can be very effective, but if you are not sharing your plans with staff you may be increasing your risks, and therefore your liability exposure.
Even those businesses that have security officers on duty know that the officers cannot be in all places at all times, and they too understand the importance of training all staff in their role of safety & security, or at least we hope that that is the case.
The best means in which to determine how your staff feels is to ask them. I cannot begin to tell you how many times management has been taken aback by my findings and asked; how did you get staff to tell you that? Simply put; I asked them.
If you assume that staff knows what their role is with security or responding to an emergency you might be wrong. If you have not put in place a training program that includes an annual refresher to ensure that employees know what to do, your organization may be at risk. There is no way to predict how an employee will react if they have not been trained to the point of memory reflex, as history has proven that many people will react or respond in ways that cannot be predicted.
Follow this link to read the OSHA General Duty Clause 29 U.S.C. § 654, 5(a)1
Risk of Security Breach
Think about how many times over the last six months that security threats have been in the local, national, or international news. It seems as if they are everywhere these days; real or perceived!
It is almost daily that a news story breaks in which at some point a news commentator or a law enforcement official mentions that they are looking at the incident as a possible terror attack. Does this mean that terror attacks happen that often? No, what it means is that a terror attack is often the first thing that comes to mind until proven otherwise. However, no one knows for certain how many of these incidents actually have a terrorist element that goes unnoticed.
Real or Perceived Security Threats
It is very common in the security consultant world that when threat, real or perceived, is on the minds of people the security experts will often get a call. Although that can be good for staff morale and will often lead to improved security measures, you really need to consider that any changes that are made are long term, not just to calm down the staff. All too often security experts will make recommendations to an organization only to find out later that the recommendations were not implemented. This happens for a number of reasons.
Those reasons can be budgetary, philosophy, or a number of other factors. The important thing to remember is that when your organization asks a security expert for assistance, and they provide it to your management, that you just do not ignore their findings.
Refusal to Accept Security Recommendations
Years ago I met with an organization’s administrative team who had retained another security consultant 3 years prior for a full security review of their organization. While sitting down with the Senior VP I was handed the previous consultant’s report, which was about 200 pages. The VP stated “We have not accepted this report.” Really? As I sat there and looked at the report I asked the VP what she meant by the statement that they have not accepted the report? She went on to say again, “We have never accepted this report.” At that point I was confused so I asked, did you pay for the security report? The VP said, “Yes.” So I asked; is this the report that they generated and you have in your possession? The VP responded, yes. Needless to say I followed with a comment along the lines of, you requested that they conduct a security assessment and write a report, they did so, and you paid them for their services and have their report, I am sorry but how is it that you have not accepted the report?
The point being made here is that they for all practicable purposes requested, received and paid for the document. It was however agreed that they did not like the findings upon review of the report, but acting as if it does not exist is not a well thought out business strategy.
Security Assessment Report Next Step
If your organization requests a security consultant to conduct a review and your management team does not agree with or accept any part of the findings, at least document your rationale. You may have a very legitimate reason for not following a recommendation, and there may be no issue with not following through with it. However, document why and be as detailed as possible. Your legal counsel will likely appreciate your due diligence.
Security Assessment Second Opinion
In the example above it is not hard to imagine where the administrators felt as if they did not agree with the findings, and in response they just pushed it aside and acted as if it did not exist. So after a long discussion we agreed to a new security assessment prior to our security expert’s review of the existing document. This was to ensure that there were no preconceived biases on our part. Upon completion of a new security assessment, and a review of the document it was our opinion that many of the findings and recommendations were spot on. The organization did accept and act on over 90% of our findings; many of which were considerably close to the original security assessment findings.
The point to be taken away from this is that the original assessment process, intent, scope, and expected outcomes were not explained clearly upfront. Thus there was disbelief and a major misunderstanding when the report was delivered and reviewed. If your organization finds itself in a similar situation give us a call, we can assist you in ascertaining the validity of the findings and recommendations.
Employee Theft Costs $60 Billion Annually
If you have employees there is a risk of employee theft. That is not to say that all employees are thieves, because they are not, but do we know for sure who we can trust?
You only have to read through the daily news to see where an employee stole from their employer. In some cases those employees are very well liked and trusted and yet they have been found to be embezzling hundreds of thousands of dollars.
Did you know that in 2015 United States retailers lost a reported $60 Billion due to shrinkage, and that is up from $57 Billion in 2014? Additionally, this report – the US Retail Fraud Survey – identified employee theft as the prevalent source of loss to retailers.
Employee Theft Indicators
First we will start with the qualification that the true indicators of employee theft can be affected by the type of business, economic status of the geographical area in which the business is located, and in many cases the hourly wages of the staff. That is not to say that only low paid employees are at risk to steal from their employer, because even management staff paid over $100K annually can be a thief. So what can us as business owner’s watch for that may be warning signs of employee theft?
Let’s start by saying that if you are not tracking inventory losses you are not likely to know if anything is amiss at your business. If there is a way for staff to manipulate the inventory numbers, or bypass loss control measures, your business is also at risk.
As a point of fact, we worked with a very large scale tourist destination where the majority of visitors were from countries outside the United States. While conducting a normal security risk assessment we found that employee cashiers were manipulating the cash registers, in essence taking advantage of both the customers and the business. This had been going on for years and no one in management knew of it. However, had they had an inventory control system in place, and conducted regular and surprise audits proactively, they would have caught this early on.
In another case a trusted executive assistant of a finance department, who had been with the organization for 20+ years and who had been able to control the books without oversight, was able to embezzle over $1 Million. There were warning signs, such as the fact that the employee was living way beyond the means of their salary. This employee also was able to convince the CFO that there was no need to hire an outside auditor to review the financial records, because the executive assistant could save the company money by doing the audit internally. It was only after the CFO resigned and a new CFO was hired and requested a full audit by an outside entity that the embezzlement was uncovered. In the end once investigators completed their report they documented dozens of warning signs that had been present and were ignored by everyone. The employee was terminated, prosecuted, convicted and sentenced to prison. The real kicker with this case is the fact that I advised the COO ten years earlier that the organization should be conducting background checks on staff with fiduciary and financial management responsibilities.
Policies Regarding Employee Theft
If you do not have any policies in place, or you have policies but have not reviewed and updated them in over 3 years, it is time to get to work.
Policies do not prevent employee theft, but they do lay the ground work and set the rules. Set the expectation upfront and be sure to include a Zero Tolerance statement, and mean what you say. The policy should also speak of the employers rights to search anything that the employee brings into work (e.g. backpacks, purses, duffle bags….); and employees are subject to video monitoring and that they consent to such. It is also a good idea to include verbiage that employees are required to participate and cooperate with any investigation, and if they refuse they could be terminated.
Cash Security Measures
There are numerous ways in which a cashier can divert cash receipts to their personal use, as well as numerous ways that management can identify such activity in the early stages and manage the revenue stream from the time that the money leaves the customer hands until it is deposited in the bank. The point being that management has to know and understand the ways in which funds can be diverted and demonstrate a strong position on cash security management.
Random cash register audits are easy to conduct without warning, and can actually determine a diversion in progress. When conducting security risk assessments at locations that utilize cash registers we will always inquire as to how often management conducts surprise cash drawer audits. Over the years we have on numerous occasions observed very perplexed looks on manager’s faces when this subject comes up. After a minute or so they will often understand what we are asking for, and then they will state that they do the cash counts often. However, not once have they conducted an audit on the spot, nor could they provide any documentation of any cash drawer audits ever being performed.
There any many things that your organization can and should do to provide the proper security measures for your businesses financial assets, and contrary to the opinions of some they are not costly or time consuming. There are proven loss prevention strategies that can be utilized to protect your revenue stream, but if you do not know and follow them there is no telling if all of the revenue that your business generates actually makes it into your business banking account.
After an extended break as a result of a very busy schedule where we were unable to keep up with the publishing of the Protection Connection™, we are pleased to say that we are back with your security news source.
We have heard numerous times over the last several months that our readers have requested that we continue to publish our newsletter, and we appreciate all of the great comments about how valuable and useful the information has been to other security professionals and business owners. So the Protection Connection™ is back and is in a new format that is user friendly! What’s new?
We all know that our world is changing by the minute, and many of the changes are a result of security threats from a number of different sources. With those threats, and the real or perceived sense of vulnerability, security experts tend to find that there is never enough time in a day, so often times some things have to be put on hold. That being the case, we were unable to keep up with our newsletter. However, the Protection Connection™ is back!
Security News Format Change
Basically we have changed our newsletter format from a downloadable format and caught up with times. What this means for you the reader is that our newsletters will come to you in an email format, with links to our stories. This gives us the opportunity to use additional space as needed for the articles, as well as link them to other previously published articles or other related information resources.
We continue to encourage you to share and like our stories on social media, and if there is a topic that you would like to see discussed in a future edition, please let us know.
As always, we thank our readers for your support and kind words. Our goal is to provide you the security professional a resource to invoke your thought process. We do not preach to you, we try to give you ideas and help you consider factors outside of your comfort zone.
Sign up to our newsletter mailing list here.