Three weeks ago, I began the new "Friction Fridays" series by asking if you were prepared for an emergency or a disaster. Then, I did my best to "rub you raw" over the fact that I was absolutely certain you were not.
My job was to make it really tough on you – to get you thinking about what would happen if some disaster impacted your place of business. But I also told you that I would do my best to interject some tips to help you get “Red Dirt Ready,” as Homeland Defense calls it.
We've previously covered a number of logistics related to Disaster Recovery and Business Continuity, including to how would you might deal with a "Disaster of One" or a "Disaster of More" that impacted your employee workforce.
But I'm afraid I have not yet done a good enough job of rubbing you raw. There is still more on my plate when it comes to making you face the possibility of a disaster in your midst.
Nearly 10 years ago I attended a physical security workshop given by Jayson E. Street. The workshop was titled, “Steal Everything, Kill Everyone and Cause Total Financial Ruin!” The subtitle was, “...or how I walked-in and misbehaved.”
Street provided a very entertaining presentation, complete with illustrations, on the topic of physical penetration based upon his unique style of "penetration testing."
In one video clip, he walked through a hotel and picked-up cleaning products from a storage closet, He then proceeded to the kitchen and poured chlorine into a boiling pot of soup.
If it wasn’t for the fact that he left a large note saying, "Your soup now contains chlorine bleach," the soup could very well have been served to unsuspecting patrons.
In another depiction, Street obtained the name and photograph of an IT manager from the internet profile of a business. He also observed the name of their IT repair vendor on a van doing work at the company.
The next day, as soon as he saw the IT manager head out the front door for lunch, he gave him a cordial greeting on the sidewalk in full view of the company receptionist. His intention was to make it appear as if he and the IT manager knew each other.
After they parted ways, he entered through the font door and introduced himself to the receptionist as a technician from their regular IT vendor, explaining that he had just confirmed with Mr. IT Manager that he should pick up his computer for service.
In less than 10 minutes, Street was carrying the IT manager’s computer out the front door, leaving behind only his business card with the imprint, “Your physical security has just been breached.”
Of course, the reality is that Street had been hired by both the hotel and the other business as a consultant to find flaws in their physical security.
I’m using Street's escapades to point out that not every disaster is a natural disaster. Man-made misbehavior can be just as disastrous as a flood, earthquake, tornado or wildfire.
Disaster as Close as Your Front Door
It was a hot August morning and the sun was shining brightly. Shortly after 7 a.m., Patrick Sherrill entered his workplace at the U.S. Post Office in Edmond, Okla. Moments later, Sherrill killed postal supervisor, Richard Esser, Jr. Next, he killed fellow postal worker, Paul Michael Rockne, and proceeded to shoot 18 others. That day, he killed 14 people. The violence ended less than 15 minutes after it began, when Sherrill shot himself in the head.
Far too many people remember this incident, unfortunately, only as the catch phrase,“going postal,” coined about the disaster.
The incident clearly shows that a disaster of this nature is as close as the front (or back) door of your business without proper physical security. While we rely on our receptionist to greet those entering our business, most of us have nothing in palace when it comes to the type of security it takes to prevent somebody from "going postal” within our workplace.
Unsecured Nightmare Waiting for Misbehavior
While moving into a new building, a company found the perfect place to locate their network server and telephone equipment. It was a large closet located adjacent to the front reception area secured by two large doors that locked together.
They went about installing a small portable air conditioner in the closet and venting the unit exhaust into the ceiling space.
Not long after it was up and running, they noticed there was insufficient cooling in the closet for the equipment, even with the air conditioner. To resolve the issue, they simply removed both doors, leaving the closet completely open in an attempt to improve the circulation and reduce heat build up.
Once you're past the receptionist’s desk, you're out of her sight. In three or four more steps, you find yourself in front of this closet, which contains the entire information technology and communications infrastructure for the business.
I can just imagine Jason Street walking in and spilling of a large cup of Coke in one of the open areas of the closet. The result of such misbehavior would be total havoc. You can only imagine what would occur if someone undertook more drastic measures.
Can it be that the excessive heat from the server closet creates a mirage hiding the potential disaster lurking from a lack of security for the firm’s information lifeblood?
Physical Security is No Joke
If you had a solid gold ingot that you used as a paperweight on your desk – say, worth $150,000 – would you feel comfortable leaving your door open every day at lunchtime?
How about when went? Are you just going to leave that gold on your desk to tempt the cleaning lady?
I would venture the answer is "no" to both questions.
How would you secure your office, your building and credential your staff, right down to the cleaning lady, to protect your gold ingot?
You'd probably take almost every precaution you could, like installing a safe on premise, and lock up the gold every time it was out of your sight.
Who knows, you might even put bars on all the windows, install a security surveillance system, alarms, and maybe even use a watch dog. Companies use to use watch dogs a lot for a lot less than to protect gold. Today, they are too worried about having a lawsuit filed by the intruder if the dog attacks.
But I want to rub you really raw now by asking, "Isn’t the rest of your business as valuable, or even more valuable, than that imaginary gold ingot?"
What about your proprietary information? Or how your company does business? What about that job you're about to submit bids on next week? Don’t you think your competition would like to know just how much your bid is going to be?
What about that network server in the closet? Sure, the box of hardware only cost about $7,500, but what about the value of your information and the software you have running on it?
And the worst misbehavior of them all, someone who enters your place of business with the intent to do harm to one or more of your employees. It could be a disgruntled former employee, a competitor who you beat out on last week’s bid, even an unhappy wife who just found out her husband was cheating on her with the supply clerk. Maybe, just maybe, for whatever reason, your business is randomly chosen as a target of terrorism.
Physical Security Demands Your Attention
Physical security isn’t just for large companies. Small businesses like yours need physical security to protect your physical, intellectual, informational and manpower assets from employees and outsiders. Physical security is all about keeping every aspect of your small business safe. Here are some things you should consider:
Professional Assessment and Assistance
Begin with with an inspection and assessment of your company and its procedures to determine by a physical security professional. I'm not necessarily suggesting you need to have the "King of Misbehavior," Jason Street, pop by for a visit, but I would venture a guess that there are qualified firms to perform this work within 40 miles of your location.
Define Company-wide Physical Security Policies
Everyone in your company should have a clear understanding of what the policies are and the penalties for breaching them. After all, one seemingly small breach could mean the difference between life and death.
Establish Access Control at Appropriate Levels
Everything from the front door to the most critical internal information hot spots warrant attention.
I love using movie examples in my stories. Well, in one of the James Bond movies, Goldfinger broke into America’s Gold Depository at Fort Knox. He managed to get past the electrified fence, through the hardened steel doors, even past the vault door. Once inside, the gold was still tucked away in cages behind steel bars. The point being that even if a security cleared worker had access to the vault, he still couldn’t get to the gold without being able to open the cages.
In your business, the extent of, and authority for, access should be dependent upon just how valuable a specific location in your business really is. Your physical security expert can help you identify these areas and the appropriate degree of security for each.
Monitoring is Essential
I would venture a guess that the local convenience store on the corner has better monitoring of its store interior and premises than you have at your place of business.
Monitoring what happens in and around your small business not only helps alert you as to suspicious activity before it becomes misbehavior, but it also creates a record when misbehavior does occur.
There are not too many misbehavers who are going to take videos of their soup poisoning routines, and then turn them over to you when they are done, like Street would.
Security System including Panic Alarms
Every small business needs a security system for protection in exactly the same way it need an uninterruptible power supply to safeguard its essential equipment. The system must be monitored 24 hours a day by an outside company, so that if an emergency occurs they can take the appropriate action night or day.
Security words and pass codes must be given to only those trusted personnel who are authorized to give the OK, no matter what situation befalls the company.
Don’t be afraid to make use of the system at the first sign, or even hint of, trouble. A little noise from an alarm system can go a long way in discouraging misbehavior.
The company not only needs to have a policy that defines emergency communications, but also the means to effect emergency communications. This could be as simple as your intercom, paging or telephone system, or perhaps as sophisticated as an emergency notification system that sends a text message to the cell phones of every employee.
Centralized Crisis Location and Secure Areas
Where do employees go for a secure zone? Perhaps it’s the same place as for an approaching tornado? What about injured workers? Is there a designated crisis or first aid location on premise? Is law enforcement, security, fire department and emergency medical services aware of these areas? Are those areas prepared for a disaster of misbehavior?
If you find yourself having been rubbed raw by this article, you probably are not ready for a crisis situation. If your physical security is lacking you must take steps today to secure your small business, even if you take the first step of calling a physical security expert.
Remember – "going postal" isn’t just a catch phrase, it’s a real possibility.