Share thisThe application of security, in many ways, is similar to the philosophical question, “If a tree falls in the woods, and there is no one there to hear it, did the tree really make any noise when it fell?” Specifically, as it relates to a security program, how can we measure the effectiveness of a security program without having an incident?
Laboratories, universities, pharmaceutical companies, and research facilities are at risk to a number of threats including espionage, terrorism, sabotage, theft, diversion, etc. These threats will manifest themselves through determined internal and external opportunistic aggressors. For these two, any organization should attempt to layer security controls towards the detection of determined aggressors. Determined aggressors can take on many forms including simple thief to organized domestic terrorists and persons working independently of organized terrorism groups, typically referred to as lone wolves.
During the course of my employment as a security consultant, I have determined that security assessments can answer the “what-if” or hypothetical lapses in security. They can also validate potential vulnerabilities though an actual test of the security program itself. We can apply controls to hypothetical security concerns, but real vulnerabilities may go undiscovered. Through this process, I have identified obscure vulnerabilities and innovative low cost security controls. Anyone can conduct this type of assessment—the discoveries that are made can be eye opening—and upon correction, can harden the target (building) and delay a determined aggressor.
The following describes the thought process of a determined aggressor.
Surveillance
A determined aggressor will, without a doubt, conduct surveillance on a target facility. To limit detection, surveillance will be sporadic or will be done by teams. They will document patterns of pedestrian, vendor, and employee access. To do so, they will have to have direct line of sight on the facility. To be effective, target surveillance will have to occur during day and evening hours and will evaluate all aspects of the building. To counter this, the application of signage on the site notifies persons of trespassing, precludes parking, loitering, skateboarders, and prohibits video and photography of the site which can delay the documentation/pre-surveillance by an aggressor to the site and points of vulnerability. During one of our assessments, an employee thought our inaction was suspicious and contacted security. This was excellent, however, when security arrived, they asked me what I was doing here. I indicated that I was “waiting for my mom.” The security officer continued to ask, “What’s your Mom’s name.” I had already identified a woman within the company whose name I would give, if detected. The security officer told me, “your mother is not here right now,” to which I replied, “Then I guess I should leave.” As a result of this engagement, we identified a number of commensurate controls:
- Fence the entire property and control visitor and staff access.
- Challenge responses and request personal identification for persons being questioned. Inability or refusal to produce documentation would raise additional alerts.
- The facility should have open and collaborative information sharing with government entities.