Wednesday, April 30, 2008

Kidnap Risks to Travellers

One of the negative outcomes of crime prevention activities is that a crime may not be eradicated, but instead displaced to another place, target or time. A further potential consequence, especially when the adversaries are organised criminals, is that interdiction of one type of crime may lead to a corresponding increase in another.

This is the case in Mexico, where Mexican authorities’ successful interdiction operations against drug smugglers have led to a dramatic rise in kidnaps for ransom. Some sources estimate that drug gangs are now responsible for 30 to 50 kidnappings a day in Mexico and that ransoms often run to $300,000 if the victim is returned alive. Sometimes, gangs hold several victims at a time. The risks to business travellers should not be underestimated!

For more on this story, click here.



Tuesday, April 29, 2008

ASIS CPP Certification

For the 25 security manager and consultant candidates sitting the ASIS CPP certification examination in the UK on 3 May, this is a very intensive week of final examination preparation under the guidance of Barry Walker CPP and Phil Wood MBE CPP PSP.

In addition to covering the core security management knowledge domains, the CPP certification places great emphasis on general management principles, which constitute 11% of the examination questions.

Yesterday candidates discussed the various theories of motivation, including Maslow, Herzberg and McGregor.

The basic human needs, according to Maslow, are (from lowest to highest) physiological needs, security needs, belonging needs, esteem needs and self-actualisation needs (the synthesis of ‘worth’, ‘contribution’ and perceived ‘value’ of the individual in society). The basic assumption of Maslow’s theory is that motivation cannot be advanced unless each successive need is satisfied.

Herzberg took a complementary approach, arguing that there were specific negative motivational factors that have to be addressed before the positive motivational factors can take effect. His analysis, based on 200 middle class professionals in the USA, identified the demotivational factors as: over-supervision, poor salary, poor working conditions and poor interpersonal relations. Fix these, Herzberg argued, and then move onto the truly motivating factors such as recognition, interesting work, opportunity for advancement and being given responsibility.

McGregor’s theory argues that there are essentially two types of managers - those who believe employees need to be rewarded, coerced, intimidated and punished in order to work (Theory X), and those who believe employees will work willingly because work is a natural human activity (Theory Y).

Several useful links to leadership and motivational theories can be found on the ARC weblinks page at:

http://www.arc-tc.com/pages/resources_publications.asp

For information on the next CPP Review Programme (in preparation for the Nov 1 examination) click below:

http://www.arc-tc.com/pages/asis_cpp_psp.asp#asis1

Security Management Training Focus: Protecting Vital Human Assets

The Protection of “People at Risk” was one of the topics discussed in detail by delegates attending last week’s Security Management and Coordination Course in Oman.

From an Arabian Gulf perspective, delegates identified three risk groups: high net-worth or high profile senior local employees; expatriates; business visitors. The group consensus was that it was business visitors who were at greatest risk due to their unfamiliarity with their surroundings and lack of cultural awareness. Other groups doing this exercise previously have often placed expatriates ahead of visitors in the risk ranking due to expatriates' inherent sense of “adventurism”!

Moving on to discuss travel security awareness for their staff travelling overseas, the group felt that while free-to-access services offered by organisations such as the UK FCO were a good and accurate starting point, business travellers required more detailed information. The group felt that a traffic light system (green – low risk; orange – medium risk; red – high risk) was preferred, with these indicators being broken down into the following categories:

General Crime
Political Unrest
Corruption
Terrorism
Kidnap

The tutor, David Cresswell, felt that from his own many experiences in travelling to over 50 countries, there should also be a special box for taxi driver risk!

For more on Business Travel Security awareness training for your travelling staff contact David.

For more on the one-week Security Management and Coordination Course click below:

UK: http://www.arc-tc.com/pages/other_accredited_sm.asp#s1

Overseas: http://www.arc-tc.com/pages/reg_train.asp

Protecting Critical National Infrastructure

Proposed laws to allow companies to snoop on their workers' emails are needed to protect vital electronic infrastructure from terrorist attacks, Australian Deputy Prime Minister Julia Gillard says.

The Australian federal government is developing new counter-terrorism measures which include changes to the Telecommunications Act that would allow companies which make up the nation’s critical national infrastructure to read workers' emails.

To read which sectors are considered CNI in Australia click here.

ARC’s new Protecting Critical Infrastructure course takes place 14-18 July. The course will focus on best practice in protecting critical infrastructure against a range of adversaries, from simple criminals, through cybersaboteurs to terrorists. Click here for more details.

Monday, April 28, 2008

Warn Your CEOs! - Coordinated Attempts to Break into Computers of Top Executives Reach Unprecedented Levels

Last year (and continuing into this year) it was “recruitment” emails with a malicious .rtf attachment addressed personally to top executives. (Even security managers eager to advance their prospects are falling for the scam and laying bare all of their security plans!) When the .rtf file is opened the data on the target computer is compromised. And it needn't be an .rtf file; similar attacks have been seen using .doc files. For more on this click on the link below:

http://www.news.com/Trojan-attack-targets-top-executives/2100-7349_3-6209930.html

Then early last week CEOs were targeted with fictitious subpoenas. The targeted executives are directed in an email to an authentic-looking US Government website. Executives who click on the link in the email are then told that they need to download a plug-in in order to read the subpoena. That plug-in is actually malicious software. About 2,000 executives were tricked into compromising their computers.

For more on this attack click below:

http://www.pcadvisor.co.uk/news/index.cfm?newsid=12753

Then on Thursday of last week CERT reported that a large number of legitimate websites have been compromised with malicious code. The hackers injected malicious code into hundreds of thousands of reputable web pages, turning them into launchpads for attacks that silently install malware on the machines of those who visit them. The UK's Civil Service, the United Nations and websites of city firms were among those who had been hacked.

The compromised websites contain injected JavaScript that attempts to exploit multiple, known vulnerabilities. Users who visit a compromised website may unknowingly execute malicious code.

While it is clearly the remit of IT Departments to take action to protect their corporate sites against attack, it is imperative that somebody in every organisation is appointed to take responsibility for educating corporate computer users about the fast growing range of sophisticated scams and frauds that now pose an unprecedented threat to sensitive corporate data.

Security Management Training - Feedback

Click here to read what past delegates have said about ARC Training security management courses.

Lock up Your Laptops – The EU Wants to Get Tough!

The EU is calling for the introduction of new data protection legislation which would compel businesses to inform customers in the event of a data breach involving the loss of personal data. This would presumably include laptops and data sticks, which have been the focus of numerous data loss stories recently.

Meanwhile in the UK the Information Commissioner has been notified of almost 100 data breaches by public and private sector organisations since the loss of 25 million people's details by HM Revenue and Customs last November, according to figures released this week.

Half of the 28 private sector security breaches were by financial services companies.

For more on both of these stories click below:

http://www.out-law.com/page-9053

http://www.out-law.com/page-9066

IFSEC, 12-15 May 2008

If you are visiting IFSEC, the UK’s premier security exhibition, 12-15 May at the NEC Birmingham, please do call in at the ARC stand to say hello. We are in Hall 7 - Stand 460.

Friday, April 25, 2008

The Latest Developments in Biometrics

Source: Information Age

Biometric technology is an industry characterised by “disappointment and broken dreams”, according to David McIntosh, the former chairman of the Intellect Association for Biometrics. Even those with a keen interest in promoting it cannot deny that false promises, clunky technology and intrusive approaches have done little for its cause – particularly within the private sector. Where biometric technology has flourished, it has been at the hands of government officials as part of large-scale government-mandated implementations, focusing on areas such as border-control and crime-prevention: passports and visa programmes.

But biometric developments are far from quiet on the corporate security front. One of the UK’s biggest casino groups, for example, is now deploying facial recognition in order to welcome its customers as they step through the door. Likewise, many UK banks are implementing voice recognition to authenticate telephone customers.
Businesses in Saudi Arabia are increasingly using the technology to immediately identify high-value customers. Meanwhile, the use of biometrics at ATMs and point-of-sales is also emerging – particularly in Asia – in order to deliver smoother services while simultaneously ensuring strong security.

And the article continues with news on interesting developments in voice recognition, keystroke recognition, vein recognition and gait analysis. Click here.

http://www.information-age.com/magazine/february-2008/features/304936/biometric-diversity.thtml

Developments in Biometrics will be one of many security technological developments covered in the new Specifying Security Technology Course, 21-25 July 2008. Contact Janet for details.

Thursday, April 24, 2008

Conference Report – Web Fraud Is Skyrocketing - Will You or Your Company Be Next?

Sites offering medical histories, information about the shipment of goods and corporate e-mail and pension details have all been uncovered. While credit card details are cheap, selling for only a few dollars, the logfiles of big companies can go for up to $300 (£150), he told the BBC News website. (Thieves Set Up Data Supermarkets).

The sophistication, complexity and exponential growth of these crimes are overwhelming law enforcement agencies and legislation-producing bodies, and ARC Training warns that 2008 is set to be a very miserable year for hundreds of thousands of individuals and companies as their sensitive data becomes compromised.

A key countermeasure is raising awareness, but with reports of security managers themselves becoming victims of scams such as 419s, and IT administrators in many companies not taking the lead in promulgating the types of scams that are prevalent, it is difficult to determine where the responsibility for delivering awareness lies.

Perhaps the security management community needs a Scam Summit of its own!

Security Surveying and Design Training

The infamous English weather did its best to damp the enthusiasm of the delegates on the latest Security Surveying and Design course, held in Goring on Thames this week. Working in both rain and sun, they spent the day doing a detailed practical survey at a working business establishment.

Their survey site, in a slightly run-down part of a local town, required them to work through the full survey process from risk assessment to the final written report and management presentation. Using information gathered from the on-site inspection, environmental survey and interviews with management, they compiled an accurate risk assessment for the business and were able to judge the strengths and weaknesses of the protective system.

The site work completed, they returned to the training venue to compile the final written report, in which they offered the company an extensive range of solutions to reduce the risk levels. These recommendations and the rationale behind them were judged by the course director, Peter Horsburgh CPP, PSP who role-played the Managing Director of the client company at the final management presentation.

One delegate said ‘Having to follow the complete process showed us the pitfalls of not working to a logical system and allowed us to put into use the full range of tools we learned at the beginning of the week. Having done the survey in a training environment makes it easier for us to use these techniques in the real world’.

For details of the next Security Surveying and Design Course in the UK click here.

And for the forthcoming Security Surveying and Design Course in Nigeria click here.

Wednesday, April 23, 2008

PAS 68:2007 - A Standard for Protecting Facilities against Vehicle Attack

PAS 68:2007 has been prepared to address the needs of organizations who wish to have assurance that vehicle security barriers will provide the level of impact resistance that they seek.

Many systems are available that are either promoted or considered suitable for use as vehicle security barriers. As their characteristics differ in both function and form, a comparative means of assessing their performance is required.

PAS 68:2007 specifies a classification system for the performance of vehicle security barriers and their supporting foundations when subjected to a single horizontal impact.

For more information click here.

Brainstorming the Risks Posed by USB Data Sticks – Recommendations to Improve Security

The proliferation of USB data sticks presents formidable problems for information security, and many information security managers have declared this their number one concern. Furthermore, fewer than 20% of companies have effective safeguards in place.

The threats are significant. Not only could an ill-intentioned employee escape with the entire corporate “crown jewels” on a single USB data stick, but these devices have become the third most prevalent source of virus transfers, behind websites and emails. Furthermore, a number of organisations have suffered a negative impact on reputation recently when data sticks containing personal ID-related information have been lost.

Delegates attending this week’s Security Management and Coordination Course have produced a set of procedures which they believe, if followed, will significantly reduce the risks presented by these devices. Their suggestions are as follows:

1. There should be a policy which forbids employees bringing personal USB flash drives onto site.

2. Those issued with laptops should undertake not to use personal, or other users’, USB devices in their laptops – especially if those users are from outside the company.

3. Companies should use enterprise-wide software to manage access to all USB ports. This should be extended to laptops when not physically connected to the corporate network.

4. Companies should issue USB flash drives to users on a need basis. These should be engraved, serial numbered and accounted for.

5. There should be destruction procedures for all old devices.

6. The capacity of devices should not exceed that which is consistent with operational requirements. Excess capacity should be blocked by special software.

7. Software should be used to block the types of files transferable to the devices. Databases and .xls files, for example, should be blocked from transfer as a matter of course.

8. Devices should have password or biometric access as standard.

9. Devices should offer encryption, preferably “on the fly” by default.

10. There should be loss reporting and “damage limitation” procedures.

11. When not in use, devices should be secured.

12. The network should be able to identify and alarm, in real time, when somebody attempts to use an unauthorised USB device in a controlled port.

13. Consideration should be given to RFID tracking of devices when on site.

14. There should be spot checks on authorised users to ensure compliance.

15. There should be “sheep dip” procedures on a spot-check or demand basis for users who take devices off site.

If you have more suggestions please contact us!

Tuesday, April 22, 2008

Security Coordination and Management Training - Let's Bring the Programme to You!


Fourteen delegates from across the Middle East and South Asia converge on the beautiful Sultanate of Oman to take part in the one-week Security Coordination and Management Course, led by David Cresswell CPP PSP.

Such is the international popularity of this course that it is being run concurrently in Saudi Arabia by Phil Wood MBE CPP PSP.

For more information on how this training can be brought to your region or organisation, contact Janet.

Maritime Security – Oil Tanker Attack

A suspected pirate ship fired on a Japanese oil tanker Monday off the eastern coast of Yemen, leaving a hole from which hundreds of gallons of fuel leaked, officials said. No one was injured.

The 150,000-ton tanker Takayama was attacked about 270 miles off the coast of Aden in southwestern Yemen while it was heading for Saudi Arabia, its Japanese operator, Nippon Yusen K.K., said in a statement.

Piracy and terrorism are two primary reasons for the introduction of the ISPS Code, an internationally binding code for the security of maritime assets. ARC Training is a UK Department for Transport – Transport Security (TRANSEC) approved provider of maritime security training. Courses are held annually in the UK, and can be delivered on-site anywhere in the world.

For details click here.

The Security Practitioner Programme for UK-Based Security Officers

The Security Practitioner programme is the ideal development path for security officers. It allows you to evaluate the skills and knowledge of your security officers without disrupting their normal working routines. So, if you have trained your security officers in basic security principles, coached them on site-specific duties and they have gained some valuable practical experience, but you want to test that they are putting into practice what they were taught - then the Security Practitioner programme can help you. You can evaluate their knowledge and skills, you can identify and address additional training needs in a cost-effective manner and the security officer is rewarded for their achievements with a national qualification.

This programme also attracts generous funding from the LSC and Skills for Security have secured a simple method for small and medium sized companies to not only access this funding easily, but also help with the administration process involved. If you would like to learn more about Security Practitioner, Skills for Security are collating initial interest at the moment so that we can organise a series of free regional events throughout the Summer to inform employers about the benefits of the Security Practitioner programme and also discuss the funding opportunities available to you.

If you would like to register your interest to attend one of these events, please e-mail info@skillsforsecurity.org.uk and we will be happy to send you further details.

Sunday, April 20, 2008

ARC's New Website: Your Feedback Invited


We would like to have your views on the ARC Training website http://www.arc-tc.com/ .

Our intention is that it should be a portal through which you can access a wide range of resources about security management. Please let us have your ideas to develop the site further and we will do our best to make it into a valuable one-stop security management resource.

Forthcoming Courses

Security Management Stage 3
12-23 May
The third stage of a university accredited programme which can lead to an MSc

Kidnap Risk Reduction and Response Workshop
14 May
Ideal for security managers and travelling staff alike

Business Espionage and Investigating Information Leaks
19 May
Learn how to catch the information thieves and leakers - most companies have them!

Retail and Supply Chain Security Management
2-4 June
A new programme developed and delivered by former heads of security for leading UK retailers

Advanced Investigation Techniques
23-27 June
An ideal programme for international delegates - delivered by senior former police investigation instructors

Security Management Stage 2
30 June – 11 July
The second stage of a university accredited programme which can lead to an MSc

Security Risk Management Workshop
30 June
The logical base on which a security management programme should be built

**New for 2008**
Protecting Critical Infrastructure
14-18 July

**New for 2008**
Specifying Security Technology
21-25 July

Security Management Stage 1
4-15 August 2008
The first stage of a university accredited programme which can lead to an MSc

Security Coordination and Management
1-5 September 2008
A comprehensive introduction to the essentials of security management

Click here for more information.

Militant Leaders Threaten to Escalate Armed Conflict

Source: Clayton Consultants quoting IRIN

In a demonstration of support for Henry Okah, who the Nigerian government put on trial in April, militant leaders have said that they will escalate armed conflict. “We have pulled out of any peace talks, we have not disarmed so there really is no progress since Henry's arrest,” the spokesman for the Movement for the Emancipation of the Niger Delta (MEND) who goes by the name of Jomo Gbomo wrote in an April 13 email. Gbomo said that militants would target oil installations even if the oil companies repair pipelines.

“It only takes a few minutes to destroy what took years to build.” The militants in the MEND alliance had become fragmented in recent years, but Okah's arrest may now be unifying them, said Elias Courson, a professor of political science in Port Harcourt. “Okah has enemies and friends in the Niger Delta,” Courson said. “But [by arresting him], the government is rallying support for him.”

The Clayton Kidnap “Top Ten” for April

Raw quantitative data is not a reliable basis on which to assess the risk of kidnap, if Clayton’s April K&R and Extortion Monitor is anything to go by. For example, the USA occupies 8th position, ahead of traditional hotspots such as the Philippines, Honduras, Somalia and Iraq!

A more accurate assessment of kidnap can be made by informed analysis of the raw data in combination with reliable intelligence, a service provided by a number of travel risk management companies. In many countries, such as India which occupies position #6, the risk is highly specific and travellers to the main business centres have little to worry about by way of kidnap risk. In Nigeria, which occupies position #3, there is a very real danger to expatriates and visitors, but this is confined to the Delta area of the country, especially Port Harcourt.

But which country took the top spot in April? You will have to read on at:

www.claytonconsultants.com/en/assets/pdf/krem-archive/KRE-Monitor-Apr-2008.pdf

Security Management Antiterrorism Feature: Blast Walls

Concrete blast walls and jersey barriers are an obvious, inexpensive and rapidly-deployable form of mitigation against moving vehicle bombs, but may not be the best long-term solution.
One of the problems with concrete barriers is that if the blast occurs adjacent to the blast wall, the shock wave travelling through the wall will create spalling on the inner face, leading to the displacement of small concrete projectiles which have the capability to inflict fatal injuries.

One solution is to use a bi-steel wall such as that manufactured by Corus (www.corussecurity.com/en/company/corus_bi-steel/). The unique patented steel/concrete composite material offers superior protection from blast. Bi-Steel is approved for use by the UK and US governments for blast protective buildings work and meets the performance standards of PAS 68:2007, the accepted UK classification system for vehicle security barriers.

Blast walls and other anti-terrorism defences are discussed in detail on Security Management Stage 2, during the Corporate Response to Terrorism workshop. The workshop can be attended on a day delegate basis, if desired.

For more information on Security Management Stage 2 or the Corporate Response to Terrorism workshop click on the links below:

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

http://www.arc-tc.com/pages/one_day_workshops.asp#c3

International Security Management Gathering in Oman

David is in Oman this week conducting Security Coordination and Management training for fourteen security managers from across the Middle East and South Asia. Sectors represented include banking, heavy industry, education, infrastructure and property development, high-value goods retail, petroleum and gas, communications, and government.

Day one saw the group introduced to the fundamentals of security risk management, and delegates learned how to use a simple methodology to bring together probability, impact and vulnerability in order to generate a value for risk, and were introduced to a range of risk mitigation strategies.

All delegates appreciated that an accurate security risk analysis was the foundation on which proactive security management programmes should be built.

For more information on our regional overseas training schedule click on the link below:

http://www.arc-tc.com/pages/reg_train.asp

Security Management Training Focus – Saudi Arabia


Phil reports that his Security Management and Coordination course, held in collaboration with SWCC in Jedda, Saudi Arabia, is going exceptionally well. The delegates, many of whom are new to security, are covering a range of management and coordination subjects and taking first steps towards a better understanding of the underlying issues and themes in modern corporate security. The 16 delegates are working hard and already looking forward to applying their learning in the workplace.

ARC can provide in-house training such as this for your company or organization in a location of your choosing in order to provide in-situ, business orientated security skills and learning for your managers, be they experienced in the subject or otherwise.


Saturday, April 19, 2008

Biometrics Insecurity

Source: ASIS International

British security consultant Matthew Lewis has carried out a proof of concept attack demonstrating that biometric systems suffer from fundamental vulnerabilities. Lewis has developed a "biologger" capable of detecting and capturing data from iris scanners or fingerprint readers as it is routed across a computer network.

Analyst James Turner warns that consumer data may be in greater danger of theft with biometric authentication systems. "The problem with biometrics is that instead of a user's password or swipe card becoming a target of attack, the user becomes the target themselves: Their voice, their eyes, their fingers, their hand geometry, and so on," he says.

For more information on biometrics and a wide range of other security management topics click on:

http://www.arc-tc.com/pages/resources_publications.asp

For more on the above story click here.

Warn Your Bosses! - Coordinated Attempt to Break into Computers of Top Executives across US

Source: The New York Times

Last week thousands of high-ranking executives across the US received e-mail messages that appeared to be official subpoenas from the United States District Court in San Diego. Each message included the executive’s name, company and phone number, and commanded the recipient to appear before a grand jury in a civil case.

A link embedded in the message purported to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. This lets the criminals capture passwords and other personal or corporate information.

Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack.

Contact David for more information on how ARC Training can provide your staff with information security threat and countermeasures awareness training.

Friday, April 18, 2008

Business Continuity Planning: The Next Pandemic – How Will It Affect You?

The RUSI Critical National Infrastructure this week prompted an interesting discussion about the extent to which we should be planning for a flu pandemic.

Expressing surprise that the issue appeared to be so far down the UK government’s agenda, the head of the German critical infrastructure protection was unequivocal in his warning. A pandemic is a likely scenario in the future and his government has already carried out nationwide exercises to test continuity plans.

It is difficult to estimate in a future pandemic the percentage of the population that could become infected, but two points are important to note. First, once infected, the mortality rate is over 50%. Second, if human-to-human transmission of the H5N1 does threaten to develop into a pandemic, governments may take drastic steps to limit its spread, fueled by the inevitable media frenzy.

For the latest story on H5N1 and its continuing mutation, click here.

For business continuity resources click here.

To discuss your business continuity training needs, contact Phil Wood MBE.

Security Management Resources: A New Single Gateway to the Best of the Net

Click here to be taken to a new ARC Training page designed to serve as a single gateway to dozens of invaluable Net resources on a wide range of subjects (please email David if you have additional suggestions). Current topics include:

Asset Marking, Biometrics, Business Continuity, Business Travel Security, Business News, CCTV, Corporate Social Responsibility, Convergence, Counterfeiting, Crime Prevention, Crisis Management, Critical Infrastructure Protection, Drug Abuse, Emergency Management, Fraud, Glossaries, Health and Safety, Homeland Security, Identity Theft, Information Security, IT Security, Kidnap and Ransom, Laptop Security, Maritime Security / ISPS Code, Phishing, Online Publications, Risk Management, Security Risk Management, Standards, Technical Surveillance, Terrorism, Voluntary Principles on Security and Human Rights.

The list is being added to on a regular basis.


Thursday, April 17, 2008

UK CPP Demand Set to Double Again in 2008

The increase in demand for the CPP Certification has seen the UK ASIS Chapter, in conjunction with ARC Training, add an additional examination date (and review programme) to the annual schedule.

Twenty-seven candidates are registered to sit the May 3rd examination, and demand is already high for the next examination preparation programme, which begins with distance learning in June, leading to a Nov 1 examination.

The UK now has over 100 “board-certified in security management” CPPs, and applicant numbers are literally doubling on a year-on-year basis. The following sites provide further information on the CPP and how to apply:

http://www.arc-tc.com/pages/asis_cpp_psp.asp

Or contact David directly.

When Using Installers and Equipment Providers – A Cautionary Tale

The UK Office of Fair Trading has accused 112 construction companies of rigging bids for contracts. It said the firms colluded among themselves while bidding for contracts, leading to customers, such as local authorities, having to pay too much. The regulator added that in a few cases firms entered into agreements whereby the successful tenderer would pay a sum of money to those that lost out. The cartel practice involved the use of false invoices.

Unfair contractor practices are not limited to the construction industry, according to some independent security consultants who can cite similar cases to the above occurring in the security equipment supply sector.

The internationally-recognised ASIS Physical Security Professional (PSP) certification covers in detail many aspects to do with the specification, supply, project management and installation of new security systems.

For more details click here.

What Would You Do for a Bar of Chocolate?.................... That? Surely Not?

What would you do for a bar of chocolate?.................... That? Surely not? Read on here.

Wednesday, April 16, 2008

How to Open up the Data on Your Entire Computer (and Possibly the Network) to Foreign Hackers with just One Click!


All you need to do if you want to compromise your company's most valuable data is to click on either "unsubscribe" or "more newsletters"!

Tuesday, April 15, 2008

Specifying Technology – Scam Alert!

Understandably, security managers try to deliver the best possible security at the most cost-effective rates. Great care is always needed, especially when specifying requirements for technology and CCTV systems in particular. info4security, a security publication, reports an elaborate scam whereby companies are being seduced into paying up front for systems which then are not delivered. In addition to the obvious scam, the report also highlights the fact that security companies’ contact details were collected by the scammers at trade fairs and conferences. The lessons? Protect your identity and don’t pay up front for equipment without conducting due diligence on the supplier!

This is the story:

http://www.info4security.com/story.asp?sectioncode=10&storycode=4118404

Latest Training Team News

For the latest training team news and to find out if an ARC trainer will be training in your region in the near future, click on the link below:

http://www.arc-tc.com/pages/news_training.asp#PH

Maritime Security Management Focus: Piracy

The recent action by French commandos to release hostages taken by pirates off Somalia highlights the continuing threat worldwide. Pirates pose a serious risk to life and property and their attacks in several world hotspots often result in death, injury and significant financial losses.

The problem, which reaches back through history but is now characterised by pirates using high-tech weapons and equipment, is continuing unabated and requires significant efforts by law enforcement and intelligence agencies. This link will take you to a comprehensive site covering piracy and other transport security issues.

For information on TRANSEC-accredited maritime security management training click here.

Managing Intelligence Gathering Activities in the Corporate Environment

One of yesterday’s sessions at this year’s ASIS International European Security Conference dealt with how to manage an intelligence gathering operation in a corporate security management setting. Dr Christoph Rojahn, a former German government BND intelligence officer now working in corporate security, cited the traditional security/business relationship in which a company buys an overseas asset and then instructs the security manager reactively to “put a fence around it”.

Much better, he argued, is a situation in which the security manager is proactively involved in gathering intelligence to ensure the success of all future organisational plans and activities. The business case for this is convincing, as new ventures can run into a range of costly obstacles if risks aren’t adequately mapped beforehand, with intelligence gathering a key source of input into the risk analysis process. Examples include:

- Unforeseen changes to the regulatory environment and revocation of licences
- Companies becoming the target of adversity
- Aggressively hostile competitive environment
- Potentially corrupt suppliers or distributors
- Endemic corruption
- Criminality or human rights abuses within the guarding sector

There are numerous examples in which companies could have avoided vast losses had they gathered the necessary intelligence prior to commencing a new operation or entry into a new market.

Intelligence Gathering and Business Expansion – Security Considerations (for example entry into a new market) are two new subjects added to the syllabus of the Security Management Stage 3 Course for 2008. The course takes place in the UK 12-23 May 2008. Contact Janet for more information or to reserve a place, or visit the ARC Training website at www.arc-tc.com.

Monday, April 14, 2008

Are You Prepared to Handle the Employee Mental Health Consequences of Terrorism?

Over the weekend the UK Home Secretary drew attention again to the very real terrorism threat in the UK. Unlike in the days of the IRA, a terrorist attack in the heart of a busy financial or commercial district of a city such as London is expected to happen without warning, and if a vehicle is used as a weapon casualties could be greater than anything the UK has experienced before.

When considering the impact of terrorist attacks in which workforces are caught up, companies would be wise to examine research from the US following the Oklahoma and 9/11 attacks, in which up to 1/3 of employees displayed symptoms of post traumatic stress disorder. Fortunately, most recovered fairly quickly, but the resolute British “we won’t be put off by terrorism” attitude may well be put to the test if an Oklahoma-magnitude event were to occur in the heart of London, and our business continuity plans may not work as well as we had hoped.

For more on post traumatic stress disorder following terrorist attacks click below:

http://ajp.psychiatryonline.org/cgi/content/full/164/2/189

Global Food Crisis - A Strategic Threat

Businesses at large and global society in general face many geopolitical and macro-economic issues from global warming to political upheaval. The changing face of the world, and the pace of change, have direct implications for businesses as new and possibly unanticipated risks emerge. The latest strategic threat to global stability and security is a rapidly developing global food shortage, which is already sparking civil unrest and is beginning to cause alarm amongst politicians, economic analysts and environmental groups.

This article, published on 13th April in the UK ‘Observer Newspaper’ gives an overview of the problem and the potential implications:

http://www.guardian.co.uk/environment/2008/apr/13/food.climatechange

ARC encourages all of its alumni to take the strategic view and to examine the context in which such threats can emerge and damage their own organizations. As with growing concerns about water, oil, gas and even metals such as copper becoming ever more scarce, this issue will be amongst those that shape global society in the coming years. Are you and your business thinking ahead and anticipating the inevitable impacts? Do you have robust contingency plans and the strategic vision to meet these challenges?

ARC covers the issues of strategic planning, business continuity and crisis management in several of its courses. If you would like to know more, please contact Janet/David/Phil.

Thursday, April 10, 2008

MANPADS

The constant threat of suicide bombings has drawn our attention away from another ever present terrorism threat – the use of MANPADS to down commercial airliners.

A MANPADS is a portable shoulder-fired anti-aircraft missile that is capable of downing a commercial airliner. Such weapons are in the arsenal of many insurgent groups, and there have been numerous examples of terrorists trying to get their hands on them.

There have been six attacks against commercial jetliners since these missiles appeared in the 1970s. Three were in Africa, one in Afghanistan, and two in Iraq. Of the six attacks, two (both in Africa) were successful in bringing down the airliner. Rear-engined aircraft, such as the Boeing 727, are more susceptible to defeat.

The US government is engaged in the latter stages of a MANPADS evaluation programme, which would see US commercial aircraft being equipped with counter-MANPADS pods, especially when they are flying into areas where MANPADS are considered to be a threat.

More on this story can be found by clicking below:

http://www.globalsecurity.org/security/systems/c-manpads.htm

http://hstoday.us/index.php?option=com_content&task=view&id=2611&Itemid=149

For a full explanation of what MANPADS are and how they work, click below.

www.csis.org/media/csis/pubs/060101_manpads.pdf

ARC's New Web Site


The new ARC Training website is now up and running at http://www.arc-tc.com/

Our intention is that it should be a portal through which you can access all manner of things to do with security.

Please let us have your thoughts and we will do our best to develop it along the lines that you request.

Security Management: Managing the Constant Threat of Terrorism

One of the questions which delegates will face in the Security Management Stage 1 end-of-course examination tomorrow is:

Which of the following best represents the types of corporate/public targets that terrorists seek to attack?

a. Military convoys, police stations and government installations
b. Private airfields, taxis and heavy goods vehicles (trucks)
c. Shopping malls, places of entertainment or sport, public transport infrastructure, critical national infrastructure, major events, hotels, aviation, central commercial districts, landmark or iconic buildings or structures, tourist attractions
d. Overseas companies which are identified as being owned by Ireland, Spain or Greece


Naturally, the answer is C. On 1 April the UK Sun newspaper reported a “dry run” by terrorists targeting the London Eye landmark. See:

http://www.thesun.co.uk/sol/homepage/news/article983172.ece

This iconic, landmark target had also been on the 7/7 (London Underground) bombers’ list, according to the Daily Telegraph:

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/04/06/nplot06.xml

Advice and downloadable PDF documents on how to protect public places and events against the threat of terrorist attack can be found on the website of the police National Counter Terrorism Security Office:

http://www.nactso.gov.uk/

Tension Mounts in Algeria - Attempted Slaughter of Foreign Oil Workers Thwarted

The Algerian newspaper, Al-Khabar, this morning is reporting an attempted slaughter of Chinese oil workers on a compound in Algeria. According to the newspaper, the attack, carried out by what the army is describing as “terrorists”, was thwarted.

http://www.elkhabar.com/quotidienFrEn/lire.php?idc=114&ida=105000

Anticipation Mounts as CPP Approaches

As the first of this year’s two CPP week-long preparation sessions approaches, anticipation is mounting amongst the record 27 candidates who have registered for the examination on May 3rd. Having followed a distance learning and study programme, there is less than a month to go before the big day and as the learning tasks have increased in difficulty and complexity the work rate has increased accordingly.

The residential preparation session, beginning Monday 28th April, and led by Barry Walker, is well subscribed and will give candidates the opportunity to further consolidate their knowledge through a combination of presentations, workshops and practice testing. The high standard of distance learning task submissions augurs well for the examination itself and we anticipate high percentage pass rates on the day.

If you are interested in ASIS certification and preparation programmes, those for CPP and PSP will begin again in the summer for the November examinations. Places are already filling up, so contact Janet for further details.

Aviation Security: Airport Behaviour under Scrutiny

Passing through airport security can be stressful and sometimes intrusive. At busy times tempers become frayed and people sometimes display unusual and uncharacteristic behaviour. Interestingly, the US Transportation Security Administration has invested significantly in ‘behaviour detection’, primarily to discover potential terrorists passing through security. One of the methods of the scheme is to detect facial expressions which indicate stress – which potentially could bring the TSA to focus on every traveller passing through stringent security!

This short article gives interesting background – particularly on the numbers of personnel screened using behaviour detection.

http://www.star-telegram.com/national_news/story/564545.html

Wednesday, April 9, 2008

Counterfeiting - A Bitter Pill

A recent report in the UK’s Daily Telegraph provides detailed background on the growing threat of counterfeit medicines. The problem, which is widespread, and on a global scale, shows no sign of abating and affects the range of drugs and medicines produced by multinational pharmaceutical companies.

Aside from the obvious effects on company profits, counterfeit medicines pose a serious threat to health, particularly as some of the ingredients used may actually be toxic. To read this comprehensive report – follow this link:

http://www.telegraph.co.uk/health/main.jhtml?xml=/health/2008/04/05/sm_medicines05.xml

Sunday, April 6, 2008

Security Management Training Courses: Forthcoming Events

Security Surveying and Design
21-25 April
Learn how to DIY!
*
Security Management Stage 3
12-23 May
The third stage of a university accredited programme which can lead to an MSc
*
Kidnap Risk Reduction and Response Workshop
14 May
Ideal for security managers and travelling staff alike
*
Business Espionage and Investigating Information Leaks
19 May
Learn how to catch the information thieves and leakers - most companies have them!
*
Retail and Supply Chain Security Management
2-4 June
A new programme developed and delivered by former heads of security for leading UK retailers
*
Advanced Investigation Techniques
23-27 June
An ideal programme for international delegates - delivered by senior former police investigation instructors
*
Security Management Stage 2
30 June – 11 July
The second stage of a university accredited programme which can lead to an MSc
*
Security Risk Management Workshop
30 June
The logical base on which a security management programme should be built
*
Protecting Critical Infrastructure
14-18 July
*New for 2008*
*
Specifying Security Technology
21-25 July
*New for 2008*
*
Security Management Stage 1
4-15 August 2008
The first stage of a university accredited programme which can lead to an MSc
*
Contact Janet for more information.

IT Security: Younger Workers More Savvy but Less Disciplined - 75% of Workers under 30 Have Downloaded Unauthorised Software at Work

75 percent of workers in the US born after 1980 have downloaded unauthorised software onto their work computer for personal use, compared with an average of 25% for those born before 1980.

More at:

Information Security: Clamping Down on Thumb Drive Insecurity

Source: ASIS International

In an effort to improve security, Washington state has distributed 150 thumb drives to unit supervisors in the Division of Child Support who manage collections teams in 10 field offices. The state plans to distribute 50 more thumb drives to unit supervisors soon.

Brian Main, the division's data security officer, says the new devices have several features that will help to improve security at the division. For instance, the thumb drives can be integrated with Web-management software that can centrally monitor, configure, and prevent unauthorized access to the devices.

In addition, the thumb drives automatically delete all of their content in the event someone tries to access it 10 times with an incorrect password. The new thumb drives will replace the portable storage devices that were previously used by employees and later recalled by the division. Many of those devices had been purchased by division employees themselves, which caused a number of problems for security personnel. The old storage devices will eventually be destroyed.

More here.

Investigations Training: “An Excellent Course that Met my Needs Very Well”

“An excellent course that met my needs very well”

At the conclusion of ARC Training’s Investigating and Interviewing Skills course delegates reflected on their experience during this highly interactive 3 day programme. The course, delivered by Angus Darroch-Warren, gives participants a comprehensive grounding in the essentials of security investigation, including the management and methodology of investigations, disciplinary practice and procedure, and the preparation and presentation of a case. Highly practical exercises develop skills such as interviewing and evidence handling whilst theoretical elements instruct delegates in essential legislation relevant to this discipline.

The next Investigation and Interviewing Skills Course will take place in the UK, 3-6 November. Contact Janet for more information or to reserve a place.

Identity Fraud - Risks to Business

The risks to a business posed by ID fraud are significant:

1. Customer data or employee personal data can be used for nefarious purposes, such as cloning, or obtaining new, credit cards and bank accounts.

2. Your reputation can be tarnished as an incompetent custodian of personal information.

3. You can be sued, or worse, prosecuted in certain circumstances.

4. Your company’s details, or those of your clients, can be used by criminals to set up credit with suppliers.

And all this can begin with the loss of a USB datastick, one of many growing information security problems that the security/IT departments of many businesses are failing to address at their peril.

In the UK the British Crime Survey has revealed that 2% of adults have had their identity stolen in the past year.

The British Security Industry Association on its website presents the following real-life case studies:

Several banks and other financial institutions have been reprimanded by the Office of the Information Commissioner for disposing of customers' personal information in bins outside their premises. An investigation found information such as details of a bank transfer for £500,000 outside a Nottingham bank and paying-in envelopes with customer names and telephone numbers, sort codes and account numbers, outside the branch of a bank in Manchester.

An investigation by Experian revealed a number of lapses of information security: a travel agent discarded photocopies of passports, with passport numbers, dates of birth and photos of customers; an educational establishment threw away full financial details of applicants to courses; a mortgage broker disposed of numerous completed mortgage applications containing full financial details of its clients; a PR agency binned its clients' confidential PR strategies, embargoed press releases and bank account information.

An experiment carried out by IT consultancy Navigant Consulting revealed that second-hand PCs contain enough personal data to be a security threat to the previous owner. Data found on second-hand PCs included: names, addresses and photos; staff budgets; and payroll schedules – including names and salary details, bank account standing data payments and receipts.
For more on this fast growing risk, click here.

Thursday, April 3, 2008

Operating in Areas of Conflict. An IPIECA Guide for the Oil and Gas Industry

It is generally understood that companies working in the extractive industries, and particularly in the oil and gas sector, need to be aware of the impacts of their operations on conflict and vice versa. Failure to understand and address local dynamics in regions of known or potential conflict can be costly to companies in terms of impact on employee safety, normal business operations, social licence to operate, reputation and future opportunities.

Oil and gas companies have accumulated considerable experience of working in areas of conflict. However, basic knowledge of, and training in, conflict risk and conflict management is not always readily available to company personnel.

The purpose of a new guide issued by IPIECA, the International Petroleum Industry Environmental Conservation Association, is to provide, in a simple and accessible format, basic guidance on risk assessment and risk management in conflict settings that oil and gas companies might face. These include conflicts between companies and local communities which are directly related to the presence and operations of the companies themselves, as well as wider social and political conflicts in which companies are not directly involved but which are very likely to impact on companies operating in such conflict environments.

The guide is a collaborative effort by many leading oil company representatives, and can be downloaded from:



Security Management Feature: Copper Wire Theft - Assess Your Vulnerability Now!

With scrap market values at record highs of several thousand dollars a tonne, copper wire theft has reached epidemic proportions, especially in Europe, North America and Australia. Much of the stolen wire is smuggled by organised criminals to China, where the construction boom is creating a huge increase in demand. Typical targets of copper thieves include the electricity grid network, the rail network, street lighting and the communications network.

The thieves are fast and audacious. For example, there have been several instances where high voltage copper wire overhead power lines on railways have been removed overnight.

The potential consequential losses involved in copper wire theft are almost too high to assess. At local level electricity grids can be taken off line, and entire communications networks can be brought to a standstill for prolonged periods of time.

Security managers are urged to:

1. Identify locations on site where copper wire is stored or used, and to increase protection. In addition to physical security protection, covert asset marking greases such as that which leaves a “DNA fingerprint” can be used.

2. Clear foliage from vulnerable areas to increase natural surveillance, especially at night.

3. If you are in a remote location and served by copper wires, extend your vehicle patrolling to outside your perimeter at night to create deterrence.

4. Actively engage the local police and share intelligence. Make them aware of your vulnerabilities and expectations, and ask them to make you aware of the local copper wire crime situation.

5. Carry out an extensive vulnerability assessment to determine the organisation’s/facility’s critical dependences on services provided by copper wire, including those provided both internally and externally. In the case of external services, utility providers should be lobbied to increase security spending.

6. Investigate the use of alternative technologies, such as fibre optics for communication and copper weld, the market value of which is less than for copper wire.

To get an idea of what could be targeted in your organisation, google the words copper wire theft and read the 100,000 results!

Security Management Courses: International Security Managers from the UK, the Middle East, Africa and Asia Pacific Share Best Practice in the UK


Fifteen security manager delegates from around the world have gathered in the UK to attend the ARC Training Security Management Stage 1 Course.

The syllabus is extensive, covering the essential core areas of corporate security management best practice, and including a very detailed security risk analysis and design project. Many of the participants are using the course as part of a route to earning an MSc in Corporate Security Management. The course constitutes 30 of the 180 credits required.

Day 2 of the programme saw the participants addressing the issue of security operations management and how to better integrate with the business.

Drawing on their many varied experiences, some of the suggestions put forward were:

1. More emphasis on the softer and generic business management skills, such as communications and interpersonal skills, managing change, leadership, influencing, negotiating, finance, customer interface skills, decision making, internal marketing, and project management skills.

2. Encouraging greater involvement of line management in the day-to-day management of security through relationship building, recognising that security is not a set of physical measures but a condition, which can only be achieved with the collective strength of all employees. In this regard, security awareness training of non-security staff, and allocation to the same for local compliance of security measures was suggested.

3. Making security relevant and interesting to all employees by providing an “extended service”, to provide briefings to staff on particular areas of personal security concern, such as computer security, ID theft, robbery risk reduction and domestic security.

4. Diversification of the security management role to increase the return on security investment. Security managers have a useful contribution to make in the areas of crisis management and business continuity preparation, due diligence and vetting, and the facility or enterprise risk management programme.

The next Security Management Course takes place 4-15 August 2008. Contact Janet for details.

Identity Theft - When the Very Worst Happens

Read on at:

http://news.bbc.co.uk/1/hi/magazine/7326736.stm

Security Education to Be Taught in Schools Next Year in the UAE

Source: Gulf News

Security education will be included as part of the UAE school curriculum starting next year.
Major General Dr Jamal Al Merri, Dubai Police's Deputy Commandant General, praised the security education programme, which comes under the direction of President His Highness Shaikh Khalifa Bin Zayed Al Nahyan and His Highness Shaikh Mohammad Bin Rashid Al Maktoum, Vice-President and Prime Minister of the UAE and Ruler of Dubai, to include the programme of the security education as part of a national curriculum to be taught in the country's schools from next year.

Many London-Based Companies Unprepared for Inevitable Further Terrorist Attacks

Source: Businessinsurance.com

Some companies in London are unprepared for a terrorist attack, according to research by Marsh Ltd. In a survey conducted at a seminar on terrorism, more than one-third of delegates from large and medium-sized companies in the Greater London area said they did not have emergency response, crisis management and business recovery plans integrated in their business continuity management framework or risk management strategy.

Marsh surveyed more than 80 attendees at the seminar in London. “While there is little that businesses can do to prevent a terrorist attack, much can be done to mitigate its impact by forming robust BCM plans, running exercises to rehearse their effectiveness, and managing the risk in their supply chain, or understanding the insurance implications,” said Andrew Ketteridge, a business risk consultant at Marsh, in a statement.

IT Security Management - Malware Has Quadrupled in Past 2 Years - Some Simple Precautions to Keep You Safe

Source: Washington Post

The number of malicious software programs vying to take up residence on unsuspecting computer users' hard drives has quadrupled in the past two years, according to German security experts AV Test. In the first two months of 2008, AV Test found more than 1 million samples of malware spreading online.

Much of the malware harvests financial and personal data, which is sold to groups that turn the information into cash through identity fraud. Cyber criminals also use infected machines to anonymously attack others, relay junk e-mail or host fraudulent Web sites advertised through spam.

A special emphasis is placed on creating malware that exists peacefully with infected computer systems, doing its work quietly in the background. Today's cyber criminals are continuously updating the malware they have managed to install on victims' computers, replacing older malicious files with new ones to keep them hidden. And anti-virus programs aren’t sufficient defence. For many users, some of the most tenacious intruders cannot easily be removed without reinstalling operating systems.

Malware enters the corporate computer chain via a number of vulnerabilities. These include:

- Infected websites. Even seemingly legitimate websites can be infected.
- Poor thumb drive discipline.
- Picking up CDs at international exhibitions.
- Poor home PC security, leading to malware passing via laptops to corporate networks.
- Opening email attachments.
- Clicking on links in emails from unknown or spoofed sources.

Remember that once inside your firewall, some data-stealing malware can then remain undetected.

ARC Training’s Information and IT Security Workshop addresses these and many other common data security vulnerabilities. Dates are:

7 April 2008
11 August 2008
24 November 2008

Or on-site, on request. Contact Janet.
For more on the story above click below:

http://www.washingtonpost.com/wp-dyn/content/article/2008/03/19/AR2008031903614.html

Security Management Training: Security Supervisors in Lagos


ARC is continuing its successful collaboration with Cardinal Security Services in Lagos, Nigeria, with its Security Supervisors' Course. The course, attended by 20 delegates from various industries, is designed to provide skills and awareness of the specific requirements for supervising security operations and associated manpower.


Phil, who is leading this course, has been particularly impressed by the delegates' enthusiasm and business knowledge and notes that between them they have a wide range of business, management and security degrees and qualifications - all this in addition to over 300 years' collective experience in the security profession!