Tuesday, September 30, 2008

Corporate Security Excellence

The latest group of security professionals to convene at our training centre for Security Management Stage 3 has been busy studying and debating the nuances and implications of the subject and the global nature of corporate business. In particular, the group (which represents oil, gas, transport and production industries) has focused on risk assessment for a notional business which requires a strategic 7-year security plan to support planned global expansion and restructuring.

This week, the course will accelerate with intensive study of information leakage and the risks and problems facing corporate organisations against the background dynamics of the modern world. Our current and past alumni will also know that the group is facing the challenge of the course project presentation which takes place on the final day of the course.

Already, the delegates are seeing the benefits of the world view discussed during SM3 – one has already provided input into an important company initiative using the subject material that he has covered.

The next Security Management Stage 3 takes place in Kuala Lumpur, Malaysia, 9 - 20 February 2009. Contact Janet for details.

Transport Security Focus – Fooling a GPS Navigation System

Many companies use GPS systems to track and direct their vehicles and assets. Reliance on these systems is increasing and will no doubt increase further as technology develops. Of course, and as usual, criminals will exploit any technological weaknesses in order to intercept transported assets and conduct robberies or thefts. A recent report indicates that GPS technology can now be ‘spoofed’ or manipulated to redirect vehicles from planned routes and thus lead them to vulnerable locations.

GPS tracking is one of the aspects of transport security covered in the forthcoming Security Management Stage 2 Course and the report is available through this link: GPS Report

Monday, September 29, 2008

Ten Baseline Security Standards for Home PC Security

Policeman sacked after P2P data leak

The officer, who worked for the Metropolitan Police Department in Tokyo, accidentally revealed the details via peer-to-peer (P2P) file-sharing software on his PC. He had allegedly installed the Winny file-sharing software on to his machine and was unaware that sensitive data was being made available to other users via the P2P network. According to reports, the personal details of 12,000 people related to criminal investigations have been spread across the net from the officer’s computer and around 6,600 police documents have been compromised, including interrogation reports, victim statements, and classified locations of automatic licence plate readers.

The story above illustrates the inherent risks of allowing unapproved software to install itself on PCs. Most P2P software installs itself via the Internet, often accompanying a downloaded media file. P2P software is used extensively among teenagers to share media files.

Business sensitive information can be exposed when employees are allowed to use home PCs to process business data. Discussions on ARC Training courses reveal that this practice is more common than many companies realise, the essential problem being that businesses are failing to communicate to their employees that this is expressly forbidden. And there are serious compliance and liability exposures when company holdings of personal private data are processed on home PCs.

At the very least, home PCs should be protected to the following 10 baseline standards:

1. ANTI VIRUS SOFTWARE Up-to-date anti virus software should be installed. (Free at http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html)
2. AUTHENTIC WINDOWS The system should use a registered (legal) copy of Windows, which should be updated (patched) automatically – in some parts of the world, over 50% of households are using bootleg Windows, which can expose data to extreme risk.
3. FIREWALL The system should have a firewall stronger than the one provided by Windows. Zone Alarm is recommended (Free at www.zonealarm.com)
4. SPYWARE PROTECTION The system should be protected against, and regularly scanned for data-stealing spyware. (Free from www.SpySearchDestroy.com)
5. P2P There should be no P2P file sharing software installed.
6. PASSWORDS The system should be protected by a strong (alphanumeric) password. A Windows password is good; a boot-sector password is better. Individual MS Office document passwords can be broken in minutes using web-based tools.
7. ENCRYPTION The system should include an encrypted area (free from www.truecrypt.org), or folders at least should be password protected (free from www.folder-password-expert.com).
8. WI-FI If wi-fi is used, it should be secured to WPA standard. (An earlier encryption standard, WEP, has many weaknesses).
9. VPN AND ENCRYPTED EMAIL – Two considerations for secure communications.
10. HARD DRIVES Even after deleting or reformatting, hard drive data remains recoverable. Hard drives, upon disposal, should therefore be degaussed, disintegrated or wiped using special software. You should never simply delete data and send the drive to local recycling, as your bank details may end up with a scammer on the other side of the world! (Try the free Eraser tool to irretrievably delete data http://www.heidi.ie/node/6 )

Sunday, September 28, 2008

Selecting Perimeter Intrusion Detection Systems

With a nuisance alarm rate of 3% and a probability of detection of >95%, RFI immunity and one of the lowest per metre costs, fiber optic perimeter intrusion detection systems may seem the ideal choice to provide early warning of intrusion into large sites. See:
http://cim.pennnet.com/display_article/319242/27/ARTCL/none/none/1/Fiber-optic-technology-updates-old-fashioned-security-/

But what are the drawbacks and the alternatives, and do they work well with a rattly chain link fence? This, and many other subjects, are covered during the core skills Security Management Stage 1 Course, a postgraduate-level, university-accredited programme which takes place in the UK during the period 17-28 November 2008. Click on the link below for full programme details.

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1

This course may be used to obtain credits towards the Middlesex University Work-Based Learning Studies MSc (Corporate Security Management).

Saturday, September 27, 2008

CCTV Headcams

Door supervisors at entertainment facilities in the UK are being equipped with portable CCTV headcams. Headcams have been used by police in the UK for some time, but reductions in cost make these devices now within the reach of private security staff. Within the corporate context, they are particularly useful when “policing” protests.

The unit comprises a pocket-sized storage and viewing system, linked to a camera worn at the side of the head with the aid of a strap. It is described as an Archos Gen 5 Helmet Camera, and is connected to an Archos Gen 5 Portable Media Player. Together, the two units cost less than $500.

The press article about door supervisors and headcams can be found at:
http://www.kent-online.co.uk/kol08/article/default.asp?article_id=48491

Thursday, September 25, 2008

Responding to Pharmaceutical Counterfeiting

Pharmaceutical companies face the dilemma of how to respond to well-organized criminal groups that manufacture, transport, and distribute counterfeit medicines indiscriminately. Several innovative multinational manufacturers took the lead by establishing PSI, the world’s only organization devoted exclusively to the collection and analysis of information on pharmaceutical crime. PSI collects data on such illicit activities as counterfeiting, illegal diversion, and theft. A full report on PSI can be found in the latest edition of Police Chief Magazine. http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=archivecontents&issue_id=82008

The management of illicit trade and counterfeiting is one of many advanced security management topics covered in Security Management Stage 3 (SM3). The next SM3 course is due to take place in Kuala Lumpur, Malaysia, 9th – 20th February 2009. Contact David for details.

If You Want an Automatic Notification Each Time a New Story Is Posted….

Go to http://www.changedetection.com and sign up for their free service

Wednesday, September 24, 2008

Crime Prevention

Useful baseline crime prevention measures can be found at the following link: http://www.solgps.alberta.ca/safe_communities/crime_prevention/Publications/Working%20to%20Fight%20Crime%20Fact%20Sheet.pdf courtesy of the Alberta State Solicitor General and Public Security Office. The guidance is particularly useful for small to medium-sized retail establishments.

Crime prevention is covered in detail on Security Management Stage 1, 17-28 November, a university-accredited core-skills programme that has been attended by hundreds of security managers worldwide. Click here for content details.

A New Type of Whole Vehicle IED Scanner Is Deployed in the US

Source: USA Today

A controversial new X-ray technology is being tested that could stop potential terrorists from blowing up a car bomb at one of the nation's airports, homeland security officials in the US say.
The Transportation Security Administration (TSA) is running a test at a North Carolina ferry terminal of a 21-foot-high arch-like machine that shoots low-intensity X-rays at cars as they pass through. The photos show whether explosives or drugs might be in the car. Each vehicle takes approximately 30 seconds to scan – much faster than any previously deployed technology – and the machine has the ability to scan occupants at the same time.
The technology, called backscatter X-ray, is in use at several airports to screen passengers. Privacy advocates have denounced scanning people as invasive because the X-rays can see through clothes.

For the full story click here. http://www.usatoday.com/news/nation/2008-09-17-car-scanner_N.htm?csp=34

Tuesday, September 23, 2008

Disturbances at the Main Gate: Understanding Crowd Dynamics

The US Army FM 3.19-15 Civil Disturbance Operations provides a useful insight into crowd behaviour and dynamics, especially when agitated. While the army’s crowd dispersal methods are definitely not recommended in the corporate context, the first part of the manual makes for very interesting reading:

“Understanding crowds and how individuals and groups form crowds through the gathering process is important because these issues apply to the dynamics of a crowd. Under most circumstances, gathered crowds are orderly and present little or no problems for authorities. Crowds consist of people who, although very motivated and passionate, are also subject to their own need for creature comforts. Rainy, cold, and nasty weather has a way of disheartening all but the few highly motivated and disciplined individuals. If problems exist, they usually fall into the following three categories:

Public disorder. Public disorder is a basic breach of civic order. Individuals or small groups assembling have a tendency to disrupt the normal flow of things around them.

Public disturbance. Public disturbance is designed to cause turmoil on top of the disruption. Individuals and groups assembling into a crowd begin chanting, yelling, singing, and voicing individual or collective opinions.

Riot. A riot is a disturbance that turns violent. Assembled crowds become a mob that violently expresses itself by destroying property, assaulting others, and creating an extremely volatile environment.

Being part of a crowd of people has certain effects on different people. Each individual in a crowd is susceptible to behaving in a way that is contrary to their normal behavior. Some reasons for these behaviors are as follows:

Crowds provide individuals with a sense of anonymity. With so many others, an individual realizes that he is just another face in the crowd, giving a sense of invulnerability.

Crowd and individual behaviors are impersonal by nature. The “them-against-us” attitude affords those within the crowd the ability to freely (without hesitation or reservation) be verbally abusive, throw objects, or attack anyone who gets in the way.

Crowds provide individuals with the idea that their moral responsibilities have shifted from themselves as a person to the crowd as a whole. Large numbers of people discourage individual behavior, and the urge to imitate others within the crowd is strong. Individuals look to others around them for cues of what to do next, disregarding their own background and training. Often, it is only the strong, well disciplined person who can resist the prevailing behavior of a crowd.

Crowd behavior influences the actions of both the disorderly individuals of the crowd and the authorities tasked to control them.”

To download a copy of this manual, click here http://fas.org/irp/doddir/army/fm3-19-15.pdf or email David.

The Perils of Arming Security Guards

Many multinational companies have a policy of not using armed guards except in extreme circumstances. Where armed guards are used, great care should be taken to ensure that they are well trained and psychologically suited, and that the guidance given to guards pays heed to the UN Basic Principles on the Use of Force and Firearms. http://www.unhchr.ch/html/menu3/b/h_comp43.htm.

One scenario for which it is difficult to train, but which nevertheless needs to be anticipated if armed guards are deployed, is that of a crowd disturbance at the company gates turning violent. Under these circumstances the discharge of a weapon as a warning could create an effect opposite to that desired, especially if dealing with a crowd that is already angry.

This is precisely what happened in India on Monday, when dismissed workers at the Indian subsidiary of an Italian firm staged a violent protest at the company premises. According to police, a gunshot by a panicking guard led to the workers going on the rampage and bludgeoning the CEO to death. In addition to the death of the CEO, 10 workers remain in a critical condition in intensive care.

Monday, September 22, 2008

CRISIS MANAGEMENT FOCUS: Preparing for the Worst: What Characterises the Better Performing Organisations?

According to the Institute for Crisis Management, the number of “newsworthy crises” has grown from just over 6,300 in 1996 to more than 10,500 in 2005. Increasing technological complexity and “tight coupling” of events and consequences make accidents more likely or “normal,” meaning inevitable and expected, in organizational life, and technological systems are becoming even more interdependent, vulnerable, and problematic in their intended and unintended consequences. Globalization is exacerbating these trends as distances shrink, people and goods move faster and farther, communication networks become more complex and indispensable, and technological advances spill over from one domain into another almost effortlessly.

Yet levels of crisis readiness among organizations remain low and poorly understood. A 2007 survey by PricewaterhouseCoopers found that while almost 50 percent of top executives’ organizations had experienced a crisis such as “a hurricane, an infrastructure collapse, a shift in regulatory mandates or armed conflict” in the prior three years, only a quarter of the surveyed executives expected a “major occurrence within the next three years.”

A free-to-download report from New York University entitled Predicting Organisational Crisis Readiness examines the special characteristics that appear to distinguish those organisations that are physically and "intellectually" equipped to successfully manage a crisis from those that are likely to suffer significant long-term impact. The report focuses on several areas of readiness, including:

- Monitoring trends in the external environment and risk mapping
- Proactively developing external relationships
- Scenario planning
- Building strong internal teams
- Authority sharing and flexible decision-making process
- Establishing and equipping a crisis management team
- Building in structural redundancy
- Providing strong day-to-day leadership
- Not letting risk aversion drive all decisions
- Conducting vulnerability assessments
- Institutionalising concerns of the community and other stakeholders

To download a copy of the full report, go to http://www.arc-tc.com/pages/resources_publications.asp#C and navigate to the heading Crisis Management. Then click on the second link under this heading.

Crisis management is covered in detail as a one-day workshop during Security Management Stage 1. Click here for details. To discuss your in-house crisis management training needs contact Phil Wood MBE.

Sunday, September 21, 2008

Business Travel Security: Reducing the Risk of Becoming a Hotel Bombing Victim

The Marriott Hotel truck bomb attack on Saturday is a stark reminder of how vulnerable – and attractive – hotels are to terrorists. As devastating as the attack was, the death toll would have been significantly higher had the hotel not had a secured perimeter, which created stand-off between the weapon and the target. It is a fact that each time the distance between a bomb and its target can be doubled, the blast pressure is reduced by a factor of eight – and it is blast pressure which causes catastrophic building collapse, such as was seen in Oklahoma in 1995. And suicide bombers know that they can guarantee catastrophic collapse if they can smash their vehicle into the lobby before detonating it.

There have been many hotel vehicle bomb attacks in the past, and there will continue to be hotel vehicle bomb attacks in the future; between 2001 and 2005 there were typically 3 major attacks each year. Organisations placing staff in prominent hotels in known risk areas should pay attention to how well they are secured. (ARC will be happy to discuss with you which countries are assessed as having a higher risk of hotel bomb attack). Are there “stand-off” vehicle and driver checks? Are vehicles being searched correctly? For example, in the majority of car bomb attacks, the explosive charge is in the boot. Are there factors that make a particular hotel a target?

There is also a need for guests to be advised on how to practice safe behaviour in hotels. This means not sitting close to windows or other glazing components (in guest rooms or public areas) and reducing the time spent in restaurants and lobby bars if they are at the front of the hotel, and especially if they are glazed. Guests should also familiarise themselves with the hotel layout on arrival, especially escape routes, which may be plunged into darkness in the event of an attack. The lobby is perhaps the area of greatest risk, especially at predictably busy times, so if waiting for transport, for example, it is safer to wait in the guest room and wait for the driver to call on arrival. (The lobby and “public” areas are not only vulnerable to vehicle bombs, but also hand-placed bombs, such as suitcases, and walk-in suicide bombers).

For those planning conferences at hotels, consideration should be given to properties which have basement conference rooms, especially if they are at the back of the hotel (the front of the hotel is usually considered to be the “threat” side).

Thursday, September 18, 2008

Five Steps for Stopping Insider Fraud and Data Theft

Source: Wall Street Technology

The threat of insider fraud appears to be increasing. Insider data theft accounted for nearly 16 percent of all data breaches in 2008, up from 6 percent a year earlier, according to a study by the Identity Theft Resource Center. And perhaps more alarming, customer data stolen by an employee is misused more frequently than data obtained through an external breach, a recent study by ID Analytics reveals.

Phil Neray, VP of database security company Guardium, says there are two main reasons for the rise in the insider threat: Demand for sensitive corporate data has increased, and there is now a thriving black market where fraudsters can buy and sell this type of data.

ARC's new Fraud Investigations Course takes place 1-3 December 2008. Led by a former senior UK police fraud investigator and now serving magistrate, the course will draw on real-life examples to illustrate the risk posed to companies. For more details click below:
http://www.arc-tc.com/pages/accredited_investigation.asp#f3

Click on the link below for the Five-Step "Insider Threat" Management Strategy
http://www.wallstreetandtech.com/advancedtrading/showArticle.jhtml?articleID=210004190&cid=RSSfeed_TechWeb

Wednesday, September 17, 2008

Global Kidnap Top Ten Hotspots?

Source: Clayton September K&R Extortion Monitor

"According to a report released in Mexico by a Christian organization, promoting global peace through Christianity, Mexico is ranked first in a list of countries affected by kidnappings, followed by Iraq. According to the NGO, kidnappings in Mexico are related to the appearance of drug cartels and organized crime. The report claims that 7,000 kidnappings took place in Mexico during 2007, which are only part of the real figures. According to the report, an average of three or four kidnappings take place daily in Mexico. Kidnappers’ main targets are successful businessmen and members of the middle class. This type of crime also affects other Latin American countries where the number of cases has increased dramatically in past years and new practices are invented. According to the report the top ten countries affected by kidnapping are: Mexico, Iraq, India, South Africa, Brazil, Pakistan, Ecuador, Venezuela, Colombia and Bangladesh. Ecuador and Venezuela now rank above Colombia, which was ranked first in 2000 with 3,000 kidnappings annually, most of which were associated with the country’s internal conflict. It appears that the Colombian problem of a few years ago is now being copied in Ecuador and Venezuela where in many cases Colombian guerrilla and former paramilitaries have cooperated with local kidnapping gangs."

ARC Comment: Kidnap risk assessment based on statistics alone hides the real kidnap risk. For example, many tourists and business people enjoy trouble-free visits to many of the above destinations, whereas areas such as the Niger Delta, which doesn’t feature in the above top ten, represent a high kidnap risk for business travellers.

How to assess the real risks to business travellers is discussed in detail during a one-day workshop which forms part of Security Management Stage 2. Forthcoming dates for this very popular advanced programme are 13-24 October 2008, 9-20 February 2009 and 29 June – 10 July 2009.

For more details click on the following link:

http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

A Hard Drive towards Security

Following recent high profile data loss incidents, companies are beginning to follow the example set by government departments in hard disk accounting and disposal. Delegates attending Security Management Stage 1 (17 – 28 November 2008) are taught during the programme’s Information and IT Security Workshop that all hard drives in a business should be accounted for and that they should be disposed of in one (or a combination) of the following ways:

- Degaussing
- Data overwrite using a special program designed and approved for this purpose
- Disintegration
- Incineration to 1500 degrees Celsius

With the amount of data that amasses on computer hard drives, virtually all drives in a business could be classified as at least “confidential”. And an often poorly appreciated fact is that drives usually still contain any data that has been deleted. Even reformatting does not completely erase data.

For a report on hard drive disintegration click on the link below:
http://www.csoonline.com/article/448123/Data_Breaches_Spark_Hard_Drive_Shredding_Boom?page=1


For more on Security Management Stage 1 click below:
http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1


To learn more about the full list of topics covered in the Information and IT Security Workshop contact Janet.

Tuesday, September 16, 2008

Advanced Level Security Management Training

The university-accredited Security Management Stage 2 Course, 13-24 October 2008, is an advanced level programme designed to enhance security managers’ ability to implement security risk management programmes that will make a quantifiable contribution to organisational loss reduction goals. Proceeding from the assumption that participants have a thorough knowledge of the fundamentals of security management (as covered in Security Management Stage 1, or the ASIS CPP), this course focuses on developments in security risk management and addresses a range of complex issues, including:

- Developing Security Risk Management Methodologies
- Business-Integrated Security Operations Management
- Integrating Security Technology
- Developments in CCTV
- Fraud Risk Management & Ethics
- Investigations Management & Forensics
- Transport & Distribution Security
- The Corporate Response to Terrorism
- Protection against Non-Conventional Weapons (CBRN)
- Business Travel Security Management
- Information Security Management
- Convergence of Physical & IT Security
- Selecting a Guarding Contractor
- Finance & Budgeting
- Business Continuity Management

The course includes a multi-site security strategy and design project, and a one-day crisis management exercise. For details click here or email Janet by clicking here.

Monday, September 15, 2008

Security Management Resources – Updates

If you are a past delegate of a Security Management Stage 1, 2 or 3 course, you will have received a CD or a data stick containing a vast collection of security management resources.

These collections are being continually added to and you can access the latest set of documents by signing up to the ARC Extranet http://www.arc-tc.com/extranet/login.asp

The service is free of charge and all publications are downloadable to your computer. And if you haven’t attended any of the above-listed courses you can still sign up to our GUEST collection.

Kidnap Victim Tracking – Seduced by the Large Print

On a number of courses recently, during both Kidnap Risk Reduction and Security Technology workshops, some delegates have pressed the instructor to provide more information about a revolutionary tracking device they have read about – a minute satellite receiver/transmitter, about the size of a grain of rice, which can apparently be injected under the skin to provide real-time GPS updates of a person’s position, should he or she be kidnapped.

Invariably, they stare at the instructor in disbelief when they are told that subcutaneous GPS transceivers do not yet exist, but that the device they have read about is really a subcutaneous RFID chip which communicates with a larger battery-powered GPS device, which has to be worn externally on the body – in many ways defeating the need for a subcutaneous device, and the inevitable “surgery” that the kidnappers will carry out in order to find the implant!


Selecting and specifying security technology is one of many subjects covered during Security Management Stage 2, 13-24 October 2008. Click here for details.

Good Building Design Key to Keeping Bad Guys Away

Source: The StarPhoenix

Expensive locks didn't help a Canadian company when its offices were robbed a few weeks ago, in broad daylight. The thief who made off with the computers was identified and caught through the vigilance of someone in the building who noted a suspicious character lurking about.


This experience points to the importance of natural surveillance for crime prevention, one of the principles of CPTED (Crime Prevention Through Environmental Design). CPTED, an approach that originated in the 1960s, is based on a theory that the proper design and effective use of the built environment can reduce crime and the fear of crime.


Research into criminal behaviour shows the decision to commit a crime or not is heavily influenced by cues about perceived risk of being caught. CPTED strategies increase a criminal's perceived risk of detection using three main strategies: Natural surveillance, natural access control and natural territorial reinforcement.

CPTED is one of a number of crime prevention strategies covered during the postgraduate university-accredited Security Management Stage 1 Course, 17-28 November 2008. For more information on this programme, successfully completed by hundreds of security managers worldwide, click here.

Free-to-Download Video Clip on Executive Travel Security

Business travel security is one of many subjects covered in depth during the forthcoming Security Management Stage 2 Course, 13-24 October 2008. Click here for more details.

An interesting short video on executive travel security overseas can be viewed by clicking on the following link. Alternatively, email David for a copy of the video clip.

http://www.forbes.com/video/?video=fvn/eti/er_eti060208&partner=contextual

Private Security Staff to be Given Powers to Fine for Disorderly Behaviour?

Source: Guardian.co.uk

Powers for council wardens and private security staff in the UK to issue fixed-penalty notices and on-the-spot fines for disorderly behaviour are being considered by the police and Home Office ministers. Chief constables are also looking at using security staff to tackle community problems in places where police involvement might be seen as excessive.

More at the following link:

http://www.guardian.co.uk/society/2008/aug/27/localgovernment.localgovernment?gusrc=rss&feed=politics

Thursday, September 11, 2008

Business Travel Security – Racism

There are many good free-to-access resources on the internet which provide advice on country-specific risks to travellers. Some of the best can be found on the respective foreign ministry websites of the USA, UK, Canada, Australia and New Zealand (listed under the Business Travel Security section on the ARC Website: http://www.arc-tc.com/pages/resources_publications.asp#B )

Subscription services offer similar products, but these usually provide more in-depth analysis, with risks broken down into categories, often using a red, orange, green (traffic light) indicator system. Typically, these categories include Kidnap, General Crime and Street Violence, Political Stability and Unrest, Terrorism etc.

Rarely, however, are the issues of racism and sexual harassment given their own category indicators. Perhaps this is because these are sensitive issues. But for those planning to send staff overseas these should be very real concerns.

For example, if a female employee is being asked to travel to a country in which it can be reasonably expected that she will be sexually harassed and propositioned, isn’t there a duty of care on the company to identify, assess and manage this risk, however sensitive?

Similarly, if an employee of South Asian or Afro-Caribbean origin is required to go to a country such as Ukraine - where, according to Amnesty International, minorities are living in a climate of fear of thousands of racist skinheads, who have allegedly killed four foreigners this year (http://news.bbc.co.uk/1/hi/world/europe/7499364.stm ) - surely there must be a duty of care, and a mechanism, to assess, and manage, this significantly elevated risk of becoming a victim of violence.

These delicate issues have been raised at recent ARC Training Business Travel Security Workshops, where delegates, themselves often representing diverse ethnic backgrounds, unanimously agree that while companies should not discriminate over whom they send on overseas business assignments, these special risks must be identified, assessed and managed.

For more on business travel security awareness training contact David.

Lose a USB Data Stick and You Could Lose $$$Millions!

Once again the thorny issue of data stick (flash drive) security has raised its ugly head in the UK. Recently, a contractor which lost a data stick containing details of thousands of convicted prisoners was punished by the resultant loss of a $3 million contract. A further $16 million of contracts is under review. See:

http://news.bbc.co.uk/1/hi/uk_politics/7608155.stm

There are some undeniable truths in the issue of data stick insecurity, which expose companies to potentially serious reputation damage, expensive lawsuits and possibly heavy fines. Some of the key points are as follows:

1. Over 50% of companies take no measures to protect against data stick misuse, despite a suite of technical and procedural measures being readily available.


2. Companies typically hold two types of sensitive information: proprietary information and personal private information. Loss of the former could lead to loss of competitive edge. Loss of the latter could lead to public humiliation and ID theft.


3. Few companies encrypt data sticks as standard, despite such encryption being readily available – and free. This, however, is a two-edged sword. If an employee secretes stolen information on an encrypted data stick you will not be able to access the information to prove that it is there.


4. Rarely in companies is there a single point of responsibility for data stick management – this is unfortunate since it leaves the news media – or the courts – to decide the guilty party in the event of a data loss made public.


5. Many companies that entrust their sensitive data to 3rd parties do not take into account those parties’ handling of data security.


6. In the UK, according to surveys, over half of all office employees admit to having stolen computer-based information from work.


7. A data stick costing less than $100 can store up to 5 million documents.


8. At least half of all computer users admit to having lost a data stick at one time or another.

For more click on the link below:

BBC NEWS Technology Warnings over USB memory sticks

Wednesday, September 10, 2008

Ways in Which We Can Help You Improve Your Security

ARC Training’s on-site training activities have been many and varied during 2008. Examples include:

Crisis and business continuity management training in Africa for a leading multinational manufacturer

Crisis and business continuity management training for security managers and consultants in both the Middle East and the Far East

Practical security surveying training for security managers from Asia

Security management training for property development companies in Dubai

Security management training for a state water authority for a major Middle East country

Business security representative (security focal point) training for multi-tasked managers throughout the world

CPP certification training for security managers of the Bangladesh Security Manager Forum (now transforming into an ASIS Chapter)

Crisis management training for the maritime ports authority of one of the busiest ports in the Middle East

Crisis management training for a government agency in the Middle East, and information security training for a government security agency in Europe

University-accredited security management training for a multinational oil and gas company in Africa

Sector-specialised oil and gas security management training for a multinational oil and gas company in India

On-site security staff training for the data processing centre of a major multinational bank

Security awareness workshop for a major multinational manufacturer

Investigations management training for security managers from a multinational oil and gas company

Fraud investigations training for security managers in the Middle East

If you would like to discuss your organisation's in-house training requirement (security management, crisis management, business continuity management or investigations) with an ARC Training specialist please contact Janet.

Kidnap Resources

Two useful publications on kidnap risk reduction are available free-to-download on the Clayton Consultants website. Click on the links below to download or, alternatively, email David for copies of either to be emailed to you.


2008 Kidnap RiskBrief

Personal Security Handbook

Tuesday, September 9, 2008

Maritime Piracy Hotspots Report – Nigerian Waters World’s Most Dangerous, According to IMO

Reported acts of maritime piracy, defined by the International Maritime Organisation as - “an act of boarding or attempting to board any ship with the apparent attempt to commit theft or any other crime, and with the apparent intent or capability to use force in the furtherance of that act” – have continued to reduce, according to the International Maritime Bureau 2007 Annual report.

Against this general decline, two notable hotspots which have seen dramatic increases in piracy activity are the Gulf of Aden and Nigeria. In Nigeria, reported attacks in 2007 were up 350% on 2006, accounting for about 1/5th of all attacks worldwide. And in August 2008 the US Navy declared the Gulf of Aden a Maritime Security Patrol Area, deploying ships and aircraft to police it.

The 2007 Annual Piracy Report, which contains details of the methodology used in many of the attacks, can be obtained from the ICC International Maritime Bureau http://www.icc-ccs.org/main/index.php

Alternatively, email David for a copy.

What Happens to Your Data When It Has Been Compromised by an Insider?

Source: CSOonline.com

Recent studies suggest that over 60 percent of data breaches originate from an internal source or event. One reason for this is that in today's data-rich environment organizations continue to struggle with the 'human element' at the heart of data security. It can be extremely difficult to balance the protection of sensitive data with granting access to employees who need it to complete their daily job requirements. To that end, organizations have implemented several new security measures including employee education programs, data access monitoring, and strict policies regarding USB ports and portable devices. Although these are steps in a positive direction, little has been done to study and understand how the data is exploited once it leaves an organization.

Read on here:

http://www.csoonline.com/article/443371/Monitoring_the_Enemy_Within_Reflections_on_a_New_Internal_Data_Theft_Study

Thursday, September 4, 2008

If You Want an Automatic Notification Each Time a New Story Is Posted….

Go to http://www.changedetection.com and sign up for their free service

Carjacking Risk Management

Urban myth would have it that carjacking is only a South African problem, but there are alarming statistics from places as diverse as the US and India to suggest that this is a risk that exists almost everywhere. There are a number of basic precautions that security managers can advise staff to follow to reduce this risk. These include:

Be aware of carjacking hotspots and, at night, of areas such as ATMs, self-service petrol pumps and fast food drive-throughs. By day, take care at remote tourist lay-bys (pullouts).

Before leaving, plan a route to avoid dangerous areas. If you need to drive in unfamiliar areas, try not to drive alone, especially at night. The majority of carjackings occur between 2000 – 2300 hrs, and at weekends.

Always drive with your windows up and car doors locked. Regularly check your mirrors and scan ahead for potentially dangerous situations.

When you’re coming to a stop at a junction, leave enough space to manoeuvre around other cars. If you sense trouble, this will allow you the room needed to get away.

Carjackers sometimes hit a car from behind and then pull a weapon when the victim gets out to investigate. If you think you have been bumped intentionally, try not to leave your car.

If a suspicious-looking person approaches your car, drive away carefully. In extreme situations, you might even consider going through a red light.

Don’t assist other motorists in low traffic areas who appear to have broken down.

Use caution when you enter or leave a parking lot. Park in well lit areas where you can see and be seen by others. When getting in or out of your vehicle always be aware of what is going on around you.

Wednesday, September 3, 2008

Human Rights, Community Engagement and Operating in Conflict Areas – Resources for the Oil and Gas Sector

A range of useful free-to-download resources on community engagement, operating in areas of conflict, and human rights considerations can be found at the following link:


http://www.ipieca.org/activities/social/social_publications.php#6


The resources are specifically aimed at the oil and gas sector. Community engagement, operating in areas of conflict, and human rights considerations are amongst the many subjects currently being studied by delegates attending a special oil and gas-focussed Security Management Stage 1 Course in Delhi. The course will be repeated during the period 22 September – 3 October 2008. Contact Janet for details.

ID Fraud: Managing the Insider Threat

Historically, companies found it relatively easy to protect data stored as hard copy. Then along came computers and the advantage shifted to the adversary. But the range of adversaries was relatively confined, since there had to be a clear objective in targeting corporate sensitive information – it had no value to the average criminal.

Now the landscape has changed dramatically with the computerisation of personal private (employee and customer) data, and the concerted efforts by organised criminal gangs to get their hands on it. Credit card details, home addresses, national insurance numbers are all being targeted.

Sold on, such data can cause huge damage to individual victims. At the “basic” end of the scale credit card details can be sold on to fraudsters. At the more sophisticated end of the scale entire identities can be cloned for the purpose of gaining credit with banks, or financing activities such as gambling. Recently, a victim lost both his family and job after his identity was cloned fraudulently from an on-line shop and used to access child pornography websites. It was months before the police cleared him. And there are estimated to be thousands of innocent victims in the UK not aware that they have an illegal "twin"!

Wall Street Technology online magazine has recently published five basic steps that companies should take in order to manage this risk. In brief they are:

1. Establish policies. Companies must put in place policies that define authorized and unauthorized access to sensitive data.
2. Provide training. "You have to train employees as to what's acceptable and unacceptable, and what kinds of things are just considered bad practice, such as leaving spreadsheets on an unattended file server."
3. Enforce policies with technology. Many companies have policies but they don't have a way to enforce them.
4. Institute oversight processes. You have to make sure that if you're creating audit reports and generating real-time alerts that there's an established process to review these exceptions and address them.
5. There must be high-level support for data security to be effective.

Data security is covered in detail during Security Management Stage 1, 17-28 November. Full details of this course, which has been attended by hundreds of security managers from almost as many countries, can be found at http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1.

Security Management Talent Development

Security professionals have been working hard this week during the latest Security Coordination and Management Course. The group, including managers from retail, oil and gas, power and security guarding disciplines, has been looking at fundamental security management issues, based on risk assessment and analysis.

Although their experience and knowledge levels vary, the group is approaching the course with vigour and determination, and its members are learning rapidly from each other about the range of matters which can arise in security operations globally.

Having made this excellent start, we expect the delegates to be able to establish themselves within their organisations as innovative and thinking security professionals, who can add real human and financial value to the business’s aims and objectives.

If you are interested in the challenges and benefits that ARC’s courses can provide, please check our website http://www.arc-tc.com/ for details or contact Janet.

Tuesday, September 2, 2008

Crisis Readiness - New Report for Download

Source: HStoday.us

Like individuals, organizations often define themselves by how they respond and perform in crisis situations. While no two organizations (or individuals) respond to crises in quite the same way, there are, according to a new report from New York University’s (NYU) Center for Catastrophe Preparedness and Response (CCPR) and The Public Entity Risk Institute (PERI) titled Predicting Organizational Crisis Readiness, a common set of core characteristics which can allow us to predict which corporations and public agencies, whether large or small, will be most capable of resilience when faced with managing crisis or catastrophe.


The first core characteristic of a crisis-ready organization is awareness and alertness towards the external environment. Crisis-ready organizations, says the report, “closely observe their environment so as to be able to predict crises BEFORE they affect the organization.”
Another core quality of resilient organizations is that they have developed a culture “that welcomes error reporting,” and “establishes processes that reward error discovery and reporting and a continual search for system improvement.”


Crisis-ready organizations most often cited by sources additionally were said to have systems in place that help organizations determine what is working and what is not by using objective systems to benchmark, test and measure progress.


ARC Training’s 1-day Crisis Management Workshop takes place on 25th November. For more information on this, or to discuss in-house bespoke crisis management training and exercising, contact Janet Ward.

For a link to the full copy of the NYU report, click below:

https://www.riskinstitute.org/peri/images/file/POCR-finalreport.pdf

What Can Be Done to Better Protect USB Memory Sticks Following the UK Prisoner Details Data Loss Blunder?

Recently the UK government was forced to admit that files containing details of every UK prisoner have been lost in a new data blunder. A contractor working for the Home Office mislaid a memory stick with the information as it was being moved between computers. The files contain the names, addresses and dates of birth of 33,000 prolific offenders who have committed at least six serious crimes in the last year.

For many organizations USB memory sticks and data loss are a public humiliation incident in waiting, since the majority of companies do not exercise proper care and control over such devices. And this latest incident, one of many thousands, will be sure to focus the attention of the media on this growing problem.

To put sensitive data unencrypted onto a memory stick is regarded by the UK’s Information Commissioner as negligence. It could also be argued that an organization’s failure to address this problem, by making encryption available for memory sticks and controlling their use with corporate systems, could also be a breach of duty. Spectacular fines have been inflicted on companies for data loss in the past, such as Nationwide, which suffered the theft of an unencrypted laptop from an employee’s home, and lost not only the data, but £1 million in a subsequent fine.

Various simple encryption options are available for memory sticks, including Steganos (for a fee) and TrueCrypt (free). For details click on the links or search on Google. If you need help in setting up an encrypted drive on a USB datastick using TrueCrypt email David.