Hacking windows with a brick

You've just spent millions on a VPN, anti-virus shields, firewalls and encryption. What if, tomorrow, someone just throws a brick through the window and walks off with your servers? Or kidnaps the CEO?
By Ivo Vegter, Contributor
Johannesburg, 11 Jun 2001

Physical security - in SA at least - is in many ways not overlooked. However, posting a guard at the door and fitting grates to the windows are no cure-all.

One local company, which will remain nameless for obvious reasons, suffered a theft of computer equipment that contained work-in-progress and sensitive information. The damage in lost productivity and potential damages arising from the loss of confidential information about the company and its clients was considerable. Reputations - and heads - were at .

A few months after installing better perimeter security and posting an unarmed guard at the door, the guard was found assaulted, hogtied, and scared witless in the men's room one morning. Thirteen more computers had disappeared. More incidents followed.

A CCTV system was put in place, but no further incidents were recorded. Arguably, the job was at least aided and abetted by an insider.

One respondent to an ITWeb questionnaire, the IT director of a Cape-based organisation - and the only one to remain nameless without requesting it - believes his own customers are "usually overly paranoid" and lists his company's physical security measures as: "None of the above. We have normal locks, two gateways, and an alarm. The costs are almost nothing - the alarm response unit charges R150 a month."

Another, who did request anonymity, lists measures including a secure centre requiring about five different layers of access control by means of tags, biometric scanners and CCTV, among others.

A third, an anonymous Unix administrator, names a gas-based fire suppression mechanism among the physical security measures to protect the company's band printers. At around R60 000 each, "we don't need them melting," he says.

"The fire suppression costs in the region of R60 000 itself, and annual maintenance costs about 20% to 30% again. I dread it going off," he says. "R30 000 to fill the tank."

Not to mention a couple of Unix administrators lost to suffocation.

Evidently, approaches to physical security vary wildly, and costs can become a significant issue. But what makes for a good security strategy?

Defence in depth - and in foliage

According to Rory Steyn, partner in specialist security firm Nicholls-Steyn Associates, any good security strategy must be initially comprehensive.

"Too many people have a reactive policy - corporate fraud, attacks on personnel, or theft, and all of a sudden they try to solve a particular problem," he says. "You need an all-encompassing look at things before they happen: from the guard at the gate to the integrity of your computer systems, to the safety of the chief executives."

As always, individual circumstances vary.

"A highly classified government installation housing servers or network equipment will obviously have a considerably higher level of physical security, say, than a school library running a campus network," observes Jim Menendez, senior manager of global IT security at Computer Sciences Corporation (CSC), who recently visited SA.

While security surveys do not result in the immediate dramatic effect that accompanies a criminal apprehension, it is much more cost-effective to prevent, or minimise, the opportunity for theft in the first place.

As with any investment, the costs and risks must be evaluated, and a strategy devised to significantly reduce the risk while containing the cost.

"However, to ensure a satisfactory level of security, a minimum standard must be set to protect the interests of the business," Menendez says.

Particular emphasis - especially in IT organisations - should be placed on the security consciousness of employees. Hacking scares most managers, although few South African companies are well protected, even electronically. But the risk associated with employee habits - writing passwords on sticky notes, failing to change passwords frequently or picking hard-to-crack ones, neglecting to raise alarm when an unknown person wanders about the office - is much higher.

Vocal, and forceful, support for security procedures from top management down is the only way to create that consciousness.

Menendez emphasises the importance that all staff apply sensible document and data controls, to protect existing and potential business.

He points out that no security measure will ever ensure 100% security.

"The best security is a combination of deterrents rather than one single formidable barrier," he explains. "This layered approach to security - referred to as 'defence in depth' - can be applied to all areas of the business."

Menendez notes that although good physical security practices can help reduce the threat of a "disaster" from many sources, disaster recovery plans should work on a worst-case scenario, with Murphy's Law being the yardstick.

"No amount of physical security planning will deter a major earthquake," he says.

One might not immediately see the connection between flora, hinges and light flares, and it would make an unnecessarily nasty quiz question.

Yet, considering the future growth of plants - as concealment or visual obstruction - in landscaped surrounds, positioning of exterior lighting vis-à-vis CCTV cameras or guards, and ensuring that hinges of external doors are recessed and capped are all part of the remarkably thorough and comprehensive response to interview questions Menendez offered.

It includes a nine-page summary of security areas that his company would take into consideration for an installation housing servers or network equipment.

One shudders to think what the average cash-handling organisation faces.

Dilbert would love this

What price a CEO? Surely not mirror-shaded heavies...

The image of small-time pop stars surrounded by glaringly obtrusive mirror-shaded men surreptitiously muttering into mikes inconveniently placed on the collars of bulging leather jackets is not, says Steyn, the perception his company wants to propagate.

Among his more prominent clients, Steyn names former president Nelson Mandela, for whom he acted as team leader.

"I've done royalty, other heads of state, sports teams, celebrities and businessmen. But we keep our client base confidential," he says. "We do provide references on request, but we don't talk about it much. We want to keep our services discreet. We want to pass someone off as a personal assistant."

The tendency to scoff at the idea of bodyguards - or executive protection officers, as they prefer to be known - belies research that shows that all of us are most at risk on our roads. Many companies have reasonable levels of security at the workplace, and almost all executives have comprehensive security in their homes, but between those two is a high-risk zone.

"Businesses typically overlook in-transit measures," says Steyn. "The majority of executives, for example, prefer to drive themselves, often citing perceived invasion of privacy with a driver."

However, South African road conditions, driving skills and gratuitous crime make self-driving a risky proposition.

"There is a definite trend developing that corporations are thinking very seriously about executive protection, because it impacts on the bottom line," Steyn adds.

Interestingly, the trend seems to be driven not by local businesses, but by multinationals that set up offices and send executives to SA.

The Web site of SafeHouse Security, a US-based security services company, typifies the view American companies - sometimes justifiably - have of conditions in foreign climes.

"Internationally, the threat is multi-fold. Narcotics traffickers often control large areas of those nations where the production or transportation of illegal drugs is common. Political terrorist groups are active in many countries, often specifically targeting foreigners as a means of 'making their statement' (as witnessed by the recent assault on the Japanese Embassy by the Tupac Amaru in Lima, Peru). Professional gangs of kidnappers are becoming common throughout much of the developing world, demanding ransoms in the millions of dollars, often operating with the passive or sometimes even active support of the local police. Some companies even find themselves operating in regions where with extreme civil unrest or tribal warfare (sic). To further complicate matters, there is significant crossover and cooperation between the various groups. Political terrorists may carry out kidnappings of businessmen, using the money they earn to finance acts of political violence."

Well, that should scare anyone into forking out some cash - albeit surprisingly little compared with the remuneration of a typical chief executive - for executive protection.

Steyn confirms the American perception: "Some 90% of our services are provided to business executives, and we have a healthy balance of foreign and local clients. A lot of US multinationals take executive protection very seriously. Almost every large US corporation will have a security department with a person to focus exclusively on executive protection."

He says that the negative perception of security in places like SA makes executive protection necessary simply to recruit executives to come here.

"Executives often sue if they're not adequately protected and something does happen," he adds.

Quis Custodiat Custodes?

This old Latin phrase is not an injunction to keep your customers in protective custody while they're on-site. While visitor registration, escorts and due care are indeed recommended in these circumstances, the phrase pinpoints an age-old problem that besets security.

Who, indeed, will watch the watchers?

In a booklet by Roger H Schmedlen, president of Loss Prevention Concepts, one learns: "Some businesses employ the services of outside security consultants to develop bid specifications for qualifying contract security agencies under consideration for the security service contract at their facilities."

This is, of course, an exercise guaranteed to prompt alarmed (and alarming) whimpers from cost-shy financial directors. It can also lead to "jobs for buddies" and other dubious practices. But DIY security planning is an even worse solution, as Schmedlen points out:

"Most companies...handle the selection in-house with little or no knowledge of the security field. Often the sole criterion for selection is the low bid. This usually results in substandard service, which provides a false illusion of security, but does little to limit risk."

Menendez agrees: "Although outsourcing security can be an attractive option due to the cost implications, it is vital that serious questions are asked of potential operators. Having a third-rate company perform security operations could seriously damage the image and integrity of a company. Customers won't look at the guarding company and apportion blame. They will look at those employing them."

Adds Schmedlen: "In some cases, the quality of security officers assigned is so poor that overall exposure becomes considerably greater than if there were no security personnel at all on site."

But at least the FD can relax - until the non-security is breached, that is.

"Security can be perceived by some purely as an overhead," says Menendez. "However, good security practices can enhance the company image in the eyes of potential clients. Conversely, lack of security will discourage them. Bad press concerning security issues can have the same effect."

The initial bidding process is an important measure that can, it is claimed, contain costs.

"Ill-considered security issues during the bid and transition processes can conceal contractual difficulties and unforeseen costs," Menendez explains.

He advises the allocation of a senior manager or - if the size of the task allows - the appointment of a full-time security professional, to ensure that both costs and the overall security strategy are managed effectively.

Either way, consulting with an expert company in the field will prove fruitful. The number of issues to consider is baffling to most non-experts.

Have you, for example, made sure that your security company has adequately accounted for and documented gaps in the 10-year employment history of its entire staff? What do your employees do with that unsatisfactory draft of key sales opportunities, or the executive`s itinerary?

Oddly, while unnecessary risks with investments cause sleepless nights, many managers can sleep perfectly soundly without satisfactory answers to these questions.