Security: Changing Views of the Terrorism/Technology Connection  

The 2001 World Trade Center attack propelled the private/corporate security function into a highly professional and technical domain. Security concerns have climbed out of the basement, up into executive offices.

Sun Tzu, an ancient Chinese military strategist, said that you should attack where your enemy is not prepared — go where he doesn’t expect you. The implications of that advice for today are that good security professionals know their enemy so they can protect and defend personnel, property, equipment, and proprietary information. A foundational component of “knowing your enemy” is proactively learning terroristic strategies and incorporating technological advances designed to defeat the enemy. That hasn’t always been the usual approach.

Traditionally, and prior to the attacks on September 11, 2001, the primary function of the security guard was similar to that of a Wal-Mart greeter — saying, “Good morning,” “Good night,” or “Let me help you with the package.” Approximately a year after the 1993 terrorist attack on the World Trade Center (WTC), Jack Morris, a law enforcement intelligence professional, questioned why so many corporate security operations in the western world were still performing their duties like antediluvian guards and not like modern-day protectors. The protecting of company assets was a reactive function, not a proactive one, and was mostly directed toward personnel safety, locking doors, and preventing equipment theft.

On September 11, 2001, more than 3,000 people died in the terrorist attack on the World Trade Center. Some of the victims were security personnel assigned to the WTC. The catastrophic events of that day forever changed the traditional roles of security management. The term “terrorism” now resonates on the lips and in the minds of security personnel. As terrorism goes, so goes technology. For security professionals, the terms are intertwined.

For example, as part of a global program to improve security and reduce workforce anxiety, New York – based Lehman Brothers now deploys personal safety emergency kits with every PC and workstation it installs. Ken Damstrom, global head of security operations at Lehman Brothers, indicated that the kits include a gas mask, safety goggles, and a whistle to indicate a need for assistance during an evacuation.

In his 2003 book, Effective Security Management, C. Sennewald argued that terrorist attacks have transformed security services into a professional occupation that is a vital and integral component of American business and industry. For security professionals the issues of terrorist attack, corporate theft, proprietary theft, personal safety, and others have created an access control matrix monster posing an enormous security challenge.

Prior to the events of 9/11, American corporate executives were beginning to realize that proactive security management increased their profitability. Executives had viewed terrorism as an international problem; as such, profitability for effective security measures was their motivating force. Today, terrorism has become a clear reality for corporate America. The professional security department’s role of being a proactive protector of assets, proactive trainer, and proactive manager has become far more complex.

The Pre-9/11 View of Terrorism

Even after the terrorist attacks on the WTC in 1993 and on the Murrah Federal Building in Oklahoma City, which killed 12 and 169 persons, respectively, most security procedures for high-rise facilities didn’t change. As E. Levy noted in an article published in 2000, it is not uncharacteristic of human nature to allow the horrors of the past to quickly fade into memory. Levy’s study addressed the issue of whether the 1993 WTC and Murrah Federal Building bombings motivated building security managers to develop defensive plans against terrorist attacks. Seventy-seven percent of the respondents, from San Diego and Boston, indicated that crime, not terrorism, was the motivating factor behind upgrading building security systems. Upgraded security measures included access controls, alarms, surveillance TV, patrols, staff awareness training, contingency plans, perimeter fortification, standoff distance, and window fortification. Only the most high-profile buildings used fortifications measures, and few facilities maintained or enforced vehicle parking restrictions in their parking garages.

According to Tom Cavanagh, The Conference Board’s corporate security expert and author of a 2004 report, most mid-market companies agree that spending on security is a sound business investment, but the majority see it as an expense that must be minimized. In Cavanagh’s survey, 61% of businesses indicated that security provides value for their firms and a positive return on investment, but 39% said that security is simply a cost that must be tightly controlled. Cavanagh found strong support for security spending in “critical industries”: transportation, energy and utilities, financial services, media and telecommunications, information technology, and healthcare.

A 2000 article by M. Stone provides some economic insight into the apathetic stance of property owners. Stone indicates that terrorism was widely seen as one of the principal security threats to international business — not domestic U.S. business. Stone uses a straightforward definition of terrorism: Kill one, frighten a thousand. It’s the level of fear that shapes our perceptions of the terrorist threat. The odds of business people or assets being involved in direct acts of terrorism are relatively low. However, business is often caught in the crossfire of political disputes. Attacks on the economic infrastructure of a country will inevitably involve business interests. Research completed in 2003 by the Department of Homeland Security indicated that the private sector owns 85% of the critical infrastructure in the U.S. For that reason, business views terrorism as a significant and sustained threat.

Although the issue of terrorism in the U.S. was not proactively addressed by private/corporate security entities before the 9/11 attacks, such was not the case in England. In December 1992, the City of Newcastle, England, in a cooperative initiative between private security and local police, installed a 16-camera monochrome closed-caption TV (CCTV) system to provide general public security and proactively attack crime and terrorism. As a result, crime dropped in the targeted area.

Post-9/11 Areas of Concern

Since 9/11, corporate security professionals have had to reevaluate and reanalyze areas of significant risk and vulnerability. Five major vulnerability areas — access control, mailrooms, corporate protection, cyber/IT protection, and target hardening — are a continuous security challenge. Security managers have to balance various levels of protection and limited access against the possibility of impeding efficient operations.

Access control. In 2004, J. Engebretson, writing in Security Distribution and Marketing, indicated that corporate security managers had rethought their need for security gates since 9/11. Historically, security gates were simply a deterrence measure that denied access to the honest. Today, security gates and fencing are designed to prevent unwanted vehicle and/or pedestrian entries. These gates can cost thousands of dollars and have a life expectancy of approximately five years. Consequently, corporate security managers have to automatically budget the cost of their replacement and maintenance.

The use of pass access cards, anti-pass-back access cards, and ground loops enhances the security of access gates. Pass cards are used to obtain entry into a secured area but are not required to exit the area. The anti-pass-back access system requires that an access card be used for entering and exiting a secured area. The ground-loop system is similar to the sensors used at traffic control lights. Sensors are imbedded in the driveway, and as a vehicle passes over them, it activates the gate-closing mechanism to prevent piggybacking or vehicles entering through the unprotected exit gate.

Some facilities are using turnstile access and exit gates for employees. Employees have to have an access card to activate the turnstile. Additionally, anti-piggy-backing controls are installed on the turnstiles. Engebretson recommended that the access system have remote audio and opening capabilities that are monitored by CCTV. Some facilities are also designing a multiple-use smart card that provides employees with a single card for all access requirements.

Mailroom challenges. A 2004 article by C. Giusti indicated that postal inspectors had encountered approximately 20,000 incidents of suspicious substances since the October 2001 anthrax incidents. He recommended that a risk assessment be conducted by a qualified security professional that considers account assets, vulnerabilities, threats, countermeasures, and consequence management for immediate and surrounding areas. Mail services should be separated from other facility areas as much as possible. Doing so could significantly reduce the number of victims if there were a terroristic attack. A corporation must also consider the ancillary legal effects of an event that disrupts the operations of other businesses.

Giusti recommended that the mailroom have an independent ventilation system to prevent heating-ventilation-air conditioning (HVAC) cross-contamination. The mailroom must have a high level of access control, and CCTV must monitor the area. Additionally, security and life-safety systems should be integrated. To address potential breaches of security by employees, Giusti suggested that personal items should not be allowed in the mailroom.

One of the most important areas of concern is the actual mail screening process. Mailroom employees must be trained to identify suspicious packages and look for potential explosive devices and possible hazardous materials. Training must also include safety response protocols, isolation, and decontamination procedures.

Corporate protection. Writing in 2004, J. Simovich maintained that executive security is the responsibility of in-house security professionals. They must ensure that executives and others involved in travel understand the importance of addressing protection issues in the early stages of the travel planning process. This concept is of major importance when a trip is outside of the U.S. Security professionals should complete a travel risk assessment and develop mitigation strategies. The risk assessment should consider the history of the site, country, and region, specifically regarding political stability and crime/violence issues. The State Department can provide important risk assessment information.

Simovich further recommended that security professionals develop a logistical plan for international travel. This plan should be based upon the Secret Service’s 11-point advanced planning technique, which includes points of contact, motorcades, arrival and departure points, the target’s movement, and schedule and room/living quarters. Security professionals must also develop the executive’s travel itinerary. Additionally, they must keep abreast of new threats and maintain their skills through continuing education/training.

Cyber/information protection. In 2004, M. Kanok estimated that the theft of proprietary information costs corporations and business approximately $70 billion a year. The loss comes from employees leaking confidential and sensitive information by way of CDs or e-mail. Surprisingly, information technology (IT) departments focus more attention on incoming information than on the outflow of confidential material.

Kanok found that there are three common methods of stealing or leaking confidential information: identity theft by temporary workers, loss of core intellectual property from outsourcing agreements, and posting confidential and sensitive information on electronic message boards.

If a corporation establishes and enforces information distribution policies, then proprietary information leaks can be prevented. Start with a risk analysis, conducted by the security and IT departments, to identify the communication platform(s) that are most vulnerable to information leaks. Categorize all data and information and prioritize it into levels of confidentiality — top secret to public access. Companies should also establish access authorization levels and invest in security monitoring and leak detection software. Finally, monitoring and enforcement policies must be developed and implemented.

Target hardening. Terrorism is the weapon of the weak because it targets the defenseless and innocent. Terrorists want to cause the most death and destruction possible. To effectively guard a corporation or facility against a terrorist attack, a security professional has to transform the facility from a soft target into a hard target.

A security professional needs to complete a threat/vulnerability assessment of each facility and each operating component/section of a corporation. V. Ready’s 2003 article stressed that a threat/risk/vulnerability team has to be formed. That team should include security managers, operations managers, IT managers, executive management, and safety personnel. Designers and builders of the facility or IT systems should provide additional informational support and suggestions.

Ready identified three major areas that need to be addressed to help create a more hardened facility:

• Information operations: Convince terrorists that a facility is not a soft target by implementing observable enhanced security measures and creating media press releases promoting the enhanced security measures and their visible integration into local police/security networks.

• Operational security: Minimize the number of people who have access to sensitive information, create physical barriers to prevent terrorists from observing operations, and develop countersurveillance terrorism plans.

• Vulnerability improvements: Integrate physical security measures and surveillance/intrusion detection technology, design and implement target-hardening measures, develop an effective command/control/communications/intelligence network, and have a professional, well-trained security force that is coordinated with local law enforcement.

A year before 9/11, M. Stone provided similar recommendations regarding risk management. He said that minimizing the risk of becoming a terrorism victim is not complicated, but it is not possible to guarantee 100% immunity from a direct attack. Stone also argued that the most effective approach to ensure that proper risk/vulnerability assessments are completed is to have the support of top executives. To that end, he recommended a two-pronged approach toward risk management:

• Evaluation: Assess the impact and likelihood of the risk of terrorism as part of the global risk management program; develop proactive intelligence to consider how, why, and when terrorist attacks are likely to occur; and have an integrated security force.

• Management and training: Develop and implement a full-scale and continuing training program for all employees and secure all assets with various levels of access control.

Both Ready and Stone stress that because risk profiles are constantly changing, security measures and countermeasures have to be continuously updated based upon the latest intelligence information available. Additionally, security measures must be flexible enough to meet the ever-changing terrorist threat. The job of the security professional is continuously evolving and changing to meet today’s threats.