Hi-Tech-Consulting

Building Security: 7 Basic Blunders
CSO Online (10/01/09) Vol. 8, No. 8, P. 22; Goodchild, Joan

There are seven mistakes security managers commonly make that compromise the physical sureness of their buildings. First is assembling a guard services contract without inside knowledge of how the company is managed. Second is prioritizing appearance and aesthetics over effectiveness. Tim Giles, a security consultant and former head of IBM’s security operations in the U.S. and Canada, says technologies such as hidden cameras and ground-level lighting are often pretty to look at, but do little for perimeter security. A third misstep is failing to secure all of a building’s entrances. “Every door is another opportunity to get in,” Giles reminds. Fourth, allowing upper-level managers and executives to be lax on the rules, such as monitoring other employees to see if they are wearing ID badges. Fifth is neglecting to properly learn new security technologies. “Companies will have a contractor come in an install the cameras, and then there is no follow up to learn how to really use it,” Giles says. A sixth error is failing to lock and secure critical rooms within a building. Overdoing security is another frequent misstep committed by security managers. “I’m opposed to going into a facility and having them do as much security as they can do,” he said. “If you overdo it to where it doesn’t make sense, within six months people will have figured out ways to get around security and it will be a waste of money. It has to match the risk and culture of the business.”

Fostering Awareness
Security Management (10/09) Vol. 53, No. 10, P. 108; Kelly, Lee

Although implementing and maintaining security technologies and policies are an important part of efforts to protect sensitive corporate data, companies can also reduce security threats to their information by providing their employees with security awareness training. An effective security awareness program should be tailored to the different types of employees a company may have. Although all employees should receive the same basic security awareness training, some employees–including those in the IT and security departments–should receive additional training designed specifically for them. IT employees, for example, need to be educated about which information is sensitive and needs the most protection, while security employees should be trained on what types of suspicious activity to look for and how to respond to security breaches, among other things. In addition to being tailored to the various types of employees, effective security awareness training programs should also incorporate new methods for informing workers about security programs, including the use of messages from managers delivered to employees via printed media such as the corporate newsletter or bulletin board notices. Managers may also want to consider using Internet-based meeting software to communicate with employees who are not in the office on a regular basis and using data from security applications to illustrate data security rules. In addition, security awareness training programs should provide incentives for employees who follow security policies. Finally, security training programs should include metrics that help managers see how they are valuable.

Galleon Case Prompts Firms To Plug Leaks
Wall Street Journal (10/23/09) Sharma, Amol; Pulliam, Susan

Companies are currently undertaking extensive damage control measures following criminal allegations brought against Galleon Group founder Raj Rajaratnam that allege he was involved in an insider-trading scheme that also involved a number of corporate executives and employees. Companies with possible ties to the investigation include Intel Corp. and Google Inc. Intel has assured its partner, Clearwater Corp., that the company’s information is safe after Intel managing director Rajiv Goel was accused of leaking information to Rajaratnam regarding Clearwater’s plans to merge with Sprint Nextel Corp. in March 2008. Google, for its part, has suspended ties with investor-relations firm, Market Street Partner, while the firm conducts an internal investigation into Shammara Hussain, a former employee whom prosecutors maintain passed along sensitive information about Google.

U.S. Appeals Court Upholds Convictions of Animal-Rights Activists Charged Under Terrorism Statute
Associated Press (10/15/09)

The 3rd U.S. Circuit Court on Wednesday upheld the convictions of six animal-rights activists charged with conspiracy to violate the 1992 Animal Enterprise Protection Act, which aims to protect animal research labs from illegal and violent protests. The activists, who are members of a group known as Stop Huntingdon Animal Cruelty, were originally convicted in a 2006 trial in New Jersey for posting the home addresses of contractors and officials at Huntingdon Life Sciences–a company that has been criticized for allegedly abusing animals at a facility in the U.K.–on their organization’s Web site. Some of the Huntingdon officials and contractors were harassed or had their homes vandalized or attacked after their addresses were posted. Among the officials who were targeted was Andrew Baker, the chairman of a Huntingdon holding company. During the animal-rights activists’ trial, Baker testified that protesters broke windows and threw smoke bombs into his home in Los Angeles. Baker also testified that protesters plastered the door of his daughter’s New York apartment with pictures depicting his death. The activist claimed that they were simply exercising their right to free speech by posting the addresses of Huntingdon officials and contractors on Stop Huntingdon Animal Cruelty’s Web site. But Judge Julio Fuentes of the 3rd U.S. Circuit Court disagreed, saying that the posting of the addresses constituted a “true threat,” and is thus not protected speech. The activists are considering appealing the ruling.

Experts: U.S. Worker-on-Worker Violence Under-reported
Reuters (10/05/09) Wulfhorst, Ellen

There were 444 homicides in U.S. workplaces last year, down from nearly 900 in 1995, according to government statistics. Most of those deaths involved robberies of taxi drivers and clerks. The number of homicides involving an employee who kills a colleague stands at roughly 100 per year, according to Tom Tripp, the co-author of “Getting Even: The Truth About Workplace Revenge.” However, some experts say that the number of instances of worker-on-worker violence may be underreported and undercounted. There are a number of reasons why the number of reported instances of employee-on-employee violence may not be accurate. For example, the definition of workplace violence is unclear. Some experts say workplace violence is limited to physical violence or work days lost, while others say it includes verbal abuse, stalking, and threats. In addition, threatening or harassing behavior is often not reported by workers who witness it because they feel that it is none of their business, said Richard Denenberg, the author of “The Violence-Prone Workplace.” Although the prevalence of worker-on-worker violence may not be known, experts do know the cost such violence has for businesses. According to statistics, businesses across the country lose more than $120 billion a year as the result of lost productivity, lost wages, interrupted business, and security and legal expenses associated with workplace violence.

Investigation Mandate Grows — So Does Liability for Doing Them Wrong
Security Director’s Report (10/09) Vol. 2009, No. 10,

Workplace investigations involving employee misconduct have been complicated by numerous federal corporate governance and financial disclosure laws like Sarbanes-Oxley and the Foreign Corrupt Practices Act, as well as new security laws at the state level and new accounting rules. To minimize liability, companies should address the investigation process before an investigation is needed. Companies should have a plan to coordinate investigators, records managers, and information technology staff with regard to electronic information storage, e-mail accessibility, and backups. They should conduct an audit of the communication devices and tools used by employees, such as instant messaging and text messaging on cell phones and Blackberries, since the company’s ability to access the communications transmitted on these devices depends on who owns them. A workplace privacy policy is crucial, as employees can bring claims against companies for violating their privacy. However, employees cannot reasonably expect privacy or privilege when employers distribute notices that ban the use of company systems for personal use; deny personal privacy with regard to information stored, created, or sent via company e-mail, voice mail, or Internet; and indicate that the company can monitor all data on its systems. Additionally, during the beginning stages of the investigation, investigators should determine the individuals who may have relevant documents and information in their possession; create a plan to assemble pertinent documents from the systems and employees involved in the investigation; select interviewers who have no ties to the investigation; and ensure privacy policies are up to date, have been distributed, and are enforced.