The Need for Physical and IT Security Convergence

March 01, 2007 – Jeffrey Bennett

Business security professionals make it a point to study their craft and learn ways to counter evolving threats. Business intelligence methods need to keep up with technology to analyze and prevent the internal and external influences that can ruin the enterprise. The threats corporations face include theft, vandalism, workplace violence, fraud, and computer attacks. Through a system of identification, analysis, risk assessment, operations security and prevention, astute managers can mitigate risks.

Theft affects all. The median loss from theft of cash and non-cash assets is $223,000 (ACFE). The costs of theft are passed on to consumers. A simple way for retail companies to recover from a bottom-line loss is to pass the costs on by increasing the top line. Raising prices is a symptom of theft, but not a cure. By itself it does nothing to stop the activity other than punish the innocent.

Many companies have invested in security staff. This staff focuses its efforts on identifying and preventing theft. Many businesses have created "loss prevention" jobs. The whole career is oriented toward identifying risky behavior, observing others, investigating theft, and finding methods of reducing risk. In retail, they may be secret shoppers; in transportation, they may be monitoring cameras and patrolling as guards, or dressed in business suits advising in boardrooms.

Information technology (IT) and lessons from business intelligence (BI) can be applied to detecting and preventing theft. For the internal threat, access can be controlled by badge or biometrics. These systems can limit access by employee, time of day, and day of the week. For example, employees who work in the warehouse can access their warehouse doors, but cannot gain entry to the supply department. Those who have janitorial privileges on their access cards can only gain entry during work hours and not when the business is closed.

Other IT help includes closed circuit television (CCTV). This is a great deterrent and detection device for both the internal and external threat. Current technologies allow the use of tilt/pan/zoom cameras that can record digital data for months. This data can be reviewed to see the habits and patterns of suspect customers and employees. All of this leaves a data trail that can be put into a data warehouse. Besides employee protection and assistance roles, this data can be mined to see patterns and recognize traits of potential perpetrators. For example, a supply bin in a warehouse may suffer shortage at each inventory. The installation of a CCTV device would provide digital feedback of whether or not supplies are being stolen and who is doing the stealing.

Sabotage and vandalism are a constant threat and can be categorized with workplace violence, criminal trespass activities, and industrial espionage, or can occur in conjunction with a theft. Though rare, their costs are heavy and, depending on where in the supply chain the product is, the expense may fall on the company or the customer. Here supply chain is a generic term, but is used to identify an IT tool that provides automated tracking of inventory and information along business practices. These practices can include campuses, apartments, retail, transportation, factories and other industries.

Security solutions to detect and prevent these acts include monitoring the workplace and removing the internal threat, building security in depth to prevent the external threat, training employees on operations security, and employing loss prevention techniques. Other effective measures against vandalism and sabotage include volunteer forces, employee incentive programs and other organizations such as neighborhood watch programs. Industry, churches, community activity centers and schools have learned the value of relying on volunteers. Volunteers serve as force multipliers who report criminal activities like vandalism to the proper authorities.

Employee workplace violence makes huge headlines for a very good reason. It is shocking behavior, with the most serious events resulting in multiple deaths. These incidents lead to lawsuits, low morale and a bad reputation for the company, and leave families and victims devastated. In 2003, workplace violence led to 631 deaths, the third leading cause of job-related injury deaths (BLS).

Workplace violence consists of acts of physical or verbal abuse taken out on employees, customers or other individuals at a place of business. For the purpose of this paper, the workplace is identified as a corporate building, warehouse, gas station, restaurant, school, taxi cab or other place where people engage in business.

Not all violence in the workplace ends in death. Incidents range from simple assault to much worse. Whatever the level of crime, innocent people are attacked at the workplace. In the corporate world this may be shocking. In other industries like law enforcement, retail sales and health care systems it is much different. These three have the most incidents. The US Department of Justice conducted a study on workplace violence from 1993 to 1999. In this study they found that 1.7 million workers fell victim to many types of non-fatal crime. These crimes include rape, assault, robbery, and sexual assault. These studies don't always mean employee-on-employee violence, but include outsider-on-employee violence and vice versa (DETIS).

Homicides at the workplace are very expensive. At the risk of sounding cold, the mean cost of a work-related homicide from 1992 to 2001 was around $800,000. The total cost of homicides during those years was almost $6.5 billion (ASIS). These cold hard facts, derived from the National Institute for Occupational Safety and Health (NIOSH), are what industry must deal with in creating its risk management plan. It is a tough but necessary evil that must be calculated.

When dealing with these facts and creating a mitigation plan, industry has to make choices to protect the workplace. The company has two obligations. The first includes the legal responsibility of the employer to protect and safeguard against preventable harm. This includes all those who work in or visit the workplace. The second responsibility is to handle incidents and investigations, discipline and other processes appropriately (ASIS). It is as important to respect the rights of all persons involved throughout the prevention and investigation processes.

All departments in the enterprise are involved in prevention and detection. All can contribute to the design, construction, and use of the data warehouse necessary for executing this type of prevention and detection. Each part could maintain a data mart, with senior managers mining from the entire warehouse. In this scenario, all team members would build the database with discriminating features. Alone, these features would probably not mean much, but behaviors or habits, when combined, may identify an abuser.

The more serious discriminators would be identified as "non-hire" criteria. For example, one discriminator that would prevent a person from getting a job would be a history of violence. This would be identified during the pre-employment screening phase. Another would be specific questions about performance during the interview that might indicate a propensity for violence or an inability to work well with others.

By building these rules, all sources could contribute to the database to identify high risk people throughout the employment. Rules could be input that when breached, could help management make a determination of who might be a threat to harmony in the workplace. For example, HR can input results of pre-employment background checks, job interview records and disciplinary actions within the company. Managers could provide information from performance reviews about questionable comments. Employees could make anonymous tips about other employees concerning their behavior.

Employees may not be the threat. Customers, friends and family members could also pose a risk to the workplace. These criteria could be identified as well. Employees who have abusive partners or spouses and employees who work in risky environments such as retail must be considered in the risk analysis and data warehouse input.

Some additional mitigating factors for employee workplace violence include traditional security methods. Additional lighting in darker areas, an armed guard, security cameras and panic alarms do wonders to give employees peace of mind as well as help prevent violent behavior. Knowing security is in place deters the criminal element. These security measures could be linked in a network to provide feedback and evidence for use in analyzing and determining actions to prevent this behavior.

Occupational fraud describes the use of "one's occupation for personal enrichment through the deliberate misuse of resources or assets" (ACFE). Whether an employee feels entitled to a fair share, is disgruntled, or acts for other reasons, this crime is costly. The median cost to business for this scheme is $159,000. Some reported fraud cases have cost upward of $1 billion (ACFE). Fraud accounts for losses of approximately five percent of annual revenues, or $652 billion in fraud losses.

This crime can be broken down into three categories: asset misappropriation, corruption, and fraudulent statement. Examples of asset misappropriation include fraudulent invoicing, payroll fraud, and skimming revenue. Corruption can involve bribery and conducting business laced with undisclosed conflicts of interest. Fraudulent statement covers booking fictitious sales and recording expenses in the wrong period (ACFE).

Fraud losses affect small businesses the most. For example, compared to the median loss of all businesses, small businesses suffer median losses of $190,000. Losses like these can devastate an unwitting company, and fraud can continue for 18 months before being detected (ACFE). Whenever possible, business should focus on reducing both the mean cost of a fraud incident and the time it takes to discover the fraud.

Out of all industries, fraud causes the highest median losses per scheme in wholesale trade, construction and manufacturing. Government and retail have the lowest losses per scheme (ACFE). These industries have a huge impact on the cost of finished product. Wholesale trade, construction and manufacturing all wrap up the costs in the final product. Of course the costs aren't recovered immediately. In construction and some manufacturing, the jobs are bid on and, regardless of losses, the project must be completed at or below the cost of the bid. However, later bids may be higher as a result, to gain back costs.

Believe it or not, the position of the person who commits fraud is directly related to the cost of the fraud. For example, the losses caused by owners or executives in a business are 13% higher than the losses caused by employees (ACFE). Managers may not be sticking product in their pockets and sneaking out the door. People in higher positions can be found falsifying travel reports, creating false accounts, diverting payment and committing other crimes. Some of this is evident as we continue to prosecute chief officers involved in huge schemes.

Fraud is difficult to detect, and many schemes can continue for long periods of time before they are detected. Detection can be accidental, or the result of a tip, an audit (internal, external or surprise), a hotline, or a referral from law enforcement. Focus and discipline could be perceived as the best means to detect fraud. Paying attention to patterns, verifying paperwork and checking records is time-consuming, but must be performed.

The most successful but less used method to detect fraud involves the input of employees. Training employees on fraud and awareness cuts down on the time span of a fraud as well as the overall cost. Training increases morale in many ways and creates a team-like atmosphere. Business can gain from the proper training. Employees are a great resource in fraud prevention. There has been great success with using hotlines and anonymous reporting to detect and deter fraud (ACFE).

Information technology (IT) and lessons from business intelligence (BI) can be applied to detecting and preventing fraud. We have already mentioned that employee and hotline tips are most effective but business doesn't take advantage of this. Computer links could be set up on corporate sites to allow employees to report fraud. Some methods could include survey, direct question and answer, or just a space for reporting.

The audit, hotlines and tips are effective after or during the commission of the lengthy fraud period. These are all reactionary events. What about being proactive? Many companies have the capability to automate almost everything. Time sheets, accounting, billing, production and supply chain records are often on a server. Most require supervisor approval or at the very least have the capability of real time monitoring. This information can be integrated into a company version of a data warehouse and be manipulated according to the input rules. Specific habits of employees can be pulled to look for and address financial inconsistencies.

As mentioned earlier, businesses have employed access control measures such as card scanners, code readers and biometrics. They leave a trail of employee activity and regardless of position all are required to enter information to gain entry. Computer keyboard activity can be limited by password protection and all media should go through the security department before introduction or removal. All of this leaves a data trail that can be put into a data warehouse. Besides employee protection and assistance roles, this data can be mined to see patterns and recognize traits of potential perpetrators.
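The badge rules described earlier (warehouse staff limited to warehouse doors, janitorial cards valid only during work hours) and the data trail they leave can be combined in one check. This is an added example, not from the original article; the role names, door names, hours, badge IDs and review threshold are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, time

# Assumed policy: role -> door -> (allowed weekdays, open, close). Monday is 0.
WEEKDAYS = {0, 1, 2, 3, 4}
POLICY = {
    "warehouse": {"warehouse_door": (WEEKDAYS | {5}, time(6, 0), time(22, 0))},
    "janitorial": {
        "warehouse_door": (WEEKDAYS, time(8, 0), time(17, 0)),
        "supply_dept": (WEEKDAYS, time(8, 0), time(17, 0)),
    },
}


def check_access(role, door, when):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    rule = POLICY.get(role, {}).get(door)
    if rule is None:
        return False, "no grant for door"
    days, start, end = rule
    if when.weekday() not in days:
        return False, "outside permitted days"
    if not (start <= when.time() < end):
        return False, "outside permitted hours"
    return True, "ok"


# Constructed badge-reader trail: (timestamp, badge id, role, door).
TRAIL = [
    ("2007-02-12 09:15", "B100", "warehouse", "warehouse_door"),
    ("2007-02-12 09:20", "B100", "warehouse", "supply_dept"),
    ("2007-02-12 10:00", "B200", "janitorial", "supply_dept"),
    ("2007-02-12 23:40", "B200", "janitorial", "supply_dept"),
    ("2007-02-13 23:55", "B200", "janitorial", "supply_dept"),
    ("2007-02-17 11:00", "B200", "janitorial", "warehouse_door"),
]


def review_trail(trail, threshold=2):
    """Evaluate every swipe; return (decisions, badges with >= threshold denials)."""
    decisions, denials = [], Counter()
    for stamp, badge, role, door in trail:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        allowed, reason = check_access(role, door, when)
        decisions.append((stamp, badge, door, allowed, reason))
        if not allowed:
            denials[badge] += 1
    flagged = sorted(b for b, n in denials.items() if n >= threshold)
    return decisions, flagged


if __name__ == "__main__":
    decisions, flagged = review_trail(TRAIL)
    for row in decisions:
        print(row)
    print("badges to review:", flagged)
```

A single denial is usually a mistake at the wrong door; the repeated after-hours attempts by one badge are the pattern worth a closer look.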

Finally, computer attacks are a huge risk to all businesses. The threat of hackers, malicious viruses, and those who hijack websites and hold financial transactions for ransom are just a few serious events of which the security manager must be aware. Data can be destroyed, reputations can be ruined, and lives can be stolen. These attacks can cripple an enterprise, and recovery could take months or years. Businesses need to have IT tools to detect and combat this type of threat as soon as possible. Identity protection and other computer-related incidents require the same type of protection afforded to an employee as in the section about employee workplace violence.

Worms and viruses are quickly destroying years of input. These threats appear innocently enough in the beginning and, when the right time comes, they activate. They recreate themselves and spread throughout networks and stand-alone systems. Hackers continually knock at the internet portal trying to learn passwords and the innermost secrets to exploit for espionage, theft or horrible fun. Hijackers enter a system and threaten to cripple financial transactions until payment is made; extortion in high-tech form.

Unprotected systems perpetuate all the above threats. Businesses that get involved, either innocently as naive contributors or as hapless victims, suffer greatly in finances and productivity. There is another cost that could take longer to recover from. This is the loss of their valuable reputations with their customers. A technically illiterate or unprotected business has no excuse when dealing with customers or partners. Embarrassing things happen when a virus or cyber trail leads to a witless company. Industry cannot take the risk.

There are many existing security methods available to help companies take the offense against such attacks. As in the above examples, this effort takes the coordination, input and involvement of all business units and departments in the organization. This cannot be given to the security department alone to handle; however, such actions should be accountable to one department.

There are new positions called Chief Security Officer (CSO) and Chief Information Officer (CIO). The hot new topic for these positions is convergence. Convergence is the alignment of physical and information security under the same department. According to CSO Magazine, this should be run by one point of contact, the CSO. This can align physical security, information security, compliance and privacy under one function. This enables the security executive to address the Insurance Portability and Accountability Act and Sarbanes-Oxley with focus and intent (CSO Online).

Other aggressive measures that can be taken are password protection, rules on internet use, firewalls and internet access blocking. These can be regulated with the convergence concept. Software already exists to help generate and protect passwords on network and stand-alone systems. These help ensure not only that authorized users are accessing the systems, but they also provide a basis for auditing systems. This is vital to protect a company from the threat of social engineering. Information technology can track who used which system to access which information. The user leaves an automated electronic trail.

Companies need a firewall to protect information from both leaving and entering the enterprise system. These firewalls help prevent hacking, hijacking and malicious viruses. The firewall needs to be updated regularly. Most importantly, the CSO or CIO should be checking and running analysis identifying the threat. This analysis of threat and defenses can be conducted the same way as military strategy.

This identification should track where the threat is coming from, how often the defenses are probed, what the threat is using to probe the defenses, and at what times of day the threats are strongest. For operations security, the chief should look at what makes their business so tempting to the threat.
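The four questions above (where from, how often, with what, and at what time of day) map onto simple counts over firewall deny logs. The following is an added example, not from the original article; the log format is an assumed one and the entries and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed deny-log lines in an assumed format:
# <ISO timestamp> DENY <proto> <src ip>:<src port> -> <dst ip>:<dst port>
SAMPLE_LOG = """\
2007-02-12T02:14:07 DENY TCP 203.0.113.5:40122 -> 192.0.2.10:22
2007-02-12T02:14:09 DENY TCP 203.0.113.5:40123 -> 192.0.2.10:22
2007-02-12T02:47:31 DENY TCP 203.0.113.5:40310 -> 192.0.2.10:23
2007-02-12T03:05:12 DENY UDP 198.51.100.77:5353 -> 192.0.2.10:1434
2007-02-12T14:30:00 DENY TCP 198.51.100.77:51000 -> 192.0.2.11:445
2007-02-13T02:01:44 DENY TCP 203.0.113.5:41777 -> 192.0.2.10:22
corrupted line without the expected fields
"""

LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2} DENY "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


def summarize_probes(log_text, top=3):
    """Count denied connections by source, targeted service and hour of day."""
    by_source, by_service, by_hour = Counter(), Counter(), Counter()
    skipped = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            skipped += 1  # keep a count so parsing gaps stay visible
            continue
        by_source[m["src"]] += 1                        # where from, how often
        by_service[f'{m["proto"]}/{m["dport"]}'] += 1   # what is being probed
        by_hour[int(m["hour"])] += 1                    # when
    return {
        "sources": by_source.most_common(top),
        "services": by_service.most_common(top),
        "hours": by_hour.most_common(top),
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in summarize_probes(SAMPLE_LOG).items():
        print(key, value)
```

In the constructed sample, one source accounts for most denials, it concentrates on a single service, and the activity clusters in the early-morning hours when staffing is typically lowest.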

When chief information or security officers analyze their own operation, they should be trying to identify strengths and weaknesses that the adversary is trying to exploit. When is the IT asset most vulnerable? Are our passwords easy to break? How much intrusion would it take to stop our operations? These are just a few questions that must be analyzed along with external threat analysis.

Internet discipline is also vital. An enemy doesn't have to break down your defenses to wreak havoc. Just like old vampire lore, all you have to do is invite them in. When employees visit unauthorized websites, download unauthorized software, transfer data from a home computer or forward corrupted email, they can cause just as much harm. Blocking websites, allowing only IT personnel to upload software, and screening all mobile media or preventing all media such as CDs and other portable storage devices is crucial to protecting the enterprise.

As mentioned in other paragraphs, protecting your company with security in depth will solve many problems. This security in depth includes previously mentioned biometric or card reader access devices, alarms and CCTV cameras. These are available IT devices that are popular and effective at monitoring employee movement and activity. The chief can also store vital risk assessment detail in a data warehouse to better analyze events and proactively mitigate risks before damage occurs.

As mentioned throughout this paper, somebody needs to take charge of organizing a task force of multiple business units to protect the company. Traditional methods of segmenting units and having them work in a vacuum do not produce effective results. When the IT department handles all internet activity, human resources executes the laying off of offenders, the finance department handles all payroll discrepancies and accounting performs all audits, the result is a broken chain of incomplete activity.

The willing participation and information sharing is better handled in the form of a committee. Each respective department can do their day to day activities, but results can be presented to the entire group to help detect and determine any one of the threats addressed in this paper.

We began with the news reports of businesses needing to protect their personnel and assets. We showed examples from the headlines of people coming to places of business to conduct senseless acts of terrorism and violence, and the need for having a corporate culture or environment to address the different types of threats. This culture involves quickly evolving the role of security to become the protector of personnel, facilities and product. This evolution will enable them to use IT as a tool to help detect and deter risks to the enterprise.

Having said that, we can conclude that security professionals need to continue to make it a point to study their craft and learn ways to counter evolving threats. Business intelligence methods need to keep up with technology to analyze and prevent the internal and external influences that can ruin the enterprise. The threats corporations face include theft, vandalism, workplace violence, fraud, and computer attacks. We have reviewed the roles of security in converging traditional physical protection with the capabilities of IT systems. IT can provide a great tool to the enterprise: through a system of identification, analysis, risk assessment, operations security and prevention, astute managers can mitigate risks.

Works Cited:

ACFE. 2006 ACFE Report To The Nation On Occupational Fraud & Abuse, Association of Certified Fraud Examiners, Austin, TX, 2006

American Society of Industrial Security, Workplace Violence Prevention and Response, ASIS International, 2005

Detis. Violence in the workplace, 1993-1999. NCJ 190076. December 2001

Berinato, Scott; Carr, Kathleen; Datz, Todd; Kaplan, Simone and Scalet, Sarah. CSO Fundamentals: ABCs of Physical and IT Security Convergence. CSO Magazine.

Cummings, Maeve; Haag, Stephen; Phillips, Amy, Management Information Systems for the Information Age. McGraw-Hill. New York, NY 2007

Jeffrey W. Bennett is a corporate security officer and holds the Industrial Security Professional (ISP) certification. Jeff is also the founder of LayMentor Ministries. This organization teaches volunteers how to lead with concepts similar to those taught in most MBA programs. Additionally, Jeff writes and teaches on the ISP certification.

Jeff is also the author of the adventure novel Under the Lontar Palm, available in major and online bookstores.