Do the Hard Work: How to Improve Your Security Posture
Dr. Jennifer Hesterman, Colonel, US Air Force (retired) is a security consultant to ABS Group. She is a counterterrorism and target hardening expert. With more than 36 years of experience in national and homeland security, Dr. Hesterman helps public locations and events identify and lessen their vulnerability to violent attack. She authored “Soft Target Hardening: Protecting People from Attack,” the ASIS Security Industry Book of the Year for 2019.
Securing a public facility or event can seem overwhelming in the current threat environment. Detecting and deterring an active shooter, a malicious insider, or a cyberattack is a daunting but achievable goal.
Target hardening, also referred to simply as hardening, refers to strengthening security of a building, worksite, or event to better protect it and its occupants from a terrorist or violent criminal attack. More specifically, the goal of hardening activities is to deter would-be bad actors from attacking and diminish their potential for success if they do.
Go Back to the Basics
When evaluating soft target locations, the first questions are not about cameras, locks, and badges (tactical level issues), but rather they are strategic in nature: “When did you last complete a threat, vulnerability, and risk assessment?” Many schools and places of worship do not know about these tools or how to use them. Many other public facilities and small businesses only perform risk assessments. Risk = Vulnerability x Threat, so all elements in the equation require attention.
Understand the Threat. When conducting a threat assessment, it is suggested that you start by identifying adversaries, their intent, and capability, then review tactics from past attacks at similar locations to estimate the threat to the organization. Thanks to the Internet, anyone can access this information. Some of the best information on foreign terrorist organizations is provided by the National Counterterrorism Center. The FBI’s terrorism page contains updated information on international and domestic threats. DHS’ National Terrorism Advisory System communicates timely information about terrorist threats. Every state has an Office of Homeland Security and Preparedness with a corresponding website. For information on threats to critical infrastructure, you can subscribe to InfoGram, a product from the Federal Emergency Management Agency (FEMA), an agency of the Department of Homeland Security (DHS). Another valuable resource is InfraGard, a partnership between the FBI and the private sector. Membership includes business executives, academia, and those who work in one of the 16 critical infrastructure sectors. The threat environment is constantly evolving with each plot and attack, so it’s necessary to stay engaged.
Assess Vulnerability. Understanding the threat is important, but the ability to deter attack is amplified by understanding vulnerability. Vulnerability can be considered as the psychological, sociological, or physical characteristics that leave an asset unprotected or exploitable for attack. Typically, the emphasis is on physical security vulnerabilities, but the human factor can make or break our security efforts. Thinking “it will never happen here” or “it will never happen to me” can add to vulnerability. Other emotional traps include inevitability (“If it is going to happen, there is nothing I can do about it anyway”), complacency, and denial. Security leaders should get more engaged to fight these traps and build a more resilient culture through continuous education and campaigns.
Whether or not a security consultant is involved, it is advisable that the responsible manager perform a vulnerability assessment (VA), preferably with the staff. This fosters communication around security topics and brings all points of view to the table. The most thorough assessments are those that analyze both quantitative (data) and qualitative (descriptions) factors. Another approach you might consider is the CARVER methodology, which is used extensively by the government and private sector.
Calculate Risk. It’s finally time to tackle the risk assessment. This is the process of identifying the likelihood of an event arising from threats and vulnerabilities, and analyzing the impact if the event occurs. Before you jump in and start scoring and racking/stacking risks, consider reading Risk Analysis and Security Countermeasure Selection and using a color-coded risk assessment matrix. As part of your risk assessment, you can also conduct a business impact analysis (BIA) to determine the potential impacts of an interruption to time-sensitive or critical business processes. Some questions you might want to ask: How well do our current security solutions mitigate identified risks? What other risks do our security solutions cause (ripple effect)? What costs and tradeoffs do our security solutions impose or create?
Use Layered Defense
All organizations should protect 3 things: people, assets, and data. But remember the old adage: If everything is important, nothing is important. Which resources are essential to your operation and require the highest protection?
Identify Your Critical Assets. Examples include your cyber infrastructure; restricted areas; specialized tools and equipment; personally identifiable data and sensitive or nonpublic information; intellectual property; the leadership or those who may be targeted for their unique knowledge or access; supplies like keys, uniforms, badges, badge-making equipment, weapons, ammunition, fuel, hazardous material, and vehicles. Consider the impact of their loss to operations. Do contractors or suppliers have responsibility for your critical assets, and what safeguards do you have in place for their protection?
Identify the Primary Target. Pose this question: “If a bad actor can get to ___, they would inflict the most severe damage to our operation.” Focus first on protecting this asset. Put it at the center of a “bullseye” and put layers of security around it. View these rings as tripwires to detect the bad actor and obstacles to deter and delay their approach.
Layered defense is a tactic the military uses to protect its most important assets. As the Vice Commander at Andrews Air Force Base, I had multiple targets to protect - but none as important as Air Force One and the President when on the installation. Security moved out beyond the flightline in concentric rings, to the buildings, the roads, the base fence, and beyond.
When protecting a physical asset, consider locked cabinets and safes, locked interior doors, electronic badging, and biometrics. Limit the number of entrances to the building and the number of keys for after-hours entry. But don’t forget: security doesn’t start at the front door! Secure the parking structure and lots, as well as the land around the building. Studies show human security far outweighs cameras as a deterrent. Remember: bad actors will generally seek the path of least resistance.
Establish a relationship with the businesses around your worksite. As an example, establishing communications with the managers of the hotels, fast food franchises, and gas stations surrounding Andrews Air Force Base paid dividends several times and helped avert challenges to base security. These relationships served as force multipliers and provided a critical overwatch: eyes and ears “outside the wire.” If someone is conducting surveillance or discussing a plot targeting your facility, their help may provide early, or sometimes the only, warning.
The outermost layer is the Internet. Who is talking about your organization or event and ideating about an attack? This includes disgruntled customers or employees. There are now applications that instantly scan social media for keywords. A large mall in the Midwest used this technology, which allowed its security team to detect and thwart a flash mob event which would have likely resulted in property damage or injuries.
After completing the security assessments and establishing layered defense, it’s time to evaluate the tactical-level security activities. Next, we’ll discuss three simple, low cost/high impact security measures.