Learning from Industry Leaders
When the ASIS International 54th Annual Seminar and Exhibits kicks off at the Georgia World Congress Center in downtown Atlanta on September 15, the doors will open to a record number of educational opportunities. The event will offer more than 175 sessions for security practitioners of all levels; sessions have been peer-reviewed and selected from a field of entries in a highly competitive submission process. Eighteen sessions will be offered in Spanish; an additional nine sessions will be simultaneously translated from English into Spanish.
There will also be special educational programs on the weekend prior to the seminar. To exemplify the caliber of learning that will be offered, this article provides a sneak peek at several of the offerings.
Several years ago, a large pharmaceutical company made a new hire. It wasn’t until this year—and after promoting this individual to a management position—that the employee was discovered to be a mole for the anti-animal-experimentation movement.
The employee was considered a vociferous leader of the movement and had headed large-scale demonstrations. The Internet was replete with photographs and stories of these efforts, which, to its chagrin, the company realized it would have discovered before hiring the individual if it had bothered to look.
Even companies that contract out employee background checks and other investigations are ignoring the rich mine of information publicly available on the Internet, says Edward Appel, chief executive officer of iNamecheck, LLC, who will be leading a session on mastering Internet searching and analysis for investigation and security on Tuesday, September 16, from 11 a.m. to 12 p.m.
“Last year, at the Seminar and Exhibits, I went around the floor of the exhibit hall and talked to representatives of the vendor companies that do investigations, and not one said that they do a comprehensive Internet search as part of an investigation,” he says.
“More than 80 percent of Americans use the Internet, and the younger they are, the more likely it is that they use it; the more affluent and better educated, then the more likely they use it,” Appel states. “Some people believe that the Internet is a totally anonymous place. Of course, it’s not.”
Among the tracks that users leave behind, some show evidence of activities that, while legal, betray questionable judgment and socially unacceptable behavior—for example, a job applicant posting photos of himself drunk or engaged in sexual acts. There can also be information about illegal activities, as in one case Appel’s company investigated, where a soldier with technical training was manufacturing electronic boxes that allow televisions to receive pay-for-view television channels for free. “So, here’s a guy using his U.S. military technical training to undertake an organized criminal activity,” he says.
Despite the availability of this type of evidence, notes Appel, “The problem with people who commit crimes online is that very few of them are ever caught [and, therefore,] a company can’t eliminate them based on their arrest record, because they haven’t been arrested.”
What often passes for a comprehensive Internet search during the employment screening process, says Appel, is a quick look on MySpace and Facebook by a human resource employee. “They don’t have policies and procedures for the checking they’re doing,” he states. Worse, employers fail to inform applicants that the Internet is included in the company’s background investigation and fail to request consent.
“A very large percentage of people today lie on their résumés and applications about their past employment, Social Security numbers, their education, and their criminal record, and that’s dangerous for the employer and workers, and it raises all sorts of liability questions. The employer is expected under law in most states to maintain a safe workplace,” he says.
The data available online can go a long way to help a company verify that what an applicant says is true. As an example, Appel says that his company was asked by a Fortune 100 pharmaceutical firm to investigate one of its heads of research after hearing unsettling rumors. This individual was a full medical doctor and had a background in research that appeared formidable on paper.
“I asked who had done the background investigation on him, and they said it was a major investigative firm—one of the top three or four such firms in the United States and that they had done a full background check before he had been hired,” Appel states. Using an Internet software tool that queries more than 200 search engines and databases, Appel quickly discovered that the individual in question had been debarred from U.S. government research three times for scientific misconduct to which he had admitted.
“He had published charts that were completely false and had published other people’s writing as his own. The company never would have hired him if they had known that up front,” he says.
Nor might the employer have known if the Internet investigation had been restricted to the four major search engines: Google, Ask, Livesearch, and Yahoo. “On a good day you might get about 40 percent of what has been on the Internet in the last 30 days,” says Appel. “That includes searching all variants of names.”
While the software that iNamecheck uses is proprietary, there are some publicly available search tools that will help. One software tool that Appel uses is Copernic, by Montreal, Quebec-based Copernic, Inc. “For a fairly small amount of money they provide a desktop search engine,” he says, then adds a caution, “But people should not have the illusion that if they use Google and Copernic that they have done a comprehensive search.”
A researcher must constantly study what types of information are newly placed on the Internet and what kinds of search engines are coming online around the world. The U.S. Library of Congress Web site’s (www.loc.gov) Portals to the World section can help. It includes a list of nations and their respective search engines.
Appel’s recommendation to companies is first to decide whether information from the Internet is going to play into hiring. “If it’s not, then the people down in human resources need to be told to not Google the candidates,” he says.
If Internet information will factor in, companies should develop a systematic comprehensive search and a policy with set limits. “Companies need to decide what they want to know and why they want to know it,” he says. It cannot be left up to the personal morals or beliefs of individuals to decide whether a candidate should be excluded from consideration based on the results of an Internet search.
Companies also need to revise existing policies and procedures to take the Internet into consideration. For example, “People need to be asked on application forms ‘have you ever been in trouble using an info system and if so, what happened?’” he states.
Additionally, applicants need to be asked to disclose their virtual identities, and consent forms need to be revised to include permission for an Internet search.
Next, says Appel, companies need to set policies and procedures for validating the information they retrieve. A roommate or family member, for instance, can use e-mail accounts and other logons without an applicant’s knowledge. There are also myriad Internet users who have the same or closely matching names.
“With more than a billion users and 600 to 700 million individual IP addresses, there will be many nonidentical matches. So there has to be a professional decision as to whether or not information is attributable and whether or not it has any bearing on the employment. The adjudication policy has to be fair,” he advises.
In the last few years, concludes Appel, “Sociologically, we have changed the way we use the Internet, and companies have not adapted very well to that fact.” But conducting background and other security-related checks based on good policies and procedures can reduce liability, cost, and effort.
As part of the special programming on the weekend before the opening of the Seminar and Exhibits, the ASIS Critical Infrastructure Working Group (CIWG) is sponsoring an educational forum directly relating to the nation’s 18 critical infrastructures and key resources as identified by the U.S. Department of Homeland Security (DHS). The event will feature noted critical infrastructure and disaster preparedness experts and will include an all sector, tabletop exercise.
The forum, which will take place Sunday, September 14, will feature Mary Landry, director of governmental and public affairs, U.S. Coast Guard, discussing pandemic influenza preparation; WSB-TV investigative reporter Mark Winnie exploring crisis communications from the media’s perspective; Steve King, deputy director of the Sector Specific Agency, Executive Management Office, DHS, addressing sector specific agency planning for critical infrastructure and key resources; Paula Scalingi, Ph.D., president of the Scalingi Group, vice-chair of the Infrastructure Security Partnership, and director of the Pacific Northwest Center for Regional Resilience, speaking on developing bio-event resilient infrastructures; and Donald Kauerauf, deputy to the chair of the Illinois Terrorism Taskforce, exploring the coordination of resources during a crisis. (Additional speakers will be confirmed closer to the event date.)
A four-hour tabletop exercise will be conducted by a professional team from Michigan State University (MSU). Brit Weber, MSU program director of the Critical Incident Protocol Community Facilitation Program, will lead the forum, assisted by other subject matter experts from the fields of crisis management, exercising, business continuity, disaster recovery, and homeland security.
The simulated crisis scenario will target the 18 critical infrastructure sectors—food and agriculture, water, public health and healthcare, emergency services, defense industry, communications, energy, transportation systems, banking and finance, chemical, postal and shipping, information technology, national monuments and icons, nuclear, dams, government facilities, commercial facilities—and recently added critical manufacturing—in addition to law enforcement, fire service, and media.
Participants in the exercise will be divided by sector or group discipline. The 18 critical infrastructure sectors will be split into nine groups, which will facilitate more interaction by participants during the exercise. Additionally, there will be three other groups representing police, fire, and media.
The simulated crisis will cover a large geographic area that will affect the 18 critical infrastructure sectors in differing degrees of intensity, but it will not impact the area enough to make it completely uninhabitable. The scenario will be developed by MSU under the guidance of a small subcommittee within the Critical Infrastructure Working Group.
Facilitation will be done using PowerPoint. The participants will sit in one of the assigned 12 groups, and the exercise will consist of four segments, starting with the basic scenario and escalating through two segments that concern the response actions, and then concluding with a segment addressing the recovery activities and wrap-up.
After the facilitator has completed segment one, the groups will be directed to answer certain questions and record their key points on flipcharts. Additionally, the groups will be directed to select a spokesperson. They will be given a period of 25 to 30 minutes for discussion. The facilitator will then have the groups report their key actions to the total group.
Business Continuity Planning
A related Tuesday session, sponsored by the ASIS Council on Utilities Security, will explore and attempt to demystify business continuity planning (BCP) for utilities, critical infrastructures, and other organizations. BCP is an ongoing process supported by senior management and funded to ensure that the impact of potential losses is identified, viable recovery strategies and plans are maintained, and continuity of operations is ensured through personnel training, plan testing, and maintenance.
“Security has a role in emergency response planning, disaster recovery planning, and in continuity planning,” says session speaker Robert Hulshouser, CPP, manager of corporate security services for the Las Vegas Valley Water District and Southern Nevada Water Authority. “Depending on what the event is, it could be a major role or a supporting role, but security is everywhere. It should be part of any BCP initiative that security be involved.”
As part of his presentation, which will take place on Tuesday from 11 a.m. to 12 p.m., Hulshouser will advise attendees that the ASIS Continuity Planning Guideline is an excellent resource to use throughout the BCP process. Released in 2005, the guideline addresses a series of interrelated processes and activities, including readiness, prevention, response, recovery/resumption, testing and training, and evaluation and maintenance, that will assist in creating, assessing, and sustaining a comprehensive plan for use in the event of a crisis that threatens the viability and continuity of an organization.
Hulshouser stresses—as does the guideline—an all-hazards approach to BCP. “Any number of events or incidents can occur that may affect an organization’s ability to continue its essential operations or business functions,” he explains. “Natural disasters such as tornados, hurricanes, earthquakes, and major storms can be devastating to entire communities and regions, including their businesses and public services. Of course, human-caused events such as acts of terrorism and hazmat-related incidents can similarly impact communities and organizations. Although the threat of terrorism has demanded a great deal of our attention in recent years, BCP must include an all-hazards methodology if it is to be effective.”
“After 9-11, we thought about terrorism a lot, but there are all sorts of things that can happen. Accidents happen, and if they are not detected in time, they can lead to bigger accidents, such as in the case of a chemical spill. In the utilities industry, we often say that the biggest threat isn’t the terrorist but the person who’s digging in a place he shouldn’t be. And storms can have far more of an impact than terrorism,” Hulshouser states.
Among the steps that the ASIS Continuity Planning Guideline proposes are assigning accountability; performing a risk assessment and a business impact analysis; agreeing on strategic plans; developing a crisis management and response team; compelling compliance with corporate policy; exploring mitigation strategies; and developing avoidance, deterrence, and detection strategies.
“In the utilities industry, I think that we are really good at planning for, and responding to, emergencies, disasters, and other contingencies. BCP is the overall planning umbrella that enables our businesses to continue effective operations and to survive beyond emergency response,” says Hulshouser.
Until this decade, says Neville Cramer, president of Immigration Enforcement Solutions, LLC, the majority of illegal immigrants in the United States were from Mexico or South America, and they gravitated toward jobs in agriculture, landscaping, construction, and service industries such as hotels, restaurants, and carwashes. Now, however, other nationalities have also moved into certain business sectors. As an example, “West Africans are now heavily involved in the security guard industry and building maintenance. This is where the risk increases significantly, because a security guard who’s given unfettered access to a building that contains significant amounts of proprietary materials and personnel information that can be used to create false identities is quite different from a migrant worker picking tomatoes,” he states. “In many cases these people are very well educated and they are, in some instances, into some very sophisticated types of crime.”
Many of these illegals, 40 percent of whom enter the United States legally as tourists or as students, are trained overseas to conduct crimes here, says Cramer. “This group has nothing to fear because their only real punishment is deportation and that just means going back home… They have no fear of our justice system.”
Cramer’s presentation, titled “Security and Illegal Aliens in the Work Force,” will take place on Monday from 11 a.m. until 12 p.m. He says that the session is targeted toward professionals in human resources, facilities management, background investigations, data security, and anyone who deals with the hiring of personnel. “This is about who you hire, how you’re doing the hiring, and the vulnerabilities that we are now facing because of the estimated 15 to 20 million illegal immigrants in the country.”
The 1986 Immigration Reform and Control Act required that, when hired for a new job, employees prove that they are legally entitled to work in the United States. Employers are required to verify the identity and eligibility to work for all new employees.
An employment eligibility verification form (I-9) must be completed and kept on file by the employer. In addition, employees must present original documents, not photocopies. The only exception is that an employee may present a certified copy of a birth certificate. On the form, the employer must verify the employment eligibility and identity documents presented by the employee and record the document information on the I-9 form.
The problem, says Cramer, is that counterfeit documents are everywhere, and there is no mandatory system that employers use to verify the documents they are given. “We have allowed the I-9 to be a paper tiger,” he states.
Cramer is frustrated by the refusal of some companies to use the Web-based E-Verify system, part of a voluntary program run by the U.S. Department of Homeland Security in partnership with the U.S. Social Security Administration to help certify that employees who have been hired by companies are not in the country illegally.
“It is very fast; the response is in a matter of minutes,” he says. “It verifies the name, date of birth, and Social Security number.” If any of these items do not verify, there is a secondary verification process to discover whether there is an error in the data and make corrections.
E-Verify is free and only requires that a company register and sign a memorandum of agreement. Although thousands of employers have registered, Cramer says, “Most employers say that until the government mandates using E-Verify, they won’t use it because of unfair competition. They claim that if they use it while other competitors don’t, then they will lose money.”
What that translates to, according to Cramer, “is if a company doesn’t use e-verification, then it can hire whomever it wants—probably knowing they are illegals, but choosing not to verify the employee’s documents.”
Arizona is currently the only U.S. state that mandates E-Verify use. Cramer says that another 47 state legislatures are looking at passing similar laws. Illinois, however, has signed a law that forbids employers from using the service.
Cramer, who in 1986 developed SAVE, the original verification system at U.S. Immigration and Naturalization Service that was the ancestor of E-Verify, says that during his session, “I’ll try to tell security professionals what they need to know about the issue so that they can subsequently take it to their executives to show them what their vulnerabilities are.”
For additional information or to register for the ASIS International 54th Annual Seminar and Exhibits, visit www.asisonline.org or telephone ASIS Member Services at 703/519-6200.
Ann Longmore-Etheridge is associate editor of Security Management.