Session Coverage From The 60th Annual ASIS International Seminar and Exhibits
Educational Sessions for Every Area of Security
During the educational sessions at the ASIS International 60th Annual Seminar and Exhibits, security concerns at the top of every attendee's list were discussed by both ASIS and (ISC)², which collocated its Annual Security Conference with the Seminar and Exhibits. All registered attendees could attend both ASIS and (ISC)² sessions with no additional fee.
All sessions were grouped into tracks and given an experience level that best matched the session content. The approximately 220 ASIS sessions were organized into fifteen tracks, most aligning with the topics covered by ASIS councils, such as information security, investigations, and physical security. Others addressed topics of interest to security sectors such as homeland security, government/military, and system integrators.
The (ISC)² Security Congress complement of 77 sessions added another nine educational tracks of specific interest to IT security managers. The topics related to specific business sectors such as healthcare security, various business applications such as cloud security and digital forensics, and IT concerns such as malware and governance, compliance, and regulations.
Here is a sampling of the many informative sessions held in Atlanta.
By conducting effective interviews that probe deeply into the candidate's job and personal history, professionals in charge of hiring can save their companies the burden of dealing with an unlawful or poorly performing employee later on. That was the topic of the Monday educational session "Are You Really the Person I Hired?" which was sponsored by the ASIS Information Asset Protection and Preemployment Screening Council.
Angela Nino, an investigator at Wicklander-Zulawski & Associates, is an experienced interviewer and often instructs on the topic of preemployment screening. She presented attendees with helpful tools and techniques that will aid employers in getting the truth about a candidate's history, even information that is not on their application. "Applicants will disclose information if they believe that you're going to find out anyway," she noted. "If they don't tell me now what I might find later, they're not going to have the opportunity to explain that." Behavioral clues, such as nervous tics when an uncomfortable question is raised, are a good indicator that further questioning on a topic is needed, she said. For example, when asking a candidate about recreational drug use, if the person fidgets or gives a verbal response before it is their turn to speak, that could be a sign that they have more to reveal about their behavior.
Rationalizing the behavior in question also helps a job applicant to open up, such as using the phrase "no one is perfect" before asking about their criminal history. "If we rationalize as we go into a question, it helps them feel better when they answer that question," she said.
Nino also suggested asking open-ended questions that start with words like when, where, why, and how, which will evoke a more lengthy response from the applicant. Letting them do most of the talking is key, Nino noted.
Nino reassured participants that if they follow this effective interview process, the best candidates will rise above the others. "If you're looking for reasons to like them even though these other bad things exist, don't hire them. Good people will qualify themselves."
In the education session "Conducting Threat, Risk, and CPTED Assessments in the 21st Century," speakers outlined the key steps in making a threat risk assessment, as well as some of the physical security concepts of Crime Prevention Through Environmental Design.
Inge Sebyan Black, CFE, senior national account manager, Stanley Convergent Security Solutions, said that she breaks down a threat risk assessment at its most basic level to three questions: "What can hurt me?", "How bad can it hurt?", and "What can I do about it?" "It sounds very simple, but that can also be really involved," she said.
Then, when conducting an actual assessment, five steps should be followed: identify all assets, locate weaknesses, identify vulnerabilities, gauge the likelihood or probability of the threats, and sketch out the potential impact of the threat. Different potential threats can also be classified as minor, moderate, or severe.
Other speakers included Lawrence Fennelly, president of Litigation Consultants, Inc; and Marianna Perry, CPP, training and development manager, Securitas Security Services USA, Inc. The session was sponsored by the ASIS Crime and Loss Prevention Council.
Corporate investigations can be a daunting task in today's global society, but developing valuable resources and contacts can make investigations more manageable, said Siti Subaidah Naidu in a joint presentation Monday afternoon.
Naidu, past president of the World Association of Detectives and founder of the ASIS International Malaysia Chapter, presented "International Corporate Investigations: Success Is Easier Than You Think" alongside Eugene Ferraro, CPP, PCI, chief ethics officer of Convercent, Inc.
The two focused their remarks on teaching attendees of the Seminar and Exhibits how to traverse legal minefields and the value of developing trusted resources outside of one's home country.
Naidu noted that private investigators are still relatively unknown in the corporate world in Asia. Few are employed. "Corporate investigation is still very, very new. It is very much a legal or financial institution kind of work, but the scope is great," Naidu explained.
Often, the work that corporate private investigators do is done by the finance department, which is responsible for ensuring that companies are performing due diligence. However, private investigators in the corporate world can "provide backup" for the federal authorities, who are often focused on criminal investigations instead of business ones.
Aiding in this backup role are relationships that private investigators can develop with resources in other countries.
Also, from a common sense approach, developing contacts in foreign countries that can act for you, especially in Asia, can help with the bottom line as investigators don't have to pay to send a colleague to the country to do research. "Your extended arm can do a lot for you," Naidu said, from interacting with clients in person, providing additional contacts within the country, or providing a reference of regulations applicable to that nation that differ from United States and European standards.
For instance, data privacy laws vary widely from the United States to Europe to Asia, and some types of information, such as tax refunds and criminal records, may be legal to obtain in some places but illegal in others. Having a resource that understands this and can help investigators move through the red tape can quickly become an invaluable tool during a high-stakes investigation.
Additionally, understanding what types of information are legally and ethically obtainable can also help investigators tailor their "shopping lists" of information they're looking for in various parts of the globe. This can also prevent corruption in the future if investigators are aware that types of information they acquire were obtained illegally by a resource.
The Affordable Care Act (ACA) does not target the security industry, but it will impact companies when they implement a cost-effective solution to the Employer Mandate on January 1. To illustrate how companies can maintain or achieve compliance with the ACA, Eddie Sorrells, CPP, PSP, presented "How the Patient Protection and Affordable Care Act Affects the Security Industry," on Monday morning.
Sorrells, COO and general counsel for DSI Security Services, is the author of the ASIS white paper on the Affordable Care Act. He brought a unique perspective to ACA compliance as he has a law degree and 24 years of experience in security. In his presentation, Sorrells addressed the most important challenges facing contract security companies as they work to maintain compliance with the ACA.
The ACA was signed into law in 2010 and many of its major reforms have already taken place, such as the Individual Mandate, or will take place in 2015. Sorrells highlighted some exemptions in his presentation, explaining that the Employer Mandate will not apply until 2016 to employers with at least 50 but fewer than 100 full-time employees if the employer provides an appropriate certification that is described in the ACA rules. These employers must also offer coverage to at least 70 percent of their employees in 2015 as one of the conditions for avoiding an assessable payment. This will then be upped to 95 percent in 2016, or employers will be subjected to fines.
One difficult aspect of becoming compliant with the law for contract security providers is that there can often be confusion about whether security officers are full-time employees and require a benefits package under the ACA.
Under the ACA, full-time employees are classified as employees who are reasonably expected to work 30 hours or more each week. Security officers, however, often have variable work schedules and can sometimes be regularly under or over that 30-hour mark.
In some instances, to avoid providing health insurance for security guards, companies will attempt to limit all guards to less than 30 hours per week. However, Sorrells said that companies should think carefully before adopting this policy as it could result in higher turnover rates and training costs, and has the potential to impact client relations if guards are limited in their work hours.
Some alternatives to this strategy that Sorrells offered are limiting the number of full-time officers, not offering compliant plans and paying the ACA penalties instead, dropping spousal coverage, offering security officers full-time health coverage regardless of their hours, or a combination of approaches.
Sorrells urged that companies need to work with their legal counsel, insurance providers, and accountants to find a solution that best meets their individual needs.
Attendees heard about recent changes in regulations that dictate maritime security operations during a Monday session with Laura Hains, CPP. About 90 percent of everything bought and consumed in the United States arrives in the country by vessel, so cargo and container security is more important than ever, said Hains, a security consultant and U.S. Customs and Border Patrol veteran.
There are three main standards that dictate security standards for ships: the Safety of Life at Sea (SOLAS), which were the first set of ship construction guidelines created in 1914; the International Maritime Organization (IMO), a United Nations special agency; and the International Ship and Port Security (ISPS) Code, which enhances security measures.
Each standard has been updated during the last century because of new threats and issues, Hains explained. SOLAS recently added additional guidelines focused on making vessels more environmentally friendly, and ISPS now requires training and equipment to use when recovering a person from the water – which happens on cruise ships more often than is believed, Hains noted. Regulations for lifeboat release equipment and communication between firefighters on board were also passed recently in response to disasters such as the Costa Concordia.
The Cruise Vessel Safety and Security Act (CVSSA) established requirements to ensure the safety of passengers and crew, including standards for documenting crimes, resources onboard for sexual assault victims, and railing height requirements. However, Hains said the CVSSA, which was passed in 2010, is not enforced because the training is not realistic.
"The Caribbean is where all American cruise ships go. The problem is these ports and the people don't have the proper training – and these are the people taking care of the safety of passengers," Hains explained. The CVSSA does not take this into account, she said, so the training is not realistic or useful.
Another security concern is how well containers are screened and scanned. The Security and Accountability for Every (SAFE) Port Act dictates that one hundred percent of cargo containers should be screened or scanned, but this is not effective, Hains said. The scanning process, which often involves tracking cargo on a computer system, was not meant to be a terrorism deterrent, Hains noted.
On Monday afternoon, in the session "Creating a Corporate Security Strategy Aligned with the Business Strategy," Malcolm Smith, CPP, group head of security and safety services for Nedbank, Ltd., explored the idea that security is both an operational and a strategic activity, and that strategy must be consistent with the business objectives of the organization.
Smith showed how a range of analytical models, including a resource analysis, a value-chain analysis, and an industry analysis, could be mapped out and then fed into an overarching strengths, weaknesses, opportunities, and threats (SWOT) analysis for a company. The findings in the SWOT analysis could help form an alignment model, so that a company's business strategy, security strategy, and operational plan can all be properly aligned. For example, if one objective of business strategy is to reduce costs and grow revenue, and the security strategy is to maintain security operational excellence, then an operational plan aligned with those objectives may be to use a value-based procurement system that saves money but does not compromise performance.
Conducting a workplace investigation can start at the human resources department, but it has the potential to end up in a court of law. The ubiquity of mobile devices makes the information subject to litigation seem practically boundless, with everything from text messages and e-mails to photos and videos being potentially discoverable.
Two experienced investigators presented a hands-on demonstration on Monday in the session "Hands-On Digital Forensics Investigations," showing attendees how to conduct a mobile forensics investigation at the organizational level to ensure that they can track down any mishandled, deleted, or stolen information. The session was sponsored by the ASIS Information Technology Security Council.
Andrew Neal, director of forensic technology and consulting at TransPerfect Legal Solutions, explained the various levels of mobile operating systems where data could potentially be stored, even when the user believes he has deleted that data: manual, logical, file system, and physical, which is where the most baseline phone information exists. "If you can't find it in a physical acquisition, you're not going to find it."
Third-party chat apps, like Snapchat and Google Plus, can also muddy the waters when it comes to collecting digital evidence, because that data is not stored on the device itself but rather in the cloud. Additionally, the theft of sensitive data can be easily hidden on a mobile device.
"A lot of the investigations we do at a corporate level deal with intellectual property theft, and cell phones make [crime] that much easier," said Daniel Andriulli, digital forensics manager at TransPerfect Legal Solutions. "There are many more avenues of committing these intellectual property thefts."
The presenters stressed that sometimes companies will need to employ higher-level investigative techniques and law enforcement to find the data they're looking for. "There are a lot of limitations with cell phones. We can't always pull everything, and the deleted data you're looking for may not be there," noted Andriulli. "And it depends on the phone, manufacturer, and model."
Several years ago, Michael Moberly had a conversation with a senior official in agricultural development from a developing country. Their discussion, though brief, has stuck with Moberly ever since as he has researched product piracy and intellectual property theft. "You have something I want and I'm going to get it," the man said to Moberly, referring to pirating agricultural GMOs. "But when I get it, I can mitigate hunger and starvation in my country and save millions."
Regardless of the motivations behind the act, the theft of intellectual property and product piracy continues to be a problem for numerous companies. Moberly explained this challenge in his presentation "Product Piracy: A Global Economic Risk" on Monday afternoon, saying corporate espionage is an "extraordinary issue" that's "not going away any time soon."
This is partly because the Internet has made it easier to steal tangible and intangible assets from companies than ever before. Also, intangible assets – such as intellectual capital, relationship capital, and structural capital (processes) – are becoming more valuable to companies, estimated to make up at least 80 percent of businesses' value. These values are not recorded on balance sheets or in financial statements, but if stolen can have a huge impact on the company's ability to compete in the marketplace.
Further hindering companies' ability to protect themselves from corporate espionage is the number of policymakers, company C-suites, and management teams who struggle to "get their arms and heads around" precisely why cybersecurity and economic espionage prevention initiatives are essential from the outset of any business initiative, Moberly explained. This, along with the prevalence of cyber-economic espionage, can produce substantial – if not debilitating – effects on a company's value and its sources of revenue, profitability, competitive advantages, growth potential, and overall economic sustainability.
Despite the prevalence of corporate espionage in society, some reports seem to dramatize the costs and losses attributed to cybercrime and economic espionage. Moberly said that he has read every major study on the topics in the past 25 years and has found that they are "somewhat competitive" in that they appear to broaden the ranges of dollar losses and adverse economic impacts.
One study he mentioned that backed his findings was released by the Center for Strategic and International Studies (CSIS) and McAfee in 2013. After the study was completed, CSIS Director for the Center for Technology and Public Policy Program Dr. James Lewis said he believed that "the upper limit of the costs-losses attributed to cyber-economic espionage might be somewhere under one percent" of the world's gross domestic product. However, this still could correlate to losses, specifically attributed to China, reaching as much as $140 billion annually or 580,000 jobs.
There is a lot of fiction that needs to be separated from fact when it comes to terrorists crossing into the United States from Mexico, said border security analyst Sylvia Longmire during a Monday afternoon session. Understanding what threats are real is important to keeping the country safe and using resources wisely. And although tales of extremist Muslims crossing the border from Mexico to the United States make good television, Longmire stressed that analyzing both sides of the story is crucial.
There are between 20,000 and 40,000 Muslims living in Mexico, but the presence of Hezbollah members in the region is unknown. However, thousands of Hezbollah sympathizers have been entering the United States for years, Longmire said, but typically just to raise money for the cause by selling knockoff goods.
"People don't know about them because they're not blowing stuff up, they're just making a lot of money," Longmire explained. "No operational members of Hezbollah have ever been arrested, just folks who have been coming here to raise money. If you've ever been to any major city and bought a fake purse or shoes or anything, there's a good chance that money is going to a terrorist group."
Longmire said it's hard to nail down the number of Muslims entering the United States via Mexico, but looking at Special Interest Alien (SIA) and Other Than Mexican (OTM) numbers – classifications for people caught crossing the border who aren't Mexican citizens – can show helpful trends. For example, the number of OTMs has been historically low, but last year there were more OTMs than Mexicans caught crossing into the United States.
SIAs are people from specially designated countries – often based in the Middle East – that might pose a security risk to the United States, Longmire explained. The immigration patterns of SIAs can give clues to what's going on in the region. Over the past two years, Somalis and Iraqis have been seeking asylum from the strife in their countries. This is typically given to them, but Longmire warned that extremists from the two countries may be sneaking into the United States with real refugees.
"Every now and then, you see a news report about a rancher where they find different artifacts along the border and it gets into the news cycle and they're like, 'Oh my god, I found this on the border, this is certain evidence that we've had terrorists crossing from Mexico into the United States!'" Longmire said.
She gave a number of examples of such "evidence," including photos of an English-to-Urdu dictionary, a crumpled prayer mat, and extremist military patches, which went viral and fueled speculation of an imminent threat. However, the dictionary was intended for an English speaker to learn Urdu, the prayer mat was actually a soccer jersey, and the patches were from a defunct anti-Islamist air brigade.
Longmire also debunked a story about Iranian extremists working with Los Zetas, a Mexican drug cartel, to assassinate the Saudi Arabian ambassador in Washington, D.C. She said the plot was thought up by two men and was never financed or approved by Iranian officials, and Los Zetas was never involved at all.
In the world of hospitality, no two venues are the same. "Every place is as different as a fingerprint," said Russell Kolins, CEO of Russell Kolins PI PC, and the culture of an establishment, its location, its entertainment, and its owner's philosophy are integral to understanding the security needs of each individual venue.
Kolins focused on that topic in "Hospitality Security: Mistakes Made, Lessons Learned," which he copresented with Leslie N. A. Cole, Sr., CPP. In their presentation, Kolins and Cole discussed some of the common missteps that owners make in the hospitality industry and how those can be mended to create a more secure environment for patrons and employees.
Kolins also discussed the need for written documents detailing the proper procedure for evicting a patron from an establishment. If these rules aren't documented, employees need to know the proper procedure and how to execute it. Writing the policy down may or may not be a good move for a business, depending on advice from its legal counsel, "but knowing the rules and how to enforce them is extremely important," Kolins explained.
He also said that bouncers in the hospitality industry "don't need the big biceps." Bouncers should be professionals with good communication skills who can "get the job done."
Instead of presenting a mock trial as in previous years, Barry A. Bradley and Gary J. Bradley of Bradley & Gmelich spiced things up with a series of mock depositions.
In "Defending Security Policies and Practices at a Deposition," the Bradley cousins, who specialize in security law, deconstructed security policies and practices during live depositions and video clips of real encounters between a security officer and a grocery store customer.
Assisting in the presentation by acting out the mock depositions were ASIS Board of Directors Chair Geoffrey Craighead, CPP, vice president of Universal Protection Service; Bonnie Michelman, CPP, director of police, security, and outside services for Massachusetts General Hospital; and Roy Rahn, CPP, vice president at Universal Protection Service.
While acting out the depositions, the Bradleys showed the tricks and tactics lawyers use to persuade juries and how security companies can craft their documents and practices to avoid or minimize after-the-fact scrutiny that results from a civil suit.
Cynthia Hetherington, president of Hetherington Group, told attendees Tuesday why they might want to double-check what they've shared publicly on social media. This advice was offered during the session "Resources for Monitoring the Internet for Threats." As a cyberinvestigator, Hetherington says it's easy to find a plethora of professional and personal information online, even if someone has privacy settings enabled on their social media accounts.
"Everyone's all worried about people looking at their Facebook accounts," Hetherington said. But the easiest way to find information on somebody? "LinkedIn. Now that's what we're looking for in this environment. From there, we start getting to the other things that I want to find out about you. These are the leads that I'll use to track you down."
Even a mention of a hobby, sport, or supported cause could give people like Hetherington enough information to find other online accounts. "I don't hit the gate, I look for the open window around the back," Hetherington noted. "Even if you're locked down and very secure and don't talk, your kids do or your spouse does."
This type of passive monitoring could spell trouble for businesses trying to protect themselves from hackers and competitors looking for intellectual property, as well as loose-lipped executives who post personal or travel updates online.
It can also be used as a tool to monitor employees, Hetherington explained. She showed the audience examples of employee profiles that inadvertently shared insider company information or showed signs of violence, which could be critical in stopping an attack by a disturbed coworker before it happens.
Hetherington said that if companies are planning on screening or monitoring employees using social media, they should develop a policy to protect themselves. Legally, social media monitoring is ambiguous when it comes to privacy concerns because so many people voluntarily share personal information online.
During the Tuesday educational session "Creating Force Multipliers with Video Analytics and Uniformed Security," participants learned about utilizing video analytics to decrease costs and increase workforce effectiveness.
Cale Dowell, Thrive Intelligence, discussed using video analytics in a more robust, proactive way that can help eliminate the need for someone to monitor multiple video feeds. "There are a lot of human errors that can be introduced when keeping human eyeballs on a video surveillance feed," he said, noting a statistic published in Buyer Beware that said after 22 minutes of continuous video monitoring, an operator will overlook up to 90 percent of onsite activity. With video analytics, video surveillance can be utilized to work for the end user in a more cost-effective way. "You can get that person back from behind the desk and in the field."
Dowell pointed out the differences between motion detection, which alerts when there is a pixelation change, and video analytics, which watch for specific, triggering events that alert the security operator. "Analytics only focuses on the target," he said.
The session also highlighted current industry challenges, including increasing security while simultaneously controlling costs, keeping up with the new technologies that are available, and applying them in a way that reduces dependency on labor without reducing security. Dowell pointed out that many organizations are leveraging video analytics for operational security and marketing purposes, as well. "With analytics, you're getting access to a few more budgets, it's not just security," he said.