Although the attacks of Sept. 11 weren’t the first time terrorists had struck, the magnitude of the assaults — combined with the subsequent anthrax attacks — has changed the way organizations address the risks of terrorism. Today we see everything from barriers surrounding buildings to screening procedures that have produced long lines of people waiting to enter a facility.
Are those measures appropriate? Are they effective? Before these questions can be answered, a risk assessment must be completed. An effective security program can only be designed on the basis of a risk assessment.
A security program should integrate technology, architecture and operations. The appropriate use of components depends upon the culture, style and capabilities of the corporation. Overemphasis on one of the components can lead to an inefficient program; so can ignoring an element. What’s more, prudent security programs are designed to be able to expand and contract as risks change — to be ratcheted up and down without significant equipment modifications and minimal inconvenience to users.
Systems like access control, CCTV surveillance, intrusion detection, package screening, weapon detection, asset monitoring and others are the tools that can make security operations more efficient. It may not be possible to provide staff at each door to screen people entering the building, but systems can provide identity verification in a quick and efficient manner.
Effective security programs include technology that can adjust to the level of the known or potential threat. Identity verification systems are beginning to rely less on the card issued to a person and more on the biometrics to identify people.
In applying technology, consider the layered approach. Don’t rely on one screening level to properly protect an entire facility. Apply one layer of screening at a vehicle entrance to ensure that at least one person has access authority to enter the facility. Do not attempt to verify all occupants of the vehicle unless there are sufficient lanes, systems or staff to effectively accomplish this and the threat assessment indicates that the site and facility represent a high enough risk.
The second layer should be at a building perimeter, where a card access system could verify that each person attempting access is authorized. Cards should be issued to employees and contractors that visit the facility often. Many facility executives and security directors complain that they can’t get staff to comply with the requirement of wearing or carrying their badge. The key to obtaining acceptance from staff is creating the need for the card. If they need to use it often, they will learn to carry it. Again, expediting this process achieves the involvement and acceptance of staff.
The next and perhaps final layer may be biometric identity verification of a person attempting to enter a lab, evidence room, computer room, pharmacy or other critical area.
It is important to ensure proper implementation of security technology. Public law enforcement resources are being stretched beyond their capacities; these agencies can ill afford to respond to false alarms. The proper design, installation and maintenance of the security technology system are critical aspects to an effective security program.
Another important security component is the protection of communications entry ports. These are technological entrance doors that, if left unprotected, can allow someone access to data, communications and operating systems. Some experts believe that this may be the method for the next wave of terrorism.
Some facilities can limit their point of ingress and egress to only one or two entrances. These facilities can more heavily depend on architecture to assist the security program. Regardless of the number of perimeter doors, each one should be capable of being locked to prevent undesired ingress but, if necessary, provide emergency egress.
In light of the recent incidents, facility executives should review their building doorways and see if the number of “legal” entrances can be reduced.
Space requirements are an architectural consideration, one that has been often overlooked. If magnetometers and explosives detection devices become a screening requirement in some buildings, there is a need to provide sufficient queuing room and effective segregation of people entering from those exiting.
Space should also be carved out for the security command and communications centers. Too many buildings rely on the front desk for the monitoring and communications center. This is a vulnerable location for such a critical function.
Another architectural consideration is segregating areas like mail rooms and entrance lobbies from the remainder of the building. Areas where packages are delivered and have yet to be screened may need to be environmentally and physically separated from the building to prevent introduction of a dangerous package into the building before it can be screened. The same consideration applies to building lobbies. The area outside of the screening point may need a hardened physical separation, including its own HVAC system.
Landscape architecture can provide a natural or softer security protection outside the building. Using natural berms can provide a building with protection against vehicles and bomb blasts. Instead of straight access roads that lead to a front door, winding roads can keep vehicles from achieving sufficient speed to ram into a building entrance.
Security staffs must be properly trained, appropriately located and sufficient in number to provide efficient deterrence, screening, surveillance and response to security incidents. If there are long lines at the entrance screening point, there is either not enough staff to handle the operation or not enough technology to assist.
Too many security programs are undermined by employees not being willing to participate in the process because it is too much of a “hassle.” Do not underestimate the intelligence of employees; they can easily detect when a security staff person is not effective. Staff should be trained and properly supervised. For example, to be credible with employees, the security staff must be knowledgeable enough to know what a suspicious package looks like.
It is clear that facility executives need to establish communications with appropriate federal and local public law enforcement agencies to receive timely notice of increased security threats and activity. Organizations must rely on the federal agencies to effectively investigate and provide notification of impending threats.
Security programs should be dynamic, not static. There is a need for testing and practicing of the procedures and for keeping the program up to date. As architectural changes occur, the program should be adapted appropriately. As technology improvements appear, consideration should be given to incorporating effective new systems.
Periodic tests should be conducted. Can someone enter the building without proper identification? Did that new door provide a means of bypassing the secure perimeter? Is the security staff vigilant to security issues? Do staff members know how to operate the systems they have available to them? Is there enough staff to perform the services required?
Finally, evacuation procedures should be tested on a regular basis. Regularly scheduled drills should sensitize the staff into following the procedures in an orderly manner. An efficient evacuation plan depends on the training occupants receive and their knowledge of what to do before it becomes critical to do it.
Although it is impossible to prevent all acts of terrorism, it is possible to take reasonable steps to prevent or mitigate the effect of the vast majority of these incidents. We may no longer have wide open buildings; however, we do not need to go into the bunker to work each day.
Lauris Freidenfelds is a security consultant for Sako & Associates, Inc., a subsidiary of The RJA Group. He has more than 25 years of experience in the development, design and management of security programs and is a member of the American Society of Industrial Security.
In the past, most organizations did little to address terrorism because the probability of an incident was deemed small. For some facilities, that probability may have increased significantly; for others, the change has been slight. But it is reasonable to say that not every facility is a target for terrorists.
On the other hand, it is time for every building to evaluate or re-evaluate the threat levels and see if security programs effectively address the appropriate levels of threat. Those risk assessments now must address collateral damage as well. What’s more, the evaluations may need to consider bombs or biological or chemical agents.
Basic risk considerations include:
Impact considerations include the following:
The effects of the events on Sept. 11 continue to ripple across the world of real estate, raising new awareness of security threats on facilities. As a result, security plans are being dusted off and updated. To help with that effort, the American Society of Industrial Security (ASIS) and the editors of Security Management have just released Counterterrorism and Contingency Planning Guide.
The guide contains 35 articles broken down into nine subject areas: counterterrorism, air security, risk assessment, disaster management/business continuity, access control, data protection and recovery, preemployment screening, awareness training and travel security.
It offers a logical progression of information from assessing risks to putting security plans into action that matches key areas of importance with experts who have experience in those areas, says Sherry Harowitz, editor of Security Management magazine.
“We’ve been doing this a long time and have amassed quite a body of expertise,” Harowitz says.
The articles address real world situations using primarily case studies. Most authors are security directors for facilities and consultants, who can lean on their experience in the field in dealing with everything from building occupants to budgets, Harowitz says.
“It’s real practical information on how to protect facilities, not abstract advice,” Harowitz says.
ASIS is the largest organization for security professionals, including managers and directors of security as well as facility executives responsible for security. ASIS publishes Security Management, which is a monthly security magazine focused on security, and Security Industry Buyers Guide, which is a comprehensive guide to more than 3,000 suppliers of security products and services.
Proceeds for the sale of Counterterrorism and Contingency Planning Guide will go the ASIS Foundation’s fund to benefit the families of security professionals who lost their lives in the attacks of Sept. 11. For further information call 703-519-6200 or visit the Web site.
