Following are a few article summaries that can provide you with a small taste of the original content available to you every day through our daily digital offerings, which are offered free through LossPreventionMedia.com. In addition to our daily newsletter, a comprehensive library of original content is available to our digital subscribers at no cost to you. Visit our website to gain access to all of our content. You can also follow us on Facebook, Twitter, and LinkedIn.
After Las Vegas: The Evolution of Active-Shooter Protocol
By Bill Turner, LPC
It has been several weeks since gunman Stephen Paddock shot and killed fifty-eight people and wounded almost 500 others in Las Vegas. Initially, there was some criticism that it took law enforcement up to seventy-five minutes to get to the shooter’s room in the Mandalay Bay Hotel.
The latest information shows that, in fact, the first officers arrived on the hotel’s thirty-second floor at approximately the same time that the shooting stopped. In the midst of total chaos, officers first had to determine where the shooting was coming from, and once determined, they had to then find the exact location of the shooter within the hotel.
Anyone who looked at the exterior pictures of the broken windows in the Mandalay Bay Hotel realizes that was no easy task. [EDITOR’S NOTE: After this article was written, MGM Resorts, the owner of Mandalay Bay, raised questions as to the accuracy of the timeline of the shooting as it was originally reported. No conclusions have been reached at this point.]
Regarding active-shooter response, there is no silver bullet that guarantees 100 percent positive results for law enforcement and individuals. The situation in Las Vegas made incident response even more difficult. Methods are still evolving and being debated. But one trend is common: a more aggressive response.
One thing unique about the Las Vegas incident is that the shooting came from above. This marked only the second time that a major active-shooter incident was carried out from a highly elevated location. The first was the University of Texas tower shooting on August 1, 1966. On that day, Charles Whitman climbed to the observation deck of the main building, from where he shot and killed fifteen people in an hour and a half.
At the time, standard active-shooter response from law enforcement was to have the first officer on scene establish a perimeter to contain the suspect and victims within that perimeter. This approach maximized officer safety and protected the public outside the scene. It also minimized equipment and training costs for law enforcement and allowed time for SWAT to arrive. But these reasonable tactics assumed perpetrators were rational and would negotiate and release hostages.
A lot has changed since then. Today, law enforcement often faces suicidal attackers whose desire is to inflict maximum casualties, including themselves. Establishing a perimeter and negotiating with the shooter is no longer effective in all situations.
This was made clear in the Columbine, CO, school shooting of 1999. Police established a perimeter and waited a long time to enter the building and to attempt to confront the shooters. Because of this delay, many more students were killed.
After Columbine, law enforcement began to develop more aggressive active-shooter response protocols. First officers on scene were taught to immediately enter and attempt to engage shooters, using whatever equipment they carried with them. This tactic assumed most attackers were relatively incompetent and could be silenced by a well-trained responder.
The Active-Shooter Response Evolution
Attackers have changed. As a result, modern active shooter response training has changed. Nearly all law enforcement officers are now highly trained and often have active-shooter kits in their patrol cars. Today, many officers will immediately enter an area to confront shooters. The theory is that, when confronted with law enforcement, shooters will turn their attention to them and away from victims. These tactics have proven reasonably successful, although the emergence of highly motivated terrorists, whose weapons go way beyond guns, has necessitated continual evolvement of active-shooter response tactics.
Although not universal, recent guidelines include:
- Assess the situation and report immediately.
- Move the public away from the danger zone if possible.
- Take cover from gunfire but not cover from view (concealment).
- Adjust response based on the situation—await heavily armed forces, negotiate, or immediately confront perpetrators.
In addition, many law enforcement agencies are adopting MACTAC training—multi-assault counter-terrorism action capabilities. The concept behind MACTAC is that every officer from every agency in a given region is trained in the same way regarding response to an attack.
In an interview after the Las Vegas incident, Clark County Sheriff Joseph Lombardo emphasized the cooperation and joint training of all Las Vegas first responders, including the fire department. While he didn’t directly reference MACTAC, the fact is that law enforcement in Las Vegas began training together around MACTAC protocols in 2009.
“OK,” you say, “that is active-shooter response for law enforcement, but what about me?” While only the GET OUT and maybe the HIDE OUT responses were applicable in the Las Vegas incident, overall guidelines for citizen active-shooter response remain fairly constant, as follows:
- GET OUT—evacuate immediately, moving away from gunfire.
- HIDE OUT—if you can’t evacuate, take immediate cover, hopefully in a locked room. In addition, barricade the door if possible.
- TAKE OUT—attack the shooter (with anything you have) if you have no other choice.
Obviously, no one ever wants to be caught in an active-shooter situation. Fortunately, the odds are against it. But understanding active-shooter response tactics and methods, both for law enforcement and individuals, will go a long way to keep you safer, just in case.
The Complete Guide to Ensuring Staff Compliance with Your Company Security Policy
By Garett Seivold
All workplace security behaviors have either a positive or negative outcome. Positive security behaviors help safeguard assets; negative behaviors put them at risk.
Loss prevention policies are the starting point for encouraging positive security behavior. And security practices—such as monitoring, training, and enforcement—drives employees’ capacity and motivation to adhere to a given company security policy and support a retailer’s asset protection effort. In short, at the source of asset protection are a retail organization’s LP policies and practices.
How Can You Get Workers to Follow Your Company Security Policy?
Clarity helps. A company security policy should plainly define acceptable and unacceptable behavior. Doing so helps to improve compliance and removes ethical dilemmas that lead to worker stress and negative behavior.
Compliance with security and LP policies also requires that they fit work practices and requirements. For example, research has shown that violations of company cyber-security policies often occur when security policies, such as restricting access to computers, conflict with workers’ perceived need for access. This type of conflict can often lead to problems, such as personnel circumventing security controls by propping open doors that require special key access.
When workers don’t “own” a security protocol, they often circumvent it. Company security policy guidelines and procedures are often judged by employees with respect to:
- Their relevance (are they necessary?);
- Their effectiveness (do they actually improve security?); and
- Their user-friendliness (are they understandable and not overly cumbersome to implement?).
When any company security policy requires extra effort, employees weigh the extra effort—consciously or subconsciously—against benefits for them, in the context of their production tasks.
LP executives may identify ways to encourage policy compliance by conducting organization-wide auditing on questions such as:
1. Is training on LP policies adequate?
2. Do security and asset protection policies and procedures make sense to line workers?
3. How can employee commitment to a company security policy be enhanced?
One key tool in this endeavor is an employee survey that specifically solicits employees’ opinions and attitudes regarding security policies, including how compatible they are—or aren’t—with their job duties and production tasks. By looking at security compliance through the eyes of employees, LP executives can start to manage compliance, something that is not possible if they simply write security rules and tell employees, “Follow this.”
Overall, according to a national security survey by Security Director’s Report and LP Magazine, 40 percent of organizations have surveyed or interviewed employees in the last twelve months to learn their perceptions of security policies, such as how policies may support or conflict with their work practices. It is most common among publicly traded firms, especially business and professional services companies. It is slightly less common among retail organizations at 29 percent.
In addition to providing LP executives with key data, surveying employees about a company security policy may, by itself, improve compliance with them. Psychology studies show that when people have a chance to express contradictory views, it helps to bring attitudes in line with their beliefs. So, for example, an employee survey on office supply policies not only helps a security team to understand the attitude of workers toward this issue, but also might help remove inconsistencies and steer the corporate culture in the right direction. In short, merely asking a question such as, “Are you aware of the company’s policy on the removal of office supplies for personal use?” helps workers adhere to it.
Asset protection departments must also be careful that routine enforcement of security rules does not create antagonistic views toward security culture. Sometimes employees skirt security procedures—not because of deliberate indifference or antagonism toward security, but because of some external or temporary pressure.
In this case, a harsh rebuke of an employee may result, unnecessarily, in creating a bad attitude toward security. Instead, security leaders should sensitize their staff to the consequences of the mistakes they make with respect to violating security policies, according to Michel Kabay, PhD, of Norwich University. Rude treatment of employees for a violation of security procedure can cause employees to be less likely to comply with security policy in the future—and will certainly result in employees being less likely to encourage others to comply, says Kabay.
Equifax Security Breach Affected 143 Million. Why?
By Timothy Crosby
When reading the statements coming from Equifax, there seems to be a lot of information in what they fail to say. It is clear the organization simply does not understand certain cyber-security basics. It is also evident that leadership has not fostered, nor do they appear to currently be fostering, a corporate culture of cyber security. The recent breach poses a huge threat to consumers, corporations, and retailers alike, especially with the holiday season approaching; the personal data of the 143 million Americans could be used to access profiles that shoppers have created on retail sites. Action must be taken now.
FACT: Every patch management system fails from time to time. This can occur when systems are not added or are incorrectly removed from the patch management inventory or when connectivity was lost partway through the patching process.
Blaming any one person, function, or process shows a fundamental lack of understanding about cyber security. When it comes to patch management, there needs to be a positive and negative validation process in the form of emails and logs reviewed by someone not responsible for applying patches.
Once it is determined that the patches have been applied, a validation of the effectiveness of the patches needs to occur. Independent security scans need to be performed at the end of the patch cycle to verify the effectiveness. The security scan will answer some of the following questions:
- Did the patches actually get applied?
- Did the patches undo a previous workaround or code fix?
- Did all systems get patched?
- Are there any new critical or high-risk vulnerabilities that need to be addressed?
It is typical for patches to overwrite workarounds or “hot fixes,” making systems susceptible to older vulnerabilities. It is also common for a system to be missing from the inventory. The assessment needs to include network ranges, not just the host IP address listed in the patch management inventory.
Lastly, the assessment will catch the human-introduced issues, such as keeping the default credentials “admin” on an external facing or production web application, as demonstrated by the Equifax site in Argentina.
Finally, a properly configured scan engine or security assessment tool (updated daily) will catch and alert the team of new critical or high-risk vulnerabilities discovered since the start of the patch management cycle. The “bad guys” will be scanning for all systems vulnerable to any newly discovered attack vector.
The shorter your patch management cycle is, the smaller your vulnerability window. If it is longer than thirty days or based on a software development lifecycle (SDL) that can take months or a year for a production patch to be approved, you might want to reconsider. It is better to break an application occasionally rather than compromise security. Pick a press release: “Equifax Application Unavailable for Two Hours” due to an applied patch or “Equifax Security Breach Affects 143 Million.”
The leadership at Equifax did not foster a corporate culture of cyber security. Everyone should be accountable for their actions. If someone failed to apply a patch, they should be held accountable, as should those responsible for checking the work, those running post-patch security scans, and those responsible for the patch management policies and procedures.
If the corporate culture is based on a shared responsibility for success and failure, then cyber-security programs will be effective. Conversely, if the corporate culture looks for scapegoats for failures and leadership feels they are above or exempt from the data security best practices, then there are gaping holes in network security.
There was probably a failure in risk assessment, change management, or business continuity/disaster recovery (BC/DR) programs, but a poor patch management cycle, coupled with a corporate culture of blame shifting, was likely the most direct path to one of the worst published cyber-security breaches in history.