In all the recent active audits we conducted at various organizations and companies the main conclusion was about the importance of employees in the security array. Yes, you are reading this correctly, the employees are integrated into the security system even though their professional purpose is not at all related to security and they also have no training to perform security operations on their own.
Anyone who expertly and correctly analyzes their facility through an attacker’s mindset will discover and understand that the adversary who succeeds in passing the first security rings will reach the last security ring and encounter the employees rather than the security guards, so that in practice where the opponent is at his or her final attack destination within the facility, it is the employees who are in the vicinity . In this situation, the employees are the only ones who can recognize the opponent as an anomaly and act to expose the adversary in real-time.
When you think about it, every employee is like an advanced and sophisticated camera. They have eyes to see (the lens), they have ears to hear (the microphone) and they have the intelligence and thinking to process the data and make a decision (the software). Now begin to understand and test how many “cameras” you have in the last security ring and where. The gap we noted in all the active reviews we made regarding the employees in an organization, company or business revealed the reason why employees failed to hear and see the opponent in their work environment even though they are standing very close to them, is that the employees’ ‘’programming’’ was not calibrated to the appropriate settings to be cognizant of anomalous persons who perform unusual activities.
The employees have never undergone briefings or professional training that prepares them and enables them to locate the aggressor in their work environment.
Organizations, companies, and businesses realized that a security guard and camera could not be placed everywhere in the facility and were able to integrate the employees in the security system elevated the response against physical assaults in an impressive way. This requires a managerial decision to allocate professional and proper resources that will make every employee quality and smart “camera”. A kind of camera with analytics in it.
Why are there still so many organizations, companies, and businesses that haven’t done this?
Here are examples of such organizations:
A company that has not been harmed by an aggressor and is not aware of the threats and dangers and is likely to open its eyes only after an unusual event has occurred.
A company that consciously does not consider it appropriate to invest resources in its security system beyond what is required of it and will probably open its eyes only after an unusual event has occurred.
A company that runs forward and invests many resources and budgets in protecting information from outside attacks and neglects or forgets about physical security.
Regarding the first two companies, I do not have too much to say except to wish them good luck and I wish that they would never be attacked.
In contrast, I tell the third company that it is likely to be infatuated with the popular cyber phenomenon like many other companies and will explain that in recent years many organizations, companies, and businesses have invested a great deal of money in responding to cyber threats and rightly so, since such threats can do serious and sometimes irreversible damage, but when it comes at the expense of physical security it is clear that exposure to existing threats remains high. In tandem with the rise in cyber investment, the risk management issue has improved and has become more sophisticated, leading to more and more executives and security managers to define a targeted threat list that is only relevant to the facility and its characteristics. I think any such list, as targeted, must always include threats related to physical attacks on the facility, and not just remote assaults.
There are adversaries who are capable of penetrating into the facility during its operating hours who know how to pass the security system on their way to the server room and the sensitive offices/rooms/warehouses that include valuable information and / or equipment, etc. As mentioned, in these places inside the facility, if the opponent meets these people, they are the workers and not the security guards.
An employee with no awareness of threats and dangers that exist in his or her area and without training and tools to deal with them will not be able to identify the aggressors in real-time and certainly will not be able to deal with them, and worse, due to the employees’ lack of knowledge these employees may help aggressors enter a forbidden place and even accompany them without knowing their bad intentions.
A mid-level opponent can recognize phenomena within the organization that create loopholes and gaps in security arrays, and knows how to exploit them to his or her advantage while manipulating the hapless workers to help him or her without knowing and understanding what they are actually doing. The adversary fools untrained employees with relative ease. This is usually not the fault of the employees because they have not been trained to do so and will not be alert to the dangers in their sector while performing their routine work.
Factually, an unskilled employee will fail most times when the opponent manipulates him or her and when they encounter each other the employee will be tempted to open the door even though it has an entry control system, believe the opponent’s assumed identity and role, forget the procedures and lose even the basic suspicion found in each person. There are situations where the opponent is so compelling that even an employee who suspects something is wrong feels self-insecure and able to muster up the courage to stop for a moment and ask the right questions or simply call the security forces at the facility.
In order for an employee to be a part of this last and most professional security ring in the array, one must first understand the existing deficiency, then allocate budget and resources to it, and ultimately the employees must be given appropriate training. The goal is not to make the employee’s security guards. The goal is to teach employees to identify anomalies in their sector while performing their duties as required and without interfering with their professional vocation. It is possible to reach a situation where the employee sees a person in his vicinity and is suspicious.
Employees are your best camera in areas where there are no security guards and there may be no cameras too, so all you have to do is get employees to raise their heads and use their eyes (the lens) to identify who is near them and whether they are familiar and have the authorization to be in the area, listen to the noises (microphone) in the environment so that even if the employees are busy with their routine work with eyes downward, they will not lose one’s hearing ability to help them know that something unusual is happening near them, and eventually it is imperative to equip the employees with clear and unambiguous settings that will make this the software that connects what the eyes see and what the ears hear into a decision making process that decides whether a person is anomalous that needs to be addressed immediately.
Whoever does what I wrote will add to the security system tens or hundreds or thousands of human smart cameras that will make it difficult for the adversary’s life and significantly improve the response to the aforementioned threats.
Remember that security needs to be done by integrating the employees!