Archive for category Security Management

Security by Wandering Around

In the 1970s, Hewlett-Packard popularized a style of management known as “Management by Wandering Around” (MBWA). MBWA was made famous by the 1982 management book “In Search of Excellence” by Tom Peters and Bob Waterman.

The basic theory behind MBWA is that managers, rather than staying in their offices and reading reports, should walk the floors of their company to observe what is actually going on. These walks should be done randomly and unannounced so that the manager sees actual conditions rather than something staged by employees in anticipation of the manager’s visit. By making these visits on a random basis, the manager can gain a realistic picture of what is really happening at the company.

Security by Wandering Around

We highly recommend that security managers (or other managers in charge of security) institute a similar practice, something we call “Security by Wandering Around” (SBWA). This practice involves the security manager making frequent, unannounced inspections of the facilities that they manage, both during the work day, and at night and on weekends.

Here are some ideas for things that should be looked at when making SBWA inspections:

  • If your company has an employee identification badge policy, are all employees properly displaying their badges? Are non-employees wearing visitor badges? Are unidentified people walking through the building?
  • Are doors and file cabinets that are supposed to be kept locked actually kept locked?
  • Take a look at unattended employee desks and workstations to see what’s lying on the desk. Unsecured confidential information? Unsecured laptops? Unsecured personal property (purses, wallets, etc.)? Are passwords written on sticky notes attached to a keyboard or monitor? Are keys or access cards lying on the desk?
  • Take a look in office trash containers. Have sensitive documents been placed in the trash instead of being shredded or placed in shred bins?
  • Have sensitive documents been left lying in copy machines or printers?
  • If a commercial shredding service is used, are shred bins overflowing? Can documents easily be pulled or “fished” out of the slot in the bin?
  • Observe what goes on at the reception or security desk in your building lobby. Are proper visitor sign-in procedures being followed? Are certain people passing by the desk without stopping or being observed? Are unauthorized deliveries being received at the desk? Do the people staffing the desk appear to have too much or too little to do?
  • Observe your shipping/receiving loading docks. Are dock doors being left open when they are unattended? Has high-value merchandise been left unattended on the docks? Are vendors or employees using the dock as an unauthorized building entrance or exit point?
  • Observe employee entrance doors. Are employees individually using their access cards to enter the building, or are employees holding the door open for others? Are employees propping open the doors?
  • Inspect stairways and emergency exit doors. Are stairways being improperly used for storage? Are emergency exit doors blocked or obstructed?
  • Walk the entire perimeter of your buildings. Are all exterior doors, windows and hatches properly closed and latched? When opened, do doors close and latch on their own, or do they need to be pulled shut?
  • Take a look through the exterior windows on the ground level of your building. Do you see confidential or proprietary information openly displayed or written on whiteboards? What could a competitor learn by looking through your windows?
  • Take a look at your landscaping. Is it overgrown in some places? Does it obstruct lights or security cameras? Does it obscure windows or prevent direct visual observation of parking lots and walkways? Does landscaping provide convenient hiding places for criminals?
  • Walk the entire perimeter of your site. Is fencing loose or broken in any areas? Are materials stacked too close to the fence? Does it appear that there are unauthorized points of entry to your property? Are security signs properly placed and clearly visible? How is the overall housekeeping of the site?
  • Check exterior trash and recycle containers. Do they contain confidential documents that should have been shredded? Are trash containers that are supposed to be kept locked actually kept locked?
  • During the night, check the lights in the parking lots, along the walkways, and at the exterior of the building. Are there burned out lights? Are light fixtures in need of cleaning?
  • If you use security officers, observe their activities at various times throughout their shift without them being aware of your presence. Are officers properly attired? Are they making patrols at the assigned times? Are they following proper patrol procedures? Do they appear to be observant while making patrols, or are they just going through the motions? Do officers appear to be spending time on personal activities (phone calls, texting, school homework, etc.) rather than doing their jobs?

SBWA inspections should not be confused with formal security assessments or surveys: the SBWA process should be informal and free-flowing. The goal is to get an overall sense of what is going on at the facility, not to mark off specific items on a form or checklist.

SBWA inspections should be conducted at least monthly. If you have never done this type of inspection before, prepare to be shocked. Avoid the temptation to place blame or to immediately start fixing problems that you have found. Instead, make notes of what you have observed. Then, after taking time to reflect on the data, put together a long-term plan for correcting the deficiencies that you have identified.

Why Would an Experienced Security Manager Hire a Security Consultant?

Most security and loss prevention managers are very qualified to perform their jobs. Many have had years of previous experience in law enforcement or the military and consider themselves to be experts in security matters. These security managers are often reluctant to bring in an outside security consultant, often stating the following reasons:

“No one is more familiar with my company’s security needs than I am – there is no way an outside consultant could tell me anything that I don’t already know”

“I am supposed to be the company’s security expert. Won’t my boss think I’m incompetent if I ask to bring in outside help?”

“Consultants are expensive – there is no way we could afford to hire one, not on our security budget”

“Working on this project (security design, policy manual, training program, etc.) will be enjoyable and a nice break from my normal routine. Who cares if I’ve never done anything like this before – I’ll learn as I go along. Bringing in an outside consultant would spoil my fun…”

The security manager’s reluctance to use outside help is interesting given that most practitioners in every other profession regularly use consultants to provide specialized expertise or to render an outside opinion. For example, medical doctors almost always bring in other professionals such as radiologists, hematologists, and other specialists when a patient’s condition warrants it, and wouldn’t dream of trying to do everything themselves. Similarly, top-rated attorneys almost always bring in other attorneys with specialized expertise when bringing complicated legal cases to trial.

Smart security managers should recognize that they cannot be an expert on everything, and that bringing in outside help is a sign of strength, not weakness. The benefits provided by an outside security consultant can include:

  • The consultant has the ability to provide a fresh, unbiased opinion. Sometimes the security manager can be too close to a situation to see it clearly.
  • The consultant has experience with similar security problems and conditions at many other companies and organizations. Most problems are not unique and others have figured out answers to them before. A good consultant is familiar with solutions that have worked at other facilities and can immediately transfer this knowledge to you.
  • The consultant has up-to-date knowledge of security best practices and the latest security technology.
  • The consultant has no need to temper his opinions for political reasons— he can “tell it like it is” without fear of retribution. Many security managers are afraid to bring up important issues within their organization because they are afraid of stepping on toes or making enemies.
  • The consultant has the ability to work full-time on your project and does not have to juggle the multitude of daily responsibilities that the security manager has.
  • The consultant has experience in conducting formal consulting assignments, writing reports, and making presentations. Many security managers have great security knowledge but are not expert writers or presenters.
  • The consultant has done similar projects many times before and can do the job more quickly and efficiently than the security manager can. For example, a security manager may have been called upon to write a policy manual once or twice in his career, whereas a good consultant has probably written similar manuals dozens or even hundreds of times.
  • A consultant can bring in technical expertise that the security manager doesn’t have. Things such as designing security for a new facility, developing a workplace violence program, or preparing an RFP for a new video surveillance system are often best done with the help of a consultant who is an expert in these areas.
  • An outside consultant often has more credibility with your senior management team and can sell ideas that the security manager alone cannot. Rightly or wrongly, a consultant and a security manager can present the same idea, and senior management will accept it from the consultant while rejecting it from the security manager.
  • A consultant can often save the organization time and money by doing things more efficiently, avoiding costly mistakes, and preventing the purchase of unnecessary equipment or services.

Good Housekeeping can Improve Security

When we conduct a security assessment for a client, we frequently see a direct correlation between how well a facility is maintained and how well the security program at that facility works. When we see dirty floors, lots of clutter, or burned-out lights, we often find that security at that facility is also very poor. Conversely, when we see a well-maintained facility, we usually find that the security program there is also very effective.

Good site maintenance is an important part of your facility’s overall security program. A poorly maintained site can actually encourage acts of vandalism, graffiti, and other crime. The following site maintenance tips are suggested:

  • Keep the site clean and free of debris.
  • Avoid storing equipment or materials outdoors except in enclosed yard areas. If materials or equipment must be stored in an open area, it should be neatly stacked in an organized manner.
  • Don’t let your exterior areas become “bone yards” for unused furnishings or equipment – promptly dispose of unneeded items.
  • Do not store pallets or other items next to fences. Try to maintain at least a five-foot “clear zone” on both sides of the fence.
  • Promptly repair cracked or broken windows.
  • Clean interior and exterior light fixtures regularly.
  • Trim trees and other landscaping so that clear sight lines are maintained and so that light fixtures and security cameras are not blocked.
  • Keep walls, ceilings and floors clean. Paint walls and ceilings a light, reflective color to increase the effectiveness of lighting and improve visibility.
  • Graffiti should be removed or painted over as soon as possible after it is discovered. Prior to removing graffiti, take several photos of it. (Local law enforcement officials often request photos of graffiti so that they can identify the “tags” of specific gangs or graffiti vandals.)

Don’t Say “No” – Say “How”

Security procedures are often seen as things that get in the way of doing business. Whether it is a locked door or a rule that prevents an employee from installing a new software application on his desktop computer, many people see security procedures as things that slow them down and prevent them from getting things done.

When you are the security director for your business, or a manager of a department that has security as one of its many responsibilities, you are often in the position of having to say “NO” to employee requests. When you see things that you think have potential to cause harm to the organization and the people that you are charged to protect, your first reaction is to prohibit these things. While this response is natural, it is typical of the “old school” way of thinking in the security profession, where the need to provide good security takes priority over all else.

While this way of thinking was prevalent in the 20th Century, it has given people who manage security the image of the “company cop” – stodgy, unbending, and an obstacle to productivity. Consequently, these people are never really seen as part of the management team, are rarely invited to strategy planning sessions, and are often the last to learn about new developments in the company.

The 20th Century security manager is going the way of the dinosaur. To survive in the 21st Century business environment, security professionals must be “business enablers” who help the business move forward and contribute value to the bottom line. Managers responsible for security need to think more like business people and less like cops. As part of this shift in thinking, managers need to stop automatically saying “NO” when other business units suggest doing things that may conflict with standard security practices.

While there are some things that are and must remain absolute “NOs”, there are many requests that can be safely accommodated without jeopardizing security if they are approached in a positive and creative way. Instead of saying “NO”, try to find a way to say “HOW”. In other words, instead of telling someone that they can’t do what they want to do, tell them how they can do what they want to do while at the same time minimizing security risks.

For people who have been in the security business a long time, this shift in thinking can be a real struggle. You must set aside your normal prejudices and start thinking outside of the box. Here are a few things that you should consider when making the transition to the Don’t Say “No” – Say “How” way of thinking:

  • Try to really understand the mission of your organization and what it’s trying to accomplish. Do everything in your power to support and not interfere with this mission.
  • Consider the time it takes for your employees to comply with each security system or procedure, and consider the indirect costs of this lost productivity. For example, if a security procedure delays each employee by five minutes each day, and you have 200 employees who are paid an average of $30 per hour, this procedure is costing your company $500 per day, or around $123,000 per year (assuming roughly 246 working days).
  • Consider how employee morale will be impacted by each security procedure. People who feel that they are not believed or trusted by the company have a hard time making a positive contribution to the company’s goals.
  • Consider the image that your security procedures convey to your customers, visitors, and the general public.
  • Don’t inconvenience everyone to prevent improper behavior by a small minority of employees.
  • Don’t put big procedures or systems in place to solve small problems.
  • Don’t put permanent procedures or systems in place to solve short-term problems.
  • Don’t react to each new theft or security violation by creating a new security procedure. Consider the big picture and only institute new systems or procedures when absolutely necessary. When in doubt, err on the side of not instituting a new procedure.
  • Consider accepting certain losses if the security procedures necessary to stop them would cost more than the losses themselves. Be sure to factor in the cost of employee inconvenience when making this analysis.
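The arithmetic behind the five-minute illustration above and the “accept certain losses” bullet, as an added Python example (this is not part of the original Security Tip). It reproduces the post’s $500 per day figure and then applies the cost-versus-loss rule, including the hidden productivity cost. The 246 working days per year, the procedure name, and the $40,000 loss estimate are constructed assumptions for the example, not figures from the post.

```python
"""Cost-of-compliance vs. cost-of-loss check for a proposed security procedure.

Added worked example, not from the original post. It puts the "$500 per day"
arithmetic and the "accept some losses" rule into one function so the trade-off
can be recomputed whenever the inputs change.
"""

from dataclasses import dataclass

WORKING_DAYS_PER_YEAR = 246  # assumption: 52 weeks x 5 days, less holidays


@dataclass(frozen=True)
class Procedure:
    name: str
    employees_affected: int
    minutes_lost_per_employee_per_day: float
    avg_hourly_wage: float
    direct_annual_cost: float      # equipment, guard hours, licences, etc.
    annual_loss_prevented: float   # expected loss the procedure actually stops


def daily_productivity_cost(p: Procedure) -> float:
    """Wages paid for the time employees spend complying, per working day.

    Multiply before dividing so the post's round-number case stays exact.
    """
    return (p.employees_affected
            * p.minutes_lost_per_employee_per_day
            * p.avg_hourly_wage) / 60.0


def annual_cost(p: Procedure, working_days: int = WORKING_DAYS_PER_YEAR) -> float:
    """Direct cost plus the indirect productivity cost the post warns about."""
    return p.direct_annual_cost + daily_productivity_cost(p) * working_days


def evaluate(p: Procedure, working_days: int = WORKING_DAYS_PER_YEAR) -> dict:
    """Figures a manager needs to choose between 'institute' and 'accept the loss'."""
    cost = annual_cost(p, working_days)
    return {
        "procedure": p.name,
        "annual_cost": round(cost),
        "annual_loss_prevented": round(p.annual_loss_prevented),
        "net_annual_benefit": round(p.annual_loss_prevented - cost),
        # The post's rule: if the procedure costs more than the losses it
        # stops (inconvenience included), consider accepting the loss instead.
        "recommendation": ("institute" if p.annual_loss_prevented > cost
                           else "accept the loss"),
    }


# Constructed input reproducing the post's illustration:
# 200 employees, 5 minutes each per day, $30/hour -> $500/day.
BADGE_CHECK = Procedure(
    name="manual badge inspection at lobby",   # constructed name
    employees_affected=200,
    minutes_lost_per_employee_per_day=5,
    avg_hourly_wage=30.0,
    direct_annual_cost=0.0,
    annual_loss_prevented=40_000.0,            # constructed estimate
)

if __name__ == "__main__":
    print(f"${daily_productivity_cost(BADGE_CHECK):,.0f} per day")
    for key, value in evaluate(BADGE_CHECK).items():
        print(f"{key}: {value}")
```

With the constructed $40,000 loss estimate the procedure costs about three times what it prevents, so the function recommends accepting the loss; raising `annual_loss_prevented` above the annual cost flips the recommendation.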

(I first heard the phrase Don’t Say “No” – Say “How” at a presentation made at the ASG Security Summit by Bret Arsenault, CISO at Microsoft, on March 8, 2011. Listening to Bret’s presentation inspired me to write this Security Tip.)

Security Background Checks

Purpose

While employees can be the company’s most valuable asset, some employees can also pose a security risk. Despite what many people think, crimes committed by “insiders” greatly outnumber crimes committed by outsiders at most companies. In fact, in many organizations, it is believed that as much as 80% of all security losses can be attributed to acts committed by people inside the company. In addition to the company’s own employees, these “insiders” can include employees of vendors, contractors, and temporary employment agencies who have access to the facilities.

As a general rule, the habits and behavior of people tend to be fairly consistent; people generally do today what they did yesterday, and will do tomorrow what they did today. This rule can be applied to criminal behavior: people who have committed crimes in the past are more likely to do so today, while people who have been honest in the past are more likely to continue to be honest today and in the future.

To be sure, there are exceptions to this rule. There are well-publicized cases where people who have never previously been in trouble with the law go on a rampage and commit a sensational crime. There are also cases where people with an extensive criminal history turn their lives around and become exemplary citizens. But by and large, past behavior is a fairly reliable indicator of how people are likely to behave today.

Because of this fact, employers can benefit greatly from learning as much about an applicant as possible before making a job offer. Traditional sources of information include the employment application, resume, and letters of reference from previous jobs. Checking and verifying things such as employment history, education, degrees earned, and certifications and licenses is a usual part of most hiring processes. But these traditional sources of information often don’t provide data concerning the applicant’s criminal history. In fact, some references may be reluctant to provide any unfavorable information, including criminal history, because of legal concerns or because they may fear retaliation from the applicant.

To learn whether or not an applicant has a criminal history, a specific “security background check” should be conducted for each individual prior to employment. This process is also sometimes called “security screening” or a “criminal history check”.

Types of Security Background Checks

Some very large companies have the resources to conduct security background checks using in-house staff, but this is the exception rather than the rule. Most companies lack the staffing as well as the knowledge and skills to properly conduct a security background check, and instead outsource this process to an outside service provider.

There is a wide assortment of different types of security background check services available. At one end of the spectrum are simple on-line services where the applicant’s name and date of birth can be entered into the computer and instant results can be obtained. This type of background check can cost as little as twenty dollars. At the other end of the spectrum are full-scale security background investigations that can take months to complete and can cost tens of thousands of dollars to perform.

There are a number of different types of background checks that fall in-between these two extremes. These background checks differ primarily based on how extensive a process is used to determine the applicant’s criminal history. Simple checks may only search the records of the counties and states where the applicant has claimed to live. More elaborate checks will do a search of national as well as local databases, and independently verify the applicant’s social security number and past addresses. In general, the more comprehensive a background check is, the more that it costs.

We recommend that the type of background check conducted be appropriate for the job the applicant is being considered for. As an example, a candidate applying for a job as chief financial officer would warrant a more thorough background check than a candidate applying for a job as a landscaper. Any position of trust in which an employee would have an opportunity to commit a significant theft or act of fraud should require a comprehensive pre-employment security background check. Jobs that place an employee in contact with children or other vulnerable persons should also require a more thorough security background check.

We suggest that any security background check include at least the following:

  • Social Security Number (SSN) verification: Confirms the applicant’s name against the SSN provided and identifies any alternative names or aliases that may have been associated with this SSN.
  • Address verification: Confirms applicant’s current and previous addresses.
  • Local criminal record search for felony and misdemeanor convictions.
  • National criminal record search for felony and misdemeanor convictions.
  • Sex offender registry search for known sex offenders.

Determining Disqualification Criteria

Once the results of the background check are received, the employer must make a determination to accept or disqualify the applicant. If the background check does not uncover any adverse information, the path of action is fairly clear. However, if the check does reveal a history of either felony or misdemeanor convictions, the employer must decide if these convictions are grounds to disqualify the candidate.

The first reaction of most employers is to automatically disqualify anyone who has any type of previous criminal conviction. However, the Equal Employment Opportunity Commission (EEOC), the federal agency that enforces workplace anti-discrimination laws, has taken the position that a blanket policy of excluding anyone with a criminal record, without regard to the job in question, can be unlawfully discriminatory. To quote one source:

 “The EEOC has ruled repeatedly that covered employers cannot simply bar felons from jobs, but must show that a conviction-based disqualification is justified by “business necessity.” The legal test requires employers to examine (1) the job-relatedness of each conviction, (2) the nature of the crime committed, (3) the number of convictions, (4) the facts surrounding each offense, (5) the length of time between the conviction and the employment decision, (6) the person’s employment history before and after the conviction, and (7) the applicant’s efforts at rehabilitation. According to the EEOC, the job-relatedness inquiry is the most important, and focuses on whether the job position applied for presents an opportunity for the applicant to engage in the same type of misconduct which resulted in the conviction…”.  

It is recommended that employers establish guidelines in advance that state the types of offenses that would disqualify an applicant from each type of job. These guidelines should be developed jointly by your security manager, human resources manager, and legal counsel, and should be based on the “business necessity” test described above. Once established, guidelines should be consistently applied.

Vendors, Contractors, and Temporary Employees

One common mistake is to have an extensive security background check procedure in place for your own employees, yet fail to require pre-employment background checks for the employees of vendors, contractors, and temporary agencies. Many of these employees have the same access to your facilities as your own employees and can pose an equal or greater security risk. In fact, some types of contract employees, such as janitors, are given master keys to the building and often work at times when no one else is around.

Many companies assume that the contract employer conducts security background checks on its own and that no further precautions are needed. While many contractors and vendors do conduct background checks, these are often not as comprehensive as needed, and in many cases employees are sent to your site before the results of their background checks are received. We have also seen numerous cases where contract employees somehow slipped through the cracks, and a contract employee with a criminal history was sent to one of our clients’ buildings. Often, these discrepancies are only discovered after the contract employee has committed a crime or other unwanted act.

We recommend the following:

  • All contracts with vendors, contractors and temporary employee agencies should include a requirement that security background checks be conducted. The contract should specify the type and scope of the background check that is to be conducted, as well as specify the types of past criminal offenses that would disqualify a candidate.
  • Background checks for contract employees should be at least as stringent as those required for your own employees.
  • Written confirmation that each individual contract employee has satisfactorily completed the background screening process should be required before the employee is given unescorted access to your facilities.

Consequences of Failing to Conduct Security Background Checks

It is our opinion that failing to conduct adequate security background checks is a lot like playing Russian roulette – sooner or later, it will get you. The larger your workforce, and the greater your turnover, the more likely you are to have a problem.

Failure to conduct background checks places your company’s assets at risk and can result in the loss of both physical and intellectual property. In addition, failing to conduct adequate background checks may place your company in a position of legal liability if someone you hire causes harm to a third-party as a result of your failure to take adequate precautions.

Three examples of such situations are:

  1. A person with prior convictions for aggravated assault was hired as a parking valet. The valet got into an altercation with a customer and threw him to the ground, resulting in a serious head injury.
  2. A registered sex offender was hired as a computer support technician. The technician sexually assaulted a female employee while both were working alone in a building late at night.
  3. A husband and wife who both had previous convictions for mail fraud and forgery were hired by the same contract janitorial company. While working as janitors assigned to different customers, both gained access to human resources and payroll files to obtain the information needed to steal the identities of employees. More than 100 individual employees were victimized as a result.

In all three cases, the employer failed to conduct a background check, even though the past criminal histories of these employees could have provided an indication that they were likely to commit a similar act again. In all three cases, the victims of these crimes could sue the employer, alleging that it was negligent of the employer to hire these people without adequately checking their background, and as a result of this negligence, the victim was harmed.

Are You Guilty of “Negligent Security”?

One of the biggest influences on security decision making today is the fear of legal liability and lawsuits. There have been numerous court cases involving claims of “negligent security” on the part of property owners and business operators.

Most states require that property owners take reasonable steps to protect tenants, employees and customers from foreseeable harm. Employers also have a responsibility to provide a safe workplace for employees and this generally includes protection from criminal acts that are foreseeable. Schools, day care centers, hospitals, and other facilities also have a duty to provide a reasonable degree of security for their students, patients, employees, customers, and visitors.

When a property owner or business fails to take reasonable steps to provide adequate security, and a person suffers loss or injury as a result, a lawsuit alleging “negligent security” may be filed. Settlements resulting from these cases can easily involve hundreds of thousands or even millions of dollars. The costs of defending against such a lawsuit can be very significant, even if the property owner eventually wins.

The key to winning or losing these cases usually involves an interpretation on the part of the court as to whether or not the specific crime or event was “foreseeable”, and if so, whether or not “reasonable” steps were taken on the part of the property owner or business to prevent such an event from occurring. Because there are generally no laws or standards that regulate the types of security measures that a private business must have, courts and juries often rely on the testimony of security experts to determine what was “foreseeable” and “reasonable” given the specific facts of the case.

While it is impossible to completely prevent a negligent security lawsuit from being filed against your organization, having a well thought-out security program in place can reduce claims and increase your chances of defending yourself against a frivolous lawsuit.

A review of negligent security cases reveals numerous security deficiencies that are used as the basis for the majority of lawsuits. By learning about these common deficiencies in advance, you can better plan your security program and avoid making the same mistakes made by others.

The following are some common deficiencies in security programs that could be used as the basis for a negligent security lawsuit. While any of these deficiencies alone may not constitute negligence on the part of the organization, they should be seen as “red flags” that warrant further consideration and possible attention:

  • Inadequate or outdated security plans and procedures.
  • Not consistently following established security plans or procedures.
  • Lack of adequate employee training.
  • Lack of adequate physical security measures.
  • Lack of adequate security staff.
  • Failure to conduct security background checks on employees and contractors.
  • Poorly maintained facilities – broken doors and locks, burned-out lights, overgrown landscaping, etc.
  • Inoperative or poorly maintained security system equipment: defective cameras, inoperative panic alarms, etc.
  • Ignoring complaints about crime or security from tenants, employees, customers and guests.
  • Failure to take workplace violence threats seriously.
  • Inconsistencies in security staffing that are not supported by risk assessment data; for example, having security officers on duty at some times but not others solely to reduce costs.
  • Inconsistencies in security systems that are not supported by risk assessment data; for example, having cameras in one area of the facility but not another exclusively for budgetary reasons.
  • Overrepresenting or overselling the level of security that is provided; for example, using statements such as “totally secure facility”, “completely safe”, or “crime-free”, or stating that areas are under “24 Hour Surveillance” when in fact they are not.
  • Reducing the level of security provided at the facility for budgetary reasons without a corresponding reduction in the level of security risk.
  • Ignoring increased levels of crime in the surrounding neighborhood and failing to make corresponding improvements in the facility’s security program. 
  • Failing to provide a level of security that is equal to or greater than that provided in similar neighboring facilities.
  • Failure to adequately protect confidential information such as employee records, medical records, credit information, or proprietary information owned by others.

Evaluating Your Security Program

Many security managers are so caught up in their daily jobs that they sometimes lose track of just exactly what the purpose of their company’s security program is.

Many security programs have simply been “pieced together” over time, with new security procedures often added to address specific security problems that have occurred over the years.

In many cases, the security manager has inherited a security program that was designed by his or her predecessor, and may not know why many of the security procedures being followed were instituted in the first place.

At least once a year, the security manager should pause and objectively reevaluate the company security program. Some of the questions to be asked include:

  • What company assets (people, property, information) are the most important to protect?
  • What are our greatest threats?
  • Who are our most likely attackers?
  • What would be our “worst nightmare”?
  • What do senior management and our employees expect from the security program?
  • If our security program could accomplish only one thing, what would it be?
  • What are the limitations of our present security program? Are these limitations understood by employees and management?
  • Does our security program focus on protecting our most important assets?
  • Are our security procedures and systems responsive to the current level of risk faced by the company?
  • How can the present security program be improved?

If it has been a long time since a complete evaluation of the security program has been conducted, it is often helpful to conduct a formal “security assessment”. The “security assessment” is a structured process for analyzing a company’s security program.

Although the security assessment can be conducted by the security manager, it is often beneficial to use an outside security consultant to conduct the security assessment. A good security consultant has extensive experience in conducting security assessments and can offer an unbiased outside opinion.

Often, senior management will be more inclined to implement recommendations made by an outside consultant than they would be to implement recommendations made by the security manager.

A formal security assessment should be conducted at least once every three years. Other times when a security assessment should be considered are:

  1. When major facility renovations are being considered.
  2. When a new facility is being designed.
  3. When the company is planning a significant increase in the work force.
  4. When the company is entering a new line of business.
  5. When the organization is about to go through downsizing or restructuring.
  6. After a significant security incident or major loss has occurred.