I'm a title. Click here to edit me.
Weaknesses of Elevator Access Control
Controlling Access Using Elevators
Security at many high-rise buildings is provided using a card access control system in the elevator. This system typically involves installing a card reader in the elevator, and making connections between the access control system and the elevator control system. The system is designed so that an access card is required to operate some or all of the floor selection buttons in the elevator car.
The access control system is typically programmed so that a user's card only works on the specific floors to which he or she requires access. For example, employees who work in the Accounting Department have access only to the Third Floor, while employees working in the Advertising Department have access only to the Fifth Floor. Floors that contain things such as the Cafeteria or Fitness Center would typically be accessible to all employees. Some employees, such as senior executives or facilities maintenance personnel, might be given access to all floors.
Security control of the elevators may be implemented at all times, or only during specific times. For example, it is common to allow free access to all floors during normal business hours, but restrict access at nights and on weekends. Some floors, such as those containing the Data Center or Executive Offices, may be kept secured at all times.
Elevator access control can be used in conjunction with other types of access control or can be used alone. For example, in many cases, using an access card in the elevator only allows you to travel to the elevator lobby on the selected floor. Once in the elevator lobby, you must use your card a second time on a controlled door between the elevator lobby and the secured interior area of the floor. In other cases, the elevator provides direct access to the interior area of the floor - once you step off of the elevator, you are within the secured area.
Social Aspects of Elevators
Most people who ride elevators unknowingly follow a set of unwritten rules regarding their use. These rules affect how you board the elevator, how you stand when in the elevator, and how you exit the elevator. A number of articles have been written on the proper etiquette to be followed when using elevators, such as holding a door open for a person rushing to get on the elevator, or offering to push the floor select button for another person when standing next to the elevator button panel.
Providing security controls on elevators is contrary to social norms and may create conflicts between doing what is good for security and doing what seems natural. In most cases, the desire to be polite overpowers any concerns about security, greatly weakening the level of security that can be provided by an elevator access control system.
Security Vulnerabilities of Elevators
There are numerous security vulnerabilities that exist when using elevator access control. Some of the ways that an intruder can compromise elevator security include:
Join the Group
People without a valid access card can enter the elevator car and ride to secured floors along with other passengers. Stepping on and off of elevators with other people is completely natural, and it is rare that anyone will stop and challenge a person getting off of an elevator on a secured floor. The busier the elevators, the bigger this problem becomes.
Go For a Ride
People rarely notice when another person stays on an elevator, assuming that they must be continuing on to another floor. This often allows an intruder to gain access to a specific secured floor by simply boarding an elevator and waiting until it is called to the desired floor. In a busy building, this can usually be accomplished by riding the elevator for just a few minutes.
Share a Card Swipe
Most interfaces between access control systems and elevator control systems are one-way only and don't provide feedback to the access control system when a floor selection button is pressed. When a user who has multi-floor access privileges uses his card, the selection buttons for all authorized floors become activated and remain activated for several seconds after his card is used. This allows a second person to "piggyback" on the access privileges of the first person by selecting a secured floor immediately after the first person has used his card.
Use Fire Service Override
Elevator security controls are completely over-ridden when the elevator is placed in "Fire Service Mode". This mode of operation is required by building codes to permit use of the elevators by firefighters during emergencies. The elevator is placed into Fire Service Mode using key-operated switches in the lobby and in the elevator car.
Unfortunately, the keys used with these switches are often standardized between all elevators of the same brand, and in some cases, all elevators within a specific geographical area are all keyed alike. This allows anyone who has a fire service key to any elevator to have a key that operates all elevators. Most fire service keys are also available for purchase online from a variety of sources. Anyone who has a fire service key has access to any floor without needing to have an access card.
Tips for Improved Elevator Security
Recognize that access controlled elevators provide only a moderate level of security and can be compromised in many ways. Because of this, elevators should never be used as the only means of controlling access into high-security areas.
If at all possible, provide barrier walls with card reader controlled doors between elevator lobbies and interior areas on every secured floor. This technique should always be used to control access to high-security floors.
When appropriate, use optical turnstiles or other similar devices to control access into the main elevator banks in the building lobby.
Consider using card readers at hall call stations at some or all floors. This requires users to first use their access card to call the elevator, and then use it a second time in the elevator car to select their floor.
If your access control system supports it, consider connecting outputs from the elevator floor select buttons as inputs to the access control system. This can be used to immediately reset the card reader output when a user presses a floor select button, preventing a second user from piggybacking on the first user’s card swipe. This also permits the access control system to know which floor select button was pressed when a card was used, allowing more accurate activity reporting.
The topic of elevator security and the ways in which an intruder may attempt to circumvent security measures using the elevator should be included in Employee Security Awareness training sessions. Employees should be taught to not give unknown people access to controlled floors and to immediately report anyone that they feel may be suspicious.
Ask your elevator company if they can provide a dry-contact output from the elevator control system that closes anytime that the elevator is placed into Fire Service Mode. This output should be connected as an input to your access control or security management system so that security and/or facilities personnel are immediately notified when any elevator is switched to Fire Service Mode.
Consider providing video surveillance cameras at all elevator lobbies and in each elevator car. These cameras can permit security personnel to observe suspicious activity (such as lingering in an elevator waiting for it to be called to a specific floor). Cameras can also be used to provide a visual record of who accessed each floor and when.
If you have any questions about this article, or need help in providing improved security for your elevators, please contact us.
Using Voice Messaging Systems In Security Applications
Since security systems were invented, audible warning devices have been used to "sound the alarm" when the security system is activated. In earlier years, bells and vibrating horns were the type of audible device most frequently used. In more recent times, sirens and other types of electronic sounding devices are commonly used in place of the bell or vibrating horn.
In a modern building, there may be literally dozens of different types of audible warning devices in use. Fire alarm systems, emergency exit alarms, elevators, electronic article surveillance systems, access control systems, and intrusion alarm systems can each have their own audible warning device. In an industrial setting, there may also be audible warning devices on production equipment, assembly lines, and on forklifts.
With so many different types of audible warning devices in use, it is sometimes confusing to building occupants when an alarm sounds. Is it the fire alarm? An emergency exit alarm? Or has a piece of production equipment jammed?
A "voice messaging system" can be used to supplement or replace many types of traditional audible warning devices. As its name implies, a voice messaging system plays a human voice when it has been activated. For example, if the fire alarm system has been activated, a voice messaging system could be be used to play a warning message that says "The fire alarm system has been activated, please evacuate the building immediately." The voice messaging system provides a clear and easily understood message to building occupants, and provides much more information than a simple bell or siren does.
Early voice messaging systems used an audio tape to record and play the message. These systems were expensive and not entirely reliable due to the potential for the tape to jam. Due to recent developments in electronic technology, there are a number of different types of digital voice messaging systems now available. These systems use an electronic memory chip to store the voice message and are very reliable.
There are two types of digital voice messaging systems available. The first type is what I call a "central voice messaging system". The central voice messaging system works in conjunction with a building public address (PA) system. Central voice messaging systems are used to broadcast a message throughout the entire building. These systems are ideal for situations where it is necessary to warn all occupants of the building, such as when the building fire alarm system has been activated. Central voice messaging systems are available in versions that have 4, 8, or 16 or more separate message "channels". Each channel has a unique voice message which can be activated separately. For example, if a building had four separate wings, a separate message could be played when the fire alarm was activated in a specific wing: .." or "the fire alarm system in the East Wing has been activated", or "the fire alarm system in the West Wing has been activated...", etc.
The second type of voice messaging system is what I call a "stand-alone voice messaging system". The stand-alone voice messaging system is a small self-contained unit that is designed to be used with one or two speakers. The stand-alone voice messaging system is ideal when it is necessary to broadcast a voice message only at a specific location. For example, a stand-alone voice messaging system could be used at a card reader controlled door in place of the traditional audible sounder. If the door was propped open, the system would play a voice message such as: "Warning - this door has been held open too long - please close the door behind you." Stand-alone voice messaging system are available with one or two voice message channels. These systems can cost as little as $250 installed, making them inexpensive enough to use in a wide variety of situations.
There are endless possibilities for using voice messaging systems in security-related applications. I'm sure that you can think of several uses for these systems in your own facility. Here are a few applications that we have encountered:
Large distribution warehouse: Central voice messaging system used to annunciate emergency exit alarms on exterior warehouse doors. Allows emergency exit alarm to be heard throughout warehouse; allows supervisors to quickly respond to specific door where alarm originated.
Large office building: Central voice messaging system tied to intrusion alarm system, plays warning message when intrusion alarm system has been armed. Prevents false alarms caused by employees who may still be in building when the intrusion alarm system is turned on.
Corporate headquarters building: Central voice messaging system connected to panic button installed at main receptionist's desk. Activating panic button plays discrete message over building paging system to notify emergency response team that receptionist requires assistance.
Hospital: Stand-alone voice messaging system connected to motion detector located at head of stairway leading to emergency exit door. Employees approaching the stairway are reminded that the door that they are headed to is for emergency use only and should not be used as an exit. Result: reduced false alarms.
Heavy industrial facility: Stand-alone voice messaging system connected to motion detector located at entrance to chemical handling area. Employees approaching this area are reminded that they must carry respirator and other safety equipment when entering this area.
Distribution center: Stand-alone voice messaging system connected to manual pushbuttons located at truck entrance to facility. Truck drivers can press button to receive specific driving directions to the destination to which they are headed.
Using Near Miss Reporting in Security
Near Miss Reporting
Near-miss reporting is widely used in accident prevention and safety in industries such as manufacturing, transportation, aviation, and healthcare. Near miss reporting is based on the premise that for every serious injury accident that occurs, there were many, many more "near misses" where there was the potential for an accident to occur, but nothing happened. By reporting, investigating and analyzing these near misses, the number of future accidents can be greatly reduced.
What is a "Near Miss"?
A near miss is an unplanned event that did not result in an accident or injury, but had the potential to do so. Only a lucky interruption in the chain of events prevented a tragic incident from occurring. Near-misses are also sometimes call "close-calls", "narrow escapes", and "lucky breaks".
Examples of near misses include:
An employee uses a ladder that is too short and stands on the top rung and reaches for something that is too far away. The employee falls off the ladder, but lands on a stack of rubber mats. The employee is badly shaken but uninjured.
A truck is backing up without a warning device and the driver is not looking behind him. A worker is nearly struck but manages to jump out of the way just in time.
A medical assistant mixes up medications on her cart and is about to give a patient the wrong medication. A nurse notices the mistake and stops the medication from being administered just in time.
A trailer is parked at a warehouse loading dock, but it's wheels have not been properly chocked. When a forklift drives in to the trailer, the trailer rolls away from the dock about 10'. Had this occurred when the forklift was entering or leaving the trailer, a serious injury accident could have been the result.
Why is the Reporting of Near Misses Important?
Some safety experts estimate that for every 1 serious injury accident that occurs, there are 29 minor injury accidents, and over 300 near misses. Because of the large number of near misses that occur relative to the number of accidents that occur, they are a rich source of data for identifying and analyzing the causes of accidents. Organizations that diligently report,investigate, and analyze near misses are often able to improve safety and greatly reduce the number of accidents that occur.
How Can Near Miss Reporting be Applied to Security?
It is our opinion that the basic principles of near miss reporting can be directly applied to security. Like in safety, near misses occur almost daily in almost every security program. For every serious loss or security incident, there are many, many more near misses where a loss could have occurred but didn't.
Examples of near misses in security include:
A receptionist fails to follow proper security procedures and inadvertently lets an unauthorized person into a highly-secure area of the building. As it turns out, this person was selling magazine subscriptions and caused no harm to the facility.
A laptop containing highly sensitive employee information is left overnight in an unsecured meeting room. The laptop is discovered the following morning by a janitor and is turned in to the Security Department.
A box of high-value merchandise is found stacked next to an outdoor trash dumpster by a warehouse manager. It is obvious that an employee placed this merchandise here with the intent of stealing it and planned to return after work to pick it up. The merchandise is returned to the warehouse before it can be taken.
The time schedules on the access control system were incorrectly programmed, causing the exterior doors to unlock several hours before the start of the business day. This condition persisted for several days until it was finally noticed by an early-arriving employee. No one appears to have improperly entered the building during this time.
In each of these cases, there was the potential for a loss to occur, but due to fortunate circumstances, the loss didn't happen. These are security "near misses". We estimate that for every 1 serious security incident, there are 10 minor security incidents, and as many as 100 security near misses.
Understanding what happened and why in each near miss situation is important in order to identify vulnerabilities in your security program and to take action to correct them. When major security losses or injuries do occur, employees often look back in hindsight and see that there were many warning signs (near misses) that this type of event was likely to happen, but these signs were ignored.
Most organizations have some form of security incident reporting system in place, but these systems don't always do a good job of tracking near misses. Often, if nothing is actually lost or stolen, an incident report is not filed. Employees often don't want to take the time to fill out an incident report if they can avoid it, and sometimes fear that reporting a near miss will get them or someone else in trouble.
We recommend that existing security reporting systems be expanded to track near misses, and that employees at all levels in the organization be encouraged to report security near misses. The following is recommended:
An environment should be created where everyone openly shares their thoughts on keeping the facility safe and secure. Every employee has a role to play in the security and loss prevention process. Employees should be educated on the value of reporting security near misses and understand the important role that they play in the reporting process.
A simplified process for reporting security near misses should be developed so that they can reported quickly and easily.
Employees should be able to report security near misses without the fear of disciplinary action. A mechanism to report near misses anonymously should also be provided.
Every security near miss should be investigated to determine its root cause and to identify weaknesses in the system that allowed the event to occur.
Use the information gathered from investigating security near misses to improve security systems and procedures.
Openly share the lessons learned from security near misses with all employees. When a new system or procedure is put into place as a result of a near miss, explain both the vulnerability uncovered and how the new system or procedure is expected to help correct this vulnerability.
Please contact us if you have any questions or need help in creating a security incident reporting system for your facility.
Also see related article: Security Incident Reporting System
Use of LED Lighting for Security Purposes
Having good outdoor lighting is a critical element in providing effective security at your facility. Having good lighting can discourage crime, make it easier to identify criminals, and make your employees and guests feel safer and more secure.
History of Outdoor Lighting
Since the late 1800's, a variety of different types of technology have been used to provide outdoor lighting. Initially, open arc lamps were used to provide outdoor lighting, but these were soon displaced by the incandescent lamp, which quickly became the standard for both indoor and outdoor lighting.
In the late 1940's, mercury vapor light fixtures were introduced, and offered the advantages of increased brightness, energy efficiency, and relatively long lamp life. One downside of mercury vapor lamps was the bluish-green color of the light that they produced, which many people found unpleasant. Despite this disadvantage, mercury vapor lights became a popular choice for outdoor lighting and street lighting in the 1950's and 1960's.
In about 1970, high-pressure sodium light fixtures came into use. High-pressure sodium lamps are very energy-efficient and quickly replaced the mercury vapor lamp as the preferred choice for outdoor and street lighting. Initially, people were turned off by the orange-yellow glow produced by the high-pressure sodium lamp, but they gradually became accustomed to this type of light. Today, high-pressure sodium lamps are the most popular type of lamp used in outdoor lighting applications.
Despite their popularity, high-pressure sodium lamps are not the best choice for all outdoor applications. In particular, the orange-yellow glow produced by the high-pressure sodium lamp makes it unsuitable when there is a need to accurately identify or display colors. Objects viewed under high-pressure sodium lamps may appear to be different than their actual color; for example an object that is blue may appear to be purple. This is undesirable in some applications, such as at auto dealerships, where it is desirable to display vehicles in their actual colors, or in security applications, where it may be necessary to accurately identify the colors of clothing and vehicles.
To meet the need for an outdoor light source that properly displays colors, metal halide lamps started to be used in some exterior lighting applications starting in the early 1980's. Metal halide lamps produce a true white light that allows colors to be properly displayed, overcoming this limitation of the high-pressure sodium lamp. Unfortunately, metal halide lamps cost more than high-pressure sodium lamps, are less energy efficient, and don't have as long of an operating life. Because of these reasons, metal halide lamps have not widely displaced high-pressure sodium lamps and are generally only used where their benefits outweigh the increased costs.
Other types of light sources have been used in outdoor lighting over the years, including compact fluorescent, low pressure sodium, and several others, but none of these have become widely-used alternatives to the high-pressure sodium lamp.
A New Concept in Outdoor Lighting
Recently a new type of lighting known as "LED lighting" has been introduced. "LED" stands for light-emitting-diode, a semiconductor-based light source that creates light through a process known as "electroluminescence". While most people think that LEDS are a new development, they have actually been around for more than fifty years. However, for most of these years, LEDs were only capable of producing a relatively small amount of light and their use was confined to things such as digital displays and indicator lights. Recent developments have created LEDS that are capable of producing much higher levels of light, allowing them to be used in general lighting applications in place of incandescent or other types of lamps.
The benefits of LED lighting are many and include:
Energy savings: LED lights allow a 60% to 90% reduction in the amount of energy used.
Long-life: LED lights can last up to 10 years or more.
Better color rendition: LED lights are available that produce near white light, allowing colors to be displayed accurately.
More directional: LED lights can be directed to the specific area where light is needed, avoiding "light pollution" in unwanted areas.
Instant-on capability: LED lights can be turned on and off instantly, making them suitable for use with motion detectors and in other security applications.
Ruggedness: LED lights are made of solid-state components and have no filament or glass envelope to break.
Friendly to the Environment: LED lights contain no toxic materials.
Controllable: LED lights can be dimmed and controlled for color.
Flexibility: LED lights are available in a variety of form factors, including wall mounted fixtures, pole mounted fixtures, bollard fixtures and strip lighting fixtures. LED lamps that are direct replacements for incandescent and other types of lamps are also available.
Almost all of the major lighting manufacturers see LED lighting as the wave of the future and are rushing to bring LED products to the market. GE, Phillips, and Osram Sylvania all have LED products available on the market today and plan to introduce many more in coming years. It is reported that some manufacturers have abandoned research on other types of lighting technology because they can't see it competing with LED technology in the future.
Costs of LED Lighting
At the present time, the cost of LED lamps and fixtures can be four to ten times the cost of traditional lamps and fixtures. Despite the significant savings in energy and maintenance that can be achieved using LED lighting, it can take three to five years worth of savings to pay for the initial purchase price. This length of time often exceeds the "return-on-investment" (ROI) criteria used by many commercial businesses when deciding on whether or not to make a capital investment.
However, many local power companies want to encourage the use of energy-saving technologies such as LED lighting and may offer one-time rebates and/or a reduced rate per kilowatt hour if LED lighting is installed. Some organizations may also be eligible to receive grants from government agencies to fully or partially fund an upgrade to LED lighting. This can alter the economics of the investment decision and may help justify the purchase of LED lighting.
Should You Upgrade Your Security Lighting to LED?
It is the opinion of Silva Consultants that LED lighting is becoming the preferred choice for all outdoor security lighting. However, we are hesitant to recommend that all facilities immediately upgrade to LED lighting at this time.
It is our opinion that this emerging technology will only get better and cheaper over the next several years, and that those who can postpone making an upgrade at this time probably should. Often those who are "early adopters" of any technology come to regret it just a year or two later when the same or better products are available at half the cost.
We suggest the following:
If your facility has an immediate need to upgrade its lighting, go ahead and consider the use of LED light fixtures as an alternative to traditional high-pressure sodium or metal halide fixtures.
If you don't have a need to immediately upgrade your lighting, take some time to research LED lighting but consider postponing your upgrade plans for a year or two.
If you want to take some "baby steps", experiment by using LED lighting fixtures on a limited basis now. For example, try replacing some of your existing wall pack light fixtures with an equivalent LED wall-pack fixture, or buy some LED lamps as replacements for some of your incandescent lamps.
Have questions about the use of LED lighting for security purposes? If so, please contact us.
Also see related article: Evaluating Your Parking Lot Lighting
Three Dirty Little Secrets about Video Surveillance Systems
Dirty Little Secret #1 - Security Cameras Rarely Serve as a Deterrent to Crime
Despite an almost universal belief otherwise, there is no conclusive evidence that video surveillance systems serve as a deterrent to crime. While a few studies have shown that there may be a decrease in crime when cameras are installed in certain settings, such as publically-operated parking garages, there are many more studies that have shown that the installation of security cameras has no effect whatsoever on crime rates.
While more independent studies are needed, the evidence at this point suggests that security cameras rarely prevent crimes from occurring, and almost certainly don't deter crime to the degree that is implied by many sellers and installers of video surveillance equipment.
As security consultants, we receive video recordings from our clients almost weekly showing criminal acts in progress. Most of these acts are committed brazenly in front of a camera, confirming that the presence of a camera served as no deterrent.
The following should be considered when contemplating the deterrent effect of video surveillance cameras:
Most people who engage in criminal behavior don't have the same thought processes that honest people do and don't consider the long-term consequences of their actions.
Many people who commit crimes aren't thinking rationally at the time they commit them. They may be drunk, high on drugs, or suffering from some form of mental illness.
Smart criminals are well-aware of the limitations of video surveillance systems and may plan their crimes around them. They may commit crimes just outside of the range of cameras, or wear simple disguises to conceal their identity.
People become desensitized to the presence of video cameras after a short time. While there may be an awareness of cameras when they are first installed, they soon become part of the environment, making regular occupants of the area almost oblivious to their presence.
Many law enforcement agencies lack the resources to investigate and prosecute minor property crimes, even if good images of the perpetrators are available. Many criminals know this and blatantly commit crimes in front of video cameras, knowing that there is little chance that they will be caught or prosecuted.
Dirty Little Secret #2 - Most Recorded Video is Useless as Evidence
The goal of most video surveillance systems is to provide recorded evidence when a crime has been committed, allowing the criminal suspect to be quickly identified, captured, and prosecuted. Ideally, the recorded video would show the criminal in the act: stealing the computer, vandalizing the car, or assaulting the victim. Images on the recorded video would provide a good picture of the suspect, allowing his facial features, clothing, and any distinguishing marks to be clearly recognized. When the suspect is captured and brought to trial, the video evidence would be compelling enough that a jury would be convinced of the suspect's guilt "beyond a reasonable doubt".
While this type of scenario is often played out on television shows and in movies, it rarely occurs in the real world. Most users of commercial video surveillance systems are deeply disappointed when they discover that the system that they have purchased can't provide recorded video that is useful as evidence. This dissatisfaction usually comes to light when the user reviews recorded images in an attempt to investigate a crime after the fact. Complaints frequently heard are: “I can see the person, but can’t identify who it is”; “I can see the person, but I can’t see what they are carrying”; "I can see a car, but can't tell the make or model or read the license plate"; “when I enlarge the picture, it is nothing but a blur!” ; "the view of the camera is blocked in exactly the area that I want to see".
Most problems related to the quality of recorded images can be attributed to the following:
Too few cameras with too wide a field-of-view: Cameras can view a wide area, or provide a high-level of detail, but not both. Many cameras are set to view an excessively large area, which makes it impossible to positively identify people at most points within the scene. A study by the FBI suggested that, in order for a person's face to be positively identified, the person must equal approximately 120% of the vertical height of the video image. To get this type of image requires an extremely narrow field of view, allowing each camera to cover only a very small area. While not everyone agrees with this study, almost everyone admits that most cameras installed today have fields of view that are set too wide to allow facial recognition throughout most of their coverage area.
Improper viewing angle: To best identify a person, a camera needs to have a relatively straight-on shot of the person's face. Many cameras are installed too high, at the wrong angle, or pointed so that they only see the side of the face or the back of the head. For example, at building entrances, it is common to only have a camera inside pointing out towards the door. While this camera can provide a good view of someone entering the building, it can only see the back side of a person exiting.
Blind spots in coverage area: There are lots of obstructions in settings such as parking garages or warehouses. Cameras can't see through structural columns, parked trucks or stacks of pallets, often creating conditions where large portions of the facility cannot be seen by a camera.
Improper lighting conditions: Cameras need to have an adequate amount of light in order to see. More importantly, the lighting needs to be uniform throughout the viewing area. Too little light or the combination of bright areas and dark areas within the viewing area will usually produce a poor quality image.
Improper recording resolution setting: There is a trade-off between the video resolution used for recording and the amount of time that images can be stored on the recording device. The higher the resolution, the less recording time. In many cases, the resolution setting has been set to an unacceptably low rate in an attempt to maximize recording time.
While all of the problems identified above are solvable, the cost of doing so can be prohibitive in many applications.
Although it is relatively easy and cost effective to get good quality recorded video in small, confined areas such as at building entrances or at teller's windows, it can be much more challenging and expensive to cover large open areas such as parking garages and warehouses.
Most property owners don't want to spend the money that it takes to properly provide evidentiary quality video coverage throughout their facilities, as this can require many more cameras and much more recording equipment than they originally planned on installing. Instead, they choose to install far fewer cameras than are actually needed and hope for the best. They are often aided and abetted in this effort by security integrators, who would rather sell just a few cameras than none at all.
The net result: a video surveillance system that fails to meet the owner's needs and is incapable of providing recorded video that is useful as evidence.
Dirty Little Secret #3 - "Megapixel" Security Cameras Won't Cure All Video Surveillance Problems
New high-resolution video cameras have been introduced in recent years and these cameras are now becoming popular in the video surveillance industry. Offering resolutions of up to 16 megapixels (MP) and higher, these cameras promise to provide a quality of video that is substantially better than that provided by traditional standard definition (SD) cameras.
Many manufacturers and security integrators have been quick to tout the benefits of these cameras, claiming that they are the cure to all of the weaknesses of traditional video surveillance systems. Some of the claims that we have heard by manufacturers include: "one megapixel camera can replace up to ten of your standard fixed-position cameras"; "there is no longer any need for pan-tilt-zoom cameras - our 360 degree megapixel camera can view and record all areas all the time"; and "our megapixel cameras will finally allow you to positively identify faces and read license plates throughout your parking lots"…, etc.
Our actual experiences in seeing megapixel cameras in use at some of our clients facilities paints a somewhat less flattering picture. While megapixel cameras can be beneficial in many applications, it is our opinion that the capabilities of megapixel camera have been greatly oversold by many manufacturers.
Some of our findings include:
Megapixel cameras work best in indoor applications where lighting is adequate and doesn't vary significantly throughout the day. In these conditions, megapixel cameras are capable of providing a significantly better quality image than that provided by a standard definition camera.
Using high megapixel cameras in outdoor applications can pose challenges. While the image quality provided during the day can be great, the image quality at night can suffer when lighting conditions are less than ideal.
The increased resolution provided by megapixel cameras can provide an improved ability to make out facial details and license plates when the camera's field of view is properly focused on the area of interest and lighting conditions are correct. In some cases, this may allow the use of fewer cameras to cover the same scene, however it is still unrealistic to expect a single megapixel camera to cover a large area. Thinking that you can install just a handful of megapixel cameras to get evidentiary quality video coverage throughout your entire parking garage is unrealistic.
The installation of megapixel cameras can't solve problems such as blockage of view, improper viewing angle, and poor lighting conditions.
The quality of images produced by megapixel cameras can vary greatly by manufacturer, particularly in real-world surveillance applications. Cameras with a higher megapixel rating don't necessarily produce better quality images than cameras with a lower megapixel rating.
Our conclusions: megapixel cameras can provide improved performance in some applications, but they are not a "magic bullet" that will automatically solve all of your video surveillance problems.
Video surveillance systems can be a useful tool when designed and installed correctly, and when the user has realistic expectations about what they can and cannot accomplish. In many cases, users will install video surveillance cameras as a "quick fix" when they are having a security problem, without considering that cameras may not be the correct solution. Cameras installed under these circumstances are almost always a waste of money.
We recommend that clients develop a comprehensive security plan for their facility before making the decision to install security cameras. This plan should be based on a security risk assessment and address all aspects of security including security policies and procedures, employee training, architectural security, and electronic security systems.
While video cameras can be part of your overall security plan, they are rarely a security solution in themselves.
If you need help in assessing your security needs, preparing a security plan, or reviewing your video surveillance system, please contact us.
Top 15 Problems Found During a Security Assessment
Over the past 35 years, Silva Consultants has conducted more than 1,500 physical security assessments for a wide variety of different types of clients. While each project is unique, certain problems seem to come up time and time again.
The following is a list of the top fifteen problems that we have found when conducting physical security assessments for our corporate clients. Check this list to see of any of these problems may exist at your company:
There is no real support for the company's security program from senior management. Members of the leadership team fail to follow security procedures themselves, setting a bad example for the rest of the company's employees.
Employees don't receive formal security awareness training and lack knowledge of the company's security policies and procedures. Employees have not been properly trained on how to deal with events such as workplace violence.
Employees fail to take basic precautions to protect company-owned and personally-owned assets. Offices, desks and workstations are frequently left unlocked; high-value items such as laptop computers, purses and backpacks are left unsecured.
There is poor supervision of the contract security guard service used at the company. Too much reliance is placed on the contract security agency to properly supervise its own security guards, with little of no oversight provided by the client who hired them.
There are poor visitor control procedures: visitors aren't required to verify their identity, some types of visitors come through back entrances and don't sign in, visitors are not properly escorted in and out by employees, many visitors fail to sign out when they leave.
There is poor compliance with the company's identification badge wearing policy; many employees and vendors don't wear their badges, badges are worn in the wrong location or hidden, pictures on badges are outdated and unrecognizable.
There are gaps in security background check procedures; while procedures for regular employees may be good, there is improper reliance on vendors and contractors to background check their own employees; some types of contract employees may go unscreened.
There is poor control of keys issued to employees: no justification for who gets issued which keys, no good record of who has been issued keys or when, no procedures for dealing with lost or missing keys, no assurance that keys are turned in when an employee leaves the company.
There is no good system in place to track thefts, losses and other security incidents: many incidents go unreported, there is no follow-up on incidents, and a quarterly or annual report that summarizes incidents is not prepared or analyzed.
There are poor procedures for handling confidential information: sensitive documents are found left lying in unsecured areas, confidential file cabinets have inadequate locks, confidential information is placed in regular trash or recycle containers rather than shredded.
Doors at building entrances and at secured interior areas don't close properly or are left unlocked or propped open by employees.
There is poor control of shipping/receiving/loading dock areas: doors are left open while unattended, valuable merchandise is left unsecured on the dock, and delivery drivers allowed to wander into secured areas.
Employees managing and monitoring the company's electronic security systems don't really know how to use them. Only a small fraction of the security systems capabilities are being used.
Electronic security systems are not thoroughly tested on a regularly scheduled basis.
There is inadequate lighting in the company's exterior parking areas and along the exterior pathways to the building.
If you need Security Assessments conducted for any of your facilities, or need help in solving any of the problems listed above, please contact us.
The Receptionists Role in Security
Most companies and organizations have a receptionist at their front desk or main building lobby. Duties of the receptionist typically include greeting visitors, answering the telephones, and the handling of incoming mail. At some companies, the receptionist may perform other duties such as filing, the scheduling of conference rooms, managing employee schedules and other clerical functions.
In addition to their other duties, receptionists also play a critical role in the building's overall security program. Receptionists are often given the task of signing in visitors, issuing visitor badges, controlling access in and out of the building, and observing suspicious activity. This is particularly true at buildings where no security officers are provided and the receptionist serves as the first (and sometimes only) line of defense against unwanted guests and intruders.
Because of the crucial role that they play in security, it is important that tools be given to receptionists to allow them to effectively perform their security duties. Here are some suggestions:
The receptionist's security responsibilities should be formally defined and included in the receptionist's job description. When both a receptionist and a security officer are assigned to work in the lobby, the specific roles and responsibilities of each should be clearly defined.
People who are assigned to be a receptionist should have the personality and aptitude necessary to perform this job. Receptionists should have a cheerful and outgoing personality, enjoy working with people, and have the ability to deal with conflict when necessary. Many people who are excellent at doing other types of clerical work may be unqualified to work as a receptionist or be uncomfortable when performing this role.
Receptionists should receive formal security training that includes guidelines for spotting suspicious behavior and techniques to verbally de-escalate potentially dangerous situations.
The building lobby should be designed in such a way that the receptionist is not the only thing that stands in the way of an intruder entering the building. A well-designed lobby can greatly increase the effectiveness of the receptionist and greatly improve building security. (See Designing Lobbies for Good Security).
The receptionist's primary job should be to greet visitors. If the volume of visitor traffic is relatively low, the receptionist can be assigned other duties, but these duties should be of a type that can be stopped immediately when a visitor arrives. Duties assigned to the receptionist should not require the receptionist to leave the lobby area.
It is common practice for the receptionist to also serve as a telephone operator and to answer the organization's main telephone line. We discourage this practice because the telephone operator role can be a time consuming job during certain periods of the day, and because the receptionist cannot immediately stop talking on the phone when a visitor arrives. We also think that it is unwise to give everyone sitting in the lobby the opportunity to overhear incoming telephone calls.
Good visitor control procedures should be established and communicated to all employees. To automate the visitor sign-in process, consider the use of an electronic visitor management system. (See Introduction to Electronic Visitor Management Systems).
We highly recommend that all incoming deliveries and packages be received at the mailroom or shipping/receiving department, not at the receptionist's desk. If this is not possible, receptionists should receive training on the spotting and handling of suspicious packages, and a separate storage area for packages should be provided near the receptionist's desk.
The receptionist's desk should include a panic alarm system that allows help to be summoned quickly in the event of an emergency. (See Introduction to Panic Alarms).
If you have questions, or need more information about the role of the receptionist in security, please contact us.
Testing of Intrusion Alarm Systems
Remember when your intrusion alarm system was first installed?
You may have experienced several false alarms during the first year that your system was in operation. Some of these false alarms may have been due to "user error", caused by you or one of your fellow employees. Maybe you also had a false alarm or two due to defective equipment.
Several years have gone by and the false alarms seem to have disappeared. You dutifully turn your system on every night, and turn it off every morning. Everything seems to be working fine. Is it?
A test by one company of its intrusion alarm systems revealed some disturbing results. This company had Silva Consultants perform random tests at approximately fifteen of its facilities located within the western United States. The intrusion alarm systems at these facilities ranged from three to seven years in age and were installed by a variety of both local and national alarm installation companies. Some of the problems that we identified during these random tests included:
Motion detectors in a warehouse that were completely blocked by inventory. In one warehouse that was examined, every interior motion detector was blocked by merchandise.
Magnetic door contact switches that were disconnected from the system. Most of these switches were "temporarily" bypassed during service calls and were never reconnected to the system. At one facility, switches on 13 of the 28 overhead doors were bypassed.
Glass breakage detectors that had their sensitivity setting set to zero. In an attempt to reduce false alarms, the system installer had set the sensitivity settings so low that even a hurricane breaking every window would not cause these detectors to set off an alarm.
Alarm control panel that was disconnected from phone lines, preventing the monitoring center from receiving alarm reports. In one case, the customer had upgraded his telephone system more than three years earlier. The telephone line connections to the alarm panel were accidentally disconnected at that time, and the problem was not discovered for three years! All the time the customer was paying for monitoring and was feeling good because the system wasn't having any false alarms!
Defective control panel. Control panel allowed customer to turn system on and off normally, but would not send alarm to monitoring center when alarm was tripped. Problem later determined to be caused by lightning damage.
Systems not properly interconnected. At one facility, a critical freezer temperature monitoring system was supposed to be connected to the intrusion alarm system to permit monitoring by the alarm company. Upon testing, it was discovered that the final connections between the two systems was never made - each installer had assumed that the installer of the other system would take care of the final connections. This problem existed in the system since the day it was installed and yet was not discovered until the system was tested by Silva Consultants two and a half years later.
The conclusion: intrusion alarm systems should be tested regularly to assure that they are in proper working order.
Suggestions for Testing
Tests of intrusion alarm systems at "average risk" facilities should be conducted at least annually. Systems at "high risk" facilities should be tested at least quarterly. (Your insurance company may require more frequent tests.)
Tests should be conducted by a company other than the one who installed and/or services the existing system. Alternatively, the system may be tested by the regular installation and service company provided that the tests are witnessed by the owner of the facility or the user of the intrusion alarm system.
Every device in the system should be tested. Open every door, trip every motion and glass break detector, activate every panic button or hold-up alarm device. Remember, if it seems like too much trouble to test a particular device, it is likely that the system installer felt the same way when he first put in the system. These "hard-to-test" types of devices are the ones that need testing the most.
If the system is monitored, have the monitoring center provide a written report showing which alarm zones were received and when. As most monitoring centers are now computerized, it is usually not a problem to have a report printed and emailed to you just after completion of the test.
Disconnect the system from it's primary power source to test the back-up battery systems. This can usually be done by simply unplugging the low-voltage transformer that is plugged into the wall near the panel. Operate the system for ten to fifteen minutes without power and then trip the system to make sure that it still works OK.
If the system is monitored, unplug the connections between the alarm panel and the telephone lines. Leave unplugged for about five to ten minutes to make sure that the panel's telephone line supervision feature is working correctly.
If you have questions, or need help in developing testing procedures, please contact us.
Ten Ways To Get Poor Performance From Your Guard Company
Don't bother to provide a written specification outlining your requirements when you go out to bid for a contract security guard agency. After all, they are supposed to be experts in their field and should know what to provide you without being told.
Don't ask the contract security agency about the type of salary, training or benefits that they provide for their security officers. These questions are an internal matter and are none of your business.
Always select the lowest bidder. Guard agencies are all the same - why not get the lowest price?
Don't bother to teach the security officers anything about the way your business operates. After all, there is so much turnover in the guard business that it is a waste of time to teach the security officers anything.
Don't provide written operating procedures for the security officers. If you must provide something in writing, be sure that it is outdated or that it conflicts directly with something that you verbally told the security officer.
Don't provide a person at your company for the security officer to contact in case he encounters a problem after-hours. Let him solve the problem on his own; after all, that is what you are paying him for.
Give the security officers plenty of non-security duties to perform. This is a good way to reduce employee "head count" at your company and make it look like you are doing the same work with less people. If possible, have the security officers perform duties that will degrade the officer in the eyes of your employees. Having the security officer deliver newspapers, wash company cars, or bring in lunches for employees are all good ways to show that the officer is a "gopher" rather than a security professional.
If you have a sophisticated security system that must be monitored, always select security officers who have no technical background and are uncomfortable around computers. Don't train the officers on the proper use of the monitoring equipment. (It is fun to set off several alarms and then watch an inexperienced security officer try to figure out how to silence them.)
Don't bother to monitor the performance of the contract security agency. You have better things to do on weekends than to come in and check up on the security officer.
Don't bother to communicate regularly with the management of the contract security agency. What good will complaining do anyway? When things get too bad, fire the present security agency and go out to bid again.
(Sarcasm intended - these are the things that you should NOT do if you want to successfully utilize contract security officers at your company.)
Ten Common Security Design Mistakes Made by Architects
We have been working with architects for over 35 years and love them.
Most architects are creative, hardworking professionals that have the best interests of their clients at heart. But unfortunately, most architects have received little or no training on security, and often don't give proper consideration to security issues when designing a new building.
Sometimes, what is necessary for good security is in conflict with the artistic vision that the architect has for the building, and he or she chooses to ignore security considerations unless otherwise prodded by the building owner.
Here are common security design mistakes made by architects:
#1 - Architect Doesn't Consider the "Big Picture" When Designing Security for the Building
When many architects think of security, they think of electronic security systems, such as access control or closed-circuit television systems, and often don't consider the broader implications that the design and layout of the building can have on security.
Security is much more than just electronic security systems. Almost every aspect of the building design can have an impact on physical security. Site layout; the locations of entrances, stairways, and elevators; the design of the lobby; and the physical separation of functions within a building all have a direct and lasting effect on how well a building can be secured. Many elements of building construction, including doors, windows, lock hardware, landscaping, and lighting can either make security better or make security worse depending on how they are designed.
Mistakes made during the design process are often difficult or impossible to correct once the building is constructed. Poorly designed buildings increase security risks, and can make operating the security program on an ongoing basis much more expensive than necessary.
#2 - Architect Doesn't Consider Security Early Enough in the Design Process
Often, the first time that the subject of security comes up is late in the design process, when the architect starts asking the owner, "OK, where do we put the cameras and card readers?" (related to #1 above).
Sometimes, a security consultant is brought in once the owner starts finally thinking about how the building will be operated, but this is often at the stage when construction documents are just being finalized. At this point, there is a strong reluctance to alter the design in any significant way, and it may be costly to make the changes necessary to provide good security.
#3 - Architect Relies on Electrical Engineer or Security Systems Vendor for Security Design Expertise
Because many architects think security is electronic security systems (related to #1 above), they often rely on security system vendors or the project electrical engineer for security design advice. While these individuals can do a good job of designing the security systems once the owner's requirements are known, they generally lack the expertise necessary to conduct a risk assessment and develop a comprehensive security program for the facility, of which electronic security systems are only a small part.
#4 - Architect Relies Exclusively on Owner for Guidance
Many architects look exclusively to the owner to tell them exactly how the building should be designed from a security standpoint and what types of security systems should be used.
It is rare that an owner actually has the level of security expertise necessary to do this. Being a user of security systems doesn't make someone qualified to design the physical security of a new building.
Often, the owner will simply tell the architect to "do what we are doing at our present building", regardless of whether or not this makes sense for the new building.
It is interesting that an architect wouldn't dream of designing the structural, mechanical, or electrical systems in the building based solely on input from the owner -- qualified engineers in each of these disciplines would be brought in to provide their expertise. Yet frequently the architect relies exclusively on the owner to provide the security design of the building.
#5 - Architect Provides Inadequate Physical Separation Between Public and Non-Public Facilities
Private office buildings often contain facilities within them that are intended for use by the general public. This can include restaurants, public parking garages, observation decks, and meeting rooms made available for use by outside parties.
The separation of public and non-public areas is essential in providing good security, yet many architects fail to fully consider this during the design of the building. Common mistakes include:
Placing public facilities well within the secured building area, requiring that public users pass through secure areas in order to reach their destination. An example would be a public meeting room that was located within the Finance Department on an upper floor. This would require that public users pass through the Finance Department on their way to the meeting room.
Designs that require that public users have access to elevators or stairways that also provide access to non-public areas.
Placing amenities such as restrooms within secured areas and allowing public users to have access to these facilities.
Having parking garages where there is no physical separation between public parking areas and employee parking areas.
Having common shipping and receiving or trash disposal facilities that give non-employees access to critical areas. An example would be a trash compactor located within a shipping/receiving area that needed to be used by caterers providing food for an after-hours event in a public meeting room.
Failing to consider the different operating hours of public facilities. For example, a restaurant may open earlier or close later than the main building. This can cause complications when using shared lobbies, elevators, or parking garages.
#6 - Architect Provides Inadequate Physical Separation Between Floors or Departments
Many buildings are designed using an "open-office" concept, where the floors are largely open, and there are few if any walls that subdivide the floors. In multi-story buildings, the architectural design often calls for open staircases that provide free access between some or all of the floors.
While there are many benefits to an "open" architectural design, it greatly complicates security. An intruder who gains access to one area has complete access to all areas. It is difficult or impossible to do a "lock-down" of the facility in order to minimize damage that can be caused by an armed or violent intruder. A dishonest employee who decides to steal property or information from the company now has access to not only the department in which he works, but to the entire company.
#7 - Architect Fails to Consider Conflicts Between Egress Requirements and Security Requirements
Building and life safety codes require a means of emergency egress out of every area of the building. Often, at least two points of emergency egress are required out of any given area. This can create conflicts when the path of egress requires passage through a secured area.
For example, a public meeting room may be located directly adjacent to the Information Technology (IT) Department. The emergency exit stair for the floor is located within the IT Department, requiring that public users pass through a door between the meeting room and the IT Department in order to gain access to the stair. This prevents the door from being locked, and requires the use of a "work-around" such as an exit alarm or delayed-egress device.
#8 - Architect Provides Too Many Building Entrance Points
Buildings are often designed with way too many points of entrance. Sometimes this is done for perceived employee convenience, or because a door is required for emergency exit and the architect decides to make this door a point of entrance as well. Sometimes, additional points of entrance are provided in an attempt to resolve a poorly designed internal circulation system.
Having too many entrance points increase security risks and makes it difficult to properly control access in and out of the building. Having out-of-the-way employee entrances can cause an increased number of security violations (tailgating, door propped open, etc.) and place employees at risk. Having unnecessary entrance points increases initial security system costs as well as the costs for ongoing maintenance. Each unneeded entrance door is an additional point of potential failure in the building's security system
#9 - Architect Relies Exclusively on Elevators to Provide Security
Multi-story buildings are sometimes designed where the elevators provide direct access to an open floor area. Often, the point on the floor where the elevator lands is unattended, allowing anyone who steps off of the elevator to have free access to the entire floor.
To provide "security" for the floor, the architect specifies card readers for the elevator, requiring that employees use their access card in order to get to the floor. This arrangement fails to consider the ease in which an intruder can gain access by following an employee on or off the elevator; or by simply walking into the elevator and riding it until it reaches the desired floor.
(See related article: Weaknesses of Elevator Access Control)
#10 - Architect Specifies Doors or Locks that Look Good But Work Poorly
Architects often want to give a distinctive look to their buildings and often choose to use specialized or customized doors and/or lock hardware to achieve this goal. Unfortunately, most doors and hardware that fall into this category provide poor security and cause long-term maintenance headaches for the owner.
Examples of problematic types of doors and hardware include:
Doors over eight-feet tall.
Automatic sliding doors (unless specifically designed for security use).
Accordion doors (such as used for fire separation or as movable partitions).
Doors or lock hardware that are custom-made for a specific project, or are principally used in a foreign country.
Electric bolts and electromagnetic shear locks.
Any type of floor-mounted electric locking device.
A good security consultant can keep architects from unintentionally doing things that compromise security. Smart architects include a security consultant on their design team, and smart owners insist that they do so.
For more information about avoiding design mistakes that compromise security, please contact us.
Six Low-Tech Ways in Which Your Competitors May Be Spying on You
When people think of industrial espionage, they envision scenes from movies like James Bond or Mission Impossible, where the spy scales the wall, bypasses the alarm, forces open the safe, and makes off with the secret documents, barely avoiding capture. In other scenarios, people envision an industrial spy sneaking into the corporate boardroom to plant a listening device, or using sophisticated methods to tap into the phones or the computers carried by company executives.
While these types of attacks do occasionally happen, and receive a lot of sensational press coverage when they do, they are actually quite rare. Most actual industrial espionage is done using far more mundane methods, some of which can actually be legal.
Here are six low-tech ways in which spies may be able to gather intelligence on your organization:
Taking a Walk Around Your Building or Campus
It is amazing how much business intelligence a person can gather by simply walking around the exterior of your buildings and looking through your windows. This is particularly true in open campus settings where the public is allowed to roam freely between the buildings.
Things that can be observed by looking through the windows commonly include:
Whiteboards or presentation pads that have sales data, marketing plans, or new product launch information written on them.
Prototypes of new products and packaging.
Materials associated with new advertising campaigns or promotions.
The names, job descriptions, and contact information for company employees.
The names of customers and suppliers.
Smart spies are aware of this easy method of gathering intelligence and may make regular trips to your campus to gather information by simply walking around.
Looking Through Your Trash
Your trash and recycling bins can be a treasure trove for someone attempting to gather intelligence on your organization. Despite policies to the contrary, many employees continue to throw documents containing confidential information into the trash without shredding them first. Some items, such as prototypes of packaging for new products, can provide a competitor with valuable product development information yet are often thrown into the regular trash.
Sometimes, employees will follow proper disposal procedures when working at their desk, but fail to think about security when disposing of documents in places such as cafeterias or outdoor seating areas that may be open to the public.
Smart spies may attempt to gather confidential information from your trash, either directly, or by using an inside party to help them (such as a janitor, recycling company driver, etc.)
Overhearing Employee Conversations
In many cases, restaurants, bars, or coffee shops located near your campus may become informal gathering places for your employees. A person seeking to gather intelligence on your company can strategically place themselves so that they can overhear conversations taking place among employees.
As an example, we have a client who has a Starbucks store located about a block away from their headquarters in downtown Seattle. This store is used as a frequent gathering place for employees throughout the day, who can be identified by the company badges that they are wearing. By sitting in the vicinity of these employees, we were often able to overhear confidential business being discussed. One time, we were even able to overhear a group of employees rehearsing a sales presentation that they were planning to make to a major government agency later that day.
Smart spies may attempt to identify the places that are the likely hang-outs for your employees, and may deliberately go to these places in an attempt to overhear employee conversations.
Monitoring Social Media and Forums
Employees sometimes unknowingly disclose confidential company information when posting on business and social media sites such as Facebook and LinkedIn. Engineers, scientists and researchers often openly share information on technical forums and sometimes inadvertently disclose trade secrets and other information that their employers would rather keep private.
Smart spies will identify your key employees, and then attempt to monitor their postings to social and business media sites and forums. Most of this information is public and freely available.
Sometimes, something as innocent as posting your business travel plans can provide information that is useful to a spy. For example, one company learned that two of their major competitors were planning a merger because of frequent trips made by senior executives between the two cities in which the competitor's respective corporate headquarters were located.
Talking with Your Vendors
Most companies rely on a wide range of different types of vendors, including suppliers and contractors, to support their business operations. In many cases, these vendors are considered valued business partners and are given access to some of the company's most important secrets.
While most vendors have honorable intentions, they typically don't do business exclusively with you and probably also have similar relationships with some or all of your competitors. Sometimes in an attempt to appear knowledgeable or to make a sale, a vendor may deliberately or accidently leak confidential information about your company. Sometimes, these leaks may be the actions of an individual vendor employee and not sanctioned by the vendor company itself, but this doesn't make them any less damaging.
Smart spies may deliberately target your vendors and suppliers to obtain confidential information about your company. They may pose as a potential customer wanting to buy a product or service, or as a reporter from a newspaper or magazine. They may even pose as someone from your own company, asking the vendor to send or otherwise disclose confidential information directly to them.
Talking with Your Current and Former Employees
Your current and former employees know a lot about your company. Sometimes, without knowing it, they can inadvertently disclose information that can be damaging to your company. They can be particularly vulnerable in social settings, where alcohol is be being consumed and their guard is down.
Smart spies may specifically develop relationships with your current or former employees to gather confidential information. The spy may get introduced through a "friend-of-a-friend", or offer the employee a job or lucrative consulting assignment that can be performed without interfering with the employee's regular job. Spies are especially likely to target employees with personal or financial problems, or employees that have issues with drug or alcohol abuse.
One + One Can = Five
It should be kept in mind that intelligence gathering is a cumulative process. While any one piece of information in itself may not be of much value, a collection of multiple pieces of information can be assembled over time into something that is extremely valuable. A good spy recognizes this, and can often take a tiny scrap of leaked information and develop it exponentially into something that can be very damaging to your company.
For example, an overheard conversation in a coffee shop + a packaging prototype found in the trash + sales projections observed on a whiteboard + forum postings by an employee bragging about a new technology + material order information provided by a vendor can = a fairly complete picture of a new product that you are planning to launch. This information could allow an unscrupulous competitor to beat you to market with a copycat product, causing your company to lose revenue and possibly suffer great financial harm.
Things That You Can Do To Prevent Low-Tech Spying
Employee security awareness training is the single most important preventive measure that you can take to prevent low-tech spying. Employees need to be made aware of the things targeted by industrial spies and the methods that may be used by spies to gather information. Most employees are oblivious to the risks of corporate espionage and often compromise security for the sake of convenience or in an attempt to be helpful to others.
Develop effective procedures for the disposal of sensitive documents and other confidential information. Conduct random inspections of trash and recycle bins to make sure that confidential material is not being disposed of improperly. (See related article: Are You Throwing Your Company Secrets In The Trash?.)
Walk around your buildings to see what a spy could observe from the outside. If necessary, move whiteboards and presentation screens so that they cannot be observed from the outside. Make employees who have offices on the exterior of the building aware that the things that they have in their offices could potentially be observed by a spy. In general, anything that contains information that has not yet been released to the public should not be displayed within exterior offices.
Educate and frequently remind employees of the potential risks of posting company-related information on social media sites and in forums.
Educate and frequently remind employees about the risks of discussing company business with outsiders, especially in social settings. Employees should be particularly cautious when talking with people who they have just met or who appear to take an unusual interest in their work. Employees should also be cautious about being overheard when discussing company business in a public setting.
Develop procedures for managing projects that involve confidential information. Use non-descriptive code names for projects. Compartmentalize projects to the greatest extent possible and only allow authorized employees to have access to project areas. Share information about the project with employees on a need to know basis. Limit the amount of confidential information shared with vendors. Don't think that NDAs (non-disclosure agreements) alone will provide adequate protection of your intellectual property.
Periodically use search engines such as Google to search for information about your company and your key employees. Visit business and social sites to see what is being written about your company and its employees.
If you have questions, or need help in developing security systems or procedures to prevent industrial spying, please contact us.
Should You Always Take The Low Bid
As the security manager for your company, you have just designed a new video surveillance system to observe your parking lots. You prepared a written bid specification, and submitted it to several security systems contractors in the local area. You conducted a pre-bid walkthrough with all the bidders to fully explain the system that you require.
It's two weeks later and you have received three bids. One is for $140,000, one is for $120,000, and one is for $75,000. What gives? How can there be so much disparity in the bid prices?
The low bid of $75,000 is well below the $125,000 that you budgeted and you sure have a lot of places where you could use that extra $50,000. Should you accept the low bid?
As a general rule, a variation of 10% to 20% in security system bids is normal. Variations of greater than this sometimes occur, but a bid that is 50% lower than the next lowest bid should always raise a warning flag.
Most qualified security systems contractors pay about the same wages to their employees and usually pay about the same prices for their equipment. Although some larger companies purchase in volumes that allow them to receive reduced prices for equipment, this savings is often offset by the increased administration and overhead costs incurred by the larger company.
Large variations in bid prices or an unusually low bid can be caused by any one of the following:
Contractors not proposing equal quality equipment. This is often occurs when there is no bid specification or when the specification does not clearly define the equipment requirements.
Contractors not proposing same quantity of equipment. This most often occurs when the quantity of equipment is not clearly spelled out in the bid specifications or other design documents. If the specification says "provide cameras to view parking lots" and does not spell out the number of cameras or camera locations then this type of variation is almost certain to occur.
Contractors not proposing same type of accessories. One contractor may be providing equipment with all available accessories, another may be providing a "bare bones" configuration. For example, one contractor may be providing environmental camera housings that include a sunshield, a heater, and a blower. The other contractor may only be providing a simple outdoor housing with none of these accessories. Unless accessory items are clearly called out in the specifications, major deviations in bid prices can be expected.
Contractors underestimate or overestimate amount of installation labor required. This is the one of the most common reasons for deviations in bid prices. Estimating the labor required for any given installation is not an exact science and is highly subjective. Unlike other construction trades, there are no recognized industry standards for estimating the installation of a security system.
Mistakes made in estimating. Bids are often put together hurriedly and under pressure. It is not uncommon for an estimator or salesperson to be finishing up the bid only hours before it is due. We have evaluated hundreds of security system bids and have found mistakes in a large percentage of them. Often when we evaluate a bid that is substantially lower than the others we find that the bidder has left one or more major cost items out of his or her bid.
Contractors proposing different levels of after-the-sale support. Items such as training, system programming and configuration, and warranty service are not free and cost the contractor money to provide. Each contractors idea of what constitutes "training" may differ greatly. One contractor may be planning on hiring a professional trainer from the manufacturer to conduct formal classroom training, another contractor may be only planning on having one of his technicians spend a few hours with you briefly explaining the system. Unless requirements for training and other support services are clearly spelled out in the bid specifications, this can be a major cause of discrepancies in bid prices.
Contractor deliberately underbids job (good motives). This is often known as "buying a job", and can be done for several reasons. In some cases, a contractor is relatively new and wants to use your job as a "showcase" that he can use as a reference to obtain future jobs. In other cases, a well-established out of state contractor may want to establish a local office in your city and wants to get the job to establish a local presence. A contractor may also see the potential to do lots of future work with your company and may underbid this particular project in order to get his "foot in the door" with your company.
Contractor deliberately underbids job (bad motives). There are a small number of unscrupulous contractors who deliberately underbid jobs with the intention of going after change orders in order to complete the job. These contractors are experts in finding weaknesses in your specifications and will take advantage of every ambiguity and omission. While much more common in the general construction trades than in the security industry, there are a few security systems contractors who take advantage of this technique, particularly on government jobs.
We recommend that you proceed with caution when evaluating an unusually low bid. There may be legitimate reasons why a bid is unusually low, and it is important that you fully understand these reasons before you enter into contract with the low bidder or dismiss the low bid out of hand. Here are a few suggestions for evaluating low bids:
Ask the low bidder and the second lowest bidder for a detailed, line-by-line itemization of their bids. The itemization should list quantities and types of equipment, manufacturer and model number, and unit cost for each item. Some bidders are hesitant to provide this level of detail, but it is the quickest way to identify discrepancies or omissions in bids.
Have each bidder provide an installation schedule that shows how they intend to complete the installation and in what time period. Make sure that the schedule indicates the number of installers and other employees that will be on site during each period of the installation.
If not clearly spelled out in the bids, have each bidder provide specific details about how they intend to provide training, system programming and configuration, and warranty service for this project.
Check references of low bidder to see if they have a demonstrated track record of completing projects of this size and type. Request financial statements to determine if low bidder has financial resources to perform a project of this magnitude.
If an obvious problem hasn't been identified after having completed the steps above, arrange a face-to-face meeting with the owner or general manager (not just the salesman) of the company submitting the low bid. Be frank; explain that his company has submitted a bid that is substantially lower than the other bidders and that you would like him to explain how this is possible.
Consider retaining the services of an independent security consultant to evaluate your bid specifications and each bid proposal.
If everything checks out to your satisfaction, consider awarding the contract to the low bidder with the provision that he provide a performance bond for the project. This type of bond typically costs between 2% and 5% of the contract price and is a usually a good investment. The performance bond protects you in two ways. First, if a contractor has the ability to obtain such a bond, it is a good sign that he is experienced and financially solvent. Secondly, if the contractor defaults on the project, the bonding company will step in and pay to have the project completed by another contractor.
Please contact us if you have any questions, or need help in evaluating bids for security products or services.