By Stevan Layne, CPP, CIPM, CIPI
Published in the March 2010 issue of Today’s Facility Manager
Administrators, facility managers (fms), business owners, and even protection professionals are tired of hearing the term “active shooter.” It seems to be the buzz phrase of the year, and it has become the impetus for numerous workshops, seminars, planning sessions, video productions, and untold legions of paperwork. The problem is…there’s still a problem.
In the first months of 2010, there were tragic events in Missouri, Florida, Georgia, Illinois, Alabama, Colorado, and certainly other states as well. It has become difficult to keep up with the frequency of these incidents.
It is impossible to predict, with any certainty, when some current or former employee, visitor, contractor, customer, or complete stranger will go off his or her medication, reach the saturation point of personal problems, go over the limit in a domestic dispute, or have an unrelated psychic episode—any of which may result in a deadly attack. Unfortunately, it happens.
Realistic Management Approaches
Ultimately, fms are responsible for providing a safe environment for anyone and everyone on the property. This includes protection from crazy people with weapons. The very real and practical consideration is in determining the threat level, the ability to deter or mitigate the threat, and if all prevention measures fail, how to deal with an active shooter on the property.
Fms do have choices. They can board up the windows, seal off all building penetrations, put rolled concertina barbed wire around the building perimeter, and require strip searches at every entry door…or not. Assuming that process would violate the basic tenants of good customer service, there must be more reasonable precautions available.
From information technology department layoffs to reductions in facility spending, the current economic climate is a breeding ground for risky behavior that could lead to workplace identity theft. These factors make the installation of proper procedures in the office imperative for preventing a costly data breach.
In 2009, there were 492 workplace data breaches caused by a variety of circumstances—from an investment firm improperly disposing of medical records to court records being left in an outside dumpster. In total, more than 222 million private records containing sensitive information were exposed, which is six times the 2008 total. [Source: 2009 ITRC Breach Report, Identity Theft Resource Center, December 2009.]
Businesses can be extremely vulnerable to data breaches. This makes it especially important for facility professionals to protect personal information in the workplace, especially information contained within paper documents. Yes, paper documents are still around—and they’re still at risk.
In a study commissioned by the Alliance for Secure Business Information (ASBI), a group of thought leaders in the areas of business security, 49% of respondents whose companies have been affected by a data breach stated one or more of the breaches involved the loss or theft of paper documents. Additionally, 56% of respondents stated more than half of their organizations’ sensitive or confidential information is contained within paper documents.
[This Web-based survey was launched August 12, 2008 and was closed August 21, 2008. Debriefing of respondents and analysis was completed August 30, 2008. The margin of error on all adjective scale and Yes/No/Unsure responses was 3.5%. The final sample consisted of 819 individuals who work in IT operations, IT security, data protection, and compliance in large organizations in a variety of industries.]
Data breaches are largely preventable. The first and easiest step to preventing this costly crime is to ensure employees are destroying all proprietary documents adequately. In support of this effort, facility managers (fms) should consider keeping shredders conveniently located near desk spaces or in communal printing areas to encourage use.
The following tips should be followed in support of a safe document environment in the workplace:
• Develop office guidelines for all employees outlining proper procedures for protecting information.
• Encourage employees to log off computers and lock workstations or office doors at the end of each day. All confidential documents should be filed away rather than left on desks.
• Limit the use of social security numbers in the workplace, especially on items such as employee identification badges, time cards, or paychecks.
• Avoid leaving documents in communal copiers, shared printing spaces, conference rooms, or other open areas for extended periods of time.
Sileo is a member of the Alliance for Secure Business Information (ASBI), a group of industry thought leaders on a mission to help educate businesses and their employees about ways to prevent complex data breaches in the workplace. For more tips and insights into how to protect your workplace from a harmful data breach, visit www.fellowes.com/asbi.
This begins with a professional assessment of the facility’s protection assets and hazards. The assessment needs to be performed by a security professional who is not involved in the sale of products or services. Law enforcement can offer some assistance in this area. However, fms should be aware that law enforcement crime prevention specialists have great advice to offer on many levels, but they rarely have any expertise in the use of electronic systems, contract security management, or long-term protection planning.
The assessment must take into consideration all of the following elements:
- Environment: area crime rate, public access, prior incidents (at the facility);
- Policies: including procedures;
- Staffing: security, maintenance, and any others;
- Physical security: natural and man-made barriers;
- Electronic security: proper application and use of systems; and
- Training: security awareness, alarm response, and patrolling.
Once fms have determined their state of readiness, they can begin to plan how to deal with any actual or perceived threats.
Response choices to armed assaults are limited for fms. Whether or not they have an armed response capability, fms must first do whatever they can to move victims and potential victims out of harm’s way—while at the same time attempting to remove, isolate, or mitigate the threat. The time it takes to find a resolution is essential.
Notification to law enforcement and persons at risk must be simultaneous. Potential victims need to be evacuated, or safeguarded in place. Suppression of the attack may not be possible.
To Arm Or Not To Arm?
The arguments pro and con about armed security could go on indefinitely. Even if fms arm the entire staff, there’s no guarantee an attack can be avoided. In a recent incident, one worker shot another worker at a UPS facility. A third worker then shot the first worker. Initial reports indicate a feud among workers. So how do fms plan for armed workers attacking each other?
All of these situations call for realistic, professional planning and preparation. Does the facility publish and/or post a policy restricting anyone from bringing weapons onto the property? Is there any form of package inspection coming in or going out? How far away is a law enforcement response in an emergency? Do fms have a designated area or areas for “protect in place” arrangements?
If an incident of this magnitude takes place, who’s in charge within the facility? This is not the police, and not the fire department. If the designated person in charge is not on the property, then who steps in as the alternate? Does the entire staff know who’s in charge, every day?
What tools are available for notifying managers and staff? Is there a practical exercise in dealing with this type of emergency? Were local police involved? Have protection coverage gaps been filled? Is the facilities staff fully trained to deal with such an incident? Are there up to date, published policies and procedures? Fms should make sure to collect or create the following items:
- Emergency notification list;
- Approved vendors (contractor of choice) list;
- Lockdown procedures;
- Protect in place procedures;
- Emergency evacuation plan;
- Skills inventory;
- Emergency operations plan;
- Business continuity plan; and
- Disaster recovery plan.
Unfortunately, few companies are prepared to deal with workplace situations that make headlines regularly. Operations plans are always “being worked on” or “in draft at present.” Surveillance systems and alarm systems are “being upgraded…some time.” Radio coverage within the facility is great, except for those areas where there is no coverage.
How long can fms afford to wait on making proper arrangements, taking necessary precautions, or training for the ultimate? Sadly the answer is ironic: many fms don’t really feel the need to prepare for any of these things—until they need them. For fms, the best bet is to be ready for an armed assault, preferably before one takes place.
Layne is CEO and principal consultant for Layne Consultants International. In addition to being a published author with several security related books, he is a former police chief, public safety director, institutional security director, and a graduate of the FBI’s Police Management Program. He is also the founding director of the International Foundation for Cultural Property Protection (IFCPP). Layne will be the keynote speaker at the The TFM Forum in Innisbrook, FL, where he will give a presentation on this topic.