Category Archives: Risk

Planning an Active Shooter Drill, Why Once is Not Enough

Almost every day I get a note that a hospital or corporate facility is planning to have an Active Shooter Drill.  That is always good news because it is a critical part of preparedness that protects not only against an active shooter incident, but also prepares the staff for other emergencies, but it may not be enough.

I’ve found that to be really effective, drills need to be supplemented with short training sessions, and also awareness programs that teach staff to be on their toes, or “situationally aware”.   Security awareness training doesn’t have to be a full time job and it doesn’t have to be expensive.

One of the best ways to create an on-going security awareness program is to make a 12-month calendar, with an activity for each month, or better yet, every two weeks.   Here’s a list of activities I use:

1.  Start with a one page newsletter.  You can have the marketing department help, or use WordPress to design your own newsletter and email it out to all the staff.  Whether your staff is 100 people or 6000 people, it’s a great way to promote the security program.

2.  Send out very short emails highlighting news items about security incidents at other companies, especially ones in your industry, for example, hospitals.  If there’s a terrible incident at another hospital, cut and paste the story and email it to everyone.  In fact, if you’re an IAHSS or ASIS member, their publications have great stories about different security situations.

3.  Use seasonal reminders.  Now that it’s late October and daylight savings time is almost over, send an email reminding staff how to stay alert when they leave the facility after dark and head for their car.  How to use the escort service, if that’s available, or how to use your keys as a weapon in a potential incident.

4.  Buy posters to put in the cafeteria, or in the elevators, that serve as reminders about the concept of staying alert and aware of your surroundings at all times.

I have interviewed more than 8000 staff members in the last 10 years, and they welcome these reminders and feel more secure just because you are keeping awareness up.   Remember, it also reminds everyone that there is a Security Department, and that it is working every day to keep them safe.

The Department of Homeland Security also provides free brochures and charts you can print out and give to employees, or you can email them for the staff member to print out and put in their purse.  There are wallet sized cards, and lots of other great information you can use in your own active shooter awareness program.

Check out the preliminary OIG Report, which was leaked to Time Magazine on their swampland.com site at http://swampland.time.com/2013/09/16/exclusive-navy-yard-dropped-its-guard-pentagon-inspector-general-says/#ixzz2f6qWCshc

 

 

What’s Your Active Shooter Risk? How to Assess the Threat!

Just the idea of an Active Shooter in your organization, whether you’re a military base, like Fort Hood, and the Washington Navy Yard, or a school like Sandy Hook, a beauty shop, a cracker factory in Philadelphia, a retail mall, a movie theatre, a grocery store parking lot, or a hundred other places, is a terrifying thought.

I lived about 3 miles from one of the shooting sites, a gas station, used by the Beltway Snipers back in October, 2002.  They killed ten people, totally at random, and critically injured three others.   Both of the snipers were sentenced, and John Muhammad was killed by lethal injection in 2009.

If you lived in the DC area, do you remember how scary it was just to pump gas into your car?  People were huddled against the side of their cars in the gas stations, and hidden by their shopping carts at the local Home Depots.

The fear of the Active Shooter comes from the seeming randomness of the action, which means there’s no way to prevent it, unless you give up, stay home, and hide under the bed all day.

But there are things you can do.  Instead of thinking of an Active Shooter incident as a totally unique situation, it’s really a form of Workplace Violence, Gas Station Violence, Parking Lot Violence and other related forms of random violence.   In fact, the Department of Homeland Security has identified quite a few steps you can take to keep yourself safer if you are in the vicinity of an active shooter (http://www.dhs.gov/active-shooter-preparedness).

Most of the shooters are mentally ill.  Normal individuals do not enjoy planning and killing strangers, and it is usually a last ditch effort, with the suicide of the shooter as the grand finale.   Their actions can sometimes be identified early, and the police can be alerted, or the Human Resources group at work, or even the local Sheriff can intervene before it gets to the actual shooting.

Signs that someone is having trouble negotiating their life, especially if that someone is a gun fanatic, with their living room full of AK-47 assault weapons and hollow point bullets, are not hard to spot, because these individuals often leave lots of warning signs, like:

  • Irrational Posts on Facebook or inappropriate tweets.
  • Threats made against friends and family.
  • A dropoff in personal hygiene, as the person gets more obsessed.
  • Problems negotiating their personal life.
  • Demonstrating signs of isolation and groundless paranoia

Organizations can protect themselves from a potential active shooter through a combination of specific controls that include elements like access control, continuous monitoring of cameras, employee awareness and training programs, clear cut evacuation routes, regular active shooter drills, and hardening of facilities, to name a few.

One of the best preventive measures is to conduct an Active Shooter Risk Assessment, which is similar to other security analyses, except that it is focused on a particular set of threats related to an Active Shooter Incident.   As part of my annual Threat Trend Reports, I’ll be releasing a new set of threat data about the Active Shooter, to help organizations calculate their risk of having such an incident.   For example, did you know that the number of active shooter incidents has jumped from 1 in 2002 to 21 incidents in 2010?

[Figure: Active Shooter Incidents by Year]

Locations have changed, too, and we found that:

  • About 25% of active shooter incidents occur in schools,
  • About 25% in retail locations, and
  • About 37% in workplaces.

In future blogs, we’ll be looking at each element of the active shooter incident, and providing more information to keep your organization safe.

 

 

Chemical Security Programs Affected by Government Shutdown

CFATS is an essential defensive program to monitor the security of the chemicals used in the U.S. CFATS stands for the Chemical Facility Anti-Terrorism Standards. The program is run by the Department of Homeland Security and is vitally important because chemicals can be used in bombs and chemical attacks.

To avoid giving terrorists and possibly drug dealers access to the raw materials that are used in the manufacture of chemicals, chemical facilities, like manufacturing plants, distribution centers, etc., are supposed to be actively monitored by security personnel who are trained in chemical security.

Fertilizer chemicals were purchased to blow up the Oklahoma City Murrah Federal Building. Chemicals are in every medication you take, including sensitive heart medication, and other pharmaceuticals that mean life or death to those who take them.

Rep. Bennie Thompson (D-Miss.) said in a statement to Global Security Newswire Friday that the incident at a fertilizer plant in West, Texas, “brought into focus the need to secure dangerous chemicals against accidental or malicious release or detonation.”

Imagine if a terrorist was able to insert a poisonous ingredient in a statin manufacturing plant – over 15 million Americans now take statins to reduce their cholesterol.   Or imagine a poison ingredient put into pool chemicals, or something like putting water into jet fuel. Think catastrophe!

In fact, CFATS was just geared up because of a Presidential Executive Order issued in August, 2013, after the deadly blast in West, Texas that killed 14, most of them firefighters.  The order instructed federal agencies to review safety rules and create new strategies for plants that store hazardous materials. The order also included a review of potential new guidelines to improve storage and handling of ammonium nitrate, the explosive material that caused the West, Texas fertilizer plant explosion in April 2013.

Already this week, chemical companies that had DHS inspections scheduled for this week received notice that the site visits would be postponed indefinitely. Likewise, the review of security plan documents is also expected to be frozen, as DHS employees who normally do this work have been furloughed.

A critical meeting scheduled for this week, which included industry leaders, DHS, EPA and Occupational Safety and Health Administration officials  was canceled as a result of the government shutdown, which creates prolonged uncertainty for industry regarding what new regulations they might have to comply with and whether companies will have another opportunity to weigh in on possible changes.

Now the program has been shut down and critical employees furloughed.

Chemical security is a critical chokepoint because of the potential for major disasters, whether accidental or intentional.

Security programs should be immune from political shutdowns that threaten the safety and security of the entire country.

 

 

 

Capitol Hill Security Incident Scares Congress- Could it Happen To You?

The Capitol Hill Security Chase and Shooting yesterday gave a bad scare to everyone – including Senators, Congresspeople, tourists, furloughed federal employees and staff who still have their jobs.

The atmosphere on Capitol Hill was already so toxic that almost everyone jumped to the (incorrect) conclusion that it was a disgruntled voter, and so there was shock when:

1.  It was a young WOMAN
2.  There was a 1 year old child in the back seat
3.  The driver of the car was not armed, and was mentally ill (probably schizophrenic).

Where are you going today on a beautiful Fall Friday?  Almost anywhere you’re planning to go has had a major security incident in the past three years, whether it is:

A school
A movie theatre
A mall
A hospital
The office
A public building
A hair salon

And if a security incident did happen where you were, are you confident you’d know what to do?

That brief incident at the Capitol showed how in literally one minute, the situation goes from what passes for normal at the Capitol, to total chaos, fear and terror.   The situation was handled correctly.

The communications systems were in place to send out a quick “Shelter In Place” order, and to keep people updated.   The poor tourists and staff who were walking in the area were lying on the ground, hiding behind trees, and had no idea what was going on – so they probably experienced the greatest fear.

The Capitol Hill police, the first responders, were probably not expecting to have the driver be a woman with no political agenda. If you see a car trying to rush a barricade, the logical assumption is that they have an explosive device and are trying to get closer to the target, but that was not true in this case.

So before you venture out for the weekend, keep these tips in mind, write them down and keep them in your purse or wallet.

1.  Be Situationally Aware – note where you are at all times, how close a door is, or an alternate route for your car when you’re in traffic.

2.  Spend 30 minutes deciding how you would react in an emergency shooter situation, and make a plan, like deciding to use your car keys as a weapon, or keeping pepper spray in your purse.

3.  Remember to turn the sound off on your cell phone, if you’re caught in a developing security incident.

4.  If police are on the scene, follow their directions quickly and exactly.

5.  Have a local emergency number pre-set in your phone so you can call for help.

As they find out more about the Capitol Hill incident, this will probably be catalogued as an isolated incident, which took place at a very inappropriate time, and a very inappropriate place, but it’s another wake-up call for everyone.

Everything can change in a New York minute — be ready, just in case it changes for you!

 

 

Has it Been Only Two Weeks since the Navy Yard Shootings?

 

When I wrote my blog about the Shootings at the Washington Navy Yard on September 16th, I got some nasty notes about “Why did you have to write about this so soon after it happened?”

Well – I guess the fact that after about 15 days, no one can even remember the incident (8 people shot to death); the name of the shooter (Aaron Alexis), or much of the details.  It seems that people have decided that it was a mentally disturbed person, so couldn’t have been prevented.  This is completely wrong.

One of the issues that security directors have is how to make their organization aware of the active shooter threat without terrifying them.  How do you get a large group of people out of the “It can’t happen here” mindset?   One of the main ways to bring an issue back home is by using the incident as a security awareness notice.

Write a “Lessons Learned” email and send it to everyone in the organization.  Follow it up with a purse and wallet card with reminders on what to do when faced with an Active Shooter situation.

Keep everyone informed on what happens after the incident – how the injured are doing, and more importantly, what changes the organization has made to ensure that it won’t happen again.

Try doing a simple threat-risk assessment to illustrate to management what the chances of having an active shooter incident actually are, based on the industry, the region, and the number of problems/complaints that employees have expressed in the past.

Don’t let anyone forget that this can happen to any organization, no matter how well funded, or how secure they think they are.  Remember, if it could happen in a DOD military facility – it could happen to YOU!

Navy Yard Shooting Highlights Effect of Cuts to Navy Security

Security professionals around the entire were shocked and dismayed when they turned on the news and saw the historic Washington Navy Yard locked down, surrounded by emergency vehicles, and looking for an active shooter.

All the shock, the outrage, the Defense Department reaction, the involvement of the overlapping law enforcement jurisdictions, has apparently been already forgotten by the public, moved to the virtual ‘old story’ pile by the latest news of a mall shooting in Kenya, meeting at the UN, and the politics as usual in Washington DC.

If you graph it online, you can see the dramatic spike and then the dramatic drop-off in interest by the general public. This highlights what the security community has to deal with, in the context of a 24 hour news cycle.

My perspective on the event was personal because one of my very best friends was in Building 197 that day, a former navy commander, now a contractor, who went to work at 5 am that morning, and finally returned home at 9 pm that night.  Unlike many shootings, the PCs, smartphones were all up and operational during the event, so people were instantly able to communicate with friends and relatives as the event unfolded.

Rumors ran rampant that it was terrorism related, that there were three shooters, then that rumor switched to two shooters and eventually to only one shooter, Alexis Aaron, a mentally disturbed young man who had previous events of gun violence and yet had a top secret security clearance at the time of the shooting.

If we took a poll three weeks ago and asked people which facility would they judge to be the safest, the results would probably look something like this:

1. Military Base in the U.S.
2. Hospital
3. Regional Mall
4. Police Station

Unfortunately – this is more like a list of the places where a shooting is more likely to take place.  As all the work in workplace violence statistics shows, a domestic Military Base has been the site of two mass shootings in only the last 4 years.  This includes the twelve killed and eight wounded at the Washington Navy Yard, as well as the thirteen killed and twenty injured at the Fort Hood shooting in late 2009.  That’s an average of 6 killed each year, and 8 injured, and doesn’t take into account any random shootings, training-related injuries, only the mass shootings.

Hospitals have increased in violent incidents every year for the last ten years, and we just witnessed a mass shooting at a Kenyan Mall.

However, the hospital and the mall are both completely OPEN, they want people to come in, they don’t control access at all. This is what is so surprising about the Navy Yard shootings, the lack of security, lack of enough armed guards, lack of current background checks, lack of metal detectors, lack of retina scanners, and every other usual form of security control.

Speculation is that the key controls were missing because of budget cuts, which means that the Navy made the decision to reduce security controls, instead of cutting other, less critical programs.  The incident makes a strong case for examining the potential Return on Investment for security controls!

Even if the shooter’s background check was “current”, it certainly had not been updated based on his own recent events, and brushes with the police, and, of course, the anger and mental health problems appear again, and are shrugged off as too tough to manage and track.

However, it is a wake up call for the U.S. Navy, the Department of Defense, the U.S. Capitol Police, and a variety of other organizations who “Secure” the Washington DC Capitol zone, and it leads to more questions than answers.

Already, the questions are starting about what controls SHOULD be in place for all military bases, and, naturally, re-examining the background check process and how it could be updated and improved.

Let’s not forget this time.

 

 

 

 

Is Extreme Heat a New Deadly Threat?

We are currently in the grip of a terrible heat wave in the western states.  Death Valley, California almost beat its previous record of 130, with a National Weather Service Thermometer recording 129.9.   The highest temperature ever recorded on Planet Earth is 132.

Despite all the news coverage of hurricanes, homes torn apart by tornadoes, and tropical storms, excessive heat kills more people annually than almost all the other natural disasters (except for tsunamis and 7.0 and above earthquakes).

Deaths from excessive heat include both cardiac arrest and breathing issues.  “Heat-related illnesses and deaths are preventable. Taking steps to stay cool, hydrated and informed in extreme temperatures can prevent serious health effects like heat exhaustion and heat stroke,” said lead author Ethel Taylor, a researcher who works with the CDC.

Because extended heat waves put a strain on electrical loads and may trigger power outages, it is important for companies to have a Plan for Extended Extreme Heat. Plan for a situation without electricity for 3 or more days.

Having just survived a week in south Florida without AC, and growing up in Los Angeles, also without air conditioning, here are a few tips to stay cool:

1.  Stay wet to facilitate evaporative cooling.  Wear a wet T-shirt and keep your clothes damp.

2.  Make sure pets are ALWAYS in a shady place and give them plenty of cool water.

3.   Buy ice and use it to rub on children’s arms and legs to keep them cool.

4.   Use fans and swamp coolers if electricity is available.  Coleman makes fans that run on batteries if electricity goes out during a heat wave.

5.   Wake up earlier and use the cooler morning hours for outside tasks and stay indoors during the heat of the day.

And, if it’s blistering hot where you are — DO NOT USE FIREWORKS.  Areas that are already dry, including shake roofs, will burn more easily under such extreme heat!

AND wherever you are, STAY COOL.

 

My Pool got Hit by Lightning – Are You Next?

My swimming pool got hit by an adjacent lightning strike!   The lightning strike hit a tree about 6 houses down from my home in Maryland.  I heard the lightning strike at the time (midnight), and I still remember that it was so loud the beagles dived under the bed.

But the next morning, when I woke up, I looked out from my 2nd floor window and saw something that looked like two fried eggs floating in the pool.  It took me about 2 minutes to realize that they were the pool lights, floating in the pool, still tethered by the electrical lines.

The lightning strike was so sharp and close that it broke the lights out of their plaster enclosures and now there they were, fully electrified, floating right in the water.  It took me eight calls to find someone who would come and fix the lights, turn off the electricity and get the lights out of the pool.

If a lightning strike could do that from 6 houses away, what could it do to a person? Because it’s Lightning Safety Week, I looked up some interesting stats from the National Weather Service – check out these stats:

Your chance of being struck by lightning in your lifetime is 1 in 3000!

From 2006 – 2012, about 2300 people were struck by lightning and 238 people were struck and killed by lightning in the US.

2/3rds of the deaths were to people enjoying outdoor leisure activities.

82% of all fatalities were to men.

70% of the lightning deaths occurred in the months of June, July, and August.

Only 10% of people struck by lightning actually die, but 70% of those that survive a lightning strike have serious long-term effects from the strike, including fear, depression and debilitating physical injuries.

STAY SAFER THIS SUMMER, and teach these tips to your kids, too.

  • Get out of pools, away from beaches, lakes or ponds.

  • Never stand by a tall tree during a lightning storm

  • Drop or get away from metal objects like golf clubs, umbrellas, etc.

  • Get indoors or into your car if you can’t get inside.

  • Stay indoors for 30 minutes after the last flash you see.

 

And have a wonderful, active summer!

Why HIPAA Risks are Growing Every Day

If you’re a healthcare employee, you already know a lot about the HIPAA Rules. You’ve probably received training on how to protect Health information, and have heard about all the fines being levied against everything from small hospices to the largest hospitals (like Massachusetts General Hospital).

Because HIPAA is a federal law, there are expensive penalties involved in HIPAA mistakes (breaches). Fines have ranged from millions of dollars to $50,000. Here are just a few of the recent fines.

  • Shasta Regional Medical Center – $275,000, June 2013
  • Hospice of Northern Idaho – $50,000, January 2013
  • BCBS Tennessee – $1,500,000, March 2013
  • State of Alaska – $1,700,000, June 2012
  • Phoenix Cardiac Surgery – $100,000, April 2012
  • Mass General Hospital – $1,000,000, February 2011

There have been dozens of other fines, many in the millions of dollars, and, with the passage of the new HIPAA Omnibus Rule, which takes effect on September 24, 2013, there will be many more.

If you are a healthcare organization, you need to address the risk of a potential HIPAA Fine. And the fines are not the worst part, because the “resolution agreement” you sign forces your organization to file all sorts of quarterly reports and meet with regulators for years to come, and those ongoing activities are even more expensive than the fine!

The Office of Civil Rights (part of the U.S. Dept. of Health and Human Services), is self-funded from these fines, and they use the money from the fines to start even MORE enforcement activities.

The basics you need to have in place to reduce the risk of a HIPAA fine include 1) having a Risk Analysis done in the past 12 months, 2) having HIPAA Training conducted annually for EVERY employee, 3) Updating all your Business Associate agreements, 4) developing a robust security awareness program, just to name a few.

HIPAA compliance-related fines are a risk that should be considered by every healthcare organization, no matter how big or how small, because your bottom line, AND your reputation may depend on it!

 

Snowden’s Shameful World Tour

Being a security person, and believing that extraordinary measures are required to keep us safe from the increasing terrorist threat…   I maintain that Edward Snowden is a total coward, now that he has launched his travel from the US to China to Russia, and presumably, Cuba, Venezuela and Ecuador.

His judgement on many things is in question, especially in taking advice from another coward, Julian Assange, who’s been living in a small Embassy in the UK for a year.

Perhaps he could make a case that he thought US taxpayers had a right to more details about their tax dollars at work – the NSA’s surveillance programs, but he certainly DOES NOT have the right to disclose any classified program information to other nations, like China and Russia – just to name 2.

He DOES NOT have the right to stir up suspicions between nations, sort of a misguided meddler, basically selling out US secrets to a hostile world, and who knows who’s paying for all the international travel?  Is he handing out secrets for free, or is he selling out our country for financial gain?

His cowardice is illustrated by his total fall into the “What’s Good for Me” logic, which totally ignores issues of national security, destruction of trust between nations, and these actions compromise every statement he’s made so far.

He made himself into a 7-day media star.  He got his 15-plus minutes of fame, and now, he obviously has done a little more thinking about his choices, so he’s totally intent on protecting himself from any penalties, any recriminations, any dialogue with the US over the far-reaching implications of his bad choices.

For these reasons, and quite a few more, and mostly because I believe that he threatens our hope for a more peaceful world, I hope that other nations will grab him, return him to the US – to face the music he chose.

More distrust, more self-absorbed leakers, more lack of respect for the laws that govern civilized countries, is just not something we need right now.