

INTERNATIONAL FOUNDATION FOR
CULTURAL PROPERTY PROTECTION

News


  • February 19, 2020 6:18 PM | Anonymous

    Reposted from Security Management

    As security professionals, we see vulnerabilities every day: homeowners who don’t arm their security systems; businesses with inoperable cameras and propped-open back doors; unaccounted-for keys, missing badges, broken locks, and no visitor control; work computer passwords that are weak, reused, shared, or written on a sticky note; no emergency plan, practice, or provisions. Despite regular reminders about the risks in the world, why do these lapses keep happening? Perhaps the increasing number of security breaches and violent attacks leave us numbed to their significance. Or the topic is purposely avoided, when confronting the rising threat feels overwhelming or uncomfortable.

    Many industry insiders see security from a data-driven perspective—there is risk probability, which is lowered by the effectiveness of an array of countermeasures. However, most risk models are not holistic, because they don’t address the important psychological and sociological factors at play. The human element is perhaps the most difficult to address in the security realm, yet the one that can make or break our efforts.

    Consider the vulnerability mitigators—the site managers and security teams who have assumptions, biases, and blind spots, unconsciously impacting their decisions and compounding risk. There are five emotional traps in soft target security: hopelessness (“There is not much we can do to prevent or mitigate the threat.”), infallibility (“It will never happen here.”), inescapability (“It is unavoidable, so why even try?”), invulnerability (“It cannot happen to me.”), and the most dangerous, inevitability (“If it is going to happen, there is nothing I can do about it anyway.”). These beliefs, even if subconscious, can sabotage security efforts. Vulnerability mitigators are just as susceptible to these traps as average people. 

    Wait, there’s more! Adding to this complex brew is security fatigue, a phenomenon first observed in the cyber realm. A security study conducted by the U.S. National Institute of Standards and Technology (NIST) in 2016 sought to measure respondents’ online activities, computer security perceptions, and the knowledge and use of security icons, tools, and terminology. Unexpectedly, many participants mentioned “security fatigue,” along with a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance when it came to cyber hygiene. 

    This very same security fatigue is now reflected in the general populace, weary of inconvenient physical security measures and now facing a loss of personal communication and online privacy in the name of an often abstract concept: the greater good. 

    Now factor into the equation a palpable sense of denial about the threat, manifested by a lack of urgency to mandate changes in the wake of a massacre. There is a persistent belief an attack was a “one-off” event which won’t occur again, with a unique and lone attacker. Mass shooting events are often hastily put behind us, and society moves on quickly to resume normalcy. Consider that London, with one of the best counterterrorism programs in the world, fell victim to two ISIS terror attacks by vehicle on adjacent bridges within a 10-week period. Lessons learned from the first attack on the bridge near Westminster on 22 March 2017 did not translate to robust security measures on other bridges. 

    The location of the second attack on 3 June 2017, the London Bridge, was a stated target of both al Qaeda and ISIS for more than a decade. Typical of copycat attacks, terrorists learned from the first attack and improved their methods, using a larger vehicle to mount the London Bridge curb and mow down pedestrians on the sidewalk. They also left the vehicle in a popular restaurant district and went on a stabbing rampage, while wearing fake suicide vests to amplify the terror effect. 

    Although contradictory to denial, there seems to be a new level of acceptance regarding mass attacks, seeing their near daily occurrence as a “new normal.” During the mass shooting at a STEM school in Colorado in May 2019, none of the major national news networks broke away from political coverage to report on the unfolding crisis. On the first anniversary of the Santa Fe High School shooting in Texas (10 killed, 14 wounded), many social media comments indicated people did not recall the event. Perhaps society has numbed to the point where extremely violent events are no longer shocking. This complacency is dangerous; it means we’ll settle for security that is “good enough” and take the more comfortable path of least resistance. Organizations may choose to roll the dice, and just deal with an event if it arises.

    The bottom line is that this cauldron of emotions and behaviors is not only a dangerous and exploitable phenomenon, but also extremely detrimental to our efforts to secure venues and protect people. Acknowledging the existence of these behaviors and mindsets is part of the solution, but there are tangible steps we can take in our work to meet them head on and mitigate. 

    Seek First to Understand…

    Not everyone shares our sense of urgency, scope, or motivations about security. Several years ago, I consulted on a federally funded project in a U.S. city to secure several high-density commercial public buildings from terrorist attack. 

    One of the site managers resisted our efforts and did not embrace recommendations coming from a thorough vulnerability assessment. Frustrated, I asked: “What will you say to family members if an employee or customer dies during an attack on your property, one you could have prevented with enhanced security measures?” He looked me in the eye and said: “Why would I talk to the family members?” 

    As a military officer, I prepared for and performed casualty notifications, and the welfare of my troops and their families was my responsibility. I found the manager’s statement shocking, but instructive. My paradigm and principles about security might not be shared by others, and that’s alright. 

    Prior to presenting ideas or solutions, we can ask questions to clarify cultural nuances at the worksite that may impact our work. Perhaps the most important yet underrated communication skill is listening. Engaging in a true dialogue will help clarify and build trust before introducing ideas and solutions. 

    …Then to Be Understood

    I teach a graduate level communications course for security professionals, and the curriculum includes aptly packaging and marketing the message. Why? Because of the aforementioned psychological factors like security fatigue, combined with the standard resistance to change. The way you communicate your security recommendations will change how those recommendations are received. 

    In the last year, I have worked with religious leaders, luxury hotel managers, hospital administrators, high school principals, and security leads for professional sports teams. Security is not a one-size-fits-all proposition, yet the same methodologies apply. For instance, we encourage churches, which are soft targets, to simply lock their doors during services, when the majority of fatal attacks occur. Businesses, on the other hand, have different vulnerabilities; they might install a 24/7 access control system to prevent unauthorized entry and protect proprietary information.

    To determine what communication strategies to deploy, assess the client’s biases, assumptions, and concerns. Do they demonstrate any of the five emotional traps when talking about the security environment? Understanding these complex behavioral and emotional responses is important when tailoring the security message. Message delivery is also critical—how can the client best process our information? I have my security students take a learning preference instrument called VARK (Visual, Aural, Read/Write, and Kinesthetic). Understanding learning styles helps us access information in a way where we will not only gain knowledge, but internalize and retain it for a longer period of time. As a professor, I deliver course material based on the student’s VARK preferences for improved learning and retention of information.

    Once the students realize that even our small classroom of security professionals consists of a variety of learning styles, they understand the importance of tailoring the security message and delivering it to their supervisors, coworkers, or clients in a way that will be understood and acted upon. 

    For example, a few years back, I visited a “megachurch” just for a quick walk around with the head of security. They had a good security plan, including gated entry and license plate scanners. However, the two-story glass atrium of the main church building was unprotected on both sides, and vehicles had an unobstructed approach from the main road. The security team approached the pastor with a proposal to harden the area, but the pastor didn’t read past the first sentence, stating he was opposed to “ugly barricades.” Based on his love of photography, we decided the visual approach might work best to tell the story; the pastor agreed to fund the project after seeing photographs of attractive bollards such as fountains, benches, planters, and lighting. By tailoring our communication approach to connect with this particular person’s interests, we could overcome misconceptions about security and produce a safer environment. 

    We can help clients and stakeholders out of their emotional traps and still accomplish our security goals. One approach is to identify the reason for pushback, and then adjust language to better connect with the audience. For example, I was contacted by a local emergency preparedness agency regarding a “Stop the Bleed” (STB) initiative, generously funded by the state government. Although the group was offering training for free, they were unable to find any school, church, or business willing to host the program. Upon further questioning, we learned the venues associated STB with active shooter training, which they were also resisting out of fatigue and fear. 

    I provided talking points to the agency with compelling reasons for STB training, avoiding the active shooter perspective. I used plain language and included data regarding the increase of stabbing attacks in our country and how taking immediate action could have saved lives. The paper also covered travel safety and how stabbings are on the rise worldwide, appealing to those who travel internationally for business or leisure. I relayed a story regarding an American man who was trapped in the rubble after the devastating earthquake in Haiti; by properly dressing a heavily bleeding wound on his leg, he was able to stay conscious and facilitate his rescue, as well as save the limb. I actively sought to remove “active shooter” and related trigger words from the STB equation without watering down the need for the STB program. It worked. 

    Substituting the word “safety” for “security” is another tactic. For instance, a local church is located on a blind curve, next to a very busy, dangerous road. From a counterterrorism perspective, I was concerned about a vehicle purposely driving into the crowded parking lot or the building. Instead of talking about terrorist tactics with the pastor, I presented data regarding the rise of distracted drivers in our area and the number of fatalities in the vicinity of the church. He decided to install an attractive bollard system to protect churchgoers and the structure from an out-of-control vehicle. This is another example of tailoring the message to the audience to bypass an emotional trap, without downplaying the need for preparedness. 

    Communication lapses are not limited to small-scale campaigns or proposals, either. The U.S. government, with its massive public relations machine, has failed at times to convey security messages in the appropriate manner for the topic at hand. After the attacks on 9/11, the Department of Homeland Security (DHS) tried to educate the public on how to protect themselves. On 10 February 2003, in response to intelligence indicating terrorists were planning a weapons of mass destruction attack against the United States, DHS issued an advisory directing Americans to prepare for a biological, chemical, or radiological terrorist attack by assembling a disaster supply kit. Panicked citizens cleared store shelves of duct tape and plastic to seal homes and offices against nuclear, chemical, and biological contaminants. The DHS eventually faced ridicule over what was seen as an over-reaching response to a veiled threat, and the advisory was jokingly referred to by comedians as “duct and cover.”

    A DHS Ready.gov campaign in 2004 with amateurishly drawn cartoon characters was also mocked and rendered ineffective. It was the wrong tone and method to communicate about this topic, and therefore the campaign fell flat.

    The language we use is as important as our actions; it can either motivate or repel. 

    Since these DHS communication challenges, the threat has not been adequately portrayed to the public, perhaps to not cause alarm. Despite terrorist attacks and hundreds of foiled plots in the United States from 2005 to 2011, the color-coded alerts of the Homeland Security Advisory System (HSAS) never budged from yellow (elevated threat). In 2011, DHS replaced HSAS with the National Terrorism Advisory System (NTAS), which was meant to address criticisms of HSAS, providing alerts specific to the threat with a specified end date. However, the NTAS is also rarely used to communicate with the public. Social media platforms are dormant, and NTAS advisories average one every six months. 

    My work is predicated on the idea that if citizens are aware of the threat and educated to respond, they are less afraid. They become force multipliers for law enforcement and first responders.

    Fear, Uncertainty, and Doubt

    Using internal security language heavy on acronyms or lingo is not always helpful with stakeholders and clients, nor is fear-mongering. The saying “It’s not a matter of if, but when” is often heard among security professionals when discussing the likelihood of another cyberattack, active assailant incident, or terrorist attack. However, depending on the audience, we should avoid these euphemisms in the consultative environment. Illustrating this point, an elementary school teacher recently tweeted her dismay that a security contractor made this statement during active shooter training. She didn’t find it motivational in the least, but overblown and hysterical.

    Remember that the fear of a violent incident or attack is not always top-of-mind for people. The Chapman University Survey of American Fears provides an annual look into the fears of average Americans, using a random sample of 1,190 adults from across the United States. In 2017 and 2018, terrorism and crime fears dropped out of the top 10, now replaced by government corruption, environmental, medical, and personal financial concerns. Whether fatigue, denial, acceptance, or feelings of invulnerability have played a role, or Americans would merely rather focus elsewhere, data indicates terrorism and crime are not at the forefront of concerns for the average American.

    Certainly, the odds of being part of a terrorist attack or mass shooting are extremely slim. The CATO Institute studied terrorist attacks perpetrated in the U.S. by foreign-born actors, including the 9/11 attack, and found that from 2001 through 2017, the chance of an American being murdered by a foreign-born terrorist was one in 1,602,021. On the other hand, the odds of dying from a car accident are one in 102; assault by firearm, one in 285; lightning, one in 114,195; and aircraft accident, one in 205,552, according to the National Safety Council. However, that does not mean that we should neglect to prepare for violent incidents.

    It’s essential to understand people’s practical fears and concerns so we can properly tailor and package the security message. Residents who ignore risks of terrorism, active assailant incidents, and crime are not security’s eyes and ears. They won’t see threats or connect dots; they are not the force multipliers we hoped for. Since fear can paralyze people instead of motivating them to action, language is again the game changer. For instance, the “lone wolf” moniker is sensationalistic and causes fear. The word “wolf” conjures a stalking, stealthy, hungry predator roving about, acting at will. In the security research realm, we are now addressing the lone wolf as a lone actor.

    In my work, I use an effects-based system with my clients so they can visualize violent scenarios in an unemotional, data-driven way. Think of ways to lessen fear in your security work to enhance your message and motivate people to take action. 

    The underlying message to soft target organizations is that security professionals acknowledge their fatigue, fear, and hope that the storm clouds will pass them by. However, doing nothing because it’s easier than confronting the rising threat is not only naïve, it is irresponsible. A permissive environment is exactly what bad actors want, will wait for, and exploit. It is our job to continue fighting societal trends and underlying psychological impulses driving people away from security and into danger. Understanding our role and how to best engage is crucial.

    See Original Post

  • February 19, 2020 6:12 PM | Anonymous

    Reposted from WCVB

    The iconic Plymouth Rock, the landmark that marks where the Pilgrims landed the Mayflower 400 years ago, has been vandalized with graffiti, photos from the scene show.

    It was among several historic landmarks that appeared to have been tagged by vandals.

    Photos from the scene also show red paint on a statue and red paint sprayed on a stone bench.

    The photos also show a large clam shell painted with a photo of the harbor and Mayflower tagged with red graffiti. 

    Plymouth is commemorating the 400th anniversary of the landing of the Pilgrims at Plymouth Rock this year. It was not immediately clear if this graffiti incident had any connection to the celebration.

    Plymouth Rock is managed by the Department of Conservation and Recreation for the Commonwealth of Massachusetts as part of Pilgrim Memorial State Park. 

    The Plymouth Area Chamber of Commerce said four graffitied shells have been cleaned by the department of public works. The chamber said there were still some specks of paint that will be removed on Tuesday. "Please do not attempt to help us remove any of the remaining specks as many chemicals can harm or even destroy the shells as well as any type of pressure washer," the chamber said. 

    Officials ask anyone with any information about who may be involved with the vandalism to contact the Plymouth Police Department. 

    The chamber said they plan to press charges against the individuals involved.

    See Original Post

  • February 19, 2020 6:07 PM | Anonymous

    Reposted from Security Management

    Wildfires erupted in California in October 2019, endangering thousands of homes and businesses and leading to the evacuation of more than 200,000 people. Extreme winds—with gusts up to 80 miles per hour—spread and fed the flames. Californians faced sudden blackouts as utility companies sought to mitigate the risk that live power lines would blow over and start new fires. According to CalFire, more than 189 buildings were destroyed.

    While the California 2019 fire season was less disastrous than 2018’s, some experts say it marks a shift in wildfire patterns.

    Recent research by climate scientist Janin Guzman-Morales at the Scripps Institution of Oceanography at the University of California, San Diego, suggests that as the climate warms, Santa Ana winds may become less frequent. However, warming patterns are also likely to change precipitation patterns, shifting California’s wildfire season from dry fall to even drier winter, with longer, more intense fires later in the year, The New York Times reports.

    Meanwhile, in southern Australia, unpredictable winds and severe drought conditions brought wildfire season early. As of mid-November 2019, fires had burned 1.65 million hectares (about 4 million acres) in New South Wales—more than the state’s burned area in the previous three years combined, and months before the year’s “bushfire” season typically peaks in January or February. A large swath of the Australian population along the east coast, including the city of Sydney, has been exposed to smoke from the bushfires, which can affect respiratory and cardiovascular health.

    Changing weather patterns in Australia are exacerbating fire risks. The Australian Bureau of Meteorology (BOM) warned communities to prepare for more severe fire danger throughout the 2019–20 summer, which shows a higher than normal chance of above-average day and night temperatures for most of the country, and a higher chance of drier than average conditions for eastern Australia.

    More volatile, unpredictable wildfires are forcing security and business continuity managers in fire-prone regions to reconsider their continuity plans. In California, grocery store owners scrambled to find backup generators and refrigerated trucks on little notice during blackouts. Supply chains were disrupted as highways were shut down. Organizations had to cope with mass workforce unavailability due to evacuations.

    Overall, continuity challenges from wildfires fall into two camps: business challenges and personnel challenges, says Rinske Geerlings, principal consultant at Business As Usual, a business continuity planning and consulting firm based in Sydney, Australia.

    Personnel challenges can involve health issues related to fires—such as worsening asthma from smoke inhalation. In Sydney, some businesses had to turn off their air conditioning systems to prevent bushfire smoke from entering workplaces, but summer heat was already climbing—upward of 34 degrees Celsius (93 degrees Fahrenheit)—forcing businesses to choose between smoke and heat, neither of which are good for staff, Geerlings says.

    In addition, wildfires affect employees’ physical safety and ability to access the workplace, and their emotional availability for work, Geerlings says. “Staff may not have the mind-set to think about work due to the emotional impact of a fire, even if the business has prepared for disaster with a remote work plan,” she adds.

    According to Sam Stahl, CBCP (Certified Business Continuity Professional), a business continuity management consultant based in Colorado, employees’ availability during wildfire events depends on preparedness. Insurers are more stringently inspecting conditions around homes and businesses for fire hazards, he says, and organizations can double down on this messaging by encouraging employees to plot out backup evacuation routes, clean up brush around their homes, and develop plans for remote work.

    Regarding business challenges, the three essential aspects to business continuity are access to assets, people, and a place to work, Stahl says, and wildfires often disrupt at least one of those three. He recommends organizations that can facilitate remote work begin planning and practicing how to keep business on track without employees in the office.

    “Do you know if you have the network power in place to support a full work from home day?” Stahl asks. It’s a good practice to have each employee work from home one day a month, just to practice and find any gaps in capabilities or resources, he says. That way, in a crisis where 40 people are working remotely, employees know what to do and the infrastructure already exists to support them.

    However, some organizations are not built to accommodate remote work. For example, manufacturing organizations cannot continue production if employees cannot make it to the facility—or if the facility itself is damaged by fire.

    “At the moment, the fires are so widespread and long-lasting that it’s harder to search for continuity options,” says Geerlings. “Options for suppliers are getting smaller and smaller. That’s a growing business continuity challenge—there are hardly any continuity options, like alternative locations or alternative suppliers, that are not also affected by the fires.”

    For example, she says if an organization is looking for a repair business to fix a burned warehouse, maintenance companies are currently so overloaded that clients are facing months-long delays.

    Volatile winds are also throwing a wrench into continuity managers’ plans. Organizations were receiving hourly updates on the fires’ progress, which meant business continuity professionals could not plan days in advance but mere hours, and they had to be ready to adjust those plans at a moment’s notice, Geerlings says.

    The widespread nature of the fires is forcing continuity planners to think more broadly and creatively for solutions. Regional backup suppliers are likely just as affected by the fires as their clients, so organizations should think about leveraging suppliers and partners in different states or regions. They could send certain jobs to be processed in a different area of the country unaffected by the fires, Geerlings says.

    Some organizations are even considering adding their competitors into their business continuity plans, she adds. Especially for organizations without remote work options, such as manufacturing organizations that require physical assets or equipment, developing a memorandum of understanding (MOU) with a similar competitor could ensure that production does not cease entirely during an extreme weather event or fire.

    “Businesses will need to be more creative and come up with plans B, C, and D,” Geerlings says.

    See Original Post

  • February 19, 2020 6:03 PM | Anonymous

    Reposted from Security Management

    Recent active assailant attacks on cultural festivals, entertainment districts, and event venues are causing Americans to second-guess attending large-scale public events, and terrorist incidents and mass attacks are driving concerns globally as well. However, physical threats are not the only risks consumers face at events.

    More than one in five Americans say they have cancelled plans or considered cancelling plans to attend a large-scale public event due to concerns about physical attacks, according to the 2019 Unisys Security Index. A large majority (83 percent) of Americans are concerned about a criminal attack at large-scale events such as concerts or sporting events; 50 percent reported being “extremely” or “very concerned” about physical attacks.

    Worldwide, 57 percent of survey respondents report being seriously concerned that a criminal attack may affect attendees. Consumers in the Philippines, Malaysia, and Colombia had the highest concerns (86 percent to 74 percent), while consumers in New Zealand, the Netherlands, and Germany had the lowest concerns (35 percent to 39 percent) about attacks at large-scale events.

    Security awareness climbs swiftly after large-scale attacks. Following the attack on two mosques in Christchurch, the percentage of New Zealand survey respondents who said they are seriously concerned about terrorism rose from 29 percent to 51 percent.

    Unisys conducted additional research on this topic, diving into more detail in seven countries (Australia, Brazil, Germany, Mexico, Philippines, the United Kingdom, and the United States). The Index found that 39 percent of respondents in those countries said they would think twice about attending a large-scale event, and one-quarter have changed their plans to attend.

    “We’re trying to balance safety and security measures with the experience of the fans; we certainly don’t want to do anything to deter that experience,” says Daniel Ward, assistant director of curriculum for the National Center for Spectator Sports Safety and Security (NCS4) at the University of Southern Mississippi. “It’s very easy for someone to stay home and watch an event on their 4K television, so the competition is stiff now. We aren’t going to be able to bring people in if we aren’t making them feel safe and secure and making sure that they are having a good experience.”

    Venues are also proactively reaching out for resources and training from the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and its nationwide network of Protective Security Advisors (PSAs), who work with schools, faith-based organizations, and event venues to improve security capabilities through vulnerability assessments, technical assistance, and facilitating training and exercises, says Brian Harrell, CPP, assistant director for infrastructure security at CISA. Recent attacks on crowded places and soft targets have driven increased interest in these services and resources, he adds.

    Event security professionals—especially for smaller events or those without permanent venues—should strive to improve their cross-organization information sharing, says James DeMeo, CEO of Unified Sports and Entertainment Security Consulting LLC.

    “The threat continuum is ever-evolving and ongoing, in terms of physical security and the integration of technologies,” DeMeo says. “The sharing of information is paramount among key leaders entrusted with duty of care protecting those spaces.”

    “Effective communications between law enforcement, venue directors, and security personnel is essential in guarding fans,” he adds. Smaller venues or events might lack the resources that national organizations or associations have, but they can reach out to local fusion centers for information sharing, DHS resources, or educational tools.

    Beyond concerns for their physical safety, however, event attendees are also leery of data security when out at concerts, fireworks displays, or sporting events. When asked about data safety at large-scale events, 57 percent of global respondents said they are seriously concerned about having their personal data stolen when using public Wi-Fi at large events. Concerns are highest in Latin America, where 69 percent of respondents fear for their personal data when on public Wi-Fi at events.

    While convergence of physical and cyber risks has been a frequent refrain for security practitioners, the 2019 Security Index was the first time Unisys heard similar perspectives from a broad consumer base, says Tom Patterson, chief trust officer for Unisys. Consumers had nearly equal levels of concern regarding cyber and physical or kinetic risks—and their potential interconnectivity—at events.

    “To see cyber and kinetic events coming together in consumers’ minds was truly telling and something that we—as an industry—need to address,” Patterson says.

    For U.S. survey respondents, 81 percent reported at least some level of concern about theft of their personal data when using public Wi-Fi, and 78 percent were concerned about theft of credit card data via public Wi-Fi.

    Globally, 26 percent of attendees who still plan to attend large-scale events will take extra precautions to secure mobile devices and wallets. However, only 15 percent say they are keeping alert for suspicious or threatening behavior.

    Patterson advises event attendees to keep devices patched and updated before attending events and to use virtual private networks (VPNs) or cellular data to reduce Wi-Fi risks. This requires some pre-event preparation, he adds, so venues and event security professionals will need to reach out and advise customers about virtual and physical safety beforehand—without scaring them.

    “Most people at a large event will see security right at the beginning when they get there—they’ll go through a metal detector perhaps or have their purse or backpacks checked,” Patterson says. “They’re aware of the security there, but they’re not really aware of the layer after layer after layer of security that goes into these large events.” He recommends peeling back the layers enough to give attendees a glimpse of the effort that goes into event security, which can help improve attendees’ trust in the organization.

    One key to improving event attendees’ attentiveness is ensuring they have a way to report suspicious behavior, says Ward. “‘See Something, Say Something’ is a great campaign, a great program, but in many cases, we forget to give them the capability to say something,” he explains. “A lot of venues have used signage in prominent locations so fans can see where to text something to, or on video boards before an event or during breaks so fans know if they see suspicious behavior or an issue they need to bring up to the venue to text it to this number. We’re giving [them] more tools and resources.

    “We do understand that when people come to events, it’s to let their hair down and not to be overly cautious,” he adds. “So we want them to be able to say something to us, but we’ve also increased our capacity to notice things through technology.”

    DeMeo recommends emphasizing attendee security education and awareness through campaigns and promotional materials, noting that “an educated fan is a safe fan.”

    Venues are combining printed posters, graphics on digital screens, public service announcement videos, and social media messages on top of more traditional posters or season ticket holder emails to connect attendees, employees, vendors, and contracted security personnel with security information, Harrell says. However, it’s essential to share not just how to contact security personnel but why.

    “It’s always more impactful when individuals recognize why it’s important for them to report suspicious activity,” he says. “Messages should try to motivate individuals to report suspicious activity—to protect themselves, their family and friends, their community, and the activities that they enjoy participating in, including attending large events.”

    See Original Post

  • February 19, 2020 5:56 PM | Anonymous

    Reposted from ABC St. Louis

    Thanks to modern technology and some expert detective work, a nearly 400-year-old painting that had long been attributed to an unknown artist in Rembrandt’s workshop has now been judged to have been a work of the Dutch master himself.

    For decades, the Allentown Art Museum displayed an oil-on-oak panel painting called “Portrait of a Young Woman” and credited it to “Studio of Rembrandt.” Two years ago, the painting was sent to New York University for conservation and cleaning.

    There, conservators began removing layers of overpainting and dark, thick varnish that had been added over centuries — and they began to suspect Rembrandt himself was responsible for the original, delicate brushwork underneath.

    Conservators used a variety of tools, including X-ray, infrared and electron microscopy, to bolster the case that it was the work of one of the most important and revered artists in history.

    The scientific analysis “showed brushwork, and a liveliness to that brushwork, that is quite consistent with other works by Rembrandt,” said Shan Kuang, a conservator at New York University’s Institute of Fine Arts who restored “Portrait of a Young Woman.”

    Outside experts who examined the 1632 painting after the completion of its two-year restoration concurred with the NYU assessment that it's an authentic Rembrandt.

    When “Portrait of a Young Woman” was bequeathed to the museum in 1961, it was considered to be a Rembrandt. About a decade later, a group of experts determined that it had been painted by one of his assistants. Such changes in attribution are not unusual: Over the centuries, as many as 688 and as few as 265 paintings have been credited to the artist, according to Mehalakes.

    The museum has not had the painting appraised — and has no intention of selling it — but authenticated works by Rembrandt have fetched tens of millions of dollars.

    The painting, currently in the museum’s vault, will go on public display starting June 7.

    See Original Post

  • February 19, 2020 5:52 PM | Anonymous

    Reposted from Fox61

    Police say they have made an arrest for a break-in that occurred early Tuesday morning at the Greater Middletown Military Museum.

    Officials said Thursday a person of interest was taken into custody on separate charges, following the investigation of a different home burglary in the same neighborhood Wednesday night.

    Police identified the man involved as 22-year-old Isaiah Nemecek, of Middletown.

    He was charged with 3rd-degree Burglary, Possession of Burglary Tools, 1st-degree Criminal Mischief and 6th-degree Larceny and is being held on a $100,000 bond.

    Video shows Nemecek wearing a mask, swinging an ax to break the handle on the back door of the museum.

    According to a release, Nemecek already had two failure to appear warrants when he was taken into custody. 

    Middletown officials initially said the two burglaries were linked, but now say the home incident is still under investigation.

    During the investigation, officers were able to recover an item from the museum burglary.

    Police say when Nemecek was unsuccessful at the back door, he turned his attention to the front of the building, busting through two sets of glass windows.

    "It’s a really remarkable place," said museum volunteer Joan Liska. "We are just so upset that someone would do that to us."

    The shattered glass covered the floor of the museum when Liska arrived Tuesday morning. Surveillance footage captures a hooded Nemecek by the back door trying to get in. 

    "He left a lot of broken glass around. Broke into one of our display cases and took a few items out of it," said museum president Ken McClellan.

    McClellan was alerted to the break-in when alarms triggered around 4 a.m. The museum is lined with donated uniforms and items from Middletown Veterans. The artifacts are used to tell their stories to ensure their legacy lives on forever. McClellan says they are thankful that nothing else was damaged.

    "A lot of the things we have are frankly irreplaceable," said McClellan. "Some of the things we have might be valuable to collectors but not really to the common person."

    Middletown police responded to the property quickly. They sent a K-9 unit out to track the thief’s movements.

    "They did not locate the suspect at the time but they were able to gather evidence which was very well needed," said Lt. Heather Desmond. 

    The track led to the area behind Veterans Memorial Park near Barbara Road. Middletown Police are asking people who live nearby to check their home surveillance cameras for any sign of the suspect.

    "This is probably one of the most disrespectful things that someone could do is to break into the museum and disrespect our veterans," said Lt. Desmond. 

    Volunteers at the museum say the community has stepped up to help them recover through donations. One local business has already offered to repair the glass.

    "The volunteers are coming trying to help us get right back up. That’s what military do. They support each other," said Liska. 

    Middletown police are asking anyone who may have any home surveillance in the area to review their footage between the hours of 10 PM Monday to 7 AM Tuesday. 

    See Original Post

  • February 19, 2020 5:47 PM | Anonymous

    Reposted from TechRadar

    According to a study by OneLogin about the future of work, more than half of CIOs expect a rise in employees working remotely, while 97% say that soon their workforce will be widely dispersed across geographies and time zones. Businesses are being forced to adapt to the rising demand for a dynamic working environment, which can manifest as anything from workers bringing their own devices to work to employees using corporate machines at home as part of a flexible work schedule. However, this increases the security burden through the need for better identity management.

    Millennials, the Flexible Generation

    This rising demand for flexible working environments seems to be spearheaded by the digital native generation. As Millennial and Generation Z workers come of age in the workplace, they will begin dictating corporate norms. Indeed, 93% of CIOs believe that the pace of business evolution will accelerate by 2025, correlating with a maturing workforce. 

    Studies have shown that digital native workers are significantly less willing to accept substandard technological solutions. According to an annual public survey by flexjobs, 69% of professionals cited flexibility in the workplace as a critical issue when evaluating potential employers. Clearly it is essential that corporations keep up to date with technological trends in order to satisfy their workforce and reduce the ever-increasing skills gap.

    Raising the Bar for Password Security

    The question remains, however, where do organisations draw the line in supporting flexible work practices? With the increase in remote working, companies depend less on secure corporate networks and more on the simple password to protect company assets. As nearly 80% of security breaches involve the abuse and misuse of privileged credentials, one of the biggest threats to corporate security is employee passwords. This is no surprise considering the sheer volume of passwords that personnel have to remember. 

    The average enterprise uses 2,500 unique applications, making identity management a nightmare for most IT teams. It is not uncommon for a single employee to have anywhere between 20 and 200 passwords to remember when accessing these accounts, which results in frequent password reuse. Password reuse could have dire consequences as organisations transition into a hybrid state where their software catalog is split between in-house applications hosted on-premises and cloud-based SaaS applications.

    Identity assurance and data integrity are crucial to adhering to internal security policies, external compliance regulations, and preventing headline-producing and career-altering security breaches. However, when business applications containing sensitive corporate data are accessed from unsecured and unmoderated devices, it provides a range of opportunities for hackers to access data.

    Developing Mature Flexibility

    The modern workplace has witnessed the rise of trends such as bring your own device (BYOD) which means that increasingly, employees are using their own phones, laptops, and tablets rather than company issued devices. The line between the personal and professional is further blurred with employees adding consumer SaaS applications, such as Evernote for organizing tasks, on corporate devices. 

    Understandably, third-party applications installed on personal devices and connected to a corporate network open a can of worms when discussing the topic of identity access management. For example, if a personal device with the login credentials to corporate sites is stolen, it would be catastrophic, not just to the victim but also to business operations.

    While flexible working conditions can increase efficiency and employee morale, they also present several risks. Think, for example, of the caricatured worker fervently typing at a Starbucks, or the commuter replying to emails on the train. Both employees pose a potential threat to corporate identity management departments because public Wi-Fi networks are simple to sabotage, and sensitive information is easily lost when employees lack the appropriate security training. 

    This risk is accentuated when users rely on personal devices that lack corporate cybersecurity measures. If we want to continue the trajectory of flexible working, it is essential to ensure that every worker is logging on to company networks safely and securely using a mobile device management solution.

    Suggested Security Steps

    When considering extra security procedures, there are two forms of identity and access management (IAM) that enterprises can implement to secure themselves: Single Sign-on (SSO) and Multi-Factor Authentication (MFA). Implementing these critical procedures provides an extra layer of security that prohibits access to critical applications without additional authentication checks.

    With SSO, the user’s access to an application or website relies on a trusted third-party to verify that individuals are who they say they are. This method not only makes sign-in easier but also keeps it more secure. Moreover, MFA can employ biometric security procedures that require extra credentials such as voice recognition, facial scanners or fingerprint checks. This not only provides an additional layer of defence, but also verifies which user is logged in and making changes to critical applications, which simplifies compliance with regulations like GDPR.

    Appreciating the Application of Applications

    As the reliance on cloud services and cloud-based applications increases and the acceptance of remote working evolves, attackers will begin looking for new vectors to exploit. In order to combat the needless loss of sensitive data, organisations must implement endpoint security strategies that enable an increasing number of people to work remotely while also ensuring they are doing so securely.

    With younger generations entering the workforce every year, expectations of flexible work practices will continue to increase. The more apathetic organisations are towards evolving work cultures and the associated security concerns, the more likely it is that attackers are going to breach the limited safeguards put in place and compromise sensitive company information. 

    Aside from implementing SSO and MFA, it is essential that organisations remain several steps ahead of would-be cybercriminals by employing sufficient safeguards. Companies must ensure they instill good cybersecurity awareness into all their employees, particularly those working remotely. Only by prioritizing security safeguarding and removing archaic and easily breached methods of authentication can security best practice be upheld for all workers, regardless of where in the world they are.

    See Original Post

  • February 19, 2020 5:42 PM | Anonymous

    Reposted from KOMO News

    Two bonsai trees worth thousands of dollars that were stolen from the Pacific Bonsai Museum on Sunday were both mysteriously returned Tuesday night, according to a museum press release. 

    Two suspects were seen on the museum's security footage when the trees were stolen Sunday morning, but when police arrived, no suspects were found. 

    At about 11 p.m. Tuesday, security guards reportedly discovered the two trees sitting on the road leading to the museum. 

    The trees were especially valuable because of their historical significance. One, a Japanese black pine, was grown from a seed in a tin can by Jizaburo Furuzawa while he was imprisoned in an internment camp during World War II.

    According to the release, the trees were found to be in fairly good shape.

    “The Silverberry suffered some damage. It has some broken branches, probably due to improper transportation and handling, but both bonsai trees and their pots appear to be intact, which means they can return to being on public display," museum curator Aarin Packard said in the release. 

    The Silverberry bonsai will be placed back on public display Wednesday, while the Japanese black pine bonsai will return as the centerpiece for the museum's upcoming exhibit "World War Bonsai: Remembrance & Resilience," which opens May 8.

    “We are deeply grateful for the tremendous outpouring of support from the community and from the media who raised awareness of the bonsai’s disappearance,” said Pacific Bonsai Museum executive director Kathy McCabe in the release.

    It is unclear at this time who returned the trees or why they were taken.

    See Original Post

  • February 05, 2020 2:37 PM | Anonymous

    Reposted from Security Management

    Coaching is a crucial function of managing. Every effective leader must be able to do it well. Such is the philosophy of Cherissa Newton, coauthor of the book Coaching for Results and a leadership expert at the Center for Management and Organizational Effectiveness (CMOE). It’s also the view held by many seasoned security managers like David Barton, the chief information security officer at Stellar Cyber, who previously served as director of security for AT&T and corporate security group manager for Sprint over his long management career.

    “Hopefully as a leader, you realize sooner rather than later that being a good coach to your team is part of being a good manager,” Barton says. “You can’t have one without the other.”

    What differentiates coaching from managing? As Newton defines the concepts in a recent CMOE analysis, managing often involves day-to-day tasks like conducting meetings, assigning tasks, making departmentwide decisions, and dealing with staff conflicts.

    Coaching, on the other hand, is defined by Newton as “a two-way communication process between different members of the organization aimed at influencing and developing the employees’ skills, motivation, attitude, judgment, ability to perform, and willingness to contribute to an organization’s goals.”

    Both are crucial to effective leadership. According to Newton, the benefits of adding coaching to your management style can include enhanced performance, improved productivity, higher employee engagement and retention rates, and a stronger culture of trust in the workplace.

    A Two-Way Street

    The coaching definition’s opening phrase, “a two-way communication process,” is one of the most crucial aspects of coaching, according to veteran managers like John Torres, head of the security and technology consulting practice at Guidepost. Torres has more than 27 years of experience in federal investigative and security management for agencies such as the U.S. Department of Homeland Security (DHS). As an acting director for U.S. Immigration and Customs Enforcement (ICE) from 2008 to 2009, he oversaw 20,000 employees and a $5 billion budget.

    Torres says that working on many different teams early in his career gave him an opportunity to observe “good bosses and bad bosses.” Bad managers, he says, usually acted as the self-styled “smartest guys in the room.”

    “They were like, ‘This is how it’s done,’ and there was no room for questions, even when you often knew there were other ways to do it,” Torres explains.

    In contrast, good managers always maintained two-way communication—even when they knew that they were the smartest person in the room, he says. Those managers did not let their high knowledge level preclude them from being open to other opinions. “They had the ability to communicate and to listen,” Torres says.

    And two-way communication helps enfranchise an employee, which can significantly boost engagement and retention, Barton says.

    “Team members want to feel that they have a say in the direction of the team and how that relates to the overall direction of the company,” Barton says. “Lacking a two-way approach, communications feel dictatorial, and not team-orientated. Team members want to know they make a difference.”

    And team members also want to know what is expected of them, says Chris Stowell, one of the coaching experts at the CMOE. “They want an opportunity to do their best work every day,” he says. Coaching facilitates this; it allows for productive two-way discussions about expectations, results, and suggestions on how to enhance performance. “We may not always like what we hear, but ultimately, we want to do better, be better,” he adds.

    Not One-Size-Fits-All

    Good coaching effectively addresses a truism that holds at every workplace, experts say: each employee is a unique individual.

    That means that learning styles, productivity levels, workload tolerance, and preferred means of recognition differ from staffer to staffer. Sometimes the differences are slight; sometimes they are staggering. But one-size-fits-all management is not the most effective way to help employees fulfill their individual potential or maximize their contributions to the organization.

    “Each person learns differently and thrives under different management styles. It’s our job as a coach/mentor to understand these differences, embrace them, and then lead appropriately,” Barton explains.

    In one of his previous security positions, Barton suspected that a team member was in the wrong role. After a few weeks of observation and directed questions, Barton made a realization.

    “This person was not driven by technology—something essential for an engineer—but rather by people. So I spent a few days with this person discussing my perspective—only for them to agree (after I assured them their job was secure),” Barton says. “I then reached out to some of my peer leaders who led customer-facing teams and helped my team member move to the other department. They thrived and became a great contributor to our company.”

    Individual coaching proved useful for Torres when he was in federal law enforcement, managing a certain type of young idealistic federal agent who did not like to say “no” to any assignment. Soon that agent was “working around the clock.”

    Torres was able to coach the agent about the importance of not taking on a workload that would greatly increase the risk of burnout. “You can coach about work–life balance, to help ensure that they can stay focused and not go down a rabbit hole,” he explains.

    Learning about the individual employee is especially important when it comes to another crucial aspect of coaching: recognition. “Recognizing a staffer’s accomplishments plays a significant role in coaching,” Barton says.

    “For accomplishments you see daily or weekly, acknowledge them! Part of your role as a manager is to see growth, even small steps, from someone on your team,” he continues. “It is pretty easy to throw out a ‘well done’ via email, Slack, or text.”

    Stowell adds that coaching, which regularly recognizes accomplishments, does wonders for staff retention. “That’s very critical to ensuring that you can keep successful employees,” he says. But here again, the individual needs of staffers matter. “Everyone is different,” Stowell says. “Different people have different levels of recognition requirements, so to speak.”

    Thus, some employees prefer one-on-one acknowledgment of accomplishments, while some like more public recognition. In terms of rewards, some prefer material assets like gift certificates, raises, or bonuses, while others like work–life balance enhancements like extra time off or vacation time.

    “Team members are motivated by different things, such as money, public recognition, or promotions,” Barton says. “The manager also needs to think about reactions from the team and from other peer managers. Bigger organizations have processes for promotions, so it’s best to work with HR to ensure your promoted employee’s experience is done right.”

    In addition, a particularly potent form of recognition in coaching is one that cites the details of the accomplishment—details that might have been missed by others but which are noticed by the appreciative manager.

    “Noticing the details is a powerful tool. I develop a sense of how my team wants feedback, and I also show them I notice the details,” Barton says. “This is important if you want people to think they can learn from you.”

    Trust Building

    Coaching that recognizes details and serves as a learning tool for employees builds trust within the organization.

    How can managers increase their chances that they will build trust through their coaching? First off, it should be proactive rather than reactive coaching, Stowell says. To be more proactive, a manager can make coaching part of a daily routine and be ready to take advantage of small issues and developments as coaching opportunities aimed at elevating performance. This is especially effective in ensuring that coaching does not devolve into a reactive series of corrective conversations when things go wrong, he says.

    Of course, there are times when coaching needs to be corrective, but there are ways a manager can do this without discouraging the employee.

    “First, I think it is key to make sure you do it in private—shaming people does not build loyalty with your performers. That only builds fear and mistrust, and potentially your own team will start to throw others under the bus,” Barton says. “It can spiral.”

    But learning this lesson can be difficult for new security managers, who may sometimes be feeling the pressure of a high-stress situation when trying to correct a staffer’s mistake, Torres says. “Often, that’s not something they teach you early on in your career,” he explains. “And in a heated moment, you can say the wrong thing.”

    Given this, it often helps to adopt a measured mind-set so that heated moments can be avoided. It behooves a manager to dispassionately diagnose the root cause of the mistake, Torres explains. Was the mistake purely an issue of employee judgment? Or are there underlying policies and operating procedures that are creating vulnerabilities? Or is it a case of an overworked employee who is making more mistakes due to fatigue? “You take the attitude of, ‘How can we help you do this better?’” Torres says.

    Overall, this type of mindful coaching, which focuses not on the mistake but on stronger future results, shows that the manager cares about the staffer, and that also helps build trust. “Everyone wants coaching to some extent, because coaching is an investment. People want to know you care enough to invest in their success and coach them through their failures,” Barton explains.

    Be Coachable

    In his work as a coaching consultant for CMOE, Stowell has noticed a few recent trends among leaders who are considered successful coaches, and he shared practices that other leaders who aspire to improve as coaches could benefit from.

    One is “coaching on the fly,” which is more likely to take place in a workplace that is also a fast-moving production environment, or one that is highly matrixed. In some of these types of organizations, managers are increasingly prepared to do “quick hits” of brief developmental conversations that have value for both participants. And although they are short, these brief coaching episodes can still take preparation on the manager’s part, Stowell says.

    In Barton’s view, many fast-moving security workplaces could benefit from some coaching on the fly. “Coaching is a just-in-time response, as well as a thoughtful planned activity. A good leader has to be prepared for both approaches and take into account the situation, the team member, and the coaching needed,” Barton says.

    Another trend is coaching across teams, Stowell says. In many organizations, cross-functional teams are becoming more popular as a means of breaking down silos and soliciting a wide range of ideas and viewpoints. This gives team members and team leaders the opportunity to coach other members and leaders, even if the managers have no formal leadership authority over the coworkers they are coaching.

    However, in cases where there is no formal leadership authority, it can help if the coach is “a little bit provisional” in approaching the conversation, Stowell explains. So instead of saying something like “you did this wrong, please fix it,” the team member may offer “an observation around security such as ‘from my perspective, here’s what I am seeing, and here’s what the potential risk is.’ You’re bringing them into the conversation,” Stowell says.

    In the end, experts like Stowell say that everyone in an organization should be both coachable and a potential coach, whether they are a new employee or a manager, a line worker or a senior executive, young or old, experienced or new.

    “I should be able to coach my leader and say, ‘From my perspective, here’s some feedback and insight,’” Stowell says.

    Torres has seen the importance of this throughout his career. Back in the day, when federal agencies were using computer banks, Torres remembers some older agents who badly needed technological coaching from younger employees. “They were deathly afraid of going near the computer. They were happy to be working on an old typewriter,” he says.

    Now, in the era of high-definition cameras and social media saturation, Torres takes advantage of the younger expertise in his senior role at Guidepost. “I continue to be coached by the younger generation,” he says.

    The future may hold even more challenges, such as coaching in virtual environments as organizations employ more remote teams and video conferences, Stowell says. In such situations, he recommends coaches do regular checks for understanding, such as asking staffers to briefly summarize information that was just conveyed, and be especially mindful of their tone of voice. “There are more opportunities for misinterpretations,” he says.

    See Original Post

  • February 05, 2020 2:20 PM | Anonymous

    Reposted from ZDNet

    Hackers intercepted talks between an art dealer and a Dutch museum to scam the museum out of millions, and while they walked away with their ill-gotten proceeds, the victims are now fighting over who is responsible.

    As reported by Bloomberg, London-based veteran art dealer Simon Dickinson and Rijksmuseum Twenthe were in the midst of negotiations over the acquisition of a valuable painting by John Constable, a 1700s-1800s landscape painter from England.

    In particular, it has been reported that the 1855 painting, "A View of Hampstead Heath: Childs Hill, Harrow in the Distance," caught the eye of the museum's director after they visited a European art fair in 2018.

    Conversations took place over email for months, and at some point during the talks, cybercriminals sent spoofed messages to the museum and persuaded Rijksmuseum Twenthe to transfer £2.4 million ($3.1 million) into a bank account from Hong Kong. 

    As a result, the art dealer was never paid for the painting. It is not known who is responsible for the theft.  

    In the aftermath of the scam, both Simon Dickinson and Rijksmuseum Twenthe are claiming the other side is responsible. 

    A lawsuit has been launched at a London High Court. The museum, based in Enschede, the Netherlands, claims that the art dealer's negotiators were roped into some of the spoof emails, and yet did not spot the scam.   

    The museum's lawyer has argued that this silence should be considered "implied representation," according to the publication. 

    In response, Simon Dickinson says that the dealer did not detect the presence of the eavesdropper and the museum should have double-checked the bank details before transferring any cash. 

    Each side is also accusing the other of being the source of the theft by allowing their systems to be compromised in the first place.

    Rijksmuseum Twenthe is seeking damages. On Thursday, the court threw out initial claims that the dealer was negligent -- but said that amended claims for damages may be considered.  

    In the meantime, the museum is holding on to the painting, Bloomberg says, despite Simon Dickinson being unpaid -- and is also preventing the dealer from selling the artwork on to any other collector. According to Artnet, the judge must now decide on who owns the painting. 

    Neither Rijksmuseum Twenthe nor Dickinson has commented on the case.

    See Original Post

  
 
