The programme increases the number of people within an organisation who behave appropriately to safeguard the workplace

Organisations have a duty of care to protect their employees wherever they work. But in the increasingly complex world that we all live in, the ability to deliver a risk-commensurate and cost-efficient security programme that adds real value to a business is extremely challenging, according to IFSEC International 2016 speaker Frank Cannon. He will be speaking on developing an employee security awareness programme in the Security Management Theatre at IFSEC International in London on 23 June.

Benefits and challenges of security awareness programmes

SourceSecurity.com: In what ways does a good employee security awareness programme add value to a business?

Cannon: Simply put, it increases the number of people within an organisation who behave appropriately to safeguard the workforce and protect its property. Through enhanced vigilance and informed awareness, the employees identify and report suspicious conditions or people at the earliest opportunity, so triggering a proportionate response by others. This early notification helps to minimise the negative consequence of crime and thus saves money. 

SourceSecurity.com: Why is implementing an employee security awareness programme such a challenge?

"The location, audience, time
available and importance of the
security message often dictate
how and when the security
awareness programme is delivered"

Cannon: To be effective, a security awareness programme must have the support of senior executives and then resonate with the workforce. It is necessary to identify a series of key security messages that are consistent with the security risks, but that also echo the organisation’s beliefs and vision statement. The pitch, tone and proportionality of the security message must complement the day-to-day working culture of the target audience. There is no one-size-fits-all programme that can be used to create a security culture, but more there’s a need for a cognitive process that requires an informed approach to harness the views of numerous stakeholders. Once initiated, the programme must adapt to the changing work environment and security risks.  

The challenge is convincing leaders to invest funds based on the likelihood that an undesirable event will have a negative impact on the business and/or convincing the workforce to change their behaviours to minimise the impact of such events.

Logistics of security awareness training

SourceSecurity.com: If all employees are effectively part of the wider security team, how do you distinguish between their roles and those of security professionals?

Cannon: A “team” is a group of people with a common purpose; in this instance, the purpose is to safeguard all those within the team and to protect the property they use or own. Communication is the essence of good teamwork and by encouraging each and every member of the team to observe, listen and communicate, it allows others to take appropriate action to address any fears or concerns. Non-security professional members of staff become the “alarm” or information gatherers, leaving the security practitioners to respond or analyse and plan. 

SourceSecurity.com: What does a security awareness training programme look like? 

Cannon: My belief is that “training” is a process to develop skills or practical ability, whereas “education” is the giving and receiving of knowledge or theoretical competence. A security awareness programme is an educational process to help employees observe events or people through a “security lens” and help them recognise an abnormal situation that may place people or property at risk.

In a security awareness programme, the message being communicated must be relevant, important and personal to each person
Initial inductions, promotional courses, trade training, team meetings, periodical
workshops and quarterly town halls all provide good platforms to engage workforces

SourceSecurity.com: What are the main elements of such a programme?

Cannon: Prior to the development of a security awareness programme, the security threats and associated risks against the organisation, its workforce or its assets require assessment. You then have to create an integrated security programme with a proportionate blend of physical, technical and procedural elements. The security procedures set out behavioural expectations for employees, so that a pre-determined outcome is achieved. Only then can an employee awareness programme be developed to communicate with the workforce. 

A programme consists of numerous methods (or tools) to communicate security expectations to active participants. These consist of key messages, each of which amplifies specific issues that, when put together, help to create a security culture. This isn’t a tangible asset or outcome but more a way routine business is carried out. Key messages are developed with the support of stakeholders and should complement an organisation’s culture, beliefs and operating processes. 

SourceSecurity.com: What format does the training take (classroom/online/reminders/refreshers etc.)?

Cannon: Security education is a continually evolving process that takes advantage of opportunities as they appear. Initial induction, promotional courses, trade training, team meetings, periodical workshops and quarterly town halls all provide good platforms to engage the workforce.

"By encouraging each and every
member of the team to observe,
listen and communicate, it allows
others to take appropriate action
to address any fears or concerns"

The location, audience, time available and importance of the security message often dictate how and when the security awareness programme is delivered. This can range from regular (3 to 5 minute) “security moments” at the start of routine meetings, to a full day workshop involving larger audiences. A tradesperson with little access to a computer may benefit from a “toolbox talk” at the start of the day, whereas an office worker may learn more through an online e-package. For those with time – or for the more important security risks – a workshop or standalone meeting may be the most appropriate forum. Alternatively, a well-designed poster may successfully convey the simpler messages. 

The critical element of a security awareness programme is that the message being communicated must be relevant, important and personal to each person. He or she must identify with the message and understand a personal benefit for changing an otherwise acceptable behaviour to help increase the levels of protection for themselves, their colleagues or the property they are responsible for. 

Effective physical and cyber security awareness

SourceSecurity.com: Does the security awareness programme include information security as well as conventional physical security?

Cannon: If the organisation, its management or the security risk assessment identifies a cyber risk that requires employees to behave in a specific way, then information security can be included in the programme. Anything that adds to the protection of personnel or assets can be included, including health and safety, environmental or community interaction.  

SourceSecurity.com: How can you measure the effectiveness of such a programme?

Cannon: This is challenging and is often why organisations tend not to invest in security awareness programmes. I often say that the success of my programme is when I have leaders or supervisors discussing personal safety or asset protection as part of routine business. An organisation with an effective programme (or security culture) has security as part of its operational planning process, listed within job descriptions and part of its meeting agenda items.

Success is when employees are routinely reporting suspicious people or events, where employees are willing to participate in workshops or practice drills, where they change their behaviours based on advice received and where they seek out security awareness materials for use within their own teams. The ultimate goal is to have an incident- and injury-free working environment so that the incident statistics support a downwards trend. The security risk level can change overnight, however, so incident trends are not always a true reflection on the success of a security awareness programme.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

Ron Alalouff Contributing Editor, SourceSecurity.com

In case you missed it

COVID-19 worries boost prospects of touchless biometric systems
COVID-19 worries boost prospects of touchless biometric systems

Spread of the novel coronavirus has jolted awareness of hygiene as it relates to touching surfaces such as keypads. No longer in favour are contact-based modalities including use of personal identification numbers (PINs) and keypads, and the shift has been sudden and long-term. Both customers and manufacturers were taken by surprise by this aspect of the virus’s impact and are therefore scrambling for solutions. Immediate impact of the change includes suspension of time and attendance systems that are touch-based. Some two-factor authentication systems are being downgraded to RFID-only, abandoning the keypad and/or biometric components that contributed to higher security, but are now unacceptable because they involve touching. Touchless biometric systems in demand The trend has translated into a sharp decline in purchase of touch modality and a sharp increase in the demand for touchless systems, says Alex Zarrabi, President of Touchless Biometrics Systems (TBS). Biometrics solutions are being affected unequally, depending on whether they involve touch sensing, he says. Spread of the novel coronavirus has jolted awareness of hygiene as it relates to touching surfaces such as keypads “Users do not want to touch anything anymore,” says Zarrabi. “From our company’s experience, we see it as a huge catalyst for touchless suppliers. We have projects being accelerated for touchless demand and have closed a number of large contracts very fast. I’m sure it’s true for anyone who is supplying touchless solutions.” Biometric systems are also seeing the addition of thermal sensors to measure body temperature in addition to the other sensors driving the system. Fingerscans and hybrid face systems TBS offers 2D and 3D systems, including both fingerscans and hybrid face/iris systems to provide touchless identification at access control points. Contactless and hygienic, the 2D Eye system is a hybrid system that combines the convenience of facial technology with the higher security of iris recognition. The system recognises the face and then detects the iris from the face image and zeros in to scan the iris. The user experiences the system as any other face recognition system. The facial aspect quickens the process, and the iris scan heightens accuracy. TBS also offers the 2D Eye Thermo system that combines face, iris and temperature measurement using a thermal sensor module. TBS's 2D Eye Thermo system combines face, iris and temperature measurement using a thermal sensor module Another TBS system is a 3D Touchless Fingerscan system that provides accuracy and tolerance, anti-spoofing, and is resilient to water, oil, dust and dirt. The 2D+ Multispectral for fingerprints combines 2D sensing with “multispectral” subsurface identification, which is resilient to contaminants and can read fingerprints that are oily, wet, dry or damaged – or even through a latex glove. In addition, the 3D+ system by TBS provides frictionless, no-contact readings even for people going through the system in a queue. The system fills the market gap for consent-based true on-the-fly systems, says Zarrabi. The system captures properties of the hand and has applications in the COVID environment, he says. The higher accuracy and security ratings are suitable for critical infrastructure applications, and there is no contact; the system is fully hygienic. Integration with access control systems Integration of TBS biometrics with a variety of third-party access control systems is easy. A “middleware” subsystem is connected to the network. Readers are connected to the subsystem and also to the corporate access control system. An interface with the TBS subsystem coordinates with the access control system. For example, a thermal camera used as part of the biometric reader can override the green light of the access control system if a high temperature (suggesting COVID-19 infection, for example) is detected. The enrollment process is convenient and flexible and can occur at an enrollment station or at an administration desk. Remote enrollment can also be accomplished using images from a CCTV camera. All templates are encrypted. Remotely enrolled employees can have access to any location they need within minutes. The 3D+ system by TBS provides frictionless, no-contact readings even for people going through the system in a queue Although there are other touchless technologies available, they cannot effectively replace biometrics, says Zarrabi. For example, a centrally managed system that uses a Bluetooth signal from a smart phone could provide convenience, is “touchless,” and could suffice for some sites. However, the system only confirms the presence and “identity” of a smart phone – not the person who should be carrying it. “There has been a lot of curiosity about touchless, but this change is strong, and there is fear of a possible second wave of COVID-19 or a return in two or three years,” says Zarrabi. “We really are seeing customers seriously shifting to touchless.”

How to maximise your body temperature detection systems
How to maximise your body temperature detection systems

There are many companies jumping into selling temperature detection systems to the state, local governments, hospitals, airports and local businesses, but do they know how to drive one? Anyone can get behind a car and drive it into a wall by accident. The same can happen with a temperature detection system.  The first thing you should ask is “does my firm have a certified thermographer?”. If not, the firm are at risk of getting a low quality system that is being resold to make quick cash. Businesses that are doing this do not know how to operate it properly. Asking the right questions Secondly, you should ask whether the system is NDAA compliant. NDAA compliance means that your temperature detection equipment is protected by U.S. law. Does your system have a HSRP device (blackbody)? HSRP (Heat Source Reference Point) is a device that will allow the camera to detect the correct temperature a distance. Even if the room temperature does change throughout the day, treat it as a reference point for the camera to know the temperature at that distance. Can your system scan mutliple people at once? Can your system scan mutliple people at once? This is a bad question but often asked since most systems will say yes. For ease, everyone wants to scan many people at once, but the best practice according to FDA and CDC guidelines is to run one person at a time for best accuracy. Why? The HSRP (blackbody) device tells the camera what the correct temperature is at a given distance away from the camera. Every foot you are away from the HSRP device will be off by 0.1 degrees roughly. If you are in a room full of people, let's say 6, in view of the camera, every person that is not next to the HSRP device (5) will be given an inaccurate reading. Hence why it is so important to run the system correctly with just one person at a time. You will also need to follow the 6 feet rule. If you take that into consideration, one at a time at 6 feet apart, the device should tell you how you need to run the system. Sensitivity of thermal imaging Is your system’s sensor accurate enough? The FDA recommends an error of ±0.5°C or better. When looking for a system, make sure it is better than what they recommend. I would recommend ±0.3°C or better. Do not purchase a system over ±-.5°C degrees as you are doing yourself and your customers or employees an injustice.  Another thing to look at is how many pixels it can determine the temperature from. Some cameras can only tell the temperature of 6 points on the screen, whilst others can take a temperature reading from each pixel. Take a 384x288 camera, for example, which would be over 110,000 points of temperature taking on a single image.      Thermal cameras are very sensitive, so there are a lot of do’s and don’ts. For example, the system cannot see through glasses or hats. On the below image you can see a person with the visual camera on the right, whilst on the left side is through a thermal camera.  Both are pointing at the same area. It is clear the person on the left side is “invisible” to the thermal imaging camera. Demonstrating the sensitivity of thermal imaging If you are a company who wants to detect the temperature of customers or employees though the front door, window or a car window, the answer would be no. You need a clear line of sight without any interference to scan for temperatures. Other things you need to look out for is wind and distance away from the HSRP (blackbody) device. Air and distance away from the HSRP device will make the system less and less accurate the more space between the device. Air and distance away from the HSRP device will make the system less and less accurate Thermal imaging and COVID-19 If you have a clear line of sight, is there anything I need to know? The answer is yes. Reflective materials such as metal can interfere with your temperature readings. Reflective materials are easily picked up from the thermal side so pointing at a medal, glass or anything reflective can cause inaccuracies within the system. In the age of COVID-19, temperature detection systems are more important than ever. Organisations must get a system in place to help scan for high temperatures in order to reduce the spread of the virus.

What are the security challenges of the oil and gas market?
What are the security challenges of the oil and gas market?

Protecting the oil and gas market is key to a thriving economy. The list of security challenges for oil and gas requires the best technology solutions our industry has to offer, from physical barriers to video systems to cybersecurity. We asked this week’s Expert Panel Roundtable: what are the security challenges of the oil and gas market?