BT Intruder Alarms: Communicators & Communication Systems

In the age of massive data breaches, phishing attacks and password hacks, user credentials are increasingly unsafe. So how can organisations secure accounts without making life more difficult for users? Marc Vanmaele, CEO of TrustBuilder, explains. User credentials give us a sense of security. Users select their password, it's personal and memorable to them, and it's likely that it includes special characters and numbers for added security. Sadly, this sense is most likely false. If it's anything like the 5.4 billion user IDs on haveibeenpwned.com, their login has already been compromised. If it's not listed, it could be soon. Recent estimates state that 8 million more credentials are compromised every day. Ensuring safe access Data breaches, ransomware and phishing campaigns are increasingly easy to pull off. Cyber criminals can easily find the tools they need on Google with little to no technical knowledge. Breached passwords are readily available to cyber criminals on the internet. Those that haven’t been breached can also be guessed, phished or cracked using one of the many “brute-force” tools available on the internet. It's becoming clear that login credentials are no longer enough to secure your users' accounts. Meanwhile, organisations have a responsibility and an ever-stricter legal obligation to protect their users’ sensitive data. This makes ensuring safe access to the services they need challenging, particularly when trying to provide a user experience that won’t cause frustration – or worse, lose your customers’ interest. After GDPR was implemented across the European Union, organisations could face a fine of up to €20 million, or 4% annual global turnover Importance of data protection So how can businesses ensure their users can safely and simply access the services they need while keeping intruders out, and why is it so important to strike that balance? After GDPR was implemented across the European Union, organisations could face a fine of up to €20 million, or 4% annual global turnover – whichever is higher, should they seriously fail to comply with their data protection obligations. This alone was enough to prompt many organisations to get serious about their user’s security. Still, not every business followed suit. Cloud security risks Breaches were most commonly identified in organisations using cloud computing or where staff use personal devices According to a recent survey conducted at Infosecurity Europe, more than a quarter of organisations did not feel ready to comply with GDPR in August 2018 – three months after the compliance deadline. Meanwhile, according to the UK Government’s 2018 Cyber Security Breaches survey, 45% of businesses reported breaches or attacks in the last 12 months. According to the report, logins are less secure when accessing services in the cloud where they aren't protected by enterprise firewalls and security systems. Moreover, breaches were most commonly identified in organisations using cloud computing or where staff use personal devices (known as BYOD). According to the survey, 61% of UK organisations use cloud-based services. The figure is higher in banking and finance (74%), IT and communications (81%) and education (75%). Additionally, 45% of businesses have BYOD. This indicates a precarious situation. The majority of businesses hold personal data on users electronically and may be placing users at risk if their IT environments are not adequately protected. Hackers have developed a wide range of tools to crack passwords, and these are readily available within a couple of clicks on a search engine Hacking methodology In a recent exposé on LifeHacker, Internet standards expert John Pozadzides revealed multiple methods hackers use to bypass even the most secure passwords. According to John’s revelations, 20% of passwords are simple enough to guess using easily accessible information. But that doesn’t leave the remaining 80% safe. Hackers have developed a wide range of tools to crack passwords, and these are readily available within a couple of clicks on a search engine. Brute force attacks are one of the easiest methods, but criminals also use increasingly sophisticated phishing campaigns to fool users into handing over their passwords. Users expect organisations to protect their passwords and keep intruders out of their accounts Once a threat actor has access to one password, they can easily gain access to multiple accounts. This is because, according to Mashable, 87% of users aged 18-30 and 81% of users aged 31+ reuse the same passwords across multiple accounts. It’s becoming clear that passwords are no longer enough to keep online accounts secure. Securing data with simplicity Users expect organisations to protect their passwords and keep intruders out of their accounts. As a result of a data breach, companies will of course suffer financial losses through fines and remediation costs. Beyond the immediate financial repercussions, however, the reputational damage can be seriously costly. A recent Gemalto study showed that 44% of consumers would leave their bank in the event of a security breach, and 38% would switch to a competitor offering a better service. Simplicity is equally important, however. For example, if it’s not delivered in ecommerce, one in three customers will abandon their purchase – as a recent report by Magnetic North revealed. If a login process is confusing, staff may be tempted to help themselves access the information they need by slipping out of secure habits. They may write their passwords down, share them with other members of staff, and may be more susceptible to social engineering attacks. So how do organisations strike the right balance? For many, Identity and Access Management solutions help to deliver secure access across the entire estate. It’s important though that these enable simplicity for the organisation, as well as users. Organisations need an IAM solution that will adapt to both of these factors, providing them with the ability to apply tough access policies when and where they are needed and prioritising swift access where it’s safe to do so Flexible IAM While IAM is highly recommended, organisations should seek solutions that offer the flexibility to define their own balance between a seamless end-user journey and the need for a high level of identity assurance. Organisations’ identity management requirements will change over time. So too will their IT environments. Organisations need an IAM solution that will adapt to both of these factors, providing them with the ability to apply tough access policies when and where they are needed and prioritising swift access where it’s safe to do so. Importantly, the best solutions will be those that enable this flexibility without spending significant time and resource each time adaptations need to be made. Those that do will provide the best return on investment for organisations looking to keep intruders at bay, while enabling users to log in safely and simply.

There’s only so much a corporation can do to counteract the threat of a major incident. You can ask everyone to be vigilant and to report anything suspicious, but you cannot stop someone intent on deliberately starting a fire, threatening a work colleague with a knife or something much worse. And of course, most businesses recognise that even routine events – such as burst pipes, IT system failures, extreme weather event or power outages – can have significant consequences unless they are quickly brought under control. Training security officers Governments and organisations across the world are increasingly encouraging businesses to re-assess risks and to plan for and conduct drills for major emergencies. This is driving different agencies and companies to invest in new skills, resources and systems, and encouraging businesses to routinely re-evaluate their emergency response strategies. UK police forces are increasingly training security officers in the public and private sectors on how best to react to potential terrorist incidents For example: UK police forces are increasingly training security officers in the public and private sectors on how best to react to potential terrorist incidents, as part of the UK government’s Action Counter Terrorism programme. And organisations including the Association of University Chief Security Officers (AUCSO) and Higher Education Business Continuity Network (HEBCoN) are developing customised training for their members to improve their own response and business continuity plans. Mass notifications systems Whether an organisation is facing a terrorist attack or a severe weather event, follow up reports consistently identify that the same types of challenges are common to all crisis situations, with similar errors often occurring again and again. Typically, these are centred on three key areas: poor communications, fractured command and control structures, and delayed deployment of resources. Communications skills and technologies clearly play a pivotal role in how effective an organisation is in responding to major incidents, particularly when it comes to assessing the situation and its implications, moving people towards safety and providing updates as an incident unfolds. However, when an organisation is considering its technology options, emergency response and mass notification systems (MNS) are often touted as the ideal platform to deliver all the required critical communications and ongoing updates. UK police forces are increasingly training security officers in the public and private sectors on how best to react to potential terrorist incidents Emergency notification system All the incident reporting, command and control, and communications functions have been brought together on a single platform But, if an organisation does not know exactly where all its staff or students are, and it cannot see the location and availability of its first responders and other emergency coordinators relative to them and the incident, then how useful is it to send a top-down alert to everyone? And what about fast moving or multi-centre incidents, where previously agreed evacuation procedures, recommended actions or mustering points may need to change if an incident takes an unexpected turn? Many organisations may have been lulled into believing that an emergency notification system will allow them to confidently handle all the communications aspects of virtually any crisis. In reality, too many businesses are still unaware that there are now much more sophisticated and proven technologies where all the incident reporting, command and control, and communications functions have been brought together on a single platform. Using live map tracking The benefit of using these advanced and more integrated approaches – often categorised as mobile distributed command and control systems – is that they enable faster and better decision making in a crisis using real-time feedback and two-way dialogue with those closest to the emergency. And they avoid the risks of any potential delays, miscommunications or mistakes that can happen when an organisation is under pressure to respond and often switching between multiple systems. Leading universities and multi-national corporations are already using new mobile/web-enabled platforms to improve their incident response These next generation emergency management platforms have been specifically designed to enable real-time mapping of an organisation’s security assets and its users on a single screen and to fully integrate it with a highly targeted geo-fenced notification capability. The mass notification aspect of the system can then be used to advise specific groups on the best actions to take at their location as an incident develops. The use of live map tracking enables real time mapping of an organisation's security assets  Segmented messaging Many leading universities and multi-national corporations are already using these new mobile/web-enabled platforms to plan, manage and improve their incident response, leading to 50% faster reactions and more positive outcomes.During a crisis, users can receive push notifications so the security centre can immediately see their exact location and advise them accordingly The systems have been widely adopted within the higher-education sector, but they are equally applicable to any large company with multiple international sites or those situated in research or corporate campuses where the bulk of assets and people are based in one or more key locations.  Typically, systems provide users with a smartphone app that they can use to call for immediate emergency or first aid support when at work, or to report something suspicious which could prevent an apparently minor incident from escalating into a full-scale emergency. During a crisis, users can receive push notifications, SMS and E-mails asking them to open the app if they are not already logged in, so the security centre can immediately see their exact location and advise them accordingly. Supporting dispersed mustering Now that communications can be more nimble, responsive and flexible this can support the increasing numbers of planners are recognising the advantages of dispersed mustering. This is a strategy that has been developed to reduce the risk of secondary attacks on unprotected people complying with instructions to evacuate from premises and gather in what are, effectively, exposed locations. It is now acknowledged that evacuees waiting outside for any length of time are more vulnerable to targeted attacks or to injury, from flying glass for example. With dispersed mustering – a strategy made more effective by these new mobile distributed command and control systems - a building’s occupants can be advised not to go outside, but to move to known safe internal locations. People in each specific area can then be kept regularly updated. Many corporations are now using new mobile/web-enabled platforms to improve their incident response Coordination between response agencies The software platforms can be integrated with an organisation’s fixed security infrastructure to take real-time sharing of information First responders are permanently logged in, so the emergency operations centre can see their exact locations in real-time and can advise what actions to take in mustering people or in setting up and protecting security cordons. Bringing everything together on one platform, with real-time feedback and in a fully integrated system also removes what is often seen as the weakest communication link in managing any major incident: the need to rely on conventional two-way radio as the sole means of communication between the command and control centre and its first responders and other team members on the ground. The software platforms can be integrated with an organisation’s fixed security infrastructure to take real-time sharing of information to a new level for improved collaboration, coordination and communications between users, the incident management team and external agencies. Improving emergency response strategies One of the most powerful features of some of these new systems is the ability to record and view all alerts, responses and the detailed conversations between first responders, emergency coordinators and other parties. This allows the systems to be used to simulate major incidents involving inputs from the emergency services and other key agencies and to ensure the organisation’s crisis management plans have been fully tested against a range of possible incident scenarios.

As we approach National Safe Schools Week (October 21-27), it is appropriate for a conversation to begin regarding establishing standards for K12 school security. Currently no standards exist for assisting schools navigate the complexity of understanding what they need, how much it will cost and how they will secure their learning environments. Security industry experts The Partner Alliance for Safer Schools (PASS) is one of the organisations at the forefront of establishing security standards for schools. In 2014, the Security Industry Association (SIA) and the National Systems Contractors Association (NSCA) formed PASS, which brought together a cross functional group of members including school officials, safe schools’ consultants, law enforcement and security industry experts to collaborate and develop a coordinated approach to protecting K-12 students and staff. School administrators are often contacted repeatedly by organisations with multiple safety and security products PASS has provided valuable insights regarding an ‘All Hazards’ approach to school safety and security. In fact, PASS suggests that school administrators are challenged with two decisions: Determining what they need to do How to prioritise Safe school environment School administrators are experts in running schools and providing education. However, most are not security experts and do not understand the complexity of implementing a comprehensive physical security and safety program across their districts. Still, they are often contacted repeatedly by organisations with multiple safety and security products. School administrators are experts in running schools and providing education, but most are not security experts  Some of these organisations recognise their products are just pieces of a safe school environment puzzle and how they fit in, whereas others focus on specific applications and do not understand how their specific solutions may affect life safety codes and Americans with Disabilities Act law. (Note: Many ‘barricade devices’ fall into this latter category and actually introduce liability concerns with the unintended consequences of their use.)Schools incorporate evacuation drills as part of their emergency preparedness plans and practice on a regular basis Even for experts, the plethora of options and disparate systems required to integrate a safety and security approach at schools is daunting. The ongoing challenge is integrating access control, video, mass notification, and/or visitor management products into a single, effective, and appropriate system the owner can understand, utilise, and afford and that meet local codes and ADA laws. In the absence of standards, schools are likely to amass a collection of devices that do not constitute a comprehensive solution. Lack of consensus In years past, the our industry and commercial buildings adhered to legacy codes – like Building Officials and Code Administrators International Inc. (BOCA), Uniform Building Code (UBC), Southern Building Code Congress International Inc. (SBBCI), and International Conference of Building Officials (ICBO) – which have traditionally been revised every three years, while local jurisdictions decided what versions to adopt and enforce. Currently, however, there is a move toward the International Building Code (IBC), which is published by the International Code Council (ICC) and includes standards and guidance for commercial buildings on doors, windows, and other openings.A risk assessment is the next step toward developing a comprehensive security plan, and begins with developing a trend analysis Still, despite this migration of codes from a patchwork of local decisions to global guidelines, there remains a lack of consensus around school security. The current fragmented approach causes confusion regarding how new schools are designed and how to retrofit existing school buildings, whose average age is 45+ years. Right protection equipment One can point to the fact that there hasn’t been one student lost in a school fire in over 50 years as testament to standards like NFPA 80 and NFPA 101 being referenced in model building codes. Additionally, schools incorporate evacuation drills as part of their emergency preparedness plans and practice on a regular basis. It’s not just having the right protection equipment in the building, it’s also having a procedural layer in place to make sure everyone knows their roles and responsibilities in the event of fire. The stress of the actual event can limit ones’ ability to think clearly. Practice makes perfect. Why would we approach school security any differently? School security is a team effort, and it is important to understand all the areas security impacts and involves School security is a team effort. It is important to understand all the areas security impacts and involves. PASS suggests starting with a basic team consisting of: Security Director Local Law Enforcement School Administrator Integrator Door and Hardware Consultant IT Director Comprehensive security plan Quantifying and mitigating risk are the jobs of security professionals and school administrators A risk assessment is the next step toward developing a comprehensive security plan. This often begins with conducting a trend analysis requiring the collection of data from a variety of public and private sources. The challenge is to pull these pieces into a usable and easily understood format that provides a guide for current and future risk concerns. Risk assessment and mitigation can never eliminate risk. Quantifying and mitigating risk are the jobs of security professionals and school administrators. Data from the following sources can help measure risk: Campus: Review incident report trends for at least the past 36 months. Area and city: Review crime data from local law enforcement for the surrounding neighborhood and city. Screening procedures: How is hiring conducted? Anonymous tip reporting systems: Enabling students, staff members, parents and the community to anonymously alert administrators to perceived and actual threats. Social media monitoring: such monitoring can provide important information that can be used to identify risks. Monitoring social media could help measure risk for school safety Delay adversarial behaviors These assessments can then be incorporated into the best practice approach of Layered Security. Layered security combines best practice components within each layer that effectively deter, detect and delay adversarial behaviors. Layered security works from the outside in. As one layer is bypassed, another layer provides an additional level of protection. The asset being protected is at the center of the layers – students, staff and authorised visitors. PASS defines five layers of Security:As one layer is bypassed, another layer provides an additional level of protection District Wide Property Perimeter Parking Lot Perimeter Building Perimeter Classroom/Interior Perimeter Appropriate Tier target Each layer can be broken down into Tier levels with Tier 1 being basic and Tier 4 being the highest level of security (Figure 1) . It is important to understand that the demographics of individual school buildings varies, even within the same district. Security experts will quickly point out that ‘if you’ve seen one school, you’ve seen one school’. The assessments will determine the appropriate Tier target. Figure 1 Each layer includes essential protective elements, or components, of security. Every layer does not necessarily include all seven of these common components, and a layer may include additional components unique to that particular layer. Safety and security components Policies & Procedures People (roles & training) Architectural Communication Access Control Video Surveillance Detection and Alarms While components are not listed in a priority order, three components included in all layers are policies and procedures, the roles and training of people, and communication. These components often perform a function in every layer and every tier in each layer. Three tools come together in the PASS approach as outlined in the new 4th Edition of the PASS Guidelines (Figure 2) - the Layers are established and defined, a Checklist/Assessment breaks down each layer into tiered best practices which then tie into the guidelines where a narrative explains each best practice in more detail. Figure 2  Schools need not reinvent the wheel when it comes to school security planning. Following the best practices of Risk Assessments and Layered Security will ensure that every school building in a district will have a unique and comprehensive plan that is tailored to their individual needs.