Hanwha Techwin, a global supplier of IP and analog video surveillance solutions, has announced its top 5 key trend predictions for the security industry in 2020. They include AI end-to-end security solutions, cybersecurity, cloud-based data insights, privacy protection and vertical specialised solutions.

AI End-to-End Security Solutions

As AI becomes more broadly adopted across industries, it is likely to be more widely incorporated in video surveillance in the upcoming year. Edge-based AI (wh...
Multi-discipline distributor Oprema has been awarded ISO 9001 certification for its Quality Management Systems (QMS) following a 2-day audit. Established by the International Organisation for Standardisation (ISO), the ISO 9001:2015 standard provides a framework for organisations' QMS built around the concept of continual improvement.

Quality Management Systems (QMS)

An effective QMS in place helps provide focus to a business and allows the organisation to identify key processes Having...
DigiCert + QuoVadis have been certified in the Netherlands and Belgium to provide remote Qualified Electronic Signatures for customers using its cloud-based Digital Signing Service (DSS) platform. QuoVadis, acquired by DigiCert in January 2019, is an accredited Qualified Trust Service Provider (QTSP) in the Netherlands and Belgium under the EU eIDAS regulation 910/2014 and is able to offer EU trust services to all member states, as well as in Switzerland under ZertES.

eIDAS Qualified Electroni...
Corps Security has been re-awarded its contract with Walsall College for a further five years following a competitive tender. The ongoing partnership involves static guarding, control room management, patrolling, and front-of-house and student services assistance across all four campuses.

Security Contract

Walsall College, based in the Midlands, has been rated outstanding by Ofsted and is the largest provider of courses in the borough. The college’s main campus is in Wisemore, with other...
HID Global, a globally renowned provider of trusted identity solutions, has announced that it has expanded its digital certificate family to offer an Extended Validation (EV) Code Signing (EV CS) certificate that protects software from tampering and forgery. Customers who download software that has been digitally signed with the IdenTrust TrustID EV CS certificates can identify the source and launch its applications or other code without receiving an ‘Unknown Publisher’ warning from t...
Tamworth-based trade association DHF (Door & Hardware Federation) has, this week, launched its CSCS-approved card partner scheme in collaboration with the Automatic Door Suppliers Association (ADSA). The DHF CSCS card provision is for those who work with industrial doors, domestic garage doors, automated gates & traffic barriers and metal or timber doors.

CSCS cards for construction workers

“Whilst not a legislative requirement, CSCS cards are supported by the government and pr...
Fugue, the company delivering autonomous cloud infrastructure security and compliance, has announced the release of the Fugue Best Practices Framework to help cloud engineering and security teams identify and remediate dangerous cloud resource misconfigurations that aren’t addressed by common compliance frameworks. Users can deploy the Fugue Best Practices Framework within minutes to improve the security posture of their Amazon Web Services (AWS) cloud environments.

Cloud misconfiguration, primary cause of data breaches

Cloud misconfiguration is the number one cause of data breaches involving public cloud services such as those offered by AWS. The scale, complexity, and dynamic nature of cloud infrastructure environments often lead to significant misconfiguration events that traditional security analysis tools fail to prevent or detect. According to Neil MacDonald at Gartner, “Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes.”

While compliance frameworks such as the CIS Foundations Benchmarks address a number of cloud misconfiguration risks, recent major cloud-based data breaches were possible due to misconfigurations not necessarily covered by these standards. The Fugue Best Practices Framework is designed to complement standards such as the CIS Foundations Benchmark to provide additional protection against today’s advanced misconfiguration attacks.

Fugue Best Practices Framework

“Enterprise cloud and security teams are recognising that their current cloud security posture leaves them vulnerable to newer and more sophisticated misconfiguration attacks,” said Phillip Merrick, CEO of Fugue. “The Fugue Best Practices Framework gives cloud teams a simple tool to quickly identify these misconfigurations in their cloud environment and the most comprehensive security against cloud misconfiguration risk when used in combination with a framework like the CIS Foundations Benchmark.”

The Fugue Best Practices Framework includes rules covering the following cloud vulnerabilities:

- Identity and Access Management (IAM) misconfigurations that can provide bad actors, including malicious insiders, with the ability to move laterally and discover resources to exploit
- S3 bucket policy misconfigurations that can be exploited to exfiltrate data
- VPC Security Group rule misconfigurations that can enable malicious access via Elasticsearch, etcd, and MongoDB services

Enhancing cloud infrastructure security

Fugue will continue to add new rules to the Fugue Best Practices Framework as new misconfiguration attack vectors are identified. The Fugue Best Practices Framework joins a growing number of out-of-the-box cloud compliance frameworks Fugue provides, including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC2. Fugue also supports custom rules using Open Policy Agent, an open source policy-as-code engine, making it easy for enterprise cloud teams to create cloud infrastructure policies tailored to meet their specific use cases and security requirements. The Fugue Best Practices Framework is available now for all Fugue customers and can be used with a 30-day free trial.
ExtraHop, a global provider of cloud-native network detection and response solutions, has announced that it has joined the Microsoft Intelligent Security Association (MISA), which brings together an elite group of security-related companies partnering with Microsoft to defend against threats facing hybrid enterprises today. ExtraHop also announced a new integration between the ExtraHop Reveal(x) platform and Microsoft Azure Sentinel enabling faster threat investigation and remediation.

ExtraHop Reveal(x) and Microsoft Azure Sentinel integration

ExtraHop Reveal(x) is the first cloud-native network detection and response vendor to offer in-depth integration with Azure Sentinel. Through this integration, high-fidelity alerts from Reveal(x) can be used to automate responses based on an organisation’s unique security policies. The integration also allows for the creation of customisable Jupyter Notebooks that security and development operations teams can use for threat hunting and investigation. Additionally, customers can now access Reveal(x) dashboards within Azure Sentinel for unified access to real-time threat analysis.

Enterprise security

“Cloud has forced a reckoning in enterprise security, driving the shift from perimeter-based ‘prevent and protect’ strategies to ones that increasingly center on visibility, detection, and response,” said Raja Mukerji, Chief Customer Officer and Co-founder at ExtraHop. “Through the Microsoft Intelligent Security Association and by integrating with solutions like Reveal(x), Microsoft is enabling the next frontier of cybersecurity.”

Sarah Fender, Group Program Manager, Microsoft Cloud + AI Security said, “ExtraHop’s integration with Azure Sentinel enables our mutual customers to do more. By connecting data, insights, and automation workflows with ExtraHop’s Reveal(x) network detection and response offering, Azure Sentinel customers benefit from extended visibility across their cloud networks, and empower their defenders to act quickly in response to threats.”
Device Authority, a pioneer in Identity and Access Management (IAM) for the Internet of Things (IoT), announced it has been accepted into the Venafi Machine Identity Protection Development Fund.

For decades, code signing has been used to verify the integrity of software, and nearly every organisation relies on it to confirm their code has not been corrupted with malware. Code signing keys and certificates are used in a wide range of products, including firmware, operating systems, mobile applications and application container images. Unfortunately, organisations often struggle to secure and protect code signing operations because they don’t have a solution that allows them to consistently enforce policies across locations, tools and processes.

As enterprises embrace and adopt IoT devices, code signing usage will continue to grow at an exceptional rate. Many organisations use home-grown solutions to fulfill code signing requirements for IoT use cases, but these tools often lack the visibility, automation and intelligence needed for proper protection.

Automated solution

Using its sponsorship from Venafi, Device Authority will provide a new turn-key code signing and update delivery extension to KeyScaler, powered by Venafi Next-Gen Code Signing, to connect security team policy and controls to secure the code signing process. Device Authority’s KeyScaler platform provides an automated solution to provision unique certificates, signed by a pre-configured Certificate Authority, to IoT devices – without requiring any human intervention. Additionally, Device Authority will create a new Certificate Authority service connector for the Venafi Platform. This will allow KeyScaler customers to use the Venafi platform as a source for certificate issuance.

“Historically speaking, it’s very difficult to secure code signing operations for IoT devices,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “When developers sign code, IoT updates can be ripe for attack. As we’ve seen with Stuxnet, stolen code signing keys and certificates are powerful cyber weapons.”

IoT cyber security

“Attacking the code signing process can provide cyber attackers with control over a fleet of IoT devices. We’re pleased to work with Device Authority, a global IoT cyber security leader, to integrate with Venafi Next-Gen Code Signing to protect IoT.”

“Venafi is a technology pioneer in the machine identity protection market. They understand the challenges of protecting IoT device identities and the applications they send data to. Being accepted into their development fund is a huge success for the Device Authority team and we are excited to complete the development and integration in the coming months,” said James Penney, CTO of Device Authority.

Comprehensive protection for machine identities

Venafi’s Machine Identity Protection Development Fund is a $12.5 million initiative to protect all machine identities. Funded developers will create integrations that accelerate the delivery of comprehensive protection for machine identities across complex enterprise networks. The Development Fund is a global initiative and will increase the visibility, intelligence and automation required for machine identity protection.

The Machine Identity Protection Development Fund encourages recipients to build integrations across any technology that creates or consumes machine identities, including:

- Cloud and hybrid cloud infrastructure
- DevOps
- Containerisation
- Secure Shell (SSH)
- Code signing
- Robotic Process Automation (RPA)
- Artificial intelligence, machine learning and big data analytics
- IoT
- Blockchain distributed ledger technology
The Confederation of European Security Services (CoESS) and Euralarm have published a joint brochure on cyber security. The first copy of the brochure ‘Cyber security - Threat or Opportunity? It’s up to you!’ was launched during the General Assembly of CoESS held on 11 October in Rome. Cyber security breaks up the borders between product development, design, installation, operational continuity and alarm response. The guidelines highlight that when addressing cyber security, it is important to understand that all steps are inter-related in a security supply chain.

‘Cyber security - Threat or Opportunity? It’s up to you!’

With CoESS and Euralarm as publishers of the brochure, it covers the complete supply chain for the fire and security market – from manufacturers of products to private security companies and their customers. The brochure highlights in understandable language the risks and responsibilities for each stakeholder in the chain and what companies need to do to mitigate these risks – both from a human and technological perspective. Many are not yet aware of the importance of these, sometimes simple, measures for the security and reputation of their business.

Importance of cyber security

Cyber security is a top priority for businesses and governments. Many large, but also small, enterprises already have structures and people in place to enhance resilience against the risks of cyber security. But with a rapidly increasing number of devices connected to a network, the cyber security risks are getting bigger. Taking measures to enhance resilience against cyber-threats is therefore crucial - for business continuity of fire and security companies and their customers; security of data and assets; and both the industry’s and its clients’ reputation.

Cyber security rules and regulations

Although most of the products offer tools to provide a level of protection and many companies have internal cyber security rules and procedures in place, the importance of the human factor in achieving and maintaining cyber security is often forgotten. With the joint brochure, CoESS and Euralarm want to create awareness that, with the right security measures, cyber-threats can be mitigated. The brochure looks at the whole supply chain and gives recommendations on the role of companies, their employees and end-users in carrying out security measures to minimise cyber security risks. This requires an awareness that each part of the chain needs to implement its own measures.

Cyber security risk mitigation

The brochure also highlights what is already being done to mitigate existing risks and what companies can do in order to ensure the integrity of the chain. On a step-by-step basis the brochure informs the reader about cyber security risks and solutions in the different phases.
Teijin Aramid has announced its participation at Milipol Paris 2019, a global event for homeland security and safety, which takes place at the Villepinte Exhibition Center in Paris, France. From November 19 to 22, at booth 5N122, the globally renowned manufacturer of premium aramids will show how its para-aramids Twaron and Technora, meta-aramid Teijinconex and ultra-high molecular weight polyethylene (UHMWPE) Endumax can add value to highly efficient protective equipment for police, justice, border patrol, military and armed forces.

Personal protection and body armour equipment

Teijin Aramid will showcase a wide range of materials providing personal protection in many ways. Its products Twaron, Teijinconex, and Endumax offer outstanding capabilities, bringing added value to body armour equipment such as uniforms and turnout gear, protective vests, helmets, and inserts. Twaron and Endumax can help protect against bullets, fragments, as well as stabbing with sharp objects. Both offer high strength, excellent energy absorption and a high modulus of elasticity, enabling superior protection against a wide range of violent threats. What’s more, both provide long-term stability and impact resistance.

Resistance against heat, chemicals

Furthermore, Teijin’s aramids Twaron, Technora and Teijinconex can offer inherent resistance against heat, flame and chemicals. They neither burn nor melt, meaning they add value to military and police turnout gear.
CSCUK - Cyber Security Connect UK – a renowned forum for Chief Information Security Officers (CISO), has called for the cyber security community to respond to the UK Government policy paper published on 11 September 2019 about post-Brexit cyber security.

Cyber security certification

The British Government has asked for the cyber security industry in the UK to provide views and opinions about the proposed approach to cyber security certification following the UK’s departure from the EU. Martin Smith, Cyber Security Connect UK Conference, The Security Company and SASIG Chairman and Founder, has called on the cyber security community in the United Kingdom to use this opportunity to reinforce the importance of ensuring that the highest standards are retained by the UK once it departs the European Union.

Maintaining the high standards of cyber security

Mr Smith stated, “As the data economy and IOT (Internet of Things) continues to thrive, we must ensure that the general public have trust in the products, services and processes that businesses and government agencies provide. It is paramount that the level of cyber security remains robust enough to ensure that our digital economy continues to function safely and securely. I would encourage all cyber security professionals to bring the key issues to the attention of the UK Government.”

The Department for Digital, Culture, Media and Sport is asking for responses to be submitted by the 8th October 2019.
The oil and gas market is driven by a number of technology trends, political issues, waves of supply and demand, and regulations. At times, it seems like the market is in a constant state of ebb and flow, with business affected by traditional drivers, such as government mandates and operational efficiencies, and other non-traditional markers, like challenging weather conditions (consider the 2017 hurricane season as an example). Additionally, the global economy continues to grow, propelling increased energy demand.

But like nearly every other market today, the oil and gas market is on the brink of a sea change. According to Deloitte’s 2018 outlook on oil and gas, “the digital revolution is here.” The sheer volume of information and data generated by digital devices, such as those associated with the Internet of Things, will allow producers to leverage rich data and combine it to deliver smart, efficient solutions. The rise of digital technologies is unleashing new ideas across the oil and gas industry and even though we are in the beginning stage of being able to harness the power of these types of technologies, innovative ideas are emerging — all designed to support the core business, reduce internal investments, deliver products faster, boost efficiencies, and enhance safety.

Maximised operations and increased ROI

This is welcome news because there are a number of challenges facing the oil and gas industry, from improving reserve replacement and ensuring workplace safety to reducing operating costs and limiting downtime. All of these objectives must be achieved while maximising operations and increasing overall return on investment. Never has it been more crucial for critical infrastructure organisations to demonstrate a focus on safety, security, and collaboration. Here's why:

Growth and demand

According to the U.S. Energy Information Administration, world energy consumption will grow by 56 percent between 2010 and 2040. This ongoing growth propels energy producers to embark on extensive exploration and production activities to meet increased demand. As energy-centric organisations look to emerging markets or remote regions to source production, safety becomes even more mission-critical to their success.

Compliance

Continuous demand is only one challenge; compliance with industry and government regulations is another significant hurdle that must be maintained or there is risk of production shutdowns. For example, the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS) impose comprehensive federal regulations for high-risk chemical facilities, requiring organisations to conduct vulnerability assessments. This is just one of many regulatory procedures sites must follow to conform to environmental protections, safety precautions, and safe handling of hazardous materials.

Threat protection, mitigation, and collaboration

In addition to meeting the requirements of regulatory procedures, mitigating risk in this industry propels leaders to develop stringent strategies to ensure robust protection of people, property, and assets, effective and efficient response to incidents when they occur, and procedures and protocols to ensure business continuity in emergency situations. Energy providers require comprehensive safety planning and technology systems that can augment the capabilities of on-site and remote personnel. In recent years, video solutions have become the standard for monitoring facilities, assets, and employees, and now these organisations require enterprise-class solutions that can help gather intelligent data that allows for enhanced security and safety efforts but also focus on processes that enhance operational efficiencies.

IT security is also a concern. Cyber-attacks are becoming increasingly more complex and sophisticated in the oil and gas market. An IT breach can cause operational havoc, risk to the public, and damage to an organisation’s brand. Adopting a continuous improvement approach to a security strategy safeguards and helps protect valuable company information and reduces the likelihood of an incident. Also, collaboration between IT and physical security leaders and the correlation of both departments' data makes it much easier to identify a potential breach before havoc ensues.

The digital age

With the rise of the digital revolution and the demand for data to improve insight, oil and gas producers and businesses need to find new ways to capture data, correlate it as needed, and then leverage it to make the most informed decisions. Software platforms are being used in a wide variety of applications to provide a single pane-of-glass view that allows operators to gain critical insight into operations. By collecting intelligence from digital sensors, such as video surveillance cameras, open-source Web intelligence, building systems, crowdsourcing, weather sensors, mobile devices, and more, operators can detect potential risks and manage and respond to situations more efficiently. Furthermore, information can be shared easily with multiple agencies, employees, citizens, and first responders — especially valuable in the event of a safety incident where rapid response is paramount. By creating a single enterprise-wide view across disparate systems and technologies, organisations experience improved response times, lowered operational costs, and increased employee safety.

Traditional command centers

Intelligent solutions, such as those derived from the idea of artificial intelligence, help organisations make sense of vast amounts of data. These integrated applications, such as advanced video analytics and facial recognition, can automatically pinpoint potential breaches and significant events, and send alerts to the appropriate personnel, departments, and agencies. These solutions can be powerful in unifying disparate command center technologies within the oil and gas industry, fusing critical data input from emergency calls and responder activity to enhance situational awareness. With traditional command centers relying mostly on call and radio updates, visibility can be limited, but new digital platforms enable operators to oversee a situation and engage with and direct the response force. Overall, these types of automated functions deliver a simplified and modernised operating environment.

The future is the Intelligent SOC

All of these digital solutions are designed to take center stage within the Intelligent Security Operations Center (ISOC). To combat advanced, multi-stage threats, oil and gas facilities are transforming the traditional SOC into the next-generation unified ISOC with an integrated platform for detection, investigation, communication, and response.
Cyber, traditional security, digital devices, and situational awareness technologies combine to deliver an integrated, automated, and adaptive architecture to efficiently mitigate advanced threats in real time or forensically. Energy providers operate in challenging, fast-moving environments in which opportunities, requirements, and regulations can vary widely, change quickly, and evolve significantly over time. As the idea of the digital age continues to transform this market, new technologies will be more widely used to improve business operations from exploration and extraction to transportation and distribution. With the right technology, strategic partnerships, and enhanced situational awareness, oil and gas facilities can implement a proactive approach to safety and better mitigate threats and protect assets, while continuing to focus on achieving business goals that will sustain supply and demand for years to come.
According to the reports of not-for-profit organisation Gun Violence Archive, the year 2018 has seen 323 mass shooting incidents as of November 28 in the United States. This number is 346 for the year 2017 and 382 for 2016, with “mass shooting” defined as cases where four or more people are shot or killed in the same time period and location.

While definitions of mass shooting vary with organisations in the US, the count of over 300 incidents per year, or about once per day on average, is simply alarming. It raises public safety concerns, ignites debates and protests, which in turn lead to public unrest and potentially more violence, and increases costs for governments from the regional to federal level. Most importantly, the loss of lives demands not only improvement in post-incident handling and investigation, but also new prevention technologies.

Gunshot detection solutions

There are several gunshot detection solutions in the security market, commonly used by law enforcement agencies to detect and locate gunfire. These systems function based on acoustic recordings and analyses, often in combination with signals detected by sensors of the optical flash and shockwave when a gun is fired. However, gunshot detection by nature dictates that law enforcement can only react to a shooting incident that has occurred. With fast action, law enforcement can prevent the incident from escalating, but lives that are lost cannot be recovered.

With the development of artificial intelligence in object recognition, AI weapon detection offers a more efficient alternative to prevent active shooting: AI can visually detect guns based on their shapes before they are fired. The AI is trained to recognise firearms in different shapes, sizes, colours, and at different angles in videos, so that the AI weapon detector can be deployed with existing camera systems, analyse the video feeds, and instantly notify security staff when a gun is spotted.

Comparison of the advantages for law enforcement and public security agencies

| Legacy gunshot detection using sensors | AI weapon detection |
| --- | --- |
| Reactive measure: detect after guns have been fired | Proactive measure: detect before guns are fired |
| Time to action: within 1 second | Time to action: within 1 second |
| Unable to provide visual data about shooter(s) | Can provide data about shooter(s) based on the camera recording: clothing, luggage (backpack, handbag, etc.), facial features, vehicle |
| Unable to track the location of the shooter(s) before and after shooting because of the lack of sound | Can track the shooter(s) using AI Person & Vehicle Tracking, AI Face Recognition, and AI License Plate Recognition |
| False detection caused by similar sound such as fireworks and cars backfiring | Minimal to no false detection, as AI can distinguish different types of handguns and rifles from normal objects (umbrella, cellphone, etc.) |
| Require physical deployment of gunshot detection sensors | Can be used with existing camera systems, do not require special hardware |
| Complicated to deploy, require highly trained professional | Easy to deploy as an add-on to existing video surveillance system |
| - | Can integrate with gun-shot detection to create a “double knock” audio and video active shooter alert system |

Gun-shot detection advantages

In addition to advantages for law enforcement and public security agencies, this type of visual-based pre-incident detector has three-fold advantages for the public:

- Save lives by spotting the shooter before the shooting event.
- Minimise the chaos entailing an incident: panic and chaos caused by a shooting incident often add to injury, as people run, fall, trample on others… With an AI weapon detector, when a gun is spotted, the system sends an alert to security staff, who can quickly control the situation in an organised manner and apprehend the intending shooter.
- Can be added as a SaaS (Security as a Service) component to small business and home surveillance systems, e.g., intrusion detection alerts (home invasion incidents with firearms number over 2500 per year nationwide).

For a complete active shooter detection system, a video-based AI detector can operate in conjunction with gunshot detectors for enhanced security. Traditional X-ray based weapon detection or metal detection entrance systems are complicated and expensive; with AI video technology, an active shooter detection system can be cost-effective, and after all, what price tag can one put on a life?

Written by Paul Sun and Mai Truong, IronYun
With the coming of a New Year, we know these things to be certain: death, taxes, and… security breaches. No doubt, some of you are making personal resolutions to improve your physical and financial health. But what about your organisation’s web and mobile application security? Any set of New Year’s resolutions is incomplete without plans for protecting some of the most important customer touch points you have — web and mobile apps. Every year, data breaches grow in scope and impact. Security professionals have largely accepted the inevitability of a breach and are shifting their defense-in-depth strategy by including a goal to reduce their time-to-detect and time-to-respond to an attack. Despite these efforts, we haven’t seen the end of headline-grabbing data breaches like recent ones affecting brands such as Marriott, Air Canada, British Airways and Ticketmaster. App-level threats The apps that control or drive these new innovations have become today’s endpoint The truth of the matter is that the complexity of an organisation’s IT environment is dynamic and growing. As new technologies and products go from production into the real world, there will invariably be some areas that are less protected than others. The apps that control or drive these new innovations have become today’s endpoint — they are the first customer touch point for many organisations. Bad actors have realised that apps contain a treasure trove of information, and because they are often left unprotected, offer attackers easier access to data directly from the app or via attacks directed at back office systems. That’s why it’s imperative that security organisations protect their apps and ensure they are capable of detecting and responding to app-level threats as quickly as they arise. 
In-progress attack detection

Unfortunately, the capability to detect in-progress attacks at the app level is an area that IT and security teams have yet to address. This became painfully obvious in light of the recent Magecart attacks leveraged against British Airways and Ticketmaster, among others. Thanks to research by RiskIQ and Volexity, we know that the Magecart attacks target the web app client-side.

Attackers gained write access to app code, either by compromising or using stolen credentials, and then inserted a digital card skimmer into the web app. When customers visited the infected web sites and completed a payment form, the digital card skimmer was activated, intercepting payment card data and transmitting it to the attacker(s).

Data exfiltration detection

During a Magecart attack, the transaction processes are otherwise undisturbed. The target companies receive payment, and customers receive the services or goods they purchased. As a result, no one is wise to a breach — until some 380,000 customers are impacted, as in the case of the attack against British Airways.

The target companies’ web application firewalls and data loss prevention systems didn’t detect the data exfiltration because those controls don’t monitor or protect front-end code. Instead, they watch traffic going to and from servers. In the case of the Magecart attacks, the organisation was compromised and data was stolen before it even got to the network or servers.
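Added example (not from the article): the gap described above is that WAF and DLP controls watch server traffic rather than the front-end code served to the browser. One way to monitor that code is to compare the scripts on a payment page with an approved baseline of hashes; the page, paths, placeholder domain and function names below are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values, in document order
        self.inline = []        # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_page(html, fetched, baseline):
    """Compare the scripts on a page with an approved baseline.

    html:     page markup as served to the browser
    fetched:  {src: body} for each external script the monitor retrieved
    baseline: {"external": {src: sha256}, "inline": {sha256, ...}}
    Returns a sorted list of (finding, detail) tuples; empty means no drift.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        approved = baseline["external"].get(src)
        if approved is None:
            findings.append(("unapproved-external-script", src))
        elif src not in fetched:
            findings.append(("script-not-retrieved", src))
        elif sha256_hex(fetched[src]) != approved:
            findings.append(("external-script-changed", src))
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in baseline["inline"]:
            findings.append(("unapproved-inline-script", digest[:12]))
    for src in baseline["external"]:
        if src not in collector.external:
            findings.append(("approved-script-missing", src))
    return sorted(findings)


# Constructed sample data: a checkout page, its approved scripts, a drifted copy.
APPROVED_LIB = "function validateCard(n){return n.length>=12;}"
APPROVED_INLINE = "initCheckout();"
CLEAN_PAGE = (
    '<html><body><form id="pay"></form>'
    '<script src="/static/checkout.js"></script>'
    "<script>initCheckout();</script></body></html>"
)
BASELINE = {
    "external": {"/static/checkout.js": sha256_hex(APPROVED_LIB)},
    "inline": {sha256_hex(APPROVED_INLINE)},
}
# Drifted copy: checkout.js has extra bytes appended, and a script from an
# unlisted host (placeholder domain) has been added to the page.
DRIFTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://cdn.example.invalid/x.js"></script></body>'
)
DRIFTED_FETCHED = {
    "/static/checkout.js": APPROVED_LIB + "/* constructed: unexpected appended code */",
    "https://cdn.example.invalid/x.js": "/* constructed placeholder */",
}

if __name__ == "__main__":
    for finding, detail in audit_page(DRIFTED_PAGE, DRIFTED_FETCHED, BASELINE):
        print(f"ALERT {finding}: {detail}")
```

Run on a schedule against the live payment page, a non-empty result is the alert that server-side traffic controls would not raise.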
Best practice resolutions

The Magecart attacks highlight the need to apply the same vigilance and best practices to web and mobile application source code that organisations apply to their networks—which brings us to this year’s New Year’s resolutions for protecting your app source code in 2019:

Alert

First, organisations must obtain real-time visibility into their application threat landscape given they are operating in a zero-trust environment. Similar to how your organisation monitors the network and the systems connected to it, you must be able to monitor your apps. This will allow you to see what users are doing with your code so that you can customise protection to counter attacks your app faces. Throughout the app’s lifecycle, you can respond to malicious behavior early, quarantine suspicious accounts, and make continuous code modifications to stay a step ahead of new attacks.

Protect

Next, informed by threat analytics, adapt your application source code protection. Deter attackers from analysing or reverse engineering application code through obfuscation. Today’s proven obfuscation techniques can help prevent application reverse engineering, deter tampering, and protect personally identifiable information and API communications.

If an attacker tries to understand app operation through the use of a debugger or in the unlikely event an attacker manages to get past obfuscation, threat analytics will alert you to the malicious activity while your app begins to self-repair attacked source code or disable portions of the affected web app. The key to success is quickly understanding when and how an app is being attacked and taking rapid action to limit the risk of data theft and exfiltration.
Encrypt

Finally, access to local digital content and data, as well as communications with back office systems, should be protected by encryption as a second line of defense, after implementing app protection to guard against piracy and theft. However, the single point of failure remains the instance at which the decryption key is used. This point is easily identifiable through signature patterns and cryptographic routines. Once found, an attacker can easily navigate to where the keys are constructed in memory and exploit them.

Effective encryption requires a sophisticated implementation of White-Box Cryptography, one that combines a mathematical algorithm with data and code obfuscation techniques, transforming cryptographic keys and related operations into indecipherable text strings. Protecting encryption keys is often overlooked but should be considered a best practice as you forge into the new year with a renewed commitment to app security to ensure your organisation’s health and well-being in 2019.

Protecting applications against data breach

According to the most recent Cost of a Data Breach Study by the Ponemon Institute, a single breach costs an average of $3.86 million, not to mention the disruption to productivity across the organisation. In 2019, we can count on seeing more breaches and ever-escalating costs.

It seems that setting—and fulfilling—New Year’s resolutions to protect your applications has the potential to impact more than just your risk of a data breach. It can protect your company’s financial and corporate health as well. So, what are you waiting for?
The task of protecting shared spaces, such as offices and schools, has become increasingly complex, particularly with ever-rising political tensions and the difficulties of assessing threats for schools, workplaces and law enforcement. Given the randomness of when and where a violent person may strike, those who manage facilities need an emergency plan, as well as robust training, detection and awareness.

To gain more insights into dealing with such threats, we interviewed John Torres, President of Security and Technology Consulting, Guidepost Solutions. Guidepost Solutions is a global team of investigators, security and technology consultants, and compliance and monitoring experts. They provide security design and consulting, investigations, and compliance and monitoring leadership for critical client needs.

Torres has extensive investigative and security experience. Previously, he served as the Special Agent in Charge for Homeland Security Investigations in Washington, D.C. and Virginia. His background includes more than 27 years of experience providing investigative and security management for the U.S. Departments of Homeland Security and Justice, including serving as the Acting Director and the Deputy Director of U.S. Immigration and Customs Enforcement.

Q: Why is it difficult for schools, workplaces and law enforcement to assess threats of violence? How can they differentiate between a threat and a non-threat?

Torres: With mobile technology and social media, threats are more than just physical. Schools are often not screening student social media accounts and are restricted in what they can and cannot monitor due to privacy laws. Proactive business and educational institutions are working closely with law enforcement, providing training and increasing awareness of potential threats or abnormal behaviour.
Emerging tools include software that allows monitoring of students’ school-issued email and file storage accounts. Communications software and apps provide real-time notification of emergency messages to students, parents, employees and the community to provide critical instructions during an emergency. The combination of training and new tools has enabled trends and threatening language to be identified and appropriate authorities notified.

Q: What tools and/or insights can Guidepost Solutions add to the mix? What are the elements of a “comprehensive risk assessment?”

Torres: Comprehensive risk assessments include adopting a tiered approach to assessing the school or office and the surrounding environment. A typical approach includes site perimeter review, identifying gates, fencing, vehicle barriers etc., the parking lot, building exterior, interior paths of travel and individual classroom measures. Review and observation of systems including mass notification, video surveillance, access control, intrusion and visitor management, etc. are critical to ensure that they are equipped to maintain functionality in the event of power loss etc. As an insight, always engage with people, they have the knowledge of each unique facility. Elements we can add to the mix include assessments, physical security improvements and mass notification systems, as well as emergency response training, operational policies and procedures, and behaviour analysis.

Q: How can the elements of a risk assessment be translated into recommendations of specific technologies or processes (such as video surveillance and/or access control)?

Torres: Risk assessments often drive and identify the need for technologies to be implemented into the security programs of schools, business or places of mass gathering, such as stadiums, convention centers and houses of worship.
Risk assessments help identify weaknesses in security procedure and then often support phased security enhancement programs as funds become available for investment. Each entity is different, and stakeholders should be included. For example, video surveillance may be a priority at one location but controlling the main point of entry may be more important at another. Technology and process recommendations must meet the operational needs and support the goals of the security team and operational managers.

Q: How can the risk of an incident be mitigated and lives protected?

Torres: While multiple steps are helpful, all of them in combination are key to implementing a comprehensive security plan. They include:

Assessments – physical, cyber and procedural
Physical Security Improvements – visitor management, fencing and barriers, locks and cameras
Emergency Response Training – law enforcement coordination; muscle memory response
Mass Notification Systems – current software, clear concise directives, testing
Operational Policies and Procedures – termination, evacuation, communication, intervention
Behavioural Analysis.

Q: What are the elements of behaviour analysis?

Torres: They include things like changes in appearance and behaviour, including social media behaviour, and isolation from family or friends. They also include studying or taking pictures of potential targets, and real or perceived bullying. An individual may advocate violence or hate, and/or consume violent extremist information/propaganda. He or she may talk about traveling to places that sound suspicious, and/or have an obsession with weapons.

Q: What is the role of training?

Torres: Training is critical regarding emergency situations in schools, be it a fire drill, earthquake, lockdown, active shooter situation, etc.
Training and drills educate those present, including employees and staff, with information about actions that may save lives and reduce casualties in a real emergency. Training should hold people responsible and set standards for acceptable behaviour. There should be a plan that is implemented, including practice and drills. You should also provide training and communication skill building classes. Develop intervention strategies. Work with HR and legal (and others as appropriate). Finally, document everything.

Q: What challenges still remain?

Torres: Cultural and behavioural change remains at the forefront of schools and businesses when addressing safety and security measures. A large percentage of violent acts may be preventable if a bystander shares his/her concerns with the proper authorities. According to the FBI, perpetrators exhibited behavioural indicators in 93% of incidents. And bystanders had prior knowledge in 81% of school attack incidents and 80% of terrorist-inspired behaviours or activities before an attack.

Q: What progress are you seeing?

Torres: With each tragedy that occurs, leaders are engaging with safety and security head on. There is a shift in schools and businesses to engage with professionals that can help them understand what they do not know. Simple things such as improved communication and enforcement of policies and procedures can have a tremendous positive impact on an organisation’s security posture. Assessments and technology upgrades are important and effective, but it all starts with acknowledging the need to provide and maintain safe and secure environments for students, employees and the community.
Hikvision and Dahua have been added to a U.S. government list of entities “reasonably believed to be involved, or to pose significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.”

In effect, inclusion on the list restricts the export of equipment to the two companies because of their alleged involvement in “human rights violations and abuses” related to a Chinese government campaign of repression, mass arbitrary detention, and high-technology surveillance against minority groups. Hikvision and Dahua have contracts to sell equipment that provides video surveillance capabilities in the Xinjiang Uighur Autonomous Region (XUAR) of China. The minority groups targeted are Uighurs, Kazakhs and other Muslim minorities.

The decision to add Hikvision and Dahua, among 26 other “entities,” to the list was made by the United States End-User Review Committee (ERC), composed of representatives of the Departments of Commerce, State, Defense, Energy and (where appropriate) Treasury. A majority vote of the panel is required to add an entity to the list, and a unanimous vote is required to remove or modify an entity. The 26 other entities include the Chinese government’s bureau in XUAR, 18 subordinate municipal and county public security bureaus and one other subordinate institute.

Specific licenses (government approval) are required for any transaction in which items are exported, reexported, or transferred (in country) to any of the entities on the list; or in which the entities act as purchaser, consignee or end user. Loosely speaking, inclusion on the list prevents Hikvision and/or Dahua from buying any component parts from U.S. manufacturers.
Indirectly and more broadly speaking, the measure affords a new downside to the Dahua and Hikvision brands in the U.S. market. Anyone concerned about human rights abuses might hesitate to buy from the two companies, although the entity list does nothing to prohibit sales of the company’s products.

Dahua and Hikvision statements

In a company statement, Dahua has “express[ed] strong protest to such decision, which lacks any factual basis, and call[ed] on the U.S. government to reconsider on it.”

The Dahua statement continues: “As a global business entity, Dahua adheres to the business code of conduct, and follows market rules as well as international rules. Dahua is actively working to ensure our investment and business operations around the world comply with all applicable laws and regulations. Regarding the decision of U.S. government, we have actively taken various measures, and we will continue providing outstanding products and services to our customers.”

Hikvision has released the following statement: “Hikvision strongly opposes [the] decision by the U.S. Government and it will hamper efforts by global companies to improve human rights around the world. Hikvision, as the security industry’s global leader, respects human rights and takes our responsibility to protect people in the U.S. and the world seriously.

“Hikvision has been engaging with Administration officials over the past 12 months to clarify misunderstandings about the company and address their concerns. In January 2019, Hikvision retained human rights expert and former U.S. Ambassador Pierre-Richard Prosper to advise the company on human rights compliance. Punishing Hikvision, despite these engagements, will deter global companies from communicating with the U.S.
Government, hurt Hikvision’s U.S. business partners and negatively impact the U.S. economy.”

“The U.S. Government and Department of Commerce cannot and will not tolerate the brutal suppression of ethnic minorities within China,” said Secretary of Commerce Wilbur Ross in making the announcement. “This action will ensure that our technologies, fostered in an environment of individual liberty and free enterprise, are not used to repress defenseless minority populations.”
Workforce management systems gather and analyse information and anomalies from security officers in the field. The information ranges from direct observations entered via mobile or desktop apps by officers on duty to reports from cleaning staff, the maintenance department, and CCTV operators. Taken together, the information yields business intelligence and data analytics at no additional cost.

Trackforce is a provider of workforce management solutions specific to the security industry and its unique operational requirements. From tracking guard tours to managing incidents and officers remotely, the platform improves officer accountability, optimises operations, and delivers actionable insights via a live dashboard to reduce vulnerabilities and enhance efficiencies. The platform is customisable and scales to each client’s business.

Platform to control and identify risks

“Corporate security teams deal with issues related to operational risk, facility security levels and design basis threats, and must contend with manmade, naturally occurring, and technological events,” says Guirchaume Abitbol, CEO and founder of Trackforce. “We provide them a platform that enables them to control and identify risks, deliver their service, and maintain security best practices.”

Trackforce serves large security guard companies and global organisations in diverse vertical market sectors and is expanding in facilities management. More than 200,000 professionals at over 20,000 customer sites in 45 countries use the platform. Trackforce uses live monitoring to ensure quality control and to upgrade situational awareness, delivers real-time incident notifications, and generates data-rich analysis and key performance indicators (KPIs) that enhance monitoring and reporting.
Reduces corporate risk

Better management of corporate risk is a benefit of security workforce management. The Trackforce platform reduces corporate risk in four areas by:

Managing multiple sites, located anywhere, with various threat levels, cultural differences, operating procedures, and regulations.
Supporting a security budget and investment in new solutions by providing data necessary for budget approval.
Keeping management informed about outsourced security services partners with relevant data, analytics, and transparency.
Providing real-time data on risks and incidents so operations can be quickly optimised to ensure top-level security services.

Identifying potential threats and risks

The platform rapidly and accurately collates data (implied data or trends) based on user-selected parameters. Data- and intelligence-rich reports become available to managers from any location via a dashboard. All necessary information is displayed on a single screen in an uncluttered format. Reports can be downloaded and shared with stakeholders. The ability to analyse current and historical data in real time empowers security managers to track patterns, identify potential threats and risks, and implement preventative actions and strategies.

Using data intelligence as benchmark

Security teams will use data intelligence as a performance benchmark for resources required to accomplish site goals. They will also use this information to pilot and rationalise resource needs for impending contracts based on historical, descriptive (what happened), diagnostic (why did it happen), predictive (what will happen) and/or prescriptive data (how can we make it happen).

“For example, when a large company incurs incremental computer equipment theft, a supervisor can use the platform to review historical reports and identify patterns and anomalies,” says Abitbol.
“The supervisor could then identify and proactively implement targeted strategies to mitigate the theft, such as modifying security routes, increasing patrols, or adjusting asset management protocols.”

Enhanced control of security resources

The Trackforce platform has been designed to serve clients at multiple regional and national locations and is available in many languages. The Command Center allows a security supervisor based at a central location to easily manage officers on multiple sites.

The Command Center provides greater oversight and enhanced control of security resources. Management can compare locations and evaluate security with a customisable reporting dashboard for each site. The uniform platform uses the same reporting templates and processes for each secured and managed location, thus ensuring consistency and accurate benchmarking. Trackforce’s workforce management solution has low cost and presents a low barrier to entry, with systems that can be implemented in a short time.
Crossword Cybersecurity plc has announced that Stevenage Borough Council, Peterborough City Council and East Hertfordshire District Council (‘the Councils’) will use Rizikon Assurance to manage compliance with the GDPR (General Data Protection Regulation) with their suppliers and for wider information governance.

GDPR compliance

GDPR makes many requirements of organisations, including taking adequate steps to ensure data is both encrypted and anonymised, so that in the event of a breach, the data cannot be exploited. Infringements under GDPR can lead to fines of €20 million, or 4% of annual global turnover for an organisation.

With a combined residential population of over 430,000, the Councils have a duty to ensure that the personal information of all residents is adequately protected against the risk of data breach, either by the Councils themselves or the third-party suppliers and agencies with which they work. Data breaches can be accidental, through the loss of a laptop for example, or as a result of an intentional breach or cyber-attack.

GDPR risk exposure

Using Rizikon Assurance, the Councils will improve the process and accuracy of securing third party assurance. This will support compliance with GDPR, and establish a way to manage on-going assurance checks when needed at regular intervals. Additionally, the Councils will be in a position to identify GDPR risk exposure across their supplier portfolio, so that remedial action can be taken to improve the protection of citizen data.

Jake Holloway, Director responsible for Rizikon Assurance, commented, “The role of every public service organisation is to serve its citizens, often holding personal information about them on many sensitive topics such as health, benefits and education.
With that comes the responsibility of ensuring that information is protected, especially when it needs to be shared with partner organisations.”

Rizikon Assurance

Jake adds, “Rizikon Assurance will help any organisation dramatically improve the speed and reliability of its third-party assurance processes, covering areas such as GDPR, health & safety, the Modern Slavery Act and any other requirements that they may have. It moves third party assurance from a siloed and reactive activity, to a connected, proactive continuous process that delivers a complete view of third-party risk.”
Manufacturer ROCKWOOL International A.S. has chosen Nedap’s Global Client Programme to secure its offices and factories worldwide. AEOS, the physical security platform by Nedap, installed during the programme, enables ROCKWOOL to establish a truly global security policy and unified work processes. An advanced project rollout, the Global Client Programme is developed for large multinationals and offers several benefits, including standardisation across sites, shorter implementation times and cost efficiencies.

Standardising company’s security measures

ROCKWOOL has 28 factories across the world. The Global Client Programme connects all of these factories and ROCKWOOL’s office premises, and standardises the company’s security measures throughout the world.

Fokko van der Zee, managing director at Nedap Security Management, says: “The implementation of a standardised security solution across the world is a complex process. It involves a large project spanning many years and involving many stakeholders, and demands a high level of project management. In the absence of a structured program with defined guidelines, a global security rollout is likely to be a stressful execution. That’s why we set up our carefully designed Global Client Programme.”

ROCKWOOL Digital Service Lead, Matthew Thorne, agrees: “We’ve worked with Nedap over the past few years and recently became a member of their Global Client Programme. Now we’re equipped with the people and tools we needed to standardise our physical security solution. The Global Client Programme also minimises risk and guarantees compliance.
It really meets our needs in every possible way.”

Central security platform saves money

The Global Client Programme is designed to ensure monitoring and control during every step of the rollout process. Timon Padberg, responsible for business development at Nedap Security Management, explains: “The repetitive nature of local site deployments allows us to work with models and templates, such as standard proposal and calculation documents. We can therefore produce a scalable process that ensures uniformity and a consistently high quality of implementation across each site.”

By using the Global Client Programme, ROCKWOOL is aiming for uniformity and alignment across all sites. The programme also helps achieve cost savings by avoiding initial setup costs per site and having one central security platform instead of several. Moreover, there are significant savings on operational and maintenance costs due to shared services and economies of scale.
Premier League football club Everton FC has deployed SureCloud’s GDPR suite to manage and monitor its data and GDPR compliance, enabling the club to work towards GDPR compliance, optimise internal processes and position it strategically for the future. The solution replaced Everton FC’s manual data mapping and processing methods.

Manual data mapping and processing

Everton FC’s databases are extensive, containing details on over 32,000 season ticket holders and over 600,000 registered fans, with details on around 360 employees, players, agents, suppliers, and individuals associated with the club’s community charity and partner school. Much of this information is sensitive.

This data and all of the processes associated with it were being manually managed and tracked in a series of Excel spreadsheets. With multiple requests and queries to respond to every day, the club’s Data Protection Officer was struggling to record and manage smaller ad hoc queries, incidents, and tasks. With GDPR due to place much tighter restrictions on how the club processed, managed and shared its data – as well as on the reporting of any incidents that did occur – the club needed a more comprehensive and reliable tool in place before 25th May 2018.

SureCloud platform

The club approached its long-standing IT support provider NCC to find a solution. NCC recommended the SureCloud GDPR Suite, delivered on the SureCloud platform. After SureCloud had successfully demonstrated the ability to provide full visibility for management and automation of GDPR processes across the organisation, Everton FC selected its cloud-based suite of solutions.

Two dashboards were created according to Everton FC’s specific needs: one to show all data mapping and transfers, including where data is being held and who it is being shared with; and one showing incidents and requests, including a subject request register and incident tracker path.
This gives an immediate overview of which requests are still outstanding, such as a request for an individual’s personal information to be erased from the database.

SureCloud GDPR Suite

The five applications Everton FC chose to deploy from the SureCloud GDPR Suite were:

GDPR Program Tracker - to enable the club to map all its disparate data and workflows using intelligent risk-based questions
GDPR Management – to provide all mandatory GDPR business-as-usual processes
Information Asset Management - to record and maintain the club’s entire data inventory
Compliance Management for GDPR - to help Everton FC speed up their process of attaining compliance and on-going real-time risk remediation
Incident Management for GDPR – to meet the GDPR requirement to log, track and notify the ICO of any data breaches, should an incident arise

Ian Garratt, Data Protection Officer at Everton FC said: “The penalties for not achieving GDPR compliance are severe – up to 4% of our revenues, or €20 million. It was imperative that we got a solution in place that could not only help us achieve GDPR compliance but would also make it quick and easy for us to demonstrate that compliance at any point, on request. SureCloud’s GDPR Suite fit the bill.”

Centralised data management

“We are now tracking and recording every single data request in a centralised way. With NCC’s support, SureCloud’s solution has brought a comprehensive clarity to our data processing that was impossible to achieve with manual spreadsheets. The system is so intuitive; it has helped us streamline multiple processes and undertake impact assessments that we couldn’t handle before.”

Now, all of Everton FC’s disparate data are mapped, risk-assessed and tracked in a single centralised system.
All changes and requests are automatically tracked so that activity records and data audits can be produced at the click of a button. Should an incident like a suspected data breach occur, it is identified and reported immediately and automatically. The club’s data protection team can select which asset has been affected and immediately determine the severity of the incident and whether it needs to be reported to the ICO. Should it need to be escalated, the report is available instantly.

Data processing, documentation and risk management

Ian Garratt added: “The SureCloud GDPR Suite isn’t just a compliance tool; it’s a comprehensive management tool. We now have a continuous, real-time status of where we are and what we need to be doing in terms of data processing, documentation and risk management. It would have simply been impossible to achieve this manually. SureCloud has not only helped us to work towards GDPR compliance, they have optimised our internal processes and positioned us strategically for the future.”

In addition to deploying five applications within the GDPR suite, SureCloud is currently adapting its Incident Assessment tool to meet Everton FC’s specific requirements.
To succeed in business, one must be brilliant at one thing. In many cases it’s a skill, such as art, coding, engineering or design. Or that one brilliant attribute can also be a personality trait or a business process. No business will be successful unless it is at least adequate, and preferably superb, in product development, sales, and customer engagement - not to mention finance, planning, marketing and recruiting. Too many VMS producers are trying to do all these things themselves when they should be doubling up on what they are best at and leveraging the rest. It is a new mindset. Instead of obsessing about which ‘me-too’ product to supply, software producers could make their first priority finding complementary and compatible partners.

Developing a partnership ecosystem

One partner might see the opportunity to sell a solution. Another partner might know a better way to distribute a product. A third partner might provide the vertical expertise to get the customer a perfectly tailored solution. By leveraging partners and developing a partner ecosystem, a company will tend to have more unique offerings and the ability to execute faster in an ever-changing world. All this additional partner horsepower is still no guarantee a company will succeed but partnerships will also give a company a feedback channel. Many stand-alone companies plod along, never quite failing, but never getting better either. Partners are less likely to tolerate business limbo. They will be quick to utilise great products, and less wedded to the concept if it doesn’t prove out. Because the partners are in close contact with the market, they are the first responders to changing or developing needs. This is why a company should listen very closely to their partners: They are the feet on the street and the ears to the beat!
Open platform matters

All of this is not possible, however, if a company produces closed platform software. This is software whose functions can only be changed by the original developers. Producing software takes time, and producing great software takes even longer. This means low agility. The partners might identify great opportunities, but before the closed platform software producer can react, the opportunities might be gone - or worse, be grabbed by competitors. The slow reaction capabilities of closed platform providers will frustrate partners and may lead to the worst of all complications in a partnership: distrust.

Add-on modules and intrinsic scripting

When the products are based on an open platform, however, they are adaptable. Then the partners have the ability to change the solution through the open software architecture. Not by changing the basic code (that would be open source) but by add-on modules and intrinsic scripting abilities.

Total integrated solution

Open platform means that the partner can easily extend and enhance the software into a total integrated solution to fulfill the customer’s needs with the minimum of effort. This gives agility, and agility means fast go-to-market abilities. Just what is needed in this fast-moving world. There are some important things to note here. The ways to extend and enhance the software have to be easy and well documented. The partners must have access to training and knowledge sharing. (It does not help to have a system for extending the capabilities of the software if the partners have to guess at the process and the documentation is rudimentary.)

Open access is key

It is important that the business philosophy is based on openness, giving the partners full access to all relevant information.
And openness is a two-way street: By being open for your partners, you also have to be open about their business. A partner might be able to develop a highly sophisticated solution but be unable to market the solution. By building a catalogue of partner solutions easily accessible to customers, openness extends to ensure open access to the partners. Openness is not something a business can just tack on to their approach. It has to be in the DNA of the business from the start. In a Harvard Business Review article entitled ‘Predators and Prey: A new ecology of competition,’ JF Moore says: “A business ecosystem, like its biological counterpart, gradually moves from a random collection of elements to a more structured community.”

Structured business ecosystem

Milestone has seen this progression within the company's ecosystem. They introduced training and certification requirements as part of the partnership success structure, ensuring knowledge is shared and also used in a way that is most mutually beneficial for all involved. Moore also writes: “Every business ecosystem develops in four distinct stages: birth, expansion, leadership and self-renewal.” At present, Milestone and its partners are entering into the ‘leadership’ stage, where video enabling is creating opportunities beyond those offered by a traditional video surveillance system, and into areas that provide additional business benefits to our customers.

Video enabling

“A leader must emerge in the ecosystem,” Moore says, “to initiate a process of rapid, ongoing improvement that draws the entire community toward a grander future.” This is the role Milestone has played in leading the industry towards the video enabling phase and redefining the industry’s expectations of what a surveillance system is capable of.
In the article, Moore underlines that “executives whose horizons are bounded by the traditional industry perspectives will find themselves missing the real challenges and opportunities that face their companies.”

Getting connected

In his book The Tipping Point, Malcolm Gladwell describes what he calls ‘The Law of the Few,’ which says: "The success of any kind of social epidemic is heavily dependent on the involvement of people with a particular and rare set of social gifts." This is based on the 80/20 principle, “which is the idea that in any situation roughly 80 percent of the 'work' will be done by 20 percent of the participants." He goes on to identify three types of people with these gifts: Salesmen, who are skilled in persuasion and negotiation; Mavens, who collect and disseminate useful information; and Connectors. Connectors are those people with a wide range of contacts across different social circles who can make introductions and create links between otherwise disparate individuals.

Milestone, key connector in physical security industry

In the wider scheme of things, Milestone effectively acts as a ‘Connector’ in the business ecosystem and in the overall physical security industry. Milestone brings together companies who are brilliant in their respective fields and makes it easy for them to work together to create a valuable solution for the customer. The company provides the environment for that to occur and works closely with them to ensure that the end result is useful and effective. At Milestone, partners realised that significant investments in education and training were required to create the demand for the company's products and solutions that the conservative physical security industry required. The value of partnership was learnt and the ‘open’ approach adopted, which was a central part of the thinking behind our software.
Adopting the Scandinavian management model

Milestone extended this approach to the entire business model, creating the ecosystem that has been the driving force for success. And while the company embraced the best of the Scandinavian management model, its inclusiveness and encouragement of creativity, they still needed to have the courage to make changes to the business, changes which would ensure the best possible position to take on whatever challenges the future might hold.

Milestone partner ecosystem

Milestone have always worked in a partner-driven business mode. The company from the start was designed to be open and partner oriented. The Milestone partner ecosystem is a fundamental part of its mindset and daily operations. It is one of the major reasons for getting the company to the position where it is today. To be in a company without the partner component would be like cutting the internet and phone cables while reverting to telex and written paper letters! The company would be developing products in the dark, not knowing the demand.

Open business world

Today, Milestone's partners are delivering optimal solutions to mutual customers, building a better and open business world with video as a business enhancer. All thanks to the company's open platform and community approach. To have a flourishing partner ecosystem, one must think not as a corporation but in human terms. Because companies don’t think, humans do. In all senses of the word, there is one thing that will contribute more to the success of a partnership than anything else: 'Give before hoping to receive'.
The Security Industry Association (SIA) has expressed strong support for MI HB 5828 and HB 5830, two bills designed to improve school security across the state of Michigan.

Michigan Legislation

In a letter to Michigan House of Representatives Committee on Appropriations Chairwoman Laura Cox and Vice-Chair Rob VerHeulen, SIA CEO Don Erickson praised the bills’ creation of a comprehensive school plan and fund to enable local districts to procure security solutions to protect students from malicious perpetrators and update building code requirements to include security measures. “Sadly, our nation’s schools have increasingly become a soft target for mass violence – at Sandy Hook Elementary, recently at Stoneman Douglas High School and in many other attacks,” said Erickson. “We support holistic approaches to improving school safety and security in response to these tragedies – recognising there is no single action that can be taken that will, by itself, make our schools safe.”

Improving school security

SIA represents about 900 security and life safety solutions providers – companies that develop, manufacture and integrate technologies that help keep people and property safe from hazards. These industry leaders strive to introduce robust security solutions integrated into our nation’s K–12 public schools, private academic institutions, colleges and universities. In addition to serving member organisations working to improve security in schools and other environments, SIA is a co-founder of the Partner Alliance for Safer Schools (PASS), a consortium of school security experts that developed threat- and income-based guidelines for schools housing grades K–12 to implement appropriate, layered security measures. These guidelines are available to help guide school investments.
Additionally, PASS provides integrators with risk assessments and white papers that can be used when working with schools to evaluate and establish the best security protections for their buildings. SIA believes state assistance like that in the Michigan legislation is a start to addressing key security gaps in schools and is especially critical to high-risk school districts or those with limited budgets.
Keeping the food supply safe was not an issue for Furman Foods back in 1921, when John W. Furman canned 360 glass jars of tomatoes with his wife, Emma, and their six children. Just as food processing practices have evolved over time, so too has the nation’s approach to securing food processing facilities. Today, Furman Foods uses ID cards as the first step of a greater plan to enhance its plant security. Furman Foods is a family-owned business. By 1969, the company had sold a million cases of tomatoes and was complementing its tomato crop with beans, peppers and other vegetables sold under the Furmano’s name. The company’s roots are planted firmly in the soil of the Susquehanna River Valley of Pennsylvania. Despite this remote location, Frank Furman, Vice President of Quality, is ready to take the facility to the next level of security and quality. “The need is here,” he said. “Everything is coming together at once. Not only does security make good business sense, but it also is something we need to do for our customers.”

Food safety and security

While the company has focused on food safety for many years, the U.S. Food and Drug Administration’s (FDA’s) Bioterrorism Act of 2002 made security a top concern for food producers such as Furman’s. Title III of the act specifically addresses protecting the safety and security of food and drug supplies. In addition, because Furman Foods provides food for U.S. Department of Agriculture (USDA) food programs, it is subject to USDA security measures. Security isn’t new to the company. It began incorporating additional security measures shortly after September 2001. The well heads for the water supply are locked and checked daily, for example, and a third-party security service is on duty during off-hours.
Delivery truck doors now must be sealed, the company’s computer systems have new access controls in them, and locks now adorn all bulk storage areas, such as those for corn sweeteners and vinegar, some of the most vulnerable areas in the company.

Time and attendance tracking

An important part of the security system at Furman’s is a new ID card program. “We needed to replace our time clocks,” said Mark Slear, Systems Administrator, “so we took advantage of the opportunity to introduce employee ID cards to track time and attendance.” “I wanted some kind of control so that people who don’t work here don’t get in,” Furman said. “Despite the fact that we are located in a rural area, we still were seeing people here who shouldn’t be here. We had to figure out some way to limit access.” In the past, the company had pre-printed, pre-numbered, bar coded cards for hourly employee access. Employees were assigned a number, but that was it.

HID Fargo Printer/Encoder

Slear and Furman selected the Fargo DTC550 Direct-to-Card Printer/Encoder with lamination capabilities from ID Wholesaler (www.idwholesaler.com), a Fargo Value-Added Retailer and the largest online reseller of photo ID products. “I looked around quite a bit,” said Slear, “and all of my research kept coming back to Fargo.” “We determined that Furman Foods needed a higher level of security than a basic photo ID card could offer,” said Shane Stark, Account Manager, ID Wholesaler. “The FDA keeps tight regulations on who has access to food processing areas. Along with using bar codes and magnetic encoding for security measures, Furman’s warehouse employees require a stronger card to withstand the everyday wear and tear associated with their active jobs.
This led us to lamination and a Mylar card, which offers greater durability.” Slear was also interested in the printer’s speed. “When we ramp up during the summer, we produce a year’s worth of product in three months,” he said. “We have to print a lot of ID cards quickly to accommodate our seasonal workers.”

Security access cards

Furman’s bought the Fargo printer in October, took employee pictures in November and began issuing new ID cards in January. The ID cards contain a full photo, and the program includes all employees, even the extra 300 that are hired during the July-to-October busy season. While tracking time and attendance with the ID cards was the company’s first concern, Slear and Furman were thinking ahead when they chose an ID card printer, knowing that security needs would be enhanced down the road. “We added a magnetic stripe and photo in preparation for future security,” said Slear. “We haven’t defined yet what else we might do, but much of it will be driven by FDA and USDA directives.” “We liked the fact that the DTC550 printer can print on proximity cards if we decide to upgrade our ID cards someday,” said Slear. Furman agreed. “Eventually, we will go to smart cards, especially for the room where our ingredients are mixed,” he said. “We need to limit this area to those who are designated to be there. They will have to swipe an ID card for access. We chose a printer that will allow us to upgrade the cards, knowing that sooner or later we’ll have to go further with security.”

Comprehensive identification solutions

“Everything has been going well,” Slear said. “The person printing the cards picked up on it quickly.” Slear gives high marks to ID Wholesaler for their customer service. “Every time I talk to Shane, I get the answers I need,” he said.
“He also checks in from time to time, just to see how things are going.” “Our product and industry knowledge enable us to assess our customers’ needs and present options that meet their requirements and their budgets,” said Jennifer Clancy, Marketing Manager, ID Wholesaler. Currently there are three variations to the Furman’s ID cards: yellow background for employees, green background for visitors and blue background for vendors. “Certain vendors are allowed on site without an escort,” said Furman. “For instance, because we are a kosher facility, once a month a rabbi comes in to check our operations. He has his own vendor ID card and is pre-approved, so he can move throughout our facility unescorted.”

Facility security

Furman Foods prides itself on its strong values, its quality products, its sustainability and its food security. Yet Furman isn’t satisfied. “We are still not where we should be,” he said. “We have come a long way, but we have a long way to go. If I could wave a magic wand, we would have one entrance, where everybody has to enter and exit. This entrance would be secured by a card reader, so individuals would have to swipe an ID card to get in. One of our big concerns is having someone follow a carded employee into the plant. Restricted areas should require special access cards, and I’d like a fence around the entire facility, with a guard shack where everyone checks in and out,” he further added. Right now, there are multiple entrances for traffic. The facility is very spread out, and the road in front is a public road.

Photo ID access card

Yet, all agree that the ID cards are an important step on Furman Foods’ journey toward enhanced security. “A safe workplace is fundamental,” said Clancy. “Photo ID cards provide at-a-glance validation that the card wearer is authorised to be on the premises.
This is especially important for food manufacturers.” “I tell our employees security is only going to get tighter,” Furman said. “More safeguards will be put in place. We are in the food business. If we don’t have safe foods, we don’t have jobs.”
Round table discussion
The definition of a standard is “an authoritative principle or rule that usually implies a model or pattern for guidance, by comparison with which the quantity, excellence, correctness, etc., of other things may be determined.” In technology markets, such as physical security, standards are agreed-upon language, specifications or processes that are used across the board by multiple stakeholders to enable easier interconnectivity and smoother operation of systems. We asked this week’s Expert Panel Roundtable: How are standards shaping change in the physical security market?
Statistically speaking, incidents of terrorism are unlikely to impact most businesses and institutions. However, the mere possibility of worst-case-scenario attacks is enough to keep security professionals awake at night. Compounding the collective anxiety is the minute-by-minute media coverage when an attack does occur. The immediacy of the shared experience of global tragedy impacts us all – including security system decision-makers. We asked this week’s Expert Panel Roundtable: How is the rise in terrorism impacting the physical security market?
The concept of how security systems can contribute to the broader business goals of a company is not new. It seems we have been talking about benefits of security systems beyond “just” security for more than a decade. Given the expanding role of technologies in the market, including video and access control, at what point is the term “security” too restrictive to accurately describe what our industry does? We asked the Expert Panel Roundtable for their responses to this premise: Is the description “security technology” too narrow given the broader application possibilities of today’s systems? Why?