Beyond Run, Hide, Fight: What 3 Recent Active Shooter Incidents Taught Us About Being Prepared

By Lowers & Associates,

Beyond Run, Hide, Fight

Active shooter incidents have become a new normal in our society. As of Sept 24, 2019, there had been an average of 1.24 mass shootings per day in 2019, killing 377 people and injuring another 1,347 victims.

“Run. Hide. Fight®” has been the mantra of training set down by the Department of Homeland Security. We are instructed to run and escape if possible; hide if escape is not possible, and fight as an absolute last resort. While this run, hide, fight mantra offers a lot of value to give people a course of action and to help them feel more confident and prepared in the event of an active shooter scenario, there is more to the equation when it comes to prevention and preparation. It’s time to face this fact.

Here, we look at three recent incidents that should serve to remind organizations that there is much more to consider.

Historic District in Dayton, Ohio

In the early hours of August 4, 2019, a 24-year old gunman with an AR-15-style assault rifle and 250 rounds of ammunition killed nine people and injured another 27 in the Oregon Historic District of Dayton, Ohio. The perpetrator was killed by police within 32 seconds of the first shots. A search of the shooter’s home uncovered evidence of his obsession with violence and that he had expressed a desire to commit a mass shooting.

The organization Childhood Preparedness, which provides resources for early childhood professionals with emergency preparedness planning, response, and recovery, formed the following takeaways from both the Dayton shooting and the El Paso shooting, which happened in the same weekend.

Lessons Learned:

Active Threat Training Saved Lives: Dayton law enforcement agencies received previous training in active shooter response, and their quick action saved countless lives.

Citizen Training Is Important: The key to citizen survival in both the Dayton event and other mass shootings was to quickly identify the sound of gunshots.

Running Is Always an Option: In this situation, running was, in fact, a good idea. Running from the gunfire to a safe location away from the shooter helped save some lives. However, some individuals froze and needed to be prompted by others to run. Individuals who chose to lay on the floor suffered multiple injuries and were trampled by others running from the area.

Stop The Bleed Training Can Help: Participants at the scene aided first responders by treating the wounded with basic first aid, CPR, and even applying tourniquets, such as belts, to the wounded. Tourniquet use is a crucial element of Stop The Bleed Training, which teaches bystanders how to stop severe bleeding before professional medical help arrives on the scene.

Townville Elementary School

On September 28, 2016, in a small town 40 miles outside of Greenville, South Carolina, a fourteen-year-old opened fire at Townville Elementary School playground, shooting three students and a teacher. One of the students, a six-year-old boy, later died, as did the shooter’s father, who had been killed earlier in the day by his son. The suspect was apprehended by a volunteer firefighter after his gun jammed on the playground, just 12 seconds after he first pulled the trigger.

Dr. Joanne Avery, Superintendent of the district, candidly shared her experiences in dealing with the immediate response to the shooting and its aftermath, in a School Safety Webinar sponsored by Raptor entitled, Lessons Learned and Changes We Made After an Active Shooting.

Lessons Learned:

Quick Response is Crucial:  The majority of active shooter events, 69%, end in five minutes or less and 67% are over before the first police arrive. “Speedily moving towards engagement with the shooter should be the primary guideline when teaching active shooter response tactics,” according to the FBI’s report, A Study of Active Shooter Incidents in the US Between 2000 and 2013.

Shooters Do Their Research:  Active shooters study and learn from past events in order to inflict the largest amount of damage. “They want their events to be deadlier” and that “they’re on the clock…so they try to get as much damage done as quickly as they can.”

Rural Areas Are Not Immune:  The majority of school shootings have occurred in semi-rural and rural areas, which means it can take between 12 and 15 minutes for first responders to arrive.  Dr. Avery says this is one of the reasons her school was chosen by the shooter.

Create a Drill Calendar:  Have regular active shooter response training with employees and (in the case of schools) students. Create different types of scenarios (e.g., lockdowns, times of day, types of weapons used, outside vs inside).

Know How to Lock Down: You need to be able to have things in place to inform people within the building about the shooter’s whereabouts and a clear evacuation plan. In some situations, training on how to confront the shooter may be warranted.

Dr. Avery stresses that “the first action that anybody should make if they see an active shooter on campus is…to shout ‘lockdown’, call the front office, and then call 911.”

Las Vegas Country Music Festival

On October 1, 2017, between 10:05 and 10:15 p.m., a shooter opened fire from his suite on the 32nd floor of the Mandalay Bay Hotel on a crowd of 22,000 concertgoers at an outdoor music festival. Firing more than 1,100 rounds of ammunition, he killed 58 people and wounded 422; a total of 851 people were injured during the panic that ensued. The shooter, a 64-year-old man, was found dead in his room from a self-inflicted gunshot wound. His motive remains officially undetermined.

In July 2019, the Las Vegas Metropolitan Police Department released a comprehensive After Action Review report about the event, which included a set of 93 recommendations to prepare for the future.

Lessons Learned:

Plan Ahead with Partners: Work with local government and community organizations, including neighboring police, fire, hospital, and coroner officials, to be better prepared and have a more coordinated response.

Become Less of a Target: Responding officers should remove reflective vests so that they are less of a target to shooters.

Have Trauma Kits On-Hand: For large scale events, have more trauma kits on hand available to paramedics and other responders.

Secure High-Rise Buildings: Secure high-rise buildings that oversee open-air crowds and train more officers to stop a shooter in an elevated position.

If we’ve learned one thing from these devastating incidents, it’s that preparation is key. Whether it’s understanding the sounds of gunfire, having trauma kits on hand, or even being prepared to attack and take down a gunman, these actions save lives. Acting quickly and decisively means all the difference.

Every active shooter scenario will be different, but the point is that organizations must have some level of preparedness for each phase of a shooting event – before, during, and after. Those strategies should include:

  • reducing the likelihood of a workplace shooting through comprehensive risk mitigation (e.g., threat assessments, training, physical security);
  • having response plans in place in the event of an active shooter scenario (e.g., evacuation routes, communication with law enforcement); and
  • managing the aftermath of an event (e.g., employee support, public communications).

Once in place, plans must be continually updated, drills practiced, and changes communicated regularly.

Keeping your employees, customers and other stakeholders safe and your business protected is a 24/7/365 endeavor. To learn more, download our latest whitepaper, “Coming to Grips with the Known-Known of Active Shooter Incidents.”

4 Key Sources of Cryptocurrency Exchange Risk

By Lowers & Associates,

It is no secret that cryptocurrency is captivating audiences and opportunists on a global scale. By utilizing the cryptocurrency model of block chain technology, users can perform transactions more quickly and anonymously. As such, many believe cryptocurrency was initially created to facilitate illicit activity such as human trafficking and narcotics. That impression has since been replaced as more and more people discover the ability to purchase goods and services without bank fees and potentially a higher gain on the amount of currency invested in the blockchain system.

Still, many risks remain. And the crypto exchanges are looking for new ways to mitigate these risks, which include:

Dispersed Risk:

Spreading risk is a widely accepted way to succeed in the financial market. But the complex way in which certain risks are dispersed across anonymous networks or computers in a crypto exchange makes is difficult to pinpoint the exact source of a threat or risk in the system.

Anonymity:

The anonymous, digital nature of cryptocurrency transactions means there is a natural lack of control and physical security. This allows new opportunities for someone with malicious intent.

Lack of Control:

Typically, network administrators and advanced computer engineers can develop robust controls to ensure the cryptocurrency is able to be stored and used as appropriate. But what happens if the device is stored on a thumb drive and is stolen or damaged? What happens if someone performs a tiger kidnap and forces transactions to take place?

Potential for Significant Loss:

Unlike in a vault robbery where millions of dollars in bulky and heavy currency takes multiple trips to remove from a vault, the same amount can be removed in seconds with a thumb drive into an anonymous sea of computers.

These and many other areas of risk are driving the cryptocurrency exchanges to invest in insurance. Insurance syndicates and others are responding by addressing how to validate the actual quantum of the currency and how to define the policies and exclusions that will protect these growing networks.

Meanwhile, the cryptocurrency exchanges will continue their efforts to identify and mitigate current and future threats to the trust and safety of their networks.

  Category: Risk Management
  Comments: Comments Off on 4 Key Sources of Cryptocurrency Exchange Risk

7 Components of Risk Assessment for Crypto Cold Storage Service Providers

By Lowers & Associates,

Cryptocurrencies have two faces that present two different sets of custodial issues. One face of these digital assets is that they are weightless strings of binary code that can be flashed around the globe instantaneously. They are accessed through a network of servers with heavy encryption at every step the main custodial tactic.

The other face is physical. Cryptocurrency investors have become highly aware of the fact that “hot” storage of digital assets (storage in an online encrypted file) is more risky than “cold” storage in an offline “wallet” because the online storage methods have proven vulnerable to hacks of different kinds (phishing, social engineering, etc.). The custodial risks of offline cold storage have a lot in common with the physical risks of other small but highly valuable items, but they include some digital risks as well.

A growing number of firms ranging from startups (like Bitgo) to financial giants (like Fidelity) have devised or are in the process of devising cold storage services—a kind of vault for digital assets—for the growing number of investors who want better protection for their crypto assets. A cold storage vault provider has to assess the risks of digital assets in offline storage and devise methods to mitigate them. Note that these risks exist in a largely unregulated system where normal fiat currency controls do not exist.

Here are seven risks providers need to assess and address:

1. Is the safe or vault the right kind for the level of risk, for the value of the asset?

The physical security of the vault must be strong enough to match the value of the asset. Since literally billions of dollars in value can reside on a tiny device, physical resistance to penetration is not a trivial matter.

2. Are digital threats adequately controlled through electronic and physical means?

Digital assets are vulnerable to magnetic or radio radiation, by malicious intent or by accident. Storage areas should be shielded, including all access routes on the premises. No devices capable of memory or carrying magnetic fields can be allowed in the vicinity of the asset.

3. Is physical access to the vault properly controlled?

Almost every armored car robbery begins with the thieves evaluating the access route. To generalize, cold storage providers have to do the same kind of assessment and control the risks. CCTV coverage of access areas is essential, and recordings should be kept 30 to 45 days. Guard presence is required, with escorts for people asking to access the vault.

4. Do procedures sufficiently check the identity of individuals seeking access?

The absence of a legal system of Know Your Customer controls means that storage providers have to develop other means for identifying the people who seek access. This includes every person involved in the chain of custody, such as drivers, guards, and managers. The level of control established by the entities in the chain of custody will vary, and could introduce risks during hand-offs.

5. Are dual control procedures in place at each step in the access process?

Every hand-off and every episode of access to the asset should be under dual control, with appropriate segregation of duties.

6. Are logs maintained to document access and hand-offs of assets, either in or out?

In addition to the CCTV record, every event in the vault that includes access to an asset should be logged according to an established procedure. Personnel on the ground should make the entries and sign off on them.These records should maintain an audit trail including the nature and value (if known!) of the digital asset.

7. Is every member of the staff researched for security and trained in all procedures for control?

Training and understanding of the mission of the vault, as well as job-specific duties, must be verified for every vault employee. Again, outside individuals in the chain of custody may present unknown risks, so efforts should be made to determine the level of control they are under.

Many of these risks are familiar to vault service providers in the cash management industry. For some risks, the addition of digital cold storage is a matter of extension of policies that already exist. However, the addition of the digital issues, especially since cryptocurrencies do not have an external source of control like a fiat currency has, raise the level of risk and the related need to mitigate risk for cryptocurrency.

Download and read Lowers & Associates new white paper, Custodial Crypto: Transportation and Storage, to get a broader understanding about how crypto affects custody.

Defining the Risk of Cryptocurrency

By Lowers & Associates,

The fundamental risk of cryptocurrency (‘crypto’), aside from market risks, is custody. Simply put, the high value of crypto, with the equivalent of over $100 billion in circulation (at this time), provides ample motivation to steal it.

Hot vs Cold Storage

If the crypto is stored in a “hot” (online) environment, strong encryption is the essential safeguard, but the entire environment must be secured. The digital asset and the private encryption key that accesses it must be stored separately. Since the online account storing the asset is generally known to the public through the blockchain, the biggest risks are hacking attacks on the online storage or theft of the private key. Whoever holds the private key controls the asset.  History has shown that online storage is highly vulnerable to theft.

If the crypto or its private key are held in “cold” storage (offline)—as many experts recommend—then both digital and physical risks exist. As large and more traditional investors choose cryptocurrencies for value stores and transactions, the cold storage option is likely to increase. The need for strong encryption remains, and specific kinds of threats against digital assets, like electromagnetic radiation, have to be mitigated.

That said, once the crypto and its private key are in the physical realm, many of the risks of crypto are similar to those that apply to compact high value objects like gems, bearer bonds and cash. A small cold storage “wallet”—a digital device that might be the size of a thumb drive—can hold and transfer any amount of cryptocurrency. These tiny devices are highly vulnerable to damage or theft, and even if a thief does not get the private key, they can still hold it for ransom.

A second major source of risk to crypto is the very reason it exists: it is outside of any traditional currency ecosystem, without the insurance and security protocols that accompany fiat currencies. No institution is monitoring crypto transactions, and no law enforcement agency is routinely tracking suspicious actors. In fact, the identities of investors in crypto may not be publicly known.

Financial institutions are beginning to evolve private ways to duplicate some of the protections of traditional currencies, like Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. Cash in Transit providers are building on their experience in cash management to devise secure ways to store and transport crypto.

Crypto is still in the wild west phase. It is growing very rapidly, and a financial system is developing to make it a reasonable option to fiat currencies.

For more information about the risks of crypto, and how to manage them, request a copy of our new white paper Custodial Crypto Transportation and Storage: Understanding and Mitigating the Risks.

The Opioid Crisis and Your Public Restrooms: Mitigating the Risks

By Lowers & Associates,

Opioid Crisis and Restrooms

As the opioid crisis continues its rise in the U.S., an unexpected threat has confronted businesses and other entities that offer public restrooms. It turns out more and more public restrooms are being used by addicts as a relatively safe, clean, and private place to get high.

For their part, the businesses who operate these restrooms report more cases of syringes and drug remnants left behind. Overdosed individuals (dead and alive) are being found by unsuspecting employees and customers in increasing numbers.

The situation of opioid use and public restrooms, which NPR referred to as “ground zero in the opioid epidemic,” presents businesses with a difficult decision. Do they restrict access, close their restrooms entirely, or keep their restrooms open and find other ways of managing the risks?

4 Aspects of Risk Mitigation:

Addict or not, no business owner wants to have someone die or harm themselves, especially on the company’s property. The opioid crisis is forcing business owners and managers to find ways to ensure the safety and convenience of customers and staff who use the restrooms, while also considering measures to increase the safety of addicts.

Measures taken must be based on a clear-eyed risk assessment. Managers cannot simply hope the addicts will go away.

There are several aspects of risk mitigation, some purely local managerial actions and others involving police or policy responses. Here we look at four areas you may want to consider in addressing the issue:

1. Access Control

The first thought for many owners is access control. If an addict cannot get into a restroom, problem solved. However, it’s harder to do than you might think. Here are some tactics companies have tried:

  • Keys or lock combinations controlled by staff can limit access. However, these are also easily defeated, as the addict could just linger near the door until someone exits, then grab the door before it closes.
  • Some businesses station a guard next to the restroom entrance and require a receipt for access. To combat this, according to the NPR report, an addict named ‘Eddie’ says he just gets a receipt from the trash.
  • Design can help in some cases. Airports, for example, usually have restrooms that are permanently open via hallways that block visibility from the main corridor, removing the privacy that the addict needs. This can be an overly-expensive or impossible undertaking for many businesses.

2. Adaptation

Given that addicts exist and will continue to exist, some owners have modified restrooms to limit the attractiveness of the room for the addict.

  • Restrooms can be modified to be less accommodating by removing shelves, cubbies, ceiling tiles, or other hiding places where an addict might store drugs or paraphernalia.
  • A popular tactic has been the use of blue lighting, which makes it more difficult to find a vein for injection. However, many addicts will inject anyway, increasing the chances of a botched attempt that spreads blood and potentially disease.
  • Some managers even train staff to use naloxone, a drug that can reverse opioid overdoses, in case someone is found passed out. Naloxone is widely available.

3. Policy

Public intervention to reduce the risk of overdosing deaths is controversial, part of the wider debate over criminalization versus rehabilitation. Several states have considered laws to permit “supervised injection facilities,” though these may run afoul of Federal law. Nevertheless, there have been several public policy attempts that businesses might look to for inspiration in forming their own policies.

  • CNN reports that Health Canada has approved a number of “safe injection sites” where addicts can use openly in a controlled environment. One site in Vancouver has been operating since 2003 and has not had a single person die even though there were 6,000 cases of overdosing.
  • A city could install “Portland loos,” named after the Oregon city where they were invented. The loos have no running water, no mirrors, no porous surfaces, and limited privacy because police can peer into them at top and bottom.
  • One ambitious example is the Corner Project in New York City, a syringe exchange program. The Project offers a restroom to users which its managers insist is just a restroom, not a supervised injection facility. There are no medical personnel on site, but an intercom is used to check on users, there is naloxone on site, and employees can quickly enter if necessary.

4. Design

A number of agencies have stipulated how restrooms should be designed to increase safety for addicts to use as injection havens. Public restroom managers may be able to adopt some of these practices.  One example is from the New York state “Syringe Exchange Policies and Procedures” guide.

  • Restrooms should support hygiene: cleaner injections reduce risk of infection.
  • Tables and other surfaces should be a non-porous material for easier cleaning.
  • Staff should have a means to access the restroom at all times.
  • Doors should swing out, not in, so a collapsed addict does not block entry.
  • Intercom systems for two-way communication are desirable.
  • The restroom needs a regular cleaning schedule.
  • A biohazard box for used needles, drugs, or bloody patches should be provided.

The unfortunate reality is that there are millions of people who are addicted to opioids and too many of whom graduate to injection. If managers want to continue providing access to public restrooms as a valued service to their customers, they will have to address the risks that addicts pose. How is your company addressing the concern? Talk to a Lowers & Associates risk management consultant for a complete risk assessment and advice.

  Category: Risk Management
  Comments: Comments Off on The Opioid Crisis and Your Public Restrooms: Mitigating the Risks