Bridging the Gap: Unifying Physical and Cyber Security Assessments

By Lowers & Associates

By Brad Moody and Brian Straightiff

Unlike traditional methods that compartmentalize physical and cyber security, Lowers & Associates’ innovative strategy to security assessments unifies both realms seamlessly, emphasizing a holistic understanding of vulnerabilities and threats.

Traditionally, annual penetration tests focus only on digital assets. However, Lowers & Associates understands that some digital assets are exploitable through physical vulnerabilities. L&A developed a plan encompassing four pillars: external scans, internal scans, physical security, and social engineering. This plan not only slashes costs but also significantly enhances the breadth of an assessment.

Comprehensive Security Assessment: Exploring the Four Pillars

1. External Scan:

Utilizing advanced tools like Nessus, professionals conduct in-depth external scans. These assessments mimic real-world scenarios, identifying vulnerabilities visible from outside the network perimeter.

2. Internal Scan:

Authenticated access to applications provides a unique perspective, simulating potential insider threats. By identifying vulnerabilities specific to internal access, this scan offers invaluable insights into an organization’s security posture.

3. Physical Assessment:

Evaluate the physical security conditions that would allow bad actors to penetrate a facility and reach its networks and devices. Access controls, personnel, CCTV, and alarms are major factors in limiting the opportunities for exposure that create risk.

4. Social Engineering:

Social engineering, the human element in security assessments, serves as a bridge between physical and cyber security. Spear phishing campaigns built on Open-Source Intelligence (OSINT) target specific individuals within the organization. By exploiting human behavior and preferences, these campaigns reveal the organization’s susceptibility to attacks that cross the digital and physical boundaries.

The Fusion of Physical and Cyber Security:

The innovative aspect of this approach lies in its ability to merge physical and cyber security seamlessly. Instead of viewing security in silos, this strategy recognizes that physical and digital security are interconnected. For instance, social engineering extends beyond the digital realm, incorporating techniques like impersonation and elicitation to exploit human vulnerabilities physically and digitally.

The impact of this unified approach extends beyond identifying vulnerabilities. Following the assessment, organizations can actively address the identified weaknesses. By implementing targeted security awareness training and periodic simulations, employees become adept at recognizing and responding to both digital and physical threats.

Conclusion:

This integrated approach to security assessments heralds a new era in safeguarding organizational assets. By embracing both physical and cyber security, businesses can fortify their defenses comprehensively. In an era where threats are multifaceted, this holistic understanding of security vulnerabilities is not just an approach—it’s a necessity. As organizations navigate the evolving landscape of security challenges, this unified strategy stands as a testament to the proactive stance required to ensure a secure digital future.

SOPs & Precious Metals: Mining Your Own Business

By Lowers & Associates

Disclaimer: Portions of this conversation have been edited for length and clarity, and certain locations and details have been modified for privacy reasons.

Standard Operating Procedures (SOPs) are exactly what they say on the tin – a calculated and tested directive used as a foundation for an operation or individual tasking.  At L&A, we often use a tree as an example of the mechanics behind an SOP: the roots provide the foundation from which the procedure grows; the trunk is the day-to-day actions and the branches are the end deliverable result.

However, a tree will grow wild if permitted.  And left unchecked, SOPs will do the same thing.  Unfortunately, the question we most often run into when assessing a business and its SOPs speaks to the reason why avoidable risk exists in the first place: If the SOP isn’t broken, why should we fix it?

As with everything we do in risk mitigation, questions are good, but the bottom line here is that there is no single answer as to “why” fix an SOP.  For an SOP to remain viable, it needs to remain malleable while also staying strong in the face of adversity.  This means SOPs need to be challenged, as the current times, technology and industry attitudes constantly change around them.  Periodic and systemic reviews and tests are just as integral to the SOP as the original calculated and tested directives that comprise the SOP itself.  Some businesses might excel at the review and update process, but even then, they can sometimes fall short by failing to communicate those documented SOP changes to all relevant staff.

As part of our #OurStory series, Daniel Cootes, AIExpE and Client Relationship & Operations Manager for Lowers & Associates’ UK office, shares some insights into his experience assessing an operation in Asia whose SOPs weren’t so much incorrect as existing in an environment where uncertainty was not a risk the insurer was willing to ignore.

So, somewhere in Asia, there’s an operation.  The insurer of this operation, our client, needs to determine what type of coverage the operation (their client) needs, so they ask you to assess the active threats in the area.  It turns out these threats include local gangs, natural disasters and ISIS.  Walk us through securing a facility like this for the insurer – where do you start?

Daniel Cootes
The thought process here begins with how to answer one question, really: Could an attacker cross this facility’s perimeter, suppress the security onsite, get to the vault, breach that vault, take what they want and then get back out?  Intelligence leads us to believe that, yes, this sort of attack is possible, but you also ask, is it likely?  Where this mine is located, it’s certainly possible, but most of this type of gang activity is in the bigger Southeast Asian cities.  Also, this insured has a fantastic piece of nature looking after them, because we’re talking about an operation in the middle of a jungle where it’s pretty much two roads in and two roads out with hours of driving required through dense trees. But you start by recognizing, yes, there is a possibility of this scenario happening, obviously, and go from there.

With an understanding of the facility’s threats, the landscape around it, the likelihood of an attack, the personnel involved, what kind of recommendations did you end up making and how did you reach those conclusions?

Daniel Cootes
Given the parameters and all the different angles that they had, I made some recommendations of what we thought was acceptable; the operation then came back with what they thought was acceptable based on their operational and cultural perspective.  Ultimately, it’s about being realistic, and how easy it would be for the operation to implement the updates.  Something like this didn’t need to be nuclear bomb proof, so we looked first at the gate and fencing that they had, for example.  It was all about 10 years old, and in the jungle, things get rotten quickly – it’s hot, wet and horrible, right?  And so, they had to commit to review that fencing every six months.  We talked about upgrading their roving patrols. We also looked at upgrading their CCTV.  Technology nowadays is so inexpensive, there’s no excuse to not have it.  There are some other very specific things we did for them that I won’t go into, but a good deal of it comes back to their standard operating procedures and making sure their people are following those.

SOPs are incredibly important, and you were able to assess this facility’s risk entirely through a remote process – how did you do that?

Daniel Cootes
Lots of questions. I kind of like to start from the outside and work my way in.  If I turned up at the site, I tried to build the picture of what was in front of me, and what would stop me from getting in.  I mentioned the gates already, but I also had questions about their guys on the gates, which guys had access to the CCTV or any alarm systems and how the gates locked – some of these gates might be left open during the day, some of these sites run 24 hours as well.  It again comes back to being collaborative and flexible and understanding what’s realistic for them to be able to lock the gate and which of their guys on the gate is involved in that process.  Really, you just keep peeling back as many layers of the onion as possible and what it takes to get to the good stuff in the vault.

When you get to the vault, the questions become things like what were they doing to prevent attackers from getting into that space, how well-trained and well-armed their guys were, are the guards their own guys or an outside security company, how are they actually screening these people.  You just keep pulling the wool at the jumper and ask all these types of questions.  At the same time I’m asking these questions, I have to try and be realistic.  I might want them to have a military response, but it’s about understanding what they’ve got and how they can deploy it. I again would go back to the SOPs, who wrote them and how – was the person accredited?  How old are the SOPs, what’s changed since then?  Have those updates been made and communicated?

All this assumes a breach by people, bad actors.  How do you go about mitigating the risk of a natural disaster?

Daniel Cootes
For us and our work, we must think specifically about what insurers are actually insuring.  Most have their policies they write for people of course, but in this instance, the high-value goods are what they’re focused on.  So, the primary question we need to be able to answer here is: If there is a natural disaster, will this be a total loss with respect that it will never be seen ever again?

For example, let’s say there was a fire in the Louvre gallery and there were no fire suppression systems. Once the Mona Lisa has been burned to smithereens, it’s gone.  However, with something like a precious metal, there’s a good chance we can salvage that after a mudslide through excavation or the like, depending on where it ends up.  Ultimately though, you can’t really mitigate a mudslide, right?  And that’s what insurance is for, those unforeseen, unfortunate circumstances.  What you can think about, though, is how the valuables are stored.

When we talk about vaults with cash inside, fire is a risk, so you ask questions about fire suppression systems – what’s in place, what do we need to put in place.  For a mudslide, what we can be conscious about is trying not to have the goods scattered all over the place once the slide is over and do our best to keep it in at least a defined area.  Because as long as we can get to the vault, it’s not a total loss.  So, it was more about how they controlled the inventory – once it comes out of the mine, it’s processed, heads straight into the vault, it’s labeled and locked, check that off the list.

So, talking then about ISIS, how does that factor into the risk mitigation process?  That seems like it would bring a whole outside set of geopolitical and other type of problems.

Daniel Cootes
What we’ve seen ISIS do in Africa is something that could happen at this operation’s location.  We asked the operation if they’d thought about a branch attacking them to, not just steal from, but take over the operation.  They had, fortunately, and were doing things to keep tabs on the local gangs; they also had access to the military with a few guys onsite, in addition to a few policemen.  These were people that were trained in weapons systems and could fight back while a call for more help went in.  From there, we dug into questions about their communication capabilities, ran down the list of who controlled those processes, how many satellite or cell phones were available, internet capability, back-up power and generators, and just, again, kept pulling at the thread.

For this operation, ISIS presented a viable threat and was something they needed to include in their SOP, and my assessment was that they needed to refresh some things around that.  The likelihood that they could get in, launch an attack, steal something and either leave or occupy to some degree was slim, but it’s good for both the operation and the insurer to be thinking about.

What about this experience was impactful for you personally or for the client?  Clearly the whole process resonated with you.

Daniel Cootes
As I mentioned, the SOPs were dated; in fact, the person who had written them was no longer there.  Over time, things had clearly changed in their operations, so while the SOPs weren’t wrong per se, they had to update them in line with the way the business was operating currently.  They were looking to potentially hold more stock, for example. So, we didn’t reinvent the wheel, the SOPs were written by a pretty competent person, but what they realized they needed to do was pull them out of the drawer more often and compare them to what was going on in the world. What problems are out there, and are their procedures still relevant?

For me, there are always two benefits to this type of work.  One, you’re pleased you’re helping keep people safe, and two, should a loss happen, I did everything possible on the insurers’ behalf to mitigate the risks and insure these high value goods, to mitigate every conceivable threat in that respect.  For us, the client is always primary; we want to make sure they aren’t hit with any kind of major loss.  If we’ve done our jobs right, we can avoid that.  For me, SOPs are key, keeping them relevant.  They’re awesome to have, but if they’re stuck in a drawer and don’t see the light of day for 10 years or until there’s a problem, that’s not going to work out for anyone real well, is it?


Beyond Run, Hide, Fight: What 3 Recent Active Shooter Incidents Taught Us About Being Prepared

By Lowers & Associates

Active shooter incidents have become a new normal in our society. As of Sept 24, 2019, there had been an average of 1.24 mass shootings per day in 2019, killing 377 people and injuring another 1,347 victims.

“Run. Hide. Fight®” has been the mantra of training set down by the Department of Homeland Security. We are instructed to run and escape if possible; hide if escape is not possible, and fight as an absolute last resort. While this run, hide, fight mantra offers a lot of value to give people a course of action and to help them feel more confident and prepared in the event of an active shooter scenario, there is more to the equation when it comes to prevention and preparation. It’s time to face this fact.

Here, we look at three recent incidents that should serve to remind organizations that there is much more to consider.

Historic District in Dayton, Ohio

In the early hours of August 4, 2019, a 24-year-old gunman with an AR-15-style assault rifle and 250 rounds of ammunition killed nine people and injured another 27 in the Oregon Historic District of Dayton, Ohio. The perpetrator was killed by police within 32 seconds of the first shots. A search of the shooter’s home uncovered evidence of his obsession with violence and that he had expressed a desire to commit a mass shooting.

The organization Childhood Preparedness, which provides early childhood professionals with emergency preparedness planning, response, and recovery resources, formed the following takeaways from both the Dayton shooting and the El Paso shooting, which happened the same weekend.

Lessons Learned:

Active Threat Training Saved Lives: Dayton law enforcement agencies received previous training in active shooter response, and their quick action saved countless lives.

Citizen Training Is Important: The key to citizen survival in both the Dayton event and other mass shootings was to quickly identify the sound of gunshots.

Running Is Always an Option: In this situation, running was, in fact, a good idea. Running from the gunfire to a safe location away from the shooter helped save some lives. However, some individuals froze and needed to be prompted by others to run. Individuals who chose to lie on the floor suffered multiple injuries and were trampled by others running from the area.

Stop The Bleed Training Can Help: Participants at the scene aided first responders by treating the wounded with basic first aid, CPR, and even applying tourniquets, such as belts, to the wounded. Tourniquet use is a crucial element of Stop The Bleed Training, which teaches bystanders how to stop severe bleeding before professional medical help arrives on the scene.

Townville Elementary School

On September 28, 2016, in a small town 40 miles outside of Greenville, South Carolina, a fourteen-year-old opened fire at Townville Elementary School playground, shooting three students and a teacher. One of the students, a six-year-old boy, later died, as did the shooter’s father, who had been killed earlier in the day by his son. The suspect was apprehended by a volunteer firefighter after his gun jammed on the playground, just 12 seconds after he first pulled the trigger.

Dr. Joanne Avery, Superintendent of the district, candidly shared her experiences in dealing with the immediate response to the shooting and its aftermath, in a School Safety Webinar sponsored by Raptor entitled, Lessons Learned and Changes We Made After an Active Shooting.

Lessons Learned:

Quick Response is Crucial:  The majority of active shooter events, 69%, end in five minutes or less and 67% are over before the first police arrive. “Speedily moving towards engagement with the shooter should be the primary guideline when teaching active shooter response tactics,” according to the FBI’s report, A Study of Active Shooter Incidents in the US Between 2000 and 2013.

Shooters Do Their Research:  Active shooters study and learn from past events in order to inflict the largest amount of damage. “They want their events to be deadlier,” and “they’re on the clock…so they try to get as much damage done as quickly as they can.”

Rural Areas Are Not Immune:  The majority of school shootings have occurred in semi-rural and rural areas, which means it can take between 12 and 15 minutes for first responders to arrive.  Dr. Avery says this is one of the reasons her school was chosen by the shooter.

Create a Drill Calendar:  Have regular active shooter response training with employees and (in the case of schools) students. Create different types of scenarios (e.g., lockdowns, times of day, types of weapons used, outside vs inside).

Know How to Lock Down: Have systems in place to inform people within the building of the shooter’s whereabouts, along with a clear evacuation plan. In some situations, training on how to confront the shooter may be warranted.

Dr. Avery stresses that “the first action that anybody should make if they see an active shooter on campus is…to shout ‘lockdown’, call the front office, and then call 911.”

Las Vegas Country Music Festival

On October 1, 2017, between 10:05 and 10:15 p.m., a shooter opened fire from his suite on the 32nd floor of the Mandalay Bay Hotel on a crowd of 22,000 concertgoers at an outdoor music festival. Firing more than 1,100 rounds of ammunition, he killed 58 people and wounded 422; a total of 851 people were injured during the panic that ensued. The shooter, a 64-year-old man, was found dead in his room from a self-inflicted gunshot wound. His motive remains officially undetermined.

In July 2019, the Las Vegas Metropolitan Police Department released a comprehensive After Action Review report about the event, which included a set of 93 recommendations to prepare for the future.

Lessons Learned:

Plan Ahead with Partners: Work with local government and community organizations, including neighboring police, fire, hospital, and coroner officials, to be better prepared and have a more coordinated response.

Become Less of a Target: Responding officers should remove reflective vests so that they are less of a target to shooters.

Have Trauma Kits On-Hand: For large scale events, have more trauma kits on hand available to paramedics and other responders.

Secure High-Rise Buildings: Secure high-rise buildings that overlook open-air crowds and train more officers to stop a shooter in an elevated position.

If we’ve learned one thing from these devastating incidents, it’s that preparation is key. Whether it’s recognizing the sound of gunfire, having trauma kits on hand, or even being prepared to attack and take down a gunman, these actions save lives. Acting quickly and decisively makes all the difference.

Every active shooter scenario will be different, but the point is that organizations must have some level of preparedness for each phase of a shooting event – before, during, and after. Those strategies should include:

  • reducing the likelihood of a workplace shooting through comprehensive risk mitigation (e.g., threat assessments, training, physical security);
  • having response plans in place in the event of an active shooter scenario (e.g., evacuation routes, communication with law enforcement); and
  • managing the aftermath of an event (e.g., employee support, public communications).

Once in place, plans must be continually updated, drills practiced, and changes communicated regularly.

Keeping your employees, customers and other stakeholders safe and your business protected is a 24/7/365 endeavor. To learn more, download our latest whitepaper, “Coming to Grips with the Known-Known of Active Shooter Incidents.”

Black Swans: How to Prepare for Low-Probability, High-Impact Events

By Lowers & Associates

Risk management is a top priority for businesses that seek to avoid or minimize potential losses. Often, their efforts are focused on the threats that are most likely to transpire and could result in the most significant damages, those “high-probability, high-impact” events such as product liability lawsuits or employee theft. These organizations direct an inordinate amount of their attention to the upper right quadrant of the Risk Impact/Probability Chart because they believe, understandably, that these will be resources well spent.

But what about the oft-overlooked lower right quadrant of risk management, those “low-probability, high-impact” events? Consider human-caused or natural disasters like tsunamis, active shooters, stock market crashes, or major oil spills. These events, dubbed Black Swan events by author Nassim Nicholas Taleb, while infrequent in occurrence, have massive economic consequences that extend well beyond the initial point of impact.

In this blog, we present three strategies to help businesses mitigate their risks and gain control over the scope of loss should a ‘Black Swan’ incident happen.

1. Conduct Scenario-based Planning

Scenario-based planning is different from its more common counterpart, strategic planning. “Scenario planning attempts to capture the richness and range of possibilities, stimulating decision-makers to consider changes they would otherwise ignore,” noted economist Paul J.H. Schoemaker in his paper, Scenario Planning: A Tool for Strategic Thinking.

Schoemaker uses the following to illustrate his point:

When Brigadier General Billy Mitchell proposed early in the 20th century that airplanes might sink battleships by dropping bombs on them, U.S. Secretary of War Newton Baker remarked, “That idea is so damned nonsensical and impossible that I’m willing to stand on the bridge of a battleship while that nitwit tries to hit it from the air.”

In scenario planning, managers don’t just brainstorm scenarios based on their current experiences, which can lead to overconfidence and tunnel vision, but rather “construct a series of scenarios that can expand their imaginations to see a wider range of possible futures.” They need to find a balance in planning for specific known events and those that are rare or unexpected and then identify commonalities that are relevant to both kinds of disruptions. This provides a better long-term perspective and forces companies to be proactive, rather than reactive, in mitigating potential threats.

(Figure: Examples of Black Swan Events)

2. Carry Out a Threat Assessment

Once an organization has identified a set of likely commonalities from high-impact events, it must conduct threat assessments against them. If we have a retail presence and a tornado suddenly wipes out the entire area around our business, do we know how we’ll proceed? How can customers buy from us when our store no longer exists? Do our employees know our emergency preparedness protocols? If any of our suppliers were also impacted by the tornado, do we have other backup options? Do we have a disaster recovery plan? What about business interruption insurance? How will we notify the public, our lenders and suppliers, and other stakeholders about the status of our situation?

The assessment should cover, at a minimum, the following areas:

  • Human Safety
  • Immediate Physical Damage
  • Long-term Disruptions (Supply Chain, Lenders)
  • Communication (Law Enforcement, Victims, Employees, Bystanders)
  • Reputation Management
  • Overall Business Continuity Plan

3. Prepare a Comprehensive Situation Response

Much, but not all, of the needed response to a high-impact event will have been identified during the threat assessment. It’s essential that management teams don’t simply stop at the threat identification phase, however, but take the next step of creating and disseminating those plans, keeping them up to date, and reviewing or practicing them regularly.

Strategies around each of the threat areas above should be developed. For example, employee lists and associated contact information need to be current and accessible. Evacuation drills need to be practiced. Redundant, offsite data storage needs to be in place. Buildings need to be brought up to code and made secure.

Because ‘Black Swan’ events are characterized by high uncertainty, it may be challenging for businesses to quantify their likely economic impact. For this reason, the authors of the book Dynamic Risk Analysis in the Chemical and Petroleum Industry recommend that “the notions of cost and benefit need to be broadened.” They advise using “a disproportion (adjustment) factor…in favor of safety” when quantitative data is unavailable.

Planning for the Unknown

Writer Alan Gleeson sums up the low-probability, high-impact planning dilemma well in his article, Why Planning Becomes More Important with Uncertainty. “Since time immemorial, people have sought to predict the future. Until the emergence of the relatively modern concept of ‘risk’ and the development of probability theory in the 17th century, predictions about the future had traditionally been the preserve of soothsayers such as Nostradamus. … All these years later, and despite our progress, we still lack the ability to predict the future. Nevertheless, by considering various risks and probabilities, we can aim to understand some likely future scenarios to a greater degree.”

If your organization seeks strategies for mitigating risk and planning for ‘Black Swan’ events, please contact Lowers & Associates.

Early Identification: Key to Effective Risk Management

By Lowers & Associates

Risk practitioners tend to categorize risks based on the level of knowledge about the occurrence (known or unknown) and the level of knowledge about the impact (known or unknown).[1]  Known risks can be prioritized by level of impact and likelihood of occurrence and a plan forms accordingly. …
