Agriculture/Farming/Food Manufacturing

Budget Trends:

Increased:             67%   

Decreased:           33%

No Change:           0%

Security Budget/Employee         $800.24

Security Budget/Revenue           .23%

 

Critical Issues:

• Budgets

Food Defense and Regulatory Changes

Enterprise Risk Management

• Training
 

Food defense is the protection of food products from intentional adulteration by biological, physical or radiological agents. It manages risks including physical, operational and personnel security.

“Food defense did not begin with DHS, it started with Tylenol,” explained one security executive, during a recent interview. Yet among security leaders in this sector, navigating regulations that may not improve the safety and security of our nation’s food supply is a challenge. Combining increased regulatory requirements with downsizings/restructurings and budgets reductions can have a negative impact on preparedness and risk management.

While all of the companies in this sector compete for market share, they also collaborate with law enforcement when it comes to risks. Several joint projects have been created to identify the probability of certain threats, such as terror, just as these companies do with weather or natural disaster to manage their risk to food supply disruptions. The collaborative approach has enabled companies to assess threats and identify whether a threat is credible.

Food defense is a very broad tent including such new threats as Asian carp, which are threatening the Great Lakes and its $5 billion industry. President Obama recently named John Goss as “carp czar” and invested $80 million to keep the carp from the Great Lakes. Asian carp can fly out of the water with enough force to kill a person, they eat everything in their path and local fisherman often use baseball bats to catch them.

The regulatory issues impacting the food defense industry bleed between food safety and food defense. For example, improving supply chain management is a broad initiative and includes both e Coli (food safety) and the intentional adulteration of wheat gluten and milk formula with melamine in 2007 and 2008 (food defense). As a result, organizations are required to better integrated current security programs into the business units or create new, separate security operations within the business units.        

Current legislation being considered in Congress will require food and beverage companies to modernize their food defense programs. At the center of food defense is the USDA Food Safety and Inspection Service (FSIS), which is expanding its reach and requiring greater food defense programs and the ability to inspect those programs. Experts in the sector have warned that terrorists may target the food supply and that organizations should anticipate and prepare for potential attacks at the board level. 

Business Services

Budget Trends:
Increased           29%

Decreased          0%

No Change        71%

Security Budget/Employee         $1,031.24

Security Budget/Revenue           1.33%

 

Critical Issues:

• Compliance

• Budget

• Technology Upgrades/Project
   Management

• Cyber Security

• Business Continuity Planning

• International Security

• Insider Threats

• Training

• Counterintelligence

Business Services, by its nature, requires its employees to work in a consultative capacity at a client organization most of the time. Last year the concept of shared risk was identified within this sector. When your employee is working at a client location, you anticipate that the employee will have a reasonable level of security. Similarly, that organization expects that your employee will behave in an appropriate manner.

The North America recession, coupled with emerging market business growth opportunities, has ignited international risk management programs as more business units push their services and their people in geographies with higher risks and less security in place. The challenge in this sector is to align with the business units and get to “Yes” to allow business to do business. As a result, travel policies, programs and management have been relocated within security. Employees now have a 24/7 resource that provides services from weather related flight delays to people tracking and emergency health or security services on a global scale.

At a more complex level are employees in high-risk environments that are housed in a secure compound or area with restricted movements. These people require rest and recreation leaves on a regular basis, so logistics for safe and appropriate travel (they are representing the brand) require polices and planning.

Understanding the risks to the organization both externally and internally includes training employees on protecting company assets, especially the intellectual property of their clients as well as their own. Training employees to understand and adhere to polices and security best practices is a key element for successfully managing risks. Externally, counterintelligence efforts to identify risks, such as organized crime, in a specific area are proving successful. Business service companies compete for business, but they have also pooled their resources to identify threats and share information.

The move for business resilience and emergency management within the security function has been a business driver for this sector. Companies are able to remain in place and function for their clients, avoiding lost time and revenue due to outages or evacuations.

As the business has increased, so has security spending in this sector. Yet, security is finding ways to economize, especially in credentialing employees for multiple access or identification requirements. By centralizing this function, companies are able to get people where they need to be in a more efficient manner.

Construction, Real Estate & Property Management

Budget Trends:
Increased      50%
Decreased     0%
No Change   50%

Security Budget/Employee $1,400
Security Budget/Revenue 1.23%

Critical Issues:
• Training
• Funding/Budgets
• Physical Security Enhancements


According to The Society of Industrial and Office Realtors (SIOR) Commercial Real Estate Index, commercial real estate is predicted to be flat after 11 consecutive quarterly declines. High unemployment rates continue to push down vacancies, rents and new construction demand. However, the forecast shows a flattening in this market. And in an attitudinal survey of more than 700 local market experts, nearly nine in 10 indicated “new commercial development is virtually nonexistent in their market areas, and rent concessions are reported almost everywhere.” The National Association of Realtors does not forecast an upturn in office or warehouse space before 2011. 


According to Kroll, a leading risk consulting company, undetected criminal activities on multimillion dollar construction projects can increase construction costs as much as 20 percent. Projects also fail or result in serious long-term liability. The ROI model for companies in this sector to manage risk and prevent theft is measurable and significant.
 
The significant trend has been to build security in at the design stage and reduce reliance on security officers, thereby controlling access and increasing video surveillance. At the high end of the market, HVAC, elevators, fire, security and lighting management are integrated within an overall building management solution.
 
Access control continues to be a challenge for commercial real estate locations and their management as workplace violence escalates. Due to the typical multi-tenant nature of these facilities, visitor management is a significant risk and policies regarding escorting fired employees out and removing access permissions (both physical and logical), preventing access by former employees or enabling visitors to gain access to areas in which they do not belong is critical to managing risk and reducing liability. Collaboration – including technology, training and policies – is key to preventing access related events.

Diversified Companies

Budget Trends:
Increased 40%
Decreased 0%
No Change 60%

Security Budget/Employee $997
Security Budget/Revenue .29%

Critical Issues:
• Funding/Budget
• Crisis Management
• Domestic Terrorism
• Business Resilience
• Workplace Violence
• Security Employee Retention
• Institutional Buy-in
• Supply Chain Risk
• Managing Security Technology


General Electric is as big, diverse and complex as a company comes in this day and age. The global security organization focuses on the security infrastructure issues such as regulatory, travel and executive protection. It also sets strategy and integrates enterprise risk management with other departments, including IT and Environmental Health and Safety. Due to the many unique businesses and people within GE, from nuclear to appliance manufacturing to banking, the security leaders at those units are able to create programs that meet their unique requirements for risk management. “Every day we demonstrate our relevance by anticipating and solving problems,” said Frank Taylor, VP and CSO at GE in a recent Security magazine interview.

Anticipating risks and threats in the diversified sector is particularly challenging by its nature. For example, the unsuccessful Times Square terror attack on May 2, 2010 near Viacom’s headquarters was not identified as a risk, despite warnings. After airing an episode of South Park that included a depiction of the Prophet Muhammad, the radical Islamic web site revolutionmuslim.com warned the show’s creators they were at risk for producing the show. But it was not anticipated that the Comedy Channel, owned by Viacom, would be at risk for airing it. In fact, Fox News covered the web site posting and a Comedy Central spokesperson was asked to comment on the threats against South Park when the web site posted its warning.
 
Budgeting and finance is a significant challenge, especially during the recession. Blanket budget reduction across a diverse organization without mitigating specific risks in a specific and possible expanding business unit creates gaps in security programs and increases risk.

 

Education: K-12

Budget Trends:
Increased 38%
Decreased 25%
No Change 38%

Security Budget/Employee $532.47
Security Budget/
Operations Budget .68%
Security Budget/Student $56.77

Critical Issues:
• Funding/Budget
• Technology
• Staffing and Hiring
• Crowd Control
(school-related events and sports)

Budgets are the biggest issue impacting the K-12 sector. Compliance with fire and life safety requires fixed spending, thereby reducing the ability to manage risk in a very dynamic threat environment with strained resources. “Doing more with less” is the new normal. 

While school shootings get the headlines, most of the incidents school security officials face includes drug and alcohol abuse, theft and assaults. Newer challenges include the use of social media for taunting, “sexting” and cheating. While violent deaths such as suicide are a focus, the web site schoolsecurity.org reports that since a height of 49 in the 2002-2003 periods (August-July) the level has declined to 11 in the latest year and 13 for the prior 2008-2009 year.
 
Vigilance, training and counseling are key reasons for the decline, including implementing technology to prevent access and to monitor activity. Many larger school districts have invested in risk management programs for prevention.
 
Cyberbullying is a new challenge within the social media world, and schools are just beginning to understand and manage it. Phoebe Prince from South Hadley, Mass. was a victim of violence both in school and online. In January of this year Prince committed suicide, and since then, nine students have since been arrested and face charges, including statutory rape, violation of civil rights with bodily injury, criminal harassment and stalking. The incidents that led to her death had been reported to school faculty, staff and administrators.
 
The K-12 market is focused on crisis management and routine lockdown drills and investments in security technology are paying off with efficiency and effectiveness. “Students cannot learn if they are not safe,” says Superintendent Robert Buron of the San Antonio ISD. And creating a safe environment in today’s economic climate requires solid policies for identity management, access control, asset protection and people tracking and monitoring. The planning also extends beyond the school property itself and into neighboring areas to be successful and best manage risks.
 
The change from physical keys to electronic access controls, for example, makes it easier to manage. Unlike mechanical doors, electronic systems can be monitored centrally, so once a person leaves via an access card, the door locks behind, preventing reentry. In most cases, the doors are being retrofitted versus replaced in the K-12 market. This allows for access ID cards to be used by students for school bus trips, entering and exiting facilities and tracking school lunch purchases.

Education: Colleges and Universities

Budget Trends:
Increased 47%
Decreased 6%
No Change 41%

Security Budget/Employee $2,145
Security Budget/
Operations Budget .99%
Security Budget/Student $458

Critical Issues:
• Funding/Budget
• Security Technology
• Training
• Hiring/Retaining Personnel
• Drugs/Alcohol Abuse
• International Expansion
• Facilities Management
• Student Mental Health Issues
• Student Compliance

Three years after the Virginia Tech massacre, the United States Secret Service, Department of Education and FBI released their report, Campus Attacks: Targeted Violence Affecting Institutions of Higher Education. One key outcome of the report was the 2008 amendment of the Jeanne Clery Disclosure Act that requires colleges to have a campus emergency response plan. 

In addition to the nearly 18 million students attending more than 6,500 higher education institutions are 3.6 million employees. While the Clery Act reports on risk management and security failure, the vital task of successful prevention is where this sector is targeting its investments.
 
During 2005-2008, 237,599 crimes were reported to the Department of Education in compliance with the Clery Act. Most of those were burglaries (137,785) and some were automotive theft (37,910). But it is the 174 murders and 46 negligent manslaughters that capture news headlines and keep security executives awake at night.
 
The most interesting finding of the Campus Attacks report is that in 29 percent of the violent incidents, the victim reported that the attacker demonstrated hostile manners such as threats, harassment or physically aggressive behavior.
 
The complexity of managing risk increases dramatically as colleges allow outside organizations to do business on their campuses, such as fast food, coffee shops or outsourced bookstores. Those employees are not the college’s employees. 

The Campus Attacks report concludes that the College and University sector simply has to do more to identify individuals, assess the intent and ability of those individuals to execute a threat and ultimately, manage that threat to disrupt an attack.

Finance/Insurance/Banking

Budget Trends:
Increased               36%

Decreased             14%

No Change            43%

 

Security Budget/Employee         $930

Security Budget/Revenue           .67%

 

Critical Issues:

• Funding/Budget

• Globalization

• Training

• Security Technology

• Cyber Crime

• Regulatory Compliance

• Retaining Personnel

• Terrorism

• Mobile/Contract Work Force

 

 

In addition to the friendly security guard at the door, banks have video cameras, monitoring centers and sophisticated best practices to thwart would-be thieves. Yet, the FBI’s most recent report on bank robberies shows that during the third quarter of 2009, there were 1,212 reported violations of the Federal Bank Robbery and Incidental Crimes Statute. There were 1,184 robberies of financial institutions and 28 burglaries reported between July 1, 2009 and September 30, 2009.

Assets, including cash, were taken in 90 percent of the incidents, totaling more than $9.4 million. Yet more than $2.2 million was returned. Acts of violence were committed in five percent of the incidents, resulting in 26 injuries, five deaths (the perpetrators), and 32 people being taken hostage.

The bigger risk for this sector is cyber crime, insider threat and insurance fraud. The boom in online banking has resulted in a boom in phishing and online scams to gain access to bank accounts. According to the FDIC, in the third quarter of 2009, hackers stole $120 million from consumer accounts. Small businesses are also facing cyber crime, but their commercial deposits are not covered by the protections that protect consumer accounts. The FBI focuses cyber crime as its third largest priority after terror and intellectual property theft, and estimates losses in the hundreds of millions of dollars due to hacking into ATM machines and electronically forging transfers.

Internal threats are equally vexing. The biggest reported case of data theft by a financial insider was Bank of America, which recently agreed to pay for credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers who dealt with its Countrywide Financial mortgage unit.

In another example, the personal information of 3.3 million student loan customers recently was exposed. Educational Credit Management Corp. said the data included names, addresses, Social Security numbers and birth dates of borrowers.

The increases in regulatory compliance, damage to brand and cost of making customers whole after a breach are driving this sector to better secure online accounts, educate customers to keep access information secure and protect confidential information.

Progress is being made. The results of a Deloitte survey, The Faceless Threat, revealed that this sector is moving from being late adopters to trying new technologies and solutions to becoming innovators or early adopters for risk management and security. Those identified as innovators or early adopters jumped from 18 percent to 26 percent (2009 versus 2010). Their five biggest priorities are:

 

Identity and access management                     46%

Data protection                                                     39%

Security infrastructure improvement                 36%

Regulatory and legislative compliance            34%

Training and Awareness                                     33%

Government (Federal, State & Local)

Budget Trends:
Increased               10%

Decreased              40%

No Change             50%

Security Budget/Citizen   $494

Security Budget/Revenue           7.5%

 

Critical Issues:

• Budget/Funding

• Training

• Security Technology

• Regulatory Compliance

• Business Continuity

• Asset Protection/Theft

 

The Department of Homeland Security (DHS) is heavily invested in prevention in this sector, as its core mission explains:

1.         Prevention of terrorism.

2.         Protection/prevention of border security.

3.         Management of immigration and prevention of illegal immigration.

4.         Prevention of cyber crime and cyber terror.

5.         Resilience and response to events and disasters.

6.         Strengthen the homeland security enterprise.

 

Keys to this program are two major investments that are exciting and showing results. First are the University-based DHS Centers of Excellence (CoE). There are 16 CoE’s, three of which are internationally-based. The other 13 are located within leading Universities such as USC, MSU, Texas A&M, John Hopkins, UNC, Purdue, Rutgers, the University of Maryland and more. 

A critical government security issue is whether they employ military or civilian assets? If a terrorist is in Yemen we can kill him. If he is in the U.S., it is not ok to kill him and we arrest him.

Mike Chertoff, former DHS director, expects DHS to focus its efforts in the coming years on:

1. Security that can be employed by military or civilian authorities quickly to make awareness and intelligence available to identify threats and the proactive use of information to take action. For example, recently, the U.S. stopped two individuals going to Somalia to train to be terrorists as a result of this activity.

2. Bio terror sensors and sound sensor technology will continue to be deployed to gain information faster and analyze it for improved situational awareness. The goal is to improve security without slowing processes, so acceptance relies on technology being friendly to all stakeholders.

3. Cyber-terrorism. A secure architecture is required to protect the Internet while enabling service and access.

4. Border security will continue to be a major issue for DHS, Congress and the public.

On the money front, many state and local security and emergency operations programs are funded by DHS, especially through FEMA. The ten FEMA regions drive preparedness goals for 50 states and six regions through its $4 billion budget.

Most of the FEMA grants go to fire departments and to state agencies, including state level DHS or Offices of Emergency Management. You would think it would be easy to hand out that sort of green to the many unprepared communities across our land. But it is not. Often the grantees underestimate costs, get a grant and then engage the system integrator or contractor, only to learn they can build half a fire station. Environmental red tape can delay a project past the grant’s deadline. If the grantee does not seek an extension, the grant is lost.

The FEMA grant program directorate is a one-stop shop with great customer service and transparency for all stakeholders to ensure that preparedness is achieved and funds are well invested. From 2003-2007, 56 percent of their $10.6 billion in grants went to five core capabilities:

  Communications

  Critical Infrastructure

  Hazardous Materials/Weapons of Mass Destruction

  Emergency Planning

Chemical, Biological, Radiological, Nuclear and Explosives (CBRNE) Detection

Healthcare/Pharmaceutical

Budget Trends:
Increased               80%

Decreased              0%

No Change            20%

 

Security Budget/Citizen   $375

Security Budget/Revenue   7.5%

 

Critical Issues:

• International Travel/Employee Security

Business Continuity/Crisis Management

• Regulatory Compliance

• Budget/Funding

• Physical and Intellectual Property

• Workplace Violence

• Supporting Business Goals

 

The Healthcare sector is defined by companies that research, manufacture and distribute healthcare related products including pharmaceuticals, medicines and services. It is unique from hospitals and medical centers that provide healthcare related services
to patients.

The healthcare sector protects its product from:

  Counterfeiting

Theft in the supply chain

  Prescription drug diversion

  Fraud: Doctor/Recipient/Pharmacy

  Intellectual Property

  Property Damage

  Internal Threats

The Center for Medicines in the Public Interest estimates that counterfeit medicine sales will reach $75 billion worldwide this year (a recent Wall Street Journal blog by Carl Bialik questions this estimate. See Dubious Origins for Drugs, and Stats About Them. 9/9/10).

Still, a recent report in Israel by Yossi Nissan of the Israel Business News estimated that one percent of Israeli’s take counterfeit drugs. Between 2007-2009, 438,410 fake Viagra pills were identified by Pfizer, just in Israel. 

Recently, Dr. Marla Ahlgrimm of Madison, Wisc. was arrested by the FBI. She and her alleged partner Balbir Bhogal are accused of shipping millions of pills from India with the identical coloring and markings of Viagra and other prescription drugs.

According to the Pharmaceutical Security Institute (PSI) the numbers are staggering. Counterfeiting increased 9.2 percent over the past year. PSI has identified 808 counterfeit pharmaceuticals in 2009, a 36-percent jump from 2008. And it found counterfeit drugs in 118 different countries. Of great concern are the 531 incidents where the counterfeit products reached the legitimate supply chain, including licensed wholesale distributors and/or pharmacies in 48 countries. PSI noted that 472 of the 978 seizures made included “commercial” size shipments.

The actual number matters less than the risk of death or injury due to counterfeiting. Peter Pitts, president of the pharmaceutical industry-backed Center for Medicine in the Public Interest said in Carl Bialik’s WSJ article: “To belittle the problem of the developing world because of numbers you can’t substantiate is very unfair. If we wait to count the bodies, we only have ourselves to blame.”

The industry has used innovation that includes adding inert substances to the product, known as excipients, for the covert identification of genuine pharmaceuticals. The FDA has also identified that a paper trail through the supply chain, including chain of custody, is the fastest and least disruptive way to track shipments. RFID tags on each container combined with optical secure labeling technologies are also proving effective.

In addition to product security, this sector faces many of the similar risk management challenges of other sectors, including employee travel and security, insider threats and physical security issues. For example, earlier this year, thieves stole $75 million in drugs from an Eli Lilly & Co. warehouse in Connecticut by cutting a hole in the roof. 

Hospitals/Medical Centers

Budget Trends:
Increased               41%

Decreased              23%

No Change                        36%

Security Budget/Employee         $1,123

Security Budget/Revenue           3.08%

Critical Issues:

• Budget Funding

• Staffing/Manpower

• Training

• New Facility/Construction

• Asset Protection

• Security Technology

• Regulatory Compliance

• Workplace Violence

• Access and Crowd Control

• Employee Travel

The Hospital/Medical Centers sector is defined by those companies that provide healthcare related services to patients. It is unique from the Healthcare sector, which is defined by companies that research, manufacture and distribute healthcare-related products, including pharmaceuticals, medicines and services.

Workplace violence is rampant in this sector. Recent studies have documented the dangerous work environment that nurses face. More than half of the 3,465 health workers surveyed last year by the Emergency Nurses Association reported they’d been hit, spat on or physically assaulted while on the job. About 25 percent said they had experienced 20 or more acts of physical abuse during the previous three years.

And more than half of the nurses surveyed for Violence Against Nurses Working in U.S. Emergency Departments cited one or more of the following as precipitating factors when they experienced abuse:

  Patients or visitors under the influence of alcohol or illicit drugs

  Psychiatric patients being treated in the emergency department

  Crowding

  Prolonged wait times

  A shortage of emergency department nurses

At Danbury Hospital (Connecticut), a nurse was shot by an 85-year-old gun wielding patient. OSHA found that the hospital had failed to provide adequate safeguards and fined them $6,300. There is not a big call for increased security spending when the fine costs a fraction of the solution.

As a result, CSOs in this sector noted training, budgeting/staffing and workplace violence among their most critical issues. At the same time, this sector is facing increased regulatory compliance to reduce risk for both patients and employees. For example, one regulation impacting hospitals that accepts Medicare and Medicaid patients and money (Centers for Medicare and Medicaid Services) requires a standard of security, including risk management programs related to secure access control, emergency room violence and visitor management.

In addition to regulatory pressure and fine avoidance, hospitals are relying on technology to better track visitors, restrict access and monitor employee, patient and visitor behavior. At leading hospitals in this sector, the security officers act as greeters to first identify risky behavior, securely escort people and respond to events.  

Beyond the day to day issues of workplace violence, asset tracking and regulatory compliance, hospitals face heightened guidelines for business resilience and emergency planning. Hospitals need to plan for the possibility of both an evacuation and a rush of patients and that requires the designing, training and practicing realistic drills in a 24/7 work environment, all on a limited budget.

Overall, budgets increased in this sector due to increased risks, events and construction/expansion. But perhaps it’s not at the level needed to support such a significant rise in security related events. 

Hospitality/Casinos

Budget Trends:
Increased               30%

Decreased             20%

No Change            40%

Security Budget/Employee         $499.57

Security Budget/Revenue           .59%

 

Critical Issues:

• Budget/Funding

• Security Technology

• Training

• Regulatory Compliance

• Crisis Management

• Counter Intelligence

• Internal Theft

• Terrorism

• Liability

 

The Hospitality/Casinos sector has been altered to measure hotels with casinos and hotels without casinos to give better metrics to the participating benchmarking organizations. Among the participating hotels, the number of keys in the organization ranged from 500 for a single location hotel/casino to more than 400,000 for a global chain.

The risk management challenge for this sector has increased as a result of the Mumbai terrorist attacks and recent suicide bombings, most recently this past August at the Muna Hotel in Somalia where six MPs, five government officials and 21 civilians were killed in a terrorist attack. Suicide attacks in Indonesia and the Mumbai hotel siege have forced this sector to reevaluate risk and security programs.

This is a significant business issue for this sector because corporate travel programs are being relocated to the security department in many enterprises. And they are tracking hotel and airline safety records and security programs. Those that do not meet their security criteria will not get that company’s business. Plus, there is the threat of social media and Internet sites posting negative guest experiences and reviews by individual and small business travelers. Yet only 50 percent of those participating in the survey have an emergency management or evacuation plan in place.

This sector is also vulnerable to cyber crime, especially credit card hacking and fraud. Recently, HEI Hospitality, an owner of Marriott’s, Sheraton’s and Westin’s hotels notified more than 3,400 guests that their credit card data had been compromised due to a point of sale (PoS) intrusion. The Payment Card Industry (PCI) sets Data Security Standards for protecting this data and it released new security requirements earlier this year.

Casinos are facing a recession in gaming revenue but an increase in those that believe they can successfully steal from casinos. And while they are focused on protecting their guests, they are very intent on protecting their casino floor and their money. Like the broader hotel space, casinos are battling budget cuts, competition for qualified surveillance and security employees and an increase in thefts and fraud attempts at their facilities by both guests and employees.

While the most frequent issues CSOs in this sector face include internal theft issues, guest safety and slip and fall frauds, the risk management issues are growing. Across this sector, the realization that they cannot “hire and spend” their way to managing risk has resulted in new security technology investments to better manage access, monitor activity and maintain a constant and consistent level of security within budget constraints.

Industrial & Manufacturing

Budget Trends:
Increased               27%

Decreased              18%

No Change                        55%

Security Budget/Employee         $465.44

Security Budget/Revenue           .98%

 

Critical Issues:

• Brand Protection

• Funding/Budget

• Regulatory Compliance

• Security Technology

• Training

• Cyber Security

• Business Continuity/Crisis Management

• Emerging Markets

• Geopolitical Risk/Global Unrest/Economic Instability

• Intellectual Property

• Workplace Violence

At the top of the critical issues list is protecting the brand as related to counterfeit products. According to Brian Monks, vice president of anti-counterfeiting operations for Underwriters Laboratories, “counterfeiters operate much like drug smugglers.” The North American and European markets are receiving fake electrical goods with brand name logos that are indistinguishable from the real ones. Buyers reacting to low prices create an increased risk of fire damage, injury or death, as reported in Electrical Apparatus by Richard Nailen. Jim Hutton, global CSO at Proctor and Gamble adds, “I am amazed by their speed and sophistication.”

Having intellectual property stolen by foreign nationals or insiders to create counterfeits is a key “brand protection” issue and one that CEOs are just beginning to pay attention to. Typically a CEO’s timeline is short, and protecting IP at the R&D stage receives a low priority. The FBI’s program to educate and help companies secure their IP has been effective. About one-third of all economic espionage investigations are linked to Chinese government agencies, research institutes, or businesses, according to the FBI. 

Counterfeiting is a $600 billion business, and according to the World Counterfeiting Organization, it hits most manufactured products. In 2006, the U.S. Congress estimated that 15 percent to 20 percent of all goods manufactured in China were counterfeit goods. Jeff Kessler at Imperial Capital reported that the most effective way to attack counterfeiting is through “layering” and that the most frequently used technologies are: 

Bar Coding Lost or Date Codes             67%

Printing                                                       46%

Tampering                                                 27%

Bar Coding NDC or UPC                        24%

Mass Serialization using Bar Codes     15%

RFID tagging of items                               13%

Taggants or markers                                8%

Special Substrates or materials               7%

Mass Serialization using RFID                5%

Holography                                                4%

This sector is still feeling the global recession’s impact on sheltered facilities that still need to be secured and the increased risk at those facilities for valuable commodities, including copper tubing or idle equipment to be stolen as well as liability risk for trespassers who may be injured or killed.

Ongoing manufacturing operations require global policies for all employees, facilities and business partners to ensure both security and safety goals that appropriately identify and manage risks. Tightening supply chain policies to only accept deliveries from approved and recognized partners integrated with “chain of custody” security measures through authorized distribution partners is key to protecting brands. Training is central to implementing and enforcing the policies and programs that bring regulatory compliance, product integrity, asset management and people identification and tracking together. Manufacturing requires a fluid supply chain and resourcing of both valuable and sometimes hazardous/regulated goods.         

One best practice to review in this sector is that used by chemical companies, such as Dow Chemical, which is using experts to study their sites vulnerabilities based on methods developed at Sandia National Labs and that adhere to the American Chemistry Council’s Responsible Care Security Code. Dow exceeds this code and integrates its Emergency Services and Security auditing and process safety programs to create an integrated approach to risk management. Dow has also committed to continuous improvement and sustainability programs at its facilities. Despite this enterprise-wide program, a recent Greenpeace inspection at a 5,000 acre Dow Chemical production plant with 65 facilities in Freeport, Tex. found security lacking with easy access to hazardous materials.  

Information Technology, Communications & Media

Budget Trends:
Increased               29%

Decreased              42%

No Change                        29%

Security Budget/Employee         $8766

Security Budget/Revenue           75%

 

Critical Issues:

• Security Technology/Convergence

• Intellectual Property

• Regulatory Compliance/Program Documentation

• Global risk management due to
   expansion and business requirements

• Employee Travel

• Budget/Funding

• Crisis Management and Emergency Planning

• Workplace Violence

Protecting intellectual property is among the most critical business issues impacting this sector. Software companies, for example, spend significantly and work with government agencies globally to identify and stop illegal software counterfeiting and unlicensed duplication. Media companies work to prevent illegal distribution of movies and music. And the hardware companies, like Apple, fight a constant battle against iPhone, iPod and iPad confidential information leads.

Two Apple episodes noted by Gizmodo include the infamous Apple iPhone 4G prototype being left in a bar by an engineer and an Apple engineer showing the company’s new iPad to Steve Wozniak, Apple co-founder and to an employee. Due to Apple’s security policies and procedures, the engineer who left the iPhone in a bar did not violate Apple policies – he did not leak information, act with malice or violate his NDA. However, the engineer who had permission to remove the iPad from the secure area after midnight on its launch day, but apparently not to show it off, did so for two minutes outside and was fired. Navigating policy, training people to understand and follow policies and managing security in this environment to protect intellectual property is among the role’s greatest challenges.

Traditional global risk management challenges related to infrastructure issues including upgrading security technology and aligning with business goals to support global expansion, including employee travel and increased risk management are critical areas of focus. The impact and consolidation of business resilience into the security role is also noted among survey participants.

Internal threats are significant in this sector by the nature of the employees’ skill sets and the mobility of the company’s products and intellectual property. Having clear policies, training and monitoring software to identify a virtual custody chain on access to information requires coordination between IT and security programs.

While the challenges are significant in this sector, the budget pressure was not as significant as in other sectors. Programs for corporate and physical security to protect employees in the workplace and while traveling, implementing effective business resilience programs and adhering to compliance legislation require funding, management and effective policies and training.


Retail/Restaurants/Convenience Stores/Food Service

Budget Trends:
Increased               44%

Decreased              17%

No Change             39%

 

Security Budget/Employee         $939

Security Budget/Revenue           35%

 

Critical Issues:

• Loss Prevention including:

         Shrink Reduction/Inventory
         Control/Return Fraud

         Organized Retail Crime

         Internal Theft

         Burglary/Robberies

• Security Technology

• Funding/Budget

• Staffing/Training

• Regulatory Compliance

• Supply Chain/Distribution

• People Security/Safety

• Product Tampering

  

Despite the decline in retailing and dining out due to economic conditions, security spending in this sector was strong with 83 percent of participants having increased or equal budgets versus 2009. Fueling this investment is the increase in shrink due in large part to organized crime and to the recession that has led more employees and guests to steal.

The August 2010 Annual Retail Theft Survey by Jack L Hayes International shows the loss prevention challenges and results of increased LP programs. The results are staggering. According to the report, 15 of the 25 retailers had an increase in shoplifting apprehensions, while 20 of 25 retailers reported a decrease in dishonest employee apprehensions. More than 1 million shoplifters and dishonest employees were apprehended in 2009, a 15 percent increase over 2008. More than $163 million dollars in goods were recovered.

While the shoplifter apprehensions increased, the dishonest employee apprehensions decreased. Yet, one in every 28.4 employees was apprehended for theft from their employer in 2009. And dishonest employees steal about 6.6 times more than shoplifters ($728.90 versus $110.14).

The Hayes report addresses overall shrink issues for retailers, but within these numbers is the troubling growth of organized retail crime. The National Federation of Retailers reports losses from ORC Rings between $15 billion to $30 billion annually and 89 percent of their members reported being victims of ORC. The problem has become significant enough that legislation has been introduced to establish a new unit within the Department of Justice to investigate and prosecute ORC. Unlike the shoplifter who typically steals products for personal use, ORC members are professional thieves who consider stealing and reselling goods for a profit their vocation and main source of income.

While a substantial investment in loss prevention tagging and RFID technologies has been made to reduce shrink in the supply chain as well as by employees and shoplifting, the numbers are not proving that these investments are truly effective. Further, retailers cannot “outman” the problem with security personnel. Innovative technologies will continue to be critically tested by both retailers and retail thieves.

Transportation, Logistics, Supply Chain, Distribution & Warehousing

Budget Trends:
Increased               56%

Decreased              11%

No Change             33%

Security Budget/Employee         $640.71

Security Budget/Revenue           .37%

 

Critical Issues:

• Budget/Funding

• Cargo Theft

• Regulatory Compliance

• Security Technology

• Fraud

• Workplace Violence

• Border risk and violence

• Business Continuity

• Supply Chain

• Training

• Background/Personnel Checks

 

The size and scope of this sector makes security a daunting task. As a result, the only successful approach is business first, which means a risk management focus. By first identifying the greatest risks and then mitigating those, security professionals have a significant opportunity to protect the most valuable assets and reduce losses.

Among the most effective mitigation techniques is to instill a security-minded culture among employees and contractors to keep an open eye and report suspicious activity or irregular visitors. Supporting that goal requires regular training, security audits and technology to restrict access, know when an access policy has been violated and use surveillance for situational awareness.

Regulatory compliance is also driving security and risk management investments in this sector. Department of Homeland Security regulations such as TWIC, CFATS, C-TPAT, MSTA and Rail Security Standards all require implementation and reporting programs to achieve and document compliance. Identification badges, inventory tagging/controls, surveillance and creating restricted areas reduce risk and improve security.

A challenge for this sector is that the size of the problem is unknown. Unlike retail loss prevention that has significant benchmarking and participation, the size of cargo theft is unknown. A recent interview in Risk Management Monitor by Emily Holbrook with Michael St. Hill, director of insurance services for ISO crime analytics, noted that in the first quarter of 2010, LoJack reported 212 cargo theft related supply chain
disruptions.

“It’s very hard to determine accurate trends without national statistics. There are reports out there that estimate cargo theft as a $30 billion problem, but there are other reports that state that it’s a $5 billion problem. Regardless of where we are in the spectrum, it’s still a huge problem that is continuing to grow,” said Michael St. Hill in the interview.      

One new solution that will help companies in this sector better measure the problem and therefore the true cost to business and risk mitigation investment needed is CargoNet.

“CargoNet is the first nationalized system that addresses the problem of cargo theft through data sharing. With that system in place, we would now be able to aggregate accurate data,” explained St. Hill. 

 

Utilities and Energy (Power, Electric, Gas, Nuclear, Water)

Budget Trends:
Increased               40%

Decreased             20%

No Change            40%

 

Security Budget/Employee         $56,296

Security Budget/Revenue           8.56%

 

Critical Issues:

• Regulatory Compliance

• Workplace Violence

• Asset Protection/Theft

• Security Technology Projects

• Training

Enterprise Risk Management

• Crisis Management

• Cyber Security

• Travel Security

 

 

Utilities are at the heart of the

U.S. economy and its critical infrastructure. “Unfortunately, most critical infrastructure control systems were not designed with security in mind,” says Andrew Ginter, CSO of Industrial Defender, which provides products and services to assure the availability, reliability and security of our critical infrastructure. For example, earlier this year a malware program, which targeted Siemens AG control systems, enabled data to be found and stolen from SCADA systems and thus revealed that the U.S. power grid could be controlled by terrorists or foreign governments.

The shift to a smart grid in this sector has created a new industry that focuses on cyber security guidelines. The National Institute of Standards and Technology (NIST) issued its first Guidelines for Smart Grid Cyber Security, which includes a framework to assess risks and prevent attacks in a layered or “defense in depth” approach to address the diversity and evolution of cyber threats.

On the physical side of security, perimeter protection to ensure accurate credentials to detect or prevent intrusion, especially at remote locations, is getting significant attention and investment. This has been critical for water service providers. One resource is the web site waterisac.org, which was created by drinking water and wastewater utility managers to:

  Provide tools for identifying and managing risks.

  Help managers target limited resources where they are most needed.

  Arm utility directors and security personnel with critical knowledge and best practices.

  Communicate threat warnings and incident reports to water systems, 24/7/365.

  Save time and effort by serving as a clearinghouse for government and private resources.

This sector also benefits from regulatory compliance in the form of DHS grants. DHS funding to meet compliance goals and improve security for critical infrastructure will continue to be a major driver for projects in this sector.

As utilities align security with business goals that require modernizing the control systems to a network vulnerable to malware and cyber attack, security must focus on enterprise risk management and ensure the products being purchased to manage the utilities processes are secure from unintended access.