Managing Risk on the Global Stage
Bart Szafnicki follows the news every day. Mainly, it’s because his colleagues will be racing towards the action to break or report on a story. Szafnicki is Vice President Corporate Security for Turner Broadcasting System, Inc. (TBS, Inc.), which has brands and businesses all over the world, including CNN.
“Our CNN colleagues are always racing to global emergencies and dangerous parts of the world,” Szafnicki explains. “So one of our biggest challenges is keeping them safe. They are constantly in high-risk areas, and they are at the forefront of our security plan. We partner with CNN International on a regular basis, and we work with them to help mitigate the risks, maintain levels of security and allow those international correspondents to do their jobs.”
Securing the global enterprise in a world interconnected as never before means that risks are significant and constantly emerging. A problem on one side of the globe – an earthquake, an oil spill, political unrest, a coup, a faulty supply chain or vendor, internal theft, cyber crime and the increasing risks of BYOD – can radiate out and threaten to undermine even strong enterprises.
Risk: how it’s managed and mitigated is key to an organization’s brand, success in the market and long-term health and growth. Despite a downturn in the global economy, many organizations, such as Turner Broadcasting, have plans to expand globally. But key to that expansion and global growth is managing risk. And sometimes that risk comes from within.
Corporate security at Comcast Corporation recently discovered a massive internal theft ring by former Comcast employee Alston Buchanan. He was one of five men recently arrested for allegedly defrauding the cable company out of $2.4 million, according to CBS News and the Philadelphia Inquirer.
Buchanan and others are believed to have sold service upgrades to more than 5,000 Comcast customers at an off-the-books discount. The customers got their premium channels while Buchanan and his associates – as many as 23 people – allegedly walked away with the cash.
The scheme unraveled when Comcast corporate security got involved. Buchanan illegally accessed the equipment room of a Comcast subcontractor at its office and allegedly installed an unauthorized computer that he used to remotely access and manipulate the accounts of customers enrolled in the scheme. Following a power outage, corporate security aimed a security camera at the equipment area, knowing that a third party would have to return and reactivate the unauthorized computer. Buchanan was allegedly seen accessing the equipment area on security footage the following day.
The five arrested persons are charged with criminal conspiracy, theft of services, dealing in proceeds of unlawful activity, computer theft, computer trespass and numerous related charges.
Beyond mitigating risks to CNN’s global correspondents, Szafnicki says that he is increasingly focusing security resources on data protection, cyber security and workplace violence. “We completed a compliance and review process to find out how security can more closely work with other Turner departments to go more holistically after risks in those areas to mitigate them,” he explains.
To help with those efforts are the resources from Time Warner, Turner’s parent company. “Leveraging our global security team is key to our success,” he explains. “For example, Time Warner has a regional security director in Hong Kong who we rely on heavily for incidents in the APAC region. We leveraged that relationship the days after the Japan tsunami where we have a significant operation in Tokyo,” he says.
Ultimately, he says, “The goal is to be proactive versus reactive. We want to be on the front end of issues. The better that we can prepare our staff and Turner employees helps the whole security process in the long run if the incident happens.”
Szafnicki points to two incidents where he believes Turner global security did just that. The first is when a man with a gun attacked a woman at the Omni Hotel in Atlanta, which is adjoined to CNN headquarters, and killed her. Security isolated the man immediately and prevented the situation from escalating and moving into a crowded atrium of the hotel.
The second incident was across the world in Mumbai, when the Taj Mahal hotel was attacked in 2008. “We had people at the hotel, and we were able to help them during that situation. I don’t attribute that only to our great work: there were some smart people involved who used cool heads and communicated well,” he says.
“I like to think of our global security effort as evolving,” he says. “For example, we are creating programs like Safety and Security Week and reaching out to people on a proactive basis.”
Another company that is expanding globally is W.W. Grainger, Inc. The company is a Fortune 500 industrial supply company founded in 1927 in Chicago. It provides products such as motors, lighting, material handling, fasteners, plumbing, tools and safety supplies to Grainger’s two million businesses and institutions in 157 countries.
Keith Blakemore, CPP, Director, Security & Loss Prevention, recently hired a director of international security to add to his team’s responsibilities, one of which is due diligence in higher risk, but emerging global markets. Other areas of risk include loss of product from the company’s facilities and distribution centers.
“Security has been an active business partner with our corporate M&A team to do due diligence to make sure we know the company that we are buying, but also importantly, to learn as much as we can about their risk environment and any existing security programs that company may have in place. We can then give our finance colleagues a cost of integrating a company into the W.W. Grainger team. We want to allow and support our company’s international growth strategy,” he says.
And it doesn’t matter if that growth is in a high-risk area or not. “We have a successful business in Mexico,” Blakemore explains, “but it’s also a high threat environment, primarily for the people who work and travel there. Despite that, we recently built a new distribution center there, and so we are now taking as many of our programs, practices and standards, and applying them to that new facility. we can make to mitigate risk, reduce costs and increase profits. We look for ways to leverage our resources and help our business partners better understand risk on a global basis.”
One way that many global organizations are managing risk is to employ a threat analyst, a professional who paints a picture of the overall operating environment and allows a security team to better focus resources against the most credible and high-impact risks to a business. A threat analyst helps a security operation to tailor a fit-for-purpose security program by collecting relevant intelligence from multiple sources, assessing it, determining the specific business impact to a company and then communicating it in the right form to the right leaders at the right time.
Jack Suwanlert is Director of Global Support & Intelligence, Global Safety & Security for Marriott International Inc. He supports company security operations worldwide and intelligence and risk management in investigations, fire, security, occupational health, business continuity and more. Marriott has about 100 executives in its risk management operations, he notes.
“Being in the hospitality industry, we are open 24/7, so we are always trying to balance between security and hospitality. We look to employ the right people in our hotels who know how to project security and look welcoming,” he says. “With risk analysis we try to stay ahead of the game, even before we sign a contract to make a hotel one of ours. We work with architects and design companies during construction phases, because it’s easier to put vehicle barriers or metal detectors in the construction phase instead of retrofitting them. Once the hotels are opened, we continue to provide intelligence, looking at threat on a daily basis.”
Bill Skidmore is a Senior Analyst with the Intelligence Analyst Unit for BP. “Some situations move so fast that we rarely have the opportunity to write anything in length or in depth,” Skidmore says, “but what we do provide supports the business in terms of business development strategies, and crisis response management and response. For example, if we see an area where political instability might increase, we can help that manager in that country manage risks. We always focus the business discussion on security and risk management, and we don’t get too distracted about things beyond their control. It’s more about framing and putting it into context so that the people in operations can take the right measures.”
The recent “Arab Spring,” the wave of demonstrations and protests occurring in the Arab world that began in December 2010, took much of Skidmore’s resources, he says. “For our business security managers, we gave them a broader perspective of what was going on in the region, so while they were ‘in the weeds’ type of stuff, we gave them guidance and gave a heads up to other business interests on how the riots might affect BP staff and operations.”
“The year 2011 was the perfect storm for the global threat analyst,” adds Jean Gordon Kocienda, Global Threat Analysis, Corporate Security Programs, Global Government Services Group for Cisco Systems in San Jose, Calif. “We did predict that there would be a lot of trouble in the Arab region and that there would be risk, but could anyone see that coming? It would have been impossible. It was similar with the tsunami in Japan. No one could have predicted the level of destruction that took place.”
Kocienda is Cisco’s first Global Threat Analyst. “This is a new and evolving role that has emerged with globalization and the after effects of 9/11 and other events,” she says. “There may not have been this specific type of role 15 years ago, but now, multinational companies are seeing that they cannot get by without one.
“I try to take geopolitical, environmental and economic trends and put them into context. And that context is different for everyone in this business. For Cisco, it’s about keeping our networks safe and our customers’ networks safe. There are a lot of risk analysts who focus on key global events. But for everyone, it’s taking information and specifically tailoring it into what does it mean for my business; how does the Arab Spring affect my business? It’s like a meteorologist looking at the cloud swirling overhead and trying to predict the storm.”
This article was originally published in the magazine as "Going Global and Going After Risk."
By Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance, BT Global Services
Every aspect of work these days has shifted: today’s business world bears no resemblance to the workplace of our parents.
Work is no longer performed solely in the 8-5 office of yesteryear, and the driving reason is that business technologies are no longer exclusively used for work, saved and shut down at the end of the day. Home and work spheres have merged and re-formed. We’re more connected, more of the time, and our choice of technology reflects who we are.
Enter the generation of “bring your own device” or BYOD, the growing trend of workers who use personally-owned mobile devices to instantly access company resources in addition to their personal applications.
The many benefits of BYOD are obvious – familiarity and satisfaction of using your choice of device, the flexibility, convenience and portability of devices that suit your lifestyle, the advantages to having “anytime, anywhere” access to information.
According to recent global research BT conducted, some 60 percent of employees say their employers permit them to connect personally-owned devices to their corporate network for business use. More than three-quarters of survey respondents say BYOD access provides their organization with a competitive advantage, and more than half of IT decision-makers believe that mobility and consumerization can boost productivity, efficiency and customer service responsiveness.
However, as many tout the value of BYOD, the security risks inherent in remote access to company data are keeping security executives awake at night. In large part, CIOs and IT managers are cautious and distrustful of BYOD, for good reason. According to our recent research, four in 10 organizations surveyed indicate they have a history of BYOD-related breaches in security. Nearly half the respondents believe that BYOD practices may threaten auditing and compliance obligations. Other concerns cited include loss of infrastructure control and data as well as the danger of a company’s restricted, proprietary information getting into the wrong hands when an employee’s device is lost or stolen.
But the BYOD trend continues regardless, forcing security to develop, implement and enforce appropriate security measures to ensure their organization’s assets are protected while still enabling the benefits of BYOD to be realized.
The answer to this conundrum lies in recognizing that BYOD is a disruptive trend you need to meet head-on. You win against BYOD by embracing it, by taking a proactive approach to working with employees, business partners and clients to understand their needs, then developing security policies that increase business value and productivity, while concurrently protecting corporate assets and managing costs. Focus on securing corporate information rather than on securing the devices. A critical success factor is to ensure continuity in security policies between laptops, tablets, smartphones, personal and corporate devices.
How to Manage the Risks?
To effectively manage the risks associated with BYOD access, first identify the needs and requirements of your organization. Who in your company wants or needs to access the corporate network from their personal devices? What systems do their devices utilize? Should you limit how many devices you support? What IT infrastructure, software and licensing is required? What sort of access do you want to allow – to emails, customer databases, financial documents?
You also need to establish a clear policy and then a combination of the right tools to implement it, the trust with which to deliver it to employees and the operational processes that everyone understands and buys into. Particularly essential is educating the workforce why security measures – and the BYOD policies – are essential to the protection of corporate data. To help employees understand the need for controls and gain acceptance and compliance, you should tailor training and education to explain why such protections are necessary and what the risks are to the individual and the company of not having them in place. When someone understands the rationale behind policies, they’re more likely to steer clear of actions that could potentially harm the company and its assets – and importantly, could jeopardize their job.
Create the framework for managing employee-owned devices and include detailed rules for network access. Ensure appropriate levels for authentication and enforce a strong authentication policy, including passwords. Make sure you know what and who is connecting to your network and to what data. Use a mobile device management system, allowing administrators to set policy and then apply that policy across multiple device platforms.
Classify data so access is appropriate to the user. Encrypt commercially sensitive information. Monitor network traffic on a 24/7 basis to detect threats and understand events – and be ready to quickly take remedial actions as circumstances dictate.
Have employees agree in writing to a remote wipe of their device in the event of loss, decommissioning or theft. Also obtain their agreement to password requirements to access corporate email and general file shares. As well, establish a clear, mandatory process for revoking access to your gateways when an employee leaves your organization. And importantly, incorporate a spirit of constant review into your BYOD policies to ensure you’re staying ahead of the consumerization wave and continually making it work to your advantage.
Beyond frequent evaluation of your BYOD policies, constantly test your systems and processes – and don’t just test them, try to break them. Testing for success is good – testing to try to get to failure is better.
Ultimately, with the right security technologies in place, combined with comprehensive BYOD policies that employees understand and endorse, your organization can enjoy the best of the opportunities that BYOD offers while still ensuring that the company’s assets remain secure and protected.
About the Author:
Jeff Schmidt is Executive Global Head of Business Continuity, Security & Governance at BT Global Services, responsible for all aspects of the security-related products and services BT offers its clients, from overall business strategy, through market research and solution design to delivery and support.
Protecting Museum of London Collections
Officers securing Wembley Stadium, an Olympic soccer venue in west London, reported that a set of internal keys used on searches at the venue was missing. While detectives failed to find the keys, there was no evidence of criminal offenses — suggesting that police probably misplaced the keys.
“There is absolutely no security concern in relation to the stadium as measures were taken immediately to secure all key areas of the venue,” police said in a statement.
The key incident appeared harmless, but it was embarrassing for officials who are already on edge defending security arrangements for the London Games.
Beyond the Olympics, for visitors to London, learning about the history of the city is an engaging and interactive experience at the Museum of London (MOL). The city’s history, from prehistoric times to the present, is brought to life at the Museum through interactive exhibits, displays of original artifacts found during archaeological digs and everyday items used throughout London’s past. The history of London’s rivers, trade and migrations are recreated and exhibited at the Museum of London Docklands, located at West India Quay.
The exhibits are created from the Museums’ large collections, which are housed both at the Museums and at the London Archaeological Archive and Research Centre (LAARC), part of the Museum’s Department of Archaeological Collections and Archive. Based in Hackney, the LAARC also holds the recorded information of the more than 7,500 archaeological sites that have been excavated in Greater London over the past 100 years.
To help safeguard the exhibits and collections as well as maintain the safety and security of the staff, visitors and premises, the Museum of London relies on physical security systems including a high tech automated key control and asset management system. At each of the three locations, the Museum utilizes a KeyWatcher Illuminated system to hold and track keys to offices, exhibit halls, display cases, special areas of the Museum, collection storage areas and other work areas or rooms that have controlled access.
According to Ken Boutayre, Security Supervisor for the Museum of London, “Securing the access to our collections both on display and in storage is critical, and the key control system has been an invaluable tool to help us achieve that objective. Its automated tracking and key usage reporting capability have helped to upgrade our security operation and remove the ever-present concern of lost keys.”
The key control system allows authorized individuals to access specific keys from the key cabinet while keeping the other keys locked in place. Each individual key is secured to a locking mechanism with built-in memory chip; data from the chip is stored when a key is inserted into or removed from a key slot. To access a key, users need only enter their PIN code and if the criteria entered match the information stored in the system database, the key cabinet will unlock and the authorized key can be removed or returned to any open slot in the cabinet.
User authorization and programming of the system for all three locations is established by the Security department. For example, outside personnel were needed to assist in developing and crafting a recent exhibit on Charles Dickens; the security team was able to set temporary permission levels for selected guests to access keys for particular work and storage areas. Keys were only available for access during regular work hours, and if the key was not returned as scheduled, an email alert was sent to security operations.
In place for approximately five years, the Museum’s key control system is network facilitated to enable the Security team to more easily program the system. With its on-screen history display, the team can track who has accessed or returned keys and when. The automated record keeping can also help to reduce the number of man hours spent searching for keys or following up on incidents.
“The system’s effectiveness in managing the key control process has helped us to secure the three facilities,” says Boutayre. “Every transaction is automatically recorded and there is simply no opportunity for logging errors. It saves valuable time in the event of an incident because we always know the whereabouts of every key or who has had it and when it was returned.”