Bernie Youngblood, Director of Marketing at Detection Systems and Engineering, started working in security decades ago. Back then he was responsible for the development and execution of a national program for a CCTV camera manufacturer. A lot has changed in that time—especially technologically—but the basic need for corporate security has remained the same.
“Is security important?” Bernie asks. “If you look at what’s happening in the world—politically, economically, with civil unrest—the world is not a happy place. Will corporate security continue to be important? Yes. It’s getting more important every day. And every day I’m surprised by how lackadaisical people are about it.“
This lackadaisical attitude shows itself in many ways. Sometimes it’s being lax about security altogether—after all, “It can’t happen here!” But more often, it shows itself in a “quick fix” attitude, with businesses flocking to solutions and products without asking:
“Will buying this, installing that, or doing the other thing address the threats we face?”
We sat down with Bernie at the end of 2019 to discuss which corporate security solutions are most underrated and overrated.
Bernie started his security career, back in 1995, focused on security cameras. His opinion on their security impact today:
“Tremendously overrated. There’s currently a fascination with video surveillance—which makes it very easy to sell cameras. But the camera doesn’t magically make you safe. The only thing most cameras do is take a lot of pretty pictures of people stealing your stuff.”
He points to the 2017 Las Vegas shooting outside the Mandalay Bay Hotel. This attack resulted in 58 deaths and more than 800 injuries. “They likely had hundreds of cameras in and around that building, and the guy operated for a week undetected. He passed in full view of dozens of cameras, as he loaded box upon box of guns and ammunition into his hotel room.”
Make no mistake, there are certainly counterexamples. The 2019 attack on a synagogue in Halle Germany—targeting a community at prayer on a holiday—could have been devastating had it not been for a properly monitored security camera. But this is the exception more than the rule.
“There’s probably 100 cameras within 1,000 feet of this building,” Bernie notes. “And what are they doing? They’re writing data to hard-drives. No one is watching those cameras, no one is paying attention. Even if you put a guard in a chair in front of those monitors, watching those feeds, that won’t likely solve the problem. The more screens you put in front of him or her, the less they’re going to see. Until we can leverage that data through the proper application of AI, we’re going to see decreasing returns: Add ten cameras to a ten camera system, without proper planning, and you’ll half the benefit, not double.”
Corporate Security and Cybersecurity
Cybersecurity isn’t just underrated; “it’s a train wreck. An absolute train wreck. People don’t take it nearly seriously enough—and people are the weakest link.”
Physical and cybersecurity rely on each other. We’ve long known that the easiest way to gain access to a computer system is physically. But we’re also now seeing the reverse: with the rise of the “Internet of things” (including remotely controlled and administered access control and security camera systems) a remote compromise in a network system can facilitate a complete compromise of your physical security, too.
“In defense of the industry, the Internet was designed to be unbounded. How do you secure something that was designed to be unconstrained? There’s only so much you can do before your employees can’t get anything done because the system is so locked down. Still, with all the stories you read about cities and corporations falling prey to ransomware, it’s really amazing you don’t see more organizations being shut down this way. Indeed, if criminals were well organized and coordinated, they could hold the world ransom.”
In his work, Bernie sees this as a “serious and escalating” threat. As just one example, Bernie has seen a rise in “phishing as a service” (PHaaS). At one time, criminals launching a phishing attack needed some skills. They had to craft the phony emails, spoof their origins, prepare realistically looking log-in pages to fool the target, and so on. With these PHaaS services—of which there are 5,000 or more currently operating—criminals can pay a small fee (as little as $50 to $80 per month), and a talented (if amoral) computer programmer will do all the hard work for them.
Employee Satisfaction and Corporate Security
Another big underrated corporate security measure is employee satisfaction. “Security must be comprehensive,” Bernie notes. And, if ‘see something, say something‘ is your first line of defense, in order to be successful, workers must feel like saying something.
But are most office workers sufficiently engaged to step up and thwart a crime? According to a 2016 study commissioned by the International Interior Design Association (IIDA) and the Business and Institutional Furniture Manufacturers Association (BIFMA), only about half the U.S. office workforce qualified as “highly satisfied”. This same study found that a jaw-dropping 90 percent of US workers would not “always take action to protect the organization from potential problems.”
“According to FBI statistics,” Bernie adds, “70 percent of cyber intrusions are initiated by internal actors. It’s your own people who—for profit, for spite, for revenge—assisting or stewarding or instigating these events.”
These are not the actions of “highly satisfied workers… who willingly give their time to support co-workers, and drive the success of an organization.”
This goes hand-in-hand with employee satisfaction. According to Bernie, the corporate security benefit of a good human resources department is “Underrated. Severely underrated. HR plays a huge role in security. Not only the type of candidates they’re bringing in but the manner in which they screen them, onboard them, train them—and compensate them. Even cybersecurity specialists will tell you, ‘the greatest threat vector in any organization is the people’; they’re the ones who open the doors, they’re the ones who click on the emails.”
Bernie points back to the Mandalay Bay attack. “In fact, the security changes that they’ve since made in order to avert future attacks were all process, policy, and procedure changes. They’ve cost very little to implement. Security isn’t always about technology.”
“Underrated. It’s not sexy. It’s expensive. But, boy oh boy, does it work.”
Think again about that synagogue attack in Germany. This house of worship had recently upgraded their door—and it kept a heavily armed, highly motivated attacker at bay. While he shot the doors over and over again, more than 70 congregants safely sheltered within. They even returned to their prayer service while waiting for law enforcement.
But perhaps most vitally: The door looked like any old door.
“With cameras, you get a lot of cameras, you hang them, it looks like you’re doing something for security. You have that ‘security theater’—which can be important: It does help make people feel safe.”
But the unobtrusiveness of access control can be one of its greatest assets. We know that criminals change their behavior when they see cameras. Sometimes this may deter the crime altogether. At other times, it simply leads to them changing their approach. But when an attacker cannot gain access to your facility—and thus cannot survey the extent of your corporate security measures—they cannot even begin to prepare to defeat them.