Technology offers as many risks as benefits for the physical security industry, as David Ward of Ward Security explains.
Technology promises many things when it arrives, but more often than not real world application and the way people interact with technology comes as a surprise, and inevitably has a bearing on the future direction of that particular technology.
The classic example is the explosion of SMS (text) messaging on mobile phones. When the service first launched in the early 1990s, phone carriers offered it as a free service underestimating its inevitable popularity. As soon as it became obvious how popular this quirky function was becoming, they wasted no time in monetising it. The explosion in text messaging was of course the driver that reversed the trend for mobile phones to get ever smaller. Screens needed to be bigger to accommodate text messaging, and on the back of steadily enlarging screens rode further applications that led us to the huge screens we have today. The real world application dictated the direction of the technology.
The great challenge of any technology is understanding how users will interact with it and how it will evolve. This is particularly the case when introducing technology into the commercial operational arena. It is ultimately foolhardy for a business to introduce a technology into the operational environment based only on the vision of the developers and their expectation of how it can and will be used by people (your employees). The reality is often very different and technology ‘in the wild’ can present unforeseen problems and risks for all businesses, not least security suppliers.
This of course has been the great challenge of Bring Your Own Device (BYOD). Now widely accepted, BYOD is great as a concept – employees are comfortable using their own devices in the work place, and this in turn does away with the considerable capital expenditure for the business of providing hardware to their workforce. When you consider the cost of smartphones, tablets and laptops, what’s not to like?
Of course the reality is a great deal more problematic. Without having control over employees’ mobile phones, tablets and laptops, businesses initially lost control over their own data security. And thus an entire industry was born to address the issue.
The risks to the organisation are widely recognised. Loss or theft of the device is the obvious risk, especially if the owner has not put adequate locks and safeguards in place, but there is also the risk of the device owner falling prey to a targeted attack where they perhaps unwittingly install spyware or malware through visiting a malicious website, opening an infected email, or even downloading an app that contains malware.
The social benefits and risks of own use device in security guarding
It is important to recognise that the issue of risk extends beyond the widely recognised concerns about network and data security, and not enough attention is paid to the issue of reputational risk posed by own use device.
Using physical security as an example; most, if not all security guards carry their own smartphones. They can be an essential tool in delivering effective security, especially if a management or communications app has been installed, or if the security company uses a cloud solution (Software as a Service) for management of staff and guarding contracts. At the same time it is only reasonable to expect the guard to also use the device for personal use, be it communicating with family and friends or social media. Access to social media can make a long guarding shift more bearable, but herein lies the risk.
A throwaway comment on Facebook could reveal operational details that could prove invaluable to criminals. Also, ill-considered comments can also cast both the security company and the client organisation in a bad light.
There is also the risk posed by well-meaning, but ill-judged use of mobile technology and social media as part of the service delivery. An example might be where a guard is tempted to post a picture of suspects on social media. The intention may have been good, but such an action carries a number of legal and operational risks, not least being the risk that the people pictured are innocent of any wrongdoing. Any resulting legal action not only damages the reputation of the guarding company, but also the client organisation.
It is therefore crucial for security companies to have in place strict guidelines governing not only the use of own devices, but also governing how social media is used in relation to work and in the workplace.
Corporate guidelines governing social media in the workplace are commonplace. Too many organisations have learned the hard way that comments on social media, whether justified or not, can impact on the corporate reputation, including how the company is viewed as an employer and its working environment. Too many have also learned the hard way that ill-judged or amateur PR messages on behalf of the organisation can cause problems and damage reputation, which is why so many organisations entrust their social media communications to experts.
However, within the physical security industry these risks are magnified. Corporate and client reputation is just a part of the picture, and it is important to fully understand the operational risks. To borrow a well-recognised World War II slogan ‘Careless talk costs lives’. It is not inconceivable that a throwaway comment on social media could provide the key piece of information that allows a terrorist to plan an attack. It may sound dramatic, but these are the issues that security guards need to understand and avoid if they are to continue using their own devices and social media in the workplace.
Off the shelf applications
As the internet and mobile technology has become ubiquitous, so the number of cloud-based applications has grown. Online management tools abound and this has largely done away with the need for extremely costly bespoke application development. There was a time when an organisation would need to engage the services of programmers and developers to produce the functionality they dreamed of. The same applied to marketing tools such as websites. But where once you would need to employ a web designer, today you can manage the development of a website using services such as WordPress or SiteBuilder for a fraction of the cost. The technology has moved on and now most business-critical management and marketing functions can be handled by popular web-based tools.
However, businesses still need to consider their own security when using ‘off-the-shelf’ applications. Do they provide the levels of data security that a bespoke app would provide? The organisations that provide these services will themselves be high value targets for cyber criminals, so they need to be able to reassure their users that their security, and your security by extension, is more than adequate. If it is not there will be a significant risk of devastating data loss and business interruption – something that few security suppliers could survive unscathed. Imagine if one of these online suppliers were to be hacked and details of all your security contracts were stolen. The risks to your clients would be significant, as would the risk to your own reputation as their security supplier.
Equally, security companies need to be vigilant as to who has access to business critical applications, and to what levels employees have access. This would seem to be obvious, yet all businesses should regularly audit their procedures in this regard. Just because an application is off-the-shelf does not mean you should allow the default settings to stay in place that all other users receive when they sign up.
Technology has revolutionised the physical security industry, and will continue to do so. The tools of the modern security supplier, from CCTV and remote monitoring, to communications and management, have helped us all do a better job for our clients. But as an industry we must remain vigilant in understanding the vulnerabilities new technologies bring with them. These vulnerabilities will be as much social as they are technical. Fortunately, you don’t need to be a technical expert to understand the social vulnerabilities.