To continue our discussion about a full-spectrum approach to security, and as a follow-up to our post on Physical Security, we wanted to discuss elements of Personal Security. This will complete the three pillars, if you will, of security – information, physical and personal – and provide a more encompassing assessment of your security posture.
So what is Personal Security? It can be about your own self and the security measures you apply to protect yourself. It can also be about your company’s emphasis on security-related matters that pertain to an individual. And it can be a combination of the two. Because we are focusing on a full assessment, we want to look at the combination.
What this will not be about is hiring a personal security element to protect you in hostile or dangerous areas. If you have this need, there are probably other places to look. And if you are traveling anywhere in the world or living overseas, you should consult these Travel Tips from the State Department. We will certainly incorporate some of the principles of this, but this will not be our focus in this post.
What you should see is that some personal security areas of consideration blend perfectly into physical security and information security.
We don’t want you to walk away from this post thinking that you should be suspicious of your employees or co-workers. What we do want is for you to become alert to and aware of behavior that could lead to a threat to your organization. At the end of the day, we want your business to have the discussion and make the determination for itself. And along the way we hope you incorporate some of these suggestions to make your overall security program effective.
As a business or a SOHO, here are some areas to think about:
- What is the crime rate in your area? Are you putting your employees in danger with the workplace location?
- What is the response time of law enforcement or fire and rescue departments? If something does happen in your location, how long will it take for them to reach you? If it’s outside your comfort zone, then you may need to consider alternate plans such as hiring a security guard.
- Do you employ cameras to observe your workplace? Do they record and save? If you have a theft after hours, how can you protect individuals’ personal property left at the office? How do you protect your business?
For another element of personal security, let’s look at your actual employees. Do you do any type of background reviews or assessments of potential applicants and current employees?
- Do you review social media profiles? Sure, you want to look for inappropriate behavior patterns, but are you also looking at them for what they say about work? Are they potential victims of a social engineering or phishing attempt? We know hackers review social media too. Do they talk about the office and give away information that might highlight a vulnerability?
- How closely do you scrutinize previous employment? Why did they leave? How do you verify that? This is not just to learn what type of employee they were, but also to begin to identify a possible Insider Threat. Maybe they were asked to get a job with your company? How can you find out?
- What type of desk do they keep? This can tie into your physical security inspections and ensure that they are maintaining a good security posture.
- What type of security-related training do your employees have in their current position? What type of training do potential applicants have when applying for the position? This can help you identify your gaps in training and plan training events.
- What are your employees doing online? Yes, this is where information and network security blend in with personal and physical security. How are you monitoring what they download? How are you monitoring/blocking their access to certain information?
- How often do you interact with your employees or co-workers? For a malicious Insider Threat, there is usually an event in their life that makes them become a bad actor. Sometimes it’s a financial issue, maybe there is an ethical or moral dilemma they are facing at home and at work, or perhaps they were approached by someone. Not everyone is going to share personal information, but regular engagement with your employees or co-workers can at least help identify a change in behavior and prompt some follow-up. And follow-up doesn’t have to be an interrogation. By knowing your employees or co-workers, you can see a change and express genuine interest or empathy. And this might be the difference between a good employee and a threat.