Kris Polly: What should water agencies be mindful of when thinking of the security of their facilities?
Phil Ball: Generally, you will be dealing with two human factors: the people inside your site and the people visiting your site. Just as in a school, you want to have a single point of entry; buildings with multiple points of entry are very hard to defend and control. Having a single point of entry allows you to control the flow of people. Active shooters, for instance, generally plan to gain access to a large group of people. Preventing them from doing this frequently deters them.
It is also a good idea to screen the people coming into the building. If there is a problem, the receptionist should be able to press one button and use the intercom system to notify those in the building. That allows people to lock the doors, turn off the lights, and silence their phones.
A lot of law-enforcement and government agencies have a difficult time screening potential employees. They are tempted to lower their standards in order to fill empty positions. But inviting a bad employee into your operation could end up being a negative thing for the rest of your employees and your operation as a whole. Once you have a problem employee, you have to document his or her problems, especially anger-management issues, and deal with potential lawsuits. The best indicator of future behavior is past behavior. There needs to be strict limitations on what you permit. The shooter who killed several people at the Navy Yard
in Washington, DC, had arrests and violent offenses that were overlooked during his background screening. Imagine the liability that that company now faces because of a poor background investigation.
If a police officer has one conviction for domestic violence, his or her firearm is taken away and he or she can never be a police officer again. You do not want someone with an anger-management issue having access to deadly force. In a water district, you do not want someone with an anger-management issue having access to your other employees; you have a fiduciary responsibility to protect them. If you disregard that and hire a person like that anyway, you own that liability.
Another thing to be aware of is cybersecurity, which right now is a greater threat than active shooters. Cyberattacks on utilities and water agencies are a growing problem. I am working with a sister company with a potential merger ahead, and we have realized that to cover our water district clients, we need to protect not only their physical security but also their information. Placing limitations on what people can download and put on their computers is critical. It may be fun to play a little game on the computer over your lunch hour, but malware items can be embedded in innocent-looking games. I have actually been at a location where an information attack came through a game.
The attacker was not looking for information on customers—he or she was actually looking for the floor plan and the emergency response plan for the facility. I was standing with the IT technician as the attack was happening, and he asked me why the attacker was looking for these specific things. I told him that if someone were planning an assault on a government facility, this information would be extremely valuable. That caused a shutdown of the site’s mainframe, and we ended up having to wipe everything. That was a really frightening experience for the IT technician and the other employees of the facility.
You need to be situationally aware of threats to prevent them; that is why my company is called the Situational Awareness Institute. It is critical to be aware of threats and to have a contingency plan to prevent and deter them and limit their effects should they occur, be they physical, cyber, or financial. If you hire someone like me who deals with bad people, we can tell you what vulnerabilities they are looking for and secure them so that they will move on to easier targets.
Kris Polly: Would you please talk about the importance of having a panic button and an immediate response to threats? Also, how should agencies coordinate with local law enforcement?
Phil Ball: That is an interesting question. The FBI is now recommending that agencies invite local law enforcement into their buildings before there is a problem so that they can see their layout. We have seen local law-enforcement agencies go to government facilities for meet-and-greets and tours. From then on, the guys who are going to respond will know the layout of the facility. That will help them get to you and help you in an emergency situation.
I cannot tell you how many government and private businesses have very expensive phone systems but don’t know how to use them. If you ask an employee how to press one or two buttons and page the entire building, most of the time he or she can’t. Often, he or she says that there is one specific person in the office who knows how. Everyone in the office should know how to do things like that. As we like to say on the firing range, everyone is a security officer; everyone’s eyes and ears are valuable; and if there is a problem, everyone needs to know how to address the problem or alert others.
Training employees on the indicators of possible violence is important. Different employees will have different ideas about what constitutes a threat based on their own subjective experiences and judgment. We want to put empirical data in front of them and establish a clear threshold for reporting potential threats. That can allow management to make decisions on whether law enforcement needs to be involved. You have to establish clear policies for your employees that state that if someone comes in and does specific things, the employees need to report it, no questions asked.
As for panic buttons, I would suggest the Solo Protect, which is a device that can be issued to each employee. It has GPS tracking, and wherever the employee is, if he or she feels threatened, he or she can touch a button on the back of the device and call for help. The device looks like an identification card. The device opens a two-way communication link so that other coworkers can hear everything that is going on and assess whether the employee needs help. You can train employees to give code words that can act as signals for help while not alerting the potential threat that he or she is being monitored.
Kris Polly: It is essential that every agency have a security plan in place. Would you please tell our readers about the basic elements of a security plan?
Phil Ball: The basic elements are building security and having a way to identify and monitor personal behaviors. There is a legal concept called respondeat superior, which means that an employer is responsible for everything that an employee does. A security plan involves making sure that
employees know where all the exits are and know the most up-to-date emergency numbers for local first-response agencies. Another part of the security plan is making sure that you have correctly functioning fire alarms and smoke detectors. You also need functioning fire extinguishers that are available to employees. A lot of people do not know this, but a fire extinguisher is a good self-defense weapon. We offer a course on how to use a fire extinguisher for that purpose in extreme situations. Making sure that all your employees are on the same plan and making sure that everyone is on the same page will make things go much more smoothly should a problem arise. We have worked with several agencies that require their employees to know the security plan; they can face consequences if they do not.
Kris Polly: Would you tell our readers about the importance of video surveillance and of having a visible monitor that displays surveillance footage?
Phil Ball: I have some customers with high-resolution surveillance all over their facilities, but no monitor displaying that fact for everyone to see. I would always suggest installing a monitor displaying a high-resolution feed of all of the cameras’ footage so that people see it as soon as they come in. You also want to post some verbiage suggesting that there are other cameras in the building not visible on the monitor, so that no one attempts use the monitor to circumvent the camera system. Bad guys are always plotting to circumvent your system, so sometimes you need to do a little psychological operation to keep them guessing. There is no way to prevent crime, but you can displace it by eliminating as many vulnerabilities as possible. A monitor that people see as soon as they walk into a building is an excellent deterrent.
Kris Polly: If an agency is concerned about its security, what is the first thing it should do?
Phil Ball: The first thing to do is to make a plan and have a professional assessment of security risks and needs. The assessment can provide a list of existing vulnerabilities and suggestions to reduce risk and increase security, organized in a tiered fashion according to severity.
Kris Polly: When an agency contracts a security professional to do an assessment, what key elements need to be addressed?
Phil Ball: What we have done in the past, whether we are working with a water district or a casino, is to sit down and
read every page of an agency’s security policies. That is one thing that most security assessments do not do. We read the policy manual and make specific recommendations on how to tighten it up. I can’t tell you how big a vulnerability it is to have people using policies and procedures that expose them to legal liability and physical danger.
Looking at the physical site is important, but so is looking at the physical behaviors of the employees. Sometimes certain behaviors have become institutionalized despite never having been approved. One thing that comes to mind are workplaces where everyone carries big lock-blade knives. There should be some type of safety training for that; otherwise, it is deliberate indifference and becomes a huge liability for the company.
The security assessment should also look at crime prevention through environmental-design recommendations for the physical building that will deter criminals, lower liability, and help contain an incident if it does occur. The security professional should also make recommendations on the equipment that you are issuing to employees.
Kris Polly: Is training part of this equation?
Phil Ball: Most definitely. This is a perishable skill for employees, just like playing a musical instrument. You want to have trainings on a regular basis so that you can keep security at the top of your employees’ minds. We find that when people who have not been trained well are under extreme stress, they will go into fight-or-flight mode, which greatly diminishes their executive-thinking skills. You want what you learned in training to become instinctual. If an employee has to stop and think or find a list of procedures, that greatly increases risk. I was on a crime scene a couple of months ago where a life was lost. When I asked what the agency’s training was for this situation, I was told that they had had training on this issue, but that it had last happened years ago. You can either invest money in competent training, or you can invest a lot of money in litigation insurance. We have tracked information on this matter and found that after about 16 months have passed since the last training session, liability exceeds the amount of money that another training session would cost.