It’s easy to grow complacent with all the latest technology and techniques in place. Today’s electronic systems do offer the ability to monitor almost anywhere and reliably detect  any incursion. Closed-circuit television,  intrusion detection systems,  biometric access control, and similar technologies can tighten the net around a facility as never before, but no technology is infallible if the on-site personnel and policies and procedures are lacking.

Ironically, some of the elements typically built into a system to bolster alertness, such as the requirement to make regular entries in a log, have an equal potential to be distracting. When is the ideal time to make one’s move on a newly fortified perimeter? Consider those minutes when the eyes and attention of the officers are riveted on the logbook.

Give Away Nothing

After spending a pot of money to upgrade a security operation, too many people don’t give enough thought to keeping it a secret. The less perpetrators know, the more likely they are to make bad decisions.  Additional officers are a common element in a strengthened security program, whether temporary or permanent, but they aren’t as effective if the criminals know they’re present. At some facilities, where security personnel come to work fully clad in their distinctive uniforms, the malefactors need only count how many officers reported for the shift to know what they are up against. By simply having security staff report in civilian clothes, then suiting up on the job, important information is denied the enemy. If one then takes care to quietly replace officers out of sight of the perimeter, even the exact time of shift changes can be kept secret. Think about it: Why make an obvious ceremony out of the changing of the guard which announces to the world an optimum time for creating mayhem? Even the location of the security command center should be kept secret, if possible.  Is  this high-tech? Hardly, but keeping the enemy in the dark is good strategy. It also shows that all the answers aren’t to be found in the laboratory.

“Black Hat” Probes Are a Must

Nothing is as effective for keeping a security operation on its toes as testing its integrity by trying to poke holes in it with penetration exercises. It is often an eye-opener to find out how porous many perimeters, which were thought to be secure, really are. Unless periodic unannounced trials are part of the ongoing security protocols, overconfidence and declining vigilance weaken any system, no matter how expensive or elaborate.

Typically, a group from the local (or adjacent) police department is assigned to play an invader, commonly referred to as “Black Hat” or “Red Cell” operations, and it is imperative that staff or supplementary personnel not recognize them. One cannot get honest reactions during sting activities with known company executives and security officials playing the roles of infiltrators. Strangers must play these parts and  have no rules of fair play. 

In fact, it is the so-called “dirty tricks” which are most instructive about system vulnerabilities. While security personnel are often looking for the midnight, clandestine sting, the most successful operations are often performed in broad daylight. A woman carrying a baby, for example, can often gain access simply by asking, while those seeking entry surreptitiously might meet stiff resistance. The same results can sometimes be achieved by using an elderly person as an infiltrator, particularly if he (or she) has the name of  an employee  and claim they are a son or daughter or grandchild. 

Posing as a vendor to the organization who has urgent business with someone inside is a story that is all too often believed. 

Another amazingly effective ploy is to simply approach a door to a restricted area with one’s arms full. If that person “looks right,” a simple request for help usually induces  a visitor, contractor or staff member to open the door. As many as 90% of “secure” doors can be compromised using this single, simple method. 

A fake pass, which looks to be authentic and may have one or more official looking signatures, also has a high rate of success when it is first exposed to on-site personnel or utilized in a “tailgating” entry exercise. 

The Object Is Education, Not Humiliation

All of the above strategies will work best the first time personnel are exposed to them, and less well as they begin to recognize patterns of deception. This, of course, is the object. Infiltrators must remember that their job is not to simply embarrass security personnel (though a small dose of that can be a powerful motivator), but to elevate their awareness of the potential deviousness of the foe. The object should not be to demonstrate that the invading force can foil them forever. Praise should be applied liberally as the people become more suspicious and harder to dupe.

An extremely useful tactic in these operations is to ask on-site personnel how they might go about defeating the system. It is astonishing how creative staff members can be in finding ways to crack the code, so to speak. Such exercises often reveal hidden intelligence in staff members, earmarking some for immediate, or future, advancement – making internal headlines for security awareness after the headlines.

About the Author: W. Douglas Fitzgerald, CPP, CFE, CSE, Sr. Vice President, Director of Security & Technology at HDR Architecture, Inc., can be reached at 455 South Orange Avenue, Suite 300, Orlando, FL 32801; phone (407)481-9944; or E-mail: wfitzger@hdrinc.com.