I was doing an assessment at a chemical facility. It was just me and two other people, and we were on our own. An employee saw us snooping around and approached us. “Can I help you?” he asked. We told him we were conducting a risk assessment for his company. Instead of taking our word for it, he called the main office to verify that we were legitimate.
That was exactly what he should have done. But that’s not what happens at many companies. Chances are, your organization is either complacent or paranoid when it comes to risk and security. Both are dangerous. Here’s why.
An overwhelming majority of security problems happen because of good old-fashioned human error. Whether it’s laziness, ignorance, or denial, someone made a bad decision and your organization has just become compromised.
Probably the biggest human error is simply believing, “It’ll never happen to us.” Others realize that one day an event will happen, but they’re willing to assume the risk.
Often, corporate culture is a greenhouse for complacency. Security is deprioritized, or leadership takes a casual approach to it. Trust is placed so highly as a corporate value that safety and security are seen to compromise the mission of the company.
Hospitals tend to be among the most complacent organizations. A hospital is an open facility. You want patients to get healthy. You want them to see visitors. But hospitals also deal with a population of individuals who are mentally sick or desperate. And family members are sometimes desperate, because they’re helpless to do anything. Patients and visitors bring in their dramas from outside—for example, parents in a custody battle whose child is hospitalized.
How are each of these scenarios likely to play out? Often, nothing happens. But sometimes, it does happen. And the hospital needs to be ready for it, or people will get hurt.
The solution to complacency isn’t paranoia—but that’s what often happens. A shocking incident occurs to someone else—a bombing at a school, or a gunman at a church—and suddenly every similar organization thinks it’s going to happen to them. And they go too far in their response to a perceived threat.
That’s how the TSA began. When the TSA started, it became incredibly hard to do business as usual. Everybody was a suspected terrorist. Even children were suspects. Everything was a threat—including pens and nail clippers. A color-coded threat alert system was devised, but the Department of Homeland Security ditched it for another system, because it was always at red.
Paranoia has one good effect: it gets people to act. But it feeds on fear, and that leaves you vulnerable in other ways:
- Overspending on unnecessary protocols
- Reducing your productivity due to heavy-handed procedures
- Alienating your stakeholders or injuring the innocent
- Blinding yourself to real threats while focusing on imagined ones
Paranoia is seductive because it creates an illusion of security. Sadly, many security consultants capitalize on fear to win customers. Watch out for that tactic—they’re selling solutions you don’t actually need.
One final word on paranoia. Many companies that buy into a paranoid view of security tend to have a heavy-handed, distrusting culture to begin with. It often starts at the top and trickles down through management. Every employee is a potential thief or potential leak.
The irony is that this kind of atmosphere is actually likely to increase the number of incidents, like a self-fulfilling prophecy. Your employees become resentful, and they find minor ways of acting out in response. They’re more likely to steal small items, because they feel the need to “stick it to the Man.”
The best security plans are the ones that don’t need to change when something happens. When 9/11 happened, I was at a pharmaceutical company. They thought, “We could be next. We’re on the list.” So they increased their guard posts—more security, more people, and more precautions. For about a month they tripled the guard services.
But a good security plan already has the right people in the right place all the time. There should never be a need for an increase (or a decrease) in security.
One of the best security programs I’ve seen is a manufacturer of a military vaccine. They understand that they’re high risk for potential attack. They do everything you can imagine to ensure their security.
- They have a bomb-sniffing dog when you come in through the front gate.
- They use mirrors that go under your car to make sure there’s nothing underneath your car.
- All the guards are armed.
- There’s proper lighting.
- There’s a large fence with razor wiring.
- There’s an anchor-based barrier to prevent trucks from driving through the front gate.
That’s not paranoia, that’s realism. They’ve identified that there’s a credible threat to their organization from a risk-based perspective.
How to Do It Right
When it comes down to it, there are three things you need to have in place to make sure you create a culture of risk realism, instead of complacency or paranoia.
Hiring is a critical practice, but many companies approach it with no deliberate strategy at all. Hire for:
- Character. Only hire responsible, proactive, conscientious people who will invest themselves into the well-being of your company. Never settle for uninterested individuals who can’t think beyond their job description.
- Teachability. If your employees aren’t teachable, you’ll run into a wide range of human error all the time. One day, it’ll bite your company in the butt.
- Solid background. Many companies hesitate to do a criminal background check or conduct drug testing. Do your due diligence. Check references and vet your candidates thoroughly.
Train every employee to know that it’s their duty to respond, notify, or observe events that happen—to be more aware. If they spot something suspicious, they should report it. If they see some people walking around where they don’t belong, they should call security and double-check.
Every employee is part of your company’s security team.
People tend to abdicate their responsibilities because they rely on technology to do it for them. They know there’s a camera in the corner, so they assume someone is monitoring the lobby. But that’s not how security cameras work—they’re retrospective. No one can afford to be complacent because of technology.
The electronic access control panel on your front door won’t stop anybody who’s serious about getting in. It takes trained employees to make the system work.
Want to get the best training in security? Check out our new partner, Ataata. They provide score-based risk assessment for information security, based on human error. They’ll help train your employees what not to do.
Schools do tornado and fire drills. Flight attendants run through emergency procedures on every flight before takeoff. When something happens, you don’t want an unprepared person clogging things up and making a mess.
It’s not good enough just to have a plan; you have to test your plan. You have to know that it actually works. Just because you have it on paper doesn’t mean it’ll work. You need to test it to evaluate it and understand it. Make adjustments, test again, repeat.
Reorient Your Corporate Culture for Risk
Neither complacency nor paranoia will keep your company or your people safe. Blind faith and blind suspicion are both blind. Instead, take the steps you need to create a culture of risk realism. Acknowledge the risks that really are there, without giving in to fear. Plan, prepare, and practice until you have a system in place that’s appropriate for your company.
Need help evaluating your company’s risk and vulnerability? See how Circadian Risk can help.