Risk
Is a Paper Security Assessment a Risk to Your Company?
About the Author
Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.
He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.
In 2010, a team of thieves hit an Eli Lilly warehouse in Connecticut, stealing $60 million worth of drugs and deftly skirting the warehouse’s security measures, including cameras, the alarm system, and motion detectors.
Three years later, an insurance company sued Eli Lilly’s security provider, ADT Security, and its former parent, Tyco Integrated Security. The allegation? The thieves had gotten hold of a copy of the security assessment ADT had done the month before the heist.
A federal court in Florida found that Tyco and ADT were not responsible for the break-in, but experts remain convinced that the thieves had insider help, not just in the Connecticut heist, but in other warehouse thefts where security countermeasures were avoided or disabled.
Whether or not the thieves used a copy of the security assessment to plan that particular heist, there’s a lesson to be learned from the Eli Lilly break-in: a narrative risk assessment may itself pose risk to your organization.
How a narrative risk report can become a liability
We’ve written about the issues with narrative risk assessments before. Often I’ll visit a potential client and see a paper security report on their shelf. The company might have paid $20,000 to $50,000 for the report, but they also may have never opened it. After the initial presentation from the consultant about the organization's vulnerabilities, the narrative report tends to become a $50,000 paperweight.
This happens for a number of reasons. Maybe the language is too dense, or it’s just difficult to find the correct information. But even if leadership doesn’t want to read the report, you know who would want to? Criminals.
A risk assessment can act as a blueprint for criminals. Everything, from your vulnerabilities to the placement of cameras, and even the square footage of each of your sites, is included in a risk assessment. So is a list of necessary remediations, and an overview of the improvements that have been made. And while digital reports are often behind several layers of security, a narrative report is rarely as well-protected. Some are just sitting out in the open, on a bookshelf.
Concerned about your risk assessment? Talk to an expert.
Why it’s difficult to manage paper reports
There is often a lot of concern about controlling access to digital documents, but document control is often more difficult when it comes to hard copies. Organizations simply don’t think of the availability of certain paper documents. They may not have locked file cabinets, or if they do, the key may be kept nearby. Workers might leave documents lying out in the open, or reports may be displayed.
This is part of the reason we developed our platform. Technology like ours allows for secure login and encryptions, no need to print or email reports to anyone. Instead we offer a secure portal and the ability to share permissions through our system.
This is a much higher level of security than is possible with hard copies, and because we offer the ability to track remediations and compare sites, there’s a better chance that leadership will read it, and thieves will not.
Need a security assessment tool that can quickly and easily compile a report? Schedule your personalized demo today