The 9 Worst Practices for Threat and Vulnerability Assessments

They say the best way to succeed is to learn from your mistakes. But I think the best way to succeed is to learn from other people’s mistakes! If you’re constantly looking for new ways to improve your threat and vulnerability assessments, here are some big mistakes other consultants have made that you can learn from. These are the nine most common “worst practices” I see security consultants doing when they conduct risk assessments.

1) Be Intrusive

Clients hate wasting their time, and anytime you go onsite it’s an intrusive event. You’re there to understand everything you can—but how do you get that information? If you’re doing a face-to-face interview, you’re asking your client to set aside a major portion of their time to answer 50 or 100 questions—or even hundreds of questions.

Years ago, we had a project for the VA that required us to use a guideline called the Physical Security Design Manual. It was a large document that was basically just a compliance list. We turned those guidelines into assessments, and it resulted in 807 questions! It was a huge assessment, and more than half of the questions had to be asked, because they couldn’t be observed in an assessment. Imagine how long a face-to-face interview would have been.

We didn’t want to waste the client’s time, so we found a better solution than face-to-face interviews. Instead, we sent the questions in advance by putting them in an online portal. This allowed the client to bite off small chunks a bit at a time, on their own time. They were also able to assign the right people to answer the questions. It also reduced our time onsite and allowed us to focus our visit on the visible inspection itself. The client completed the survey ahead of our inspection, and we used that information to prepare more thoroughly for the assessment.

Do whatever you can to minimize interruptions that take your customers away from their business. Every minute they have to spend assisting you is more time away from the work that sustains their company.

Handpicked related content: How to Deliver the Quickest Vulnerability Assessments in the Industry

2) Skip the Game Plan

I’ve seen security consultants do interviews without a set questionnaire. They start by asking about the company, then go down rabbit trails with follow-up questions. They miss important details and forget to ask important questions. It’s important to follow up on incidents or concerns, but you need to have a plan.

Others use questionnaires that aren’t tailored to the client’s particular industry. Not all industries, sectors, or geographical locations are the same. For example, an elementary school in California will be different from an elementary school in Michigan. You should address earthquakes instead of tornadoes. If you’re not identifying the specific nuances within each individual placement, you’ll create a huge problem.

Many consultants don’t have a defined process—they just wing it. That creates a lack of standardization, and it’s one of the risk and vulnerability industry’s greatest problems. Because nothing is standardized, details fall through the cracks, and there’s no guarantee that your assessment delivers any value.

Always have a game plan. Tailor your questions ahead of time to the specific context of your client, and be sure to use the same process for all your assessments.

3) Do All Your Assessments at the Same Time of Day

When is the best time to conduct an inspection for a risk assessment? At the start or end of the workday? At noon? Evening? Dead of night? Yes!

Conditions change during the day. You’ll spot different risks at peak times than when the building is empty. Lighting changes will reveal different issues. The quiet hours will spotlight things you won’t see during the busiest times.

Don’t settle for a one-and-done site visit. Your client needs a 360-degree risk assessment that reveals all of their issues. Their facility has risks and vulnerabilities 24/7, not just during work hours.

4) Make Assumptions

We were inspecting a VA hospital and checked an external fire escape. We could tell that each door had an external lock, but we decided to physically check each of the doors from the outside to be sure the locks were working.

It was a six-floor hospital, and the first five fire-escape doors were locked. But the sixth one, on the top floor, was unlocked. It happened to exit from the executive conference room, and the head of the hospital was in the middle of a meeting when we discovered the problem.

If we had been a disgruntled employee, or an angry family member of a patient, that hospital could have had a serious issue on their hands.

Just because a door has a lock, that doesn’t mean it’s always locked. Never assume anything. Always ask. Check every door.

5) Regurgitate Information

Clients hate being told what they already know. With a passion. They’re paying you by the hour to write informative reports that give them deeper insight into their business and facilities. The worst thing a security consultant can do is to charge a client for a report they could have written themselves for free.

Your reports should be insightful, actionable, and professional-looking. Use good branding, and make sure it doesn’t look like you’re using a Microsoft Word template. Anything that appears generic or cheap will be a sign that you don’t have good business experience.

Handpicked related content: Top Things Your Physical Risk Assessment Customers Wish You Were Doing

6) Send Reports by Email

Email is never invulnerable to attack. Anything you send by email could be hacked. Whether it’s an image, a PDF attachment, or the body of your email itself, it could get intercepted. Never send private information by email.

Don’t even use an unsecure computer to write the report. If you take notes on paper, be sure to secure them so they’re not lost, stolen, or seen by the wrong people. Create reports from your office or the client’s site—don’t go to a public copy center.

The best way to keep your client’s data safe is to store electronic data on a secure cloud server.

7) Don’t Test the Systems

Test everything. Just because a system is in place, that doesn’t mean it’s working. We look at so many different aspects regularly, it’s easy to just ignore things. We become complacent. But every system needs to be tested whenever possible.

We did some testing for a hospital’s HUGS system. HUGS is an infant abduction prevention system, where a bracelet is placed around a baby’s ankle. If the tag falls off the baby, loses its signal, breaks, or enters certain areas on the premises, security doors lock magnetically to prevent an abduction.

The hospital had just implemented the system, and they wanted to be sure that it was as safe as they expected it to be.

To test the system, we set up a scenario where a baby doll was placed in a patient room on a specific date. The staff was given the date of the test. The “assailant” had no security background or training. She wasn’t given any special privileges to the facility or special information. Her goal was to kidnap the doll from the nursery and get out of the building and off campus.

The assailant conducted surveillance of the hospital for a week. She identified the exits, security systems, and her strategy. On the date of the scenario, she successfully gained access to the room, picked up the baby doll, exited the building, and drove away with the doll. The HUGS system worked as designed, but a flaw was identified. Without the test, the hospital would never have known—until it was too late.

As security consultants, we need to have permission to test things out. That might mean gaining access to restricted departments or being onsite during restricted times.

8) Go Alone

We never send one consultant to do an inspection. Always send a pair of consultants, for a few reasons:

• Two pairs of eyes are better than one. It’s easy to miss details, no matter how much experience you have. A second consultant will always see something you won’t.
• It covers your butt. If you see something that’s dangerous or illegal, it’s a lot harder for the client to deny it if there’s another witness.
• The work goes quicker. When two people share the load, you can get more done in less time. We recommend pairing a senior and a junior consultant. This way the junior can work to document issues, while the senior works with the client and provide information. This will also teach the next generation, like an apprenticeship.

Always do your inspections in pairs.

9) Believe the Client

Most of the time, people want you to know the truth. They want to know about the problems they have at their company, and they want to practice continual improvement. But there’s also a fear of losing their jobs. Employees will want to protect themselves, avoid getting in trouble, and cover up bad practices.

It’s tempting to take their word for it, but their word isn’t always trustworthy. Assume that people will lie to you, and get visual confirmation anytime you can—even if it’s inconvenient.

Want more great content to help you succeed in your consulting business? Subscribe to our blog!