Ethics is a particularly important subject in an industry such as fire and security because the result of unethical actions might make the difference in life and death. For example, if an employee acts unethically when servicing a fire extinguisher, the result could be to burn down the building.

Although ethics is not a common topic of discussion in the fire and security industry, perhaps it should be. Chubb Fire and Security is a company that provides an example of how an emphasis on ethics can benefit a company, their employees, their customers and the whole world.

Fire safety and security risks

The fire and security industry is different than others because lives and people’s safety are on the line,” says Harv Dulay, Director of Ethics and Compliance at Chubb Fire and Security. “Our purpose is to protect clients from fire safety and security risks. This is a business where no one should take short cuts. It is important to do the right thing all the time, every time, and it’s about protecting lives and property.”

At Chubb, we have a code of ethics, our ‘bible,’ that is issued to employees when they start"

At Chubb, we have a code of ethics, our ‘bible,’ that is issued to employees when they start,” says Dulay. “Within the bible are core fundamental rules about what’s acceptable and not acceptable. We lay it out for employees very specifically. They understand and embrace the code of ethics, which is based on trust, integrity, respect, innovation and excellence.”

If you get those right, the business moves in the right direction. A key piece of our ethics policy is based on trust. We relate to others with openness, transparency, and empathy. It makes Chubb a better place to work and enables us to provide better service to customers.”

Fire audit

For Chubb, ethics is not just theoretical, but ethical concepts play out every day in practical ways. An example might be an engineer who goes to a customer’s site and is asked to do a task that is outside his or her duties and/or not allowed under the ethics policy. The pressure might be even greater if the employee is struggling to meet a sales figure. The code of ethics addresses specific situations and outlines the behavior that is expected.

In another example, a customer asked a Chubb technician to forge a certificate saying the customer had previously passed a fire audit in order to validate his previous year’s insurance. Showing ethical integrity, the technician was able to cite the company’s Code of Ethics and refuse to do it. The technician also reported the situation to his Ethics and Compliance Officer. Customers benefit, too.

Delivering ethics excellence

It’s a message heard from the top down, from everyone in the company"

One of Chubb’s sales associates immediately reporting a situation in which all the tenders and competitors’ prices were visible as they prepared a tender for upload to a customer portal. Not only did the sales associate deliver ethics excellence by reporting the issue, he also helped a grateful customer who thereby avoided anti-trust issues, says Dulay.

Ethics is not just a current issue,” says Dulay. “It’s embedded in our values and has been since the beginning. Ethics is making sure people do the right things.” Ethics is integrated into the Chubb business model, and everyone knows what is expected of them. “It’s a message heard from the top down, from everyone in the company.”

On-Line training modules

Ethics discussions begin for employees at Chubb when they join the company; clear instructions about ethics are included as part of employee induction. There are nine modules of ethics training during employee orientation, and a discussion with an Ethics and Compliance Officer is part of the onboarding process.

The training program includes information about ethics, company expectations around ethics, where to go for questions about ethical issues, and details of the anonymous ombudsman program. Additionally, field staff are trained by their supervisors via regular face-to-face ethics toolbox talks. Office staff complete a series of on-line ethics training modules regularly. A series of supervisor-led trainings encourage managers to deliver face-to-face ethics training to their team, citing real-life examples. Healthy discussions are encouraged to deal with any ‘gray areas.’

Worldwide implementation of data security

Some 14,000 employees globally have multiple options when it comes to reporting an issue

Dulay estimates that ethics and compliance officers spend about half their time answering questions and clarifying for employees what’s expected in the code of ethics. Some 14,000 employees globally have multiple options when it comes to reporting an issue, and there are full-time Ethics and Compliances Officers in every country where Chubb does business.

A reflection of Chubb’s global approach to compliance is their worldwide implementation of data security requirements of Europe’s General Data Protection Regulation (GDPR); the company saw the benefits of the program for any jurisdiction. Training and education are part of Chubb’s investment in ethics. For example, a recent module on ‘respect in the workplace’ covered the need to create a company culture in which everyone feels respected. “Training and continuous communication are embedded in the organization,” says Dulay.

Managing potential conflicts proactively

We invest in the process,” says Dulay. “We have had employees who left the company and then come back. They realized the importance of ethics and rejoined us. We start with the foundation that we would rather lose business than give up our ethical standards,” says Dulay.

Some business is not worth getting if you don’t adhere to your values"

We won’t abandon our policies even if there is money at stake. Some business is not worth getting if you don’t adhere to your values. We manage potential conflicts proactively by creating and instituting methods in which employees have access to tools they can use to be successful and adaptable in times of change,” says Dulay. “Also, we will not tolerate retaliation against any employee who reports wrongdoing – regardless of the outcome of the investigation.”

Forming good ethics behavior

And while there is no specific monetary value assigned to good ethical practices, success can be measured. “We measure it by people’s conduct, the number of cases we have, and awareness,” says Dulay. “It’s good for employee morale, and it’s good for customers and our business. It’s not measurable, but it is fundamental for business and customers.”

The work we do as a company can impact people’s lives so it is important that everyone has an understanding of the importance of their role,” says Dulay. A common misconception about ethics is: “If no one is watching, it must be ok.” However, Dulay says it is the things employees do when no one is watching or checking in on them that form good ethics behavior. During training, Chubb emphasizes that ethics is about doing the right thing, all the time even if no one is watching.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Larry Anderson Editor, SecurityInformed.com & SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SecurityInformed.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SecurityInformed's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.

In case you missed it

Water Plant Attack Emphasizes Cyber’s Impact On Physical Security
Water Plant Attack Emphasizes Cyber’s Impact On Physical Security

At an Oldsmar, Fla., water treatment facility on Feb. 5, an operator watched a computer screen as someone remotely accessed the system monitoring the water supply and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. The chemical, also known as lye, is used in small concentrations to control acidity in the water. In larger concentrations, the compound is poisonous – the same corrosive chemical used to eat away at clogged drains. The impact of cybersecurity attacks The incident is the latest example of how cybersecurity attacks can translate into real-world, physical security consequences – even deadly ones.Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years. The computer system was set up to allow remote access only to authorized users. The source of the unauthorized access is unknown. However, the attacker was only in the system for 3 to 5 minutes, and an operator corrected the concentration back to 100 parts per million soon after. It would have taken a day or more for contaminated water to enter the system. In the end, the city’s water supply was not affected. There were other safeguards in place that would have prevented contaminated water from entering the city’s water supply, which serves around 15,000 residents. The remote access used for the attack was disabled pending an investigation by the FBI, Secret Service and Pinellas County Sheriff’s Office. On Feb. 2, a compilation of breached usernames and passwords, known as COMB for “Compilation of Many Breaches,” was leaked online. COMB contains 3.2 billion unique email/password pairs. It was later discovered that the breach included the credentials for the Oldsmar water plant. Water plant attacks feared for years Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years. Florida’s Sen. Marco Rubio tweeted that the attempt to poison the water supply should be treated as a “matter of national security.” “The incident at the Oldsmar water treatment plant is a reminder that our nation’s critical infrastructure is continually at risk; not only from nation-state attackers, but also from malicious actors with unknown motives and goals,” comments Mieng Lim, VP of Product Management at Digital Defense Inc., a provider of vulnerability management and threat assessment solutions.The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organizations bring systems online “Our dependency on critical infrastructure – power grids, utilities, water supplies, communications, financial services, emergency services, etc. – on a daily basis emphasizes the need to ensure the systems are defended against any adversary,” Mieng Lim adds. “Proactive security measures are crucial to safeguard critical infrastructure systems when perimeter defenses have been compromised or circumvented. We have to get back to the basics – re-evaluate and rebuild security protections from the ground up.” "This event reinforces the increasing need to authenticate not only users, but the devices and machine identities that are authorized to connect to an organization's network,” adds Chris Hickman, Chief Security Officer at digital identity security vendor Keyfactor. “If your only line of protection is user authentication, it will be compromised. It's not necessarily about who connects to the system, but what that user can access once they're inside. "If the network could have authenticated the validity of the device connecting to the network, the connection would have failed because hackers rarely have possession of authorized devices. This and other cases of hijacked user credentials can be limited or mitigated if devices are issued strong, crypto-derived, unique credentials like a digital certificate. In this case, it looks like the network had trust in the user credential but not in the validity of the device itself. Unfortunately, this kind of scenario is what can happen when zero trust is your end state, not your beginning point." “The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organizations bring systems online for the first time as part of digital transformation projects,” says Gareth Williams, Vice President - Secure Communications & Information Systems, Thales UK. “While the move towards greater automation and connected switches and control systems brings unprecedented opportunities, it is not without risk, as anything that is brought online immediately becomes a target to be hacked.” Operational technology to mitigate attacks Williams advises organizations to approach Operational Technology as its own entity and put in place procedures that mitigate against the impact of an attack that could ultimately cost lives. This means understanding what is connected, who has access to it and what else might be at risk should that system be compromised, he says. “Once that is established, they can secure access through protocols like access management and fail-safe systems.”  “The cyberattack against the water supply in Oldsmar should come as a wakeup call,” says Saryu Nayyar, CEO, Gurucul.  “Cybersecurity professionals have been talking about infrastructure vulnerabilities for years, detailing the potential for attacks like this, and this is a near perfect example of what we have been warning about,” she says.  Although this attack was not successful, there is little doubt a skilled attacker could execute a similar infrastructure attack with more destructive results, says Nayyar. Organizations tasked with operating and protecting critical public infrastructure must assume the worst and take more serious measures to protect their environments, she advises. Fortunately, there were backup systems in place in Oldsmar. What could have been a tragedy instead became a cautionary tale. Both physical security and cybersecurity professionals should pay attention.

What Are The Positive And Negative Effects Of COVID-19 To Security?
What Are The Positive And Negative Effects Of COVID-19 To Security?

The COVID-19 global pandemic had a life-changing impact on all of us in 2020, including a multi-faceted jolt on the physical security industry. With the benefit of hindsight, we can now see more clearly the exact nature and extent of that impact. And it’s not over yet: The pandemic will continue to be top-of-mind in 2021. We asked this week’s Expert Panel Roundtable: What have been the positive and negative effects of Covid-19 on the physical security industry in 2020? What impact will it have on 2021?

Expert Roundup: Healthy Buildings, Blockchain, AI, Skilled Workers, And More
Expert Roundup: Healthy Buildings, Blockchain, AI, Skilled Workers, And More

Our Expert Panel Roundtable is an opinionated group. However, for a variety of reasons, we are sometimes guilty of not publishing their musings in a timely manner. At the end of 2020, we came across several interesting comments among those that were previously unpublished. Following is a catch-all collection of those responses, addressing some of the most current and important issues in the security marketplace in 2021.