The programme increases the number of people within an organisation who behave appropriately to safeguard the workplace
A security awareness program is an educational process to help employees
 observe events or people through a “security lens”

Organizations have a duty of care to protect their employees wherever they work. But in the increasingly complex world that we all live in, the ability to deliver a risk-commensurate and cost-efficient security program that adds real value to a business is extremely challenging, according to IFSEC International 2016 speaker Frank Cannon. He will be speaking on developing an employee security awareness program in the Security Management Theatre at IFSEC International in London on 23 June.

Benefits And Challenges Of Security Awareness Programs

SourceSecurity.com: In what ways does a good employee security awareness program add value to a business?

Cannon: Simply put, it increases the number of people within an organization who behave appropriately to safeguard the workforce and protect its property. Through enhanced vigilance and informed awareness, the employees identify and report suspicious conditions or people at the earliest opportunity, so triggering a proportionate response by others. This early notification helps to minimize the negative consequence of crime and thus saves money. 

SourceSecurity.com: Why is implementing an employee security awareness program such a challenge?

"The location, audience, time
available and importance of the
security message often dictate
how and when the security
awareness program is delivered"

Cannon: To be effective, a security awareness program must have the support of senior executives and then resonate with the workforce. It is necessary to identify a series of key security messages that are consistent with the security risks, but that also echo the organization’s beliefs and vision statement. The pitch, tone and proportionality of the security message must complement the day-to-day working culture of the target audience. There is no one-size-fits-all program that can be used to create a security culture, but more there’s a need for a cognitive process that requires an informed approach to harness the views of numerous stakeholders. Once initiated, the program must adapt to the changing work environment and security risks.

The challenge is convincing leaders to invest funds based on the likelihood that an undesirable event will have a negative impact on the business and/or convincing the workforce to change their behaviors to minimize the impact of such events.

Logistics Of Security Awareness Training

SourceSecurity.com: If all employees are effectively part of the wider security team, how do you distinguish between their roles and those of security professionals?

Cannon: A “team” is a group of people with a common purpose; in this instance, the purpose is to safeguard all those within the team and to protect the property they use or own. Communication is the essence of good teamwork and by encouraging each and every member of the team to observe, listen and communicate, it allows others to take appropriate action to address any fears or concerns. Non-security professional members of staff become the “alarm” or information gatherers, leaving the security practitioners to respond or analyze and plan. 

SourceSecurity.com: What does a security awareness training program look like? 

Cannon: My belief is that “training” is a process to develop skills or practical ability, whereas “education” is the giving and receiving of knowledge or theoretical competence. A security awareness program is an educational process to help employees observe events or people through a “security lens” and help them recognize an abnormal situation that may place people or property at risk.

In a security awareness programme, the message being communicated must be relevant, important and personal to each person
Initial inductions, promotional courses, trade training, team meetings, periodical
workshops and quarterly town halls all provide good platforms to engage workforces

SourceSecurity.com: What are the main elements of such a program?

Cannon: Prior to the development of a security awareness program, the security threats and associated risks against the organization, its workforce or its assets require assessment. You then have to create an integrated security program with a proportionate blend of physical, technical and procedural elements. The security procedures set out behavioral expectations for employees, so that a pre-determined outcome is achieved. Only then can an employee awareness program be developed to communicate with the workforce. 

A program consists of numerous methods (or tools) to communicate security expectations to active participants. These consist of key messages, each of which amplifies specific issues that, when put together, help to create a security culture. This isn’t a tangible asset or outcome but more a way routine business is carried out. Key messages are developed with the support of stakeholders and should complement an organization’s culture, beliefs and operating processes. 

SourceSecurity.com: What format does the training take (classroom/online/reminders/refreshers etc.)?

Cannon: Security education is a continually evolving process that takes advantage of opportunities as they appear. Initial induction, promotional courses, trade training, team meetings, periodical workshops and quarterly town halls all provide good platforms to engage the workforce.

"By encouraging each and every
member of the team to observe,
listen and communicate, it allows
others to take appropriate action
to address any fears or concerns"

The location, audience, time available and importance of the security message often dictate how and when the security awareness program is delivered. This can range from regular (3 to 5 minute) “security moments” at the start of routine meetings, to a full day workshop involving larger audiences. A tradesperson with little access to a computer may benefit from a “toolbox talk” at the start of the day, whereas an office worker may learn more through an online e-package. For those with time – or for the more important security risks – a workshop or standalone meeting may be the most appropriate forum. Alternatively, a well-designed poster may successfully convey the simpler messages. 

The critical element of a security awareness program is that the message being communicated must be relevant, important and personal to each person. He or she must identify with the message and understand a personal benefit for changing an otherwise acceptable behavior to help increase the levels of protection for themselves, their colleagues or the property they are responsible for. 

Effective Physical And Cyber Security Awareness

SourceSecurity.com: Does the security awareness program include information security as well as conventional physical security?

Cannon: If the organization, its management or the security risk assessment identifies a cyber risk that requires employees to behave in a specific way, then information security can be included in the program. Anything that adds to the protection of personnel or assets can be included, including health and safety, environmental or community interaction.  

SourceSecurity.com: How can you measure the effectiveness of such a program?

Cannon: This is challenging and is often why organizations tend not to invest in security awareness programs. I often say that the success of my program is when I have leaders or supervisors discussing personal safety or asset protection as part of routine business. An organization with an effective program (or security culture) has security as part of its operational planning process, listed within job descriptions and part of its meeting agenda items.

Success is when employees are routinely reporting suspicious people or events, where employees are willing to participate in workshops or practice drills, where they change their behaviors based on advice received and where they seek out security awareness materials for use within their own teams. The ultimate goal is to have an incident- and injury-free working environment so that the incident statistics support a downwards trend. The security risk level can change overnight, however, so incident trends are not always a true reflection on the success of a security awareness program.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

Ron Alalouff Contributing Editor, SourceSecurity.com

In case you missed it

How Security Best Practices Can Help “Back to Work” Post COVID-19
How Security Best Practices Can Help “Back to Work” Post COVID-19

We are slowly returning to normal after the COVID-19 pandemic that has swept the world.  The journey to normality is going to see a large number of changes, and the physical security arena is set to be front and center in both implementing changes to keep the rest of the organization safe and within their own policies and procedures. Our return to work journey can be broken down into a number of areas for consideration. This is by no means an exhaustive list but will highlight the areas in which a security team can offer valuable insight and direction, and also some areas that end users may wish to consider as security leaders. Processes and procedures Employees returning to a site is going to be a major step for any organization, and this is where security leaders are going to be called upon to help. In these times of enforced social distancing, lockdown procedures, deep cleaning and personnel interaction protocols, each COVID protection program has a process to follow and this is the first place a security operations team may lend their experience. Physical security is built upon and relies on procedures and processes that must be strictly followed to be successful. These processes may be translated into the wider organization to help minimize confusion as the site becomes more populated. It is also a good time to review your own policies and procedures to ensure that they are adapted to meet the needs of the organization as people return to work. It is likely that you will have to increase the number of patrols or guards at access points, and you may have a new investigative process to consider for track-and-trace requirements, should there be a positive COVID-19 result. Monitoring The Security Operation Center (SOC) is likely to become an even more important part of the day-to-day operations on site. It acts as the centralized point for monitoring and incident management and may be subject to greater strain, incidents and demands than before. Ensuring that your SOC is suitable and equipped to handle these operations is key. While you may not have enough security staff to actively monitor your entire camera estate, video analytics provide a key ally. Many VMS manufacturers have simple video analytics built into their software, but there are specific tools available to help detect infractions around social distancing: people counting in a specific area to avoid over-crowding and a de facto fail on the social distancing measures; mask or PPE wear detection to ensure that people are appropriately dressed for their own protection; and people movement monitoring makes sure your employees aren’t bypassing the one-way system that you’ve implemented. An alert can be set up to identify when employees get within 6 feet of each other A particularly useful technique here is object distancing, where an alert can be set up to identify when employees get within 6 feet of each other for an extended period of time, aiding you in social distancing requirements. A second is built on wrong direction monitoring and will ensure that the one-way systems you create are being followed by staff and public alike as the analytic is capable of determining direction of travel for a pedestrian. A more advanced analytic may be the detection of PPE and ensuring that staff are wearing the appropriate masks and protective gear, although this is relatively dependent on strong camera positions and ensuring that the field of view is appropriately configured. There are a number of options to integrate with your access control systems, both physical and technology based. Thermal cameras and temperature probes may be used at entry points to ensure that anyone with a fever isn’t admitted to a location (although be careful when selecting a thermal camera and do thorough research on the temperature variation that it is able to detect). Human-to-human interaction Your physical security team is often the first human point of contact for your employees and often the most important. It may be necessary to increase your patrol and guard workforce temporarily to ensure that all entrances are covered and that entry procedures are tightened up or enhanced. I am confident that employees won’t mind an extra minute or two at the entrance for the improvement in their own health and wellbeing. If you do have an incident, perhaps where an employee is felt to be breaking the rules by not distancing appropriately, or ignoring mandated procedures, then your guard and patrol teams become vital peacekeepers in defusing and de-escalating the incident. Those same team members should also be trained in incident control and investigation, and with a well configured security environment (surveillance, electronic access control, personnel checks, etc.), they should form the basis of the track and tracing process of all staff that were on site and in contact with an infected employee should the worst happen and you have a positive COVID test returned. Protecting your security personnel Physical security operations team should be fully equipped with appropriate PPE This leads to my final point: your physical security operations team should be fully equipped with appropriate PPE, both while on patrol and in the SOC. Installing plexiglass panels between monitoring stations and spacing the monitoring stations appropriately should be the minimum first step. If your team is large enough, implementing a split A and B team is another possibility, with no interaction or risk of cross contamination between the teams, and a deep cleaning of the SOC and each guard station at the end of every shift. This ensures that you’ve covered at least 50% of your personnel in case of a COVID-positive event to keep operations moving, but also helps to create a contained working environment for this critical security function. If you have the space and the equipment, creating a secondary SOC, or engaging a remote GSOC (Global SOC) provider will improve your monitoring capabilities (GSOC companies are usually equipped with the latest video monitoring technologies) and reduce the risk of cross contamination. As you’ve read, there are many ways in which your physical security operations team can aid you in a successful return to work, playing a vital function in monitoring, managing and interceding in your organization. One final note: thank you to those front-line personnel for their tireless efforts in keeping us safe and healthy.

What Are The Challenges Of Retrofits, And How Can They Be Overcome?
What Are The Challenges Of Retrofits, And How Can They Be Overcome?

Retrofit projects provide new levels of physical security modernisation to existing facilities. However, retrofits come with their own set of challenges that can frustrate system designers and defy the efforts of equipment manufacturers. We asked this week’s Expert Panel Roundtable: What are the biggest challenges of retrofit projects, and how can they be overcome?

Why Cloud-enabled Physical Security Must Be Part Of Your Long-term Digital Strategy
Why Cloud-enabled Physical Security Must Be Part Of Your Long-term Digital Strategy

COVID-19 and the resultant lockdown saw an unprecedented demand for cloud-enabled technologies across Europe. Such services enabled people to stay connected and allowed some businesses to relocate personnel and continue to operate successfully. With enterprise-focused video conferencing mobile app downloads showing a weekly 90% increase in comparison to pre-COVID-19 figures, it’s clear that cloud services have proven invaluable in these challenging times. Now, as the benefits to business of cloud technology become apparent, and the grip of COVID-19 begins to loosen, senior decision makers must consider the learnings from the past few months and look to apply them to boost productivity, streamline costs or become more agile in the long term. Digital transformation presents some enticing advantages for those companies that have been slow to adapt. The physical security industry, traditionally video surveillance cameras (CCTV) and access control, will have witnessed how cloud infrastructure is not only cost effective and safe, but is a force multiplier for connecting platforms, services and people with potent business benefits. The future is VSaaS and ACaaS In today’s modern, connected world, dated technologies are giving way to their cloud-enabled successors, video surveillance as-a-service (VSaaS) and access control as-a-service (ACaaS). In this context, cameras and readers are added to a network as IoT devices that bring security systems up to date and represent a vital component in any modern, cyber-secure digital strategy. Frictionless access control has meant touch free access to buildings But better security is just one benefit of a much greater system that can bring real value. Built in analytics, for example, that utilize the data from network video cameras and smart access control devices, produce valuable business insights that help to inform and automate decision making. In the recent pandemic, frictionless access control has meant touch free access to buildings; while occupancy tools have helped retailers adhere to strict government guidelines on social distancing. And as more security equipment becomes connected to the wider IT network, the advantages have not been lost on the IT industry that is expressing more than a passing interest in the adoption and management of such systems. Morphean recently conducted a survey of 1000 IT decision makers across the UK and Europe, with the purpose of providing clarity around their security purchasing intent in the 2020s. Findings revealed that as many as 84% of IT managers are currently using or considering VSaaS or ACaaS systems, pointing to an appreciation of the convergence of physical security and IT security, and a willingness to embrace systems when integrated with IT in the cloud. An adaptable business model with recurring revenues Of course, it is not just the IT industry that is changing mindsets towards hosted physical security. As a result of COVID-19, end customers are demanding it too and found it easier to scale at speed when business circumstances changed. Rather than being tied to fixed IT infrastructure on premises, a hosted solution offered greater dexterity as operational challenges around the pandemic arose. Businesses were able to customize and scale quickly to meet ongoing need without the need for large upfront capital investment, instead, paying for the convenience as-a-service out of operational expenditure as a monthly cost. This is the proven business model of cloud, yet the security industry has been slow to adopt it. One key challenge is the way in which the prevalent business models in the sector operate. VSaaS is still alien to installers and integrators used to selling hardware on narrow margins, reliant on existing financial arrangements with distributors to fund new equipment. Transitioning to sales cycles based on monthly licences rather than up-front purchases won’t be easy, but the security channel must learn how if it is to remain competitive and drive new business opportunities. This recurring revenue model will be interesting for the physical security industry who will have witnessed uncertainty and, in some cases, a downturn in revenues as decisions around capital expenditure were put on hold during the crisis. Instead, convenient and recurring monthly payments will have put the installer on a firmer footing and guaranteed ongoing vendor support backed by the latest software updates and firmware upgrades to ensure delivery of a high quality service that’s always up to date and online. What is driving your digital strategy? VSaaS and ACaaS provide a flexible and fluid security and business solution Cloud is here to stay. Its resilience and ability to connect the world during the COVID-19 pandemic has proved its worth, even to the uninitiated who have now witnessed first-hand the value of connected systems. VSaaS and ACaaS provide a flexible and fluid security and business solution to meet the demands of a rapidly evolving industry, where the changing threat landscape means investing in the cloud is an investment towards success. CEOs and CIOs within the physical security reseller industry must learn the lessons and apply the learnings to drive their businesses forward in the ‘new normal’ where hosted security solutions must surely play a major part to expand their offering to a wiser customer base. Cloud-enabled physical security solutions represent an investment into improving security and operations, and a chance to forge new business relationships to face the challenges of an ever changing world.