Are Access Control Card Readers Enough? Re-Evaluating Employee Screening Processes
By Neil Sandhoff, Vice President of North America at Evolv Technology –
When it comes to security in the workplace, many organizations are starting to question whether access control card readers are enough. Even more, just like many school children feared returning to school this year, employees are becoming increasingly afraid to go to work – this is the new reality and one that we haven’t encountered before.
As organizations turn their attention to protecting their staff, many have started exploring employee screening options. However, the introduction of any new technology or process brings questions and concerns, and organizations and security teams will need to consider a variety of factors. For example, while employees are calling for new security measures to keep them safe, they will be wary about anything that might slow down their process of getting into work or getting to meetings on time.
Let’s explore nine steps organizations should take to implement a successful and non-invasive employee screening process.
Step 1 – Determine the value of keeping your employees safe
Leadership needs to understand the value of creating a safe environment. They should ask themselves the hard questions like whether any employees or visitors pose a risk to the organization. Did someone leave on bad terms or get fired and not go quietly? Can anyone access your building entrance? Evaluating the level of risk, potential threats and value of creating a safe work environment at the beginning will help shape the overall process.
Step 2 – Identify the impact of not having employee screening
Beyond employee requests, management teams need to think about their larger business, and the consequences something like an active shooter incident could have on their future and profitability. They should ask themselves, “is my business at risk if I don’t put in security?” An active shooter incident can have both an immediate and long-lasting economic impact on an organization.
Step 3 – Define policies and end goals
Before diving in, it’s important to clearly define the goal of implementing an employee screening system. What are you looking to achieve? Are you looking to account for every person who enters the building or only identify specific persons of interests? Are you looking to detect guns and knives? What about non-metallic threats like suicide vests or PVC pipe bombs like we recently have seen in the news? These are points to consider as organizations build out their strategy.
In addition, some industries that work with unions will need to review the union policies before moving forward with the selection process. Unions have varying agreements, some of which require that employees be paid during screening time. Having a firm understanding of what these policies will help ensure compliance down the road.
Step 4 – Perform various assessments
Organizations should run a variety of assessments to help identify the type of employee screening that best fits their needs. For example, knowing they will be met with questions about cost, management should plan on running a financial assessment to determine what they can afford and how it will be paid for.
In addition, organizations should run a threat assessment to fully understand what threats it’s vulnerable to based on office location, design, number of employees, etc. Remember, there is no one-size fits all solution and while talking to similar organizations to get a sense for what they are doing can be helpful, every building has its own unique set of opportunities and challenges. Running a threat assessment provides organizations with the insights they need to develop a screening plan that fits their requirements and vulnerabilities.
Management should also conduct an assessment on the employee experience. Is throughput, speed, limited or no divestment of personal items during screening important to your employee’s experience? If so, only a limited number of employee screening technologies will be acceptable to your plan. Also, take strong consideration into privacy laws and employees’ perception of privacy and obtrusive practices during the screening process throughout the process.
Step 5 – Identify and evaluate employee screening technologies
Armed with a budget and knowledge of potential vulnerabilities, organizations can start exploring the specific employee screening solutions on the market that fit their needs. Factors to consider include detection capabilities, alarm rates, speed, and the number of people/guards to operate such systems.
It’s also important to consider the employee experience. Remember, employees are concerned that new processes will slow down their process of getting to work each morning or make it difficult for them to perform their job efficiently. To ensure the experience is a smooth one, look for solutions that keep people moving, limit physical touching and allow employees to keep track of their belongings.
Step 6 – Concept of Operations (CONOPs)
A well thought out, documented plan on how to implement and conduct screening operations is critical. Work with vendors and other organizations who have implemented employee screening to learn best practices. Document the CONOPS for various deployments that can account for changes in your security posture. Most organizations develop CONOPs for daily use and different CONOPs to employ during heightened levels of security where the threat risk is greater.
Step 7 – Develop and roll out a communications strategy for employees
While many employees today are calling for their organizations to implement more stringent security practices and processes, management teams still need communicate the new processes to employees in an official way. There are a lot of positive messages companies can share with employees about employee screening that demonstrate corporate commitment to employee safety. Environments that haven’t had any type of employee screening in the past such as hospitals, office buildings, warehouses and other large organizations are sharing more information about their employee’s desire to work in a safer workspace.
Step 8 – Take time to train security teams on the new system
With a system in place, the next step is training the security team and employees on how to use the new system. It’s important that each member of the security team gets a hands-on training opportunity and employees get information on what to expect.
Step 9 – Go live and make adjustments along the way
Once the system is operational, monitor the process and make adjustments as necessary. Get input from a variety of groups within the business to determine what’s working and what isn’t. Communicate about changes through the same strategy employed in step 7 to ensure employees feel part of the decision and process.
As employee screening becomes more prevalent across all industries, organizations are looking for the right solution to meet their individual needs. By following the steps outlined above, organizations can find the purpose-built device and the right process to keep their employees safe.
Check out our blog to learn more about improving the physical security screening experience.
Security Screening in the 21st Century: An Interview with Mark Sullivan, Former U.S. Secret Service Director
By Melissa Cohen, Vice President of Marketing –
Earlier this month, I sat down with Mark Sullivan, security industry consultant, former director of the United States Secret Service from 2006 to 2013, and board member for Evolv Technology. We discussed how the threat landscape has shifted in recent years and what people screening should look like today and in the future.
Melissa Cohen: Mark, you have an extensive background in security and have watched firsthand as security threats have evolved over the years. Is the world getting more dangerous? How has the shift in the threat landscape enabled attackers to carry out more mass casualty events?
Mark Sullivan: I understand why many people have anxiety about our world today and perceive it as becoming more dangerous. All too often we are witnessing the horror of terrorist attacks occurring around the world. In our own country we experienced the devastation and pain caused by mass shootings at schools, at the workplace and even houses of worship. These attacks are happening in open areas where historically we have felt safe and there wasn’t a need for any type of security.
Mental health issues, hate, radicalization and the ease of acquiring weapons, in most instances high powered shoulder weapons, has created a situation where they’ve kind of spawned off of each other. Potential attackers may see what other people have done with weapons and decide that’s not a bad way to go. They might even calculate that they won’t make it out alive – and if you’re dealing with someone who’s not concerned with being killed that’s a difficult adversary to stop.
MC: Given these threats, what types of businesses are you seeing conduct more people screening and how has this evolved? Are there any types of organizations for which screening is not a good option?
MS: There are a variety of businesses and organizations I have worked with that are concerned with the safety of their employees, congregations, patrons, fans, clients and contractors. They are also concerned with their brand and want to protect that as well. Today more and more buildings are checking your ID, taking your picture, directing you to an elevator and controlling where that elevator is going. This level of screening wasn’t happening 20 years ago and becomes more common every day.
However, for many types of businesses like hotels, it’s difficult and cost prohibitive to control every single exterior door with a security officer or to conduct sweeps of every piece of luggage entering the hotel. We all want to feel safe, but what is the impact of securing every door, or the process of screening every piece of luggage? And at what cost to the visitor experience. For example, would it increase hotel room prices? What kind of process would that create for checking in? Any organization has to weigh the risks to experience with the benefits of enhanced security. Something like TSA PreCheck is a great model for cutting down on the risk, but we do need to streamline the process for people who don’t need to be screened every single time.
MC: Along those lines, what should the screening experience look like for consumers and organizations?
MS: I think there’s a fine line between doing nothing and recommending we hunker down because there’s a perceived threat or boogeyman around every corner. We live in a democracy. People want their freedom. We don’t want to deal with security every place we go.
From the consumer’s perspective, 20 years ago, we never gave any thought to having screening at a professional sporting event. Now you go to a college game and you’re screened. What’s unthinkable not long ago is now commonplace. Today, part of the experience of going to a show or a game is planning for how long it will take to go through the scanning process. Similarly, from a business or venue’s perspective, they’re looking at their overall security plan and constantly reevaluating whether they need to have screening for their Broadway show or cruise ship or at the train station. For these “nontraditional” types of venues, it’s a matter of choosing the right technology and the right level of hassle-free screening to still allow for a superior visitor and employee experience.
MC: Do you think society can afford to not have more screening? What’s the right way to go about it to balance experience, risks and the changing threat landscape?
MS: Well, it’s really not just about having people physically screened. It’s also about having the appropriate information or intelligence to make informed risk management decisions. For example, in a business setting, many companies today are doing more to monitor not only what is occurring outside of their business but also within their business. One of the biggest risks to a business or organization today is the “Insider risk or threat.” Many businesses are continually updating their databases on employees to keep an eye out for potential risks and watching what they do on social media. There’s so much internal and external data and information companies need to be aware of now.
For all businesses and organizations considering employee screening, it’s important to work with the right security partner who understands there are different types of threats, and different mitigation strategies for each individual threat. You have to consider people, brand, profile, policy, procedures – there is no one silver bullet that will protect you fully. You need a robust security plan, and the appropriate technology to support it.
Airports Moving Ahead On Secure-Area Employee Screening
By Bill McAteer, Account Executive at Evolv Technology –
On July 19, Eugene Harvey, a former baggage handler at Hartsfield-Jackson International Airport in Atlanta, was sentenced to 30 months in prison. His crime: smuggling 135 guns into an employee-only part of the airport, and then having a conspirator sneak them onto commercial flights in his carry-on bags.
He was caught nearly four years ago, but the incident continues to reverberate in aviation security circles. Though there have been other smuggling schemes by airport workers before and since, this one seemed to sound the wake-up call. Suddenly, U.S. Senators were calling for stricter federal regulations on airport worker screening. And, many aviation security veterans, including myself, were suddenly more alert to the potential for carnage by disgruntled or radicalized employees determined to smuggle in weapons for attacks either on flights or in the airport itself. Those concerns have translated into action. Several airports are planning on making major upgrades to fortify their “plane-side” perimeters. Just to be clear, I’m not talking about investment in more cyber-tools to analyze workers’ online history for clues. I’m talking about physical screening of real-world humans, to search for real-world weapons.
Making employees and contractors queue up like passengers just to get to work was unthinkable not long ago. Even when TSA was created after 9/11, it issued no mandates for employee screening. In the aftermath of Atlanta incident, several airports initiated physical screening of employees, searching for weapons as they entered their work areas (the secure/sterile areas of the airport). More recently, airports began using the FBI RapBack program, which will send real-time alerts to airports whenever an aviation worker is arrested, has a conviction of a crime or shows up on a terror list.
But the industry is moving at least as fast as Washington, and probably faster. Market leaders are pushing beyond mandates, and deploying, testing or just looking hard at solutions like ours. At the Global Security Exchange (GSX) conference in Vegas last month, I was impressed by the number of attendees that hung around for the last session of the day, to hear me and my fellow panel-mates talk about “Aviation Lessons on Combating Insider Threat.”
I shouldn’t have been so surprised, airports are under the gun as never before to provide additional layers of security to include employee screening . Airports are sensitive and do not want to risk delays because employees were stuck at security checkpoints. And adding physical screening at major airports is a problem of massive scale. Half—yes, half— of visitors to U.S. airports each day are employees or contractors, according to former TSA director John Pistole and Evolv Technology advisor. More than 40,000 people work in secure areas at Hartsfield, alone.
From my travels, I see airports experimenting with a wide range of physical screening technologies and strategies. But some best practices are becoming apparent. Here a few:
- Identity is crucial – Airports understand there is no one size fits all application for screening every worker. That would be inefficient and ineffective in both monetary and cultural terms. Asking employees to essentially extend their commute by standing in security queues to get to work isn’t advisable in our low unemployment economy. It’s far better to treat different types of employees according to their risk profile. New contractors with major holes in their work history and access to heavy equipment should be screened more often and more rigorously than long-time employees with office jobs. Time matters, too. A concessionaire that sells donuts and coffee to the morning shift every day should get closer scrutiny if they unexpectedly show up at a cocktail party for top executives.
- Get random – While screening every employee would be safest, it’s not realistic or necessary. In fact, as much as we like selling Edge systems, we don’t recommend it. The important thing is that employees at least have the expectation that they may be screened at any time.
- Training works – Nobody likes the thought of a potential terrorist or lone-wolf shooter in their midst. Research suggests that awareness training is effective. Every employee with a badge should receive training in areas relating to mass casualty events some areas to consider are behavioral recognition, a version of “run, hide, fight”, trauma first aid and other areas where they can help during an event.
Of course, nightmare scenarios will always be possible—and almost impossible to predict. I spent most of my career as a Commander with the Port of Seattle Police Department, and my heart went out to the security team at Seattle Tacoma International Airport when a deeply-troubled ground service worker hijacked a turboprop off the tarmac and took a joyride before crashing into an island in Puget Sound in August.
It may well be that there is no preventing such edge cases. But if there is any silver lining, it’s that this tragedy once again has the powers-that-be in Washington calling for federal regulation–and has industry executives looking for ways to keep their employees and facilities safe, while proving they can regulate themselves without onerous amounts of help.
Combating Insider Threats at Airports
By Chris McLaughlin, Vice President, Global Solutions, Evolv Technology –
The shift in the threat landscape has impacted multiple industries from entertainment to education. Today millions of people are vulnerable in places where, in the past, they could freely gather. For airports, which already require several security procedures and screening processes, the shift has resulted in the need to further secure non-traditional areas of the facility.
This need is partially being driven by the uptick in insider threat incidents that have taken place at airports in recent years. With new insider threats like a baggage handler smuggling several handguns onto flights, and an avionics technician showing a willingness to transport explosives to a secure part of the airport, the U.S. Department of Homeland Security Transportation Security Administration (TSA), airport authorities, and airlines are installing more physical security protocols to protect the vulnerable areas of the airport.
Let’s explore what we need to address insider threats at airports, the current processes that exist and how new, innovative technologies are addressing that need.
Security that Considers the Pace of Commerce
The Current Process: For decades, airport insiders have been given extensive access to almost all parts of the airport with identity verification serving as the primary tool for screening employees.To remain operational, employees need this level of access; however, it makes implementing new screening processes difficult as employees encounter dozens of access points daily.
The New Solution: When considering new employee screening processes, an important question to ask is, “will this process unduly slow employees down and make it difficult to do their jobs?” If the answer is yes, then you will want to consider another option. To help, look for options that do not require employees to empty their pockets or take off their shoes and belt.
Automating the Employee Screening Process
The Current Process: In addition to ID checks, there are currently a number of different processes being used for employee screening at airports. In a few cases, airports use traditional x-ray systems and magnetometers, which are costly to operate and invasive for all employees. At the other extreme, airports use physical pat downs, which while more cost effective, are much more invasive for selected employees.
The New Solution: As an alternative, airport managers should look for automated systems. These systems offer a variety of benefits. For example, instead of manual processes like bag searches and metal detectors, guards can maintain focus on the employees coming to work, responding to threats only when they present themselves.
Leveraging Innovative Technologies to Take a Proactive Approach to Security
The Current Process: Today, the screening systems have limited capabilities. For example, they cannot analyze data quickly and are not technologically advanced enough to perform consistently.
The New Solution: Innovative technologies such as artificial intelligence (AI) and sensors offer airport managers a number of benefits. AI has the power to analyze data quickly and identify patterns in real-time. In a screening scenario, this application eliminates the need for full hand wanding or physical full-body pat downs as the technology itself alerts guards if someone is carrying an item of interest and tells them where to search.
Scalable Solutions for Pop-Up Deployment
The Current Process: Not all airport budgets support a 100 percent screening model. While we applaud those that can commit the resources, there is strong evidence that supports random, unpredictable employee screening models as well.
The New Solution: Random, unpredictable screening stations are not only effective but also offer flexibility as conditions change. Solutions that are designed for pop-up deployment allow airport managers to set-up employee screening stations at different access points throughout the airport for various amounts of time.
Flexible Solutions to Meet Specific Needs
The Current Process: This is a complicated process and often times, identifying where, and how, to start can be the biggest challenge. Because of this we see airports choosing NOT to strengthen security in lieu of reverting to a costly and cumbersome “one size fits all” solution that is expensive.
The New Solution: Each airport needs its own flexible solution that can be adjusted based on their specific needs, budget and risk factors. There is no perfect security solution; however, those that that strategically balance security, access, usability, and cost can ultimately provide the best long-term protection against an evolving adversary.
Airport operations are extraordinarily complex. At their most basic level, if security measures make it impossible for employees to get to work on time, airplanes won’t get off the ground on schedule. To incorporate additional layers of security that improve the employee screening process, airport managers should look to maximize their resources. In today’s new world paradigm, it is the combination of identity and physical security that will enable airports and airport managers to successfully protect against insider threats.
Check out this case study to learn more about how Oakland International Airport is leveraging innovative technology to enhance its employee screening process.