Employers Must Create Workplace Violence Action Plans

Posted by ASIS:
From “Employers Must Create Workplace Violence Action Plans”
Occupational Health & Safety (06/07/18) Davis, Jessica

Speaker Bo Mitchell, President of 911 Consulting and a retired police commissioner, on June 7 laid out for attendees of #Safety2018, in “The Fatal Flaws in Your Active Shooter Protocol,” the statistics on workplace violence and how employers should prepare. Almost all active shooter situations are over in 4-5 minutes, which means it is difficult for police to deploy in time. Because officials can’t arrive instantaneously, Mitchell said, the true first responders in a workplace violence incident are the employer and employees, and training them to call the police is not enough. In active shooter situations, the Department of Homeland Security says to Run, Hide, and Fight. According to Mitchell, this protocol’s fatal flaw is that the first step should be Alert. He stressed that in a chaotic workplace violence situation, employers must have multiple methods to alert employees as to what is happening and what areas to avoid. He listed options such as a PA system, two-way radios, panic alarms, or alerts via cell phones, text messages, or locked computer screens. He emphasized that redundancy and multiple alarms are best. Appropriate response and protocol in an active shooter situation are complex and not intuitive, Mitchell said, so there are many points that are vital to include when training employees. He underscored that the main duty of police when entering an active shooter situation is to find the shooter, and that employees should be trained to understand that police officers cannot help them emotionally or medically in this instance.

Researchers Find Amazon Alexa Can Be Hacked to Record Users

From “Researchers Find Amazon Alexa Can Be Hacked to Record Users”
eWeek (04/25/18) Kerner, Sean Michael. Posted by ASIS.

The security firm Checkmarx on April 25 disclosed that a malicious developer can trick Amazon’s Alexa voice assistant technology into recording everything a user says. It is currently unclear if any hackers have ever exploited the flaw, which is not in the Amazon Echo hardware, but rather is an abuse of functionality in the Alexa Skills feature set. Developers can extend Alexa’s technology by building skills that provide new functionality for end users. Checkmarx found that several unbounded parameters available to Alexa skills developers could have enabled a malicious developer to record and even transcribe what a user says, even after the user had finished communicating with the device. “Customer trust is important to us, and we take security and privacy seriously,” an Amazon spokesperson stated. “We have put mitigations in place for detecting this type of skill behavior and reject or suppress those skills when we do.” The Checkmarx research found that an attacker could manipulate an Alexa Skill, which can be installed by unsuspecting users and doesn’t require any physical access or tampering with the Amazon Echo smart speaker. “The problem is that the attack we described leaves no trace, so a naïve user will not be able to know,” said Erez Yalon, manager of application security research at Checkmarx. “It makes sense that with the info they have now, Amazon can check if the Amazon Store hosts any malicious Alexa Skills.”

People Are Often Too Embarrassed to React to Emergencies at Work — Here’s How to Stay Safe Should the Worst Happen

From “People Are Often Too Embarrassed to React to Emergencies at Work — Here’s How to Stay Safe Should the Worst Happen”
Business Insider (04/09/18) Cain, Áine. Posted by ASIS.

Threat management and workplace violence expert Dr. Laurence Barton says employers should encourage workers to trust their instincts and remain “situationally aware” on the job, instead of emphasizing shooting drills and tactical exercises. He says employers need to adopt flexible emergency plans and policies that empower employees to trust their intuition, rather than static ones. For example, instead of telling workers to evacuate the building and meet up at another location, Barton said to order employees to evacuate and keep moving until they feel safe. Static plans can endanger lives, in the event of unforeseen circumstances, such as an attacker who is familiar with the contingency plans. A flexible plan should encourage individuals to do whatever they need to do to make themselves safe. He says workers struggle to follow their intuition at work, because they are lulled into a false sense of security and are fearful of appearing paranoid in the workplace. When dangers arise in the office, people often experience a sense of disbelief and paralysis. Barton has interviewed numerous survivors of violent workplace incidents, many of whom describe freezing up and not acting on the opportunity to flee. A situationally-aware person would identify a potential threat, such as loud popping sounds, trust their instincts and take decisive action such as evacuating the building.

YouTube Shooting Puts a Focus on Workplace Security

From “YouTube Shooting Puts a Focus on Workplace Security”
New York Times (04/06/18) Hsu, Tiffany; Nicas, Jack. Posted by ASIS.

Silicon Valley firms are known for corporate headquarters that resemble universities, where employees mingle with tourists, executives stroll between meetings without an obvious security detail, and collaborations take shape out on the quad. However, such places are difficult to secure. The shooting this week at the headquarters of YouTube, a Google-owned company in San Bruno, Calif., has highlighted the security risks of Silicon Valley’s relatively open corporate campuses — particularly as tech companies’ expanding influence angers more people online. The risk is not confined to the tech sector. Many companies across the country are similarly exposed, reflecting an open-door policy that for generations has pervaded corporate America, where safety training has long focused on fire drills, earthquake-sheltering procedures, and accident cleanup. Many companies now send their security personnel to gun ranges to test active-shooter threats in virtual reality. Insurance providers are offering lower premiums for corporate clients with stronger security. “If you can’t protect the work force, you’re putting your entire operation at risk,” says Arnette Heintze, a former Secret Service agent who runs a security consulting firm. Companies of all kinds have stepped up security. General Mills has made physical changes to its building in Minneapolis to better prepare for an active shooter situation. Wendy’s has installed upgraded security cameras throughout its headquarters in Dublin, Ohio; set up advanced access control systems that can lock down different parts of the facility; and upgraded its phone systems with emergency messaging capabilities.

Lawmakers Seek OSHA Standard on Workplace Violence Prevention in Health Care

From “Lawmakers Seek OSHA Standard on Workplace Violence Prevention in Health Care”
Safety and Health Magazine (03/14/18) By ASIS.

Thirteen House Democrats have introduced the Health Care Workplace Violence Prevention Act, legislation intended to curb workplace violence in healthcare facilities. The proposed bill would direct OSHA to create a standard that would require healthcare facilities to develop and implement facility- and unit-specific workplace violence prevention plans. The legislation follows regulation enacted in 2014 in California, which went into effect in 2017, directing Cal/OSHA to develop a workplace violence prevention standard. The California law implements an April 1 deadline for all covered healthcare employers in California to develop and issue plans to prevent workplace violence and ensure the safety of patients and workers. The federal bill, introduced by Rep. Ro Khanna (D-Calif.), is similar in that it mandates that workplaces create and implement comprehensive violence prevention plans with input from doctors, nurses, and custodial workers. “The Health Care Workplace Violence Prevention Act puts a comprehensive plan in place and is a national solution to this widespread problem modeled after the success seen in California,” Khanna says. National Nurses United (NNU), the nation’s largest union of registered nurses, applauded the bill. The proposed federal standard calls on hospitals to assess and correct for environmental risk factors, patient-specific risk factors, staffing, and security system sufficiency, according to NNU co-president Deborah Burger.

How Access Controlled Revolving Doors Can Protect Businesses From Crime

From “How Access Controlled Revolving Doors Can Protect Businesses From Crime”
SecurityInformed.com (03/09/18) Thomas, Tracie. By ASIS.

Keeping the entrances and exits to a building secure is an extremely high priority for most organizations. Architectural revolving doors may not always be top-of-mind when designing a new security system. However, with recent technological advances—and considering that they occupy less floor space and are excellent at reducing unwanted air infiltration into an interior—it is time to consider their role in a complete physical security plan. Revolving doors can be a reliable solution for providing the first line of defense against unwanted entry. They are often deployed in buildings where public use is needed during the day, but controlled access is required in the evening. Thanks to technology employing electricity, today’s manual revolving doors are more capable than ever before. New security features include emergency security lockdown, remote locking, and access control integration. For example, facility staff can electronically lock the door in place by pushing a remotely located button, or an access control system can lock the door automatically at a specific time of day. Notably, standard revolving doors are not equipped to prevent tailgating, or an unauthorized person following an authorized person through an entrance. If this is a concern, revolving doors should be the first of several layers of physical security. Overall, standard revolving doors can be a simple, cost-effective, and easy to implement solution that helps prevent unwanted entry and keeps building interiors safe.

Weapons in the Workplace

From “Weapons in the Workplace”
Security Management (03/18) Sorrells, Eddie. Posted by ASIS.

For most private employers, the issue of guns in the workplace is complex. There is currently no U.S. federal law regulating weapons at private workplaces, and while many state legislatures have taken up the issue, these laws vary in terms of their restrictions and make it difficult for employers operating in multiple U.S. states to implement one overarching weapons policy. By understanding the legal landscape surrounding firearms on work property, and establishing policies within the employers’ legal rights that properly address workplace violence, security professionals can help ensure a safe work environment without infringing on the legal rights of their employees. Notably, 23 states have some form of “parking lot laws” that allow employees to have firearms in their locked, private vehicles while parked on company-owned property. Meanwhile, more lawsuits can be expected regarding employee termination based on gun-free workplace policies. Florida, for example, passed a law in 2008 that prohibits employers from discriminating against any worker, customer, or invitee for exercising the right to keep and bear arms. Policies on workplace violence should include a thorough explanation of state law regarding guns on workplace property and outline how to respond to employees who are potentially violent. When firing any individual considered to be high-risk, companies should consider providing a security escort to the parking lot. Organizations should also train security officers in the use of de-escalation techniques. Finally, for workplaces that must comply with parking lot laws, organizations may consider increasing security in parking areas, such as adding an access control point, conducting patrols, installing video surveillance systems, and implementing proper lighting.

Massachusetts Hospital Makes Security Changes After Nurse Stabbed 11 Times

From “Massachusetts Hospital Makes Security Changes After Nurse Stabbed 11 Times”
Campus Safety Magazine (09/27/2017) Brennan, Amy

Harrington HealthCare System’s Southbridge, Mass., hospital began implementing new security measures in September following the June stabbing of a nurse by a former patient. Elise Wilson was working as an emergency room nurse on June 14 when 24-year-old Conor O’Regan stabbed her 11 times. Doctors say Wilson almost died from tremendous blood loss. Investigators say O’Regan picked Wilson at random and was seeking revenge for what he considered to be unsatisfactory treatment at the hospital three weeks prior for a wrist injury. He told court physicians that he heard voices telling him to “be a warrior.” Hospital administrators say the new security measures include limitation of visitors in emergency departments and mandatory bag searches at Harrington’s Southbridge and Webster locations. Each patient in the emergency departments will be limited to two visitors. Added public safety officers will manage visitors as they arrive. Public safety officers will also now carry batons, pepper spray, and handcuffs. “There are very strict guidelines and circumstances under which these tools would be used, and that is being communicated during the training being taken by our Public Safety Department,” says Harrington vice president Harry Lemieux. Many hospital employees, including public safety staff, will participate in de-escalation training and defensive tactics. On-site training and drills will also be rolled out with department and building-specific protocols. Two walk-through metal detectors have also been placed at emergency room entrances and additional security cameras and panic buttons have been installed throughout the hospital.

Mitigating Active Shooter Risks

From “Mitigating Active Shooter Risks”
PropertyCasualty360 (08/16/17). Posted by ASIS.

Security professionals should prepare their companies for the possibility of an active shooting, as the number of incidents involving active shooters has risen steadily over the last 15 years. Keith Plaisance of Global SHE Solutions says implementing an active shooter program is similar to preparing for a fire drill, and survival depends on having a plan with three specific options: run, hide, or fight. Preparing for an active shooter scenario involves the development of a workplace violence policy and plan, emergency response plans, training, and exercises. For the workplace violence policy, the employer should establish acceptable workplace behavior, affirm the company’s commitment to take action and provide a safe workplace for employees, and address physical violence as well as threats, bullying, harassment, and weapon possession. Plaisance says a reporting mechanism should be in place letting employees know who to approach with concerns. He also recommends creating a threat assessment team within the company. Companies should test plans to determine effectiveness and identify potential problems, presenting plans to employees in regular training. Companies should also conduct a detailed physical security assessment, with the goal of denying unauthorized access and protecting property, personnel, and operations.

Microsoft PowerPoint Used as Attack Vector to Download Malware

From “Microsoft PowerPoint Used as Attack Vector to Download Malware”
Neowin (08/15/17). Reposted by ASIS.

Trend Micro researchers have discovered that a vulnerability in the Windows Object Linking and Embedding (OLE) interface is being exploited by cybercriminals through Microsoft PowerPoint in order to install malware. The interface is commonly exploited through malicious Rich Text Format (RTF) documents. The attack starts with a phishing email that contains an attachment. The message appears to be some sort of order request, with the attached file supposedly containing shipping details. The provided document is a PPSX file, which is a type of PowerPoint file that only allows the playback of the slideshow, and is not editable. Should the victim download and open it, the content will only display the text “CVE-2017-8570,” a reference to a different vulnerability for Microsoft Office. Instead, the file will launch an exploit for the CVE-2017-0199 vulnerability, and will then begin to infect the host computer with malicious code being run through PowerPoint animations. A file called “logo.doc” will then be downloaded, an XML file with JavaScript code that runs a PowerShell command to download a new program called RATMAN.exe, a trojanized version of a remote access tool called Remcos.
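
As an added detection sketch (not code from the article or from Trend Micro), the chain described above can be hunted in process-creation telemetry by walking each new process's ancestry and flagging script interpreters, and whatever they launch, that descend from an Office application. The event fields, PIDs, command lines and the `wscript.exe` intermediate are constructed assumptions; only PowerPoint, logo.doc, PowerShell and RATMAN.exe come from the summary.

```python
OFFICE = {"powerpnt.exe", "winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# Constructed sample events (not real telemetry); command lines are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "POWERPNT.EXE",   "cmd": "POWERPNT.EXE /s order.ppsx"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",    "cmd": "wscript.exe logo.doc"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmd": "powershell.exe <elided>"},
    {"pid": 500, "ppid": 400, "image": "RATMAN.exe",     "cmd": "RATMAN.exe"},
    {"pid": 600, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe Get-Date"},
]

def ancestors(pid, by_pid):
    """Return parent, grandparent, ... events; stops on unknown parents or PID loops."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain

def detect(events):
    """Flag interpreters below an Office app, and binaries those interpreters start."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        names = [a["image"].lower() for a in ancestors(e["pid"], by_pid)]
        if not any(n in OFFICE for n in names):
            continue  # no Office application anywhere in the ancestry
        path = " > ".join(list(reversed(names)) + [e["image"].lower()])
        if e["image"].lower() in INTERPRETERS:
            alerts.append((e["pid"], "interpreter-under-office", path))
        elif names[0] in INTERPRETERS:
            alerts.append((e["pid"], "binary-from-office-script", path))
    return alerts

if __name__ == "__main__":
    for pid, rule, path in detect(EVENTS):
        print(pid, rule, path)
```

Walking the full ancestry rather than only the direct parent is what catches the PowerShell process here, since a script host sits between it and PowerPoint.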