Is your security program reactive or proactive when dealing with threats?

Security breaches and failures cost US companies more than $50 billion every single year. In 2016, more than 1 in 10 businesses suffered from a security incident. With so much on the line, why is it that more than two-thirds of businesses lack any kind of security plan? Simply put, most companies are not equipped to deal with the myriad of security risks they face. Criminals target companies of every size and in every sector. For threat actors, there is no target too big or too small when they are considering committing a crime. When businesses fail to have a security program in place, any crime can erupt into a dangerous or expensive crisis.

The first step in developing a proactive security program is a security assessment.  Security assessments (physical or cyber) help an organization learn the risks, threats and vulnerabilities associated with their assets.  Once the risks, threats and vulnerabilities are identified, the security professional or company normally works with the company to help lessen the probability that a security incident will occur.  You can never truly eliminate everything but lessening the impact or even mitigating the occurrence won’t occur without understanding what you are protecting your business from.

Without proper and regular security assessments, your business or organization is open to numerous external and internal threats. Take, for example, the Y-12 National Security Complex, located only a short drive from Knoxville, Tennessee. Y-12 manages the uranium for every single nuclear weapon in the United States nuclear arsenal. Historically, the biggest threat facing the facility was the Soviet Union. Therefore, all security plans were aimed at defending from malicious Soviet actors. However, the security approach of the facility did not evolve to reflect the changing threat landscape of the 21st century. Nearly two decades after the dissolution of the USSR, the Y-12 faced a major security threat from a completely unexpected organization.

On a summer night in 2012, three individuals breached the security of the Y-12 facility. They were able to gain access to the grounds by cutting three separate perimeter fences. Taking advantage of malfunctioning cameras and sensors, they entered the facility unseen. Even when alarms went off, security guards presumed them to be false and took no action. The individuals made it all the way to one of the most secure places in the entire facility. They stood only a few feet away from a stockpile of enriched uranium large enough to create more than 15,000 nuclear warheads. The three individuals spray painted religious messages and splashed human blood all over the facility. They had free roam of the facility for more than two hours before security forces eventually discovered and apprehended them.

How did three individuals essentially walk in to what was thought to be one of the most secure facilities in the country? Were they highly trained foreign spies? Trained hostile actors from a terrorist group? Disgruntled former employees? Surprisingly, the three individuals were an 83 year-old nun, a 57 year-old house painter, and a 64 year old retiree. None had any training or expertise, yet they were able to easily defeat Y-12’s security.

Y-12 suffered from an outdated security approach, broken technology, and neglected procedures. The National Security Complex, despite its name, was not prepared for the risks it faced. Congressional hearings after the incident saw numerous members of the security team grilled for their failure. The response was to halt nuclear-related operations for more than two weeks to focus solely on security training. The Complex was in crisis mode and was unable to carry out normal operations until a plan was put in place. Post-incident reviews indicated that proper security assessments and tests would have discovered the security shortcomings and potentially stopped the event from occurring.

From the Y-12 incident to the thousands of security breaches that happen every year, it is clear businesses and organizations need to take a proactive approach to protecting themselves and their employees. It is vital that organizations do routine security checks and develop auditing processes to identify gaps.  However, it is also important for companies to look into third party security consultancies like Freedom Consulting LLC to help them get a fresh look at their current security program & trainings.  The morale of the story is that security assessments can thwart security incidents which continue to cost businesses over $50 billion dollars a year.  Contact us now to get your free security assessment estimate.