Skip to content

Page156

Guards

Guards are a dynamic control that may be used in a variety of situations. Guards may aid in inspection of access credentials, monitor CCTVs, monitor environmental controls, respond to incidents, act as a deterrent (all things being equal, criminals are more likely to target an unguarded building over a guarded building), and much more.

Professional guards have attended advanced training and/or schooling; amateur guards (sometimes derogatively called “Mall Cops”) have not. The term “pseudo guard” means an unarmed security guard.

Guard’s orders should be complete and clear. Written policies in binders sitting on shelves are not enough: the guards must be directly made aware of security risks. Guards are often attacked via social engineering, so this threat should be directly addressed via security awareness and training.

Learn by Example

The Isabella Stewart Gardner Museum Heist

A real-world example that illustrates this issue is the Isabella Stewart Gardner museum heist in Boston, Massachusetts. Two men who appeared to be police officers rang the buzzer on a museum door at 1:24 AM on March 18, 1990. Two amateur security guards (both college students) buzzed the “policemen” in.

The guards were bound and gagged in the basement within minutes. The thieves worked their way through the museum, stealing 13 works by old masters. These included works by Degas, Manet, Vermeer, and Rembrandt (including Storm on the Sea of Galilee, Rembrandt’s only seascape).

Over 20 years later, the crime has never been solved and the artwork (valued at hundreds of millions of dollars) remains lost. The retired museum security director said that “all guards who worked the night shift were warned in writing not to admit police officers who had not been directly summoned by the museum ... the policy was written into the museum’s security manual, kept at the guard desk” [51].

Ensuring that written policies are read and understood is a required part of security awareness. As the Isabella Stewart Gardner heist teaches us, you cannot assume that a policy sitting on a shelf in a binder will be effective.

Additionally, never hire an amateur to provide a professional service. Sites with critical assets to protect (such as banks and museums) should always hire professional physical security staff. Always perform a thorough and accurate risk analysis before deploying guards (amateur or professional).

Dogs

Dogs provide perimeter defense duties, guarding a rigid “turf.” They are often used in controlled areas, such as between the exterior building wall and a perimeter fence. Dogs primarily serve as both deterrent and detective controls. A site without dogs is more likely to be physically attacked than a site with dogs (deterrent), and dogs alert security guards through barking (detective).

The primary drawback to using dogs as a perimeter control is legal liability. Most security dogs are trained to “corner” a suspect (they are usually trained not to bite if the intruder is not moving). Unfortunately, many people do not know this (or simply panic and run at the site of a menacing guard dog). Many guard dogs are trained to attack a fleeing suspect.

Tragedies have occurred when authorized personnel accidentally leave a building and enter a secured area between the building and the fence perimeter (such as accidentally leaving via a fire door).

Restricted Work Areas and Escorts

Areas may be restricted by space (“authorized personnel only” areas) or time (visitor badges that are good for a specific period of time). One common attack is reusing old visitor badges for a later attack; this attack can be mitigated through time-based visitor badge control. Examples include electronic badges that automatically expire, printing the valid date and time usage in bold on the badge, and using different colored badges for different days of the week.

Regular personnel or security guards, depending on the security policy of the site, may escort visitors. All such staff should be made aware of security dangers regarding escorts, such as social engineering attacks. All personnel should be trained to challenge any visitor who lacks a proper badge or escort, or to call security to report the incident.