Food safety. Companies whose business is part of the food supply chain should treat all government directives and guidelines like mandates—because anyone sickened by their agricultural products will take that tack, according to the lawyer who helped write a consolidated compliance matrix for food giant Kraft Foods, Inc.
Presenters James Pastor of SecureLaw, Ltd., and Mark Powers, North American regional food security manager for Kraft, collaborated on Kraft’s Food Defense Initiative Committee, which assembled all relevant laws, regulations, directives, and guidelines into a single matrix to track compliance. Separately, the effort grouped all of the doctrines’ security requirements by function to eliminate both omissions and redundancies companywide.
Pastor and Powers showed how the maze of companywide compliance efforts can be distilled into a single-page chart for presentation to executives, with government doctrines along the top of the page and security functions down the left-hand side. Checked boxes show where the company is on track; empty ones show where more work—and funding—is needed.
While compliance with laws and regulations is clearly required, Pastor said that companies should follow all other government recommendations, including directives and guidelines, with the same diligence. After contamination or a foodborne-disease outbreak, the company would not want to tell the public that it did not observe a guideline because it was optional. “I’m here to say that’s not going to fly,” Pastor said. “The bigger the issue, the more tragic the issue, the less relevant excuses are going to be.”
As part of the same session, Deborah Allen, CPP, director of product stewardship and security for Potash Corporation, provided an overview of current and emerging regulatory requirements for the food and agriculture supply chain. The government isn’t just putting out regulatory requirements; it is also helping owner-operators limit risk and ensure compliance, Allen said. The Strategic Partnership Program Agroterrorism, for example—a collaboration of the U.S. Food and Drug Administration, the FBI, and the departments of Agriculture and Homeland Security—offers training and tabletop exercises for the food and agriculture sector.
Parking facilities. There’s a reason why the darkened corridors of parking garages get such a bad name: they are the largest single source of accidents that result in injury, according to an expert in parking garage design. And then there are the problems that aren’t just accidents.
Randy Atlas, CPP, founder of Atlas Safety and Security Design Inc., rolled off a litany of horrible things that can and do go wrong regularly in parking garages: car accidents, theft, assault, carjackings, rapes, and murder. “It’s shocking and appalling how often attacks occur in parking lots,” Atlas said during a presentation that offered a multimedia extravaganza of news, television, and movie clips.
“Why do things go bad in parking facilities?” Atlas asked. He said that most of the time, it’s the negligence of the facility’s owner-operators. Atlas recounted multiple cases where a parking garage owner’s short-sightedness ended in injury and death. For example, one hotel in Key West, Florida, was sued successfully after a crack addict went on a rampage in its parking garage, beating a woman with a hammer, almost abducting her, and then driving off with her car. The hotel exposed itself to a negligence claim when it didn’t provide security guards during business hours on the assumption that they weren’t needed during the day. The woman won millions of dollars in damages.
The solution, according to Atlas, is to design crime prevention and safety into the structure. Because parking garages come in all shapes and sizes, there isn’t a single standard to secure them. High-rise parking garages limit visibility, while subterranean garages produce blind spots that can easily be exploited by criminals, and even terrorists. But there are best practices such as good lighting, strategic placement of CCTV, security guard patrols, strong vehicle barriers, and perimeter protection.
When Atlas investigates parking garage incidents, he says he always finds multiple ways in which the attack or accident could have been prevented. But the absolute worst thing a parking garage can do is put up dummy cameras that create an illusion and expectation of security. If something does happen, that dummy camera will be a clear sign that the garage acted negligently.
Data security. Organizations must constantly protect themselves against an onslaught of cyberattacks. This requires employing many common protective measures, such as running antivirus programs and firewalls. But a few oft-overlooked defensive measures include creating stronger policies on passwords and more IT-security accountability, said IT executive and consultant Steven Yanagimachi at his seminar session.
A security advisor at Chicago-based Boeing, Yanagimachi listed some of the many threats corporate networks face. They include packet sniffing, in which software is used to monitor network activity, and man-in-the-middle attacks, in which one computer intercepts traffic intended for another.
But one of the biggest threats, he said, involves employees opening e-mail attachments that contain difficult-to-detect malware, such as key loggers that capture data via keystrokes. Many companies could benefit from reminding employees not to open attachments from unknown sources, he said.
Companies should strengthen password policies as well, Yanagimachi said. They should check passwords’ strength, particularly when they are hosted on a centralized database. In many cases, he added, traditional password authentication may no longer be sufficient. Companies should also consider the use of cards or badges that authenticate users with an encrypted computer chip, he said.
Yanagimachi also suggested regularly running network scanning tools. Such tools can detect whether vulnerable programs are running, for example, or whether necessary security software is off. He further suggested greater security accountability. He said that he regularly files reports, for example, on detected vulnerabilities. Managers are then required to report back within a few weeks, describing what corrective steps were taken.