Large Venues Reviewing Security Measures

Venues that attract crowds, such as large sports events and concerts, are reviewing their security measures, both inside and out, to prevent an attack such as the suicide bombing after an Ariana Grande concert in Manchester, England, that killed at least 22 people.

Most venues have strict rules about bags, backpacks and coolers. Some check items thoroughly before allowing them inside an arena and others do not permit them at all. Venues also employ security detail to check those attending events as well as plainclothes detail to monitor the crowd. In the United States, the Department of Homeland Security warned that the U.S. public may experience increased security at public events.

Hong Kong’s AsiaWorld Expo, where Ariana Grande is scheduled to hold a concert in September, said it plans to improve security at all concerts and events. Besides baggage inspection, there will also be metal detectors and search dogs, it said in a statement.

According to the South China Morning Post, the Hong Kong venue said it will begin using metal detectors to screen for potential threats, in addition to its usual backpack and baggage inspections. It also said it would consider using search dogs for any suspicious items or requiring visitors to wear security straps to track them while in the venue.

One mega event, the annual Indianapolis 500 over Memorial Day weekend, took to heart the task of keeping attendees safe. Adding to security planning measures for more than 300,000 attendees was the safety of Vice President Mike Pence, who was expected to attend—and arrived on Sunday morning.

Indy 500 crowd, May 26, 2017. Photo by Dana Garrett

Reuters reported that the Indy 500 has a Homeland Security SEAR 2 (Special Event Assessment Rating) designation, which means federal assets can be brought in to enhance security efforts during the event.

The Indy 500 is regarded as the world’s largest single day sporting event. Only venues on par with the Super Bowl and the Democratic and Republican conventions are given higher security ratings. Local, state and federal agencies contributed to security efforts at the Indy 500, including sniffer dogs, license plate recognition equipment and multiple security checkpoints to enforce restrictions.

There are those who believe, however, that even with enhanced measures, terrorist acts cannot be completely anticipated or stopped.

“Whatever is done—and in this case it’s British intelligence which is considered among the best in the world—it won’t prevent such incidents happening,” Jean-Charles Brisard, president of the Centre for the Analysis of Terrorism told Reuters. “You can bring back the perimeter, add security gates and as many controls as you want, but that will not change the fact that a determined individual will carry out his act if he is not caught before.”

Fewer Sleepless Nights for Compliance Executives

Improved compliance programs, sufficient resources and board access have meant fewer concerns about personal liability for compliance executives, according to a study by DLA Piper.

In its 2017 Global Compliance & Risk Report, DLA Piper found that 67% of chief compliance officers surveyed said they were at least somewhat concerned about their personal liability and that of their CEOs, which was down from 81% in 2016. And 71% said they made changes to their compliance programs based on recent regulatory events, up from just 21% a year earlier. The study found that globally the compliance function is becoming more independent and prominent in large organizations.

There still remains room for improvement, however, most notably in compliance’s relationship with boards of directors. Directors, surveyed for the first time, were more uneasy, with 82% expressing at least some concern about personal liability. “This is likely related to other findings that show lingering kinks in communications channels and a persistent lack of training for directors. Together, these findings indicate that the relationship between the compliance function and boards needs work—despite efforts taken by organizations to upgrade their compliance program,” DLA Piper said.

In 2016, 77% of compliance executives said they had sufficient resources, clout and board access to support their ability to effectively perform their jobs. This year the number rose to 84%. The improvement is possibly a reflection of the increased percentage of respondents who had the resources to make changes to their compliance program, compared to 2016, according to the survey.

While more respondents said they are increasingly able to effect change, obtain the resources they need and access senior leadership, a larger number said their budget was not high enough to accomplish their goals, rising from 28% in 2016 to 38%.

Boards had a different view, with 53% of directors agreeing strongly that their compliance group had sufficient resources, clout and board access. This was compared to just 29% of CCOs, which could indicate that CCOs are not effectively communicating their needs, the company said.

Of concern was that many directors appear to be receiving inadequate reporting and training on compliance matters. About a quarter of both CCOs and board members said the compliance function at their organization reports to the board less than once per quarter.

Of training, the report said that in light of a perceived heightened liability exposure for directors, it is puzzling that 44% of director respondents said they hadn’t received any training on compliance issues. Given evolving compliance standards and regulations—such as new Securities and Exchange Commission guidance on conflict minerals and updated DOJ guidance on corporate fraud—it’s arguable that training is more important than ever. Failure to engage in training could amount to a breach of fiduciary duty.

Almost half of respondents, 46%, identified monitoring as the weakest part of their compliance program. Monitoring, however, is particularly important in managing third-party risk, as regulators remain focused on violations related to third parties and as companies struggle to manage sprawling global organizations, DLA Piper said.

Top tools companies use to rate their compliance program:

Workforce Drug Positivity Rate Highest Since 2004

Workforce use of illicit drugs across the board—including cocaine, marijuana and methamphetamine—has climbed to the highest rate in 12 years, a study by Quest Diagnostics found.

Overall positivity in urine drug testing among the combined U.S. workforce in 2016 was 4.2%, a 5% relative increase over last year’s rate of 4%—the highest annual positivity rate since 2004 (4.5%), according to an analysis of more than 10 million workforce drug test results.

“This year’s findings are remarkable because they show increased rates of drug positivity for the most common illicit drugs across virtually all drug test specimen types and in all testing populations,” Barry Sample, senior director of science and technology at Quest Diagnostics Employer Solutions, said in a statement. “Our analysis suggests that employers committed to creating a safe, drug-free work environment should be alert to the potential for drug use among their workforce.”

The positivity rate in urine testing for cocaine increased for the fourth consecutive year in the general U.S. workforce and for the second consecutive year in the federally-mandated, safety-sensitive workforce. Cocaine positivity increased 12% in 2016, reaching a seven-year high of 0.28%, compared to 0.25% in 2015 in the general U.S. workforce, and 7% among federally-mandated, safety-sensitive workers to 0.28% from 0.26% in 2015.

Marijuana positivity continued to climb in both the federally-mandated, safety-sensitive and general U.S. workforces. In oral fluid testing, which detects recent drug use, marijuana positivity increased nearly 75%, from 5.1% in 2013 to 8.9% in 2016 in the general U.S. workforce. Marijuana positivity also increased in both urine testing (2.4% in 2015 versus 2.5% in 2016) and hair testing (7.0% in 2015 versus 7.3% in 2016) in the same population. Among the federally-mandated, safety-sensitive workforce, which only uses urine testing, marijuana positivity increased nearly 10% (0.71% in 2015 versus 0.78% in 2016), the largest year-over-year increase in five years.

In Colorado and Washington, the first states in which recreational marijuana use was legalized, the overall urine positivity rate for marijuana outpaced the national average in 2016 for the first time since the statutes took effect. The national positivity rate for marijuana in the general U.S. workforce in urine testing increased 4% (2.4% in 2015 compared to 2.5% in 2016).

Positivity for amphetamines (which includes amphetamine and methamphetamine) continued a year-over-year upward trend, increasing more than 8% in urine testing in both the general U.S. and federally-mandated, safety-sensitive workforces compared to 2015. According to Quest, this rise over the past decade has been driven primarily by amphetamine use, including certain prescription drugs such as Adderall.

After four straight years of increases, in 2016, urine testing positivity for heroin held steady in the general U.S. workforce and declined slightly among federally-mandated, safety-sensitive workers.

Positivity for prescription opiates—including hydrocodone, hydromorphone and oxycodones—declined in urine testing among the general U.S. workforce. Oxycodones have seen four consecutive years of declines, dropping 28% from 0.96% in 2012 to 0.69% in 2016. Hydrocodone and hydromorphone both showed double-digit declines in both 2015 and 2016 (0.92% in 2015 to 0.81% in 2016) and (0.67% in 2015 to 0.59% in 2016), respectively.

This decline may be due to the fact that state and federal authorities have made efforts in the past few years to place tighter controls on opiate prescribing in order to address the opioid crisis.

North Korea Now Suspected in Ransomware Attack

The massive cyberattack that has struck businesses, government agencies and citizens in more than 150 countries may be tied to hackers affiliated with North Korea. Called WannaCry, the ransomware encrypts the victim’s hard drive and demands a ransom of about $300 in the virtual currency bitcoin.

According to the Washington Post:

Several security researchers studying “WannaCry” on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.

The New York Times reported that the malicious software, based on a vulnerability included in the National Security Agency tools published by the Shadow Brokers hacker group, was distributed via email. The ransomware takes advantage of vulnerabilities in Microsoft Windows systems, generating the largest ransomware attack to date. Although the flaw was patched by the company months ago, the wide spread of the attack illustrates how many users fail to update their software. Institutions and government agencies affected included the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.

Organizations are advised to save their data and take other measures to avoid being hacked. Kroll said that while the particular ransomware variation involved in hundreds of thousands of incidents has now been rendered largely harmless, its cyber security and investigations team “strongly recommends that organizations recognize that a small change in the malware code could reactivate it. So action should be taken in conjunction with your technology unit to reduce your risk and prepare for inevitable future similar attacks. If the malware has entered your network, it has the ability to spread—and spread rapidly.”

According to Kroll:

  • Obsolete versions of Microsoft Windows are particularly vulnerable. We understand that there may be very specific circumstances that require you to use versions that are no longer supported, but now is the time to revisit the topic. See if there is any way you could use a supported operating system running a virtual version of the operating system you need.
  • Microsoft has been working to roll out updates that can fix the underlying security weakness that this malware exploits. You should make sure that both your personal and business machines running Windows are updated. We know that many people don’t want to take the time to close out all their files and restart their computers to allow updates to occur, but this is an important defense against the WannaCry ransomware. As an indicator of how serious the threat is, note that Microsoft has even released a security patch for the old Windows XP system. Please take steps to assure that all relevant machines running the Windows operating system are updated.
  • Organizations that don’t have well-thought-out backup and recovery plans are also very vulnerable. Management should be asking if there is a plan to assure that all important files are backed up in a way that will prevent a ransomware infection from attacking both the primary files and the backups.

President Trump ordered homeland security adviser Thomas P. Bossert to coordinate a government response to the spread of malware and find out who was responsible. According to the Times:

“The source of the attack is a delicate issue for the United States because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cybertools developed by the National Security Agency.”

Government investigators, while not publicly acknowledging that the computer code was developed by American intelligence agencies, say they are still investigating how the code got out. There are many theories, but increasingly it looks as though the initial breach came from an insider, perhaps a government contractor.

In a report, How to Protect Your Networks from Ransomware, the U.S. government recommends that users and administrators take preventative measures, including:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
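
As an added illustration of the email authentication and executable-filtering recommendations above (example code written for this page, not taken from the government report or from Kroll), the following sketch shows a gateway-side check that quarantines a message when its DMARC verdict is not a pass or when it carries an executable attachment. The gateway name `mx.example.org`, the blocked-extension list and the sample messages are assumptions constructed for the example.

```python
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: extensions treated as executable; set this from local policy.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar"}
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def check_message(raw, trusted_authserv="mx.example.org"):
    """Return reasons to quarantine a message; an empty list means deliver."""
    msg = message_from_string(raw, policy=policy.default)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(header).partition(";")
        # Only trust verdicts stamped by our own gateway: a sender can add
        # this header too, so foreign copies are ignored.
        if authserv.strip().lower() != trusted_authserv:
            continue
        for mech, verdict in AUTH_RESULT.findall(rest):
            verdicts.setdefault(mech.lower(), verdict.lower())
    reasons = []
    # DMARC is the combined verdict: it passes when SPF or DKIM passes and
    # aligns with the From: domain, so it is the one enforced here.
    if verdicts.get("dmarc") != "pass":
        reasons.append("dmarc=" + verdicts.get("dmarc", "missing"))
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in BLOCKED_EXT:
            reasons.append("executable attachment: " + name)
    return reasons

def build_sample(auth_results, filename):
    """Constructed test message; addresses and content are placeholders."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Invoice"
    m["Authentication-Results"] = auth_results
    m.set_content("See attachment.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    spoofed = build_sample("mx.example.org; spf=fail smtp.mailfrom=example.com;"
                           " dkim=none; dmarc=fail header.from=example.com",
                           "invoice.pdf.exe")
    print(check_message(spoofed))
```

The check is only as reliable as the gateway that writes the `Authentication-Results` header, so that gateway should also strip any copy of the header that arrives from outside.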