On our blog we love to look at different takes on cultural differences. Understanding culture and how it impacts your business isnt just about dos and dont's. It is SO much more and this little piece on culture and security highlights nicely how culture impacts pretty much everything we do from handshakes to security fences.
According to Grant Hatchimonji, culture both positively and negatively influences the strength of physical perimeter security. In his article on CS Online, he states that this type of security differs between different facilities, as budgets and protected assets vary per company.
However, he believes a facility’s geographical location and culture also play a role.
After all, different countries have different physical perimeter securities. Hatchimonji states that the United States, for example, have less strict measures compared to the rest of the world. Eric Milam, managing principal at Accuvant, says that measures such as tailgating protection and man traps are much more common in Europe, for example, than in the US.
Bill Besse, vice president of consulting and investigations for Andrews International LLC, says that even though many companies located in European countries can decide what measures to implement for themselves, some countries have nation-wide rules to which all companies must comply.
He states that in places where terrorist attacks have taken place, the government often interferes in perimeter security. He gives the example of Istanbul, where important buildings are equipped with magnetometers and baggage and parcel screening. Moreover, even though everyone has to go through a security check before entering a building of importance, Besse says nobody is bothered by this: it has become part of Turkish culture. He adds that for India and Israel, for example, the situation is no different.
Milam says he discovered that social engineering is a great way to bypass strict perimeter security measures.
He gives the example of a request he received from a Japanese company that asked Accuvant to test their security. His staff had no trouble at all entering the building: the pictures of the employee and contractor badges of the company his team found online and the dumb attitude his two employers adopted made it very easy for them to enter the building. They even took pictures of themselves with the guard when they left!
The team also chose a convenient time for their arrival, as they made sure it was night time in the US. That way, the Japanese company would be hesitant to call their headquarters as everybody would be asleep. Milam says the submissiveness that can be found in the Japanese culture meant his people could do as they pleased – the Japanese simply wanted to remain respectful and thus didn’t question their actions. He states that he encountered the same situation in companies he pen tested in China, but in the Netherlands as well.
Gender in Spain
In Spain, however, Malim and his team had a little more trouble entering a company. When he pen tested an oil refinery company there, he met a fierce obstacle. He and his team created a letter that stated his people should be helped in any way possible. This letter was signed with a forged signature of the chief legal officer. Malim’s goals was to access an open conference room, but at the front desk, he was bombarded with questions by a middle-aged lady who wasn’t impressed by his letter. Milam was lucky enough that the lady decided to take his request to the head of the plant, who did believe his letter. Again, he says, security crumbled because of a cultural aspect: apparently, men overrule women in Spanish culture.
Milam believes the lady from the front desk would have scared off less persistent intruders. Simple measures, such as limited egress points or one entrance for employees, he says, are often quite effective.
Getting your security right
According to Hatchimonji, the expansion of perimeters must also be taken into account when a company plans its security. Besse thinks companies must have several perimeters zones, as this means intruders are spotted earlier and don’t have access to their target when they succeed in entering the first zone.
This doesn’t mean the outermost security zone isn’t important, Hatchimonji says – the earlier trespassers are hindered in their actions, the better. Besse adds he learned that intruders like to take the path of the least resistance and quickly move on when they fail to breach a perimeter. Thus, he says, companies must make sure they aren’t the softest target in the area. However, he believes being the hardest target in the area isn’t always recommended as this involves a great deal of money. Moreover, Besse says, sometimes the hardest targets are seen as the most attractive ones.
Thus, Hatchimonji concludes, to ensure the maximum possible security, companies on a budget should take a close look at the risks they are running. After determining what their losses might be, they can then decide on their level of protection.