New Zealand Security - April-May 2020 by Defsec New Zealand

April/May 2020

New Zealand Security Magazine

Gary Morrison on Covid-19 and lockdown uncertainty

New access control standards a welcome addition

A New Zealand strategy for protecting crowded places from attack

Opinion: Much to be done in response to violent extremism

New Zealand Security Association CEO talks about the importance of creating certainty in an unprecedented period of unknowns

The soon-to-be released strategy will rely on unprecedented engagement between Police and businesses and community

April / May 2020

Andrew Thorburn provides insights into the new AS/NZS 60839 Australian/New Zealand access control standards

Dr Richard Shortt provides his perspectives on the Christchurch Mosque Attacks â&#x20AC;&#x201C; and lessons for government â&#x20AC;&#x201C; twelve months on

www.defsec.net.nz

NZSM

e c u r i ty I

S â&#x20AC;&#x2122;s

mited 30 y Li e

Loktr

y tr s u

ervicing N

Loktronic Supply during Covid-19 Lockdown In the last month we have significantly increased our stock holding and do not anticipate any supply issues. Additionally, we have extra large stocks of our house brand products, being those items branded Loktronic, Loktrenz and ViTECH We have established the following protocols: a) We will be trading normally until 5 p.m. on Wednesday 25 March 2020. b) From Thursday 26 March until further notice our door will be locked and one person will be on site to take phone calls and process any urgent orders. c) Please place any orders by e-mail from a recognized e-mail address. d) Send any e-mails to mail@loktronic.co.nz e) Any e-mails from addresses that we do not recognize will be checked to ensure that they are not scams. f) We will acknowledge all orders by e-mail. g) For Auckland based clients who wish, we will arrange a time for orders to be collected from outside our door. h) We will arrange for courier delivery for all other orders. We can be contacted during normal business hours on our trunk line, 09 623 3919. If our duty person is busy and unable to answer promptly, please leave a message and we will return the call at the earliest opportunity. We wish you all well and look forward to a return to more normal times. Peter Calvert Director Loktronic Limited

Loktronic Limited Unit 7 19 Edwin Street Mt Eden Auckland P O Box 8329 Symonds Street Auckland 1150 New Zealand Ph 64 9 623 3919 Fax 64 9 623 3881 0800 FOR LOK mail@loktronic.co.nz www.loktronic.co.nz

security security

The Complete Security Solution The Complete Security Solution Expand your offerings to cover intrusion from DSC, video from exacq and access from Expand yourcontrol offerings to kantech cover in one singlefrom solution. intrusion DSC, video from exacq and access control from kantech in one single solution.

INTRUSION VIDEO INTRUSION VIDEO

ACCESS ACCESS

For a total solution from a single trusted source Visit: tycosecurityproducts.com Call:solution +61 0499688921 +61 499 688 921 For a total from a single trusted source Email: bts-emea-tycosales@jci.com bill.sakellariou@jci.com Visit: tycosecurityproducts.com Call: + 64 (0) 27 272 1798 Email: chris.whiting@jci.com

The all-in-one integrated solution provides the best of video surveillance, intrusion detection and access control all from one single, trusted partner. You can deliver a full solution to yourall-in-one customersintegrated with ease solution and business owners and security The provides the best of video personnel canintrusion managedetection all aspects of access on-premises surveillance, and controlphysical all from security from a single interface kantech one single, trusted partner. You -can deliveroraexacq. full solution to your customers with ease and business owners and security personnel can manage all aspects of on-premises physical security from a single interface - kantech or exacq.

CONTENTS ISSN Print 1175-2149 ISSN Online 2537-8937

The Interview: Gary Morrison on Covid-19 and lockdown uncertainty............................................................................................................... 8 How intelligent video surveillance supports smart mobility................................................................................................................................ 10 A New Zealand strategy for protecting crowded places from attack................................................................................................................ 12 Protection during a pandemic – how security solutions can help keep people safe................................................................................... 16 Uniview supports pandemic response with suite of body temperature solutions....................................................................................... 18 New access control standards a welcome addition.................................................................................................................................................20 Inner Range’s Inception now integrates with Hanwha WiseNet Wave VMS....................................................................................................24 International Standards: An explainer..........................................................................................................................................................................26 Security Training and Professional Development SIG.............................................................................................................................................28 Creating security culture requires leadership from security.................................................................................................................................30 A note of caution on the digital document revolution...........................................................................................................................................36 Our Journey - A week in the life of a business dealing with Covid-19................................................................................................................40 Cyber threat evolution – cyber security, physical security, and the importance of staying up to date..................................................42 Fatalities from terror attacks continue to decrease.................................................................................................................................................44 Assessing cyber risks to your access control system...............................................................................................................................................46 Opinion: Much to be done in response to violent extremism..............................................................................................................................50 NZSA CEO’s March Report................................................................................................................................................................................................52 Professional Investigators: No rest for criminals in lockdown..............................................................................................................................54

year 10 guarantee ENJOY a

20851

on Loktronic Indoor Electromagnetic Locks!

*Standard terms & conditions of sale apply.

The VPN is back but don’t forget device hygiene.....................................................................................................................................................56

Industry Associations

www.security.org.nz

www. asis.org.nz

www.masterlocksmiths.com.au

0800 367 565 www.loktronic.co.nz

www.skills.org.nz

www.nzipi.org.nz

April / May 2020

VUpoint NVR

Maximizing Securitywith integrated Alarm & Video

Live view

Alarm Verification

Recording

The new VUpoint NVR,a superior plug & play recording system,combined with unrivaled alarm verification capabilities, provides a unique video offering of complete NVRand IP cameras solution. Installing video & alarm? RISCO’sintegrated solution is your best choice.

Full P2PVideo Solution

A variety of NVRs& IP Cameras to tailor a solution for every application.

April / May 2020

One App. Integrated Solution

Integrated with RISCO’s professional security systemsfor real time alarm verification, Live View and recording.

Event evidence backup, remote admin management and advanced cyber security.

For more information about VUpoint NVR,please visit

www.AWLNZ.com

ALLIANCE Wholesale NZSM 5

ICT & Security – from Entry to Enterprise

FROM THE EDITOR Welcome to the April/May 2020 edition of New Zealand Security Magazine! Due to Alert Level 4 lockdown and fact that printers are closed, this edition will be released online only, and will be available in PDF via the Defsec website and Issuu. Each article will also be posted to the Defsec website and circulated individually on LinkedIn and our other social media channels. If you haven’t done so already, I welcome you to bookmark the Defsec site – www.defsec.net.nz – which is the online home of NZSM, Line of Defence and Fire NZ magazines, to subscribe to our email newsletters via the form on our website, and to also follow us on LinkedIn via the address listed on this page. Unsurprisingly, COVID-19 is a major focus of this edition, with several articles featuring commentary and analysis on the pandemic, the lockdown and associated issues. From the outset, I wish to acknowledge the industry leadership of the NZSA and its CEO Gary Morrison, who have not only been providing updates to its members on an every-other-day basis (and sometimes daily), but have also actively gained certainty for the industry by taking an early position in relation to security as an ‘essential service’ and by helping ensure supply of guarding labour and PPE into the sector. I’d also like the acknowledge all the work being done out there by security guards, crowd controllers, patrol officers, technicians and other security professionals providing essential services in challenging circumstances. Also in this edition, Andrew Thorburn provides insights into the new Australian/ New Zealand access control standard, highlighting the importance of the standards for the entire supply chain from manufacturers to installers to end users. With the government’s ‘Protecting Our Crowded Places from attack: New Zealand’s Strategy’ to be launched in the near future, I take a sneak peek at the document and identify areas of convergence and departure from the 2017-published Australian version. It is now over a year since the Christchurch Mosque Attacks when 51 members of our community were stolen from us by a cowardly, senseless, despicable attack. In his analysis, Dr Richard Shortt provides his perspectives on violent extremism and New Zealand’s changed threat landscape. We also catch up on all the latest from the NZSA, NZIPI and our excellent sponsors, and much, much more. A day prior to this release of this magazine, many within the industry would have received the sad news of the passing of Michael Pepper. Michael was well known and widely respected among security professionals throughout New Zealand as a teacher and mentor. He gave generously of his knowledge and time to support many through their studies and certifications, and contributing in many ways to the professionalisation of the industry. An exemplary figure within our community, he will be missed by many. Rest in Peace, Michael. Nick Dynon Auckland facebook.com/defsecmedia twitter.com/DefsecNZ linkedin.com/company/ defsec-media-limited Upcoming Issue June / July 2020 Wholesalers and Manufacturers Perimeter Protection, Alarms, CCTV

Disclaimer: The information contained in this publication is given in good faith and has been derived from sources believed to be reliable and accurate. However, neither the publishers nor any person involved in the preparation of this publication accept any form of liability whatsoever for its contents including advertisements, editorials, opinions, advice or information or for any consequences from its use. Copyright: No article or part thereof may be reproduced without prior consent of the publisher.

NZSM New Zealand Security Magazine

Nick Dynon Chief Editor Nick has written for NZSM since 2013. He writes on all things security, but is particularly fascinated with the fault lines between security and privacy, and between individual, enterprise and national security. Prior to NZSM he clocked up over 20 years experience in various border security and military roles.

Contact Details: Nick Dynon, Chief Editor Phone: + 64 (0) 223 663 691 Email: nick@defsec.net.nz Craig Flint, Publisher Phone: + 64 (0) 7 868 2703 Email: craig@defsec.net.nz Postal and delivery address: 27 West Crescent, Te Puru 3575, Thames, RD5, New Zealand

April / May 2020

NZSM

INTERVIEW

The Interview: Gary Morrison on Covid-19 and lockdown uncertainty In this exclusive NZSM interview, the New Zealand Security Association CEO talks with chief editor Nicholas Dynon about the importance of creating certainty in an unprecedented period of unknowns. ND: What’s the NZSA’s current focus? GM: A lot of our focus now is shifting onto how we can provide staff for the industry, and particularly redeployment from other industry sectors. Basically, MSD can’t support the [Skills for Industry] program we were running, as they’re currently one hundred percent focused on the government support package. So, what we’re looking at doing now is rather than focusing on the MSD process we’re talking to anyone who’s been displaced and wants to look at the security industry, and seeing if we can find them employment. It just requires some changes in how we do things to make it work, and that’s what we’re working on at the moment. We’ve already been pre-paid a reasonably substantial amount of money by the MSD, and they’ve just said “go and do your best to get people into employment; that’s the focus, and we’ll support you, and once the whole thing gets sorted out then we’ll work out what’s fair.” We’ll work our way through it when we get there. I think it’s the right thing for us to be doing. We’re in a pretty sound financial position so it’s not as if we can’t afford to do it.

increase in demand and I think that’s starting to really ramp up at the moment. As far as I’m aware, every manned service provider is either adequately resourced or is looking for resource. There’s nobody who is saying that they’ve got surplus staff. Even those providers who have tended to specialise in event security have been actively redeploying those staff into guarding work. And even on the electronic side, I’m not aware of any company that has had to lay staff off or go down that track. There may be people taking enforced leave, but no redundancies or lay-offs have come through to our attention. ND: It would appear that some contracts/projects may have been delayed due to the uncertainty and the lockdown. GM: I think that will come through. The other side to it is that there is also work identified at the moment that we’d say is of ‘public safety interest’, which has come

about due to the lockdown, and there may be a heightened awareness of how vulnerable some customers are as well. As an example, I was talking to a provider just shortly before who has been asked to do a fairly urgent install at a fast food outlet site. They are non-essential, in fact they’re closing up, and that’s where their issue is. They’re traditionally a 24/7 site and don’t have any form of alarm security whatsoever. They’re thus extremely vulnerable during the period of the lockdown, and they’re gaining a security awareness that they didn’t have previously. I don’t think it will be that long before we see some looting issues and things like that. As we saw in Australia with the bush fires, it can bring out the worst in people. Some people are just naturally inclined to do that, and there are now people who are under some fairly extreme financial pressure, so I think things like that may start to get highlighted.

ND: It appears we’re seeing an upsurge in demand for security guarding. Is this the case? GM: Definitely. It hasn’t been across the board, but generally there’s been an

April / May 2020

ND: What about on the security consultant side? GM: Work for consultants has definitely slowed down, and unless its involved in essential services – which would be not a considerable amount of work – I don’t think there is a lot of work. A couple I’ve talked to have definitely slowed down considerably. I am aware of one consultant who is just looking to do some guarding just to supplement their income. Having said this, we probably don’t have a lot of independent security consultants. You could probably count them on a couple of hands. There’s not a hell of a lot there once you take out those consultants selling product and so on. Those on the sales side are probably still in their roles because the distributors are still providing equipment for the integrators. ND: I gather than BDMs in integrators and so on may start to feel a little uncertain about things in coming weeks? GM: I think they will, and there’ll be people within security companies in a number of roles who may feel quite concerned, but I still think they’re in a much better position than the majority of industries. It’s that glass half full type of approach and about looking on the bright side. There is protection there for people for a 12-week period, so it’s not a good

April / May 2020

position but when you look at the total industry I think that it’s a very small proportion that would be in that situation. I’ve talked to probably 40 or 50 CEOs and GMs in the last week or so, and what really comes through is that planning is at the forefront of what they’re doing, and I’ve been impressed by the approach adopted by a lot of the businesses. It’s a changing scenario every single day, and people will always feel that changeability. I think that a lot of our businesses are coping well with that. The biggest challenge I’ve been hearing about is that of uncertainty. Businesses can cope with change but uncertainty’s a real difficulty, and that’s why we’ve taken the view around the ‘essential services’ definition that we have. [ This interview was conducted prior to the government 25 March Covid-19 update that identified security as an essential service. The NZSA had come out publicly ahead of government stating that security is an essential service, and had also lobbied government to that effect] We’ve taken the philosophy that we should take a lead on it and say “this is best practice for our industry, our workers and our customers,” and if someone wants to challenge us at a later date they can. If they’ve got a good argument we’ll change, but otherwise we’ll lobby and say that what we’re doing is the right thing to be doing.

I think it’s that uncertainty at the moment that I’ve seen people really struggling with. They just don’t know how to handle the situation where they have not been given a clear direction as to what they should be doing. No doubt that’s also a challenge for government at the moment. If someone turns around at some stage and asks why we did what we’ve done, I’ll say that we looked at what happened overseas, we followed best practice, we looked at the public safety and we considered all those factors and this is what we see it to be. In the absence of any clear directive I believe it’s the right way to go. ND: Any advice to uncertain members of the industry? GM: My suggestion is to talk to people. If you’re uncertain, talk to us, talk to your network and to people you trust and respect, and don’t be afraid to ask questions. It’s something that no one has ever dealt with previously, so don’t be afraid to say what you think or to ask questions. We’ve got to be operating for the good of the country. I’m aware of one provider who made comment that he wouldn’t make any staff available to another provider to help their business, and to me that’s the wrong attitude. Everybody’s in this.

NZSM

How intelligent video surveillance supports smart mobility The ease of getting from point A to point B, the effective movement of goods and services, and the flexibility and integration of various modes of transportation are key aspects of mobility today. Smart Mobility has been a key theme in the transportation industry for a while. The idea is to keep traffic flowing and help people to get where they need to be, in a smarter way. To this end, industry players are now innovating and introducing advanced technologies and solutions. Examples include intelligent traffic management systems, free-flow tolls, autonomous driving, smart location solutions, and more. At the same time, traffic congestion, aging infrastructure, rapid urbanisation, and increasing sustainability demands are also intensifying the need for smart mobility solutions. One way to overcome these obstacles is to use intelligent video surveillance technology for improved traffic management, making the roads safer and more efficient for every user, while also reducing emissions.

Perceptive intersections Relying on intelligent video analytics, traffic video cameras identify traffic build ups at intersections by counting numbers of vehicles crossing an intersection and detecting their speed, while also counting the number of vehicles queueing in realtime. Aggregated data informs the system when to switch traffic lights to red or green. Intelligent optimisation for traffic signals ensures more effective traffic flow. The benefits? Improved safety on the roadways; intersection reconstruction can be avoided; drivers can be advised about

the speed of their route, forecasted by traffic signals; reduced wait times and stress for commuters; reduction of harmful emissions; and positive impact on public satisfaction. Road safety Traffic incidents can be disastrous, not merely for causing congestion on the roads but sometimes far worse â&#x20AC;&#x201C; resulting in injuries and even fatalities. These incidents have many causes, not the least of which is drivers willfully violating traffic laws. Video technology can aid in detecting all kinds of events â&#x20AC;&#x201C; for example, illegal parking, running a red light, wrongway driving, speeding, and making illegal U-turns can all be detected by smart camera technology.

April / May 2020

By using deep learning technology, cameras can recognize these events and traffic authorities can be immediately notified and take necessary actions even before traffic incidents occur. Scenarios include stopping a driver who is occupying an emergency lane, or notifying a driver who parked their car illegally. Furthermore, ticketing systems can be incorporated to further regulate driving behaviors. Benefits here include incident prevention, better driver performance, and increased safety on the roads and streets, to name just a few. Public information Sharing information is key to keeping city drivers and travelers informed. Intelligent communication about warnings and updates helps everyone save time, avoid frustration, and simplify everyday mobility. This can be done via traffic guidance screens displayed at highly visible locations, such as congested areas, transportation hubs, shopping malls, and city plazas â&#x20AC;&#x201C; or even at your fingertips on your favorite mobile apps! Traffic video cameras generate real-time data of traffic flow and incidents, sending it to a central platform to further fuse with data from third-party systems such as radar and GPS systems. They also disseminate traffic information, including traffic status, warning and advisory notices, as well as parking status. The benefits are improved public awareness of traffic information, improved travel convenience, overall enhancement of mobility in the city, and more.

April / May 2020

The Hikvision practice Hikvision has accumulated sophisticated experience in traffic management both at home and abroad. Product lines offer versatile solutions to resolve multitudes of problems in urban traffic management, traffic incident management, highway management, and more. Going deeper, itâ&#x20AC;&#x2122;s essential to note that efficient signal control management is dependent on the quality of traffic data, system algorithms, and the hardware devices in use; it is also closely related to the mobile environment, such as road conditions, historical traffic conditions, and urban infrastructure. Because of this, no single solution solves traffic congestion everywhere. Hikvision believes that only by working closely with city authorities, public safety organisations, consultants, even academia and other relevant stakeholders, can applications and operational processes be developed to achieve the best possible outcomes. The possibilities for traffic video data are endless, especially now that it can employ artificial intelligence for advanced functionality. Harnessing its power will make all the difference, but the ultimate goal remains the same: safe and smooth traffic, smart mobility, and improved quality of human life. For more information on Hikvisionâ&#x20AC;&#x2122;s Intelligent Traffic System Solution, please visit: https://www.hikvision.com/en/ solutions/solutions-by-industry/traffic/.

NZSM

A New Zealand strategy for protecting crowded places from attack The soon-to-be released New Zealand strategy for protecting crowded places from attack will rely on unprecedented engagement between Police and businesses and community, writes chief editor Nicholas Dynon.

New Zealand’s Counter-Terrorism Strategy was published on 18 February, the same day it was green-lighted by Cabinet Decision ERS-19-SUB-0026: Looking Forward: Strengthening New Zealand Against Terrorism and Violent Extremism (September 2019). But most New Zealanders wouldn’t know it.

Initially, the lack of a fanfare-filled hard launch was the likely result of a decision to maintain status quo in the lead-up to the 15 March first anniversary of the attacks that prompted the Strategy in the first place. Then came Covid-19 and the need for the national security system to focus on the response to the most significant national health emergency in generations. One of the documents mentioned in the Strategy is Protecting Our Crowded Places from attack: New Zealand’s Strateg y, which, NZSM understands, was to be publicly released by the end of March. With Covid-19 Alert Level 4 lockdown in place, we expect that this release will be delayed due to the lockdown and the focusing of resources on the Covid-19 response.

Nicholas Dynon is Chief Editor of Defsec Media’s defence, security and safety publications. He has reported widely on – and advocated for – crowded places strategies since the release of the ANZCTC strategy in 2017.

Benefitting from previous iterations As reported in the October 2017 issue of NZSM, Australia’s Strategy for Protecting Crowded Places from Terrorism was launched on 20 August 2017 by the then Prime Minister Malcolm Turnbull. Although released by the Australian Attorney General’s Department, it was published under the auspices of the Australia New Zealand Counter Terrorism Committee (ANZCTC).

April / May 2020

This followed the release three years earlier of the UK Protecting crowded places from terrorism guidance on 14 November 2014, itself preceded over several years by a raft of ‘counter terrorism protective security advice’ documents specific to certain categories of crowded places, including ‘places of worship, major events, health, higher and further education’, ‘stadia and shopping centres’, ‘visitor attractions and bars, public houses and clubs’, and ‘hotels and restaurants & commercial centres’. A straw poll conducted among security sector attendees at the Safe and Secure Facilities and Public Spaces conference hosted by Conferenz in Wellington in August 2019 indicated that the Australian crowded places strategy was to some extent known among New Zealand security practitioners but by no means by a clear majority. It remained practically unknown among the general public. By contrast, in Australia, the ANZCTC strategy, which provides guidance to owners and operators of crowded places on how to protect their patrons, visitors and employees from terror attack, has become the vehicle for dynamic platforms of public-private engagement and information sharing both nationally and across states and territories, and also at the local level via Crowded Places forums. A crowded places strategy for New Zealand We are yet to see the document, but it is anticipated that the New Zealand version will share strong commonalities with its Australian predecessor, but with some differences – starting with the title of the document itself. ‘Protecting Our Crowded Places from attack: New Zealand’s Strategy’ replaces the terrorism-focused nomenclature of the Australian and UK versions with the less-specific ‘attack’. On one level this avoids a potentially undue and alarmist reference to terror, recognising that in New Zealand’s threat profile terrorism looms less large than it does in the UK and across the Tasman. On another level, it also acknowledges that the ‘terrorism’ label – as applied to many attacks internationally – has proven to be somewhat contestable. Many ‘lone wolf’ and ‘fixated person’ attacks, for example, have attracted the terrorism label despite not necessarily meeting the various scholarly or policy definitions of terror. The title of the New Zealand document also departs from the preceding versions by its use of the pronoun ‘Our’, which implies an inclusive identity, and the only non-preposition within the title not to receive first-letter capitalisation is ‘attack’, semantically subordinating that term. These are subtle yet powerful innovations that convey important New Zealand points of difference: inclusivity and a remit that broadens the utility of the document to the myriad threats – fixated person, armed offender, terrorist or otherwise – that such a Strategy should be able to collectively address. Beyond the front cover, there are several further unique elements. At the national level, the Australian strategy features a Business Advisory Group (BAG) made up of representatives of crowded places with a national presence, which reports to and is advised by the Crowded Places Advisory Group, which in turn reports to and advises the ANZCTC. The ANZCTC ultimately reports to the Council of Australian Governments (COAG). In the New Zealand strategy, a hierarchy of crowded places groups will interface with the National Security System via the existing Counter Terrorism Coordination Committee. These include a Business Advisory Group (BAGNZ) and a Community Advisory Group (CAGNZ) that will both report to the DPMC

April / May 2020

The 2 Wire Intercom System From Bticino The easiest system available The 2 wire intercom system is the best technology available when time saving and ease of installation are crucial. With the simple non polarised 2 wire bus it is possible to install all kinds of simple and complex systems from single dwellings to large apartment and age care complexes.

Classe 300X13E

The new Classe 300 Wi-Fi monitor allows you to transform every home into a connected home. Receive calls, open the gate and activate the camera remotely day or night, at home or away from home.

Digital Call Entrance Panel Introducing the Linea 300 vandal-resistant entry panel with heavy stainless steel front cover. Can be flush or surface mounted. Call up to 4000 residents from multiple entry points.

Door Entry App: designed for the end user

DOOR ENTRY is the free APP for Android and iOS smartphones and tablets. Configuring the App needs just a few steps and, thanks to the BTicino Cloud, the connection is totally automated and managed with the maximum level of security. No port forwarding or router configuration required.

Matt Isaac M: 021 666 502 • P: 0800 34 88 88 E: info@incnz.co.nz • W: www.intercom.co.nz Auckland, New Zealand

NZSM

Crowded Places Advisory Group (CPAGNZ). NZ Police is the lead government agency for this strategy. While it is not clear what the likely membership of the BAGNZ and CAGNZ will be, the addition of the CAGNZ carves out a clear role for ‘community’ representatives – a delineation not made in the Australian version – and a clear elevation of the importance of community engagement in the process. Like the Australian version, NZSM understands that the New Zealand strategy will also include Crowded Places Forums to facilitate engagement and information sharing at the local level. These forums are envisaged as a vehicle for fostering local networks and partnerships to ensure all stakeholders are as well connected as possible. The non-government security sector The ANZCTC strategy provides a suite of guidance documents relating to specific threats, such as vehicular attacks, chemical attacks, improvised explosive devices and active shooters. Likewise, the New Zealand strategy will likely include guidelines, security audits and self-assessment tools, which are aimed at assisting owners and operators of crowded places to understand and implement protective security measures. While the Australian strategy states that in many cases, owners and operators will need to seek further advice from private security professionals, presumably in relation to how they can make full sense of the self-assessment tools and implement appropriate security controls and safety measures, it is unclear whether the New Zealand strategy will identify a similar role for private security practitioners. Many of the physical and electronic security controls the strategy puts forward for deterring, detecting, delaying

and responding to an attack – fencing, security lighting, CCTV cameras, intruder detection systems, vehicle barriers, environmental measures (CPTED), screening equipment, security response staff and security plans – are controls that professional security consultants and providers are generally best qualified to advise on. As such, the non-government security sector has an important potential support role to play in the effective adoption and operationalisation of the strategy, and a failure of the document to acknowledge this would be an unfortunate omission. New Zealand lags behind both the UK and Australia in terms of public-private partnerships and engagement in security. The Southern Response controversy and resulting 2018 State Services Commission Inquiry into the Use of External Security Consultants by Government Agencies and the NZ Police Engagement of External Security Consultants report appear to have resulted in government agencies and law enforcement engaging even less with the non-government security sector. Protecting Our Crowded Places from attack: New Zealand’s Strategy brings with it the promise of unprecedented levels of engagement between government and society in the protection of soft, high impact targets, and by all accounts this is a promise that lead agency NZ Police is intent on delivering on. It’s an exciting prospect. Police engagement with representative bodies within the non-government security sector, such as the New Zealand Security Sector Network (cross-sector), New Zealand Security Association (physical security) and ASIS New Zealand Chapter (security managers and consultants), would ensure that the strategy benefits from the input of relevant professionals. It would also avoid the potential conflict of interest pitfalls that direct provider engagement has caused in the past.

April / May 2020

SECURITY TECHNOLOGY RELIABILITY

your electromagnetic locking specialist!

Underpinned by 30 year's experience and service with integrity. Standard features include: • Field-selectable 12 & 24 VDC options • 550kg holding force • Slimline styling • Instant release • Stainless steel fitting hardware • Through hardened, polished stainless sex nut • Full protection against transients.

Options include: • Door Position Switch • End-to-end Magnetic Bond Sensor • Header extension angle bracket • Custom full width housings • Z/L brackets for inward opening doors • Frameless glass door brackets • Powder coated or anodised colours • Stainless indoor, outdoor and gate locks

GUARANTEE

April / May 2020

GUARANTEE

NZSM

*Standard terms & conditions of sale apply.

21066/1/18

For expert advice and assistance with your security locking needs, trust in Loktronic, call us on 0800 367 565

COVID - 19

Protection during a pandemic – how security solutions can help keep people safe Steve Bell, Gallagher’s Chief Technology Officer – Security, writes that Gallagher’s Command Centre, Mobile Connect app and contactless technology helps organisations keep track of people onsite and keep them safe. The current pandemic situation around the world has left many organisations asking how they can protect the health of their staff and visitors while on site. For essential services, this is more important than ever before, but it is also a major concern for businesses everywhere who need to protect wellbeing and increase the safety of their work environment when operation recommences. We’ve been communicating with a number of customers about actions they can take in the short term, and moving forward, to help keep people safe. One way to protect the wellbeing of people on site is to reduce the number of surfaces they come into contact with. Utilising contactless access technology, such as the Morphowave biometric

Steve Bell is responsible for the global technical vision of Gallagher’s security business. He leads all aspects of the technology programme, and sits on the company’s executive leadership team.

reader, can reduce the spread of contactborne viruses or bacteria that could cause people to become unwell. Gallagher’s Mobile Connect app also allows for contactless access, with full two factor authentication. Gallagher’s Mifare DESFire card technology uses single factor authentication, which eliminates the need for users to touch a PIN pad. Sites operating some fingerprint biometric systems can temporarily reconfigure the readers as card only readers to also reduce surface contact. Social distancing is a term that has been discussed often over recent weeks. By utilising the Zone Counting functionality in Gallagher’s Command Centre, limits can be set on the number of people able to access a specific physical area at any time. Breakrooms, meeting rooms, or other areas where people congregate can be configured to ensure they don’t become crowded places, and that people have the space to move around safely. For sites unable to operate at all during this time, Command Centre’s lockdown functionality allows a site to quickly and easily shut down, securing the building with access enabled for critical staff only. Command Centre also provides a method for tracking the movement of individuals on site. If a staff member or visitor to site were to become unwell, their movements could be traced and individuals they may have come into contact with can be identified, enabling those at risk to isolate or seek the necessary treatment to reduce the risk of the illness spreading further. Capturing detailed information about visitors to your site is also important. A good visitor management system will

not only inform visitors about important site information, such as evacuation procedures or health and safety information, but can also gather vital information about who is entering your site. Information gathered could range from contact information to specific questions about whether they have recently travelled internationally. With the current situation changing rapidly, it’s crucial to keep staff updated with important information, and to ensure they receive communications promptly. This can be a challenge, with many workplaces now operating remotely as their staff work from home, or not operating at all. Gallagher’s Broadcast Notifications tool can send information out via email, text message (SMS), or the Gallagher Mobile Connect app to keep staff updated in real-time. Visit security.gallagher.com for more information on how your security system can help keep people safe.

April / May 2020

1999 - 2019

Tactical Solutions April / May 2020

NZSM

INDUSTRY

Uniview supports pandemic response with suite of body temperature solutions IP video surveillance leader Uniview offers a comprehensive range of non-contact, highvolume and multi-function solutions supporting timely and safe detection of high body temperatures. With the fight against COVID-19 heating up, Uniview has been contributing to the effort as a manufacturer of leading fever detection and epidemic prevention equipment. UNV body temperature solutions are playing their part in a diverse range of deployments, from airport terminals to office buildings.

Uniview provides a wide range of body temperature solutions, with noncontact temperature measurement to prevent cross infection, and the ability to identify subjects even while wearing masks, triggering built-in audio alarms when temperature readings exceed the set threshold. Face Recognition Terminal with Digital Detection Module The OET-213H-BTS1 digital detection face recognition access control terminal offers a precise rate of recognition, large storage capacity and fast recognition speed. It integrates UNV face recognition and non-contact temperature detection technology to ensure maximum safety. The digital detection module supports rapid body temperature detection, achieving face recognition and temperature detection at the same time. This means it’s well-suited to deployment in common areas, such as schools, office buildings and hospitals to rapidly detect higher-then threshold temperatures. The system’s non-contact wrist temperature detection module measurement range is between 30 and 45 degrees Celsius, with a measurement accuracy to 0.1 degrees celsius. Its deep learning algorithm model provides for a face recognition accuracy rate of > 99 percent (a false rate of < 1 percent) and fast recognition time of 0.2 seconds. Additionally, the terminal boasts antispoofing detection, making it effective against photo and video-based fraud, and it is tamper protected. It supports ‘door open timeout’ and ‘time exceed’ alarm functions to keep door opening during fire alarm active

Bi-spectral Infrared Temperature Fast Screening Instrument Uniview’s dual-view infrared TIC600 series dual-spectrum infrared body temperature rapid screening camera uses a non-refrigerated core and low signal-noise image processing technology. It is a non-contact, real-time, continuous and accurate temperature measuring system.

April / May 2020

SUBSCRIBE Its dedicated software displays continuous and accurate temperature information of subjects in the field of view, making it ideal for entry-exit health quarantine checkpoints at airports, stations, terminals, ports, and epidemic prevention in places such as schools, hospitals, office buildings. Hardware advantages of the system are longer detection distance, 120dB WDR feature, blackbody to ensure temperature measurement accuracy. Key features of the TIC600 include its 384 x 288 pixel high sensitivity sensor, body temperature detection with abnormal temperature alarm, automatic exposure control and automatic white balance, and an ability to superimpose temperature measurement information on standard images so that they’re easier to keep track of.

Readers of NZ Security include those working directly and indirectly in the domestic and commercial security industry. From business owners and managers right through to suppliers, installers and front line staff. Among our readers are IT security experts, surveillance professionals and loss prevention staff. Our readers take their job seriously and make an active choice to be kept informed and up to date with the industry. For only $75.00 plus GST you can ensure that you receive a 1 year subscription (6 issues) by filling out the form below and posting to:

Integrated wrist temperature measurement system The CW180 is a non-contact, multifunctional safety check system that can be used to detect for temperature abnormality with face image captured. It consists of temperature measurement, image acquisition system, date storage and business showing system, HD display system. It is suitable for a range of deployments, such as school, hotel, enterprise, government building, supermarket, business premises, etc. It is rapidly deployable and easy to use for temperature measurement. The system’s real time alarm and voice linkage will trigger when the detected temperature over the set value. This system can be used as local business and remote business. With Uniview’s APP, alarm notification can be sent to mobile, details image and playback video can be displayed on APP. For more information about how Uniview’s body temperature solutions can support the safety and security of your sites contact local distributor: Clear digital on 09 215 2300 or visit their website: www.cleardigital.co.nz.

New Zealand Security Magazine 27 West Cresent, Te Puru, 3575 RD5, Thames, New Zealand or email your contact and postal details to: craig@defsec.net.nz Mr Mrs Ms________________________ Surname_________________________ Title_____________________________ Company________________________ Postal Address____________________ ________________________________ ________________________________ Telephone________________________ Email____________________________ Date_____________________________ Signed___________________________

NZSM New Zealand Security Magazine

April / May 2020

NZSM

INDUSTRY

New access control standards a welcome addition Andrew Thorburn, Enterprise Security & Risk Manager at Atlas Gentech, provides insights into the new Australian/New Zealand access control standard, highlighting the importance of standards for the entire supply chain from manufacturers to installers to end users.

In the June-July 2018 edition of NZSM, immediate past NZSA Board Chair, Doug McCormick wrote an insightful piece titled, “It’s time New Zealand caught up; Why we need standards for electronic security”.

Andrew Thorburn is Enterprise Security & Risk Manager at Atlas Gentech and immediate past Chair of ASIS New Zealand Chapter. He is the 2018 New Zealand Security Consultant of the year.

In his article, Doug raised the issue of the absence of a standard for access control systems in Australia and New Zealand. However, he did acknowledge the existence of a series of standards for intruder alarm systems, albeit dated and requiring revision. Almost two years later, Australian Standards and New Zealand Standards have adopted the proposed IEC (International Electrotechnical Commission) standard for access control. This joint Australian/New Zealand standard is comprised of two parts (which are, in effect, two distinct standards): • AS/NZS IEC 60839-11-1:2019 Electronic access control systems System and components requirements (Part 11-1), and • AS/NZS IEC 60839-11-2:2019 Electronic access control systems Application guidelines (Part 11-2) The Standard was produced by a subcommittee, the Joint Technical Committee EL-031, Intruder Alarm Equipment and Installations, consisting of experts from several European countries, Canada and New Zealand. As a member of the Committee, the New Zealand Security Association (NZSA) was represented by immediate past chair, Doug McCormick, and current board member, Matt Stevenson.

The Standard was approved by the New Zealand Standards Approval Board on 4 December 2019. Why standards? In the article Doug stated, “established standards are invaluable for manufacturers and suppliers as they set benchmarks for export and confirm to customers that their products are designed to and incorporate features to a recognised level”. As many standards are voluntary, the debate of aligning to them or not is another topic and will not be covered within this article, but keep an eye out in the next issue of NZSM. However, it is important to note that standards relating to safety are deemed mandatory by government. These include, but are not limited to, electrical, fire protection and building. Additionally, where an electronic access control system includes functions relating to hold-up or the detection of intruders, the requirements in the Standards relating to intrusion and holdup are also applicable. What is encouraging to observe in this new Standard is the use of a performance-based approach, aligned to the outcome of threat, vulnerability and risk assessments, thus identifying an organisation’s risk appetite and what solution or treatment is most appropriate and proportionate to their requirement(s). The same model used in the HOSDB CCTV Operational Requirements Manual 2009 and as part of the NZSA Codes of Practice technology solutions audits. It is important to note, however, that the Standard does not cover the methods or procedures for conducting a risk assessment.

April / May 2020

This performance-based approach also ensures room for product innovation and interpretation for how to meet the requirement(s). Part 11-1: System and components requirements The objective of Part 11.1, is to specify the minimum functionality, performance requirements and test methods for electronic access control systems (EACS) and components used for physical access (entry and exit) in and around buildings and protected areas. It is intended for the system manufacturer, hardware, firmware and software developer to ensure compliance and conformity to the standard, and it is comprised of the following sections: 1. Scope 2. Normative references 3. Terms and definitions 4. Abbreviations

April / May 2020

5. Conceptual models and system architecture 6. System performance functionality requirements 7. Environmental and EMC (immunity) requirements 8. Test methods 9. Documentation and marking With many manufacturers in the market, the use of proprietary terminology can confuse consultants, system integrators and end users. Section 3 – ‘Terms and definitions’ provides standardised definitions. From the fundamentals of an access control unit to system self-protection, anti-pass back and identification information user identity, this section aligns the industry to a common language and simplifies understanding for end users – well, maybe some. Section 6 focuses on System performance functionality

requirements. The use of Grades 1 (low risk) to 4 (high risk) sit in parallel to risk level from low to high respectively. In addition, example definitions of skill/knowledge of adversaries/ attackers and typical examples provide guidance to corresponding levels of protection. For those familiar with the New Zealand Government Protective Security Requirements (PSR), the grades are the same as Alert Levels – such as those recently seen in the COVID-19 response. All requirements within Section 6 are available from market-leading access control brands currently available in New Zealand. It is worth reviewing the Standard to learn about these, their functionality and how system integrators can deliver those that are not necessarily understood to add more value to their system deployments. Section 8 – ‘Test methods’ is very comprehensive, covering system performance from general conditions of installation and operation, such as atmospheric, access point interface, duress, and power supply requirements to environmental and EMC (immunity) testing. Also of note is that testing is aligned to the respective alert levels of where the EACS is being deployed. The Standard is rounded off with Section 9 – ‘Documentation and marking’. This section speaks to the installer and user documentation, which should be supplied along with the access control unit. This information is used by the system integrator during the design and deployment, including the as-built documentation. Marking ensures components can be identified to whichever standard the component claims compliance to, the type of product, i.e. access control unit, card reader etc, the name of manufacturer, the grade, environmental class and date of manufacture, batch number and/or serial number. Part 11-2: Electronic access control systems – Application guidelines The objective of Part 11-2 is to define the minimum requirements and guidance for the installation and operation of electronic access control systems (EACS) and/or accessory equipment to meet different levels of protection. It includes requirements for planning, installation, commissioning, maintenance and documentation based on the functions defined in Part 11-1, and it is comprised of the following sections:

NZSM

1. Scope 2. Normative references 3. Terms and definitions 4. Abbreviations 5. System architecture 6. Environmental and EMC considerations 7. System planning 8. System installation 9. Commissioning and system handover 10. System operation and maintenance 11. Documentation This part of the Standard is intended for the system designer, consultant and integrator to ensure appropriate design and planning occurs in compliance to and conformity with the Standard. Sections 1 to 6 cover Scope to Environmental and EMC considerations, much of which is an extension to Part 11-1, but with additions in Sections 3 – ‘Terms and definitions’ and 4 – ‘Abbreviations’. Section 7 covers system planning. ISO3100 Risk Management or the PSR framework is evident again here in that the end user’s risk appetite, aligned to the functionality/performance criteria, security grade and environmental classification will determine what treatment is deployed. This section also includes considerations for interfacing with other

systems. Notably, where intruder alarm systems, video surveillance systems, elevator control and administrations systems etc, are desired or required by end users. As more and more specialist solutions are developed, interfacing with best of breed third party offerings is more expected than ever. Consideration, therefore, should be given to aspects such as the type of communication links, availability, reliability and security of the communication with the respective integrations. Section 8 identifies all aspects of installation from general planning of the system to equipment used to cabling. Section 9 covers system commissioning and handover – two areas that have traditionally been poorly executed in my experience. Their purpose is to ensure that the system installed meets the requirements of the system design and that documentation and training is undertaken in conjunction with a test period. Of note in this section is the requirement that system design should be identified and agreed to between the end user and system integrator, including any other interested parties, such as independent consultants, that may have been commissioned to oversee the design and system deployment.

Section 10 defines system operation and maintenance. This section outlines the system owner’s responsibility to the system in respect to training of their people, and to ensure policies and procedures exist for ongoing training and preventative maintenance of the system. Section 11 covers documentation, encompassing documentation for (i) planning, (ii) commissioning / system handover, and (iii) maintenance. I suggest that all system integrators consider using the components of Section 11 as the basis of their as-built system handover checklist. Whilst many would consider them standard practice, again my experience is that they are frequently omitted. Part 11-2 is rounded out with Annex A – ‘Allowed exceptions for installed systems’ and Annex B – ‘Standby battery capacity calculations’. Conclusion All in all, a welcomed set of standards to both Australasian manufacturers and system integrators. It is evident that a significant amount of time has been spent by volunteers on this, including travelling to Australian meetings. What is also encouraging is the work that has gone into reviewing the current Alarm Systems AS/NZS 2201 standard. Section 2 – ‘Monitoring Centres’, is already under review, whilst Sections 1, 3 and 4 are overdue and next to be considered. Doug and Matt have again been spearheading this on behalf of the NZSA, albeit with a few road bumps now. As the AS/NZS IEC 60839 preamble states, “standards are living documents which reflect progress in science, technology, and systems. To maintain their currency, all standards are periodically reviewed, and new editions are published.” The work done in reviewing standards is critical to ensure they remain current in an industry characterised by technological developments. Based on the 60839 standard being adopted, I have the utmost confidence that they will again represent the New Zealand security community and deliver a more current interpretation. For members of the NZSA, access to the Standard is available for viewing only via the member’s portal of the NZSA website – www.security.org.nz. The AS/ NZS 60839.11.1 and AS/NZS 60839.11.2 standards can be purchased from the New Zealand Standards website, www. standards.govt.nz, for $149.40 (plus GST) each.

April / May 2020

NZSM

INDUSTRY

Inner Range’s Inception now integrates with Hanwha WiseNet Wave VMS New feature-rich integration is a first of its type for Inner Range’s Inception, creating exciting opportunities for Atlas Gentech and Central Security Distribution (CSD) customers. This new and exciting integration between Hanwha WiseNet Wave VMS and Inner Range’s Inception security and access control solution allows bi-directional control of both systems in one, simple to use interface through Hanwha’s mobile app, WiseNet Wave. The Inner Range philosophy of open architecture has provided the ability for bi-directional capability in automation, biometric access control and high-level video surveillance integrations to be created by many of the world’s leading manufacturers. “In this case it is the collaboration between Atlas Gentech, CSD, Inner Range and Hanwha that has seen the combined technical resources in ANZ, from the teams of Atlas Gentech and CSD, create this integrated solution” states Mark Edwards, General Manager – Products, Marketing & Support for CSD and Atlas Gentech. “We have written comprehensive commissioning documents to make this whole process very simple from start to finish.” This specific integration incorporates features such as arming and disarming of the system and unlocking and locking doors on the Inception solution from the WiseNet Wave mobile App. Video analytics trigger alarms, activating security inputs and emergency Icons on the WiseNet Wave Mobile App, when triggered, will then activate alarms on the Inception panel.

April / May 2020

This feature rich integration is the first of its type for Inner Range’s Inception and creates some very exciting opportunities for Atlas Gentech and CSD customers. Inner Range “At Inner Range, the foundation of the business has always been about intelligent security systems that seamlessly integrate with other best in class solutions. So, when Inception was developed and launched, the very same philosophy was carried through” says Mark Cunnington, Senior Vice President of Inner Range. “The Inception platform allows for third party programmers to design their own integrations very easily” he concludes. “The electronic security market has witnessed significant changes over the last 20 years” states Andrew Thorburn, Enterprise Security & Risk Manager for Atlas Gentech NZ. “Fully integrated access control, intruder detection and IP video surveillance platforms are simplifying operational command centres for businesses all over the globe.” Whilst these changes have brought significant benefits to law enforcement, public safety organisations and enterprise end users, their deployment has often been restricted to organisations with large budgets. This is due to licensing

April / May 2020

and some solutions costly software maintenance agreements. Many consider that systems are similar at face value, however, the hidden details become evident when the surface is scratched. Manufacturers who have evolved their offerings to embrace an IP centric user interface, combined with high levels of open standards communication protocol encryption and effortless thirdparty integration, have changed what was previously reserved to large corporates. “Much of the performance and functionality of those enterprise systems is now accessible to the residential and SME markets at a fraction of the cost” says Edwards, “The Inception solution is an integrated access control and security alarm system with a design edge that sets it apart from the pack.” The Inception solution has web-based software built directly into the main system controller, the Inception system is easy to access using a web browser on a computer, tablet or smartphone. With a step-by-step commissioning guide and outstanding user interface, Inception is easy to install and very easy to operate. Budget Friendly Security Solution “The Inception system is a budget friendly security solution that is both powerful and very flexible” states Thorburn. “With no software costs

and truly universal inputs & outputs, Inception can often be deployed as a stand-alone controller reducing the need for additional hardware” he adds. Inception’s web-based interface is the gateway to convenience for both the system installer and the end user. There is no need to install software on a computer and no need to leave a computer running on site. Inception can be configured and commissioned using almost any device that has a web browser. Integration is world class For end users, this new integration between the Inner Range Inception system and Hanwha WiseNet Wave combines the expertise and ingenuity of a local manufacturer with the power and endless capabilities from Hanwha one of the world’s largest manufacturers of surveillance products. The solution is extremely easy to control through the WiseNet Wave mobile app on your existing smartphones, tablets or computers. To find out more, visit: www.atlasgentech.co.nz, email: orders@atlasgentech.co.nz, or phone 0800 222 220.

NZSM

INDUSTRY

International Standards: An explainer Doug McCormick, Security Consultant at Gallagher, is the NZSA representative on the Joint Technical Committee that produced the new A/NZ access control standard explains the importance of international standards regimes. A standard is a document that provides rules, guidelines or characteristics. The use of the term ‘standard’ can be used by anyone. If an individual or company produces a standard document, then it will probably contain proprietary statements, meaning it will apply only to the individual or company’s situation. In the national and international scenarios, a standard is a document, established by consensus and approved by a recognised body, that provides rules, guidelines or characteristics. The document will have been created by representatives from interested users and producers, who may also be competitors in the business environment.

Doug McCormick has three decades of experience in electronic security. He is a member of the IEC Access Control Working Group (TC79, WG11) and New Zealand delegate to the IEC Technical Committee 79 (Electronic Access Control Systems), and he is the immediate past New Zealand Security Association Chair.

Local versus international New Zealand could produce its own access control standard, but if it did so it would limit choices for the purchaser.

If a prospective customer specified a New Zealand standard, then would international suppliers be able to meet this standard? There would be a cost to show that their product met the standard, which may not warrant the cost of testing for conformance. This limits the customer’s choice. Because the IEC 60839 standards have an international basis, New Zealand and Australian manufacturers have better access to international markets. Likewise, international manufacturers will have better access to Australasian markets. Also, only having to conform to a limited number of standards keeps conformance costs to as minimum. By adopting an international standard such as IEC 60839, we are aligning our access control standards with many other countries who have also adopted these standards. For international standards, countries are represented to ensure the “playing field is level”.

April / May 2020

Focus your energy on the things that matter. The fuel card that helps you run things your way Receive 12 to 16 cents per litre (including GST) discount off the pump price for all diesel and petrol purchased at a discounted Mobilcard acceptor site. Exclusions apply. For further details or to receive an application: Matthew John, Mobilcard Commercial Business Manager Phone: 027 839 3817 Email: matthew.o.john@exxonmobil.com

Terms and conditions apply. Not valid for c/c purchases. It is a commercial offer for NZSA members only.

International standards bodies are recognised by the World Trade Organisation (WTO), and are required to ensure that standards documents do not create trade barriers or anti-competitive activities. The IEC 60839 standards were thus produced by an IEC sub-committee consisting of experts from several European countries, Canada and New Zealand. The proposed standard was circulated worldwide and voted in favour of being accepted as an international standard: • New Zealand (and Australia) have adopted these standards as AS/NZS 60839 • Europe has adopted these standards as EN IEC 60839 • Canada has adopted these standards as CAN/ULC 60839 • South Africa are about to adopt the standard as SANS 60839 If there needs to be local modifications to the standard to meet local regulatory requirements, for example, then the modified standard would be referred to as ‘AS/NZS 60839-xx MOD’, however, this is not the case for the access control standard.

April / May 2020

If a product displays ‘IEC 60839 -xx’ with a different prefix such as AS/ NZS, EN, BS EN, CAN/ULC etc, then the product will conform with the IEC document but may have local variations (MOD). The purchaser can rely on the fact that the product meets IEC 60839. Likewise, if a purchaser anywhere in the world specifies their national version, then the AS/NZS version is going to substantially meet their version. For purchasers of systems, an international standard unlocks a wider choice of suppliers than would be the case if a national standard was imposed. Additionally, if the product indicates conformance with 60839, then under international agreements, you will know what you are getting! Mandatory versus voluntary Some standards require mandatory compliance. These usually relate to safety requirements and are dictated by an Act of Parliament. Electrical, fire protection, building etc standards are usually mandatory. Other standards, such as AS/ NZS 60839 and other security standards, provide for voluntary conformance. These standards provide guidance to the product conformance to assist both the manufacturer and the purchaser

in determining what can or should be provided by way of product or service. Although voluntary, a purchaser may insist that a product conforms with a standard. And while a product will often display a Standards Mark to indicate that it conforms to a specific standard, a purchaser may ask for an independent laboratory report proving conformance. Proving conformance with a standard can be done at different levels: • Self-assessed: the manufacturer or service provider has assessed conformance with the standard themselves. • Accredited laboratory assessment: carried out by an independent laboratory that has had its processes certified to comply with ISO/ IEC 17011. If the independent laboratory carries IANZ or JAS-ANZ certification, then their testing of a product or service must be recognised internationally by any country who is signatory to the international Mutual Recognition Agreement (MRA). If a country refuses to accept the report, then there are processes through the International Laboratory Accreditation (ILA) or World Trade Organisation (WTO) to address this.

NZSM

INDUSTRY

Security Training and Professional Development SIG Andy Gollings, Red Badge Group CEO and Chair of the NZSA Security Training and Professional Development Special Interest Group, talks progress in industry training, industry training survey, and expectations of CoA training. The SIG met for the first time in 2020 recently and this meeting was used to review progress for our industry and to reset some priorities for the coming year. 2019 was a very positive year for security training. With a significant increase in cross industry collaboration, we were able to create some momentum for positive change for our industry. Recent progress for industry training • Connected with NZQA to ensure that our industry is supported and represented at the highest level. • Finalisation of the new Level 3 qualification, with two training providers already underway with the delivery of this. • Continued development of a new Level 4 qualification which is nearing completion. We are now developing the guidelines for instructors of the High Risk Units included in this qualification.

• Supported a Skills review of the delivery and assessment tools for the mandatory Certificate of Approval (CoA) Units, this includes an innovative approach by the NZSA to utilise virtual reality (VR) technology. Updated materials, including VR are planned to be available by July 2020. • Confirmation that the NZ Certificates in Electronic Security are well under way with 60 participants in the Level 3 Qualification and the Level 4 Security Technician apprenticeship qualification almost complete. Survey of industry For 2020, we will continue to identify ways that we can improve the quality, availability and suitability of training. Our industry is growing and demands upon us for personnel are continually increasing. This is an important time to ensure that our standards are maintained, if not improved, as the safety of our staff and our customers depends on this. To this end we will be developing a survey of industry to identify areas that industry training can be improved and your participation is important.

Basic training and awareness of Security Law and Conflict Management are the only things that enable an entry level security officer to keep themselves and their customers safe and to stay on the right side of the law regarding the use of force, etc. Corners should not be cut in the delivery of this training as this has a direct impact upon the safety of our staff. All trainers of the Conflict Management Units are required to have undertaken specific training, including refresher training, and be on a Register of Trainers held by Skills. It is also important to note that there are specific requirements for what is trained and how this is trained. A full day of conflict management training role play and assessment is prescribed as this is a key component to preparing our staff to manage these situations. If you are concerned please contact the NZSA for advice. We are committed to raising industry standards and your feedback and input is essential. Please direct any questions or concerns you have to the NZSA so that we can work together.

Expectations of CoA training We have recently been made aware that there are some inconsistencies in the quality of the training for the mandatory COA Units with short-cutting of both delivery and assessment occurring. These claims are being investigated but it is important to remember the reason for, and some basic expectations of, this training. Andy Gollings, Red Badge Group CEO

April / May 2020

REACH

NEW HEIGHTS in Professional Excellence

ASIS accredited certifications can help you reach your career goals.

Globally recognized as the gold standard for more than 40 years, the CPP is designed for senior-level security managers with seven to nine years of related experience.

WHY EARN THE CPP DESIGNATION? • Validate your security management expertise • Gain global recognition by your peers and the industry • Get a competitive edge in the marketplace • Enhance your career and earnings potential • Enjoy personal satisfaction and professional achievement Be one of the many ASIS board certified practitioners who are leaders, mentors, and trusted strategic partners, serving both their organizations and the profession.

"I have always understood the 'HOW' of security but completing the ASIS Certified Protection Professional (CPP) gave me a deeper understanding of the 'WHY' of security. The CPP designation proves to my peers and fellow industry professionals that I am technically proficient in all seven domains of security management." - Johan Janse Van Rensburg CPP

WHY SHOULD AN EMPLOYER HIRE ASIS CERTIFIED PROFESSIONALS? • Build a strong, dedicated team committed to high standards and continuing professional development • Promote ongoing education of critical job knowledge and skills • Feel confident that your staff are using best practices • Recruit the most qualified professionals • Reinforce or elevate your organization’s reputation and credibility Increase the competency level of your staff by supporting your security professionals in their certification journey.

Visit www.asis.org.nz for more information April / May 2020

NZSM

Creating security culture requires leadership from security In this except from her ASIS New Zealand Chapter Women in Security event presentation, technology authority Jennifer Cherrington says that businesses are adopting more digital tools, but they need to be more security smart. In this day and age, digital and data protection, and in particular customer data and how you look after it, is a really hot topic. What we aren’t seeing is businesses keeping pace with the technology they’re using and the security of it. Training and awareness is woefully lacking and, in fact, most of the tools businesses use are pretty much inadequate.

Jennifer Cherrington has over 25 years’ experience in director roles for a variety of UK and US businesses, including eBay, Amazon, British Telecom, and more recently in New Zealand as CTO for Genesis Energy and as a technology advisor to Foodstuffs NI.

It might surprise a few people that at the top of most corporate risk matrixes is ‘malicious insiders’. One shouldn’t be too worried about Russian teenagers breaking into things, but you do need to be worried about who physically comes into your building. If you can get into the building you can get into the network, and that’s game over.

An example from the digital space: a few years after I left eBay in the UK, I worked for Amazon and I learnt a whole other side to security because we actually sold physical goods, but I never actually got eyes on the stuff that I bought. This is because we’d buy it, it would all get shipped into a number of DCs, and when we sold it on the platform it would get shipped out from these DCs. As part of a tour, we had Jeff Bezos come and visit the UK. All of the management came together in Scotland, and that was where I got the opportunity to tour one of our DCs for the first time. Now I say ‘tour’ in a loose sense because I wasn’t actually allowed past the front door even though I was an employee, and the reason why was because I had my bag with me. It sounds a bit archaic and possibly a bit dramatic, but that was a security

April / May 2020

security.gallagher.com

measure. The DC staff had passed through body scanners on the way in and on the way out, and, of course, they weren’t allowed to take bags with them. This was to make sure they weren’t stealing iPods and digital cameras and the small stuff. Needless to say, these measures were actually only partially successful. They didn’t use cameras, which could have provided a big disincentive to nicking stuff, so we couldn’t trace anything once it left the building. Of course, in this day and age you’d use source or packaging RFID tagging and blockchain and cameras and scanners; it would be security for the fourth industrial revolution. Nowadays, whilst I know that Amazon are on the case, we still see businesses suffering from theft and shrinkage because whilst they’re excited about providing an ever better customer experience, at the same time there’s not enough investing in the latest EAS technology, for example, to keep stock safe from would-be thieves. Businesses are absolutely in need of education around converged security. Security’s broad implications are not particularly well understood in commercial situations, and that’s because businesses don’t tend to have security

people in their management teams or sitting at their board tables. Businesses are still reeling from and trying to adapt to changing business models, and digital makes it even more complicated. As business people, we don’t really understand the need for a converged approach to security because we don’t look at physical, cyber security, processes and governance all in one place. We tend to think of these things in silos, and that’s where stuff gets missed. I started to encounter what I consider to be a more holistic approach to security when I joined British Telecom, running sales and service online. When I joined we were building technical platforms and products, and although we had to do lots of policy and training around data, I didn’t have any security people on my team at all. Nobody tested my code or my forms at all. What I was effectively doing was creating massive great big wide-open digital doors with lights on them that might as well have just said “welcome, break in here” instead. I’d love to say that those were the old days, but I actually see it now every single day because getting things out there faster is what we do, and we don’t think about the risks that come with it. As a result, these digital front doors have proliferated everywhere, and most

businesses are actually oblivious of the risk. Because of the pressure to move ever-faster we cut corners, and we’re ignorant of the dangers. We need more CSOs to bring their knowledge of the issues and the threats into the business from a day-to-day point of view. We need more people who understand what the security fourth industrial revolution is bringing about. One really hot opportunity I see for security professionals is in the growth of IoT. Not everybody has cottoned onto the fact that physical security is now operating in a much wider space. We’re going to see more and more IoT devices all over the place. There are predictions of about 75-billion of them connecting to the internet by 2025, and the rise of 5G will fuel this. These IoT devices are going to be deployed by companies geared to helping customers help themselves – smart cameras, motion sensors, smart watches, smart locks, drones, smart batteries, mobile devices, voice-controlled devices. While all these are amazing and are changing the way we do things, anything that talks to the internet mothership ultimately broadens your threat landscape and access to what you want to keep protected.

April / May 2020

REACH

NEW HEIGHTS in Professional Excellence

ASIS accredited certifications can help you reach your career goals.

"The PSP certification filled huge knowledge gaps for me. It also gave me the confidence and competence to move forward in my career and my professional goals."

Demonstrates proof of knowledge and experience in physical security, including threat assessment and risk analysis, integrated physical security systems, and implementation of security measures. Designed for those with 4-6 years of related experience.

WHY EARN THE PSP DESIGNATION? • • • • •

Validate your physical security expertise Gain global recognition by your peers and the industry Get a competitive edge in the marketplace Enhance your career and earnings potential Enjoy personal satisfaction and professional achievement

Be one of the many ASIS board certified practitioners who are leaders, mentors, and trusted strategic partners, serving both their organizations and the profession.

- Ngaire Kelaher CPP PSP

Visit www.asis.org.nz for more information

Would you keep your front door propped open, unlocked, and with the lights on? Of course you wouldn’t. But if you’ve got IoT technology out there then that’s exactly what you’re doing if you don’t consider the security of it – and most people don’t. Our survival as businesses is reliant upon brand reputation and trust. Companies get cracked all the time, and it actually doesn’t really matter how it got cracked. Customers will lose trust. In this day and age of social media, you can’t hide it like you used to and by the end of the day you’re gone. You can literally be gone that quickly. The next few years are going to bring about more technological advances, but we have to also increase our awareness of the security aspects of it. For business leaders, change is tough and it contrasts with security professionals who struggle to get the attention of senior management most of the time until something goes wrong – and then suddenly you’re the most popular person in the room. Recently I worked for Genesis Energy, and with one of our generators getting hit thousands of times a day, I didn’t have to work very hard to convince our senior leadership team that we had to have proper professional security in our business. I therefore had quite a large team, and we worked on everything from Checkpoint automated network sniffing through to training and awareness and

hunting down malware. We also used to put the security team on any development releases so that they had to sign off before anything actually went live. But even with a relatively large resource it was actually quite hard work because security is also a cultural challenge. Training people to be alert every single day requires continuous reinforcement messaging, and even then they don’t remember. The hard part is the day-to-day. Even in a business where we were quite security-aware, it was a constant battle trying to tell our teams not to let people follow them into the building – even if they knew them – if they didn’t have a valid Id pass. Creating a security culture is hard and requires repeating constantly, but it is possible through education. It is possible to change. But you need to help businesses understand that converged security needs to be viewed across physical, digital and cyber, governance and training. If your company, for example, uses any technology, then those intent on harming have front doors from anywhere. They will be sophisticated, and it only takes one to get in. So the paradigm has absolutely changed. Security, like technology, needs to talk the language of business, and help evolve that leadership. I’ve worked in IT a long time and one of the biggest barriers we have in terms of IT people getting their message across is of course

the fact that they’re speaking ‘Klingon’. I’ve used a couple of examples here to highlight that broad security risk management isn’t physical or digital; it’s both. But it’s also people, and process, and it’s also very global. Converged security needs to be part of business strategy, and it needs to be unashamedly part of your business DNA and in the hearts and minds of all your people. It is in this space where security professionals can be leaders. Being involved in business strategy is really important, and you have to hone your communication skills so that you can speak in a language that businesses will understand. You have to be able to come to the table with solutions, such as crisis management, and policies and strategies that need to be in place should anything actually happen. And you’ll need to anticipate objections, such as ‘that’s going to cost a lot of money’. In summary, I’ve seen the world change dramatically with the rise and rise of digital – and it’s not slowing down anytime soon. So, keeping up to date with this ever-changing and evolving threat landscape means we have to help our businesses understand what those threats are because if they don’t they won’t survive. You guys are the experts, now be security leaders. The full transcript of this speech will be made available on the Defsec website www.defsec.net.nz.

April / May 2020

fired up protection LOKTRONIC’s expansive product range has just become even wider with these first class EGRESS and FIRE PROTECTION DEVICES and PROTECTIVE COVERS.

NEW

STI-1130 Ref. 720-102

STI-WRP2-RED-11 IP67 Ref. 720-062R

Surface mount with horn and spacer 255mm H x 179mm W x 135mm D

Also available in White.

STI-RP-WS-11/CN Ref. 720-052W Available in White, Green, Blue & Yellow.

STI-13000-NC Ref. 720-090 Flush mount, no horn 206mm H x 137mm W x 69mm D

STI-RP-GF-11/CN Ref. 720-051G Available in White, Green, Blue & Yellow.

NEW

STI-RP-RS-02/CI

STI-13B10-NW Ref. 720-092 Surface mount, horn and label optional 206mm H x 137mm W x 103mm D

Ref. 720-058 Cover included. Flush Mount Available. • •

STI-1100 Ref. 720-054

•

Flush mount with horn 255mm H x 179mm W x 86mm D

•

• • • • •

STI-6518 Ref. 720-060 Flush mount, no horn 165mm H x 105mm W x 49mm D

STI-13210-NG Ref. 720-093 Surface mount, horn and label optional 206mm H x 137mm W x 103mm D

All STI ‘Stoppers’ are made of tough, UV stabilised polycarbonate. Many can be supplied with or without a 105 dB horn. Other models and sizes available including weather resistant options.

Approved to EN54-11 Current Rating: 3 Amps @ 12-24V DC, 3 Amps @ 125-250V AC Material: Polycarbonate Comes with Clear Cover 2 x SPDT switches Positive activation that mimics the feel of breaking glass. Visible warning flag confirms activation. Simple polycarbonate key to reset operating element - no broken glass. Dimensions: 87mm Length x 87mm Width x 23mm Depth (Flush Mount) & 58mm Depth (Surface Mount)

STI-6255 Ref. 720-042

Mini Theft Stopper discourages inappropriate use of equipment. Sounds a powerful 105 dB warning horn when activated. Tough, ABS construction. Reed switch activation for cabinets and display cases or unique clip activation for freestanding equipment. Does not interfere with use of protected fire fighting equipment. Compact design 85mm H x 85mm W x 25mm D.

STI-6720 Ref. 720-047

Break Glass Stopper. Keys under plexiglas. Protects emergency keys from inappropriate use. Keys remain visible. Fast, easy installation. Simple, inexpensive plexiglas. 3 year guarantee against breakage of the ABS housing within normal use.

NEW

Battery Load Tester Ref. 730-101

Fire Brigade Alarm: (Closed/Open) Ref. 730-231

Anti-Interference Device

ViTECH, strong, lightweight aluminum case, 5, 15 and 30 amp battery load tester for fire and alarm use. Weight: 500gms, Size: 165mm x 90 x 70mm.

ViTECH branded Type X (730-230) and Type Y (illustrated) models with temperature compensated pressure transducers with digital display showing pressures for defect, fire and pump start.

Ref. 730-400 series ViTECH AID for sprinkler valve monitoring; fits all ball valve sizes.

April / May 2020

NZSM

21620/1/18

21620

ViTECH products are designed and produced in New Zealand.

A note of caution on the digital document revolution Ian Lancaster, former managing director of Reconnaissance International and lead author and editor of ‘Physical to Digital: A Revolution in Document Security’, advocates for greater balance between physical and digital safeguards

A revolution is underway in the secured document field. Society is migrating from using physical secured documents, such as banknotes and identity cards, to the use of smartphones and electronic payment cards for financial transactions and as carriers of our identity credentials.

Ian Lancaster has decades of experience in security and authentication. Founder and former MD of Reconnaissance International, a specialist analyst of holography and anti-counterfeiting, he served as the general secretary to the International Hologram Manufacturers Association (IHMA) from 1993 to 2015.

`The Covid-19 crisis has thrown this trend more sharply into focus in relation to payments. In just one week, cash usage halved in the UK and a similar story is playing out around the world, as more people turn to contactless payments to minimise the spread of the virus. Whether this is a temporary measure while the virus is active or another nail in the coffin of cash remains to be seen. `In the minds of many people, this transition from physical to digital is inevitable, unstoppable and irrevocable, even though cash is still used for most retail purchases globally (Covid-19 influence aside) and passports are still required to enter a territory. Nonetheless, this transition is inevitable, so there is a need to consider the impact and implications of this change. `These considerations are the driving force behind Reconnaissance International’s new White Paper, ‘Physical to Digital: A Revolution in Document Security’, which looks at the implications of the current digital revolution in the areas of financial transactions and ID document security. The publication contrasts more than 1,000 years’ experience in printing and examining security documents with the 30 years of digital experience and the use of smartphones in what has

previously been the domain of secured printed documents. In simple terms, is it a revolution that leaves us and our data safe? We are moving from a world in which people can examine and inspect a document to check its legitimacy (in order to be confident it can be trusted), to one in which we have to trust that a device, such as our smartphone, is doing what we think it’s doing, that the data it’s using is accurate and secure and the decision it makes – or leads us to make – is correct and appropriate. Are we right to invest this much trust in these new methods of making payments and showing our identity? Or should we pay heed to the view that, in failing to question the algorithms that are doing this work for us, we open the door to hackers, fraudsters and other criminals? In examining the transition in security documents from the physical to the digital, our White Paper considers: • How far has it gone and what is its future? • What are its implications and – crucially – how safe is the data held and used in the digital world? • Are we merely users of these systems, or is there a role for us in ensuring that they and the data they use are secure? What might that role be? • Is anything needed to enhance the safety and security of these digital methods and if so – what? Current landscape The use of digital technologies has some way to go before replacing cash – most people in most countries continue to rely on cash for retail transactions. Similarly,

April / May 2020

when it comes to ID documents, digital technologies, while attractive, remain for the time being some way short of being ubiquitous. It’s clear that physical banknotes and ID credentials remain the norm – but why? Physical documents are tangible, familiar, and with security and authentication features built in. Moreover, a key driver for specifiers and designers – honed over this 1000-years of experience – is security and document protection. In this physical world, professional document examiners develop a sixth sense, a feeling for the document which comes with familiarity and practice. The result is reflected in the low counterfeiting levels for banknotes and passports; for example, 0.003 percent of euro banknotes in circulation and 2 percent of passports worldwide. This

April / May 2020

compares to, say, the World Health Organization’s estimate that 10 percent of medicines worldwide are fake. As digital methods become more common, we need to question whether they match the security and detection built into the physical document world. If not, how can they be improved? Should we abandon the use of human inspection and, if not, how do we combine the best of both worlds? These questions become more pertinent when we consider the significant number of data breaches, hacks and outages that occur in the digital world. There are numerous examples of online identity and financial theft, often serious enough that they are reported in the mass media, not just the specialist media. In addition, there have been many cases of systems crashing, making it impossible for

people dependent on their credit cards or smartphones to conduct any financial transactions. To give a few examples: • In July 2019, Capital One bank suffered a data breach which affected around 100 million US citizens • In 2019, 165 million records containing personally identifiable information (PII) were breached in the USA alone, according to the Identity Theft Resource Center • Following system crashes at TSB, NatWest and other UK banks, an October 2019 report by the House of Commons Treasury Committee said that customers were left “cashless and cut off” due to an unacceptable number of IT failures – some of which cut off customers from their bank for several days or longer It is worth pointing out that these are thefts from or hacks of the places where our data is stored. Those promoting online systems refer to storage in ‘the cloud’, implying an ethereal, intangible entity which thus cannot be illicitly penetrated. But the reality is that our data is transmitted over the internet (via cables and satellites) to huge server farms, buildings that contain thousands or even hundreds of thousands of servers making and recording our transactions or our identity. These tangible resources are certainly well-protected, with backups and redundancy built in, but they have been hacked, as have the internet network connections to them, as the above examples reveal. So, for ‘cloud’ read ‘networked computers’. These computers, data stores and the connecting networks operate numerous security features, including hash codes, two-factor sign-in and encrypted apps, but they all work within the digital domain; there is no interaction with human beings. There are numerous collaborative development projects underway to establish standards and improved systems for data protection, including the EU-funded Olympus7 project and ISO’s emerging mobile driving licence standard. These all show that there is recognition of the need for security within the digital domain, even though the original impetus may have been – and in hardware terms, still is – technologydriven. Nevertheless, current systems remain vulnerable and fallible – particularly so in the digital payments world. The difference in the rate of fraud between banknotes and payment cards in the

NZSM

eurozone is stark. The European Central Bank reports that payment card fraud in the zone in 2016 totalled €1.8 billion, which is one-tenth of one percent of the total card transaction value of €1.8 trillion. This is over 300 times greater than the 0.003 percent of euro banknote counterfeits, while Europol reports that cardholder not present (CNP) transactions accounts for 66 percent of the card fraud. In electronic transactions, whether card or app-based, the key challenge is identity. If you pay with cash, the cash is assumed to be yours and the physical exchange is straightforward. The link between value and the bearer is “presence” and not “identity”. A digital transaction is more complicated because there is no link between the value and the identity of the user. The regulatory landscape is struggling to keep up and criminals are exploiting the new paradigm of payment being about value linked to identity rather than value linked to presence. This brings us back, of course, to how governments and businesses can secure identity with confidence, what is the proof of identity and how it can be proved at the point of transaction. In general, digital identity has its benefits – notably, convenience and in some cases, reduced cost. Every day, millions of travellers get home faster because they can move quickly through ports of entry and exit using their digital

ID. Tens of millions of patients get better treatments because their doctors can gain access to their digital medical records, and billions of consumers can buy goods from around the world with a username and password. However, there’s a very real tension between efficiency and convenience on the one hand and security on the other. Whilst a machine is highly efficient at confirming the truth, or otherwise, of a user’s credentials, it is not so good at determining the provenance of those credentials. It may also be vulnerable to the theft of this digitised personal data. A possible way forward? Whilst the switch to digital systems is undoubtedly gathering pace and there is widespread recognition that society cannot turn back the clock, there is also a need to change the mindset of people working in digital finance and digital ID, to encourage them to put data and personal security at the heart of this new world. Improving data and cyber security should be a top priority for all of us. Perhaps there needs to be a greater realisation that physical and digital documentation can co-exist; a way forward in this inevitable transition to digital could be to seek ways of drawing on the best of both worlds. Can the commitment to security and protection that drives the physical secured document field be inculcated among

digital system developers and adopters – and if so, how? The primary purpose of creating, recording and storing personal data digitally is to improve convenience for service users and providers – a trend that seems likely to continue. Equally, card and contactless payments are set to become even more common. But there is a risk that further adoption of digital identity and digital payments may be greeted with pushback until key issues of trust, privacy and security can be addressed. Could this be an opportunity for commercial entities with know-how and experience in the security arena to guide users in the proper balance between physical and digital safeguards to ensure that security is built-in and not merely a bolt-on? Whilst our White Paper is an important contribution to this debate, clarifying the current position and the critical issues, it doesn’t have all of the answers. Hopefully, however, it facilitates the asking of the questions and exploring of the issues. The White Paper sets out the issues for which Reconnaissance is creating discussion platforms, including the Digital Document Security conference, which takes place 5-7 October in Vienna, and an extended special report due for publication later this year, titled ‘Secure Documents: The Transition from Physical to Digital’.

April / May 2020

ENGAGING, PROTECTING, SUPPORTING, COLLABORATING 19-20 October 2020 | Ellerslie Events Centre

NICK DYNON Chief Editor Defsec Media

PHILIP WHITMORE, Partner, KPMG

PROF ROUBEN AZIZIAN, Professor and Director Centre for Defence and Security Studies, Massey University

DR CHRIS WILSON, Senior Lecturer, University of Auckland

KEY THEMES: • Protecting people and places • Homegrown violent extremism - the new face of terrorism

• Future security and safety - the role of new technology • Collaborative working to deliver effective security and safety

MEDIA PARTNER

NZSM New Zealand Security Magazine

April / May 2020

DEFSEC

SUPPORTING ORGANISATION

Line of Defence New Zealand’s Defence and National Security Magazine

FULL AGENDA NOW ONLINE AT CONFERENZ.CO.NZ/SAFE

NZSM

INDUSTRY

Our Journey - A week in the life of a business dealing with Covid-19 Ben Wooding, Director and General Manager at Red Badge Group, provides a day-byday account of the week leading up to 22 March as the implications of Covid-19 became apparent and lockdown imminent. One thing COVID-19 has helped define is the sometimes blurred line between governance and management. In times of crisis, the need for good governance becomes very clear. I hope that for our team, as a family owned SME in New Zealand, we have been able to lead in a way that reflects that need, first and foremost. None more so than in the past seven days.

Ben Wooding has been in senior roles with Red Badge Group since January 2017. He has worked in a range of security management roles since 2008, including with Armourguard Security and as Host City Security Coordinator for the FIFA U-20 2015 World Cup in Dunedin.

Firstly for context. For 21 years Red Badge Group has been the leading event security company in New Zealand. Nationally, Red Badge Group has about 2,000 casual staff and 300 permanent staff, including four New Zealand-based directors and 35 management.

Five years ago, a conscious decision was made to re-brand and establish a third division called Red Security. This brand would focus on the protection of people, infrastructure and commercial assets. From 10 percent three years ago, Red Security now contributes about 50 percent of Red Badge Group annual revenue. [I have intentionally left out specifics around our pandemic response plan and business continuity plans so as to focus more on the overall journey]. Seven days ago, the country was receiving the news that mass gatherings of more than 500 people were to be banned, a necessary step that needed to be taken in this time of crisis. Six days ago, we were working hard to understand what the exact impact would be, of having 50 percent of our company revenue turned off overnight. We implemented daily conference calls for our management team so we remained agile, and through video on social media we communicated to our front line staff reassuring them of our support. Five days ago, we identified that the impact of the reduction in revenue was going to be significant, and we moved to reduce fixed or non-essential costs immediately. We considered annual leave for our managers across the board. We realised the government package wouldnâ&#x20AC;&#x2122;t be enough to support our potentially thousands of staff out of work. We were planning for worst case, though via further communication to staff and clients across New Zealand we

April / May 2020

reassured them that given our strategic diversification the business was in a strong position to continue supporting our people and New Zealand. Four days ago, we made a conscious decision to aggressively focus on keeping our front line people in work; this approach would benefit our people, our clients and the business. We again contacted existing clients by phone to assure them of our strong position and offered support to industry colleagues. Revenue started to flow again. Three days ago, by mid-morning we were being contacted by supermarkets, retirement villages, councils and DHBs amongst others, who were all in desperate need of security staff. Within 24 hours, we went from many front line event security staff out of work, to rapidly developing rosters and sending

April / May 2020

staff all over the country for work. All plans for annual leave and some cost cutting measures were put on hold. Two days ago, demand continued to escalate and many of our incredible management team had worked through the night. We began expanding our national operations support capacity, developed additional capability around recruitment and added more on the road support for our people. We developed video briefings for our rapidly growing workforce and continued to hammer home the government messages around hygiene. One day ago, none of our teams would have known it was the weekend as all but one of our managers and directors joined our 10:30am daily conference call. The vibe was very much one of ‘we are in this together’, and we began

reaching out to industry partners and recruitment channels for staffing support to fill the demand from our clients. We posted job ads on every channel we have and encouraged our team to spread the word that Red Badge was open for business! Today (22 March), we are developing our responses to the government alert levels to provide our people the same levels of certainty our PM attempted to provide the country yesterday. We are planning to try and get our management teams half days off on Monday and Tuesday having worked all weekend, and empowering our key leaders around the country to shape their local management teams in order to keep up with the (sometimes hourly) changes to our operation. Nonetheless, amongst all of the madness of the last seven days, as a company we have tried to stay human and appreciate that each of our amazing team members all over the country are mums, dads, brothers sisters and grandparents. The last week has been a roller coaster with no sign of slowing down, but if we continue to look out for and look after each other, we will certainly come out of this crisis stronger than when we went in. All of that said, we are well aware that we are one of the lucky ones. There are many companies that won’t get the turnaround we had halfway through our week. To those companies, if there is any way we can support you or your staff through working opportunities please reach out - we have work available across the country.

NZSM

OPINION

Cyber threat evolution – cyber security, physical security, and the importance of staying up to date Andrew Scothern, Chief Software Architect at Gallagher, explains the relationship between cyber security and physical security, and why it’s important to keep these up to date. In 2019, the average cost to a company for a data breach was USD 3.92 million (approximately NZD 5.92 million). Cyber risks were the number one concern for businesses, with 55% worried about the risks.

The cyber threat landscape is constantly evolving and organisations are worried about the effects of data breaches, which can be both costly and damaging. It’s essential for organisations of all sizes to invest in quality security products to protect themselves from these ever-evolving threats.

How can organisations effectively defend themselves against cyber threats? We look to the boundary-pushing high security government spaces in the UK, US, Australia, and New Zealand to define best practice in this area. High security standards evolve as governments demand increasingly sophisticated solutions to protect their vital assets and critical sites, and these features gradually filter down to commercial security solutions. Cyber defence requires more than just cyber security Effective protection against cyber risks requires more than cyber security alone. Physical site security is equally as vital

Andrew Scothern has over 25 years’ experience in product development, encompassing software development, software architecture, R&D management, and IT advisory roles. He was a founding member of the industry advisory group behind the STRATUS research project.

April / May 2020

as cyber security for securing your data. According to the 2019 Verizon report, physical theft and loss was identified as one of the nine basic patterns of security incidents and data breaches, with paper documents and laptops the top two stolen physical assets involved in data breaches. One of the most common theft locations identified was the target’s work area. Investing in cyber security alone leaves organisations vulnerable, with anyone able to enter their site and uplift property containing company data. Physical security solutions, such as perimeter fencing and access control, can protect your data by preventing unauthorised people accessing your site. Access controlled doors secure important work areas and keep a record of who is entering or exiting these areas. The option to add two-factor authentication ensures anyone entering an area is who they say they are. While physical security supports cyber security solutions, cyber protection provides the security of security – protection for physical security solutions. A cyber attack on your physical security system could give hackers access to data held within the system, or enable them to remotely control your doors, cameras, or alarms. It’s vital to keep your cyber security and physical security systems up to date and working together to protect your organisation.

April / May 2020

The importance of staying up to date The weakest target is the easiest way in. An outdated security system provides an easy way in for hackers, who can then navigate to the data they’re looking for, such as credit card information or customer data. To provide the best level of protection, it’s vital to keep your systems up to date. Being up to date doesn’t necessarily mean replacing security hardware with the latest products every time a new cyber threat is announced. It’s about keeping up to date with information security best practice, knowing what current and emerging cyber threats pose a risk to your business, being aware of any vulnerabilities that may exist within your system, and acting to mitigate cyber risks to your organisation. Security hardware that easily allows firmware upgrades is a simple measure for ensuring your systems stay current for longer. From time to time, manufacturers will release firmware upgrades, which could be in response to emerging cyber threats or a vulnerability discovered within the system. We know that cyber threats can evolve quickly, so choosing a solution that allows updates to be easily pushed out from a central location enables organisations to react quickly if a threat is detected. Conducting regular audits on your security systems can also help you

stay up to date by identifying existing vulnerabilities within your system. Vulnerabilities could be due to incorrect system configuration or people not following security protocols. As an example, The Washington Post reported on a 2018 security audit conducted by the Western Australian government, which revealed 1,464 of their employees were using Password123 as their password. Issues like this are a significant risk to organisations but can be quickly and easily rectified through regular audits. How does your organisation become aware of potential cyber attacks on your system? The response time when dealing with cyber issues can often be weak compared with the response to physical security threats. A notification regarding a security vulnerability in an application may be received, but how long before action is taken and the application is updated? Just as a broken lock on a door would warrant an immediate response, organisations must react with the same urgency to unusual cyber-related activities.

Protect your organisation from cyber risks by ensuring your cyber and physical security systems are up to date. Visit security.gallagher. com to learn more. NZSM

OPINION

Fatalities from terror attacks continue to decrease Far-right terror attack fatalities are trending up, writes senior editor of ASIS International’s Security Management magazine Mark Tarallo, yet far-right terrorism remains a small fraction of the worldwide total.

For the fourth consecutive year, deaths from terrorism worldwide have declined, according to the latest edition of the Global Terrorism Index (GTI). This means that total deaths from terrorism are now down more than 52 percent from their peak in 2014.

Mark Tarallo is an award-winning journalist spanning a wide range of media. He completed a journalism fellowship in the Middle East and holds degrees from the University of California and University of Texas.

Nonetheless, terror’s tentacles still have a grip on countless countries around the world, according to the GTI, which is produced by the Institute for Economics and Peace and based on data from the University of Maryland’s National Consortium for the Study of Terrorism and Responses to Terrorism (START) Global Terrorism Database. In 2018, the last full year for which data was available, 103 countries recorded at least one terrorist incident, and 71 countries suffered at least one fatality from a terror attack. This marks the second worst year on record for the number of countries suffering at least one death. “Although the intensity of terrorism has diminished, its breadth has not,” the report authors write. “It highlights the need for continued assertive international action to combat terrorism.” Bombings and armed assaults have remained the most common types of terrorist attack over the past two decades, according to the report. In sum, the GTI sketches out global trends in terrorism in the last 50 years, with an emphasis on trends since 2014— the year which some say marked the beginning of the fall of the Islamic State (ISIS).

The decline in terror deaths is due to a few factors, the report found. One is success in fighting ISIS and Boko Haram; the number of deaths attributed to those two militant groups totaled 15,952 in 2018, a 15 percent decrease from 2017. Of these two groups, ISIS’s decline seemed the most marked. Deaths attributed to attacks by ISIS decreased 69 percent in 2018, with the number of attacks dropping 63 percent. The group continues to lose fighters. It now has an estimated 18,000 fighters left in Iraq and Syria, down from more than 70,000 in 2014, according to the report. Another factor is the improving situation in Iraq. Roiled by terrorism for more than a dozen years, Iraq’s terrorism death toll decreased by 75 percent in 2018. Although the death toll in Iraq was still high (3,217), 2018 marked the first year since 2003 that the country was not the most impacted by terrorism in the world—Iraq was second to Afghanistan. Somalia and Syria also saw reductions in terror deaths in 2018. And in Somalia, the report found some success fighting the militant group Al-Shabaab, which has been the target of airstrikes by a U.S.-led coalition. Somalia recorded the second largest (behind Iraq) reduction in deaths in 2018, with 824 fewer deaths recorded than in 2017. But terror attack fatalities are not uniformly decreasing around the world. In Afghanistan, which replaced Iraq as the country most affected by terrorism, terrorism deaths increased 59 percent to 7,379 in 2018. “The increase is closely aligned with the increasing intensity of the civil war,” the authors write. “There has been a

April / May 2020

constant increase in both terrorism and battlefield deaths over the past decade as the security situation continues to deteriorate.” With the increase of fatalities in Afghanistan, the Taliban overtook ISIS as the world’s deadliest terrorist group in 2018. Besides Afghanistan, only three other countries suffered a significant uptick in terror attack deaths in 2018: Mali, Mozambique, and Nigeria, with each recording an increase of more than 100 deaths. The report also discusses several recent global terror trends. One is the increase of far-right ideological terrorism in the West, particularly in North America, Western Europe, and Oceania. Worldwide, the total number of incidents motivated by right-wing ideology increased by 320 percent during the past five years. In 2018, total deaths attributed to far-right groups increased by 52 percent, from 11 in 2017 to 26 in 2018. But by the end of September 2019, when GTI data ends, the 2019 number had nearly tripled to 77 deaths. “The three largest politically motivated terrorist attacks in the West in the last 50 years have been perpetuated by far-right extremists,” the authors write.

Yet far-right ideology is not even close to being one of the leading motivations for global terror attacks. “Far-right terrorism remains a small fraction of total terrorism worldwide,” the authors explain. “Even in the West, historically nationalist or separatist, Islamist, and far-left terrorism has been much more common.” And terror attacks on the whole remain less common in the West than in other regions of the world. Between 2002 and 2018, 93 percent of all terrorism deaths took place in South Asia, the Middle East and North Africa (MENA), and sub-Saharan Africa. Overall, the report found that the South Asia region suffered the highest impact from terrorism since 2002, while Central America and the Caribbean regions had the lowest impact. Although the GTI does not cover 2019 in full, another recent report, Terrorism & Counterterrorism in 2019: The Year in Review, does provide analysis for that year. The report was issued by the Foreign Policy Research Institute (FPRI), a think tank that produces nonpartisan policy analysis of national security issues.

“2019 was a year of highs and lows for counterterrorism forces around the world,” writes the report’s author, Colin Clarke, a senior fellow at FPRI. The high points included the killing of Hamza bin Laden, son of al Qaeda founder Osama bin Laden and the group’s heir apparent. “Hamza’s death is a major blow to al Qaeda,” Clarke writes. As for the low points, Clarke cites the high-profile terrorist attacks in Christchurch, New Zealand; El Paso, Texas; and various sites throughout Sri Lanka. All resulted in significant fatalities. What will 2020 hold? Clarke writes that he expects “a battle for supremacy between ISIS, as it attempts to rebuild, and al Qaeda, a group poised to take advantage of power vacuums in failed states.” He also predicts a continued surge in violent transnational white supremacy. And, like in so many other areas, technology is likely to play an increasing role. “We should also expect terrorists and terrorist groups to continue flirting with new technologies in an attempt to harness the power of drones, 3D printing, and artificial intelligence as force multipliers,” he adds

April / May 2020

NZSM

OPINION

Assessing cyber risks to your access control system Despite the numerous vulnerabilities that exist, writes senior editor of ASIS International’s Security Management magazine Megan Gates, there are myriad ways to mitigate the risk of compromise to an access control system. A round lock sat in the front of Joseph Bramah’s shop in London with a challenge displayed on the window: whoever could pick the Bramah Precision lock would win 200 guineas (roughly $30,000 today). That challenge would remain for 67 years until A.C. Hobbs—an American locksmith— took up the gauntlet.

In addition to being published by Security Management, Megan Gates’ work has been published in The Standard and by Reuters. She holds a Bachelor’s of Science in Journalism from Missouri State University.

Hobbs brought a great deal of experience to the table. He had gained recognition in America for demonstrating to bank managers that their locks could be picked, so they should be replaced with locks of his own invention. At the Great Exhibition hosted in London in 1851, Hobbs announced after successfully picking a Chubb “Detector” lock that he would open Bramah’s creation. Bramah’s sons set Hobbs up with a workspace above their shop. For 52 hours, Hobbs worked at the lock until he successfully picked it. Hobbs’ success became known as The Great Lock Controversy, striking fear into the hearts of everyone who had previously used the Bramah lock— including the Bank of England—because they believed it could not be picked. Their sense of security was shattered. Since then, methods for locking doors and controlling access have changed with the times and technology advancements. Now, instead of having a guard monitor and log when a door is unlocked and opened in a facility, and then verify that that individual is allowed to do so, most organisations rely on access control systems. And often, these systems are connected to the Internet—making them vulnerable to cyber intrusions.

“Older access control systems were not meant to be tied to the building network or the organisation’s network,” says Coleman Wolf, CPP, CISSP, senior security consultant for Environmental Systems Design, Inc., (ESD) and a member of the ASIS International IT Security Council. “There are adapters that can be used to put those on the network. They function just fine. I can access the control panel from my desk, but the security isn’t always the best.” The access control system is “meant to provide a function, but either the device was not built to have password protection or the person who installed it wanted to get it up and running, so they didn’t put in the effort to install the security with it,” Wolf adds. The Basics By connecting an access control system to the Internet, the system becomes part of the Internet of Things (IoT). Typical IoT devices include thermostats, electrical outlets, light switches, refrigerators, smart speakers, and doorbells. They also now include—in the security arena—cameras, alarm systems, smoke detectors, locks, and other access control devices, says David Feeney, CPP, PMP (Project Management Professional), and advisory manager of cyber and physical security risk services at Deloitte. “Before IoT, everything that was connected to a network was a network device in the traditional sense,” explains Feeney, who is past chair of the ASIS Physical Security Council. “Now, almost anything can be a network device. And while the computer industry has had decades to incorporate security into its products, services, and overall DNA, IoT

April / May 2020

is essentially a toddler—growing rapidly but with most of its maturation still ahead.” All of these IoT devices face a “gauntlet of cyber threats,” Feeney says, including malware, man-in-the-middle attacks, brute force attacks, dictionary attacks, IP spoofing, denial of service and distributed denial of service (DDoS) attacks, session hijacks, and more. “The difference that IoT brings is that the attack surface—the aggregation of all points at which an attacker can gain access—is now exponentially larger once access control and other IoT devices are added to the network,” Feeney adds. It might seem obvious why someone would want to compromise an access control system: to unlock the doors to a building to gain entry. “The first thing that people think about is that once they’re inside the system, they have control over the system so they can unlock doors or disable sensors—things that are part of the actual mission of the access control system itself,” Wolf says. For instance, in a worst-case scenario at a highly controlled environment like a hospital, a compromised access control system could be used to lock surgeons out of an operating room or open doors to the pharmacy.

April / May 2020

But there’s another equally concerning reason someone might want to hack an access control system, Feeney adds. “Your natural first thought might be that access control systems are attacked because attackers want to gain access to an area, and the system is standing in their way,” explains Feeney. “That is one reason. But the reason is often that an attacker simply wants access to the network, and an access control system is as good an entry point as any other.” Regardless of the method of infiltrating an organisation, attackers are often looking to infiltrate the network and then move within it to gain access to more sensitive or valuable information. Hackers used this method during the infamous Target breach in 2013. They compromised a third-party vendor, obtained valid credentials from an unknowing authorised user, and connected to Target’s network using its vendor-portal process. The malicious actors then leveraged this access to obtain payment card data and personally identifying information about Target customers. “Maybe there are employee databases where they could steal information,” Wolf says. “Or they could use that access to spread ransomware, where files and

systems could be encrypted and held hostage—forcing the organisation to pay to free up that information.” Leveraging an intrusion into the access control system to the organisation’s building system could also pose safety risks to employees—such as setting off a fire alarm—or equipment. “If you’re able to control the HVAC system, you could prevent cooling of data center space, so servers start to overheat and fail,” Wolf says. “And that can cause interruption of business or operations.” Mitigating Existing Risk Despite the numerous vulnerabilities that exist, there are myriad ways to mitigate the risk of compromise to an access control system. “I work with a lot of clients who don’t have any drawings of where their devices are—they are flying blind,” Wolf says. “They don’t know, if something goes wrong, where to go and what component to look at.” The first step for security professionals with an existing access control system that is connected to the network is to fully understand the system—where the readers are, how it works, how it is connected to the network, who has access to the system,

NZSM

and who has administrative privileges over it. Then, all that information should be documented. “Identify where everything is and, probably most importantly, how those devices intercommunicate with each other and the outside world,” Wolf adds. “An Internet connection is one thing, but with older systems we’ll see a DSL line or dial-up modem connections to systems so a contractor can log in and make changes to the system.” These systems may have been installed decades ago. People often forget about those connections, which could be used by malicious actors to infiltrate access. Wolf also recommends security professionals working with an existing access control system connected to the network assess if it meets the organisation’s current security requirements. Starting from Scratch For those in the fortunate position of installing a new access control system, the process should start with a “soulsearching discussion” on the risks and benefits of connecting that system to the Internet, Feeney says. “If there isn’t a significantly compelling benefit to essentially adding a door to your network, it is arguably not worth doing,” he explains. “In the case of access control, there may be a strong case for doing this—especially if the desired end goal is moving to the cloud. In this case, be sure to leverage best practices to incorporate security into your new network architecture.” The organisation should consider if the access control system should be on a network separated from other assets. Doing this will help mitigate the risk that an intruder will use the access control network to obtain corporate information. “If the ultimate goal is to move your access control system to the cloud, this network separation can still be done at the organisation level,” Feeney says. “The separate access control or IoT network will connect to the cloud infrastructure. The original corporate network will separately protect all other assets. So, if the access control network’s connectivity is compromised, the attacker will not get access to the corporate network.” Once a decision is made about what network the system should reside on, the organisation should designate who is responsible for that network and the day-

to-day management of it. This is critical because the system will require regular patching and updates to mitigate new security threats. “Often an organisation’s IT department is better equipped to maintain the system because—if they’re a good IT organisation—they will have a patch management process in place to make sure that the network switches and all the network servers are up to date,” Wolf says. When purchasing the actual access control system, the individual responsible—such as the physical or IT security representative—should ask vendors how data from the reader to the master console is protected, says Darrell Brown, CISSP, information security program manager at La-Z-Boy Incorporated and member of the IT Security Council. “Is that data in transit encrypted? At what level? And what is the right fit for my company?” Brown adds. Organisations should also ask how often the vendor itself issues patches to its products, and what the process for issuing those patches is. “Proactively query your providers about patches and security updates to your hardware,” Feeney recommends. “Many access control devices traditionally get patches because customers request a feature or report an error that requires the patch. Instead, patch these devices like you do your computer—proactively as part of a comprehensive security strategy.” Organisations should also have a robust master service agreement

that outlines expectations and the responsibilities the vendor has to the organisation. “Have clear lines that delineate who owns what part of the system,” Brown adds. “Who’s responsible? Where’s the backup? Is there a backup? How do we ensure failover to it?” And while the system is being installed and implemented, security professionals should ensure that the process follows best practices for maintaining good cyber hygiene. This starts with disabling default passwords to create strong, unique passwords for the system, and limiting administrative privileges. ESD frequently encounters operating systems set up to automatically give administrator privileges to any users. “Most people don’t need that, and by restricting that, you’re ensuring that if a bad guy were to gain access using one person’s credentials, they wouldn’t have the ability to have administrative rights over the whole operating system,” Wolf says. Access control systems, like all locks, can be compromised by motivated actors given the right circumstances. Security practitioners should not assume that the system itself is secure. “Security is ideally a shared responsibility between consumer and provider,” Feeney says. “You’ll find this to typically be the case. But where the separations of responsibilities lie can differ greatly. For that reason, always check your service level agreement to understand what security responsibilities your provider has and what is left to you as the consumer.”

April / May 2020

MEM2400LP

World leaders in revolutionary Electric Locking Design and Craftsmanship. Proudly stocked and supported by NZ’s leading authorized distributor…

• Suits low door height or narrow profile frames • High holding force up to 1000kg • Releases with up to 70kg of side pressure; early warning alarm • Supplied with anti-tamper bracket • 12/24 VDC, low power consumption • 4 hour fire rated • Lock Status & Door Status Sensors MEM2400LED-LZ • Features as for MEM2400LP with L/Z Bracket for inward opening doors

FES20M • High security stainless steel strike rated up to 1490kg holding strength • Quick and easy Power to Lock/Power to Open interchange • Mounting kit with adaptor tabs • 12VDC 220mA; 24 VDC 120mA; 36 VDC 80mA • Door, Lock & Frame status monitors • Pre-drilled for extension lips, 25mm & 50mm available

FES 10 and FES 10M • Stainless steel faceplate & keeper rated up to 1300 kg holding strength • FES 10 is IP56 rated • Dual voltage capable; 12VDC 200mA, 24VDC 100mA • Pre-drilled for extension lips, 25mm and 50mm available • FES 10M has door latch monitor

SECURITY TECHNOLOGY RELIABILITY

• ELECTROMAGNETIC LOCKS

VE1260

• STRIKES • DROP BOLTS • ELECTRIC MORTICE LOCKS

FEL990M

• 5 YEAR WARRANTY

April / May 2020

• High security, 1000 kg holding force, 35kg pre-load capability • Accepts 12-30 VDC • Door status & Lock status monitors • Square & radius edge models • Pre-taped glass door housing available for radius edge version • Special strike plate caters for up to 12mm door misalignment • • • • • • • •

Multi-functional and field changeable Vestibule or combination Fail Safe/Fail Secure selectable 12/24 VDC Left or Right hand Key override Monitors: Door, Lock, Key & REX 12 pin connector

NZSM

21136/REV11.17 21336/1/18

Your FSH Electric Locking range includes…

OPINION

Opinion: Much to be done in response to violent extremism Former DPMC National Security Policy Advisor Dr Richard Shortt provides his perspectives on the Christchurch Mosque Attacks – and lessons for government – twelve months on. March 15, 2019, saw four issues collide and explode with horrific brutality into our collective consciousness. It was truly a stripping away of naivety and innocence for our country. Those four issues are:

Dr Richard Shortt is a former NZ Police Officer, and previously National Security Policy Advisor in the Department of Prime Minister and Cabinet, and Manager of the Combined Threat Assessment Group (CTAG) NZSIS.

1. Decades long failure of New Zealand governments and agencies to protect citizens from Military Style SemiAutomatic (MSSA) firearms; 2. Terrorism as a reality for New Zealand, not an abstract concept or something happening elsewhere in the world; 3. Confirmation that yet another type of violent extremism poses a real threat to life, and 4. Reinforcement of the fact New Zealand authorities must now be able to respond to violent extremism on home-soil, or wherever they detect it, because the Internet connects us all. The sad truth about the gun buy-back scheme, implemented with praiseworthy speed by the current government, is that it was 29 years too late. And, because of that delay 51 people died and 40 were seriously injured. Ministers were warned following the Aromoana mass-shooting in November 1990 about the dangers of such firearms in private hands in New Zealand. Six years later they received further confirmation of that danger via the Port Arthur mass-shooting in Australia, yet our leaders still failed to take steps to better protect the public. Successive governments of all political hues were reminded of the dangers over the following decades by officials and all failed to take any steps to outlaw such weapons. Now, one year on from Christchurch we have seen laws change, guns

purchased and hopefully a reduction of the risk to us all. Will the law changes and buy-back alone see MSSA weapons go out of circulation in New Zealand? No, unfortunately not. Some owners have not surrendered their weapons, criminals have not surrendered theirs, and no amount of border controls and policing can guarantee that such weapons will not enter the country illegally. That said, the law change was required and sensible, the buy-back offered a pathway out of ownership of the now banned weapons and those now found in possession of such firearms will be subject to penalties under the law. It’s the best we could hope for, I suggest. My second point goes directly to the question “Has the threat landscape changed.” Absolutely it has, in New Zealand and globally. Terrorism is now a reality for New Zealand. It has names and locations attached; it is etched into our collective memory. It is no longer a word that cannot be used in New Zealand, as I was advised many years ago as a national security policy advisor in the Department of Prime Minister and Cabinet, and as the leader of the country’s Combined Threat Assessment Group. It is no longer abstract or ‘over there’. It is here, it is bloody, it destroys lives and it must be effectively prevented and responded to. What is more, we now have to add a further type of violent extremism to the landscape. The type supported by the shooter in Christchurch. Recently in Australia, a government minister rebuked the Director-General of ASIO for publicly referring to this new type as ‘violent right-wing extremists’. I’m sure the rebuke was to placate her right-wing voters, who were, I am prepared to suggest, probably supporters of the calls a year or two ago to “call

April / May 2020

‘violent religious extremism’ ‘Islamic extremism’ because that’s what it is”. Unfortunately, for the minister and her voters this new type of extremism is inextricably linked to the far-right of politics and was described accurately. For many years the Federal Bureau of Investigation (FBI) in their annual threat assessments described far-right domestic groups and individuals as the greatest violent extremism threat in the USA. Then, along came 9/11 and the focus shifted, but now, here in New Zealand and in the USA (and elsewhere), the focus is firmly on all types of violent extremism as they are all just as deadly and corrosive as each other. As we know, a Royal Commission into the Christchurch shootings is underway. This is another praiseworthy response by government. I am confident the commission will present a variety of conclusions and recommendations that will guide this government and any future governments in their response to violent extremism. While not wishing to second guess the Commission’s outcomes, my own thoughts on what may be discovered include: Firstly, that it is very challenging to identify an individual who is a threat to life if they are careful in keeping their thoughts and intentions off the ‘radar’. Not all criminals (for this is what the person responsible for Christchurch is) ‘telegraph’ their intentions so intelligence or law enforcement agencies have a chance to interdict them.

April / May 2020

Secondly, that intelligence and law enforcement agencies are bound by the law. GCSB et al. were strongly criticised not so long ago for having stepped outside their legal boundaries. If we – society – want greater surety of protection, we may need to adjust our laws to empower agencies to look more widely and deeper in their efforts to detect danger. In doing so strong protections need to be applied to those powers to ensure public confidence is maintained. Finally, as someone who has worked in collaborative environments and researched interorganizational relationships, I will be interested to see what findings the Commission arrives at concerning the relationships between intelligence and law enforcement agencies in New Zealand. I hope they are found to be robust, lawful and collaborative in nature, with effective oversight, leadership and legislative support. If any of those elements are not present or are determined to be ineffective, they must be fixed as a priority, and, I argue, can be without too much additional expense. In conclusion, what are the key takeaways from the attacks and their aftermath? Firstly, governments should listen closely to their expert advisors – particularly when the advice is repeated and reinforced by events. We may have avoided the horrors of March 15th, 2019, if New Zealand had effectively dealt with MSSA firearms nearly three decades ago. The alleged shooter came to New

Zealand for a reason. He clearly had an intent but needed a capability, and his own country had acted decisively on the capability issue many years ago. Secondly, violent extremism is not limited to one flavour or colour. It cannot be ignored and must be watched for, identified, and called out for what it is. Let’s not get too hung-up on labels. If a person or group believes that killing another is a legitimate way of achieving their aims, then that’s violent extremism. Finally, the way people interact and communicate has been irreversibly changed by the advent of the Internet. Geographic isolation no longer means ideological isolation or inability to mix with, draw strength from or be motivated by like-minded individuals or groups in real time. Individuals who carry out acts of violent extremism are most often not loners, disconnected from the world and acting purely on their own thoughts. They are often connected to others via the Internet, they are in fact part of a virtual community. Our intelligence and law enforcement agencies need to be able to scan the Internet on all its levels to seek out and disrupt those who are disposed towards violent extremism. It requires laws to enable it, resources to do it and coordination and collaboration to ensure a small country like New Zealand can add a strong link to the chain of global security, because violent extremism is now a local as well as a global issue.

NZSM

INDUSTRY

NZSA CEO’s March Report In this update, NZSA CEO Gary Morrison talks virtual reality CoA training, Good Practice Guideline, wage increases, Fair Pay Agreements and Audits (written and originally released prior to Covid-19 lock down)

One of the biggest challenges for any association is how we communicate with our members and the wider industry. Whilst social media currently holds focus for many, we have found that some of the “old-fashioned” communications tools such as this newsletter and our regional visit programme achieve the most positive feedback and support.

Gary Morrison is CEO of the New Zealand Security Association (NZSA). A qualified accountant, Gary originally joined Armourguard Security as a junior accountant and held several roles over two decades prior to appointment as GM for New Zealand and Fiji, after which he established Icon Security Group.

We launched our newsletter four years ago to approximately 200 recipients - today our distribution list exceeds 1600 recipients, many of whom are industry customers, influencers and stakeholders. The regional visit programme was also introduced four years ago as a way to ensure our members and nonmembers had the opportunity to meet with the CEO on a regular basis, to keep up with industry developments and to provide feedback on pertinent issues. The regional visits originally comprised breakfast or ‘after five’ collective meetings but have evolved to the current one-on-one meetings at the member, or non-members, place of business. The regional visit meetings are without doubt one of the most enjoyable parts of my role - they provide the opportunity not only to meet with company owners and managers but also to understand their business (including the successes and challenges) and in most instances to meet a number of team members. They also provide a great snapshot of the current state of the security industry. There has definitely been an increase in optimism from most providers over the last six months or so and it is pleasing to note that this applies across both the guarding and electronic sectors. This

optimism seems to be largely driven by strong revenues, a lifting of charge rates (particularly for guarding contracts and casual work) and improved enforcement of our licensing legislation. The greatest concern across industry continues to be the ability to source good candidates to meet labour resource requirements. The ability to attract workers into the security industry, and to retain them, is a key focus area for the NZSA and as you will see in the commentary below we will be launching several new initiatives in this area to further support our already successful MSD Work Broker Programme. Virtual reality training platform for delivery of CoA Unit Standards This is a very exciting development for the industry as we look to use leading edge technology to provide a training option that will address existing concerns around the access to training, the quality of training materials and inconsistency of training delivery, and literacy related difficulties. Our focus in working with MSD in the development of the virtual reality training platform is to ensure that the industry has access to training that will provide the best possible learning outcomes. We do not intend to deliver the training - that will remain

April / May 2020

the function of the existing training providers. Furthermore, it needs to be recognised that virtual reality may not be suitable for all learners or circumstances and therefore the use of the virtual reality training platform will be an option for those being trained and not the only method of delivery. Our software developer, JBA, have been working closely with Skills over the last two months on understanding the legislative and regulative requirements that must be met under the Act and for NZQA and discussing how assessment criteria can be established and measured. The next phase will involve the developer scoping scenarios that align with the necessary training outcomes and the involvement of a small working group in evaluating and critiquing those scenarios. Timelines for the launch of the virtual reality training platform are still to be finalised but at this time we expect a date in the second half of this year. Good Practice Guideline The New Zealand Security Industry Good Practice Guideline has been reviewed by the endorsement panel at WorkSafe in the last week of February and we are currently waiting for any feedback and confirmation to launch the document. It is very pleasing to see that a number of major customers, who have had access to the draft document, have immediately included reference to the Guideline within their tender and contract documents and we view this as a positive step for the industry and lifting standards.

Increase in minimum wage and living wage A reminder to all members that the minimum wage increases from $17.70 per hour to $18.90 per hour effective 1st April 2020. There will also be an announcement during April as to what has been determined as the new living wage, currently $21.15 per hour. Fair Pay Agreements There remains some political uncertainty about the introduction of Fair Pay Agreements (FPAs). The Labour-led government remains committed to the introduction of FPAs and it has been confirmed that the first two industries to be covered by FPAs will be Security (being the guarding sector) and Commercial Cleaners. An official announcement on this, with timeframes for implementation, was expected from Minister Lees-Galloway in early March however our expectation is that any introduction will be scheduled for post the election. NZSA audit programme The NZSA audit programme provides members with the opportunity to be audited against the applicable Codes of Practice and where the standards with the Codes of Practice are met, to be recognised as an Accredited Member. The audit process generally requires either one or two days depending on the range of services provided and on completion the party being audited is provided with an audit report with detailed recommendations and if necessary, mandated improvements.

The intent of the audit is to provide an independent assessment verifying that the member operates in compliance with current good practice and to assist the member with continuous improvement. Where business deficiencies are identified, the audit report will provide recommendations on how improvements can be achieved and will often be supported with template documents or processes. The audits are valid for five years but require an annual declaration confirming that there have been no material changes to the business ownership, operation or premises. For more information on the NZSA audits contact gary@security.org. nz. New Zealand Security Awards This yearâ&#x20AC;&#x2122;s awards event is scheduled to be held in the Christchurch Town Hall on the evening of Friday 21st August. The event provides an opportunity to recognise our stand-out performers across the wide range of services covered by our industry. We will be providing information on the nomination process for award candidates and bookings for the event over coming months, however I encourage all business owners and managers to get behind the event and to take the opportunity to support and recognise your star employees.

April / May 2020

NZSM

INDUSTRY

Professional Investigators: No rest for criminals in lockdown In this update from New Zealand Institute of Professional Investigators Chair Ron McQuilter CFE, Covid-19 puts a halt on field work and progress is made on PI training and good practice guidelines.

Ron McQuilter is Managing Director of Paragon Investigations. A leading figure in the New Zealand private investigation sector over the past 35 years, Ron is a long-serving Chairman of the NZIPI.

Lockdown Like many professions, the work of professional investigators has been significantly impacted upon by the Covid-19 pandemic and associated lockdown. The nature of the job is that it is face-to-face, and much of it requires interacting with people. In saying this, we do work for banks and insurance companies that are essential services, so there is some investigations work going on. But field work is more or less on hold. If a PI investigating internal theft in a business is interviewing people during lockdown, I’d have serious concerns about that. My advice is don’t do it; it’s only money. Unless it’s life or death – or have an ongoing impact on public safety – you shouldn’t be going in and conducting face-to-face interviews. As to the question of whether it’s worthwhile seeking further clarification on what investigations activity is ‘essential’, I’m aware that there are around 4,000 queries to government about whether specific services are essential or not. That’s why I’ve decided not to enquire at this stage, and as I’ve already said some of our work might fall under our client’s designation. Many of the businesses in our industry are self-employed contractors and would be able to apply for the government subsidy, and I assume they are doing so. Ultimately, once lockdown lifts, we should be one of those industries standing at the start line with engine on and clutch down, because a lot of crime will have occurred in the meantime. I’m anticipating the phones should run red hot as the lockdown winds down, and so I think the industry should do okay.

Industry training C4 Group have been developing their Private Investigator training course. I’ve reviewed it line-by-line and have made recommendations to ensure it is as practical as possible. The NZIPI committee will now look at it with a view to endorsing it as a course for people interested in becoming a PI. Several years ago, another company ran a course, but NZIPI never got involved because it was pitched at a very low level. By contrast, this new C4 Group course is content-rich with information tailored for PIs. It is a good start, and it will cater for people new to the industry. Good practice guidelines I met recently with New Zealand Security Association CEO Gary Morrison in relation to the NZSA’s Good Practice Guidelines, and we’re looking to work with the NZSA to develop similar guidelines for PIs. It is important that we have a proper industry accepted set of guidelines, and I believe that ultimately something like this should be accepted by the PSPLA (Private Security Personnel Licensing Authority) as an industry standard.

April / May 2020

2020

MAGAZINE

The only publication featured at New Zealand’s premier Fire Industry Event New Zealand

NEW ZEALAND

FireNZ 2020

will be held in Rotorua, New Zealand

2nd – 4th September 2020.

The conference is once again presented by the Fire Protection Association of New Zealand, the Society of Fire Protection Engineers NZ Chapter, and the Institution of Fire Engineers New Zealand Branch.

2-4 SEPTEMBER 2020

The annual FireNZ national conference has established a reputation as the premier fire industry event for keeping abreast of advancements all aspectsCENTRE, of fire safety ROTORUA in New Zealand. ENERGY in EVENTS

NEW ZEALAND

The FireNZ Conference and Tradeshow 2020 will provide you with a valuable opportunity to promote your company it’s products and services to key industry buyers, suppliers, stakeholders creating new business opportunities while fostering connections with leading international experts . FireNZ Magazine is the best way to make the most W Z E A L A N Dyour business it’s of this opportunity toN Epromote people, products and services to the the cream of New Zealand’s fire industry.

For advertising in the publication contact: craig@defsec.net.nz • web: www.defsec.net.nz For exhibition stands contact: admin@fpanz.org • web: www.firenz.org

www.firenz.org

DEFSEC

Defsec Media publishes Line of Defence, New Zealand Security Magazine and FireNZ Magazine - premier publications covering industry sectors that help keep Kiwis safe. Find us online www.defsec.net.nz • Phone +64 (0) 274 597 621

THE FORUM OF FIRE PROTECTION, FIRE SAFETY AND FIRE ENGINEERING PROFESSIONALS

Line of Defence New Zealand’s Defence and National Security Magazine

MAGAZINE

NZSM New Zealand Security Magazine

The VPN is back but don’t forget device hygiene To avoid high-risk data flows from remote workers onto corporate networks, Forescout says organisations should use VPNs and device hygiene to ensure their networks remain secure and visible during this disruptive period. The digitalised capability of today’s workforce means that, while people in Australia and New Zealand are being urged to self-isolate, many businesses are encouraging employees to work from home to help flatten the pandemic curve. Remote working capabilities are letting many public and private sector employees continue working their normal hours, saving thousands of jobs.

Over the past few years, many organisations have integrated cloud-based services into their operations, making the rapid shift into remote working seamless. However, the move to the cloud has often accounted for just part of the operations, with many common and proprietary applications still residing on-premise. This leaves organisations reliant on VPNs to secure the communication pathway from remote users to a corporate network with an end-to-end encrypted tunnel. This potentially provides a false sense of security for organisations when used in isolation. Steve Hunter, senior director, systems engineering, Asia Pacific and Japan, Forescout, said, “While VPNs provide a secure communication path to the corporate network, they don’t enforce security on personal devices and activity isn’t monitored when connected to the corporate network, presenting a new attack surface for remote workers.” With remote working being the only viable solution for the foreseeable future, businesses must understand the risk this brings. Forescout has identified three ways to help businesses secure their remote workforce:

1. Get complete visibility into all remote devices Organisations can’t secure what they can’t see. Beyond user and VPN authentication, it is important for organisations to identify devices and categorise them as corporate-issued or personal. This provides for specific security policies to be applied to bringyour-own-devices (BYOD), while also monitoring device behaviour and network traffic. This gives organisations visibility into devices at a higher risk than corporate devices. Additionally, relying solely on installed agents to gain visibility into corporate devices can be risky, as reduced IT oversight and governance may cause agents to get misconfigured. Agentless solutions are preferred because they don’t require anything to be installed on devices and they can provide visibility into all devices without blind spots. 2. Extend same level of cyber hygiene to remote devices Unlike most home Wi-Fi networks, corporate networks have network controls such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), alternatives to detection (ATD), and network traffic analysis (NTA) to protect the environment and detect intrusions. With the remote workforce connecting to less-secure networks at home, device hygiene and security are

essential for both corporate and BYOD devices. Essential security posture checks need to be conducted before letting devices on the corporate network, even if they have authenticated correctly via VPN. A single vulnerable, non-compliant, or compromised remote device on the network can provide an entry point for threat actors. Additionally, consumergrade Internet of Things (IoT) devices on home networks provide opportunities for lateral movement of threats. In these cases, it’s essential to provide continuous end-user education and communication. 3. Enforce access controls and segmentation policies The rapid shift to the remote workforce means that organisations are already operating outside of normal conditions. With cybercriminals aware of this, it is more important than ever for organisations to continuously monitor and enforce policies to prevent cyberattacks from succeeding. Organisations should enforce best practices such as least-privilege access. Users should be automatically notified about compliance issues via captive web portal and balloon/popup notifications, and VPN connections should be terminated if non-compliance persists. Most importantly, organisations should monitor network activity from remote devices to detect deviations and maintain segmentation hygiene.

April / May 2020

NZ made

SECURITY TECHNOLOGY RELIABILITY

fire door holding

electromagnets 12 & 24 VDC selectable ! e l ab

FDH40S

k rea

unb

unbreakable universal mounting • Low power consumption - low operating temperature • One product suits floor and wall mounting • Universal armature - offsets to 55º to suit doors opening past 90º • Wall mount extensions available • 12 & 24 VDC selectable • Push off button with no residual magnetism • Oversize armature for easy alignment • Emergency release button • Electroless nickel plated armature and electromagnet • Stainless fastenings • Full local support and back up

10 YEAR GUARANTEE*

Standard, floor mounted, wall to door distance 114mm

Designed, tested and produced in New Zealand to AS4178 A) Wall mounted,126mm extn. tube (overall 202mm) B) Wall mounted, 156mm extn. tube (overall 232mm) C) Wall mounted, 355mm extn. tube (overall 431mm) A)

ANTEE

Option A – Surface Mounted

GUAR

FDH40S/R

Surface and Recess mounting This device enhances an outstanding range of unbreakable products which conveniently hold open fire doors. When a smoke/fire alarm is activated the magnet instantly releases the door to the closed position to prevent the spread of smoke and fire. These units feature a choice of 3 covers for optimum aesthetic appeal and durability. The installer can utilise one device for surface mounting or for recess mounting. Option B – Recess Mounted

10 YEAR GUARANTEE*

Gloss Black

Gloss White

April / May 2020

GUARANTEE

NZSM

*Standard terms & conditions of sale apply.

21556/1/18

Satin Aluminium

For expert advice and assistance with your security locking needs, trust in Loktronic, call us on 0800 367 565

April / May 2020