Our anonymous client called us in a panic. A significant number of new laptop computers had vanished from a storeroom without trace. They did not want to suffer a reputational damage, as they took significant pride in their ability to investigate fraud and corruption. But this was a case of the baker being caught with no bread.
The storeroom where the laptops were taken from was in the parking basement and was one of the many areas not covered by their CCTV system. Cameras were placed wherever they might be needed, with no objective.
A quick review of the available CCTV footage showed that coverage was woefully inadequate for their needs, it used old technology and essentially blind at night.
These problems were aggravated by management only placing lip service to security. The role of security was almost an afterthought allocated by default to the facilities manager, who had no experience nor training for the undefined role. More importantly, no budget was allocated to him for security.
Being helpful
Obtaining copies of the existing CCTV footage was compromised as evidence and a substantial part of it was lost when the OHS officer tasked with the job failed to copy it successfully. He was found to perform this function purely because no one else had been allocated the task, and he had never received any training. He did so out of inquisitiveness and to help out.
The remaining footage had no offline reader, so the investigators were forced to download a viewer that turned out to be barely suitable. The footage also all had nearly the same filename, so it became near impossible to determine which day and time the investigators were viewing. The viewing software lacked zooming capability and did allow fast forwarding and still frame images. These problems were systematically resolved by the private forensic investigating team, but the solution was far from optimal.
Slowly the many files were identified and a coded naming convention was applied to allow viewing. The files did not allow coverage of the entire timespan needed as backups had not been taken when the OHS officer was on leave.
The existing useable footage was then reviewed in painstaking detail, as the investigators were not sure what to look for. Activity that could possibly be related to the missing goods was tracked, viewed through all possible cameras and noted. At night, lights to illuminate the building essentially blinded the cameras. Only one of the cameras was high definition and it was placed at the managing director’s office entrance.
Convenience beats security
The footage revealed what was already suspected, the existing security guards paid only lip service to access controls as well as company assets moved between buildings. Management were fully aware of this themselves, but were only too happy to bypass the existing controls as it hampered their movements.
Despite their best efforts, due to the lack of appropriate CCTV footage, the investigators were unable to conclusively prove beyond reasonable doubt exactly how the laptops went missing from the storeroom. The hundreds of hours of available CCTV footage failed to find the flames, but did show lots of smoke. Lots of inappropriate after-hours activity was evident. The investigators did however, establish sufficient evidence against the perpetrators and trace a substantial number of the goods on the black market.
Unfortunately, the issue was swept under the table as a major contributory fact to the theft was the extremely poor management controls and oversight of their assets.
Lessons learned
In retrospect, the following lessons seems so obvious, yet they were missed by a generally very capable management team:
1. The client paid only lip service to securing its assets (people, equipment and intellectual property).
2. The client had not performed a detailed security risk assessment to identify items of value and each item’s associated risks and controls.
3. The client failed to provide the security department with a formal dedicated budget.
4. The client failed to define and implement any security objectives, only implementing basic access controls.
5. The client failed to formally allocate distinct duties to the security staff.
6. The client made use of inadequate storage facilities due to operational demands.
7. The client did not install and operate the CCTV cameras adequately.
8. CCTV footage should be available for at least three months, backups tested for readability, and have trained persons performing the tasks.
9. The client failed to undertake regular scenario planning based on own vulnerability assessments, asset value and recent occurrences in the industry.
10. Persons undertaking security duties (especially external parties) should be adequately trained and rotated. Their daily functioning should not be bypassed by management for convenience as it sets the tone for all others to follow.
11. Any sub-contracting of the security functions must be formally managed on a regular basis with SLA breaches being followed up.
12. A regular operational capability assessment should be carried out.
Corporate Business Security specialises in the design, installation and maintenance of access control and surveillance systems.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version