How to Prepare for What's Next in Era of Myriad Security Threats
PJ Media asked Andy Jabbour, the co-founder and managing director of D.C.-area security firm Gate 15, to offer some thoughts on the current homeland security climate and how threats are being addressed at every level.
Jabbour served eight years as a U.S. Army field artillery and civil affairs officer with tours in Kosovo, Iraq and Afghanistan. For several years he led contract support to planning, training and exercise projects and supported various national incidents for the Department of Homeland Security’s Office of Infrastructure Protection, as well as leading projects at the Department of Defense, the U.S. Army Corps of Engineers and the U.S. Nuclear Regulatory Commission. Jabbour leads Gate 15's risk management and critical infrastructure operations with a focus on information sharing, threat analysis, operational support and preparedness activities.
Q: You work with a variety of threats, domestic and international. Which security scenario should be a greater focus of training among government and private entities?
A: So, the quick answer is that regarding physical security, the threat of hostile events broadly -- low-tech terrorism, active shooters, workplace violence, etc. -- is something that needs to be an area of focus for all organizations. What that means varies from organization to organization, but it's thinking through the threat broadly and being ready for it both operationally in response as well as in terms of workforce education, messaging, resilience and other areas. On the cybersecurity side, it can seem overwhelming for many as they hear about scams, malware, identity theft, Internet of Things, etc. I think many organizations need to really just focus on fundamentals and general preparedness for potential cyber disruptions. That means basic blocking and tackling type stuff, like having plans and procedures in place, threat awareness/staff education programs and simple exercises. The Federal Trade Commission just put out new resources for small businesses and there are plenty of others as well. At the user level, being aware of the general types of scams and tactics that may be used is probably the right level to focus on for most organizations right now, and build from there.
Q: What is the general prevalence of unaddressed security vulnerabilities, including physical or cyber attacks, at government and private entities?
A: It's hard to say that across the board – every organization does things differently. In physical security issues, a lack of appreciation as to the threats, risks and potential impacts, combined with a lack of time and resources, leaves a lot of neglected areas. In cybersecurity, some organizations are great and very proactive but a lot aren’t, for a number of reasons. For some, trying to apply patches during certain periods is a risk they consider bigger than the risk of an attacker capitalizing on that exposure. That leaves them vulnerable, but by their risk calculation it’s a chance they’ll take.