Exposing Some Misconceptions About Security Technology

While it’s tempting to become impressed with state-of-the-art asset protection technology, it can prove costly to be lulled into a false sense of security. With internal theft and cargo crime spiking, the last thing that any company can afford is to be blindsided by a six or seven figure loss. However, that’s exactly what’s been happening to companies throughout the country that have placed too much confidence in the security technology they’ve acquired.

Security technology can certainly be beneficial; however, there are also weaknesses in these systems that are being exploited by dishonest employees. Here are some examples:

CCTV – Although some overzealous sales people would like you to believe that the existence of a few dozen cameras throughout your facility will virtually guarantee a theft-free environment, this is simply not true. In fact, more than 90% of the companies contacting us to investigate significant theft-related loss already have video systems in place. If closed circuit television effectively deterred dishonesty, these companies wouldn’t be missing large quantities of their inventory.

Why doesn’t CCTV prevent or expose insider theft? One of the primary reasons is that fraud and collusion look exactly like standard operating procedure. There are no bells or whistles going off when employees steal product through the shipping, receiving, customer pick-up, transfer or return functions – and these are the areas where large scale theft regularly occurs in the typical distribution center.

Another reason why video systems oftentimes fail to protect companies from theft is because few executives have the time, patience or inclination to watch live or archived activity. Unfortunately, dishonest workers are well aware of this fact. In this respect, a video system is no different than a piece of exercise equipment. Simply purchasing it won’t provide any benefit. Unless it’s regularly used, it provides little or no return on your investment.

RFID – A recent DC Velocity article referenced a survey of companies using radio frequency identification systems, where nearly half of the respondents had problems, such as signal disruptions, integration issues and unit failure.

Beyond the technical glitches, it’s important to keep in mind that RFID was never intended to protect against internal theft. Designed as an operational tracking tool, it is not immune from manipulation by employees who have access to the devices. Dishonest workers intent on concealing their theft activity can defeat RFID tags and readers a number of ways, at which point the tracking capability is completely neutralized.

Bar code scanning – The forerunner of RFID is still used by many companies today. Like RFID, it provides many operational benefits. However, it won’t stop internal theft.

If, for example, a devious selector or loader wants to place four extra cases of inventory onto the truck of a driver he’s working in collusion with, he simply won’t scan the extra boxes. It’s that simple.

A similar scenario can also take place in the receiving function. We’ve caught receivers who were paid thousands of dollars from dishonest drivers because they allowed the truckers to keep a percentage of the product they were supposed to deliver. The receivers concealed their theft by scanning the same cases multiple times, which was possible because many manufacturers don’t assign personalized bar codes for the same SKUs.

GPS – Many companies initially invested in global positioning satellite technology when it was introduced because they thought they would be able to put a stop to trucker theft. Although GPS has been effective at exposing drivers who extend their breaks, it has been repeatedly defeated by dishonest drivers selling product off their trucks.

Dishonest drivers can have their trucks overloaded with product by warehouse personnel working in unison with them, thereby creating extra inventory that can be subsequently sold for cash.

Drivers can also prey on customers that don’t carefully check in their shipments and deliberately short them on their deliveries, which results in extra cases that could then be illegally sold.

In order to avoid detection via GPS tracking when they illegally transact the product for cash, dishonest drivers will meet their accomplices and offload the stolen product during their authorized break periods at diners or rest stops, rather than going off route. In other cases, drivers will stay under the radar by selling the hot goods in proximity of their authorized delivery locations, claiming they were waiting for an available door to make their delivery. Consequently, drivers looking to profit at their employer’s expense are not intimidated by having GPS in their vehicles.

Technology can add significant value to a loss prevention program. However, it’s not a cure-all. Carefully selecting and integrating the right technology with Best Security Practices has proven to be the most effective way to protect against internal theft.

Anatomy of a Theft: How $182,000 of Inventory Disappeared

Here’s an actual case history that resulted in a distributor losing over $180,000 of inventory. The methodology was simple, yet effective. By taking advantage of this company’s rapid growth and lax security controls (both of which created opportunity), a devious checker disproved the old axiom that crime doesn’t pay. Reality check: crime pays quite well, which is why it occurs so frequently.

OVERVIEW:

This distributor’s trucks would be loaded during the night shift. In the morning, company drivers would make their deliveries.

When this company shipped product, labels would be applied to the outside of each case picked. Management felt comfortable that extra cases being placed onto trucks would be noticed because they would not have an affixed label. In actuality, it wasn’t difficult to circumvent the system.

By printing duplicate labels (if questioned, the checker would claim that some of the original labels did not print well, were damaged, or lost), he was able to have extra, unmanifested boxes placed onto the trucks of the drivers he was working in collusion with. These truckers were able to sell the overloaded product at a steep discount and still make a handsome profit. In no time, the three employees were pocketing more than $10,000 a month in cash.

Management had no idea that they were losing this quantity of product until they took an inventory. The Director of Distribution initially balked at the possibility of theft. However, when the results of the next inventory indicated even more shrinkage, he realized that he could no longer remain in denial.

WHY THIS COMPANY WAS EASILY VICTIMIZED

(1) Although this company had purchased an expensive video system, the dishonest employees knew that no one ever watched the monitors or viewed recorded activity. Additionally, the cameras were not positioned strategically, nor was the right equipment purchased. The bottom line was that the video system didn’t prevent, or even slow down, the ongoing theft activity.

(2) The company failed to provide a risk-free way for employees to report confidential tips. Management assumed that their “open door policy” would be sufficient for workers to report illegal activity.

It was later determined that other workers knew that this checker was stealing, but kept this information to themselves. They were concerned about their identities being leaked if they confided in company executives. Only after the dishonest workers were apprehended did the employees come forward and reveal what they had known all along. If this company had an outsourced 800 tip-line that offered employees complete anonymity, the employees said they would have reported the dishonest checker.

(3) The company did not have an effective security auditing program that prevented and detected shipping dock collusion. Had they maintained periodic monitoring of their drivers and checkers via unannounced security audits, the thieves would have probably been exposed long before the thefts mushroomed into a six figure loss.

2011 C-TPAT Conference

U.S. Customs & Border Protection recently held its annual Customs-Trade Partnership Against Terrorism Conference in San Diego, and once again this sold out gathering featured top caliber speakers.

In keeping with the theme, “A Decade of Supply Chain Security & Innovation”, Bradd Skinner, Director of the C-TPAT program, reflected upon the progress made in the last 10 years. Conceived in 2001 with only a handful of U.S. importers, C-TPAT now has over 10,000 business entities that have received C-TPAT certification. Globally, the C-TPAT program has become recognized as the standard for supply chain security excellence.

Director Skinner also provided insight into a number of important issues, including future direction for this historic program.

One of the points he made was the emphasis that C-TPAT will now place on “evidence of implementation” during validations. Being actively involved with validations domestically and internationally, I’ve experienced this new focus firsthand. Whereas the Supply Chain Security Specialist teams used to accept documents that simply formalized supply chain security policies and procedures, companies being validated are now required to prove that they are in fact being diligently followed.

When I was a speaker at the 2010 C-TPAT conference, I made the statement that most security programs look much better on paper than they actually work in reality. Danbee Investigations has performed supply chain security investigations and audits for over 25 years, ranging from inventory theft, sabotage, product tampering, and counterfeiting, to workplace substance abuse/distribution and smuggling.

We’ve repeatedly found that the most serious security breaches were the result of companies believing that their safeguards were far more effective than they ultimately proved to be. Company executives wrongly assumed that their asset protection safeguards incorporated best industry practices and were being diligently followed on a day-to-day basis. The reality for these companies was that many vulnerabilities existed, and were subsequently exploited.

By C-TPAT requiring companies to show proof of implementation, they will expose those companies not fully committed to implementing and consistently maintaining meaningful safeguards throughout their supply chain. Essentially, it is the “trust but verify” concept at work.

The February 2011 Global Awareness Bulletin published by the U.S. Department of State warns that American companies doing business in foreign countries may be targeted more aggressively by terrorist organizations like al-Qa’ida. Terrorists measure success not just in the number of victims but by the financial damage and long term costs associated with additional regulations governments are forced to enact to deter future terrorist incidents. Consequently, because of dramatically reduced inspection rates, C-TPAT certified companies automatically become high value targets.

If a C-TPAT member has superficial supply chain security controls in place, they are at significantly higher risk of unknowingly transporting a conventional, biological, chemical or nuclear weapon into the United States. Obviously, safety is the number one concern. However, the ensuing panic, the widespread economic ramifications both domestically and abroad, as well as the financial and legal consequences for the company that imported the weapon of mass destruction would be catastrophic.

CBP’s mission is a daunting one. Unlike baseball, a .500 or .600 batting average will equate to failure rather than Hall of Fame status. While import volume to the U.S. may make perfection an unrealistic objective, striving for anything less creates an unacceptable level of risk. That’s why I not only understand CBP requiring evidence of implementation, I fully support this initiative.

Facility Break-Ins: “I Can’t Believe My Security System Was So Easy To Defeat!”

We’ve heard this statement repeatedly from executives whose companies have been victimized, usually accompanied by a dazed expression that can best be described as shock and awe.

In April 2010, a major pharmaceutical company’s Connecticut warehouse was burglarized by professional thieves who stole approximately $75 million of brand name drugs. According to reports, the thieves circumvented the electronic security systems in place with little difficulty while committing one of the largest distribution center thefts in history.

In the last few years, professional cargo theft rings have expanded their activities, no longer focusing only on trucks, rail cars and intermodal containers in transit. They have found it extremely lucrative to attack distribution centers and manufacturing plants, where they have repeatedly gotten away with millions of dollars of stolen inventory. Not bad for a few hours of work.

The truth of the matter is that these break-ins require a good deal of time to plan, prior to execution. It’s not unusual, for example, for cargo rings to dispatch advance teams to surveil a targeted location for several weeks prior to their attack. Logistics such as the time the facility opens and closes, the number of employees on each shift, the traffic patterns of inbound and outbound trucks, whether there is on-site security and if so, how and where the manpower is appropriated, the design of the lighting and fencing, as well as the frequency of roving police patrols are just some of the factors that they carefully evaluate.

They’ve also been known to gain entry inside their targeted facilities posing as vendors, contractors, service people or sales representatives.

They will also have their members apply for jobs, many of whom have warehouse experience and are skilled at operating forklifts and other equipment. Once hired, they will assess the locations of all the alarm devices, what type of video system is in place, as well as the interior physical structure of the doors, walls and racking. After this information is obtained, and oftentimes photographed using concealed cameras and camcorders, they will methodically plan the most effective way to circumvent the facility’s security safeguards.

They oftentimes arrive with teams of specialists, including forklift operators, tractor trailer drivers, and surveillance personnel (who stake out the major access roads for police response) as well as technical experts who know more about electronic alarm systems than many of the companies that install them.

The end result is normally a successful heist, with the victimized company not knowing they’ve been hit until the next work shift arrives and finds that significant amounts of inventory have vanished.

Most of the companies that find their alarm systems disconnected, the video recorders missing, and several trailer loads of inventory stolen are shocked, not just by the financial loss, but by the speed and efficiency of the perpetrators.

While most victimized companies are amazed by the ingenuity and ease with which their security controls were defeated, the reality is that the professionals have been using the same methods for several years. Disconnecting phone and power lines, cutting through doors (rather than prying them open and activating the alarm system’s magnetic contacts), and entering via the roof or wall vents are standard operating procedure and pose little difficulty for these pros.

While there are always new, innovative methods, such as installing concealed wireless video cameras outside a building that will record employees entering their alarm codes into the lobby keypad, the professionals tend to use the same techniques that have historically been very effective for them.

To appreciate why electronic intrusion detection and video systems have been consistently compromised, it’s necessary to understand two realities about the alarm industry.

The first is that most of the sales reps that design intrusion detection and video systems have very little, if any, direct knowledge of how these professional thieves operate. While this may seem illogical, it’s nonetheless true.

Danbee Investigations has investigated over $100 million worth of thefts by professional crime organizations. When we’re asked to conduct a post-theft investigation, we meet with representatives from the security system provider who designed and installed the facility’s electronic protective systems. During these discussions, we typically ask these sales representatives if they’re familiar with the professional thieves and their standard operating practices, i.e., how they defeat high-tech security systems. Ninety-nine out of 100 times, their response is, “No.” However, these same sales reps are the ones that distribution company executives typically rely upon to select the right technology, strategically position all the protective devices, and then properly program these systems.

Another reality is that alarm companies have minimal legal or financial responsibility for losses sustained by their customers. Regardless of whether, for example, the wrong devices were selected, or if the central station operator failed to properly respond to an activation, alarm vendors have limited liability. If you doubt this, read the small print in your contract and you’ll probably find not one, but two or three clauses that stipulate this.

This is not an indictment of alarm and video system providers. The reality is that they would not be able to obtain insurance if they assumed this type of responsibility. Because alarm companies could potentially be paying out millions each year, their contracts essentially state that they are not “insurers.”

Considering the limited understanding that many security system sales representatives possess, businesses should be wary about relying on a vendor to design their electronic protection. There is a significant difference between having your security systems designed by a salesman and an independent security consultant.

Cargo Theft: The Latest Intelligence Regarding Professional Crime Organizations

More product than ever is being shipped to warehouses, stores and directly to consumers by truck. As a result, professional criminals have found that there is a fortune to be made by stealing these “warehouses on wheels.”

Once the exclusive domain of established organized crime families, dozens of new cargo theft rings have sprung up across the United States in the last ten years. In some parts of the country, law enforcement officials are overwhelmed and simply unable to keep up with the case load.

As reported in a 2010 Wall Street Journal article, law enforcement agencies and insurance companies are both reporting increases in cargo theft activity. Chubb Corporation, a major insurance company based in N.J., reported that insurance claims and data from other sources showed cargo thefts in 2009 increased 6.6% from 2008, and were up 23% from 2007.

Attracted by the number of trucks on the road, the lax security controls utilized by many warehousing and transportation firms, the low probability of being caught, as well as the resale value of the goods, cargo theft has become an extremely profitable enterprise. Here are some of the tactics they frequently utilize:

• They are so confident in their ability to be successful that the product is oftentimes sold before the truck thefts or distribution center break-ins have even taken place.

• They have been known to infiltrate their members into companies posing as employees, vendors and contract labor, which has proven to be an excellent source of inside intelligence for them.

• It’s not unusual for them to conduct surveillance on a targeted DC or to follow trucks for extensive periods of time before striking.

• They are extremely familiar with almost every variety of GPS, including where the antennas are concealed. Consequently, they can have most GPS units disabled within minutes.

• They frequently conduct surveillance at truck stops commonly used by drivers looking for targets.

• They have been known to lease warehouses in various parts of the country with interior loading docks to safely conceal the trucks they steal and store goods.

Avoiding Pitfalls When Conducting Foreign Supply Chain Security Audits

by Barry Brandman

Here are two reasons why supply chain security should be taken seriously:

1. If your safeguards look considerably better on paper than they work in reality, your company faces the risk of having illegal narcotics or a weapon of mass destruction smuggled into the United States via one of your shipments.

2. The other risk you face is that when C-TPAT inspectors validate your foreign suppliers and logistics providers, they may find your controls woefully inadequate and lower your tier level or even remove you from the C-TPAT program.

If you want to protect your import shipments from theft, smuggling and terrorism, you’ll need to have a diligent auditing process in place. Aside from it being a C-TPAT requirement, it’s also one of the most critical components of your security program.

One of the primary objectives when performing a comprehensive security audit is to separate fact from fiction.

Prior to conducting one of our C-TPAT compliance audits at a foreign distribution center, we had been assured that all their security controls were being diligently followed and our client’s product was extremely well protected.

Prior to our arrival, this consolidator had informed us that they had complete video coverage throughout their facility, tight control over inbound and outbound goods and that our clients’ product was always kept in a highly secured segregated area.

What we observed, however, was quite different. Not only were the CCTV camera views providing terrible clarity, but our client’s goods were not being monitored from the time they were taken off an inbound truck to the time they were eventually reloaded for transport to the Hong Kong seaport. There were numerous “blind spots” where our client’s product could have been tampered with and completely avoided observation by their video system.

We found that their digital hard drive was much too small, only archiving recorded video for 7 days – an inadequate period of time in the event that a post event investigation was required in the future.

We also exposed loopholes with their cargo handling practices. Inbound truck security seals for example, were being removed by anyone working on the receiving dock rather than by more senior personnel (which is what their policy called for). Consequently, we found that many workers did not take the time to verify that the seal number on an arriving truck matched the manifest (another major policy violation).

We also found that the seals used on outbound trucks were left exposed in an open box on the shipping dock, fully accessible to all employees, vendors and outside truckers. Because the shipping crew didn’t use seals in numerical sequence, these exposed seals could have been stolen and then reattached to a truck’s cargo doors after a driver left their facility.
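The inbound and outbound seal checks described above can be run as a routine audit over dock records. The following is an added example, not part of the original article; the record layout, role names and seal numbers are constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: the roles a site's policy allows to remove an inbound seal.
AUTHORIZED_ROLES = {"supervisor", "dock_manager"}


@dataclass
class InboundArrival:
    truck: str
    manifest_seal: str     # seal number printed on the manifest
    observed_seal: str     # seal number read off the truck ("" if nobody checked)
    removed_by_role: str   # role of the person who removed the seal


def _norm(seal):
    """Compare seal numbers without regard to case or stray whitespace."""
    return seal.strip().upper()


def audit_inbound(arrivals):
    """Flag arrivals where the seal was not verified, did not match, or was
    removed by someone the policy does not authorize."""
    findings = []
    for a in arrivals:
        if not a.observed_seal.strip():
            findings.append((a.truck, "seal number not verified against manifest"))
        elif _norm(a.observed_seal) != _norm(a.manifest_seal):
            findings.append((a.truck, "seal number does not match manifest"))
        if a.removed_by_role not in AUTHORIZED_ROLES:
            findings.append((a.truck, "seal removed by unauthorized role"))
    return findings


def audit_outbound(first_seal, issued, voided=()):
    """Check that outbound seals were applied in numerical sequence.

    issued: (seal_number, truck) pairs in the order the seals were applied.
    voided: seal numbers recorded as damaged or destroyed.
    """
    findings = []
    seen = set()
    highest = first_seal - 1
    for number, _truck in issued:
        if number in seen:
            findings.append((number, "issued more than once"))
            continue
        if number < highest:
            findings.append((number, "issued out of sequence"))
        seen.add(number)
        highest = max(highest, number)
    # Any number below the highest one used that was neither applied nor
    # voided is a seal nobody can account for.
    missing = set(range(first_seal, highest + 1)) - seen - set(voided)
    findings.extend((n, "unaccounted for") for n in sorted(missing))
    return findings


# Constructed sample records.
INBOUND = [
    InboundArrival("T-101", "HK48213", "hk48213 ", "supervisor"),
    InboundArrival("T-102", "HK48214", "", "receiver"),
    InboundArrival("T-103", "HK48215", "HK48251", "dock_manager"),
]
OUTBOUND = [(7001, "T-201"), (7002, "T-202"), (7005, "T-203"),
            (7003, "T-204"), (7002, "T-205"), (7007, "T-206")]
VOIDED = {7004}

if __name__ == "__main__":
    for finding in audit_inbound(INBOUND) + audit_outbound(7001, OUTBOUND, VOIDED):
        print(finding)
```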

Insofar as our client’s product being segregated “in a highly secured area”, we observed that the fencing was only 8’ high and had no ceiling to protect against employees simply climbing over it. We also found that the keypad code to this area hadn’t been changed in nearly nine months and was known to most of the workforce (including those without clearance to this area). Additionally, we determined that the alarm system was only being armed at the end of each workday, even when there was no work being performed in this area for hours at a time.

These issues, as well as an array of other security loopholes that were exposed, were promptly addressed and remedied. However, had this audit not been performed, our client’s risk factor would have remained unnecessarily high.

Training is another important component, yet it’s frequently not provided when an on site assessment is performed. During a recent C-TPAT training program we conducted for a foreign manufacturer, we asked if anyone knew whether bolt seals could be circumvented. Ninety percent of those in attendance responded that it was impossible to manipulate them. The problem here is that bolt seals can in fact be circumvented a number of ways and if those responsible for seal integrity think they’re foolproof, they’ll never recognize and expose breaches when they do occur.

When evaluating the quality of a foreign site’s security program, it’s also important to avoid “getting lost in the translation.” Because C-TPAT focuses on imports, working with foreign companies is commonplace.

Cultural differences and language barriers can result in misleading responses and faulty conclusions. It’s for this reason that we deliberately ask the same questions several times (although they are worded differently) in our supply chain security questionnaires sent out to foreign suppliers and logistics providers. When respondents answer yes on page one and no on page five to the same question, we know that they either didn’t understand what we were asking or weren’t providing us with accurate responses.
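The cross-check described above, where the same question is asked more than once in different wording, can be automated when questionnaires are returned. This is an added example, not part of the original article or the firm's own questionnaire; the question ids, control names and sample answers are constructed, and it assumes some variants are worded in the negative so that a "yes" there means the control is not in place.

```python
# Each question id maps to (control being asked about, polarity).
# polarity +1: "yes" means the control is in place.
# polarity -1: the question is worded in the negative, so "yes" means it is not.
QUESTION_MAP = {
    "p1_q4": ("inbound_seal_checked", +1),   # "Is every arriving seal compared with the manifest?"
    "p5_q2": ("inbound_seal_checked", -1),   # "Are trucks ever unloaded before the seal is compared?"
    "p2_q1": ("full_video_coverage", +1),
    "p6_q3": ("full_video_coverage", +1),
    "p3_q2": ("keypad_code_rotated", +1),
    "p7_q1": ("keypad_code_rotated", -1),
}

YES = {"yes", "y", "true"}
NO = {"no", "n", "false"}


def normalize_answer(raw):
    """Return True/False for a clear yes/no, None for blank or unclear text."""
    text = (raw or "").strip().lower()
    if text in YES:
        return True
    if text in NO:
        return False
    return None


def cross_check(responses, question_map=QUESTION_MAP):
    """Group the reworded questions by control and classify each control as
    consistent, contradictory, or incomplete."""
    implied = {}
    for qid, (control, polarity) in question_map.items():
        answer = normalize_answer(responses.get(qid))
        # Convert the answer into "is the control in place?" for this wording.
        state = None if answer is None else (answer if polarity > 0 else not answer)
        implied.setdefault(control, []).append((qid, state))

    report = {}
    for control, states in implied.items():
        values = {s for _, s in states if s is not None}
        if len(values) > 1:
            status = "contradictory"
        elif any(s is None for _, s in states):
            status = "incomplete"
        else:
            status = "consistent"
        report[control] = {"status": status, "questions": [q for q, _ in states]}
    return report


def follow_up(responses, question_map=QUESTION_MAP):
    """Controls that need confirmation by e-mail or conference call."""
    report = cross_check(responses, question_map)
    return sorted(c for c, r in report.items() if r["status"] != "consistent")


# Constructed sample: one supplier's returned questionnaire.
SAMPLE = {
    "p1_q4": "Yes", "p5_q2": "yes",   # yes to both wordings: contradiction
    "p2_q1": "Yes", "p6_q3": "Y",
    "p3_q2": "yes", "p7_q1": "",      # second wording left blank
}

if __name__ == "__main__":
    for control in follow_up(SAMPLE):
        print(control, cross_check(SAMPLE)[control])
```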

It’s also a good idea to confirm questionnaire responses through follow up e-mails and conference calls. More often than not, we receive feedback that differs from many of the original answers that were provided to us.

Is it a case of some foreign firms wanting to look more secure than they really are for their U.S. based customers? Or, did the respondents have different interpretations of words or phrases, resulting in inaccurate feedback?

Whatever the reason, you can’t afford to be inadvertently or deliberately misled if you want to know that your supply chain is in fact as secure as it needs to be.

Annual C-TPAT Conference

by Barry Brandman

Last week I attended the Customs-Trade Partnership Against Terrorism annual conference in Anaheim, California. This much anticipated event sold out within hours of being announced on the Customs & Border Protection website.

This annual conference not only provides certified member companies with the opportunity to learn about the state of the program and interact with senior government officials, but also receive a briefing about changes that will be taking place with the C-TPAT program.

The roster of speakers was impressive, and included David Aguilar, the acting Deputy Commissioner of U.S. Customs & Border Protection, Bradd Skinner, Director of the C-TPAT program, Kevin Weeks, Director of Field Operations for CBP’s Los Angeles office, as well as Richard Dinucci, CBP’s Director of Cargo Control. Director Skinner discussed an array of topics, including the C-TPAT program’s growth, up 7.8% in 2009 and expected to exceed 10,000 member companies this year.

Conference sessions also featured speakers from the private sector, who provided insight from the industry perspective.

I was asked to give a presentation on “Tools, Technologies and Processes – Innovative Industry Solutions to Security Challenges.” I focused on areas within the foreign supply chain where we have uncovered significant risk and gave specific examples of why many corporate security programs look much better on paper than they actually operate on a day-to-day basis. I also explained several of the most important safeguards of a world class supply chain asset protection program, including how to design state-of-the-art intrusion detection and video systems, as well as how to get the most from GPS tracking technology and cargo security Best Practices.

There is no question that the C-TPAT program has become respected worldwide, with many countries developing their own supply chain security programs modeled on C-TPAT standards. Other countries like Japan, Canada and Jordan have already entered into mutual recognition programs with the United States, which is beneficial for the government as well as the trade community.

I believe that C-TPAT is a critical component of our homeland security efforts. This government–industry cooperative program proves that when these two sectors work together effectively towards a common objective, very significant results can be achieved.

2010 Supply Chain Security Webinar

by Barry Brandman

Today, I participated as a guest speaker for the 2010 Supply Chain Security Webinar.

This program focused on strategies for minimizing supply chain security risk, a growing concern for manufacturers, distributors, and transportation companies. Along with myself, experts from Cisco, Powers International, Customs & Trade Solutions, Accenture, as well as the National Custom Brokers & Forwarders Association and the Air Forwarders Association gave presentations.

My session was entitled, “Are Your Profits Quietly Being Stolen – What Every Supply Chain Company Should Know.” One of the areas I focused on was seven of the biggest myths about distribution center security. I explained why, for example, common misconceptions such as “If we sustain a theft due to a faulty intrusion detection system, our alarm company will be responsible” and “Our camera system will keep our workers honest” have caused companies significant loss.

I also explained some of the essential components of a successful loss prevention program and why it’s so important to realistically assess your safeguards so you can uncover weaknesses before others have the opportunity to exploit them.

One of the ever present concerns for logistics executives is collusion between inside personnel and truckers. With cargo crime estimated between $20-40 billion a year, companies are eager to learn which methods and technologies can effectively prevent and detect this type of criminal activity. As a result, I made it a point to provide some proactive solutions that have dramatically reduced this costly problem for many of our clients.

The 7 Deadly Sins of Logistics Security

It’s estimated that the cost of business crime in the United States now exceeds $100 billion a year and is responsible for nearly 1/3 of all corporate bankruptcies. In a survey taken by a national accounting firm, nearly 25% of the respondents reported that theft related losses in their respective firms exceeded $1 million.

Most wholesalers, consolidators, freight forwarders and distributors that find themselves victimized by internal theft share a common denominator: They have usually committed one or more of what I refer to as The 7 Deadly Sins of Logistics Security.

Is your company guilty of making any of these costly mistakes?

1. Are you relying on safeguards that simply don’t work?

Ask most executives how they protect their inventory and they’ll answer “alarms, guards and closed circuit television.” If these security solutions are effective, then why is it that so many companies that sustain loss have these controls in place?

Alarms are designed to protect against break and entry, not theft committed by insiders – which is how inventory loss usually occurs. Most uniformed guards are not adequately trained to recognize internal theft and collusion. Closed circuit television will only be effective if it has been strategically designed and consistently monitored, which is typically not the case.

2. Do you make it easy for dock personnel to work in collusion with truckers?

Because they don’t know how to prevent internal theft, many companies inadvertently make it too easy for drivers to work in unison with shippers, receivers, checkers and loaders. These theft schemes are silent, with no bells or whistles going off to alert anyone that they are taking place, which is why they oftentimes add up to a small fortune.

3. Is your company too reactive?

A large percentage of companies that incur shrinkage do little to prevent it from happening in the first place. By the time they decide to take action, they’ve already incurred a substantial loss and the missing inventory is never recovered.

It’s been repeatedly proven that preventing loss is far less expensive than reacting to it.

4. Do you have an efficient way for concerned employees to report security problems?

A confidential hotline can be an invaluable tool to learn about individual theft, collusion, fraud, workplace substance abuse, arson, product tampering, harassment or discrimination. Yet, many companies still rely on methods of communication that don’t work for security sensitive issues like these, such as open door policies or in-house tiplines. As a result, employees who become aware of unethical or illegal activity tend to remain silent.

In order for a tipline program to be successful it should be outsourced so workers can speak to people who won’t recognize their voices. Employees are more likely to confide in someone outside their company, rather than using an in-house system for tips.

Equally important, callers should never have to provide their name. The best response comes when you offer complete anonymity. The way we accomplish this with the Danbee Hotline, for example, is to provide every caller with a code number, which is one reason why we’ve received information that has exposed millions of dollars of losses.

5. Are you checking your checkers?

Too many companies have made the mistake of not keeping their checkers accountable. Because of this lack of oversight, a percentage of checkers become negligent or dishonest over time, and that’s when companies can rack up substantial losses.

One effective way to control the accuracy and integrity of your checkers is by having loss prevention audits regularly performed. These can be done numerous ways.

One method would be to have a security representative arrive (without any advance notification) during the time your trucks are being loaded, select one (or several) and reconcile the product found on the trucks to the shipping manifests.

Another technique would be having surprise audits performed on your trucks as drivers begin their route deliveries. We refer to these as non-covert surveillances. By having an investigator meet a driver at their first stop and performing a verification of each piece delivered throughout the course of the day, you will uncover product that has been over-loaded.

Both of these security techniques are excellent ways not only to detect collusion or gross negligence, but also to prevent it from taking place.

6. Does your company effectively weed out on-the-job substance abusers and distributors?

Nearly 90% of all employee drug users either deal or steal to support their addiction. As many distribution executives have learned, if you have a drug problem inside your company, you can expect to have a theft problem as well.

Two of the best ways to identify drug users and distributors on your payroll are through the use of a tipline program or by inserting an undercover investigator into your operation.

7. Do you provide meaningful training for your key personnel?

All too often, losses occur because managers and supervisors are not educated on how to recognize the subtle, ingenious ways that theft takes place in a distribution center. Keep in mind that much of this theft and collusion looks exactly like standard operating procedure. The reality is that if your key people don’t know what they’re looking for, they probably won’t see it.

A 9/11 Reality Check: Is Your Supply Chain Really Secure & C-TPAT Compliant?

by Barry Brandman

During a recent trip to mainland China, I inspected the security at a large manufacturing complex on behalf of a client. Prior to my arrival, I had been advised by one of their U.S. based Vice Presidents that he was confident I would not find anything lacking because they had just undergone “an official” supply chain security audit by a local compliance company who gave them an outstanding evaluation.

After conducting my assessment of this facility, I advised their on-site management team that their security policies, procedures and technology were not even close to being C-TPAT compliant. I explained, for example, that their personnel were not conducting proper container inspections prior to loading exports destined for the States, and that their finished goods department (which consisted of a building without doors) had product staged for hours at a time with no monitoring of any kind. They also were not bothering to place security seals on their loaded export containers until they reached the Hong Kong border (a two-hour trip from their site). Consequently, their U.S. bound shipments, as well as the containers they used, had no real chain of custody.

They asked me to read the report they had received from this compliance company and give them my thoughts. I pointed out an array of observations and conclusions in the report that were factually inaccurate. They agreed that the report had limited value and admitted that the people who conducted the audit didn’t appear to know much about supply chain security. The weaknesses I had uncovered, they said, were not examined or discussed during that audit. Yet, they were advised that they were successfully meeting C-TPAT criteria and awarded an excellent numerical rating.

Is this an uncommon occurrence? Unfortunately, it’s not. After the C-TPAT program came into existence, it didn’t take long for a number of companies with little or no core competency in asset protection to magically transform themselves into supply chain security experts overnight. Despite the fact that they possessed scant knowledge of security technology and many had never conducted investigations into inventory theft, cargo crime, sabotage, fraud, smuggling or workplace substance abuse, these “experts” began aggressively advertising to overseas companies, promising them C-TPAT compliant security programs.

Some have even taken it a step further. During an audit at a Hong Kong consolidator, the general manager took me into his private office and proudly displayed their C-TPAT membership certificate hanging on the wall. When I asked if his company had any presence in the United States he replied no. Upon closer examination of his certificate, it was apparent that the certificate had not been produced by U.S. Customs and Border Protection.

I then proceeded to review their physical and procedural security safeguards and found them deficient in a number of areas. I explained that his loss prevention program required a good deal of improvement, and began discussing needed remedial action. He replied that if his security was inadequate, why was it that he was granted C-TPAT certification? At that point, I broke the bad news that his certificate was not legitimate and that his business entity wasn’t even eligible for C-TPAT membership. He was clearly shaken and replied, “But I paid over $6000 U.S. to this firm to become a member!”

Motivated by the opportunity to turn a quick dollar, a number of firms continue to prey on uninformed companies who have a sincere desire to either join the C-TPAT program or become C-TPAT compliant.

This problem transcends how I personally regard the ethics of these firms guilty of misrepresentation. Far more important are the significant risks that are created by companies that are performing superficial audits and providing bogus certifications.

Experts agree that the most vulnerable links in the supply chain are usually found on foreign soil. These are the likely places where terrorists will attempt to smuggle a chemical, biological or nuclear weapon inside a carton, pallet, container or trailer, which will then be sent to the United States. This is why Customs and Border Protection sends out C-TPAT Supply Chain Security Specialists who perform foreign validations every three years.

While these formal validations serve an important purpose, they typically only provide CBP with a very limited glimpse of an importer’s supply chain. The C-TPAT representatives may only have the opportunity to evaluate less than 10% of an importer’s entire network.

As previously stated, these validations only take place once every three years, a time frame where a company’s security program can easily develop gaping holes.

Plus, the C-TPAT validation team will always provide advance notice when they will be arriving and what facilities they intend to inspect. Consequently, when they are on site they may not be seeing a true representation of how the protective safeguards really operate on a day to day basis.

This is why CBP mandates that C-TPAT certified companies must conduct comprehensive self assessments of their supply chain security. These audits should identify weaknesses, recommend solutions to strengthen those areas that are vulnerable, as well as provide awareness training for key personnel. These audits should also result in detailed action plans, complete with time tables for completion of the needed remedial work.

However, when these audits consist of little more than individuals with questionable experience and expertise merely “pencil-whipping” generic checklists, this process becomes little more than a meaningless exercise.

Despite having significant vulnerabilities in their asset protection controls, after receiving these superficial audit reports and bogus certifications, foreign companies oftentimes then operate under the assumption that their supply chains are extremely secure. This false sense of security can be compared to wearing a defective bulletproof vest that won’t stop a 38 caliber round. While you may feel well protected, when actually tested the consequences could prove catastrophic.

U.S. importers cannot afford to rely on cosmetic, ineffective security programs. The first time their supply chain is victimized may not only lead to the suspension or revocation of C-TPAT membership, but could also result in significant financial loss, irreparable harm to their reputation, and most concerning, the opportunity for another major act of terrorism inside the United States. As we reflect on 9/11, let us remain committed to never allowing history to repeat itself.