Are You Ready for a Data Breach?

January 22nd, 2015 Comments off

The threat of a data breach is becoming greater every day. Any business with POS (point of sale) data is a target. Therefore it is important to have a reactive solution on standby in the event of a breach or attempted breach. Research has shown that if there is a concise, turnkey data breach response plan in place, with trusted experts contracted, it is shown to reduce the negative financial impact of the breach by 22%. Thoroughly understanding the ‘scope of the breach’ is also important and can further reduce costs by 20% more by avoiding unnecessary notification.

Data breach threats in the Healthcare industry represented 42% of all data breaches reported in 2014 and are expected to get worse in 2015. Furthermore, a stolen medical identity sells for $50 on the black market compared to $3 for credit card information and $1 for a social security number. Breach protection goes beyond HIPPA compliance. It should include any PII and PHI (Personal Identifiable Information and Personal Health Information) as well as payroll/financial data, employee records, and intellectual property.

So let’s look at this problem both proactively and reactively. Of course minimizing the chances of a breach through proactive/preventive audits or assessments is much more prudent than just having a good response plan. You might already have your IT professionals internally doing periodic system checks but do they include the third party partners and vendors that touch your data for example or review employee behaviors that are causing exposure? These methods are how access is gained through no fault of your own systems security.

Proactively conducting holistic audits or assessments using investigative experience and technical evaluation to assess your real-world vulnerabilities is the key to minimizing your chances of a breach. You must identify your specific “Actual Threat Environment” leveraging a combination of computer forensic, IT, legal and investigative understanding to capture the entire scope of your vulnerability.

Reactively, in the event of a suspected breach, planned response measures should be quickly employed with a crisis management approach including:

  • initial triage/breach validation
  • quantification of the scope of the breach (necessary to determine need for notification at certain levels and prevents the organization from inappropriate or unnecessary response and resulting in harm)
  • call center support, mass notification guidance and assistance, credit monitoring and legal advice (if needed)
  • total forensic investigation to preserve evidence
  • rebuilding client/customer confidence


For more information on how AFIMAC can help you plan for such a situation please call 440.878.5114

Categories: Physical and Online Training Tags:

Workplace Violence – Is Your Company Still in Denial?

December 31st, 2014 Comments off

Tragic events of violence in the workplace are continuing with disturbing frequency. Does your management really still think violence couldn’t happen in your workplace?  Violence is a critical issue for employers to deal with and one of the biggest mistakes that many organizations make is to remain in denial. It is an unpleasant topic to talk about, let alone make policy on, but you are taking a huge financial risk by not recognizing it could happen in your workplace and developing prevention strategies to reduce those chances. Your only defense against being found negligent and liable is to have done the necessary research to overcome a reasonable foreseeability argument and to have an assertive workplace violence prevention program in place. Furthermore, when you tell employees they are your most valued asset, what message are you sending to them when you do not address violence prevention? It’s not just about reducing liability- it is the right thing to do for your employees.

Let’s look at some conditions that can lead to a workplace violence incident.  Has your business/organization ever:

  • had crime in your neighborhood?
  • had a domestic violence situation with one of your employees?
  • fired anyone?
  • had a crime happen in your business?
  • had one of your employees stalked?
  • had an irate customer threaten one of your employees?
  • had a bully in your ranks using aggressive, intimidating language or action against another?

Yes, all of these things can lead to workplace violence and will be looked at in court as contributing to reasonable foreseeability.

How often, after a tragic violent incident, do people who are interviewed say something like “I knew he would do something like this” or “he always made me afraid”? Often those who are in the best position to recognize problem behavior from an individual are the employees who engage with them every day. They know something is wrong but may keep quiet about their concerns. They expect that someone should be doing something about an issue but don’t know how to report what they see, or are afraid to. This is not the employee’s fault if they haven’t been made aware that they have a responsibility to report certain things.

Let’s just take the example of not reporting inappropriate aggression in the workplace. This can stem from a number of reasons including but not limited to:

  • Fear of repercussions from the individual in question
  • Not knowing what behavior is deemed unacceptable and must be reported
  • Not knowing to whom or how to report the behavior
  • No assurance that there will be a follow up by a supervisor

All of these reasons can be addressed with an effective workplace violence prevention policy that is enforced and is an employment compliance requirement. Workplace violence prevention policies must address inappropriate intimidation through language, gestures, direct and indirect threats, or any other aggressive conduct that instills fear into employees. This fear can be coming from an internal or external source. Not only should all employees be trained in what to look for but they should be required to report the problem to supervisory personnel. Supervisory personnel also have to be trained in how to investigate such reports and follow up with those designated within the organization to handle such matters.

Denial is evident when ongoing intimidating conduct is never reported, or a mildly violent incident occurs, and no action to investigate or correct the behavior is taken. This will assure that the aggressive conduct or bullying will continue. Others may even mimic the aggression since it seems to be tolerated by the company. Soon the behavior can take on a more violent form when people begin to fight back. Eventually the workplace becomes a hostile environment. No matter who the aggressor is, the behavior must be addressed and stopped. Don’t transfer the person out to another department hoping they will change their behavior.  Don’t promote them out, and don’t make excuses – correct the behavior.

For more information regarding workplace violence prevention, safe terminations, bullying prevention, active shooter response planning and training, supervisory training and other related topics check out the Workplace Violence Series on our website at

Categories: Physical and Online Training Tags:

Employees with Guns During Active Shooter Incidents – Making a Bad Situation Worse!

November 19th, 2014 Comments off

There is always debate after a tragic school or workplace active shooter incident about employees wanting to take their protection into their own hands. Yes, certain states have laws which allow employees to have their firearms with them if they have completed the necessary background checks and training, and have acquired the required permits. On the other hand, companies and other organizations would prefer to have workplace violence policies which prohibit their employees from bringing guns on property, even locked in their car in the parking lot. So where should prudent workplace violence policies draw the line?

Practically speaking, when would an employee be in a realistic position to safely and effectively employ a weapon in an actual active shooter situation? What are the realities about firing a personal weapon accurately in a tense ‘combat’ situation and can the average citizen effectively engage a hostile shooter under those conditions without hurting any innocent bystanders or co-workers? Not easy questions to answer.

Let’s think about some realities and you can shape your own opinions.

  • Companies and organizations need to develop proactive weapon restrictions as part of their workplace violence prevention policy. That policy has to take into account the local and state laws relative to each of their facilities when developing a company policy. An active shooter response plan should be part of this workplace violence policy. The active shooter response plan should dictate that the first reaction priority is to get out of the building during such an incident. The second response option is to hide quietly in a safe, locked and barricaded place. Only as a last resort should you engage the shooter in a fight for your life. Granted, at that point having your weapon would be useful.  However, would everyone have that discipline to stick to the policy and get out first and not try to play hero, perhaps making matters worse for responding police?
  • Do all private citizens/employees engage in combat shooting training to prepare themselves for the adrenalin, fear, tunnel vision, panic and confusion that will characterize an active shooter rampage? This type of defensive shooting is even a challenge for law enforcement professionals who do such training.
  • What liabilities exist for the company, and the defending employee, if they engage a personal weapon defensively but miss and hit an innocent person nearby?
  • If the weapon is going to be defensively used in an active shooter incident, it will have to be in a position to be reached quickly, not in a locked car in the parking lot. Thus, the weapon would have to be in the building. This however, represents a more significant risk on a daily basis for the business under normal conditions. What if another type of workplace violence incident is perpetrated simply because others know about that personal weapon in the workplace? And others will know about its presence.
  • Personally, if I was the employee who could not get out and had to hide out, I would like to have my 9mm with me, if I did have to fight for my life, rather than makeshift weapons. However, I also feel confident in my training and level of shooting experience with my law enforcement and protective operations background. Still, the weapon wouldn’t do me much good if it wasn’t in my desk or close-by.

This may not be the most definitive advice, but I think it is helpful to consider these practical concerns when formulating your active shooter response plan as part of your larger workplace violence prevention plan.

Check out our workplace violence and active shooter response training courses on line at:

Categories: Physical and Online Training Tags:

High Risk Employee Terminations – Not Always Obvious

October 23rd, 2014 Comments off

There are two types of terminations that should be considered high risk. One is when aggressive behavior by an individual violates workplace violence policies or elevates to an unacceptable level and the person has to be terminated due to that behavior. The other kind can sneak up on you and many workplace violence prevention programs do not address it. In this type, the person has displayed continuously deteriorating work performance, in spite of progressive counseling, and this leads to the termination requirement. What makes this situation high risk is that the underlying cause(s) for the deteriorating work performance can also be hidden contributors towards that person’s potential to react violently during the termination itself. Furthermore, they can feel an extreme sense of desperation in the time after losing that job which can lead to problems as well, just when you thought it was over.

Most good workplace violence prevention programs will have educated the workforce, and supervisors, to recognize the dangerous individual behaviors leading to the first type of high risk termination. The unacceptably aggressive behavior is the reason for the termination. It is therefore reasonable to expect some element of risk with the termination event itself, and precautions are often taken.

The second type may not contain the same aggressive behavioral indicators. However, in some of these cases, there will be indications of stress induced aggressiveness which should then serve as a red flag. Human resource personnel and the corporate security team should work together and involve third party clinical professionals to evaluate the underlying causes for the performance drop in otherwise good employees. Those causes could indicate that if termination becomes necessary, precautions should be taken during the process. They can discuss with the individual what is going on in their life. They can assess how those factors might affect the person’s response to the possible loss of their employment (often the last straw.) These ‘under the radar’ cases are the exception to the rule and that is what makes them so dangerous.

Violence is typically a process, not an isolated event. The violence process usually has behavioral red flags along the way and this is what thorough workplace violence training often outlines. But these ‘under the radar’ cases that I have just described are especially dangerous because they lack those behavioral indicators. Therefore, your termination process protocols should address not only the obvious high risk terminations but they should also account for those where there has been a dramatic drop off in performance so substantial and out of character that it results in the need for termination. Perhaps the real reasons for that performance drop off are so personally severe and so devastating, they could also represent a danger for a violent reaction to the loss of employment. Only realizing the desperation that this person faces at the time of the actual termination may be too little, too late. The job may have been all they had left to depend on!  They are now focusing on your company as the evil force that took away that one last thing that was important to them.

For more information regarding safely conducting the termination process for all types of high risk cases, check out the courses at

Categories: Physical and Online Training Tags:

Reducing Your Workplace Violence Liability

February 25th, 2014 Comments off

Having a robust and effective Workplace Violence Prevention Program is now a necessity in terms of reducing your organization’s liability for such events. Denial that anything horrific will ever happen in you workplace is no longer acceptable. Occupational Safety and Health Administration (OSHA) compliance and civil liability will often revolve around the legal opinion of whether an act of violence could have been foreseen, and mitigation or prevention steps taken. If the act occurred in your workplace, or in an environment related to your business dealings, your organization will have to answer the often unclear question of what was “reasonably foreseeable.” There are many different types of incidents that are considered workplace violence and subject to such scrutiny such as:

  • Criminal activity of a violent nature that takes place in your workplace
  • Violence by a customer/client/patient with some relationship with the workplace (even if it occurs in the “field” while on organizational business)
  • Co-worker aggression or bullying
  • Former employee returning to commit ‘revenge violence’
  • Personal relationship violence (domestic violence) unfolding in the workplace

Granted, the final act of violence might happen suddenly but the precursory warning signs that often develop over time, before the culminating incident, need to be addressed. Proper follow up on those warning signs might even prevent the violence from occurring. So, what will be necessary in order to develop a defensible position that your organization had done everything reasonable to anticipate and prevent a violent incident? Depending on which type of incident occurs, you will need much of the following to build your defense:

  • Crime statistics (trends and recent occurrences) in the geographic location of the workplace
  • Physical security audit at the property
  • Research on crimes and violence typically related to your industry – Perhaps from professional associations or peer groups – emphasis on causes that might also apply to your organization within that same industry
  • Records regarding specific acts of inappropriate aggression or violence at your workplace or at other company facilities in the past
  • Records of employee complaints and incidents of “bullying” in the workplace
  • Evidence of a written workplace violence prevention policy
  • Evidence of employee and supervisory training relative to aggressive behavior recognition and reporting responsibilities dictated by the workplace violence prevention policy
  • Development of a case management team for assessment purposes when investigation of an individual or incident is called for
  • Records regarding reports of domestic violence affecting someone in your workforce – especially if it has become noticed at work (You cannot consider this just a personal matter)
  • Evidence of safe termination protocols for individuals where violence or aggression has been an issue or for someone who might be considered high risk for a vengeful reaction

This is certainly not a complete list but it is enough to give your organization a good baseline for being prepared. The biggest challenge that any employer has to face is getting out of denial that one of these incidents could happen to them. Having a solid Workplace Violence Prevention Plan is good practice not only legally, but it is the right thing to do for the safety of your employees and visitors.

Check out IMAC’s online training series on workplace violence at including the new course on Active Shooter Response.

Categories: Physical and Online Training Tags:

Crisis Management Exercises – Do They Work?

January 24th, 2014 Comments off

Whether it is being proactive about preparing for an active shooter incident, an industrial accident, or a pending trip for executives to a major international sports event like the World Cup in Brazil this year, there is no better way of getting your emergency policy plans off of the shelf and tested than a mock or tabletop exercise. These should be lead by a third party contingency planning specialist with experience in crisis management and specific knowledge of the countries and cultures involved in the crisis. They don’t necessarily have to have been through each of your anticipated scenarios but they do need to have sufficient field experience to know what curves to throw into the exercise that are based on real world events.

Ideally the mock crisis is one that is reasonable to anticipate for your environment, industry, and circumstances. Senior management should participate so that it conveys the true significance of the event. All internal organizational entities must participate for the event to be useful. This can include but should not be limited to:

  • Security
  • Human Resources
  • Senior Management
  • Operational Unit Management
  • Legal/Compliance
  • Risk Management/Insurance Managers
  • Accounting
  • Public Relations
  • Union Representation (if appropriate)
  • Local Law Enforcement/Emergency Responders (if appropriate for the scenario)
  • Third party vendor partners/external experts

The objective is to see what everyone can and will do and what the realistic parameters for action are going to be. Making assumptions that certain actions would occur (as is often the case with mental walkthrough exercises) will not offer the same critical evidence of practicality. Outside emergency responder participation is always a plus but not essential, however they should at least be consulted with specific response capability questions. This might even spark their interest to participate and practice themselves. The more action oriented the exercise, the more effective and accurate the feedback is going to be. If conducting a “table top” only is all that your management will buy into then the exercise should be carried out with seriousness, full participation, and as much real circumstance simulation as possible.

Yes, these drills can come with some cost and be slightly disruptive. However, what is learned regarding the practicality and functionality of your policies and contingency/emergency plans can save the organization from exponential losses by comparison. There will be nothing more important if a real crisis hits and being prepared has proven to save lives in cases of a violent crisis.  With proper planning, complete communication of the exercise, and full support from all levels of the organization, you can be more confident in your contingency/emergency plans knowing that they have been professionally tested. Furthermore, you will be able to gain evidence legally, if you ever have to, that you did everything you could reasonably do to be prepared.

Check out some of our crisis management related courses at  or contact us to help coordinate such an exercise.

Categories: Physical and Online Training Tags:

World Cup Security Concerns and Personal Preparation

December 31st, 2013 Comments off

If you are planning to go to the games of the World Cup competition next summer in Brazil, there are a few things you need to be prepared for. This goes beyond the normal understanding of general security awareness measures. You have to start with an understanding of how and why people will be targeted. Many Latin American countries while beautiful can be dangerous places. Brazil is no exception even though they have been preparing for these games. Violent street crime is an increasing problem as are the activities of Transnational Crime Organizations (TCO’s). The proper approach to your security during these games will have to do primarily with your personal circumstances and the length of your stay.

Short-term visitors to Brazil need to focus on how not to become an attractive target of opportunity. Remember that perception is reality to the street criminal looking for an easy mark. Foreigners seeming to be confused or tentative, and appearing to have some wealth, are their targets. Wealth being a relative term – just wearing nice clothes or a fancy watch could be all that is necessary to establish your value to them. (Your presence at any of these events alone might mark you as someone of means.) Then they will observe your level of awareness. Those two factors are going to decide their actions towards you. Whether you are at the airport or hotel, on the street, or at one of the events, if you move about with a very low key, alert and prepared demeanor, wearing simple attire and limited or no jewelry then you will probably not be selected for assault. However, just trusting to blend in and being alert is not the best plan for this high profile event.

The World Cup events will bring thousands of people into the country and there will be an increase in criminal activity that goes along with the excitement and revenue brought by the games. Do some homework and make some plans for where you are going, who will meet you, and how you will recognize them. This will help you avoid that ‘lost or confused’ appearance. Arranging for a security driver is a great way of assuring this. Not a limousine but a simple sedan or van driven by someone who knows the area and can keep you out of dangerous locations. Also, remember that these services will be booked up early, so reserve the service you will need by January or February of 2014. Otherwise you may get stuck with someone who is not qualified at the last minute. When walking, remain alert for approaches towards you and respond assertively. This will communicate that you are not going to be an easy target. Potential assailants will choose someone who appears to have valuables or lots of cash and who also looks easier to catch off guard.

More extended stays bring another element into play. This affords the chance to study you over a longer period of time to assess your possible value as a kidnap or extortion target. Conducting yourself in a low key manner is still important but now you have to be observant for repeats of people or vehicles that seem to keep popping up around you during your day. This is probably criminal surveillance. They often study several possible kidnap or extortion targets and pick the one that offers the most value at the least risk. It will take some discipline and training for you to counter this by avoiding patterns of time or travel routes. This will make you harder to study. This alone could remove you from their list of possible targets. A security driver is again a great option or you could learn surveillance recognition techniques yourself. It is not that hard. Busy, distracted business executives are however encouraged to take advantage of a security driver because practicing designed randomness and surveillance detection takes mental concentration. This level of attention to detail and observation is difficult to practice when your daily focus might be on your business, your family members, and your enjoyment of the games.

This brief discussion is only the tip of the iceberg when it comes to avoiding becoming a part of the increasingly disturbing crime statistics of Latin American countries. For more detailed information check out some of the online training courses available at or visit our website to review our service capabilities in LATAM at

Categories: Physical and Online Training Tags:

AFIMAC Answers Growing Demand From Clients and Opens an Office in Mexico

October 25th, 2013 Comments off

MIAMI, FL, Sept. 24, 2013 /CNW/ – AFIMAC, a North and South American leader in business travel security and intelligence services is pleased to announce their new office opening in Mexico. AFIMAC prides itself on partnering with their clients to protect people and property both during times of crisis and regular business operations.

Mexico is the third largest growing market for AFIMAC and the new office location will better serve companies with multi-regional operations and enhance their security postures in the growing economy. “Manufacturing plants will continue to expand and create jobs and employment, fostering vibrant local economies which will enhance overall security. But with this comes other forms of increased security threats which may mask themselves under varying asymmetric veils”, states Art Garffer, director of operations.

“Some of the many services AFIMAC will offer are security drivers, client protection, and consulting” asserts Garffer. “In addition, we provide critical analysis on how to prevent and mitigate risk, develop a corporate crisis management model, broaden the leveraging of intelligence and information scrutiny to preempt events, improve on corporate scenario planning and through improved and new technology, increase logistical cargo recovery and diminish loss”, affirms Garffer.



Read more

Categories: Press Release Tags:

Active Shooter Response – Organizational Responsibility

October 18th, 2013 Comments off

Will your building occupants know what to do if an active shooter is loose in your facility hallways or on your campus? Will they all know that the event is happening, thus giving them some chance to react? Do they know what the appropriate reaction should be? Most people’s instincts are to run from danger but they must be given guidelines for doing so in an active shooter situation that won’t put them in even greater danger. What if they are trapped in an area by the shooter? What will they do then?

Depending on common sense assumptions to provide the answers to these questions is not a good response plan. Absent of a well thought out and thoroughly communicated plan, your organization is subject to occupants doing things that might make bad conditions worse. You have an ethical and legal responsibility to maintain some level of preparedness. Not because of the foreseeable probability of this happening, but because of the extreme human cost if it ever does.  No facility where such a tragedy has happened ever considered itself a likely place for it- until it did happen there!

With the recent active shooter tragedies in Aurora, Portland, Newtown, and now the Navy Yard in Washington DC, it becomes increasingly evident that organizations/businesses/schools/universities need an active shooter response plan that is tailored for the security circumstances at their facilities. Furthermore, there is not a one size fits all solution. Granted, the response plan from one organization or institution to another may have some common reaction guidelines but the specific response protocols for each will be quite different.

In a prior piece I wrote that there are typically three response choices for facility occupants to rely upon:

  • get out – exit the danger area immediately if possible
  • hide out – lock and barricade silently in place if escape is not possible due to the location of the shooter
  • take out – mass attack the shooter if you’re cornered and your hide out option becomes a sudden fight for your life

To be practical and effective a tailored active shooter response plan has to take into account several factors including, but not limited to:

  • The type of facility in question – school, office building, retail store, factory, sports complex, secured facility, etc.
  • Public occupants as well as employees
  • The environment in which the facility is located – city, suburban, rural, remote, etc. This may dictate the time it will take for law enforcement response.
  • The type of communication/notification system available – how will everyone in your facility know that such an event is taking place? Don’t just pull the fire alarm!
  • The occupants’ capabilities to evacuate and knowledge of where to go – consider age / physical abilities
  • Emergency responder tactics and expectations

The variations of how “get out / hide out / take out” is applied and which of the response options are selected under what conditions will be influenced by these and other factors.  Accounting for these factors in a specific response plan, and giving example circumstances during training will help to prepare each occupant to know what they should be doing.

Finally, the response plan must be tested and rehearsed. Include the local emergency responders in the refinement of your plan. Lessons learned from other incidents that have occurred, and from your own rehearsals, can be used to further modify and tailor your active shooter response plan; the one that might become part of your legal defense and your clear conscience. Arm people with the knowledge that will give them a chance to survive. It’s the right thing to do.

For more detailed training regarding active shooter response guidelines see our free course at

Categories: Physical and Online Training Tags:

Workplace Violence Prevention for Customer Service

August 23rd, 2013 Comments off

Do your customer service employees occasionally have to deal with angry customers in person? If the answer is yes, then the customer service employee could become a victim of aggression or violence. Workplace violence is often given a limited scope definition in most company policies. However, any physical altercation, intimidation, or even a threat of an altercation should be considered workplace violence. The employer has a responsibility to prepare these employees. They should have the benefit of workplace violence prevention training and good security measures.

The concept of “reasonable foreseeability” will be considered when determining liability for the consequences of an act of aggression or violent incident. What conditions leading to an act of aggression or violence could have been deemed reasonable to expect by a reasonable person? Now think again about the customer service personnel that occasionally deal with angry people. Might it be reasonable to foresee the possibility, that they could encounter an abusive, irate customer who could turn violent? A judge might one day ask whether the victimized employee had been given training on methods for defusing angry, potentially violent customers. Were they aware of emergency procedures for discretely summoning help in the face of such an altercation? Workplace violence policies should not only pertain to employee relations amongst each other, but they should also include relations between employees and visitors and/or customers.

Your business should consider training in nonviolent confrontation management for these customer service personnel. This training can give them the following tools:

  • Verbal and nonverbal de-escalation tools that might prevent a tense situation from getting out of hand
  • Positioning tactics that will help keep the employee safe, confident, and more able to regain control of the situation
  • Discrete duress signals to other employees for immediate assistance
  • Methods for redirecting the customer to feel they are being heard and action is being taken

Physical security measures should be implemented such as:

  • Measures for emergency notification and discretely summoning help
  • Designing customer service areas that afford a certain level of physical security
  • Removing items that could be used as weapons from customer service areas
  • Having areas designated which will remove the aggressor from any ‘audience’

Don’t wait for an incident to happen before you do the right thing for your team. It’s not just about liability. It is about caring enough for your employees who might be subject to this and doing what you can to protect them.

Please check out the workplace violence series courses at, specifically, “Non-Violent Confrontation Management” and “Crisis Negotiation – Dealing with Difficult People in Difficult Situations.”

Categories: Physical and Online Training Tags:
  • LinkedIn
  • YouTube