Rideshare services are not as safe as you think. There are multiple considerations to take into account when weighing up the risk of rideshare services versus taxis, or private transportation and secure transportation services. The variables are numerous and include country, city, and location of use, time of day, destination, reason, and who you are, to name a few.
Here are the Top 5 risks to take into account when considering the use of rideshare services:
Top 5 Risks of Using Rideshare services
1. Risk of Assault
Companies like Uber and Lyft have claimed all their drivers go through some level of security checks before they can operate on the ground. However, this does not necessarily mean they are genuine or trustworthy, nor does it demonstrate how competent they are behind the wheel. For example, a male driver from Washington, who worked for both Uber and Lyft, reportedly committed at least five sexual assaults, including rape, against females since 2014 while on duty. His most recent attack was in March 2019, and he has subsequently been arrested.
2. Fake drivers
Fake drivers are another concerning problem for the rideshare community. In March 2019, a female student from North Carolina was kidnapped and murdered after she boarded a vehicle she believed was her Uber. This is not an isolated incident and is an increasing concern on a global scale. Implementing logical mitigation measures will help to reduce the risks. For example, check the vehicle’s make, model and registration, make sure the driver’s name and/or photo matches your records, and ensure your driver has your correct details before getting into their vehicle. Unfortunately, it’s not possible to completely mitigate the risks. Boarding a stranger’s vehicle will most likely put you in a vulnerable position, so remaining vigilant is crucial.
3. Road Traffic Crashes
Road Traffic Crashes (RTC) are identified as the number one cause of death for travelers worldwide and are becoming a global health concern. The vast majority of rideshare drivers are part-time drivers, neither professional nor trained. The majority just jump in the car on their way home from work and do a few extra hours to supplement income. This also significantly increases the risk of fatigued driving, which is a major risk factor and a cause of multiple accidents.
4. Insurance Coverage Ambiguity
An organization sending employees, students, or volunteers abroad has a legal and moral duty of care for their personal safety. Transporting employees through ridesharing companies and/or unregulated taxis increases the level of risk for the employees, and heightens the corporate liability of employers. There is also no specified insurance coverage, and if something goes wrong the user can only file against the driver, who will likely not be covered to provide executive protection services in Mexico.
5. Over-reliance on the App
A rideshare driver, for the most part, is not a full-time professional chauffeur and is generally reliant on an App to move from location to location. They follow the guidance from the App blindly. This may be OK in some cities. But as soon as you move into more challenging or dangerous environments, one wrong turn or one ‘shortcut’ provided by Waze could lead the vehicle (and therefore the user) into a high-risk environment. Imagine taking a wrong turn in Rio de Janeiro and ending up in a favela. Or taking a shortcut through a Mexico City suburb.
Duty of Care Considerations: Organization Vs Private user:
An organization should have a robust journey management and overland transportation plan for its travelers. The moral and legal duty of care that is placed on an organization increases the risk of litigation if an incident occurs, but more important (we think) is that if the basics are not carried out, and cost is put before travel security, then travelers are placed at increased risk, which can be mitigated significantly with the right precautions in place.
Assess the destination and understand the specific risk of that location.
Empower your travelers by teaching them how to stay safe, increase situational awareness, and react appropriately if an incident occurs. Consider a travel security training course such as ExploreSecure.
Use a secure transportation service that has enhanced vetting of drivers, local drivers with all licensing and checks, and appropriate and secure vehicles.
Liaise with a security company for any travel to regions considered challenging or of increased risk. Seek consultation from subject matter experts as to the risks, and how to manage them.
What your company spent years to develop can be lost in an instant at the hands of one bad-intentioned employee. The statistics on employee theft of intellectual property (IP) paint a dark portrait of what employees do when disgruntled, moving on, or stockpiling for a rainy day. William Evanina, the U.S. government’s National Counterintelligence Executive in the Office of the Director of National Intelligence, says, “As a corporate leader, the single most important investment in protecting your proprietary information and sensitive trade secrets is developing a viable and enterprise-wide insider
To paraphrase the well-worn mantra on hacking and apply it to the pandemic of Insider Threat: There are two types of companies, those whose employees have already stolen IP, and those who simply don’t know it yet. No matter where your company is along its journey toward an effective insider threat program, success or failure is measured by the last harmful egress of research, formulas, algorithms, strategies, service manuals, or other critical business information (CBI). Whether your effort to detect, deter, and prevent CBI loss has become an industry model or is still a nascent vision, three common components can help build a new plan or help review and adapt a mature program.
Security professionals exploring insider threat fundamentals can take a lesson from first year journalism students. Budding reporters are trained to instinctively repeat basic questions designed to get to the truth, and three of those questions drive formation of all Insider Threat programs: “What?”; “Where?”; and, “Who?” Security leaders should make it their practice to ask these three questions of their staff, key partners, and operational components of their companies. What is it that most merits protection? Where is this most critical information located, physically and in cyber space? Who amongst us requires regular access to CBI?
As the past head of counterintelligence for the FBI, a former corporate security executive for one of the world’s largest companies, and now a risk management consultant, it no longer surprises me to hear new security professionals struggle to answer these basic questions. Security practitioners sometimes perpetuate the long-standing C-suite myth that “security’s got this” when it comes to everything from a missing gym bag to a missing gyroscope. The perception that someone, somewhere, must have already addressed, planned for, or is in the process of resolving the concern of the moment, provides comfort to our senior executives and job assurance for those of us in the profession. But the comfort is dangerous and the assurance is hollow. Rather, we should work to dispel the notion that security can or should protect everything. To do that, the savvy security executive endeavors to first identify and then deeply understand exactly what represents the future of the company, where it resides, and which employees have stewardship of this lifeblood. Done correctly, in partnership with key stakeholders including Human Resources (HR), Legal, IT Risk, and Engineering, Science or Business leaders, this approach provides laser-like focus on what really matters, shares ownership across components, and generates confidence in a process designed to protect against existential threats to jobs and share price.
Build Your Team
Successful implementation of insider threat programs hinges on assembling the right team. IP protection is a team sport and should not be carried out by one component alone. The team requires willful senior level participants who are convinced the time is right to defend the company against the threat from within. Leadership is often motivated to take this step by a crisis sparked by the loss or near loss of a trade secret at the hands of a departing or on-board employee or contractor. But waiting for such a crisis is not advisable. Gather data on losses suffered within your industry, supply chain, or customers. Talk to FBI corporate outreach contacts and ask for examples of economic espionage targeting your technologies. Talk to HR about where employees go when they depart and ask those employees’ former managers whether cumulative losses pose a concern.
Meet one-on-one with a senior thought leader in Legal, IT Risk, HR, Business Development, or Research and ask them to partner with you to assemble a team and form an Insider Threat program. Next, meet unilaterally with each proposed team member to brief them on the threat and risk to proprietary data and seek their support to more strongly defend the company. In some non-defense corporate cultures, using the phrase “Insider Threat” can still generate privacy, trust, and culture concerns. In one large company, a security leader’s proposal to discuss such a program was met with this question from the head of HR, “Do you not think we should trust our employees?” The security leader responded, “I do, and I think we should have mechanisms in place to defend our trust.” Meeting first with each partner will allow you to listen to their concerns. Limit the team to five or six decision makers from key functions. When the team is assembled start asking the first of the Journalism 101 questions.
Whether a newly appointed security leader or seasoned veteran, the question at the heart of IP protection is, “What exactly are we protecting?” Responses provided by security and business leaders to this single question help measure the need for an Insider Threat initiative or the maturity of an existing program. Common responses from the security ranks include: “I’m protecting these buildings”, “I’m protecting this campus”, “I’m protecting people”. Even security professionals in large, sophisticated corporations frequently do not cite “ideas”, “research”, “technologies”, or “critical employees” when asked what they protect. Follow-up questions on which campuses, buildings, or people are more critical than others are sometimes met with silence or criticism that the question implies some employees are more important than others. One long-tenured security leader responded by displaying his daily automated reports advising him which doors, hallways and offices were entered, but he could neither articulate which company functions occurred there nor how his data was relevant.
Importantly, your team should pose the “What” question to key business leaders including the CEO, General Counsel, CFO, Supply Chain leader, Research or Engineering executives, Business Development or Sales heads, and corporate audit manager. Provide context by framing the question as an attempt to identify the small subset of proprietary information that would most damage the company if it fell into the wrong hands. Various formulas and thresholds can be customized to help guide this discussion and quantify the degree of damage to finances, share price and reputational risk.
can only truly protect that which they know is there. Once CBI is identified, the team must learn where it resides, in both physical and cyber space. In large companies with thousands of employees and facilities, this question is more easily asked than answered. Yet, the answer is vital to learning how your CBI is exposed. One large company locating its CBI discovered a proprietary formula sitting in an open folder accessible by its entire employee population. Audit of the folder revealed that employees in high risk nations had visited the folder without any valid reason.
When countering the insider threat, the physical and the cyber security of CBI must be viewed as one holistic endeavor. The behavior of data and the behavior of humans are inextricably linked and the partnership between IT Risk and Physical Security should be seamless. Once aware that specific buildings, offices, or laboratories contain CBI, protocols and checklists for enhanced safeguarding can be drafted. This initiative counters more than just the internal threat. Upon learning the location of a sensitive manufacturing process one company found the process was part of a public tour route.
The seemingly simple “Who” question can generate more consternation than the previous two questions combined, particularly from your partners in HR and Labor & Employment Law. While answering the first two questions is often labor intensive, this last query raises issues of policy, organizational culture, and law. Companies may learn that some CBI is assigned to contractors, and the team must wrestle with the issue of whether people with less allegiance, and more transient tenure, should be entrusted with the firm’s future. Yet, identifying employees who require access to CBI is easy compared to planning how to relate to them. This discussion should include: standards for employees to receive and maintain CBI access; policies on travel and device security; enhanced computer monitoring; and, governance protocols for investigative response to suspicious conduct. Importantly, the approach to such vital and often singularly knowledgeable employees should be an inclusive one that views them as special stewards with more responsibility than the average employee.
carelessly, insider threat plans can breed mistrust, alienate key employees, erode company culture, and even violate labor or privacy laws. But, a quality program can be a leader’s most important legacy, reaping tangible dividends in loss prevented, jobs saved, and relationships forged.
Originally posted in the Security Magazine
Our Executive Is Missing: Kidnap and Ransom Basics for Security Professionals
The first of a three-part series to help protective professionals understand how K&R can be successfully resolved.
Preparing for the worst is part of every security professional’s repertoire, especially when it comes to planning for failure. This three-part series is designed to enhance understanding of how kidnap and ransom negotiations work and your role in the event the unthinkable happens. Cyber Security leaders with a significant global high-risk footprint know that a kidnapping may not be a question of “if” but a question of “when”. It may happen when you are not directly responsible for covering your employee or their family and therefore least able to prevent it – when they are alone and most vulnerable. Learning what to expect in those first hours of an abduction will help you avoid becoming a bystander when your leadership is most needed.
Kidnapping is a significant weapon of influence and source of funding for criminals and terrorists from South America to Southeast Asia to Africa. Kidnapping is the unlawful seizure and detention of a person usually for a ransom. That latter part of the definition, “usually for a ransom”, is the beacon of light the skilled negotiator homes in on and exploits to accomplish the mission – the safe release of the victim.
The international kidnap phenomenon is a “good news, bad news” scenario. The bad news – Kidnapping is a burgeoning crime flourishing in countries where police and prosecutors are unable or unwilling to address it. Consequently, the kidnapper perceives his plans as low risk, high gain. The good news – The captor’s motivation in most kidnappings, is money. The kidnapper’s purpose is monetary rather than bringing harm to the hostage. Therefore, hostages retain their value when they remain alive. This critical dynamic provides the negotiator with the leverage and influence needed to liberate the hostage.
Although money remains far and away the most common kidnap motivation, political demands including publicity, release of prisoners and welfare items have also been used as ransom criteria. Nigerian groups have taken hostages to force oil companies to provide economic assistance to local villagers. Journalist Danny Pearl was taken to pressure the Pakistan government not to support the U.S. In all cases, the kidnapper’s goal is to force a third party to do something; usually to pay money. Holding the hostage and threatening harm empowers the kidnapper. Nevertheless, victim companies and families have control and influence since they control what the kidnapper wants – money. The overriding theme a negotiator messages is; “If you harm the hostage you won’t get what you want.”
The Early Hours:
The initial stages of a kidnap are marked by both limited and conflicting information. You will normally have more questions than answers when your employee’s whereabouts are unknown. You may be nowhere near your protectee nor responsible for their welfare when you get a call indicating they or their family member are missing. Therefore, your priority must be to confirm that a kidnapping truly occurred. Event Security professionals who maintain viable tracking and locator technology enjoy a significant advantage here. Immediately engage a pre-selected K&R professional, whom you or your company have already vetted. These professionals often come out of federal law enforcement or specialized firms and are extensively trained in crisis negotiations. Your consultant should be able to demonstrate dozens of successful resolutions to ransom, extortion and barricaded subject scenarios. Next, prepare for the worst-case scenario by planning for the abductor’s initial call. Next, assist the consultant, your company and the employee’s family to decide who should take the initial ransom call.
As a protective professional you should have a crisis management plan that includes a K&R response protocol. Part of that protocol should be an understanding that if a kidnap occurs, a K&R consultant will want to select a communicator to engage with the captor. The role of the communicator is that of a mouthpiece for the victim family or company and to act as a conduit to the kidnapper. The communicator has limited authority and must project subordination to the final decision makers when conversing with the captors. Adherence to company or family objectives and gathering accurate information are important aspects of the communicator’s duties.
When helping to select a communicator remember that the person must be: Willing to accept coaching; Loyal to your client’s company and its policies; Emotionally stable; and, an excellent listener. The communicator is not a debater but more of an influencer and persuader who conveys honesty and resolve while trying to avoid confrontation.
The ability of the communicator to maintain a low key, calm and patient business-like demeanor is imperative. One of the communicator’s key tasks is to establish a window of contact with the kidnapper. The communicator can exert a degree of control and minimize the necessity of being continuously available by arranging a specific time frame for contacts with the captors. If the captor attempts to make contact outside of the arranged time, the communicator must not acknowledge the contact thereby using a classical conditioning approach to influence the captor to abide by the agreement.
Prior to a scheduled contact the communicator will prepare and rehearse under the supervision of a trained K&R negotiator. Objectives are set out for each contact. The communicator must be prepared to play both defense and offense. The communicator will be coached on how to respond (defense) to anticipated topics the captor may broach. At the same time, the communicator will be armed with three or four key points (offense) to work into the conversation. The conversation will be scripted with key words and phrases prominently posted on situation boards in the negotiation operations center (NOC). You can facilitate this operation by acquiring and securing a NOC that is quiet and convenient for all.
Once a decision is made as to where and to whom the initial call will be directed the key messages must be readied. Your K&R professional will help draft a message for the company or family that is designed to convey three things to the captor:
A willingness to communicate
The need for proof of possession/proof of life
A requirement for a reasonable delay
You should prepare the communicator for what’s coming – a high financial demand, a deadline, threats, and a warning to not involve law enforcement.
Up next: The second article in this series will address interaction with law enforcement, families, and the media.
Steve Romano and Frank Figliuzzi help lead ETS Risk Management, Inc. They consult with global clients on Crisis Negotiations, Kidnap, and Workplace Violence. Steve was the FBI’s Chief Hostage Negotiator and a Vice President of Control Risks. Frank was the FBI’s Assistant Director for Counterintelligence and a Fortune 100 corporate security executive. Frank also works as a National Security Contributor for NBC News.
Our Executive is Missing: Kidnap and Ransom Basics for Security Professionals
The third of a three-part series to help protective professionals understand how K&R can be successfully resolved
It may happen when you are least able to prevent it – when your executive or his family are alone and most vulnerable. Learning what to expect in the hours and days after an abduction will help you avoid becoming a bystander at a time when your leadership is most needed. The first article of this series focused on the early hours, activating your plan, confirming a kidnapping, engaging an expert consultant, establishing a negotiation operations center, and selecting a communicator to receive ransom calls. The second article dived deeper into negotiation techniques and financial criteria. In this last article of the series, we address engagement with law enforcement, victim families, and the media.
One of the early critical decisions needed during a kidnapping is the degree your company will engage with law enforcement in the likely foreign jurisdiction of the incident. Law enforcement’s priorities, including the identification, apprehension, and prosecution of the kidnappers, may impede effective negotiations. Police pressure can have a significant and negative impact on the time/money correlation that is present during all kidnappings for ransom. Corporations should strongly consider obtaining the services of a security consultant with a proven track record in ransom negotiations. These consultants already have established liaison with law enforcement and military in the countries where kidnap is most prevalent.
The taking of a U.S. citizen hostage or a ransom demand made against the U.S. Government, regardless of the victim’s citizenship, is a violation of U.S. federal law. The FBI, through their Crisis Negotiation Unit, is recognized as the official negotiation arm of the American government. Under the direction of the U.S. Ambassador, the FBI is the lead agency for development and implementation of negotiation strategies; conduct of investigations; and collection of evidence. The FBI will coordinate the government’s response to kidnap but will not take over decision making. Key decisions, such as whether to pay a ransom, always remain the responsibility of the victim family and/or company. The FBI will not provide the funds nor make the delivery of any ransom payment outside the United States. Corporations and families still must make these tough calls while managing the incident.
Know the Law
Some countries require mandatory notification to authorities that a kidnap occurred. Some countries mandate that you obtain their permission to negotiate with captors. Learning in advance the legal requirements in the countries where you have a presence could save precious time. A robust exchange of information with country authorities can result in permission to make a ransom payment when there is no other recourse for the victim’s safe release. The strong liaison can also help authorities realize that a kidnap negotiation is an investigative tool that provides intelligence and creates potentially exploitable options for law enforcement. Accommodation can be reached wherein authorities agree to wait until the victim is safely recovered before pursuing the abductors. In turn, a victim company may promise to provide all available evidence and make the victim available for debriefing.
In most cases, cooperation with authorities should be the preferred option of a victim company. Cooperation is a two-way street that can build trust. A strong liaison with authorities can increase the company’s ability to influence law enforcement actions. This is most critical when there is a need to restrain officials from attempting high-risk rescues. Continuous contact with high-level trusted officials can reap both short and long-term benefits.
A company should prepare to expend a considerable amount of time and resources supporting, advising and protecting the victim family. First impressions are critical, and a company should give serious consideration as to which executive protection level official will make the initial in-person notification, and who will be assigned as the full-time family liaison for the duration of the incident. The victim’s family will feel isolated, perceive that information is being filtered, and that the company is not doing enough to obtain their loved one’s release. These sentiments are quite common and understandable. It is essential for the company to form a united front with the family and to provide them with realistic assessments and genuine assurances that they are equal players at the table.
As soon as possible there are two areas to address with the family. The first area is how to handle contact with the captors. The second topic involves the best approach to media inquiries. Contact from the captors with the family is very common and should be expected. Captors realize the emotional impact they can have when they manipulate victim family against victim company. They know the family can pressure the company to quickly acquiesce to the captor’s demands. A company that provides the victim family with concrete guidelines can minimize the likelihood of orchestrated manipulation. Additionally, the family’s confidence in the company’s knowledge and competence increases when they can anticipate the adversaries’ strategy.
The family will also need media guidance and someone to act as a buffer during the kidnapping. Educate the family on the potential damage to negotiations that can be done by a spontaneous statement to the media. It might even be necessary to relocate the family for the duration of the incident to isolate them from a media onslaught.
A Crisis Communication Plan should be an annex of your Crisis Management Plan. The media will ask three basic questions: What happened? How did it happen? What are you going to do about it? It is in your company’s best interest to respond to media inquiries. Failure to respond or delaying response makes the company look irresponsible, unconcerned or incompetent. Again, an experienced negotiation consultant can assist you with the best responses to media inquiries.
Your company’s communication department should craft holding statements for various crises in advance. Innocuous holding statements can help a company buy time to gather critical information. Financial details, ransom policies, insurance coverage, and negotiation status should never be discussed with the media. It is also a good policy to not publicly criticize any government’s response efforts.
Always provide information to the victim family before providing it to the media. Also, focus on internal messaging for the “corporate family” of colleagues and co-workers who will not appreciate learning information through the media. There should be only one authorized spokesperson and statements should be cleared with key partners before release. Don’t lie to the media. Take control and portray a posture of calm and confidence. Proactively anticipate media events and stories rather than merely reacting to them.
Companies responding to an international kidnapping will face the challenge of dealing with multiple governments, interacting with law enforcement agencies, victim families and the media. The safety of your victim employee may depend on your ability to successfully navigate the internal and external complexities of the crisis. Will you be ready?
Meeting duty of care requirements is a complex process to navigate for any organization with employees who are traveling overseas on company business. Understanding what measures one can take to manage risk to an acceptable standard remains a considerable challenge. Now, more than ever in our volatile world, the question arises: how best to meet this legal obligation?
It is vital to obtain a comprehensive threat overview of all international locations where travel will be conducted. Accurate risk assessments and country security risk reports will provide a more informed and balanced decision-making capability regarding operational security concerns.
Security risk reports provide the organization with a comprehensive understanding of what we refer to as “Ground Truth” – knowing the risks of the area of operations – country, region, and locale. Documents should be user-friendly, relevant and up-to-date. Situations change rapidly and timely intelligence will provide detail on current and future anticipated threats.
Provide personnel with the tools and knowledge to minimize and mitigate personal travel risk. Travel safety and situational awareness is a vital cog in the TRM machine. Risks can be significantly reduced with the sensible application of basic personal security methodology. It is often the most cost-effective and efficient method of significantly improving the safety of individuals or groups abroad. Any training should provide an auditable trail that personnel completed the necessary steps prior to departure to minimize the risk of litigation.
Prior to any travel, the individual traveling should be fully aware and conversant with the environment they will be visiting, as well as the threats and risk of those threats. To avoid the risk of litigation, it is vital that any individual’s travel goes ahead willingly and with “eyes wide open.” To ensure this, any organization should supply, or provide access to a country briefing to an individual or group prior to departure.
The provision of the necessary protective and personal safety support when your travelers are in-country should involve, but not be limited to, two categories:
The biggest risk to any traveler in a foreign country is a vehicular accident. Further, most robberies, abductions, and violent opportunistic crime occur in or near a vehicle. It is therefore essential that journey management plans are prepared and rigorously enforced. Trusted and vetted suppliers of drivers and vehicles must be a priority. A reliance on taxis and ride-share services has led to multiple issues for organizations throughout the world.
Private transportation significantly alleviates risk to individuals abroad. The risks of express kidnapping, robbery, and sexual assault are significantly reduced if travelers do not have to hail taxis from the street or utilize public transport.
In some countries, the use of Executive Protection may be required to manage individual and group security. Executive protection is no longer a service for the rich and famous. The modern professional “bodyguard” acts in an enabling role, facilitating the movement of executives through the plethora of risks that exist.
The final part of the GEBIR principle is contingency planning. If an emergency incident occurs, police and national emergency medical services are often inadequate, overwhelmed, or non-existent. There must be a pre-identified and rehearsed service in place to ensure the effective and timely response to an emergency.
There are three components to Response:
Communication – The benchmark is to be able to identify the exact location of your employees and be able to effectively communicate with them within 15-20 minutes of an incident occurring.
Crisis Management – Being able to react immediately and effectively. This requires the design and implementation of plans and processes, to be complemented by the introduction and training of a crisis management team.
Emergency Evacuation or Hibernation Plans – These should be a structured and practical guide for the organization to identify and respond to executing a full or partial evacuation of personnel from operational locations, or hibernate in-situ until the situation changes.
The moral arguments for a solid TRM plan are obvious, but there is now a growing recognition both in the courts and with potential plaintiffs that breaches of duty of care occurring abroad can be heard in U.S. courts. The number of cases being presented has increased, and employment lawyers are particularly alert to the issue.