Multitenant Facility Security: Good Neighbors Make Good Fences

Lessons for securing multi-tenant facilities. (Guess what: The landlord isn't going to help much.)

Rich Maurer was once hired to do security consulting for a property management company that had recently leased space to a child-care center. Not 30 seconds into the site visit Maurer, a managing director in the government services division of Kroll, realized this particular day-care business was going to be nestled in an extraordinary setting. "I'm standing in the parking lot in front of the day-care center," he recalls. "I turn my head to the left and there's an abortion clinic. I look beyond the clinic and I see the Israeli consulate. I turn my head to the right and I see the county probation department. Across the street the other way is the Federal Reserve Bank. It was like drawing a bull's-eye in red on this parking lot.

"We went to a whole other level of security plan," says Maurer.

Indeed. Maurer's story is a good illustration of the challenge of security in multi-tenant facilities such as office parks, office towers and malls. The threats facing one occupant may differ significantly from the risks neighboring businesses bring to the party. And vulnerabilities in one tenant's defenses can lead to problems for the others. What's more, no single entity is accountable for security across the entire facility; if you mistakenly think the landlord is responsible, keep reading.

CSO tapped Maurer (a past chairman of the physical security council for ASIS International) and other experts to help identify some basic principles, necessary steps and common gaffes for readers who share space with other businesses.

Long-established principles of tort law discourage landlords from providing extra security measures.

Tim Bartkowiak wears both the landlord hat and the tenant hat. Bartkowiak is director of security and loss prevention for the $2 billion retailer Spartan Stores, which operates 54 supermarkets, 21 drugstores and three fuel centers in the Midwest. Bartkowiak has plenty of experience as both landlord and tenant in strip mall settings where the Spartan market is the anchor store. When it comes to security issues in these settings, beyond securing the common areas, Bartkowiak believes responsibility rests firmly on the tenant's shoulders.

So in new properties operated by Spartan, the company will provide some basic security features such as high-quality locks, sturdy windows and metal doors, but it does not offer closed-circuit TV (CCTV) monitoring or uniformed security guards patrolling the parking lot at night. In Bartkowiak's opinion, if Spartan supplied those things as a landlord, the company would be opening itself up to the impression that it is wholly responsible for the tenant's securityand that's not the case. "We don't want anyone to say, The only reason I leased here is because of these extra measures you took, and I got robbed in the middle of the night," he says. The more you take on, the more you'll be held accountable for.

Conversely, as a tenant, Bartkowiak puts his own security measures in place rather than rely on the landlord's judgment. "We make our own security modifications. In some cases we do go as far as having a CCTV system if our crime risk analysis for that location indicates it is justified," he says. "We might modify the doors or the loading area in back."

Bartkowiak's stance is legally sound. Underlying Spartan's practices both as landlord and tenant is a fundamental tenet of tort law: Liability follows control. The landlord does not have immediate control over the premises occupied by the tenant in most cases, so the burden of providing security rests on the party with the control, i.e. the tenant.

This tort concept can be trumped by contractual agreement. So a landlord that knowingly and contractually undertakes the protection of its tenant may well be held liable should an incident ever go to court, though the tenant will always have the responsibility to minimize its own risk. In the event of a dispute arising from a security-related incident, each case will hinge on exactly what each party agreed to take on (which is a matter of contract law) and whether both used cost-justified loss-avoidance measures to mitigate risk (which is a matter of tort law). At any rate, the key take-away for CSOs is to not rely on the landlord for anything that is not spelled out explicitly in a contractand Maurer notes that in many leases, security isn't covered at all.

There are no universal standards in safeguards provided.

"In a multi-tenant environment, there are no hard-and-fast rules. What one company provides, another one might not," says Phill Banks, director of the Banks Group consulting firm in Vancouver, British Columbia. Banks worked in federal law enforcement for 25 years prior to opening his own company.

Surprise: Even in the post-9/11 world, it is hard to come by security standards for multi-tenant office buildings. Chances are, a CSO opening up operations in a new facility will start with an almost-clean piece of paper when negotiating the security provisions to be included as part of the deal. For most types of properties, there are no generally accepted security provisions beyond a lock on the door. That's changing slowly. For example, 10 years ago, many high-rise office buildings had no lobby-level security. Today, that is an anomaly. Most high-rise owners have uniformed security guards in the lobby to control visitor access. And, Banks says, given beefed up controls (added security guards, for example), more tenants want to know exactly what portion of their lease is attributable to security and what exactly that money goes to. Banks says current estimates run between 1 percent and 6 percent of the typical lease. Geoff Craighead, vice president of high-rise and real estate services at Securitas Security Services USA, adds that since 9/11, prospective tenants have been much more likely to ask that security arrangements be spelled out in the lease, with responsibility clearly laid out to each party. Another shift prompted by 9/11 is toward re-evaluation of the design of fire escapes and other safety features, particularly in high-rise facilities; again, however, real change in building codes and compliance takes many years.

Every building and surrounding property faces a unique set of risks.

Performing a physical property assessment is a logical first step in determining whether to take on the property's associated risks. A suburban office campus presents a different set of concernsnot necessarily fewer concernsthan does a downtown high-rise or an industrial park call center. Clearly, any corporate policy that spells out a single set of security measures regardless of location is going to be inefficient at best, and dangerous at worst.

Most security managers know it is essential to do a thorough risk assessment prior to signing on the dotted line, but some require help with the exact ins and outs of that assessment. Even those who understand the basic due diligence steps (see "5 Steps of Site Security Evaluation," Page 32) sometimes call in consultants because it can help to have a disinterested third party take a look at the shortlist of locations. "We do a lot of checking on our own, but we'll go to a service provider should there be key pieces of information we need to check further," Bartkowiak says.

Sometimes the simplest solution is sufficient (and sometimes not).

CSOs must calibrate security measures in accordance with each facility's risk assessment. "What level of protection do you need to bring to your assets, and are you comfortable with the security provisions the landlord provides?" asks Banks. Though the public perceives a greater threat post- 9/11, businesses still are wary that tight security measures will hamper their employees' and guests' business activities. Banks says the key phrase is "appropriate level of security." When security measures are too restrictive, employees will find ways to circumvent them.

Here's an example. Having someone at the entrance who greets visitors and makes eye contact is powerful. This simple step tells visitors "that someone knows you're there," says Maurer. Banks agrees the "polite challenge" is an effective frontline security effort in any commercial setting. Craighead, on the other hand, is a big advocate of electronic card readers, which automatically scan the wearer's security pass before granting admittance. In high-traffic locations, he says, "This is better because there's no way for anyone to tailgate or sneak in behind someone." Greeter versus card readereach will prove the better choice in certain circumstances. And in some cases, CSOs will deem both to be necessary.

Good neighbors make good fences.

Haggling over the lease and putting cameras in place is only the beginning. The nature of the multi-tenant arrangement dictates that neighboring CSOs should meet early and communicate often. Joining the tenant association, if there is one, is a smart but not completely sufficient step. As simple as it sounds, lunch or coffee every few weeks can go a long way toward preventing ugly finger-pointing if there is a security breach later. As Bartkowiak puts it, "If an incident occurs, hopefully these are people you already know. You don't want to trade business cards when you're in a crisis situation."

It is natural to assume that the next-door neighbor knows that its questionable foot-traffic at all hours of the night (for example) is putting other companies' employees and customers at risk. But Banks says the assumption is false. "People don't try to guess what your issues are. If you don't tell them, they won't know. And if you don't tell your fellow tenants that something they're doing is putting you at risk, they don't get a chance to change the way they operate," he says. A strong network can provide early warning if something (like a rash of office laptop thefts) crops up. To that end, Maurer also notes the importance of connecting with local law enforcement agencies. When Maurer was the head of security for a large security printing company, he invited the local police and fire chiefs and emergency medical personnel to tour the facilities. "I would point out the door they would come through in an emergency situation," says Maurer.

The CSO of a large organization with far-flung offices should make sure someone at each office does this same work of making local connections. It might seem tedious to do this at every branch office, but there is simply no substitute for having local contacts that can provide the latest local information. Similarly, if a local security manager gets word of an incident in his area, transmitting that intelligence throughout the organization can help quash the outbreak before it becomes more widespread.

Other tenants can bring risks you might not normally think of.

Maurer's day-care illustration should make this point immanently clear. In addition to companies that are appealing targets of financial crime (whether violent or white-collar), CSOs should be highly conscious of neighbors associated with political bodies (foreign consulates, for example), those involved with hot-button issues (such as an abortion clinic or companies that test products on animals) and those that could be regarded as icons of American capitalisma priority consideration since 9/11.

Even tenants that seem unobjectionable may bring unexpected risks to the table. Maurer once checked out an apparently low-key real estate development company, only to find out that the owner was the defendant in numerous lawsuits going all the way up to the U.S. Supreme Court. "There were tens of thousands of people who had lost money due to this guy. We didn't even have to do an in-depth search. We just Googled him," says Maurer. Sometimes, obviously, a cursory Web search won't do the trick; in some cases CSOs may need to check court filings and records, do background checks, investigate complaints at the Better Business Bureau or elsewhere, search police records and more. The results may affect the CSO's thinking about access controls, lighting, parking and surveillance.

Copyright © 2005 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)