The security of monitoring clients depends on many factors - most of them occur in monitoring centers. Few companies and even fewer customers are aware of how serious requirements a modern monitoring center should meet. They relate to many aspects - from architectural conditions and wall thickness to data encryption. A few years ago I participated in the design and construction of the only such center in Poland. Starting from the foundations and ending with IT solutions. It was built with considerable EU funding, because, unfortunately, a "normal Polish security agency" could not simply afford it.
Another article is devoted to the security of monitoring centers https://dmsi.pl/bezpieczenstwo-centrow-monitorowania/but now let's get back to the current topic.
Nobody asks questions?
Probably most clients assume that if it concerns our security, then there are some legal provisions that regulate monitoring. That there are standards and there is "someone" or "something" who watches over it. Yes and no.
The reality is this: there are rules, but they don't actually regulate how this monitoring should be implemented. Standards or standards are some, but hardly anyone uses them. There is also a control body, but there are no adequate control mechanisms in the field of emergency monitoring. In practice, this means that the actual security of monitoring clients depends on the security company and its internal standards and technical "culture".
In Poland, the first security companies performing alarm monitoring appeared in the early 90s of the last century. The provision of these services was not regulated by law and left much freedom in this area. Regulations regarding monitoring services as an element of electronic security systems did not appear until 1994 as part of the Polish Standard PN-93 / E-08390, which is now replaced by the PN-EN 50131-1 series of standards.
There is also the aforementioned PN-EN 50518 standard (3 sheets), which directly specifies technical and organizational issues for Alarm Monitoring Centers (Alarm Receiving Centers). Unfortunately, this standard has three main problems:
- is in english
- has very strict requirements, which in Polish reality are still practically impossible to meet,
- no one requires it.
The applicable legal act, which to a small extent refers to monitoring services, is the Act of 22 August 1997 "on the protection of persons and property". It defines and divides security services into technical protection and physical protection, which can also be implemented in the form of "constant supervision of signals sent, collected and processed in electronic devices and alarm systems".
The performance of the monitoring service is subject to only a few conditions related to the maintenance of relevant documentation. In some cases, there is also an obligation to have a firearm. There are no specific technical and organizational requirements.
What does the police say?
The quintessence of the problem seems to be the famous sentence from the document "Methodology for agreeing protection plans (...)" issued by the Police Headquarters in 2014:
"In most cases, alarm monitoring stations are located outside protected facilities. Experience shows that these objects are poorly secured, but this fact is of fundamental importance for the protected object.
Therefore, even the most complex alarm systems that secure facilities important from the point of view of state interests are worth as much as USI (monitoring station) security of this facility is worth. "
One could draw such conclusions from this:
- They wrote the truth
- They understand the problem
- There is nothing they can do about it
I will comment on the third point that could offend someone, but I do not intend to. My point is that we are dealing with something similar to how it used to be with Polish roads. Instead of patching the hole, a warning sign appeared ...
Ideally, such guidelines should include a specific provision that for monitoring such and such objects (i.e. subject to mandatory protection) Monitoring Centers that meet such and such requirements should be used (e.g. PN-EN 50518). Then, for facilities with increased risk, monitoring could be provided at the appropriate level, because state authorities could check the quality of services according to specific guidelines or records.
Then, other clients could theoretically hook up to such requirements, for example, following the model of obligatory protected facilities, they would like to have a higher level of security.
It's not good
This is a bad situation for both security companies and their clients. In alarm monitoring there are four main elements that affect the whole situation:
- customers they pay meager rates for alarm monitoring, they are poorly interested in the subject, a fence plaque is often enough to feel safe,
- security companies they provide different services - unfortunately, in most cases, they can't afford the development and maintenance of standards, investments, etc.
- standards they are not created because nobody cares about them
- right does not specify important technical and organizational issues related to alarm monitoring
Finally, if something happens, the client is left alone with the monitoring company. This is a very bad deal for both sides. Because neither of them has any chance of rational defense and reasonable investigation of possible damages. Not to mention the attitude of insurance companies to an issue in which they can properly interpret the fulfillment or not of the insurance conditions. There are plenty of examples.
Can customers feel safe?
It depends on the customers. If someone cares about the right level of security then he should be a bit interested. You don't go to the first "specialist". Of course, not everyone has to know each other but there is definitely someone to ask.
It also depends on the company that performs the service. There are companies that try and provide this service at a very good technical and organizational level, with full awareness of the responsibility and the fact of concentration of risk in one place, which is their Alarm Monitoring Center.
There is also the other side of the coin. These are companies which, not knowing standards and good practices, and not being forced by specific legal regulations, perform monitoring services incorrectly and irresponsibly. Unfortunately, it often happens that these companies are not aware of it - because how can they know how to do it right, since nowhere is it written and said? Many companies stopped in technical development at the level of many years ago and for unknown reasons are closing to new solutions - although they are cheaper and more effective, and most importantly they are safer for end customers.
You can read about data security in monitoring systems here: https://dmsi.pl/bezpieczenstwo-w-safestar/
What about intervention patrols?
It's very different. There are plenty of problems. I can cite two extreme cases of security audits that I once conducted:
Case 1. From several years ago. A large institution. Obligatory protection facility. During the audit, I ask the receptionist to press the "panic button", from which theoretically an alarm should result in the arrival of an intervention patrol. We wait 30 min. Are! Two gentlemen (armed!) Enter, approach the reception desk and calmly ask if there is a robbery here because they received such a signal. I approach these gentlemen and ask what their action procedure is? They answer that they are from another company that is a subcontractor and they do not know much because they came for the first time ...
Case 2. Quite not long ago. Summer house. Test burglar alarm. 9 minutes pass, we look ... gentlemen are riding, rushing through the copper that a little oil pan will not break. The "bulls" jump out of the car, jump over the fences (they use a blanket). One stands by the fence, the other runs around the cottage. After a while, the two of them walk and check windows and doors. The gentlemen are leaving. We call the monitoring station and ask why we have not received information about the alarm? There, you informed us that there was an alarm, but no violation was found, so in such cases they do not bother customers.
Can someone be happy with this state?
For years, security companies have only competed in price (which is slowly changing). Therefore, monitoring customers' security boiled down to obtaining the lowest possible rate. This caused total erosion of prices, which for many now are on the verge of profitability. Why was this happening? Mainly because "security is invisible" and usually nobody has seen what they are buying. Therefore, customers could not distinguish between better and worse quality services, so they chose the cheaper ones. A very simple mechanism that led to the fact that price and trading strategy were winning, not real security.
Not to mention the very negative impact of public procurement. They significantly influenced the lowering of protection prices, despite the fact that in the case of emergency monitoring this impact is not that great.
The lack of involvement of insurance companies, as is usually the case in other countries, has also had a rather destructive effect on monitoring services. When concluding the policy, all you have to do is tick the "there is an alarm monitoring with intervention" and that is enough to receive a discount. And then ... let everyone worry if anything.
Another large element that significantly affected the current shape of the monitoring market was the emergence of the possibility of providing services by one center throughout the country. Network clients, such as banks, insurers, commercial networks, gas networks, etc., took advantage of this opportunity - i.e. those who were still able to pay reasonable remuneration. As a consequence, local security centers were stripped of their "tasty morsels" and stagnation began.
In the current situation, many companies think about connecting with others, sharing technical and human resources. We also observe the reinforcement of local companies. This is favored by, among others, technology, cloud solutions, mobile applications and generally modern telecommunications generally boiled down to the internet. This bodes well for the future. Such activities will have a positive impact on the security of monitoring clients.
Can anything be done about it?
One might wonder if it is good as it is. If it all fits and life goes on, is there anything to crush a copy for? In our opinion, if you start a discussion on this topic. You first have to organize everything into a logical whole and then think about whether to actually do something about it. The starting point for this should be common sense, customer risk analysis and standards, although those we have.
Where can you start?
- First, let's ask ourselves: who needs alarm monitoring and why? Analysis of the answer to this question will most likely show us that not everyone needs the same. Business issues will also appear here.
- Secondly, if not everything is to be the same, let us introduce a division, some quality categories. Here standards help us classify the most important issues. There is also the issue of reliable certification for individuals and companies.
- Third, let us tell our customers what they are buying. It is important to know that monitoring is not equal to monitoring and it is not always possible to buy it for the proverbial zloty. Here I see a large share of modern media, including social media.