Security/Emergency Information

So when is the NSGP grant coming out?

Short answer, we don’t know. The U.S. Department of Homeland Security cannot formally announce any grant program before there is a federal budget and Congress gave itself up to April 28, 2017 to come to an agreement. Both the House and the Senate included the program in their appropriations, but they must still work out the funding level of the program (We want it raised to $25 million.). It could be that the grant deadline is only days, rather than weeks, after the grant announcement, so get started now! 

We don’t expect many changes in the application process this year. Our best advice: complete all of the preliminary steps below and a draft of your application (known as the “Investment Justification” or “IJ”) as soon as possible. If there are any changes, you will be able to concentrate on the changes.

One final piece of advice. If you think that your organization is at high risk because of ideology-based/spiritual/religious reasons, think about how you would document them, especially if you follow mission implementing policies or practices that may elevate your risk. If you are a religious corporation, the answer is clear. If not, there may be an opportunity to document the risk.

NSGP 2017

  • Prequalification: NY nonprofits should register at https://grantsgateway.ny.gov/ and complete their Document Vault. See JCRC-NY’s additional information at: http://www.jcrcny.org/document-vault-faqs/ . If your nonprofit was previously prequalified, you will still have to update certain documents or your document vault is expired. Check your document vault for more information.
  • E-Grant registration: If you have an existing account (and remember the username/password), you’re fine; to register for the DHSES E-Grant system, email: grants@dhses.ny.gov
  • Risk assessment: Find guidance and contacts at: http://www.jcrcny.org/security-assessment/ and JCRC-NY’s guide to security consultants here. There are some self-assessment tools available. Check out:
  • Investment Justification: The 2017 forms are not ready. Download the 2016 Investment Justification here to see what the application looks like. Just make sure that the
  • For the most up-to-date info: http://www.jcrcny.org/securitygrants
  • Questions? Click here to send questions about the grant program.

To evacuate or not to evacuate? That is the question.

With another 17 hoax bomb threats reported, you should already have a plan. However, the ongoing threats should serve as a reminder to review our ongoing guidance, make use of the resources and implement the recommendations, as appropriate.

Should we be worried? At this time the experts conclude that the series of incidents referencing threats against schools, Jewish facilities and businesses likely do not represent a credible terrorist threat for two reasons:

  1. terrorists rarely provide operational insight into their planning, and
  2. the fact that nearly all hoaxes in the United States are conducted by criminal actors or those instigating a nuisance prank.

What are my options? Many security experts question the wisdom of the policy of evacuation. After all, a terrorist could trigger an evacuation of a facility with a simple phone call and then attack the evacuees in multiple ways. On the other hand, someone could place 100 hoax bomb threat calls, but actually plant a bomb on the 101st. (In rebuttal, why make a warning phone call when simply planting the bomb works?)

The bottom line is that there is no perfect solution, so all institutions should think about their options and consult with local law enforcement in the absence of the pressure of an actual emergency.

  • Set up a meeting with your local police to review and discuss your options.
  • There is no perfect solution. This is an issue that should be raised at a security committee or board meeting. Remember, your reputation is at stake and your decision may create liability issues.
  • Identify possible options leading to a sheltered evacuation, i.e., one that minimizes the dangers of an attack on evacuees:
    • Is your parking lot a relatively safe area? Could you evacuate there and stand an appropriate distance from your facility? Is there a sheltered path to an adjoining building? Can the local police establish a perimeter to protect the evacuees?
    • Develop appropriate protective measures based on your facility’s characteristics. For example, some facility managers have identified areas (e.g., a pool or gym) that are not cluttered and therefore, easy to check for bombs. If the architecture of the building is engineered so that the building would not likely collapse on those inside, one option is to evacuate people to these safe (or more accurately, safer) places (HT to Steve Levy of ISA).
  • Communicate, early and often. If you decide not to evacuate, some stakeholders will question your judgement and try to second-guess you. A well-planned sheltered evacuation option is easy to explain and shows that your highest priority is the safety of your stakeholders. Whatever you choose, have pre-written messages ready to go should you become a target.

No one can give you a perfect answer. Identify your options, consult with the best people possible and keep your people safe.

Hoax threats can be scary, too.

Should we be worried? At this time the experts conclude that the series of incidents referencing threats against schools, Jewish facilities and businesses likely do not represent a credible terrorist threat for two reasons:

  1. terrorists rarely provide operational insight into their planning, and
  2. the fact that nearly all hoaxes in the United States are conducted by criminal actors or those instigating a nuisance prank.

Due to the common occurrence of bomb threats across the country over the last few years, the experts judge malicious terrorism hoaxes such as bogus emails and phoned-in threats, including robo-calls, will almost certainly continue, diverting resources as they create disturbances and send false alarms. However, don’t become blasé. Someone might take advantage of the hoaxes to accomplish a real attack.


What should we be doing? Consider these incidents to be a teaching moment. How would your organization handle such threats?

  1. Know what you should do. Have a bomb threat plan before an incident happens. For starters, check out DHS’ Bomb Threat Guidance and Introduction to Bomb Threat Management. Add JCRC-NY’s post, Manhattan bomb threat: lessons learned to your reading list. Now is a good time to review, or to think through your own plans. Our own Emergency Planning: Disaster and Crisis Response Systems for Jewish Organizations has a longer chapter discussing the issue.
  2. Train your phone answerers. Everyone answering the phone (including those who might answer) should be taught how to handle a phone threat with this checklist. Have copies of the bomb threat checklist posted nearby.
  3. You have to communicate.
    • First things first. Call 911. Bring in the cavalry…ASAP. Whether you think the incident is real or a hoax, contact the experts and defer to them. Have a system (with primary and backup callers) that ensures that someone calls 911 immediately. Remember, don’t use a cell phone or walkie-talkie in the area of a suspicious package … you might set it off. Get to your landline.
    • Get the word out. Even if your people know what to do (i.e., you’ve conducted bomb scare drills) you have to let them know that they have to do it. Does your building have a public address system? Do you have cell phone numbers for all of your staff so that you can text them with updates? Can you modify your fire alarm system so that it sounds a distinctive signal for a bomb scare?
    • Let your constituencies know what’s happening. Bomb scares create angst and the possibility of physical danger, but there is the potential for risk to your reputation. No one wants a parent to learn about an incident from the media. Have pre-written messages ready for distribution directly to your constituencies (e.g., by text) stressing the steps you’ve taken and that everyone is safe. Have a point of assembly where worried parents can go for additional information from your best staffers. Work with the police to direct people to the appropriate areas. Do not post specifics on social media.  Click here for resources on crisis communication.
  4. Decisions, decisions. Have someone in charge (and a backup). OK, you receive a threat, now what? Certainly, dial 911, but should you evacuate or not? (Might someone use a bomb threat in order to trigger an evacuation, setting up an active shooter or vehicle ramming?) In reality there is no perfect answer to this question. Someone has to give the order and there will be no time to waste.
  5. Know where to go. If you decide to evacuate out of an abundance of caution you probably don’t want to stand in the street, especially if the weather is bad. Do you have an agreement with a neighboring institution that allows you to bring people into their facility? By doing so you can keep your people warm and dry and out of harm’s way.
  6. Keep unused parts of your building locked. It’s good practice to have your staff check your facilities daily, looking for something that “Just Doesn’t Look Right”. As they move through the rooms they should lock the doors. Closets and other storage areas should be kept locked. If you develop such procedures and do receive a bomb threat, the bomb sweep of your building can be accomplished faster.
  7. Consult your leadership about security plans. There will always be Monday morning quarterbacks, but a review of your plans at the Board level should empower those making difficult decisions under duress. As they say, “once is not enough.” Revisit security planning and procedures on a regular basis.

How can we know if the threat is real? The intelligence firm, Stratfor, recently published an article: How to distinguish a bomb threat from a bomb warning. The experts suggest some other possible indicators of a hoax:

  • Most genuine bombers wouldn’t specify the exact timing and target of an attack (since providing that information would jeopardize the success of an event);
  • Most genuine bombers wouldn’t use threats with complex scenarios involving chemical weapons or other advanced capabilities, or cite geographically dispersed targets; and
  • Most genuine bombers wouldn’t use threats involving large numbers of operatives.

Remember, there are no guarantees in security. You will have to weigh the options and make the best decisions possible. If you’ve thought about the options and have made decisions ahead of time, the odds of making the right decision increase dramatically.

Awareness 101: When it “Just doesn’t look right”

Regularly check around your facility for anything that “Just doesn’t look right”. Shown is a car parked in a “No Parking” zone with strange wires.

Experts note that terrorist attacks don’t appear out of thin air. In virtually every situation (and that includes active shooter events) an attacker practices “pre-operational surveillance.” More mundanely, they “case the joint” or just show up to observe, orient themselves to the situation and to decide how they will act during their attack. When suspect behavior is reported (1-888-NYC-SAFE) it can be investigated and an attack can be interrupted.

Determining that it “Just doesn’t look right”

The NYPD Intelligence Bureau just released some excellent guidance. Its primary focus is to help detect suspicious signs along special event routes (e.g., parades) or areas designated for large-scale public gatherings (e.g., demonstrations, celebrations, street fairs, etc.), but can apply to houses of worship, schools, community centers and other gathering points. The following examples of activity, though not fully inclusive, may be of possible concern to law enforcement (Click here for a PDF of the NYPD Indicators of Terrorist Activity guidance):

  • The appearance of a suspicious vehicle (including bicycles with a storage basket; motorcycles; utility storage boxes, etc.) parked near the area designated for the event to take place. Items left for a protracted period of time and disregarded.
  • Actions by an individual that suggest the pre-event videotaping or still photography of the route or location (and surrounding area) for no apparent reason (i.e., no aesthetic value). Sketching of the area, e.g., cross streets, access streets into and out of the area.
  • Any request to videotape from a roof or a vacant unit/apartment overlooking the event venue.
  • The sudden appearance of a new street vendor in an area adjacent to the event route, the venue’s access doors, or gathering location.
  • Unclaimed or suspicious packages/objects found along the special event route/location.
  • Individuals sitting or standing at a bus stop and not boarding a bus; individuals sitting at a particular location (e.g., park bench) at the same time each day for numerous days.
  • The very recent placement of a garbage can, postal mailbox, newspaper kiosk or other stationary object along the special event route/location.
  • Recent attempts by unknown individuals to gain access to your building’s roof overlooking the parade route/special event location/venue.
  • Inquiries about short-term rental of an apartment or space above your store/business, or in your residential complex, that also happens to offer a view of a parade route or special event location. (Terrorist operatives will often cohabitate to facilitate operational planning. Additionally, they may attempt to position themselves in an area that will ease their surveillance of potential targets.)
  • Large plastic drums being stored inside a building (commercial or residential space).
  • Reports of small fires or smoke conditions from a particular store or apartment.
  • Suspicious inquiries by unknown individuals regarding:
    • The security measures anticipated for the event (e.g., extensive questioning as to the searching of backpacks, stopping of vehicles, etc.)
    • The seating of public officials, dignitaries, or other VIPs at an event.

Ransomware: Lessons learned

Don’t say that we didn’t warn you (see here, here and especially here). Here’s a tale about a synagogue in the NYC area, but it could happen to anyone.

In mid-November the rabbi’s secretary was going about her business on the shul computer. Whether she was duped into clicking on an infected popup advertisement or she visited an infected website, the damage was done. What we do know is that this ransom note appeared on her screen:

[Image: ransomware warning]

Then the panic. The note was accurate: they were locked out of the shul’s only computer. What should the shul do?

  • They couldn’t get to their QuickBooks.
  • They couldn’t get to their member software.
  • They couldn’t get to the file with the Yahrzeits.
  • They couldn’t get to their record of Kol Nidre pledges.

Some computer-savvy members tried various tools, but no luck. The problem was eventually brought to the synagogue board and a hearty debate followed. Would they just be paying a ransom and get nothing in return (see the FBI guidance here)? Finally, the vote was to pay the ransom, 3 bitcoins (almost $2,400). Fortunately, the thieves were relatively honest. The synagogue’s files were decrypted and they could recover their data. Many other victims pay, but their computers remain locked.

Lessons learned

People, there’s nothing new here. Check out JCRC-NY’s Cybersecurity Resources page and our cybersecurity blog posts. This episode is an expensive reminder that it’s crucial to practice good cyber-hygiene.

  1. Backup, backup, backup. There is no excuse. External thumb drives and hard drives are cheap. Buy one and take the time to configure the backup program so that it automatically, regularly keeps critical data safe. There are many free or low-cost cloud options. Back up to Google Drive, Dropbox or a cloud server provided by your anti-virus/backup program. The data in some shul membership management programs are automatically saved to the cloud, which may even be monitored by full-time cybersecurity staff. Finally, more than one backup (e.g., one onsite, one offsite or in the cloud) is better than one … one is better than none.
  2. Keep your anti-virus software up-to-date. The bad guys are smart and they’re getting smarter. Somehow, the bad guys got the rabbi’s secretary to click on the infected link. Our poor synagogue had anti-virus software, but it was a year out-of-date (duh, it turns itself off). Most of the better anti-virus programs are updated constantly and will probably stop a ransomware attack before your data is seized. Buy a license that will protect all of your computers. (See bargain software rates for nonprofits at TechSoup.)
  3. Have strong passwords and record them. Whoever set up the synagogue’s computer did follow “best practice” and didn’t give the users “Administrator” access (pardon the techy-talk). The trouble was that no one knew that password so the consultant who assisted the synagogue had to get permission from the board to reset the password before she could revive the computer. Click to https://www.lockdownyourlogin.com/ for the latest guidance on passwords.
  4. Beware of residual “bread crumbs”. Some ransomware leaves malware on a computer so that the bad guys can re-infect the computer. After all, you paid once, won’t you pay again? Once you have recovered the encrypted files, use multiple products to scan your computer: first your new, up-to-date anti-virus program, then some others (the trial or basic versions are available free online) such as Malwarebytes, CCleaner, SUPERAntispyware, to name a few. There is no perfect solution. Each may find something that the others missed.
  5. Cybersecurity is a board responsibility. The incident was an expensive lesson. When no one on staff has computer skills, the board has a fiduciary responsibility to make sure that the staff know the basics of cyber-hygiene: the software is being updated, the backups are made, the anti-virus programs are working.

Finally, kudos to JCRC-NY’s outside computer maven from Dragonfly Technologies, who dropped everything to travel to the shul and spent many hours into the night to get them back in business and up-to-date.