Corporate Security, Easily Sidestepped, Seeks Stronger Shields

But the risk is not confined to the tech sector. Many companies across the country are similarly exposed, reflecting an open-door policy that for generations has pervaded corporate America, where safety training has long focused on fire drills, earthquake-sheltering procedures and accident cleanup.

Some of that trust has eroded over the years. After the World Trade Center attacks in 2001, companies fearing terrorist bombings and biochemical attacks taught employees how to handle suspicious packages. But a sharp increase in mass shootings over the past two decades has made companies increasingly nervous about gun violence from disgruntled workers and customers.

Last year, an employee fatally shot three people at the United Parcel Service complex in San Francisco. In 2016, an employee fatally shot three colleagues and injured 14 more at a lawn care equipment factory in Kansas. In 2012, a man shot seven people and himself at a Minneapolis sign company hours after he was fired.

“I just don’t know how we got here,” said James D. Smith, president of the American Society of Safety Engineers. “We would never be thinking 10, 15 years ago that this would be an issue.”

On Tuesday, Nasim Najafi Aghdam, a YouTube user upset about the company’s policies, shot three people at the company’s headquarters before killing herself, police said.

Ms. Aghdam shot the people in an enclosed courtyard where employees dined. YouTube said she had entered the courtyard through a parking garage. The gate between the parking garage and the courtyard was unlocked, according to Zach Vorhies, an engineer at YouTube. A former YouTube employee who used to handle threats from disgruntled video creators, but was not allowed to speak about it publicly, said his team repeatedly warned YouTube security about the risk of the parking garage and unlocked gate, but it was never fixed.

YouTube said in a statement on Wednesday that Ms. Aghdam never entered the building itself thanks to other security protections. The company said it was “revisiting this incident in detail” and would be increasing security at all of its offices around the world.

The F.B.I. identified 160 so-called active-shooter incidents in the United States between 2000 and 2013, which left 486 people dead and 557 wounded. Nearly 46 percent of the attacks took place in commercial locations. Dozens of other attacks have occurred since 2013.

Where Active Shootings Occur

An F.B.I. study found that nearly half of 160 active-shooting incidents over more than a decade occurred in business settings.

Businesses Open to Public

Elementary to High Schools

Higher Education Facilities

Workplace shootings have fueled a cottage industry of security consultants who show employees how to manage panic, when to run or hide, and how to fight as a last resort. Lesson plans identify which filing cabinets or furniture offer the best protection, and which office tools can become improvised weapons. A full day of training can cost companies thousands of dollars.

Companies are sending their employees to self-defense classes and their security personnel to gun ranges to test active-shooter scenarios in virtual reality. Architects are designing offices with designated safe rooms. Insurance providers are offering lower premiums for corporate clients with stronger security.

“If you can’t protect the work force, you’re putting your entire operation at risk,” said Arnette Heintze, a former Secret Service agent who runs the security consulting firm Hillard Heintze, which posted record revenue in the most recent quarter.

At Apple’s new campus in Cupertino, Calif., visitors are required to enter through a single, guarded entrance. The headquarters has a massive courtyard but it requires someone to pass through the building to reach it.

One former Facebook employee who worked on the company’s security protocols, who declined to be named because of Facebook’s prohibition on discussing internal company matters, said the company received dozens of threats a week.

In recent years, Facebook has increased security at the entrances to its headquarters in Menlo Park, Calif., but its parking lots and surrounding areas remain accessible. “The safety of our employees is paramount, and we work hard every day to maintain a safe and secure environment for our community,” Jamil Walker, a Facebook spokesman, said in an email.

Facebook could soon find security trickier. It has proposed expanding into a nearby neighborhood, with housing and public space for local residents alongside its offices.

Some security experts instruct clients to shift their parking lots further away from the main facility, giving more time for potential attackers to have second thoughts and for guards to act on a threat. Consultants recommend that executive offices remain unlabeled to make them less of a target.

Companies of all kinds have stepped up security. General Mills said it made physical changes to its building in Minneapolis to better prepare for an active shooter situation, but did not provide specifics. Wendy’s said it had installed upgraded security cameras throughout its headquarters in Dublin, Ohio; set up advanced access control systems that can lock down different parts of the facility; and upgraded its phone systems with emergency messaging capabilities.

Hallmark and Hershey said they show employees a training video from the Center for Personal Protection and Safety that covers active shooter protocol. Some companies use a softer term — “hostile intruder” — to describe the training, while others add customized introductions to the footage.

Employees are being asked to download internal apps loaded with safety plans, maps and emergency alerts. Some are told that their bonuses will be withheld if they do not attend mandatory drills.

And preventive tactics are gaining traction. Employers are hiring social media trackers and data analysts to search for warning signs in employee behavior. Accenture said it has a behavioral threat assessment team made up of human resources representatives, lawyers, on-call psychologists and others.

But security remains a matter of balance.

“You don’t want a security program so restrictive that it hinders the company from doing the business it’s in,” Mr. Heintze said.

And vulnerabilities remain common, security consultants said. So-called penetration tests frequently show how easily an outsider can slip into an office through the employee smoking area, past an unmonitored camera, into a door held open by a polite employee, or through a metal detector being overseen by an underpaid and overworked security contractor.

Employees looking for convenience tend to prop open automatically locking doors. Some will pass a badge over a turnstile to a friend who forgot theirs.

One corporate client described its facility to John M. White, the chief executive of the Protection Management security consulting firm, as being fully secure. Within three hours, Mr. White found that he could waltz through most of the building’s doors without being screened and that some were so old they would not lock.

Another customer spent several hundred thousand dollars installing security cameras, only to find that their views were obstructed. Mr. White said he has spoken to employees who, in a theoretical attack, said they would be unwilling to break a window to escape out of fear of being fired later.

“You can’t just throw a million dollars at security and say that now the problem’s gone,” he said. “In some ways, it can be a facade — you could have the most secure facility in the world, and there will still be some risks you’re going to have to accept and manage.”

Continue reading the main story