Who are the most important people working each night in the theatre ? The box office, ushers, actors and bar staff. They are the people an audience will interact with when they go to see a show and therefore are crucial to the theatregoing experience. It’s sad that in today’s troubling times, we now have to also add to this list the security guard at the door of the theatre.
Last January, I wrote about the visible security presence on Broadway.1 This may serve as an attempt for audience reassurance but I frequently think the theatre bag check is also as much about stopping soft drinks from outside being taken into the theatre. I would hate to think that the risk of terrorism has become used as an excuse to also help boost the theatre’s own takings at the bar. Over the past few years, I have reluctantly accepted that security checks are an inevitable part of the theatregoing experience.
But accepting that leads to the security guards effectively becoming the face of the theatre for audiences . It’s therefore vital that they combine their security duties with a warm welcome. After the recent terrorist attacks in London, theatres adopted a stringent security policy . The National Theatre effectively became a fortress, reduced to just two entrances.
Its friendly and well-informed security guards were placed on duty to check the bags of anyone entering the building . It caused some hassle and often long queues but was well-managed by a friendly and welcoming team. Over the river in the West End, security guards are being deployed across Theatreland, but with a frequent lack of customer care, which risks doing the theatres and their dedicated staff a huge disservice. Last Saturday I saw Cat on a Hot Tin Roof at the Apollo Theatre, and a few weeks earlier Harry Potter and the Cursed Child at the Palace Theatre.
Nimax, which runs both these theatres and four others in the West End, has some of the best front-of-house staff . When you visit one of its theatres, you genuinely feel that everyone is a valued part of the team and cares passionately about the theatre and production. So it was disappointing to observe and experience an unnecessarily aggressive attitude by the theatre’s security staff greeting the arriving audiences. They could not have cared less about that evening s show and did not know the answers to simple questions, such as what time the performance finished.
But at Cat on a Hot Tin Roof, the behaviour of the security staff at end of the performance that particularly troubled me . Standing dead centre in the lobby, and looking menacing with arms firmly folded, was a security guard whose position forced patrons leaving to walk around him. As the most visible staff person, audience members were naturally asking him questions, none of which he was able to answer; instead he responded with an attitude of annoyance at even being asked.
“Where are you going?” he barked at an audience member who had come out into the lobby looking for the toilet and needed to go back down to the stalls . Have you seen the performance?” he went on to ask, even though they were clearly holding the programme.
Meanwhile, I had gone past him to pick up a leaflet for the next show only to be challenged as to what I was doing. Standing by the wall and less immediately noticeable, was the front-of-house manager . I went over to comment at this security guard s behaviour and how little information he and his colleagues were able to provide about the show. She was pleasant and helpful and explained that the security staff were contracted to the theatre .
That meant they were not part of the theatre s staff and the theatre did not know they were going to be there on any given night. Had I not spoken to her, I’d have simply assumed as most of the audience probably did that because of their visible presence they were core members of the theatre’s staff. The security guard is obviously there to do a specific job . But the contractor s approach must be to adapt their staff into the environment of their workplace.
At the same time, the theatres who are contracting them need to ensure a greater level of training and integration to the same excellent level of customer care that awaits the audience once they have entered the building. The theatregoing experience has significantly changed in recent months . Today it begins not when you step into the theatre but instead when you open your bag for inspection outside it . These organisations must take care not to risk making audiences feel devalued.
How you end a performance is as important as how you begin it . The sight of security guards and bag checks at our theatres is here to stay, but one of the purposes of terrorism is to stop people enjoying their everyday activities. Therefore, if audiences continue to defy the threat and keep coming, then for theatres future, the whole experience must be truly great from start to finish.
- ^ I wrote about the visible security presence on Broadway. (www.thestage.co.uk)
Theatres around the UK have ramped up security in the face of heightened threat levels, with venues enforcing stricter bag checks and restricting access to their buildings. It follows advice that theatres should ensure their staff and buildings are prepared to deal with an attack, after the bombing in Manchester on May 22 that killed 22 people. The National Theatre in London confirmed it has put enhanced security measures in place including restricted access to the building and bag searches . The theatre is advising audiences to arrive earlier for shows to allow for extra time to carry out increased security measures.
The Royal Shakespeare Company has also stepped up its security in Stratford-upon-Avon, with bag checks at all performances and a small-bags-only policy for entry into the Royal Shakespeare Theatre and the Swan Theatre.
We will continue to be vigilant, as we know every one of us plays a role in keeping people safe from harm, and will continue to offer our warmest welcome to visitors, and to ensure that everyone is as safe and secure as possible, a spokeswoman for the RSC said. On May 27, the Old Vic Theatre in London was evacuated during a performance of Woyzeck, starring John Boyega, after a security alert was raised. A statement from the theatre said: Audience safety is our priority and on the afternoon of Saturday May 27 we evacuated the Old Vic as a precaution . The incident was found not to be suspicious and following Met Police advice, the evening performance went ahead as planned.”
The Old Vic s increased security measures include introducing additional security guards, while it will continue to search all bags, conduct security checks of the building and the perimeter and drill exercises for members of staff.
The UK s threat level was increased to critical in the wake of the Manchester attack, and reduced back to severe on May 27. Performances at major Manchester venues continued the day after the attack, however enhanced security has been put in place. Sheena Wrigley, executive director of Home, said it had decided against implementing bag checks, but more security staff were in attendance and 24-hour site security had been implemented .
Staff have also been briefed about increased vigilance. Following the attack, advice sent out by the Society of London Theatre and UK Theatre the membership organisations representing theatres and producers in the capital and the rest of the UK recommends theatres review events taking place over the next 20 days and any high-profile attendees. Among other recommendations for venues are ensuring first-aid points are fully stocked and made clear to staff, and raising awareness on the full range of attack methods to include vehicles, knives and suicide bombers.
Venues are also being asked to ensure security staff are vigilant and proactive in monitoring their area for suspicious activity, to try to minimise crowds and to be aware of who is arriving and leaving the premises. Theatres are also being advised to pay extra attention to areas around exits, especially when staff and audiences are leaving. HQ Theatres, which operates 12 venues around the UK on behalf of local authorities, confirmed that it had reviewed its safety procedures, emergency planning frameworks and event-specific security measures, all of which were already in place.
Operations director Alvin Hargreaves said some procedures had been enhanced following the Manchester attack, and the company had reviewed pre and post-show access to buildings as well as looking at the daytime operation of theatres.
You re looking for practical measures, but you re also looking for measures that give the public reassurance . That s a tricky balance to get right sometimes, Hargreaves said. Ambassador Theatre Group, which operates more than 30 venues across the UK, including the West End, confirmed to The Stage that security measures at its theatres had also been stepped up, including bag checks.
- Ensure staff and buildings are prepared to deal with an attack
- Encourage security staff to be vigilant and proactive in monitoring business areas for suspicious activity
- Work together with nearby businesses to ensure shared areas are protected
- Try to minimise crowds and be aware of who is coming in and out of premises
- Keep buildings secure where appropriate
- Pay attention to areas around exits, especially when large numbers of staff and customers are due to leave
- Be proactive in telling audience members around changes to procedure, advising them not to bring large bags and allow more time to enter venues
Last week Gizmodo and Propublica published a joint investigation1 on Mar-a-Lago Cyber Security, as well as on other Trump-owned hotels and golf courses. They scanned for open networks, unsecured devices, and other common security problems . They found that all the properties have basic security lapses using out of date servers and poorly protected networks. A spokesman for The Trump Organization said they follow cybersecurity best practices, but we don t put much value in generic company statements2.
Since Trump regularly visits Mar-A-Lago, has hosted foreign leaders there, and even observed military airstrikes , it seems like the security of his commercial properties are now a national security issue. To avoid being caught in any legal troubles, the investigators did not attempt to break in to these networks . Which is great because we don t want to see people going to jail but it also means there simply isn t enough data to say if Mar-A-Lago s network is secure or not. For instance, we don t know how if the network is properly segmented (which would insulate against the weak public-facing security measures) or any other configuration specifics .
We could speculate about worst case scenarios, but that seems more self-indulgent than truly useful. Propublica s claim that any half-decent hacker could break into Mar-A-Lago is undoubtedly true . But without knowing more about those networks, it s hard to know if that is a meaningful statement. We don t know who is using the network . Is President Trump using the network (standard govt practices say no3) ?
His advisors ? Their spouses ? What about staff members of foreign governments? Or is it just guests of the clubs and hotels ? That is still bad since the affluent people who can afford memberships likely have access to important business information and valuable contacts . But it s not in the same league as hacking the President.
But we can all learn from the weak security practices that were uncovered in this investigation, and apply that to the management of our own networks . Remember that Mar-A-Lago is primarily a resort (essentially a hotel) and they have to balance security with their guests needs . When you have someone paying tens of thousands of dollars a year to be a member, do you tell them you don t support their ancient devices, or turn on insecure options to keep them happy ? These are typical pressures faced by businesses, which you may also have to deal with on your own network. So, let s take a look at some of the mistakes we can learn from
We picked up signals from the club s wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP.
WEP (Wired Equivalent Privacy) is an outdated wireless security protocol designed for Wi-Fi networks.
These days, WEP should stand for Worthless Encryption Protocol . Back in 2005, the FBI demonstrated how to break WEP encryption in just 3 minutes4 . Today, there are apps for Android phones that can get you access to a WEP protected network in even less time . You should avoid using WEP at all costs. So why would Mar-A-Lago be using it ? Rich, elite, country club members aren t exactly known for their technical prowess .
This is likely a situation where there is pressure to support legacy devices . If you absolutely have to support aging technology like WEP, set it up on its own network . While this won t protect your guests/users on that network, it will isolate your critical infrastructure (aka, what the employees and admins use). The proper protocol to use on your Wi-Fi network is WPA2 . This will be available as an option on any router made in the last 10 years . You may see variations of WPA2 listed Personal and Enterprise there is a big difference between those.
WPA2 Personal uses a single pre-shared key, which is the method people are most familiar with when it comes to logging into Wi-Fi . With this mode, the admin sets a router password, which is used to create the pre-shared key . Everyone who wants to connect to the network simply types in the same password to connect. The Enterprise version allows every user to have their own credentials to login to the network . This limits the access an attacker can get, as they can only compromise one user at a time instead of the whole network . Enterprise is the more secure version, but it s significantly more difficult to administer .
This is the expert option if you aren t an experienced admin, stick with Personal. With either version of WPA2 you want to use a complex (mixed numbers, letters, and symbols) and long password at least 14 characters (as recommended by the DoD for their own networks5) . Legitimate users login infrequently, so a long password is only a rare annoyance . Short passwords save you a few seconds, but shave years of computational time off an attacker who is trying to brute force the password. Many routers have an option for Wi-Fi Protected Setup this is a misnomer and will make your network less secure6 .
Disable this option.
From our desks in New York, we were also able to determine that the club s website hosts a database with an insecure login page that is not protected by standard internet encryption.
This is a big no-no and I will consider it a personal offense if you do this. If you have a password protected page on the internet you must use HTTPS . There are no exceptions to this rule . HTTP is extremely insecure and if you login over HTTP you are broadcasting your credentials to the local network and the internet . It s the equivalent of shouting a secret through a megaphone.
There is a reason Firefox and Chrome now present big bold warnings if you try to login over HTTP7. Even if the page is on the internet but only used by employees or not publicly listed it is still on the internet . Setting up HTTPS is fairly easy and inexpensive even if you are a network admin who has never configured HTTPS before it will only take about an hour. If you have a local network login page it is also a good idea to use HTTPS . Depending on how your network is configured, and how you are connected, there are considerably less risks is this scenario .
However there are still risks and you should use HTTPS here too . An easy rule: if you see a login page, you better also see HTTPS in the address bar.
At a Trump property in New Jersey, they spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.
This one is tricky . Depending on the type of business you operate, you may have a need for an easily accessible network . In a coffee shop you can have the password available at the register that is a bit more difficult on a sprawling golf course. While a password protected network is technically more secure, that security is mostly an illusion if you can get the password by purchasing a $2 coffee or pretending to be a flustered guest.
If you are running such a network the best way to avoid issues is to make sure guests understand the risk, and that employee s aren t using the network out of laziness . For instance, imagine Trump (or a member of his team) selecting the open network by accident or out of ignorance of the security risks. If you are on an open/public Wi-Fi network, any unencrypted (HTTP) traffic can easily be recorded and viewed by other users on that network . As more and more sites adopt strong HTTPS configurations, there becomes less risk that a user leaks sensitive information this way . However nearly half of data is still communicated over HTTP, so there is still a lot of potential for compromise.
Propublica talked to well-known security expert Robert Graham8, who warned that poorly secured networks are a gateway to bigger issues . Add in network devices that are unsecured, or a poor network layout where an open access-point is connected to more important areas of the network, and now you have real trouble. Remember, attackers are looking to inch their way in . Small flaws are combined until they have big flaws, and access to a device or data . Graham also warned that a series of vulnerabilities could be used to access a microphone or a camera of a device on that network, which could be used to listen in and monitor sensitive communications .
While this is far beyond the skills of an average hacker, it s a realistic threat when you have a President on your network.
- ^ Gizmodo and Propublica published a joint investigation (www.propublica.org)
- ^ but we don t put much value in generic company statements (www.thesslstore.com)
- ^ standard govt practices say no (www.nytimes.com)
- ^ how to break WEP encryption in just 3 minutes (www.zdnet.com)
- ^ as recommended by the DoD for their own networks (assets.documentcloud.org)
- ^ this is a misnomer and will make your network less secure (www.howtogeek.com)
- ^ Firefox and Chrome now present big bold warnings if you try to login over HTTP (www.thesslstore.com)
- ^ Robert Graham (twitter.com)