Business Resilience: Planning to Mitigate Acts of Terrorism.
Any business owner or manager that has seen the concrete barriers installed on London bridges to protect pedestrians or the increased security at concerts and sporting venues in the wake of terrorist attacks, cannot have failed to consider their own business security arrangements. Fortunately, these types of attacks are still rare but as MI5 British Intelligence chief Andrew Parker admitted in a recent, rare public speech the UK terror threat is higher than at any time in the past 30 years, so with this in mind most security experts agree that it’s not a case of If, it’s a case of when!
These tragic events, alongside the high-profile warnings, have led many businesses that once considered themselves low-level targets to reconsider their approach to security. But the challenge for those responsible for business resilience and security is where to begin? The wide-ranging nature of attacks makes the threat level really difficult to assess and the potential method of attack even harder to identify. Businesses could face everything from verbal or written threats, through to dangerous items sent through the post to direct cyber, property or personnel attacks.
So, in a business world where security awareness must be heightened, what questions should every organisation ask itself when considering business resilience and how to mitigate against acts of terrorism?
What is the level of threat to my business?
In times of heightened threat it is easy to get carried away by the rising tide of negative publicity. The first thing to rationally consider is just how at risk your business is to terrorist attack? Your location alone can sometimes put the business at risk. For example, if you are in a high-profile location, or public building. The nature of your business can sometimes make you more prone to attack, if there are political, religious or environmental connotations. All these aspects must be considered from an objective viewpoint to establish just how at risk the business is and where these attacks might come from?
What types of threat are you most at risk from?
Once you have understood the level of threat, it is important to identify the most likely types of terrorist attacks that could harm staff and/or customers and interrupt business. Remember, the most likely attacks are not necessarily the high profile, tragic attacks on people that are well publicised. Sometimes the most common attacks are in the form of infrastructure threats, such as Denial of Service attacks on your communications and internet connected systems. The National Cyber Security Centre recorded more than 500 ‘significant’ cyber attacks launched against computer systems in the UK over the past year. In total there have registered 1,131 IT threats since October 2016. Of those, 590 were classed as “significant” with 30 serious enough to trigger a cross-government response. Victims include national institutions like the NHS, along with large and small businesses.
What are the critical business elements to protect?
You must now establish the critical areas of the business that most require protection. First consider your people and then property and infrastructure. Are there frontline staff or key personnel more likely to be under threat? Are their office, store or building locations that are natural targets for selection? What are the key functions, such as mailroom or communication systems, that are most vulnerable to attack?
How best to detect and protect?
Once a thorough assessment has been made, a strategy for detection and protection can be established for each vulnerable area. These areas are generally situated around how people and packages enter your building / venue; the various security requirements can be wide-ranging. They can include eyes and ears on the perimeter of your buildings in the form of CCTV systems; Access systems to control who goes where and when, and security screening for some or all people leaving and entering the buildings’ mailroom screening for all incoming parcels and letters against the delivery of potential IED,s and harmful biological agents such as ricin or anthrax, and last but not least IT security solutions to protect against cyber threats included in this needs to be a password change routine and access levels to sensitive information tightly controlled.
And remember to try to build-in flexibility into your security solutions. The threats to your business are unlikely to remain fixed and it is prudent to ensure that the security arrangements you put in place are as versatile as possible. For example, one fast growing area in security screening is the implementation of ferromagnetic search pole technology. These are unlike the fixed security walk-through arches seen at airports; these ferromagnetic search poles are highly versatile and can be easily moved so that you can have a fully operational security checkpoint in a matter of minutes. The detectors can also be used externally and in all weathers so that you can establish a checkpoint outside your building / venue which offers the flexibility to quickly set up fast screening for weapons such as guns and knives in any remote location, thus enabling the security team to effectively screen people before they even enter your establishment. The use of the fully rechargeable batteries makes these products an obvious answer to a fast growing problem.
Are disaster recovery plans in place?
However, detailed your security plans have been, there is always the danger that a terrorist attack will be successful in some way and disrupt the business. As a result, businesses must have equally robust disaster recovery plans in place to ensure that the business is impacted for the minimum time possible. These plans could involve back-up / co-locations being established quickly if a building becomes unusable or for IT and communication infrastructures to be mirrored, so that a connection can be quickly re-established in the event of an unforeseen outage.
Are your people trained and tested?
Despite the rapid advances in detection technology, your staff are often the first line of defence and the best eyes and ears for the security of your business. To do their job well they must be trained properly. Consider the appropriate level of training for your staff. Some may just require basic threat awareness training, whilst others will need detailed training on how to effectively use the security technology they have at their disposal.
Make sure that the training the staff receive is from a recognised security training provider, that is appropriately accredited and is delivered by experts in their field. Also ensure that the training is regularly updated, as required, to keep up to date with new techniques and evolving threats.
Finally, ensure that your staff are regularly drilled and tested in their techniques to ensure that best practice is being implemented at every level.
To keep up to date with the latest actions on recommendations we highly recommend the use of the Citizen Aid app, this can be downloaded onto everyone’s personal mobile and is available on android and IOS, The citizen aid App is designed so that it will help to reduce the anxiety from difficult decision making in an unfamiliar and fast moving situations. Simply follow the systematic logical steps to do the right things in the right order.
Is there additional support for businesses in this area?
Yes, Remember that security action taken against potential terrorist threats and for business resilience should wherever possible enhance and not stand in the way of business. Staff and customers are reassured when they see security steps being taken and implemented considerately. Everyone in the business should be encouraged to participate. Public campaigns such as “See it, Say it, Sort it” can have a positive impact.
And finally, remember that this type of security assessment and implementation is not something that your business has to do alone. There are professional organisations that can assist with threat assessment, security implementation plans and training. Your local police force and the use of the CTSA (counter terrorist security advisor) can offer up to the minute advice that can also help plug your business into the wider support and counter terrorism activities that are underway in your community. The CPNI website offers excellent advice on counter terrorism for most business activities and business resilience; it also gives guidance on how to construct and how to implement business continuity plans in line with government and BSI guidelines. All of these resources can help integrate your business-focused prevention activities into wider community prevention action.
Jason Wakefield – Todd Research Ltd