In recent months, people of most nations have realized that terrorism groups do exist, and their crimes have escalated to a point where it's important to consider the safety of yourself and those you care about. As an executive, the growing environment for terrorism should be on your radar, and right now is the time to prepare a crisis and continuity plan. Let's have the uncomfortable discussion about terrorism, and what it means to CEOs.
Just this week we've seen another mass shooting take place in the United States, however, this attack is strongly rumored to have been an act of domestic terrorism at the least. To make things worse, multiple media sources are reporting that this was an act of terrorism, in the conventional deﬁnition we have become used to. See this link: 'Devout' Muslim US citizen and his Saudi wife who were 'living the American Dream' identiﬁed as heavily-armed duo who burst into his ofﬁce holiday party and slaughtered 14 after leaving their baby with his mother.
Whether your organization has just one ofﬁce, or maintains multiple ofﬁces around the world, it's important to consider threats like these when preparing a crisis plan. If you haven't created a crisis plan yet, or updated your current one - now is the time. As the CEO or Executive Director, what would you do if an armed gunman (or woman) stormed your ofﬁce? Yes, you can hire private security, and begin pouring money into a security budget, but there are other things you can do right now to protect your organization and its employees.
If you do not have a business crisis (or continuity) plan in place then consider how best to make your organization more resilient while the plan is being developed. Designate a crisis management team led by senior staff, incorporate succession planning for key personnel and organize a robust telephone and/or e-mail cascade system for contacting staff outside working hours. Make sure copies of essential data or records are stored off-site and that IT systems can be accessed from other sites. Staff may continue to work from home if they have remote access to your IT systems. Ensure that you have robust banking and ﬁnancial arrangements so that you can continue to make payments and sustain your business.
10 Protective Security Points:
The following ten protective security points summarize the guidance given to executives overseeing security. Whether you are creating, reviewing, or updating your security plans, keep these key points in mind:
- Carry out a risk assessment to decide on the threats you might be facing and their likelihood. Identify your vulnerabilities.
- If acquiring or extending premises, consider security at the planning stage. It will be cheaper and more effective than adding measures later.
- Make security awareness part of your organization's culture and ensure security is represented at a senior level.
- Ensure good basic housekeeping throughout your premises. Keep public areas tidy and welllit, remove unnecessary furniture and keep garden areas clear.
- Keep access points to a minimum and issue staff and visitors entrance passes. Where possible, do not allow unauthorized vehicles close to your building.
- Install appropriate physical measures such as locks, alarms, CCTV surveillance and lighting.
- Examine your mail-handling procedures, consider establishing a mailroom away from your main premises.
- When recruiting staff or hiring contractors, check identities and follow up references.
- Consider how best to protect your information and take proper IT security precautions. Examine your methods for disposing of conﬁdential waste.
- Plan and test your business continuity plans, ensuring that you can continue to function without access to your main premises and IT systems.
Business Continuity and Crisis Planning:
Business continuity planning is obviously not just driven by terrorism, but it would be critical to your business’s survival if it was affected by a terrorist incident. And the beneﬁts have an even wider impact. Every year nearly one in ﬁve businesses suffers a major disruption, and planning to deal with those disruptions is widely regarded as good business sense. Effective business continuity planning is critical to ensuring that the essential functions of your business can carry on despite an emergency. Many businesses will already have plans to deal with sudden commercial risk. These may include events such as the failure of critical suppliers, an unexpected bad debt, industrial action or the discovery of a serious fault in a product or process. Planning for the aftermath of terrorist incidents is very similar
For example, a major terrorist incident could have the following consequences:
- Damage to your buildings.
- Loss of IT systems, records, communications and other facilities.
- Unavailability of staff because of disruption to transport or their unwillingness to travel.
- Loss of staff through death or injury.
- Adverse psychological effects on staff, including stress and demoralization.
- Disruption to other organizations and businesses on which you may depend.
- Damage to reputation.
- Changes in the business demands placed on your organization.
You will need the right resources to maintain your critical business functions following a disruptive event. These are likely to include:
- Sufﬁcient people with the necessary expertise and motivation to lead and manage the organization.
- Access to key records and IT systems.
- Reliable means of communication, especially with your staff.
- The ability to carry on paying staff, to ensure their safety and to provide them with welfare and accommodation.
- The ability to procure goods and services.
- The ability to respond to demands from the media
Five Steps to Developing a Continuity (or crisis) Plan:
- Analyze your business. Working with the full support of senior management, you need to understand your business and the way it works, including which functions are essential and where vulnerabilities lie.
- Assess the risks. You need to understand what emergencies might affect your business and what impact they would have. By focusing on impacts rather than causes, you will make sure your plan allows you to deal effectively with an incident, no matter what the source.
- Develop your strategy. You will need to agree with senior management of the organization's appetite for risk. You can then decide which risks can be accepted, which risks can be reduced and which risks should be managed using business continuity planning.
- Develop your plan. You should then develop a business continuity plan covering the agreed areas. All plans look different, but they should be clear about roles and responsibilities, easy to understand and open for consultation and review around your organization.
- Rehearse your plan. Rehearsal helps you to conﬁrm that your plan will be connected and robust if ever you need it. Rehearsals are also a good way to train staff who have business continuity management responsibilities. Lessons from exercises can be used to reﬁne your decisions in steps one to four.
Basic good housekeeping reduces the opportunity for planting suspect packages and helps deal with false alarms and hoaxes. You can reduce the number of places where devices may be left by:
- Keeping public and communal areas – exits, entrances, reception areas, stairs, halls, lavatories, washrooms – clean and tidy.
- Keeping the furniture in such areas to a minimum – ensuring that there is little opportunity to hide devices.
- Locking unoccupied ofﬁces, rooms and store cupboards.
- Ensuring that everything has a place and that items are returned to that place.
- Considering the removal of litter bins or replacing them with clear bags.
- Putting plastic seals on maintenance hatches.
- Keeping external areas as clean and tidy as possible.
- Pruning all vegetation and trees, especially near entrances, to assist in surveillance and preventing concealment of packages.
The vigilance of your staff (including cleaning and maintenance staff) is key to your protective measures. They will know their own ofﬁces or work areas and should be encouraged to look out for unusual behavior or items out of place. They must have the conﬁdence to report anything suspicions, knowing that reports will be taken seriously even if they turn out to be false alarms. Staff must also know who to report to and their contact details. Training is therefore particularly important. Staff should be briefed to look out for packets, bags or other items in odd places, carefully placed (rather than dropped) items in rubbish bins and unusual interest shown by strangers in less accessible places.
An efﬁcient reception area is essential to controlling access, with side and rear entrances denied to all but authorized people. Keep access points to a minimum and make sure the boundary between public and private areas of your building is secure and clearly signed. Invest in good quality access controls such as magnetic swipe identiﬁcation cards or ‘proximity’ cards which are readable from a short distance.
If a staff pass system is in place, insist that staff wear their passes at all times and that their issuing is strictly controlled and regularly reviewed. Visitors should be escorted and should wear clearly marked temporary passes, which must be returned on leaving. Anyone not displaying security passes should either be challenged or reported immediately to security or management. Consider introducing a pass system if you do not have one already.
The random screening of hand baggage is a signiﬁcant deterrent and you have the right to refuse entry to anyone who does not allow you to search their possessions. However, body searches may be carried out only with the agreement of the person being searched. Routine searching and patrolling of premises represents another level of screening covering both internal and external areas. Keep the patrols regular, but not too predictable.
Trafﬁc and Parking Controls
If you believe you might be at risk from a vehicle bomb, the basic principle is to keep all vehicles at a safe distance. Those requiring essential access should be identiﬁed in advance and checked before being allowed through. If possible, you should ensure that you have proper access control, careful landscaping, trafﬁc-calming measures and robust, well-lit barriers or bollards. Ideally, keep non-essential vehicles at least 30 meters from your building.
Doors and Windows
Good quality doors and windows are essential to ensure a building’s security. External doors should be strong, well-lit and have good quality locks. You may want to consider alarms as well. Doors that are not often used should also have internal bolts and remember that, if you have glazed doors, they are only as strong as their glazing. All accessible windows should have good quality key-operated locks.
An electronic attack could:
- Allow the attacker to remove sensitive information
- Allow the attacker to gain access to your computer system and do whatever the system owner can do. This could include modifying your data, perhaps subtly so that it is not immediately apparent, or installing hardware or software devices to relay information back to the attacker. Such attacks against internet-connected systems are extremely common.
- Make your systems impossible to use through ‘denial of service’ attacks. These are increasingly common, relatively simple to launch and difﬁcult to protect against. As soon as you entrust your information or business processes to a computer system, they are at risk. Electronic attacks are much easier when computer systems are connected directly or indirectly to public networks such as the internet.
The typical methods of electronic attack are:
This is an attempt at unauthorized access, almost always with malicious or criminal intent. Sophisticated, well-concealed attacks by foreign intelligence services seeking information have been aimed at government systems but high-tech industries might also be targets.
The techniques and effects of malicious software (e.g. viruses, worms, trojans) are as variable as they are widely known. The use of e-mail, systems that interconnect, external contractors and remote access (e.g. for home working) allows virus infections to spread ever more widely and rapidly.
Malicious Modiﬁcation of Hardware
Computer hardware can be modiﬁed so as to mount or permit an electronic attack. This is normally done at the point of manufacture or supply prior to installation, though it could also be done during maintenance visits. The purpose of such modiﬁcations would be to allow a subsequent attack to be made, possibly by remote activation.
Denial of Service (DoS)
These attacks aim to overwhelm a system by ﬂooding it with unwanted data. Some DoS attacks are distributed, in which large numbers of unsecured, ‘innocent’ machines (known as ‘zombies’) are conscripted to mount attacks.
What to do in the Event of a Cyber Attack
- Acquire your IT systems from reputable manufacturers and suppliers.
- Ensure that your software is regularly updated. Suppliers are continually ﬁxing security vulnerabilities in their software. These ﬁxes or patches are available from their websites – consider checking for patches and updates at least weekly.
- Ensure that all internet-connected computers are equipped with anti-virus software and are protected by a ﬁrewall.
- Back up your information, preferably keeping a secure copy in another location.
- Assess the reliability of those who maintain, operate and guard your systems.
- Consider encryption packages for material you want to protect, particularly if taken off-site – but seek expert advice ﬁrst.
- Take basic security precautions to prevent software or other sensitive information falling into the wrong hands. Encourage security awareness among your staff, training them not to leave sensitive material lying around and to operate a clear desk policy (i.e. desks to be cleared of all work material at the end of each working session).
- Make sure your staff are aware that users can be tricked into revealing information which can be used to gain access to a system, such as user names and passwords.
- Invest in secure cabinets, ﬁt locking doors and ensure the proper destruction of sensitive material.
- Where possible, lock down or disable disk drives, USB ports and wireless connections.
- Ensure computer access is protected by securely controlled, individual passwords or by biometrics and passwords.