The threat is still present

 The terrible terrorist attacks that took place on Christian churches and hotels in Sri Lanka in April were a wake-up call to anyone who thought that the military defeat of ISIS on the ground in Syria heralded the end of the global terror threat from that particular organisation.

The terror attacks on the Muslim community in Christchurch, New Zealand, were another rude reminder to those who thought that only ISIS provided a threat of this nature. The truth is that the threat from terrorist attacks was present in many locations around the globe long before ISIS was created and will continue to exist even when that organisation has faded from memory.

A new and noteworthy feature of both the New Zealand and Sri Lanka attacks is the impact that they had on social media in those countries. The Christchurch incident was, of course, notoriously live-streamed on Facebook by the attacker. This led to condemnation of Facebook itself for its slow response to the unfolding events by the government in New Zealand and the possibility, subsequently raised by the company, of self-imposed restrictions being placed on who can livestream on the platform.

All social media was suspended

The Colombo attacks led to the immediate suspension of all social media in Sri Lanka by the government, on the grounds that it could be used to spread panic, fake news and possibly incite further violence in the country. Facebook, WhatsApp, Snapchat and Instagram were all among the platforms that were suspended for more than 48 hours.

One impact of this suspension was to hinder families and friends in their search for information about loved ones who were missing. Facebook Safety

Check was just one of a growing number of free social media emergency tools that was affected by this decision. Another impact was to prevent companies who use social media to communicate with their employees during critical events from being able to contact them.

Why free tools are risky

Relying on free social media tools, such as WhatsApp or Facebook, for your critical communications is a risky business. Here’s why:

• Free tools, such as WhatsApp Groups, lack administrator control over what happens to the information that is shared via the application. Any media attachments, suchas videos, are downloaded as default to all user devices and can easily be shared outside the platform.
• This is a seriously risky business if you are sending anything that you would regard as confidential. WhatsApp makes a big deal of its end-to-end encryption, saying that not even they can see what messages you are sending. But this security function is completely bypassed if someone is forwarding on your messages outside your control.
• You also need to consider what could happen to your data if any of your group users loses their device or has it stolen.

Neither you nor they can remotely disable their WhatsApp account away from the device on which it is held. Only WhatsApp can do that themselves upon receipt of a request. Even if the SIM is disabled, the WhatsApp account can still be accessed using wi-fi. This means that you are reliant on every user within your group acting promptly to notify WhatsApp. If they act at all, most people will simply disable the SIM, which leaves all of the messages, media attachments and contact data from the group account accessible on the compromised device.

• Free social media tools are not built to the scale needed for corporate communications. Although WhatsApp has now increased the maximum limit on group numbers from 100 to 256, this is still clearly not enough for most enterprises when you consider the need to contact not just employees, but suppliers and customers as well. The only way around this is to create multiple groups, which quickly becomes both impractical and inefficient.
• Tools such as WhatsApp lack enterprise grade administration. This means that they have no administrator portal to ensure easy roll-out to all employees, no monitoring of traffic on the platform, no enforcement of company-wide communication policies, no user management, no corporate user support, and they lack comprehensive access control and compliant archiving.
• Even when these social media platforms are working they lack enterprise class security and administration. But if you are relying on a communication tool that has the possibility of being suspended by national government in the wake of a major incident, as happened in Sri Lanka, then you really are putting all your eggs in the wrong basket.

Enterprise grade security and administration

As a tool for talking to your friends, or even your work colleagues about low level non-critical issues, WhatsApp is a great free tool. We all use it! But if you are thinking about translating that personal use into critical business communications, please think again. It has not been designed as an enterprise application with enterprise class security and administration. To provide these functions is expensive and does not fit into the freemium business model.

There are critical communications platforms on the market that provide enterprise class security, administration, do not expose the business to unacceptable data security risks and utilise multi-channel communications that can guarantee the critical message gets through, even when one channel such as social media gets suspended. If you do not use them then you could be risking a loss of contact with your employees at a critical moment.

Shalen Sehgal

Managing Director, Crises Control

www.crises-control.com

The post Free tools and critical communications don’t mix appeared first on City Security Magazine.

The National Police Chiefs’ Council has just taken the unusual step of releasing a video advising citizens what to do in the event of an armed terrorist attack in a public place. The four minute video, called ‘Run, Hide, Tell’, advises what to do in the event that you are caught up in a firearms and weapons attack, and advises that you should first of all run if you can; if not, then hide and tell someone what is happening to you.

Specifically they advise:

• RUN to a place of safety. This is a far better option than to surrender or negotiate. If there’s nowhere to go, then…
• HIDE. It’s better to hide than to confront. Remember to turn your phone to silent and turn off vibrate. Barricade yourself in if you can. Then finally and only when it is safe to do so…
• TELL the police by calling 999.

I want to consider what steps employers can take in advance to improve the safety of their team during an attack on a crowded or public place. Since the Paris attacks, almost every client that I talk to mentions the issue and they have one concern above all else. That is to be able to know where their employees are in the field at all times and to be able to contact them to check if they are safe and need help.

I have talked to a global media organisation, a City-based financial intelligence agency and a US investment fund in recent weeks. All three had staff in Paris at the time of the attacks and were thrown into a panic by not being able to contact them with the mobile phone networks under severe strain.

Social media in a terrorist attack

Of course, social media can come into its own in such situations. Moments after the news broke about the attacks, Facebook activated its Safety Check feature for Parisians to reassure friends and family that they were safe. The system, first used earlier this year during the Nepal earthquake, targets users it knows to be in or around the affected area and asks them to check in and confirm that they are safe.

Whilst Facebook Safety Check can be a fast and effective way to reassure family and friends you are safe, and is ideal in a natural disaster scenario, there are some issues with it for work use. Many people see Facebook as a place for family and friends, rather than work, and will not want work colleagues to access and view their pages, so they may well resist signing up for the app.

Another, more serious, issue is the problem with identifying your physical location on social media during a terrorist attack where there are armed insurgents looking for victims to shoot. There may be privacy settings in place, limiting the post to your own contacts, but you could be potentially broadcasting your location in a public arena. Once you have told dozens, or even hundreds, of people where you are, you have lost control over what they do with that information. Some of them may well pass it to others, including the mainstream broadcast media to use as part of the developing story.

In fact, during the recent Paris attacks, reporting of what was being shared on social media was restrained by the broadcast media in the light of what happened after the Charlie Hedbo attack. There media companies were accused of endangering hostages by broadcasting their location based on information posted to social media. One company was even reportedly sued as a result.

Mobile apps

A more appropriate workplace tool would be one of a number of emergency mass notification mobile apps that are on the market. These apps provide a secure private network that can track an employee’s location using GPS and receive a message from them using a combination of e-mail, SMS and push notification. This vastly increases the certainty that a message will get through, even if the mobile network has crashed. If they are not getting in contact themselves, then a message can be sent to them, which they must acknowledge if they can. All of these functions should still work if the mobile phone has been turned to silent and no vibrate, as the NPCC suggests.

If you are looking to procure one of these apps you should make sure that they have a number of features that are vital in an emergency situation:

• The app must use SMS, e-mail and push notifications, to ensure that the message gets through even if the mobile phone network is down.
• The app should also have a GPS tracking facility so that you can see where each employee is physically located if they are unable to acknowledge your message
• The app should require an acknowledgement from the message receiver before the message can be closed.
• The app should be cloud hosted with a secondary backup data centre, to ensure its resilience in the event of an incident that takes out the local power supply.

Such an app will usually provide a dashboard, so that a company can keep track of all of its employees that are in a danger zone on a single screen and manage the situation in a controlled manner. And the location of an individual is only being broadcast within the private company network. A company can set up all of its field team on the app in advance and put in place a protocol for employees to follow.

This protocol is likely to insist that all employees must have GPS tracking turned on at all times when in the field. It should also dictate that if they become involved in an incident they should follow the advice from the NPCC to run, hide, and they must also establish contact with their company using the app as soon as they are in a safe place.

Richard Barnes

Consultant, Crises Control

Former Deputy Chair, Metropolitan Police Authority and Chair of the London

Resilience Forum.

www.crises-control.com

The post Advice to employees caught up in a terrorist attack appeared first on City Security Magazine.

CRISES CONTROL

An easy-to-use business continuity mobile app and mass communication tool that delivers crisis control in a box.

T: +44 (0) 20 8584 1385

E: support@crises-control.com

W: www.crises-control.com

The post CRISES CONTROL appeared first on City Security Magazine.