Business Continuity Archives - City Security Magazine
https://citysecuritymagazine.com/category/risk-management/business-continuity/
News and advice for security professionals
Fri, 06 May 2022 09:21:18 +0000

The security sector and the new normal
https://citysecuritymagazine.com/risk-management/the-security-sector-and-the-new-normal/
Tue, 30 Jun 2020 07:11:47 +0000

The security sector and the new normal: protect & survive

As lockdown restrictions are slowly lifted and London’s workforce begins to emerge, Barry Dawson, operations director at Wilson James, examines the impact the coronavirus pandemic has had on the capital’s security sector and how service providers are preparing for the ‘new normal’.

During this tumultuous period all aspects of our personal and work lives have changed. The coronavirus pandemic is having obvious implications for business continuity across the entire economy, and businesses in all industries and market sectors are adapting to a very different operational landscape. Security services providers are no exception and as the lockdown restrictions begin to ease, their role in protecting people is more critical than ever.

Pole position

The security services sector is well positioned to deal with these new challenges – identifying potential risks and managing them is what we do. However, there will be some fundamental differences to how this is achieved and, with the situation changing so rapidly, companies need to be flexible, agile and quick to react. Before people do return to their offices ‘en masse’, it must be safe enough for them to do so and effective systems have to be in place. Since lockdown was first announced, forward thinking organisations have spent time training their employees so that they can hit the ground running.

This has included knowledge provision on a broad range of subjects including furloughing, self-isolation, personal protective equipment, government guidance, and the ways physical security and technology can work together successfully. For example, a building’s access control and CCTV infrastructure will play a vital part in reducing bottlenecking, ensuring social distancing is implemented and allowing one-way system strategies to operate as intended.

In addition, relatively new systems such as CCTV cameras with thermal sensing are being used to identify those people entering a building who have a high temperature – a symptom of COVID-19. Some of these systems can even remotely read multiple individuals’ temperatures and use the cloud to share data in real time with security teams to keep buildings safe for operation.

Personal touch

Initially at least, employees returning to their places of work are likely to be nervous, apprehensive and uncertain. On top of that, a place that was previously familiar may now seem alien and there is likely to be some confusion about how any new operational policies work in practice. A security team’s ability to communicate in a way that is firm but friendly, calm, focused, clear and tactful will be imperative, particularly when approaching occupants who are inadvertently contravening social distancing guidelines.

Good communication is also a prerequisite when working with clients to develop policy and operational guidance, carry out risk assessments and define business continuity strategies. By adopting a customer service and concierge-style approach, security professionals can demonstrate a level of proactivity that assists any defined objectives.

For instance, Wilson James has initiated a system for one of its clients whereby a member of its team acts as an elevator operator, who is responsible for pressing the buttons and making sure that a lift is not overcrowded.

In many respects security personnel need to be the eyes and ears of a building by monitoring whether seating and workstations are suitably distanced, if space is being utilised properly and if there are any areas where people are congregating. Employee health and safety also depends on a hygienic work environment so workstations, conference rooms, collaborative areas, cafes, reception desks and other common areas must be monitored and cleaning staff notified to take immediate action if minimum standards are not met.

Close to home

The adoption of home working and the use of video conferencing technology have been two of the standout features of the coronavirus lockdown. While it’s too early to understand the full extent of the new skills and habits we’ve developed while working and communicating remotely, it’s reasonable to assume that this will continue to some extent once lockdown is fully lifted.

Security services providers have benefitted enormously from video conferencing technology as a way to communicate with clients and colleagues, which has been highly effective in making sure that relevant personnel are up to speed with any developments. Just as importantly, it has allowed meetings to be carried out to brainstorm, share ideas, exchange best practice tips, monitor workflows, build community, reinforce organisational culture, and strengthen colleague and client relationships.

There have also been less obvious benefits. While some people have easily adapted to home working, others have not. For this group of people video conferencing has offered a welcome level of human interaction and engagement, which has reduced their sense of isolation. It has also meant that those who are visibly struggling with lockdown can be more easily identified, and action taken to monitor their mental health and wellbeing.

Next step

The coronavirus pandemic has raised the profile of security within organisations and service providers need to start planning for when people return to their clients’ workplaces in greater numbers. As the security industry adapts to the ‘new normal’ we must not forget that pre-coronavirus threats still exist and must not be ignored, while also being in a position to adapt to fundamental changes in the way we work, as well as in workplace design and operation.

Barry Dawson

Operations Director, Wilson James

www.wilsonjames.co.uk

See also Creating a resilient security operation: The Crick Institute

Getting business going after coronavirus
https://citysecuritymagazine.com/risk-management/getting-business-going-after-coronavirus/
Tue, 30 Jun 2020 06:21:04 +0000

Radar for resilience: getting business going after coronavirus

We are living in the limbo of a Before Coronavirus (BC) and After Coronavirus (AC) world. The question of how dystopian or utopian life turns out to be rests with how resilient we make UK business.

The other great limbo of life, Brexit, posed a similar question: ‘project fear’ – dystopia, or ‘take back control’ – utopia. Depending on your personal interpretation of both and Britain’s place in the world, there was an opportunity to vote in a referendum and General Election. ‘Take back control’ won.

The irony of Brexit, and for the government, is that the only thing that has taken control is a virus. Business across the UK has spent the last few years preparing resilience measures for leaving the EU; nothing was done for the resilience now required and, in fairness, neither business nor any government could be expected to have predicted the present situation. With the 75th anniversary of VE Day coinciding with lockdown, there was no criticism in the celebrations of the government of the time failing to stockpile Spitfires and radar pre-1939. The Spitfire and radar came from British ingenuity, inspiration and fortitude during a time of existential crisis impacting the whole nation, just as there is an existential crisis impacting the nation now.

The facts today are that this is not wartime Britain and the Britain of today is not the wartime population and nation it was then. The government message and what was needed at the start of lockdown was to remain at home, keep calm, carry on, tap into the stoic British character and see it through. This was the message that was needed then and it resonated with large parts of the population, especially those classed as vulnerable to COVID 19, the elderly and those of us with underlying medical conditions acutely susceptible to the virus.

In terms of business resilience, the resilience lockdown provided was to preserve and protect the workforce. This was and is now achieved – as things stand and the empirical evidence of cases and deaths in the UK appears to show, the general health and age of the workforce in the UK can survive COVID-19.

There will always be a risk of person-to-person transmission of COVID-19 and a risk of developing symptoms, just as there was a risk during SARS, Avian Flu H5N1 and Swine Flu H1N1 (according to the CDC – Centers for Disease Protection and Control – between 2009 and 2010 H1N1 infected 1.4 billion people and killed between 151,700 and 575,400 people across the globe).

The interesting difference between H1N1 and COVID-19 is H1N1 was virulent and caused deaths to younger adults and children, whereas COVID-19 is virulent and causes deaths to the elderly and those with specific underlying medical conditions.

A cautious movement out of limbo is now starting; the message from the government for business is to be ‘Covid Secure’ and conduct COVID-19 Business Risk Assessments. There are copious volumes of information on being COVID Secure, online at Gov.uk and the HSE website. The information is excellent, but the very volume of it and sometimes bureaucratic feel, can make it impenetrable and disengaging to the vast majority of business, especially SME business, the pulse of the nation.

Being Covid Secure is needed, but for someone running a business, it can be seen as a defensive and back-foot message. What is needed to get businesses back, especially to get SME business back, is a message from within the business community that businesses understand and will engage with. Businesses want to provide confidence, assurance, diligence and trust for their employees, customers and clients. They just need to be engaged with, assured, messaged and incentivised in their own business language and given a means to do it that is easy to understand.

Getting every business in the UK engaged to complete a COVID-19 Risk Assessment, and to adopt the awareness measures for controlling and managing the risk of COVID that completing an assessment provides, will create collective resilience across the country.

For the business community, in getting the UK back to business, to those they employ, and the customers and clients they serve, in reducing the impact of any future second wave transmissions, this is today’s radar.

Andy Williams

Board Director

CovidGo!

www.covidgoto.com

 

 

Resilience for SMEs
https://citysecuritymagazine.com/risk-management/resilience-for-smes/
Fri, 06 Dec 2019 08:33:41 +0000

The perfect 10: resilience for SMEs

In the UK, 5.7 million businesses have fewer than 250 employees. It can be key to their survival for these Small and Medium Enterprises (SMEs) to create coherent and effective security and resilience strategies.

What are the top tips for smaller businesses to be more resilient to threats to their people, property and assets?

  1. Understanding potential threats

The starting point should be to understand the key potential threats to your organisation. It’s difficult to put measures in place that limit the exposure to risk unless the likely sources of potential threat are identified. City centre locations, or those close to major public infrastructure such as travel hubs, hospitals or universities, are likely to be at higher risk of attack than others, for example, if only because your business might get caught up in an attack, fire or explosion from a neighbouring building.

Know your neighbours and their potential threats because they could end up being your threats too. If your organisation is involved in, or supplies products or services to organisations involved in, potentially contentious activities, including financial services, oil and gas, meat production, animal testing, arms procurement, tobacco, gambling, then you may be at higher risk than others. Understand where you sit on the threat scale and you can then plan accordingly.

  2. Carry out a comprehensive risk and threat assessment

Once you have a general idea of your threats, carry out a comprehensive risk and threat assessment. Undertaking an in-depth analysis of your activities and facilities will help you to identify the most appropriate security solutions.

Do you store a large number of high value items, for example, which would seriously threaten the continuity of your business if they were to be stolen?

Do you have sensitive manufacturing or IT equipment which needs to be kept secure? Are you in a multi-tenanted building?

Work out what’s the worst thing that could happen to your business and plan accordingly.

Also, be aware of what’s happening in the wider world and understand whether any events have safety implications for your organisation. For example, if you’re in the meat production industry and there are attacks on organisations in this sector, you may need to change your strategy and update policies.

  3. Put together a security strategy

Once you’ve identified your threats, then put plans in place to mitigate them. You may prefer to use a security consultant to help you, but it’s perfectly possible for a small business to research the various options and create a coherent and effective security strategy. You should consider a mixture of physical security – fences, gates, doors, windows – combined with security personnel – officers and even dogs – and electronic security – cameras, sensors, alarms etc. An integrated approach is the most cost-effective and most powerful.

  4. Don’t forget cyber security

Many organisations find themselves under constant barrage from hackers or phishing scams, including online systems being compromised by people purporting to be company directors extracting cash or information from employees. Hackers have even targeted building management systems and used them to access an organisation’s network. Work with your IT colleagues to devise a strategy for dealing with cyber attacks and include it in your physical security strategy. They should be completely integrated to be successful.

  5. Be discerning when procuring advice and services

If you seek advice, look for professional credentials such as the Chartered Security Professional designation, and/or membership of the Security Institute, or Association of Security Consultants. Anyone can call themselves a security consultant, so ask for references and follow them up. Likewise, when looking to employ an external security service, only use companies that are designated as approved contractors by the Security Industry Authority (SIA) and make sure that their people are licensed.

  6. Allocate the necessary budget

Make sure that there is money allocated to support the strategy. Some of the investment can be categorised as Capex and some as Opex, which may help mid-year expenditure. Ensure that security has a protected place in the budget in future years and always build in contingency – security needs have a way of changing quickly and you don’t want to be arguing about investment in the middle of a disaster.

  7. Determine who is responsible

Irrespective of the size of an organisation, someone has to take overall responsibility for security. It might be the MD’s PA, the office manager or the FD, but the person needs to know they’re in charge.  This is particularly important in the event of a fire, robbery, explosion or other emergency, as a designated person will need to manage the crisis and make sure that the necessary safety procedures are implemented correctly.

  8. Educate internal stakeholders

Everyone thinks that security is someone else’s responsibility, so it’s important to educate everyone in the organisation about their personal role in keeping people and property safe. It could be as simple, but crucial, as making sure windows and doors are locked or setting the alarm. Or people may have more complex roles in the event of an emergency. Depending on your specific risks, you may want to educate people on how to identify and respond to potential dangers. This will also give them confidence in your organisation’s ability to manage threats appropriately.

  9. Everyone needs good neighbours

It is surprising how many businesses don’t communicate with their neighbours. Sharing concerns and passing on information can often help prevent unwanted and antisocial activity, as well as help to combat bigger threats, so make sure that those in a particular area are aware of any incidents that might affect them. This includes liaising with the police and being aware of local crime trends.

  10. Don’t file your security strategy away

Once you’ve completed your security strategy, secured the budget and introduced the new way of doing things, it can be tempting to congratulate yourself on a job well done and put the security strategy in the filing cabinet. But just as you test a fire alarm on a weekly basis, you should regularly test your security strategy. Consider using a mystery shopper to test out your security procedures and see if they can gain access to your building. Don’t warn staff or your security partner first, so you can get a realistic picture of how good your systems are. Continually review what you do and how you do it and any potential intruders or attackers will move on to softer targets.

Mike Bullock CEO, Corps Security

www.corpssecurity.co.uk

See also:

Cyber security for Small and Medium Enterprises (SMEs)

A strategic approach to organisational resilience

 

 

Ensuring business continuity with decision support systems
https://citysecuritymagazine.com/risk-management/ensuring-business-continuity-with-decision-support-systems/
Mon, 28 Oct 2019 08:44:49 +0000

Ensuring business continuity no matter the threat with decision support systems

Achieving operational resilience brings many challenges in an increasingly demanding security landscape. It is key to establish a clear security strategy – aligning it with company objectives. Can decision support systems be the way forward as part of system resilience?

A complex security landscape

Firms have many day-to-day priorities – market strategy, hiring and retaining top talent, profit growth – the list goes on. However, one issue which has grown in importance in recent years is operational resilience – keeping the business and its people safe. The security landscape, and therefore the task of protecting people, is becoming more complex, and businesses need to respond accordingly in order to be successful. For example, the advent of IoT has precipitated vast interconnectivity throughout businesses, which has led to many benefits (such as quicker information sharing). However, this connectivity has also meant that both physical and cyber security concerns have become irreversibly intertwined, meaning it’s no longer enough to think of them as two separate functions – firms can be attacked from both the front and back door.

Increasing damage from cyber breaches

What’s more, it’s becoming increasingly damaging. There is an astounding amount of evidence that shows just how harmful a cyber breach can be. For instance, the Ponemon Institute produced research that showed the average cyber attack costs $3.62 million. But physical breaches can be just as costly – and often in terms of human safety. School shootings, for example, demonstrate in the extreme the horrifying outcomes which can happen when physical security systems are breached.

Aligning security and resilience

While security and resilience are undoubtedly linked, they are by no means one and the same. Security refers to the defences in place to protect assets, whereas resilience means the procedures in place before, during and after an incident. It’s vital that organisations address resilience concerns and take steps to align their people, processes and technology to aid recovery times and harden overall security. The features of good system resilience are how effective security procedures are at resolving a situation, the return to normal business and afterwards, what measures can be taken to stop it reoccurring. Crucially, the speed at which these can be done is also a key measure of system resilience. For smaller businesses these challenges aren’t always as severe, but for larger organisations – like retail centres, airports or those that operate across multiple sites – true resilience can be harder to achieve.

However, despite its business-critical nature, an EY survey of 1,400 C-suite executives showed that 77% of organisations operate with ineffective security and resilience, highlighting that many companies urgently need to reconsider their security practices.

But how can firms improve their operational resilience?

An important first step that organisations can take towards a more resilient security system is employing a unified platform, linking everything together to provide one holistic view. This provides a single place for security teams to work from, providing them with all the information they might need from across the entire physical or digital environment. The ability to access all facets of security, like access control, surveillance or cyber, in an instant provides huge operational advantages. For instance, it eliminates the need to search for information as it’s at operators’ fingertips, which drastically reduces incident resolution time. Furthermore, it also means that security teams will be less stretched when covering a large environment and can optimise available manpower.

Decision Support Systems (DSS) are another tool that can ease security challenges by collecting and qualifying data from different security devices. In the event of a security breach, this information can instantly give security teams a step-by-step guide on how they should respond to an incident. This not only reduces operator decision-making time but also ensures organisation-specific processes and compliance requirements are followed to the letter. This eliminates the potential for user pitfalls, such as false-alarm fatigue or poor decision-making. Furthermore, in the aftermath of an incident, security leaders can do a full audit of the incident and the security response – to ensure procedures were followed correctly and implement necessary training if not.

A quick resolution isn’t the only objective; a truly resilient system means that businesses’ strategies should always be evolving. By analysing data of past incidents, security teams can be more assured in future responses, such as confidently assigning resources to a specific area at different times of day, as the data demonstrates the need. Furthermore, some decision-support solutions allow organisations to review and retrace each step that went into the resolution process. Then, raw data can be exported to help organisations start building a detailed report of an incident, so that they can analyse how things were done and how they could be improved next time. By reviewing the process from incident detection through to resolution auditing, organisations are able to make predictive changes, create new best practices, plan for the unexpected, identify weak spots, determine areas that require extra staff training, and shore up defences.

The benefit of these technologies to a business’s overall strategy is undeniable. But leaders must forego lacklustre practices in favour of a more proactive approach. This will allow them to establish a clear security strategy – aligning it with company objectives and ensuring operational resilience. Ultimately, security teams must move from a policing mindset to one that promotes an integrated, comprehensive strategy powered by people, processes and technology. By fostering a strategic approach that focuses on preparation, prevention, detection, response and recovery, organisations will ultimately be as resilient as they can be.

Paul Dodds

Country Manager UK & Ireland

Genetec

www.genetec.com

See also:

Hardening physical security by Paul Dodds

Cyber security in an age of state-sponsored cyber attacks by Paul Dodds

Resilience – isn’t it just Business Continuity Planning?
https://citysecuritymagazine.com/risk-management/resilience-isnt-it-just-business-continuity-planning/
Mon, 07 Oct 2019 05:52:49 +0000

Resilience – isn’t it just Business Continuity Planning?

As rare or improbable as events might be that could interrupt your business, it is essential to invest in resilience, business continuity and crisis management planning, because it is likely guaranteed to cost much more to fix things retrospectively, once a crisis hits.

National Grid Blackout

Forty minutes, in relative terms, might not seem a particularly long period of time. Less than most business meetings. Less than maybe your workout at the gym. Less than most TV shows. But for National Grid on 9 August 2019, this caused blackouts across the Midlands, south east, north west and north east of England and Wales, seriously impacting everyone, including commuters and businesses, even long after the power was restored.

National Grid’s Operations Director said that the near-simultaneous loss of two generators was more than the grid was routinely prepared for, prompting automatic safety systems to shut power to some places. A lot of places. But even two days later, at the time of writing this, there is still no clear explanation of why it happened. Cyber attack, sabotage, wrong button pushed? We may never know.

Regardless, serious doubts and questions should be raised about their resilience. Getting the system back online was probably pretty quick; proof perhaps that their business continuity/interruption plans evidently worked. But what about their resilience in the first place?

Planning for the wheels to fall off

Having worked with many companies over the years developing Business Continuity Plans (BCP), Business Intervention Plan (BIP) and Crisis Management (CM) plans, it almost feels that it has only been quite recently that companies are actually thinking seriously about what they should be doing before the ‘wheels’ wobble, let alone spinning off entirely. I have noted that many Boards are now sitting up and paying heed to the financial implications even a momentary ‘downtime’ could have, let alone reputational impact, but that’s not to say that all of them are investing significantly into their resilience as perhaps they should.

Having a BCP, BIP or CM plan should only really act as an absolute failsafe. During the process of ‘crystal ball’ gazing, the issues should be fixed at the root, not only planned for in terms of a failure and the associated response. Sadly, the majority of companies often only realise this once a situation has occurred. I’m still more regularly called when an incident has happened and it’s a ‘clean-up’ operation. Many of these situations could have likely been prevented or avoided, with the adequate investment having been made initially. The inevitable challenge for many companies is allocating priorities and necessary investment. However, as rare or unlikely as the event might be, you can likely be guaranteed it will cost more to fix retrospectively.

easyJet fan the flames

In these ‘digital’ times the repercussions, reputationally, could also be even worse than the damage the incident actually caused. A good example of this, also this week, with easyJet. A picture was posted on social media of a woman sitting on a plane seat with no back. The company’s comms team leapt into action requesting the poster to furnish them with more information (good move) and immediately delete the picture (bad move).

Why you might ask was the request to remove the picture a bad call? Never forget sensationalism is the bedrock of social media – something the comms team would know better than most? This only fanned the flames with the poster categorically refusing, much to the mirth of others who then proceeded to repost the thread. As it turned out, this seat had been decommissioned and passengers told not to sit in it – but why let the truth get in the way of a good story (or picture).

The clawback by easyJet may have been relatively easy but how many bookings did they lose from those hovering over the booking button when they saw the picture? In peak season too.

Crisis Management

The easyJet story is an example of why a good (or shall we say bad, in this case) crisis management strategy is also essential. What could they have done? Plenty. Firstly, don’t ever try and bury it. The damage has already been done, but don’t exacerbate it. Be honest.

Be humorous and put in a ‘holding pattern’ while you investigate furiously behind the scenes. If it’s true, fall on your sword and give assurances that this shouldn’t have happened and every step will be taken to prevent it in the future. We all make mistakes but it’s owning up to them when we do that makes the difference, in my opinion.

To that end, I sometimes like to use the analogy of your car as an example of resilience, business continuity and crisis management. If you ensure your petrol tank has enough fuel, that’s good resilience. If your car breaks down, you have a vehicle recovery subscription, that’s good business continuity.  If the onboard computer unexpectedly goes haywire, and your family starts kicking off, that’s crisis management.

Will Geddes, Managing Director, ICP Group & TacticsON

www.icpgroupcompanies.com

www.tacticson.com

See also our archive of articles on Business Continuity in particular:

Security strategy: planning for risk

Strategy for corporate security: Sir David Veness

Business continuity: the need for regular assessments

Security Strategy: Planning for Risk
https://citysecuritymagazine.com/risk-management/security-strategy-planning-for-risk/
Mon, 08 Apr 2019 10:00:30 +0000

The post Security Strategy: Planning for Risk appeared first on City Security Magazine.

]]>
Security Strategy: Planning for Risk

 

This article has been nominated for the City Security magazine Article of the Year Award.

For any business or enterprise, managing risk needs to start from the beginning, or at least a point where risk realisation has not become too prevalent. After all, a key objective of any business must be to create a secure and safe environment for people to work and for the business to operate profitably.

However, too often a business’s primary focus is directed towards financial growth and sustainability in demanding markets. This is, of course, understandable and even laudable, but can mean that many businesses do not properly consider where the actual threats to their survival may lie.

Our goal as risk professionals, in whatever discipline or function we may serve, is to prepare our employers or clients to an extent where a harmful event will not lead to a crisis. We should seek to create facilities that protect our employers’ assets and implement processes and practices to respond purposefully, appropriately and effectively to an emergency. Should an emergency result in a critical loss, plans should be developed and in place that will enable business continuation.

Whilst the controls to manage risk can become convoluted, implementing the basics will go far in achieving resilience to those events that may cause harm and have the potential to lead to a crisis.

A realistic view of risk

Whilst large organisations often have the capability to invest in a risk management function – in whatever form that may be known and to whatever purpose it may serve – small to medium-sized businesses are often found lacking in this respect. In a complex market, with ever-evolving risks and security priorities, medium-sized and even smaller businesses now need to consider threats and risks that may once have been seen as the purview for larger businesses and brands.

Reputational harm, data and cyber security attacks and malicious actors are able to affect businesses of all sizes if the organisations have not properly analysed weak points and prepared for these threats. The most serious risk to any business remains the threat to its survival, and we have several recent case studies in the press of how damage may be done to businesses and brands due to lack of preparedness for a harmful event, or series of harmful events. History is rife with examples where such events eventually lead to crisis and, for some, the end conclusion is closure. In the last few months alone we have seen a number of high profile brands dealing with the consequences of malicious attacks, poor security or inadequate preparation for 21st-century threats. The consequences can be fines, legal and reputational damage and, in extreme cases, a threat to business continuity itself.

Designing for risk

A business cannot operate efficiently and effectively if its facilities and operations are not designed to protect its assets, both tangible and intangible. Designing a secured environment is a first step in creating resilience to a harmful event and this will be achieved by understanding the threats, assessing the vulnerability of the existing controls in place, and evaluating the likelihood of the threat occurring and its potential to cause harm. Risk assessments are strategic tools to analyse current risk levels, and can inform subsequent design solutions to mitigate and minimise the challenges as they are identified. Ideally, this process should also identify those critical functions that cannot suffer harm and must be protected foremost.

Undertaking an independent and comprehensive risk assessment should critically evaluate the controls in place at a business’s facilities. A quality assessment should provide a good understanding of the level of risk present and, undertaken holistically with other areas of risk consideration, will guide where risk focus is best achieved whilst giving a good understanding of the present vulnerabilities. Events that have the potential to cause harm need to be recognised as early as possible to enable a considered and appropriate response.

Preparing for risk as inevitable

A risk that has been identified but has not been countered with a prepared response or solution has not been mitigated. Once again, comprehensive risk assessments can advise businesses where statistical threats are more likely to penetrate, or can suggest areas for immediate investment or attention. The implementation of emergency and business continuity plans and response procedures is crucial to ensure that the right level of attention is enabled when and where it is needed.

However, between malicious actors, human error and ever changing threats, the business that does not consider and prepare for a ‘worst case scenario’ is doing itself a disservice.

Unfortunately, a documented process alone does not suffice to enable an appropriate response to an emergency. The emergency and business continuity planning process should also include training exercises where those with responsibilities in the response activities are continually educated, exercised and tested. Furthermore, provisions and processes should be put in place so that all staff are aware of them, and know what to do, in an emergency. The importance of situational awareness cannot be overstated, and this can be achieved through incident alerts and notifications, the monitoring of known or specific threats, and horizon scanning above others.

What is true across the industry is that our approach to risk must continue to become more complex because the threats we face are themselves more complicated than they have ever been. Businesses that are not factoring risk assessments and continuity planning into their security strategy are leaving themselves exposed to more subtle but sinister threats which may pose a greater threat to the sustainability of their brand in the long run. Crises may never become 100% avoidable, but in planning for risk correctly, we can help ensure that they are not business-fatal.

Gavin Wilson, Head of Risk Advisory Services, Wilson James

www.wilsonjames.co.uk

See also:

The Security Industry in 2019 by Gavin Wilson.

Customer service skills are not just ‘nice to haves’ Gemma Quirke, Wilson James.

Quality security strategy for business continuity https://citysecuritymagazine.com/risk-management/business-continuity-security-strategy/ Mon, 29 Oct 2018 05:00:10 +0000

Business continuity overcoming adversity

In order for a business to be successful in the face of any type of adversity, it is essential that comprehensive contingency plans are in place from the word go in order to ensure business continuity.

In today’s world, the threats facing businesses are varied: from cybercrime to fraud and the ever-present concern of terrorism. Risk management is therefore an essential part of any business model. Some of the key elements that make up effective risk management are explored here.

Reviewing security strategies

In an unpredictable world, it is very important that businesses are taking the time to review their security strategies, policies and plans on a regular basis, not just in response to current threats. Anticipating a range of events can help in the development of a multi-level response plan that will enable the business to continue to function regardless of the threat.

One way of achieving this is by assigning responsibilities to a few key people within the business, particularly those on a senior management level. These individuals should be up to date with all contingency plans and be able to direct personnel efficiently following an incident.

When assigning responsibilities to a specific group of employees, it can be wise to have them undertake specified training courses on crisis management. These courses can help personnel enhance their existing crisis management skills and teach them valuable new methods that can be instrumental in the development and implementation of a successful incident response structure.

Training

The training available is extensive and can cover all aspects of incident management, such as risk assessments, security surveying, continuity management and disaster recovery. However, it is essential that the training is delivered by a reputable training provider with professional, qualified tutors who have real world experience of the industry.

As well as seeking the assistance of a qualified training provider, it can also be good practice to engage with a security consultant in order to assess the various risks the business is facing. An outsider’s perspective can be very beneficial, as often it can be hard to identify all of the potential risks from within the business. The services offered by security consultants are wide-ranging, including threat and risk assessments, security audits and reviews, security policy, procedures, strategy and management, crisis management and business continuity planning. Being able to adequately identify its risk register is one of the most important steps in preparing a business for the future; working closely with a qualified security consultant can be a helpful aid in ensuring the register is as comprehensive as possible. When considering the various risks, it is also important to consider other companies that are involved with the business. For example, if a company is looking to go into business or merge with another company or individual, it can be considered best practice to carry out necessary due diligence checks in order to expose any possible liabilities. Security consultants can carry out a risk assessment of the potential business partner in order to determine the level of due diligence required.

Finding red flags

Subsequent due diligence checks can uncover details of a company’s management, financial information, performance, suppliers, clients and history. Once all the data has been collected, it must be thoroughly verified and validated by someone who is objective – such as the security consultant – who can then properly evaluate the data and identify any red flags.

These red flags can help build the risk register of the corresponding business and will aid the business, and security consultant, in developing plans to mitigate those risks. This will also help identify whether or not the new business relationship is too high risk to continue.

As mentioned, remaining one step ahead of the game is important when crisis planning; this is especially true in relation to cyber security. Cyber criminals are regularly finding new ways to carry out attacks, with the repercussions of a cyber attack having huge financial and reputational impacts on a business. As such, it is essential for businesses to be prepared when it comes to cybercrime, taking the time to develop cyber policies and strategies and training staff effectively to ensure everyone is vigilant with cyber security in the workplace.

Security consultants can assist in the development of cyber policies and can also carry out penetration testing of a business’s networks in order to ensure that the protection already in place is adequate to challenge ever-advancing cyber threats. The testing can also identify any weaknesses in the network and address them where necessary.

Quality

Generally, when implementing security strategies for the sake of business continuity, the importance of quality should always be a key factor. It is essential that those responsible for procuring security products and services for their organisation only enlist the help of a trusted, professional provider who meets the necessary British and European standards.

Members of the BSIA are all inspected to rigorous criteria and offer a professional service. To find out more visit: www.bsia.co.uk/home.aspx#

James Kelly

Chief Executive, British Security Industry Association (BSIA)

www.bsia.co.uk

Business continuity: the need for regular assessments. https://citysecuritymagazine.com/risk-management/business-continuity-assessments/ Mon, 17 Sep 2018 06:00:25 +0000

Business Continuity – A never ending story

Business Continuity: two very simple words, but lift the lid on its meaning and there are a host of considerations and challenges for those responsible for delivering business continuity in the commercial world.

A quick check on the internet defines Business Continuity as the capability of an organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Message received loud and clear, but I prefer the colour brought to the subject of Business Continuity planning by two well-known quotes: “He who fails to plan, plans to fail.” “Planning is bringing the future into the present, so that you can do something about it now.”

Recent history tells us that reputation and market share can quickly be eroded following an inadequate response in the wake of a period of disruption; and very often those disruptions can come from the most surprising of incidents – whether it’s extreme weather, such as the recent run of hurricanes in the Caribbean, or the cancellation of thousands of flights due to poor management of pilot rotas and staff shortages. We are very aware of the threat of terrorist and criminal attack but there are many types of interference that can quickly bring businesses to their knees. Fires, floods, strikes and all manner of accidents can turn a normal business day on its head. So how should your business prepare for the worst?

The first step is to carry out, or engage professional advisers to undertake, a full continuity assessment. This should cover everything from mapping every specific critical business function to training staff on how to react to various types of threats against the business. Following The Centre for the Protection of National Infrastructure (CPNI) guidelines, which are an invaluable resource in their own right, any business continuity plan should consider:

  1. Resilience: critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions, for example through the use of redundancy and spare capacity;

  2. Recovery: arrangements have to be made to recover or restore critical and less critical business functions that fail for some reason.

  3. Contingency: the organisation establishes a generalised capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.

Mapping critical functions and assets

The first part of the assessment is a complete mapping of the specific critical business functions and key assets. As well as identifying these key areas, the assessment should determine how they are used and how they could come under threat. Recovery times and alternative working methods will need to be considered and established for each vital area.

Disaster recovery planning often has to consider terrorist threats or environmental disasters. Whilst considering these threats, any specialist equipment that might be required to help prevent such disasters should also be considered. This could include equipment such as cabinet x-ray mailroom scanners, which assist staff to identify weapons or explosives before they enter your building.

Once the assessment has been carried out, the next step is to identify the optimal method for restarting the business after an interruption. This could be from a separate co-location site or from the existing location. Plans will need to be put in place to replace key assets quickly. Where a co-location is selected, it should have the same security measures as the main site, for example, CCTV, Access Control, front of house X-ray scanning and postal scanning and metal detection products.

Once the mapping information has been gathered and the best possible recovery methods for the business have been determined, a bespoke Business Continuity Plan (BCP) can be implemented.

Staff must be fully trained to ensure they understand the plan and can implement their parts successfully. This could include the use of supporting IT tools and the logistical arrangements in place to implement the plan. Senior level support and sponsorship for this training is imperative and it must be a regular fixture in your organisation’s training calendar.

The plan should be regularly tested, reviewing every aspect, to check whether the plan actually works. Are there any gaps in arrangements? Are staff fully prepared? Is there anything more you can do to make your organisation more resilient?

Testing your plan and training staff can be achieved through business continuity exercises. A desktop exercise is where you talk through the response to a fictitious incident, with groups and individuals sharing their knowledge and understanding. Or it could be a live scenario-based exercise, where people take on their roles and respond as an incident unfolds. It is crucial to identify the lessons learned from these exercises and incorporate them in your plan.

Once the Business Continuity plan has been assessed, implemented and tested, those responsible can then turn to one final relevant continuity quote: “Plan to be better today, but don’t ever plan to be finished.” Unfortunately, the very nature of Business Continuity means that those responsible can never rest on their laurels.

Jason Wakefield

Sales Director, Todd Research

www.toddresearch.co.uk

Critical assets for business continuity and risk management https://citysecuritymagazine.com/risk-management/business-continuity-critical-assets/ Mon, 20 Aug 2018 07:44:59 +0000

Critical assets for business continuity and risk management

In an ever-changing world with traditional and new threats to business continuity, the security function is critical in mitigating and managing those risks. 

Business continuity responsibility reaches across most areas of a business, and all staff have a role, directly or indirectly, in ensuring its success. It is a fundamental objective for any security team. Evolving and emerging technologies are enabling companies to deliver more efficiently and effectively against business continuity objectives, using technology and people to the best effect.

CCTV is a good example where markedly improved functionality in terms of image capture, storage and retrieval and automated alerts based on pre-determined algorithms free up security staff to focus less on time consuming monitoring, and more on the value-added tasks of analysis and deduction – essential activity in identifying areas of risk and pre-empting threats.

As the technology and the skills required to deliver a security service evolve, it is important the highest standards of professional and technical competence are maintained. For example, the latest version of the NSI code of practice for companies approved for the design, installation and maintenance of CCTV surveillance systems – NCP 104 Issue 3 – concentrates on ensuring users’ requirements are accurately understood, interpreted and embodied in system design, and operation.

The code forms a part of the basis for NSI approval of installers, as well as the basis of the certificate of compliance issued on system commissioning signifying due consideration has been given to the threats faced by an organisation in the delivered solution design.

From a CCTV monitoring and analysis perspective, the NSI code of practice for the provision of control room services – NCP 107 Issue 2 – is a framework to be applied by operators ensuring the highest standards through specified training requirements. It sets out that operatives new to the role of monitoring and analysis be assessed for competence within three months of employment against relevant criteria relating to the duties they perform.

Closer working relationships between commercial security providers and law enforcement agencies means the role of the security officer is fundamental not only for protecting an immediate site or premises, but as a source of information, often in real time, that is safeguarding the community.

For example, many security officers, particularly in the City of London, are trained in the national counter terrorism awareness initiative, Project Griffin. Security managers are the focus for guidance issued by the National Counter Terrorism Security Office on managing increased threat levels. The guidance can be used as part of an escalation plan during a rise in the threat level.

SOCs (Security Operating Centres) are another example of how the blend of technology and people can work exceptionally well. SOCs gather data and information using a range of services, including web crawlers, and employ experts in intelligence analysis, operational understanding and communication. SOCs are a valuable asset in the security toolbox, helping organisations to benefit from an intelligence-led approach to security. They often serve as the communications hub for crisis management, helping with informed decision making and deploying resources to return the organisation to a ‘business as usual’ state as quickly as possible.

Businesses can assess to a large degree how security suppliers are able to achieve these high standards through scrutiny of the approvals held specifically for the services offered. Approvals are important as a recognised means of establishing integrity, technical competence and effective management in service delivery. Part of the NSI Gold audit covers the quality management standard ISO 9001, which itself covers business risk assessment. Although there is no specific requirement for a business continuity plan (covered in BS EN ISO 22301:2014), compliance with this approval does signal value.

This is particularly important given the Greater London Authority assesses that up to 73% of small businesses do not have a business continuity plan in place. Often these are the very businesses forming part of longer supply chains for larger organisations.

Security management and business continuity are interdependent and part of an integrated whole that delivers broad effective security.  The security team is best placed in terms of physical security for the assessment of risk, deterrence and prevention of breaches, preparation and readiness to respond, and finally support post-incident recovery. They are at the heart of reducing and managing risk, protecting assets and people, adding value on which it is impossible to put a price.

Richard Jenkins, Chief Executive

National Security Inspectorate

www.nsi.org.uk

Business continuity plans: A step-by-step guide https://citysecuritymagazine.com/risk-management/business-continuity-plans-step/ Fri, 13 Jul 2018 07:11:59 +0000

Bringing your business continuity plans to life

“No plan of battle ever survives first contact with the enemy.” Helmuth von Moltke, German military strategist.

Insert the words ‘business continuity plan’ (BCP) and ‘real life incident’ into this quote and it would still hold true. In fact, not only do most business continuity plans not survive first contact with a real life incident, but many BCPs are not even looked at when an actual incident occurs.

I was recently facilitating the desktop simulation of a significant business disruption incident for a client in which the scenario was that their entire data network appeared to have been compromised. This was the once a year test of the business continuity plan; the organisation’s top team sat around the table and they had a hard copy of the plan in a grab bag in the room in which the exercise was taking place. As soon as the scenario was put to the team they leapt into action, securing their IT network, considering the impact on the business and making alternative arrangements. All very commendable, but it was not until almost three quarters of the way through the exercise that any of them actually picked up the BCP and looked at it.

That seems very strange, doesn’t it? Why go to all the trouble and expense of drawing up a business continuity plan, appointing a business continuity team, testing the plan on a regular basis, and then not actually using it, even in a simulation exercise, let alone in the white heat of a real incident?

Human decision making

Actually it is not strange, or even surprising, at all. The science of human decision-making (popularised by US psychologist Daniel Kahneman in his seminal book ‘Thinking, Fast and Slow’) teaches us that even in non-stressful situations human beings will make non-rational choices based on their intuitive responses to presenting situations. The effect is multiplied in situations of extreme pressure such as a catastrophic business disruption event.

Kahneman argues that human decision-making is often based on a set of intuitive mental short cuts (heuristics) that can lead us in the wrong direction. The so-called ‘availability’ heuristic is particularly relevant, being related to judgements about the probability of an event based on how easy it is to recall other similar events. So research shows that business continuity managers almost always overestimate the real likelihood of their business being the subject of a terrorist attack, because it is so easy to recall examples of actual terrorist events, such as the 9/11 attacks in New York.

A business continuity plan is critical

Given that a well thought out and well tested BCP is critical to the chances of an organisation surviving a major business disruption without fatal damage to its operations or reputation, what could be done to bring the plan to life in a real incident and persuade the business continuity team to intuitively turn to it and pick it up?

The most important thing you can do is to make your business continuity plan salient, so that it is more likely to be directly relevant to the incident at hand. The scenario put to my client represented one of the highest threats on their corporate risk register, but it was not specifically addressed in their BCP, so when the desktop incident kicked off they did not intuitively turn to the plan for help.

Disruption threats

As with the heightened perception of terrorist events, there is often a significant disconnect between the potential disruptions that are expected and those that actually happen.

According to the Chartered Management Institute 2013 Business Continuity Management Survey, the top three perceived disruption threats amongst managers were loss of IT (63%), loss of access to site (53%) and loss of telecommunications (52%).

The same managers reported that actual disruption events they had experienced were extreme weather (54%), loss of people due to illness (42%) and loss of IT (40%).

Step-by-step to business continuity

This salience can be achieved through the following steps:

Step 1 – Be prepared to review and restructure your BCP, so that it is a living document which is easily accessible and useable in the chaotic few moments when your incident is launching.

Step 2 – Build up a wide-ranging library of possible business disruption scenarios relevant to your own organisation.

Step 3 – Break the business continuity plan down into a set of specific tasks, each with clear ‘how to’ instructions.

Step 4 – Provide a range of multi-media assets that can support the ‘how to’ implementation of your BC tasks, such as video and audio files, process maps and contact lists.

Step 5 – Customise the response to each of your scenarios by identifying the tasks necessary to respond to that particular disruption event.

Step 6 – Allocate each of those tasks to a nominated member of your BC team in advance.

“There cannot be a crisis next week. My schedule is already full.” Henry A Kissinger

Having gone through these steps, you should then put in place a regular programme of engaging with your business continuity team, to create what I call ‘Responsive People’.

By engaging with your team on a regular basis, making them aware of their responsibilities and keeping track of how quickly they respond to regular BC messages, you can identify and build a team of ‘Responsive People’ who will be primed to act, and intuitively refer to the plan, when a real business disruption event takes place.

Rickie Sehgal

Founder of Crises-Control

www.crises-control.com
