Summary
There is a huge focus on cyber security, and rightly so, but what about the physical security for people and the buildings in which they operate?
While many Sentinel readers will be well versed in cyber security threats, that knowledge should not come at the expense of other security threats and hazards in our businesses, warns Stu Wallace, Head of Security Risk Management at Inverroy Crisis Management.
Stu, a former Royal Marine, joined Inverroy just before the pandemic hit and brought additional security-focused skills to the team as the firm aimed to expand its business throughout the UK and overseas. “With Inverroy having strong crisis management and business continuity expertise, it made sense to have a security team as well,” explained Stu.
With a strong energy specialism, the organisation has increasingly been working with clients in Africa, South America and the Middle East. “With the perceived higher risk of working in these regions, many of our clients said, ‘tell us about your security services’,” said Stu. “By bringing a team of people with backgrounds in the police, military and academia together, we have a diverse knowledge base to draw from.”
To improve security resilience, Stu recommends that businesses consider their:
- Corporate security
- Intelligence and information reporting
- Travel risk management
- Overseas security management
- Business assurance.
With security threats on the rise, it’s essential for businesses to be prepared for potential risks and crises. “It’s important that a business’s people, assets and operations are protected. A lot of companies send their employees abroad with varying risk mitigation strategies and some with no mitigation plans in place at all. So, it is vital to assess their risk tolerance and ensure that they have a journey management plan.”
Travel presents an elevated risk when people are faced with unfamiliar situations and environments. Depending on the level of threat, businesses could require anything from a bespoke travel risk assessment to business assurance officers, protection officers and monitored vehicles and drivers. “The security threats have always been there,” explained Stu, “but people are more alert to the threats now and they are being exacerbated by world events that stem from political idealism and the need for money. Leadership teams need to be more aware of these threats and plan accordingly.
“There was a recent incident in Bogota where people were assaulted and the company involved was transparent about the situation in an effort to warn others. There are always lessons to be learned and with social media and local news agencies, there is nowhere to hide. That means that it is often the business’s reputation that is at stake if something goes wrong – a kidnapping or carjacking, for example. But, much more important, is that we are talking about people’s lives.”
Security threats do not arise only when employees travel. Inverroy collaborates with senior leadership teams to identify security risks and foster a culture where security is seen as a business enabler, not a hindrance. This might mean designing security management plans and systems or embedding security staff into an organisation.
Stu said: “If there are security plans in place, we can evaluate them and offer guidance. A lot of companies want site audits when they have moved into new premises and building security ensures that people are safe at work. But while many organisations are savvy to cyber security as a threat, the biggest risk to them can be their people.
“An insider who has or had access to an organisation’s resources, including personnel, facilities, information, equipment, networks and systems can cause a great deal of harm. As victims of social engineering, they could be involved in corporate espionage, unauthorised disclosure of information, extortion, blackmail or violence. So, it is vital that companies have a great vetting process and have the right people in place. With companies competing for the best people, it comes down to knowing your employees.
“Everyone has a life outside of work and, with working from home more prolific, they increasingly have the tools to cause damage. Ignorance is no excuse and businesses should not pay lip service to this. Strong leadership and integrity is an important part of building the right culture for a secure and resilient business.”
Stu acknowledged that many organisations may not have a specialist security manager in place and that security may come under the health and safety manager’s remit. “Security is a very broad term. It encompasses our work and home environments and, with that, people need education and reassurance to play their part. We can help with that education and help organisations understand the security risks and become more resilient.”
WORLD SECURITY REPORT FINDINGS
Commissioned by Allied Universal and our international business G4S, the World Security Report offers a look at the concerns of 1,775 Chief Security Officers (CSOs) from large companies in 30 countries.
In the findings, CSOs share the internal and external security threats they have faced in the last 12 months, and whether they expect to experience more or less of them again in the next 12 months.
Read the report: www.worldsecurityreport.com/key-findings
PREVENTING INSIDER THREAT
Statistics from the National Protective Security Authority, which provides physical and personal security advice to help businesses take proportionate steps to protect themselves against national security threats, demonstrate that organisations are still badly prepared for potential acts of ignorance or maliciousness by their employees when it comes to an insider threat.
- 28 per cent of insider incidents took place outside of normal working hours.
- 24 per cent of incidents happened from a remote location.
- 60 per cent of organisations do not have a plan to manage insider risk appropriately.
An insider threat is a security risk that manifests from inside your organisation. Your employees, contractors and third-party suppliers all have the potential to become an insider threat. These people have access to your organisation’s systems, network and information. They could maliciously or accidentally release the sensitive information of employees and customers, causing significant damage to your company’s reputation and bringing about intense regulatory scrutiny.
However, the financial route is only one route that can be travelled. During the Cold War, there were physical security breaches through espionage and spying but now, with conflicts in the Middle East and Eastern Europe, the new challenge for governments and businesses is the growing cyber threat.
Good practices to assist in your planning:
- Hire the right person – Check right to work, confirm identity and carry out pre-employment screening.
- Establish the role – Assign computer and building access and discuss security policy.
- Provide reviews – Face-to-face progress reviews and assess the work-life balance.
- Consider remote working – Assess environment and devices, consider scheduled days on site.
- Manage contractors securely – Personnel security clauses in contracts and audit compliance with security policies.
- Be there when they need you – Question changes in behaviour and establish a process for employee reporting.
Find out more at www.npsa.gov.uk/reducing-insider-risk