How Should Organisations Respond to Elevated Terror Threat Level?

Photo: Archivey, under CC3.0

The Government has advised businesses to review their security plans in light of the increased security threat level from international terrorism, but what does this actually mean.

Many organisations have a security risk management strategy; however, most do not have a scalable response that is influenced by the Government threat levels.

The simple response for most organisations will be to do nothing; however, to do so blindly may have negative consequences that, at their extreme, could result in complete business failure.

To identify what you and your organisation can do and whether you need to do anything at all, you should start by carrying out a review of your security Threat and Vulnerability assessment. It may be that this hasn’t been carried out for some years so a thorough review and revision will help to identify any additional threats that you, as an organisation, may be exposed to.

It is important to identify the ‘what’ and then to explore the ‘how’ to fully develop your mitigation programme. We run workshops entitled ‘Think like your attacker’ and it is this approach that you should adopt when carrying out your threat and vulnerability assessment.

For most organisations, a robust security stance designed to combat ‘general’ security threats will also serve to mitigate the risk of terrorist-borne threats; however, regular reviews are essential to ensure that stance is maintained.

Once your threat and vulnerability assessment is complete you can move on to carry out a security risk assessment. This will help you identify the level of risk faced and, in turn, identify whether there is anything additional needing to be done in consideration of the raised security threat level.

Asset pillars

Below is some guidance on the development of a threat assessment which can be used to inform the security risk assessment process.

The starting point is to create or review your asset register and categorise your assets under what are sometimes referred to as the four asset pillars, i.e. People, Physical, IP and Processes. It is stressed that you cannot design a solution without knowing the problem and, from a security perspective; in a similar vein, it is impossible to develop a security strategy without defining the threat.

Asset prioritisation should be documented as part of your threat and vulnerability assessment and a unique identifier should be attributed to each asset category and/or class.

Each identifier should then be considered from a threat identification point of view to establish the vulnerability of the asset and the type of attack that is likely to be carried out against it. Our advice is to think big and think bold. The likelihood will be dealt within the security risk assessment so even if there is a very small chance that the type of threat will be perpetrated – consider it.

The threat that you face as an organisation will be intrinsically linked to your assets. This is true for all types of threat but even more so from a terrorist perspective. Terrorist attacks are motivated by one or more objective. Most recently, Islamist extremist originated terrorists have had mass casualty objectives which mean that most organisations would not be at ‘direct’ risk from a terrorist attack, i.e. they themselves will not be targeted.

Having said this, it is important for organisations in dense urban areas to be aware of their proximity to potential terrorist targets as they may be used as an attack vector against the other target. Participation in police led engagement and communication strategies are essential to understanding your overall risk profile. You may also want to consider your customer base and identify whether any of these may expose you to greater risk.

It is only when you know the type of threat that faced, that you can then consider how to mitigate against it and, more crucially, whether you need to.

It may be that you do nothing, look to invest in blast film for your glazing, implement a screening policy, or introduce Hostile Vehicle Mitigation (HVM) measures. Whatever you choose to do, it should be commensurate with the level of risk faced and your operational requirements should be established long before you design, procure and install the system.

Having considered your security response, it is suggested that you review your Business Continuity plans as these are more likely to be tested than your security strategy should an attack take place. Mass casualty attacks have previously targeted transport links which, should they be attacked again, will have a direct impact on your ability to operate at full functionality.

An attack near to or outside of your premises will also have a significant impact on your ability to function. Have you identified your mission critical areas, determined how quickly you need to return to functionality, and established procedures for this? Does your communication strategy include communicating with your workforce so as not to put them at risk in the event of an attack? Are your BCM plans regularly reviewed to ensure they comply with your security requirements? Have you recently tested your plans?

A well informed, well tested and well communicated continuity plan will ensure that your organisation responds efficiently to any major event and returns to critical functionality as quickly as possible.

Listen to the IFSEC Insider podcast!

Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

Listen to the podcast today