IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
November 30, 2001

The architects of security

Important security lessons arising from disasters are very often missed by the Boards of UK companies. Whether or not your own organisation has been involved, there’s a very strong case for reflecting upon what impact such dramatic incidents as bomb blasts might have on your company’s business – and whether more thought and energy could be given over at senior level to creating an environment that both minimises risk and maximises corporate well-being.
The simple fact is that, whether the incident in question involves a terrorist bomb, fraud, intrusion or industrial espionage, the corporate response to security is invariably a knee-jerk reaction. It’s for this reason that attention to security issues is often labelled as a ‘disaster sale’. Why? Simple. It’s reactive when it should be proactive.
For too long now businesses have paid scant attention to anticipating security problems before they occur. For the most part, confusion wedded to ignorance pervades the world of corporate security. Clearly, there is a need for greater understanding about the subject itself, and the risks involved. The objective is clear: it is the creation of a safe, secure and efficient corporate environment that contributes to any company’s success and corporate image.
For this reason everything – including the company building(s), the security systems installed and the staff employed – must be carefully planned beforehand.
The 1992 amendments to the Health and Safety at Work etc Act 1974 require employers to safeguard their staff against everything from a cut finger through to canteen fist-fights and acts of terrorism. Equally, codes of practice relating to corporate governance – such as the Turnbull Report – require that companies address operational as well as financial risk.
The first message the Board of Directors should understand, then, is that security is now very much an integral part of corporate planning. It is vital to staff welfare, morale and – ultimately – profits. The second message is that security covers a complex range of issues, all of which demand very careful consideration.

Risk assessment and building security
The starting point for securing your business has to be the risk assessment. How can any security manager hope to address all of the subsequent security issues without this valuable document?

The effectiveness of strategic security planning, policy provision and the introduction of workable, targeted security systems are all diminished if they are not responding to identifiable threats or risks.
Why is it, then, that some businesses – particularly those with no dedicated security manager – ignore the risk-based approach to security? We are all used to carrying out health and safety risk assessments, so why not security risk assessments? Without the latter, the end result is likely to be an ineffective security system with inefficient targeting of resources, additional and unnecessary cost plus exposure to ‘intangibles’ (such as corporate reputation and litigation).
When it comes to building security, over the past few years companies have taken the protection of assets like equipment, staff and information far more seriously. Most firms have now installed CCTV on their premises, although this is often in the hope of preventing security incidents from arising in the first place. When such incidents do occur, companies find that they don’t actually have the necessary procedures, policy and equipment in place to respond effectively. A scenario that can be avoided with judicious planning.
An example of ill-considered security is the current tendency for managers to purchase expensive and sophisticated CCTV systems without eliciting expert advice on the best methods for installation. State-of-the-art, ‘mission control’-style banks of monitors may look very impressive, but just how effective are they? Of the thousands of video tapes supplied to the police for evidential purposes, only an embarrassingly small percentage can actually be used in court.
The basic problem is that, post-installation, very rarely is sufficient attention given to Home Office guidelines for the management of video evidence, maintenance of the hardware or even the basic re-alignment of cameras should this be necessary. Where expert advice has not been sought, the tapes are invariably unusable due to poor pictures resulting from problems with lighting, the incorrect positioning of cameras or simply a bad lens selection.
Another tendency is to fill the control room with monitors, but then only employ one officer to keep an eye on all of them. If this is the case, you can expect crimes to pass by unnoticed. Don’t expect to see a successful prosecution.
When planning building security, most security professionals will automatically think not only of CCTV, but an effective access control system and some form of perimeter protection. Try thinking of security issues that don’t just involve the ‘breaking-and-entering’-style thief. Think of other types of crime instead. Think ‘insider’ as well as ‘outsider’. Your planning will then begin to take shape.
Involve your Human Resources Department in the whole process, so too health and safety executives, IT and facilities managers. If they are consulted at the assessment stages the security manager will then be able to spot the weaknesses in current security provisions and pinpoint what needs to be improved.
Where possible, garner expert advice on security systems and their design. Watch out, too, for all the legal pitfalls. When restricting or controlling access, monitoring public areas or installing systems remember to follow all the current codes of practice and laws – including the Data Protection Act 1998 for CCTV systems, the terms and conditions of which came into full effect on 24 October (‘Process… and be damned’, SMT, September 2001, pp42-43).
Unquestionably, there is a need to raise the level of security awareness throughout a company’s organisation – a process that demands the involvement of the Board members themselves. Ultimately, it is they who must set policy. And it is to them that security issues should be routinely reported.

Determining a security policy
Your company policy on security must be clearly communicated to all members of staff as every individual has a part to play in its successful implementation. Where necessary, staff should be given the necessary training commensurate with their responsibilities.
Security policies extend in various forms to all members of staff, whether through IT security, post room procedures or visitor access. A member of staff innocently loading a virus-infected disk on their PC can cause just as much damage to the business as any terrorist. Clear policies on behaviour in the workplace, as well as procedures covering purchases and sales can aid the discovery and prevention of internal fraud and violence in the workplace.
Always remember that good policies provide the checks and balances which could be the early warning system to much bigger crimes.
Many companies make one fundamental error. Having installed their physical security systems, firewalls and virus detection software, written their security policy and determined reporting procedures, they feel they’re adequately covered against most serious threats. If companies do give a second thought to the enemy within, it’s usually only based on how much they feel they can trust an employee – very rarely is it based on research.
Very few of the larger Blue Chip organisations check the background and experience of those they are about to hire. Why not? If you were about to hire a nanny or a home help to come into your home you’d want some authentication, proof of suitable training and references to substantiate the reputation of that given individual. How is it, then, that most companies will invite people into their offices, offer access to their company information, supplies and staff solely on the strength of how they performed in a 30-minute interview or what they may have said about themselves on a Curriculum Vitae? In most cases, your business cannot afford to hire the ‘wrong people’.

Proving the point
In May this year it was reported that the troubled Marks & Spencer retail chain hired a security advisor to investigate the leaking of sensitive documents and sales figures on account. A process that was harming staff morale throughout the company, at the same time leading to another sharp fall in profits. The investigation demanded that all staff at the company’s head office in London’s Baker Street be interviewed to find the rogue employee.
Back in January, foods giant Kraft sued over an attempt by a rival to steal trade secrets about a new pizza base recipe. The $1.75 billion market for frozen pizza bases was the matter at issue, Kraft alleging that Schwan’s Sales Enterprises had hired a double agent and a freelance corporate intelligence agent to discover the secret of Kraft’s rising crust frozen pizzas. According to Kraft, the freelance agent posed as a reporter, a food researcher and then subsequently as a manager in order to solicit the necessary information.
This strategy apparently worked. The company then argued in court that even a “slight advantage” in the marketplace could mean millions of dollars of lost sales.
Third, a recent report by the Computer Security Institute in San Francisco blames disgruntled employees for $378 million (£259 million) in damage to property or fraudulent claims identified by US firms in 2000.
Security managers should never fall into the trap of thinking about fraud purely in terms of individuals siphoning off millions of pounds out of others’ accounts, or selling on trade secrets to their company’s competitors.
Think of all those thefts from the supply cupboard, missing laptops secretly taken home and those employees pretending to work when they’re actually doing other things.
Often we think of moonlighters, but all those handing in worksheets for hours spent surfing the net for private use are committing fraud. All of those hours are effectively stolen company time, and should be seen as a theft of manpower as much as they are bad for morale.
Who wants to work alongside someone who is being paid the same salary but does nothing all day, especially when the security manager turns a blind eye?

Jack Welch – the newly-retired chief executive of General Electric, and the man credited with turning the $12 billion per year turnover outfit into a $530 billion worldwide conglomerate – thinks that a happy and efficient workforce was the key to his success.
Welch recently addressed selected managers at an Institute of Directors seminar, and said: “Your employees know more about what’s going on in your company than you do. The day you learn to understand that will be the day that you cross the great divide. Employees know who is shirking, and they hate it if management looks the other way.”

This policy of vetting all employees should extend to suppliers and, in some cases, the clients as well. Since those you have dealings with are not governed by your own internal company policies, you should be aware that they may also not be as reliable or trustworthy as your own members of the security team.

Carrying out security assessments
Vital to any security plans should be regular audits and reviews. After all, how do you know that you have the right security design in place?

When drawing up your objectives for improving security, always factor in assessments. Most companies carry out appraisals for employees, and most will also conduct fire and evacuation test procedures. How many, though, conduct security penetration audits and assessments? It’s often only when a security alert occurs that companies realise there are gaps in the security arrangements and procedures, or indeed a lack of any company policy to cover them.
The other common mistake to make involves warning everyone that a test will take place. As seen only recently with the scheduled evacuation of One Canada Square (more popularly known, of course, as Canary Wharf Tower), many people used the lifts as a means of escape because they knew it wasn’t a real danger situation, while others chose to be ‘out of the office’ for the whole time.
Tests and audits must be carried out in a natural environment. People will usually react differently when they’re put under pressure, as indeed will the building equipment.
For those enlightened company directors who realise the importance and seriousness of good security management, well-qualified advice can significantly reduce the harm that may be done to a business and its reputation. Many also view the need for an annual company security audit in much the same way as a financial audit. There is much to be gained by a regular review of security measures. At the very least, the assets and future of the company will then be properly safeguarded.
In light of the tragic events that unfolded Stateside on 11 September, no-one should remain naive about the environment in which we now live. The threat to security is greater than ever before. Protecting your company’s assets against the myriad risks out there requires expertise, sound knowledge and experience. Any advice you make use of must be objective and totally independent of internal management pressures, while still taking into account the security needs specific to each individual department within the firm.
The overall solution, however, is not to be found in the Yellow Pages or at your local crime prevention office. Obtaining qualified and professional advice is an investment requiring nothing less than careful research.
A sad comment on today’s world though it may be, security is an ever-present issue that affects us all. Get it right and there is no need to panic, even in the face of terrorist activity. With well-established, sensible security measures and contingency plans in place, your company can protect its business and continue to operate with the minimum of disruption.
