Put simply,taking stock of security risks means:
- assessing the risk of your organisation becoming the target of criminals
- evaluating the consequences to the organisation if a crime is committed
- identifying realistic measures to reduce the risk or the consequences, or both
- formulating a recovery plan identifying what action to take after a crime has been committed.
The risk of a burglary where the target is petty cash is higher than that where your IT server is the thieves' prize. However, the loss of the server can have far more dramatic consequences and would justify more expensive preventative measures.
Assessing the risks
Security must cover all the risks. Those not addressed are the ones that criminals find and exploit. As budgets are often limited, the decision to commit resources must be based on a realistic risk assessment backed by hard evidence.
However, think about the consequences of crime. One company in central southern England was burgled thirteen times at roughly fortnightly intervals — each time all the chips from its computers were stolen. Eventually the company was unable to service its customers and went out of business.
Minefields
There are several minefields awaiting anyone with responsibility for security. The main ones are:
- the proliferation of laws, regulations, directives and policies that apply to any action taken regarding security. Take for example: the Data Protection Act relating to CCTV systems, the Association of Chief Police Officers' policy relating to response to intruder alarms, the imminent Private Security Industry Act (see factfile) relating to registration of people working in the security industry and even the Health and Safety at Work Act relating to bomb threat evacuation planning
- the vast range of low-tech and high-tech goods and services to choose from
- the variations in price and quality of those goods and services
- the need to establish the importance of security in your organisation from top to bottom.
Unless you have, or have access to, the relevant expertise, it may be advisable to seek advice and information on which to base your decisions.
Information sources
The police will be able to advise you on the frequency of the different crimes reported to them in your area. Each chief officer publishes an annual report that gives an overview. Contact with the local police station should also be beneficial, as there may be a crime prevention officer who can visit your premises and advise you on the risks. However, be aware that some officers have little experience or training despite the title. Other demands on police time may mean they will have only a limited amount to dedicate to you. You will have to contact each different police force, and probably division, covering the area you operate in. But, this advice is free so make use of it.
There are many experienced, reputable experts working in the security industry (and many not as reputable). They will, naturally, only give you advice on the range of products or services that their company can supply and may not be able to advise you on whether you would benefit more from, say, an intruder alarm than anti-ram raid bollards.
Security consultants will be able to provide advice across all risk areas, assist in assessing the impact of crimes, provide options for reducing both risks and consequences and provide information on suppliers. They can help write user requirements to enable the installation of equipment and the contracts for services. They can also ensure that the user requirements are satisfied.
Many consultants have financial links with security suppliers and are not independent, so care needs to be taken to select one who can give you the best advice to suit your needs. Until the Private Security Industry Act becomes fully effective even convicted criminals can set themselves up as consultants. Check the background of any individual before you let them loose on your organisation.
It is also worth making the effort to contact neighbouring businesses to learn what their experience of crime has been and to establish a method for exchanging information in the future.
Plan of Action
It is easy to let security slip when faced with apparently more pressing concerns, so it will be necessary to have an outline of what you wish to achieve and a timescale. Large sums of money are spent on security measures that do little to reduce the crime risk by concentrating on one area and neglecting others. It is worth reiterating that criminals will make use of any vulnerability they can find.
However you decide to work your way through security, there are a number of topics you will have to consider including:
- designing out crime
- training courses
- electronic security
- manned guarding.
Designing out crime can be applied to any product, service, organisation or building and simply involves incorporating crime prevention measures at the design stage. Its most frequent use is at the planning stage of any new construction or major refurbishment. If security is incorporated early enough in the design of a new building, preferably before an architect puts pen to paper, many measures to reduce the risk of crime can be included at no extra cost. It seems a pity to waste this opportunity if your organisation is considering a new build and it should be a factor that is considered when choosing new premises. Some security consultants can assist in this area, as can most police forces. The relevant officers are called architectural liaison officers (except in the Metropolitan Police where they are called crime prevention design advisers). There is a certification scheme available through the police, called Secured by Design, that is attracting increasing interest, particularly from insurance companies.
Security training may also be beneficial. A number of training companies offer security courses. Most are targeted at people working in the security industry, but there are several that would suit managers who have responsibility for security.
Electronic kit
Electronic security covers the vast range of security equipment, including CCTV, access control and intruder alarms. CCTV is a very popular way of spending considerable sums of money. Do not be fooled by a demonstration of the power of any system. It may well be able to cover a wide area and yet zoom in and produce a head and shoulders shot that could be shown in court and guarantee a conviction. However, to make full use of this power you either need someone operating the system or further devices to make the system intelligent.
The majority of systems installed simply record what the cameras are pointing at. They seldom produce images that do anything to help identify offenders, other than inform you of the number involved, possibly a guess at their gender and a very accurate time. The deterrent value of simply having cameras on your premises has reduced as increasing numbers have been installed. The technology exists to provide intelligent systems that are remotely monitored. In this form, CCTV is a very valuable deterrent and evidence gathering tool. It will be expensive and needs considerable care when deciding how the system is expected to perform. Write your user requirement before you contact any installation company. You must also remember that to stop an offence, or to catch the criminal, someone must respond to the images seen. You will have to decide who that someone will be — yourself, the police, on-site security or manned guards called to the site.
How alarmed should you be?
Intruder alarms are the most frequently used electronic preventative tool and frequently an insurance requirement. But they have their limits. An alarm is basically a number of devices which, when they detect an intruder, switch an electrical circuit on or off. This circuit is linked to a control box which, when set, enables other devices to operate. These usually make a noise, communicate to an alarm receiving centre, or both.
When a centre receives an activation notice it telephones the police. It sounds good but, beware, over 85 per cent of the calls the police receive have not been caused by an intruder. Police policy is that if your system generates three false calls in a rolling 12-month period their response is downgraded. If you reach five or more they will not respond at all.
Even with full police response the systems have a weakness. The communication chain — alarm panel via receiving centre to police control room — usually takes about five minutes to complete. The police will then take between five and 15 minutes to get to the alarmed premises in urban areas (not guaranteed), longer in rural areas. Offenders therefore have to be very unlucky to have less than ten minutes from attacking your premises until they need to escape. A lot can be done in ten minutes so, even with a good alarm, you will have to take measures to buy time and slow the offender down, for example making sure you have strong boxes around your IT equipment.
Stop! Who goes there?
Access control covers everything from a simple key operated lock to a fully integrated electronic system. Which system is most suitable for your organisation will depend on its nature and your budget. There are two basic problems with access control. First, no system is of any value unless it is used properly — even a simple lock does not work unless someone turns the key. Second, unless full height turnstiles are used, it is difficult to prevent tailgating — where an authorised entrant is followed by an unauthorised person. This is another area in which it is easy to spend money without gaining any real increase in security.
Manned guarding exemplifies the best and worst options in a single choice. No machine has yet been developed that can encompass as many variables and responses as a human. However, it is costly to employ security officers to cover all or part of the day. The return of employing such officers is dependent on the quality of the guarding company used and the individuals employed. It is one area of employment that is typified by low wages and long hours. If you outsource guarding, the direct costs are likely to increase as the Private Security Industry Act is implemented and those who have been convicted of a serious criminal offence are excluded from this role. The role of a guard can be enhanced by the careful use of CCTV, alarms and other technology. Part of the cost should be charged to other budgets if, for example, the guard performs other duties.
Poachers not allowed to turn gamekeepers
The Private Security Industry Act, which received Royal Assent earlier this year, is the first attempt to control the type of personnel who are employed in the security industry. The timetable for its implementation is not fully decided but a Security Industry Authority is being set up and anyone who operates in the sector will have to register with it. The authority will have full access to criminal records and thus will be able to exclude people who have been convicted of a serious criminal offence from registration. It will be an offence to work in the security industry without being registered, or to employ an unregistered person in a security role. This registration will apply not only to the person acting as a guard but their supervisors and managers, all the way up to the managing director. The Act will eventually cover everyone involved in security and is intended to start with manned guards and doormen. Some exceptions are already beginning to appear, such as in-house guards and intruder alarm installers, but the authority may redefine who must register.Source
The Facilities Business
Postscript
Paul Kidson is an independent security consultant for PCCD Associates and was formerly crime prevention and architectural liaison officer for the Swindon division of Wiltshire Constabulary
Tel: 01793 694257
Email: paulkidson@btinternet.com