Revealing current levels of concern over terrorism issues, the large numbers of security professionals attending two dedicated conferences on the topic at this year's IFSEC Exhibition showed the high level of interest among end users in developing counter-terrorist strategies in conjunction with the police and local Government.
The very fact that security managers' interest in counter-terrorism issues has not waned post-September 11 was shown to be prescient in the wake of recent high profile arrests of Al Qaeda suspects amid alleged plots to explode a radioactive 'dirty bomb' in America and carry out suicide bombings against UK warships in the Straits of Gibraltar.

With hindsight, the even-more-recent bomb attack on the US Consulate in Karachi served to strengthen the warning given at IFSEC by David Veness – assistant commissioner (specialist operations) with the Metropolitan Police.

As chairman of one of the two terrorism conference sessions run in conjunction with the National Terrorism Crime Prevention Unit, Veness stated: "The public has been lulled into a false sense of security. Last Christmas you could almost detect a collective shrugging of shoulders, a sense that Al Qaeda had been eliminated and that there was never going to be another attack." He added: "It's my belief that we're between attacks. One only hopes that next time it will not be as horrific as last September. Another atrocity could only be a matter of months away. The biggest challenge facing security professionals at the moment is the management of complacency."

Counter-terrorism strategies
The National Terrorist Crime Prevention Unit, which became operational in January 1998, was set up to help security practitioners in their task. Working closely with the Metropolitan Police's own SO13 Anti-Terrorism Unit, its functions include helping to design-out the harmful effects of explosions by minimising the impact on buildings and reducing the severity of injuries. The unit is run by Brian Howat, who reports directly to Veness.

Howat told Security Management Today that he wants to build on initiatives like the joint venture project between the Royal Institute of British Architects and the police-run Secured By Design scheme. Launched in December 2000, it trains architects in the design of safer, crime-free urban buildings and their surroundings.

Addressing the end users at the conference, Howat stressed: "The terrorists are showing a growing disregard for human life, and have done since September 11". Nationally, police counter-terrorist strategy is focused on activities including high visibility preventative policing, community reassurance and safety, high quality investigations, the introduction of counter-terrorism protective security and prevention techniques (working in conjunction with the private security sector) and pre-emptive, intelligence-driven operations – an area in which Howat reports there has been a "massive change".

Howat added: "Significant intelligence networking is now occurring both in the UK and around the world. In Britain, for example, the City of London police service is financing the provision of information being passed to security managers of high profile companies who may be affected. Meanwhile," he continued, "hospitals, local authorities and the police are working together to minimise the impact of any future chemical, biological, radiological or even nuclear attacks. We're not in the business of panicking people. We're just being realistic about what's feasible."

Examining terrorism trends post-September 11, Howat noted that simultaneous spectacular attacks have been occurring, with calendar dates sometimes being specific to them (witness the heightened security Stateside for last month's 4 July Independence Day celebrations). There has also been a move towards civilian and economic targets, as well as a growth in novel attack methods.

That said, the UK is still viewed as a tough target for the terrorist community, who prefer to seek softer targets abroad.

Strategies for fighting back
Specific, practical advice on combating the terrorist threat was the theme of Howat's fellow speaker Bob Holmwood of SES Strategies (a company specialising in business continuity planning and risk assessment). Holmwood focused on security policies and procedures, describing them as "the glue that binds together your security staff and systems".

Holmwood said: "Policies define what personnel, assets and business processes are to be protected and to what degree, while procedures define how to protect those resources and processes. Security policies provide a framework on which to build your security culture. Procedures define the detailed actions required for a wide range of specific incidents, while offering a quick reference in a time of crisis." He added that security policies ought to be as concise as possible.

According to Holmwood, the following key policy areas should be addressed: access control, physical security, personnel security and information security. To achieve the security strategy outlined by the security policy, key security procedures will have to be detailed and defined. These include assignment instructions and CCTV management plus information security, network connection and search/incident management procedures.

The senior partner at SES commented that a major principle behind security policies centres on who has access to a building or an area. Holmwood suggested adopting a segmented level of access to third parties. Trusting some of the people some of the time is a satisfactory compromise, he added, while access should be granted in relation to business needs. Both physical and technical controls can be used to ensure that this trust is not violated.

Ironically, security officers and cleaners/maintenance staff will generally have access to most (if not all) parts of a given building at night, and can bring their own bags in or out. In view of that fact, Holmwood stressed that the "very highest staff screening procedures" be applied prior to employment.

When determining the level of security control required, culture will play a major role. Top management commitment for the agreed security policies is a requirement, since if the policies are supported from above they are much easier to implement lower down.

In conclusion, Holmwood emphasised the importance of security managers devising a search plan for their company's premises. "A well thought out strategy might allow your staff back into the building as little as one hour after a bomb threat," said Holmwood, "but without any planning it may take as long as six hours before anyone is allowed back to their desk."

Terrorism and the Law
The theme of contingency planning was continued by solicitor Mark Scoggins who discussed the legal position with regard to terrorism and the terrorist threat. Pointing out that organisations have a duty of responsibility (in line with the police and intelligence services) when an incident occurs, he urged security managers to measure their current strategies against the law and be prepared to defend their processes and decisions. "Your obligation under the law is to try, but there is no obligation to succeed," said Scoggins.

Importantly, Scoggins went on to state that: "Don't forget that you can't insure yourselves against fines levied by the Health and Safety Executive. These come straight off your bottom line. The average level of the Executive's fines has been going up, too. I fully expect the first £5 million fine to hit an organisation will occur before the year is out."

Scoggins stressed that the Government intends to criminalise breaches of Health and Safety legislation (the number of prosecutions has been rising by 25% per annum in recent years). The concept of individual liability (defined under Section 7 of the Health and Safety at Work Act 1974) would apply in circumstances where, for example, an individual is found not to have taken reasonable care over a situation involving a bomb threat or a suspicious package.

Security managers in the audience would have done well to take note of Scoggins' assertion that there is a "discernible trend" towards "reversing the previously rare examples of individuals being prosecuted."

Measures for protection
Risk assessments have been a legal requirement since 1993. Regulation 3 of the Management of Health and Safety at Work Regulations 1999 describes the obligations of employers, pointing out the need for a review of any assessment if there has been a major change in any of the areas to which it relates.

In a stark warning to all security professionals, Scoggins added: "Security managers should have reviewed their procedures for terrorist incidents in the wake of last September. If not, they may have become indefensible in a Court of Law."

Crisis management in context: evacuation strategies revisited at the BBC

The reality of a terrorist bomb explosion was related to the IFSEC Conference delegates by Eddie Halling, head of security and investigations at the BBC, who described how the world famous broadcasting corporation coped with the effects of last March’s detonation of a 20 lb car bomb directly outside Television Centre in west London, writes Ian Drury.

Television Centre houses much of the BBC’s critical broadcasting facilities, and contains eight TV studios. Up to 7,000 staff work there, while an average of 1,300 guests and visitors show up on a daily basis. Overall, the BBC is responsible for 24,000 employees and 580 buildings across the UK. Eddie Halling and his 12-strong security team – responsible for protecting the company’s physical assets, property and members of staff – are assisted by manned security contractors, facilities management contractors and security consultants.

Halling recalled the events of last March, when a red taxi was parked with its lights left on outside BBC Television Centre. Bought 24 hours earlier by members of dissident republican group The Real IRA, its deployment followed four coded bomb warnings issued on 3 March. These were given to a hospital, the Samaritans, a hotel and a newspaper, three of them subsequently finding their way through to the Metropolitan Police.

An attempt was made to disarm the taxi bomb by way of a controlled explosion carried out by a police robot ‘disrupter’, but it was unable to destroy the terrorist device. The bomb subsequently exploded at 00.27 h on 4 March. No injuries were caused to BBC staff – 400 individuals were evacuated from the site before the incident – although a London Underground worker at the nearby White City tube station on the Central Line was hit by flying glass. Neither was there any serious structural damage to the building, despite the all-too-obvious severity of the blast – a wheel from the taxi landed on the roof, six floors up.

The success of continuity planning
“We had plans in place for such an incident, yet it caused utter chaos,” said Halling. “We had 30 minutes notice, but even the police’s own plans were thwarted when the robot failed to deal with the bomb”. As the front of the building contained a lot of glass, and was also an area where a considerable number of staff were working, this was evacuated first. News broadcasting was moved to other facilities.

Despite the disruption, Halling recalled that positive outcomes resulted. “We kept the bomber on the outside of the premises, a lot of the glass remained in place and no staff were hurt.”

In the aftermath of the explosion an incident team was formed, comprising duty facilities managers who maintain operations and liaise with police and BBC staff. The team also identifies priorities, such as resolving the potential conflict between the police need to preserve ‘scene of crime’ evidence and the BBC’s interest in reoccupying areas of the site. Parts of the building were back in use within two hours of the blast, though police continued to use parts of the damaged area as a crime scene for 3-4 days.

Other actions taken by the team included ensuring the building’s structural integrity and investigating potential contamination of the water supply and air conditioning plant. The team also dealt with the 1,000 workstations damaged by the blast, and glass-riddled furniture. Halling told the conference how the incident team and corporate human resources personnel handled communication issues such as reassuring staff about future security and Health and Safety at work.

Among the lessons learned from the incident was the need to revise evacuation procedures. The BBC security team has now identified improved escape routes for staff, and parts of the site it could use as internal safe areas. Rehearsals for incidents have been stepped up, too, while Television Centre’s fabric protection has also been strengthened. The specification of the vulnerable glass now includes higher bomb resistance.

Continuity planning for retailers: a case study of Marks & Spencer

Delegates at the IFSEC Conference also heard from Trevor Partridge – head of business continuity at Marks & Spencer – who shared details of the major High Street retailer’s emergency and major incident management policies. The after-effects of a bomb explosion are not alien to Partridge, who recalled the 1996 terrorist attack in Manchester which significantly damaged the city’s commercial core – including one of Marks & Spencer’s major outlets.

“80% of those businesses which suffer a major incident and don’t have any form of contingency planning in place cease trading within 18 months,” said Partridge. A sobering thought.

Mindful of the potential threats to its branch network (comprising 600 stores across 30 countries), the company has put in place a detailed incident management policy. This is focused on the underlying commercial priorities of continuing to distribute merchandise, pay suppliers and staff, maintain financial control and provide a seamless service to its customers. The company’s criteria for a major incident scenario are predicated on members of staff having sustained injury or death, with property having been damaged (making occupancy untenable) and business systems being non-operational.

Marks & Spencer spends £25,000 each year on a major test exercise, as part of which the Samaritans are employed to telephone the company’s major incident centre posing as distressed relatives. Journalists will also be hired to call the centre and test the company’s media strategy. As Trevor Partridge rightly pointed out: “Our procedures are about as rigorous as they can be.”

Partridge added that the retailer had learned its limitations from past experience. “We can never prevent an incident from occurring,” he said, “but we can minimise the effects. We can help to deal with the effects, and that will inform all situations based on a worst case scenario.” Partridge suggested that the escalation of an event’s severity rises rapidly, often turning an unusual occurrence into a manageable problem within around two hours. However, left beyond three hours a given incident could turn into a crisis and, eventually, a major incident.

Partridge then cited the required evacuation of one of the company’s south east London stores after the discovery of an unexploded World War II bomb. Re-occupation of the building was out of the question for three days. Problems encountered included confused staff and visitors, with the arrival of various suppliers and their deliveries compounding the situation still further. A direct result of this occurrence is that the company’s incident preparations now identify whether its most important resource – the employees – both understand what they have to do when a major incident takes place, and that they know what to expect before an incident occurs.