With hindsight, the even-more-recent bomb attack on the US Consulate in Karachi served to strengthen the warning given at IFSEC by David Veness – assistant commissioner (specialist operations) with the Metropolitan Police.
As chairman of one of the two terrorism conference sessions run in conjunction with the National Terrorism Crime Prevention Unit, Veness stated: "The public has been lulled into a false sense of security. Last Christmas you could almost detect a collective shrugging of shoulders, a sense that Al Qaeda had been eliminated and that there was never going to be another attack." He added: "It's my belief that we're between attacks. One only hopes that next time it will not be as horrific as last September. Another atrocity could only be a matter of months away. The biggest challenge facing security professionals at the moment is the management of complacency."
Counter-terrorism strategies
The National Terrorist Crime Prevention Unit, which became operational in January 1998, was set up to help security practitioners in their task. Working closely with the Metropolitan Police's own SO13 Anti-Terrorism Unit, its functions include helping to design-out the harmful effects of explosions by minimising the impact on buildings and reducing the severity of injuries. The unit is run by Brian Howat, who reports directly to Veness.
Howat told Security Management Today that he wants to build on initiatives like the joint venture project between the Royal Institute of British Architects and the police-run Secured By Design scheme. Launched in December 2000, it trains architects in the design of safer, crime-free urban buildings and their surroundings.
Addressing the end users at the conference, Howat stressed: "The terrorists are showing a growing disregard for human life, and have done since September 11". Nationally, police counter-terrorist strategy is focused on activities including high visibility preventative policing, community reassurance and safety, high quality investigations, the introduction of counter-terrorism protective security and prevention techniques (working in conjunction with the private security sector) and pre-emptive, intelligence-driven operations – an area in which Howat reports there has been a "massive change".
Howat added: "Significant intelligence networking is now occurring both in the UK and around the world. In Britain, for example, the City of London police service is financing the provision of information being passed to security managers of high profile companies who may be affected. Meanwhile," he continued, "hospitals, local authorities and the police are working together to minimise the impact of any future chemical, biological, radiological or even nuclear attacks. We're not in the business of panicking people. We're just being realistic about what's feasible."
Examining terrorism trends post-September 11, Howat noted that simultaneous spectacular attacks have been occurring, with calendar dates sometimes being specific to them (witness the heightened security Stateside for last month's 4 July Independence Day celebrations). There has also been a move towards civilian and economic targets, as well as a growth in novel attack methods.
That said, the UK is still viewed as a tough target for the terrorist community, who prefer to seek softer targets abroad.
Strategies for fighting back
Specific, practical advice on combating the terrorist threat was the theme of Howat's fellow speaker Bob Holmwood of SES Strategies (a company specialising in business continuity planning and risk assessment). Holmwood focused on security policies and procedures, describing them as "the glue that binds together your security staff and systems".
Holmwood said: "Policies define what personnel, assets and business processes are to be protected and to what degree, while procedures define how to protect those resources and processes. Security policies provide a framework on which to build your security culture. Procedures define the detailed actions required for a wide range of specific incidents, while offering a quick reference in a time of crisis." He added that security policies ought to be as concise as possible.
According to Holmwood, the following key policy areas should be addressed: access control, physical security, personnel security and information security. To achieve the security strategy outlined by the security policy, key security procedures will have to be detailed and defined. These include assignment instructions and CCTV management plus information security, network connection and search/incident management procedures.
80% of those businesses which suffer a major incident and don’t have contingency planning in place cease trading within 18 months
The senior partner at SES commented that a major principle behind security polices centres on who has access to a building or an area. Holmwood suggested adopting a segmented level of access to third parties. Trusting some of the people some of the time is a satisfactory compromise, he added, while access should be granted in relation to business needs. Both physical and technical controls can be used to ensure that this trust is not violated.
Ironically, security officers and cleaners/maintenance staff will generally have access to most (if not all) parts of a given building at night, and can bring their own bags in or out. In view of that fact, Holmwood stressed that the "very highest staff screening procdures" be applied prior to employment.
When determining the level of security control required, culture will play a major role. Top management commitment for the agreed security policies is a requirement, since if the policies are supported from above they are much easier to implement lower down.
In conclusion, Holmwood emphasised the importance of security managers devising a search plan for their company's premises. "A well thought out strategy might allow your staff back into the building as little as one hour after a bomb threat," said Holmwood, "but without any planning it may take as long as six hours before anyone is allowed back to their desk."
Terrorism and the Law
The theme of contingency planning was continued by solicitor Mark Scoggins who discussed the legal position with regard to terrorism and the terrorist threat. Pointing out that organisations have a duty of responsibility (in line with the police and intelligence services) when an incident occurs, he urged security managers to measure their current strategies against the law and be prepared to defend their processes and decisions. "Your obligation under the law is to try, but there is no obligation to succeed," said Scoggins.
Importantly, Scoggins went on to state that: "Don't forget that you can't insure yourselves against fines levied by the Health and Safety Executive. These come straight off your bottom line. The average level of the Executive's fines has been going up, too. I fully expect the first £5 million fine to hit an organisation will occur before the year is out."
Scoggins stressed that the Government intends to criminalise breaches of Health and Safety legislation (the number of prosecutions has been rising by 25% per annum in recent years). The concept of individual liability (defined under Section 7 of the Health and Safety at Work Act 1974) would apply in circumstances where, for example, an individual is found not to have taken reasonable care over a situation involving a bomb threat or a suspicious package.
Security managers in the audience would have done well to take note of Scoggins' assertion that there is a "discernible trend" towards "reversing the previously rare examples of individuals being prosecuted."
Measures for protection
Risk assessments have been a legal requirement since 1993. Regulation 3 of the Management of Health and Safety at Work Regulations 1999 describes the obligations of employers, pointing out the need for a review of any assessment if there has been a major change in any of the areas to which it relates.
In a stark warning to all security professionals, Scoggins added: "Security managers should have reviewed their procedures for terrorist incidents in the wake of last September. If not, they may have become indefensible in a Court of Law."
Crisis management in context: evacuation strategies revisited at the BBC
Continuity planning for retailers: a case study of Marks & Spencer
Source
SMT
No comments yet