After the attack in October last year and the events this year in Paris, Sydney, Kenya and Copenhagen, Parliament Hill in Ottawa is undertaking a scenario planning exercise to consider their response to a whole range of possibilities, going from the “lone wolf” attack to a well-planned assault such as the one against Charlie Hebdo.
I think that their approach of using scenario planning as part of the risk assessment and strategy is good, although doing this before an attack is, naturally, better.
Are you confident that your organisation’s building security plans are adequate?
Theft and sabotage
Whilst terror attacks are still a reality for today’s enterprises, the odds of one occurring in your building are fortunately fairly long. Theft and sabotage, however, are a far more likely scenario.
Building security has perhaps never been more important than now – the physical premises, the people who work there and access to secure areas within the building.
In his article “Anatomy of a hack”, Chris Nickerson describes how he was able to gain access to a corporate site and compromise their entire network, while their staff looked on and joked with him. Fortunately for the company, they had paid him to check their vulnerabilities. The core weakness was their physical security, but their staff were also not alert to potential threats.
You can read the full story here.
This process of gaining people’s trust to get them to do what you want is called social engineering. Here are some of the ways a scammer might go about this:
- Being friendly with the security guard or receptionist to convince them that he is a fellow employee or a trusted outsider, then gathering information over time and gradually working towards his target.
- Learning the corporate language and other company cultural behaviours so that others believe he is an insider.
- Borrowing the company ‘on hold’ music, so that when he calls he can put the caller on hold, play the music and make the caller think he is internal.
- Phone number spoofing, so that the caller ID appears to show an internal call.
The antidote is to educate all employees about the dangers, and to consider the human aspects when scenario planning for an attack. Despite the threats made against Charlie Hebdo, it does not appear that the employees were prepared. In the synagogue in Copenhagen, however, the children had taken part in security drills and knew what to do when the time came to get them out of the basement.
The cornerstone of Ottawa’s planning is to not let the attacker get inside the building. Easier said than done, especially in commercial premises. Whilst by no means exhaustive, some key areas to consider are:
- Using the perimeter to prevent vehicle access – walls, barriers, retractable bollards at vehicle entrances.
- Having as few entrances as possible.
- Policies regarding visitors.
- Putting in additional measures for secure areas, e.g. server rooms and remote data centres.
Against this you need to weigh the financial cost of any additional measures, the potential disruption to operations and the reactions of employees.
The risk element
When looking at security, it is unlikely you can ever plan for every single eventuality. Even if Charlie Hebdo had the highest security systems known to man, how would they have fared against a demand for access with a gun pointed at the employee and her young daughter?
It comes down to the organisation’s overall risk strategy: the measures taken should be aligned to it at every stage, from the analysis of needs, through the scenarios, strategies and training, to a fully coordinated approach with outside contractors.
If you bring together your security experts and your risk management experts, you can review your current strategy to ensure it is adequate. If there is more to be done, you can then develop revised plans for the new risks we face, both from criminals armed with ever-improving technology and from extremists.