DECEMBER 8, 2015
The near-future threat environment is (conservatively) at its highest level since 9/11. The Paris attack was “the perfect storm” that many of us in the security industry have been predicting would occur while hoping it would not. This was a pre-planned, coordinated, simultaneous soft-target attack in a Western capital by perpetrators who wanted to die. The desired result (besides the shock and loss of innocent life) was achieved when the instigators essentially shut down an entire country for a span of several days. This scenario and result are now in their “play book” and there is very little standing in the way of this set of actions being repeated either domestically in America or abroad.
The investigation into the San Bernardino tragedy is still evolving. Whether or not this is ultimately proven to be a pre-planned and directed attack doesn’t diminish its impact or the risk associated with those inclined to self-radicalization acting out in a shocking and violent manner towards a soft target.
These incidents also demonstrate that the terror threat is no longer segmented to the actions of outside parties.Employees of a company can actually be compromised and become the instigators of an attack.
Those responsible for the protection of private-sector assets should be either launching the following measures or (if they are already in place) be bolstering their current posture across several key mitigating strategies:
- Implementation of a Predictive Intelligence Model – Monitoring of enterprise risk through the monitoring of security systems will not help in the evolving threat environment. Neither will reliance on some form of notification of a potential threat impacting your business from a governmental agency or law enforcement personnel. Only an individual company understands their own unique global footprint, the current status of their mobile assets and the ramifications that an attack and its subsequent denial of services will have on their business. Government threat information is just one type of “feed” that needs to be monitored in a forward-looking environment where country risk data, social media intelligence, company-specific asset locations, civil unrest / local government instability and credible threats to a specific brand or market sector combine to portray a more accurate and focused picture of potential evolving threats.
- Institute a Cyber-Readiness Campaign – From a terroristic context, a well-defined and implemented cyber-readiness campaign will allow for the periodic testing and exercising of mission critical systems and functions while being subjected to cyber-attack simulations. The cyber-readiness campaign should be viewed as “launching a set of probes” within the business ecosystem at any given time to report back the “measure of protection score.” The ultimate goal of the cyber-readiness campaign is to ensure that proper protection and controls surround the corporation’s key assets (e.g. people, process and technology), while minimizing or nullifying their exposure to unauthorized access. The cyber-readiness campaign should be comprised of testing routines that illustrate the “predictive, quality-of-service and reactive” cyber capabilities of the corporation.
- Implementation of a Well-Balanced Reaction Model – The time to develop and deploy your reaction plan for an incident which could have enterprise-level impact to your organization is not after this type of incident has occurred. The specific threat and impact scenarios that can have a catastrophic effect on your company need to be identified and developed now, and the reaction and response protocols need to be created then vetted, practiced and drilled utilizing professional tabletop exercises. Only when your response personnel understand the dynamic and chaotic environment they will be working in when reacting to a crisis on this level will they be able to perform effectively when an actual incident occurs.
- Hardening your Soft Targets – We cannot make our facilities and personnel impervious to attack. We can, however, implement prudent measures to make fixed assets less vulnerable and mobile assets better educated to decrease their vulnerability to identified threats. To the extent possible, assessments of current physical security measures implemented at fixed facilities should be undertaken to ensure the measures currently in place are functioning at their intended level of protection and they are actually deployed in a manner to counter current threats. There was a massive uplift in the deployment of physical security measures in the years immediately following 9/11, but many of these measures have either been removed from their initial deployment or removed from the design of new facilities. Standards of protection should be refreshed and locations should be assessed for compliance with these updated standards. Mitigation measures vary widely from industry to industry and by in-country location of facilities so a “one size fits all” checklist approach should be avoided. In regards to mobile assets, means should be established to determine the current location of personnel; their imminent travel plans and their safety status should an incident occur. Each employee should know how to interact with the corporate security function when booking travel; be notified they may be heading into a heightened threat environment; and know what to do if they feel threatened and how to connect with assistance immediately if they find themselves in an affected location subsequent to an attack. Active shooter awareness and reaction training programs should be updated and employees should be informed of their response and evacuation protocols should such an incident occur.
- Heightened Threat Level Anticipation – We’ve moved away from the old “Green, Yellow, Orange, Red” threat level barometer. This doesn’t mean we won’t receive notifications that are either location-specific or industry-specific that a credible threat is imminent. Now is the time to establish and document your Tiered Protocols that will take effect when your facilities or personnel become the potential target of a specific threat vector. How will you secure your lobbies? What level of visitors will be allowed access? What types of events will / will not be allowed to occur? These are all stratifications of your current defensive posture that will need to be enhanced based upon the severity / credibility of the threat. These Protocols are more than documents. They may require the pre-positioning of protection assets prior to actual escalations. If you’ve determined you will need to screen visitors to a certain facility type with a magnetometer if you receive a specific type of threat, you don’t want to be shopping for these devices the day the threat occurs and waiting a week (while you close the facility to visitors) for them to arrive.
The internal resources to perform these critical tasks in a fast-paced and effective manner will be difficult to repurpose for these initiatives. Internal teams have an increased level of core business responsibilities during times of heightened threat and security awareness. Finding external resources to outsource these tasks should be performed in a measured approach. As security-related incidents hit the news there will always be a new crowd of “experts” offering their solutions to solve the current challenges. Potential providers should be vetted to ensure they have the experience, proven deliverables and global reach to be able to add value to the process improvement program.
I work with corporate security executives with global responsibilities across a wide range of markets including software, finance, data centers, energy, pharmaceuticals, commercial real estate, healthcare and manufacturing. All of these market sectors are affected by the increase in the global terror threat level as these executives seek to apply prudent countermeasures to manage the risk to their people and facilities and to implement protocols that can allow them to anticipate threats and recover from the widespread business disruptions these heinous acts cause.
My intent in passing on this information is not to be alarmist. The alarm has already sounded. The new reality is that our principal antagonist in the terror arena has found a low-risk attack scenario for their eager network of followers to participate in, and this network is more widely deployed and motivated than any that we’ve seen in the past.
I’m looking forward to the feedback I receive from this post and I’m willing to help any of you who may be faced with these tasks in finding the right resources to develop and deploy the countermeasures you require.
Matthew V. Wharton
serves as president for the Guidepost Solutions Security and Technology Consulting group and oversees its core services: cyber security, system design and project management, global command and control centers, security assessments and managed services. He is a career security professional with more than 30 years of experience leading security consulting and integration firms.