Define Your Threat
“To be prepared, you must first define your threats and then move to counteract them.”--Fuqua and Wilson
The first step to take in your threat assessment is to determine the vulnerability of your business. Perhaps the most important factor to consider is its location. Terrorists’ primary targets are businesses that are either located in or owned by Israel, the U.S., and Great Britain, respectively. Terrorists are also more prone to strike closer to their base of operation, putting both the Middle East and Europe at increased risk. Terrorists are more vulnerable as they stray further from their base, which is why the U.S. has been a relatively safe haven in the past.
The type of industry will also be a factor in the vulnerability of your business. Most at risk are multinationals, defense contractors, businesses with telecommunications, businesses with government contracts, and high-profile organizations with extensive exposure. Nationwide, large metropolitan areas (especially those with large airports, such as New York, Detroit, or Los Angeles) or cities with a high concentration of specialty industries are more at risk.
The image of your company as portrayed by the media can play a role in a terrorist’s decision to attack. Because media tends to encourage terrorism and make it more prevalent, you should make a scrupulous effort to avoid exposure as much as possible.
A final consideration to take into account when assessing your particular threat is whether your company has, or is perceived as having, any religious leanings.
This is a general guideline to help determine the degree of risk that a company has of terrorist attacks. However, if you seek more specific information about your company in particular, intelligence is an excellent source. “My recommendation to our clients is to either hire a consultant or to gather information directly from such sources as the State Department or the FBI,” says Tal.
Once you have determined the vulnerability of your business, you next should look into probable targets within your organization. Make a detailed survey of its present security measures to highlight the strengths and expose the weaknesses; remember, the security of your business is only as strong as the weakest link. Also, keep in mind that the bomb is the most likely weapon of a terrorist. While a terrorist could feasibly access and sabotage your internal computer operations, Tal says that this would be a degree of sophistication not usually seen in the field of terrorism. “There really isn’t that level of intelligence, money, and planning capabilities within terrorist organizations to actually achieve something like this,” he says.
First and foremost, assess the physical security of your facility--upgrade existing security measures, particularly for vital areas, and implement new ones if necessary. Put rings of security around the facility itself (fences, alarms, locks, etc.), and have various types of redundant and intruder systems inside the building to detect unauthorized people and prevent them from getting into certain areas. You may also want to consider having access controls, such as digital codes and hand-screening. Once your security system(s) is in place, it must be constantly audited and upgraded to ensure that a high state of readiness is maintained and that new vulnerabilities are quickly addressed.
Your next step is to note all possible points of entry to the facility. Hire security guards from a nationally recognized security company that does background checks. The more visible your security is at the entrance, the greater your deterrence against attack.
You should also check how vehicles come onto your property--cordon off parking lots and require identification to park, and do not allow cars to drive right up to the door or park too closely to the building. Inside the facility, see how people (both employees and visitors) circulate through the building. Escort visitors and give them identification badges.
Mail is one of the most common venues for terrorist attacks. Thoroughly investigate how your mailroom is designed and if it is safe for incoming packages. Be wary of knapsacks, duffel bags, or the proverbial overstuffed manilla envelope; dark, greasy stains--or “sweating”--which may indicate a crude bomb; or packages heavier or stiffer than expected, or emitting a strange odor. If you receive a suspicious parcel, do not touch the metal fastener, as it may be an ignitor. To prevent risk, establish a central, incoming mailroom for letters and parcels. If something comes to the front door, require the recipient to come and pick it up; if it is not recognized, have it taken away. And don’t forget one of your best preventative resources: common sense and instinct.
Another feasible threat is an attack via undercover terrorists. A maintenance crew from an outside organization is one of the easiest ways for a terrorist to slip through, says Berg. Do an inventory: are they contract workers or full-time employees? What are your hiring practices?
You may also run the risk of already having potential terrorists within your organization. The probable threats in this case are those affiliated with a radical organization or activist group, those who are sympathetic to such a group, or those who are in a position that they may be pressured by such a group. To mitigate the risk of internal sabotage, designate various work areas and issue identification badges designating the area in which your employees work. If you have a legitimate concern about an employee, contact your local FBI or the State Department. DO NOT interrogate the person. If you are concerned about hiring new employees, you can check with your local authorities for recommended screening procedures for new hires. Psychological testing is permissible.
When assessing the security of your facility, you should obviously pay special attention to the critical areas that, if attacked, will most severely disrupt your products or operations. To maximize a small amount of resources, terrorists may try to hit volatile targets that are likely to have secondary or tertiary consequences. These include critical industrial facilities, such as chemical and nuclear plants, or liquid natural gas carriers.
Your data center is also a target that, if hit, can suffer destruction far beyond the initial damage. To mitigate this risk, define and back up all of your crucial information on a regular basis, strengthen external walls, windows, and doors leading to the computer room and other critical areas, and replace ordinary glass with a more secure glass combination (e.g., laminated glass, laminated glass with anti-fragmentation film, or polycarbonates, which are 300 times more resistant to breakage than ordinary glass). It is also a good idea to have supplemental diesel generators to supply the power required for the computers, the heating, ventilating, and air conditioning (HVAC) system, and the fire-fighting system. If the connection to the main electrical power grid were cut off, the generators would enable you to continue operations. If the diesel generators should fail, a battery-powered emergency system could supply the full electrical load long enough to ensure storage of the data and an orderly shutdown of the computers.
Develop Your Disaster Recovery Plan
“The advantage to having a crisis management system in place is that a company can practice with it and learn what doesn’t work. And in the event of a crisis, problems already will have been corrected and reactions can be instantaneous.” --Neil C. Livingstone, professor of National Security Studies at Georgetown University
If you have already developed and implemented a comprehensive disaster recovery plan for your business, chances are good that you are already safeguarded against the terrorist threat. Take out your plan and see if you have a facet that deals with terrorism, kidnapping, etc. “I would say that every company above $1 billion should have a crisis management plan with a subchapter on terrorism, and smaller companies should have one if they have a perceived threat,” Tal says.
If you have no plan or only a partially developed one, Berg suggests that your first plan of action should be to develop a Crisis Management Team (CMT), headed by the chairman/president, that is exclusively dedicated to your organization’s security. The departments involved in the CMT should include a threat assessment coordinator (you may want to assign a different person to address each potential crisis scenario); human resources; legal counsel; CIO; internal security manager; public relations officer; psychological counselor; and MIS (management information system).
Once you have established a CMT for each plant location, list all potential crises that may afflict your organization and plot out each team member’s responsibility.
Remember, if you choose to increase security measures in response to a perceived terrorist threat, use discretion when implementing changes or upgrades in security policy to avoid widespread panic with your employees. Announcements regarding security increases should be made with a great deal of sensitivity towards employees. Berg recommends that you conduct small, non-threatening departmental meetings with employees to keep them briefed on reasons for increased security, and implement communications training for team and division-level deputies who can, in a crisis, know how to handle employees, shareholders, the press, security analysts, local authorities, etc.
To avoid unduly alarming employees, Tal suggests that you keep certain increased security measures confidential--those that do not involve the employees, such as a kidnap plan. However, he says that “in most cases, I would recommend coming up front with an increase in security, because if you come up with a cover story, chances are good that it will leak”-- ultimately causing more harm than good. “Training and open approach is the best way to combat rumors and panic,” he says.
Once your plan is in place, you must continually search for weak links in order to improve and perfect it. Distribute the plan widely throughout the organization and hold regular meetings of the CMT.
You also need to test the plan to make sure everything will flow as smoothly as possible in the event of a real crisis. Berg says that a good method of testing is by contracting with an outside company that designs board games. “They put together a realistic scenario for you,” she explains, “and you play it out.” For example, a company called Design Simulations in New York will create a variety of scenarios specific to your industry, giving the CMT random events to test the plan and how well members work together. The advantages of this option, she says, is that it is a realistic, low-profile, and cost-effective way to design and test the plan.
In addition to testing, audit the plan on a regular basis. Go back through the system on a routine basis and make certain that everything works and everyone knows what to do in a crisis. Test and update the plan at least every six months, or as the situation demands.
For constant and immediate updates on the situation, use intelligence sources, such as the FBI’s Anti-terrorism Unit, to keep track of activities. Print media is also a good source of current information; subscribe to a variety of publications.
The threat of terrorism did not begin, nor will it end, with the war against Iraq. Although the Gulf war has put the U.S. in the spotlight, thus heightening anti-American sentiments in some Arab nations, the work of terrorists is never done; their best weapon is their unpredictability. History dictates that the U.S. is infrequently a victim of attacks by terrorist-sponsored organizations. Yet, whether it is a terrorist organization that infiltrates the U.S., or simply a disgruntled employee seeking revenge on your company, be certain that when the smoke clears, the perpetrators of violence, not your business, are the ones who wave the white flags.
Margo Young is a Staff Writer for the Disaster Recovery Journal
This article adapted from Vol. 4 No. 2, p. 6.