Risk UK November 2014


Security and Fire Management

Vulnerability Management
How to Minimise ‘Attack Surfaces’ on IT Systems
Investigating Corporate Fraud: SFO’s Role in Detail
Counter-Terrorism: Security Officers and The Six C’s
Liquid Gold: Protection Regimes for UK Water Supplies
Vertical Focus: Risk Mitigation in the Transport Sector



Contents

Fraud Investigations: The SFO in Focus (pp20-23)

5 Editorial Comment

6 News Update
Financial cost of cyber crime. BSI launches PAS 7000. ICO issues CCTV warning. BSIA maps out Health and Safety Forum detail

8 News Analysis: Launch of Project FALCON
Project FALCON (Fraud and Linked Crime Online) is dedicated to protecting Londoners from the threat of economic criminality

11 News Special: Transport Security Expo 2014
Transport Security Expo runs at London’s Olympia on 2-3 December. Brian Sims previews the 2014 show’s vital content

12 Opinion: The Syrian Conflict and UK plc
Brett Lovegrove runs the rule over numerous ways in which events in Syria are impacting the UK and cannot be ignored

14 Opinion: Training for Counter-Terrorism
Given the recent escalation of the UK’s terrorism threat status to ‘Severe’, Charlie Swanson calls for education in The Six C’s

17 BSIA Briefing
Trevor Elliott outlines Best Practice in guarding procurement

20 In Defence of the Realm
Alun Milford details the work of the Serious Fraud Office for the benefit of practising security risk management professionals

24 Digital Evidence: Eradicating the pessimism
Mobile forensics have the potential to transform traditional methods of profiling offenders, as Yuval Ben-Moshe explains

26 Leading from the Front
Do security risk professionals actually see themselves as leaders in the Boardroom? Peter French searches for an answer

28 Guarded by Griffin
Don Randall looks back on ten years of achievement realised by the Project Griffin security and counter-terrorism initiative

30 Managing Video as a Digital Asset
Thinking of making the switch to an IP-based surveillance system for your company? Karl Pardoe has the necessary detail

33 Risk Mitigation in the Transport Sector
Managing risk in the Transport Sector is the theme of this month’s Risk UK Vertical Focus. Daniel Wan reviews security systems Best Practice (p35) while Jamie Wilson assesses Ebola virus tracking techniques (pp36-37). Intelligent video in airports is the focus for Denis Castanet (p39) and Danny Williams traces the key role of security personnel at transport hubs (p41)

42 The Race for Traceability
Traceability allows food supply chain specialists to assess the extent of risks facing their business. Duncan Moir investigates

44 Liquid Gold: Safeguarding water supplies
Water sector security solutions delineated by Tony O’Brien

47 Thought shower
Robert Moore considers Best Practice for safety shower design

48 The Security Institute’s View

51 In the Spotlight: ASIS International UK Chapter

54 FIA Technical Briefing

56 Security Services: Best Practice Casebook
Neill Catton describes the bespoke security services arrangements devised for King’s College London

58 When is a vulnerability not a vulnerability?
Vulnerability management procedures covered by Mark Kedgley

60 Risk in Action

62 Technology in Focus

65 Appointments
People moves in the security and fire business sectors

67 The Risk UK Directory

ISSN 1740-3480

Risk UK is published monthly by Pro-Activ Publications Ltd and specifically aimed at security and risk management, loss prevention, business continuity and fire safety professionals operating within the UK’s largest commercial organisations © Pro-Activ Publications Ltd 2014 All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical (including photocopying, recording or any information storage and retrieval system) without the prior written permission of the publisher The views expressed in Risk UK are not necessarily those of the publisher Risk UK is currently available for an annual subscription rate of £78.00 (UK only)

Editor Brian Sims BA (Hons) Hon FSyI Tel: 0208 295 8304 Mob: 07500 606013 e-mail: brian.sims@risk-uk.com Design and Production Matt Jarvis Tel: 0208 295 8310 Fax: 0870 429 2015 e-mail: matt.jarvis@proactivpubs.co.uk Advertisement Director Paul Amura Tel: 0208 295 8307 Fax: 01322 292295 e-mail: paul.amura@proactivpubs.co.uk Administration Tracey Beale Tel: 0208 295 8306 Fax: 01322 292295 e-mail: tracey.beale@proactivpubs.co.uk Managing Director Mark Quittenton

Risk UK PO Box 332 Dartford DA1 9FF

Chairman Larry O’Leary

Editorial: 0208 295 8304 Advertising: 0208 295 8307

www.risk-uk.com



Editorial Comment


On Guard

The Security Industry Authority (SIA) recently held its annual Stakeholder Conference in central London. In the Keynote Speech, Elizabeth France CBE – chairman of the industry’s regulatory body – mentioned that it’s now exactly four years since the Government initiated its Public Bodies Review. A very strong pronouncement back in 2010 stated the SIA would no longer be a Non-Departmental Public Body and that a ‘phased transition to a new regulatory regime’ was about to commence.

During the intervening period, the Regulator – brilliantly led by CEO Bill Butler – has worked hand-in-glove with companies across the private security sector to propel regulation forward. Importantly, that work has included fashioning detail around the aforementioned ‘new regime’ and, specifically, the creation of a model focused more on security businesses.

The fact that there’s still no concrete timetable for the introduction of business licensing is – as Elizabeth France rightly stated at conference – both “disappointing and frustrating”. France continued: “We at the SIA recognise the expenditure and effort the industry has put towards preparing for business licensing and, of course, the ongoing costs around the continuing uncertainties, but it’s a Government matter.”

The SIA is necessarily a creature of statute. It must align to the legislative vehicles with which it’s provided by the Home Office. What it cannot do is work without proper legislation or powers. “We’ve done everything we can to prepare for business licensing,” asserted France. “The SIA and the industry remain ready for that licensing as and when we have the legislation, but we cannot stand still and wait. We have to move forward.”

The Regulator has worked with the sector on a shared framework for business licensing and duly delivered to Westminster a bold statement of intent. Security businesses presently in a poor shape can expect regulatory and/or legal interventions, the clear use of licence conditions and restrictions, the threat of removal of their licence to operate and the deliverance of higher indirect costs. For aspiring companies, the SIA is adamant that there will be distinct standards for improvement and, indeed, strategic interventions designed to support that betterment.

As Elizabeth France explained at conference: “The burden of regulation will be proportionate. There will be protection from incompetent and criminal businesses and there will be proportionate costs.” Importantly, first class security businesses will be recognised for doing what they do best – delivering a respected and highly professional service to their end user customers (‘University challenge’, pp56-57). For those same end users, there’s the promise of “greater engagement” with the Regulator and “clearer information to support informed security purchases” (‘Security Guarding: Sourcing a quality supplier’, pp17-18).

The guarding sector is crucial to the safety of our nation. Its constituent members work long and hard – often under extremely difficult circumstances – to protect life, limb, property and brand reputation for the clients whom they serve so diligently on a daily basis. If the Government is truly cognisant of that message it must act with legislatory haste. Time is pressing.


Brian Sims BA (Hons) Hon FSyI Editor


Top 10 online-enabled frauds hitting British wallets to the tune of £670 million

Francis Maude MP: Minister for the Cabinet Office

Organisers of Get Safe Online – the joint public-private sector Internet safety initiative – have revealed the financial and emotional cost of cyber crime. In a specially commissioned poll of 2,000 people by Vision Critical for Get Safe Online Week 2014 (which ran from 20-26 October), 50% of those who have been a victim of cyber crime (including online fraud or cases resulting in economic loss, ID theft, hacking or deliberate distribution of viruses and online abuse) said they felt either ‘very’ or ‘extremely’ violated by their ordeal. Separate figures prepared by the National Fraud Intelligence Bureau for Get Safe Online Week offer an indication as to the sheer scale of online crime, with over £670 million lost nationwide to the Top 10 Internet-enabled frauds reported between 1 September 2013 and 31 August this year. Given that a significant number of Internet-enabled fraud cases still pass by unreported, the true economic cost to the UK is likely to be significantly higher. The Get Safe Online survey also reveals that over half (53%) of the population now views online crime just as seriously as they do ‘physical world’ crimes, destroying the notion that online crime is ‘faceless’ and less important than other forms of criminality. As a result, more cyber crime victims (54%) wish to unmask a perpetrator but only 14% have succeeded in doing so.

Around half (47%) of victims did not know to whom they should report an online crime, although this figure is expected to drop due to the ongoing work of Action Fraud (the UK’s national fraud reporting centre) and the considerable Government resources now dedicated to fighting cyber crime. On a more positive note, victims in the Get Safe Online poll said that their experiences have shocked them into changing their behaviour for the better, with nearly half (45%) opting for stronger passwords and 42% now being extra vigilant when shopping online. Over a third (37%) always log out of accounts when they go offline and nearly a fifth (18%) have changed their security settings on their social media accounts. Commenting on the survey results, Francis Maude (Minister for the Cabinet Office) stated: “The UK cyber market is worth over £80 billion a year and rising. The Internet is undoubtedly a force for good, but we simply cannot stand still in the face of these threats which already cost our economy billions every year.” Tony Neate, CEO at Get Safe Online, explained: “We can all take simple steps to protect ourselves, including the use of strong passwords on our computers and mobile devices, never clicking on a link sent by a stranger and always logging off from an account or website when we’re finished.”

BSI launches PAS 7000 global risk management standard for supply chains

BSI, the business standards company, has launched PAS 7000 – a universally applicable supply chain information standard orchestrated specifically for suppliers and buyers operational at organisations of all sizes around the globe. ‘PAS 7000 Supply Chain Risk Management: Supplier Pre-qualification’ helps answer three key questions relating to any organisation’s supply chain partners: Who are they? Where are they? and Can they be relied upon? The standard exhibits the collective expertise of 240 professionals drawn from global industry associations and organisations (including Astra Zeneca and the Chartered Institute of Purchasing and Supply) and addresses product, process and behavioural criteria for supplier pre-qualification. As supply chains increasingly span continents, and brands become more exposed due to the demand for increased transparency, so the challenge for procurement teams to assess the suitability of suppliers increases. In the last 12 months alone, 63% of EMEA companies have experienced disruption to their value chain due to unpredictable events beyond their control at an average cost of £449,525 per episode. PAS 7000 provides companies with a uniform set of common information requirements that reduces duplication of effort in completing tender forms and aids procurement in bringing consistency to the supplier base. It establishes a model of governance, risk and compliance information for buyers to pre-qualify suppliers and confirm their intention and ability to adhere to key compliance requirements. In turn, PAS 7000 helps organisations make an informed decision about whether or not to engage with a potential supply chain partner.


News Update

ICO warns CCTV operators that use of surveillance cameras must be “necessary and proportionate”

The Information Commissioner’s Office (ICO) has warned CCTV operators that surveillance cameras must only be used as a “necessary and proportionate” response to a real and pressing problem. The warning comes at the same time the ICO publishes its updated CCTV Code of Practice. The update includes a look at the data protection requirements placed on the operators of new and emerging surveillance technologies such as drones and body-worn video cameras. “The UK is one of the leading users of CCTV and other surveillance technologies in the world,” said Jonathan Bamford, the ICO’s head of strategic liaison (pictured). “Technology is now able to pick out even more people to be recorded in ever greater detail. This realises new opportunities for tackling crime, but also poses potential threats to privacy if cameras are just being used for recording innocent members of the public without good reason.” Bamford added: “Surveillance cameras should not be deployed as a quick fix, but rather as a proportionate response to a real and pressing problem. Installing surveillance cameras or technology like ANPR and body-worn video is often seen as the first option, but before deploying such systems we need to understand the problem and whether that’s an effective and proportionate solution. Failure to conduct proper privacy impact assessments in advance has been a common theme in our enforcement cases.” The updated Code of Practice explains how CCTV and other forms of camera surveillance can be used to process people’s information. The guidance details the issues that operators should consider before installing such surveillance technology, the measures that companies should have in place to make sure an excessive amount of personal information isn’t being collected and the steps organisations ought to take in order to make sure captured information is kept secure and destroyed once it’s no longer required. The ICO’s CCTV Code of Practice complements the provisions in the Surveillance Camera Code of Practice issued last year by the UK Surveillance Camera Commissioner and which applies to police forces, local authorities and Police and Crime Commissioners in England and Wales (as per the Protection of Freedoms Act 2012). The ICO’s guidance covers a wider area as the requirements of the Data Protection Act apply to all sectors processing personal information across the whole of the UK (including the private sector).

BSIA set to launch all-new Health and Safety Forum for the security sector

The British Security Industry Association (BSIA) has announced the launch of a new Health and Safety Forum dedicated to the sharing of industry Best Practice and promoting the importance of Health and Safety for security practitioners, companies, their employees and their customers. Formed in light of the growing importance of Health and Safety within the security sector, the Forum has also been created in response to demand from BSIA members. In a recent survey conducted by the Trade Association, 93% of respondents expressed a keen interest in participating in such a Forum, which intends to deal with important issues including violence in the workplace, accidents and preventative measures. Open to representatives from all BSIA member companies, the Health and Safety Forum aims to facilitate the sharing of information and Best Practice techniques, in turn galvanising members’ commitment to Health and Safety into positive action while informing them of the latest developments across relevant legislation. Trevor Elliott, director of manpower and membership services at the BSIA, commented: “Recently, the Health and Safety of front line workers has been at the very forefront of public discussion, with a report from the Greater London Authority Conservatives indicating that no less than 66,000 front line workers have either been punched, kicked, spat on or even killed while undertaking work-related duties. Assaults against security officers were also highlighted by this report as an ongoing issue.” The Health and Safety Forum will meet for the first time at a launch event taking place this month at Stamford Bridge. Facilitating the launch briefing is Bobby Logue, managing director of Interconnective. Logue stated: “The main purpose of the initiative is to understand the related industry-wide issues and collect statistics on all Health and Safety-focused incidents. This would then form the basis of an industry strategy aimed at reducing such occurrences.”


News Analysis: Project FALCON – Fraud and Linked Crime Online

FALCON will be “an important addition to the national economic crime prevention capability”

City of London Police Commissioner Adrian Leppard has welcomed the Metropolitan Police Service’s announcement concerning the creation of a new fraud and cyber crime team designated FALCON and dedicated to protecting Londoners vulnerable to the threat of economic criminality

Metropolitan Police Service Commissioner Sir Bernard Hogan-Howe QPM officially launched FALCON – Fraud and Linked Crime Online – at the QEII Conference Centre in London’s Westminster. The new team will consist of up to 500 officers dedicated to tackling cyber crime, acquisitive crime with an online aspect and also fraud that does not have an online element attached to it. The overall aim of FALCON is to create a new operating model for the investigation and prevention of fraud and cyber crime in London that will deliver seven key services. These services are as follows:

Volume and cyber-enabled investigations: A centralised capability that will remove the onus of investigation of fraud and cyber-enabled acquisitive crime from local policing Boroughs and provide a consistent approach towards investigations

Complex and proactive fraud investigations: A centralised investigations service that proactively targets specific criminals and organised crime groups causing the most harm to individuals and businesses

Pure cyber investigations: An increased capacity to undertake proactive and reactive investigations in response to intelligence or referral (from the national body)

Problem solving, prevention, industry liaison: A capacity to work in partnership alongside businesses with a common purpose of preventing fraud and cyber-enabled fraud. This will enable the Metropolitan Police Service to link more regularly and effectively with business forums and, in turn, encourage the increased reporting of crime

Victim care: Provision of a service to ensure that all London-based crime victims are recorded and contacted. This will enable the gathering of intelligence to improve future investigative outcomes and also identify enablers specifically designed to support ongoing prevention and enforcement activities

Performance, training and marketing: To provide accurate performance and information to internal and external stakeholders with data relating to both threats and trends

Intelligence: The creation of a dedicated fraud and cyber crime intelligence capability

In summary, then, Project FALCON is being developed in response to the significant growth in cyber-enabled acquisitive crime. Borough-based police officers will continue to be responsible for investigating cyber crimes involving malicious communications, harassment or cyber stalking. Speaking at the launch event, Metropolitan Police Service Commissioner Sir Bernard Hogan-Howe QPM explained: “FALCON sees a more focused and joined-up approach by the Met, the business sector and other law enforcement agencies to ensure that we’re protecting the public, designing out crime and arresting the culprits. We will be more powerful if the three of us – the police, the public and businesses – can work together.”

Cyber crime challenges in London

As the national policing lead for economic crime with responsibility for the National Fraud Intelligence Bureau (NFIB) and Action Fraud, the City of London Police has been an active supporter of the Met in addressing the fraud and cyber crime challenges faced by Londoners. Those challenges are evidenced by the high proportion of reported economic crime assessed by the NFIB that results in disseminations to the Met for consideration of London-based investigations. City of London Police Commissioner Adrian Leppard said: “I welcome the creation of FALCON and the priority this type of crime is being given by the Metropolitan Police Commissioner and the London Mayor’s Office. These London-based teams will be an important addition to the national capability being developed by the City of London Police, the National Crime Agency and police forces across the rest of the country.” Karen Bradley, Minister for Modern Slavery and Organised Crime, added: “The threat from cyber crime is ranked as ‘Major’ in our National Security Strategy, and the Government is investing £860 million over five years to tackle this issue. We’re also increasing knowledge throughout local police forces with specialist training. I’m very pleased to see the Metropolitan Police Service’s commitment to dealing with fraud and cyber crime, and I look forward to hearing about the vital contribution FALCON will make to this work.”

Advance of Internet-enabled devices

In tandem, the latest KPMG survey suggests UK consumers fear that technology is overtaking their lives, with many increasingly concerned about the pace of change they face. The study results also highlight apparent discomfort with the greater surveillance of everyday life and a cynicism about the need for connected devices. KPMG surveyed over 1,600 consumers across the UK to identify attitudes towards the ‘Internet of Things’/‘Internet of Everything’ – the term used to describe devices which ‘speak’ to each other over the Internet. The company aimed to gauge consumers’ views around intrusiveness, security and connected devices. More than half (58%) of the respondents resent the idea that computers seem to run their lives “wherever they go” while 70% suggest that, with the marketplace ‘flooded’ by interconnected devices, it’s too easy for things to go wrong. The survey goes on to reveal that UK consumers are hankering after a return to ‘simple’ technology. For example, many of those who took part in the study (54% of respondents, in fact) mainly want their phone only to make calls while 46% of interviewees wish to use security systems to remotely monitor their property while they’re away.

Rise of the machine

Wil Rockall (director at KPMG’s cyber security practice) commented: “It’s clear that consumers are struggling with a desire to use connected devices as a route towards an easier life and remain wary of the rise of the machine. They still support innovation, recognising that in the right environment having the latest technology is key. Nearly 60% acknowledge that technology makes us more effective at our job.” Asked why they’re cynical about the advance of the Internet of Things, respondents questioned how it’s possible to keep personal information private, with 56% of those polled concerned about a ‘Big Brother’ effect occurring as a result of new products and the pace at which they’re being implemented. In a work environment, more than one-third (36%) of respondents suggested employers are monitoring their every action. Mark Thompson, a senior manager in KPMG’s cyber security practice, added: “Security and privacy are high on the list of worries for the consumer, with 62% of respondents to our survey believing that there’s insufficient concern about it. The fact remains that, where once an Englishman’s home was considered to be his castle, the Internet of Things means that fortress walls can be breached more easily.” Thompson added: “There are so many opportunities for the latest technologies to provide value and enhance our lives, but we’re failing to take advantage of them. We will continue in that vein until consumers can be convinced that always-connected devices are both safe and worthwhile.”

Sir Bernard Hogan-Howe QPM: Commissioner of the Metropolitan Police Service


News Special: Transport Security Expo 2014

Transport Security Expo: The Global Hub for Best Practice

For over a decade, Transport Security Expo has remained a key focal point attracting Government regulators and industry professionals alike. This year’s programme runs at the Olympia Exhibition and Conference Centre’s National Hall in London on 2-3 December. Brian Sims previews the 2014 event for which Risk UK is an Official Media Partner

With UK Government initiatives designed to share home-grown capabilities and burgeoning interest in security solutions worldwide, leading aviation, maritime and rail industry event Transport Security Expo (www.transec.com) runs with an exciting range of new features in 2014. The prestigious event is entirely free to delegates, with all conference streams and a world class array of speakers accessible to all for the first time in the show’s illustrious history. This move by organiser Nineteen Events was driven by increasing demand as well as synergies with the UK Government’s efforts to promote expertise and technology on the widest possible scale. Across the last decade and more, Transport Security Expo has become the global hub for transport security professionals worldwide who are looking to meet and learn Best Practice techniques from each other so as to ensure the safest possible movement of people and goods. This time around, Australia’s transport commissioner Paul Retter is flying to the UK such that he can host the event’s VIP Airport Programme and join 50 officials from the UK Department for Transport as well as 30 representatives from the British Transport Police. A further 22 foreign countries are also in discussion over sending delegations to the 2014 event (which runs at the London Olympia Exhibition and Conference Centre’s National Hall on 2-3 December). Nineteen Events works diligently alongside the Home Office and the UKTI’s DSO to identify priority opportunity markets and ensure the right industry representatives are visiting the UK to learn about current Best Practice. An expanded event this year includes new conferences for the latest areas where the UK has developed unparalleled understanding – namely major events transport security and secure transportation. The Hosted Buyer programme will also return. This is a ‘speed dating’ service joining key industry buyers with relevant exhibitors showcasing their wares. Buyers from a wide range of sectors and organisations are represented including Bank of America Merrill Lynch, Associated British Ports, the Home Office and the United Nations Office on Drugs and Crime. Alongside the event’s enhanced conference programme, both overseas and domestic visitors will be able to access an enlarged show which now includes a Live Demonstration Theatre providing real-time examples of security scenarios and solutions in action. This operates in addition to a Security Vehicle Zone showcasing the very latest in armoured vehicles for Cash-in-Transit operations.

Advisory Board for 2014

A new Advisory Board for Transport Security Expo 2014 includes luminaries from UK security past and present. All areas from Government to private and public security are represented on the new Board which meets to ensure the event remains topical and ahead of the game in providing education and networking for the global transport security industry. The high-level Advisory Board is headed by British Naval veteran Admiral Lord West, Stephen Phipson CBE from the Office for Security and Counter-Terrorism (OSCT) and Rob Coleman, director of the Home Office Centre for Applied Science and Technology. Phipson is a 35-year veteran of the security industry and the director for security industry engagement within the OSCT. He’s charged with managing the development of the UK security world’s key initiatives designed to secure and develop export growth.

*Register to attend Transport Security Expo 2014 by visiting: www.transec.com or contact Nineteen Events on (telephone) 020 8947 9177

**Transport Security Expo is supported by numerous industry bodies including ASIS International, the Security Industry Authority, The Security Institute and the ADS Group


Joined-up resilience... What will it take?

In a thought-provoking discourse, Brett Lovegrove offers some personal views on how present events in Syria are affecting UK plc, the apparent lack of joined-up forward vision around this important issue and the overriding need for a coherent strategy to be developed by our leaders

Why am I still forming the impression that the UK’s focus on the Syrian conflict is being kept at arm’s length? In a sense, I don’t blame us for adopting that attitude. Big debates are being had around the corridors of power as to whether or not – and how – we should be deploying our military on the ground. I understand all of that. The present Government doesn’t want (and cannot afford) to have a debate so close to next year’s General Election so a limited force is being sent to support our coalition partners. In parallel, here at home our law enforcement agencies and the Security Services are working hard to locate and track returning trained Jihadists and gather intelligence from both open and closed sources. Many City Security and Resilience Networks (CSARN) members are also working diligently to mitigate threats against their sectors while at the same time sharing information and intelligence on this subject with those who need to know. The voluntary groups operational on the front line are brilliant, brave and have the admiration of us all. Furthermore, such determined effort must continue unabated. There’s an inherent danger in ‘talking up’ the dangers posed to us both here and abroad by the Syrian situation so let’s not go down that particular road. Where, though, do we think we are now in the wider global debate and where do we think we’re going? Although using Syria as a reference point, much of what’s about to be said here can apply to any conflict in the present or the future.

Assessing the fall-out to date

As we know, the present state of affairs isn’t just about Syria. The situation affects some of our largest trading partners such as Turkey whose currency has fluctuated since the conflict began. Asian stock markets have visibly lost financial traction and, to date, continue to struggle in the battle for stability. Oil prices in the Middle East rose at the conflict’s outset and the world remains uncertain about this resource’s price sustainability. Jordan and the Lebanon are at a constantly high level of risk as a result of their affiliations. The impacts affect us here in the UK. Some louder than others, but they do. Existing Governmental strategies focus on preparing businesses for a range of threats and how to recover when an attack takes place, but none of them discuss how society should be engaging with itself. For example, how can we build, share or have a sense of our collective values (on Human Rights, repatriation and migration away from the battle space, etc) if we as citizens cannot join in that debate or have a mechanism to do so? Surely this wide debate alone would give decision-makers an idea as to how society views the challenges it faces and might even help find solutions? It’s not as though we don’t have the technological ability to do so, so why not take the plunge? The struggle arises when attempting to explain what we as a much larger society are doing to prepare for what we all believe is a long game (it’s already been four years, by the way). The questions in my head are many and varied. Is our overall response to the threat (which is some thousands of miles away) appropriate? What is the UK Government’s strategy on where its place in the world should be post-2015? What does our current limited response say about us as a United Kingdom? In addition, if we want to trade with Syria once the embargoes are lifted, what plans do we have in place to do so? How joined-up is the business community in relation to our Government and law enforcement agencies, and is it making best use of this potential partnership? Is it enough for businesses just to create individual mitigation plans?



Opinion: The Syrian Conflict and UK plc

What will the Government and society really decide to do about those returning British-born Jihadist fighters who seem to have gambled foolishly with their own right to their nationality? Why do I feel that we are not working together as much as we should be? Let me share something else with you. I cannot help feeling we as UK plc believe that Syria and its environs are so many miles distant from this group of islands that we can turn on and off the flow of information and bad news as and when we wish. We treat this information as interesting but not compelling enough to do something substantial about it. I’m also not entirely convinced that we as a society have focused on the needs of our substantial Syrian, Turkish, Iraqi, Palestinian or Israeli communities and supported them while they harbour concerns for their families and friends overseas. In short, we don’t fear the outcomes of this conflict enough to think differently. To my mind we should.

Clear and joined-up vision

There are many other issues associated with this current conflict. You’re welcome to fill in all the blanks, but the point I’m making is that we need a clear and joined-up vision about what the UK’s position really is right now. If we cannot see the whole picture then we’ll never be able to respond effectively. We need to have a clear map of how issues that directly affect business, Government and our many communities are interconnected such that we’re able to sense how one decision or action can affect the bigger picture. Only then might a coherent and responsive strategy be developed and all stakeholders contribute to it. If you like, responses can also include critical intelligence from the aforementioned communities themselves who will know a lot about the activities of individuals still resident in the battle space and those who travel there. It may contain ideas about how we prepare to continue to build business relationships with that part of the Levant for the juncture when real trading returns or how we can use the social networks to provide a counter narrative to some of the single source messages encouraging radicalism. Without this much wider narrative within an embracing strategy, all we’re doing is actively excluding communities and business sectors that can help shape a more effective response.

Having raised these issues, what should we do about them? First, it’s my considered belief we must come to terms with the fact that we all have an active part to play in shaping the collective future everyone would wish to witness. The UK Government either will not or cannot take the lead in co-ordinating the forward movement required to develop an interactive, all-encompassing repository of ideas. On that basis, it’s up to us to do so because we can often make things happen more quickly and, indeed, more effectively. We’re not aligned to party rules. Second, we must agree that unless we think differently and work together, those individuals who wish to visit great harm upon us will continue to have the upper hand in terms of narrative. We will always chase their shirt tails. Third, we need to recruit leaders – and those individuals are among us now – who can be influential in drawing together the vital pieces required for developing the vision and the all-encompassing strategy that stands alongside.

Platform for discussion

The alternative is to believe that the task before us is too difficult, insert ear plugs and keep on doing what we’re currently doing. That’s not an option because it simply isn’t working. CSARN is willing to act as a platform for further discussion, but particularly action. That discussion and action is critical, it’s complicated and it’s necessary… and there’s absolutely no time to waste.

Brett Lovegrove MA FRSA FSyI FICPEM: CEO of City Security and Resilience Networks (CSARN UK and CSARN Australia) and former Head of Counter-Terrorism for the City of London Police




The Six C’s: Why security officers need to know them

To what levels are private sector security officers instructed to manage potentially life-threatening situations? Given the recent escalation of the terrorism threat status to ‘Severe’ here in the UK, Charlie Swanson calls for swift and thorough education in The Six C’s

The Metropolitan Police Service has signalled that the threat to the United Kingdom posed by the Islamic State will continue for the foreseeable future. As a result, heightened security measures are now firmly in place, with the terrorism threat level recently raised from ‘Substantial’ to ‘Severe’. The Met’s Assistant Commissioner Mark Rowley – national policing lead for counter-terrorism – has stated that these measures are designed to reassure members of the public while at the same time increasing national security. Speaking to The Guardian on Tuesday 2 September, Rowley – who’s also head of counter-terrorism at the Met – explained: “An enhanced number of officers for high-visibility policing have been deployed across the country, and this plan of action will continue.”

Changing forms of attack

During the 1970s, 1980s and 1990s, of course, the UK was bombarded with attacks perpetrated by the Provisional Irish Republican Army (PIRA), whose favourite choice of weapon was the Improvised Explosive Device (or IED). This form of attack was delivered successfully on numerous occasions, killing and maiming thousands of innocent citizens. The PIRA terrorists would often give prior warning of their attacks, informing the police service by using some form of code, in turn allowing evacuation of the area or local premises before any device exploded. For a number of reasons lives were still lost, but the agreement of warning codes made the situation almost manageable for the police service. In today’s world, though, Islamic State in Iraq and the Levant (ISIL) has introduced a new form of terrorism that’s of grave concern. It’s terrorism underpinned by the brutal torture and murder of dozens of innocent civilians in Syria and Iraq. The UK has to be ready for the returning British Jihadists who will attack our nation state – ie the United Kingdom – because it’s viewed by the Jihadists as an enemy of Islam. This time around there will be no gentlemanly code words or veiled threats. Islamic State is rampant in Syria and Iraq and appears to be gaining momentum on a daily basis. There’s a substantial percentage of Jihadist ‘volunteers’ from the UK who have not only been radicalised but also completely engaged. That’s to say they will follow orders without the slightest question of legality or morality as we in the democratic Western World understand the two concepts. Jihadists abide by Sharia Law. We don’t, and that makes the UK a prime target in the eyes of these terrorists. It may be argued that, given the opportunity, ISIL would attack those areas that are populated and where the greatest damage can be achieved in terms of loss of life, destruction of property and severe ruination to the country’s economy. They will not simply produce a weapons platform – the IED – plant it and simply hope for the best. The Jihadist is likely to carry out a number of reconnaissance missions and tests before deploying their operational units. Despite the brave statements issued by Mark Rowley from what is the police service with the greatest array of counter-terrorism resources at its disposal, ISIL is aware that police forces in the UK are stretched almost to breaking point.

The ‘Extended Police Family’

Here in the UK there’s a little known group of people referred to as the ‘Extended Police Family’. Its cohort includes Security Industry Authority (SIA)-licensed security officers (of whom there are around 350,000 currently in operation). Those officers are now carrying out progressively more duties that were once the domain of warrant-carrying police officers, including first response before or during a serious incident. In the main, these security officers conduct their duties very well indeed.


Opinion: Security Officer Training for Counter-Terrorism

However, during a series of recent security surveys in a major UK city, it fell upon me to question a number of security officers about their levels of training in relation to the recognition and handling of a suspect IED. The results are more than a little concerning. A number of officers assured me that, because of their personal experiences, they would be able to handle such a situation. Other officers claimed to have received suitable instruction and education during previous bouts of employment. Ultimately, they all agreed that the levels of training for managing serious incidents received during the course of their present employment – or, and which is even more concerning, during their SIA-centric training – has been just about non-existent.

The Case of Alfie and Bill

Let’s visit an imaginary scenario. Picture a busy 20-storey office building in the centre of, say, London on a typical Monday morning during the commuter rush hour. A brown holdall has been discovered just inside the reception area on the ground floor, but the member of staff who has spotted it is fully confident ‘The Security Guys’ will be able to handle everything because, after all, that’s their job. One of the security officers present on site – let’s call him Alfie – has been employed at the building for all of three weeks, and on that basis is still learning the ropes. No worries, though, because Alfie’s armed with his Site Assignment Instructions (AIs) and has a trusted security supervisor (we’ll name him Bill) with whom he may consult. The AIs advise Alfie of actions required should a telephone warning be received or – Heaven forbid – a bomb explodes, but not what to do if he’s unlucky enough to be on shift when a bag is found and there’s no owner for said item (that last point should be a bit of a giveaway!). Alfie duly consults Bill. Bill takes into consideration the fact that the national terrorist threat level stands at ‘Severe’ and has consulted the Google ‘oracle’ to understand what that means. Further, Bill isn’t able to locate a legitimate owner for the bag, which Alfie tells him wasn’t there 20 minutes ago. A 999 call it is, then. All well and good, but remember it’s 8.30 am on a Monday morning in the centre of one of the busiest cities in the UK. There’s no way the police can be on scene immediately. Bill duly speaks to the building manager only to be told: “You’re the security expert. I’m just a facilities manager. What do I know?” At this stage in proceedings, both Bill and Alfie should be considering The Six C’s: Confirm, Clear, Cordon, Control, Communicate and Check (for secondary devices). Let’s review each of them in turn.

The Six C’s: examining the detail

(1) Confirm: What makes the bag or case, etc suspicious? Tough call, but somebody has to make it!
(2) Clear: Consider evacuation or invacuation. It isn’t as simple as merely striking the fire alarm button. Rather, there has to be a pre-determined strategy in play
(3) Cordon: Isolate the location if possible (200 metres for a bag and 400 metres for a vehicle). What resources are to hand for delivering the cordon?
(4) Control: Once the cordon’s in place, it remains intact until the police arrive. How does a security officer deter a member of staff from entering the building to retrieve their belongings?
(5) Communicate: Ensure that everybody is kept up-to-speed with proceedings at all times. Effective communication at this stage is critical
(6) Check: Check for secondary devices, or what are often referred to as ‘The Come On’. The PIRA and the Taliban have been past masters of this tactic

Charlie Swanson MSc CSyP FSyI SIRM: Security and Risk Management Consultant

The police will arrive, take over the scene and – in conjunction with other emergency services personnel and (possibly) the military – professionally manage the whole situation. One thing is absolutely certain. If the SIA and private contract security companies don’t begin to invest in this form of training, the above frightening scenario will become a reality. Key-critical sites will be attacked and their local populations bear the brunt of our short term approach to risk, our arrogance and our incredible stupidity. Do we really want this scenario to play out? Obviously not, so let’s focus on The Six C’s as a matter of urgency.






BSIA Briefing

Security Guarding: Sourcing a quality supplier

When looking for a quality security guarding supplier, end users can often be overwhelmed by the sheer volume of service providers and frequently don’t know what to look for in ensuring the highest levels of expertise and professionalism as well as value for money. Here, Trevor Elliott highlights various considerations that should be taken into account when procuring a security guarding supplier

Realising value for money when purchasing goods and services is of paramount importance for today’s business community. The procurement of security services is unique in that business owners are often unsure which measures are essential as opposed to desirable. Indeed, if businesses fail to ‘do their homework’ before commencing the procurement process, they may be left vulnerable to either spending too much and implementing security measures far beyond those necessary or selecting the cheapest option, unaware of the compromises some security providers may use to drive down costs. What, then, are the important questions for purchasers to ask when comparing potential security guarding suppliers?

Have all costs been considered?

Initial costings should include those costs incurred during every stage in the delivery process. By way of example, a security provider may be able to ‘cut costs’ in the initial stages through various methods which – unbeknown to the service buyer – might cause complications further down the line. For instance, if security personnel are not managed adequately through regular contact, they may be left struggling to complete simple tasks associated with their role. Such an environment would leave a business vulnerable to security breaches and effectively undermine security systems that have been put in place. Therefore, ‘initial cost savings’ – wherein costs have been driven down through unsatisfactory means – will impact service levels and, indeed, may even make it necessary to begin the cumbersome and costly procurement process all over again. It’s for this very reason that, when it comes to security, the emphasis should always be on quality first and then cost. With such a mindset in place, businesses will be better equipped to procure the services of those security guarding companies providing true ‘value for money’.

Travel and subsistence schemes

What travel and subsistence schemes are in operation at the guarding company? Another way in which employers can reduce costs is not to use the same officers regularly in one place. By adopting this strategy, the company can save on National Insurance contributions by claiming back costs for officers’ travel to their place of work and also the cost of buying food while they’re on the end user’s premises. As this only applies to short-term placements of less than two years, security companies often move their staff between sites at regular intervals, meaning that the relationship between officers and the site – and their knowledge of the site and its specific security challenges – is lost. In turn, the relationship building process must begin all over again with the replacement officers. It’s not uncommon for security companies to have a certain percentage of staff tied to such schemes. However, the greater the number of staff on travel and subsistence schemes, the more likely the service for the host business will suffer due to staff moving around on a fairly frequent cycle.

Up-to-date insurance certification

Insurance is a ‘must have’ for any reputable security guarding company. All security companies should have liability insurance in place covering them for every eventuality (and specifically in the areas of professional indemnity and efficacy). Some of the more unscrupulous security suppliers attempt to save money by paying the initial monthly premium but then cancel the direct debit. That leaves them with no valid liability insurance. Ultimately, this could well render the end user’s own insurance void in the case of negligence on the part of a security officer. That being the case, it’s advisable to check security guarding suppliers have legitimate insurance in place by contacting their insurance provider to ensure all payments are up-to-date. It’s also worth checking to see when the present policy is due for renewal.

Trevor Elliott: Director of Manpower and Membership Services at the BSIA

Uniform replacement policy

Uniform costings in tender documents are nearly always an approximate calculation. Further, the length of time the uniform will endure will be impacted by the environment in which security officers are deployed (ie whether they’re stationed outside or indoors). Looking specifically at the tendering process, if a company were to provide poor quality uniforms to officers that are situated outside, then there would be a low initial cost on tender documents. However, if the uniform has to be replaced more often the eventual cost will be much higher than that of a company offering a better quality, longer lasting uniform (albeit at a higher initial cost). Therefore, it’s important to consider the supplier’s uniform replacement policy in relation to the conditions and location in which officers will be working.

Compliance with British Standards

To locate a BSIA member security company near you, or to find out more about the Trade Association, visit: www.bsia.co.uk

Security companies that have made the effort to comply with British Standards demonstrate a commitment to quality which provides added reassurance to the customer that they’re a reputable and reliable organisation. From the service buyer’s point of view, it’s well worth checking whether the supplier has been externally assessed to BS 7499, BS 7858 and BS 7984. In order to prove this is so, the security company should be able to show the end user certificates of assessment (ideally via a UKAS-accredited inspectorate).

VAT and PAYE Payments

Some unscrupulous security companies run for a period of time and then cease making VAT and PAYE payments, instead choosing to use the money for other illegitimate activities (ie ensuring that the company goes into liquidation before re-starting the business under a very similar name using the money from non-payment of legitimate tax to finance the new venture). This could mean that the security officers on site are unpaid and have outstanding wages owed to them. For peace of mind, purchasing companies must ask potential guarding suppliers to prove that these payments are up-to-date.

Are premises fit for purpose?

A reputable services supplier will welcome potential clients to visit their premises prior to signing contracts. The end user should ensure that the premises are safe and secure, checking the Control Room to make certain it’s appropriately equipped with PCs and software for managing, say, lone worker check calls and that adequate procedures are in place for dealing with occurrences on clients’ sites. If the security company is going to be holding keys for your premises, check its key control procedures and where your keys are to be kept.

Choosing a BSIA member company

The British Security Industry Association (BSIA) is an ideal port of call for any business seeking a security supplier. BSIA members are subject to rigorous checks before they’re admitted into membership, affording end users reassurances that they’re selecting a quality supplier. Key points to note about BSIA member companies are as follows:

• they are independently inspected to the quality standard ISO 9001 with a UKAS-accredited inspectorate
• they’re fully compliant with the relevant British Standards, European Standards and Codes of Practice
• they are financially sound
• staff vetting has been conducted where necessary
• they are technically proficient and committed to quality training and development for all members of staff
• they’re up-to-date with both British and European policies and legislation





Fraud Investigations: The Work of the Serious Fraud Office

In Defence of the Realm

The Serious Fraud Office was established in order to investigate and prosecute crimes involving serious or complex fraud, a concept which extends to the offences of bribery and corruption. Here, Alun Milford expands on the detail of that remit for the benefit of practising security and risk management professionals

When the organisation came into being in 1987, the Serious Fraud Office (SFO) was given a set of powers unique among the United Kingdom’s main criminal justice agencies in that it’s empowered both to investigate and prosecute offences. This way of working is commonly known as The Roskill Model after the chairman of the committee which recommended the SFO’s creation. So it is that our case teams are made up of specialist prosecutors, investigators and forensic accountants. They engage early with counsel to ensure a consistent strategic vision for a case, and also with IT professionals to help them make the most of the data available. This is an operating model which was designed to, and which has since been proven successful in enabling us to take on even the most challenging of cases. This is also the model that the SFO’s director, David Green, wanted to make the most of when he took up his post two years ago. As such, David immediately re-stated our purpose as a body that investigates and prosecutes cases involving serious or complex fraud – a concept that includes bribery and corruption within its remit.

With that re-statement, the SFO explicitly rejected any notion that we might take on other roles not assigned to us by Parliament. We are not a regulator. That is the role of the Financial Conduct Authority (FCA). We are not an educator. That – so far as the Bribery Act is concerned, at least – is the role of BIS. Neither are we an advisor. That role is for lawyers. To emphasise this re-statement, David Green also reviewed and re-issued our take on criteria in order to ensure that the cases he adopts for criminal investigation really do concern top-end fraud or corruption. When considering whether to accept a case for investigation, he will ask himself whether the case demands the particular expertise, capability, multidisciplinary approach and legislative powers available to the SFO. Factors involved will ordinarily include the scale of the loss occasioned (or threatened), the impact (or potential impact) upon the UK economy, the effect of the alleged conduct upon the UK’s reputation as a safe place in which to do business and the degree of factual or legal difficulty to which the case may give rise.

Major cases since 2012

Let’s outline some of the major cases the SFO has taken on board for the purposes of criminal investigation across the last two years.

Libor: This is an ongoing investigation into the manipulation of the London Interbank Offered Rate (a measure used in the setting of interest rates around the world)
Forex: This concerns the alleged manipulation of the foreign exchange market
Rolls-Royce: Concerns allegations of bribery in the conduct of the company’s business
G4S and Serco: Concerns allegations of fraudulent claims for payment under contracts for the provision of services to the UK Government
The Sweett Group: Concerns allegations of bribery in the conduct of the company’s business

There are several points to note. First, the SFO is using its resources to focus on what it was established to do. That work – the investigation of top tier economic crime and, if the test for prosecution is met, the prosecution of it – is resource-intensive. 70 staff are working on Libor alone. While we well understand the financial constraints within which all in the public sector have to operate, we have had the benefit of a 10% increase in our funding during 2014. On top of that, we’re able to apply to the Treasury for so-called ‘blockbuster’ funding on particularly resource-intensive cases. The Libor case is a prime example.

Bribery Act now in force

The second point is that the SFO is independent. The decision about whether to take on a case is, by statute, that of our director alone. While he has the power to delegate that power, he has decided not to do so. He too decides charges and, with the coming into force of the Bribery Act and the removal of AG’s consent requirement, will be doing so in corruption cases as well as those of fraud. In a speech last month, David Green commented on our independence. What he said bears repeating. “Many of our cases concern blue chip UK companies. Such companies may be household names whose performance is of great importance to the UK economy and every citizen would wish them well. They are the good guys. SFO investigations involving iconic British enterprises do not enhance our popularity, and some may feel a certain tension between wanting the law enforced and wishing our companies to prosper.” He continued: “These corporates have real clout among politicians and in the City. Some use the media to influence and shape public opinion. Those facts alone underline the need for a visibly independent investigator and prosecutor to have conduct of these cases. That’s what the SFO is for. Visible and demonstrable independence is crucial to judicial confidence, business confidence and to public confidence in the investigation and prosecution of major economic crime involving even our flagship enterprises.”

Third, the fact that we’re independent doesn’t mean we are isolated. While we’ve invested significantly in our own intelligence capability, we plug into the wider network of intelligence available to UK agencies. We work closely with the police service, particularly the City of London Police, and with the FCA, with HMRC and the National Crime Agency (NCA). The NCA is a relatively new arrival on the law enforcement scene, but it’s an important and welcome one. It’s a national agency with its own operational capability. Significantly, and for the first time, we have in the NCA an organisation with a remit to co-ordinate a law enforcement response to serious crime. We welcome that development, and we’ve already established good and effective links with its Economic Crime Command. Overseas, we have access to – and make good use of – the networks of NCA and HMRC officers as well as Crown Prosecution Service (CPS) lawyers based in Embassies across the world. We also have our own contacts with investigators and prosecutors overseas. Our good relationship with the Department of Justice in Washington is a case in point.

Fourth, note that all of the investigations previously mentioned are criminal investigations. There’s no short cut to other disposals, such as a civil recovery order. This follows from the director’s withdrawal of a policy on corporate referrals issued by his predecessor and implying that, if a corporate entity reported itself to the SFO, then the SFO would be very likely indeed to resolve the matter by civil settlement and not prosecution. This policy was specific to the SFO. It had not been agreed by – and could not bind – prosecutors in the CPS working on cases with the police. It created a two-tier response by the State to corporate crime, with corporates themselves being able to determine which set of public policies applied to them. Furthermore, the implied promise contained in the self-referral policy meant cases were effectively pre-judged on arrival in the office, as the question of how properly they should be disposed of couldn’t be assessed ‘in the round’. That situation could not carry on.

Reasonable lines of enquiry

Fifth, we go where the evidence takes us and we include both companies and individuals in the scope of our investigations. We follow, as we must, the requirement to pursue all reasonable lines of enquiry whether these point towards or away from the suspect. We also decide how we will deal with a case – and in particular whether or not we will prosecute – at the conclusion of the investigation. Some background may be helpful here. The test a public prosecutor must apply before embarking on criminal proceedings is to be found in the Code for Crown Prosecutors, a statement of policy issued as a matter of statutory duty by the Director of Public Prosecutions and binding on all public prosecutors. That statement makes it clear that a prosecution can only be commenced where (a) there is sufficient evidence to provide a realistic prospect of conviction (that is to say it’s more likely than not that a jury, properly directed in accordance with the law, will convict) and (b) it’s in the public interest to prosecute. The Code also makes clear that if the evidential sufficiency test is not met then that is the end of the matter and there’s no possibility of considering the public interest. If the evidential sufficiency test is met, a prosecution will usually take place unless the prosecutor is satisfied that there are public interest factors tending against a prosecution which outweigh those tending in favour. It then provides a non-exhaustive list of public interest factors both for and against a prosecution. Contents of the Code can be supplemented by more detailed guidance on specific areas of the public interest. Thus, the Director of Public Prosecutions and their equivalent in the Serious Fraud Office have together issued and published guidance – consistent with the Code for Crown Prosecutors – on the proper exercise of discretion in cases involving corporate suspects and, separately, on the Bribery Act.

Alun Milford: General Counsel at the Serious Fraud Office

Fraud Investigations: The Work of the Serious Fraud Office

Introduction of deferred prosecution

It’s against this background that, earlier this year, deferred prosecution agreements were introduced into UK law. Inspired by practice in the US but adapted to suit our own judicial system, these agreements are a way in which corporates which have committed certain economic crimes can admit their wrongdoing and resolve to make things right by agreeing to comply with stringent conditions (including the possible payment of a substantial penalty). In a process scrutinised by a Crown Court judge, criminal proceedings will be commenced against the organisation and immediately suspended without a conviction being recorded pending the organisation’s compliance with the terms of the agreement. As stated, conditions may include the payment of substantial penalties, making reparation to victims, undertaking reform to prevent such conduct occurring again and submitting to regular reviews and monitoring.


The threat of a renewed prosecution will remain hanging over an organisation should it fail to comply fully with the agreement. Of course, the great benefit to the company is that the suspension of criminal proceedings means it avoids a damaging conviction. Negotiations leading to the deferred prosecution agreement can only be initiated by the prosecutor. They will take place in private. The initial judicial scrutiny will also be in private. This is essential to prevent prejudicial publicity which could undermine any future criminal trial for the same or connected offences should the negotiations fail. It’s also required because, as is true with any other negotiation, a degree of confidentiality is necessary at an early stage. Although the negotiations might be private any agreement will not. To be effective, both the principle of the agreement and its contents need to be approved by the presiding Judge. What factors do we take into account when deciding whether to initiate negotiations with a view to entering into a deferred prosecution agreement? An invitation to embark upon negotiations around these agreements will depend upon a number of factors, but the hallmark will be co-operation and the free supply of relevant information. Many of our cases emanate from reports passed on to us by the company concerned. Of course, a genuine self-report is a helpful thing. Two points arise here. First, in this context, we take reporting to mean telling us something that isn’t already in the public domain and which you might assume we do not already know. It’s not impressive when lawyers ask to see us about an apparently urgent matter in order to tell us something their client has known about for some time, and which we have just learned about from the media. It’s even less impressive if, at the end of that meeting, our sum of knowledge has not increased. Second, the report has to be adverse to the company. That is what’s meant by ‘self-report’. 
If it’s a report into wrongdoing by others – employees of the company – then, co-operative as the company has apparently been, there’s no prospect of a deferred prosecution agreement as only corporates can be granted them and the corporate has no criminal liability to purge. However, we will not take a report at face value and will conduct our own investigation around the allegation. If, at the end of that process, we conclude that there is after all criminal liability by the company, then it will be difficult to have viewed that company as cooperative if the report it submitted to us was aimed at throwing the SFO off the scent.



Digital Evidence: Eradicating the pessimism

Mobile forensics have the potential to transform traditional methods of profiling offenders and build a comprehensive picture of suspects. Yuval Ben-Moshe outlines the importance of social data and why the evidence it can provide deserves greater traction among the legal system it ably serves

Upon extracting evidence from mobile devices, the police service is now using traditional investigative methods to analyse the data. Data which can place people at the scene of a crime and provide – or indeed even break down – an alibi. Some commentators argue that mobile phones have become such personal tools that they can offer more detail to investigators than fingerprint evidence. DNA was accepted as a formal method of evidence in the late 1980s and, in 2014, mobile forensics must now be accepted in the same way. The legal system simply must embrace the evidence that can be provided by such methods of forensic detection. Ian Huntley’s conviction in 2002 for the murder of Holly Wells and Jessica Chapman was the first high profile case to be based partly on mobile phone evidence. Now, over a decade on, it’s not just calls and text messages that can link a suspect to a range of different crimes. GPS tracking, social media applications like Facebook, Twitter and Instagram, e-mails, online transactions and even mobile banking can offer forensic investigators critical evidence that may well help determine the route a criminal case takes whether it involves petty crime, such as minor thefts, or more serious instances – even terrorist threats. Social data retrieved from mobile apps is fast becoming a major source of evidence in not only building profiles of suspects but also establishing or demolishing a witness’ credibility. Recent research conducted by Cellebrite revealed that 77% of its customers believe mobile applications are a crucial data source in criminal investigations. The value to both prosecuting and defence counsels in a Court of Law renders the neglect of such data a potentially severe barrier to case solving. Social data can provide highly important evidence for terrorist investigations. Criminals plotting potential attacks are continuing to use sophisticated digital methods and it’s essential that investigators as well as the criminal courts are one step ahead. If plots are not thwarted, courts should have the tools at their disposal to fully embrace the evidence built up through detailed investigations. This evidence may come not only directly from suspects’ activities but also from witnesses to criminality. The investigation of the 2013 Boston Marathon bombing episode – in which three people were killed and an estimated 264 left injured – made use of crowdsourcing to collect photos and video from mobile phones. The data was made public within 72 hours and arrests implemented less than 30 hours later thanks to the evidence shared widely by onlookers.

Yuval Ben-Moshe: Senior Director of Forensic Technologies at Cellebrite

Grasping the implications

In today’s world, the technology to extract valuable and accurate evidence from specific devices has evolved but legal systems are only now starting to grasp the full extent and implications of that fact. Around 85% of people in Britain own at least one mobile phone and, because those phones readily fit into a pocket or bag, they’re carried by users for the majority of their day. Even if the device isn’t used or no direct contact is made with it when committing or planning a crime it still has the potential to offer vital evidence.


Mobile Forensics in the Digital Era: Evidence and the Law

Location data via GPS tracking can identify abnormal travel patterns of a suspect, for example, which may provide important insights. It’s now time that such information is widely used as vital case evidence. Digital data that shows a defendant or victim was in a certain place at a specific time is harder evidence than having to take a witness’ word for it. Both prosecution and defence counsels should be using this in a similar fashion to that evidence obtained from CCTV systems. It’s not just the complex nature of mobile devices that’s giving the criminal courts a more pessimistic view of digital evidence. Concerns over privacy are heightened by the personal nature of mobile devices. Data ownership is also a regular barrier. Take data on a Facebook application, for example. There are always problems over the physical ownership of potential evidence and who must be approached to obtain that evidence. Most legal systems are yet to be provided with solid answers or case law to answer these vitally important questions. Therefore, investigators are having to opt for a traditional approach which is based on the physical location and then serve a court order or warrant to Facebook for the data. As you might well imagine this can be a very drawn out process. Traditional systems are connecting the physical location of the data with its ownership and control while in the all-connected world servers may reside anywhere in the world and serve any point on Earth. This is an adjustment legal systems absolutely need to make.

Determining Best Practice

If well thought out and prepared for in advance, forensic evidence from mobile devices can make all the difference to cases tried in criminal courts. The technology exists for investigators to be partnering with forensic examiners and prosecutors who, to save time and improve the cases they build, should be working together on determining standard operating procedures and Best Practice around obtaining the evidence. It’s quite alarming that, at a point in time where there are 6.8 million mobile phones worldwide, only in the last few years have some legal systems started to adapt and place themselves in a position to accept digital evidence. When it can build profiles and support or refute alibis, it’s imperative that this form of evidence is taken seriously. Hopefully, as courts across the world become more aware of the latest mobile phone technology and its capabilities, advances in social media and privacy issues, they will then be better equipped to make decisions about the legal ramifications of search and seizure, acquisition and analysis. Legal systems need to accept mobile forensics and embrace and alter their approach to accommodate the technology that will ultimately prove a major benefit to criminal cases.

Social media as recruiter

Earlier this year, a young British man was arrested in Bangladesh on suspicion of recruiting potential Jihadists to fight for ISIS in Syria. According to police in Bangladesh, the suspect is reported to have used social media sites such as Facebook to recruit combatants wishing to fight for ISIS in the Middle East. Although the suspect has not been charged, this episode showcases the value and importance of social media data when it comes to investigating, profiling groups and individuals and breaking down suspected terrorist activities. Social media data offers a different yet complementary sort of analysis than the more traditional forms of forensic evidence. In a case of suspected terrorism, social media platforms and applications may be used for mass communication. This point highlights and embellishes the importance of digital forensics when considering social media data as an evidence source. Again, this truism demands to be recognised. It’s not just about a potential conviction. Rather, it’s about preventing and neutralising any threats to either national or international security. For more than a decade now, mobile phone records and messages have been central to unlocking evidence in many investigations. They still are to this day, but there has to be greater recognition of that social media data and what it can be used to achieve in law.


Leading from the Front

It’s a relatively simple question, but do security risk professionals actually see themselves as leaders in the Boardroom? Do they have the capabilities and attributes to hand that would make them the trusted partner for the Board of Directors? Peter French searches for some answers

When The Conference Board surveyed its constituent CEO members in the States around the question: ‘What keeps you awake at night?’, the respondents duly listed their most pressing business concerns (more of which anon). In assessing the Top 5 concerns, it’s apparent many of them could be mitigated by – and, in turn, increase the profile of – the security risk professional. To gain the trust of the Boardroom, those professionals need to be interwoven with the aims and aspirations of the corporation’s structure. Any misunderstanding here means they will not be viewed as a trusted partner. So what are CEOs’ foremost concerns? For one, it appears that many corporations are not fulfilling their talent requirements. This is leading to worries that businesses cannot be innovative and that key entrepreneurial traits are perhaps being lost. Any company’s ‘speed to market’ will be decidedly impaired if it’s not able to attract top talent. People within the business remain the greatest strength – and weakness – of most corporations, potentially exposing the company to inappropriate behaviour at the most senior levels or leading to the acceptance of contracts that hold a high degree of risk. Changing direction, how might customer actions place the company’s reputation at risk? This is a single point of service delivery that security risk professionals could impact very successfully and has a dashboard visibility in the Boardroom. ‘Know Your Customer’ is the compliance mantra in the financial services sector, for example, and is now becoming a broader term in the consumer environment. There are examples of customers using product which places the life of the end user at risk. When it comes to a branded product, it’s going to be your reputation that’s at stake. Can the corporation leverage new technologies to improve quality and contain – or otherwise drive down – costs? One challenge for security risk professionals across the next few years will be the control of Intellectual Property between increasingly dispersed employees and establishing those all-important secure environments underpinning technology transfer.

Need for knowledge retention

Through the next decade, the members of Generation Z and beyond will become less reliant on the ‘secure job’ as they take up roles based on what factors appeal to them. Workers will enjoy a career lattice, not a career ladder. Across the USA and the UK, the percentage of home workers and the self-employed is growing. In tomorrow’s world, workers will be technically integrated into hubs on a remote basis, requiring the use of corporate calibrate tools such that they can function on the move, when ‘coffee shop hopping’ or wherever they feel most comfortable. It does make you wonder what we will use all of these modern corporate office blocks for in times ahead. Reputational and regulatory risk is now such a stark reality that even minor corporations presently globalising their operations through the web should be aware that the Internet sites them in many different jurisdictions. The CEO will increasingly have to think of themselves as the Chief Risk Officer operating somewhere between the caution of legal counsel and the drive of internal business entrepreneurs. The security risk professional has a big role to play in offering oversight for a portfolio of critical operations that can mitigate risks as they’re played out. This is possibly a key component for major corporations that need to have transparent operations by dint of functioning in riskier but also more profitable areas of the globe. That’s not solely because of the colossal fines handed down by regulatory authorities that most of us have never heard of, but rather increasing penetration into countries and regions where lawful business has collapsed. For the corporation and its clients, trust is indeed a basic business trait but what keeps people like Bill Simon – CEO of Wal-Mart – and Larry Page (co-founder of Google) awake at night? You would be forgiven for thinking the answer might involve very different factors, but in truth the reality fits neatly within the standardisation of subjects already outlined.

Risk and Security Professionals: Leadership in the Boardroom

Shareholder activism and M&A

In terms of shareholder activism and M&A, one can lead to the other. We’re living in the age of the mega deal but, as business history recounts, mega mergers don’t always conclude with a successful outcome. Much has to do with the alter ego of the CEO wanting to leave their mark on the business world and wishing to convince themselves – not to mention the rest of the Board – that they will ‘get it right’. Rationalisation of overheads never leads to more employment and, for some communities, the effects can be catastrophic. Set against that landscape, what’s the right path for the CEO? The security risk professional must interweave scenarios and benefits around their programmes and gain the trust of the Boardroom such that they become a ‘go to’ business manager. How can professionals in the sector manage and/or learn to manage risk? We educate. Sometimes through risk scenario exercises played out in classroom-style learning formats. There’s also on the job learning, but who experiences risk as a reality? Who has been privy to the aftermath of flooding, the loss of colleagues due to a tsunami, a volcanic eruption or an avalanche? Given that 55% of those professionals dealing with security risk at a senior level emanate from a formal background – ie the police service or the Armed Forces – they have a natural prevalence towards erring on the side of being risk averse. There’s no gain to be made from being a risk taker. Organisations are risk averse through the media and public scrutiny. Research led by Raghavendra Rau – Sir Evelyn de Rothschild Professor of Finance at the Cambridge Judge Business School – suggests that experiencing a natural disaster at first hand during childhood has a profound impact on the strategic and tactical behaviour of individuals who become business leaders. That same research also concludes that CEOs who’ve been ‘desensitised’ to risk underestimate either the probability or costs of a disaster.

The research team studied the impact of natural disasters on leading CEOs and, remarkably, found that those who experienced a number of moderate disasters actually had a greater appetite for risk-taking than those who had experienced none at all. The CEOs were also more likely to take on more risk in response to a direct threat to the business. Those who experienced the most extreme natural disasters were found to be most risk averse. In business terms, this manifests itself in various ways. Using data from over 1,711 CEOs, these individuals were then grouped into three categories: those exposed to extremely negative effects of natural disasters during their formative years, those who experienced only ‘medium’ effects of such disasters and those who were not exposed to disasters at all. The researchers then examined the effect of CEO risk preferences on financial leverage, cash holdings, stock volatility, acquisitiveness and the CEOs’ own compensation structures. The results are striking.

Major influence on beliefs and traits

Firms run by CEOs from the ‘medium’ group show a 3% higher leverage ratio than those managed by CEOs who experienced no fatal disasters. Medium exposure CEOs were also 3% more likely to announce a corporate acquisition while at the helm. Finally, medium exposure CEOs were also more likely to accept firm-specific risk within their compensation packages. Of course, most of us accept the fact that the childhood environment is a major influence on our being, beliefs and character but, looking at risk make-up, how will the recruiter delve into that background? The risk averse security professional who meets the CEO risk taker will certainly be culturally challenged if certain traits are neurologically ingrained.

Peter French MBE CPP FSyI: Managing Director of SSR Personnel


Guarded by Griffin

Project Griffin was developed by the City of London Police as a joint venture between the City and Metropolitan Police Services in order to advise and familiarise security managers, officers and the employees of large public and private sector organisations across the capital on security, counter-terrorism and crime prevention issues. Don Randall reviews the scheme’s hugely successful first decade of operation

The horrific attacks visited upon New York and Washington on 11 September 2001 highlighted the evolving nature of the terrorist threat that Western countries would be facing for over a decade and are still combating today. Even before that threat materialised on the streets of London on 7 July 2005, security authorities expected the UK to feature high up the list of appealing targets for Al-Qaeda and its affiliates. As a result, attempts were made to encourage and promote greater engagement between the public and private sectors around counter-terrorism issues in the firmly held belief that national security was a collective responsibility that could be more effectively pursued by proactively involving a wider range of stakeholders. In this vein, Project Griffin represented an ambitious initiative aimed at fostering security awareness across the capital’s business community through effective and timely information sharing with law enforcement. Established in April 2004 as a pilot joint venture between the business community, the City of London Police and the Metropolitan Police Service, the project initially involved three major City-based financial institutions. Since its inception, though, Griffin has expanded significantly and is now looked upon as the most effective and successful example of a public-private sector partnership centred on security issues. Project Griffin’s stated mission is to ‘engage, encourage and enable members of the community to work in partnership with the police in order to deter, detect and counter terrorist activity and crime,’ providing an official and direct channel through which the police service can share valuable information and provide relevant updates concerning security and crime prevention matters. The scheme has been praised for raising awareness of security and terrorism issues among the business community in addition to facilitating the sharing of valuable intelligence before, during and after crisis scenarios. Griffin’s operational framework includes three main strands – Awareness Days, Conference Bridge Calls and Emergency Deployments and Cordon Support. Let’s examine each in turn:

• Awareness Days: Staged locally by participating police forces in order to introduce Project Griffin’s working concept and help build relationships. Awareness Days are used to instruct participants on how to recognise, respond to and report suspicious activities. A natural development of this initiative has been the launch of an online refresher module to help keep participants informed and engaged.
• Conference Bridge Calls: Through these calls, participating organisations receive relevant intelligence updates, including information on crime trends and upcoming events that might have implications for public order and safety. In London, such intelligence input is provided by (among others) the City of London Police, the Metropolitan Police Service, the British Transport Police (BTP) and the Counter-Terrorist Squad at New Scotland Yard. Private sector security officers regularly provide law enforcement partners with crucial information on suspicious activities by way of ‘Lightning Reports’. On average, five such reports are produced each week and sent on to law enforcement bodies for further investigation.
• Emergency Deployments and Cordon Support: In times of emergency, Griffin security officers can be asked to assist police forces in activities such as setting up incident cordons or carrying out high visibility neighbourhood patrolling. Such deployments are voluntary and subject to agreement by all parties engaged in Griffin.

Engagement on a wider scale

Although it was originally limited to companies with their own security staff, Griffin has since managed to engage a wider range of commercial businesses across numerous UK towns and cities and currently benefits from the active involvement of the City of London Police, the Met and the BTP. Griffin is now a mandatory response for all police forces in England and Wales under guidance of the National Counter-Terrorism Security Office (NaCTSO), and has also been adopted by Police Scotland. It’s used across both the Metropolitan Police Service and the BTP to train private security officers. Indeed, the expertise showcased by private security officers has proven to be greatly beneficial on numerous occasions, not least during the 7 July 2005 London bombings when Griffin security officers provided much needed support by carrying out external patrols of premises and reassuring the local communities most directly impacted by the terrorist attack. Similarly, private security officers actively assisted in the evacuation of the West End’s Tiger Tiger nightclub when an explosive device was found outside the premises in June 2007.

Counter-Terrorism: Ten Years of Project Griffin

Effective information sharing

Further testament to Griffin’s success as a valuable and effective information-sharing mechanism is the fact that it has now been exported to several countries, including Singapore, Australia (Griffin is currently used in Sydney, Melbourne and Victoria), Canada (where it was employed during the 2010 Winter Olympics) and the USA. There are currently plans afoot for adopting the programme in the Netherlands, France and at Los Angeles Airport. Speaking of the States, Project Griffin was incorporated into New York’s existing Project Shield, an umbrella programme designed to ‘co-ordinate the efforts of both public and private security activities’ for the purpose of protecting the city from terrorist attacks. Here in the UK, Project Griffin has proven to be a critical source of inspiration for a wider and more comprehensive information sharing platform which was launched in time for – and successfully tested during – the London 2012 Olympic and Paralympic Games. Conceived at the time as a unique partnership between the London-based police services, the Home Office, the Greater London Authority, Transport for London, the London Resilience Team, London First and 23 key industry and business sector groups, the Cross-Sector Safety and Security Communications (CSSC) Project’s mission statement was ‘to provide and facilitate for all London businesses to be safety and security aware before, during and after the Games by improving communication between the public and private sector on security matters, in turn creating a legacy of improved communication and awareness.’ Progression has been impressive. The CSSC Project’s main strength lies in its truly cross-sector character – currently a total of 31 sector and industry groups are represented – which allows for extensive coverage. Key information is effectively cascaded through various business links, trade organisations and contacts to the wider business community. Currently, that cascading mechanism ensures CSSC messaging reaches up to 8.45 million individuals right across the UK. Notably, until the creation of the CSSC Project there had been no other way for the majority of London’s businesses to communicate with law enforcement, the Home Office, wider Government and the London Resilience Team. The CSSC Project’s other unique feature is its two-way information flow which aims to provide a real opportunity for organisations to voice their priorities in relation to both security and business continuity issues. In order to do this, a ‘Hub’ has been created to act as the interface between law enforcement and business partners through which real-time information can be fed back and forth with a view to supporting the authorities and helping them optimise their resources. The very idea of creating networks of communication that could be co-ordinated through the ‘Hub’ is what allows the messaging to be cascaded to all connected businesses and, potentially, the wider local community.

A decade of achievement

April 2014 marked the 10th Anniversary of Project Griffin. The occasion was celebrated by way of a special event held at the Vintners’ Hall and hosted by the City of London Crime Prevention Association, during which John McClune was presented with the Griffin Person of the Year Award. Responsible for managing the Griffin bridge calls since their early stages, John was rightly commended for his enduring commitment and dedication to the project. Similarly, on the margins of the CSSC Annual Charity Celebration Dinner which took place on Tuesday 14 October at London’s Grange City Hotel, Gordon Barnes was presented with the Griffin Community Person of the Year Award for his valuable and extensive contribution to the development of Project Griffin across the BTP’s national network. In conclusion, it’s fair to say Project Griffin continues to add enormous value in supporting the community by dint of genuine partnership between the public and private sectors. Its international transferability not only identifies Griffin’s global success but also highlights its continuing growth and support.

Don Randall MBE FSyI: Co-Founder and Chairman of the National Executive at Project Griffin and Chief Information Security Officer for the Bank of England


Managing Video as a Digital Asset

For those companies deliberating over the move to an IP-based video system there are technologies, products and Best Practices prevalent in the marketplace that can assist them in making this transition on both a smooth and cost-effective basis. Karl Pardoe reviews the available options

Businesses of all sizes are fast recognising the wealth of untapped data being collected by security cameras throughout the corporate footprint. Sophisticated video analysis and monitoring systems can detect events and alert members of staff to potential threats without requiring employees to sift through hours and hours of video. While traditionally used for safety and security reasons, video and video analytics deployed across an IP network are now being viewed as corporate digital assets that also deliver business intelligence for key functions including operations and customer service. Video content is regarded as key business support data that integrates with existing systems at the network, organisation and application levels in order to realise increased benefits and lower total cost of ownership.

Depending on the size of the organisation, the number of locations and the number of recorders needed, the options for video surveillance and the choice of solutions available can sometimes be daunting for the purchasing end user. The good news for those companies switching to an IP-based video system is that there are technologies, products and Best Practices prevalent in the marketplace specifically designed to help make this transition on a smooth and cost-effective basis.

Stakeholders throughout the organisation – including physical security, risk management, operations and marketing professionals – need to collaborate on their collective business requirements. New applications and uses of video, such as mapping customer or employee traffic patterns (or measuring audience dwell time in front of a digital signage display) should always be taken into consideration.

Selecting a business partner with video, security and networking expertise is vitally important to the success of the project. The end user’s business partner can help to define a technical solution that meets the organisation’s exact requirements and allows expansion for new video applications in times ahead. Most importantly, that partner can develop a practical migration strategy designed to address existing and new sites on a separate basis while at the same time providing a means of managing both legacy and new equipment from a single management system.

Benefits of network video solutions

Businesses face the challenge of protecting their investments in legacy infrastructure while also taking advantage of the benefits of newer technology. An incremental investment in Hybrid Network Video Recorders (NVRs) can prolong the use of CCTV systems and provide enhanced features for end users. In essence, Hybrid NVRs are converged video management platforms providing analogue and IP camera support, outstanding video compression and storage and intelligent software applications for superior surveillance and operational efficiency. Converged video platforms allow organisations to test and deploy IP cameras selectively alongside existing analogue cameras.

NVR technology provides advances in video compression and storage management when compared to earlier DVRs. The use of MPEG-4 compression optimised to limit video signal noise renders clearer images while also reducing the use of bandwidth and storage. In parallel, the use of intelligent techniques for tagging and retaining important video based on user-defined criteria – such as motion detection or transaction events – will also improve usage and overall cost of video storage. Untagged video may even be saved at a lower frame rate or discarded sooner than tagged video for further storage optimisation.

NVR products can support enhanced business intelligence capabilities. New self-diagnostics and the ability to alert personnel automatically to incidents like camera tampering, alarm cuts and hard drive fatigue make for far less time spent on maintenance and more on using the system’s capabilities to actively protect both people and assets.

Examination of enterprise solutions

For larger enterprises, centralised system management is particularly advantageous during the initial installation and configuration of the solution. Instead of spending hours adding and naming all the cameras, setting up alarms and triggers and configuring the network credentials, the system enables mass configuration of all devices. Centralised control of enterprise solutions also makes the day-to-day operation and maintenance of video surveillance much easier. Features like remote health monitoring allow one person to quickly scan the status of all devices when they log on in the morning and make it much faster and easier to identify problems. Firmware updates can also be made simultaneously to all devices. In the long term, these time savings can realise a considerable positive impact on the host business.

In terms of the benefits of an open, IP-based video solution for security and risk managers, there’s ubiquitous access to video – whether local or remote – from anywhere on the network with all the access policy controls of the company’s other IT services. Security and risk managers may leverage the use of an established, highly secure network infrastructure, proven network connectivity, health monitoring tools and robust storage systems to provide a high degree of confidence that video is available when needed. More storage may be allocated for video with longer retention requirements. Potentially, the investment in video can be shared with other departments for non-security applications and so deliver an increasing overall ROI.

In an enterprise solution, customisable features allow for fast and easy access to the right information so security staff can focus on monitoring key areas. Camera views of rear entrances can guard against employee theft. In the retail environment, cameras may be focused on high value merchandise. Enterprise solutions allow these views to be created and saved such that they may be easily accessed.

Due to the fact that enterprise solutions offer multi-level user access privileges, security and risk managers are able to control access to different information. For example, they can create broad, high-level permissions for senior managers and more customised views for regional managers in the retail world such that they only see the camera views applicable to their own group of stores.

These IP video solutions come with built-in deployment and failover functionalities, such as the ability to run in a virtualised environment using VMware. They also support LDAP services like Microsoft Active Directory users and user groups. In practice, this means the same login and password information can be used for both the security system and regular programs while the corporate IT Department may deploy its regular system tool to control end user access in relation to sensitive information.

Overcoming obstacles to change

When it comes to video, the most common concerns will focus on bandwidth usage, network reliability and system security. Standards-based video compression, such as MPEG-4, reduces bandwidth usage on a video stream to between 250 Kbps and 500 Kbps per camera depending on the level of motion – a fraction of the bandwidth available on a typical 100/1000 Mbps Local Area Network (LAN). It would require about 1,600 cameras to consume the effective bandwidth available on a Gigabit Ethernet LAN.

It’s useful to use a sophisticated video searching tool that enables browsing through video footage to isolate a small segment without having to transfer large quantities across the network. When a particular video segment is downloaded or saved it’s often similar in size to the average business presentation. If there are any concerns about the network, cameras also contain flash memory cards able to cache video during a network disruption, in turn boosting reliability.

Given the security tools, techniques and self-defence features attributable to today’s networks, IT Departments are able to effectively block hackers and viruses from compromising video infrastructure. In addition, access to live and recorded video may be secured through the use of standard user rights and policy management applications.

Karl Pardoe: Regional Sales Manager (UK and Ireland) at March Networks




On the Right Track: Risk Management in the Transport Sector

Best Practice: Security Systems and Processes
Tackling Unconventional Foes: Addressing the Ebola Virus
CCTV: Intelligent Video in the Airport Environment
A Physical Presence: The Key Role of Security Officers



Transport Sector: Security Systems Best Practice

From the skies to the tracks

In order to boost safety levels for members of the public, what elements of airport security Best Practice might be easily leveraged by risk specialists operating across the UK’s rail network? Daniel Wan investigates

Recent statistics issued by the Home Office revealed that, between January 2012 and June 2013, four of the UK’s Top 10 crime hot spots were major railway stations: Manchester Piccadilly (with 1,508 reported incidents), London Victoria (1,483), King’s Cross (1,322) and Euston (1,283). Set alongside a close-to-10% increase in rail passenger theft between April 2012 and March 2013, these figures readily suggest the UK’s railway stations remain a prime target for thieves and vandals.

To whom, then, can security managers operating on the UK’s rail network turn for ideas and inspiration that might just combat the ever-present threat of criminality? The answer is: ‘Airports’. International airports have invested heavily in solutions and strategies designed to better protect their passengers, assets and cargo. What’s more, there are strong parallels between airports and railway stations beyond the fact that both serve as transport hubs.

Pre-empting security incidents

Picture the departure lounges at international airports during the summer holiday season with thousands of people and their luggage present in one relatively small space. Equally, walk through major railway stations on a Friday night during the commuter rush hour and the sheer number of people is overwhelming.

Airports approach this situation in an innovative way. Imagine that a passenger leaves a bag in one of the terminals and walks off. Technologies like video analytics help security staff to spot suspicious behaviour in a crowd and pre-empt any problems. In addition, by using a Video Management System to integrate cameras in a single unified view it’s far easier to spot a person behaving in an unusual manner and quickly guide security personnel to the source of the trouble. This approach to managing situations should serve as an inspiration to railway security teams.

Another commonality is that both these types of transport networks never cease operations. As such, their security systems must perform to the very highest standards both day and night. Continuing to operate without interruption – whatever the circumstances may be, and even in the immediate aftermath of an incident – is absolutely critical.

So how do airports ensure they deliver a 24/7/365 security solution that runs smoothly even in extreme circumstances? The answer lies in integrated security systems designed with automatic fail-over to back-up systems so that, in the event of a power failure or other risk scenario, site security is immediately picked up and controlled by a secondary security site. Like airports, railway stations can also be affected by adverse conditions outside of their control – for instance severe weather, flooding or fire – that disrupt critical operational systems and place thousands of passengers at potential risk. Investing in back-up security solutions will afford security managers on the rail network peace of mind.

Airports and railway stations play host to different contractors – cleaners, maintenance engineers, shop staff and train operators – who may have access to sensitive areas on site. For their part, airports are managing staff with state-of-the-art access control functionality. Integration with Human Resources and building management systems ensures that no unauthorised personnel can access restricted areas. These systems are linked to payroll and, as soon as a member of staff leaves or a contractor ceases working for the organisation, their physical access credentials are updated simultaneously. In turn, this ensures that access rights are accurate at all times.

Daniel Wan: Marketing Leader for the UK at Honeywell Security Group


When security goes viral

Airport safety and security has never been more observed and regulated. To this end, airport security managers are now being called upon to help combat a new threat – that posed by the deadly Ebola virus. How should those managers and their teams respond? Jamie Wilson confronts the issue

In recent years, the protection of national borders has focused on the threat posed by terrorism. The events of 9/11 in the States, Richard Reid (Britain’s infamous failed ‘Shoe Bomber’ now serving a life sentence in a maximum security Colorado prison) and the Glasgow International Airport attack in 2007 placed airport security front and centre in the media spotlight. Today, many of the security measures implemented in the wake of those events remain in situ.

In the summer, new rules regarding electronic devices were introduced for passengers entering and leaving the UK following a statement issued by Patrick McLoughlin, the Secretary of State for Transport. In that statement, McLoughlin said the nation faces “a constantly evolving threat from terrorism.” Passengers now need to be able to demonstrate that devices such as tablets and smart phones conveyed in their hand luggage can be powered-up.

Airports have been privy to huge investment in security technologies and the training of personnel to help detect unusual behaviour in terminals or suspicious devices in luggage areas. In the years since 9/11, every aspect of those security systems used in and around airports has evolved to a great degree. We’ve moved from analogue to IP cameras. Video analytics are now highly sophisticated while sensors and alarms have become more advanced and plentiful. In recent years, we’ve also seen widespread adoption of Physical Security Information Management (PSIM)-based solutions to help make the best use of these innovations by analysing, correlating and co-ordinating the interactions between people and technology.

Locating a microscopic virus like Ebola, though, represents an altogether different challenge.

Jamie Wilson: Security Marketing Manager (EMEA) at NICE Systems

Tried and tested measures

Of course, airports do have tried and tested measures in place for disease control, but those measures are mainly designed to address the livestock population. They’re so effective they’ve helped to virtually wipe out rabies from the UK. The last recorded case of rabies on home shores occurred in May 2012 when the individual concerned died after contracting the disease from a dog bite in India.

Specifically referencing the Ebola virus, placing passengers in some form of ‘Typhoid Mary’-style quarantine conditions upon arrival if they’ve flown from affected regions is neither practical nor ethical. Furthermore, a blanket ban on flights to and from areas like Sierra Leone, Guinea and Liberia where the Ebola virus is prevalent would be difficult to justify.

Airport staff can be trained to be vigilant and passengers screened for any obvious symptoms that may indicate early stages of the disease. Early indicators of infection range from headaches, joint and muscle aches, weakness and diarrhoea through to vomiting, stomach pain and lack of appetite. However, the fact is that someone can incubate Ebola for up to 21 days before exhibiting any such symptoms, by which time they’ll have long since departed the airport and joined forces with local society. Fully aware of all this, the Center for Disease Control in the US recently announced plans to track passengers arriving from affected countries for 21 days, but what happens when someone’s actually diagnosed with Ebola?

Clearly, airports cannot deliver accurate screening for the Ebola virus. However, they can play a vitally important and time-critical role in the joined-up efforts to contain it. For example, they can historically trace the movements and interactions of confirmed victims through airport buildings and locations. Once a positive diagnosis has been reached, time is then of the essence to try and locate everyone with whom the infected individual has come into direct contact and so try and halt the spread of the disease.

Focus on the flight manifest

The obvious first port of call is the flight manifest. It’s all about knowing with whom the infected person shared their flight such that these individuals may be contacted and questioned as to whether they’re exhibiting any of the classic Ebola symptoms.

What about all those who may have come into direct contact with the subject after that? What about the security official who greeted the person at border control, or the on-site coffee shop worker who sold the individual an Americano and a croissant? What about the Bureau de Change operator who exchanged currency for the individual? Or the driver and 75 passengers on the shuttle bus that conveyed the subject to the airport car park?

Anyone who works in – or knows about – typical Control Room environments will recognise the challenge faced by CCTV operators when asked to find footage pertaining to a particular person. Even if there’s a date or time range available it’s still a manual process that takes many man hours of laborious trawling through footage. In an airport environment, the sheer footprint of such vast estates makes this task immense. All the while, the clock is ticking.

However, new technology that airports are already assessing to help locate and track the movements of suspects, people of interest and missing children across the CCTV network may hold the answer. How, then, does this new technology operate in the real world?

An imaginary Case Study

Imagine a person who has travelled from Sierra Leone to the UK presents at hospital and tests confirm a positive diagnosis of Ebola, immediately triggering a chain reaction of events that begins with treatment of the patient but, in tandem, encourages an investigation designed to locate the people that may have come into close contact with the patient.

In this instance, the investigation reveals that the victim arrived in the UK a week earlier on a flight from Freetown to London via a connecting flight from Paris. The team calls the airport and they co-ordinate with the airlines to request the manifest for the two flights such that all passengers might be contacted. At the same time, the airport is sent an electronic photograph of the patient which is then passed across to the Control Room operators.

That photo is uploaded to the system and every second of footage captured by every camera from the time the plane arrived at the gate is scanned in minutes (not hours). Security officers are then presented with a shortlist of people matching the patient’s photo. The CCTV operator narrows the search by selecting the right person and is automatically presented with every instance in which the patient appears on camera. Those camera images are time-stamped on a map of the airport that’s also presented to the operator so that he or she can see exactly the route the infected person took and when.

The surveillance operator is then able to drill down still further, clicking on each image to replay the footage in order to gain more insight (ie did the person speak or shake hands with anyone, kiss or hug anyone or share a bottle of water or a sandwich?). They’re looking for any detail, in fact, that could give cause for concern around cross-contamination.

Known members of airport staff that came into contact with the patient can be identified and communicated with in the appropriate way. Meanwhile, the movement of unknown people who came into close contact with the patient can be tracked in the same way to help kickstart the identification process.

Tackling unconventional foes

Obviously, such a solution isn’t going to wipe out the threat from Ebola. However, it’s one way in which technology investments being made by airport management teams to enhance security against the ‘familiar’ threats can be leveraged in helping to confront a more ‘unconventional’ foe.

Whether we’re fighting the threat of terrorism or disease, the answer lies in being able to glean as much information as possible for dissemination to the right people at the right time, and having the tools and capabilities to hand such that security can play an effective part in the co-ordinated and joined-up efforts designed to act around – and react to – changing situations.

The risk posed by Ebola is yet another reminder of the important role airport management teams have to play in helping to preserve the safety, security and well-being of not only those specific people who work within and travel through these locations but also the wider population at large.


Transport Sector: Intelligent Video in Airports

When video makes money

Boosted by intelligent analysis functions, CCTV cameras can potentially do much more than solely provide security surveillance solutions. As Denis Castanet concludes, they might even contribute to an operating airport’s bottom line

Without doubt, video surveillance is one of the cornerstones in every airport’s security concept. Given the advent of intelligent video analysis, management teams are able to streamline their security operations and greatly reduce manual labour in the Control Room by only transmitting images and alerts whenever pre-defined events occur.

It’s the case that many commentators primarily think of this kind of efficiency gain when talking about intelligent video. However, with the Internet of Everything now emerging and an abundance of intelligent sensors looming large on the horizon, intelligent video will be able to go much further.

While not necessarily a reality today, you can easily think of intelligent video being used as an enabler of new services for both passengers and tenants, in turn opening up new business opportunities for airport operators. Upfront investment in such services would be minimal as the entire infrastructure – including the cameras – is already in place. It’s really then a matter of identifying opportunities, developing the additional services and subsequently deploying them.

Service delivery management

One of the main areas in which intelligent video could potentially offer additional benefits to an airport operator is service delivery management. By way of example, the Video Management System can use one or multiple camera images for crowd density analysis and thus focus on queues at boarding gates, passport control and baggage check areas. Such an application could offer real-time information about the current situation, but thought processes can also turn towards trend analyses or a comparison with historical data. Information like this could prove invaluable for targeted staff assignments in real-time as well as future personnel planning.

Importance of information

What about automatic performance measurement at check-in areas and also of contracted security companies? Passenger information is another important area. A passenger information system employing intelligent video will have the potential to greatly increase the customer experience with real-time information on waiting times or even live images from the boarding gate allowing passengers to enjoy their stay at the airport as much as possible rather than spending time at the gate.

In such a scenario, real-time images could either be displayed on public terminals or even be sent directly to a known passenger’s mobile device once they’ve enrolled for that specific service. Applications like these will also please tenants in the shopping and restaurant areas of the terminal building as passengers will have more time to spend at their outlets.

People counting applications

Using metadata from the video surveillance system, security risk managers can also develop people counting applications which, in conjunction with flow and crowd density analyses, open up additional services to assist shop and restaurant owners in maximising efficiencies or determining the effects of specific offers or activities on site. One vision here is to empower airport operators in developing rental charge schemes based on real and proven traffic. In addition, such data can be used to detect bottlenecks or hotspots and subsequently improve space usage within the terminal.

Security is – and will probably remain – the single biggest reason to install comprehensive video solutions at airports. That said, thinking beyond ‘just security’ can open our eyes to a plethora of new opportunities which can even turn surveillance video into a money-maker. Now there’s something to think about.

Denis Castanet: Director of Business Development (EMEA) at Bosch Security Systems


Transport Sector: Security Guarding for Travel Hubs

Covering all bases

In terms of the UK’s bus and coach terminals and train stations, what security procedures are in place to deter a repeat of the London terrorist attacks during 2005 and 2007? Danny Williams assesses the key role of security personnel

Why are there no physical security measures at bus/coach terminals or train stations? When you fly or sail away on holiday or business, you fully expect to be subject to certain security procedures aimed at keeping you and your fellow passengers safe and sound. However, we’re not subject to the same safety measures when boarding a bus, coach or train. The British Transport Police (BTP) has the responsibility for policing bus/coach terminals and train stations, of course, but what actual security procedures are in place to deter a repeat of the terrorist attacks in London back in 2005 and 2007?

Let’s compare the situation with maritime security. All people, cars and light vans, freight units and deliveries have to go through certain security procedures before entry to any port estate is allowed. Legislation states all the above must be searched before being allowed to board ferries/ships. However, people who use buses, trains and the London Underground simply enter the premises and then board without any physical security measures to prevent the conveyance of bombs or weapons that could be used to attack.

Within the maritime discipline, port locations generally deal with the transfer of passengers from coaches, trains and buses. These passengers will have embarked at any given location along the route their mode of transport has taken. What’s more, it’s very likely they will have begun their journey from a location where there were no security procedures in place. Subsequently, it falls upon the port facility to ensure these passengers – and their belongings – are subject to search procedures as laid out within maritime legislation.

Lack of satisfactory resources

There’s no doubt that the BTP and, indeed, individual national police forces have been affected by the Government’s austerity measures. Unfortunately, this means they simply do not have the satisfactory resources available to deal with everyday crime, let alone the prevention of terrorism on our busy transport networks. As the 2005 and 2007 London bombings proved, anyone can walk off the street into a transport terminal and board a train, bus or the London Underground with impunity. Most of the time, there will be absolutely no sign of the BTP or even a local police presence.

The Department for Transport did carry out trials into the use of mass passenger screening at five mainline rail and tube stations in London in 2006 but the research showed that, while people were largely positive about the need for such checks to be carried out, they were not willing to accept major delays to their journey. In June 2008, transport ministers ruled out the use of airport-style screening at rail and underground hubs, stating the technology then available meant it was not feasible to introduce 100% screening of such large passenger flows at the thousands of entry points present on the UK’s rail and underground networks.

The Department for Transport also carried out studies into security at public transport locations and, from the findings, produced a guidance document that covers generic security procedures. However, it’s only for guidance. No actual legislation has been passed to ensure the procedures outlined are enacted.

Role for private security companies

Is there a role for private security companies in all of this? Uniformed security officers at ports and airports are viewed as one of the main deterrents to anyone who wants to conduct an unlawful act. They are a deterrent because security officers represent a visible presence and one that could greatly reduce the risk of incidents on other transport modes.

Of course, some locations do already have private security officers in place. The main difference is that those officers on duty in bus and train stations are generally there to concentrate more on the delivery of customer service while their counterparts at maritime or aviation locations are, in the main, focused on the prevention of terrorism.

As risk profiles change and technology develops, it’s imperative that security providers engage in deploying the most educated personnel to address all legislative requirements while executing their daily duties.


Danny Williams: Maritime Director (UK) at Securitas Security Services


Security in the Food Supply Chain

The Race for Traceability

Traceability allows food supply chain managers to assess the extent of a risk and stop bad ingredients from passing further up that chain. The key challenge for food processors has always been to make this procedure work efficiently and with the highest degree of accuracy. Duncan Moir outlines Best Practice techniques

Wherever your company sits in the food process manufacturing supply chain, you’ll understand the importance of effective traceability to meet European Union legislation and myriad regulatory requirements.

Product recalls are pretty much unavoidable, but it’s the way in which they’re handled within the industry that needs to improve. Over a period of 33 months, the Food Standards Agency issued no less than 141 food alerts, product withdrawals and recalls affecting hundreds of different items. That situation demands to be addressed.

In recent years, the public has gained a far greater understanding of traceability through high profile recalls. While it cannot prevent criminal acts such as livestock passport fraud, traceability’s primary role is to allow the food supply chain to assess the extent of a risk and prevent bad ingredients from passing further up the chain or – in the worst case scenario – into the hands of consumers.

The challenge for food processors has always been to make traceability work efficiently and with high degrees of accuracy. The number of entries needed for even a simple operation can soon spiral out of control. Take a company producing a single pie filling that uses 30 ingredients – all delivered three times a week – to produce three batches going to eight distribution points. That’s a total of 32,400 traceability points in a single week. Bear in mind this doesn’t even include contact with different machines and storage locations.

Traceability produces huge amounts of data but many companies still run this mission-critical area as a paper-based process.

When an issue is identified that could spark a store recall or production run withdrawal, it’s very much the case that confidence, accuracy and speed become critical factors. Management should be able to identify all affected batches in a matter of minutes.

Recalls can be damaging for a business’ reputation. They may lead to fines being imposed, product removal from shelves at your cost or the business being overlooked during range reviews that could prove an important source of new income. This is exactly why it’s so critical to act quickly and with confidence.

Retailers take a hardline approach to enforce good practice – and no wonder. This is a matter of public health and regulation. Crucially, it’s the retailer whose name is often remembered when products are recalled and not that of the supplier. If a retailer harbours any doubts about the robustness of the recall information you provide on affected batches, all of your products could be removed from the shelves.

Think about that for a moment… Who’s your largest customer and what percentage of your revenue do they represent? More importantly, can you afford to lose that income stream? The answer has to be an emphatic: ‘No’.

Delivering effective traceability

Implementing traceability correctly within your organisation can help meet the regulatory demands of being a process manufacturer with increased efficiency and afford peace of mind that, if you ever need to call on the data, it will be a swift and pain-free experience.

The goal is to fashion a supply chain in which traceability processes and recording are of the highest possible standard in tandem with rigid enforcement of rules and data quality. Companies that can demonstrate this robust level of traceability have a distinct advantage over their competitors.

For traceability to bring the benefits of lower cost, reduced risk and higher revenues, a business-wide approach must be adopted for implementation that encompasses people, process and technology.

The primary goal has to be ensuring traceability processes take place as close to each production interaction as possible and at every step an ingredient (including packaging) is received, released, handled, introduced to a machine, moved or tested. In truth, it ought to be an automated and embedded process rather than an extra step.

There are a number of key areas to be considered when making effective traceability a reality. Let’s examine them.

Accuracy of information

As stated, many food processors still use paper-based solutions for traceability of ingredients and the manufacturing process. In many cases, even those that use spreadsheets or simple databases import information to the systems using some form of post-processing whereby an administrator re-keys information gathered on paper. Inevitably, errors occur either through boredom or sheer laziness and, because the process is manual, the checks carried out against the data are just as likely to fail.

Unfortunately, these errors are usually only noticed through an audit or when the need for a recall arises. The latter is the worst possible time as it leads to delays and erodes confidence in the results. This can have serious repercussions if a retailer is involved and may lead to a much wider range of batches and products being recalled as a precautionary measure – and all at the processor’s cost.

Validating your data

Whatever process is used for traceability, validating the data that’s collected is absolutely critical. As data enters an electronic system it should be checked against other records and rules to ensure that batch numbers, dates, times, location codes, staff IDs and quality control data are recorded properly and that they cross-match. This ensures the integrity of the information collected and that it can be trusted when needed at a future point in time.

Traceability at speed

Traceability records should make their way into an electronic system as quickly as possible. That process should be simple, if not instant, and automated.

Speed is at its most critical when a potential withdrawal of product needs to take place. Whether the instigator is a retailer, supplier or your own quality control checks, it should be possible to narrow down the recall to specific criteria as quickly as possible. The aim should be five minutes. With the right people, processes and technology in place this can become a normal response time.

If data is stored electronically – whether it’s an ingredient, machine, manufacturing process or some other factor that’s the cause – it’s possible to instantly query the traceability data and subsequently identify the batches affected.

Controlling traceability

Part of making sure the correct systems and processes are in place for traceability is ensuring that they can be controlled. At every point where an ingredient or product changes location, is introduced to the manufacturing process or completed ready for distribution it’s the case that a traceability record is created.

Wherever traceability is a parallel process to existing systems, a manual procedure or an additional step there’s the chance it might be overlooked. Recording traceability records has to be as easy as possible, not require additional steps and be as close a part of the process – if not an invisible one – that a member of the manufacturing staff would go through at each step of production.

Integration with other manufacturing systems

There are other aspects of manufacturing systems that play an important role in traceability: distribution, warehousing, machine maintenance, supply chain data and quality control. These can all make use of – and support – a robust traceability process. For example, if cross-contamination occurs you could easily identify the machines or storage locations that have come into contact with a given product.

By integrating traceability with other manufacturing systems a fuller picture of the production lifecycle is made possible and readily available at the fingertips of those who need to consider a withdrawal of product(s).

If traceability is part of the production process and systems, rather than a raft of processes in its own right, then systems reflect the real world: all of the information about every ingredient, machine, person, storage location and process interaction is logged by time and individual. This detail can also be electronically passed up and down the supply chain as and when required.

Fully-ERP integrated traceability addresses these issues, removing risk and administration tasks. It also increases confidence and makes your business more efficient, in turn allowing staff to focus on creating fantastic products.

As time progresses, the demands of major food retailers around traceability are only going to increase. In the current competitive and sensitive landscape, suppliers who can demonstrate they have traceability embedded within their process manufacturing remit will reap the rewards as others fall by the wayside.

Duncan Moir: Product Director for Process Manufacturing at Epicor UK
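The entry-time checks described under ‘Validating your data’ and the recall query described under ‘Traceability at speed’, sketched as an added Python example that is not taken from the article or from any vendor’s product. The record layout, lot and batch numbers, supplier names, staff IDs and location codes are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime

# Reference data that incoming records must cross-match (constructed values).
STAFF_IDS = {"S014", "S022"}
LOCATION_CODES = {"GOODS-IN", "MIXER-1", "OVEN-1", "DISPATCH"}


@dataclass(frozen=True)
class Record:
    kind: str        # "receive", "consume" or "dispatch"
    item: str        # ingredient lot or batch the record is about
    target: str      # supplier, output batch or distribution point
    when: datetime
    location: str
    staff: str


class TraceStore:
    def __init__(self):
        self.created = {}    # lot/batch id -> time it first existed on site
        self.used_in = {}    # lot/batch id -> set of batches it went into
        self.sent_to = {}    # batch id -> set of distribution points
        self.rejected = []   # (record, reasons): held for correction, never stored

    def validate(self, rec):
        """Return the rule violations for one record; an empty list means accept."""
        errors = []
        if rec.staff not in STAFF_IDS:
            errors.append(f"unknown staff ID {rec.staff}")
        if rec.location not in LOCATION_CODES:
            errors.append(f"unknown location code {rec.location}")
        if rec.kind == "receive":
            if rec.item in self.created:
                errors.append(f"duplicate lot number {rec.item}")
        elif rec.kind in ("consume", "dispatch"):
            born = self.created.get(rec.item)
            if born is None:
                errors.append(f"{rec.item} has no receipt or production record")
            elif rec.when < born:
                errors.append(f"{rec.item} is used before it existed")
        else:
            errors.append(f"unknown record kind {rec.kind}")
        return errors

    def add(self, rec):
        """Validate at the point of entry; only clean records reach the store."""
        errors = self.validate(rec)
        if errors:
            self.rejected.append((rec, errors))
            return False
        if rec.kind == "receive":
            self.created[rec.item] = rec.when
        elif rec.kind == "consume":
            self.used_in.setdefault(rec.item, set()).add(rec.target)
            self.created.setdefault(rec.target, rec.when)
        else:
            self.sent_to.setdefault(rec.item, set()).add(rec.target)
        return True

    def recall(self, lot):
        """Forward-trace a lot through intermediate batches to distribution points."""
        affected, queue = set(), deque([lot])
        while queue:
            for batch in self.used_in.get(queue.popleft(), ()):
                if batch not in affected:
                    affected.add(batch)
                    queue.append(batch)
        points = set().union(*(self.sent_to.get(b, ()) for b in affected))
        return sorted(affected), sorted(points)


# Constructed sample: a filling made from beef, pies made from filling and flour.
SAMPLE = [
    ("receive", "FLOUR-L100", "MillCo", "2014-11-03T06:00", "GOODS-IN", "S014"),
    ("receive", "BEEF-L200", "FarmCo", "2014-11-03T06:30", "GOODS-IN", "S014"),
    ("receive", "BEEF-L201", "FarmCo", "2014-11-04T06:30", "GOODS-IN", "S014"),
    ("consume", "BEEF-L200", "FILL-B1", "2014-11-03T09:00", "MIXER-1", "S022"),
    ("consume", "FILL-B1", "PIE-B10", "2014-11-03T11:00", "OVEN-1", "S022"),
    ("consume", "FLOUR-L100", "PIE-B10", "2014-11-03T11:05", "OVEN-1", "S022"),
    ("consume", "BEEF-L201", "PIE-B11", "2014-11-04T11:00", "OVEN-1", "S022"),
    ("consume", "FLOUR-L100", "PIE-B11", "2014-11-04T11:05", "OVEN-1", "S022"),
    ("dispatch", "PIE-B10", "DC-NORTH", "2014-11-03T15:00", "DISPATCH", "S014"),
    ("dispatch", "PIE-B10", "DC-SOUTH", "2014-11-03T15:30", "DISPATCH", "S014"),
    ("dispatch", "PIE-B11", "DC-NORTH", "2014-11-04T15:00", "DISPATCH", "S014"),
    ("consume", "BEEF-L999", "FILL-B3", "2014-11-04T09:00", "MIXER-1", "S022"),  # mis-keyed lot
    ("consume", "BEEF-L201", "FILL-B4", "2014-11-03T09:00", "MIXER-1", "S022"),  # before receipt
    ("dispatch", "PIE-B11", "DC-EAST", "2014-11-04T16:00", "DISPATCH", "S099"),  # unknown staff
]


def load_sample():
    store = TraceStore()
    for kind, item, target, when, location, staff in SAMPLE:
        store.add(Record(kind, item, target, datetime.fromisoformat(when), location, staff))
    return store
```

Because the three faulty records are refused on entry, the recall for a given lot returns only batches and distribution points backed by records that cross-match, which is what keeps the recall narrow.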


Security and Risk Management for the Utilities

Liquid Gold: Safeguarding water supplies

Population growth, increasing industrial development and urbanisation have resulted in 50% of the world’s population living in cities and consuming 60% of the planet’s drinking water. Tony O’Brien explains why the provision and protection of water – an essential service critical to health and well-being – must be of paramount importance to security and crisis management concepts

With the UK currently facing a ‘Severe’ threat from international terrorism, damage or destruction to the water supply and its underlying infrastructure by terrorist and/or extremist groups could threaten public health and possibly result in the loss of life.

Water supplies and their management sites are vulnerable not only to high risk threats such as this but also natural and environmental hazards like droughts and flooding in addition to walk-in crime and vandalism. That being so, the daily protection of personnel, buildings and assets is absolutely vital.

Water infrastructure systems include vast areas of surface and underground set-ups and thousands of miles of pipes. Often, the scale and remoteness of the sites themselves can render them vulnerable. They might be linked with other infrastructures, notably those for electrical power and transportation, in turn rendering security a greater issue of concern.

Even low level intrusions might cause nuisance, disruption, damage and loss of assets. At a higher level, meanwhile, there’s the risk of attack which could result in disruption to vital services for extended periods and a subsequent loss of public confidence.

Reservoirs, mains, sewers and treatment works represent around three-quarters of all water industry assets. Less attention may be focused on protecting wastewater treatment facilities possibly because their potential destruction represents more of an environmental threat than a direct one to life and public welfare. However, vulnerabilities do exist here. Large underground sewers could be accessed by terrorist groups and toxic chemicals released into the water supply.

In addition, water and sewerage companies need pumps, vehicles, IT solutions, remote monitoring, control systems and other essential equipment to be protected at all times.

The water industry faces a broad range of challenges in order to secure a viable and long-term competitive future. The key drivers are increased turnover, reduced costs, improved operational efficiencies and the development of a sustainable sector for the years ahead.

Tackling the operational challenges

Each day, the UK’s water industry collects, treats and supplies more than 17 billion litres of high quality water to domestic and commercial customers and then collects and treats over 16 billion litres of the resulting wastewater, returning it safely to the environment.

Water authorities are required to make provision for maintaining water supplies and sewerage services at all times. It follows that they need maximum protection for their people, premises and processes to ensure security of that supply and the support of specialist suppliers in order to help them address these challenging requirements.

It’s apparent that the water industry faces real operational challenges, but they can be reduced through the adoption of an integrated, technology-based approach. One that’s supported through the help of experienced and knowledgeable technology partners who wholly understand the specific requirements of what is a complex industry sector.

Key criteria for any security system to meet would include a 24-hour all-weather capability, detection and verification of all persons attempting to breach the perimeter, detection of any attempt to defeat the access control systems and the effective security management of all systems.

Large and complex sites may need to meet further stringent criteria, among them UK Government standards. Some sites might be subject to inclement weather conditions including high winds and salt in the air which may cause equipment deterioration if functioning systems are not fully protected.

Installed and commissioned security systems should actively deter, detect and deny unauthorised intrusion and communicate these events while also providing for effective control of any security incident.

Security risk professionals must seek to deter any attempt at unauthorised intrusion by showing visible and effective security and safety measures. They also need to detect unauthorised intrusions on site by individuals, vehicles or water-borne craft through or across the site perimeter safety fence.

Further, they must seek to deny attempts to defeat or bypass access control measures on the perimeter – or between controlled areas and security zones – and deny access to the site (within the limits of the capacity of installed fences, gates, barriers and doors).

Last, but not least, security risk professionals must look to communicate security events to their staff and other designated personnel, and also realise the technical means for effective control of security incidents. There are considerations around providing roll-call and mustering capabilities for site security and safety incidents and ensuring a continual, effective interface with site safety systems.

Command and control platforms

At the heart of some of today’s safety and security solutions are innovative command and control platforms designed to improve protection across multiple sites, manage critical situations and enhance procedures.

These software-centric solutions will integrate with existing security investment, adapt to specific corporate security and safety policies and incorporate sub-systems such as access control, video surveillance, fire detection and extinguishing, emergency call systems and communications. In turn, this ensures business continuity.

As stated earlier, water infrastructure systems are particularly vulnerable as they extend over vast areas and are often found in remote locations. It’s not only difficult and expensive to safeguard large perimeters and fence lines, but the requirement for costly duct networks – together with the associated power supplies and cabling infrastructure – places significant demands on available resources.

One example of how to assist with securing assets across wide area perimeters is the introduction of solar-powered perimeter protection. Anglian Water is the first water company to benefit from solar-powered electronic perimeter protection in the form of the Si-IR and Si-Fence. Si-IR is a wireless networked solar-powered active infrared beam detection system while Si-Fence is a solar-powered, fence-mounted perimeter intrusion detection system. Both technologies operate on a light source, not just sunlight, remaining powered for up to three months – even in total darkness.

In addition to safeguarding assets, these solutions are designed to improve green credentials and assist with carbon reduction programmes. In fact, this new solution has saved Anglian Water valuable construction time and money as there was no need to install civils, power and communications. Importantly, the systems will also provide considerable savings on future running costs.

Asset management, the requirement for high-level protection, the strategic investment opportunities presented by the SEMD Programme, various programme requirements as well as necessary compliance with OFWAT national regulations and controls all contribute to the drive towards maximising operational effectiveness.

In truth, the answer lies in a systematic approach. One that should include the development of a clear technological roadmap configured to drive a coherent, joined-up and long-term investment strategy and one that includes safety and security at its very core.

Enhanced asset management

From a technology perspective, investments in advanced and bespoke protection solutions that ensure security of supply and have the ability to integrate legacy systems while at the same time assisting with business continuity will enhance the resilience of the service and improve asset management.

To further assist the water industry, end-to-end solutions realising technological convergence deliver benefits by way of improved costs. In parallel, the use of bespoke framework agreements strengthens the procurement process.

Adopting new technology – which enables access to (and the interpretation of) essential data – as well as effective risk management strategies will be essential elements in the creation of a sustainable future for the sector.

Tony O’Brien: Head of Enterprise Solutions at Siemens Building Technologies


Safety Showers in the Workplace: Best Practice Design

Thought shower

Given the health risks posed by liquid chemicals in the manufacturing sector, Robert Moore considers what constitutes Best Practice when it comes to safety shower design within hazardous working environments

Manufacturing facilities can be dangerous places. Even with the most stringent of Health and Safety procedures in place, accidents can – and occasionally do – happen. The consequences may be extremely serious.

The risk posed by liquid chemicals, for example, is not so much one of ingestion but rather from spillages and/or the liquid being accidentally splashed onto clothing or someone’s skin. The most dangerous scenario, of course, is when a chemical finds its way into an unlucky person’s eyes.

Manufacturers – and their counterparts in laboratories and pharmaceutical facilities – have long since identified this risk and taken steps to limit potential harm to their employees. Wash stations are de rigueur, as are safety showers in the event that the body needs to be fully immersed.

Standards governing design

Despite the essential nature of such equipment, ensuring a business is ‘compliant’ from a Health and Safety perspective is somewhat confusing since there are only a few recognised standards specifically governing the design and performance of safety showers. There appears to be no complete EU or UK standard covering all types of shower for all types of installation.

The existing EN15154 standard has four completed parts that address plumbed-in showers in laboratories and plumbed-in eye showers for both laboratories and industrial/logistics sites as well as tank showers (non-plumbed) for all sites. However, there’s no finalised standard covering plumbed-in showers for industrial (non-lab) sites.

The lack of clear EU standards doesn’t mean that an employer can install any form of shower and ‘get away with it’. They must abide by clear legal requirements to provide appropriate First Aid equipment, but the lack of an agreed standard does make the definition of ‘appropriate’ somewhat difficult to determine.

Perhaps employers could look further afield for advice and, more specifically, turn their attentions Stateside? America’s ANSI Z358.1-2004/2009 is a more or less holistic standard covering most types of shower and eye bath. Its scope is for all types of working environments. The thoroughness of this standard means it has become the essential reference point for those employers seeking Best Practice.

Similarly, the German DIN 12899-3:2009 standard covers plumbed and tank body showers for industrial and logistics sites, thus plugging the substantial gap existing in the current European norm. Indeed, it’s believed that the German standard will be followed when Part Five of the EU legislation is finally completed.

Employers have a responsibility to ensure that a shower will work when it’s needed. Best Practice would include an audit of when a shower was last used. It would also encompass some form of alert mechanism to show when the shower had been activated (and particularly at a time when an individual may be working alone).

Providing an audit trail

Technology is there to assist. A Limitless wireless switch, for example, can be easily installed on existing safety shower units and integrated with local or central alarms, building management systems and CCTV, not only to improve critical first alert response times in the event of an accident, but also to provide an audit trail of when each safety shower/eye wash station has been used. This also supports employers in documenting their Health and Safety obligations when it comes to the law of the land.

Being wireless, it enables any washing facility – regardless of where it may be located on site – to be centrally located and tracked such that, if an emergency should occur, help is always close at hand. The switch can be manually operated or set to automatically trigger an alarm the moment a valve is opened.

The solutions are available in two wireless protocols. First, there’s a Limitless point-to-point protocol where switches transmit directly with a receiver. Here, the protocol allows for lost connectivity and low battery diagnostics.

Second, there’s the ‘OneWireless’ multi-application, multi-standard wireless network that can be tailored to offer the network coverage needed for large industrial applications. Field devices mesh, in turn allowing for multiple RF transmission pathways.

Robert Moore: Product Director (EMEA) for Electromechanical Switches and Test and Measurement Products at Honeywell Sensing and Control


Corporate Security Risk: Is it any different from other forms of risk management? Y’s Global Information Security Survey 2012 suggests that only around 5% of businesses employ a Chief Risk Officer. Of course, smaller organisations may not have a dedicated Risk Officer in place for myriad reasons but, generally speaking, for larger concerns it’s considered good business practice if there’s a senior person in situ with risk as their remit and direct area of accountability. Stepping down a level from overall business risk to security risk, the latter isn’t always a part of ‘Boardroom DNA’. This in itself seems like a risk given the overriding need for good quality, carefully embedded security in today’s businesses. In essence, it makes for good corporate governance when security risk is part of the organisational DNA, and yet the same EY research highlights the fact that almost half of those companies surveyed across the UK in 2012 didn’t discuss Information Security at the top of their organisational structure. It’s not possible to establish if those organisations responding to EY’s questions consider security to be part of the Chief Risk Officer’s remit. From a security perspective, though, you can begin to see the emerging picture and the disconnect between the culture setters: the Boardroom and their businesses. For some reason, ‘Security’ appears to be in a box all by itself. How many Information Security practitioners harbour a risk background or have undergone proper and robust risk training? Very frequently, this function ‘falls out’ of the IT Department. While an IT understanding is very important, it’s also part of an overall threat surface and is by no means the only area that a comprehensive Information Security strategy must cover. Allowing IT to drive the Information Security agenda isn’t appropriate and yet around 63% of businesses apparently align their Information Security risk to their IT strategy. Security is so vital to any

E

48

www.risk-uk.com

In today’s world, security is so vitally important for any organisation. However, from a managerial perspective it sometimes appears that the dots are not joined between overall risk and security. Surely there are elements of security that ought to be considered in various risk areas of an organisation? Mike Gillespie focuses on this central topic organisation, but sometimes it seems as if we just don’t join the dots between overall risk and security as a matter of course. In summary, then, we’re lacking Chief Risk Officers. Those Chief Risk Officers in residence may not be including security in their assessments and there’s not enough good quality Board-level representation for security to advise, plan and help build the discipline into all business functions.

Threat, Risk, Strategy, Policy When examining how projects are risk assessed there will be many elements and processes that need to be considered, included or mitigated. Using the example of a product development project, the financial risk tolerances and appetites will have been assessed and set and the teams and leaders will know where the thresholds lie and what they need to do in order to move the project along within those guidelines. They’ll also comprehend at which juncture they might need to raise the red flag if it looks like the project is at risk. However, some of those considerations may have been security risks. There may well be a Risk Register in place for the security team that includes some elements with which the product development specialists might be working. For instance, let’s assume all the talk is of new software requirements. These might be necessary in order to expedite the project. The financial tolerances and appetites may have been established and observed and the team may have checked with end user groups and IT to establish the correct software applications to be considered, but what if the chosen software is purchased and installed without it having passed through a security risk assessment? In this instance, for argument’s sake let’s say that the risk assessment simply missed out security as an indicator. Given that all criteria are satisfied, the decision is taken to press on and issue the software. The project goes ahead but then it’s discovered that the new software


TheSecurityInstitute'sView November2014_riskuk_nov14 07/11/2014 14:14 Page 49

The Security Institute’s View

is, in fact, a platform. The information it readily makes good use of is Cloud-hosted. The Cloud provider has suffered a security incident and the data is now placed at risk. Security may well have had Cloud-based applications on the Risk Register and a very close control could have been maintained around what applications should be enabled. However, since in this case the solution was procured and installed independently of security, the element(s) of risk that really should have rested with the security team is now ownerless and, consequently, the business entity finds itself under threat.

Separate Risk Registers: a problem

Security might be disconnected from the main business and may have a standalone Risk Register that could include vital pieces of information. These may have been needed by the project teams in our example, but the constituents of those teams simply didn’t have access to them. They may be totally unaware of the elements that other parts of the business need to be including in risk assessment procedures or the Risk Register itself.

If there’s no effective communication mechanism or path from security through to the business as a whole – or, more specifically, the Boardroom – then risk is actually being created. Projected costs and timelines might be inaccurate and, on that basis, projects or processes could potentially fail. That failure is the direct result of a ‘corporate disconnect’ with security risk. By the time the risk has been discovered, it will have matured and potentially be able to de-rail or otherwise seriously delay a given project.

It’s absolutely vital for any business to have a risk management process in place that’s clear, concise, consistent and repeatable (with the emphasis being on repeatable). To achieve that status quo, a business has to set out how it wishes risk to be managed in a ‘top management’ or C-Suite approved policy and then make sure resources are applied to ensure that policy is educated and adhered to by all members of staff at all times.

Once again we can see the importance of good culture coming from the top of an organisation and setting the tone for how risk and security will be dealt with throughout various teams and units. If this doesn’t happen then a business will not exhibit an effective risk management process and risk will not be managed at the level appointed by ‘top management’. Here, risk is not being accepted at appropriate levels throughout the organisation and, instead, may be accepted by people at an entirely inappropriate level. Alternatively, the understanding of risk will be below par and the following scenario may develop:

• The risk is accepted at a lower level of management as it has been incorrectly assessed as being a low risk and bypasses any strategic management involvement
• The risk isn’t identified as a proper risk management process hasn’t been employed
• The risk is over-assessed which may cause delays on critical business outputs and/or use up too much resource in mitigation
• Risks may even be created out of thin air

From strategic to tactical levels

Risk management needs to be carried out as an organisation-wide activity that addresses all forms of risk from the strategic to the tactical level. An holistic approach ensures that risk-based decision-making is at the very heart of the organisation and drives any resulting policy.

The best Risk Registers include all risks to the business and are broken down into sections – Information Security Risks, Operational Risks, Corporate Risks and so on. This approach makes communication and presentation to top management – or the C-Suite – much clearer and really enables strategic risk decisions.

We undoubtedly face a business challenge when considering risk. Our language, approach and strategy needs to be continually reviewed and there has to be an holistic and business-based approach to integrating security within our thinking at all levels and across all silos.

Mike Gillespie MSyI MBCS MInstISP CIRM: Director of Cyber Research and Security at The Security Institute

“How many Information Security practitioners harbour a risk background or have undergone proper and robust risk training? Very frequently, this function ‘falls out’ of the IT Department”

www.risk-uk.com



In the Spotlight: ASIS International UK Chapter

Physical Access Governance: Assuring Compliance, Reducing Risk, Saving Costs

How might organisations ensure compliance around physical access in today’s business environment? Further, what challenges confront them when attempting to do so? Dr Vibhor Gupta examines Physical Identity and Access Management solutions and their ability to reduce both risk and operational costs

Banks, financial institutions and companies (such as utility providers) managing our Critical National Infrastructure – including nuclear power plants and data centres – are mandated to ensure compliance against Government and/or industry regulations for several areas of their operation. Importantly, risks associated with any failure around that compliance are often related to the financial and/or reputational profile of a given organisation and, that being the case, must be taken seriously at all levels.

On that basis, companies will implement rigorous processes and procedures alongside internal checks and balances to ensure they’re able to measure the level of their compliance and, in turn, identify any areas of concern. For its part, physical access governance within an organisation relates to:

• ensuring that the right individual has (physical) access to the right places and at the right times
• making certain that the required vetting and validation of any individual provided with such access has been carried out in accordance with the host organisation’s security policy
• the necessary approvals being received before physical access is provisioned for a particular area (for instance critical/high security data centres) for a specific individual
• the required training and certification (eg in relation to Health and Safety) being in place in accordance with the security policy governing any specific area
• physical access being revoked or suspended as per the defined and stated security policy

In order to measure and assure compliance around these various aspects, organisations have to collect, manage, analyse and report on often large amounts of data and processes during the ‘lifecycle’ of any individual who sets foot on the premises. This necessarily involves collaboration between several departments concerned with physical security, IT and data security, general business risk and continuity. However, in the main the ownership of – and liabilities around – such aspects rest with the Physical Security Department.

Hence the reason that, in a 2012 survey conducted jointly by the CSO magazine and the IDG Research Services Group, 63% of serving directors responsible for the physical security remit at medium/large-scale organisations who were questioned classified compliance around access governance as either ‘Critical’ or ‘High Priority’. That figure increases to 92% when all participants in the survey are included.

Compliance around physical access

How, then, do organisations ensure compliance around physical access in today’s business environment? Further, what challenges confront them when attempting to do so? Until now, there has been heavy reliance on the use of various solutions/devices such as physical access control systems to help measure those metrics previously outlined and, in turn, assure compliance.

In addition to the collection of data from such systems, measuring overall compliance involves a good deal of administrative effort and cost due to the lack of any easily identifiable audit trail for all processes leading to the data generation. This spend is further enhanced when there are disparate sources of information/systems deployed within a business. That statement is true for most global enterprises that have grown – either organically or by dint of mergers/acquisitions – and inherited a legacy infrastructure of disparate systems focused on different areas, sites or indeed regions.

Of late, many organisations have spent millions on standardising their systems – physical access control solutions among them – to one model or type with the intention of reducing risk and the administrative spend involved in measuring and ensuring compliance. In truth, such investments haven’t helped them that significantly.

Introduction of PIAM solutions

Dr Vibhor Gupta BSc (Hons) PhD: Technology Lead for the ASIS International UK Chapter Committee


In light of decreasing budgets around physical security in tandem with increasing operational costs, it becomes hugely important to identify a way in which all processes and data might be captured, audited, reported and analysed in the most cost and time-efficient manner. To meet that desire, a new class of enterprise software – designated Physical Identity and Access Management (PIAM) – has been introduced.

A PIAM solution allows physical security administrators a single self-service user interface from which they can view, control, audit and report on data and processes relating to employees, contractors or visitors and their physical access to a building or site. A key component of PIAM solutions is a rule-based engine which allows the administrators to define all workflows along with the necessary checks and balances required when provisioning physical access for a given individual. This permits physical security administrators to automate and audit the implementation of these processes through one single user interface. In turn, that means the elimination of any need to extract, normalise and stitch together data from multiple source systems. The end result is significant savings on both cost and effort.

The important thing to remember here is that PIAM solutions are not a replacement for physical access control systems or, indeed, Physical Security Information Management (PSIM) systems. Rather, they’re intended as a complementary fit within an organisation’s overall security infrastructure. PIAM solutions integrate with existing physical access control solutions to source/provision required data as per the workflows defined in their rule engine. In addition, PIAM solutions allow physical security administrators to schedule and create reports/audits that measure the host organisation’s level of compliance.

Examples of some typical end user questions for which a PIAM solution will help provide the answers are as follows:

• Are all those individuals with physical access to a particular area security cleared?
• Are there any people with physical access to a particular area who don’t meet the necessary training or certification requirements that are mandatory for this area? If so, has their physical access been terminated/suspended?
• Have all individuals with access to a particular area been approved for access by the respective area owner/authoriser?
• Has an area owner/authoriser validated all individuals who have access to their area?
• Have the results of any change in security policy or compliance regulations been implemented across all concerned areas and for all concerned individuals (ie employees, contractors or visitors)?
• What’s the actual scale of the impact for any such changes (ie how many people and areas are impacted)?
• How compliant is the host organisation in relation to various parameters defined as part of industry regulation (such as Sarbanes-Oxley, SAS16, Basel III, SAS70, NERC and FERC)?
• Has the organisation taken necessary action across areas where it’s currently failing in relation to compliance? Does this require any internal process re-engineering?
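Several of the questions above reduce to rules evaluated over identity, policy and access-grant records. The sketch below is an added example, not code from the article or from any PIAM product; the record schema, rule names, identifiers and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AreaPolicy:
    owner: str                    # area owner/authoriser who must approve access
    min_clearance: int            # vetting level required (0 = none)
    required_training: frozenset  # certifications that must be in date


@dataclass
class Person:
    kind: str                     # "employee", "contractor" or "visitor"
    clearance: int
    training: dict                # certification name -> expiry date
    active: bool = True           # False once the individual has left


@dataclass(frozen=True)
class Grant:
    person_id: str
    area: str
    approved_by: Optional[str]
    status: str = "active"        # "active", "suspended" or "revoked"


def audit(grants, people, policies, today):
    """Return sorted (person_id, area, rule) findings for active grants that break policy."""
    findings = set()
    for g in grants:
        if g.status != "active":
            continue              # suspended or revoked access has already been dealt with
        policy, person = policies[g.area], people.get(g.person_id)
        if person is None:        # grant with no matching identity record
            findings.add((g.person_id, g.area, "UNKNOWN_IDENTITY"))
            continue
        if not person.active:
            findings.add((g.person_id, g.area, "LEAVER_NOT_REVOKED"))
        if person.clearance < policy.min_clearance:
            findings.add((g.person_id, g.area, "CLEARANCE"))
        for cert in policy.required_training:
            expiry = person.training.get(cert)
            if expiry is None or expiry < today:
                findings.add((g.person_id, g.area, "TRAINING:" + cert))
        if g.approved_by != policy.owner:
            findings.add((g.person_id, g.area, "NOT_APPROVED_BY_OWNER"))
    return sorted(findings)


def compliance_rate(grants, findings):
    """Share of active grants that have no finding against them."""
    active = [g for g in grants if g.status == "active"]
    failing = {(p, a) for p, a, _ in findings}
    ok = sum((g.person_id, g.area) not in failing for g in active)
    return ok / len(active) if active else 1.0


def impact_of_change(grants, people, old, new, today):
    """People and areas that become non-compliant when policy set 'old' is replaced by 'new'."""
    added = set(audit(grants, people, new, today)) - set(audit(grants, people, old, today))
    return {"people": sorted({p for p, _, _ in added}),
            "areas": sorted({a for _, a, _ in added}),
            "findings": sorted(added)}


# Constructed sample data (not taken from any real system).
TODAY = date(2014, 11, 1)
POLICIES = {
    "data-centre": AreaPolicy("owner.dc", 2, frozenset({"health-and-safety"})),
    "lobby": AreaPolicy("owner.fm", 0, frozenset()),
}
# Proposed policy change: the lobby now also requires in-date Health and Safety training.
NEW_POLICIES = dict(POLICIES, lobby=AreaPolicy("owner.fm", 0, frozenset({"health-and-safety"})))
PEOPLE = {
    "E100": Person("employee", 3, {"health-and-safety": date(2015, 6, 30)}),
    "C200": Person("contractor", 1, {"health-and-safety": date(2015, 1, 31)}),
    "E300": Person("employee", 2, {"health-and-safety": date(2014, 9, 30)}),
    "E400": Person("employee", 2, {"health-and-safety": date(2015, 3, 1)}, active=False),
}
GRANTS = [
    Grant("E100", "data-centre", "owner.dc"),
    Grant("C200", "data-centre", "owner.dc"),                      # clearance too low
    Grant("E300", "data-centre", "owner.dc", status="suspended"),  # expired training, suspended
    Grant("E300", "lobby", "owner.fm"),
    Grant("E400", "data-centre", "owner.dc"),                      # leaver still holds access
    Grant("V500", "lobby", None),                                  # no identity record
    Grant("E100", "lobby", "owner.dc"),                            # approved by the wrong owner
]

if __name__ == "__main__":
    results = audit(GRANTS, PEOPLE, POLICIES, TODAY)
    for finding in results:
        print(finding)
    print("compliance rate:", round(compliance_rate(GRANTS, results), 2))
    print("impact of change:", impact_of_change(GRANTS, PEOPLE, POLICIES, NEW_POLICIES, TODAY))
```

Running the same rules against a proposed policy before it goes live shows which individuals and areas it would affect, so suspensions or retraining can be scheduled in advance.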

Reducing risk, assuring compliance

Time and cost savings which may be achieved through a PIAM solution are subject to the industry sector in which the host organisation operates, compliance mandates, processes and existing infrastructures. Various Case Studies and examples have shown that, on average, such solutions can help reduce overall operational costs by as much as 60%. Most importantly, the ability to proactively audit and manage processes provides a great opportunity for any business to significantly reduce its risks.

A typical return on investment for PIAM solutions is realised within eight-to-ten months from the date of implementation. That being so, a PIAM solution can help add value to an existing security infrastructure by providing opportunities to ensure compliance, reduce overall risk and render savings on the business’ operational costs.

Finally, it’s important to consider the ease of implementing a PIAM solution. As stated, the primary objectives of implementation are to reduce risk and cost while maintaining full business continuity. It’s highly recommended that end users consider a commercial off-the-shelf (or COTS) PIAM solution rather than those which are customised or otherwise bespoke versions of existing solutions.



Portable Fire Extinguishers: Best Practice training for technicians

Portable fire extinguishers are firmly placed on the front line of life protection. While there’s a trend in some areas towards removing them in favour of automatic systems and evacuation, their importance should never be underestimated. What, though, does Best Practice look like when it comes to training for the use of such systems? Ian Gurling has the answers

Anyone managing fire protection on company premises will be acutely aware of the need to protect people’s lives. The portable fire extinguisher technician holds responsibility for those lives through ensuring that the right extinguishers are available on site according to the assessed and perceived risks, and that those systems will function correctly when required to do so.

Current legislation exists to ensure technicians ‘get it right’. That legislation includes the Regulatory Reform (Fire Safety) Order, technician and Third Party Certification schemes (such as those provided by BAFE) and, of course, guidance documents like BS 5306. How does the technician make sure they are legislation compliant? The answer is: ‘Training’.

Let’s go back to basics for a moment. What instruction will your technician receive on a training course? In essence, he or she needs to know and fully understand the physics of fire, from the causes and processes of combustion right through to extinguishing. They need to understand flammable materials and extinguishing media as well as what happens when any of the wide range of such media are applied to a fire (and how they will react in relation to those materials with which they come into contact).

Technicians must also understand how to ‘read’ a risk assessment and estimate the potential scale of a fire before selecting the extinguisher(s) that will meet the risk. They must know the construction of portable fire extinguishers. Servicing a stored pressure extinguisher, for example, has obvious and inherent risks to personal safety on system stripping. If not correctly returned to a functioning condition, including pressurisation, the extinguisher may fail should it be needed. Technicians also have to understand their customer – the host organisation – and how to ensure that customer understands and fulfils their own individual requirements.

Ian Gurling: Training Manager at the Fire Industry Association


The key to a good training course is one that encourages an understanding of the subject and doesn’t just ‘teach to repeat’ what has been said on the day. If the training provider simply offers the answers to questions posed by the examination paper then the technician hasn’t developed the understanding necessary to apply what they’ve learned across various situations and scenarios. This is where respected and established training providers such as the Fire Industry Association (FIA) come into play. As a benchmark, the FIA’s course on this particular subject matter provides three days of comprehensive learning followed by the BAFE examination on Day Four. Over the three days of learning the technician will cover the theory and, in terms of the practical element, carry out stripping, inspecting and reassembly exercises for a range of portable fire extinguishers. Learners are encouraged to think for themselves and, with daily assessment of progress made, any difficulties in understanding or interpretation of the necessary standards are quickly addressed. This process affords the learner the greatest possible chance of success in the examination. As stated, for the FIA course it’s Day Four which is the designated examination day. As administrators for the Competent Technicians Scheme, it’s felt that BAFE is best placed to conduct the examination. BAFE harbours a comprehensive understanding of what’s required for entry to the scheme and, as such, will have a similar comprehension of testing that knowledge. Examiners from BAFE will attend to invigilate a two-hour paper and also conduct practical one-to-one assessments. BS 5306 recommends refresher training – a fact repeated in the requirement for the Competent Technicians Scheme – and it’s intended that refresher training be completed every three years. 
Unfortunately, the transient nature of the portables industry and individual demands placed on technicians means that regular refresher training may either not be possible or simply left for extended periods beyond the recommended timescale. If periods between training and refresher courses do become too extended then it’s the case that a four-day course may once again be required.

FIA Technical Briefing: Training on Portable Fire Extinguishers

Requiring measures of control

Making sure that portable extinguishers are maintained to a consistently high standard requires measures of control. Given the prior mention of Third Party Certification schemes, let’s start there. It’s hard to argue in favour of Third Party Certification when there’s no legislation requiring that certification, but this leaves businesses and individuals working commercially without it subject to criminal prosecution (as is the case for gas engineers). We also know that, without the cost of registering on such a scheme, businesses have the scope to undercut prices. In an industry where margins are already very small the attraction for not holding Third Party Certification becomes quickly apparent.

Third Party Certification works for both the individual technician and for the company employing them. It provides an easy point of reference to the end user that the company and individual they use knows what they’re doing, has the relevant and comprehensive support systems in place and the right tools for the job. It ensures that the service provider works to a recognised base standard (most companies will provide their own levels of added value to this standard in order to separate themselves from their competitors) which then ensures the end user knows what they should expect.

Commercially, it makes sense to hold Third Party Certification. It’s easy for any of us to make a statement that we can do something, but somewhat harder to provide evidence proving the point. Third Party Certification provides that evidence and training forms one extremely important aspect of Third Party Certification requirements. A given company cannot be awarded certification without competent technicians. For their part, it follows that technicians cannot be deemed competent without benefit of recognised and current training.

Moving on a stage further there’s the legislative requirements. The aforementioned Regulatory Reform (Fire Safety) Order states that there must be a Responsible Person for the fire safety of the premises and, in turn, that individual must employ Competent Persons to advise and carry out work on those fire safety systems within their area of specialisation. It’s highly unlikely that a Competent Person will remain the same individual for all systems within the fire safety programme. The Responsible Person has to be able to confirm a Competent Person’s claim to be competent. The best and easiest way to demonstrate competence is through Third Party Certification.

To date, the term ‘Competence’ has not been defined by law. As such, it’s assumed by the fire industry to be a combination of experience, the right tools for the job and, of course, training. With all of these elements in place the technician will have the confidence to stand up in court and say: “Yes, I am competent”. Even easier – and backing up that claim – would be to hold a certificate stating that the individual concerned has been independently audited and certificated by a third party.

Is training really necessary?

Do you really need training to service a portable fire extinguisher? Emphatically, the answer is: ‘Yes, you do!’ As is the case with many apparently simple tasks, the layman or untrained individual may be tempted to do it themselves. However, the risk here is that key aspects of safety may be inadvertently missed. Elements of fire risk could be omitted or misinterpreted. As a result, in the event of a fire portable extinguishers may prove to be insufficient or – worse still – completely wrong for the nature of the fire.

If the extinguisher or its provision should fail then lives are placed at risk and potentially lost. In the subsequent enquiry and possible court case, inevitably the competence of the service technician is going to be called into question. The most effective defence in court is Third Party Certification, which is recognised in the fire industry as the easiest means of demonstrating competence.


University challenge

What are the main issues at play on site when a security company takes over a contract where the incumbent provider has been in place for some time, and how might the new solutions team realise positive change for the end user? Neill Catton examines CIS Security’s strategy at King’s College London

When a security contract is acquired after a long period of occupation by a previous incumbent solutions provider, it can often be the case that the new supplier is tasked with raising service levels to a higher standard. Of course, this doesn’t necessarily mean that the previous supplier’s service levels were in some way inadequate. Rather, there can be a number of reasons at play which mean standards need to be raised, not least the fact that the nature of the tender process in our business sector can have a tendency to create something of a lull at the end of a contract.

For those security staff employed by the incumbent supplier, the transfer period can be a disruptive and uncertain time. While sleeves will need to be rolled up in order to modernise and raise service levels – notably in cities such as London that harbour their own unique security issues – a balance must always be struck to ensure security team members are feeling valued and motivated to redouble their efforts at the instigation of a new contract.

Neill Catton: Managing Director of CIS Security

‘Cradle to grave’ approach

The security services contract for King’s College London – one of the world’s leading research institutions and an entity encompassing five campuses – was awarded to CIS Security in January this year. The King’s Strand Campus is based close by the River Thames and provides a multitude of services to students and non-students alike. King’s College’s architecturally stunning suite of buildings sit adjacent to – and include part of – the landmark Somerset House. High profile buildings such as this do present a number of security challenges.

For its part, King’s College London is one of the world’s Top 20 universities, accommodating 26,000 students from over 140 countries worldwide and playing host to more than 7,000 members of staff. In addition, this revered academic institution hosts different buildings of varying ages and a broad cross-section of different types of end user across its campuses. It’s essential that regular dialogue is maintained with this cohort. Put simply, security must be a visible and approachable presence on campus.

CIS Security’s Stuart Butcher was selected to serve as operations manager on site in support of William Lyle (head of security at King’s College London) and set about reviewing processes and services in a ‘cradle to grave’ approach, invoking knowledge gleaned from his time working as security manager for one of the world’s largest management consulting, technology services and outsourcing firms. Drawing upon that experience, Butcher has been able to adapt existing technologies to optimise processes and reporting across King’s College’s five campuses, streamlining the service into one cohesive system and improving outcomes across the many familiar and time-consuming scenarios regularly faced within campus environments.

A tailored approach is essential given the ever-changing risk and threat environment impacting today’s high level educational institutions. The solution for the end user must now extend far beyond simply providing security guarding services.

Security Services: Best Practice Casebook

Technical awareness and ability

While the drive for many security companies is to increase volume of man hours, CIS Security is working with King’s College on efficiencies, bringing physical and electronic measures into play that will provide significant future savings over the length of the contract. Technical awareness and ability is a strong part of the recruitment and retention strategy for on-site management teams, and Stuart Butcher has played a significant part in identifying strategies to ensure that technology and manpower work efficiently and effectively in tandem.

Given the volumes of footfall experienced, without careful management and clear communication strategies it’s fair to state that campus environments can be easily disrupted. Continual customer service training, a flexible approach as well as thorough observations and understanding of end users are ‘essentials’ for maintaining good relations while keeping the campuses secure.

“On campus,” explained Butcher, “the job encompasses helping sometimes anxious students striving to fulfil deadlines on which their future career may depend, offering customer care and displaying an ‘Ask me’ attitude towards the university’s population.” Observing student, staff and visitor behaviour and exercising sensitivity in the monitoring of – for instance – learning and teaching room bookings in an environment as diverse as that of King’s College requires diplomacy and careful judgement. “We want the campus to be welcoming and not exhibit a heavy, oppressive and lockdown-style environment,” asserted Butcher. “The latter approach simply doesn’t work in the university setting.”

All members of the senior management team have completed Workshop Raising the Awareness to Prevent (WRAP)-style training, the Metropolitan Police Service instruction programme aimed at reducing the number of individuals who become – or support – violent extremists. To this end, regular diversity-centric refresher courses equip managers and security officers alike with the diplomacy needed to question and monitor behaviours that might be considered relevant.

Training and development

CIS Security actively embraces King’s College London’s ‘Fit For King’s’ training and development programme. This is a modular education package tailored specifically to the Estates and Facilities Directorate and which embodies the previously referenced Mission Statement on customer service. Since implementation, 155 security staff have completed the ‘Fit For King’s’ customer service training. 155 appraisals have been completed while 78% of the team members have also received enhanced specialist First Aid training.

As a company, we regularly hold security surgeries and security awareness days to help students understand how they can mitigate risks in their day-to-day student life and avoid becoming the victim of an incident. Advice includes everything from protecting their belongings through to awareness around alcohol-related incidents.

University communities represent a perfect breeding ground for the rapid escalation of scaremongering episodes. Critical incident exercises with careful attention paid to communication strategies during such moments in time are crucial to protect King’s College London from disruption and potential shutdown.

Focus on specific security roles

Stuart Butcher and William Lyle manage – and rely upon – a dedicated security team comprising a mix of new CIS Security recruits and TUPE transfers from the previous contract. Part of the strategy for enhancing team morale and motivation centres on transforming the roles of individuals. Following a thorough review to identify individuals’ strengths, experiences and passions, management ensure team members are given responsibilities which play to their strengths and harness their experiences of working at the campus, in turn empowering them to succeed and feel that they have a stake in the success of the security service contract.

To lift service levels still higher, enhanced Key Performance Indicators (KPIs) have been introduced and agreed with King’s College London’s management team and now form part of all staff yearly objectives (themselves linked to appraisals). Security staff are presented with a clear and motivating career path and ably supported in their roles by senior management in addition to dedicated training and Human Resources managers who provide onsite and remote assistance to ensure that staff needs are met on a continual basis.

Security technology also plays a big part in keeping the operation running smoothly and creating efficiencies for King’s College. One task during implementation was to unify the systems for all campuses. Stuart Butcher’s innovative approach to security operations management imports some methods and language from the IT specialism of user experience.

“Communication is hugely important such that expectations can be managed and preparations made at the right time,” explained Butcher. “Departments can be thrown into chaos because of an access point being taken out of commission without warning. That cannot be allowed to happen.”

New technology employed to monitor access control at King’s College London includes the use of Near Field Communication (NFC). This allows CIS Security to capture trends, delineate peak times and overall user trajectories and, in turn, populate forecasts enabling the accurate resourcing of security officers at designated points within the campus.

One example of an outcome following an observational study within King’s College focused on justifying the move of the Security Head Office to the main entrance of the building from a previous back office location which had impaired visibility of front line issues and created a ‘disconnect’ between the management team and the front line security officers.

In just eight months the ‘face’ of the King’s College security team has changed. Judging by some very positive feedback, a significantly developed operation is now readily apparent. Alterations and amendments have been based on insights derived from team members, end users – via the appropriate platforms – and ongoing training and reviews.


When is a vulnerability not a vulnerability?

Vulnerabilities exist in business data systems via configuration settings, software bugs and the misuse of software features. That’s why it’s essential for security risk managers to minimise the ‘attack surface’ of IT systems by employing a vulnerability management process. Mark Kedgley pinpoints the right procedures

Information security is an industry full of buzzwords, acronyms and clichés. The GRC sector in particular is rife with them (which succinctly proves my point about acronyms – GRC: Governance, Regulatory and Compliance). For example, the expression ‘Checkbox Approach to Compliance’ is disparagingly aimed at anyone who treats compliance as a project. For these ‘Checkbox Compliance Cowboys’, compliance receives focus once a year over a few weeks with the sole intention of providing enough paperwork to satisfy an auditor, but with little substance beyond that.

Of course, those who treat compliance as cynically as this are missing the point. Threats to security are constant and, on that basis, security measures and the associated checks and balances of compliance also need to be operational on a continuous cycle.

Security and compliance is a hugely complex task, while the implementation of a hardened build standard is a highly technical project in its own right. There’s no doubt that finding the right balance between a configuration standard that protects vital business systems without preventing them from working demands very careful consideration.

Overlaid with configuration hardening is the related task of patch management. Both disciplines will address vulnerabilities and both can have nasty side-effects. On this basis, within the overall context of vulnerability management, it’s valid to group all vulnerabilities together. Indeed, many vulnerability scanners will aim to detect both configuration and software-based vulnerabilities with one scan. However, because the nature of vulnerabilities and the actions required to either mitigate or remediate them are so different, it actually makes sense to segregate their management.

The ‘Traditional Scanner Approach’

One of the main obstacles to making vulnerability management a streamlined process is that there’s a tendency to always be starting at ‘Square One’. The vulnerability landscape changes daily with new exploits being discovered and reported. As such, new scan signatures will always be available. There’s also the issue of needing to know which devices you have and where they’re located in order to scan them – a secure network is going to be firewalled to prevent scanning activity. Finally, it’s always better to operate a scan in a focused manner, which means knowing what’s installed on the hosts under test in order to specify those vulnerabilities for which you’re going to test. The alternative is to merely run a simple but overkill ‘Route One: Let’s-test for every exploit of every package’ but in a large estate this is far too wasteful of both resources and time.

Once the scan results are reported it’s then that the real work begins. Each failure needs to be reviewed in turn for its relevance and associated risk. In a large estate where remediation work could take days or even weeks, which vulnerabilities (and for which devices) should you address first? For configuration-based vulnerabilities, is it practical to mitigate the vulnerability given that reducing the opportunity to exploit vulnerabilities invariably reduces functionality? Likewise, is it safe to go ahead and patch a system? An update that addresses a specific vulnerability may well introduce other issues such as feature/functional changes or even a new ‘bag of bugs’. Faced with these potentially undesirable side-effects, the first question to ask is: ‘How serious is this vulnerability?’ Or, in other words, does the risk posed by the vulnerability fundamentally outweigh the risk of causing other operational problems?

Categorising and scoring

Various systems exist which attempt to categorise and score each vulnerability. Qualys has its own scoring system as do Tripwire (and nCircle), but there are also the consensus-based systems – presided over by NIST – which reference the three earlier definitions of vulnerability classes. In turn, these are:

• Common Configuration Scoring System (CCSS): Used to score the severity of security configuration-based vulnerabilities
• Common Vulnerability Scoring System (CVSS): Used to score the severity of software flaw-based vulnerabilities
• Common Misuse Scoring System (CMSS): Used to score the severity of software misuse-based vulnerabilities

At a high level, the intention is clear – define how potentially dangerous each vulnerability really is – but that isn’t such an easy assessment to make, and scoring vulnerabilities starts to become extremely complicated very quickly. Each of the Common Scoring Systems factors in the context of the threat: ‘Just how likely is it that this exploit can be used?’, ‘How real is the exploit?’, ‘How available are the fixes and how risky are they?’ and ‘How much damage could be done using the exploit?’

No vulnerabilities should be ignored

There are no vulnerabilities that should be ignored, but there are any number that, within the context of your estate, might be tolerated temporarily or permanently due to compensating controls that are in place. SCADA infrastructure components subject to NERC CIP compliance will require the highest levels of security, while user workstations segregated from confidential data systems can be treated as lower priority, lower risk items.

With scan results highlighting hundreds of vulnerabilities across the estate, the last thing you need is to be re-reminded every time you scan of the same known-and-acknowledged vulnerabilities. The concept of improvement-based vulnerability management begins with the overriding need to address this key issue. For example, with a large compliance initiative, there could be any number of reasons why servers or network devices will remain in a non-compliant state for months – resource constraints, application compatibility and network architecture, etc – so the need to either suspend or exclude compliance requirements for certain hosts or device groups is absolutely essential.

If we think it will take us three months to remediate all vulnerabilities across all systems then we can set time-based milestones for minimum levels of compliance to be achieved and, in doing so, give a realistic set of targets to hit progressively over time without being repeatedly beaten up over all outstanding vulnerabilities. Similarly, there may be a need to make exceptions or adjust compliance requirements. Last, but not least, the ability to extend the compliance standard to include additional file integrity monitoring checks over and above the STIG or other secure build standard is valuable.
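The following sketch is an added illustration, not code from the article or from any scanner product, of the improvement-based process described above: acknowledged vulnerabilities are waived for a host or device group with an optional expiry date, and compliance is measured against time-based milestones. All host names, check identifiers, scores, dates and percentages are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Result:
    host: str
    group: str       # device group, e.g. "scada" or "workstations"
    check_id: str    # scanner check identifier (constructed for this example)
    score: float     # severity score 0.0-10.0 as reported by the scanner
    passed: bool


@dataclass(frozen=True)
class Waiver:
    """A known-and-acknowledged vulnerability tolerated for a host or group."""
    check_id: str
    scope: str               # host name or device group the waiver applies to
    reason: str              # compensating control or operational constraint
    expires: Optional[date]  # None = tolerated permanently

    def covers(self, r: Result, today: date) -> bool:
        live = self.expires is None or today <= self.expires
        return live and self.check_id == r.check_id and self.scope in (r.host, r.group)


def is_waived(r, waivers, today):
    return (not r.passed) and any(w.covers(r, today) for w in waivers)


def triage(results, waivers, today):
    """Split failed checks into (actionable, acknowledged).

    Actionable items are ordered highest score first, so remediation starts
    with the most serious ones. A waiver that has expired no longer hides
    its finding, so temporary tolerance cannot silently become permanent.
    """
    failed = [r for r in results if not r.passed]
    acknowledged = [r for r in failed if is_waived(r, waivers, today)]
    actionable = [r for r in failed if not is_waived(r, waivers, today)]
    actionable.sort(key=lambda r: (-r.score, r.host, r.check_id))
    return actionable, acknowledged


def milestone_status(results, waivers, milestones, today):
    """Return (compliance_pct, target_pct, on_track).

    Waived checks are excluded from the measurement; the target is the
    minimum percentage of the latest milestone whose due date has passed.
    """
    measured = [r for r in results if not is_waived(r, waivers, today)]
    pct = round(100.0 * sum(r.passed for r in measured) / len(measured), 1) if measured else 100.0
    due = [m for m in milestones if m[0] <= today]
    target = max(due)[1] if due else 0.0
    return pct, target, pct >= target


# Constructed scan results, waivers and milestones.
SCAN = [
    Result("plc-gw-01", "scada", "CFG-TELNET-ENABLED", 8.5, False),
    Result("plc-gw-01", "scada", "SW-OPENSSL-OUTDATED", 7.4, False),
    Result("plc-gw-01", "scada", "CFG-PASSWORD-LENGTH", 5.0, True),
    Result("ws-114", "workstations", "SW-BROWSER-OUTDATED", 6.8, False),
    Result("ws-114", "workstations", "CFG-USB-STORAGE", 4.0, False),
    Result("ws-114", "workstations", "CFG-PASSWORD-LENGTH", 5.0, True),
    Result("app-db-02", "servers", "CFG-SMBV1-ENABLED", 7.0, False),
    Result("app-db-02", "servers", "CFG-PASSWORD-LENGTH", 5.0, True),
]
WAIVERS = [
    Waiver("CFG-USB-STORAGE", "workstations",
           "segregated from confidential data systems", None),
    Waiver("CFG-SMBV1-ENABLED", "app-db-02",
           "application compatibility, fix scheduled", date(2014, 12, 31)),
]
MILESTONES = [(date(2014, 12, 1), 50.0), (date(2015, 1, 15), 75.0),
              (date(2015, 2, 28), 100.0)]

if __name__ == "__main__":
    for today in (date(2014, 12, 10), date(2015, 1, 20)):
        todo, known = triage(SCAN, WAIVERS, today)
        print(today, milestone_status(SCAN, WAIVERS, MILESTONES, today))
        for r in todo:
            print("  fix:", r.score, r.host, r.check_id)
        print("  acknowledged:", [r.check_id for r in known])
```

Running the same scan data on the second date shows the temporary waiver lapsing: the finding returns to the work queue and the estate falls behind its milestone.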

Minimising the ‘attack surface’

Vulnerabilities exist via configuration settings, software bugs and the misuse of software features. It’s essential to minimise the ‘attack surface’ of IT systems using a vulnerability management process. Where patches can be used to remediate vulnerabilities, these need to be carefully assessed for potential negative side-effects before deployment. Similarly, security configuration settings may be deployed to close off potential exploits, albeit at the loss of functional freedom (which also needs to be weighed up).

Modern approaches to vulnerability management make use of vulnerability scores to help with decisions over whether the cost of remediation outweighs the potential risk. Scoring vulnerabilities also helps prioritise remediation work in large-scale estates where the workloads involved are significant. However, the real answer lies in operating a process of improvement-based vulnerability management. This ensures that intelligence regarding your estate is accumulated incrementally and accuracies continuously improved. Ultimately, this serves to elevate vulnerability management above the ‘Groundhog Day’ scenario that traditional vulnerability scanners might engender.

Mark Kedgley: CTO at New Net Technologies


Risk in Action

Lone worker security at VINCI Facilities boosted by MySOS

Part of the VINCI construction group, VINCI Facilities has chosen to roll out Skyguard’s MySOS personal safety service in order to mitigate potential risks for all of the company’s lone workers. VINCI Facilities provides bespoke solutions and services to a variety of traditional vertical sectors (including housing, education and healthcare) and fully understands the potential risks and threats faced by its dedicated group of lone worker employees. On that basis, Josephine O’Connor – business and community investment manager at VINCI Facilities – set about sourcing a BS 8484-compliant and approved lone worker personal safety service to support and protect the company’s lone working employees. Following extensive research, VINCI Facilities awarded Skyguard the contract to provide 24-hour emergency back-up for all lone worker personnel by way of its fully-accredited MySOS personal safety device.

The MySOS allows end users to raise an alarm at the press of a button should they feel threatened or deem their personal safety compromised. That alarm is sent to Skyguard’s Incident Management Centre where trained controllers will listen-in, locate the end user, assess the situation and take appropriate action (including potential escalation of the scenario to the emergency services). When tracking options are enabled, the MySOS device will also automatically record and transmit its GPS locations at set intervals. Alternatively, manual activation is realised by the press of a button on the device. Locations may be viewed on a map with grid references – and in real-time – via Skyguard’s Customer Service Centre online portal.

“The Customer Service Centre portal gives us the management data we need to be able to keep the lone working staff safe,” asserted O’Connor. “It also details the geography of my teams. This has the added benefit of enabling me to better manage their time and afford an enhanced service to our clients.”


Showsec helps put Leeds’ First Direct Arena on the venue map

Event and venue security specialist Showsec has been acclaimed for the substantial part the company has played in helping to establish the First Direct Arena in Leeds as a friendly, customer-focused venue. The 13,000-capacity First Direct Arena recently celebrated its first birthday when Jake Bugg performed his unique blend of indie rock and folk to a capacity crowd. This special occasion also marked the 25th Anniversary celebrations of Leeds-based bank First Direct, the venue’s sponsor. Showsec was contracted by SMG Europe to provide its specialist services for the First Direct Arena from the outset, and has undoubtedly made an important contribution to many memorable events (among them the hosting of the BBC’s annual Sports Personality of the Year Awards ceremony).

First Direct Arena’s general manager Ben Williams commented: “During the launch year of the First Direct Arena, SMG Europe has relied upon the scale, expertise and professionalism delivered by Showsec. As a company, Showsec has not only embraced but also proactively committed to the venue’s vision for placing the customer at the heart of everything we do.”

As well as the anniversary event featuring Jake Bugg, the First Direct Arena has played host to many other international artists including Kasabian and The Kaiser Chiefs. With Showsec’s Sam Hodkin now operating as the Arena’s head of security, the company has developed a strong team of experienced supervisors, Security Industry Authority-licensed professionals and stewards to help the venue enhance its reputation for top class entertainment.

“The emphasis has been on ensuring that the experience for all visitors to the First Direct Arena is the very best it can be,” explained Julian Kumah, Showsec’s area manager for Yorkshire. “The fact that we’ve been able to deliver that level of service is due to the professionalism of our staff.”



BBC Worldwide awards prestigious FM contract to MITIE Group plc

FTSE 250 strategic outsourcing company MITIE has just been awarded the prestigious facilities management (FM) contract at BBC Worldwide. The contract will run for a three-year period with provision for an extension. Under the Terms and Conditions of the deal, MITIE will now deliver the full range of FM services including security, Front of House solutions, maintenance and repairs, cleaning and catering for BBC Worldwide’s new offices at Television Centre in London’s White City when they open next year.

Speaking about the contract, Andreas Arnold (director of strategic projects for BBC Worldwide) explained: “MITIE was chosen as our FM partner due to the company’s creative approach, the cultural fit with our own business and the demonstrated use of technology to improve service delivery.”

Tyco provides bespoke fire protection for the Royal Navy

Following an extensive tender process, Tyco Fire & Integrated Solutions was awarded the contract to design fixed fire-fighting solutions for the UK MoD’s new Type 26 Global Combat Ship Programme. Appointed by main contractor BAE Systems, the team at Tyco Fire & Integrated Solutions has developed a bespoke design package consisting of a variety of systems including water, mist, foam and gaseous solutions.

Graham Linney, engineering manager (marine division) at Tyco Fire & Integrated Solutions, commented: “Throughout the design phase we’ve worked closely with BAE Systems and the Royal Navy to ensure the solution for the new Type 26 Global Combat Ships meets the specific requirements of such a unique environment. This collaborative approach was vital in order to meet client and end user requirements.”

Charter Security dog patrols reduce crime in London’s Tower Hamlets

Residents in London’s Tower Hamlets have praised a project that has helped to reduce crime in their neighbourhood. The ‘Dealer a Day’ programme sees Charter Security working with Tower Hamlets enforcement officers and Partnership Task Force police officers to combat drug dealing and anti-social behaviour in an initiative that’s managed by the local authority. In response to residents’ concerns, sniffer dogs and general patrol dogs are being used to detect a variety of items, among them potential weapons and drugs.

The pilot initiative began at the end of 2013 and was so successful it has since been extended. That project has already disrupted numerous drug deals and detected (and seized) several quantities of cannabis. Raids have led to the seizure of heroin, cocaine and cannabis with a street value of over £6,000. Regular patrols combat the problem at source, helping to disrupt and prevent drug deals from taking place. The dog patrols target high risk areas during what would be considered ‘peak’ drug trading/anti-social behaviour hours. Six tower blocks formed the pilot area, which has now been extended to cover 15. Stairwells of Tower Hamlets Homes-managed properties are regularly visited and patrolled, and dogs are also used in open areas such as greens.

Trevor Kennett, head of enforcement services at Tower Hamlets, explained: “We know that residents want the council, police and our partners to work together on stamping out drug dealing and bringing the dealers to justice. These latest patrols involving Charter Security’s dog handling services are part of our continuing efforts to do just that.”

2014 HMV Football Extravaganza supported by Cardinal Security

Cardinal Security was appointed to provide security solutions at the annual HMV Football Extravaganza event that took place on Tuesday 14 October. Held at The Hilton Hotel on London’s Park Lane, this year marked the fifth occasion that Cardinal Security had been asked to manage security for the event. As in previous years, Cardinal supplied a number of SIA-licensed security officers who duly took responsibility for all general and VIP admission entrances as well as any additional security needs on site. In the spirit of charity, a number of the officers were provided free-of-charge.

Football Extravaganza was first launched in 1996 to raise money for Nordoff Robbins, a national music charity dedicated to transforming the lives of vulnerable children and adults across the UK. Since then, the event has realised over £5 million for the charity through a series of celebrity auctions of football memorabilia and artwork. Past Football Extravaganza events have celebrated the careers of several footballing heroes, among them Pele, Chelsea manager Jose Mourinho and Sir Bobby Charlton. This year, the evening honoured one of the most decorated individuals in English football’s history – Ryan Giggs, Manchester United’s longest-serving player – with the Legend of Football Award. The successful 2014 gathering, which raised £402,000, also featured a special performance from rock band Stereophonics.


Technology in Focus

Vista issues VFD analogue security cameras for end users

Thanks to a Wide Dynamic Range (WDR) of up to 120 dB, the new VFD28V12WDR analogue cameras launched by Vista offer “outstanding image quality” even under extreme backlit conditions. Viewing images in highly contrasted scenes can lead to a loss of detail that compromises both image quality and usefulness. Thanks to CMOS WDR technology and “exceptional” 1000 TVL colour and monochrome images, the new VFD28V12WDR models address these issues, providing more detail to be viewed and recorded.

Key features of the new cameras include:

• Exceptional WDR of 120 dB for balanced and detailed images
• 1000 TVL colour and monochrome images rendering “impressive” live and recorded image quality
• True day/night operation thanks to the built-in switching IR cut filter
• End user-selectable privacy zones designed for protecting sensitive or personal information
• Optically correct bubble ensures superior image quality at all viewing angles

Vista brand product manager Kramar Donachie commented: “The VFD28V12WDR cameras include a host of features such as peak white inversion, 3DNR and BLC which help end users to ensure excellent resolution for the majority of lighting conditions.”

www.norbain.com

Elmdene switches to STX PSU range with EcoCharge to power EN54-4 compliant fire systems

Elmdene International has launched the STX range of energy efficient, cost-effective switched-mode power supply units (PSUs). The new range has been designed to meet the demands of today’s EN54-4 compliant fire systems and is the first product line from Elmdene to be supplied as standard with the company’s advanced EcoCharge intelligent battery charging capability. The STX range comprises four power variants – 1A, 2A, 5A and 10A – each delivering a 27.6 V DC output. All models are certified to EN54-4:1997, A1:2002 and A2:2006. Rigorous in-house testing has demonstrated that the latest STX PSU models are capable of delivering highly impressive efficiency levels of up to 95%.

www.elmdene.co.uk

CEM Systems releases new version of AC2000 access control software

CEM Systems has issued Version 6.9 of the AC2000 suite of access control and security management software. This new edition of the software offers improved security features and increases the performance of the AC2000 software suite including the AC2000, AC2000 Airport and AC2000 Lite solutions.

“AC2000 is an integrated security management system that’s designed with the customer in mind, providing flexible solutions that help increase security and improve operational effectiveness,” said Conleth Donaghy, senior product manager at CEM Systems. “The latest release of AC2000 further reinforces this, offering improved security features with the addition of the SmartCard Utility and support for AES encryption across all CEM DESFire readers. Enhancements to emerald also provide an additional security level whereby images of personnel may be immediately verified at the point of entry.”

An enhancement of AC2000 is the addition of user-defined keys through the AC2000 SmartCard Utility application. This application is a convenient and flexible approach to smart card key management allowing end users to take full ownership of their smart card personalisation process. If encryption keys are compromised, updates may be implemented using the AC2000 SmartCard Utility.

AC2000 Version 6.9 now supports 128-bit AES (Advanced Encryption Standard) encryption across the CEM DESFire reader versions of the emerald terminal, the S610 reader range and the sPass reader. This encryption standard provides a future proof access control solution, increasing security for the end user while also reducing the risk of card cloning. As stated, Version 6.9 of AC2000 offers enhanced functionality of emerald, CEM’s award-winning intelligent access terminal.

www.cemsys.com



Hikvision adds Mini IR PT network camera to Easy IP range

Hikvision’s range of Easy IP solutions has been supplemented with the launch of a sophisticated infrared pan and tilt IP camera. The DS-2CD2Q10FD-IW 1MP Mini IR PT network solution features HD 720p real-time video with motorised pan and tilt. The discreet housing also incorporates a built-in microphone and speaker, an SD card slot supporting on-board storage of up to 64 GB, a 100 MB/sec Ethernet interface and Wi-Fi connectivity.

Despite its compact size, the Mini IR PT camera offers the full flexibility and manageability of an IP surveillance solution, providing a 0°-355° pan range and a -20°-90° tilt range of view. The DS-2CD2Q10FD-IW is ideally suited to quick and easy installation, the Wi-Fi WPS capability enabling automatic configuration even for those end users with either limited or no network knowledge. The new cameras feature 3D DNR and DWDR image enhancement technology and zone configurable backlight compensation for “outstanding” day/night performance in any environmental conditions.

www.hikvision.com

Milestone Husky models with integrated encoders ease move from analogue to digital technology

Milestone Systems – the open platform company in IP Video Management Software (VMS) – has unveiled an easier and more affordable way for end users to make the transition from analogue to digital technology. Milestone’s Husky Series of NVRs now offers versions with integrated encoders that make it easy to connect analogue and digital cameras which run on IP networks to the same box. The Husky Hybrid NVRs are pre-installed with Milestone’s VMS and allow end users to build on their initial investment. Security managers can continue to use existing analogue cameras and add new IP cameras over time.

The Hybrid NVRs are aligned with the new Milestone encoder licensing. Here, only one hardware device license is needed for each analogue-to-IP encoder regardless of the number of analogue cameras connected to the encoder. This applies to encoders with no more than one IP license. In addition, the Husky Series supports Milestone’s encoder licensing when external encoders are used on the NVRs.

www.milestonesys.com

Samsung Techwin’s open platform WiseNetIII Series cameras now integrated with Milestone’s XProtect Video Management Software

Samsung Techwin’s award-winning open platform WiseNetIII Series of network cameras has been successfully integrated with Milestone’s XProtect Video Management Software (VMS). Milestone XProtect VMS is powerful, reliable, easy-to-use and proven in more than 100,000 installations worldwide. Based on a true open platform, XProtect VMS enables integration with the industry’s widest choice of cameras and ‘Best in Class’ business solutions.

All of the 1.3, 2 and 3 MP IP network cameras and domes within the WiseNetIII Series have been integrated with Milestone XProtect, including the recently launched SNP-6320 (pictured). This is the world’s first 2 MP 32x PTZ dome, while the 1.3 MP SNP-5430 can claim to be the world’s first 43x PTZ network video surveillance dome camera with intelligent auto-tracking. Samsung Techwin’s open platform WiseNetIII DSP chipset recently won the Video Hardware of the Year category at Benchmark Magazine’s 2014 Innovation Awards. The spare processing power and open platform capabilities of the chipset provide end users with complete freedom to choose their perfect combination of on-board video analytics, as well as a VMS that best matches the requirements of individual video surveillance projects.

“A key element of our product development strategy is based on the understanding that customers are looking for easy-to-implement and easy-to-operate integrated video surveillance solutions,” said Peter Ainsworth, head of product and marketing for Samsung Techwin Europe. “Integration with independently developed software such as Milestone XProtect is essential in order to provide the option for the latest generation of Samsung Techwin WiseNetIII cameras and domes to be controlled and monitored alongside systems produced by other manufacturers.”

www.samsungsecurity.com


Security solutions for today’s challenging times

Consultancy Operational Consultancy Manned Guarding Training Information and Intelligence Communications Support Technical Systems Equipment

Global economic pressures are forcing organisations to review expenditure across the board. But, the security issues remain the same. So, do you cut your security? Pilgrims offers a complete and complementary range of security, communications and support services, backed by an unmatched commitment to the highest level of quality, efficiency and client care, to reduce costs not cover. Our expertise and global experience allow us to deliver robust, practical solutions for today’s challenging financial climate.

For more than ten years, Pilgrims has been supporting clients across the globe, protecting and enabling their businesses to continue in spite of threats from terrorism, serious organised crime and natural disasters. Our personnel are handpicked for their experience, skills, training and personality to match the requirements of our clients. This, combined with our continual exposure to the world’s hot spots and difficult regions, makes Pilgrims the ideal choice for advice and support. Pilgrims provides a global service, with local knowledge through our employment of local personnel, quality control, continual ongoing training and our relationships with specialists and local partners.

We can help you find the right solution. Call Pilgrims on: +44 (0)1483 228 786 www.pilgrimsgroup.com



Appointments

Alex Younger

Foreign Secretary Philip Hammond has announced that Alex Younger is appointed as successor to Sir John Sawers as Chief of the Secret Intelligence Service. Younger will take up the appointment this month. Often referred to as MI6, The Secret Intelligence Service (SIS) collects Britain’s foreign intelligence. Based at Vauxhall Cross in London, the SIS provides Her Majesty’s Government with a global covert capability to promote and defend the national security and economic well-being of the United Kingdom.

Commenting on his appointment, Alex Younger said: “I’m delighted and honoured to become Chief of the Secret Intelligence Service. Our dedicated members of staff work tirelessly against an array of threats that this country faces. They do so in close partnership with both MI5 and GCHQ with whom I’m looking forward to co-operating very closely.”

Alex Younger is a career SIS officer and has been in the Service since 1991. For the last two years he has overseen the SIS’ intelligence operations worldwide. Younger has held overseas postings in Europe and the Middle East and was formerly the senior SIS officer in Afghanistan. Having served as an officer in the British Army, Younger has filled a variety of operational roles in London, including leading the SIS’ work on counter-terrorism for the 2012 Olympics.

Risk UK keeps you up-to-date with all the latest people moves in the security, fire, IT and Government sectors

Jeff Little OBE

Brigadier (Retd) Jeff Little OBE MBA CGIA FSyI FICPE is now an advisor to the Board for MITIE Group plc’s growing Total Security Management (TSM) business. For three years from December 2010, Little served as CEO of the National Security Inspectorate and brings to MITIE TSM a vast array of experience in the fields of strategic security, resilience, training, systems and emergency planning. A distinguished military career resulted in an OBE from Her Majesty The Queen in recognition of Little’s exemplary leadership skills during the third Balkan War which ran from 1991 until 2001.

In this new role, Little will focus on MITIE’s critical security offering to existing major contractor clients within the defence, nuclear, utilities and data centre sectors. “I’ve always been impressed by MITIE’s security business,” explained Little. “I’m now very much looking forward to assisting the development of MITIE TSM’s offer and taking the MITIE way of thinking forward. It’s vital that we continue to provide innovative solutions.”

Chris Norris

Wicklander-Zulawski (WZ), the US-based consulting and training company, has announced that Chris Norris CFI – the organisation’s director of webinar, WZ Europe (WZ-EU) and international training – is moving to the UK on a year’s secondment with a view towards raising the profile of the brand’s investigative interview techniques across Europe. Norris, who has been with the company for almost 15 years, will be responsible for building the profile of WZ-EU training that’s available to both UK and European businesses while also identifying training professionals who can help deliver WZ’s unique educational courses.

Since joining WZ in 2000, Norris has presented at several national US meetings for organisations including the National Retail Federation and is a regular guest instructor at the Federal Law Enforcement Training Centre. He has trained thousands of Human Resources professionals, audit managers, loss prevention specialists, security and law enforcement practitioners in the art of non-confrontational interviewing, and also conducted numerous professional investigations for both private companies and public agencies.

Speaking about his secondment to the UK, Norris said: “As we see more US companies trading in the UK, so there has been a greater demand for our recognised form of interview training. We know that the loss prevention sector, for example, is recognising a need for such training to help address internal issues and mitigate liabilities.” Norris added: “By moving to the UK, I can help raise awareness of the benefits of our training services to UK and European businesses and also respond to the growing demand for the non-confrontational interview techniques we can offer.”


Chris Pinder

Tavcom Training has announced the appointment of Chris Pinder, who joins from the National Security Inspectorate (NSI) in order to spearhead the company’s marketing and development functions. Pinder is well known throughout the security sector having carried out important roles for the British Security Industry Association – where he served as southern region general manager and export services manager from November 1997 through until August 2010 – and most recently at the NSI, where Chris was external affairs director for nigh on three years from November 2011.

Speaking about his latest move, Pinder commented: “I’ve known Tavcom for as long as I have been in the industry. I’m thrilled to have the opportunity to contribute towards the future growth of such a professional organisation as Tavcom which, as the country’s leading security systems training provider, has established an outstanding reputation for delivering quality courses conducted by highly knowledgeable tutors.”

Tavcom has grown significantly since the company was founded in 1994. Today, the organisation offers over 70 courses supporting security systems engineers and managers alike.

Palm Timana and Vicky Cooper

Perimeter protection specialist Zaun has appointed two newcomers to sales and customer support functions. Palm Timana (pictured) takes on the new role of sales estimator while, in another new role, Vicky Cooper is now sales and customer support administrator.

Timana has worked in the private sector across security guarding, CCTV and access control-focused roles and also spent almost five years at The Home Office, first as an immigration officer and then in the sphere of criminal intelligence. Timana holds a Masters Degree in Law and is a graduate of the International Security Programme at Harvard University in the States specifically designed to promote international relations, peace and security.

Vicky Cooper’s career has seen her provide administration and co-ordination in the public and voluntary sectors to support programmes with some of Sandwell’s most vulnerable and disadvantaged groups, including the victims of domestic violence and those with severe mental health issues.

Zaun’s director Alastair Henman explained: “2014 has been a great year for us. Five months ago we strengthened our delivery team on the back of keynote security projects in the UK and overseas. We want to ensure that we don’t lose sight of our core supply business to fencing installers. These two new roles will enable us to better service those customers.”


Valerie Dale

Valerie Dale has joined Securitas as the company’s new Human Resources (HR) director. Dale relocates from G4S Secure Solutions (UK) and brings over 20 years’ HR experience to the role, 14 of which have been spent in HR management. A Fellow of the Chartered Institute of Personnel and Development, Dale will now be responsible for the overall HR strategy at the company having helped to develop industry standards across the last six years. Speaking about Dale’s appointment, Brian Riis Nielsen (Country President at Securitas and managing director for the UK and Ireland operation) said: “Valerie will be a key service provider and, along with her team, will consistently support the business to attract, retain, motivate and develop our people such that they can achieve their maximum potential and realise exceptional customer service.” Dale herself commented: “Securitas enjoys a very well respected reputation in the industry. We have clear security solutions objectives in place and a structure that enables autonomy, accountability and innovation for our employees to deliver them. We’re hoping to expand on the company’s already well-established training and development programmes and ensure an overall HR strategy in tune with the business’ philosophy.”

Paul King

Paul King has been appointed regional director at The Shield Group, the UK’s largest independent Total Security Solutions provider. King brings no less than 25 years’ security sector experience to his new role, the last 15 of them spent in senior management positions which have contributed towards the development of exceptionally strong leadership and expert client relationship skills. King will be based out of The Shield Group’s Manchester office and looking after the group’s Northern portfolio. His commitment to customer service and officer welfare will ensure that The Shield Group’s standards are maintained at the very highest level, and that back-up and support will always be available to on-site teams by way of ensuring consistent service delivery. For the last eight years, King has been a dedicated member of the Manchester City Centre Crime Prevention Panel.



Best Value Security Products from Insight Security www.insight-security.com Tel: +44 (0)1273 475500 ...and lots more Computer Security

Anti-Climb Paints & Barriers

Metal Detectors (inc. Walkthru)

Security, Search & Safety Mirrors

ACCESS CONTROL

Security Screws & Fastenings

Key Control Products

Empty Property & Lone Worker Alarms

Traffic Flow & Management

see our website

ACCESS CONTROL – BARRIERS GATES & ROAD BLOCKERS

FRONTIER PITTS Crompton House, Crompton Way, Manor Royal Industrial Estate, Crawley, West Sussex RH10 9QZ Tel: 01293 548301 Fax: 01293 560650 Email: sales@frontierpitts.com Web: www.frontierpitts.com

ACCESS CONTROL

ACT ACT – Ireland, Unit C1, South City Business Centre Tallaght, Dublin 24 Tel: +353 (0)1 4662570 ACT - United Kingdom, 2C Beehive Mill Jersey Street, Manchester M4 6JG +44 (0)161 236 9488 sales@act.eu www.act.eu

ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES

UKB INTERNATIONAL LTD ACCESS CONTROL

APT SECURITY SYSTEMS The Power House, Chantry Place, Headstone Lane, Harrow, HA3 6NY Tel: 020 8421 2411 Email: info@aptcontrols.co.uk www.aptcontrols-group.co.uk

Planet Place, Newcastle upon Tyne Tyne and Wear NE12 6RD Tel: 0845 643 2122 Email: sales@ukbinternational.com Web: www.ukbinternational.com

Barriers, Blockers, Bollards, PAS 68

ACCESS CONTROL, CCTV & INTRUSION DETECTION SPECIALISTS

SIEMENS SECURITY PRODUCTS ACCESS CONTROL

KERI SYSTEMS UK LTD Tel: + 44 (0) 1763 273 243 Fax: + 44 (0) 1763 274 106 Email: sales@kerisystems.co.uk www.kerisystems.co.uk

Suite 7, Castlegate Business Park Caldicot, South Wales NP26 5AD UK Main: +44 (0) 1291 437920 Fax: +44 (0) 1291 437943 email: securityproducts.sbt.uk@siemens.com web: www.siemens.co.uk/securityproducts

ACCESS CONTROL & DOOR HARDWARE

ALPRO ARCHITECTURAL HARDWARE

ACCESS CONTROL

COVA SECURITY GATES LTD Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68

Tel: 01293 553888 Fax: 01293 611007 Email: sales@covasecuritygates.com Web: www.covasecuritygates.com

Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks, Waterproof Keypads, Door Closers, Deadlocks plus many more T: 01202 676262 Fax: 01202 680101 E: info@alpro.co.uk Web: www.alpro.co.uk

ACCESS CONTROL – SPEED GATES, BI-FOLD GATES ACCESS CONTROL MANUFACTURER

NORTECH CONTROL SYSTEMS LTD. Nortech House, William Brown Close Llantarnam Park, Cwmbran NP44 3AB Tel: 01633 485533 Email: sales@nortechcontrol.com www.nortechcontrol.com

HTC PARKING AND SECURITY LIMITED 4th Floor, 33 Cavendish Square, London, W1G 0PW T: 0845 8622 080 M: 07969 650 394 F: 0845 8622 090 info@htcparkingandsecurity.co.uk www.htcparkingandsecurity.co.uk

ACCESS CONTROL - BARRIERS, BOLLARDS & ROADBLOCKERS

ACCESS CONTROL

HEALD LTD

INTEGRATED DESIGN LIMITED

HVM High Security Solutions "Raptor" "Viper" "Matador", Shallow & Surface Mount Solutions, Perimeter Security Solutions, Roadblockers, Automatic & Manual Bollards, Security Barriers, Traffic Flow Management, Access Control Systems

Integrated Design Limited, Feltham Point, Air Park Way, Feltham, Middlesex. TW13 7EQ Tel: +44 (0) 208 890 5550 sales@idl.co.uk www.fastlane-turnstiles.com

Tel: 01964 535858 Email: sales@heald.uk.com Web: www.heald.uk.com


ACCESS CONTROL

CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS

SECURE ACCESS TECHNOLOGY LIMITED

ALTRON COMMUNICATIONS EQUIPMENT LTD

Authorised Dealer Tel: 0845 1 300 855 Fax: 0845 1 300 866 Email: info@secure-access.co.uk Website: www.secure-access.co.uk

Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ Tel: +44 (0) 1269 831431 Email: comms@altron.co.uk Web: www.altron.co.uk

CCTV AUTOMATIC VEHICLE IDENTIFICATION

NEDAP AVI PO Box 103, 7140 AC Groenlo, The Netherlands Tel: +31 544 471 666 Fax: +31 544 464 255 E-mail: info-avi@nedap.com www.nedapavi.com

G-TEC Gtec House, 35-37 Whitton Dene Hounslow, Middlesex TW3 2JN Tel: 0208 898 9500 www.gtecsecurity.co.uk sales@gtecsecurity.co.uk

CCTV/IP SOLUTIONS

DALLMEIER UK LTD ACCESS CONTROL – BARRIERS, GATES, CCTV

ABSOLUTE ACCESS

3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH Tel: +44 (0) 117 303 9 303 Fax: +44 (0) 117 303 9 302 Email: dallmeieruk@dallmeier.com

Aberford Road, Leeds, LS15 4EF Tel: 01132 813511 E: richard.samwell@absoluteaccess.co.uk www.absoluteaccess.co.uk Access Control, Automatic Gates, Barriers, Blockers, CCTV

CCTV & IP SECURITY SOLUTIONS

PANASONIC SYSTEM NETWORKS EUROPE

BUSINESS CONTINUITY

BUSINESS CONTINUITY MANAGEMENT

CONTINUITY FORUM Creating Continuity ....... Building Resilience A not-for-profit organisation providing help and support Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845 Email: membership@continuityforum.org Web: www.continuityforum.org

Panasonic House, Willoughby Road Bracknell, Berkshire RG12 8FP Tel: 0844 8443888 Fax: 01344 853221 Email: system.solutions@eu.panasonic.com Web: www.panasonic.co.uk/cctv

COMMUNICATIONS & TRANSMISSION EQUIPMENT

KBC NETWORKS LTD. Barham Court, Teston, Maidstone, Kent ME18 5BZ www.kbcnetworks.com Phone: 01622 618787 Fax: 020 7100 8147 Email: emeasales@kbcnetworks.com

DIGITAL IP CCTV

SESYS LTD High resolution ATEX certified cameras, rapid deployment cameras and fixed IP CCTV surveillance solutions available with wired or wireless communications.

PHYSICAL IT SECURITY

RITTAL LTD

1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333 Email: info@sesys.co.uk www.sesys.co.uk

Tel: 020 8344 4716 Email: information@rittal.co.uk www.rittal.co.uk

CCTV

TO ADVERTISE HERE CONTACT: MANUFACTURERS OF A COMPLETE RANGE OF INNOVATIVE INFRA RED AND WHITE LIGHT LED LIGHTING PRODUCTS FOR PROFESSIONAL APPLICATIONS INCLUDING CCTV SCENE ILLUMINATION, ARCHITECTURAL UP-LIGHTING AND COVERT SECURITY.

Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk

ADVANCED LED TECHNOLOGY LTD Sales: +44 (0) 1706 363 998 Technical: +44 (0) 191 270 5148 Email: info@advanced-led-technology.com www.advanced-led-technology.com


INFRA-RED, WHITE-LIGHT AND NETWORK CCTV LIGHTING

RAYTEC Unit 3 Wansbeck Business Park, Rotary Parkway, Ashington, Northumberland. NE638QW Tel: 01670 520 055 Email: sales@rayteccctv.com Web: www.rayteccctv.com

CCTV SPECIALISTS

PLETTAC SECURITY LTD Unit 39 Sir Frank Whittle Business Centre, Great Central Way, Rugby, Warwickshire CV21 3XH Tel: 0844 800 1725 Fax: 01788 544 549 Email: sales@plettac.co.uk www.plettac.co.uk

TRADE ONLY CCTV MANUFACTURER AND DISTRIBUTOR

COP SECURITY Leading European Supplier of CCTV equipment all backed up by an industry leading service and support package called Advantage Plus. COP Security, a division of Weststone Ltd, has been designing, manufacturing and distributing CCTV products for over 17 years. COP Security is the sole UK distributor for IRLAB products and the highly successful Inspire DVR range. More than just a distributor.

COP Security, Delph New Road, Dobcross, OL3 5BG Tel: +44 (0) 1457 874 999 Fax: +44 (0) 1457 829 201 sales@cop-eu.com www.cop-eu.com

WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS, PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.

MAYFLEX Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ

Tel: 0800 881 5199 Email: securitysales@mayflex.com Web: www.mayflex.com

CCTV & IP SOLUTIONS, POS & CASH REGISTER INTERFACE, EPOS FRAUD DETECTION

AMERICAN VIDEO EQUIPMENT Endeavour House, Coopers End Road, Stansted, Essex CM24 1SJ Tel : +44 (0)845 600 9323 Fax : +44 (0)845 600 9363 E-mail: avesales@ave-uk.com

CONTROL ROOM & MONITORING SERVICES

THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS CONTROL AND INTRUDER DETECTION SOLUTIONS

NORBAIN SD LTD ADVANCED MONITORING SERVICES

210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP Tel: 0118 912 5000 Fax: 0118 912 5001 www.norbain.com Email: info@norbain.com

EUROTECH MONITORING SERVICES LTD.

Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring • Vehicle Tracking • Message Handling • Help Desk Facilities • Keyholding/Alarm Response Tel: 0208 889 0475 Fax: 0208 889 6679 E-MAIL eurotech@eurotechmonitoring.com Web: www.eurotechmonitoring.com

EMPLOYMENT

FIRE AND SECURITY INDUSTRY RECRUITMENT

DISTRIBUTORS

SECURITY VACANCIES www.securityvacancies.com Telephone: 01420 525260

EMPLOYEE SCREENING SERVICES

THE SECURITY WATCHDOG Cross and Pillory House, Cross and Pillory Lane, Alton, Hampshire, GU34 1HL, United Kingdom www.securitywatchdog.org.uk Telephone: 01420593830

sales@onlinesecurityproducts.co.uk www.onlinesecurityproducts.co.uk

IDENTIFICATION

ADI ARE A LEADING GLOBAL DISTRIBUTOR OF SECURITY PRODUCTS OFFERING COMPLETE SOLUTIONS FOR ANY INSTALLATION.

ADI GLOBAL DISTRIBUTION Chatsworth House, Hollins Brook Park, Roach Bank Road, Bury BL9 8RN Tel: 0161 767 2900 Fax: 0161 767 2909 Email: info@adiglobal.com


COMPLETE SOLUTIONS FOR IDENTIFICATION

PERIMETER PROTECTION

DATABAC GROUP LIMITED

GPS PERIMETER SYSTEMS LTD

1 The Ashway Centre, Elm Crescent, Kingston upon Thames, Surrey KT2 6HH Tel: +44 (0)20 8546 9826 Fax:+44 (0)20 8547 1026 enquiries@databac.com

14 Low Farm Place, Moulton Park Northampton, NN3 6HY UK Tel: +44(0)1604 648344 Fax: +44(0)1604 646097 E-mail: info@gpsperimeter.co.uk Web site: www.gpsperimeter.co.uk

INDUSTRY ORGANISATIONS

PLANNED PREVENTATIVE MAINTENANCE

TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY

BRITISH SECURITY INDUSTRY ASSOCIATION Tel: 0845 389 3889 Email: info@bsia.co.uk Website: www.bsia.co.uk

THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY

SECURITY MAINTENANCE CONSULTANTS • Planned Preventative Maintenance (PPM) Specialists • Price Comparison Service (achieving 20-70% savings) • FM Support / Instant Reporting / Remedial Work • System Take-Overs / Upgrades / Additions • Access, CCTV, Fire & Intruder, BMS, Networks & Automation • Free independent, impartial advice Tel: +44 (0)20 7097 8568 sales@securitysupportservices.co.uk

SSAIB 7-11 Earsdon Road, West Monkseaton Whitley Bay, Tyne & Wear NE25 9SX Tel: 0191 2963242 Web: www.ssaib.org

INTEGRATED SECURITY SOLUTIONS SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

HONEYWELL SECURITY GROUP Honeywell Security Group provides innovative intrusion detection, video surveillance and access control products and solutions that monitor and protect millions of facilities, offices and homes worldwide. Honeywell integrates the latest in IP and digital technology with traditional analogue components enabling users to better control operational costs and maximise existing investments in security and surveillance equipment. Honeywell – your partner of choice in security. Tel: +44 (0) 844 8000 235 E-mail: securitysales@honeywell.com Web: www.honeywell.com/security/uk

POWER

STANDBY POWER SPECIALISTS; UPS, GENERATORS, SERVICE & MAINTENANCE

DALE POWER SOLUTIONS LTD Salter Road, Eastfield Industrial Estate, Scarborough, North Yorkshire YO11 3DU United Kingdom Phone: +44 1723 583511 Fax: +44 1723 581231 www.dalepowersolutions.com

POWER SUPPLIES – DC SWITCH MODE AND AC

DYCON LTD Cwm Cynon Business Park, Mountain Ash, CF45 4ER Tel: 01443 471 060 Fax: 01443 479 374 Email: marketing@dyconsecurity.com www.dyconsecurity.com The Power to Control; the Power to Communicate

INTEGRATED SECURITY SOLUTIONS

INNER RANGE EUROPE LTD Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead, Reading, Berkshire RG74GB, United Kingdom Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001 Email: ireurope@innerrange.co.uk www.innerrange.com

STANDBY POWER

UPS SYSTEMS PLC Herongate, Hungerford, Berkshire RG17 0YU Tel: 01488 680500 sales@upssystems.co.uk www.upssystems.co.uk

SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

TYCO SECURITY PRODUCTS Heathrow Boulevard 3, 282 Bath Road, Sipson, West Drayton. UB7 0DQ / UK Tel: +44 (0)20 8750 5660 www.tycosecurityproducts.com

UPS - UNINTERRUPTIBLE POWER SUPPLIES

ADEPT POWER SOLUTIONS LTD Adept House, 65 South Way, Walworth Business Park Andover, Hants SP10 5AF Tel: 01264 351415 Fax: 01264 351217 Web: www.adeptpower.co.uk E-mail: sales@adeptpower.co.uk

PERIMETER PROTECTION INFRARED DETECTION

UPS - UNINTERRUPTIBLE POWER SUPPLIES

GJD MANUFACTURING LTD

UNINTERRUPTIBLE POWER SUPPLIES LTD

Unit 2 Birch Industrial Estate, Whittle Lane, Heywood, Lancashire, OL10 2SX Tel: + 44 (0) 1706 363998 Fax: + 44 (0) 1706 363991 Email: info@gjd.co.uk www.gjd.co.uk

Woodgate, Bartley Wood Business Park Hook, Hampshire RG27 9XA Tel: 01256 386700 5152 e-mail: sales@upspower.co.uk www.upspower.co.uk


SECURITY

ONLINE SECURITY SUPERMARKET

EBUYELECTRICAL.COM CASH MANAGEMENT SOLUTIONS

LOOMIS UK LIMITED 1 Alder Court, Rennie Hogg Road, Nottingham, NG2 1RX T - 0845 309 6419 E - info@uk.loomis.com W - www.loomis.co.uk

Lincoln House, Malcolm Street Derby DE23 8LT Tel: 0871 208 1187 www.ebuyelectrical.com

INTRUDER ALARMS – DUAL SIGNALLING

WEBWAYONE LTD CASH & VALUABLES IN TRANSIT

CONTRACT SECURITY SERVICES LTD Challenger House, 125 Gunnersbury Lane, London W3 8LH Tel: 020 8752 0160 Fax: 020 8992 9536 E: info@contractsecurity.co.uk E: sales@contractsecurity.co.uk Web: www.contractsecurity.co.uk

11 Kingfisher Court, Hambridge Road, Newbury Berkshire, RG14 5SJ Tel: 01635 231500 Email: sales@webwayone.co.uk www.webwayone.co.uk www.twitter.com/webwayoneltd www.linkedin.com/company/webwayone

LIFE SAFETY EQUIPMENT

C-TEC PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB

INSIGHT SECURITY Unit 2, Cliffe Industrial Estate Lewes, East Sussex BN8 6JL Tel: 01273 475500 Email:info@insight-security.com www.insight-security.com

Challenge Way, Martland Park, Wigan WN5 OLD United Kingdom Tel: +44 (0) 1942 322744 Fax: +44 (0) 1942 829867 Website: http://www.c-tec.co.uk

PERIMETER SECURITY

TAKEX EUROPE LTD FENCING SPECIALISTS

J B CORRIE & CO LTD Frenchmans Road Petersfield, Hampshire GU32 3AP Tel: 01730 237100 Fax: 01730 264915 email: fencing@jbcorrie.co.uk

Aviary Court, Wade Road, Basingstoke Hampshire RG24 8PE Tel: +44 (0) 1256 475555 Fax: +44 (0) 1256 466268 Email: sales@takexeurope.com Web: www.takexeurope.com

SECURITY EQUIPMENT INTRUSION DETECTION AND PERIMETER PROTECTION

OPTEX (EUROPE) LTD Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre optic perimeter security solutions are owned by Optex. Platinum House, Unit 32B Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311 Email: sales@optex-europe.com www.optex-europe.com

PYRONIX LIMITED Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY. Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042 www.facebook.com/Pyronix www.linkedin.com/company/pyronix www.twitter.com/pyronix

SECURITY SYSTEMS INTRUDER AND FIRE PRODUCTS

BOSCH SECURITY SYSTEMS LTD

CQR SECURITY

PO Box 750, Uxbridge, Middlesex UB9 5ZJ Tel: 01895 878088 Fax: 01895 878089 E-mail: uk.securitysystems@bosch.com Web: www.boschsecurity.co.uk

125 Pasture road, Moreton, Wirral UK CH46 4 TH Tel: 0151 606 1000 Fax: 0151 606 1122 Email: andyw@cqr.co.uk www.cqr.co.uk

INTRUDER ALARMS – DUAL SIGNALLING

CSL DUALCOM LTD Salamander Quay West, Park Lane Harefield , Middlesex UB9 6NZ T: +44 (0)1895 474 474 F: +44 (0)1895 474 440 www.csldual.com

SECURITY EQUIPMENT

CASTLE Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042 www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity

www.twitter.com/castlesecurity

INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS

SECURITY SYSTEMS

RISCO GROUP

VICON INDUSTRIES LTD.

Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton, Manchester, M24 2SS Tel: 0161 655 5500 Fax: 0161 655 5501 Email: sales@riscogroup.co.uk Web: www.riscogroup.com/uk

Brunel Way, Fareham Hampshire, PO15 5TX United Kingdom www.vicon.com


Memories.

iFly Singapore, the world’s largest indoor skydiving simulator, uses Milestone XProtect® Enterprise surveillance software to monitor park grounds and give visitors a lasting memory. Flying at speeds of up to 186 miles per hour, the software records each skydiver’s flight and information using Radio Frequency Identification (RFID). After their flight, a video souvenir helps visitors relive all of the adrenaline-fueled moments. Proving again that XProtect is more than security.

More than security

Milestone XProtect® is the world’s leading IP video surveillance management software and is reliable, future proof and easy to use. It supports the widest choice in cameras and seamlessly integrates with business and security solutions such as RFID. Which means your possibilities are unlimited and you can keep your security options open. Milestone is hosting introduction days for new partners in the UK and Ireland. Visit our website to sign up! www.milestonesys.com

Milestone Systems UK Tel: + 44 (0) 1332 869380

