Risk UK October 2014


October 2014

Security and Fire Management

CCTV’s Watching Brief
Surveillance Camera Code of Practice in focus

BIM: Mitigating Risk in the Built Environment

Event and Leisure Sector: Training and Career Development

Fire Safety: Public Address/Voice Alarm Systems

Cyber Security: ‘State of the Nation’ in 2014



Have you tried Integriti yet?

Sophistication is not about size The Integriti Security Management System is an IP connected access control and intruder security system that offers sophisticated centralised management for both small systems on a single site, or large systems distributed across the country or across the globe.

With a growing list of new installations take a moment to think of what you’re missing! The Integriti system offers an advanced suite of software, hardware and integrated solutions to deliver complete management of your entire integrated system.

Inner Range Europe Limited, Units 10-11 Theale Lakes Business Park, Moulden Way, Sulhampstead, Reading, Berkshire RG7 4GB, UNITED KINGDOM

integriti@innerrange.co.uk

+44 (0) 845 470 5000 www.innerrange.com



Contents

34 Banking on Security Rob Mason, Becky Stones and Toby Duthie consider the impact of the FCA’s proposed Senior Management Regime

37 Note perfect Bob Lammin looks to the avoidance of risk in cash handling

Cyber Security: ‘State of the Nation’ (pp58-59)

39 PCI DSS: Best Practice to ensure compliance Alex Vovk and Mark Kedgley talk about payment card processing

5 Editorial Comment

6 News Update SRI Corporate Security study. Institute of Risk Management revises Diploma. NAO update on UK Cyber Security Programme

40 Voice Biometrics: Crying out for understanding Craig Pumfrey dispels the myths surrounding voice biometrics

42 Advanced Threat Detection Model Sean Newman assesses a new security model involving big data

8 News Analysis: SIA Corporate Plan 2014-2017 Brian Sims reviews the Security Industry Authority’s Corporate Plan 2014-2017 and the regulator’s Business Plan for 2014-2015

45 Ignore PAVA fire safety systems at your peril

11 News Special: BCI World 2014

48 The Security Institute’s View

The 2014 BCI World Conference and Exhibition runs at Olympia in November. Brian Sims previews the content for risk managers

51 In the Spotlight: ASIS International UK Chapter

12 Opinion: Addressing ‘The Terrorist Threat’

54 FIA Technical Briefing

Peter Webster elicits why now is exactly the right time for end users to engage with the providers of specialist security services

56 Security Services: Best Practice Casebook

Public Address/Voice Alarm systems outlined by Richard Paine

Gemma Quirke discusses future career development paths

14 Opinion: The Dark Web Peter Davies highlights the emergence of The Dark Web and the threats it poses to the business community and society at large

58 Cyber Security: ‘State of the Nation’ in 2014

17 BSIA Briefing

60 Risk in Action

How do we change the culture of ‘cyber’? Martin Smith responds

Phil Wright focuses on safety issues for Cash-in-Transit couriers

62 Technology in Focus

20 BIM: Mitigating Risk in the Built Environment Richard Shennan describes opportunities for reducing risk and cost in construction thanks to Building Information Modelling

65 Appointments

24 Keeping to Code

67 The Risk UK Directory

The latest people moves in the security and fire business sectors

Encouraging compliance with the Surveillance Camera Code of Practice is a key task for Tony Porter, as Brian Sims reports

ISSN 1740-3480

26 Eliminating ‘The CSI Effect’ from CCTV What can end users do to ensure their surveillance regimes are fit for purpose? Simon Lambert offers some compelling advice

29 HDcctv: Technologies and Standards In this Risk UK ‘Primer’, Todd Rockoff details the main elements of HDcctv and standards developed by the HDcctv Alliance

31 Management Skills by Design The importance of strong management education programmes must never be underestimated, as Mark Harding explains

Risk UK is published monthly by Pro-Activ Publications Ltd and specifically aimed at security and risk management, loss prevention, business continuity and fire safety professionals operating within the UK’s largest commercial organisations © Pro-Activ Publications Ltd 2014 All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical (including photocopying, recording or any information storage and retrieval system) without the prior written permission of the publisher The views expressed in Risk UK are not necessarily those of the publisher Risk UK is currently available for an annual subscription rate of £78.00 (UK only)

Editor: Brian Sims BA (Hons) Hon FSyI Tel: 0208 295 8304 Mob: 07500 606013 e-mail: brian.sims@risk-uk.com

Design and Production: Matt Jarvis Tel: 0208 295 8310 Fax: 0870 429 2015 e-mail: matt.jarvis@proactivpubs.co.uk

Advertisement Director: Paul Amura Tel: 0208 295 8307 Fax: 01322 292295 e-mail: paul.amura@proactivpubs.co.uk

Administration: Tracey Beale Tel: 0208 295 8306 Fax: 01322 292295 e-mail: tracey.beale@proactivpubs.co.uk

Managing Director: Mark Quittenton

Risk UK PO Box 332 Dartford DA1 9FF

Chairman Larry O’Leary

Editorial: 0208 295 8304 Advertising: 0208 295 8307

3 www.risk-uk.com



Audible & Visual Signalling

Klaxon Signals are specialists in the design and manufacture of world-class signalling equipment. Through innovation and technical expertise, Klaxon Signals produce state-of-the-art audible and visual signalling equipment, protecting and informing millions of people around the world. Klaxon Signals’ audible and visual signalling equipment is primarily used in Fire Evacuation, Industrial Signalling and Mass Notification applications

Tel: +44 (0)1706 233879 www.klaxonsignals.com



Editorial Comment

Fire Evacuation

Digital dilemma

According to a report issued by European policing agency Interpol, the first ‘cyber murder’ isn’t far away. Flaws in online security coupled with the increasing use of web-connected health-based devices could be the conduits for such an occurrence. Interpol’s report cites another document – published by US security concern IID – predicting the inaugural death caused by a “hacked Internet-connected device” could well occur before the end of this calendar year. Frightening.

A series of high-profile cases have duly highlighted the vulnerabilities of web-enabled gadgets to sabotage perpetrated by hackers. Prominent among them was the episode involving former US Vice-President Dick Cheney, who last year revealed that the wireless function on his defibrillator had been actively disabled to prevent a targeted cyber attack.

Worryingly, Interpol’s report suggests that police forensics teams are ill-equipped to deal with this threat. It also ponders whether face and voice recognition technology (‘Voice Biometrics: Crying out for understanding’, pp40-41) could be open to exploitation by criminals who may use wireless systems to lock people out of their homes or vehicles and demand that ‘ransom’ payments be issued before access is duly restored.

It’s certainly the case that ‘The Internet of Everything’ – which sees hospital healthcare systems and everyday devices, etc connected through online networks – represents an entirely new attack vector for cyber-savvy criminals to potentially exploit.

If all that wasn’t enough to worry about, it has emerged that MPs are now fearful the UK’s financial system could come under sustained cyber attack. A series of meetings have been convened amid concerns UK markets may not be sufficiently protected. This news emerges after last July’s security breach at JP Morgan – one of the biggest breaches in banking history, in fact – during which information belonging to over 70 million households and seven million businesses was compromised.

Add in the breach at online marketplace eBay earlier this year (‘PCI DSS: Best Practice to ensure compliance’, p39), which forced the company to advise no less than 145 million users they should change their passwords in order to avoid the potential compromise of personal data like e-mail addresses, dates of birth and telephone numbers. Then there’s the insidious rise of The Dark Web (pp14-15) to be considered. Taken together, these incidents absolutely highlight the sheer scale of the problem facing the authorities.

As always, the $64,000 question is: ‘What do we do about it?’ Perhaps the answer lies in changing the culture of ‘cyber’. In this month’s edition of Risk UK (pp58-59), recognised expert Martin Smith explains how enlightened companies have determined to make cyber security part of ‘business as usual’.

“They have shown how good security can be a business enabler rather than just a cost on the bottom line,” asserts Smith. “They have proven that it is indeed possible to gain by not losing. They have brought cyber security from the periphery and the shadows into the centre of the business stage, and they have merged it (and all other security functions) into a single risk management organisation embracing the ‘convergence agenda’.”

www.klaxonsignals.com/fire

Industrial Signalling

www.klaxonsignals.com/industrial&WAS

Mass Notification

www.klaxonsignals.com/massnotification

Brian Sims BA (Hons) Hon FSyI Editor

Visit the Klaxon website: www.klaxonsignals.com




News Update

Corporate Security Departments under close scrutiny in latest SRI sector study

What are the most important characteristics of an excellent Corporate Security Department, and what makes for an excellent security supplier? In the latest report from the Security Research Initiative specifically designed to address these major issues, both corporate security personnel and security suppliers are asked to rate various characteristics of outstanding performance. Interestingly, while they share similar views overall, it’s also the case that some striking differences are readily apparent.

What makes suppliers excellent?

The most highly valued characteristic is a determined focus on customer needs. Harbouring objectives specifically aligned with the client is also seen as crucial. While it’s most certainly viewed as important to have innovative and adaptive senior management, it’s more important to have excellent management on the front line.

Suppliers appear to attach higher importance than clients to some criteria, for example adopting new philosophies, a focus on training and learning and having excellent and visionary leadership in place. This may suggest suppliers are trying to do too much and would benefit from a greater focus.

The survey suggests suppliers are likely to agree strongly that price trumps quality. Indeed, the difference here is striking given the similarity of answers on other criteria. The fact that 47% of clients and 59% of suppliers agree strongly that suppliers can only be excellent if clients fully support them would seem to imply that clients may underestimate the crucial role they play.

There was some agreement that security is often not valued highly enough by host companies, and that they accord security suppliers less status than other suppliers.

Professor Martin Gill FSyI: Director of Perpetuity Research and Consultancy International


Clients (corporate security) and excellence

Understanding threats (91%), an effective security strategy (87%) and objectives aligned with the company (84%) are the three highest ranked characteristics for client excellence. While clients and suppliers believe security fares well in comparison to other business functions in terms of excellence, it’s often less effective at showing how it adds value.

Both suppliers and clients are in accord that security leaders need business skills, but only clients view security expertise as being of equal importance. From their point of view, suppliers consider this much less important. Like suppliers, clients appear to favour the carrot rather than the stick approach, suggesting excellent companies are those that focus on rewarding good performance.

There’s some evidence to suggest that clients do not fully recognise the price pressures placed on suppliers. For example, only one third of those clients questioned for this survey attach strong importance to paying the going rate for the job as a condition of excellence. According to both samples, and judged against all the criteria listed, it’s fair to say most clients do not achieve excellence.

Reputations are only temporary

Professor Martin Gill FSyI (director of Perpetuity Research and leader of the Security Research Initiative study) noted: “What is clear is that a reputation for being an outstanding performer is only temporary. There’s evidence from these findings that security undersells itself – suppliers to their clients and Corporate Security Departments to the wider business.”

Gill added: “Security is moving from being seen as a protector of assets to a facilitator of good business, and an essential one at that. However, it’s moving slowly and the sector needs to change from keeping its potential secret. The characteristics of outstanding performance need articulating. The good thing is that, by all accounts, those working in different aspects of security are largely in agreement about what it involves. Now the strategy must be to achieve it.”

Background to the research

The research is based on an extensive review of the drivers for business excellence. Responses were received from 200 representatives of security suppliers and 289 clients based around the globe. These direct responses were supplemented by 24 in-depth interviews.

The detailed study was undertaken by Perpetuity Research (which started life as a spin-out company from the University of Leicester) under the umbrella of the Security Research Initiative which, each year, conducts an analysis on a specific aspect of security.

*To download a free copy of the full report visit: http://perpetuityresearch.com/category/publications/security-researchinitiative/sri-publications/



Institute of Risk Management launches revised International Diploma

The Institute of Risk Management (IRM) has issued its revised International Diploma in Risk Management, the content of which is specifically designed to tackle complex real world risks. With 50% of US and European banking and capital market firms reporting a lack of skilled compliance staff, and nearly 40% recording an increase in the size of their risk teams, the hunt for qualified risk professionals is very much on.

The IRM’s revised International Diploma is based on the latest global risk standards and core competencies, in turn equipping professional risk managers with the skills they need to operate at the very highest level in today’s modern business environment.

“Since the original Diploma was created 25 years ago,” explained Dr Lynn Drennan (the IRM’s education programme director), “globalisation has become a reality, cyber risk is the new ‘normal’ and once-experimental industries are now mainstream. Our revised International Diploma ensures risk professionals are qualified to deal with today’s complex realities.”

Regulatory reforms such as the Dodd-Frank Act, Basel III and Solvency II have seen a new emphasis placed on risk management. Basel III demands that organisations address firm-wide governance and risk management, while Solvency II requires staff to have the necessary skills, knowledge and expertise in order to fulfil their responsibilities.

Against this backdrop, the IRM commissioned research into risk management competencies across the world, establishing an expert global Education Advisory Board to agree the new programme in conjunction with existing module leaders and examiners.

The final module of the Diploma – designated ‘Crises, Resilience and Future Risk’ – will provide risk managers with the skills they need to operate in today’s risk environment where major risk events – from natural disasters through to the latest global cyber attacks and health pandemics such as the Ebola crisis – frequently overlap.

The revised International Diploma comprises six modules generally completed over three years. Successful completion of the first two modules of the Diploma leads to the award of the International Certificate in Risk Management.

Visit: www.theirm.org for further information

National Audit Office issues update on UK Government’s dedicated Cyber Security Programme

The National Audit Office (NAO) has published an update on the Government’s National Cyber Security Programme for the Committee of Public Accounts. The Programme’s objectives include tackling cyber crime and making the United Kingdom one of the most secure places in the world in which to do business.

The NAO report finds that the Government has made good progress in improving its understanding of the most sophisticated threats to national security. However, the level of understanding around threats to wider public services remains variable.

While exports in UK cyber products and services increased by 22% between 2012 and 2013, progress in encouraging trade and exports has been slow and, according to the NAO’s survey of stakeholders, this is the objective against which the Government currently has the poorest performance.

Some progress has been made in encouraging businesses and citizens to mitigate risks, particularly in enticing larger companies to take action. That said, the Government has realised a limited impact in targeting SMEs and struggled to communicate guidance in a way that meets their needs.

Responding to the report, Hugh Boyes from the Institution of Engineering and Technology (IET) commented: “While the Government’s investment in this area has increased the capability for the public sector, there’s still much to be done to strengthen UK industry.”

Boyes continued: “Current cyber security initiatives are focused on providing the skills for individuals employed in cyber security roles. This is a short term solution. It doesn’t address the need to improve the security awareness and skills of everyone involved in the design, production and use of software-based systems which is going to require much investment in education and training.”


Security Industry Authority outlines key goals for regulation in forward-thinking corporate strategy

The Security Industry Authority’s Corporate Plan 2014-2017 and the Business Plan for 2014-2015 highlight a challenging agenda for the regulator, including the introduction of mandatory business licensing, the licensing of the private investigations sector and ongoing improvements to ensure the delivery of a modern, digitally-based regulation regime executed at lowest possible cost. Brian Sims examines the detail

Following a request from Government in 2010, the Security Industry Authority (SIA) has worked with Westminster, the security sector and the devolved administrations on plans for a new regulatory regime. The Home Office has accepted recommendations for that new regime wherein there’ll be a primary focus on the mandatory licensing of security businesses. The emphasis is shifting, then, with a lighter touch approach to the licensing of individuals and greater responsibilities for security businesses themselves.

The regulator most certainly believes that business licensing is key not only to the effective and ongoing development of regulation but also for the security industry as a whole, with chairman Elizabeth France CBE and CEO Bill Butler jointly stating: “The impact of some businesses’ poor quality services and the influence of organised crime in the industry affects all, in turn undermining fair competition, holding down standards, exploiting low paid workers and increasing risks to the public.”

Arrangements for implementing the new regime are well developed, of course, but – to the dissatisfaction of many sector professionals – have been postponed at the behest of the Home Office until necessary secondary legislation can be introduced. Home Secretary Theresa May has committed to give the security sector three months’ notice of the commencement of business licensing and a further six months before implementation (at which point it would become a requirement for companies to be licensed).

Referring to the present state of play, James Kelly – CEO at the British Security Industry Association (BSIA) – commented: “The Government has failed to identify a legislative vehicle by which to enact the planned changes, in turn placing the original implementation target of 2015 in real jeopardy. As part of the Security Regulation Alliance, the BSIA has been at the heart of these negotiations and still hopes that the industry can achieve clarity on a future regime within the current Parliament.”

Support for the BSIA’s cause has been pledged by members across all parties as well as a significant number of Police and Crime Commissioners, many of whom use private security companies to provide back office support to their police forces, in turn allowing officers to spend more time on front line duties and less time focused on paperwork.

Home Secretary Theresa May

Regulation of private investigations

The Home Secretary first announced that private investigators would be brought into the regulation mix in July last year. In the foreword to the SIA’s Corporate Plan 2014-2017 and Business Plan 2014-2015, France and Butler comment: “We believe that this is an important sector to regulate. The coincidence of this and the introduction of business licensing will allow for an effective regulatory regime for the sector.” The duo also assert: “The absence of business licensing would, we believe, seriously compromise our ability to identify and regulate private investigations effectively.”

A core objective throughout the period 2014-2017 remains the delivery of an effective service to end customers and member companies enshrined within the Approved Contractor Scheme (ACS), all the while supported and underpinned by robust compliance and enforcement activity. There’s no doubt that ACS membership has supported improvements in quality across the industry, with businesses from all sectors and of all sizes represented and registered and approved companies demonstrating clear commitment towards maintaining and developing high standards.

Lessons learned to date from the ACS afford the regulator a sound base from which to deliver the competence requirements necessary for business licensing and a platform for the delivery of an ACS framework that would complement such licensing.

Delivery of effective services at the lowest possible cost remains a key goal for the regulator. Costs have been reduced by just shy of £12 million between 2009-2010 and the 2013-2014 total of £25.9 million. In turn, this allowed a 10% reduction in fees during 2012. Current fee levels have been held since then. In real terms, the SIA’s fees for a three-year licence are now at their lowest point since the regulator’s life began. At £220, this is the equivalent of £157 when costed at 2003 prices.

The regulator’s commitment is that it will deliver business and individual licensing – as well as the ACS – to higher standards and for less cost than was the case under the old regime. The expectation is that total costs will be below the £25 million mark come 2015-2016.

There’s a desire to develop further confidence in partner organisations with a view to the ongoing prevention of criminality in the security sector. Further, the Business Plan for 2014-2015 cites percentage targets around variables relating to protection of the public. These are as follows:

• Correct application of licensing criteria at time of decision-making (Target: 99.5%, monthly monitoring)
• Percentage of licence applications granted correctly at time of decision using SIA licensing criteria (Target: 99.5%, monthly monitoring)
• Percentage of security operatives in the UK appropriately licensed or deployed using a valid Licence Dispensation Notice during random SIA inspections (Target: 95%, quarterly monitoring)
• Disclosures that do indicate public safety concerns completed within five working days (Target: 90%, monthly monitoring)
• Percentage of assessment or decisions on disclosures received from partners that do indicate public safety concerns completed within five working days (Target: 90%, monthly monitoring)
• Disclosures that don’t indicate public safety concerns completed within ten working days (Target: 90%, monthly monitoring)
• Percentage of assessment or decisions on disclosures received from partners that don’t indicate public safety concerns completed within ten working days (Target: 90%, monthly monitoring)

At the end of their joint Executive Summary for this latest report, Elizabeth France and Bill Butler make a telling statement: “Delays and uncertainties in respect of the legislation to bring forward business licensing and the regulation of private investigations mean that the delivery of new arrangements within planned timescales will be difficult for the SIA and, more importantly, impose different time pressures on the licensed industry.”

Clearly, the delivery of timely legislative change by Government and continuing support from the industry at large is going to be vital.

Security Industry Authority CEO Bill Butler set to retire in Summer 2015

Bill Butler – the hugely successful chief executive of the Security Industry Authority (SIA) – is to retire in the Summer of 2015, and the search to recruit his successor is now underway.

Butler joined the regulator back in July 2009, having previously held the post of director of corporate services at the Gambling Commission (where he was part of the team that led the establishment of the new regulator for the gambling industry). Butler has also worked in a number of other large national organisations, including the Audit Commission (where he qualified as an accountant and held a number of roles, among them regional director for central England and director of health) and the Healthcare Commission, where he served as finance director. Butler holds a degree in law and is a member of the Chartered Institute of Public Finance and Accountancy.

The job advert issued by the security sector’s regulator on recruitment consultant GatenbySanderson’s website reads: “Playing our part in protecting the public remains the priority. We are looking for a new chief executive who will bring a successful track record of leadership at Board level in the public or private sector. You must be a strong leader. Excellent stakeholder engagement skills will be critical, and there will be a high level of success in delivering change within your career to date. This is an exciting time to join the SIA.”

Elizabeth France CBE, chairman of the SIA, commented: “This is an important appointment and I want to ensure that we find an excellent replacement for Bill. We have the time and opportunity to make sure this change happens with the minimum impact on the SIA’s services, stakeholders and staff.”

France added: “To ensure continuity, Bill has agreed to stay on until his successor is in place and a handover complete. That may be the end of Summer 2015. In the meantime, Bill will be with us for many months yet, making sure we keep our plans on track. We’ve a lot of work to do, and it will be business as usual at the SIA.”

Closing date for applications (Ref: GSe17021) is Monday 13 October. Preliminary interviews will be held week commencing Monday 27 October, with an Assessment Centre taking place week commencing Monday 17 November. The final panel interview is to be conducted on Thursday 4 December.

*Interested candidates should contact Michael Dobson (tel: 0207 426 3968) or Mark Turner (tel: 0207 426 3983) at GatenbySanderson


Security solutions for today’s challenging times

Consultancy Operational Consultancy Manned Guarding Training Information and Intelligence Communications Support Technical Systems Equipment

Global economic pressures are forcing organisations to review expenditure across the board. But, the security issues remain the same. So, do you cut your security? Pilgrims offers a complete and complementary range of security, communications and support services, backed by an unmatched commitment to the highest level of quality, efficiency and client care, to reduce costs not cover. Our expertise and global experience allow us to deliver robust, practical solutions for today’s challenging financial climate.

For more than ten years, Pilgrims has been supporting clients across the globe, protecting and enabling their businesses to continue in spite of threats from terrorism, serious organised crime and natural disasters. Our personnel are handpicked for their experience, skills, training and personality to match the requirements of our clients. This, combined with our continual exposure to the world’s hot spots and difficult regions, makes Pilgrims the ideal choice for advice and support. Pilgrims provides a global service, with local knowledge through our employment of local personnel, quality control, continual ongoing training and our relationships with specialists and local partners.

We can help you find the right solution. Call Pilgrims on: +44 (0)1483 228 786 www.pilgrimsgroup.com



News Special: BCI World - The BCI’s Annual Conference 2014

‘Listen, Learn, Lead’: Business Continuity in focus

The 2014 edition of the Business Continuity Institute’s (BCI) World Conference and Exhibition plays out on 5-6 November at London’s famed Olympia in what is the BCI’s 20th year of operation. The highly prestigious event is set to explore business continuity and resilience through an excellent and varied educational programme which includes keynote speakers and three main conference streams – designated Listen, Learn and Lead.

The three keynote speakers cover wholly different perspectives. Professor Steve Peters is a best-selling author, consultant psychiatrist and psychologist to several of the world’s leading sports stars. Professor Peters will use his wealth of experience in understanding people’s minds to help control the irrational, impulsive and seemingly impossible parts of our mind that can often hold us back.

Beginning his career as a mathematics teacher, Professor Peters then switched to medicine and specialised in patients with severe and dangerous personality disorders. His focus is now very much on how the mind can enable people to reach optimum performance in all walks of life. Professor Peters has been described as “a genius” by Team GB cycling coach Dave Brailsford. Many decorated Olympians – among them Sir Chris Hoy MBE and Victoria Pendleton CBE – have attributed their successes to him.

Meanwhile, Martin Fenlon MBCI – business resilience co-ordinator within the Emergency Planning College at the Houses of Parliament – will review how that specific location is designed to protect against today’s risks and threats thanks to built-in resilience. Also, Dr Rob Macfarlane – assistant director, training and doctrine (CCS) at the Cabinet Office – is set to announce a new national standard for Organisational Resilience (namely BS 65000).

Conference programme in detail

In the Listen Stream, delegates will be able to hear practitioners share lessons learned, while the Learn Stream is designed around world class training based on the BCI’s Good Practice Guidelines. Finally, the crux of the Lead Stream is interactive and detailed thought leadership discussions and debates. The Listen Stream features a presentation from Hugh Morris MBCI (Marsh Consulting) on organisational resilience. Also, the future of business continuity management – a vitally important topic – is to be tackled by Matthias Rosenberg MBCI of Controll-IT AG.

The Business Continuity Institute’s annual BCI World Conference and Exhibition 2014 takes place at London’s Olympia in early November. Risk UK is an Official Media Partner for the event, previewed here by Brian Sims

How your business might advance global resilience is the subject of a detailed presentation by GlaxoSmithKline’s Jason Miles. Cyber resilience and data security is to be discussed by Drew Gibson MBCI (Atos Consulting) and Rene Cornelisse MBCI (KPN). Other subjects scheduled for coverage include crisis management and ‘The People Factor’. The Learn Stream encompasses some fascinating subjects. Looking at business continuity management lifecycles, in terms of design all delegates can learn how to determine continuity recovery strategies and tactics and then develop – and implement – specific business continuity planning. These subjects will be overseen by Mel Gosling MBCI of The Continuity Shop. Finally, the Lead element of conference – sponsored by PwC – focuses on standards. Here, there’s a panel session overviewing standards development at the national, European and international levels. There’s also a debate entitled ‘Risk Management versus Business Continuity Management’ to be chaired by Chris Green. Is business continuity a profession? Patrick Alcantara and Deborah Higgins MBCI of the BCI will lead a core competencies and skills session. Find out what knowledge, skills and experience are required of today’s business continuity practitioners and what demands will be placed upon them in the years ahead.

*To book your place at BCI World 2014 visit www.thebci.org or send an e-mail to: events@thebci.org




Now is not the time to take risks with security

The dangers posed by Islamic State-related terrorist activity necessarily mean that higher standards of vigilance and security provision are required across UK plc. Peter Webster assesses the threat landscape and explains why now is the right time for end users to engage with specialist security services providers

Homegrown extremism must be taken seriously and yet estimates vary wildly about the extent of the problem. When it comes to numbers then matters are disconcertingly vague. The UK Foreign and Commonwealth Office has stated that anywhere between 400 and 500 individuals have left the UK to fight in Syria since the uprising began, but Khalid Mahmood MP recently explained that he believes this figure could be much higher (and that over 1,500 young British Muslims may have travelled to wage jihad since 2011). Whatever the exact figure is, as the murder of Lee Rigby on the streets of London demonstrated it doesn’t take huge numbers of extremists to cause utter chaos.

Recognising the present dangers

On 29 August this year, Home Secretary Theresa May announced that the UK’s terror threat level had been raised from ‘Substantial’ to ‘Severe’ in response to conflicts in Iraq and Syria (News Update, Risk UK, September 2014, pp6-7). Meaning that an attack on the UK mainland is highly likely, this action should inform the decisions and thought processes of organisations regarding the level of security they ought to have in place. The ‘nature of war’ has evolved such that it’s as much about terrorising innocent civilians as it is about soldiers fighting each other on the field of battle. This is asymmetric warfare, and no more is that evident than in the escalating threat posed by the Islamic State (IS), also known as the Islamic State of Iraq and the Levant (ISIL) or the Islamic State of Iraq and Syria (ISIS). The truly shocking video that appeared online of the British aid worker David Haines being beheaded by what appears to be a militant with an English accent suggests that the dangers posed by Islamic fundamentalism are closer to home than some of us would care to imagine. Undoubtedly of equal concern is that some of the individuals involved with fighting for the IS are reportedly returning to the UK and looking to target people, property and/or assets on home shores.


Although the Government must increase its investment in counter-terrorism resources across both the public and private sectors, it’s incumbent upon us all to recognise the present dangers, take them seriously and implement measures to minimise any possibility of attack. There are obviously some locations, organisations and establishments at higher risk of attack than others. For example, companies with American links, those that are Government related or that supply equipment to our Armed Forces are more likely to be targeted. High profile locations such as the City of London will also be on the terrorists’ ‘Hit List’. However, it would be naive of us to think that an attack would only take place in one of the UK’s larger cities. The fact is that terrorism could manifest itself anywhere and at any time. Far too many organisations are seemingly oblivious to how vulnerable they are in the real world. Just as worryingly, there is sometimes an inability to look at the ‘bigger picture’ in terms of identifying the reasons why a particular organisation could be a target, from where a threat might originate and what to do about that threat when it does rear its ugly head. Obviously, the task of identifying exactly who these IS-affiliated individuals are is extremely difficult. Therefore, countering such an insidious and covert threat requires a well imagined security strategy. That strategy will include security officers operating at the peak of their profession and their licensed powers. Given the current state of play and a juncture when the need for excellent protection is paramount, it’s somewhat surprising that there still appear to be some organisations prepared to compromise by using integrated service



Opinion: Strategies for Addressing ‘The Terrorist Threat’

bundling. Also known as Total Facilities Management, the term describes a portfolio of services that can also include building maintenance, catering and cleaning with the individuals involved on such contracts often undertaking a number of different roles. What, then, is the key procurement driver behind bundled services? The simple answer is a desire to cut costs. The problem here is that while such decisions might look good on paper and please the finance director, they will more than likely result in a service falling some way below accepted Best Practice levels.

Accepting a compromise solution

Security is quite unlike any other service. Only a specialist solutions organisation can provide the best possible outcome for the end user. It stands to reason that, by opting for a bundle of services, customers are accepting a compromise and vastly reducing the likelihood of receiving a security solution that meets their unique and bespoke needs. What’s more, should a security event occur, clients do need to question whether a bundled service provider would be able to deal with the situation. With so many variables at play, host organisations must carry out a risk and threat assessment to ensure that they’re in the best position possible to deal with any real or perceived danger.

Security specialists are often blessed with in-house experts possessing recognised academic and professional security qualifications. They can absolutely understand an end user organisation’s needs and then offer objective advice about how to meet them. They’re also in a position to offer strategic security reviews, develop corporate security policies and strategy documents and carry out regular and thorough security audits. Undertaking an in-depth analysis of an organisation’s activities, premises and facilities means that the risks may be fully understood and then acted upon. For example, managing the security of a business that’s American-owned and based in the UK – as well as having facilities located in other parts of the world affected by political violence or extremism – requires planning and contingencies that extend far beyond a local perspective. Every bit as important, regular reviews of existing security programmes and measures are necessary to maintain adequate safeguards. A security strategy that was relevant five years ago might not be so today.

The term ‘bundling’ is also open to misinterpretation as it’s common to both integrated service bundling and security bundling. The latter refers to the ability of a specialist security solutions provider to offer security guarding, surveillance technology, access control and remote monitoring in a package. Knowledge about how these key elements work together is crucial to maximising potentials. Such expertise is something only a security specialist will harbour. Using bundled security services makes complete sense. Indeed, employing different suppliers for security guarding and surveillance technology is unwise. It’s a model that’s considered the norm in most of Europe, yet the UK seems to be lagging behind. This is surprising given the way in which bundled security services can streamline an entire security infrastructure and render it more operationally efficient and cost-effective.

Peter Webster: CEO of Corps Security

Risk and threat assessment

Only after completing a professional risk and threat assessment is it possible to configure the most appropriate security solution incorporating the correct number of high calibre, well-trained and qualified security guarding personnel. A specialist provider will be able to deploy individuals able to protect specific environments and who have been afforded training and support that enables them to perform their roles to the very highest standards. This includes, for example, ‘Operation Fairway’-based training and the ability to carry out sensitive questioning, hostile reconnaissance recognition and Post Room threat identification. Specialist solutions providers are also at the forefront of professionalising the security industry and recognise the importance of continually investing in their officer-grade personnel such that they receive the knowledge and skills they need in order to develop as individuals and advance their careers. For the end user customer, this means that they benefit from having security personnel on site who are motivated, enthusiastic, cooperative, proactive and able to identify possible gaps in processes and procedures.




The Dark Web: Saviour of free expression or a criminal’s playground?

Many of those who commit to high levels of digital encryption are doing so not to exercise their democratic rights but rather to engage in criminal activity on an industrial scale. Peter Davies highlights the emergence of The Dark Web and the threats it poses not just to the business community and security managers but also wider society

extreme and perverted mindsets can find company and ‘normalisation’. As is the case with security, in a job like policing it’s easy to allow our constant contact with the negatives in life to distort our world view. I’ve lost count of the number of media articles ascribing a wholly negative value to new technology, often seeming to blame the technology for the way in which some people use it. Not only is it futile to try and reverse the direction or speed of progress, but there are so many seen and unseen benefits to life in the digital age that it would be undesirable to do so in any event.

Understanding – and tackling – cyber threats

For the past 28 years I’ve served as a police officer in the UK. Across much of the last decade, in helping to lead the fight against serious and organised crime I’ve been involved with local police forces and those at regional and national levels. Most recently, during my time as CEO of the UK’s Child Exploitation and Online Protection Centre (CEOP), I have become even more aware of how rapidly the digital world is transforming the nature of myriad threats posed to our lives, safety and property. As the Internet becomes an ever more integral part of our daily existence – and, indeed, the lives of those people and organisations we protect – it’s easy to be dazzled by the variety of ‘new’ threats now emerging. None of these threats are completely new. In my view, it’s more an instance of the traditionally worst facets of human nature – for example lust, greed and envy – finding a new medium in which to express themselves. Admittedly, it’s a medium that can amplify their effect many times over, overcome the kind of local social controls that repressed many of the worst behaviours in the past, change the risk-reward balance in favour of offending and create communities wherein even the most


On the basis that a digital, mobile, data-intense life is our new normality, there’s a need for security professionals – just like law enforcers – to change their understanding of threats and how to tackle them. Taking part in the ASIS European Security Conference held at The World Forum in Den Haag last April, I was particularly impressed by how far the security industry has come in a relatively short space of time to provide the technical and human means for identifying, quantifying, understanding and mitigating so many new threats. In many senses – and this is only my personal view – the industry has shown levels of agility and investment which have proven far harder to achieve in some areas of law enforcement. All that said, even at the cutting edge there are risks that are hard to spot, process and tackle – and they’re all the more threatening because of their low visibility. One such risk – or, to be correct, one more avenue for a variety of threats to propagate – is what many commentators refer to as The Dark Web. There are different forms of this in existence, but the prize for inventing the concept goes to the US Navy, who developed a means of combining numerous disparate personal computers into a network that could offer negligible risk of discovery through conventional online investigation. The purpose of this exercise was laudable: to enable operatives in parts of the world where Internet surveillance is the norm to send information from point to point without risking interception or capture. Who knows how much more secure the world is because of the enabling benefits of The Onion Router (US Patent 626704, 1998)? Who knows how much



Opinion: The Dark Web

use has been made of it – or similar systems freely downloadable from the Internet – to enable the seeds of democracy to take root or highlight Human Rights abuses that would otherwise have remained under wraps? For our part, we are in the security business. We tend to focus on the downsides. It’s our job and, in considering The Dark Web, the downsides are considerable. In my experience The Onion Router, among other things, has become the network of choice for a number of people who want to operate beyond the reach of law enforcement. Everyone is entitled to seek to uphold their privacy and, post-Snowden, more people than ever before are probably thinking long and hard about how to do so, but many of those who commit to high levels of encryption are doing so not to exercise their democratic rights but rather to engage in criminal activity on an industrial scale. Look in the right places – thanks to new projects such as the UK’s National Cyber Crime Unit and Europol’s European Cyber Crime Centre, official information is easier to come by than ever – and you will see that the level of criminality on The Dark Web is alarming. It’s as if the criminal population thinks there’s not the slightest risk of detection. Silk Road – an anonymised marketplace successfully disrupted in 2013, but active for many years before that – was a bit like the amazon.com of contraband. A single Silk Road screenshot shows 502 different drug items for sale, nine sources of weaponry and other items such as jewellery, data and so on. Let’s not kid ourselves that all those sellers and buyers have now suddenly disappeared, although let’s hope their activities have at least been disrupted.

Triggering embedded malware

If the security threat created by the existence of an undetectable means of monetising contraband and confidential data, etc isn’t enough to stir your interest, think about The Dark Web as a vehicle for the delivery or actuation of other forms of threat, notably cyber crime. As recently as February of this year, Kaspersky Lab reported that The Onion Router was being used to trigger malware already embedded in systems (one of the sleeper cyber crime threats that’s also more difficult to identify until the harm is already perpetrated).

Just like the rest of the digital world, new ways of using the technology to commit crime are being found. If the online paedophile community – my biggest target at CEOP – is anything to go by, there’s a chance that The Dark Web will be the centre of gravity for the worst offenders. People who will openly boast of the abuse they are inflicting, share footage with others and, in some instances, ruthlessly commercialise the suffering of children. If we’re really serious about keeping abreast with – or looking to get ahead of – the cyber threat, we absolutely need to include The Dark Web in our considerations. A comprehensive cyber threat assessment or mitigation strategy cannot be complete without it. The Dark Web is a sophisticated means of facilitating numerous cyber risks including the loss of data, assets and intellectual property and rendering more likely the type of critical reputational damage that can follow. In short, it creates another avenue for personal vulnerabilities to emerge. The good news is that, post-Snowden, the rapid rise in use of The Onion Router experienced in the Summer of 2013 has subsided. There isn’t a country on Earth where more than 0.3% of the population are end users so it’s hardly a pervasive technology – yet. The bad news is that recent events will only drive more users into encryption and secrecy, and towards those still dark places where threats can flourish. There’s no simple solution, but there is enough cause for concern to push more and more security and risk managers towards starting to identify and mitigate this threat with the same innovation and forward-thinking philosophies that – on the evidence provided by this year’s excellent ASIS European Security Conference – have already delivered so many beneficial outcomes.

Peter Davies: ACPO National Policing Lead for Security Industry Liaison




Our focus is taking HD to the extremes

That’s why our MIC IP 7000 HD ruggedized PTZ cameras feature starlight and wide dynamic range technology to deliver detailed video in low light, harsh light and no light in the toughest locations. Crisp images combined with intelligent Dynamic Noise Reduction saves up to 50% on bitrates and therefore storage requirements, while equally reducing network strain. Integrated intelligence focuses operator attention when pre-defined alarm rules are breached and automates tracking of moving objects. Get the highest quality IP video images in the most challenging surveillance conditions. Learn more at uk.boschsecurity.com



BSIA Briefing

Cash-in-Transit: Reducing the risks faced by couriers

Falling victim to attacks and/or robberies remains a very real threat for the security sector’s dedicated Cash-in-Transit couriers. As Phil Wright explains, with interim reports for 2014 suggesting that crime figures are in danger of rising, the British Security Industry Association is continuing its work to reduce the risks faced by couriers as they fulfil duties that keep the UK economy ticking

Transporting around £500 billion every year – the equivalent to £1.4 billion every day – the UK’s Cash-in-Transit industry performs an essential public service, maintaining cash movement and actively supporting banks, retailers and businesses to facilitate millions of transactions on a daily basis. However, the large amount of cash involved renders Cash-in-Transit couriers particularly vulnerable to attempted robberies and physical attacks. In 2013, the number of attacks on couriers reached a record low, with just 270 attacks taking place. That’s 30% less than in 2012, and an impressive 75% decrease on the all-time high figure of 1,060 attacks back in 2009. Despite this reduction, though, couriers do remain susceptible to attack, particularly when carrying cash across the pavement from their secure vehicle to a client’s premises.

Despite an overall reduction in the number of attacks, serious injury remains a very real threat. Overall injury rates have decreased since 2012, but almost a quarter of attacks in 2013 (24%, in fact) resulted in some kind of harm for the cash couriers involved. Further, the proportion of attacks where firearms were used (or their use was intimated) has risen from 10% in 2012 to 14% last year.

A few years ago, the BSIA’s Cash and Valuables in Transit (CVIT) Section and the Home Office jointly commissioned the Jill Dando Institute of Security and Crime Science at UCL to assess the nature of Cash-in-Transit offences and the effects of these crimes. The research was carried out by analysing police and industry recorded crime data, criminal conviction records and interviews with incarcerated offenders. A report outlining the findings was published in 2011. The study highlights the fact that, despite the ongoing risk of serious injury to couriers, offenders still perceive Cash-in-Transit robbery to be a business crime with no real impact visited on any individuals. Following interviews carried out with convicted criminals, it appears that: “Offenders (and particularly those who are younger and newer to the crime) perceive CVIT robbery to be a victimless crime. They use this to justify their actions.”

Reducing the risks faced by couriers remains a key focus of the partnership approach taken by the private security industry, the Home Office and police services across the country. With 2014 figures to date indicating some slight month-on-month rises in the number of attacks perpetrated on couriers, the commitment of all stakeholders to the continuation of this partnership approach has arguably never been more important.

SaferCash: tackling the criminals

Established in 2007, SaferCash is a security sector initiative which aims to reduce the number of attacks on Cash-in-Transit couriers through the effective sharing of intelligence between businesses within the Cash-in-Transit sector and police services nationwide. Operated by the BSIA, SaferCash provides a national framework for information and intelligence sharing between individual police forces and security personnel, while at the same time offering essential and immediate support for Cash-in-Transit crews who may witness any suspicious incidents. Steve Hurst, head of SaferCash, commented: “For couriers going about their daily duties, the published attack figures can never be far from

Phil Wright: Chairman of the BSIA’s Cash and Valuables in Transit Section


their minds. It’s for this reason that we as an industry, along with our colleagues in Government and police services across the country, cannot afford to rest on our laurels.” Establishing a partnership between industry and the police service has afforded SaferCash the ability to identify linked offences and spot where organised crime groups are active across force boundaries. In the case of Cash-in-Transit, these gangs are operating on an increasingly nationwide basis, impacting negatively on local communities and often using the proceeds of their actions to fund other criminal enterprises such as drug dealing or human trafficking.

Key findings from the Jill Dando Institute of Security and Crime Science’s dedicated research confirm the police service and industry’s existing understanding that Cash-in-Transit crime is not an isolated form of criminality. The report findings show that Cash-in-Transit robbery often involves multiple offenders engaging in an array of criminal activities in the preparation, execution and aftermath of an attack, resulting in a wide-ranging and detrimental impact on society. Among other crimes, vehicle offences are most frequently linked to Cash-in-Transit criminality. Not only are stolen cars often used in high-speed getaways, but more cumbersome vehicles – such as those in the construction sector – will surface in similar types of crimes where, for example, ATM machines are ripped from the walls of supermarkets.

Thanks to partnership working between the police and the private security industry, criminals caught up in this web of cash crime now face a greater chance than ever of being caught and convicted. Through crime reduction initiatives such as Banknote Watch – which unites the manufacturers of forensic note marking technology with the police and stakeholder organisations including the Bank of England – information sharing enables stolen banknotes to be traced back to the scene of a robbery or linked directly with the perpetrators.


Hilaire O’Shea, national co-ordinator of Banknote Watch, explained: “When the police find stained banknotes, unique taggant technology can help them quickly and easily trace given notes back to the scene of a specific crime. In turn, this can help them track down vital supporting evidence to help secure a conviction. Each taggant has its own unique chemical code which shows up under ultraviolet light. This can attach itself to a criminal’s clothes or skin, or the inside of a car or home in which the stolen notes are stored.” Importantly, these solutions can remain traceable for years, so it’s important for the police to be able to recognise them and fully understand the procedures they can follow in order to secure the vital evidence required.

Parking negotiations in progress

With Cash-in-Transit couriers at their most vulnerable when crossing pavements, reducing the journey between the security vehicle and the client’s premises is an important way in which risks can be minimised. Sadly, it remains the case that many cash vehicles are still forced to park illegally to make safe deliveries. Since 2008, the BSIA’s dedicated Parking Charge Notice appeals team has been working on behalf of members to appeal parking tickets issued to Cash-in-Transit vehicles parked outside delivery points across the UK. Pleasingly, constant contact with local authorities has resulted in the team winning more than 16,300 appeals and saving member companies a total of £1.7 million.

With most major UK cities – including Birmingham, Glasgow and Manchester – allowing parking dispensation to cash couriers, 95% of tickets are now issued in London. However, support is growing here, too. Following negotiations by the BSIA on behalf of its members, agreements are now in place to allow cash couriers special consideration in a number of London Boroughs including Camden, Westminster, Wandsworth, Bromley, Enfield, Newham and, importantly, the City of London.

Dick Hanks, CVIT liaison manager at the BSIA, commented: “We’re absolutely delighted to have reached the significant milestone of £1.7 million and deliver such a tangible benefit for our members.” In addition, Hanks explained: “Cash couriers face the risk of robbery and violence on a daily basis, with many victims suffering physical and psychological harm as a result. Members of the public and customers often become involved with incidents and it’s their safety, as well as that of professional couriers, that’s at the very heart of our ongoing activities in the sector.”



OxyReduct® fire prevention

REMOVING THE THREAT OF FIRE.

The new Library of Birmingham has chosen OxyReduct® to protect its valuable archives, the same as over 700 other businesses and organisations around Europe. No matter how good your fire detection, extinguishing or suppression system is, a fire has to start for it to work – so some damage is inevitable. In mission critical applications where any business interruption is unacceptable or where warehouse stock or archives are invaluable, a different approach to fire prevention is needed.

OxyReduct® employs innovative technology that continuously reduces the oxygen level in a room by adding nitrogen to the air. The oxygen is reduced to a level in which combustibles do not inflame and an open fire is impossible. Importantly, people can enter the area of risk.

Visit our in-house demonstration facility and experience a fire-free environment at first hand.

www.wagner-uk.com

Integrating, monitoring and protecting

The risks faced may change but Reliance High-Tech remains one step ahead. For over forty years we have been trusted by government departments, major corporations and private customers to provide protection at the highest level.

Innovators in security technology

From physical security, emerging cyber-threats, advanced PSIM to smart monitoring services; we work hand-in-glove with customers to ensure total protection. So whatever the threat or challenge at Reliance High-Tech we have the expertise, experience and resources to deliver the best solution. Call us now to discuss your requirements in strictest confidence.

0845 121 0802 www.rht.co.uk



Modelling out risk and cost: Why BIM is the future for construction

When combined with powerful software tools, the improved management of information engendered by Building Information Modelling can fundamentally enhance almost any project process and, as Richard Shennan describes, unlock new opportunities for reducing risk and cost

Building Information Modelling (BIM) is often thought of as simply a method of designing in 3D but, in truth, this is merely the tip of the iceberg in terms of the value BIM can actually deliver. Due to the fact that it improves the accuracy, accessibility and sharing of information – and facilitates more effective scheduling, costing and construction management – BIM is an effective tool for reducing project risk. BIM also offers new opportunities and tools for value engineering and waste elimination, in turn creating time savings and the ability to ‘get things right first time’. Each of these variables contributes to significant project cost reductions for the host organisation.

The crucial word in Building Information Modelling is ‘Information’. BIM enables superior organisation, analysis and retention of information of all kinds. When combined with powerful software tools, this improved management of central information can fundamentally enhance almost any project process and, therefore, unlock new opportunities to reduce both risk and cost. Any project generates reams of data, from 3D geometry to costs, scheduling, carbon, structural quality, light and temperature, maintenance, safety and myriad other facets. Traditionally, each data set would be held separately, with multiple copies disseminated onto different desks. By contrast, BIM creates better information flows and collaboration. Everyone accesses the same central

20

www.risk-uk.com

information source, creating confidence that each user has the most accurate, up-to-date data available. Duplication of work can be eliminated, while data may be directly shared between project parties with no loss of knowledge. This reduces the risk of inconsistency and saves time. Considerable time can also be saved in the preparation of drawings, quantities, activity schedules and other documents which may be generated automatically from the model and then quickly re-generated after any changes.

Cutting-edge design to the fore

Working in 3D offers powerful design capability – not least the ability to automatically detect clashes that can be easily rectified at the design stage but would be costly if not discovered until the project is live on site. Likewise, it can be invaluable for designing and planning complex operations such as the jet grouting required for ground stabilisation works as part of the Victoria Station upgrade project in central London. Here, collaboration between the project team and the specialist contractor around a common data set enabled the modelling of each grout column using BIM, not to mention use of data from the model when setting out the column locations on site. As such, the risk of clashes with the area’s buried utilities was eliminated.

BIM doesn’t stop at 3D. There’s also a fourth dimension: time. 4D BIM integrates scheduling with design, meaning the central model contains information such as when each element will be built, and when and where plant and materials are needed. The construction sequence – as well as vehicle and plant movements – may be visualised within BIM to test logistics and avoid clashes while the implications of any delay can be immediately assessed, with obvious benefits in terms of heading off risk.

The fifth dimension is cost. Costs associated with each element may be tracked within 5D BIM. Not only can this reduce the time required to prepare a cost plan by as much as 80%, but it also makes the cost implications of any decisions much more visible. This is particularly useful for design ‘optioneering’: alternative options can be modelled and their costs calculated in real-time, in turn enabling the development of a design that offers optimal value for money.

Countless specialist analyses can be performed through BIM. For example, Mott MacDonald uses its own pedestrian modelling software, designated STEPS, to test evacuation times and reduce the safety risk to occupiers. Designs can be tested for their natural heat and daylight gain, and can therefore be optimised for energy efficiency. Sun path data may be used to assess how a structure will affect light levels reaching neighbouring properties, which can then facilitate planning applications. Further, geotechnical analysis will aid the assessment of safety risks posed to contractors by any necessary excavation or slope. Also, structural analysis can enable more comprehensive design ‘optioneering’ than ever before, as demonstrated on Mott MacDonald’s recent tender design of Northern Ireland’s Casement Park Stadium (above, right). Design optimisation also includes designing out risks, both for construction and operation.

BIM may be integrated with carbon data. Mott MacDonald’s own cost and carbon modelling tool, LifeCYCLE, affords us clearer understanding of a design’s cost and carbon implications in the asset management period, allowing earlier certainty about whole-life costs and meaning that clients can bring forward decisions which would otherwise have been impossible due to a lack of tangible data. Minimising carbon emissions on every project is becoming more important as Government, regulatory and corporate agendas increasingly demand that each project plays its part in addressing global climate risk.

Minimising risk of costly redesigns

BIM famously produces high quality project visualisations. These are more than pretty images, though. They, too, can help reduce risk and cost. When clients and stakeholders such as maintenance operatives see the design in 3D they can immediately understand it, recognise any issues and give meaningful feedback. They instantly gain a sense of the spaces, access routes and sight lines that will be produced. It’s even possible to realise visualisations that users can interactively ‘walk around’ as if immersed in a digital video game. Such clarity and transparency from an early stage helps minimise the risk of costly redesigns. Moreover, BIM centres on collaboration both within and between project parties. By co-operating in a central model, teams are impelled to share their information and form closer working relationships which can help mitigate the risk of disputes.

BIM reduces risk and cost beyond design and into the construction stage. For example, BIM’s visual nature means site inductions may be delivered in a clearer and more effective way, resulting in better mitigation of Health and Safety risk – particularly when English is not site workers’ first language. Visualisation through BIM is also increasingly used on site for ‘tool box talks’ to help operatives understand upcoming operations and associated risks, and for planning the movements of people and materials in the short term. BIM can also improve the management of – and access to – safety documentation associated with the site’s design. Extracting data directly from the model reduces the risk of human error in setting out and plant operation (as in the aforementioned jet grouting example). Later, an ‘as-built’ model may be updated on site in real time by using mobile devices to record the work completed. Bypassing the need to log work, convey that data to the office and then update the model, this virtually instant process reduces the risk of inaccuracies and saves on time and cost.

The as-built model can become a valuable asset once the project is complete. Clients can receive a highly detailed model of their new asset with comprehensive records of each element’s attributes and history, including the security systems in place. They may also use this model to optimise asset performance and track maintenance activity, reducing the need for future surveying and modelling. Health and Safety information can also form an integral part of this organised data set, related to the spatial model such that operators have all the relevant information to hand when needed. Many clients currently lack the capacity to make the most of BIM in this phase but it’s well worth developing those skills. Pennsylvania State University in the USA reported that, by incorporating BIM within its asset management procedures, the organisation has achieved savings of $2.2 million per annum.

Making the case for BIM

BIM is able to improve risk and cost profiles in many and varied ways. Like Mott MacDonald, many consultants are now moving towards using BIM as standard. However, due to the fact that BIM changes a project’s cost profile by encouraging greater resolution of problems up front in order to reduce the work needed on site and beyond, full and effective use of BIM also depends on participation by the client. The figures do speak for themselves. BIM enabled Mott MacDonald to achieve a 52% time saving on the tender design of Casement Park Stadium and a 65% time saving on construction of the London 2012 Olympic shooting venue.

Eur Ing Richard Shennan BSc (Eng) CEng MCIBSE MInstE is Buildings Practice Manager at Mott MacDonald and a recognised BIM expert

BIM and Security: dynamics of the system design process

Prior to the advent of Building Information Modelling (BIM), building design was based on 3D scale models devised by architects, traditional 2D drawings and copious lists of elements such as windows, doors and all ‘materials’ in between necessary for the structure at hand, writes Brian Sims. Often, designs completed in this way would run to hundreds of pages of information – all of which would need to be rigorously checked for conformity with myriad regulations not to mention general compatibility. Given this scenario, it’s perhaps of little surprise to learn that mistakes could occur, some of which wouldn’t be readily apparent until construction was set in motion. The end result? Potential cost and schedule overruns caused by necessary but often time-consuming remedial works.

Building Information Modelling (BIM) allows the various design disciplines to generate drawings, schedules and proposed costings by way of computer. One of those disciplines, of course, is security. What role, then, does BIM have to play in security system design? In essence, BIM affords the security design team an improved visualisation of how the project will appear in the real world. It yields greater control over the design process and realises extremely realistic feedback on how a given security system will actually operate in the post-installation phases.

In practice, the BIM environment enables the designer(s) to strategically locate security systems in specific areas of a given building plan and coordinate them with other objects. In this way, system performance may be assessed ahead of physical construction and any necessary modifications or improvements made to planned operation. BIM packages comprise ‘smart’ objects representing physical elements such as walls, floors, doors, drainage and air conditioning systems in addition to security systems.

In terms of the latter, let’s consider CCTV. Network camera developer Axis Communications has issued a set of 3D CAD security camera models for deployment with Autodesk Revit CAD software (which is actually designed for BIM). Those models may be included as part of a design and delineate which spaces will be under surveillance upon their installation. When a ‘virtual’ camera is located within the building model, important detail such as resolution and focal range is then made available. As you can imagine, this cuts back quite dramatically on design time and pinpoints any obstructions to a certain camera’s field of view that might not have been so obvious if the design were being completed by way of those aforementioned and more conventional 2D sketches.

Importantly, received wisdom suggests that BIM renders the integration of a facility’s proposed security solutions with other operational systems that much easier. The design team can really see how the planned security set-up interacts with the rest of the building and its constituent parts. The resulting improvements in accuracy and efficiencies actively help to mitigate risk and, importantly, enable the realisation of a more cost-effective and robust security solution for the building owner/manager.

“Due to the fact that it improves the accuracy, accessibility and sharing of information – and facilitates more effective schedule, cost and construction management – BIM is an effective tool for reducing project risk”



Keeping to Code

Providing salient advice and information to members of the public and system operators alike in relation to the effective, appropriate, proportionate and transparent use of CCTV is but one facet of the UK Surveillance Camera Commissioner’s role, as Brian Sims reports.

In March this year, Tony Porter QPM LLB was appointed UK Surveillance Camera Commissioner at the Home Office – a role created under the Protection of Freedoms Act 2012 with a view to ensuring that CCTV systems are deployed to protect and support communities rather than spy on them. Porter – a retired senior police leader whose roles included commanding the North West Counter-Terrorism Unit from 2006 to 2012 – deservedly received Her Majesty The Queen’s Police Medal in the New Year Honours List of 2008. He will now carry out a three-year term of office as UK Surveillance Camera Commissioner having taken over the reins from predecessor Andrew Rennison (who held the role on an interim basis following his own dedicated stint as the forensic science regulator).

Porter’s key task focuses on encouraging compliance with the Surveillance Camera Code of Practice – introduced by the Home Office in June 2013 under Section 30 of the aforementioned Protection of Freedoms Act – and, in tandem, reviewing that same Code’s operation as well as providing advice on it (in relation, for example, to any changes introduced within or, indeed, breaches to ‘Terms and Conditions’ that have taken place).

The Code of Practice applies to ‘relevant authorities’ (principally local authorities, police services and Police and Crime Commissioners) across England and Wales operating surveillance camera systems in public spaces. Those ‘relevant authorities’ must have regard to the Code of Practice when exercising any functions to which it relates. Although any failure to observe the rules set down does not of itself make anyone liable to criminal or civil proceedings, the Code is admissible as evidence in either scenario. Suffice to say the Surveillance Camera Commissioner states that due regard must be paid to the Code by end users when they’re having new systems installed or otherwise reviewing those currently deployed.

Tony Porter: UK Surveillance Camera Commissioner

The 12 Guiding Principles

There are 12 Guiding Principles underpinning the Code which, if followed, will create a CCTV framework designed to reassure members of the public that surveillance camera systems are used effectively, proportionately and transparently. The first four concentrate on the development and use of camera systems, whereas numbers five through to 12 are all about the use (and processing) of both images and information. The first principle states that the use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary in order to meet an identified pressing need. Second, the use of a surveillance camera system must also take into account its effect on individuals and their privacy, with regular reviews making sure that CCTV’s use remains entirely justified. The third Guiding Principle is that there must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints. Fourth, there must be clear responsibility and accountability for all surveillance camera activities, including images and information collected, held and subsequently used. Clear rules, policies and procedures – states the fifth Guiding Principle – must be in place before any surveillance system is set to work, and have to be communicated to all who need to comply with them. Moving on to the sixth principle, no more images and information should be stored than that which is strictly required for the stated purpose of a CCTV solution. Such images and information should be deleted once their purposes have been discharged. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access (and for what purpose such access is granted). 
The seventh Guiding Principle goes on to state that the disclosure of images and information ought only to take place when it’s necessary for such a purpose or, indeed, law enforcement requirements. Principle 8 outlines that surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose, and also work to meet – and, equally, maintain – those standards. Surveillance camera system images and information should, according to Principle 9, be subject to appropriate security measures in order to safeguard against any unauthorised access and use.



CCTV: Surveillance Camera Code of Practice

The tenth Guiding Principle in the Code of Practice outlines that there should be effective review and audit mechanisms designed to ensure legal requirements, policies and standards are complied with in practice, and that regular reports should be published. When the use of a CCTV system is in pursuit of a legitimate aim – and there’s a pressing need for its use – it should then be used in the most effective way such that it supports public safety and law enforcement with the aim of processing images and information that’s of evidential value and use. Last, Principle 12 asserts that any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up-to-date.

What the Guiding Principles mean

“In essence, the 12 Guiding Principles balance the rights of the citizen against the needs of the State,” explained Tony Porter. “They ensure that surveillance camera systems are used appropriately and proportionately. They enable communities to hold CCTV operators to account such that surveillance cameras are only ever used for an acceptable purpose. They mean that CCTV should not be used in such a way that it breaches an individual’s reasonable expectation of privacy.”

The UK Surveillance Camera Commissioner’s role is very much in line with the current Government’s stated desire to cut red tape. As such, there’s no extra burden placed on business, and Porter has no powers of either enforcement or sanction. Naturally, Porter works closely with other regulators in the surveillance space, among them Information Commissioner Christopher Graham, the Rt Hon Sir Anthony May (the Interception of Communications Commissioner), the Rt Hon Sir Christopher Rose (Chief Surveillance Commissioner at the Office of Surveillance Commissioners) and Biometrics Commissioner Alastair MacGregor QC.

The area of greatest overlap lies with the Information Commissioner. “We have a Memorandum of Understanding in place,” stated Porter. “This makes clear where the overlaps exist and ensures they’re properly managed.” The Information Commissioner’s Office has produced its own CCTV Code of Practice, and this provides guidance on how end user organisations operating overt surveillance equipment that captures or records personal data can comply with their legal obligations under the 1998 Data Protection Act. The Information Commissioner’s document references the enforceable requirements of that Act right across the UK and covers all sectors.

Porter – who served as national co-ordinator for the Pursue agenda throughout the duration of London 2012 before going on to work at Barclays as head of physical security intelligence – is “determined to provide leadership” for the CCTV sector and make certain that his team at the Home Office is the first port of call for anything related to surveillance camera systems. It’s a bold ambition, as is another stated desire to raise standards and agree an “effective framework” that will enable the sector to standardise and simplify its approach. Moving from a plethora of guidance and standards towards something that’s more end user friendly can only be a good thing.

Given the speed of surveillance development, remaining abreast of myriad changes in technology – and ensuring that those changes are Code of Practice compliant – is going to require diligence of the highest order. “Technology moves forward at a fast pace and will present new and dynamic issues,” asserted Porter. “There’s no doubt that my role presents complex and challenging issues that impact on matters of social policy, Human Rights and crime prevention.”

In conclusion, Porter said: “My commitment to everyone is to ensure an open and transparent approach to the role. I’m seeking to raise levels of confidence across communities and interest groups as to the use of surveillance cameras and the standards against which those systems operate.”


Eliminating ‘The CSI Effect’ from CCTV

Given the fact that many end user customers of CCTV are not experts in this field, what can they do to ensure the surveillance regime they procure is fit for purpose and satisfies the host organisation’s requirements? Simon Lambert offers some compelling advice for risk and security managers.

The ‘CSI Effect’ is a very real and worrying development in the CCTV arena and across forensic science in general. Since the popular American TV show first aired on our screens back in October 2000, its legions of fans have been privy to over 300 episodes drip-feeding dramatic and compelling stories about the ways in which technology and ‘cool people in white coats’ can solve every mystery that emerges. Even the real law enforcement teams are not immune to this distortion of reality.

A few days after the terrorist bombing at Madrid railway station in 2004, thousands of miles away in the United States an attorney by the name of Brandon Mayfield was arrested. Mayfield was held by law enforcers because his fingerprints had been matched to those found in Spain. Pleading no connection with the atrocity whatsoever, Mayfield was eventually released. He received a very rare apology from the FBI because the ‘incontrovertible’ science of fingerprint matching had failed and – if you’ll excuse the all-too-obvious pun – duly ‘fingered’ the wrong individual.

The ‘cool people in white coats’ have limits. CSI:NY is fantasy and we must realise the truth that the producers of such programmes simply cannot make up new laws of physics on our behalf, particularly so when it comes to CCTV. Many end users of CCTV that I encounter remain seduced by ‘The CSI Effect’. The problem comes when they immediately assume pictures from their poorly designed and badly maintained surveillance regime can be made good in the notional CSI Lab. Genuinely, it’s difficult to make people – even many police officers – accept the fact that CSI on the TV isn’t true. This illusion gives a false sense of security. It means they fail to recognise badly designed CCTV and shoddy maintenance.

Naturally, the majority of buyers are not experts in CCTV so they rely heavily upon the advice of those who should be: sales people, installers/integrators, system maintainers, police crime prevention advisors and so on. Sadly, it’s true that many of these advisors provide poor advice to their innocent customers. I can state this to be the case because, in my role as a CCTV consultant, I’ve often been tasked to deal with the aftermath.

Why would a sales person help to create an unsatisfactory surveillance design? I was a CCTV salesman 20 years ago, so I know that targets can pressure these individuals into ‘quick and dirty’ sales proposals whereby the assumption is that the Engineering Department resident back at base will fix everything if the purchase order comes in. However, this correction doesn’t usually happen because to do so would eat up all the profit margin on the project. Subsequently, the installation technician on site will generally put up the cameras as they see fit on the day rather than bothering to follow the design spec.

As the customer is no expert, and sees lots of lovely new pictures on his or her screens, they accept it and pay the bill. Little do they know of the disappointments stored for the future. Upon their discovery, they can blame the original ‘experts’ until they’re blue in the face. By then it’s way too late. It’s so much cheaper to get it right from the beginning. On that note, here are some compelling ideas for CCTV buyers, installers and consultants.

Simon Lambert BSc (Hons) MIET MASC RISC: Principal security consultant at Lambert & Associates and Technical Lead for the CCTV National Standards Forum

Capture enough picture detail

The detail in each image must be sufficient for its intended purpose. In so many CCTV systems this is where the design fails. Obviously, wide-angle views cannot carry the same detail as narrow close-ups. In practice, a balance must be struck between these two extremes. For example:

• Wide vista with tiny anonymous figures or vehicles moving about?
• Narrow it a little for enough detail to recognise familiar people?
• Accept that a narrow close-up is necessary for identifying strangers?

CCTV: Lowering Risk in Surveillance Design

Decide at the outset what details each CCTV camera’s image must render. The UK Government’s CCTV guidelines issued by way of the Home Office Scientific Development Branch explain how system designers can arrive at the correct outcome [1].

Buy-in for a reliable design

As stated, it’s very often the scenario that CCTV owners who must agree design parameters are not specialists so they can find this stage of the proceedings very off-putting, and particularly so during technical meetings. Here’s the secret sauce. For many years now I’ve helped non-CCTV people confidently reach these technical decisions using a purely pictorial approach that anyone can view. I simulate a picture from each of their future CCTV cameras on my laptop using 3D CAD models of their site. Then we can join forces and try out any number of ‘What if?’ scenarios, including blind spots and car number plates. Without suffering any jargon, the non-CCTV participants can truly see the level of detail in the images and obtain realistic expectations at this very early stage in the process such that any future disappointment is neatly avoided.

Developments in 3D CAD software

When this idea of 3D CAD software to simulate camera views first hit me back in 1997, that software was far too expensive to play with. In 2000, I completed my first design using TurboCAD 7, progressing to trueSpace in 2003 and Sketchup [2] in 2011. None of these programs have specific CCTV tools inside them so I developed bespoke techniques within. Now, software such as JVSG [3] has become a ‘regular’ because it’s specifically designed for CCTV projects like the alternative CCTV CAD [4]. So popular is this idea today that several CCTV manufacturers are now offering their own branded CAD tools. Even scene lighting design – so often a weakness in CCTV – is possible thanks to free software like Relux [5]. Outwith the CCTV world, architects and construction consultants are now using 3D CAD in the form of AutoCAD and Revit [6].

Simpler specifications are the best

Two important things I’ve learned over 25 years in the CCTV arena go like this. As a salesman trying to win a big tender, I need not have stayed up all night before a deadline trying to guess what the buyer’s heavy specification actually wanted. Its author didn’t understand it either, and my competitors were at home fast asleep having ignored all of the details and quoted instead what their price list contained. They could win the work on cost alone. As a consultant, I’ve seen sales people do this with my specification then installers install CCTV without bothering to refer to that spec at all.

Solve this problem by adding the images that illustrate, simulate, predict and previsualise… Call it what you like. The software can help you lay out a Control Room, equipment rack and junction box assembly, etc before anyone reaches for the screwdriver. All of my CCTV designs over the past few years have used this method. Been there, done that and bought the T-shirt several times over.

Why? We’re CCTV consultants whose services are hired so that our clients can reduce their risks. Not only the security-focused risks, but also the other risks like wasting money that lurk inside every new project. Non-technical CCTV customers will understand that what they’re about to receive will satisfy their needs and those of the host organisation. Sales people know that their competitors cannot hoodwink with a shortcut. Installers know what they will need to hand over to the end user customer. For their part, the end user customer can be confident they’ve received the surveillance regime for which they’ve paid. In a nutshell, that’s how you lower risk in surveillance design.

References
1. ‘CCTV Operational Requirements Manual’, Home Office Scientific Development Branch [Available online: http://www.nactso.gov.uk/system/cms/files/127/files/original/28_09_CCTV_OR_Manual2835.pdf]
2. www.sketchup.com
3. www.jvsg.com
4. www.cctvcad.com
5. www.relux.biz
6. www.autodesk.com


innovation through experience

More than 30 years of Innovation & Experience Apollo Fire Detectors have been protecting lives and properties worldwide for more than 30 years. As industry leaders, we use our expertise and experience to provide customers with the latest technology to meet the challenges of the most demanding environments.

For more information visit www.apollo-fire.co.uk



HDcctv: The Risk UK Primer for End Users

HDcctv: Technologies and Standards

In an exclusive interview with Risk UK, Todd Rockoff – executive director of the HDcctv Alliance – outlines why risk and security managers would do well to familiarise themselves with HDcctv Alliance standards and the compliant solutions now available to suit their surveillance regimes.

Risk UK: HDcctv... What is it and why does it matter to end users?

Todd Rockoff: HDcctv technologies are specialised solutions designed for transporting HD surveillance video from cameras to Control Rooms in secured sites. HDcctv technologies are configured to be as reliable, as convenient to use and as affordable as PAL. HDcctv equipment is particularly effective for upgrading legacy CCTV systems to HD – HDcctv cameras provide HD video without the expense of installing new cabling infrastructure or enhancing the existing infrastructure. It’s worth end users discussing HDcctv options with their chosen installer or integrator. If end users do decide to ‘go HD’ then HDcctv-compliant equipment is the only sure way to enjoy Plug-and-Play functionality.

Risk UK: Can you explain the detail behind the HDcctv Alliance?

Todd Rockoff: The HDcctv Alliance is the group of manufacturers who manage the HDcctv standards and promote the use of specialised HD surveillance local site transport technology. The Alliance is a non-profit company regulated by the Australian Securities and Investments Commission. Alliance Members are drawn from all over the world and include semiconductor manufacturers, equipment developers and the producers of companion components such as cables and connectors.

Risk UK: What exactly are the HDcctv Alliance standards in practice?

Todd Rockoff: HDcctv DT 2.0 and HDcctv AT 2.0 are the current standards. DT (‘Digital Transmission’) is based on SMPTE HD-SDI technology and is backwards compatible with HDcctv 1.0. AT (‘Analogue Transmission’) is based on Dahua HDCVI technology. DT 2.0 and AT 2.0 share a common Control-over-Cable protocol which allows cameras to be managed from the convenience of the Control Room via existing infrastructure without the need for running separate control wires.

Risk UK: Are the standards gaining acceptance?

Todd Rockoff: The importance of the HDcctv standards continues to grow in step with the booming market for HDcctv equipment. Going forward, we expect increasing numbers of manufacturers to embrace Plug-and-Play because differentiating video equipment by the technology used to transmit video signals inhibits sales. A big step in the journey towards a common standard is the recent announcement that Dahua, the world’s second largest CCTV product manufacturer, is licensing its HDCVI transmission technology – the basis of the HDcctv AT 2.0 standard – through the HDcctv Alliance Member Intellectual Property Agreement. This means that other Alliance Member manufacturers – even Dahua’s direct competitors – can secure licenses to apply HDCVI technology for their own HDcctv AT implementations.

Risk UK: How might end users take advantage of HDcctv Alliance-compliant products?

Todd Rockoff: Technical details become a direct concern for end user customers only at that point when they fail to meet expectations, for example should the cameras fall off the walls or the HD surveillance transmission within the building prove to be unreliable, inconvenient or low fidelity. To take full advantage of HDcctv, end users should be sure to marry cameras with DVRs bearing the same compliance marks. That’s really all they need to know. Risk and security managers should discuss their needs with chosen installers or integrators in detail and ask them if they’ve considered using HDcctv solutions for any forthcoming surveillance projects.

Todd Rockoff: Executive Director of the HDcctv Alliance


Event and Leisure Security: Training and Career Development

This summer, Showsec experienced the biggest single working day in the company’s history when the epic Tour de France once again visited British shores. Record staffing levels – more than 100,000 shifts, in fact – and record numbers of management hours were delivered across a busy four-month period during which we provided crowd management and security services for the Tour in addition to several other high profile events.

It’s vitally important to provide a career pathway for individuals while ensuring there’s continuous improvement in our service delivery for purchasing end users. On that basis, training and development programmes have underpinned Showsec’s success for many years now, and particularly so since the introduction of our Academy. We operate a dedicated Training and Development Centre, a Management Development Programme and an e-Learning Programme.

The proof of the pudding is in the eating, as they say, and feedback from the Management Development Programme has been extremely positive. “It’s remarkable how quickly things have progressed for me, and that’s testament to the training programmes in place at Showsec,” explained Tim Chambers, our area manager for Liverpool. “The company offers a great career pathway. Yes, you do have to make sacrifices when working nights and weekends in this line of business, but there are tremendous rewards in terms of the career you can develop.”

Louise Stockden, Showsec’s area manager for greater London, added: “The company’s training programmes provide all the support anyone could need to further their career. From an early stage of the Management Development Programme I was afforded valuable experience by dint of being tasked with important roles in the London office. Within a few weeks of starting the Programme, it was very much a case of being in at the deep end running security at The Roundhouse. From then on, everything developed to a point where I’m now responsible for another iconic venue – the SSE Arena at Wembley.”

Developing managerial talent

The latest addition to our extensive education offer for members of staff takes the form of an Area Managers Development Programme. This provides our 14 area managers and a number of specially selected operations executives with the opportunity to elevate their knowledge and skill levels. We believe this will help the business and its constituent individuals to meet the challenges and issues presenting themselves as we endeavour to progress.

Management Skills by Design

Another record-breaking summer at security specialist Showsec was underpinned by the strength and depth of the company’s management teams who provided highly effective leadership at so many major events throughout the UK. As Mark Harding asserts, the importance of strong management education programmes should never be underestimated

Some of these area managers and operations executives have graduated through our aforementioned Management Development Programme and the Foundation Degree focused on Applied Professional Studies in Crowd Management. Both are integral elements of the educational qualifications framework we’ve developed to reflect the company’s aspirations.

We’ve worked in excellent partnership with the University of Derby Corporate to ensure that our education programme is not about off-the-shelf qualifications but rather learning that’s bespoke to the specialised industry in which we operate. It’s also learning that meets many of our own specific requirements. The University of Derby Corporate has assisted us once again in creating the new Area Managers Development Programme.

The education programme has been set up across two groups, not because of a need for competition between them but to facilitate participation by helping those involved to focus on all the essential elements of key development work without it affecting their own operational patterns. This highlights a need for universities in general to perhaps

Mark Harding: Managing Director of Showsec and Chairman of the UK Crowd Management Association


become more commercially astute and, in doing so, offer bite-size chunks of education which then transform into qualifications. Only by providing more flexible options can we afford further impetus to the drive for raising industry standards. This opens up further educational opportunities for career progression. Bite-size chunks of education make perfect commercial sense because qualifications would then become more accessible to many capable individuals looking to further their careers. Not only would this serve the best interests of public safety and staff development throughout the sector but – and just as significantly – it would also provide additional assurances to our end user customers that they’re the proud recipients of the very highest standards in security services.

Engagement with stakeholders

Everyone benefits when you have a training and development programme in place that allows individuals to acquire qualifications and fulfil their potential. Clients and stakeholders alike want to see a continual improvement in standards, and that’s exactly why they’re willing to play an active part in that whole process. The engagement we have with external stakeholders – who continually offer a fascinating insight into what they expect from a company such as ours – is of enormous benefit. The very fact that they’re prepared to give their time and support to add more value to these education programmes is a measure of their own desire to witness even higher standards of service delivery on site.

Our commitment to achieving that aim isn’t confined to the Area Managers Development Programme. As we expand upon the training and educational opportunities in place at Showsec, a key part of our delivery centres on the aforementioned online e-learning and e-briefing platforms. In order to raise standards at the entry point to the security sector, we’re making six online training modules a mandatory procedure for all members of staff. While new starters have to comply with this initiative from the outset, those individuals already working for us will also have to complete the training modules by the early stages of next year. As you can well imagine, this represents a massive commitment on the part of our Training Department.


If all members of staff have attained a certain level in their initial training, this ensures there’s even greater consistency in the delivery of our services right across the business. Returning to an earlier theme, again this forms part of our desire to provide career pathways for different generations of specialist event/crowd managers and security operatives. In addition to generating significant opportunities for new recruits, we’re also looking to develop our existing personnel and help them climb the career ladder.

Raising standards in security

It doesn’t stop there, though. We also have a responsibility to help the security industry itself raise the bar, which is exactly why we’ve played a prominent role in creating qualifications. In addition to the development of an internationally-recognised Level 2 Award for Front of Stage Pit Barrier Operations orchestrated in partnership with the Highfield Awarding Body for Compliance (HABC), we’ve also been directly involved in the creation of National Occupational Standards.

In my capacity as chairman of the United Kingdom Crowd Management Association (UKCMA), I’ve been able to influence the development of the National Occupational Standards for crowd management and security which are now in their final phases prior to gaining official approval. The new qualification wouldn’t have reached this stage without the tremendous commitment of UKCMA members and strong support from HABC as well as many industry experts, most notably Martin Girvan from the Sports Ground Safety Authority and Ruth Oliver. It’s the determined ambition of those in influential positions to create fit-for-purpose qualifications which will benefit individuals, clients and, indeed, public safety in general.

One of the difficulties the industry faces is the lack of a one-stop shop for all qualifications. At present, the sector is wholly reliant upon a series of educational establishments and qualifications providers. Therefore, we hope the National Occupational Standards will be the first stage in the development of industry-wide qualifications which will inevitably assist in unifying the whole educational process and present a clearer pathway for those wishing to build a successful career in our line of work. Ultimately, that particular scenario can only be for the good of everyone, but most of all it will assist in improving public safety and render the experience for those attending events an even more enjoyable one.



Banking on security

Rob Mason, Becky Stones and Toby Duthie consider the impact of the Financial Conduct Authority’s proposed Senior Management Regime for companies and individuals in terms of both liability and practical preventative measures

In July this year, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) published a joint consultation paper on the proposed Senior Management Regime, Certification Regime and Conduct Rules. The regulatory changes outlined are broad in scope but their intention is clear. Regulators are striving to ensure accountability to make both individual and corporate enforcement a somewhat easier process. Put simply, an absence of proof will no longer be a defence but rather evidence of culpability – systemic or individual. Alongside ever larger and often duplicative fines, this is part of a wider US-led international enforcement trend.

By defining a sufficiently broad set of roles to be ‘Senior Management Functions’, requiring a ‘Statement of Responsibilities’ for each senior manager and a firm-wide ‘Responsibilities Map’ between functions and managers, the FCA and the PRA will ensure the Senior Management Regime is effective in identifying individuals responsible across all regulated activity. The proposed regulation changes will raise the stakes significantly for senior managers by

reversing the burden of proof relating to breaches of regulation and introducing a ‘presumption of responsibility’. Under the proposals, the FCA and the PRA will require senior managers to demonstrate that they took ‘reasonable steps’ to prevent, stop and/or remedy regulatory breaches which occurred in their area of responsibility or face sanctions. Typically, the FCA and the PRA are providing no guidance as to what they regard as ‘reasonable steps’ but will, in practice, determine these on a case-by-case basis. Reversal of the burden of proof under the Senior Management Regime is not without precedent in UK law. The 2010 Bribery Act introduced the offence of failure of a commercial organisation to prevent bribery perpetrated either by an employee or an agent acting on a given company’s behalf. Just as taking ‘reasonable steps’ to prevent regulatory breach is a defence under the Senior Management Regime, a company might avoid prosecution under the Bribery Act if it can ably demonstrate that it had ‘adequate procedures’ in place designed to prevent bribery ‘on the balance of probabilities’. Unlike the FCA and the PRA in relation to the Senior Management Regime, the Ministry of Justice has provided some guidance as to what constitutes ‘adequate procedures’ under the Bribery Act. 
The six principles are:

• Proportionality: Action should be proportionate to the risks faced and to the size of the business
• Top level commitment: Make sure that all your staff and key business partners understand that you do not tolerate bribery
• Risk assessment: Research and assess the bribery risks faced by the business
• Due diligence: Know exactly who you are dealing with
• Communication: Communicate clearly your policies and procedures to all members of staff and business partners alike
• Monitoring and review: Monitor and review the anti-bribery steps taken to ensure continued effectiveness as risks evolve

From a practical rather than legalistic compliance perspective, when analysing the Senior Management Regime in light of these six principles, we see the most likely areas of deficiency to be in Principle 3 (Risk assessment) and Principle 6 (Monitoring and review) because approaches towards both have tended to be reactive rather than proactive.

Risk assessment in banking

Historically, risk assessment in investment banks has followed three themes. First, there


has been a focus on the performance of internal assessments of well-understood risks (unauthorised trading, for example). The second theme is all about engaging with the regulators, listening to their current focus and mirroring that focus. Last, there’s the tendency towards monitoring the news to see what’s alleged to have happened at other firms and assessing whether it did happen, is still ongoing or could occur at your own company. The salient lesson to be learned from the world of bribery is that such a largely reactive approach will no longer suffice. Effective risk assessment requires a detailed mapping exercise encompassing analysis of what risks are at issue and the identification of where they manifest themselves – both directly and indirectly. The assessment should be based on empirical transactional sampling to demonstrate whether the controls and procedures are being adhered to and whether or not they’re robust and wide-ranging. If a known risk isn’t flagged through initial sampling then that sampling must be expanded to address the situation and all relevant controls subsequently enhanced as required. The risk assessment should be periodically reviewed and adjusted to take account of changes in market behaviour, the introduction of new products and transactional reviews.

Monitoring and review procedures

Most financial entities have sharpened the review process to which they subject complex deals prior to execution by imposing in-depth independent internal peer and management review, as well as enhancing the audit trail for the decision-making process. Electronic records – e-mail, voice recordings and chatroom logs, etc – are kept to provide evidence in case of dispute or allegation of wrong-doing after a financial deal is closed.

A potential flaw in the review of a complex deal is that it occurs at a single point in time, typically immediately prior to deal execution. Thus ‘red flags’ which may have arisen during the gestation of the deal could be disguised prior to review. Such a risk can be addressed by carrying out an in-depth review of the deal gestation, making full use of the electronic audit trail for a risk-based sample of all deals.

For more straightforward deals, the bulk of trading activity is in liquid markets, priced and executed either virtually instantaneously through automated trading systems or in a matter of seconds by an experienced trader. This type of ‘flow’ business is not – and cannot practically be – subject to deal reviews. In highly liquid markets, traders cannot and do

not expect to retain a material amount of the bid/offer spread when handling client or interdealer order flow. Some flow traders state that the skill from which they make money and for which they are paid is the anticipation of order flow and pre-positioning to benefit from it. However, as might be deduced from the news coming from the FX spot market, there’s a fine line between one trader’s anticipation of order flow and another’s front running of orders. Increasingly, firms are testing their systems and control frameworks by running dummy transactions to see how and when (or if at all) these are picked up – for example a high risk counterparty, excessive profitability, imbalance of risk and reward, excessive fees and so on. In his speech at Mansion House on 12 June this year, Chancellor of the Exchequer George Osborne announced that the Senior Management Regime will be extended to cover all banks operational in the United Kingdom and include branches of foreign banks. The finer details remain to be ironed out given that prudential regulation of EEA banks is reserved for the Home State Supervisor, but the same reserve does not apply to conduct matters. A consultation on the implementation of this order is expected to be launched by the Treasury before the end of 2014. There’s clear read-across from the Bribery Act and its ‘adequate procedures’ around affirmative defences. The cost of compliance needs to be managed by embedding compliance into the business activities where it’s effective and where risks can be managed and/or pre-empted before they crystallise. Trying to re-create an audit trail after the event is hugely time-consuming, expensive and far weaker than being able to readily demonstrate contemporaneous compliance. Compliance then needs to be supported by proactive post-facto periodic reviews and backing from informed senior management. The cost of compliance needs to be considered in the context of the huge burden of regulatory litigation fees. 
It’s increasingly difficult to estimate what the final cost will be as new issues arise and fines are trending ever upwards. Whatever the final cost, prevention is clearly more desirable.

Rob Mason, Becky Stones and Toby Duthie are Partners at Forensic Risk Alliance


Cash-in-Transit: Avoiding Risk in Cash Handling

There’s now a record number of almost 68,000 ATMs across the UK. Nine out of every ten (ie 45 million) adults used a cash machine at some point in 2013, representing a rise of 800,000 on the 2012 figure. A staggering £58 billion of cash is in circulation today, with a consistent increase in the number of banknotes available over the past ten years to the point where three billion banknotes are now ‘doing the rounds’.

The use of cash remains one of the most popular ways in which consumers pay for their goods, with over half (52%) of all transactions in 2013 made in cash. That being the case, the efficiency of cash handling is vitally important for all retailers such that they may realise the lowest possible risk profile coupled with the most effective end-to-end cash control procedures.

While the theft of goods is often opportunistic and conducted as covertly as possible by the criminal, the theft of cash nearly always involves direct contact with members of staff or the Cash-in-Transit couriers servicing a given site. Sadly, most perpetrators of such crimes are more than willing to employ violence and threats to achieve their criminal objectives. On that basis, it’s vital that adequate cash management procedures are in place to ensure the safety of all employees.

Cash risk needs to be considered in terms of both external and internal theft, forgery and substitutions while also optimising the physical labour and security equipment deployed. Retailers investing in cash management solutions typically desire the following generic benefits: a reduction in cash handling overhead costs, the removal of Cash Office functions, fewer touch points to mitigate internal shrinkage, the security of cash to combat external attack risks, integration with cash management systems and an optimum speed for cash settlement.

Types of cash validation technology

Cash management solutions come in a variety of forms and retailers must select the one most suitable for their needs. Cash validation technology may be in the shape of a back/Cash Office-type solution catering for the entire store or in multiple smaller note acceptor devices placed at or around the point of sale.

A till-based cash security solution is ideally suited for high risk locations, instantly securing all takings above standard cash float levels nearest to the point of sale. With cash exposure kept to a minimum, the retailer is then able to remove efforts expended in cash counting and control and focus instead on the delivery of excellent customer service.

Note perfect

The presence of cash on retail premises – often in substantial quantities – inevitably presents business owners with specific security risks. Bob Lammin examines ways in which retailers might improve business efficiencies and, at the same time, avoid risk in cash handling

Cash validation at its acceptance assures integrity of the cash count on collection and during subsequent cash centre processing. Put simply, securing your cash takings at the very earliest possible opportunity removes the risk of multiple touch points and any loss of accountability.

Cash Office-based solutions are ideally suited to higher cash volumes where a single point of cash control is established away from the point of sale. In this type of scenario the solution needs to be high capacity, secure and robust. Note recyclers have been designed to improve Cash Office security and processing efficiencies by optimising the cash cycle. Labour intensive tasks in cash counting are simplified through the preparation of bank deposits and securing all notes ahead of the Cash-in-Transit collection service.

Local cash validation protects against forgeries and removes the need for cash handling and recounting at the point of sale. Security of your cash with no employee access also delivers a lower risk profile for staff.

Bob Lammin: Retail Programme Manager at G4S Cash Solutions


Payment Card Industry Data Security Standard

PCI DSS: Best Practice to ensure compliance

Brian Sims learns from Alex Vovk and Mark Kedgley why companies processing payment cards must follow Best Practice steps to safeguard against security incidents

Earlier this year there was a substantial security breach at eBay which forced the company to advise no fewer than 145 million of its 223 million registered and active users they should change their passwords in order to avoid the potential compromise of personal information such as e-mail addresses, dates of birth and telephone numbers. Last December, a breach at US retailer Target resulted in 40 million stolen credit card numbers and compromised the personal information of more than 70 million customers.

“Ironically, Target has been used by some as evidence that the Payment Card Industry Data Security Standard (PCI DSS) doesn’t work,” stated Mark Kedgley, CTO at New Net Technologies. “To the contrary, subsequent reports suggest that some of the incident handling procedures at Target may have failed. Poorly implemented and operated PCI measures not only fail to offer protection but provide a false sense of security that leaves the business every bit as exposed had it not taken any precautions at all.”

To assist organisations in avoiding the kind of serious data breaches outlined here – and their often unpleasant consequences – Alex Vovk (president of Netwrix) recommends six essential rules around change and configuration auditing.

Separate environments

Retailers should minimise their risks by reducing PCI scope within systems and enforce the separation of environments by continuously auditing access and changes to the systems where cardholder data is stored.

Audit access control

Permissions must be adequate and access to sensitive data limited only to those who need it. Change and configuration auditing can help by giving the retailer precise information about the state of access rights and all changes made to them, in turn alerting end users to critical issues and helping with investigations should an unauthorised access event occur.

Audit provisioning and de-provisioning of users

Companies must establish control over user creations and removals. A comprehensive change and configuration auditing solution will provide daily and on-demand reports plus real-time alerts on critical modifications.

Audit of privileged users’ activities

Particular emphasis should be placed on changes made by administrative accounts: changes to end user access rights, elevation of privileges, mistakenly changed permissions and other security-related events.

Document everything

You never know what part of your system activities (or during what period) you will be required to demonstrate to an auditor – so keep it all. In addition to a complete audit trail, some of the more advanced change and configuration auditing solutions allow retailers to record video (along with metadata) of user activities on critical systems and provide search and replay capabilities.

Monitor and test

Change and configuration auditing solutions will offer a complete audit trail alongside detailed information on access and changes with ‘Who?’, ‘What?’, ‘Where?’ and ‘When?’ details (including after and before values for each event).

“Although hugely important, it’s simply not enough for retailers to align their processes and policies with PCI DSS guidance,” explained Alex Vovk. “They must also establish mechanisms designed to verify these processes actually work and be able to prove as much to all stakeholders: IT management, executives and auditors.”
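The six rules above can be expressed as checks over change-audit records. The following Python sketch is an added example, not code from the article or from any vendor's product: it keeps every record with its who/what/where/when and before/after values, and flags privilege elevation, access granted on cardholder data systems, user creation or removal, and changes made by administrative accounts in cardholder data scope. The record layout, host names, account names and group names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory (assumptions for illustration, not from the article).
CDE_HOSTS = {"pos-db-01", "pay-app-02"}        # systems that store cardholder data
ADMIN_ACCOUNTS = {"adm.jsmith", "adm.rlee"}    # privileged (administrative) accounts
PRIVILEGED_GROUPS = {"Domain Admins", "DB Owners"}


@dataclass(frozen=True)
class ChangeEvent:
    who: str            # account that made the change
    what: str           # group_membership | acl | user_created | user_deleted
    where: str          # host on which the change was made
    when: datetime
    target: str         # account or object that was changed
    before: frozenset   # value before the change
    after: frozenset    # value after the change


def classify(ev):
    """Return the findings raised by one change event (empty list if none)."""
    added = ev.after - ev.before
    in_scope = ev.where in CDE_HOSTS
    findings = []
    if ev.what == "group_membership" and added & PRIVILEGED_GROUPS:
        findings.append("privilege-elevation")
    if ev.what == "acl" and in_scope and added:
        findings.append("cde-access-granted")
    if ev.what in ("user_created", "user_deleted"):
        findings.append("provisioning")
    if ev.who in ADMIN_ACCOUNTS and in_scope:
        findings.append("admin-change-in-cde")
    return findings


def audit_trail(events):
    """Keep every event (nothing is dropped) and mark the ones needing an alert."""
    trail = []
    for ev in sorted(events, key=lambda e: e.when):
        findings = classify(ev)
        trail.append({
            "who": ev.who, "what": ev.what, "where": ev.where,
            "when": ev.when.isoformat(), "target": ev.target,
            "added": sorted(ev.after - ev.before),
            "removed": sorted(ev.before - ev.after),
            "findings": findings,
            "alert": bool(findings),
        })
    return trail


# Constructed sample events.
SAMPLE_EVENTS = [
    ChangeEvent("adm.jsmith", "group_membership", "dc-01",
                datetime(2014, 10, 6, 9, 15), "t.brown",
                frozenset({"Staff"}), frozenset({"Staff", "Domain Admins"})),
    ChangeEvent("adm.rlee", "acl", "pos-db-01",
                datetime(2014, 10, 6, 2, 40), "cardholder_tbl",
                frozenset({"dba.read"}), frozenset({"dba.read", "t.brown.read"})),
    ChangeEvent("hr.sync", "user_deleted", "dc-01",
                datetime(2014, 10, 6, 11, 0), "l.green",
                frozenset({"Staff"}), frozenset()),
    ChangeEvent("k.patel", "acl", "file-07",
                datetime(2014, 10, 6, 10, 5), "marketing_share",
                frozenset({"mkt.read"}), frozenset({"mkt.read", "mkt.write"})),
]

if __name__ == "__main__":
    for row in audit_trail(SAMPLE_EVENTS):
        flag = "ALERT" if row["alert"] else "ok"
        print(flag, row["when"], row["who"], row["what"], row["where"],
              row["target"], "+", row["added"], "-", row["removed"], row["findings"])
```

The out-of-scope file share change is retained in the trail without an alert, which is the 'keep it all' rule: the record is there for an auditor even though no check fired.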


Voice Biometrics: Crying out for understanding

The term ‘biometrics’ can conjure up images of Big Brother watching over our every move. In a bid to dispel the myths surrounding such technology, Craig Pumfrey addresses common concerns harboured by both consumers and organisations when it comes to voice biometrics

With passwords continuing to attract widespread derision from consumers, it seems that businesses are starting to listen to their customers. Of late, voice biometrics have been hitting the headlines as the technology set to replace the

bane of so many people’s lives. However, there are a lot of misnomers out there. If you want to learn exactly how voice biometrics work and what the capabilities of this technology are in the real world, read on. Put simply, voice biometrics is a method for verifying an individual is who they say they are via their voice. The technology works by taking a ‘voiceprint’ of the customer which is captured while they’re speaking with the customer representative on the telephone. Then, when they call again, their voice is matched within approximately ten seconds. The voiceprint is kept on record and, if a match is duly verified, then the customer is authenticated. The speed at which a customer identity may be matched is a hugely compelling proposition for end user organisations handling large

numbers of calls, with as much as 50% of a call being consumed by the authentication process. It follows that if you can reduce this time it also means the business is able to handle more calls in the same timeframe. This realises improved efficiencies and less time for customers to spend on hold in a ‘virtual’ queue.

Another important reason for introducing voice biometrics is to reduce identity fraud. This is great for the business as it can potentially help to save millions of pounds. Voice biometrics also deliver an added level of protection to the customer, safeguarding them from the distress of having their identity stolen and needing to go through the subsequent and often lengthy claims processes involved with such a dispiriting scenario.

For consumers, perhaps the biggest single benefit is that they now no longer have to remember a secret word, memorable phrase or password. They just need one thing: their voice.

All sounds great, doesn’t it? There’s only one problem. Start talking about biometrics and people begin to worry that Big Brother is watching over them. That being the case, it’s worth addressing some of the concerns both consumers and organisations harbour about voice biometrics technology.

“I don’t like the idea of an organisation holding my biometric information”

A voice biometric is a recording of your voice. Nothing more than that. Every time you call a Contact Centre it’s likely that the interaction will be recorded. You often receive a message something along the lines of: ‘This message may be recorded for training purposes’. All an organisation is doing is using your voice to help you to prove you are who you say you are.

“If I have a cold or a sore throat my voice changes so the system will not work”

The human voice is a hugely complex instrument comprising 50 physical and behavioural traits. These include characteristics such as pronunciation, emphasis, speed of speech and accent as well as physical elements like the length of the vocal tract and mouth shape and size. This means that, even if you have a blocked nose or simply decided to converse in a different language, the voice biometric system would still be able to match you with your unique voiceprint.


Biometric Security for the Business Sector

“Someone could impersonate me on the telephone”

There are some great impressionists out there. When you hear someone impersonate David Beckham, for example, it may sound to you exactly like him. It’s possible to fool our ears to give the ‘impression’ that it’s David Beckham, but it’s impossible to mimic all of the traits that make up his voice. In fact, the ‘ears’ of these systems are so attuned they can actually tell the difference between identical twins.

“What if someone recorded a voice on their phone and played it down the telephone line?”

Making a voiceprint of someone sounds as easy as pressing ‘Record’, but in truth that’s not the case. These systems are able to detect whether the person speaking at the other end of the line is actually there or if it’s a recording.

“If I make a call from a busy street the system will not work”

Voice biometric systems are readily able to differentiate between your voice and background noise. Call from Leicester Square in London on a Saturday night after a few drinks and with slightly slurred speech and the voice system will still be able to identify you. That said, it’s probably best not to call your bank if you happen to find yourself in that condition!

“Can an organisation create my voiceprint without my consent?”

Most organisations recognise that the best way to introduce voice biometrics is to do so with customer consent, along with an explanation of the benefits offered over and above current methods of personal authentication.

Craig Pumfrey is Vice-President of Marketing (EMEA) at NICE Systems

“The biggest clue may lie in his voice” (CNN, 24.8.2014)

The tragic news regarding American journalist James Foley has brought voice recognition very much into the media spotlight, writes Jade Khan. Some media outlets have questioned the efficacy of voice biometrics. On that basis, it’s time to absolutely set the record straight.

In the same way that each of us has a unique fingerprint, so each of us harbours a unique voiceprint. In point of fact, voiceprints are even more sophisticated than fingerprints, being comprised of over 100 unique characteristics in comparison to the 20 unique characteristics associated with any given fingerprint.

You can be identified using your voice. The unique characteristics in your voice – both physical and behavioural – may be used to create a voiceprint. This voiceprint can then be compared against any audio stream to determine whether or not there’s a match with the original speaker.

Voice recognition is the only biometric that can be used on a remote basis. Not only that, voice biometrics may also be used to identify a speaker with the person not present by simply leveraging the audio of their voice (whether from a phone call or a video recording).

In truth, voice biometrics work even with background noise. While better quality audio naturally produces improved results, the technology can identify a speaker on a busy street where there’s plenty of background noise (and to an extremely high degree of accuracy).

The unique attributes of the human voice have been leveraged for many years in forensics to identify criminals and are now being used around the world by enterprises to identify fraudsters over the phone. While we don’t know how the authorities have used voice biometrics in this latest and tragic incident, the technology is indeed very real.

There are many people who moan about having to use passwords, but those passwords have been with us for so long that even detractors have come to accept them as a ‘necessary evil’. After all, what we use passwords to safeguard is valuable. We have become saturated with passwords, memorable words and pass codes and, as a result, we can fall into the trap of using the same one over and over again for different accounts. Potentially, this compromises security. Constantly, there’s a requirement to reset those passwords.

It’s human nature to be wary of change, but if we want something that’s truly unique to us, cannot be copied or forgotten and may be used to prove our identity both quickly and securely then our voice could well be the answer.

Jade Khan is Director of Solutions Marketing (EMEA) at NICE Systems


Advanced Threat Detection: More than a moment in time

The evolving nature of the threat landscape and the ever-growing sophistication of hackers mean that the ways in which organisations protect themselves against advanced cyber attacks must change in tandem. Sean Newman reviews a security model that combines big data architecture with a continuous capability

Hackers are no longer fixated on what was traditionally deemed to be their destination – the perimeter of the enterprise. Now, they’re focused on the journey itself, leveraging an array of attack vectors, taking endless form factors, launching attacks over time and, all the while, very cleverly hiding the leakage of data.

The reason that many hackers enjoy a good deal of success in their ventures is that most of today’s security tools focus on prevention only – controlling access, detecting and blocking threats at the point of entry. Typically, incoming files will be scanned just the once at an initial point-in-time to determine if they’re malicious.

To detect advanced threats and breach activity more effectively, security methods simply cannot solely focus on detection and prevention. They must also include the ability to mitigate the impact once an attacker is on the inside. Organisations need to review their security model and gain continuous protection and visibility along the entire journey – from point of entry, through propagation and on to post-infection remediation.

To do this, we need a security model that combines big data architecture with a continuous capability. Only then may we overcome the limitations of traditional point-in-time detection and response technologies.

In this model, network and process-level telemetry data is continuously collected across all sources such that it’s always up-to-date when needed. Analysis is layered to work in concert, eliminating impact to control points and delivering advanced levels of detection over an extended period of time.

That analysis is more than just event enumeration and correlation, though. It also involves weaving telemetry data together for greater insights into what’s happening across the business environment. Tapping into a broader community of users, global intelligence is continuously updated and shared on an immediate basis. Importantly, it’s also correlated with local data for even more informed decision-making. Orchestrated in tandem with big data analytics, a continuous approach enables transformative innovation in the battle against advanced threats.

Detection that moves beyond point-in-time

A continuous approach enables cyber threat detection to become more effective, efficient and pervasive. Behavioural detection methods such as sandboxing serve as inputs for continuous analysis and correlation. Activity is captured as it unfolds, and intelligence duly shared across both detection engines and critical control points.

Monitoring that enables attack chain weaving

Retrospection – the ability to go back in time to monitor files, processes and communications against the latest intelligence and then weave that information together and create a lineage of activity – provides unprecedented insights into an attack as it happens.

Automated, advanced analytics that look at behaviours over time

Combining big data analytics and continuous capabilities to identify patterns and Indicators of Compromise (IoCs) as they emerge enables security and risk teams to focus their efforts on the threats that matter the most.

Better targeted and faster investigations

Transforming investigations into a focused hunt for threats based on actual events and IoCs affords security and risk teams a faster and more effective way of scoping attacks.

Swift containment

With the level of visibility the continuous approach provides, security and risk teams can identify specific root causes and shut down all points of compromise and infection gateways simultaneously to prevent the lateral movement of an attacker and break the attack chain. In this model, detection and response are no longer separate disciplines or processes but rather an extension of the same objective: to stop advanced threats. Going beyond traditional point-in-time methodologies,
detection and response capabilities are continuous and integrated. It’s what’s required for advanced threat detection and response that’s focused on the journey, not just the destination.
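
An added example (not from the article or from any product it describes) of the retrospection and attack chain weaving outlined above: stored telemetry is re-checked against intelligence published after the files were first allowed, and the resulting lineage gives the containment scope. The event schema, hashes, hosts and addresses are all constructed for illustration.

```python
"""Retrospection over stored telemetry: re-check past events against newer intel."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since capture start
    host: str     # endpoint that reported the event
    kind: str     # "arrive" | "create" | "connect"
    actor: str    # source of an arrival, or hash of the acting file
    target: str   # file hash, or remote address for "connect"


# Constructed sample telemetry (hashes, hosts and addresses are made up).
TELEMETRY = [
    Event(100, "ws-01", "arrive", "mail-gateway", "hash-A"),
    Event(110, "ws-01", "create", "hash-A", "hash-B"),
    Event(115, "ws-01", "connect", "hash-B", "203.0.113.7:443"),
    Event(120, "ws-03", "arrive", "web-proxy", "hash-C"),
    Event(300, "srv-02", "arrive", "ws-01", "hash-B"),
    Event(305, "srv-02", "connect", "hash-B", "203.0.113.7:443"),
]

# Constructed intelligence feed: hash -> time the indicator was published.
INTEL = {"hash-A": 500}


def entry_verdicts(events, intel):
    """Point-in-time model: judge each file once, with the intel known on arrival."""
    verdicts = {}
    for ev in events:
        if ev.kind == "arrive":
            known_bad = ev.target in intel and intel[ev.target] <= ev.ts
            verdicts[(ev.host, ev.target)] = "blocked" if known_bad else "allowed"
    return verdicts


def retrospect(events, intel, now):
    """Continuous model: re-check every stored file hash against intel as of `now`."""
    current_bad = {h for h, published in intel.items() if published <= now}
    seen = {ev.target for ev in events if ev.kind in ("arrive", "create")}
    return seen & current_bad


def weave(events, roots):
    """Follow "create" edges from the flagged hashes and collect the attack scope."""
    tainted = set(roots)
    changed = True
    while changed:  # transitive closure over files dropped by tainted files
        changed = False
        for ev in events:
            if ev.kind == "create" and ev.actor in tainted and ev.target not in tainted:
                tainted.add(ev.target)
                changed = True
    timeline = sorted(
        (ev for ev in events
         if ev.target in tainted or (ev.kind != "arrive" and ev.actor in tainted)),
        key=lambda ev: ev.ts,
    )
    first = next((ev for ev in timeline
                  if ev.kind == "arrive" and ev.target in roots), None)
    return {
        "hashes": tainted,
        "hosts": {ev.host for ev in timeline},
        "gateway": first.actor if first else None,   # where the root file came in
        "destinations": {ev.target for ev in timeline if ev.kind == "connect"},
        "timeline": timeline,
    }


if __name__ == "__main__":
    print("verdicts at entry:", entry_verdicts(TELEMETRY, INTEL))
    flagged = retrospect(TELEMETRY, INTEL, now=600)
    scope = weave(TELEMETRY, flagged)
    print("flagged in retrospect:", flagged)
    print("hosts to contain:", sorted(scope["hosts"]), "gateway:", scope["gateway"])
```

The point-in-time check allows every file because the indicator is published only at t=500; the retrospective pass at t=600 flags it and the woven lineage names both affected hosts and the entry point in one result.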

Staying safe in the mobile world

Picking up on another trend, the use of mobile devices for work purposes is on the rise, in turn creating new opportunities for the employee. In fact, according to a report from Juniper Research, the number of employee-owned smart phones and tablets in the workplace could exceed one billion by 2018.

It’s now possible to access your company resources whenever you need to, whether working from your living room, sat in a restaurant or just chilling out in the local park. When you do need to work from the office, smart phones and tablets are often far more convenient to use than a bulky laptop. The benefits of having a computer that fits in your pocket or bag are hard to ignore, particularly for busy business types always moving from meeting to meeting. The flexible working opportunities presented by mobile devices are copious and there to be harnessed by companies who want the most in terms of productivity from their employees.

However, according to Cisco’s 2014 Annual Security Report, the creation of mobile malware is also on the increase. This could be the cause of severe headaches for businesses as more and more access to company information is becoming available via mobile platforms. The vulnerability of an unknown Wi-Fi connection is often the last thing on a person’s mind as they think about that urgent e-mail they need to send.

It’s crucial to be aware of these risks because we all operate in an age of ‘industrialised hacking’. Nowadays, attacks are not likely to come just in the form of a lone file that infects individual devices. Rather, they’re made up of multiple moving parts that start with one device being infected via an e-mail or a link to a compromised website and typically result in the attacker moving around laterally within the target organisation until they find the data they really want to appropriate. It’s also more difficult to determine the type of person likely to be that attacker.

In this connected world of ours, the chances are there’s someone out there who’s motivated to
break into your organisation’s network. Given the industrialisation of hacking, they don’t even need to possess all the skills to see their plan through to fruition. They can merely rent attack tools from someone who does. Exploit kits such as BlackHole and Cool Exploit Kit continue to be very popular with attackers as they’re cost-effective and relatively simple to use as well as being continually updated to include the latest vulnerability exploits. When the authorities eventually catch up with the authors – as was the case with BlackHole in October last year – new kits simply spring up to replace them. There’s clearly much about which we should all be concerned. Malware designed specifically to exploit mobile device vulnerabilities is becoming a huge blot on the security landscape. Users’ appetite for new, creative and innovative apps is insatiable, but this poses a real challenge for those looking to securely enable their use for business purposes. In practice, it’s rather difficult to restrain users from downloading new apps, but ensuring they stay away from unofficial app stores is vital. The recent news about malware posing as Google’s official Play Store proves just how careful people have to be when downloading files of any kind to smart phones.

Sean Newman: Security Strategist at Cisco

Popularity of exploit kits

Mobile devices are every bit as vulnerable to the oldest tricks in the book as their desktop predecessors. Hackers can take advantage by sending malicious links to those busy travelling (and therefore perhaps not concentrating properly) as they read e-mails on their phone. Just one moment of distraction and a mobile device can be instantly infected.

Before an attack occurs, organisations should establish control over where, when and how mobile devices are being used and what data they’re able to access and store. During an attack, complete visibility is crucial for business risk professionals to identify compromised devices and monitor their activities. After an attack, companies need to quickly review how the threat was able to enter the network, which systems it interacted with and what applications and files were run. This will allow the scope of the attack to be determined and the threat to be contained – and then cleaned up – as quickly as possible.

“With the level of visibility the continuous approach provides, security teams can identify specific root causes and shut down all points of compromise and infection gateways simultaneously to prevent the lateral movement of an attacker and, ultimately, break the attack chain”





Fire Safety: Public Address/Voice Alarm (PAVA) Systems

Ignore PAVA fire safety systems at your peril

It has long been known in the fire sector that alarm bells don’t always ring in people’s heads. In fact, respected research has shown that, in the event of a fire, it’s typically the case that only 13% of a building’s occupants would respond to the warning tones from a constantly ringing bell. Compare this statistic with the 75% who would act on a spoken message announced over a Public Address system.

The problem is that, without further instruction, people are effectively left to guess what a bell or electronic sounder tone actually means. Is the safety system being tested or is it merely a false alarm? In these circumstances, many will stay put and wait to see what others do, perhaps in the belief that someone present knows more about what’s going on and can then offer a lead. Detailed research conducted by Notifier shows that over 25% of respondents would assume a given system activation was a false alarm until and unless told otherwise.

As the world becomes a noisier place, with a multiplicity of tones and alarms on machines, it’s all-too-easy to ignore similar sounds even when they occur unexpectedly. At the same time, buildings are becoming ever more complex in their division of space, not to mention the use of both levels and materials.

Studies around how people think about fire safety have shown that very few members of the general public ever consider how to leave a building in an emergency, even if it’s one they visit on a regular basis. Without more detailed instructions, the majority of occupants would exit the building by way of the entrance they used rather than via a closer or more appropriate exit. Less than a third would simply leave by the nearest exit.

Unfortunately, and as is often shown with tragic consequences, relying on instinct or plain common sense simply isn’t enough when it comes to the swift and safe evacuation of a building under threat from fire.

Prompt and correct response

Against this background it becomes more important than ever to ensure that the best possible solution is found to encourage members of staff, residents and visitors alike to respond promptly and correctly to a fire warning. The answer lies in a clearly spoken message over a Public Address/Voice Alarm (PAVA) system, directing a building’s occupants away from danger as quickly as possible.

Is a fire safety system being tested or is it merely a false alarm? Richard Paine outlines why the incredible adaptability of fully-integrated Public Address/Voice Alarm systems means they simply must be considered for use in buildings of any size where there’s public access

Day-to-day, this technology can operate like an advanced PA system, carrying background music and announcements. In an emergency scenario, the system kicks in to broadcast appropriate spoken messages, directing people to safe exits. Should the situation demand more specific responses, firefighters can easily use an emergency microphone to make their own announcements and ensure a quick and safe evacuation of the premises.

Sophisticated and intuitive PAVA systems will meet all types of challenges as they’re suitable for buildings of all sizes, from the smallest of business premises through to medical centres and sports stadiums. These systems are cost-effective at any level and can be custom-built.

Where larger applications are required, technological advances have boosted the ability to link multiple buildings within integrated and easy-to-use PAVA solutions. They’re perfectly adaptable to the kind of dispersed or complex sites that benefit from phased evacuation procedures and IP connectivity. This forms part of a broader drive towards greater ease of networking, designed to improve system implementation and also ensure greater security in linking locations.

Developments – most notably in the area of digital signal processing – have also made the management of PAVA systems much more straightforward. PC-controlled, site-configurable routing and set-ups have replaced the costly and high maintenance hard wiring and relays previously required. The resulting audio quality is also much improved.

Richard Paine: Product Marketing Manager at Notifier by Honeywell

Better quality of sound

Today’s advanced PAVA solutions are more power-efficient, require fewer batteries and produce a much better quality of sound. For larger implementations, the best network systems are capable of carrying many audio channels on a fibre optic network. This means it becomes easier to manage many different channels of music, general announcements and fire safety information in large multi-purpose premises and public arenas. The technology can also carry messaging such as paging and advertisements besides background music. On larger sites, the best network systems are able to carry up to 200 audio channels on a fibre channel interface anywhere up to 30 kilometres between stations.

Remarkable flexibility, the ability to handle a varied workload and significant technical advances are the keys to overall success for these systems. Covered by safety standard BS 5839 Part Eight, there are five types of PAVA system giving varied levels of manual control and live or automated messaging.

The range of available options means that automatic voice alarms may be activated according to a predetermined evacuation plan and using recommended messages that meet the needs of most buildings. In addition, supplementary live announcements designed to assist with evacuation may be broadcast using an emergency microphone at a strategic point. Where required, messages may be formulated to suit special circumstances and even involve coded alerts to warn staff ahead of members of the public. Equally, designated public zones may be omitted from the paging cover if not deemed necessary.

The range of tailored solutions is considerable, then, and PAVA systems are flexible enough to allow for different parts of a building to be covered by Public Address and/or music as well as voice alarm. For example, in a building containing a public bar, office, bar store, public lounge and staff room, paging may be enabled for the bar store and staff room but not elsewhere, whereas the office space can be omitted from the relay of music over the system.

The combined effect of the technical advances means that, in almost any building requiring phased evacuation, a fire safety solution should include an element of voice as part of a comprehensive detection and response strategy.


Reducing disruption to the business

Once a fire threat is detected, phased evacuation means that some areas can be evacuated immediately while others will receive an alert or standby message advising people to await further instructions. This reduces the huge disruption and cost of false alarm activations without compromising safety.

Since these alarm systems rely on voice messages and Public Address announcements, great attention has been paid to the ‘technology of sound’. Within many commercial office environments there’s little need for sophisticated acoustic design. However, the situation is very different in larger public spaces such as sporting arenas or transport hubs where there are areas of irregular shape, some of which may be open to the elements. Such structures are built on differing levels and often characterised by hard materials incorporated within their design. That combination creates poor acoustic conditions, making it more important to control the direction and quality of sound.

For such difficult areas, the need for skilled acoustic system design is absolutely essential, not only to ensure that the system performs to its potential but also that it meets the dedicated regulations for voice alarms. Many of the challenges in these situations have been overcome by developments in speaker technology and design which make announcements audible where there are acoustic problems or there’s a specific issue in relation to background noise.

As a result, PAVA systems now require fewer amplifiers and are much easier for staff to use. This is particularly important in smaller organisations where personnel have multiple roles.

Loudspeakers are now available to suit each environment. Ceiling loudspeakers, for example, work well in open plan offices with suspended ceilings. Cabinet loudspeakers afford good coverage in smaller, quiet offices and are suited to paging announcements.
Projector loudspeakers afford more directional impetus to the sound and can be useful in saving amplifier power in noisy areas such as railway stations and shopping centres. Areas with difficult characteristics (like churches and airports) benefit from column loudspeakers which have a very wide sound dispersion in the horizontal plane. Horn loudspeakers are weather-proof, robust and suitable for use out-of-doors while spherical loudspeakers are ideal for open areas with high ceilings and distribute sound around the 360 degrees of the compass.





The Security Profession: Four key challenges to be addressed

The 2013 Lloyds of London global Risk Register states that crime and security risk is held to be one of the Top 5 concerns for Boards of Directors. Why, then, doesn’t this apparent Board-level focus appear to offer ‘Security’ any traction as a profession? David Thorp addresses that question in tandem with other major challenges facing the security business sector

Everything I know about ‘Security’ I’ve learned in the six months since I was appointed managing director of The Security Institute. On that basis, I remain something of an outsider in this world. However, the skills I do bring with me to the role – in terms of marketing and prior leadership of other professional bodies – have allowed me to nurture a series of informed views about the current state of the security profession and, of course, its potential for the future. To my mind, potential is very much more important than history.

At The Security Institute’s Annual Conference held last month in central London (‘The Future of Security’, Risk UK, August 2014, p11) – and our most successful to date, in fact – I presented my considered views as a series of challenges facing the profession. I’d like to use this edition of Risk UK as a platform for bringing those challenges to a wider audience. They should be on the radar of anyone who considers ‘Security’ as their area of specialism.

Coming from a highly commercialised world such as marketing, the first thing that strikes me about the security arena is how little dialogue it seems to have with the world of business. In the 2013 Lloyds of London global Risk Register (an annual survey conducted among global Board-level directors), crime and security risk was held to be one of the Top 5 key concerns, right up there with strategic business risk and regulatory risk. While I’m heartened to see that ‘Security’ is apparently a big issue at Board level, you’d have to say that this fact alone doesn’t appear to be giving us any traction
as a profession. I believe there are a number of reasons for this. Allow me to elaborate. From my perspective, the main challenge before us is not having significant and meaningful exposure at Board level. To develop the profile of ‘Security’ we need to reach the stage where the discipline is represented in the Boardroom in the same way that most Boards include a Chief Finance Officer, a Chief Marketing Officer, a Chief Information Officer and a Chief Purchasing Officer. Why isn’t a Chief Security Officer sitting at the Boardroom table alongside them? The answer is simple. ‘Security’ doesn’t speak the language of business. ‘Security’ is a key business enabler. It adds value to organisations, products and services but, for the most part, senior security professionals don’t understand the technicalities of business – elements like value propositions, finance and strategy – as readily as they know their own specialist field. This is somewhat ironic when one considers that there are so many members of the security profession emanating from the Armed Forces. In that environment, if an individual is to progress above a certain rank this will entail a period of time spent at Staff College, acquiring the new skills necessary for a successful career in the upper ranks.

Business and organisational leaders

There’s no such provision in the security arena designed to prepare experts in their field to make that vital leap and become business and organisational leaders. Trust me, I’ve looked. The only pathway open to the really committed is to enrol and study for an MBA. This profession – and its training and education suppliers – does little or nothing to deliver general business awareness instruction for security professionals.

To get things moving we need a generation of influencers. Those influencers need to be at Board level. To attain such a status quo we need to overcome the first challenge and learn to speak the language of business in both a fluent and confident manner.

The other challenges I’ve identified include the fact that many security appointments are held by individuals who claim to be ‘Security Professionals’ when, in truth, they possess little or no experience or qualifications in this field. These individuals undermine and devalue the status of everyone who can justifiably call themselves ‘Professional’ by dint of experience and demonstrable achievement. It’s not a problem unique to ‘Security’, by the way. We see the same situation within accountancy, purchasing, marketing and engineering.



The Security Institute’s View

In the longer term, the answer is to do what the accountancy profession has done. If everyone from a book-keeper to a bought ledger manager can call themselves an accountant then the profession needs a device that will enable outsiders to distinguish the true professionals at the top of the tree from those who use the term ‘Accountant’ on a somewhat loose basis. That’s why we all know the value of a Chartered Accountant. In the security business sector we have the Register of Chartered Security Professionals. It’s offered by The Worshipful Company of Security Professionals and managed by ourselves here at The Security Institute. Gaining wider acceptance of this Register will marginalise the unqualified and inexperienced who undermine everyone that has put in the effort to professionalise themselves. A further challenge that demands to be addressed is the sheer number of different organisations, bodies, networking groups and forums operational in our business sector. To my eye they haven’t evolved to accommodate the rapid growth of the security profession. I should add the caveat that I’m speaking entirely from my own perspective here. Indeed, my comments on this topic should not be taken to imply any policy or strategy of The Security Institute. As a professional body we’ve always promoted – and will continue to promote – inclusivity. However, in any sector market forces will eventually have their day and, if you review practically any market in products and services, the inexorable trend is towards consolidation. The idea is to have fewer but larger suppliers at the core with much smaller single niche suppliers operational at the margins. The security industry is by no means immune to market forces. Has this proliferation of bodies and groups held back recognition of the security profession? It’s certainly the case that external stakeholders – particularly Government and regulatory authorities – prefer to deal with one channel of communication. 
It’s equally true that the more bodies there are in existence in any given sector, the more difficult it is to form a consensus view and develop concerted and focused strategies to promote that view. A plethora of organisations might also erode confidence among the general public if there are competing bodies each claiming to light the true path ahead. It’s entirely possible to make the case, then, that having too many bodies in a given business sector can hold back the ultimate development of the profession. Over time, the various professional bodies will need to speak about this among themselves such that they can each chart their individual course and their various alliances of equals before the market forces them to act.

Customer and shareholder value

The final challenge I’d like to share with you is how we raise the status of security in general and, more specifically, that of the security professional. In many instances, ‘Security’ is looked upon as a grudge purchase that’s seen purely as a cost instead of a business enabler and enhancer. While ‘Security’ is viewed as an item on the debit sheet instead of something that creates customer or shareholder value we will always be facing an uphill task. Consider the placing of armed, anonymous sky marshals on many US domestic and intercontinental flights in the immediate aftermath of the 9/11 attacks. That move – along with other enhanced security measures – quickly restored passenger confidence and could be physically tracked for positive return on investment. Safety has a value. Security delivers safety. Security realises peace of mind. Security makes customers more likely to employ your services. As such, ‘Security’ is an invisible, often forgotten and nearly always unheralded differentiating factor for those businesses and organisations canny enough to recognise these facts and who treat security as an investment that pays dividends in the long-term rather than just a sunk cost.

These are far from being the only challenges facing the security profession. Addressing them will not be a task that’s achievable overnight. However, the starting point is to recognise them as challenges in the first place, consider them carefully and frame strategies for moving from where we are as a profession right now to where we think we want and ought to be resident in five or ten years’ time. The transition will undoubtedly demand consensus among the various stakeholder bodies, associations and interest groups. It will also require strong leadership to emerge, both in terms of thought and deed.

David Thorp LLB MSc: Managing Director of The Security Institute

“This profession – and its training and education suppliers – does little or nothing to deliver general business awareness instruction for security professionals. To get things moving we need a generation of influencers. Those influencers need to be at Board level”


In the Spotlight: ASIS International UK Chapter

Corporate Security: Reviewing ‘The Risk Landscape’

What exactly are the challenges affecting Corporate Security Departments attempting to manage and mitigate enterprise risk on behalf of the organisations they serve? Dr Peter Speight examines the current state of play

In today’s world, Corporate Security and Risk Management Departments face myriad challenges as they attempt to mitigate risks and threats on behalf of their organisations. For one, they’re confronted by specific security risks that can impact the business environment (for example terrorism, financial instability or acts of fraud). It must be said that there are also risks arising from the manner in which the discipline of risk management itself is both exercised and perceived. Ultimately, one of the greatest challenges faced by all security and risk management professionals is the risk of new or unfamiliar threats remaining undetected. In this instance, let’s refer to ‘Social Media’ and ‘Cyber Crime’. It also remains the case that it’s a highly complex – not to mention near impossible – task for any risk management strategy to wholly eliminate internal malpractice, and most notably where that malpractice occurs at a senior level.

Broadly speaking, the practical security risks facing modern businesses may be placed into two categories: external and internal. External risks include events such as natural disasters, industrial accidents, IT failures, climate change, supply chain disruptions, theft and geo-political/socio-political events (ie terrorism, military conflict or revolution). Internal risks include factors such as employee fraud or sabotage, or perhaps employee errors involving IT/security functions. Placing all of these risks into a rigid or prescriptive hierarchy is, in itself, a problematical exercise and arguably dependent on the type of business in which a particular company finds itself engaged. Indeed, the very perception of risk varies from person to person and within corporate organisations who have varying degrees of ‘risk tolerance’ depending on their position within the global marketplace.

In my experience, it does seem that there’s one factor at play across multiple sectors of the economy. That factor is globalisation in tandem with the various risks contingent upon it. It’s often argued that corporations involved in the global business environment expose themselves to risks reliant on extended value chains and country/economic stabilisation.

Spotlight on enterprise-related risks

Enterprise-related risk can take many forms, such as that for carbon emissions credit trading (via London-based LCH, ICE Futures Europe or Nasdaq OMX Commodities Europe). Trading offers companies a means of securing their business by achieving emissions targets. However, in 2011 alone, cyber theft resulted in the loss of carbon offsetting credits valued at 30 million Euros [1]. In some instances, risk may simply be the outcome of the firm’s core activities and revolve around failing to maintain management of company policy, strategy, structure and principles in parallel with the demands of an evolving and changing environment. Meanwhile, lobbying organisations like the UK’s Carbon Trust argue that adverse events around climate change will eventually drive consumers towards rejecting brands linked to those occurrences. Also, supporters of the Corporate Social Responsibility agenda would argue that companies successfully managing such risks will effectively secure competitive advantage by developing and maintaining appropriate corporate governance strategies. In my opinion, other security risks such as IT failures and acts of cyber criminality are inevitable. In practical terms, we need to try and eliminate them – as far as possible – through Best Practice that’s driven and underpinned by policy and regulation.

Dr Peter Speight CSyP DBA MSc MIRM: Education Lead for ASIS International’s UK Chapter and Director of Risk and Consultancy at Securitas Security Services


References

[1] Chaffin J (2011): ‘Carbon trade cyber theft hits E30 million’, Financial Times, 20 January 2011 [Available online: http://www.ft.com/cms/s/0/cdb788e8-24df-11e0-895d00144feab49a.html#axzz25Uj7ePwt]
[2] Fragniere E and Sullivan G (2007): ‘Risk Management: Safeguarding Company Assets’, Boston: Thomson
[3] Smith D and Irwin A (2006): ‘Complexity, Risk and Emergence: Elements of a “Management” Dilemma’, Risk Management, 8(4), pp221-226
[4] Sadgrove K (2005): ‘The Complete Guide to Business Risk Management’ (Second Edition), Aldershot: Gower
[5] Madura J (2010): ‘Financial Markets and Institutions’ (Ninth Edition), Mason OH: Cengage

Across the past few years, the development of ISO 27001 specifically referencing Information Security Management has certainly provided guidance and structure for addressing the mind-blowing complications around dealing with the physical, technical and procedural minefield that may be present in some organisations. However, it could be argued that, in time, all companies will be subject to these types of incursion and criminality. On that basis, we need to look at – and plan for – recovery and damage limitation. Again, ISO 27001 does offer some really good mitigation advice. If you want to consider other standards, try ISO 22301 (Business Continuity Management Systems), ISO 31000 (Risk Management), PD 200:2011 (Crisis Management) and PD 25222 (Continuity Supply Chain Management). All offer useful guidance which will help organisations’ risk management teams to develop effective strategies. Such strategies only work, though, when driven downwards from the Boardroom whereby company executives take responsibility and assume accountability for the risk appetite within their organisation. This means creating an effective culture that supports and implements measures designed to mitigate and manage corporate governance. In some cases, it seems to me that executives and Chief Operating Officers blame everybody else but themselves when things do go wrong. Having said that, I’m a realist and companies have to ensure that they balance the benefits of Enterprise Risk Management with the costs and implementation of all mitigation strategies. We all have to balance ROI, but it’s the cost of doing nothing which really worries me. Security and risk management professionals do face challenges arising from the very nature of their discipline. Also, the work they carry out is sometimes perceived – and notably so by other management professionals – as a drain on resources. Until such time that there’s a problem, of course. 
Although Enterprise Risk Management is now generally accepted in the corporate environment, risk management is a fairly new aspect of the overall management structure. New legislation, activist shareholders and rising insurance costs are now converging and, in turn, rendering integrated risk management a far more important proposition.


According to a 2007 article penned by Fragniere and Sullivan [2]: “Natural, geopolitical and financial disasters in the first few years of the 21st Century created a new awareness of risk among the public, businesses and lawmakers. This has spurred the development of several risk management methods in both financial and non-financial sectors. Risk managers responsible for creating the ‘risk-enabled company’ have to balance and resource multiple mitigation strategies.” Risk management professionals also face specific problems around achieving recognition of their contribution to profitability and justification for their investment. Successful security management eliminates problems before they impact upon performance. This means that the corporate community cannot easily appreciate the value of the exercise. Seen in this light, it’s a sad truism that an effective security manager may well become the victim of his or her own success.

Establishment of new frameworks

Last but not least, risk management professionals must face challenges arising from their own practice and the possibility that they will fail to identify new or non-anticipated risks. As Smith and Irwin [3] have written, managers themselves make the decisions that contribute to ‘the precursors of failure’ and ‘determine the acceptability of residual risk as well as the appropriateness of mitigation strategies’. Many risk management frameworks have now been established to meet this challenge by informing consistent Best Practice [4]. For example, AS/NZS 4360:1995 in Australia, CAN/CSA-Q850-97 in Canada and JIS Q 2001:2001 in Japan. Meanwhile, after the 9/11 attacks in the USA, the UK’s Institute of Risk Management created PAS 56 which was subsequently replaced by BS 25999. These are largely qualitative and generic frameworks. The degree to which they could assist in identifying specific new threats is debatable. For instance, it could be argued that such frameworks encourage a normative view of security risk and thus actively discourage the identification of new or unfamiliar challenges.

Furthermore, frameworks and policies are no guarantors of Best Practice. On the high profile stage, the Enron Corporation reportedly harboured an excellent ethics policy prior to its much-publicised demise [5]. Somehow, risk management professionals have to convince the corporate community that investment in mitigation strategies is necessary and beneficial, even for those instances where the apparent benefits are difficult to measure.



FIA Technical Briefing: The Fire Engineering Council

Lending a voice to the fire engineering profession

The Fire Industry Association has established a specialist Fire Engineering Council designed to appraise and work on some of the major issues facing today’s fire sector, including competency, independent third party approvals and Scope of Services. Martin Duggan has the detail

Martin Duggan: General Manager of the Fire Industry Association

The fire engineering profession needs a voice. In comparison with other construction professions, at 30-plus years of existence fire engineering is still relatively new as a discipline, but it’s now high time the profession stood up to be recognised and counted alongside its compatriots. In parallel with this key goal are myriad challenges facing professionals operating in today’s fire sector, not least when it comes to hugely important matters such as competency, Scope of Services and the subject of independent third party approvals.

At present, there are no industry-wide competency criteria laid down for fire engineering companies. This results in a wide range of organisations offering fire engineering services despite the fact some of them don’t possess any real expertise. When you consider Scope of Services, it’s often the reality that fire engineers are only employed during the design stage of a project. It’s not always the case that thorough checks will be carried out to ensure the building constructed is actually compliant with the designed fire strategy. Concerns have been raised about the independence and extent of third party checks conducted under the Terms and Conditions of the Building Regulations, not to mention the involvement of very limited site inspections.

Industry must take the lead

These are but the foremost three concerns. It’s fair to say there are many other problems to be addressed. The UK Government has been clear that it’s up to the industry to take the lead in resolving any issues across these particular areas. On that basis, the fire engineering sector simply must shoulder this responsibility.

The Fire Industry Association (FIA), of course, is a well-established Trade Association. Our main objective is to promote professional standards within and across the fire sector through close liaison and lobbying with Government and official bodies as well as other key organisations in the industry. We aim to inform our members – and, indeed, the general market – about the latest legislation and how it can affect their businesses. The FIA diligently represents manufacturers, installers and maintainers of fire detection, fire alarm and extinguishing systems, the latter encompassing portable solutions. Importantly, we also represent fire risk assessors and suppliers to the Fire and Rescue Services.

At our Annual General Meeting in November last year, we formally opened FIA membership to fire engineering companies in the firm belief that we harbour the infrastructure required to assist such organisations in resolving the key issues present within and around what is a specialist industry sector. As is the case with our other membership sections, we’ve now deliberately established a dedicated Council to represent these new members. It’s this Council that will appraise and work on the major issues before us, and also identify key messages and appropriate target audiences. The FIA estimates that between 30 and 50 companies operate in the fire engineering sector. We’re already targeting 50% of them with further recruitment drives now underway.

We enjoy a good working relationship with the Institution of Fire Engineers (IFE), itself a long-established professional body, and believe that by working together we can help resolve the challenges facing the industry. To support this co-ordinated work, the IFE has a representative on the Fire Engineering Council. In simple terms, the IFE is focused on both individuals and their competencies. A Trade Association can look at the wider commercial market. Hence, the FIA represents companies rather than individuals.

To date, we have developed competency criteria for membership of the FIA’s new Fire Engineering Council based on the employment of Chartered Fire Engineers. The criteria are currently set at a level that most competent fire engineering companies should be able to meet, but there are plans in place to raise the bar in the longer term. The intention is to encourage companies to invest in training members of staff such that they’re able to meet the higher criteria that will be introduced in years ahead.

Developing the Scope of Services

The FIA has also been working to develop a Scope of Services which we believe will encourage employment of fire engineering companies through the design and construction phases of building projects. This mirrors the Construction Industry Council’s own Scope of Services. It also neatly fits in with the Royal Institute of British Architects’ (RIBA) Plan of Works and, in essence, pinpoints specific areas within a given project that demand consideration from professional fire engineers. The objective is to ensure that the end user of a given building is afforded confirmation that the completed structure provides a high standard of fire safety, along with an ‘as-built’ fire strategy which will help the host organisation understand exactly how the location is to be operated and maintained to the correct levels. Our next step is to engage with both the Construction Industry Council and RIBA to try and get them involved and adopt this scenario within their documents.

With regards to building control, ensuring the independence of approved inspectors is currently an area of concern. Approved Inspector Regulation 9 states that there must be clear separation between design and third party approval. However, some companies may be compromising this request by openly offering ‘one-stop shop’ services, with design and approval by ‘sister’ companies (which would appear to be a breach of Regulation 9). The FIA has already submitted its concerns on this matter to the Construction Industry Council which, in turn, has subsequently written to the Department of Communities and Local Government for clarification on the matter. We very much hope to work with them on providing stronger and clearer guidance.

The $64,000 question in relation to all of these areas is: ‘Can the FIA make a difference?’ A Trade Association’s main principle is that the sum of the parts can achieve more by working together than they can by operating in isolation. There are many concerns within the fire engineering industry at present, but there are also some fabulous fire engineering companies in existence. Working diligently in tandem, there’s no doubt we can collectively help to propel the fire industry forward in a way that benefits each and every interested party.

Portable Fire Extinguishers: benefits for end users

In 2008, the Fire Industry Association (FIA) carried out a survey into the use of portable fire extinguishers, writes Graham Ellicott. The study showed that 80% of fires tackled with such devices were successfully extinguished and that, in 75% of cases, there was no need to call the Fire and Rescue Services. Based on these findings, there’s no doubt that portable fire extinguishers play a very important role in the preservation of life and property. They can reduce the risk of a small fire, for example a fire in a waste paper bin that might well develop into a really serious incident. In particular, for educational or healthcare premises it’s fair to say that portable fire extinguishers may mean the difference between a complete evacuation or no evacuation at all.

The safe use of a fire extinguisher to control a fire in its early stages can significantly reduce the risks involved for individuals on the premises, allowing them to assist others and/or those who are particularly vulnerable. Training must be supplied to individuals who would be expected to attempt to extinguish a fire. That said, all members of staff ought to be familiar with the location and basic operating procedures of the portable fire extinguishers provided in case they need to use them at some point.

Further to this, all fire safety equipment must be installed and maintained by a ‘Competent Person’. Under the Fire Safety Order, a person is to be regarded as competent when he/she has undergone sufficient training and gathered enough experience or knowledge to enable them to properly assist in undertaking the preventive and protective measures required. A ‘Competent Person’ should be able to advise on the number of fire extinguishers needed to combat the risks in a given premises and the appropriate locations for them (ie on escape routes at each floor level). Suitable signs indicating the location of extinguishers may also be necessary.

The FIA strongly recommends that portable fire extinguishers be properly maintained by members of personnel who can prove their competence through membership of an initiative such as the Portable Fire Extinguisher Service Technicians Scheme operated by BAFE. Portable fire extinguishers are tested, tried and trusted. Evidence from the market proves that they’re successful in dealing with small fires. Risk, security and facility managers must bear in mind that their correct installation could well end up saving lives and property.

Graham Ellicott is CEO of the Fire Industry Association


Pathways for progression

Professional benchmarks for certain security roles are not always readily available on the wider scale. This can create barriers to progression for employees and, in doing so, continues to hinder efforts targeted at both altering external perceptions of the security business sector and pushing the discipline further up Boardroom agendas. Gemma Quirke puts forward proposals for changing the status quo

The challenge of ‘professionalising’ the security sector is one which is continuously discussed (‘Professionalising ‘Security’: Working towards a change in perception’, Risk UK, August 2014, pp50-51) in tandem with the necessity for in-depth training and ongoing skills development. Arguably, there’s also a wider requirement to focus on providing clarity for security professionals in terms of the career paths open to them and the benefits to be derived as a result of investing their precious time in the sphere of professional development. In turn, might such a focus also contribute to achieving all-round professional recognition for the security business sector while encouraging others to make it a career of choice?

By definition, to ‘professionalise’ is to identify the qualities demanded of any business practitioner and then provide a clear direction of the relevant training and qualifications which may be undertaken to achieve a professional status. In the security business sector, the opportunity to become a Chartered Security Professional is now available (‘Chartered Security Professionals: The Gold Standard’, Risk UK, August 2014, p17). However, even with this prestigious goal as an ultimate aim, benchmarks for lower level through to mid-level roles which individuals both experienced and new to the industry might strive to meet – and exceed – are not necessarily as widely available. As a direct consequence, this not only creates what can be seen as a barrier to professional progression for security officers and managers but, in doing so, continues to hinder the efforts aimed at changing external industry perceptions and pushing security further up the Boardroom agenda.

Aspiring to Excellence: key findings

The Security Research Initiative has just published its latest report. ‘Aspiring to Excellence’ outlines the challenge of both defining and achieving exemplary service, and is based around an extensive review of the drivers for business excellence. Both corporate security personnel and 200 representatives of security suppliers rate various characteristics of outstanding performance. Two key characteristics consistently noted in this report are ‘People’ and ‘Leadership’, both often used by clients and suppliers alike as a means of measuring current performance. Suppliers questioned use the pages of ‘Aspiring to Excellence’ to highlight that quality, motivation and training of staff are front and centre in terms of what constitutes ‘Excellence’, while clients focus on the balance of having both business and security expertise. Clients also pinpoint an opportunity for security suppliers to become better at displaying how the function delivers value for host businesses. The importance of enhanced Board-level recognition of security as a business enabler is flagged by both clients and security solutions providers alike.

Defining and achieving ‘Excellence’

With the security sector as a whole and, specifically, suppliers and clients in apparent agreement that professional recognition would be beneficial, and that there’s a requirement to better display how value is added, how might we best combine our knowledge to define and achieve excellence within? In order to drive the security business sector as a whole towards professional status, it’s fair to suggest that a considerable restructuring may be necessary. Various industry bodies are already making positive step changes. However, the lack of cohesion between groups could be seen as limiting in relation to the end goal. While the intent and effort may be universal, agreement on defined career paths – and how best to implement and support them – is often individually focused. Collaboration across such major groups could genuinely ‘revolutionise’ the sector, developing those already on their career path as well as attracting new talent and training the security leaders of tomorrow.

Within the security business sector’s supplier organisations, we all deliver hard and soft skills training for both officers and managers. However, as such training is often conducted without an underpinning and clear career guide that matches these skills against industry progression routes, the options available in terms of ‘next steps’ from being a frontline security officer to becoming a leader of the future may seem somewhat blurred.



Security Services: Best Practice Casebook

As a result, this could lead to confusion as to what it is that security officers and managers should and could be striving for in their career roles, and how they might actively use training to help further individual development. The pool of talent within the security sector has traditionally fallen within two factions – those who deploy their skills and practical expertise on the day-to-day management of sites and those who follow the contract management route with a determined focus on business acumen and commerciality. In truth, it’s in the combination of both skill sets that the key to better client service lies. As such, any progression path should build upon and combine both knowledge bases. A system of formal and recognised cross-department mentoring might be one way of providing site-based specialists with an introduction to business transactions or affording contract staff practical insight of operations. Such a set-up could also help service leavers progress their specific security sector knowledge.

Further thought must also be given to a graduate apprenticeship programme specifically designed to attract new talent and afford career opportunities for new graduates. Skills for Security’s apprenticeship scheme for the security systems sector has created a route for 16-18 year olds to join the sector by way of employment in a skilled role offering on-the-job practical training. There’s also an opportunity to continue learning and gain relevant qualifications enabling apprentices to progress within the specifically defined security systems sector career pathway. Put simply, this is a tremendous example of what could be developed for wider areas within the industry and something that absolutely would be welcomed across other areas of operational security.

An apprenticeship programme will offer a clear road map to graduates, in turn helping to fill skills shortages in the security sector while at the same time making sure graduates develop the vocational acumen they need in order to function well in the jobs available. In a recent study conducted by the National Apprenticeship Service it was discovered that 76% of businesses questioned who employ a graduate state those same graduates make their organisation more productive, while 77% believe having graduates on the payroll renders the business more competitive.

Gemma Quirke: Managing Director of Security Services at Wilson James

Recruitment of wider skill sets

Security is a business sector that exists – and, indeed, will continue to exist – in an ever-changing landscape, with shifting threats from terrorism and growing digital risks very much part of the mix. To ensure we have the skilled resources and leadership in place that will keep the industry evolving, now is the time to start attracting and developing talent and knowledge from both within and further afield. As security technology develops, we as individuals need to develop with it in order to ensure that technology can be deployed and managed on a successful basis. Recruiting wider skill sets into security from the IT and digital arenas and combining this knowledge with the physical manpower, intelligence and processes already developed is going to be essential when it comes to making certain that the security sector’s solutions for business are fit for future purpose.

The responsibility for making these changes, building the future of the profession and gaining supplier recognition in the Boardroom which security deserves has to sit with everyone who works across the security arena. If we collectively drive change not only for our own benefit but also for that of future leaders in our sector, together we may just manage to reach the accolade of ‘Excellence’.

Changing the culture of ‘cyber’

There are magnificent examples of organisations succeeding at cyber security in an environment where most others are failing – and they have done so without any extra investment. The $64,000 question is: How? As Martin Smith states, it’s all about culture change from within.

Nearly a decade ago my dear father died after several grim weeks at our local hospital where he was being treated for terminal cancer. Keep going, loyal reader of Risk UK, as I will duly explain how this applies to the state of cyber security in the year 2014. We were all heartbroken, of course, not just because of Dad’s passing but mainly due to the miserable experiences of his dying days while in the hands of the NHS. My father was a proud man – intelligent and perceptive, gentle and uncomplaining in equal measure – and deserved far better than the care on offer. My perception was that staff at all levels seemed simply not to care. It was clear they’d given up, not just with my Dad but with the system. You could smell the despair in the air. The hopelessness was seemingly all-embracing and the inertia complete.

Complete and profound change

Wind the clock forward to today. Over the past two years my dear and now very elderly mother has suffered a series of small heart attacks. As a result, she has been admitted six times as an emergency patient into the very same hospital. Accordingly, my mother has experienced (and I’ve witnessed in detail) the full process from ambulance to casualty to medical assessment to ward admission and on through healing to discharge and follow-up care. The change at the hospital is both complete and profound. It’s hard to believe this is the same place. The treatment of my mother has
been exemplary, not just sporadically but consistently on each admission and at every stage of the process. I’ve been able to spend days with my mother, keeping her company and just observing and listening to staff and patients alike. Culture change is my business, so my professional antennae have been fully extended. Given the universally despondent reports in the national press about the present state of the NHS, I was finding it difficult to reconcile the difference between what I had previously experienced, what I was expecting and what I was now seeing. The members of staff are happy. The whole atmosphere is one of optimism and positivity. Change is evident everywhere. The nurses really care, and smile at both each other and at their patients and visitors. Doctors take time to speak with their patients and explain to them what’s going on. Care assistants perform their ancillary duties diligently. What has changed, why and how? My mother might be seen by some as just another old lady with a failing heart who makes no fuss. She’s certainly no exception to the norm. It’s just that the system now embraces her and all the other patients at this particular hospital. They are recognised as customers and treated accordingly. It looks like the same hospital, with mainly the same staff and resources and the same budget, but clearly the whole culture has been dramatically altered for the better. I cannot imagine this scenario has been easily or quickly achieved, but the difference is most certainly overwhelming. Reports in the national news often indicate widespread failures in the NHS across the whole country despite the vast and increasing sums of money thrown at it, and there’s little obvious sign that things are changing for the better. 
Of course, my local hospital is still struggling to deal with the ongoing pressures placed upon it, but the place absolutely serves as a shining example of how failings can be addressed without just throwing more money and managers at them. The senior management has changed the culture. They have empowered the doctors and carers. They’ve made great efforts to communicate with staff and patients alike, and they’ve included the patients within their own treatment regimes. They have removed layers of management and silos of specialism such that everyone works as an integrated team.



Cyber Security: ‘State of the Nation’ in 2014

This same lesson applies to cyber security in 2014. Cyber security still has insufficient profile and status among Board members despite their own obvious concerns. Notwithstanding the vast and increasing sums of money being directed towards this issue, our vulnerabilities to cyber attack continue to grow both at home and at work, as individuals or as corporations. The levels of e-crime continue to rise.

Data breaches and ID theft

Data breaches occur with increasing monotony and do great harm. International and industrial espionage is rife. Privacy is becoming a thing of the past. ID theft is commonplace while the threat to our children from grooming and our society at large from online pornography – and worse – grows on a daily basis. The cyber security sector is fooling no-one except itself that things are alright. Our Boards are despairing at online safety and security in the same way that the public is despairing at the state of the NHS. Trust in cyber space was always a fragile thing anyway, but it’s being constantly bombarded and damaged by reports in the media of one breach after another. Similarly, trust in organisations’ cyber security functions was always going to be a fragile thing, but what little traction it had is – in so many cases – being eroded on a daily basis. No matter how much money Boards throw at cyber security, their companies are still very likely to appear in tomorrow’s newspapers. Each day that they don’t make the headlines is not a day that their cyber security efforts have succeeded, but simply another day nearer the one when they will suffer a breach and thus make the headlines. So many of these problems can so easily be overcome and trust restored. As is the case with the hospital and its improvements, there are magnificent examples of organisations succeeding at cyber security in an environment where most others are failing – and they have done so without any extra investment.

Part of ‘business as usual’

The difference – the only difference, in my humble opinion – is their culture. They have made cyber security part of ‘business as usual’. They have shown how good security can be a business enabler rather than just a cost on the bottom line. They have proven that it is indeed possible to gain by not losing. They have brought cyber security from the periphery and the shadows into the centre of the business stage, and they have merged it (and all other security functions) into a single risk management organisation – embracing the ‘convergence agenda’. They’ve educated their workforces about the basics of cyber security (so-called ‘cyber hygiene’), empowering them both to protect their own data and systems and to report problems easily and quickly. Like my local hospital, these enterprises have stopped doing more of the same and instead looked sideways at how they can make what they already do so much more effective. Like my local hospital, they have profoundly changed their cultures by taking time to communicate properly with everyone in the system – members of staff and customers alike. This last factor has been the key. It’s the single factor that has flipped the coin. Like my hospital, they are a work in progress. There is still much to be done and many benefits still to be gained. If it can be done at these organisations, why not everywhere? The answer lies within our own power to change. The fact that the cyber security industry still cannot – or will not – accept this, well… It’s enough to make a grown man cry.

Martin Smith MBE FSyI: Chairman and Founder of The Security Company (International) and the Security Awareness Special Interest Group


Risk in Action

Fike’s video fire detection protects UK’s Battle of Britain heritage

The SigniFire Video Fire Detection (VFD) system from Fike Safety Technology has been deployed at the Battle of Britain Memorial Flight (BBMF) hangar to protect some of the nation’s most valuable historic assets. Based at RAF Coningsby, the aircraft of the BBMF are regularly seen at events commemorating World War II, British State occasions and at air displays around the UK and Europe. Most notable among the WWII aircraft are the Spitfire, the Hurricane and one of only two flight-worthy Lancaster bombers in the world. It was therefore imperative that when the fire safety needs of the BBMF hangar were reviewed, a state-of-the-art solution was chosen to provide effective and reliable fire detection. The new system was designed and installed by T.I.S., an integrated solutions specialist and part of Fike’s dedicated nationwide Integrator Network. The camera-based SigniFire VFD visually detects the presence of fire or smoke at its source. Multiple cameras have been installed covering both the floor of the hangar and the roof space. The technology offers many benefits including fast and reliable response, effective protection in demanding environments, excellent value for money and the bonus of providing CCTV images for security purposes (if required). The video can also aid incident response with recordings made for post-scenario analysis. Distributing the video processing to within each fire detector camera delivers improved resilience and, with the use of fire-resistant cable, duly allows certification to BS 5839.

ISC awarded security contract at Brent Civic Centre: ‘Britain’s Greenest Building’

Integrated Security Consultants (ISC) has been awarded the contract to provide a range of security services at Brent Civic Centre, the new HQ of Brent Council which has been heralded as Britain’s greenest building and is managed by Bilfinger Europa Facility Management. ISC is to supplement Bilfinger Europa’s security operation by providing security teams for the building’s special events, including Brent Council-hosted receptions and public meetings, as well as an enhanced security presence in the building at key times (eg for match days at the nearby Wembley complex). “We’re delighted to have been chosen to support Bilfinger Europa in serving this modern and iconic building,” explained ISC’s managing director Pat Carr. “The building presents a number of security challenges, including its mix of public and private usage alongside a close proximity to two of the UK’s busiest sporting and entertainment venues.” Carr added: “We look forward to providing a service that balances the needs of Brent Council, its guests and VIP visitors with those of the general public who use the facilities on a daily basis. This contract represents further diversification in our customer base which, historically, consists of a significant number of clients across the entertainment sector.” Carr believes ISC was chosen for the contract because of the organisation’s vast experience in multi-agency communication at Wembley Stadium, where the company also provides integrated security services.
“As security partner at Wembley, we manage the day-to-day needs of a large complex and all of its associated challenges,” stated Carr, “whether that’s for a select few VIP guests attending a corporate function or for 90,000 people on the day of a major event.” Mike Munro, account director at Bilfinger Europa, commented: “ISC’s breadth of experience, and the fact that the company already looks after iconic buildings in this proximity, ably demonstrates its expertise in managing diverse security requirements.”


Apollo’s XP95 range fit for King’s

Education in Canterbury dates back to 597 AD, when St Augustine arrived to evangelise England. In 1541, education provided by the monastic foundation – and the ancient school of the City of Canterbury – was made the responsibility of the new Cathedral Foundation of Henry VIII. He established within it 50 King’s Scholars, a Headmaster and Lower Master. Now, Apollo’s fire detection technology has been chosen to protect an historic school in Canterbury which counts playwright Christopher Marlowe, astronaut Michael Foale and actor Orlando Bloom among former alumni. The King’s School is a co-educational independent establishment for both day and boarding pupils, and sits in the grounds of the prestigious Canterbury Cathedral. There are 821 pupils on The King’s School register, 75% of whom are boarders. King’s is thought to be the oldest continually-operating school in the world, and protecting both property and life is of the utmost importance. The Meister Omers building is one of the boys’ houses at The King’s School and is home to 49 pupils. To meet an ongoing refurbishment of all fire detection systems, more than 150 Apollo XP95 units were recently installed throughout The Meister Omers building by Triangle Integrated Fire Systems. This Level 1 system is supported by a Kentec Syncro AS control panel which monitors 16 zones on a single loop. Speaking about the project, Terry Hailes (operations director for Triangle Integrated Fire Systems) said: “We’ve now worked on 14 different system installations at The King’s School over the past four years. All of these projects have featured Apollo XP95 and Kentec Syncro systems with the exception of the original Chapel. Here, Apollo’s Wireless XPander range was used as no drilling could take place for cabling due to the building’s age.” Hailes added: “The fact that Apollo offers open protocol systems which are forward and backward compatible is a big attraction.”

PIRs and laser technology from Optex safeguard council depot

A council depot in Dudley was experiencing up to 80 false alarms in 45 minutes when opening every morning, but the problem has now been practically eradicated thanks to a review of the existing sensor locations and subsequent deployment of Optex laser detection technology. The site is used to store building materials including paving slabs, electrical cabling and some council vehicles, and is protected by a CCTV system triggered as a result of infrared motion detection sensors. However, the location was suffering numerous false alarms due to staff arriving for work and congregating in front of the building, and also because of wildlife along the canal footpath that runs parallel to two sides of the perimeter. Historically, intruders had broken through one of the perimeter walls and stolen central heating boilers and piping, and also climbed up on to the roof and illegally entered the building through the skylights. Although the operational needs of the site had changed, sensors remained in their original location and the false alarms generated when staff arrived at work were proving problematic for operators at Visual Verification’s Remote Monitoring Centre in Timperley, Cheshire. Location of the existing sensors needed a rethink. There was a requirement for a mixture of detection technologies that would avoid staff triggering the system. Now, 18 Redwall long range passive infrared (PIR) detectors from Optex have been installed throughout the car park and along the perimeter of the building to protect the elevation of the storage warehouse. Replacing the traditional volumetric sensors protecting the building, a Redscan laser detector has been installed on top of the building in a vertical application, covering the facade and a one-metre area from the wall and working in conjunction with two CCTV cameras. Creating a ‘virtual wall’, the laser sensor only detects people standing next to the building wall and ignores those further away. 
This has resulted in the false alarm rate decreasing by 80%. Richard Lowe, deputy stores and services manager at Dudley Metropolitan Borough Council, said: “It was paramount for us to realise the right level of security, triggering genuine alarms that the Remote Monitoring Centre operators could then act upon.”

Technology in Focus

Voice cues for key management launched by Morse Watchmans

Key management is a vital tool in ensuring a safe and secure facility. Voice cues make it even easier for the end user to incorporate key control within their security programme. With this in mind, Morse Watchmans has debuted a KeyWatcher system that uses voice cues to prompt the user to open a door, remove the key, return the key and close the door. End users can select key management solutions for single location applications such as museums or correctional facilities or for multiple-site enterprise level installations at university campuses. There’s even a system designed for fleet management applications. Innovative features include scheduled reports, automatic e-mail notifications, key reservations, mobile capabilities and checks for key ring inventories. KeyWatcher Touch, for example, has been updated to incorporate new easier-to-use onscreen icons. The enterprise key control and management system has a large touchscreen and user-intuitive interface including KeyAnywhere and KeyFind operations. www.morsewatchmans.com

Assa’s CLIQ Remote access solution goes mobile

ASSA’s CLIQ Remote is now available with a new mobile PD key updater, allowing administrators to update access rights ‘on the move’. CLIQ Remote is designed for larger master key suites, remote sites and companies with a geographical spread of operations, providing end users with remote access to a building through a secure web connection. ASSA’s new mobile PD unit connects to most smart phones via Bluetooth, or to the Internet by USB connector, in turn enabling administrators to grant access to remote users and update access rights at any juncture and from anywhere in the world. Nojmol Islam, product manager for ASSA, said: “ASSA’s CLIQ Remote is a popular product for small and large-scale organisations as it creates scalable, centralised and automated security management that reduces administrative requirements making it cost-effective. The system reduces the risk of keys falling into the wrong hands by allowing the access rights of lost keys to be removed without the need for changing cylinders and makes it easy to add or delete employees as they join or leave the company.” He added: “The new mobile PD updater unit makes it even simpler for the administrator to update user credentials to suit a company’s requirements, even while on the move and without having to have access to the key.” CLIQ Remote is easy to install and has the functionality to create time-defined user keys to allow access for a specified period of time – a popular feature for engineers and contractors who need access outside normal working hours. www.assaabloy.co.uk/Security-Solutions

KBC Networks unveils new generation of ThruLink products

Following a comprehensive software and hardware development programme, KBC Networks has now launched a new generation of ThruLink products. In addition to enhanced security and functionality, the secure hardware VPN series has been extended to suit different applications and capacity requirements. ThruLink is capable of applications that range from streaming secure video from vehicle cameras through to large-scale surveillance networks employing the Internet as the transmission medium. Following last June’s release of the standard capacity units designed for systems using between one and four cameras, the hardware VPN family now also includes Standard Plus, High Capacity and High Capacity Plus units (with plans for a micro version to be released in 2015). The ThruLink series now features embedded 3G/4G models that enable secure, live video to be streamed from patrol vehicles, units capable of operating as a mini hub and 200 Mbps-plus high capacity units ideal for large-scale systems. Each model within the series now features FIPS compliance capability (in addition to AES, Blowfish and Camellia encryption) and enables meshed networks to be established over any type of WAN. They will fit within an existing network infrastructure without the need for any network changes to be made prior to installation. In addition, upgraded management information enables end users to identify location and status of all the ThruLink devices on a network via the web browser compatible user interface. KBC’s engineering director Clinton Bessesen commented: “The new features and increased range of models mean that our customers can build secure and flexible systems tailored to what they need.” Bessesen added: “In the feedback we’ve received to date, customers have commented on how quick and easy it is to install and manage the new solutions.
Also, if the network connection should fail, there’s no need to send an engineer out to site. ThruLink will automatically reconnect once the connection is re-established.” www.kbcnetworks.com


Hoyles moves to enhance Exitguard fire door alarm solutions

Nowadays, it’s safe to say that the majority of employers consider the responsibility of Health and Safety high on their list of priorities. Unchecked, blocked fire exits are without doubt an accident waiting to happen and should be taken seriously. Checking systems are an excellent idea but, as can occur with many routines of this nature, they’re prone to fall by the wayside. Certain premises will be more vulnerable than others, of course, and are likely to have fire exits obstructed perhaps by pallets, scaffolding, rubbish, vehicles or incorrectly opened roller shutters. The list goes on. Thankfully, electronic security solutions manufacturer Hoyles Electronic Developments has not only increased its range of Exitguard fire door alarms but also developed a clever way of ensuring that fire exit doors are regularly checked and available to be fully opened in the event of an emergency scenario. The new capability – designated Fire Door Checker – is now a standard feature available on all of the keypad-operated Exitguards. Fire Door Checker alerts members of staff to Open-Check-Close as soon as the building is occupied. Each Exitguard emits an intermittent sound while strobing. Only when the fire doors have been verified will the Exitguard sounder and strobe cease. This ensures a given fire door is available for emergency use, after which time it resumes its normal security monitoring role. The Fire Door Checker operates via a switched signal from the intruder alarm, clocking machine, a time switch or on an independent basis. If a more frequent check is required, the time switch option allows the end user to introduce a tighter regime of checking suitable for their exact requirements.
In addition to the Fire Door Checker function, Hoyles’ Exitguard door alarm range provides a comprehensive solution for the security (and prevention of misuse) of fire exit doors. The different models afford options for battery, 12 V DC and mains power sources as well as end user control via keypad or key switch. The Hoyles solution could prove invaluable to management and those responsible for safety and security, ensuring that staff members incorporate the checking procedure of each fire exit door into their daily routine and, at the same time, educate colleagues on the dangers of blocked fire exits. www.hoyles.com

Videx debuts access control solutions range for end users

Door entry and access control systems developer Videx has launched a new access control range which provides enhanced features for businesses across the UK. The new range offers tailor-made products compatible with standard single gang flush back boxes, in turn making installation simple. The stand-alone or networked keypads, proximity readers and exit switches are available in six different colours to match surroundings and different types of building. “The existing access control product range available in today’s market is aesthetically quite limited,” said Neil Thomas, general manager at Videx. “Of course, there are a number of access control systems to manage entry through doors but most of the products do not fit in well with the décor of the building. The Videx range includes proximity readers, keypads and touch-to-exit switches in a compact design, which turns a necessary accessory into a modern, stylish feature within any building.” The Videx products are designed for any location where access needs to be restricted, controlled or monitored. This includes commercial buildings such as shopping centres, offices and storage facilities through to public premises like schools, hospitals, doctors’ surgeries, nurseries and libraries. www.videx-security.com

Cisco introduces threat-focused next generation firewall

Cisco ASA with FirePOWER Services provides the full contextual awareness and dynamic controls needed to automatically assess threats, correlate intelligence and optimise defences to protect all networks. By integrating the proven Cisco ASA 5500 Series firewall with application control, and the industry-leading Next Generation Intrusion Prevention Systems (NGIPS) and Advanced Malware Protection (AMP) from Sourcefire, Cisco is providing integrated threat defence across the entire attack continuum – before, during and after an attack. Cisco ASA with FirePOWER Services is an adaptive, threat-focused next generation firewall that’s designed to deliver “superior” multi-layered protection. Until now, next generation firewalls have focused on policy and application control, and have been unable to address advanced and zero-day attacks. Cisco ASA with FirePOWER Services changes this dynamic, adopting a visibility-driven, threat-focused and platform-based approach. www.cisco.com

Appointments

Risk UK keeps you up-to-date with all the latest people moves in the security, fire, IT and Government sectors

John Naughton

Unipart Security Solutions has appointed John Naughton as sales and marketing director. Naughton joins the company direct from Securitas where he’d expertly managed the sales teams of the now combined Securitas, Reliance and Chubb security businesses. Commenting on the announcement, Andrew Hallam (acting managing director at Unipart Security Solutions) said: “We’re delighted that John is joining us to lead our strategic growth objectives and refine our proposition through team engagement. He brings with him a wealth of relevant sales and marketing experience at a senior level. This knowledge will be of great value to the team during what is an extremely exciting time for our organisation.” Naughton himself told Risk UK: “It’s wonderful to be joining what is an outstanding Unipart Security Solutions team. I’m a firm believer in using the power of truly engaged teams to deliver solutions that exceed customer expectations. This is ‘The Unipart Way’, and I’m very much looking forward to introducing many more customers to our philosophy.” Unipart Security Solutions was established in 2008 by parent company Unipart Group, the well-known logistics provider boasting an annual turnover of more than £1 billion.

Steve Salter

Power management company Eaton’s security business has reaffirmed its commitment to manufacturing products and systems that offer industry leading standards of reliability by appointing Steve Salter as the organisation’s new quality manager. Salter brings extensive experience in the aerospace industry to his new role. Prior to joining Eaton, he was employed by Pattonair (a leading aerospace supply chain service provider) in the role of business process manager. Working closely with companies such as Rolls-Royce and Boeing, Salter was responsible for ensuring world class performance by maintaining the highest quality standards. Salter’s experience in the sector also involved the development of flight actuation systems and solid propellant rocket motors as well as dealing with a wide range of service fulfilment challenges. Although new to the security world, Salter believes that effective quality management is vital to all business sectors. “Since joining,” explained Salter, “I’ve been very impressed with the excellent reputation that the Menvier and Scantronic products enjoy among installers and end users in the security sector. My challenge is to address any issues that have been raised by our customers and maintain product consistency.” Describing his determination to further enhance the reputation of the company, Salter added: “It’s my intention to ensure that we continue to have one of the most reliable and robust products on the market.”

Adam Doohan

Adam Doohan takes on the new role of service director at Reliance High-Tech as the company continues its ongoing drive to increase efficiencies and customer satisfaction. Previously operations director for Balfour Beatty, Doohan has now worked in operations and customer service for over a decade. His new role will be focused on sharing Best Practice across the company to the benefit of all Reliance High-Tech customers. “Our investments in business efficiency mean that all end user customers will receive the best possible service,” asserted Doohan. Reliance High-Tech’s managing director Terry Sallas added: “We enjoy a reputation for handling complex projects and service contracts very well and, in his new role, Adam will be responsible for ensuring that customer service at Reliance High-Tech continues to set the benchmark for the security sector.”

John Psyllos

Surveillance specialist IDIS has appointed John Psyllos to the role of product manager for DirectIP across Europe and the Middle East. Psyllos’ appointment strengthens IDIS’ commitment to further development of third party integrations which deliver powerful off-the-shelf functionality to increase the flexibility and cost-effectiveness of DirectIP surveillance solutions. He will now work closely with IDIS technical support as well as the sales and marketing team to increase sales of the DirectIP line-up by developing and maintaining high levels of product value and quality. Psyllos brings with him extensive security industry experience across technical design, engineering, project and account management. An electronic and IT network engineer with a deep understanding of IP surveillance technology, Psyllos spent over a decade with security systems integrator First City Care. In his most recent role as a technical design consultant, he oversaw the implementation of tightly integrated security solutions at London-headquartered corporate enterprises.

Mark Sprules

Complete security service provider SecureData has announced that former Sainsbury’s security team leader Mark Sprules is to spearhead its CISO-as-a-Service practice and promote security awareness programmes in the mid-enterprise market. CISO-as-a-Service was designed to assist medium-sized enterprise businesses in developing and maintaining an Information Security Management System, and Sprules will now be responsible for the company’s existing base of clients in sectors such as retail, property, publishing and charity as well as the day-to-day assurance of its own CISO duties and ISO 27001 requirements. Prior to joining SecureData, Sprules led a team of information security analysts at Sainsbury’s from 2008, and worked closely with business stakeholders for the risk assessment and compliance of newly-selected third parties and the secure delivery of business solutions. Armed with over 27 years’ business experience, Sprules is also tasked with providing strategic security and information risk assessment as well as guidance on threat detection, protection measures and response planning for security incidents. Multiple certifications in the ISO 27000 series – which represent Best Practice standards for ISMS – will also see Sprules strengthen SecureData’s data handling specifications across the entire business.

Sandra Eastlake

ADP Security Systems welcomes a new member of staff to its management team with the appointment of Sandra Eastlake. Eastlake joins the company as security services manager tasked with leading business development in both new and existing markets. Eastlake brings over two decades’ experience of client services and consultancy in the security sector to this role having worked for Norbain SD, VCL/Honeywell, Asset Security and Protection, The Lone Working Group, Security Consultant Services (UK) and, most recently, Absolute Security Systems. Active in Surrey, Hampshire, Sussex, London and elsewhere, ADP Security Systems was founded in 1996 with a view to providing complete security solutions covering electronic security, security guarding, remote site monitoring and integrated physical security systems for end users.

Peter Cowell and Anthony Collett

The Security Systems and Alarms Inspection Board has recruited two regional auditors – Peter Cowell and Anthony Collett – to carry out inspections of both existing and potential registered companies. Cowell boasts nearly 30 years’ security industry experience gained at companies including Thorn Security. More recently, he was managing director at HSG Security. Cowell will now be inspecting companies in Essex, Suffolk, Norfolk, Cambridgeshire, Hertfordshire, Bedfordshire and Northamptonshire. Anthony Collett has been resident in the security sector for a similar time, having served as an alarm engineer and contracts manager at companies such as Secom and Bell Security. As a regional auditor for the SSAIB, his ‘patch’ now covers the home counties of Kent, Sussex and Surrey.


Cowell recently attained a quality management systems lead auditor qualification while Collett will be attending a similar course run by the International Register of Certificated Auditors later this year. “We’re delighted to welcome two inspectors with such a broad span of knowledge, all of which is now available to our existing registered firms as well as businesses actively considering the many benefits available through certification by the SSAIB,” commented Geoff Tate, the SSAIB’s CEO. Founded in 1994 and based in Tyne & Wear, the SSAIB runs the rule over organisations providing electronic security systems, security guarding services, fire protection, alarm and telecare services systems in both the UK and the Republic of Ireland. In addition to its successful product schemes, the organisation offers a range of management system certification schemes, including ISO 9001 quality management systems and ISO 14001 environmental management systems.



Best Value Security Products from Insight Security www.insight-security.com Tel: +44 (0)1273 475500 ...and lots more Computer Security

Anti-Climb Paints & Barriers

Metal Detectors (inc. Walkthru)

Security, Search & Safety Mirrors

ACCESS CONTROL

Security Screws & Fastenings

Key Control Products

Empty Property & Lone Worker Alarms

Traffic Flow & Management

see our website

ACCESS CONTROL – BARRIERS GATES & ROAD BLOCKERS

FRONTIER PITTS Crompton House, Crompton Way, Manor Royal Industrial Estate, Crawley, West Sussex RH10 9QZ Tel: 01293 548301 Fax: 01293 560650 Email: sales@frontierpitts.com Web: www.frontierpitts.com

ACCESS CONTROL

ACT ACT – Ireland, Unit C1, South City Business Centre Tallaght, Dublin 24 Tel: +353 (0)1 4662570 ACT - United Kingdom, 2C Beehive Mill Jersey Street, Manchester M4 6JG +44 (0)161 236 9488 sales@act.eu www.act.eu

ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES

UKB INTERNATIONAL LTD Planet Place, Newcastle upon Tyne Tyne and Wear NE12 6RD Tel: 0845 643 2122 Email: sales@ukbinternational.com Web: www.ukbinternational.com

ACCESS CONTROL

APT SECURITY SYSTEMS The Power House, Chantry Place, Headstone Lane, Harrow, HA3 6NY Tel: 020 8421 2411 Email: info@aptcontrols.co.uk www.aptcontrols-group.co.uk Barriers, Blockers, Bollards, PAS 68

ACCESS CONTROL, CCTV & INTRUSION DETECTION SPECIALISTS

SIEMENS SECURITY PRODUCTS Suite 7, Castlegate Business Park Caldicot, South Wales NP26 5AD UK Main: +44 (0) 1291 437920 Fax: +44 (0) 1291 437943 email: securityproducts.sbt.uk@siemens.com web: www.siemens.co.uk/securityproducts

ACCESS CONTROL

KERI SYSTEMS UK LTD Tel: + 44 (0) 1763 273 243 Fax: + 44 (0) 1763 274 106 Email: sales@kerisystems.co.uk www.kerisystems.co.uk

ACCESS CONTROL & DOOR HARDWARE

ALPRO ARCHITECTURAL HARDWARE Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks, Waterproof Keypads, Door Closers, Deadlocks plus many more T: 01202 676262 Fax: 01202 680101 E: info@alpro.co.uk Web: www.alpro.co.uk

ACCESS CONTROL

COVA SECURITY GATES LTD Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68

Tel: 01293 553888 Fax: 01293 611007 Email: sales@covasecuritygates.com Web: www.covasecuritygates.com

ACCESS CONTROL – SPEED GATES, BI-FOLD GATES

HTC PARKING AND SECURITY LIMITED 4th Floor, 33 Cavendish Square, London, W1G 0PW T: 0845 8622 080 M: 07969 650 394 F: 0845 8622 090 info@htcparkingandsecurity.co.uk www.htcparkingandsecurity.co.uk

ACCESS CONTROL MANUFACTURER

NORTECH CONTROL SYSTEMS LTD.

ACCESS CONTROL

Nortech House, William Brown Close Llantarnam Park, Cwmbran NP44 3AB Tel: 01633 485533 Email: sales@nortechcontrol.com www.nortechcontrol.com

INTEGRATED DESIGN LIMITED

ACCESS CONTROL - BARRIERS, BOLLARDS & ROADBLOCKERS

ACCESS CONTROL

HEALD LTD

SECURE ACCESS TECHNOLOGY LIMITED

HVM High Security Solutions "Raptor" "Viper" "Matador", Shallow & Surface Mount Solutions, Perimeter Security Solutions, Roadblockers, Automatic & Manual Bollards, Security Barriers, Traffic Flow Management, Access Control Systems

Tel: 01964 535858 Email: sales@heald.uk.com Web: www.heald.uk.com

Integrated Design Limited, Feltham Point, Air Park Way, Feltham, Middlesex. TW13 7EQ Tel: +44 (0) 208 890 5550 sales@idl.co.uk www.fastlane-turnstiles.com

Authorised Dealer Tel: 0845 1 300 855 Fax: 0845 1 300 866 Email: info@secure-access.co.uk Website: www.secure-access.co.uk


AUTOMATIC VEHICLE IDENTIFICATION

CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS

NEDAP AVI

ALTRON COMMUNICATIONS EQUIPMENT LTD

PO Box 103, 7140 AC Groenlo, The Netherlands Tel: +31 544 471 666 Fax: +31 544 464 255 E-mail: info-avi@nedap.com www.nedapavi.com

Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ Tel: +44 (0) 1269 831431 Email: comms@altron.co.uk Web: www.altron.co.uk

CCTV

ACCESS CONTROL – BARRIERS, GATES, CCTV

ABSOLUTE ACCESS Aberford Road, Leeds, LS15 4EF Tel: 01132 813511 E: richard.samwell@absoluteaccess.co.uk www.absoluteaccess.co.uk Access Control, Automatic Gates, Barriers, Blockers, CCTV

G-TEC Gtec House, 35-37 Whitton Dene Hounslow, Middlesex TW3 2JN Tel: 0208 898 9500 www.gtecsecurity.co.uk sales@gtecsecurity.co.uk

CCTV/IP SOLUTIONS

DALLMEIER UK LTD

BUSINESS CONTINUITY

3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH Tel: +44 (0) 117 303 9 303 Fax: +44 (0) 117 303 9 302 Email: dallmeieruk@dallmeier.com

BUSINESS CONTINUITY MANAGEMENT

CONTINUITY FORUM

CCTV & IP SECURITY SOLUTIONS

Creating Continuity ....... Building Resilience A not-for-profit organisation providing help and support Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845 Email: membership@continuityforum.org Web: www.continuityforum.org

PANASONIC SYSTEM NETWORKS EUROPE Panasonic House, Willoughby Road Bracknell, Berkshire RG12 8FP Tel: 0844 8443888 Fax: 01344 853221 Email: system.solutions@eu.panasonic.com Web: www.panasonic.co.uk/cctv

COMMUNICATIONS & TRANSMISSION EQUIPMENT

PHYSICAL IT SECURITY

KBC NETWORKS LTD.

RITTAL LTD

Barham Court, Teston, Maidstone, Kent ME18 5BZ www.kbcnetworks.com Phone: 01622 618787 Fax: 020 7100 8147 Email: emeasales@kbcnetworks.com

Tel: 020 8344 4716 Email: information@rittal.co.uk www.rittal.co.uk

DIGITAL IP CCTV

CCTV

SESYS LTD High resolution ATEX certified cameras, rapid deployment cameras and fixed IP CCTV surveillance solutions available with wired or wireless communications.

1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333 Email: info@sesys.co.uk www.sesys.co.uk

SURVEILLANCE / CCTV

IDIS EUROPE 1000 Great West Road, Brentford, LONDON TW8 9HH Tel : +44 (0)203 657 5678 Fax : +44 (0)203 697 9360 uksales@idisglobal.com

TO ADVERTISE HERE CONTACT: MANUFACTURERS OF A COMPLETE RANGE OF INNOVATIVE INFRA RED AND WHITE LIGHT LED LIGHTING PRODUCTS FOR PROFESSIONAL APPLICATIONS INCLUDING CCTV SCENE ILLUMINATION, ARCHITECTURAL UP-LIGHTING AND COVERT SECURITY.

Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk

ADVANCED LED TECHNOLOGY LTD Sales: +44 (0) 1706 363 998 Technical: +44 (0) 191 270 5148 Email: info@advanced-led-technology.com www.advanced-led-technology.com


INFRA-RED, WHITE-LIGHT AND NETWORK CCTV LIGHTING

RAYTEC Unit 3 Wansbeck Business Park, Rotary Parkway, Ashington, Northumberland. NE638QW Tel: 01670 520 055 Email: sales@rayteccctv.com Web: www.rayteccctv.com

TRADE ONLY CCTV MANUFACTURER AND DISTRIBUTOR

COP SECURITY Leading European Supplier of CCTV equipment all backed up by an industry leading service and support package called Advantage Plus. COP Security, a division of Weststone Ltd, has been designing, manufacturing and distributing CCTV products for over 17 years. COP Security is the sole UK distributor for IRLAB products and the highly successful Inspire DVR range. More than just a distributor.

COP Security, Delph New Road, Dobcross, OL3 5BG Tel: +44 (0) 1457 874 999 Fax: +44 (0) 1457 829 201 sales@cop-eu.com www.cop-eu.com

WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS, PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.

CCTV SPECIALISTS

PLETTAC SECURITY LTD Unit 39 Sir Frank Whittle Business Centre, Great Central Way, Rugby, Warwickshire CV21 3XH Tel: 0844 800 1725 Fax: 01788 544 549 Email: sales@plettac.co.uk www.plettac.co.uk

MAYFLEX Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ

Tel: 0800 881 5199 Email: securitysales@mayflex.com Web: www.mayflex.com

CCTV & IP SOLUTIONS, POS & CASH REGISTER INTERFACE, EPOS FRAUD DETECTION

AMERICAN VIDEO EQUIPMENT Endeavour House, Coopers End Road, Stansted, Essex CM24 1SJ Tel : +44 (0)845 600 9323 Fax : +44 (0)845 600 9363 E-mail: avesales@ave-uk.com

THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS CONTROL AND INTRUDER DETECTION SOLUTIONS

NORBAIN SD LTD

CONTROL ROOM & MONITORING SERVICES

210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP Tel: 0118 912 5000 Fax: 0118 912 5001 www.norbain.com Email: info@norbain.com

EMPLOYMENT

ADVANCED MONITORING SERVICES

EUROTECH MONITORING SERVICES LTD.

Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring • Vehicle Tracking • Message Handling • Help Desk Facilities • Keyholding/Alarm Response Tel: 0208 889 0475 Fax: 0208 889 6679 E-MAIL eurotech@eurotechmonitoring.com Web: www.eurotechmonitoring.com

FIRE AND SECURITY INDUSTRY RECRUITMENT

SECURITY VACANCIES www.securityvacancies.com Telephone: 01420 525260

DISTRIBUTORS EMPLOYEE SCREENING SERVICES

THE SECURITY WATCHDOG Cross and Pillory House, Cross and Pillory Lane, Alton, Hampshire, GU34 1HL, United Kingdom www.securitywatchdog.org.uk Telephone: 01420593830

EMPLOYMENT

URGENTLY NEEDED… National Franchise Opportunities with an established Security Company with over 4000 installs specialising in Audio Monitoring. Try before you buy scheme. Contact Graham for full prospectus graham@securahomes.co.uk TEL: 01274 631001 sales@onlinesecurityproducts.co.uk www.onlinesecurityproducts.co.uk

IDENTIFICATION ADI ARE A LEADING GLOBAL DISTRIBUTOR OF SECURITY PRODUCTS OFFERING COMPLETE SOLUTIONS FOR ANY INSTALLATION.

ADI GLOBAL DISTRIBUTION Chatsworth House, Hollins Brook Park, Roach Bank Road, Bury BL9 8RN Tel: 0161 767 2900 Fax: 0161 767 2909 Email: info@adiglobal.com


COMPLETE SOLUTIONS FOR IDENTIFICATION

PERIMETER PROTECTION

DATABAC GROUP LIMITED

GPS PERIMETER SYSTEMS LTD

1 The Ashway Centre, Elm Crescent, Kingston upon Thames, Surrey KT2 6HH Tel: +44 (0)20 8546 9826 Fax:+44 (0)20 8547 1026 enquiries@databac.com

14 Low Farm Place, Moulton Park Northampton, NN3 6HY UK Tel: +44(0)1604 648344 Fax: +44(0)1604 646097 E-mail: info@gpsperimeter.co.uk Web site: www.gpsperimeter.co.uk

INDUSTRY ORGANISATIONS

PLANNED PREVENTATIVE MAINTENANCE

TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY

BRITISH SECURITY INDUSTRY ASSOCIATION Tel: 0845 389 3889 Email: info@bsia.co.uk Website: www.bsia.co.uk

THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY

SECURITY MAINTENANCE CONSULTANTS • Planned Preventative Maintenance (PPM) Specialists • Price Comparison Service (achieving 20-70% savings) • FM Support / Instant Reporting / Remedial Work • System Take-Overs / Upgrades / Additions • Access, CCTV, Fire & Intruder, BMS, Networks & Automation • Free independent, impartial advice Tel: +44 (0)20 7097 8568 sales@securitysupportservices.co.uk

SSAIB 7-11 Earsdon Road, West Monkseaton Whitley Bay, Tyne & Wear NE25 9SX Tel: 0191 2963242 Web: www.ssaib.org

INTEGRATED SECURITY SOLUTIONS SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

HONEYWELL SECURITY GROUP Honeywell Security Group provides innovative intrusion detection, video surveillance and access control products and solutions that monitor and protect millions of facilities, offices and homes worldwide. Honeywell integrates the latest in IP and digital technology with traditional analogue components enabling users to better control operational costs and maximise existing investments in security and surveillance equipment. Honeywell – your partner of choice in security. Tel: +44 (0) 844 8000 235 E-mail: securitysales@honeywell.com Web: www.honeywell.com/security/uk

POWER

STANDBY POWER SPECIALISTS; UPS, GENERATORS, SERVICE & MAINTENANCE

DALE POWER SOLUTIONS LTD Salter Road, Eastfield Industrial Estate, Scarborough, North Yorkshire YO11 3DU United Kingdom Phone: +44 1723 583511 Fax: +44 1723 581231 www.dalepowersolutions.com

POWER SUPPLIES – DC SWITCH MODE AND AC

DYCON LTD Cwm Cynon Business Park, Mountain Ash, CF45 4ER Tel: 01443 471 060 Fax: 01443 479 374 Email: marketing@dyconsecurity.com www.dyconsecurity.com The Power to Control; the Power to Communicate

INTEGRATED SECURITY SOLUTIONS

INNER RANGE EUROPE LTD Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead, Reading, Berkshire RG74GB, United Kingdom Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001 Email: ireurope@innerrange.co.uk www.innerrange.com

STANDBY POWER

UPS SYSTEMS PLC Herongate, Hungerford, Berkshire RG17 0YU Tel: 01488 680500 sales@upssystems.co.uk www.upssystems.co.uk

SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

TYCO SECURITY PRODUCTS Heathrow Boulevard 3, 282 Bath Road, Sipson, West Drayton. UB7 0DQ / UK Tel: +44 (0)20 8750 5660 www.tycosecurityproducts.com

UPS - UNINTERRUPTIBLE POWER SUPPLIES

ADEPT POWER SOLUTIONS LTD Adept House, 65 South Way, Walworth Business Park Andover, Hants SP10 5AF Tel: 01264 351415 Fax: 01264 351217 Web: www.adeptpower.co.uk E-mail: sales@adeptpower.co.uk

PERIMETER PROTECTION INFRARED DETECTION

UPS - UNINTERRUPTIBLE POWER SUPPLIES

GJD MANUFACTURING LTD

UNINTERRUPTIBLE POWER SUPPLIES LTD

Unit 2 Birch Industrial Estate, Whittle Lane, Heywood, Lancashire, OL10 2SX Tel: + 44 (0) 1706 363998 Fax: + 44 (0) 1706 363991 Email: info@gjd.co.uk www.gjd.co.uk

Woodgate, Bartley Wood Business Park Hook, Hampshire RG27 9XA Tel: 01256 386700 5152 e-mail: sales@upspower.co.uk www.upspower.co.uk


SECURITY

ONLINE SECURITY SUPERMARKET

EBUYELECTRICAL.COM CASH MANAGEMENT SOLUTIONS

LOOMIS UK LIMITED 1 Alder Court, Rennie Hogg Road, Nottingham, NG2 1RX T - 0845 309 6419 E - info@uk.loomis.com W - www.loomis.co.uk

Lincoln House, Malcolm Street Derby DE23 8LT Tel: 0871 208 1187 www.ebuyelectrical.com

INTRUDER ALARMS – DUAL SIGNALLING

WEBWAYONE LTD CASH & VALUABLES IN TRANSIT

CONTRACT SECURITY SERVICES LTD Challenger House, 125 Gunnersbury Lane, London W3 8LH Tel: 020 8752 0160 Fax: 020 8992 9536 E: info@contractsecurity.co.uk E: sales@contractsecurity.co.uk Web: www.contractsecurity.co.uk

11 Kingfisher Court, Hambridge Road, Newbury Berkshire, RG14 5SJ Tel: 01635 231500 Email: sales@webwayone.co.uk www.webwayone.co.uk www.twitter.com/webwayoneltd www.linkedin.com/company/webwayone

LIFE SAFETY EQUIPMENT

C-TEC PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB

INSIGHT SECURITY Unit 2, Cliffe Industrial Estate Lewes, East Sussex BN8 6JL Tel: 01273 475500 Email:info@insight-security.com www.insight-security.com

Challenge Way, Martland Park, Wigan WN5 OLD United Kingdom Tel: +44 (0) 1942 322744 Fax: +44 (0) 1942 829867 Website: http://www.c-tec.co.uk

PERIMETER SECURITY

TAKEX EUROPE LTD FENCING SPECIALISTS

J B CORRIE & CO LTD Frenchmans Road Petersfield, Hampshire GU32 3AP Tel: 01730 237100 Fax: 01730 264915 email: fencing@jbcorrie.co.uk

Aviary Court, Wade Road, Basingstoke Hampshire RG24 8PE Tel: +44 (0) 1256 475555 Fax: +44 (0) 1256 466268 Email: sales@takexeurope.com Web: www.takexeurope.com

SECURITY EQUIPMENT INTRUSION DETECTION AND PERIMETER PROTECTION

OPTEX (EUROPE) LTD Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre optic perimeter security solutions are owned by Optex. Platinum House, Unit 32B Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311 Email: sales@optex-europe.com www.optex-europe.com

PYRONIX LIMITED Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY. Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042 www.facebook.com/Pyronix www.linkedin.com/company/pyronix www.twitter.com/pyronix

SECURITY SYSTEMS INTRUDER AND FIRE PRODUCTS

BOSCH SECURITY SYSTEMS LTD

CQR SECURITY

PO Box 750, Uxbridge, Middlesex UB9 5ZJ Tel: 01895 878088 Fax: 01895 878089 E-mail: uk.securitysystems@bosch.com Web: www.boschsecurity.co.uk

125 Pasture road, Moreton, Wirral UK CH46 4 TH Tel: 0151 606 1000 Fax: 0151 606 1122 Email: andyw@cqr.co.uk www.cqr.co.uk

INTRUDER ALARMS – DUAL SIGNALLING

CSL DUALCOM LTD Salamander Quay West, Park Lane Harefield , Middlesex UB9 6NZ T: +44 (0)1895 474 474 F: +44 (0)1895 474 440 www.csldual.com

SECURITY EQUIPMENT

CASTLE Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042 www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity

www.twitter.com/castlesecurity

INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS

SECURITY SYSTEMS

RISCO GROUP

VICON INDUSTRIES LTD.

Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton, Manchester, M24 2SS Tel: 0161 655 5500 Fax: 0161 655 5501 Email: sales@riscogroup.co.uk Web: www.riscogroup.com/uk

Brunel Way, Fareham Hampshire, PO15 5TX United Kingdom www.vicon.com


G4S Cash Solutions (UK) Ltd G4S Cash Solutions is the UK leader in cash management, with unrivalled national expertise applied locally and with the most sophisticated fleet around. 4,500 businesses big and small choose us to handle their money and valuables. We help them cut cost, time and risk associated with managing their cash.

Want to know more? Find out how we can secure your cash and protect your business by calling us on 0844 800 4205 and press option 3 or for a call back please e-mail cashsales@uk.g4s.com or for further information log onto www.g4s.uk.com/cashsolutions

