Risk UK September 2015 by Western Business Media Limited

FrontCover September2015_001 10/09/2015 14:29 Page 1

September 2015

Security and Fire Management

Corporate Espionage Staff Manipulation and â&#x20AC;&#x2DC;The Insider Threatâ&#x20AC;&#x2122; Demonstrating Resilience: Crisis Management Techniques Community Safety Accreditation Schemes The Evolution of Fire and Rescue Services Vertical Focus: Security Regimes for the Retail Sector

Project1_Layout 1 10/09/2015 14:57 Page 1

Contents September2015_riskuk_Dec12 10/09/2015 12:22 Page 1

September 2015

Contents 33 Security Solutions for the Retail Sector

Espionage and ‘The Insider Threat’ (pp44-45) 5 Editorial Comment

Risk UK’s Vertical Focus analyses security solutions for the retail sector. Justin Hollis covers Open Platform video (p35). Kiran Pillai views modular and scalable surveillance (p36) while Patrick Peterson tackles cyber attack risks (pp38-39). Peter Greener takes stock of crime prevention technology (p40) and James Walker details CCTV system planning techniques (p42)

44 Corporate Espionage: ‘The Insider Threat’

6 News Update

Why should businesses care about espionage and ‘The Insider Threat’, and what can they actually do in terms of prevention? Guy Bunker recites the detail of some high profile Case Studies

GCHQ research partnership with The Alan Turing Institute. NCA launches International Corruption Unit. CCTV grading guidance

46 The Security Institute’s View

8 News Analysis: BTP Annual Report 2014-2015 Brian Sims scrutinises statistics published by the British Transport Police detailing an 8% fall in crime on the rail network

11 News Special: National Security and Resilience Brian Sims previews the 2015 National Security and Resilience Conference running in central London on 20-21 October

12 Opinion: The Role of Security Consultants

It’s estimated that workplace stress costs UK businesses millions of pounds every year. How might companies address this situation? Andy Beale highlights intervention strategies

49 In the Spotlight: ASIS International UK Chapter 52 FIA Technical Briefing 55 Security Services: Best Practice Casebook

What is the role of the security consultant in this day and age? What should it be? David Gill addresses these key questions

58 Contact Centre Security: Fraud Not Present

14 Opinion: Security’s VERTEX Voice

Is the level of training across the security sector sufficient in scope and detail to prepare learners for conducting their duties? Mike Payne talks about the state of today’s education landscape

In examining today’s Community Safety Accreditation Schemes, Peter Webster outlines exactly why ongoing austerity cuts to the police service mean that more security solutions providers are being afforded enhanced powers in local environments

61 Training and Career Development

64 Risk in Action

17 BSIA Briefing

66 Technology in Focus

James Kelly reviews the security measures already in place and assesses what more can be done to protect the UK’s borders

69 Appointments

20 Demonstrating Resilience Those threats posed to a company’s value and reputation during a crisis scenario may well extend beyond operational levels. Rick Cudworth looks at how the Board should respond

People moves across the security and fire business sectors

71 The Risk UK Directory ISSN 1740-3480

24 Project Griffin: A Blueprint for Awareness Project Griffin is recognised by many security professionals as one of the finest examples of public-private sector joint working. Graham Bassett discusses developments for the future

27 An Open Letter to Risk Managers Jason Wakefield considers risk assessment procedures and details procurement Best Practice around Post Room security

Risk UK is published monthly by Pro-Activ Publications Ltd and specifically aimed at security and risk management, loss prevention, business continuity and fire safety professionals operating within the UK’s largest commercial organisations © Pro-Activ Publications Ltd 2015 All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical (including photocopying, recording or any information storage and retrieval system) without the prior written permission of the publisher The views expressed in Risk UK are not necessarily those of the publisher Risk UK is currently available for an annual subscription rate of £78.00 (UK only)

Editor Brian Sims BA (Hons) Hon FSyI Tel: 0208 295 8304 Mob: 07500 606013 e-mail: brian.sims@risk-uk.com Design and Production Matt Jarvis Tel: 0208 295 8310 Fax: 0870 429 2015 e-mail: matt.jarvis@proactivpubs.co.uk Advertisement Director Paul Amura Tel: 0208 295 8307 Fax: 01322 292295 e-mail: paul.amura@proactivpubs.co.uk Administration Tracey Beale Tel: 0208 295 8306 Fax: 01322 292295 e-mail: tracey.beale@proactivpubs.co.uk Managing Director Mark Quittenton

30 Postal Threat Detection: The Man Machine Kirstine Wilson on ‘human dimensions’ of Post Room security

Risk UK PO Box 332 Dartford DA1 9FF

Chairman Larry O’Leary

Editorial: 0208 295 8304 Advertising: 0208 295 8307

3 www.risk-uk.com

EditorialComment September2015_riskuk_jul14 10/09/2015 12:34 Page 1

Premier Elite TTLCom

Network to fibre optic TTL converter The Premier Elite TTLCom allows Premier and Premier Elite control panel networks to transmit over fibre optic cables – significantly enhancing the size and scale of security systems compared to traditional alarm network cables. By converting network signals to 5V TTL level signals, the Premier Elite TTLCom permits fibre optic systems to extend network communications over considerable distances, or in electrically noisy environments. Premier Elite TTLCom features: • Converts network signals to TTL, and vice versa. • Compatible with Premier and Premier Elite control systems • Interfaces with any fibre optic modem that operate full duplex 5V TTL signal inputs

Designed & made in the UK by Texecom

EditorialComment September2015_riskuk_jul14 10/09/2015 12:34 Page 2

Editorial Comment

The Trailblazers Security for professionals The Premier Elite Series represents the most advanced electronic security solutions Texecom has to offer. These products are designed to protect high value installations where design flexibility, product performance and integrated solutions are a priority.

he Department for Business, Innovation and Skills has just approved the Trailblazer Apprenticeship Standard for the security and fire business sectors as well as the Emergency Systems world. This major development arises alongside the Government’s own announcements regarding radical changes designed to boost apprenticeships right across the UK. For its part, the Trailblazer Apprenticeship Standard sets out the core competencies for apprentices aspiring to become a security, fire or Emergency Systems-focused technician. It’s expected to take 36 months to complete. At that juncture, candidates will be eligible to apply for membership of the Institute of Engineering and Technology at EngTech level. The next step forward is the creation of an Assessment Plan in support of the new Trailblazer Apprenticeship Standard. Skills minister Nick Boles commented: “Businesses are better placed than anyone to train the next generation of workers and will help us deliver three million high quality apprenticeships by 2020. In designing apprenticeships, organisations like the Fire and Security Association (FSA) and their group of employers are ensuring that talented young people develop the skills needed to ascend the career ladder and help drive businesses forward.” Pat Allen (director of the Abel Alarm Company and lead employer on the Fire, Emergency and Security Systems Trailblazer Group) responded: “This structured apprenticeship programme has been developed by employers and key industry bodies alike to reflect the skills and competencies today’s businesses require of their apprentices. This is the first apprenticeship that caters for the needs of both fire and security systems installation companies as it allows candidates to specialise depending on the needs of their employer’s business.” Steve Martin, head of the FSA, has also welcomed the approval of the Trailblazer Apprenticeship Standard. “Our industry now has a means of recruiting high calibre talent to fill its vacancies and help succession plan for the future,” enthused Martin. “This is something we’ve needed for a long time.” In parallel, Apprentices for Fire & Security encompasses the 100 in 100 apprenticeship drive, the Engineers of Tomorrow competition and the Government’s Trailblazer initiative. In the four years since its inception, the scheme has placed over 3,000 16 to 24-year olds into careers within the security sector ranging from engineering and IT through to product design, marketing and sales. Nothing short of a superb achievement. Referencing UK plc-based businesses in general, the amount of money they’ve invested in training has fallen consistently over the last two decades. The sad outcome is that UK productivity presently lags some way behind other major Organisation for Economic Co-operation and Development member countries. To buck that trend, David Cameron’s Conservative Government is now asking employers for their views on the introduction of a special levy proposed for introduction in 2017 and designed to increase investment in both training and apprenticeships. Be they systems installers or security guarding companies, succession planning is everything. Let’s ensure the quality of tomorrow’s employee cohort by backing apprentices today.

Brian Sims BA (Hons) Hon FSyI Editor

www.texe.com Sales: 01706 220460

December 2012

www.risk-uk.com

NewsUpdate September2015_riskuk_nov14 10/09/2015 12:52 Page 1

GCHQ outlines detail of joint research partnership with The Alan Turing Institute GCHQ is about to embark on a joint research partnership with The Alan Turing Institute focusing on open access and commercial data analysis methods. The organisations have agreed in principle to work together alongside the wider national security community for the benefit of data science across the UK. Both institutions have a mission to inform policy, propagate Best Practice and catalyse the next generation of ideas and methods for the use of big data. They’ve now agreed to cooperate on training and research in dataanalytical methods that may be applied in open access and commercial environments. Established as the UK’s National Institute for Data Sciences, The Alan Turing Institute is a new joint venture between the Universities of Cambridge, Edinburgh, Oxford, UCL and Warwick and the Engineering and Physical Sciences Research Council. Headquartered at The British Library, the Institute will promote the development and use of advanced mathematics, computer science, algorithms and big data for ‘human benefit’. The plan is to attract the very best data scientists and mathematicians from the UK and across the globe to “break new boundaries” in terms of how we use big data in what’s now very much a fast-moving and competitive world. GCHQ’s director Robert Hannigan commented: “GCHQ is delighted to be a partner

of The Alan Turing Institute and have the opportunity to help maintain Alan Turing’s legacy for generations to come. Turing spent much of his life working with data, both during and after the Second World War, and it’s a fitting tribute that his name is associated with an Institute that will dedicate itself to becoming the world leader in the analysis and application of big data and algorithm research.” Hannigan added: “We believe that The Alan Turing Institute will allow GCHQ researchers, together with our counterparts in national security and defence in the public sector, to work with the very best professionals in the field, as well as providing the opportunity to share and develop our own techniques and ideas across a broad array of sectors. Inevitably, this will assist us in meeting the challenges set by the National Cyber Security Strategy.” Howard Covington, chairman of The Alan Turing Institute, responded: “We’re delighted to announce our relationship with GCHQ and the broader defence community. This takes us another step forward when it comes to building a network of strategic partners. GCHQ will support collaborative research on scientific matters of joint interest across a broad spectrum of possible applications.” Covington concluded: “Through CESG, GCHQ will also advise us on our own data and information risk policies and practices.”

International Corruption Unit established at UK’s National Crime Agency to tackle global scourges of bribery and money laundering A new unit at the National Crime Agency (NCA) has been established to tackle serious instances of bribery, corruption and money laundering around the world. The International Corruption Unit (ICU) brings together detailed anti-corruption work carried out by the Metropolitan Police Service, the City of London Police and the NCA. Jon Benton, joint head of the new ICU, explained to Risk UK: “The work we’re doing is absolutely vital for helping countries recover what’s rightfully theirs. The message to individuals and companies who see developing countries as fair game is that the UK is adopting a zero tolerance policy towards overseas bribery and corruption.” The ICU will continue to drive forward the work of its predecessors but with a defined focus on: *Investigating grand corruption and recovering and returning money that’s stolen from developing countries and laundered through the UK *Investigating the minority of UK nationals and companies who engage in bribery or other corrupt practices within developing countries *Ensuring those responsible for criminal acts are brought to justice Since 2006, no less than 150 cases involving suspected overseas bribery have been investigated and over £180 million has been restrained, recovered or returned through the work of the ICU’s predecessors. 27 individuals and one company have also been successfully prosecuted. In terms of funding, the Department for International Development will provide £21 million to the ICU for the five-year period to 2020.

6 www.risk-uk.com

NewsUpdate September2015_riskuk_nov14 10/09/2015 12:53 Page 2

News Update

BSIA guidance document explains new CCTV grading system for risk and security professionals New guidance has been published by the British Security Industry Association (BSIA) to help end users understand the system of security grading introduced by the BS EN 62676 series of international standards – the first standards for CCTV video surveillance that will be used to any great extent in the UK. Grading is a way of giving a variation in requirements such that surveillance systems not needing sophisticated features are allowed to be simpler in format. The BSIA has produced this new guidance to assist both end users and installers of CCTV solutions – along with other interested parties – in understanding how a choice of grade should be made and then applied in order to determine the design requirements of a given surveillance system. The first guide – entitled Graded Requirements Under BS EN 62676 Standards for CCTV: Technical Guide for Installers and Specifiers (BSIA Form 218) – is the end result of work undertaken by a team of BSIA members alongside specialists from the Home Office, the security sector’s inspectorates, insurance companies and security consultants to develop a method of applying grades that

Low cohort of females opting for risk management and STEM-centric careers actively addressed by Corporate Risk Associates Corporate Risk Associates (CRA) – one of the country’s largest independent safety and risk consultancies – is working hard to buck the trend of low female numbers joining STEM (Science, Technology, Engineering and Mathematics)-centric industries with a commitment that means the business now boasts what it believes to be one of the highest ratios of female-to-male STEM graduates in the sector. The company was founded in 2000 and specialises in managing risk across safetycritical industries including the nuclear, oil and gas, defence, power, process and transportation sectors. According to CEO Jasbir Sidhu, CRA prides itself on the fact that its first course of action from start-up was to look at how the company might actively encourage more women to choose safety and risk management as a career. This plan has been combined with actively promoting the uptake of STEM subjects to undergraduates through bespoke

demonstrably allow for both simplicity and, when required, flexibility. The second guide is entitled BS EN 62676 Series: Guidance for Customers About Grading and Other Important Matters (BSIA Form 217). It complements the first guide by providing a summary for customers who might be seeking a more concise and/or less technical explanation of the new grading system. Both guides relate to the BS EN 62676 suite of standards, themselves developed using Best Practice guidelines from a number of organisations including the BSIA and the Government’s Centre for Applied Science and Technology (CAST). Ideas from British Standards are also incorporated. While the grading of a CCTV system doesn’t specifically determine the quality of the images captured by it, the implementation of a higher grade may coincidentally result in an improvement for host organisations. Paul Phillips, technical manager at the BSIA, commented: “For the first time, a single set of standards includes a wide range of Best Practice ideas designed to improve the quality of CCTV systems. They’ve been embraced within the standards framework developed by the UK Surveillance Camera Commissioner.” Phillips added: “The new standards help to define Best Practice. Their use will ensure the needs of the customer are properly specified.”

university partnerships and internships with both Imperial College in London and Manchester University. The provision of resources and training that has enabled staff to quickly and effectively progress through the business, combined with the implementation of changes in the workplace duly providing greater flexibility for all members of staff, have also contributed to the number of STEM-focused employees joining Corporate Risk Associates. Indeed, the push across all of these key areas appears to have paid off as 20% of the business’ headcount is now occupied by female STEM employees. Sidhu explained: “The most recent set of figures shows that only 13% of those individuals employed in STEM-focused occupations across the UK are female. While this figure has begun to creep up somewhat over the last few years, it’s nowhere near where it should be.” Two recent STEM graduates to join the team at Corporate Risk Associates are Sophie Bold and Dr Eleanor Ramsden who, between them, hold two degrees, two Master’s qualifications and a PhD gained at Warwick, Imperial College London, York and Sheffield universities.

7 www.risk-uk.com

NewsAnalysisBritishTransportPoliceAnnualReport20142015 September2015_riskuk_mar15 10/09/2015 12:49 Page 1

BTP reports crime reduction on Britain’s rail networks for eleventh year in succession The British Transport Police has just issued annual figures showing an overall decrease in crime on the rail network of more than 8% compared with the previous year while theft of passenger property has fallen by 16%. However, incidents of violent crime are on the rise. Brian Sims examines the published statistics

uring 2014-2015, the British Transport Police (BTP) recorded a total of 46,688 notifiable crimes, down from more than 50,000 in the preceding 12 months. At least in part, this improved performance is due to major successes in a number of key areas, among them the effective targeting of robbery and fraud offences – both of which have fallen in number by 18% – and reductions in the theft of valuable passenger property such as smart phones and tablets. There’s still much more work for the force to tackle, though, as not all categories of crime have experienced a decrease. For example, an additional 724 violent crimes have been recorded by BTP in 2014-2015. This represents a rise of 8%, albeit a much lower figure than the average rise reported by the Home Office. Apparently, most cases were lesser types of assault involving pushing and shoving rather than those resulting in more serious injuries. Commenting on these headline figures, the BTP’s Deputy Chief Constable Adrian Hanstock stated: “I’m delighted that crime on Britain’s railways has fallen for the eleventh year in a row. This is a remarkable achievement directly reflecting the excellent work conducted day-in, day-out by officers and staff of the British Transport Police. We pride ourselves on our specialist knowledge of the railway environment, as well as our close relationships with rail companies and local police forces. This places us in a unique position to meet passengers’ needs and keep people safe.”

8 www.risk-uk.com

Hanstock added: “BTP is always looking to pioneer new and inventive ways of confronting crime, whether that’s through evidence-based policing, the work of our specialist mental health team, the introduction of body-worn video for patrol officers or the use of our dedicated 61016 text messaging service.”

Rise in violent criminality The rise in violent crime is clearly a concern for Hanstock. “It’s worth noting again, though, that the chances of becoming the victim of any crime are small. The use of more officers patrolling late-night trains and at peak periods, as well as our extensive CCTV network, is helping to halt this upsurge.” What’s worrying is that, in a disproportionate amount of these offences, it’s actually police officers or railway staff who end up becoming the victims of assault, often as a result of their intervention in seemingly ordinary incidents such as the non-payment of fares or petty antisocial behaviour. On that note, Steve White – chairman of the Police Federation of England and Wales – is pushing for harsher sentences against those who deliberately assault serving police officers. “On a daily basis,” urged White, “police officers sacrifice their own safety to ensure the protection of members of the public. It’s only right that officers should be protected through the criminal justice system so that they can do their job to the best of their ability knowing there are adequate safeguards in place.” In addition, White stressed: “There needs to be a clear sentencing deterrent which will warn people of the severe consequences of attacking officers of the law at any point in the future.” The Federation is presently working with the

NewsAnalysisBritishTransportPoliceAnnualReport20142015 September2015_riskuk_mar15 10/09/2015 12:49 Page 2

News Analysis: British Transport Police Annual Report 2014-2015

Home Office to look at a more robust process of collating national figures around the numbers of assaults carried out on police officers. Despite this increase in minor assaults, significant progress has been made in response to robbery offences as BTP continues to drive down some of the most serious criminality on the railways. A total of 358 robbery offences were recorded across England, Scotland and Wales during 2014-2015. This figure represents a drop of 18% compared to the 436 offences that were recorded back in 2013-2014. Deputy Chief Constable Hanstock outlined: “Robbery has a profound impact on victims due to the associated fear of violence and theft of their personal items. We are doing everything in our power to make sure this isn’t something people have to worry about on their journeys. Thankfully, in the context of the total number of crimes committed on the railways, robbery is a very rare occurrence although we fully recognise this has not always been the case.” Robbery has fallen by 86% during the past eleven years. On average, there’s now less than one incident per day across Britain. That’s down from more than six offences per day registered in 2003-2004.

Success of Operation Magnum One notable success story has been the progress of BTP’s Operation Magnum, a public awareness campaign designed to advise passengers on the most common tactics used by thieves, including pickpockets, and how to avoid becoming a victim. In 2014-2015, the theft of passenger property such as bags and smart phones on trains and at stations fell by 16% compared to 2013-2014, with 2,314 fewer recorded offences. Similar decreases have also been witnessed across each of BTP’s regional divisions. “Everyone has the right to travel on the railway without being concerned about their possessions being stolen,” urged Deputy Chief Constable Hanstock. “This is now more important than ever given the number of electronic devices many people routinely carry with them on their journeys. Through Operation Magnum, and our well-publicised ‘tactics’ videos, we’ve demonstrated the ways in which thieves try to exploit the railway, in turn making people more vigilant and restricting available opportunities for criminals.” Indeed, BTP has conducted significant work in making people aware of distraction and diversion techniques that individuals use in enclosed, busy locations on board trains and at stations. Much operational work is also underway, such as the large-scale dawn raids

by officers in west London last September when 13 people were arrested and 1,000 smart phones seized. Deputy Chief Constable Hanstock added: “This latest reduction shows that members of the public have taken notice of the campaign and reinforces our message – for anyone hoping to carry out a crime, the railway simply isn’t the place to do it.” BTP has set itself long-term targets around reducing both crime and disruption while at the same time increasing passenger confidence. Findings from the latest National Rail Passenger Survey, which measures rail user satisfaction, highlight that passenger confidence is currently at more than 77.75% (a percentage that sits above BTP’s target figure). A significant element of increasing passenger satisfaction lies in BTP’s successful management of disruption incidents and the safeguarding of vulnerable people. “While it’s encouraging to compare our current level of performance to last year and note these improvements,” said Deputy Chief Constable Hanstock, “the outcome is even more remarkable when you reflect on the progress made over the last decade. In that time, vehicle and cycle crime has been driven down by 39%, meaning 4,600 less offences, while 19,000 fewer people have been the victim of property theft.”

Adrian Hanstock: Deputy Chief Constable of the British Transport Police

Less bureaucracy, greater alignment Demand for the skills exhibited by BTP officers and staff will, of course, be even greater with the opening of Crossrail, ongoing plans for the HS2 link and the eventual introduction of night services on the London Underground network. “The 12-month period covered in this report represents our first year following a national restructure which enabled us to successfully reduce bureaucracy, forge greater alignment with our colleagues in the rail industry and achieve the majority of our national policing targets,” suggested Deputy Chief Constable Hanstock, “including spending more of our budget on front line resources and increasing passenger confidence.” BTP is keen to improve further and remains an ambitious force. “As we continue our transformation,” explained Deputy Chief Constable Hanstock, “we’re well advanced with plans to introduce cutting-edge technology involving better integrated computer systems, handheld mobile devices, body-worn video cameras and more extensive use of targeted CCTV cameras. Once in place, this will help consolidate BTP’s position as an outstanding police force delivering first-rate services.”

9 www.risk-uk.com

Project5_Layout 1 03/06/2014 11:20 Page 1

NewsSpecialNationalSecurityandResilienceConference September2015_riskuk_feb15 10/09/2015 12:50 Page 11

News Special: National Security and Resilience Conference

Securing The Future of Your Business ompetition, instability and uncertainty are now constants in an ever-changing world. It’s fair to say that today’s businesses face an unprecedented and growing number of potential disruptions to the status quo and their best laid strategic plans. Some will fail unless they seek to adopt modern risk management and governance models incorporating scalable resilience metrics. Terrorism, cyber crime, identity theft, organised criminality, espionage and ‘The Insider Threat’, manipulation, fraud and intellectual property crime. These are just some of the threats in play, but what are the emerging threat developments, policies, thought processes and challenges for today’s practising risk and security professionals? How might your organisation develop and then implement strategies for mitigating the threats and, importantly, ensure Duty of Care requirements are met for all employees?

Conference Programme Hosted by the National Security and Resilience Consortium (NS&RC), the 2015 National Security and Resilience Conference will assist delegates in strategising and planning for business security and resilience. The target audience for this event will be security directors and managers, CEOs and managing directors, IT and cyber security practitioners, risk professionals, members of the Emergency Services and the police as well as national Government agencies tasked with security and contingency planning initiatives. Day One of conference features an opening Keynote Address delivered by Tony Porter, the UK’s Surveillance Camera Commissioner. From 11.00 am-11.45 am, there’s a detailed review of the year from a national and corporate resilience perspective and a look at what’s around the corner. Chaired by John Baker (global director of operations at the NS&RC), one of the speakers for this session is Phil Luxford, director of Prepare Protect and CT Science at the OSCT within the Home Office. The session entitled ‘Safer Cities from the Corporate Context’ runs from 11.45 am-12.30 pm. What does the ‘Safer Cities Concept’ mean from the corporate perspective and how might a more resilient urban environment be delivered for businesses? Global Resilience Partners’ CEO Michael Fuller MBE chairs this session which features a delivery from London Resilience’s programme lead Tim Cutbill.

Organised by the National Security and Resilience Consortium and Torch Marketing, the National Security and Resilience Conference 2015 runs at the London offices of international law firm Field Fisher on 20-21 October. Risk UK is an Official Media Partner for the event which focuses on organisational security and resilience in today’s climate of extreme threats. Brian Sims previews what’s in store In the afternoon on Day One, the initial focus rests on IT and cyber threats. Martin Walsham (director of cyber security and information assurance at Info Assure) and Sopra Steria’s principal solutions architect John Bradshaw are the speakers from 2.00 pm-3.15 pm. The final session of the day examines ‘Innovations and Solutions in Security and Resilience’. What does the future look like in terms of safety and security-critical software and communication regimes? ViaSat UK’s CEO Chris McIntosh and CBRN consultant Richard Mead are among the presenters. Day Two of conference begins at 9.00 am with ‘Internal Security Management: From The Insider Threat to The External Threat’. Given the increase in organised crime and document fraud, how aware are you of your employees’ legitimacy? Training staff to be advocates for the business and ably manage potential threat scenarios is the central focus here. ‘Organisational Resilience and Specialist Training’ includes consideration of BS 65000 which itself examines how to build-in resilience within a business. Minerva Elite’s managing director Guy Batchelor and Lee Thomas of the European Training and Simulation Association will speak between 9.45 am and 11.00 am.

Legacy of London 2012 Between 11.45 am-1.00 pm, the threats to (and employers’ Duty of Care towards) employees working overseas will be covered by Andrew Sanderson (senior associate at Field Fisher), Debra McCabe (director of business development for Northcott Global Security) and Tony Maher MSyI MInstLM, head of the International Secure Minds Training Academy. Conference concludes with a panel discussion on the legacy of the London 2012 Olympic and Paralympic Games. This session considers the principles of organisational resilience and how resilience planning might be adopted to improve business efficiencies while also supporting corporate aspirations.

*For further information – and to register as a delegate for the National Security and Resilience Conference 2015 – access the dedicated event website at: www.nsr-conference.co.uk

11 www.risk-uk.com

OpinionTheRoleofTheSecurityConsultant September2015_riskuk_apr15 10/09/2015 13:02 Page 1

Security Consultants and ‘The Value Proposition’ What is the role of the security consultant in this day and age? What should it be, and what value do consultants bring to in-house professionals and host organisations? In answering these questions, David Gill encompasses the potential licensing of consultants and whether or not a baseline qualification to practise ought to be introduced alongside mandatory CPD

he term ‘security consultant’ will mean different things to different people, with definitions varying from sector to sector. Unlike protected terms such as ‘architect’ or ‘solicitor’, calling oneself a ‘security consultant’ isn’t regulated by either professional association or legislation. Strange that, given the fact this term is frequently used in relation to a diverse range of disciplines, from securing IT infrastructure and networks through to protecting against cyber attack, developing integrated security systems, providing science-based advice on blast mitigation or designing the physical and operational layout of business facilities. Today, security consultants may also be viewed as an external resource. Alternatively, they may perform an internal role providing sage input to the host organisation’s overall enterprise risk management strategy. In an ideal world, consultants – or perhaps ‘advisors’ – would be able to demonstrate expertise in their chosen specialist field through a combination of academic study, training and operational experience. Consultants not only require in-depth subject matter knowledge. They also need a host of other capabilities that include project and financial management expertise, acumen in conflict resolution, research abilities and myriad other business-related skills. What value do consultants bring to in-house professionals and host organisations? We’re talking about qualified expertise, experience, underpinning knowledge and objectivity.

An assessment of competency

David Gill MSc CSyP FSyI: Managing Director at the Linx International Group

www.risk-uk.com

Choosing an appropriate security consultant is a veritable minefield as there are few, if any, effective controls in place designed to protect service end users from the unscrupulous or simply incompetent practitioners out there. Historically, there has been no recognised benchmark to assess a consultant’s competence and consumers have been faced with something of a lottery when engaging a security consultant operating with few effective controls in place. Indeed, a number of security system installers employ in-house consultants who determine what a client requires in terms of cameras, detection systems and so forth, the concern being as to whether these are truly

independent assessments of need. When it comes to the unscrupulous installers, it will be the consumer that suffers as a direct result of potentially inappropriate, ineffective or otherwise ‘over-sold’ systems. In order to address what many in the security sector felt was a huge void in terms of a professional, top level standing for security consultants, several of the leading industry associations have sought to self-regulate this element of the security business sector. The Association of Security Consultants (ASC) was founded in 1991 and lives by a wideranging Code of Conduct requiring members to abide by certain obligations. For example, members must ‘maintain a high standard of work’ and ‘act with integrity’, yet there’s no obligation for an individual to join the ASC or comply with its Code. The Register of Security Engineers and Specialists (RSES) has been developed with the sponsorship of the Centre for the Protection of National Infrastructure to validate an individual’s credentials and experience, primarily on Government projects. It perhaps shows the security sector’s frustration at a lack of central regulation.

Knowledge and commitment The Security Institute, which is recognised as the UK’s premier security membership body, has worked in conjunction with The Worshipful Company of Security Professionals and a team of eminent academics to develop the Register of Chartered Security Professionals. Lord Alex Carlile QC CBE, the first President of the Register’s Registration Authority, has described Chartered Security Professionals as being representative of ‘The Gold Standard’. Since the creation of the Register in 2011, 92 security professionals have been successfully admitted. The process is extremely robust. Applicants must have extensive experience and be able to demonstrate a high level of competence in five key areas: security knowledge, leadership, practice skills, communication and professional commitment. Those who successfully pass the application process are then ‘admitted’ to the Register and thereafter referred to as ‘registrants’. The majority of applicants hold a recognised degree. Those who do not are required to

OpinionTheRoleofTheSecurityConsultant September2015_riskuk_apr15 10/09/2015 13:02 Page 2

Opinion: The Role of the Security Consultant

submit a comprehensive written portfolio which is assessed at degree standard. Registrants are mandated to undertake Continuing Professional Development (CPD), adhere to a strict Code of Conduct and organise professional indemnity insurance cover. As is the case with the more established Chartered bodies, registrants can be suspended or even struck off. A high percentage of registrants are security consultants, either working for consulting firms or as sole independents. The remainder occupy senior positions operating at a strategic level across a range of organisations within the private or public sector. The process works. Importantly, there’s now increasing evidence to suggest that the marketplace recognises the value of a security professional holding and demonstrating the CSyP post-nominal. Some top flight recruitment specialists are now specifying ‘Chartered Security Professional preferred’ on job advertisements. As the value of CSyP status becomes more recognised, the marketplace should dictate ‘The Gold Standard’ and the headhunters et al will be replacing ‘preferred’ with the word ‘required’ or ‘essential’. All that said, there’s no obligation to apply for CSyP status.

What about some regulation? There’s a valid case to be made for the regulation of security consultants, or even some form of Government-backed registration system encompassing those providing security consulting services. Professional security practitioners require a compliance framework to underpin the delivery of their services and thereby narrow the pool of practitioners through the establishment of a single and effective professional examining and compliance body. A central register of security consultants divided into generic subject areas that verify identity and probity – and which records evidenced knowledge and expertise – may be a solution. This system would require a mandated level of CPD to ensure that consultants maintain currency with sanctions/penalties in place for those that transgress, ultimately resulting in their removal from the register if allegations are substantiated in fact. Furthermore, any such system would require support from the likes of the Association of British Insurers who would seek to make it mandatory for their clients to use a registered security consultant. Some might say the obvious body to administer and run such a centralised register

ought to be the Security Industry Authority (SIA). However, the SIA has seemingly chosen to leave the licensing of security consultants in the ‘Too Difficult’ file without even defining the term ‘security consultant’. This task doesn’t seem to have been an issue in other jurisdictions such as Australia and New Zealand, for example, where defined systems and procedures are in place to regulate consultants’ activities. Completion of the regulatory circle of licensable security activities would close the existing loophole which currently allows dubious or simply incompetent operators to function under the mantle of ‘security consultant’. For my part, I’ve heard some cynical comments about the SIA’s failure to grasp the ‘consultant nettle’, including reference to Lord Turner’s remarks following his review some years ago of the UK’s banking sector in which he made reference to the ‘duck test’. In short, if it walks like a duck, swims like a duck and quacks like a duck, it probably is a duck. Defining a security consultant isn’t that difficult. However, establishing what competencies, experience and qualifications are required for the role and how these are – or should be – tested does require close assessment and scrutiny to absolutely ensure that any risk posed to the consumers of security consultants’ services is minimised.

“Choosing an appropriate security consultant is a veritable minefield as there are few, if any, effective controls in place designed to protect service end users from the unscrupulous or simply incompetent practitioners out there” 13

www.risk-uk.com

OpinionSecurity'sVERTEXVoice September2015_riskuk_apr15 10/09/2015 12:55 Page 1

CSAS: A Power for Good?

In their early days, one of the reasons behind the relatively low profile of CSAS was that police services hadn’t experienced the kind of cuts that they are dealing with today. To date, under the austerity measures nearly 16,000 officers have been lost from forces in England and Wales – the equivalent of losing all the police forces in the South West of England, in fact. Paul Ford, the current secretary of the Police Federation’s National Detectives’ Forum, has stated that this issue is directly affecting the police service’s ability to protect communities and respond to calls.

Cutting to the chase

First established by the Police Reform Act back in 2002, Community Safety Accreditation Schemes (CSAS) are realising a significant impact on the private security sector. Peter Webster outlines exactly how and why more security companies are being afforded enhanced powers in their local environments

*The author of Risk UK’s regular column Security’s VERTEX Voice is Peter Webster, CEO of Corps Security. This is the space where Peter examines current and often key-critical issues directly affecting the security industry. The thoughts and opinions expressed here are intended to generate debate among practitioners within the professional security and risk management sectors. Whether you agree or disagree with the views outlined, or would like to make comment, do let us know (e-mail: pwebster@corpssecurity.co.uk or brian.sims@risk-uk.com)

www.risk-uk.com

hen the Police Reform Act 2002 came into being over a decade ago now, many national news headlines focused somewhat inevitably on the creation of Police Community Support Officers. Very few column inches were given over to the fact that, under Section 40, this Act also introduced the ability for chief constables in England and Wales to confer a limited range of police powers on other individuals as part of Community Safety Accreditation Schemes (CSAS). CSAS extend the number of individuals allowed to perform some of the work usually carried out by sworn police officers. In essence, they permit such ‘accredited persons’ to have limited but targeted powers appropriate to their roles. CSAS aim to provide an additional uniformed presence by capitalising on the skills of – and any information captured by – those already engaged with security and/or law enforcement duties in the community. Accredited persons can act upon a range of issues such as littering, underage drinking and graffiti and deal with general incidents of antisocial behaviour, disorder and nuisance. They can also issue penalty notices on anyone knowingly raising a false alarm with the Fire Brigade or acting in a manner likely to cause harassment, alarm or distress. While accredited persons don’t have the power to detain or arrest, it’s an offence for an individual to refuse to provide an accredited person with their name and address when asked to do so or otherwise assault and/or obstruct them in the course of their duties.

Early last month, a BBC News story focused on a three-month trial conducted by Leicestershire Police during which time the force deliberately adopted the tactic of only sending forensic officers to those burgled homes with an even door number in a bid to find out whether this course of action would adversely impact victim satisfaction or overall crime rates. Apparently, the trial was prompted as a result of analyses conducted by the East Midlands Special Operations Unit (EMSOU) which covers Lincolnshire, Nottinghamshire, Derbyshire, Leicestershire and Northamptonshire. The EMSOU had found that, of 1,172 attempted burglary scenes, few exhibited any forensic evidence. Only 33 suspects were identified. Commenting on the trial, Jo Ashworth – director of forensic sciences at the EMSOU – said: “At a time when we’re operating within reduced budgets, it’s even more critical that we make the absolute best use of our crime scene investigators’ time.” Policing resources were also under intense scrutiny following the recent Hatton Garden Safe Deposit robbery, of course, when it was discovered that the police decided not to respond to an intruder alert issued by the Alarm Receiving Centre. This incident has left many professionals in the security sector concerned that they cannot rely on a police response when needed.

Crunching those numbers Back in the early days of CSAS, the response by police forces to the notion of private sector security companies taking on additional powers could only be described as lukewarm. As a result of growing pressures on policing resources, the last few years have seen greater use of CSAS, yet the Home Office appears reluctant to provide annually updated nationwide figures. In fact, the last survey conducted by those at Marsham Street was way back in December 2010. It duly showed there

OpinionSecurity'sVERTEXVoice September2015_riskuk_apr15 10/09/2015 12:56 Page 2

Opinion: Security’s VERTEX Voice

were 26 police forces participating in CSAS encompassing 2,219 individuals accredited with specific powers. In point of fact, all organisations with members of staff playing an active role in safeguarding our communities can seek accreditation. Following on from this, the effectiveness of CSAS very often boils down to the quality of the individuals involved and the training they’re given. The Police Reform Act 2002 states that a chief constable may not grant accreditation unless they’re fully satisfied that the individuals involved have received adequate instruction for the efficient and effective exercise of their powers. Further, there has been concern about whether the procedures that need to be carried out before someone can be accredited simply duplicate the work of the Security Industry Authority (SIA). That said, it’s demonstrably clear that the standards for licensing required by the SIA and those taking part in the CSAS accreditation process will be consistent. In many respects, standards for accreditation to the latter will be higher than those required by the SIA simply because they afford an individual access to certain police powers.

Recipe for disaster National Police Chiefs’ Council approved services providers for CSAS must organise specific training which has to be vetted to a national standard. An organisation must accredit individuals as being fit and proper and suitable to exercise the powers duly conferred upon them. Furthermore, the employing organisation must also have a fit and proper person in place to supervise the work of an accredited person. It must be borne in mind that not all of the employees in an organisation may meet the standards required. There’s no general solution to this scenario. Responses will differ depending upon the number of employees affected and specific deployment requirements. Choosing the right people is of paramount importance. Failing to give this subject proper consideration is a recipe for disaster. At one extreme, some security personnel could be excessively officious, while on the other hand individuals might simply see their extra powers as an excuse to be more ‘heavy handed’ in their actions. Put simply, some organisations might not have the necessary selection procedures in place. Ultimately, this could render their employees and members of the public at increased risk. Good security work requires tenacity, determination and the ability to stand one’s

ground when confronted by challenging situations. Accredited persons must be able to exercise high standards when it comes to conflict management skills, assertiveness, risk assessment and Health and Safety awareness. To do so effectively means having excellent interpersonal and social skills and recognising the importance of community safety. Issuing a fixed penalty notice to someone who’s drunk and/or aggressive and who views an accredited person as nothing more than a ‘Hobby Bobby’ requires finely-tuned conflict avoidance skills. All-too-often, security companies think that the most effective way to deter trouble on a tricky assignment is to deploy the biggest, toughest, most uncommunicative and aggressive men for the job. It’s certainly a policy with the potential to cause more problems than it prevents. Emotional intelligence involves the ability to monitor one’s own and indeed others’ feelings and emotions, to discriminate among them and to use this information to guide thinking and actions. While many men have excellent levels of emotional intelligence, women are particularly good at being able to identify, assess and control situations. Body language is often a more accurate indicator of someone’s reaction to what’s being said or done at a given moment. Knowing how to respond to this is crucial and perhaps one of the reasons why females are extremely good at diffusing potentially volatile situations.

Peter Webster: Chief Executive of Corps Security

Back-up plans in place One significant concern when it comes to security personnel operating under CSAS is what happens when things go wrong. As stated, while the onus is very definitely on security companies to ensure that the right people are deployed, it would be unreasonable to assume that the potential for things to go awry from time to time is non-existent. In a threatening or otherwise dangerous situation, will security personnel receive the kind of quick response from the police service that they need, or will such incidents simply be downgraded? A positive answer to this question is something that the security industry as a collective must seek assurances on if closer cooperation between private sector security providers and the police service under CSAS is to be a mutually beneficial experience.

“Accredited persons must be able to exercise high standards when it comes to conflict management skills, assertiveness and Health and Safety awareness” 15

www.risk-uk.com

Project1_Layout 1 09/09/2015 14:50 Page 1

Tested, Certiﬁed, Approved and Preferred. LPS 1175 SR1 to SR5 CERTIFIED

APPROVED FOR UK GOVERNMENT USE

PAS 68 CERTIFIED

Perimeter Intrusion Detection Systems

SBD POLICE PREFERRED SPECIFICATION

Innovative and proven perimeter security solutions from the experts. In the last 10 years, we have done more to respond to the changing landscape of physical perimeter security than any other company in the UK. That’s why today, we can offer the widest selection of LPS1175 and PAS68 certiﬁed, approved for UK Government Use and Secure by Design preferred fencing and gate solutions available; including unique designs combining timber with steel.

Timber and steel fencing

Vehicle and pedestrian gates

HVM

Bespoke solutions

Noise barriers

Pedestrian safety

Vehicle access and parking control

Access control

Secure storage

Find out more about how we can help secure your perimeter against a variety of threats by calling an expert on 0800 41 43 43 or visit us at jacksons-security.co.uk

MONTH

E E

AR NT A

M AT I

YEARS

AR NT A

I CE LI

Head Ofﬁce: 402 Stowting Common, Ashford TN25 6BN.

AT ME N

AR NT A

www.jacksons-fencing.co.uk

BSIABriefing September2015_riskuk_mar15 10/09/2015 12:20 Page 2

BSIA Briefing

mid growing concerns for border security at the Port of Calais and the Channel Tunnel, both British and French authorities are coming under increasing pressure to deal with the problem. In recent months, it’s estimated that as many as 400 migrants have attempted to make the journey across the Channel every night with around 50 of them successful on each occasion. Migration across the Channel isn’t a new issue, of course, but just now it’s clearly one that’s placing a bigger burden on the UK Border Force, the police service, port authorities and Channel Tunnel operator Eurotunnel. According to Home Office statistics for 20142015, the UK Border Force and French authorities have prevented attempts by 39,000 individuals to gain entry to the UK on an illegal basis1. That’s twice as many as in the previous year. Between 1 January and 21 May this year, 18,170 stowaways attempted to illegally gain entry to Britain. The importance of securing the border at Calais and preventing illegal incursions is clear. A number of potential threats to the UK may result from unrest at the border. There’s an ongoing need to protect migrants attempting to breach the border by climbing aboard lorries and trains in France eventually bound for Britain. Since June, at least nine migrants have died. Many more have been badly injured2. For their part, UK businesses are facing considerable losses as they lament delays to travel through the Channel Tunnel. It costs approximately £1 per minute to run a heavy goods vehicle. Lengthy queues can see haulage firms haemorrhaging significant amounts of money when either Eurotunnel trains or regular ferry services are disrupted. In addition, British companies are also being forced to ‘write off’ millions of pounds worth of stock due to the potential contamination risk caused by stowaways breaking into trailers. According to the Fresh Produce Consortium, at least £10 million worth of food destined for Britain had to be destroyed between January and June this year due to such risks. The Freight Transport Association (FTA) has declared its own concerns for the UK’s logistics industry, estimating that delays on both sides of the Channel are costing around £750,000 per day. Indeed, the FTA has requested “suitable compensation” be considered by the French Government and awarded to UK freight operators affected by Operation Stack to help cover their losses. According to the FTA, during the 28 days that Operation Stack was implemented (between 23 June and 2 August), the cost to UK hauliers

Border Security for the UK: An Integrated Systems Approach The subject of national border security has become increasingly topical of late as unrest in the northern French towns of Calais and Coquelles continues to disrupt travel arrangements and routes into and out of the UK. James Kelly discusses the security measures currently in place and assesses what more can be done to protect the UK’s borders whose vehicles were stuck on the M20 in Kent was north of £21 million. The estimated cost doesn’t include loss of business, spoiled cargoes, missed export deadlines or the percentage of journeys diverted during Operation Stack, all of which represent additional expenditure for freight operators.

Security: can it be enhanced? Keeping the UK’s trade moving, as well as protecting the nation from threats such as terrorism, is vitally important for decisionmakers. What, then, is being done to protect the border at Calais, and could existing security measures be further enhanced? Operators at the Port of Calais and the Channel Tunnel rank security extremely highly in their list of priorities. This is evidenced by the sheer size of investment made in security solutions both in Calais and Kent and in the array of innovative technologies on display. Groupe Eurotunnel SE, operator and manager of the Channel Tunnel, boasts an holistic suite of high-tech measures which brings together technology such as access control, infrared-

James Kelly: CEO of the British Security Industry Association

www.risk-uk.com

BSIABriefing September2015_riskuk_mar15 10/09/2015 12:21 Page 3

BSIA Briefing

References 1http://www.bbc.co.uk/ news/uk-29074736 2http://www.theguardian. com/uk-news/2015/jul/29/ calais-one-dead-1500migrants-storm-eurotunnelterminal 3The Eurotunnel terminal is located in Coquelles off the A16 at Exit 42. This is the terminus of shuttle services from the UK and that of the LGV Nord whereby Eurostar services can travel into the Channel Tunnel

focused equipment, Passive Millimeter Wave (PMMW) imaging systems and comprehensive CCTV coverage with a host of other security solutions. Over the past 20 years, Eurotunnel has spent something in the region of €150 million on security measures and continues to develop the systems in place in order to cope with the increasing pressure induced by migrants in the Calais area. Also, the Port of Calais has organised and implemented a comprehensive security suite to guarantee the safe passage of passengers, drivers and cargo into and out of Calais. In a bid to improve security at Calais, the UK Government has pledged to fund additional private security officers, fencing and CCTV cameras. A new ‘Secure Zone’ for Britain-bound lorries is to be constructed next to the ferry terminal and Channel Tunnel entrances. This will be capable of holding up to 230 lorries on a secure basis. The UK Government is also set to fund more UK Border Force search dog teams to be deployed in France. The size, nature and complexity of ports means that an holistic approach to security must be taken. An array of integrated security features is the best way of providing comprehensive protection for such complex sites, and this is duly reflected by both the Port of Calais and the Channel Tunnel. One of the most important areas for the implementation of security measures is the perimeter. Perimeter protection is the first line of defence against any potential intrusions. Where possible, perimeter fencing should make use of additional features such as barbed wire, razor wire coils or rotating toppings. Further protection may be afforded by electrifying the fence or installing an electrified extension with appropriate signage.

Deploying thermal cameras It’s not always possible to completely protect perimeter zones using fencing alone. Often, the location, size and position of a port can make it difficult to install fencing that completely encompasses the perimeter. On that basis, additional security measures will be required. One such that’s becoming increasingly common for protecting ports is thermal cameras. The benefit of thermal cameras here lies in their ability to detect intrusion across vast areas regardless of lighting or

“There’s an ongoing need to protect migrants attempting to breach the border by climbing aboard lorries and trains in France eventually bound for Britain” 18

www.risk-uk.com

environmental conditions. Thermal imaging cameras produce images of invisible infrared or heat radiation by comparing the differences in temperature between detected objects. Since thermal cameras are not reliant on visible light, they’re able to produce images in zero light or adverse weather. These cameras are particularly well suited to port security due to their ability to detect suspicious activity at long range or to verify something which has been picked up by other security methods. The impressive range of thermal cameras allows ‘man-sized’ objects to be detected at distances of up to 18 km and vehicles beyond 22 km. Integrating thermal cameras with conventional CCTV can produce effective detection, verification and surveillance on a large site such as a port. The range of thermal cameras enables early detection and verification of potential targets, then, while conventional PTZ-style cameras may then be used to monitor a target and collect evidence for use in a prosecution. CCTV’s effectiveness may be further reinforced using Video Content Analysis (VCA). Systems automatically analyse CCTV images to generate useful content information and can be employed to issue alerts to security personnel should an incident occur. Theoretically, any action or behaviour that might be seen and accurately defined on a video image can be automatically identified using a VCA system. This technology has witnessed success in a variety of applications including intruder, smoke and fire detection, sabotage detection and – perhaps most interestingly when set within the context of Calais – people counting.

Presence of trained security officers During times of higher risk, an increased human presence can prove to be very effective. Well-trained, professional and licensed security officers patrolling the perimeter can discourage intruders immediately. Considering the degree of tension in Calais and Coquelles3, the visible presence of security officers – or police officers – can assure drivers of their safety and give them an enhanced sense of security. The placement of officers at access points to sensitive areas – such as the aforementioned ‘Secure Zone’ – will afford further reassurance to drivers. A major challenge in Calais of late has been the breach of lorry trailers by migrants when the former are stuck in slow moving or standstill traffic. More security officers carrying out checks could help to keep the traffic moving swiftly and, in turn, reduce this risk.

Project1_Layout 1 10/09/2015 14:41 Page 1

The problem with Parcel Bombs is they look just like... Parcels! Specifying the most appropriate equipment and training your staff to recognise postal threats using a range of techniques including x-ray image interpretation is what weâ&#x20AC;&#x2122;re known for.

Call 0207 355 3555 for free advice or contact us through our website on www.scanna-msc.com

CrisisManagementandResilienceProtectingtheBusiness September2015_riskuk_apr15 10/09/2015 12:23 Page 1

Demonstrating Resilience: The Board of Directors and Crisis Management During a crisis situation, those threats posed to a company’s value and reputation – or even its very existence – will typically go beyond the operational level as shareholders, regulators and legal authorities become involved. Under such circumstances, Board members are often challenged in ways that may be unfamiliar to them as they’re drawn into a more active role. Rick Cudworth reviews how they should respond

hile many of today’s businesses will have some form of Crisis Management Plan in place, such plans frequently fail to address the direct needs of the Board. That’s not a healthy situation. During a crisis, members of the Board are often required to support the executive management team with oversight, moral authority and strategic vision. Certain types of crisis – among them litigation, leadership controversies or even the necessary removal and replacement of top executives – could directly involve the Board of Directors. That being so, ensuring that the Board and the business as a whole is ready and sufficiently resilient to deal with a crisis situation – be it foreseen or unforeseen – is an essential part of good governance. Let’s examine the role of the Board in relation to crisis management, then, both in ‘normal’ times and during – and immediately after – a crisis. Research tells us that companies can expect a value-destroying crisis event to occur at least once every five years1. An organisation’s ability to manage such a situation can impact its ongoing survival and viability. It’s also worth bearing in mind that the cost of mismanaging a crisis can be enormous, both in individual and collective term. As part of its governance responsibilities, the Board of Directors has a vital role to play in ensuring that the executive leadership and the business as a whole is ready. The starting point is to find out whether a Crisis Management Plan

does exist. If the answer lies in the affirmative then confirming whether or not that plan adequately defines crisis management procedures for organisation, roles and responsibilities, information management processes, decision-making protocols and communication/co-ordination requirements is key. Each of these areas needs careful consideration before a crisis develops.

Definition of the structure Defining an effective organisational structure for crisis management is absolutely critical. Put simply, this helps to ensure a more rapid, controlled and consistent response. Typically, such a structure will distinguish between those individuals who need to act locally ‘on the ground’, those who require to communicate and co-ordinate across the organisation and with external parties (such as suppliers) and the crisis leadership team, the members of which need the necessary time to be able to think and act strategically and then manage the most senior stakeholders. What’s described here is sometimes referred to as the ‘Gold-Silver-Bronze’ structure that’s commonly used by the Emergency Services and other front line responders when dealing with major incidents. Crisis management organisation will encompass appropriate support including external assistance and the necessary crisis management office, in turn ensuring that adequate resources are demonstrably applied from the outset. A particular feature of the response structure must be its ability to transform information flows and decision-making from the normal pace of everyday business into one which is much more able to make decisions at speed and operate under a high degree of uncertainty and ambiguity. Any failure to organise effectively is one of the most frequent reasons why businesses can struggle to stay on top of a crisis situation.

Different role in a crisis From the public’s perspective, the Board is seldom visible. However, a crisis – and notably a leadership crisis – can thrust Board members into the front line. A company and its Board needs to decide where operational issues end

www.risk-uk.com

CrisisManagementandResilienceProtectingtheBusiness September2015_riskuk_apr15 10/09/2015 12:23 Page 2

Crisis Management and Resilience: Protecting the Business

and ‘corporate crisis’ begins. Sometimes, the difference between an operational and an existential crisis isn’t clear. One can become the other quite quickly. The first category is usually the domain of CSuite executives and those individuals who report to them. The focus here will be on occurrences such as supply chain disruption or weather events that complicate daily business flows. In contrast, a corporate crisis is one that might involve reputation, share price, major litigation, regulatory sanction or even a company’s existence. In preparing for, meeting and then rebounding from a corporate crisis, the Board isn’t just in oversight mode. Its members have a direct responsibility to anticipate threats and make quick, far-reaching decisions. These may include pre-populating a crisis sub-committee with specific roles attending to legal, accounting, audit, public relations or industry issues. The process may include arranging for outside counsel or support, or deciding whom to include in sensitive external and internal communications and what (and how) to communicate to employees. At a time like this, the Board’s role may even include having to replace a CEO at short notice or someone stepping in to act in that capacity for a period of time. The needs of the Board must be thoroughly considered and addressed in the Crisis Management Plan. This will include an assessment of exactly who will take on what role in support of the executive leadership and under what circumstances, how the Board will exercise governance and oversight during and immediately after the crisis and the actual degree of support the Board may need in fulfilling these responsibilities.

No time for ‘on the job’ training Crisis experience may not be at the top of the checklist when Boards recruit new members. In truth, the prospect of dealing with a bad situation is probably not the reason people seek or accept Board appointments. In the final reckoning, though, experience is still the best training and a valuable quality to build into a Board’s mindset. It’s hard to weather a storm with a group of people who came together with smooth sailing in mind. Nor is a crisis the right time to discover disharmony. Any cracks in the armour are going to become very visible and extremely costly. The same necessity for experience is true for executive leadership and all those in the organisation who’ll be involved in responding to a crisis. Advances in mobile communications

technology mean that speed, openness, transparency and honesty are essential even when only limited information is available. Given that a crisis is not an everyday occurrence, how then do you build the necessary experience? There’s only one way forward. Regular, formal crisis simulations will not only enhance experience in handling reallife situations, but they can also rehearse and embed crisis decision-making protocols, information flows and communication and help determine how well the Crisis Management Plan – and those involved in its delivery – will really function during the hour of need. As with the absence of consideration of the Board in many Crisis Management Plans, so too the Board is often not involved in crisis simulations. Not only do constituent members miss out on gaining possibly vital experience themselves, but other important areas will be overlooked. For example, an excellent opportunity to gain first hand assurance of the organisation’s readiness to deal with extraordinary situations is missed, so too the chance to assilimate a thorough understanding of – and confidence in – the structures and support processes that would come into play.

Rick Cudworth: Resilience and Crisis Management Leader and Partner at Deloitte UK

Assessing lines of authority The relationship between organisational crisis planning and Board crisis planning takes its cues from the relationship between the

“Even for experienced crisis leaders, a key challenge and skill is to be able to stand back, look from the outside-in and assess how the situation will play out in the short and medium terms” 21

www.risk-uk.com

CrisisManagementandResilienceProtectingtheBusiness September2015_riskuk_apr15 10/09/2015 12:23 Page 3

Crisis Management and Resilience: Protecting the Business

timely, accurate and objective information. Even for experienced crisis leaders, a key challenge and skill is to be able to stand back, look from the outside-in and assess how the situation will play out in the short and medium terms. In addition to management information, the Board may look towards third parties for advice and support. Board members might also consider secure access to real-time operational data. These factors – in other words the ‘What?’, the ‘Who?’ and the ‘How?’ – demand to be considered in advance.

Specific Board considerations Reference 1Reputation Review (Oxford Metrica and Aon, 2012)

organisation and the Board. Historically, there have been important regional differences in this alignment, although they are appearing to decline. In North America, for example, the CEO is typically invested with significant strategic latitude and may also be the chairman of the Board. In Europe and Asia, the C-Suite may take strategic cues from a more prescriptive Board. Each business should assess these lines of authority and make sure the plan for action in a crisis corresponds to them. Some CEOs will look to the Board during major threat events. Others may risk the tactic of micromanagement. To avoid misunderstandings when no-one has time for them, it’s important to have regular and honest discussions about who expects what and from whom. Often, the end result here is best understood when enacted through simulation. No matter what the Board’s intended role is in crisis management, its members will need

When a crisis situation emerges, Board members may become full-time leaders and remain that way until the threat subsides. Individuals who join a Board of Directors may not expect daily conference calls to be part of the bargain, but such occurrences could turn out to be the most important engagements a person has during his or her tenure. Who on your Board is expert in risk? Who is the steady PR hand? Who knows how to monitor social media and safeguard reputational risk? Who has been through something like this before? If you build crisis capabilities into the makeup of a Board, define the role of that Board and agree upon operating protocols to be adopted during a crisis, it will be easier to staff the necessary sub-committees, determine the need for outside advisors and plan roles and responsibilities. Whether the solution is a phone tree or a written protocol, anything is far better than finding out no-one knows who’s in charge when it matters most.

Key questions to be considered by the Board of Directors Under normal business conditions *Do we have a Crisis Management Plan in place with clear roles and responsibilities outlined? Who is responsible for it? *Have our Executive Leadership Team members been adequately trained and do they take part in simulation exercises on a regular basis? *Have our crisis management capabilities been subject to internal audit and external verification? *What’s our perception of our own organisation’s ‘crisis readiness’? Are we fully prepared and confident? During and after a crisis scenario *Do you know the role to be played by the Board during a crisis? *Have members of the Board taken part in crisis simulation rehearsals? *Is it clear which member of the Board will be responsible for which element(s) of the business during a crisis? *Do you know which external advisors you may call upon to support the Board? *As a matter of course, do you request an independent review in the wake of major incidents and events such that lessons may be learned and improvements made?

22 www.risk-uk.com

TODD_Layout 1 10/09/2015 14:44 Page 1

Are you effectively screening your mail for threats? Talk to us today and understand why, for over 50 years, we have partnered with companies to minimise the impact of dangerous devices to business continuity.

• Hoaxes or live devices can cripple an organisation • Avoid expensive evacuations • Reputational & brand damage • Negative impact to employee morale • Disruption to customers

PublicPrivateSectorSecurityPartnerships September2015_riskuk_sep14 10/09/2015 13:07 Page 1

An Awareness of Project Griffin Born back in 2004, Project Griffin is recognised by many security professionals as one of the finest examples of publicprivate sector joint working. The goal is to bring together the Emergency Services, the private security sector and Government agencies in supporting operations designed to disrupt and deter terrorist and extremist activity. Graham Bassett outlines present and future developments ost of us can remember where we were on the day of tragic events such as 9/11 or the London bombings of 7 July 2005, perhaps some more clearly than others. No doubt many of Risk UK’s readers will also recall where they were on the day of the horrific terror attacks that struck Baltic Exchange, Bishopsgate and London Docklands not to mention the Manchester bombings. Without doubt, it’s events such as these that have changed our lives and how we live them. Importantly, they’ve also resulted in a raft of new measures designed to prevent terrorist groups and individuals from seeking to harm and kill innocent people. Put simply, the rules have changed. Within the City of London, one such measure was the famous ‘Ring of Steel’ introduced in 1993 following the aforementioned Bishopsgate truck bomb on 24 April that same year. That horrific episode in the heart of the financial district, which occurred a little over 12 months on from the Baltic Exchange attack, resulted in a news photographer losing his life and £350 million worth of damage. The Baltic Exchange bomb, detonated on the morning of 10 April 1992, was contained in a large white truck and consisted of a fertiliser

www.risk-uk.com

device wrapped with a semtex-fashioned detonation cord. The bomb killed three people: Paul Butt, a Baltic Exchange employee, 49 yearold Thomas Casey and 15 year-old Danielle Carter. More than 90 people were injured. That bomb also caused damage to surrounding buildings. £800 million worth, in fact, representing £200 million more than the total damage caused by the 10,000 explosions in Northern Ireland up to that point. In practice, the newly-introduced ‘Ring of Steel’ meant that most routes into the City were closed or made exit-only, while the remaining eight routes had checkpoints introduced to be manned by armed police officers. CCTV cameras were also installed to monitor vehicles entering the area, including two cameras at each entry point – one to read the vehicle registration plates and another to monitor both the driver and any passengers.

Introduction of Project Griffin In 2004, a new public-private sector partnership devised between private sector security solutions providers, the City of London Police and the Metropolitan Police Service was born. The brainchild of Sir David Veness CBE QPM and Don Randall MBE, this initiative was dubbed Project Griffin. Project Griffin is a relatively simple concept in that the local police service delivers training via Awareness Days to employees working within the private sector. They advise on a whole host of security, counter-terrorism and crime prevention-related issues. Another key element of Project Griffin is how it seeks to enlist the help and support of individuals or groups responsible for the safety and security of buildings, businesses, districts or neighbourhoods. In turn, the initiative provides an official and direct channel through which members of the police service can share and update vital information relating to security and crime prevention issues. The principal aims are to raise awareness of current crime and terrorism-related issues, gather and share intelligence and information, build and maintain effective working relationships, seek Best Practice solutions designed to defeat crime and terrorism, maintain trust and confidence in the police and other law enforcement authorities and empower people to report any suspicious activity and behaviour they might witness.

PublicPrivateSectorSecurityPartnerships September2015_riskuk_sep14 10/09/2015 13:07 Page 2

Public-Private Sector Security Partnerships

In terms of numbers, over 30,000 individuals have now attended a Project Griffin Awareness Day. This translates into having an extra 30,000 pairs of eyes and ears in London to report on events and support the City of London Police, the Metropolitan Police Service and the British Transport Police. Looking back to 2004 and Griffin’s launch, this scheme may well have been viewed as a somewhat radical approach towards policing when it came to working in partnership with the private sector. In the early days, the initiative primarily involved security solutions companies and their staff who had attended Project Griffin Awareness Training Days. Nevertheless, it was a partnership approach that worked well and one that’s now recognised as being an unqualified success since inception. So much so, in fact, that Project Griffin has generated international interest. Subsequently, the model has been shared with – and adopted by – police services in the United States, Australia, South Africa, Singapore and Canada.

What next? Europe? Engaging a major European city to adopt the ethos underpinning Project Griffin seemed to be something of an enigma. Until, that is, the power and value of ASIS International’s business network became apparent. Nicholas Le Saux PhD CPP, vice-president for ASIS International’s French Region 9A, mentioned his interest in Griffin when attending the UK Chapter’s Annual General Meeting and seminar at Nomura Bank back in December 2013. Subsequently, lots of e-mails were exchanged which led to an initial meeting in September last year followed by a further gathering last March involving myself, Don Randall, Ian Mansfield and Alex Williams. Sandwiched between those two meetings, of course, was the tragic terrorist attack on Charlie Hebdo in Paris which made the March discussions on the implementation of a pilot Project Griffin seem even more poignant. The French delegation consisted of Eric Davoine, chapter chairman for ASIS in France, Stéphanie Bergouignan (ASIS International’s Women In Security chairman for the region), Thierry Coudert, Préfet, Délégué Interministériel aux Co-opérations de Sécurité (head of security partnerships) and his deputy Colonel Pascal Hurtault. Also involved at one of the gatherings was Valérie Hatsch, chief of staff to the Préfet of Hauts de Seine. Discussions were held at the Bank of England and many questions asked. Le Saux attended an Awareness Day and operational site visits were arranged with providers of Project Griffin

personnel at both Lloyds of London and 30 St Mary Axe (facilitated by Ashley Heywood and Danny Moody respectively). The latter enabled our French colleagues to witness Project Griffin at work first-hand and to speak with the client user of Project Griffin security personnel, the company providing the security officers and the staff members themselves. The result of the visit and discussions realised has been the launch of a pilot scheme in La Défense which is Europe’s largest dedicated business district located on the outskirts of Paris. In terms of geography and scale, it’s a little like Canary Wharf in London’s Docklands only far larger. The official launch is set to take place at the end of this year.

Focusing on the Netherlands Via the ASIS International contact network, we were also introduced to Lucien Stöpler, Justice in Practice in the Netherlands, who was keen to highlight the methodology of Project Griffin to the appropriate Dutch authorities as well as the security services. He visited London last September, attended the City of London Police Project Griffin Awareness Day and then discussions were held at the Bank of England. Stöpler then arranged for Fred Kuijer – an author for Blauw, a security magazine connected to the Dutch Police Academy – to visit London in March this year. Kuijer was keen to see Project Griffin work and also speak with a variety of involved stakeholders such that he could then script an article designed to further stimulate interest among the relevant Dutch authorities. The latter includes NCTV, the National Co-ordinator for Security and CounterTerrorism. This is the equivalent of the National Counter-Terrorism Security Office that resides within Government here in the UK. We’re hopeful that, via our Dutch ASIS support network, we can now initiate a pilot Project Griffin in Holland in the near future. In summary, then, Project Griffin works. Public-private sector partnerships work and, without doubt, connectivity and discussion between the 38,000 ASIS International members worldwide also works. Without the latter, it’s perhaps highly unlikely that the French and Dutch interest in Project Griffin would have arisen and then generated so much positive feedback and discussion.

Graham Bassett: Vice Chairman of ASIS International’s UK Chapter, a Member of the European Advisory Council, Chairman of the London Project Griffin Board and Managing Director at GBRUK

“Project Griffin is a relatively simple concept in that the local police service delivers training via Awareness Days to employees working within the private security sector. They advise on a host of security and counter-terrorism issues” 25

www.risk-uk.com

Project1_Layout 1 10/09/2015 14:54 Page 1

PostRoomSecuritySystemProcurementandOperatorTraining September2015_riskuk_apr15 10/09/2015 13:03 Page 43

Post Room Security: System Procurement

An Open Letter to Risk Managers A s a starting point, an x-ray machine is of course a step in the right direction when it comes to Post Room security regimes, but this alone will not solve your problems overnight. Rather, such equipment should be treated as one element of a number of security measures that need to be considered in order to protect and safeguard a given facility and the personnel deployed within. First of all, it’s recommended that a thorough Post Room threat and risk assessment is carried out to afford the host business a better understanding of exactly what security systems may be needed and why. A Post Room risk assessment should provide an understanding of the current processes in place and assess the equipment that’s presently in operation to specifically combat any potential postal threats at your location. An understanding of what the present postal threats are and how they’re delivered will help. The current threat can be in the form of chemical or biological agents in powder or liquid form, as well as explosives and items designed to inflict physical and/or psychological harm. Importantly, the threat assessment should be carried out by a trained security professional. The threat assessment should start at the point of entry where the post enters the building. This can involve multiple locations, for example Royal Mail and courier deliveries to a loading bay and hand-delivered items at reception. If possible, all deliveries should be placed into one specified area. The Post Room needs to be located as close as possible to the post delivery point. An assessment should be made to identify any services such as computer servers, electricity supplies, water and gas utilities as well as key personnel in your organisation operating within a potential blast area. Protective measures would ensure any detonation event then exerts minimal effect on the business while the affected area may be cordoned off with ease.

Overview of target groups Threat information is forever changing. That being the case, fashioning a good working relationship with your local Counter-Terrorism Security Advisor is recommended. In addition, a thorough overview of groups that may target your organisation should be identified and reasons outlined as to why they might look to do so at some point. Never rule out the lone

When risk and security professionals are considering specialist equipment designed to detect suspect devices entering the building through the postal system, it’s fair to state that there are many key aspects to be taken into account before purchases are made. Jason Wakefield offers an overview of the necessary risk assessment procedures and details procurement Best Practice

activist, disgruntled employees or customers bearing a grudge. We would also strongly recommend checking the MI5 website (www.mi5.gov.uk) at least once every week such that you remain up-todate on all current threats and follow the countrywide terrorism alert status. On top of this, maintaining a dossier on all recent mail attacks with detail of current trends and methods used would also make for a fantastic staff training tool. Whether to scan mail onsite or offsite is a decision that needs to be made early on in the process. There are pros and cons to both. Offsite scanning is an ideal option simply because any risk posed to your building through mail delivery is alleviated. All scanning is conducted at another location. An undisclosed location is advised in order to maintain anonymity. There are certain aspects to remember when setting up offsite scanning regimes. First, there’s going to be a delay in receiving mail. Also, there’ll be a greater expense involved as you’ll need to pay for premises and a secure delivery vehicle to transport the mail between the two locations. Third, an x-ray machine will be required for all hand-delivered items. Onsite scanning is by far the most popular and cost-effective option. The downside to onsite scanning is that, if a suspect package were to be identified, you would run the risk of loss of business due to a possible evacuation scenario. Also, if a device were to detonate, the resulting disruption would be on a larger scale than for an explosion at the offsite location.

Evaluating x-ray systems There are various different types of x-ray machine available from a variety of manufacturers. In terms of physical form, those machines are either conveyors or cabinets. Conveyor-style systems are similar to those typically installed within airport security areas for scanning hand luggage. They’re effective

Jason Wakefield: Threat Assessment Manager at Todd Research

www.risk-uk.com

PostRoomSecuritySystemProcurementandOperatorTraining September2015_riskuk_apr15 10/09/2015 13:04 Page 44

Post Room Security: System Procurement

scanners for those points in time when your flow of incoming mail is constant and there’s a significant amount of large packages entering the business. Certain types of conveyor boast some additional software options for the end user. Advanced detection software is an algorithm software that works by identifying the atomic number in explosive substances and contraband. This then highlights to the operator explosives within a red box and contraband within a yellow box, thus making it easier for the x-ray machine end user to identify potentially dangerous or banned substances. Threat image protection software allows the automatic overlapping of a pre-defined banned item (for example a gun, knife or explosive device, etc) into a scanned item. The operator would need to hit the suspect button on the keyboard when a suspect item has been identified. This will then go towards the operator’s threat image protection score. If, after hitting the suspect button, there’s no threat image protection confirmation then the image on the screen is genuine. Usefully, reports on the x-ray machine operators’ effectiveness can be generated for management appraisal. Cabinet-style x-ray scanners are the most popular machines for Post Room use. They take up around one third of the footprint occupied by their conveyor belt cousins and can cost up to 50% less. They’re also extremely effective and easy to use. Cabinet scanners are operated by opening the chamber door, placing your items to be scanned inside and then pushing a button to generate the required image. Once the image has been generated, operating software with advanced features immediately comes into play to make the identification of suspect items that much easier. These advanced features include enhanced powder detection for the ease of identifying powders which could be Anthrax or Ricin, as well as an e-mail facility such that the end user can send pictures of a suspect package to a third party for subsequent assessment. Certain systems also allow zoom control, density alerts and three-point colour. All are designed to help the user identify what’s inside the package they’re scanning.

“If your business owns an x-ray machine that’s over eight years old, the chances are it’s not fit for purpose, obsolete and very likely inadequate when it comes to dealing with the types of suspect devices currently being identified” 28

www.risk-uk.com

If your business owns an x-ray machine that’s over eight years old, the chances are it’s not fit for purpose, obsolete and very likely inadequate when it comes to dealing with the types of suspect devices currently being identified by security professionals. Make it your priority to source a new one.

Training for system operators Training on the use of x-ray machines and their enhancement tools should be completed upon purchase of the new system and refresher training carried out every two years. It’s also recommended that your operators attend an endorsed suspect package training course to give them further knowledge on the types of devices that can be transported through the postal system and what they look like under xray conditions. Here, thorough instruction should also cover the types of devices that have been found in the postal system and the main components underpinning them. Full procedural actions necessary for enactment on finding suspect devices need to be written, rehearsed and updated on a regular basis such that your operators and other members of the security staff are comfortable with what to do if and when a suspect device is found. There should be a separate action plan in place for the discovery of powder. A decontamination plan will help prevent the spread of any potentially lethal substance. Outlined procedures need to cover full escalation plans as well as detailing safe routes for evacuation. All members of staff should be familiarised with the content of the action plans so that, during any sickness episodes or holiday periods involving key members of staff, everyone knows the procedures involved. Someone senior in the company needs to be responsible for writing down the following vital information to be handed over to the authorities: What has been found? Where is it? What does it look like? Who found it and at what time? Also, identify a safe route towards the suspect package area. It’s all-too-easy to become complacent about the daily operation of x-ray scanners and the training people receive in order to use them. It’s worth bearing in mind that explosive devices and other suspect packages are encountered more often than many people would imagine. At the end of the day, x-ray scanners and their operators are the first line of defence against suspect postal devices. It’s imperative that x-ray machines are able to see powders, fine wires and biological agents and that the operators working at your location are highlytrained and fully alert at all times.

Project1_Layout 1 09/09/2015 15:07 Page 1

PostRoomSecurityTheHumanDimension September2015_riskuk_apr15 10/09/2015 13:05 Page 1

Postal Threat Detection: The Man Machine employs multiple layers of protection including intelligence gathering, checking passenger manifests against wanted lists, canine screening and screening at checkpoints. While that’s true, and while the demands on TSA staff to reduce passenger waiting times may have an impact on their ability to spot the ‘threats’, these latest tests do appear to highlight the failure of the human factor rather than any deficiency in the security screening equipment.

Routine screening of mail

When assessing the specific threats posed by explosive devices sent in the post or other mail-borne hazards, it’s-all-too common for security teams to simply rush out and purchase the latest high-tech security screening technology and then provide some very basic training to the operators of that equipment. As Kirstine Wilson reflects, Best Practice dictates a very different way forward

www.risk-uk.com

llow me to reference the results of a report produced in June this year by one of the most security-conscious organisations on the planet, namely America’s Transportation Security Administration (TSA). An investigation conducted by the TSA found that, when undercover security assurance examinations were conducted, 95% of those individuals assigned to test airport checkpoints were able to bring weapons through the system. In fact, members of the Homeland Security ‘Red Team’ were able to pass dozens of banned weapons and mock explosives by TSA agents who failed on 67 out of 70 tests. Even more worrying is the fact that undercover officials posing as passengers were able to beat the system and smuggle weapons on board flights. This is startling considering the multi-millions invested in aviation checkpoint security to ensure passengers and bags are well screened. At airports, multiple technologies are deployed including metal detectors, millimeter wave scanning, Terahertz scanners and, in some cases, x-ray scanning and even CT scanning of passengers. Then there’s baggage screening using x-ray machines, explosives trace detection, shoe and bottle scanning and even specialist scanners for electronic devices. The list goes on. The most shocking revelation in the TSA trial was when one ‘passenger’, with a fake bomb strapped to his back, triggered the walkthrough metal detector. The security officer on duty failed to find the device during the ‘patdown’ procedure and duly passed the ‘passenger’ fit for boarding. TSA’s response was that travellers are subjected to a robust security system that

Let’s translate these scenarios and observations to the sphere of routine and regulatory screening for mail and packages. Similar to passenger/baggage screening, international mail is security screened. Attempting to implement similar measures for shipped or road mail would likely fail due to the adverse impact on commercial interests that regulations would cause. Something akin, in fact, to trying to screen all passengers/bags travelling on trains and buses. Even if measures were introduced for all mail handled by the postal services, it would be somewhat naïve to think that security risks would disappear. On one hand there’s the sheer scale of the international postal system and, on the other, the demand from customers for increasingly faster delivery times. Introducing security screening across the board would cripple the system and be extremely costly. The better tactic is a more harmonised and uniform approach to international postal security involving the tightening up of security measures with better analysis of parcel information and clear details of sender, receiver and parcel contents. Such detail could then be used to identify items posing the highest risk and profile them for additional security screening. If we adopt the view that the postal service cannot possibly screen all of our mail, each business with a Duty of Care to its employees harbours the responsibility around installing its own measures for ensuring postal hazards are detected before they have the opportunity to cause harm. In-house managers who don’t consider the way in which mail is being screened will not necessarily create a successful threat detection regime. Systems wise, for high volume throughputs of mail it’s best to install large conveyor beltstyle equipment. Of course, there are also x-ray machines, but they’re only one part of the screening process. In fact, they’re usually at the

PostRoomSecurityTheHumanDimension September2015_riskuk_apr15 10/09/2015 13:05 Page 2

Post Room Security: The Human Dimension

tail end of a process that begins with observations made by Post Room and/or security personnel. It’s through these observations that anomalies can be detected. Something unusual will trigger the screener to take a second look.

Detecting suspect packages Regarding the successful detection of suspect packages, if a Post Room’s ‘Red Team’ personnel were to test most mail security protocols by inserting white powder letters or razor blade devices into a sack of mail, those threats are very unlikely to ever be detected by Post Room operatives. Is this the fault of the equipment? Not really. Is it the fault of the operatives? Again, the answer is not really. The real issue here is that the contents of the mailbag could be relatively complex and dense, in turn rendering the ordinary – and legitimate – items in that mailbag a natural ‘mask’ for the low density, physically small threats that need to be detected. Finding a white powder in a full postbag would be an extremely tricky task. If harmful white powder-based threats are your main concern, though, you’ll have a far greater chance of detecting them by breaking mail down into batches of 40-50 envelopes and screening them flat in a cabinet x-ray machine with lower penetration and a much larger onscreen image. Admittedly, in a commercial business your employees are going to complain that they’re receiving mail much later in the day but they’ll also complain a lot harder if you deliver them an item of fast-screened mail containing a powder. It’s a complex challenge wherein commercial demand must be carefully balanced against the overriding need for tight security. Suspect mail detection comes with many challenges. High staff turnover and screener complacency are but two of them. Arguably most important of all is the requirement to prevent unnecessary building evacuations which can cost companies millions of pounds in lost productivity and revenue.

Avoiding false evacuations In some cases, false evacuations may be avoided by outsourcing x-ray image analysis procedures to a bomb detection specialist. If your x-ray equipment has a network port you can stream images from the Post Room for external analysis by one of your internal team members or a specialist police team. Alternatively, you could look to contract an external company to address this analysis work for you. The latter course of action is gaining more and more interest.

What else might be done to increase the potential for successful detection of mail-borne threats? Intelligence gathering by security and counter-terrorism agencies underpins regular advice for high threat businesses around when potential risks are imminent. Be fully aware of security threat levels and, wherever possible, increase vigilance and screen mail in smaller batches during these time periods. Remember, though, that postal threats may arise at any time and be concealed in any number of ways. As a result, the focus should be on vigilance every day and on every piece of mail and any packages received.

Policy for the Post Room Here in the UK the onus is on individual businesses to carry out mail screening either offsite (which represents the safest but slowest option), prior to (requiring space for external security screening structures) or at the point of entry to a given building. Encourage businesses you deal with to identify themselves and the contents of the mail item on the envelope or package. Adopt a Post Room policy whereby you don’t accept anonymous mail. Wherever possible, don’t allow members of staff to have personal packages sent to the workplace. Most important of all, ensure that mail is routinely screened and check that your x-ray equipment has the detection capability to view all types of postal threats with images presented clearly. Consider a secondary screening method such as explosives detection or material detection technology. It’s also advisable to test your x-ray equipment’s efficiency using the Mail Room xray Test Piece developed by CAST and the CPNI. However you decide to move forward with your mail screening policy, to carry it out effectively you’re going to experience commercial pressures. There will need to be an investment in staff. Most important of all, you must make vigilance towards postal threats something that’s practised every day and on every item rather than solely during a heightened state of threat alert. Kirstine Wilson is Sales and Marketing Manager at Scanna MSC

“Suspect mail detection comes with many challenges. High staff turnover and screener complacency are but two of them. Arguably most important of all is the requirement to prevent unnecessary building evacuations” 31

www.risk-uk.com

Project4_Layout 1 07/11/2014 16:05 Page 1

Securitas, a true focus on Security The skills of our people, alongside the best in technology produce total integrated solutions that safeguard your business.

0800 716 586 www.securitas.com

RetailSecuritySolutionsFrontCover September2015_001 10/09/2015 14:31 Page 1

September 2015

Security and Fire Management

Centre of Attention Risk and Security Management in the Retail Sector Open Platform Video: The All-Round Smart Solution Building Blocks of CCTV: Modular and Scalable Surveillance In Search of the Fraudsters: Crime Prevention Technology Planning Makes Perfect: Improving Business Results

Project1_Layout 1 23/07/2015 17:10 Page 1

Track

Keep persons of interest in view, as they move – even at speed.

Locate

Gives you the ability to pinpoint persons of interest fast and accurately.

Zoom

Gives you the detail you need to make informed decisions.

Our focus is helping you to locate, track and zoom in on details. Bosch motion control cameras oﬀ er you total control of what you choose to see, and the level of zoom you use to identify objects over large distances, regardless of movement. Learn more at Tel: 01895 878095 | Email: security.systems@uk.bosch.com

RetailSecuritySolutionsOpenPlatformVideo September2015_riskuk_apr15 10/09/2015 14:00 Page 2

Retail Security Solutions: Open Platform Video

Open Platform pen Platform technology has allowed camera manufacturers to work in partnership with leading developers of innovative third party solutions like video analytics to elevate surveillance from a security system to an all-round smart solution. Video analytics is perhaps one of the best examples in which the functionality of a camera may be enhanced with the use of Applications. Indeed, many video-based specialist Applications are already available, including those that can provide Automatic Number Plate Recognition, people counting, perimeter protection and storage-focused solutions. This has become possible because the very latest video surveillance cameras are equipped with a high performance DSP chipset with sufficient processing power to download and run edge-based Applications in a similar way that you would add Apps to a smart phone. On board Applications create opportunities for cameras to be used for multi-tasking, with various departments within a business or organisation able to simultaneously collect and analyse valuable management information via different specialist video analytics Applications. This affords operational managers the potential to improve efficiencies in areas such as process control, Health and Safety and Human Resources (HR) management while at the same time assisting loss prevention specialists to combat potential theft. Retailers can use cameras with an Open Platform capability to integrate with other instore systems, software and technologies such as Electronic Article Surveillance, EPoS, access control, facial recognition, people counting and HR data to analyse customer traffic patterns, manage queues or otherwise understand the implications of shopper behaviour in relation to signage, store layout and promotions.

Adoption for business intelligence It’s pretty much certain that we’ll look back in a year or so and be amazed at the diversity of Apps that have been introduced. Retailers, for example, may wish to use a video analytics App designed to provide business intelligence on customer in-store behaviour and can produce heat maps which show busy areas of a store by hour or day of the week. This enables a given store’s Merchandising Department to identify where they ought to locate in-store promotions or perhaps relocate slow-selling items. Data can also be collected to allow the analysis of how long customers have to queue

The latest generation of Open Platform video surveillance cameras is helping retailers to improve operational efficiencies and enhance customer satisfaction, not to mention assisting security personnel in reacting swiftly and effectively to any threats posed. Justin Hollis focuses on added value for the end user

to pay. This can be used to help store managers in establishing how many checkouts should be open to ensure that the customer experience isn’t adversely affected by long queue times. Security personnel responsible for missioncritical sites may wish to use a specialist video analytics App. These are ideal for perimeter protection applications where there’s a need to have a high performance solution to detect and track would-be vandals and thieves. Today, retailers also have the opportunity to capitalise on the benefits of 360-degree camera technology. A single 360-degree camera is quite often all that’s required to efficiently and costeffectively cover a whole area where a much larger number of standard cameras might normally be required. A 360-degree camera will complement a video solution perfectly by giving the operator a complete view of an area, while standard ‘statics’ and PTZ-style cameras are used to pick up the detail at critical points such as doorways and to make certain there are no blind spots. There are now powerful 360-degree cameras available to deliver superb quality evidence grade images. Many have a digital PTZ feature which allows end users to electronically pan, tilt and zoom in on specific areas for a more detailed view while at the same time continuing to monitor the whole 360-degree spectrum.

Justin Hollis: Marketing Manager at Samsung Techwin Europe (a division of the Hanwha Group)

www.risk-uk.com

RetailSecuritySolutionsModularandScalableSurveillance September2015_riskuk_apr15 10/09/2015 14:01 Page 1

Retail Security Solutions: Modular and Scalable Surveillance

The Building Blocks of CCTV best possible images even in challenging lighting conditions. Efficient compression software delivers low bit-rate video streams that need less storage. On top of that, recording solutions can now scale from oncamera SD cards to petabyte storage arrays. The latest transcoding technology allows effective remote operation of your surveillance solution with both low bandwidth streaming and highly detailed static images. Whether you’re starting from scratch, expanding or replacing an existing installation, selecting scalable solutions is the right choice for so many reasons. Even when upgrading from an analogue system to IP, you can still use your existing architecture. Low-cost encoders are all that you would need to interface with legacy analogue cameras.

Finding the ideal surveillance solution for your retail operation isn’t always straightforward. As Kiran Pillai recounts, there are many different aspects to consider, among them image quality, number and type of cameras supported, network and storage capacity and ease of everyday operation for security personnel on site

Kiran Pillai is Product Marketing Manager at Bosch Security Systems UK

www.risk-uk.com

hen it comes to CCTV, the size of your retail operation as well as your own ways of working may initiate specific demands. In a smaller retail outlet, for example, the end user would want a selfcontained, comprehensive, easy-to-install and easy-to-use surveillance system. In a large retail chain with central loss prevention operations support, the security and risk management professional would almost certainly want much more, including full access to live and recorded video from all sites, a robust authorisation system and remote access to live video and recordings (often through a corporate network with limited bandwidth). They would also require easy system expansion to new stores, centrally-managed software updates and comprehensive system monitoring and diagnostics. Then there’s the question of consistency. When you have video systems in different locations, do they seamlessly interface with each other? Does each separate system require specific testing, training and maintenance? The ideal solution is a modular and scalable surveillance system which not only helps prevent losses in retail operations but is always based on the same architecture, interfaces, access and operating principles. The system needs to be designed to grow with the end user’s needs. Now and into the future, there needs to be a guarantee of consistency, familiarity and simplicity with all elements in the system incorporating state-ofthe-art components as standard. Some of today’s cameras use the latest sensors and image processors to render the

Uniformity right from the start A single family of building blocks covers the surveillance needs of your operation, large or small. This brings tremendous benefits for end users. Store managers/loss prevention personnel only ever have to become familiar with one user interface. The same applies to the system administrator. There’s only one configuration interface to learn. On that basis, training staff is a far simpler process, as is the installation and maintenance of systems for new stores. It’s also always the case that you would use the same protocol when interfacing with external systems (for example, when it comes to Central Station alarm monitoring, reporting, data mining and retail-centric analytics). You can start small, with a handful of cameras that securely send their images to your local, remote or mobile monitoring device for analysis. Full monitoring and control may be provided by smart phone and tablet-friendly Video Security Apps designed for either iOS or Android platforms. When your needs change or your premises expand, you can install additional cameras and in-store monitoring as well as enable local storage of images. If you add or acquire more locations, you effectively ‘copy and paste’ the same solution, possibly supported by a central monitoring operation. Even when you require much larger surveillance systems, for example in so-called ‘big box’ stores or distribution centres, the same management system software would efficiently and effectively manage hundreds or even thousands of individual CCTV cameras.

Project1_Layout 1 09/09/2015 15:07 Page 1

RUN Milestone Mobile AND DOCUMENT ANY EVENT WHILE IT HAPPENS

Let your staff stream live video from their smartphones, wherever they are By allowing your staff to stream live video from the device’s camera directly into your Milestone solution, the Milestone Mobile app gives operators in your central monitoring station immediate awareness of incidents no matter where they occur. Compatible with all Milestone XProtect® video management software and the Milestone Husky™ NVR series, the Milestone Mobile app provides extended live visibility and the ability to use video streams in later investigations. Explore more surveillance and security opportunities with Milestone video management solutions at milestonesys.com

Milestone Systems UK Tel: +44 (0) 1332 869380

POSSIBLE STARTS HERE

RetailSecuritySolutionsCyberRisks September2015_riskuk_sep14 10/09/2015 15:15 Page 58

What’s Hiding in the Electronic Mail? By taking a proactive approach to security, and choosing solutions that collect data about e-mail channel activity on a global basis, brands will be able to remove the risk of infected communications reaching that most valued asset – their customers. Patrick Peterson unravels the risks posed to retailers by e-mail-borne cyber attacks

send an e-mail using someone else’s identity – and the perpetrators of cyber crime are exploiting this weakness. Hackers use many tricks, but one of their favourites is to take advantage of design flaws in the basic architecture of the Internet to send e-mail from what looks to be a legitimate domain (usually a .com return address that appears to be identical to those used by reputable businesses).

Replica websites, branded e-mails

here’s no doubt that e-mail is a simple and direct way for retailers to stay in touch with their customers. However, you only need to look at recent news headlines to see how today’s cyber criminals are amplifying their use of this communication medium to spread data theft malware. The infamous Target data breach, for example, clearly illustrates how cyber criminals are capitalising on e-mail as an attack vector to steal credentials, infect machines or harvest enough information to continue the next steps of their malicious campaign. For retailers looking to maintain e-mail correspondence with their customers – whether to let them know about new offers or sales – the unavoidable issue is: ‘How can they expect those customers to spot phishing e-mails when, for all intents and purposes, the message that has landed in their Inbox looks legitimate?’ The unfortunate truth is that e-mail was created with a fundamental flaw – anyone can

Patrick Peterson: CEO of Agari

“Those employing the DMARC standard – a security framework for e-mail senders and receivers that standardises how to directly check the authenticity of emails and the domain – minimise the risk of a compromise” 38

www.risk-uk.com

To date, there have been considerable technological developments that stop people from impersonating ISPs or domain spoofing, but it still remains relatively easy to do. Designing replica websites or branded e-mails are tasks that today’s well-funded cyber criminal gangs have the time, resources and patience to take on and complete. Given the amount of money that can be made with these exploits is enormous – often hundreds of millions of pounds – the number of criminals that will look at using this channel will only continue to swell while their tactics become increasingly more sophisticated. Take notoriously complex threats like CryptoLocker ‘ransomware’, for example, which encrypts the end user’s hard drive until a substantial Bitcoin ransom payment is made. Such attacks succeed because they abuse a growing number of web domains, with attacks typically spiking from thousands to millions of malicious e-mails per day as the criminals attempt to unleash malware before security specialists have a chance to respond.

Analysing the phishing risks Indicative of the scale of the problem facing businesses worldwide, our own quarterly research (known as the Agari Trust Index) has shown that 93% of retailers are considered to be ‘sitting ducks’ for cyber criminals. That research, which applies big data analytics to identify both the sectors and companies that have the highest and lowest risk for dangerous e-mails, shows that retailers are not alone in being targeted. In the second quarter of last year, the travel sector recorded a nigh on 800% increase in bugged e-mail purporting to be authentic correspondence. The Trust Index proves that the UK still has a long way to go in prioritising e-mail security, with three quarters of leading retail, banking and gaming organisations classed as easy targets. Indeed, retail banking and financial

RetailSecuritySolutionsCyberRisks September2015_riskuk_sep14 10/09/2015 15:17 Page 59

Retail Security Solutions: Cyber Risks

organisations will forever remain a prime target for hackers if such would-be criminals are not deterred. Our findings also revealed that European banks are ranked tenth out of eleven global industry sectors in successfully implementing e-mail security Best Practice. This indicates that, despite being a primary target, they’re still failing to adequately protect what is a valued communication chain. When considering the consumer retail market, it’s also worthwhile noting that so-called ‘e-tailers’ are typically ahead in security terms when compared with retailers supporting both a ‘bricks-and-mortar’ and e-commerce business. That’s encouraging. Indeed, companies such as Amazon and the like are recognised for being technologically innovative, so it absolutely stands to reason that they would also do well in the e-mail security sphere.

Implementing the DMARC standard With one eye firmly fixed on the recent number of security breaches involving e-mail in a bid to steal valuable consumer data, it’s imperative that large global brands re-address their email security practices immediately and boost defences to better protect their customers. There’s good news. Technology that shuts down e-mail as an avenue of attack does exist. Furthermore, e-mail providers are a critical element within this security puzzle. Those employing the DMARC standard – a security framework for e-mail senders and receivers that standardises how to directly check the authenticity of e-mails and the domain – minimise the risk of a compromise. When DMARC is implemented by the brands that send e-mail, a virtual ‘handshake’ of sorts is instantly initiated with the e-mail receivers that deliver e-mail (the majority of whom already support DMARC). With DMARC turned on, if an e-mail arrives from a domain owned by, say, your bank, you can be sure your bank actually sent it. ‘Fake’ e-mails are automatically rejected by the e-mail receivers before they even reach the Inbox. There are several benefits of implementing DMARC. For a start, there’s reduced risk. By and large, retailers are reporting that cyber attacks are the biggest risk they face. By preventing hackers from sending e-mails that pretend to be from registered domains, DMARC reduces the risks associated with fraudulent email. One study showed that, by implementing DMARC, some brands have managed to cut e-mail abuse by over 70%. Risks to the business from a cyber attack can be significant. The largest breaches have initiated everything from a loss in shareholder value to a call for change in the C-Suite, not to mention the everyday business impacts such as operational losses, increased customer service calls and account takeovers. Then there’s identity protection. According to the 2014 Verizon Data Breach Investigations Report, there were 1,367 breaches in 2013 affecting over 15 industries and countless companies’ reputations. One of the reasons for this epidemic is that private information is extremely valuable to more than just consumers. For instance, there are numerous ‘shadowy’ hacker websites wherein personal information – credit card data, for example – can be bought and sold pretty easily. In today’s world, identity theft is big business. DMARC should be the foundation of companies’ efforts to fight the criminals.

www.risk-uk.com

RetailSecuritySolutionsCrimePrevention September2015_riskuk_apr15 10/09/2015 13:12 Page 1

Retail Security Solutions: Crime Prevention Technology

Searching for the Fraudsters

Using the latest IP video technology to target known sources of shrinkage is proving to be a hugely successful strategy for cutting retail theft. Peter Greener outlines exactly how security systems developers are helping businesses nullify the criminal fraternity

Peter Greener: Channel Business Manager for Milestone Systems UK

www.risk-uk.com

ithin the first two years of working with them, we’ve helped one of our retail customers to nearly halve their shrinkage from 0.81% to just 0.44%. In so doing, the number of employees ‘caught in the act’ has increased five-fold. Furthermore, we now know this sort of success story is highly repeatable for other retail customers. Today’s technology providers are able to demonstrate rapid return on investment for networked video systems. From our own perspective, we’ve devoted considerable R&D resources of late to developing a series of sophisticated investigation tools specifically designed to assist retail customers search known ‘fraud scenarios’ and find evidence of such events very quickly. So how have we realised this happy state? The starting point is to enable seamless integration between Electronic Point of Sale systems and XProtect Transact or XProtect Retail systems, both developed as add-ons for standard VMS software. Second, you need open architecture that allows for eco-system partners to integrate their own software solutions. The resulting combination renders the possibility of tackling retail shrinkage head on a reality while future-proofing the investment as new issues emerge. We’ve been working closely with our partners to garner a detailed understanding of how specific retail ‘scams’ operate. Indeed, we now have eco-partners that can analyse various modes of behaviour which are often early indicators of theft. There are several examples. The majority of retail theft still emanates from the till or cash drawer. If tills are opened

without an associated transaction, it’s pretty important to be able to isolate such events. If till rolls don’t reconcile with actual cash – or vouchers and cheques, etc – present in that till, managers must investigate these events more closely. It’s possible to pull up each event in XProtect Retail and run sequences of video recordings associated with them. Of course, there has been a substantial upsurge in the use by consumers of loyalty card bonus points given out as a reward for doing more shopping with specific retailers. Employees have also been ‘cashing in’. A common scenario in recent years has seen cashiers collecting the bonus points of customers that fail to bring their loyalty cards with them to the store. In some cases, this has led to points from hundreds of transactions being assigned to employees or friends’ loyalty cards in a single week. Again, systems can be set up to recover and view events associated with specific loyalty cards. By viewing video recordings alongside these suspect transactions, it becomes clear very quickly if an employee is using their own loyalty card when the customer doesn’t produce one. Fraud events like the modification of pricing or the manual entering of prices offer opportunities for cashiers to pocket the difference between the full price of goods and the discounted price the customer should have received. Again, searches can be made and corresponding video evidence displayed alongside the relevant transaction data.

Events outside business hours All-too-many fraudulent events happen at the beginning of the day as tills are being stocked or last thing at night before cashiers head for home. It’s important to be able to search on the first transactions of the day and last transaction of the day for each cashier. Many retailers also want to be able to analyse all transactions conducted outside of normal business hours, just before customers come in and when most employees are focusing on doing their specific job to make sure they’re ready for the opening of the store. XProtect Retail offers 20 pre-defined queries designed to enable the rapid recovery of video relating to the above and, indeed, many more types of transaction events which could also highlight evidence of employee theft. Search results are displayed as a transaction list with corresponding video recordings.

Project1_Layout 1 10/09/2015 15:18 Page 1

Value engineered Competitively priced megapixel and Full HD bullet cameras and domes from a brand you can trust.

Delivering a heavyweight performance at an ultra light price, WiseNet Lite 1.3 megapixel and 2MP Full HD cameras and domes share many of the features built into Samsung Techwinâ&#x20AC;&#x2122;s award winning WiseNetIII camera series. Plus, a Hallway view function for the efficient monitoring of narrow vertical areas such as aisles, corridors, tunnels and roads. With WiseNet Lite, Samsung Techwin continues to support installers with affordable solutions that will meet budget limitations, as well as demanding functionality requirements of any size video surveillance project.

Securing your future WWW.SAMSUNGSECURITY.CO.UK STESECURITY@SAMSUNG.COM T: +44 (0) 1932 82 6700

RetailSecuritySolutionsSurveillanceSystemPlanning September2015_riskuk_apr15 10/09/2015 13:59 Page 1

Retail Security Solutions: Surveillance System Planning

Making Plans cross the retail spectrum, it’s fair to state there are many different security-centric applications for a modern CCTV video surveillance system. As a bonus, intelligent video analysis, for example, is also useful for marketing. Retail specialists are able to use video in observing customers, measuring footfall and conducting behavioural studies or structural analyses, all of which assists with improving staff planning or shop layouts. To ensure that your video system delivers useful image material when needed there’s one truism to be observed: good planning is a must. It’s not always necessary to use many cameras to derive the desired picture quality. This is where multifocal sensor systems play their part. Unlike single sensor cameras, these systems are equipped with multiple lenses capable of replacing several conventional megapixel and HD cameras, even from just one installed and commissioned location. Multifocal sensor technology provides a guaranteed constant resolution. This makes it possible to monitor larger areas and distances from a single location, achieving this in realtime and with uniform image resolution, high

James Walker: Managing Director at Dallmeier UK

Video is used to prevent theft in shops and stores and collect evidence of robberies. However, it isn’t just security that can benefit from video surveillance. James Walker examines how effective planning might open the door towards enhanced business results dynamics and consistent focal depth. For the host business, the end results include considerably lower costs around installation, labour, network components and cabling. Focusing on recording, several different approaches are now available from special video appliances to video recording software. Another essential aspect of the installation is video management (ie the client software). In addition to rapid, intuitive display of live views, today’s integrated functions are able to support efficient analysis of the recordings. These days, many manufacturers even offer Applications for smart phones and mobile devices that may be employed to view video images from anywhere. Be aware that professional installation and manufacturing companies can provide advice on planning an individual video solution.

solutions for a safer world

CONTRACT SECURITY SERVICES LIMITED CASH & VALAUABLES IN TRANSIT (CViT) SERVICE PROVIDER CASH PROCESSING & BANKING SERVICE (INCLUDING COLLECTION AND PROCESSING FROM CAR PARK MACHINES)

CASH CONSOLIDATION SERVICE SECURITY GUARDING AND MOBILE PATROL HEAD OFFICE: CHALLENGER HOUSE 125 GUNNERSBURY LANE LONDON W3 8LH T: 020 8752 0160 F: 020 8992 9536 E: info@contractsecurity.co.uk www.contractsecurity.co.uk

SALES: T: 01622 792639 F: 01622 882084 E: sales@contractsecurity.co.uk

DEPOTS: Brentford, London | Larkfield, Kent | Andover, Hampshire

Project1_Layout 1 09/09/2015 14:52 Page 1

THE FIRST TIME YOU SEE QULU IN ACTION...

We like to think of our qulu software as VMS re-imagined. What do we mean by this? We mean that it allows you to take control of how you interact with video. You can exactly tailor it to best meet your needs and interrogate any scene like never before.

Need to see it for yourself? Watch the demo video at www.vimeo.com/vistacctv/qulu Download a 30 day free trial at www.vista-cctv.com/product/qulu

HD CCTV FROM VISTA

g Web: vista-cctv.com

FLEXIBLE LAYOUT Set up the software to operate exactly how you want it to AUTOMATIC FAILOVER Cameras automatically transferred to an available server upon system failure FISHEYE DEWARPING Generate multiple camera views from a single camera PAXTON INTEGRATION Link and view footage directly from the Paxton Access Control interface

g Email: info@vista-cctv.com

g Tel: 0118 912 5000

IndustrialEspionageManipulationandTheInsiderThreat September2015_riskuk_apr15 10/09/2015 12:39 Page 1

Corporate Espionage: ‘The Insider Threat’

Many critical information and data loss episodes arise due to individuals whom the host company has happily entrusted with access to corporate data. In other words, we’re talking about ‘The Insider Threat’. Why should businesses care about this issue, though, and what can they actually do in terms of prevention? By way of guidance, Guy Bunker recites some recent (and high profile) Case Studies

44 www.risk-uk.com

ast July, Ashley Madison – a matchmaking site billed as an enabler for those inclined towards extramarital dating and affairs – had the details of between 33-37 million customer accounts and other critical information stolen (and then posted online) by a group calling itself ‘The Impact Team’. The fall-out of this data breach has been significant, including the scrapping of a planned Initial Public Offering, the prospect of substantial legal action and, late last month, the resignation of Noel Biderman (CEO of the Ashley Madison website’s parent company Avid Life Media Inc). Canadian Police are also investigating possible links between the data hack and two suicides. Of course, a national media interest story such as this one instigates discussions around ethics and morals that wouldn’t apply to other websites or news items. The threat of data loss, on the other hand, applies equally to any organisation and, amid the ongoing intrigue, there are some very important lessons to be learned here. In recent Clearswift research, 88% of 500 global security professionals polled said they’d experienced a security incident in the previous 12 months, with 73% of them attributing these occurrences to employees, ex-employees, contractors or partners (the extended enterprise). This represents a dramatic increase on last year’s research statistic of 58%. The classic image of information being stolen by distant hackers with no link to the business

is somewhat misguided. Most data loss emanates, at least in part, from someone to whom the business has happily given access to its key data. Hacking into a corporate network on a remote basis is actually a pretty difficult ‘ask’, although certainly not impossible. On the other hand, transferring files from your desktop to a memory stick or private email/cloud account is easy. Unless, of course, your company has put precautions in place, but most haven’t. Even where the threat ultimately stems from outside, it invariably involves hackers duping someone on the inside by tricking them into installing malware, convincing them to send out information or blackmailing them. Embarrassment of both companies and individuals is becoming increasingly common. It’s not just about salacious details. Last year, Sony suffered a breach whereby the leak of seemingly innocuous comments in compromised e-mails caused significant problems for the company. The reason data theft is made easy is because many companies simply do not recognise the threat insiders can create and, as a result, don’t take adequate precautions. Only 28% of the experts we quizzed believe internal breaches are treated with the same importance by their Board as external threats.

Types of insider threat Let’s also be clear that there are two types of insider threat: malicious and inadvertent. Inadvertent security incidents are more common than malicious ones, for instance the sending of sensitive information to ‘the wrong Dave’ through e-mail autocomplete, but the end result is the same. The information falls into unauthorised hands. Uttering the phrase Mea Culpa will not keep the regulators off your back. Nor will it satisfy customers that such a situation is never going to arise again. Clients can move their business elsewhere with the click of a mouse. Fortunately, available solutions for addressing the malicious insider address the inadvertent one as well. In our survey, a simple lack of understanding was the most commonly perceived factor in the rise of internal threats. Other issues raised were the use of forbidden Apps and a general feeling of contempt towards business protocol. Our research was conducted before the Ashley Madison scenario emerged, but we did ask whether high profile stories such as the

IndustrialEspionageManipulationandTheInsiderThreat September2015_riskuk_apr15 10/09/2015 12:39 Page 2

Corporate Espionage: Manipulation and ‘The Insider Threat’

Edward Snowden revelations and the Sony Pictures data breach have forced internal threats further up the corporate agenda. 70% of respondents agreed that they had. However, increasing numbers of breaches suggest a low level of translation in terms of instigating effective decisions for dealing with them. 14% of those individuals questioned even said that, until their organisation suffers from its own serious internal data breach, the subject will never be taken as seriously as that of external hackers. Whether the Ashley Madison episode will wake people up – or whether it will prompt more mumbles of: ‘This will not happen to us’ – remains to be seen. To prevent such incidents, it’s vital for a given business to deploy both tools and policies that will minimise the risk. As our research shows, enticing decision-makers to view the subject seriously remains half the battle. Assuming security and risk managers can succeed in this task, what must organisations do in order to mitigate the threat?

Mixing policy with technology The answer lies in a mixture of policy and technology, but in advance of that you need to truly understand the nature of the threat. Where does your critically important data reside? Our research finds that most security professionals view finance, Human Resources (HR) and legal departments as holding most of the sensitive data. Data of the kind that could cause potentially serious damage if leaked. It’s notable that while around 50% of respondents to our study said that HR and finance operations represented security threats to their organisation, only 16% said the same of legal. This shows it’s not just access to sensitive data that creates risk. Legal departments tend to have a more secure, conservative culture and, hence, represent a much lower risk. Here, there may be lessons around transferring Best Practice techniques between departments. No less than 67% of those questioned also said personnel working onsite were a higher risk than those working remotely. Despite security worries about people working offsite on personal devices, those in the office actually have easier access to sensitive data so are actually more likely to lose or abuse it.

“If you understand what data is valuable and where it’s held, you can set up DLP systems to track whether private information is being transferred in a suspicious manner” selecting technology to minimise the insider threat risk. Not all information is created equal. A cost-effective solution requires you to accept this fact, and also recognise that there isn’t a silver bullet to solve everything in one go. If you understand what data is valuable and where it’s held, you can set up data loss prevention (DLP) systems to track whether private information is being transferred in a suspicious manner, and then stop it from going anywhere you don’t want it to. Fortunately, DLP technology has moved beyond the days of simply blocking e-mails and become very clever. It can make intelligent decisions based on who is sending what (for example, an employee sending customer details to a colleague on the same account would be allowed, but sending that information to a private e-mail address would not). DLP can automatically redact only critical information (such as credit card details) from an e-mail or document but leave the rest to continue so as not to stop the information flow of business. It can flag suspicious activity to the right people, such as the sender’s manager, who can then quickly act upon it (in turn either allowing the information involved to proceed unhindered or raising the alarm). Technology must always be accompanied by awareness training and good policies. Sensitive data, for example, should stay on the network unless there’s very good reason for it to leave.

Guy Bunker: Senior Vice-President of Products at Clearswift

Using knowledge wisely Having spent time understanding what your valuable data is, where it can be found and how it might get out – and the expert views above provide a good starting point for your own analysis – you can start creating policies and

www.risk-uk.com

TheSecurityInstitute'sView September2015_riskuk_apr15 10/09/2015 13:20 Page 1

Under Pressure: Dealing with Workplace Stress

as it may first appear. All business is about ‘process’: using the right parts of the right quality and in the right order to produce a finished article for sale. We could be talking about widget production, servicing a specific sector, IT security or mitigating perceived danger to physical or human assets within high risk environments. The security world is no different to any other business sector. With the right processes in place, an adequate risk assessment, suitably trained people and appropriate intervention strategies, dealing with workplace stress doesn’t have to be a prohibitively costly nor onerous process for management. The legal imperative is clear, as laid down by the Health and Safety at Work Act 1974 and the Management of Health and Safety at Work Regulations 1999, not to mention established case law, etc. On that basis, the Duty of Care is also clear. Once strategic sign-up is established and backed by managerial support, the first step in combating stress is a risk assessment. In short, you need to identify the stressors.

Searching for the stressors

Workplace stress – including posttraumatic stress disorder – can be a significant underlying cause of employee absenteeism, accidents and injury. Here in the UK, it’s estimated that stress costs businesses millions of pounds every year. How might companies look to address this worrying situation? Andrew Beale highlights some intervention strategies

www.risk-uk.com

ack of concentration, hastily-taken decisions, impaired judgement and frequent mistakes are occurrences that can hinder your employees long before they might suffer the myriad and debilitating consequences of a nervous breakdown. Sometimes, when a workplace stress-related case goes to court and it’s proven that an employee’s injury was caused by a breach of the employer’s – common law of contractual – Duty of Care to this employee, the member of staff will be entitled to (and be able to recover) appropriate compensation. Added to the human and monetary cost for all concerned is the significant negative press and reputational damage that could impact the business. Contracts will be lost when a Judge or coroner publicly states that an organisation has demonstrated ‘gross and systematic failings’. Death, long-term sickness and, on occasion, the dismissal of employees are outcomes at the extreme end of the ‘consequences of negative stress’ spectrum, but it’s against this backdrop that the question: “What’s the bottom line when dealing with stress in the workplace?” is often asked. In a sense, businesses are posing the question: “What’s the least we can do – or spend – to ensure that our employees are safeguarded from the effects of workplace stress and the company’s name is kept out of the courts?” This isn’t quite as harsh a question

Workplace stress emanates from many different sources, not least the recent economic downturn. There are changing work/lifestyle patterns and social pressures afoot, so too an ever-increasing emphasis placed on the quality of service delivery now expected of employees. In many sectors at present – and particularly so when it comes to the public sector encompassing the police and prison services – there are best value practices, output measures and performance indicators in play that create a more customer (ie tax payer)-driven focus coupled with far-reaching austerity cuts and changing service delivery models. For the security sector and high risk-to-life environments, the risk assessment required by law cannot always be carried out prior to a specific incident occurring simply because the employee isn’t sure where an incident will occur or what the size and/or severity of the incident might be. Consequently, there’s a defined need for generic risk assessments. In addition, while the incident is underway the employee’s place of work changes, often with dramatic consequences (as a result of explosions, structural failure of buildings, the release of chemicals or, at an extreme, someone trying to kill them). In these situations, managers are expected to conduct clearly recognisable generic and dynamic risk assessments under extreme pressure and in distressing and disturbing circumstances during which their own life may be threatened.

TheSecurityInstitute'sView September2015_riskuk_apr15 10/09/2015 13:20 Page 2

The Security Institute’s View

By way of comparison, a static security officer working alone on the night shift in a remote location somewhere in central London may seem like a less risky duty but it must still be stress risk assessed, as should any home working that may be requested by IT security staff. Clearly, all Security Industry Authority licensed staff such as security officers, door supervisors and public space surveillance CCTV operators will at some point be subject to stressful situations, but it may not be the obvious confrontational elements engendered by their work that create the most stress. It’s important to remember the differing ways in which people respond to stress and the whole range of stressors present in the same environment. This renders the identification of stressors in the work environment for large teams an even more complex procedure, but it absolutely must be done. Placing human beings into stressful scenarios means that a method of assessment of their suitability and ongoing ability to deal with those situations should be undertaken. This includes stringent screening of new joiners to the company who, in the security sector, may well be bringing stress-related issues with them from previous work events if they’ve arrived from the military or the police service. In cases where post-traumatic stress disorder (PTSD) and prolonged-duress stress disorder (PDSD) – both of which have similar symptomatology – are suspected, thorough assessments need to be conducted. Here, it’s worth noting that PTSD is generally diagnosed in 1%-3% of the general population, 9% of urban adolescents, 15%-20% of combat veterans and 15%-32% of Emergency Services/response workers. Where an individual has worked – or is working – is clearly a factor in the diagnosis.

Potential intervention strategies The RAND Corporation study detailing research into the mental health of contractors who had worked in conflict zones was published in December 2013. It concludes that levels of PTSD found in private security contractors who have served in Iraq, Afghanistan or other conflict environments are more than double those experienced within the UK military. Evidence is there to suggest that PTSD levels are high, but this might be because the Armed Forces – for whom many security contractors have served in previous employment, of course – haven’t dealt with traumatic incidences as well as they might have done in days gone by. Significantly, though, my own research has shown that, in fact, within high risk-to-life

employment situations it’s not actually the traumatic experiences that cause the most stress but rather new management/organisational practices, increased demands/long hours and/or job insecurity and redundancies. Addressing ‘stress’ as a management issue recognises that organisations operating in the security sector need good all-round employees who know how to deal with the effects of daily negative stress of the job. They also require employees who can perform well in turbulent, dynamic and sometimes harrowing environments. Healthy employees are best placed to do so. Today’s organisations should adopt an holistic approach towards stress reduction and apply appropriate process models underpinned by total quality management principles. In this way, they understand that work isn’t isolated within the ‘departmental fortress’. Rather, it’s divided into a series of activities or processes. It seems so simple and is talked about a great deal but many organisations still fail to deliver the right quality tools that function all the time and on time.

Being proactive is essential Proactive management of the stress issue can be achieved by prevention, promotion and intervention. Again, this is very straightforward. If we listen to what people have to say about stress, and recognise individuality and psychological vulnerability, we will ‘unfreeze’ existing attitudes towards the subject. There’s no doubt about it. Treating employees as adults allows everyone to commit to new attitudes. In educating and training staff members around workplace stress, PTSD and PDSD, they become aware of the theory, accept the principles as valid, adopt them for themselves and adapt their behaviour accordingly. Ultimately, this leads to positive cultural change across the business. Reluctance to speak openly about stress is probably because the ghosts of ‘shell-shock’, ‘battle fatigue’, ‘combat neurosis’ and ‘cowardice’ still linger. Individuals are far more likely to ‘open up’ about any stress issues they have in a one-toone conversation. They’ll then be more willing to accept support and undertake treatment that allows them to return to their duties.

Dr Andrew Beale MSc FSyI FCMI GIFireE: Consultant on Strategic Leadership, National Crisis Response, Emergency Management and Security Planning

“Today’s organisations should adopt an holistic approach towards stress reduction and apply appropriate process models underpinned by total quality management principles” 47

www.risk-uk.com

Project1_Layout 1 08/09/2015 13:12 Page 1

InTheSpotlightASISInternational September2015_riskuk_apr15 10/09/2015 14:33 Page 2

In the Spotlight: ASIS International UK Chapter

Preparing for Operations in Kazakhstan ention Kazakhstan to most people in the UK and they would probably respond with any number of Borat Sagdiyev-style sayings once voiced by Sacha Baron Cohen’s popular fictional character who ‘retired’ from our television screens way back in late 2007. Many of those quizzed wouldn’t even know where the country – the ninth largest on the planet by land mass, in fact – is located. In terms of a brief history and geography lesson, Kazakhstan obtained independence from Russia in 1991. Although located in central Asia, the country prefers to describe itself as a Eurasian nation by dint of the fact that its western regions are actually located in Europe. Imparting a little more detail, China sits immediately to the east while the so-called ‘Stan’ countries – ie Uzbekistan and Turkmenistan – reside to the south. Politically speaking, President Nazarbayev has been repeatedly elected since independence and, indeed, recently polled no less than 90%-plus of the votes cast in this year’s election. This is one of the factors as to why Kazakhstan is seen by many to be both a calm and stable democracy: one that’s ‘friends with all and enemy to none’. Why, though, is it of such interest to security professionals and the security profession in general? The simple answer to this question involves oil and gas. The oil and gas industry is the main reason for Kazakhstan’s economic success over the past two decades and, in order to maintain its effectiveness, joint ventures have been created with several international partners. The international providers rely upon the expertise of expatriates and, in order to protect them, there’s a definite need to understand what ‘real’ threats actually exist when operating in the region. Corruption appears to be endemic and allegedly spreads from the highest levels of Government to lower-level civil servants and the police. There’s anecdotal evidence to support these assertions, with Transparency International ranking Kazakhstan as the joint 126th most corrupt country in the world (out of 175 declared nations). Although there have never been any direct accusations of corruption levelled at the President, some of his wider associates have been linked with alleged corruption. With stories of political positions allegedly being bestowed through patronage as opposed to competency, the opportunities and ability for

Viewed by many commentators as a calm and stable democracy that’s friends with all and enemy to none, Kazakhstan is the former soviet state located to the east of the Caspian Sea and directly south of Russia. Why, though, is the country of so much interest and intrigue to today’s practising security professionals? Andy Davis investigates corruption to occur may not only exist but could also flourish. The prospect of organised crime may be listed as ‘medium’ on the chart. While organised crime can go hand-in-hand with corruption, it’s not always as visible as it appears in other countries. However, that doesn’t mean it doesn’t exist in Kazakhstan. The country sits on the northern supply route in terms of heroin that’s leaving Afghanistan destined for Europe and China (a route said to be worth $20 billion per annum). As this falls on the old ‘Silk Route’, other commodities – including electronic goods and minerals – are also on the ‘hit list’ for potential smugglers. Wherever heroin reaches the Kazakh markets, there’s an increase in drug-related deaths, street crime and gang violence, although this is similar to the case pertaining in many UK cities.

Climate, violence and bureaucracy Probably one of the biggest threats that can directly impact safety and security in Kazakhstan centreson the extreme climate swings, from +40 degrees centigrade in the summer down to -40 degrees in the winter. While most international organisations operating in the country provide suitable protective equipment designed to handle these extremes of temperature, they do directly

Andy Davis MSc CSyP FSyI CPP SIRM: Owner and Managing Director of Trident Manor, a Member of ASIS International’s CSO Round Table Leadership Development Committee and the Technical Committee/Working Group for Investigative and Risk Assessment Standards

www.risk-uk.com

InTheSpotlightASISInternational September2015_riskuk_apr15 10/09/2015 14:33 Page 3

In the Spotlight: ASIS International UK Chapter

“Kazakhstan’s economy never truly recovered from the global economic downturn of 2008 and, with the price of oil sitting at around $50 per barrel, there’s clear evidence of a massive slowdown in development within the extractive sectors” impact operational abilities whether through an increased risk of dehydration or sunstroke through to frostbite and the cancellation of flights and ground movements. The Kazakhs are a tolerant society and, while violence exists, it doesn’t normally target expatriates. Where violence does occur, in many cases it’s due to cultural insensitivities, notably towards the Kazakh females, or during the course of street crime. Violence exists, but no more so than it does in western countries. Although several aspects of the Kazakh nation are forward-thinking, it’s also fair to state that many of the governmental procedures and processes are embedded within the soviet mentality, in much the same way that India is still referred to as having a colonialstyle civil service. Until December 2017, UK citizens can visit Kazakhstan without a visa, although stays must not exceed 15 days. Different rules exist for working in Kazakhstan. Of late, there have been several reported cases where expatriates’ visas haven’t been renewed due to the expatriate/national employee ratio being deemed too high in favour of the former.

Risks in the supply chain Aside from limited access via the Caspian Sea, Kazakhstan is landlocked and, as such, the choice of supply paths is curtailed to a few land-based routes, air transportation or the Russian inland waterways. All supply routes are threatened by the weather, with the freezing of the waterways for between four and six months of the year and land/air routes being affected by the temperature extremes mentioned previously. Basic infrastructure – ie roads, drainage systems and the rail network – varies throughout Kazakhstan, with areas in the east being well maintained while other parts of the country suffer from potholed roads, lack of drainage and airport closures (in the case of the latter, most notably during the winter). Using the UK Government’s established threat levels for potential terrorist activity, the risk of terrorism in Kazakhstan falls somewhere between ‘Moderate’ and ‘Substantial’. This might be an area where others disagree. The justification for this assertion is that, although Kazakhstan experienced terrorist attacks in

www.risk-uk.com

2011 at the hands of ‘Jund al Khalifa’ (Soldiers of the Caliphate), those episodes were relatively unsophisticated and limited in sustainability. Since the robust response to these attacks, there have not been any successful terrorist strikes against targets within Kazakhstan.

Terrorism and political succession Kazakhstan’s security services have adopted a robust approach to managing terrorist risks which appears to have served them well, at least until the present moment, but without wishing to sound contradictory, the current threat is as it is because of a number of factors, among them the approach of the security services, the social non-acceptance of terrorism and economic benefits previously experienced. Two factors would lead us to believe that, in future times, the terrorism threat is going to increase. These are the economic downturn and the ‘fall-out’ from Kazakh Islamic fighters. Kazakhstan’s economy never truly recovered following the global economic downturn of 2008 and, with the price of oil sitting at around $50 per barrel, there’s clear evidence of a massive slowdown in development within the extractive sectors. This has resulted in increased unemployment, or at the very least a distinct lack of employment opportunities. In turn, that landscape has the potential to engender increased social unrest and the opportunity for that social unrest to be exploited by radical elements. The second factor revolves around the number – believed to be near the 400 mark – of Kazakh fighters presently classed as foreign fighters. These fighters are active in Afghanistan and within the newer combat zones of Syria and North Africa. It’s anticipated these fighters will return home and bring with them newly acquired skills and experiences that can be used against the Kazakh Government as well as international targets. Kazakhstan hasn’t known life without President Nazarbayev and there are no clear succession plans in place. While Kazakhstan is a democracy, the ruling political party has no clearly identified future leader. Many of those favoured have either been found guilty of wrongdoing or physically fled the country. Given this state of political uncertainty, a void may be created that could be exploited by individuals or organisations and lead to civil unrest in tandem with internal feuding. Without addressing the succession issue while President Nazarbayev remains in relatively good health, the chances of a smooth transition of political power will be reduced.

Project1_Layout 1 05/02/2014 17:39 Page 1

Have you tried Integriti yet?

Sophistication is not about size The Integriti Security Management System is an IP connected access control and intruder security system that oﬀers sophisticated centralised management for both small systems on a single site, or large systems distributed across the country or across the globe.

With a growing list of new installations take a moment to think of what you’re missing! The Integriti system oﬀers an advanced suite of software, hardware and integrated solutions to deliver complete management of your entire integrated system.

Inner Range Europe Limited Units 10-11 Theale Lakes Business Park Moulden Way, Sulhampstead Reading, Berkshire RG74GB UNITED KINGDOM

integriti@innerrange.co.uk a4 integriti 0ne page UK.indd 1

+44 (0) 845 470 5000 www.innerrange.com 4/12/2013 8:40 am

FIATechnicalBriefing September2015_riskuk_nov14 10/09/2015 12:35 Page 1

Red Shift: The Evolution of Fire

and Rescue Services

By 2020, the total funding shortfall for the UK’s Fire and Rescue Services is estimated to be somewhere around the £600 million mark. The last five-year period alone has seen the loss of 500 front line firefighting roles. With continued austerity measures emanating from Westminster, David Smith assesses what future service provision might look like ince 2010, more than 5,000 front line firefighters’ jobs have disappeared in the UK. There are now 39 fewer Fire Stations in operation and 145 less fire appliances. The Metropolitan services have been hit particularly hard as they depend on central funding for up to two-thirds of their income. With Control Room and on-call firefighter staff members also down in number, response times to dwelling fires in England are now almost two minutes slower than they were a decade ago. The future of our Fire and Rescue Services is now strongly dependent on an effective response, not only to the ever-deteriorating financial picture – the estimated total funding shortfall by 2020 will be somewhere around £600 million – but also in terms of factors including extremes of weather, the number and types of housing and premises present and, not least, the threat of further terrorist attacks. In 2013, Sir Ken Knight CBE QFSM FIFireE produced a Government-commissioned report entitled ‘Facing The Future’ in which the former chief fire and rescue advisor duly assessed efficiencies for the Fire and Rescue Services. The 80-page document features a wide range of discussion points relating to potential changes within the Fire and Rescue Services. The Fire Industry Association’s (FIA) FIRESA Council contributed to the review. Sir Ken Knight’s report observes that the 46 Fire and Rescue Services in England harbour differing governance structures and delivery models: an example of Government’s localism policy that acts as a fundamental barrier to achieving collective efficiencies. This situation is made worse still by a paucity of sector leadership and sharing of Best Practice. In addition, the expansive review document references duplication in the design, commissioning and evaluation of firefighting products and calls for a more sensible approach towards product customisation. These are issues close to the hearts of the FIA’s members who supply Fire and Rescue Services.

David Smith PhD: Secretary of the Fire and Rescue Suppliers (FIRESA) Council and Export Manager at the Fire Industry Association

www.risk-uk.com

On the subject of procurement, Sir Ken Knight’s report refers to potential financial and other resource savings to be made through a collaborative approach. Government made clear its support for some strands of the thesis, among them collaborative procurement, infrastructure sharing, mergers and a greater proportion of on-call firefighters. Material support then came in the form of a £75 million ‘transformation fund’ that has been channelled towards 37 efficiency-generating projects. Within that overall total, £5.54 million is helping to fund the planned merger of the Wiltshire and Dorset Fire and Rescue Services.

Fire safety policy and legislation One of the key barriers to implementing change in a concerted fashion is that central Government continues to adopt a largely ‘hands off’ approach in respect of fire safety policy and legislation. It’s no coincidence that the Department for Communities and Local Government, which holds responsibility for our Fire and Rescue Services, is already the most downsized Government department. Substituting Government responsibility with sector-led change might be viewed positively in principle, but organisations such as the FIA and the Fire Sector Federation have no legislative or regulatory jurisdiction. Therefore, they’re reliant on non-mandatory solutions. There’s also a problem with a Fire and Rescue Services-led approach as, to date, such bodies have functioned largely on an autonomous basis and, hence, tended to be divergent rather than collaborative. This is manifest to premises owners who will find that their local Fire and Rescue Service’s response to an automatic fire alarm depends on where they are in the country. It’s also manifest for suppliers to the fire and rescue sector who, for example, will have to spray paint their fire appliances differing shades of red or provide one of 97 variants of ladder depending on which Fire and Rescue Service is the customer. A joint FIRESA Council/Chief Fire Officers Association (CFOA) seminar held at the Fire Service College in December last year provided an invaluable focal point for the state of play going into this year. At that event, Penny Mordaunt MP – then the appointed fire minister in Government – stated that the public sector must exist within its means and that there had to be new ways of thinking and resourcing. Indeed, Mordaunt was absolutely adamant that the pace of change must gather momentum and address issues such as product standardisation, collaborative procurement and equipment testing.

FIATechnicalBriefing September2015_riskuk_nov14 10/09/2015 12:36 Page 54

FIA Technical Briefing: Fire and Rescue Services

CFOA’s vice-president Paul Hancock – chief fire officer for the Cheshire Fire and Rescue Service – voiced strong support not just for Fire and Rescue Service collaboration, but also for ‘Blue Light’ cross-fertilisation which is coming into increasing focus. In parallel, CFOA Board member Ann Millington conceded that the Fire and Rescue Services need to be better clients and must achieve reward for collaboration rather than for separatism. Millington also welcomed the creation of a ‘national back office’ for the Fire and Rescue Services. Pivotal to the proceedings was the FIRESA Council presentation given from the suppliers’ perspective which led us through the ultimately failing National Procurement Strategy introduced by the (then) Office of the Deputy Prime Minister in 2005, the austerity measures since 2010 and via Sir Ken Knight’s report to the present time of moves designed to make substantive changes that must preserve Fire and Rescue Services’ capabilities with less financial resource.

Cuts already having an impact Examining the individual responses of the Fire and Rescue Services, it’s clear that the financial cuts have already impacted materially on front line and back room resources. This trend is set to continue. A snapshot Internet search at the time of writing yields news stories in the last month alone of cuts taking place at no less than a dozen Fire and Rescue Services. During the previous Parliament, Government had already attempted to put through a thwarted legislative order allowing local authorities to contract the private provision of Fire and Rescue Services. It may still be minded to do so, while certain Fire and Rescue Services – including London and Surrey – have already contracted out some non-front line functions. We also note that the Fire Service College was sold to Capita in 2013. Co-responding and shared ‘Blue Light’ services are much on the agenda, and there’s significant evidence that some Fire and Rescue Services are actively developing synergies with the police and ambulance services. Perhaps we’ve already reached the point at which unilateral measures within each Fire and Rescue Service cannot achieve the efficiencies and financial savings needed. In fairness, this belief has been recognised for some time. It’s

pleasing, therefore, to see the equally difficult and more nationally-driven initiatives gaining traction. However, some of these are not without controversy and will require careful debate if they’re to offer genuine improvements to the Fire and Rescue Services rather than simply serving as cost-cutting measures. A more concerted approach towards equipment specifications, evaluation and procurement are unequivocal gains that can and must be pursued.

Particular priorities and visions More contentious still is Home Secretary Theresa May’s view that the Fire and Rescue Services should fall under the ultimate jurisdiction of Police and Crime Commissioners. Not surprising, perhaps, given the low level of public support for these Commissioners and the fact that management of the police and fire services currently falls under different Government departments. Whether it’s central Government, local Government (through the Local Government Association), CFOA or other relevant bodies such as the Fire Brigades Union, each has their own priorities and visions for the future that can appear largely distinct. With Westminster maintaining what has been described as a ‘policy vacuum’ in respect of Fire and Rescue Services, it’s fair to suggest that local decisions are set to dominate over any measures implemented at the national level.

“One of the key barriers to implementing change in a concerted fashion is that central Government continues to adopt a largely ‘hands off’ approach in respect of fire safety policy and legislation” 53

www.risk-uk.com

Project1_Layout 1 04/08/2015 15:14 Page 1

3-day conference | 75 speakers Hear from an incredible line-up of speakers including: Pierre Antonio, Natural Security Alliance, France Giovanni Buttarelli, European Data Protection Supervisor, Belgium Samsung Electronics, UK Matt Smallman, Lloyds Banking Group, UK Starbug, Chaos Computer Club, Germany Jonathan Vaux, Visa Europe, UK

Conference topics include: ID management in the digital world Mobile biometric authentication Fraud prevention in payments Data protection and privacy Law enforcement and forensics New biometric technology and applications

FREE EXHIBITION

“Professionally very relevant and topical; really good speakers who know their subject” Biometrics 2014 delegate

biometrics Live View the technologies and meet with the suppliers and integrators of biometric solutions for identity management, authentication and security 14-15 OCTOBER 2015 FREE VISITOR REGISTRATION NOW OPEN

ORGANISED BY:

IN PARTNERSHIP WITH:

SPONSORED BY:

PREMIER MEDIA PARTNER:

#biometrics2015 #biometricslive

www.biometricsandidentity.com

SecurityServicesBestPracticeCasebook September2015_riskuk_apr15 10/09/2015 13:18 Page 2

Security Services: Best Practice Casebook

The Changing Landscape of the UK’s Private Security Sector: By Accident or By Design? Subtle but significant change seems to be occurring in the security guarding sector. As Paul Harvey explains in detail, this change is actively serving to professionalise security businesses, attracting new entrants to market and affording end user customers a genuine opportunity to differentiate between their potential supply partners aving started out as a part-time security officer, I’ve now been in the private security world for over 20 years (and held Board-level positions for more than 15 of them). My apprenticeship was served through Human Resources, sales and operational roles. Across those two decades, it’s absolutely fair to suggest that the landscape of this business sector – about which I’m truly passionate – has changed quite dramatically. Cast your mind back to the early 1990s. Gross margins in the security guarding market were 15% and above. Employment law was fragile. There was no consistency in training. There were huge inconsistencies in vetting standards and identity checking. There was no Government regulation and licensing, nor any sign of the voluntary Approved Contractor Scheme. The TUPE Regulations didn’t exist and there were definitely some questionable business practices. Suffice it to say that, for those of us who remember the industry of that time, the subsequent journey to arrive at where we are now has been very colourful.

Costs and unsustainable margins Discussions and arguments around increasing costs and low or unsustainable margins have been well documented. It’s also recognised that the recent economic downturn has not served as a conducive environment for being robust and resolute in a reckless manner. Security solutions providers have often been forced into underpricing their offer just to remain competitive. Likewise, the recent opportunistic and, some might say, predatory behaviour exhibited by certain companies is recognised and entirely their prerogative.

Across the last few years, survival has been the key for many security businesses. My own view is that the guarding sector continues to act as a victim of those circumstances. Margins steadfastly remain low because end user clients are still being presented with credible solutions from reputable companies at artificially low costs. Client feedback on the buying procedure regularly contests that, by way of the selection process, bidders did not provide any clear differentiation. In the absence of any such differentiation, customers will buy on price. How many times have we heard clients express the view to tendering companies that: “You all said the same thing”? Is change afoot? As the proverb states: “Necessity is the mother of invention”. Distressed markets force companies to think about survival, but they also create opportunity. As a consequence of the past five years, I firmly believe we’re witnessing the beginning of the next phase of the security guarding sector’s life, and it’s all about ‘Specialism’. Here at Ultimate Security, we’ve been successful by creating the circumstances and therefore confidence to commit to our operating model. Private ownership and sound financial stability underpins a capability to focus on our chosen market, namely prestige and high risk locations in London. We’re not in a position whereby we have to take on work at all costs. Instead, we diligently profile opportunities presented to the business. In recent times, we’ve walked away from tendering for three £1 million-plus contracts. On each occasion, this course of action was the right decision for our business, our staff and the clients involved. Our success is ‘by design’

Paul Harvey BSc (Hons) MSyI MBIFM MIoD: Commercial Director at Ultimate Security Services

55 www.risk-uk.com

SecurityServicesBestPracticeCasebook September2015_riskuk_apr15 10/09/2015 13:18 Page 3

Security Services: Best Practice Casebook

which enables us to ensure that we can charge a ‘fair and real rate’ for the services provided. What’s more, we don’t apologise for doing so. A ‘fair and real rate’ is something that the wider industry needs to address and will come to represent a significant step forward when it does. It absolutely astounds me that some buyers still don’t understand all of the constituent parts required to deliver even a basic security service and what the cost of solutions delivery really is in the real world. It’s incumbent upon the industry to change that status quo and put it right. How can clients be expected to commit to ‘real rates’ if they don’t truly understand what they’re buying? Put simply, it’s the security companies themselves who must become the agents of change. It’s no co-incidence that, for those aforementioned contracts, we found ourselves bidding against the same handful of competitors. This is a common trend in other allied sectors. Clients across all sectors are establishing their own intelligence as to who the market leaders are and which company represents a ‘best fit’ in terms of meeting corporate objectives, and most notably in the area of risk management. As client demands become more bespoke, it follows that suppliers are being driven to specialise, be it by sector or geography or a combination of both. At this point, let me be clear there’s no suggestion of a ‘one solution fits all’ here. There will always be exceptions to the rule. However, as buyers become more discerning and educated, and their demands and expectations increase, security companies face being pigeon-holed out of their control. Will the in-house management team looking after a premium building housing a high profile clientele appoint a security company that mainly operates on building sites? Probably not, yet there is a place for companies that specialise in the construction industry, as indeed there’s a place for companies supplying sub-contract staff and all of the other variations existing within our own sector.

Further segregation is likely As barriers to entry in market segments become higher, further segregation is likely to occur. What’s important is that security companies become experts in their fields and demand higher prices for their service. We must include

“How hard are security companies actually trying to ‘sell’ their services rather than just bid on margin? Let’s invest more time in considering the ‘Go/No Go’ criteria” 56

www.risk-uk.com

all of the key items required to deliver successful solutions. How hard are security companies actually trying to ‘sell’ their services rather than just bid on margin? Let’s invest more time in considering the ‘Go/No Go’ criteria for any given opportunity. Let’s be brave. We have the power to affect change so let’s believe in ourselves and be proud of what it is we do. There’s an age-old question that has been asked on many occasions: ‘Are we, the security companies, simply providing manpower or delivering a service based on managing risk?’ To achieve the latter, successful companies will have to become ‘Learning and Growth Organisations’ wherein individuals will need more expertise as well as promotional opportunities within the business. Continuing Professional Development isn’t a luxury. Rather, it’s a necessity. Isn’t it somewhat interesting that security officers are required to undertake Basic Job Training and gain a licence from the Security Industry Authority while management and directors don’t require any formal security or management expertise at all? We need to provide our people with the skills and behaviours needed to do their job. We have to invest in security management and leadership-focused qualifications, but that’s only going to be possible if we can alter present buying trends and make sure that clients invest in our journey. Pricing contracts on an artificial footing is not the way forward. Clients are now saying: “Show us what you can do”. By way of response, we must demonstrate the capability, credibility and professionalism that we know we possess. Security solutions providers are employing more sophisticated marketing strategies so the message about individual excellence is beginning to be disseminated.

Clear purpose and strategy A number of circumstances have dominated how we’ve reached the point at which we find ourselves. Everyone’s journeys have been unique. Looking ahead, the companies that flourish will be those underpinned by clear purpose and strategy. They must know who they are or what it is they want to be. Expectations of the client base are higher than at any time before and, indeed, constantly evolving within what remains a challenging security landscape. A good example of this is the concept of front line security personnel having a First Aid qualification as a bare minimum in tandem with a growing requirement for practical fire safety training being added to the first response toolkit.

Project1_Layout 1 09/09/2015 14:48 Page 1

EARLY BIRD SAVINGS Book your delegate place by 20th September 2015 and save with the Early Bird!

The National Security & Resilience Conference, hosted by the National Security & Resilience Consortium (NS&RC), will help you identify the future threats to your organisation and help you strategise and plan for your business security and resilience. For further information, conference programme and registration details visit www.nsr-conference.co.uk

Organisational security and resilience in todays climate of extreme threats National Security and Resilience combines national security needs with an in-depth understanding of the design and implementation of resilience solutions. Working collaboratively and cooperatively to provide unique, world-class security and resilience solutions in the face of increasing natural and man-made risks and threats to Governments, corporate organisations, major events, transport systems and critical national infrastructure. The National Security & Resilience Conference, hosted by the National Security & Resilience Consortium (NS&RC), will help you identify the future threats to your organisation and help you strategise and plan for your business security and resilience.

Opening Keynote Speakers include: Tony Porter, Commissioner, Surveillance Camera &RPPLVVLRQ +RPH 2IĂ&#x20AC;FH

Richard Barnes, Former Statutory Deputy Mayor of London

Speakers include: â&#x20AC;&#x201C; Phil Luxford, Director Prepare Protect and &7 6FLHQFH 26&7 +RPH 2IĂ&#x20AC;FH â&#x20AC;&#x201C; Tim Cutbill, Programme Lead, London Resilience â&#x20AC;&#x201C; Commander Wayne Chance, Commander Operations, City of London Police - Gary McManus, Project Genesius, Metropolitan Police â&#x20AC;&#x201C; Phil Sherwood, Head of Volunteer/ Workforce, Olympic Games

â&#x20AC;&#x201C; Senior Representative, CERT-UK â&#x20AC;&#x201C; Mike Fuller MBE, Director for Global Resilience and advisor to National Olympic Security Coordination Centre â&#x20AC;&#x201C; Chris McIntosh, CEO, ViaSat UK â&#x20AC;&#x201C; Paul Sawyer, Managing Director, XIX Group â&#x20AC;&#x201C; Tony Maher MSyI, MInstLM, Head of Head of International Secure Minds Training Academy (ISMTA)

For full speaker details, programme and to register visit www.nsr-conference.co.uk

Preparing your organisation for what lies ahead - securing your business future Owned & Organised by:

www.nsr-conference.co.uk

DataSecurityinContactCentres September2015_riskuk_mar15 10/09/2015 12:33 Page 1

Contact Centre Security: Fraud Not Present One of the difficulties in securing Contact Centres is the sheer number of attack vectors that can be exploited by criminals. Threats may emanate from both outside and in. They can be online or physical, brazen or covert. In short, Contact Centres – and the organisations responsible for them – face an uphill battle to successfully fend off would-be attackers.

‘The Threat From Within’

As the threat landscape changes and fraudsters are funnelled down the few remaining paths of least resistance, organisations have a duty to ensure they protect themselves, their employees and their customers from criminal activity. Matthew Bryars discusses the fraud risks that Contact Centre operations can face from their own employees and what solutions might be enacted to mitigate the dangers posed

www.risk-uk.com

ecent advances in security technology are making many payment channels safer than ever for the consumer. That’s bad news for professional fraudsters, who are being forced to concentrate on an ever-diminishing number of more vulnerable targets. One of these is the traditional Contact Centre, where the huge volume of daily Card Not Present transactions being processed, combined with often lax physical security measures, is making them an increasingly attractive target for criminals. Primarily consisting of online and telephone purchases, Card Not Present transactions remain the Achilles heel of the card payments industry, largely due to the difficulty in implementing a second authentication layer such as Chip and PIN. The recent introduction of 3-D Secure technology has had a positive impact in terms of securing online Card Not Present transactions, but telephone payments do remain somewhat vulnerable. This risk is magnified in the chaotic Contact Centre environment. Customers often don’t realise that, when they make a telephone payment via a Contact Centre agent, they’re handing over all of the details needed for someone else to use that same card on a fraudulent basis. They’re placing the security of their information in the hands of someone who is, for all intents and purposes, a total stranger. Long-term solutions to this security loophole are in development, but until such time that they’re ready for global roll-out, the Contact Centre will remain a weak link in the chain. As a result, criminals will undoubtedly continue to try and make hay while the sun shines.

The threat from within an organisation is a major concern. Not only do insiders already have access to much of the sensitive information needed to commit acts of fraud, but they’re also vulnerable to coercion from criminals looking to access this data. Insiders can be willing or unwilling participants in fraud, but the threat they pose is equally concerning. For example, a few years ago CIPHER – an independent security auditor and Quality Security Assessor – was asked to investigate suspicious activity for a bank that had noticed the unauthorised use of credit cards taking place. CIPHER quickly traced the problem back to the bank’s Contact Centre, and duly installed a key logger and network packet sniffer in order to catch the perpetrator in the act. One night an alert was triggered. A dormant account was activated, the fraud block removed and, less than 30 seconds later, an ATM was used to withdraw cash from the account in question. Through the data CIPHER was tracking and associated time stamps, it was possible to identify the Contact Centre employee involved. This employee had accessed the Contact Centre building outside of their normal shift pattern, the proof of which was picked up on a CCTV camera, and had then made use of a coworker’s desktop and account in order to transact the fraud. When all of the information was presented to the employee, including camera footage and IT evidence, the individual admitted the crime and that they had sent an accomplice a text message containing the cardholder information in order to withdraw cash from the ATM. Later on, it transpired that the individual was part of an organised crime gang found to have compromised over 15,000 credit cards. The person concerned received a two-year jail sentence for their criminal efforts. As stated, not all insider threats have malicious intent. During a recent Contact Centre audit, a site auditor witnessed telephone agents manually writing down customer

DataSecurityinContactCentres September2015_riskuk_mar15 10/09/2015 12:33 Page 2

Data Security in Contact Centres

payment information as part of the company’s continuity policy in case the IT systems went down mid-transaction. This information was then entered into a PIN pad to complete the transaction. If the transaction failed for any reason, the PIN pad slip and hand written card details were simply discarded in bins under the agents’ desks with the information intact. After witnessing this, the auditor asked where the successful transactions were kept. He was taken to an unlocked office full of PIN pad slips where his proud host told him the bulldog clips held these slips in place to defeat any draft that may mix them up!

Protecting payment card data These are, of course, two extreme examples. Generally speaking, there’s now much better awareness around the threats posed against our personal information, and in particular cardholder data. However, there are still very few advanced security controls in place to guard against the insider threat. Many organisations have taken the route of outsourcing their Contact Centres, wrongfully thinking that they’re transferring the risks associated with insider threats and other security threats. Arguably, even if the legal – ie litigation and compensation – risk is transferred, the much more costly residual risk to the brand and customer loyalty perception is still present no matter who operates the Contact Centre. Therefore, the risk remains for the organisation as well as the outsourced Contact Centre itself. In 2004, the payment card industry – ie VISA, Mastercard and American Express, etc – constructed the Payment Card Industry Data Security Standard (PCI DSS) for any business that processes card payments. In the context of telephone payments, the PCI DSS stipulates: “Do not store sensitive authentication data after authorisation (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorisation process.” The PCI DSS goes on to state that it’s only permissible for issuers and companies to store sensitive authentication data if there’s a business justification for doing so and the data concerned is securely stored.

“Not only do insiders already have access to much of the sensitive information needed to commit acts of fraud, but they’re also vulnerable to coercion from criminals looking to access this data” pause a call recording at the moment a customer payment is being made and resume it again once complete. While purposefully ‘ticking the compliance box’, this kind of solution is manually intensive, open to human error and, importantly, doesn’t guard against the insider threat. Contact Centre agents often forget to either pause before the payment or resume again afterwards, resulting in an incomplete – and, therefore, non-compliant – call recording. A more effective alternative is to use a secure telephone payment platform that prevents sensitive data from ever entering the business. At the point of payment, customer calls are re-routed via the secure platform to a PCI DSScompliant third party service. The customer then keys in payment details via their telephone keypad. For their part, the Contact Centre agents remain connected to the customer throughout the process but play no part in the payment itself, in turn removing the risk of human error and helping to protect the business against any attempts at insider fraud. This type of solution can ease the burden of storing and protecting confidential customer data on the part of the business by outsourcing the payment processing to a secure and compliant third party. Doing so ensures that all PCI DSS obligations related to telephone payments are removed from the original business (barring, that is, Requirement 12: ‘Maintain a policy that

Matthew Bryars: CEO of Aeriandi

Secure telephone platforms The PCI DSS advises businesses to use available technology in preventing sensitive data being recorded. There are numerous options to choose from. One example is pause/record. This is a rudimentary solution that allows Contact Centre agents to manually

www.risk-uk.com

Project1_Layout 1 04/08/2015 15:13 Page 1

WORLD

Conference and Exhibition

10% OFF using promotional code

MP10

TrainingandCareerDevelopment September2015_riskuk_apr15 10/09/2015 13:21 Page 2

Training and Career Development

Speculate to Accumulate A nyone who’s a ‘veteran’ within the security business sector knows that our world – and the role of the operatives within it – has changed dramatically in the last decade. On that basis, the ongoing importance of further personnel and career development, the retention of knowledge and the enhancement of training courses across the sector are all of paramount importance. Clients of private sector security companies are now asking more of their contracted security officers and managers than ever before. They’re doing so during a period of fiscal austerity wherein personnel numbers across the police service – and the Emergency Services in general – are being reduced. The potential consequences of these two truisms combined with a perceived stagnation and a lack of adaption are fast becoming the pivotal issues confronted in Security Control Rooms and company meetings right across the UK. Individuals joining the security business sector – and who are necessarily subject to Security Industry Authority (SIA) licence-linked courses – will duly gain the basic knowledge required to obtain an SIA licence and take on their role. However, it could be argued that there’s a need for additional knowledge at this stage. Unfortunately, this isn’t a mandatory requirement at present. It might be said that this comes down to the individual and their self-development, but in reality the impetus for additional learning ought to emanate from the security company via signposting or direct provision. For too long, the perception has been that an individual considers working in the security sector because their suitability for other roles is out of their reach or they merely wish to ‘top up’ money earned in their ‘first’ job. Therein lies our main problem. For many, security isn’t viewed as a career but as ‘just a job’. There’s little or no aspiration towards personal development. The biggest factor at play in this ‘stalemate’ centres on the financials of both the licence holders themselves and the security companies employing them. No longer is it the case that all licence holders look towards attending training courses delivered by known and reputable companies/instructors. Driven by economics, they’ll seek the cheapest course and not even consider taking any extra learning modules. From the security companies’ perspective, there remains fierce competition around charge

In parallel with many other companies, TCS Training provides Security Industry Authority licence-linked qualifications in all security sectors stipulated and governed by the Awarding Bodies and the Regulator. Is the level of training on offer across the sector sufficient in scope and detail to prepare learners for conducting their duties and, by extension, for today’s security companies to correctly deliver a good service? Mike Payne assesses the education landscape

rates, with high overheads and training costs adding to the financial mix. This makes it harder for them to cover costs, let alone turn a decent profit.

What makes a good trainer? The Awarding Bodies do a very good job in regulating the training sector and confirming that instructors are correctly qualified and have the required knowledge, but does an experienced security operative automatically make for a successful tutor? There are many good trainers in the security sector, all of whom warrant standing in front of students to deliver courses embellished with the knowledge they’ve gained over the years, but this doesn’t necessarily mean that the correct information is being imparted. For example, a three-year door supervisor with the correct teaching qualifications under their belt can teach a door supervision course, but what if that trainer happened to be a noneffective operator or had, at some point in time, jumped ship from one company to another due to malpractice? In this scenario, does the student receive the correct information to be able to tackle the role of door supervisor in the real world? Does the

Mike Payne: Managing Director of TCS Training

www.risk-uk.com

TrainingandCareerDevelopment September2015_riskuk_apr15 10/09/2015 13:22 Page 3

Training and Career Development

company with whom they gain employment actually enlist the services of a licence-holding operative possessing the required knowledge to represent that security company in the best way possible? Having spoken directly with security operatives, and read about or watched such cases being played out in the national media, there are allegations that some learners are being given the answers to tests by their tutors in a bid by the latter to keep their pass rates high. If a tutor has delivered the course content correctly, then students should have the foundations in place to pass the tests without the need for any ‘assistance’. If students are not able to succeed in the necessary examinations of their own volition then it’s quite simple: they shouldn’t be allowed to hold an SIA licence. How can any individual who doesn’t have a good command of the English language or harbour basic reading and writing skills read Assignment Instructions on site, write a detailed incident report or speak to clients or customers effectively? Wherever such a scenario is immediately apparent, the first question should be: ‘How did they achieve the qualification to obtain their licence?’

Security company responsibilities Millions of pounds are expended by clients to ensure that their own members of staff are trained to function to the best of their ability and represent the business in the right fashion. Security personnel represent the security company as well as the client for whom they’re working under contract. Alas, that training continuity exhibited by clients isn’t always apparent within the security companies serving them, meaning that contracts are won and lost due to the quality of the operatives rather than anything to do with contract management. Security companies need to return to the basics, starting with the recruitment process wherein every potential candidate must be tested on their abilities and level of knowledge before any employment decision is taken. Recently, we conducted some research in this area. Current SIA licence holders of between one and five years were assessed by way of a basic knowledge test on subjects covered in their initial training. The pass mark was set at

“The Awarding Bodies do a very good job in regulating the training sector and confirming that instructors are correctly qualified, but does an experienced security operative automatically make for a successful tutor?” 62

www.risk-uk.com

80%. Not one of the operatives involved achieved that recommended score. How, then, can these individuals conduct their security role with any degree of effectiveness and represent both their employing company and the client in the manner that’s required of them? The simple answer is that they cannot do so. What’s the knock-on effect of all this? Pretty much what’s happening across the UK every day. There are complaints about security personnel and police investigations and, alas, security companies losing contracts. Are the security personnel solely the ones to blame here? No. Far from it. The responsibility lies with the security companies. Do all of these companies provide further training, set out career development plans or even ensure that the operatives on site actually know what they’re supposed to be doing? In too many instances the simple answer is: ‘No’.

Speculate to accumulate Spending should not be a tick box exercise underpinned by a hope that it will work. Rather, there should be financial outlay totally relevant to the issues at hand. This should begin with security companies setting aside a realistic budget for training, incorporating new and existing staff within the mix and in a way that fits exactly with business strategy. By working with and using the expertise that a qualified training provider can offer, and focusing on bespoke educational packages, contractual obligations will be met. The correlation between the security provider and the training provider should be for a common goal, beginning with extra learning modules for existing staff, assessing competency for potential new joiners at the recruitment stage and then conducting further ongoing annual training and assessment regimes for both sets of operatives and, importantly, their managers. Similarly, the security companies should set the framework for training all new members of staff. The training provider should be looking at the extra elements outside of the basic requirements designed to suit the company. That structure sets the precedent and can be used as a Unique Selling Point when tendering for new contracts or, more importantly perhaps, maintaining current ones. There’s a need to ensure security personnel achieve the standards required in further modules such as customer service, First Aid, incident reporting, communication and counterterrorism awareness. Such knowledge can then be cemented by targeted refresher training.

paper ad_Layout 1 04/06/2015 17:59 Page 1

thepaper

Pro-Activ Publications is embarking on a revolutionary launch: a FORTNIGHTLY NEWSPAPER dedicated to the latest financial and business information for professionals operating in the security sector

Business News for Security Professionals

The Paper will bring subscribers (including CEOs, managing directors and finance directors within the UKâ&#x20AC;&#x2122;s major security businesses) all the latest company and sector financials, details of business re-brands, market research and trends and M&A activity

FOR FURTHER INFORMATION ON THE PAPER CONTACT: Brian Sims BA (Hons) Hon FSyI (Editor, The Paper and Risk UK) Telephone: 020 8295 8304 e-mail: brian.sims@risk-uk.com www.thepaper.uk.com

RiskinAction September2015_riskuk_sep15 10/09/2015 13:16 Page 1

Risk in Action SALTO Systems – and BLOC Hotels’ smart phone innovations – herald UK’s first keyless hotel According to research conducted by HRS, guest demand for the use of smart phones, tablets and corresponding Apps as part of their hotel experience is increasing rapidly. Business travellers in particular are looking for a ‘homefrom-home experience’ when it comes to the use of all forms of smart technology while resident at their chosen hotel. With that in mind, BLOC Hotels has recently opened new premises at Gatwick Airport. The hotel is spread across five floors with 245 rooms divided into standard, business and executive-level offerings. Gary Holmes, managing director of Connected Hotels (the technology division of Boxbuild) said: “The technology we’ve delivered for BLOC Hotels goes far beyond just offering smart TVs, free Wi-Fi and super-fast broadband on the premises. It encompasses mobile and web, access, self-service kiosks for check-in and tablet control of in-room systems through to Back of House operations processes, automating and integrating check-out and housekeeping.” The strategy is focused around the use of mobile Apps that are free for guests to download from the Apple App Store or Google Play. It’s then possible for residents to tap into developments such as Near Field Communications or Bluetooth Low Energy such that their own smart phones become not only their room key, but also a personalised remote control device. In terms of the locking solution for each guest room, Holmes explained to Risk UK: “SALTO Systems recommended its Aelement hotel lock as the right technology.” The benefits of Aelement at the site include instant room move and extended stay abilities.

Jersey’s airport, harbour and town centre-focused CCTV upgrade completed by Milestone Systems Milestone Systems’ XProtect Corporate and Inter-Connect solutions are helping to deliver a highly secure and flexible platform for permission-based access to over 90 CCTV cameras managed by the States of Jersey Police. The force serves a resident population of 97,800 people as well as over 700,000 visitors to Jersey each year and recognised the need for improving the reliability of the CCTV system serving Jersey’s town centre, airport and harbour, not to mention its own hq-based Custody Suites. The States of Jersey Police’s IT Department – which led the project to upgrade and bring the

www.risk-uk.com

Chelsea FC signs Rembrandt security solution from Intrepid at start of Premier League campaign This summer, Chelsea FC has been busy with pre-season preparations at its Stamford Bridge retail Megastore in readiness for the start of the new Barclays Premier League season. Closed to shoppers from the end of May, the Megastore has undergone its first major refurbishment since the official opening over a decade ago. The new, larger Megastore, which opened on Monday 3 August, features many innovations designed to improve the visitor experience. Store security and marketing tools have also been upgraded to enhance efficiencies for the Megastore’s management team. Intrepid Security was tasked to replace the existing Electronic Article Surveillance tagging system with its latest RF system. Designated Rembrandt, the systems are sited at three points in the store: one at the entrance and one at each of the two exits (one of which is only open on match days to cope with the 10,000plus fans passing through the doors). Intrepid has added five thermal overhead people counters within the Megastore. four separate CCTV systems together – worked directly with Milestone Systems’ Professional Services team on configuring the surveillance regime to meet defined requirements. As well as upgrading the CCTV cameras to IP video in the town centre, at the harbour and at the airport, the States of Jersey Police also wanted to bring all of these previously separate systems into one single centralised video management system based at its headquarters in Rouge Bouillon, St Helier. Members of the IT Department specified an IP-based, open architecture video management software platform which could provide highly secure, role-specific, desktop PC access to more than 90 cameras operational across these four set-ups. A total of 22 new IP cameras were deployed at Jersey Airport in April 2014 while a further 26 IP cameras have replaced the ageing CCTV system covering the harbour area of St Helier.

RiskinAction September2015_riskuk_sep15 10/09/2015 13:16 Page 2

Risk in Action

Zaun called in to protect extensive London Underground construction project London Underground has once again turned to high security fencing systems supplier Zaun to protect one of its sites during important construction works. MultiFence – a temporary, high security fencing and gate system developed by Zaun specifically for the London 2012 Olympic Games – is now being used to help safeguard the £1 billion upgrade of Tottenham Court Road London Underground Station. Crossrail and Transport for London are jointly redeveloping the existing 100 years-old site at Tottenham Court Road and building a new station, which is expected to be completed by 2016-2017. The work is being carried out at the intersection of Oxford Street, Charing Cross Road and Tottenham Court Road. The existing London Underground Station handles 150,000 passengers per day, a figure forecast to increase to 200,000 per day when Crossrail is fully up-and-running. Key journey times will be reduced from Tottenham Court Road to other stations including Canary Wharf (down from 21 minutes to 12 minutes), Ealing Broadway (27 minutes reduced to 12 minutes) and Heathrow (53 minutes down to just 28 minutes). The new, four-storey station will feature a Ticket Hall on Dean Street, three new station entrances, step-free access, additional escalators delivering passengers to the Northern Line platforms, a public piazza and dedicated access to the Central Line platforms. Previously, Zaun’s MultiFence had been deployed to provide protection for construction works at nearby St Paul’s London Underground Station, at Kings Cross Station and also at the Bull Ring complex in central Birmingham. Zaun became synonymous with temporary security fencing when it installed the 20 km boundary for the main Olympic Park ahead of the 2012 Olympic and Paralympic Games.

LOCKEN works diligently across the UK and Europe to secure large-scale exhibition venues LOCKEN – the specialist developer of cable-free access control regimes whose solution concentrates on power, intelligence and communication in one smart key – is working with a number of UK and European companies to secure their large-scale exhibition venues. Exhibition and conference centres employ hundreds of staff and, when an event is running, witness thousands of visitors pass through their doors each day. On that basis, it’s vital that their infrastructure, assets, members of staff, service providers and customers alike can operate in a safe and secure environment, all backed-up by a robust access control solution. With clients including The NEC in Birmingham, The Convention Centre, Dublin and Marseille’s Chanot Exhibition and Convention Centre, LOCKEN provides a secure and traceable access control management solution based on proven CyberLock technology. “The LOCKEN system enables us to provide bespoke access for our clients as and when it’s required,” asserted Philip Hartigan, head of security at The Convention Centre in Dublin. “It allows us to monitor and restrict access to specific areas, meaning that we’ve been able to re-allocate security officers who were previously responsible for opening restricted access areas, signing out keys and monitoring key registers to other duties.” Nick Dooley, managing director of LOCKEN UK, told Risk UK: “Ensuring the safety of people and the security of goods while providing maximum productivity are our main priorities. Monitoring and controlling restricted access is key, with data capture and analysis providing vital information.”

Mission-critical management solutions for Atos taken care of by Siemens Datacenter Clarity LC Atos is a leading global IT solutions provider responsible for ensuring the security, reliability and continuity of its customers’ critical business information and resources. The company provides fully-managed services for its clients who operate across a wide range of industries. With four data centres strategically located throughout the UK and customers around the world, Atos’ management team decided to invest in a state-of-theart data centre infrastructure management (DCIM) solution for one of its key locations that would actively deliver a single, consolidated view of all that data centre’s IT and facilities operations from a single workstation. In a bid to increase overall energy efficiencies and cut back on utility costs for its customers, Atos required detailed, rack-specific power consumption data with real-time temperature monitoring and heat map visualisation. The company decided to implement Datacenter Clarity LC – the advanced software solution suite developed by Siemens Building Technologies – at its first data centre in Livingston, Scotland. The intuitive, easy-to-use DCIM interface processes information from vital sub-systems that traditionally operate in silos into a single solution that monitors security and fire safety.

www.risk-uk.com

TechnologyinFocus September2015_riskuk_sep15 10/09/2015 13:19 Page 1

Technology in Focus Reinforced High Fence protection system introduced to UK security sector end users by Mojo Barriers

Consisting of one metre wide by 2.4 metre-high sections, the reinforced High Fence aluminium barrier system developed by Mojo Barriers allows security personnel to create resilient restricted zones and segregate crowds. High Fence is described as “far more robust and aesthetically attractive” than the usual ‘wire-style’ fencing and similar types of barricade often used in physical security projects. Doors and gates are available for seamless integration within the barrier line, in turn ensuring that fire safety, access and egress regulations for temporary barrier solutions are always met. Designed and manufactured in accordance with the high specifications stipulated by the organisers of the G20 Summit in Brisbane, Australia last November, High Fence is now available to the international security and policing sectors. At the G20 Summit, a 2.5 km High Fence system was used across the city to create restricted zones and ensure security for heads of state. www.mojobarriers.com

Honeywell’s R600 Digital Video Manager improves operator efficiencies and mitigates business risk

Honeywell has announced enhancements to Digital Video Manager (DVM). The latest release, DVM R600, will enable end user organisations to more efficiently manage their security system with enhanced mobile capabilities and voice commands while at the same time mitigating business risk. Major updates to DVM include enhanced system access and usability designed to improve operator efficiencies and reaction time. Security personnel can now access HD, full-frame rate video on a mobile device, for example, in turn enabling continuous monitoring from almost any location. Operators may also control DVM using voice commands to more easily manage multiple video feeds and request near real-time system updates. “Every second is important to a business when an incident occurs, and security staff must take immediate action if there’s a threat,” said John Rajchert, president of Honeywell Building Solutions. “The latest update to DVM helps operators quickly identify and react to an issue to help mitigate the impact on safety and business continuity, no matter if they’re in front of a central workstation or find themselves on the opposite side of a campus.” Along with an improved user experience, DVM R600 promotes IT integration and compliance with support for current Microsoft operating systems and databases (including Windows Server 2012, Windows 8.1, Internet Explorer 11 and SQL Server 2014). In addition, DVM R600 allows end customers to deploy and intelligently group multiple back-up servers to boost system robustness. This helps protect surveillance systems from failures. DVM is a component of Honeywell’s Enterprise Buildings Integrator. www.honeywell.com/security/uk

360 Vision Technology and Meyertech partnership delivers effective ONVIF-compliant systems integration

CCTV specialist 360 Vision Technology – working in conjunction with systems control concern Meyertech – has developed fast and easy set-up and “deep control” for its range of ONVIF-compliant security cameras. The manufacturers’ long-term technical partnership extends much further than just a shared protocol, as Mark Rees (business development director at 360 Vision Technology) explained to Risk UK. “From the design stage of any new product, our respective R&D teams interact to ensure the camera equipment we introduce to market is as best performing and simple to use as it can possibly be.” www.360visiontechnology.com

MAGIC dual motion detectors from Vanderbilt awarded prestigious NF, INCERT, IMQ and VdS approvals

Models in Vanderbilt’s MAGIC range of dual motion detectors have been awarded several prestigious European approvals. One of the most important approvals in France, the NF standard confirms that products are suitable for use in applications where compliance is required by the end users of security systems and their insurers. INCERT is recognised all over Belgium and the Netherlands where the markets demand high end products and systems while IMQ is Italy’s most important certification body – and a European leader – in conformity assessments. www.vanderbiltindustries.com

66 www.risk-uk.com

TechnologyinFocus September2015_riskuk_sep15 10/09/2015 13:19 Page 2

Technology in Focus

Cheshire Fire and Rescue Service keeps public informed with Crowd ControlHQ’s social media platform

Cheshire Fire and Rescue Service is using a risk management and compliance platform devised by CrowdControlHQ to monitor and govern its corporate social media accounts including Twitter and Facebook. Cheshire Fire and Rescue Service employs social media for two-way communication with county stakeholders, including other Fire and Rescue Services and local Government officials and businesses. There has been an increase in engagement witnessed across all accounts in the last two years, which has seen the number of Twitter followers double to over 17,000. Using CrowdControlHQ makes it possible to manage corporate social media accounts from a single point. Cheshire Fire and Rescue Service has chosen to have just one account for each social media channel rather than every fire station or area of the service actively posting to designated individual accounts. James Leavesley, CEO at CrowdControlHQ, said: “Using a risk and compliance platform affords organisations the confidence that they can manage and respond to social media communications effectively and consistently.” www.crowdcontrolhq.com

Wavestore’s VMS now integrated with Immix Command Center The Immix Command Center is a web-based networked solution specifically designed for enterprise businesses and Central Stations to protect critical assets. “In simple terms, we’ve achieved a high level of integration between the Wavestore and Immix Command Center software platforms, enabling operators to effortlessly control the management of alarms and associated video,” said Craig Evans, managing director of SureView Systems. As a result of the integration, alarms reported via the Immix Command Center are automatically linked to the live video stream of any associated cameras connected to the Wavestore VMS, allowing operators to verify that an incident is taking place and then respond accordingly.

Axis Communications expands HDTV PTZ dome IP camera options with competitively priced entrylevel models for end users The new entry-level IP camera models in Axis Communications’ P55 Series offer HDTV image quality, improved light sensitivity and increased video analytics performance for risk professionals. Following the launches of the Axis P56, Axis Q61 and Axis V59 PTZ dome network cameras earlier this year, the company has now updated its entire mid-range and highend portfolio of PTZ network cameras. Axis P5514 and Axis P5515 are indoor cameras suitable for monitoring auditoriums, shopping centres and hotel reception areas. The Axis P5514 is an HDTV 720p camera with 12x optical zoom and IP51 protection against dust ingress. The Axis P5515 offers the same zoom performance and dust protection capability but also features HDTV 1080p resolution for greater image detail. The Axis P5514-E and Axis P5515-E are outdoor versions. Axis P5514-E is an IP66protected camera that’s resistant to water, wind and snow. Its HDTV 720p resolution and 12x zoom makes it perfect for monitoring smaller external areas. Designated Axis P5515-E, the HDTV 1080p version offers a higher resolution as well as 12x zoom and IP66 protection, in turn making it resilient against conditions in tough operational environments. www.axis.com

Both pre-alarm and post-alarm images from multiple cameras can be displayed alongside each other on a single screen such that operators might make quick and effective decisions. There’s also an option to set up e-mail alerts so that, when an alarm is received, a snapshot or video clip of the incident may be sent to a designated key holder or security manager. The Immix Command Center is fully compatible with the very latest version of Wavestore’s VMS. Wavestore 5.50 incorporates a long list of new and improved features designed to extend the lifespan of video surveillance systems and unlock the full potential of integrated security for end users. The Wavestore VMS offers much more than just video and recording management. www.wavestore.com

www.risk-uk.com

Project1_Layout 1 04/08/2015 15:16 Page 1

MEET WITH THE BIGGEST AND BEST SECURITY SOLUTION PROVIDERS IN THE UK AT THE...

19th - 20th October 2015 - Whittlebury Hall Hotel & Spa, Northamptonshire The Total Security Summit is a highly focussed event that brings together security professionals for one-to-one business meetings, interactive seminars and valuable networking opportunities. These experts offer the latest security solutions to help attendees discuss their plans, generate new ideas and share information in a non-pressured environment.

To book now or for more information, call Nick Stannard on 01992 374100 or email tss@forumevents.co.uk

Media & Industry Partners:

Appointments September2015_riskuk_jul15 10/09/2015 12:19 Page 1

Appointments

William Hague

The Council of the Royal United Services Institute for Defence and Security Studies (RUSI) has announced that the Right Honourable William Hague is the organisation’s next chairman, taking over from Lord Hutton of Furness who has been in this role since 2010. William Hague served as the Conservative Party’s Member of Parliament for Richmond, Yorkshire from 1989 to 2015. He first entered the Cabinet in 1995 and led the Conservative Party from 1997 to 2001. From 2010 to 2014, Hague served as Foreign Secretary and, between 2014 and earlier this year, was Leader of the House of Commons. Welcoming Hague to RUSI, director general Professor Michael Clarke said: “The Right Honourable William Hague is the most ideal choice of chairman. His experience at the very top of UK politics since 1997 is unrivalled while his status as a global figure is right for the next phase of RUSI’s development.” In response, William Hague commented: “I’m very pleased to be joining RUSI. At a time when we face an increasingly complex and unstable world, we need ever-greater insight and scrutiny into the challenges confronting our global security and defence. I look forward to working with Michael Clarke, who has led the organisation so impressively, and his team.” RUSI exists as an independent Think Tank engaged in cutting-edge defence and security research. A unique institution founded by the Duke of Wellington back in 1831, RUSI embodies nearly two centuries of forwardthinking, free discussion and careful reflection on defence and security matters.

Dr Simon Harwood Cranfield University has appointed Dr Simon Harwood as director of defence and security. Dr Harwood joins from Boeing where he was director of strategy and business development for Phantom Works International addressing emerging global market opportunities. Dr Harwood will now work with colleagues and partners around the world to grow defence-related education and research across the university, and most notably within Cranfield Defence and Security – the institution’s embedded partnership within the UK’s Defence Academy at Shrivenham. Referencing his new role, Dr Harwood told Risk UK: “It’s with eager anticipation that I

Appointments Risk UK keeps you up-to-date with all the latest people moves in the security, fire, IT and Government sectors Baroness Eliza Manningham-Buller

Baroness Eliza Manningham-Buller is confirmed as a co-president of the Royal Institute of International Affairs (Chatham House), replacing Liberal Democrat peer Lord Paddy Ashdown of Norton-sub-Hamdon who steps down after ten years in the role. The appointment of Baroness ManninghamBuller as a co-president of Chatham House, the independent London-based policy institute, was confirmed at the organisation’s recent Annual General Meeting. Baroness Manningham-Buller now joins Sir John Major and Baroness Scotland of Asthal as a co-president of the organisation. Eliza Manningham-Buller was director general of the UK’s Security Service (MI5) between 2002 and 2007 and became an independent life peer in 2008. She served as chairman of Imperial College London from 2011 to 2015. Importantly, the Baroness brings to Chatham House an extensive knowledge of – and experience in – international security. Speaking about her new role, Baroness Manningham-Buller said: “I’m delighted to be elected as a Chatham House president at this important time in the Institute’s history while it grapples with a complex and interconnected agenda of policy challenges.” A president’s term at Chatham House lasts for five years and is renewable only once. There are no governance responsibilities. The latter reside solely with the Institute’s Council. start work at Cranfield, growing and exploiting its existing and unique set of capabilities, expertise and facilities to deliver practical solutions through research and education.” Dr Harwood was educated at the University of Hull where he gained an Honours Degree in Chemistry with Bio-Organic Chemistry and Toxicology and, in addition, a PhD in Liquid Crystal Chemistry. His professional qualifications include Innovation in Business and Executive Leadership from Cambridge University’s Judge Business School and Building Businesses in Emerging Markets, attained at the Harvard Business School. As the appointed academic solutions provider to the UK’s MoD, Cranfield is at the forefront of the security and defence fields.

www.risk-uk.com

Appointments September2015_riskuk_jul15 10/09/2015 12:19 Page 2

Appointments

Paul Rankin

Ian Moore

Ian Moore is the new CEO at the Fire Industry Association (FIA). He succeeds Graham Ellicott in this important sector role. Moore joins from Elmdene International, where he served as managing director from April 2010. Following a decade-long tenure in the Royal Navy, Moore worked at Chubb and concentrated on fire system sales for three years. He then worked at Cerberus (now Siemens) for seven years, three of them spent as general manager of Cerberus Taiwan. Moore also headed up Cerberus Dubai for a similar time period. Moving back to the UK, Moore then established a fire and gas division of Zellweger Analytics (now Honeywell). He became interested in video processing as a method of fire detection and joined ISL as managing director, helping to develop analytics-based fire detection solutions as well as other specialised systems. This period culminated in Moore and the business winning the Queen’s Award for Innovation. Speaking about Moore’s appointment at the FIA, Martin Harvey – the not-forprofit Trade Association’s chairman – enthused: “Ian’s knowledge and the 25 years-plus experience he has amassed within the fire business sector will make a significant contribution to our organisation.”

Bob Forsyth

Facilities management specialist Mitie Group plc has appointed Bob Forsyth as the new managing director of its Environmental + cleaning business (one of the largest specialist cleaning operations in Britain). The cleaning business is commercially central to Mitie Group plc, generating no less than £400 million in revenues every year and employing upwards of 33,000 cleaning staff across the country. Forsyth adds this new position to his existing responsibilities as managing director of Mitie Total Security Management (TSM) which provides integrated and risk-based approaches for a plethora of blue chip clients. Now with over ten years’ experience at Mitie, Forsyth will focus on bringing innovation to the cleaning industry based on his strong performance and proven success in leading the security business for the last six years. In tandem, Jason Towse will now widen his remit. As managing director of Mitie’s TSM business, Towse will be responsible for both people and technology services, supporting Forsyth and continuing to grow this element of Mitie’s offer within the security sector. “I’m excited to have been given the opportunity to widen my remit within Mitie,” explained Forsyth. “Jason will continue to inspire change in the security sector and drive our TSM business forward with security convergence and cyber high on his agenda.”

www.risk-uk.com

Securitas Security Services UK has reported the appointment of Paul Rankin – a seasoned aviation professional with 30 years’ airport operations and safety management experience – as the company’s new director of Fire and Safety Services. Rankin joins the business from Regional and City Airports Limited where, as the company’s director of regulatory compliance and head of airfield operations, he was directly responsible for ensuring the safe and effective management of airports within the business’ management services division. As director of Fire and Safety Services at Securitas, Rankin will now help develop the capability and service delivery of the company. Speaking about Rankin’s new role, Brian Riis Nielsen – Country President at Securitas – explained: “Paul is an experienced and inspirational leader with an impressive track record of senior management across what is a highly regulated industry. We’re delighted to welcome him to the team.”

Scott Samme and Tayyaba Arif

PwC has appointed two new data analytics directors to the UK company’s Financial Services Risk and Regulation team. Scott Samme and Tayyaba Arif immediately join the leadership team of PwC’s Financial Services Advanced Risk and Compliance Analytics (ARCA) practice. Samme moves to the company from EY where he was a leader in the Compliance IT Advisory practice. He has worked with several large banks on global financial crime compliance programmes to address regulatory concerns. In his new role, Samme will focus on leading the analytics financial crime and compliance team within ARCA. Tayyaba Arif joins PwC from Accenture where she led on data management and governance at Accenture Digital. Arif has over 12 years’ experience in helping many organisations develop their data vision and strategy as well as managing and delivering complex multi-site data programmes. Within the ARCA practice, Arif will lead the Data Management and Governance function.

sep15 dir_000_RiskUK_jan14 10/09/2015 15:33 Page 1

Best Value Security Products from Insight Security www.insight-security.com Tel: +44 (0)1273 475500 ...and lots more Computer Security

Anti-Climb Paints & Barriers

Metal Detectors (inc. Walkthru)

Security, Search & Safety Mirrors

ACCESS CONTROL

Security Screws & Padlocks, Hasps Fastenings & Security Chains

Key Safes & Key Control Products

Traffic Flow & Management

see our website

ACCESS CONTROL – BARRIERS GATES & ROAD BLOCKERS

FRONTIER PITTS Crompton House, Crompton Way, Manor Royal Industrial Estate, Crawley, West Sussex RH10 9QZ Tel: 01293 548301 Fax: 01293 560650 Email: sales@frontierpitts.com Web: www.frontierpitts.com

ACCESS CONTROL

ACT ACT – Ireland, Unit C1, South City Business Centre Tallaght, Dublin 24 Tel: +353 (0)1 4662570 ACT - United Kingdom, 2C Beehive Mill Jersey Street, Manchester M4 6JG +44 (0)161 236 3820 sales@act.eu www.act.eu

ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES

UKB INTERNATIONAL LTD ACCESS CONTROL

APT SECURITY SYSTEMS The Power House, Chantry Place, Headstone Lane, Harrow, HA3 6NY Tel: 020 8421 2411 Email: info@aptcontrols.co.uk www.aptcontrols-group.co.uk

Planet Place, Newcastle upon Tyne Tyne and Wear NE12 6RD Tel: 0845 643 2122 Email: sales@ukbinternational.com Web: www.ukbinternational.com

B a r r i e r s , B l o c k e r s , B o l l a r d s , PA S 6 8

ACCESS CONTROL, CCTV & INTRUSION DETECTION SPECIALISTS

SIEMENS SECURITY PRODUCTS ACCESS CONTROL

KERI SYSTEMS UK LTD Tel: + 44 (0) 1763 273 243 Fax: + 44 (0) 1763 274 106 Email: sales@kerisystems.co.uk www.kerisystems.co.uk

Suite 7, Castlegate Business Park Caldicot, South Wales NP26 5AD UK Main: +44 (0) 1291 437920 Fax: +44 (0) 1291 437943 email: securityproducts.sbt.uk@siemens.com web: www.siemens.co.uk/securityproducts

ACCESS CONTROL & DOOR HARDWARE

ALPRO ARCHITECTURAL HARDWARE

ACCESS CONTROL

COVA SECURITY GATES LTD Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68

Tel: 01293 553888 Fax: 01293 611007 Email: sales@covasecuritygates.com Web: www.covasecuritygates.com

Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks, Waterproof Keypads, Door Closers, Deadlocks plus many more T: 01202 676262 Fax: 01202 680101 E: info@alpro.co.uk Web: www.alpro.co.uk

ACCESS CONTROL – SPEED GATES, BI-FOLD GATES ACCESS CONTROL MANUFACTURER

NORTECH CONTROL SYSTEMS LTD. Nortech House, William Brown Close Llantarnam Park, Cwmbran NP44 3AB Tel: 01633 485533 Email: sales@nortechcontrol.com www.nortechcontrol.com

HTC PARKING AND SECURITY LIMITED 4th Floor, 33 Cavendish Square, London, W1G 0PW T: 0845 8622 080 M: 07969 650 394 F: 0845 8622 090 info@htcparkingandsecurity.co.uk www.htcparkingandsecurity.co.uk

ACCESS CONTROL - BARRIERS, BOLLARDS & ROADBLOCKERS

ACCESS CONTROL

HEALD LTD

INTEGRATED DESIGN LIMITED

HVM High Security Solutions "Raptor" "Viper" "Matador", Shallow & Surface Mount Solutions, Perimeter Security Solutions, Roadblockers, Automatic & Manual Bollards, Security Barriers, Traffic Flow Management, Access Control Systems

Integrated Design Limited, Feltham Point, Air Park Way, Feltham, Middlesex. TW13 7EQ Tel: +44 (0) 208 890 5550 sales@idl.co.uk www.fastlane-turnstiles.com

Tel: 01964 535858 Email: sales@heald.uk.com Web: www.heald.uk.com

www.insight-security.com Tel: +44 (0)1273 475500

sep15 dir_000_RiskUK_jan14 10/09/2015 15:33 Page 2

ACCESS CONTROL

CCTV

SECURE ACCESS TECHNOLOGY LIMITED

G-TEC

Authorised Dealer Tel: 0845 1 300 855 Fax: 0845 1 300 866 Email: info@secure-access.co.uk Website: www.secure-access.co.uk

Gtec House, 35-37 Whitton Dene Hounslow, Middlesex TW3 2JN Tel: 0208 898 9500 www.gtecsecurity.co.uk sales@gtecsecurity.co.uk

ACCESS CONTROL â&#x20AC;&#x201C; BARRIERS, GATES, CCTV

ABSOLUTE ACCESS

CCTV/IP SOLUTIONS

Aberford Road, Leeds, LS15 4EF Tel: 01132 813511 E: richard.samwell@absoluteaccess.co.uk www.absoluteaccess.co.uk Access Control, Automatic Gates, Barriers, Blockers, CCTV

DALLMEIER UK LTD 3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH Tel: +44 (0) 117 303 9 303 Fax: +44 (0) 117 303 9 302 Email: dallmeieruk@dallmeier.com

BUSINESS CONTINUITY CCTV & IP SECURITY SOLUTIONS

BUSINESS CONTINUITY MANAGEMENT

CONTINUITY FORUM Creating Continuity ....... Building Resilience A not-for-profit organisation providing help and support Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845 Email: membership@continuityforum.org Web: www.continuityforum.org

PANASONIC SYSTEM NETWORKS EUROPE Panasonic House, Willoughby Road Bracknell, Berkshire RG12 8FP Tel: 0844 8443888 Fax: 01344 853221 Email: system.solutions@eu.panasonic.com Web: www.panasonic.co.uk/cctv

COMMUNICATIONS & TRANSMISSION EQUIPMENT

PHYSICAL IT SECURITY

KBC NETWORKS LTD.

RITTAL LTD

Barham Court, Teston, Maidstone, Kent ME18 5BZ www.kbcnetworks.com Phone: 01622 618787 Fax: 020 7100 8147 Email: emeasales@kbcnetworks.com

Tel: 020 8344 4716 Email: information@rittal.co.uk www.rittal.co.uk

DIGITAL IP CCTV

SESYS LTD High resolution ATEX certified cameras, rapid deployment cameras and fixed IP CCTV surveillance solutions available with wired or wireless communications.

TO ADVERTISE HERE CONTACT: Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk

1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333 Email: info@sesys.co.uk www.sesys.co.uk

INFRA-RED, WHITE-LIGHT AND NETWORK CCTV LIGHTING

RAYTEC Unit 3 Wansbeck Business Park, Rotary Parkway, Ashington, Northumberland. NE638QW Tel: 01670 520 055 Email: sales@rayteccctv.com Web: www.rayteccctv.com

CCTV

CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS

CCTV SPECIALISTS

ALTRON COMMUNICATIONS EQUIPMENT LTD

PLETTAC SECURITY LTD

Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ Tel: +44 (0) 1269 831431 Email: cctvsales@altron.co.uk Web: www.altron.co.uk

Unit 39 Sir Frank Whittle Business Centre, Great Central Way, Rugby, Warwickshire CV21 3XH Tel: 01788 567811 Fax: 01788 544 549 Email: jackie@plettac.co.uk www.plettac.co.uk

www.insight-security.com Tel: +44 (0)1273 475500

sep15 dir_000_RiskUK_jan14 10/09/2015 15:33 Page 3

WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS, PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.

MAYFLEX Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ

TO ADVERTISE HERE CONTACT:

Tel: 0800 881 5199 Email: securitysales@mayflex.com Web: www.mayflex.com

Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk

CCTV & IP SOLUTIONS, POS & CASH REGISTER INTERFACE, EPOS FRAUD DETECTION

THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS CONTROL AND INTRUDER DETECTION SOLUTIONS

AMERICAN VIDEO EQUIPMENT

NORBAIN SD LTD

Endeavour House, Coopers End Road, Stansted, Essex CM24 1SJ Tel : +44 (0)845 600 9323 Fax : +44 (0)845 600 9363 E-mail: avesales@ave-uk.com

CONTROL ROOM & MONITORING SERVICES

ADVANCED MONITORING SERVICES

EUROTECH MONITORING SERVICES LTD.

Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring • Vehicle Tracking • Message Handling • Help Desk Facilities • Keyholding/Alarm Response Tel: 0208 889 0475 Fax: 0208 889 6679 E-MAIL eurotech@eurotechmonitoring.net Web: www.eurotechmonitoring.net

DISTRIBUTORS

210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP Tel: 0118 912 5000 Fax: 0118 912 5001 www.norbain.com Email: info@norbain.com

EMPLOYMENT

FIRE AND SECURITY INDUSTRY RECRUITMENT

SECURITY VACANCIES www.securityvacancies.com Telephone: 01420 525260

EMPLOYEE SCREENING SERVICES

THE SECURITY WATCHDOG Cross and Pillory House, Cross and Pillory Lane, Alton, Hampshire, GU34 1HL, United Kingdom www.securitywatchdog.org.uk Telephone: 01420593830

IDENTIFICATION

sales@onlinesecurityproducts.co.uk www.onlinesecurityproducts.co.uk

ADI ARE A LEADING GLOBAL DISTRIBUTOR OF SECURITY PRODUCTS OFFERING COMPLETE SOLUTIONS FOR ANY INSTALLATION.

ADI GLOBAL DISTRIBUTION Chatsworth House, Hollins Brook Park, Roach Bank Road, Bury BL9 8RN Tel: 0161 767 2900 Fax: 0161 767 2909 Email: info@adiglobal.com

COMPLETE SOLUTIONS FOR IDENTIFICATION

DATABAC GROUP LIMITED 1 The Ashway Centre, Elm Crescent, Kingston upon Thames, Surrey KT2 6HH Tel: +44 (0)20 8546 9826 Fax:+44 (0)20 8547 1026 enquiries@databac.com

www.insight-security.com Tel: +44 (0)1273 475500

sep15 dir_000_RiskUK_jan14 10/09/2015 15:33 Page 4

INDUSTRY ORGANISATIONS

PERIMETER PROTECTION

GPS PERIMETER SYSTEMS LTD TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY

BRITISH SECURITY INDUSTRY ASSOCIATION

14 Low Farm Place, Moulton Park Northampton, NN3 6HY UK Tel: +44(0)1604 648344 Fax: +44(0)1604 646097 E-mail: info@gpsperimeter.co.uk Web site: www.gpsperimeter.co.uk

Tel: 0845 389 3889 Email: info@bsia.co.uk Website: www.bsia.co.uk

PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB

INSIGHT SECURITY

THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY

SSAIB

Unit 2, Cliffe Industrial Estate Lewes, East Sussex BN8 6JL Tel: 01273 475500 Email:info@insight-security.com www.insight-security.com

7-11 Earsdon Road, West Monkseaton Whitley Bay, Tyne & Wear NE25 9SX Tel: 0191 2963242 Web: www.ssaib.org

POWER POWER SUPPLIES – DC SWITCH MODE AND AC

INTEGRATED SECURITY SOLUTIONS

DYCON LTD Cwm Cynon Business Park, Mountain Ash, CF45 4ER Tel: 01443 471 060 Fax: 01443 479 374 Email: marketing@dyconsecurity.com www.dyconsecurity.com The Power to Control; the Power to Communicate

SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

HONEYWELL SECURITY GROUP Honeywell Security Group provides innovative intrusion detection, video surveillance and access control products and solutions that monitor and protect millions of facilities, offices and homes worldwide. Honeywell integrates the latest in IP and digital technology with traditional analogue components enabling users to better control operational costs and maximise existing investments in security and surveillance equipment. Honeywell – your partner of choice in security. Tel: +44 (0) 844 8000 235 E-mail: securitysales@honeywell.com Web: www.honeywell.com/security/uk

STANDBY POWER

UPS SYSTEMS PLC Herongate, Hungerford, Berkshire RG17 0YU Tel: 01488 680500 sales@upssystems.co.uk www.upssystems.co.uk

UPS - UNINTERRUPTIBLE POWER SUPPLIES

ADEPT POWER SOLUTIONS LTD

INTEGRATED SECURITY SOLUTIONS

INNER RANGE EUROPE LTD Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead, Reading, Berkshire RG74GB, United Kingdom Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001 Email: ireurope@innerrange.co.uk www.innerrange.com

SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

Adept House, 65 South Way, Walworth Business Park Andover, Hants SP10 5AF Tel: 01264 351415 Fax: 01264 351217 Web: www.adeptpower.co.uk E-mail: sales@adeptpower.co.uk

UPS - UNINTERRUPTIBLE POWER SUPPLIES

UNINTERRUPTIBLE POWER SUPPLIES LTD Woodgate, Bartley Wood Business Park Hook, Hampshire RG27 9XA Tel: 01256 386700 5152 e-mail: sales@upspower.co.uk www.upspower.co.uk

TYCO SECURITY PRODUCTS Heathrow Boulevard 3, 282 Bath Road, Sipson, West Drayton. UB7 0DQ / UK Tel: +44 (0)20 8750 5660 www.tycosecurityproducts.com

PERIMETER PROTECTION

ADVANCED PRESENCE DETECTION AND SECURITY LIGHTING SYSTEMS

TO ADVERTISE HERE CONTACT: Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk

GJD MANUFACTURING LTD Unit 2 Birch Business Park, Whittle Lane, Heywood, OL10 2SX Tel: + 44 (0) 1706 363998 Fax: + 44 (0) 1706 363991 Email: info@gjd.co.uk www.gjd.co.uk

www.insight-security.com Tel: +44 (0)1273 475500

sep15 dir_000_RiskUK_jan14 10/09/2015 15:33 Page 5

SECURITY

INTRUDER ALARMS – DUAL SIGNALLING

WEBWAYONE LTD CASH & VALUABLES IN TRANSIT

CONTRACT SECURITY SERVICES LTD Challenger House, 125 Gunnersbury Lane, London W3 8LH Tel: 020 8752 0160 Fax: 020 8992 9536 E: info@contractsecurity.co.uk E: sales@contractsecurity.co.uk Web: www.contractsecurity.co.uk

11 Kingfisher Court, Hambridge Road, Newbury Berkshire, RG14 5SJ Tel: 01635 231500 Email: sales@webwayone.co.uk www.webwayone.co.uk www.twitter.com/webwayoneltd www.linkedin.com/company/webwayone

LIFE SAFETY EQUIPMENT

C-TEC QUALITY SECURITY AND SUPPORT SERVICES

CONSTANT SECURITY SERVICES Cliff Street, Rotherham, South Yorkshire S64 9HU Tel: 0845 330 4400 Email: contact@constant-services.com www.constant-services.com

Challenge Way, Martland Park, Wigan WN5 OLD United Kingdom Tel: +44 (0) 1942 322744 Fax: +44 (0) 1942 829867 Website: http://www.c-tec.co.uk

PERIMETER SECURITY

TAKEX EUROPE LTD FENCING SPECIALISTS

J B CORRIE & CO LTD Frenchmans Road Petersfield, Hampshire GU32 3AP Tel: 01730 237100 Fax: 01730 264915 email: fencing@jbcorrie.co.uk

Aviary Court, Wade Road, Basingstoke Hampshire RG24 8PE Tel: +44 (0) 1256 475555 Fax: +44 (0) 1256 466268 Email: sales@takex.com Web: www.takex.com

SECURITY EQUIPMENT INTRUSION DETECTION AND PERIMETER PROTECTION

OPTEX (EUROPE) LTD Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre optic perimeter security solutions are owned by Optex. Platinum House, Unit 32B Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311 Email: sales@optex-europe.com www.optex-europe.com

PYRONIX LIMITED Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY. Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042 www.facebook.com/Pyronix www.linkedin.com/company/pyronix www.twitter.com/pyronix

SECURITY SYSTEMS INTRUDER AND FIRE PRODUCTS

CQR SECURITY 125 Pasture road, Moreton, Wirral UK CH46 4 TH Tel: 0151 606 1000 Fax: 0151 606 1122 Email: andyw@cqr.co.uk www.cqr.co.uk

BOSCH SECURITY SYSTEMS LTD PO Box 750, Uxbridge, Middlesex UB9 5ZJ Tel: 01895 878088 Fax: 01895 878089 E-mail: uk.securitysystems@bosch.com Web: www.boschsecurity.co.uk

SECURITY EQUIPMENT INTRUDER ALARMS – DUAL SIGNALLING

CSL DUALCOM LTD Salamander Quay West, Park Lane Harefield , Middlesex UB9 6NZ T: +44 (0)1895 474 474 F: +44 (0)1895 474 440 www.csldual.com

CASTLE Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042 www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity

www.twitter.com/castlesecurity

INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS

SECURITY SYSTEMS

RISCO GROUP

VICON INDUSTRIES LTD.

Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton, Manchester, M24 2SS Tel: 0161 655 5500 Fax: 0161 655 5501 Email: sales@riscogroup.co.uk Web: www.riscogroup.com/uk

Brunel Way, Fareham Hampshire, PO15 5TX United Kingdom www.vicon.com

ONLINE SECURITY SUPERMARKET

EBUYELECTRICAL.COM Lincoln House, Malcolm Street Derby DE23 8LT Tel: 0871 208 1187 www.ebuyelectrical.com

TO ADVERTISE HERE CONTACT: Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk

www.insight-security.com Tel: +44 (0)1273 475500

Project1_Layout 1 26/03/2015 21:24 Page 1

<USLHZO [OL M\SS JVUULJ[P]P[` KL[LJ[PVU ]LYPÃ&#x201E;JH[PVU [YHUZTPZZPVU and response capabilities of the award-winning ADPRO 9LTV[LS` 4HUHNLK 4\S[P ZLY]PJL .H[L^H`Z 94.

1 3LHYU TVYL =PZP[ ^^^ _[YHSPZ JVT