Threat level

Atkins | 16 Jan 2010 | Comments

Terrorism, internet attacks, industrial espionage – the threats facing organisations in both the public and private sector have evolved in recent years. But is the way we approach security measures keeping pace with this evolution?

Security used to mean locks on office doors, guards patrolling the halls after hours and regular fire drills. Not any more. Today, security encompasses everything from airborne particles to crimes in cyberspace, from border controls to human resources.

UK Prime Minister Gordon Brown made the point in a speech given in 2008, on the emerging threats to security in London: “The modern security challenge is defined by new and unprecedented threats: terrorism; global organised crime; organised drug trafficking and people trafficking.

“….we must understand the changing world we live in and the unprecedented changes in scope and scale of the security threat. Indeed, when people look back at the history of the first decade of the 21st century, they will see it as a period of new and fast changing threats.”

According to Geoff Robins, managing director of defence, aerospace and communications with Atkins, our definition of security had to be refined due to the complex environment in which we are now living and working.

“Look at the National Risk Register in the UK, the government’s assessment of the risks threatening the country. It focuses on areas you would expect, like terrorism and pandemics, but it also features the current economic crisis, global population shifts, climate change, competition for energy, electronic attacks, failing and fragile states, organised crime and so on. All of these different elements will influence the way we go about protecting our critical national infrastructure and our people and their assets.”

In essence, security today must be more in-depth than ever before, says David Livingstone, an associate fellow on the International Security Programme at Chatham House, and managing partner of Morgan Aquila, an independent UK-based consultancy that specialises in national security and resilience strategy.

“You have to mitigate against risk from its origins right through to the point of vulnerability,” he says. “This wider perspective requires a ‘system of systems’ approach, which takes into account all of the risk mitigation efforts along the way, and how various risks interact. You can’t have isolated bastions of security; the response has to be systemic and it has to involve the whole infrastructure – people, organisation, process, business change, and of course technological enablers.”

Biometrics management systems are one example of this systemic approach to security, says Robins: “It’s about identity management, often in a highly transient environment. For example, Atkins has devised a biometrics system for use in airports, which matches the identity of individuals to their boarding passes, and forms part of a wider end-to-end security strategy. It provides security for those people travelling and for the airport itself, but it also increases the security of national borders.”

Biometric ID systems based on face or fingerprint recognition, for example, take security to a “third level”, agrees Simon Longlands, biometrics expert at Atkins. However, he warns that, like any security strategy, there are obstacles to be overcome before they are accepted as effective, efficient and worthwhile.

As with any security system, there are strengths and weaknesses, says Longlands, and these will need to be recognised from the start. For example, people are sometimes hostile to the idea of biometrics because they can seem impersonal and have cultural implications. In addition, some cultures associate fingerprints with criminal investigations while others may object to the use of images.

“It’s one of the main challenges involved in security strategies. If you damage a person’s dignity, you risk alienating them – frisking at airports is a classic case. Security must adapt and evolve to succeed. Good security need not be obvious.”

Safe house

Despite the evolving threats, for most organisations, security begins at the front door. Enter the premises of a large organisation in any major city today and you will begin to appreciate the scale of the challenge. On a physical level, bags are searched and X-rayed, metal detectors are employed and security guards watch every move, both in person and via a growing number of close circuit television (CCTV) cameras. ID is required and verified, often more than once across a number of designated checkpoints.

At the same time, servers are secured offsite with back-ups containing sensitive information held separately, and firewalls are established to prevent online attacks. Security training is ramped up among employees and measures are taken to limit access to vital assets.

Organisations now take no chances when it comes to security, drawing on a mixture of architectural planning, human input and effective intelligence to improve their defences.

Matthew Brittle, associate director of security at Atkins, understands the risks involved, especially as it relates to the physical environment. His work includes the £600 million Birmingham New Street Station refurbishment, which involved substantial security issues – “Places with legitimate public access are the hardest places to defend,” he points out.

“Security is best provided when a full understanding of the business or operating environment is known, integrated solutions not just for now but also into the future,” he says.

Architectural planning can go a long way towards minimising the appeal of a location as a potential target. For example, Brittle recommends curved columns in the interior space of a building over more defined angular ones. Ledges and other horizontal surfaces should slant, so that nothing can sit on them. There should be no gaps in corners where bags might be stashed.

By keeping sightlines “smooth and long”, the opportunities for dangerous behaviour become easier to spot, Brittle points out.

As for the exterior, especially in high-profile targets such as government buildings, airports and financial institutions, “stand offs” are becoming an increasingly common sight. These are defined boundaries, often a reinforced secondary wall that establishes a clear perimeter. Following such incidents as the failed Glasgow Airport attack of 2007, in which a truck loaded with propane canisters was driven into the glass doors of the terminal and set ablaze, such strategies seem like common sense.

Keith Carter, associate director of blast engineering for Atkins, suggests that all highly sensitive buildings should have a stand off. But instead of creating an environment that looks at best unfriendly and at worst sinister, a wall surrounding a garden achieves distance without alienating passers-by or making employees feel like they’re in a prison.

Similarly, for some potential targets, such as shopping centres, something as simple as a plaza can serve this function. A handful of strategically placed benches also invite people to sit down, which can be a useful and cost-effective surveillance aid without creating a new target for terrorists looking for high body count numbers.

Carter appreciates the need for thoroughness when it comes to integrated security solutions. He has worked on the courtroom building in The Hague that is holding the trial of the former Bosnian Serbian leader Radovan Karadzic, for war crimes in the 1990s. Carter also oversaw security work for existing UNICEF buildings in six capital cities throughout Middle East and Asia. Retrofitting was going to be an expensive solution. No matter what the security issues involved, Carter points out that organisations need to start planning for them as early as possible and think further ahead than ever before.

“There is a public expectation of better risk management by those in government and those who are responsible for delivering security systems,” says Livingstone. “These can’t be point solutions, which solve one problem without paying attention to related issues. They’ve got to be integrated with other risk mitigation instruments.”

Some risks will develop over time, argues Livingstone. They require systems that will have the ability to change depending on how the threat changes.

“These systems need to be able to grow, have built-in flexibility from the outset, and the ability to cope with new functionality changes,” he says. “Real security evolves from a broad understanding of the whole of the risk spectrum and the solutions available. With this in place, you can design, plan and implement the systems that will actually achieve the appropriate level of performance, achieving the lowest possible risk against the budget available.”

The threat within

Security is not all about guarding the front door, however: “You may have a building where getting inside is enormously complex, but the IT systems are not nearly as secure,” Robins argues. “This is a major security risk.”

Robins cites the distributed denial of service (DDoS) attack on Internet Service Providers (ISPs) in Kyrgyzstan in early 2009, which effectively cut the country off from the world.

“The internet plays a vital role in both the public and private sector today, as a means of communication and commerce. Imagine the disruption this kind of thing would cause in a major urban centre like New York or London,” he points out. “Examples like these are changing the way we view security. It’s a vast and complex puzzle and we need to make sure we see all the pieces.

“At Atkins, we analyse the way people think about security. For example, why do people shred their bills before putting them out for recycling? Because there is a perceived threat – in this case, identity fraud – and that is how people respond to that threat.”

Robins argues that this leads to a commoditised service of security, with point solutions sought for individual threats, which is not ideal.

“Organisations need to consider threats in a holistic way, in order to make sure they are addressing them coherently,” he says. “An off the shelf approach to security may displace a problem, but it won’t solve the problem. Again, security needs to take a ‘system of systems’ approach.”

Human error

This is particularly true when it comes to the human element, which remains a major security threat within most organisations. Consider the example of HM Revenue and Customs (HMRC) in the UK. In 2007, a junior official in HMRC sent two CDs containing personal details of 25 million people to another department via courier. It was neither registered nor recorded, and the package never arrived, placing all of this information at risk.

Or the recent incident at mobile phone company T-Mobile, in which staff sold on millions of customer records to third party brokers. It came to light because T-Mobile customers were suddenly being “cold called” by other mobile phone companies just as their contract was due to expire. It was a stark reminder of the scale of the threat that can be posed from within.

From disgruntled employees to industrial espionage and plain old human error, security procedures should be reviewed with personnel on a regular basis. Consequences of a breach in security can be ruinous, especially when it comes to reputation.

In the case of the HMRC data loss, for example, the head of HMRC resigned, the Prime Minister had to apologise in Parliament, an investigation was launched and the CDs were never found. It was both a security and a PR nightmare, worse still, it prompted several other departments to come forward and admit that they too had experienced similar security breaches. Security procedures were in place, yet it still happened and the reputation of the public sector took a palpable hit.

“Ultimately, you need to grow a security culture,” advises John Green, security consultant with Atkins. “This can be done via good education and management in much the same way as health and safety and sustainability training. In fact, many larger organisations have security awareness training already in place.”

Creating a culture of awareness and vigilance is particularly important as threats will usually appear at the weakest point to target an organisation. The anthrax attacks in the US in 2001 highlighted how vulnerable some organisations can be through something as simple as an unsecured mailroom. “It’s a game of cat and mouse. Mitigate a threat and the aggressor will look for the next chink in your armour,” says Brittle. “Therefore, removing the vulnerability will lead to more enduring solutions.”

“Security these days is becoming a societal responsibility,” adds Livingstone. “It’s vital to engage every conceivable stakeholder in the security debate; including everyone from the outset so that no single, but potentially important, stakeholder holds up a red card and says, ‘I was never consulted’. All parties have to see benefit in the security journey.

“You have to identify the stakeholders, those with interest in developing a secure infrastructure, and engage with each at the right time, with the right messages, within the correct business context. Overall, it’s a matter of consensus management, making sure all stakeholders are heading in the same direction and the right way. Delivery of vision always helps, with stakeholders all grasping the essence of the desired condition: security, resilience and safety, harmonised with the business that is being protected from risk.

“The people and organisations that have that vision are those that will deliver the optimal solutions,” says Livingstone.

 This article was originally published by Atkins in January 2010.

Download PDF