Life After 7/7
Law Business Review ❘ 5th June 2012
“Firms should have procedures in place to follow in the event of a physical or technical attack, as Alex Bomberg explains”
In July of 2004, I was interviewed by a legal publication about my opinion of the preparedness of London firms when and if terrorists struck the City. Looking back at that interview now, many of the points that I raised sadly became a reality; what no-one was prepared for, however, was that the terrorist attacks, when they did come on the morning of 7 July 2005, would be carried out by UK citizens and suicide bombers.
So, what has changed?
One thing that the morning of 7 July 2005 taught us all is that no matter how well planned an evacuation plan or disaster-recovery plan is, in the hours following an attack the only thing that wins is panic and chaos.
Mobile telephone networks went into meltdown while loved ones and co-workers hurried to make contact; much public transport ceased for a time. The attack did exactly what it was designed to do, and the evacuation plans and emergency procedures that companies did have in place worked the best that they could given the time of the attack (08:50hrs) and the state of the mobile communications networks; London-based companies did very well overall.
Bracing for disaster
In this, our Olympic year, I wanted to revisit the themes of my 2004 opinions, not only to see what has changed and what we learned from the attacks of 7/7, but also to invite thought and induce conversation on a subject that is not going to simply go away. Since 7/7 the City, country and world have been hit by recession and the first part of most City businesses to suffer is the security and disaster and recovery budget, followed soon after by the training and IT budgets.
Firms like mine (International Intelligence Limited) have suffered in the recession due to companies cutting security budgets; many firms and organisations only come to us for help and advice post-incident; after the horse has well and truly bolted.
Organisations and companies have a duty of care to provide a safe and secure place of work, as they do to have staff training for first aid and evacuation. This is not an optional extra, it’s a basic right and covered by a number of laws (including the Corporate Manslaughter and Corporate Homicide Act 2007); yet many companies fail to meet this legal requirement, feeling that bottom line profits are far more important than the lives of staff. Coming from a military background, I really struggle to understand how the City flouts threat and risk of not only physical terror attacks but also technical attacks. Terrorism (and espionage) is here to stay and it is up to the boardroom to set standards to move dynamically with the threats. Every company should have, at the very least basic procedures to follow in the event of an attack (physical or technical).
Latest threats to UK PLC
In the past eight years, threats have widened and grown from Middle East fundamentalism to home-grown Islamic terror cells (which manage to remain off the intelligence radar in the main) to the reemergence of Irish Republican groups and onward to cyber terrorists, organised crime and the ever-present threat of acts of government-sponsored espionage. Many people think that al Qaeda is an organised “group” of terrorists; it’s not, at least not any more. Al Qaeda is more of a fundamental ideal than a group, and it’s not al Qaeda that we really need to worry about; worse are the young extremists who are groomed for and who have nothing to lose in death.
The last five years has seen the emergence of Al-Qaeda in the Land of the Islamic Maghreb, to give its full name in English. This “group” has its roots in the bitter Algerian civil war of the early 1990s but has since evolved to take on a more modern Islamist agenda. It emerged in early 2007 after a feared militant group, the Salafist Group for Preaching and Combat (GSPC), aligned itself with Osama Bin Laden’s international network. This is one group that British Intelligence services fear will attack UK assets both here (in the British Isles) and overseas.
The threat of technical terrorist attacks hitting power bases, infrastructure and economic targets is on the increase. Cyberattacks emanating from Russia, China and the Far East are on the rise. Terrorism is not all about dusty, bearded men sitting in tents in the desert plotting against the West. Many think that cyber-attacks are like an act of industrial espionage which is not going to affect their company. Tell that to the likes of Lockheed Martin or RSA, the security division of EMC (a secure data storage company used by many major banks and financial institutions). And it is not only major corporations which are under threat; at International Intelligence Limited, we are every week taking on new clients who have either been attacked or who fear that their company would cease trading for a time if hit by a cyber-attack.
While most firms in the UK would not be on any cyberterrorist’s hit list, it is worth pointing out that in a recession, industrial espionage is on the rise.
The espionage threat
Like the rise of shoplifting and white-collar crime during a recession, espionage too tends to increase. Many have sat back and by now got bored of the News of the World phone hacking scandal but have given little thought to how widespread this practice became and how easy. If newspapers could pay a few hundred pounds to have a celebrity’s phone hacked then why would your competitor not think about doing this too?
The use of social engineering is also on the rise. Individuals are being targeted and singled out as easy targets for gaining sensitive information, often with the aid of social networking sites such as Facebook and Linked In.
At International Intelligence Limited, we carried out counter-espionage, counter intelligence and witness protection for one of the largest litigation cases in British legal history. Take it from us, firms will do all they can to win big-money and high-profile cases.
Education, training and understanding
Prevention is always less costly than trying to rebuild after attack. Having well-trained staff who are educated to the risks and threats is a key defence. As too are incident procedure, command and control.
Having your team up to date with training not only prevents skill fade, but it also incentivises and empowers them. This can only be good for the day-to-day running of a company and is also an important factor on how your client views you and your company. Raising basic skill sets within your workforce and making sure that key personnel are up to date with courses and qualifications will all aid in the survival of a business; that and an understanding and education of the threats and risks that your particular business faces.
Understanding the threats and risks can be daunting but that coupled with an understanding of what services or processes are essential for the running of your business will ease the command and control of an incident as and when it unfolds.
Managing threat and risk
Holding a one-day training session where staff and management can discuss threats, risks and strategies and maybe even air concerns will aid any company, not only in securing the work environment but also in safeguarding the future of the company, its personnel and profitability. Knowing your operational capabilities and knowing what is mission-critical is the key to surviving any incident.
Ask yourself the following questions:
- Are all of your personnel aware of who is responsible for security issues?
- When was the last time your policy was reviewed and updated?
- What is your IT “actions on” policy?
- When was the last time your office was swept for covert bugging devices?
Basic incident procedures:
- When was your last fire drill?
- Do you have an emergency contact procedure?
- Do you have a clear incident command structure?
- Do you have a disaster-recovery plan?
Training and education:
- How many of your personnel are first aid trained?
- When was your firewall updated?
- When was the last time your head of IT went on a course?
- Do your personnel understand external risks to your company?
At International Intelligence we work with companies to find the most cost-effective way of securing a company, its staff and its intellectual property. No security procedure should hinder the day-to-day running of the company; procedures should be put in place as part of a good “housekeeping policy” to aid in times of need.
In this Olympic year when the threat of a terrorist attack is heightened, could your company hold its head high and say that it has done all that it can to be prepared and to provide a safe working environment?
Educating companies and individuals on the threats faced is often akin to scaremongering; but it’s nothing of the sort. If companies are unaware of the threats, then it’s impossible to counter threats or at the very least, have an action plan. This article is not about stopping a terrorist act, but merely how your company might handle and survive any threats that it or our country may face in this uncertain future.
“Prevention is always less costly than trying to rebuild after the attack. Having well-trained staff who are educated to the risks and threats is a key defence”
For up-to-date information on the risk and security situation with live news feed, see our United Kingdom Security Risk Report.