Unfortunately, we live in a time where we all face the ever-looming threat of terrorism, at home, overseas and digitally.
MI5 have stated that terrorism is a significant threat to businesses all over the UK, and as a result companies need to protect themselves, and their employees, from attacks. To do this, however, it's vital that there is an understanding of exactly what threats a business could face. This enables companies to counteract and protect themselves from acts which are unique to their business, whether the threat is digital or physical.
What is the nature of the threat to your business?
What are potential attackers likely to want to achieve? How are they going to go about it? Which elements of my business are the most attractive to terrorists? These are all questions which should be considered when trying to establish how best to protect a business from acts of terrorism.
Also, consider the location of the firm. Is there anything about where it is situated which would make it more of a target? For example, a small hotel is less of a target than a train station, as the latter is likely to be the busier place, and so an attack there has the potential to cause maximum destruction. However, if the hotel is hosting high-profile guests, the threat may escalate as a result.
Being located in the city center, or inside or near a government building or tourist attraction, could also make the business or area more susceptible to terror threats. Business owners must therefore stay vigilant, keeping the security of the public and staff at the forefront of their mind at all times.
What information does the business hold that is a valuable enough target for a cyber-attack?
Businesses around the world rely heavily on computers and technology to store and process information, whether regarding employees, clients or internal processes, and as a result they are a target for cyber terrorists. However, the threat of modern-day cyber-terrorism no longer stops at the leaking of private information or a site being crippled by a DDoS attack; there is also a real chance of attackers being able to cause physical damage to a business and its staff.
An example of this grim reality is the recently disclosed cyber-attack on a BP-owned Turkish oil pipeline in 2008. Armed with a keyboard, the hackers, who are still yet to be apprehended, were able to super-pressurize the crude oil in the pipeline, causing an explosion which crippled the pipeline.
This is just one example of how terrorists can use technology to cause destruction, but there are many other incidents which could have been cited, including attacks on PayPal, Amazon, Dell, Yahoo, PlayStation Network and even NATO.
What do you need to protect?
Businesses must prioritize their protection in four categories:
- People online (staff, contractors, visitors).
- Physical assets (the building and its contents, including equipment, sensitive materials, plans).
- Information (data in both paper and electronic form).
- Processes (supply chains, critical procedures).
What measures must a business take to reduce risk?
It is essential that the company and its owner take an all-inclusive approach to security that protects everyone and everything that is important. Security measures such as security hardware and specialized software cannot stand alone; they must go hand in hand with proper recruitment and cyber security training of the staff.
One of the training options available is Project Griffin, a campaign set up by the National Counter Terrorism Security Office (NaCTSO). Project Griffin is a national counter-terrorism awareness initiative for businesses, which aims to help businesses understand the threat of terrorism, how people can recognize and report suspicious activity, and how to cope with an incident.
NaCTSO is encouraging companies to sign up to the self-delivery initiative. Following authorization, they will be provided with a Project Griffin package relevant to their sector, along with regular updates and training material. In order to take part, a business must meet certain criteria, which include that it must be a Public Limited Company and operate in a ‘crowded place’ environment.
What standard security procedures are, or should be, in place?
There are some standard safety precautions which are effective at deterring and protecting businesses from both terrorists and common criminals.
Good access control for both people and vehicles, CCTV, anti-blast film, lighting, and movement sensors are all measures which a business can take to protect against the physical dangers of terrorism or at least limit the effects should an attack occur.
From a digital perspective, basic measures such as full disk encryption ensure that the hard drive of a stolen or misplaced laptop cannot be cloned and have its data taken. Likewise, ensuring that servers are configured correctly or using mitigation appliances can help prevent DDoS attacks, and buying excess bandwidth to handle sharp increases in demand can help to deal with them, should a business be targeted.
It’s also important that a company protects itself from ransomware, and it can do this by monitoring file activity, protecting its email servers and ensuring that an endpoint security solution is installed and maintained. Also, if a business limits the areas which employees have access to, then this reduces the number of files the malware can attack. If it’s not essential that an employee is able to access every shared drive and folder, then don’t let them have it!
Many businesses choose to store data on cloud-based services; however, it is best that sensitive data is kept off them, due to questions about cloud computing security. If the cloud is your only storage solution, then ensure that files with confidential information and sensitive data are encrypted before upload.
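To make "monitoring file activity" concrete, here is an added example (not from the original article) that flags an account changing many different files in a short time, the pattern ransomware produces on a shared drive. The event format, account names, paths and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0, 0)

# Constructed sample file-activity events: (timestamp, account, operation, path).
# A real deployment would read these from file-server audit logs.
SAMPLE_EVENTS = (
    # Normal use: one document saved every five minutes.
    [(T0 + timedelta(minutes=5 * i), "alice", "WRITE", f"/shares/finance/report{i}.xlsx")
     for i in range(3)]
    # Suspicious: six different files renamed within ten seconds.
    + [(T0 + timedelta(minutes=2, seconds=2 * i), "bob", "RENAME", f"/shares/hr/doc{i}.docx")
       for i in range(6)]
    # Reads are ignored by the detector.
    + [(T0 + timedelta(minutes=3), "carol", "READ", "/shares/hr/doc0.docx")]
)

CHANGE_OPS = {"WRITE", "RENAME", "DELETE"}


def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {account: time of first alert} for accounts that changed at
    least `threshold` distinct files within any `window`-long period."""
    recent = defaultdict(deque)   # account -> (timestamp, path) inside the window
    alerts = {}
    for ts, account, op, path in sorted(events):
        if op not in CHANGE_OPS:
            continue
        q = recent[account]
        q.append((ts, path))
        # Drop events that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        if account not in alerts and len({p for _, p in q}) >= threshold:
            alerts[account] = ts
    return alerts


if __name__ == "__main__":
    for account, ts in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {ts.isoformat()} {account}: burst of file changes")
```

The window and threshold need tuning against normal activity, since backup jobs and bulk file moves also touch many files quickly.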
Lastly, how often should security measures be reviewed?
It can be tempting to ignore or forget about security measures and let standards slip, particularly if the business is busy or does not have the resources to spend. Regular training, software updates, anti-virus scans, and occasional drills simulating physical threats will help to increase security at relatively little cost. Hope it helps!