The Implications to UK Businesses
Are UK companies aware of the implications of either a cyber or terrorist attack? asks Peter Collins of Bespoke Risk Solutions Ltd.
It is almost 12 years to the day since London was rocked by the atrocious suicide bombings on July 7th 2005. 56 people lost their lives.
The past three months have seen three terrorist attacks in London and Manchester. Terrorism usually results in the tragic loss of lives of innocent people. Terrorism does not discriminate. Victims span races and age groups, including families, friends, workers and tourists.
The common thread in terror attacks is the huge responsibility of the emergency services to manage the carnage. The Queen herself recently praised the bravery and dedication of the UK’s police officers, fire fighters and hospital workers.
During the London Bridge terrorist attack, police attended within eight minutes of receiving the first call. The terrorists were all shot at the scene and the event has highlighted the bravery of those involved. When most people were trying to flee danger, the emergency services were seen running towards the source of danger to help the injured.
UK businesses have a duty of care
Every business has a duty of care to its staff and its customers.
Even with the best intelligence in the world, it is impossible to know when or where the next terrorist attack will take place. At present, major cities are being targeted, putting many businesses at the heart of the risk. Where there is a risk to business there is a risk to P&L and, more importantly, to personnel.
Businesses need to contemplate risk and augment procedures before the next act of terrorism manifests itself. Businesses need an action plan that is kept consistently up to date.
Experts that have analysed the recent terrorist events were reported in the media as follows:
• The terrorists who struck in London would have killed more people if police had not managed to find and stop them within minutes of the violence beginning.
• As it has been widely reported, people in the UK will continue with their lives and not be deterred by the possibility of another attack. (1)
Most of the UK’s companies carry out health and safety audits. They receive a report from, in most cases, external consultants and then work to implement the recommendations. This is meant to ensure that their staff and visitors are safe whilst onsite. Surely, in light of recent events, it is time to incorporate the risk of terrorism. With the current terrorism threat level heightened, companies need to review the implications of terrorist activities on their business.
Companies urgently need to consider two main areas of risk:
Many companies still do not have cyber-audit/disaster plans. Some that do mistakenly believe that, once they have paid for a plan to be written, it is acceptable for it to be left in a bottom drawer or on a bookcase in case of emergency. It is imperative that business continuity plans are put in place and tested on a regular basis; this could prevent an attack and could protect the company from financial losses.
Businesses are bracing themselves for an increased likelihood of direct impact from crises such as terrorism or cyber-extortion, according to new research findings by YouGov commissioned by Arthur J. Gallagher (2). The research states that:
• 24% of large companies are concerned or unsure about their resilience and preparedness against security crises.
• Cyber-extortion and terrorism were the top two threats experienced in the past two years (with 51% believing their business to be at high risk of cyber-attack in the next 12 to 18 months).
• Firms are warned that a box-ticking approach to crisis resilience can create a false sense of security and undermine their ability to anticipate, prevent, respond and recover.
• Even large UK companies (in the FTSE 350 or with a market cap of £500m or more) are increasingly aware of the fast-evolving security threats they face.
Justin Priestley, Executive Director of Crisis Management at Gallagher, said: “Crisis management plans must be short, principle-based and genuinely stress-tested to enable rapid decision-making and communication at times when there will be a vacuum of information, panic and pressure from stakeholders on all sides. However, getting crisis resilience right means the total cost of managing risk will be lower too, since insurance becomes a backstop rather than playing a central role. Comprehensive solutions will bolster confidence among internal and external stakeholders that a company will survive and prosper, regardless of the deepening threat environment.”
Peter Collins highlighted: “One particular company had a series of events that caused shareholder loss, which included cyber. It started with mail being stolen (containing bank details), the next step was ‘persons unknown’ entering the building avoiding the CCTV. Without any sign of forced entry to the offices, the intruders wiped the company’s servers and deleted one of the external back-up drives. There was a report made to the police, but the result was a fire sale of the business with shareholder loss. The shareholder was not satisfied with the police response, which is hardly surprising given how stretched police forces are in terms of resources”.
People tend to think of cyber-crime as being Internet or digital based. As the above scenario demonstrates, that is not always the case. Admittedly, there have been well-documented cyber-attacks, including one on the NHS. According to the media, hospitals across the UK were affected, but less publicised (3) were the facts that:
• Nearly 100 other countries were affected including a cyber-attack on German train stations when hackers targeted Deutsche Bahn, and FedEx Corp in the USA
• A Russian-linked cyber gang ‘Shadow Brokers’ was blamed
Senior NHS managers and the government are still facing questions over why hospitals had been left vulnerable to the global cyber-attack that crippled services.
Peter Collins warned: “With this growing risk, companies should act now, carry out audits, and arrange contingency planning. I am still amazed that organisations, when asked, still have back-up information on-site rather than in a secure environment. As highlighted in the above report, 51% of people that took part in the survey stated that cyber was one of the main risks in the next 18 months.”
The current threat level for international terrorism in the UK is severe. This means that an attack is highly likely. In a recent article (4) it was reported that Britain has become more vulnerable to terrorist attacks because ‘frustrated travellers’ are finding it more difficult to get to Syria and are being urged by different extremist groups to commit atrocities in the UK.
The return of some British fighters from Syria has added to a complex picture, which means that the UK’s counter-terrorism agencies are feeling heat from all sides.
In fact, thwarted terrorist attacks in the UK are so common that they rarely make the news, demonstrating the ability of our intelligence teams.
Considering today’s heightened risks, there is a strong argument that directors of companies must protect both their staff and assets. A director has to make sure the assets and the liabilities of the companies are adequately insured.
We live in a litigious society and any company could face legal action from shareholders or staff if they feel the directors have not carried out due diligence.
Peter Collins believes that all companies should:
• Immediately review their contingency plans
• Immediately review counter terrorism measures
• Prove that they continually review both plans
• Make staff and shareholders aware of the existence of both plans
Carry out this simple test!
Tom Moor, Managing Director of Corporate Security Consultants, added: “There is a very simple test that companies should undertake to ascertain risk factors. If a company’s ‘front of door’ or reception staff cannot answer these questions, then they urgently need training:
SCENARIO: The building is in ‘lockdown’ and outside a young woman (possibly pregnant) is begging to get in. The security guards have two options:
1. If they let the woman enter the building, she may be carrying a suicide bomb or a weapon, which could result in fatalities. How do they control her and where/how should she be quarantined and controlled?
2. If she is refused entry and she is killed, this would generate poor PR and possible legal implications for the company. Should she be refused entry?
The guards need to be trained in terms of action to be taken for the next steps. Important tactical points include: ‘Who is creating the strategy for the staff to follow, and who do they turn to when the situation changes?’
Businesses stand to lose without professional training; it could be their key assets, their staff, or the effects on their balance sheet from poor PR.
Security training incorporates not only physical and cyber, but can include personal or counter terrorism. For the latter, an ongoing training programme should incorporate the latest advice from S019.
Andrew Sinclair, Director of PIB, warned: “Directors and officers of companies need to review their positions in relation to terrorism otherwise they could have an exposure from shareholders.”
Peter Collins added: “In recent years, many companies have not taken out terrorism insurance. This means that in the event they could be un-insured. The result of not having insurance is any damage or loss of income would have to be paid directly from the company”.
For more information on continuity planning, cyber-insurance or counter terrorism audits and training contact Peter Collins on 01702 200222 or email him at email@example.com
Bespoke Risk Solutions Limited are an Appointed Representative of Leisureworld (GB) Ltd who are authorised and regulated by the Financial Conduct Authority (Financial Services Register No. 749920). You can check these details by visiting www.fca.org.uk
Bespoke Risk Solutions Ltd are registered in England and Wales No. 07292153. Registered office: Victoria House, 50 Alexandra Street, Southend-On-Sea, England, SS1 1BN. Leisureworld (GB) Ltd are registered in England & Wales No. 02663024. Registered office: 1422/24 London Road, Leigh On Sea, Essex, SS9 2UL.