Looking ahead to 2016

In our final issue of 2015, we asked leading security business leaders: What do you see as the major threats to security in 2016, in particular from terrorism and cybercrime? What role has the private security industry in the response to these threats? How can partnership working support these efforts?

We had responses from the following:

• Adrian Moore, Operations Director South, VSG
• Kenneth Larsen, Regional Director London, Securitas
• David Ward, MSyl, Managing Director, Ward Security
• Amanda McCloskey, Sales & Marketing Director, CIS Security
• Peter French, MBE, CPP, FSyI, CEO, SSR Personnel
• James Crouch, MD, Universal Security Systems
• Paul Stanger, Sales Director, KM Security
• Emma Shaw, MBA, CSyP, FSyl, FCMI, Company Director, Esoteric
• Dave Mundell, Managing Director, Axis Security
• Paul Harvey, Director, Ultimate Security Services
• David Clark, CPP, PCI, PSP, Head of Security, The Francis Crick Institute and Chair Security Commonwealth on behalf of ASIS UK
• Dan Ling, Associate Director, QCIC (at time of writing)
• Dawn Holmes, BA (Hons), MSc, CPP, FSyl, Company Director, ASIS and Women in Security lead
• Deputy Henry Pollard, Chairman, City of London Corporation Police Committee and Patron, City of London Crime Prevention Association (at time of writing)
• Rekha Babber, Managing Director Templar Cyber Academy Templar Executives

Adrian Moore, Operations Director South, VSG

Security officers of the “future” are delivering a service to the leading most respected brands in the UK and operate complex systems which in the corporate sector comprehensively track and control visitors/clients and customers to properties. When guests arrive, officers verify the identity of the visitor, send real-time notification of the visitor’s arrival to the host and automatically print guest badges, enabling guests access to the building. Additionally, more and more organisations are using advanced integrated security solutions based on trace detection equipment and X-ray screening systems. These systems, managed by trained officers, help secure those on the front line and the public at large. Stereotypical views of officers as low skilled individuals are a thing of the past and the ‘people agenda’ should be at the top of the tree. Security officers may be using Segways to conduct patrols, have smartphones with apps for live incident reporting, all of which requires development and investment in our people.

The partnership with law enforcement has also continued to develop. Security officers have worked in conjunction with police officers in many different guises, both in training and operational capacities, such as on Projects Griffin, Argus and Servator, but developments in 2016 will bring this partnership closer than ever.

Continuing along this vein of change, the guarding industry will drive the career of choice as opposed to a stopgap, well-trained and dedicated to their contract and the industry. Innovation in the sector will continue to drive standards of a security officer, ensuring that we deploy better equipped and respected officers into the market place. We need to continue raising the bar on training, employee benefits and wages to ensure we have the right people in the right place, meeting that need!
More and more often, security officers are becoming equipped with ‘out of the box’ training, that will make a difference to clients and the general public, which again all requires investment from an already low margin industry. Behind the public face of the security officer lives an expertly prepared and ever vigilant security professional who is multi-trained and supported by cutting edge, integrated technology.

Kenneth Larsen, Regional Director London, Securitas

We all carry a responsibility. Traditional manned guarding can no longer stand alone and this change is long overdue. As wages continue to rise, and pricing on technology decreases, we must work smarter. I believe that market leaders, like Securitas, have a responsibility to drive the security industry forward and that advanced technology and systems combined with fewer, but better skilled and paid, specialised security officers is the only way forward.

Both police and the private security industry are in the business of crime prevention. To achieve this we are analysing crime statistics and trends and working closely with our clients, the community and the policing authorities, to fully understand crime concerns, crime patterns and disorderly behaviour. This enables us to act more proactively and predictively, improving our use of resources, with the aim of preventing crime – all in a joint effort and in support of partnership working.

As part of advancing the security industry and its partnerships, we must also look at how we can improve our lines of communication and how we share the intelligence gathered from our many dedicated security officers who are deployed every day and night, at the same time exploiting our advanced technology. In this way we can all contribute to a safer environment for all of us.

David Ward, MSyl, Managing Director, Ward Security

We are facing rapidly evolving threats from increasingly adept and competent individuals and organisations using technology to organise and plan to great effect. Terrorism, as well as commercial crime, is multifaceted and increasingly involves multiple angles of attack, both real world and in cyberspace. So it is critical that the security world needs to evolve to develop a defensive stance that is more holistic and interconnected in order to be truly effective against such a threat.

The solution, of course, is closer working between security and police agencies, and which involves the private security industry and security technology industry. As Chair of the Cross-Sector Safety and Security Communications (CSSC) Southern Region, I can attest to the effectiveness of an interlinked approach that sees law enforcement agencies, local and national government organisations and private sector businesses coming together to develop a truly holistic and robust security intelligence, communications and response infrastructure.

The sharing of knowledge and communication is crucial. But whereas previously, knowledge sharing was a challenge, we can now use the very same technology as terrorists and criminals. There is no excuse for failure to be as well organised, and it is the only way the security industries can match the threat.

Peter French, MBE, CPP, FSyI, CEO, SSR Personnel

dustry and security technology industry. As Chair of the Cross-Sector Safety and Security Communications (CSSC) Southern Region, I can attest to the effectiveness of an interlinked approach that sees law enforcement agencies, local and national government organisations and private sector businesses coming together to develop a truly holistic and robust security intelligence, communications and response infrastructure.

The sharing of knowledge and communication is crucial. But whereas previously, knowledge sharing was a challenge, we can now use the very same technology as terrorists and criminals. There is no excuse for failure to be as well organised, and it is the only way the security industries can match the threat.

Amanda McCloskey, Sales & Marketing Director, CIS Security

Take one second to ask yourself: Do you feel safe?

A simple question that forces us to consider how we feel at home, at work, studying, commuting, socialising and, sadly, even when choosing a holiday destination.

To establish ourselves as a value adding service rather than a necessity, our priority is to focus on engagement. We need to listen to our customers and staff. We must research, educate, share knowledge and insights, communicate to and advise our staff, our clients and the wider community.

There are a number of challenges we face in current business operations: profitability, service quality, customer relationships, brand loyalty, productivity, and market confidence. Management need to take a step back to look at the bigger picture in order to achieve a balance between business as usual and business change.

Although we must keep pace with the rapidly progressing technical side of security, we must not neglect the engagement with and development of our people as part of a blended approach to risk mitigation and that essential feeling of safety we must deliver.

We are beginning to see more specialisation in the industry as security personnel develop and innovate within their niche areas, which creates more attractive and diverse career opportunities for new talent.

In the year ahead I believe we will see the security industry push forward to become more commercially risk aware through more rigorous planning supported by technology, as well as demanding higher standards in terms of compliance and governance.

Peter French, MBE, CPP, FSyI, CEO, SSR Personnel

The underage, alleged baby-faced terrorist living with his mother, perhaps demanding a ransom from a corporation; arrested in Northern Ireland, who may well bring down TalkTalk, a company with seemingly archaic computer systems, would have been easy to defeat if just the basic encryption of data had been their policy. We see businesses with their roots in bricks and mortar, who have generically grown and acquired, but have maintained legacy systems that are their Achilles heel.

Generation Y onwards are pretty adept at technology, they have developed kiddy script code that can challenge many IT departments and want the challenge of knocking off the Bank of England or corporations that hold people’s data. It forms an anti-establishment agenda with our Millenials, we do it because we can. Anonymous individuals joining up, sharing research online, just like being at the coffee point in the office. So they have the skills, they just need the criminal financiers who can develop the scripters’ networks.

This channel is here for life, although constantly changing: in 2013 WhatsApp was channelling 4 million messages, less than 12 months later that had grown to 50 million every 60 seconds, and looks to double in 2015.

The masses of expenditure on cyber protection are just a drop in the ocean, compliance driven through regulation and huge fines is now a $20 billion per year industry. Governments will have to be at the forefront of this battle. Laws will have to be negotiated with some pretty lawless countries. For the first time, the US Justice Department is bringing hacking charges against another country. Five members of the Chinese military are alleged to have stolen trade secrets from five American companies and the United Steelworkers, attacking with just a desk and a computer. This is the landscape for 2016, optimism whilst taking greater care.

James Crouch, MD, Universal Security Systems

The Insider Threat will become of increasing concern in the year ahead.

It’s not all about terrorism, the intent could be purely criminal: to steal or exploit the information or intellectual property they have access to. It is an insidious threat since it comes from your fellow employees or contractors.

Frequently these individuals are not acting alone. In some cases, sleepers can be put in place and left dormant for months, if not years, then activated when required. Their controllers could be in the business of commercial espionage, looking for the right opportunity to steal or carry out sabotage.

Another modus operandi is for criminal or terrorist organisations to place a controller in your business who identifies and targets vulnerable people with financial or other personal problems. The internal controller can blackmail them into carrying out criminal activities, such as infiltrating your IT systems.

The solution is to train staff to look out for individuals who may be at risk or who may already be acting in a criminal way, and to put in place processes and procedures for escalating their concerns. It’s important this is done in a sensible and sensitive way so as not to impact the morale of the business or innocent members of staff. However, it is vital to identify those people who are putting the business at risk.

Paul Stanger, Sales Director, KM Security

The threat from terrorism still remains a real and serious issue to us all, as events this year have shown. Acts of terrorism can take many forms, from major attacks inflicting large scale violence, with far-reaching consequences, like those seen in Tunisia and Paris, to more minor incidents that are designed to inflict

superficial damage. Nonetheless, both of these types of terrorism need to be discussed and thought about seriously within the workplace and when travelling to and from your work destination.

The cyber threat poses an “invisible” face of terrorism and in today’s world of widespread internet access and social media use, the organised, and sometimes not so well organised, perpetrators of these atrocities have a very real and far reaching audience to drum up support and recruitment.

Terrorism and cyber terrorism will be a constant problem, not only for the next year or two, but far beyond. But with MI5, the Police and other government organisations continuing to advise companies, and individuals, of the current perceived threat, everyone can assist in cracking down on the groups that deliver these awful acts of war!

Emma Shaw, MBA, CSyP, FSyl, FCMI, Company Director, Esoteric

Terrorism and information security/cyber related crime continue to be a significant global threat. This has been demonstrated by a number of incidents in the media such as the recent cyber-attack on TalkTalk and suspected terrorist incident on a Russian passenger flight.

Information, whether personal or professional, data or conversational, is ever more valuable. Cyber-enabled and economic crime will continue to increase. This is largely, I believe, due to the continued increase in technology and innovation and our move to a technologically advanced environment, both personally and professionally. The use of personal smart technology will continue to increase, and, therefore, the trajectory of incidents will also increase. Criminals and others will continue to use traditional means to facilitate attacks through social engineering and more traditional methodology as well as identifying weak spots in technology and exploiting them. Latest statistics support this theory. In 2015, for example, there were 38% more security incidents detected than in 2014. Theft of hard intellectual property increased 56% in 2015.

The private security industry continues to play a vital role in mitigating these risks, particularly as public sector resources continue to be limited. A number of public/private partnerships have been successfully developed and it is important that these continue. I anticipate that intelligence sharing will develop over the foreseeable future enabling the private sector to support both clients and police in a more informed way through intelligence sharing platforms. Strategic coherence in public/private partnership working will be critical.

Dave Mundell, Managing Director, Axis Security

Security threats to organisations continuously evolve and develop. They reflect changes in the way business is transacted, as well as wider changes in the global, political and criminological landscapes. The private security industry is evolving in response to these developments, and while the significant threats posed by terrorism and cybercrime may appear beyond the remit of ‘traditional’ private security services, there is much that it can do to support and assist the authorities.

The key is partnership. When organisations work in silos, they are potentially more at risk and have only a very narrow view. Working closely with other similar organisations and sharing information is essential if we are to understand what is actually happening and develop best practice in reducing risk. Support for Projects Griffin and Argus, for example, as well as engaging with local crime reduction strategies, provides information that can be packaged into a format that has meaning and relevance to the organisation before being cascaded to the relevant stakeholders.

The targeted training of security officers that results from this collaborative approach is also essential to ensuring that best practice is realised and supported in day-to-day security operations. It means teams can be updated on current and future threats, such as social engineering that is steadily becoming a feature of certain terrorist and cybercrimes.

Paul Harvey, Director, Ultimate Security Services

The police, other public law enforcement agencies and the private security sector must continue to act collaboratively in 2016.  Private security companies must continue to develop trust with the police and other public stakeholders.  I do not believe that this journey is complete.  An aligned approach to skills and resources is the ultimate solution.

In addition, private security companies need to target familiarity and complacency in end-users. The UK threat level has been classed as ‘Severe’ for prolonged periods given global and domestic events, and people have become desensitised as to what ‘Severe’ actually means in practice.

Complacency and familiarity are a risk management challenge. With ever increasing pressure to drive down cost/investment in risk based solutions, there is a temptation for organisations to reduce security provision and often prioritise customer service elements over security.  While the two are not mutually exclusive, you would be amazed at the lack of security specific focus that some high risk targets have.  It should not take a significant near miss, or worse case, a major incident, to remind organisations and individuals alike of the threats that we face.

David Clark, CPP, PCI, PSP, Head of Security, The Francis Crick Institute and Chair Security Commonwealth on behalf of ASIS UK

The major threat to security in 2016 will come from inside the organisation, whether these threats are cyber, terrorism or crime related and whether these are realised through negligence, malice or coercion.  These insiders could be our own staff, contractors, temps or anyone else who has access to our buildings, data or systems.

One of the best ways to defend against these threats, and one that can be led by the private security industry, is through an insider threat education programme. Educating our senior executives so that they buy into the programme, educating our staff, our supply chain and our partners, along with ensuring that the education is relevant and proportionate, is the first and arguably the most important step in protecting ourselves.

As part of the programme, it is equally important to test and validate the effectiveness of the education and to take steps to strengthen areas where necessary.  A strong internal working partnership between key departments, including, HR, IT and the Security Department, will ensure that the education programme is effective. Open and communicative relationship between these three departments can only enhance the ability to detect and prevent any nefarious insider activity.

Dan Ling, Associate Director, QCIC (at time of writing)

Partnerships in counter-terrorism context are traditionally focused on improving information sharing and collaboration between public and private sector entities. However, equally critical in the face of modern threats are the strength of partnerships between corporate security managers and their support network of technology-focused service providers and internal stakeholders.

Security managers have made great strides to adapt to the significant changes that technology now demands of them. Throw in the additional pressures of financial services regulations, growing trends in the use of security systems as a compliance tool, and expectations that security adds value to a business over above providing a safe and secure environment, and it’s easy to see why eyes might be drawn away from the prize.  Recruitment from a more diverse market and a shift in the skill set within a corporate security team are reflective of this adaptation.  However, the pace of technological change, breadth of sophistication and level of integration with IT departments point to the need for trusted and effective partnerships to complete the capability set.

By engaging a varied and specialised portfolio of both in-house and outsourced experts, corporate security managers give themselves a fighting chance to stay ahead of inexorable developments in technology systems that now provide the backbone of risk management strategies. Get the partnership balance wrong and technology becomes an expensive and time consuming distraction, get it right and appropriate levels of time and effort can be given to the primary security function of protecting people, assets and corporate reputations from emerging threats.

Dawn Holmes, BA (Hons), MSc, CPP, FSyl, Company Director, ASIS and Women in Security lead

Terrorism will certainly be high on the agenda in 2016. Lone actors and random, low tech attacks are expected to become more frequent: testing the intelligence and security services as they try to anticipate and prevent such events. More emphasis will be placed on protecting reception areas: target hardening, lock down potential and protecting the glazed areas of buildings. Staff training and education will also be high on most security managers’ ‘to do’ lists. The challenge will be to meet objectives and protect from these threats without creating building lobbies as inviting as Fort Knox and to educate without frightening people.

Whilst the attacks suffered in 2015  (both virtual and physical) have been tragic and wide ranging, it has brought security to the forefront and Boards are now interested in how their organisations are being protected.

This will be the test of many a security director/manager, who will need to ensure efficient and joined up security solutions and will also need to improve on how security policies and processes are disseminated throughout the organisation.

Deputy Henry Pollard, Chairman, City of London Corporation Police Committee and Patron, City of London Crime Prevention Association (at time of writing)

Next year’s British Crime Survey for England and Wales is likely to show an increase of several million fraud and cybercrimes to the overall level of crime in the UK – an increase of over 40%. Although British police forces have introduced hubs of cyber-crime experts, their efforts are a drop in the ocean compared to the scale of the problem we are now facing. All too often fraud is regarded as a ‘distant’, ‘victimless’ crime, which I reject entirely. Fraud is real and hugely damaging to those it touches and it undermines society at large. Online fraud and identity theft poses a huge threat and can ruin people’s lives.

Scams continue to affect the most vulnerable in society. The City of London Police closes down some 10,000 websites, telephone numbers and bank accounts on a monthly basis, preventing over £500m of fraud annually.

Partnership is critical and our relationships across the police and security spectrum paramount. The City of London Police has outstanding relationships, including with the Metropolitan Police and the British Transport Police, the Mayor’s Office for Policing and Crime, the British Transport Police Authority and National Police Chiefs’ Council and critically with the National Crime Agency.

Rekha Babber, Managing Director Templar Cyber Academy Templar Executives

Repeated headlines of corporate cyber security breaches underline the mounting threat from cyberspace that British companies face going into 2016.

No company and no one is immune to attack. Many high profile British companies have suffered a damaging attack this year – either directly or through vulnerabilities in their supply chains. The threat is not only from profit-seeking or malicious individuals, or organised crime gangs, but also espionage and terrorism. The threat cannot be overstated as more systems become digitised and diversified. Sensitive personal data and intellectual property held by British companies remains at high risk.

Every company is now a digital company, globally connected; the potential effect of business information not being sufficiently protected is not just short-term financial cost, but long-term damage to reputation and trust, even the viability of the business.

As we head towards 2016, it is imperative that companies recognise that growth in online activities from communications to commerce must be matched by higher attention paid to mitigating risks against loss, unauthorised access, corruption or damage

to information. This will mean clarity and awareness at Board level for good governance, better internal infrastructure protection, and a renewed focus on staff cyber security best practice and behaviours.