Advice on protective security matters
CPNI – Centre for the Protection of National Infrastructure
Defence-in-depth should play a key role in an organisation’s approach to protective security…
It is especially relevant for those operating within the City of London, considering the increasing scale, economic importance and high profile of these organisations, both private and public, but whatever their size, significance or location, all organisations should take appropriate protective security measures.
However, effective protective security is not about simply adding layer after layer of protection measures in the expectation that sheer volume will achieve the best results. Doing so could be needlessly expensive and in many cases not relevant to the particular circumstances of the organisation.
Defence-in-depth should be obtained through employing a range of the most appropriate measures, applied in proportion to what matters most, what is most at risk and what is most vulnerable.
At the Centre for the Protection of National Infrastructure (CPNI) this is the approach that we advocate throughout the advice and guidance we give to the organisations that provide the UK’s essential services – more formally called the ‘national infrastructure’.
Our role is as the national technical authority for protective security advice delivery, helping reduce the vulnerability of the national infrastructure to national security threats, for example from terrorism and espionage. This means we have contact with many key organisations. Much of our advice, though, is equally relevant to a wider range of businesses, and is easily accessible online through www.cpni.gov.uk.
The starting point for any organisation should be careful consideration of risk and likely impact. Outcomes from these assessments can be used to guide the selection of protective security controls. Specialist advisers can help, for example Counter Terrorism Security Advisers (CTSAs) for crowded places or CPNI advisers for national infrastructure.
Considering protective security
And it is crucial to consider protective security in the round. Even the most effective physical security elements – for example, automatic access control barriers – could be compromised by exploitation of weaknesses in the cyber security that controls operation of the barriers, or in the personnel security procedures covering the people who manage or have access to the systems themselves. This means it is sensible to deploy a range of controls embracing physical, cyber and personnel security. Your organisation may have specialists in each of these areas. However, it is the combined application of their specialisms that will bring most value to your protection regime, and encourage collaborative working too.
Physical security should come through a sensible mix of good housekeeping, use of appropriate barriers, deterrents and detection systems. There are obvious deployments such as security lighting, obscuration techniques to deter hostile surveillance, and glazing measures to protect against the impact of explosive devices. For businesses it may also include specifics such as how to securely destroy sensitive items, the choice of equipment to do so, what to do with the waste generated, and even how to engage an assured secure destruction service to undertake the work.
Cyber attacks are unfortunately an increasingly frequent reality, attracting a high profile and causing considerable business disruption, damage and individual distress.
Cyber security is one of the top tier national security threats. CPNI protective security advice to the national infrastructure has had to embrace the rising scale and complexity of the cyber threat. We endorse a top-level approach – in the Government’s 10 Steps to Cyber Security advice to businesses – as well as baseline technical security controls that organisations can use to improve their cyber defences. So, in practice, you should be looking at a wide spectrum of cyber security measures, and making a robust case where necessary to your Board/Senior Executives for the resources to deploy them. All the building-blocks for cyber security measures can be found on www.cpni.gov.uk/advice/cyber including signposts to guidance produced jointly with other Government departments and agencies.
Finally, it is important to recognise that ultimately it is your people who could make or break your security. It may be an individual or group of people outside your organisation with malicious or even hostile intent who deliberately seek access to your operations, and manage to overcome or override your systems. But often overlooked is the potential for your own employees/contractors to inflict damage or disruption. This could be intentional, for example through staff who become disgruntled or disaffected. Or it could be through external manipulation, for example through social engineering. Whatever the reason, we cannot emphasise enough the need to have robust personnel security measures in place as an integral part of your protective security mix, in order to be sure of reducing vulnerabilities.
At the same time, creating a strong security culture within your organisation and developing the security awareness of those who work within it can help further increase your levels of protection. Even seemingly simple things such as not clicking on unknown links in emails, or being alert to spear-phishing attempts, can prevent significant consequences of compromise.
In future editions of City Security we will explore some of these subjects of interest in more detail, particularly about the people aspects of protective security. There is a range of practical guidance, tools and materials accessible from CPNI that can support implementation of an integrated protective security approach for your organisation. Throughout 2016 we will signpost you towards it.
For further information on the Centre for the Protection of National Infrastructure (CPNI) visit www.cpni.gov.uk