Is your organisation prepared for the worst?
Reacting to a terrorist threat is something that organisations prefer not to think about. Planning for such a threat is something that they definitely should think about. Bob Wade of the Emergency Planning Society discusses why emergency planning can save more than just lives.
It is often forgotten that before 9/11, the world’s most costly terrorist attack in material terms was in the UK. In 1992 and then again in 1993, the IRA detonated one ton lorry bombs in London, firstly at the Baltic Exchange and then in Bishopsgate. The latter alone forced 91 companies to relocate – two buildings were totally destroyed and a further 25 severely damaged. There was £2 million’s worth of glass damage – total damage to the local built environment was estimated at £350 million (£647 million in today’s money). The security consequence was a ‘ring of steel’ around the City of London which cost £100 million to initiate, and £25 million a year to run. Terrorism can be an expensive business.
Businesses and organisations are vulnerable to terrorism, no matter what size, location or sector. Yet in these days of austerity, many managements put resilience of their organisation way down their operational agenda. They fear it could be an expensive outlay for something that ‘probably will never happen’.
Well, let’s knock that latter oft-heard refrain on the head. Let us look at the sleepy country lanes of South Oxfordshire, not an area you would imagine to be in the front line of the ‘war on terror’. But that assumes a mind-set that counter terrorism is only to do with Jihadi style terrorists. Terror tactics can come in many forms and from many unexpected directions.
In the early hours of 15 January 2015, a deranged individual drove a vehicle filled with crude fire‑bombs into the main office of South Oxford District Council, which was burnt to the ground. Two other buildings had also suffered arson attacks, and the individual responsible was still on the loose.
At our Emergency Planning Society conference last September, the Principal Emergency Planning Officer for Oxfordshire County Council, Carol McKay, explained the challenges the authorities faced during that long night. Very soon, over 400 District Council workers, most of them unaware of the unfolding drama, would be setting off to work in their corporate clothing, corporate vehicle or with a prominent Council ID card around their neck – and out there was an individual clearly intent on doing harm to South Oxford District Council. The challenge in those early hours of the morning was to inform every employee not to identify themselves in any way as a council employee, as well as co‑ordinating rapidly with the police to make sure every council site was secure.
Could your business or organisation achieve that in the early hours of the morning? Attacks by disgruntled employees or customers are on the increase in the US. Why not here? The point is, just because your organisation is not based alongside an ‘iconic’ potential terrorist target does not mean you are free from the threat of attack. The unexpected can happen at any moment, and usually does.
Is taking time and resources to make your organisation resilient worth it? Yes. It is a worthwhile investment because the dynamics of a robust response to a crisis are basically the same, whether you are facing a terror attack or a flood. It will be cost-effective in the long term and pay off somewhere along the line.
From 1996 to 2010, I was the lead officer for civil contingency communications in the regions, for central government. A large chunk of the late ‘Noughties’ was spent preparing for a new flu epidemic, as the 37 year cycle of flu virus mutation looked set to arrive. Almost on schedule, via Mexico, it came in 2010 in the form of Swine Flu. West Midlands NHS had spent much time and resources preparing a Mutual Aid plan between hospitals across the region – it was not just the fear of a mass influx of patients, but that its own health staff would be taken out by the virus. The hospitals drew up plans to pool and share consultants and specialist equipment.
Swine Flu came and went, with little need for recourse to the Mutual Aid plan. From Wolverhampton to Warwickshire, grumbles could be heard amongst hospital staff of ‘what a waste of time’ it was to put all that resource and effort into worrying about Swine Flu. Then out of the blue came news that the Eyjafjallajokull volcano in Iceland had erupted and was spewing volcanic ash, grounding aircraft across Europe. Consultants and surgeons tend to be an international lot, and suddenly West Midlands NHS found itself bereft of its medical specialists who were stranded at airports around the world, trying to attend conferences, visit relatives or return from holiday. So the Swine Flu Mutual Aid plan was hurriedly taken off the shelf, dusted down and put into action. And it worked too.
All that effort had not been wasted after all, thanks to a volcanic eruption over a thousand miles away. Stuff happens. Indeed, the costly IRA attack in 1993 meant that the City of London, compared to many of its international counterparts, were ahead of the game for the aftermath of 9/11.
So is your organisation prepared for the worse? You would be surprised at which organisations don’t bother with such measures. Two days after the 7/7 bomb attacks, the BBC found out the hard way. In Birmingham on 9 July 2005, we had three known terror suspects loose in the city, and had to evacuate the city centre, which included the BBC’s Mailbox complex, which is responsible for most national radio over the weekends. As the communications officer on the ground for COBR, I had a very frosty tussle with the BBC, who seemed to think our evacuating them for their own safety was the problem, not their own lack of business continuity planning. In the aftermath, they got the message and now have robust plans in place.
Let’s start with the basics. An excellent resource that can help you is the Business Emergency Resilience Group (BERG), part of Prince Charles’ ‘Responsible Business Network’. BERG helps businesses and communities across the UK to prepare for, respond to and recover from emergencies such as flooding, cyber attacks and civil unrest. Their advice applies to three key areas: emergencies, planning ahead and communication.
Emergencies – what are the threats your organisation faces? There’s the obvious – access to site prevented, disruptive events like flooding, critical equipment failure, loss of power, transport disruption, criminal attacks, IT outages, sudden staff shortages etc. Through your local council’s Emergency Planning Unit, you can also find out what local external risks you face, with a look at the local Community Risk Register.
Plan ahead – now you know what can happen, prepare for it and work out your back-up plans.
Communicate – this is the easiest one to do, yet is the one most organisations fall over on when the crisis hits. The basic tool is to compile key staff contact numbers, as well as those of the key utilities and suppliers, with other details such as how to access your site out of hours. Don’t just keep electronic versions – make sure everyone has three hard copies: one for their desk, one for their work bag, and one by the phone at home.
A growing cyber threat
The growing ‘terror’ threats today however are cyber attacks. The first such attack was way back in 1988, when the digital age was still in its infancy. Robert Morris created the ‘Morris Worm’ which spread around computers in the US. Morris was the first person to be prosecuted for computer abuse, although today he is a Professor at the Massachusetts Institute of Technology.
The world has moved on a long way from the days of the bored geek hacking away from his bedroom, more out of curiosity than malice. Cyber warfare is now more important than bombs and guns. There are several sources of cyber-attacks, which are listed below.
Overt cyber-warfare: these are open acts of warfare between nations or by terror groups. In 2008, during the Russo-Georgia conflict, computer networks in Georgia were hacked – there was no disruption, but pro‑Russian propaganda left behind instead. Similarly, in 2010, the ‘Iranian Cyber Army’ disrupted the main search engine in China, Baidu, leaving political messages in its wake.
Covert cyber-warfare: the most famous was the Stuxnet attack on the top secret Natanz Uranium enrichment plant in Iran in 2010, allegedly a joint US-Israeli operation. This virus was not hacked in from the outside, but inserted via a memory stick by an agent on the inside. In another incident a year earlier, it was Israel that was the target – during their military offensive against the Gaza Strip, an attack on government sites was launched by five million computers, mainly based in former Soviet states.
Cyber terror groups: these are groups that hack through political motivation, the most well known being ‘Anonymous’ in the West, and ‘Red October’ in Eastern Europe.
Insider threat: these are attacks by disgruntled employees (usually facing dismissal or redundancy). The FBI says of the cases that they have dealt with in the US, such attacks left each company facing between £3,000 to £1.8 million worth of damages.
And then there are always the geeks: the Robert Morris’s are still out there.
Much hacking however, is not to disrupt but to spy or steal secrets, either for national security, commercial advantage or criminal gain.
You may think none of the above has anything to do with you. Unfortunately, when the viruses and worms bite, you can be the collateral damage. As well as infrastructure resilience, you need cyber-resilience.
For your organisation generally, visit the Centre for the Protection of National Infrastructure, which can provide critical security controls guidance. They have a 20 point programme that provides the basics of cyber defence, from managing an inventory of authorised and unauthorised devices within your organisation, right through to secure network engineering.
The main barrier businesses and organisations face is usually their very own senior management. It is natural for individuals to hope for the best. At the January 2016 meeting of the UK government’s Community Preparedness National Group, the Environment Agency reported that research had shown that the average UK citizen has to be flooded three times before they decide to take measures to protect their home. Don’t be average – get to work on those resilience plans now.
Bob Wade is a crisis communications consultant, and a member of the UK government’s National Steering Committee for Warning and Informing the Public. He is also editor of Resilience, the house journal of the Emergency Planning Society (www.the-eps.org/magazine). The EPS is the professional association for those working in the resilience sector, and will be holding its next annual conference in Cardiff on 28-29 June.