Risk UK July 2015


July 2015

Security and Fire Management

Planet of Convergence: Developing Security Strategies in a Brave New World

Room for Improvement: Business Processes Revisited

Emergency Lighting Regulations: Ensuring Compliance

Under ‘The Watchful Eye’ of CCTV: Remote Monitoring

Vertical Focus: Construction Sector Risk Management



Have you tried Integriti yet?

Sophistication is not about size

The Integriti Security Management System is an IP connected access control and intruder security system that offers sophisticated centralised management for both small systems on a single site, or large systems distributed across the country or across the globe.

With a growing list of new installations take a moment to think of what you’re missing! The Integriti system offers an advanced suite of software, hardware and integrated solutions to deliver complete management of your entire integrated system.

Inner Range Europe Limited Units 10-11 Theale Lakes Business Park Moulden Way, Sulhampstead Reading, Berkshire RG74GB UNITED KINGDOM

integriti@innerrange.co.uk

+44 (0) 845 470 5000 www.innerrange.com



Contents

5 Editorial Comment

6 News Update
MoD ‘Call To Action’ on communications. NCA issues UK crime threats analysis. Cyber training for procurement professionals

8 News Analysis: Investigatory Powers Review
The much-anticipated report on the Investigatory Powers Review has just been published. Brian Sims checks out the detail

11 News Special: SyI’s Annual Conference 2015
The Security Institute’s Annual Conference for 2015 takes place in London during September. Brian Sims previews the content

12 Opinion: Corporate Investment in Security
Sir David Veness suggests that recent developments in the sphere of international terrorism have duly bolstered the business case for increased corporate investment in security

16 Opinion: Security’s VERTEX Voice
Peter Webster reviews the likely future direction for UK plc’s political policy and how it could affect the security sector

19 BSIA Briefing
The changing security requirements of construction sites and Best Practice for procurement are highlighted by James Kelly

22 The Security Market: Solutions to Risk
Peter Speight and Peter Consterdine consider the hugely topical subject of Physical Security Information Management

24 Room for Improvement
Richard Tisdall discusses the need for a more inward focus on technology designed to assist security company management

26 Let There Be Emergency Light
Emergency lighting compliance evaluated by Graham White

29 Video Analytics: The Intelligent View
As Ely Maspero duly discovers, video analytics and transactional reporting can realise tangible benefits for end users

32 Heavy Metal: Confronting Zinc Whiskers
Mike Meyer on how to manage Zinc Whiskers in data centres

34 Is There Cause for Alarm?
Fires on construction sites are a much more common occurrence than you might realise. Paul Henson offers some top tips to risk managers on ways in which they can select effective fire alarms

37 Under ‘The Watchful Eye’ of CCTV
Mike Bullock details the key role of remote monitoring solutions when it comes to keeping both people and property safe

43 Site Security: Defending in Depth
Physical security should protect company assets but also deliver a safe and secure environment, as Peter Jackson asserts

46 Voice over IP: Listen Without Prejudice
Paul German urges today’s businesses to recognise the security implications of VoIP before it’s too late

48 The Security Institute’s View

50 In the Spotlight: ASIS International UK Chapter

53 FIA Technical Briefing

56 Security Services: Best Practice Casebook

58 Cyber Security: Technology, Policy, Process
Corporate cyber resilience is the focus for Nick Wilding

61 Training and Career Development
Chris Wisely airs his collected thoughts on security training

64 Risk in Action

66 Technology in Focus

69 Appointments
Key people moves across the security and fire business sectors

71 The Risk UK Directory

Cyber: Technology, Policy and Process (pp58-59)

ISSN 1740-3480

Risk UK is published monthly by Pro-Activ Publications Ltd and specifically aimed at security and risk management, loss prevention, business continuity and fire safety professionals operating within the UK’s largest commercial organisations

© Pro-Activ Publications Ltd 2015

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means electronic or mechanical (including photocopying, recording or any information storage and retrieval system) without the prior written permission of the publisher

The views expressed in Risk UK are not necessarily those of the publisher

Risk UK is currently available for an annual subscription rate of £78.00 (UK only)

Risk UK PO Box 332 Dartford DA1 9FF

Editor Brian Sims BA (Hons) Hon FSyI Tel: 0208 295 8304 Mob: 07500 606013 e-mail: brian.sims@risk-uk.com
Design and Production Matt Jarvis Tel: 0208 295 8310 Fax: 0870 429 2015 e-mail: matt.jarvis@proactivpubs.co.uk
Advertisement Director Paul Amura Tel: 0208 295 8307 Fax: 01322 292295 e-mail: paul.amura@proactivpubs.co.uk
Administration Tracey Beale Tel: 0208 295 8306 Fax: 01322 292295 e-mail: tracey.beale@proactivpubs.co.uk
Managing Director Mark Quittenton
Chairman Larry O’Leary

Editorial: 0208 295 8304 Advertising: 0208 295 8307




Connect any Premier Elite control panel to your WiFi network.

The Premier Elite ComWiFi integrates with any Premier Elite control panel for simple, secure network connectivity. WiFi connectivity provides a host of benefits to Premier Elite systems, including compatibility with Texecom’s suite of Premier Elite Mobile Apps, and upload/download diagnostic control via Wintex software.
• Enables alarm system control via Premier Elite Mobile Apps
• Upload/download via Wintex software

Dedicated WiFi Support Area on the Texecom Website

Texecom’s forum is perfect for gaining knowledge and sharing experiences. The forum now features a dedicated area for discussing all things WiFi – why not share your experiences and learn from the experiences of others?



Perfect for Premier Elite Mobile Apps

Premier Elite control panels can be remotely controlled via smartphone and tablet. The 2 apps offer end user and system engineer functionality. NOW FREE!

Keypad

Engineer

Premier Elite Mobile Apps have been recently updated to include system alerts via Push Notification and IP-enabled camera control.

www.texe.com Sales: 01706 220460

Editorial Comment

The EU Question

KPMG has conducted an extremely interesting economic assessment. Carried out on behalf of leading trade body ADS Group, the analysis – underpinned by in-depth interviews with industry leaders – aimed to decipher whether or not the UK’s membership of the European Union (EU) delivers key and tangible benefits for our defence and security sectors. Also focusing on the aerospace and space markets, the work assessed the plus-points of membership for all four key sectors’ global competitiveness in terms of access to EU markets and supply chains, skilled workers and EU-driven funding for investment here in the UK. Importantly, the results are backed by a GfK NOP survey of ADS’ 900 members on their views of how the UK’s membership of the EU impacts the stated business communities.

Reviewing KPMG’s findings in detail, an overwhelming 86% of interviewees questioned believe it would be better for their business if the UK were to remain part of the EU, with only 2% indicating that any form of exit strategy post-referendum would be more beneficial for them. Nearly 60% of respondents cited free trade within the EU as delivering core benefits to their business, closely followed by the simplification of regulations and overall economic growth. Those questioned also asserted that the forthcoming EU referendum presents an opportunity around prioritising increased funding from the EU for those UK companies wishing to invest in R&D. Across all four business sectors there was general agreement that the second priority for change should be concentrated on greater UK engagement with Brussels.

Commenting on the study’s results, Paul Everitt – CEO of the ADS Group – explained: “Our industries are clear that the UK’s continued membership of the EU is good for companies, their employees and the future prosperity of the home nations. However, this detailed assessment has clearly shown that our sectors want to see change inside the EU with more focus on promoting growth, investment in skills, innovation and competitiveness. They also wish to see our Government raising its game to maximise UK influence and the level to which companies benefit from support and funding that’s available.”

Not surprisingly, the in-depth KPMG assessment highlights the demonstrable value of modern industrial strategies when it comes to improving productivity across the UK. On that note, the UK’s defence, security, aerospace and space industries have all outpaced national productivity levels by some considerable margin. Collectively, they realise an impressive annual turnover of £56 billion, provide over 300,000 high value, highly-skilled jobs and support nigh on 800,000 roles. In short, they’re vital cogs in our continually revolving economic wheel.

The UK’s EU referendum is scheduled to take place before the end of 2017, in turn opening a window for the EU itself to develop a positive and proactive economic agenda. One that examines how to work with Member States in enhancing the single European market’s performance on the worldwide stage. Are we better together? The UK’s security and defence sectors’ leaders have spoken. Their answer veers towards the affirmative.

Brian Sims BA (Hons) Hon FSyI Editor



MoD calls on security sector and academia to help shape future of military communications

The Ministry of Defence (MoD) is looking to develop new approaches to land and littoral communications that will support military operations in future decades. The current Bowman communications system is nearing its out-of-service date. Technology (and the nature of military operations) has changed so the MoD is keen to reflect these developments and meet the requirements of the British Army, the Royal Marines and the RAF Regiment.

Launched by the MoD, Project MORPHEUS will develop and consider options for what will eventually replace the current Bowman system. Those involved in areas such as telecommunications, wireless, IT, networks and security – as well as trainers in these disciplines – are invited to feed through their expertise and ideas on new technological approaches. Potential contributors may be working in the defence or commercial worlds.

Project MORPHEUS aims to establish options that make the very best use of current and emerging technologies, in turn resulting in a communications system that may subsequently be evolved and managed in a cost-effective way. In essence, Project MORPHEUS provides a way for academics and businesses to inform the future of military communications.

The MORPHEUS Systems House is tasked with drawing together different ideas into potential options. Those with partial solutions and research are strongly encouraged to submit their ideas. The MORPHEUS Systems House is led by PA Consulting in parallel with contributions from QinetiQ, Roke Manor Research and CGI.

The range of options outlining which technologies and software are needed to pass information from Point A to Point B on a secure basis will be addressed alongside the most appropriate long-term business models (in respect of both acquisition and operation). The selection process will take into account security, speed of communication, range, ease of use and cost when it comes to deployment and the manpower levels required for operation.

These options also need to plan for the pace of change of operational demands and technical development. They must reflect a capability to securely integrate new technologies as they find their way to market, including commercial technologies. Selected option(s) will form the basis for an MoD competition centred around the design of the new system.

Project MORPHEUS will look at options for what eventually replaces the Bowman system

New concepts and information

Rick Mather, project lead for MORPHEUS at QinetiQ, explained: “The key here is to examine all the potential options out there and identify the most operationally effective and cost-efficient solutions. We know there are lots of really exciting technology and security businesses in operation as well as academics carrying out exactly the kind of research and innovation this project needs.” Mather added: “We’re really open to innovative and even what might be considered unusual solutions to ensure that the final options are the best ones possible.”

Companies involved in the MORPHEUS Systems House industry engagement process will also be exposed to new ideas, concepts, people and information from a variety of different sectors by way of dedicated workshops, events and online collaboration. They will help shape the future market by feeding through ideas that will mean increments of the MORPHEUS Project are more likely to be designed with the capability of their future products in mind. Beyond initial design, Project MORPHEUS will be the main vehicle for the procurement of the UK Armed Forces’ tactical communications capability for the next three decades.



News Update

Latest in-depth analysis of current UK crime threats issued by the NCA

The National Crime Agency (NCA) has just published its second public-facing analysis of the serious and organised crime threats presently affecting the UK. The National Strategic Assessment (NSA), which is produced on an annual basis, draws together knowledge from across the complete law enforcement community, in turn offering an objective picture of serious and organised crime threats and enabling UK law enforcement in its entirety to prioritise, coordinate and target the response.

Themes brought out in the 2015 assessment include an overall increase in the risk from human trafficking and modern slavery, and a specific increase in labour exploitation. Money laundering is now a high priority risk in its own right while there’s an expectation that criminals will focus on mobile malware as the use of apps for financial transactions increases. In addition, the growing complexity of tracing online criminal activity as the next generation of IP addresses rolls out is pinpointed, so too the fact that bribery and corruption remain critical enablers for all types of criminality.

The NSA is presented in two sections. The first of these analyses the key threats including child sexual exploitation and abuse, firearms, organised immigration crime, human trafficking and modern slavery, cyber crime, money laundering, drugs, economic crime and organised acquisitive crime. The second section assesses the cross-cutting threats which underpin most serious and organised crime, including corruption, criminal use of Internet technology, prisons and lifetime management, border vulnerabilities and the criminal use of identity as an enabler.

The NCA’s director general Keith Bristow commented: “Serious and organised crime affects us all. It’s a pervasive national security threat with far-reaching effects on the UK’s social and economic well-being and international reputation. Its perpetrators are highly innovative and tenacious in pursuing their goals. Our response must be resourceful and relentless.”

Continuing the latter theme, Bristow added: “To inform that response, we need a comprehensive understanding of the risk. The National Strategic Assessment draws together that single picture and has been produced in consultation with a broad range of partners.”

In conclusion, Bristow stated: “A collaborative approach remains vital across policing and law enforcement. Partnerships, both domestic and international, bringing together the public and private sectors, academia, charities and society as a whole are crucial when it comes to delivering a lasting detrimental effect on serious and organised crime impacting on the UK.”

The National Crime Agency has been evaluating current serious and organised crime threats in the UK

*Keith Bristow is to retire from law enforcement in 2016. Bristow has made the announcement now to allow time for the appointment of his successor and enable a smooth handover period

Cyber training launched to boost security across procurement profession

The Government has launched an Internet-based cyber security training course designed to help constituent members of the procurement profession stay safe online. The new interactive course will assist those working in procurement to protect themselves, their businesses and their suppliers from cyber attack. The training is freely available and will help UK businesses deter information breaches and other threats that could potentially cost millions of pounds.

Procurement professionals deal with a wide range of sensitive commercial and financial information which is central to the successful operation of many businesses. On that basis, the new course will increase awareness of the common cyber risks and threats procurement professionals may experience in the workplace and how to prevent and deal with them. Importantly, it provides salient advice on how to safeguard digital information and raise awareness of cyber issues with suppliers while also affording Best Practice examples around dealing with issues such as information breaches in the workplace.

Launching the new training course at the Chartered Institute of Procurement and Supply (CIPS), Giles Smith (deputy director of cyber security and resilience at the Department for Culture, Media and Sport) said: “This training course will help those working in purchasing and supply chain management understand the cyber threat and how to protect themselves and their information. We know businesses benefit when they train their staff and take the cyber security threat seriously. I would encourage all companies to make use of the training, advice and support on offer.”

The new course supports the Government’s aim of making the UK one of the safest places in the world in which to do business online. Access is gained via the CIPS website: www.cips.org


Investigatory Powers Review highlights law that’s “fragmented, obscure and under constant challenge”

Prime Minister David Cameron has now published the much-anticipated report of the Investigatory Powers Review. Entitled ‘A Question of Trust’, the document was submitted by David Anderson QC (the Independent Reviewer of Terrorism Legislation) and a debate involving Home Secretary Theresa May played out in the House. Brian Sims reports

The Investigatory Powers Review was conducted by a small independent team operating under David Anderson QC’s direct leadership and received almost 70 written submissions from various quarters. Further evidence was taken from public authorities (at the highest level of security clearance) and from a wide range of organisations and individuals in the UK, California, Washington DC, Ottawa, Berlin and Brussels.

Parts I-III of the report (Chapters 1-12) inform the debate by summarising the importance of privacy, the threat picture, the relevant technology, external legal constraints, existing law and practice and comparisons with other types of surveillance, other countries and private sector activity. These sections also summarise the views expressed to the Review by law enforcement, intelligence, service providers and civil society.

Part IV (Chapters 13-15) sets out five underlying principles and 124 separate recommendations. Taken together, they form the blueprint for a new law designed to replace the Regulation of Investigatory Powers Act 2000 (RIPA) and the dozens of other statutes presently authorising the collection of communications data.

Speaking about the Investigatory Powers Review’s findings, David Anderson QC said: “Modern communications networks can be used by the unscrupulous for purposes ranging from cyber attack, terrorism and espionage through to fraud and kidnap. A successful response to these threats depends on entrusting public bodies with the powers they need to identify and follow suspects in a borderless online world.”

Anderson continued: “However, trust requires verification. Each intrusive power must be shown to be necessary, clearly spelled out in law, limited in accordance with international Human Rights standards and subject to demanding and visible safeguards. The current law is fragmented, obscure and under constant challenge as well as being variable in the protections that it affords the innocent. It’s time for a clean slate. This report aims to help Parliament achieve a world class framework for the regulation of these vital powers.”

Prime Minister David Cameron has published the report of the Investigatory Powers Review

Key recommendations made

The key recommendations are summarised in paragraphs 10-34 of the Executive Summary at the beginning of ‘A Question of Trust’. There’s mention of a new law that should be both comprehensive in its scope and comprehensible to people across the world. The advice given is also to maintain – subject to legal constraints – existing capabilities relating to necessary compulsory data retention as provided for by the Data Retention and Investigatory Powers Act 2014 (DRIPA) (and, formerly, under an EU Directive).

The report also focuses on the enhancement of those capabilities (eg by requiring the retention of ‘weblogs’ as proposed in the draft Communications Data Bill 2012, the so-called ‘Snoopers’ Charter’) but only to the extent that a detailed operational case can be made out and that a rigorous assessment has been conducted of the lawfulness, likely effectiveness, intrusiveness and cost. Bearing in mind legal constraints, a recommendation is made about the retention of bulk collection capabilities, but subject to additional safeguards and to the addition of a new and lesser power to collect only communications data in bulk.

Mention is made of a new requirement of judicial authorisation (by Judicial Commissioners) of all warrants for interception, the role of the Secretary of State being limited to certifying that certain warrants are required in the interests of national security relating to the defence (or foreign policy) of the UK. Further, there’s some discussion around measures to reinforce the independence of those authorising requests for communications data, particularly within the security and intelligence agencies.

Another recommendation centres on a new requirement of judicial authorisation of novel and contentious requests for communications data and of requests for privileged and confidential communications involving, for example, journalists and lawyers. Anderson’s 300-page report pinpoints the necessity for the streamlining of procedures in relation to warrants and the authorisation of requests for communications data by local authorities and other minor users.

The Independent Reviewer of Terrorism Legislation also pinpoints the need for improved supervision of the use of communications data, including in conjunction with other data sets and open-source forms of intelligence material. In addition, there’s mention of maintaining the extra-territorial effect in DRIPA 2014 Section 4 pending a longer-term solution which should include measures to improve the co-operation of overseas (and in particular US-based) service providers and the development of a new international framework for data sharing among like-minded democratic nations.

Also, the replacement of three existing Commissioners’ offices by the Independent Surveillance and Intelligence Commission: envisioned as “a new, powerful, public-facing and inter-disciplinary intelligence and surveillance auditor and regulator” whose Judicial Commissioners would take over the responsibility for issuing warrants, authorising “novel, contentious and sensitive” requests for communications data and for issuing guidance. Expanded jurisdiction for the Investigatory Powers Tribunal and a right to apply for permission to appeal its rulings is highlighted, so too the “maximum possible transparency” on the part of the Investigatory Powers Tribunal and public authorities.

Endorsement of ISC’s proposals

The new report endorses some of the recommendations made by the Intelligence and Security Committee (ISC) and outlined in the document entitled ‘Privacy and Security’, which was published in March. That said, the new report is somewhat broader in its own scope, covering the activities of all 600 bodies with powers in this field and not just the security and intelligence agencies. It also departs from the ISC in recommending (a) that a new law should apply across the board and (b) that interception warrants should be judicially authorised.

A further Independent Surveillance Review, to be conducted under the auspices of the Royal United Services Institute (RUSI), was commissioned in March 2014 by the Deputy Prime Minister. It has not yet issued a report.

The Independent Reviewer of Terrorism Legislation is also keen to point out that there has been some recent media speculation on the subject of encryption “which it may be useful to correct”. Indeed, the position communicated by the security and intelligence agencies to the Investigatory Powers Review is summarised as follows: “The agencies do not look towards legislation to give themselves a permanent trump card. Neither they nor anyone else has made a case to me for encryption to be placed under effective Government control, as in practice it was before the advent of public key encryption in the 1990s. There has been no attempt to revive the argument that led to the Clipper Chip proposal from the NSA in the 1990s, when public key cryptography first became widely available. The agencies do look for co-operation – enforced by law if needed – from companies abroad and in the UK that are able to provide readable interception product.”

Anderson’s detailed report recommends that, in the digital world as in the real world, ‘no-go areas’ for intelligence and law enforcement should be minimised, but states the following: “Few now contend for a master key to all communications held by the state, for a requirement to hold data locally in unencrypted form or for a guaranteed facility to insert ‘back doors’ into any telecommunications system. Such tools threaten the integrity of our communications and of the Internet itself. Far preferable, on any view, is a law-based system in which encryption keys are handed over – by service providers or the users themselves – only after properly authorised requests.”

Home Secretary Theresa May

Human Rights campaigner Shami Chakrabarti, the director of Liberty


News Special: The Security Institute’s Annual Conference

Redefining Security: Evaluating Change and Future Scenarios

Technology is enabling us to monitor and modify behaviours. The accumulation of vast amounts of personal data is allowing us to drill down and identify trends that enable effective security interventions. The willingness of people to allow their personal privacy to erode is rendering behavioural insights of immense practical value, while the interconnected nature of society helps us to spot security threats and address them.

The outsourcing of security from the public to the private sector also seems to be gathering speed, with all of the opportunities and challenges this entails. Education is becoming an increasingly important element within the profession, and we’re starting to see young people attracted to a career in security in far greater numbers.

Given that backdrop, in 2015 The Security Institute’s popular Annual Conference will examine the changes that have taken place to propel us to where we are today and critically review them. Cyber security and digital threats will be among the many key challenges over the next five years, as will the diversity of general risks and threats and the need for integrated approaches able to deal with them.

The 2015 event – which runs on Tuesday 22 September at The Thistle Hotel, Marble Arch, Bryanston Street, London W1H 7EH – will seek to ‘look over the horizon’ as the Institute speculates what’s likely to happen next and what developments will mean for practising security professionals. How is the 21st Century redefining the practice of ‘Security’? What have been the changes so far and, importantly, what are the changes to come?

‘The Public We Serve’

Dr Gus Hosein of Privacy International is set to give this year’s Keynote Address. The security landscape has changed dramatically since the turn of the 21st Century. This may be the result of voluntary and greater openness on the part of the authorities or an openness that has been driven by individuals or groups actively seeking to reduce their exposure to surveillance (from the state, corporations or individuals as a result of, for example, the rapid proliferation of social media platforms).

Dr Hosein’s delivery will seek to highlight the changes that have occurred, both positive and negative, and those that have had the greatest impact on individuals and their rights. The presentation will examine the role of the public and private sectors and consider whether ‘The Public We Serve’ is now better served by the changes that have occurred.

An insight on crime reporting

An insight on Facewatch from concept to completion will be offered by Simon Gordon, the organisation’s founder. This session will look at some real-life Case Studies/success stories and explain to attending delegates how, if Facewatch didn’t exist, crime incidents might have been treated and resolved differently. It will also look at where online crime reporting is going. Simon Gordon founded Facewatch back in April 2010. As well as being the executive chairman of the organisation, he’s also a qualified Chartered Accountant.

Now in its eighth year, The Security Institute’s Annual Conference and Exhibition is the organisation’s premier educational vehicle for members and specially invited guests. In late September, the conference programme focuses on how the practice of security has been transformed during the first 15 years of the 21st Century

Security on the South Bank

London’s South Bank once had the reputation for being one of the capital’s least likely areas to which visitors might actively return. Today, it has been transformed into a vibrant and thriving economy where members of ‘The Public We Serve’ are encouraged to return (and do so in their droves) having enjoyed their previous visitor experience. In recent times the South Bank has witnessed a massive increase in footfall, presenting opportunities for businesses and criminals alike. How, then, to build on the success so far and generate an even better customer experience for the public while at the same time stifling the criminal element?

Eric Dench MSyI served for 31 years with the Metropolitan Police Service, retiring as a counter-terrorism security advisor in 2006. He’s now head of security for Merlin Entertainments attractions at London’s County Hall. Dench is also chairman of The South Bank Business Watch, a position that he has held for the past seven years.

Other confirmed speakers at The Security Institute’s 2015 Annual Conference include Nick Hardwick CBE (Her Majesty’s Chief Inspector of Prisons), Paul Broadbent CSyP of the Gangmasters Licensing Authority and Mike Gillespie MSyI from Advent IM. In short, it’s a must-attend event.

Conference Bookings

Prices for delegates at this year’s SyI Annual Conference are as follows:
• Conference and dinner: £189 for SyI members/£249 non-members
• Conference only: £149 for SyI members/£199 non-members
• Dinner only: £75 for SyI members/£90 guests

*To book your place telephone 08453 707717 or visit: www.securityinstitute.org/events
**The 2015 event is kindly sponsored by Insafe


Closing The Gap: Increasing Corporate Investment in Security

Former Metropolitan Police Service Assistant Commissioner Sir David Veness presents a strong argument to suggest that recent developments in the sphere of international terrorism, coupled with current responses to the threats and risks posed, have duly bolstered the business case for increased corporate investment in security.

The recent presence of armed soldiers on the streets of French and Belgian cities demonstrates nothing if not changed circumstances and the novel dimensions of the challenge presently facing today’s security managers and directors. For their part, business leaders will wish to consider the four key factors which have led to these changed conditions.

First, the threat is growing faster than the response and has created a gap in security. Second, the threat and the security gap are likely to be enduring. Third, the potential impact upon business encompasses staff safety and security at home and abroad. Fourth, the changed threat and response has wide implications for business operations and thus necessitates a more integrated and comprehensive security policy.

The opportunity for business arising from these factors is to assess the need for self-help and sharpen the corporate security posture. This opportunity extends to a given business’ contribution to closing the security gap in the wider community interest.

A sound beginning for the process of assessment of the need for business change is to analyse the reasons for the growing threat and duly appreciate the limitations placed upon response. Today’s growing threat derives from geography, groups, expanding terrorist methodologies and the stated agenda of terrorist actors.

In terms of space, geography applies to both real locations and the virtual realms of electronic communications. Terrorists have occupied the grey spaces to develop their activities and elude traditional counter measures. Meantime, instability within Syria, Iraq and the Yemen added to the existing predicament of Afghanistan and Pakistan plus parts of North, East and West African states provides a wider dimension of risk.

Andrew Parker, director general of the UK’s Security Service, emphasised the Syrian aspect in his compelling and incisive address to the Royal United Services Institute at Thames House in London on 8 January this year. “Outside of Iraq and Syria, we believe that since October 2013 there have been more than 20 terrorist plots either directed or provoked by extremist groups in Syria,” explained Parker. He also reminded the audience of events in Belgium, Canada, Australia and France, adding: “We know that terrorists in Syria harbour the same ambitions towards the UK, trying to direct attacks against our country and exhorting extremists here to act independently.”

Ungoverned virtual territory

International terrorists have already made vigorous use of ungoverned virtual territory to incite violence, to plan and to train, create plenty of propaganda and communicate both overtly and secretly. On this matter, former GCHQ director Sir David Omand has stated: “It would seem only a matter of time before neo-Jihadist terrorists acquire and use cyber attack capabilities, possibly by buying the services of criminal hackers, although so far they’ve preferred the more traditional route of explosives and guns.”

Cyber attack is entirely consistent with the stated international terrorist aim of causing economic harm and potentially significant loss to target interests. The private sector is particularly vulnerable to this development which absolutely reinforces the wisdom of an holistic approach to corporate security.

In September last year, the FBI’s Cyber Division issued a detailed advisory note to private sector industry setting out the possible reaction to ongoing airstrikes against the Islamic State in Iraq and the Levant (ISIL). The note highlighted the potential for offensive cyber terrorist and hacktivist activity. The advice was aimed at US victims, but listed examples of actual incidents in the UK.

Opinion: Strengthening the Case for Business Security

The importance of the thread of instability extends to the emergence of new groups and new forms of old groups. The result is a wider and deeper pool of terrorists. Hence the significance of ISIL and its assertion of Islamic Statehood attracting volunteers from many nations. There’s also the forward deployment of Al-Qaeda core to Syria and the continued activities of affiliates such as Al-Qaeda in the Arabian Peninsula. Groups in North, West and East Africa – some of them with links to ISIL, Al-Qaeda or their affiliates – merely add to the complexity of sources of terrorist operatives.

The overall movement of fighters from outside the country to Syria is a major factor and numerically worrisome, particularly when compared to the numbers who fought in Afghanistan and went on to cause a global terrorist surge. It must also be said that the implication of foreign fighters is wider than the issue of individuals simply travelling to and from Syria. The broader consequence is the danger of greater connections between potential terrorist recruits, both in their homelands and on the move, and terrorist recruiters, trainers and technical advisors in ungoverned spaces. These connections are both real and virtual.

Nature of terrorist plots

Another component of the growing threat is the very nature of terrorist plots and attacks. Terrorist methodology is expanding from the established middle ground of guns and explosives – including the deployment of suicide bombers – towards new variations at both ends of the spectrum.

At the unsophisticated tier, the use of knives and motor vehicles as weapons to be driven into crowds is advocated by terrorist agitators. In addition to regrettable casualties, public fear is to be expected, and notably so when crude attacks are carried out with such great brutality. The cumulative effect of more potential offenders, more unpredictable incidents and greater mitigating measures only adds to the burden placed upon the authorities to both Protect and Prepare.

The centre ground of guns and explosives remains a present menace with additional tactics of marauding attackers and variations in components as well as the concealment of IEDs. At the top end of the scale, terrorist innovation is a persistent dimension. Cyber attack – plus chemical, biological and radiological aspects – remains pertinent. On 24 January this year, an airstrike near Mosul in Iraq killed a member of ISIL whom US Central Command asserted had technical competence in the production and use of chemical weapons.

The final key aspect of threat development is the expressed intention of international terrorist groups. Dire events since 2001 have underlined the wisdom of listening to and evaluating what terrorist groups actually say. There’s a marked correlation between intended targets and actions and grim reality on the ground. A clear current example is the stated threat of retaliation aimed at members of the US-led coalition carrying out air strikes in Iraq. Terrorist groups in Iraq and Syria have expressed the ambition to strike back at coalition member states and urged their supporters to take action wherever they’re located, including the specification of potential targets and/or attack methods.

UK membership of the coalition conducting operations in Iraq (but not Syria) is based on the debate held in the House of Commons on 26 September 2014. During those discussions, issues of national interest and the safety of the British people from the ISIL threat were well articulated. The counter-terrorist case for membership of the coalition is soundly based and that membership is likely to be long-term.

Assessing the response capability

The consequences of terrorist reaction are an inevitable factor in the overall threat. The combination of extended geography (both territorial and virtual), more groups and terrorists, a broadened span of attack methods and stated terrorist intentions provides the code to understanding the changed contemporary threat of international terrorism. This is markedly different from the threats which the UK has faced since the 1970s and business security regimes should now reflect that unwanted fact.

Speaking in the House of Lords last January, Lord Evans of Weardale (former director general of the UK’s Security Service) explained: “When I left MI5 in 2013, I felt cautiously optimistic that we were over the worst as far as Al-Qaeda and Islamist terrorist attacks in this country were concerned. It seemed to me that we were making significant progress. Regrettably, subsequent events have proven that judgement to be wrong.”

This cogent analysis from one of the UK’s most knowledgeable and experienced experts becomes even more powerful when the threat review is extended to a review of response. The stark conclusion is that the threat has increased but the response capability has not kept pace. This has produced a gap at a time when the national threat level posed by terrorism is ‘Severe’ and an attack on the UK mainland is assessed as being ‘Highly likely’.

Political and economic constraints

*This article first appeared in City Security Magazine (Spring Edition 2015)

The limited ability of nations – including those directly threatened by terrorist attacks – to address threats at their geographic or virtual sources is critical. There are political, social and economic constraints. There are also the risks of counter-productive consequences of direct action to be taken into account. This means that disruption and degradation of terrorist groups will not be swift. It will also require a sustained multi-national commitment.

On that note, US President Barack Obama has warned: “It will take time to eradicate a cancer like ISIL. Any time we take military action there are going to be risks involved.” The Report of the House of Commons Defence Committee published on 5 February this year underlines the myriad challenges in defining and implementing strategy towards Iraq and Syria.

The domestic resourcing requirements to address the growth of the threat are indeed formidable. Investment in intelligence is the logical best choice, but the demand extends across Pursue, Prevent, Protect and Prepare. For example, protective security for people and places requires intensive effort with high grade skills.

Monitoring and surveillance

Monitoring and surveillance generate comparable demands for well-trained staff. Also speaking in the House of Lords back in January this year, Lord Harris of Haringey questioned whether the budgetary allocation for the police service is adequate for the additional demand. Lord Harris also drew attention to the provision of police firearms capability.

Both the former and present director generals of the Security Service have underlined the pressing need to modernise properly accountable access to terrorist communications and mitigate the present exploitation of dark areas. There seems little doubt that this issue is a very important reason for weakness in response without any prospect of immediate resolution.

The relationship between threat and response has been graphically described in The Economist in an article entitled: ‘Counter-Terrorism: Getting harder’. The final paragraph of that article states: “The citizens of the West have grown used to the idea that their security services can protect them from the worst that might happen. Faced by a new range of threats, and with counter measures apparently of rapidly declining effectiveness, that situation may be about to change.”

The UK is extremely fortunate in having highly competent private security professionals working both within companies and for external specialist solutions providers. We have an excellent tradition of Corporate Social Responsibility in terms of business self-sufficiency, support to the public services and a valued contribution to the wider safety of the community in general.

Indeed, business-representative organisations have a very constructive track record of engagement on this agenda. There’s a unique range of innovative public-private sector joint initiatives such as the excellent Cross-Sector Safety and Security Communications scheme energised for London 2012 and, of course, Project Griffin. There may well be scope for even greater effectiveness by closer coordination of these elements.

Sir David Veness CBE QPM is Senior Advisor at Pilgrims Group and Honorary Professor of Terrorism Studies at the University of St Andrews in Fife, Scotland



Opinion: Security’s VERTEX Voice

The Rise of the SNP: The Thin End of The Wedge?

As far as General Elections go, that which played out across the UK in May had more than its fair share of drama. Fast forward a couple of months and, with the Queen’s Speech now delivered to Parliament, Peter Webster reviews the likely future direction for UK plc’s political policy and, closer to home, how it could affect the security business sector.

Peter Webster: Chief Executive of Corps Security

In many respects, the General Election result was a tale of two nations. Most of us expected a hung Parliament of one kind or another, so when the BBC’s constantly updated exit polls started predicting that the Conservative Party would win an outright majority it was somewhat hard to believe. Let’s just say very few of us truly thought Lord Paddy Ashdown GCMG CH KBE of Norton-sub-Hamdon would actually have to eat his hat.

That said, I was one of those who suspected there may well be a surprise outright victory for the Conservatives as, against all expectations, the UKIP vote seemed to be emanating from the supporters of other parties. The success – or otherwise – of the Conservative/Liberal Democrat partnership fostered across the last five years is a moot point and, with public enthusiasm for ‘Government by coalition’ now at its lowest ebb in 30 years, it’s probably a good thing that a hung Parliament didn’t transpire on the morning of Friday 8 May once all of the votes from the 650 Parliamentary constituencies had been duly counted and affirmed.

The issue of spending dominated political discussion both pre- and post-General Election. Broadly speaking, the Conservatives will focus on continued fiscal consolidation, UK devolution and a renegotiation of European Union (EU) membership. The Labour Party would have looked towards a less aggressive deficit reduction programme in order to limit what the Opposition perceives to be the negative effects of austerity. For sure, Conservative Party promises of a referendum on EU membership will continue to cause a degree of uncertainty for those in the security sector who export their goods and services outside of the UK.

Seismic shift north of the border

While the startling success of the Tories was down to English voters, north of the border a seismic shift occurred with the Scottish National Party (SNP) winning 56 of the country’s 59 seats. Although this result was greeted with a certain amount of incredulity by most political commentators, some of us were rather less surprised given the result of the Scottish Independence Referendum wherein just shy of 45% of the voters supported the Nationalist message.

What transpired in the General Election was that the SNP achieved 50% of the vote in Scotland and, in turn, placed itself firmly in the driving seat when it comes to negotiating greater devolution. Indeed, Angus Robertson – the SNP’s Westminster leader – recently stated that his party wants to negotiate the transfer of even more tax and welfare powers to Scotland. The Scotland Bill will make Holyrood responsible for raising around 40% of the country’s taxes, with powers to set the thresholds and rates of income tax included in the legislation. SNP MPs at the Palace of Westminster will no doubt be pushing to make the Scottish Government responsible for raising all of the money it spends.

No surprises there, but we have to be careful that any moves in this direction don’t adversely affect those businesses conducting their operations in both Scotland and England. For instance, if income tax levels are different and/or changes to the National Minimum Wage are made independently, confusion could be the end result. We must be careful not to create a situation in which Scotland sets the agenda for the rest of the UK. This surely strengthens the case for English votes for English laws.

Zero hours contracts

Moving away from this subject for a moment, the issue of zero hours contracts was a hot topic leading up to the General Election and I’m glad to see positive steps being made in respect of this agenda. The Government acted in advance of the Queen’s Speech (‘Queen’s Speech 2015: Government’s plans for repeal of Human Rights Act “on hold”’, Risk UK, June 2015, p6) to outlaw the use of exclusivity clauses in zero hours contracts and, as part of the Enterprise Bill, David Cameron and his Cabinet indicated that there would be a further crackdown on the abuse of such contracts. Details are pretty scarce just now, but the Government has entered into a period of consultation on the issue and we can expect to hear more very soon.

Although they’re certainly being abused in some cases, when employed correctly zero hours contracts are a force for good and offer flexible employment opportunities. Therefore, any legislation must be careful not to throw the baby out with the bathwater and hinder the employment of those who are happy to work under this type of contract. Iain Duncan Smith, the Secretary of State for Work and Pensions, has argued that zero hours contracts “provide people with a flexible way of working and the freedom to arrange jobs around other commitments”.

Some employers, though, are clearly abusing the system and creating an intolerable situation for their employees, either by placing them ‘on call’ 24/7 or by preventing them from taking on additional work elsewhere. This practice is wholly unacceptable.

Data from the Labour Force Survey indicates that the number of people employed on zero hours contracts between October and December 2014 was 697,000 (or 2.3% of all people in employment). Of course, nobody knows how many of the individuals involved choose to have a flexible contract as it suits their lifestyle or how many feel that such arrangements are potentially exploiting them.

‘Naming and shaming’ process

It’s good to hear that a harder line will be taken against those employers failing to pay the National Minimum Wage. A ‘naming and shaming’ process has already begun. To date, the Government has publicly named over 200 employers who’ve failed to pay their workers the National Minimum Wage, with total arrears of over £635,000 and penalties somewhere north of £248,000. Companies could now face financial penalties of up to £20,000 if they don’t pay the National Minimum Wage, while ‘naming and shaming’ could also result in serious reputational consequences for those involved.

Wage rates in the security guarding sector have been a significant cause of concern for many years and, to my mind, this isn’t helping our ongoing bid to improve the security sector’s image. The Government recently announced that the National Minimum Wage would be raised by 3% to £6.70 an hour from October 2015. This is welcome news that will afford a pay rise to over 1.4 million of the lowest paid workers in our country.

I’m pleased that this type of decisive action is being taken as, in my opinion, we should all be working towards paying the Living Wage in the security industry (‘The Living Wage: Stepping in the Right Direction’, Risk UK, May 2015, pp14-15) as a bare minimum in order to benefit from increased staff motivation and retention rates and reduced absenteeism. Hopefully, we’ll see greater moves in this direction going forward.

At £7.85 an hour, the current Living Wage is 21% higher than the National Minimum Wage, while this figure rises to £9.15 an hour in London. During 2014, the number of accredited Living Wage employers more than doubled, with over 1,000 employers across the UK having now signed up to the pledge. That said, any improvement to the National Minimum Wage will have a positive impact on those at the sharp end of the security guarding sector.

As a security sector professional, another Parliamentary-produced document that catches my attention is the Investigatory Powers Bill, colloquially referred to as the ‘Snooper’s Charter’. In addition to enabling the tracking of individuals’ Internet and social media use, the proposed Bill will also strengthen the Security Service’s warranted powers for the bulk interception of the content of communications. Although this move has not proven popular with pro-civil liberties and Human Rights groups such as Liberty, those with nothing to hide should not be concerned about this legislation as we need to do everything in our power to prevent terrorist attacks.

*The author of Risk UK’s regular column Security’s VERTEX Voice is Peter Webster, CEO of Corps Security. This is the space where Peter examines current and often key-critical issues directly affecting the security industry. The thoughts and opinions expressed here are intended to generate debate among practitioners within the professional security and risk management sectors. Whether you agree or disagree with the views expressed, or would like to make comment, do let us know (e-mail: pwebster@corpssecurity.co.uk or brian.sims@risk-uk.com)


Securitas, a true focus on Security The skills of our people, alongside the best in technology produce total integrated solutions that safeguard your business.

0800 716 586 www.securitas.com



BSIA Briefing

Building on Firm Foundations: Best Practice Techniques for Construction Site Security

As the construction sector begins to recover and grow again in the post-recession period, so the demand for site security looks set to rise. James Kelly explores the changing security requirements of construction sites and highlights Best Practice methods when it comes to procurement.

James Kelly: CEO of the British Security Industry Association

The construction sector has experienced a positive start to 2015, with figures published by the Office for National Statistics suggesting that the sector has contributed to a better than expected outlook for economic growth in the first quarter of the year. Making up 6.4% of the UK’s economy, the construction sector suffered the effects of recession particularly keenly but is now beginning to feel more upbeat, with reports suggesting that customer uncertainty has reduced following May’s General Election [1].

How might these positive upward trends affect demand for construction site security? As the number of construction projects rises, it’s natural to expect demand for effective site security measures to increase in tandem. With the typical building site playing host to a number of different contractors at any one time, not to mention a wide range of valuable equipment, security considerations are always paramount, particularly so given the often open and accessible nature of such locations. Left vulnerable overnight, construction sites face potential threats in terms of theft, vandalism and/or acts of terrorism.

A security breach or poorly implemented security measure can have a number of negative effects on a construction site or depot. These may include financial losses and unplanned downtime alongside Health and Safety issues caused by unauthorised tampering with equipment or procedures. On that basis, site security is essential for the successful and timely completion of a project and the continued success of all businesses involved. As such, security should be addressed at the earliest possible opportunity, in turn ensuring maximum protection throughout the entire build process.

Taking the holistic approach

A layered approach to security will work best. Starting at the perimeter and working inwards, various security measures – both electronic and physical in nature – can be integrated successfully to provide an holistic, effective solution that will safeguard even the most complex of construction sites.

According to construction sector analyst Glenigan [2], London is leading the way in the market’s recovery, with rising demand for business-focused accommodation set to prompt increased investment in the development of prime office space, while the sharp rise in planning approvals for a number of high-profile residential schemes also looks set to provide the market with a significant forward momentum.

Of course, one of the most high-profile building projects in the capital is Europe’s largest construction project, Crossrail. At present, Crossrail employs 10,000 workers across 40 sites in continuing to work towards its goal of constructing 42 additional kilometres of track capacity for London’s railway network, in turn providing more direct access routes across the city. Kick-started in 2008 and scheduled for final completion in 2018, much of the work on the project is due to take place in the 2015-2016 period.

In conversation with IFSEC International’s organiser UBM, Crossrail’s security manager David Buck has outlined the successful application of the layered security approach that has been deployed at Crossrail sites across the city. Showcasing the busy Farringdon site situated near the heart of the Square Mile, Buck has discussed the blend of physical perimeter security with electronic security measures and security guarding.

“You will see hoardings. You will see gates. You’ll see entry points. All of these are the physical ‘locks and bolts’ of how a site is secured. We then introduce an electronic system of access control permitting access through turnstiles. Internally, we zone the site and this allows individuals who need to pass through into work areas to do just that. Those who don’t need to go into these work areas for any reason are restricted in their access.”

Buck added: “We then have CCTV cameras. These will be set on a patrol schedule and pick up images which are monitored by trained security personnel. Other cameras on the hoarding lines afford a view of those lines. Backing all of this up, we then introduce a specialist security provider who will provide licensed security officers.”

In fact, the so-called ‘Onion Ring’ approach – whereby the most at-risk area lies at the core of a layered defence system – is commonly deployed on construction sites, integrating physical security measures with electronic systems to provide an early warning system in tandem with realising speedy responses to any potential breaches.

Contrasting with the huge Crossrail project, those managing smaller construction sites don’t always have the resources and manpower to ensure that such locations are being monitored around the clock. This is where remotely monitored alarm systems can assist. If an alarm is triggered on a given site, personnel at a Remote Video Response Centre (RVRC) can be notified of the breach and will be able to respond accordingly, allowing for effective and efficient 24-hour protection and giving site managers peace of mind whenever they’re not in the area.

Effective security solutions

Protecting the valuable plant machinery and equipment often stored on a construction site overnight is also a primary concern, particularly given the recent trend of equipment being stolen and then used to commit other crimes including the removal of ATMs from the walls of banks and out-of-town supermarkets. In days gone by, industrial diggers have been notoriously easy to steal and difficult to trace, but developments in their design and the application of security technology are helping to combat this dual problem.

One particularly cost-effective method of protecting valuable construction materials is by identifying them with a forensic marking system. This includes the use of microdots and forensic solutions which work in a similar way to our own DNA in that they are invisible to the naked eye but visible under UV lighting and provide a unique identifier for tracing the machinery back to its original owner. When applied to specific elements of construction machinery, such solutions make it impossible for thieves to disguise the given machine’s true identity without completely removing that part of the vehicle. In fact, just a small amount of ‘taggant’ or dye has to be applied in order to prove ownership of diggers or power tools, etc should a theft occur.

Health and Safety considerations are also of paramount importance on construction sites of all sizes. This is an area where security solutions can and do play an important role. As mentioned previously, access control measures can help restrict the movement of personnel into more dangerous or challenging areas. Other security solutions, though, may also prove effective in ensuring the Health and Safety of construction site personnel. Lone worker devices, for instance, can help to protect construction workers working alone or without direct supervision, providing them with added reassurance when they’re travelling to and from remote sites in either dangerous or remote neighbourhoods.

Making informed choices

Recently, the British Security Industry Association (BSIA) began conducting research into the attitudes of those procurement professionals responsible for buying security products and services in a number of industry sectors, including construction. Early results of this research suggest that spending on construction site security actually increased during the economic downturn, with procurement personnel focusing heavily on the quality of solutions rather than price alone in order to determine their purchasing decision.

The BSIA has published a guide to the application of various security measures in the construction sector. Exploring a range of issues from risk assessment and mitigation through to the different approaches required for greenfield (new build) and brownfield (redevelopment) sites, the BSIA’s guidance notes provide in-depth, impartial advice to construction site managers seeking to maximise the effectiveness of security measures. The BSIA’s guide can be downloaded directly at: http://www.bsia.co.uk/publications/publications-search-results/123-constructionsite-security-a-guide.aspx

References
[1] ‘UK growth outlook brighter after new construction data’, The Guardian, 12.6.2015 (http://www.theguardian.com/business/2015/jun/12/uk-economic-growth-revisedup-as-ons-paints-brighterpicture-of-construction)
[2] Construction Market Analysis: Featured Region – London, Glenigan, June 2015 (https://www.glenigan.com/construction-marketanalysis/news/featuredregion-london-2015)



The Security Market: Solutions to Risk

The final instalment of an exclusive three-part series dedicated to Best Practice in the arena of risk management techniques witnesses Peter Speight and Peter Consterdine examine the subject of Physical Security Information Management (PSIM). As they duly discover, the goal of PSIM is not just to integrate systems but also to provide vital business intelligence for the host organisation

From a technology perspective, there are two new capabilities making integration across physical security devices easier in today’s business environment. First, with the advent of IP networking for security devices and systems there are common networks in place for the simple collection of information. Second, software technology is now available to integrate any number and variety of disparate physical security devices into one intelligent security system that leverages a single common operating picture.

The latter technology, designated Physical Security Information Management or PSIM, applies experience from the software networking and security worlds to the physical security market in order to optimise device integration, analysis and end-to-end situation management and resolution.

Migrating security systems to an IT network should acknowledge that an enterprise requires more from these systems than simple alerts of events and incidents. The enterprise demands key information and often requires decision-making at a systems level. PSIM is the latest independent strand of software designed to achieve these seemingly impossible goals.

PSIM is a category of software that integrates all security devices and operational data into one common view, applies intelligence to identify situations and presents step-by-step instructions for situational analyses, management, tracking and resolution that are effective, compliant and timely.

PSIM should accomplish five goals. It should interface with all devices, analyse incoming data and correlate events or alarms, collect all data and send it to a centralised location to be verified by a control centre operator and provide users with the ability to resolve the situation. Last but not least, PSIM software should be configured to gather all information relating to a given event for end user reporting and compliance purposes.

PSIM software is based on what was originally a military term for attempting to consolidate the plethora of battlefield information into one encapsulated view, often referred to as a Common Operational Picture. The term has migrated to the world of security, and specifically in terms of how it has informed the development of PSIM software. Another description for this consolidated view is ‘situational awareness’. We’re achieving – by means of the grouping of all event signals into one common view – an immediate grasp of the situation and its implications together with pre-arranged response action guidance.

Situational awareness platform

Situation management is capable of visually presenting multiple and related events in a single group. In fact, PSIM has often been described as the glue that brings the entire technology infrastructure together. In this day and age, it’s no longer sufficient to only be able to answer the question: ‘What’s happening?’ The system should now also answer the questions: ‘How important is it?’ and ‘What should I do about it?’ Inevitably, this requires the correlation of all activities.

PSIM can combine the several sets of information registered during a break-in, for example: the door alert actioned by access control, the lock failure alert from a key card system, the motion detection alert picked up by a hallway sensor and the video feeds from two or three nearby CCTV cameras. The software combines all of the above into a single, holistic view of the available information.

A PSIM system combines several technologies to:
• Aggregate, correlate and analyse data from various systems, including intruder alarms, environmental sensors, video surveillance, access control solutions, networks and Building Management Systems, etc
• Provide solutions which are also very cost-effective, allowing an end user customer to monitor and control a variety of systems and sensors from a centralised location (or, in some cases, on a remote basis)
• Become the foundation of the next generation of security and risk management. It’s not a single product but rather a set of processes governing the management of operational data
• Instantly place instructions, information and the tools necessary to control security devices in the hands of dedicated security personnel and first responders across multiple operations



Prioritising Risk Management Issues and Risk Response

• Enable forward and backward ‘tracking’ of suspects on live and recorded video
• Monitor and adapt to a situation as it unfolds, providing updated information, additional tools and policies as well as coordination with multiple agencies and teams
• Sort through a vast stream of device data as well as IT security systems in order to identify and prioritise situations in real-time

A key differential is the ability for a PSIM platform to connect to systems at a data level, contrasting with other forms of integration that solely interface a limited number of products. PSIM software provides a platform and applications that collect and correlate events from existing disparate security devices and information systems (video, access control, sensors, analytics, networks and building systems, etc) to empower personnel to identify and resolve what may be critical situations.

The end result is lower risk, increased security, faster response to situations, better compliance with policies and lower operational costs. Put simply, security managers and directors no longer have the constraint of CCTV or access having to be deployed as the management ‘hub’. PSIM is now the hub.
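The break-in correlation described above can be sketched in a few lines. This is an added example, not code from the article or from any PSIM product: the event schema, zone names, two-minute window, priority rule and playbook wording are all assumptions made for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample events in one common schema:
# (timestamp, source subsystem, zone, event type).
RAW_EVENTS = [
    ("2015-07-03T02:14:05", "access_control", "warehouse-east", "door_forced"),
    ("2015-07-03T02:14:09", "key_card", "warehouse-east", "lock_failure"),
    ("2015-07-03T02:14:40", "motion_sensor", "warehouse-east", "motion_detected"),
    ("2015-07-03T02:15:02", "cctv", "warehouse-east", "camera_feed_available"),
    ("2015-07-03T02:15:10", "cctv", "warehouse-east", "camera_feed_available"),
    ("2015-07-03T09:30:00", "motion_sensor", "lobby", "motion_detected"),
    ("2015-07-03T11:02:00", "environmental", "plant-room", "temperature_high"),
]

# Hypothetical pre-arranged response guidance, keyed by priority.
PLAYBOOK = {
    "critical": ["Verify on the linked camera feeds",
                 "Dispatch the response team to the zone",
                 "Notify the duty manager",
                 "Preserve video and event log for the incident report"],
    "high": ["Verify on the linked camera feeds",
             "Send a patrol to check the zone"],
    "low": ["Log the event and review at the next patrol"],
}

# Subsystems that supply evidence rather than raise alarms (assumption).
EVIDENCE_SOURCES = {"cctv"}

Event = namedtuple("Event", "time source zone kind")


def parse(raw):
    """Normalise raw rows into Event records, ordered by time."""
    events = [Event(datetime.fromisoformat(ts), src, zone, kind)
              for ts, src, zone, kind in raw]
    return sorted(events, key=lambda e: e.time)


def group_into_situations(events, window=timedelta(minutes=2)):
    """Group time-ordered events into situations: same zone, and no gap
    between consecutive events longer than `window`."""
    open_by_zone = {}
    situations = []
    for ev in events:
        current = open_by_zone.get(ev.zone)
        if current is None or ev.time - current["events"][-1].time > window:
            current = {"zone": ev.zone, "events": []}
            open_by_zone[ev.zone] = current
            situations.append(current)
        current["events"].append(ev)
    return situations


def alarm_sources(situation):
    """Distinct alarm-raising subsystems that reported in this situation."""
    return sorted({e.source for e in situation["events"]} - EVIDENCE_SOURCES)


def priority(situation):
    """'How important is it?' More independent subsystems agreeing means
    a higher priority (illustrative rule)."""
    count = len(alarm_sources(situation))
    if count >= 3:
        return "critical"
    if count == 2:
        return "high"
    return "low"


def summarise(situation):
    """One operator-facing record: what happened, how important, what to do."""
    level = priority(situation)
    return {
        "zone": situation["zone"],
        "started": situation["events"][0].time.isoformat(),
        "priority": level,
        "alarm_sources": alarm_sources(situation),
        "camera_feeds": sum(1 for e in situation["events"] if e.source == "cctv"),
        "instructions": PLAYBOOK[level],
    }


if __name__ == "__main__":
    for situation in group_into_situations(parse(RAW_EVENTS)):
        print(summarise(situation))
```

The three warehouse alarms and two camera feeds collapse into one critical situation, while the isolated lobby and plant-room events stay separate and low priority.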

Integration and co-ordination

In the past, most security systems have been of the ‘locked out’ proprietary nature. Some vendors purporting to have a PSIM solution simply render a ‘vertical integration’ of their own devices and systems. Effective PSIM requires both the integration of technologies and co-ordination with IT and security processes governing the management of operational data.

The theory has thrived amid dynamic change in the security world precisely because of its composite nature and multiple benefits. PSIM helps extend security services, improve efficiencies and effectiveness and also allows for better accountability.

There are several key trends rendering PSIM more valuable and affordable. For instance, data management Best Practice is more pervasive. Also, regulatory compliance and management Best Practice dictates that computer systems and data be handled in standardised ways, for example according to guidelines established by the International Organisation for Standardisation. Generally speaking, Security Departments are not always compliant with these Best Practices.

On top of all that, business leaders are now demanding more data. Business decisions are made throughout organisations by analysing data. Going forward, Security Departments will be forced to share security and risk data in clear ways that business managers can easily understand and appreciate.

PSIM software integrates and analyses information from disparate traditional physical security devices, thereby allowing host organisations to leverage existing security investments and not have to spend additional finance on either new or different technology. It also eliminates the requirement for operators to manually review and correlate data from multiple systems, in turn saving time and resources which translates into cost savings.

To overcome today’s security and safety challenges and issues, careful attention ought to be paid when selecting a PSIM solution. This decision has significant impacts on the future efficiency, effectiveness and accountability of a host organisation in general but, and importantly so, will determine success when it comes to minimising risk for both the business and its assets. Key areas on which to focus when evaluating a PSIM solution are the platform, the architecture and solution completeness as well as the vendor’s reputation for (and overriding commitment to) security and safety.

When it comes to managing the information from complex and disparate systems, the potential benefits of a PSIM open platform software solution are many. However, it would be inappropriate to engage with a management system which is overly-sophisticated in relation to an organisation’s more simple requirements. Those requirements may very well be satisfied with a less complex solution.

Dr Peter Speight CSyP DBA MPhil MSc MIRM: Director of Risk and Consultancy at Securitas
Peter Consterdine is Managing Director of Future Risk Management


Business Processes Automation in the Security Sector

Room for Improvement: The Systematic Approach to Business Management

Given that we’re witnessing an exponential growth of technology right across the business world, it’s interesting to note how little of it is currently employed to assist the day-to-day internal management of companies within the security sector. Richard Tisdall looks at the need for a more inward focus on technology designed to do just that

Mention the phrase: ‘Technology in the security sector’. What images spring to mind? For many in the profession the answer revolves around CCTV, access control, monitoring solutions, intruder alarms, network security and much more. Indeed, there’s a wealth of fantastic technology-based products, solutions and devices available and the list is growing daily.

This is absolutely fine and each of these systems has a role to play in the delivery of services to end users. That said, there’s a problem afoot. The sector has become so incredibly focused and fixated on technology that’s external to the enterprise – ie products and systems sold-in to end user customers and companies – that bespoke internal processes within host organisations can be neglected and, ultimately, take second place to the services offered by that organisation.

Security guarding companies wouldn’t sell their customers sub-standard solutions. Neither would they offer sub-standard advice. Yet it’s often the case that they think nothing of employing outdated models that manage tasks and business processes on spreadsheets or manual forms. They store hard copy documents in paper folders and rely on people to perform tasks in line with paper-based quality management processes that exhibit no effective means of monitoring and enforcement.

In this day and age, it could well be argued that such an approach to business is nothing if not sub-standard. Certainly, it’s incredibly wasteful in terms of time and other resources and leaves the company open to human error, not to mention a lack of visibility that, in turn, renders the security business – and, by extension, its customer base – open to risk management and compliance issues that are, frankly, unacceptable.

What is a business process?

A process can be defined as: ‘A series of actions or steps taken in order to achieve a particular end…’ In business terms, it’s pretty much everything we do from simple tasks such as ordering stationery or signing up a new customer through to very complex systems of tasks and activities like managing the merger of two businesses. Regardless of their complexity, it’s the management of these processes that’s of paramount importance.

Streamlining and efficiency can have an enormous and quantifiable benefit in terms of both time saving and real cost reduction. For example, security guarding companies that have switched to online management for site surveys are seeing a two-to-three hour per site reduction in the time taken to perform these surveys and generate a set of assignment instructions. Whereas previously a contract manager would manually record information on a paper form then have to return to the office to type it all up and send it to the customer, this all happens on site on a tablet or other smart device and the assignment instructions can be with the customer before the security company’s representative is back at base.

The side benefits may be numerous, including virtually paperless processing, improved visibility and auditability, enhanced management control and employee accountability. The standardisation of processes and improved management oversight also has a cultural impact. There’s no place to hide and we have a definitive view on whether tasks have or haven’t been completed.

In short, your business procedures and processes are clear, consistent, documented and enforced and you’re providing your employees with the necessary and efficient framework in which to complete them. For management team members who just want the detail-free helicopter view, the ability to focus on issues and manage exceptions – for example failures, complaints or tasks that have not been completed – all adds up to significant savings in time and greater ease of use.


Automating repetitive tasks

Business process management solutions should be seen as a framework or platform for automating repetitive tasks. Rather than replacing existing systems, the platform is viewed as an enhancement to them that can provide a joined-up layer between disparate systems and processes. It should fit seamlessly into your organisation’s existing solutions and enable the rapid deployment of new processes and applications.

Scalability is of critical importance. Right from a couple of simple processes for a small security business through to an enterprise-wide solution for a larger corporate, the approach should always be the same. A good vendor should start with a review of existing processes. This is a perfect opportunity to evaluate current internal procedures and streamline or amend where necessary, as well as identify any integration touch points to existing systems whether they be financial, Human Resources (HR) or operations-centric.

The connected world of smart phones, big data, ‘wearable tech’ and the dawn of The Internet of Things brings with it exciting new applications of technology but at the same time ever more complexity. Each new node in our connected networks whether it be a human, a device, a camera or a vehicle is constantly creating data. We need to be able to capture, control and then use this data to our advantage rather than be swamped by it or lose its value. That being so, it has never been more important to simplify processes and procedures wherever and whenever possible. This is where you can really leverage the benefits of a business process management solution.

Applications in the security sector

The applications of business process management are both limitless and driven purely by the specific requirements of the business. No two solutions are the same. For the security sector, likely areas of improvement include contract management, quality management and compliance, risk management and mitigation, people management and providing interfaces to HR and scheduling solutions in addition to other internal systems.

The continuing trend of consolidation or convergence in the sector with a blurring of boundaries between physical and network security and facilities management will see businesses providing even more services and expanding into new markets. Change is good, of course, but in order to progress effectively it requires management and control. With a business process management solution in place, adaptability is built-in. The impact on a business realised by a merger or acquisition, the coming together of people and processes and systems or the transformation of business processes as service offerings change can all be minimised by having the right system in place.

We know that this year will bring external change with the impending revisions to ISO 9001. The standards are changing to bring them up-to-date such that they duly reflect a more globalised economy and the impact technology has had on the way in which we work. We will see a more risk-based approach, a greater focus on leadership and objectives measurement and, ultimately, profound change. As a result, there must be a corresponding step change in the security world in terms of how we define our quality management processes.

With a business process management solution, we can create tasks and procedures to help us make the transition to the new standard and then use it as a tool for continuous monitoring and enforcement. By placing real-time business process management and compliance automation at the heart of your organisation you’ll create a dynamic and scalable infrastructure that can evolve, grow and readily adapt to the changing technological and commercial landscape.

Richard Tisdall: Operations Director of SecuriTech Software


Emergency Lighting Regulations: How To Ensure Compliance

Let There Be Emergency Light

Emergency lighting can be a lifeline for individuals trying to find their way out of a building when the mains lighting fails. It’s particularly important in the event of a fire scenario. How, though, might end users be sure that their emergency lighting is compliant with the necessary regulations? Graham White evaluates the main points to be borne in mind

Graham White: Technical Manager for Lighting at Eaton

The Regulatory Reform (Fire Safety) Order 2005, which brings all aspects of fire safety together under one roof, recommends that any emergency lighting deployed in a building is covered by the British Standards Institution’s (BSI) Kitemark scheme. If you have five or more employees, by law that same Order requires you to conduct a fire safety risk assessment and maintain a written record of the results. In short, this legislation exists to ensure that the correct emergency lighting is installed to cover any identifiable risks and that the solution will operate in the proper fashion should the mains lighting supply fail.

BS 5266 is the Emergency Lighting Code of Practice for premises and duly provides information on the correct emergency lighting solution for the safety of people. Alongside the BS EN 1838: 2013 Code (entitled ‘Lighting Applications: Emergency Lighting’), this provides specifiers with information regarding areas that need emergency lighting. In essence, it covers the minimum levels of illumination, duration, maximum brightness to prevent glare and any points of emphasis which require particular consideration.

Failure to comply with the stipulations outlined not only puts lives at risk and raises the possibility of prosecution, but can also invalidate insurance policies.

Know what you’re buying

Given that emergency lighting will never be used on an everyday basis, it can be tempting to opt for cheaper luminaires. These are often supplied from distant sources and will pass through numerous intermediaries before installation. This can lead to confusion over the precise specifications and the claims made by manufacturers and sellers which may not be independently verified.

Buying cheaply may turn out to be a false economy since lower quality components can shorten the lifespan of both batteries and lamps. Less costly systems may have inferior optics resulting in an increased number of fittings being required to meet the minimum emergency lighting levels. As this is a life safety product you must consider whether a cheaper option might be more vulnerable to failure.

The BSI governs the implementation of strict European standards on the design and manufacture of emergency luminaires under regulations including EN 60598-1 and EN 60598-2-22. The most reliable way in which to ensure your emergency lighting regime is fit for purpose is to buy products approved by third party certification schemes such as the aforementioned BSI Kitemark and the registration run by the Industry Committee for Emergency Lighting (ICEL), part of the Lighting Industry Association which serves as the manufacturers’ Trade Association.

ICEL provides a product auditing and approval process. If ICEL-approved luminaires are installed at the correct location according to the recommendations of BS 5266 and using verified spacing data, the emergency lighting system will meet the minimum lighting levels for the safety of individuals. However, this may need enhancement if specific risks are identified during the risk assessment.

Consideration of long-term costs

Buying high quality, industry-approved emergency lighting may initially seem more costly for the end user, but consider the bigger picture. For example, good quality products may have a higher output and better spacing performance meaning that fewer units are needed to achieve the required level of illumination. This may reduce the outlay on products as well as the installation cost. It’s also worth bearing in mind the total cost of ownership (TCO) as long-term energy costs may be reduced.

Additionally, take a look at LED-based emergency luminaires. They use less power and so reduce running costs and require less maintenance. LED-based emergency luminaires boast a working life that’s often greater than 50,000 hours. That’s anything up to ten times longer than a conventional fluorescent lamp.

Furthermore, the latest generation of LEDs incorporate optic lenses to direct light into a specific pattern. This ensures the light is correctly distributed to maximise the coverage for emergency lighting from the luminaires which may be needed to cover a larger open area or a specific distribution so as to maximise the spacing along an escape route.

Location, location, location

The positioning of emergency lighting is crucial. Some of the key locations where emergency luminaires should be installed are along escape routes, at every change in direction, adjacent to any step or trip hazard, over every flight of stairs (so that each tread receives direct light), close to firefighting equipment, Call Points and First Aid stations and outside every final exit to a place of safety.

Under the regulations, a minimum luminance of one lux is required on the centre line of an escape route with a uniformity of at least 40:1. In open areas, however, a minimum of 0.5 lux is required. To achieve these minimum lighting levels, end users should refer to the spacing tables that ought to be provided by your chosen system manufacturer.

Higher levels of luminance will also be required for areas identified as having a greater risk. Examples of these areas are described within the BS 5266 guidance along with the recommended higher lux level values.

Pay attention to exits

What if a failure of supply should happen to occur in the hours of darkness? BS 5266-1:2011 requires that external lighting must be provided to guide evacuees from the point where they exit a building to a place of safety. This means that many applications will need a weatherproof luminaire operating in maintained or switched maintained mode and controlled by daylight sensors. LED luminaires may be used here to reduce both maintenance and running costs.

Minimum routine testing schedules are one of the requirements of the regulations and standards. The time they take to complete can place significant demands on facilities managers and maintenance teams. One way to avoid the ongoing costs associated with maintenance, servicing, repairs and replacements is, of course, to specify quality emergency luminaires in the first place.

Another tip worth bearing in mind for the end user is to consider self-testing systems. These reduce the expense, time demands and disruption associated with manual testing regimes upon individual luminaires. With automatic test systems, the results from an entire network are collected and fed back to a central database where the exact location of the fault can be pinpointed. Importantly, the system will also identify the cause of the fault – which might be due to a failed lamp or module – such that the necessary spare part can be selected and then taken to the location in order to speed up the repair process.

Don’t ignore the signs

In addition to the emergency lighting itself, it’s vitally important to consider signage at the earliest stage. The obligation is to ensure that escape routes are clearly defined and identified with the correct exit signage.

When selecting a product, be aware that the viewing distance for an internally-illuminated exit sign is calculated by multiplying the height of the illuminated element by a factor of 200. This information will normally be available from reputable manufacturers. For externally illuminated signs, the multiplication factor is only 100, but it must have at least 5 lux at any point of the sign in emergency conditions.

An alternative option is the photoluminescent exit sign. It’s important to remember that these rely on ambient light to charge their photoluminescent membrane. Additionally, EN 1838 states that, under emergency lighting conditions, the sign shall be sufficiently illuminated to be visible. The safety colour must remain green and the contrast colour white within the colour boundaries specified in ISO 3864-4. In practice, this usually means that general lighting must be permanently switched on in order for the exit light to self-illuminate in the event of a power failure.


Video Analytics and Business Intelligence

Video Analytics: The Intelligent View

Video analytics and transactional reporting carefully woven into an overarching business intelligence strategy can bring about immeasurable benefits for companies operating within the traditional vertical sectors, from banking and finance through to retail. Ely Maspero has the fine detail

Ely Maspero: Product Line Manager for VMS Solutions at March Networks

Put your thinking cap on and imagine for a moment the sheer number of hours of footage that a single bank branch or retail outlet will be able to access from its security cameras. Multiply that by hundreds of branches or shops across the UK and, pretty soon, you can see how all of that video might be used to gather and analyse information that will not only enhance security but also measure operational efficiencies.

Video analytics has enormous potential for business intelligence, enabling raw data to be transformed into meaningful and useful information that can be acted upon by end user organisations. The principle behind business intelligence is to deliver end users key-critical information that helps them devise more effective strategies. It’s designed to take advantage of improved and accurate tactical and operational insights such that more effective decisions can be taken.

Rather than merely being seen as tools designed to support the marketing function, business intelligence and analytics have instead grown in importance. Indeed, last year they were ranked as top IT themes by 29% of banks¹, which put them slightly ahead of security on 28%. We would argue that the two actually go hand in hand.

Business intelligence and analytics represent a proven combination of technologies with all the makings of a very solid proposition for organisations, either as purpose-built or generic devices or via vertically oriented reporting tools that leverage analytics. To understand why all of this is important, though, there’s a necessity to review and learn from specific sector-related examples.

Key security concerns for banks

Banks are facing a record number of threats from traditional fraud, ATM skimming and cash harvesting through to more sophisticated cyber threats and online hacking. While ATM-related fraud incidents fell by 26% in 2014, related losses were up 13% while losses through both skimming and ATM physical attacks increased by 18% and 17% respectively². The challenge for banks and their security teams is to minimise the cost of these losses. One of the most effective methods of doing so is by harnessing the power of big data, business intelligence and video analytics.

Increasingly, bank branches are privy to skimming devices being installed in their external ATMs. If they use the video feed from the camera this could take many hours to review and identify the appropriate evidence from the moment the skimmer was installed. By using analytics, criteria can be set that helps to narrow down the options beyond just time and date. Transaction records – for example a credit card being used, or a person detected at the ATM when no transaction was made – can help pinpoint the crime being committed.

Fraudsters have become very sophisticated – a skimming device can take as little as 30 seconds to install – so while video cannot possibly help to prevent physical attacks, what it can do very effectively is identify the moment of the crime, reduce investigation times and help the banks to locate ATMs that are more at risk to prevent further frauds from occurring. The longer a bank waits to take action the more likely it is that it will become liable for any losses that a customer incurs.

Business intelligence may be used to analyse the history of fraudulent situations and develop useful fraud prevention business rules. These will include models for predicting a credit card or cash card holder’s behaviour and alerts that can be set up if the average number of daily transactions suddenly increases.

Customer satisfaction in mind

References
¹ Informa Telecoms and Media Research (Ovum) and Nucleus Search, September 2014
² Source: EAST, European ATM Crime Report, April 2015

View of the retail sector According to the 2013-2014 Global Retail Theft Barometer, retail losses – or ‘shrink’ – across Europe as a result of theft or other forms of loss amounted to $40.09 billion. Globally, that figure stands at $128.51 billion. The main problems facing retailers are theft by dishonest employees and shoplifting (or shop theft) which, in Europe, accounted for 61% of global retail shrinkage. The majority of retailers use video surveillance, but by integrating this with Electronic Point-of-Sale (EPoS) transaction data they can be more quickly and accurately alerted to instances of suspected theft and, therefore, potentially reduce investigation times from hours to minutes. The analytics technology that enables this focuses on data of people counts, queue length monitoring and dwell times and analyses this to provide meaningful insight on threats, occupancy and customer interest, etc. With analytics that shed light on hourly or daily trends, retail sector managers can understand patterns in customer behaviour while at the same time relying on security analytics to identify possibly suspicious events including unauthorised access or loitering. One of the great benefits of video analytics is that it allows retailers to not only manage incidents immediately and audit stores quickly and efficiently, but also develop threat prevention strategies that may be implemented across all branches. Video analytics tools can assist in packaging case evidence – complete with synchronised video clips and EPoS transaction data – that will help to curtail losses from theft.

“Video analytics tools can assist in packaging case evidence – complete with synchronised video clips and EPoS transaction data – that will help to curtail losses from theft” 30

www.risk-uk.com

Security is absolutely paramount from the customer’s perspective, and particularly so when they’re dealing with banks. That said, customers also crave hassle-free access to their money and the ability to use their payment method without delay. While fighting fraud and theft is the primary use of business intelligence and video analytics, they can also provide meaningful insights that will assist in increasing customer satisfaction. These include an overview of branch and staff performance, observations that will help to reduce waiting times and analysis of the influence and effectiveness of in-branch marketing activities. Business intelligence and analytics are enabling us to move away from a loss prevention and theft identification perspective and add performance to the equation. For both banks and retail organisations, business performance analytics translate into the means to measure employee performance, to automate marketing, sales and promotions and innovate products. Analytics can assess customer profitability and regulatory compliance while providing valuable feedback on risk management.

Maximising return on investment Although retailers have perfected their skills in cross-selling over many years, this is a relatively new tactic for banks increasingly trying to maximise marketing return on investment, not just through cross-selling but also by maximising up-sell opportunities. Before attempting to sell an additional product to an existing customer, it’s advisable to estimate the probability of being able to ‘close the deal’. The advantage of correctly estimating that probability, facilitated by business intelligence, is that a high response rate will lower marketing campaign costs and improve the quality of customer relations. Analysis of average daily withdrawals from an ATM, for example, will help banks to decide how much money to load into the machine. There’s often little point in loading the maximum amount if it’s rarely needed. This will only prove to be a risk, particularly given the high incidence of physical attacks on ATMs. Equally, business intelligence algorithms can optimise cash management by anticipating time, place and the amounts of cash to be loaded, taking into account weekly, monthly and seasonal oscillations and trends. A good reporting tool will help operators predict branch-by-branch and ATM-by-ATM what the trends will be during a given time period.



Risk Management in Data Centres

Heavy Metal: Confronting Zinc Whiskers

Managing the issue of Zinc Whiskers is an important concern not just for the data centre manager, but also for anyone directly responsible for risk management within an IT environment. Mike Meyer describes how following the right procedures can help maintain the integrity of a facility, its equipment and the data held on a 24/7, ad infinitum basis

Keeping critical environments such as data centres clean from contamination is a constant challenge. Even something as innocuous as a cloth or a buffer pad used by an untrained cleaning operative creates tiny fibres that can cause untold damage to sensitive servers and other essential IT equipment. Within certain data centres, though – be they old or new, owned or shared – a more sinister danger lurks. It’s a danger with a seemingly innocent name that’s guilty of making some of the world’s most renowned institutions – among them NASA – sit up and take notice. It goes by the name of a Zinc Whisker.

What are Zinc Whiskers? Where do they come from? What impact can they have? How can they be identified and, most importantly, how might the problems they realise be overcome?

Zinc Whiskers are a phenomenon that can occur on bare metal surfaces. Metal surfaces are coated with zinc in a galvanisation process to help protect them from corrosion. In simple terms, the whiskers are zinc crystals formed by the degradation – or corrosion – of the galvanised metal surface. These crystalline growths or whiskers are typically 2 microns in diameter and over time – ie many years – can grow to be several millimetres in length. Anything up to 10 mm, in fact, although typically less than 1 mm. Under proper lighting, they can be visible to the naked eye on surfaces. The whisker formation process consists of an unpredictable incubation period, typically lasting months or even years without any growth at all, followed by a period of growth at rates as high as 1 mm per year.

What elements are at risk?

Zinc Whisker growth has been documented on a wide range of zinc-coated materials including electrical components (electromagnetic relays), mechanical hardware (nuts, bolts, washers, equipment racks, housings and rails), zinc-plated undersides of raised-access floor tiles (typically found in computer data centres) and raised-access support structures (pedestals and stringers). Steel studs, suspended ceiling hangers and grid systems, electrical conduit, equipment cabinet frames and server frames may also be at risk.

Whisker growth on access floor tiles is of particular concern as these have a large surface area and are often disturbed during ‘normal’ activity in a computer room. Growth is most likely to occur on wood-core access panels and flat-bottomed concrete core panels. Access floor tiles have been used in high-tech facilities since the 1960s and it seems that some – if not all – access floor system manufacturers didn’t give adequate forethought to the electro-chemical instabilities of the metal stock used in the manufacturing process. In essence, many facilities are outfitted using construction materials wholly incompatible with the environment in which they find themselves installed.

While whiskers remain attached to their source they’re basically benign. However, when the whiskers are disturbed and dislodged they become airborne and circulate freely throughout the environment. Disturbance is likely to be caused by routine maintenance activities, including the lifting, sliding and reinstallation of access floor tiles and the pulling of electrical cable in the sub-floor space.

Movement through vents and fans

For efficient cooling, the forced air system typically pressurises the sub-floor space with chilled air. Perforated floor tiles and air vents provide channels through which the cool air, including the Zinc Whiskers, can pass into the above floor space. Ultimately, many whiskers can move into the electronic hardware through vents and fans on the equipment. Once inside the equipment, Zinc Whiskers – which are electrically-conductive structures in their own right – can cause various electrical failures ranging from intermittent to permanent short circuits. Whisker debris can also become a physical impediment to moving parts or obscure optical surfaces and sensors within some equipment such as disk or tape drives.

The first identification of Zinc Whiskers and associated system failures occurred in the 1940s. Renewed interest has arisen triggered by the apparent increase in reported failures. Several factors appear to contribute to this increase. The drive towards miniaturisation, for example, has led to more densely packed circuitry and tighter spacing between conductors which means that smaller conductive particles can now cause larger problems. Similarly, the lower energy levels required by newer technology means that the whiskers no longer ‘melt’, thus increasing the risk of a permanent short. The age of existing floor structures is also a challenge, as is the need to constantly maintain or upgrade the facilities in place.

There’s another potential hazard: the risk to health. Although the impact on human health has yet to be fully investigated, the hazardous potential for any airborne contaminant should be acknowledged and addressed. Failure to initiate a remedy for a contamination problem contributes to the potential risk of future litigation around system failure and health-related illness or injury.

The identification of Zinc Whiskers is generally verified through a visual inspection and laboratory tests, but their presence can be indicated by shiny particles and other factors such as the age of the facility and the types of backing used on the access floor tiles. Once their presence is confirmed, though, and the length to which the whiskers have migrated is fully understood, it’s then that the remedial work can begin. Both short-term and long-term corrective actions can be considered for solutions to Zinc Whisker problems.

Short-term actions include replacing affected components with ones that have a protective insulating compound that coats most of the exposed electronic circuitry and minimising activities that require significant handling of floor tiles. Longer term solutions encompass – but are not limited to – the carefully planned and controlled removal of all affected or suspicious tiles and support structures while protecting equipment and personnel as well as the thorough cleaning of the data centre environment using H-type vacuums to remove as much whisker debris as possible. On top of that there’s the installation of replacement floor structures not prone to Zinc Whisker formation, including all-aluminium or steel structures employing conductive epoxy powder coatings or paints instead of zinc for corrosion protection.

Bespoke solutions assessed

The best course of action will vary from one facility to the next. The extent of contamination and overall condition of the tiles and structural system, for example, will impact the solution proposed as will the size of the area to be treated. Cost clearly has a role to play as do operational demands.

In putting a plan into action, airborne zinc will be maximised during the remediation procedure. Technicians involved in the removal of contamination in clean room and other high technology environments should use asbestos abatement personal protection protocols as necessary to prevent aspiration of Zinc Whiskers and other contaminants. Containment of the working area is necessary to prevent cross-contamination of the facility and to protect non-abatement workers who may be present during the cleaning of any facility with Zinc Whisker contamination. Partitioning, zone pressurisation and the use of high efficiency, high volume air filtration units are often employed.

Any remediation project needs careful planning with proper regard to contaminant isolation and conditioned air distribution to minimise the possibility of impacting hardware reliability. Ideally, the whole room would be shut down, equipment removed and the air conditioning units switched off. Any remaining equipment would be covered with plastic barrier tents and sealed within plastic sheeting between the ceiling and the floor.

Mike Meyer: Group Sales Director at 8 Solutions


Fire Safety on Construction Sites

Is There Cause for Alarm?

Fires on construction sites are a much more common occurrence than you might realise while the end result can be serious, far-reaching and costly for businesses on the receiving end. Here, Paul Henson advises risk managers on ways in which they can select effective fire alarm solutions

Fire alarm systems are an ‘essential’ on all construction sites, particularly so when such environments become more complex and play host to large quantities of potentially combustible materials. Add to this the increasing number of high rise and timber-framed structures in our midst and you have a potentially dangerous combination of personnel working in high or remote locations who are surrounded by materials and hot trades that can easily result in a fire scenario.

While fire evacuation procedures are quantified and employed on sites, all-too-often their implementation can be described as haphazard rather than strategic. For instance, it’s still common for whistles, hand bells and other manual systems to be used as a basis for ‘sounding the alarm’. Such ‘solutions’ harbour a number of limitations, with the most obvious one being a danger that the alarm isn’t heard by everyone present on site.

In my experience, managers on construction sites can be inundated with different messages about what constitutes a fire alarm system. The basic problem is that they’re presented with different and conflicting information ranging from: ‘A fire alarm system is not required on a construction site because it isn’t a completed building’ – that’s absolutely not the case, by the way – through to offers of a fire alarm system but one that doesn’t fully comply with the relevant and current legislation.

Abiding by the rules

To clear up once and for all the confusion around fire alarms on construction sites, here are some rules that are worth observing.

Rule 1: Check that your fire alarm system meets EN54 requirements

A fire alarm system for a construction site should comply with EN54 and, therefore, the new Construction Products Regulation (CPR). EN54 is a mandatory standard that specifies requirements and laboratory testing for every component of a fire detection and fire alarm system. It applies to all types of buildings including those undergoing construction, demolition or refurbishment.

Rule 2: EN54 beats everything else

EN54 is purely concerned with the quality standards for fire alarms. It doesn’t make an exception for whether a project is temporary, for example, a construction site or a permanent structure such as a completed building. Quite rightly, because a fire alarm is indeed a fire alarm whatever the kind of facility in which it finds itself installed, the safety of personnel on a construction site is no different to that for employees who occupy a completed building. Just remember that fact the next time someone tries to tell you EN54 doesn’t apply to a construction site.

Rule 3: Your chosen fire alarm system should be CE marked

If the fire alarm system you’re thinking of specifying for a construction site has been tested to EN54 by a notified body you’ll see a four-digit test centre number displayed after the CE mark. To be absolutely sure, ask your supplier for their Declaration of Performance certificate. If the certificate you are presented with simply relates to an individual component part within a larger unit then it doesn’t follow that the whole unit meets EN54 requirements. In order to comply with EN54, the complete unit – for example, the entire heat detection unit and not just the detector head – as well as every unit in the system including the base station, fire point or smoke and heat detection unit should all have been tested to the relevant part of EN54.

Rule 4: Technology can be more predictable in a crisis

Relying on human response alone has its limitations. It’s often the case that people don’t react well in stressful situations such as an emergency evacuation. Then there’s the added concern of what would happen if a fire scenario was initiated while no-one was on site. On top of that, the aforementioned hand bells, whistles and other manual systems still employed to this day are unlikely to be loud enough for everyone to hear. That last statement is particularly true for larger construction sites. Investing in a technology-based fire alarm system removes this uncertainty and sends a clear message to all concerned that your company places the safety of personnel, visitors and people in nearby buildings above any other concern.

Rule 5: Wireless beats wired

The very nature of construction sites means that they’re both constantly changing and evolving environments. This creates an added challenge for risk and fire safety professionals and the regimes they devise, although it’s fair to say that such challenges may be overcome if a wireless fire alarm system is specified. Such solutions enable the heat and smoke detection units to be easily moved as your site progresses in terms of form and function. Work can continue as planned without being held back due to construction professionals on site having to wait for an electrician to reposition the electrical cabling (as would necessarily be the case with a wired system).

What’s more, the wireless frequency is capable of passing through all solid materials typically found on today’s building sites. This way, you know everyone will be alerted irrespective of where they’re working. Note that there are now wireless systems available with a three-year battery life which reduces the ongoing maintenance burden. Do make sure, though, that the system you’re considering employs the very highest specification Category 1 wireless equipment.

Audible and visual alerts

A wireless fire alarm system comprises manual Call Points installed on site in accordance with the project’s Fire Plan. These Call Points are interlinked. In essence, this means that all areas receive the same audible and visual alert signal even if the fire scenario is contained within an area close to just one of them. The alarm may be manually triggered by personnel from any Call Point. Where it’s the case that heat or smoke detectors are incorporated into the wireless system, it will provide automatic cover on a 24/7 basis, in turn ensuring that the site is protected even when personnel are not present.

Fire can cost lives and may result in extensive damage to assets and nearby buildings. Wireless fire alarm systems offer greater flexibility, ensure that the Emergency Services are alerted at the earliest opportunity and are, therefore, an effective method of ensuring safety on construction sites. Bear all of the above tips in mind when you’re looking to select an effective and fully-compliant fire alarm system for your next construction site project and you’ll be on the right tracks.

Paul Henson BSc: Sales and Marketing Director at Ramtech Electronics


Remote Monitoring Solutions

Under ‘The Watchful Eye’ of CCTV

End user organisations across a diverse range of vertical sectors are now able to benefit from the instigation of remote monitoring services. Mike Bullock examines the key role of dedicated remote monitoring solutions when it comes to keeping people and property safe, and details how increasingly sophisticated technology is rendering the end product more effective than at any time in the past

All of us have now become well accustomed to living in what many commentators have dubbed a ‘Surveillance Society’. It’s fair to say that CCTV cameras stationed on busy streets are considered the norm, with the average Londoner caught on camera over 300 times every day. Whether CCTV actually serves as a deterrent to criminality or is simply an inconvenience to those with such intent is the subject of considerable debate. For its part, remote monitoring can adopt several different forms and, if it’s to be truly effective, needs to be carefully targeted in suiting specific applications.

Recent news stating that the Dyfed-Powys Police Service has decided to stop monitoring live CCTV footage places the issue of remote monitoring firmly in the spotlight. The impact of such a move in terms of crime statistics and public security is difficult to predict, but it has highlighted the need to re-examine exactly how and where CCTV can be of most benefit so that we can maximise its crime reduction potential. In the majority of cases, CCTV is retrospectively used to analyse where a crime took place, establish the events that occurred and, if necessary, provide evidence for the prosecution. Therefore, having people monitoring cameras in real-time doesn’t necessarily deter crime from happening in the first place.

Working with the police service

Within the overall debate about 24/7 live monitoring, it’s fair to assume that two people looking at a bank of 200 camera images could lead to a criminal act being missed. However, on a more positive note, if a Remote Monitoring Centre’s operating team is notified about an event, they can work with police ‘on the ground’ to help apprehend the perpetrators. Does live CCTV monitoring actually deter crime from taking place? Probably not. Is it useful in helping to apprehend criminals? Absolutely.

Not all remote monitoring needs to be carried out on a live basis. For those end customers seeking constant round-the-clock surveillance of their premises and operations, alert-based remote monitoring represents the perfect solution. In fact, it’s most effective when linked to a range of other building services technologies including intruder alarms, access control and fire detection systems. Remote Monitoring Centre operators can pick up alerts which are then visually confirmed, meaning that the response from the Emergency Services is taken to an enhanced level.

Similarly, the implementation of IP-based video and audio transmitter/recorder technology provides the earliest possible warning of a security threat, minimises the impact to a business and enables the efficient and effective deployment of security personnel. In the event that an intruder is identified, an operative stationed in the Remote Monitoring Centre can issue a verbal warning to that intruder. This is an approach to security that has been proven to stop between 80%-90% of incidents in their tracks.

Remote monitoring can also reduce overheads in other ways, for example by dint of barrier and access control. Shopping centres often have one dedicated person on site to provide access for deliveries and, while this is obviously important from a security perspective, there may well be long periods of time where a security officer is not being deployed to their full capacity. By using an IP-based two-way video and voice system, a Remote Monitoring Centre’s operators are able to carry out this function as part of a much broader range of activities.

Remote monitoring should never be seen as a replacement for all other types of security provision. Having the right solution in place is wholly dependent on an awareness of any risks and threats. Every situation is unique and a clearly defined and implemented security strategy will usually necessitate the integration of a range of measures including security guarding, CCTV, access control, lighting and remote monitoring.

Using security services from one supplier rather than purchasing different companies’ solutions for guarding, key holding and surveillance technology makes complete sense. It’s a model that’s routinely adopted in most of Europe, yet the UK seems to be lagging behind. This is surprising given the way in which this form of procurement can streamline an entire security infrastructure by making it fit for purpose, operationally efficient and, importantly, cost-effective. Furthermore, combining the latest technology with security guarding and remote monitoring ensures that a security services provider can be flexible and responsive by, for example, swapping manned hours for monitored hours when and where necessary.

The UK’s terror threat level is now set at ‘Severe’ in response to the danger posed by the Islamic State. Meaning that an attack is highly likely, this situation should support the decisions and thought processes of organisations regarding the appropriate level of security that they ought to have in place. It also means that the technology used to remotely monitor locations such as shopping centres, sports stadiums and transport hubs must be able to help identify any potential threats well in advance.

Intelligent video analytics software is now capable of automatically recognising people, vehicles and suspect packages. These systems are also capable of counting, measuring speed and monitoring direction. For example, the time a person spends in a specific location can be tracked, so too items such as unattended bags, while suspiciously parked vehicles may be monitored. Alarms can be set up using pre-defined rules such as ‘white van parked in permit zone’ or ‘group of ten or more people’ to alert operatives in a Remote Monitoring Centre.

Drawing a virtual line

The technology often works by simply drawing a virtual line or box area in a certain part of the scene. The camera then counts the number of people that cross the line or enter the box and the data can then be transmitted at selected intervals to a Remote Monitoring Centre. It allows high quality images of faces, clothes, vehicles and other details to be accurately and clearly recorded, and can be used to follow intruders in much the same way as a police searchlight.

Smart phones have become ubiquitous and remote monitoring software is now available that can help tackle low-level crime by sharing video and still images of perpetrators. Crimes such as shoplifting, personal theft, violent incidents and vandalism may now be instantly reported online.

Drones: driving plenty of debate

Drones are proving to be somewhat controversial. However, they also have the potential to be extremely useful in scenarios where remote monitoring is required. A good example is outdoor music concerts or festivals where a drone could be used to monitor crowds and ensure that people are kept safe. A potentially dangerous situation could be identified early on and security/safety personnel on the ground deployed to attend before a given scenario escalates. Equally, drones have great potential when it comes to monitoring remote sites such as reservoirs and oil installations.

Drones can also enhance building access control, particularly in environments where there’s a good deal of perimeter fencing. A drone high up in the air can easily identify who’s entering and leaving a site and could actually work out a lot cheaper than installing CCTV cameras to cover the area.

While there are clear benefits to be derived by end users from remote monitoring, it’s important to make sure that a chosen service provider has the necessary technical expertise – not to mention wider knowledge of all aspects involved with security service provision – to render such solutions truly effective.

Mike Bullock: Managing Director of Corps Security Monitoring Services


GartnerSecurityandRiskManagementSummit July2015_riskuk_mar15 03/07/2015 14:25 Page 39

Advertisement Feature

Gartner Security and Risk Management Summit

Information technology research and advisory company Gartner has made several key predictions for the security and risk management space in the immediate future. They certainly make for interesting reading.

Through 2015, more than 75% of mobile applications will fail basic security tests. By 2016, a majority of Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) will adopt what’s known as a Governance, Risk and Compliance Pace-Layered Application Strategy to bolster the risk management program. Come 2017, 30% of threat intelligence services will include vertical market security intelligence information from the Internet of Things while the demand for Security Analytics-as-a-Service is set to grow by 50%. By that same year, 50% of large-scale enterprises are predicted to be making use of IT services failover between multiple data centre sites as their primary disaster recovery strategy. In addition, at least one major city using Smart City-style infrastructure will experience a cyber security attack on its critical infrastructure, duly resulting in substantial disruption.

Looking slightly further ahead, by the time we reach the year 2020, supply chain security failures will force 50% of digital businesses to negotiate partner contracts aimed at sharing risk and liability while 30% of Global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals.

Bearing all of these predictions in mind, C-Level executives and their teams, CISOs and security directors/managers, business continuity and disaster recovery specialists and managers/directors in the financial services realm will be looking for salient advice on validating their security and risk management strategies such that they can objectively assess what needs to be improved, kept the same or changed in terms of approach and then steer a clear vision into the future.

Thanks to dedicated Workshops, analyst sessions and end user Case Studies, attendees at Gartner’s Security and Risk Management Summit 2015 will be provided with all of the latest advice on how to:
*Structure and manage IT risk programs
*Make IT risk programs more efficient and effective for the host organisation
*Select approaches and vendor solutions
*Articulate security and risk requirements in today’s business language
*Integrate business continuity management with overall risk and security regimes
*Architect an overall security and risk management strategy directly aligned to business needs
*Create a more risk-aware organisational culture that supports dedicated risk management initiatives
*Meet compliance regulations and leverage master data to manage risk

C-Level executives can learn how to develop an integrated IT security and risk management strategy that aligns with the business’ needs and supports forward goals. They can find out how to improve communications with the Board of Directors as well as the IT organisation. They can discover current thinking on the development of a risk management strategy that reduces risk without inhibiting business operations as well as cut back on firefighting in order to focus on strategic goals.

For their part, CISOs and security managers will find out about developing and maintaining an effective security regime, how to address today’s ‘hot topics’ such as cloud and mobile and fully embrace the Internet of Things. They’ll also learn how to establish efficient solutions and avoid security breaches because of misconfigurations while discovering Best Practice around running network security operational tasks.

Business continuity and disaster recovery professionals need to know how to anticipate the unanticipated and develop an action plan that will reinforce a discipline of risk management and mitigation, response and recovery in the corporate culture with a growing need for business resilience. They’ll have to control emerging risks from the Nexus of Forces. Advice is on hand at the Gartner Security and Risk Management Summit 2015.

The 2015 edition of Gartner’s ever-popular Security and Risk Management Summit runs on 14-15 September at London’s Park Plaza Hotel on Westminster Bridge Road. Attendees can learn how to manage risk and deliver first class security in what’s now an increasingly digital business landscape



The Five Agenda Programs in 2015

The Gartner Security and Risk Management Summit 2015 features five key Agenda Programs: the Chief Information Security Officer (CISO) Program, the Risk Management and Compliance Program, the Security Manager Program: Technology, Trends and Operations, the Business Continuity Management Program and the Internet of Things Security Program. Let’s look at each in turn.

Chief Information Security Officer Program

Digital business is often at odds with conventional security strategies. While ongoing publicity of severe security incidents results in valuable executive support, CISOs can no longer only depend on proven practices. It’s incumbent upon security leaders to challenge convention. The CISO Program will help you gain the leadership skills needed to make these difficult decisions.

Hot Topics: Transforming security programs to deal with the challenges of digital business. Communicating effectively with senior executives. Juggling scarce human and financial resources. Managing the human aspects of security. Effective security policy management

Risk Management and Compliance Program

Digital risks are mounting as newer technologies are woven into the fabric of the business. At the same time, regulatory compliance and legal risks continue to escalate for most enterprises. This program focuses on practical methods to apply Gartner’s three dimensions of risk management: creating new frameworks to assess the widening array of risks, developing new metrics to analyse risk impacts on business outcomes and deploying new governance, risk and compliance technologies to integrate and streamline risk management practices.

Hot Topics: Understanding new risk leadership roles for the digital business. Identifying and assessing risks with public cloud deployments. Effective use of cyber insurance to transfer risks associated with data breaches. Managing risks associated with third parties and vendors

Security Manager Program: Technology, Trends and Operations

Digital business and its underlying drivers – namely cloud, social, mobility and big data – challenge traditional approaches to information security. Attackers change and adapt as organisations adjust to the new realities of digital business. As organisations accelerate their adoption of new platforms for business operations, your security program must also rapidly adapt to the new reality and assimilate new technologies as you also mature in your use of existing solutions.

Hot Topics: Security in public and private clouds. Evolving challenges of mobility and BYOD. Building successful IAM programs in a digital business world. Protecting networks as the underlying infrastructure changes. Advanced threats and threat intelligence

Business Continuity Management Program

The complexity and interconnectedness of the world isn’t subsiding. Enterprises with the best business continuity management practices have a corporate culture that espouses flexibility, agility, availability and resilience. The Business Continuity Management Program helps companies anticipate the unexpected and enable a discipline of risk management and business disruption response and recovery in the corporate culture towards the goal of business resilience.

Hot Topics: Business resilience. Crisis management. Digital business. IT service continuity management. Supplier contingency. Business continuity management program leadership. Information security and business continuity management alignment

The Internet of Things Security Program

The introduction of the Internet of Things to organisations that embrace digital business is increasing. Major changes to cyber security infrastructure, process and organisation will ultimately be needed across all sectors of business, whether industrial, commercial or consumer-oriented in nature. Operational technology security changes for industrial automation and control systems are early precursors to this change. The Internet of Things Security Program has been specifically designed to assist today’s practising security leaders in addressing these changes within their own organisations.

Hot Topics: The Digital Business and what it means for Internet of Things Security. IT, Operational Technology and Internet of Things Security Convergence. The Internet of Things and Privacy



Conference and Keynote Speakers

On Monday 14 September at conference, the CISO Program begins at 1.15 pm with a presentation by Tom Scholtz entitled ‘The New CISO’s Crucial First 100 Days’. At 3.15 pm, Rob McMillan is set to speak on the subject of ‘Be Agile Not Fragile: Use Threat Intelligence Services to Defend Yourself’. Following on from Solution Provider Sessions, Tom Scholtz presents once again, this time at 5.00 pm, and examines ‘Protecting Your House on the Prairie: Security Strategies for the Smaller Enterprise’. Tuesday 15 September begins with two end user-focused Case Studies and a presentation entitled ‘People-Centric Security: Experiences and Lessons Learned’. ‘One Simple Way to Get Your CEO to Embrace Risk Management’ is the focus for Summit speaker John Wheeler between 3.45 pm and 4.15 pm, with the day’s program closed by Keynote Speaker Neil MacDonald discussing the ‘Cyber Security Scenario 2020: The Impact of Digital Business on Security’.

In terms of the Risk Management and Compliance Program, the conference element begins on Monday 14 September with a delivery by Paul Proctor. The subject? ‘A Public Cloud Risk Model: Accepting Cloud Risk is OK, Ignoring Cloud Risk is Tragic’. This presentation runs from 1.15 pm through until 2.00 pm and is not to be missed. ‘The Path to High Impact Security Awareness’ will be evaluated by Christian Byrnes from 3.15 pm-4.00 pm. Then, following on from Solution Provider Sessions between 4.15 pm and 4.45 pm, Rob McMillan discusses ‘Incident Response Platforms: A Long Time Coming’. This Summit session runs between 5.00 pm and 5.30 pm, after which there will be a Networking Reception.

Day Two of the Risk Management and Compliance Program’s Summit sessions on Tuesday 15 September witnesses John Wheeler presenting once again, this time around on the topic ‘What’s New and Hot in Governance, Risk and Compliance’. ‘Use a Vendor Risk Management Framework to Mitigate Regulatory, Compliance, Security and Performance Issues’ is the focus for Gayla Sullivan between 11.00 am and 11.45 am. The day concludes with a presentation by John Girard looking at ‘How to Build a Globally Legal and Successful BYOD Program’ and another on ‘Assessing Cloud Service Providers: Getting Beyond The Checklists’. The latter is to be delivered by Erik Heidt. These presentations run between 3.00 pm and 3.30 pm and from 3.45 pm to 4.15 pm respectively.

The Security Manager Program: Technology, Trends and Operations begins on Day One with sessions led by Oliver Rochford (‘Defensive Strategies in an Age of Digital Uncertainty’) and Neil MacDonald, who leads on the subject of ‘Gartner’s Adaptive Security Architecture: New Approaches for Advanced and Insider Threats’. These sessions run in parallel between 1.15 pm and 2.00 pm. ‘Mobile Security Threats and Trends in 2015’ is the specialist subject for presenter Dionisio Zumerle, after which Brian Lowans considers why ‘Your Cloud Service Adoption Strategy Must Include Data Protection’. The former session runs from 3.15 pm-4.00 pm on Monday 14 September, with the latter taking place between 5.00 pm and 5.30 pm.

Tuesday 15 September’s agenda is begun by Ant Allan, who will be reviewing ‘How To Get Single Sign-On’ between 8.00 am and 8.45 am. In parallel is the session by Peter Firstbrook, who considers ‘Defending Endpoints from Persistent Attack’. ‘The Future of Endpoint Management’ occupies the mind of Rob Smith between 9.00 am and 9.45 am. Again, in parallel with this session is one delivered by Mario de Boer on the key topic of ‘Defending Against Sophisticated Malware’. There’s another interesting session taking place between 3.00 pm and 3.30 pm, which is the appointed time for Felix Gaehtgens to evaluate ‘Friends at the Gate? Best Practices for Enabling Remote Privileged Access from Vendors and Third Parties’.

Last but not least, the Business Continuity Management Program and the Internet of Things Security Program feature not one but two presentations from Roberta Witty (entitled ‘The Availability Implications for Digital Business’ and ‘Why Crisis Management is at the Heart of Business Continuity Management Software’). Both of these sessions run on Monday 14 September. Also, from 1.00 pm through until 1.45 pm on Tuesday 15 September, Earl Perkins makes a presentation under the title ‘Operational Technology Security is Not Just for Industries Any More’. The presentations organised for Gartner’s Security and Risk Management Summit 2015 will be key learning points for all attendees.



Summit Venue, Exhibitors and Registration

Venue
Park Plaza Westminster Bridge Hotel
200 Westminster Bridge Road
London SE1 7UT
Telephone: 0844 415 6780

Special Gartner Hotel Room Rate
A limited number of rooms have been held at the Park Plaza Westminster Bridge Hotel for attendees at the Gartner Security and Risk Management Summit 2015. There are two special promotional Gartner rates available. These are the Superior Room, priced at £175 per night (including breakfast) and the Studio Room, which costs £195 per night (again including breakfast). These rates are based on single occupancy and exclude VAT. In order to secure accommodation at the preferred rate access: http://www.parkplaza.com/gartner-securityrisk-management-summit
Alternatively, e-mail your request to: gartnerconference@pphe.com or telephone the Park Plaza Westminster Bridge In-House Reservations Office on +44 844 415 6780 and quote the following promotion code: GART130915

Reservation Office Opening Times
Monday to Friday between 8.00 am and 7.00 pm (GMT)
Saturday between 9.00 am and 5.30 pm (GMT)

Exhibitors
The Security and Risk Management Summit 2015 will help you develop a shortlist of technology and service providers who can meet your business’ particular needs. You’ll receive exclusive access to some of the world’s leading technology and service solution partners in a variety of settings.
Premier Exhibitor: Trend Micro
Platinum Exhibitors: AirWatch, Dark Trace, Fortinet, Qualys, Splunk Inc, Vectra
Silver Exhibitors: Avecto, BlackBerry, BoldonJames, Bomgar, Certes Networks, csg Invotas, Denyall, Esentire, Imperva, LogRhythm, MetricStream, Netskope, Observe, Okta, Pirean, RedSocks, ssh, Tenable Network Security, Voltage Security, Wandera, WatchGuard and Wombat

Registration
There are three ways in which to register for the Gartner Security and Risk Management Summit 2015…
*Online: www.gartner.com/eu/security
*e-mail: emea.registration@gartner.com
*Telephone: +44 20 8879 2430

Pricing
*Early Bird Price €2,150 + VAT
Early Bird Deadline: Friday 17 July 2015
*Standard Conference Price €2,475 + VAT
*Public Sector Price* €1,950 + VAT
*Eligibility for the Public Sector Price will be verified and proof of public sector status will be required. Price cannot be applied retrospectively. Public Sector Definition: National Government, State and Local Government, Public Administration

Group Rate Discount
Maximise your learning by attending as a group. Participate together in relevant sessions or split up to cover more topics, sharing your session takeaways at a later time.

Complimentary Registrations
*One for every three paid registrations
*Two for every five paid registrations
*Three for every seven paid registrations

Benefits of Attending
*Gain the role-specific tools, strategies and insights needed to stay ahead of expanding scopes of responsibility and increasing threats
*Align security and risk management strategies with enterprise objectives
*Assure adherence to new regulatory, compliance, privacy and e-discovery requirements
*Build a culture that drives security performance through employee engagement



Perimeter Protection Best Practice

Site Security: Defending in Depth

In the current climate, wherein the UK is growing accustomed to remaining on a heightened state of terrorism alert, effective and robust perimeter protection for sensitive sites is an absolute priority. Peter Jackson outlines why businesses should consider the need for physical security designed not only to protect their assets but also deliver a safe and secure environment

Peter Jackson: Managing Director of Jacksons Fencing

Mention the term ‘Site Security’ to a business owner and the chances are the first thoughts that spring into their mind will relate to various technology-based solutions like CCTV or Perimeter Intrusion Detection Systems (otherwise known as PIDS). While there’s undoubtedly a call for these devices to be installed as part of the overall physical security architecture, the simple fact is that they’re incapable of preventing the determined intruder or vehicle from gaining access to the premises.

The Centre for the Protection of National Infrastructure (CPNI) defines physical security as follows: “Physical security measures aim to either prevent a direct assault on a premises or reduce the potential damage and injuries that can be inflicted should an incident occur.”

Preventing an assault or reducing damage/injuries can only be achieved if the determined intruder or vehicle is physically restricted from gaining access to the area by means of an imposing fence or line of defence. CCTV and various intruder systems play a pivotal role in gathering intelligence on – or alerting security personnel to the presence of – unauthorised individuals, but they’ll not deliver a physical barrier to entry in the first instance.

UK plc is now growing accustomed to remaining on a heightened state of terrorism alert. The current terrorism threat level is set at ‘Severe’. That being the case, both effective and robust perimeter protection for sensitive sites is an absolute priority.

Focus on future-proofing

Perimeter protection needs to be carefully planned out for any site. It’s not merely a question of creating a secure fencing structure in front of the main building. A review of physical security measures typically begins with a comprehensive risk assessment designed to pinpoint and prioritise the potential threats to site security. This would include identifying and confirming potential access points and looking at the requirements specific to the individual site. For example, while the height of fencing may seem an obvious consideration, selecting the type of fence appropriate to the level of threat and type of potential attack it’s required to mitigate is of greater importance.

Senior decision-makers responsible for procurement also need to focus on delivering a long-term solution providing a security infrastructure that’s fit for purpose and balances security performance and cost with optimum effectiveness. For higher risk sites, lowest cost is unlikely to be the defining consideration as the consequences of a security breach could be catastrophic.

Products approved by the CPNI, certified to LPS 1175 or approved by Secured by Design carry with them an assurance of performance and suitability to varying levels and types of threat. Some of the hard work in the selection process, then, has already been done. The design of access control is naturally of equal importance as it could become the weakest link in the perimeter. Once again, tested and approved products are available to maintain or otherwise enhance the security of a given site. When risk-assessing the physical security needs of a location, it’s preferable to identify a complete perimeter solution package from a single source.

A question of cost or performance?

There’s a commonly-held belief that tested and approved fencing and access solutions are expensive. Yes, indeed they are. They do cost more than triple-pointed riveted palisade fences or generic mesh panels. There’s a reason for that. They’ve been specifically designed to perform against strictly controlled criteria. Situations or scenarios they can avert are where their true value lies.

Care needs to be taken when comparing what outwardly appears to be the same product from a variety of suppliers. Assurances of longevity and durability can only ever be justified if the highest quality materials and processes are employed. Attention to detail, then, is vital. By way of example, a steel mesh panel that’s supplied with an inferior pre-galvanised finish will not deliver the same outstanding performance over time as a steel mesh panel offering a Galfan zinc and aluminium coating. When compared with traditional galvanising processes, the latter can quadruple the service life of the product.

There’s also a perception that whichever fence is selected will be employed across the entire site which adds significantly to the cost but, in fact, doesn’t add any value. A well-executed perimeter security plan will employ appropriate solutions for different parts of the site. Generally speaking, this would lead to a reduction in cost as not every part of the site requires the same level of protection as do the most critical elements.

Designing from the outside in

That last point brings us neatly on to ‘The Onion Principle’ of target hardening. Security surveys employ ‘The Onion Principle’ to develop a layered approach towards protecting a potential target. The aim is to work from the outside into the middle, treating each different boundary as a layer which needs to be hardened to delay the attacker and provide greater protection for the target. Such a ‘layered’ approach typically increases the level of defence as you move deeper into the heart of the facility and closer to the most critical assets.

All-too-often, decisions are taken based on a printed plan, a web search, a specification, a fixed budget or from a desk in an office looking out and not from the view of someone attempting to break in. The best providers of physical security solutions will offer a consultation service which means that the client can be guided on how best to plan the appropriate perimeter protection and access control into the overall structural design of the site. Specialist advice should be available from the supplier on how best to integrate perimeter fencing, gates, bollards and additional access control devices with other security systems that may already be in place so that the host organisation achieves an effective and cost-efficient outcome.

The highest security fencing will usually feature three rows of razor wire and could never be dressed-up to look attractive. In some situations, visual appearance may need to be considered alongside functional requirements. It’s possible to introduce a ‘hardened’ perimeter security boundary which boasts the necessary strength and resistance to attack while also blending in with the local landscape. Timber fencing is not traditionally associated with higher end security. That said, products do exist which outwardly resemble wood but feature a combination of materials to make it significantly more difficult for an intruder to penetrate through the fence or scale over it, in turn delivering an inherently strong defence which also delivers on aesthetics.

Access control regimes

Allowing authorised personnel in and keeping unwelcome visitors out are the basic rules of site security. Automated access control plays a pivotal role in addressing these fundamental needs while some sites may also require the introduction of further measures such as PAS68-rated crash fencing, road blockers, bollards or crash barriers, etc. Where practicable and where security is not compromised, automated gates or barriers must comply with the EU Machinery Directive, be CE marked and accompanied by a Declaration of Conformity.

Regardless of the perimeter security/access control measures in place, all devices should be designed and installed with the accepted best safety protocols in mind. Consideration ought to be given to outlining procedures by way of ensuring the safe evacuation of the site in an emergency scenario. All of these factors can be incorporated if they’re planned into the site’s security architecture from the outset.

Whether investing in perimeter protection at the design stage of a new build or retrospectively for an existing site, the outlay must represent a solid return on investment. It pays to source products offering a genuine long service life guarantee coupled with minimal maintenance requirements. Automated gates will require regular maintenance (at a minimum of every six months), so a review of the maintenance agreements that support any installation must be undertaken.





Voice over IP: Listen Without Prejudice

Voice over IP may well deliver great savings over traditional telephony, but with call-jacking across unsecured lines collectively costing UK businesses – not the service providers – an estimated £780 million per annum, the cost/benefit argument is perhaps more complex than many companies realise. Paul German urges today’s businesses to recognise the security implications of VoIP before it’s too late


Many UK businesses are now switching to Voice over Internet Protocol (or VoIP) for their telephone requirements in order to cut call costs. Alongside cloud computing, VoIP is undoubtedly a key component in today’s flexible, low cost infrastructure that’s supporting both business agility and growth. However, while businesses are increasingly confident about deploying such technologies, far too many are failing to understand the associated risks.

The clue is in the name: Internet Protocol. VoIP is not just a new, lower cost telephony system. It uses an Internet data connection to provide a voice service and should be treated as such when it comes to security and usage policies. Only the most naïve of companies would ignore the requirement for firewalls and anti-virus solutions, not to mention all of the other essential products required for a robust, multi-layered data security model located on the core infrastructure. Why, then, are most companies blithely deploying VoIP without even considering the security implications?

The end result of doing so is a virtual door left wide open onto the server which is used to host the VoIP service. The same one, in fact, that’s probably employed for the rest of the business. Indeed, the voice function may actually be integrated with essential applications such as ERP. Step forward the fundamentally compromised business infrastructure.

In fact, the potential risk goes far beyond hackers simply using this unsecured route into the business to access corporate data. The biggest problem associated with VoIP in the current business climate is so-called toll fraud or, more to the point, call-jacking.

So how does this occur? In essence, a hacking team sets up a number of premium rate lines – typically the 0900 numbers often located in the Philippines or Malaysia – and gains access to an unsecured VoIP network. The hacking team will then set up automated dial-ups to £5-per-minute numbers. While the network operator takes some of that call revenue, the hackers are typically raking in around 60%. It’s a pretty nice earner that leaves the end user company with a nasty bill which can run into multiple thousands of pounds [1].

Typically, these events occur over a weekend which inevitably means that they’re extremely unlikely to be detected in time. In some cases, companies don’t actually discover the problem until the bill arrives at the end of the month.

Who, though, pays the bill? Check the small print. The telephone network provider has no liability in such cases. It’s all down to the end user of the service, although most providers will work out a payment plan rather than demand the full sum up front. Either way, a single weekend’s call-jacking can leave a business facing a debt that may well tip it over the edge.
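One way to spot the weekend call-jacking pattern described above before the bill arrives, as an added example (not from the article or any vendor): a detector run over exported call detail records. The CSV layout, field names, thresholds, business hours and sample calls are assumptions constructed for illustration; the 0900 prefix and the £5-per-minute rate come from the text.

```python
"""Flag out-of-hours bursts of premium-rate calls in VoIP call detail records (CDRs)."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREMIUM_PREFIXES = ("0900",)   # premium-rate prefix named in the article
RATE_PER_MIN = 5.0             # GBP per minute, the article's figure
WORK_START, WORK_END = 8, 18   # assumed business hours, Monday to Friday

# Constructed sample export (not real traffic): start, extension, dialled number, seconds.
# 3 July 2015 is a Friday; 4 and 5 July are the weekend.
SAMPLE_CDR = """start,extension,dialled,seconds
2015-07-03 10:15:00,201,02079460000,180
2015-07-03 16:40:00,204,09005550101,60
2015-07-04 02:00:05,310,09005550101,600
2015-07-04 02:00:09,310,09005550102,600
2015-07-04 02:10:11,310,09005550101,600
2015-07-04 02:10:15,310,09005550103,600
2015-07-04 02:20:20,310,09005550102,600
2015-07-04 11:30:00,201,01632960000,240
2015-07-05 03:05:00,310,09005550101,900
"""


def parse_cdr(text):
    """Turn the CSV export into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"],
            "dialled": row["dialled"].replace(" ", ""),
            "seconds": int(row["seconds"]),
        })
    return records


def is_out_of_hours(when):
    """Weekend, or a weekday outside the assumed business hours."""
    return when.weekday() >= 5 or not (WORK_START <= when.hour < WORK_END)


def billed(calls, rate_per_min):
    """Cost of a list of calls at a flat per-minute rate."""
    return sum(c["seconds"] for c in calls) / 60 * rate_per_min


def find_bursts(records, prefixes=PREMIUM_PREFIXES, window=timedelta(hours=1),
                max_calls=3, rate_per_min=RATE_PER_MIN):
    """Alert on any extension placing max_calls or more out-of-hours
    premium-rate calls inside one sliding window."""
    by_ext = defaultdict(list)
    for rec in records:
        if rec["dialled"].startswith(tuple(prefixes)) and is_out_of_hours(rec["start"]):
            by_ext[rec["extension"]].append(rec)

    alerts = []
    for ext, calls in by_ext.items():
        calls.sort(key=lambda c: c["start"])
        recent = deque()       # suspicious calls inside the current window
        tripped_at = None      # start time of the call that crossed the threshold
        for call in calls:
            recent.append(call)
            while call["start"] - recent[0]["start"] > window:
                recent.popleft()
            if tripped_at is None and len(recent) >= max_calls:
                tripped_at = call["start"]
        if tripped_at is not None:
            alerts.append({
                "extension": ext,
                "tripped_at": tripped_at,
                "calls": len(calls),
                # cost of the calls already started when the alert fired
                "cost_at_alert": billed([c for c in calls if c["start"] <= tripped_at],
                                        rate_per_min),
                # cost if nobody looks until the bill arrives
                "cost_total": billed(calls, rate_per_min),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_cdr(SAMPLE_CDR)):
        print(alert)
```

The gap between `cost_at_alert` and `cost_total` is the exposure that accrues when the first check is the monthly bill rather than an alert raised during the weekend.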

Failure to mention the risk

This is a problem that’s widely recognised. Indeed, the Communications Fraud Control Association’s (CFCA) Global Fraud Loss Survey has attributed $8 billion a year to toll fraud on a global basis. Given the huge worldwide impact and widescale recognition of this problem, then, why are service providers failing to mention the risk involved when presenting the compelling benefits of VoIP? For their part, why are resellers not bundling security solutions into the overall product set? Put simply, it’s all down to cost.

VoIP connections can be secured, of course, using a Session Border Controller (SBC) which acts as a voice firewall. However, viewed from a traditional perspective these voice firewalls have been expensive solutions requiring dedicated hardware implementation. As a result, those companies aware of the risk have generally ignored it while resellers have felt compelled to downplay the risk because bundling security into the VoIP package usually results in an uncompetitive offer.

Add-in the fact that the VoIP purchase often falls between two teams – the voice team responsible for telephony and the data or networking team responsible for the data infrastructure – and it’s perhaps somewhat less surprising that the security risk associated with VoIP has slipped under the corporate radar. While the data team wouldn’t dream of implementing any technology without considering the security implications, the voice team has had little more to worry about than the ‘small’ risk of mobile phone hacking. For them, security just isn’t on the agenda.

Time to think again

Businesses must change their train of thought. They need to challenge the VoIP providers to provide an accurate picture of the true cost/risk argument and demand that the reseller community explores the latest generation of ‘freemium’ voice firewall products. This new cloud-based technology finally provides businesses with the essential first tier in the voice security model at a fraction of the cost of traditional products. A simple download and install of a virtual SBC enables businesses to secure the voice network within minutes. The great news is that, in a business environment awash with unsecured VoIP connections, any hacker will be deterred by even the most basic of security solutions and will rapidly move on to an easier target.

Furthermore, once the voice firewall is in place, a business has the foundation for the multi-layered security model required for every aspect of the infrastructure (including voice). This encompasses determining how VoIP should be used, what policies ought to be implemented to improve control over the environment and deploying application-level security with a view towards implementing these policies both quickly and effectively.

VoIP is hugely compelling and, with the rise in excellent broadband connections, growing numbers of companies will opt for this low cost approach. However, any Internet-related deployment demands security. Don’t fall victim to undermining your investment in the remainder of your security architecture. Only by applying the same level of rigour to voice security that has become standard practice across data networks will businesses gain the inherent value offered by VoIP solutions without running the risk of damaging breaches or call-jacking episodes.

Paul German: CTO and Founder of Voipsec

Reference [1]: http://www.bbc.co.uk/programmes/b04wwcp4


Duty of Care to Employees: Are You Up to Speed?

Does your company fully understand and deliver upon both the legal and moral components around Duty of Care for those members of staff undertaking overseas assignments and international travel, not to mention employees stationed at headquarters? Colin Brown outlines Best Practice procedures that must be put in place to mitigate disaster scenarios

You hear a loud explosion and a series of shots followed by a brief silence. Then the screaming starts and, in a very short time, you hear sirens in the distance approaching at a rapid rate. You look out of the window and witness mayhem on the street, with smoke billowing from the office block across the road. Your phone rings and Jody on Main Reception informs you that a police officer has instructed that everyone must remain inside the building and stay well away from the windows. The sound of gunfire is now emanating from the building opposite. What do you – and, just as importantly, other members of the business’ dedicated management team – do next?

These days, more often than not those companies sending their employees on international assignments understand that they have a Duty of Care towards their members of staff, although it’s frequently the case that this area could be better defined. They know full well that when they take a person from Wakefield in Yorkshire or Boise City in Idaho and send them to work on a site in Afghanistan, Iraq or Nigeria, they’ll need to prepare that individual for what they will experience and situations they may encounter.

In addition, the company will need to be satisfied that they’ve carried out their risk assessments, mitigated or managed those risks and that the member of the team involved is fully prepared for the unexpected through crisis and incident management planning and training. To be frank, this equates to straightforward good management.

When considering this outline description, does your company currently understand and deliver upon both the legal and moral components of Duty of Care for personnel undertaking overseas assignments and international travel? If you’re unclear or otherwise uncertain of your answer here, it would be wise to raise the question within your management team and seek resolution.

Does a company with its head office located in London, Paris or New York also have a legal and moral Duty of Care towards its employees when a terrorist cell attacks the area where that building is located? After all, this is the company’s home town or city and the terror episode is at the company’s front door.

Some commentators will state that it’s the duty of the Government, the intelligence agencies, the Security Service, law enforcement and the other Emergency Services to keep us safe in our home nations. Of course they’re right. Only the Government can defend a nation against terrorists or other threats to national security, but does this remove all responsibility from the company to prepare adequately for such contingencies and to take reasonable precautions in terms of protecting its employees at work? Perhaps not.

Decision-making and policy setting

While it may be best placed for legal counsel to determine the specific legal obligations of the company regarding Duty of Care to its employees in their own home town environment or elsewhere, bear in mind that this doesn’t absolve the management team of its responsibilities around decision-making and policy setting.

Irrespective of the legal perspective for the Duty of Care a company has towards its employees, contractors and visitors, is there a business case for saying that a responsible company does have a moral Duty of Care towards its employees and others during working hours (and while those staff, contractors or visitors are on company property and/or undertaking company business in their home country)? If so, then to what extent must the company protect its employees against the impact of a terrorist event, and prepare adequately both to enable continuation of the business and for the continued well-being of all employees?

There’s no doubt that management teams charged with security issues and crisis and incident planning in these ‘normal’, ‘home base’ environments may find it difficult to think through the scenarios that could impact their business in the current terrorist threat environment. However, the process can start in a very simple manner that’s within the capacity of all management teams.

Those management teams should gather the information surrounding the tragic events that took place in Sydney on 15 December 2014, in Paris on 7 January 2015 and in Tunis on 18 March this year and then aim to overlay those events on the area in which they’re located within their own city. While it’s unlikely the attacks that took place in Sydney, Paris or Tunis will be replicated exactly, elements will continue through into the next attack, wherever and whenever that takes place. Don’t restrict yourself to recent events, either. Rather, reflect on Ottawa and Nairobi last year, Mumbai in 2008, London in 2005 and Madrid in 2004.

Having gathered together the necessary detail, you might form a small group from within your management team to set available information against the company’s location, environment and circumstances. Then it’s time to start asking some questions:

(a) How many Government, law enforcement or military installations are resident close to the location?
(b) How close are the nearest major tourist destinations?
(c) Are you in the vicinity of any train stations or other transport hubs?
(d) While the company itself may be incognito, is there a major iconic brand housed in an office block close by?

Safe routes for evacuation

Once your management team has mapped out potential targets that may be of interest to an attacker, consider the company’s location in respect of those areas and ascertain the following:

(a) Might your head office be within a police cordon and so be locked down?
(b) Could your building be damaged directly or indirectly due to a terrorist incident and, if so, what sort of destruction might occur?
(c) If an incident occurs and a situation is ongoing, is it possible that staff may be denied access for a few days?
(d) How might an incident affect your employees’ ability and willingness to travel to work?
(e) What are the safe routes for evacuating staff from the building?
(f) Do your existing primary and alternate evacuation muster areas potentially place your personnel at risk should such an incident of some kind duly occur?

After your team has worked out what the possible impact might be, there’s a need to review contingency plans against the answers to the questions above. This will help ensure the company is minimising the impact of events which are essentially outwith the control of the business.

These plans will need to cover a spectrum of issues which may range from how you might feed all of the staff during a lockdown, prevent visitors from coming to your offices for meetings, ensure staff on medication have sufficient supplies and that they have funds if they’ve been unable to go to the bank through to assisting a member of staff in organising childcare as they’re unable to go home to pick up their infant because the police service will not let them leave the premises. It might require you to establish a system enabling the rapid electronic distribution of information to staff in transit to work, or to direct those outside of the premises to stay away, make their way to an alternative work location or wait at home. Irrespective of the legal position, would such a system make straightforward common business sense to your company, and is it the right thing to do for your staff and guests?

The team has developed its plans and they’re deemed fit for purpose. Don’t put them away in a cupboard or let them become ‘shelfware’. Rather, use them to educate and train management teams, not forgetting those team members who may be absent on the day of your Workshop. As a company, be sure to brief members of staff that you’re taking matters seriously and have your employees’ safety, security and well-being at the forefront of the business’ response to the unexpected.
Let your employees, contractors and visitors know that you put their continued safety and security at the forefront of your considerations, but equally make clear what their own responsibilities are to help prevent these potential incidents impacting upon them, their colleagues and the business. Clear direction and ample preparation are key to the individual and the business when it comes to preventing a potential emergency situation from escalating into a crisis for your company or employees.

Colin Brown MA MSc CPP MSyI CSyP: Senior Vice-President of Risk Management Services at Olive Group


In the Spotlight: ASIS International UK Chapter

Converged Security: A Brave New World

As security risks and vulnerabilities change, it’s very much the case that Security Departments develop new ameliorating strategies and tactics. With security threats and vulnerabilities now converged, they’ve created a host of new opportunities for internal and external hackers to find – and take advantage of – weaknesses. How might security managers respond? Dave Tyson outlines the way forward

Today, a criminal gang thousands of miles away from your company’s offices can travel over the Internet, break into your building, steal intellectual property, turn off your surveillance cameras and unlock doors protected by an access control system. When you discover the plundered databases and the unlocked doors, you might think the thief broke in by defeating your physical security systems and waste your time in trying to strengthen them when instead you ought to be bolstering your IT security systems. Of course, that scenario also works the other way. Criminals can break into your building and IT Department and carry away a couple of servers housing the personal information of thousands of your customers.

Threats and vulnerabilities

The point is that security threats and vulnerabilities have converged. Weaknesses in physical security technology place your IT data at risk just like weaknesses in IT security place your company’s physical assets in jeopardy. How, though, has this situation occurred? Advancing technology has improved cameras, access control systems, intruder alarms and other physical security technology immensely thanks to a plethora of new inclusions and capabilities, including IP features that enable you to plug these devices into an IP network – an IP network which, it must be said, is vulnerable to hacker exploitations.

A handful of physical security equipment vendors have focused on the problems created by this IP migration, but only a handful. Security directors can find those vendors by specifying that their products must be secured from an IT-side attack. Some vendors do indeed provide inherently secure products, or at the very least offer the software applications and hardware that you can use to secure the products under your own initiative. End users must also require vendors to provide a plan for configuring the security software and operating systems, server hardware and the protection systems for those tools. If the configuration solution is weak, hackers and criminals will find ways to access the equipment. From there, they can break into your building and your firm’s IT system.

Deleting the default data

Take the time to set and maintain robust user IDs and passwords in your video cameras. Equally important, don’t forget to delete the default user IDs and passwords set in the factory by the manufacturer. There are only a handful of factory settings and attackers know them all. If you don’t delete the default data, an attacker will be able to break into the cameras.

In addition, physical security devices contain programmed sets of rules that actively direct their operation. For example, when an employee presents an access control card to a reader, the system is programmed to search the current end user database for that employee’s name and door permissions. If the employee’s name is in the database along with permission to access this door, the system will unlock it. No permission, no entry.

You have to protect the rules programmed into your devices by encrypting them. Attackers can access and re-write unsecured rules. There are several types of encryption used to protect rules. Whatever type you use, you must then secure the encryption itself against tampering.

The IT Department’s security people can help to protect the logical components of physical security technology. They will want to help as they harbour an abiding interest in protecting physical security pathways towards the company network. After installing and configuring physical security software, it’s a good idea to have a qualified technician test the strength of the lock by trying to break in. If the tech can break in then so can a skilled hacker. Physical and IT security consultants can also assist with this task.

Just as the IT security personnel will help secure physical security devices to protect their network and data from attackers, so too the physical security staff will help protect the IT system from becoming a path towards key-critical physical security systems and devices. One way in which physical security can help directly is to monitor for rogue hotspots while on patrol. Can security officers do that? Yes. With some training from IT, those officers may carry inexpensive sensors that will detect hotspots passed during normal patrols. The IT security staff will know which locations are legitimate and which are not.

In the IT Department itself, new and better tools can detect and mitigate attacks on the network. Some attacks may even be stopped before serious damage is allowed to occur. A physical fence protects the perimeter of a company’s location while firewall technology will do the same at the edge of the IT network. In fact, multiple layers of firewalls protect departments. Today’s advanced firewalls and other security tools also enable administrators to watch network traffic and spot threats as they arise, whether they emanate from a hacker or an unwitting user being compromised.

Purchasing managers ought to focus on vendors that provide security for the devices they sell: computers, servers and monitors. In fact, any device that connects to the network. As noted earlier, physical security devices must have inherent security as well. For the larger networks at risk from debilitating Denial of Service attacks, current defensive software applications can spot intrusions almost as they occur and talk to filtering applications located at ISP sites. The filters can block the bad data and pass the good data through, thereby maintaining the normal flow of business.

What’s needed? More security

In today’s era of convergence, the security profile of a facility is dramatically different. Physical and logical security professionals have always tried to provide the least amount of security necessary. After all, too much security can slow down the pace of business coming through the doors and travelling across the network. While minimum security remains the goal, the convergence agenda has created a host of new opportunities for internal and external hackers and criminals to find – and take advantage of – vulnerabilities. Plugging these new holes increases the security effort required. How much more security does this entail, though? Security professionals are looking for that point, but it’s difficult to find today at the beginning of what is a very new era.

Not long ago, for instance, a system operator in a large multinational company came up with an astoundingly anti-secure idea. He outsourced his job to an individual working in another country known for providing outsourcing services. The sysop surfed to a website offering outsourcing services and hired someone to do his work for a small percentage of his salary. He provided this individual with his user name and password – a major security breach – and trained him to do his job. Next, the employee installed a webcam and created a Virtual Private Network (VPN). He secured the VPN with a VPN token and started a pornography business. He collected pornography from online sites and sold it to customers that he rounded up.

This has happened on a number of occasions in recent years. Some have started pornography businesses. Others have come up with somewhat more tame business ideas. Whatever the focus of the host business, employees outsourcing their roles can not only commit fraud against their employers, but they also create major security breaches that may well end up costing the business substantial amounts of money.

Convergence has rendered a whole new set of security problems possible, in turn making more and more security necessary. Asking the question once more, how much security is necessary in the era of convergence? Wherever the line is drawn, it will certainly be at a level higher than it has ever been before.

Dave Tyson CPP: President of ASIS International and Senior Director of Global Information Security at SC Johnson & Son
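The tamper protection this article asks for on door-permission rules, as an added example (not code from the article or from any vendor): it uses an HMAC tag for integrity rather than encryption, plus a version counter so that an older, validly tagged rule table cannot be replayed after a permission has been revoked. The class and function names, card holders, door names and key are constructed for illustration.

```python
import hashlib
import hmac
import json


class RuleStoreError(Exception):
    """Raised when a rule table cannot be trusted."""


def seal(rules, version, key):
    """Serialise the rule table deterministically and tag it with HMAC-SHA256."""
    doc = {"version": version, "rules": rules}
    blob = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob, tag


class DoorController:
    """Hypothetical controller: unlocks only on rules that passed verification."""

    def __init__(self, key):
        self._key = key
        self._rules = {}    # empty table means every request is denied
        self._version = 0   # highest rule-table version accepted so far
        self.audit = []     # decisions and rejections, for the Control Room

    def load(self, blob, tag):
        expected = hmac.new(self._key, blob, hashlib.sha256).hexdigest()
        # Constant-time comparison; the blob is parsed only after it verifies.
        if not hmac.compare_digest(expected, tag):
            self.audit.append("REJECT rule table: bad tag")
            raise RuleStoreError("integrity check failed")
        doc = json.loads(blob)
        if doc["version"] <= self._version:
            self.audit.append("REJECT rule table: stale version %d" % doc["version"])
            raise RuleStoreError("rollback to an older rule table")
        self._rules, self._version = doc["rules"], doc["version"]
        self.audit.append("ACCEPT rule table version %d" % self._version)

    def present_card(self, holder, door):
        """No permission, no entry: unknown holders and doors are denied."""
        allowed = door in self._rules.get(holder, [])
        self.audit.append("%s %s at %s" % ("UNLOCK" if allowed else "DENY", holder, door))
        return allowed


def try_load(ctl, blob, tag):
    """Return True if the controller accepted the table, False if it rejected it."""
    try:
        ctl.load(blob, tag)
        return True
    except RuleStoreError:
        return False


def demo():
    key = b"constructed-demo-key"  # constructed; real keys belong in a secret store
    ctl = DoorController(key)

    # Version 1 (constructed data): bob has no server-room permission.
    v1 = {"alice": ["front-door", "server-room"], "bob": ["front-door"]}
    blob1, tag1 = seal(v1, 1, key)
    ctl.load(blob1, tag1)
    results = {"bob_server_room": ctl.present_card("bob", "server-room")}

    # A rewritten table presented with the old tag must be rejected.
    tampered = blob1.replace(b'"bob":["front-door"]',
                             b'"bob":["front-door","server-room"]')
    results["tampered_accepted"] = try_load(ctl, tampered, tag1)

    # Version 2 revokes alice's server-room permission.
    v2 = {"alice": ["front-door"], "bob": ["front-door"]}
    blob2, tag2 = seal(v2, 2, key)
    ctl.load(blob2, tag2)

    # Replaying the genuine but superseded version 1 must also be rejected.
    results["rollback_accepted"] = try_load(ctl, blob1, tag1)
    results["alice_after_revocation"] = ctl.present_card("alice", "server-room")
    results["alice_front_door"] = ctl.present_card("alice", "front-door")
    return results


if __name__ == "__main__":
    print(demo())
```

The controller keeps enforcing the last table it verified when a load is rejected, and each rejection lands in the audit list where an operator can see it.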


FIA Technical Briefing

Robust and Transparent: Determining Supply Chain Reliability

Even the most reliable of fire safety systems will fail to function if they haven’t been manufactured correctly. Ray Turner explains why it’s so important for life safety and risk management specialists to seek fire protection equipment that emanates from a robust and transparent supply chain

Ensuring optimum safety on their premises means that building owners need to fully understand the product development process of their shortlisted life safety systems before anything’s installed on site. This is vital both to safeguard compliance with local regulations for the building(s) in question and address the long-term performance and maintenance requirements of the solutions once they’re installed and commissioned. Failure to do so may lead to the selection of equipment that requires additional aftercare over its lifetime, in turn resulting in a higher total cost of ownership (TCO) – not to mention the risk of impaired product function.

Due to the necessary complexity of the fire safety production process, and given the need for systems developers to comply with multiple local and international standards, it can sometimes be a challenge for end user buyers to identify the solutions with the most reliable supply chain. However, there are a number of factors businesses can consider to help them overcome these issues and ensure they do select the most appropriate products.

Pinpoint the correct category

Optimising occupant safety means that building owners must assess the suitability of the fire safety system considered for the development and its intended location by determining the system category to which it belongs. In order to meet the requirements of British Standard BS 5839 Part One, fire alarm equipment is split into categories M, P1, P2, L1, L2, L3, L4 and L5 which correspond to the building applications for which they’re suitable and the functionality they offer when it comes to maintenance and aftercare.

To select the most appropriate product category for the building, it’s crucial that owners and managers consider the particular locations at which they intend to install the equipment as each point in the structure will have its own performance and operational needs. Building owners may obtain guidance on BS 5839 from fire safety system manufacturers and their installer partners.

Often, it can be tempting to select what appear to be the most advanced technologies on the market. However, no two buildings are alike. What’s more, it’s not always the case that the newest products are the most appropriate for the building(s) in question. End users need to think about the individual requirements of their development(s) such that they choose the systems with the most suitable features and benefits for the tasks at hand.

Particular attention should be paid to issues such as the approvals the system has received, the type of protocol used and whether it’s flexible, the regulations the system meets, the quality of the components sourced, whether the system can withstand typical environmental conditions present inside the building and the chosen solution’s life expectancy. Put simply, all of these areas can act as markers of both quality and reliability.

Understanding TCO

Also essential is the requirement to determine the aftercare necessities and life expectancy of each product under consideration in order to minimise TCO. To comply with the UK’s Regulatory Reform (Fire Safety) Order, building owners and managers must check their life safety systems every six months by way of ensuring they offer optimal performance to minimise the risk of unwanted alerts.

Recent Government statistics [1] show that, over the last couple of years, the UK’s Fire and Rescue Services have attended nearly 250,000 false alarm incidents caused by faulty fire safety systems. This doesn’t only realise significant business disruption for building occupants but can also divert Fire and Rescue Services from attending real emergencies where their intervention may well be crucial.

Every technology is different. Some will require maintenance and monitoring more regularly than once every six months as stipulated by the regulations. Other life safety systems might also be susceptible to unexpected issues that can lead to downtime for emergency repairs. All of this extra care will cost time and money, potentially increasing the life safety system’s TCO.

These operational processes can be streamlined – and the cost of equipment over its lifetime minimised – by selecting solutions that have minimal maintenance needs. There are now self-testing fire safety and emergency lighting technologies, for example, that can considerably reduce monitoring needs. A number of manufacturers also offer a comprehensive warranty which could help in offsetting the impact of unplanned repairs.

Building owners and managers should also look at the energy efficiency of the emergency lighting solutions they intend to install as some require far more power than others, again costing extra money. Technologies that feature low-voltage cabling and LEDs, for example, consume only 5% of the electricity expended by standard fluorescent lamps [2], in turn cutting operating costs throughout their lifetime.

Helping to simplify the monitoring process and ensure compliance with the Regulatory Reform (Fire Safety) Order as well as similar legislation, those responsible for the maintenance of life safety systems should also use logbooks. These are comprehensive documents that can record all performance monitoring and maintenance data. Logbooks should be kept in a single location so that they can be easily produced for an audit if required. Choosing logbooks compiled in consultation with independent fire safety registration organisations such as British Approvals for Fire Equipment (BAFE) will ensure regulatory compliance while also streamlining the inspection process (and thus further enhance operational efficiencies).

Support from the experts

There’s plenty of guidance available from fire safety and emergency lighting experts to help building owners select the most appropriate technologies for their developments. Many fire safety system manufacturers, for example, offer on-site technical experts who can support owners and managers in choosing products that comply with both local and European safety standards, as well as identifying solutions for their particular application. A number also offer solutions designed to help businesses understand the long-term performance and TCO of shortlisted systems.

Owners should also look to receive advice from their installers. Many have established partnerships with a particular manufacturer, in turn giving them insight that can help during the product selection process. The Fire Industry Association and similar industry bodies can provide up-to-date information on European standards and regulations to help building owners ensure they comply with the very latest legislation.

Reliability in the supply chain

At the end of the day, a given building is only as safe as the fire safety system(s) installed within it. On that basis, it’s imperative that business owners and managers do all they can to gain the information they need in order to choose the most appropriate life safety technology for their requirements.

Understanding the supply chain that supports fire safety and emergency lighting equipment is vital for determining how that equipment will perform throughout its lifetime. More and more manufacturers are realising this truism and, as such, seek to make their supply chains as transparent as possible. However, until such time that this state of openness is achieved, building owners should talk to their suppliers to gain the information they require that enables them to make an informed decision and balance cost and operational efficiencies with the safety and well-being of building occupants.

Ray Turner: General Manager of Operations at Hochiki Europe

References
[1] Department for Communities and Local Government: https://www.gov.uk/government/statistics/fire-statistics-monitor-april-2013-to-march-2014
[2] Based on a maintained system of 100 LED luminaires compared to 100 traditional fluorescent tube light fittings

www.risk-uk.com


Project2_Layout 1 03/07/2015 16:28 Page 1


SecurityServicesBestPracticeCasebook July2015_riskuk_apr15 03/07/2015 14:50 Page 1

Mitigating Lone Worker Risk

ecently, a building firm became the eleventh company in the UK to be convicted of corporate manslaughter. The prosecution arose from the death of an employee who, while working for the company on a project, plunged through a skylight and landed on the concrete floor below. After pleading guilty to a charge of corporate manslaughter under the Corporate Manslaughter and Corporate Homicide Act 2007 and breaching Section 2(1) of the Health and Safety at Work Act 1974 (for which a fine of £20,000 was levied), the building company was fined over £200,000. In addition, the presiding Judge imposed a Publicity Order requiring the business to advertise the incident on its company website for a set period of time. The owner of the company – who denied a charge of manslaughter – admitted to a breach of the Health and Safety at Work Act and was sentenced to a total of eight months in prison (a term suspended for two years). The owner was also ordered to complete 200 hours of community service and pay costs of £31,504.77. This episode follows in the wake of a more widespread crackdown on inadequate systems and processes, as well as guidance from the Sentencing Council that the potential fines for Health and Safety breaches should be significantly increased. As a result, many

R

Nigel Gray: Director at PageOne (Part of Capita plc)

56

www.risk-uk.com

Security Control Room operatives play a vital role in the co-ordination of people and resources, shouldering significant responsibility for monitoring the well-being of field-based employees. Nigel Gray outlines how many organisations are now introducing location-aware lone worker systems and expanding their remit to enhance other aspects of key staff management organisations are currently revisiting their approach towards worker safety with a view to ensuring their processes are fit for purpose and that, should the unthinkable occur, they can demonstrate by way of hard evidence all reasonable precautions were taken. Now is indeed a particularly important time for businesses to revisit existing worker safety and security arrangements as, in recent years, we’ve witnessed a major change in the way in which workforces are structured. For example, the British Security Industry Association estimates that there are now ‘over six million people in the UK who work in isolation or without direct supervision, often in locations or circumstances placing them at potential risk’. That cohort includes all the groups of lone workers we would traditionally think of, such as lorry drivers and healthcare visitors. However, we could just as easily be talking about police officers, night-time Front of House receptionists, field-based engineers working out-of-hours on a customer site or, of course, private sector security officers. Today, virtually every company across any traditional vertical sector employs lone workers. That being the case, these organisations must demonstrate how they plan to meet their mandatory Duty of Care towards such employees.

Delivering on the legalities One of the key legal requirements is to implement procedures designed to deal with those occasions when a lone worker has an accident or otherwise signals an emergency. Control Room operatives usually play a major role in delivering the legal Duty of Care. However, they don’t always have access to the communication systems required to fulfil this objective in either the most effective or costefficient manner. In fact, it’s very much the case


SecurityServicesBestPracticeCasebook July2015_riskuk_apr15 03/07/2015 14:50 Page 2

Security Services: Best Practice Casebook

that many still rely on a simple telephonebased check-in procedure whereby remote workers are required to call the Control Room at pre-agreed intervals. This can be an effective procedure but it’s one that does harbour some major limitations. First, it’s labour intensive with a significant process overhead and responsibility. Second, it doesn’t scale very well if the number of lone workers should substantially increase. Finally, this is a procedure that relies on the lone worker having a good understanding of their location, with the Control Room operators having no independent means of verifying the accuracy of the information with which they’re being supplied. This is where location-aware technology can make a huge difference. Cloud-based software solutions allow for the location of all lone workers to be displayed in the Control Room on a dynamic map. Each lone worker is issued with a pager or smart phone application which they then activate at the beginning of their shift. At pre-agreed intervals, the pager automatically alerts them with a message that they must acknowledge to confirm they’re not in any form of difficulty. This provides an accurate record of the worker’s location for the Control Room operating staff and enables operatives to concentrate on those lone workers presently in need of assistance or who have failed to check-in. Not only does this solution provide greater protection to lone workers but it also frees up Control Room-based staff to take on other activities that add further value to the business. Such location-based technology may be deployed to demonstrate compliance with the Working Time Directive, better co-ordinate people and resources on the ground or identify the nearest qualified engineer to a reported fault so as to improve response times.

Creating an audit trail

For less hazardous environments, it’s fair to say that a smart phone application holds all of the necessary functionality needed for both protecting the lone worker and creating an audit trail that proves the organisation has taken all reasonable steps towards Duty of Care and welfare. By way of example, Toshiba Medical Systems provides its field-based service engineers with such an application through which they can set their status to ‘Available’ at the beginning of their shift and raise an SOS alarm that triggers within the Control Room should the need arise. Primarily, this is a safety initiative that ensures compliance with the company’s ISO 18001 accreditation for Health and Safety management procedures. However, the sophistication of the technology has also seen it employed to record job completion times in order to predict how long it will take for future faults to be rectified.

In riskier environments, such as those encountered by members of the Emergency Services, it’s likely that a dedicated device for lone worker safety may be more appropriate. For instance, the Dorset Fire & Rescue Service uses lone worker pagers to ensure that fire hydrant technicians are provided with a resilient safety net. These employees are responsible for the inspection, test and repair of approximately 14,500 fire hydrants spread around the county, some of them located in remote or hazardous areas. As well as a dedicated SOS button, the devices incorporate tilt and motion sensors together with ‘man down’ detection to instantly alert the Control Room operators that an employee may be in a state of distress.

It’s abundantly clear that organisations of all sizes must determine to revisit their lone worker processes and procedures and confirm that they’re still fit for purpose. Risk management is – and, what’s more, always will be – a somewhat daunting task for companies. For their part, location-aware lone worker systems will ensure employees have that all-important means of contact with a Control Room. In tandem, the end user organisation is able to mitigate the risks around falling foul of legislation by documenting necessary procedures.

“Today, virtually every company across any traditional vertical sector employs lone workers. That being the case, those companies must demonstrate how they plan to meet their mandatory Duty of Care towards such employees”


Cyber Security: Technology, Policy, Process

The debate around effective corporate cyber resilience often refers to members of staff – ie the ‘end users’ – being ‘the weakest link’ in any given security system but this perception is damaging. As Nick Wilding asserts, it’s true to state that ‘Security’ is only as strong as its users, but those end users are only as good as the technology, policies and processes put in place by the company


For many professionals working in the information security arena, the typical response to a successful cyber attack episode is a comprehensive review of the controls environment. This process usually focuses on preventative controls. That’s often followed by the review, development or purchase of new technology or software solutions designed to plug perceived vulnerabilities. A secondary priority might be to review IT policies and procedure. End user training can be an afterthought. Messages are sent to employees advising that they need to review company policy, make sure they don’t break the rules and that they must now be ‘more careful than ever’. Increasingly, it’s clear that such a methodology is flawed, based as it is on a view that situates technology at the heart of cyber resilience. It’s perfectly understandable why this approach has developed. After all, statistics tell us that simple user mistakes are behind the majority of cyber incidents. However, most organisations are missing a golden opportunity in failing to take advantage of the most powerful force that can help protect their reputation, safeguard their critical information and keep customers close: their people. Information lies at the heart of any organisation as a critical enabler of value, innovation and growth. This information has never been at greater risk from cyber attack than it is today, in turn threatening reputation, customer trust and operational stability. We often hear about sophisticated cyber attacks but the reality is usually very different.

It’s far easier to trick a user into providing access to a computer system than it is to embed malicious software within the network. The challenge is around understanding how best to make system users – regardless of their role or position within the company – aware of when they’re being tricked into providing information and what they should do next. Many of today’s organisations remain reliant upon annual ‘one-off’ information security awareness training programmes. This is typically computer-based education that fails to properly involve the end user in understanding the consequences of any poor behaviour. While many will view information security as an IT issue, the truth is that it always depends on the complex intersection of IT systems and human behaviour. Information drives growth and all members of staff, wherever they may sit within an organisation’s hierarchy, play a critical role in keeping it safe from attack or accidental loss. A simple multiple choice test, taken once a year before its contents are swiftly forgotten, is simply not enough to instil confidence that your operating system is as secure as it can be.

Learning a new language

Security professionals, IT specialists and corporate users must learn a new language for cyber resilience. The way in which risks are discussed and debated inside organisations typically distances users from understanding how they can play their part in security. That rule applies to members of the Board of Directors as much as it does to anyone else. Traditional approaches towards raising cyber awareness – and thus changing behaviours – have often been of the ‘one size fits all’ variety, dominated by messages that simply say: ‘Don’t do this or that’ or otherwise full of technical jargon. Hardly surprising, then, that end users don’t readily engage with them. What’s required is more creative and relevant learning that communicates the potential issues and consequences of what we do every day and which prompts the key questions: ‘What’s my role in this?’ and ‘How can I help?’

Cyber awareness training and learning should address three key challenges: ‘How do I make it engaging for users?’, ‘How do I know how effective it has been?’ and ‘What has changed as a consequence?’ The learning content ought to cover ten prime subjects and, by way of example, focus on areas such as phishing, social engineering, information handling and password safety.



Information Security: Improving Cyber Resilience

Prior to any instruction commencing, allow individuals the opportunity to complete an assessment that measures their knowledge levels and understands their personal learning requirements. In this way the right content type and level is prioritised. Content can then be delivered to staff throughout the year, with regular assessments deliberately orchestrated to measure improvements in their knowledge and skill sets.

Addressing all employees

Cyber resilience relies on members of staff understanding not just the basic principles of security, but also why those principles are important to their role and play a key part in preventing incidents and attacks. This will differ for each member of staff so good cyber resilience training should account for that.

The CEO, for example, will be responsible for leading growth and delivering shareholder value, highlighting a clear vision and strategy for the organisation and ensuring that the business can deliver on its corporate strategy. Key issues or problems which the CEO may have to confront will be protecting corporate and personal reputation, meeting customer needs and understanding the organisation’s level of vulnerability. On that basis, training for the CEO ought to be focused on helping them to understand cyber risk and its impacts on business strategy and providing the professional development required to lead an effective cyber resilience plan. They need to know how to respond to – and recover effectively from – a cyber incident and take both informed and insightful cyber risk decisions.

In terms of the Chief Information Security Officer (CISO), they’ll be protecting the organisation from cyber attack as well as holding responsibility for delivering all information security training, policies and controls. They’ll want to balance technology, people and process. They’re required to keep pace with vulnerabilities and risks, assess the risk to personal and corporate reputation, align cyber security strategy with the main business strategy and maintain compliance against changing policy and/or formal regulation. Training priorities for the CISO, then, should be all about defining, managing and reporting on an effective cyber resilience strategy in addition to assisting all members of staff when it comes to adopting behaviours that will enhance resilience to attack. There must also be a focus on the ability to respond to – and recover from – a security breach using people, processes and technology.

What of vendor managers? Typically, they look after supply chain management, managing third party risk and realising the best deal for their organisation. An issue here is that the vendor manager may have no understanding of the specific risks that suppliers can cause and might be unable to identify and categorise the risk of multiple suppliers. In this instance, training priorities should focus on techniques for making appropriate recommendations to suppliers, the ability to promote good cyber behaviours and the development – and management – of a solid third party cyber resilience strategy. Last but not least in the chain is the customer services executive. The individual tasked with meeting the demanding needs of the client base and hitting those all-important business targets while at the same time providing the highest value service possible. They have to deal with the pressure of delivering services at speed while following appropriate processes in order to minimise the company’s vulnerability to cyber attack. Here, training priorities must be centred on an ability to provide compelling and engaging awareness of cyber security issues. The importance of encouraging and/or championing good behaviours across customer service teams can never be stressed too highly. It’s crucial to be able to track effectiveness not just in terms of what the end user has learned, but also which delivery styles are working best across the organisation.

Nick Wilding: Head of Cyber Resilience at AXELOS


Introducing the future of perimeter protection from Hill & Smith

Bristorm Zero is the latest High Performance Anti Ram crash rated security fence from Hill & Smith Ltd. It’s fully tested and rated to ASTM F2656-07 M50 P1 and offers Zero penetration by the attacking vehicle. Designed, developed and manufactured in the UK, its quality and high performance can be relied upon to protect your valuable site and asset.

For more information please visit www.bristormzero.com or call 01902 499400 and speak to a member of our sales team

New Rope mounting bracket technology

Zero penetration

No tensioning requirements – Ideal for extreme temperature environments

ASTM F2656-07 M50 P1 tested and rated

Scan for more information or visit

www.bristormzero.com

Tested in soft ground

Simple installation, allowing for installation worldwide

The total solution in barrier systems



Training and Career Development

Developing the Security Profession

There can be little doubt that the face of training in the UK’s security sector has changed significantly in recent years. With higher client expectations of security providers, expanding risk registers, increased pressure on margins and rising aspirations of those working in the security world, training has become a key driver of both change and quality. Indeed, key thinkers in the sector understand that ongoing training in security is now ‘part of the job’.

Before the advent of regulation and the Security Industry Authority (SIA), security providers would perform their own basic job training at the recruitment stage, imparting quality control and the ability to select candidates for sites based on little more than the impression that was gained during the interview process. Regulation afforded the security business sector ‘ready-trained’ personnel and offered some companies the opportunity to reduce their costs by cutting back on their own in-house training capabilities or, in some cases, abandoning them altogether. This was a strategy not without risk and the sector has duly witnessed instances of training malpractice (‘BSIA Training Providers Section defends security industry suppliers in wake of BBC’s Inside Out programme’, Risk UK, April 2015, pp8-9).

Perhaps this isn’t too surprising. Where Government funding was made available to training providers for SIA licence-linked instruction based on candidate numbers and results, it could be argued that this created significant financial incentives to bend and/or break those rules that are in place. Security companies who place their trust in the security training sector to provide appropriately trained personnel may well be deploying officers who have not even undertaken the mandatory training. The sector has no way of ever knowing the scale of malpractice. The responsibility for ensuring that personnel are appropriately trained once again falls to the security companies.

SIA’s Approved Contractor Scheme

One requirement of the SIA’s Approved Contractor Scheme (ACS) is that all security officers are assessed at the recruitment stage to confirm that they’ve both undertaken and retained the knowledge derived from their basic job training. It’s often the case that significant time may have elapsed since that education was completed. In addition, there’s no official requirement for annual refresher training.

Rather than be considered some kind of regulatory or contractual burden, Chris Wisely explains exactly why security training ought to be viewed for what it is – a widespread benefit to any organisation that, if conducted in a detailed and appropriate fashion, far outweighs the scale of any necessary underpinning financial investment

Chris Wisely: Managing Director of Axis Security

With no formal research in place to inform about knowledge retention levels in relation to SIA training, it’s fair to suggest that this is a sensible first line of inquisition for anyone hiring security operatives, irrespective of ACS accreditation requirements. A structured ‘training needs analysis’ should follow to identify areas of strength and weakness, in turn informing operational management teams for risk management as well as succession planning opportunities. Regular refresher training on core security topics should also be considered an ‘essential’. Again, the ACS audits include a check for the provision of annual refresher training on subjects relevant to the roles being performed. This could perhaps be considered best practice for all security providers regardless of whether or not they hold ACS accreditation.

The delivery of this training can be challenging. Sites with a dedicated security management structure in place provide the simplest environment for delivery, whereas the ‘single officer’ sites are the hardest to address, and particularly so when they’re in remote locations. A common solution is for mobile management to provide ‘toolbox talks’ to these officers during their mandated welfare visits. Another solution that’s gaining traction in the sector is e-Learning. e-Learning can either be extremely cost-effective or extraordinarily expensive depending on how it’s implemented and/or embedded within the security business. It’s true to say that taking ‘old’ and potentially uninspiring content and simply making it available online isn’t likely to engage the workforce and may indeed be counterproductive if the intention within the business is to develop a true learning culture.

Significant investment required

The investment required for security training is significant. While arguments may be made for and against delivering training in excess of contractual requirements, discussions should always be balanced against the costs of no training being provided at all. Refresher training on certain core topics may be a legal obligation for security providers, specifically in relation to Health and Safety at work, but training in other areas should also be considered. This might include additional conflict management instruction, risk assessment or even physical intervention training if this is identified as being required by an appropriate review. In this respect, effective training is clearly a cost-efficient risk mitigation strategy. Further, if the security business sector is perceived – rightly or wrongly – as providing personnel that lack the appropriate knowledge and skills to do their job properly then the harm that could be done due to lack of instruction is undeniable.

Clients would refuse to see the value of security guarding services, downward pressure on margins would increase, the industry would fail to attract and retain talent and the progress the sector has made towards ‘professionalisation’ would ultimately be rendered useless. Fortunately, such pessimistic views are being countered by our nature as a service industry. We’re privy to positive change being driven by the needs and expectations of our client base. Requests for additional information in tender proposals are an excellent barometer in terms of how security solutions purchasers view the importance of training as an integral element of service delivery. Typically, this will include a focus on customer service which is likely to be costed into the contract as ‘added value’, in turn increasing costs to the security provider. It may be due to the historical practice of offering limited training on this basis within security tenders which has now been accepted as a standard offering. That status quo may contribute to pressure being applied in order to expand this commitment further at no additional cost to the client. Sadly, this can lead to training being delivered ‘on the cheap’ as a ‘box-ticking’ exercise that’s actually counter-productive in terms of the cultural risks it creates and the cost management introduced by wasting money on ill-conceived or ineffective training. Experience informs us that there’s no such thing as ‘training on the cheap’. The measurement should be whether or not the training is effective in bringing about positive behavioural enhancements that will increase client satisfaction while also controlling costs.

Clients: not the only stakeholders

Clients are not the only stakeholders with an interest in training. As the security business sector matures there’s internal pressure for training opportunities. Indeed, a number of studies have indicated that those working in the sector have career aspirations perhaps beyond those traditionally associated with front line security personnel. If the sector truly wishes to retain these people and attract others like them, training and career development opportunities must be clearly signposted. There’s little doubt that any security business investing in an effective training programme is preparing itself for the future needs of both the market and the industry itself. An innovative training strategy will help to win business, attract and retain quality staff, maintain client satisfaction, build trust and support the growing perception of the security sector as being a developing profession.


Gartner Security & Risk Management Summit 2015 14 – 15 September | London, UK | gartner.com/eu/security

Manage Risk and Deliver Security in a Digital World

Five Programs
• Chief Information Security Officer (CISO)
• Risk Management and Compliance
• Security Manager Program: Technology, Trends and Operations
• Business Continuity Management
• Internet of Things Security

GARTNER PREDICTS:

By 2017, 30% of threat intelligence services will include vertical-market security intelligence information from the Internet of Things.

© Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. For more information, email info@gartner.com or visit gartner.com.



Risk in Action

LOCKEN works in tandem with UK Power Networks on securing critical electricity supply infrastructures

LOCKEN – the developer of cable-free access control whose solution concentrates on power, intelligence and communication in one smart key – is working with UK Power Networks to secure electricity supply infrastructures. LOCKEN equips more than 1,500 UK power distribution facilities with its digital access control system, enabling the power supply network to deliver maximum performance to its customers. The system also improves Health and Safety procedures for the power group’s employees and sub-contractors. This solution allows UK Power Networks to move away from mechanical key-locking systems and make the transition towards a solution specifically built around smart keys and electronic cylinders. The system deployed by LOCKEN includes the company’s LPCB4 electronic high security padlocks. Only registered and accredited personnel are able to access work locations. Every lock opening – or attempted opening – can be tracked on the system for subsequent analysis.

The three networks operated by UK Power Networks make use of more than 100,000 miles of underground cables and overhead power lines – a distance approximately equivalent to four times the circumference of the Earth. Reliable power supplies are essential for the UK, of course, and particularly so for our Critical National Infrastructure. The decision by UK Power Networks to continue investing in the security of its networks and infrastructure is a key part of achieving this reliability. Nick Dooley, UK managing director at LOCKEN, explained: “The all-digital concept with the energy supplied by the key was of great interest to UK Power Networks. It allows simple and efficient access management and is supported by proven software, in turn yielding improved operational efficiency.”

Swisscom selects TBS’ 3D-Touchless biometric systems for state-of-the-art data centre in Switzerland

Major telecommunications provider Swisscom has integrated TBS’ 3D-Touchless technology within its latest state-of-the-art data centre. Employing no less than 14 TBS 3D terminals, the client has ensured the very highest levels of security for both people and process in the Swiss-based operation. Swisscom’s newest data centre is the crown jewel among the company’s 24 such operations across Switzerland and provides “the highest standards” in terms of performance and security for customers. Completed at the end of 2014, it represents Swisscom’s largest data centre and is one of only a few in Europe certified for maximum availability while also being afforded high ratings in terms of energy efficiency. With a brief to procure the highest security systems available, Swisscom chose TBS’ 3D-Touchless terminals. These integrate with a full access control system supplied by Securiton. All systems – including the IP video surveillance set-up – are monitored from the building’s dedicated Security Control Room. Entry to the building is granted by way of RFID badge scanners followed by full metal detection units much like those employed at customs control. In practice, TBS’ 3D terminals are the final step when it comes to individuals accessing the most secure areas within the Swisscom location. The 3D-Touchless reader is the only touchless biometric technology to deploy three cameras for the finger scanning process. This ensures ‘No Failure To Enrol’ and also avoids any possibility of sensor damage.

Securitas flying high with Airbus Group in wake of UK contract win

Securitas has been awarded a contract to provide specific security solutions for leading aircraft manufacturer Airbus Group. Those solutions will encompass many specialised services and include the platform for Securitas to further develop its aerodrome-focused fire and rescue services. Securitas has been providing numerous security-focused solutions for Airbus in France, Spain and Germany since 1990. Last year, Airbus Group put out a tender for its UK operation and Securitas’ 40-strong bid team fought determined competition to secure the prestigious contract win. Michael Clancy, commercial director at Securitas, said: “In winning this contract we have proven our services capability and the depth of our reach back to professionals in the UK and across Securitas EMEA.” In practice, the specialist services contract will cover Airbus’ sites in Chester, North Wales, Bristol, Portsmouth and Stevenage and include tasks such as reception duties, airport security and aerodrome fire and rescue in addition to fire vehicle and equipment maintenance.



Pilgrims’ vessel ‘The Judge’ to assist organisations requiring maritime security solutions in West Africa

International security specialist Pilgrims Group has further enhanced its ability to provide safe passage for clients working in West African waters by upgrading a former US Coast Guard cutter with state-of-the-art anti-piracy facilities. The vessel, designated MV ‘The Judge’, was acquired by Pilgrims in the USA three years ago and has recently been refitted to install state-of-the-art navigation and anti-piracy equipment. On-board personnel capacity has now been expanded to 12 crew members. Corporate clients including oil companies, geological surveyors and cable laying experts have already enjoyed the protection of an armed escort provided by MV ‘The Judge’ whose captain, Shane Slabbert, harbours military experience gained with the South African Navy. The vessel, which has served as far afield as Egypt, Somalia and Mombasa, is now based in Lagos, Nigeria working alongside the Nigerian Armed Forces. Its area of operation extends along the West African coast.

“The potential for attack by pirates is a regrettable feature of modern maritime activity and poses a significant threat to our clients, many of whom are involved in projects of economic significance on the international stage,” stated Daniel Revmatas, general manager of Pilgrims Africa. “MV ‘The Judge’ affords Pilgrims Group the ability to provide organisations with a complete solution to security provision, both on land and at sea,” added Revmatas. “Our sea-borne service, demonstrated by the upgraded abilities of ‘The Judge’, provides welcome reassurance in this uncertain environment.” The highly mobile vessel is able to respond rapidly to potential threats long before a suspicious craft can approach a client’s operation. Pilgrims Group closely co-ordinates the vessel’s movements with the Nigerian authorities to safeguard a range of commercial operations around West African waters.

Roll out of OPTEX REDSCAN railway crossing safety solution gathers steam

OPTEX REDSCAN laser detection technology is at the heart of a new system developed and delivered in the UK by systems integrator Tew Plus to enhance the safety of more than 400 level crossings from Scotland down to the South Coast of England. Following nearly two years of testing, Tew Plus achieved full Network Rail Product Approval for its Level Crossing Obstacle Detector – designated LIDAR – using the OPTEX REDSCAN as the core detection element. The complete MCB-OD Level Crossings solution incorporates the LIDAR as the Complementary Obstacle Detector (COD) working alongside RADAR and CCTV surveillance equipment. While the RADAR system is used to detect vehicles or large objects that can cause damage to trains and endanger the safety of passengers, the LIDAR system is designed to protect pedestrians or cyclists who could be trapped between the barriers.

The signalling solution tells the LIDAR system when the Level Crossing is active, while the detection system scans the crossing area within the barriers accordingly. If the crossing is clear, the signal turns green and the train can pass through safely. If an object is detected the barriers will be raised to enable that object – for example a vehicle or pedestrian – to leave the area before allowing the train to pass. If a detected object is static and the system has gone through three cycles, a message can then be sent to the train driver to proceed with caution.

Sovereign installs first-ever lift destination system in Wales with support from TDSi

Sovereign Fire and Security has completed a state-of-the-art building management system installation for insurance company Admiral at the business’ Ty Admiral headquarters in Cardiff. Developed in conjunction with TDSi and lift manufacturer OTIS, the new access control and lift destination solution is the very first of its kind in the UK. Previously, upon entry employees would call the lift and choose the floor they needed. With the new integrated system, once the employee’s card is presented to the access control reader at the secure speed gate, a message is sent to the system and an LCD screen then displays the lift number that the employee needs to enter. The lift will already be set to their destination. The intelligent, integrated system will also send anyone else entering the building who needs to go to the same floor to the same lift. This saves on time by dint of the lift not having to stop at each floor. Mike Sussman, technical director at TDSi, told Risk UK: “This solution uses TDSi’s newly-developed component for our EXgarde security management software. It’s largely the result of developments in network access and fully-integrated security systems.”


Technology in Focus

Cloud Video Platform launched by Digital Barriers

Following on from successful beta trials involving key partners, Digital Barriers has announced the launch of its Cloud Video Platform (CVP). CVP provides automatic video alert verification, camera tampering alerts and face detection all from a cloud service. This enables organisations across both the commercial and public sectors to analyse their video more effectively and efficiently. Using advanced video analytics, CVP can help organisations identify what’s important and compress live and recorded video such that it may be shared more easily, subsequently enhancing operational effectiveness. CVP can also assist Alarm Receiving Centres (ARCs) to reduce false alarms through advanced analytics and enhancement tools over direct web services. Managers and operators are able to use CVP to quickly verify potential threats without significant installation or deployment costs, whereas in the past deploying such tools has been both time-consuming and expensive, in turn leading to prolonged procurements and delayed implementations. CVP is able to operate on public, private and secure Government clouds.

www.digitalbarriers.com

Hikvision unveils ‘LightFighter’ ultra-high WDR models for security managers Hikvision has been focusing on extremely high contrast imaging solutions with the launch of its LightFighter Series of 2 Megapixel SMART IP cameras. Each of the new LightFighter camera models incorporates Hikvision’s ultra-high 140 dB Wide Dynamic Range (WDR) technology for high visibility in brightly lit or high contrast environments. The result is clear, detail-rich images for end users in lighting conditions that would otherwise defeat conventional WDR cameras. The LightFighter Series consists of seven 2 Megapixel cameras. The new models include a Smart IP box camera, two outdoor bullet cameras, two outdoor dome cameras and a pair of network PTZ dome cameras. All seven LightFighter cameras are capable of rendering Full 1920 × 1080 HD images at a consistent 60 frames per second, as well as boasting low-light capability for night-time surveillance needs. Key to the performance of the LightFighter cameras is the WDR technology that allows each model to record greater scene details even where the intensity of illumination varies considerably, such as backlighting when very dark and very bright areas appear simultaneously in the field of view. Although a common feature in CCTV cameras for this reason, the 140 dB WDR in the LightFighter offers 100 times more powerful enhancement than the 120 dB WDR systems of conventional cameras. LightFighter is particularly suited to intense backlight situations and is the ideal camera for pointing towards windows and entrance doors. The LightFighter camera range is equipped with Hikvision’s full SMART feature set, including face detection, intrusion detection, line-crossing detection, ANPR and object counting that enables the camera to detect any moving object and follow it within the camera’s area of coverage without fault. www.hikvision.com


Axis Communications introduces dedicated series of high-speed pan-tilt head network cameras Axis Communications’ Q86 PT Head Network Camera Series reveals a high-performance product line that includes both visual and thermal cameras. “Extremely fast” pan-tilt capabilities combined with low-light visual and thermal features make the cameras ideal for perimeter protection, border control and transportation monitoring. According to Axis, the cameras’ expanded range of vision and high precision images “deliver new levels of efficiency and cost-effectiveness” for monitoring large areas in challenging conditions. “With the introduction of these fast-moving pan-tilt head cameras we can offer operators managing perimeter protection and border surveillance a solution for covering large areas, reducing the number of cameras they need,” stated Erik Frännlid, Axis’ director of product management. www.axis.com

Pelco showcases Optera Series of ‘Panomersive’ CCTV cameras Pelco’s new Optera Series of high resolution ‘Panomersive’ cameras with panoramic viewing and SureVision 2.0 Wide Dynamic Range (WDR) are said to “bring a new dimension” to CCTV. The Optera Series cameras seamlessly blend high quality images from four 3 Megapixel cameras mounted within the same housing. An ultra-HD ‘Panomersive’ video stream of an entire scene is produced while the cameras simultaneously render detailed, immersive video streams of multiple areas of interest within the scene. Each video stream is processed separately by Pelco’s VideoXpert video management software (VMS) and other compatible, integrated VMS. The ‘Panomersive’ video stream is up to 12 Megapixels at 12.5 frames per second in full resolution. SureVision 2.0 WDR, anti-bloom technology, 3D noise filtering and advanced tone mapping are all part of the mix. www.pelco.com



FaceSentinel: Facial recognition for access control by Aurora Facial recognition specialist Aurora has launched FaceSentinel, dubbed “the world’s first biometric access control authentication product powered by Deep Learning”. Designed for integration with existing access control systems, the solution uses Artificial Intelligence (AI) and infrared light to achieve “unparalleled” facial recognition speed, accuracy and reliability. FaceSentinel works with existing high security access control systems to authenticate pass holders. A registered user swipes his or her pass card or key fob and FaceSentinel simply confirms whether the person holding the credential is the same individual registered within the organisation’s access permissions system. This authentication happens in a second or less thanks to that core technology behind FaceSentinel: Deep Learning. Deep Learning is a pioneering technique used to create a highly optimised AI. It works by first creating a blank ‘brain’ or artificial neural network. This brain is then trained to recognise faces by presenting it with millions of face image examples, enabling it to become more experienced, faster and more accurate at the facial recognition task than any human or existing technology. www.facrec.com

Honeywell devises specialist safety solution for confined space working Honeywell has introduced the Miller H-Design confined space harness, a specialist safety solution for people working in confined areas. The harness features a belt that holds a respiratory mask, providing workers in the utilities and water treatment sectors with a comfortable, flexible and easily accessible self-rescue solution. Suitable for use with all major self-rescuer masks on the market, due to a single webbing attachment system the soft and flexible padded belt is comfortable and can be adjusted in height to suit the end user. The self-rescuer mask can be placed either on the front, side or back of the harness for greater freedom of movement with a smooth, sliding action bringing the mask to the front of the belt both quickly and easily in case of a developing emergency situation. These EN361:2002-compliant harnesses are available on their own or as a complete unit with belt and harness. Belts are offered in two sizes (S/M or L/XL) to fit any body shape. Fitted with DuraFlex stretch webbing at the shoulders for additional comfort, the Miller H-Design has special features that make it up to three times faster to put on than traditional harnesses. These include easy-to-access buckles that offer the ability to make intuitive adjustments by pulling from the top down (versus traditional harness buckles that require pulling from the bottom up) as well as a chest strap that can be adjusted for a more comfortable fit. Highly visible stitching and fall indicators positioned on the front web loops and back plate render inspection of the harnesses an easy task for safety and security managers as well as the site workers using them. www.honeywellsafety.com

SOTERIA safety technology championed by solutions specialist Apollo Fire Detectors Apollo Fire Detectors has unveiled the new addressable detectors which form the initial line-up in the SOTERIA detection range, the next generation in fire recognition technology which is designed to improve detection, reduce false alarms and deliver improved reliability. Comprising a range which covers all detection areas such as heat, optical and CO individually or across innovative combinations, the exclusive technology incorporated into the range has been shown to reduce the incidence of false alarms while ensuring ease of installation. Models in the range meet and indeed exceed EN54 standards and have been developed using the most sophisticated manufacturing equipment to ensure consistent high quality products and fast response to customer requirements. The technology behind SOTERIA, known as PureLight, incorporates both enhancements to the smoke entry process and the new design of the Cone sensing chamber which, taken together, are proven to lower the possibilities of false alarms and enhance smoke detection. The ‘Serpentine’ designed smoke entry path provides a wide degree of separation of smoke and dust, and enables smoke to pass to the Cone chamber but acts as a barrier to dust and insect ingress. www.apollo-fire.co.uk


Pro-Activ Publications is embarking on a revolutionary launch: a FORTNIGHTLY NEWSPAPER dedicated to the latest financial and business information for professionals operating in the security sector

Business News for Security Professionals

The Paper will bring subscribers (including CEOs, managing directors and finance directors within the UK’s major security businesses) all the latest company and sector financials, details of business re-brands, market research and trends and M&A activity

FOR FURTHER INFORMATION ON THE PAPER CONTACT: Brian Sims BA (Hons) Hon FSyI (Editor, The Paper and Risk UK) Telephone: 020 8295 8304 e-mail: brian.sims@risk-uk.com www.thepaper.uk.com



Appointments

Baroness Pauline Neville-Jones DCMG The Board of Directors at GeoReach Global has announced the appointment of The Right Honourable Baroness Pauline Neville-Jones DCMG PC as an independent director of the company with immediate effect. “Baroness Neville-Jones has extensive experience across the security sector while her expertise in foreign affairs and corporate matters will add a valuable dimension to our Board,” enthused Ian Taylor, chairman of GeoReach Global. Baroness Neville-Jones is chairman of the Bank of England’s senior Cyber Advisory Panel. In the UK coalition Government she served as Minister of State for Security and Counter-Terrorism occupying a seat on the UK’s National Security Council, subsequently taking on the role of the UK Government’s Special Representative to Business on Cyber Security. Previously, Baroness Neville-Jones was chairman of the UK’s Joint Intelligence Committee and political director at the Foreign and Commonwealth Office, a BBC Governor and the non-executive chairman of QinetiQ. The Baroness also led the British delegation to the Dayton negotiations focused on the Bosnia peace settlement. Speaking about this appointment, Ben Ebdon (CEO at GeoReach Global) commented: “With directors such as Ian Taylor, who spent 23 years in Parliament and is a former science minister, and Michael Butler – who’s a former president and COO of Inmarsat – already in place, the addition of Baroness Neville-Jones strengthens our business still further.”

Richard Stones CSyP FSyI ASIS International UK Chapter’s Police Liaison Committee member Richard Stones CSyP has been awarded an OBE in Her Majesty The Queen’s 2015 Birthday Honours List for services to the police and business. Back in 2011, Stones was the first serving police officer worldwide to be awarded Chartered Security Professional (CSyP) status. He’s also a Fellow of The Security Institute and a Freeman of The Worshipful Company of Security Professionals. On receiving the award, Stones explained to Risk UK: “It’s great to be recognised in this way. I was shocked but delighted when I received the letter. I hope this accolade will help in raising the profile of ASIS, particularly in policing circles where a closer collaboration with business and industry standards would help us all.” Speaking about this development, ASIS UK’s Chapter chairman Andy Williams CPP said: “With the police service in the UK being subject to further budget reductions, the pressure on non-front line departments to reduce expenditure while at the same time improving efficiencies is huge. Set in that context, it’s particularly gratifying to see the great work that Richard has undertaken being rewarded in this way.” Stones is currently serving as staff officer to the national policing lead for business crime reduction in the UK.

Risk UK keeps you up-to-date with all the latest people moves in the security, fire, IT and Government sectors

Joe Connell At this year’s Annual General Meeting, Joe Connell was elected as the new chairman of the Association of Security Consultants (ASC). Connell has been a member of the ASC since 2010 and served on the Board for three years. He’s joined by fellow ASC member Roger Noakes, a stalwart of the security sector, as deputy chairman. Connell has been in the consulting world since 2006 following a 32-year policing career which led him to a senior position with Specialist Operations at New Scotland Yard. He has consulted throughout Western and Eastern Europe, Asia and Africa. Connell spends much of his current time as the Senior Police Adviser in Somaliland where he leads a team developing the capabilities of this growing country in a vitally important region for global security. Other new members of the ASC Board include Steve Beels and Warren Collins. They join existing Board members Mike Cahalane (founder), Nigel Flower (founder), Bob Martin (treasurer), Graeme Dow (external events), Ken Graham (membership), Jon Laws (industry standards) and Jim Swift (honorary secretary). “The independence aspect is key to the value ASC members bring to the market,” explained Connell in conversation with Risk UK. “Members are drawn from a broad range of professional backgrounds, each honed in their own security-related discipline. End users are being offered the best advice on their security issues.”


Chris Gould EY has appointed a new partner, Chris Gould, specifically to head up its cyber crime team in the UK. He will now lead a group of dedicated professionals that helps organisations tackle the threat of cyber crime by proactively identifying threats, responding to data breaches and tracking down perpetrators. Gould has over 25 years’ experience of working with clients across a variety of sectors in Russia, central and Eastern Europe, the US and the UK. Prior to joining EY, he led PwC’s Cyber Security practice in central and Eastern Europe. According to GCHQ, eight in every ten of the biggest British companies have suffered a serious cyber attack, episodes that cost the UK economy tens of millions of pounds on an annual basis. Cyber attacks are also one of the UK’s top national security risks alongside terrorism. Paul Walker, partner and head of forensic technology for EY in the UK, commented: “Chris brings a wealth of experience in the cyber space sphere which is where we expect to see significant growth. Clients will be taking steps to protect themselves from cyber crime, investigate breaches and deal with the aftermath of cyber incidents from rogue employees, criminal gangs and state-sponsored attacks.”

James Condron Physical Security Information Management software specialist CNL Software is strengthening its senior management team and Board thanks to the promotion of James Condron to the role of global vice-president with responsibility for sales and marketing. Condron will now be in charge of driving growth for the company via its already extensive global partner ecosystem. Condron joined CNL Software in 2004 and boasts over 25 years’ experience within sales and marketing of IT software and hardware solutions. Having formulated a successful track record in delivering significant business growth, Condron has been instrumental in some of the largest, most complex and groundbreaking security integration projects during his tenure at CNL Software. “We’re all extremely excited that James has accepted this new role,” commented Keith Bloodworth, CEO at CNL Software. “He brings with him great drive, energy and expertise within complex security integration programs.” Speaking about his new role within the business, Condron told Risk UK: “Security operations across the world are eager to leverage additional value from the investments made in their security infrastructure and also to exploit the tremendous benefits offered by the Internet of Things, yet end users are struggling to make sense of the myriad data being produced by multiple systems and devices. We can help them cut through this complexity.”

Tom Feeney G4S Facilities Management has appointed Tom Feeney as the business’ new finance director. Feeney will be responsible for finances across the UK, Ireland, the Channel Islands and the Isle of Man as well as leading the finance and commercial teams at the G4S FM head office located in Banbury. Feeney has been with G4S FM for just over a year and previously held the role of head of finance and commercial with the company. In his new position, Feeney will manage the finances across 60 single, bundled and total facilities management contracts in a business boasting an annual turnover of £300 million. Before joining G4S FM in July last year, Feeney served as commercial finance director at United Technologies Actuation Systems and, prior to that, as the firm’s after-market finance director. He has also held director-level roles in FM businesses including Capita. Feeney trained as a management accountant before embarking on a successful career in the service and outsourcing sectors.

Steve Brown Fire detection solutions manufacturer Apollo Fire Detectors has appointed Steve Brown as the company’s new managing director with regional responsibility for Europe, the Middle East and Africa (EMEA). Brown brings with him “an excellent record” of growth and business transformation in his previous roles, joining Apollo from ITW where he served as group president of the International Catering Equipment division. Brown read Engineering at the University of Cambridge and gained an MSc in Aeronautics from Cranfield. His career history includes positions as senior engineer in research at British Aerospace and project manager for a UK-based consultancy before he joined ITW in France. Commenting on his new appointment, Brown told Risk UK: “I’m looking forward to building on Apollo’s founding values and traditions, gaining a deeper understanding of our customers and increasing our worldwide presence to position the business as a truly global company.”



Best Value Security Products from Insight Security www.insight-security.com Tel: +44 (0)1273 475500 ...and lots more Computer Security

Anti-Climb Paints & Barriers

Metal Detectors (inc. Walkthru)

Security, Search & Safety Mirrors

ACCESS CONTROL

Security Screws & Padlocks, Hasps Fastenings & Security Chains

Key Safes & Key Control Products

Traffic Flow & Management

see our website

ACCESS CONTROL – BARRIERS GATES & ROAD BLOCKERS

FRONTIER PITTS Crompton House, Crompton Way, Manor Royal Industrial Estate, Crawley, West Sussex RH10 9QZ Tel: 01293 548301 Fax: 01293 560650 Email: sales@frontierpitts.com Web: www.frontierpitts.com

ACCESS CONTROL

ACT ACT – Ireland, Unit C1, South City Business Centre Tallaght, Dublin 24 Tel: +353 (0)1 4662570 ACT - United Kingdom, 2C Beehive Mill Jersey Street, Manchester M4 6JG +44 (0)161 236 3820 sales@act.eu www.act.eu

ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES

UKB INTERNATIONAL LTD ACCESS CONTROL

APT SECURITY SYSTEMS The Power House, Chantry Place, Headstone Lane, Harrow, HA3 6NY Tel: 020 8421 2411 Email: info@aptcontrols.co.uk www.aptcontrols-group.co.uk

Planet Place, Newcastle upon Tyne Tyne and Wear NE12 6RD Tel: 0845 643 2122 Email: sales@ukbinternational.com Web: www.ukbinternational.com

Barriers, Blockers, Bollards, PAS 68

ACCESS CONTROL, CCTV & INTRUSION DETECTION SPECIALISTS

SIEMENS SECURITY PRODUCTS ACCESS CONTROL

KERI SYSTEMS UK LTD Tel: + 44 (0) 1763 273 243 Fax: + 44 (0) 1763 274 106 Email: sales@kerisystems.co.uk www.kerisystems.co.uk

Suite 7, Castlegate Business Park Caldicot, South Wales NP26 5AD UK Main: +44 (0) 1291 437920 Fax: +44 (0) 1291 437943 email: securityproducts.sbt.uk@siemens.com web: www.siemens.co.uk/securityproducts

ACCESS CONTROL & DOOR HARDWARE

ALPRO ARCHITECTURAL HARDWARE

ACCESS CONTROL

COVA SECURITY GATES LTD Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68

Tel: 01293 553888 Fax: 01293 611007 Email: sales@covasecuritygates.com Web: www.covasecuritygates.com

Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks, Waterproof Keypads, Door Closers, Deadlocks plus many more T: 01202 676262 Fax: 01202 680101 E: info@alpro.co.uk Web: www.alpro.co.uk

ACCESS CONTROL – SPEED GATES, BI-FOLD GATES ACCESS CONTROL MANUFACTURER

NORTECH CONTROL SYSTEMS LTD. Nortech House, William Brown Close Llantarnam Park, Cwmbran NP44 3AB Tel: 01633 485533 Email: sales@nortechcontrol.com www.nortechcontrol.com

HTC PARKING AND SECURITY LIMITED 4th Floor, 33 Cavendish Square, London, W1G 0PW T: 0845 8622 080 M: 07969 650 394 F: 0845 8622 090 info@htcparkingandsecurity.co.uk www.htcparkingandsecurity.co.uk

ACCESS CONTROL - BARRIERS, BOLLARDS & ROADBLOCKERS

ACCESS CONTROL

HEALD LTD

INTEGRATED DESIGN LIMITED

HVM High Security Solutions "Raptor" "Viper" "Matador", Shallow & Surface Mount Solutions, Perimeter Security Solutions, Roadblockers, Automatic & Manual Bollards, Security Barriers, Traffic Flow Management, Access Control Systems

Integrated Design Limited, Feltham Point, Air Park Way, Feltham, Middlesex. TW13 7EQ Tel: +44 (0) 208 890 5550 sales@idl.co.uk www.fastlane-turnstiles.com

Tel: 01964 535858 Email: sales@heald.uk.com Web: www.heald.uk.com


CCTV

ACCESS CONTROL

SECURE ACCESS TECHNOLOGY LIMITED Authorised Dealer Tel: 0845 1 300 855 Fax: 0845 1 300 866 Email: info@secure-access.co.uk Website: www.secure-access.co.uk

CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS

ALTRON COMMUNICATIONS EQUIPMENT LTD Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ Tel: +44 (0) 1269 831431 Email: cctvsales@altron.co.uk Web: www.altron.co.uk

AUTOMATIC VEHICLE IDENTIFICATION

NEDAP AVI PO Box 103, 7140 AC Groenlo, The Netherlands Tel: +31 544 471 666 Fax: +31 544 464 255 E-mail: info-avi@nedap.com www.nedapavi.com

CCTV

G-TEC Gtec House, 35-37 Whitton Dene Hounslow, Middlesex TW3 2JN Tel: 0208 898 9500 www.gtecsecurity.co.uk sales@gtecsecurity.co.uk

ACCESS CONTROL – BARRIERS, GATES, CCTV

CCTV/IP SOLUTIONS

ABSOLUTE ACCESS

DALLMEIER UK LTD

Aberford Road, Leeds, LS15 4EF Tel: 01132 813511 E: richard.samwell@absoluteaccess.co.uk www.absoluteaccess.co.uk Access Control, Automatic Gates, Barriers, Blockers, CCTV

BUSINESS CONTINUITY

3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH Tel: +44 (0) 117 303 9 303 Fax: +44 (0) 117 303 9 302 Email: dallmeieruk@dallmeier.com

CCTV & IP SECURITY SOLUTIONS

PANASONIC SYSTEM NETWORKS EUROPE Panasonic House, Willoughby Road Bracknell, Berkshire RG12 8FP Tel: 0844 8443888 Fax: 01344 853221 Email: system.solutions@eu.panasonic.com Web: www.panasonic.co.uk/cctv

BUSINESS CONTINUITY MANAGEMENT

CONTINUITY FORUM Creating Continuity ....... Building Resilience A not-for-profit organisation providing help and support Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845 Email: membership@continuityforum.org Web: www.continuityforum.org

COMMUNICATIONS & TRANSMISSION EQUIPMENT

KBC NETWORKS LTD. Barham Court, Teston, Maidstone, Kent ME18 5BZ www.kbcnetworks.com Phone: 01622 618787 Fax: 020 7100 8147 Email: emeasales@kbcnetworks.com

PHYSICAL IT SECURITY

RITTAL LTD

DIGITAL IP CCTV

Tel: 020 8344 4716 Email: information@rittal.co.uk www.rittal.co.uk

SESYS LTD High resolution ATEX certified cameras, rapid deployment cameras and fixed IP CCTV surveillance solutions available with wired or wireless communications.

1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333 Email: info@sesys.co.uk www.sesys.co.uk

INFRA-RED, WHITE-LIGHT AND NETWORK CCTV LIGHTING

RAYTEC

TO ADVERTISE HERE CONTACT: Paul Amura Tel: 020 8295 8307 Email: paul.amura@proactivpubs.co.uk

Unit 3 Wansbeck Business Park, Rotary Parkway, Ashington, Northumberland. NE638QW Tel: 01670 520 055 Email: sales@rayteccctv.com Web: www.rayteccctv.com

CCTV SPECIALISTS

PLETTAC SECURITY LTD Unit 39 Sir Frank Whittle Business Centre, Great Central Way, Rugby, Warwickshire CV21 3XH Tel: 01788 567811 Fax: 01788 544 549 Email: jackie@plettac.co.uk www.plettac.co.uk


TRADE ONLY CCTV MANUFACTURER AND DISTRIBUTOR

COP SECURITY Leading European Supplier of CCTV equipment all backed up by an industry leading service and support package called Advantage Plus. COP Security, a division of Weststone Ltd, has been designing, manufacturing and distributing CCTV products for over 17 years. COP Security is the sole UK distributor for IRLAB products and the highly successful Inspire DVR range. More than just a distributor.


COP Security, Delph New Road, Dobcross, OL3 5BG Tel: +44 (0) 1457 874 999 Fax: +44 (0) 1457 829 201 sales@cop-eu.com www.cop-eu.com

WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS, PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.

MAYFLEX Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ

Tel: 0800 881 5199 Email: securitysales@mayflex.com Web: www.mayflex.com

CCTV & IP SOLUTIONS, POS & CASH REGISTER INTERFACE, EPOS FRAUD DETECTION

AMERICAN VIDEO EQUIPMENT Endeavour House, Coopers End Road, Stansted, Essex CM24 1SJ Tel : +44 (0)845 600 9323 Fax : +44 (0)845 600 9363 E-mail: avesales@ave-uk.com

CONTROL ROOM & MONITORING SERVICES

THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS CONTROL AND INTRUDER DETECTION SOLUTIONS

NORBAIN SD LTD ADVANCED MONITORING SERVICES

EUROTECH MONITORING SERVICES LTD.

Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring • Vehicle Tracking • Message Handling • Help Desk Facilities • Keyholding/Alarm Response Tel: 0208 889 0475 Fax: 0208 889 6679 E-MAIL eurotech@eurotechmonitoring.net Web: www.eurotechmonitoring.net

DISTRIBUTORS

210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP Tel: 0118 912 5000 Fax: 0118 912 5001 www.norbain.com Email: info@norbain.com

EMPLOYMENT

FIRE AND SECURITY INDUSTRY RECRUITMENT

SECURITY VACANCIES www.securityvacancies.com Telephone: 01420 525260

EMPLOYEE SCREENING SERVICES

THE SECURITY WATCHDOG Cross and Pillory House, Cross and Pillory Lane, Alton, Hampshire, GU34 1HL, United Kingdom www.securitywatchdog.org.uk Telephone: 01420593830

sales@onlinesecurityproducts.co.uk www.onlinesecurityproducts.co.uk

IDENTIFICATION

ADI ARE A LEADING GLOBAL DISTRIBUTOR OF SECURITY PRODUCTS OFFERING COMPLETE SOLUTIONS FOR ANY INSTALLATION.

ADI GLOBAL DISTRIBUTION Chatsworth House, Hollins Brook Park, Roach Bank Road, Bury BL9 8RN Tel: 0161 767 2900 Fax: 0161 767 2909 Email: info@adiglobal.com


COMPLETE SOLUTIONS FOR IDENTIFICATION

PERIMETER PROTECTION

DATABAC GROUP LIMITED

GPS PERIMETER SYSTEMS LTD

1 The Ashway Centre, Elm Crescent, Kingston upon Thames, Surrey KT2 6HH Tel: +44 (0)20 8546 9826 Fax:+44 (0)20 8547 1026 enquiries@databac.com

14 Low Farm Place, Moulton Park Northampton, NN3 6HY UK Tel: +44(0)1604 648344 Fax: +44(0)1604 646097 E-mail: info@gpsperimeter.co.uk Web site: www.gpsperimeter.co.uk

INDUSTRY ORGANISATIONS

PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB

INSIGHT SECURITY TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY

BRITISH SECURITY INDUSTRY ASSOCIATION Tel: 0845 389 3889 Email: info@bsia.co.uk Website: www.bsia.co.uk

Unit 2, Cliffe Industrial Estate Lewes, East Sussex BN8 6JL Tel: 01273 475500 Email:info@insight-security.com www.insight-security.com

POWER THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY

SSAIB

POWER SUPPLIES – DC SWITCH MODE AND AC

7-11 Earsdon Road, West Monkseaton Whitley Bay, Tyne & Wear NE25 9SX Tel: 0191 2963242 Web: www.ssaib.org

DYCON LTD Cwm Cynon Business Park, Mountain Ash, CF45 4ER Tel: 01443 471 060 Fax: 01443 479 374 Email: marketing@dyconsecurity.com www.dyconsecurity.com The Power to Control; the Power to Communicate

INTEGRATED SECURITY SOLUTIONS STANDBY POWER SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

UPS SYSTEMS PLC

HONEYWELL SECURITY GROUP

Herongate, Hungerford, Berkshire RG17 0YU Tel: 01488 680500 sales@upssystems.co.uk www.upssystems.co.uk

Honeywell Security Group provides innovative intrusion detection, video surveillance and access control products and solutions that monitor and protect millions of facilities, offices and homes worldwide. Honeywell integrates the latest in IP and digital technology with traditional analogue components enabling users to better control operational costs and maximise existing investments in security and surveillance equipment. Honeywell – your partner of choice in security. Tel: +44 (0) 844 8000 235 E-mail: securitysales@honeywell.com Web: www.honeywell.com/security/uk

UPS - UNINTERRUPTIBLE POWER SUPPLIES

ADEPT POWER SOLUTIONS LTD Adept House, 65 South Way, Walworth Business Park Andover, Hants SP10 5AF Tel: 01264 351415 Fax: 01264 351217 Web: www.adeptpower.co.uk E-mail: sales@adeptpower.co.uk

INTEGRATED SECURITY SOLUTIONS

INNER RANGE EUROPE LTD Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead, Reading, Berkshire RG74GB, United Kingdom Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001 Email: ireurope@innerrange.co.uk www.innerrange.com

UPS - UNINTERRUPTIBLE POWER SUPPLIES

UNINTERRUPTIBLE POWER SUPPLIES LTD Woodgate, Bartley Wood Business Park Hook, Hampshire RG27 9XA Tel: 01256 386700 5152 e-mail: sales@upspower.co.uk www.upspower.co.uk

SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

TYCO SECURITY PRODUCTS Heathrow Boulevard 3, 282 Bath Road, Sipson, West Drayton. UB7 0DQ / UK Tel: +44 (0)20 8750 5660 www.tycosecurityproducts.com

PERIMETER PROTECTION

ADVANCED PRESENCE DETECTION AND SECURITY LIGHTING SYSTEMS

GJD MANUFACTURING LTD Unit 2 Birch Business Park, Whittle Lane, Heywood, OL10 2SX Tel: + 44 (0) 1706 363998 Fax: + 44 (0) 1706 363991 Email: info@gjd.co.uk www.gjd.co.uk


SECURITY

INTRUDER ALARMS – DUAL SIGNALLING

WEBWAYONE LTD CASH & VALUABLES IN TRANSIT

CONTRACT SECURITY SERVICES LTD Challenger House, 125 Gunnersbury Lane, London W3 8LH Tel: 020 8752 0160 Fax: 020 8992 9536 E: info@contractsecurity.co.uk E: sales@contractsecurity.co.uk Web: www.contractsecurity.co.uk

11 Kingfisher Court, Hambridge Road, Newbury Berkshire, RG14 5SJ Tel: 01635 231500 Email: sales@webwayone.co.uk www.webwayone.co.uk www.twitter.com/webwayoneltd www.linkedin.com/company/webwayone

LIFE SAFETY EQUIPMENT

C-TEC QUALITY SECURITY AND SUPPORT SERVICES

CONSTANT SECURITY SERVICES Cliff Street, Rotherham, South Yorkshire S64 9HU Tel: 0845 330 4400 Email: contact@constant-services.com www.constant-services.com

Challenge Way, Martland Park, Wigan WN5 OLD United Kingdom Tel: +44 (0) 1942 322744 Fax: +44 (0) 1942 829867 Website: http://www.c-tec.co.uk

PERIMETER SECURITY

TAKEX EUROPE LTD FENCING SPECIALISTS

J B CORRIE & CO LTD Frenchmans Road Petersfield, Hampshire GU32 3AP Tel: 01730 237100 Fax: 01730 264915 email: fencing@jbcorrie.co.uk

Aviary Court, Wade Road, Basingstoke Hampshire RG24 8PE Tel: +44 (0) 1256 475555 Fax: +44 (0) 1256 466268 Email: sales@takex.com Web: www.takex.com

SECURITY EQUIPMENT INTRUSION DETECTION AND PERIMETER PROTECTION

OPTEX (EUROPE) LTD Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre optic perimeter security solutions are owned by Optex. Platinum House, Unit 32B Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311 Email: sales@optex-europe.com www.optex-europe.com

PYRONIX LIMITED Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY. Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042 www.facebook.com/Pyronix www.linkedin.com/company/pyronix www.twitter.com/pyronix

SECURITY SYSTEMS INTRUDER AND FIRE PRODUCTS

CQR SECURITY 125 Pasture road, Moreton, Wirral UK CH46 4 TH Tel: 0151 606 1000 Fax: 0151 606 1122 Email: andyw@cqr.co.uk www.cqr.co.uk

BOSCH SECURITY SYSTEMS LTD PO Box 750, Uxbridge, Middlesex UB9 5ZJ Tel: 01895 878088 Fax: 01895 878089 E-mail: uk.securitysystems@bosch.com Web: www.boschsecurity.co.uk

SECURITY EQUIPMENT INTRUDER ALARMS – DUAL SIGNALLING

CSL DUALCOM LTD Salamander Quay West, Park Lane Harefield , Middlesex UB9 6NZ T: +44 (0)1895 474 474 F: +44 (0)1895 474 440 www.csldual.com

CASTLE Secure House, Braithwell Way, Hellaby, Rotherham, South Yorkshire, S66 8QY TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042 www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity www.twitter.com/castlesecurity

INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS

RISCO GROUP Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton, Manchester, M24 2SS Tel: 0161 655 5500 Fax: 0161 655 5501 Email: sales@riscogroup.co.uk Web: www.riscogroup.com/uk

SECURITY SYSTEMS

VICON INDUSTRIES LTD. Brunel Way, Fareham Hampshire, PO15 5TX United Kingdom www.vicon.com

ONLINE SECURITY SUPERMARKET

EBUYELECTRICAL.COM Lincoln House, Malcolm Street Derby DE23 8LT Tel: 0871 208 1187 www.ebuyelectrical.com




DETECT ATM SKIMMING AND CASH HARVESTING

IMPROVE BRANCH PERFORMANCE

SURVEILLANCE IS CRITICAL. But video can do so much more.

The need for high quality, highly reliable surveillance is a given. Get more for your investment with March Networks’ intelligent IP video-driven analytics and insight. With March Networks Searchlight™ for Banking you can:

- Reduce losses from fraud
- Improve branch performance
- Detect ATM skimming and cash harvesting
- Reduce investigation time and costs
- Increase customer satisfaction

Trusted by more than 450 leading financial institutions worldwide.

Find what you need at marchnetworks.com/solutions/financial

