The recent terrorist attacks that have occurred in countries throughout the world have received extensive international media coverage with reporters, eyewitnesses, subject matter experts and well-known news anchors commenting on each event. We often hear the same new age terror terminology used by those who report and comment in the aftermath of each attack.

One term that is frequently used to describe the location of an attack is ‘soft target’. This expression has a particular connotation for the uneducated listener, who may not have been exposed to terrorist-specific vernacular and most likely thinks that ‘soft’ means structurally soft. This is obviously inaccurate; the term ‘soft’ refers to easily accessible. To understand an attacker’s target selection, we have to understand the various phases of an attack. Most people think that the planning phase of an attack is less involved and relevant than the fast and furious execution phase. This is not the case, if it were, far fewer attacks would be successful.

There are some potential options identified before the selection of the actual target is chosen.  The objective is to select a target that will produce the greatest results with the least amount of risk. The highest profiled location or site that has the weakest security measures is ideal in hopes of sending a message to the world for public support, to alter the future actions of a country’s government or leader, or simply to discredit a government’s ability to protect its citizens. All terrorist attacks have included some form of target intelligence before the attack; even the mentally deranged, lone attacker needs to plan. The only time terrorists might reveal their intention prior to an attack is when they are conducting surveillance.

There are illegitimate avenues in obtaining target intelligence, such as the use of an unknown informant. This is mostly applicable for attacks on high profile individuals. However, most target intelligence information gathered by a terrorist or terrorist group is acquired through numerous legitimate resources available to anyone including the Internet, television, radio, newspapers, phone apps, libraries, open source government directories, etc. With the advent of social media, unsuspecting victims often post droves of information valuable to terrorists. Most terrorist groups operate in small, unsophisticated teams when gathering target intelligence; however, ISIS and Al Qaeda have demonstrated exceptional planning and execution of terrorist operations. These more sophisticated groups continually update intelligence reports on target locations such as airports, government buildings, theaters, etc., for the purpose of assessing a location’s vulnerability. The terrorists will then simply update their information, prior to a planned attack. Some groups use personal computers to store their information but do so very carefully, since they are aware of invasive electronic surveillance capabilities of law enforcement and intelligence agencies.

Once sufficient information has been gathered, the process moves on to the operational planning phase. With the more sophisticated terrorist groups, it has been found that some perform rehearsals or dry runs. For example, terrorist groups test security strengths to predetermine their chances of success. During the operational planning phase, the group’s top priority is to assess its tactical advantage points.

Terrorists look for the following elements before every attack and require a sufficient probable number to complete their plan successfully:

• Surprise – a sudden, violent event in an area where no one suspected anything to happen
• High ground (topography) – Good vantage points overlooking the targeted area without being seen or using a crowd situation to avoid being suspected or detected by the target audience or security personnel
• Field of fire – The group or individual needs to be able to reach its target successfully with the assault device it is using
• Field of vision – Decent area coverage to discern anything or anyone that could impede the success of the attack
• Choice of time, place, and conditions – only the terrorist knows when, where and how the attack will unfold, otherwise there will be little chance of success
• Diversions, secondary or follow-up attack – this happens during the larger scale, multi-prong attacks
• Training capability – technical knowledge of sophisticated explosive devices or weaponry
• Sufficient logistics – money, vehicles, fake IDs, disguises, etc.
• Proper planning capability – e.g. a kidnapping involves hundreds of details, such as; a safe haven, food, and water, 24-hour manpower coverage of the kidnapped individual, an escape route, etc.
• Ability to be at the attack site prior to attack – without arousing suspicion (minimum on site time required is 20 minutes)
• Escape route and plan – not all attackers intend to die themselves; they would rather escape to fight another day

In light of these extensive methods used by terrorists, we have to ask ourselves, what can be done to mitigate terrorist threats, and how do our governments deal with this? There are many distinct, sophisticated methods involving technology that we may never know about, if for no other reason than to safeguard the necessary secrecy protecting official networks and agents from being discovered by our adversaries.

International news media and governments are increasingly encouraging the public to report anything suspicious. This is a very tough task since every individual has a different concept of what is suspicious. Without any common denominators and discriminators, people tend to be misled by their preferences, preconceived notions and end up reporting something innocuous while missing the actual threat indicators.

In today’s world, internet based radicalization of young people puts terrorism and attack planning far closer to private citizens and families than ever before. The parents of the attackers have stated that they felt their sons had been taken away from them by some poisonous influence.

Here are some physical indicators of suspicious activities:

• Terrorists often resort to video or camera usage at non-tourist sites such as security operations or locations
• Asking unusual questions about security procedures
• Taking notes, drawing, using cellular phone, or tape recording
• Pacing off distances (using GPS)
• Vehicles parked for prolonged periods with passengers for no apparent reason
• Unusual encampments
• Ruses (static surveillance, disguised as beggar, demo, shoe shiner, food vendor)
• Deliberate penetration attempts
• Foot surveillance with 2-3 people working together
• Mobile surveillance on bikes, scooters, motorcycles, SUVs, cars, trucks or boats
• Unusual behavior (quickly looking away, etc.)
• Observing timing (bollards, gates, motorcades, security procedures)
• Climbing perimeter fencing (boundary probing)
• Watching the same individual or vehicle

Suicide bomber key indicators:

• Loose/bulky clothing inconsistent with weather/disproportionate to body type
• Bulges/exposed wires under clothing
• Strange ‘chemical’ odors
• Sweating, mumbling (prayers), sometimes loud yelling at the very moment of the attack
• Unusually calm and detached behavior
• Nervous – unresponsive (blank stare/trance-like) or preoccupied/focused/vigilant
• Tightened hands (may hold detonation device)
• Constantly moving/inability to stay still
• Luggage or gym bag weighing more than it should
• Hands in pockets of trousers/refuse to show hands
• Stiff torso/lack of mobility from wearing explosive vest
• Has concealed communication device, cell or pager

The list goes on and unfortunately, there are never-ending changes in the tactics, techniques, and procedures of the terrorists. As individuals, private citizens and organizations we have to consider ourselves the ‘eyes and ears’ of our National Defense Agencies.

In conclusion, the term ‘soft target’ has a very broad and all-encompassing meaning. Being susceptible to radicalization makes one a ‘soft’ target. Not realizing that our children are being radicalized makes us ‘soft’ as a society. Insufficient information and intelligence on potential terrorists and inadequate security at potential targets make us ‘soft’ (susceptible) to growing terrorism. Unfortunately, there is no single answer to the many questions regarding our safety and security. It will be up to all of us to do everything possible to mitigate the various forms of threat. Education is key; awareness needs to be constant, and preparedness must no longer be interpreted as paranoia.

Click images for full story.

Security guard services are some of the most challenging services in the industry.

Despite playing a more prominent role in the wake of 9/11, the security guard industry remains plagued by inadequate training and standards in many states, according to new research by Michigan State University criminologists.

Formal training for the nation’s 1 million-plus private security officers is widely neglected, a surprising finding when contrasted with other private occupations such as paramedics, childcare workers, and even cosmetologists.

By and large, security guards say they’re unprepared to handle problematic people and physical altercations and to protect themselves. They strongly endorse the need for systematic and standardized training in the $7 billion-a-year industry.

It’s reasonable to conclude that private security continues to be an under-regulated industry despite the increase in the roles private security guards play in people’s lives and the fact that they greatly outnumber sworn police officers in America. The number of unarmed security guards has roughly doubled since 1980, to approximately 1.1 million, compared to 833,000 police officers. The threat of terrorism after the 9/11 attacks raised awareness of the role security guards could play in intelligence sharing with law enforcement.

Given security guards’ increased role, the question has to be raised whether states have kept up by strengthening minimum standards and requirements.

The scope of work for security guards has certainly broadened in recent years. Companies rely on their personnel for more than just ‘observe & report’ duties. Guards are often the first responders to situations involving workplace violence, active shooter events, and high-risk terminations. These areas were previously not as much of a concern, the nationwide increase in events has made them more of a priority in the last five to seven years.

Specific job descriptions including duties and responsibilities often lack pre-employment packages for guard force personnel. This may eventually lead to discrepancies when conducting performance evaluations, since the basis for these evaluations was never properly formulated. In turn, this means that quality assurance will be more of a challenge.

A study, published in Security Journal, found no dramatic increase in the stringency of industry regulations since 1982. In fact, many states still lack any training standards – meaning security guards must learn on the job if their company doesn’t provide training – while some states do not require any minimum education or even a criminal background check for guards.

A second study, also in Security Journal, drew on in-depth interviews with security officers. While some guards were able to improvise based on previous experience as police officers, many others believed the lack of training was a hindrance to performing their tasks effectively.

Companies tend to shy away from formalized training programs because of the associated costs. The much needed cost – benefit analysis is frequently discarded as inconvenient since it would reveal some very disquieting truths about capabilities and quality of services.

Private security is a relatively low-paying industry with high turnover, which can make it difficult to recruit qualified guards, especially for small security companies. Many other regions around the world, including Australia and Europe, have stricter standards and accountability for their private security industry.

——————————————————————————————————–

Source: Mahesh Nalla, MSU professor of criminal justice & Jennifer Cobbina, assistant professor, MSU criminology program.

Risk management is an important process for any organization. The effectiveness of your risk management program will set the pace of your success if done right. Most entrepreneurs think that a successful startup requires three things, namely: good staff, good product, and the least possible CapEx expenditure. However, even with all the right elements, we often see startups fail.

During the initial phase of starting a business, the perceived cost of time-consuming tasks such as examining risk and potential problems often takes a back seat, especially when there is an early success. “We’ll cross that bridge when we get to it” is a common approach. Risks remain a secondary issue. Eventually, a potential risk may occur and without a clear mitigation strategy, a company will pay the price. This may appear as lost resources, a blown schedule, or a CapEx overrun. In certain scenarios, a company may need to register with a regulatory authority, which can require regular or scheduled audits or the implementation of certain risk management framework. When a startup does not follow these requirements, there is a chance of trouble. For example, if the startup wants to be ISO 27001 certified (an ISO standard for information security management), a risk management evaluation is a prerequisite. Other areas, such as security assessments (PSAs) are often perceived as costly and inconvenient because they require personal information considered intrusive by most people. To ignore the possible risks can lead to startup failures.

Risk management is the identification, assessment and mitigation of risks that can have any adverse effects on business. It encompasses various forms of risk – physical risk (physical security), information technology risk (IT security), proprietary risk (industrial espionage) and travel risk (journey management), amongst other things. The goals of risk management are to prepare the business for all known or unknown factors that can hinder its success. A business impact analysis (BIA), although not necessary, can help clarify the associated risk impact, recovery time and the estimated actual revenue loss.

Initial designs of a risk matrix are helpful to determine the best course of action by considering the pros and cons of each idea or concept. During this process, associated costs can be identified so budget considerations can be discussed at the earliest possible stage. A well-developed set of risk practices and strategies are fundamental to the long-term survival of any startup.

Many entrepreneurs use instinct (intuitive analysis) in their decision process to manage risks. However, for truly effective risk management, you must look beyond experience and simple reasoning in making decisions that involve considerable risk. New types of risks keep appearing every day, especially for startup companies since they focus mostly on new technology. Working with new technology means there are going to be risks that no one had faced before.

There are many established standards of risk management frameworks. You can start by creating the context and then moving onto identifying, analyzing, and evaluating the risks, then finally looking at the risk treatment process.

Benefits of Risk Management

• Encourages a proactive approach to managing risks
• Reduces revenue leakages
• Improves the identification and understanding of threats and opportunities
• Increases the likelihood of achieving goals
• Ensures relevant regulatory and safety requirements
• Developes stakeholder confidence and trust
• Provides support for decision making and planning
• Improves overall control of business and governance
• Allows for effective allocation of resources for risk mitigation activities and processes
• Improves operational efficiency and effectiveness
• Promotes loss prevention and incident management
• Supports and enhances a company’s education and maturity
• Reduces business vulnerability
• Ensures business continuity

Effective Risk Management should;

• be an integral part of business processes
• always be part of the decision-making process
• explicitly address uncertainty and assumptions
• be structured and timely
• be based on the best available information
• take technology, human and cultural factors into account
• be clear and comprehensive
• be forceful, iterative and responsive
• facilitates continual improvement in the startup
• be continually re-assessed

Reference Source:   “Risk Managers” A LinkedIn Group (March 22, 2016)

Last month’s discussion focused on providing security services in a foreign environment. Let’s go one step further into the specific considerations and challenges of providing consultancy and training in a foreign country. Global companies expect a high level of productivity based on expanded capabilities of service companies, who in turn structure their programs according to the concerns of their clients and the desired end state – safe and secure environments conducive to best business practices and continuity.

Some of the typical buzz words/acronyms are “FCPA”, “FATCA”, “Voluntary Principles of Human Rights”, “QAQC” and “EHS”. It has become the norm for security concepts to encompass these areas, or even base their methodology on these focal points in order to be synchronized with clients’ corporate philosophies and strategies. The initial footprint in a foreign country, usually supported by contracted security professionals, is the most challenging phase of a project with inherent disconnects from US based corporate offices. Detailed reports and analysis of local vendors and service providers may be necessary to ensure sound business practices to HR and compliance departments.

In the United States and most western countries, established rules and regulations govern security operations. Private organizations, such as ASIS, work closely with government agencies to generate industry standards that synchronize various commercial requirements with government standards and the rule of law. This approach is often not prevalent in other parts of the world. Security companies exist at the leisure of each country’s government, operating licenses are issued based on special relations of individuals or families with the Presidency, which could remain unchanged for three or more decades. Foreign companies may be required to enter into joint ventures, partnerships and service agreements with local companies in order to conduct business. The choices of these local companies may be limited, to include security service providers.

Let’s look at an example, without specific names and locations. The security consultant is tasked with managing local national personnel sourced via a company owned by the President’s brother, who has the monopoly on all security contracts and can veto security programs and protocols applied by the US Company. This alone represents a myriad of FCPA concerns, along with “Voluntary Principles of Human Rights” challenges all of which have to be addressed appropriately while obtaining approval from the local government prior to implementing security programs.

Personnel selection, staffing structures, operational programs and in service training will have to be planned and executed with an important consideration in mind – everything will be directly relayed to the country’s government, who has eyes and ears throughout the work force and can directly intervene at their leisure, including removal of foreign personnel without given reason or explanation. It is be very difficult to build any mutual trust equity in such an environment. Most western companies perceive local customs and norms as nepotism and corruption. The client expectation of the security consultant is to ‘deconflict’ these concerns and build a sound security structure by educating the local national staff without inadvertently stepping into a political minefield and jeopardizing business continuity.

Training programs include effective communications, duties and responsibilities, access and perimeter security protocols, post orders and chain of command. These programs have to be carefully crafted in order not be perceived as para military in nature. This concern comes from previous coup attempts on the local government, who has an inherent paranoia of all things military outside of their immediate control. Doing all this in a foreign language, such as Spanish or French, can make this all the more complicated and challenging for the security consultant.

The US based company mandates periodic FCPA seminars of their entire staff. This sensitive subject matter falls under the purview of the security consultant and may have to be conducted in the target language. The Q&A portion of the training session may prove to be the most challenging part, this is where cultural differences surface and local nationals may take offense to the seemingly rigid and inconsiderate western guidelines. A simple pragmatic approach may not suffice to convince local staff of the importance and actual benefits of western business philosophy.

Western companies are unwilling to compromise their standards and insist on the application of their guidelines to the letter. They will look to their in country security team for compliance, requiring documentation of attendance and often individual signatures of all participants.

So, working in these challenging environments equates operating constantly between a ‘rock and a hard place’. Conduct detailed country studies, network with others who have previously been there and step lightly when starting your project – the rewards can be great for those who can handle the political and cultural hurdles.

The globalization of companies has resulted in a myriad of challenges associated with conducting business in foreign countries. The primary areas of concern are often security, safety and business continuity, especially during crisis situations. International security service providers have to consider some key critical components when dealing with local nationals, who often comprise the majority of the clients’ workforce.

Especially during project startup, the challenges are often cultural centric. Language, customs and courtesies, social infrastructure and rule of law will invariably impact the concepts, methods and programs implemented by the company. For example, a US based service provider to a US based company operating in a foreign country has to be acutely aware of these areas of concern and balance client business needs with local requirements, often legal in nature and sometimes difficult to deconflict with client expectations.

Organization of personnel and resources and managing daily security operations in support of the client generally sets the pace of daily activities. Ensuring security for personnel during transit and on station (travel risk management) as well as asset protection constitute the main focus of security efforts. Duty of care for all personnel is the mantra; this applies unilaterally and touches on all aspects of the operation. In essence, if the environment isn’t safe, if the operation is not secure, there is no successful risk mitigation; a re-evaluation of existing methodology will be necessary.

When personnel are locally sourced, working in concert with the human resource department mandates a good understanding of specific cultural concerns. In some African and Middle-Eastern countries, tribal hierarchy often supersedes any modern work force structure. Inadvertently upsetting the tribal hierarchy can jeopardize security and thus directly impact operations. These finite sensitivities have to be managed and conveyed to the client, who may not be aware of the importance and potential impact of a ‘cultural slip’, a possible undercurrent to an apparently well-functioning workforce.

Have you done your research regarding the cultural specifics of your environment? Does your client have prior exposure to such environments? Should you be the sounding board on these issues to your client or could unsolicited input become counterproductive? Are you able to foster a relation of trust with your local staff based on cultural connectivity rather than company hierarchy?

One of the most important areas of risk mitigation is human intelligence, especially in countries where technology is limited, often by government mandate. Trust equity is hard to build, but is an important part of the security foundation. It pays off to closely monitor atmospherics, often obtained in conversation rather than from official sources.  All these are complex issues that make for a very challenging work environment. All this is amplified during crisis situations, where time is of the essence and local staff members may play a critical role.

Many international companies dedicate more time and effort to corporate social responsibility programs. The security support for these programs can be a golden opportunity to connect culturally and help establish good social relations, while putting security concerns into perspective for the client. Preparation for these challenges is best done by sound planning, establishing procedures and protocols, which are applied in foreign environments – or is it?

There is no unilateral answer any more than there is a global security program equally applicable in all locations. A good understanding of the need to curtail concepts and programs for each new location and client will hopefully prevent the ‘square peg for the round hole’ approach. It can prove extremely difficult to become the conduit between international management and local staff, not only regarding security matters. Cultural flexibility and adaptability is an acquired skill, honed by years of experience and often difficult to quantify or qualify.

Clients want to ‘get it done’; so figure out how to get there. If this means spending countless hours with locals drinking tea and talking about family matters before ever getting to the real topics, then so be it. Overarching security programs managed by the head office in the US may not consider these hard to discern difficulties. That poses yet another challenge of effectively communicating something that is hard to quantify and qualify.

A company offering global services, be it security, crisis management, travel risk management or any other service executed in a foreign country should provide holistic approaches based on extensive research and detailed analysis.  Additionally, the KSA (Knowledge Skill Abilities) of staff members sent abroad will set the stage for success in foreign countries, where many have stumbled because of being ill prepared.