The overriding requirement for today’s businesses to be resilient continues to expand in terms of the concept. Our own personal resilience and behaviour brings added nuances to the debate about how effective a company might be when it comes to maintaining its long-term viability. In light of the increasing terrorist threat, Phillip Wood offers his considered views on this thought-provoking subject.
From my own perspective, being resilient involves the interaction between an organisation, its people, its business aims and objectives and the various disciplines and sub-disciplines related to risk, emergency preparedness, crisis, safety, continuity, disaster recovery and so on.
The requirement to be resilient continues to expand in concept. The study of personal resilience, human behaviours and character becomes something that brings additional nuances and colour to the overall discussion about how effective an organisation can be in terms of maintaining its viability in both the short and long-term, whether it’s subject to a dramatic event – criminal or non-malicious – or conducting its routine operations against a constant targeting by various adversaries attempting to breach its security or causing damage in some other way.
Within the ‘sector’, there are multiple levels and sources of advice, good practice, paradigms, examples, Case Studies and so on providing recommendations for improvement and the development of the ultimate secure and safe organisation. The signposts for resilience are so widespread, in fact, that they can confuse, but for those interested (and who wish to improve their resilience) there’s more than enough raw and developed material for them to be able to identify what’s required, assess the technical and professional skills and knowledge demanded of a company’s people and the technological and related solutions – either physical or logical security-related – that allow the host business to reduce access and, by extension, any impact upon its assets.
However, and there’s always ‘However’, one of the constant and most dynamic influences upon an organisation and its ability to protect itself – apart from the constant and evolving threats that it faces – will be the fact that its own people are the ones who make it permeable. The very truism that our people have specific needs and requirements (Maslow, anyone?) drives them towards behaving in a particular way.
The fact that we act, talk, think, interact and react and that we have aspirations and are greedy, selfish, ambitious or otherwise harbour any number of other human traits makes each of us different and each of us a source of potential risk to the organisation.
We need to be able to accommodate the development of both current and new human behaviours within our companies as they progress and develop when faced by a specific type of threat landscape.
Selfishness – and perhaps our self-centredness – can impart direct and impactful problems upon the organisation for which we work and the society within which we operate.
In essence, what we’re talking about here are holes. Large holes, small holes, yawning gaps and small indentations in the protective armour. We’re talking about holes that are developed from the inside every bit as much as we’re considering the penetration of our organisation from the outside.
In most cases, those who create these holes are probably our own people. They’re not malicious. They have no intention of causing any harm to anyone. They certainly wouldn’t consider themselves to be adversaries of the organisation or the type of people whom we would label as being difficult or even criminal.
That said, the fact of the matter is that every organisation has its fair share of those who would make holes (or who would even show others where the holes may be). Alternatively, they might show or otherwise indicate where the holes may effectively be made. Due to that point, we should consider them to be just as serious an issue as any determined adversary.
Cyber and IT security
It’s probably simplest to illustrate the issues around the permeability and porosity of a business by considering cyber and IT security.
Since we’re all connected, and because we rely so much upon our connected devices, it’s difficult to impose a significant degree of control and management upon our behaviours. Organisations do their best. Those who are focused towards effective IT security processes and protocols consider carefully – and implement in detail – the necessary security measures designed to limit the holes that can potentially occur.
There are some really simple and straightforward indicators that our behaviours can cause problems. By way of example, SplashData has produced a list of the most common passwords used for computers in 2015. If you look through that list you’ll see the Top Three passwords. They are as follows: 123456, qwerty and 12345678.
You may well look at this and say to yourself: “That’s not what I do.” However, those who make the holes in the organisation are not the people who think like you do. The people who make the holes are those focused on other things rather than the security and risk management of the business. Those who cause the problems are those who are either disinterested or simply don’t understand the importance of the integrity of your ‘perimeter’.
Partially, it’s the fault of the organisation for being unclear and imprecise about the need to be stringent in maintaining organisational security. It’s probably also partially the fault of the individual concerned that they simply cannot be bothered to put in place anything more than a very simple security process designed to protect sensitive information.
Maybe they don’t understand the importance of maintaining the confidentiality of information. Perhaps they feel that everyone with whom they undertake transactions and interact on a daily basis is a nice person who wouldn’t consider any form of dishonest or malicious act. Of course they’re silly to adopt such an attitude, but believe me it happens.
Moving away from the obvious shortcomings of the inability to understand the real impacts of virtual errors, we can apply similar considerations to wider behaviours.
Tailgating through access control points. Failing to challenge individuals whom we see entering or wandering around our relatively open sites. Propping open fire doors. Leaving access points insecure… These are but some classic examples. If we can accept that there are inherent problems and issues with those people who ultimately create the holes in our system, what might we do about it?
First, we can think about plugging the holes. We could put in place both virtually and physically significant barriers to accessing our property and assets. However, this can be a problem (as anyone who has tried to do so will readily attest). People need to move and, in a connected world such as ours, they require to be able to move quickly and respond rapidly to the stated requirements of others.
In this day and age, any delay of anything more than a few seconds tends to be met with impatience and a certain degree of resentment.
Unless we have a stronger and embedded culture of accepting these delays and obstacles, the development of unbalanced security processes can cause more problems than they’re worth. We need to think carefully about what holes we can plug and to what extent, all the while considering those issues related to imposing inconveniences and delays upon the actions of given individuals.
If we do attempt to put in place barriers that are too restrictive, it’s probably a safe bet that our people will find other ways around them. In that case, our preventative measures could make things worse. If we’re thinking about human behaviours, we need to think about how we can influence them by developing a culture that allows us to manage those behaviours in such a way that suits the organisation.
We need access control, but we need to ensure that access for those who require it may be managed as smoothly as possible.
We must explain to our people that the effects of their simple – and perhaps momentary – oversights can be devastating for the organisation. Once the adversary has gained access to assets, their removal can be both rapid and devastating for the business.
Perhaps we also need to consider making sure our people understand that they need to be more vigilant and also report rather than ignore any problems or issues they may detect around the potential for adversaries to gain access to the organisation and threaten both people and property.
It sounds really simple, doesn’t it? The reality of the situation, of course, is that people don’t like change and, to be perfectly honest, they really don’t care for inconvenience.
The challenge for security professionals is to keep people contented and comfortable while rendering the organisation more impermeable.
It’s easier said than done – or trained.
Phillip Wood MBE MSc is Head of the School for Management and Professional Studies and Head of Department for Security and Resilience at Buckinghamshire New University