What were the main subjects that security professionals discussed in 2015, and will they continue to have a bearing on security and risk management as we begin the New Year? Peter Webster focuses on cyber security, terrorism, the political agenda and the topic of security contracts.
Security, in all of its myriad forms, has never enjoyed such a high profile as it does at the moment. We live in dangerous times, and rarely does a day go by without a reference to the subject and the ways in which people, property and assets alike must be better protected from a growing range of physical and technology-based threats.
All of which necessarily means that the discipline of security management – and, indeed, the wider security sector – has been placed under intense scrutiny during 2015. In my view, this is a trend that’s certainly set to continue over the forthcoming 12 months.
One thing we all know is that where there’s technology, there’s data – and that makes it attractive to cyber criminals. Our desire to quickly adopt new technologies brings unanticipated risks and inadvertent consequences that can have negative impacts.
Last year, the news headlines were dominated by stories of cyber threats and major data breaches arising from hacker groups, criminal organisations and espionage units. We’re regularly reminded that these criminals, activists and terrorists have access to powerful and evolving capabilities that provide them with the ability to make money, grab attention and disrupt our daily lives.
Sustained attack on TalkTalk
That last point was exemplified in October when news emerged of a significant and sustained attack on TalkTalk, one of the UK’s largest telecommunications companies. While the investigation is ongoing, it’s reported that nearly 157,000 of its customers’ personal details were accessed and somewhere in excess of 15,600 bank account numbers and sort code details stolen.
TalkTalk was by no means alone, though. In 2015, organisations as diverse as Ashley Madison, Fiat Chrysler, Edinburgh Council and Bitdefender were all compromised in some way. There’s little doubt that other companies will be affected in a similar manner this year.
That’s particularly concerning from a commercial point of view, as outlined in a recent study conducted by Gemalto. The organisation’s detailed survey of 5,750 consumers in the UK, Australia, France, Germany, Japan, Brazil and the US found that almost two-thirds (64%) of respondents are unlikely to do business with a company that has experienced a data breach where financial information has been stolen.
It follows that companies and consumers must do more to protect their data and treat security strategies as a ‘work in progress’ rather than ‘fit and forget’ solutions.
Growth of terrorism
Paris witnessed two events that shocked the free world. No sooner had 2015 begun than two Islamic terrorists forced their way into the offices of the French satirical weekly newspaper, Charlie Hebdo, before killing 11 people and injuring 11 others in the building.
Then, on Friday 13 November, over 130 citizens (among them 90 individuals attending a concert by American rock group Eagles of Death Metal at The Bataclan Theatre) were killed in co-ordinated attacks. The so-called Islamic State (IS) claimed responsibility. The fact that all of the known Paris attackers were EU citizens who had crossed national borders without difficulty has highlighted the dangers posed by home-grown terrorism.
The problem is very real and growing. Officials at the UK’s Foreign and Commonwealth Office report that around 700 individuals have now left our shores to fight for IS in Syria and Iraq. Putting that figure into perspective, this means that more than three times as many British Muslims have travelled to Syria to fight for extremists as are currently serving in our Armed Forces. Just as worryingly, some of them are returning to the UK, desensitised to extreme violence and still fighting for a radical Islamic ideal.
We know all too well the devastating impact that having such individuals walking freely among us can have, as the 7/7 suicide bombings and the murder of Lee Rigby in London amply demonstrated. That danger is never far away.
In recent days, it has also transpired that the Paris terror leader, Abdelhamid Abaaoud, had photos of Birmingham on his smart phone and was in direct contact with Moroccans living in the Alum Rock and Bordesley Green neighbourhoods of the inner city.
For organisations of all sizes, combating this threat relies upon vigilant and professional security. Moreover, it’s incumbent upon us all to recognise the threat, take it seriously and do everything possible to minimise the danger.
In truth, this can only be achieved by looking at the ‘bigger picture’ in terms of identifying the reasons that a particular organisation could be a target, where a threat might originate from and what to do about it. Knowledge, information and intelligence must guide and shape our ongoing approach, particularly in terms of risk and threat assessments and determining security policy and strategy.
Need to know basis
The 2015 General Election made for fascinating viewing. It came as no surprise that one of the first announcements made in its wake by Home Secretary Theresa May was the return of the so-called ‘Snooper’s Charter’ or, to give it its correct legislative title, the Investigatory Powers Bill (‘Powers of Investigation’, Risk UK, December 2015, pp24-25).
Back in 2013, the Liberal Democrats defeated the original Bill in Parliament while still part of the coalition Government. Theresa May has stated that the new Investigatory Powers Bill will not contain some of the ‘contentious’ parts of the original draft, but will still allow the police and the Security and Intelligence Services to access communications data. It has also been suggested that there will be no restriction or ban placed on encryption as some critics had feared.
As well as enabling the tracking of Internet and social media use, the Investigatory Powers Bill would also strengthen the Security and Intelligence Services’ warranted powers for the bulk interception of data, while requiring communication firms to retain website addresses for a year. It’s suggested that such data would consist of a basic domain address, but not a full browsing history of pages within that site or the search terms entered.
Although the proposals have not proven popular with civil liberties groups, those in favour suggest members of the public have nothing to worry about and should not be concerned over this legislation as we need to do everything possible to prevent terrorist attacks. This is a subject that’s bound to remain at the forefront of political and social debate.
Central Government contracts
For small to medium-sized (SME) security services providers, the way in which central Government contracts are allocated, awarded and serviced continues to raise eyebrows.
Last year, when Matthew Hancock (Minister for the Cabinet Office) announced an ambitious new target of realising more SMEs working on central Government contracts, hopes were dashed every bit as swiftly as they were raised. This is because the Government defines a company as an SME if it meets two out of three criteria: it has a turnover of less than £25 million, fewer than 250 employees and/or gross assets of less than £12.5 million.
Within the security sector there are a significant number of businesses with well over 250 employees. For many organisations in our industry and others that are similarly labour intensive, this announcement could actually make a bad situation far worse.
The industry’s larger companies will continue to win the bigger contracts while firms in the middle with, for example, 2,000 employees and the specialist resources available will miss out at both ends of the spectrum. These ‘bigger than SME’-sized operations combine the ability to carry out large-scale assignments with the kind of attention to detail that smaller organisations often display. This makes them able to hit a ‘sweet spot’ by offering the size to handle demanding contracts while still being flexible and responsive.
Until such time as a more inclusive and wide-ranging procurement policy is put in place, history may repeat itself. As I’ve stated previously in Security’s VERTEX Voice, it’s now time to redefine what constitutes an SME as far as the security sector’s concerned.
Lastly, one present that soared towards the top of the bestseller charts at Christmas was drones. With more of them in the sky than ever, the problem of these devices being used where they shouldn’t be – either through accident or by design – will be a subject for much animated discussion during the coming months.
Peter Webster is CEO of Corps Security