Managing chaos risk during evacuations
Publicly available information informs us that around a third of all of the London Fire Brigade’s calls are to a false alarm. In 2012/13 the Brigade attended over 39,000 calls to a false alarm with 26 sites calling the Brigade out over 50 times.
Jim Swift asks – can you be sure that your evacuation is one-way traffic?
It’s 10am on Friday. The fire alarm rings, you scan your work area with that ‘here we go again’ look, pick up your jacket and evacuate to the muster point. You give your name to the fire marshal and then head off with two of your friends for a coffee and a catch-up. But whilst you are away from your desk and everyone else is away from theirs, what is going on inside? Who actually knows? Are your security guards checking the offices, toilets and other public areas for a confirmed fire and fire casualties? Are they remotely monitoring the CCTV to ensure that the fire exits are carrying only one-way traffic? Or has an anonymous person gained access to the network through a computer left logged in?
What is going on outside? Most people are used to the sight of groups of office workers standing outside the train station, or in the entrance to a park, and most would recognise this as being a fire muster. That anonymous passer-by knows what is going on; it happens every few months. He knows this because he has seen this before, two or even three times. He knows where the fire exits are, how they are released, how they are monitored and how he can get in. He knows that one of the cameras stopped working two weeks ago and is still in the maintenance queue. He knows this because he caused it to fail. He is the attacker: he could be from another company trying to steal your intelligence, he could be part of a criminal network looking to extort a ransom from you in return for the release of your critical information, or he could be a lone operator looking to sell your information on the internet’s dark markets. Whoever he is, he recognises what is going on because he could predict it, he could plan for it, and now he can exploit it.
In many attack situations, especially those involving chaos, time is of the essence. The more quickly you identify a malicious act, the faster your recovery and the better your chances of defeating the attack. But do you have a policy and strategy in place to manage chaos situations from a security risk point of view? Do you review CCTV footage covering all entrances, exits and critical access areas during the chaos situation? Does your IT department check your system to ensure that no one accessed the network or a networked machine during the evacuation period? Do you review all workspaces to ensure that nothing has been removed? Do you ensure that every manager checks that all staff have their access control devices with them immediately after such an event? Does your access control system return to normal operation despite the high footfall and the likelihood of long queues and lost work time?
These are minor inconveniences but, because they are inconveniences, an attacker can anticipate that they will not be undertaken each and every time. This affords them a window of opportunity to complete their attack, which could have a devastating effect on your business. Many organisations spend large sums of money on their IT security, but the human factor is the vulnerability preferred by ‘cyber’ attackers. Be it baiting, phishing or social engineering, humans, by our nature, are keen to trust, reluctant to cause offence and, unfortunately, reluctant to do things we consider an unnecessary inconvenience. Similarly, organisations that handle sensitive or commercial documents risk those documents being taken or copied each and every time they evacuate their building, because putting them away, whether at the end of the day or when we pop out for a coffee or lunch, is seen as an inconvenience.
Risk is inherent in everything that we do; however, managing that risk is about mitigation: mitigation through physical security measures, integrated systems, and effective policy implemented through robust strategies and audits.
Full spectrum penetration testing, system event analysis, performance monitoring and regular reviews of your security systems and risk assessments will all help to reduce the risk of you becoming a victim of an attack; however, staff training and engagement are also an essential, but often overlooked, tool in your armoury.
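The post-evacuation checks asked about above (inbound use of fire exits, activity on networked machines while staff were at the muster point, and workstations left logged in when the alarm sounded) can be run as one review of the alarm window. The following is an added example, not part of the original article; the log layout, door names, hostnames and users are constructed assumptions, and events are assumed to be in chronological order.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data; the field layout is an assumption, not a vendor format.
DOOR_LOG = """\
2014-07-04 09:58:10,main-entrance,in,B1001
2014-07-04 10:01:30,fire-exit-2,out,-
2014-07-04 10:02:05,fire-exit-2,out,-
2014-07-04 10:06:40,fire-exit-2,in,-
2014-07-04 10:21:15,main-entrance,in,B1001
"""
AUTH_LOG = """\
2014-07-04 08:45:00,ws-014,asmith,logon
2014-07-04 08:50:00,ws-022,bjones,logon
2014-07-04 09:59:50,ws-022,bjones,lock
2014-07-04 10:09:12,ws-014,asmith,file-share-access
2014-07-04 10:22:00,ws-022,bjones,unlock
"""

def parse(log):
    """Split 'timestamp,field,field,field' lines into tuples with a datetime first."""
    rows = []
    for line in log.strip().splitlines():
        ts, *rest = line.split(",")
        rows.append((datetime.strptime(ts, FMT), *rest))
    return rows

def review_evacuation(start, end, door_log, auth_log):
    """Return findings for the alarm window [start, end] (inclusive)."""
    start, end = (datetime.strptime(t, FMT) for t in (start, end))
    findings = []
    # 1. Exits should carry one-way traffic: any inbound event in the window is suspect.
    for ts, door, direction, _badge in parse(door_log):
        if start <= ts <= end and direction == "in":
            findings.append(("inbound-door", door, ts.strftime(FMT)))
    # 2. Track sessions still open when the alarm sounded, and flag any
    #    workstation activity recorded while staff were outside.
    open_sessions = {}
    for ts, host, user, event in parse(auth_log):
        if ts < start:
            if event in ("logon", "unlock"):
                open_sessions[host] = user
            elif event in ("lock", "logoff"):
                open_sessions.pop(host, None)
        elif ts <= end:
            findings.append(("activity-in-window", host, ts.strftime(FMT)))
    # 3. Workstations left logged in are the easiest route onto the network.
    for host, user in sorted(open_sessions.items()):
        findings.append(("left-unlocked", host, user))
    return findings
```

Each finding is a starting point for review against CCTV and the muster roll, not proof of an attack.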
Many companies have in-house teams capable of developing risk mitigation strategies, test programs and training regimes; however, the value of third-party review and testing should not be underestimated. Fire drills are not always taken seriously by employees or managers, and are seen as an unnecessary interruption to business. The standard Fire Warden/Marshal training in the UK is fairly uninspired, often generic and without context. Joint fire and security awareness training, delivered by leading fire professionals and by security professionals who undertake penetration testing and exploitation, can help to contextualise the importance of personal responsibility for security and safety during evacuation situations. Training in the identification of possible hostile reconnaissance can help to inform dynamic risk assessments during chaos events. Full spectrum penetration testing can identify areas for development through sanctioned activity against your organisation’s security systems.
Organisations such as the Centre for the Protection of the National Infrastructure (www.cpni.gov.uk), the National Counter Terrorism Security Office (www.nactso.gov.uk) and the Security Service (www.mi5.gov.uk) all provide information and guidance concerning many areas of security and risk to allow organisations to effectively manage their risk mitigation strategies; however, if you need objective advice concerning any of the areas raised, or any additional security concerns, an independent security consultant will be able to help.
Jim Swift LLB (Hons) MSyI, BB7 Security, Risk and Resilience
Published July 2014