Routine, detailed security tests vital for businesses

by Graeme Mickelberg
05/12/2008

The seventh anniversary of the terrorist attacks on the US has just passed, and in the years since 9/11 Australians have seen many changes in the way in which security is regarded, writes Graeme Mickelberg.

There is no doubt that the raised awareness of security by Australian Governments, many businesses and the broader community has delivered positive benefits. Much of the work done to improve security has been underpinned by international agreements covering a range of areas, including port security, by legislation enacted by the Commonwealth and some State Governments, and by security planning guidance provided to businesses by Governments and industry peak bodies.

The guidance provided has also emphasised benchmarking security against relevant Australian standards. The use of these benchmarks is evident in the evolving approach to the auditing of security. However, although such audits are valuable, they fall short as a detailed test of effectiveness.

Many Australian businesses, particularly larger businesses that depend on IT systems to sustain the continuity of their operations, have over a long period regularly tested the security of their IT systems by using external IT security consultants with specialist knowledge and experience. Although the rationale for such testing is well established, the same cannot be said for the testing of other areas of security within Australian businesses. However, the need to rigorously test all areas of security is well established in other countries, which have recognised the need to test physical security, security technology and personnel security. A case in point is the nuclear energy industry in the US, which has for some time employed specialist consultants to test its security measures against credible security threats.

A recent consultancy undertaken for a client with a diverse portfolio of infrastructure assets provides insight into an emerging approach being adopted by some Australian businesses to test security. The client, who conducts annual forensic accounting audits and tests of IT systems security (including attempts to penetrate IT systems), identified the need to test a broad range of security measures designed to protect people, property, reputation and the continuity of business operations. The consultant was asked to provide an approach to testing security that would stop short of an actual penetration of infrastructure sites but would provide detailed insight into security-related vulnerabilities and the measures that might be used to exploit them. The client required the consultant to take into account a range of security threats, including terrorism, sabotage, theft, vandalism, extortion, protest action by issue-motivated groups and harassment of employees. Awareness of the engagement of the security risk consultant was limited to the CEO.

The consultant commenced the task by collecting the key information needed to develop possible options, which might later be expanded into a plan of action with the objective of breaching security. This initial step involved researching a range of public domain sources, including websites, company annual reports, community billboards and industry magazines. The intent was to gain a broad insight into the client’s business.

Armed with the information obtained from initial research, the consultant secured employment as a casual worker with a cleaning contractor responsible for cleaning the client’s corporate headquarters offices. This gave the consultant easy access outside normal business hours. Considerable valuable information was collected from documents displayed on walls or notice-boards, or left on desks in offices. The documents included detailed floor plans, engineering plans and other security-related information.

Other information was collected by observing infrastructure sites and by reviewing the websites of building managers and other businesses operating within the same supply chain. Further useful information was obtained from the website of an issue-motivated group, as well as from some of its members at a public rally they had organised to recruit new members.

Information collected during the research phase permitted the consultant to confirm key security-related vulnerabilities, which in turn informed the development of options that might be used to produce a plan of action to threaten the security of people, property, reputation and the continuity of the business.

It was at this point that the consultant reported back to the CEO and provided insight into the outcomes of the consultant’s research and planning. The CEO then tasked the consultant with delivering two briefings. The first, to board members, examined issues of strategic relevance to the business arising from the identified vulnerabilities and their compliance-related implications, including directors’ duty of care. The second was directed at senior managers, with the objective of giving them insight into how and where key information was collected by the consultant, the vulnerabilities identified, and how the information collected could be used to put at risk the security of people, property, reputation and business continuity. This provided the foundation for a workshop facilitated by the consultant to engage the management team in identifying mitigation strategies.

The case study outlined reflects an approach to security designed to move beyond checking compliance, with the objective of giving business owners, operators and managers insight into the practical ways in which criminals, issue-motivated groups and other persons, including terrorists, can collect information and use it to develop plans that have the potential to put the safety of people and property at risk and to adversely affect corporate reputation and business continuity. Adopting this approach effectively requires well-defined objectives and shared trust between the CEO and the consultant. The other key requirement is access to consultants with specialist knowledge and experience, and with an understanding of business imperatives that permits them to consider potential security threats relative to their client’s business and to explain to managers how such threats may evolve.

First published in ASM, November-December 2008 edition.
