Minimising the Threat

15 July 2007

The threat of malicious attack on organisations is ever present and a lack of adequate security measures,
particularly in the mailroom, can leave your organisation open to financial and reputation loss, and your staff at risk of injury. Geoff Haw and Leagh Ganpatsingh explain

IN NOVEMBER 2006, Dame Eliza Manningham-Buller (former Director General of the Security Service)stated that the threat of terrorism in the UK is both 'serious' and 'growing'. As if to make her point, a series of letter bomb attacks the following February hit businesses across the country, including the head office of Capita in London and accountancy firm, Vantis, in Wokingham.

Incidents such as these can have both a short and long term impact on business functionality and could be made more severe by a lack of risk management. Neglecting to implement health and safety legislation or failure of duty of care to staff could result in court proceedings and costly fines, whilst a lack of adequate planning for business continuity could have financial implications and result in loss of reputation with clients and insurers.

Government advice to businesses recommends risk assessment, selecting a range of protective measures that best suit the organisation's circumstances, training staff, and encouraging them to protect themselves through vigilance and good housekeeping. Security plans should be tested regularly and include evacuation, search and recovery procedures.

Businesses should not plan in isolation, but make use of all available advice. The Police, Home Office, and MI5 all offer guidance on their respective websites. The Centre for the Protection of National Infrastructure was set up as a branch of the security services, specifically tasked with the protection of public and private
business. In 2006, the Civil Contingencies Act was updated to give local authorities responsibility for advising companies about continuity management. Business forums allow organisations to share best practice and facilitate participation in counter-terrorist security planning.

Although risk can never be eliminated, with careful planning it can be significantly reduced. There are three main questions to consider when undertaking a security risk assessment for a business:
....What are the threats?
....Where is the business vulnerable?
....What steps can be taken to reduce the risks?

By looking at the activities and relationships a business is engaged in, it is possible to create a profile of the organisation and to determine the level of threat to its functions. The level and type of threat to an organisation can change quickly and it is vital to be aware of current affairs or changes in circumstances. New company activities or relationships with 'controversial' clients can all add risks to the security profile.
Even indirect links can have an impact and plans must be in place to accommodate changes. There are also risks associated with mere physical location, and the potential for collateral damage from an attack on a neighbour should be taken into account.

Once the specific threats and level of risk have been identified, one must assess which areas require protection and how they are vulnerable. Common areas of risk are people (staff and visitors), property, and business information. The mailroom is often the main point of entry in any business, for personnel, goods, and data, and is therefore key to ensuring security of premises and employee safety.

Any protective measures must be commensurate with the level of risk. There will always be a compromise between the level of protection, the disruption to day-to-day activities, and cost. A range of measures should be considered to ensure depth of protection, as this is more effective than a single barrier approach. A Security Plan should be implemented, taking account of all risks to the business, level of threat associated with each, mitigation procedures, and responses in the event of an incident. This is likely to involve organisationwide input and should be circulated as appropriate. All staff must be made aware of their general and specific responsibilities within the Security Plan and trained accordingly. The Plan should be tested and reviewed on a regular basis and any changes notified to all concerned.

The primary goals of any Security Plan are safety of individuals and integrity of business functions. A Business Continuity Plan (BCP) must therefore form an integral part of any Security Plan. The BCP should be flexible, and provide procedures for continued functionality in the event of a range of circumstances, from
power cuts or building loss to staff disruption. These procedures will come into play regardless of whether the cause of the incident is terrorist or non-terrorist action, natural disaster, hoax or real threat. A dedicated BCP site may be warranted, the location of which should be close enough to transport staff without delay but not be caught in the same incident. Any such site must be secure, networked, and fully equipped, or incorporate a call-down facility to provide necessary equipment within a short period of time. Staff facilities must be available on location or within close proximity and the site must be visited and services tested regularly.

Finally, the appointment of a Security Coordinator will ensure that planning is focused and responsibility for policy and procedures rests with a designated individual. This need not require an additional member of staff, and is likely to fit within an existing role. The Security Co-ordinator should have primary responsibility
for producing risk assessments and planning protection measures, maintaining search and evacuation plans, arranging staff training, and establishing communication cascades and drills. Furthermore, the nominated person would have a vital role during an incident, liasing with the emergency services, determining the extent and direction of any evacuation, and deciding when to re-occupy premises.

Mailroom security
As greater attention is focused on potential security threats, so the market has responded and adapted with new technology and strategies. Outsourcing mail handling and security screening, or basing these activities off-site, is becoming more prevalent. This can reduce the impact of an incident by preventing disruption to
core business functions, as well as enabling increased operational efficiency. It has the added benefit of reducing central space requirements or freeing up room for other needs.

Organisations in the process of designing new premises are now likely to consult mailroom experts about enhanced on-site security, including bomb-mitigated rooms and screening equipment. Retrospective security works can be expensive, and it is vital to ensure that protection is factored in at an early stage. A
further option is establishing a threat escalation site, to provide enhanced incoming mail security on-demand. Not operational under normal circumstances - but moth-balled - such a site would be fully equipped to be functional within 24 to 48 hours, as required. As the nature of the perceived threat changes, enhanced screening technology is under constant development. Xray screening is widely available, and recent improvements allow detection of organic matter and explosives in liquid form.

None of these measures alone will have substantial benefits for business security unless supported by well-trained and motivated staff. Expensive, sophisticated equipment is wasted if the staff using it are not competent. For mailroom staff (assuming use of X-ray equipment) the minimum amount of training required would be in identification of suspicious items, X-ray screening, and knowledge of responsibilities and procedures under the Security Plan. Furthermore, the mailroom should have a Radiation Protection Supervisor, with sufficient trained personnel to cover staff absences.

All processes and procedures should form an integral part of an organisation's overall Security Plan. The Plan must be comprehensive, but simple enough to be understood and implemented. Each threat should have a specific response and staff should be trained in its implementation. It is not only new staff who need training; existing staff should have their training refreshed on an ongoing basis.

Whilst the key to mailroom security lies in the appropriate use of technology and systems by well-trained and motivated mailroom staff, security awareness should be part of organisational culture. Communication is key and all staff should advise the mailroom as soon as possible of any potential changes to the threat
level. Ensuring that contractors and clients address mail correctly, that the mailroom is advised of expected deliveries, and that personal items sent to the company address are kept to a minimum, will also assist mailroom operation. Reducing the risk from the receipt of a device will result in an element of delay in receiving some items. This can usually be mitigated through changes to shifts and delivery times, but on occasion will not be practical, and staff should be encouraged to understand and make allowances. A broader level of staff training may only extend as far as knowing how to report suspicious incidents and how to react to alarms, but awareness and vigilance can be priceless.

....Geoff Haw is Director and Leagh Ganpatsingh is Principal Consultant at MailSource UK Ltd