Context is the most important part of a security risk assessment. Knowing who does what, where, when, how and why allows us to identify assets and their criticality (more on this later). Once we identify assets that people would like to take or potentially damage, we can identify the vulnerabilities that might allow such action to occur; the likelihood and consequences of the identified risks and whether they are acceptable; and what treatments can be put in place.
So, given that during the pandemic, workforces are dispersed, greatly reduced or non-existent, it is reasonable to assume that assets are going to be distributed or possibly unattended. In situations where workers are in the building, there are fewer managers and support staff on site. In some cases, people are attending the site outside normal work hours to minimise contact with others.
Basically, every Security Risk Assessment (SRA) done before February 2020 is wrong as the context has changed.
The underlying assumptions behind the previous SRA are probably no longer valid. The controls that rely on having people on site to manage, observe and monitor activities are probably not there. The access control regime now has people coming in at strange times, which raises the question: how is this being managed and approved with reduced managers on site?
The basic business rules for the organisation have had to change. In retail, shops have closed and staff have been laid off or stood down for the duration. Were normal dismissal processes followed, particularly for those expected to return to work? As part of that, were keys or access credentials collected? In cases where there has been a need to suddenly increase employee numbers, for example supermarket staff, delivery drivers and cleaning or security personnel, have the usual pre-employment checks been conducted or were they too time consuming?
In manufacturing, there has been a shift in some factories around what needs to be made and which stores are now of higher priority and criticality. Are the previous goods still protected to an appropriate degree or have they been moved out of the way to make room for the new materials?
In relation to criticality, who would have thought that toilet paper would become a critical asset? Masks, medicines, hygiene products were all known to be critical and attractive during a health crisis but… toilet paper? Similarly, it is unlikely that hand sanitiser in the toilets was seen as an asset worthy of protection, or that the cleaners’ storerooms might become holding areas for attractive assets.
Communications, including the internet, are fundamental to business in this new environment. Telecom towers are being attacked by those who think 5G and the virus are connected. How will the business be secured if/when comms of any type are disrupted in the short or long term?
Home-based work moves people, physical, information and reputational assets out of the normal environment to basically uncontrolled environments. If the business had a home-based work plan, is it applicable for a large number of off-site, remote workers?
The change in context has created, or enlarged, all sorts of vulnerabilities. Few of these were relevant to SRAs written last year.
As the relative attractiveness and vulnerabilities of the assets changed, so did the threats. The employee who would never steal a computer or on-sell a company secret may take sanitiser to protect their family. Closed shops offer targets for opportunistic and organised criminals. There has been a rise in cyber threats, but what other threats are evolving?
Cleaners and security guards, the lowest paid people in the building, are now seen as critical services. Will they be given recognition and better remuneration? If we follow the trend in the US, we may see people with degrees seeking to become guards as it is one of the growth industries offering employment.
It is not over yet. Now that the novelty of self-isolation is wearing off and this, or some version of it, becomes the ‘new normal’, the context will continue to change. New assets will become attractive, new threats will arise as some sectors of society may become poorer and more desperate, and existing controls may become irrelevant, requiring new ways to mitigate redefined security risks.
Risks can also be positive, so where are the opportunities? Security can show that it is aware of the changes and is finding ways not only to protect the business now but also to ensure that it will be strong enough to continue in the changed new world. For security businesses, there are plenty of opportunities in manpower, remote monitoring, IT/Cyber and areas we haven’t even considered, but should.
This is a time when security risk reviews must be revisited. This is not a time when senior managers can be allowed to say “we don’t have time for that”. Rather, this is when we say “the world has changed, where are we vulnerable?”
Don Williams CPP ASecM is a recognised thought leader in security and related disciplines. Don can be contacted at firstname.lastname@example.org .