Attacks across Europe inspired by so-called Islamic State have changed perceptions of terror risk and require companies to plan carefully around business continuity
The 9/11 attacks on the US in 2001 were a watershed moment in history. Since that day 15 years ago, nothing has been the same.
The subsequent “War on Terror” failed in its primary objective of reducing threats to the West. On one level it has weakened significantly the organisation behind the 9/11 attacks, Al-Qaeda, but the decade-long US-led campaign in the Middle East has destabilised the region to a dangerous level.
Worse, it has spawned an even more appalling terror organisation of mediaeval barbarity that has brought death and fear to almost every continent.
The attacks on Paris in November 2015 by so-called Islamic State (IS), or Daesh as it is also known, were vastly different in execution to those of 9/11 yet their impact was felt just as deeply, certainly across Europe. No longer do terror groups need to stage complicated “spectaculars” – they can be as devastatingly effective with basic weapons.
This point was made perhaps even more starkly in the French coastal resort of Nice last summer when a lone individual acting under the auspices of IS used a delivery truck to run down and kill 85 people.
Both events were human tragedies first and foremost, but there have been implications for businesses also.
In the aftermath of the November Paris attacks the Belgian city of Brussels was closed for almost a week even though it was not under direct attack. This unprecedented lock-down of one of Europe’s most important capitals occurred because authorities feared that members of the gang that carried out the Paris atrocities were based in Belgium and had returned either to evade police or launch another attack.
Companies based in this vital business centre had to make arrangements to keep staff and clients safe first and to try to maintain and try to maintain a semblance of continuity.
Although no attacks took place in Brussels during that time, the subsequent bombing of the city’s airport and one of its metro stations earlier this year has kept authorities on the highest alert. It is the same across much of Europe. So how do companies ensure the security of their employees at such times and seek to keep their business activity moving amid disruption and uncertainty?
Planning ahead, particularly in terms of how to manage people, is crucial in this regard, according to Karla Cruickshanks, risk and business continuity manager at international law firm DLA Piper. She had to implement a strategy for colleagues after the attacks in Paris, Brussels and Munich and highlights the importance of soft skills that might otherwise be overlooked in a crisis situation.
Keeping a clear head and being able to make rational decisions under testing circumstances is crucial, not only for risk professionals but also for everyone involved, Cruickshanks says.
“What is your first thought when you hear about a possible new terror attack on the news?” she asks. “Even the most committed employee is likely to focus on family and friends ahead of the business. So it makes sense to work with people and help them plan personal and professional strategies for dealing with a crisis.
“Also, by encouraging people to consider different possibilities, if the worst does happen, there is something they can (hopefully) remember to make them feel they have an element of control in an otherwise uncontrollable situation.
“While you can never truly know how someone will react in a crisis, bringing your business continuity team(s) together regularly to discuss possible scenarios can also be revealing as to what reactions you might encounter when people are under pressure in a live situation.
“Keeping your team focused and calm in a tense situation is challenging and you need to ensure you have the right people trained. If you think that there may be members of your team who might not respond well, and cause others to panic, ask the group to be honest about how they feel. By engaging the team on this level, you’re often able to bring them closer together and form the critical bonds and trust essential in a crisis. It can also ensure team members feel safe enough to honestly admit that they might not be the best person for the job and you need to respect that level of disclosure.
“If you are managing multiple teams or sites, you need to ensure there is a level of consistency in your approach as well as some flexibility for the needs of that site and those people. Whether this is cultural in the sense of a particular jurisdiction, practice/work area, or another context, people need to feel they are heard and valued and not just part of a process that does not fit with their way of working.”
As a former police officer with anti-terror experience, Business Continuity Institute vice-chair James McAlister has a particularly unique insight in terms of physical risk.
“People should think geographically about where they place their critical buildings,” he says. “I realise that is massive infrastructure and investment and requires thinking longer rather than short-term, but companies need to do this.
“There is a view about London [and other capital cities] that everything happens there and if you are not in the heart of the city then you do not have your finger on the pulse. The problem is that you then take the risk. It is about understanding the risk, and if you are going to think about where you are and how you build, you need to design terrorist-proof buildings. This is difficult. You can do it by adding physical protection to existing buildings, but it is much harder and more expensive – and it never quite fits.
“If you walk into a building with purpose, don’t pay attention to reception and pick the right time, it is possible to not be challenged. I have undertaken penetration testing before and waited until reception has two or three people, you see a gap, you tailgate and away you go. You can get anywhere you want because all too often nobody has the courage to challenge you unless it is a particularly sensitive building that has a lot of control about where you can and cannot access.”
McAlister, who runs organisational resilience consultancy Crisis Prepared, says it is fundamentally important that companies take action to improve their security, even at a basic level.
“You don’t always have to spend a lot of money to improve business continuity and security,” says McAlister.
However, even secure buildings cannot prevent attacks taking place in and around their vicinity. In such cases, a lock-down or evacuation plan becomes essential.
“Everyone has an evacuation plan,” he says. “The last thing you want to do is evacuate if there is murder and mayhem going on in the street outside or in the general local area. The problem is a lot of buildings only have a plan to get people out. They do not have a plan to take people to a safe haven within a building or even just to lock down the exterior of a building, move everyone away from the glass and to a safer area.
“Stairwells are a great place because they are generally quite robust. Or take them to the basement or even the roof – a safe haven to hide until they get more information.
“With a lock-down, ideally you would need a hibernation plan where you could take it further. So you might create a strong room, for example, where employees can go to and within there might be water, hardline telephony, internet access, and so on. In theory people might also be able to bed down overnight.”
Not every company needs to take such extraordinary measures, says McAlister. “A lot of this comes down to what is the real threat to you and also to your organisation? What have you done to sufficiently annoy people to think they might want to attack you?”
But while the current wave of attacks by so-called Islamic State are not specifically aimed at businesses, they are so random and indiscriminate that companies inevitably become caught up in them or in the affected location. So what then?
Having an alternative site is vital for some organisations, but many can operate effectively with employees working from home, for a short time at least. “People need to move from the old-fashioned way of working to the mentality of being able to work much smaller, more efficiently, effectively and safer with employees spread widely geographically,” McAlister says.
Carl Leeman, head of risk at Belgium-based logistics firm Katoen Natie says security in cities has been increased significantly since the attacks on Paris and Brussels, with soldiers and military vehicles deployed on the streets.
Security of business buildings has also been bolstered. “Depending on what type of business we are talking about, physical security of premises or a site has been stepped up,” Leeman says.
But what about workforce checks aimed at detecting a potential security threat from within a business?
“This is changing a little, but you need to recognise that it is not an easy debate to have,” Leeman says.
“In Europe there is such a focus on confidentiality and privacy issues and that does not make it easy for companies or authorities to undertake screening. So privacy and security are not necessarily the best strengths.
Today, it is perfectly possible for a company to hire an individual who has been profiled as a terrorist by the police and to not realise it.”
Companies are certainly reacting to the new terror threat in terms of improving security, but it is questionable how much of the response is considered and proportionate. McAlister believes the risk needs to be weighed up properly. “The threat is out there, but the risk to you is very low, so think about that when you are looking at a budget for what you are doing,” he says.
“Fit for purpose will never be ‘gold plated’ as that is not the purpose – you don’t need a completely over-engineered solution.”