Businessmen read newspapers. How else to explain the fact that one in four companies (26 per cent) expect to experience some form of terrorist attack over the next two years, according to research released today by think-tank RAND Europe and The Risk Advisory Group (TRAG), a corporate investigations and intelligence consultancy.
One in ten businesses (10 per cent) believe it is ‘extremely likely’ they will face at least one instance of terrorism, according to the study, which was conducted amongst security and risk managers at large corporations.
63 per cent of respondents believe terrorism is now a ‘significant threat’ to their organisations, with three out of four (74 per cent) believing that this threat will increase over the next 24 months. Twenty-four per cent believe it is likely their organisations will be deliberately targeted by terrorists – and half of companies believe terrorism is now a more serious threat than crime or fraud.
Almost four in ten (38 per cent) think conventional weapons are the most likely tactic to be used by terrorists but cyber-terrorism (32 per cent), chemical or biological attacks (18 per cent) and radiological or nuclear terrorism (12 per cent) are also seen as likely tactics.
Naturally, TRAG can scarcely believe its luck. In fact, the company has announced a new ‘Red Team’ threat assessment and security testing service. “Many businesses still have gaps in their security management processes,” it says. “One in seven (14 per cent) give no security awareness training to their staff; one in six (16 per cent) have no travel security programmes or systems in place; and almost one in five (18 per cent) do not screen their employees before hiring. Senior executives seem to be a particular target, with only 54 per cent of companies having some form of close protection in place for their senior managers. And one in seven companies (14 per cent) have not undertaken any form of security surveys, audits or penetration testing to check systems.”
Under Red Team testing, a team of security and terrorism experts takes on the role of a hostile ‘enemy’ to test a corporation’s security measures. The team conducts threat modelling, hostile surveys of the company’s physical environments and penetration testing exercises – getting ‘hostiles’ into positions in which, if they were real terrorists or criminals, they could cause significant damage to the organisation.
“As governments respond more effectively to the threat of terrorism, terrorists have begun to identify softer targets – and business comes top of that list,” says David Claridge, head of TRAG’s security risk management arm.
“Most notably, Al Qaeda has issued explicit instructions to its followers to attack economic targets. Business is aware of the risk, clearly. But being aware is not the same as being prepared – and too many companies still have yawning gaps in their security systems.
“The Limburg and Bali nightclub bombings were the first salvoes in Al Qaeda’s new economic targeting programme. In the next twelve months, I think we can expect to see attempts on targets including banks and financial institutions, multinational ‘icon’ brands and the travel industry.”
The RAND Europe / TRAG study polled the views of 50 security and risk management professionals at major corporations, largely with international operations.
46 of the companies have a turnover of ?500 million or more; 37 have a turnover of ?1 billion or more. All respondents were guaranteed anonymity, helping to deliver, says Claridge, a significant respondent set in what is typically a very secretive area of business.
“In the last year, we have conducted 18 ‘hostile’ penetration tests against major corporations,” concludes Claridge. “In every single case, we have succeeded in getting team members into positions in which they could have caused severe criminal or terrorist damage to the company concerned – whether it be ‘secure’ data centres, bank vaults or manufacturing facilities. The US military realised years ago that Red Team testing is one of the most effective ways to really identify faults in military doctrine. Companies now need to use the same type of methodologies to identify their weak points.”