Page title here: Taking charge of your personal security A guide to running a staff vigilance campaign Together, we’ve got security covered. Introduction Organisations like ours are at risk from people who want to interrupt our operations, steal our data or cause harm to our personnel, premises or reputation. When identifying a target, these ‘hostiles’ conduct detailed research to identify weaknesses they might be able to exploit. Alongside physical and electronic security systems, they will scrutinise the people working within an organisation. If they identify weak security practices or attitudes they may also target employees themselves. © Crown Copyright 2015 Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer or otherwise, does not constitute or imply its endorsement, recommendation or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to, loss of profits or anticipated profits, loss of data, business goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances. Introduction – 01 In this guide, we will explain how to protect yourself from the attention of malicious individuals – at work, at home and online. By understanding how hostiles think and act, we can take simple steps to enhance our personal security and – in the process – contribute to the safety of our colleagues, family and friends. Together, we’ve got security covered. Understanding the threat Hostiles need confidence While their aims can vary, hostiles are united in two important ways: •they need to know they will succeed; and therefore •they plan before attacking Hostiles often invest a lot of time and resources in attack planning. Even when they do not care about their own safety, they care about their reputation and the impact of their actions. They cannot countenance failure and plan meticulously – conducting both online and physical reconnaissance. During reconnaissance they will be extremely anxious. Hostiles realise their behaviour is unusual and therefore conspicuous. They are very concerned about being detected before they have developed their plan. This makes them vulnerable to any suggestion that they will not succeed – such as staff displaying good personal security. Looking through the hostile lens A preoccupation with confirming that a potential attack will be successful makes hostiles’ actions more predictable than you might think. You can use this knowledge when developing your personal security. Ask yourself these simple questions to better understand the hostile’s perspective: •Why would I be a target? •Who would be targeting me? •What would they want to achieve? •How would they achieve this? •Where and when? •How am I vulnerable? •Where can I influence this? These questions can help you counter a hostile’s research. You can call on them whenever you think the threat, situation or environment has changed for you – for example, if you travel to a higher risk location. Understanding the threat – 03 Taking charge of your personal security Together, we’ve got security covered. Responding to the threat Influencing hostile confidence Personal security checklist To determine they have a high chance of success, hostiles will either employ detailed planning, or use the simple assumption that they have chosen an option so easy they can’t possibly fail. Good personal security doesn’t mean constantly looking over your shoulder. Here are some simple, effective steps you can take: There are therefore two fundamental ways to influence their confidence and greatly deter them: ✓Look confident and be security savvy. This can be enough to deter a hostile. •Remove detail Use the understanding of what the hostile wants to achieve, and how they would go about achieving it, and try to ensure that sufficient detail for them to successfully plan is not available. Protecting personal details does not necessarily mean trying to disappear; rather it means ensuring that certain detail, such as your address or children’s names or school, is not available. •Appear vigilant Remove the perception you could be an easy target. An appearance of vigilance is a great deterrent. Remember that all attacks will involve some form of reconnaissance, so vigilant individuals who might detect and report suspicious activity may well be enough to completely deter the hostile. Can you remove yourself from the equation? A hostile will often only choose an individual as a target as a means to an end. So consider whether you can indicate you cannot help them achieve that end. For example, if you are only a target by association – perhaps because of who you work for – could you deemphasise your involvement or level of responsibility? Although this approach is often overlooked, it can be a highly effective personal security measure. ✓Pay attention as you enter and leave buildings. Avoid staring at your book, phone or tablet. ✓Do you draw attention to where you work? Avoid chatting to colleagues outside the front entrance, smoking within the immediate vicinity of the building, hailing a cab outside the front door or walking around in your company livery or uniform if possible (e.g. wearing a company fleece while visiting the shops at lunchtime). ✓If showing where you work is inevitable, can you separate it from your home life? ✓Can you vary your route to work, even by just a little? It could be something as simple as taking an earlier or later train, using a different bus stop or entering the building by a different entrance to the one you normally use. ✓Dispose of personal information securely; shred it if possible. Extending these principles to your online presence, consider the following: •Do you know what information is available about you online? Take the time to review your digital footprint and understand what this looks like. Remember, it’s not just you who shapes this – your friends and family add to this every time they mention you online. A large footprint isn’t necessarily a bad thing; it’s about managing it. •Do you make use of and update security settings? These change regularly so keep an eye on them. •Can you replace your profile picture with something less obvious? It could make it harder for someone to be confident that they’ve identified you online. •Do you talk about your work online? Think carefully about your actions and don’t draw unnecessary attention to yourself. Responding to the threat – 05 Taking charge of your personal security Together, we’ve got security covered. Responding to the threat Achieving the right level of response A joined up approach to personal security It can be helpful to decide what kind of threat you face. This can determine the type of personal security measures you need to adopt. When thinking about personal security, you should think about your home, work and online life. Some people are very good at protecting themselves in one area while they are wholly open to attack in another. Try to safeguard across all areas. Threat Type of personal security measures High/Likely target Improve your situational awareness and try and take note of what is going on around you. If appropriate, research locations or routes. Those facing a specific direct threat. This could be due to their role or profile. It might be an ongoing threat or related to a certain time or location. Components of personal security Where possible, travel in numbers. Change your route to and from work where possible. Be aware of how other people are reacting to you. HOME WORK Cultivate those around you – for example, be friendly with local shopkeepers and see if they notice anything out of the ordinary. Don’t advertise who you work for. Do you need to wear a uniform or company livery outside of work? Manage your social media footprint: keep your security settings high; research what information is publicly available about you. ONLINE Low/Unlikely target Try and cultivate the appearance of vigilance and awareness. Where the threat exists but is not specifically directed at them. Don’t stand out. Don’t look like a victim or easy target. Manage your social media footprint and keep your security settings high. Matching measures to the threat you face means you don’t have to employ more onerous measures when they are not necessary. You can employ additional measures if the threat increases. It must be remembered that some personal vulnerabilities cannot be easily removed if it becomes necessary to increase your personal security. For example, once information is posted on social media it is ‘out there’, and can be very hard to delete or retrieve. Shaping your digital footprint Have you thought about what information is available that might help a hostile profile you? It is not always possible to stop people putting information on the internet about you, but you should take every effort to limit what is out there. This may be by ensuring you are using the correct security settings, replacing profile pictures with something neutral, removing information and avoiding talk about work. If you don’t follow these measures, hostiles can quickly build a picture of you from seemingly innocuous content. And even if you do attempt to remove personal information, you should consider the fact that the information is already ‘out there’ and that you may need to use other personal security measures to mitigate any potential threat. CPNI has produced advice specifically about taking control of your digital presence. Ask your security manager about how to manage your Digital Footprint. Responding to the threat – 07 Taking charge of your personal security Together, we’ve got security covered. Responding to the threat The risk of routine Personal security means personal responsibility Routines and predictable patterns provide the hostile with a framework in which to plan their actions. You know what constitutes your ‘normal’ environment better than anyone else. Be vigilant for abnormal activity or the absence of the normal. If you detect suspicious activity, always report it IMMEDIATELY. Even if you are not directly involved in the activity a hostile objects to or needs information about, they might still target you if you fall in with the behavioural patterns of those around you. E.g. everyone from an organisation taking the same route to the same café at the same time of day, or staff in the same uniforms socialising in the same bar after work. A hostile might base a plan on the routines of a group of employees, and simply identify a victim who fits their profile during an attack. Security professionals are not expecting every report they receive to reveal criminal or terrorist activity. But to accurately identify concerning activity, multiple reports are often necessary. Your contribution could be the piece of the jigsaw needed to complete the puzzle. By taking responsibility for personal security, employees can contribute to creating a stronger security culture across an organisation; one where vigilance becomes a part of everyday life. To achieve this it’s important not to assume that someone else has reported an incident and to trust your instincts. If you feel it, report it straight away. If your presence in a certain time or place is predictable, it is also avoidable. By varying your routine, you instantly convey unpredictability about your behaviour, which will discourage a hostile trying to predict every eventuality. A security conscious workforce can multiply an organisation’s capacity to spot suspicious activity, deter those up to no good and create a safer environment for each other, visitors and neighbours. “It’s never been a problem before” Make sure you always have the security control room number An absence of previous hostile attacks does not reduce you or your organisation’s vulnerability to reconnaissance or targeting. Don’t be complacent. Identify what threats you might face and what you can do about it, rather than leaving your personal security to chance. Do you know the correct number to call to report in – from inside and outside your organisation’s premises? Responding to the threat – 09 Taking charge of your personal security Together, we’ve got security covered. Responding to the threat Summary • Develop baseline personal security measures and always follow them. Then look to enhance these only when necessary. • Three fundamental ways to disrupt hostiles targeting you are: 1.Remove detail: ensure that information about you lacks sufficient detail for a hostile to successfully plan. 2.Don’t be an easy target: appear vigilant and security-savvy. 3.Don’t suit their aim: once you have looked through the hostiles’ lens and have begun planning your response, you can consider how to remove yourself from their options. • Report suspicious activity IMMEDIATELY and become socially responsible for the security in your environment. REMEMBER: RESPONSIBILITY FOR YOUR PERSONAL SECURITY STARTS AND ENDS WITH YOU. Responding to the threat – 11 Taking charge of your personal security
© Copyright 2024