Taking charge of your personal security

Page title here:
Taking charge of your
personal security
A guide to running a staff vigilance campaign
Together, we’ve got security covered.
Introduction
Organisations like ours are at risk from people who
want to interrupt our operations, steal our data or
cause harm to our personnel, premises or reputation.
When identifying a target, these ‘hostiles’ conduct
detailed research to identify weaknesses they might
be able to exploit. Alongside physical and electronic
security systems, they will scrutinise the people
working within an organisation. If they identify weak
security practices or attitudes they may also target
employees themselves.
© Crown Copyright 2015
Disclaimer
Reference to any specific commercial product, process or service by trade name, trademark, manufacturer or otherwise, does not constitute or imply its
endorsement, recommendation or favouring by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or
product endorsement purposes.
To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential and including, but not limited to,
loss of profits or anticipated profits, loss of data, business goodwill) incurred by any person and howsoever caused arising from or connected with any error or
omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using, the information contained in this document
or its references. You should make your own judgement as regards use of this document and seek independent professional advice on your particular circumstances.
Introduction – 01
In this guide, we will explain
how to protect yourself from
the attention of malicious
individuals – at work,
at home and online. By
understanding how hostiles
think and act, we can take
simple steps to enhance our
personal security and – in
the process – contribute to
the safety of our colleagues,
family and friends.
Together, we’ve got security covered.
Understanding the threat
Hostiles need confidence
While their aims can vary, hostiles are united in two important ways:
•they need to know they will succeed; and therefore
•they plan before attacking
Hostiles often invest a lot of time and resources in attack planning. Even when they do not care about their
own safety, they care about their reputation and the impact of their actions. They cannot countenance failure
and plan meticulously – conducting both online and physical reconnaissance.
During reconnaissance they will be extremely anxious. Hostiles realise their behaviour is unusual and therefore
conspicuous. They are very concerned about being detected before they have developed their plan. This makes
them vulnerable to any suggestion that they will not succeed – such as staff displaying good personal security.
Looking through the hostile lens
A preoccupation with confirming that a potential attack will be successful makes hostiles’ actions more
predictable than you might think.
You can use this knowledge when developing your personal security. Ask yourself these simple questions
to better understand the hostile’s perspective:
•Why would I be a target?
•Who would be targeting me?
•What would they want to achieve?
•How would they achieve this?
•Where and when?
•How am I vulnerable?
•Where can I influence this?
These questions can help you counter a hostile’s research. You can call on them whenever you think the threat,
situation or environment has changed for you – for example, if you travel to a higher risk location.
Understanding the threat – 03
Taking charge of your personal security
Together, we’ve got security covered.
Responding to the threat
Influencing hostile confidence
Personal security checklist
To determine they have a high chance of success, hostiles will either employ detailed planning, or use the simple
assumption that they have chosen an option so easy they can’t possibly fail.
Good personal security doesn’t mean constantly looking over your shoulder.
Here are some simple, effective steps you can take:
There are therefore two fundamental ways to influence their confidence and greatly deter them:
✓Look confident and be security savvy. This can be enough to deter a hostile.
•Remove detail
Use the understanding of what the hostile wants to achieve, and how they would go about achieving it, and
try to ensure that sufficient detail for them to successfully plan is not available. Protecting personal details does
not necessarily mean trying to disappear; rather it means ensuring that certain detail, such as your address or
children’s names or school, is not available.
•Appear vigilant
Remove the perception you could be an easy target. An appearance of vigilance is a great deterrent. Remember
that all attacks will involve some form of reconnaissance, so vigilant individuals who might detect and report
suspicious activity may well be enough to completely deter the hostile.
Can you remove yourself from the equation?
A hostile will often only choose an individual as a target as a means to an end. So consider whether you
can indicate you cannot help them achieve that end. For example, if you are only a target by association –
perhaps because of who you work for – could you deemphasise your involvement or level of responsibility?
Although this approach is often overlooked, it can be a highly effective personal security measure.
✓Pay attention as you enter and leave buildings. Avoid staring at your book, phone or tablet.
✓Do you draw attention to where you work? Avoid chatting to colleagues outside the front entrance, smoking
within the immediate vicinity of the building, hailing a cab outside the front door or walking around in your
company livery or uniform if possible (e.g. wearing a company fleece while visiting the shops at lunchtime).
✓If showing where you work is inevitable, can you separate it from your home life?
✓Can you vary your route to work, even by just a little? It could be something as simple as taking an
earlier or later train, using a different bus stop or entering the building by a different entrance to the one
you normally use.
✓Dispose of personal information securely; shred it if possible.
Extending these principles to your online presence, consider the following:
•Do you know what information is available about you online? Take the time to review your digital footprint and
understand what this looks like. Remember, it’s not just you who shapes this – your friends and family add to
this every time they mention you online. A large footprint isn’t necessarily a bad thing; it’s about managing it.
•Do you make use of and update security settings? These change regularly so keep an eye on them.
•Can you replace your profile picture with something less obvious? It could make it harder for someone to be
confident that they’ve identified you online.
•Do you talk about your work online? Think carefully about your actions and don’t draw unnecessary attention
to yourself.
Responding to the threat – 05
Taking charge of your personal security
Together, we’ve got security covered.
Responding to the threat
Achieving the right level of response
A joined up approach to personal security It can be helpful to decide what kind of threat you face. This can determine the type of personal security
measures you need to adopt.
When thinking about personal security, you should think about your home, work and online life. Some people
are very good at protecting themselves in one area while they are wholly open to attack in another. Try to
safeguard across all areas.
Threat
Type of personal security measures
High/Likely target
Improve your situational awareness and try and take note of
what is going on around you. If appropriate, research locations
or routes.
Those facing a specific direct threat.
This could be due to their role or
profile. It might be an ongoing threat
or related to a certain time
or location.
Components of personal security
Where possible, travel in numbers.
Change your route to and from work where possible.
Be aware of how other people are reacting to you.
HOME
WORK
Cultivate those around you – for example, be friendly with local
shopkeepers and see if they notice anything out of the ordinary.
Don’t advertise who you work for. Do you need to wear a
uniform or company livery outside of work?
Manage your social media footprint: keep your security settings
high; research what information is publicly available about you.
ONLINE
Low/Unlikely target
Try and cultivate the appearance of vigilance and awareness.
Where the threat exists but is not
specifically directed at them.
Don’t stand out. Don’t look like a victim or easy target.
Manage your social media footprint and keep your security
settings high.
Matching measures to the threat you face means you don’t have to employ more onerous measures when they
are not necessary. You can employ additional measures if the threat increases.
It must be remembered that some personal vulnerabilities cannot be easily removed if it becomes necessary to
increase your personal security. For example, once information is posted on social media it is ‘out there’, and can
be very hard to delete or retrieve.
Shaping your digital footprint
Have you thought about what information is available that might help a hostile profile you? It is not always
possible to stop people putting information on the internet about you, but you should take every effort to
limit what is out there. This may be by ensuring you are using the correct security settings, replacing profile
pictures with something neutral, removing information and avoiding talk about work.
If you don’t follow these measures, hostiles can quickly build a picture of you from seemingly innocuous
content. And even if you do attempt to remove personal information, you should consider the fact that
the information is already ‘out there’ and that you may need to use other personal security measures to
mitigate any potential threat.
CPNI has produced advice specifically about taking control of your digital presence. Ask your security
manager about how to manage your Digital Footprint.
Responding to the threat – 07
Taking charge of your personal security
Together, we’ve got security covered.
Responding to the threat
The risk of routine
Personal security means personal responsibility
Routines and predictable patterns provide the hostile with a framework in which to plan their actions.
You know what constitutes your ‘normal’ environment better than anyone else. Be vigilant for abnormal activity
or the absence of the normal. If you detect suspicious activity, always report it IMMEDIATELY.
Even if you are not directly involved in the activity a hostile objects to or needs information about, they might
still target you if you fall in with the behavioural patterns of those around you. E.g. everyone from an organisation
taking the same route to the same café at the same time of day, or staff in the same uniforms socialising in the
same bar after work.
A hostile might base a plan on the routines of a group of employees, and simply identify a victim who fits their
profile during an attack.
Security professionals are not expecting every report they receive to reveal criminal or terrorist activity. But
to accurately identify concerning activity, multiple reports are often necessary. Your contribution could be the
piece of the jigsaw needed to complete the puzzle. By taking responsibility for personal security, employees can
contribute to creating a stronger security culture across an organisation; one where vigilance becomes a part of
everyday life. To achieve this it’s important not to assume that someone else has reported an incident and to trust
your instincts. If you feel it, report it straight away.
If your presence in a certain time or place is predictable, it is also avoidable. By varying your routine, you instantly
convey unpredictability about your behaviour, which will discourage a hostile trying to predict every eventuality.
A security conscious workforce can multiply an organisation’s capacity to spot suspicious activity, deter those up
to no good and create a safer environment for each other, visitors and neighbours.
“It’s never been a problem before”
Make sure you always have the security control room number
An absence of previous hostile attacks does not reduce you or your organisation’s vulnerability to
reconnaissance or targeting. Don’t be complacent. Identify what threats you might face and what you
can do about it, rather than leaving your personal security to chance.
Do you know the correct number to call to report in – from inside and outside your
organisation’s premises?
Responding to the threat – 09
Taking charge of your personal security
Together, we’ve got security covered.
Responding to the threat
Summary
• Develop baseline personal security measures and always follow them. Then look to
enhance these only when necessary.
• Three fundamental ways to disrupt hostiles targeting you are:
1.Remove detail: ensure that information about you lacks sufficient detail for a hostile to successfully plan.
2.Don’t be an easy target: appear vigilant and security-savvy.
3.Don’t suit their aim: once you have looked through the hostiles’ lens and have begun planning your response,
you can consider how to remove yourself from their options.
• Report suspicious activity IMMEDIATELY and become socially responsible for the
security in your environment.
REMEMBER: RESPONSIBILITY
FOR YOUR PERSONAL SECURITY
STARTS AND ENDS WITH YOU.
Responding to the threat – 11
Taking charge of your personal security