A
year after the attacks on September 11, Nic Paton reports on five ways to
improve workplace security
Ask
any HR professional whether their organisation has improved security and
disaster planning in the wake of September 11, and the chances are the answer
will be a firm yes. But while recognising the need for increased vigilance and
evacuation measures is one thing, securing the necessary investment to make a
real difference, is quite another.
According
to Texas-based security specialist PentaSafe Security Technologies, the
difficult global economic climate means that while security has now been
elevated up the agenda, it is still just another cost to be weighed up and
justified like any other.
PentaSafe
has 1,250 customers, and advises major banks, consumer groups such as Johnson
& Johnson and four of the top five US auditing firms.
Marketing
director David Blackman believes firms are looking to tighten up their security
and disaster planning without investing new money.
“If
it is a new project, the organisation may go through an entire evaluation. But
it’s always against a backdrop of ‘is this going to help us reduce our costs or
increase revenues?’,” he says.
The
bill for extra security can run to many thousands of pounds, so it is vital to have
a central strategy to prevent people pulling against each other, or wasting
money on pet projects.
Some
security initiatives can, in fact, help to reduce costs. An estimated 40 per
cent of calls to IT help desks are related to forgotten or lost passwords. By
putting an automated tool in place, for instance, the helpdesk can be freed to
deal with bigger issues and security is not compromised, argues Blackman.
Here
are five tips for making your organisation better prepared for the worst:
Be
transparent
Effective
disaster planning is as much about education as blueprints and secret manila
folders. Make sure your staff know what to do in an emergency, make it clear
and simple to understand and make sure you have emergency teams in place.
Who
will come in at the weekend to set up offices in people’s homes or in business
partners’ offices, for instance? “You need to be able to mobilise your staff,”
argues Blackman.
It
is important to know at all times who has the facility to work from home and
who can be used to hook back up to the office. Do you have a fall-back
location? Where are your critical staff? What, for instance, would you do if a
bomb took out the Underground or rail network, and employees could not get in?
Watch
your back
When
it comes to physical security, have a strategy that looks at all aspects of the
building: front, back, side, top and bottom.
Organisations
will often have stringent security for employees at the front, and then become
lax about the goods’ entrance or loading bays. Make sure partners and
associates are equally stringent.
Assess
what your options are if the building were to be destroyed, and determine which
assets are critical and which less so. Is there a particularly vital server, HR
database, central record or classified information that needs to be taken into
account, for instance? Put a programme in place that will ensure that in the
event of a disaster, you will still have access to this information.
Do
trial runs
This
doesn’t necessarily mean everyone donning arm bands and hurrying into the
woods. It can entail running an exercise where you can’t get into the network,
for example, or doing an evacuation exercise, or choosing a department to
assess how it might function in a crisis situation.
But,
however useful, exercises still only have a limited use. “They are worthwhile,
but when it happens for real, you still just have to deal with it,” warns
Blackman.
Disasters
don’t have to be spectacular
Financial
fraud, hacking and industrial espionage can be just as damaging to a business
as a high-profile terrorist attack. Fraud will often involve someone on the
inside, so if you have a lot of sensitive information, it is imperative to make
sure adequate checks are carried out on employees, contractors and suppliers.
When
it comes to cyber attacks, ensure your IT people have configured all the
firewalls correctly and, as far as possible, have closed off all opportunities
for hackers.
Also
look at your corporate website – are you giving too much away about your key
locations, assets and executives?
Keep
your plans updated
People
may be on leave or out of the office when disaster strikes, so make sure staff
know who’s responsible for deputising when that person is away at all times.
Some
organisations have ‘buddy’ systems where employees help each other out of the
building.
Organisations
will also often merge, so make sure disaster planning doesn’t end up being put
to one side in the newly formed business.
