In this article, Mike Bluestone considers the challenges facing internal auditors in light of the recent scourges of terrorism, binge drinking and drug use, and proposes eight principles of security.
Internal auditors are inevitably engaged in an ongoing challenge to uncover intellectual wrongdoing of varying kinds. The 'fail-safe' measures practised and implemented by them frequently reveal failings and intentional wrong doing - by employees and others - in both the public and private corporate sectors. In many instances, the findings they uncover and the subsequent action taken can result in the survival of a business that may otherwise have been struck a deadly blow, as a result, for example, of an attempted fraud, negligence or sheer incompetence.
What is sometimes not always appreciated however, is the increasing need for internal auditors to also focus on the physical security failings that occur within corporations.
In recent months, the advent of suicide bombers on the streets of London (and the resulting economic damage to the economy) have focused all of our minds on the need for corporations to play their part in helping to secure their individual corporate infrastructures. In parallel, the police and security services battle to secure the streets and public transport services, whilst the government strives to maintain the democratic freedoms that the vast majority of us so cherish. We indeed find ourselves living in difficult times.
Any organisation or business that fails to address both its intellectual and physical security is, in its own way, adding to the insecurity of the whole country. Effective security requires a collective ‘buy-in', and no business wants to be the one that let's everyone down. 
Compounding the current threat of global terrorism from groups such as Al Qaeda are other worrying factors, such as the increase in physical violence that manifests itself in the nightly street brawls on our city streets as a result of ‘binge drinking'. Significantly, this violence is not restricted to the streets of under-privileged sectors of our society, with even the City of London (the ‘Square Mile') suffering a rise in violence as the number of drinking establishments in the Capital's financial centre continues to grow.
So how does all of this specifically threaten individual corporations, and what losses can occur? The answer is that the issues fuelling violence, be it terrorism, drink and/or drugs, create a climate in which corporate assets become at risk. In many senses the outcomes are no different to the collateral damage which homes and businesses suffer if they are unlucky enough to be situated in the heart of a city centre, where drunken yobs decide to run rampage or when terrorists decide to explode a device, or, as in July, themselves!
Many corporations are - sadly - used to being broken into by thieves and vandals, where the presence of laptop computers and other valuable corporate assets prove too tempting. It is not uncommon, for example, for illegal drug users to break into corporate premises just to steal one laptop and re-sell it within hours or even minutes on the streets, in order to finance their next ‘fix'. Of course, in such cases, we see the inevitable link between physical and intellectual security where the loss of a laptop constitutes both the loss of a physical and more importantly, an intellectual asset. For many organisations, their information, aside from their people, is their key asset, and the loss of such information can be a fatal blow.
Any corporation worth its salt should also be actively demonstrating its own physical robustness/security to its own management and employees, and indeed to the outside world. Who, for example, would want to deposit their money in a bank that was constantly being robbed or falling victim to internal or external fraud? The reputation of a corporation can be destroyed by a steady string of such events, or even by just one major hit.
What measures, then, are available to corporations to counter such threats, and will they break the bank?
Of course, the actual physical measures employed by any corporation should be specific to meet the Threat & Risk Assessments for that organisation. Such assessments will vary greatly, depending, for example, on the business sector, physical/geographical location, ownership, and a raft of other relevant factors.
These assessments alone are insufficient, and a tried and tested platform for the implementation of a sound security programme may be found in the ‘Eight Principles of Security'. These principles have been adopted by numerous corporations over the past ten years, and have also been described as a Security Tool Box. So what are they, and how do they work?
Here then are the Eight Principles, in order of priority:
- Policy & Strategy
- Information & Intelligence
- Manpower/HR
- Technical Means
- Control & Supervision
- Procedures
- Tests & Drills
- Internal & External Audit
Principle One - Policy & Strategy
Without a firm Security Policy and Strategy endorsed by the Board or other senior management, no organisation can plan and implement it's security programme effectively. Simply put, the absence of a policy or strategy could mean that no budget is set aside for security. It is essential, therefore, that any security policy and strategy enjoys total ‘buy-in' from the most senior management within an organisation.
Principle Two - Information & Intelligence 
This is not about crawling across the border between Iraq and Syria dressed as a Bedouin - although of course within the context of military intelligence, it might be! No, this is about issues such as: Where are our new premises to be located? Who are the other tenants in our building? Who works for us? How do we check them?
Principle Three - Manpower or Human Resources
People are the most important facet of any security programme
This is our strongest message and reinforces the fact that - People are an organisation's greatest security asset! After all, when the electricity fails and the CCTV system fails, it is people that sort it out. Indeed every electronic or mechanical security system requires a human to operate it, and of course to monitor it. Human intervention is essential.
Trained personnel, be they security officers, or simply other employees who have undergone security awareness training, provide the ‘eyes and ears' of corporate security.
Principle Four - Technical Means
Recent advances in electronic and mechanical security technology has been immense, and notwithstanding the importance of people, there can be no doubting the value that such technology provides to the overall security solution. CCTV, intruder alarms, access control (biometric or conventional), car park barriers, vehicle blockers and anti-ram devices, are but a few of the almost essential electronic and other technical solutions that corporations employ as part of the day to day security programme.
Principle Five - Control & Supervision
For any security related issue it helps to know who is actually in charge!
Who has real ‘ownership' of the issue? This is key to efficient and safe security practice. Confusion about this issue can be positively dangerous, especially during the management of a crisis or contingency.
Principle Six - Procedures
The best security people and technology in the world won't produce optimum and safe results, without practical and workable procedures (sometimes referred to as ‘SOP's). They must be Understood, Simple, Accessible, and Adhered to (‘USAA'). Over complicated procedures are unhelpful and cause confusion. They must be written in a way that everyone can relate to.
Principle Seven - Tests & Drills
A security system that's never been tested and drilled is an unknown quantity
It may just not work on the day! Things change, so systems must be tested and drilled frequently.
Principle Eight - Internal & External Audit
The value of internal and external security audit processes cannot be overstated. Once a security system is installed (and that includes the human element) it will require regular internal security audit. Premises, threat levels and circumstances change so that the system must be constantly kept under review. It is also advisable to use, from time to time, the professional expertise of external security specialists/auditors.
The advent of regulation in the private security industry is also of key importance when considering which security personnel to deploy, and when choosing a contract-guarding supplier. Remember to ensure that you select a contract guarding company which is working towards the licensing of their staff in order to meet the requirements of the Private Security Act 2001, and the regulator, namely the SIA (Security Industry Authority). Check also that such companies are on track to achieve membership of the Approved Contractor Scheme (ACS), this being a new benchmark of excellence, and compliance with demanding standards of operation.
It is also advisable to get managers who are responsible for security, suitably trained in the skills of security management. Facilities managers, for example, have to address the many challenges of multi-tasking; so up-skilling them in specific security management techniques, such as the carrying out of security surveys for example, can prove highly cost effective.
Finally, here are ten useful tips for public and private sector corporations:
- Remember to use the ‘Eight Principles'!
- Don't try and do everything at once
- Plan and implement a priority security programme
- Don't be nervous of calling in external advisors and specialists
- Keep the Threat Assessment under constant review
- Cooperate with colleagues in other corporations
- Keep things in a sense of proportion
- Don't be bullied by the ‘high & mighty'!
- If it looks like a duck and walks like a duck.........
- Don't forget the ‘Eight Principles'!
In many instances, it will be an internal auditor who will spot the flaws or deficiencies in a corporate security programme, hence the reason for readers to be fully aware of the process of implementing, and managing effective physical security.
Mike Bluestone MA FSyl FIISec, Head of Training & Development & Security Risk Consultant, MITIE Security
