Wednesday, April 1, 2015

Security Weekly: Security for Meetings, March 19, 2015

By Scott Stewart

In last week's Security Weekly I discussed an attack against U.S. Ambassador Mark Lippert in Seoul that occurred as he was attending a breakfast meeting hosted by the Korean Council for Reconciliation and Cooperation at the Sejong Center for the Performing Arts.

After that article, I received an email from a friend who works for a large global nongovernmental organization. He asked if I could write a Security Weekly discussing how people without a security background can help plan security for meetings and conferences. I'd be remiss if I didn't first recommend that NGOs, companies and academic institutions hire or train up competent security professionals to help them secure their people and assets. However, I also understand that budgets — and sometimes organizational and corporate culture — often make that difficult, and as a result non-security people are often tasked with planning conferences and meetings.

As a final disclaimer, there is so much variation in the size and type of meetings and conferences that no guide can possibly cover them all. But I will try to provide some general guidelines.

Step 1: Threat Assessment

To assess the threats to meeting participants, you must first have a full understanding of the meeting's format and purpose. A small, private, invitation-only meeting requires far different security preparations than a large meeting open to the public and advertised in advance. Obviously, it is preferable that the threat assessment be completed before a location and venue are selected and be used to help guide those decisions rather than being done after the fact.

When considering the types of threats that could affect meeting participants, it is also important to remember that not all threats are connected to violence. Intelligence threats, natural disasters, fire, medical emergencies and health threats such as disease must also be considered.

The threat assessment must be conducted at several levels to determine an appropriate venue for the desired type of meeting, considering the specific venue, but also the city, region and country, for potential threats. Should we hold this meeting in Kandahar, or is Kabul safer? Do we stand a greater risk of losing proprietary information if we hold our Asian sales conference in China instead of Japan? Given the French emphasis on economic espionage, do we really want to have our corporate board meeting in Paris? Should we hold that meeting in New Delhi during prime dengue season? The primer we published for planning a safe trip abroad provides a list of good resources for obtaining much of the information required for such an assessment. Local contacts and trusted in-country security contacts can also be valuable in this process, especially with regard to specific venues.

In terms of venue, obviously the size of your audience is going to influence your choice of location: There may be a limited number of venues that can handle the number of people you expect to attend your event. But in general, there will often be a need for a decision on whether it is better to try to keep your meeting location low-key and out of the spotlight, or whether you will opt for the more visible security presence at a more high-profile venue.

As we have discussed for many years now, there is a terrorist threat to high-profile Western hotels. While hotel security managers have done a great job of hardening their security to counter this threat, it nonetheless persists, and by simply holding your meeting in a Western hotel you might place your people in a "wrong place, wrong time" situation. Thus, a risk/benefit analysis must be made to determine whether the superior security at a Western hotel is worth the tradeoff that the venue itself could be targeted merely for being a Western hotel. The answer to this question will vary based on the purpose of the meeting, the profile of the attendees, and the country and city in which the meeting will be held.

"Because we've always met there" is not an adequate reason to continue meeting at a specific venue if the assessment is that meeting at the venue presents a risk. Indeed, a long history of meeting at the same location could mean that any actor who poses a threat is also aware of this history and would have ample time to plant a listening device or prepare for an attack before the meeting.

Step 2: Protective Intelligence Assessment

In addition to considering general threats related to your organization, the country and city of the meeting, and the venue, you also need to conduct a granular assessment of any threats to your organization as it pertains to that particular place. Are there people or groups in the place where the meeting will be held that have come to the attention of your organization in a negative way in the past? Protesters, disgruntled customers, angry former employees, or mentally disturbed individuals with an abnormal focus of interest on your organization? Hopefully, your organization maintains a database of such people and groups to assist in this task.

If such people or groups are in the area where the meeting will be held, an assessment should be made of the danger they pose and the likelihood of them discovering your meeting and attempting to disrupt it. The names, information and photos (if available) of such people should be shared with venue security and local law enforcement. If deemed appropriate, meeting attendees should also be briefed about potential threats — especially if there is a chance such individuals approach or confront meeting attendees. In this situation, it is much better for attendees to be forewarned than it is for them to be caught off guard.

If there is a VIP attending your meeting, you should contact their staff to determine if they are bringing security with them or if they expect you to provide appropriate security for them. You will have to coordinate or create a plan for their arrival, a holding or safe room, and contingency plans in case of fire, attack or medical emergency.

In such a case you should also do a protective intelligence assessment on the VIP to see what their threat profile is and if they could be dragging security problems, in the way of protesters, mentally disturbed individuals or even terrorism, to your event. The VIP's security team can be a valuable source of such protective intelligence.

When I was working for a large multinational company, we once had a high-profile CEO of another company come to speak at a large customer event. Not only did our security team have to provide security for the CEO during the trip, but he was also a veritable magnet for mentally disturbed individuals. The CEO's visit was discussed in advance by the local news media and his presence resulted in several mentally disturbed individuals showing up at our event in an effort to contact him.

Step 3: Planning

It is difficult to plan security for an event at a venue without first visiting the venue. This will allow you to assess the security personnel and procedures in place and determine if additional security is needed. Such additional measures may include bomb or technical security countermeasure sweeps. For some larger events, you might have to arrange for additional access control and some sort of magnetometer or pat-down screening for members of the public attending.

Registration and badging are also important access control tools. Many times hotels and convention centers will have a trusted security vendor who can provide additional security officers. It is sometimes possible to coordinate with the local police to hire off-duty officers or even to arrange for on-duty officers to provide extra security for a meeting depending on the location and circumstances.

When looking at the security of a venue it is very important to physically examine all the fire exits and fire control equipment. On many occasions, I have encountered meeting venues with fire exits that were clogged with furniture or other items and therefore impassible, fire doors padlocked shut with a chain, and fire extinguishers that were expended, expired or otherwise not properly charged. Such equipment, including emergency lighting — and if appropriate, backup generators — should be inspected. Fire is a very real killer and should not be ignored, so fire evacuation plans are important.

From a statistical standpoint, a medical problem such as a heart attack is also far more likely to impact a meeting participant than a terrorist attack. Meeting planners should therefore plan for medical emergencies, including medical evacuation in places were modern medical care is not available.

Communications planning is also important. Planners need to ensure they have a way to quickly contact security personnel, key meeting coordinators, transportation companies and local authorities. Depending on the size of the event and the location, radios may prove to be more useful than cellphones. This is especially true in emergency situations that take the cellphone network down or if the cellphone network becomes overloaded as the result of an emergency situation. Backup communication channels should also be planned.

Depending on the threat and the venue, thought should be given to providing a security briefing to conference participants instructing them what to do in the case of a terrorist attack, fire or natural disaster. Security conditions and considerations for participants engaging in events outside of the meeting venue can be discussed. At the very least, event staff should be thoroughly briefed on what to do in the case of such emergencies.

In an event where access control is deemed necessary, it should be maintained for the entire meeting and access control points should not be abandoned after the event begins. A way for access control personnel to signal a problem to security and law enforcement should be established, as should a means of alerting the participants to an active shooter or other urgent security problem.

But access control will not be necessary for every event. Your security plan needs to be measured, appropriately logical and as non-invasive as possible to protect against the threats identified in your assessment.

One other thing that is critical to remember is that security plans must be flexible. It is a rare event that comes off without a hitch, and security plans must be able to adapt to changes and problems that arise. Indeed, it is hoped that the security plan will provide a general guide to respond to unforeseen events.

Security for Meetings is republished with permission of Stratfor."

No comments:

Post a Comment