RiskUKApril2017
Do you know the secret to free website traffic?
Use this trick to increase the number of new potential customers.
April 2017
www.risk-uk.com
Security and Fire Management
Academic Endeavours
Education Sector Safety and Security
News Analysis: National Surveillance Camera Strategy
PSIM Solutions: Procurement Advice for End Users
UPS Systems: Evaluating The Balance of Power
SABRE: Security Risk Management in Built Environments
“
MY PASSION IS
GETTING THE PERFECT
WELD EVERY TIME
”
Phil Warman, Welder, 6 years with Jacksons
OUR PASSION
IS YOUR SECURITY
We combine the highest
quality perimeter security
fencing and gates with seventy
years of expertise to provide
you with the right solution for
your project, large or small.
www.jacksons-fencing.co.uk
Jacksons
Fencing
April 2017
Contents
35 Smart About Access
Jaroslav Barton describes the shift to NFC, Bluetooth Low Energy
and advanced smart card technology
ERM and ESRM in the Spotlight (pp20-21)
5 Editorial Comment
6 News Update
Police Federation on Westminster terror attack. CREST global
certification for BSI. Skills for Security accepted to join RoATP
8 News Analysis: Surveillance Camera Strategy
Brian Sims examines the main points contained within the
National Surveillance Camera Strategy introduced by Tony Porter
11 Opinion: ‘Security as a Service’
By using ‘Security as a Service’, the customer gains access to a
maintained and supervised solution. John Davies has the detail
14 Opinion: SIA Stakeholder Conference 2017
Peter Webster spoke at the 2017 SIA Stakeholder Conference,
focusing on regulation, business licensing and the ACS
17 BSIA Briefing
James Kelly pinpoints the key considerations to be observed
around security solutions management in the education sector
20 ERM and ESRM: The Case for Convergence
If Enterprise Risk Management and Enterprise Security Risk
Management are here to stay, what does this mean for the
future of risk management? Philip Strand offers his views
22 Status Symbol: The CSyP Journey
Peter Speight on Chartered Security Professional status
24 PSIM: Only Fools Rush In...
Stephen Smith outlines why end user buyers of PSIM solutions
need to consider ongoing costs as well as the technology itself
27 The ‘Insider’ Threat
Emma Shaw plots a route forward for today’s organisations
seeking to employ technical surveillance countermeasures
30 An Education on Ransomware
Defeating the spectre of ransomware is so important in the
education sector. Wieland Age highlights Best Practice methods
32 Security By The Book
Peter Jackson documents physical security solutions for schools
38 Building Blocks of Risk Management
Several issues must be factored-in by construction sector
businesses when addressing the delicate calculation between
risk and reward. Carl Ghinn investigates
40 Intelligent Prevention is the Future
HD IP-based surveillance systems reviewed by Tristan Haage
42 Evaluating The Balance of Power
Leo Craig focuses on UPS solutions in the manufacturing sector
45 SABRE: Security in the Built Environment
Gavin Jones shines the spotlight on SABRE, a new security risk
management standard specifically for the built environment
48 The Security Institute’s View
50 In The Spotlight: ASIS International UK Chapter
52 FIA Technical Briefing
54 Security Services: Best Practice Casebook
56 Cyber: Mitigating Open Source Software Risks
58 Training and Career Development
60 Risk in Action
62 Technology in Focus
65 Appointments
The latest people moves in the security and fire business sectors
68 The Risk UK Directory
ISSN 1740-3480
Risk UK is published monthly by Pro-Activ Publications
Ltd and specifically aimed at security and risk
management, loss prevention, business continuity and
fire safety professionals operating within the UK’s largest
commercial organisations
© Pro-Activ Publications Ltd 2017
All rights reserved. No part of this publication may be
reproduced or transmitted in any form or by any means
electronic or mechanical (including photocopying, recording
or any information storage and retrieval system) without the
prior written permission of the publisher
The views expressed in Risk UK are not necessarily those of
the publisher
Risk UK is currently available for an annual subscription rate of
£78.00 (UK only)
www.risk-uk.com
Risk UK
PO Box 332
Dartford DA1 9FF
Editor Brian Sims BA (Hons) Hon FSyI
Tel: 0208 295 8304 Mob: 07500 606013
e-mail: brian.sims@risk-uk.com
Design and Production Matt Jarvis
Tel: 0208 295 8310 Fax: 0870 429 2015
e-mail: matt.jarvis@proactivpubs.co.uk
Advertisement Director Paul Amura
Tel: 0208 295 8307 Fax: 01322 292295
e-mail: paul.amura@proactivpubs.co.uk
Administration Tracey Beale
Tel: 0208 295 8306 Fax: 01322 292295
e-mail: tracey.beale@proactivpubs.co.uk
Managing Director Mark Quittenton
Chairman Larry O’Leary
Editorial: 0208 295 8304
Advertising: 0208 295 8307
3
www.risk-uk.com
Now you see me. Now you don’t.
Actual size
The smallest wireless contact we’ve ever made.
The Micro Contact-W is so small it fits within most uPVC window frames, providing invisible but powerful protection. And at a
diminutive 57mm x 27.5mm x 8.2mm in size, the Micro Contact-W all but disappears, even in plain sight.
Outstanding features include:
• Small size
• Cost effective
• 4 Year typical battery life
• Three colour options
• LED assisted setup procedure
• EN 50131-2-6 Grade 2
Visit us:
Stand G1200
Editorial Comment
Don’t just stop at the front door
The Micro Contact-W can be used to protect almost
anything, including doors, windows, drawers and
cupboards - the list is endless!
Internal door
Patio door
Window frame
Bedside drawer
An Eye on ID
Cifas, the UK’s leading fraud prevention service, has issued
new figures showing that identity fraud has hit the highest
levels ever recorded. A record 172,919 episodes of such
fraud were noted in 2016. Identity fraud now represents over half
of all fraud chronicled by the UK’s not-for-profit fraud data
sharing organisation, of which 88% was perpetrated online.
In recent years, Cifas has been informed of growing numbers
of young people falling victim to ID fraud. That upward trend
continued last year with almost 25,000 victims aged under 30. In
particular, there has been a 34% increase in the number of under
21s subjected to ID fraud. On that basis, Cifas is again calling for
better education around fraud and financial crime and urging
youngsters to be vigilant about protecting their personal data.
2016 also saw a rise in the number of ID fraud victims aged
over 40, with 1,869 more victims recorded by Cifas members.
Mike Haley, deputy CEO at Cifas, explained: “These new
figures show that identity fraud continues to be the foremost
fraud threat. With nine out of ten identity frauds committed
online and all age groups presently at risk, we’re urging everyone
to make it more difficult for the fraudsters to abuse individual
identities. There are three simple steps that anyone can take to
protect themselves: use strong passwords, download software
updates when prompted to do so and avoid the use of public Wi-
Fi for banking and online shopping.”
Haley continued: “We all remember to safeguard our valued
possessions through locking our house or car, but we don’t
always take the same care to protect our most important asset –
our identities. We all need to assume responsibility for securing
our mail boxes, shredding documents like bank statements and
utility bills and taking sensible precautions online. If not, we’re
simply making ourselves a target for the identity fraudsters.”
Commander Chris Greany, national co-ordinator for economic
crime, commented: “These latest Cifas figures demonstrate how
we all need to be alert to preventing identity theft now more
than ever before. We do everything we can in order to stop the
identity thieves in the fight against fraud, but it must be said
that the key to success is both prevention and protection.”
With instances of identity fraud set to rise, businesses and
consumers alike simply must take action to address this
damaging issue. Financial services companies should strengthen
the security systems they have in place and the way in which
they verify identities, and especially so for online transactions.
Businesses need to invest in biometric processes designed to
validate identities, at the same time implementing multi-layer
approaches that challenge fraudsters’ attempts to compromise
systems. “Myriad consumers are embracing biometrics in their
everyday lives, for example by using them to access their smart
phones,” observed John Marsden, head of identity and fraud at
Equifax. “Financial services companies can maximise such
technology to protect their customers and their businesses.”
Certainly, the worrying knowledge gap exhibited by too many
consumers when determining safe places in which to share their
personal information must be plugged sooner rather than later.
Brian Sims BA (Hons) Hon FSyI
Editor
www.texe.com
Sales: +44 (0)1706 220460
December 2012
5
www.risk-uk.com
“Right resources needed in wake of London
terror attack” urges Police Federation
The horrific terrorist attack in Westminster that
claimed several innocent lives, including that of
PC Keith Palmer, has reinforced the need for a
police service with the right resources and
support in place to continue “running towards
danger”. That’s the firm belief of Steve White
(pictured), chairman of the Police Federation of
England and Wales, who took part in a BBC
Panorama Special on Monday 27 March.
Wednesday 22 March witnessed the UK
Parliament and innocent citizens coming under
attack in the most serious terror incident in the
country for over a decade. Speaking to
witnesses and the injured to compile the
programme, BBC Panorama reporters pieced
together what happened during the episode.
The programme also examined the life of 52
year-old attacker Khalid Masood, asking what
motivated him to carry out this fatal strike in
the heart of London, whereby he drove a car
into pedestrians on the pavement along the
south side of Westminster Bridge and Bridge
Street, injuring more than 50 people.
After the car crashed into the perimeter fence
of the Palace grounds, Masood abandoned it
and ran into New Palace Yard where he fatally
stabbed PC Palmer. Masood was then shot by
an armed police officer and died at the scene.
“There are bound to be questions as to
whether things would have been different if
more officers were armed and if PC Palmer had
possessed a firearm,” suggested White. “It’s
entirely likely that we’ll never have a clear
answer. What’s important is that there are many
tactical options to mitigate threats that we need
to consider.”
White continued: “We have to police the
threats that we currently face. For their part,
MPs must take the advice of professionals in
the police service on what we can do and how
we can best do it. We no longer live in a world
of traditional unarmed British bobbies walking
the streets meaning that all will be well.”
These points build on a comment piece by
White which was published in the pages of The
Sunday Express following the London attack. In
the article, White outlines his fears that such an
incident will happen again, but is clear that the
police service will continue to rise to the
challenge. White also touches on the need for
members of the public to ensure that “what
they want and what they demand from their
police service is achievable.”
Chief constable Sara Thornton, chair of the
National Police Chiefs’ Council, said: “We’re
deeply saddened by the horrific events that
took place in London. Our thoughts and
condolences are with the families and friends of
the victims and all those injured and affected.
We’re devastated by the loss of our brave
colleague PC Keith Palmer as he went about his
duties. Now and always, we stand together.”
BSI enhances international capabilities with CREST global accreditation
BSI, the business standards company, has boosted its newly-created cyber security and information
resilience business stream with global membership of CREST, the organisation that spearheads the
highest possible levels of security testing standards. In achieving this status, BSI now joins an elite
group of seven organisations* who can offer myriad clients across the EMEA, the Americas, Asia
and Australasia the heavyweight assurances synonymous with CREST.
BSI has also consolidated its CREST-accredited services with recently acquired CREST member
companies Espion and Info-Assure. Indeed, the business now offers CREST Penetration Testing,
CREST Incident Response Services, CREST START (Simulated Targeted Attack and Response Testing)
and Cyber Essentials.
CREST membership is an important validation of the BSI’s cyber security testing and incident
response capabilities. All member companies undergo stringent assessments of business
processes, data security and security testing as well as incident response methodologies.
Accreditation is very robust and a challenge to attain, in turn demonstrating complete assurances
of processes and procedures.
BSI is a strong proponent of CREST and its role in professionalising the technical security
industry, as well as its efforts to advance the wider information security community through recent
openings of international chapters in Singapore, Hong Kong and the USA. This approach has also
garnered support from international regulators.
*The seven CREST members with global accreditation are Cisco, Context Information Security,
Deloitte Touche Tomatsu, Gotham Digital Science, the NCC Group, PwC and Trustwave SpiderLabs
6
www.risk-uk.com
News Update
National Security Inspectorate
re-appointed by Regulator as ACS
assessment body
Subject to contract, from 1 April 2017 the
National Security Inspectorate (NSI) has been
re-appointed as an assessing body for the
Security Industry Authority’s (SIA) Approved
Contractor Scheme (ACS) and as a provider of
a ‘Passport’ route to ACS compliance. As of
that date, the NSI (led by CEO Richard Jenkins,
pictured) will be offering even more choice for
guarding services companies in terms of how
they can obtain and maintain ACS approval.
The NSI provides assessment services to the
widest variety of guarding services providers,
ranging from small and local specialist
operators through to many of the largest
national operators. Most have chosen to hold
NSI Guarding Gold with an integrated NSI
‘Passport’ to ACS approval.
This provides a cost-effective solution for
businesses wanting to demonstrate both
commitment to the holistic values embodied
within the Regulator’s ACS and the rigour of
comprehensive compliance with British
Standards and the ISO 9001 standard for
Quality Management Systems.
The NSI ‘Passport’ route to ACS approval
also provides cost benefits in holding multiple
approvals with the NSI.
A popular arrangement among typically
more regional providers is to appoint the NSI
to conduct assessments as part of the ACS
standard route approval. Now, the NSI is
offering these companies a new ‘middle way’:
NSI Guarding Silver with the NSI’s ‘Passport’
to ACS. This means companies can now
‘upgrade’ to an NSI Guarding Silver approval
with a ‘Passport’ to ACS approval,
demonstrating full compliance with British
Standards over and above the standard ACS
without necessarily seeking approval to ISO
9001 at the same time. This will prove a
valuable and cost-effective stepping stone for
companies wanting to differentiate themselves
from the ‘Standard’ route to ACS approval and
afford end user buyers additional confidence
in their service providers’ ‘commitment to
compliance’ with British Standards.
Margaret Durr, the NSI’s head of field
operations (services), commented: “Our team
of auditors harbours industry expertise across
a broad range of areas including security
guarding, close protection, key holding, CCTV,
door supervision, event security and
investigative services. Feedback from our
clients is testament to the added value
independent assessment can bring to an
organisation. The ultimate winners are
security buyers and their staff, visitors and,
indeed, members of the general public.”
Skills for Security earns ‘trusted
training provider’ status from
Government with RoATP acceptance
Skills for Security, the sector skills body for
the private security business sector, has been
accepted by the Skills Funding Agency’s
Register of Apprenticeship Training Providers
(RoATP), meaning that the organisation has
now qualified for Government funding to
deliver apprenticeships from May this year.
Passing all elements of the application,
including due diligence checks on compliance,
quality and financial health, Skills for Security
has fully satisfied the Skills Funding Agency
that the organisation is capable of delivering
high-quality apprenticeship training.
Under the Government’s new apprenticeship
policy, training providers must be on the
RoATP to be eligible to deliver training – either
directly or as a sub-contractor – to large,
Apprenticeship Levy-paying employers. Out of
2,327 applications, a total of 1,708 providers
(73%) have made the grade, with the full list
of providers published by the Department for
Education on Tuesday 14 March.
Speaking about this development, Peter
Sherry (pictured), interim director general at
Skills for Security, stated: “I’m absolutely
delighted that Skills for Security has been
accepted on to the RoATP, giving employers in
the security sector the confidence that we, as
the sector skills body for the industry, can
provide them with trusted support and
expertise in equipping the workforce of
tomorrow with a solid educational foundation
through a carefully considered system of
training, assessment and qualifications.”
The Government’s apprenticeship reforms
aim to support an increase in the quality and
quantity of apprenticeships, subsequently
enabling a greater number of individuals to
pursue a successful career. There will be
regular opportunities for new providers to
apply to the RoATP, with the chance for new
applications at the end of March and quarterly
thereafter encouraging diversity and
competition among providers and supporting
both quality and employer choice.
The RoATP is a crucial milestone in
delivering the Government’s wider reforms
designed to make apprenticeships more
rigorous, better structured, independently
assessed and more clearly aligned with the
needs of employers. Those reforms include the
introduction of the new Apprenticeship Levy.
7
www.risk-uk.com
Home Office Commissioner introduces
National Surveillance Camera Strategy
Following on from a
detailed consultation
process that began
last October, Tony
Porter QPM LLB – the
Surveillance Camera
Commissioner at the
Home Office – has
launched a National
Surveillance Camera
Strategy for England
and Wales with the
specific aim of helping
to keep people safe in
public places while
also respecting their
right to privacy.
Brian Sims examines
the fine detail
The 27-page strategy document aims to
provide direction and leadership within and
across the surveillance camera community,
in turn enabling system operators to
understand good and Best Practice as well as
their legal obligations (such as those contained
within the Protection of Freedoms Act, the Data
Protection Act and the Private Security Industry
Act 2001).
It’s the Surveillance Camera Commissioner’s
strategic vision to ensure members of the
public are assured that any use of surveillance
camera systems in a public place helps to
protect them and keep them safe, while at the
same time always respecting the individual’s
right to privacy. That assurance is based upon
deployment which is proportionate to a
legitimate purpose, so too transparency
demonstrating compliance with Best Practice
and relevant legal obligations.
The National Surveillance Camera Strategy
aligns closely with the Home Office’s own key
responsibilities to keep the UK safe from the
threat of terrorism, reduce and prevent crime
and criminality and ensure that people feel safe
in both their homes and communities.
The new strategy provides the Commissioner
with a robust and transparent framework to
fulfil his statutory functions as set out in the
Protection of Freedoms Act, and also
subsequently inform and underpin his Annual
Report to the Home Secretary Amber Rudd.
Speaking about the new National
Surveillance Camera Strategy, Surveillance
Camera Commissioner Tony Porter explained:
“After much hard work, I’m delighted to be able
to launch this strategy document. It’s a strategy
that’s far-reaching, touching on many areas of
surveillance camera use by the police service
and local authorities, installers and
manufacturers as well as training providers and
regulators and, of course, how the use of
surveillance cameras impacts members of the
public on a daily basis.”
Porter went on to state: “The responses to
the consultation on the draft show that this
strategy is extremely well supported, as do the
number of organisations that have written to
affirm their support. I look forward to delivering
on this strategy for the next three years,
ensuring that, where surveillance cameras are
used, they keep people safe while protecting
their right to privacy.”
Endorsement from the BSIA
Endorsing the National Surveillance Camera
Strategy, James Kelly (CEO at the British
Security Industry Association) explained: “The
strategy is a very worthy and successful
attempt to draw together multiple stakeholders
from across what is certainly a diverse and
critically important sector. The BSIA is proud to
have been a contributor to the Commissioner’s
efforts at providing direction and leadership on
the appropriate use of such systems to secure
the protection of our communities, while also
safeguarding individuals’ right to privacy. I’m
delighted to endorse the strategy and will
continue to support the Surveillance Camera
Commissioner’s work on standards and Best
Practice in what’s undoubtedly a vital part of
the UK’s economy.”
To support the achievement of the
Commissioner’s vision, eleven high-level
objectives are outlined within the strategy, each
of them to be led by an expert.
Simon Adcock, chairman of the BSIA’s CCTV
Section and lead on the industry strand of the
National Surveillance Camera Strategy for
England and Wales, commented: “The work of
the industry strand of the strategy is focused
on educating buyers around what to expect
from a knowledgeable and professional service
provider as well as providing practical guidance
to help them comply with the Surveillance
Camera Code of Practice. Ultimately, we’re
aiming to establish and promote a set of
8
www.risk-uk.com
News Analysis: National Surveillance Camera Strategy
guidelines to ensure that buyers can rely on
their service providers for good practice.”
Adcock went on to state: “Over the coming
months, the industry strand will be defining
what we mean by good practice. This will be
centred around ensuring that there’s an
Operational Requirement in place and that the
resulting system meets agreed objectives. Our
end-game is to ensure that anyone providing
professional video surveillance services will, as
a bare minimum standard, meet these good
practice guidelines.”
Adcock also commented: “The National
Surveillance Camera Strategy for England and
Wales represents an opportunity for the
industry to assure members of the public that
video surveillance systems are being used in
public spaces on a legitimate basis, responsibly
and transparently in order to keep them safe.
The strategy document is fully supported by
members of the BSIA’s CCTV Section and we
very much look forward to seeing its content
being delivered through to 2020.”
NHS Foundation Trust certification
Barnsley Hospital NHS Foundation Trust had
been considering applying for the Surveillance
Camera Commissioner’s third party certification
scheme, but it wasn’t until Mike Lees (the
Trust’s head of business security) heard Tony
Porter speaking at a conference that the
decision was taken to ‘go for it’.
Lees stated: “Although we had been
considering applying for some time, the turning
point followed an excellent presentation by the
Surveillance Camera Commissioner to NHS
security managers late last year. This
presentation clearly outlined the advantages to
NHS organisations of following a process and
how we could demonstrate the rationale of
surveillance use.”
Certification enables organisations to clearly
demonstrate that they comply with the
Surveillance Camera Code of Practice. For
relevant authorities – such as local authorities
and police forces – this is particularly important
as they must show due regard to the Code. For
other organisations, such as NHS Trusts,
following the Code is a voluntary decision.
The certification process provides assurances
to hospital users and staff alike that
surveillance cameras are deployed effectively,
efficiently and proportionately. It also ensures
that NHS Trusts are transparent about why they
use cameras and where they’re sited.
For its part, Barnsley Hospital NHS
Foundation Trust approached the Security
Systems and Alarms Inspection Board (SSAIB)
and subsequently achieved Step 1 certification.
“Responses to the consultation on the draft show that this
strategy is extremely well supported, as do the number of
organisations that have written to affirm their support”
This involves completing the Surveillance
Camera Commissioner’s self-assessment tool
and then submitting the form to one of the
certification bodies. The completed form and
documents are then audited by the certification
body who may contact the end user
organisation for more information before
recommending it to the Commissioner to award
his certification mark which can then be used
for the ensuing 12 months.
Lees added: “The certification process was
certainly challenging, but also very worthwhile.
It allowed us to critically review the reasons for
surveillance and scope these against our
existing policies and procedures.”
Accessible and affordable
Certification is simple, accessible and
affordable. There are currently three security
industry certification bodies qualified to audit
against the Code of Practice – the SSAIB, the
National Security Inspectorate and IQ Verify.
Barnsley Hospital NHS Foundation Trust is
preparing its application for Step 2 certification,
which involves a full site visit and audit. If
successfully awarded the certification mark, the
Trust can use this for a period of five years.
Lees concluded: “Our application for Step 2
certification is indeed already in motion. The
Trust will be applying well in advance of the 12-
month period that’s covered by Step 1. I would
recommend any NHS Trust using surveillance
cameras to apply for the mark.”
The surveillance camera sector is substantial
and an industry that will continue to grow. In
2015, there was a £2,120 million turnover in the
UK for video and CCTV surveillance equipment.
The most recent estimates suggest that there
are anywhere between four and six million
CCTV cameras in the UK. That figure doesn’t
include body-worn video cameras, Automatic
Number Plate Recognition cameras or
Unmanned Aerial Vehicles (ie drones).
Approximately 85% of local authorities have
shown due regard for the Code of Practice by
completing the Commissioner’s selfassessment
tool in respect of their main CCTV
scheme (typically their town centre scheme).
54% of local authorities in the UK have
equipped some staff or contractors with bodyworn
video cameras. Transport for London and
Marks and Spencer have already adopted the
Code of Practice on a voluntary basis.
Tony Porter QPM LLB:
Surveillance Camera
Commissioner at the Home
Office
Simon Adcock: Chairman of the
BSIA’s CCTV Section
9
www.risk-uk.com
FOCUS
ON… protecting
people,
premises and profits.
Our security solutions do much more than protect
your manufacturing premises. With AXIS Camera Station
software, you can manage your system remotely and even
add smart features such as audio communication, access
control and analytics. And that’s just a start. It’s all designed
for simple set-up to make your job easier, so you can focus
on productivity.
Choose an Axis recorder pre-installed with
AXIS Camera Station. Discover more at
www.axis.com/products/video-recorders
Opinion: Physical Security as a Service
The ongoing shift in consumer focus may
feel a little surprising at first as the security
industry – much like any other technology
sector – has concentrated on ‘shifting boxes’ for
quite a long time now. This was especially the
case when proprietary systems were the norm.
If an end user wanted more services, they
bought a new product. From a basic sales point
of view, this was both simple and economic for
manufacturers and installers alike.
However, a determined move towards
integrated and open technology has
transformed the way in which security
consumers now view their purchase. It’s no
surprise as this has proven to be the case with
any form of consumer technology. When the
option to source from different providers
increases, so too does customer choice and
interest in the physical product becomes
eclipsed by the overall solution realised.
This is certainly evident with smart devices
and IT. Cloud services have put the onus on
what the result looks like, with the device the
user chooses losing much of its significance.
We’re also starting to see this in areas that
nobody would have predicted in the past, such
as the automotive industry, for example.
People in big cities don’t want the expense
and hassle of owning – and parking – their own
cars anymore. Unless you use your car every
day, it makes more sense to rent one by the day
or week specifically for those moments when
you need to venture beyond the confines of
public transport. For some, at least, the
automobile has become a service item with the
end result – ie a specific journey – assuming a
greater importance than the type and
specification of the vehicle being used.
Service without stress
At the crux of all this is the demand from
consumers to identify the service need and for
suppliers to provide the easiest and most costeffective
solution.
Equally, when it comes to specifying a
security solution, the operator doesn’t
necessarily want to know the full details of
what’s going on ‘under the bonnet’. Rather,
they’re more concerned that it ‘does the job’.
Any sensible security buyer – ie the
practising security or risk management
professional – will be focused on their specific
security requirements and the business drivers
that need to be addressed (such as the
protection of buildings, assets, data and
employee safety) and that the chosen solution
suits their budget. This is actually where
service becomes key. For their part, customers
need an expert on hand capable of addressing
All Part of the (Physical
Security) Service
There are signs that the way in which we all buy our products
and services is changing. The concept of buying and owning
a service product is increasingly looking antiquated, as
consumers focus more and more on the outcomes rather than
the tools needed to achieve them. As the physical security
industry becomes more integrated and offers true open
systems, John Davies suggests there’s every reason to
assume our sector will follow this trend
their requirements with all of these parameters
firmly in mind, and with a view to removing the
stress of finding ‘the right product(s)’.
In the past, specifying and using an
unsuitable solution could be difficult at best,
and potentially disastrous at worst. From an
economic point of view, it’s also a challenge to
finance a big install then try to accumulate
resources again for the upgrade when the
incumbent solution has reached its ‘end-of-life’.
It’s far more sensible to moderate the costs
of security investments by paying a monthly or
annual fee that’s predictable and for which a
budgeted sum may be readily set aside. This is
where buying ‘Security Assurance as a Service’
makes complete sense.
Benefits for customers
While the idea of procuring and servicing
physical security on a subscription basis may
seem groundbreaking and will undoubtedly
involve a change of mindset for many
traditional security buyers, there are some very
John Davies:
Managing Director of TDSi
11
www.risk-uk.com
Opinion: Physical Security as a Service
persuasive and practical benefits to be realised
for the customer in doing so.
As the solution isn’t purchased outright,
there’s no need to find a large capital outlay in
one lump sum. At the same time, this capital
can either be invested in a subscription for a
more comprehensive security system or
otherwise accumulated as a saving on the
overall security budget.
With a service-style approach, the
installation and servicing costs are built into
the overall fee, so there will be no unexpected
bills for the business in the event of any issues
or repairs. This is very similar to the benefits of
renting a building or a fleet car, for example,
whereby any maintenance costs become the
concern of the lease company.
Equally, by leasing the security solution, the
end user customer gains instant access to
greater technical expertise and support (for no
extra cost), compared to maintaining these
systems for themselves. This is particularly
appealing when it comes to security systems,
where the integrity – and, therefore, the level of
protection – is of paramount importance. It’s
also very helpful when it comes to integrating
new security components or expanding the
capabilities of the overall security network.
End-of-life stage
The benefits for the customer continue when
the system reaches its end-of-life stage. The
security service provider deals with the
upgrade needs, along with the removal of the
old equipment and installation of any new
systems where required. This also affords a
natural break in the lease, such that the
customer can reassess the host business’
security needs and make upgrades or continue
with the same service levels as before, but with
the attendant benefits of the latest solutions.
Ultimately, by using ‘Security as a Service’,
the customer gains access to a constantly
maintained and supervised solution. This is a
great way in which to ensure that a stable and
reliable security service is realised on a
24/7/365 basis, as well as throughout the
lifespan of the system(s) being used.
When an organisation purchases its own
systems (and, as a consequence, often ends up
using older systems, perhaps due to budgetary
constraints) it can be a real challenge to ensure
safety levels are maintained. It’s a pressure
which most of today’s businesses would be
only too happy to avoid.
Opportunities for solution providers
There are considerable benefits for security
providers, too, both for manufacturers and
installers. Rather than ‘shifting boxes’ (which
any salesperson will tell you is an approach
that can have considerable peaks and troughs),
a move towards complete service solutions
offers a far more stable business model. Rather
than having to win new business with every
product, it becomes possible to sell ongoing
services for a set period.
It’s my own fervent belief that the whole
business model for the security industry will
change and adapt itself to reflect this approach
over the next five-to-ten years. Manufacturers
are already cognisant of the change in
customer expectations and are gearing up to
meet this demand.
The service or leasing approach has become
entrenched in other industries and represents a
firm indication of what’s to come in the
professional security spectrum.
If you look at the airline industry, it has
embraced this model of supply because it
makes sound economic sense for both the
customer and the supplier. Whole aircraft and
even individual key components – such as
engines or seating – can be leased by the
airlines. This yields much greater flexibility, but
also means that the airlines (as consumerfacing
businesses) can have the peace of mind
needed to concentrate fully on providing the
services their customers demand.
The manufacturer and partners provide
assurances and guarantees of service time for
aircraft engines, then deal with servicing and
the technical maintenance to ensure this is
delivered. This model works just as well for the
provision of security systems.
We’ve now reached a point in time where
there are major opportunities on the horizon for
the security business sector, but this inevitably
means that manufacturers and installers will
need to shift their focus and perhaps realign
their business model.
Ultimately, we can begin to concentrate on
developing the right systems for the market
and be assured that our end user customers
will be looking for the kind of support we’re
ideally placed to deliver.
“Ultimately, by using ‘Security as a Service’, the customer gains access
to a constantly maintained and supervised solution. This is a great way in
which to ensure that a stable and reliable security service is realised”
12
www.risk-uk.com
Always a suitable solution
with the DIVAR hybrid
and network recorders
At Bosch, we believe that video surveillance solutions should be as easy to
install as they are to use. It’s the thinking behind our completely new portfolio
of DIVAR hybrid and network recording solutions. Specifically designed for
24/7 operation, they offer the ability to create video surveillance solutions
with professional security features. Solutions that can be tailored to fit the
growing needs of small and medium businesses.
boschsecurity.com
SIA Regulation, Business Licensing and
the ACS: A Personal Perspective
Tuesday 14 March
witnessed the 2017
edition of the Security
Industry Authority’s
(SIA) annual
Stakeholder
Conference, which ran
at the Hallam
Conference Centre in
central London. A
reflection of the
partnership working
theme for the day, the
confirmed speakers
emanated from
academia, the police
service and the NHS.
Representing the
private security
industry, Peter
Webster aired his
views and now shares
them with the readers
of Risk UK
The SIA’s Stakeholder Conference allowed
me to share my perspectives on licensing
and regulation with members of the
audience. As regular readers of the Security’s
VERTEX Voice section in Risk UK will know, this
is a subject close to my heart. On that basis, I
thought it would be useful to share with you
the crux of my presentation as well as some of
the reactions to it.
First of all, let me begin by stating that I fully
support regulation. As an industry trusted to
keep people and property safe, we want to be
regulated and, indeed, I’ve never met anyone
who has advocated deregulation.
I’m also particularly supportive of the current
system of individual licensing, as administered
by the SIA. An SIA licence gives an individual a
passport to employment, meaning that he or
she can work anywhere in our industry. This is
undoubtedly a good thing for both employees
and employers. While it gives individuals
freedom to work across our industry, when
someone comes to us with a licence we know
they’ve been vetted and trained to a basic
standard and checked by the SIA.
If I’m to be critical of the current system,
however, it is that it isn’t publicised enough.
The wider public needs to understand that the
SIA exists and affords a licensing framework for
the industry. When I say ‘the public’, I include
those who purchase and use security services
in this realm, as well as the wider public.
Indeed, I fear that the wider public has a
stereotypical image of a security officer, fed by
portrayals in the national media and fictional
drama, as an unhelpful ‘jobsworth’ or a lazy
and disinterested individual. This does a great
disservice to the more than 300,000 people
who work in our industry, who are licensed and
serious about the job that they do. As it is, the
negative perception of security in society
reflects on our people and creates a downward
spiral of low self-worth, which invites lower
standards and impacts on professionalism.
We need to flip this spiral around and build
pride in our industry and the work that security
officers do. Awareness of individual licensing is
key to this. With the police service facing
financial pressures, the security industry is
beginning to play an increasingly important role
in safeguarding critical infrastructure. If the
public understood the process of licensing and
regulation, I’m certain there would be more
respect for the industry and its crucial role.
Spectre of business licensing
I’m strongly against business licensing, the
spectre of which continues to loom large over
the industry. While some regulation is good,
there’s no justification for increased and
unnecessary regulation. The last 30 years have
seen business and Government trying to
deregulate wherever practical and possible.
Business licensing goes against that trend.
Fundamentally, business licensing will create
a greater burden on business, and at additional
cost, for what is an already financially
challenged industry. Preparing for my
presentation last month, I discovered once
again a chart from 2015 in which the SIA
showed the administrative burden moving
towards businesses and away from the
Regulator. Furthermore, that chart highlights a
decline in overall regulatory responsibility for
the SIA as it transfers responsibilities to
industry. Is this really what we want?
I find it hard to believe that business
licensing will even stop the behaviour it seeks
to prevent. I’ve heard claims from the SIA that
business licensing will drive out organised
criminality, yet in all my time in the industry, I
have never come across an operator working
within the commercial environment whom I’ve
suspected of being linked to organised crime.
On a practical level, company law already
exists to address illegal activity and, bearing in
14
www.risk-uk.com
Opinion: Security’s VERTEX Voice
mind that even non-executive directors must at
present hold ‘non-front line’ individual SIA
licences, how can business licensing improve
on that level of vetting? Do we not think that
the criminal fraternity is clever enough to
circumvent this? If criminals can successfully
launder billions of pounds’ worth of drugs
money, do we really believe a determined
criminal organisation will not be able to
override a self-administered vetting process?
Of course, while business licensing would
increase the burden on law abiding business,
any unscrupulous organisation wouldn’t apply
to the legal requirements anyway, so in fact the
only companies really affected would be the
honest and legitimate ones.
Finally, it strikes me that business licensing is
simply unworkable. How will it address the
complexity of brass plaque organisations or
companies with overseas shareholders? How
can one insist on regulatory checks on
shareholders in a Belgian-owned business or a
holding company domiciled in Luxembourg?
Approved Contractor Scheme
There is, of course, a form of business licensing
already in existence in the shape of the
Approved Contractor Scheme (ACS). It’s
voluntary. I know it has many detractors, but it’s
a great deal better than not having any scheme
at all. The introduction of mandatory business
licensing would kill off the ACS. This would be a
terrible mistake.
From my perspective, I could easily live with
any plans to drop the proposed business
licensing and adopt a mandatory ACS. All of the
reliable and trustworthy security companies are
on the ACS Register anyway, meaning that
application and approval would only be a
burden to the fringes of the industry that the
Regulator is seeking to eradicate.
Indeed, in many respects ACS status provides
a level of rigour that I, for one, welcome. For
example, ACS requires vetting to BS 7858
which, to my mind, is far more robust than SIA
licence requirements as it looks at five-year
employment histories. In particular, we should
consider how it might be used to forge
improvement across the industry and drive out
those on the fringes that the proposed business
licensing is meant to address.
On that subject, the ACS should remain under
the control of the Regulator and not be handed
over to industry. This will leave the industry free
to drive the important improvements needed.
Introducing bands of attainment within the
ACS would have the effect of encouraging
organisations to strive to improve their score.
While we don’t need to publicly compare
actual ACS audit scores, the opportunity to
‘band’ providers – whether Bronze, Silver or
Gold, for example – would allow these same
firms to demonstrate their expertise and use
such a banding to differentiate their services in
the quality end of the market.
Reactions and responses
At the Stakeholder Conference, it was very
interesting to hear Ronnie Megaughin (chief
inspector at Police Scotland) talk about his
experiences of making ACS status mandatory
for public sector tenders in Scotland. By all
accounts, this has helped improve the quality of
the security services provided north of the
border and made tendering more transparent.
This tells me that a mandatory ACS would work
in England as well.
That said, I was questioned from the floor
about whether a mandatory ACS would add
excessive cost and burden to smaller security
providers. Naturally, the ACS requires a
business to make a commitment in terms of
people and time, but if it plays a central part in
the continual improvement of that business,
then I would view any associated cost as an
investment in the company.
For me, two points came across loud and
clear at the SIA’s Stakeholder Conference. One
was the need for partnership, whether between
the regulatory body and private security
providers or the industry and the police service.
The second point I noticed was the welcome
recognition of the crucial role that the security
industry plays in keeping people, property and
assets safe across the UK. As Elizabeth France
(chair of the SIA) remarked, there are more
security staff than police officers in the UK.
That’s 300,000 pairs of ‘eyes and ears’ trained
to support the police’s sterling work. At a time
when policing budgets are under considerable
pressure, our industry’s importance to the UK’s
security infrastructure is crystal clear.
However, the good work of the SIA, the
existence of the ACS and the importance of the
security business sector as a whole is poorly
understood and unappreciated. As an industry
we must act and take better control of our
image. Indeed, it’s crucial that the private
security industry buys into this key message.
From my own point of view, the reputation of
the industry depends on it, while its future
growth relies on positive action being taken.
Peter Webster: Chief Executive
of Corps Security
*The author of Risk UK’s regular
column Security’s VERTEX Voice is
Peter Webster, CEO of Corps
Security. This is the space where
Peter examines current and often
key-critical issues directly
affecting the security industry. The
thoughts and opinions expressed
here are intended to generate
debate among practitioners within
the professional security and risk
management sectors. Whether you
agree or disagree with the views
outlined, or would like to make
comment, do let us know (e-mail:
pwebster@corpssecurity.co.uk or
brian.sims@risk-uk.com)
“The last 30 years have seen business and Government
trying to deregulate wherever practical and possible.
Business licensing goes against that trend”
15
www.risk-uk.com
INSPIRATION
THROUGH INVALUABLE
DIGITAL INSIGHT
With approaches, systems and
devices constantly changing,
etailers need to be aware of the
latest trends and innovations to
gain significant competitive
advantage from their eCommerce
and mCommerce efforts.
The eTailing Summit offers a day
of a day of meetings and
networking with industry suppliers
and peers for idea gathering,
inspirations, tools and tactics to
help transform strategies in line
with the latest technologies.
11th July 2017
Hilton London Canary Wharf
For further information contact Katie Bullot on:
01992 374049
k.bullot@forumevents.co.uk
forumevents.co.uk
@eTailingSummit
ForumEventsLtd
forumevents
MEDIA & INDUSTRY PARTNERS
ORGANISED BY:
BSIA Briefing
Last year, the National Counter-Terrorism
Security Office produced some guidelines
containing advice for leaders of schools and
other educational establishments on reviewing
protective security, in tandem pressing school
officials to take the subject of risk management
seriously. This advice followed a series of hoax
telephone calls being made to educational
sites across the UK, which forced at least 27
schools to be evacuated after bomb and gun
threats were made.
It seems history may now be repeating itself.
Last month, across no less than 11 counties in
Britain, nearly 5,000 schoolchildren were
evacuated after their schools received bomb
threats. While these threats were treated as
hoaxes, they do further solidify the fact that
school leaders absolutely must take the time to
review their security plans and ensure the
measures they currently have in place are both
effective and of good quality.
Alongside potential bomb and gun attacks,
educational establishments face a wide number
of threats right across the year, including walkin
thefts, the potential for personal data
breaches, threats against students and staff
and the possibility of arson. Bearing all of this
in mind, school officials have a Duty of Care to
both their fellow members of staff and pupils,
as well as a legal responsibility to provide a
safe environment in which people can learn.
A lack of effective security can not only result
in potentially life-threatening situations, but
also the prospect of reputational damage. Back
in March, two separate schools in Cumbria were
placed under ‘special measures’ by Ofsted for
security reasons. A small secondary school,
Kirkby Stephen Grammar School failed its
Ofsted inspection due to a perceived lack of
perimeter security, with the school reportedly
being criticised for its failure to put in place
appropriate measures that would “minimise
identified potential risks” to pupils.
In short, Ofsted’s inspectors deemed the
premises as being too readily accessible to
members of the general public.
According to a report in The Westmorland
Gazette, the ‘special measures’ decision came
after The Queen Katherine School in Kendal
was also placed into this category due to
safeguarding and security issues. Following the
decision, the school is now moving forward
with £30,000 plans that will include a perimeter
fence designed to improve security in an effort
to satisfy the Ofsted inspectors.
Ofsted’s decision has angered school
officials, with Kirkby Stephen Grammar School’s
head teacher Ruth Houston and Simon Bennett
(chairman of the governing body) sending a
Learning By Inspection: The
Importance of School Security
Security and safety in UK schools is a highly emotive subject.
Indeed, it’s one which is never far from the mindset of the
presiding head teacher, the facilities team responsible for a
given establishment, the governing body and/or members of
the Local Education Authority, all of whom have key roles to
play in the implementation of an effective strategy. Here,
James Kelly examines the main considerations to be observed
around security in the education sector
letter to parents stating that they believed the
decision was “a failing of the inspection
system, not the school, if an overall judgement
is defined by the lack of a fence or not enough
locks on doors, rather than the excellent
teaching, leadership, behaviour and outcomes
of the school.”
Students from Kirkby Stephen Grammar
School have contacted Ofsted to express their
own concerns. The Westmorland Gazette report
stated that students told Ofsted they felt
“valued, inspired and appreciated. Unsafe is
something we never feel. A member of our Sixth
Form remarked that ‘everybody knows
everybody in Kirkby Stephen’. This same
community ethos is reflected in our school, an
ethos which would be changed for the worse by
the severe security measures Ofsted would like
us to put in place.”
An integrated approach
School security solutions extend well beyond
perimeter fences and physical locks, with an
James Kelly: CEO of the British
Security Industry Association
17
www.risk-uk.com
BSIA Briefing
integrated approach being the most effective
way of protecting staff, students and assets
alike. It’s also important to choose measures
that integrate seamlessly with the design of a
given school building so as not to intimidate
pupils or their parents.
Access control systems can be a great place
to start, with electronic access control
becoming increasingly more commonplace in
schools. A combination of electronic access
control and physical security measures will be
vital in helping to manage known or anticipated
threats by dint of controlling, monitoring and
restricting movement around a given site.
Schools can be quite complex in terms of
their access control, with specific areas – such
as a science laboratory or an IT room – needing
to be restricted to certain people at specific
times of the day. Outside of school hours,
access control measures can be used to restrict
entry to the entire building and may be
integrated with gates or fences at the perimeter
to grant access only to authorised personnel.
Alongside electronic access control, as
mentioned, high quality physical security
measures should also be employed. In a school
environment, particular doors – such as that
allowing access to a caretaker’s storage room –
can be fitted with a mechanical patented
cylinder lock under a master key system.
Escape doors may be fitted with crash bars or
push pads for emergency exit only.
On the subject of doors, it’s essential to
consider the types of doors used that will
provide the most streamlined access to and
within a school, taking into account the
demands made by the Equality Act 2010.
Here, it’s vital measures are chosen that are
both non-discriminatory and convenient in their
nature. For example, if selecting revolving
doors for a school entrance – which can act as a
beneficial airlock to keep out draughts, noise,
dust and dirt – then an automatic pass door
should also be installed next to it in order to
grant access to those less able to enter through
a revolving door.
Identification devices
Once the physical barrier – such as a door,
turnstile or speedgate – has been chosen, then
officials must decide on which type of
identification device will be most suited to the
school. This can largely depend on which areas
“Dynamic lockdown procedures have the ability to restrict
access and egress at a site or building through physical
measures, among them access-controlled doors”
of the school require authorisation for access
and by whom. For example, some schools may
only have certain restricted areas and need to
give permissions to authorised staff only,
whereas at other schools there may be a
requirement for all students to carry an
identification device.
Proximity cards – such as contactless keys, ID
cards or fobs – can be very useful in achieving
streamlined access throughout a school.
However, it might also be beneficial to consider
biometric access control measures, such as
fingerprint readers, as they can eliminate the
potential issues of children misplacing or
forgetting their access devices.
A good quality system can generally handle a
large amount of users and will be able to
identify individuals quickly and efficiently. As
user information is very often linked to a
dedicated database, it’s also wise to choose a
system that doesn’t need to be online in order
to make access decisions. This way, if the
Internet connection is lost for any length of
time, students and staff will still be able to
access specific areas/zones of the school.
Identification devices can also carry various
added value benefits. They don’t simply have to
contain access information. Rather, they can
store important student and staff data, too,
such as any notes on medical issues or dietary
requirements, and are a useful way of logging
time and attendance. They can also act as
cashless vending devices, meaning children
don’t have to carry cash with them to school,
potentially reducing the risk of bullying.
Dynamic lockdowns
Another security measure that’s gradually
becoming a part of school security strategies is
that of dynamic lockdowns. A dynamic
lockdown would generally occur in response to
a fast-moving incident, such as a firearmsbased
attack occurring either directly at the site
or somewhere close by.
Dynamic lockdown procedures have the
ability to restrict access and egress at a site or
building – or parts of it depending on its
configuration – through physical measures,
among them access-controlled doors. As well
as verbally alerting staff to physically lock
down the school, panic hardware can be fitted
to doors and windows – and especially ‘final
exit doors’ like playground doors – so that they
automatically lock when the alarm is activated.
The panic hardware must be capable of selflocking.
Pullman-type latches integrated with
door closers would be a good way to achieve
this. A school’s access control system may also
be integrated with a panic alarm system.
18
www.risk-uk.com
ERM and ESRM: Can They Continue
to Exist Independently?
If Enterprise Risk
Management and
Enterprise Security
Risk Management are
here to stay, what
does this mean for the
future of risk
management? What
models should we
look forward to in the
future, and what
future should risk
management
practitioners prepare
themselves for as time
moves on? Philip
Strand searches for
some answers to
these key questions
Dr Philip Strand PhD MBA:
Senior Risk Consultant at
CornerStone
20
www.risk-uk.com
Thought leaders in the risk management
industry continue to evolve practitioners’
views of the world they protect. In many
ways, the recognition that the industry merited
and required professional organisations such
as ASIS International (1955), IAPSC (1984) and
The Security Institute (1999) was an evolution
in thought, both in and of itself.
From this evolution, the industry gained
platforms upon which leaders could develop
their ideas more quickly and communicate with
global reach. Significant paradigm shifts have
included distinctions between security
management and risk management and the
convergence of IT and physical security
operations in the 1990s.
Joining the ranks of these industry-changing
movements is the latest major shift in risk
management thinking, namely Enterprise Risk
Management (ERM) and its security-focused
spin-off, Enterprise Security Risk Management
(ESRM). Enough time has gone by to suggest
that these strategic-level frameworks for risk
management are more than just passing fads.
Indeed, they’ve now firmly taken root.
Risk management was originally developed
as a concept in the mid-1950s to help the
insurance industry conceptualise its role in
society and achieve its commercial goals. By
the early 1960s, two professors – namely
Robert Mehr and Bob Hedges – had developed
risk management for business enterprises into
a more robust system of thought,
encompassing not only risks related to readily
insurable incidents (ie hazard risks), but also
four distinct categories of business risk.
Come the mid-1990s, these four categories
became the foundation of ERM and
encompassed hazard risk (ie employee illness
and injury, theft, third party liabilities, natural
disasters and property losses), operational risk
(information transfers, bidding processes,
construction management and accounting
processes, etc), financial risk (ie costs of
capital, market risks, bank and surety support
and growth capitalisation) and strategic risk (ie
changes in customers and industries, growth
strategies, risks to brands and reputations and
competition risks).
Although Mehr and Hedges succeeded in
bringing risk management out of a single
industry and into the mainstream business
world, their model left significant room for
development. For one thing, their ERM
framework didn’t make it clear how physical
risks can cross-cut all four categories.
At first glance, physical risks – which stem
from threat actors ranging from criminals to
incompetent employees through to natural
disasters – most obviously relate to the ‘hazard
risk’ category, but there are more subtle
relationships to the other three categories that
shouldn’t be understated.
For example, strategic risks could be
compounded by malicious damage caused to
assets or processes that are vital to a
company’s growth strategy. Likewise, robust
physical risk mitigation measures might be
marketed as a comparative advantage over
competitors, thus giving a company an
advantage in a specific market. Additionally,
information transfers could be affected by the
sudden and unfortunate loss of employees.
In each of these examples, an understanding
of physical security risk is an essential
prerequisite to understanding operational,
financial or strategic risk.
While it’s wholly possible for risk managers
to relate different security risks to each of the
categories in the ERM framework, the
development of ESRM in 2009 seems to have
eliminated some practitioners’ desire to do so.
ESRM is a risk management ‘philosophy’ that
encourages practitioners to assess all forms of
physical risk (ie information, cyber, physical
security, asset management and business
continuity risks) in an holistic manner similar to
how ERM advocates assessing many business
risks together.
According to ESRM, risks should be assessed
not only in terms of their immediate impact, but
also according to their second and third order
effects on other assets and processes within a
given organisation.
Clear evolution in thought
ESRM represents a clear evolution of traditional
security thinking in as much as it requires
practitioners to examine the total impact that
security incidents might exert on an
organisation. From an ESRM perspective, a
stolen laptop doesn’t only cost a company the
replacement value of the laptop. ESRM enables
us to see the loss at a higher level by factoring-
Enterprise Risk Management and Enterprise Security Risk Management
in the value of the information on the laptop
and the value of all of the business processes
that the laptop facilitated.
ESRM also encourages security managers to
ensure that risk decisions are made by true risk
owners. It brings security managers who’ve
traditionally operated separately (eg physical
security and IT security managers) together
under the same umbrella whereby they can
more easily determine how some risks might
affect multiple stakeholders.
Despite ESRM’s contributions to risk
management thinking, there are still several
ways in which ESRM must be further
developed. While the ERM framework fails to
recognise how security risks can impact
business risks, ESRM also fails to adequately
emphasise this point.
Many models depicting ESRM as a process –
among them ASIS International’s own widely
accepted model – are narrowly focused on
identifying and quantifying organisations’
assets and the risks facing those assets. ESRM
encourages CSOs to liaise with finance,
executive and other C-Level officers to
understand how security risks can affect
multiple assets within their organisations
(including intangible assets like reputation),
but ESRM models stop short of emphasising
the importance of understanding how assets
facilitate the operational, financial and strategic
goals of the organisation.
While ESRM goes beyond ERM in several
important ways, this lack of emphasis makes it
possible for ESRM-minded security managers
to miss out on the important elements of
business risk upon which ERM focuses heavily.
Embracing the philosophy
In their 2016 book entitled ‘The Manager’s
Guide to Enterprise Security Risk Management’,
Allen and Loyear state that: “ESRM is not the
same as ERM, and it certainly doesn’t replace
it.” This appears to be quite true and, at
present, large organisations are likely to need
competent and experienced risk managers at
the head of their ERM Departments as well as a
series of similar risk managers embracing the
ESRM philosophy throughout their
organisational structures.
Currently, there’s no single risk management
framework that embraces all of the elements of
both ESRM and ERM. This allows for a gap in
risk management thinking because, by default,
it means that there’s no single model plainly
relating security risks and business risks in a
single process.
In order for risk managers to correctly
prioritise assets and risks, they must fully
understand the roles that assets play in helping
organisations to achieve their missions and
strategic objectives. ESRM aspires to do this,
but the next evolution in risk management
thinking must be to converge ERM and ESRM.
The four business risk categories of ERM
must be viewed in concert with the security risk
categories of ESRM. The ‘holistic’ approach of
both types of risk management merits
applause, but neither type of risk management
can claim to be truly holistic if they’re not
assessing business and security risks together.
If the convergence of ERM and ESRM looms
in the future, then it’s natural to ask the
question: ‘What would this convergence look
like?’ It seems that it might be appropriate to
add ESRM’s ‘security risks’ as a fifth category in
the ERM model. This is indeed tempting for
simplicity’s sake, but it’s noteworthy that, in
most organisations, the impacts of the two risk
models flow mostly in one direction.
While security risks can – and often do –
compound business risks, the latter tend to
exacerbate security risks only under rare and
extreme circumstances.
Looking ahead, future models of converged
ERM-ESRM frameworks must consider in depth
the fact that assets and processes (which are
directly affected by security risks) exist to
support organisational objectives (which are
directly affected by business risks and only
affected by security risks when assets and
processes are compromised).
“ESRM represents a clear evolution of traditional security
thinking in as much as it requires practitioners to examine
the total impact that security incidents might exert”
21
www.risk-uk.com
Status Symbol: The Chartered Security
Professional and Standards of Excellence
The concept of
chartered
professionalism traces
its roots back many
centuries, in fact to
the years following
the Norman invasion
of 1066. Now,
in the 21st Century,
being ‘Chartered’ is
more relevant than
ever in terms of both
winning and securing
public trust. Peter
Speight examines the
importance of
Chartered Security
Professional status for
today’s practitioners
Recently, a security manager whom I’ve
known and worked with for some years
now, namely Mike Topham, was keen to
discuss pursuing the journey towards Chartered
Security Professional (CSyP) status. Mike – who
has held a number of security management
positions – contacted me as he wished to know
more about the whole subject of CSyP.
For my part, I fully expected a relaxing cup of
coffee or two and a general conversation with a
couple of questions about CSyP thrown in, but
Mike’s keen determination to learn as much as
possible was obvious from the outset. Indeed,
Mike asked several questions, all of them
pertinent and very much to the point.
Why would anyone want to attain this
standard? What will it achieve for the practising
security professional? How will customers
benefit? Who should apply and why? What does
the individual have to do if they pass muster?
We had a great meeting and jointly agreed
that Mike should carry out some detailed
research of his own into CSyP in order to gain a
feel for the ‘What?’, ‘Why?’ and ‘How?’
Mike is right in his assessment that, as we
head into the next few years, every aspect of
the security environment in which we all now
live whether in a local, national or global
business context or as an individual has
become more complex, technically challenging
and generally more unstable than ever before.
The sheer magnitude and range of threat
types, from the technical vulnerability of
information and systems through to fraud and
terrorist activity and on to the local protection
of people, premises and business assets
demands the exponential development of the
security sector. The emergence of fully riskbased
methodologies along with this general
growth has been accompanied by the
development of many intelligent tools, both
technical and academic. The security landscape
refuses to stand still, then, even for a moment.
In this maelstrom of activity, the burning
question for customers has been where to turn
in order to ensure that those engaged to advise
on these matters are somehow up to the job
and the best available. If there was a bridge to
be built or the legal defence of a corporation to
be conducted there would be a need for a
proven group of professionals (ie engineers or
lawyers) to transact such work. Their industries
or commercial business sectors are chartered,
with a Register of Chartered Professionals
available as guidance.
Until relatively recently, the security business
sector had no such listing despite the growth of
complex security threats. Thankfully, matters
have changed much for the better.
Strategic competencies
CSyP is a professional certification in security
established to show the attainment of strategic
and higher operational level competencies in
the discipline. The Security Institute operates
the Register of Chartered Security Professionals
on behalf of The Worshipful Company of
Security Professionals and it’s expertly
managed by the Chartered Security
Professionals Registration Authority.
The criteria for joining the Register of CSyPs
is founded to a large degree on the UK
Standard for Professional Engineering
Competence. Advice was also sought from the
Foundation for Science and Technology and The
Engineering Council. The final version of the
criteria for becoming a CSyP is, to an extent,
based on the criteria for Chartered Engineers.
22
www.risk-uk.com
Chartered Security Professionals: ‘The Gold Standard’
To be admitted to the Register, applicants
must have a strong understanding of general
security principles (although they may be a
specialist in one field) and be operating at a
strategic or senior operational level of security
practice while demonstrating a high level of
competence in five key areas: Security
Knowledge, Practical Application,
Communications, Leadership and Personal
Commitment. Applications are also welcome
from professionals working in the security
business sector who are engaged primarily in
teaching or in public or private sector
organisations involved with security activity.
To remain a CSyP, Continuing Professional
Development (CPD) is mandatory, as is
adherence to a professional Code of Ethics.
The Security Institute and ASIS
International’s UK Chapter are both eligible to
receive applications from potential CSyPs,
although applicants don’t have to be a member
of either organisation. It’s testament to the
vigorous protection of CSyP organisational
standards that it took ASIS UK a year of hard
work to demonstrate compliance with relevant
standards in order to be awarded a licence to
manage CSyP registration applications.
Both ASIS UK and The Security Institute are
fully committed to CSyP on several levels,
including mentoring and promotional activities.
Standards of excellence
The five core competencies required for CSyP
registration are weighted in favour of security
knowledge and application skills. The
weighting also requires CSyPs to be better than
average. Achieving a mark of ‘Good’ across the
board isn’t enough. Applicants must be better
than ‘Good’ to be admitted as a CSyP. Those
applying must be of undisputed integrity and
have a sound level of expertise, operating at a
strategic level or the senior end of the
operational level of security practice.
To date, the Register of Chartered Security
Professionals has attracted successful
applicants not only from the UK, but also
Australia, the USA, Canada, the UAE, Spain,
France, Albania, the Netherlands, the Czech
Republic, Switzerland and Hong Kong.
As substantial as the foundations are, and as
undeniable as the commitment of the industry
is to adapting to modern customer needs, in
order to fully understand why an individual
should submit themselves to the rigours of
registration we must understand – as Mike
asked of me – what the advantages of achieving
CSyP status are for the individual in order for
this ‘Gold Standard’ to become attractive to the
next generation of security professionals.
“For some time now, customers have been unhappy with
the ‘single dimension’ security service delivery. Several
fairly weighty voices have called for better informed and
bespoke risk profiling of their businesses”
‘Single dimension’ security
For some time now, customers have been
unhappy with the ‘single dimension’ security
service delivery. Several fairly weighty voices
have called for better informed and bespoke
risk profiling of their businesses and a move
towards Enterprise Risk Management on a
service partnership level.
Traditionally, ‘security’ has been viewed as a
grudge purchase by some clients for a variety of
reasons, which inevitably leads to price-driven
procurement decisions based on hourly charge
rates. The end result has often been poor
service delivery by poorly-motivated security
officers operating in a poorly-resourced
environment. That’s the fact of the matter.
The traditional corporate mindset is slowly
changing, but still pervades among many of the
current customer base. In essence, the key
must be to manage expectation at the outset by
demonstrating the professionalism, flexibility
and tailored offering which our industry is now
able and geared to deliver. A potential customer
needs to be encouraged to found procurement
decisions on the value added by the security
services package based on a risk management
methodology, and not simply on the charge rate
for the officers delivering those services.
Security professionals must drive to become
actively involved in the full range of enterprise
risk mitigation (including crisis first response)
along with their customers, while also pressing
to become integrated service partners.
Returning to one of Mike’s key questions,
why register for CSyP? The answer is to
demonstrate that we understand and stand by
the concept of ‘professionalising’ the security
world around a single, transparent and
continually relevant standard, and at the same
time send a message into the marketplace that
we’ve adapted to changing customer needs.
Choosing a professional or a service provider
from within our sector is now possible in a way
that mirrors the seriousness of current threats.
Registration as a CSyP also requires a
demonstrable personal commitment to the
development of security in its wider sense,
through supporting colleagues, members of the
public and immediate neighbourhoods.
Applicants shouldn’t attempt to attain CSyP
status without fully appreciating that ongoing
commitment. This isn’t just a ‘tick-box’ exercise.
Dr Peter Speight CSyP DBA
MPhil MSc MIRM:
Managing Director of Future
Risk Management
23
www.risk-uk.com
Physical Security
Information
Management is a
category of software
that provides a
platform and
applications created
by middleware
developers specifically
to integrate multiple
unconnected security
applications and
devices and control
them through one
comprehensive user
interface. Stephen
Smith outlines why
the end user buyers of
such solutions need to
consider not only the
technology itself, but
also the ongoing costs
involved
PSIM: Only Fools Rush In...
Of late, there has been a fair degree of
focus on how Physical Security
Information Management (PSIM) solution
developers are planning to offer integrated
security systems aimed at the growing needs of
large-scale enterprises. They would be doing so
while also offering advanced functionality for
more stakeholders and providing greater
control from one central location.
Within the world of PSIM, certain matters are
crucial for the future development of our
industry. One such is about understanding and
resolving problems associated with the
increasing geographical scope of clients, while
adhering to a multi-tiered hierarchy – a socalled
‘federated’ system – wherein total
control is centralised, but allows individual
sites to maintain local control.
Providing more powerful systems is
undoubtedly important. Perhaps more
important, however, is the scalability of the
solution, from a single PC through to those
‘federated’ solutions that afford end users the
power to match risk with budgets. It is indeed
the case that big is beautiful up to a point, but
what’s considerably more attractive, I would
strongly argue, is the ability to scale a solution
according to need. This will allow more
businesses to realise the considerable
advantages PSIM solutions can deliver.
Also important is the issue of connectivity
and, to be more specific, the subject of
connectivity failure. It would seem obvious that,
in locations where there are known connectivity
challenges, and where connectivity failure is
therefore a distinct possibility, the ability for a
system to work in a standalone mode is
essential. It would seem similarly obvious that
managing an enterprise-wide PSIM-based
solution doesn’t create huge volumes of data.
Distributed architecture
The distributed nature of the architecture
within certain PSIM solutions means that each
Control Room is autonomous. This in turn
means that, if a connection is lost to the others,
it will continue to run without interruption and
monitor the systems assigned to it. To that end,
it’s a genuine ‘hot reserve’, as opposed to being
a ‘fail-over’ Control Room that has to be
switched on and booted up.
In my opinion, data bottlenecks should never
be used as an excuse for a system going down,
nor for creating a lack of ‘control’. It’s
disingenuous to suggest otherwise. PSIM
technology should have an efficient alarm
escalation functionality, which means that if
there’s a problem, the operator still knows
exactly what to do should a critical event occur.
For their part, operators must have access to
all of the data, information and systems at their
fingertips. None of that information should be
‘lost’ in the event of a connectivity failure, or
while waiting for the back-up to warm up.
While some are seeking to develop more
powerful solutions for ‘federated’-level security
across larger organisations and smart cities,
others are already being deployed throughout
the world, from the UK to the United Arab
Emirates. While some manufacturers appear to
focus on the past, the more forward-thinking
among us are already operating in the future.
PSIM technology is of course capable of
managing large numbers of systems – and not
just video – from a single platform across
multiple sites. This allows end users to manage
incidents according to standard operating
policies set by the customer or based upon
best business practice, mitigating risks to life,
security and assets accordingly.
Importance of reputation
Reputation is important in any industry and for
any technology. Frustratingly, PSIM is already
one of those technologies that has a poor
reputation. It has come a long way in a
comparatively short space of time, but such
rapid evolution has been an element of the
problem. This is partially because PSIM can be
misunderstood and grouped erroneously with
security management systems, but also partly
because, in my opinion, some PSIM solution
developers are misleading the market.
24
www.risk-uk.com
PSIM Solutions: Procurement Advice for End Users
They seem to be doing this in two ways: first,
in regard to what their technology is capable of
achieving and, second, in relation to how much
their clients should pay for the pleasure of
having a PSIM solution installed. Indeed, this
is the other great challenge and the other
great myth: lifecycle costs.
I have a genuine fear that these hidden costs,
with particular regard to software licenses,
combined with the lack of an adequate support
service – or one that’s ludicrously expensive –
are problems that continue to be unexplained
and do our industry a tremendous disservice.
This was certainly evidenced in the survey we
ran in conjunction with Risk UK last year.
Depending on the specific PSIM system and
its manufacturer, these costs can be highly
fragmented and split into many different ‘parts’
or stages. This may be confusing to the end
user buyer, since they can include the physical
equipment cost, installation, initial software
licenses, training packages and project
management services, etc.
What’s most alarming, however, is that these
are only the ‘initial’ costs and don’t take into
account factors such as annual licence fees,
future upgrades and renewals which, when you
think of the initial capital expenditure for
implementing a system and the number of
years you expect it to be functioning, could run
into the many thousands – if not hundreds of
thousands – of pounds.
Specification: key points
In specifying a PSIM solution, and identifying a
reputable manufacturer with whom to work,
what should the end user be looking for?
Ensure the companies that are pitching to
you state, in writing, their annual fees for the
renewal of your licence and, if technical support
is provided, what it entails and what it costs
over a five-year period.
Find out whether you will be expected to pay
for system updates, too, and if so, how
frequently these updates will occur. What are
the fees? Is the cost a percentage of the initial
capital outlay?
Given the level of investment you’re making,
insist that the software will be supported for a
minimum of ten years or longer if possible.
Sweat the small print pre-contract so you
don’t expose yourself to risk that could well
end up having a catastrophic impact on your
organisation somewhere down the line. A small
number of software providers are still known to
build a ‘timer’ into their software. Worth
bearing in mind, as this automatically shuts the
software down if, for any reason, your annual
renewal payments haven’t cleared.
“Ensure the companies that are pitching to you state, in
writing, their annual fees for the renewal of your licence
and, if technical support is provided, what it entails and
what it costs over a five-year period”
Don’t evaluate a project based solely on the
initial capital cost. What might appear to be a
competitive initial cost could actually be the tip
of a very big iceberg when you rack up the
other additional costs for updates, licence
renewal and technical support. Work out the
lifetime cost. Don’t discover when you’re too far
down the line that the cost of installing the
system is lower than the ongoing annual costs.
A decision was taken early on in our
commercial history that we would never place
clients in the unenviable position of budgeting
for a capital expenditure only to find a raft of
renewal and licensing costs emerging. Cost, of
course, cannot be the only driver, but the
danger is that the cost a client is quoted isn’t
the ‘true’ cost that they end up paying when
ongoing outlays are then taken into account.
Transparency is paramount
Over the years, I’ve lost count of the number of
red-faced security managers berating a PSIM
solution provider for metaphorically holding a
gun to their head and, in effect, telling them to
‘pay the ongoing fees or we will not support
your system’. We certainly know of cases where
public bodies are now having their PSIM
systems ripped out because they cannot afford
to maintain them from revenue budgets.
PSIM solution providers must be 100%
transparent and fair or otherwise risk going out
of business on the back of an army of
disgruntled customers. Short-term opportunism
and narrow-mindedness could seriously impact
the industry’s long-term credibility.
PSIM is very much the system of tomorrow
that’s already being used to great effect in the
‘here and now’ today, but not always to the
extent that it should, or indeed by the
businesses that could benefit from it the most.
Buying a PSIM solution can be fraught with
difficulties, many of which are of our industry’s
own making. It must be said that buying on
initial capital cost alone is certainly a
dangerous way of doing things.
My best advice would be to conduct your due
diligence very thoroughly indeed. Consider the
technical implications of the risks to be
overcome and the lifetime cost of a system
rather than rushing unexpectedly into a brick
wall of hidden fees or false promises. After all,
only fools rush in where angels fear to tread.
Stephen Smith:
Managing Director of
Intergrated Security
Manufacturing (ISM)
25
www.risk-uk.com
The Insider Threat: Technical Surveillance Countermeasures
Many cyber attacks come from halfway
around the world, but the network
openings that allow cyber attackers to
infect databases and potentially take down an
organisation’s file servers are mostly initiated
by trusted employees.
Insider threats are much harder to detect and
potentially far more damaging financially and
reputationally than an external attack. Whether
malicious or simply negligent, workers need
access to sensitive information and systems to
do their jobs. As a result, if they accidentally or
choose to steal, their actions can do an
enormous amount of damage to a business.
Statistics show the extent of the risk posed
by insider threats. Accenture and HfS Research
state that 69% of enterprise security executives
have reported experiencing an attempted theft
or corruption of data by insiders during the last
12 months. According to The Ponemon Institute,
62% of business users report that they have
access to company data they probably
shouldn’t see, while the SANS Institute
observes that nearly a third of all organisations
still have no capability in place to either
prevent or deter an insider incident or attack.
In one study conducted by Gartner that
examined malicious insider incidents, 62%
involved employees looking to establish a
second stream of income by way of their
employers’ sensitive data, 29% stole
information on the way out of the door to help
future endeavours and 9% were saboteurs.
Defining insider attacks
Understanding what an insider attack is and
how it can happen will assist in reducing
exposure. Typically, an insider is usually a
trusted employee, student or contractor. It’s
someone who’s given a higher level of trust
than an outsider. This trust is usually
established through various formal and
informal processes, including references at the
employment stage and ‘earned’ trust as rapport
with the employee is built upon.
Recognising an ‘insider’ is the first step
towards classifying internal attacks.
Understanding what constitutes an insider
attack is the next one. Common attacks include
making an unintentional mistake, ignoring due
process and using ‘work arounds’ to access
information, trying to make a system do
something for which it wasn’t designed,
checking the system for weaknesses,
vulnerabilities or errors and acting with the
intention of causing harm.
To successfully protect a company’s
confidential information, its assets and current
controls need to be identified and assessed. For
The ‘Insider’ Threat
Colossal data breaches are fast becoming the ‘new normal’.
With each new incident invariably comes a feeble apology
‘for any inconvenience caused’. At best it’s embarrassing for
the company concerned, at worst the damage can be
catastrophic, often resulting in loss of reputation and profits
as well as law suits. Emma Shaw plots a path to safety for
today’s organisations
example, if a company stocks high value
equipment, thought will need to be given to its
location, accessibility, how it’s protected and so
on. Once the process of identification has been
completed, consideration then needs to be
given to who can access this information and
who’s responsible for controlling and updating
control measures in the future.
Key questions for consideration here are:
• Who genuinely needs access to sensitive
information and who can obtain this
information from another source?
• What controls are in place to limit access to
those who need it to carry out their job roles?
• How can you identify unauthorised access?
Traditionally, the security market has focused
more on preventing threats from entering the
network than on detecting and stopping data
from being exfiltrated. While preventing
infections undoubtedly remains important,
more resources are now being made available
to search for ‘Indicators of Compromise’ and
protect valuable data from exfiltration.
According to a recent survey by Vormetric,
89% of respondents (globally) felt that their
organisation was now more at risk from an
Emma Shaw MBA CSyP FSyI
FCMI: Managing Director of
Esoteric Ltd
27
www.risk-uk.com
The Insider Threat: Technical Surveillance Countermeasures
insider attack, while 34% felt very or extremely
vulnerable to one occurring. When asked about
who posed the biggest internal threat to
corporate data, 55% of respondents said
privileged users. Nine percentage points behind
on 46% were contractors and service providers,
with business partners rated at 43%.
The report goes on to say that databases, file
servers and the cloud hold the vast bulk of
sensitive data assets, but for many (38% of
respondents, in fact) mobile is perceived as a
high-risk area of concern.
Vormetric’s analysis states: ‘Senior
management concerns over privileged user
access have reached the top of their security
agendas. They now understand the damage
that a rogue user with admin rights can do and
they recognise that, if this type of user isn’t
properly monitored and controlled, the damage
to the business can be far-reaching. Also, if a
privileged user’s credentials are acquired by an
external attacker – as US investigators say was
the case when a hacker stole the credentials of
a system administrator at Sony and
orchestrated the recent high-profile data
breach – the opportunity to gain free access to
key information repositories or deploy malware
is likely to be extensive’.
How a company handles its information and
communications clearly becomes a contributor
to the risk exposure. A risk analysis covering all
forms of communication and information
storage should be conducted to analyse the
assets which the company possesses and
understand the scenario of possible threats in
order to ultimately produce an appropriate and
proportionate programme of countermeasures.
Emerging threats to organisations
Social engineering attacks, which rely on
human interaction and fraudulent behaviour,
have been growing significantly since 2011.
Preventative methods include limiting the areas
or meeting rooms where sensitive
conversations take place, and then
implementing sufficiently appropriate and
proportionate measures to protect these areas
as reasonably and cost-efficiently as possible,
based upon the threat and risk of espionage.
The appropriate solution may be derived
through a programme of technical surveillance
countermeasures (TSCM) surveys, the
installation of permanent countermeasure
“The potential loss and reputational damage that an
information breach might incur can far outweigh the cost of
implementing a proactive TSCM strategy”
solutions, the training of in-house security
personnel and awareness education for key
members of staff.
It’s also important to note that a TSCM survey
involves more than just an electronic ‘sweep’.
As well as locating and identifying hostile
electronic surveillance devices, an effective
TSCM programme is designed to detect
technical security hazards, physical security
weaknesses or security policy and procedural
inadequacies that would allow your premises to
be technically or physically penetrated.
Benefits of TSCM
• Prevention: The potential loss and
reputational damage that an information
breach might incur can far outweigh the cost of
implementing a proactive TSCM strategy.
Prevention is far better than cure
• Best Practice: Having a proactive TSCM
programme in place demonstrates a Best
Practice approach which will reassure Board
members, clients and stakeholders alike
• Corporate Compliance and Corporate Social
Responsibility: The duty to identify and manage
regulatory risk is a key requirement of today’s
Boards of Directors and a proactive TSCM
programme will assist organisations in
achieving compliance around the protection of
their information
• Enhancements to security: A TSCM
programme will detect and report on physical
security weaknesses or inadequacies that
would allow a given premises to be technically
or physically penetrated, thus enhancing the
overall security of the organisation
• Deterrent effect: Having overt countersurveillance
policies in place can act as a
deterrent to thieves and errant employees
• Peace of mind: A proactive TSCM programme
provides peace of mind that strategic
conversations and information will remain
confidential and allow the host organisation to
concentrate on ‘business as usual’
Overall business strategy
The risk of insider attack and its effects should
be an integral part of risk management and the
business strategy. Most insider attacks happen
due to a company’s focus on more obvious
forms of security breaches, without any
consideration around what’s required to protect
the company from internal threats.
To be productive, companies need to give
their employees freedom to work efficiently and
largely unhindered. However, within this the
operation and effective management of simple
security systems helps in protecting the overall
security of company assets.
28
www.risk-uk.com
Institute of Risk Management
Are your staff risk ready?
It is essential that your staff have a knowledge of the
principles and practices of effective risk management.
Enterprise Risk Management is designed to do just that.
What’s in it for employers?
> Managing risks effectively will
lower your costs.
> Turn threats to your business into
opportunities.
> Enhance business performance
and improve risk taking
approaches.
> Develop a motivated, skilled and
knowledgeable team.
> Attract high-calibre professionals
by investing in personal
development.
What’s in it for students?
> Enhance your ability to design
and implement effective risk
management strategies.
> Develop a critical understanding
of the relationship between
risk management, governance,
internal control and compliance.
> Gain an internationally
months.
> Join our global network of risk
management practitioners.
Distance
Learning
International
Recognition
Relevant for
All Sectors
Email: studentqueries@theirm.org
Phone: +44 (0)20 7709 4125
or visit www.theirm.org/risk-uk
Ransomware is a
constantly growing
threat and a highly
effective one.
Osterman research
from 2016 found that
ransomware was used
to target 54% of UK
organisations, with
more than half paying
the ransom. Of those
who didn’t pay, nearly
a third ended up
losing their data.
Wieland Age looks at
why defeating
ransomware is so
important in today’s
education sector
An Education on Ransomware
Last year, Locky spawned a file-encrypting
epidemic. Since then, it has become the
most prevalent ransomware on the planet.
Targeting universities among many other large
institutions, its continuous, pitch-perfect
campaigns demonstrate how organised crime is
digitising faster and more successfully than
many ‘legitimate’ enterprises.
This emergence of Locky, which represents a
new strain of ransomware, demonstrates just
how successful cyber criminals are becoming at
mastering the digital transformation agenda.
Locky’s creators invested significant time and
resources in product development, identifying
the best user interface, performance and
encryption security protocols. So much so, in
fact, that the FBI actually recommended victims
pay any demanded ransom in order to gain the
correct decryption code.
To support their programme, the criminals
even created a ‘Customer Help Centre’ to
handle sales and support. If victims have
problems decrypting their data, online ‘staff’
are on-hand via chat rooms to walk ‘customers’
through the process. This ensures that there
are no negative social media reports from
victims who, having paid up, are then unable to
regain access to their data files.
When it comes to propagating Locky, the
online criminals have done their homework. In
December, their latest phishing campaign
reached millions of victims in over 100
countries within days. Most start-ups would be
overwhelmed by such success, but the
distributors of Locky have created a highly
mature online infrastructure designed to
manage high volumes of payments and
enquiries – in multiple languages – from the
victims whom they target.
Education: an unlikely target?
IT professionals operating in educational
institutions have been slow to adopt
ransomware defences, perhaps because there
has been an unfounded misconception that
they’re unlikely to be targeted. If that used to
be the case, it’s certainly not true any more.
Bournemouth University was hit by no less than
21 ransomware attacks last year, while Los
Angeles College was recently forced to pay a
$28,000 ransom to unlock critical data and
systems following a ransomware attack. It’s
shocking, but not altogether uncommon. In
many ways, educational establishments are a
logical target for malicious attackers.
With whole campuses full of independent,
computer-based study being carried out by
students, these younger users could be
perceived to be less wary of suspicious e-mails,
attachments and websites. Compound this with
the fact that each one of these thousands of
pupils likely has multiple devices, all connected
to the institution’s network, and it’s easy to see
how hackers might view schools, colleges and
universities as low hanging fruit. Millions of
highly sensitive records, treasured works and
confidential details, combined with a very real
need to aintain their reputations as trusted
organisations, mean that educational
institutions are seen by many as easy pickings.
Education sector IT budgets don’t normally
include blank cheques for combating cyber
criminals, so investing in anti-ransomware
measures should be a priority for any
educational organisation wanting to avoid a
nasty and expensive surprise.
Fortunately, it’s possible to halt digital
attacks with a combination of the right security
measures and user awareness.
Raising awareness
Most ransomware attacks begin with an e-mail
containing malicious links or attachments.
Consequently, to reduce the likelihood of a
successful attack, it’s imperative to ensure staff
and students know all about the dangers of
ransomware, understand how to practise safe
computing and can recognise the indicators of
malicious e-mails. It’s also important to
maintain awareness by implementing a
programme of regular reminders.
30
www.risk-uk.com
Education Sector Safety and Security: Mitigating The Ransomware Threat
The three key messages that users should
take away from training are:
• Don’t open suspicious e-mails. Treat anything
‘out of the ordinary’ as a potential attack, even
when coming from a trusted source. If
possible, contact known senders separately to
confirm an e-mail is authentic before opening it
• learn to spot ‘red flags’ including poor
spelling/grammar in supposedly professional
e-mails, e-mails received at strange hours,
misspelled domains that look convincing
(A.Anderson@gmoil.com) and buttons and links
in the e-mail connecting to suspicious URLs. To
check this, hover the cursor over the link or
button and the URL will appear at the bottom
left of the window
• when in doubt, delete the communication
Secure your network
Effective user training can help to prevent many
attacks, but keeping the network free of
malware also requires a combination of
effective perimeter filtering, specially-designed
network architecture and the ability to detect
and eliminate resident malware that may
already be inside the host network.
Attackers can be prevented from entering the
network by a next generation firewall or e-mail
gateway solution that filters out most threats.
The best solutions will scan incoming traffic
using signature matching, advanced heuristics,
behavioural analysis and sandboxing and have
the ability to correlate findings with real-time
global threat intelligence.
When looking at the IT estate, make sure you
can control and segment network access to
minimise the spread of any threats that may
enter. Ensure that students can only spread
malware within their own limited domain, while
also segmenting. You might need to allow
admin staff, teachers and guests to each have
limited or specific access to online resources.
Start off with a clean slate. The existing
infrastructure likely contains a number of latent
threats. For their part, e-mail inboxes are full of
malicious attachments and links just waiting to
be clicked on. All applications – whether locally
hosted or cloud-based – must be regularly
scanned and patched for vulnerabilities.
Serious back-up plan
When a ransomware attack succeeds, critical
files – HR, payroll, grades, health records,
confidential student files, e-mail records and so
on – will be encrypted. The only way to obtain
the decryption key is to pay the ransom.
However, if you’ve been diligent enough
about implementing and correctly running a
back-up system, you can simply ignore the
“Some organisations may be committed to a legacy ‘onpremises’
back-up solution. If so, it’s worth starting the
planning phase to transition towards a cloud-based system”
ransom demand and restore your files from
your most recent back-up. Your attackers will
then have to find someone else to rob.
Automated, cloud-based back-up services
will provide the greatest security for data. For
budgetary or other reasons, some educational
organisations may be committed to a legacy,
‘on-premises’ back-up solution. If so, it’s worth
starting the planning phase to transition
towards a cloud-based system. In the
meantime, on-premises systems can be
configured to back-up files regularly
throughout the day. Admins should also be
extremely diligent about moving current backups
to a secure, off-site location every evening.
Many digital security experts believe that
ransomware is set to evolve and make up the
majority of cyber attacks in 2017. Given that the
pursuit of profit is the primary motivation for
most criminals, it’s perhaps not surprising that
ransomware’s popularity has continued to grow.
Simply put, ransomware is the easiest and
most effective way in which to extort money
from businesses of all sizes. Educational
institutions face this threat, as do banks,
hospitals, retailers and even Governments.
Future UK workforce
While the tips and tricks outlined here are
easily actionable as part of educational
organisations’ battles against ransomware, only
recently has there been a particular spotlight
on the digital skills of the nation’s children who
are growing to become young people within a
world dominated by IT and the Internet.
In March, the Communications Committee for
the House of Lords reported that learning
Internet safety should be a top educational
priority, alongside literacy and mathematics.
For his part, Lord Best issued recommendations
building on findings from the Children’s
Commissioner that “digital literacy should be
the fourth pillar of a child’s education alongside
reading, writing and mathematics and be
resourced and taught accordingly”.
Half of all law-breaking in the UK now
happens online and, while there’s little doubt
that children are indeed becoming increasingly
digitally literate, this House of Lords report
rightly points to the fact that the education
system isn’t yet equipping them with decent
enough levels of digital knowledge before they
leave school and form our next workforce.
Wieland Age:
General Manager (EMEA) at
Barracuda Networks
31
www.risk-uk.com
Educational facilities
should be safe, secure
and healthy
environments that
encourage learning
and development.
However, criminal
activity can
compromise these
principles and, in turn,
undermine the hard
work of both teachers
and students. Peter
Jackson examines the
security solutions that
can be put in place to
prevent harm from
being perpetrated
Security By The Book
Only recently, an ITV News story revealed
that pupils at a primary school in
Leicestershire missed the first day of the
new term after vandals broke in and caused
thousands of pounds worth of damage. The
wreckage ranged from broken windows to the
destruction of furniture and play equipment.
The latest reported statistics show that there
were 13,003 incidents of theft, burglary and
robbery reported in schools in England, Wales
and Northern Ireland in 2014, alongside 4,106
investigations into damage or acts of arson.
The price of repairing physical damage and
replacing stolen equipment can have a
significant bearing on a school’s budget.
Indeed, financial restraints in UK schools are a
big factor to consider when assessing the
importance of adequate physical perimeter
security. Recent announcements by Government
ministers suggest that 5% of council schools
and 4% of Academy Trusts have budget deficits,
with the general secretary of the National Union
of Teachers estimating that 92% of schools in
England could face real terms budget cuts over
the next four years.
In spite of these tight constraints, vandalism
in Scottish schools, for example, cost the
taxpayer over £1 million in repairs in 2015 and
at least £4.5 million over the past five years.
These unplanned costs will generally mean
that less money is available for important
considerations such as recruiting personnel or
improving building facilities and equipment.
There are also the non-financial impacts
associated with these crimes that must be
considered. The reputation of a given
establishment, a fear of safety among members
of staff, parents and students as well as the
disruption caused to learning can all have longterm
effects that may be hard to shake off.
Physical security
A large number of people flow through
educational sites on a daily basis making it a
difficult task to keep track of crowds at
particular locations. The lack of a formal
security strategy for schools, coupled with the
fact that we don’t employ security personnel at
school sites, means that the use of physical
security solutions including gates, fences and
turnstiles is recommended.
For maximum effectiveness, physical security
solutions should be supported by some means
of electronic security equipment such as access
control to effectively manage and limit
movement within a site.
Initiatives such as Secured by Design provide
several guidance documents that aim to reduce
crime in the built environment. The latest
advice to schools incorporates several new and
improved security standards that have been
developed to address emerging methods of
criminal attack. The guide advocates a clear
management and maintenance programme to
ensure the permanency of any measures
undertaken. Periodically assessing for risks and
implementing solutions where necessary is a
good way of making sure that a site is always
meeting its Health and Safety obligations.
Developing a detailed school security policy
that identifies the risks and puts controls in
place to minimise harm to staff, pupils and
visitors is vital. Procedures should also be in
place to prevent security and safety breaches
as well as to educate members of staff around
them always being ‘security aware’.
Having visible physical measures and
processes in place will help to protect against a
range of threats and vulnerabilities. Public
safety must remain at the top of the agenda to
ensure the health and well-being of all
individuals in and around the school site.
To this end, Building Regulations, Local
Authority permits, Health and Safety and fire
prevention requirements must be strictly
adhered to and observed at all times.
Planning the perimeter
To safely and effectively secure a school,
college or university site, careful planning of
the perimeter security is paramount.
32
www.risk-uk.com
Education Sector Safety and Security: Physical Security System Design
Educational facilities are often complex sites to
secure, playing host to multiple buildings (each
with their own access points), open spaces
between those buildings, play areas and sports
facilities as well as fields. Perimeter security
solutions therefore need to integrate with the
overall site architecture and, ultimately, aim to
control the movement of people and vehicles
through the use of solutions such as fences,
gates, bollards and barriers.
It may be worth thinking about creating
separate traffic routes for pedestrians and cars
to make sure members of the public are safe
during peak periods. A plan should also be put
in place during quieter times in order to
maintain a ‘security conscious’ approach.
Having an understanding of the land layout
surrounding the site perimeter and its uses is
also crucial as certain aspects may contribute
to or otherwise assist in the perimeter being
breached. By way of example, if the school or
college is the neighbour of a pallet production
company then the latter’s stock of pallets next
to any school fence makes it easy for would-be
intruders to use those pallets as a means of
gaining illegal entry to the premises.
Alongside the various regulations to follow,
consultation with local residents and
neighbouring businesses is a vital aspect to
think about as these parties can provide
additional support that may well assist in
preventing a perimeter breach.
When considering access points into and
around an educational facility, it’s particularly
important to understand and manage
permissions for staff and students entering the
site and prevent or control access for other
individuals wishing to enter. Having clear
signposting and designated areas for visitors
including parents, local authority employees
and suppliers, etc is key alongside
supplementary measures such as a reception
area or a sign-in procedure orchestrated to help
establish the authenticity of a particular visit.
If for any reason an entrance is used to
provide unrestricted access, it must be
monitored in person by a member of staff so as
to provide an initial deterrence.
Locking down entry points
With safety being the first priority, it may be
worth considering locking down all entry points
on the perimeter of a site during the day with
access managed via a staffed reception. When
combined with durable high security fencing,
such a policy can not only help in denying
potential criminals entry, but it can also prevent
pupils in primary and secondary school-level
education from leaving without permission.
Nowadays, most new schools are built in
urban areas whereas existing ones are being
bordered by new residential developments. In
these cases, it’s important to consider the
surrounding neighbours in regard to the noise
created during the school day.
Acoustic fencing is suitable for ameliorating
noise as it can be used to deflect external
sound away from a school site as well as
contain and absorb internal noises from high
impact areas such as playgrounds. These
solutions can work together to provide school
users and neighbours alike with the optimum
combination of privacy and security.
Sports fields and courts are another area
within the school site that may require some
defences in place to safeguard pupils and staff
from harm and protect buildings from damage.
Stray footballs, for example, can cause pain
and injury to unsuspecting members of the
public passing by and realise destruction in the
form of smashed windows. Installing suitable
fences and gates around these areas can help
when it comes to preventing such occurrences
from taking place.
Importance of aesthetics
Aesthetics is one more important factor.
Creating a pleasant and welcoming appearance
is a key element that helps with staff
recruitment and retention, and also increases
student productivity. Security solutions in
secondary schools that feature bespoke
elements such as incorporating the school’s
logo and colours are also ideal as they can help
develop a strong identity as well as a shared
sense of loyalty among students and staff.
Primary schools, on the other hand, rely
highly on bright colours and soft features in the
playground to engage and aid pupil interaction.
In this scenario, using timber fencing around
the perimeter may be much more beneficial as
it can be styled and decorated accordingly.
Ultimately, having the most appropriate
solutions in the right places will help in
creating a safe and secure teaching and
learning environment which also benefits the
local community. A good school security policy
can undoubtedly assist in reducing incidences
of anti-social behaviour, increase collaboration
and cohesion in neighbourhoods and make an
establishment more attractive to prospective
staff and students alike.
Peter Jackson:
CEO of Jacksons Fencing
“For maximum effectiveness, physical security solutions
should be supported by some means of electronic security
such as access control to manage and limit on-site movement”
33
www.risk-uk.com
What plans do you have for
emergency evacuation?
As detailed in the Equality Act (2010) places of employment,
So in the event of an emergency
can you evacuate the mobility
impaired safely?
The Evac+Chair is the World’s No.1
Emergency Stairway Evacuation Chair
0121 796 1427 FREE evacuation
assessment www.evacchair.co.uk
Are false fire alarms
disrupting your day?
We’ve got you covered!
Advanced models
available
with sounder
and weatherproofing
Minimise disruption and downtime caused by unwanted false fire alarms.
Protective covers prolong the life and reliability of vulnerable call points.
www.sti-emea.com info@sti-emea.com 01527 520 999
Access Control: Integrated Business Solutions for End Users
When’s the best time to upgrade your
access control solution? Many
businesses choose to follow the policy:
‘If it isn’t broken, don’t fix it’ but this can be a
risky approach in a world where technology and
the threats posed to today’s organisations are
changing so rapidly.
The use of older, legacy access control
systems exposes an organisation, a building, a
server room and/or computers to the
possibility of unauthorised access and the
myriad consequences that follow.
Access control technology is widely present
across many aspects of an organisation and
benefits both physical security and IT security.
With the advancements in smart phone, smart
card and biometric technologies, it’s now time
for organisations to start using these devices to
not only save on costs, but also to improve
upon the end user experience and simplify the
integration process of new biometric
technologies when they’re introduced.
Why, though, is now the best time for end
users to upgrade their systems?
Data privacy issues
One of the biggest drivers for updating legacy
access control systems is the need for
enhanced levels of data privacy. This could
come about through the on-boarding of a client
that requires high levels of security, new
legislation being brought in for specific
industries or even new building tenants.
The driver remains the same: data or the
building itself is in some way exposed to or at
risk and needs added protection. Put simply,
yesterday’s technology is no longer sufficient
for confronting today’s access control and
identity management challenges.
With data breaches dominating the
technology, security and indeed national
headlines, end users are fully aware that the
risk posed to organisations is evolving, while
the need to protect their physical assets – and
consequently data assets – is of vital
importance. The ‘IFSEC International Access
Control Report 2016: Legacy Infrastructure and
Motivations for Upgrading’ report highlights the
fact it would take a security breach that
exposed a flaw in the current system for 92% of
respondents to consider changing their current
access control system, but not beforehand.
On any site at any one time, in addition to
regular employees, there are also individuals
and groups on the premises (contractors, for
instance) who have access to various parts of
the location for short periods of time. In the
IFSEC report, 75% of respondents have third
party members on site on a regular basis.
Smart About Access
Technology advancements in trusted identities will create a
mixed technology environment with smart cards, mobile
devices, ‘wearables’, embedded chips and other ‘smart’
objects driving the transformation from legacy access control
systems. As Jaroslav Barton outlines, the shift to NFC,
Bluetooth Low Energy and advanced smart card technology
will be necessary to meet evolving business requirements
Integrated visitor management solutions in
modern access control systems significantly
improve the distribution and use of temporary
credentials, but also safeguard various parts of
the site when it comes to any unwarranted
access. Access control solutions, such as
mobile access or modern smart card
technology, make it that much easier for
facilities and security managers to track who’s
accessing what parts of the site to ensure
nobody’s in an area that they shouldn’t be.
End user convenience
The continual development in consumer
technology has spilled over into the business
world with devices now being used for work as
well as our personal lives. Bring Your Own
Device, mobiles and ‘wearables’ are all
common features of today’s office environment.
Organisations can use the growing level of
secure technologies that employees are
carrying around with them on a daily basis. In
place of several key cards or fobs that could be
lost, end users can instead employ smart
phones or smart devices – their closest pieces
of technology – for secure access control.
Jaroslav Barton: Product
Marketing Director for Physical
Access Control Solutions
(EMEA) at HID Global
35
www.risk-uk.com
Access Control: Integrated Business Solutions for End Users
In addition, advanced smart card technology
allows for a single smart card to provide
multiple access requirements on a secure
footing. Mobile access control is increasingly
pervading the market and, it must be said, the
benefits this brings are numerous.
Understanding the requirements from
building occupants is an important step before
undertaking an access control update. The
IFSEC International report notes that 48% of
respondents would like an easy-to-use access
control system, with 32% requesting multiple
levels of access depending on the degree of
authority required. This added security element
is clearly an important function, and one that
can be easily designated with more modern
technologies to hand.
Having mobile credentials that allow for
multiple access levels, for instance, saves end
users from the prospect of multiple access
control devices that could lead to confusion or
possibly misplacement. The IFSEC survey also
notes that 29% of respondents would like
future-proof technology. This can easily be
provided through mobile access solutions
which grant end users modern techniques for
access control, but also a single credential for
multiple access devices. Using smart phones is
a very straightforward solution that solves
three of the top concerns of employees looking
for updated access control.
One of the largest stumbling blocks to
updating an enterprise’s access control system
is the perceived disruption that the upgrade
itself will cause. 69% of respondents in the
IFSEC report believe that upgrading to a new
access control system would be disruptive to
their daily business, while 55% cite cost as the
biggest misgiving when it comes to upgrades.
Despite the perceived disruption, many sites
can be retrofitted using existing access control
hardware behind the scenes, with minimal
replacements needed to upgrade technologies.
Not having to start from scratch also helps to
significantly lower the costs of the operation,
making it a more cost-efficient venture with
minimal disruption to the host business.
Secure communication
A new access control solution must be flexible
such that end users don’t just see it as an
‘expensive way of opening doors’. Open
Supervised Device Protocol (OSDP) for secure
“Despite the perceived disruption, many sites can be retrofitted
using existing access control hardware behind the scenes, with
minimal replacements needed to upgrade technologies”
communication between field devices in a
physical access control system has gained in
importance, allowing for standardisation, more
flexibility and freedom of choice for security
and risk managers.
Flexibility also supports multiple applications
for managing not only physical access, but also
logical access applications, such as those
related to computers and software logins.
Additional access control systems – among
them secure print management – require an
associated card issued to users. This represents
a prime opportunity for organisations to
consolidate around a single access control
device, such as a contactless ‘wearable’ or
smart phone that combines access control with
other key functions.
By exploiting modern technology, such as
mobile devices, smart cards and ‘wearables’,
end users are afforded the opportunity to
simplify their access control devices: one
device with one credential providing access to
multiple areas and requirements.
It was found that nearly a quarter of
respondents to the IFSEC International survey
wish to manage multiple credentials across a
single device. With mobile access solutions,
multiple credentials are rolled into one and
stored on a lone device. The facilities or
security/risk manager is capable of controlling
access and distributing credentials to those
with the right security clearance.
Technology such as the latest high-frequency
access control systems ensure that security is
independent of hardware and media. This
makes it far easier for organisations to support
functionality and higher levels of data privacy.
Infrastructure security
Although there are clearly several perceived
barriers to the adoption of more sophisticated
access control systems, organisations are
placing an increased importance on
safeguarding their physical assets as this also
supports the protection of IT infrastructure.
This is mainly due to the belief that current
systems in place are adequate enough until
they’re proven to have failed, coupled with the
fact that a replacement system is perceived to
be an unnecessary expense.
Despite technological advancements, end
users are still content with cards and key fobs,
regardless of the lack of sophisticated security
and encryption contained in them when
compared with mobile access control solutions.
That said, the change to a more sophisticated
solution is likely to come from the employees
themselves, rather than the decision-makers at
the top of a given organisation.
36
www.risk-uk.com
4 July 2017
Hilton London Canary Wharf
Start your planning for 2018 at the Security IT Summit.
Meet with the most trusted solution providers, learn from industry thought leaders and connect with
peers over the course of the Summit, which is entirely FREE to attend for security professionals.
Topics covered include: Access Control • Anti-Virus Browser • Security Data • Theft/Loss • Malware
• Mobile Security • Network Security Management • Trojan Detection • UK Cyber Strategy
For more information and to register, please contact Liz Cowell on:
01992 374072 or l.cowell@forumevents.co.uk.
@SECIT_SUMMIT #SITSUMMIT
SECURITYITSUMMIT.CO.UK
MEDIA & INDUSTRY PARTNERS:
HOSTED BY:
Fashioning The Building Blocks of
Construction Risk Management
agenda specifically designed to combat poor
payment practice and help SMEs continue to
operate. From my own point of view, it’s simply
unacceptable that large businesses are
withholding payment owed to smaller
companies. This initiative should help prevent
some of the 50,000 construction business
closures that occur every year.
Every business in
every sector that
tenders for work has
to weigh up the
potential risks versus
the potential rewards.
However, in the
construction industry,
it’s increasingly the
case that subcontractors,
otherwise
known as Tier 2 and
Tier 3 contractors, are
being expected to take
a larger chunk of the
risk for a lower slice of
the reward. This is due
to the significant
challenges they’re
facing, as Carl Ghinn
observes in detail
As a business, we work closely with
contractors of all shapes and sizes, both in
the construction and M&E sectors. There
are several issues that they must factor-in when
addressing the delicate calculation between
risk and reward, among them the payment risk,
the pricing risk, the product availability risk and
the skills shortage risk.
One of the biggest risks facing Tier 2 and Tier
3 sub-contractors is cashflow. In a survey run
by the Specialist Engineering Contractors’
Group, it was revealed that the country’s top
contractors were owed over £1 billion in unpaid
bills from organisations within the public
sector, with sub-contractors bearing the brunt
of this, being owed at least £800 million.
Commenting on this matter, Rob Driscoll (an
advisor to the Cabinet Office) explained: “In
businesses of any size, late payment stifles
both investment and innovation. Our latest
survey of the market shows that far too many
public sector bodies are still ignoring the legal
requirement to enable prompt payment along
the supply chain.”
As of this month, large companies will have
to publicly report twice a year on their payment
practices and performance. The move is part of
the Conservative Government’s transparency
‘The Pricing Risk’
Price fluctuation is one of the major risks in the
construction world. During the tender process,
contractors are understandably expected to
cost every element. However, this is often for
projects that sometimes may not start for at
least another six months.
If their tender is accepted they will be held to
this price regardless of any marketplace
changes. Yes, in some cases prices do go down,
but in many instances they go up, leaving the
contractor with a much-reduced margin or even
a loss. As highlighted previously, these
payments are not always received quickly,
resulting in a considerably stunted cashflow.
Other industries have different and arguably
better approaches, among them the operation
of a cost-plus model, which effectively protects
the contractor while at the same time
promoting transparency.
Rising costs are a great concern for many of
our customers. According to the Construction
Products Association’s (CPA) latest Construction
Trade Survey, there has been an 88% increase
in raw materials costs for civil engineering
contractors in recent times. Rebecca Larkin,
senior economist at the CPA, stated: “While
Government has a role to play in providing
certainty for projects, the industry will need to
find ways in which to navigate rising costs.”
Sadly, this is having an effect on morale in
the sector. Brian Berry, CEO of the Federation of
Master Builders, commented: “The optimism
that we saw emanating from many firms in the
construction sector during most of 2016 has
now diminished because of growing concerns
about rising costs.”
Last October, the price of steel increased by
8%. This was a huge problem for some of our
customers but, as we follow the markets
closely, we had decided to bulk-buy a large
number of products before this increase. With
the additional benefit of our 60-day credit
38
www.risk-uk.com
Risk Management in the Construction Sector
terms, we were able to soften the blow for our
clients who may need those products within the
next six months, reducing the risk involved.
Product availability risk
When we visit our clients on site, the subject of
product availability often arises. It’s a constant
concern for many that products are not going to
be available when they’re needed, whether
that’s due to last-minute orders or changes in
legislation causing an increase in demand.
One example which affected our customers
was Amendment 3 to the 17th Edition of the
IET’s Wiring Regulations. The revision changed
how professional electricians and contractors
should install wiring in escape routes so as to
prevent them from becoming blocked by the
premature collapse of cabling installations.
As a result, the sole use of plastic fixings and
cable ties no longer complies with the Wiring
Regulations, so our customers are starting to
use stainless steel cable ties and concrete
screws instead. In the event of a fire, they’re
capable of withstanding temperatures of over
500°C, significantly reducing the risk of cable
installations collapsing and causing unwanted
blockages in escape routes.
Initially, we found that the changes brought
about by Amendment 3 took their time to filter
through to contractors on site. However, we’re
now seeing a change in approach. While we’ve
stocked these items for a number of years,
we’ve recently witnessed a 124% year-on-year
increase in stainless steel cable tie sales and a
198% year-on-year increase in concrete screw
sales. This is just one example of how a change
in legislation can dramatically increase the
demand for particular product types.
Another issue our customers face is the fact
that many manufacturers are based in the
Midlands, making it difficult for contractors in
London and the South East to procure large
quantities of stock on a swift basis.
Furthermore, companies working within the
capital often don’t have the capacity to store
stock on site and don’t want to tie up valuable
cashflow in large stockholdings.
In addition, our customers are often affected
by changes in construction schedules driven by
other contractors and may need products
quickly and unexpectedly. Solution suppliers
need to guarantee that 100% of core lines are
always in stock in order to help customers
avoid additional cost and penalties.
In all honesty, it’s also a good policy to let
customers cancel any order up to two hours
before without any charge by way of
acknowledgement that these changes are often
out of their hands.
“The optimism that we saw emanating from many firms in
the construction sector during most of 2016 has now
diminished because of growing concerns about rising costs”
Skills shortage risk
It’s no secret that there’s a skills shortage in the
construction industry which is causing untold
difficulties for many. According to Arcadis, in
order for the Government to meet its housing
targets, the UK needs to recruit up to 400,000
construction workers each year until 2021, with
London and the South East needing to recruit
110,000 individuals alone. That equates to
approximately one worker every 77 seconds.
As a weaker pound has already resulted in
large numbers of Eastern European workers
returning home, contractors are having to pay
their staff more money in order to keep them,
thereby risking further reductions in margins.
The Royal Institute of Chartered Surveyors
(RICS) estimates that, should a hard Brexit take
place, the UK could miss out on an additional
215,000 migrant workers by 2020. On that
basis, the RICS has called on the Government
to prioritise building workers for visas in order
to go some way towards mitigating this risk.
Jeremy Blackburn, head of UK policy at the
RICS, explained: “A simple first step would be
to ensure that construction professions feature
on the Shortage Occupations List. Ballet
dancers will not improve our infrastructure or
solve the housing crisis, yet their skills are
currently viewed as being essential.”
Mitigating risk
There’s no doubt that mitigating risk has played
a big part in shaping the way in which
construction sector companies and their
suppliers operate in this day and age. Many of
our clients consistently have to weigh up the
very real possibility of losing money for every
job upon which they embark. They face onerous
changes in legislation, not to mention
difficulties in procuring last-minute orders and
a looming skills shortage.
All of this is combined with increasingly tight
margins and a tendency by first tier players to
push all of the risk on to sub-contractors by
implementing severe penalties for failures –
such as failed deliveries or supply of the wrong
product – that may be outside of their control.
By working closely with a specialist supplier
who understands the challenges faced by the
business, organisations in the construction
sector can at least mitigate some of those risks,
thereby allowing them more time to focus on
the core business of the day.
Carl Ghinn:
Managing Director of Fixmart
39
www.risk-uk.com
Intelligent Prevention is the Future
Camera models
developed in the new
generation of HD IPbased
video
surveillance
technologies are
offering end users
something more than
just better quality
images. Tristan Haage
examines the wider
impact of innovation
within this specialist
field and how it’s
actively helping to
solve more real world
problems in many
intelligent and
productive new ways
40
www.risk-uk.com
According to the latest statistics released by
the German Insurance Association, every
five minutes a fire starts at a company
facility somewhere in Germany. The resulting
financial damage amounts to several billion
Euros on an annual basis. The number of
burglaries within Germany has also
dramatically increased over the past five years
(by a figure of 30%, in fact).
Meanwhile, the crime-solving rate for
burglaries at commercial buildings and
factories is less than 20%. All of this clearly
illustrates how important burglary and fire
prevention really are in the real world. In terms
of that last point, for Germany read the UK.
Intelligent security solutions with video and
thermal technology not only help solve crimes
in the event that they do occur, but also help
prevent criminality from occurring in the first
place. Given the rise in property theft, costefficient
and effective security solutions have
become ubiquitous with more and more
companies deciding to use video technology to
monitor their buildings, systems and premises.
That’s not surprising, as the financial damage
caused by theft, vandalism or fire can be quite
significant for an organisation. Not only do such
events incur direct material damage, but they
can also negatively impact productivity and,
consequently, cause insurance premiums to
increase. This has led to a greater focus on
crime prevention in which developing video
technology can play a crucial role.
Conventional video cameras realise video
material that makes it easier to solve crimes,
provided that the image quality is good enough
and the recording process is fail-safe. However,
many of the video systems currently available
on the market and installed don’t actually meet
these minimum requirements for end users.
The end results they realise are often
insufficient for capturing the evidential quality
images needed by investigators. According to a
study last year by market analyst IHS Research,
the majority of cameras sold today still have a
maximum resolution of three megapixels. Many
models are limited due to the low-light
sensitivity of their image sensors, which results
in motion blurring under poor lighting.
Moreover, the quality of a camera system
isn’t only determined by the clarity of the
moving images it records during day and night,
but also by whether or not it’s fail-safe. A
number of factors play a role in this: the
robustness and reliability of the camera as well
as the option to record on the camera itself in
the event of a network failure such that vital
image data crucial to solving a crime isn’t lost.
As a result, this has energised newer video
surveillance systems that use a decentralised
model placing as much intelligence as possible
in each camera. In this way, image processing
and analysis can still be carried out without the
need for a central server or Control Room.
Intelligent video analysis
New decentralised cameras not only serve to
provide images, but are also equipped with
high-performance computing and intelligent
software applications that make the video
system more efficient, and notably so when it
comes to preventing crimes and subsequent
damage. This is because an intelligent camera
will only spring into action when truly
necessary by dint of smart motion detection
software and analytics that enable reliable
alarm management.
For example, if somebody enters the
company premises within a specified time
frame, a given camera automatically plays an
announcement over the loudspeaker and
switches on additional lighting to scare off
undesired visitors. The camera can also notify
selected employees or the presiding security
company via VoIP telephony or e-mail.
Particularly advanced systems use intelligent
camera software that allows moving objects to
be differentiated from one another by their size,
CCTV and Surveillance: HD Technology and IP Solutions
depending on their position in the image. Using
this kind of 3D motion detection reduces false
alarms caused by the movement of birds or
small animals, for example, as well as sources
of interference such as trees or camera poles
swaying in the wind.
This trend towards camera systems
possessing a higher degree of intelligence,
intelligent motion detection software and active
alarm management is essential for highperformance,
preventative security solutions
that can promptly communicate to help prevent
break-ins and other hazardous situations.
When it comes to crime, theft from
commercial sites happens more often at night
and over the course of a weekend. The hours of
darkness are perceived as offering some
protection against detection, and it’s here that
older video surveillance technologies are often
hampered by lower night-time light levels.
In response, the newer generation of
intelligent video security solutions are now
adding thermal imaging technology which
provides many additional advantages. Dual
cameras featuring an image sensor and a
thermal sensor can be used to securely detect
moving objects across long distances based on
their thermal radiation, even in total darkness.
While the thermal sensor reliably records
movements, the high megapixel image sensor
simultaneously provides crisp video footage in
which people and actions can be precisely
identified in each individual frame – an
important factor in investigating a crime. To aid
this process at night, an intelligent camera
system can switch on a light source during
motion detection to boost its ‘thermal eye’.
A dual camera with both an image and a
thermal sensor not only enables effective
building and perimeter protection, but also
helps to protect privacy, which is particularly
important in public areas such as swimming
pools, sporting facilities and hospitals. The
thermal image shows a temperature profile that
doesn’t allow individuals to be recognised in
detail. When configured to do so, the dual
camera system automatically switches from the
thermal image to the image sensor and records
a high-resolution video sequence as soon as an
individual moves in the surveilled area.
Process monitoring
The advantages extend beyond pure security as
video and thermal technology is increasingly
being used as a method of identifying
hazardous situations during production
processes. For example, in the food industry,
video cameras monitor processes for quality
control purposes and, within manufacturing,
“Robust, high-quality cameras that can withstand
temperature fluctuations and moisture are absolutely vital
for today’s busy production facilities”
detect the correct operation of machinery. The
cameras used for this are often high-resolution
hemispheric models with a 360-degree view in
addition to a digital zoom option.
Robust, high-quality cameras that can
withstand temperature fluctuations and
moisture, and which are designed without
moving parts to be practically maintenancefree,
are vital for busy production facilities.
Dual cameras that feature a specially
calibrated thermal radiometry sensor alongside
an image sensor can also monitor temperaturecritical
processes. The intelligence in these
systems is also necessary for preventing
damage through overheating or fire. In the
event that temperatures exceed or fall below
defined limits, as well as in the event of a rapid
increase in temperature, the system
automatically triggers an alarm.
When these systems are integrated within a
SCADA system for monitoring and controlling
production in a given environment, the process
can be stopped and a cooling procedure started
before damage occurs.
Return on investment
Considering the high cost of both security
issues and production losses, an investment in
high-quality video security solutions featuring
robust, fail-safe cameras with intelligent
software offers a significant long-term return.
This is because the intelligence in these
cameras, along with higher quality imagery, is
necessary for analysing the collected data,
recognising hazards and triggering actions
designed to protect against risks and prevent
financial loss through theft, vandalism or fire.
Intelligent camera systems incur fewer total
costs than a conventional video solution,
allowing pay-back within a short period of time.
One of the reasons why is because, as stated,
image processing and analysis take place on
the camera itself while recording on a network
storage device is carried out only in response to
events instead of permanently requiring data to
move to a centralised location for processing.
Additionally, the cameras can save data
internally in the event of a network failure.
For many organisations, prevention is the
future. When it comes to purchasing a video
security system, the benefits offered by
intelligent solutions are now becoming the
deciding factor rather than the retail cost.
Dr Tristan Haage:
Chief Sales Officer at MOBOTIX
41
www.risk-uk.com
Evaluating The Balance of Power
While space in a Data
Centre is key, so too is
ensuring business
continuity, efficiency
and productivity. This
is precisely why
Uninterruptible Power
Supply solutions will
become even more
vital in the
manufacturing sector,
and particularly so
given the advent of
Industry 4.0. Leo Craig
has the fine detail
42
www.risk-uk.com
According to a recent report compiled by
Tech Nation, the UK’s tech sector is
growing faster than the UK’s economy. In
fact, the UK leads in Europe, attracting £28
billion in tech investment since 2011 compared
to £11 billion in France and £9.3 billion in
Germany. The impact of this growth in tech is
being felt across many sectors, but none more
so than in the industrial sphere, where digital
manufacturing is becoming more commonplace.
Also referenced as the Fourth Industrial
Revolution, Industry 4.0 is set to transform the
manufacturing and production world through
new digital innovations which will improve
productivity. Industry 4.0 is all about the
current trend of automation and data exchange
in manufacturing technologies, encompassing
cyber-physical systems, the Internet of Things
and cloud computing.
At its core, Industry 4.0 creates what has
been called a ‘smart factory’. Within the
modular structured smart factories, cyberphysical
systems monitor physical processes,
create a virtual copy of the physical world and
make decentralised decisions. Across the
Internet of Things, cyber-physical systems
communicate and co-operate with each other
and with humans in real-time. Via the Internet
of Services, both internal and crossorganisational
services are offered and used by
participants of the value chain.
There are four design principles in Industry
4.0 that support companies in identifying and
implementing Industry 4.0 scenarios:
• Interoperability: The ability of machines,
devices, sensors and people to connect and
communicate with each other via the Internet of
Things or the Internet of People
• Information transparency: The ability of
information systems to create a virtual copy of
the physical world by enriching digital plant
models with sensor data. This requires the
aggregation of raw sensor data to higher-value
context information
• Technical assistance: First, the ability of
assistance systems to support humans by
aggregating and visualising information
comprehensibly for making informed decisions
and solving urgent problems on short notice.
Second, the ability of cyber-physical systems to
physically support humans by conducting a
range of tasks deemed to be unpleasant, too
exhausting or simply unsafe in nature
• Decentralised decisions: The ability of cyberphysical
systems to make decisions on their
own and perform their tasks as autonomously
as possible. Only in the case of exceptions,
interferences or conflicting goals are tasks then
delegated to a higher level
From the Industrial Internet of Things and
robotics through to 3D printing and Artificial
Intelligence, the digitisation of manufacturing
will inevitably increase the demand for Data
Centre storage. While space in a Data Centre is
key, so too is ensuring business continuity,
efficiency and productivity.
Disastrous consequences
Power fluctuations and disturbances can have a
major impact in the industrial sector. At a largescale
manufacturing plant, for example, a
power shutdown or breakdown in the supply of
monitoring/control information may engender a
disastrous effect on productivity which,
ultimately, could adversely impact the
business’ bottom line. Statistics show that even
one unplanned downtime event can cost a
manufacturer somewhere around £1.6 million,
but in truth the real cost could be even higher.
Having a back-up power supply in place in
the form of a UPS solution is absolutely key for
a facility to be able to operate safely until such
time that full power is restored.
Machinery is vulnerable to numerous
electrical anomalies, from voltage sags and
spikes through to harmonic distortion and
other interruptions. When you consider that
45% of equipment failures occur due to voltage
disturbances, the importance of keeping
Power Supply Continuity and Management
voltage stable and minimising instances of
downtime becomes abundantly clear.
In this situation, a UPS can really come into
its own to not only protect against power
outages, but also in terms of operating as an
effective power conditioning unit. It works by
smoothing out sags, surges and brownouts to
provide a clean and stable power supply.
Ultimately, this prevents damage to sensitive
and more often than not expensive electronic
equipment. A UPS needs to be in online mode
to give full protection against the ‘dirty’ power
that causes disruptions to Data Centre services.
It’s also possible to use a UPS solution solely
as a power conditioner without batteries.
Batteries can only be kept in environments up
to 40 degrees Celsius so this method allows a
UPS to operate in higher temperatures. For
example, offices next to heavy industry, such as
cranes moving cargo at docks, can be affected
by flickering lights. In this situation, a UPS may
be used as a power conditioner on the power
supply to prevent this from happening.
Maintenance considerations
Manufacturing equipment should be subject to
regular maintenance to help reduce instances
of downtime caused by malfunction. While
most manufacturers have a maintenance plan in
place for standard equipment, it’s also
important to consider the UPS equipment. In an
industrial scenario, you simply cannot afford for
your equipment to fail. In turn, the UPS
supporting this must be maintained as well.
Given that it’s an electrical device, a UPS can
and will go wrong at some point in its lifetime.
A maintenance plan not only affords the
business the peace of mind of having access to
technical expertise, but essentially saves the
host organisation money by ensuring that the
lifespan of technology is maximised.
UPS maintenance plans are designed to
provide more comprehensive cover than a
warranty as well as a guaranteed emergency
response time defined in working or clock
hours. For example, with certain plans the end
user can choose between Silver (12 working
hours), Gold (eight working hours) or Platinum
(same day, four clock hours) maintenance.
These are guaranteed response times.
Having a maintenance agreement in place
with a trusted technical expert also affords the
end user 24/7 service availability and access to
spares. Foremost suppliers will stock all spare
parts/components in strategically placed
warehouses combined with a stock holding at
headquarters where UPS solutions of up to 500
kVA can be ready for immediate dispatch
within 24 hours.
Maintenance agreements can also cover
regular preventative engineer visits, firmware
updates and fully comprehensive cover as well
as remote monitoring and diagnosis.
Agreements are available either in or out of
warranty, although be aware that the ‘out of
warranty’ costs can rise. Best Practice would be
to request a price from your UPS supplier for a
fixed price maintenance plan.
Manufacturing’s future
With such a high cost placed on downtime,
manufacturers cannot afford to ignore power
protection like UPS and the importance of a
good maintenance plan. Complex industrial
installations are critical and require an
exceptional level of resilience and reliability
under all operating and environmental
conditions. Having the right UPS in place will
not only afford the host business peace of mind
if machinery does fail, but will also realise the
added reassurance that instances of downtime
will be reduced.
In manufacturing, the UPS can also be
deployed as a frequency converter allowing
conversion between 50 Hz and 60 Hz. The input
of the UPS will accept anything from 48 Hz-52
Hz, while the output can be selected to either
50 Hz or 60 Hz. Combining an output of the UPS
with a step-down transformer simulates
American electrical supply conditions, which is
ideal for testing equipment that may be used in
export applications.
On the output side, the transformer must be
matched to the rating of the UPS. On the input
side, the transformer needs to be oversized in
order to cater for input power factors, battery
charging and operating losses. When using the
UPS as a frequency converter, the static bypass
facility will be inhibited.
The UPS is a clever device which also works
to constantly regulate the electricity supply and
gain precisely the voltage required. It works to
reduce the mains power supply of incoming
voltage such that it matches the electrical
voltage level required by equipment on site.
The output tolerance is normally 230 V, but
using the UPS it’s possible to set the voltage to
a specified amount, for example 215 V, 218 V.
Optimising the voltage for a given Data Centre
means that the host organisation will also be
maximising operational efficiencies.
Leo Craig:
General Manager of Riello UPS
“It’s very much the case that, at any large-scale
manufacturing plant, a power shutdown or breakdown in
the supply of monitoring or control information may
engender a disastrous effect on productivity”
43
www.risk-uk.com
BENCHMARK
Smart Solutions
BENCHMARK
Innovative and smart solutions can add value and benefits to
modern systems for customers. With the technological landscape
rapidly evolving, the Benchmark Smart Solutions project assesses
the potential on offer from system integration, advanced
connectivity and intelligent technology. Bringing together field trials
and assessments, proof of concept and real-world experience of
implementing smart solutions, it represents an essential resource
for all involved in innovative system design.
Launching in 2017, Benchmark Smart Solutions will be the industry’s only real-world resource for
security professionals who are intent on offering added value through the delivery of smarter solutions.
@Benchmark_Smart
Partner Companies
www.benchmarksmart.com
Insurance Rewards for Managing Security Risks
There’s no doubt that insurance can be a
wise investment, and particularly so if a
business potentially faces threats from
episodes of terrorism or activism that could
result in substantial losses and disruption, even
in those instances where the business and its
assets may not have been the principal target
of an attack.
How, though, does an insurer determine an
appropriate premium for covering malevolent
acts and, importantly, how does the insured
party determine whether a premium offers
them good value for money?
In answering these questions it’s perhaps
important to recognise that the insurance
industry itself is highly competitive. This has
the effect of driving down margins across the
sector. Thanks to the Government-backed Pool
Re reinsurance scheme, affordable cover is
available even for acts of terrorism.
With most perils, a premium will be
established based on historic data and claims
trends. Such data provides insurers with
sufficient insight to be able to predict the likely
frequency and magnitude of claims for different
types of buildings and infrastructure. In the
case of terrorism, acts remain few and far
between, but can be catastrophic when they do
occur. In combination with a constantly
evolving modus operandi and changing target
preferences, this can make it difficult for an
insurer to accurately predict the likely value of
claims or to offer a different rate for cover of
one type of building over and above others.
That tends to lead to premiums driven mainly
by the desired level of cover – typically the
building value – and the building’s location.
Such a pricing approach doesn’t recognise or
reward an insured party’s investment in
protective security. From the perspective of the
insured, the insurer might be seen to be
benefiting from their investment, with the
insured paying twice to mitigate the same risk:
once for risk transfer (insurance) and again for
risk treatment (protective security).
However, from the insurer’s perspective, the
complexity of securing built assets against an
array of constantly changing threats means that
no security system could ever be 100%
effective. On that basis, if rewards are to be
offered, then those rewards need to be
determined based on the effectiveness of the
insured in terms of managing security risks.
Security capability
How does an insurer determine an insured
party’s security capability? First, it’s important
to recognise that they must look beyond the
physical and technical security and risk
SABRE: Incentivising
Good Security in the
Built Environment
Property protection insurance isn’t a legal necessity, but
without it a building owner is liable to pay for any damage
their property may suffer as the direct result of a security
incident. In addition, a business may lose income and might
even face legal action related to property damage or injury
through negligence if such negligence is proven in a Court of
Law. With this in mind, Gavin Jones outlines a new security
risk management standard for the built environment
management measures that have been
deployed at the premises. These components of
a security system tend to receive most
attention in any given survey of a facility simply
because they’re the most visible manifestations
of security investment. However, if these
systems were procured without due regard to
the facility’s security requirements, they may
well be ineffective and, it must be said, even
give a false sense of security.
Equally true is the fact that, if there’s no
ongoing review of performance and a
commitment to continual improvement, security
that’s effective one day may not be so the next.
When reviewing current industry
performance, it quickly transpires that those
organisations with effective security share a set
of common attributes. These organisations
have defined objectives, adopt a systematic
and risk-based approach towards safety and
Gavin Jones: Associate
Director (Security and
Resilience) at BRE Global
45
www.risk-uk.com
Insurance Rewards for Managing Security Risks
*For far too long, security has
been seen as a grudge
purchase, in the main due to
a lack of transparency in the
industry and an inability to
communicate to C-Level
decision-makers what they’re
receiving in return for their
monetary investment in
security measures. With
SABRE, we’re seeking to
shine a light on security.
We’re providing a robust and
consistent means by which
organisations can measure
performance and, in doing so,
facilitating improvement and
better value for money
We’re at the start of a long
journey, but we have a great
opportunity to deliver better
outcomes and reduced costs
and stimulate innovation
Insurers, insurance brokers
and building owners
interested in finding out more
about SABRE should access
the SABRE website
(www.bre.co.uk/sabre) or
contact BRE Global via e-mail
at: SABRE@bre.co.uk
security, employ competent persons at critical
intervals, monitor and evaluate ongoing
performance and actively seek to continually
improve their performance levels.
These are the attributes seen in management
systems which, for many years now, have been
used to deliver quality, sustainability and
Health and Safety. Furthermore, organisations
are increasingly seeking third party certification
to such systems in order to communicate their
performance in these areas.
Using these observations, the BRE Trust
funded a research project designed to assess
the feasibility of developing a security risk
management standard for the built
environment. More specifically, a standard that
can be used to improve security performance,
communicate security credentials to interested
parties, reduce procurement risk and,
ultimately, award an independent certification
of an organisation’s approach towards security.
The standard would need to respond to the
requirements of different stakeholders at the
various stages of a built asset’s procurement
and use, while at the same time recognising
that the familiarity of organisations with risk
management and management systems can
vary quite substantially.
Development of SABRE
That research resulted in the development of
SABRE which is assessor-led and can be readily
applied to either new or existing facilities.
Successful assessments result in third party
certification that’s recognised around the world.
The SABRE assessment process is led by an
independent SABRE assessor whose role is
essentially two-fold. First, they’ll verify
evidence against each of the 70 technical
issues covered by the scheme. Second, they
will undertake a scenario-based assessment of
current security risks based on the specific
attributes of a facility and its security.
The SABRE assessor will determine the
assessment score and the corresponding star
rating, with one star indicating an ‘Acceptable’
rating and five stars highlighting an
‘Outstanding’ score. If a given facility doesn’t
achieve the SABRE scheme’s minimum
standards, it will receive an ‘Unclassified’ rating
and not be eligible for certification.
In essence, these ratings provide insurers
with the ability to compare their customers’
“Following in the footsteps of BREEAM, the BRE’s highly
successful standard for sustainability, SABRE is assessorled
and can be applied to either new or existing facilities”
capabilities and commitments around security
and risk management. In addition to insurance
considerations, it can also be used within an
organisation to better understand priorities for
investment and identify improvement
opportunities across a portfolio of built assets.
The assessment of security risks will
highlight areas of vulnerability that should be
prioritised for investment and, equally so, those
areas where resources are potentially being
wasted and where existing or planned security
control offers poor cost benefit ratios.
By adopting a security-minded approach
towards planning and design, security risks can
be removed or reduced at lower cost using
integrated solutions. SABRE also recognises
and rewards the implementation of information
security controls that protect information
relating to a project and its security. This is an
increasingly important issue given the rapid
adoption of Building Information Modelling and
the increasing cyber threat.
Once a facility is occupied there are
significant opportunities to mitigate security
risks, even without further capital expenditure
on physical security. SABRE provides those
responsible for building and facility security
with a robust security risk management system
template, allowing measurement and
benchmarking of current performance and the
ability to demonstrate continual improvement.
Successful piloting
SABRE completed successful piloting and was
launched last December. Early adopters have
already welcomed SABRE, recognising the
benefits that a structured, risk-based approach
brings to security, in turn supporting design
quality and facilitating innovation.
Kevin Gausden, senior consultant at Arup,
explained: “We pride ourselves on providing
our clients with an holistic, whole-life security
and resilience consulting service. This new
SABRE certification means that we can offer our
clients greater transparency on spending and
reinforces the need for a structured, risk-based
approach to security. It affords our clients
further confidence, allows us to continually
adapt and provide innovative technologies and
solutions and absolutely reinforces the need for
early consideration of security issues.”
The BRE has initiated discussions with
property insurers to explain how SABRE
certification can be used as a robust and
consistent indicator for informing risk-based
pricing. With a view towards increasing the
overall uptake of SABRE and allowing for its
global delivery, the scheme will be delivered by
registered assessors.
46
www.risk-uk.com
Because one size
The most comprehensive
range of UPS yet.
Provides power protection to data
centres and telecommunications
systems, IT networks and other
critical systems.
• Multiple sizes
• Advanced communications
•
• Maximum reliability
and availability
www.riello-ups.co.uk
0800 269 394
sales@riello-ups.co.uk
Examining The Myriad Security
Challenges Surrounding ‘Fake News’
The ‘fake news’
phenomenon presents
serious security
challenges for
Governments,
businesses,
communities and
individuals alike.
These challenges are
often complex
problems and, as
Alison Wakefield
rightly observes,
addressing them
requires sophisticated
solutions as well as
significant knowledge
and capability building
across both the
security community
and, indeed, the wider
population
The media has always carried a certain
amount of disinformation, some of which
may be seen simply as careless reporting
or gossip. However, in today’s technologydriven
media landscape, the problem is
magnified many times over. Propaganda and
disinformation need to be seen alongside forms
of cyber crime as representing another growing
‘cyber-enabled’ threat: activities that have been
so transformed by network technology that
they present Governments and organisations
alike with substantial security challenges.
Having played a significant role in the First
and Second World Wars, they’re now
recognised as a significant element of
contemporary ‘hybrid warfare’, as
demonstrated in Russia’s actions in the
Ukraine, being duly employed to undermine
confidence in national Governments and
manipulate democratic processes.
My interest in writing about this topic was
prompted by the welcome announcement at the
end of January of a House of Commons Select
Committee Inquiry on ‘fake news’ by the
Culture, Media and Sport Committee and a call
for written submissions. Respondents to the
inquiry are asked to consider fundamental
questions such as ‘What is ‘fake news’?’, ‘What
impact has ‘fake news’ on public understanding
of the world?’, ‘What responsibilities rest with
search engines and social media platforms?’
and ‘How might we educate people in how to
assess and use different sources of news?’
The Committee refers to growing public
mistrust in traditional news sources and a shift
towards the Internet and social media for
information, presenting a heightened risk that
the public are being fed untruths, particularly
so in light of concerns that the extent of ‘fake
news’ may have had a significant effect on the
democratic processes involved with the 2016
US Presidential Election.
The term ‘fake news’ is actually unhelpful as
it places a wide range of activities and story
types under a single heading. Misleading or
inaccurate journalism is a very different
challenge to a rumour about a publicly-listed
company spread by cyber criminals seeking to
make stock market gains, or a disinformation or
propaganda campaign perpetrated by a foreign
power or political grouping that fosters
political, religious or other unrest. Stories that
potentially fall under the ‘fake news’ umbrella
will, in practice, rest somewhere on a spectrum
of fakery, or perhaps a matrix in which the other
axis captures the level of intent to mislead or
the extent to which stories are true or untrue.
Notably, stories that are 100% false may
actually be easier to refute as being false, as
those that are only partially false may be more
effective in building on the truthful elements to
weave a more convincing lie.
Deliberate propaganda
Much of what’s currently being framed as ‘fake
news’ is in fact deliberate propaganda and
disinformation that needs to be recognised and
labelled as such. In the US, as stated ‘fake
news’ is said to have played a part in Donald
Trump’s election, and to have led to a shooting
at a Washington pizza restaurant.
With the French and German elections
approaching, Western European countries are
starting to respond to the challenge of anti-
Western disinformation from Russia, which has
long been an issue in Eastern and Central
Europe. The European Union’s East StratCom
Task Force was set up in 2015 to counter
Russian propaganda and disinformation,
recently reporting that it has found evidence of
a massive ‘fake news’ campaign targeting
European countries. In January. the Task Force
worked to correct a widely-shared false story
48
www.risk-uk.com
The Security Institute’s View
claiming that Germany’s oldest church had
been burned down by a mob of 1,000 Muslims.
In a report on Russian information warfare
published last year, Lucas and Pomerantsev
observe how the nature of online media, and
especially social media, allows propagandists
to play to audiences who are already
mistrustful of their own systems and seeking
information that confirms their biases,
identifying and exploiting ‘echo chambers’
where facts and fact-checkers have little effect.
Here in the UK, concern is building among
privacy campaigners and watchdogs about the
use of Big Data analytics for profiling citizens,
including for political purposes. Reports on the
strategy used by US data mining company
Cambridge Analytica as part of the presidential
campaign of Donald Trump and the referendum
campaign of Leave.eu give an insight into how
political messages can be tailored to individual
social media users through the data analytics
of online activity. This is likely to become a
common feature of political campaigning in the
future. As a society, we need to do more to
ensure that appropriate data protection
principles and safeguards are in place to keep
up with such technological advances.
Governments also need to take account of
the related problem that the credibility of
established media outlets such as the BBC is
increasingly being questioned and perhaps
actively compromised by wider political forces.
If this situation intensifies, where are we to turn
for trustworthy reports of incidents or events
that impact on our security?
Much of the responsibility for this rests with
politicians, as has been seen in the US, with the
risk of such behaviour spreading across our
own political system. We’re increasingly seeing
the label ‘fake news’ being misapplied to the
mainstream press in order to suit political
agendas. In the US, such efforts to undermine
the media recently extended to the exclusion of
news organisations like CNN and the BBC from
a White House press conference.
While it may be tempting for politicians to
exclaim ‘fake news’ in response to criticism,
this sets a dangerous precedent. Journalists
and editors need to protect their interests – as
well as the national interest – by proactively
challenging such misuses of the phrase.
Dealing with a crisis
In a recent article in Politico Magazine, the
point was made that President Trump’s alleged
attempts to discredit the press and scientific
community could later serve to undermine his
administration’s capability to deal with a major
crisis. Events such as the Ebola crisis require
evidence-based understandings of the
problems at hand, trust between partners
involved in responding to the crisis and
effective public information campaigns
orchestrated to communicate risk information
and advice to the public. If such elements are
lacking then the crisis response will inevitably
be seriously impaired.
Propaganda and disinformation themselves
belong on the registers of major risks to
national Governments and corporations as
threats to their strategic objectives, reputation
and continuity of operations. These activities
may undermine democratic systems or stir up
community sentiment on an issue to such a
degree that it boils over into civil disorder, and
so need to be included in emergency
preparedness strategies of scenario planning
and exercising. One of the underpinning
features of a crisis is the erosion of the
infrastructure (ie power, telecommunications
and transportation systems) on which a
response strategy is dependent. If trust in
public information is undermined, the capacity
to make judgements is equally impaired.
In the corporate world, the brand is often an
organisation’s biggest asset. Misinformation
presents significant reputational risks and may
be employed by competitors or cyber criminals
seeking to gain stock market advantages. Back
in 2013, a hacker posted a bogus tweet by the
Associated Press about an explosion at the
White House which led to over £90 billion being
temporarily erased from the US stock market.
Companies are typically alerted after the fact
when share prices are already moving. A recent
report produced by BrandProtect and The
Ponemon Institute concludes that the threats
posed to companies by online incidents and
cyber attacks falling outside of the traditional
corporate security perimeter are high, yet the
capabilities to mitigate them are low.
‘Fake news’ presents a further threat to
companies and individuals as a tool for social
engineering, itself a significant dimension of
cyber crime as discussed by James Scott in a
report for the Institute of Critical Infrastructure
Technology. This type of threat sees both ‘fake
news’ and real news being ‘weaponised’, with
trending stories and sensational headlines
being used to draw people’s attention. Lures
range from the very basic to the highly tailored,
based on individuals’ social media activity.
Dr Alison Wakefield FSyI:
Vice-Chairman of The Security
Institute and Senior Lecturer in
Security Risk Management at
the University of Portsmouth
“Much of what’s currently being framed as ‘fake news’ is
in fact deliberate propaganda and disinformation that
needs to be recognised and labelled as such”
49
www.risk-uk.com
Female Business Travel Risk:
A Need for Special Treatment?
Business travellers will
always face a degree
of risk, and
particularly so when
venturing into an
unfamiliar
environment where
most individuals
speak another
language and have
different customs. An
increasing number of
today’s organisations
realise they can lessen
or avoid prohibitive
legal and/or financial
consequences by
proactively working
ahead of time to
reduce employee risks
during trips overseas.
Darren Carter delves
into the fine detail
Darren Carter: Head of Group
Security at Edwardian Hotels
London and Hotel Sector
Security Lead for ASIS UK
Despite the ever-present – and seemingly
increased – risk posed to business
travellers in today’s world, we continue to
see a vast amount of business travel taking
place right across the globe. Recent research
suggests that the proportion of those business
travellers who are female is now as high as
45%-50%: a direct correlation with the
increasing numbers of female executives
appointed into senior management roles.
On that note, I was recently invited to take
part in a panel discussion about this very
subject. The discussion was observed by a
varied audience of experts and interested
parties, among them travel managers, safety
and security managers and hotel and travel
agency staff. The premise for the discussion
was ‘Safeguarding Female Business Travellers’
and whether enough is being done to meet the
safety and security needs of that cohort.
Is there really a strong case to be made for
any ‘special treatment’ of females when, in
2017, most large companies will have gender
equality placed very highly among the key
‘must achieve’ tasks?
Two decades ago, when I first entered the
world of hotel security operations, we were
talking about female business traveller security
at that very juncture, so this isn’t by any means
an emerging subject. The discussion we held
during this latest gathering was in fact very
insightful and clearly demonstrated – at least in
my own mind – that there may well be a case
for special arrangements to be made that meet
both specific and defined needs.
More generally, travel risk for any category of
traveller has shifted significantly in the past
ten-to-15 years in particular. The completely
unpredictable nature of terrorism and rapidly
changing environmental conditions affecting
the travel and transport industry alone are two
areas where an impact can be felt.
As companies examine areas in which they
could potentially trim their costs, travel can
often suffer with significant reductions in
budgets. In some cases, this may considerably
alter the risk profile of a given business trip.
Is travel necessary?
In many respects, the question should be asked
as to whether the need for travel is absolutely
necessary. Indeed, even where there’s no
pressure being placed on budgets, this should
be the first question to be posed when
considering any business excursions.
Placing a rate cap on hotel accommodation
can often introduce further elements of
increased risk whereby there may be inferior
safety and security facilities at the chosen
property, in addition to less ably-equipped
staff. The area in which the hotel resides could
make it more susceptible to crime.
Where can hotels begin to customise their
business? How about tailor-made services for
female business travellers? Should the
arrangements made here be any different than
those chosen for other female or male guests?
Not for the first time, it was suggested that
hotels consider offering a ‘female only’ floor: an
area of a hotel completely off limits to male
guests, exclusively booked for ‘women only’
business travellers. I’m not entirely comfortable
with this concept. It feels a little odd to
completely isolate a group of people from the
rest of the hotel population. If it were the case
that guests occupying this class of room found
themselves in trouble, there would be no male
guests nearby who may come to their aid.
Commercially, such a scenario would be
almost impossible to deliver, both in terms of
honouring a brand promise or maximising
revenue returns. If a hotel had completely sold
out of its inventory with the exception of this
standard of room then it would most definitely
be sold to the first applicant who could well be
a male guest. Back in 2014, a Danish hotel was
found by a Court of Law to have discriminated
when it opened with a ‘female only’ floor offer.
CCTV and access control
From a safety and security perspective, such a
concept wouldn’t offer anything more than a
standard hotel bedroom. Most hotels will now
provide guests with key card access control to
lifts and bedroom corridors, alongside an
almost blanket coverage of CCTV throughout all
guest areas. If there were enhanced levels of
safety and security realised as part of this
‘upgraded’ room type, it would ask some fairly
challenging questions in times where guests in
other rooms become aware – or, worse still, are
an actual victim – of an act of criminality.
Most upscale hotel businesses will have a
constant product development programme in
50
www.risk-uk.com
In the Spotlight: ASIS International UK Chapter
place which reaches for competitive advantages
over peer groups in what’s an extremely
dynamic and ever-changing market. Safety and
security are featured prominently in the design
process, building environments which are
appealing and functional, but also as safe and
secure as possible. Procedures are then
constructed around them to further support
that environment.
The mere mention of a hotel room number at
the check-in desk could compromise the safety
of a lone female business traveller. Procedures
are in place to ensure no room numbers are
mentioned at all to any guest when checking in
to a hotel. This is common practice, although
not 100% observed in my experience.
In addition, there are a number of other areas
within a hotel operation where we constantly
strive to minimise risk and promote safer and
more secure businesses.
There are many people involved in the endto-end
process of planning for business travel.
Each individual will have made decisions which
may either provide for a problem-free safe
journey or lead to serious – and potentially lifethreatening
– situations arising.
The victims of crime – which may involve a
phone snatch or a bag theft – will often say that
the episode “came out of the blue” or
“happened so quickly”. Invariably, if we can
analyse such incidents a little further, we often
see a series of events or clear indicators that
the crime could – or was about to – happen. In
truth, it’s often lack of awareness which leads
to someone being targeted by a criminal.
Unprepared for travel
Often, it’s the case that individuals are
completely unprepared when they travel. Only
when they run into problems is this ever
identified. It’s a little like travelling without
insurance: it’s unthinkable in today’s world that
anyone would even consider this. As hoteliers,
we provide help and support to our guests,
even more so when they’re experiencing a time
of crisis, when they’re the victim of a crime, a
serious injury or a bereavement or even if
they’re just simply having a bad day.
A common and often surprising fact is how
little capacity a business traveller will have to
manage the situation in which they find
themselves. Often, we can and do resolve a
multitude of issues. What this does say is that
the individual’s employer may not be
adequately preparing them for travel, the
employee may not be listening or the advice
being given is wrong or not extensive enough.
Continuing this theme, I would strongly
encourage all visitors to a hotel to make use of
the in-room safe. It’s there to provide added
security. At the very least it may delay access to
a ‘would be’ burglar or even prevent the theft of
valuable property and travel documents.
Preparing employees to be able to deal with
a range of predictable situations in the
workplace is, of course, the responsibility of
their employer, whether for travel purposes or
otherwise. Business travel introduces a
dramatic uplift in risk, whereupon an employee
is exposed to a much greater selection of
scenarios. Without doubt, it’s the responsibility
of the individual to ensure that he or she is
ready for travel, fully-briefed and absolutely
comfortable with the information provided. If
not, they should challenge it or otherwise seek
alternative advice or guidance, only travelling
when totally satisfied.
What was abundantly clear at the recent
panel discussion is that there’s a detailed
debate to be had about the future of travel
security in general, and not just for female
business travellers. It’s always right and proper
to question whether the advanced planning in
place is as good as it can possibly be.
“There are many people involved in the end-to-end process
of planning business travel. Each individual will have made
decisions which may either provide for a problem-free safe
journey or potentially lead to serious situations arising”
51
www.risk-uk.com
Right now, there’s a
lack of skilled fire
alarm technicians,
with very few young
people entering the
industry. Companies
left, right and centre
are struggling to hire
and keep hold of more
experienced
technicians, with
others simply jostling
for that one extra
cherry on the top of
the cake that might tip
the balance in their
favour and pull in
more customers.
Martin Duggan
considers the shape of
a formal qualification
in fire detection and
alarm systems
52
www.risk-uk.com
Fire Detection and Alarm Systems:
Envisioning a Formal Qualification
There’s so much talk about the need for a
formal qualification in fire detection and
alarm systems, but to date no-one has
actually considered in any great depth what
such a qualification might look like. Certainly,
with so many different job roles, there are many
areas that need to be covered.
Think about it for a moment. What does a fire
alarm maintenance technician need to know
when compared to a system designer? What
about an installer or a commissioning
technician? These are all different areas of
expertise with a significant amount of overlap,
yet also with a different knowledge requirement
for each job function. Is it feasible to have a
‘one-size-fits-all’ approach to fire detection and
alarm systems? What would each person in
each job role need to know?
I’m glad to say that, after receiving the
results from a survey we sent out to our
members, we now have a much clearer insight
in terms of the answers to these questions.
We also held a ‘Voice of the Customer’ Day,
where Fire Industry Association (FIA) members
were invited to tell us what areas would need
to be covered for each job role. In addition,
members also considered the lack of a defined
career path for those joining the fire industry.
The results of the survey state what the top
areas of learning would need to be for each job
role, while the ‘Voice of the Customer’ Day
allowed FIA members to air their opinions and
suggest paths of study for times ahead.
The Maintenance Technician
No less than 15 topic areas were revealed to be
important in this job role. A basic grounding in
electronics may be needed. Unfortunately, this
isn’t a required subject at school so those
joining the industry don’t always have firsthand
knowledge. 98% of those surveyed stated
that understanding BS 5839 is necessary.
No surprise there, but a qualification would
have to afford a solid foundation in the whole
standard, as well as cover the maintenance
standards in greater detail. Other areas such as
waste management, communication and sales
skills, simple design principles and knowledge
of BS 6266 Fire Protection for Electronic
Equipment were also duly highlighted.
Additionally, other areas that are not covered
by current training were pointed out by
members at the ‘Voice of the Customer’ Day,
with 87% stating that the Health & Safety at
Work Act is particularly important.
The survey also revealed some other topics
of note: documentation/certification (91% of
respondents said this would be required),
testing methodology (90%), fire detection and
alarm technology (75%) and a strong grounding
in current fire legislation such as the Fire
(Scotland) Act and the Regulatory Reform (Fire
Safety Order) 2005 (67%).
The Installation Technician
The ‘Voice of the Customer’ Day revealed some
useful insight, namely that it shouldn’t be a
requirement to be a maintenance technician
prior to being an installation technician. In fact,
it was revealed that installers often moved into
maintenance at a later stage. As such, the level
of knowledge should still be high, but with less
topic areas required.
For the system installer, eight topic areas
were compiled compared to the 15 topic areas
for the maintenance technician. Again, no
surprises here. The survey revealed that 96%
voted for a broader understanding of BS 5839
to be required, as well as a focus upon the
installation and testing standards, which many
feel ought to be covered in greater detail.
No less than 88% of respondents felt that the
Health & Safety at Work Act is important.
Members attending the ‘Voice of the Customer’
Day confirmed this belief, stating that an
awareness of asbestos and working at height
would be necessary. As is the case for the
maintenance technician, a need to cover system
documentation and certification is also going to
be necessary in any qualification for this role.
Other areas included electrical competency
(77% of survey participants said this was
important), understanding BS 76761 17th
Edition (67%), understanding current
legislation (58%) and a comprehension of the
Building Regulations (56%).
In order to be completely up-to-date with
present technology, electrical competency
should also cover in some depth subjects such
as electronic principles and data
communications, possibly as separate areas.
“Communications are changing,” was the
opinion of one survey respondent. “Installation
engineers in our sector need to have an idea of
IT infrastructure and data connections such as
Ethernet/fibre optics.”
FIA Technical Briefing: Fire Detection and Alarm Systems
The System Designer
The role of the system designer was assumed
to be a much more advanced position by the
group of professionals present at the ‘Voice of
the Customer’ Day – not just in terms of
standards relating to fire safety systems, but
also in view of current legislation, present fire
guidance and the Building Regulations.
A system designer needs to know a lot more
than an installer or maintainer and, as such, the
amount of study required would be
considerably more. 90% of respondents to the
survey suggested that understanding building
design was essential to the role, alongside 83%
stating that understanding the Building
Regulations is important.
Clearly, a working knowledge of the built
environment is vital to the role and, as such,
would need to be studied.
There were also many other additional skills
mentioned, such as an ability to use and
understand Computer-Aided Design, an
understanding of the Equality Act and a need
for ‘soft skills’ around the subjects of
communications, sales and Health and Safety.
A formal qualification for this career path
would need to cover a wide range of areas and
be robust enough to afford the designer a
starting point for his or her future projects.
The Commissioning Engineer
There were a number of different opinions
expressed about whether a commissioning
engineer would have been an installer or a
maintainer prior to becoming a commissioning
engineer. Those at the ‘Voice of the Customer’
Day felt that this would not be a job role taken
upon entering the industry. Most individuals
would have been a maintenance technician or a
systems installer at some point beforehand.
Skills for this role are likely to be similar to
the maintenance technician or installer, but
with a few slight differences. The results of the
survey were very clear: 100% of respondents
said the BS 5839 commissioning standards
would be required, 95% felt that there was a
need to have a foundation level understanding
of the whole of BS 5839, 94% thought faultfinding
was a necessary skill and 87% felt that
false alarm management and simple design
principles respectively were important. Another
80% wanted their commissioning technician to
have instructional techniques.
At 62%, electronic knowledge here wasn’t
seen as being quite so vital, but is still deemed
more important to the commissioning
technician than the maintenance technician.
Looking to the future
The future of the fire safety industry certainly
does seem to hinge on the need for those
working in the realm of fire detection and alarm
systems to be more comprehensively educated.
There also needs to be a pathway for new
people to join the industry.
While the new ‘Trailblazer’ apprenticeship
scheme represents a great start for those
joining straight from school, there’s still a huge
need for those already of working age to find a
way in which to join the industry – and the only
real way is through a qualification.
A formal qualification is something that the
industry both desires and needs. A blanket
‘one-size-fits-all’ qualification isn’t going to be
sufficient for the fire industry – we need one for
each of the different disciplines within the fire
alarm and detection sector, since being a
designer is so different from the role of a
maintainer or installer (and so on).
A formal qualification might be just the thing
to open the door to a bright new future, but it’s
up to the industry itself to walk through it.
Martin Duggan:
General Manager of the Fire
Industry Association
“The results of the survey state what the top areas of learning would need
to be for each job role, while the ‘Voice of the Customer’ Day allowed FIA
members to air their opinions on paths of study for the immediate future”
53
www.risk-uk.com
Examining The Changing Face of The
Private Security Industry in 2017
The security landscape
is still in transition,
but there are clear
trends developing, the
origins of which date
back to two significant
incidents in 2001 and
2008. Paul Harvey
recounts those events
and what has
happened since,
subsequently
outlining today’s
security model and
where it could – and
should – be heading in
2017 and beyond
54
www.risk-uk.com
The terrorist attacks in New York on
September 11 2001 and the resulting
responses had a significant impact across
the globe. That’s still true today. The world has
also recently witnessed a concerning increase
in global terrorism with horrific episodes in
Nice, Paris, Brussels and Germany.
Second, the Lehman Brothers bankruptcy in
2008, predominantly due to its involvement in
the subprime mortgage crisis, is considered to
have played a major role in the unfolding of the
global financial crisis during the late-2000s.
The UK security market wasn’t (and isn’t)
immune from the effects of global financial
instability. As a predominantly labour-based
business, the guarding sector in particular
requires large amounts of working capital. As
payments to the supply chain slowed, with – in
the more extreme cases – clients becoming
insolvent and leaving significant debt, the
financial pressure increased for many
companies. Banks were unable or sometimes
unwilling to support businesses of varying sizes
and some security companies failed. This
wasn’t necessarily related to profitability. It was
often purely as a result of cashflow.
Clients experienced downturns and,
inevitably, expenditure was reviewed. Often an
expensive purchase with no clear way of
demonstrating its value, security was analysed
with the intention of reducing or eliminating
cost. With pay rates largely set and the TUPE
Regulations protecting employees’ Terms and
Conditions, indirect overheads and margin
became the battleground for reducing charges.
Companies fighting for survival didn’t have the
luxury of considering the longer term. The need
to retain or secure new business became
critical. If you cannot differentiate on service,
then service-buying clients predominantly
select on price.
Thus the environment was created that
impacts us today. We hear of complaints about
low margins, but many businesses continue to
compete on price, often with unsustainably low
margins. The industry must hold itself to
account. The sector – and individual companies
within it – hasn’t been bold enough to stand up
and say ‘enough is enough’ and follow this
through with determined courses of action.
Legislative framework
The legislative framework for operation hasn’t
changed. There appears little appetite from the
Government to push forward with the proposed
agenda of compulsory business licensing. Nor
does there seem to be significant progression
in the Security Industry Authority’s Approved
Contractor Scheme. To be frank, then, it’s
incumbent upon service providers themselves
to be the agents of change.
Aside from the ongoing increase in statutory
areas such as pensions, the big agenda item for
2017 is the incoming Apprenticeship Levy.
Although companies will be required to
contribute to the scheme, at present there’s no
security guarding-specific apprenticeship.
Furthermore, there’s currently no provision for a
replacement to the City and Guilds scheme that
has been in place previously. There are
discussions around which organisation will be
the provider moving forwards, but as yet there
have been no takers. This means that there’s no
course – or training – in place for the money to
be spent which, given the amount of funding
this relates to, is quite simply staggering.
Apprenticeships have existed for a long time
in other sectors such as CCTV engineering.
Another case of a reactive sector, then?
According to the Infologue.com listings, the
Top 20 security companies (based on turnover)
control 71% of the UK market. Forward-thinking
companies are taking the opportunity to be
disruptive or find a niche that offers greater
success and, potentially, profitability. As a
result, 2017 will be a year in which the UK
Security Services: Best Practice Casebook
security market begins to benefit from the
platform created as it moves into the next
logical phase of the industry’s future.
The demand for change is being fuelled by
increasing levels of expectation and a
requirement for flexibility in service provision
called for by today’s discerning clients. Key
transformations are beginning to emerge,
namely specialism and expertise.
Specialism and expertise
First, there are the large-scale, national and/or
multinational businesses. They offer a wide
range of security and facility services, and are
predominantly (although not exclusively)
focused on high value and potentially multiservice
contracts. There’s a clear demand for
this capability. Competitors simply don’t have
the capability or scalability to compete, and nor
should they attempt to do so.
Second, there are organisations that will
continue to focus on specialist services, skills,
clients, contract sizes and geographies, etc.
These businesses truly understand their core
role and continue to be selective in how they
target growth and assess their value
proposition. Our own organisation falls into this
category. We’re focused on the central London
market. We know full well that our model
doesn’t fit everyone and we fully understand
our capability. We’re aware, for example, that
we don’t have the infrastructure to deliver
national accounts with multiple low value
contracts, so we don’t try to do so.
Third, the area where it’s possible to see
accelerated development in 2017, and which to
some degree is the most interesting, is that of
collaborative business partnerships
incorporating convergence and the alignment of
operational and security strategies.
Security suppliers with specific expertise will
be working collaboratively to deliver highperforming,
flexible and complimentary
solutions. The convergence of physical and
cyber security delivers improved information
sharing on risks and can result in synergies and
more effective leveraging of resources.
Convergence can provide the benefit of
comprehensive capability, but with no dilution
in expertise. Individual solution providers will
heighten their knowledge and competencies. In
most cases, there’s a clear lead on provision.
To position this, security is – and should only
ever be – a supporting functionality that’s there
to enable a client’s core business. Many
business operations typically work in separate
silos and use different information and tools.
This can lead to overlapping processes and
higher costs. To alleviate inefficiencies, there
will be a move towards integrating operational
and security risk management.
Integrating disciplines
Often, organisations manage operational risk
and security risk separately. This incorporates
areas such as threat and vulnerability
management and continuous monitoring as
well as incident management.
Security risk management isn’t just about
security operations, but rather a bottom-up
approach that drives ‘actionability’ against
threats, vulnerabilities and incidents in order to
provide assurances for businesses.
While separating both operational and
security risk management has been a common
practice, dynamic changes in the threat
landscape are forcing organisations to integrate
the two disciplines and therefore gain a more
holistic view of risk. The unfortunate truth is
that one can schedule an audit, but one cannot
schedule an attack, in any of its various forms.
In light of this, an integrated approach to risk
that takes compliance, threats and
vulnerabilities as well as business impact into
account will become Best Practice. Without a
clear understanding of the business criticality
that an asset represents, an organisation is
unable to prioritise its efforts. A risk-driven
approach addresses both security and business
impact to increase operational efficiencies,
improve assessment accuracy, reduce attacks
and enhance investment decision-making.
The transition from the traditional
client/contractor relationship into genuine
partner and trusted advisor, and a compliancedriven
approach to a risk-based model, enables
businesses to evaluate the ongoing definition,
remediation and analysis of their risk.
Remote access is an increasing risk, and
indeed for many organisations has become
their key security focus. Furthermore, the
insider threat remains a concern given the
deluge of interconnected devices available.
Looking ahead, the industry will continue to
be subject to evolution rather than revolution in
the short term, but the pace and appetite for
change is increasing. If you look closely
enough, business models are becoming more
specific, technically competent and
sophisticated. This is a critical factor for
success when it comes to corporate stability.
Paul Harvey:
Commercial Director of
Ultimate Security Services
“There appears little appetite from the Government to push
forward with the proposed agenda of compulsory business
licensing. Nor does there seem to be significant
progression in the SIA’s Approved Contractor Scheme”
55
www.risk-uk.com
Open Source Software: Risk Management
Designed to Combat the Vulnerabilities
Software has
transformed the way
in which we work and
live and is missioncritical
to an everincreasing
number of
organisations. Open
source is the
foundation of modern
applications, often
comprising as much as
90% of application
code. Gartner reports
that over 80% of
cyber attacks are
directed at
applications. With
open source
vulnerabilities often
exposing software to
security breaches,
Chris Fearon asserts
why open source risk
management is now a
‘must’ for businesses
56
www.risk-uk.com
Open source software is a vital component
in application development worldwide,
with open source components comprising
50% or more of many applications. Indeed, a
recent Forrester report takes those numbers
one step further, claiming that to address the
demand for more and better applications and
accelerate application development, developers
now regularly “use open source components as
their foundation, creating applications using
only 10%-20% new code.”
Obviously, the benefits of open source
software are hard to ignore. Businesses are
geared towards driving revenues with pressures
increasing on development teams to deliver.
With quicker lead times for development and
the competitive nature of applications, the use
of open source is an absolute requirement.
Even if they know that open source is a key
part of their firm’s success, some executives –
even those resident inside the IT Department –
might be surprised to find how much their
business’ solutions depend on open source and
how much open source they use to deliver
within a continuous integration environment
and on a continuous release schedule.
We regularly undertake code audits of
proprietary applications, often as part of
merger and acquisition activities. As part of
their due diligence, buyers need to ensure that
any software they’re acquiring as part of a
merger doesn’t also bring with it an
unacceptable level of risk or create Intellectual
Property issues. Firms may undertake static
and dynamic testing of code, but those tests
rarely identify potential open source issues.
Last year, we reviewed 200 business
applications for a report later issued under the
title ‘The State of Open Source Security in
Commercial Applications’. No less than 95% of
the applications we examined contained open
source components of some kind. The average
number of open source components we found
in each application was 105. Nearly 70% of the
applications had vulnerabilities in those open
source components, while 40% of the noted
vulnerabilities were rated as ‘Severe’.
More surprising was the fact that the average
age of the vulnerabilities was 1,894 days. In
other words, there’s a high likelihood of
vulnerabilities in many applications for which
potential attackers have had plenty of time to
develop exploits. Indeed, 10% of the
applications we reviewed in 2016 were still
vulnerable to the infamous Heartbleed bug in
the OpenSSL cryptographic library some two
years after this vulnerability was first disclosed.
Unique security risks
If this is making open source sound insecure,
that’s not my point. Open source is neither less
nor more secure than proprietary software.
However, open source vulnerabilities can pose
unique security risks. Due to its ubiquity,
attackers see popular open source as a targetrich
environment. In the same report cited
earlier, Forrester also notes that: “One out of
every 16 open source download requests is for
a component with a known vulnerability.”
Information is publicly available on known
open source vulnerabilities as well as detailed
instructions on how to exploit them. As soon as
a vulnerability is reported, a means to exploit
that vulnerability is almost always
simultaneously published. Of course, patches
for these vulnerabilities are often issued just as
quickly, but unless a business is aware that a
vulnerable open source component’s included
in its application(s), it’s highly probable that
component will remain unpatched. Therein lies
the very heart of the problem.
When a new open source vulnerability is
reported, a race is then on between the host
business and potential attackers. For the host
business to win that race, it needs to be able to
Cyber Security: Mitigating Risks Posed by Open Source Software
answer the following important questions:
• will you know if you’re using an open source
component with a known vulnerability?
• will you know if that vulnerability exposes
your software to attack?
• will you know how prevalent that open
source component is in your firm’s internal and
public-facing applications?
• will you know how to effectively manage and
mitigate any risk exposed by that vulnerability?
How can you know if your open source is
secure? You cannot secure what you’re not
tracking, so a first step – if your business hasn’t
already done so – needs to be the compilation
of an inventory of all open source components
your development teams are using. Some
organisations initiate a manual process to
manage their open source usage, but quickly
discover that manual processes seldom
maintain either a complete or a completely
accurate inventory of open source.
A complete open source inventory must
include all open source components, the
version(s) in use and download locations for
each project in usage or in development. You’ll
also need to include all dependencies – the
libraries your code is calling to and/or the
libraries to which your dependencies are linked
– within your inventory.
Fixing a vulnerability
As with tracking open source components, to fix
an open source vulnerability you first have to
know it exists. There are some vulnerability
databases – such as the US Government
vulnerability disclosure database, the National
Vulnerability Database (https://nvd.nist.gov/) –
that can help to identify issues.
However, not all vulnerabilities are reported
to the NVD, while the format of NVD records
often makes it difficult to determine which
versions of a given open source component are
affected by a vulnerability.
Other useful sources of information include
project distribution sites such as those
maintained by the Debian
(https://www.debian.org/security/) and Python
(http://bugs.python.org/) projects.
Security blogs and message boards like the
US-CERT alerts page (https://www.uscert.gov/ncas/alerts)
and Google’s security
blog (https://security.googleblog.com/) can
also be helpful.
If your firm builds packaged, embedded or
commercial SaaS software, open source license
compliance should be of concern. Using your
inventory of open source components, you’ll
want to compile detailed license texts
associated with those components such that
“Security and licensing concerns aside, how do you know
you’re using high quality open source components? Are
you employing a current version of the software? Is the
component actively maintained by a robust community?”
you can flag any components not compatible
with your software’s distribution and license
requirements and generate a license notices
report to include with your shipped software.
Security and licensing concerns aside, how
do you know you’re using high quality open
source components? Are you employing a
current version of the software? Is it the most
stable? Is the component actively maintained
by a robust community?
Determining all of this can be both timeconsuming
and impact developer productivity,
which is a reason why many organisations
struggle with effective open source governance
and turn towards an automated solution to
simplify open source risk management.
Continuous risk management
After identifying any vulnerability, licensing or
component quality risks in your open source,
you’ll need to determine what remediation
tasks – if any – need to be conducted and track
the subsequent remediation process to ensure
it’s actually being carried out correctly.
As with inventorying and identifying risks,
challenges you can expect to face include time
and cost issues. Manual review tends to result
in remediation late in the development cycle,
when the cost to fix is high and release
deadlines must be met. Manual review is also
incompatible with the rapid pace and
automation at the core of modern agile build
and continuous integration environments.
The job of open source vulnerability
management doesn’t stop when the application
ships. You’ll need to continue to monitor for
vulnerabilities as long as the application’s in
use. An average of ten new open source
vulnerabilities are discovered daily, while many
vulnerabilities are not reported for months – or,
on occasion, even years – after they’re
introduced to a component.
With open source usage and creation rapidly
growing, there’s a tendency towards continuing
to re-use components which are well known to
architects/developers due to familiarity and
historical use. Continuously monitoring open
source should include regular evaluation of
components. In truth, rigorously checking
directories of open source software may
disclose alternative components that offer the
same functionality with less risk.
Chris Fearon:
Research Director at Black
Duck Software
57
www.risk-uk.com
Security Qualifications: Observing The
View from the Wrong End of the Telescope
needs to be conducted on the scale and nature
of the problem across the qualifications system
from which specific sector issues might feed.
A review of the problem based upon the
selection of half a dozen of the Conditions for
Recognition, which define the requirements for
awarding organisations, is too narrow a focus.
Picking up one of the criticisms in the report,
the absence of enforceable agreements would
have had little or no impact on the Ashley
Commerce College or the Get Licensed cases.
The Ofqual report
issued following the
Regulator’s
consideration of
license to practice
qualifications in the
security industry was
finally published at
the end of January. For
some, the report
added little to what’s
widely known in the
sector and very little
by way of solutions.
Despite this, there’s
the genesis of some
interesting thinking
which, in Raymond
Clarke’s view, could
provide the necessary
foundations for
ongoing improvement
Before considering the positives contained
within the 28-page Ofqual report, entitled
‘Licence-Linked Qualifications Used in
Private Security’, it’s perhaps prudent to ponder
on the limitations. Having perhaps spent more
time considering the issues around malpractice
and fraud over the last couple of years than
most, the two key concerns for me relate to the
lack of context for the report and the
presumption that the actions required to be
taken rest with those other than Ofqual itself.
A key criticism of the Ofqual report, and
indeed its response to malpractice, is the
preoccupation with micro issues. Fraud and
malpractice are not contained or constrained
within particular sectors, but are fluid and can
migrate across sector boundaries. Those
involved in wrongdoing can move readily in and
out of sectors: security today, construction
tomorrow, health and social care this time next
year. There’s no doubt those sectors that are
licensed, and where there are labour shortages
or funding is readily available, are placed at a
higher risk. The security industry ticks at least
some of these boxes.
A positive aspect of the report is the
indication that Ofqual will be broadening its
review to consider the extent to which
malpractice is evident in other sectors. While
this is to be welcomed, Industry Qualifications
(IQ) takes the view that independent research
Commentator or Participant?
The second concern relates to the role of
Ofqual itself. The Regulator has a statutory
duty to ensure confidence in the UK system of
regulated qualifications. The question is
whether this is exercised solely through
investigating and commentating on the efforts
of others, or whether the Regulator has a more
active role to play.
My view is that Ofqual has a responsibility to
ensure the overarching system and framework
is fit for purpose. It’s then the role of Awarding
Organisations and others to operate within that
framework. A system which allows those
involved in wrongdoing to continually re-enter
the education market, those involved in fraud
to avoid prosecution and one which singularly
fails to consider the risks associated with
safety-critical qualifications any differently than
it does those for a GCSE in ‘Art’ needs to be
reviewed at both a macro and a strategic level.
IQ has therefore called publicly for the
establishment of an independent expert panel
to review qualifications fraud. Disappointingly,
the response from Ofqual was that it’s the
responsibility of Awarding Organisations to
have robust procedures in place.
Positives in the report
The most promising aspects of the report relate
to three statements of future activity.
First, there’s due recognition that fraud and
malpractice may need to be considered in other
sectors. While welcome, we would encourage
the start point to be the development of a
macro understanding of fraud before
considering the implications at a sector level.
Second, there’s the proposal that Awarding
Organisations should work together to
establish and apply a robust set of industry
standards or a Code of Conduct as a means to
58
www.risk-uk.com
Training and Career Development
strengthen their approach towards risk
management and quality assurance. This is a
positive suggestion. It’s one that builds upon
the co-operation that has developed across the
awarding bodies concerned in recent years.
Third is the desire of Ofqual to be advised
when the Security Industry Authority (SIA)
provides intelligence to Awarding Organisations
about malpractice or wrongdoing by individuals
of centres. Ofqual has indicated that it might
then require Awarding Organisations to
demonstrate how this information has been
used. However, there’s also a requirement for
Ofqual to consider how it manages and uses
intelligence in support of wider objectives.
Code of Practice
I’m broadly attracted by the concept of a Code
of Practice and welcome the encouragement for
Awarding Organisations to take the lead on this
matter. I would, however, go one step further
and make it a requirement of the SIA
recognition for an Awarding Organisation
working in the security industry that it complies
with any such document.
Common standards for centre approval and
centre monitoring would go a long way. More
work on standardising approaches to
assessment would be another step forward.
Competition based on the price, quality of
service and breadth of an individual Awarding
Organisation’s offer is to be encouraged.
Competition driven by cost reduction through
squeezing quality assurance costs or dumbing
down assessment standards to increase pass
rates should be outlawed. While there may be
differences of opinion on the precise detail, the
overall objective is easily supported.
The report also encourages the improved
sharing of intelligence. While IQ supports the
intent, it’s here that our opinions begin to
diverge from that of the Regulator, largely in
terms of where responsibilities lie.
IQ first raised its concern with Ofqual in 2015
that intelligence wasn’t available to Awarding
Organisations when making decisions about
centre approval or the approval of
trainers/assessors. The current system relies
on Awarding Organisations operating in the
same sector (or offering similar qualifications to
other Awarding Organisations) to notify others
of malpractice or maladministration. Ofqual is
also advised each time a notification is made
and is the only organisation that’s in receipt of
all such notifications for all sectors.
The current system is, in my view, clearly
flawed. Awarding Organisations new to a sector
are disproportionately exposed to risk as they
don’t have access to any historic records. For its
“Competition driven by cost reduction through squeezing
quality assurance costs or dumbing down assessment
standards to increase pass rates should be outlawed”
part, in my opinion Ofqual doesn’t appear to
maintain reliable records and what’s available
isn’t accessible to Awarding Organisations.
Investment in capability
IQ was exposed as a result of this failing in
relation to Ashley Commerce College and we
know of others that have been affected in a
similar way. Fortunately for them, they were not
included in a BBC broadcast. Due to the
weakness in the system, it’s an unfortunate but
pretty obvious fact of life that a new Awarding
Organisation in the sector can be a strong
magnet for those involved in wrongdoing.
The system also assumes that the same and
consistent standards of analysis and reporting
across all Awarding Organisations is common.
In truth, investigating fraud, malpractice and
maladministration to a point where information
is at an evidential level requires an investment
in investigative capability that many Awarding
Organisations would prefer to avoid.
It’s cheaper and quicker to move the problem
on. It’s the training sector’s own ‘traveller’
problem: ‘While they’re on the land of someone
else, they’re not on mine’.
The analysis conducted by Ofqual highlights
the need for sharing intelligence across the
sector. What’s missing, though, is any
recognition of the pivotal role that Ofqual itself
should be playing, ensuring the validity of that
intelligence and sharing this knowledge across
the wider education sector.
A system in denial
Our experience over the last two years is of a
regulatory system unable to separate
malpractice from fraud and one that appears to
be largely in denial of fraud.
When the issue at Ashley Commerce College
was exposed by the BBC, you couldn’t see
Ofqual for dust. Instead of using the situation
to expose wider networks of fraud, the
apparent approach taken by the Regulator was
to distance itself from the issue and cast blame.
The end result remains that no action has been
taken against those who committed the fraud.
Until the Regulator acknowledges the
problem is systemic, requires a collective and
intelligence-led response and then develops an
appetite for tackling the issue, those involved
in wrongdoing will continue to thrive no matter
the number of reports Ofqual might produce.
Raymond Clarke:
Chief Executive of Industry
Qualifications
59
www.risk-uk.com
Risk in Action
Evolution assists Uxbridge College to pass its security
management examinations with flying colours
A sophisticated integrated access control and CCTV solution is playing a key
role in managing the safety and security of students, staff and visitors at
Uxbridge College across both of its campuses in Uxbridge and Hayes.
The challenge presented to Evolution was in servicing, maintaining and
upgrading a system that protects no less than 4,000 students and 600
members of staff, while also taking into account the College’s ongoing growth
ambitions and constantly changing infrastructure.
Evolution is now fully supporting an IP-based system with card access,
turnstiles and proximity readers to control the movement of card holders across
the two sites, as well as a network of CCTV cameras designed to monitor those
seeking unauthorised access and provide a further layer of security.
Michael McDonagh, head of security at Uxbridge College, stated: “Should a
student forget their pass, we can immediately issue a replacement. However, in
maintaining full control, the student’s ‘forgotten’ or ‘lost’ pass is automatically
de-activated. Each card also has the shelf life of a student’s course length, so
will automatically expire when they finish for the year. Should an end user
attempt to gain access with a de-activated card, we’re immediately notified.”
Each of the passes provided is specifically tailored to take into account a
student’s studies and lifestyle. They control which ‘zones’ that student can
enter, identify whether or not
a student has a pre-paid car
parking permit and even
enable access to extracurricular
activities such as
sport or drama.
There are more than 120
controlled-entry doors and
80 CCTV cameras, which
Control Room operators can
use to pinpoint and track
unauthorised access. Both
campuses are integrated
under the single system.
SharpView solution courtesy of Zaun
Group company EyeLynx secures
vital London water supply
The integrity of the fresh water supply delivered
to London’s residents has been notably stepped
up thanks to the recent installation of an array
of cameras, high-security fencing, vibration
sensors and lengths of razor wire.
The risk posed to the water supply forced the
UK’s largest water and waste water company to
further enhance the security along one side of
the perimeter of reservoirs in South London,
where a public footpath has provided easier
access for trespassers and committed graffiti
‘vandals’ to gain entry.
The Zaun Group had already installed
ArmaWeave and razor topping around the
whole site. Thames Water then asked software
security expert EyeLynx to design a solution
based on its SharpView CCTV system and
protect the Critical National Infrastructure site.
Zaun Group companies EyeLynx and Binns
Fencing installed two huge temporary CCTV
masts complete with high-performance PTZ
cameras, thermal cameras with video analytics,
horn speakers and high-powered WiFi to link
the two with a SharpView NVR.
Selection of UK’s oldest and most
important artefacts safeguarded by
Chubb at Rochester Cathedral
Chubb Fire and Security has installed a
security intruder alarm system designed for
sensitive environments at Rochester Cathedral
with a view to securing some of the UK’s
oldest and most important artefacts.
First built in 604 AD, the Rochester
Cathedral in Kent is the second oldest in
England. It’s home to the Textus Roffensis, the
oldest example of English written law, which
dates right back to the 10th Century and the
creation of the English State.
The security tender followed a Heritage
Lottery Fund grant as part of the Cathedral’s
‘Hidden Treasures Fresh Expressions’ project.
In addition to the restoration of the
Cathedral’s library and strong room, the
project saw the creation of a secure exhibition
space within the medieval crypt.
Morgan Flynn, senior security
installer/commissioning engineer at Chubb,
said: “The present Cathedral dates back to
1080, necessitating an entirely bespoke
approach. No drilling of the stonework was
permitted. Sensors and switches needed to be
hidden from visitors, while the quarter-tonne
steel doors and ornate leadlight windows
required sensitive design and installation.”
Following a risk assessment, Chubb has now
installed a sophisticated Grade 3 intruder
alarm system, typically found in the most
high-risk environments such as banks, art
galleries and museums.
60
www.risk-uk.com
Risk in Action
Porthcawl’s RNLI: Improving
education and saving lives with
network camera technology
Porthcawl’s RNLI station is aiming to
improve education and safety around the
water with the implementation of innovative
surveillance technology from Swanseabased
PC1 and Axis Communications.
With high tourism levels and fast-shifting
tides, the installation at Porthcawl Pier
provides an online live-stream. This ensures
visitors are prepared for the conditions they
will face, minimising the necessity of lifeboat
launches and reducing overall costs.
RNLI statistics show that 44% of lifeboat
launches in 2015 were due to persons in
distress, either ashore, offshore or using
manual craft such as surfboards or kayaks.
The camera points directly at Porthcawl
Pier, one of the highest risk areas. During
storms and rough weather conditions,
visitors are in danger of being swept out to
sea by tides that can reach up to 7 knots (8
mph). The installation of the Axis Q1775-E
fixed network camera, combined with a hightech
weather installation, ensures Porthcawl
RNLI can access weather metrics, tide
activity, conditions monitoring and more.
With 10x optical zoom and autofocus
capabilities, the RNLI decided the camera
was the stand-out choice due to its weather
resilience, providing 24/7 surveillance
capabilities and excellent image quality.
Ian Stroud, retired member of the Deputy
Launch Authority at Porthcawl RNLI, said:
“One of the most significant tasks a lifeboat
station must undertake is observing sea
conditions to make judgements on the
equipment lifeboat operators will need.”
Speaking about the installation itself,
Graham Thomas (IT and online projects
manager at PC1) observed: “We installed a
weather station and connected the
installation to YouTube, allowing the public
and lifeboat staff alike to view real-time
images and accurate weather reports.”
Notifier by Honeywell’s the King of the Castle in the eyes of
money.co.uk
money.co.uk has
recently completed a
£3 million renovation
project in order to
transform a Grade IIlisted
Victorian castle
on the Bathurst Estate
in Cirencester into the
ultimate high-tech
workplace.
Life safety is rightly
considered paramount
on site. With this in mind, Bristol-based APE Fire & Security asked Interaction
(the main contractor for the project) to design, specify, install and commission
a fire detection system that could offer staff and visitors alike the very highest
levels of protection.
To keep employees and visitors safe, fire detection technology from Notifier
by Honeywell has been installed throughout and is based around the
company’s Pearl intelligent addressable control panels. The networkable fire
detection control panel has been specifically created to be immune from the
threat of unwanted alarms.
Linked to the Pearl control panels are Notifier’s Opal photoelectric smoke
detectors. In the kitchen areas, SMART3 detectors use optical smoke sensing in
conjunction with heat sensors, infrared flame sensing technology and
sophisticated alarm algorithms to offer a fast response to flaming fires, while
at the same time providing superior unwanted alarm immunity.
Thanks to some very clever ‘cause and effect’ programming, APE Fire &
Security has been able to integrate the Pearl control panel with the existing
intruder and access control system.
ACT’s in store with Asda in wake of
IP access control solution roll-out
CBES has installed IP access control systems
from ACT at Asda stores and distribution
centres across the UK. The roll-out has already
covered 500 sites, all of which are networked
to Asda’s corporate headquarters in Leeds.
Asda is benefiting from ACTpro 4000 twodoor
controllers which can extend to 16 doors
via ACTpro door stations. In turn, up to 250 of the controllers may be
networked via a PC interface. The ACT hardware offers low bandwidth and autodiscovery
for easy installation and maintenance, alongside features such as
timed anti-passback and counting areas.
The Asda sites are using ACT’s specialist software platform, designated
ACTpro Enterprise, which distinguishes between different user types such as
installer, security officer or system administrator so as to factor out accidental
system changes and minimise maintenance. ACTpro Enterprise affords end
users a familiar web-browser experience using hyperlinks, ‘backwards’ and
‘forwards’ buttons and powerful search functionality.
An Asda staff member might present their MIFARE contactless smart card to
a reader in order to access a secure area of a site. The ACT software then grants
or denies access according to the user’s privileges which can be defined in
relation to seniority, job profile, time of day and day of the week. Asda’s
managers are benefiting from the integration of access control with CCTV and
intercoms through the Sky-Walker Integration Platform from Entelec.
61
www.risk-uk.com
Technology in Focus
Vanderbilt integrates ACTEnterprise and Eventys for a ‘plug
and protect’ security management solution
The latest product offering from Vanderbilt blends access control with video
management, as ACTEnterprise now supports integration with Eventys EX NVRs.
Simple to set up and operate, Eventys NVRs offer powerful, seamless and
reliable, yet inexpensive video recording of up to 16 IP cameras. Now,
ACTEnterprise allows cameras connected to an Eventys EX NVR to be associated
with access control doors.
Any events recorded in the access control log such as ‘access denied’ or ‘door
forced’ can be linked with the associated footage stored on the NVR. Events on
a door with a camera associated will
display a camera icon which allows
clicking on the camera icon to replay
the footage.
The main features associated with
this integration platform are Live
Video Display and Playback
Recordings. The Live Video Display
allows switching between the
different video camera sources.
www.vanderbiltindustries.com
360 Vision Technology brings to
market the all-new Predator
Overview camera system
360 Vision Technology continues to expand
its camera range with the release of Predator
Overview, a dual camera head, high-speed
and ‘ruggedised’ PTZ HD colour/mono
camera system for end users.
Borne out of customer feedback, the new
Predator Overview features a Full-HD 1080p
wide angle Overview camera combined with
a separate 30x optical, ultra-low light Sony
STARVIS Full-HD ‘Zoom’ camera.
Overview is ideal for those live monitored
applications such as town centres, container
ports and transportation hubs where an
overview (of up to a 90° field of view) of the
incident or target area is desirable.
www.360visiontechnology.com
CEM Systems introduces latest version of popular AC2000
Security Management System for end users
Tyco Security Products has released AC2000 v8, which offers new features that
increase the performance, simplicity and scope of the AC2000 access control
system suite from CEM Systems. These include AC2000 data partitioning and
enhancements to the AC2000 Security Hub Command and Control application.
In addition, CEM Systems has also released enhancements to the emerald
Intelligent Access Terminal range in the shape of the emerald TS100f and
TS200f fingerprint terminals.
“The latest release of AC2000, which includes data partitioning, offers
enhancements for both multi-site and multi-tenanted customers,” said Richard
Fletcher, product manager at CEM Systems. “AC2000 Database Partitioning is a
powerful feature for scenarios where multiple companies use a single security
management system. It empowers each company by giving them control over
their own private access areas, while still allowing them access to common
areas within the building or campus.”
Enhancements within the AC2000 Security Hub centralised Command and
Control application include Map Zones, reports and a “seamless” video
integration interface which enables live video footage for specific configured
alarms to be displayed. This release also offers enhanced functionality of
emerald, CEM Systems’ award-winning intelligent access terminal. Designed
for use with AC2000, emerald terminals not only control access to restricted
areas, but also “open up a
world of possibilities” by
bringing AC2000 intelligence
directly to the edge.
emerald now supports a
‘Boarding and Deplaning Route
Management’ (BDRM) mode
which provides a sophisticated
touch screen-based passenger
routing system for airports.
www.cemsys.com
Norbain turns its attentions towards
Bosch Security Systems’ DIVAR
hybrid network recorders
Norbain is now offering the new DIVAR hybrid
and network recording solutions from Bosch
Security Systems. Designed for 24/7 operation,
they afford the ability to create surveillance
solutions with professional security features.
These solutions can be tailored to fit the
growing needs of many businesses.
With DIVAR recorders, it’s easy to watch live
footage, play recorded content or reconfigure
local unit settings anytime from anywhere. This
can be carried out via the DIVAR Mobile Viewer
app, available on smart phones (iOS and
Android) and via the web browser.
The direct monitor output is ideal for desktop
models often positioned on a counter. The
monitor can be placed on or beside the device,
giving the business owner an overview of live
images from all connected cameras.
www.norbain.com
62
www.risk-uk.com
Technology in Focus
Disruptive technology harnesses
power of Big Data to give guarding
end users
“real insight”
into security
Cardinal Security
is looking to
revolutionise
security guarding with the release of a new
operations platform. Designed to provide end
users with a level of insight unavailable to date,
the intelligence-led approach provided by
Guarded 365 affords users “full transparency
and real control” over their security spend.
Jason Trigg, CEO of Cardinal Security, believes
that every end user of guarding services should
demand this data and have proper visibility on
where their investment is being made.
“What people worry about in this business is
what they’re receiving for their money, and
rightly so. Most providers don’t deliver
sufficient insight into Return on Investment.”
Cardinal’s response to the challenge is the
Guarded 365 intelligent platform, which is
linked to a central data management system.
When an officer arrives at the start of a shift
they use a geocoded tablet – or an app on their
own device – to take a picture of their face. A
controller from Cardinal Security matches this
against a database of staff members and then
approves the officer to begin their shift.
In essence, this simple process ensures
timekeeping is accurate and that the correct,
fully-licensed operative is on duty and wearing
the correct uniform.
www.cardinalsecurity.co.uk
Bespoke power supply
solutions for access control
projects unveiled by
Elmdene International
Elmdene International has just
launched a new range of power
supplies specifically for use with
access control systems.
The Access Control range has
been carefully designed to house
some of the most common door controllers
in order to ensure both convenience and
flexibility for installations.
With different power options and
enclosure sizes available, this new access
control range offers the security professional
a choice of PSUs for a variety of
applications. The range could also mean cost
savings, with some of the units having the
capability to provide battery-backed power
for multiple door controllers, saving time
and money on installing singular units.
The Access Control range also includes
multi-access PSUs. These models are
supplied with a hinged cabling system and
can provide either 12 V or 24 V, while also
offering an independent ancillary relay that
can be used for applications such as a fire
door release relay.
The enclosure is also a larger design
capable of accommodating expander plates
should additional door controllers be
required, in turn further adding to the
flexibility this range is able to offer.
www.elmdene.co.uk
Integrated technologies are the key
for ievo and Keytracker partnership
An integration of cutting-edge biometric
recognition technology and key management
systems is offering the very highest levels of
security for organisations managing a large
number of priority keys.
The system is the result of determined cooperation
between ievo, the Newcastle-based
manufacturer of biometric recognition
systems, and Keytracker (the Midlands
manufacturer of key management systems).
Andy Smith, general manager at Keytracker,
explained: “We’ve developed our restricted
key access systems for a huge variety of
sectors ranging from the construction,
engineering, property, education and health
sectors to the vehicle retail trade. By
combining these systems with ievo’s biometric
recognition technology and the corresponding
software, we’ve created
an ultra-secure solution
that tracks the release
of specific keys to
specific people.”
The ‘Restricted Key
Access System’
incorporates state-ofthe-art
hardware with
easy-to-operate
administration software
restricting access to
only those keys the
user is authorised to
use. Integration of the
ievo ultimate fingerprint
readers ensures that the potential for
fraudulent access via stolen swipe cards or
PIN codes is removed. The registration process
has been integrated into the existing software.
www.ievoreader.com
63
www.risk-uk.com
thepaper
Business News for Security Professionals
Pro-Activ Publications is embarking on a revolutionary
launch: a FORTNIGHTLY NEWSPAPER dedicated to the
latest financial and business information for
professionals operating in the security sector
The Paper will bring subscribers (including CEOs,
managing directors and finance directors within the
UK’s major security businesses) all the latest company
and sector financials, details of business re-brands,
market research and trends and M&A activity
FOR FURTHER INFORMATION
ON THE PAPER CONTACT:
Brian Sims BA (Hons) Hon FSyI
(Editor, The Paper and Risk UK)
Telephone: 020 8295 8304
e-mail: brian.sims@risk-uk.com
www.thepaper.uk.com
Appointments
Joey Hambidge
Skills for Security has
announced the appointment
of Joey Hambidge in the
newly-created role of
operations manager. This
position at the sector skills
body for the private security
business sector has been
realised to provide the
organisation with essential operational support.
Hambidge will now be responsible for a broad
remit including accreditations, apprenticeship
standards, qualifications and the day-to-day
management of Skills for Security’s operations
and members of staff.
With an extensive background in training,
course design and employer liaison, Hambidge
boasts much experience in delivering
employability training and mapping course
content to an established curriculum.
Commenting on the appointment, Skills for
Security’s interim director general Peter Sherry
explained: “2017 is set to be an exciting year at
Skills for Security as we gear up to provide
guidance and support for security employers
ahead of the introduction of a new
apprenticeship standard. As such, we’re very
pleased to welcome Joey to the organisation,
where his extensive experience of employer
liaison and course development will help us to
develop our current offering and better meet
the needs of the security industry as a whole.”
Speaking about his new role, Hambidge
informed Risk UK: “I’m looking forward to
working for Skills for Security to improve
diversity and inclusion in apprenticeships. By
liaising closely with employers, it’s my goal that
Skills for Security becomes recognised as the
industry leader for new apprenticeship
standards within our sector.”
Craig Menzies
CNL Software, the specialist in Physical
Security Information Management (PSIM)
solutions, is pleased to announce that it has
appointed Craig Menzies to the role of general
manager for the Middle East. Menzies will
assume direct responsibility for all customerfacing
departments as the company prepares
for further expansion in the region.
Menzies joins CNL from Tyco Fire & Security
UAE where he was the Security Division’s
manager, overseeing multi-disciplinary teams
working on state-of-the-art security solutions
for high-profile projects on behalf of Dolphin
Energy, KOC, the Abu Dhabi Airports Company
and the Road Transport Authority.
Appointments
Risk UK keeps you up-to-date with all the latest people
moves in the security, fire, IT and Government sectors
Gareth Walsh
Elmdene International is pleased to announce a
new addition to complete the business’ sales
team in the UK. Gareth Walsh has now joined
the company as regional sales manager looking
after the Northern UK area.
In his new role, Walsh will be leading
Elmdene’s growth within the region by
supporting strategic business plans.
Walsh comes to Elmdene with 12 years’
experience in the fire and security industry,
having worked in sales positions at EU Fire and
Security for ten years and at Illumino Ignis for
almost two years, covering the North West
region at both companies.
Previously, Walsh has project-managed and
commissioned the design and implementation
of various system set-ups including fire alarm
systems, emergency lighting systems and
disabled refuge solutions.
Sharon Ramsay, general manager at Elmdene
International, explained: “Gareth brings vast
experience from the industry, in turn adding to
the skills and knowledge of our existing sales
team. Along with our future growth plans,
commitment to customer service and ongoing
product development, the addition of Gareth to
the team means we now have a dedicated focus
in the North of the UK.”
Walsh himself stated: “I’m delighted to be
joining Elmdene. I’m looking forward to sharing
my knowledge with the team, working with our
customer base and building new relationships.”
Menzies brings over 30 years’ experience of
providing technology leadership and
innovation in security solutions, of which 25
have been spent in the Middle East, resulting
in an in-depth understanding of customers and
partners right across the region.
“We’re excited to have Craig join CNL
Software in the Middle East, particularly at a
time when we’re strengthening our teams
globally and deepening collaboration with our
partners to support the growing demand for
our IPSecurityCenter PSIM solution,” said
James Condron, vice-president of global sales
and marketing at CNL Software.
Menzies informed Risk UK: “I’m delighted to
join an already impressive team that boasts a
great track record of innovation.”
65
www.risk-uk.com
Appointments
Waleed Eltayib
Axis Security, one of the UK’s leading security guarding
and electronic security groups, has appointed Waleed
Eltayib as key account director.
Eltayib’s role includes overseeing the account teams at
the company’s largest sites in London and the South East,
as well as ensuring the delivery of a customer-centric
approach and optimum service levels.
An experienced security operations professional,
Eltayib has worked for Axis Security for the past three
years at the Crown Estate St James’ Portfolio managed by BNP Paribas Real
Estate. Prior to this, Eltayib held senior contract management positions on
behalf of Broadgate Estates, GVA West End Management and ABN Amro.
“It’s useful to look at contract delivery with a fresh pair of eyes,
understanding the host business’ culture and how we can adapt our service
delivery to complement it,” explained Eltayib in conversation with Risk UK.
In his new role, Eltayib is reporting to Axis Security’s operations director John
Fitzpatrick. Key to his remit will be the Rathbone Square project, a flagship
office, retail and residential development which is new to Axis Security’s
London portfolio. Eltayib will be the main point of contact for the management
team and a visible and regular presence on site.
Jos Beernink
Genetec, a leading
provider of open
architecture and unified IP
security solutions, has
recently unveiled two new
senior executive
appointments.
Jos Beernink has been
appointed vice-president
of sales for Europe, the Middle East and Africa,
where he will direct the sales organisation,
developing new business and helping the
channels address growing business demand.
Beernink joins from a valued Genetec partner,
Honeywell, where he served as vice-president
of sales and marketing. In this role, his primary
remit was to drive territory growth, which he
will now apply in his new position at Genetec.
Beernink has been a highly respected member
of the technology sector for over two decades.
In addition, Cyrille Becker joins as general
manager for Europe to oversee European
operations, positioning the business for growth
within the European market.
Becker is a seasoned business developer
with 15 years’ experience gained in the security
industry. He most recently served as a business
unit general manager at Stanley Security
France, a long-time Genetec partner.
“With the appointments of Jos and Cyrille,
we’re well positioned to address the rapid
business growth that Genetec has experienced
over recent years, while also meeting the needs
of physical security projects across the many
different vertical markets we serve in Europe,”
said chief commercial officer Georges Karam.
Georgios Kastias
Apollo Fire Detectors has
announced the
appointment of Georgios
Kastias as the company’s
new operations director.
Bringing a raft of
experience to the role,
Kastias’ appointment
reflects the commitment
made by Apollo to achieving organisational
excellence within the company, spearheaded by
a dynamic and effective leadership team.
Born and raised in Greece, Kastias later
obtained a BEng in Mechanical Engineering at
Heriot-Watt University, followed by an MSc from
Cranfield University and, more recently, an MBA
which was gained at the Imperial College
Business School.
Kastias joins Apollo Fire Detectors from
Danfoss, where he held the role of operations
director, duly transforming the business into a
high-performing organisation thanks to a
determined focus on operational excellence and
effective cultural change.
Speaking about his new role, Kastias told
Risk UK: “I’m absolutely delighted to be joining
Apollo’s leadership team.”
Kim Jørgensen
Milestone Systems, the
specialist in open
platform IP video
management software,
has made two seniorlevel
appointments.
To strengthen
Milestone’s business
support, Kim Jørgensen
joins in the newly-created position of vicepresident
for global IT and operations. In this
role, he will be part of Milestone’s extended
leadership team with a focus on continued
improvements around internal IT solutions,
as well as online services.
Jørgensen brings a strong business and
technical background to the role as well as a
proven track record of helping fast-growing
businesses to both align and mature their
technical services with underlying
Information Technology infrastructures.
After more than 15 years at Microsoft,
Jesper Lachance Raebild has joined
Milestone as director of product marketing.
Heading up the global product marketing
team in Copenhagen, he will use his strong
background in software channel business
and global product marketing to accelerate
the Milestone platform and products.
66
www.risk-uk.com
20 - 22 JUNE 2017 EXCEL LONDON, UK
New exhibition within
IFSEC International 2017
AT BORDERS & INFRASTRUCTURE EXPO YOU WILL BENEFIT FROM:
• Access a VIP Meeting Service
live product demonstration and testing area
BRE Global
Networking Lounge
• See the latest UAVs at The Drone Zone.
against them
Best Value Security Products from Insight Security
www.insight-security.com Tel: +44 (0)1273 475500
...and
lots
more
Computer
Security
Anti-Climb Paints
& Barriers
Metal Detectors
(inc. Walkthru)
Security, Search
& Safety Mirrors
Security Screws &
Fastenings
Padlocks, Hasps
& Security Chains
Key Safes & Key
Control Products
Traffic Flow &
Management
see our
website
ACCESS CONTROL
KERI SYSTEMS UK LTD
Tel: + 44 (0) 1763 273 243
Fax: + 44 (0) 1763 274 106
Email: sales@kerisystems.co.uk
www.kerisystems.co.uk
ACCESS CONTROL
ACCESS CONTROL
ACT
ACT – Ireland, Unit C1, South City Business Park,
Tallaght, Dublin, D24 PN28.Ireland. Tel: +353 1 960 1100
ACT - United Kingdom, 601 Birchwood One, Dewhurst Road,
Warrington, WA3 7GB. Tel: +44 161 236 9488
sales@act.eu www.act.eu
ACCESS CONTROL – BARRIERS, GATES, CCTV
ABSOLUTE ACCESS
Aberford Road, Leeds, LS15 4EF
Tel: 01132 813511
E: richard.samwell@absoluteaccess.co.uk
www.absoluteaccess.co.uk
Access Control, Automatic Gates, Barriers, Blockers, CCTV
ACCESS CONTROL
COVA SECURITY GATES LTD
Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards
Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68
Tel: 01293 553888 Fax: 01293 611007
Email: sales@covasecuritygates.com
Web: www.covasecuritygates.com
ACCESS CONTROL & DOOR HARDWARE
ALPRO ARCHITECTURAL HARDWARE
Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks,
Waterproof Keypads, Door Closers, Deadlocks plus many more
T: 01202 676262 Fax: 01202 680101
E: info@alpro.co.uk
Web: www.alpro.co.uk
ACCESS CONTROL – SPEED GATES, BI-FOLD GATES
HTC PARKING AND SECURITY LIMITED
St. James’ Bus. Centre, Wilderspool Causeway,
Warrington Cheshire WA4 6PS
Tel 01925 552740 M: 07969 650 394
info@htcparkingandsecurity.co.uk
www.htcparkingandsecurity.co.uk
ACCESS CONTROL
INTEGRATED DESIGN LIMITED
Integrated Design Limited, Feltham Point,
Air Park Way, Feltham, Middlesex. TW13 7EQ
Tel: +44 (0) 208 890 5550
sales@idl.co.uk
www.fastlane-turnstiles.com
ACCESS CONTROL
SECURE ACCESS TECHNOLOGY LIMITED
Authorised Dealer
Tel: 0845 1 300 855 Fax: 0845 1 300 866
Email: info@secure-access.co.uk
Website: www.secure-access.co.uk
ACCESS CONTROL MANUFACTURER
NORTECH CONTROL SYSTEMS LTD.
Nortech House, William Brown Close
Llantarnam Park, Cwmbran NP44 3AB
Tel: 01633 485533
Email: sales@nortechcontrol.com
www.nortechcontrol.com
Custom Designed Equipment
• Indicator Panels
• Complex Door Interlocking
• Sequence Control
• Door Status Systems
• Panic Alarms
• Bespoke Products
www.hoyles.com
sales@hoyles.com
Tel: +44 (0)1744 886600
ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES
UKB INTERNATIONAL LTD
Planet Place, Newcastle upon Tyne
Tyne and Wear NE12 6RD
Tel: 0845 643 2122
Email: sales@ukbinternational.com
Web: www.ukbinternational.com
Hoyles are the UK’s leading supplier of
custom designed equipment for the
security and access control industry.
From simple indicator panels to
complex door interlock systems.
BUSINESS CONTINUITY
ACCESS CONTROL, INTRUSION DETECTION AND VIDEO MANAGEMENT
VANDERBILT INTERNATIONAL (UK) LTD
Suite 7, Castlegate Business Park
Caldicot, South Wales NP26 5AD UK
Main: +44 (0) 2036 300 670
email: info.uk@vanderbiltindustries.com
web: www.vanderbiltindustries.com
BUSINESS CONTINUITY MANAGEMENT
CONTINUITY FORUM
Creating Continuity ....... Building Resilience
A not-for-profit organisation providing help and support
Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845
Email: membership@continuityforum.org
Web: www.continuityforum.org
www.insight-security.com Tel: +44 (0)1273 475500
CCTV
CONTROL ROOM & MONITORING SERVICES
CCTV
Rapid Deployment Digital IP High Resolution CCTV
40 hour battery, Solar, Wind Turbine and Thermal Imaging
Wired or wireless communication fixed IP
CE Certified
Modicam Europe, 5 Station Road, Shepreth,
Cambridgeshire SG8 6PZ
www.modicam.com sales@modicameurope.com
CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS
ALTRON COMMUNICATIONS EQUIPMENT LTD
Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ
Tel: +44 (0) 1269 831431
Email: cctvsales@altron.co.uk
Web: www.altron.co.uk
ADVANCED MONITORING SERVICES
EUROTECH MONITORING SERVICES LTD.
Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring
• Vehicle Tracking • Message Handling
• Help Desk Facilities • Keyholding/Alarm Response
Tel: 0208 889 0475 Fax: 0208 889 6679
E-MAIL eurotech@eurotechmonitoring.net
Web: www.eurotechmonitoring.net
DISTRIBUTORS
CCTV
G-TEC
Gtec House, 35-37 Whitton Dene
Hounslow, Middlesex TW3 2JN
Tel: 0208 898 9500
www.gtecsecurity.co.uk
sales@gtecsecurity.co.uk
CCTV/IP SOLUTIONS
DALLMEIER UK LTD
3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH
Tel: +44 (0) 117 303 9 303
Fax: +44 (0) 117 303 9 302
Email: dallmeieruk@dallmeier.com
SPECIALISTS IN HD CCTV
MaxxOne
Unit A10 Pear Mill, Lower Bredbury, Stockport. SK6 2BP
Tel +44 (0)161 430 3849
www.maxxone.com
sales@onlinesecurityproducts.co.uk
www.onlinesecurityproducts.co.uk
AWARD-WINNING, LEADING GLOBAL WHOLESALE
DISTRIBUTOR OF SECURITY AND LOW VOLTAGE PRODUCTS.
ADI GLOBAL DISTRIBUTION
Distributor of electronic security systems and solutions for over 250 leading manufacturers, the company
also offers an internal technical support team, dedicated field support engineers along with a suite of
training courses and services. ADI also offers a variety of fast, reliable delivery options, including specified
time delivery, next day or collection from any one of 28 branches nationwide. Plus, with an ADI online
account, installers can order up to 7pm for next day delivery.
Tel: 0161 767 2990 Fax: 0161 767 2999 Email: sales.uk@adiglobal.com www.adiglobal.com/uk
CCTV & IP SECURITY SOLUTIONS
PANASONIC SYSTEM COMMUNICATIONS COMPANY
EUROPE
Panasonic House, Willoughby Road
Bracknell, Berkshire RG12 8FP UK
Tel: 0207 0226530
Email: info@business.panasonic.co.uk
WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS,
PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.
MAYFLEX
Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ
Tel: 0800 881 5199
Email: securitysales@mayflex.com
Web: www.mayflex.com
COMMUNICATIONS & TRANSMISSION EQUIPMENT
KBC NETWORKS LTD.
Barham Court, Teston, Maidstone, Kent ME18 5BZ
www.kbcnetworks.com
Phone: 01622 618787
Fax: 020 7100 8147
Email: emeasales@kbcnetworks.com
DIGITAL IP CCTV
SESYS LTD
High resolution ATEX certified cameras, rapid deployment
cameras and fixed IP CCTV surveillance solutions available with
wired or wireless communications.
1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG
Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333
Email: info@sesys.co.uk www.sesys.co.uk
THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS
CONTROL AND INTRUDER DETECTION SOLUTIONS
NORBAIN SD LTD
210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP
Tel: 0118 912 5000 Fax: 0118 912 5001
www.norbain.com
Email: info@norbain.com
CCTV SPECIALISTS
PLETTAC SECURITY LTD
Unit 39 Sir Frank Whittle Business Centre,
Great Central Way, Rugby, Warwickshire CV21 3XH
Tel: 01788 567811 Fax: 01788 544 549
Email: jackie@plettac.co.uk
www.plettac.co.uk
UK LEADERS IN BIG BRAND CCTV DISTRIBUTION
SATSECURE
Hikivision & MaxxOne (logos) Authorised Dealer
Unit A10 Pear Mill, Lower Bredbury,
Stockport. SK6 2BP
Tel +44 (0)161 430 3849
www.satsecure.uk
www.insight-security.com Tel: +44 (0)1273 475500
EMPLOYMENT
FIRE AND SECURITY INDUSTRY RECRUITMENT
SECURITY VACANCIES
www.securityvacancies.com
Telephone: 01420 525260
INTEGRATED SECURITY SOLUTIONS
INNER RANGE EUROPE LTD
Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead,
Reading, Berkshire RG74GB, United Kingdom
Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001
Email: ireurope@innerrange.co.uk
www.innerrange.com
PERIMETER PROTECTION
IDENTIFICATION
ADVANCED PRESENCE DETECTION AND SECURITY LIGHTING SYSTEMS
GJD MANUFACTURING LTD
Unit 2 Birch Business Park, Whittle Lane, Heywood, OL10 2SX
Tel: + 44 (0) 1706 363998
Fax: + 44 (0) 1706 363991
Email: info@gjd.co.uk
www.gjd.co.uk
COMPLETE SOLUTIONS FOR IDENTIFICATION
DATABAC GROUP LIMITED
1 The Ashway Centre, Elm Crescent,
Kingston upon Thames, Surrey KT2 6HH
Tel: +44 (0)20 8546 9826
Fax:+44 (0)20 8547 1026
enquiries@databac.com
PERIMETER PROTECTION
GPS PERIMETER SYSTEMS LTD
14 Low Farm Place, Moulton Park
Northampton, NN3 6HY UK
Tel: +44(0)1604 648344 Fax: +44(0)1604 646097
E-mail: info@gpsperimeter.co.uk
Web site: www.gpsperimeter.co.uk
POWER
INDUSTRY ORGANISATIONS
TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY
BRITISH SECURITY INDUSTRY ASSOCIATION
Tel: 0845 389 3889
Email: info@bsia.co.uk
Website: www.bsia.co.uk
Twitter: @thebsia
THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY
SSAIB
7-11 Earsdon Road, West Monkseaton
Whitley Bay, Tyne & Wear
NE25 9SX
Tel: 0191 2963242
Web: www.ssaib.org
INTEGRATED SECURITY SOLUTIONS
POWER SUPPLIES – DC SWITCH MODE AND AC
DYCON LTD
Unit A, Cwm Cynon Business Park, Mountain Ash, CF45 4ER
Tel: 01443 471900 Fax: 01443 479 374
Email: sales@dyconpower.com
www.dyconpower.com
STANDBY POWER
UPS SYSTEMS PLC
Herongate, Hungerford, Berkshire RG17 0YU
Tel: 01488 680500
sales@upssystems.co.uk
www.upssystems.co.uk
UPS - UNINTERRUPTIBLE POWER SUPPLIES
ADEPT POWER SOLUTIONS LTD
Adept House, 65 South Way, Walworth Business Park
Andover, Hants SP10 5AF
Tel: 01264 351415 Fax: 01264 351217
Web: www.adeptpower.co.uk
E-mail: sales@adeptpower.co.uk
SECURITY PRODUCTS AND INTEGRATED SOLUTIONS
HONEYWELL SECURITY AND FIRE
Tel: +44 (0) 844 8000 235
E-mail: securitysales@honeywell.com
UPS - UNINTERRUPTIBLE POWER SUPPLIES
UNINTERRUPTIBLE POWER SUPPLIES LTD
Woodgate, Bartley Wood Business Park
Hook, Hampshire RG27 9XA
Tel: 01256 386700 5152 e-mail:
sales@upspower.co.uk
www.upspower.co.uk
www.insight-security.com Tel: +44 (0)1273 475500
SECURITY
CASH & VALUABLES IN TRANSIT
CONTRACT SECURITY SERVICES LTD
Challenger House, 125 Gunnersbury Lane, London W3 8LH
Tel: 020 8752 0160 Fax: 020 8992 9536
E: info@contractsecurity.co.uk
E: sales@contractsecurity.co.uk
Web: www.contractsecurity.co.uk
QUALITY SECURITY AND SUPPORT SERVICES
CONSTANT SECURITY SERVICES
Cliff Street, Rotherham, South Yorkshire S64 9HU
Tel: 0845 330 4400
Email: contact@constant-services.com
www.constant-services.com
FENCING SPECIALISTS
J B CORRIE & CO LTD
Frenchmans Road
Petersfield, Hampshire GU32 3AP
Tel: 01730 237100
Fax: 01730 264915
email: fencing@jbcorrie.co.uk
INTRUSION DETECTION AND PERIMETER PROTECTION
OPTEX (EUROPE) LTD
Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre
optic perimeter security solutions are owned by Optex. Platinum House, Unit 32B
Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ
Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311
Email: sales@optex-europe.com
www.optex-europe.com
LIFE SAFETY EQUIPMENT
C-TEC
Challenge Way, Martland Park,
Wigan WN5 OLD United Kingdom
Tel: +44 (0) 1942 322744
Fax: +44 (0) 1942 829867
Website: www.c-tec.com
PERIMETER SECURITY
TAKEX EUROPE LTD
Aviary Court, Wade Road, Basingstoke
Hampshire RG24 8PE
Tel: +44 (0) 1256 475555
Fax: +44 (0) 1256 466268
Email: sales@takex.com
Web: www.takex.com
PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB
INSIGHT SECURITY
Units 1 & 2 Cliffe Industrial Estate
Lewes, East Sussex BN8 6JL
Tel: 01273 475500
Email:info@insight-security.com
www.insight-security.com
SECURITY EQUIPMENT
PYRONIX LIMITED
Secure House, Braithwell Way, Hellaby,
Rotherham, South Yorkshire, S66 8QY.
Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042
www.facebook.com/Pyronix
www.linkedin.com/company/pyronix www.twitter.com/pyronix
INTRUDER AND FIRE PRODUCTS
CQR SECURITY
125 Pasture road, Moreton, Wirral UK CH46 4 TH
Tel: 0151 606 1000
Fax: 0151 606 1122
Email: andyw@cqr.co.uk
www.cqr.co.uk
SECURITY SYSTEMS
BOSCH SECURITY SYSTEMS LTD
PO Box 750, Uxbridge, Middlesex UB9 5ZJ
Tel: 0330 1239979
E-mail: uk.securitysystems@bosch.com
Web: uk.boschsecurity.com
INTRUDER ALARMS – DUAL SIGNALLING
CSL
Salamander Quay West, Park Lane
Harefield , Middlesex UB9 6NZ
T: +44 (0)1895 474 474
@CSLDualCom
www.csldual.com
SECURITY EQUIPMENT
CASTLE
Secure House, Braithwell Way, Hellaby,
Rotherham, South Yorkshire, S66 8QY
TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042
www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity
www.twitter.com/castlesecurity
INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS
RISCO GROUP
Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton,
Manchester, M24 2SS
Tel: 0161 655 5500 Fax: 0161 655 5501
Email: sales@riscogroup.co.uk
Web: www.riscogroup.com/uk
SECURITY PRODUCTS
EATON
Eaton is one of the world’s leading manufacturers of security equipment
its Scantronic and Menvier product lines are suitable for all types of
commercial and residential installations.
Tel: 01594 545 400 Email: securitysales@eaton.com
Web: www.uk.eaton.com Twitter: @securityTP
ONLINE SECURITY SUPERMARKET
EBUYELECTRICAL.COM
Lincoln House,
Malcolm Street
Derby DE23 8LT
Tel: 0871 208 1187
www.ebuyelectrical.com
SECURITY SYSTEMS
VICON INDUSTRIES LTD.
Brunel Way, Fareham
Hampshire, PO15 5TX
United Kingdom
www.vicon.com
www.insight-security.com Tel: +44 (0)1273 475500
Simple & Easy Installation
Integrated Security - Access Control
Inception is an integrated access
control and security alarm system with
a design edge that sets it apart from the pack.
Featuring built in web based software, the Inception
system is simple to access using a web browser on a
Computer, Tablet or Smartphone.
With a step by step commissioning guide and outstanding user interface,
Inception is easy to install and very easy to operate.
For more information, visit www.innerrange.com/inception.
There you will find installation guides and videos to help you
get the most out of your Inception system.
IN
DESIGNED
A U ST R A
R
LIA
Security
Alarm
Access
Control
Automation
No Software
Required
Multiple
Devices
Easy Setup
with Checklist
Prompting
Send IP Alarms via
the Multipath-IP
Network
Visit www.innerrange.com or call 0845 470 5000 for further information
Change language