07.04.2017 Views

RiskUKApril2017

April 2017

www.risk-uk.com

Security and Fire Management

Academic Endeavours

Education Sector Safety and Security

News Analysis: National Surveillance Camera Strategy

PSIM Solutions: Procurement Advice for End Users

UPS Systems: Evaluating The Balance of Power

SABRE: Security Risk Management in Built Environments



Contents

Smart About Access
Jaroslav Barton describes the shift to NFC, Bluetooth Low Energy and advanced smart card technology

ERM and ESRM in the Spotlight

Editorial Comment

News Update
Police Federation on Westminster terror attack. CREST global certification for BSI. Skills for Security accepted to join RoATP

News Analysis: Surveillance Camera Strategy
Brian Sims examines the main points contained within the National Surveillance Camera Strategy introduced by Tony Porter

Opinion: ‘Security as a Service’
By using ‘Security as a Service’, the customer gains access to a maintained and supervised solution. John Davies has the detail

Opinion: SIA Stakeholder Conference 2017
Peter Webster spoke at the 2017 SIA Stakeholder Conference, focusing on regulation, business licensing and the ACS

BSIA Briefing
James Kelly pinpoints the key considerations to be observed around security solutions management in the education sector

ERM and ESRM: The Case for Convergence
If Enterprise Risk Management and Enterprise Security Risk Management are here to stay, what does this mean for the future of risk management? Philip Strand offers his views

Status Symbol: The CSyP Journey
Peter Speight on Chartered Security Professional status

PSIM: Only Fools Rush In...
Stephen Smith outlines why end user buyers of PSIM solutions need to consider ongoing costs as well as the technology itself

The ‘Insider’ Threat
Emma Shaw plots a route forward for today’s organisations seeking to employ technical surveillance countermeasures

An Education on Ransomware
Defeating the spectre of ransomware is so important in the education sector. Wieland Age highlights Best Practice methods

Security By The Book
Peter Jackson documents physical security solutions for schools

Building Blocks of Risk Management
Several issues must be factored-in by construction sector businesses when addressing the delicate calculation between risk and reward. Carl Ghinn investigates

Intelligent Prevention is the Future
HD IP-based surveillance systems reviewed by Tristan Haage

Evaluating The Balance of Power
Leo Craig focuses on UPS solutions in the manufacturing sector

SABRE: Security in the Built Environment
Gavin Jones shines the spotlight on SABRE, a new security risk management standard specifically for the built environment

The Security Institute’s View

In The Spotlight: ASIS International UK Chapter

FIA Technical Briefing

Security Services: Best Practice Casebook

Cyber: Mitigating Open Source Software Risks

Training and Career Development

Risk in Action

Technology in Focus

Appointments
The latest people moves in the security and fire business sectors

The Risk UK Directory

ISSN 1740-3480

Risk UK is published monthly by Pro-Activ Publications

Ltd and specifically aimed at security and risk

management, loss prevention, business continuity and

fire safety professionals operating within the UK’s largest

commercial organisations

© Pro-Activ Publications Ltd 2017

All rights reserved. No part of this publication may be

reproduced or transmitted in any form or by any means

electronic or mechanical (including photocopying, recording

or any information storage and retrieval system) without the

prior written permission of the publisher

The views expressed in Risk UK are not necessarily those of

the publisher

Risk UK is currently available for an annual subscription rate of

£78.00 (UK only)

www.risk-uk.com

Risk UK

PO Box 332

Dartford DA1 9FF

Editor Brian Sims BA (Hons) Hon FSyI

Tel: 0208 295 8304 Mob: 07500 606013

e-mail: brian.sims@risk-uk.com

Design and Production Matt Jarvis

Tel: 0208 295 8310 Fax: 0870 429 2015

e-mail: matt.jarvis@proactivpubs.co.uk

Advertisement Director Paul Amura

Tel: 0208 295 8307 Fax: 01322 292295

e-mail: paul.amura@proactivpubs.co.uk

Administration Tracey Beale

Tel: 0208 295 8306 Fax: 01322 292295

e-mail: tracey.beale@proactivpubs.co.uk

Managing Director Mark Quittenton

Chairman Larry O’Leary

Editorial: 0208 295 8304

Advertising: 0208 295 8307

Editorial Comment

An Eye on ID

Cifas, the UK’s leading fraud prevention service, has issued

new figures showing that identity fraud has hit the highest

levels ever recorded. A record 172,919 episodes of such

fraud were noted in 2016. Identity fraud now represents over half

of all fraud chronicled by the UK’s not-for-profit fraud data

sharing organisation, of which 88% was perpetrated online.

In recent years, Cifas has been informed of growing numbers

of young people falling victim to ID fraud. That upward trend

continued last year with almost 25,000 victims aged under 30. In

particular, there has been a 34% increase in the number of under

21s subjected to ID fraud. On that basis, Cifas is again calling for

better education around fraud and financial crime and urging

youngsters to be vigilant about protecting their personal data.

2016 also saw a rise in the number of ID fraud victims aged

over 40, with 1,869 more victims recorded by Cifas members.

Mike Haley, deputy CEO at Cifas, explained: “These new

figures show that identity fraud continues to be the foremost

fraud threat. With nine out of ten identity frauds committed

online and all age groups presently at risk, we’re urging everyone

to make it more difficult for the fraudsters to abuse individual

identities. There are three simple steps that anyone can take to

protect themselves: use strong passwords, download software

updates when prompted to do so and avoid the use of public Wi-Fi

for banking and online shopping.”

Haley continued: “We all remember to safeguard our valued

possessions through locking our house or car, but we don’t

always take the same care to protect our most important asset –

our identities. We all need to assume responsibility for securing

our mail boxes, shredding documents like bank statements and

utility bills and taking sensible precautions online. If not, we’re

simply making ourselves a target for the identity fraudsters.”

Commander Chris Greany, national co-ordinator for economic

crime, commented: “These latest Cifas figures demonstrate how

we all need to be alert to preventing identity theft now more

than ever before. We do everything we can in order to stop the

identity thieves in the fight against fraud, but it must be said

that the key to success is both prevention and protection.”

With instances of identity fraud set to rise, businesses and

consumers alike simply must take action to address this

damaging issue. Financial services companies should strengthen

the security systems they have in place and the way in which

they verify identities, and especially so for online transactions.

Businesses need to invest in biometric processes designed to

validate identities, at the same time implementing multi-layer

approaches that challenge fraudsters’ attempts to compromise

systems. “Myriad consumers are embracing biometrics in their

everyday lives, for example by using them to access their smart

phones,” observed John Marsden, head of identity and fraud at

Equifax. “Financial services companies can maximise such

technology to protect their customers and their businesses.”

Certainly, the worrying knowledge gap exhibited by too many

consumers when determining safe places in which to share their

personal information must be plugged sooner rather than later.

Brian Sims BA (Hons) Hon FSyI

Editor


“Right resources needed in wake of London

terror attack” urges Police Federation

The horrific terrorist attack in Westminster that

claimed several innocent lives, including that of

PC Keith Palmer, has reinforced the need for a

police service with the right resources and

support in place to continue “running towards

danger”. That’s the firm belief of Steve White

(pictured), chairman of the Police Federation of

England and Wales, who took part in a BBC

Panorama Special on Monday 27 March.

Wednesday 22 March witnessed the UK

Parliament and innocent citizens coming under

attack in the most serious terror incident in the

country for over a decade. Speaking to

witnesses and the injured to compile the

programme, BBC Panorama reporters pieced

together what happened during the episode.

The programme also examined the life of 52

year-old attacker Khalid Masood, asking what

motivated him to carry out this fatal strike in

the heart of London, whereby he drove a car

into pedestrians on the pavement along the

south side of Westminster Bridge and Bridge

Street, injuring more than 50 people.

After the car crashed into the perimeter fence

of the Palace grounds, Masood abandoned it

and ran into New Palace Yard where he fatally

stabbed PC Palmer. Masood was then shot by

an armed police officer and died at the scene.

“There are bound to be questions as to

whether things would have been different if

more officers were armed and if PC Palmer had

possessed a firearm,” suggested White. “It’s

entirely likely that we’ll never have a clear

answer. What’s important is that there are many

tactical options to mitigate threats that we need

to consider.”

White continued: “We have to police the

threats that we currently face. For their part,

MPs must take the advice of professionals in

the police service on what we can do and how

we can best do it. We no longer live in a world

of traditional unarmed British bobbies walking

the streets meaning that all will be well.”

These points build on a comment piece by

White which was published in the pages of The

Sunday Express following the London attack. In

the article, White outlines his fears that such an

incident will happen again, but is clear that the

police service will continue to rise to the

challenge. White also touches on the need for

members of the public to ensure that “what

they want and what they demand from their

police service is achievable.”

Chief constable Sara Thornton, chair of the

National Police Chiefs’ Council, said: “We’re

deeply saddened by the horrific events that

took place in London. Our thoughts and

condolences are with the families and friends of

the victims and all those injured and affected.

We’re devastated by the loss of our brave

colleague PC Keith Palmer as he went about his

duties. Now and always, we stand together.”

BSI enhances international capabilities with CREST global accreditation

BSI, the business standards company, has boosted its newly-created cyber security and information

resilience business stream with global membership of CREST, the organisation that spearheads the

highest possible levels of security testing standards. In achieving this status, BSI now joins an elite

group of seven organisations* who can offer myriad clients across the EMEA, the Americas, Asia

and Australasia the heavyweight assurances synonymous with CREST.

BSI has also consolidated its CREST-accredited services with recently acquired CREST member

companies Espion and Info-Assure. Indeed, the business now offers CREST Penetration Testing,

CREST Incident Response Services, CREST START (Simulated Targeted Attack and Response Testing)

and Cyber Essentials.

CREST membership is an important validation of the BSI’s cyber security testing and incident

response capabilities. All member companies undergo stringent assessments of business

processes, data security and security testing as well as incident response methodologies.

Accreditation is very robust and a challenge to attain, in turn demonstrating complete assurances

of processes and procedures.

BSI is a strong proponent of CREST and its role in professionalising the technical security

industry, as well as its efforts to advance the wider information security community through recent

openings of international chapters in Singapore, Hong Kong and the USA. This approach has also

garnered support from international regulators.

*The seven CREST members with global accreditation are Cisco, Context Information Security,

Deloitte Touche Tohmatsu, Gotham Digital Science, the NCC Group, PwC and Trustwave SpiderLabs


News Update

National Security Inspectorate

re-appointed by Regulator as ACS

assessment body

Subject to contract, from 1 April 2017 the

National Security Inspectorate (NSI) has been

re-appointed as an assessing body for the

Security Industry Authority’s (SIA) Approved

Contractor Scheme (ACS) and as a provider of

a ‘Passport’ route to ACS compliance. As of

that date, the NSI (led by CEO Richard Jenkins,

pictured) will be offering even more choice for

guarding services companies in terms of how

they can obtain and maintain ACS approval.

The NSI provides assessment services to the

widest variety of guarding services providers,

ranging from small and local specialist

operators through to many of the largest

national operators. Most have chosen to hold

NSI Guarding Gold with an integrated NSI

‘Passport’ to ACS approval.

This provides a cost-effective solution for

businesses wanting to demonstrate both

commitment to the holistic values embodied

within the Regulator’s ACS and the rigour of

comprehensive compliance with British

Standards and the ISO 9001 standard for

Quality Management Systems.

The NSI ‘Passport’ route to ACS approval

also provides cost benefits in holding multiple

approvals with the NSI.

A popular arrangement among typically

more regional providers is to appoint the NSI

to conduct assessments as part of the ACS

standard route approval. Now, the NSI is

offering these companies a new ‘middle way’:

NSI Guarding Silver with the NSI’s ‘Passport’

to ACS. This means companies can now

‘upgrade’ to an NSI Guarding Silver approval

with a ‘Passport’ to ACS approval,

demonstrating full compliance with British

Standards over and above the standard ACS

without necessarily seeking approval to ISO

9001 at the same time. This will prove a

valuable and cost-effective stepping stone for

companies wanting to differentiate themselves

from the ‘Standard’ route to ACS approval and

afford end user buyers additional confidence

in their service providers’ ‘commitment to

compliance’ with British Standards.

Margaret Durr, the NSI’s head of field

operations (services), commented: “Our team

of auditors harbours industry expertise across

a broad range of areas including security

guarding, close protection, key holding, CCTV,

door supervision, event security and

investigative services. Feedback from our

clients is testament to the added value

independent assessment can bring to an

organisation. The ultimate winners are

security buyers and their staff, visitors and,

indeed, members of the general public.”

Skills for Security earns ‘trusted

training provider’ status from

Government with RoATP acceptance

Skills for Security, the sector skills body for

the private security business sector, has been

accepted by the Skills Funding Agency’s

Register of Apprenticeship Training Providers

(RoATP), meaning that the organisation has

now qualified for Government funding to

deliver apprenticeships from May this year.

Passing all elements of the application,

including due diligence checks on compliance,

quality and financial health, Skills for Security

has fully satisfied the Skills Funding Agency

that the organisation is capable of delivering

high-quality apprenticeship training.

Under the Government’s new apprenticeship

policy, training providers must be on the

RoATP to be eligible to deliver training – either

directly or as a sub-contractor – to large,

Apprenticeship Levy-paying employers. Out of

2,327 applications, a total of 1,708 providers

(73%) have made the grade, with the full list

of providers published by the Department for

Education on Tuesday 14 March.

Speaking about this development, Peter

Sherry (pictured), interim director general at

Skills for Security, stated: “I’m absolutely

delighted that Skills for Security has been

accepted on to the RoATP, giving employers in

the security sector the confidence that we, as

the sector skills body for the industry, can

provide them with trusted support and

expertise in equipping the workforce of

tomorrow with a solid educational foundation

through a carefully considered system of

training, assessment and qualifications.”

The Government’s apprenticeship reforms

aim to support an increase in the quality and

quantity of apprenticeships, subsequently

enabling a greater number of individuals to

pursue a successful career. There will be

regular opportunities for new providers to

apply to the RoATP, with the chance for new

applications at the end of March and quarterly

thereafter encouraging diversity and

competition among providers and supporting

both quality and employer choice.

The RoATP is a crucial milestone in

delivering the Government’s wider reforms

designed to make apprenticeships more

rigorous, better structured, independently

assessed and more clearly aligned with the

needs of employers. Those reforms include the

introduction of the new Apprenticeship Levy.


Home Office Commissioner introduces

National Surveillance Camera Strategy

Following on from a detailed consultation process that began last October, Tony Porter QPM LLB – the Surveillance Camera Commissioner at the Home Office – has launched a National Surveillance Camera Strategy for England and Wales with the specific aim of helping to keep people safe in public places while also respecting their right to privacy. Brian Sims examines the fine detail

The 27-page strategy document aims to

provide direction and leadership within and

across the surveillance camera community,

in turn enabling system operators to

understand good and Best Practice as well as

their legal obligations (such as those contained

within the Protection of Freedoms Act, the Data

Protection Act and the Private Security Industry

Act 2001).

It’s the Surveillance Camera Commissioner’s

strategic vision to ensure members of the

public are assured that any use of surveillance

camera systems in a public place helps to

protect them and keep them safe, while at the

same time always respecting the individual’s

right to privacy. That assurance is based upon

deployment which is proportionate to a

legitimate purpose, as well as transparency

demonstrating compliance with Best Practice

and relevant legal obligations.

The National Surveillance Camera Strategy

aligns closely with the Home Office’s own key

responsibilities to keep the UK safe from the

threat of terrorism, reduce and prevent crime

and criminality and ensure that people feel safe

in both their homes and communities.

The new strategy provides the Commissioner

with a robust and transparent framework to

fulfil his statutory functions as set out in the

Protection of Freedoms Act, and also

subsequently inform and underpin his Annual

Report to the Home Secretary Amber Rudd.

Speaking about the new National

Surveillance Camera Strategy, Surveillance

Camera Commissioner Tony Porter explained:

“After much hard work, I’m delighted to be able

to launch this strategy document. It’s a strategy

that’s far-reaching, touching on many areas of

surveillance camera use by the police service

and local authorities, installers and

manufacturers as well as training providers and

regulators and, of course, how the use of

surveillance cameras impacts members of the

public on a daily basis.”

Porter went on to state: “The responses to

the consultation on the draft show that this

strategy is extremely well supported, as do the

number of organisations that have written to

affirm their support. I look forward to delivering

on this strategy for the next three years,

ensuring that, where surveillance cameras are

used, they keep people safe while protecting

their right to privacy.”

Endorsement from the BSIA

Endorsing the National Surveillance Camera

Strategy, James Kelly (CEO at the British

Security Industry Association) explained: “The

strategy is a very worthy and successful

attempt to draw together multiple stakeholders

from across what is certainly a diverse and

critically important sector. The BSIA is proud to

have been a contributor to the Commissioner’s

efforts at providing direction and leadership on

the appropriate use of such systems to secure

the protection of our communities, while also

safeguarding individuals’ right to privacy. I’m

delighted to endorse the strategy and will

continue to support the Surveillance Camera

Commissioner’s work on standards and Best

Practice in what’s undoubtedly a vital part of

the UK’s economy.”

To support the achievement of the

Commissioner’s vision, eleven high-level

objectives are outlined within the strategy, each

of them to be led by an expert.

Simon Adcock, chairman of the BSIA’s CCTV

Section and lead on the industry strand of the

National Surveillance Camera Strategy for

England and Wales, commented: “The work of

the industry strand of the strategy is focused

on educating buyers around what to expect

from a knowledgeable and professional service

provider as well as providing practical guidance

to help them comply with the Surveillance

Camera Code of Practice. Ultimately, we’re

aiming to establish and promote a set of

guidelines to ensure that buyers can rely on

their service providers for good practice.”

Adcock went on to state: “Over the coming

months, the industry strand will be defining

what we mean by good practice. This will be

centred around ensuring that there’s an

Operational Requirement in place and that the

resulting system meets agreed objectives. Our

end-game is to ensure that anyone providing

professional video surveillance services will, as

a bare minimum standard, meet these good

practice guidelines.”

Adcock also commented: “The National

Surveillance Camera Strategy for England and

Wales represents an opportunity for the

industry to assure members of the public that

video surveillance systems are being used in

public spaces on a legitimate basis, responsibly

and transparently in order to keep them safe.

The strategy document is fully supported by

members of the BSIA’s CCTV Section and we

very much look forward to seeing its content

being delivered through to 2020.”

NHS Foundation Trust certification

Barnsley Hospital NHS Foundation Trust had

been considering applying for the Surveillance

Camera Commissioner’s third party certification

scheme, but it wasn’t until Mike Lees (the

Trust’s head of business security) heard Tony

Porter speaking at a conference that the

decision was taken to ‘go for it’.

Lees stated: “Although we had been

considering applying for some time, the turning

point followed an excellent presentation by the

Surveillance Camera Commissioner to NHS

security managers late last year. This

presentation clearly outlined the advantages to

NHS organisations of following a process and

how we could demonstrate the rationale of

surveillance use.”

Certification enables organisations to clearly

demonstrate that they comply with the

Surveillance Camera Code of Practice. For

relevant authorities – such as local authorities

and police forces – this is particularly important

as they must show due regard to the Code. For

other organisations, such as NHS Trusts,

following the Code is a voluntary decision.

The certification process provides assurances

to hospital users and staff alike that

surveillance cameras are deployed effectively,

efficiently and proportionately. It also ensures

that NHS Trusts are transparent about why they

use cameras and where they’re sited.

For its part, Barnsley Hospital NHS

Foundation Trust approached the Security

Systems and Alarms Inspection Board (SSAIB)

and subsequently achieved Step 1 certification.

This involves completing the Surveillance

Camera Commissioner’s self-assessment tool

and then submitting the form to one of the

certification bodies. The completed form and

documents are then audited by the certification

body who may contact the end user

organisation for more information before

recommending it to the Commissioner to award

his certification mark which can then be used

for the ensuing 12 months.

Lees added: “The certification process was

certainly challenging, but also very worthwhile.

It allowed us to critically review the reasons for

surveillance and scope these against our

existing policies and procedures.”

Accessible and affordable

Certification is simple, accessible and

affordable. There are currently three security

industry certification bodies qualified to audit

against the Code of Practice – the SSAIB, the

National Security Inspectorate and IQ Verify.

Barnsley Hospital NHS Foundation Trust is

preparing its application for Step 2 certification,

which involves a full site visit and audit. If

successfully awarded the certification mark, the

Trust can use this for a period of five years.

Lees concluded: “Our application for Step 2

certification is indeed already in motion. The

Trust will be applying well in advance of the 12-month

period that’s covered by Step 1. I would

recommend any NHS Trust using surveillance

cameras to apply for the mark.”

The surveillance camera sector is substantial

and an industry that will continue to grow. In

2015, there was a £2,120 million turnover in the

UK for video and CCTV surveillance equipment.

The most recent estimates suggest that there

are anywhere between four and six million

CCTV cameras in the UK. That figure doesn’t

include body-worn video cameras, Automatic

Number Plate Recognition cameras or

Unmanned Aerial Vehicles (ie drones).

Approximately 85% of local authorities have

shown due regard for the Code of Practice by

completing the Commissioner’s self-assessment

tool in respect of their main CCTV

scheme (typically their town centre scheme).

54% of local authorities in the UK have

equipped some staff or contractors with body-worn

video cameras. Transport for London and

Marks and Spencer have already adopted the

Code of Practice on a voluntary basis.

Tony Porter QPM LLB: Surveillance Camera Commissioner at the Home Office

Simon Adcock: Chairman of the BSIA’s CCTV Section


Opinion: Physical Security as a Service

The ongoing shift in consumer focus may

feel a little surprising at first as the security

industry – much like any other technology

sector – has concentrated on ‘shifting boxes’ for

quite a long time now. This was especially the

case when proprietary systems were the norm.

If an end user wanted more services, they

bought a new product. From a basic sales point

of view, this was both simple and economic for

manufacturers and installers alike.

However, a determined move towards

integrated and open technology has

transformed the way in which security

consumers now view their purchase. It’s no

surprise as this has proven to be the case with

any form of consumer technology. When the

option to source from different providers

increases, so too does customer choice and

interest in the physical product becomes

eclipsed by the overall solution realised.

This is certainly evident with smart devices

and IT. Cloud services have put the onus on

what the result looks like, with the device the

user chooses losing much of its significance.

We’re also starting to see this in areas that

nobody would have predicted in the past, such

as the automotive industry, for example.

People in big cities don’t want the expense

and hassle of owning – and parking – their own

cars anymore. Unless you use your car every

day, it makes more sense to rent one by the day

or week specifically for those moments when

you need to venture beyond the confines of

public transport. For some, at least, the

automobile has become a service item with the

end result – ie a specific journey – assuming a

greater importance than the type and

specification of the vehicle being used.

Service without stress

At the crux of all this is the demand from

consumers to identify the service need and for

suppliers to provide the easiest and most costeffective

solution.

Equally, when it comes to specifying a

security solution, the operator doesn’t

necessarily want to know the full details of

what’s going on ‘under the bonnet’. Rather,

they’re more concerned that it ‘does the job’.

Any sensible security buyer – ie the

practising security or risk management

professional – will be focused on their specific

security requirements and the business drivers

that need to be addressed (such as the

protection of buildings, assets, data and

employee safety) and that the chosen solution

suits their budget. This is actually where

service becomes key. For their part, customers

need an expert on hand capable of addressing

their requirements with all of these parameters

firmly in mind, and with a view to removing the

stress of finding ‘the right product(s)’.

All Part of the (Physical Security) Service

There are signs that the way in which we all buy our products and services is changing. The concept of buying and owning a service product is increasingly looking antiquated, as consumers focus more and more on the outcomes rather than the tools needed to achieve them. As the physical security industry becomes more integrated and offers true open systems, John Davies suggests there’s every reason to assume our sector will follow this trend

In the past, specifying and using an

unsuitable solution could be difficult at best,

and potentially disastrous at worst. From an

economic point of view, it’s also a challenge to

finance a big install then try to accumulate

resources again for the upgrade when the

incumbent solution has reached its ‘end-of-life’.

It’s far more sensible to moderate the costs

of security investments by paying a monthly or

annual fee that’s predictable and for which a

budgeted sum may be readily set aside. This is

where buying ‘Security Assurance as a Service’

makes complete sense.

Benefits for customers

While the idea of procuring and servicing

physical security on a subscription basis may

seem groundbreaking and will undoubtedly

involve a change of mindset for many

traditional security buyers, there are some very

persuasive and practical benefits to be realised

for the customer in doing so.

John Davies: Managing Director of TDSi

Opinion: Physical Security as a Service

As the solution isn’t purchased outright,

there’s no need to find a large capital outlay in

one lump sum. At the same time, this capital

can either be invested in a subscription for a

more comprehensive security system or

otherwise accumulated as a saving on the

overall security budget.

With a service-style approach, the

installation and servicing costs are built into

the overall fee, so there will be no unexpected

bills for the business in the event of any issues

or repairs. This is very similar to the benefits of

renting a building or a fleet car, for example,

whereby any maintenance costs become the

concern of the lease company.

Equally, by leasing the security solution, the

end user customer gains instant access to

greater technical expertise and support (for no

extra cost), compared to maintaining these

systems for themselves. This is particularly

appealing when it comes to security systems,

where the integrity – and, therefore, the level of

protection – is of paramount importance. It’s

also very helpful when it comes to integrating

new security components or expanding the

capabilities of the overall security network.

End-of-life stage

The benefits for the customer continue when

the system reaches its end-of-life stage. The

security service provider deals with the

upgrade needs, along with the removal of the

old equipment and installation of any new

systems where required. This also affords a

natural break in the lease, such that the

customer can reassess the host business’

security needs and make upgrades or continue

with the same service levels as before, but with

the attendant benefits of the latest solutions.

Ultimately, by using ‘Security as a Service’,

the customer gains access to a constantly

maintained and supervised solution. This is a

great way in which to ensure that a stable and

reliable security service is realised on a

24/7/365 basis, as well as throughout the

lifespan of the system(s) being used.

When an organisation purchases its own

systems (and, as a consequence, often ends up

using older systems, perhaps due to budgetary

constraints) it can be a real challenge to ensure

safety levels are maintained. It’s a pressure

which most of today’s businesses would be

only too happy to avoid.

Opportunities for solution providers

There are considerable benefits for security

providers, too, both for manufacturers and

installers. Rather than ‘shifting boxes’ (which

any salesperson will tell you is an approach

that can have considerable peaks and troughs),

a move towards complete service solutions

offers a far more stable business model. Rather

than having to win new business with every

product, it becomes possible to sell ongoing

services for a set period.

It’s my own fervent belief that the whole

business model for the security industry will

change and adapt itself to reflect this approach

over the next five-to-ten years. Manufacturers

are already cognisant of the change in

customer expectations and are gearing up to

meet this demand.

The service or leasing approach has become

entrenched in other industries and represents a

firm indication of what’s to come in the

professional security spectrum.

If you look at the airline industry, it has

embraced this model of supply because it

makes sound economic sense for both the

customer and the supplier. Whole aircraft and

even individual key components – such as

engines or seating – can be leased by the

airlines. This yields much greater flexibility, but

also means that the airlines (as consumer-facing

businesses) can have the peace of mind

needed to concentrate fully on providing the

services their customers demand.

The manufacturer and partners provide

assurances and guarantees of service time for

aircraft engines, then deal with servicing and

the technical maintenance to ensure this is

delivered. This model works just as well for the

provision of security systems.

We’ve now reached a point in time where

there are major opportunities on the horizon for

the security business sector, but this inevitably

means that manufacturers and installers will

need to shift their focus and perhaps realign

their business model.

Ultimately, we can begin to concentrate on

developing the right systems for the market

and be assured that our end user customers

will be looking for the kind of support we’re

ideally placed to deliver.



SIA Regulation, Business Licensing and the ACS: A Personal Perspective

Tuesday 14 March witnessed the 2017 edition of the Security Industry Authority’s (SIA) annual Stakeholder Conference, which ran at the Hallam Conference Centre in central London. A reflection of the partnership working theme for the day, the confirmed speakers emanated from academia, the police service and the NHS. Representing the private security industry, Peter Webster aired his views and now shares them with the readers of Risk UK

The SIA’s Stakeholder Conference allowed

me to share my perspectives on licensing

and regulation with members of the

audience. As regular readers of the Security’s

VERTEX Voice section in Risk UK will know, this

is a subject close to my heart. On that basis, I

thought it would be useful to share with you

the crux of my presentation as well as some of

the reactions to it.

First of all, let me begin by stating that I fully

support regulation. As an industry trusted to

keep people and property safe, we want to be

regulated and, indeed, I’ve never met anyone

who has advocated deregulation.

I’m also particularly supportive of the current

system of individual licensing, as administered

by the SIA. An SIA licence gives an individual a

passport to employment, meaning that he or

she can work anywhere in our industry. This is

undoubtedly a good thing for both employees

and employers. While it gives individuals

freedom to work across our industry, when

someone comes to us with a licence we know

they’ve been vetted and trained to a basic

standard and checked by the SIA.

If I’m to be critical of the current system,

however, it is that it isn’t publicised enough.

The wider public needs to understand that the

SIA exists and affords a licensing framework for

the industry. When I say ‘the public’, I include

those who purchase and use security services

in this realm, as well as the wider public.

Indeed, I fear that the wider public has a

stereotypical image of a security officer, fed by

portrayals in the national media and fictional

drama, as an unhelpful ‘jobsworth’ or a lazy

and disinterested individual. This does a great

disservice to the more than 300,000 people

who work in our industry, who are licensed and

serious about the job that they do. As it is, the

negative perception of security in society

reflects on our people and creates a downward

spiral of low self-worth, which invites lower

standards and impacts on professionalism.

We need to flip this spiral around and build

pride in our industry and the work that security

officers do. Awareness of individual licensing is

key to this. With the police service facing

financial pressures, the security industry is

beginning to play an increasingly important role

in safeguarding critical infrastructure. If the

public understood the process of licensing and

regulation, I’m certain there would be more

respect for the industry and its crucial role.

Spectre of business licensing

I’m strongly against business licensing, the

spectre of which continues to loom large over

the industry. While some regulation is good,

there’s no justification for increased and

unnecessary regulation. The last 30 years have

seen business and Government trying to

deregulate wherever practical and possible.

Business licensing goes against that trend.

Fundamentally, business licensing will create

a greater burden on business, and at additional

cost, for what is an already financially

challenged industry. Preparing for my

presentation last month, I discovered once

again a chart from 2015 in which the SIA

showed the administrative burden moving

towards businesses and away from the

Regulator. Furthermore, that chart highlights a

decline in overall regulatory responsibility for

the SIA as it transfers responsibilities to

industry. Is this really what we want?

I find it hard to believe that business

licensing will even stop the behaviour it seeks

to prevent. I’ve heard claims from the SIA that

business licensing will drive out organised

criminality, yet in all my time in the industry, I

have never come across an operator working

within the commercial environment whom I’ve

suspected of being linked to organised crime.

On a practical level, company law already

exists to address illegal activity and, bearing in


mind that even non-executive directors must at

present hold ‘non-front line’ individual SIA

licences, how can business licensing improve

on that level of vetting? Do we not think that

the criminal fraternity is clever enough to

circumvent this? If criminals can successfully

launder billions of pounds’ worth of drugs

money, do we really believe a determined

criminal organisation will not be able to

override a self-administered vetting process?

Of course, while business licensing would

increase the burden on law-abiding business,

any unscrupulous organisation wouldn’t apply

to the legal requirements anyway, so in fact the

only companies really affected would be the

honest and legitimate ones.

Finally, it strikes me that business licensing is

simply unworkable. How will it address the

complexity of brass plaque organisations or

companies with overseas shareholders? How

can one insist on regulatory checks on

shareholders in a Belgian-owned business or a

holding company domiciled in Luxembourg?

Approved Contractor Scheme

There is, of course, a form of business licensing

already in existence in the shape of the

Approved Contractor Scheme (ACS). It’s

voluntary. I know it has many detractors, but it’s

a great deal better than not having any scheme

at all. The introduction of mandatory business

licensing would kill off the ACS. This would be a

terrible mistake.

From my perspective, I could easily live with

any plans to drop the proposed business

licensing and adopt a mandatory ACS. All of the

reliable and trustworthy security companies are

on the ACS Register anyway, meaning that

application and approval would only be a

burden to the fringes of the industry that the

Regulator is seeking to eradicate.

Indeed, in many respects ACS status provides

a level of rigour that I, for one, welcome. For

example, ACS requires vetting to BS 7858

which, to my mind, is far more robust than SIA

licence requirements as it looks at five-year

employment histories. In particular, we should

consider how it might be used to forge

improvement across the industry and drive out

those on the fringes that the proposed business

licensing is meant to address.

On that subject, the ACS should remain under

the control of the Regulator and not be handed

over to industry. This will leave the industry free

to drive the important improvements needed.

Introducing bands of attainment within the

ACS would have the effect of encouraging

organisations to strive to improve their score.

While we don’t need to publicly compare

actual ACS audit scores, the opportunity to

‘band’ providers – whether Bronze, Silver or

Gold, for example – would allow these same

firms to demonstrate their expertise and use

such a banding to differentiate their services in

the quality end of the market.

Reactions and responses

At the Stakeholder Conference, it was very

interesting to hear Ronnie Megaughin (chief

inspector at Police Scotland) talk about his

experiences of making ACS status mandatory

for public sector tenders in Scotland. By all

accounts, this has helped improve the quality of

the security services provided north of the

border and made tendering more transparent.

This tells me that a mandatory ACS would work

in England as well.

That said, I was questioned from the floor

about whether a mandatory ACS would add

excessive cost and burden to smaller security

providers. Naturally, the ACS requires a

business to make a commitment in terms of

people and time, but if it plays a central part in

the continual improvement of that business,

then I would view any associated cost as an

investment in the company.

For me, two points came across loud and

clear at the SIA’s Stakeholder Conference. One

was the need for partnership, whether between

the regulatory body and private security

providers or the industry and the police service.

The second point I noticed was the welcome

recognition of the crucial role that the security

industry plays in keeping people, property and

assets safe across the UK. As Elizabeth France

(chair of the SIA) remarked, there are more

security staff than police officers in the UK.

That’s 300,000 pairs of ‘eyes and ears’ trained

to support the police’s sterling work. At a time

when policing budgets are under considerable

pressure, our industry’s importance to the UK’s

security infrastructure is crystal clear.

However, the good work of the SIA, the

existence of the ACS and the importance of the

security business sector as a whole is poorly

understood and unappreciated. As an industry

we must act and take better control of our

image. Indeed, it’s crucial that the private

security industry buys into this key message.

From my own point of view, the reputation of

the industry depends on it, while its future

growth relies on positive action being taken.

Peter Webster: Chief Executive of Corps Security

*The author of Risk UK’s regular column Security’s VERTEX Voice is Peter Webster, CEO of Corps Security. This is the space where Peter examines current and often key-critical issues directly affecting the security industry. The thoughts and opinions expressed here are intended to generate debate among practitioners within the professional security and risk management sectors. Whether you agree or disagree with the views outlined, or would like to make comment, do let us know (e-mail: pwebster@corpssecurity.co.uk or brian.sims@risk-uk.com)



BSIA Briefing

Last year, the National Counter-Terrorism

Security Office produced some guidelines

containing advice for leaders of schools and

other educational establishments on reviewing

protective security, in tandem pressing school

officials to take the subject of risk management

seriously. This advice followed a series of hoax

telephone calls being made to educational

sites across the UK, which forced at least 27

schools to be evacuated after bomb and gun

threats were made.

It seems history may now be repeating itself.

Last month, across no less than 11 counties in

Britain, nearly 5,000 schoolchildren were

evacuated after their schools received bomb

threats. While these threats were treated as

hoaxes, they do further solidify the fact that

school leaders absolutely must take the time to

review their security plans and ensure the

measures they currently have in place are both

effective and of good quality.

Alongside potential bomb and gun attacks,

educational establishments face a wide number

of threats right across the year, including walk-in

thefts, the potential for personal data

breaches, threats against students and staff

and the possibility of arson. Bearing all of this

in mind, school officials have a Duty of Care to

both their fellow members of staff and pupils,

as well as a legal responsibility to provide a

safe environment in which people can learn.

A lack of effective security can not only result

in potentially life-threatening situations, but

also the prospect of reputational damage. Back

in March, two separate schools in Cumbria were

placed under ‘special measures’ by Ofsted for

security reasons. A small secondary school,

Kirkby Stephen Grammar School failed its

Ofsted inspection due to a perceived lack of

perimeter security, with the school reportedly

being criticised for its failure to put in place

appropriate measures that would “minimise

identified potential risks” to pupils.

In short, Ofsted’s inspectors deemed the

premises as being too readily accessible to

members of the general public.

According to a report in The Westmorland

Gazette, the ‘special measures’ decision came

after The Queen Katherine School in Kendal

was also placed into this category due to

safeguarding and security issues. Following the

decision, the school is now moving forward

with £30,000 plans that will include a perimeter

fence designed to improve security in an effort

to satisfy the Ofsted inspectors.

Ofsted’s decision has angered school

officials, with Kirkby Stephen Grammar School’s

head teacher Ruth Houston and Simon Bennett

(chairman of the governing body) sending a

letter to parents stating that they believed the

decision was “a failing of the inspection

system, not the school, if an overall judgement

is defined by the lack of a fence or not enough

locks on doors, rather than the excellent

teaching, leadership, behaviour and outcomes

of the school.”

Learning By Inspection: The Importance of School Security

Security and safety in UK schools is a highly emotive subject. Indeed, it’s one which is never far from the mindset of the presiding head teacher, the facilities team responsible for a given establishment, the governing body and/or members of the Local Education Authority, all of whom have key roles to play in the implementation of an effective strategy. Here, James Kelly examines the main considerations to be observed around security in the education sector

Students from Kirkby Stephen Grammar

School have contacted Ofsted to express their

own concerns. The Westmorland Gazette report

stated that students told Ofsted they felt

“valued, inspired and appreciated. Unsafe is

something we never feel. A member of our Sixth

Form remarked that ‘everybody knows

everybody in Kirkby Stephen’. This same

community ethos is reflected in our school, an

ethos which would be changed for the worse by

the severe security measures Ofsted would like

us to put in place.”

James Kelly: CEO of the British Security Industry Association

An integrated approach

School security solutions extend well beyond

perimeter fences and physical locks, with an

integrated approach being the most effective

way of protecting staff, students and assets

alike. It’s also important to choose measures

that integrate seamlessly with the design of a

given school building so as not to intimidate

pupils or their parents.

Access control systems can be a great place

to start, with electronic access control

becoming increasingly commonplace in

schools. A combination of electronic access

control and physical security measures will be

vital in helping to manage known or anticipated

threats by dint of controlling, monitoring and

restricting movement around a given site.

Schools can be quite complex in terms of

their access control, with specific areas – such

as a science laboratory or an IT room – needing

to be restricted to certain people at specific

times of the day. Outside of school hours,

access control measures can be used to restrict

entry to the entire building and may be

integrated with gates or fences at the perimeter

to grant access only to authorised personnel.

Alongside electronic access control, as

mentioned, high quality physical security

measures should also be employed. In a school

environment, particular doors – such as that

allowing access to a caretaker’s storage room –

can be fitted with a mechanical patented

cylinder lock under a master key system.

Escape doors may be fitted with crash bars or

push pads for emergency exit only.

On the subject of doors, it’s essential to

consider the types of doors used that will

provide the most streamlined access to and

within a school, taking into account the

demands made by the Equality Act 2010.

Here, it’s vital measures are chosen that are

both non-discriminatory and convenient in their

nature. For example, if selecting revolving

doors for a school entrance – which can act as a

beneficial airlock to keep out draughts, noise,

dust and dirt – then an automatic pass door

should also be installed next to it in order to

grant access to those less able to enter through

a revolving door.

Identification devices

Once the physical barrier – such as a door,

turnstile or speedgate – has been chosen, then

officials must decide on which type of

identification device will be most suited to the

school. This can largely depend on which areas

of the school require authorisation for access

and by whom. For example, some schools may

only have certain restricted areas and need to

give permissions to authorised staff only,

whereas at other schools there may be a

requirement for all students to carry an

identification device.

Proximity cards – such as contactless keys, ID

cards or fobs – can be very useful in achieving

streamlined access throughout a school.

However, it might also be beneficial to consider

biometric access control measures, such as

fingerprint readers, as they can eliminate the

potential issues of children misplacing or

forgetting their access devices.

A good quality system can generally handle a

large number of users and will be able to

identify individuals quickly and efficiently. As

user information is very often linked to a

dedicated database, it’s also wise to choose a

system that doesn’t need to be online in order

to make access decisions. This way, if the

Internet connection is lost for any length of

time, students and staff will still be able to

access specific areas/zones of the school.

Identification devices can also carry various

added value benefits. They don’t simply have to

contain access information. Rather, they can

store important student and staff data, too,

such as any notes on medical issues or dietary

requirements, and are a useful way of logging

time and attendance. They can also act as

cashless vending devices, meaning children

don’t have to carry cash with them to school,

potentially reducing the risk of bullying.

Dynamic lockdowns

Another security measure that’s gradually

becoming a part of school security strategies is

that of dynamic lockdowns. A dynamic

lockdown would generally occur in response to

a fast-moving incident, such as a firearms-based

attack occurring either directly at the site

or somewhere close by.

Dynamic lockdown procedures have the

ability to restrict access and egress at a site or

building – or parts of it depending on its

configuration – through physical measures,

among them access-controlled doors. As well

as verbally alerting staff to physically lock

down the school, panic hardware can be fitted

to doors and windows – and especially ‘final

exit doors’ like playground doors – so that they

automatically lock when the alarm is activated.

The panic hardware must be capable of self-locking.

Pullman-type latches integrated with

door closers would be a good way to achieve

this. A school’s access control system may also

be integrated with a panic alarm system.



ERM and ESRM: Can They Continue to Exist Independently?

If Enterprise Risk Management and Enterprise Security Risk Management are here to stay, what does this mean for the future of risk management? What models should we look forward to in the future, and what future should risk management practitioners prepare themselves for as time moves on? Philip Strand searches for some answers to these key questions

Dr Philip Strand PhD MBA: Senior Risk Consultant at CornerStone

Thought leaders in the risk management

industry continue to evolve practitioners’

views of the world they protect. In many

ways, the recognition that the industry merited

and required professional organisations such

as ASIS International (1955), IAPSC (1984) and

The Security Institute (1999) was an evolution

in thought, both in and of itself.

From this evolution, the industry gained

platforms upon which leaders could develop

their ideas more quickly and communicate with

global reach. Significant paradigm shifts have

included distinctions between security

management and risk management and the

convergence of IT and physical security

operations in the 1990s.

Joining the ranks of these industry-changing

movements is the latest major shift in risk

management thinking, namely Enterprise Risk

Management (ERM) and its security-focused

spin-off, Enterprise Security Risk Management

(ESRM). Enough time has gone by to suggest

that these strategic-level frameworks for risk

management are more than just passing fads.

Indeed, they’ve now firmly taken root.

Risk management was originally developed

as a concept in the mid-1950s to help the

insurance industry conceptualise its role in

society and achieve its commercial goals. By

the early 1960s, two professors – namely

Robert Mehr and Bob Hedges – had developed

risk management for business enterprises into

a more robust system of thought,

encompassing not only risks related to readily

insurable incidents (ie hazard risks), but also

four distinct categories of business risk.

Come the mid-1990s, these four categories

became the foundation of ERM and

encompassed hazard risk (ie employee illness

and injury, theft, third party liabilities, natural

disasters and property losses), operational risk

(information transfers, bidding processes,

construction management and accounting

processes, etc), financial risk (ie costs of

capital, market risks, bank and surety support

and growth capitalisation) and strategic risk (ie

changes in customers and industries, growth

strategies, risks to brands and reputations and

competition risks).

Although Mehr and Hedges succeeded in

bringing risk management out of a single

industry and into the mainstream business

world, their model left significant room for

development. For one thing, their ERM

framework didn’t make it clear how physical

risks can cross-cut all four categories.

At first glance, physical risks – which stem

from threat actors ranging from criminals to

incompetent employees through to natural

disasters – most obviously relate to the ‘hazard

risk’ category, but there are more subtle

relationships to the other three categories that

shouldn’t be understated.

For example, strategic risks could be

compounded by malicious damage caused to

assets or processes that are vital to a

company’s growth strategy. Likewise, robust

physical risk mitigation measures might be

marketed as a comparative advantage over

competitors, thus giving a company an

advantage in a specific market. Additionally,

information transfers could be affected by the

sudden and unfortunate loss of employees.

In each of these examples, an understanding

of physical security risk is an essential

prerequisite to understanding operational,

financial or strategic risk.

While it’s wholly possible for risk managers

to relate different security risks to each of the

categories in the ERM framework, the

development of ESRM in 2009 seems to have

eliminated some practitioners’ desire to do so.

ESRM is a risk management ‘philosophy’ that

encourages practitioners to assess all forms of

physical risk (ie information, cyber, physical

security, asset management and business

continuity risks) in an holistic manner similar to

how ERM advocates assessing many business

risks together.

According to ESRM, risks should be assessed

not only in terms of their immediate impact, but

also according to their second and third order

effects on other assets and processes within a

given organisation.

Clear evolution in thought

ESRM represents a clear evolution of traditional

security thinking in as much as it requires

practitioners to examine the total impact that

security incidents might exert on an

organisation. From an ESRM perspective, a

stolen laptop doesn’t only cost a company the

replacement value of the laptop. ESRM enables

us to see the loss at a higher level by factoring

in the value of the information on the laptop

and the value of all of the business processes

that the laptop facilitated.

ESRM also encourages security managers to

ensure that risk decisions are made by true risk

owners. It brings security managers who’ve

traditionally operated separately (eg physical

security and IT security managers) together

under the same umbrella whereby they can

more easily determine how some risks might

affect multiple stakeholders.

Despite ESRM’s contributions to risk

management thinking, there are still several

ways in which ESRM must be further

developed. While the ERM framework fails to

recognise how security risks can impact

business risks, ESRM also fails to adequately

emphasise this point.

Many models depicting ESRM as a process –

among them ASIS International’s own widely

accepted model – are narrowly focused on

identifying and quantifying organisations’

assets and the risks facing those assets. ESRM

encourages CSOs to liaise with finance,

executive and other C-Level officers to

understand how security risks can affect

multiple assets within their organisations

(including intangible assets like reputation),

but ESRM models stop short of emphasising

the importance of understanding how assets

facilitate the operational, financial and strategic

goals of the organisation.

While ESRM goes beyond ERM in several

important ways, this lack of emphasis makes it

possible for ESRM-minded security managers

to miss out on the important elements of

business risk upon which ERM focuses heavily.

Embracing the philosophy

In their 2016 book entitled ‘The Manager’s

Guide to Enterprise Security Risk Management’,

Allen and Loyear state that: “ESRM is not the

same as ERM, and it certainly doesn’t replace

it.” This appears to be quite true and, at

present, large organisations are likely to need

competent and experienced risk managers at

the head of their ERM Departments as well as a

series of similar risk managers embracing the

ESRM philosophy throughout their

organisational structures.

Currently, there’s no single risk management

framework that embraces all of the elements of

both ESRM and ERM. This allows for a gap in

risk management thinking because, by default,

it means that there’s no single model plainly

relating security risks and business risks in a

single process.

In order for risk managers to correctly

prioritise assets and risks, they must fully

understand the roles that assets play in helping

organisations to achieve their missions and

strategic objectives. ESRM aspires to do this,

but the next evolution in risk management

thinking must be to converge ERM and ESRM.

The four business risk categories of ERM

must be viewed in concert with the security risk

categories of ESRM. The ‘holistic’ approach of

both types of risk management merits

applause, but neither type of risk management

can claim to be truly holistic if they’re not

assessing business and security risks together.

If the convergence of ERM and ESRM looms

in the future, then it’s natural to ask the

question: ‘What would this convergence look

like?’ It seems that it might be appropriate to

add ESRM’s ‘security risks’ as a fifth category in

the ERM model. This is indeed tempting for

simplicity’s sake, but it’s noteworthy that, in

most organisations, the impacts of the two risk

models flow mostly in one direction.

While security risks can – and often do –

compound business risks, the latter tend to

exacerbate security risks only under rare and

extreme circumstances.

Looking ahead, future models of converged

ERM-ESRM frameworks must consider in depth

the fact that assets and processes (which are

directly affected by security risks) exist to

support organisational objectives (which are

directly affected by business risks and only

affected by security risks when assets and

processes are compromised).



Status Symbol: The Chartered Security

Professional and Standards of Excellence

The concept of

chartered

professionalism traces

its roots back many

centuries, in fact to

the years following

the Norman invasion

of 1066. Now,

in the 21st Century,

being ‘Chartered’ is

more relevant than

ever in terms of both

winning and securing

public trust. Peter

Speight examines the

importance of

Chartered Security

Professional status for

today’s practitioners

Recently, a security manager whom I’ve

known and worked with for some years

now, namely Mike Topham, was keen to

discuss pursuing the journey towards Chartered

Security Professional (CSyP) status. Mike – who

has held a number of security management

positions – contacted me as he wished to know

more about the whole subject of CSyP.

For my part, I fully expected a relaxing cup of

coffee or two and a general conversation with a

couple of questions about CSyP thrown in, but

Mike’s keen determination to learn as much as

possible was obvious from the outset. Indeed,

Mike asked several questions, all of them

pertinent and very much to the point.

Why would anyone want to attain this

standard? What will it achieve for the practising

security professional? How will customers

benefit? Who should apply and why? What does

the individual have to do if they pass muster?

We had a great meeting and jointly agreed

that Mike should carry out some detailed

research of his own into CSyP in order to gain a

feel for the ‘What?’, ‘Why?’ and ‘How?’

Mike is right in his assessment that, as we

head into the next few years, every aspect of

the security environment in which we all now

live, whether in a local, national or global

business context or as an individual, has

become more complex, technically challenging

and generally more unstable than ever before.

The sheer magnitude and range of threat

types, from the technical vulnerability of

information and systems through to fraud and

terrorist activity and on to the local protection

of people, premises and business assets

demands the exponential development of the

security sector. The emergence of fully risk-based

methodologies along with this general

growth has been accompanied by the

development of many intelligent tools, both

technical and academic. The security landscape

refuses to stand still, then, even for a moment.

In this maelstrom of activity, the burning

question for customers has been where to turn

in order to ensure that those engaged to advise

on these matters are somehow up to the job

and the best available. If there was a bridge to

be built or the legal defence of a corporation to

be conducted there would be a need for a

proven group of professionals (ie engineers or

lawyers) to transact such work. Their industries

or commercial business sectors are chartered,

with a Register of Chartered Professionals

available as guidance.

Until relatively recently, the security business

sector had no such listing despite the growth of

complex security threats. Thankfully, matters

have changed much for the better.

Strategic competencies

CSyP is a professional certification in security

established to show the attainment of strategic

and higher operational level competencies in

the discipline. The Security Institute operates

the Register of Chartered Security Professionals

on behalf of The Worshipful Company of

Security Professionals and it’s expertly

managed by the Chartered Security

Professionals Registration Authority.

The criteria for joining the Register of CSyPs

are founded to a large degree on the UK

Standard for Professional Engineering

Competence. Advice was also sought from the

Foundation for Science and Technology and The

Engineering Council. The final version of the

criteria for becoming a CSyP is, to an extent,

based on the criteria for Chartered Engineers.



Chartered Security Professionals: ‘The Gold Standard’

To be admitted to the Register, applicants

must have a strong understanding of general

security principles (although they may be a

specialist in one field) and be operating at a

strategic or senior operational level of security

practice while demonstrating a high level of

competence in five key areas: Security

Knowledge, Practical Application,

Communications, Leadership and Personal

Commitment. Applications are also welcome

from professionals working in the security

business sector who are engaged primarily in

teaching or in public or private sector

organisations involved with security activity.

To remain a CSyP, Continuing Professional

Development (CPD) is mandatory, as is

adherence to a professional Code of Ethics.

The Security Institute and ASIS

International’s UK Chapter are both eligible to

receive applications from potential CSyPs,

although applicants don’t have to be a member

of either organisation. It’s testament to the

vigorous protection of CSyP organisational

standards that it took ASIS UK a year of hard

work to demonstrate compliance with relevant

standards in order to be awarded a licence to

manage CSyP registration applications.

Both ASIS UK and The Security Institute are

fully committed to CSyP on several levels,

including mentoring and promotional activities.

Standards of excellence

The five core competencies required for CSyP

registration are weighted in favour of security

knowledge and application skills. The

weighting also requires CSyPs to be better than

average. Achieving a mark of ‘Good’ across the

board isn’t enough. Applicants must be better

than ‘Good’ to be admitted as a CSyP. Those

applying must be of undisputed integrity and

have a sound level of expertise, operating at a

strategic level or the senior end of the

operational level of security practice.

To date, the Register of Chartered Security

Professionals has attracted successful

applicants not only from the UK, but also

Australia, the USA, Canada, the UAE, Spain,

France, Albania, the Netherlands, the Czech

Republic, Switzerland and Hong Kong.

As substantial as the foundations are, and as

undeniable as the commitment of the industry

is to adapting to modern customer needs, in

order to fully understand why an individual

should submit themselves to the rigours of

registration we must understand – as Mike

asked of me – what the advantages of achieving

CSyP status are for the individual in order for

this ‘Gold Standard’ to become attractive to the

next generation of security professionals.

‘Single dimension’ security

For some time now, customers have been

unhappy with the ‘single dimension’ security

service delivery. Several fairly weighty voices

have called for better informed and bespoke

risk profiling of their businesses and a move

towards Enterprise Risk Management on a

service partnership level.

Traditionally, ‘security’ has been viewed as a

grudge purchase by some clients for a variety of

reasons, which inevitably leads to price-driven

procurement decisions based on hourly charge

rates. The end result has often been poor

service delivery by poorly-motivated security

officers operating in a poorly-resourced

environment. That’s the fact of the matter.

The traditional corporate mindset is slowly

changing, but still pervades among many of the

current customer base. In essence, the key

must be to manage expectation at the outset by

demonstrating the professionalism, flexibility

and tailored offering which our industry is now

able and geared to deliver. A potential customer

needs to be encouraged to found procurement

decisions on the value added by the security

services package based on a risk management

methodology, and not simply on the charge rate

for the officers delivering those services.

Security professionals must drive to become

actively involved in the full range of enterprise

risk mitigation (including crisis first response)

along with their customers, while also pressing

to become integrated service partners.

Returning to one of Mike’s key questions,

why register for CSyP? The answer is to

demonstrate that we understand and stand by

the concept of ‘professionalising’ the security

world around a single, transparent and

continually relevant standard, and at the same

time send a message into the marketplace that

we’ve adapted to changing customer needs.

Choosing a professional or a service provider

from within our sector is now possible in a way

that mirrors the seriousness of current threats.

Registration as a CSyP also requires a

demonstrable personal commitment to the

development of security in its wider sense,

through supporting colleagues, members of the

public and immediate neighbourhoods.

Applicants shouldn’t attempt to attain CSyP

status without fully appreciating that ongoing

commitment. This isn’t just a ‘tick-box’ exercise.

Dr Peter Speight CSyP DBA

MPhil MSc MIRM:

Managing Director of Future

Risk Management



Physical Security

Information

Management is a

category of software

that provides a

platform and

applications created

by middleware

developers specifically

to integrate multiple

unconnected security

applications and

devices and control

them through one

comprehensive user

interface. Stephen

Smith outlines why

the end user buyers of

such solutions need to

consider not only the

technology itself, but

also the ongoing costs

involved

PSIM: Only Fools Rush In...

Of late, there has been a fair degree of

focus on how Physical Security

Information Management (PSIM) solution

developers are planning to offer integrated

security systems aimed at the growing needs of

large-scale enterprises. They would be doing so

while also offering advanced functionality for

more stakeholders and providing greater

control from one central location.

Within the world of PSIM, certain matters are

crucial for the future development of our

industry. One such is about understanding and

resolving problems associated with the

increasing geographical scope of clients, while

adhering to a multi-tiered hierarchy – a so-called

‘federated’ system – wherein total

control is centralised, but allows individual

sites to maintain local control.

Providing more powerful systems is

undoubtedly important. Perhaps more

important, however, is the scalability of the

solution, from a single PC through to those

‘federated’ solutions that afford end users the

power to match risk with budgets. It is indeed

the case that big is beautiful up to a point, but

what’s considerably more attractive, I would

strongly argue, is the ability to scale a solution

according to need. This will allow more

businesses to realise the considerable

advantages PSIM solutions can deliver.

Also important is the issue of connectivity

and, to be more specific, the subject of

connectivity failure. It would seem obvious that,

in locations where there are known connectivity

challenges, and where connectivity failure is

therefore a distinct possibility, the ability for a

system to work in a standalone mode is

essential. It would seem similarly obvious that

managing an enterprise-wide PSIM-based

solution doesn’t create huge volumes of data.

Distributed architecture

The distributed nature of the architecture

within certain PSIM solutions means that each

Control Room is autonomous. This in turn

means that, if a connection is lost to the others,

it will continue to run without interruption and

monitor the systems assigned to it. To that end,

it’s a genuine ‘hot reserve’, as opposed to being

a ‘fail-over’ Control Room that has to be

switched on and booted up.

In my opinion, data bottlenecks should never

be used as an excuse for a system going down,

nor for creating a lack of ‘control’. It’s

disingenuous to suggest otherwise. PSIM

technology should have an efficient alarm

escalation functionality, which means that if

there’s a problem, the operator still knows

exactly what to do should a critical event occur.

For their part, operators must have access to

all of the data, information and systems at their

fingertips. None of that information should be

‘lost’ in the event of a connectivity failure, or

while waiting for the back-up to warm up.

While some are seeking to develop more

powerful solutions for ‘federated’-level security

across larger organisations and smart cities,

others are already being deployed throughout

the world, from the UK to the United Arab

Emirates. While some manufacturers appear to

focus on the past, the more forward-thinking

among us are already operating in the future.

PSIM technology is of course capable of

managing large numbers of systems – and not

just video – from a single platform across

multiple sites. This allows end users to manage

incidents according to standard operating

policies set by the customer or based upon

best business practice, mitigating risks to life,

security and assets accordingly.

Importance of reputation

Reputation is important in any industry and for

any technology. Frustratingly, PSIM is already

one of those technologies that has a poor

reputation. It has come a long way in a

comparatively short space of time, but such

rapid evolution has been an element of the

problem. This is partially because PSIM can be

misunderstood and grouped erroneously with

security management systems, but also partly

because, in my opinion, some PSIM solution

developers are misleading the market.


They seem to be doing this in two ways: first,

in regard to what their technology is capable of

achieving and, second, in relation to how much

their clients should pay for the pleasure of

having a PSIM solution installed. Indeed, this

is the other great challenge and the other

great myth: lifecycle costs.

I have a genuine fear that these hidden costs,

with particular regard to software licences,

combined with the lack of an adequate support

service – or one that’s ludicrously expensive –

are problems that continue to be unexplained

and do our industry a tremendous disservice.

This was certainly evidenced in the survey we

ran in conjunction with Risk UK last year.

Depending on the specific PSIM system and

its manufacturer, these costs can be highly

fragmented and split into many different ‘parts’

or stages. This may be confusing to the end

user buyer, since they can include the physical

equipment cost, installation, initial software

licences, training packages and project

management services, etc.

What’s most alarming, however, is that these

are only the ‘initial’ costs and don’t take into

account factors such as annual licence fees,

future upgrades and renewals which, when you

think of the initial capital expenditure for

implementing a system and the number of

years you expect it to be functioning, could run

into the many thousands – if not hundreds of

thousands – of pounds.

Specification: key points

In specifying a PSIM solution, and identifying a

reputable manufacturer with whom to work,

what should the end user be looking for?

Ensure the companies that are pitching to

you state, in writing, their annual fees for the

renewal of your licence and, if technical support

is provided, what it entails and what it costs

over a five-year period.

Find out whether you will be expected to pay

for system updates, too, and if so, how

frequently these updates will occur. What are

the fees? Is the cost a percentage of the initial

capital outlay?

Given the level of investment you’re making,

insist that the software will be supported for a

minimum of ten years or longer if possible.

Sweat the small print pre-contract so you

don’t expose yourself to risk that could well

end up having a catastrophic impact on your

organisation somewhere down the line. A small

number of software providers are still known to

build a ‘timer’ into their software. That’s worth

bearing in mind, as this automatically shuts the

software down if, for any reason, your annual

renewal payments haven’t cleared.

Don’t evaluate a project based solely on the

initial capital cost. What might appear to be a

competitive initial cost could actually be the tip

of a very big iceberg when you rack up the

other additional costs for updates, licence

renewal and technical support. Work out the

lifetime cost. Don’t discover when you’re too far

down the line that the cost of installing the

system is lower than the ongoing annual costs.

A decision was taken early on in our

commercial history that we would never place

clients in the unenviable position of budgeting

for a capital expenditure only to find a raft of

renewal and licensing costs emerging. Cost, of

course, cannot be the only driver, but the

danger is that the cost a client is quoted isn’t

the ‘true’ cost that they end up paying when

ongoing outlays are then taken into account.

Transparency is paramount

Over the years, I’ve lost count of the number of

red-faced security managers berating a PSIM

solution provider for metaphorically holding a

gun to their head and, in effect, telling them to

‘pay the ongoing fees or we will not support

your system’. We certainly know of cases where

public bodies are now having their PSIM

systems ripped out because they cannot afford

to maintain them from revenue budgets.

PSIM solution providers must be 100%

transparent and fair or otherwise risk going out

of business on the back of an army of

disgruntled customers. Short-term opportunism

and narrow-mindedness could seriously impact

the industry’s long-term credibility.

PSIM is very much the system of tomorrow

that’s already being used to great effect in the

‘here and now’ today, but not always to the

extent that it should, or indeed by the

businesses that could benefit from it the most.

Buying a PSIM solution can be fraught with

difficulties, many of which are of our industry’s

own making. It must be said that buying on

initial capital cost alone is certainly a

dangerous way of doing things.

My best advice would be to conduct your due

diligence very thoroughly indeed. Consider the

technical implications of the risks to be

overcome and the lifetime cost of a system

rather than rushing unexpectedly into a brick

wall of hidden fees or false promises. After all,

only fools rush in where angels fear to tread.

Stephen Smith:

Managing Director of

Integrated Security

Manufacturing (ISM)



The Insider Threat: Technical Surveillance Countermeasures

Many cyber attacks come from halfway

around the world, but the network

openings that allow cyber attackers to

infect databases and potentially take down an

organisation’s file servers are mostly initiated

by trusted employees.

Insider threats are much harder to detect and

potentially far more damaging financially and

reputationally than an external attack. Whether

malicious or simply negligent, workers need

access to sensitive information and systems to

do their jobs. As a result, whether they act accidentally or

choose to steal, their actions can do an

enormous amount of damage to a business.

Statistics show the extent of the risk posed

by insider threats. Accenture and HfS Research

state that 69% of enterprise security executives

have reported experiencing an attempted theft

or corruption of data by insiders during the last

12 months. According to The Ponemon Institute,

62% of business users report that they have

access to company data they probably

shouldn’t see, while the SANS Institute

observes that nearly a third of all organisations

still have no capability in place to either

prevent or deter an insider incident or attack.

In one study conducted by Gartner that

examined malicious insider incidents, 62%

involved employees looking to establish a

second stream of income by way of their

employers’ sensitive data, 29% stole

information on the way out of the door to help

future endeavours and 9% were saboteurs.

Defining insider attacks

Understanding what an insider attack is and

how it can happen will assist in reducing

exposure. Typically, an insider is a

trusted employee, student or contractor. It’s

someone who’s given a higher level of trust

than an outsider. This trust is usually

established through various formal and

informal processes, including references at the

employment stage and ‘earned’ trust as rapport

with the employee is built upon.

Recognising an ‘insider’ is the first step

towards classifying internal attacks.

Understanding what constitutes an insider

attack is the next one. Common attacks include

making an unintentional mistake, ignoring due

process and using ‘work arounds’ to access

information, trying to make a system do

something for which it wasn’t designed,

checking the system for weaknesses,

vulnerabilities or errors and acting with the

intention of causing harm.

The ‘Insider’ Threat

Colossal data breaches are fast becoming the ‘new normal’.

With each new incident invariably comes a feeble apology

‘for any inconvenience caused’. At best it’s embarrassing for

the company concerned, at worst the damage can be

catastrophic, often resulting in loss of reputation and profits

as well as lawsuits. Emma Shaw plots a path to safety for

today’s organisations

To successfully protect a company’s

confidential information, its assets and current

controls need to be identified and assessed. For

example, if a company stocks high value

equipment, thought will need to be given to its

location, accessibility, how it’s protected and so

on. Once the process of identification has been

completed, consideration then needs to be

given to who can access this information and

who’s responsible for controlling and updating

control measures in the future.

Key questions for consideration here are:

• Who genuinely needs access to sensitive

information and who can obtain this

information from another source?

• What controls are in place to limit access to

those who need it to carry out their job roles?

• How can you identify unauthorised access?

Traditionally, the security market has focused

more on preventing threats from entering the

network than on detecting and stopping data

from being exfiltrated. While preventing

infections undoubtedly remains important,

more resources are now being made available

to search for ‘Indicators of Compromise’ and

protect valuable data from exfiltration.

Emma Shaw MBA CSyP FSyI

FCMI: Managing Director of

Esoteric Ltd

According to a recent survey by Vormetric,

89% of respondents (globally) felt that their

organisation was now more at risk from an

insider attack, while 34% felt very or extremely

vulnerable to one occurring. When asked about

who posed the biggest internal threat to

corporate data, 55% of respondents said

privileged users. Nine percentage points behind

on 46% were contractors and service providers,

with business partners rated at 43%.

The report goes on to say that databases, file

servers and the cloud hold the vast bulk of

sensitive data assets, but for many (38% of

respondents, in fact) mobile is perceived as a

high-risk area of concern.

Vormetric’s analysis states: ‘Senior

management concerns over privileged user

access have reached the top of their security

agendas. They now understand the damage

that a rogue user with admin rights can do and

they recognise that, if this type of user isn’t

properly monitored and controlled, the damage

to the business can be far-reaching. Also, if a

privileged user’s credentials are acquired by an

external attacker – as US investigators say was

the case when a hacker stole the credentials of

a system administrator at Sony and

orchestrated the recent high-profile data

breach – the opportunity to gain free access to

key information repositories or deploy malware

is likely to be extensive’.

How a company handles its information and

communications clearly becomes a contributor

to the risk exposure. A risk analysis covering all

forms of communication and information

storage should be conducted to analyse the

assets which the company possesses and

understand the scenario of possible threats in

order to ultimately produce an appropriate and

proportionate programme of countermeasures.

Emerging threats to organisations

Social engineering attacks, which rely on

human interaction and fraudulent behaviour,

have been growing significantly since 2011.

Preventative methods include limiting the areas

or meeting rooms where sensitive

conversations take place, and then

implementing sufficiently appropriate and

proportionate measures to protect these areas

as reasonably and cost-efficiently as possible,

based upon the threat and risk of espionage.

The appropriate solution may be derived

through a programme of technical surveillance

countermeasures (TSCM) surveys, the

installation of permanent countermeasure

solutions, the training of in-house security

personnel and awareness education for key

members of staff.

It’s also important to note that a TSCM survey

involves more than just an electronic ‘sweep’.

As well as locating and identifying hostile

electronic surveillance devices, an effective

TSCM programme is designed to detect

technical security hazards, physical security

weaknesses or security policy and procedural

inadequacies that would allow your premises to

be technically or physically penetrated.

Benefits of TSCM

• Prevention: The potential loss and

reputational damage that an information

breach might incur can far outweigh the cost of

implementing a proactive TSCM strategy.

Prevention is far better than cure

• Best Practice: Having a proactive TSCM

programme in place demonstrates a Best

Practice approach which will reassure Board

members, clients and stakeholders alike

• Corporate Compliance and Corporate Social

Responsibility: The duty to identify and manage

regulatory risk is a key requirement of today’s

Boards of Directors and a proactive TSCM

programme will assist organisations in

achieving compliance around the protection of

their information

• Enhancements to security: A TSCM

programme will detect and report on physical

security weaknesses or inadequacies that

would allow a given premises to be technically

or physically penetrated, thus enhancing the

overall security of the organisation

• Deterrent effect: Having overt counter-surveillance

policies in place can act as a

deterrent to thieves and errant employees

• Peace of mind: A proactive TSCM programme

provides peace of mind that strategic

conversations and information will remain

confidential and allow the host organisation to

concentrate on ‘business as usual’

Overall business strategy

The risk of insider attack and its effects should

be an integral part of risk management and the

business strategy. Most insider attacks happen

due to a company’s focus on more obvious

forms of security breaches, without any

consideration around what’s required to protect

the company from internal threats.

To be productive, companies need to give

their employees freedom to work efficiently and

largely unhindered. However, within this, the

operation and effective management of simple

security systems helps in protecting the overall

security of company assets.




Ransomware is a

constantly growing

threat and a highly

effective one.

Osterman research

from 2016 found that

ransomware was used

to target 54% of UK

organisations, with

more than half paying

the ransom. Of those

who didn’t pay, nearly

a third ended up

losing their data.

Wieland Age looks at

why defeating

ransomware is so

important in today’s

education sector

An Education on Ransomware

Last year, Locky spawned a file-encrypting

epidemic. Since then, it has become the

most prevalent ransomware on the planet.

Targeting universities among many other large

institutions, its continuous, pitch-perfect

campaigns demonstrate how organised crime is

digitising faster and more successfully than

many ‘legitimate’ enterprises.

This emergence of Locky, which represents a

new strain of ransomware, demonstrates just

how successful cyber criminals are becoming at

mastering the digital transformation agenda.

Locky’s creators invested significant time and

resources in product development, identifying

the best user interface, performance and

encryption security protocols. So much so, in

fact, that the FBI actually recommended victims

pay any demanded ransom in order to gain the

correct decryption code.

To support their programme, the criminals

even created a ‘Customer Help Centre’ to

handle sales and support. If victims have

problems decrypting their data, online ‘staff’

are on-hand via chat rooms to walk ‘customers’

through the process. This ensures that there

are no negative social media reports from

victims who, having paid up, are then unable to

regain access to their data files.

When it comes to propagating Locky, the

online criminals have done their homework. In

December, their latest phishing campaign

reached millions of victims in over 100

countries within days. Most start-ups would be

overwhelmed by such success, but the

distributors of Locky have created a highly

mature online infrastructure designed to

manage high volumes of payments and

enquiries – in multiple languages – from the

victims whom they target.

Education: an unlikely target?

IT professionals operating in educational

institutions have been slow to adopt

ransomware defences, perhaps because there

has been an unfounded misconception that

they’re unlikely to be targeted. If that used to

be the case, it’s certainly not true any more.

Bournemouth University was hit by no less than

21 ransomware attacks last year, while Los

Angeles College was recently forced to pay a

$28,000 ransom to unlock critical data and

systems following a ransomware attack. It’s

shocking, but not altogether uncommon. In

many ways, educational establishments are a

logical target for malicious attackers.

With whole campuses full of independent,

computer-based study being carried out by

students, these younger users could be

perceived to be less wary of suspicious e-mails,

attachments and websites. Compound this with

the fact that each one of these thousands of

pupils likely has multiple devices, all connected

to the institution’s network, and it’s easy to see

how hackers might view schools, colleges and

universities as low hanging fruit. Millions of

highly sensitive records, treasured works and

confidential details, combined with a very real

need to maintain their reputations as trusted

organisations, mean that educational

institutions are seen by many as easy pickings.

Education sector IT budgets don’t normally

include blank cheques for combating cyber

criminals, so investing in anti-ransomware

measures should be a priority for any

educational organisation wanting to avoid a

nasty and expensive surprise.

Fortunately, it’s possible to halt digital

attacks with a combination of the right security

measures and user awareness.

Raising awareness

Most ransomware attacks begin with an e-mail

containing malicious links or attachments.

Consequently, to reduce the likelihood of a

successful attack, it’s imperative to ensure staff

and students know all about the dangers of

ransomware, understand how to practise safe

computing and can recognise the indicators of

malicious e-mails. It’s also important to

maintain awareness by implementing a

programme of regular reminders.


Education Sector Safety and Security: Mitigating The Ransomware Threat

The three key messages that users should

take away from training are:

• Don’t open suspicious e-mails. Treat anything

‘out of the ordinary’ as a potential attack, even

when coming from a trusted source. If

possible, contact known senders separately to

confirm an e-mail is authentic before opening it

• Learn to spot ‘red flags’ including poor

spelling/grammar in supposedly professional

e-mails, e-mails received at strange hours,

misspelled domains that look convincing

(A.Anderson@gmoil.com) and buttons and links

in the e-mail connecting to suspicious URLs. To

check this, hover the cursor over the link or

button and the URL will appear at the bottom

left of the window

• When in doubt, delete the communication
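
An added example, not part of the original article: a Python sketch that checks a message for three of the red flags listed above (a misspelled sender domain, a strange send time, and a link whose visible text names a different host from the one it opens). The trusted-domain list, the 06:00 to 22:00 "normal hours" window and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions (hypothetical): domains the organisation really corresponds with,
# and the hours outside which a send time counts as "strange".
TRUSTED_DOMAINS = ("example-university.ac.uk", "gmail.com")
NORMAL_HOURS = range(6, 22)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what 'hovering' would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL-like string, or '' when the text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "//" + text
    return (urlsplit(text).hostname or "").lower()


def red_flags(raw_message):
    """Return human-readable warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} imitates {imitated}")
    try:
        sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    except (TypeError, ValueError):
        sent = None
    if sent is not None and sent.hour not in NORMAL_HOURS:
        flags.append(f"sent at {sent:%H:%M}, outside normal hours")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode(errors="replace"))
    for href, text in collector.links:
        target, shown = host_of(href), host_of(text)
        if target and shown and target != shown:
            flags.append(f"link shows {shown} but opens {target}")
    return flags


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: A. Anderson <A.Anderson@gmoil.com>
Subject: Urgent: password reset
Date: Tue, 04 Apr 2017 03:12:00 +0100
Content-Type: text/html

<p>Sign in at <a href="http://login.example.invalid/reset">portal.example-university.ac.uk</a> today.</p>
"""
BENIGN = """\
From: IT Service Desk <helpdesk@example-university.ac.uk>
Subject: Help pages
Date: Tue, 04 Apr 2017 10:30:00 +0100
Content-Type: text/html

<p>See <a href="https://portal.example-university.ac.uk/help">portal.example-university.ac.uk/help</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, red_flags(raw))
```

A check like this supports user training rather than replacing it: it only catches near-miss spellings of domains already on the trusted list.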

Secure your network

Effective user training can help to prevent many

attacks, but keeping the network free of

malware also requires a combination of

effective perimeter filtering, specially-designed

network architecture and the ability to detect

and eliminate resident malware that may

already be inside the host network.

Attackers can be prevented from entering the

network by a next generation firewall or e-mail

gateway solution that filters out most threats.

The best solutions will scan incoming traffic

using signature matching, advanced heuristics,

behavioural analysis and sandboxing and have

the ability to correlate findings with real-time

global threat intelligence.

When looking at the IT estate, make sure you

can control and segment network access to

minimise the spread of any threats that may

enter. Ensure that students can only spread

malware within their own limited domain, while

also segmenting other user groups. You might need to allow

admin staff, teachers and guests to each have

limited or specific access to online resources.

Start off with a clean slate. The existing

infrastructure likely contains a number of latent

threats. For their part, e-mail inboxes are full of

malicious attachments and links just waiting to

be clicked on. All applications – whether locally

hosted or cloud-based – must be regularly

scanned and patched for vulnerabilities.

Serious back-up plan

When a ransomware attack succeeds, critical

files – HR, payroll, grades, health records,

confidential student files, e-mail records and so

on – will be encrypted. The only way to obtain

the decryption key is to pay the ransom.

However, if you’ve been diligent enough

about implementing and correctly running a

back-up system, you can simply ignore the

ransom demand and restore your files from

your most recent back-up. Your attackers will

then have to find someone else to rob.

Automated, cloud-based back-up services

will provide the greatest security for data. For

budgetary or other reasons, some educational

organisations may be committed to a legacy,

‘on-premises’ back-up solution. If so, it’s worth

starting the planning phase to transition

towards a cloud-based system. In the

meantime, on-premises systems can be

configured to back-up files regularly

throughout the day. Admins should also be

extremely diligent about moving current back-ups

to a secure, off-site location every evening.

Many digital security experts believe that

ransomware is set to evolve and make up the

majority of cyber attacks in 2017. Given that the

pursuit of profit is the primary motivation for

most criminals, it’s perhaps not surprising that

ransomware’s popularity has continued to grow.

Simply put, ransomware is the easiest and

most effective way in which to extort money

from businesses of all sizes. Educational

institutions face this threat, as do banks,

hospitals, retailers and even Governments.

Future UK workforce

While the tips and tricks outlined here are

easily actionable as part of educational

organisations’ battles against ransomware, only

recently has there been a particular spotlight

on the digital skills of the nation’s children who

are growing to become young people within a

world dominated by IT and the Internet.

In March, the Communications Committee for

the House of Lords reported that learning

Internet safety should be a top educational

priority, alongside literacy and mathematics.

For his part, Lord Best issued recommendations

building on findings from the Children’s

Commissioner that “digital literacy should be

the fourth pillar of a child’s education alongside

reading, writing and mathematics and be

resourced and taught accordingly”.

Half of all law-breaking in the UK now

happens online and, while there’s little doubt

that children are indeed becoming increasingly

digitally literate, this House of Lords report

rightly points to the fact that the education

system isn’t yet equipping them with decent

enough levels of digital knowledge before they

leave school and form our next workforce.

Wieland Age:

General Manager (EMEA) at

Barracuda Networks


Educational facilities

should be safe, secure

and healthy

environments that

encourage learning

and development.

However, criminal

activity can

compromise these

principles and, in turn,

undermine the hard

work of both teachers

and students. Peter

Jackson examines the

security solutions that

can be put in place to

prevent harm from

being perpetrated

Security By The Book

Only recently, an ITV News story revealed

that pupils at a primary school in

Leicestershire missed the first day of the

new term after vandals broke in and caused

thousands of pounds worth of damage. The

wreckage ranged from broken windows to the

destruction of furniture and play equipment.

The latest reported statistics show that there

were 13,003 incidents of theft, burglary and

robbery reported in schools in England, Wales

and Northern Ireland in 2014, alongside 4,106

investigations into damage or acts of arson.

The price of repairing physical damage and

replacing stolen equipment can have a

significant bearing on a school’s budget.

Indeed, financial restraints in UK schools are a

big factor to consider when assessing the

importance of adequate physical perimeter

security. Recent announcements by Government

ministers suggest that 5% of council schools

and 4% of Academy Trusts have budget deficits,

with the general secretary of the National Union

of Teachers estimating that 92% of schools in

England could face real terms budget cuts over

the next four years.

In spite of these tight constraints, vandalism

in Scottish schools, for example, cost the

taxpayer over £1 million in repairs in 2015 and

at least £4.5 million over the past five years.

These unplanned costs will generally mean

that less money is available for important

considerations such as recruiting personnel or

improving building facilities and equipment.

There are also the non-financial impacts

associated with these crimes that must be

considered. The reputation of a given

establishment, a fear of safety among members

of staff, parents and students as well as the

disruption caused to learning can all have long-term

effects that may be hard to shake off.

Physical security

A large number of people flow through

educational sites on a daily basis making it a

difficult task to keep track of crowds at

particular locations. The lack of a formal

security strategy for schools, coupled with the

fact that we don’t employ security personnel at

school sites, means that the use of physical

security solutions including gates, fences and

turnstiles is recommended.

For maximum effectiveness, physical security

solutions should be supported by some means

of electronic security equipment such as access

control to effectively manage and limit

movement within a site.

Initiatives such as Secured by Design provide

several guidance documents that aim to reduce

crime in the built environment. The latest

advice to schools incorporates several new and

improved security standards that have been

developed to address emerging methods of

criminal attack. The guide advocates a clear

management and maintenance programme to

ensure the permanency of any measures

undertaken. Periodically assessing for risks and

implementing solutions where necessary is a

good way of making sure that a site is always

meeting its Health and Safety obligations.

Developing a detailed school security policy

that identifies the risks and puts controls in

place to minimise harm to staff, pupils and

visitors is vital. Procedures should also be in

place to prevent security and safety breaches

as well as to educate members of staff around

them always being ‘security aware’.

Having visible physical measures and

processes in place will help to protect against a

range of threats and vulnerabilities. Public

safety must remain at the top of the agenda to

ensure the health and well-being of all

individuals in and around the school site.

To this end, Building Regulations, Local

Authority permits, Health and Safety and fire

prevention requirements must be strictly

adhered to and observed at all times.

Planning the perimeter

To safely and effectively secure a school,

college or university site, careful planning of

the perimeter security is paramount.


Education Sector Safety and Security: Physical Security System Design

Educational facilities are often complex sites to

secure, playing host to multiple buildings (each

with their own access points), open spaces

between those buildings, play areas and sports

facilities as well as fields. Perimeter security

solutions therefore need to integrate with the

overall site architecture and, ultimately, aim to

control the movement of people and vehicles

through the use of solutions such as fences,

gates, bollards and barriers.

It may be worth thinking about creating

separate traffic routes for pedestrians and cars

to make sure members of the public are safe

during peak periods. A plan should also be put

in place during quieter times in order to

maintain a ‘security conscious’ approach.

Having an understanding of the land layout

surrounding the site perimeter and its uses is

also crucial as certain aspects may contribute

to or otherwise assist in the perimeter being

breached. By way of example, if the school or

college is the neighbour of a pallet production

company then the latter’s stock of pallets next

to any school fence makes it easy for would-be

intruders to use those pallets as a means of

gaining illegal entry to the premises.

Alongside the various regulations to follow,

consultation with local residents and

neighbouring businesses is a vital aspect to

think about as these parties can provide

additional support that may well assist in

preventing a perimeter breach.

When considering access points into and

around an educational facility, it’s particularly

important to understand and manage

permissions for staff and students entering the

site and prevent or control access for other

individuals wishing to enter. Having clear

signposting and designated areas for visitors

including parents, local authority employees

and suppliers, etc is key alongside

supplementary measures such as a reception

area or a sign-in procedure orchestrated to help

establish the authenticity of a particular visit.

If for any reason an entrance is used to

provide unrestricted access, it must be

monitored in person by a member of staff so as

to provide an initial deterrence.

Locking down entry points

With safety being the first priority, it may be

worth considering locking down all entry points

on the perimeter of a site during the day with

access managed via a staffed reception. When

combined with durable high security fencing,

such a policy can not only help in denying

potential criminals entry, but it can also prevent

pupils in primary and secondary school-level

education from leaving without permission.

Nowadays, most new schools are built in

urban areas whereas existing ones are being

bordered by new residential developments. In

these cases, it’s important to consider the

surrounding neighbours in regard to the noise

created during the school day.

Acoustic fencing is suitable for ameliorating

noise as it can be used to deflect external

sound away from a school site as well as

contain and absorb internal noises from high

impact areas such as playgrounds. These

solutions can work together to provide school

users and neighbours alike with the optimum

combination of privacy and security.

Sports fields and courts are another area

within the school site that may require some

defences in place to safeguard pupils and staff

from harm and protect buildings from damage.

Stray footballs, for example, can cause pain

and injury to unsuspecting members of the

public passing by and realise destruction in the

form of smashed windows. Installing suitable

fences and gates around these areas can help

when it comes to preventing such occurrences

from taking place.

Importance of aesthetics

Aesthetics is one more important factor.

Creating a pleasant and welcoming appearance

is a key element that helps with staff

recruitment and retention, and also increases

student productivity. Security solutions in

secondary schools that feature bespoke

elements such as incorporating the school’s

logo and colours are also ideal as they can help

develop a strong identity as well as a shared

sense of loyalty among students and staff.

Primary schools, on the other hand, rely

highly on bright colours and soft features in the

playground to engage and aid pupil interaction.

In this scenario, using timber fencing around

the perimeter may be much more beneficial as

it can be styled and decorated accordingly.

Ultimately, having the most appropriate

solutions in the right places will help in

creating a safe and secure teaching and

learning environment which also benefits the

local community. A good school security policy

can undoubtedly assist in reducing incidences

of anti-social behaviour, increase collaboration

and cohesion in neighbourhoods and make an

establishment more attractive to prospective

staff and students alike.

Peter Jackson:

CEO of Jacksons Fencing


Access Control: Integrated Business Solutions for End Users

When’s the best time to upgrade your

access control solution? Many

businesses choose to follow the policy:

‘If it isn’t broken, don’t fix it’ but this can be a

risky approach in a world where technology and

the threats posed to today’s organisations are

changing so rapidly.

The use of older, legacy access control

systems exposes an organisation, a building, a

server room and/or computers to the

possibility of unauthorised access and the

myriad consequences that follow.

Access control technology is widely present

across many aspects of an organisation and

benefits both physical security and IT security.

With the advancements in smart phone, smart

card and biometric technologies, it’s now time

for organisations to start using these devices to

not only save on costs, but also to improve

upon the end user experience and simplify the

integration process of new biometric

technologies when they’re introduced.

Why, though, is now the best time for end

users to upgrade their systems?

Data privacy issues

One of the biggest drivers for updating legacy

access control systems is the need for

enhanced levels of data privacy. This could

come about through the on-boarding of a client

that requires high levels of security, new

legislation being brought in for specific

industries or even new building tenants.

The driver remains the same: data or the

building itself is in some way exposed to or at

risk and needs added protection. Put simply,

yesterday’s technology is no longer sufficient

for confronting today’s access control and

identity management challenges.

With data breaches dominating the

technology, security and indeed national

headlines, end users are fully aware that the

risk posed to organisations is evolving, while

the need to protect their physical assets – and

consequently data assets – is of vital

importance. The ‘IFSEC International Access

Control Report 2016: Legacy Infrastructure and

Motivations for Upgrading’ report highlights the

fact it would take a security breach that

exposed a flaw in the current system for 92% of

respondents to consider changing their current

access control system, but not beforehand.

On any site at any one time, in addition to

regular employees, there are also individuals

and groups on the premises (contractors, for

instance) who have access to various parts of

the location for short periods of time. In the

IFSEC report, 75% of respondents have third

party members on site on a regular basis.

Smart About Access

Technology advancements in trusted identities will create a

mixed technology environment with smart cards, mobile

devices, ‘wearables’, embedded chips and other ‘smart’

objects driving the transformation from legacy access control

systems. As Jaroslav Barton outlines, the shift to NFC,

Bluetooth Low Energy and advanced smart card technology

will be necessary to meet evolving business requirements

Integrated visitor management solutions in

modern access control systems significantly

improve the distribution and use of temporary

credentials, but also safeguard various parts of

the site when it comes to any unwarranted

access. Access control solutions, such as

mobile access or modern smart card

technology, make it that much easier for

facilities and security managers to track who’s

accessing what parts of the site to ensure

nobody’s in an area that they shouldn’t be.

End user convenience

The continual development in consumer

technology has spilled over into the business

world with devices now being used for work as

well as our personal lives. Bring Your Own

Device, mobiles and ‘wearables’ are all

common features of today’s office environment.

Organisations can use the growing level of

secure technologies that employees are

carrying around with them on a daily basis. In

place of several key cards or fobs that could be

lost, end users can instead employ smart

phones or smart devices – their closest pieces

of technology – for secure access control.

Jaroslav Barton: Product

Marketing Director for Physical

Access Control Solutions

(EMEA) at HID Global

In addition, advanced smart card technology

allows for a single smart card to provide

multiple access requirements on a secure

footing. Mobile access control is increasingly

pervading the market and, it must be said, the

benefits this brings are numerous.

Understanding the requirements from

building occupants is an important step before

undertaking an access control update. The

IFSEC International report notes that 48% of

respondents would like an easy-to-use access

control system, with 32% requesting multiple

levels of access depending on the degree of

authority required. This added security element

is clearly an important function, and one that

can be easily designated with more modern

technologies to hand.

Having mobile credentials that allow for

multiple access levels, for instance, saves end

users from the prospect of multiple access

control devices that could lead to confusion or

possibly misplacement. The IFSEC survey also

notes that 29% of respondents would like

future-proof technology. This can easily be

provided through mobile access solutions

which grant end users modern techniques for

access control, but also a single credential for

multiple access devices. Using smart phones is

a very straightforward solution that solves

three of the top concerns of employees looking

for updated access control.

One of the largest stumbling blocks to

updating an enterprise’s access control system

is the perceived disruption that the upgrade

itself will cause. 69% of respondents in the

IFSEC report believe that upgrading to a new

access control system would be disruptive to

their daily business, while 55% cite cost as the

biggest misgiving when it comes to upgrades.

Despite the perceived disruption, many sites

can be retrofitted using existing access control

hardware behind the scenes, with minimal

replacements needed to upgrade technologies.

Not having to start from scratch also helps to

significantly lower the costs of the operation,

making it a more cost-efficient venture with

minimal disruption to the host business.

Secure communication

A new access control solution must be flexible

such that end users don’t just see it as an

‘expensive way of opening doors’. Open

Supervised Device Protocol (OSDP) for secure

communication between field devices in a

physical access control system has gained in

importance, allowing for standardisation, more

flexibility and freedom of choice for security

and risk managers.

Flexibility also supports multiple applications

for managing not only physical access, but also

logical access applications, such as those

related to computers and software logins.

Additional access control systems – among

them secure print management – require an

associated card issued to users. This represents

a prime opportunity for organisations to

consolidate around a single access control

device, such as a contactless ‘wearable’ or

smart phone that combines access control with

other key functions.

By exploiting modern technology, such as

mobile devices, smart cards and ‘wearables’,

end users are afforded the opportunity to

simplify their access control devices: one

device with one credential providing access to

multiple areas and requirements.

It was found that nearly a quarter of

respondents to the IFSEC International survey

wish to manage multiple credentials across a

single device. With mobile access solutions,

multiple credentials are rolled into one and

stored on a lone device. The facilities or

security/risk manager is capable of controlling

access and distributing credentials to those

with the right security clearance.

Technology such as the latest high-frequency

access control systems ensures that security is

independent of hardware and media. This

makes it far easier for organisations to support

functionality and higher levels of data privacy.

Infrastructure security

Although there are clearly several perceived

barriers to the adoption of more sophisticated

access control systems, organisations are

placing an increased importance on

safeguarding their physical assets as this also

supports the protection of IT infrastructure.

This is mainly due to the belief that current

systems in place are adequate enough until

they’re proven to have failed, coupled with the

fact that a replacement system is perceived to

be an unnecessary expense.

Despite technological advancements, end

users are still content with cards and key fobs,

regardless of the lack of sophisticated security

and encryption contained in them when

compared with mobile access control solutions.

That said, the change to a more sophisticated

solution is likely to come from the employees

themselves, rather than the decision-makers at

the top of a given organisation.


Fashioning The Building Blocks of

Construction Risk Management

agenda specifically designed to combat poor

payment practice and help SMEs continue to

operate. From my own point of view, it’s simply

unacceptable that large businesses are

withholding payment owed to smaller

companies. This initiative should help prevent

some of the 50,000 construction business

closures that occur every year.

Every business in

every sector that

tenders for work has

to weigh up the

potential risks versus

the potential rewards.

However, in the

construction industry,

it’s increasingly the

case that sub-contractors,

otherwise

known as Tier 2 and

Tier 3 contractors, are

being expected to take

a larger chunk of the

risk for a lower slice of

the reward. This is due

to the significant

challenges they’re

facing, as Carl Ghinn

observes in detail

As a business, we work closely with

contractors of all shapes and sizes, both in

the construction and M&E sectors. There

are several issues that they must factor-in when

addressing the delicate calculation between

risk and reward, among them the payment risk,

the pricing risk, the product availability risk and

the skills shortage risk.

One of the biggest risks facing Tier 2 and Tier

3 sub-contractors is cashflow. In a survey run

by the Specialist Engineering Contractors’

Group, it was revealed that the country’s top

contractors were owed over £1 billion in unpaid

bills from organisations within the public

sector, with sub-contractors bearing the brunt

of this, being owed at least £800 million.

Commenting on this matter, Rob Driscoll (an

advisor to the Cabinet Office) explained: “In

businesses of any size, late payment stifles

both investment and innovation. Our latest

survey of the market shows that far too many

public sector bodies are still ignoring the legal

requirement to enable prompt payment along

the supply chain.”

As of this month, large companies will have

to publicly report twice a year on their payment

practices and performance. The move is part of

the Conservative Government’s transparency

‘The Pricing Risk’

Price fluctuation is one of the major risks in the

construction world. During the tender process,

contractors are understandably expected to

cost every element. However, this is often for

projects that sometimes may not start for at

least another six months.

If their tender is accepted they will be held to

this price regardless of any marketplace

changes. Yes, in some cases prices do go down,

but in many instances they go up, leaving the

contractor with a much-reduced margin or even

a loss. As highlighted previously, these

payments are not always received quickly,

resulting in a considerably stunted cashflow.

Other industries have different and arguably

better approaches, among them the operation

of a cost-plus model, which effectively protects

the contractor while at the same time

promoting transparency.

Rising costs are a great concern for many of

our customers. According to the Construction

Products Association’s (CPA) latest Construction

Trade Survey, there has been an 88% increase

in raw materials costs for civil engineering

contractors in recent times. Rebecca Larkin,

senior economist at the CPA, stated: “While

Government has a role to play in providing

certainty for projects, the industry will need to

find ways in which to navigate rising costs.”

Sadly, this is having an effect on morale in

the sector. Brian Berry, CEO of the Federation of

Master Builders, commented: “The optimism

that we saw emanating from many firms in the

construction sector during most of 2016 has

now diminished because of growing concerns

about rising costs.”

Last October, the price of steel increased by

8%. This was a huge problem for some of our

customers but, as we follow the markets

closely, we had decided to bulk-buy a large

number of products before this increase. With

the additional benefit of our 60-day credit


Risk Management in the Construction Sector

terms, we were able to soften the blow for our

clients who may need those products within the

next six months, reducing the risk involved.

Product availability risk

When we visit our clients on site, the subject of

product availability often arises. It’s a constant

concern for many that products are not going to

be available when they’re needed, whether

that’s due to last-minute orders or changes in

legislation causing an increase in demand.

One example which affected our customers

was Amendment 3 to the 17th Edition of the

IET’s Wiring Regulations. The revision changed

how professional electricians and contractors

should install wiring in escape routes so as to

prevent them from becoming blocked by the

premature collapse of cabling installations.

As a result, the sole use of plastic fixings and

cable ties no longer complies with the Wiring

Regulations, so our customers are starting to

use stainless steel cable ties and concrete

screws instead. In the event of a fire, they’re

capable of withstanding temperatures of over

500°C, significantly reducing the risk of cable

installations collapsing and causing unwanted

blockages in escape routes.

Initially, we found that the changes brought

about by Amendment 3 took their time to filter

through to contractors on site. However, we’re

now seeing a change in approach. While we’ve

stocked these items for a number of years,

we’ve recently witnessed a 124% year-on-year

increase in stainless steel cable tie sales and a

198% year-on-year increase in concrete screw

sales. This is just one example of how a change

in legislation can dramatically increase the

demand for particular product types.

Another issue our customers face is the fact

that many manufacturers are based in the

Midlands, making it difficult for contractors in

London and the South East to procure large

quantities of stock on a swift basis.

Furthermore, companies working within the

capital often don’t have the capacity to store

stock on site and don’t want to tie up valuable

cashflow in large stockholdings.

In addition, our customers are often affected

by changes in construction schedules driven by

other contractors and may need products

quickly and unexpectedly. Solution suppliers

need to guarantee that 100% of core lines are

always in stock in order to help customers

avoid additional cost and penalties.

In all honesty, it’s also a good policy to let

customers cancel any order up to two hours

before without any charge by way of

acknowledgement that these changes are often

out of their hands.

Skills shortage risk

It’s no secret that there’s a skills shortage in the

construction industry which is causing untold

difficulties for many. According to Arcadis, in

order for the Government to meet its housing

targets, the UK needs to recruit up to 400,000

construction workers each year until 2021, with

London and the South East needing to recruit

110,000 individuals alone. That equates to

approximately one worker every 77 seconds.

As a weaker pound has already resulted in

large numbers of Eastern European workers

returning home, contractors are having to pay

their staff more money in order to keep them,

thereby risking further reductions in margins.

The Royal Institute of Chartered Surveyors

(RICS) estimates that, should a hard Brexit take

place, the UK could miss out on an additional

215,000 migrant workers by 2020. On that

basis, the RICS has called on the Government

to prioritise building workers for visas in order

to go some way towards mitigating this risk.

Jeremy Blackburn, head of UK policy at the

RICS, explained: “A simple first step would be

to ensure that construction professions feature

on the Shortage Occupations List. Ballet

dancers will not improve our infrastructure or

solve the housing crisis, yet their skills are

currently viewed as being essential.”

Mitigating risk

There’s no doubt that mitigating risk has played

a big part in shaping the way in which

construction sector companies and their

suppliers operate in this day and age. Many of

our clients consistently have to weigh up the

very real possibility of losing money for every

job upon which they embark. They face onerous

changes in legislation, not to mention

difficulties in procuring last-minute orders and

a looming skills shortage.

All of this is combined with increasingly tight

margins and a tendency by first tier players to

push all of the risk on to sub-contractors by

implementing severe penalties for failures –

such as failed deliveries or supply of the wrong

product – that may be outside of their control.

By working closely with a specialist supplier

who understands the challenges faced by the

business, organisations in the construction

sector can at least mitigate some of those risks,

thereby allowing them more time to focus on

the core business of the day.

Carl Ghinn:

Managing Director of Fixmart


Intelligent Prevention is the Future

Camera models

developed in the new

generation of HD IP-based

video

surveillance

technologies are

offering end users

something more than

just better quality

images. Tristan Haage

examines the wider

impact of innovation

within this specialist

field and how it’s

actively helping to

solve more real world

problems in many

intelligent and

productive new ways

According to the latest statistics released by

the German Insurance Association, every

five minutes a fire starts at a company

facility somewhere in Germany. The resulting

financial damage amounts to several billion

Euros on an annual basis. The number of

burglaries within Germany has also

dramatically increased over the past five years

(by a figure of 30%, in fact).

Meanwhile, the crime-solving rate for

burglaries at commercial buildings and

factories is less than 20%. All of this clearly

illustrates how important burglary and fire

prevention really are in the real world. In terms

of that last point, for Germany read the UK.

Intelligent security solutions with video and

thermal technology not only help solve crimes

in the event that they do occur, but also help

prevent criminality from occurring in the first

place. Given the rise in property theft, cost-efficient

and effective security solutions have

become ubiquitous with more and more

companies deciding to use video technology to

monitor their buildings, systems and premises.

That’s not surprising, as the financial damage

caused by theft, vandalism or fire can be quite

significant for an organisation. Not only do such

events incur direct material damage, but they

can also negatively impact productivity and,

consequently, cause insurance premiums to

increase. This has led to a greater focus on

crime prevention in which developing video

technology can play a crucial role.

Conventional video cameras realise video

material that makes it easier to solve crimes,

provided that the image quality is good enough

and the recording process is fail-safe. However,

many of the video systems currently available

on the market and installed don’t actually meet

these minimum requirements for end users.

The end results they realise are often

insufficient for capturing the evidential quality

images needed by investigators. According to a

study last year by market analyst IHS Research,

the majority of cameras sold today still have a

maximum resolution of three megapixels. Many

models are limited due to the low-light

sensitivity of their image sensors, which results

in motion blurring under poor lighting.

Moreover, the quality of a camera system

isn’t only determined by the clarity of the

moving images it records during day and night,

but also by whether or not it’s fail-safe. A

number of factors play a role in this: the

robustness and reliability of the camera as well

as the option to record on the camera itself in

the event of a network failure such that vital

image data crucial to solving a crime isn’t lost.

As a result, this has energised newer video

surveillance systems that use a decentralised

model placing as much intelligence as possible

in each camera. In this way, image processing

and analysis can still be carried out without the

need for a central server or Control Room.

Intelligent video analysis

New decentralised cameras not only serve to

provide images, but are also equipped with

high-performance computing and intelligent

software applications that make the video

system more efficient, and notably so when it

comes to preventing crimes and subsequent

damage. This is because an intelligent camera

will only spring into action when truly

necessary by dint of smart motion detection

software and analytics that enable reliable

alarm management.

For example, if somebody enters the

company premises within a specified time

frame, a given camera automatically plays an

announcement over the loudspeaker and

switches on additional lighting to scare off

undesired visitors. The camera can also notify

selected employees or the presiding security

company via VoIP telephony or e-mail.

Particularly advanced systems use intelligent

camera software that allows moving objects to

be differentiated from one another by their size,


CCTV and Surveillance: HD Technology and IP Solutions

depending on their position in the image. Using

this kind of 3D motion detection reduces false

alarms caused by the movement of birds or

small animals, for example, as well as sources

of interference such as trees or camera poles

swaying in the wind.

This trend towards camera systems

possessing a higher degree of intelligence,

intelligent motion detection software and active

alarm management is essential for high-performance,

preventative security solutions

that can promptly communicate to help prevent

break-ins and other hazardous situations.

When it comes to crime, theft from

commercial sites happens more often at night

and over the course of a weekend. The hours of

darkness are perceived as offering some

protection against detection, and it’s here that

older video surveillance technologies are often

hampered by lower night-time light levels.

In response, the newer generation of

intelligent video security solutions are now

adding thermal imaging technology which

provides many additional advantages. Dual

cameras featuring an image sensor and a

thermal sensor can be used to securely detect

moving objects across long distances based on

their thermal radiation, even in total darkness.

While the thermal sensor reliably records

movements, the high megapixel image sensor

simultaneously provides crisp video footage in

which people and actions can be precisely

identified in each individual frame – an

important factor in investigating a crime. To aid

this process at night, an intelligent camera

system can switch on a light source during

motion detection to boost its ‘thermal eye’.

A dual camera with both an image and a

thermal sensor not only enables effective

building and perimeter protection, but also

helps to protect privacy, which is particularly

important in public areas such as swimming

pools, sporting facilities and hospitals. The

thermal image shows a temperature profile that

doesn’t allow individuals to be recognised in

detail. When configured to do so, the dual

camera system automatically switches from the

thermal image to the image sensor and records

a high-resolution video sequence as soon as an

individual moves in the surveilled area.

Process monitoring

The advantages extend beyond pure security as

video and thermal technology is increasingly

being used as a method of identifying

hazardous situations during production

processes. For example, in the food industry,

video cameras monitor processes for quality

control purposes and, within manufacturing,

detect the correct operation of machinery. The

cameras used for this are often high-resolution

hemispheric models with a 360-degree view in

addition to a digital zoom option.

Robust, high-quality cameras that can

withstand temperature fluctuations and

moisture, and which are designed without

moving parts to be practically maintenance-free,

are vital for busy production facilities.

Dual cameras that feature a specially

calibrated thermal radiometry sensor alongside

an image sensor can also monitor temperature-critical

processes. The intelligence in these

systems is also necessary for preventing

damage through overheating or fire. In the

event that temperatures exceed or fall below

defined limits, as well as in the event of a rapid

increase in temperature, the system

automatically triggers an alarm.

When these systems are integrated within a

SCADA system for monitoring and controlling

production in a given environment, the process

can be stopped and a cooling procedure started

before damage occurs.

Return on investment

Considering the high cost of both security

issues and production losses, an investment in

high-quality video security solutions featuring

robust, fail-safe cameras with intelligent

software offers a significant long-term return.

This is because the intelligence in these

cameras, along with higher quality imagery, is

necessary for analysing the collected data,

recognising hazards and triggering actions

designed to protect against risks and prevent

financial loss through theft, vandalism or fire.

Intelligent camera systems incur fewer total

costs than a conventional video solution,

allowing pay-back within a short period of time.

One of the reasons why is because, as stated,

image processing and analysis take place on

the camera itself while recording on a network

storage device is carried out only in response to

events instead of permanently requiring data to

move to a centralised location for processing.

Additionally, the cameras can save data

internally in the event of a network failure.

For many organisations, prevention is the

future. When it comes to purchasing a video

security system, the benefits offered by

intelligent solutions are now becoming the

deciding factor rather than the retail cost.

Dr Tristan Haage:

Chief Sales Officer at MOBOTIX


Evaluating The Balance of Power

While space in a Data

Centre is key, so too is

ensuring business

continuity, efficiency

and productivity. This

is precisely why

Uninterruptible Power

Supply solutions will

become even more

vital in the

manufacturing sector,

and particularly so

given the advent of

Industry 4.0. Leo Craig

has the fine detail

According to a recent report compiled by

Tech Nation, the UK’s tech sector is

growing faster than the UK’s economy. In

fact, the UK leads in Europe, attracting £28

billion in tech investment since 2011 compared

to £11 billion in France and £9.3 billion in

Germany. The impact of this growth in tech is

being felt across many sectors, but none more

so than in the industrial sphere, where digital

manufacturing is becoming more commonplace.

Also referenced as the Fourth Industrial

Revolution, Industry 4.0 is set to transform the

manufacturing and production world through

new digital innovations which will improve

productivity. Industry 4.0 is all about the

current trend of automation and data exchange

in manufacturing technologies, encompassing

cyber-physical systems, the Internet of Things

and cloud computing.

At its core, Industry 4.0 creates what has

been called a ‘smart factory’. Within the

modular structured smart factories, cyber-physical

systems monitor physical processes,

create a virtual copy of the physical world and

make decentralised decisions. Across the

Internet of Things, cyber-physical systems

communicate and co-operate with each other

and with humans in real-time. Via the Internet

of Services, both internal and cross-organisational

services are offered and used by

participants of the value chain.

There are four design principles in Industry

4.0 that support companies in identifying and

implementing Industry 4.0 scenarios:

• Interoperability: The ability of machines,

devices, sensors and people to connect and

communicate with each other via the Internet of

Things or the Internet of People

• Information transparency: The ability of

information systems to create a virtual copy of

the physical world by enriching digital plant

models with sensor data. This requires the

aggregation of raw sensor data to higher-value

context information

• Technical assistance: First, the ability of

assistance systems to support humans by

aggregating and visualising information

comprehensibly for making informed decisions

and solving urgent problems on short notice.

Second, the ability of cyber-physical systems to

physically support humans by conducting a

range of tasks deemed to be unpleasant, too

exhausting or simply unsafe in nature

• Decentralised decisions: The ability of cyber-physical

systems to make decisions on their

own and perform their tasks as autonomously

as possible. Only in the case of exceptions,

interferences or conflicting goals are tasks then

delegated to a higher level

From the Industrial Internet of Things and

robotics through to 3D printing and Artificial

Intelligence, the digitisation of manufacturing

will inevitably increase the demand for Data

Centre storage. While space in a Data Centre is

key, so too is ensuring business continuity,

efficiency and productivity.

Disastrous consequences

Power fluctuations and disturbances can have a

major impact in the industrial sector. At a large-scale

manufacturing plant, for example, a

power shutdown or breakdown in the supply of

monitoring/control information may engender a

disastrous effect on productivity which,

ultimately, could adversely impact the

business’ bottom line. Statistics show that even

one unplanned downtime event can cost a

manufacturer somewhere around £1.6 million,

but in truth the real cost could be even higher.

Having a back-up power supply in place in

the form of a UPS solution is absolutely key for

a facility to be able to operate safely until such

time that full power is restored.

Machinery is vulnerable to numerous

electrical anomalies, from voltage sags and

spikes through to harmonic distortion and

other interruptions. When you consider that

45% of equipment failures occur due to voltage

disturbances, the importance of keeping


Power Supply Continuity and Management

voltage stable and minimising instances of

downtime becomes abundantly clear.

In this situation, a UPS can really come into

its own to not only protect against power

outages, but also in terms of operating as an

effective power conditioning unit. It works by

smoothing out sags, surges and brownouts to

provide a clean and stable power supply.

Ultimately, this prevents damage to sensitive

and more often than not expensive electronic

equipment. A UPS needs to be in online mode

to give full protection against the ‘dirty’ power

that causes disruptions to Data Centre services.

It’s also possible to use a UPS solution solely

as a power conditioner without batteries.

Batteries can only be kept in environments up

to 40 degrees Celsius so this method allows a

UPS to operate in higher temperatures. For

example, offices next to heavy industry, such as

cranes moving cargo at docks, can be affected

by flickering lights. In this situation, a UPS may

be used as a power conditioner on the power

supply to prevent this from happening.

Maintenance considerations

Manufacturing equipment should be subject to

regular maintenance to help reduce instances

of downtime caused by malfunction. While

most manufacturers have a maintenance plan in

place for standard equipment, it’s also

important to consider the UPS equipment. In an

industrial scenario, you simply cannot afford for

your equipment to fail. In turn, the UPS

supporting this must be maintained as well.

Given that it’s an electrical device, a UPS can

and will go wrong at some point in its lifetime.

A maintenance plan not only affords the

business the peace of mind of having access to

technical expertise, but essentially saves the

host organisation money by ensuring that the

lifespan of technology is maximised.

UPS maintenance plans are designed to

provide more comprehensive cover than a

warranty as well as a guaranteed emergency

response time defined in working or clock

hours. For example, with certain plans the end

user can choose between Silver (12 working

hours), Gold (eight working hours) or Platinum

(same day, four clock hours) maintenance.

These are guaranteed response times.

Having a maintenance agreement in place

with a trusted technical expert also affords the

end user 24/7 service availability and access to

spares. Foremost suppliers will stock all spare

parts/components in strategically placed

warehouses combined with a stock holding at

headquarters where UPS solutions of up to 500

kVA can be ready for immediate dispatch

within 24 hours.

Maintenance agreements can also cover

regular preventative engineer visits, firmware

updates and fully comprehensive cover as well

as remote monitoring and diagnosis.

Agreements are available either in or out of

warranty, although be aware that the ‘out of

warranty’ costs can rise. Best Practice would be

to request a price from your UPS supplier for a

fixed price maintenance plan.

Manufacturing’s future

With such a high cost placed on downtime,

manufacturers cannot afford to ignore power

protection like UPS and the importance of a

good maintenance plan. Complex industrial

installations are critical and require an

exceptional level of resilience and reliability

under all operating and environmental

conditions. Having the right UPS in place will

not only afford the host business peace of mind

if machinery does fail, but will also realise the

added reassurance that instances of downtime

will be reduced.

In manufacturing, the UPS can also be

deployed as a frequency converter allowing

conversion between 50 Hz and 60 Hz. The input

of the UPS will accept anything from 48 Hz-52

Hz, while the output can be selected to either

50 Hz or 60 Hz. Combining an output of the UPS

with a step-down transformer simulates

American electrical supply conditions, which is

ideal for testing equipment that may be used in

export applications.

On the output side, the transformer must be

matched to the rating of the UPS. On the input

side, the transformer needs to be oversized in

order to cater for input power factors, battery

charging and operating losses. When using the

UPS as a frequency converter, the static bypass

facility will be inhibited.

The UPS is a clever device which also works

to constantly regulate the electricity supply and

gain precisely the voltage required. It works to

reduce the mains power supply of incoming

voltage such that it matches the electrical

voltage level required by equipment on site.

The output tolerance is normally 230 V, but

using the UPS it’s possible to set the voltage to

a specified amount, for example 215 V, 218 V.

Optimising the voltage for a given Data Centre

means that the host organisation will also be

maximising operational efficiencies.

Leo Craig:

General Manager of Riello UPS

“It’s very much the case that, at any large-scale

manufacturing plant, a power shutdown or breakdown in

the supply of monitoring or control information may

engender a disastrous effect on productivity”


BENCHMARK

Smart Solutions

Innovative and smart solutions can add value and benefits to

modern systems for customers. With the technological landscape

rapidly evolving, the Benchmark Smart Solutions project assesses

the potential on offer from system integration, advanced

connectivity and intelligent technology. Bringing together field trials

and assessments, proof of concept and real-world experience of

implementing smart solutions, it represents an essential resource

for all involved in innovative system design.

Launching in 2017, Benchmark Smart Solutions will be the industry’s only real-world resource for

security professionals who are intent on offering added value through the delivery of smarter solutions.

@Benchmark_Smart

www.benchmarksmart.com


Insurance Rewards for Managing Security Risks

There’s no doubt that insurance can be a

wise investment, and particularly so if a

business potentially faces threats from

episodes of terrorism or activism that could

result in substantial losses and disruption, even

in those instances where the business and its

assets may not have been the principal target

of an attack.

How, though, does an insurer determine an

appropriate premium for covering malevolent

acts and, importantly, how does the insured

party determine whether a premium offers

them good value for money?

In answering these questions it’s perhaps

important to recognise that the insurance

industry itself is highly competitive. This has

the effect of driving down margins across the

sector. Thanks to the Government-backed Pool

Re reinsurance scheme, affordable cover is

available even for acts of terrorism.

With most perils, a premium will be

established based on historic data and claims

trends. Such data provides insurers with

sufficient insight to be able to predict the likely

frequency and magnitude of claims for different

types of buildings and infrastructure. In the

case of terrorism, acts remain few and far

between, but can be catastrophic when they do

occur. In combination with a constantly

evolving modus operandi and changing target

preferences, this can make it difficult for an

insurer to accurately predict the likely value of

claims or to offer a different rate for cover of

one type of building over and above others.

That tends to lead to premiums driven mainly

by the desired level of cover – typically the

building value – and the building’s location.

Such a pricing approach doesn’t recognise or

reward an insured party’s investment in

protective security. From the perspective of the

insured, the insurer might be seen to be

benefiting from their investment, with the

insured paying twice to mitigate the same risk:

once for risk transfer (insurance) and again for

risk treatment (protective security).

However, from the insurer’s perspective, the

complexity of securing built assets against an

array of constantly changing threats means that

no security system could ever be 100%

effective. On that basis, if rewards are to be

offered, then those rewards need to be

determined based on the effectiveness of the

insured in terms of managing security risks.

Security capability

How does an insurer determine an insured

party’s security capability? First, it’s important

to recognise that they must look beyond the

physical and technical security and risk

SABRE: Incentivising

Good Security in the

Built Environment

Property protection insurance isn’t a legal necessity, but

without it a building owner is liable to pay for any damage

their property may suffer as the direct result of a security

incident. In addition, a business may lose income and might

even face legal action related to property damage or injury

through negligence if such negligence is proven in a Court of

Law. With this in mind, Gavin Jones outlines a new security

risk management standard for the built environment

management measures that have been

deployed at the premises. These components of

a security system tend to receive most

attention in any given survey of a facility simply

because they’re the most visible manifestations

of security investment. However, if these

systems were procured without due regard to

the facility’s security requirements, they may

well be ineffective and, it must be said, even

give a false sense of security.

Equally true is the fact that, if there’s no

ongoing review of performance and a

commitment to continual improvement, security

that’s effective one day may not be so the next.

When reviewing current industry

performance, it quickly transpires that those

organisations with effective security share a set

of common attributes. These organisations

have defined objectives, adopt a systematic

and risk-based approach towards safety and

Gavin Jones: Associate

Director (Security and

Resilience) at BRE Global


*For far too long, security has been seen as a grudge purchase, in the main due to a lack of transparency in the industry and an inability to communicate to C-Level decision-makers what they’re receiving in return for their monetary investment in security measures. With SABRE, we’re seeking to shine a light on security. We’re providing a robust and consistent means by which organisations can measure performance and, in doing so, facilitating improvement and better value for money.

We’re at the start of a long journey, but we have a great opportunity to deliver better outcomes and reduced costs and stimulate innovation.

Insurers, insurance brokers and building owners interested in finding out more about SABRE should access the SABRE website (www.bre.co.uk/sabre) or contact BRE Global via e-mail at: SABRE@bre.co.uk

security, employ competent persons at critical

intervals, monitor and evaluate ongoing

performance and actively seek to continually

improve their performance levels.

These are the attributes seen in management

systems which, for many years now, have been

used to deliver quality, sustainability and

Health and Safety. Furthermore, organisations

are increasingly seeking third party certification

to such systems in order to communicate their

performance in these areas.

Using these observations, the BRE Trust

funded a research project designed to assess

the feasibility of developing a security risk

management standard for the built

environment. More specifically, a standard that

can be used to improve security performance,

communicate security credentials to interested

parties, reduce procurement risk and,

ultimately, award an independent certification

of an organisation’s approach towards security.

The standard would need to respond to the

requirements of different stakeholders at the

various stages of a built asset’s procurement

and use, while at the same time recognising

that the familiarity of organisations with risk

management and management systems can

vary quite substantially.

Development of SABRE

That research resulted in the development of

SABRE which is assessor-led and can be readily

applied to either new or existing facilities.

Successful assessments result in third party

certification that’s recognised around the world.

The SABRE assessment process is led by an

independent SABRE assessor whose role is

essentially two-fold. First, they’ll verify

evidence against each of the 70 technical

issues covered by the scheme. Second, they

will undertake a scenario-based assessment of

current security risks based on the specific

attributes of a facility and its security.

The SABRE assessor will determine the

assessment score and the corresponding star

rating, with one star indicating an ‘Acceptable’

rating and five stars highlighting an

‘Outstanding’ score. If a given facility doesn’t

achieve the SABRE scheme’s minimum

standards, it will receive an ‘Unclassified’ rating

and not be eligible for certification.

“Following in the footsteps of BREEAM, the BRE’s highly

successful standard for sustainability, SABRE is assessor-led

and can be applied to either new or existing facilities”

In essence, these ratings provide insurers

with the ability to compare their customers’

capabilities and commitments around security

and risk management. In addition to insurance

considerations, it can also be used within an

organisation to better understand priorities for

investment and identify improvement

opportunities across a portfolio of built assets.

The assessment of security risks will

highlight areas of vulnerability that should be

prioritised for investment and, equally so, those

areas where resources are potentially being

wasted and where existing or planned security

control offers poor cost benefit ratios.

By adopting a security-minded approach

towards planning and design, security risks can

be removed or reduced at lower cost using

integrated solutions. SABRE also recognises

and rewards the implementation of information

security controls that protect information

relating to a project and its security. This is an

increasingly important issue given the rapid

adoption of Building Information Modelling and

the increasing cyber threat.

Once a facility is occupied there are

significant opportunities to mitigate security

risks, even without further capital expenditure

on physical security. SABRE provides those

responsible for building and facility security

with a robust security risk management system

template, allowing measurement and

benchmarking of current performance and the

ability to demonstrate continual improvement.

Successful piloting

SABRE completed successful piloting and was

launched last December. Early adopters have

already welcomed SABRE, recognising the

benefits that a structured, risk-based approach

brings to security, in turn supporting design

quality and facilitating innovation.

Kevin Gausden, senior consultant at Arup,

explained: “We pride ourselves on providing

our clients with an holistic, whole-life security

and resilience consulting service. This new

SABRE certification means that we can offer our

clients greater transparency on spending and

reinforces the need for a structured, risk-based

approach to security. It affords our clients

further confidence, allows us to continually

adapt and provide innovative technologies and

solutions and absolutely reinforces the need for

early consideration of security issues.”

The BRE has initiated discussions with

property insurers to explain how SABRE

certification can be used as a robust and

consistent indicator for informing risk-based

pricing. With a view towards increasing the

overall uptake of SABRE and allowing for its

global delivery, the scheme will be delivered by

registered assessors.



Examining The Myriad Security

Challenges Surrounding ‘Fake News’

The ‘fake news’

phenomenon presents

serious security

challenges for

Governments,

businesses,

communities and

individuals alike.

These challenges are

often complex

problems and, as

Alison Wakefield

rightly observes,

addressing them

requires sophisticated

solutions as well as

significant knowledge

and capability building

across both the

security community

and, indeed, the wider

population

The media has always carried a certain

amount of disinformation, some of which

may be seen simply as careless reporting

or gossip. However, in today’s technology-driven

media landscape, the problem is

magnified many times over. Propaganda and

disinformation need to be seen alongside forms

of cyber crime as representing another growing

‘cyber-enabled’ threat: activities that have been

so transformed by network technology that

they present Governments and organisations

alike with substantial security challenges.

Having played a significant role in the First

and Second World Wars, they’re now

recognised as a significant element of

contemporary ‘hybrid warfare’, as

demonstrated in Russia’s actions in the

Ukraine, being duly employed to undermine

confidence in national Governments and

manipulate democratic processes.

My interest in writing about this topic was

prompted by the welcome announcement at the

end of January of a House of Commons Select

Committee Inquiry on ‘fake news’ by the

Culture, Media and Sport Committee and a call

for written submissions. Respondents to the

inquiry are asked to consider fundamental

questions such as ‘What is ‘fake news’?’, ‘What

impact has ‘fake news’ on public understanding

of the world?’, ‘What responsibilities rest with

search engines and social media platforms?’

and ‘How might we educate people in how to

assess and use different sources of news?’

The Committee refers to growing public

mistrust in traditional news sources and a shift

towards the Internet and social media for

information, presenting a heightened risk that

the public are being fed untruths, particularly

so in light of concerns that the extent of ‘fake

news’ may have had a significant effect on the

democratic processes involved with the 2016

US Presidential Election.

The term ‘fake news’ is actually unhelpful as

it places a wide range of activities and story

types under a single heading. Misleading or

inaccurate journalism is a very different

challenge to a rumour about a publicly-listed

company spread by cyber criminals seeking to

make stock market gains, or a disinformation or

propaganda campaign perpetrated by a foreign

power or political grouping that fosters

political, religious or other unrest. Stories that

potentially fall under the ‘fake news’ umbrella

will, in practice, rest somewhere on a spectrum

of fakery, or perhaps a matrix in which the other

axis captures the level of intent to mislead or

the extent to which stories are true or untrue.

Notably, stories that are 100% false may

actually be easier to refute as being false, as

those that are only partially false may be more

effective in building on the truthful elements to

weave a more convincing lie.

Deliberate propaganda

Much of what’s currently being framed as ‘fake

news’ is in fact deliberate propaganda and

disinformation that needs to be recognised and

labelled as such. In the US, as stated, ‘fake

news’ is said to have played a part in Donald

Trump’s election, and to have led to a shooting

at a Washington pizza restaurant.

With the French and German elections

approaching, Western European countries are

starting to respond to the challenge of anti-Western

disinformation from Russia, which has

long been an issue in Eastern and Central

Europe. The European Union’s East StratCom

Task Force was set up in 2015 to counter

Russian propaganda and disinformation,

recently reporting that it has found evidence of

a massive ‘fake news’ campaign targeting

European countries. In January, the Task Force

worked to correct a widely-shared false story

claiming that Germany’s oldest church had

been burned down by a mob of 1,000 Muslims.

The Security Institute’s View

In a report on Russian information warfare

published last year, Lucas and Pomerantsev

observe how the nature of online media, and

especially social media, allows propagandists

to play to audiences who are already

mistrustful of their own systems and seeking

information that confirms their biases,

identifying and exploiting ‘echo chambers’

where facts and fact-checkers have little effect.

Here in the UK, concern is building among

privacy campaigners and watchdogs about the

use of Big Data analytics for profiling citizens,

including for political purposes. Reports on the

strategy used by US data mining company

Cambridge Analytica as part of the presidential

campaign of Donald Trump and the referendum

campaign of Leave.eu give an insight into how

political messages can be tailored to individual

social media users through the data analytics

of online activity. This is likely to become a

common feature of political campaigning in the

future. As a society, we need to do more to

ensure that appropriate data protection

principles and safeguards are in place to keep

up with such technological advances.

Governments also need to take account of

the related problem that the credibility of

established media outlets such as the BBC is

increasingly being questioned and perhaps

actively compromised by wider political forces.

If this situation intensifies, where are we to turn

for trustworthy reports of incidents or events

that impact on our security?

Much of the responsibility for this rests with

politicians, as has been seen in the US, with the

risk of such behaviour spreading across our

own political system. We’re increasingly seeing

the label ‘fake news’ being misapplied to the

mainstream press in order to suit political

agendas. In the US, such efforts to undermine

the media recently extended to the exclusion of

news organisations like CNN and the BBC from

a White House press conference.

While it may be tempting for politicians to

exclaim ‘fake news’ in response to criticism,

this sets a dangerous precedent. Journalists

and editors need to protect their interests – as

well as the national interest – by proactively

challenging such misuses of the phrase.

Dealing with a crisis

In a recent article in Politico Magazine, the

point was made that President Trump’s alleged

attempts to discredit the press and scientific

community could later serve to undermine his

administration’s capability to deal with a major

crisis. Events such as the Ebola crisis require

evidence-based understandings of the

problems at hand, trust between partners

involved in responding to the crisis and

effective public information campaigns

orchestrated to communicate risk information

and advice to the public. If such elements are

lacking then the crisis response will inevitably

be seriously impaired.

Propaganda and disinformation themselves

belong on the registers of major risks to

national Governments and corporations as

threats to their strategic objectives, reputation

and continuity of operations. These activities

may undermine democratic systems or stir up

community sentiment on an issue to such a

degree that it boils over into civil disorder, and

so need to be included in emergency

preparedness strategies of scenario planning

and exercising. One of the underpinning

features of a crisis is the erosion of the

infrastructure (ie power, telecommunications

and transportation systems) on which a

response strategy is dependent. If trust in

public information is undermined, the capacity

to make judgements is equally impaired.

In the corporate world, the brand is often an

organisation’s biggest asset. Misinformation

presents significant reputational risks and may

be employed by competitors or cyber criminals

seeking to gain stock market advantages. Back

in 2013, a hacker posted a bogus tweet by the

Associated Press about an explosion at the

White House which led to over £90 billion being

temporarily erased from the US stock market.

Companies are typically alerted after the fact

when share prices are already moving. A recent

report produced by BrandProtect and The

Ponemon Institute concludes that the threats

posed to companies by online incidents and

cyber attacks falling outside of the traditional

corporate security perimeter are high, yet the

capabilities to mitigate them are low.

‘Fake news’ presents a further threat to

companies and individuals as a tool for social

engineering, itself a significant dimension of

cyber crime as discussed by James Scott in a

report for the Institute of Critical Infrastructure

Technology. This type of threat sees both ‘fake

news’ and real news being ‘weaponised’, with

trending stories and sensational headlines

being used to draw people’s attention. Lures

range from the very basic to the highly tailored,

based on individuals’ social media activity.

Dr Alison Wakefield FSyI:

Vice-Chairman of The Security

Institute and Senior Lecturer in

Security Risk Management at

the University of Portsmouth



Female Business Travel Risk:

A Need for Special Treatment?

Business travellers will

always face a degree

of risk, and

particularly so when

venturing into an

unfamiliar

environment where

most individuals

speak another

language and have

different customs. An

increasing number of

today’s organisations

realise they can lessen

or avoid prohibitive

legal and/or financial

consequences by

proactively working

ahead of time to

reduce employee risks

during trips overseas.

Darren Carter delves

into the fine detail

Darren Carter: Head of Group

Security at Edwardian Hotels

London and Hotel Sector

Security Lead for ASIS UK

Despite the ever-present – and seemingly

increased – risk posed to business

travellers in today’s world, we continue to

see a vast amount of business travel taking

place right across the globe. Recent research

suggests that the proportion of those business

travellers who are female is now as high as

45%-50%: a direct correlation with the

increasing numbers of female executives

appointed into senior management roles.

On that note, I was recently invited to take

part in a panel discussion about this very

subject. The discussion was observed by a

varied audience of experts and interested

parties, among them travel managers, safety

and security managers and hotel and travel

agency staff. The premise for the discussion

was ‘Safeguarding Female Business Travellers’

and whether enough is being done to meet the

safety and security needs of that cohort.

Is there really a strong case to be made for

any ‘special treatment’ of females when, in

2017, most large companies will have gender

equality placed very highly among the key

‘must achieve’ tasks?

Two decades ago, when I first entered the

world of hotel security operations, we were

talking about female business traveller security

at that very juncture, so this isn’t by any means

an emerging subject. The discussion we held

during this latest gathering was in fact very

insightful and clearly demonstrated – at least in

my own mind – that there may well be a case

for special arrangements to be made that meet

both specific and defined needs.

More generally, travel risk for any category of

traveller has shifted significantly in the past

ten-to-15 years in particular. The completely

unpredictable nature of terrorism and rapidly

changing environmental conditions affecting

the travel and transport industry alone are two

areas where an impact can be felt.

As companies examine areas in which they

could potentially trim their costs, travel can

often suffer with significant reductions in

budgets. In some cases, this may considerably

alter the risk profile of a given business trip.

Is travel necessary?

In many respects, the question should be asked

as to whether the need for travel is absolutely

necessary. Indeed, even where there’s no

pressure being placed on budgets, this should

be the first question to be posed when

considering any business excursions.

Placing a rate cap on hotel accommodation

can often introduce further elements of

increased risk whereby there may be inferior

safety and security facilities at the chosen

property, in addition to less ably-equipped

staff. The area in which the hotel resides could

make it more susceptible to crime.

Where can hotels begin to customise their

business? How about tailor-made services for

female business travellers? Should the

arrangements made here be any different than

those chosen for other female or male guests?

Not for the first time, it was suggested that

hotels consider offering a ‘female only’ floor: an

area of a hotel completely off limits to male

guests, exclusively booked for ‘women only’

business travellers. I’m not entirely comfortable

with this concept. It feels a little odd to

completely isolate a group of people from the

rest of the hotel population. If it were the case

that guests occupying this class of room found

themselves in trouble, there would be no male

guests nearby who may come to their aid.

Commercially, such a scenario would be

almost impossible to deliver, both in terms of

honouring a brand promise or maximising

revenue returns. If a hotel had completely sold

out of its inventory with the exception of this

standard of room then it would most definitely

be sold to the first applicant who could well be

a male guest. Back in 2014, a Danish hotel was

found by a Court of Law to have discriminated

when it opened with a ‘female only’ floor offer.

CCTV and access control

From a safety and security perspective, such a

concept wouldn’t offer anything more than a

standard hotel bedroom. Most hotels will now

provide guests with key card access control to

lifts and bedroom corridors, alongside an

almost blanket coverage of CCTV throughout all

guest areas. If there were enhanced levels of

safety and security realised as part of this

‘upgraded’ room type, it would ask some fairly

challenging questions in times where guests in

other rooms become aware – or, worse still, are

an actual victim – of an act of criminality.

In the Spotlight: ASIS International UK Chapter

Most upscale hotel businesses will have a

constant product development programme in

place which reaches for competitive advantages

over peer groups in what’s an extremely

dynamic and ever-changing market. Safety and

security are featured prominently in the design

process, building environments which are

appealing and functional, but also as safe and

secure as possible. Procedures are then

constructed around them to further support

that environment.

The mere mention of a hotel room number at

the check-in desk could compromise the safety

of a lone female business traveller. Procedures

are in place to ensure no room numbers are

mentioned at all to any guest when checking in

to a hotel. This is common practice, although

not 100% observed in my experience.

In addition, there are a number of other areas

within a hotel operation where we constantly

strive to minimise risk and promote safer and

more secure businesses.

There are many people involved in the end-to-end

process of planning for business travel.

Each individual will have made decisions which

may either provide for a problem-free safe

journey or lead to serious – and potentially life-threatening

– situations arising.

The victims of crime – which may involve a

phone snatch or a bag theft – will often say that

the episode “came out of the blue” or

“happened so quickly”. Invariably, if we can

analyse such incidents a little further, we often

see a series of events or clear indicators that

the crime could – or was about to – happen. In

truth, it’s often lack of awareness which leads

to someone being targeted by a criminal.

Unprepared for travel

Often, it’s the case that individuals are

completely unprepared when they travel. Only

when they run into problems is this ever

identified. It’s a little like travelling without

insurance: it’s unthinkable in today’s world that

anyone would even consider this. As hoteliers,

we provide help and support to our guests,

even more so when they’re experiencing a time

of crisis, when they’re the victim of a crime, a

serious injury or a bereavement or even if

they’re just simply having a bad day.

A common and often surprising fact is how

little capacity a business traveller will have to

manage the situation in which they find

themselves. Often, we can and do resolve a

multitude of issues. What this does say is that

the individual’s employer may not be

adequately preparing them for travel, the

employee may not be listening or the advice

being given is wrong or not extensive enough.

Continuing this theme, I would strongly

encourage all visitors to a hotel to make use of

the in-room safe. It’s there to provide added

security. At the very least it may delay access to

a ‘would be’ burglar or even prevent the theft of

valuable property and travel documents.

Preparing employees to be able to deal with

a range of predictable situations in the

workplace is, of course, the responsibility of

their employer, whether for travel purposes or

otherwise. Business travel introduces a

dramatic uplift in risk, whereupon an employee

is exposed to a much greater selection of

scenarios. Without doubt, it’s the responsibility

of the individual to ensure that he or she is

ready for travel, fully-briefed and absolutely

comfortable with the information provided. If

not, they should challenge it or otherwise seek

alternative advice or guidance, only travelling

when totally satisfied.

What was abundantly clear at the recent

panel discussion is that there’s a detailed

debate to be had about the future of travel

security in general, and not just for female

business travellers. It’s always right and proper

to question whether the advanced planning in

place is as good as it can possibly be.

“There are many people involved in the end-to-end process

of planning business travel. Each individual will have made

decisions which may either provide for a problem-free safe

journey or potentially lead to serious situations arising”



Right now, there’s a

lack of skilled fire

alarm technicians,

with very few young

people entering the

industry. Companies

left, right and centre

are struggling to hire

and keep hold of more

experienced

technicians, with

others simply jostling

for that one extra

cherry on the top of

the cake that might tip

the balance in their

favour and pull in

more customers.

Martin Duggan

considers the shape of

a formal qualification

in fire detection and

alarm systems


Fire Detection and Alarm Systems:

Envisioning a Formal Qualification

There’s so much talk about the need for a

formal qualification in fire detection and

alarm systems, but to date no-one has

actually considered in any great depth what

such a qualification might look like. Certainly,

with so many different job roles, there are many

areas that need to be covered.

Think about it for a moment. What does a fire

alarm maintenance technician need to know

when compared to a system designer? What

about an installer or a commissioning

technician? These are all different areas of

expertise with a significant amount of overlap,

yet also with a different knowledge requirement

for each job function. Is it feasible to have a

‘one-size-fits-all’ approach to fire detection and

alarm systems? What would each person in

each job role need to know?

I’m glad to say that, after receiving the

results from a survey we sent out to our

members, we now have a much clearer insight

in terms of the answers to these questions.

We also held a ‘Voice of the Customer’ Day,

where Fire Industry Association (FIA) members

were invited to tell us what areas would need

to be covered for each job role. In addition,

members also considered the lack of a defined

career path for those joining the fire industry.

The results of the survey state what the top

areas of learning would need to be for each job

role, while the ‘Voice of the Customer’ Day

allowed FIA members to air their opinions and

suggest paths of study for times ahead.

The Maintenance Technician

No less than 15 topic areas were revealed to be

important in this job role. A basic grounding in

electronics may be needed. Unfortunately, this

isn’t a required subject at school so those

joining the industry don’t always have first-hand

knowledge. 98% of those surveyed stated

that understanding BS 5839 is necessary.

No surprise there, but a qualification would

have to afford a solid foundation in the whole

standard, as well as cover the maintenance

standards in greater detail. Other areas such as

waste management, communication and sales

skills, simple design principles and knowledge

of BS 6266 Fire Protection for Electronic

Equipment were also duly highlighted.

Additionally, other areas that are not covered

by current training were pointed out by

members at the ‘Voice of the Customer’ Day,

with 87% stating that the Health & Safety at

Work Act is particularly important.

The survey also revealed some other topics

of note: documentation/certification (91% of

respondents said this would be required),

testing methodology (90%), fire detection and

alarm technology (75%) and a strong grounding

in current fire legislation such as the Fire

(Scotland) Act and the Regulatory Reform (Fire

Safety) Order 2005 (67%).

The Installation Technician

The ‘Voice of the Customer’ Day revealed some

useful insight, namely that it shouldn’t be a

requirement to be a maintenance technician

prior to being an installation technician. In fact,

it was revealed that installers often moved into

maintenance at a later stage. As such, the level

of knowledge should still be high, but with fewer

topic areas required.

For the system installer, eight topic areas

were compiled compared to the 15 topic areas

for the maintenance technician. Again, no

surprises here. The survey revealed that 96%

voted for a broader understanding of BS 5839

to be required, as well as a focus upon the

installation and testing standards, which many

feel ought to be covered in greater detail.

No less than 88% of respondents felt that the

Health & Safety at Work Act is important.

Members attending the ‘Voice of the Customer’

Day confirmed this belief, stating that an

awareness of asbestos and working at height

would be necessary. As is the case for the

maintenance technician, a need to cover system

documentation and certification is also going to

be necessary in any qualification for this role.

Other areas included electrical competency

(77% of survey participants said this was

important), understanding BS 7671 17th

Edition (67%), understanding current

legislation (58%) and a comprehension of the

Building Regulations (56%).

In order to be completely up-to-date with

present technology, electrical competency

should also cover in some depth subjects such

as electronic principles and data

communications, possibly as separate areas.

“Communications are changing,” was the

opinion of one survey respondent. “Installation

engineers in our sector need to have an idea of

IT infrastructure and data connections such as

Ethernet/fibre optics.”


FIA Technical Briefing: Fire Detection and Alarm Systems

The System Designer

The role of the system designer was assumed

to be a much more advanced position by the

group of professionals present at the ‘Voice of

the Customer’ Day – not just in terms of

standards relating to fire safety systems, but

also in view of current legislation, present fire

guidance and the Building Regulations.

A system designer needs to know a lot more

than an installer or maintainer and, as such, the

amount of study required would be

considerably more. 90% of respondents to the

survey suggested that understanding building

design was essential to the role, alongside 83%

stating that understanding the Building

Regulations is important.

Clearly, a working knowledge of the built

environment is vital to the role and, as such,

would need to be studied.

There were also many other additional skills

mentioned, such as an ability to use and

understand Computer-Aided Design, an

understanding of the Equality Act and a need

for ‘soft skills’ around the subjects of

communications, sales and Health and Safety.

A formal qualification for this career path

would need to cover a wide range of areas and

be robust enough to afford the designer a

starting point for his or her future projects.

The Commissioning Engineer

There were a number of different opinions

expressed about whether a commissioning

engineer would have been an installer or a

maintainer prior to becoming a commissioning

engineer. Those at the ‘Voice of the Customer’

Day felt that this would not be a job role taken

upon entering the industry. Most individuals

would have been a maintenance technician or a

systems installer at some point beforehand.

Skills for this role are likely to be similar to

the maintenance technician or installer, but

with a few slight differences. The results of the

survey were very clear: 100% of respondents

said the BS 5839 commissioning standards

would be required, 95% felt that there was a

need to have a foundation level understanding

of the whole of BS 5839, 94% thought fault-finding

was a necessary skill and 87% felt that

false alarm management and simple design

principles respectively were important. Another

80% wanted their commissioning technician to

have instructional techniques.

At 62%, electronic knowledge here wasn’t

seen as being quite so vital, but is still deemed

more important to the commissioning

technician than the maintenance technician.

Looking to the future

The future of the fire safety industry certainly

does seem to hinge on the need for those

working in the realm of fire detection and alarm

systems to be more comprehensively educated.

There also needs to be a pathway for new

people to join the industry.

While the new ‘Trailblazer’ apprenticeship

scheme represents a great start for those

joining straight from school, there’s still a huge

need for those already of working age to find a

way in which to join the industry – and the only

real way is through a qualification.

A formal qualification is something that the

industry both desires and needs. A blanket

‘one-size-fits-all’ qualification isn’t going to be

sufficient for the fire industry – we need one for

each of the different disciplines within the fire

alarm and detection sector, since being a

designer is so different from the role of a

maintainer or installer (and so on).

A formal qualification might be just the thing

to open the door to a bright new future, but it’s

up to the industry itself to walk through it.

Martin Duggan:

General Manager of the Fire

Industry Association

“The results of the survey state what the top areas of learning would need

to be for each job role, while the ‘Voice of the Customer’ Day allowed FIA

members to air their opinions on paths of study for the immediate future”



Examining The Changing Face of The

Private Security Industry in 2017

The security landscape is still in transition, but there are clear trends developing, the origins of which date back to two significant incidents in 2001 and 2008. Paul Harvey recounts those events and what has happened since, subsequently outlining today’s security model and where it could – and should – be heading in 2017 and beyond


The terrorist attacks in New York on

September 11 2001 and the resulting

responses had a significant impact across

the globe. That’s still true today. The world has

also recently witnessed a concerning increase

in global terrorism with horrific episodes in

Nice, Paris, Brussels and Germany.

Second, the Lehman Brothers bankruptcy in

2008, predominantly due to its involvement in

the subprime mortgage crisis, is considered to

have played a major role in the unfolding of the

global financial crisis during the late-2000s.

The UK security market wasn’t (and isn’t)

immune from the effects of global financial

instability. As a predominantly labour-based

business, the guarding sector in particular

requires large amounts of working capital. As

payments to the supply chain slowed, with – in

the more extreme cases – clients becoming

insolvent and leaving significant debt, the

financial pressure increased for many

companies. Banks were unable or sometimes

unwilling to support businesses of varying sizes

and some security companies failed. This

wasn’t necessarily related to profitability. It was

often purely as a result of cashflow.

Clients experienced downturns and,

inevitably, expenditure was reviewed. Often an

expensive purchase with no clear way of

demonstrating its value, security was analysed

with the intention of reducing or eliminating

cost. With pay rates largely set and the TUPE

Regulations protecting employees’ Terms and

Conditions, indirect overheads and margin

became the battleground for reducing charges.

Companies fighting for survival didn’t have the

luxury of considering the longer term. The need

to retain or secure new business became

critical. If you cannot differentiate on service,

then service-buying clients predominantly

select on price.

Thus the environment was created that

impacts us today. We hear of complaints about

low margins, but many businesses continue to

compete on price, often with unsustainably low

margins. The industry must hold itself to

account. The sector – and individual companies

within it – hasn’t been bold enough to stand up

and say ‘enough is enough’ and follow this

through with determined courses of action.

Legislative framework

The legislative framework for operation hasn’t

changed. There appears little appetite from the

Government to push forward with the proposed

agenda of compulsory business licensing. Nor

does there seem to be significant progression

in the Security Industry Authority’s Approved

Contractor Scheme. To be frank, then, it’s

incumbent upon service providers themselves

to be the agents of change.

Aside from the ongoing increase in statutory

areas such as pensions, the big agenda item for

2017 is the incoming Apprenticeship Levy.

Although companies will be required to

contribute to the scheme, at present there’s no

security guarding-specific apprenticeship.

Furthermore, there’s currently no provision for a

replacement to the City and Guilds scheme that

has been in place previously. There are

discussions around which organisation will be

the provider moving forwards, but as yet there

have been no takers. This means that there’s no

course – or training – in place for the money to

be spent which, given the amount of funding

this relates to, is quite simply staggering.

Apprenticeships have existed for a long time

in other sectors such as CCTV engineering.

Another case of a reactive sector, then?

According to the Infologue.com listings, the

Top 20 security companies (based on turnover)

control 71% of the UK market. Forward-thinking

companies are taking the opportunity to be

disruptive or find a niche that offers greater

success and, potentially, profitability. As a

result, 2017 will be a year in which the UK



security market begins to benefit from the

platform created as it moves into the next

logical phase of the industry’s future.

The demand for change is being fuelled by

increasing levels of expectation and a

requirement for flexibility in service provision

called for by today’s discerning clients. Key

transformations are beginning to emerge,

namely specialism and expertise.

Specialism and expertise

First, there are the large-scale, national and/or

multinational businesses. They offer a wide

range of security and facility services, and are

predominantly (although not exclusively)

focused on high value and potentially multi-service

contracts. There’s a clear demand for

this capability. Competitors simply don’t have

the capability or scalability to compete, and nor

should they attempt to do so.

Second, there are organisations that will

continue to focus on specialist services, skills,

clients, contract sizes and geographies, etc.

These businesses truly understand their core

role and continue to be selective in how they

target growth and assess their value

proposition. Our own organisation falls into this

category. We’re focused on the central London

market. We know full well that our model

doesn’t fit everyone and we fully understand

our capability. We’re aware, for example, that

we don’t have the infrastructure to deliver

national accounts with multiple low value

contracts, so we don’t try to do so.

Third, the area where it’s possible to see

accelerated development in 2017, and which to

some degree is the most interesting, is that of

collaborative business partnerships

incorporating convergence and the alignment of

operational and security strategies.

Security suppliers with specific expertise will

be working collaboratively to deliver high-performing,

flexible and complementary

solutions. The convergence of physical and

cyber security delivers improved information

sharing on risks and can result in synergies and

more effective leveraging of resources.

Convergence can provide the benefit of

comprehensive capability, but with no dilution

in expertise. Individual solution providers will

heighten their knowledge and competencies. In

most cases, there’s a clear lead on provision.

To position this, security is – and should only

ever be – a supporting functionality that’s there

to enable a client’s core business. Many

business operations typically work in separate

silos and use different information and tools.

This can lead to overlapping processes and

higher costs. To alleviate inefficiencies, there

will be a move towards integrating operational

and security risk management.

Integrating disciplines

Often, organisations manage operational risk

and security risk separately. This incorporates

areas such as threat and vulnerability

management and continuous monitoring as

well as incident management.

Security risk management isn’t just about

security operations, but rather a bottom-up

approach that drives ‘actionability’ against

threats, vulnerabilities and incidents in order to

provide assurances for businesses.

While separating both operational and

security risk management has been a common

practice, dynamic changes in the threat

landscape are forcing organisations to integrate

the two disciplines and therefore gain a more

holistic view of risk. The unfortunate truth is

that one can schedule an audit, but one cannot

schedule an attack, in any of its various forms.

In light of this, an integrated approach to risk

that takes compliance, threats and

vulnerabilities as well as business impact into

account will become Best Practice. Without a

clear understanding of the business criticality

that an asset represents, an organisation is

unable to prioritise its efforts. A risk-driven

approach addresses both security and business

impact to increase operational efficiencies,

improve assessment accuracy, reduce attacks

and enhance investment decision-making.

The transition from the traditional

client/contractor relationship into genuine

partner and trusted advisor, and a compliance-driven

approach to a risk-based model, enables

businesses to evaluate the ongoing definition,

remediation and analysis of their risk.

Remote access is an increasing risk, and

indeed for many organisations has become

their key security focus. Furthermore, the

insider threat remains a concern given the

deluge of interconnected devices available.

Looking ahead, the industry will continue to

be subject to evolution rather than revolution in

the short term, but the pace and appetite for

change is increasing. If you look closely

enough, business models are becoming more

specific, technically competent and

sophisticated. This is a critical factor for

success when it comes to corporate stability.

Paul Harvey:

Commercial Director of

Ultimate Security Services



Open Source Software: Risk Management

Designed to Combat the Vulnerabilities

Software has transformed the way in which we work and live and is mission-critical to an ever-increasing number of organisations. Open source is the foundation of modern applications, often comprising as much as 90% of application code. Gartner reports that over 80% of cyber attacks are directed at applications. With open source vulnerabilities often exposing software to security breaches, Chris Fearon asserts why open source risk management is now a ‘must’ for businesses


Open source software is a vital component

in application development worldwide,

with open source components comprising

50% or more of many applications. Indeed, a

recent Forrester report takes those numbers

one step further, claiming that to address the

demand for more and better applications and

accelerate application development, developers

now regularly “use open source components as

their foundation, creating applications using

only 10%-20% new code.”

Obviously, the benefits of open source

software are hard to ignore. Businesses are

geared towards driving revenues with pressures

increasing on development teams to deliver.

With quicker lead times for development and

the competitive nature of applications, the use

of open source is an absolute requirement.

Even if they know that open source is a key

part of their firm’s success, some executives –

even those resident inside the IT Department –

might be surprised to find how much their

business’ solutions depend on open source and

how much open source they use to deliver

within a continuous integration environment

and on a continuous release schedule.

We regularly undertake code audits of

proprietary applications, often as part of

merger and acquisition activities. As part of

their due diligence, buyers need to ensure that

any software they’re acquiring as part of a

merger doesn’t also bring with it an

unacceptable level of risk or create Intellectual

Property issues. Firms may undertake static

and dynamic testing of code, but those tests

rarely identify potential open source issues.

Last year, we reviewed 200 business

applications for a report later issued under the

title ‘The State of Open Source Security in

Commercial Applications’. No less than 95% of

the applications we examined contained open

source components of some kind. The average

number of open source components we found

in each application was 105. Nearly 70% of the

applications had vulnerabilities in those open

source components, while 40% of the noted

vulnerabilities were rated as ‘Severe’.

More surprising was the fact that the average

age of the vulnerabilities was 1,894 days. In

other words, there’s a high likelihood of

vulnerabilities in many applications for which

potential attackers have had plenty of time to

develop exploits. Indeed, 10% of the

applications we reviewed in 2016 were still

vulnerable to the infamous Heartbleed bug in

the OpenSSL cryptographic library some two

years after this vulnerability was first disclosed.

Unique security risks

If this is making open source sound insecure,

that’s not my point. Open source is neither less

nor more secure than proprietary software.

However, open source vulnerabilities can pose

unique security risks. Due to its ubiquity,

attackers see popular open source as a target-rich

environment. In the same report cited

earlier, Forrester also notes that: “One out of

every 16 open source download requests is for

a component with a known vulnerability.”

Information is publicly available on known

open source vulnerabilities as well as detailed

instructions on how to exploit them. As soon as

a vulnerability is reported, a means to exploit

that vulnerability is almost always

simultaneously published. Of course, patches

for these vulnerabilities are often issued just as

quickly, but unless a business is aware that a

vulnerable open source component’s included

in its application(s), it’s highly probable that

component will remain unpatched. Therein lies

the very heart of the problem.

When a new open source vulnerability is

reported, a race is then on between the host

business and potential attackers. For the host

business to win that race, it needs to be able to



answer the following important questions:

• will you know if you’re using an open source

component with a known vulnerability?

• will you know if that vulnerability exposes

your software to attack?

• will you know how prevalent that open

source component is in your firm’s internal and

public-facing applications?

• will you know how to effectively manage and

mitigate any risk exposed by that vulnerability?

How can you know if your open source is

secure? You cannot secure what you’re not

tracking, so a first step – if your business hasn’t

already done so – needs to be the compilation

of an inventory of all open source components

your development teams are using. Some

organisations initiate a manual process to

manage their open source usage, but quickly

discover that manual processes seldom

maintain either a complete or a completely

accurate inventory of open source.

A complete open source inventory must

include all open source components, the

version(s) in use and download locations for

each project in usage or in development. You’ll

also need to include all dependencies – the

libraries your code is calling to and/or the

libraries to which your dependencies are linked

– within your inventory.

Fixing a vulnerability

As with tracking open source components, to fix

an open source vulnerability you first have to

know it exists. There are some vulnerability

databases – such as the US Government

vulnerability disclosure database, the National

Vulnerability Database (https://nvd.nist.gov/) –

that can help to identify issues.

However, not all vulnerabilities are reported

to the NVD, while the format of NVD records

often makes it difficult to determine which

versions of a given open source component are

affected by a vulnerability.
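As an added illustration (not part of the original article and not any vendor's tooling), the Python example below builds the kind of inventory described above, including transitive dependencies and download locations, and then matches it against advisories that state explicit affected version ranges. Every component name, version, URL and advisory ID is constructed, and versions are assumed to be purely dotted numbers.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    download_url: str
    requires: tuple = ()          # names of direct dependencies

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str               # first affected version (inclusive)
    fixed: Optional[str]          # first fixed version (exclusive); None = no fix yet
    severity: str

def parse_version(text):
    """Assumption: dotted numeric versions only. '3.0' compares equal to '3'."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version, adv):
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def build_inventory(apps, catalog):
    """Return ({app: {component: dependency chain}}, untracked).
    Walks transitive dependencies breadth-first; anything an application
    uses that is missing from the catalog is reported as untracked."""
    inventory, untracked = {}, set()
    for app, direct in apps.items():
        chains = {}
        queue = deque((name, (name,)) for name in direct)
        while queue:
            name, chain = queue.popleft()
            if name in chains:    # reached already; this also breaks cycles
                continue
            if name not in catalog:
                untracked.add((app, name))
                continue
            chains[name] = chain
            for dep in catalog[name].requires:
                queue.append((dep, chain + (dep,)))
        inventory[app] = chains
    return inventory, untracked

def find_exposure(inventory, catalog, advisories):
    """List every (advisory, application) pair where an affected version is in use."""
    findings = []
    for app, chains in inventory.items():
        for name, chain in chains.items():
            comp = catalog[name]
            for adv in advisories:
                if adv.component == name and is_affected(comp.version, adv):
                    findings.append({
                        "advisory": adv.advisory_id, "severity": adv.severity,
                        "app": app, "component": name, "version": comp.version,
                        "source": comp.download_url, "fixed_in": adv.fixed,
                        "via": " > ".join(chain),
                    })
    return sorted(findings, key=lambda f: (f["advisory"], f["app"]))

def prevalence(findings):
    """How widely each vulnerable component is spread across applications."""
    spread = {}
    for f in findings:
        spread.setdefault(f["component"], set()).add(f["app"])
    return {name: sorted(apps) for name, apps in spread.items()}

# Constructed sample data: none of these names, URLs or IDs are real.
BASE = "https://example.invalid/pkg/"
CATALOG = {c.name: c for c in [
    Component("webframe", "2.3.1", BASE + "webframe-2.3.1.tar.gz", ("tlslib", "jsonparse")),
    Component("tlslib", "1.0.4", BASE + "tlslib-1.0.4.tar.gz"),
    Component("jsonparse", "3.1", BASE + "jsonparse-3.1.tar.gz", ("strutil",)),
    Component("strutil", "0.9.2", BASE + "strutil-0.9.2.tar.gz", ("jsonparse",)),  # cycle
    Component("imgtool", "5.0.0", BASE + "imgtool-5.0.0.tar.gz"),
]}
APPS = {
    "customer-portal": ["webframe"],
    "internal-reports": ["jsonparse", "imgtool", "legacy-pdf"],  # legacy-pdf is untracked
}
ADVISORIES = [
    Advisory("EXAMPLE-0001", "tlslib", "1.0.1", "1.0.7", "Severe"),
    Advisory("EXAMPLE-0002", "jsonparse", "3.0", "3.1", "Moderate"),  # 3.1 already fixed
    Advisory("EXAMPLE-0003", "strutil", "0.5", None, "Severe"),       # no fix released
]

if __name__ == "__main__":
    inventory, untracked = build_inventory(APPS, CATALOG)
    for finding in find_exposure(inventory, CATALOG, ADVISORIES):
        print(finding)
    print("untracked:", sorted(untracked))
```

The `via` field shows why a component is present at all, which matters when the vulnerable library was never chosen directly by the development team.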

Other useful sources of information include

project distribution sites such as those

maintained by the Debian

(https://www.debian.org/security/) and Python

(http://bugs.python.org/) projects.

Security blogs and message boards like the

US-CERT alerts page (https://www.us-cert.gov/ncas/alerts)

and Google’s security

blog (https://security.googleblog.com/) can

also be helpful.

If your firm builds packaged, embedded or

commercial SaaS software, open source license

compliance should be of concern. Using your

inventory of open source components, you’ll

want to compile detailed license texts

associated with those components such that


you can flag any components not compatible

with your software’s distribution and license

requirements and generate a license notices

report to include with your shipped software.

Security and licensing concerns aside, how

do you know you’re using high quality open

source components? Are you employing a

current version of the software? Is it the most

stable? Is the component actively maintained

by a robust community?

Determining all of this can be time-consuming

and can impact developer productivity,

which is a reason why many organisations

struggle with effective open source governance

and turn towards an automated solution to

simplify open source risk management.

Continuous risk management

After identifying any vulnerability, licensing or

component quality risks in your open source,

you’ll need to determine what remediation

tasks – if any – need to be conducted and track

the subsequent remediation process to ensure

it’s actually being carried out correctly.

As with inventorying and identifying risks,

challenges you can expect to face include time

and cost issues. Manual review tends to result

in remediation late in the development cycle,

when the cost to fix is high and release

deadlines must be met. Manual review is also

incompatible with the rapid pace and

automation at the core of modern agile build

and continuous integration environments.

The job of open source vulnerability

management doesn’t stop when the application

ships. You’ll need to continue to monitor for

vulnerabilities as long as the application’s in

use. An average of ten new open source

vulnerabilities are discovered daily, while many

vulnerabilities are not reported for months – or,

on occasion, even years – after they’re

introduced to a component.

With open source usage and creation rapidly

growing, there’s a tendency towards continuing

to re-use components which are well known to

architects/developers due to familiarity and

historical use. Continuously monitoring open

source should include regular evaluation of

components. In truth, rigorously checking

directories of open source software may

disclose alternative components that offer the

same functionality with less risk.

Chris Fearon:

Research Director at Black

Duck Software



Security Qualifications: Observing The

View from the Wrong End of the Telescope

The Ofqual report issued following the Regulator’s consideration of license to practice qualifications in the security industry was finally published at the end of January. For some, the report added little to what’s widely known in the sector and very little by way of solutions. Despite this, there’s the genesis of some interesting thinking which, in Raymond Clarke’s view, could provide the necessary foundations for ongoing improvement

Before considering the positives contained within the 28-page Ofqual report, entitled ‘Licence-Linked Qualifications Used in Private Security’, it’s perhaps prudent to ponder on the limitations. Having perhaps spent more time considering the issues around malpractice and fraud over the last couple of years than most, the two key concerns for me relate to the lack of context for the report and the presumption that the actions required to be taken rest with those other than Ofqual itself.

A key criticism of the Ofqual report, and indeed its response to malpractice, is the preoccupation with micro issues. Fraud and malpractice are not contained or constrained within particular sectors, but are fluid and can migrate across sector boundaries. Those involved in wrongdoing can move readily in and out of sectors: security today, construction tomorrow, health and social care this time next year. There’s no doubt those sectors that are licensed, and where there are labour shortages or funding is readily available, are placed at a higher risk. The security industry ticks at least some of these boxes.

A positive aspect of the report is the indication that Ofqual will be broadening its review to consider the extent to which malpractice is evident in other sectors. While this is to be welcomed, Industry Qualifications (IQ) takes the view that independent research needs to be conducted on the scale and nature of the problem across the qualifications system from which specific sector issues might feed.

A review of the problem based upon the selection of half a dozen of the Conditions for Recognition, which define the requirements for awarding organisations, is too narrow a focus. Picking up one of the criticisms in the report, the absence of enforceable agreements would have had little or no impact on the Ashley Commerce College or the Get Licensed cases.

Commentator or Participant?

The second concern relates to the role of

Ofqual itself. The Regulator has a statutory

duty to ensure confidence in the UK system of

regulated qualifications. The question is

whether this is exercised solely through

investigating and commentating on the efforts

of others, or whether the Regulator has a more

active role to play.

My view is that Ofqual has a responsibility to

ensure the overarching system and framework

is fit for purpose. It’s then the role of Awarding

Organisations and others to operate within that

framework. A system which allows those

involved in wrongdoing to continually re-enter

the education market, those involved in fraud

to avoid prosecution and one which singularly

fails to consider the risks associated with

safety-critical qualifications any differently than

it does those for a GCSE in ‘Art’ needs to be

reviewed at both a macro and a strategic level.

IQ has therefore called publicly for the

establishment of an independent expert panel

to review qualifications fraud. Disappointingly,

the response from Ofqual was that it’s the

responsibility of Awarding Organisations to

have robust procedures in place.

Positives in the report

The most promising aspects of the report relate

to three statements of future activity.

First, there’s due recognition that fraud and

malpractice may need to be considered in other

sectors. While welcome, we would encourage

the start point to be the development of a

macro understanding of fraud before

considering the implications at a sector level.

Second, there’s the proposal that Awarding

Organisations should work together to

establish and apply a robust set of industry

standards or a Code of Conduct as a means to


strengthen their approach towards risk

management and quality assurance. This is a

positive suggestion. It’s one that builds upon

the co-operation that has developed across the

awarding bodies concerned in recent years.

Third is the desire of Ofqual to be advised

when the Security Industry Authority (SIA)

provides intelligence to Awarding Organisations

about malpractice or wrongdoing by individuals

of centres. Ofqual has indicated that it might

then require Awarding Organisations to

demonstrate how this information has been

used. However, there’s also a requirement for

Ofqual to consider how it manages and uses

intelligence in support of wider objectives.

Code of Practice

I’m broadly attracted by the concept of a Code

of Practice and welcome the encouragement for

Awarding Organisations to take the lead on this

matter. I would, however, go one step further

and make it a requirement of the SIA

recognition for an Awarding Organisation

working in the security industry that it complies

with any such document.

Common standards for centre approval and

centre monitoring would go a long way. More

work on standardising approaches to

assessment would be another step forward.

Competition based on the price, quality of

service and breadth of an individual Awarding

Organisation’s offer is to be encouraged.

Competition driven by cost reduction through

squeezing quality assurance costs or dumbing

down assessment standards to increase pass

rates should be outlawed. While there may be

differences of opinion on the precise detail, the

overall objective is easily supported.

The report also encourages the improved

sharing of intelligence. While IQ supports the

intent, it’s here that our opinions begin to

diverge from that of the Regulator, largely in

terms of where responsibilities lie.

IQ first raised its concern with Ofqual in 2015

that intelligence wasn’t available to Awarding

Organisations when making decisions about

centre approval or the approval of

trainers/assessors. The current system relies

on Awarding Organisations operating in the

same sector (or offering similar qualifications to

other Awarding Organisations) to notify others

of malpractice or maladministration. Ofqual is

also advised each time a notification is made

and is the only organisation that’s in receipt of

all such notifications for all sectors.

The current system is, in my view, clearly

flawed. Awarding Organisations new to a sector

are disproportionately exposed to risk as they

don’t have access to any historic records. For its


part, in my opinion Ofqual doesn’t appear to

maintain reliable records and what’s available

isn’t accessible to Awarding Organisations.

Investment in capability

IQ was exposed as a result of this failing in

relation to Ashley Commerce College and we

know of others that have been affected in a

similar way. Fortunately for them, they were not

included in a BBC broadcast. Due to the

weakness in the system, it’s an unfortunate but

pretty obvious fact of life that a new Awarding

Organisation in the sector can be a strong

magnet for those involved in wrongdoing.

The system also assumes that the same and

consistent standards of analysis and reporting

across all Awarding Organisations is common.

In truth, investigating fraud, malpractice and

maladministration to a point where information

is at an evidential level requires an investment

in investigative capability that many Awarding

Organisations would prefer to avoid.

It’s cheaper and quicker to move the problem

on. It’s the training sector’s own ‘traveller’

problem: ‘While they’re on the land of someone

else, they’re not on mine’.

The analysis conducted by Ofqual highlights

the need for sharing intelligence across the

sector. What’s missing, though, is any

recognition of the pivotal role that Ofqual itself

should be playing, ensuring the validity of that

intelligence and sharing this knowledge across

the wider education sector.

A system in denial

Our experience over the last two years is of a

regulatory system unable to separate

malpractice from fraud and one that appears to

be largely in denial of fraud.

When the issue at Ashley Commerce College

was exposed by the BBC, you couldn’t see

Ofqual for dust. Instead of using the situation

to expose wider networks of fraud, the

apparent approach taken by the Regulator was

to distance itself from the issue and cast blame.

The end result remains that no action has been

taken against those who committed the fraud.

Until the Regulator acknowledges the

problem is systemic, requires a collective and

intelligence-led response and then develops an

appetite for tackling the issue, those involved

in wrongdoing will continue to thrive no matter

the number of reports Ofqual might produce.

Raymond Clarke:

Chief Executive of Industry

Qualifications



Risk in Action

Evolution assists Uxbridge College to pass its security

management examinations with flying colours

A sophisticated integrated access control and CCTV solution is playing a key

role in managing the safety and security of students, staff and visitors at

Uxbridge College across both of its campuses in Uxbridge and Hayes.

The challenge presented to Evolution was in servicing, maintaining and

upgrading a system that protects no less than 4,000 students and 600

members of staff, while also taking into account the College’s ongoing growth

ambitions and constantly changing infrastructure.

Evolution is now fully supporting an IP-based system with card access,

turnstiles and proximity readers to control the movement of card holders across

the two sites, as well as a network of CCTV cameras designed to monitor those

seeking unauthorised access and provide a further layer of security.

Michael McDonagh, head of security at Uxbridge College, stated: “Should a

student forget their pass, we can immediately issue a replacement. However, in

maintaining full control, the student’s ‘forgotten’ or ‘lost’ pass is automatically

de-activated. Each card also has the shelf life of a student’s course length, so

will automatically expire when they finish for the year. Should an end user

attempt to gain access with a de-activated card, we’re immediately notified.”

Each of the passes provided is specifically tailored to take into account a

student’s studies and lifestyle. They control which ‘zones’ that student can

enter, identify whether or not

a student has a pre-paid car

parking permit and even

enable access to extracurricular

activities such as

sport or drama.

There are more than 120

controlled-entry doors and

80 CCTV cameras, which

Control Room operators can

use to pinpoint and track

unauthorised access. Both

campuses are integrated

under the single system.

SharpView solution courtesy of Zaun

Group company EyeLynx secures

vital London water supply

The integrity of the fresh water supply delivered

to London’s residents has been notably stepped

up thanks to the recent installation of an array

of cameras, high-security fencing, vibration

sensors and lengths of razor wire.

The risk posed to the water supply forced the

UK’s largest water and waste water company to

further enhance the security along one side of

the perimeter of reservoirs in South London,

where a public footpath has provided easier

access for trespassers and committed graffiti

‘vandals’ to gain entry.

The Zaun Group had already installed

ArmaWeave and razor topping around the

whole site. Thames Water then asked software

security expert EyeLynx to design a solution

based on its SharpView CCTV system and

protect the Critical National Infrastructure site.

Zaun Group companies EyeLynx and Binns

Fencing installed two huge temporary CCTV

masts complete with high-performance PTZ

cameras, thermal cameras with video analytics,

horn speakers and high-powered WiFi to link

the two with a SharpView NVR.

Selection of UK’s oldest and most

important artefacts safeguarded by

Chubb at Rochester Cathedral

Chubb Fire and Security has installed a

security intruder alarm system designed for

sensitive environments at Rochester Cathedral

with a view to securing some of the UK’s

oldest and most important artefacts.

First built in 604 AD, the Rochester

Cathedral in Kent is the second oldest in

England. It’s home to the Textus Roffensis, the

oldest example of English written law, which

dates right back to the 10th Century and the

creation of the English State.

The security tender followed a Heritage

Lottery Fund grant as part of the Cathedral’s

‘Hidden Treasures Fresh Expressions’ project.

In addition to the restoration of the

Cathedral’s library and strong room, the

project saw the creation of a secure exhibition

space within the medieval crypt.

Morgan Flynn, senior security

installer/commissioning engineer at Chubb,

said: “The present Cathedral dates back to

1080, necessitating an entirely bespoke

approach. No drilling of the stonework was

permitted. Sensors and switches needed to be

hidden from visitors, while the quarter-tonne

steel doors and ornate leadlight windows

required sensitive design and installation.”

Following a risk assessment, Chubb has now

installed a sophisticated Grade 3 intruder

alarm system, typically found in the most

high-risk environments such as banks, art

galleries and museums.



Risk in Action

Porthcawl’s RNLI: Improving

education and saving lives with

network camera technology

Porthcawl’s RNLI station is aiming to

improve education and safety around the

water with the implementation of innovative

surveillance technology from Swansea-based

PC1 and Axis Communications.

With high tourism levels and fast-shifting

tides, the installation at Porthcawl Pier

provides an online live-stream. This ensures

visitors are prepared for the conditions they

will face, minimising the necessity of lifeboat

launches and reducing overall costs.

RNLI statistics show that 44% of lifeboat

launches in 2015 were due to persons in

distress, either ashore, offshore or using

manual craft such as surfboards or kayaks.

The camera points directly at Porthcawl

Pier, one of the highest risk areas. During

storms and rough weather conditions,

visitors are in danger of being swept out to

sea by tides that can reach up to 7 knots (8

mph). The installation of the Axis Q1775-E

fixed network camera, combined with a high-tech

weather installation, ensures Porthcawl

RNLI can access weather metrics, tide

activity, conditions monitoring and more.

With 10x optical zoom and autofocus

capabilities, the RNLI decided the camera

was the stand-out choice due to its weather

resilience, providing 24/7 surveillance

capabilities and excellent image quality.

Ian Stroud, retired member of the Deputy

Launch Authority at Porthcawl RNLI, said:

“One of the most significant tasks a lifeboat

station must undertake is observing sea

conditions to make judgements on the

equipment lifeboat operators will need.”

Speaking about the installation itself,

Graham Thomas (IT and online projects

manager at PC1) observed: “We installed a

weather station and connected the

installation to YouTube, allowing the public

and lifeboat staff alike to view real-time

images and accurate weather reports.”

Notifier by Honeywell’s the King of the Castle in the eyes of

money.co.uk

money.co.uk has

recently completed a

£3 million renovation

project in order to

transform a Grade II-listed

Victorian castle

on the Bathurst Estate

in Cirencester into the

ultimate high-tech

workplace.

Life safety is rightly

considered paramount

on site. With this in mind, Bristol-based APE Fire & Security asked Interaction

(the main contractor for the project) to design, specify, install and commission

a fire detection system that could offer staff and visitors alike the very highest

levels of protection.

To keep employees and visitors safe, fire detection technology from Notifier

by Honeywell has been installed throughout and is based around the

company’s Pearl intelligent addressable control panels. The networkable fire

detection control panel has been specifically created to be immune from the

threat of unwanted alarms.

Linked to the Pearl control panels are Notifier’s Opal photoelectric smoke

detectors. In the kitchen areas, SMART3 detectors use optical smoke sensing in

conjunction with heat sensors, infrared flame sensing technology and

sophisticated alarm algorithms to offer a fast response to flaming fires, while

at the same time providing superior unwanted alarm immunity.

Thanks to some very clever ‘cause and effect’ programming, APE Fire &

Security has been able to integrate the Pearl control panel with the existing

intruder and access control system.

ACT’s in store with Asda in wake of

IP access control solution roll-out

CBES has installed IP access control systems

from ACT at Asda stores and distribution

centres across the UK. The roll-out has already

covered 500 sites, all of which are networked

to Asda’s corporate headquarters in Leeds.

Asda is benefiting from ACTpro 4000 two-door

controllers which can extend to 16 doors

via ACTpro door stations. In turn, up to 250 of the controllers may be

networked via a PC interface. The ACT hardware offers low bandwidth and auto-discovery

for easy installation and maintenance, alongside features such as

timed anti-passback and counting areas.

The Asda sites are using ACT’s specialist software platform, designated

ACTpro Enterprise, which distinguishes between different user types such as

installer, security officer or system administrator so as to factor out accidental

system changes and minimise maintenance. ACTpro Enterprise affords end

users a familiar web-browser experience using hyperlinks, ‘backwards’ and

‘forwards’ buttons and powerful search functionality.

An Asda staff member might present their MIFARE contactless smart card to

a reader in order to access a secure area of a site. The ACT software then grants

or denies access according to the user’s privileges which can be defined in

relation to seniority, job profile, time of day and day of the week. Asda’s

managers are benefiting from the integration of access control with CCTV and

intercoms through the Sky-Walker Integration Platform from Entelec.



Technology in Focus

Vanderbilt integrates ACTEnterprise and Eventys for a ‘plug

and protect’ security management solution

The latest product offering from Vanderbilt blends access control with video

management, as ACTEnterprise now supports integration with Eventys EX NVRs.

Simple to set up and operate, Eventys NVRs offer powerful, seamless and

reliable, yet inexpensive video recording of up to 16 IP cameras. Now,

ACTEnterprise allows cameras connected to an Eventys EX NVR to be associated

with access control doors.

Any events recorded in the access control log such as ‘access denied’ or ‘door

forced’ can be linked with the associated footage stored on the NVR. Events on

a door with an associated camera display

a camera icon, and clicking that icon replays

the footage.

The main features associated with

this integration platform are Live

Video Display and Playback

Recordings. The Live Video Display

allows switching between the

different video camera sources.

www.vanderbiltindustries.com

360 Vision Technology brings to

market the all-new Predator

Overview camera system

360 Vision Technology continues to expand

its camera range with the release of Predator

Overview, a dual camera head, high-speed

and ‘ruggedised’ PTZ HD colour/mono

camera system for end users.

Borne out of customer feedback, the new

Predator Overview features a Full-HD 1080p

wide angle Overview camera combined with

a separate 30x optical, ultra-low light Sony

STARVIS Full-HD ‘Zoom’ camera.

Overview is ideal for those live monitored

applications such as town centres, container

ports and transportation hubs where an

overview (of up to a 90° field of view) of the

incident or target area is desirable.

www.360visiontechnology.com

CEM Systems introduces latest version of popular AC2000

Security Management System for end users

Tyco Security Products has released AC2000 v8, which offers new features that

increase the performance, simplicity and scope of the AC2000 access control

system suite from CEM Systems. These include AC2000 data partitioning and

enhancements to the AC2000 Security Hub Command and Control application.

In addition, CEM Systems has also released enhancements to the emerald

Intelligent Access Terminal range in the shape of the emerald TS100f and

TS200f fingerprint terminals.

“The latest release of AC2000, which includes data partitioning, offers

enhancements for both multi-site and multi-tenanted customers,” said Richard

Fletcher, product manager at CEM Systems. “AC2000 Database Partitioning is a

powerful feature for scenarios where multiple companies use a single security

management system. It empowers each company by giving them control over

their own private access areas, while still allowing them access to common

areas within the building or campus.”

Enhancements within the AC2000 Security Hub centralised Command and

Control application include Map Zones, reports and a “seamless” video

integration interface which enables live video footage for specific configured

alarms to be displayed. This release also offers enhanced functionality of

emerald, CEM Systems’ award-winning intelligent access terminal. Designed

for use with AC2000, emerald terminals not only control access to restricted

areas, but also “open up a

world of possibilities” by

bringing AC2000 intelligence

directly to the edge.

emerald now supports a

‘Boarding and Deplaning Route

Management’ (BDRM) mode

which provides a sophisticated

touch screen-based passenger

routing system for airports.

www.cemsys.com

Norbain turns its attentions towards

Bosch Security Systems’ DIVAR

hybrid network recorders

Norbain is now offering the new DIVAR hybrid

and network recording solutions from Bosch

Security Systems. Designed for 24/7 operation,

they afford the ability to create surveillance

solutions with professional security features.

These solutions can be tailored to fit the

growing needs of many businesses.

With DIVAR recorders, it’s easy to watch live

footage, play recorded content or reconfigure

local unit settings anytime from anywhere. This

can be carried out via the DIVAR Mobile Viewer

app, available on smart phones (iOS and

Android) and via the web browser.

The direct monitor output is ideal for desktop

models often positioned on a counter. The

monitor can be placed on or beside the device,

giving the business owner an overview of live

images from all connected cameras.

www.norbain.com


Disruptive technology harnesses power of Big Data to give guarding

end users “real insight” into security

Cardinal Security is looking to revolutionise

security guarding with the release of a new

operations platform. Designed to provide end

users with a level of insight unavailable to date,

the intelligence-led approach provided by

Guarded 365 affords users “full transparency

and real control” over their security spend.

Jason Trigg, CEO of Cardinal Security, believes

that every end user of guarding services should

demand this data and have proper visibility on

where their investment is being made.

“What people worry about in this business is

what they’re receiving for their money, and

rightly so. Most providers don’t deliver

sufficient insight into Return on Investment.”

Cardinal’s response to the challenge is the

Guarded 365 intelligent platform, which is

linked to a central data management system.

When an officer arrives at the start of a shift

they use a geocoded tablet – or an app on their

own device – to take a picture of their face. A

controller from Cardinal Security matches this

against a database of staff members and then

approves the officer to begin their shift.

In essence, this simple process ensures

timekeeping is accurate and that the correct,

fully-licensed operative is on duty and wearing

the correct uniform.

www.cardinalsecurity.co.uk

Bespoke power supply

solutions for access control

projects unveiled by

Elmdene International

Elmdene International has just

launched a new range of power

supplies specifically for use with

access control systems.

The Access Control range has

been carefully designed to house

some of the most common door controllers

in order to ensure both convenience and

flexibility for installations.

With different power options and

enclosure sizes available, this new access

control range offers the security professional

a choice of PSUs for a variety of

applications. The range could also mean cost

savings, with some of the units having the

capability to provide battery-backed power

for multiple door controllers, saving time

and money on installing singular units.

The Access Control range also includes

multi-access PSUs. These models are

supplied with a hinged cabling system and

can provide either 12 V or 24 V, while also

offering an independent ancillary relay that

can be used for applications such as a fire

door release relay.

The enclosure is also a larger design

capable of accommodating expander plates

should additional door controllers be

required, in turn further adding to the

flexibility this range is able to offer.

www.elmdene.co.uk

Integrated technologies are the key

for ievo and Keytracker partnership

An integration of cutting-edge biometric

recognition technology and key management

systems is offering the very highest levels of

security for organisations managing a large

number of priority keys.

The system is the result of determined cooperation

between ievo, the Newcastle-based

manufacturer of biometric recognition

systems, and Keytracker (the Midlands

manufacturer of key management systems).

Andy Smith, general manager at Keytracker,

explained: “We’ve developed our restricted

key access systems for a huge variety of

sectors ranging from the construction,

engineering, property, education and health

sectors to the vehicle retail trade. By

combining these systems with ievo’s biometric

recognition technology and the corresponding

software, we’ve created

an ultra-secure solution

that tracks the release

of specific keys to

specific people.”

The ‘Restricted Key

Access System’

incorporates state-of-the-art

hardware with

easy-to-operate

administration software

restricting access to

only those keys the

user is authorised to

use. Integration of the

ievo ultimate fingerprint

readers ensures that the potential for

fraudulent access via stolen swipe cards or

PIN codes is removed. The registration process

has been integrated into the existing software.

www.ievoreader.com



thepaper

Business News for Security Professionals

Pro-Activ Publications is embarking on a revolutionary

launch: a FORTNIGHTLY NEWSPAPER dedicated to the

latest financial and business information for

professionals operating in the security sector

The Paper will bring subscribers (including CEOs,

managing directors and finance directors within the

UK’s major security businesses) all the latest company

and sector financials, details of business re-brands,

market research and trends and M&A activity

FOR FURTHER INFORMATION

ON THE PAPER CONTACT:

Brian Sims BA (Hons) Hon FSyI

(Editor, The Paper and Risk UK)

Telephone: 020 8295 8304

e-mail: brian.sims@risk-uk.com

www.thepaper.uk.com


Appointments

Joey Hambidge

Skills for Security has

announced the appointment

of Joey Hambidge in the

newly-created role of

operations manager. This

position at the sector skills

body for the private security

business sector has been

realised to provide the

organisation with essential operational support.

Hambidge will now be responsible for a broad

remit including accreditations, apprenticeship

standards, qualifications and the day-to-day

management of Skills for Security’s operations

and members of staff.

With an extensive background in training,

course design and employer liaison, Hambidge

boasts much experience in delivering

employability training and mapping course

content to an established curriculum.

Commenting on the appointment, Skills for

Security’s interim director general Peter Sherry

explained: “2017 is set to be an exciting year at

Skills for Security as we gear up to provide

guidance and support for security employers

ahead of the introduction of a new

apprenticeship standard. As such, we’re very

pleased to welcome Joey to the organisation,

where his extensive experience of employer

liaison and course development will help us to

develop our current offering and better meet

the needs of the security industry as a whole.”

Speaking about his new role, Hambidge

informed Risk UK: “I’m looking forward to

working for Skills for Security to improve

diversity and inclusion in apprenticeships. By

liaising closely with employers, it’s my goal that

Skills for Security becomes recognised as the

industry leader for new apprenticeship

standards within our sector.”

Craig Menzies

CNL Software, the specialist in Physical Security Information Management (PSIM) solutions, is pleased to announce that it has appointed Craig Menzies to the role of general manager for the Middle East. Menzies will assume direct responsibility for all customer-facing departments as the company prepares for further expansion in the region.

Menzies joins CNL from Tyco Fire & Security UAE where he was the Security Division’s manager, overseeing multi-disciplinary teams working on state-of-the-art security solutions for high-profile projects on behalf of Dolphin Energy, KOC, the Abu Dhabi Airports Company and the Road Transport Authority.

Menzies brings over 30 years’ experience of providing technology leadership and innovation in security solutions, of which 25 have been spent in the Middle East, resulting in an in-depth understanding of customers and partners right across the region.

“We’re excited to have Craig join CNL Software in the Middle East, particularly at a time when we’re strengthening our teams globally and deepening collaboration with our partners to support the growing demand for our IPSecurityCenter PSIM solution,” said James Condron, vice-president of global sales and marketing at CNL Software.

Menzies informed Risk UK: “I’m delighted to join an already impressive team that boasts a great track record of innovation.”

Risk UK keeps you up-to-date with all the latest people moves in the security, fire, IT and Government sectors

Gareth Walsh

Elmdene International is pleased to announce a new addition to complete the business’ sales team in the UK. Gareth Walsh has now joined the company as regional sales manager looking after the Northern UK area.

In his new role, Walsh will be leading Elmdene’s growth within the region by supporting strategic business plans.

Walsh comes to Elmdene with 12 years’ experience in the fire and security industry, having worked in sales positions at EU Fire and Security for ten years and at Illumino Ignis for almost two years, covering the North West region at both companies.

Previously, Walsh has project-managed and commissioned the design and implementation of various system set-ups including fire alarm systems, emergency lighting systems and disabled refuge solutions.

Sharon Ramsay, general manager at Elmdene International, explained: “Gareth brings vast experience from the industry, in turn adding to the skills and knowledge of our existing sales team. Along with our future growth plans, commitment to customer service and ongoing product development, the addition of Gareth to the team means we now have a dedicated focus in the North of the UK.”

Walsh himself stated: “I’m delighted to be joining Elmdene. I’m looking forward to sharing my knowledge with the team, working with our customer base and building new relationships.”


Waleed Eltayib

Axis Security, one of the UK’s leading security guarding

and electronic security groups, has appointed Waleed

Eltayib as key account director.

Eltayib’s role includes overseeing the account teams at

the company’s largest sites in London and the South East,

as well as ensuring the delivery of a customer-centric

approach and optimum service levels.

An experienced security operations professional,

Eltayib has worked for Axis Security for the past three

years at the Crown Estate St James’ Portfolio managed by BNP Paribas Real

Estate. Prior to this, Eltayib held senior contract management positions on

behalf of Broadgate Estates, GVA West End Management and ABN Amro.

“It’s useful to look at contract delivery with a fresh pair of eyes,

understanding the host business’ culture and how we can adapt our service

delivery to complement it,” explained Eltayib in conversation with Risk UK.

In his new role, Eltayib is reporting to Axis Security’s operations director John

Fitzpatrick. Key to his remit will be the Rathbone Square project, a flagship

office, retail and residential development which is new to Axis Security’s

London portfolio. Eltayib will be the main point of contact for the management

team and a visible and regular presence on site.

Jos Beernink

Genetec, a leading

provider of open

architecture and unified IP

security solutions, has

recently unveiled two new

senior executive

appointments.

Jos Beernink has been

appointed vice-president

of sales for Europe, the Middle East and Africa,

where he will direct the sales organisation,

developing new business and helping the

channels address growing business demand.

Beernink joins from a valued Genetec partner,

Honeywell, where he served as vice-president

of sales and marketing. In this role, his primary

remit was to drive territory growth, which he

will now apply in his new position at Genetec.

Beernink has been a highly respected member

of the technology sector for over two decades.

In addition, Cyrille Becker joins as general

manager for Europe to oversee European

operations, positioning the business for growth

within the European market.

Becker is a seasoned business developer

with 15 years’ experience gained in the security

industry. He most recently served as a business

unit general manager at Stanley Security

France, a long-time Genetec partner.

“With the appointments of Jos and Cyrille,

we’re well positioned to address the rapid

business growth that Genetec has experienced

over recent years, while also meeting the needs

of physical security projects across the many

different vertical markets we serve in Europe,”

said chief commercial officer Georges Karam.

Georgios Kastias

Apollo Fire Detectors has

announced the

appointment of Georgios

Kastias as the company’s

new operations director.

Bringing a raft of

experience to the role,

Kastias’ appointment

reflects the commitment

made by Apollo to achieving organisational

excellence within the company, spearheaded by

a dynamic and effective leadership team.

Born and raised in Greece, Kastias later

obtained a BEng in Mechanical Engineering at

Heriot-Watt University, followed by an MSc from

Cranfield University and, more recently, an MBA

which was gained at the Imperial College

Business School.

Kastias joins Apollo Fire Detectors from

Danfoss, where he held the role of operations

director, duly transforming the business into a

high-performing organisation thanks to a

determined focus on operational excellence and

effective cultural change.

Speaking about his new role, Kastias told

Risk UK: “I’m absolutely delighted to be joining

Apollo’s leadership team.”

Kim Jørgensen

Milestone Systems, the

specialist in open

platform IP video

management software,

has made two senior-level

appointments.

To strengthen

Milestone’s business

support, Kim Jørgensen

joins in the newly-created position of vice-president

for global IT and operations. In this

role, he will be part of Milestone’s extended

leadership team with a focus on continued

improvements around internal IT solutions,

as well as online services.

Jørgensen brings a strong business and

technical background to the role as well as a

proven track record of helping fast-growing

businesses to both align and mature their

technical services with underlying

Information Technology infrastructures.

After more than 15 years at Microsoft,

Jesper Lachance Raebild has joined

Milestone as director of product marketing.

Heading up the global product marketing

team in Copenhagen, he will use his strong

background in software channel business

and global product marketing to accelerate

the Milestone platform and products.



20 - 22 JUNE 2017 EXCEL LONDON, UK

New exhibition within

IFSEC International 2017

AT BORDERS & INFRASTRUCTURE EXPO YOU WILL BENEFIT FROM:

• Access a VIP Meeting Service


live product demonstration and testing area

BRE Global

Networking Lounge


• See the latest UAVs at The Drone Zone.



against them


Best Value Security Products from Insight Security

www.insight-security.com Tel: +44 (0)1273 475500

...and

lots

more

Computer

Security

Anti-Climb Paints

& Barriers

Metal Detectors

(inc. Walkthru)

Security, Search

& Safety Mirrors

Security Screws &

Fastenings

Padlocks, Hasps

& Security Chains

Key Safes & Key

Control Products

Traffic Flow &

Management

see our

website

ACCESS CONTROL

KERI SYSTEMS UK LTD

Tel: + 44 (0) 1763 273 243

Fax: + 44 (0) 1763 274 106

Email: sales@kerisystems.co.uk

www.kerisystems.co.uk

ACCESS CONTROL

ACCESS CONTROL

ACT

ACT – Ireland, Unit C1, South City Business Park,

Tallaght, Dublin, D24 PN28, Ireland. Tel: +353 1 960 1100

ACT - United Kingdom, 601 Birchwood One, Dewhurst Road,

Warrington, WA3 7GB. Tel: +44 161 236 9488

sales@act.eu www.act.eu

ACCESS CONTROL – BARRIERS, GATES, CCTV

ABSOLUTE ACCESS

Aberford Road, Leeds, LS15 4EF

Tel: 01132 813511

E: richard.samwell@absoluteaccess.co.uk

www.absoluteaccess.co.uk

Access Control, Automatic Gates, Barriers, Blockers, CCTV

ACCESS CONTROL

COVA SECURITY GATES LTD

Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards

Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68

Tel: 01293 553888 Fax: 01293 611007

Email: sales@covasecuritygates.com

Web: www.covasecuritygates.com

ACCESS CONTROL & DOOR HARDWARE

ALPRO ARCHITECTURAL HARDWARE

Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks,

Waterproof Keypads, Door Closers, Deadlocks plus many more

T: 01202 676262 Fax: 01202 680101

E: info@alpro.co.uk

Web: www.alpro.co.uk

ACCESS CONTROL – SPEED GATES, BI-FOLD GATES

HTC PARKING AND SECURITY LIMITED

St. James’ Bus. Centre, Wilderspool Causeway,

Warrington Cheshire WA4 6PS

Tel 01925 552740 M: 07969 650 394

info@htcparkingandsecurity.co.uk

www.htcparkingandsecurity.co.uk

ACCESS CONTROL

INTEGRATED DESIGN LIMITED

Integrated Design Limited, Feltham Point,

Air Park Way, Feltham, Middlesex. TW13 7EQ

Tel: +44 (0) 208 890 5550

sales@idl.co.uk

www.fastlane-turnstiles.com

ACCESS CONTROL

SECURE ACCESS TECHNOLOGY LIMITED

Authorised Dealer

Tel: 0845 1 300 855 Fax: 0845 1 300 866

Email: info@secure-access.co.uk

Website: www.secure-access.co.uk

ACCESS CONTROL MANUFACTURER

NORTECH CONTROL SYSTEMS LTD.

Nortech House, William Brown Close

Llantarnam Park, Cwmbran NP44 3AB

Tel: 01633 485533

Email: sales@nortechcontrol.com

www.nortechcontrol.com

Custom Designed Equipment

• Indicator Panels

• Complex Door Interlocking

• Sequence Control

• Door Status Systems

• Panic Alarms


• Bespoke Products

www.hoyles.com

sales@hoyles.com

Tel: +44 (0)1744 886600

ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES

UKB INTERNATIONAL LTD

Planet Place, Newcastle upon Tyne

Tyne and Wear NE12 6RD

Tel: 0845 643 2122

Email: sales@ukbinternational.com

Web: www.ukbinternational.com

Hoyles are the UK’s leading supplier of

custom designed equipment for the

security and access control industry.

From simple indicator panels to

complex door interlock systems.

BUSINESS CONTINUITY

ACCESS CONTROL, INTRUSION DETECTION AND VIDEO MANAGEMENT

VANDERBILT INTERNATIONAL (UK) LTD

Suite 7, Castlegate Business Park

Caldicot, South Wales NP26 5AD UK

Main: +44 (0) 2036 300 670

email: info.uk@vanderbiltindustries.com

web: www.vanderbiltindustries.com

BUSINESS CONTINUITY MANAGEMENT

CONTINUITY FORUM

Creating Continuity ....... Building Resilience

A not-for-profit organisation providing help and support

Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845

Email: membership@continuityforum.org

Web: www.continuityforum.org



CCTV

CONTROL ROOM & MONITORING SERVICES

CCTV

Rapid Deployment Digital IP High Resolution CCTV

40 hour battery, Solar, Wind Turbine and Thermal Imaging

Wired or wireless communication fixed IP

CE Certified

Modicam Europe, 5 Station Road, Shepreth,

Cambridgeshire SG8 6PZ

www.modicam.com sales@modicameurope.com

CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS

ALTRON COMMUNICATIONS EQUIPMENT LTD

Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ

Tel: +44 (0) 1269 831431

Email: cctvsales@altron.co.uk

Web: www.altron.co.uk

ADVANCED MONITORING SERVICES

EUROTECH MONITORING SERVICES LTD.

Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring

• Vehicle Tracking • Message Handling

• Help Desk Facilities • Keyholding/Alarm Response

Tel: 0208 889 0475 Fax: 0208 889 6679

E-MAIL eurotech@eurotechmonitoring.net

Web: www.eurotechmonitoring.net

DISTRIBUTORS

CCTV

G-TEC

Gtec House, 35-37 Whitton Dene

Hounslow, Middlesex TW3 2JN

Tel: 0208 898 9500

www.gtecsecurity.co.uk

sales@gtecsecurity.co.uk

CCTV/IP SOLUTIONS

DALLMEIER UK LTD

3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH

Tel: +44 (0) 117 303 9 303

Fax: +44 (0) 117 303 9 302

Email: dallmeieruk@dallmeier.com

SPECIALISTS IN HD CCTV

MaxxOne

Unit A10 Pear Mill, Lower Bredbury, Stockport. SK6 2BP

Tel +44 (0)161 430 3849

www.maxxone.com

sales@onlinesecurityproducts.co.uk

www.onlinesecurityproducts.co.uk

AWARD-WINNING, LEADING GLOBAL WHOLESALE

DISTRIBUTOR OF SECURITY AND LOW VOLTAGE PRODUCTS.

ADI GLOBAL DISTRIBUTION

Distributor of electronic security systems and solutions for over 250 leading manufacturers, the company

also offers an internal technical support team, dedicated field support engineers along with a suite of

training courses and services. ADI also offers a variety of fast, reliable delivery options, including specified

time delivery, next day or collection from any one of 28 branches nationwide. Plus, with an ADI online

account, installers can order up to 7pm for next day delivery.

Tel: 0161 767 2990 Fax: 0161 767 2999 Email: sales.uk@adiglobal.com www.adiglobal.com/uk

CCTV & IP SECURITY SOLUTIONS

PANASONIC SYSTEM COMMUNICATIONS COMPANY

EUROPE

Panasonic House, Willoughby Road

Bracknell, Berkshire RG12 8FP UK

Tel: 0207 0226530

Email: info@business.panasonic.co.uk

WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS,

PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.

MAYFLEX

Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ

Tel: 0800 881 5199

Email: securitysales@mayflex.com

Web: www.mayflex.com

COMMUNICATIONS & TRANSMISSION EQUIPMENT

KBC NETWORKS LTD.

Barham Court, Teston, Maidstone, Kent ME18 5BZ

www.kbcnetworks.com

Phone: 01622 618787

Fax: 020 7100 8147

Email: emeasales@kbcnetworks.com

DIGITAL IP CCTV

SESYS LTD

High resolution ATEX certified cameras, rapid deployment cameras and fixed IP CCTV surveillance solutions available with wired or wireless communications.

1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG

Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333

Email: info@sesys.co.uk www.sesys.co.uk

THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS

CONTROL AND INTRUDER DETECTION SOLUTIONS

NORBAIN SD LTD

210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP

Tel: 0118 912 5000 Fax: 0118 912 5001

www.norbain.com

Email: info@norbain.com

CCTV SPECIALISTS

PLETTAC SECURITY LTD

Unit 39 Sir Frank Whittle Business Centre,

Great Central Way, Rugby, Warwickshire CV21 3XH

Tel: 01788 567811 Fax: 01788 544 549

Email: jackie@plettac.co.uk

www.plettac.co.uk

UK LEADERS IN BIG BRAND CCTV DISTRIBUTION

SATSECURE

Hikvision & MaxxOne Authorised Dealer

Unit A10 Pear Mill, Lower Bredbury,

Stockport. SK6 2BP

Tel +44 (0)161 430 3849

www.satsecure.uk

www.insight-security.com Tel: +44 (0)1273 475500


EMPLOYMENT

FIRE AND SECURITY INDUSTRY RECRUITMENT

SECURITY VACANCIES

www.securityvacancies.com

Telephone: 01420 525260

INTEGRATED SECURITY SOLUTIONS

INNER RANGE EUROPE LTD

Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead,

Reading, Berkshire RG7 4GB, United Kingdom

Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001

Email: ireurope@innerrange.co.uk

www.innerrange.com

PERIMETER PROTECTION

IDENTIFICATION

ADVANCED PRESENCE DETECTION AND SECURITY LIGHTING SYSTEMS

GJD MANUFACTURING LTD

Unit 2 Birch Business Park, Whittle Lane, Heywood, OL10 2SX

Tel: + 44 (0) 1706 363998

Fax: + 44 (0) 1706 363991

Email: info@gjd.co.uk

www.gjd.co.uk

COMPLETE SOLUTIONS FOR IDENTIFICATION

DATABAC GROUP LIMITED

1 The Ashway Centre, Elm Crescent,

Kingston upon Thames, Surrey KT2 6HH

Tel: +44 (0)20 8546 9826

Fax:+44 (0)20 8547 1026

enquiries@databac.com

PERIMETER PROTECTION

GPS PERIMETER SYSTEMS LTD

14 Low Farm Place, Moulton Park

Northampton, NN3 6HY UK

Tel: +44(0)1604 648344 Fax: +44(0)1604 646097

E-mail: info@gpsperimeter.co.uk

Web site: www.gpsperimeter.co.uk

POWER

INDUSTRY ORGANISATIONS

TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY

BRITISH SECURITY INDUSTRY ASSOCIATION

Tel: 0845 389 3889

Email: info@bsia.co.uk

Website: www.bsia.co.uk

Twitter: @thebsia

THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY

SSAIB

7-11 Earsdon Road, West Monkseaton

Whitley Bay, Tyne & Wear

NE25 9SX

Tel: 0191 2963242

Web: www.ssaib.org

INTEGRATED SECURITY SOLUTIONS

POWER SUPPLIES – DC SWITCH MODE AND AC

DYCON LTD

Unit A, Cwm Cynon Business Park, Mountain Ash, CF45 4ER

Tel: 01443 471900 Fax: 01443 479 374

Email: sales@dyconpower.com

www.dyconpower.com

STANDBY POWER

UPS SYSTEMS PLC

Herongate, Hungerford, Berkshire RG17 0YU

Tel: 01488 680500

sales@upssystems.co.uk

www.upssystems.co.uk

UPS - UNINTERRUPTIBLE POWER SUPPLIES

ADEPT POWER SOLUTIONS LTD

Adept House, 65 South Way, Walworth Business Park

Andover, Hants SP10 5AF

Tel: 01264 351415 Fax: 01264 351217

Web: www.adeptpower.co.uk

E-mail: sales@adeptpower.co.uk

SECURITY PRODUCTS AND INTEGRATED SOLUTIONS

HONEYWELL SECURITY AND FIRE

Tel: +44 (0) 844 8000 235

E-mail: securitysales@honeywell.com

UPS - UNINTERRUPTIBLE POWER SUPPLIES

UNINTERRUPTIBLE POWER SUPPLIES LTD

Woodgate, Bartley Wood Business Park

Hook, Hampshire RG27 9XA

Tel: 01256 386700 5152

E-mail: sales@upspower.co.uk

www.upspower.co.uk



SECURITY

CASH & VALUABLES IN TRANSIT

CONTRACT SECURITY SERVICES LTD

Challenger House, 125 Gunnersbury Lane, London W3 8LH

Tel: 020 8752 0160 Fax: 020 8992 9536

E: info@contractsecurity.co.uk

E: sales@contractsecurity.co.uk

Web: www.contractsecurity.co.uk

QUALITY SECURITY AND SUPPORT SERVICES

CONSTANT SECURITY SERVICES

Cliff Street, Rotherham, South Yorkshire S64 9HU

Tel: 0845 330 4400

Email: contact@constant-services.com

www.constant-services.com

FENCING SPECIALISTS

J B CORRIE & CO LTD

Frenchmans Road

Petersfield, Hampshire GU32 3AP

Tel: 01730 237100

Fax: 01730 264915

email: fencing@jbcorrie.co.uk

INTRUSION DETECTION AND PERIMETER PROTECTION

OPTEX (EUROPE) LTD

Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre optic perimeter security solutions are owned by Optex.

Platinum House, Unit 32B Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ

Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311

Email: sales@optex-europe.com

www.optex-europe.com

LIFE SAFETY EQUIPMENT

C-TEC

Challenge Way, Martland Park,

Wigan WN5 0LD United Kingdom

Tel: +44 (0) 1942 322744

Fax: +44 (0) 1942 829867

Website: www.c-tec.com

PERIMETER SECURITY

TAKEX EUROPE LTD

Aviary Court, Wade Road, Basingstoke

Hampshire RG24 8PE

Tel: +44 (0) 1256 475555

Fax: +44 (0) 1256 466268

Email: sales@takex.com

Web: www.takex.com

PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB

INSIGHT SECURITY

Units 1 & 2 Cliffe Industrial Estate

Lewes, East Sussex BN8 6JL

Tel: 01273 475500

Email:info@insight-security.com

www.insight-security.com

SECURITY EQUIPMENT

PYRONIX LIMITED

Secure House, Braithwell Way, Hellaby,

Rotherham, South Yorkshire, S66 8QY.

Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042

www.facebook.com/Pyronix

www.linkedin.com/company/pyronix www.twitter.com/pyronix

INTRUDER AND FIRE PRODUCTS

CQR SECURITY

125 Pasture Road, Moreton, Wirral UK CH46 4TH

Tel: 0151 606 1000

Fax: 0151 606 1122

Email: andyw@cqr.co.uk

www.cqr.co.uk

SECURITY SYSTEMS

BOSCH SECURITY SYSTEMS LTD

PO Box 750, Uxbridge, Middlesex UB9 5ZJ

Tel: 0330 1239979

E-mail: uk.securitysystems@bosch.com

Web: uk.boschsecurity.com

INTRUDER ALARMS – DUAL SIGNALLING

CSL

Salamander Quay West, Park Lane

Harefield , Middlesex UB9 6NZ

T: +44 (0)1895 474 474

@CSLDualCom

www.csldual.com

SECURITY EQUIPMENT

CASTLE

Secure House, Braithwell Way, Hellaby,

Rotherham, South Yorkshire, S66 8QY

TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042

www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity

www.twitter.com/castlesecurity

INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS

RISCO GROUP

Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton,

Manchester, M24 2SS

Tel: 0161 655 5500 Fax: 0161 655 5501

Email: sales@riscogroup.co.uk

Web: www.riscogroup.com/uk

SECURITY PRODUCTS

EATON

Eaton is one of the world’s leading manufacturers of security equipment. Its Scantronic and Menvier product lines are suitable for all types of commercial and residential installations.

Tel: 01594 545 400 Email: securitysales@eaton.com

Web: www.uk.eaton.com Twitter: @securityTP

ONLINE SECURITY SUPERMARKET

EBUYELECTRICAL.COM

Lincoln House,

Malcolm Street

Derby DE23 8LT

Tel: 0871 208 1187

www.ebuyelectrical.com

SECURITY SYSTEMS

VICON INDUSTRIES LTD.

Brunel Way, Fareham

Hampshire, PO15 5TX

United Kingdom

www.vicon.com



Simple & Easy Installation

Integrated Security - Access Control

Inception is an integrated access control and security alarm system with a design edge that sets it apart from the pack.

Featuring built in web based software, the Inception system is simple to access using a web browser on a Computer, Tablet or Smartphone.

With a step by step commissioning guide and outstanding user interface, Inception is easy to install and very easy to operate.

For more information, visit www.innerrange.com/inception. There you will find installation guides and videos to help you get the most out of your Inception system.

Designed in Australia

Security Alarm

Access Control

Automation

No Software Required

Multiple Devices

Easy Setup with Checklist Prompting

Send IP Alarms via the Multipath-IP Network

Visit www.innerrange.com or call 0845 470 5000 for further information
