07.04.2017 Views

RiskUKApril2017

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

April 2017<br />

www.risk-uk.com<br />

Security and Fire Management<br />

Academic Endeavours<br />

Education Sector Safety and Security<br />

News Analysis: National Surveillance Camera Strategy<br />

PSIM Solutions: Procurement Advice for End Users<br />

UPS Systems: Evaluating The Balance of Power<br />

SABRE: Security Risk Management in Built Environments


“<br />

MY PASSION IS<br />

GETTING THE PERFECT<br />

WELD EVERY TIME<br />

”<br />

Phil Warman, Welder, 6 years with Jacksons<br />

OUR PASSION<br />

IS YOUR SECURITY<br />

We combine the highest<br />

quality perimeter security<br />

fencing and gates with seventy<br />

years of expertise to provide<br />

you with the right solution for<br />

your project, large or small.<br />

www.jacksons-fencing.co.uk<br />

Jacksons<br />

Fencing


April 2017<br />

Contents<br />

35 Smart About Access<br />

Jaroslav Barton describes the shift to NFC, Bluetooth Low Energy<br />

and advanced smart card technology<br />

ERM and ESRM in the Spotlight (pp20-21)<br />

5 Editorial Comment<br />

6 News Update<br />

Police Federation on Westminster terror attack. CREST global<br />

certification for BSI. Skills for Security accepted to join RoATP<br />

8 News Analysis: Surveillance Camera Strategy<br />

Brian Sims examines the main points contained within the<br />

National Surveillance Camera Strategy introduced by Tony Porter<br />

11 Opinion: ‘Security as a Service’<br />

By using ‘Security as a Service’, the customer gains access to a<br />

maintained and supervised solution. John Davies has the detail<br />

14 Opinion: SIA Stakeholder Conference 2017<br />

Peter Webster spoke at the 2017 SIA Stakeholder Conference,<br />

focusing on regulation, business licensing and the ACS<br />

17 BSIA Briefing<br />

James Kelly pinpoints the key considerations to be observed<br />

around security solutions management in the education sector<br />

20 ERM and ESRM: The Case for Convergence<br />

If Enterprise Risk Management and Enterprise Security Risk<br />

Management are here to stay, what does this mean for the<br />

future of risk management? Philip Strand offers his views<br />

22 Status Symbol: The CSyP Journey<br />

Peter Speight on Chartered Security Professional status<br />

24 PSIM: Only Fools Rush In...<br />

Stephen Smith outlines why end user buyers of PSIM solutions<br />

need to consider ongoing costs as well as the technology itself<br />

27 The ‘Insider’ Threat<br />

Emma Shaw plots a route forward for today’s organisations<br />

seeking to employ technical surveillance countermeasures<br />

30 An Education on Ransomware<br />

Defeating the spectre of ransomware is so important in the<br />

education sector. Wieland Age highlights Best Practice methods<br />

32 Security By The Book<br />

Peter Jackson documents physical security solutions for schools<br />

38 Building Blocks of Risk Management<br />

Several issues must be factored-in by construction sector<br />

businesses when addressing the delicate calculation between<br />

risk and reward. Carl Ghinn investigates<br />

40 Intelligent Prevention is the Future<br />

HD IP-based surveillance systems reviewed by Tristan Haage<br />

42 Evaluating The Balance of Power<br />

Leo Craig focuses on UPS solutions in the manufacturing sector<br />

45 SABRE: Security in the Built Environment<br />

Gavin Jones shines the spotlight on SABRE, a new security risk<br />

management standard specifically for the built environment<br />

48 The Security Institute’s View<br />

50 In The Spotlight: ASIS International UK Chapter<br />

52 FIA Technical Briefing<br />

54 Security Services: Best Practice Casebook<br />

56 Cyber: Mitigating Open Source Software Risks<br />

58 Training and Career Development<br />

60 Risk in Action<br />

62 Technology in Focus<br />

65 Appointments<br />

The latest people moves in the security and fire business sectors<br />

68 The Risk UK Directory<br />

ISSN 1740-3480<br />

Risk UK is published monthly by Pro-Activ Publications<br />

Ltd and specifically aimed at security and risk<br />

management, loss prevention, business continuity and<br />

fire safety professionals operating within the UK’s largest<br />

commercial organisations<br />

© Pro-Activ Publications Ltd 2017<br />

All rights reserved. No part of this publication may be<br />

reproduced or transmitted in any form or by any means<br />

electronic or mechanical (including photocopying, recording<br />

or any information storage and retrieval system) without the<br />

prior written permission of the publisher<br />

The views expressed in Risk UK are not necessarily those of<br />

the publisher<br />

Risk UK is currently available for an annual subscription rate of<br />

£78.00 (UK only)<br />

www.risk-uk.com<br />

Risk UK<br />

PO Box 332<br />

Dartford DA1 9FF<br />

Editor Brian Sims BA (Hons) Hon FSyI<br />

Tel: 0208 295 8304 Mob: 07500 606013<br />

e-mail: brian.sims@risk-uk.com<br />

Design and Production Matt Jarvis<br />

Tel: 0208 295 8310 Fax: 0870 429 2015<br />

e-mail: matt.jarvis@proactivpubs.co.uk<br />

Advertisement Director Paul Amura<br />

Tel: 0208 295 8307 Fax: 01322 292295<br />

e-mail: paul.amura@proactivpubs.co.uk<br />

Administration Tracey Beale<br />

Tel: 0208 295 8306 Fax: 01322 292295<br />

e-mail: tracey.beale@proactivpubs.co.uk<br />

Managing Director Mark Quittenton<br />

Chairman Larry O’Leary<br />

Editorial: 0208 295 8304<br />

Advertising: 0208 295 8307<br />

3<br />

www.risk-uk.com


Now you see me. Now you don’t.<br />

Actual size<br />

The smallest wireless contact we’ve ever made.<br />

The Micro Contact-W is so small it fits within most uPVC window frames, providing invisible but powerful protection. And at a<br />

diminutive 57mm x 27.5mm x 8.2mm in size, the Micro Contact-W all but disappears, even in plain sight.<br />

Outstanding features include:<br />

• Small size<br />

• Cost effective<br />

• 4 Year typical battery life<br />

• Three colour options<br />

• LED assisted setup procedure<br />

• EN 50131-2-6 Grade 2<br />

Visit us:<br />

Stand G1200


Editorial Comment<br />

Don’t just stop at the front door<br />

The Micro Contact-W can be used to protect almost<br />

anything, including doors, windows, drawers and<br />

cupboards - the list is endless!<br />

Internal door<br />

Patio door<br />

Window frame<br />

Bedside drawer<br />

An Eye on ID<br />

Cifas, the UK’s leading fraud prevention service, has issued<br />

new figures showing that identity fraud has hit the highest<br />

levels ever recorded. A record 172,919 episodes of such<br />

fraud were noted in 2016. Identity fraud now represents over half<br />

of all fraud chronicled by the UK’s not-for-profit fraud data<br />

sharing organisation, of which 88% was perpetrated online.<br />

In recent years, Cifas has been informed of growing numbers<br />

of young people falling victim to ID fraud. That upward trend<br />

continued last year with almost 25,000 victims aged under 30. In<br />

particular, there has been a 34% increase in the number of under<br />

21s subjected to ID fraud. On that basis, Cifas is again calling for<br />

better education around fraud and financial crime and urging<br />

youngsters to be vigilant about protecting their personal data.<br />

2016 also saw a rise in the number of ID fraud victims aged<br />

over 40, with 1,869 more victims recorded by Cifas members.<br />

Mike Haley, deputy CEO at Cifas, explained: “These new<br />

figures show that identity fraud continues to be the foremost<br />

fraud threat. With nine out of ten identity frauds committed<br />

online and all age groups presently at risk, we’re urging everyone<br />

to make it more difficult for the fraudsters to abuse individual<br />

identities. There are three simple steps that anyone can take to<br />

protect themselves: use strong passwords, download software<br />

updates when prompted to do so and avoid the use of public Wi-<br />

Fi for banking and online shopping.”<br />

Haley continued: “We all remember to safeguard our valued<br />

possessions through locking our house or car, but we don’t<br />

always take the same care to protect our most important asset –<br />

our identities. We all need to assume responsibility for securing<br />

our mail boxes, shredding documents like bank statements and<br />

utility bills and taking sensible precautions online. If not, we’re<br />

simply making ourselves a target for the identity fraudsters.”<br />

Commander Chris Greany, national co-ordinator for economic<br />

crime, commented: “These latest Cifas figures demonstrate how<br />

we all need to be alert to preventing identity theft now more<br />

than ever before. We do everything we can in order to stop the<br />

identity thieves in the fight against fraud, but it must be said<br />

that the key to success is both prevention and protection.”<br />

With instances of identity fraud set to rise, businesses and<br />

consumers alike simply must take action to address this<br />

damaging issue. Financial services companies should strengthen<br />

the security systems they have in place and the way in which<br />

they verify identities, and especially so for online transactions.<br />

Businesses need to invest in biometric processes designed to<br />

validate identities, at the same time implementing multi-layer<br />

approaches that challenge fraudsters’ attempts to compromise<br />

systems. “Myriad consumers are embracing biometrics in their<br />

everyday lives, for example by using them to access their smart<br />

phones,” observed John Marsden, head of identity and fraud at<br />

Equifax. “Financial services companies can maximise such<br />

technology to protect their customers and their businesses.”<br />

Certainly, the worrying knowledge gap exhibited by too many<br />

consumers when determining safe places in which to share their<br />

personal information must be plugged sooner rather than later.<br />

Brian Sims BA (Hons) Hon FSyI<br />

Editor<br />

www.texe.com<br />

Sales: +44 (0)1706 220460<br />

December 2012<br />

5<br />

www.risk-uk.com


“Right resources needed in wake of London<br />

terror attack” urges Police Federation<br />

The horrific terrorist attack in Westminster that<br />

claimed several innocent lives, including that of<br />

PC Keith Palmer, has reinforced the need for a<br />

police service with the right resources and<br />

support in place to continue “running towards<br />

danger”. That’s the firm belief of Steve White<br />

(pictured), chairman of the Police Federation of<br />

England and Wales, who took part in a BBC<br />

Panorama Special on Monday 27 March.<br />

Wednesday 22 March witnessed the UK<br />

Parliament and innocent citizens coming under<br />

attack in the most serious terror incident in the<br />

country for over a decade. Speaking to<br />

witnesses and the injured to compile the<br />

programme, BBC Panorama reporters pieced<br />

together what happened during the episode.<br />

The programme also examined the life of 52<br />

year-old attacker Khalid Masood, asking what<br />

motivated him to carry out this fatal strike in<br />

the heart of London, whereby he drove a car<br />

into pedestrians on the pavement along the<br />

south side of Westminster Bridge and Bridge<br />

Street, injuring more than 50 people.<br />

After the car crashed into the perimeter fence<br />

of the Palace grounds, Masood abandoned it<br />

and ran into New Palace Yard where he fatally<br />

stabbed PC Palmer. Masood was then shot by<br />

an armed police officer and died at the scene.<br />

“There are bound to be questions as to<br />

whether things would have been different if<br />

more officers were armed and if PC Palmer had<br />

possessed a firearm,” suggested White. “It’s<br />

entirely likely that we’ll never have a clear<br />

answer. What’s important is that there are many<br />

tactical options to mitigate threats that we need<br />

to consider.”<br />

White continued: “We have to police the<br />

threats that we currently face. For their part,<br />

MPs must take the advice of professionals in<br />

the police service on what we can do and how<br />

we can best do it. We no longer live in a world<br />

of traditional unarmed British bobbies walking<br />

the streets meaning that all will be well.”<br />

These points build on a comment piece by<br />

White which was published in the pages of The<br />

Sunday Express following the London attack. In<br />

the article, White outlines his fears that such an<br />

incident will happen again, but is clear that the<br />

police service will continue to rise to the<br />

challenge. White also touches on the need for<br />

members of the public to ensure that “what<br />

they want and what they demand from their<br />

police service is achievable.”<br />

Chief constable Sara Thornton, chair of the<br />

National Police Chiefs’ Council, said: “We’re<br />

deeply saddened by the horrific events that<br />

took place in London. Our thoughts and<br />

condolences are with the families and friends of<br />

the victims and all those injured and affected.<br />

We’re devastated by the loss of our brave<br />

colleague PC Keith Palmer as he went about his<br />

duties. Now and always, we stand together.”<br />

BSI enhances international capabilities with CREST global accreditation<br />

BSI, the business standards company, has boosted its newly-created cyber security and information<br />

resilience business stream with global membership of CREST, the organisation that spearheads the<br />

highest possible levels of security testing standards. In achieving this status, BSI now joins an elite<br />

group of seven organisations* who can offer myriad clients across the EMEA, the Americas, Asia<br />

and Australasia the heavyweight assurances synonymous with CREST.<br />

BSI has also consolidated its CREST-accredited services with recently acquired CREST member<br />

companies Espion and Info-Assure. Indeed, the business now offers CREST Penetration Testing,<br />

CREST Incident Response Services, CREST START (Simulated Targeted Attack and Response Testing)<br />

and Cyber Essentials.<br />

CREST membership is an important validation of the BSI’s cyber security testing and incident<br />

response capabilities. All member companies undergo stringent assessments of business<br />

processes, data security and security testing as well as incident response methodologies.<br />

Accreditation is very robust and a challenge to attain, in turn demonstrating complete assurances<br />

of processes and procedures.<br />

BSI is a strong proponent of CREST and its role in professionalising the technical security<br />

industry, as well as its efforts to advance the wider information security community through recent<br />

openings of international chapters in Singapore, Hong Kong and the USA. This approach has also<br />

garnered support from international regulators.<br />

*The seven CREST members with global accreditation are Cisco, Context Information Security,<br />

Deloitte Touche Tomatsu, Gotham Digital Science, the NCC Group, PwC and Trustwave SpiderLabs<br />

6<br />

www.risk-uk.com


News Update<br />

National Security Inspectorate<br />

re-appointed by Regulator as ACS<br />

assessment body<br />

Subject to contract, from 1 April 2017 the<br />

National Security Inspectorate (NSI) has been<br />

re-appointed as an assessing body for the<br />

Security Industry Authority’s (SIA) Approved<br />

Contractor Scheme (ACS) and as a provider of<br />

a ‘Passport’ route to ACS compliance. As of<br />

that date, the NSI (led by CEO Richard Jenkins,<br />

pictured) will be offering even more choice for<br />

guarding services companies in terms of how<br />

they can obtain and maintain ACS approval.<br />

The NSI provides assessment services to the<br />

widest variety of guarding services providers,<br />

ranging from small and local specialist<br />

operators through to many of the largest<br />

national operators. Most have chosen to hold<br />

NSI Guarding Gold with an integrated NSI<br />

‘Passport’ to ACS approval.<br />

This provides a cost-effective solution for<br />

businesses wanting to demonstrate both<br />

commitment to the holistic values embodied<br />

within the Regulator’s ACS and the rigour of<br />

comprehensive compliance with British<br />

Standards and the ISO 9001 standard for<br />

Quality Management Systems.<br />

The NSI ‘Passport’ route to ACS approval<br />

also provides cost benefits in holding multiple<br />

approvals with the NSI.<br />

A popular arrangement among typically<br />

more regional providers is to appoint the NSI<br />

to conduct assessments as part of the ACS<br />

standard route approval. Now, the NSI is<br />

offering these companies a new ‘middle way’:<br />

NSI Guarding Silver with the NSI’s ‘Passport’<br />

to ACS. This means companies can now<br />

‘upgrade’ to an NSI Guarding Silver approval<br />

with a ‘Passport’ to ACS approval,<br />

demonstrating full compliance with British<br />

Standards over and above the standard ACS<br />

without necessarily seeking approval to ISO<br />

9001 at the same time. This will prove a<br />

valuable and cost-effective stepping stone for<br />

companies wanting to differentiate themselves<br />

from the ‘Standard’ route to ACS approval and<br />

afford end user buyers additional confidence<br />

in their service providers’ ‘commitment to<br />

compliance’ with British Standards.<br />

Margaret Durr, the NSI’s head of field<br />

operations (services), commented: “Our team<br />

of auditors harbours industry expertise across<br />

a broad range of areas including security<br />

guarding, close protection, key holding, CCTV,<br />

door supervision, event security and<br />

investigative services. Feedback from our<br />

clients is testament to the added value<br />

independent assessment can bring to an<br />

organisation. The ultimate winners are<br />

security buyers and their staff, visitors and,<br />

indeed, members of the general public.”<br />

Skills for Security earns ‘trusted<br />

training provider’ status from<br />

Government with RoATP acceptance<br />

Skills for Security, the sector skills body for<br />

the private security business sector, has been<br />

accepted by the Skills Funding Agency’s<br />

Register of Apprenticeship Training Providers<br />

(RoATP), meaning that the organisation has<br />

now qualified for Government funding to<br />

deliver apprenticeships from May this year.<br />

Passing all elements of the application,<br />

including due diligence checks on compliance,<br />

quality and financial health, Skills for Security<br />

has fully satisfied the Skills Funding Agency<br />

that the organisation is capable of delivering<br />

high-quality apprenticeship training.<br />

Under the Government’s new apprenticeship<br />

policy, training providers must be on the<br />

RoATP to be eligible to deliver training – either<br />

directly or as a sub-contractor – to large,<br />

Apprenticeship Levy-paying employers. Out of<br />

2,327 applications, a total of 1,708 providers<br />

(73%) have made the grade, with the full list<br />

of providers published by the Department for<br />

Education on Tuesday 14 March.<br />

Speaking about this development, Peter<br />

Sherry (pictured), interim director general at<br />

Skills for Security, stated: “I’m absolutely<br />

delighted that Skills for Security has been<br />

accepted on to the RoATP, giving employers in<br />

the security sector the confidence that we, as<br />

the sector skills body for the industry, can<br />

provide them with trusted support and<br />

expertise in equipping the workforce of<br />

tomorrow with a solid educational foundation<br />

through a carefully considered system of<br />

training, assessment and qualifications.”<br />

The Government’s apprenticeship reforms<br />

aim to support an increase in the quality and<br />

quantity of apprenticeships, subsequently<br />

enabling a greater number of individuals to<br />

pursue a successful career. There will be<br />

regular opportunities for new providers to<br />

apply to the RoATP, with the chance for new<br />

applications at the end of March and quarterly<br />

thereafter encouraging diversity and<br />

competition among providers and supporting<br />

both quality and employer choice.<br />

The RoATP is a crucial milestone in<br />

delivering the Government’s wider reforms<br />

designed to make apprenticeships more<br />

rigorous, better structured, independently<br />

assessed and more clearly aligned with the<br />

needs of employers. Those reforms include the<br />

introduction of the new Apprenticeship Levy.<br />

7<br />

www.risk-uk.com


Home Office Commissioner introduces<br />

National Surveillance Camera Strategy<br />

Following on from a<br />

detailed consultation<br />

process that began<br />

last October, Tony<br />

Porter QPM LLB – the<br />

Surveillance Camera<br />

Commissioner at the<br />

Home Office – has<br />

launched a National<br />

Surveillance Camera<br />

Strategy for England<br />

and Wales with the<br />

specific aim of helping<br />

to keep people safe in<br />

public places while<br />

also respecting their<br />

right to privacy.<br />

Brian Sims examines<br />

the fine detail<br />

The 27-page strategy document aims to<br />

provide direction and leadership within and<br />

across the surveillance camera community,<br />

in turn enabling system operators to<br />

understand good and Best Practice as well as<br />

their legal obligations (such as those contained<br />

within the Protection of Freedoms Act, the Data<br />

Protection Act and the Private Security Industry<br />

Act 2001).<br />

It’s the Surveillance Camera Commissioner’s<br />

strategic vision to ensure members of the<br />

public are assured that any use of surveillance<br />

camera systems in a public place helps to<br />

protect them and keep them safe, while at the<br />

same time always respecting the individual’s<br />

right to privacy. That assurance is based upon<br />

deployment which is proportionate to a<br />

legitimate purpose, so too transparency<br />

demonstrating compliance with Best Practice<br />

and relevant legal obligations.<br />

The National Surveillance Camera Strategy<br />

aligns closely with the Home Office’s own key<br />

responsibilities to keep the UK safe from the<br />

threat of terrorism, reduce and prevent crime<br />

and criminality and ensure that people feel safe<br />

in both their homes and communities.<br />

The new strategy provides the Commissioner<br />

with a robust and transparent framework to<br />

fulfil his statutory functions as set out in the<br />

Protection of Freedoms Act, and also<br />

subsequently inform and underpin his Annual<br />

Report to the Home Secretary Amber Rudd.<br />

Speaking about the new National<br />

Surveillance Camera Strategy, Surveillance<br />

Camera Commissioner Tony Porter explained:<br />

“After much hard work, I’m delighted to be able<br />

to launch this strategy document. It’s a strategy<br />

that’s far-reaching, touching on many areas of<br />

surveillance camera use by the police service<br />

and local authorities, installers and<br />

manufacturers as well as training providers and<br />

regulators and, of course, how the use of<br />

surveillance cameras impacts members of the<br />

public on a daily basis.”<br />

Porter went on to state: “The responses to<br />

the consultation on the draft show that this<br />

strategy is extremely well supported, as do the<br />

number of organisations that have written to<br />

affirm their support. I look forward to delivering<br />

on this strategy for the next three years,<br />

ensuring that, where surveillance cameras are<br />

used, they keep people safe while protecting<br />

their right to privacy.”<br />

Endorsement from the BSIA<br />

Endorsing the National Surveillance Camera<br />

Strategy, James Kelly (CEO at the British<br />

Security Industry Association) explained: “The<br />

strategy is a very worthy and successful<br />

attempt to draw together multiple stakeholders<br />

from across what is certainly a diverse and<br />

critically important sector. The BSIA is proud to<br />

have been a contributor to the Commissioner’s<br />

efforts at providing direction and leadership on<br />

the appropriate use of such systems to secure<br />

the protection of our communities, while also<br />

safeguarding individuals’ right to privacy. I’m<br />

delighted to endorse the strategy and will<br />

continue to support the Surveillance Camera<br />

Commissioner’s work on standards and Best<br />

Practice in what’s undoubtedly a vital part of<br />

the UK’s economy.”<br />

To support the achievement of the<br />

Commissioner’s vision, eleven high-level<br />

objectives are outlined within the strategy, each<br />

of them to be led by an expert.<br />

Simon Adcock, chairman of the BSIA’s CCTV<br />

Section and lead on the industry strand of the<br />

National Surveillance Camera Strategy for<br />

England and Wales, commented: “The work of<br />

the industry strand of the strategy is focused<br />

on educating buyers around what to expect<br />

from a knowledgeable and professional service<br />

provider as well as providing practical guidance<br />

to help them comply with the Surveillance<br />

Camera Code of Practice. Ultimately, we’re<br />

aiming to establish and promote a set of<br />

8<br />

www.risk-uk.com


News Analysis: National Surveillance Camera Strategy<br />

guidelines to ensure that buyers can rely on<br />

their service providers for good practice.”<br />

Adcock went on to state: “Over the coming<br />

months, the industry strand will be defining<br />

what we mean by good practice. This will be<br />

centred around ensuring that there’s an<br />

Operational Requirement in place and that the<br />

resulting system meets agreed objectives. Our<br />

end-game is to ensure that anyone providing<br />

professional video surveillance services will, as<br />

a bare minimum standard, meet these good<br />

practice guidelines.”<br />

Adcock also commented: “The National<br />

Surveillance Camera Strategy for England and<br />

Wales represents an opportunity for the<br />

industry to assure members of the public that<br />

video surveillance systems are being used in<br />

public spaces on a legitimate basis, responsibly<br />

and transparently in order to keep them safe.<br />

The strategy document is fully supported by<br />

members of the BSIA’s CCTV Section and we<br />

very much look forward to seeing its content<br />

being delivered through to 2020.”<br />

NHS Foundation Trust certification<br />

Barnsley Hospital NHS Foundation Trust had<br />

been considering applying for the Surveillance<br />

Camera Commissioner’s third party certification<br />

scheme, but it wasn’t until Mike Lees (the<br />

Trust’s head of business security) heard Tony<br />

Porter speaking at a conference that the<br />

decision was taken to ‘go for it’.<br />

Lees stated: “Although we had been<br />

considering applying for some time, the turning<br />

point followed an excellent presentation by the<br />

Surveillance Camera Commissioner to NHS<br />

security managers late last year. This<br />

presentation clearly outlined the advantages to<br />

NHS organisations of following a process and<br />

how we could demonstrate the rationale of<br />

surveillance use.”<br />

Certification enables organisations to clearly<br />

demonstrate that they comply with the<br />

Surveillance Camera Code of Practice. For<br />

relevant authorities – such as local authorities<br />

and police forces – this is particularly important<br />

as they must show due regard to the Code. For<br />

other organisations, such as NHS Trusts,<br />

following the Code is a voluntary decision.<br />

The certification process provides assurances<br />

to hospital users and staff alike that<br />

surveillance cameras are deployed effectively,<br />

efficiently and proportionately. It also ensures<br />

that NHS Trusts are transparent about why they<br />

use cameras and where they’re sited.<br />

For its part, Barnsley Hospital NHS<br />

Foundation Trust approached the Security<br />

Systems and Alarms Inspection Board (SSAIB)<br />

and subsequently achieved Step 1 certification.<br />

“Responses to the consultation on the draft show that this<br />

strategy is extremely well supported, as do the number of<br />

organisations that have written to affirm their support”<br />

This involves completing the Surveillance<br />

Camera Commissioner’s self-assessment tool<br />

and then submitting the form to one of the<br />

certification bodies. The completed form and<br />

documents are then audited by the certification<br />

body who may contact the end user<br />

organisation for more information before<br />

recommending it to the Commissioner to award<br />

his certification mark which can then be used<br />

for the ensuing 12 months.<br />

Lees added: “The certification process was<br />

certainly challenging, but also very worthwhile.<br />

It allowed us to critically review the reasons for<br />

surveillance and scope these against our<br />

existing policies and procedures.”<br />

Accessible and affordable<br />

Certification is simple, accessible and<br />

affordable. There are currently three security<br />

industry certification bodies qualified to audit<br />

against the Code of Practice – the SSAIB, the<br />

National Security Inspectorate and IQ Verify.<br />

Barnsley Hospital NHS Foundation Trust is<br />

preparing its application for Step 2 certification,<br />

which involves a full site visit and audit. If<br />

successfully awarded the certification mark, the<br />

Trust can use this for a period of five years.<br />

Lees concluded: “Our application for Step 2<br />

certification is indeed already in motion. The<br />

Trust will be applying well in advance of the 12-<br />

month period that’s covered by Step 1. I would<br />

recommend any NHS Trust using surveillance<br />

cameras to apply for the mark.”<br />

The surveillance camera sector is substantial<br />

and an industry that will continue to grow. In<br />

2015, there was a £2,120 million turnover in the<br />

UK for video and CCTV surveillance equipment.<br />

The most recent estimates suggest that there<br />

are anywhere between four and six million<br />

CCTV cameras in the UK. That figure doesn’t<br />

include body-worn video cameras, Automatic<br />

Number Plate Recognition cameras or<br />

Unmanned Aerial Vehicles (ie drones).<br />

Approximately 85% of local authorities have<br />

shown due regard for the Code of Practice by<br />

completing the Commissioner’s selfassessment<br />

tool in respect of their main CCTV<br />

scheme (typically their town centre scheme).<br />

54% of local authorities in the UK have<br />

equipped some staff or contractors with bodyworn<br />

video cameras. Transport for London and<br />

Marks and Spencer have already adopted the<br />

Code of Practice on a voluntary basis.<br />

Tony Porter QPM LLB:<br />

Surveillance Camera<br />

Commissioner at the Home<br />

Office<br />

Simon Adcock: Chairman of the<br />

BSIA’s CCTV Section<br />

9<br />

www.risk-uk.com


FOCUS<br />

ON… protecting<br />

people,<br />

premises and profits.<br />

Our security solutions do much more than protect<br />

your manufacturing premises. With AXIS Camera Station<br />

software, you can manage your system remotely and even<br />

add smart features such as audio communication, access<br />

control and analytics. And that’s just a start. It’s all designed<br />

for simple set-up to make your job easier, so you can focus<br />

on productivity.<br />

Choose an Axis recorder pre-installed with<br />

AXIS Camera Station. Discover more at<br />

www.axis.com/products/video-recorders


Opinion: Physical Security as a Service<br />

The ongoing shift in consumer focus may<br />

feel a little surprising at first as the security<br />

industry – much like any other technology<br />

sector – has concentrated on ‘shifting boxes’ for<br />

quite a long time now. This was especially the<br />

case when proprietary systems were the norm.<br />

If an end user wanted more services, they<br />

bought a new product. From a basic sales point<br />

of view, this was both simple and economic for<br />

manufacturers and installers alike.<br />

However, a determined move towards<br />

integrated and open technology has<br />

transformed the way in which security<br />

consumers now view their purchase. It’s no<br />

surprise as this has proven to be the case with<br />

any form of consumer technology. When the<br />

option to source from different providers<br />

increases, so too does customer choice and<br />

interest in the physical product becomes<br />

eclipsed by the overall solution realised.<br />

This is certainly evident with smart devices<br />

and IT. Cloud services have put the onus on<br />

what the result looks like, with the device the<br />

user chooses losing much of its significance.<br />

We’re also starting to see this in areas that<br />

nobody would have predicted in the past, such<br />

as the automotive industry, for example.<br />

People in big cities don’t want the expense<br />

and hassle of owning – and parking – their own<br />

cars anymore. Unless you use your car every<br />

day, it makes more sense to rent one by the day<br />

or week specifically for those moments when<br />

you need to venture beyond the confines of<br />

public transport. For some, at least, the<br />

automobile has become a service item with the<br />

end result – ie a specific journey – assuming a<br />

greater importance than the type and<br />

specification of the vehicle being used.<br />

Service without stress<br />

At the crux of all this is the demand from<br />

consumers to identify the service need and for<br />

suppliers to provide the easiest and most costeffective<br />

solution.<br />

Equally, when it comes to specifying a<br />

security solution, the operator doesn’t<br />

necessarily want to know the full details of<br />

what’s going on ‘under the bonnet’. Rather,<br />

they’re more concerned that it ‘does the job’.<br />

Any sensible security buyer – ie the<br />

practising security or risk management<br />

professional – will be focused on their specific<br />

security requirements and the business drivers<br />

that need to be addressed (such as the<br />

protection of buildings, assets, data and<br />

employee safety) and that the chosen solution<br />

suits their budget. This is actually where<br />

service becomes key. For their part, customers<br />

need an expert on hand capable of addressing<br />

All Part of the (Physical<br />

Security) Service<br />

There are signs that the way in which we all buy our products<br />

and services is changing. The concept of buying and owning<br />

a service product is increasingly looking antiquated, as<br />

consumers focus more and more on the outcomes rather than<br />

the tools needed to achieve them. As the physical security<br />

industry becomes more integrated and offers true open<br />

systems, John Davies suggests there’s every reason to<br />

assume our sector will follow this trend<br />

their requirements with all of these parameters<br />

firmly in mind, and with a view to removing the<br />

stress of finding ‘the right product(s)’.<br />

In the past, specifying and using an<br />

unsuitable solution could be difficult at best,<br />

and potentially disastrous at worst. From an<br />

economic point of view, it’s also a challenge to<br />

finance a big install then try to accumulate<br />

resources again for the upgrade when the<br />

incumbent solution has reached its ‘end-of-life’.<br />

It’s far more sensible to moderate the costs<br />

of security investments by paying a monthly or<br />

annual fee that’s predictable and for which a<br />

budgeted sum may be readily set aside. This is<br />

where buying ‘Security Assurance as a Service’<br />

makes complete sense.<br />

Benefits for customers<br />

While the idea of procuring and servicing<br />

physical security on a subscription basis may<br />

seem groundbreaking and will undoubtedly<br />

involve a change of mindset for many<br />

traditional security buyers, there are some very<br />

John Davies:<br />

Managing Director of TDSi<br />

11<br />

www.risk-uk.com


Opinion: Physical Security as a Service<br />

persuasive and practical benefits to be realised<br />

for the customer in doing so.<br />

As the solution isn’t purchased outright,<br />

there’s no need to find a large capital outlay in<br />

one lump sum. At the same time, this capital<br />

can either be invested in a subscription for a<br />

more comprehensive security system or<br />

otherwise accumulated as a saving on the<br />

overall security budget.<br />

With a service-style approach, the<br />

installation and servicing costs are built into<br />

the overall fee, so there will be no unexpected<br />

bills for the business in the event of any issues<br />

or repairs. This is very similar to the benefits of<br />

renting a building or a fleet car, for example,<br />

whereby any maintenance costs become the<br />

concern of the lease company.<br />

Equally, by leasing the security solution, the<br />

end user customer gains instant access to<br />

greater technical expertise and support (for no<br />

extra cost), compared to maintaining these<br />

systems for themselves. This is particularly<br />

appealing when it comes to security systems,<br />

where the integrity – and, therefore, the level of<br />

protection – is of paramount importance. It’s<br />

also very helpful when it comes to integrating<br />

new security components or expanding the<br />

capabilities of the overall security network.<br />

End-of-life stage<br />

The benefits for the customer continue when<br />

the system reaches its end-of-life stage. The<br />

security service provider deals with the<br />

upgrade needs, along with the removal of the<br />

old equipment and installation of any new<br />

systems where required. This also affords a<br />

natural break in the lease, such that the<br />

customer can reassess the host business’<br />

security needs and make upgrades or continue<br />

with the same service levels as before, but with<br />

the attendant benefits of the latest solutions.<br />

Ultimately, by using ‘Security as a Service’,<br />

the customer gains access to a constantly<br />

maintained and supervised solution. This is a<br />

great way in which to ensure that a stable and<br />

reliable security service is realised on a<br />

24/7/365 basis, as well as throughout the<br />

lifespan of the system(s) being used.<br />

When an organisation purchases its own<br />

systems (and, as a consequence, often ends up<br />

using older systems, perhaps due to budgetary<br />

constraints) it can be a real challenge to ensure<br />

safety levels are maintained. It’s a pressure<br />

which most of today’s businesses would be<br />

only too happy to avoid.<br />

Opportunities for solution providers<br />

There are considerable benefits for security<br />

providers, too, both for manufacturers and<br />

installers. Rather than ‘shifting boxes’ (which<br />

any salesperson will tell you is an approach<br />

that can have considerable peaks and troughs),<br />

a move towards complete service solutions<br />

offers a far more stable business model. Rather<br />

than having to win new business with every<br />

product, it becomes possible to sell ongoing<br />

services for a set period.<br />

It’s my own fervent belief that the whole<br />

business model for the security industry will<br />

change and adapt itself to reflect this approach<br />

over the next five-to-ten years. Manufacturers<br />

are already cognisant of the change in<br />

customer expectations and are gearing up to<br />

meet this demand.<br />

The service or leasing approach has become<br />

entrenched in other industries and represents a<br />

firm indication of what’s to come in the<br />

professional security spectrum.<br />

If you look at the airline industry, it has<br />

embraced this model of supply because it<br />

makes sound economic sense for both the<br />

customer and the supplier. Whole aircraft and<br />

even individual key components – such as<br />

engines or seating – can be leased by the<br />

airlines. This yields much greater flexibility, but<br />

also means that the airlines (as consumerfacing<br />

businesses) can have the peace of mind<br />

needed to concentrate fully on providing the<br />

services their customers demand.<br />

The manufacturer and partners provide<br />

assurances and guarantees of service time for<br />

aircraft engines, then deal with servicing and<br />

the technical maintenance to ensure this is<br />

delivered. This model works just as well for the<br />

provision of security systems.<br />

We’ve now reached a point in time where<br />

there are major opportunities on the horizon for<br />

the security business sector, but this inevitably<br />

means that manufacturers and installers will<br />

need to shift their focus and perhaps realign<br />

their business model.<br />

Ultimately, we can begin to concentrate on<br />

developing the right systems for the market<br />

and be assured that our end user customers<br />

will be looking for the kind of support we’re<br />

ideally placed to deliver.<br />

“Ultimately, by using ‘Security as a Service’, the customer gains access<br />

to a constantly maintained and supervised solution. This is a great way in<br />

which to ensure that a stable and reliable security service is realised”<br />

12<br />

www.risk-uk.com


Always a suitable solution<br />

with the DIVAR hybrid<br />

and network recorders<br />

At Bosch, we believe that video surveillance solutions should be as easy to<br />

install as they are to use. It’s the thinking behind our completely new portfolio<br />

of DIVAR hybrid and network recording solutions. Specifically designed for<br />

24/7 operation, they offer the ability to create video surveillance solutions<br />

with professional security features. Solutions that can be tailored to fit the<br />

growing needs of small and medium businesses.<br />

boschsecurity.com


SIA Regulation, Business Licensing and<br />

the ACS: A Personal Perspective<br />

Tuesday 14 March<br />

witnessed the 2017<br />

edition of the Security<br />

Industry Authority’s<br />

(SIA) annual<br />

Stakeholder<br />

Conference, which ran<br />

at the Hallam<br />

Conference Centre in<br />

central London. A<br />

reflection of the<br />

partnership working<br />

theme for the day, the<br />

confirmed speakers<br />

emanated from<br />

academia, the police<br />

service and the NHS.<br />

Representing the<br />

private security<br />

industry, Peter<br />

Webster aired his<br />

views and now shares<br />

them with the readers<br />

of Risk UK<br />

The SIA’s Stakeholder Conference allowed<br />

me to share my perspectives on licensing<br />

and regulation with members of the<br />

audience. As regular readers of the Security’s<br />

VERTEX Voice section in Risk UK will know, this<br />

is a subject close to my heart. On that basis, I<br />

thought it would be useful to share with you<br />

the crux of my presentation as well as some of<br />

the reactions to it.<br />

First of all, let me begin by stating that I fully<br />

support regulation. As an industry trusted to<br />

keep people and property safe, we want to be<br />

regulated and, indeed, I’ve never met anyone<br />

who has advocated deregulation.<br />

I’m also particularly supportive of the current<br />

system of individual licensing, as administered<br />

by the SIA. An SIA licence gives an individual a<br />

passport to employment, meaning that he or<br />

she can work anywhere in our industry. This is<br />

undoubtedly a good thing for both employees<br />

and employers. While it gives individuals<br />

freedom to work across our industry, when<br />

someone comes to us with a licence we know<br />

they’ve been vetted and trained to a basic<br />

standard and checked by the SIA.<br />

If I’m to be critical of the current system,<br />

however, it is that it isn’t publicised enough.<br />

The wider public needs to understand that the<br />

SIA exists and affords a licensing framework for<br />

the industry. When I say ‘the public’, I include<br />

those who purchase and use security services<br />

in this realm, as well as the wider public.<br />

Indeed, I fear that the wider public has a<br />

stereotypical image of a security officer, fed by<br />

portrayals in the national media and fictional<br />

drama, as an unhelpful ‘jobsworth’ or a lazy<br />

and disinterested individual. This does a great<br />

disservice to the more than 300,000 people<br />

who work in our industry, who are licensed and<br />

serious about the job that they do. As it is, the<br />

negative perception of security in society<br />

reflects on our people and creates a downward<br />

spiral of low self-worth, which invites lower<br />

standards and impacts on professionalism.<br />

We need to flip this spiral around and build<br />

pride in our industry and the work that security<br />

officers do. Awareness of individual licensing is<br />

key to this. With the police service facing<br />

financial pressures, the security industry is<br />

beginning to play an increasingly important role<br />

in safeguarding critical infrastructure. If the<br />

public understood the process of licensing and<br />

regulation, I’m certain there would be more<br />

respect for the industry and its crucial role.<br />

Spectre of business licensing<br />

I’m strongly against business licensing, the<br />

spectre of which continues to loom large over<br />

the industry. While some regulation is good,<br />

there’s no justification for increased and<br />

unnecessary regulation. The last 30 years have<br />

seen business and Government trying to<br />

deregulate wherever practical and possible.<br />

Business licensing goes against that trend.<br />

Fundamentally, business licensing will create<br />

a greater burden on business, and at additional<br />

cost, for what is an already financially<br />

challenged industry. Preparing for my<br />

presentation last month, I discovered once<br />

again a chart from 2015 in which the SIA<br />

showed the administrative burden moving<br />

towards businesses and away from the<br />

Regulator. Furthermore, that chart highlights a<br />

decline in overall regulatory responsibility for<br />

the SIA as it transfers responsibilities to<br />

industry. Is this really what we want?<br />

I find it hard to believe that business<br />

licensing will even stop the behaviour it seeks<br />

to prevent. I’ve heard claims from the SIA that<br />

business licensing will drive out organised<br />

criminality, yet in all my time in the industry, I<br />

have never come across an operator working<br />

within the commercial environment whom I’ve<br />

suspected of being linked to organised crime.<br />

On a practical level, company law already<br />

exists to address illegal activity and, bearing in<br />

14<br />

www.risk-uk.com


Opinion: Security’s VERTEX Voice<br />

mind that even non-executive directors must at<br />

present hold ‘non-front line’ individual SIA<br />

licences, how can business licensing improve<br />

on that level of vetting? Do we not think that<br />

the criminal fraternity is clever enough to<br />

circumvent this? If criminals can successfully<br />

launder billions of pounds’ worth of drugs<br />

money, do we really believe a determined<br />

criminal organisation will not be able to<br />

override a self-administered vetting process?<br />

Of course, while business licensing would<br />

increase the burden on law abiding business,<br />

any unscrupulous organisation wouldn’t apply<br />

to the legal requirements anyway, so in fact the<br />

only companies really affected would be the<br />

honest and legitimate ones.<br />

Finally, it strikes me that business licensing is<br />

simply unworkable. How will it address the<br />

complexity of brass plaque organisations or<br />

companies with overseas shareholders? How<br />

can one insist on regulatory checks on<br />

shareholders in a Belgian-owned business or a<br />

holding company domiciled in Luxembourg?<br />

Approved Contractor Scheme<br />

There is, of course, a form of business licensing<br />

already in existence in the shape of the<br />

Approved Contractor Scheme (ACS). It’s<br />

voluntary. I know it has many detractors, but it’s<br />

a great deal better than not having any scheme<br />

at all. The introduction of mandatory business<br />

licensing would kill off the ACS. This would be a<br />

terrible mistake.<br />

From my perspective, I could easily live with<br />

any plans to drop the proposed business<br />

licensing and adopt a mandatory ACS. All of the<br />

reliable and trustworthy security companies are<br />

on the ACS Register anyway, meaning that<br />

application and approval would only be a<br />

burden to the fringes of the industry that the<br />

Regulator is seeking to eradicate.<br />

Indeed, in many respects ACS status provides<br />

a level of rigour that I, for one, welcome. For<br />

example, ACS requires vetting to BS 7858<br />

which, to my mind, is far more robust than SIA<br />

licence requirements as it looks at five-year<br />

employment histories. In particular, we should<br />

consider how it might be used to forge<br />

improvement across the industry and drive out<br />

those on the fringes that the proposed business<br />

licensing is meant to address.<br />

On that subject, the ACS should remain under<br />

the control of the Regulator and not be handed<br />

over to industry. This will leave the industry free<br />

to drive the important improvements needed.<br />

Introducing bands of attainment within the<br />

ACS would have the effect of encouraging<br />

organisations to strive to improve their score.<br />

While we don’t need to publicly compare<br />

actual ACS audit scores, the opportunity to<br />

‘band’ providers – whether Bronze, Silver or<br />

Gold, for example – would allow these same<br />

firms to demonstrate their expertise and use<br />

such a banding to differentiate their services in<br />

the quality end of the market.<br />

Reactions and responses<br />

At the Stakeholder Conference, it was very<br />

interesting to hear Ronnie Megaughin (chief<br />

inspector at Police Scotland) talk about his<br />

experiences of making ACS status mandatory<br />

for public sector tenders in Scotland. By all<br />

accounts, this has helped improve the quality of<br />

the security services provided north of the<br />

border and made tendering more transparent.<br />

This tells me that a mandatory ACS would work<br />

in England as well.<br />

That said, I was questioned from the floor<br />

about whether a mandatory ACS would add<br />

excessive cost and burden to smaller security<br />

providers. Naturally, the ACS requires a<br />

business to make a commitment in terms of<br />

people and time, but if it plays a central part in<br />

the continual improvement of that business,<br />

then I would view any associated cost as an<br />

investment in the company.<br />

For me, two points came across loud and<br />

clear at the SIA’s Stakeholder Conference. One<br />

was the need for partnership, whether between<br />

the regulatory body and private security<br />

providers or the industry and the police service.<br />

The second point I noticed was the welcome<br />

recognition of the crucial role that the security<br />

industry plays in keeping people, property and<br />

assets safe across the UK. As Elizabeth France<br />

(chair of the SIA) remarked, there are more<br />

security staff than police officers in the UK.<br />

That’s 300,000 pairs of ‘eyes and ears’ trained<br />

to support the police’s sterling work. At a time<br />

when policing budgets are under considerable<br />

pressure, our industry’s importance to the UK’s<br />

security infrastructure is crystal clear.<br />

However, the good work of the SIA, the<br />

existence of the ACS and the importance of the<br />

security business sector as a whole is poorly<br />

understood and unappreciated. As an industry<br />

we must act and take better control of our<br />

image. Indeed, it’s crucial that the private<br />

security industry buys into this key message.<br />

From my own point of view, the reputation of<br />

the industry depends on it, while its future<br />

growth relies on positive action being taken.<br />

Peter Webster: Chief Executive<br />

of Corps Security<br />

*The author of Risk UK’s regular<br />

column Security’s VERTEX Voice is<br />

Peter Webster, CEO of Corps<br />

Security. This is the space where<br />

Peter examines current and often<br />

key-critical issues directly<br />

affecting the security industry. The<br />

thoughts and opinions expressed<br />

here are intended to generate<br />

debate among practitioners within<br />

the professional security and risk<br />

management sectors. Whether you<br />

agree or disagree with the views<br />

outlined, or would like to make<br />

comment, do let us know (e-mail:<br />

pwebster@corpssecurity.co.uk or<br />

brian.sims@risk-uk.com)<br />

“The last 30 years have seen business and Government<br />

trying to deregulate wherever practical and possible.<br />

Business licensing goes against that trend”<br />

15<br />

www.risk-uk.com


INSPIRATION<br />

THROUGH INVALUABLE<br />

DIGITAL INSIGHT<br />

With approaches, systems and<br />

devices constantly changing,<br />

etailers need to be aware of the<br />

latest trends and innovations to<br />

gain significant competitive<br />

advantage from their eCommerce<br />

and mCommerce efforts.<br />

The eTailing Summit offers a day<br />

of a day of meetings and<br />

networking with industry suppliers<br />

and peers for idea gathering,<br />

inspirations, tools and tactics to<br />

help transform strategies in line<br />

with the latest technologies.<br />

11th July 2017<br />

Hilton London Canary Wharf<br />

For further information contact Katie Bullot on:<br />

01992 374049<br />

k.bullot@forumevents.co.uk<br />

forumevents.co.uk<br />

@eTailingSummit<br />

ForumEventsLtd<br />

forumevents<br />

MEDIA & INDUSTRY PARTNERS<br />

ORGANISED BY:


BSIA Briefing<br />

Last year, the National Counter-Terrorism<br />

Security Office produced some guidelines<br />

containing advice for leaders of schools and<br />

other educational establishments on reviewing<br />

protective security, in tandem pressing school<br />

officials to take the subject of risk management<br />

seriously. This advice followed a series of hoax<br />

telephone calls being made to educational<br />

sites across the UK, which forced at least 27<br />

schools to be evacuated after bomb and gun<br />

threats were made.<br />

It seems history may now be repeating itself.<br />

Last month, across no less than 11 counties in<br />

Britain, nearly 5,000 schoolchildren were<br />

evacuated after their schools received bomb<br />

threats. While these threats were treated as<br />

hoaxes, they do further solidify the fact that<br />

school leaders absolutely must take the time to<br />

review their security plans and ensure the<br />

measures they currently have in place are both<br />

effective and of good quality.<br />

Alongside potential bomb and gun attacks,<br />

educational establishments face a wide number<br />

of threats right across the year, including walkin<br />

thefts, the potential for personal data<br />

breaches, threats against students and staff<br />

and the possibility of arson. Bearing all of this<br />

in mind, school officials have a Duty of Care to<br />

both their fellow members of staff and pupils,<br />

as well as a legal responsibility to provide a<br />

safe environment in which people can learn.<br />

A lack of effective security can not only result<br />

in potentially life-threatening situations, but<br />

also the prospect of reputational damage. Back<br />

in March, two separate schools in Cumbria were<br />

placed under ‘special measures’ by Ofsted for<br />

security reasons. A small secondary school,<br />

Kirkby Stephen Grammar School failed its<br />

Ofsted inspection due to a perceived lack of<br />

perimeter security, with the school reportedly<br />

being criticised for its failure to put in place<br />

appropriate measures that would “minimise<br />

identified potential risks” to pupils.<br />

In short, Ofsted’s inspectors deemed the<br />

premises as being too readily accessible to<br />

members of the general public.<br />

According to a report in The Westmorland<br />

Gazette, the ‘special measures’ decision came<br />

after The Queen Katherine School in Kendal<br />

was also placed into this category due to<br />

safeguarding and security issues. Following the<br />

decision, the school is now moving forward<br />

with £30,000 plans that will include a perimeter<br />

fence designed to improve security in an effort<br />

to satisfy the Ofsted inspectors.<br />

Ofsted’s decision has angered school<br />

officials, with Kirkby Stephen Grammar School’s<br />

head teacher Ruth Houston and Simon Bennett<br />

(chairman of the governing body) sending a<br />

Learning By Inspection: The<br />

Importance of School Security<br />

Security and safety in UK schools is a highly emotive subject.<br />

Indeed, it’s one which is never far from the mindset of the<br />

presiding head teacher, the facilities team responsible for a<br />

given establishment, the governing body and/or members of<br />

the Local Education Authority, all of whom have key roles to<br />

play in the implementation of an effective strategy. Here,<br />

James Kelly examines the main considerations to be observed<br />

around security in the education sector<br />

letter to parents stating that they believed the<br />

decision was “a failing of the inspection<br />

system, not the school, if an overall judgement<br />

is defined by the lack of a fence or not enough<br />

locks on doors, rather than the excellent<br />

teaching, leadership, behaviour and outcomes<br />

of the school.”<br />

Students from Kirkby Stephen Grammar<br />

School have contacted Ofsted to express their<br />

own concerns. The Westmorland Gazette report<br />

stated that students told Ofsted they felt<br />

“valued, inspired and appreciated. Unsafe is<br />

something we never feel. A member of our Sixth<br />

Form remarked that ‘everybody knows<br />

everybody in Kirkby Stephen’. This same<br />

community ethos is reflected in our school, an<br />

ethos which would be changed for the worse by<br />

the severe security measures Ofsted would like<br />

us to put in place.”<br />

An integrated approach<br />

School security solutions extend well beyond<br />

perimeter fences and physical locks, with an<br />

James Kelly: CEO of the British<br />

Security Industry Association<br />

17<br />

www.risk-uk.com


BSIA Briefing<br />

integrated approach being the most effective<br />

way of protecting staff, students and assets<br />

alike. It’s also important to choose measures<br />

that integrate seamlessly with the design of a<br />

given school building so as not to intimidate<br />

pupils or their parents.<br />

Access control systems can be a great place<br />

to start, with electronic access control<br />

becoming increasingly more commonplace in<br />

schools. A combination of electronic access<br />

control and physical security measures will be<br />

vital in helping to manage known or anticipated<br />

threats by dint of controlling, monitoring and<br />

restricting movement around a given site.<br />

Schools can be quite complex in terms of<br />

their access control, with specific areas – such<br />

as a science laboratory or an IT room – needing<br />

to be restricted to certain people at specific<br />

times of the day. Outside of school hours,<br />

access control measures can be used to restrict<br />

entry to the entire building and may be<br />

integrated with gates or fences at the perimeter<br />

to grant access only to authorised personnel.<br />

Alongside electronic access control, as<br />

mentioned, high quality physical security<br />

measures should also be employed. In a school<br />

environment, particular doors – such as that<br />

allowing access to a caretaker’s storage room –<br />

can be fitted with a mechanical patented<br />

cylinder lock under a master key system.<br />

Escape doors may be fitted with crash bars or<br />

push pads for emergency exit only.<br />

On the subject of doors, it’s essential to<br />

consider the types of doors used that will<br />

provide the most streamlined access to and<br />

within a school, taking into account the<br />

demands made by the Equality Act 2010.<br />

Here, it’s vital measures are chosen that are<br />

both non-discriminatory and convenient in their<br />

nature. For example, if selecting revolving<br />

doors for a school entrance – which can act as a<br />

beneficial airlock to keep out draughts, noise,<br />

dust and dirt – then an automatic pass door<br />

should also be installed next to it in order to<br />

grant access to those less able to enter through<br />

a revolving door.<br />

Identification devices<br />

Once the physical barrier – such as a door,<br />

turnstile or speedgate – has been chosen, then<br />

officials must decide on which type of<br />

identification device will be most suited to the<br />

school. This can largely depend on which areas<br />

“Dynamic lockdown procedures have the ability to restrict<br />

access and egress at a site or building through physical<br />

measures, among them access-controlled doors”<br />

of the school require authorisation for access<br />

and by whom. For example, some schools may<br />

only have certain restricted areas and need to<br />

give permissions to authorised staff only,<br />

whereas at other schools there may be a<br />

requirement for all students to carry an<br />

identification device.<br />

Proximity cards – such as contactless keys, ID<br />

cards or fobs – can be very useful in achieving<br />

streamlined access throughout a school.<br />

However, it might also be beneficial to consider<br />

biometric access control measures, such as<br />

fingerprint readers, as they can eliminate the<br />

potential issues of children misplacing or<br />

forgetting their access devices.<br />

A good quality system can generally handle a<br />

large amount of users and will be able to<br />

identify individuals quickly and efficiently. As<br />

user information is very often linked to a<br />

dedicated database, it’s also wise to choose a<br />

system that doesn’t need to be online in order<br />

to make access decisions. This way, if the<br />

Internet connection is lost for any length of<br />

time, students and staff will still be able to<br />

access specific areas/zones of the school.<br />

Identification devices can also carry various<br />

added value benefits. They don’t simply have to<br />

contain access information. Rather, they can<br />

store important student and staff data, too,<br />

such as any notes on medical issues or dietary<br />

requirements, and are a useful way of logging<br />

time and attendance. They can also act as<br />

cashless vending devices, meaning children<br />

don’t have to carry cash with them to school,<br />

potentially reducing the risk of bullying.<br />

Dynamic lockdowns<br />

Another security measure that’s gradually<br />

becoming a part of school security strategies is<br />

that of dynamic lockdowns. A dynamic<br />

lockdown would generally occur in response to<br />

a fast-moving incident, such as a firearmsbased<br />

attack occurring either directly at the site<br />

or somewhere close by.<br />

Dynamic lockdown procedures have the<br />

ability to restrict access and egress at a site or<br />

building – or parts of it depending on its<br />

configuration – through physical measures,<br />

among them access-controlled doors. As well<br />

as verbally alerting staff to physically lock<br />

down the school, panic hardware can be fitted<br />

to doors and windows – and especially ‘final<br />

exit doors’ like playground doors – so that they<br />

automatically lock when the alarm is activated.<br />

The panic hardware must be capable of selflocking.<br />

Pullman-type latches integrated with<br />

door closers would be a good way to achieve<br />

this. A school’s access control system may also<br />

be integrated with a panic alarm system.<br />

18<br />

www.risk-uk.com


ERM and ESRM: Can They Continue<br />

to Exist Independently?<br />

If Enterprise Risk<br />

Management and<br />

Enterprise Security<br />

Risk Management are<br />

here to stay, what<br />

does this mean for the<br />

future of risk<br />

management? What<br />

models should we<br />

look forward to in the<br />

future, and what<br />

future should risk<br />

management<br />

practitioners prepare<br />

themselves for as time<br />

moves on? Philip<br />

Strand searches for<br />

some answers to<br />

these key questions<br />

Dr Philip Strand PhD MBA:<br />

Senior Risk Consultant at<br />

CornerStone<br />

20<br />

www.risk-uk.com<br />

Thought leaders in the risk management<br />

industry continue to evolve practitioners’<br />

views of the world they protect. In many<br />

ways, the recognition that the industry merited<br />

and required professional organisations such<br />

as ASIS International (1955), IAPSC (1984) and<br />

The Security Institute (1999) was an evolution<br />

in thought, both in and of itself.<br />

From this evolution, the industry gained<br />

platforms upon which leaders could develop<br />

their ideas more quickly and communicate with<br />

global reach. Significant paradigm shifts have<br />

included distinctions between security<br />

management and risk management and the<br />

convergence of IT and physical security<br />

operations in the 1990s.<br />

Joining the ranks of these industry-changing<br />

movements is the latest major shift in risk<br />

management thinking, namely Enterprise Risk<br />

Management (ERM) and its security-focused<br />

spin-off, Enterprise Security Risk Management<br />

(ESRM). Enough time has gone by to suggest<br />

that these strategic-level frameworks for risk<br />

management are more than just passing fads.<br />

Indeed, they’ve now firmly taken root.<br />

Risk management was originally developed<br />

as a concept in the mid-1950s to help the<br />

insurance industry conceptualise its role in<br />

society and achieve its commercial goals. By<br />

the early 1960s, two professors – namely<br />

Robert Mehr and Bob Hedges – had developed<br />

risk management for business enterprises into<br />

a more robust system of thought,<br />

encompassing not only risks related to readily<br />

insurable incidents (ie hazard risks), but also<br />

four distinct categories of business risk.<br />

Come the mid-1990s, these four categories<br />

became the foundation of ERM and<br />

encompassed hazard risk (ie employee illness<br />

and injury, theft, third party liabilities, natural<br />

disasters and property losses), operational risk<br />

(information transfers, bidding processes,<br />

construction management and accounting<br />

processes, etc), financial risk (ie costs of<br />

capital, market risks, bank and surety support<br />

and growth capitalisation) and strategic risk (ie<br />

changes in customers and industries, growth<br />

strategies, risks to brands and reputations and<br />

competition risks).<br />

Although Mehr and Hedges succeeded in<br />

bringing risk management out of a single<br />

industry and into the mainstream business<br />

world, their model left significant room for<br />

development. For one thing, their ERM<br />

framework didn’t make it clear how physical<br />

risks can cross-cut all four categories.<br />

At first glance, physical risks – which stem<br />

from threat actors ranging from criminals to<br />

incompetent employees through to natural<br />

disasters – most obviously relate to the ‘hazard<br />

risk’ category, but there are more subtle<br />

relationships to the other three categories that<br />

shouldn’t be understated.<br />

For example, strategic risks could be<br />

compounded by malicious damage caused to<br />

assets or processes that are vital to a<br />

company’s growth strategy. Likewise, robust<br />

physical risk mitigation measures might be<br />

marketed as a comparative advantage over<br />

competitors, thus giving a company an<br />

advantage in a specific market. Additionally,<br />

information transfers could be affected by the<br />

sudden and unfortunate loss of employees.<br />

In each of these examples, an understanding<br />

of physical security risk is an essential<br />

prerequisite to understanding operational,<br />

financial or strategic risk.<br />

While it’s wholly possible for risk managers<br />

to relate different security risks to each of the<br />

categories in the ERM framework, the<br />

development of ESRM in 2009 seems to have<br />

eliminated some practitioners’ desire to do so.<br />

ESRM is a risk management ‘philosophy’ that<br />

encourages practitioners to assess all forms of<br />

physical risk (ie information, cyber, physical<br />

security, asset management and business<br />

continuity risks) in an holistic manner similar to<br />

how ERM advocates assessing many business<br />

risks together.<br />

According to ESRM, risks should be assessed<br />

not only in terms of their immediate impact, but<br />

also according to their second and third order<br />

effects on other assets and processes within a<br />

given organisation.<br />

Clear evolution in thought<br />

ESRM represents a clear evolution of traditional<br />

security thinking in as much as it requires<br />

practitioners to examine the total impact that<br />

security incidents might exert on an<br />

organisation. From an ESRM perspective, a<br />

stolen laptop doesn’t only cost a company the<br />

replacement value of the laptop. ESRM enables<br />

us to see the loss at a higher level by factoring-


Enterprise Risk Management and Enterprise Security Risk Management<br />

in the value of the information on the laptop<br />

and the value of all of the business processes<br />

that the laptop facilitated.<br />

ESRM also encourages security managers to<br />

ensure that risk decisions are made by true risk<br />

owners. It brings security managers who’ve<br />

traditionally operated separately (eg physical<br />

security and IT security managers) together<br />

under the same umbrella whereby they can<br />

more easily determine how some risks might<br />

affect multiple stakeholders.<br />

Despite ESRM’s contributions to risk<br />

management thinking, there are still several<br />

ways in which ESRM must be further<br />

developed. While the ERM framework fails to<br />

recognise how security risks can impact<br />

business risks, ESRM also fails to adequately<br />

emphasise this point.<br />

Many models depicting ESRM as a process –<br />

among them ASIS International’s own widely<br />

accepted model – are narrowly focused on<br />

identifying and quantifying organisations’<br />

assets and the risks facing those assets. ESRM<br />

encourages CSOs to liaise with finance,<br />

executive and other C-Level officers to<br />

understand how security risks can affect<br />

multiple assets within their organisations<br />

(including intangible assets like reputation),<br />

but ESRM models stop short of emphasising<br />

the importance of understanding how assets<br />

facilitate the operational, financial and strategic<br />

goals of the organisation.<br />

While ESRM goes beyond ERM in several<br />

important ways, this lack of emphasis makes it<br />

possible for ESRM-minded security managers<br />

to miss out on the important elements of<br />

business risk upon which ERM focuses heavily.<br />

Embracing the philosophy<br />

In their 2016 book entitled ‘The Manager’s<br />

Guide to Enterprise Security Risk Management’,<br />

Allen and Loyear state that: “ESRM is not the<br />

same as ERM, and it certainly doesn’t replace<br />

it.” This appears to be quite true and, at<br />

present, large organisations are likely to need<br />

competent and experienced risk managers at<br />

the head of their ERM Departments as well as a<br />

series of similar risk managers embracing the<br />

ESRM philosophy throughout their<br />

organisational structures.<br />

Currently, there’s no single risk management<br />

framework that embraces all of the elements of<br />

both ESRM and ERM. This allows for a gap in<br />

risk management thinking because, by default,<br />

it means that there’s no single model plainly<br />

relating security risks and business risks in a<br />

single process.<br />

In order for risk managers to correctly<br />

prioritise assets and risks, they must fully<br />

understand the roles that assets play in helping<br />

organisations to achieve their missions and<br />

strategic objectives. ESRM aspires to do this,<br />

but the next evolution in risk management<br />

thinking must be to converge ERM and ESRM.<br />

The four business risk categories of ERM<br />

must be viewed in concert with the security risk<br />

categories of ESRM. The ‘holistic’ approach of<br />

both types of risk management merits<br />

applause, but neither type of risk management<br />

can claim to be truly holistic if they’re not<br />

assessing business and security risks together.<br />

If the convergence of ERM and ESRM looms<br />

in the future, then it’s natural to ask the<br />

question: ‘What would this convergence look<br />

like?’ It seems that it might be appropriate to<br />

add ESRM’s ‘security risks’ as a fifth category in<br />

the ERM model. This is indeed tempting for<br />

simplicity’s sake, but it’s noteworthy that, in<br />

most organisations, the impacts of the two risk<br />

models flow mostly in one direction.<br />

While security risks can – and often do –<br />

compound business risks, the latter tend to<br />

exacerbate security risks only under rare and<br />

extreme circumstances.<br />

Looking ahead, future models of converged<br />

ERM-ESRM frameworks must consider in depth<br />

the fact that assets and processes (which are<br />

directly affected by security risks) exist to<br />

support organisational objectives (which are<br />

directly affected by business risks and only<br />

affected by security risks when assets and<br />

processes are compromised).<br />

“ESRM represents a clear evolution of traditional security<br />

thinking in as much as it requires practitioners to examine<br />

the total impact that security incidents might exert”<br />

21<br />

www.risk-uk.com


Status Symbol: The Chartered Security<br />

Professional and Standards of Excellence<br />

The concept of<br />

chartered<br />

professionalism traces<br />

its roots back many<br />

centuries, in fact to<br />

the years following<br />

the Norman invasion<br />

of 1066. Now,<br />

in the 21st Century,<br />

being ‘Chartered’ is<br />

more relevant than<br />

ever in terms of both<br />

winning and securing<br />

public trust. Peter<br />

Speight examines the<br />

importance of<br />

Chartered Security<br />

Professional status for<br />

today’s practitioners<br />

Recently, a security manager whom I’ve<br />

known and worked with for some years<br />

now, namely Mike Topham, was keen to<br />

discuss pursuing the journey towards Chartered<br />

Security Professional (CSyP) status. Mike – who<br />

has held a number of security management<br />

positions – contacted me as he wished to know<br />

more about the whole subject of CSyP.<br />

For my part, I fully expected a relaxing cup of<br />

coffee or two and a general conversation with a<br />

couple of questions about CSyP thrown in, but<br />

Mike’s keen determination to learn as much as<br />

possible was obvious from the outset. Indeed,<br />

Mike asked several questions, all of them<br />

pertinent and very much to the point.<br />

Why would anyone want to attain this<br />

standard? What will it achieve for the practising<br />

security professional? How will customers<br />

benefit? Who should apply and why? What does<br />

the individual have to do if they pass muster?<br />

We had a great meeting and jointly agreed<br />

that Mike should carry out some detailed<br />

research of his own into CSyP in order to gain a<br />

feel for the ‘What?’, ‘Why?’ and ‘How?’<br />

Mike is right in his assessment that, as we<br />

head into the next few years, every aspect of<br />

the security environment in which we all now<br />

live whether in a local, national or global<br />

business context or as an individual has<br />

become more complex, technically challenging<br />

and generally more unstable than ever before.<br />

The sheer magnitude and range of threat<br />

types, from the technical vulnerability of<br />

information and systems through to fraud and<br />

terrorist activity and on to the local protection<br />

of people, premises and business assets<br />

demands the exponential development of the<br />

security sector. The emergence of fully riskbased<br />

methodologies along with this general<br />

growth has been accompanied by the<br />

development of many intelligent tools, both<br />

technical and academic. The security landscape<br />

refuses to stand still, then, even for a moment.<br />

In this maelstrom of activity, the burning<br />

question for customers has been where to turn<br />

in order to ensure that those engaged to advise<br />

on these matters are somehow up to the job<br />

and the best available. If there was a bridge to<br />

be built or the legal defence of a corporation to<br />

be conducted there would be a need for a<br />

proven group of professionals (ie engineers or<br />

lawyers) to transact such work. Their industries<br />

or commercial business sectors are chartered,<br />

with a Register of Chartered Professionals<br />

available as guidance.<br />

Until relatively recently, the security business<br />

sector had no such listing despite the growth of<br />

complex security threats. Thankfully, matters<br />

have changed much for the better.<br />

Strategic competencies<br />

CSyP is a professional certification in security<br />

established to show the attainment of strategic<br />

and higher operational level competencies in<br />

the discipline. The Security Institute operates<br />

the Register of Chartered Security Professionals<br />

on behalf of The Worshipful Company of<br />

Security Professionals and it’s expertly<br />

managed by the Chartered Security<br />

Professionals Registration Authority.<br />

The criteria for joining the Register of CSyPs<br />

is founded to a large degree on the UK<br />

Standard for Professional Engineering<br />

Competence. Advice was also sought from the<br />

Foundation for Science and Technology and The<br />

Engineering Council. The final version of the<br />

criteria for becoming a CSyP is, to an extent,<br />

based on the criteria for Chartered Engineers.<br />

22<br />

www.risk-uk.com


Chartered Security Professionals: ‘The Gold Standard’<br />

To be admitted to the Register, applicants<br />

must have a strong understanding of general<br />

security principles (although they may be a<br />

specialist in one field) and be operating at a<br />

strategic or senior operational level of security<br />

practice while demonstrating a high level of<br />

competence in five key areas: Security<br />

Knowledge, Practical Application,<br />

Communications, Leadership and Personal<br />

Commitment. Applications are also welcome<br />

from professionals working in the security<br />

business sector who are engaged primarily in<br />

teaching or in public or private sector<br />

organisations involved with security activity.<br />

To remain a CSyP, Continuing Professional<br />

Development (CPD) is mandatory, as is<br />

adherence to a professional Code of Ethics.<br />

The Security Institute and ASIS<br />

International’s UK Chapter are both eligible to<br />

receive applications from potential CSyPs,<br />

although applicants don’t have to be a member<br />

of either organisation. It’s testament to the<br />

vigorous protection of CSyP organisational<br />

standards that it took ASIS UK a year of hard<br />

work to demonstrate compliance with relevant<br />

standards in order to be awarded a licence to<br />

manage CSyP registration applications.<br />

Both ASIS UK and The Security Institute are<br />

fully committed to CSyP on several levels,<br />

including mentoring and promotional activities.<br />

Standards of excellence<br />

The five core competencies required for CSyP<br />

registration are weighted in favour of security<br />

knowledge and application skills. The<br />

weighting also requires CSyPs to be better than<br />

average. Achieving a mark of ‘Good’ across the<br />

board isn’t enough. Applicants must be better<br />

than ‘Good’ to be admitted as a CSyP. Those<br />

applying must be of undisputed integrity and<br />

have a sound level of expertise, operating at a<br />

strategic level or the senior end of the<br />

operational level of security practice.<br />

To date, the Register of Chartered Security<br />

Professionals has attracted successful<br />

applicants not only from the UK, but also<br />

Australia, the USA, Canada, the UAE, Spain,<br />

France, Albania, the Netherlands, the Czech<br />

Republic, Switzerland and Hong Kong.<br />

As substantial as the foundations are, and as<br />

undeniable as the commitment of the industry<br />

is to adapting to modern customer needs, in<br />

order to fully understand why an individual<br />

should submit themselves to the rigours of<br />

registration we must understand – as Mike<br />

asked of me – what the advantages of achieving<br />

CSyP status are for the individual in order for<br />

this ‘Gold Standard’ to become attractive to the<br />

next generation of security professionals.<br />

“For some time now, customers have been unhappy with<br />

the ‘single dimension’ security service delivery. Several<br />

fairly weighty voices have called for better informed and<br />

bespoke risk profiling of their businesses”<br />

‘Single dimension’ security<br />

For some time now, customers have been<br />

unhappy with the ‘single dimension’ security<br />

service delivery. Several fairly weighty voices<br />

have called for better informed and bespoke<br />

risk profiling of their businesses and a move<br />

towards Enterprise Risk Management on a<br />

service partnership level.<br />

Traditionally, ‘security’ has been viewed as a<br />

grudge purchase by some clients for a variety of<br />

reasons, which inevitably leads to price-driven<br />

procurement decisions based on hourly charge<br />

rates. The end result has often been poor<br />

service delivery by poorly-motivated security<br />

officers operating in a poorly-resourced<br />

environment. That’s the fact of the matter.<br />

The traditional corporate mindset is slowly<br />

changing, but still pervades among many of the<br />

current customer base. In essence, the key<br />

must be to manage expectation at the outset by<br />

demonstrating the professionalism, flexibility<br />

and tailored offering which our industry is now<br />

able and geared to deliver. A potential customer<br />

needs to be encouraged to found procurement<br />

decisions on the value added by the security<br />

services package based on a risk management<br />

methodology, and not simply on the charge rate<br />

for the officers delivering those services.<br />

Security professionals must drive to become<br />

actively involved in the full range of enterprise<br />

risk mitigation (including crisis first response)<br />

along with their customers, while also pressing<br />

to become integrated service partners.<br />

Returning to one of Mike’s key questions,<br />

why register for CSyP? The answer is to<br />

demonstrate that we understand and stand by<br />

the concept of ‘professionalising’ the security<br />

world around a single, transparent and<br />

continually relevant standard, and at the same<br />

time send a message into the marketplace that<br />

we’ve adapted to changing customer needs.<br />

Choosing a professional or a service provider<br />

from within our sector is now possible in a way<br />

that mirrors the seriousness of current threats.<br />

Registration as a CSyP also requires a<br />

demonstrable personal commitment to the<br />

development of security in its wider sense,<br />

through supporting colleagues, members of the<br />

public and immediate neighbourhoods.<br />

Applicants shouldn’t attempt to attain CSyP<br />

status without fully appreciating that ongoing<br />

commitment. This isn’t just a ‘tick-box’ exercise.<br />

Dr Peter Speight CSyP DBA<br />

MPhil MSc MIRM:<br />

Managing Director of Future<br />

Risk Management<br />

23<br />

www.risk-uk.com


Physical Security<br />

Information<br />

Management is a<br />

category of software<br />

that provides a<br />

platform and<br />

applications created<br />

by middleware<br />

developers specifically<br />

to integrate multiple<br />

unconnected security<br />

applications and<br />

devices and control<br />

them through one<br />

comprehensive user<br />

interface. Stephen<br />

Smith outlines why<br />

the end user buyers of<br />

such solutions need to<br />

consider not only the<br />

technology itself, but<br />

also the ongoing costs<br />

involved<br />

PSIM: Only Fools Rush In...<br />

Of late, there has been a fair degree of<br />

focus on how Physical Security<br />

Information Management (PSIM) solution<br />

developers are planning to offer integrated<br />

security systems aimed at the growing needs of<br />

large-scale enterprises. They would be doing so<br />

while also offering advanced functionality for<br />

more stakeholders and providing greater<br />

control from one central location.<br />

Within the world of PSIM, certain matters are<br />

crucial for the future development of our<br />

industry. One such is about understanding and<br />

resolving problems associated with the<br />

increasing geographical scope of clients, while<br />

adhering to a multi-tiered hierarchy – a socalled<br />

‘federated’ system – wherein total<br />

control is centralised, but allows individual<br />

sites to maintain local control.<br />

Providing more powerful systems is<br />

undoubtedly important. Perhaps more<br />

important, however, is the scalability of the<br />

solution, from a single PC through to those<br />

‘federated’ solutions that afford end users the<br />

power to match risk with budgets. It is indeed<br />

the case that big is beautiful up to a point, but<br />

what’s considerably more attractive, I would<br />

strongly argue, is the ability to scale a solution<br />

according to need. This will allow more<br />

businesses to realise the considerable<br />

advantages PSIM solutions can deliver.<br />

Also important is the issue of connectivity<br />

and, to be more specific, the subject of<br />

connectivity failure. It would seem obvious that,<br />

in locations where there are known connectivity<br />

challenges, and where connectivity failure is<br />

therefore a distinct possibility, the ability for a<br />

system to work in a standalone mode is<br />

essential. It would seem similarly obvious that<br />

managing an enterprise-wide PSIM-based<br />

solution doesn’t create huge volumes of data.<br />

Distributed architecture<br />

The distributed nature of the architecture<br />

within certain PSIM solutions means that each<br />

Control Room is autonomous. This in turn<br />

means that, if a connection is lost to the others,<br />

it will continue to run without interruption and<br />

monitor the systems assigned to it. To that end,<br />

it’s a genuine ‘hot reserve’, as opposed to being<br />

a ‘fail-over’ Control Room that has to be<br />

switched on and booted up.<br />

In my opinion, data bottlenecks should never<br />

be used as an excuse for a system going down,<br />

nor for creating a lack of ‘control’. It’s<br />

disingenuous to suggest otherwise. PSIM<br />

technology should have an efficient alarm<br />

escalation functionality, which means that if<br />

there’s a problem, the operator still knows<br />

exactly what to do should a critical event occur.<br />

For their part, operators must have access to<br />

all of the data, information and systems at their<br />

fingertips. None of that information should be<br />

‘lost’ in the event of a connectivity failure, or<br />

while waiting for the back-up to warm up.<br />

While some are seeking to develop more<br />

powerful solutions for ‘federated’-level security<br />

across larger organisations and smart cities,<br />

others are already being deployed throughout<br />

the world, from the UK to the United Arab<br />

Emirates. While some manufacturers appear to<br />

focus on the past, the more forward-thinking<br />

among us are already operating in the future.<br />

PSIM technology is of course capable of<br />

managing large numbers of systems – and not<br />

just video – from a single platform across<br />

multiple sites. This allows end users to manage<br />

incidents according to standard operating<br />

policies set by the customer or based upon<br />

best business practice, mitigating risks to life,<br />

security and assets accordingly.<br />

Importance of reputation<br />

Reputation is important in any industry and for<br />

any technology. Frustratingly, PSIM is already<br />

one of those technologies that has a poor<br />

reputation. It has come a long way in a<br />

comparatively short space of time, but such<br />

rapid evolution has been an element of the<br />

problem. This is partially because PSIM can be<br />

misunderstood and grouped erroneously with<br />

security management systems, but also partly<br />

because, in my opinion, some PSIM solution<br />

developers are misleading the market.<br />

24<br />

www.risk-uk.com


PSIM Solutions: Procurement Advice for End Users<br />

They seem to be doing this in two ways: first,<br />

in regard to what their technology is capable of<br />

achieving and, second, in relation to how much<br />

their clients should pay for the pleasure of<br />

having a PSIM solution installed. Indeed, this<br />

is the other great challenge and the other<br />

great myth: lifecycle costs.<br />

I have a genuine fear that these hidden costs,<br />

with particular regard to software licenses,<br />

combined with the lack of an adequate support<br />

service – or one that’s ludicrously expensive –<br />

are problems that continue to be unexplained<br />

and do our industry a tremendous disservice.<br />

This was certainly evidenced in the survey we<br />

ran in conjunction with Risk UK last year.<br />

Depending on the specific PSIM system and<br />

its manufacturer, these costs can be highly<br />

fragmented and split into many different ‘parts’<br />

or stages. This may be confusing to the end<br />

user buyer, since they can include the physical<br />

equipment cost, installation, initial software<br />

licenses, training packages and project<br />

management services, etc.<br />

What’s most alarming, however, is that these<br />

are only the ‘initial’ costs and don’t take into<br />

account factors such as annual licence fees,<br />

future upgrades and renewals which, when you<br />

think of the initial capital expenditure for<br />

implementing a system and the number of<br />

years you expect it to be functioning, could run<br />

into the many thousands – if not hundreds of<br />

thousands – of pounds.<br />

Specification: key points<br />

In specifying a PSIM solution, and identifying a<br />

reputable manufacturer with whom to work,<br />

what should the end user be looking for?<br />

Ensure the companies that are pitching to<br />

you state, in writing, their annual fees for the<br />

renewal of your licence and, if technical support<br />

is provided, what it entails and what it costs<br />

over a five-year period.<br />

Find out whether you will be expected to pay<br />

for system updates, too, and if so, how<br />

frequently these updates will occur. What are<br />

the fees? Is the cost a percentage of the initial<br />

capital outlay?<br />

Given the level of investment you’re making,<br />

insist that the software will be supported for a<br />

minimum of ten years or longer if possible.<br />

Sweat the small print pre-contract so you<br />

don’t expose yourself to risk that could well<br />

end up having a catastrophic impact on your<br />

organisation somewhere down the line. A small<br />

number of software providers are still known to<br />

build a ‘timer’ into their software. Worth<br />

bearing in mind, as this automatically shuts the<br />

software down if, for any reason, your annual<br />

renewal payments haven’t cleared.<br />

“Ensure the companies that are pitching to you state, in<br />

writing, their annual fees for the renewal of your licence<br />

and, if technical support is provided, what it entails and<br />

what it costs over a five-year period”<br />

Don’t evaluate a project based solely on the<br />

initial capital cost. What might appear to be a<br />

competitive initial cost could actually be the tip<br />

of a very big iceberg when you rack up the<br />

other additional costs for updates, licence<br />

renewal and technical support. Work out the<br />

lifetime cost. Don’t discover when you’re too far<br />

down the line that the cost of installing the<br />

system is lower than the ongoing annual costs.<br />

A decision was taken early on in our<br />

commercial history that we would never place<br />

clients in the unenviable position of budgeting<br />

for a capital expenditure only to find a raft of<br />

renewal and licensing costs emerging. Cost, of<br />

course, cannot be the only driver, but the<br />

danger is that the cost a client is quoted isn’t<br />

the ‘true’ cost that they end up paying when<br />

ongoing outlays are then taken into account.<br />

Transparency is paramount<br />

Over the years, I’ve lost count of the number of<br />

red-faced security managers berating a PSIM<br />

solution provider for metaphorically holding a<br />

gun to their head and, in effect, telling them to<br />

‘pay the ongoing fees or we will not support<br />

your system’. We certainly know of cases where<br />

public bodies are now having their PSIM<br />

systems ripped out because they cannot afford<br />

to maintain them from revenue budgets.<br />

PSIM solution providers must be 100%<br />

transparent and fair or otherwise risk going out<br />

of business on the back of an army of<br />

disgruntled customers. Short-term opportunism<br />

and narrow-mindedness could seriously impact<br />

the industry’s long-term credibility.<br />

PSIM is very much the system of tomorrow<br />

that’s already being used to great effect in the<br />

‘here and now’ today, but not always to the<br />

extent that it should, or indeed by the<br />

businesses that could benefit from it the most.<br />

Buying a PSIM solution can be fraught with<br />

difficulties, many of which are of our industry’s<br />

own making. It must be said that buying on<br />

initial capital cost alone is certainly a<br />

dangerous way of doing things.<br />

My best advice would be to conduct your due<br />

diligence very thoroughly indeed. Consider the<br />

technical implications of the risks to be<br />

overcome and the lifetime cost of a system<br />

rather than rushing unexpectedly into a brick<br />

wall of hidden fees or false promises. After all,<br />

only fools rush in where angels fear to tread.<br />

Stephen Smith:<br />

Managing Director of<br />

Intergrated Security<br />

Manufacturing (ISM)<br />

25<br />

www.risk-uk.com


The Insider Threat: Technical Surveillance Countermeasures<br />

Many cyber attacks come from halfway<br />

around the world, but the network<br />

openings that allow cyber attackers to<br />

infect databases and potentially take down an<br />

organisation’s file servers are mostly initiated<br />

by trusted employees.<br />

Insider threats are much harder to detect and<br />

potentially far more damaging financially and<br />

reputationally than an external attack. Whether<br />

malicious or simply negligent, workers need<br />

access to sensitive information and systems to<br />

do their jobs. As a result, if they accidentally or<br />

choose to steal, their actions can do an<br />

enormous amount of damage to a business.<br />

Statistics show the extent of the risk posed<br />

by insider threats. Accenture and HfS Research<br />

state that 69% of enterprise security executives<br />

have reported experiencing an attempted theft<br />

or corruption of data by insiders during the last<br />

12 months. According to The Ponemon Institute,<br />

62% of business users report that they have<br />

access to company data they probably<br />

shouldn’t see, while the SANS Institute<br />

observes that nearly a third of all organisations<br />

still have no capability in place to either<br />

prevent or deter an insider incident or attack.<br />

In one study conducted by Gartner that<br />

examined malicious insider incidents, 62%<br />

involved employees looking to establish a<br />

second stream of income by way of their<br />

employers’ sensitive data, 29% stole<br />

information on the way out of the door to help<br />

future endeavours and 9% were saboteurs.<br />

Defining insider attacks<br />

Understanding what an insider attack is and<br />

how it can happen will assist in reducing<br />

exposure. Typically, an insider is usually a<br />

trusted employee, student or contractor. It’s<br />

someone who’s given a higher level of trust<br />

than an outsider. This trust is usually<br />

established through various formal and<br />

informal processes, including references at the<br />

employment stage and ‘earned’ trust as rapport<br />

with the employee is built upon.<br />

Recognising an ‘insider’ is the first step<br />

towards classifying internal attacks.<br />

Understanding what constitutes an insider<br />

attack is the next one. Common attacks include<br />

making an unintentional mistake, ignoring due<br />

process and using ‘work arounds’ to access<br />

information, trying to make a system do<br />

something for which it wasn’t designed,<br />

checking the system for weaknesses,<br />

vulnerabilities or errors and acting with the<br />

intention of causing harm.<br />

To successfully protect a company’s<br />

confidential information, its assets and current<br />

controls need to be identified and assessed. For<br />

The ‘Insider’ Threat<br />

Colossal data breaches are fast becoming the ‘new normal’.<br />

With each new incident invariably comes a feeble apology<br />

‘for any inconvenience caused’. At best it’s embarrassing for<br />

the company concerned, at worst the damage can be<br />

catastrophic, often resulting in loss of reputation and profits<br />

as well as law suits. Emma Shaw plots a path to safety for<br />

today’s organisations<br />

example, if a company stocks high value<br />

equipment, thought will need to be given to its<br />

location, accessibility, how it’s protected and so<br />

on. Once the process of identification has been<br />

completed, consideration then needs to be<br />

given to who can access this information and<br />

who’s responsible for controlling and updating<br />

control measures in the future.<br />

Key questions for consideration here are:<br />

• Who genuinely needs access to sensitive<br />

information and who can obtain this<br />

information from another source?<br />

• What controls are in place to limit access to<br />

those who need it to carry out their job roles?<br />

• How can you identify unauthorised access?<br />

Traditionally, the security market has focused<br />

more on preventing threats from entering the<br />

network than on detecting and stopping data<br />

from being exfiltrated. While preventing<br />

infections undoubtedly remains important,<br />

more resources are now being made available<br />

to search for ‘Indicators of Compromise’ and<br />

protect valuable data from exfiltration.<br />

According to a recent survey by Vormetric,<br />

89% of respondents (globally) felt that their<br />

organisation was now more at risk from an<br />

Emma Shaw MBA CSyP FSyI<br />

FCMI: Managing Director of<br />

Esoteric Ltd<br />

27<br />

www.risk-uk.com


The Insider Threat: Technical Surveillance Countermeasures<br />

insider attack, while 34% felt very or extremely<br />

vulnerable to one occurring. When asked about<br />

who posed the biggest internal threat to<br />

corporate data, 55% of respondents said<br />

privileged users. Nine percentage points behind<br />

on 46% were contractors and service providers,<br />

with business partners rated at 43%.<br />

The report goes on to say that databases, file<br />

servers and the cloud hold the vast bulk of<br />

sensitive data assets, but for many (38% of<br />

respondents, in fact) mobile is perceived as a<br />

high-risk area of concern.<br />

Vormetric’s analysis states: ‘Senior<br />

management concerns over privileged user<br />

access have reached the top of their security<br />

agendas. They now understand the damage<br />

that a rogue user with admin rights can do and<br />

they recognise that, if this type of user isn’t<br />

properly monitored and controlled, the damage<br />

to the business can be far-reaching. Also, if a<br />

privileged user’s credentials are acquired by an<br />

external attacker – as US investigators say was<br />

the case when a hacker stole the credentials of<br />

a system administrator at Sony and<br />

orchestrated the recent high-profile data<br />

breach – the opportunity to gain free access to<br />

key information repositories or deploy malware<br />

is likely to be extensive’.<br />

How a company handles its information and<br />

communications clearly becomes a contributor<br />

to the risk exposure. A risk analysis covering all<br />

forms of communication and information<br />

storage should be conducted to analyse the<br />

assets which the company possesses and<br />

understand the scenario of possible threats in<br />

order to ultimately produce an appropriate and<br />

proportionate programme of countermeasures.<br />

Emerging threats to organisations<br />

Social engineering attacks, which rely on<br />

human interaction and fraudulent behaviour,<br />

have been growing significantly since 2011.<br />

Preventative methods include limiting the areas<br />

or meeting rooms where sensitive<br />

conversations take place, and then<br />

implementing sufficiently appropriate and<br />

proportionate measures to protect these areas<br />

as reasonably and cost-efficiently as possible,<br />

based upon the threat and risk of espionage.<br />

The appropriate solution may be derived<br />

through a programme of technical surveillance<br />

countermeasures (TSCM) surveys, the<br />

installation of permanent countermeasure<br />

“The potential loss and reputational damage that an<br />

information breach might incur can far outweigh the cost of<br />

implementing a proactive TSCM strategy”<br />

solutions, the training of in-house security<br />

personnel and awareness education for key<br />

members of staff.<br />

It’s also important to note that a TSCM survey<br />

involves more than just an electronic ‘sweep’.<br />

As well as locating and identifying hostile<br />

electronic surveillance devices, an effective<br />

TSCM programme is designed to detect<br />

technical security hazards, physical security<br />

weaknesses or security policy and procedural<br />

inadequacies that would allow your premises to<br />

be technically or physically penetrated.<br />

Benefits of TSCM<br />

• Prevention: The potential loss and<br />

reputational damage that an information<br />

breach might incur can far outweigh the cost of<br />

implementing a proactive TSCM strategy.<br />

Prevention is far better than cure<br />

• Best Practice: Having a proactive TSCM<br />

programme in place demonstrates a Best<br />

Practice approach which will reassure Board<br />

members, clients and stakeholders alike<br />

• Corporate Compliance and Corporate Social<br />

Responsibility: The duty to identify and manage<br />

regulatory risk is a key requirement of today’s<br />

Boards of Directors and a proactive TSCM<br />

programme will assist organisations in<br />

achieving compliance around the protection of<br />

their information<br />

• Enhancements to security: A TSCM<br />

programme will detect and report on physical<br />

security weaknesses or inadequacies that<br />

would allow a given premises to be technically<br />

or physically penetrated, thus enhancing the<br />

overall security of the organisation<br />

• Deterrent effect: Having overt countersurveillance<br />

policies in place can act as a<br />

deterrent to thieves and errant employees<br />

• Peace of mind: A proactive TSCM programme<br />

provides peace of mind that strategic<br />

conversations and information will remain<br />

confidential and allow the host organisation to<br />

concentrate on ‘business as usual’<br />

Overall business strategy<br />

The risk of insider attack and its effects should<br />

be an integral part of risk management and the<br />

business strategy. Most insider attacks happen<br />

due to a company’s focus on more obvious<br />

forms of security breaches, without any<br />

consideration around what’s required to protect<br />

the company from internal threats.<br />

To be productive, companies need to give<br />

their employees freedom to work efficiently and<br />

largely unhindered. However, within this the<br />

operation and effective management of simple<br />

security systems helps in protecting the overall<br />

security of company assets.<br />

28<br />

www.risk-uk.com


Institute of Risk Management<br />

Are your staff risk ready?<br />

<br />

It is essential that your staff have a knowledge of the<br />

principles and practices of effective risk management.<br />

<br />

Enterprise Risk Management is designed to do just that.<br />

What’s in it for employers?<br />

> Managing risks effectively will<br />

lower your costs.<br />

> Turn threats to your business into<br />

opportunities.<br />

> Enhance business performance<br />

and improve risk taking<br />

approaches.<br />

> Develop a motivated, skilled and<br />

knowledgeable team.<br />

> Attract high-calibre professionals<br />

by investing in personal<br />

development.<br />

What’s in it for students?<br />

> Enhance your ability to design<br />

and implement effective risk<br />

management strategies.<br />

> Develop a critical understanding<br />

of the relationship between<br />

risk management, governance,<br />

internal control and compliance.<br />

> Gain an internationally<br />

<br />

months.<br />

> Join our global network of risk<br />

management practitioners.<br />

Distance<br />

Learning<br />

International<br />

Recognition<br />

Relevant for<br />

All Sectors<br />

Email: studentqueries@theirm.org<br />

Phone: +44 (0)20 7709 4125<br />

or visit www.theirm.org/risk-uk


Ransomware is a<br />

constantly growing<br />

threat and a highly<br />

effective one.<br />

Osterman research<br />

from 2016 found that<br />

ransomware was used<br />

to target 54% of UK<br />

organisations, with<br />

more than half paying<br />

the ransom. Of those<br />

who didn’t pay, nearly<br />

a third ended up<br />

losing their data.<br />

Wieland Age looks at<br />

why defeating<br />

ransomware is so<br />

important in today’s<br />

education sector<br />

An Education on Ransomware<br />

Last year, Locky spawned a file-encrypting<br />

epidemic. Since then, it has become the<br />

most prevalent ransomware on the planet.<br />

Targeting universities among many other large<br />

institutions, its continuous, pitch-perfect<br />

campaigns demonstrate how organised crime is<br />

digitising faster and more successfully than<br />

many ‘legitimate’ enterprises.<br />

This emergence of Locky, which represents a<br />

new strain of ransomware, demonstrates just<br />

how successful cyber criminals are becoming at<br />

mastering the digital transformation agenda.<br />

Locky’s creators invested significant time and<br />

resources in product development, identifying<br />

the best user interface, performance and<br />

encryption security protocols. So much so, in<br />

fact, that the FBI actually recommended victims<br />

pay any demanded ransom in order to gain the<br />

correct decryption code.<br />

To support their programme, the criminals<br />

even created a ‘Customer Help Centre’ to<br />

handle sales and support. If victims have<br />

problems decrypting their data, online ‘staff’<br />

are on-hand via chat rooms to walk ‘customers’<br />

through the process. This ensures that there<br />

are no negative social media reports from<br />

victims who, having paid up, are then unable to<br />

regain access to their data files.<br />

When it comes to propagating Locky, the<br />

online criminals have done their homework. In<br />

December, their latest phishing campaign<br />

reached millions of victims in over 100<br />

countries within days. Most start-ups would be<br />

overwhelmed by such success, but the<br />

distributors of Locky have created a highly<br />

mature online infrastructure designed to<br />

manage high volumes of payments and<br />

enquiries – in multiple languages – from the<br />

victims whom they target.<br />

Education: an unlikely target?<br />

IT professionals operating in educational<br />

institutions have been slow to adopt<br />

ransomware defences, perhaps because there<br />

has been an unfounded misconception that<br />

they’re unlikely to be targeted. If that used to<br />

be the case, it’s certainly not true any more.<br />

Bournemouth University was hit by no less than<br />

21 ransomware attacks last year, while Los<br />

Angeles College was recently forced to pay a<br />

$28,000 ransom to unlock critical data and<br />

systems following a ransomware attack. It’s<br />

shocking, but not altogether uncommon. In<br />

many ways, educational establishments are a<br />

logical target for malicious attackers.<br />

With whole campuses full of independent,<br />

computer-based study being carried out by<br />

students, these younger users could be<br />

perceived to be less wary of suspicious e-mails,<br />

attachments and websites. Compound this with<br />

the fact that each one of these thousands of<br />

pupils likely has multiple devices, all connected<br />

to the institution’s network, and it’s easy to see<br />

how hackers might view schools, colleges and<br />

universities as low hanging fruit. Millions of<br />

highly sensitive records, treasured works and<br />

confidential details, combined with a very real<br />

need to aintain their reputations as trusted<br />

organisations, mean that educational<br />

institutions are seen by many as easy pickings.<br />

Education sector IT budgets don’t normally<br />

include blank cheques for combating cyber<br />

criminals, so investing in anti-ransomware<br />

measures should be a priority for any<br />

educational organisation wanting to avoid a<br />

nasty and expensive surprise.<br />

Fortunately, it’s possible to halt digital<br />

attacks with a combination of the right security<br />

measures and user awareness.<br />

Raising awareness<br />

Most ransomware attacks begin with an e-mail<br />

containing malicious links or attachments.<br />

Consequently, to reduce the likelihood of a<br />

successful attack, it’s imperative to ensure staff<br />

and students know all about the dangers of<br />

ransomware, understand how to practise safe<br />

computing and can recognise the indicators of<br />

malicious e-mails. It’s also important to<br />

maintain awareness by implementing a<br />

programme of regular reminders.<br />

30<br />

www.risk-uk.com


Education Sector Safety and Security: Mitigating The Ransomware Threat<br />

The three key messages that users should<br />

take away from training are:<br />

• Don’t open suspicious e-mails. Treat anything<br />

‘out of the ordinary’ as a potential attack, even<br />

when coming from a trusted source. If<br />

possible, contact known senders separately to<br />

confirm an e-mail is authentic before opening it<br />

• learn to spot ‘red flags’ including poor<br />

spelling/grammar in supposedly professional<br />

e-mails, e-mails received at strange hours,<br />

misspelled domains that look convincing<br />

(A.Anderson@gmoil.com) and buttons and links<br />

in the e-mail connecting to suspicious URLs. To<br />

check this, hover the cursor over the link or<br />

button and the URL will appear at the bottom<br />

left of the window<br />

• when in doubt, delete the communication<br />

Secure your network<br />

Effective user training can help to prevent many<br />

attacks, but keeping the network free of<br />

malware also requires a combination of<br />

effective perimeter filtering, specially-designed<br />

network architecture and the ability to detect<br />

and eliminate resident malware that may<br />

already be inside the host network.<br />

Attackers can be prevented from entering the<br />

network by a next generation firewall or e-mail<br />

gateway solution that filters out most threats.<br />

The best solutions will scan incoming traffic<br />

using signature matching, advanced heuristics,<br />

behavioural analysis and sandboxing and have<br />

the ability to correlate findings with real-time<br />

global threat intelligence.<br />

When looking at the IT estate, make sure you<br />

can control and segment network access to<br />

minimise the spread of any threats that may<br />

enter. Ensure that students can only spread<br />

malware within their own limited domain, while<br />

also segmenting. You might need to allow<br />

admin staff, teachers and guests to each have<br />

limited or specific access to online resources.<br />

Start off with a clean slate. The existing<br />

infrastructure likely contains a number of latent<br />

threats. For their part, e-mail inboxes are full of<br />

malicious attachments and links just waiting to<br />

be clicked on. All applications – whether locally<br />

hosted or cloud-based – must be regularly<br />

scanned and patched for vulnerabilities.<br />

Serious back-up plan<br />

When a ransomware attack succeeds, critical<br />

files – HR, payroll, grades, health records,<br />

confidential student files, e-mail records and so<br />

on – will be encrypted. The only way to obtain<br />

the decryption key is to pay the ransom.<br />

However, if you’ve been diligent enough<br />

about implementing and correctly running a<br />

back-up system, you can simply ignore the<br />

“Some organisations may be committed to a legacy ‘onpremises’<br />

back-up solution. If so, it’s worth starting the<br />

planning phase to transition towards a cloud-based system”<br />

ransom demand and restore your files from<br />

your most recent back-up. Your attackers will<br />

then have to find someone else to rob.<br />

Automated, cloud-based back-up services<br />

will provide the greatest security for data. For<br />

budgetary or other reasons, some educational<br />

organisations may be committed to a legacy,<br />

‘on-premises’ back-up solution. If so, it’s worth<br />

starting the planning phase to transition<br />

towards a cloud-based system. In the<br />

meantime, on-premises systems can be<br />

configured to back-up files regularly<br />

throughout the day. Admins should also be<br />

extremely diligent about moving current backups<br />

to a secure, off-site location every evening.<br />

Many digital security experts believe that<br />

ransomware is set to evolve and make up the<br />

majority of cyber attacks in 2017. Given that the<br />

pursuit of profit is the primary motivation for<br />

most criminals, it’s perhaps not surprising that<br />

ransomware’s popularity has continued to grow.<br />

Simply put, ransomware is the easiest and<br />

most effective way in which to extort money<br />

from businesses of all sizes. Educational<br />

institutions face this threat, as do banks,<br />

hospitals, retailers and even Governments.<br />

Future UK workforce<br />

While the tips and tricks outlined here are<br />

easily actionable as part of educational<br />

organisations’ battles against ransomware, only<br />

recently has there been a particular spotlight<br />

on the digital skills of the nation’s children who<br />

are growing to become young people within a<br />

world dominated by IT and the Internet.<br />

In March, the Communications Committee for<br />

the House of Lords reported that learning<br />

Internet safety should be a top educational<br />

priority, alongside literacy and mathematics.<br />

For his part, Lord Best issued recommendations<br />

building on findings from the Children’s<br />

Commissioner that “digital literacy should be<br />

the fourth pillar of a child’s education alongside<br />

reading, writing and mathematics and be<br />

resourced and taught accordingly”.<br />

Half of all law-breaking in the UK now<br />

happens online and, while there’s little doubt<br />

that children are indeed becoming increasingly<br />

digitally literate, this House of Lords report<br />

rightly points to the fact that the education<br />

system isn’t yet equipping them with decent<br />

enough levels of digital knowledge before they<br />

leave school and form our next workforce.<br />

Wieland Age:<br />

General Manager (EMEA) at<br />

Barracuda Networks<br />

31<br />

www.risk-uk.com


Educational facilities<br />

should be safe, secure<br />

and healthy<br />

environments that<br />

encourage learning<br />

and development.<br />

However, criminal<br />

activity can<br />

compromise these<br />

principles and, in turn,<br />

undermine the hard<br />

work of both teachers<br />

and students. Peter<br />

Jackson examines the<br />

security solutions that<br />

can be put in place to<br />

prevent harm from<br />

being perpetrated<br />

Security By The Book<br />

Only recently, an ITV News story revealed<br />

that pupils at a primary school in<br />

Leicestershire missed the first day of the<br />

new term after vandals broke in and caused<br />

thousands of pounds worth of damage. The<br />

wreckage ranged from broken windows to the<br />

destruction of furniture and play equipment.<br />

The latest reported statistics show that there<br />

were 13,003 incidents of theft, burglary and<br />

robbery reported in schools in England, Wales<br />

and Northern Ireland in 2014, alongside 4,106<br />

investigations into damage or acts of arson.<br />

The price of repairing physical damage and<br />

replacing stolen equipment can have a<br />

significant bearing on a school’s budget.<br />

Indeed, financial restraints in UK schools are a<br />

big factor to consider when assessing the<br />

importance of adequate physical perimeter<br />

security. Recent announcements by Government<br />

ministers suggest that 5% of council schools<br />

and 4% of Academy Trusts have budget deficits,<br />

with the general secretary of the National Union<br />

of Teachers estimating that 92% of schools in<br />

England could face real terms budget cuts over<br />

the next four years.<br />

In spite of these tight constraints, vandalism<br />

in Scottish schools, for example, cost the<br />

taxpayer over £1 million in repairs in 2015 and<br />

at least £4.5 million over the past five years.<br />

These unplanned costs will generally mean<br />

that less money is available for important<br />

considerations such as recruiting personnel or<br />

improving building facilities and equipment.<br />

There are also the non-financial impacts<br />

associated with these crimes that must be<br />

considered. The reputation of a given<br />

establishment, a fear of safety among members<br />

of staff, parents and students as well as the<br />

disruption caused to learning can all have longterm<br />

effects that may be hard to shake off.<br />

Physical security<br />

A large number of people flow through<br />

educational sites on a daily basis making it a<br />

difficult task to keep track of crowds at<br />

particular locations. The lack of a formal<br />

security strategy for schools, coupled with the<br />

fact that we don’t employ security personnel at<br />

school sites, means that the use of physical<br />

security solutions including gates, fences and<br />

turnstiles is recommended.<br />

For maximum effectiveness, physical security<br />

solutions should be supported by some means<br />

of electronic security equipment such as access<br />

control to effectively manage and limit<br />

movement within a site.<br />

Initiatives such as Secured by Design provide<br />

several guidance documents that aim to reduce<br />

crime in the built environment. The latest<br />

advice to schools incorporates several new and<br />

improved security standards that have been<br />

developed to address emerging methods of<br />

criminal attack. The guide advocates a clear<br />

management and maintenance programme to<br />

ensure the permanency of any measures<br />

undertaken. Periodically assessing for risks and<br />

implementing solutions where necessary is a<br />

good way of making sure that a site is always<br />

meeting its Health and Safety obligations.<br />

Developing a detailed school security policy<br />

that identifies the risks and puts controls in<br />

place to minimise harm to staff, pupils and<br />

visitors is vital. Procedures should also be in<br />

place to prevent security and safety breaches<br />

as well as to educate members of staff around<br />

them always being ‘security aware’.<br />

Having visible physical measures and<br />

processes in place will help to protect against a<br />

range of threats and vulnerabilities. Public<br />

safety must remain at the top of the agenda to<br />

ensure the health and well-being of all<br />

individuals in and around the school site.<br />

To this end, Building Regulations, Local<br />

Authority permits, Health and Safety and fire<br />

prevention requirements must be strictly<br />

adhered to and observed at all times.<br />

Planning the perimeter<br />

To safely and effectively secure a school,<br />

college or university site, careful planning of<br />

the perimeter security is paramount.<br />

32<br />

www.risk-uk.com


Education Sector Safety and Security: Physical Security System Design<br />

Educational facilities are often complex sites to<br />

secure, playing host to multiple buildings (each<br />

with their own access points), open spaces<br />

between those buildings, play areas and sports<br />

facilities as well as fields. Perimeter security<br />

solutions therefore need to integrate with the<br />

overall site architecture and, ultimately, aim to<br />

control the movement of people and vehicles<br />

through the use of solutions such as fences,<br />

gates, bollards and barriers.<br />

It may be worth thinking about creating<br />

separate traffic routes for pedestrians and cars<br />

to make sure members of the public are safe<br />

during peak periods. A plan should also be put<br />

in place during quieter times in order to<br />

maintain a ‘security conscious’ approach.<br />

Having an understanding of the land layout<br />

surrounding the site perimeter and its uses is<br />

also crucial as certain aspects may contribute<br />

to or otherwise assist in the perimeter being<br />

breached. By way of example, if the school or<br />

college is the neighbour of a pallet production<br />

company then the latter’s stock of pallets next<br />

to any school fence makes it easy for would-be<br />

intruders to use those pallets as a means of<br />

gaining illegal entry to the premises.<br />

Alongside the various regulations to follow,<br />

consultation with local residents and<br />

neighbouring businesses is a vital aspect to<br />

think about as these parties can provide<br />

additional support that may well assist in<br />

preventing a perimeter breach.<br />

When considering access points into and<br />

around an educational facility, it’s particularly<br />

important to understand and manage<br />

permissions for staff and students entering the<br />

site and prevent or control access for other<br />

individuals wishing to enter. Having clear<br />

signposting and designated areas for visitors<br />

including parents, local authority employees<br />

and suppliers, etc is key alongside<br />

supplementary measures such as a reception<br />

area or a sign-in procedure orchestrated to help<br />

establish the authenticity of a particular visit.<br />

If for any reason an entrance is used to<br />

provide unrestricted access, it must be<br />

monitored in person by a member of staff so as<br />

to provide an initial deterrence.<br />

Locking down entry points<br />

With safety being the first priority, it may be<br />

worth considering locking down all entry points<br />

on the perimeter of a site during the day with<br />

access managed via a staffed reception. When<br />

combined with durable high security fencing,<br />

such a policy can not only help in denying<br />

potential criminals entry, but it can also prevent<br />

pupils in primary and secondary school-level<br />

education from leaving without permission.<br />

Nowadays, most new schools are built in<br />

urban areas whereas existing ones are being<br />

bordered by new residential developments. In<br />

these cases, it’s important to consider the<br />

surrounding neighbours in regard to the noise<br />

created during the school day.<br />

Acoustic fencing is suitable for ameliorating<br />

noise as it can be used to deflect external<br />

sound away from a school site as well as<br />

contain and absorb internal noises from high<br />

impact areas such as playgrounds. These<br />

solutions can work together to provide school<br />

users and neighbours alike with the optimum<br />

combination of privacy and security.<br />

Sports fields and courts are another area<br />

within the school site that may require some<br />

defences in place to safeguard pupils and staff<br />

from harm and protect buildings from damage.<br />

Stray footballs, for example, can cause pain<br />

and injury to unsuspecting members of the<br />

public passing by and realise destruction in the<br />

form of smashed windows. Installing suitable<br />

fences and gates around these areas can help<br />

when it comes to preventing such occurrences<br />

from taking place.<br />

Importance of aesthetics<br />

Aesthetics is one more important factor.<br />

Creating a pleasant and welcoming appearance<br />

is a key element that helps with staff<br />

recruitment and retention, and also increases<br />

student productivity. Security solutions in<br />

secondary schools that feature bespoke<br />

elements such as incorporating the school’s<br />

logo and colours are also ideal as they can help<br />

develop a strong identity as well as a shared<br />

sense of loyalty among students and staff.<br />

Primary schools, on the other hand, rely<br />

highly on bright colours and soft features in the<br />

playground to engage and aid pupil interaction.<br />

In this scenario, using timber fencing around<br />

the perimeter may be much more beneficial as<br />

it can be styled and decorated accordingly.<br />

Ultimately, having the most appropriate<br />

solutions in the right places will help in<br />

creating a safe and secure teaching and<br />

learning environment which also benefits the<br />

local community. A good school security policy<br />

can undoubtedly assist in reducing incidences<br />

of anti-social behaviour, increase collaboration<br />

and cohesion in neighbourhoods and make an<br />

establishment more attractive to prospective<br />

staff and students alike.<br />

Peter Jackson:<br />

CEO of Jacksons Fencing<br />

“For maximum effectiveness, physical security solutions<br />

should be supported by some means of electronic security<br />

such as access control to manage and limit on-site movement”<br />

33<br />

www.risk-uk.com


What plans do you have for<br />

emergency evacuation?<br />

As detailed in the Equality Act (2010) places of employment,<br />

<br />

<br />

<br />

So in the event of an emergency<br />

can you evacuate the mobility<br />

impaired safely?<br />

<br />

<br />

<br />

<br />

The Evac+Chair is the World’s No.1<br />

Emergency Stairway Evacuation Chair<br />

0121 796 1427 FREE evacuation<br />

assessment www.evacchair.co.uk<br />

Are false fire alarms<br />

disrupting your day?<br />

We’ve got you covered!<br />

<br />

Advanced models<br />

available<br />

with sounder<br />

and weatherproofing<br />

Minimise disruption and downtime caused by unwanted false fire alarms.<br />

Protective covers prolong the life and reliability of vulnerable call points.<br />

www.sti-emea.com info@sti-emea.com 01527 520 999


Access Control: Integrated Business Solutions for End Users<br />

When’s the best time to upgrade your<br />

access control solution? Many<br />

businesses choose to follow the policy:<br />

‘If it isn’t broken, don’t fix it’ but this can be a<br />

risky approach in a world where technology and<br />

the threats posed to today’s organisations are<br />

changing so rapidly.<br />

The use of older, legacy access control<br />

systems exposes an organisation, a building, a<br />

server room and/or computers to the<br />

possibility of unauthorised access and the<br />

myriad consequences that follow.<br />

Access control technology is widely present<br />

across many aspects of an organisation and<br />

benefits both physical security and IT security.<br />

With the advancements in smart phone, smart<br />

card and biometric technologies, it’s now time<br />

for organisations to start using these devices to<br />

not only save on costs, but also to improve<br />

upon the end user experience and simplify the<br />

integration process of new biometric<br />

technologies when they’re introduced.<br />

Why, though, is now the best time for end<br />

users to upgrade their systems?<br />

Data privacy issues<br />

One of the biggest drivers for updating legacy<br />

access control systems is the need for<br />

enhanced levels of data privacy. This could<br />

come about through the on-boarding of a client<br />

that requires high levels of security, new<br />

legislation being brought in for specific<br />

industries or even new building tenants.<br />

The driver remains the same: data or the<br />

building itself is in some way exposed to or at<br />

risk and needs added protection. Put simply,<br />

yesterday’s technology is no longer sufficient<br />

for confronting today’s access control and<br />

identity management challenges.<br />

With data breaches dominating the<br />

technology, security and indeed national<br />

headlines, end users are fully aware that the<br />

risk posed to organisations is evolving, while<br />

the need to protect their physical assets – and<br />

consequently data assets – is of vital<br />

importance. The ‘IFSEC International Access<br />

Control Report 2016: Legacy Infrastructure and<br />

Motivations for Upgrading’ report highlights the<br />

fact it would take a security breach that<br />

exposed a flaw in the current system for 92% of<br />

respondents to consider changing their current<br />

access control system, but not beforehand.<br />

On any site at any one time, in addition to<br />

regular employees, there are also individuals<br />

and groups on the premises (contractors, for<br />

instance) who have access to various parts of<br />

the location for short periods of time. In the<br />

IFSEC report, 75% of respondents have third<br />

party members on site on a regular basis.<br />

Smart About Access<br />

Technology advancements in trusted identities will create a<br />

mixed technology environment with smart cards, mobile<br />

devices, ‘wearables’, embedded chips and other ‘smart’<br />

objects driving the transformation from legacy access control<br />

systems. As Jaroslav Barton outlines, the shift to NFC,<br />

Bluetooth Low Energy and advanced smart card technology<br />

will be necessary to meet evolving business requirements<br />

Integrated visitor management solutions in<br />

modern access control systems significantly<br />

improve the distribution and use of temporary<br />

credentials, but also safeguard various parts of<br />

the site when it comes to any unwarranted<br />

access. Access control solutions, such as<br />

mobile access or modern smart card<br />

technology, make it that much easier for<br />

facilities and security managers to track who’s<br />

accessing what parts of the site to ensure<br />

nobody’s in an area that they shouldn’t be.<br />

End user convenience<br />

The continual development in consumer<br />

technology has spilled over into the business<br />

world with devices now being used for work as<br />

well as our personal lives. Bring Your Own<br />

Device, mobiles and ‘wearables’ are all<br />

common features of today’s office environment.<br />

Organisations can use the growing level of<br />

secure technologies that employees are<br />

carrying around with them on a daily basis. In<br />

place of several key cards or fobs that could be<br />

lost, end users can instead employ smart<br />

phones or smart devices – their closest pieces<br />

of technology – for secure access control.<br />

Jaroslav Barton: Product<br />

Marketing Director for Physical<br />

Access Control Solutions<br />

(EMEA) at HID Global<br />

35<br />

www.risk-uk.com


Access Control: Integrated Business Solutions for End Users<br />

In addition, advanced smart card technology<br />

allows for a single smart card to provide<br />

multiple access requirements on a secure<br />

footing. Mobile access control is increasingly<br />

pervading the market and, it must be said, the<br />

benefits this brings are numerous.<br />

Understanding the requirements from<br />

building occupants is an important step before<br />

undertaking an access control update. The<br />

IFSEC International report notes that 48% of<br />

respondents would like an easy-to-use access<br />

control system, with 32% requesting multiple<br />

levels of access depending on the degree of<br />

authority required. This added security element<br />

is clearly an important function, and one that<br />

can be easily designated with more modern<br />

technologies to hand.<br />

Having mobile credentials that allow for<br />

multiple access levels, for instance, saves end<br />

users from the prospect of multiple access<br />

control devices that could lead to confusion or<br />

possibly misplacement. The IFSEC survey also<br />

notes that 29% of respondents would like<br />

future-proof technology. This can easily be<br />

provided through mobile access solutions<br />

which grant end users modern techniques for<br />

access control, but also a single credential for<br />

multiple access devices. Using smart phones is<br />

a very straightforward solution that solves<br />

three of the top concerns of employees looking<br />

for updated access control.<br />

One of the largest stumbling blocks to<br />

updating an enterprise’s access control system<br />

is the perceived disruption that the upgrade<br />

itself will cause. 69% of respondents in the<br />

IFSEC report believe that upgrading to a new<br />

access control system would be disruptive to<br />

their daily business, while 55% cite cost as the<br />

biggest misgiving when it comes to upgrades.<br />

Despite the perceived disruption, many sites<br />

can be retrofitted using existing access control<br />

hardware behind the scenes, with minimal<br />

replacements needed to upgrade technologies.<br />

Not having to start from scratch also helps to<br />

significantly lower the costs of the operation,<br />

making it a more cost-efficient venture with<br />

minimal disruption to the host business.<br />

Secure communication<br />

A new access control solution must be flexible<br />

such that end users don’t just see it as an<br />

‘expensive way of opening doors’. Open<br />

Supervised Device Protocol (OSDP) for secure<br />

“Despite the perceived disruption, many sites can be retrofitted<br />

using existing access control hardware behind the scenes, with<br />

minimal replacements needed to upgrade technologies”<br />

communication between field devices in a<br />

physical access control system has gained in<br />

importance, allowing for standardisation, more<br />

flexibility and freedom of choice for security<br />

and risk managers.<br />

Flexibility also supports multiple applications<br />

for managing not only physical access, but also<br />

logical access applications, such as those<br />

related to computers and software logins.<br />

Additional access control systems – among<br />

them secure print management – require an<br />

associated card issued to users. This represents<br />

a prime opportunity for organisations to<br />

consolidate around a single access control<br />

device, such as a contactless ‘wearable’ or<br />

smart phone that combines access control with<br />

other key functions.<br />

By exploiting modern technology, such as<br />

mobile devices, smart cards and ‘wearables’,<br />

end users are afforded the opportunity to<br />

simplify their access control devices: one<br />

device with one credential providing access to<br />

multiple areas and requirements.<br />

It was found that nearly a quarter of<br />

respondents to the IFSEC International survey<br />

wish to manage multiple credentials across a<br />

single device. With mobile access solutions,<br />

multiple credentials are rolled into one and<br />

stored on a lone device. The facilities or<br />

security/risk manager is capable of controlling<br />

access and distributing credentials to those<br />

with the right security clearance.<br />

Technology such as the latest high-frequency<br />

access control systems ensure that security is<br />

independent of hardware and media. This<br />

makes it far easier for organisations to support<br />

functionality and higher levels of data privacy.<br />

Infrastructure security<br />

Although there are clearly several perceived<br />

barriers to the adoption of more sophisticated<br />

access control systems, organisations are<br />

placing an increased importance on<br />

safeguarding their physical assets as this also<br />

supports the protection of IT infrastructure.<br />

This is mainly due to the belief that current<br />

systems in place are adequate enough until<br />

they’re proven to have failed, coupled with the<br />

fact that a replacement system is perceived to<br />

be an unnecessary expense.<br />

Despite technological advancements, end<br />

users are still content with cards and key fobs,<br />

regardless of the lack of sophisticated security<br />

and encryption contained in them when<br />

compared with mobile access control solutions.<br />

That said, the change to a more sophisticated<br />

solution is likely to come from the employees<br />

themselves, rather than the decision-makers at<br />

the top of a given organisation.<br />

36<br />

www.risk-uk.com


4 July 2017<br />

Hilton London Canary Wharf<br />

Start your planning for 2018 at the Security IT Summit.<br />

Meet with the most trusted solution providers, learn from industry thought leaders and connect with<br />

peers over the course of the Summit, which is entirely FREE to attend for security professionals.<br />

Topics covered include: Access Control • Anti-Virus Browser • Security Data • Theft/Loss • Malware<br />

• Mobile Security • Network Security Management • Trojan Detection • UK Cyber Strategy<br />

For more information and to register, please contact Liz Cowell on:<br />

01992 374072 or l.cowell@forumevents.co.uk.<br />

@SECIT_SUMMIT #SITSUMMIT<br />

SECURITYITSUMMIT.CO.UK<br />

MEDIA & INDUSTRY PARTNERS:<br />

HOSTED BY:


Fashioning The Building Blocks of<br />

Construction Risk Management<br />

agenda specifically designed to combat poor<br />

payment practice and help SMEs continue to<br />

operate. From my own point of view, it’s simply<br />

unacceptable that large businesses are<br />

withholding payment owed to smaller<br />

companies. This initiative should help prevent<br />

some of the 50,000 construction business<br />

closures that occur every year.<br />

Every business in<br />

every sector that<br />

tenders for work has<br />

to weigh up the<br />

potential risks versus<br />

the potential rewards.<br />

However, in the<br />

construction industry,<br />

it’s increasingly the<br />

case that subcontractors,<br />

otherwise<br />

known as Tier 2 and<br />

Tier 3 contractors, are<br />

being expected to take<br />

a larger chunk of the<br />

risk for a lower slice of<br />

the reward. This is due<br />

to the significant<br />

challenges they’re<br />

facing, as Carl Ghinn<br />

observes in detail<br />

As a business, we work closely with<br />

contractors of all shapes and sizes, both in<br />

the construction and M&E sectors. There<br />

are several issues that they must factor-in when<br />

addressing the delicate calculation between<br />

risk and reward, among them the payment risk,<br />

the pricing risk, the product availability risk and<br />

the skills shortage risk.<br />

One of the biggest risks facing Tier 2 and Tier<br />

3 sub-contractors is cashflow. In a survey run<br />

by the Specialist Engineering Contractors’<br />

Group, it was revealed that the country’s top<br />

contractors were owed over £1 billion in unpaid<br />

bills from organisations within the public<br />

sector, with sub-contractors bearing the brunt<br />

of this, being owed at least £800 million.<br />

Commenting on this matter, Rob Driscoll (an<br />

advisor to the Cabinet Office) explained: “In<br />

businesses of any size, late payment stifles<br />

both investment and innovation. Our latest<br />

survey of the market shows that far too many<br />

public sector bodies are still ignoring the legal<br />

requirement to enable prompt payment along<br />

the supply chain.”<br />

As of this month, large companies will have<br />

to publicly report twice a year on their payment<br />

practices and performance. The move is part of<br />

the Conservative Government’s transparency<br />

‘The Pricing Risk’<br />

Price fluctuation is one of the major risks in the<br />

construction world. During the tender process,<br />

contractors are understandably expected to<br />

cost every element. However, this is often for<br />

projects that sometimes may not start for at<br />

least another six months.<br />

If their tender is accepted they will be held to<br />

this price regardless of any marketplace<br />

changes. Yes, in some cases prices do go down,<br />

but in many instances they go up, leaving the<br />

contractor with a much-reduced margin or even<br />

a loss. As highlighted previously, these<br />

payments are not always received quickly,<br />

resulting in a considerably stunted cashflow.<br />

Other industries have different and arguably<br />

better approaches, among them the operation<br />

of a cost-plus model, which effectively protects<br />

the contractor while at the same time<br />

promoting transparency.<br />

Rising costs are a great concern for many of<br />

our customers. According to the Construction<br />

Products Association’s (CPA) latest Construction<br />

Trade Survey, there has been an 88% increase<br />

in raw materials costs for civil engineering<br />

contractors in recent times. Rebecca Larkin,<br />

senior economist at the CPA, stated: “While<br />

Government has a role to play in providing<br />

certainty for projects, the industry will need to<br />

find ways in which to navigate rising costs.”<br />

Sadly, this is having an effect on morale in<br />

the sector. Brian Berry, CEO of the Federation of<br />

Master Builders, commented: “The optimism<br />

that we saw emanating from many firms in the<br />

construction sector during most of 2016 has<br />

now diminished because of growing concerns<br />

about rising costs.”<br />

Last October, the price of steel increased by<br />

8%. This was a huge problem for some of our<br />

customers but, as we follow the markets<br />

closely, we had decided to bulk-buy a large<br />

number of products before this increase. With<br />

the additional benefit of our 60-day credit<br />

38<br />

www.risk-uk.com


Risk Management in the Construction Sector<br />

terms, we were able to soften the blow for our<br />

clients who may need those products within the<br />

next six months, reducing the risk involved.<br />

Product availability risk<br />

When we visit our clients on site, the subject of<br />

product availability often arises. It’s a constant<br />

concern for many that products are not going to<br />

be available when they’re needed, whether<br />

that’s due to last-minute orders or changes in<br />

legislation causing an increase in demand.<br />

One example which affected our customers<br />

was Amendment 3 to the 17th Edition of the<br />

IET’s Wiring Regulations. The revision changed<br />

how professional electricians and contractors<br />

should install wiring in escape routes so as to<br />

prevent them from becoming blocked by the<br />

premature collapse of cabling installations.<br />

As a result, the sole use of plastic fixings and<br />

cable ties no longer complies with the Wiring<br />

Regulations, so our customers are starting to<br />

use stainless steel cable ties and concrete<br />

screws instead. In the event of a fire, they’re<br />

capable of withstanding temperatures of over<br />

500°C, significantly reducing the risk of cable<br />

installations collapsing and causing unwanted<br />

blockages in escape routes.<br />

Initially, we found that the changes brought<br />

about by Amendment 3 took their time to filter<br />

through to contractors on site. However, we’re<br />

now seeing a change in approach. While we’ve<br />

stocked these items for a number of years,<br />

we’ve recently witnessed a 124% year-on-year<br />

increase in stainless steel cable tie sales and a<br />

198% year-on-year increase in concrete screw<br />

sales. This is just one example of how a change<br />

in legislation can dramatically increase the<br />

demand for particular product types.<br />

Another issue our customers face is the fact<br />

that many manufacturers are based in the<br />

Midlands, making it difficult for contractors in<br />

London and the South East to procure large<br />

quantities of stock on a swift basis.<br />

Furthermore, companies working within the<br />

capital often don’t have the capacity to store<br />

stock on site and don’t want to tie up valuable<br />

cashflow in large stockholdings.<br />

In addition, our customers are often affected<br />

by changes in construction schedules driven by<br />

other contractors and may need products<br />

quickly and unexpectedly. Solution suppliers<br />

need to guarantee that 100% of core lines are<br />

always in stock in order to help customers<br />

avoid additional cost and penalties.<br />

In all honesty, it’s also a good policy to let<br />

customers cancel any order up to two hours<br />

before without any charge by way of<br />

acknowledgement that these changes are often<br />

out of their hands.<br />

“The optimism that we saw emanating from many firms in<br />

the construction sector during most of 2016 has now<br />

diminished because of growing concerns about rising costs”<br />

Skills shortage risk<br />

It’s no secret that there’s a skills shortage in the<br />

construction industry which is causing untold<br />

difficulties for many. According to Arcadis, in<br />

order for the Government to meet its housing<br />

targets, the UK needs to recruit up to 400,000<br />

construction workers each year until 2021, with<br />

London and the South East needing to recruit<br />

110,000 individuals alone. That equates to<br />

approximately one worker every 77 seconds.<br />

As a weaker pound has already resulted in<br />

large numbers of Eastern European workers<br />

returning home, contractors are having to pay<br />

their staff more money in order to keep them,<br />

thereby risking further reductions in margins.<br />

The Royal Institute of Chartered Surveyors<br />

(RICS) estimates that, should a hard Brexit take<br />

place, the UK could miss out on an additional<br />

215,000 migrant workers by 2020. On that<br />

basis, the RICS has called on the Government<br />

to prioritise building workers for visas in order<br />

to go some way towards mitigating this risk.<br />

Jeremy Blackburn, head of UK policy at the<br />

RICS, explained: “A simple first step would be<br />

to ensure that construction professions feature<br />

on the Shortage Occupations List. Ballet<br />

dancers will not improve our infrastructure or<br />

solve the housing crisis, yet their skills are<br />

currently viewed as being essential.”<br />

Mitigating risk<br />

There’s no doubt that mitigating risk has played<br />

a big part in shaping the way in which<br />

construction sector companies and their<br />

suppliers operate in this day and age. Many of<br />

our clients consistently have to weigh up the<br />

very real possibility of losing money for every<br />

job upon which they embark. They face onerous<br />

changes in legislation, not to mention<br />

difficulties in procuring last-minute orders and<br />

a looming skills shortage.<br />

All of this is combined with increasingly tight<br />

margins and a tendency by first tier players to<br />

push all of the risk on to sub-contractors by<br />

implementing severe penalties for failures –<br />

such as failed deliveries or supply of the wrong<br />

product – that may be outside of their control.<br />

By working closely with a specialist supplier<br />

who understands the challenges faced by the<br />

business, organisations in the construction<br />

sector can at least mitigate some of those risks,<br />

thereby allowing them more time to focus on<br />

the core business of the day.<br />

Carl Ghinn:<br />

Managing Director of Fixmart<br />

39<br />

www.risk-uk.com


Intelligent Prevention is the Future<br />

Camera models<br />

developed in the new<br />

generation of HD IPbased<br />

video<br />

surveillance<br />

technologies are<br />

offering end users<br />

something more than<br />

just better quality<br />

images. Tristan Haage<br />

examines the wider<br />

impact of innovation<br />

within this specialist<br />

field and how it’s<br />

actively helping to<br />

solve more real world<br />

problems in many<br />

intelligent and<br />

productive new ways<br />

40<br />

www.risk-uk.com<br />

According to the latest statistics released by<br />

the German Insurance Association, every<br />

five minutes a fire starts at a company<br />

facility somewhere in Germany. The resulting<br />

financial damage amounts to several billion<br />

Euros on an annual basis. The number of<br />

burglaries within Germany has also<br />

dramatically increased over the past five years<br />

(by a figure of 30%, in fact).<br />

Meanwhile, the crime-solving rate for<br />

burglaries at commercial buildings and<br />

factories is less than 20%. All of this clearly<br />

illustrates how important burglary and fire<br />

prevention really are in the real world. In terms<br />

of that last point, for Germany read the UK.<br />

Intelligent security solutions with video and<br />

thermal technology not only help solve crimes<br />

in the event that they do occur, but also help<br />

prevent criminality from occurring in the first<br />

place. Given the rise in property theft, costefficient<br />

and effective security solutions have<br />

become ubiquitous with more and more<br />

companies deciding to use video technology to<br />

monitor their buildings, systems and premises.<br />

That’s not surprising, as the financial damage<br />

caused by theft, vandalism or fire can be quite<br />

significant for an organisation. Not only do such<br />

events incur direct material damage, but they<br />

can also negatively impact productivity and,<br />

consequently, cause insurance premiums to<br />

increase. This has led to a greater focus on<br />

crime prevention in which developing video<br />

technology can play a crucial role.<br />

Conventional video cameras realise video<br />

material that makes it easier to solve crimes,<br />

provided that the image quality is good enough<br />

and the recording process is fail-safe. However,<br />

many of the video systems currently available<br />

on the market and installed don’t actually meet<br />

these minimum requirements for end users.<br />

The end results they realise are often<br />

insufficient for capturing the evidential quality<br />

images needed by investigators. According to a<br />

study last year by market analyst IHS Research,<br />

the majority of cameras sold today still have a<br />

maximum resolution of three megapixels. Many<br />

models are limited due to the low-light<br />

sensitivity of their image sensors, which results<br />

in motion blurring under poor lighting.<br />

Moreover, the quality of a camera system<br />

isn’t only determined by the clarity of the<br />

moving images it records during day and night,<br />

but also by whether or not it’s fail-safe. A<br />

number of factors play a role in this: the<br />

robustness and reliability of the camera as well<br />

as the option to record on the camera itself in<br />

the event of a network failure such that vital<br />

image data crucial to solving a crime isn’t lost.<br />

As a result, this has energised newer video<br />

surveillance systems that use a decentralised<br />

model placing as much intelligence as possible<br />

in each camera. In this way, image processing<br />

and analysis can still be carried out without the<br />

need for a central server or Control Room.<br />

Intelligent video analysis<br />

New decentralised cameras not only serve to<br />

provide images, but are also equipped with<br />

high-performance computing and intelligent<br />

software applications that make the video<br />

system more efficient, and notably so when it<br />

comes to preventing crimes and subsequent<br />

damage. This is because an intelligent camera<br />

will only spring into action when truly<br />

necessary by dint of smart motion detection<br />

software and analytics that enable reliable<br />

alarm management.<br />

For example, if somebody enters the<br />

company premises within a specified time<br />

frame, a given camera automatically plays an<br />

announcement over the loudspeaker and<br />

switches on additional lighting to scare off<br />

undesired visitors. The camera can also notify<br />

selected employees or the presiding security<br />

company via VoIP telephony or e-mail.<br />

Particularly advanced systems use intelligent<br />

camera software that allows moving objects to<br />

be differentiated from one another by their size,


CCTV and Surveillance: HD Technology and IP Solutions<br />

depending on their position in the image. Using<br />

this kind of 3D motion detection reduces false<br />

alarms caused by the movement of birds or<br />

small animals, for example, as well as sources<br />

of interference such as trees or camera poles<br />

swaying in the wind.<br />

This trend towards camera systems<br />

possessing a higher degree of intelligence,<br />

intelligent motion detection software and active<br />

alarm management is essential for highperformance,<br />

preventative security solutions<br />

that can promptly communicate to help prevent<br />

break-ins and other hazardous situations.<br />

When it comes to crime, theft from<br />

commercial sites happens more often at night<br />

and over the course of a weekend. The hours of<br />

darkness are perceived as offering some<br />

protection against detection, and it’s here that<br />

older video surveillance technologies are often<br />

hampered by lower night-time light levels.<br />

In response, the newer generation of<br />

intelligent video security solutions are now<br />

adding thermal imaging technology which<br />

provides many additional advantages. Dual<br />

cameras featuring an image sensor and a<br />

thermal sensor can be used to securely detect<br />

moving objects across long distances based on<br />

their thermal radiation, even in total darkness.<br />

While the thermal sensor reliably records<br />

movements, the high megapixel image sensor<br />

simultaneously provides crisp video footage in<br />

which people and actions can be precisely<br />

identified in each individual frame – an<br />

important factor in investigating a crime. To aid<br />

this process at night, an intelligent camera<br />

system can switch on a light source during<br />

motion detection to boost its ‘thermal eye’.<br />

A dual camera with both an image and a<br />

thermal sensor not only enables effective<br />

building and perimeter protection, but also<br />

helps to protect privacy, which is particularly<br />

important in public areas such as swimming<br />

pools, sporting facilities and hospitals. The<br />

thermal image shows a temperature profile that<br />

doesn’t allow individuals to be recognised in<br />

detail. When configured to do so, the dual<br />

camera system automatically switches from the<br />

thermal image to the image sensor and records<br />

a high-resolution video sequence as soon as an<br />

individual moves in the surveilled area.<br />

Process monitoring<br />

The advantages extend beyond pure security as<br />

video and thermal technology is increasingly<br />

being used as a method of identifying<br />

hazardous situations during production<br />

processes. For example, in the food industry,<br />

video cameras monitor processes for quality<br />

control purposes and, within manufacturing,<br />

“Robust, high-quality cameras that can withstand<br />

temperature fluctuations and moisture are absolutely vital<br />

for today’s busy production facilities”<br />

detect the correct operation of machinery. The<br />

cameras used for this are often high-resolution<br />

hemispheric models with a 360-degree view in<br />

addition to a digital zoom option.<br />

Robust, high-quality cameras that can<br />

withstand temperature fluctuations and<br />

moisture, and which are designed without<br />

moving parts to be practically maintenancefree,<br />

are vital for busy production facilities.<br />

Dual cameras that feature a specially<br />

calibrated thermal radiometry sensor alongside<br />

an image sensor can also monitor temperaturecritical<br />

processes. The intelligence in these<br />

systems is also necessary for preventing<br />

damage through overheating or fire. In the<br />

event that temperatures exceed or fall below<br />

defined limits, as well as in the event of a rapid<br />

increase in temperature, the system<br />

automatically triggers an alarm.<br />

When these systems are integrated within a<br />

SCADA system for monitoring and controlling<br />

production in a given environment, the process<br />

can be stopped and a cooling procedure started<br />

before damage occurs.<br />

Return on investment<br />

Considering the high cost of both security<br />

issues and production losses, an investment in<br />

high-quality video security solutions featuring<br />

robust, fail-safe cameras with intelligent<br />

software offers a significant long-term return.<br />

This is because the intelligence in these<br />

cameras, along with higher quality imagery, is<br />

necessary for analysing the collected data,<br />

recognising hazards and triggering actions<br />

designed to protect against risks and prevent<br />

financial loss through theft, vandalism or fire.<br />

Intelligent camera systems incur fewer total<br />

costs than a conventional video solution,<br />

allowing pay-back within a short period of time.<br />

One of the reasons why is because, as stated,<br />

image processing and analysis take place on<br />

the camera itself while recording on a network<br />

storage device is carried out only in response to<br />

events instead of permanently requiring data to<br />

move to a centralised location for processing.<br />

Additionally, the cameras can save data<br />

internally in the event of a network failure.<br />

For many organisations, prevention is the<br />

future. When it comes to purchasing a video<br />

security system, the benefits offered by<br />

intelligent solutions are now becoming the<br />

deciding factor rather than the retail cost.<br />

Dr Tristan Haage:<br />

Chief Sales Officer at MOBOTIX<br />

41<br />

www.risk-uk.com


Evaluating The Balance of Power<br />

While space in a Data<br />

Centre is key, so too is<br />

ensuring business<br />

continuity, efficiency<br />

and productivity. This<br />

is precisely why<br />

Uninterruptible Power<br />

Supply solutions will<br />

become even more<br />

vital in the<br />

manufacturing sector,<br />

and particularly so<br />

given the advent of<br />

Industry 4.0. Leo Craig<br />

has the fine detail<br />

42<br />

www.risk-uk.com<br />

According to a recent report compiled by<br />

Tech Nation, the UK’s tech sector is<br />

growing faster than the UK’s economy. In<br />

fact, the UK leads in Europe, attracting £28<br />

billion in tech investment since 2011 compared<br />

to £11 billion in France and £9.3 billion in<br />

Germany. The impact of this growth in tech is<br />

being felt across many sectors, but none more<br />

so than in the industrial sphere, where digital<br />

manufacturing is becoming more commonplace.<br />

Also referenced as the Fourth Industrial<br />

Revolution, Industry 4.0 is set to transform the<br />

manufacturing and production world through<br />

new digital innovations which will improve<br />

productivity. Industry 4.0 is all about the<br />

current trend of automation and data exchange<br />

in manufacturing technologies, encompassing<br />

cyber-physical systems, the Internet of Things<br />

and cloud computing.<br />

At its core, Industry 4.0 creates what has<br />

been called a ‘smart factory’. Within the<br />

modular structured smart factories, cyberphysical<br />

systems monitor physical processes,<br />

create a virtual copy of the physical world and<br />

make decentralised decisions. Across the<br />

Internet of Things, cyber-physical systems<br />

communicate and co-operate with each other<br />

and with humans in real-time. Via the Internet<br />

of Services, both internal and crossorganisational<br />

services are offered and used by<br />

participants of the value chain.<br />

There are four design principles in Industry<br />

4.0 that support companies in identifying and<br />

implementing Industry 4.0 scenarios:<br />

• Interoperability: The ability of machines,<br />

devices, sensors and people to connect and<br />

communicate with each other via the Internet of<br />

Things or the Internet of People<br />

• Information transparency: The ability of<br />

information systems to create a virtual copy of<br />

the physical world by enriching digital plant<br />

models with sensor data. This requires the<br />

aggregation of raw sensor data to higher-value<br />

context information<br />

• Technical assistance: First, the ability of<br />

assistance systems to support humans by<br />

aggregating and visualising information<br />

comprehensibly for making informed decisions<br />

and solving urgent problems on short notice.<br />

Second, the ability of cyber-physical systems to<br />

physically support humans by conducting a<br />

range of tasks deemed to be unpleasant, too<br />

exhausting or simply unsafe in nature<br />

• Decentralised decisions: The ability of cyberphysical<br />

systems to make decisions on their<br />

own and perform their tasks as autonomously<br />

as possible. Only in the case of exceptions,<br />

interferences or conflicting goals are tasks then<br />

delegated to a higher level<br />

From the Industrial Internet of Things and<br />

robotics through to 3D printing and Artificial<br />

Intelligence, the digitisation of manufacturing<br />

will inevitably increase the demand for Data<br />

Centre storage. While space in a Data Centre is<br />

key, so too is ensuring business continuity,<br />

efficiency and productivity.<br />

Disastrous consequences<br />

Power fluctuations and disturbances can have a<br />

major impact in the industrial sector. At a largescale<br />

manufacturing plant, for example, a<br />

power shutdown or breakdown in the supply of<br />

monitoring/control information may engender a<br />

disastrous effect on productivity which,<br />

ultimately, could adversely impact the<br />

business’ bottom line. Statistics show that even<br />

one unplanned downtime event can cost a<br />

manufacturer somewhere around £1.6 million,<br />

but in truth the real cost could be even higher.<br />

Having a back-up power supply in place in<br />

the form of a UPS solution is absolutely key for<br />

a facility to be able to operate safely until such<br />

time that full power is restored.<br />

Machinery is vulnerable to numerous<br />

electrical anomalies, from voltage sags and<br />

spikes through to harmonic distortion and<br />

other interruptions. When you consider that<br />

45% of equipment failures occur due to voltage<br />

disturbances, the importance of keeping


Power Supply Continuity and Management<br />

voltage stable and minimising instances of<br />

downtime becomes abundantly clear.<br />

In this situation, a UPS can really come into<br />

its own to not only protect against power<br />

outages, but also in terms of operating as an<br />

effective power conditioning unit. It works by<br />

smoothing out sags, surges and brownouts to<br />

provide a clean and stable power supply.<br />

Ultimately, this prevents damage to sensitive<br />

and more often than not expensive electronic<br />

equipment. A UPS needs to be in online mode<br />

to give full protection against the ‘dirty’ power<br />

that causes disruptions to Data Centre services.<br />

It’s also possible to use a UPS solution solely<br />

as a power conditioner without batteries.<br />

Batteries can only be kept in environments up<br />

to 40 degrees Celsius so this method allows a<br />

UPS to operate in higher temperatures. For<br />

example, offices next to heavy industry, such as<br />

cranes moving cargo at docks, can be affected<br />

by flickering lights. In this situation, a UPS may<br />

be used as a power conditioner on the power<br />

supply to prevent this from happening.<br />

Maintenance considerations<br />

Manufacturing equipment should be subject to<br />

regular maintenance to help reduce instances<br />

of downtime caused by malfunction. While<br />

most manufacturers have a maintenance plan in<br />

place for standard equipment, it’s also<br />

important to consider the UPS equipment. In an<br />

industrial scenario, you simply cannot afford for<br />

your equipment to fail. In turn, the UPS<br />

supporting this must be maintained as well.<br />

Given that it’s an electrical device, a UPS can<br />

and will go wrong at some point in its lifetime.<br />

A maintenance plan not only affords the<br />

business the peace of mind of having access to<br />

technical expertise, but essentially saves the<br />

host organisation money by ensuring that the<br />

lifespan of technology is maximised.<br />

UPS maintenance plans are designed to<br />

provide more comprehensive cover than a<br />

warranty as well as a guaranteed emergency<br />

response time defined in working or clock<br />

hours. For example, with certain plans the end<br />

user can choose between Silver (12 working<br />

hours), Gold (eight working hours) or Platinum<br />

(same day, four clock hours) maintenance.<br />

These are guaranteed response times.<br />

Having a maintenance agreement in place<br />

with a trusted technical expert also affords the<br />

end user 24/7 service availability and access to<br />

spares. Foremost suppliers will stock all spare<br />

parts/components in strategically placed<br />

warehouses combined with a stock holding at<br />

headquarters where UPS solutions of up to 500<br />

kVA can be ready for immediate dispatch<br />

within 24 hours.<br />

Maintenance agreements can also cover<br />

regular preventative engineer visits, firmware<br />

updates and fully comprehensive cover as well<br />

as remote monitoring and diagnosis.<br />

Agreements are available either in or out of<br />

warranty, although be aware that the ‘out of<br />

warranty’ costs can rise. Best Practice would be<br />

to request a price from your UPS supplier for a<br />

fixed price maintenance plan.<br />

Manufacturing’s future<br />

With such a high cost placed on downtime,<br />

manufacturers cannot afford to ignore power<br />

protection like UPS and the importance of a<br />

good maintenance plan. Complex industrial<br />

installations are critical and require an<br />

exceptional level of resilience and reliability<br />

under all operating and environmental<br />

conditions. Having the right UPS in place will<br />

not only afford the host business peace of mind<br />

if machinery does fail, but will also realise the<br />

added reassurance that instances of downtime<br />

will be reduced.<br />

In manufacturing, the UPS can also be<br />

deployed as a frequency converter allowing<br />

conversion between 50 Hz and 60 Hz. The input<br />

of the UPS will accept anything from 48 Hz-52<br />

Hz, while the output can be selected to either<br />

50 Hz or 60 Hz. Combining an output of the UPS<br />

with a step-down transformer simulates<br />

American electrical supply conditions, which is<br />

ideal for testing equipment that may be used in<br />

export applications.<br />

On the output side, the transformer must be<br />

matched to the rating of the UPS. On the input<br />

side, the transformer needs to be oversized in<br />

order to cater for input power factors, battery<br />

charging and operating losses. When using the<br />

UPS as a frequency converter, the static bypass<br />

facility will be inhibited.<br />

The UPS is a clever device which also works<br />

to constantly regulate the electricity supply and<br />

gain precisely the voltage required. It works to<br />

reduce the mains power supply of incoming<br />

voltage such that it matches the electrical<br />

voltage level required by equipment on site.<br />

The output tolerance is normally 230 V, but<br />

using the UPS it’s possible to set the voltage to<br />

a specified amount, for example 215 V, 218 V.<br />

Optimising the voltage for a given Data Centre<br />

means that the host organisation will also be<br />

maximising operational efficiencies.<br />

Leo Craig:<br />

General Manager of Riello UPS<br />

“It’s very much the case that, at any large-scale<br />

manufacturing plant, a power shutdown or breakdown in<br />

the supply of monitoring or control information may<br />

engender a disastrous effect on productivity”<br />

43<br />

www.risk-uk.com


BENCHMARK<br />

Smart Solutions<br />

BENCHMARK<br />

Innovative and smart solutions can add value and benefits to<br />

modern systems for customers. With the technological landscape<br />

rapidly evolving, the Benchmark Smart Solutions project assesses<br />

the potential on offer from system integration, advanced<br />

connectivity and intelligent technology. Bringing together field trials<br />

and assessments, proof of concept and real-world experience of<br />

implementing smart solutions, it represents an essential resource<br />

for all involved in innovative system design.<br />

Launching in 2017, Benchmark Smart Solutions will be the industry’s only real-world resource for<br />

security professionals who are intent on offering added value through the delivery of smarter solutions.<br />

@Benchmark_Smart<br />

Partner Companies<br />

www.benchmarksmart.com


Insurance Rewards for Managing Security Risks<br />

There’s no doubt that insurance can be a<br />

wise investment, and particularly so if a<br />

business potentially faces threats from<br />

episodes of terrorism or activism that could<br />

result in substantial losses and disruption, even<br />

in those instances where the business and its<br />

assets may not have been the principal target<br />

of an attack.<br />

How, though, does an insurer determine an<br />

appropriate premium for covering malevolent<br />

acts and, importantly, how does the insured<br />

party determine whether a premium offers<br />

them good value for money?<br />

In answering these questions it’s perhaps<br />

important to recognise that the insurance<br />

industry itself is highly competitive. This has<br />

the effect of driving down margins across the<br />

sector. Thanks to the Government-backed Pool<br />

Re reinsurance scheme, affordable cover is<br />

available even for acts of terrorism.<br />

With most perils, a premium will be<br />

established based on historic data and claims<br />

trends. Such data provides insurers with<br />

sufficient insight to be able to predict the likely<br />

frequency and magnitude of claims for different<br />

types of buildings and infrastructure. In the<br />

case of terrorism, acts remain few and far<br />

between, but can be catastrophic when they do<br />

occur. In combination with a constantly<br />

evolving modus operandi and changing target<br />

preferences, this can make it difficult for an<br />

insurer to accurately predict the likely value of<br />

claims or to offer a different rate for cover of<br />

one type of building over and above others.<br />

That tends to lead to premiums driven mainly<br />

by the desired level of cover – typically the<br />

building value – and the building’s location.<br />

Such a pricing approach doesn’t recognise or<br />

reward an insured party’s investment in<br />

protective security. From the perspective of the<br />

insured, the insurer might be seen to be<br />

benefiting from their investment, with the<br />

insured paying twice to mitigate the same risk:<br />

once for risk transfer (insurance) and again for<br />

risk treatment (protective security).<br />

However, from the insurer’s perspective, the<br />

complexity of securing built assets against an<br />

array of constantly changing threats means that<br />

no security system could ever be 100%<br />

effective. On that basis, if rewards are to be<br />

offered, then those rewards need to be<br />

determined based on the effectiveness of the<br />

insured in terms of managing security risks.<br />

Security capability<br />

How does an insurer determine an insured<br />

party’s security capability? First, it’s important<br />

to recognise that they must look beyond the<br />

physical and technical security and risk<br />

SABRE: Incentivising<br />

Good Security in the<br />

Built Environment<br />

Property protection insurance isn’t a legal necessity, but<br />

without it a building owner is liable to pay for any damage<br />

their property may suffer as the direct result of a security<br />

incident. In addition, a business may lose income and might<br />

even face legal action related to property damage or injury<br />

through negligence if such negligence is proven in a Court of<br />

Law. With this in mind, Gavin Jones outlines a new security<br />

risk management standard for the built environment<br />

management measures that have been<br />

deployed at the premises. These components of<br />

a security system tend to receive most<br />

attention in any given survey of a facility simply<br />

because they’re the most visible manifestations<br />

of security investment. However, if these<br />

systems were procured without due regard to<br />

the facility’s security requirements, they may<br />

well be ineffective and, it must be said, even<br />

give a false sense of security.<br />

Equally true is the fact that, if there’s no<br />

ongoing review of performance and a<br />

commitment to continual improvement, security<br />

that’s effective one day may not be so the next.<br />

When reviewing current industry<br />

performance, it quickly transpires that those<br />

organisations with effective security share a set<br />

of common attributes. These organisations<br />

have defined objectives, adopt a systematic<br />

and risk-based approach towards safety and<br />

Gavin Jones: Associate<br />

Director (Security and<br />

Resilience) at BRE Global<br />

45<br />

www.risk-uk.com


Insurance Rewards for Managing Security Risks<br />

*For far too long, security has<br />

been seen as a grudge<br />

purchase, in the main due to<br />

a lack of transparency in the<br />

industry and an inability to<br />

communicate to C-Level<br />

decision-makers what they’re<br />

receiving in return for their<br />

monetary investment in<br />

security measures. With<br />

SABRE, we’re seeking to<br />

shine a light on security.<br />

We’re providing a robust and<br />

consistent means by which<br />

organisations can measure<br />

performance and, in doing so,<br />

facilitating improvement and<br />

better value for money<br />

We’re at the start of a long<br />

journey, but we have a great<br />

opportunity to deliver better<br />

outcomes and reduced costs<br />

and stimulate innovation<br />

Insurers, insurance brokers<br />

and building owners<br />

interested in finding out more<br />

about SABRE should access<br />

the SABRE website<br />

(www.bre.co.uk/sabre) or<br />

contact BRE Global via e-mail<br />

at: SABRE@bre.co.uk<br />

security, employ competent persons at critical<br />

intervals, monitor and evaluate ongoing<br />

performance and actively seek to continually<br />

improve their performance levels.<br />

These are the attributes seen in management<br />

systems which, for many years now, have been<br />

used to deliver quality, sustainability and<br />

Health and Safety. Furthermore, organisations<br />

are increasingly seeking third party certification<br />

to such systems in order to communicate their<br />

performance in these areas.<br />

Using these observations, the BRE Trust<br />

funded a research project designed to assess<br />

the feasibility of developing a security risk<br />

management standard for the built<br />

environment. More specifically, a standard that<br />

can be used to improve security performance,<br />

communicate security credentials to interested<br />

parties, reduce procurement risk and,<br />

ultimately, award an independent certification<br />

of an organisation’s approach towards security.<br />

The standard would need to respond to the<br />

requirements of different stakeholders at the<br />

various stages of a built asset’s procurement<br />

and use, while at the same time recognising<br />

that the familiarity of organisations with risk<br />

management and management systems can<br />

vary quite substantially.<br />

Development of SABRE<br />

That research resulted in the development of<br />

SABRE which is assessor-led and can be readily<br />

applied to either new or existing facilities.<br />

Successful assessments result in third party<br />

certification that’s recognised around the world.<br />

The SABRE assessment process is led by an<br />

independent SABRE assessor whose role is<br />

essentially two-fold. First, they’ll verify<br />

evidence against each of the 70 technical<br />

issues covered by the scheme. Second, they<br />

will undertake a scenario-based assessment of<br />

current security risks based on the specific<br />

attributes of a facility and its security.<br />

The SABRE assessor will determine the<br />

assessment score and the corresponding star<br />

rating, with one star indicating an ‘Acceptable’<br />

rating and five stars highlighting an<br />

‘Outstanding’ score. If a given facility doesn’t<br />

achieve the SABRE scheme’s minimum<br />

standards, it will receive an ‘Unclassified’ rating<br />

and not be eligible for certification.<br />

In essence, these ratings provide insurers<br />

with the ability to compare their customers’<br />

“Following in the footsteps of BREEAM, the BRE’s highly<br />

successful standard for sustainability, SABRE is assessorled<br />

and can be applied to either new or existing facilities”<br />

capabilities and commitments around security<br />

and risk management. In addition to insurance<br />

considerations, it can also be used within an<br />

organisation to better understand priorities for<br />

investment and identify improvement<br />

opportunities across a portfolio of built assets.<br />

The assessment of security risks will<br />

highlight areas of vulnerability that should be<br />

prioritised for investment and, equally so, those<br />

areas where resources are potentially being<br />

wasted and where existing or planned security<br />

control offers poor cost benefit ratios.<br />

By adopting a security-minded approach<br />

towards planning and design, security risks can<br />

be removed or reduced at lower cost using<br />

integrated solutions. SABRE also recognises<br />

and rewards the implementation of information<br />

security controls that protect information<br />

relating to a project and its security. This is an<br />

increasingly important issue given the rapid<br />

adoption of Building Information Modelling and<br />

the increasing cyber threat.<br />

Once a facility is occupied there are<br />

significant opportunities to mitigate security<br />

risks, even without further capital expenditure<br />

on physical security. SABRE provides those<br />

responsible for building and facility security<br />

with a robust security risk management system<br />

template, allowing measurement and<br />

benchmarking of current performance and the<br />

ability to demonstrate continual improvement.<br />

Successful piloting<br />

SABRE completed successful piloting and was<br />

launched last December. Early adopters have<br />

already welcomed SABRE, recognising the<br />

benefits that a structured, risk-based approach<br />

brings to security, in turn supporting design<br />

quality and facilitating innovation.<br />

Kevin Gausden, senior consultant at Arup,<br />

explained: “We pride ourselves on providing<br />

our clients with an holistic, whole-life security<br />

and resilience consulting service. This new<br />

SABRE certification means that we can offer our<br />

clients greater transparency on spending and<br />

reinforces the need for a structured, risk-based<br />

approach to security. It affords our clients<br />

further confidence, allows us to continually<br />

adapt and provide innovative technologies and<br />

solutions and absolutely reinforces the need for<br />

early consideration of security issues.”<br />

The BRE has initiated discussions with<br />

property insurers to explain how SABRE<br />

certification can be used as a robust and<br />

consistent indicator for informing risk-based<br />

pricing. With a view towards increasing the<br />

overall uptake of SABRE and allowing for its<br />

global delivery, the scheme will be delivered by<br />

registered assessors.<br />

46<br />

www.risk-uk.com


Because one size<br />

<br />

<br />

The most comprehensive<br />

range of UPS yet.<br />

Provides power protection to data<br />

centres and telecommunications<br />

systems, IT networks and other<br />

critical systems.<br />

<br />

• Multiple sizes<br />

• Advanced communications<br />

• <br />

• Maximum reliability<br />

and availability<br />

www.riello-ups.co.uk<br />

0800 269 394<br />

sales@riello-ups.co.uk


Examining The Myriad Security<br />

Challenges Surrounding ‘Fake News’<br />

The ‘fake news’<br />

phenomenon presents<br />

serious security<br />

challenges for<br />

Governments,<br />

businesses,<br />

communities and<br />

individuals alike.<br />

These challenges are<br />

often complex<br />

problems and, as<br />

Alison Wakefield<br />

rightly observes,<br />

addressing them<br />

requires sophisticated<br />

solutions as well as<br />

significant knowledge<br />

and capability building<br />

across both the<br />

security community<br />

and, indeed, the wider<br />

population<br />

The media has always carried a certain<br />

amount of disinformation, some of which<br />

may be seen simply as careless reporting<br />

or gossip. However, in today’s technologydriven<br />

media landscape, the problem is<br />

magnified many times over. Propaganda and<br />

disinformation need to be seen alongside forms<br />

of cyber crime as representing another growing<br />

‘cyber-enabled’ threat: activities that have been<br />

so transformed by network technology that<br />

they present Governments and organisations<br />

alike with substantial security challenges.<br />

Having played a significant role in the First<br />

and Second World Wars, they’re now<br />

recognised as a significant element of<br />

contemporary ‘hybrid warfare’, as<br />

demonstrated in Russia’s actions in the<br />

Ukraine, being duly employed to undermine<br />

confidence in national Governments and<br />

manipulate democratic processes.<br />

My interest in writing about this topic was<br />

prompted by the welcome announcement at the<br />

end of January of a House of Commons Select<br />

Committee Inquiry on ‘fake news’ by the<br />

Culture, Media and Sport Committee and a call<br />

for written submissions. Respondents to the<br />

inquiry are asked to consider fundamental<br />

questions such as ‘What is ‘fake news’?’, ‘What<br />

impact has ‘fake news’ on public understanding<br />

of the world?’, ‘What responsibilities rest with<br />

search engines and social media platforms?’<br />

and ‘How might we educate people in how to<br />

assess and use different sources of news?’<br />

The Committee refers to growing public<br />

mistrust in traditional news sources and a shift<br />

towards the Internet and social media for<br />

information, presenting a heightened risk that<br />

the public are being fed untruths, particularly<br />

so in light of concerns that the extent of ‘fake<br />

news’ may have had a significant effect on the<br />

democratic processes involved with the 2016<br />

US Presidential Election.<br />

The term ‘fake news’ is actually unhelpful as<br />

it places a wide range of activities and story<br />

types under a single heading. Misleading or<br />

inaccurate journalism is a very different<br />

challenge to a rumour about a publicly-listed<br />

company spread by cyber criminals seeking to<br />

make stock market gains, or a disinformation or<br />

propaganda campaign perpetrated by a foreign<br />

power or political grouping that fosters<br />

political, religious or other unrest. Stories that<br />

potentially fall under the ‘fake news’ umbrella<br />

will, in practice, rest somewhere on a spectrum<br />

of fakery, or perhaps a matrix in which the other<br />

axis captures the level of intent to mislead or<br />

the extent to which stories are true or untrue.<br />

Notably, stories that are 100% false may<br />

actually be easier to refute as being false, as<br />

those that are only partially false may be more<br />

effective in building on the truthful elements to<br />

weave a more convincing lie.<br />

Deliberate propaganda<br />

Much of what’s currently being framed as ‘fake<br />

news’ is in fact deliberate propaganda and<br />

disinformation that needs to be recognised and<br />

labelled as such. In the US, as stated ‘fake<br />

news’ is said to have played a part in Donald<br />

Trump’s election, and to have led to a shooting<br />

at a Washington pizza restaurant.<br />

With the French and German elections<br />

approaching, Western European countries are<br />

starting to respond to the challenge of anti-<br />

Western disinformation from Russia, which has<br />

long been an issue in Eastern and Central<br />

Europe. The European Union’s East StratCom<br />

Task Force was set up in 2015 to counter<br />

Russian propaganda and disinformation,<br />

recently reporting that it has found evidence of<br />

a massive ‘fake news’ campaign targeting<br />

European countries. In January. the Task Force<br />

worked to correct a widely-shared false story<br />

48<br />

www.risk-uk.com


The Security Institute’s View<br />

claiming that Germany’s oldest church had<br />

been burned down by a mob of 1,000 Muslims.<br />

In a report on Russian information warfare<br />

published last year, Lucas and Pomerantsev<br />

observe how the nature of online media, and<br />

especially social media, allows propagandists<br />

to play to audiences who are already<br />

mistrustful of their own systems and seeking<br />

information that confirms their biases,<br />

identifying and exploiting ‘echo chambers’<br />

where facts and fact-checkers have little effect.<br />

Here in the UK, concern is building among<br />

privacy campaigners and watchdogs about the<br />

use of Big Data analytics for profiling citizens,<br />

including for political purposes. Reports on the<br />

strategy used by US data mining company<br />

Cambridge Analytica as part of the presidential<br />

campaign of Donald Trump and the referendum<br />

campaign of Leave.eu give an insight into how<br />

political messages can be tailored to individual<br />

social media users through the data analytics<br />

of online activity. This is likely to become a<br />

common feature of political campaigning in the<br />

future. As a society, we need to do more to<br />

ensure that appropriate data protection<br />

principles and safeguards are in place to keep<br />

up with such technological advances.<br />

Governments also need to take account of<br />

the related problem that the credibility of<br />

established media outlets such as the BBC is<br />

increasingly being questioned and perhaps<br />

actively compromised by wider political forces.<br />

If this situation intensifies, where are we to turn<br />

for trustworthy reports of incidents or events<br />

that impact on our security?<br />

Much of the responsibility for this rests with<br />

politicians, as has been seen in the US, with the<br />

risk of such behaviour spreading across our<br />

own political system. We’re increasingly seeing<br />

the label ‘fake news’ being misapplied to the<br />

mainstream press in order to suit political<br />

agendas. In the US, such efforts to undermine<br />

the media recently extended to the exclusion of<br />

news organisations like CNN and the BBC from<br />

a White House press conference.<br />

While it may be tempting for politicians to<br />

exclaim ‘fake news’ in response to criticism,<br />

this sets a dangerous precedent. Journalists<br />

and editors need to protect their interests – as<br />

well as the national interest – by proactively<br />

challenging such misuses of the phrase.<br />

Dealing with a crisis<br />

In a recent article in Politico Magazine, the<br />

point was made that President Trump’s alleged<br />

attempts to discredit the press and scientific<br />

community could later serve to undermine his<br />

administration’s capability to deal with a major<br />

crisis. Events such as the Ebola crisis require<br />

evidence-based understandings of the<br />

problems at hand, trust between partners<br />

involved in responding to the crisis and<br />

effective public information campaigns<br />

orchestrated to communicate risk information<br />

and advice to the public. If such elements are<br />

lacking then the crisis response will inevitably<br />

be seriously impaired.<br />

Propaganda and disinformation themselves<br />

belong on the registers of major risks to<br />

national Governments and corporations as<br />

threats to their strategic objectives, reputation<br />

and continuity of operations. These activities<br />

may undermine democratic systems or stir up<br />

community sentiment on an issue to such a<br />

degree that it boils over into civil disorder, and<br />

so need to be included in emergency<br />

preparedness strategies of scenario planning<br />

and exercising. One of the underpinning<br />

features of a crisis is the erosion of the<br />

infrastructure (ie power, telecommunications<br />

and transportation systems) on which a<br />

response strategy is dependent. If trust in<br />

public information is undermined, the capacity<br />

to make judgements is equally impaired.<br />

In the corporate world, the brand is often an<br />

organisation’s biggest asset. Misinformation<br />

presents significant reputational risks and may<br />

be employed by competitors or cyber criminals<br />

seeking to gain stock market advantages. Back<br />

in 2013, a hacker posted a bogus tweet by the<br />

Associated Press about an explosion at the<br />

White House which led to over £90 billion being<br />

temporarily erased from the US stock market.<br />

Companies are typically alerted after the fact<br />

when share prices are already moving. A recent<br />

report produced by BrandProtect and The<br />

Ponemon Institute concludes that the threats<br />

posed to companies by online incidents and<br />

cyber attacks falling outside of the traditional<br />

corporate security perimeter are high, yet the<br />

capabilities to mitigate them are low.<br />

‘Fake news’ presents a further threat to<br />

companies and individuals as a tool for social<br />

engineering, itself a significant dimension of<br />

cyber crime as discussed by James Scott in a<br />

report for the Institute of Critical Infrastructure<br />

Technology. This type of threat sees both ‘fake<br />

news’ and real news being ‘weaponised’, with<br />

trending stories and sensational headlines<br />

being used to draw people’s attention. Lures<br />

range from the very basic to the highly tailored,<br />

based on individuals’ social media activity.<br />

Dr Alison Wakefield FSyI:<br />

Vice-Chairman of The Security<br />

Institute and Senior Lecturer in<br />

Security Risk Management at<br />

the University of Portsmouth<br />

“Much of what’s currently being framed as ‘fake news’ is<br />

in fact deliberate propaganda and disinformation that<br />

needs to be recognised and labelled as such”<br />

49<br />

www.risk-uk.com


Female Business Travel Risk:<br />

A Need for Special Treatment?<br />

Business travellers will<br />

always face a degree<br />

of risk, and<br />

particularly so when<br />

venturing into an<br />

unfamiliar<br />

environment where<br />

most individuals<br />

speak another<br />

language and have<br />

different customs. An<br />

increasing number of<br />

today’s organisations<br />

realise they can lessen<br />

or avoid prohibitive<br />

legal and/or financial<br />

consequences by<br />

proactively working<br />

ahead of time to<br />

reduce employee risks<br />

during trips overseas.<br />

Darren Carter delves<br />

into the fine detail<br />

Darren Carter: Head of Group<br />

Security at Edwardian Hotels<br />

London and Hotel Sector<br />

Security Lead for ASIS UK<br />

Despite the ever-present – and seemingly<br />

increased – risk posed to business<br />

travellers in today’s world, we continue to<br />

see a vast amount of business travel taking<br />

place right across the globe. Recent research<br />

suggests that the proportion of those business<br />

travellers who are female is now as high as<br />

45%-50%: a direct correlation with the<br />

increasing numbers of female executives<br />

appointed into senior management roles.<br />

On that note, I was recently invited to take<br />

part in a panel discussion about this very<br />

subject. The discussion was observed by a<br />

varied audience of experts and interested<br />

parties, among them travel managers, safety<br />

and security managers and hotel and travel<br />

agency staff. The premise for the discussion<br />

was ‘Safeguarding Female Business Travellers’<br />

and whether enough is being done to meet the<br />

safety and security needs of that cohort.<br />

Is there really a strong case to be made for<br />

any ‘special treatment’ of females when, in<br />

2017, most large companies will have gender<br />

equality placed very highly among the key<br />

‘must achieve’ tasks?<br />

Two decades ago, when I first entered the<br />

world of hotel security operations, we were<br />

talking about female business traveller security<br />

at that very juncture, so this isn’t by any means<br />

an emerging subject. The discussion we held<br />

during this latest gathering was in fact very<br />

insightful and clearly demonstrated – at least in<br />

my own mind – that there may well be a case<br />

for special arrangements to be made that meet<br />

both specific and defined needs.<br />

More generally, travel risk for any category of<br />

traveller has shifted significantly in the past<br />

ten-to-15 years in particular. The completely<br />

unpredictable nature of terrorism and rapidly<br />

changing environmental conditions affecting<br />

the travel and transport industry alone are two<br />

areas where an impact can be felt.<br />

As companies examine areas in which they<br />

could potentially trim their costs, travel can<br />

often suffer with significant reductions in<br />

budgets. In some cases, this may considerably<br />

alter the risk profile of a given business trip.<br />

Is travel necessary?<br />

In many respects, the question should be asked<br />

as to whether the need for travel is absolutely<br />

necessary. Indeed, even where there’s no<br />

pressure being placed on budgets, this should<br />

be the first question to be posed when<br />

considering any business excursions.<br />

Placing a rate cap on hotel accommodation<br />

can often introduce further elements of<br />

increased risk whereby there may be inferior<br />

safety and security facilities at the chosen<br />

property, in addition to less ably-equipped<br />

staff. The area in which the hotel resides could<br />

make it more susceptible to crime.<br />

Where can hotels begin to customise their<br />

business? How about tailor-made services for<br />

female business travellers? Should the<br />

arrangements made here be any different than<br />

those chosen for other female or male guests?<br />

Not for the first time, it was suggested that<br />

hotels consider offering a ‘female only’ floor: an<br />

area of a hotel completely off limits to male<br />

guests, exclusively booked for ‘women only’<br />

business travellers. I’m not entirely comfortable<br />

with this concept. It feels a little odd to<br />

completely isolate a group of people from the<br />

rest of the hotel population. If it were the case<br />

that guests occupying this class of room found<br />

themselves in trouble, there would be no male<br />

guests nearby who may come to their aid.<br />

Commercially, such a scenario would be<br />

almost impossible to deliver, both in terms of<br />

honouring a brand promise or maximising<br />

revenue returns. If a hotel had completely sold<br />

out of its inventory with the exception of this<br />

standard of room then it would most definitely<br />

be sold to the first applicant who could well be<br />

a male guest. Back in 2014, a Danish hotel was<br />

found by a Court of Law to have discriminated<br />

when it opened with a ‘female only’ floor offer.<br />

CCTV and access control<br />

From a safety and security perspective, such a<br />

concept wouldn’t offer anything more than a<br />

standard hotel bedroom. Most hotels will now<br />

provide guests with key card access control to<br />

lifts and bedroom corridors, alongside an<br />

almost blanket coverage of CCTV throughout all<br />

guest areas. If there were enhanced levels of<br />

safety and security realised as part of this<br />

‘upgraded’ room type, it would ask some fairly<br />

challenging questions in times where guests in<br />

other rooms become aware – or, worse still, are<br />

an actual victim – of an act of criminality.<br />

Most upscale hotel businesses will have a<br />

constant product development programme in<br />

50<br />

www.risk-uk.com


In the Spotlight: ASIS International UK Chapter<br />

place which reaches for competitive advantages<br />

over peer groups in what’s an extremely<br />

dynamic and ever-changing market. Safety and<br />

security are featured prominently in the design<br />

process, building environments which are<br />

appealing and functional, but also as safe and<br />

secure as possible. Procedures are then<br />

constructed around them to further support<br />

that environment.<br />

The mere mention of a hotel room number at<br />

the check-in desk could compromise the safety<br />

of a lone female business traveller. Procedures<br />

are in place to ensure no room numbers are<br />

mentioned at all to any guest when checking in<br />

to a hotel. This is common practice, although<br />

not 100% observed in my experience.<br />

In addition, there are a number of other areas<br />

within a hotel operation where we constantly<br />

strive to minimise risk and promote safer and<br />

more secure businesses.<br />

There are many people involved in the endto-end<br />

process of planning for business travel.<br />

Each individual will have made decisions which<br />

may either provide for a problem-free safe<br />

journey or lead to serious – and potentially lifethreatening<br />

– situations arising.<br />

The victims of crime – which may involve a<br />

phone snatch or a bag theft – will often say that<br />

the episode “came out of the blue” or<br />

“happened so quickly”. Invariably, if we can<br />

analyse such incidents a little further, we often<br />

see a series of events or clear indicators that<br />

the crime could – or was about to – happen. In<br />

truth, it’s often lack of awareness which leads<br />

to someone being targeted by a criminal.<br />

Unprepared for travel<br />

Often, it’s the case that individuals are<br />

completely unprepared when they travel. Only<br />

when they run into problems is this ever<br />

identified. It’s a little like travelling without<br />

insurance: it’s unthinkable in today’s world that<br />

anyone would even consider this. As hoteliers,<br />

we provide help and support to our guests,<br />

even more so when they’re experiencing a time<br />

of crisis, when they’re the victim of a crime, a<br />

serious injury or a bereavement or even if<br />

they’re just simply having a bad day.<br />

A common and often surprising fact is how<br />

little capacity a business traveller will have to<br />

manage the situation in which they find<br />

themselves. Often, we can and do resolve a<br />

multitude of issues. What this does say is that<br />

the individual’s employer may not be<br />

adequately preparing them for travel, the<br />

employee may not be listening or the advice<br />

being given is wrong or not extensive enough.<br />

Continuing this theme, I would strongly<br />

encourage all visitors to a hotel to make use of<br />

the in-room safe. It’s there to provide added<br />

security. At the very least it may delay access to<br />

a ‘would be’ burglar or even prevent the theft of<br />

valuable property and travel documents.<br />

Preparing employees to be able to deal with<br />

a range of predictable situations in the<br />

workplace is, of course, the responsibility of<br />

their employer, whether for travel purposes or<br />

otherwise. Business travel introduces a<br />

dramatic uplift in risk, whereupon an employee<br />

is exposed to a much greater selection of<br />

scenarios. Without doubt, it’s the responsibility<br />

of the individual to ensure that he or she is<br />

ready for travel, fully-briefed and absolutely<br />

comfortable with the information provided. If<br />

not, they should challenge it or otherwise seek<br />

alternative advice or guidance, only travelling<br />

when totally satisfied.<br />

What was abundantly clear at the recent<br />

panel discussion is that there’s a detailed<br />

debate to be had about the future of travel<br />

security in general, and not just for female<br />

business travellers. It’s always right and proper<br />

to question whether the advanced planning in<br />

place is as good as it can possibly be.<br />

“There are many people involved in the end-to-end process<br />

of planning business travel. Each individual will have made<br />

decisions which may either provide for a problem-free safe<br />

journey or potentially lead to serious situations arising”<br />

51<br />

www.risk-uk.com


Right now, there’s a<br />

lack of skilled fire<br />

alarm technicians,<br />

with very few young<br />

people entering the<br />

industry. Companies<br />

left, right and centre<br />

are struggling to hire<br />

and keep hold of more<br />

experienced<br />

technicians, with<br />

others simply jostling<br />

for that one extra<br />

cherry on the top of<br />

the cake that might tip<br />

the balance in their<br />

favour and pull in<br />

more customers.<br />

Martin Duggan<br />

considers the shape of<br />

a formal qualification<br />

in fire detection and<br />

alarm systems<br />

52<br />

www.risk-uk.com<br />

Fire Detection and Alarm Systems:<br />

Envisioning a Formal Qualification<br />

There’s so much talk about the need for a<br />

formal qualification in fire detection and<br />

alarm systems, but to date no-one has<br />

actually considered in any great depth what<br />

such a qualification might look like. Certainly,<br />

with so many different job roles, there are many<br />

areas that need to be covered.<br />

Think about it for a moment. What does a fire<br />

alarm maintenance technician need to know<br />

when compared to a system designer? What<br />

about an installer or a commissioning<br />

technician? These are all different areas of<br />

expertise with a significant amount of overlap,<br />

yet also with a different knowledge requirement<br />

for each job function. Is it feasible to have a<br />

‘one-size-fits-all’ approach to fire detection and<br />

alarm systems? What would each person in<br />

each job role need to know?<br />

I’m glad to say that, after receiving the<br />

results from a survey we sent out to our<br />

members, we now have a much clearer insight<br />

in terms of the answers to these questions.<br />

We also held a ‘Voice of the Customer’ Day,<br />

where Fire Industry Association (FIA) members<br />

were invited to tell us what areas would need<br />

to be covered for each job role. In addition,<br />

members also considered the lack of a defined<br />

career path for those joining the fire industry.<br />

The results of the survey state what the top<br />

areas of learning would need to be for each job<br />

role, while the ‘Voice of the Customer’ Day<br />

allowed FIA members to air their opinions and<br />

suggest paths of study for times ahead.<br />

The Maintenance Technician<br />

No less than 15 topic areas were revealed to be<br />

important in this job role. A basic grounding in<br />

electronics may be needed. Unfortunately, this<br />

isn’t a required subject at school so those<br />

joining the industry don’t always have firsthand<br />

knowledge. 98% of those surveyed stated<br />

that understanding BS 5839 is necessary.<br />

No surprise there, but a qualification would<br />

have to afford a solid foundation in the whole<br />

standard, as well as cover the maintenance<br />

standards in greater detail. Other areas such as<br />

waste management, communication and sales<br />

skills, simple design principles and knowledge<br />

of BS 6266 Fire Protection for Electronic<br />

Equipment were also duly highlighted.<br />

Additionally, other areas that are not covered<br />

by current training were pointed out by<br />

members at the ‘Voice of the Customer’ Day,<br />

with 87% stating that the Health & Safety at<br />

Work Act is particularly important.<br />

The survey also revealed some other topics<br />

of note: documentation/certification (91% of<br />

respondents said this would be required),<br />

testing methodology (90%), fire detection and<br />

alarm technology (75%) and a strong grounding<br />

in current fire legislation such as the Fire<br />

(Scotland) Act and the Regulatory Reform (Fire<br />

Safety Order) 2005 (67%).<br />

The Installation Technician<br />

The ‘Voice of the Customer’ Day revealed some<br />

useful insight, namely that it shouldn’t be a<br />

requirement to be a maintenance technician<br />

prior to being an installation technician. In fact,<br />

it was revealed that installers often moved into<br />

maintenance at a later stage. As such, the level<br />

of knowledge should still be high, but with less<br />

topic areas required.<br />

For the system installer, eight topic areas<br />

were compiled compared to the 15 topic areas<br />

for the maintenance technician. Again, no<br />

surprises here. The survey revealed that 96%<br />

voted for a broader understanding of BS 5839<br />

to be required, as well as a focus upon the<br />

installation and testing standards, which many<br />

feel ought to be covered in greater detail.<br />

No less than 88% of respondents felt that the<br />

Health & Safety at Work Act is important.<br />

Members attending the ‘Voice of the Customer’<br />

Day confirmed this belief, stating that an<br />

awareness of asbestos and working at height<br />

would be necessary. As is the case for the<br />

maintenance technician, a need to cover system<br />

documentation and certification is also going to<br />

be necessary in any qualification for this role.<br />

Other areas included electrical competency<br />

(77% of survey participants said this was<br />

important), understanding BS 76761 17th<br />

Edition (67%), understanding current<br />

legislation (58%) and a comprehension of the<br />

Building Regulations (56%).<br />

In order to be completely up-to-date with<br />

present technology, electrical competency<br />

should also cover in some depth subjects such<br />

as electronic principles and data<br />

communications, possibly as separate areas.<br />

“Communications are changing,” was the<br />

opinion of one survey respondent. “Installation<br />

engineers in our sector need to have an idea of<br />

IT infrastructure and data connections such as<br />

Ethernet/fibre optics.”


FIA Technical Briefing: Fire Detection and Alarm Systems<br />

The System Designer<br />

The role of the system designer was assumed<br />

to be a much more advanced position by the<br />

group of professionals present at the ‘Voice of<br />

the Customer’ Day – not just in terms of<br />

standards relating to fire safety systems, but<br />

also in view of current legislation, present fire<br />

guidance and the Building Regulations.<br />

A system designer needs to know a lot more<br />

than an installer or maintainer and, as such, the<br />

amount of study required would be<br />

considerably more. 90% of respondents to the<br />

survey suggested that understanding building<br />

design was essential to the role, alongside 83%<br />

stating that understanding the Building<br />

Regulations is important.<br />

Clearly, a working knowledge of the built<br />

environment is vital to the role and, as such,<br />

would need to be studied.<br />

There were also many other additional skills<br />

mentioned, such as an ability to use and<br />

understand Computer-Aided Design, an<br />

understanding of the Equality Act and a need<br />

for ‘soft skills’ around the subjects of<br />

communications, sales and Health and Safety.<br />

A formal qualification for this career path<br />

would need to cover a wide range of areas and<br />

be robust enough to afford the designer a<br />

starting point for his or her future projects.<br />

The Commissioning Engineer<br />

There were a number of different opinions<br />

expressed about whether a commissioning<br />

engineer would have been an installer or a<br />

maintainer prior to becoming a commissioning<br />

engineer. Those at the ‘Voice of the Customer’<br />

Day felt that this would not be a job role taken<br />

upon entering the industry. Most individuals<br />

would have been a maintenance technician or a<br />

systems installer at some point beforehand.<br />

Skills for this role are likely to be similar to<br />

the maintenance technician or installer, but<br />

with a few slight differences. The results of the<br />

survey were very clear: 100% of respondents<br />

said the BS 5839 commissioning standards<br />

would be required, 95% felt that there was a<br />

need to have a foundation level understanding<br />

of the whole of BS 5839, 94% thought faultfinding<br />

was a necessary skill and 87% felt that<br />

false alarm management and simple design<br />

principles respectively were important. Another<br />

80% wanted their commissioning technician to<br />

have instructional techniques.<br />

At 62%, electronic knowledge here wasn’t<br />

seen as being quite so vital, but is still deemed<br />

more important to the commissioning<br />

technician than the maintenance technician.<br />

Looking to the future<br />

The future of the fire safety industry certainly<br />

does seem to hinge on the need for those<br />

working in the realm of fire detection and alarm<br />

systems to be more comprehensively educated.<br />

There also needs to be a pathway for new<br />

people to join the industry.<br />

While the new ‘Trailblazer’ apprenticeship<br />

scheme represents a great start for those<br />

joining straight from school, there’s still a huge<br />

need for those already of working age to find a<br />

way in which to join the industry – and the only<br />

real way is through a qualification.<br />

A formal qualification is something that the<br />

industry both desires and needs. A blanket<br />

‘one-size-fits-all’ qualification isn’t going to be<br />

sufficient for the fire industry – we need one for<br />

each of the different disciplines within the fire<br />

alarm and detection sector, since being a<br />

designer is so different from the role of a<br />

maintainer or installer (and so on).<br />

A formal qualification might be just the thing<br />

to open the door to a bright new future, but it’s<br />

up to the industry itself to walk through it.<br />

Martin Duggan:<br />

General Manager of the Fire<br />

Industry Association<br />

“The results of the survey state what the top areas of learning would need<br />

to be for each job role, while the ‘Voice of the Customer’ Day allowed FIA<br />

members to air their opinions on paths of study for the immediate future”<br />

53<br />

www.risk-uk.com


Examining The Changing Face of The<br />

Private Security Industry in 2017<br />

The security landscape<br />

is still in transition,<br />

but there are clear<br />

trends developing, the<br />

origins of which date<br />

back to two significant<br />

incidents in 2001 and<br />

2008. Paul Harvey<br />

recounts those events<br />

and what has<br />

happened since,<br />

subsequently<br />

outlining today’s<br />

security model and<br />

where it could – and<br />

should – be heading in<br />

2017 and beyond<br />

54<br />

www.risk-uk.com<br />

The terrorist attacks in New York on<br />

September 11 2001 and the resulting<br />

responses had a significant impact across<br />

the globe. That’s still true today. The world has<br />

also recently witnessed a concerning increase<br />

in global terrorism with horrific episodes in<br />

Nice, Paris, Brussels and Germany.<br />

Second, the Lehman Brothers bankruptcy in<br />

2008, predominantly due to its involvement in<br />

the subprime mortgage crisis, is considered to<br />

have played a major role in the unfolding of the<br />

global financial crisis during the late-2000s.<br />

The UK security market wasn’t (and isn’t)<br />

immune from the effects of global financial<br />

instability. As a predominantly labour-based<br />

business, the guarding sector in particular<br />

requires large amounts of working capital. As<br />

payments to the supply chain slowed, with – in<br />

the more extreme cases – clients becoming<br />

insolvent and leaving significant debt, the<br />

financial pressure increased for many<br />

companies. Banks were unable or sometimes<br />

unwilling to support businesses of varying sizes<br />

and some security companies failed. This<br />

wasn’t necessarily related to profitability. It was<br />

often purely as a result of cashflow.<br />

Clients experienced downturns and,<br />

inevitably, expenditure was reviewed. Often an<br />

expensive purchase with no clear way of<br />

demonstrating its value, security was analysed<br />

with the intention of reducing or eliminating<br />

cost. With pay rates largely set and the TUPE<br />

Regulations protecting employees’ Terms and<br />

Conditions, indirect overheads and margin<br />

became the battleground for reducing charges.<br />

Companies fighting for survival didn’t have the<br />

luxury of considering the longer term. The need<br />

to retain or secure new business became<br />

critical. If you cannot differentiate on service,<br />

then service-buying clients predominantly<br />

select on price.<br />

Thus the environment was created that<br />

impacts us today. We hear of complaints about<br />

low margins, but many businesses continue to<br />

compete on price, often with unsustainably low<br />

margins. The industry must hold itself to<br />

account. The sector – and individual companies<br />

within it – hasn’t been bold enough to stand up<br />

and say ‘enough is enough’ and follow this<br />

through with determined courses of action.<br />

Legislative framework<br />

The legislative framework for operation hasn’t<br />

changed. There appears little appetite from the<br />

Government to push forward with the proposed<br />

agenda of compulsory business licensing. Nor<br />

does there seem to be significant progression<br />

in the Security Industry Authority’s Approved<br />

Contractor Scheme. To be frank, then, it’s<br />

incumbent upon service providers themselves<br />

to be the agents of change.<br />

Aside from the ongoing increase in statutory<br />

areas such as pensions, the big agenda item for<br />

2017 is the incoming Apprenticeship Levy.<br />

Although companies will be required to<br />

contribute to the scheme, at present there’s no<br />

security guarding-specific apprenticeship.<br />

Furthermore, there’s currently no provision for a<br />

replacement to the City and Guilds scheme that<br />

has been in place previously. There are<br />

discussions around which organisation will be<br />

the provider moving forwards, but as yet there<br />

have been no takers. This means that there’s no<br />

course – or training – in place for the money to<br />

be spent which, given the amount of funding<br />

this relates to, is quite simply staggering.<br />

Apprenticeships have existed for a long time<br />

in other sectors such as CCTV engineering.<br />

Another case of a reactive sector, then?<br />

According to the Infologue.com listings, the<br />

Top 20 security companies (based on turnover)<br />

control 71% of the UK market. Forward-thinking<br />

companies are taking the opportunity to be<br />

disruptive or find a niche that offers greater<br />

success and, potentially, profitability. As a<br />

result, 2017 will be a year in which the UK


Security Services: Best Practice Casebook<br />

security market begins to benefit from the<br />

platform created as it moves into the next<br />

logical phase of the industry’s future.<br />

The demand for change is being fuelled by<br />

increasing levels of expectation and a<br />

requirement for flexibility in service provision<br />

called for by today’s discerning clients. Key<br />

transformations are beginning to emerge,<br />

namely specialism and expertise.<br />

Specialism and expertise<br />

First, there are the large-scale, national and/or<br />

multinational businesses. They offer a wide<br />

range of security and facility services, and are<br />

predominantly (although not exclusively)<br />

focused on high value and potentially multiservice<br />

contracts. There’s a clear demand for<br />

this capability. Competitors simply don’t have<br />

the capability or scalability to compete, and nor<br />

should they attempt to do so.<br />

Second, there are organisations that will<br />

continue to focus on specialist services, skills,<br />

clients, contract sizes and geographies, etc.<br />

These businesses truly understand their core<br />

role and continue to be selective in how they<br />

target growth and assess their value<br />

proposition. Our own organisation falls into this<br />

category. We’re focused on the central London<br />

market. We know full well that our model<br />

doesn’t fit everyone and we fully understand<br />

our capability. We’re aware, for example, that<br />

we don’t have the infrastructure to deliver<br />

national accounts with multiple low value<br />

contracts, so we don’t try to do so.<br />

Third, the area where it’s possible to see<br />

accelerated development in 2017, and which to<br />

some degree is the most interesting, is that of<br />

collaborative business partnerships<br />

incorporating convergence and the alignment of<br />

operational and security strategies.<br />

Security suppliers with specific expertise will<br />

be working collaboratively to deliver highperforming,<br />

flexible and complimentary<br />

solutions. The convergence of physical and<br />

cyber security delivers improved information<br />

sharing on risks and can result in synergies and<br />

more effective leveraging of resources.<br />

Convergence can provide the benefit of<br />

comprehensive capability, but with no dilution<br />

in expertise. Individual solution providers will<br />

heighten their knowledge and competencies. In<br />

most cases, there’s a clear lead on provision.<br />

To position this, security is – and should only<br />

ever be – a supporting functionality that’s there<br />

to enable a client’s core business. Many<br />

business operations typically work in separate<br />

silos and use different information and tools.<br />

This can lead to overlapping processes and<br />

higher costs. To alleviate inefficiencies, there<br />

will be a move towards integrating operational<br />

and security risk management.<br />

Integrating disciplines<br />

Often, organisations manage operational risk<br />

and security risk separately. This incorporates<br />

areas such as threat and vulnerability<br />

management and continuous monitoring as<br />

well as incident management.<br />

Security risk management isn’t just about<br />

security operations, but rather a bottom-up<br />

approach that drives ‘actionability’ against<br />

threats, vulnerabilities and incidents in order to<br />

provide assurances for businesses.<br />

While separating both operational and<br />

security risk management has been a common<br />

practice, dynamic changes in the threat<br />

landscape are forcing organisations to integrate<br />

the two disciplines and therefore gain a more<br />

holistic view of risk. The unfortunate truth is<br />

that one can schedule an audit, but one cannot<br />

schedule an attack, in any of its various forms.<br />

In light of this, an integrated approach to risk<br />

that takes compliance, threats and<br />

vulnerabilities as well as business impact into<br />

account will become Best Practice. Without a<br />

clear understanding of the business criticality<br />

that an asset represents, an organisation is<br />

unable to prioritise its efforts. A risk-driven<br />

approach addresses both security and business<br />

impact to increase operational efficiencies,<br />

improve assessment accuracy, reduce attacks<br />

and enhance investment decision-making.<br />

The transition from the traditional<br />

client/contractor relationship into genuine<br />

partner and trusted advisor, and a compliancedriven<br />

approach to a risk-based model, enables<br />

businesses to evaluate the ongoing definition,<br />

remediation and analysis of their risk.<br />

Remote access is an increasing risk, and<br />

indeed for many organisations has become<br />

their key security focus. Furthermore, the<br />

insider threat remains a concern given the<br />

deluge of interconnected devices available.<br />

Looking ahead, the industry will continue to<br />

be subject to evolution rather than revolution in<br />

the short term, but the pace and appetite for<br />

change is increasing. If you look closely<br />

enough, business models are becoming more<br />

specific, technically competent and<br />

sophisticated. This is a critical factor for<br />

success when it comes to corporate stability.<br />

Paul Harvey:<br />

Commercial Director of<br />

Ultimate Security Services<br />

“There appears little appetite from the Government to push<br />

forward with the proposed agenda of compulsory business<br />

licensing. Nor does there seem to be significant<br />

progression in the SIA’s Approved Contractor Scheme”<br />

55<br />

www.risk-uk.com


Open Source Software: Risk Management<br />

Designed to Combat the Vulnerabilities<br />

Software has<br />

transformed the way<br />

in which we work and<br />

live and is missioncritical<br />

to an everincreasing<br />

number of<br />

organisations. Open<br />

source is the<br />

foundation of modern<br />

applications, often<br />

comprising as much as<br />

90% of application<br />

code. Gartner reports<br />

that over 80% of<br />

cyber attacks are<br />

directed at<br />

applications. With<br />

open source<br />

vulnerabilities often<br />

exposing software to<br />

security breaches,<br />

Chris Fearon asserts<br />

why open source risk<br />

management is now a<br />

‘must’ for businesses<br />

56<br />

www.risk-uk.com<br />

Open source software is a vital component<br />

in application development worldwide,<br />

with open source components comprising<br />

50% or more of many applications. Indeed, a<br />

recent Forrester report takes those numbers<br />

one step further, claiming that to address the<br />

demand for more and better applications and<br />

accelerate application development, developers<br />

now regularly “use open source components as<br />

their foundation, creating applications using<br />

only 10%-20% new code.”<br />

Obviously, the benefits of open source<br />

software are hard to ignore. Businesses are<br />

geared towards driving revenues with pressures<br />

increasing on development teams to deliver.<br />

With quicker lead times for development and<br />

the competitive nature of applications, the use<br />

of open source is an absolute requirement.<br />

Even if they know that open source is a key<br />

part of their firm’s success, some executives –<br />

even those resident inside the IT Department –<br />

might be surprised to find how much their<br />

business’ solutions depend on open source and<br />

how much open source they use to deliver<br />

within a continuous integration environment<br />

and on a continuous release schedule.<br />

We regularly undertake code audits of<br />

proprietary applications, often as part of<br />

merger and acquisition activities. As part of<br />

their due diligence, buyers need to ensure that<br />

any software they’re acquiring as part of a<br />

merger doesn’t also bring with it an<br />

unacceptable level of risk or create Intellectual<br />

Property issues. Firms may undertake static<br />

and dynamic testing of code, but those tests<br />

rarely identify potential open source issues.<br />

Last year, we reviewed 200 business<br />

applications for a report later issued under the<br />

title ‘The State of Open Source Security in<br />

Commercial Applications’. No less than 95% of<br />

the applications we examined contained open<br />

source components of some kind. The average<br />

number of open source components we found<br />

in each application was 105. Nearly 70% of the<br />

applications had vulnerabilities in those open<br />

source components, while 40% of the noted<br />

vulnerabilities were rated as ‘Severe’.<br />

More surprising was the fact that the average<br />

age of the vulnerabilities was 1,894 days. In<br />

other words, there’s a high likelihood of<br />

vulnerabilities in many applications for which<br />

potential attackers have had plenty of time to<br />

develop exploits. Indeed, 10% of the<br />

applications we reviewed in 2016 were still<br />

vulnerable to the infamous Heartbleed bug in<br />

the OpenSSL cryptographic library some two<br />

years after this vulnerability was first disclosed.<br />

Unique security risks<br />

If this is making open source sound insecure,<br />

that’s not my point. Open source is neither less<br />

nor more secure than proprietary software.<br />

However, open source vulnerabilities can pose<br />

unique security risks. Due to its ubiquity,<br />

attackers see popular open source as a targetrich<br />

environment. In the same report cited<br />

earlier, Forrester also notes that: “One out of<br />

every 16 open source download requests is for<br />

a component with a known vulnerability.”<br />

Information is publicly available on known<br />

open source vulnerabilities as well as detailed<br />

instructions on how to exploit them. As soon as<br />

a vulnerability is reported, a means to exploit<br />

that vulnerability is almost always<br />

simultaneously published. Of course, patches<br />

for these vulnerabilities are often issued just as<br />

quickly, but unless a business is aware that a<br />

vulnerable open source component’s included<br />

in its application(s), it’s highly probable that<br />

component will remain unpatched. Therein lies<br />

the very heart of the problem.<br />

When a new open source vulnerability is<br />

reported, a race is then on between the host<br />

business and potential attackers. For the host<br />

business to win that race, it needs to be able to


Cyber Security: Mitigating Risks Posed by Open Source Software<br />

answer the following important questions:<br />

• will you know if you’re using an open source<br />

component with a known vulnerability?<br />

• will you know if that vulnerability exposes<br />

your software to attack?<br />

• will you know how prevalent that open<br />

source component is in your firm’s internal and<br />

public-facing applications?<br />

• will you know how to effectively manage and<br />

mitigate any risk exposed by that vulnerability?<br />

How can you know if your open source is<br />

secure? You cannot secure what you’re not<br />

tracking, so a first step – if your business hasn’t<br />

already done so – needs to be the compilation<br />

of an inventory of all open source components<br />

your development teams are using. Some<br />

organisations initiate a manual process to<br />

manage their open source usage, but quickly<br />

discover that manual processes seldom<br />

maintain either a complete or a completely<br />

accurate inventory of open source.<br />

A complete open source inventory must<br />

include all open source components, the<br />

version(s) in use and download locations for<br />

each project in usage or in development. You’ll<br />

also need to include all dependencies – the<br />

libraries your code is calling to and/or the<br />

libraries to which your dependencies are linked<br />

– within your inventory.<br />

Fixing a vulnerability<br />

As with tracking open source components, to fix<br />

an open source vulnerability you first have to<br />

know it exists. There are some vulnerability<br />

databases – such as the US Government<br />

vulnerability disclosure database, the National<br />

Vulnerability Database (https://nvd.nist.gov/) –<br />

that can help to identify issues.<br />

However, not all vulnerabilities are reported<br />

to the NVD, while the format of NVD records<br />

often makes it difficult to determine which<br />

versions of a given open source component are<br />

affected by a vulnerability.<br />

Other useful sources of information include<br />

project distribution sites such as those<br />

maintained by the Debian<br />

(https://www.debian.org/security/) and Python<br />

(http://bugs.python.org/) projects.<br />

Security blogs and message boards like the<br />

US-CERT alerts page (https://www.uscert.gov/ncas/alerts)<br />

and Google’s security<br />

blog (https://security.googleblog.com/) can<br />

also be helpful.<br />

If your firm builds packaged, embedded or<br />

commercial SaaS software, open source license<br />

compliance should be of concern. Using your<br />

inventory of open source components, you’ll<br />

want to compile detailed license texts<br />

associated with those components such that<br />

“Security and licensing concerns aside, how do you know<br />

you’re using high quality open source components? Are<br />

you employing a current version of the software? Is the<br />

component actively maintained by a robust community?”<br />

you can flag any components not compatible<br />

with your software’s distribution and license<br />

requirements and generate a license notices<br />

report to include with your shipped software.<br />

Security and licensing concerns aside, how<br />

do you know you’re using high quality open<br />

source components? Are you employing a<br />

current version of the software? Is it the most<br />

stable? Is the component actively maintained<br />

by a robust community?<br />

Determining all of this can be both timeconsuming<br />

and impact developer productivity,<br />

which is a reason why many organisations<br />

struggle with effective open source governance<br />

and turn towards an automated solution to<br />

simplify open source risk management.<br />

Continuous risk management<br />

After identifying any vulnerability, licensing or<br />

component quality risks in your open source,<br />

you’ll need to determine what remediation<br />

tasks – if any – need to be conducted and track<br />

the subsequent remediation process to ensure<br />

it’s actually being carried out correctly.<br />

As with inventorying and identifying risks,<br />

challenges you can expect to face include time<br />

and cost issues. Manual review tends to result<br />

in remediation late in the development cycle,<br />

when the cost to fix is high and release<br />

deadlines must be met. Manual review is also<br />

incompatible with the rapid pace and<br />

automation at the core of modern agile build<br />

and continuous integration environments.<br />

The job of open source vulnerability<br />

management doesn’t stop when the application<br />

ships. You’ll need to continue to monitor for<br />

vulnerabilities as long as the application’s in<br />

use. An average of ten new open source<br />

vulnerabilities are discovered daily, while many<br />

vulnerabilities are not reported for months – or,<br />

on occasion, even years – after they’re<br />

introduced to a component.<br />

With open source usage and creation rapidly<br />

growing, there’s a tendency towards continuing<br />

to re-use components which are well known to<br />

architects/developers due to familiarity and<br />

historical use. Continuously monitoring open<br />

source should include regular evaluation of<br />

components. In truth, rigorously checking<br />

directories of open source software may<br />

disclose alternative components that offer the<br />

same functionality with less risk.<br />

Chris Fearon:<br />

Research Director at Black<br />

Duck Software<br />

57<br />

www.risk-uk.com


Security Qualifications: Observing The<br />

View from the Wrong End of the Telescope<br />

needs to be conducted on the scale and nature<br />

of the problem across the qualifications system<br />

from which specific sector issues might feed.<br />

A review of the problem based upon the<br />

selection of half a dozen of the Conditions for<br />

Recognition, which define the requirements for<br />

awarding organisations, is too narrow a focus.<br />

Picking up one of the criticisms in the report,<br />

the absence of enforceable agreements would<br />

have had little or no impact on the Ashley<br />

Commerce College or the Get Licensed cases.<br />

The Ofqual report<br />

issued following the<br />

Regulator’s<br />

consideration of<br />

license to practice<br />

qualifications in the<br />

security industry was<br />

finally published at<br />

the end of January. For<br />

some, the report<br />

added little to what’s<br />

widely known in the<br />

sector and very little<br />

by way of solutions.<br />

Despite this, there’s<br />

the genesis of some<br />

interesting thinking<br />

which, in Raymond<br />

Clarke’s view, could<br />

provide the necessary<br />

foundations for<br />

ongoing improvement<br />

Before considering the positives contained<br />

within the 28-page Ofqual report, entitled<br />

‘Licence-Linked Qualifications Used in<br />

Private Security’, it’s perhaps prudent to ponder<br />

on the limitations. Having perhaps spent more<br />

time considering the issues around malpractice<br />

and fraud over the last couple of years than<br />

most, the two key concerns for me relate to the<br />

lack of context for the report and the<br />

presumption that the actions required to be<br />

taken rest with those other than Ofqual itself.<br />

A key criticism of the Ofqual report, and<br />

indeed its response to malpractice, is the<br />

preoccupation with micro issues. Fraud and<br />

malpractice are not contained or constrained<br />

within particular sectors, but are fluid and can<br />

migrate across sector boundaries. Those<br />

involved in wrongdoing can move readily in and<br />

out of sectors: security today, construction<br />

tomorrow, health and social care this time next<br />

year. There’s no doubt those sectors that are<br />

licensed, and where there are labour shortages<br />

or funding is readily available, are placed at a<br />

higher risk. The security industry ticks at least<br />

some of these boxes.<br />

A positive aspect of the report is the<br />

indication that Ofqual will be broadening its<br />

review to consider the extent to which<br />

malpractice is evident in other sectors. While<br />

this is to be welcomed, Industry Qualifications<br />

(IQ) takes the view that independent research<br />

Commentator or Participant?<br />

The second concern relates to the role of<br />

Ofqual itself. The Regulator has a statutory<br />

duty to ensure confidence in the UK system of<br />

regulated qualifications. The question is<br />

whether this is exercised solely through<br />

investigating and commentating on the efforts<br />

of others, or whether the Regulator has a more<br />

active role to play.<br />

My view is that Ofqual has a responsibility to<br />

ensure the overarching system and framework<br />

is fit for purpose. It’s then the role of Awarding<br />

Organisations and others to operate within that<br />

framework. A system which allows those<br />

involved in wrongdoing to continually re-enter<br />

the education market, those involved in fraud<br />

to avoid prosecution and one which singularly<br />

fails to consider the risks associated with<br />

safety-critical qualifications any differently than<br />

it does those for a GCSE in ‘Art’ needs to be<br />

reviewed at both a macro and a strategic level.<br />

IQ has therefore called publicly for the<br />

establishment of an independent expert panel<br />

to review qualifications fraud. Disappointingly,<br />

the response from Ofqual was that it’s the<br />

responsibility of Awarding Organisations to<br />

have robust procedures in place.<br />

Positives in the report<br />

The most promising aspects of the report relate<br />

to three statements of future activity.<br />

First, there’s due recognition that fraud and<br />

malpractice may need to be considered in other<br />

sectors. While welcome, we would encourage<br />

the start point to be the development of a<br />

macro understanding of fraud before<br />

considering the implications at a sector level.<br />

Second, there’s the proposal that Awarding<br />

Organisations should work together to<br />

establish and apply a robust set of industry<br />

standards or a Code of Conduct as a means to<br />

58<br />

www.risk-uk.com


Training and Career Development<br />

strengthen their approach towards risk<br />

management and quality assurance. This is a<br />

positive suggestion. It’s one that builds upon<br />

the co-operation that has developed across the<br />

awarding bodies concerned in recent years.<br />

Third is the desire of Ofqual to be advised<br />

when the Security Industry Authority (SIA)<br />

provides intelligence to Awarding Organisations<br />

about malpractice or wrongdoing by individuals<br />

of centres. Ofqual has indicated that it might<br />

then require Awarding Organisations to<br />

demonstrate how this information has been<br />

used. However, there’s also a requirement for<br />

Ofqual to consider how it manages and uses<br />

intelligence in support of wider objectives.<br />

Code of Practice<br />

I’m broadly attracted by the concept of a Code<br />

of Practice and welcome the encouragement for<br />

Awarding Organisations to take the lead on this<br />

matter. I would, however, go one step further<br />

and make it a requirement of the SIA<br />

recognition for an Awarding Organisation<br />

working in the security industry that it complies<br />

with any such document.<br />

Common standards for centre approval and<br />

centre monitoring would go a long way. More<br />

work on standardising approaches to<br />

assessment would be another step forward.<br />

Competition based on the price, quality of<br />

service and breadth of an individual Awarding<br />

Organisation’s offer is to be encouraged.<br />

Competition driven by cost reduction through<br />

squeezing quality assurance costs or dumbing<br />

down assessment standards to increase pass<br />

rates should be outlawed. While there may be<br />

differences of opinion on the precise detail, the<br />

overall objective is easily supported.<br />

The report also encourages the improved<br />

sharing of intelligence. While IQ supports the<br />

intent, it’s here that our opinions begin to<br />

diverge from that of the Regulator, largely in<br />

terms of where responsibilities lie.<br />

IQ first raised its concern with Ofqual in 2015<br />

that intelligence wasn’t available to Awarding<br />

Organisations when making decisions about<br />

centre approval or the approval of<br />

trainers/assessors. The current system relies<br />

on Awarding Organisations operating in the<br />

same sector (or offering similar qualifications to<br />

other Awarding Organisations) to notify others<br />

of malpractice or maladministration. Ofqual is<br />

also advised each time a notification is made<br />

and is the only organisation that’s in receipt of<br />

all such notifications for all sectors.<br />

The current system is, in my view, clearly<br />

flawed. Awarding Organisations new to a sector<br />

are disproportionately exposed to risk as they<br />

don’t have access to any historic records. For its<br />

“Competition driven by cost reduction through squeezing<br />

quality assurance costs or dumbing down assessment<br />

standards to increase pass rates should be outlawed”<br />

part, in my opinion Ofqual doesn’t appear to<br />

maintain reliable records and what’s available<br />

isn’t accessible to Awarding Organisations.<br />

Investment in capability<br />

IQ was exposed as a result of this failing in<br />

relation to Ashley Commerce College and we<br />

know of others that have been affected in a<br />

similar way. Fortunately for them, they were not<br />

included in a BBC broadcast. Due to the<br />

weakness in the system, it’s an unfortunate but<br />

pretty obvious fact of life that a new Awarding<br />

Organisation in the sector can be a strong<br />

magnet for those involved in wrongdoing.<br />

The system also assumes that the same and<br />

consistent standards of analysis and reporting<br />

across all Awarding Organisations is common.<br />

In truth, investigating fraud, malpractice and<br />

maladministration to a point where information<br />

is at an evidential level requires an investment<br />

in investigative capability that many Awarding<br />

Organisations would prefer to avoid.<br />

It’s cheaper and quicker to move the problem<br />

on. It’s the training sector’s own ‘traveller’<br />

problem: ‘While they’re on the land of someone<br />

else, they’re not on mine’.<br />

The analysis conducted by Ofqual highlights<br />

the need for sharing intelligence across the<br />

sector. What’s missing, though, is any<br />

recognition of the pivotal role that Ofqual itself<br />

should be playing, ensuring the validity of that<br />

intelligence and sharing this knowledge across<br />

the wider education sector.<br />

A system in denial<br />

Our experience over the last two years is of a<br />

regulatory system unable to separate<br />

malpractice from fraud and one that appears to<br />

be largely in denial of fraud.<br />

When the issue at Ashley Commerce College<br />

was exposed by the BBC, you couldn’t see<br />

Ofqual for dust. Instead of using the situation<br />

to expose wider networks of fraud, the<br />

apparent approach taken by the Regulator was<br />

to distance itself from the issue and cast blame.<br />

The end result remains that no action has been<br />

taken against those who committed the fraud.<br />

Until the Regulator acknowledges the<br />

problem is systemic, requires a collective and<br />

intelligence-led response and then develops an<br />

appetite for tackling the issue, those involved<br />

in wrongdoing will continue to thrive no matter<br />

the number of reports Ofqual might produce.<br />

Raymond Clarke:<br />

Chief Executive of Industry<br />

Qualifications<br />

59<br />

www.risk-uk.com


Risk in Action<br />

Evolution assists Uxbridge College to pass its security<br />

management examinations with flying colours<br />

A sophisticated integrated access control and CCTV solution is playing a key<br />

role in managing the safety and security of students, staff and visitors at<br />

Uxbridge College across both of its campuses in Uxbridge and Hayes.<br />

The challenge presented to Evolution was in servicing, maintaining and<br />

upgrading a system that protects no less than 4,000 students and 600<br />

members of staff, while also taking into account the College’s ongoing growth<br />

ambitions and constantly changing infrastructure.<br />

Evolution is now fully supporting an IP-based system with card access,<br />

turnstiles and proximity readers to control the movement of card holders across<br />

the two sites, as well as a network of CCTV cameras designed to monitor those<br />

seeking unauthorised access and provide a further layer of security.<br />

Michael McDonagh, head of security at Uxbridge College, stated: “Should a<br />

student forget their pass, we can immediately issue a replacement. However, in<br />

maintaining full control, the student’s ‘forgotten’ or ‘lost’ pass is automatically<br />

de-activated. Each card also has the shelf life of a student’s course length, so<br />

will automatically expire when they finish for the year. Should an end user<br />

attempt to gain access with a de-activated card, we’re immediately notified.”<br />

Each of the passes provided is specifically tailored to take into account a<br />

student’s studies and lifestyle. They control which ‘zones’ that student can<br />

enter, identify whether or not<br />

a student has a pre-paid car<br />

parking permit and even<br />

enable access to extracurricular<br />

activities such as<br />

sport or drama.<br />

There are more than 120<br />

controlled-entry doors and<br />

80 CCTV cameras, which<br />

Control Room operators can<br />

use to pinpoint and track<br />

unauthorised access. Both<br />

campuses are integrated<br />

under the single system.<br />

SharpView solution courtesy of Zaun<br />

Group company EyeLynx secures<br />

vital London water supply<br />

The integrity of the fresh water supply delivered<br />

to London’s residents has been notably stepped<br />

up thanks to the recent installation of an array<br />

of cameras, high-security fencing, vibration<br />

sensors and lengths of razor wire.<br />

The risk posed to the water supply forced the<br />

UK’s largest water and waste water company to<br />

further enhance the security along one side of<br />

the perimeter of reservoirs in South London,<br />

where a public footpath has provided easier<br />

access for trespassers and committed graffiti<br />

‘vandals’ to gain entry.<br />

The Zaun Group had already installed<br />

ArmaWeave and razor topping around the<br />

whole site. Thames Water then asked software<br />

security expert EyeLynx to design a solution<br />

based on its SharpView CCTV system and<br />

protect the Critical National Infrastructure site.<br />

Zaun Group companies EyeLynx and Binns<br />

Fencing installed two huge temporary CCTV<br />

masts complete with high-performance PTZ<br />

cameras, thermal cameras with video analytics,<br />

horn speakers and high-powered WiFi to link<br />

the two with a SharpView NVR.<br />

Selection of UK’s oldest and most<br />

important artefacts safeguarded by<br />

Chubb at Rochester Cathedral<br />

Chubb Fire and Security has installed a<br />

security intruder alarm system designed for<br />

sensitive environments at Rochester Cathedral<br />

with a view to securing some of the UK’s<br />

oldest and most important artefacts.<br />

First built in 604 AD, the Rochester<br />

Cathedral in Kent is the second oldest in<br />

England. It’s home to the Textus Roffensis, the<br />

oldest example of English written law, which<br />

dates right back to the 10th Century and the<br />

creation of the English State.<br />

The security tender followed a Heritage<br />

Lottery Fund grant as part of the Cathedral’s<br />

‘Hidden Treasures Fresh Expressions’ project.<br />

In addition to the restoration of the<br />

Cathedral’s library and strong room, the<br />

project saw the creation of a secure exhibition<br />

space within the medieval crypt.<br />

Morgan Flynn, senior security<br />

installer/commissioning engineer at Chubb,<br />

said: “The present Cathedral dates back to<br />

1080, necessitating an entirely bespoke<br />

approach. No drilling of the stonework was<br />

permitted. Sensors and switches needed to be<br />

hidden from visitors, while the quarter-tonne<br />

steel doors and ornate leadlight windows<br />

required sensitive design and installation.”<br />

Following a risk assessment, Chubb has now<br />

installed a sophisticated Grade 3 intruder<br />

alarm system, typically found in the most<br />

high-risk environments such as banks, art<br />

galleries and museums.<br />

60<br />

www.risk-uk.com


Risk in Action<br />

Porthcawl’s RNLI: Improving<br />

education and saving lives with<br />

network camera technology<br />

Porthcawl’s RNLI station is aiming to<br />

improve education and safety around the<br />

water with the implementation of innovative<br />

surveillance technology from Swanseabased<br />

PC1 and Axis Communications.<br />

With high tourism levels and fast-shifting<br />

tides, the installation at Porthcawl Pier<br />

provides an online live-stream. This ensures<br />

visitors are prepared for the conditions they<br />

will face, minimising the necessity of lifeboat<br />

launches and reducing overall costs.<br />

RNLI statistics show that 44% of lifeboat<br />

launches in 2015 were due to persons in<br />

distress, either ashore, offshore or using<br />

manual craft such as surfboards or kayaks.<br />

The camera points directly at Porthcawl<br />

Pier, one of the highest risk areas. During<br />

storms and rough weather conditions,<br />

visitors are in danger of being swept out to<br />

sea by tides that can reach up to 7 knots (8<br />

mph). The installation of the Axis Q1775-E<br />

fixed network camera, combined with a hightech<br />

weather installation, ensures Porthcawl<br />

RNLI can access weather metrics, tide<br />

activity, conditions monitoring and more.<br />

With 10x optical zoom and autofocus<br />

capabilities, the RNLI decided the camera<br />

was the stand-out choice due to its weather<br />

resilience, providing 24/7 surveillance<br />

capabilities and excellent image quality.<br />

Ian Stroud, retired member of the Deputy<br />

Launch Authority at Porthcawl RNLI, said:<br />

“One of the most significant tasks a lifeboat<br />

station must undertake is observing sea<br />

conditions to make judgements on the<br />

equipment lifeboat operators will need.”<br />

Speaking about the installation itself,<br />

Graham Thomas (IT and online projects<br />

manager at PC1) observed: “We installed a<br />

weather station and connected the<br />

installation to YouTube, allowing the public<br />

and lifeboat staff alike to view real-time<br />

images and accurate weather reports.”<br />

Notifier by Honeywell’s the King of the Castle in the eyes of<br />

money.co.uk<br />

money.co.uk has<br />

recently completed a<br />

£3 million renovation<br />

project in order to<br />

transform a Grade IIlisted<br />

Victorian castle<br />

on the Bathurst Estate<br />

in Cirencester into the<br />

ultimate high-tech<br />

workplace.<br />

Life safety is rightly<br />

considered paramount<br />

on site. With this in mind, Bristol-based APE Fire & Security asked Interaction<br />

(the main contractor for the project) to design, specify, install and commission<br />

a fire detection system that could offer staff and visitors alike the very highest<br />

levels of protection.<br />

To keep employees and visitors safe, fire detection technology from Notifier<br />

by Honeywell has been installed throughout and is based around the<br />

company’s Pearl intelligent addressable control panels. The networkable fire<br />

detection control panel has been specifically created to be immune from the<br />

threat of unwanted alarms.<br />

Linked to the Pearl control panels are Notifier’s Opal photoelectric smoke<br />

detectors. In the kitchen areas, SMART3 detectors use optical smoke sensing in<br />

conjunction with heat sensors, infrared flame sensing technology and<br />

sophisticated alarm algorithms to offer a fast response to flaming fires, while<br />

at the same time providing superior unwanted alarm immunity.<br />

Thanks to some very clever ‘cause and effect’ programming, APE Fire &<br />

Security has been able to integrate the Pearl control panel with the existing<br />

intruder and access control system.<br />

ACT’s in store with Asda in wake of<br />

IP access control solution roll-out<br />

CBES has installed IP access control systems<br />

from ACT at Asda stores and distribution<br />

centres across the UK. The roll-out has already<br />

covered 500 sites, all of which are networked<br />

to Asda’s corporate headquarters in Leeds.<br />

Asda is benefiting from ACTpro 4000 twodoor<br />

controllers which can extend to 16 doors<br />

via ACTpro door stations. In turn, up to 250 of the controllers may be<br />

networked via a PC interface. The ACT hardware offers low bandwidth and autodiscovery<br />

for easy installation and maintenance, alongside features such as<br />

timed anti-passback and counting areas.<br />

The Asda sites are using ACT’s specialist software platform, designated<br />

ACTpro Enterprise, which distinguishes between different user types such as<br />

installer, security officer or system administrator so as to factor out accidental<br />

system changes and minimise maintenance. ACTpro Enterprise affords end<br />

users a familiar web-browser experience using hyperlinks, ‘backwards’ and<br />

‘forwards’ buttons and powerful search functionality.<br />

An Asda staff member might present their MIFARE contactless smart card to<br />

a reader in order to access a secure area of a site. The ACT software then grants<br />

or denies access according to the user’s privileges which can be defined in<br />

relation to seniority, job profile, time of day and day of the week. Asda’s<br />

managers are benefiting from the integration of access control with CCTV and<br />

intercoms through the Sky-Walker Integration Platform from Entelec.<br />

61<br />

www.risk-uk.com


Technology in Focus<br />

Vanderbilt integrates ACTEnterprise and Eventys for a ‘plug<br />

and protect’ security management solution<br />

The latest product offering from Vanderbilt blends access control with video<br />

management, as ACTEnterprise now supports integration with Eventys EX NVRs.<br />

Simple to set up and operate, Eventys NVRs offer powerful, seamless and<br />

reliable, yet inexpensive video recording of up to 16 IP cameras. Now,<br />

ACTEnterprise allows cameras connected to an Eventys EX NVR to be associated<br />

with access control doors.<br />

Any events recorded in the access control log such as ‘access denied’ or ‘door<br />

forced’ can be linked with the associated footage stored on the NVR. Events on<br />

a door with a camera associated will<br />

display a camera icon which allows<br />

clicking on the camera icon to replay<br />

the footage.<br />

The main features associated with<br />

this integration platform are Live<br />

Video Display and Playback<br />

Recordings. The Live Video Display<br />

allows switching between the<br />

different video camera sources.<br />

www.vanderbiltindustries.com<br />

360 Vision Technology brings to<br />

market the all-new Predator<br />

Overview camera system<br />

360 Vision Technology continues to expand<br />

its camera range with the release of Predator<br />

Overview, a dual camera head, high-speed<br />

and ‘ruggedised’ PTZ HD colour/mono<br />

camera system for end users.<br />

Borne out of customer feedback, the new<br />

Predator Overview features a Full-HD 1080p<br />

wide angle Overview camera combined with<br />

a separate 30x optical, ultra-low light Sony<br />

STARVIS Full-HD ‘Zoom’ camera.<br />

Overview is ideal for those live monitored<br />

applications such as town centres, container<br />

ports and transportation hubs where an<br />

overview (of up to a 90° field of view) of the<br />

incident or target area is desirable.<br />

www.360visiontechnology.com<br />

CEM Systems introduces latest version of popular AC2000<br />

Security Management System for end users<br />

Tyco Security Products has released AC2000 v8, which offers new features that<br />

increase the performance, simplicity and scope of the AC2000 access control<br />

system suite from CEM Systems. These include AC2000 data partitioning and<br />

enhancements to the AC2000 Security Hub Command and Control application.<br />

In addition, CEM Systems has also released enhancements to the emerald<br />

Intelligent Access Terminal range in the shape of the emerald TS100f and<br />

TS200f fingerprint terminals.<br />

“The latest release of AC2000, which includes data partitioning, offers<br />

enhancements for both multi-site and multi-tenanted customers,” said Richard<br />

Fletcher, product manager at CEM Systems. “AC2000 Database Partitioning is a<br />

powerful feature for scenarios where multiple companies use a single security<br />

management system. It empowers each company by giving them control over<br />

their own private access areas, while still allowing them access to common<br />

areas within the building or campus.”<br />

Enhancements within the AC2000 Security Hub centralised Command and<br />

Control application include Map Zones, reports and a “seamless” video<br />

integration interface which enables live video footage for specific configured<br />

alarms to be displayed. This release also offers enhanced functionality of<br />

emerald, CEM Systems’ award-winning intelligent access terminal. Designed<br />

for use with AC2000, emerald terminals not only control access to restricted<br />

areas, but also “open up a<br />

world of possibilities” by<br />

bringing AC2000 intelligence<br />

directly to the edge.<br />

emerald now supports a<br />

‘Boarding and Deplaning Route<br />

Management’ (BDRM) mode<br />

which provides a sophisticated<br />

touch screen-based passenger<br />

routing system for airports.<br />

www.cemsys.com<br />

Norbain turns its attentions towards<br />

Bosch Security Systems’ DIVAR<br />

hybrid network recorders<br />

Norbain is now offering the new DIVAR hybrid<br />

and network recording solutions from Bosch<br />

Security Systems. Designed for 24/7 operation,<br />

they afford the ability to create surveillance<br />

solutions with professional security features.<br />

These solutions can be tailored to fit the<br />

growing needs of many businesses.<br />

With DIVAR recorders, it’s easy to watch live<br />

footage, play recorded content or reconfigure<br />

local unit settings anytime from anywhere. This<br />

can be carried out via the DIVAR Mobile Viewer<br />

app, available on smart phones (iOS and<br />

Android) and via the web browser.<br />

The direct monitor output is ideal for desktop<br />

models often positioned on a counter. The<br />

monitor can be placed on or beside the device,<br />

giving the business owner an overview of live<br />

images from all connected cameras.<br />

www.norbain.com<br />

62<br />

www.risk-uk.com


Technology in Focus<br />

Disruptive technology harnesses<br />

power of Big Data to give guarding<br />

end users<br />

“real insight”<br />

into security<br />

Cardinal Security<br />

is looking to<br />

revolutionise<br />

security guarding with the release of a new<br />

operations platform. Designed to provide end<br />

users with a level of insight unavailable to date,<br />

the intelligence-led approach provided by<br />

Guarded 365 affords users “full transparency<br />

and real control” over their security spend.<br />

Jason Trigg, CEO of Cardinal Security, believes<br />

that every end user of guarding services should<br />

demand this data and have proper visibility on<br />

where their investment is being made.<br />

“What people worry about in this business is<br />

what they’re receiving for their money, and<br />

rightly so. Most providers don’t deliver<br />

sufficient insight into Return on Investment.”<br />

Cardinal’s response to the challenge is the<br />

Guarded 365 intelligent platform, which is<br />

linked to a central data management system.<br />

When an officer arrives at the start of a shift<br />

they use a geocoded tablet – or an app on their<br />

own device – to take a picture of their face. A<br />

controller from Cardinal Security matches this<br />

against a database of staff members and then<br />

approves the officer to begin their shift.<br />

In essence, this simple process ensures<br />

timekeeping is accurate and that the correct,<br />

fully-licensed operative is on duty and wearing<br />

the correct uniform.<br />

www.cardinalsecurity.co.uk<br />

Bespoke power supply<br />

solutions for access control<br />

projects unveiled by<br />

Elmdene International<br />

Elmdene International has just<br />

launched a new range of power<br />

supplies specifically for use with<br />

access control systems.<br />

The Access Control range has<br />

been carefully designed to house<br />

some of the most common door controllers<br />

in order to ensure both convenience and<br />

flexibility for installations.<br />

With different power options and<br />

enclosure sizes available, this new access<br />

control range offers the security professional<br />

a choice of PSUs for a variety of<br />

applications. The range could also mean cost<br />

savings, with some of the units having the<br />

capability to provide battery-backed power<br />

for multiple door controllers, saving time<br />

and money on installing singular units.<br />

The Access Control range also includes<br />

multi-access PSUs. These models are<br />

supplied with a hinged cabling system and<br />

can provide either 12 V or 24 V, while also<br />

offering an independent ancillary relay that<br />

can be used for applications such as a fire<br />

door release relay.<br />

The enclosure is also a larger design<br />

capable of accommodating expander plates<br />

should additional door controllers be<br />

required, in turn further adding to the<br />

flexibility this range is able to offer.<br />

www.elmdene.co.uk<br />

Integrated technologies are the key<br />

for ievo and Keytracker partnership<br />

An integration of cutting-edge biometric<br />

recognition technology and key management<br />

systems is offering the very highest levels of<br />

security for organisations managing a large<br />

number of priority keys.<br />

The system is the result of determined cooperation<br />

between ievo, the Newcastle-based<br />

manufacturer of biometric recognition<br />

systems, and Keytracker (the Midlands<br />

manufacturer of key management systems).<br />

Andy Smith, general manager at Keytracker,<br />

explained: “We’ve developed our restricted<br />

key access systems for a huge variety of<br />

sectors ranging from the construction,<br />

engineering, property, education and health<br />

sectors to the vehicle retail trade. By<br />

combining these systems with ievo’s biometric<br />

recognition technology and the corresponding<br />

software, we’ve created<br />

an ultra-secure solution<br />

that tracks the release<br />

of specific keys to<br />

specific people.”<br />

The ‘Restricted Key<br />

Access System’<br />

incorporates state-ofthe-art<br />

hardware with<br />

easy-to-operate<br />

administration software<br />

restricting access to<br />

only those keys the<br />

user is authorised to<br />

use. Integration of the<br />

ievo ultimate fingerprint<br />

readers ensures that the potential for<br />

fraudulent access via stolen swipe cards or<br />

PIN codes is removed. The registration process<br />

has been integrated into the existing software.<br />

www.ievoreader.com<br />

63<br />

www.risk-uk.com


thepaper<br />

Business News for Security Professionals<br />

Pro-Activ Publications is embarking on a revolutionary<br />

launch: a FORTNIGHTLY NEWSPAPER dedicated to the<br />

latest financial and business information for<br />

professionals operating in the security sector<br />

The Paper will bring subscribers (including CEOs,<br />

managing directors and finance directors within the<br />

UK’s major security businesses) all the latest company<br />

and sector financials, details of business re-brands,<br />

market research and trends and M&A activity<br />

FOR FURTHER INFORMATION<br />

ON THE PAPER CONTACT:<br />

Brian Sims BA (Hons) Hon FSyI<br />

(Editor, The Paper and Risk UK)<br />

Telephone: 020 8295 8304<br />

e-mail: brian.sims@risk-uk.com<br />

www.thepaper.uk.com


Appointments<br />

Joey Hambidge<br />

Skills for Security has<br />

announced the appointment<br />

of Joey Hambidge in the<br />

newly-created role of<br />

operations manager. This<br />

position at the sector skills<br />

body for the private security<br />

business sector has been<br />

realised to provide the<br />

organisation with essential operational support.<br />

Hambidge will now be responsible for a broad<br />

remit including accreditations, apprenticeship<br />

standards, qualifications and the day-to-day<br />

management of Skills for Security’s operations<br />

and members of staff.<br />

With an extensive background in training,<br />

course design and employer liaison, Hambidge<br />

boasts much experience in delivering<br />

employability training and mapping course<br />

content to an established curriculum.<br />

Commenting on the appointment, Skills for<br />

Security’s interim director general Peter Sherry<br />

explained: “2017 is set to be an exciting year at<br />

Skills for Security as we gear up to provide<br />

guidance and support for security employers<br />

ahead of the introduction of a new<br />

apprenticeship standard. As such, we’re very<br />

pleased to welcome Joey to the organisation,<br />

where his extensive experience of employer<br />

liaison and course development will help us to<br />

develop our current offering and better meet<br />

the needs of the security industry as a whole.”<br />

Speaking about his new role, Hambidge<br />

informed Risk UK: “I’m looking forward to<br />

working for Skills for Security to improve<br />

diversity and inclusion in apprenticeships. By<br />

liaising closely with employers, it’s my goal that<br />

Skills for Security becomes recognised as the<br />

industry leader for new apprenticeship<br />

standards within our sector.”<br />

Craig Menzies<br />

CNL Software, the specialist in Physical<br />

Security Information Management (PSIM)<br />

solutions, is pleased to announce that it has<br />

appointed Craig Menzies to the role of general<br />

manager for the Middle East. Menzies will<br />

assume direct responsibility for all customerfacing<br />

departments as the company prepares<br />

for further expansion in the region.<br />

Menzies joins CNL from Tyco Fire & Security<br />

UAE where he was the Security Division’s<br />

manager, overseeing multi-disciplinary teams<br />

working on state-of-the-art security solutions<br />

for high-profile projects on behalf of Dolphin<br />

Energy, KOC, the Abu Dhabi Airports Company<br />

and the Road Transport Authority.<br />

Appointments<br />

Risk UK keeps you up-to-date with all the latest people<br />

moves in the security, fire, IT and Government sectors<br />

Gareth Walsh<br />

Elmdene International is pleased to announce a<br />

new addition to complete the business’ sales<br />

team in the UK. Gareth Walsh has now joined<br />

the company as regional sales manager looking<br />

after the Northern UK area.<br />

In his new role, Walsh will be leading<br />

Elmdene’s growth within the region by<br />

supporting strategic business plans.<br />

Walsh comes to Elmdene with 12 years’<br />

experience in the fire and security industry,<br />

having worked in sales positions at EU Fire and<br />

Security for ten years and at Illumino Ignis for<br />

almost two years, covering the North West<br />

region at both companies.<br />

Previously, Walsh has project-managed and<br />

commissioned the design and implementation<br />

of various system set-ups including fire alarm<br />

systems, emergency lighting systems and<br />

disabled refuge solutions.<br />

Sharon Ramsay, general manager at Elmdene<br />

International, explained: “Gareth brings vast<br />

experience from the industry, in turn adding to<br />

the skills and knowledge of our existing sales<br />

team. Along with our future growth plans,<br />

commitment to customer service and ongoing<br />

product development, the addition of Gareth to<br />

the team means we now have a dedicated focus<br />

in the North of the UK.”<br />

Walsh himself stated: “I’m delighted to be<br />

joining Elmdene. I’m looking forward to sharing<br />

my knowledge with the team, working with our<br />

customer base and building new relationships.”<br />

Menzies brings over 30 years’ experience of<br />

providing technology leadership and<br />

innovation in security solutions, of which 25<br />

have been spent in the Middle East, resulting<br />

in an in-depth understanding of customers and<br />

partners right across the region.<br />

“We’re excited to have Craig join CNL<br />

Software in the Middle East, particularly at a<br />

time when we’re strengthening our teams<br />

globally and deepening collaboration with our<br />

partners to support the growing demand for<br />

our IPSecurityCenter PSIM solution,” said<br />

James Condron, vice-president of global sales<br />

and marketing at CNL Software.<br />

Menzies informed Risk UK: “I’m delighted to<br />

join an already impressive team that boasts a<br />

great track record of innovation.”<br />

65<br />

www.risk-uk.com


Appointments<br />

Waleed Eltayib<br />

Axis Security, one of the UK’s leading security guarding<br />

and electronic security groups, has appointed Waleed<br />

Eltayib as key account director.<br />

Eltayib’s role includes overseeing the account teams at<br />

the company’s largest sites in London and the South East,<br />

as well as ensuring the delivery of a customer-centric<br />

approach and optimum service levels.<br />

An experienced security operations professional,<br />

Eltayib has worked for Axis Security for the past three<br />

years at the Crown Estate St James’ Portfolio managed by BNP Paribas Real<br />

Estate. Prior to this, Eltayib held senior contract management positions on<br />

behalf of Broadgate Estates, GVA West End Management and ABN Amro.<br />

“It’s useful to look at contract delivery with a fresh pair of eyes,<br />

understanding the host business’ culture and how we can adapt our service<br />

delivery to complement it,” explained Eltayib in conversation with Risk UK.<br />

In his new role, Eltayib is reporting to Axis Security’s operations director John<br />

Fitzpatrick. Key to his remit will be the Rathbone Square project, a flagship<br />

office, retail and residential development which is new to Axis Security’s<br />

London portfolio. Eltayib will be the main point of contact for the management<br />

team and a visible and regular presence on site.<br />

Jos Beernink<br />

Genetec, a leading<br />

provider of open<br />

architecture and unified IP<br />

security solutions, has<br />

recently unveiled two new<br />

senior executive<br />

appointments.<br />

Jos Beernink has been<br />

appointed vice-president<br />

of sales for Europe, the Middle East and Africa,<br />

where he will direct the sales organisation,<br />

developing new business and helping the<br />

channels address growing business demand.<br />

Beernink joins from a valued Genetec partner,<br />

Honeywell, where he served as vice-president<br />

of sales and marketing. In this role, his primary<br />

remit was to drive territory growth, which he<br />

will now apply in his new position at Genetec.<br />

Beernink has been a highly respected member<br />

of the technology sector for over two decades.<br />

In addition, Cyrille Becker joins as general<br />

manager for Europe to oversee European<br />

operations, positioning the business for growth<br />

within the European market.<br />

Becker is a seasoned business developer<br />

with 15 years’ experience gained in the security<br />

industry. He most recently served as a business<br />

unit general manager at Stanley Security<br />

France, a long-time Genetec partner.<br />

“With the appointments of Jos and Cyrille,<br />

we’re well positioned to address the rapid<br />

business growth that Genetec has experienced<br />

over recent years, while also meeting the needs<br />

of physical security projects across the many<br />

different vertical markets we serve in Europe,”<br />

said chief commercial officer Georges Karam.<br />

Georgios Kastias<br />

Apollo Fire Detectors has<br />

announced the<br />

appointment of Georgios<br />

Kastias as the company’s<br />

new operations director.<br />

Bringing a raft of<br />

experience to the role,<br />

Kastias’ appointment<br />

reflects the commitment<br />

made by Apollo to achieving organisational<br />

excellence within the company, spearheaded by<br />

a dynamic and effective leadership team.<br />

Born and raised in Greece, Kastias later<br />

obtained a BEng in Mechanical Engineering at<br />

Heriot-Watt University, followed by an MSc from<br />

Cranfield University and, more recently, an MBA<br />

which was gained at the Imperial College<br />

Business School.<br />

Kastias joins Apollo Fire Detectors from<br />

Danfoss, where he held the role of operations<br />

director, duly transforming the business into a<br />

high-performing organisation thanks to a<br />

determined focus on operational excellence and<br />

effective cultural change.<br />

Speaking about his new role, Kastias told<br />

Risk UK: “I’m absolutely delighted to be joining<br />

Apollo’s leadership team.”<br />

Kim Jørgensen<br />

Milestone Systems, the<br />

specialist in open<br />

platform IP video<br />

management software,<br />

has made two seniorlevel<br />

appointments.<br />

To strengthen<br />

Milestone’s business<br />

support, Kim Jørgensen<br />

joins in the newly-created position of vicepresident<br />

for global IT and operations. In this<br />

role, he will be part of Milestone’s extended<br />

leadership team with a focus on continued<br />

improvements around internal IT solutions,<br />

as well as online services.<br />

Jørgensen brings a strong business and<br />

technical background to the role as well as a<br />

proven track record of helping fast-growing<br />

businesses to both align and mature their<br />

technical services with underlying<br />

Information Technology infrastructures.<br />

After more than 15 years at Microsoft,<br />

Jesper Lachance Raebild has joined<br />

Milestone as director of product marketing.<br />

Heading up the global product marketing<br />

team in Copenhagen, he will use his strong<br />

background in software channel business<br />

and global product marketing to accelerate<br />

the Milestone platform and products.<br />

66<br />

www.risk-uk.com


20 - 22 JUNE 2017 EXCEL LONDON, UK<br />

New exhibition within<br />

IFSEC International 2017<br />

AT BORDERS & INFRASTRUCTURE EXPO YOU WILL BENEFIT FROM:<br />

• Access a VIP Meeting Service<br />

<br />

live product demonstration and testing area<br />

BRE Global<br />

Networking Lounge<br />

<br />

• See the latest UAVs at The Drone Zone.<br />

<br />

<br />

against them


Best Value Security Products from Insight Security<br />

www.insight-security.com Tel: +44 (0)1273 475500<br />

...and<br />

lots<br />

more<br />

Computer<br />

Security<br />

Anti-Climb Paints<br />

& Barriers<br />

Metal Detectors<br />

(inc. Walkthru)<br />

Security, Search<br />

& Safety Mirrors<br />

Security Screws &<br />

Fastenings<br />

Padlocks, Hasps<br />

& Security Chains<br />

Key Safes & Key<br />

Control Products<br />

Traffic Flow &<br />

Management<br />

see our<br />

website<br />

ACCESS CONTROL<br />

KERI SYSTEMS UK LTD<br />

Tel: + 44 (0) 1763 273 243<br />

Fax: + 44 (0) 1763 274 106<br />

Email: sales@kerisystems.co.uk<br />

www.kerisystems.co.uk<br />

ACCESS CONTROL<br />

ACCESS CONTROL<br />

ACT<br />

ACT – Ireland, Unit C1, South City Business Park,<br />

Tallaght, Dublin, D24 PN28.Ireland. Tel: +353 1 960 1100<br />

ACT - United Kingdom, 601 Birchwood One, Dewhurst Road,<br />

Warrington, WA3 7GB. Tel: +44 161 236 9488<br />

sales@act.eu www.act.eu<br />

ACCESS CONTROL – BARRIERS, GATES, CCTV<br />

ABSOLUTE ACCESS<br />

Aberford Road, Leeds, LS15 4EF<br />

Tel: 01132 813511<br />

E: richard.samwell@absoluteaccess.co.uk<br />

www.absoluteaccess.co.uk<br />

Access Control, Automatic Gates, Barriers, Blockers, CCTV<br />

ACCESS CONTROL<br />

COVA SECURITY GATES LTD<br />

Bi-Folding Speed Gates, Sliding Cantilevered Gates, Road Blockers & Bollards<br />

Consultancy, Design, Installation & Maintenance - UK Manufacturer - PAS 68<br />

Tel: 01293 553888 Fax: 01293 611007<br />

Email: sales@covasecuritygates.com<br />

Web: www.covasecuritygates.com<br />

ACCESS CONTROL & DOOR HARDWARE<br />

ALPRO ARCHITECTURAL HARDWARE<br />

Products include Electric Strikes, Deadlocking Bolts, Compact Shearlocks,<br />

Waterproof Keypads, Door Closers, Deadlocks plus many more<br />

T: 01202 676262 Fax: 01202 680101<br />

E: info@alpro.co.uk<br />

Web: www.alpro.co.uk<br />

ACCESS CONTROL – SPEED GATES, BI-FOLD GATES<br />

HTC PARKING AND SECURITY LIMITED<br />

St. James’ Bus. Centre, Wilderspool Causeway,<br />

Warrington Cheshire WA4 6PS<br />

Tel 01925 552740 M: 07969 650 394<br />

info@htcparkingandsecurity.co.uk<br />

www.htcparkingandsecurity.co.uk<br />

ACCESS CONTROL<br />

INTEGRATED DESIGN LIMITED<br />

Integrated Design Limited, Feltham Point,<br />

Air Park Way, Feltham, Middlesex. TW13 7EQ<br />

Tel: +44 (0) 208 890 5550<br />

sales@idl.co.uk<br />

www.fastlane-turnstiles.com<br />

ACCESS CONTROL<br />

SECURE ACCESS TECHNOLOGY LIMITED<br />

Authorised Dealer<br />

Tel: 0845 1 300 855 Fax: 0845 1 300 866<br />

Email: info@secure-access.co.uk<br />

Website: www.secure-access.co.uk<br />

ACCESS CONTROL MANUFACTURER<br />

NORTECH CONTROL SYSTEMS LTD.<br />

Nortech House, William Brown Close<br />

Llantarnam Park, Cwmbran NP44 3AB<br />

Tel: 01633 485533<br />

Email: sales@nortechcontrol.com<br />

www.nortechcontrol.com<br />

Custom Designed Equipment<br />

• Indicator Panels<br />

• Complex Door Interlocking<br />

• Sequence Control<br />

• Door Status Systems<br />

• Panic Alarms<br />

<br />

• Bespoke Products<br />

www.hoyles.com<br />

sales@hoyles.com<br />

Tel: +44 (0)1744 886600<br />

ACCESS CONTROL – BIOMETRICS, BARRIERS, CCTV, TURNSTILES<br />

UKB INTERNATIONAL LTD<br />

Planet Place, Newcastle upon Tyne<br />

Tyne and Wear NE12 6RD<br />

Tel: 0845 643 2122<br />

Email: sales@ukbinternational.com<br />

Web: www.ukbinternational.com<br />

Hoyles are the UK’s leading supplier of<br />

custom designed equipment for the<br />

security and access control industry.<br />

From simple indicator panels to<br />

complex door interlock systems.<br />

BUSINESS CONTINUITY<br />

ACCESS CONTROL, INTRUSION DETECTION AND VIDEO MANAGEMENT<br />

VANDERBILT INTERNATIONAL (UK) LTD<br />

Suite 7, Castlegate Business Park<br />

Caldicot, South Wales NP26 5AD UK<br />

Main: +44 (0) 2036 300 670<br />

email: info.uk@vanderbiltindustries.com<br />

web: www.vanderbiltindustries.com<br />

BUSINESS CONTINUITY MANAGEMENT<br />

CONTINUITY FORUM<br />

Creating Continuity ....... Building Resilience<br />

A not-for-profit organisation providing help and support<br />

Tel: +44(0)208 993 1599 Fax: +44(0)1886 833845<br />

Email: membership@continuityforum.org<br />

Web: www.continuityforum.org<br />

www.insight-security.com Tel: +44 (0)1273 475500


CCTV<br />

CONTROL ROOM & MONITORING SERVICES<br />

CCTV<br />

Rapid Deployment Digital IP High Resolution CCTV<br />

40 hour battery, Solar, Wind Turbine and Thermal Imaging<br />

Wired or wireless communication fixed IP<br />

CE Certified<br />

Modicam Europe, 5 Station Road, Shepreth,<br />

Cambridgeshire SG8 6PZ<br />

www.modicam.com sales@modicameurope.com<br />

CCTV POLES, COLUMNS, TOWERS AND MOUNTING PRODUCTS<br />

ALTRON COMMUNICATIONS EQUIPMENT LTD<br />

Tower House, Parc Hendre, Capel Hendre, Carms. SA18 3SJ<br />

Tel: +44 (0) 1269 831431<br />

Email: cctvsales@altron.co.uk<br />

Web: www.altron.co.uk<br />

ADVANCED MONITORING SERVICES<br />

EUROTECH MONITORING SERVICES LTD.<br />

Specialist in:- Outsourced Control Room Facilities • Lone Worker Monitoring<br />

• Vehicle Tracking • Message Handling<br />

• Help Desk Facilities • Keyholding/Alarm Response<br />

Tel: 0208 889 0475 Fax: 0208 889 6679<br />

E-MAIL eurotech@eurotechmonitoring.net<br />

Web: www.eurotechmonitoring.net<br />

DISTRIBUTORS<br />

CCTV<br />

G-TEC<br />

Gtec House, 35-37 Whitton Dene<br />

Hounslow, Middlesex TW3 2JN<br />

Tel: 0208 898 9500<br />

www.gtecsecurity.co.uk<br />

sales@gtecsecurity.co.uk<br />

CCTV/IP SOLUTIONS<br />

DALLMEIER UK LTD<br />

3 Beaufort Trade Park, Pucklechurch, Bristol BS16 9QH<br />

Tel: +44 (0) 117 303 9 303<br />

Fax: +44 (0) 117 303 9 302<br />

Email: dallmeieruk@dallmeier.com<br />

SPECIALISTS IN HD CCTV<br />

MaxxOne<br />

Unit A10 Pear Mill, Lower Bredbury, Stockport. SK6 2BP<br />

Tel +44 (0)161 430 3849<br />

www.maxxone.com<br />

sales@onlinesecurityproducts.co.uk<br />

www.onlinesecurityproducts.co.uk<br />

AWARD-WINNING, LEADING GLOBAL WHOLESALE<br />

DISTRIBUTOR OF SECURITY AND LOW VOLTAGE PRODUCTS.<br />

ADI GLOBAL DISTRIBUTION<br />

Distributor of electronic security systems and solutions for over 250 leading manufacturers, the company<br />

also offers an internal technical support team, dedicated field support engineers along with a suite of<br />

training courses and services. ADI also offers a variety of fast, reliable delivery options, including specified<br />

time delivery, next day or collection from any one of 28 branches nationwide. Plus, with an ADI online<br />

account, installers can order up to 7pm for next day delivery.<br />

Tel: 0161 767 2990 Fax: 0161 767 2999 Email: sales.uk@adiglobal.com www.adiglobal.com/uk<br />

CCTV & IP SECURITY SOLUTIONS<br />

PANASONIC SYSTEM COMMUNICATIONS COMPANY<br />

EUROPE<br />

Panasonic House, Willoughby Road<br />

Bracknell, Berkshire RG12 8FP UK<br />

Tel: 0207 0226530<br />

Email: info@business.panasonic.co.uk<br />

WHY MAYFLEX? ALL TOGETHER. PRODUCTS, PARTNERS,<br />

PEOPLE, SERVICE – MAYFLEX BRINGS IT ALL TOGETHER.<br />

MAYFLEX<br />

Excel House, Junction Six Industrial Park, Electric Avenue, Birmingham B6 7JJ<br />

Tel: 0800 881 5199<br />

Email: securitysales@mayflex.com<br />

Web: www.mayflex.com<br />

COMMUNICATIONS & TRANSMISSION EQUIPMENT<br />

KBC NETWORKS LTD.<br />

Barham Court, Teston, Maidstone, Kent ME18 5BZ<br />

www.kbcnetworks.com<br />

Phone: 01622 618787<br />

Fax: 020 7100 8147<br />

Email: emeasales@kbcnetworks.com<br />

DIGITAL IP CCTV<br />

SESYS LTD<br />

High resolution ATEX certified cameras, rapid deployment<br />

cameras and fixed IP CCTV surveillance solutions available with<br />

wired or wireless communications.<br />

1 Rotherbrook Court, Bedford Road, Petersfield, Hampshire, GU32 3QG<br />

Tel +44 (0) 1730 230530 Fax +44 (0) 1730 262333<br />

Email: info@sesys.co.uk www.sesys.co.uk<br />

THE UK’S MOST SUCCESSFUL DISTRIBUTOR OF IP, CCTV, ACCESS<br />

CONTROL AND INTRUDER DETECTION SOLUTIONS<br />

NORBAIN SD LTD<br />

210 Wharfedale Road, IQ Winnersh, Wokingham, Berkshire, RG41 5TP<br />

Tel: 0118 912 5000 Fax: 0118 912 5001<br />

www.norbain.com<br />

Email: info@norbain.com<br />

CCTV SPECIALISTS<br />

PLETTAC SECURITY LTD<br />

Unit 39 Sir Frank Whittle Business Centre,<br />

Great Central Way, Rugby, Warwickshire CV21 3XH<br />

Tel: 01788 567811 Fax: 01788 544 549<br />

Email: jackie@plettac.co.uk<br />

www.plettac.co.uk<br />

UK LEADERS IN BIG BRAND CCTV DISTRIBUTION<br />

SATSECURE<br />

Hikivision & MaxxOne (logos) Authorised Dealer<br />

Unit A10 Pear Mill, Lower Bredbury,<br />

Stockport. SK6 2BP<br />

Tel +44 (0)161 430 3849<br />

www.satsecure.uk<br />

www.insight-security.com Tel: +44 (0)1273 475500


EMPLOYMENT<br />

FIRE AND SECURITY INDUSTRY RECRUITMENT<br />

SECURITY VACANCIES<br />

www.securityvacancies.com<br />

Telephone: 01420 525260<br />

INTEGRATED SECURITY SOLUTIONS<br />

INNER RANGE EUROPE LTD<br />

Units 10 - 11, Theale Lakes Business Park, Moulden Way, Sulhampstead,<br />

Reading, Berkshire RG74GB, United Kingdom<br />

Tel: +44(0) 845 470 5000 Fax: +44(0) 845 470 5001<br />

Email: ireurope@innerrange.co.uk<br />

www.innerrange.com<br />

PERIMETER PROTECTION<br />

IDENTIFICATION<br />

ADVANCED PRESENCE DETECTION AND SECURITY LIGHTING SYSTEMS<br />

GJD MANUFACTURING LTD<br />

Unit 2 Birch Business Park, Whittle Lane, Heywood, OL10 2SX<br />

Tel: + 44 (0) 1706 363998<br />

Fax: + 44 (0) 1706 363991<br />

Email: info@gjd.co.uk<br />

www.gjd.co.uk<br />

COMPLETE SOLUTIONS FOR IDENTIFICATION<br />

DATABAC GROUP LIMITED<br />

1 The Ashway Centre, Elm Crescent,<br />

Kingston upon Thames, Surrey KT2 6HH<br />

Tel: +44 (0)20 8546 9826<br />

Fax:+44 (0)20 8547 1026<br />

enquiries@databac.com<br />

PERIMETER PROTECTION<br />

GPS PERIMETER SYSTEMS LTD<br />

14 Low Farm Place, Moulton Park<br />

Northampton, NN3 6HY UK<br />

Tel: +44(0)1604 648344 Fax: +44(0)1604 646097<br />

E-mail: info@gpsperimeter.co.uk<br />

Web site: www.gpsperimeter.co.uk<br />

POWER<br />

INDUSTRY ORGANISATIONS<br />

TRADE ASSOCIATION FOR THE PRIVATE SECURITY INDUSTRY<br />

BRITISH SECURITY INDUSTRY ASSOCIATION<br />

Tel: 0845 389 3889<br />

Email: info@bsia.co.uk<br />

Website: www.bsia.co.uk<br />

Twitter: @thebsia<br />

THE LEADING CERTIFICATION BODY FOR THE SECURITY INDUSTRY<br />

SSAIB<br />

7-11 Earsdon Road, West Monkseaton<br />

Whitley Bay, Tyne & Wear<br />

NE25 9SX<br />

Tel: 0191 2963242<br />

Web: www.ssaib.org<br />

INTEGRATED SECURITY SOLUTIONS<br />

POWER SUPPLIES – DC SWITCH MODE AND AC<br />

DYCON LTD<br />

Unit A, Cwm Cynon Business Park, Mountain Ash, CF45 4ER<br />

Tel: 01443 471900 Fax: 01443 479 374<br />

Email: sales@dyconpower.com<br />

www.dyconpower.com<br />

STANDBY POWER<br />

UPS SYSTEMS PLC<br />

Herongate, Hungerford, Berkshire RG17 0YU<br />

Tel: 01488 680500<br />

sales@upssystems.co.uk<br />

www.upssystems.co.uk<br />

UPS - UNINTERRUPTIBLE POWER SUPPLIES<br />

ADEPT POWER SOLUTIONS LTD<br />

Adept House, 65 South Way, Walworth Business Park<br />

Andover, Hants SP10 5AF<br />

Tel: 01264 351415 Fax: 01264 351217<br />

Web: www.adeptpower.co.uk<br />

E-mail: sales@adeptpower.co.uk<br />

SECURITY PRODUCTS AND INTEGRATED SOLUTIONS<br />

HONEYWELL SECURITY AND FIRE<br />

Tel: +44 (0) 844 8000 235<br />

E-mail: securitysales@honeywell.com<br />

UPS - UNINTERRUPTIBLE POWER SUPPLIES<br />

UNINTERRUPTIBLE POWER SUPPLIES LTD<br />

Woodgate, Bartley Wood Business Park<br />

Hook, Hampshire RG27 9XA<br />

Tel: 01256 386700 5152 e-mail:<br />

sales@upspower.co.uk<br />

www.upspower.co.uk<br />

www.insight-security.com Tel: +44 (0)1273 475500


SECURITY<br />

CASH & VALUABLES IN TRANSIT<br />

CONTRACT SECURITY SERVICES LTD<br />

Challenger House, 125 Gunnersbury Lane, London W3 8LH<br />

Tel: 020 8752 0160 Fax: 020 8992 9536<br />

E: info@contractsecurity.co.uk<br />

E: sales@contractsecurity.co.uk<br />

Web: www.contractsecurity.co.uk<br />

QUALITY SECURITY AND SUPPORT SERVICES<br />

CONSTANT SECURITY SERVICES<br />

Cliff Street, Rotherham, South Yorkshire S64 9HU<br />

Tel: 0845 330 4400<br />

Email: contact@constant-services.com<br />

www.constant-services.com<br />

FENCING SPECIALISTS<br />

J B CORRIE & CO LTD<br />

Frenchmans Road<br />

Petersfield, Hampshire GU32 3AP<br />

Tel: 01730 237100<br />

Fax: 01730 264915<br />

email: fencing@jbcorrie.co.uk<br />

INTRUSION DETECTION AND PERIMETER PROTECTION<br />

OPTEX (EUROPE) LTD<br />

Redwall® infrared and laser detectors for CCTV applications and Fiber SenSys® fibre<br />

optic perimeter security solutions are owned by Optex. Platinum House, Unit 32B<br />

Clivemont Road, Cordwallis Industrial Estate, Maidenhead, Berkshire, SL6 7BZ<br />

Tel: +44 (0) 1628 631000 Fax: +44 (0) 1628 636311<br />

Email: sales@optex-europe.com<br />

www.optex-europe.com<br />

LIFE SAFETY EQUIPMENT<br />

C-TEC<br />

Challenge Way, Martland Park,<br />

Wigan WN5 OLD United Kingdom<br />

Tel: +44 (0) 1942 322744<br />

Fax: +44 (0) 1942 829867<br />

Website: www.c-tec.com<br />

PERIMETER SECURITY<br />

TAKEX EUROPE LTD<br />

Aviary Court, Wade Road, Basingstoke<br />

Hampshire RG24 8PE<br />

Tel: +44 (0) 1256 475555<br />

Fax: +44 (0) 1256 466268<br />

Email: sales@takex.com<br />

Web: www.takex.com<br />

PHYSICAL CONTROL PRODUCTS, ESP. ANTI-CLIMB<br />

INSIGHT SECURITY<br />

Units 1 & 2 Cliffe Industrial Estate<br />

Lewes, East Sussex BN8 6JL<br />

Tel: 01273 475500<br />

Email:info@insight-security.com<br />

www.insight-security.com<br />

SECURITY EQUIPMENT<br />

PYRONIX LIMITED<br />

Secure House, Braithwell Way, Hellaby,<br />

Rotherham, South Yorkshire, S66 8QY.<br />

Tel: +44 (0) 1709 700 100 Fax: +44 (0) 1709 701 042<br />

www.facebook.com/Pyronix<br />

www.linkedin.com/company/pyronix www.twitter.com/pyronix<br />

INTRUDER AND FIRE PRODUCTS<br />

CQR SECURITY<br />

125 Pasture road, Moreton, Wirral UK CH46 4 TH<br />

Tel: 0151 606 1000<br />

Fax: 0151 606 1122<br />

Email: andyw@cqr.co.uk<br />

www.cqr.co.uk<br />

SECURITY SYSTEMS<br />

BOSCH SECURITY SYSTEMS LTD<br />

PO Box 750, Uxbridge, Middlesex UB9 5ZJ<br />

Tel: 0330 1239979<br />

E-mail: uk.securitysystems@bosch.com<br />

Web: uk.boschsecurity.com<br />

INTRUDER ALARMS – DUAL SIGNALLING<br />

CSL<br />

Salamander Quay West, Park Lane<br />

Harefield , Middlesex UB9 6NZ<br />

T: +44 (0)1895 474 474<br />

@CSLDualCom<br />

www.csldual.com<br />

SECURITY EQUIPMENT<br />

CASTLE<br />

Secure House, Braithwell Way, Hellaby,<br />

Rotherham, South Yorkshire, S66 8QY<br />

TEL +44 (0) 1709 700 100 FAX +44 (0) 1709 701 042<br />

www.facebook.com/castlesecurity www.linkedin.com/company/castlesecurity<br />

www.twitter.com/castlesecurity<br />

INTRUDER ALARMS AND SECURITY MANAGEMENT SOLUTIONS<br />

RISCO GROUP<br />

Commerce House, Whitbrook Way, Stakehill Distribution Park, Middleton,<br />

Manchester, M24 2SS<br />

Tel: 0161 655 5500 Fax: 0161 655 5501<br />

Email: sales@riscogroup.co.uk<br />

Web: www.riscogroup.com/uk<br />

SECURITY PRODUCTS<br />

EATON<br />

Eaton is one of the world’s leading manufacturers of security equipment<br />

its Scantronic and Menvier product lines are suitable for all types of<br />

commercial and residential installations.<br />

Tel: 01594 545 400 Email: securitysales@eaton.com<br />

Web: www.uk.eaton.com Twitter: @securityTP<br />

ONLINE SECURITY SUPERMARKET<br />

EBUYELECTRICAL.COM<br />

Lincoln House,<br />

Malcolm Street<br />

Derby DE23 8LT<br />

Tel: 0871 208 1187<br />

www.ebuyelectrical.com<br />

SECURITY SYSTEMS<br />

VICON INDUSTRIES LTD.<br />

Brunel Way, Fareham<br />

Hampshire, PO15 5TX<br />

United Kingdom<br />

www.vicon.com<br />

www.insight-security.com Tel: +44 (0)1273 475500


Simple & Easy Installation<br />

Integrated Security - Access Control<br />

Inception is an integrated access<br />

control and security alarm system with<br />

a design edge that sets it apart from the pack.<br />

Featuring built in web based software, the Inception<br />

system is simple to access using a web browser on a<br />

Computer, Tablet or Smartphone.<br />

With a step by step commissioning guide and outstanding user interface,<br />

Inception is easy to install and very easy to operate.<br />

For more information, visit www.innerrange.com/inception.<br />

There you will find installation guides and videos to help you<br />

get the most out of your Inception system.<br />

IN<br />

DESIGNED<br />

A U ST R A<br />

R<br />

LIA<br />

Security<br />

Alarm<br />

Access<br />

Control<br />

Automation<br />

No Software<br />

Required<br />

Multiple<br />

Devices<br />

Easy Setup<br />

with Checklist<br />

Prompting<br />

Send IP Alarms via<br />

the Multipath-IP<br />

Network<br />

Visit www.innerrange.com or call 0845 470 5000 for further information

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!