This week, I’m following up with my two prior blogs on this emerging trend in corporate security risk management in 2016. If you missed those, you can access them here: (1) “The Growing IED Threat in the U.S. Today: An Executive Briefing for Business and Security Leaders” and (2) “IEDs in the United States – and Corporate Security: Three Types of Attackers.”
As I referenced tangentially in my first blog, the most effective ways to counter the risks that improvised-explosive devices (IEDs) – including person-borne IEDs (PBIEDs) and vehicle-borne IEDs (VBIEDs) – pose to a given office, facility, landmark or location requires an integrated and layered approach.
This must be undertaken in a careful manner that coordinates the investment across strategy, structure, people, process and technology. While a full discussion of this stands outside the scope of this blog mini-series, such a best-practice-based approach to IED threat assessments includes tasks such as the following:
- Identify the top 10 to 12 risks confronting your organization – Determine inclusion on this list based on three factors: threats, vulnerabilities and consequences. Only after establishing a clear, 360-degree perspective of your risks should your team determine whether or not IEDs should be represented and how highly it should be ranked.
- Evaluate the efficacy of a three-perimeter approach to site-specific security – There are distinct tactics and countermeasures involving personnel, policies, processes and technologies that apply to the defined areas that fall within the “outer”, “middle” and “inner” perimeters. Get to know what these are and apply them.
- Based on the characteristics of your location and other drivers of risk, investigate and implement an integrated set of solutions – Be sure to examine, in particular, prevention-enabling anti-IED measures such as incident management and emergency operations center capabilities; prevention-oriented architectural and building design; permanent and mobile bollards and mandatory stand-off distances; controlled shipment schedule, screening and receipts; and screening of people, vehicles and packages via explosive canine teams, explosive detection systems (EDS), and explosive trace detection (ETD).
- Conduct active and continuous liaison with international, federal, state and local authorities as well as private sector partners – Request and share information on the threat environment. Consider resource service agreements and Memorandums of Understanding with nearby like-sized organizations seeking to mitigate comparable risks.
- Develop alternative sites and backup sources for critical infrastructure resources – Do so for each of the resources crucial to the safety of your people and the continuity of your operations – such as electric power, natural gas, communications, information technology, water, wastewater, transportation and critical products.
- Depending on the type of asset you’re seeking to protect, consider training security personnel to use both physical and electronic countersurveillance techniques and practices – Building, transporting, and detonating an IED, PBIED or VBIED requires a high level of planning. A critical part of this preparation involves behaviors observable by others – security personnel, employees, bystanders, families and friends – such as surveilling potential targets, conducting Internet searches for target selection, suspicious acquisition of maps and blueprints, lying to law enforcement officers and obstructing investigations, taking photographs, conducting “dry runs” through security, and exhibiting communication security techniques and tradecraft (e.g., changing SIM cards, phone numbers or using disposable “burner” phones). Consider the benefits of requiring all in-house and contract security personnel to undergo counter-surveillance training. Also consider integrating some of these “mobilizing behaviors”, where appropriate, in your organization’s security awareness training curriculum.
In closing, you may or may not need to take action to mitigate the risks of an IED for your people, teams, facilities and operations here in the United States. But depending on your industry, location, business model and other factors, you may be better off formally managing this risk than shrugging it off.