This is the third blog in a five-part series on the top trends in 2018 that we expect to see driving best practices and priorities across the U.S. and the world in: (1) threat and violence risk management, (2) investigations, (3) security risk management, (4) law enforcement, and (5) private client and family office services.
Security Risk Management Trend #1: Concerns about International Travel Risks Will Grow for Many Americans
At the start of 2017, we expected to see terror attacks increase against soft targets worldwide. These widely shared fears proved true. In one year, Europeans, for example, confronted attacks in cities such as Barcelona, Stockholm and Paris (on the Champs Elysees and, in a separate incident, the Louvre). With even greater frequency, the British withstood high-profile attacks on London Bridge and in London’s Finsbury Park mosque, as well as at an Ariana Grande concert in Manchester.
Concerns about international travel are growing. Just three years ago, a U.S. travel industry study indicated that 48 percent of Americans said they are “more concerned than in the past” about travelling; 15 percent said they would change the type of travel planned, and another 14 percent said they would change travel destination or cancel their plans completely. In 2017, a CNN global survey found that 67 percent of respondents say that “safety and security” matter most – over price and other factors.
Fast forward to 2018. As these apprehensions continue to grow, many U.S. employers, both public and private, will place a higher priority on technology, programs and initiatives that (1) monitor, aggregate and push destination-specific, open source intelligence to both corporate security centers and employees’ smart devices; and (2) educate employees on international travel security practices, as well as on how to respond when an attack in a workplace or mass-gathering event occurs.
Trend #2: Terrorism – Both Foreign and Domestic – Will Bring Homeland Security Issues to the Doorstep of U.S. Businesses
Foreign terrorist organizations (FTOs) continue to publicize their intentions to attack the U.S. and cause mass casualties. Recent attempts by FTOs coupled with actual events highlight the risks faced by many sites and entities in the U.S. – especially high-profile U.S. businesses, iconic and nationally prominent sites, and mass-gathering events. Perpetrators of these attacks – both foreign and domestic actors – fall into three categories:
- Violent Extremists: Individuals who carry out ideologically motivated terrorist activities to further political or social objectives promoted by an FTO.
- Home-Grown Violent Extremists: Those who once assimilated into the U.S., but have since rejected the cultural values, beliefs and environment of the U.S. in favor of a violent ideology, and then commit terrorism inside the U.S. without direct support or direction from an FTO.
- Domestic Terrorists: Individuals who engage in unlawful acts of violence to intimidate civilian populations or attempt to influence domestic policy without direction from or influence by a foreign actor.
Last year, high-profile domestic terror attacks in the U.S. included the stabbing of a police officer in Michigan’s Bishop International Airport, the explosion of a low-tech improvised explosive device (IED) in a busy New York City transportation hub, a truck ramming attack on a New York City pathway near the World Trade Center, and the killing of 58 musical festival participants from a “sniper’s nest” high in a nearby Las Vegas hotel.
As 2018 unfolds, we believe more of these types of events will occur on U.S. soil. This trend will prompt many more private and public sector entities to ensure that they are advancing appropriate prevention-oriented protocols in areas such as: (1) emergency preparedness; (2) active threat planning and prevention; (3) behavioral threat assessment and workplace violence prevention; (4) employee security awareness training; and (5) both liaison and information-sharing with federal, state and local agencies dedicated to homeland security, law enforcement and public safety.
Trend #3: Long-Range and Extended Threats Will Be Top-of-Mind for Event Security Planners
Although the risk of a sniper is regularly addressed by specialized teams responsible for protecting high-profile government leaders, it hasn’t typically been addressed by major event planners in the past, who tend to focus on establishing secure perimeters at the outer edge of the event site or just beyond it. The Las Vegas Mandalay Bay shooting has changed that. We are currently supporting many clients responsible for the security of mass-gathering events and other critical infrastructure as they adjust their security strategies – and extend their secure perimeters – to address the risk of long-range threats.
Doing so requires tactics and countermeasures unfamiliar to many private security teams – and even some law enforcement agencies. In effect, we expect that 2018 will be the year when many in-house security teams and third-party law enforcement organizations begin to plan, train and conduct exercises that will prevent this type of threat from occurring in the future and ultimately save lives.
Trend #4: Corporate Security Departments Will Adjust Tactics to Counter the Risks of Vehicle Attacks
In addition to “extended security perimeter,” another priority that will command security resources in 2018 and beyond will be a higher level of emphasis placed by security departments on preventing vehicle attacks. From 2014 through mid-August 2017, according to CNN National Security Analyst Peter Bergen, more than 129 people have been killed in vehicle ramming attacks. Since 2014, there have been 14 such incidents – and the number is rising, including the Manhattan bike-lane attack in October 2017.
Bollard emplacement and other tactics have long been used by federal, state and local agencies with missions related to homeland security and law enforcement, as well as the protection of critical infrastructure facilities such as high-traffic commercial sites, transportation networks, chemical and industrial plants, the defense industrial base and nuclear reactors. Major U.S. cities – such as New York and Las Vegas – for example, are increasing these protections. That’s not surprising. What’s new in 2018 is that many more corporate security departments will begin asking, “What’s our risk in this regard – and how should we address it?”
Trend #5: Sophisticated Phishing and Ransomware Attacks Will Cripple More Small Businesses
The stats tell the story. According to Symantec, cybercriminals targeted 43 percent of small businesses in 2017 – a dramatic increase from 18 percent in 2011. Another study – this one published by Keeper Security and the Ponemon Institute – discovered that only 14 percent of small businesses targeted rated their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. Small businesses are not necessarily as resilient to such attacks. The Ponemon Institute projects average clean-up costs per incident to be approximately $690,000, which can be crippling. In fact, the U.S. National Cyber Security Alliance has determined that 60 percent of small companies that suffer a cyber attack are out of business within six months. The publication Small Business Trends reports that an estimated 43 percent of the attacks against small companies were a variation of phishing and two percent were associated with ransomware.
As this trend continues into 2018, we anticipate that a higher percentage of small businesses will increase their focus on three critical areas: (1) information security awareness training for employees and contractors, including how to identify malicious emails with increasingly more sophisticated tactics to introduce harmful agents; (2) policies and procedures from acceptable use practices to penetration and social engineering testing; and (3) technology solutions including automation, role-based access privileges, layered network design, SPAM filtering and robust virus and malware software.
Trend #6: State-Sponsored Cyber-Attacks Will Continue to Proliferate
State-sponsored intelligence gathering will continue, escalate and prove more damaging to nations and their governments, corporations and public service organizations and, to a lesser extent, individuals. As Experian published in its 2017 Data Breach Industry Forecast, “[t]he progression of cyber-attacks driven by nation-states will undoubtedly place critical infrastructure in the crosshairs, potentially leading to widespread outages or exposed personal information that could impact millions of innocent consumers.”
While the volume of human, technological and financial resources to protect against these attacks has increased exponentially, the tools and methods to collect massive amounts of coveted data has significantly outpaced the corporate and government protocols to keep data secure. The reality is it’s easier and cheaper than ever before for “armies of hackers” working on behalf of another country to sit on the other side of the world, targeting systems, stalking weaknesses and leveraging security gaps to gain access to corporate data that may be used to further their agenda.
If government agencies can’t adequately protect themselves from these types of attacks, how can corporations? An enterprise-wide commitment to secure hygiene, one that is visibly championed by the C-suite, is vital. We anticipate a renewed focus in this arena – perhaps with urgency – on (1) maintaining simple but effective baseline controls, (2) addressing easily exploitable vulnerabilities, (3) enforcing good configuration policy, (4) ensuring systems are protected by firewalls, (5) encrypting all confidential data, and (6) enforcing password and authentication best practices.
What’s on your security risk management agenda in 2018? What trends are you seeing?
How are you preparing for the upcoming year? Over the next few weeks, we’ll be addressing other Top Trends to Watch in 2018 in our other practice arenas. Want an automatic alert when the next blog goes up? If you’re not a subscriber already, fill out the form below.