In June 2017 the UK official National Counter Terrorism Security Office (NaCTSO) published its 174-page Crowded Places Guidance. This advisory report focuses on protecting crowded locations including visitor attractions, shopping centres, sports stadia, bars, pubs and clubs which are easily accessible to the public and present a potential target for terrorists. Here Nigel Peers, pictured, focuses on the parts of NaCTSO’s Crowded Places Guidance which provide protective security advice to those who own, operate, manage, secure or work in visitor attractions.
It’s an area that I have in-depth expertise in – having managed security for the UK’s busiest zoo, boasting 1.9m visitors a year, for several years before joining NW Systems Group. Rather than summarising what is an incredibly detailed and instructive document, I thought it helpful to present some of the thinking and processes that I went through during a more than three-year period to harden security systems, plans and procedures – mitigating against key risks which were identified when I began my time in that role.
Identify the assets
Much of the hard work begins with asset identification and assessment. You need to assess and prioritise all assets to be protected and then the security risks across four different parameters:
1.People – staff, visitors, contractors
2.Physical assets – infrastructure, buildings, etc.
3.Information / data assets
4.Policy and procedures
In any Risk Assessment you must be able to identify, and rank risks based on a detailed assessment of the likelihood of a type of threat happening and the possible impact on the organisation should such an event occur. Four key questions to ask are:
1.What assets need to be protected?
2.What threats and vulnerabilities are out there?
3.What is the impact on the attraction if a given asset is compromised/attacked/breached?
4.What existing measures, systems and equipment already aid protection of these assets, mitigating against pre-identified threats?
All threats need to be placed in order of importance and any remedial action needed to improve mitigation measures needs to be proportionate to the level of threat and the assets identified for protection. During the process of prioritising which risks to mitigate first, and which to devote most resource to improving, it is worth considering key stakeholders and their priorities and concerns.
So, for a visitor attraction, key stakeholders might be:
1.CEO and other Board Directors responsible for the reputation and wellbeing of the organisation
2.IT Director/IT manager who may have to assist in preventing a cyber attack
3.Marketing department – who may have to ensure they are not making information public, which could be of use for hostile reconnaissance intelligence gathering
4.Security team – who are going to be pivotal to strengthening any security systems and procedures as the implementers
5.Health & Safety management – monitoring for slips, trips and falls, other potential injury, personal property damage or anti-social behaviour that may place staff, visitors or other assets at risk; and
6.Visitors – who may well have a part to play by remaining vigilant to surroundings and people around them that may be behaving unusually – they can be encouraged to report anything unusual including unattended bags.
When drawing up the risk assessment it is important to bear in mind that the best you can expect to do is reduce the risk to ‘as low as reasonably practicable’, while maintaining the friendly and welcoming atmosphere which is compatible with visitors enjoying a great day out.
Building a plan
Once the risk assessment has been completed the next step is to draw up a Strategic Security Plan. The Security Plan must be simple, clear and flexible as far as is possible.
It will need to detail:
1.Policies – for helping staff and visitors to be security-aware and as far as possible knowledgeable about what should be done if an incident happens
2.Operational change recommendations e.g. profiling of visitors by your security team, increasing patrolling levels, randomising patrol timings etc
3.Physical change recommendations e.g. barriers, IP video, access control, bollards, fixed furniture, waste bins etc.
4.Training and awareness requirements for the security team and the wider organisation
5.Validation procedures – to check you have got priorities and mitigations right
6.Partnership – you should be running plans through your local Counter Terrorism Security Advisor (CTSA) and other strategic partner agencies
7.Review and monitoring regime – how often will the plan be checked?
8.Communication and media elements – including knowing what should and should not be communicated about your security systems, procedures and assets. For example, some information may help hostile reconnaissance operatives. Other information should be made very public to deter hostiles targeting your venue.
Hostile reconnaissance
One key consideration is to work hard to Deny, Deter & Detect hostile reconnaissance. The more your security regime can deny would-be terrorists access to reconnaissance intelligence, the less likely your venue will be subject to a major attack. Spotting them early is the first crucial step to stopping any hostile reconnaissance team from gathering useful intelligence. Thereafter, if you can demonstrate a strong security appetite by proactively indicating you’ve ‘spotted them’, and provide identification-worthy CCTV evidence to the authorities, the more likely they are to be deterred from returning. Add to proactive profiling of possible hostiles by communicating the effectiveness of your security systems, or as the NaCTSO Guidelines put it, deterring them by putting out the message: ‘Come here and you are likely to get caught’, and you start to reduce the risk of an attack considerably.
Phased mitigation
You will not be able to purchase and install the full shopping list of equipment and training requirements that you’ve identified within the first few months of completing the Risk Assessment work as budgets will rarely allow it. So, if you have assessed you need 200 new surveillance cameras and a new highly-secure Control Room, you will need to consider phasing in this work. So, is there scope to re-use a portion of the old analogue CCTV cameras for a period and bring the serviceable ones onto the network? And if there is budget for only 50 new network cameras – where exactly do those priority cameras need to be placed? The ‘top priority’ threats must be tackled first so that biggest threats are mitigated before moving to the lesser threats as budgets and resources free up.
One valuable way to prioritise work is to attach an Operational Requirement (OR) statement to each piece of security equipment going in. Essentially, this needs to state precisely what security or other operational need this piece of equipment addresses. Each new camera will have a specific purpose – one might be for perimeter security, another for animal welfare, a third for Health & Safety monitoring on a pedestrian thoroughfare, and so on.
It must be clear which area is covered by each camera. Further, the displacement consideration must be documented for all surveillance cameras: it’s important to understand that if a new camera is put in to cover one known area where crime is likely to be committed, that this crime may just move into a different area. Although this is a more significant concern in public space CCTV installations, displacement risk is always worth considering.
Access controlled
The OR process is fundamental to planning an efficient security solution and access control is no exception. Be it controlling pedestrian access to certain areas, or vehicles into the site, the principles are the same. Know who or what can go where and allocate passes to reflect this. Any access control system is only as good as the procedures and people that govern its use and a good security culture is paramount in ensuring your site remains secure.
Processes and procedures for issuing visitor and contractor passes are worthy of close attention as it is normally in these sorts of procedures and processes that vulnerabilities lie. Hostile Vehicle Mitigation (HVM) strategies are detailed in the Guidance and should be read carefully as this type of threat is being encouraged by terrorist groups via the internet right now, as we know all too well from recent Vehicle as a Weapon (VAW) attacks in Nice, London and New York. VAWs, like many threats, demand defence in depth, multi-layered and overlapping security systems, processes and procedures. Retractable and fixed bollards at vehicle and pedestrian entrances, fencing, barriers, landscaping, fixed furniture, identification and pass checking, profiling, as well as well-placed CCTV and speakers to send audible alerts, can all work together to make a site as secure from a VAW as is practicable – particularly given the fact that you don’t want a visitor attraction to feel like Fort Knox.
Incident management
Should an incident happen, you need to be thoroughly drilled on the procedure to keep staff, visitors and other assets safe. All people on site must know where to go and what to do in the event of a security incident. This could mean full or partial evacuation or ‘invacuation’ to a secure place on or off-site. You will want to deter any new people entering an area where a security breach has occurred. By doing so you will reduce risk of increasing the number of people exposed to the threat.
Alarm control points should be considered and sited where mustering points have been agreed and communicated. Methods for good communication flow must also be multi-layered so public address can be supported by shortwave radio for security officers. Police and emergency services must be called in as early as possible to assist. Staff should be tested with regular scenario based exercises including desktop and practical activities.
Summary
This canter through my experience securing one of the UK’s largest visitor attractions, only allows for investigation of just some of the elements of securing a Visitor Attraction. It cannot be as comprehensive as the new NaCTSO guidance which covers mitigation of many more threats than I’ve been able to cover here. Threats are bound to be different for each attraction. Legacy security systems, range of assets, layout and size of the site and existing security personnel are all issues which need to influence your security priorities. However, the principles of good security planning and risk assessment should form a firm foundation for building a new security plan for any visitor attraction.
About the author
Nigel Peers is a security consultant, certified Data Protection Practitioner and qualified Trainer. With a military background and as a previous founder of a workplace compliance training company, Nigel possesses expertise in conducting security site surveys, vulnerability assessments and delivering Security Industry Authority (SIA) and other industry-related training courses.
Prior to joining NW Systems, Nigel also set about the updating of security at Chester Zoo, one of the UK’s biggest tourist attractions. Nigel now heads the Consultancy & Training division at NW Systems Group, helping organisations understand the latest regulations and ensure risks, threats and vulnerabilities are correctly identified. Through strategic planning support, Nigel optimises security solution delivery from mitigation to implementation, risk and incident management to business continuity and recovery.
