12 Guides on How to Conduct a Tabletop Physical Security Exercise


A tabletop security exercise is a discussion-based interactive session where stakeholders meet in either a formal or informal setting (meeting or conference room) to discuss roles and expected responses in the event of a particular security breach. Other types of security simulation include drills, penetration tests, seminars, and conferences. A security practitioner grounded in operational risk management should leverage the tabletop exercise as a vital tool for emergency preparedness and management. It should be a budget-based project, since the security team’s resilience and agility will depend on it. A security team that is conversant with exercises will outperform peers who adopt a nominal approach.

To create and execute a real-time, issue-based tabletop exercise, you should first understand your organization inside out. The business’s critical assets, the threat landscape and the adversaries must be identified. The vulnerabilities that threat actors could exploit should also be known. In a business world faced with increasing and complex threats, the question is no longer whether bad things will happen. They surely will; what is key is how the security team responds to them, both during and after the incident.

Typically, a facilitator guides participants through the exercise, taking them through a particular security incident narrative and raising questions about what steps should be taken in response. It is usually better to syndicate participants for diverse perspectives and insights. Potential scenarios for tabletop exercises should include, although not be limited to, those threats to which the organization has higher exposure based on risk ranking. These threats will share similarities but may differ depending on the business, the industry, location, operating environment, and complexity.

What should be the purpose of a tabletop security exercise?

The purpose of a tabletop security exercise should include evaluating the security team’s capabilities and the organization’s level of preparedness for security incidents, and educating participants about their roles during and after security breaches.

Some benefits of a tabletop security exercise

- It prepares the security team for different case scenarios: good case, bad case and worst case.
- It builds the team’s response skillset.
- It optimizes resource allocation, especially during an emergency.
- It sets the security team up against adversaries and prevents it from being caught unprepared.
- It serves as a training tool and can be used to check training requirements.
- It is cost-effective when compared to other types of simulation.

How to conduct a tabletop physical security exercise

1. Set objectives for the project: this answers the question of what you want to achieve and provides clear insight into it.
2. Reference the organization’s security plan: consult the organization’s security plan for guidance on the specific security incidents it has prepared for; otherwise, general standard practices can suffice.
3. Benchmark the exercise on a recent risk assessment: the exercise should be preceded by a recent security risk assessment that has identified and prioritized the business’s security risk threshold.
4. Consult the team (downline and upline): getting input from internal stakeholders (within and outside security) as well as external stakeholders (industry practitioners) is highly recommended.
5. Establish who is participating: identify the persons or groups who should play roles for the success of the exercise.
6. Develop scenarios: create sequential narratives of the security breach incident to be discussed. This should be done with an open mind and a sort of intellectual humility.
7. Run it on a periodic schedule: security exercises should never be a one-off project; rather, they should be scheduled to hold from time to time, e.g. monthly, quarterly, or annually.
8. Set ground rules: rules must be set during the session to guide facilitation and moderation. For example, everyone must contribute to discussions, discussion of a subject must not exceed the allotted time, mobile phones are to be on airplane mode, etc.
9. Do a hot wash: use the hot wash to generate recommendations, insights and takeaways. This should be the crux of the tabletop exercise project.
10. Document recommendations: for reference and archive, documentation of the entire exercise, especially the hot wash, is key.
11. File a project report: ensure formal communication is sent to the appropriate authority.
12. Create an implementation plan: learnings from the exercise will lose value if they are not practiced. An action plan to drive implementation of key learnings is highly recommended.

Threat actors are becoming more sophisticated with each passing day. They dedicate significant resources (funds and time) to planning and executing security breaches. The security team, as the defenders against threats, should therefore devote sufficient time to rehearsing how to confront incidents head-on when they come calling. Drills and exercises are a regulatory subject in some industries, such as aviation and maritime.

10 Ways To Prevent Workplace Violence


Workplace violence is a potential safety and security risk that must command committed attention from every organization. Any credible act of bullying, harassment, aggression, intimidation, assault, or attack carried out within the confines of a business place can pass this test. Workplaces vary in nature and culture; so do the threats of violence. Some business places may be more prone to this threat than others. For instance, the threat of workplace violence will be high in health and medical facilities, hospitality venues and night clubs, and production or manufacturing organizations. The same phenomenon may score low in corporate settings like financial offices, ports, county/government offices and other corporate arenas. However, regardless of environment, the threat of violence against persons holds across the board.

Occupational safety, which resonates closely with workplace violence, was recently prioritized by the state of California in the US through the passing into law of SB 553, which now makes it mandatory for employers to have in place “an effective workplace violence prevention plan”. Hence, it is unlawful for an organization in California not to have in place a comprehensive and effective prevention plan for potential attacks in business settings. This move underscores the significance of putting the safety of the world’s first assets (human resources) first and other resources next.

Organizations have an obligation to ensure the safety of all persons at their work premises, regardless of the purpose of visit. Activating processes and communication towards fulfilling this obligation is the way to go for any business that truly prioritizes occupational safety. Workplace violence is a very complex security threat because it targets human resources, which are key drivers of business success.

David Burke’s act of extreme aggression on flight 1771 of Pacific Southwest Airlines on December 7, 1987, which led to the plane crash and the death of forty-three persons onboard, is a classic example of a determined attacker in an act of workplace violence.

Here are five common types of workplace violence:

- Crime based: this occurs in an active crime scene where the victim is not a primary target but gets caught up in the web.
- Customer based: this is where a customer transfers aggression or frustration against a worker, a fellow customer or others.
- Worker based: this occurs when a disgruntled or unstable worker goes berserk. The act may be against an employer, a fellow worker, or others. David Burke’s flight 1771 case was a good example of worker-based workplace violence.
- Owner based: this obtains when the employer is the one attacking persons on the business premises. Such an attack could be against a worker, a customer, a vendor, etc.
- Authority based: this type is carried out by persons who use their statutory authority to unleash violence on others in a workplace. An example is when on-duty law enforcement personnel carry out aggression against defenseless citizens.

Red flags for workplace violence that must be taken seriously:

- Substance abuse
- Workplace toxicity
- Subtle acts of bullying
- Uncontrollable emotion
- Fascination with violence
- Direct or indirect threats
- Obsessive acts of stalking
- Uncontrollable temperament
- Subtle violation of simple rules
- Subtle lack of respect for authority
- Sense of entitlement to an “authority shield”

10 ways to prevent and mitigate workplace violence:

1. Carry out a risk assessment: this will enable the organization to determine its exposure to this threat.
2. Establish a workplace violence prevention policy and plan: the policy, as a statement of intent, will set the tone, and the plan will roll out follow-up reactions.
3. Engage the workforce and communicate the policy to them: workers and other stakeholders must be informed of the position of the business on the subject.
4. Activate security measures and controls: such controls should be embedded in physical and procedural security operations, e.g., surveillance, alarm, and visibility.
5. Create an incident reporting and response channel: there must be open channels for victims and observers to speak up about signs or occurrences of attack.
6. Respond promptly: every perceived suspicion or real act of workplace violence must be visited with the full wrath of the policy and plan.
7. Provide a support system: those who might suffer direct or indirect impact of attacks should receive the necessary support that is legally available, as a duty of care.
8. Ensure smart hiring through background checks: the organization must know who it wants to hire and the implications or otherwise of such a hire.
9. Maintain continuous training: besides onboarding inductions, organizations must continue to keep workers aware of their stance on the subject.
10. Carry out random drug and alcohol tests on the premises: such an exercise will expose persons who may be a threat to the workplace.

The threat of attack at a business place is a security risk that must receive deserved attention and prioritization. Prevention is the best approach. When early warning signs appear, they should not be taken for granted. As complex as the subject appears, this piece has highlighted some strategic approaches to apply.