Prepared for the worst

A year after the attacks on September 11, Nic Paton reports on five ways to improve workplace security.

Ask any HR professional whether their organisation has improved security and disaster planning in the wake of September 11, and the chances are the answer will be a firm yes. But while recognising the need for increased vigilance and evacuation measures is one thing, securing the necessary investment to make a real difference, is quite another.

According to Texas-based security specialist PentaSafe Security Technologies, the difficult global economic climate means that while security has now been elevated up the agenda, it is still just another cost to be weighed up and justified like any other.

PentaSafe has 1,250 customers, and advises major banks, consumer groups such as Johnson & Johnson and four of the top five US auditing firms.

Marketing director David Blackman believes firms are looking to tighten up their security and disaster planning without investing new money.

"If it is a new project, the organisation may go through an entire evaluation. But it's always against a backdrop of 'is this going to help us reduce our costs or increase revenues?'," he says.

The bill for extra security can run to many thousands of pounds, so it is vital to have a central strategy to prevent people pulling against each other, or wasting money on pet projects.

Some security initiatives can, in fact, help to reduce costs. An estimated 40 per cent of calls to IT help desks are related to forgotten or lost passwords. By putting an automated tool in place, for instance, the helpdesk can be freed to deal with bigger issues and security is not compromised, argues Blackman.

Here are five tips for making your organisation better prepared for the worst:

Be transparent

Effective disaster planning is as much about education as blueprints and secret manila folders. Make sure your staff know what to do in an emergency, make it clear and simple to understand and make sure you have emergency teams in place.

Who will come in at the weekend to set up offices in people's homes or in business partners' offices, for instance? "You need to be able to mobilise your staff," argues Blackman.

It is important to know at all times who has the facility to work from home and who can be used to hook back up to the office. Do you have a fall-back location? Where are your critical staff? What, for instance, would you do if a bomb took out the Underground or rail network, and employees could not get in?

Watch your back

When it comes to physical security, have a strategy that looks at all aspects of the building: front, back, side, top and bottom.

Organisations will often have stringent security for employees at the front, and then become lax about the goods' entrance or loading bays. Make sure partners and associates are equally stringent.

Assess what your options are if the building were to be destroyed, and determine which assets are critical and which less so. Is there a particularly vital server, HR database, central record or classified information that needs to be taken into account, for instance? Put a programme in place that will ensure that in the event of a disaster, you will still have access to this information.

Do trial runs

This doesn't necessarily mean everyone donning armbands and hurrying into the woods. It can entail running an exercise where you can't get into the network, for example, or doing an evacuation exercise, or choosing a department to assess how it might function in a crisis situation.

But, however useful, exercises still only have a limited use. "They are worthwhile, but when it happens for real, you still just have to deal with it," warns Blackman.

Disasters don't have to be spectacular

Financial fraud, hacking and industrial espionage can be just as damaging to a business as a high-profile terrorist attack. Fraud will often involve someone on the inside, so if you have a lot of sensitive information, it is imperative to make sure adequate checks are carried out on employees, contractors and suppliers.

When it comes to cyber attacks, ensure your IT people have configured all the firewalls correctly and, as far as possible, have closed off all opportunities for hackers.

Also look at your corporate website - are you giving too much away about your key locations, assets and executives?

Keep your plans updated

People may be on leave or out of the office when disaster strikes, so make sure staff know who's responsible for deputising when that person is away at all times.

Some organisations have 'buddy' systems where employees help each other out of the building.

Organisations will also often merge, so make sure disaster planning doesn't end up being put to one side in the newly formed business.