How to Prepare for Incidents of Terrorism | Risks of Digital Terror
8 Piedmont Center
Suite 420
Atlanta, GA, 30305
Visit our web site: www.cmiatl.com
800.274.7470
404.841.3400
info@cmiatl.com
If you have questions or would like information on CMI's services, contact:
Randy Hudson
Director of Client Services
800-898-0947
Volume I, Issue II, April 2003
Facing the Unthinkable: How to Prepare for Incidents of Terrorism and Avoid Being Blindsided
By Bruce T. Blythe
Whatever their opinions about the U.S. invasion of Iraq, most people agree that
the war and occupation may provoke terrorist acts of revenge here at
home. People in some other countries have been living with such threats for years. But for Americans, the knowledge that we are vulnerable to terrorism is still painfully new. The very names of things that could happen – radioactive “dirty bombs,” poisonous chemical releases, suicide attacks – create a new sense of discomfort and threatened security.
But we each have a choice. We can be passive – and let ourselves be blindsided whenever something horrible does occur – or we can begin to prepare. And the first step to preparedness is facing the unthinkable: looking at it hard, breaking it down into manageable parts, and working through reasonable plans for how to respond.
If you are a company manager, you have a duty to your people to do this. As individuals, every one of us has that responsibility, too – to our families and ourselves.
Try this: imagine that a paralyzing nerve gas has been released near where you are. I’ll bet you thought something like, “Oh my God, that would be horrible –” and then quickly pushed the idea away. Your mind naturally wants to protect itself from things that are so nightmarish.
But if you don’t want to be caught unprepared, you will have to keep your mind open long enough to visualize what might happen, and how you should best respond. You must make yourself consider it deeply. You have to think it through.
I myself tried to consider the idea that a terrorist attack on a nuclear power plant could release a radioactive plume in the direction of my family’s home. I thought, “Well, we would just get the heck out of Dodge.” Then it occurred to me that the drive to our planned “safe haven” is too far for one tank. So then I thought, “Quickly, I would need to gas up and keep an extra full gas can.” And then I realized that the roads would be unbelievably jam packed with frantic people; other cars would run out of gas and wrecks would occur, and traffic could come to a standstill. That brought me to examine an alternative approach: “Maybe we’re going to have to stay put. So what would that mean we should do?”
Facing the unthinkable and working through possible scenarios this way vastly increases the likelihood that you’re going to respond effectively. Even if what happens is quite different from anything you pictured, the very experience of having broken down the possibilities makes you more alert, rational and flexible in a pinch. And even if it turns out that you have to improvise, you will not be completely blindsided.
You will not only have equipped yourself with specific tactics that could still be useful as part of your response; you will also have practiced the kind of thinking that could save your life. We know that emergency medical technicians, fire fighters, police officers, soldiers – who face life-threatening situations routinely –– respond better to unpredictable situations than most of us. Why? Because they have trained, practiced and rehearsed – both physically and in their minds.
The Israelis, similarly, have acclimated to an environment where terrorist acts are to be expected. As a result, their idea of a normal lifestyle is a bit different from ours. They think twice, for instance, about going to public gatherings. When they do go out, they make a point of telling each other where they’ll be and how they’ll travel, and they check in with each other frequently. They plan contingencies right into their daily living. Do they like having to do this? Certainly not. But they’ve learned the hard way not to let themselves be blindsided.
Analyzing Your Vulnerabilities
Before you can consider what you should do in crisis situations, you must pin down the likely nature of the incidents that could befall you.
Many large companies have managers who are responsible for emergency preparedness. They analyze the risks their organizations face. They develop, constantly practice and refine, strategies to avoid those if possible, and respond to them if necessary. Small businesses may not be able to devote equivalent resources to crisis preparedness, but they should still do the best they can. And that means starting with the same question: What are the particular risks we face? Even if you are only trying to plan for your own family’s safety, with a pencil on a napkin, you should ask yourself many of the same questions.
Some vulnerabilities are location-specific. Ask yourself if you are close to potential targets such
as: nuclear power plants, oil or gas pipelines or refineries, airport approach paths,
military installations, icons of American culture or government.
That last category can be disconcerting to contemplate. I live in Atlanta, for instance, which is also home to Coca-Cola, CNN, the busiest airport in the world and the Centers for Disease Control. I like to think of these as benign, if not benevolent, institutions. But when I regard them through the eyes of an anti-American terrorist, they take on a different significance. What was the World Trade Center, after all? To most Americans, it was really nothing more than a huge office complex where thousands of people just like ourselves went to work every day. But to the perpetrators of the September 11 attack, it was a universally recognizable symbol of America’s economic power – and vulnerability.
Sometimes the location-specific issues can be subtle, and you must look a little
deeper: Who else has space in your building? Is one of the other tenants a government agency – or a firm that, because of what it does or where it operates in the world, could be a possible target?
Perhaps your plant is in an industrial park where, among your neighbors, is a facility that is vulnerable to attack because it manufactures something emblematic of American culture, or because its parent company operates in countries where there is hostility toward the U.S.
Other risks come not from where you are but from what you do. For example:Do you or your people travel frequently, passing through airports? Do you spend time in potentially unfriendly countries?
Does your work make you seem to be a personification of America in some way, as can be the case with people in the media? We know that Daniel Pearl, the Wall Street Journal reporter, was just a professional doing his job, and not an instrument of U.S. policy; the people from al Qaeda who kidnapped and beheaded him in Pakistan saw him differently.
Formulating Response Plans
Once you have taken a hard look at where you are and what you do, to analyze your vulnerabilities, you can begin to think through each possible scenario to plan how you would respond.
Again, it is critical – and might make the difference between life and death – to be thorough. When I considered my family’s response to that possible radiation release, I came to the conclusion that we should hunker down at home instead of hitting the road. But what would that mean, precisely? Airborne radiation would likely land on the roof of our house. So we would want to stay in the basement, keeping as many layers of material as possible between it and us.
But suppose there were a plume of poisonous chemicals coming our way, instead. We might opt to stay home instead of evacuating, for the same reasons. But most chemicals are heavier than air, and will sink to the ground. So in that event, we would probably be safest upstairs; we would certainly stay out of the basement.
It’s confusing. It’s frightening. And that’s only a single subtle detail. But this is the kind of thinking you must do to arrive at a response plan that will work for you. Companies can get help from crisis management consultants. Individuals will find a clear framework for thinking such issues through at a web site maintained by the Department of Homeland Security, at
http://www.ready.gov.
The more deeply you think through and prepare for these scenarios of terrorist attack, in advance, the less likely you are to make panicked and incorrect choices in such an emergency – and the less likely it is that you will be blindsided.
Bruce T. Blythe is the author of Blindsided: A Manager’s Guide to Catastrophic Incidents in the Workplace. As CEO of Atlanta-based Crisis Management International
(http://www.cmiatl.com), he heads a worldwide network of crisis consultants who have worked with hundreds of companies on virtually every aspect of crisis preparedness, response and recovery – helping shell-shocked executives pick up the pieces, and assisting employees, families, customers and stockholders to recover.
Assessing the Risks of Digital
Terror
By John Cloonan
Digital terror conjures up images of hackers unleashing vicious attacks against unsuspecting opponents’ computers and networks, wreaking havoc and paralyzing nations. While this is a frightening scenario, how likely is it to occur? What would the effects be on a potential opponent?
Recent experience has shown that during times of increased international tension, computer hacking activity often escalates. Attacks may have several motivations, but in times of international tension, they can be boiled down to political activism by either side, or criminal activity using the current crisis as a masquerade.
While computer network vulnerabilities are a serious business problem, their threat to national security tends to be overstated. Modern industrial societies are more robust than they appear at first glance, and in all cases, digital attacks are far less effective in disrupting infrastructure than physical attacks.
Studies have shown that in order for an infrastructure disruption to continue for an appreciable period of time, it must be attacked repeatedly – a single attack is rarely enough to disrupt critical infrastructure for an effective time period. By contrast, digital terror is likely to be in the form of a single attack. Once a hacker has gained access and performed the damaging deeds, the target of the damage quickly responds to close off the vulnerability allowing the line of attack, and frequently enhances other IT security. Hackers would continually need to find and exploit new vulnerabilities in an environment of increasingly heightened security.
Further, most infrastructure systems consist of multiple redundant systems in diverse areas, prepared for routine system failure and disruption. The US electrical power grid, as an example, is a highly interconnected system of over 3,000 public and private utilities and cooperatives. These power providers each use a variety of different technologies to control power generation and transmission. A hacker, or even a large group of hackers, would have to find vulnerabilities in multiple systems, and then coordinate their disruption to significantly disrupt the power supply even in one area of the country. Even then, an attack might only disrupt service for a few hours.
During times of potentially increased digital terror, companies should review their IT security policies and procedures, and instruct end users and system administrators of the importance of IT security.
Some of the most basic and effective measures include:
-
Use of firewalls
-
Update anti-virus software
-
Blocking access to potentially disruptive web sites
-
Filter suspicious e-mail attachments at the server level
-
Establish policies and procedures for response and recovery
Users should be aware that malicious code can be induced to spread rapidly by using patriotic or otherwise catchy titles, encouraging users to click on a document, picture or word which automatically spreads the damaging code.
With these protections in place, it is far more difficult for a hacker to access a company’s systems, either directly or indirectly, decreasing the likelihood of damage. For while it’s unlikely a digital attack could disrupt critical public infrastructure, the infrastructure of a single company could be far more easily effected.
Blythe chairs 2003 Corporate Security & Crisis Management Conference
Bruce Blythe will be chairing The Conference Board’s Corporate Security and Crisis Management Conference, held Monday, April 28, 2003 in San Diego, and Wednesday, May 21, 2003 in New York.
Blythe will also be presenting twice during the conference. The first presentation, The Anatomy of Crisis Management, will incorporate such issues as developing and implementing an effective crisis management system, aligning crisis management policies and procedures with corporate objectives, and converting a crisis management plan into a successful business recovery and continuity process.
The second session, The Human Dimension of Business Continuity and the Negligent Failure to Plan will be co-presented by Blythe and Terri Butler Stivarius, and Attorney Shareholder of Littler Mendelson, and will include information on the protection of employees, customers, suppliers and contractors on company property; the relative costs of implementation versus inaction; and critical privacy, civil liberties, legal, and liability issues.
Bruce Blythe is the founder and CEO of Crisis Management International, and the author of Blindsided: The Manager’s Guide to Catastrophic Incidents in the Workplace, published by Penguin Putnam.
For more information on the Corporate Security and Crisis Management Conference, please see the conference web site at
-
http://www.conference-board.org/continuity.htm.
CMI is the largest network of specially trained crisis management professionals dedicated to the human side of crisis. Our services include:
- Crisis preparedness: Foreseeable risks analysis • Crisis planning & implementation • Workplace violence training • Crisis management & threat response • Team training • Crisis leadership coaching • Simulation exercises
- Crisis response: Threat of violence consultation • Crisis response intervention & management counseling.
