Tips for Developing a Comprehensive Risk Assessment

As organizations move into 2023 and 2024, new risks continue to surface, and security teams must be prepared to respond to and mitigate potential threats to people, operations, and assets.

Organizations in the United States will continue to face increased risk from natural disasters such as wildfires in the West, tornadoes in the Midwest, and hurricanes in the Atlantic Basin.

Increased losses from natural disasters can be attributed to several factors, including development in hazard-prone regions and climate change. Organizations must be prepared to mitigate and respond to natural hazards, including by building in redundancy, limiting single points of failure, and retaining the ability to shift operations elsewhere.

Additionally, organizations must prepare for increasing human and technological risks, such as active threats, corporate espionage, cyberattacks, terrorism, and infrastructure failures.

Many organizations continue to see an increase in attacks on critical infrastructure that supports corporate and government operations. Continuous efforts must be made to ensure that risks are properly identified and appropriate mitigations are taken to minimize potential losses.

A defense-in-depth posture deploys a layered approach to security that combines people, process, and technology to protect assets. Companies and government entities should develop a layered security approach to help detect, deter, and respond to human and technological risk.

Conduct a Tailored Risk Assessment

While many industries face the same natural hazards due to geography, technological and human risks can vary widely by industry type or facility use.

Because of this variety of potential threats, security practitioners and risk assessors should adapt how they conduct their assessments. A one-size-fits-all assessment that does not account for business operations and industry-specific threats is unlikely to give customers what they need to properly mitigate potential vulnerabilities.

Instead, assessments must be tailored to the systems and operations of the organization being assessed and take an all-hazards approach.

Developing a comprehensive list of threats that could impact operations is the first step in assessing enterprise risk.

Once threats have been initially identified, establishing a review radius around each assessed location will help refine the potential human and technological risks within the operational area.

Next, review the assessed site's demographics and operating environment against open-source and proprietary data to ensure all potential threats are properly identified.

A follow-up on-site review to verify the collected information is always recommended, to confirm that the source data is correct.

In many cases, the initial list of potential threats identified by the organization fails to include the human and technological risks of operating within the defined review radius.

For example, a facility operator's failure to identify critical infrastructure (e.g., pipelines, substations, rail lines) or hazardous-materials facilities (e.g., chemical manufacturers, oil storage facilities) operating within the same geographic space could lead to facility impacts, including the need to shelter in place or evacuate.
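The review-radius step above is easy to do by hand for one site and error-prone across many. The following is an added example (not code from the original article): it screens a constructed list of nearby infrastructure and hazardous-materials facilities against an assessed site using great-circle distance, keeps only those inside an assumed review radius, and reports which hazard categories the organization's initial threat list omitted. All coordinates, facility names, the 8 km radius, and the initial threat list are constructed for illustration and do not describe real sites.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0  # mean Earth radius used by the haversine formula


@dataclass(frozen=True)
class Facility:
    name: str
    category: str  # e.g. "pipeline", "substation", "chemical manufacturer"
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def hazards_within_radius(site_lat, site_lon, radius_km, facilities):
    """Return (facility, distance_km) pairs inside the review radius, nearest first."""
    hits = []
    for f in facilities:
        d = haversine_km(site_lat, site_lon, f.lat, f.lon)
        if d <= radius_km:
            hits.append((f, round(d, 2)))
    hits.sort(key=lambda h: h[1])
    return hits


def missing_threats(initial_threats, hits):
    """Hazard categories found inside the radius that the initial threat list omitted."""
    found = {f.category for f, _ in hits}
    return sorted(found - set(initial_threats))


# Constructed sample data (hypothetical site and facilities, not real locations).
ASSESSED_SITE = (40.0000, -75.0000)
NEARBY = [
    Facility("Riverside substation", "substation", 40.0200, -75.0100),
    Facility("Northline pipeline valve station", "pipeline", 40.0450, -74.9800),
    Facility("Acme chemical plant", "chemical manufacturer", 39.9600, -75.0500),
    Facility("Eastern rail yard", "rail line", 40.0800, -74.9000),
    Facility("Harbor oil terminal", "oil storage", 40.1500, -74.8000),
]
# The organization's own first-pass list: natural and human threats, no co-located hazards.
INITIAL_THREAT_LIST = ["wildfire", "tornado", "cyberattack", "active threat"]
REVIEW_RADIUS_KM = 8.0  # assumed review radius for this example

if __name__ == "__main__":
    hits = hazards_within_radius(*ASSESSED_SITE, REVIEW_RADIUS_KM, NEARBY)
    for f, d in hits:
        print(f"{d:6.2f} km  {f.category:22s} {f.name}")
    print("Omitted from initial threat list:", missing_threats(INITIAL_THREAT_LIST, hits))
```

With these inputs the substation, pipeline station, and chemical plant fall inside the 8 km radius while the rail yard and oil terminal do not, and none of the three categories appears on the initial threat list. In practice the facility list would come from the open-source and proprietary data sources mentioned above, and the on-site review would confirm that the records are current before the categories are added to the threat list.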

Understanding the overall threat landscape will allow security teams to properly develop mitigation strategies to help minimize operational impact and improve the ability to restore operations.

Review Controls

Once assessors have properly identified threats, the next step is to review the controls the organization has in place to protect facilities and assets.

This step includes examining measures to harden targets, means deployed to detect and delay potential threats, and operational processes for responding to threats. Standard mitigation measures for most organizations include physical barriers, security technologies, and security policies and procedures that minimize the potential for impacts to the facility and help occupants respond appropriately to incidents.

This review takes a balanced approach to ensure that intended operations can be maintained without compromising security.

Physical security controls in public or semi-public spaces, such as schools or houses of worship, take a very different approach than security controls in controlled-access facilities such as data centers or power plants.

Security professionals conducting risk assessments must consider how the facility being assessed will be used, so that existing (or proposed) controls will operate successfully. It is therefore crucial to create an assessment template that accounts for the type of facility use and the people who occupy it.

Security professionals must take a balanced approach and conduct proper research before undertaking a facility risk assessment. Creating a distinct assessment for each type of facility use will yield the best results for your organization, and considering all potential hazards is what determines the threats a facility may face.

A complete document review and on-site review of the facility will yield comprehensive results and give the facility operator a holistic view of the risk environment from which to develop mitigation strategies that minimize losses.

Source: blog.csdn.net/qq_29607687/article/details/132288158