Terrorism is often defined as "the systematic use or threatened use of violence to cause fear and intimidation with longer-term political and ideological goals." Among the definitions found in U.S. law, specifically, Title 22, Chapter 38, terrorism is defined as "premeditated, politically motivated violence perpetrated against noncombatant targets by sub-national groups or clandestine agents." But how does terrorism fit into a business continuity plan?
In the past, law enforcement agencies in the U.S., especially in major cities like New York City, were aware of terrorist organizations but did not focus closely on them. Following the events of September 11, 2001, this changed, and government agencies such as the Department of Homeland Security (DHS) were created to address terrorism and other threats.
Counterterrorism (CT) initiatives today are generally well-organized, with specialized organizations focusing exclusively on counterterrorism. Technologies such as security cameras and metal detectors support these efforts on a broader scale than ever imagined.
But where would we place a terrorist action on our disaster recovery (DR) emergency management timeline?
A terrorist act, such as detonating an explosive device, is handled generally the same as most other incidents on the disaster recovery management timeline. Immediately following the event, efforts are made to assess the incident and determine its severity, and potential for elimination, containment or expansion. If the terrorist action appears likely to continue and possibly expand, emergency management teams initiate procedures to evacuate people to safety and mitigate event severity, duration and impact. After that, the incident can be managed through to its containment and termination. If the severity and impact of the terrorist action is significant, such as the Sept. 11 attacks or the 1995 release of sarin gas in the Tokyo subway system, disaster recovery and business continuity plans may need to be activated. Many different organizations may be involved in a terrorist event, such as police, FBI, DHS and others, so coordination and communication are essential for success.
Terrorism's relationship to business continuity and disaster recovery planning
Counterterrorism and business continuity are usually in different chains of command within organizations. In most organizations, with a few exceptions, counterterrorism is not an operating function. Counterterrorism is usually associated with security and external public sector law enforcement agencies. And counterterrorism activities, similar to emergency management activities, usually precede business continuity/disaster recovery; inputs from counterterrorism professionals can be valuable to business continuity/disaster recovery (DR) staff, so that they can be aware of the types of disruptions that could occur, and from that develop appropriate recovery and restoration activities. As with BC/DR, counterterrorism professionals prepare, train and plan for situations that may or may not ever occur.
Counterterrorism professionals who deal with cyber threats should coordinate their efforts with IT security staff and ongoing initiatives. It may be possible and valuable for existing IT security staff to receive cyber security threat assessment training. It may also be worthwhile to assess the firm's potential for a terrorist attack, considering issues like physical locations, e.g., proximity to "soft" targets like hotels, and the type of business, e.g., one that serves ethnic groups that may be considered terrorist targets.
If the opportunity presents itself, counterterrorism professionals should periodically brief business continuity/disaster recovery planners and IT security staff on current threats. By establishing effective lines of communication and information sharing, the groups can provide added value to the organization. This can ensure that the groups are aligned with each other's goals as well as those of the organization.
One way to do this is to invite a counterterrorism organization, such as those operating in major metropolitan area police departments, to conduct a risk assessment and brief company management as well as security and BC/DR staff. Consulting firms with experience in counterterrorism, such as New Rochelle, NY-based Protective Countermeasures & Consulting can also be engaged to assess the situation and explain how to identify the warning signs of potential terrorist actions.
Business continuity/disaster recovery planners who have the opportunity to work alongside and collaborate with counterterrorism professionals -- both inside and outside the organization -- will be well advised to do so. Cross-training and rotating positions between the two organizations are useful ways to share experiences and to establish backup staff in case of an emergency. While most of a business continuity plan will focus on incidents that threaten company operations -- usually excluding the possibility of terrorism -- threats to employees from terrorist organizations should also be explored.
Counterterrorism professionals -- whether from the public or private sectors -- are trained in identifying a broad range of situations that could predict a terrorist action. They can analyze information from many sources and sift out data that collectively may suggest an impending incident. They are also trained to defuse an emerging terrorist action and mitigate the effects before the situation turns deadly. Like their counterterrorism colleagues, BC/DR professionals are responsible for protecting people, physical and information assets. Identify opportunities for collaborative projects, such as joint threat assessments, cyber threat assessments, surveillance techniques and information analyses. Periodic meetings of risk-related departments can reduce potential confusion in an actual emergency through better coordination and communication.
Standards and practices
Efforts have been made to develop counterterrorism diligence procedures and standards for federal, state and local governments. While the federal government continues to play the lead role in intelligence gathering and analysis, state and local governments, and the private sector have the principal responsibility for domestic security. So that all these communities can work cooperatively with DHS, there must be clear communications standards, guidelines and procedures in your business contiuity and disaster recovery plan. At the national level, the U.S. Counterterrorism Team provides a coordinated linkage with agencies in the White House, Departments of State, Defense, Treasury, Justice, Homeland Security, CIA, Director of National Intelligence, Agency for International Development and the National Counterterrorism Center.
Professional associations addressing terrorism and counterterrorism
Two organizations in the U.S. currently address counterterrorism efforts: the International Association for Counterterrorism and Security Professionals (IACSP) and International Counter-terrorism Officers Association (ICTOA). Both provide educational programs and conferences, publications, information on antiterrorist equipment, and networking among fellow professionals.
Overall, although the threat of terrorism may look like it's far away from your company, it's never safe to say you're not at risk for this type of disaster. Business continuity planners should adequately prepare and make terrorism and counterterrorism prevention an active part of their disaster recovery and business continuity plans.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.
This was first published in July 2010