Q. One of my areas of responsibility is developing an action plan for dealing with activists groups. With the intent of minimizing the risks that these groups could potentially pose with regard to disruption, can you give me some pointers on evaluating and disseminating strategies that would minimize disruption and promote a safe environment during this type of activity or event? From an information security standpoint, what are the potential risks of monitoring these groups on the Internet?
A. Consider classifying potential activists as “groups or individuals with interest.” Agendas may vary from influencing your organization to stopping it in its tracks. Tactics can range from socially acceptable civil intercourse to criminal intimidation. It is important to approach any potential contest objectively. Any issue that rises to the interest of a public forum should demonstrate principled conduct that is informed by your organizational mission and values.
Activist entities often consider themselves as “change agents.” Their appeal for an audience will cover a wide range of potential stakeholders from your customers, employees, management and the Board of Directors. Typically activists demand action based on perceived moral or ethical grounds. Demands for action, including amending or abandoning existing processes, may be outlined based on fact, misinformation or a combination of both.
Anticipate a public relations opportunity by assessing the demand with a cross-functional team comprised of communications, legal, operational and security representatives. Drafting a position document that analyzes the activist group’s request for change on merit puts management on the same page. Communications may be privileged. Risks and benefits should be surmised for options. Security's role is commonly diligence and risk mitigation.
Do Your Homework:
1. Assess the demand. Consult with law enforcement if demands are perceived as criminal threats implying harm to individuals, assets, business dependent processes or reputation. In the United States interstate restraint of trade will typically be in the domain of the Federal Bureau of Investigation. Collect all communications from or to the group or individual, including customer service contacts.
2. Assess the group. Groups and individuals that have an interest in your organization typically have a history. The Internet has a wealth of resource material from organizational and personal site listings replete with photos, friends and associates. Caution should be exercised by only employing an ethical, licensed and insured investigative entity that can gather legal information without attribution. Proprietary investigators may undertake the same objective course of action. Site interest translates to encouraging rather than discouraging interested parties. Searches of subjects including suit, arrest, disruption, protest, harassment or trespass may yield a quantity of publicly available information. Stakeholders should refrain from investigating groups or individuals of interest within the organization's IT network.
3. Attempt to follow activists’ communications and action solicitations. Action planning by adversarial groups is often a membership draw for similarly inclined individuals. Meetings sometimes outline tactics for business disruptions ranging from boycott action to pamphleteering and street theater including provocation of management representatives or law enforcement for arrest publicity.
4. Consult peer organizations and law enforcement for factual intelligence that may not be publicly available. Benchmark the experience of other organizations including best practices. Risk mitigation tactics will be formed by event history. For instance, action history may range from inundating the head office with pre-paid customer comment cards to denial of service attacks on servers and telecommunications. Operational disruptions can include impeding opening and closing offices by malicious destruction (from window smashing to graffiti message tagging and intimidation of personnel) to “street theater” that precludes service offerings.
5. Design or revisit existing countermeasures that address the known risks. Access control and exceptional suspicion or risk reporting are valuable capabilities. Increased preventive patrol by security services or local law enforcement is recommended before, during and after planned events. Public meeting precautions may include counter-surveillance and credential, bag and coat checks. Management briefs on potential conflict issues and countermeasures should include meeting decorum requirements to allow dissenters to civilly express a view, the company’s preparation to address it on point and advise the person of follow-up. Contingencies to have personnel close by to take an issue off-line, warn for trespass or lawfully remove obstructionists under the color of authority are recommended. Public microphones and address systems should be secured to prevent misuse. First responder personnel may be pre-staged to assure medical and public safety intervention if required.
6. Apprise potentially affected personnel of threats with relevant precautionary security measures. Brief need-to–know information to stakeholders on the range of action employed by known groups. Personal and family security of key personnel including board members may be advisable with the ready availability of household information. Mail, package and service delivery security scrutiny at the office and home may be required with the usual access control capabilities. Protective personnel for public engagements may be considered to ensure uninterrupted transportation and avoidance of public embarrassment or injury. Coordinate public and private investigative resources and countermeasures that will document any criminal action for prosecutorial accountability.
7. Don't assume that groups or individuals with interest are unsupported by your stakeholders. Adversaries of record may also be your shareholders. Inaction for responding to unreasonable demands may allow groups with interest to frame the issue. Interests from animal welfare to environmental and other perceived social responsibilities may be shared by clients, employees and other stakeholders. Relevant communications must be above board, factual and tempered for unintended disclosure to the public. Authorized use and dissemination of information should be clearly embedded in policy with known accountabilities for violations.
8. Do not act unilaterally without cross-functional consultation. Ethical organizations cannot afford the appearance of an overzealous security group. Your service level agreement should automatically enable precautionary diligence and security risk mitigation reminders that reasonably protect people, assets and dependent processes.
Bottom line, coming together before an event to identify roles and responsibilities will serve your organization well.
Answer provided by Francis D’Addario, Security Executive Council Member Board of Advisors. Sign up for notification when his new book, "Not A Moment To Lose... Influencing Global Security One Community at a Time," is available to purchase at https://www.securityexecutivecouncil.com/sec/fdbook/