The Governance Leadership Centre recently spoke to one of Australia’s most experienced counter-terrorism practitioners, Mark Carrick, about the implications of terrorism for Australian organisations and boards.
Mark Carrick GAICD is a former national capability adviser on counter-terrorism intelligence to the Australian Government’s National Counter Terrorism Committee. He is also the founding director of Global Business Resilience, a consultancy firm specialising in organisational strategy.
Governance Leadership Centre (GLC): How would you describe the external environment that Australian organisations are operating in?
Mark Carrick (MC): Society is probably facing its most challenging and complex era yet. There are more wars – many ongoing – and they are no longer “conventional”, geographically specific and reasonably contained, but instead cross many geo-political, social, religious and ideological borders.
One significant change has been in relation to the nature of some of the groups fighting. These groups often combine radical ideology and terrorist attacks with insurgency or even conventional warfare. They may draw support from communities with legitimate political or economic grievances while getting funding through criminal activities. Some control and govern territory while claiming to want to overturn the state system. They are as much a manifestation of instability in today’s world as its cause. In this complex and unstable environment, it is important to consider – what does this all mean for organisations, boards and directors?
GLC: Beyond the threat to nation-states, communities and individuals, how are Australian organisations specifically affected by terrorism?
MC: Terrorism appears in many forms and manifests itself in many ways that harm every element of society, including governments, businesses and citizens. Australian organisations may be affected directly and/or indirectly, including harm occasioned to an organisation’s infrastructure, as well as to its people within Australia and globally.
Cyber terrorism is also a significant concern today. Cyber attackers may infiltrate organisations’ electronic systems, with potentially crippling effects. These types of attacks may be direct, or indirect through third-party infiltration (for example, through a digital business partner). Attacks are used, for example, to delete data and/or fraudulently appropriate funds.
In late 2014, a large European-based multinational was alerted by its government to three significant state-sponsored attacks on its systems. The company had not previously seen itself as a likely target of a cyber attack, and it operated in a traditional industry that was not previously thought to be at risk of cyber attacks. The company had been relying on a fairly traditional security framework.
The company was lucky on this occasion and none of the attacks resulted in significant losses. The company believes that the attacker may have been interested in obtaining strategic intelligence regarding a particular sector that the company was operating in, or information on the consortium framework it belonged to for a specific project bid.
Organisations that have staff travelling overseas increase their risk profile, as the organisation loses control over the work environment. Employees travel on planes and other forms of transport in locations that may have unstable social and political environments. Employees may be targeted by local criminal syndicates, or be kidnapped for ransom to extort funding from the organisation.
For example, it was recently reported that a new ISIS-affiliated group in Egypt wants to capture western hostages. Other militant groups could also use the opportunity to abduct and sell hostages to ISIS. While this scenario is relevant to that particular geographic area, many examples are recorded annually of harm being occasioned to employees working overseas.
Insider threats should also be a real consideration for organisations, particularly given insiders’ relatively easy access to electronic systems and intellectual property. Insider attacks may lead to significant disruptions to business, reputational damage, and also impact shareholder/stakeholder confidence. Insider threat studies show that the majority of insiders that act against an organisation do not do so for terrorist or espionage purposes, but rather due to disgruntlement, revenge or criminal financial gain. However, trusted insiders can be extremely dangerous tools, as terrorists can leverage them to gain information or access premises.
The extent to which Australian corporations and organisations are affected by terrorism is related to domestic and global terror alert levels. In the current climate, organisations have to consider how to manage complex security-related variables on an unparalleled level.
GLC: What should boards be doing to respond to the threat of terrorism?
MC: Organisations and their boards have been considering the potential for a direct or indirect terror attack for almost 10 years now. Many have a good understanding of certain key risk factors.
However, we continue to witness the evolving and shifting methodologies of terrorists, who are continually seeking to counter efforts by governments and industries to prepare and prevent acts of terrorism, respond when faced with a threat, and ensure detailed and tested recovery capabilities. As a result, we are seeing far more pervasive adversaries who seek to identify and exploit the weakest points in our defences. It stands to reason that weaknesses in organisations’ security systems have and will continue to be exploited. It is therefore imperative for boards to consider future focused resilience strategies. A broad focus is critical – both on long-term and sometimes unseen or unknown threats requiring a more strategic approach, as well as on existing and near-term threats requiring immediate consideration and action. A risk strategy also needs to address both direct and indirect threats. Basically, boards need to help create organisational resilience to deal with fast-moving and ever-changing threat dynamics on a global, regional and local scale. This will help organisations to best ensure their long-term sustainability and growth.
GLC: Should organisations consider building security competencies at the executive and/or board levels?
MC: This is an interesting question, and there has been widespread discussion about board competencies across many areas including IT and security. A board should either have on the board, or maintain access to, people with appropriate security competencies to help inform strategic risk assessments. In terms of the executive level of organisations, we are already seeing a growing number of chief risk officers. This is a sign of the increased level of awareness and importance that boards and organisations are placing on maintaining clear and robust risk- management processes.
Managing risk is a critical part of what businesses do. It is the changing character, growing speed and apparent unexpectedness of events across the globe that is causing increasing uncertainty. An example of this is the Syrian refugee crisis, where terrorism has indirectly impacted on the global economy and created unprecedented levels of disruption to all sectors. Organisations should maintain the capability to prepare, plan, respond and recover as a normal operational function. The world currently has one of the most tumultuous environments ever witnessed.
Latest news
Already a member?
Login to view this content