Guidance For Organisations

Many hostile actors operator covertly, making it hard to discover their intentions and capabilities. Information about security threats is often incomplete and uncertain. Therefore, judgements about the nature and scale of protective security should be based on risk rather than threat alone. where reliable threat information is available, it should be heeded.

When assessing the security risk to staff, it is essential to develop a clear picture of:

• What is the threat and to which staff members? What are the circumstances when the threat is more likely to occur? 

 What is the vulnerability and exposure of the individual(s) to those threats?

• What is the harm and wider consequences of the threat, to both the individuals and the organisation itself?
• The organisation should consider what impact this threat might have on others within the organisation who are not being directly targeted but could become at risk due to their association with the organisation or high-risk individual.
• As part of the organisation’s security culture, all staff should understand safety and security policies and procedures, and their role in protecting the organisation and others.

Effective governance will include, for example:

• Having a senior responsible owner 
• Having risk management processes in place
• Having policies and procedures embedded, and their effectiveness regularly evaluated.

For more information, see NPSA guidance on Leadership and Governance for effective security strategies and Passport to Good Security for senior executives.

For example, if a member of staff has received several specific credible death threats, consider what support you will provide outside of the workplace. If a member of staff has been sanctioned by a state-backed organisation, consider what your position will be regarding work and personal travel.

Unlike many other areas of security risk, some security measures you consider may intrude on the personal lives of those affected. These may or may not be welcomed.

Personal security will primarily focus on informing and shaping your staff’s behaviours, so it is essential they:

• Understand the threat. Staff will have their own perceptions of the threat and you should be prepared for these not necessarily aligning to those of the organisation. It is important to listen and understand these and address any issues that could harm their safety and security.
• Recognise the importance of their role in in their own security. Staff are often most vulnerable when they are away from their normal place of work, so their own behaviours and levels of preparedness are critical. This may be uncomfortable for some staff, but it’s very important they understand this. Listen to their views and ideas regarding security measures and training – they need to buy into these and feel they are appropriate. It is important to be clear about "red lines" - measures that are so important they must be undertaken. 
• Recognise that complacency is an issue. Staff can suffer from “threat fatigue”, when they are regularly exposed to threat but it has not to date materialised into physical harm. In effect, it can become “normalised” and staff can become complacent. It is important that engagement with staff addresses this issue because it is often the case that the threat remained the same, but it is the individual's perceptions that have changed, and this can be dangerous.
• Feel confident in undertaking their role, in their training and in the security measures designed to minimise the risk to them.

Where necessary, this should be supported by training. Identifying and deciding what mitigations are appropriate is complex and it may be helpful to divide them into the following categories:

• Those that relate to organisational practices, such as:
  • Do individuals use their own personal devices on corporate IT systems? 
  • Are they mixing corporate and private lives through social media?  
  • How are threats communicated to staff?
• Those that relate to work locations, such as permanent, temporary, remote working, and public engagements.
• Work related travel. Are there any additional threat or vulnerability considerations? How will you know where your high-risk staff are and what support is needed?
• Staff behaviours and organisational culture. Are staff aware of the threat? Have they been trained to be vigilant and develop situational awareness skills? Do they know what to look for and what to do in the event of a security concern? 
• Those related to staff private lives such as personal travel, security at their home, home IT, personal devices, use of social media etc. See plan ahead guidance for more information.

These should be assessed at a “case” level and across cases, to help spot trends. Hostile actors are often covert and use a variety of means to target individuals online and in-person. It is important that all relevant departments in your organisation are engaged in the process, including Human Resources, Physical Security and Information Technology and Cyber Security.

Employers should also share guidance with staff that can help them to understand what they need to do if an incident arises and reinforce the message that if it is an emergency, if they are in imminent danger or a crime is being committed, they should phone 999.

Consider whether your employee assistance programmes are appropriate to support staff at heightened risk. Ensure procedures are in place to help those who are impacted by the threat, either directly or indirectly. Staff will benefit from advice, information and support on the issues they face, as well as provisions such as psychological first aid and compassionate leave in some circumstances.

Having welfare support in place is important for staff who may be feeling the stresses of a potential threat to them and their families, as well as in the aftermath of an incident.

Consider using NPSA’s Personnel Security Maturity Model as a method of evaluating how things are going – this can be tailored specifically to address personal security issues.