On September 21, 2013, a group of terrorists attacked the Westgate shopping mall in Nairobi, Kenya. After the three-day siege, more than 60 civilians had been killed and 175 wounded. Insurance claims were estimated to be as high as 10 billion Kenyan shillings (approximately $160 million), representing a third of all insurance claims in the country that year, according to Kenyan regulatory authorities.
The Westgate mall had private security guards, central monitoring, physical barriers and other security measures and was located in a relatively stable area. How could this kind of attack happen in such a relatively secure high-density urban area? The New York City Police Department (NYPD) was so concerned by the attack that it conducted its own investigation, which was released in mid-December 2013.
The NYPD’s report characterized the local authorities’ response as confused and delayed at best. Kenyan authorities initially claimed that the attack was carried out by 15 heavily armed assailants. The NYPD investigation, however, suggested that it could have been the work of only four lightly armed attackers, all of whom may have escaped after only 12 hours.
According to the NYPD, the Kenyan Army shot its own unmarked police officers entering the mall, and the heaviest damage may have been caused by the army’s use of anti-tank missiles and rocket-propelled grenades. The lesson of the report is clear: the mall was on its own. These commercial urban targets must depend upon their own security and preparedness to avoid becoming the next terrorist battleground.
Despite the fact that the Westgate mall was in a crowded urban area, remote locations are no safer. In January 2013, a group of terrorists took more than 800 people hostage at a gas plant near In Amenas, Algeria. Algerian special forces eventually took back the plant, but not before up to 40 civilians were killed. Few details are known about the security force preparations and response, but there have been allegations in the press of lax plant security. The facility owner said that the Algerian government was responsible for securing the exterior and, since it depended upon those forces, it did not employ armed guards. According to reports, the security protocol for a terrorist attack was simply to “hide in offices or bedrooms, turn out all the lights, close all the windows and doors, get under the bed, stay hidden and wait.” There were no indications that there was a rally point or secured area to which workers should retreat.
These types of attacks on private commercial targets are certainly a wake-up call for companies operating in foreign locations. To be ready, risk managers need to consider implementing effective physical security safeguards in these facilities. One way managers can protect both facilities and employees is by understanding formal security processes and strategies and incorporating these lessons in personal practice.
Assessing Security Risk
To develop an effective security plan, first assemble a planning team. Optimally, this includes a mix of risk managers and professional security personnel. It is their responsibility to evaluate existing physical security, conduct a threat assessment, implement the security plan, train personnel and continue to survey and inspect the facility to be sure the plan is implemented correctly and effectively. Once the physical security plan has been synthesized, outside consultants that were not part of the planning process should test assumptions, plans and responses in order to avoid “groupthink”—where participants all agree with the plan and overlook its weaknesses.
One of the most important steps in plan development is threat assessment. Risk managers do not always have access to enough information to develop an informed analysis. However, local law enforcement and governments are usually willing to share their threat assessments with responsible parties, especially for natural disaster risk and preparedness.
If such information is not available from the host nation, military attachés and other law enforcement personnel at U.S. embassies around the globe can be an invaluable resource regarding potential threats. These dangers generally fall into the following categories: hostile intelligence gathering/commercial espionage, paramilitary forces, terrorists or saboteurs, traditional criminals, protest groups, disaffected persons, the stability and transparency of the host nation, and natural/man-made disasters. The greater the likelihood, skill and size of these threats, the more precautions will be necessary at the facility.
An additional consideration is the nature of the host country’s government. Can local forces or contract guards be trusted, or will they flee at first sign of trouble? Obviously, facilities located in countries with unstable, corrupt or incompetent governments will increase that risk. Paramilitary forces, terrorists and saboteurs could be directed to a commercial facility by a foreign state or terrorist group pursuant to its geopolitical or ideological policy. Criminal elements will be attracted by the value of the material in the facility. Protest groups may be prevalent at a facility involved in a line of work with perceived negative environmental or political consequences.
Hard and Soft Targets
Both criminals and terrorists are sensitive to targets of opportunity that are poorly defended, also known as “soft” targets. Terrorists and criminals carry out significant preliminary surveillance on prospective marks to determine which are least resistant to attack. Protective measures employed by government (“hard”) targets drive terrorists toward civilian targets like Westgate, where they face less resistance and can cause more damage. The goal of any physical security plan is to avoid being perceived as a target of opportunity.
In November 2008, more than 160 people were killed and 300 wounded in a series of coordinated shootings and bombings across Mumbai, India, over a four-day period. These strikes demonstrate how terrorists can take advantage of inadequate threat assessments and the presence of soft targets. The attacks, which took place in restaurants, hotels, train stations and taxis, serve as a reminder that terrorists are capable of carrying out complex offensives on multiple targets from unexpected directions.
Later analysis revealed that the Mumbai attacks were facilitated by targets’ business requirements for open access, an inherent security challenge that created vulnerability. The hotels that were victimized had believed they were protected from a coordinated attack by their proximity to other businesses and the lack of buffer space (an area from which to launch an attack). As a result, the hotels had no plan and no response.
With no buffer space, the terrorists instead attacked by water, as their targets were located near the coast. Analysis by major law enforcement and anti-terrorism agencies indicate that there was no resistance at all. The targets were large, public and known to be unguarded.
Perception itself can provide substantial deterrent, so commercial facilities’ physical security appearance should be constructed to dissuade a would-be attacker. Barbed wire, fences, ditches and jersey barriers may not be aesthetically desirable, but they are effective. Consider coordinating with federal, state and local agencies or those in the host country, assuming they are trustworthy. Even adjacent facilities can be valuable allies with which to exchange information on threats, operations and action plans to enhance a facility’s security.
To be scalable and flexible, there should be contingency plans that permit a facility to increase physical security measures and personnel based upon changes in perceived threat levels. This can be as simple as adding additional, better-armed guards and increasing the frequency of their patrols and density of positioning.
Protecting the Facility
The most vulnerable part of any facility is its entrance. All entry points should have layered levels of protection. Defenses need to increase closer to the building, a practice known as “defense in depth.” Both physical layout and manpower around the entrance are critical, as is a procedure issuing security identification badges to employees and visitors. The badges have little value if the process to obtain them is easily fooled or the system is not secure. Further, if it is easy to fabricate an excuse to enter without appropriate security identification badges or there are too many exceptions to the rules, they will lose their value as protective measures. Badging and security protocols must be stringent and consistent to be effective.
Physical security officers themselves must be appropriately vetted and compensated or their services may be ineffective or vulnerable to bribery. Security personnel need to be present in force in vulnerable areas. Access to the security control center should be restricted through hardened electronic and physical access control systems. Otherwise, the control center could become the terrorists’ tool, as allegedly happened at the Westgate mall. With monitoring, electronic access systems and identification cards, areas of the facility can be segregated and access restricted based on the activities in that area and an employees’ need to be there.
Facility systems should integrate physical protective measures—barriers, lighting and electronic security systems—with counterterrorism practices and procedural security measures utilized by both the employees and guards. Facility protective measures consist of site work elements for everything more than five feet from the building, which can include perimeter barriers, land forms and standoff distances. The buildings are protected by their own structural elements, such as walls, doors, windows and roofs. Any weakness in these may permit unwanted entry.
An important security consideration is stand-off distance, generally considered to be a minimum of 50 feet. No vehicles should be permitted closer in order to protect against a hidden bomb—one of the most effective modes of attack. For example, after being denied entry to the building, attackers in the 1996 Khobar Towers bombing in Saudi Arabia parked their gas tanker truck, filled with the equivalent of 30,000 pounds of TNT, next to a perimeter fence closest to a building housing U.S. military personnel. The Air Force building was located 22 meters from the fence line, which was reinforced by jersey barriers. The shockwave of the explosion was so intense that windows were shattered within a one-mile radius, but the jersey barriers channeled much of the blast upwards, perhaps preventing a total collapse.
Acting and Reacting
As important as it is to understand the risks and prepare before anything occurs, it is also imperative to establish a protocol for what happens during an attack. Reaction plans should identify the persons in control of operation, execution and after-action reporting. The chain of command should be clearly identified and disseminated to employees and to those other individuals responsible for executing the plans. Quick decision-making will be required—this is not a job for a committee.
In the case of the Khobar Towers bombing, the members of the U.S. Air Force residing in the building had practiced responding to an attack. Personnel on the roof recognized the threat when a vehicle was turned away from the entrance and then circled back toward the building. The sentries had begun an evacuation by the time the bomb exploded and, although 19 servicemen were killed, many more of the building’s personnel were safe inside a stairwell constructed of heavy marble located on the other side of the building away from the bomb—probably its safest point. The sentries’ authority to quickly order an evacuation was obeyed without question by the higher ranking personnel, demonstrating a flexible chain of command.
Unfortunately, not all facilities are as well prepared. At both Westgate and In Amenas, terrorists were able to penetrate the facilities with little resistance. In Westgate, they walked through a shopper entrance. At In Amenas, the terrorists entered through a gate. Westgate did not have any entry barriers for customers, only limited vehicle protection. Certainly, intrusion detection systems or hand-activated alarms could have been installed to alert the workers that an attack was imminent or underway. This might have allowed retreat to a defensible central position.
In the aftermath of these tragedies, the question remains if anyone performed an analysis on the security vulnerabilities at the Westgate mall or the In Amenas gas plant and whether testing the assumptions for attacks on these facilities would have led to better security. While planning considerations cannot eliminate all danger, by placing more focus on developing better security assessments and procedures, risk managers can at least identify threats and prepare safeguards to minimize the damage.