crises manager
TRANSCRIPT
Crisis management for special
security incidents
Guidelines
- For internal distribution only -
Issue 2004
Imprint
Published by:
Corporate Security OfficeD-80333 Munich, Wittelsbacher Platz 2
Management: Norbert WolfTel.: +49-89/636-34220Fax: +49-89/636-33505
E-mail: [email protected]
Intranet homepage: https://intranet.cso.siemens.de
2
Contents: Page(s)
1. Why crisis management? 4-13
1.1 How serious is it and how does it affect me? 4-5
1.2 What can lead to a security crisis? 6-7
1.3 Could I be affected by a crisis; how well 8-13am I prepared?
2. Crisis management in practice 14-32
2.1 Early recognition of possible crises 14-15
2.2 Risk analysis and risk evaluation 15-16
2.3 Advance planning and organizational preparations 17-29
a. Stock-taking and data management 17-18
- Software tool "Emergency Planning, Security"; aids for preparing
for and implementing local crisis management
b. Crisis management team 19-21
- Organization of a crisis management team
c. Functions and tasks in the crisis management team 22-29
- Manager 22
- Documentation and information 22-23
- Crisis communication, press and PR work 23-24
- Consultants 25-26
- Logistics, supply and technology 27-28
- Negotiations 29
2.4 Competence through training 29-30
2.5 Preparations for crisis situations. Instructional notes, 31
plans and checklists
3
1. Why crisis management?
1.1 How serious is it and how does it affect me?
From all the reports we receive in the media about the various
flashpoints around the world and the security incidents, some
spectacular, that have taken place in so many different countries we
could be forgiven for believing that crisis management was a matter
purely for politicians and the security services.
This simply is not the case, as actual practice shows. Crisis
management is an issue that affects the company throughout the
world, day in day out, and one that is very real. Examples of security
incidents that have led in the past to crisis management include
blackmail, protection rackets, bomb threats, know-how leaks,
abduction and unrest.
Factors affecting corporate security
4
Economic changes
Globalization Global networking Increased
competition Cost pressure
Political/social causes
Contentious issues
General shift in values
Open borders
Ethnic/religious conflicts
Minorities Religious
fundamentalism Pseudoreligious
groupsPolitical radicalism
Escalation of the security situation
Economic espionage Violent crime Information warfareOrganized crime Terrorism / extremism Cyber crime
It can affect anyone any time:
With our presence in more than 190 countries throughout the world
and an information and communication infrastructure that covers
virtually every part of the globe, our company is exposed more than
ever before to a complex spectrum of threats to our security.
No manager is exempt from being confronted with emergencies or
security crises at any time, in any place and in any way. And then
they have to make the right moves, in most cases under enormous
pressure.
If you are suitably prepared for a security crisis you are more likely to
react appropriately and therefore help prevent or limit the damage.
Statutory obligation: A lack of crisis prevention measures
may have consequences under civil or criminal law for the
company and for its employees in positions of responsibility.
Key words here are: security obligations, organizational
negligence and laws governing control and transparency in
the corporate sector.
References: At this point we should like to refer you to the
Risk Management Guideline from CF T 4 (Corporate Risk
Management), the communication guidelines of Siemens AG
(Z-Circular No. 11/2001) and the " Industrial Disaster
Prevention Regulations" (BKO) issued by CT ES FD.
5
1.2 What can lead to a security crisis?
There are many events that can develop into a crisis. Here are just a
few examples:
Data theft and manipulation with blackmail involved
Loss of data through negligence with an adverse PR effect
Smear campaign
Abduction, hostage-taking, hijacking
Blackmail and protection rackets
Bomb threats
Sabotage
Bomb attacks
Fire, catastrophe
Illegal stoppages/strikes/demonstrations
Product piracy
Contamination of food
Accidents involving injury/death, considerable material damage or serious repercussions for the local population, employees and/or the environment.
Business trips and projects in countries with high security risks.
6
Of increasing importance in "security-related crisis management" are the risks associated with the global networking of information and communication systems. These risks include:
virus attacks
hacking
"cyber crime" and internet criminality
economic espionage
Case study/headlines:
International hackers break into US Defense Department computers.
Hacker changes patient records on hospital computer.
I love you virus cripples three million computers around the world.
Online banking data found on the internet.
CD-ROM with Siemens data for sale on the black market.
More and more such incidents also involve blackmail. These "new
risks" find enormous resonance in the media and may involve not
only financial damage but also loss of confidence among customers
and business partners.
7
1.3 Could I be affected by a crisis; how well am I
prepared?
Various security incidents cannot usually be handled with the
organizational structures and resources provided for "normal
everyday business" and therefore require crisis management.
Crisis management begins with a systematic review of the current
situation, progresses to the definition and evaluation of the risks
involved and leads to the development of timely and appropriate
reactions to various crisis scenarios. In actual practice, this means:
Considering realistic threat scenarios at a very early stage and
then analyzing and evaluating the possible risks.
"Early warning system": What is the security environment
in which my unit operates? What are the conceivable and
probable crisis scenarios (serious software theft, strategic
insider information leaked to the media, blackmail, smear
campaign, and so on)?
Preventative risk evaluation: What are the potential risks of
the scenarios for people, processes, the infrastructure and
my business overall?
Status of prevention: What preventative security measures
are being taken in my unit? Are they adequate in view of the
risks? What more needs to be done?
8
Creating the framework for rapid and appropriate reaction -
emergency planning.
Creating alarm plans and communication lists: How do I
get in touch with someone from the legal department on a
Sunday? Which emergency services (power supplies,
medical, telecommunication, and so on) are available and
accessible in an emergency? Which projects are running
where in the country; how many employees of which
nationalities are involved; how and above all how quickly can
I contact them?
Structure of a crisis management team: A highly trained
group of employees capable of handling various scenarios.
Reviewing strategies for crisis management: Can incident
plans be devised to deal with the various crisis scenarios?
Who does what, when and how? What resources are used?
How prepared are you for dealing with serious
security incidents?
Read the following case studies and see how you would fare.
How well could you cope with the following crisis scenarios? The
case studies are based on actual incidents. We have simply changed
the names to preserve anonymity.
9
Case study 1: Blackmail
You are head of the B. Division. Your secretary receives a fax from country C. The fax reads as follows: I have in my possession a number of PCs from authority XY. Your company supplied these PCs and you were asked to dispose of them after they had been replaced.
Well now I have hold of them. They contain sensitive data stored by authority XY. I think it's worth US $ three million not to tell authority XY or leak this story to the press. You have one week to think this matter over. I will be in touch again.
Does the blackmail note sound convincing? Has the company had dealings with authority XY? What was the nature of these dealings? Were PCs supplied to the authorities? Was there a request to dispose of the PCs? Does the company have any links to country C?
What are the contractual requirements relating to any disposal request? Who is responsible for data backup/destruction of hard disks?
How sensitive do you think the matter is? Should you use a scrambler on the phone? Do you have the necessary hardware to scramble calls?
Whom do you think you should tell? Who absolutely needs to know? Who can help? Corporate Security, Corporate Communication, Legal Services, Key Account Managers, authority XY?
Who is the best person to speak to in authority XY? Should this person be told? If so, at what stage? Who should tell him/her?
Do you need to call in the security services? Is it best to let them know immediately? Do you know someone you can trust?
Who will be handling the next call? Do you have someone suitable in your team? What strategy will be adopted? Who will be drawing up this strategy?
10
Case study 2: Know-how leak/blackmail
You receive a letter from a person unknown stating that he has information that a complete forgery of one of your products will shortly be appearing on the market. The forgery looks convincing but the quality is extremely poor and there are risks involved in using it.
The forgers indicate that they have gained insider knowledge from your unit. The letter is accompanied by a sample of the forgery for your inspection.
The author of the letter is demanding US $ ten million to hand over detailed information. He also threatens to go public unless his demand is met within one week.
Should the threat be taken seriously? What does the sample contain? Who in your unit can find out quickly?
Should the police be called in? What is the legal position? Who knows someone they can trust to talk to?
What will be the effect on your customers if they can buy a product with identical features for less? How will you deal with this problem?
Where might the insider information come from? Who in your Group can carry out the necessary investigation?
What might the consequences be for the image of your Group if the public were to find out that your development know-how is not adequately protected? Would you be prepared for this? What specific action should you take?
Which corporate offices in the company should be informed? Legal Services, specialists in patent law, Corporate Communications, Corporate Security?
11
Case study 3: Attack, kidnapping, blackmail
You are the sales manager for Region XY within the AA Division. At present you are responsible for an installation project at a river delta in the jungle of "Backofbeyondland".
It's Sunday and you receive a call from one of the 20 European project workers working on the site.
He is extremely agitated. He tells you that an hour ago they were attacked by a group of jungle fighters. Three local security men were killed and the site manager, who works for your unit, has been kidnapped.
The leader of the jungle fighters has threatened to kill the site manager within 24 hours unless the company provides someone in authority to listen to their financial and political demands. The leader intends to renew contact with Siemens in 24 hours through a messenger.
Do you know the project details? How many employees are definitely in the area (age, nationality, next of kin)? Are they all on site or are some working elsewhere in the country? Where is their accommodation located? How can they be reached– communication links, message paths? Who can give you all this information within a reasonable time?
Does the project have a security concept? Security personnel, security equipment and facilities, evacuation plans, transfer options, nearest military base? How reliable is the local government, how reliable are the security forces?
Who is now empowered at the site to make decisions? Have any contingency agreements been made?
Who do you need to inform within the company? Do you know the relevant emergency numbers, for example of Corporate Security?
12
Case study 4: Abduction
You are the HR manager of a Regional Company. The head of your company, Mr X, is visiting an important customer. His second-in-command, Mr Y, the Commercial Director, is on a business trip abroad. It is 5 o'clock in the afternoon. Mr X was due back two hours ago and cannot be contacted on his mobile phone or car telephone. You ring the customer, who tells you that Mr X drove off about two hours ago. It is now quarter past five. Your switchboard receives a call from a person who declines to give his name. The caller claims to be holding Mr X and demands to speak to someone in authority. He says he will call back at six o'clock.
Are you convinced that this is not a sick joke? Did the person who received the call hear correctly? Does your switchboard have a recording facility or a checklist for logging and dealing with suspicious calls? Are your staff sufficiently well prepared from the security point of view to deal with such calls?
Who do you have to inform immediately? The parent company, the police, the man's family? Who informs whom and how? What do you say? Is there someone in the relevant authorities that you can speak to in confidence? Do you call in the German Embassy?
Who will take the next call? Who should negotiate with the suspected kidnapper? Are the police reliable and will they take over as negotiators if the kidnapping is genuine? Are there any reasons why you and your appointed team would have to handle the negotiations? Are there suitable employees you could turn to? In the absence of the boss and his second-in-command, who is authorized to take decisions?
Which members of staff do you need to handle this crisis as it begins to unfold? What characteristics are you looking for? Are the right people available? Do you have the means of getting in touch with them? Who will alert whom and how?
Is there a strategy in place for starting possible negotiations when the next call is received? How will you behave? What will you say to the kidnapper if he demands a large ransom? Do you know the legal position with regard to negotiating with kidnappers or paying ransom money?
13
2. Crisis management in practice:
There is no "patent recipe" for managing a crisis. In actual practice,
however, various basic patterns and procedures have proved to be
successful. These are presented below.
2.1 Early recognition of possible crises
If only we had noticed earlier .............
Crisis management starts before the crisis starts. The ability to detect
potential crises calls for an in-depth knowledge of the security
situation in your area of responsibility.
America, Asia, Europe, Africa - different countries, different customs.
It is not only the security risks that vary from country to country. The
political and social environment, the legal framework, the infra-
structure and possibly also the skills and reliability of the local
authorities call for separate assessments and preparations for each
country.
If there is no full-time security officer it is best to appoint an employee
(and two deputies) who will devote some of his or her time to security
and crisis management. The tasks of such an appointee may include
the following:
Producing a security analysis
Reporting to management
Collecting, evaluating and forwarding information
Acting as a contact in security matters for internal departments
and outside agencies
14
Practical experience has shown that in order to build up an objective
picture it is best for Operating Groups, Regional Units, support
centers and projects abroad to cooperate closely with Siemens
headquarters. Corporate Security with its contacts to international
security authorities and -consultants can lend vital support.
2.2 Risk analysis and risk evaluation
What are the security risks in your area of responsibility (e.g.
Operating Group, Division, Regional Unit, site, project or factory)?
How well are you prepared for possible emergencies?
You may find it helpful to have a questionnaire that has been tailored
to your particular circumstances. Such a questionnaire may contain
the following questions:
What is the security situation in the country (e.g. political and
social developments, crime levels, kidnapping risks)?
What do I do if confidential strategic information is regularly
finding its way into the press?
How should I react if someone offers me confidential
documents from my Division?
15
What should I do if workers go on strike and shut down
production in my factory?
Where are all the various projects taking place? How
exposed are they from a security point of view? What
protection measures have already been taken (e.g. fire,
buildings, know-how)?
In the event of an emergency how do I contact all the
employees throughout the country and how long will it take?
How can I evacuate the employees and how long will it take?
What do the people on the switchboard do if they receive a
bomb threat?
What contact do I have to the security authorities?
What should I do if I am being blackmailed (by a protection
racket for example)?
What should I do if I find out that an unencrypted email
containing details of a tender for a major project has found its
way to a competitor?
Do I have a contingency plan to deal with serious food
poisoning in my factory?
2.3 Advance planning and organizational preparations
16
You should inform Corporate Security whenever there is
a major security incident, such as kidnapping or
blackmail. They can quickly arrange for a task force to
be sent.
In such cases, as indeed in all cases, the following applies however:
Crisis management can generally only run efficiently if you are aware
of the latest plans and preparations for dealing with possible crisis
scenarios in your area of responsibility.
a. Stock-taking and data management
Case study:
Imagine you are the head of Regional Unit XY. Because of a major earthquake in the north of the country, the Corporate Crises Management has decided to close the factory there, place all projects on hold and evacuate the workforce and their families.
For many crises you need a detailed inventory of equipment and
facilities (locations, offices, projects, work sites). A knowledge of the
existing and available infrastructure is essential particularly with
regard to medical care, transportation, security services and the
emergency services.
17
In addition, access lists, alarm plans, information sheets and
checklists need to be prepared. City and building plans need to be
produced. Communication links must be established and
safeguarded, and consideration must be given to alternatives (such
as satellite telephones).
To provide concrete support in the preparation and
implementation of local crisis management, particularly
outside Germany, Corporate Security Office has
developed a web-based "Emergency Planning -
Security" software tool. Go to Softwaretool „ Emergency
Planning - Security“
There is a CD-ROM that provides a central repository
and efficient tool for handling all the data and
information (checklists/information sheets) relating to
security crisis management, such as access lists, alarm
plans, maps, communication directories and
documentation.
You will require advice on how to use the software tool.
For further details please contact Corporate Security
directly.
Email: [email protected]
Tel.: +49-89-636-34220
+49-89-636-32883
+49-89-636-33345 (24 hours)
18
b. Crisis management team
Case studies:
You Information Security Coordinator warns you that sensitive in-house software from your unit is freely available on an American server and the American press and the FBI have already been informed.
Your switchboard receives a fax in which someone claims he is in possession of a hard disk containing sensitive strategic data from your unit and he will hand it over in exchange for a "ransom", otherwise he will go to the press.
Criminals report that they have abducted an employee and give you three hours to let them know what you intend doing. They are demanding a ransom of $3 million.
Crises call for instant and efficient responses: The initial response is
critical in dealing successfully with crises.
The objective in any crisis must be to mitigate the shock of the crisis,
isolate the conflict, improve the negotiating position and thereby
avoid or limit the damage.
To create the necessary framework and freedom to produce an
appropriate response, the crisis management team needs to offer
organized support and prepare proposals.
19
The tasks to be performed by a crisis management team include the
following:
Collect and evaluate information
Report on the current situation
Liaise with internal departments, authorities and
institutions
Carry out PR work
Present and recommend the various options
Document all products and activities
The description below of the organization and activities of a crisis
management team represents the ideal situation.
The actual makeup and size of such a team should be decided for
each area of responsibility, based on the prevailing local conditions
and security problems as these vary throughout the world.
The important factor is not the size of the team but the quality and
skills of the team members in handling exceptional security incidents
and performing the tasks described below.
20
In crisis situations special demands are placed on employees in
terms of their stress levels and ability to make decisions.
The makeup of the crisis management team should therefore be
based exclusively on the personal and professional suitability of the
people involved.
Crises have no respect for schedules. The head of your crisis
management team is on holiday, the press spokesperson is on a
business trip and your security officer is in hospital.
Always bear in mind that you need an adequate number of people to
stand in for others.
21
c. Functions and tasks in the crisis management team
The head of the crisis management team should come from
corporate management, construction management or project
management because he or she will have the necessary experience
and authority to make decisions. This person should report directly to
the person in overall authority. The tasks to be performed include the
following:
Defining the tasks in the crisis management team
Coordinating the work processes
Informing the person in charge
Preparing possible solutions for the person in charge
Documentation and information
Case study:
Following the outbreak of a fire you have evacuated the factory in what you think is only a short time. Even so, 10 people have to go to hospital suffering from severe smoke inhalation. An official inquiry is held. You are criticized for starting the evacuation too late. What's more, two of the injured workers could not hear the loudspeaker announcements to evacuate the building because they were in the washroom at the time.
A full documentation of the taken measures could help you to refute the reproaches.
22
One of the tasks of the Documentation and Information Department
is to collect, evaluate and forward relevant information.
It evaluates the incoming information and records the decisions and
actions taken (situation report).
Full documentation is extremely important, not least because of
possible legal consequences.
Crisis communication, press and PR work
Case study:
Following an illegal strike in your factory you have to use security forces to exercise your right of entry and have two former employees arrested for trespassing on the site.
At the factory gates there is a camera team from the local television station and a pack of reporters.
Whether it is food poisoning in the canteen, a fire at the factory, a
bomb threat or kidnapping, the PR pressure on a global company is
enormous and extraordinary incidents are always going to attract the
attentions of the media. This is particularly the case if the company in
question makes a mistake in handling the emergency.
23
Crisis communication is an essential part of crisis management and
must be covered by persons with appropriate skills.
A press spokesperson must be aware of the current situation and the
plan of action.
Crisis communication and all press and PR work relating to the crisis
must be handled via this channel with the approval of the head of the
crisis management teams or the person in overall charge.
The tasks involved in crisis communication include the following:
Monitoring and evaluating the local and regional media.
Informing and supporting the media representatives and
employees as appropriate.
Planning/preparing press conferences and/or interviews.
24
Consultants
Case studies:
A competitor is manufacturing almost identical products and there is a suspicion that it is using some of the software developed within your unit (violating your patent rights). Customers switch to the cheaper product and the damage due to loss of orders amounts to several million US $. You suspect that the competitor is being helped by someone in the unit (who is conducting research?).
Criminals are blackmailing the company for US $ 2 million. The crisis management team is not sure whether such a payment is permitted under the laws of the country and who could obtain this amount of money.
Many crisis situations call for specialist knowledge. Depending on the
situation, it is therefore often necessary for the local crisis
management team to be advised by consultants. The following are
available, for example, at Siemens headquarters:
CD S
Corporate Security Office
Legal Services (LS)
Corporate Finance (CF)
Corporate Communications (CC)
Other specialist departments (such as CIO IS and CERT)
25
Other possible consultants:
Psychologists
Interpreters
Relatives
Doctors
Engineers
Representatives from friendly companies
Employees of the Regional Unit, unless they are
integrated in the crisis management team
Officials from the German Embassy (or Consulate),
Chambers of Commerce and other such agencies
Liaison officers with the local police/military or other state
institutions
Representatives of airlines, shipping companies,
communication and/or media companies
26
Logistics, supply and technology
In a crisis you generally need what you don't have
A person in the crisis management team should be appointed to
handle issues concerning logistics, supply chains and technology.
This person should ensure that the necessary resources are
complete, operational and available. Their tasks include obtaining
vehicles, couriers, accommodation, food and equipment.
Depending on the situation, a suite of rooms should be
commandeered and equipped for crisis management. It is best for
these rooms to be located close to the offices used by corporate
management and the people authorized to take decisions.
An access control system should be installed and escape routes
should be identified. The technical equipment needed to handle a
crisis must be identified at the planning stage.
The following table represents the ideal situation and shows the best
possible solution for the number and layout of the rooms for the crisis
management team and the technical/logistic equipment for the
rooms. "Scaled-down" practical solutions need to be found for
smaller sites, support centers and projects.
27
We can sum up as follows: Specific arrangements will depend on the
nature of the threat and on the economic facilities on site.
Room for person in charge Room for information and documentation
Equipment:
Normal telephone line Scrambler telephone Tape recorder attached to
telephone
Equipment:
Normal telephone line Tape recorder attached to
telephone Overhead projector, laptop-based
projector Flipchart Television and video recorder Radio/short-wave receiver Town plans, maps
Room for secretary Special room
Equipment:
PC with internet and email Normal telephone line Answering machine Scrambler fax Tape recorder attached to
telephone
Equipment:
Normal telephone line Additional confidential exchange
line Tape recorder attached to
telephone
Room for head of crisis management team
Equipment:
Normal telephone line Scrambler telephone Tape recorder attached to
telephone
Common room for drivers, clerks, messengers, etc.
Equipment:
Normal telephone line
28
Negotiations
Depending on the nature of the crisis it may be necessary to conduct
negotiations.
For this, a skilled spokesperson is needed as part of the crisis
management team. This spokesperson will receive bulletins,
demands and proposals from the protagonists and forward them to
management or the person in overall charge. Conversely, the
spokesman will pass on proposals and decisions from the crisis
management team to the protagonists. Negotiations in the event of a
crisis serve to stabilize the situation, give the crisis team time and
provide the team with important information on the situation, the
perpetrators and any victims.
The people to be appointed as negotiators must meet extremely high
demands in terms of their personality and ability to handle stress.
This should be taken into consideration when appointing people to a
crisis management teams. Corporate Security can offer advice and
support on this specific aspect.
2.4 Competence through training
Training is the recipe for success for any team. Training exercises
must be realistic and cost-effective. The nature and scope of the
exercises will depend on the security situation, the actual risks and
the resulting need for action. In practice, this may take the following
form:
29
Discuss realistic scenarios with your crisis management team
Call the crisis management team together. Can all the members
be reached, are they all available, is the technology in place, are
the logistics right?
Practise role play. Does the team perform well?
Practise the process of developing a strategy and taking
decisions on the basis of a realistic scenario. How do you rate
your prospects in a real-life situation?
Liaise with important external agencies. How high is the level of
cooperation?
Practise trial alarms. Did you contact everyone, how long did it
take, were there any problems with the selection, functionality and
operation of the communication equipment, were the message
paths correctly defined?
Set up evacuation plans and carry out an evacuation. Were the
response times as expected, where were the difficulties and what
were they?
In effect, only appropriate crisis management training (at least once a
year) can indicate whether preparations are adequate, strategies are
effective, the persons are right for the job and the necessary
equipment and logistics are appropriate and operational. Corporate
Security can offer specialist advice on setting up crisis management
teams and conducting exercises.
30
2.5 Preparations for crisis situations: Instructional notes, plans and
checklists
The success or failure of crisis management is determined in many
cases in the first 24 hours after the onset of the crisis. The quality of
your preparations is crucial to the outcome. Generally speaking, you
will not have the time to catch up on what you have not done.
To help you make the necessary preparations for effective crisis
management for special security incidents, Corporate Security
has produced a wide variety of instructional notes and
checklists notes and checklists covering the issues raised. You
can find it in the intranet under https://intranet.cso.siemens.de.
31