What is a security culture?
The benefits of an effective security culture are:
a workforce that is more likely to be engaged with, and take responsibility for, security issues
increased compliance with protective security measures, such as those set out in this guidance
reduced risk of insider incidents
awareness of the most relevant security threats
employees are more likely to think and act in a security-conscious manner
Security behaviours in your organisation
A strong security culture will promote positive security behaviours across your workforce.
Using the National Protective Security Authority (NPSA) 5Es framework (Educate, Enable, Shape the Environment, Encourage the Action and Evaluate the Impact) an organisation can embed and sustain security behaviours within their workforce.
The NPSA ‘Embedding Security Behaviours: using the 5Es Framework’ document provides guidance on how to implement the 5Es within an organisation .
Vigilance and reporting suspicious behaviour
In an emergency always ring 999. Security awareness, vigilance and reporting suspicious behaviour, increases the likelihood that people with hostile intentions will be detected or deterred.
Employee vigilance complements other elements of protective security.
Procedures for reporting any unusual behaviour to supervisors and police, should be developed and briefed to all staff.
We recommend reporting any concerns via the National Counter Terrorism Policing (NCTPHQ) Action Counters Terrorism (ACT) campaign:
‘If you’ve seen or heard something that could suggest a terrorist threat to the UK do not ignore it, report it’.
Report suspicious activity to the police by calling confidentially on 0800 789 321 or through the report in confidence service on the page: https://act.campaign.gov.uk.
The public already contribute intelligence to around a third of the most serious terrorism investigations. Staff should be reassured that they need not be concerned about wasting police time or getting someone into trouble.
Due to the nature of security operations you may not hear back from the Police, this does not mean they have ignored you concerns.
Vigilance will be further promoted by putting in place systems for recording site security patrols, monitoring and checking visitors and vehicles.
Identification passes should be issued to staff and visitors and worn at all times. All staff should be encouraged to challenge anyone on your premises who is not wearing a pass.
Company security plan
A security plan is the cornerstone of a secure goods vehicle operation that sets the basis for strong security behaviours, culture and security practice.
A company security plan should cover at least the following steps, themes and elements:
allocate security responsibilities to a staff member who has appropriate authority to make security-related decisions and implement them
assess risks posed by your vehicle operations. Involve key business partners including customers, shippers, freight forwarders, carriers, security service providers, and insurance experts in the risk assessment, if possible. Define and understand the security risks in vehicle operations including the ‘insider threat’
identify possible solutions that will prevent one of your vehicles being used in an attack, while considering options, for example, that all vehicles should be locked when not in use. Security plans and procedures should be updated regularly. Collect feedback from drivers and consider the drivers’ needs and wishes in day-to-day vehicle security management. When implementing decisions ensure employees have been consulted. Undertake regular reviews to monitor results and progress
altogether, when designing security plans, managers should consider the five-step model illustrated above which guides them through the most important aspects and themes of goods vehicle security management
Countering the insider threat with pre-employment checks
An insider is a person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes.
Insiders with access to your processes and assets can be a source of threat. An insider could be a full time or part-time employee, a contractor or even a business partner. They could deliberately join your organisation to gain access to your organisation’s assets to mount an attack, or they may be triggered to act at some point during their employment.
Organisations should provide a trusted resource for staff to report security concerns or suspicions, either anonymously or otherwise, this is a positive way of nurturing a security culture within an organisation.
Robust pre-employment checks for all employees can help mitigate the insider threat by:
deterring applicants who may wish to harm your organisation from applying for employment
detecting individuals with an intent to harm your organisation at the recruitment/application phase
and denying employment to individuals intending to harm your organisation, and deny employment in roles for which the applicant is unsuitable
Remember: deter - detect - deny
Consideration should be given to using British Standard 7858 (or equivalent) for security screening of employees.
This standard involves conducting basic identity, financial, employment and criminal records checks. We recommend that the following additional steps are taken when employing drivers:
check a driver’s references and previous employment history (minimum of five years)
speak to previous employers
inform applicants that false details on application forms may lead to dismissal
check driving licences are valid and look for endorsements before you employ someone, and then at six-monthly intervals afterwards. Drivers should tell you of any changes to their licence
check if the applicant has any prosecutions pending or is waiting for sentencing by a court
for agency drivers, ensure that the agency has carried out all of these checks including criminal records checks
and use only reputable recruitment agencies that are affiliated with a recognised UK trade organisation