Sponsored briefing - Protecting Your Visitor Attraction | attractionsmanagement.com
Sponsored briefing
Part 1 - Protecting Your Visitor Attraction

Nigel Peers, senior consultant at NW Security Group, looks at the UK government’s guidance on crowded places and shares his expertise on how to make an attraction safe and secure

On 8 June, 2017, the UK’s National Counter Terrorism Security Office (NaCTSO) published its 174-page Crowded Places Guidance. This comprehensive advisory report focuses on protecting crowded locations, including visitor attractions, shopping centres, sports stadia, bars, pubs and clubs, which are easily accessible to the public and could present a potential target.

This article focuses on the parts of NaCTSO’s Crowded Places Guidance that provide protective security advice to those who own, operate, manage, secure or work in visitor attractions. It’s an area where I personally have in-depth expertise, having managed security for the UK’s busiest zoo – Chester Zoo, boasting 1.9 million visitors a year – for several years before joining NW Security Group.

Rather than summarising what is an incredibly detailed and instructive document, I thought it helpful to present some of the thinking and processes that I went through during a three-year-plus period to harden security systems, plans and procedures and mitigate against key risks which were identified when I began my time in that role.

Identify assets
Much of the hard work begins with asset identification and assessment. You need to assess and prioritise all assets to be protected and then the security risks across four different parameters:
• People – staff, visitors, contractors
• Physical assets – infrastructure, buildings, etc.
• Information and data assets
• Policy and procedures

In any risk assessment you must be able to identify and rank risks based on a detailed assessment of the likelihood of a type of threat happening and the possible impact on the organisation should such an event occur.

Four key questions to ask are:
• What assets need to be protected?
• What threats and vulnerabilities are out there?
• What is the impact on the attraction if a given asset is compromised/attacked/breached?
• What existing measures, systems and equipment already aid protection of these assets, mitigating against pre-identified threats?

All threats need to be placed in order of importance and any remedial action to improve mitigation measures needs to be proportionate to the level of threat and the assets identified for protection.

Consider stakeholders
During the process of prioritising which risks to mitigate first and which to devote most resources to improving, it is worth considering key stakeholders and their priorities and concerns. So, for a visitor attraction, key stakeholders might be:
• CEO and other board directors, responsible for the reputation and wellbeing of the organisation
• IT director/IT manager, who may have to assist in preventing a cyber attack
• Marketing department, who may have to ensure they are not making information public, which could be of use for hostile reconnaissance intelligence gathering
• Security team, who are going to be pivotal to strengthening any security systems and procedures
• Health and safety management team, monitoring for slips, trips, falls and other potential injury, personal property damage or anti-social behaviour that may place staff, visitors or assets at risk
• Visitors, who may well have a part to play by remaining vigilant to surroundings and people around them that may be behaving unusually. They can be encouraged to report anything unusual, including unattended bags

When drawing up the risk assessment it is important to bear in mind that the best you can expect to do is reduce the risk to ‘as low as reasonably practicable’, while maintaining the friendly and welcoming atmosphere which is compatible with visitors enjoying a great day out.

Building a security plan
Once the risk assessment has been completed, the next step is to draw up a strategic security plan. The security plan must be simple, clear and flexible as far as is possible. It will need to detail:
• Policies, for helping staff and visitors to be security-aware and as far as possible knowledgeable about what should be done if an incident happens
• Operational change recommendations; for example, profiling of visitors by your security team, increasing patrolling levels, randomising patrol timings
• Physical change recommendations; for example, barriers, IP (internet protocol) video/digital video cameras, access control, bollards, fixed furniture, bins
• Training and awareness requirements for the security team and wider organisation
• Validation procedures, to check you have got priorities and mitigations right
• Partnership; you should be running plans through your local Counter Terrorism Security Advisor (CTSA) and other strategic partner agencies
• Review and monitoring regime; how often will the plan be checked?
• Communication and media elements, including understanding what should and what should not be communicated about your security systems, procedures and assets. For example, some information could potentially assist hostile reconnaissance operatives whereas other information should be made very public to deter hostiles from targeting your venue.

Deny, deter, detect
One key consideration is to work hard to “deny, deter and detect” hostile reconnaissance. The more your security regime can deny would-be terrorists access to reconnaissance intelligence, the less likely your venue will be subject to a major attack. Spotting them early is the first crucial step to stopping any hostile reconnaissance team from gathering useful intelligence. Thereafter, if you can demonstrate a strong security appetite by proactively indicating you’ve ‘spotted them’, and provide identification-worthy CCTV evidence to the authorities, they are more likely to be deterred from returning.

Add to the proactive profiling of possible hostiles by communicating the effectiveness of your security systems – or, as the NaCTSO guidelines put it, deterring them by putting out the message ‘come here and you are likely to get caught’ – and you start to reduce the risk of an attack considerably.

Phased mitigation
You won’t be able to purchase and install the full shopping list of equipment and training requirements that you’ve identified in the first few months of completing the risk assessment – budgets rarely allow it.

So, if you need 200 new surveillance cameras and a new highly-secure control room, you will need to consider phasing in this work. So, is there scope to re-use a portion of the old analogue CCTV cameras for a period and bring the serviceable ones onto the network? And if there is budget for only 50 new network cameras, where exactly do those priority cameras need to be placed? The ‘top priority’ threats must be tackled first so that the biggest threats are mitigated before moving to the lesser threats as budgets and resources free up.

One valuable way to prioritise work is to attach an Operational Requirement (OR) statement to each piece of security equipment going in. Essentially, this needs to state precisely what security or other operational need this piece of equipment addresses. Each new camera has a specific purpose: one might be for perimeter security, another for animal welfare, a third for health and safety monitoring on a pedestrian thoroughfare, and so on.

It must be clear which area is covered by each camera. Further, the displacement consideration must be documented for all surveillance cameras: it’s important to understand that if a new camera is put in to cover one known area where crime is likely to be committed, this crime may just move into a different area. Although this is a more significant concern in public space CCTV installations, displacement risk is always worth considering.

Access control
The OR process is fundamental to planning an efficient security solution and access control is no exception. Be it controlling pedestrian access to certain areas, or vehicles into the site, the principles are the same. Know who or what can go where and allocate passes to reflect this. Any access control system is only as good as the procedures and people that govern its use and a good security culture is paramount in ensuring your site remains secure.

Processes and procedures for issuing visitor and contractor passes are worthy of close attention as it is normally in these sorts of procedures and processes that vulnerabilities lie. Hostile Vehicle Mitigation (HVM) strategies are detailed in NaCTSO’s Crowded Places Guidance and I advise that they should be read carefully as this type of threat is being encouraged by terrorist groups via the internet right now, as we know all too well from recent Vehicle as a Weapon (VAW) attacks in Nice, London and New York.

VAWs, like many threats, demand defence in depth, multi-layered and overlapping security systems, processes and procedures. Retractable and fixed bollards at vehicle and pedestrian entrances, fencing, barriers, landscaping, fixed furniture, identification and pass checking, profiling, as well as well-placed CCTV and speakers to send audible alerts, can all work together to make a site as secure from a VAW as is practicable – particularly given the fact that you don’t want a visitor attraction to feel like Fort Knox.

Incident management
You need to be thoroughly drilled on the procedure to keep staff, visitors and other assets safe should an incident happen. All people on-site must know where to go and what to do in the event of a security incident. This could mean full or partial evacuation or ‘invacuation’ to a secure place either on-site or off-site.

You will want to deter any new people from entering an area where a security breach has occurred. By doing so you will reduce the risk of increasing the number of people exposed to the threat.

Alarm control points should be considered and sited where mustering points have been agreed and communicated. Methods for good communication flow must also be multi-layered so any public address can be supported by shortwave radio for security officers. Police and emergency services must be called in as early as possible to assist. Staff should be tested with regular scenario-based exercises, including desktop and practical activities.

Summary
The information and guidance discussed here allows for investigation of just some of the elements of securing a visitor attraction. It cannot be as comprehensive as the new NaCTSO guidance, which covers mitigation of many more threats than I’ve been able to cover here.

Threats are bound to be different for each attraction. Legacy security systems, range of assets, layout and size of the site and existing security personnel are all issues which need to influence your security priorities. However, the principles of good security planning and risk assessment should form a firm foundation for building a new and up-to-date security plan for any visitor attraction.

Quickstart guide to securing your facility

1. Identify & Prioritise Assets
Assess and prioritise all assets and security risks

2. Identify Threats & Prioritise Mitigation
Identify risks and their possible impact. Put mitigation measures in place

3. Satisfy Needs of Key Stakeholders
Terrorism-related threats and cybersecurity are moving further up directors’ agendas

4. Build Strategic Security Plan
Consider the following: policies, operational changes, site changes, staff training, partnering with local Counter Terrorism Security Advisor, external communications

5. Combat Hostile Reconnaissance
Be able to spot a hostile reconnaissance team and provide identification-worthy CCTV evidence to the authorities

6. Link new Security Equipment to Operational Requirements (OR)
Attach an OR statement to each piece of new security equipment being installed stating what security or other operational needs it addresses. Each camera will have a specific purpose

7. Stiffen Access Control Procedures
Procedures for issuing visitor and contractor passes are worthy of close attention. Multi-layered security systems may well be needed

8. Incident Management
Should an incident happen, all people on-site must know where to go and what to do. This could mean full or partial evacuation or ‘invacuation’ to a secure place

9. Keep up to speed with NaCTSO
Use the latest Crowded Places Guidance published by NaCTSO as your go-to reference for change, training specification, as well as procedures and processes reinforcement

10. Centralise Video Surveillance Monitoring
CCTV is only valuable if coverage is comprehensive and can be used to positively identify people. Build a centralised/networked video surveillance infrastructure with professional video management capability manned by fully-trained security officers



To read the NaCTSO guidance, go to
www.gov.uk/government/publications/crowded-places-guidance


About the author
Nigel Peers is a security consultant, data protection practitioner and trainer. With a military background, and as the founder of a workplace compliance training company, Peers possesses a wealth of expertise in conducting security site surveys, vulnerability assessments and delivering Security Industry Authority (SIA) and other industry-related training courses.

About NW Security Group
NW Security Group provides security planning consultancy and training as well as planning and physical security equipment specification, configuration and installation services.

Nigel Peers, senior consultant at NW Security Group
Complete a risk assessment before proceeding to draw up a strategic security plan
Crowded Places Guidance is aimed at attractions, stadia, bars and other busy places
Many major attractions now have well-trained security staff and well-placed security equipment Credit: shutterstock
Leisure Media, Portmill House, Portmill Lane,
Hitchin, Hertfordshire SG5 1DJ Tel: +44 (0)1462 431385

©Cybertrek 2018