Nigel Peers, senior consultant at NW Security Group, looks at the UK government’s guidance on crowded places and shares his expertise on how to make an attraction safe and secure
On 8 June, 2017, the UK’s National Counter Terrorism Security Office (NaCTSO) published its 174-page Crowded Places Guidance. This comprehensive advisory report focuses on protecting crowded locations, including visitor attractions, shopping centres, sports stadia, bars, pubs and clubs, which are easily accessible to the public and could present a potential target.
This article focuses on the parts of NaCTSO’s Crowded Places Guidance that provide protective security advice to those who own, operate, manage, secure or work in visitor attractions. It’s an area where I personally have in-depth expertise, having managed security for the UK’s busiest zoo – Chester Zoo, boasting 1.9 million visitors a year – for several years before joining NW Security Group.
Rather than summarising what is an incredibly detailed and instructive document, I thought it helpful to present some of the thinking and processes that I went through during a three-year-plus period to harden security systems, plans and procedures and mitigate against key risks which were identified when I began my time in that role.
Identify assets Much of the hard work begins with asset identification and assessment. You need to assess and prioritise all assets to be protected and then the security risks across four different parameters: • People – staff, visitors, contractors • Physical assets – infrastructure, buildings, etc. • Information and data assets • Policy and procedures
In any risk assessment you must be able to identify and rank risks based on a detailed assessment of the likelihood of a type of threat happening and the possible impact on the organisation should such an event occur.
Four key questions to ask are: • What assets need to be protected? • What threats and vulnerabilities are out there? • What is the impact on the attraction if a given asset is compromised/attacked/breached? • What existing measures, systems and equipment already aid protection of these assets, mitigating against pre-identified threats?
All threats need to be placed in order of importance and any remedial action to improve mitigation measures needs to be proportionate to the level of threat and the assets identified for protection.
Consider stakeholders During the process of prioritising which risks to mitigate first and which to devote most resources to improving, it is worth considering key stakeholders and their priorities and concerns. So, for a visitor attraction, key stakeholders might be: • CEO and other board directors, responsible for the reputation and wellbeing of the organisation • IT director/IT manager, who may have to assist in preventing a cyber attack • Marketing department, who may have to ensure they are not making information public, which could be of use for hostile reconnaissance intelligence gathering • Security team, who are going to be pivotal to strengthening any security systems and procedures • Health and safety management team, monitoring for slips, trips, falls and other potential injury, personal property damage or anti-social behaviour that may place staff, visitors or assets at risk • Visitors, who may well have a part to play by remaining vigilant to surroundings and people around them that may be behaving unusually. They can be encouraged to report anything unusual, including unattended bags
When drawing up the risk assessment it is important to bear in mind that the best you can expect to do is reduce the risk to ‘as low as reasonably practicable’, while maintaining the friendly and welcoming atmosphere which is compatible with visitors enjoying a great day out.
Building a security plan Once the risk assessment has been completed, the next step is to draw up a strategic security plan. The security plan must be simple, clear and flexible as far as is possible. It will need to detail: • Policies, for helping staff and visitors to be security-aware and as far as possible knowledgeable about what should be done if an incident happens • Operational change recommendations; for example, profiling of visitors by your security team, increasing patrolling levels, randomising patrol timings • Physical change recommendations; for example, barriers, IP (internet protocol) video/digital video cameras, access control, bollards, fixed furniture, bins • Training and awareness requirements for the security team and wider organisation • Validation procedures, to check you have got priorities and mitigations right • Partnership; you should be running plans through your local Counter Terrorism Security Advisor (CTSA) and other strategic partner agencies • Review and monitoring regime; how often will the plan be checked? • Communication and media elements, including understanding what should and what should not be communicated about your security systems, procedures and assets. For example, some information could potentially assist hostile reconnaissance operatives whereas other information should be made very public to deter hostiles from targeting your venue.
Deny, deter, detect One key consideration is to work hard to “deny, deter and detect” hostile reconnaissance. The more your security regime can deny would-be terrorists access to reconnaissance intelligence, the less likely your venue will be subject to a major attack. Spotting them early is the first crucial step to stopping any hostile reconnaissance team from gathering useful intelligence. Thereafter, if you can demonstrate a strong security appetite by proactively indicating you’ve ‘spotted them’, and provide identification-worthy CCTV evidence to the authorities, the more likely they are to be deterred from returning.
Add to the proactive profiling of possible hostiles by communicating the effectiveness of your security systems – or, as the NaCTSO guidelines put it, deterring them by putting out the message ‘come here and you are likely to get caught’ – and you start to reduce the risk of an attack considerably.
Phased mitigation You won’t be able to purchase and install the full shopping list of equipment and training requirements that you’ve identified in the first few months of completing the risk assessment – budgets rarely allow it.
So, if you need 200 new surveillance cameras and a new highly-secure control room, you will need to consider phasing in this work. So, is there scope to re-use a portion of the old analogue CCTV cameras for a period and bring the serviceable ones onto the network? And if there is budget for only 50 new network cameras, where exactly do those priority cameras need to be placed? The ‘top priority’ threats must be tackled first so that the biggest threats are mitigated before moving to the lesser threats as budgets and resources free up.
One valuable way to prioritise work is to attach an Operational Requirement (OR) statement to each piece of security equipment going in. Essentially, this needs to state precisely what security or other operational need this piece of equipment addresses. Each new camera has a specific purpose: one might be for perimeter security, another for animal welfare, a third for health and safety monitoring on a pedestrian thoroughfare, and so on.
It must be clear which area is covered by each camera. Further, the displacement consideration must be documented for all surveillance cameras: it’s important to understand that if a new camera is put in to cover one known area where crime is likely to be committed, that this crime may just move into a different area. Although this is a more significant concern in public space CCTV installations, displacement risk is always worth considering.
Access control The OR process is fundamental to planning an efficient security solution and access control is no exception. Be it controlling pedestrian access to certain areas, or vehicles into the site, the principles are the same. Know who or what can go where and allocate passes to reflect this. Any access control system is only as good as the procedures and people that govern its use and a good security culture is paramount in ensuring your site remains secure.
Processes and procedures for issuing visitor and contractor passes are worthy of close attention as it is normally in these sorts of procedures and processes that vulnerabilities lie. Hostile Vehicle Mitigation (HVM) strategies are detailed in NaCTSO’s Crowded Places Guidance and I advise that they should be read carefully as this type of threat is being encouraged by terrorist groups via the internet right now, as we know all too well from recent Vehicle as a Weapon (VAW) attacks in Nice, London and New York.
VAWs, like many threats, demand defence in depth, multi-layered and overlapping security systems, processes and procedures. Retractable and fixed bollards at vehicle and pedestrian entrances, fencing, barriers, landscaping, fixed furniture, identification and pass checking, profiling, as well as well-placed CCTV and speakers to send audible alerts, can all work together to make a site as secure from a VAW as is practicable – particularly given the fact that you don’t want a visitor attraction to feel like Fort Knox.
Incident management You need to be thoroughly drilled on the procedure to keep staff, visitors and other assets safe should an incident happen. All people on-site must know where to go and what to do in the event of a security incident. This could mean full or partial evacuation or ‘invacuation’ to a secure place either on-site or off-site.
You will want to deter any new people from entering an area where a security breach has occurred. By doing so you will reduce the risk of increasing the number of people exposed to the threat.
Alarm control points should be considered and sited where mustering points have been agreed and communicated. Methods for good communication flow must also be multi-layered so any public address can be supported by shortwave radio for security officers. Police and emergency services must be called in as early as possible to assist. Staff should be tested with regular scenario-based exercises, including desktop and practical activities.
Summary The information and guidance discussed here allows for investigation of just some of the elements of securing a visitor attraction. It cannot be as comprehensive as the new NaTCSO guidance, which covers mitigation of many more threats than I’ve been able to cover here.
Threats are bound to be different for each attraction. Legacy security systems, range of assets, layout and size of the site and existing security personnel are all issues which need to influence your security priorities. However, the principles of good security planning and risk assessment should form a firm foundation for building a new and up-to-date security plan for any visitor attraction.
Quickstart guide to securing your facility null,1. Identify & Prioritise Assets Assess and prioritise all assets and security risks
2. Identify Threats & Prioritise Mitigation Identify risks and their possible impact. Put mitigation measures in place
3. Satisfy Needs of Key Stakeholders Terrorism-related threats and cybersecurity are moving further up directors’ agendas
4. Build Strategic Security Plan Consider the following: policies, operational changes, site changes, staff training, partnering with local Counter Terrorism Security Advisor, external communications
5. Combat Hostile Reconnaissance Be able to spot a hostile reconnaissance team and provide identification-worthy CCTV evidence to the authorities
6. Link new Security Equipment to Operational Requirements (OR) Attach an OR statement to each piece of new security equipment being installed stating what security or other operational needs it addresses. Each camera will have a specific purpose
7. Stiffen Access Control Procedures Procedures for issuing visitor and contractor passes are worthy of close attention. Multi-layered security systems may well be needed
8. Incident Management Should an incident happen, all people on-site must know where to go and what to do. This could mean full or partial evacuation or ‘invacuation’ to a secure place
9. Keep up to speed with NaCTSO Use the latest Crowded Places Guidance published by NaCTSO as your go-to reference for change, training specification, as well as procedures and processes reinforcement
10. Centralise Video Surveillance Monitoring CCTV is only valuable if coverage is comprehensive and can be used to positively identify people. Build a centralised/networked video surveillance infrastructure with professional video management capability manned by fully-trained security officers
Nigel Peers is a security consultant, data protection practitioner and trainer. With a military background and founder of a workplace compliance training company, Peers possesses a wealth of expertise in conducting security site surveys, vulnerability assessments and delivering Security Industry Authority (SIA) and other industry-related training courses.
About NW Security Group NW Security Group provides security planning consultancy and training as well as planning and physical security equipment specification, configuration and installation services.
Nigel Peers, senior consultant at NW Security Group
Complete a risk assessment before proceeding to draw up a strategic security plan
Complete a risk assessment before proceeding to draw up a strategic security plan
Crowded Places Guidance is aimed at attractions, stadia, bars and other busy places
Many major attractions now have well-trained security staff and
well-placed security equipment
Many major attractions now have well-trained security staff and
well-placed security equipment Credit: shutterstock
Nigel Peers, senior consultant at NW Security Group, looks at the UK government’s guidance on crowded places and shares his expertise on how to make an attraction safe and secure
On 8 June, 2017, the UK’s National Counter Terrorism Security Office (NaCTSO) published its 174-page Crowded Places Guidance. This comprehensive advisory report focuses on protecting crowded locations, including visitor attractions, shopping centres, sports stadia, bars, pubs and clubs, which are easily accessible to the public and could present a potential target.
This article focuses on the parts of NaCTSO’s Crowded Places Guidance that provide protective security advice to those who own, operate, manage, secure or work in visitor attractions. It’s an area where I personally have in-depth expertise, having managed security for the UK’s busiest zoo – Chester Zoo, boasting 1.9 million visitors a year – for several years before joining NW Security Group.
Rather than summarising what is an incredibly detailed and instructive document, I thought it helpful to present some of the thinking and processes that I went through during a three-year-plus period to harden security systems, plans and procedures and mitigate against key risks which were identified when I began my time in that role.
Identify assets Much of the hard work begins with asset identification and assessment. You need to assess and prioritise all assets to be protected and then the security risks across four different parameters: • People – staff, visitors, contractors • Physical assets – infrastructure, buildings, etc. • Information and data assets • Policy and procedures
In any risk assessment you must be able to identify and rank risks based on a detailed assessment of the likelihood of a type of threat happening and the possible impact on the organisation should such an event occur.
Four key questions to ask are: • What assets need to be protected? • What threats and vulnerabilities are out there? • What is the impact on the attraction if a given asset is compromised/attacked/breached? • What existing measures, systems and equipment already aid protection of these assets, mitigating against pre-identified threats?
All threats need to be placed in order of importance and any remedial action to improve mitigation measures needs to be proportionate to the level of threat and the assets identified for protection.
Consider stakeholders During the process of prioritising which risks to mitigate first and which to devote most resources to improving, it is worth considering key stakeholders and their priorities and concerns. So, for a visitor attraction, key stakeholders might be: • CEO and other board directors, responsible for the reputation and wellbeing of the organisation • IT director/IT manager, who may have to assist in preventing a cyber attack • Marketing department, who may have to ensure they are not making information public, which could be of use for hostile reconnaissance intelligence gathering • Security team, who are going to be pivotal to strengthening any security systems and procedures • Health and safety management team, monitoring for slips, trips, falls and other potential injury, personal property damage or anti-social behaviour that may place staff, visitors or assets at risk • Visitors, who may well have a part to play by remaining vigilant to surroundings and people around them that may be behaving unusually. They can be encouraged to report anything unusual, including unattended bags
When drawing up the risk assessment it is important to bear in mind that the best you can expect to do is reduce the risk to ‘as low as reasonably practicable’, while maintaining the friendly and welcoming atmosphere which is compatible with visitors enjoying a great day out.
Building a security plan Once the risk assessment has been completed, the next step is to draw up a strategic security plan. The security plan must be simple, clear and flexible as far as is possible. It will need to detail: • Policies, for helping staff and visitors to be security-aware and as far as possible knowledgeable about what should be done if an incident happens • Operational change recommendations; for example, profiling of visitors by your security team, increasing patrolling levels, randomising patrol timings • Physical change recommendations; for example, barriers, IP (internet protocol) video/digital video cameras, access control, bollards, fixed furniture, bins • Training and awareness requirements for the security team and wider organisation • Validation procedures, to check you have got priorities and mitigations right • Partnership; you should be running plans through your local Counter Terrorism Security Advisor (CTSA) and other strategic partner agencies • Review and monitoring regime; how often will the plan be checked? • Communication and media elements, including understanding what should and what should not be communicated about your security systems, procedures and assets. For example, some information could potentially assist hostile reconnaissance operatives whereas other information should be made very public to deter hostiles from targeting your venue.
Deny, deter, detect One key consideration is to work hard to “deny, deter and detect” hostile reconnaissance. The more your security regime can deny would-be terrorists access to reconnaissance intelligence, the less likely your venue will be subject to a major attack. Spotting them early is the first crucial step to stopping any hostile reconnaissance team from gathering useful intelligence. Thereafter, if you can demonstrate a strong security appetite by proactively indicating you’ve ‘spotted them’, and provide identification-worthy CCTV evidence to the authorities, the more likely they are to be deterred from returning.
Add to the proactive profiling of possible hostiles by communicating the effectiveness of your security systems – or, as the NaCTSO guidelines put it, deterring them by putting out the message ‘come here and you are likely to get caught’ – and you start to reduce the risk of an attack considerably.
Phased mitigation You won’t be able to purchase and install the full shopping list of equipment and training requirements that you’ve identified in the first few months of completing the risk assessment – budgets rarely allow it.
So, if you need 200 new surveillance cameras and a new highly-secure control room, you will need to consider phasing in this work. So, is there scope to re-use a portion of the old analogue CCTV cameras for a period and bring the serviceable ones onto the network? And if there is budget for only 50 new network cameras, where exactly do those priority cameras need to be placed? The ‘top priority’ threats must be tackled first so that the biggest threats are mitigated before moving to the lesser threats as budgets and resources free up.
One valuable way to prioritise work is to attach an Operational Requirement (OR) statement to each piece of security equipment going in. Essentially, this needs to state precisely what security or other operational need this piece of equipment addresses. Each new camera has a specific purpose: one might be for perimeter security, another for animal welfare, a third for health and safety monitoring on a pedestrian thoroughfare, and so on.
It must be clear which area is covered by each camera. Further, the displacement consideration must be documented for all surveillance cameras: it’s important to understand that if a new camera is put in to cover one known area where crime is likely to be committed, that this crime may just move into a different area. Although this is a more significant concern in public space CCTV installations, displacement risk is always worth considering.
Access control The OR process is fundamental to planning an efficient security solution and access control is no exception. Be it controlling pedestrian access to certain areas, or vehicles into the site, the principles are the same. Know who or what can go where and allocate passes to reflect this. Any access control system is only as good as the procedures and people that govern its use and a good security culture is paramount in ensuring your site remains secure.
Processes and procedures for issuing visitor and contractor passes are worthy of close attention as it is normally in these sorts of procedures and processes that vulnerabilities lie. Hostile Vehicle Mitigation (HVM) strategies are detailed in NaCTSO’s Crowded Places Guidance and I advise that they should be read carefully as this type of threat is being encouraged by terrorist groups via the internet right now, as we know all too well from recent Vehicle as a Weapon (VAW) attacks in Nice, London and New York.
VAWs, like many threats, demand defence in depth, multi-layered and overlapping security systems, processes and procedures. Retractable and fixed bollards at vehicle and pedestrian entrances, fencing, barriers, landscaping, fixed furniture, identification and pass checking, profiling, as well as well-placed CCTV and speakers to send audible alerts, can all work together to make a site as secure from a VAW as is practicable – particularly given the fact that you don’t want a visitor attraction to feel like Fort Knox.
Incident management You need to be thoroughly drilled on the procedure to keep staff, visitors and other assets safe should an incident happen. All people on-site must know where to go and what to do in the event of a security incident. This could mean full or partial evacuation or ‘invacuation’ to a secure place either on-site or off-site.
You will want to deter any new people from entering an area where a security breach has occurred. By doing so you will reduce the risk of increasing the number of people exposed to the threat.
Alarm control points should be considered and sited where mustering points have been agreed and communicated. Methods for good communication flow must also be multi-layered so any public address can be supported by shortwave radio for security officers. Police and emergency services must be called in as early as possible to assist. Staff should be tested with regular scenario-based exercises, including desktop and practical activities.
Summary The information and guidance discussed here allows for investigation of just some of the elements of securing a visitor attraction. It cannot be as comprehensive as the new NaTCSO guidance, which covers mitigation of many more threats than I’ve been able to cover here.
Threats are bound to be different for each attraction. Legacy security systems, range of assets, layout and size of the site and existing security personnel are all issues which need to influence your security priorities. However, the principles of good security planning and risk assessment should form a firm foundation for building a new and up-to-date security plan for any visitor attraction.
Quickstart guide to securing your facility null,1. Identify & Prioritise Assets Assess and prioritise all assets and security risks
2. Identify Threats & Prioritise Mitigation Identify risks and their possible impact. Put mitigation measures in place
3. Satisfy Needs of Key Stakeholders Terrorism-related threats and cybersecurity are moving further up directors’ agendas
4. Build Strategic Security Plan Consider the following: policies, operational changes, site changes, staff training, partnering with local Counter Terrorism Security Advisor, external communications
5. Combat Hostile Reconnaissance Be able to spot a hostile reconnaissance team and provide identification-worthy CCTV evidence to the authorities
6. Link new Security Equipment to Operational Requirements (OR) Attach an OR statement to each piece of new security equipment being installed stating what security or other operational needs it addresses. Each camera will have a specific purpose
7. Stiffen Access Control Procedures Procedures for issuing visitor and contractor passes are worthy of close attention. Multi-layered security systems may well be needed
8. Incident Management Should an incident happen, all people on-site must know where to go and what to do. This could mean full or partial evacuation or ‘invacuation’ to a secure place
9. Keep up to speed with NaCTSO Use the latest Crowded Places Guidance published by NaCTSO as your go-to reference for change, training specification, as well as procedures and processes reinforcement
10. Centralise Video Surveillance Monitoring CCTV is only valuable if coverage is comprehensive and can be used to positively identify people. Build a centralised/networked video surveillance infrastructure with professional video management capability manned by fully-trained security officers
Nigel Peers is a security consultant, data protection practitioner and trainer. With a military background and founder of a workplace compliance training company, Peers possesses a wealth of expertise in conducting security site surveys, vulnerability assessments and delivering Security Industry Authority (SIA) and other industry-related training courses.
About NW Security Group NW Security Group provides security planning consultancy and training as well as planning and physical security equipment specification, configuration and installation services.
Nigel Peers, senior consultant at NW Security Group
Complete a risk assessment before proceeding to draw up a strategic security plan
Complete a risk assessment before proceeding to draw up a strategic security plan
Crowded Places Guidance is aimed at attractions, stadia, bars and other busy places
Many major attractions now have well-trained security staff and
well-placed security equipment
Many major attractions now have well-trained security staff and
well-placed security equipment Credit: shutterstock
Off the back of the success of the first round of Everyday Heritage Grants in 2022, Historic
England is funding 56 creative projects that honour the heritage of working-class England.
Universal has revealed it will be adding new Harry Potter attractions, alongside Super Nintendo
and How to Train Your Dragon worlds to its Florida resort.
Populous have unveiled their plans for a state-of-the-art e-sports arena, designed to stand as a
central landmark in Qiddaya City’s gaming and e-sports district, Saudi Arabia.
Immersive entertainment specialists, Layered Reality, is creating a tribute to Elvis Presley
featuring a concert experience with a life-sized digital Elvis.
