Chris Phillips is Head of Physical Security Consulting at 2-sec. He is one of the most experienced physical and cyber security consultants in the world. He specializes in giving strategic counter terrorism advice and best practice to “at risk” companies, individuals and governments.
Chris started his security career as a police officer, and gained hands-on knowledge of event and business security at some very high-profile government and sporting events in the 1980s and 90s. During the last seven years of his service Chris was Head of the National Counter Terrorism Security Office. Whilst he was there, he was asked to devise and develop protective security for businesses against the new and developing threat of terrorism. After he left the police, Chris founded and continues to manage the International Project and Prepare Security Office (IPPSO).
As Head of Physical Security Consulting at 2-sec, Chris advises on physical security assessments and penetration testing exercises for UK businesses. His experience includes covert surveillance of premises and simulating what a real criminal would be doing in order to gain access to offices and information, and his team can bypass a company's security to do something as innocuous as helping themselves to a cup of tea, through to full access to accounting filing systems and company records.
In his most recent media interview for Sky TV, Chris was asked his views on the recent news that the UK Government is preparing to grant police extra powers to force internet firms to hand over details that could help identify terrorists.
He comments, “By the time a terrorist decides to attack someone, it's usually already far too late. We actually need communities to pick up people that are turning themselves into terrorists before it gets to the stage of an attack. The police have warned us that they cannot face the threat of terrorism without help from UK businesses. This year the police have made 271 arrests following counter-terrorism investigations and have foiled up to five suspected terrorist plots. As a result of this and other information, the nationwide terror threat level in the UK has been raised from substantial to severe, meaning a terrorist attack is highly likely. The police need vigilance from the general public and businesses need to be educated on how to keep themselves and their communities safe”.
What can UK businesses do? According to the police they need to be “vigilant and report suspicious activity” and check that their security measures are “effective”.
Chris also commented, “As well as effective physical security measures, it is also vitally important that businesses understand that modern terrorists are sophisticated hackers and can target data through advanced online cyber-attacks. It was reported as far back as 1991 that through the internet, terrorists have the ability to create a national security disaster by attacking the critical infrastructure of a country, such as the electric grid, transportation hubs, military computer networks, or private sector targets such as financial institutions.”
The increased threat of cyber terrorism comes at a time when the UK privacy watchdog the Information Commissioner’s Office (ICO) has fined companies £2.17 million over the past 22 months for failing to prevent the personal data they hold being accidentally or deliberately compromised (i.e. the seventh principle of the Data Protection Act).
It seems that many UK businesses are neglecting cyber security basics and failing to secure their data effectively. Fundamentally, some fail to understand the increasing threat and sophistication of cyber-attacks and the possibility of terrorists being interested in their company and customers’ details.
According to the report by the ICO, the main reason for data breaches was employee error or negligence, which betrays a lack of staff awareness and training. One third (32%) of all incidents were due to personal or sensitive data being inappropriately disclosed or sent to the wrong recipient. The report was unable to break down the results according to company size, but councils were responsible for 33% of all the fines imposed, and the healthcare and justice industries received the biggest fines.
We asked Chris about this threat of cyber terrorism, and the impact of the ICO report.
“The fact that the majority of these fines were down to employee negligence is not surprising at all. In my experience many small firms don’t recognise that their business and information is just as attractive to cyber criminals as bigger firms. Often, to a hacker, the easiest way to get into the global companies is to target a small business, which is the weakest point in the chain, and from that point it is straightforward for them to follow that lead back up to the biggest organisations. One of the most important ways to improve a business’ physical and cyber security is employee awareness training.
One simple technique that cyber criminals use to gain access to company data is “social engineering”, which is basically the skill of manipulating a person to give up confidential information. One simple way of doing this is calling the target company, pretending to be IT support and asking for the employee’s passwords and login details to fix a bogus problem. It’s been done, it’s widespread and the general public need to be educated as to how these criminals work”.
Criminal hackers rely on the fact that people are not aware of the value of the information they possess and are careless about defending this data against attacks. The ICO report highlights the fact that UK businesses desperately need to educate themselves and their employees about the current high threat level, and how to protect themselves, both physically and online.
Chris Phillips is THE expert in physical security in the UK – he embraces a holistic view of security and is one of the people best-placed to advise any client on how to counter threats and protect assets.
If you would like to speak to Chris and his team about physical security and penetration testing exercises, please contact us on 0844 502 2066 or email contact@2-sec.com