Mr Carrick has over 20 years’ experience in law enforcement. In particular, he is regarded as an expert in the field of threat identification and management. In 2007, Mr Carrick was appointed the National Capability Advisor on Counter Terrorism Intelligence to the Australian Government’s National Counter Terrorism Committee, a position he held until July 2013.
Mr Carrick is also the founding director of Global Business Resilience, a boutique, independent, resilience-building consultancy firm specialising in organisational strategy.
How would you describe the external environment that Australian organisations are operating in?
Society is probably facing its most challenging and complex era yet. There are more wars – many ongoing – and they are no longer “conventional”, geographically specific and reasonably contained, but instead cross many geo-political, social, religious and ideological borders.
One significant change has been in relation to the nature of some of the groups fighting. These groups often combine radical ideology and terrorist attacks with insurgency or even conventional warfare. They may draw support from communities with legitimate political or economic grievances while getting funding through criminal activities. Some control and govern territory while claiming to want to overturn the state system. They are as much a manifestation of instability in today’s world as its cause.
In this complex and unstable environment, it is important to consider – what does this all mean for organisations, boards and directors?
Beyond the threat to nation-states, communities and individuals, how are Australian corporations and organisations specifically affected by terrorism?
Terrorism appears in many forms and manifests itself in many ways that harm every element of society, including governments, businesses and citizens. Australian organisations may be affected directly and/or indirectly, including harm occasioned to an organisation’s infrastructure as well as to its people within Australia and globally.
Cyberterrorism is also a significant concern today. Cyber attackers may infiltrate organisations’ electronic systems, with potentially crippling effects. These types of attacks may be direct, or indirect through third-party infiltration (e.g. through a digital business partner). Attacks are used, for example, to delete data and/or fraudulently appropriate funds.
In late 2014, a large European-based multinational was alerted by its Government to three significant state-sponsored attacks on its systems. The company had not previously seen itself as a likely target of a cyber attack, and it operated in a traditional industry that was not previously thought to be at risk of cyber attacks. The company had been relying on a fairly traditional security framework.
The company was lucky on this occasion and none of the attacks resulted in significant losses. The company believes that the attacker may have been interested in obtaining strategic intelligence regarding a particular sector that the company was operating in, or information on the consortium framework it belonged to for a specific project bid.
Organisations that have staff travelling overseas increase their risk profile as the organisation loses control over the work environment. Employees travel on planes and other forms of transport in locations that may have unstable social and political environments. Employees may be targeted by local criminal syndicates, or be kidnapped for ransom to extort funding from the organisation.
For example, it was recently reported that a new ISIS-affiliated group in Egypt wants to capture Western hostages. Other militant groups could also use the opportunity to abduct and sell hostages to ISIS. While this scenario is relevant to that particular geographic area, many examples are recorded annually of harm being occasioned to employees working overseas.
Insider threats should also be a real consideration for organisations, particularly given insiders’ relatively easy access to electronic systems and intellectual property. Insider attacks may lead to significant disruptions to business, reputational damage, and also impact shareholder/stakeholder confidence. Insider threat studies show that the majority of insiders that act against an organisation do not do so for terrorist or espionage purposes, but rather due to disgruntlement, revenge or criminal financial gain. However, trusted insiders can be extremely dangerous tools, as terrorists can leverage them to gain information or access premises.
The extent to which Australian corporations and organisations are affected by terrorism is related to domestic and global terror alert levels. In the current climate, organisations have to consider how to manage complex security related variables on an unparalleled level.
What should boards be doing to respond to the threat of terrorism?
Organisations and their boards have been considering the potential for a direct or indirect terror attack for almost ten years now. Many have a good understanding of certain key risk factors.
However, we continue to witness the evolving and shifting methodologies of terrorists, who are continually seeking to counter efforts by governments and industries to prepare for and prevent acts of terrorism, respond when faced with a threat, and ensure detailed and tested recovery capabilities. As a result, we are seeing far more pervasive adversaries who seek to identify and exploit the weakest points in our defences. It stands to reason that weaknesses in organisations’ security systems have been and will continue to be exploited.
It is therefore imperative for boards to consider future focused resilience strategies. A broad focus is critical – both on long-term and sometimes unseen or unknown threats requiring a more strategic approach, as well as on existing and near term threats requiring immediate consideration and action. A risk strategy also needs to address both direct and indirect threats. Basically, boards need to help create organisational resilience to deal with fast moving and ever changing threat dynamics on a global, regional and local scale. This will help organisations to best ensure their long-term sustainability and growth.
Should organisations consider building security competencies at the executive and/or board levels?
This is an interesting question, and there has been widespread discussion about board competencies across many areas including IT and security. A board should either have on the board, or maintain access to, people with appropriate security competencies to help inform strategic risk assessments.
In terms of the executive level of organisations, we are already seeing a growing number of chief risk officers. This is a sign of the increased level of awareness and importance that boards and organisations are placing on maintaining clear and robust risk management processes.
So, in answering your question, I believe that organisations should maintain the capability to prepare, plan, respond and recover as a normal operational function. The organisational positioning of this capability will be affected by the size, profile and operating environment of the organisation. It is clear that the world currently has one of the most tumultuous environments ever witnessed. With the increasing globalisation of business, and uncertain political, social and economic environment, the need for organisational resilience should be a standing agenda item for boards and executives.