Private businesses are increasingly exposed to new and more security threats. Both in Denmark and abroad, the threat picture is dynamic and complex, and further complicated by technological developments that have increased the vulnerability of companies.
These security threats are many-sided and include industrial espionage, financial and organised crime, bribery and corruption as well as terrorism and political extremism. Relatedly, criminal methods also vary, ranging from sabotage, kidnappings and other forms of physical attacks, to IT-crime and cyber-attacks.
This development has resulted in a growing focus on corporate risk management and duty of care in the security realm also bringing renewed attention to the security measures that businesses implement to eliminate or reduce security risks, and thereby protect their assets, activities, employees and reputation.
Nonetheless, no matter how many efforts are introduced and how much money is invested in security solutions, a private business will never be able to eliminate all security risks. There will always be residual risks, and all businesses are eventually affected by a security incident, which may cause significant losses and damages to the individual business.
It is however possible to limit potential financial losses and other recovery costs stemming from security incidents. These opportunities are highly correlated with the business being well-prepared and having a well-functioning crisis management system.
For the last four years, CERTA has advised and supported both Danish and foreign private businesses in building and developing their emergency preparedness and crisis management systems related to security.
CERTA’s consultancy services are led by experienced analysts and advisors who have worked with emergency preparedness and crisis management in the Danish security and intelligence apparatus.
The purpose of assistance is to ensure that the business in question:
Moreover, CERTA will support each business in the planning and implementation stages of:
CERTA also offers advice and support for the business’ crisis management team in the event of an actual security incident.
Having an effective and well-functioning crisis management plan depends on carrying out dilemma-based crisis management exercises at regular intervals.
The purpose of these exercises is to test the crisis management organisation of a business in order to ensure that:
Because the business itself participates in the exercise, it typically requires external support to plan, carry out and evaluate the exercise in cooperation with the business. CERTA’s assistance is based on the following principles:
The exercise is tailored to each individual business and rooted in the threat and risk assessments for that business. It also takes into account any existing contingency plans.
The purpose of the exercise is to highlight how a series of actual dilemmas are handled by the crisis management system of the business. The exercise will train all participants in their own roles as well as test the implementation of existing plans. It will also allow for collection of feedback and experiences which can be directed towards optimising the existing crisis management set-up.
The exercise is led by an “exercise-leader” from CERTA, who is supported by a CERTA response-cell and takes direction from a predetermined playbook. The playbook includes a variety of relevant security incidents in parallel tracks that are to be handled. The playbook will be the product of dialogue and cooperation between CERTA and representatives of the business in question.
The following attributes will be trained and developed as part of a crisis management exercise:
The exercise will be evaluated in order to identify and report on any shortcomings and lessons learned. The exercise will also result in a report to be written after the completion of the exercise, that summarises lessons learned as well as recommendations for optimisation of the crisis management organisation in the business. The report will be presented to and discussed with the senior management of the business approximately two weeks after the exercise so the business can make the necessary adjustments and thereby strengthen its crisis management capacity. CERTA can at this stage support the business in implementing the recommendations as far as desired.
The exercise itself will be carried out in the location designated by the business, and there will only be access to those resources that would be available in a true security incident. The exercise can be carried out in Danish or in English.