Thomas Hawkins, Assistant Manager
Indy Dhami, Partner

Introduction

In a previous blog, we explored the importance of bridging the gap between cyber and physical security within your organisation. One of the recommendations was to create joint resilience and security playbooks, the rationale being that security and resilience ultimately share interdependencies, so a failure in one area can negatively impact the other.

Since that blog was released, it has become apparent that further focus is required on raising the importance of broader corporate security alongside resilience, particularly for those operating in the financial sector, where Operational Resilience is a regulated activity.

What is corporate security?

Corporate security is an organisation’s comprehensive approach to protecting its physical, digital, and intellectual assets from various threats, both internal and external. This includes implementing policies, procedures, and technologies to safeguard sensitive information, infrastructure, and personnel, as well as ensuring compliance with relevant regulations and industry standards.

By proactively managing risks and addressing vulnerabilities, corporate security helps organisations maintain their reputation, safeguard business resilience and support long-term growth.

Corporate Security influences all important business services pillars

When discussing operational resilience, financial services organisations focus their efforts on five key pillars of important business services: People, Property, Data, Technology and Third Parties. Corporate Security permeates all of these areas, and poor maturity can lead to a breach of the impact tolerances for your important business services. To articulate this point further, there are three areas where corporate security, cyber security, and operational resilience cross over.

People are still a target for threat actors

Risk events involving an organisation's people happen frequently: according to the 2023 Data Breach Investigations Report by Verizon, 74 per cent of breaches involved a human element, which includes social engineering attacks, errors, or misuse. Alongside this, spear-phishing is already a common attack method for threat actors; however, to create a more plausible attack, a threat actor may take things a step further by gathering information on a person through social engineering or open-source intelligence (OSINT) methods.

Flawed perceptions can lead to disruptions

It is important to challenge your organisation's internal assumptions about corporate security, as it may be wrongly assumed that the linked controls are successfully managed, have transparent ownership, and are subject to testing in accordance with company procedures. This unchallenged perception can leave exploitable gaps that are only discovered when they are used to disrupt your organisation.

When discussing perception, consideration should also be given to the impact of public perception. Organisations are increasingly becoming vulnerable to negative reputational perceptions and subsequent retaliatory actions driven by social amplification through social media. These retaliatory actions can escalate to protests, vandalism or targeted attacks on your premises. In some cases, your organisation may not be the target at all; however, due to co-leasing arrangements within an office building, your organisation could still be indirectly disrupted.

Return to office challenges

In a post-pandemic world, where face-to-face interactions vary and new hires are still being virtually introduced to an organisation, a new environment has been created in which people can potentially be exploited. Staff can no longer reliably recognise who is a colleague and who is a possible threat actor, as the intuition that people had built up has diminished. This can be exploited by threat actors who may socially engineer their way to your organisation's crown jewels. The 2023 Data Breach Investigations Report by Verizon also details that 50% of all social engineering attacks are pretexting incidents, in which threat actors create a scenario, or pretext, through which to exploit victims. These types of incidents can have significant consequences for an organisation, as the exploitation that follows the initial pretext can further compromise the safety and security of staff.

Alongside this, as organisations further encourage employees back to the office, it is important that corporate security and resilience are recognised as priority focus areas for avoiding disruption.

Where do you store your critical assets?

With the evolution of working environments to a hybrid model, corporate security can be perceived as carrying a lower risk because fewer people are based in a single premises; however, this perception is ultimately flawed. Property takes into consideration not just the premises where your organisation is based and the locations it operates from, but also the storage of critical assets.

A key example of this is information assets such as your organisation's backup servers. Organisations often look to outsource the provision of backup servers to a third-party location rather than storing them on premises. This brings its own risks, for example: does your organisation know the conditions in which your servers are being stored? Do you know the exact location where your data is stored, and what physical security controls are in place to protect your servers from malicious threat actors?

Operational resilience and corporate security are disciplines which can shape an organisation

The interconnected nature of operational resilience and corporate security is a crucial aspect of an organisation's overall resilience. These two disciplines, while distinct in their focus, work together to create a comprehensive approach that ensures the organisation's stability and growth.

Operational resilience focuses on an organisation's ability to adapt and recover from disruptions, such as natural disasters, cyberattacks, or supply chain issues. It involves identifying potential risks, assessing their impact, and developing strategies to mitigate or recover from these disruptions. On the other hand, corporate security is concerned with protecting the organisation's physical, digital, and intellectual assets from threats, both internal and external.

When these two disciplines are effectively integrated, they strengthen an organisation's overall risk management strategy. For example, a robust corporate security plan can help prevent an attack that could disrupt operations, while a well-developed operational resilience strategy ensures that the organisation can quickly recover and resume normal operations in the event of a successful attack. As a result, an organisation can increase its ability to operate its important business services throughout a disruption and stay within its impact tolerances.

How can your organisation enhance its operational resilience and corporate security?

Implementing effective corporate security controls can lead to a lower risk of disruption and an improvement in your organisation's resilience, keeping your response and recovery within the impact tolerances for your Important Business Services. Here are some of the key actions your organisation can undertake to enhance its operational resilience and corporate security maturity:

  1. Establish and encourage a collaborative relationship between those responsible for security and operational resilience within your organisation.
  2. Create joint corporate security and operational resilience playbooks for responses to disruptive events.
  3. Conduct joint exercises and testing between security and operational resilience teams using relevant, realistic security scenarios.
  4. Ensure there is a consistent tone from the top for leadership as well as direct reporting lines for both corporate security and operational resilience with clear goals, strategy, and alignment ambitions.
  5. Involve the wider organisation in achieving a shared vision of corporate security and operational resilience collaboration.