On 8 June, 2017, the UK’s National Counter Terrorism Security Office (NaCTSO) published its 174-page Crowded Places Guidance. This comprehensive advisory report focuses on protecting crowded locations, including visitor attractions, shopping centres, sports stadia, bars, pubs and clubs, which are easily accessible to the public and could present a potential target.

This article focuses on the parts of NaCTSO’s Crowded Places Guidance that provide protective security advice to those who own, operate, manage, secure or work in visitor attractions. It’s an area where I personally have in-depth expertise, having managed security for the UK’s busiest zoo – Chester Zoo, boasting 1.9 million visitors a year – for several years before joining NW Security Group.

Rather than summarising what is an incredibly detailed and instructive document, I thought it helpful to present some of the thinking and processes that I went through during a three-year-plus period to harden security systems, plans and procedures and mitigate against key risks which were identified when I began my time in that role.

Identify assets
Much of the hard work begins with asset identification and assessment. You need to assess and prioritise all assets to be protected and then the security risks across four different parameters:
• People – staff, visitors, contractors
• Physical assets – infrastructure, buildings, etc.
• Information and data assets
• Policy and procedures

In any risk assessment you must be able to identify and rank risks based on a detailed assessment of the likelihood of a type of threat happening and the possible impact on the organisation should such an event occur.

Four key questions to ask are:
• What assets need to be protected?
• What threats and vulnerabilities are out there?
• What is the impact on the attraction if a given asset is compromised/attacked/breached?
• What existing measures, systems and equipment already aid protection of these assets, mitigating against pre-identified threats?

All threats need to be placed in order of importance and any remedial action to improve mitigation measures needs to be proportionate to the level of threat and the assets identified for protection.

Consider stakeholders
During the process of prioritising which risks to mitigate first and which to devote most resources to improving, it is worth considering key stakeholders and their priorities and concerns. So, for a visitor attraction, key stakeholders might be:
• CEO and other board directors, responsible for the reputation and wellbeing of the organisation
• IT director/IT manager, who may have to assist in preventing a cyber attack
• Marketing department, who may have to ensure they are not making information public, which could be of use for hostile reconnaissance intelligence gathering
• Security team, who are going to be pivotal to strengthening any security systems and procedures
• Health and safety management team, monitoring for slips, trips, falls and other potential injury, personal property damage or anti-social behaviour that may place staff, visitors or assets at risk
• Visitors, who may well have a part to play by remaining vigilant to surroundings and people around them that may be behaving unusually. They can be encouraged to report anything unusual, including unattended bags

When drawing up the risk assessment it is important to bear in mind that the best you can expect to do is reduce the risk to ‘as low as reasonably practicable’, while maintaining the friendly and welcoming atmosphere which is compatible with visitors enjoying a great day out.

Building a security plan
Once the risk assessment has been completed, the next step is to draw up a strategic security plan. The security plan must be simple, clear and flexible as far as is possible. It will need to detail:
• Policies, for helping staff and visitors to be security-aware and as far as possible knowledgeable about what should be done if an incident happens
• Operational change recommendations; for example, profiling of visitors by your security team, increasing patrolling levels, randomising patrol timings
• Physical change recommendations; for example, barriers, IP (internet protocol) video/digital video cameras, access control, bollards, fixed furniture, bins
• Training and awareness requirements for the security team and wider organisation
• Validation procedures, to check you have got priorities and mitigations right
• Partnership; you should be running plans through your local Counter Terrorism Security Advisor (CTSA) and other strategic partner agencies
• Review and monitoring regime; how often will the plan be checked?
• Communication and media elements, including understanding what should and what should not be communicated about your security systems, procedures and assets. For example, some information could potentially assist hostile reconnaissance operatives whereas other information should be made very public to deter hostiles from targeting your venue.

Deny, deter, detect
One key consideration is to work hard to “deny, deter and detect” hostile reconnaissance. The more your security regime can deny would-be terrorists access to reconnaissance intelligence, the less likely your venue will be subject to a major attack. Spotting them early is the first crucial step to stopping any hostile reconnaissance team from gathering useful intelligence. Thereafter, if you can demonstrate a strong security appetite by proactively indicating you’ve ‘spotted them’, and provide identification-worthy CCTV evidence to the authorities, the more likely they are to be deterred from returning.

Add to the proactive profiling of possible hostiles by communicating the effectiveness of your security systems – or, as the NaCTSO guidelines put it, deterring them by putting out the message ‘come here and you are likely to get caught’ – and you start to reduce the risk of an attack considerably.

Phased mitigation
You won’t be able to purchase and install the full shopping list of equipment and training requirements that you’ve identified in the first few months of completing the risk assessment – budgets rarely allow it.

So, if you need 200 new surveillance cameras and a new highly-secure control room, you will need to consider phasing in this work. So, is there scope to re-use a portion of the old analogue CCTV cameras for a period and bring the serviceable ones onto the network? And if there is budget for only 50 new network cameras, where exactly do those priority cameras need to be placed? The ‘top priority’ threats must be tackled first so that the biggest threats are mitigated before moving to the lesser threats as budgets and resources free up.

One valuable way to prioritise work is to attach an Operational Requirement (OR) statement to each piece of security equipment going in. Essentially, this needs to state precisely what security or other operational need this piece of equipment addresses. Each new camera has a specific purpose: one might be for perimeter security, another for animal welfare, a third for health and safety monitoring on a pedestrian thoroughfare, and so on.

It must be clear which area is covered by each camera. Further, the displacement consideration must be documented for all surveillance cameras: it’s important to understand that if a new camera is put in to cover one known area where crime is likely to be committed, that this crime may just move into a different area. Although this is a more significant concern in public space CCTV installations, displacement risk is always worth considering.

Access control
The OR process is fundamental to planning an efficient security solution and access control is no exception. Be it controlling pedestrian access to certain areas, or vehicles into the site, the principles are the same. Know who or what can go where and allocate passes to reflect this. Any access control system is only as good as the procedures and people that govern its use and a good security culture is paramount in ensuring your site remains secure.

Processes and procedures for issuing visitor and contractor passes are worthy of close attention as it is normally in these sorts of procedures and processes that vulnerabilities lie. Hostile Vehicle Mitigation (HVM) strategies are detailed in NaCTSO’s Crowded Places Guidance and I advise that they should be read carefully as this type of threat is being encouraged by terrorist groups via the internet right now, as we know all too well from recent Vehicle as a Weapon (VAW) attacks in Nice, London and New York.

VAWs, like many threats, demand defence in depth, multi-layered and overlapping security systems, processes and procedures. Retractable and fixed bollards at vehicle and pedestrian entrances, fencing, barriers, landscaping, fixed furniture, identification and pass checking, profiling, as well as well-placed CCTV and speakers to send audible alerts, can all work together to make a site as secure from a VAW as is practicable – particularly given the fact that you don’t want a visitor attraction to feel like Fort Knox.

Incident management
You need to be thoroughly drilled on the procedure to keep staff, visitors and other assets safe should an incident happen. All people on-site must know where to go and what to do in the event of a security incident. This could mean full or partial evacuation or ‘invacuation’ to a secure place either on-site or off-site.

You will want to deter any new people from entering an area where a security breach has occurred. By doing so you will reduce the risk of increasing the number of people exposed to the threat.

Alarm control points should be considered and sited where mustering points have been agreed and communicated. Methods for good communication flow must also be multi-layered so any public address can be supported by shortwave radio for security officers. Police and emergency services must be called in as early as possible to assist. Staff should be tested with regular scenario-based exercises, including desktop and practical activities.

Summary
The information and guidance discussed here allows for investigation of just some of the elements of securing a visitor attraction. It cannot be as comprehensive as the new NaTCSO guidance, which covers mitigation of many more threats than I’ve been able to cover here.

Threats are bound to be different for each attraction. Legacy security systems, range of assets, layout and size of the site and existing security personnel are all issues which need to influence your security priorities. However, the principles of good security planning and risk assessment should form a firm foundation for building a new and up-to-date security plan for any visitor attraction.