Skip to content
Illustration of a black eye with a radar in the pupil in the middle of a hurricane with red background. Criminals take advantage of distractions like extreme weather.

Illustration by Michael Austin

Keep Ahead of Crises by Planning for Complex Scenarios

During a crisis or major event it can be easy to focus on the matter at hand. But malicious actors often seek such distractions to use them to their advantage, so security professionals need to think critically about their vulnerabilities to limit opportunities for harm.

Many organizations have gone to great lengths to secure their facilities, whether that is a single building or an entire compound. But as adversaries’ capabilities advance and attack planning cycles accelerate due to the increased availability of open-source information, the days when an organization’s physical security program started at the perimeter fence are behind us.

This new era requires security programs and initiatives that prevail both inside and outside of the perimeter. Security professionals need to think like an adversary, constantly envisioning how a current event—whether planned or unplanned—could be used to an attacker’s advantage.

The traditional layered approach to physical security is a combination of the perimeter, external structure measures, and internal building measures. This involves identifying the sector and regional risks, designing and incorporating appropriate security measures for each layer, arranging for contract guard services, implementing standard operating procedures (SOPs), and exercising plans on a regular basis. Some security programs also use advanced countermeasures and technology, including drones.

Outside the perimeter, certain security initiatives can be implemented to provide an expanded, layered approach to security. Proactive security professionals leverage extensive intelligence networks, and—in some cases—these include confidential informants. Further capitalizing on threat intelligence, security leaders have engaged with regional fusion centers and benefited from industry and law enforcement organizations that share threat intelligence and situational awareness information.

Security leaders take the time to educate their teams through awareness programs, such as the U.S. Department of Homeland Security’s “See Something, Say Something” campaign, and communicate good practices to staff, contractors, and businesses and organizations in the area. The more individuals who provide natural surveillance and report any suspicious activity, the greater the likelihood of thwarting an attack. And while these measures help with day-to-day security, they can also come in handy during atypical times.

An initial attack or unusual event may simply be utilized as a diversionary tactic in which the main attack will occur at a different breach point.

Around the globe, natural disasters regularly disrupt operations, whether they occur with little forewarning—like derechos, earthquakes, or tornados—or advance notice, including hurricanes or typhoons. Critical incidents have similar divisions: human-caused accidents like train derailments or incident-triggered civil unrest can be unexpected, while other events like parades, sporting events, or festivals can be planned months ahead of time.

Any of these events can impact staffing, disrupt public works, and impact the availability of first responders. If an organization is not prepared, these changes provide bad actors with the opportunity to take advantage of distractions to possibly gain access to a facility. Criminals may seek to steal products if the opportunity is right, or may take advantage of an event to conduct an orchestrated theft of intellectual property. On a larger scale, ideology-driven violent extremists are committed to disrupting and crippling critical infrastructure for their cause, and a major event often sparks concern that threat actors will attack during the confusion.

“During an unusual event or critical incident that impacts a facility, it is the perfect time for an enemy to accelerate their planning process and launch an intrusion or attack,” says Brad Baker, a retired federal supervisory special agent and current security consultant. Baker has conducted physical security assessments and training for federal and private facilities worldwide. “An initial attack or unusual event may simply be utilized as a diversionary tactic in which the main attack will occur at a different breach point. It is imperative that security forces remain vigilant and be prepared for bad actors—whose mission is to take advantage of the current situation—to launch a follow-on attack.”

To maintain a heightened level of awareness, security professionals may find themselves reviewing daily weather forecasts to understand what events could impact their facility and community. Weather-related events can wreak havoc on critical infrastructure and associated facilities. Beyond that impact, incidents can stress security assignments and create an unusually high workload for the community’s first responders and public works services. There is also significant stress associated with disruptions to employees’ personal lives. This is often overlooked, but it should be addressed through family assistance programs or other means to allow employees to focus on their work.

To map out where an organization can boost its preparedness, consider four scenarios.

Unexpected weather. Your hypothetical facility has been affected by an unexpected thunderstorm. Torrential rain saturates the ground, accompanied by lightning, which interferes with your buried perimeter detection systems. The wind-driven rain limits the visibility of your external security cameras. Facility guards are still required to complete their patrol rounds, whether this is a walking route or one that can be done using a vehicle, but their visibility and comfort level are compromised. In addition, your facility might experience power or communications outages that—without a backup power source—can render some security countermeasures ineffective.

Meanwhile, a bad actor may see this as an excellent opportunity to execute an intrusion or attack, banking on the storm impacting your security plans.

From a security continuity perspective, how can you mitigate the potential effect of this situation? Consider installing a backup generator or microgrid and ensure all security systems are prioritized to be fed from this alternate power source. For mobile communications, do not rely on a single carrier. Instead, have devices or mobile hotspots available from an alternative carrier.


Your security plan should include a section or annex that outlines any revised SOPs for these types of situations, Baker says. This includes various mandates: call in extra personnel to increase guard levels; order activated perimeter patrols to ensure that intruders have not accessed the grounds; or lock down some entrances so that personnel can focus on securing a reduced number of ingress points.

Consider what steps adversaries could use to take advantage of the event, and then your team should develop processes that would counter a malicious actor’s potential actions.

Expected weather. You are the security leader for an organization with facilities across the United States, some of which are in a hurricane-prone area. A large tropical storm is forming, and it is expected to remain a tropical storm with winds of less than 70 miles per hour. One of your coastal facilities is in its path, so a decision is made to provide additional support by sending security personnel from your inland facilities. Your public information officer announces this decision on social media to show your organization’s response to the event, so the movement of security staff is now open knowledge.

Bad actors who have been surveilling your organization see this announcement and realize that your inland facilities will have temporary security personnel shortages. They also determine through research, open-source information, and their own surveillance that your organization has not invested in state-of-the-art countermeasures and is very dependent on a security force to monitor and control facility access. Their interest is piqued by your research and development (R&D) laboratory at one inland facility. Your organization is about to beta test a new chemical mixture and manufacturing process, and one of the bad actors determines that this intellectual property could be a valuable target.

By thinking like an adversary, you understand that because of the reduction in security staffing and the lack of in-depth countermeasures, your inland facilities will be more exposed to an intrusion. After an employee—who has embraced the “See Something, Say Something” initiative—reported someone parked down the street taking pictures of your facility, your concern is heightened further.

The facility security plan in this case cannot be focused solely on just one facility because the sites in the storm’s path justifiably need more staff. But the annex in your security plan should emphasize that due to the R&D lab’s risk profile, this facility should provide fewer personnel to the coastal facility than other sites. With the staff that does remain, the SOP annex should address the implementation of extended hours—including overtime pay—for the security staff. Consider having a pre-approved, vetted vendor on call to supplement some of your staffing needs with mobile video surveillance and camera monitoring or alarm verification services.

“It is critical that security leaders have established, vetted suppliers long before a storm, natural disaster, or civil unrest to support them,” says Marc Bognar, CPP, a security consultant with 40 years of experience in security services.

“As the storm or civil unrest is bearing down, it is often too late as suppliers will already have committed their resources, and any remaining resources will be very costly and could prove unreliable. Make sure you vet your intended supplier well in advance of the potential need to ensure they meet your insurance, state, and local licensing requirements,” adds Bognar, who has planned and executed multiple security team deployments during natural disasters, civil disturbances, and other crises.

“Do your due diligence to ensure they really have a plan and the resources to support you,” he continues. “Keep in mind that their local employees will also be impacted by a natural disaster and may struggle to support your needs. Having a plan to bring employees from outside of the impacted area is a good approach, but requires you to vet how they will house, feed, and transport employees. Although some jurisdictions will waive local licensing requirements during a natural disaster, provided the employees are similarly licensed in another jurisdiction, such a decision or declaration can take time.”

Planned event. In honor of a national holiday, your city announced a three-day celebration and a parade eight weeks from today. City officials expect huge crowds during each day of this festivity, and the parade route will feature entertainment and street vendors.

In reviewing the parade schedule, you identify that more than a dozen street vendor tents will be set up along Main Street, which runs along the south side of your building. A concert stage will be in the park across from your building, and the two streets on the east and west of your facility will be closed at their intersections with Main Street, although parking will still be permitted up to the road closure signs. Due to several bridge and road projects—which will not be completed in time for the parade—traffic is expected to be congested.

A lone actor or criminal enterprise in your proximity may see this as an opportunity to conduct surveillance or execute an attack. They could rent a vendor space and sell a product or craft from the front of the tent while they utilize the back to plot and launch their activity. They know that the concert performers across the street will create loud music, which could drown out any noise from saws and drills, and the ensuing light shows will complicate the field of view for security personnel who are monitoring cameras. The crowds themselves, along with the parade, will provide escape cover and ultimately affect police response times if the criminals’ activities are discovered.

Luckily for your organization, you think like an adversary and have an annex in place to address all of this. Since you have a few months to prepare and exercise your plan, you will be ready, no matter what these bad actors have in mind.

As the storm or civil unrest is bearing down, it is often too late as suppliers will already have committed their resources.

As Bognar suggests, you have vetted and secured extra security staff that will be in place several days prior to, during, and after the parade. Earlier in the year, you conducted a tabletop exercise that included the regional representative from your vetted security contractor, so the group is familiar with your plans and SOPs.

Your annex identifies a revised video monitoring schedule so that each member of the monitoring staff views a reduced number of cameras. This enables them to become intimately familiar with every aspect of their assigned camera views, which means they can detect anomalies faster.

All building accent lighting hardware will be cleaned or replaced to ensure the best possible lighting. All ground floor windows have been reinforced, and you have limited building traffic by requesting that personnel work from home if they can during the days of the event.

Because you have already partnered with the regional fusion center, you solicit any relevant intelligence and suspicious activity reports (SARs) and share that information with your security staff.

You work with the city planning department to create a space between your building and the vendor’s tents, and you get approval to have jersey barriers placed at the back of the vendor tents. This move protects pedestrians on the sidewalk and restricts access to these tents to the front only, facing away from your building. You also work with the city to have it restrict all parking along the north side of your building, convincing officials to instead use this open street parking to position first responder vehicles.

Unplanned critical incident. An event—from a fuel price hike to an incident of violence—triggers civil unrest, and thousands take to the streets in defiance of curfews and police orders. Some bad actors within the large crowds are looking for every opportunity to damage property, interrupt commerce, and congest traffic while they protest. They have taken to social media and threatened to firebomb businesses in the area. Unfortunately, your building is next to the news station, which has been targeted by protesters in the past. Law enforcement is caught off-guard by the speed, size, and intensity of the protests, so it has diverted all of its nearby resources to this incident.

Your building is set back from the road and has two parking lots between the facility and the news station. One parking area is closer to the building, and the other connects through several brick walkways. Due to the essential services that you provide to the community, your building needs to remain open.

Your SOP annex for this type of situation has been prepared using industry best practices, and it has been exercised and validated. Upon learning of the protests, your security team immediately activates the annex. The front entrance near the news station is closed, and signs are posted directing visitors to the rear parking lot entrance, which you have fully staffed. Removeable driveway bollards are put into place, closing the parking lot closest to the building. The design of your landscaping—utilizing decorative rock walls, strategically placed trees, and water gardens in accordance with crime prevention through environmental design (CPTED) principles—makes it virtually impossible to drive a vehicle near the building. All deliveries to the property have been canceled until further notice.

Your lobby staff, which now includes a security guard, is protected by bullet-resistant acrylic. The steel-reinforced, magnetically locked doors leading from the lobby into the rest of the facility are in lockdown mode, and public access is restricted to the lobby. All meetings that involve non-personnel at the facility have been canceled. All these procedures limit the number of people entering the facility while narrowing points of access to enable more effective controls.

It is difficult to quantify deterrence, and you might never know if the measures taken have stopped an intrusion. A bad actor may show up at a facility prepared to attempt access, only to observe that the security team is one step ahead and his or her chances of success seem extremely limited. Security’s unsung success may cause people to question why the extra efforts were necessary, but security teams should not be deterred from staying vigilant. 

Anthony Hurley, CPP, PCI, PSP, is a partner and consultant with Critical Preparedness, LLC, specializing in security management and emergency management assignments. He has worked with critical infrastructure, government, territorial, and tribal clients across the United States and internationally. He retired from a Fortune 200 company as a member of executive council. He is a FEMA Master Exercise Practitioner (MEP) and a fellow at the Institute of Strategic Risk Management.