Skip to content

Illustration by Security Management; iStock

American Companies Missing Half of All Threats, but Downplaying Risks

Threats to private sector organizations abound—exacerbated by persistent political, social, and economic issues—but U.S. companies aren’t keeping up. By the end of 2022, 26 percent of executives at American companies anticipate they will miss at least 51 percent of threats, and another 31 percent guessed that they will miss between 26 and 50 percent of threats before they cause harm or damage, according to the 2022 Mid-Year Outlook State of Protective Intelligence Report from the Ontic Center for Protective Intelligence.

Across the board, Ontic has observed that “threats are rising and expanding across many categories,” says Chuck Randolph, executive director of strategic intelligence at Ontic. “Risk events are often related to backlash related to rising extremism, social and political issues, healthcare protocols, and COVID-19 vaccination requirements, as well as insider threats—some of which emanate from both cyber and physical security incidents.”

The report surveyed 400 C-suite level leaders at U.S. companies with more than 5,000 employees, specifically focusing on respondents with cybersecurity, HR, legal, or physical security responsibilities. These four departments are often assessing and investigating the same threats independently of each other, but with different lenses and priorities. While these functions are consolidating, there are still significant hurdles facing companies attempting to build a unified threat management system, including the volume of threats, lack of data sharing, and poor communication, the report found.

The survey data showed that about half of respondents said 51 percent or more of threats that disrupted business continuity resulting in harm or death at their company in 2022 could have been avoided if physical security, HR, cybersecurity/IT, and legal and compliance shared and viewed the same intelligence in a unified platform.

“When all functions responsible for protecting an enterprise are viewing the same data, and teams are on the same page and communicating regarding their various investigations and threats assessments, not only can efficiencies be realized—but opportunities for confusion decrease,” Randolph says. “Holistic data analysis can provide deeper visibility, enable faster decision-making, and generate clear communications across the company when it is most critically needed.

“As our study found, when various teams such as IT, HR, and legal have an overlapping interest in the same issues, yet operate independently, they fail to connect valuable information—and the opportunity to generate critical intelligence is lost,” he continues.

What Counts as a Threat?

Despite the benefits of a unified threat assessment approach, executives often define threats in different ways. While two-thirds of physical security, cybersecurity, and legal executives selected “hostile written, verbal, or physical actions with the potential to compromise individuals’ mental or physical well-being at the workplace or on duty” as their primary definition of a threat, two-thirds of HR professionals selected four out of the six definitions provided, indicating “that they define threats across an organization in broad and diverse ways, and align and overlap with multiple colleagues’ functions.”

These definitions included the typical “hospital written, verbal, or physical actions,” as well as “actions or events that compromise company adherence to regulations and laws,” “negative actions that compromise the security of your company’s IT and network systems,” and “extreme weather events that compromise the safety and integrity of infrastructure, including buildings, facilities, and working conditions for executives and employees.”

HR was also the only function where a majority (58 percent) also selected “extreme rhetoric, hate speech on social media, in writing, or conversation” as a threat definition.

“The rise in extreme rhetoric and hate speech, whether on social media or elsewhere, should be something that all security leaders are focused on,” Randolph says. “We have seen time and time again, as we did with the Uvalde shooter and others, that such postings can signal a pathway to violence. Security professionals should be advocating for connecting the monitoring of social platforms—some of which may reside with a company’s marketing team—to the data and intelligence that security, HR, IT, and legal are receiving.”

The least cited definition of a threat faced by U.S. businesses was geopolitical risks, the report found. While 48 percent of respondents said they experience between three to 10 geopolitical threats to their business every year, only 24 percent of physical security, 17 percent of HR, 23 percent of cybersecurity, and 26 percent of legal professionals said they are included in their business’s definition of threats and business risks.

“Threats directly or indirectly from geopolitical issues will continue to affect corporations,” Randolph says. “Supply chain disruption, IP theft, travel security concerns, employee safety, and directed threats to executives are among the effects that security organizations must contend with from world events. Customers increasingly expect company leaders to have a position on arising issues, meaning they will likely face (at times extreme) objections from part of their base, sometimes manifesting into real threats.

“From Russia and Ukraine to China and Taiwan, the fallout from geopolitical issues also signifies the continued need to focus on monitoring issues such as insider threats, cybersecurity, information security, and corporate espionage,” he continues.

Primary Physical Security Program Concerns

The change in work arrangements due to the COVID-19 pandemic have shifted security professionals’ priorities when it comes to threat management. According to the Ontic report, respondents’ top physical security concerns for the rest of 2022 are:

  • Keeping employees safe as they return to the office (37 percent)

  • The increased volume of threat data (34 percent)

  • Increased pressure to identify potential threats to save the company money and reduce liabilities (34 percent)

  • Management is predominantly focused on global risk and supply chain security issues, so mitigating location-specific physical threats is not a priority (32 percent)

  • Keeping employees safe as they work remotely (32 percent)

  • Increased physical attacks and company backlash related to geopolitical, activism, and social issues (31 percent)

  • Threat data is held in different departmental silos and not shared, so it is difficult to effectively manage the volume of threat data across the company (30 percent)

  • Cyber-related insider threats that also share physical security implications (30 percent)

  • Protecting our CEO and senior executives from harm when working from their private residence or while traveling (29 percent)

  • Identifying employees with extremist views and mental health issues (28 percent)

  • COVID variant spikes and their impact on employee mental health (27 percent)

  • Potential threats from former employees (27 percent)

  • Leadership is predominantly focused on cybersecurity and believes it does not strongly tie to physical security risks (26 percent)

  • Preventing an active shooter event at one of your locations (26 percent)

  • Increased physical threats to my CEO and senior executives and company posted on social media (22 percent)

Even though senior leadership may be focused on global threats and issues, the local challenges remain.

“Security professionals responsible for mitigating and managing threats at the local level may be challenged to secure resources and maintain focus if management is prioritizing global risk and supply chain issues,” Randolph says. “That doesn’t mean local security issues become less important—but rather it puts more of a burden on those security teams who are already overwhelmed with the increase in their domestic threat volume.”

This can include direct threats to a person or a facility. In 2022, a lack of data sharing functionality resulted in significant incidents at many companies surveyed.

For 38 percent of respondents, an employee was threatened or harmed while working at the company’s facilities. For 35 percent, an insider abused authorized cyber access, leading to property theft or supply chain damage. For 34 percent, a former employee threatened or harmed a current employee. And for 31 percent, an employee was threatened or harmed while working remotely.

“The actions companies take in the wake of threats and violence can have a lasting impact on culture, morale, behaviors, and keeping all safe in the future,” the report said. “While more needs to be done more consistently at businesses, 63 percent of those who had one of the above such incidents said after an employee was threatened and/or harmed at one of its locations or while working remotely, their company reassessed and revised their existing threat assessment management team or something similar to eliminate vulnerable gaps. Sixty-two percent implemented a threat assessment management team or something similar for the first time as well as active shooter training exercises. Staff was trained in how to Stop the Bleed (39 percent), additional security personnel were hired at the location (35 percent), and 5 percent closed the location altogether.”

Corporate Stances—Silent or Spoken—Tied to Growing Threats

At the start of 2022, only 12 percent of physical security executives thought COVID-19 recovery and its effect on office structures would be among their biggest challenges this year, the 2022 State of Protective Intelligence Report found. By the halfway mark this year, though, 62 percent of security leaders said COVID-19 and health protocols are among their top issues, driven by vaccine and testing requirements at their organization. The polarizing nature of these decisions makes them a security threat.

“Awareness at companies around the potential for backlash no matter what position leaders take persists, driven partly by COVID-19, which continues to be a polarizing issue,” Randolph says. “This risk drives home how critical common operating data and intelligence are but also underscores creating cross-functional teams so that, for example, public relations can alert security, Human Resources, IT, and legal when it is aware of future CEO communications internally and externally regarding topics that have the potential to be controversial.”

And COVID-19 isn’t the only divisive issue on the table.

Diversity, equity, and inclusion (DE&I) issues resulted in threats to 33 percent of the companies surveyed in mid-2022, with 79 percent of threats occurring because their company or CEO expressed support for racial diversity and/or LBGTQ+ communities. But staying quiet doesn’t always help—22 percent said threats occurred because support was not expressed by their company or CEO.

Other issues resulting in threats to American businesses? Return to office mandates (28 percent), permanent hybrid work (25 percent), sustainability and climate change (21 percent), the war in Ukraine (16 percent), gun control issues (16 percent), and abortion rights (9 percent).

“Companies shouldn’t narrowly view risk but openly discuss threats within a hub of strategic partners focusing on shared risks, priorities, and requirements,” Randolph adds. “A complete understanding of a threat landscape means more collective leadership, threat management, and communications, which empowers company executives to make risk-based decisions based on a more informed picture.”

Culture of Security vs. Culture of Fear

While 84 percent of survey respondents agree that their company’s physical and cybersecurity, HR, and legal professionals have been adequately training to assess threats—including reporting erratic behavior or warning signs that could lead to workplace violence—64 percent agree that employees overall do not report erratic or violent behavior in a timely manner.

Nearly two-thirds of respondents said that their company is downplaying risk to emulate a safe environment, and as such 54 percent of respondents do not have a mechanism in place to let employee anonymously report issues. Instead, 43 percent rely on employees to come forward and report issues, whether they are working remotely or on company premises.

Remote and hybrid work is further complicating workplace violence prevention training and programs. Thirty-five percent of respondents say they provide training for workplace violence from time to time but don’t have a formal program in place, and 33 percent say workplace violence training is not a priority for their company since most employees are not working on-site full-time.

“At the same level, one-third of respondents say their company believes that workplace violence training may create a culture of fear, wants to take a reactive strategy and does not see the ultimate risk to business continuity by inaction,” according to the 2022 Mid-Year Outlook State of Protective Intelligence Report.

“One quarter (25 percent) say their company does not believe it will be a target for significant physical harm and does not value employee training and preparedness for dealing with such crises, while 21 percent say their company has never addressed the potential for workplace violence and employees would not know what to do if an active shooter was at their facilities,” the report said. “On a positive note, however, 39 percent of those surveyed said they have an active shooter/active assailant plan in place and employees receive regular training.”