While enjoying a temperate January morning in Mumbai, we sat occupying a 5th floor conference room in our firm's offices, taking in an unobstructed view of the lush business park and the chaotic street traffic below. The day's business at hand involved final planning and execution of an all-hazards security and emergency readiness review for our U.S.-based employer’s Indian insurance and financial services operation. Because the business resides on multiple non-contiguous floors across several buildings, we anticipated challenges and were likely to encounter substantive findings. Local senior management in Mumbai had invited the four of us, a corporate security team consisting of security directors representing both New York headquarters and our Hong Kong regional office, to visit in order to assess existing security and to conduct awareness training. Because local Indian management sponsored our week-long visit, we were very desirous of delivering a quality product.
As we sat with our colleagues, drinking very strong tea in extremely small cups, our attention was drawn away from the security documents and plans to the immediate observation that vehicles of all sorts—taxis, private cars, buses, and motor scooters—were freely entering the office park. Although guards were posted and sliding gates were present, automobiles careened from the adjacent busy street undeterred through the open gates and made a beeline for the first of the park's detached mid-rise buildings. This observation reinforced our belief that any security recommendations would need to be sound and also in line with the realities of doing business in India. We knew that our security recommendations must not contradict the local culture. If we did, we would lose credibility with our local sponsors.
Confronting Deteriorating Security Head-on
We arrived in early 2008 with the mission of carrying out a multi-faceted security program in support of our global employer's local businesses. Key deliverables included conducting a security conference for senior and mid-level management, assessing executive residential security, reviewing office physical security, and training executive drivers in security tactics. Driving our visit and work program was the company’s rapid growth across India, with new office expansions and significant hiring underway.
But Western businesses expanding across India today, must also confront head-on diminishing security. The most prevalent security issues facing businesses operating in India are terrorism, crime, and emergency preparedness. Confronting these external threat factors will allow security professionals to consider appropriate countermeasures. While highlighting the current landscape across these and other categories of security concern, we will cite our team's experiences during our visit last year and note some challenges we encountered. We will also suggest key India security program elements for your consideration. Finally, we will share our cultural insights to assist other security professionals in achieving successful risk mitigation.
Terrorism. Currently, the most severe threat to organizations operating in India remains terrorism. In November of last year, Mumbai's security climate saturated worldwide media coverage when jihadists launched an organized series of commando attacks against civilian targets such as a train station, a Jewish center, and two luxury hotels. Hostages were taken, with terrorists intent on targeting Westerners. The Indian government reacted by storming the hotels held under siege, eventually routing the perpetrators. Terrorists had previously demonstrated their desire to target large numbers of people with near-simultaneous attacks in the heart of the capital, New Delhi, in September 2008. Following those horrendous bombings, attacks occurred in the militant-ridden northeastern portion of the country, with a wave of explosions striking crowded public places. Even more recently, reports describe attempted attacks on transportation, communications hubs, and authorities, some attributed to the Islamist militant threat and others to Maoist rebels.
In this climate, some travelers to India are reluctant to stay in Western-style hotels. We suggest travelers reside in corporate housing, if available, as an alternative. Visitors to India need to be cautious in the vicinity of key government locations and tourist sites and when attending public events such as religious and sporting events. Special attention should be given in hotels, airports, shopping malls, and markets. Westerners should avoid public transportation. Take note of calendar dates representing national significance, such as Republic Day on January 26, Independence Day on August 15, and Ramadan throughout the late summer. Terrorists have used such occasions to mount attacks. It is wise to refrain from taking pictures of Indian Government facilities, train stations, airports, power plants, or other potentially sensitive sites, as photography may be viewed as hostile in nature by locals.
Terrorist targets are often public in nature, and therefore the attacks are seemingly indiscriminate. Yet, as was experienced in the Mumbai attacks, Westerners, specifically American and British passport holders, were singled out by the assailants. During our visit, we learned that security professionals are concerned future terrorist attacks will target Western business. Our employer's American-branded company name served to potentially raise its profile in a negative manner. Signage and local common knowledge served to readily identify the firm with Wall Street. To mitigate these risks, some companies operating in India partner with local firms and utilize local corporate names, thereby attracting less hostile attention.
In response to this terrorist threat posture we conducted a detailed site review of our company's Mumbai location, evaluating items to include stand-off perimeter protection, structural design (blast protection), guard postings, procedural security, and video surveillance. Among our findings we noted that the British-era grounds included a 7-foot-high perimeter wall, but trees had been allowed to grow over this barrier, easily allowing a would-be intruder access by simply dropping off a limb. Shrubs also allowed concealment opportunities and could offer an opportune place for an improvised explosive device. We discussed this threat with the property management and raised their awareness to the vulnerability. They reaffirmed guard force roving patrols at the perimeter as a solution.
To address physical security concerns, we made recommendations to management to deploy a "Concentric Rings of Security Model." This methodology centers on redundant security measures designed to defeat intrusions or attacks. Security managers may deter terrorist targeting through the use of adequate stand-off perimeter protection and tight access control. Satisfactory perimeter dusk-to-dawn lighting, guard posts, and vehicular control should also be considered. Interior security may be heightened through conducting fluid security applications (such as avoiding routine and thus predictable security officer shift change schedules), which serves to confuse terrorist planning. We believe that this approach matches well with the precise terrorist modus operandi in India, as intense hostile surveillance precedes attempted attacks. Alert security personnel may detect preoperational surveillance and disrupt the attack cycle.
We stressed to our Indian colleagues the importance of staying abreast of the current threat climate by developing local security intelligence. Monitoring the local news, being engaged with private and public sector sources of information, and remaining attentive to government warnings promote understanding of a fluid risk environment.
Accounting for employee whereabouts and status is critical in the aftermath of a terrorist attacks. Due to the frequency of attacks in India, this is a recurring concern. Private sector intelligence and security firms offer useful services which alert security management to terrorist events in India. Security, in turn, coordinates with their Business Continuity and Disaster Recovery counterparts to determine if there is any negative impact to employees or operations. The emergency notification process is enhanced when firms possess the ability to communicate quickly with employees and management. Tools such as automated access control and visitor management software are helpful in providing data of building occupants whereabouts in the aftermath of an event. Mass notification software and calling trees are also recommended to communicate to employees during emergencies. It is imperative that Western businesses possess developed and exercised continuity plans addressing remote work sites and work from home scenarios.