In Depth

Security Lessons from the UK

Europeans, and Brits specifically, handle security differently than do the Yanks. Understanding why and how can help give both sides new ideas.

By Malcolm Wheatley


It's not just that U.K. security procedures are more likely to have the resilience that comes from being battle-honed, according to Larson, but also the severity and duration of the threat has produced a more mature mind-set. "Government and industry are much more integrated in terms of formulating a response: The U.K. government has recognized the cost of poor security to its economy and infrastructure, and has partnered with industry to improve it," he says. "Attitudes in the U.S. are maturing but aren't at U.K. levels yet," he adds, pointing to a post-9/11 shift within the United States. (For example, a recent U.K. government initiative requires security personnel to be licensed. See "May I See Your License?" on Page 50.)

Mike O'Neill, a former British Army major who saw active service in Northern Ireland and the Falklands War as part of Britain's elite Parachute Regiment, and who is now head of Theale-based risk and security management consultancy Greymans, agrees. "A lot of British businesses, and especially the more London-based businesses, have been through an unending threat of terrorist action for a long time. Business continuity and crisis management has moved beyond being a security issue to being a well-understood business resilience issue: Security is just one layer of the onion. Businesses understand that the risk [of terrorist incidents] is something that they simply must address, a lesson that they've learned by taking some hard knocks," he says.

Law's Long Arm

But many of those same businesses are also pushed toward their security stances by regulatory pressures. In particular, a raft of European and British laws, regulations and accords impose security requirements that are either lacking in the United States, or are very different there.

For example, every British company, large or small, has a legal duty of care when it comes to information privacy, enshrined within the Data Protection Act of 1984 and its 1998 successor bill that stretched a single (and largely British-inspired) law of information privacy across Europe. Among its stipulations, says Dino Wilkinson, an IT lawyer at Milton Keynes-based law firm Kimbells, is the requirement that companies take "appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data."

Publicly quoted companies must also comply with the requirements of the Turnbull Report, a set of recommendations published by the Institute of Chartered Accountants in England and Wales. More than five years old, these requirements oblige such companies to follow specific recommendations in terms of approaches toward risk management (think a British version of Sarbanes-Oxley). These recommendations don't have force of law, admittedly, but compliance is handy if you want your auditors to sign off on your accounts, or to see your stock price quoted by the London Stock Exchange.
