Security Abroad

1 2 Page 2
Page 2 of 2
"stolen" parking spaces, endless lines and out-of-stock merchandise. But across the street from the mall, in a squat nondescript building that's home to a company called iJet, a group of analysts (most with military or three-letter-agency backgrounds) calmly tracks a dozen hot spots around the world. And the pack of increasingly harried mothers at KB Toys isn't even a blip on the group's screens.

In the Democratic Republic of Congo, a stampede following a stadium concert kills four people and injures 30. Police in Jammu and Kashmir, India, are on high alert after a Delhi court sentences three people to death for a December 2001 attack on parliament. In Venezuela, instability is growing as a general strike continues into a second week, accompanied by street protests in Caracas and other cities. In Italy, a series of bomb threats raise speculation of a terrorist event in coming days; and in Spain, a shootout between Basque separatists and policemen kills one officer and wounds another. At iJet's Maryland headquarters, the mission is not only to monitor and push out updates on those events but to go beyond the often alarming headlines and make sense of world events for its customerscorporate security officers who depend on this intelligence to protect their people and interests in far-flung locations. It's a service that has taken on new meaning post-Sept. 11thone that companies increasingly find themselves incapable of performing on their own. "I can watch CNN, but what I want to know is how a situation will affect my people," says Mark Cheviron, corporate vice president and director of corporate security and services for Archer Daniels Midland (ADM), which has employees in more than 70 countries.

Few parts of the world are immune from terrorism. Political instability plagues a number of formerly peaceful regions. As a result, fewer companies are willing to indulge in speculative business ventures outside of the United States. However, some companies have no choice. Those whose success depends on exploiting international markets have to forge ahead despite the dangers. For many there is a distinct business advantage to be gained by having in place the travel intelligence and security framework necessary to protect employees who venture into unstable areas. One of iJet's clients, a Midwestern supermarket chain, regards the company's Travel Intelligence service as a competitive asset. The grocery chain still sends buyers into areas of South Africa and South America to find fruit, vegetables, clothing and shoes for its stores. Since many other companies have withdrawn from those regions, the chain can negotiate sweet deals on raw materials because it is willing and able to take the risk.

There are a number of players in the area of travel risk management: iJet (which is allied with security behemoth Kroll), Pinkerton and the U.K.-based Control Risks Group are among the leaders. Each provides some combination of a pushed information service (consisting of updates and prognostication) with in-depth reporting on specific regions and round-the-clock access to experts who can advise travelers in emergencies. What benefits can such services offer a global security organization? How do you get those benefits? And how should you select the right provider?Cooling Down the Hot SeatCompanies and their officers have the responsibility (or "duty to care") for employees' safety from the moment they leave on a business trip until they return. Each unprotected traveler or expatriated employee poses a significant liability to which boards of directors and CEOs are increasingly attuned. "Employee expectations have changed as well," says Cheviron. "Expats and travelers expect more from the company in terms of security intelligenceand so do their families."

When questions of employee safety arise, it's usually the CSO who ends up in the hot seat. Companies such as iJet have found this reality to be a helpful sales stimulus. "When the chairman of the board calls the global security director and says, 'Holy Hell! I just heard about the bombing in Bali. Do we have any employees there?' And you've got the security guy saying, 'What bombing?' or 'I don't know, I'll get back to you later today,' that's the wrong answer," says iJet CEO Bruce McIndoe. The most acute pain point for a CSO is not being in the know, and it's this knowledge gap that travel risk companies target.

At the core of iJet's services is a platform, called Worldcue, that integrates all the different databases on traveling and expat employees, providing stakeholders within the corporationfrom the CSO and HR department to the chief risk officer, travel manager and corporate medical personnelwith a quick, concise picture of exactly where in the world every employee is. Employees' profiles are combined with their itineraries and plugged into iJet's Worldcue database. That database contains everything from constantly updated travel advisories to information on weather, culture, local contacts and security precautions for all regions of the world. Regional and subject matter experts (category analysts) constantly scour websites, newspapers, TV reports and streaming video feeds, and receive updates from sources on the ground to keep data current. In addition to security matters, iJet's analysts weigh other factors that could significantly impact travel (including issues related to local health, transportation, communication, environment, culture and language).

Jerry Scott is president of Baseops International, a travel logistics company that provides flight support services for many Fortune 500 corporations. Baseops subscribes to iJet's Country Intelligence Briefs for international travel into potentially dangerous regions and provides this information to its clients. Scott says the briefs help clients protect themselves in places like Central and South America, where kidnapping is a concern, and avoid some of the cultural pitfalls that travelers can encounter in various parts of the world. "Having an understanding of your host, their culture and customs is just good business," says Scott. For example, while Scott is not a coffee drinker, he will accept coffee when it's offered in the Middle East in order to avoid insulting his hosts and business partners. Although this kind of information might seem more pertinent to tourists planning vacations (and iJet markets to that segment as well), almost any destabilizing element can affect the security of a traveler. A basic grasp of the culture, customs and behavioral quirks of a given country can keep employees from offending the wrong person or being surprised by an unexpected turn of events. In areas of Southeast Asia and Central America, for instance, a severe storm is more than a travel nuisance. In the wake of a flood or mud slide, poorer areas may go days or weeks without power, food supplies and shelter, a situation that can lead to civil unrest.

The information gathered by iJet's analysts is presented and accessed in various ways. Corporate security officers get an e-mail brief each morning, updating them on the latest intelligence from around the world (travelers can access Worldcue themselves, either through iJet's website or their own intranets). CSOs can also have alerts of breaking events sent to their e-mail, pager or cell phone. Alerts are classified as either "informational" (situational awarenessrequiring no immediate action), "warning" (indicating a possible impact on travel) or "critical" (reserved for severe situations, such as an imminent typhoon or impending coup). Of the 400 to 500 alerts that go out each month, less than 3 percent of them are classified as critical.

Worldcue also provides an employee-locator feature based on trip dates, destinations, airports, airlines or flight numbers. In the event of a plane crash, a CSO could know within minutes whether any employees were booked on the flight, and if so, how to get in touch with those employees or a designated emergency contact. (Because of the number of impacted flights, Sept. 11th presented an unusually complex situation. On that day, ADM had 450 employees traveling outside the country. "Within two hours we knew where everyone was," says Cheviron.) Turning Data into ACTIONAn encyclopedic grasp of obscure current events and a sure knowledge of every employee's travel information might impress executive management, but deciphering what it all means for a company's operations is another matter entirely. While some vendors excel at providing reams of detailed information, CSOs need to put it in perspective. At Control Risks Group (CRG) based in London, Research Director for Information Services Jake Stratton directs an organization whose goal is to bring clarity to potentially dicey situations. At times when client companies and their employees might panic and be tempted to decamp, says Stratton, the analysts' goal is "to interpret events and give a feel for what'll happen next. Is this a trigger event that will incite unrest? Or is it no big deal?"

Cheviron uses both iJet and CRG. He has used the latter to make steady-handed decisions involving employees stationed in Abidjan, on the Ivory Coast, where a failed coup has led to widespread fighting. "They've kept us advised every day of the situation," he says, "and that information has helped us make rational judgments in getting our expats out and coming up with an evacuation plan."

Often, the goal of providing clarity requires that analysts dispel misconceptions. James Smither is a CRG analyst covering Africa. Every two months he travels to the region to get a realistic, current view of the security issues associated with traveling and doing business there. In the past year he's been to Angola, Ethiopia, Kenya, South Africa, Tanzania, Uganda and Zimbabwe. "Africa has such a bad reputation, and companies are nervous," says Smither, "because the only things that are ever reported are famine and war." While a high crime rate is a problem in some African countries, others have less crime than London and Washington, D.C., and some of the biggest risksfor example, the numerous car crashes and dangerous driving conditionsare seldom reported in the mainstream media.

In fact, coverage of global security issues by the press elicits a good deal of grousing from regional analysts. "Every media [outlet] is trying to be an intelligence source," complains Sarah Slenker, iJet's senior security analyst. "Every Tom, Dick and Harry that never worked in the security or travel world is being interviewed by the Fox News Network. We just focus on the sources we know are reliable. We want the information, not everybody's speculation." For example, one of iJet's sources on the ground in Venezuela is the Caracas-based chief of security for a major American oil company who is also a former member of the Venezuelan army.

A company's own employees can be independent and valuable sources of information. With operations in Ghana, Indonesia, the Philippines, Russia and Zimbabwe, H.J. Heinz needed travel security information that covered all areas of the world extensively. Director of Risk Management Ed Aiello recently started using iJet for the daily briefings and the employee-locator feature, but he believes that Heinz's own employees are sometimes the best sources. "We use a number of sources, and we find that sometimes travel services parrot State Department websites," he says. "In parts of the world where we have a lot of nationals on the ground, our intelligence is even somewhat ahead of what's coming from the State Department." Aiello stresses that services that focus strictly on travel should be a complement to other country intelligence programs rather than a substitute for them.Responding 24/7Few companies can respond to a traveling employee's security concerns 24 hours a day. And (be honest here) how many security executives would want to be awakened at 3 a.m. by an employee who has lost his passport? Or would you really know what to do if nervous executives called to report small arms fire in the street outside their hotel? Twenty-four-hour hotlines are the outsourcing solution to a problem that most CSOs have neither the expertise nor the budget to solve themselves. The hotlines vary in the way they are set up. Control Risks' CR24 line is staffed by security professionals with a special forces or corporate security background who field, on average, 60 queries a day through e-mail and telephone calls. Corporate travelers contact them seeking advice on everything from minor logistical questions to critical personal safety emergencies.

Peter Cheney, director of CR24, recounts a call received recently from the general manager of a U.S. company's outpost in Eastern Europe. The executive was traveling to Macedonia for the first time and wanted to know if there were any basic security precautions he should take. He received some advice and went on his way. One evening at 7 o'clock, the same man called back to say that he and his coworkers were in Belgrade on their way to Scopje, and their flight had been canceled. They were rushing to catch the overnight train and wondered whether that was a secure option. With the train leaving in five minutes, he asked if they should get on? He was advised to take the train only if the meeting was absolutely time-critical. If they took the train, he was cautioned to stay awake for the second half of the trip because people had recently been robbed, removed from the trains and beaten up after crossing into Macedonia. "In our eyes, a relatively minor situation, but important for the client," says Cheney.

A 24-hour hotline run by iJet functions slightly differently. Incoming calls go to a coordinator who triages each call and will hot link it to a specialist depending on the type of situation the caller faces. "We never want to let go of that traveler because we're their life line," says CEO McIndoe. In a recent situation in Guatemala, some corporate travelers called the hotline late at night when they heard small arms fire outside in the street. The iJet team started two responses in parallel. A Kroll associate in Buenos Aires was contacted, and he quickly made his way to the airport to travel to Guatemala. Meanwhile, the call coordinator and a security specialist worked with the travelers over the phone to continue assessing the situation. As a result, iJet hired a driver to take the employees to the airport. Once pickup was confirmed from the driver, the Kroll associate standing by in Buenos Aires was called off. The employees were evacuated from the town 90 minutes after first placing the call.

Before deciding to build this sort of capability in-house, you should know that supporting a single hotline can be pricey. McIndoe says that to have just one person available 24 hours a day, seven days a week, a company would actually need six full-time employees. He reckons a CSO would have to pay each of those six employees at least $30,000 a year, a figure that doubles when you factor in benefits and overhead. The result? "You're paying $480,000 for one warm body," he says. A ballpark annual fee for the CR24 service would run somewhere between $24,000 and $36,000.Picking the Right ProviderAlthough CSOs are among the main beneficiaries of travel risk services, they can also, ironically, be a tough sell. The problem, notes Jack Stradley, managing director of Crucible, a Kroll-owned security training and support company (see "Training for the Last Resort," Page 29), is that CSOs are often "reluctant to admit that they can't know everything about everything." They're under enormous pressure from management to be the last word on anything to do with security. When Stradley recommends a training seminar, he finds that CSOs often worry that management will respond along the lines of, "Well, why did we hire you?" Stradley, retired from the Marine Corps, worked in reconnaissance in South America for several years and as a drug enforcement officer in Bolivia, Peru and Venezuela. "Our folks have worked in high-risk environments and have lived to tell the tale," he says. "It's not derogatory to say that [the average CSO is] not equipped for this. You can't be a specialist in everything."

There are several key things a CSO should look for in a travel risk partner. The most critical element is the quality of the information offering. A service such as iJet touts its use of more than 6,000 sources in compiling intelligence. McIndoe estimates that about 300 to 400 of those are actual on-location human sources. Before information is sent out as an iJet alert, it's evaluated by category and relevance. It then undergoes further scrutiny by subject-area experts. An item on a viral outbreak in Nigeria, for example, would go both to a health expert and to the African region analyst. They would vet the information and write an alert if they deemed it worthwhile. Such an item would still need to go through the watch operations desk as well as to an editor to ensure that the text meets standards of accuracy, clarity, brevity and quality. The goal of all this attention is to avoid numbing clients with constant alerts that could be a nuisance at the least and erroneous at worst.

Data also gets stale very quickly. McIndoe claims some services sell country risk reports that are more than one to two years oldhopelessly out of date given the current pace of world events. CSOs should freshness test any reports or packaged analyses they are offered. Some firms generate their reports on demand only, which is an assurance of fresh content. The most strategic intelligence, upon which companies base future travel and business decisions, can be updated on a monthly or even quarterly basis without getting stale.

It's also important to pay attention to the breadth of expertise behind the information. "We never just rely on one person [in a region]," says CRG's Smither. "Everyone is connected to different things. [We draw upon] political circles, police and special forces, experts on corruption, local and foreign journalists, and academics. One person might know who will be the next president, while another knows which roads to go down in Angola." Few vendors will disclose their sources, but a careful look at their reporting over a period of weeks should give a sense of how well-placed and useful the sources are.

Buyers should be aware that companies may exaggerate the number of sources and security professionals they have on the ground in a given region. If an emergency situation develops and a CSO has employees who need to be extracted from a region, it's critical to know how many actual responders are available to help. A company might say it has 100 offices around the world, but if they're mostly sales offices staffed by a secretary and a suit, that won't do much good for the CSO or his imperiled employees. Likewise, a CSO can infer from a travel risk company's depth of expertise whether it will be able to put information into perspective. Those companies, says Cheviron, "can give you so much information it makes you sick. They have to be able to cull out what's important."

Cheviron also recommends asking for a list of client references to take the measure of different vendors. Many clients' security directors are members of groups like the International Security Management Association (ISMA). Cheviron has no compunction about calling his fellow ISMA members and asking for frank assessments of a prospective vendor.

The 24-hour capabilities of a travel risk company can also be measured by the traditional yardsticks of any call center: availability and response time. The last thing a CSO wants is for employees in an emergency situation to get a busy signal or be put on hold. The time frame for having personnel on the ground responding to an incident is also an important barometer. CSOs should look at the specific elapsed time a vendor company is willing to commit to for getting a responder to the scene of an emergency and resolving the situation. As with any contract, read the fine print. Some companies insert an impressive list of caveats (a.k.a., loopholes) that can take the teeth out of travel risk services. "I know of [companies] where one of the basic caveats is that they're not obligated to send their people into a country where there is a current dangerous situation," says McIndoe. If that's the case, he adds rhetorically, "What good are they?"

Copyright © 2003 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)