Workplace threats are numerous and most happen unexpectedly. While it may seem obvious that workplace preparedness is important, there are a lot of less clear benefits that come out of a comprehensive preparedness strategy. And as the type of threats that workplaces face evolves, preparedness programs need to grow alongside it.
Security teams aren’t the only ones concerned with workplace safety. A study published during the pandemic revealed that most workers (73%) worried about going back into the workplace. More than half of those surveyed said they would consider leaving their job if their employer didn’t prioritize their safety.
While the workplace has again become a place where employees gather to connect and collaborate in person, companies still need to be vigilant about keeping their space safe. Beyond a pandemic, there are many other workplace threats they need to be ready to prevent, detect, and respond to. It’s not only critical to providing employee safety and peace of mind; it’s crucial to company continuity. Use this guide as a playbook to understand the types of critical events that threaten the workplace and how to prepare for them.
About the author
Everbridge is a global software company that provides enterprise software applications that automate and accelerate organizations’ operational response to critical events in order to Keep People Safe and Businesses Running™. Over 5,300 global customers rely on the company’s Critical Event Management Platform to quickly and reliably aggregate and assess threat data, locate people at risk and responders able to assist, automate the execution of pre-defined communications processes through the secure delivery to over 100 different communication devices, and track progress on executing response plans.
1. The types of workplace threats
Workplace security threats are inevitable. One survey revealed that 100% of companies said they suffered at least one critical event in the past 24 months. In fact, companies often dealt with multiple critical events in that timeframe (more than four, on average). The events varied from natural disasters (33%) to supply chain disruption (22%).
Secure workplaces protect all their stakeholders from serious physical and financial harm. This includes employees, customers, partners, assets, and investors. If they don’t, the ripple effects of even one critical event can result in organizational damage. This includes hindering a company’s operational activity and putting personnel at risk. To prepare for a critical workplace threat, companies first need to identify the different security risks they face.
Here are some common workplace threats your company should prepare for:
Natural disaster or extreme weather
Natural disasters don’t spare workplaces when they strike. While these events are impossible to control or predict, companies can prepare to withstand a natural emergency and the hazards that may result. Failing to prepare for a natural disaster could put personnel at risk, disrupt workplace operations, and result in irrecoverable economic costs.
Theft of physical or intellectual property
The most plain security threats may be those to a company’s physical and intellectual property, which can include anything from patents and employee know-how to trade secrets, laptops, and physical documents. To prepare, organizations should train employees to keep their important physical and intellectual property safe and invest in technology that manages workplace access.
IT failure of a business-critical system
Hardware or software failures, accidental damage, network communication issues, or some other business-critical IT failure can do lasting damage to a business. At the very least, it can be time-consuming, expensive, and challenging to reverse. But, with the right preventative measures in place, organizations can minimize the impact caused by an IT failure, or in some cases, avoid it altogether.
Cybercrimes, though common among workplace security issues, are preventable. Companies need to develop a deep understanding of their cybersecurity vulnerabilities to safeguard against a cyber attack. Possible risks include privilege abuse, data mishandling, unapproved hardware and software, and email misuse.
Utility outages are hazardous at worst and inconvenient at best. In today’s modern workscape, a utility outage could cause major communication issues among employees, customers, and partners. In many cases, utility outages are preventable with preparation and training.
Executive protection includes risk mitigation procedures that ensure the safety of workers who may be at more personal risk due to their role, net worth, or public status. For some companies, ensuring the safety of at-risk personnel, like CEOs and executive-level employees, is board-mandated. Corporate protection services can include threat analysis, special event security, and travel risk management.
Brand and reputation crises
Brand reputation directly ties to a company’s market value. What may take years to grow can tarnish overnight. Nowadays, it can be a single tweet that takes a company down. Risks can come from any part of the business, including unethical suppliers, partners, employees, political groups that oppose how a company conducts business—even competition.
Supply chain disruption
Companies should also prepare to assess and manage supply chain risks. Such risks can result from geopolitical and geophysical events, natural disasters, and various other causes. Conducting a supply chain vulnerability assessment and establishing a risk-management plan of action is essential to managing these types of threats.
Health security became the unexpected face of workplace security during the pandemic. Since then, companies have had to rethink how they are to operate in the event of another health scare or pandemic. While many companies have reopened their doors to employees and visitors alike, health threats like global pandemics will stay top of mind for well-prepared businesses.
Prevention and mitigation planning are both important to effectively minimize disruptions from workplace threats. Organizations need to be able to identify emerging problems before they become full-blown threats. Doing so also helps minimize damage caused by a workplace threat, should one happen, and prepares your company to support employees.
2. The benefits of workplace preparedness
Workplace threats are numerous and can happen unexpectedly. While it may seem obvious that workplace preparedness is important, there are a lot of less clear benefits that come out of a comprehensive preparedness strategy.
Here are four benefits of having a preparedness strategy for any workplace threat or incident:
Mitigate risk and liability
It’s near impossible to prevent an incident from occurring. Instead, it’s important to focus on what to do once a situation arises. The faster you can respond with the right plan of action, the more you can mitigate risk and exposure. By putting the systems and tools you need in place in advance, you can more efficiently respond if there is a crisis.
There are solutions that are less risky than others to put in place. You can update software on a regular basis to thwart off cyberattacks, for example. Plus, if your systems talk to each other, you can automate various parts of your preparedness plan to speed up the necessary response steps. If you automate the communications that go out to everyone in your office the moment an incident occurs, you can reduce chaos and ensure people know what to do.
Having a documented plan and activity logs can also help reduce the cumbersome legal and compliance processes that follow. With a process in place to record and track what happens during an incident, you can limit the amount of time your team needs to spend on the follow-up procedures. This ensures that you can continue working on the projects that matter most and prevent further incidents. Every minute you save could be the difference between a well-handled situation and a true disaster.
Increase employee productivity and retention
Ensuring that employees are safe while at work is critical to their job productivity and happiness. Safety comes in many forms, from ensuring only approved, healthy people can enter the workplace, to providing easy access to safety protocols and keeping personal identifiable information secure.
In a survey of employees, 55% of respondents said they would consider leaving their jobs if their employer were to have downplayed COVID-19, didn’t follow safety measures, or urged employees to work from the office before they were ready. When you communicate your preparedness plan to employees, you create an office environment that employees will choose to come into. Employees feel confident that you are prioritizing their health and safety. In doing so, they are able to be more productive while onsite. Plus, in a tight job market where companies are competing for talent, organizations that can point to employee protection will stand apart.
Positive brand recognition and reputation
No one wants their company to be in the news headlines regarding a security incident, but it happens more often than we think. Not only does a preparedness plan help to keep companies out of the spotlight, it can help to improve brand reputation. A survey of critical event management and operations personnel found that
3 out of 4 critical management and operations personnel think a unified approach to critical event management improves their brand reputation.
Having a plan also proves an organization’s resilience and further shines a light on your brand. Resilient organizations work across business units, combining internal resources, technology, and services to detect, manage and minimize the impact of emergency situations. This operational efficiency ensures that your brand maintains its positive reputation.
Impact to company revenue
A workplace incident can cause a large financial burden in many ways. It can not only have short term impacts of ransom or loss of intellectual property, but long term implications such as less trust in the organization or having to implement new technology to replace legacy gear. With a workplace preparedness plan, you can help lessen the impact to company revenue by keeping your supply chain stable, competitive information private, and investment strategies secure. If you handle these risks correctly, it can reduce the impact on revenue.
Another way to reduce costs is to decrease the number of errors that occur during a response. With an automated, connected solution, you can cut down the number of errors and provide a foundation for delivering a cost-efficient response to crises. Plus, with improved data and reporting on incidents, you can make informed decisions that will reduce the impact of future events. This includes understanding where communication gaps are, areas of opportunity for more process, and what roles you need on a critical response team. All of these decisions impact your business’ bottom line.
3. How to prepare for any workplace threat
With those benefits in mind, it’s time to get serious about getting prepared. In today’s world, organizations need to respond more quickly and decisively to critical events, but with fewer resources. Without an end-to-end process to manage these events, it’s nearly impossible to satisfy this mandate.
In most cases, organizations are trying to deal with threats using manual processes and disjointed systems. As a result, they are unable to efficiently and effectively manage these events.
With the right plan in place, your organization can prepare for any workplace threat. Here are the five steps to creating a workplace preparedness strategy:
1. Devise a plan
This might seem simple enough, but the plan must be comprehensive in order to be effective. It starts with a general foundation then expands to cover various types of threats. For each type of threat, map your plan to appropriate resources and response activities.
Given the types of threats your business may face, you should:
- Appropriately categorize critical events by type, predictability, cause and scope
- Differentiate between routine emergencies and crisis events
- Determine how to deal with each event and who will take the lead
- Tailor your plan depending on the severity of the threat or crisis so you can activate your plan as quickly as possible
When getting started with your crisis management plans, start in order of predictability. For example, if you operate in a hurricane-prone region, start by developing a hurricane plan, including one to deal with office closings. If your business operates in many locations, you should standardize your plans.
2. Assess your sources of information
With a plan in place, it’s time to assess how well the organization can navigate critical events. One of the biggest issues is not knowing when a threat develops and then not being able to confidently vet what happened.
Here are a few different sources of information that you should routinely monitor to stay abreast of critical events:
- Disaster facilities
- Social media
- Cameras onsite
The goal of this assessment is to confirm the threat event and ensure the appropriate team has all needed input and contextual feeds in one place to make the appropriate decisions.
That means lining up trusted information sources for all types of risks. This undertaking can get complex, especially in larger organizations. Start by understanding the event in the context of the five key assets: people, buildings, IT systems, supply chain, and brand/reputation.
3. Quantify and prioritize your risks
The next step is to figure out what is critical and what isn’t. Answer the big question: What is the impact and exposure? An effective approach to answering this question is to quantify risk based on:
- The threat
- The threat’s nature
- The organization’s overall vulnerability or exposure
- The overall impact to people, assets, and the business
Unfortunately, it’s not a simple equation. Consider the timeline, which is often dynamic. For instance, it’s not sufficient to ask, “How many employees are in HQ right now?” since employees are constantly on the move.
While it’s critical to quantify risk, keep in mind that the impact from a single event can differ across the company and can impact different assets in different ways. For instance, a labor strike in Paris is not a critical event for local employees who know how to deal with it, but it is for traveling employees who aren’t accustomed to this.
In other words, context matters, and can change the risk profile. The key is to understand risk based on all variables to determine the best response to any event.
Identify and locate all stakeholders
Quickly locating, communicating with, and assisting employees and visitors in a crisis is a priority. To that end, typically in any type of critical event, organizations will be dealing with three groups of stakeholders:
The people who can do something about the event.
These people can put context around the situation and can help assess the threat to determine who’s impacted. Some organizations call them responders or resolvers. In larger organizations, this might be an incident response team. When creating a list of responders, organizations should take into consideration schedules, rotations and locations.
In addition to identifying impacted people, you must know where they are located so you can quickly notify them. Automating communication can save even more time.
Those needing to know about the event.
Who needs to know about the event? Should you wake up the CEO at 2 am? Can you handle the event regionally? Determining this ahead of time is key to reducing the impact of the event.
To avoid alert fatigue or “the boy who cried wolf” syndrome, only inform those who need to know. At the same time, make sure people aren’t bombarded with updates. If possible, let the appropriate people see all necessary information in one place.
3. Analyze performance
The final step is to close the loop by analyzing how well your organization responded. Start your after-action review by trying to understand the following:
- Has this happened before?
- What was the impact?
- What did we do well?
- What could we have done better?
- What slowed us down?
- Who was involved?
- Who responded fastest?
The key is to not only perform these reviews but to close the loop by learning from experience and continually improving the plan and response.