Q. One of my areas of responsibility is developing an action plan for dealing with activist groups. Can you give me some pointers on evaluating and disseminating strategies that would minimize disruption and promote a safe environment during this type of activity or event? From an information security standpoint, what are the potential risks of monitoring these groups on the Internet?
The agendas and tactics of activist groups will vary. Some may want to influence your organization with civil discourse, while some want to stop it in its tracks through criminal intimidation. It is important to approach any potential interaction with an activist group objectively, with the intent of demonstrating principled conduct that is informed by your organizational mission and values.
Activist entities often consider themselves agents of change, typically demanding action from stakeholders – customers, employees, management or the Board – based on perceived moral or ethical grounds. Their demands and motivations may be based on fact, misinformation, or a combination of both.
Do Your Homework:
- Assess the demand. Consult with law enforcement if the demands are perceived as criminal threats implying harm to individuals, assets, business dependent processes or reputation. In the United States, interstate restraint of trade will typically be in the domain of the Federal Bureau of Investigation. Collect all communications from or to the group or individual, including customer service contacts.
- Assess the group. Groups and individuals that have an interest in your organization typically have a history. The Internet will likely have a wealth of resource material from organizational and personal site listings, replete with photos, friends and associates. There may be public records of activist subjects including suit, arrest, disruption, protest, harassment or trespass charges. But exercise caution: In searching this history, only employ an ethical, licensed and insured investigative entity that can gather legal information without attribution. Stakeholders should refrain from investigating groups or individuals of interest within the organization's IT network.
- Attempt to follow activists’ communications and action solicitations. When activist groups plan their actions, they may publicly advertise their meetings as a membership draw for similarly inclined individuals. The meeting information they provide sometimes outline tactics for business disruptions, ranging from boycott action to pamphleteering and street theater, including provocation of management representatives or law enforcement for arrest publicity.
- Consult peer organizations and law enforcement for factual intelligence that may not be publicly available. Benchmark the experience of other organizations, including best practices. If another organization has experienced the same activist group inundating the head office with pre-paid customer comment cards, or executing denial-of-service attacks on servers and telecommunications, you can use this information to inform your risk mitigation plans.
- Design or revisit existing countermeasures that address the known risks. Review access control and suspicion or risk reporting processes. Implement increased preventive patrol by security services or local law enforcement before, during, and after planned events. If the action is expected to take place during a public meeting consider implementing counter-surveillance and credential, bag, and coat checks. Brief management on potential conflict issues and countermeasures, including meeting decorum requirements to allow dissenters to civilly express a view, and the company’s preparation to address it on point and advise the person of follow-up. Public microphones and address systems should be secured to prevent misuse. Have personnel close by to take an issue off-line, warn for trespass, or lawfully remove obstructionists under the color of authority. First responder personnel may be pre-staged to ensure medical and public safety intervention if required.
- Apprise potentially affected personnel of threats with relevant precautionary security measures. Brief stakeholders on need-to–know information about the range of action employed by known groups. Consider whether personal and family security of key personnel, including board members, would be wise. Consider adding mail, package and service delivery security scrutiny at the office and home. You may also want to add protective personnel for public engagements to ensure uninterrupted transportation and to avoid public embarrassment or injury. Coordinate public and private investigative resources and countermeasures that will document any criminal action for prosecutorial accountability.
- Don't assume that groups or individuals with interest are unsupported by your stakeholders. Concerns about animal welfare and environmental or social responsibilities may be shared by clients, employees and other stakeholders. It’s important to respond to demands in a way that limits an activist group’s ability to frame the issue. Communicate in a way that is above board, factual, and tempered for unintended disclosure to the public.
- Do not act without cross-functional consultation. Coming together before an event to identify roles and responsibilities will serve your organization well. Ethical organizations cannot afford the appearance of an overzealous security group. Your service level agreement should automatically enable precautionary diligence and security risk mitigation reminders that reasonably protect people, assets and dependent processes.
Remember that activist events may serve as a public relations opportunity. Assess the group’s demands with a cross-functional team comprised of communications, legal, operational and security representatives. Draft a confidential position document that analyzes the activist group’s request for change on merit, and use that to inform all responses across the organization.
Answer provided by Francis D’Addario, SEC Emeritus Faculty for Strategic Innovation. For more of Francis’ insights on enterprise-wide all-hazards risk mitigation, see his book, Influencing Enterprise Risk Mitigation, 2nd Edition.