Threat Intelligence Blog

Posted December 10, 2015


By Hans Mathias Moeller

This is the second blog in a two-part series from one of our analysts in our Special Investigations Unit. Today, we provide specific physical security procedures for preparing and responding to physical threats.

Yesterday we discussed why businesses need threat intelligence to prepare for physical threats, and today we’ll review the how.

There are typically six steps we recommend when it comes to physical security procedures for protecting your organization from physical threats:


Gain an understanding of the threat environment. This includes identifying any physical groups or individuals who have or may have grievances against your company or executives. Determine if your company may be the target of expressive or aggressive crowds with a propensity for riots or social unrest.

An expressive crowd is generally people gathering to express a common frustration or sentiment without any long-term purpose beyond venting emotions. They can erupt suddenly and without much advance notice. Aggressive crowds are more organized and can be noisy, impulsive, and emotional. At times they will engage in destructiveness and violence, such as riots or mobs.

In addition to determining if there are individuals who might pose a threat, you should also identify any nearby targets that, if attacked, could result in collateral damage to your business. This could include adjacent neighborhoods, public meeting venues, businesses, government agencies, or religious and political organization offices that could be targets.


Assess the threat level and determine the credibility and seriousness of the threat. You should specifically assess:

    • Capability: What resources does the threat actor have at their disposal, number of members, etc.?
    • Existence: Is the threat currently present or believed to be present?
    • Intent: Has a threat actor expressed a desire to target your business?
    • Targeting: Has a threat actor conducted any surveillance against your buildings and executives?
    • History: What has the threat actor done in the past, what was the outcome, when was the most recent incident, what tactics were used, and against what target?

The threat is higher if all these factors are present. Once you determine your threat level, you can identify the appropriate actions to reduce the risk of a threat and tailor a response.


Prepare for attacks by increasing your situational awareness of threat actors who are known to use organized protests. Many groups plan, coordinate, and disseminate information about upcoming actions via social media to get media attention and to maximize support during protests. Advance knowledge about protest dates, locations, and number of attendees can help reduce risks and allow corporate security, communications, and legal to customize responses.

Here are some recommendations for preparing for physical threats:

    • Conduct regular training exercises to make sure your response policy is accurate and up to date. Exercises are the best way to counteract complacency.
    • Review evacuation protocols for employees in the event peaceful protests escalate and become violent.
    • Review your CCTV system to make sure it has sufficient coverage inside and outside the premises.
    • Contact and coordinate with law enforcement in advance if the protest group or individual has a history of violence and arrests.
    • Review the perimeter around the facilities and install crowd control measures, including barriers to control and contain larger crowds.
    • Monitor social media before the protest to anticipate activity in advance.
    • Coordinate with your media department and draft a response in the event media shows up on site during the protest.
    • Increase the number of security guards and ensure they know their roles and responsibilities, in particular how to respond to provocative activists. Any form of overreaction can result in legal proceedings and reputational damage.


Prevent disruptions to business operations by having a contingency or incident management plan – that has been practiced – ready.

    • Identify a secondary secure location for a control room (if available) as part of your contingency plan.
    • Prepare employees to work remotely if the protest group has a history of violence or is expected to disrupt business operations.
    • If a threat actor is expected to disrupt a vendor, make sure to have at least two backup vendors that can provide critical goods.
    • If evacuation is needed, make sure to have an offsite business location where employees can assemble after they receive a notification.
    • If damages occur, ensure that a business contingency management team identifies who and what has been impacted.


Respond to control the situation and minimize the impact on employees, corporate facilities, and clients. Here are some tips for responding to physical threats:

    • Send out regular situation reports to executives and senior leadership to provide updates as the incident evolves, including the start of the incident and the all clear.
    • If necessary, send out notifications about the protest or unrest to employees using incident management notification tools.
    • Monitor social media accounts (Twitter and Facebook) of protest groups and individuals as the protest evolves. This can provide valuable insight into where activists are going and what they are planning to do.
    • Maintain communication with security guards during the planned protest along the perimeter of the property and entrances for updates.


Security teams and executives should return the business to normal operations after an incident, and keep an eye on processes and continuity needs. This is of utmost importance if business operations face a sudden power outage, interruption of services, or loss of data. Keep an open line of communication with employees and provide updates on any changes you will be making to your corporate facilities as a result of an incident.

Recover any data that was backed up and stored on another on-site system, or that was sent to an offsite system, and ensure that all hardware, applications, and data are restored in time to meet business needs. Review and update your disaster recovery plan on a regular basis to ensure it remains accurate.

In the event that your company needs to respond to an incident, following these steps can minimize damages to corporate facilities and help protect your company’s greatest asset: the employees. Threat intelligence is key to increasing situational awareness and better preparing your organization for future threats.

Contact us for more information on deep-dive assessments performed by our Special Investigations Unit.

