“Everything changed after 9/11” was a frequently heard refrain—from the president and other politicians and in law enforcement and private security circles. The same may, in time, be said of the Paris attacks in November. Targets included restaurants and bars and seemed to cement a disturbing trend: public spaces and private businesses have become the battleground of choice for international terrorists. While symbolism surely still matters, a preference has emerged for attacking vulnerable locations that can yield a high casualty count as opposed to well-fortified sites. When the goal is simply to spill as much blood as possible, private businesses, including retailers, are more likely to be attacked than government facilities.
Shopping centers and other hard-to-defend commercial places—such as large restaurants, department stores, and supermarkets—have occasionally been the subjects of alerts from the Department of Homeland Security (DHS) and in congressional testimony from government officials. Terrorists themselves have said they’re targets. Al-Shabab, the Somali terror group behind the days-long attack in 2013 on a Westgate mall in Kenya that left more than sixty dead, issued a video in 2015 threatening to attack shopping malls in the US, Canada, and England.
It has started to take a toll. In a recent research note, Jeffries financial analysts identified the Paris attacks as a contributing cause to soft sales at Tiffany’s. Starbucks closed all its stores in Belgium after the recent attacks there, as did Domino’s. And while most Americans feel safe while shopping, 18 percent said they don’t always feel secure in a store or mall, according to a survey conducted by consumer insight and consulting firm C4 post-San Bernardino.
The rise of the Islamic State (IS) group is increasing the risk, according to a new report by the House Committee on Homeland Security (Terrorism Gone Viral, March 2016). IS has been linked to at least seventy-five terrorism plots against Western countries with the US as its main target. IS-related plots more than doubled between 2014 and 2015 from nineteen to forty-eight, according to the study. “ISIS has reached an unprecedented level of terror plotting against the United States and our allies,” said US House of Representatives Homeland Security Committee Chairman Michael McCaul (R-TX). “The group’s focus on ‘do-it-yourself’ jihad has allowed them to franchise their attacks worldwide, achieving a tempo of violence that has surpassed even al-Qaeda’s most violent years.”
Bob Moraca, CPP, CFE, MBA, the National Retail Federation’s vice president of loss prevention, promises that retailers recognize the risk, as well as “their unique responsibility” in preparing for threats and emergencies. “Retailers will remain vigilant and proactive as they work with each other and domestic and international law enforcement agencies to bolster their security preparations after events like what took place in Brussels,” said Moraca.
Vigilant—but undoubtedly still vulnerable, said one Northeast retailer responding to a survey by Security Director’s Report (SDR). “Retail stores are tempting targets because people congregate there and there’s essentially no security. Can you imagine a suicide bomber exploding in a crowd during a grand opening or Christmas rush?”
Indeed, there is some suggestion that the retail industry—perhaps because of its extreme vulnerability and a lack of clarity on how to address it—has not always been aggressive in response to the terrorist threat. For example, a majority of retail industry chief financial officers in a survey by Financial Executives International after 9/11 said they were not changing security as a result of the attacks. Some 63.8 percent of retailers would keep security “as is,” they said. By comparison, only 41 percent of communication companies said the same. Retail also lags behind general industry in conducting terrorism risk assessments (see Figure 1). The low-likelihood but high-cost of a terrorist event has made—and continues to make—retail terrorism protection a risk-management conundrum.
For some potential targets action is clearly necessary (see case study), but for many it remains unclear what, if anything, they should do. Some businesses in select industries have been forced to comply with new security regulations, but retailers don’t operate under a specific mandate for action—no minimum standard to achieve. Brian Jenkins, a terrorism expert and one of the most interviewed sources on the subject, noted to SDR that terrorism defies risk models that security professionals are comfortable using. He asked, “How much security is enough? What is the optimum allocation of security dollars? What is the best combination of risk avoidance, insurance, security, and response preparedness?” And he added, “These are tough questions.”
Maximizing Value from Anti-terrorism Measures
Risk assessment is the most assured way to minimize costs as it focuses anti-terrorism where it’s most needed. Risk assessments serve as the foundation to mitigation and prevention, which makes it critical that they be accurate, detailed, and frequently updated. They should encompass external factors—country and city terror risk ratings, average emergency response times, the government’s capacity to disrupt terror plots—as well as store-specific factors, such as its proximity to high-value targets, standoff, and foot traffic. “More than likely, a terrorist isn’t going to target a Staples in Peoria or a Starbucks in Austin. They will probably target a mall in a major metro region or a high-profile store like Tiffany’s and Macy’s in New York City,” said Ronald Margulis, a retail consultant and managing director of RAM Communications. (And even that is less true than it used to be.)
A robust intelligence pipeline will keep security levels properly aligned with the threat (and prevent overspending out of fear). Loss prevention executives have a responsibility to stay effectively plugged into the threat-communication network, such as through a local joint terrorism task force and via contact with industry counterparts and law enforcement, so as to receive early warnings in time to take appropriate (not excessive) countermeasures.
Aiming security at the most likely attack scenario also helps to minimize terrorism prevention spending. But what is it? In a follow-up survey to SDR’s Corporate Anti-terrorism Benchmarks report, retailers said the most likely incident to impact them was the same in 2012 as back in 2006: disruption of a major event. They think the most likely attack method on a retail store is a knapsack suicide bomber or a shooter.
But how—without breaking the bank or disrupting business—can retail locations protect against a suicide attack? Staff already drawing a paycheck may provide the best opportunity.
A suicide bomber is unlikely to blend seamlessly with the crowd and may exhibit “multiple anomalies,” according to training guidance by the International Association of Chiefs of Police. Prevention may hinge on including suicide bomber awareness and response in loss prevention agents’ training and insisting that contract guards have such training.
Consultant Arik Arad, former head of shopping-center security in Israel, said the best way to stop or preempt an attack is to make “soft contact” by walking up to a suspect and asking, “Can I help you?” He said it’s often enough to force a bomber to abandon his plan and that foiling suicide bombers is about training, not guns.
Spotting indicators of terrorist planning is another key topic in counterterrorism training. Since 9/11, the preparatory conduct of terrorists has been the subject of significant study. A terrorist might loiter for weeks near a target to observe entry points and security measures, perhaps by posing as a panhandler or flower vendor. According to one study, excluding outliers, the average preparatory behavior phase for a terrorist attack is fifty-four days (Pre-Incident Indicators of Terrorist Incidents: The Identification of Behavioral, Geographic, and Temporal Patterns of Preparatory Conduct, Dept. of Justice). Security officers know to keep an eye out for anything suspicious—it’s at the core of their job—but refresher training should outline and emphasize the range of behaviors and specific activities that demand reporting (see “Counterterrorism Training Points”).
Simultaneously, loss prevention teams might assess if their suspicious activity reporting processes need refinement. A security camera might catch someone peeking in the store window after hours. A sales associate might tell an agent that a strange guy was hanging around the store all day. But then what? Corporate security teams need to examine their processes for encouraging reporting of suspicious activity; getting those reports into a written, trackable form; identifying patterns of clusters of pre-incident indicators; and delivering relevant information back to people in the field.
Finally, focusing on security strategies that serve a dual purpose can enhance terrorism prevention while mitigating its expense. For example, many of the same security strategies that reduce shoplifting and parking lot assaults can reduce the likelihood of a successful terrorist attack.
Possible Store-Level Solutions
- Improve coordination with others with whom you share a responsibility for security. In the aftermath of a scare at IKEA, in which explosives were found inside two IKEA stores, Sears said it had “stepped up its relationship with mall security.” Forging closer ties is an important prevention tool for all types of crime.
- Use bike patrols, marked security vehicles, or parking lot attendants to control large parking areas. These measures could push a car bomber to a softer target. It can also keep fire zones clear of parked cars, improve shoppers’ experience by improving the flow of traffic, prevent car break-ins, and limit parking garage or parking lot assaults—the top location for incidents resulting in negligent security lawsuits. Outside patrols also expand the detection perimeter, which is the best way to identify and intercept a suicide bomber before the store’s front door.
- Use vehicle-halting planters or concrete bollards to prevent trucks or cars from getting too close. In addition to limiting damage from a truck bomb, such devices can reduce pedestrian-vehicle accidents.
- Tighten parking controls. Simon Property Group, which owns or has an interest in 325 malls or shopping centers nationwide, instituted a ban on overnight parking in response to the terrorism threat. Such a policy may also prevent after-hours crime.
- Enforce access restrictions. Controlling access to restricted areas within stores can prevent theft as well as prevent a terrorist from gaining access to a store’s heating and air-conditioning system where there is the potential for introducing poisonous gases.
- Place uniformed guards in plain sight. Visible security on patrols in shopping areas was once bad for business, but perhaps not any more, say experts. Bringing officers out into the open helps them control crowds and keep a closer eye on shopping-area crime, as well as giving a potential target-seeking terrorist pause. Jenkins suggests supplementing visible security with plainclothes agents. “Their presence, occasionally publicized through arrests, greatly increases uncertainty on the part of would-be bombers.”
- Get employees to be on the lookout for individuals leaving behind packages. Such security awareness may help foil a terrorist bomb plot, but will more likely engender customer goodwill and save money. (Although there’s no need to isolate an area for a suspicious package.)
- Let law enforcement review your evacuation plan for a special event to help save lives in the rare event of a terrorist strike. It can also help protect individuals in more likely crises: power failures, earthquakes, or weather events.
- Employ visible video surveillance and enforce routine camera inspection schedules. CCTV is a vital tool to prevent many types of crime, and in plots in which an escape is planned, terrorists do seem to avoid security video. “One jihadist manual advised would-be terrorists to avoid train stations with CCTV cameras, which suggests that the cameras have some deterrent value,” a recent report concluded (Carnage Interrupted: An Analysis of Fifteen Terrorist Plots Against Public Surface Transportation, Brian Jenkins and Joseph Trella, Mineta Transportation Institute, April 2012).
- Employ store greeters to spook or spot suspicious persons as well as enhance customer service.
- Review shipping and receiving security. Pre-schedule loading dock deliveries, make trucks subject to search, accept deliveries at the side of the store instead of underneath it, insist on identification, and use cameras to record delivery areas. Stricter access controls in sensitive areas such as delivery zones and loading docks reduce the risk of a catastrophic terrorist event while curbing theft during shipping and receiving.
- Plan and practice for going on high alert. Confusion and unnecessary spending go hand in hand, so preparing for coordinated attacks on several targets in different locations (a multiple dispersed attack) could help check costs. For example, if a suicide bomber attacks a retail strip in Las Vegas, retailers elsewhere might mobilize security staff to conduct security checks at entrances, check delivery drivers’ IDs, inspect truck trailers, and conduct spot checks of customers’ bags. Ask yourself these questions: Would we immediately learn of an attack? Would we be able to quickly make a decision about procedures to implement? Could we efficiently communicate the alert to every store location that needs to know? Are those store units prepared to quickly implement our high-alert security procedures?
Case Study: What Can You Take from Israeli-Style Security?
The Mall of America is big—520 stores, eight acres of skylights, and 42 million annual visitors big. With the public encouraged to enter through any of its twenty-four entrances and shop at its 4.3 miles of total storefront footage and as a symbol of America’s consumer culture, it is a stereotypical terrorist target. It faces all the risk of a retail location—multiplied.
So on what does the Mall of America (MOA) rely for protection? A lot of it derives not from the latest technology but from the sharp eyes and quick intervention and interviewing skills of the officers in its Risk Assessment and Mitigation (RAM) unit. “We didn’t want all the facial recognition and metal detectors that the mall wanted to buy us after 9/11,” said Doug Reynolds, director of security. Instead, the security team looked to a model of counterterrorism used to protect Ben Gurion Airport in Israel that centers on behavior detection and assessment (BDA). Naturally, the MOA uses the typical layered security approach to prevent crime, but it’s behavior detection that is central to its effort to minimize the damage and potential for a terrorist attack. The mall’s RAM officers spot anomalous behavior and quickly move in to interview subjects.
Within the timeline of a typical attack, there are just a few chances for a target’s security team to intervene: (1) when attackers conduct surveillance of
the target; (2) when they conduct a rehearsal of the attack; and (3) during the actual execution. It is within these small
windows that RAM officers have an opportunity to thwart a potentially deadly incident. “There is no possible way, operationally, that you can racially profile—there are too many motives, too many types of individuals,” said Michael Rozin, president of Rozin Security Consulting LLC, who helped the MOA set up its behavior detection program. Instead, RAM officers focus on detecting intent—one thing that all attackers have in common.
How do RAM officers detect intent? It starts by understanding the normal, legitimate behavior that exists within each area of the mall. (Normal behavior in the amusement park differs from that in shopping areas, for example.) It’s up to RAM officers—in the fifteen or so seconds they usually have—to notice individuals exhibiting atypical behavior, whether in their body language, what they are carrying, or their attire. If something seems amiss, RAM officers—skilled in security interviewing—talk to the individual to probe the situation and determine if a legitimate threat exists.
Case in point: On January 29, 2011, RAM officers noticed an individual exhibiting atypical behavior at a Government on Display event, including frequent touching of various body parts and other signs of nervousness. He also appeared to be carrying a concealed item. A RAM officer approached, and the suspect ran. Caught later by Bloomington police, he turned out to have a loaded gun and was a “sovereign citizen” (a group that denies the legitimacy of the U.S. government).
Making It Work
Whether or not a threat is successfully (a) noticed and (b) investigated depends foremost on the extent and quality of the specialized training that officers need to receive in behavior detection and interviewing. However, there are also program obstacles and best practices, and Reynolds and Rozin shared them at a recent national security conference.
Stick with It. A behavior detection program requires ongoing attention, frequent retraining, and continuous improvement. “Everyone loves a puppy,” warned Reynolds, noting that the program is not a good fit for a security department looking to implement a counterterrorism program and then forget about it.
Hire the Right People. Security interviews are central to the program’s effectiveness, and the vast majority of them are conducted with legitimate visitors who happen to exhibit suspicious behavior. Because of this, Reynolds said interviews need to be conducted in an open and friendly manner, and MOA hires people specifically suited to that type of role. “Most of them have a sales background or other social contact positions. We want individuals who can find a way to socially engage anybody they come across.”
Implement an Organization-Wide Behavior Detection Culture. “A RAM unit alone is by itself insufficient,” noted Rozin. RAM officers may undergo ten to twelve weeks of training. But everyone—from housekeeping to amusement ride operators—might need one to two days of training to implement a culture change. Appropriate groups also receive training specifically tailored to the intersection of their jobs and terrorism: human resources and insider threats, the leasing department and applicant screening, events staff and security design and threat detection, and so on. The RAM unit is the heart of the program but “to a lesser degree everyone is involved in RAM,” said Reynolds.
Adopt a New Attitude Toward PR. The MOA security department had a typically adversarial relationship with the media but now uses the media as a tool to promote the work of the RAM unit and the mall’s concern for visitor safety. MOA was specifically named in a 2015 video by al-Shabab, a Somali terror group. Homeland Security Secretary Jeh Johnson then told CNN, “If anyone is planning to go to the Mall of America today, they’ve got to be particularly careful.” Facing the prospect of shoppers staying away, MOA undertook a very public campaign to reassure potential shoppers that the mall’s security was up to the job. It invited in news media for a rare inside look at its operation, resulting in numerous reports on its diverse protection measures, including bomb-sniffing dogs, bike patrols, social media monitoring, hundreds of cameras, and explosives screening of delivery trucks. And promoting security may have worked. Despite the very specific and public threat, subsequent headlines such as “Mall of America shoppers take terror alert in stride” were commonplace.
Define the Information-Sharing Process. How and to whom will you report information that a RAM unit learns?
Reinforce Vigilance through Red Teaming. MOA uses individuals to probe for holes in the security defense and test whether RAM officers identify the problem. “It’s not easy to leave an unintended bag or to act nervous in the MOA and not get noticed,” said Rozin. “Again, though, security can’t get it done all by themselves.”