Hidden Threat? They Know There’s a Problem, But Companies Are Still Failing to Intercept Real-World Dangers

U.S. corporations are facing an increased volume of threats driven by persistent political, social and economic issues, including Supreme Court decisions, gun violence, diversity, equity and inclusion, the war in Ukraine, return-to-office (RTO) orders and the ongoing Covid-19 pandemic. Concerned about the rise in threat data as well as keeping employees, their CEO and senior executives safe as they return to offices and work remotely, physical security, cybersecurity and IT, human resources and legal and compliance leaders feel increased pressure to identify threats to save their company money and reduce liabilities. 

But about one in four executives anticipate their firms will overlook at least half of these threats, while nearly one-third estimate they’ll miss at least a quarter of threats before they can cause damage, according to new study by the Ontic Center for Protective Intelligence titled, “2022 Mid-Year Outlook State of Protective Intelligence Report.” 

Based on perspectives from C-suite leaders at large U.S. companies, Ontic’s report included leaders in four functions responsible for protecting businesses — physical security, cybersecurity/IT, human resources and legal/compliance. A total of 400 respondents participated in the survey, which was conducted in June and July 2022, including chief compliance officers, chief security officers, chief HR officers, chief infosec officers and those in similar roles.

Few of the leaders Ontic surveyed said they believed their organizations would fail to respond to the majority of threats they’ll face through 2022, but the research also revealed that many companies appear to pay little more than lip service to physical safety, including extreme weather, hostile and violent behavior or threats, actions that compromise adherence to laws and regulations and events that impair IT security.

The majority of respondents (64%) said employees at their companies don’t report erratic or violent behavior or other warning signs in a timely manner, while a similar percentage (63%) say companies downplay risk to make their environments appear safe.

“Our study reaffirms that threats to businesses are many and varied, ranging from hostile written, verbal or physical actions against others, radical rhetoric or hate speech on social media and actions that compromise IT security or compliance with laws, to extreme weather events that can make working conditions unsafe,” said Fred Burton, executive director of Ontic’s Center for Protective Intelligence. “As such, cross-company threat data-sharing continues to be critical and even minor lapses in communications can result in serious security concerns.”

Here are a few more key findings from Ontic’s report:

• 98% said threat assessment or threat management training to recognize workplace behaviors that could turn violent or cause damage is important for their team to successfully execute their job, including 71% who say it is very important.
• 66% said in 2022 their company received or investigated one or more threats weekly, including one-quarter that are on track to receive or investigate up to 260 threats annually.
• Across all four functions, a majority of leaders said employees being furloughed or fired resulted in violence or harm because their departments weren’t notified. This effect was strongest in human resources, where 75% of respondents said failure to notify them led to harm or violence, compared to 72% of legal and compliance, 66% of physical security and 60% of cybersecurity/IT.
• 54% do not have a mechanism in place that allows employees to anonymously report issues, and 43% rely on employees to take the “if you see something, say something” approach to security, whether they are working from home or in the office.
• Among 110 publicly traded company executives surveyed, 78% said their company’s investment in security operations (e.g. funding, planning and policy development) is based directly on risk factors disclosed in its public SEC filings, including the 10-K risk factors; 77% agreed these barely skim the surface in terms of the scope and volume of security threats they investigate and receive.

“To function in this new turbulent normal, to grow and thrive, organizations must cultivate a culture of security. Information, action, communication, training and habit can mitigate business and mission-critical threats and liabilities, preserve business integrity and ensure critical resilience,” said Lukas Quanstrom, CEO of Ontic.

Quanstrom continued: “Communication silos still exist and different departments are inefficiently assessing the same threat. But it is heartening that U.S. companies continue to actively consolidate their multiple threat intelligence, monitoring and alerting solutions. Our research says it can’t happen fast enough: a majority said three-quarters of threats that disrupted business continuity resulting in harm or death at their company in 2022 could have been avoided if physical security, human resources, cybersecurity and IT, legal and compliance shared and viewed the same intelligence in a single software platform.”

Tips for legal & compliance teams

What are the best tactics legal and compliance teams can use to address physical threats? Ontic recommends a few moves:

• Solidify a response plan. Having an effective response plan in place can be instrumental in mitigating the impact of an incident. Once you formulate your response plan, make sure your team runs it through a tabletop exercise to ensure its effectiveness and identify gaps.
• Train employees on the response plan. Run through different scenarios with the team members responsible for addressing the threat to help identify additional gaps in the plan, and then update accordingly.
• Collaborate with your security team. Threats across cybersecurity, human resources, legal and physical security often stay in silos. Establish policies for cross-departmental collaboration before you need to build a policy during an incident.
• Review your policy with your insurance provider. Your insurance provider should play a role in helping you put your response plan in place (and don’t forget to add “notify carrier” in your response plan). While this may seem a given, it is a critical step that is often overlooked.
• Adopt a technology-driven approach. With the right system in place, both legal and security teams are able to access physical threats in real-time, allowing them to stay one step ahead of potential risks and to better protect their employees, assets and infrastructure.
• Maintain a reliable and robust audit trail. If your safety and compliance protocols ever come into question by clients, employees, authorities or shareholders, an accurate and thorough audit trail will allow you to demonstrate that the appropriate measures were taken by your organization to uphold its duty of care.