Sorting mayhem and misinformation are the new realities of crisis management

March 5, 2021
The pressures of a pandemic and social unrest are challenges security and risk professionals continue to address

A crisis inevitably seems to draw out the worst traits in some people. Nothing illustrates that point better in the United States these past 12 months than the ongoing COVID-19 pandemic and the acidic aftermath of a U.S. presidential election on Nov. 3, 2020. From “anti-vaccine” conspiracy theorists and COVID-deniers to the insurrection at the U.S. Capitol Building on Jan. 6 of this year that was a direct result of toxic political rhetoric that ignited followers of the former president, along with militia and white nationalists, this time period has been an illustrated textbook on bad and inciteful behavior.

In a just-released whitepaper from G4S, the authors acknowledge how a pandemic and politics has created the perfect storm of misinformation, mayhem, violence and death, stating: “A number of opportunistic and predatory criminal behaviors and non-criminal activity involving both physical and cyberspace risks have been detected, with threat actors representing an array of individuals, political movements and organized or state-sponsored criminal groups.

Since early in the pandemic, demonstrations have occurred by individuals and groups opposed to COVID-19 related public health measures. While some of this protest activity can be attributed to a range of concurrent and overlapping political, economic, health and environmental issues, demonstrations against government-imposed COVID-19 response have often been organized by members of anti-vaccine or far-right political groups who often espouse conspiracy theories surrounding the pandemic. Significantly, vaccines, along with masks, social distancing restrictions/ quarantines and testing are consistently denounced and protested, including in and around vaccination sites, which can cause disruptions and can also carry the potential for physical harassment or violence against those involved in vaccine distribution. G4S assesses that the risk of protests will continue throughout 2021 and is likely to center around mass vaccination sites, government buildings and corporate buildings of vaccine makers. Organizations and individuals, which feature in COVID- 19-related conspiracy theories may also be targeted. Isolated acts of violence are possible, similar to the type of isolated activity seen in recent months against individuals or businesses attempting to enforce other health measures, such as wearing masks.

A high demand for vaccines along with a limited supply and distribution has led to a number of further security concerns. These include frauds and scams (such as counterfeits and using this opportunity to target personal identifiable information) and heightened cybersecurity risk.”

A Clear and Present Danger

Despite his vast experience in both private and military sectors assessing and mitigating risk and providing comprehensive security consulting, it all has paled in comparison to the realities Robert Dodge has faced during this maddening stretch of social and pandemic upheaval. Dodge, who has been with G4S since 2014 and is currently the President of Corporate Risk Services Division at G4S, has previously been responsible for managing all international offices and operations in Latin America, Middle East, Africa, Europe and Asia along with the Global Supply Chain Security Consulting Division and Global Intelligence Division. Throughout his career, Dodge has managed and operated on security and investigative projects in more than 60 countries around the world. So, playing off the cheeky Farmers Insurance commercial campaign that touts, “We know a thing or two, because we’ve seen a thing or two,” Dodge can relate.

“It's been a challenging year, but actually from a business perspective, it's been one of our better years overall. We've kept quite busy with the whole multitude of things. Parts of our business have completely shut down, like no travel, security travel, risk management, a lot of the traditional things. But other areas, dealing with the social unrest, social justice issues that manifest themselves into acts of violence across the country, spurred a lot of additional types of services. Then, we rolled into the elections, and certainly, Covid-related services for certain organizations that requested additional security or other types of risk assessments along those lines have kept us busy,” admits Dodge commenting on the “new normal” of security services. “Things have moved quickly, and the dynamics have changed. We have had to really reposition ourselves to help organizations mitigate risk in different areas.”

G4S intelligence analysts have assessed that the security threats associated with the COVID-19 vaccine include counterfeits, thefts, cyber-attacks, threats to personal identifiable information, disinformation and misinformation, protests and physical violence. Overall high risk of fraud is likely, impacting several of these security threats. For example, frauds and scams are propagated by misinformation and disinformation, include counterfeits and can lead to the theft of personal identifiable information.

So, how does the current political and social climate set the tone for what's taking place across the Covid vaccination landscape, ranging from far-right political groups and their anti-government stances to the anti-vaxer conspiracy theorist fringe groups? Assessing the current risk environment, given all the existential outside influences, has called for a fresh approach according to Dodge.

“It's hard because a lot of this manifests itself on social media. Typically, when we look at threats, we use this formula: existence, capability, and intent. Existence, do they exist, are they local, are they within proximity to us? What type of capability do they have? Do they have access to weapons or other things that could hurt us? And then, lastly, do they really have intent? When those three factors are present --.for any particular risk or threat that we're looking at -- when those human threats or risks manifest themselves -- then they go to the top of our list,” points out Dodge. “In this landscape, when is it just one's hostile rhetoric actually becoming a real threat to an organization that requires us to ratchet up our security and react quickly, versus just empty threats? That's where you have to have people in an organization that have the experience and also the understanding of these different groups. The conspiracy theorists, the far-right groups of all kinds are adding fuel to the fire of vaccine conspiracies. Sometimes the issue may not be vaccines, but they're using it as a tool to intertwine those with other political or social agendas to get their message out.”

Controlling Access Limits Risks

Dodge warns that although the stress levels across the board of our society may not be quite off the charts, they are very high. So, he figures anything that people can latch onto, whether it's identity politics or getting involved in a fringe organization, the result is a frightening expansion in those sympathetic to far-right political and hate groups or other left-leaning factions and the growing number of those trading in a conspiracy and outright misinformation.

“The numbers are swelling and growing. People are in a sense trapped in front of their computers, and there's all kinds of hostile rhetoric, disinformation on vaccines and everything else that I think people are kind of clamoring to believe in. It takes almost a full-time approach and seasoned capability to really assess which ones are real and what you should be worried about, versus is it Osama bin Laden coming to a town near me. But today, it is most likely the guy up the street, Bob from accounting, that I need to be worried about in our current fluid pandemic landscape,” Dodge laments.

For global risk consulting firms like G4S and veteran analysts like Dodge, how do they break down and assess the physical and the cyber threat vectors and address them, and determine if they are indeed converged threats or separate threats?

“In the world of risk management, both require access to hurt you. The ideal security risk program is about how confidently we handle access control, either physically or virtually. Usually, when we look at these threats and risks, it's not always the source of the threat or risk but it's the potential for damage and impact that gets us more concerned. That could be why we hear a lot about insider risk. Because the dollars and cents go way up if somebody already has that access. When you look at cyber risk and the potential damage that could be done by disrupting a power grid, by changing something electronically, that increases the temperature,” says Dodge. “But when we're talking about vaccines and other things, how well are we conducting physical access control at these facilities, segmenting vaccines and secure areas, protecting them from the bad guys, from bad actors, fluctuating temperatures? On the cyber side, we must assess the threats and mitigate things like risks revolving around selling counterfeits, theft of your personal information. We must certainly assess any type of direct cyber threat and increase our understanding of what that means and curtail the spread of damaging disinformation. I think they both (physical and cybersecurity) go hand in glove. But it's how well we do the basics, and how we educate clients to understand what these threat indicators look like will measure our success.”

The Vaccine Threat

While the physical security threats may prove a bit more obvious than the more covert and insidious cyber threats, they are all converging when a security director is assessing blowback from violent protests and possible armed militias at mass vaccine sites or government buildings. Add to that equation potential tampering with supply chain protocols or maybe even sabotaging the vaccine itself, the threats blossom into an elaborate set of challenges.

Dodge insists that the vaccine tampering risks have to be assessed in different stages, from the manufacturing sites to the transportation of the actual vaccines and all the points of distribution in between. Then throw in the health clinics, pharmacies and myriad healthcare facilities, each vulnerable to different threats, the threat spectrum substantially increases.

“If you think about some of these distribution centers like large stadiums, you're getting large numbers of people accumulating. How well thought out are some of those security threats? We've seen some examples of insider threat as well, like the pharmacist in Massachusetts (I think it was) who was a believer in those (vaccine) conspiracies. He basically took some of the vaccines out of the refrigerator, contaminating it because he didn't want it going out to people. There we’ve got the insider risk where we’ve also seen employees stealing the vaccines for their own benefits or uses,” continues Dodge, saying that from the pharma perspective and distribution, hijacking has been a concern, as well as corporate espionage-related incidents citing where multiple state actors have expressed interest in finding the vaccine formulas and attempting to -- either through cyber or physical means -- attack the vaccine and the pharmaceutical companies that are making them.

"I think that the widespread protest outside vaccine sites will continue. How widespread they will become, only time will tell. We are anticipating potential acts of physical violence, especially if we see a (vaccine) caste system built. You know, where we see rules that bar you from boarding an airplane if you haven't been vaccinated or the same protocols in order to eat in this restaurant. This mirrors some of the same outrages we’ve seen with masks, so I really think if it starts to drive into the vaccine area, we need to reorient our threat assessment along those lines and begin to mitigate those challenges. I suspect that will alienate some of these folks, even more, give them ammunition for their own conspiracies or disinformation campaigns.”

Key Action Items

Dodge and his team recommend some key action items to ensure your organization’s COVID risk mitigation strategies are aligned. Some of these are:

  • Businesses review local hotspot maps to determine if their office(s), facilities, and/or critical infrastructure are in a high-risk location for transmission of COVID-19.
  • A high degree of vigilance is recommended for cybersecurity awareness.
  • Companies should review their own cybersecurity policies and remind employees to update cybersecurity software on all devices.
  • Companies should raise awareness amongst employees not to share specific information about vaccinations online.
  • Clear communication is essential to counter disinformation or misinformation.
  • Employees should be provided with information on identifying fraudulent PPE, especially masks.
  • Update and review internal security practices that cover physical security, employee security and internal threats (cyber-attacks, disgruntled employees, carelessness, etc.)
  • Employees should be reminded that no legitimate vaccine is ever sold online.
  • A review of physical security is recommended at vaccination sites; particularly mass vaccination sites and ones that have received notable media attention.
  • All facilities involved in the vaccination process should carefully review the careful disposal of items related to the vaccine sine improper disposal may increase the risk of convincing counterfeits entering the market.

About the Author:

Steve Lasky is the Editorial Director of the Endeavor Media Security Group and is a 34-year veteran of the security industry. He can be reached at [email protected].

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]