Extremism is nothing new for seasoned security leaders, but with the violence by both left- and right-wing extremists this past year, it’s on everyone’s radar now more than ever. “As a career FBI agent with exposure to jurisdictions across the country, I can say with some degree of credibility that (extremism) has gotten worse in recent years,” says Adam S. Lee, Vice President and Chief Security Officer at Dominion Energy Services in Richmond, Va.
The United States and other countries have a history of political unrest and extremist acts, but Lee says the difference now is that society is more divided than he’s ever seen it. “Perhaps most concerning to me, our leaders—federal, state and local—too often excuse or even encourage lawlessness in pursuit of political ends,” he says. “After a quarter-century working these issues, that, in my assessment, is a new and dangerous dynamic.”
“I think (extremism) is going to be a bigger focus for security departments,” says Matt Hollandsworth, Director of Corporate Security, Facilities, and Safety at AMERICAN SYSTEMS in Chantilly, Va. “How do we prevent it? How do we detect it? And how do we train our staff appropriately to respond? I think, from that perspective, it’s going to affect us more.”
Extremism and Private Sector Organizations
Whether it’s a company’s people, property or shareholder value, extremist groups from either side of the spectrum can be a threat, says Tim Gallagher, Managing Director of Business Intelligence and Investigations at Kroll in New York City. “It doesn’t make a difference as to what the ideology is of the extremist group, if you’re running a company, you could be targeted,” he says.
Extremism has the potential to impact private sector organizations in multiple ways. For one, company employees could become involved. Companies like AMERICAN SYSTEMS who have government and private contracts may have staff members inadvertently caught up in extremist acts at government or other notable buildings, Hollandsworth explains.
If employees engage in extremist activities, this can reflect unfavorably on the company brand, says Greg Wurm, Vice President and Chief Security Officer at Anthem, Inc., Indianapolis.
Even worse, staff members could be associated with a foreign terrorist organization or be a member of a hate or anarchist group looking to carry out their goals through illegal means, Lee says. At least in these situations, Lee notes, company policies usually give security and human resource departments the ability to take action.
The more difficult circumstance, Lee believes, is employees who are expressing extreme views at work, looking at extremist material on company devices, and perhaps even exhibiting concerning behaviors, but are not members of an extremist group and haven’t made a declaration of extremist beliefs. In these cases, security leaders have the complicated task of figuring out how to manage and/or monitor these individuals more closely before any potential damage to the enterprise occurs.
Enterprises can also become the target of extremist acts due to factors such as their business model or their political affiliations, says Casey Johnston, Director of Global Security, Risk, and Intelligence at Anthem, Inc., Indianapolis. “Whether it’s environmental extremists upset at a company due to its impact on the environment or religious extremists targeting a company based on its support of a foreign government, those threats could be external or internal,” Johnston says.
Insider Threat Programs
Many enterprises have some sort of insider threat program in place. This may include monitoring employees’ internet use, for example. Gallagher says it’s important to have policies in place with human resources that include employee agreements to “a certain level of monitoring as a condition of employment, whether that be email traffic on your system or things that they post on social media.”
At Anthem, Johnston says they have awareness campaigns to teach employees when and how to report suspicious activity and concerning behaviors. They’ve also developed a cross-functional threat management program with team members from security, legal and human resources, as well as an external consultant, and trained the team to review these cases. “We’re really trying to spend more time and resources to increase some of our intelligence capabilities,” Wurm says. “I think it’s also important to do some information sharing and to belong to some of these large global security associations or groups to exchange information within the industry.”
Dominion Energy’s insider threat program looks for potential threats from employees (concerning behavior, suspicious network activity, misuse of company devices, etc.) while also working to make sure that staff members don’t feel like they’re being spied on, Lee says. Of course, any employee who is exhibiting extremist behavior needs closer examination or further action, but “our efforts are politically agnostic,” says Lee. “Our focus in providing security services is on our core values and the behaviors that create risk to our customers, our employees and our assets.”
For AMERICAN SYSTEMS, a strong insider threat program is key, Hollandsworth says. There’s the information technology (IT) side of network tracking and monitoring—in this case, for employees visiting extremist websites. There is also employee training on being aware of suspicious behavior, but “we tweak that a bit to look at not just the person’s emotional sense, but what are they doing? What are they talking about?” he says. The company also makes a point of having a culture that encourages reporting by allowing employees to disclose concerns anonymously.
Intelligence Sharing
Since 9-11, law enforcement and government entities have significantly increased the amount of intelligence they share with private entities, Gallagher says. Even so, “law enforcement is not able, in many cases, to actually provide the resources that mitigate that threat.” If security teams don’t have the bandwidth to mitigate potential radical or extremist threats, then working with an outside consultant can be helpful in this area.
As a former Special Agent in Charge with the FBI, Gallagher is familiar with intelligence sharing from both sides. “In the FBI, we were pushing information out to our private sector partners to help them stay safe and mitigate the threat. From this side, where I’m the recipient of the information, I utilize it now to formulate mitigation strategies to keep people safe,” he says.
Lee, who is also a former FBI Special Agent says that relationships with law enforcement are critical to security teams and enterprises globally to help manage the threat of extremism in the workplace. He notes, “Developing those relationships take time and involve trust.”
Outside Threats
Experts say that a large part of mitigating risk from extremism involves trolling social media for external threats. Because Dominion Energy powers intelligence community elements and Department of Defense facilities, its close connection to the government makes it a target. “Many extremist groups that are adversarial to the business operations of the energy sector are active and often threatening on social media platforms,” Lee says.
The summer of 2020 saw riots that affected downtown Richmond, including destruction of Dominion Energy property. Since then, the company has acquired new technology solutions to protect its people and assets from any type of outside threats, including extremism. The organization also recently completed active threat/workplace violence training with their staff to prepare them for potential threats.
Johnston says that most of Anthem’s security programs monitor and handle both internal and external threats. “Externally, we look at industry activism and the activity of those activist groups, as well as any decisions made by our company that could potentially increase negative sentiment or animosity toward us and put us into the cross hairs of one of these activist groups,” he says.
Boosting Extremism Planning
Many companies already have good programs in place when it comes to planning for extremism, Hollandsworth says. He advises looking at your existing programs through the lens of an extremist. “Maybe there are some additional things that you can do or some adjustments you can make,” he says.
Having a formal threat assessment team and program is useful, Wurm says. “They can weed through the true threats versus the white noise out there amongst all the disinformation campaigns,” he says. Wurm also believes that having a good working relationship with different departments within the company, such as HR and legal, are beneficial. These holistic relationships enable feedback that can help enhance your own program, he says.
Johnston says relationships with corporate communications and those in charge of the enterprise’s social media are important too, “since they’re the ones that are out there every day, looking at what’s being said about the company. They really are a force multiplier to assist with intelligence gathering.”
Perhaps most importantly when it comes to radicalism and extremism in terms of threats, is to have a strong handle on your organization’s risk profile. “There are so many different risks and threats out there, it’d be difficult to allocate the same level of resources across the board, so really understanding what your risk profile is helps to focus your efforts on those areas that present the greatest risk to the company,” Johnston advises.
In addition, Gallagher recommends developing a robust reporting program within the organization. “Have a system in place and encourage people to use it,” he says. Make sure employees know they can report anonymously. “People don’t want to come forward because they don’t want to risk someone’s reputation if they’re wrong,” he says.