In Crisis24’s experience, how should an organization approach evacuation when a country becomes unstable?
Graeme Hudson: Deciding to evacuate personnel from a country should never be taken lightly by an organization. The decision can elevate the risk to the organization’s personnel, impact key stakeholder’s reputations and be detrimental to overall business success. However, the ability to make timely and effective decisions is significantly enhanced when decision makers are supported by robust plans that pre-define triggers – or tripwires – and well-articulated decision prompts which guide the process.
Following events in Afghanistan and Ukraine, we have seen organizations adjust their approach to evacuation support and prioritize local staff and their families more. The moral compass has rightly shifted.
The first and most important aspect of any contingency planning is to maintain awareness. In the case of evacuation planning, an organization should gather all actionable information so that they do not get caught at the wrong end of a gradual destabilization. We saw this a lot in Ukraine in 2022. I had team members in Kyiv at the start of the year, and despite all the warnings and signposting given by various governments, nothing would shift the complacency that had set in across the country.
It is essential that organizations set their own risk tolerance. By having clarity of where the lines are drawn for tolerance, prudent decisions can be made to reduce footprints and minimize organizational exposure without fully withdrawing from the country. All this can be done before it becomes an absolute necessity to evacuate. With fewer people in harm’s way, these final decisions are easier to make and fewer resources are needed to assist in any evacuation.
In my experience, organizations wait until evacuation is absolutely necessary before starting the crisis management efforts. These efforts are better to be convened and focused when it was prudent to start implementing actions during a destabilization of a country.
What has been unique about the initial evacuation needs of Israel and Gaza?
Graeme Hudson: Following the attacks on October 7th, there was an initial and immediate increase in requests for evacuation support, primarily for business and tourist travelers caught in Israel and subsequently in Gaza. Interestingly, the primary trigger often applied for evacuation – major international government travel advice instructions for citizens to exit the country – never occurred. Insurers, however, recognized that this was a unique situation. Unlike our experience in Ukraine, we did not see a mass numbers of Israelis attempting to exit. This is a country and population that has lived in a
hostile environment for many years and feels well prepared to shelter-in-place and defend themselves when needed.
The global divide in support for Israel and the Palestinians was unexpected. The polarization of support manifested into protests in capital cities, airports, ports, universities and colleges. These protests resulted in business interruptions and Crisis24 responded to serious threats to individuals, organizations,
property and supply chains for overt or perceived support for either side of the conflict. In our experience, the threat behavior is comparable to the incidents during the 2016 U.S. Elections. In those incidents, journalists and political figures were targeted with racist and other hateful abuse under the guise of trolling.
Even though most of these incidents had no intent or capability to result in a true threat, they all needed to be taken seriously so that the real threats could be identified and appropriate measures be taken to safeguard targets and their families. With key general elections in the U.S., UK and France occurring
in 2024, there is a possibility of a repeat in this behavior.
In our ever increasingly connected world, have you seen an increase in threatening activity? What are some of the new trends?
Graeme Hudson: Crisis24’s Response Group’s experience involves threats and extortions. Over the last few years, we have seen an increase in standalone threats, whether that is threats to harm or kill or threats to disclose harmful information. Most of these threats are communicated over the internet, through emails, text messages, instant messaging applications and social media. Most of these threats do not progress beyond the threat actor venting and looking to elicit a reaction from their targets.
When dealing with any threat, it is essential to understand the intent and capability of the threat actor to carry out any threats made. Establishing information such as where the threat actor resides will certainly help with understanding capability. For example, if the target of the threat lives in New York but the threat actor is found to be in Melbourne, Australia, it will be difficult (but not impossible) to carry out the threat.
A growing and significant concern for organizations is that an active assailant is an insider. In some instances, employee behavior gives warning signs of these threats, such as a reaction to bad news like not getting the promotion they had been promised. If these warning signs are identified early enough, intervention activity can occur. Identifying the individual’s access to firearms, potential targets among colleagues or managers and collecting data from social media and other communication channels that may reveal threatening language is crucial to assess the threat actor’s intent and capability. Crisis24 frequently employs specialist psychological profiling of the potential or actual threat actor and implements de-escalation strategies to prevent violence.
Ghonche Alavi: As Graeme stated, most of these threats are over the internet. Crisis24 carefully examines messages and online posts while also reviewing the threat actor’s online profile as there is often a lot of information in their digital footprint. In most instances, this is the first step in our assessment to determine intent and capability. The main questions we ask in any threat case are, “is this threat credible, and is this person capable of either carrying out the threat themselves or influencing and mobilizing support for their cause?”.
Assessing the tone and language, and in particular noting where there are changes in the severity or frequency of posts can alert us to either an increased or diminished threat. Posts can be forensically examined to gather more details, including geolocating the threat actor. These are all integral to any investigation since assessing the feasibility of the threat actor to act on the threat is in part determined by their proximity to the potential victim.
These investigations are often coupled with monitoring of online chatter, including deep and dark web, to allow for a rolling assessment of the threat and providing evidence through actional intelligence.
These investigations are often coupled with monitoring of online chatter, including deep and dark web, to allow for a rolling assessment of the threat and providing evidence through actional intelligence.
Graeme Hudson is the Associate Director for All Hazards Response at Crisis24.
Ghonche Alavi is the Cyber Security Practice Lead at Crisis24.