Whether facilities have a physical security plan in place or are planning to implement one, there are a few common sense things to consider.
The planning, implementation, operation, and maintenance of physical security—whether for one facility or many—will benefit from facility executives taking a common-sense approach to the task.
The first thing that needs to be identified is “the purpose” of any given part of the system.
This sounds simple enough. However, for any physical security system—whether it be closed-circuit video, access control, or compulsion, the team must identify first the overall purpose of the methods that will be deployed.
Once the general sense has been identified, a deeper examination needs to take place to identify each component of the systems to ensure that each device deployed has a natural, defined purpose and use.
The basic rule here is that if the goal for a machine cannot be identified, it is probably not effective in the overall plan.
Consideration must also be given to the operators of the system—those individuals who will interface with these systems daily.
There is a vast selection of effective technology in the security industry today; the key is fitting the right technology to the organisation’s needs.
Just because it is the “latest and greatest” technology does not necessarily mean it is suitable for the application and requirements. Facility decision-makers should invest the time in research and due diligence to determine the right technologies.
Additionally, if the systems deployed are complicated to operate, the operators begin to discontinue relying on them as a tool. Aspects related to the operation of these systems need to be identified: Are you using in-house staff or a contract service?
How many hours a day is a system actively monitored? How and when are reports prepared, and by whom? These are just some of the questions to consider.
The next point of consideration would be the stakeholders. The rule of thumb here is that anyone who potentially interfaces with a physical security program should be considered as a stakeholder—no matter how minor.
Here is a list of potential stakeholders in a physical security program: facility managers, security managers, human resources departments, IT departments, owners, architects, engineers, security consultants, system operators, guard personnel, construction managers, and other trades (e.g., electrical and HVAC contractors).
A physical security program touches many facets of the business, whether a corporate office, a school or hospital campus, a government building, a mall or shopping centre or virtually any space that requires some security plan and implementation.
After evaluating the needs to be addressed with the security program, some other considerations should be considered. This involves an intimate knowledge of the business and how it operates.
Questions to ask about the site's future include: Will it be expanded or remodelled in the foreseeable future? Will second (or more) locations be involved in the future planning? Is this facility standalone, or is it a part of a group of similar facilities (such as a hospital or school campus)?
Many times the physical security plan and programs are predetermined by existing products or systems already in place in other facilities.
Questions need to be addressed as to whether the new systems being designed and deployed are the correct techniques to be interconnected with the existing systems and programs. Additionally, is the facility being planned to have any distinct needs?
All of the physical assets your organisation owns is your property, and your property is essential. You depend on your property in some different ways, depending on the type of organisation you are.
You Sell It
If you work in manufacturing or some form of retail, you likely have inventory ready to be shipped or sold. If this inventory gets damaged or stolen, your profits are out the window.
Even if the products are not ready yet, raw materials are also valuable and, if damaged, maybe unusable and hurt production. Wholesalers sit in inventory warehouses, and Etsy sellers have their stashes of raw materials – from yarn to wood to fabric to metal – waiting to be turned into something amasing to sell.
- Inventory waiting to be sold
- Products to be shipped to customers/retailers
- Raw materials (metal, ink, paper, fabric, etc.) are used to create your product
You Rely On It To Do Your Work.
Even the most minor organisations have the equipment they rely on and the supplies they need to do their work. Think of all the physical objects offices use every day:
- Pencils, pens, staplers, Post-its, paper
- Shipping materials, like boxes, envelopes, stamps, postage scales
- Scanners, computers, phones
- Toner and other supplies
Consider the things factories, auto shops, and medical facilities have
- Replacement parts
- Lab tests
- Diagnostic equipment
- Reference manuals
It Keeps You Comfortable.
All of the physical things in your environment that keep you safe and comfortable are property, too.
- The building, with walls and a roof to block out the elements and windows to let in natural light.
- Environmental control systems, heating and cooling, air handling, plumbing
- Furniture, including comfortable desk chairs, desks with drawers, shelving to store supplies
- Break and restroom facilities, which may include refrigerators, microwaves, and necessary fixtures.
- Parking lots or garages that let you park close to your office.
Now think of your workplace without some or all of these things. If your inventory is gone, you now have the hassle of filing an insurance claim – assuming you have insurance – and reordering/recreating your list, possibly at a loss.
Maybe you’ve had the experience of coming to work, and the copy machine or printer is down. Or your computer is on the frits. Computer downtime costs businesses $1.5million annually. You have to stop working and spend unproductive time waiting for it to get fixed. If your electronic equipment or furniture were damaged or stolen, you’d be in a bind. Imagine someone came in and stole all the office supplies and the toilet paper as a prank. Not only would you be unable to work, but the cost of money and time to replace it all is also frustrating.
If someone damages the building, sabotages the HVAC system and is now stiflingly hot, there is a cost associated with fixing it.
Even if you are a small organisation and the building itself isn’t yours – maybe the furniture and computers aren’t even yours! - you’d still want it protected because it is how you do your work. You lose productivity if your employees are uncomfortable or are in any way hampered in doing their jobs.
Your employees are your most valuable asset. Work would grind to a halt without them. The knowledge and skills they possess are not always easily replaceable. And while it shouldn’t have to be said, we’ll say it; they are people. They are human beings. Keeping them safe should be a top priority.
Certain workers are more likely to experience violence at work. These include those who
- Work alone
- Work early or late shifts, arriving or leaving when it is dark
- Handle money, either exchanging it with the public (as in a bank or retail space) or delivering it to a bank for deposit
- Work in fields with higher risks, like health care and social services
Violence isn’t the only thing to be concerned about, though it is the first thing that often comes to mind when people think about workplace security.
Security and safety go hand-in-hand. Some organisations have hasardous materials on site that should only be handled by experts. Others have heavy equipment that could easily injure a person while it is in use.
Even those who work in offices likely have rooms full of cleaning chemicals, HVAC equipment or other equipment that come with their own sets of risks.
There might be equipment sheds on site that contain snow ploughs, lawnmowers and hedge trimmers. Trying to use a piece of equipment they don’t know how to use could result in injury.
Securing the premises from vandals and thieves is also a way of protecting employees. If someone damages property or ransacks the office to steal something valuable, employees may get injured in the process.
Even if no one is at work at the time of the destruction, think of the hasards that might be left behind when employees return to work. Broken glass, overturned furniture, and slippery floors leave your employees at risk for injury.
Data And Intellectual Property
While most people often do not consider data and intellectual property to be physical assets, they can indeed be accessed physically and therefore stolen in such a manner.
They also happen to be vulnerable to theft and destruction via remote access, which is why so much attention is paid to the internet and network security.
However, data is just as likely to be stolen via the old school method of obtaining it in person, even dumpster diving. There are multiple ways this can occur.
- Paper files: Papers strewn on desks and in file cabinets are at risk of being stolen or photographed.
- External drives: Flash drives are small, easy to hide and easy to transport. On-site crooks can grab them quickly.
- Employee-owned devices: Laptops, tablets and mobile phones that contain copies of organisational materials may not be as secure as company-owned devices.
- Company devices: Even company-owned devices, if they are not appropriately secured, could be taken off-site and have the data harvested from them.
- Prototypes: if your organisation is developing a new physical product, there may be a prototype lying around. If this proprietary item is photographed or taken, the information could be leaked or sold to competitors.
- Listening ears: Sometimes data isn’t seen; it’s heard. Conversations are something that needs to be considered part of authorised data transfer.
Physical Security Planning, Step 1: Evaluate
Every consultant, framework, and advisory on physical security planning suggest evaluating the project before making any changes.
This is not without good reason. Only by first understanding the landscape can efficient defences be implemented by your team.
There are some considerations:
- Property Type – what type of property is it? Is there a requirement for obvious deterrents?
- Location – where is the site? Is it a location of civil unrest?
- Budget – what is the realistic budget to meet expectations?
- Assets – what is stored within the property? Is the property itself of value?
- Internal Stakeholders – who is likely to be onsite in the event of an attack? Could there be potential for loss of life?
- External Stakeholders – who could potentially be onsite? What level of authorisation is required?
- Threat – is the property/owner/business aware of any existing threats?
- Access/Operation – what access control will there be? Who will be the leading operator?
Other considerations may also be warranted depending on the nature of the facility.
Take a Data Centre, for example.
Due to the nature of this scenario, Security Operators or Facility Managers within the data centre must consider every threat within their initial physical security plan.
From untrustworthy personnel purposefully leaving the property insecure to unauthorised tradespeople gaining access with a master key to angle grinder attack out of business hours.
Paying equal attention to both cyber and physical threats, a number of these threats can be mitigated through new procedures.
The untrustworthy personnel lead to questioning the vetting process of new employees. Unauthorised intruders highlight a vulnerability in access control.
However, the angle grinder attack, more unlikely, would require a heavy-duty physical defence such as an Obexion MD SR4 Shutter.
This step highlights vulnerabilities in the project, therefore a vital part of the process.
Again within the scenario of the data centre, the physical security measures are ultimately seen as a preventative measure against professional means of attack.
In reality, this is simply one element of the more comprehensive security protocol in place.
Physical Security Planning, Step 2: Validate
Once the threats have highlighted vulnerabilities in the procedures, the physical security plan can be supported by industry security standards.
In our experience, the majority of clients understand before approaching us what their property requires.
This is determined by the evaluation we covered in Step 1. Then, supported by your security consultant and product manufacturer’s recommendations, the project can progress.
However, clients or contractors on some projects are unfamiliar with the recognised standards.
LPS 1175 and its security ratings are globally recognised for accrediting and testing security products.
Governed by the Loss Prevention Certification Board (LPCB), LPS 1175 is concerned
specifically with three critical elements:
- Detect (electronic)
- Deter & Delay (physical security)
- Respond (personnel)
How To Protect Your Organisation
There are multiple ways to work to secure the premises and be proactive about security and safety. Not all of these will be appropriate for all organisations.
The strategies for protecting people and for protecting property are often very similar.
- Access control systems: These systems are designed to verify a person’s identity using credentials previously supplied by the organisation. Only people with appropriate credentials are allowed to enter certain areas. Doors lock automatically and unlock only with approved credentials.
- Security personnel: In some organisations, it is appropriate to have on-staff security guards trained to keep an eye out and respond to threats. In others, it may be more relevant to have an on-call security company that can send staff when there is an anticipated threat, e.g. an employee is being fired who has exhibited anger issues.
- Visitor management systems: These systems require all guests to register upon arrival and sometimes to be issued a visitor badge identifying them as a guest. This can help prevent them from gaining access to dangerous areas. It is also a way of screening visitors, making staff aware of the arrival of a guest who is deemed a threat.
- Non-disclosure agreements: To protect data, employees and visitors alike may be required to sign documents agreeing to keep what they see and hear private. While this isn’t a silver bullet – someone with ill intentions to share organisational information likely will – it can discourage casual data transfer and give the organisation a path to seek damages.
- Security protocols: Perhaps the essential part of your security plan involves guidelines people follow and instilling these guidelines in your employees. It is likely your security handbook will have many different procedures to follow. A few examples:
- Always having employees go in pairs or be accompanied by a security guard to deposit money in the bank. This is a safeguard both for the employees and for the assets. (There is less temptation for the employee to steal from the money bag if there is another set of eyes.)
- They are prohibiting the transfer of company data to employee devices and vetting employee devices before allowing them on company systems.
- They require all visitors to sign in and have a visitor photo taken and encourage employees to pre-register guests.
- We are running regular safety drills and training employees on emergency procedures.
- Security cameras and alarm systems: Cameras and alarm systems, much like door locks, keep honest people honest. They also provide just-in-time notification to security personnel, law enforcement and emergency services in case of a problem. If there is a fire or robbery in progress, the right people can respond quickly to neutralise the threat. Even in discovering a crime after the fact, cameras create a record that can be used for investigation and prosecution.
What To Include In An Effective Plan
Effective physical security planning:
- accounts for increased risks in places where you have collections of information and physical assets, and higher concentrations of people
- accounts for the specific needs of your organisation’s different work locations
- includes scalable measures to meet increased threat levels and accommodate changes in the overall national threat level
- includes a system of controls and barriers to help your organisation deter, detect, delay, and respond to any threat: external or internal
- Addresses the risks associated with shared facilities and the security requirements for working away from the office.