A strong physical security program should protect your organization against major threats like crime, natural disasters, and pandemics. It should also protect against day-to-day risks by tracking who is coming and going from your facility, who is using expensive equipment, and where they are going with that equipment.
Many organizations mistakenly think they have a good handle on these day-to-day security concerns when they actually don’t. Studies have found that only a quarter of any given workforce are aware of all the necessary security practices for their organization.
Does that sound like your organization? Does it also feel daunting to figure out how to improve your organization’s security awareness? Don’t worry, we’ve compiled a checklist of 36 physical security awareness tips you can use to improve your organization’s readiness.
Expand the responsibility for security awareness beyond a small team of dedicated staff. Make security awareness everyone’s responsibility, and your organization will be able to respond to threats the instant they appear.
Training gives employees a deeper understanding of the potential threats they may encounter. You can also teach them proven ways to respond so they aren’t left guessing what to do in a moment of crisis.
Make sure you have policies documenting how to handle the most common security problems your organization will face. At most businesses, this will mean threats like theft and trespassers.
You also need to document the emergency response plan for more serious events unique to your area. For example, if your region experiences hurricanes or wildfires, you will want a natural disaster response policy.
It is rare that a business can instantly shut down every single operation when an emergency is declared. Critical equipment, such as in manufacturing assembly lines, may require special shutdown procedures. Identify who in your organization needs to continue working on which tasks when an emergency is declared.
One essential staff role every business needs to assign is an emergency manager. Emergency managers stay behind to ensure your facility is vacant during emergency evacuations, and they take roll calls at muster points to confirm that everyone is accounted for.
Contagious disease can be a security threat to businesses, just like fire or theft. Make your employees aware of the risk. Make sure you have a way to screen for illnesses and a procedure for responding when a sick individual is identified.
If a visitor or contractor is acting suspiciously, say something. Only share organizational information when absolutely necessary. Discretion in everything is a good habit to cultivate.
External access points should be few, and should always be lockable and fireproof. This includes both doors and windows. The more security a space demands, the fewer windows you should install.
For main entryways and other hard-to-secure locations, you need strong access control. Have a system for authenticating the identity of every person who needs to move between secured spaces.
Tailgating is when an unauthorized person follows an authorized person through an access control point. Even minor tailgating incidents need to be discouraged to prevent bad habits from forming. Bad habits might permit a serious breach down the road.
Authentication methods need to be appropriately strong for each location. For low-risk facilities, an inexpensive PIN code lock might be suitable. To protect high-value assets or space, biometric access control might be more appropriate.
Most major access control systems allow third-party integrations. This means you can connect one master staff and access role database to multiple security systems at once for easier management.
Much like tailgating, social engineering exploits your employees’ good intentions to gain access to secure resources. For example, an attacker might innocently ask to borrow a coworker’s access card and then use it to steal company equipment. Your access control measures should verify the identity of the requesting individual and log the access request in case it needs to be audited later.
An emergency action plan (EAP) details how your business will respond to any emergency that forces you to suspend normal operations. It should include instructions for emergency managers. It should also include instructions for how to protect employees and business resources.
A business continuity plan could be part of an EAP, or separate, depending on your specific needs. You need a documented procedure outlining what your organization needs to do during an emergency and after a shutdown in order to maintain business as usual.
The more processes you can automate, the more efficient your overall security program will become. Automated security procedures are more reliable mainly because they avoid human error.
Authentication is much easier when employee ID photos are part of your credentials. Consider using access control systems that have a camera to record transaction requests.
Threats are always evolving. Your organization's security awareness needs to evolve with them. Schedule annual security assessments that look at your program’s performance for the previous year and look ahead to what you need to change in the coming year.
In addition to major annual reviews, you should build in smaller periodic assessments of your security program. This helps build the habit of security awareness and keeps your program running efficiently.
Surveillance systems have multiple uses in a security program. They improve your awareness of who and what are moving around your facility. Conspicuous surveillance systems can act as a deterrent to criminals who don’t want to be filmed. Surveillance recordings can also aid investigations after a security incident occurs.
No single security measure can protect your business from every threat. Use layers of different security measures to protect against a range of different threats.
Environmental deterrents, like fences, lighting, and good sight-lines, can stop crimes before they happen. These deterrents are especially important for organizations with large, open campuses, like colleges or industrial parks.
Fires are some of the most common emergencies a business could face. Even if your municipality doesn’t enforce fire ordinances, a good security awareness program should include fire prevention, response, and evacuation training.
Managing mobile devices requires a convergence of physical and IT security systems. The physical devices are costly to replace if lost or stolen. They also carry sensitive corporate data and can become gateways to your entire IT network if they fall into the wrong hands.
Password management is important for all IT systems, but it is especially important to mention alongside mobile device security. Security-aware organizations go to great lengths to properly manage all passwords. Enforce strong password policies, do not write passwords down, and require them to be changed on a regular schedule.
Back up all important business data, including access control databases and security logs. If a fire or other disaster damages business infrastructure, you want to be able to restore normal operations as fast as possible. That should include your security measures.
Encryption scrambles data so that it can only be unlocked and read by trusted users with the correct digital key. It is often required under industry security regulations, such as HIPAA in healthcare. When possible, encrypt mobile devices to provide an added layer of data security in the event that they are stolen.
It takes some effort to compile and maintain a complete record of every piece of equipment in your business, but that effort is well worth it. Fewer assets will go missing, damaged equipment can be tracked and repaired, and usage patterns will reveal themselves as data is collected over time. The efficiency gains will quickly outpace the overhead costs.
Your asset inventory is only as good as it is up to date. As part of your business’s security awareness program, make sure staff report missing equipment immediately. The longer equipment is missing, the lower the chance of recovery.
Security technology eliminates many risks of human error. An automated access control system won’t forget to log someone’s access request or be fooled by social engineering. Do your research first, though, so your technology purchases are cost-effective.
Good network security actually depends on good physical security. Use high-quality access control at data centers and other key network infrastructure locations.
Apply good key control practices to manage access to all valuable assets and locations in your business. Treat the keys that permit access to those resources with the same level of care you give to the resources themselves.
Even when an employee leaves the organization on the best possible terms, you should immediately collect their keys and remove their accounts. Always allow the least access possible to your buildings and IT networks.
A good security program needs to monitor threats coming from both the outside and the inside. Employees or contractors who decide to act against your business can potentially do much more damage, thanks to their insider access.
Even in our digital era, a great deal of sensitive information leaves your business on paper. Give staff collection points where they can easily deposit all business materials for secure shredding.
At its core, security awareness is about constant vigilance. This doesn’t mean you encourage your employees to live and work in fear, but you should encourage them to look out for each other and the business at all times.
The point of security awareness is to expand responsibility for security beyond a small team of dedicated staff. Make security awareness everyone’s responsibility and your organization will be able to respond to threats the instant they appear.
These physical security awareness tips are a great way to start improving your organization’s readiness. But there is always more you can learn.