Physical Security 101

Why Physical Security Is Important

An organized physical security program helps you better manage threats and prevents unnecessary costs from eating into your bottom line. Recovering from a poorly handled security incident can get expensive fast.

Good physical security will protect your business and employees during emergencies, like workplace violence and natural disasters. It will also protect against day-to-day risks like theft and negligence, managing who is in your facility and who has access to your valuable equipment.

Top Physical Security Problems Businesses Face Today

The security threats a business will face change from year to year. Today, some of the main threats businesses face have been found to include: 

• Insider threats 
• Targeted attacks on executives 
• Political instability 
• Threats to public and private infrastructure 
• Drones for industrial sabotage 

While these threats will constantly change, the assets every business must protect remain the same: their people, facilities, and equipment. They must also manage access to these assets, protecting entryways, personal credentials like ID cards, and physical keys. 

Planning Phase 

You need to define your desired outcomes to get the most value from a physical security purchase. What is your organization looking to gain from this purchase? 

• Improved safety?
• Better compliance?
• To align security operations with strategic goals? 

To answer that question properly, you need to do a few things: 

Identify Stakeholders 

Stakeholders are those inside and outside your organization who care about how your new physical security system will operate. Internal stakeholders could be from your security team, physical plant team, or IT department. External stakeholders could be local law enforcement or business partners, for example. 

Understand Their Expectations

Seek input from your stakeholders about what outcomes they want to see from this new system installation. Are they concerned about how it will be installed and used? 

Determine How to Assess Performance

What key performance indicators (KPIs) will determine how effectively your new system does its job? For example, if you’re considering purchasing a key control system, you might want to track the number of lost keys reported in your business to see if that number goes down. Or you might decide to use the number of rekeyings your business has to do each quarter as a measure of security breaches.

Design Phase 

Once you’ve reached an agreement about the outcomes you’re hoping to achieve and how you will measure performance, you can get down to designing your new physical security system. 

Identify Necessary Products

This is the correct time to purchase any tools or integrated security systems you need. You already understand the outcomes you hope to achieve, so you can evaluate each product against those needs to see how well it might perform.  

Plan Installation Location

Now, you need to decide how your new system will fit into the day-to-day workflows at your organization. Think about when and where staff will need to use it. Will your new system need to integrate with existing security products or building infrastructure? 

For example, if you’re deploying a new asset management system, you might be able to integrate it with your IT department’s incident tracking system. The asset management system could automatically send fault codes to your IT department when employees log a problem when they sign a device out or back in. 

Determine System Configuration

If the physical security systems you’ve purchased can be customized, now is the time to do that. Also, determine what physical layout you want your system to have. Will any of the integrations you’ve identified require software updates? 

If your new system uses access control, decide which access control methods you will deploy. This could be a method you already use at your organization that you integrate or something separate. 

If you want to choose a separate method, some options could include PIN codes, proximity (prox) cards, mobile phone apps, RFID tags, or biometrics like iris eye scans or fingerprints. We’ll go over access control in more detail in the next chapter.

Implementation Phase 

Correctly implementing a new physical security system requires more work than just setting up some hardware and software. You need to define appropriate policies governing the system’s use. Who is expected to use it? How is it supposed to be monitored? 

You also need to train employees in how to use the system. You’ve invested a great deal of time and money to get this far in your implementation. If no one uses the system effectively, your business is losing a lot of value.

Access Control

Access control solutions manage traffic flow through entryways and access points in your facility. Their purpose is to restrict the access of employees and visitors to sensitive areas. 

While security guards and other personnel can perform access control when needed, it is most cost-effective to use an electronic access control solution in most cases. Those solutions can include: 

Electronic Access Control

These systems connect to a central database where employee access privileges are recorded. When employees authenticate themselves at an access point, the system verifies whether they are allowed through and opens the access point accordingly.

Employees authenticate themselves using a “token,” such as: 

• Swipe cards - Identification data is stored on a magnetic strip, like on a credit card. The card is swiped at a reader to authenticate the holder.
• RFID fobs - Radio frequency identification tokens that communicate over short-range wireless. The fob is waved near a reader to authenticate.
• Prox cards - are flat cards pressed against readers to authenticate the holder. Newer prox cards use embedded RFID antennas to transmit credentials.
• Mobile phone apps - A secure app on a user’s phone identifies them when they approach access points. Phones authenticate the holder by transmitting their identity over Bluetooth or NFC—short-range wireless standards universally available on mobile devices.
• Biometrics - Personnel use a unique pattern on their body to verify identity. The two most common are fingerprint scans and iris eye scans. The blood vessel patterns in everyone's eyes are unique.

Electronic access controls are very secure, but they can be expensive. Most organizations only deploy electronic access control at their most sensitive access points. 

Mechanical Access Control

Given the high cost of electronic access control, mechanical key and lock systems continue to secure most doors and other access points. Mechanical access control is very cost-effective for managing access points with routine levels of security. The major downside to using mechanical controls is that they lack built-in tracking and accountability like their electronic counterparts. 

Key Management Systems

Combining mechanical access controls with an electronic key management system is one model that many organizations employ as a cost-effective alternative to electronic access control. At their core, key management systems are secure cabinets with electronic access control terminals attached.  

Users authenticate themselves at the terminal and specify which keyring they want to sign out. The request is logged, and the system unlocks only the keyring selected. 

Key management systems can also automate many useful but time-consuming administrative tasks. Managers can set curfews on key sign-outs or limit the number of keys a single employee can have in their possession at one time. If a return curfew is missed or keys are not returned at the end of a shift, the key management system can alert the employee’s supervisor. 

Asset Management Systems

As with keys, many businesses find controlling access to sensitive or expensive equipment beneficial. Similarly to key management systems, asset management systems use a combination of secure cabinets, access control terminals, and smart sensor technology to control who, when, and how stored assets are used. 

Asset surveillance sensors inside locker compartments can identify assets when signed out or returned for better accountability and inventory tracking. Curfews and alerts also help prevent unnecessary losses and ensure vital equipment is ready when employees need it.

Surveillance

Surveillance is the process of gathering information relevant to an organization’s physical security. That information commonly includes the locations of potential threats, the locations of personnel and valuable equipment moving through your facility, and the activities of security personnel. 

Video Surveillance

Traditionally, video surveillance systems had to be actively monitored by security personnel to identify threats on screen. Either that or they were just used to passively collect footage for review if a security incident occurred. 

More modern security systems use video analytics software capable of detecting potential threats on their own. This software can recognize cars entering a secured lot after hours or even the motion of an attacker swinging a punch. When a potential threat is recognized, the analytics automatically notify human security personnel so they can respond. 

Alarms

Whereas video surveillance systems record what is happening inside a particular location, alarm systems monitor for attempts in access to unattended locations. Different kinds of sensors are employed for different alarm functions. 

Motion sensors detect movement in low-light or dark environments. Perimeter sensors detect when a door or other access point is breached. Glass break sensors detect the unique frequency of glass breaking. 

These are some of the most common sensor types. All of them notify security personnel to respond when a breach is detected.

Deterrence 

The purpose of deterrents is to prevent threats from ever arising in the first place.

Lighting 

Maintaining good visibility indoors and outdoors is an excellent way to deter potential threats. Lighting is particularly important around access points like doors and windows. It is also important in parking lots and other areas where people are likely to be alone. 

Physical Barriers  

Fences, vehicle gates, walls, and even shrubbery can deter criminals looking for an easy target. A barrier can deter many threats from trying to breach your perimeter if it requires extra effort to cross. 

Environmental Design  

This is most important for organizations with large, open campuses, like universities and medical centers. Open pathways, courtyards, and plazas increase visibility, leaving criminals with no hidden locations in which to operate. Consider reducing tall vegetation inside the perimeter of your campus to maintain sightlines in every possible direction.

Response  

Lastly, physical security can use electronic solutions to aid response efforts after identifying a threat. 

Personnel Tracking  

This is most important in high-security environments, like corrections centers. Any facility at high risk of experiencing violence or of becoming the target of an attack must be able to identify the locations of security personnel for rapid response instantly. A guard tour system is one solution that monitors personnel movement in real time to ensure maximum readiness.

Evacuation Management   

Fires, natural disasters, and other emergencies require an immediate response from all parts of your organization to ensure your personnel's and your business's safety. Managing evacuations is one of the most important parts of emergency management. 

Automated emergency mustering and roll call systems verify whether personnel are safe at muster points or at risk inside your facility. This information helps emergency managers and first responders act more effectively during chaotic and dangerous circumstances. 

Building a True Culture of Cybersecurity 

Security becomes everyone's job when threats can come from anywhere, physical or digital. However, building an effective culture of security—specifically cybersecurity—requires weaving awareness of threats into the fabric of daily operations. Occasional training or policy updates are not enough. 

Employees need to be empowered. They need to understand their role in your organization’s security push. And it's about strategically using smart technology to simplify secure practices, making them intuitive. 

While there’s no single blueprint for security convergence and culture building, there are established best practices and industry standards that can provide a reliable framework. 

For cybersecurity, some of the most popular include: 

• ISO 
• NIST 
• COBIT 
• CIS Controls 

And don't try to do everything at once. Within those standards, find one practical cybersecurity or converged security process you can adopt, master it, and then expand from there. Keeping it simple and maintaining consistent progress are key. 

Here are a few potential starting points for converged security practices you can work with: 

• Identity Management: Focus on controlling access. Implement role-based access and multi-factor authentication for critical assets, both physical and network-based. 

• Incident Response: Develop a clear, concise plan for responding to emergencies. Outline roles, responsibilities, and escalation procedures. This prepares your team to react effectively when something does occur. 

• Data Backup: Protect your data with regular backups. Store them off-site and encrypt them. This safeguards against data loss from both hardware failure and cyberattacks. 

Take a Multi-Level Approach to Cybersecurity Culturebuilding

Cybersecurity culture-building requires buy-in from every level of your organization. But what you need from each level is different.

Executive Level—Setting the Tone 

Culture starts at the top, and an executive champion provides invaluable support for culture-building initiatives. Leaders must champion cybersecurity as one of their organization’s core values. They need to demonstrate their commitment to it through visible actions and consistent communication. Your CIO or CISO will drive strategy for cybersecurity, but non-technical executives should also play their part by modeling secure behaviors.  

Departmental Level—Ownership and Integration 

At the departmental level, directors and managers must embrace cybersecurity as an integral part of their daily operations. They should encourage teams to discuss security as a regular agenda item during meetings and promote collaboration between their business units and security teams. 

Individual Employees—Empowerment and Accountability 

The executive level provides top-down reinforcement. But you also need to take a bottom-up approach. Employees need to understand the specific threats they might face daily and feel empowered to act when something happens. Combat the bystander effect by fostering a sense of individual responsibility. Ensure employees know how to recognize suspicious activity and have clear reporting procedures. 

AI Augments Human Security 

AI-driven tools offer significant advantages in security, where rapid responses are frequently necessary. AI and Large Language Model (LLM) systems can process and respond to information, camera feeds, and other security systems much faster than human operators. 

AIs are also capable of more sophisticated responses than traditional IT systems. Despite their best efforts, human security personnel are susceptible to fatigue and lapses in judgment. AI, on the other hand, provides constant vigilance. And as computer viruses and phishing attacks become more sophisticated and harder to detect, AI endpoint security tools can more rapidly assess when a user’s mobile device or computer is compromised. 

It is important to note that human-equivalent AI does not currently exist and may never exist. Today’s AIs are specialists, very reliable, and fast at performing very specific tasks. While AI can identify potential threats, the crucial decision-making and response remain firmly in human hands. Their role in security is to augment, not replace, human judgment. 

Perform a Strategic AI Rollout 

As with other major integrations we’ve discussed here, a phased approach is best if you're considering integrating AI into your physical security strategy. Start with pilot projects, testing the technology in specific departments. This allows you to evaluate effectiveness and fine-tune your approach before wider implementation. 

For expert guidance, consider partnering with security specialists. They can assist with site assessments, equipment placement, and comprehensive training for security personnel and administrators. 

Develop a Full Physical Security Program 

Tackling security challenges one issue at a time is inefficient in the long run. It is like locking your front door because there’s someone threatening you on your porch and then waiting for another reason to close the windows out back. 

Developing a fully integrated physical security program is a much more comprehensive approach. Physical security programs are made up of people, processes, technology, and documentation. They also include the performance data you collect on how those elements function. 

These elements will be designed and measured against a recognized security framework in a good physical security program. Doing so allows you to benchmark, evaluate your performance, and apply changes to your program according to established best practices. Many professional or industry-specific standards, such as ISO 27001 and NIST PE-3, are available to guide these decisions, which are linked in the Resources section below. 

How to Identify Your Physical Security Gaps 

Your organization is only as safe as its least secure asset. Identifying where these shortcomings are in your security program is called a gap analysis. You measure the gap separating how effective you are today at a given security practice and where you want to be. 

To take key management as an example, are you handing out keys to third-shift contract cleaners? Are those key transactions time-stamped and recorded? If the answer is no, what security incidents could be avoided if you implement that tracking? 

Penetration testing is one method you can use as part of a gap analysis taken from network security. This involves conducting mock attacks against your security measures to see how far an attacker can penetrate your organization’s defenses. Conduct your penetration testing and gap analysis according to the best practices outlined in a security framework that makes sense for your business. 

Employee Accountability 

Physical security programs do more than manage major risks associated with crime and natural disasters. They also protect your business against costly day-to-day accidents and errors. They can protect against things like lost or damaged equipment hurting productivity, especially when they can result in regulatory violations.  

Physical security programs can also prevent small operational inefficiencies from snowballing into full-blown safety and security problems. For example, poorly maintained equipment might cause a fire that requires an emergency evacuation. 

Learn More 

• ISO 27001  
• NIST PE-3  

Designing a Secure Facility

• Keep signage for high-security facilities to a minimum. Don’t help attackers by enhancing the facility’s visibility. 
• During design, invest in fireproofed doors, walls, and ceilings. 
• Remove all non-essential flammable materials from high-security spaces. 
• Have two entryways at most to these facilities. More entries means more monitoring and more potential points to be compromised. 
• Reduce the size of windows so they can’t be used to gain access. 
• Train personnel authorized for these facilities in specialized emergency evacuation and lockdown procedures. 

Protecting Business Equipment 

• Identify which is general-use equipment and which is essential equipment. Store and manage them separately. 
  
• Store equipment away from doors, windows, and HVAC systems, like air conditioning vents and radiators. 
  
• Secure loose cabling away from high foot traffic areas. 
  
• Maintain records for all essential equipment, including model numbers, serial numbers, and warranty information. 
  
• Before maintenance is needed, identify internal or external technicians certified to repair essential equipment. 
  

Prevent Theft 

• Clearly and permanently label all expensive and essential equipment with your organization’s contact information. 
  
• Train staff to challenge all visitors who are not clearly presenting access credentials. 
  
• Log all equipment transfers into and out of secured facilities. Log both essential and general-use equipment. 
  
• Train staff in secure transportation and storage procedures for mobile electronics.

Protect Business Data on Paper, Too 

• Keep photocopiers, fax machines, and scanners away from high foot traffic areas and out of view. 
  
• Configure printers and copiers to label all confidential materials as “confidential” upon printing. 
  
• Provide secure shredding bins for staff to discard confidential paper records.