Physical security really does matter. When it comes to protecting your property, stock, customers, employees or other assets, the physical security measures you can put in place form the foundations for any other loss prevention or information security program. Implementing good physical security measures saves you money in the long run and is often a basic requirement for insurance coverage.
Unfortunately, physical security measures are frequently overlooked. Even when they are considered, organisations often devolve them to the facilities management team rather than a centralised security domain. To make matters worse, even when physical security is a part of the organisation, it is unfortunately common for this function to remain on a separate reporting chain from the rest of the security and risk management activities.
This is not good for your business because physical security is important. Just to reiterate something we have said lots of times – not having robust physical security processes, properly implemented, in your organisation undermines all your other security controls.
The problems with physical security
The world isn’t a perfect place and there are some factors which lead to problems when it comes to perfecting your security measures.
- Physical security isn’t generally exciting or newsworthy. It doesn’t matter how important physical protection measures are, information security and the threat of Cyber-Hackers is always going to grab the headlines. When it comes to spending priorities, headlines win.
- Physical security is sometimes (wrongly) seen as something anyone can do. Even though it is a very specialised field, there is an assumption that anyone can look at locks or put up a fence.
- It is often too late for the most cost-effective physical security controls, and this leads to organisational inertia against implementing new ones. The best time to implement security controls is at the design stage, but for most this is not an option and you are faced with bolting controls onto existing facilities.
Physical security – solutions?
The hardest solution is also the most important one. Security is important and all your key stakeholders need to realise this and fully understand the implications. If your organisation has a Chief Security Officer (CSO) then it is a step in the right direction, but there still needs to be continued effort to ensure that security gets the right profile. If you don’t have a CSO, then the job of selling security is yours. Work hard.
The second solution is to realise that physical security is very much a discipline that needs skilled, qualified and experienced professional staff for it to work. This comes at a price, but remember, paying an unskilled, unqualified person to do physical security is not a saving – it is just a waste of money. You wouldn’t try to cut corners by asking your sales manager to double as an accountant or legal advisor, so don’t do it with the security professionals. Facilities management is linked to physical security but it is not the same thing, and there is no automatic assumption that someone good at one role is good at the other.
The last problem in the list above is where it gets interesting.
If you are moving to a new home, your business is building new premises or even just expanding, then you have the chance to get the best possible value from your physical security measures. Designing in security allows you to ensure that every control is suitable for your needs and implemented for as little cost as possible.
Sadly, this is a very rare situation.
It is more likely that you need to build security into an operating environment – be it a home built years ago, offices in constant use or a busy warehouse. Here you no longer have the option to specify what the walls will be made out of, or how high the windows will be from the floor; you simply have to implement physical security in the best possible manner.
The best way to do this is by using good physical security design.
This is not design in the way you might do it for a new site, where the physical security professional sits down with architectural drawings. Instead, it is using your experts to design a robust physical security program that fits your situation.
A well designed physical security plan will follow some common steps, similar to the normal quality assurance / continual improvement process models:
- Identify the goals of the physical security plan. [Plan]
- Design & implement the physical security system. [Do]
- Evaluate and test the system. [Check]
- Monitor and manage (and improve) the physical security system as part of your normal business. [Act]
It is a mistake to allow this process to turn into a box-ticking, check-list exercise, but for some stages having reference lists can help ensure that nothing gets overlooked and that you can demonstrate due diligence to an external party.
An example of where a physical security check-list might help is during the planning stages when you need to carry out surveys of the site and determine what is already there and can be used. We have produced a physical security assessment form [available for free download] which can be used for this purpose or can form the basis of one developed for your own purposes.
At Halkyn Consulting we offer a wide range of physical security services, including design assessments for new build, risk management and physical security improvements. If you have your own security team, we are always happy to provide support, guidance and mentorship to help improve your security, protect your assets and reduce any losses. Get in touch to find out more.