What is physical security and why does it matter?
Physical security is a set of security measures taken to ensure that only authorized personnel have access to the equipment, resources and other assets in the facility those measures are laid out for. Physical security measures span a broad spectrum of methods to deter potential intruders, including technology-based methods. Well-implemented physical security protects the facility, resources and equipment against theft, vandalism, natural disaster, sabotage, terrorist attack, cyber-attack and other malicious acts. To implement physical security, a security perimeter is defined around a facility and a number of countermeasures can be enforced.
Where and how much physical security is needed?
Physical security is a comprehensive term for a broader security plan. It is fundamental to all other security measures. For example, barricading the entrance of a data center facility would be the first point of physical security, and a biometric door to access a computer in the server room inside this building would be a further level of security. Physical security becomes more important for critical systems and facilities, for example server rooms, production bays, data centers, nuclear reactors and electricity power grids. A physical security plan is laid out after assessing possible threats and analyzing the losses that may occur if any events take place.
- Fenced walls, razor wires: work as a first point of physical security and deter intruders by posing a risk of bodily harm
- Locks: a typical physical security countermeasure that allows access only to individuals with a key
- Protective barriers: deter speedy or forced entry of persons, vehicles, etc.
- Security lighting: gives more visibility to security personnel, surveillance cameras, etc.
- Security guards: add human intelligence to physical security
- Surveillance cameras, sensors: can record and track movements and changes in the environment
- Smoke detectors, fire fighting systems: to stop a fire event
- Access control (smart card, biometric): to allow only authorized personnel in a restricted area
Why is physical security important in organizations?
Business continuity is of extreme importance for organizations to survive in today’s competitive market, and a potential loss event can affect it negatively. These events need to be addressed and mitigated. Security of sensitive information is also a crucial aspect for organizations, as any leakage of information can impact the business, for example a new product design or the launch plans for the next product.
“About a third of the worst security breaches of the year resulted in financial loss as a result of lost assets. These included both physical assets and intellectual property. Small companies reported relatively small losses, averaging £150 – £350. The picture was much more variable for large organizations, with an average cost of £30,000 – £45,000.”
Using technology in physical security has greatly improved the ability to secure facilities and resources; on the other hand, it poses new threats and loopholes as well. For example, a modern electricity power grid makes use of information technology and can connect through the network with other power grids, but this connectivity also opens the door to an unauthorized user who understands the system and its loopholes gaining access to the power grid controls and blacking out an entire city.
How can effective physical security be achieved in organizations?
Organizations often tend to apply a copy-paste approach to physical security. They choose to do what other organizations are doing to implement security. This approach ends up overlooking their own particularities and criticality. For organizations of the same kind and size this approach may be effective, but not when they differ. To overcome this copy-paste tendency, risk based physical security planning is the best way to start.
Spending a huge budget on implementing full-fledged physical security, from fenced walls to armed security guards and from access control to drone surveillance, may not be an appropriate choice unless it’s a high security nuclear reactor or military weapon development facility. Spending on physical security must be justified by a risk based approach to rolling out security measures.
Identify your security risks
Without identifying security risks and the potential losses they may cause, implementing physical security would be like taking medicine without knowing the disease. In a risk based physical security implementation approach, high priority risks are addressed first. For example, for a factory engaged in manufacturing fireworks, mitigating the risk of fire should be the top priority, not installing a surveillance system.
High priority risks
High priority risks, if they occur, may not only bring operations to a complete halt but also pose a threat to human life and assets, which will in turn bring huge losses to business and value. Unfulfilled products or services will have long term effects even after business operations are restored. Dealing with high priority risks can prevent events that could turn out to be a nightmare for an organization. Security risks with moderate and low priority can be addressed when all high priority security risks have been dealt with.
Risk based physical security implementation starts with identification of everything that could be at risk at some point in time or in some event. For example: people, property, information, national security, infrastructure, brand value, reputation, etc.
Preparing risk matrix
A risk matrix can help you quickly compare the likelihood, consequences and rank of all identified loss events. It can be used to quickly identify the risks that need to be addressed on priority.
Identifying possible loss events
A number of possible loss events can occur within an organization. The causes of these loss events can be external or internal. Some loss events depend on the specific industry type and vary from organization to organization. Theft, robbery, sabotage, burglary, terrorist attack, vandalism and disclosure of sensitive information are some examples of loss events.
Determine likelihood of event
In the above example of the fireworks factory, fire would be a very likely event and can straightaway be treated as a high priority risk. High priority security threats should always be addressed on priority. Other factors and the surroundings can also be taken into consideration when determining the likelihood of an event. For example, damp walls with poor electrical fittings, or a chemical/gas plant next to the fireworks factory, will greatly elevate the likelihood of fire. The likelihood of an event can be placed into different categories such as very likely, likely, moderately likely, unlikely and very unlikely.
Likely: 50% – 90% possibility of occurrence
Moderately likely: 20% – 50% possibility of occurrence
Unlikely: 5% – 20% possibility of occurrence
Very unlikely: < 5% chance of occurrence
Sometimes it can be practically very hard to establish the likelihood of an event that hasn’t occurred in the past. Would security specialists have treated the 9/11 terrorist attacks on New York City’s World Trade Center as a high priority security risk before the attack, had the likelihood been determined? Even if they had, would they have imagined that the attacks might be airborne? And what measures could they have taken to deter an aircraft from hitting the building?
Determine consequences of events
Consequences of events can be determined by specifying criteria like operational downtime, range of losses and number of injuries / loss of life. Different categories can be decided based on these ranges, for example:
| Seriousness of event | Consequences of events |
|---|---|
| Not serious | No injuries, no downtime, $0 to $5,000 financial loss. |
| Not too serious | Minor injuries, less than 1 day of downtime, $5,000 to $50,000 financial loss. |
| Serious | Serious injuries, 1 to 7 days of downtime, $50,000 to $500,000 financial loss. |
| Very serious | Loss of life or severe injuries, 7 to 30 days downtime, $500,000 to $1,000,000 financial loss. |
| Catastrophic | Loss of multiple lives or multiple severe injuries, significant or total destruction of facility, greater than $1,000,000 financial loss. |
These figures and ranges can vary depending on the organization’s internal structure and policies.
Entering data in risk matrix
Entering all possible loss events and their likelihood of occurrence and consequences in their respective columns provides further visibility.
| Possible loss event | Likelihood | Consequences |
Determine level of security risk
After determining the likelihood and consequences of events, the level of security risk can be determined by multiplying the two factors and putting the results in a matrix.
List ranking on risk matrix
The risk matrix makes it possible to quickly review all possible loss events, their likelihood of occurrence and their consequences on the scale of seriousness.
Once the risk matrix is created, physical security personnel can prepare an action plan and start addressing high priority risks first by determining appropriate measures to mitigate each security risk. For example, theft of information is a high security risk, so countermeasures could include background checks of employees, making employees sign an integrity agreement, creating restricted access areas, setting user privileges for computers and network access, etc.
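An added example (not part of the original article) that applies the likelihood bands and the consequence table above, multiplies the two ordinal scores and ranks the loss events. The 1 to 5 scores, the 90%+ band for "very likely", the over-30-days downtime band, the priority cut-offs and the sample events are assumptions made for this sketch.

```python
from bisect import bisect_right

# Likelihood bands (percent) from the article. The 90%+ band for "very likely"
# is an assumption: the article names the category but gives no range.
LIKELIHOOD = ["very unlikely", "unlikely", "moderately likely", "likely", "very likely"]
LIKELIHOOD_EDGES = [5, 20, 50, 90]      # lower bound of each band inclusive (assumption)

# Consequence bands from the article's table.
SERIOUSNESS = ["not serious", "not too serious", "serious", "very serious", "catastrophic"]
LOSS_EDGES = [5_000, 50_000, 500_000, 1_000_000]    # USD
DOWNTIME_EDGES = [0, 1, 7, 30]          # days; over 30 days is an assumed band
INJURY = {"none": 1, "minor": 2, "serious": 3, "severe": 4, "multiple": 5}

def band(value, edges):
    """Return an ordinal score 1..5 for value against ascending band edges."""
    return bisect_right(edges, value) + 1

def assess(event):
    """Score one loss event; the consequence is the worst of the three criteria."""
    likelihood = band(event["probability_pct"], LIKELIHOOD_EDGES)
    days = event["downtime_days"]
    consequence = max(
        band(event["loss_usd"], LOSS_EDGES),
        band(days, DOWNTIME_EDGES) if days > 0 else 1,   # no downtime scores 1
        INJURY[event["injuries"]],
    )
    score = likelihood * consequence     # article: multiply both factors
    # Priority cut-offs are an assumption; the article does not define them.
    priority = "high" if score >= 15 else "moderate" if score >= 6 else "low"
    return {"event": event["name"], "likelihood": LIKELIHOOD[likelihood - 1],
            "consequence": SERIOUSNESS[consequence - 1],
            "score": score, "priority": priority}

def rank(events):
    """Return assessed events, highest risk first (ties keep input order)."""
    return sorted((assess(e) for e in events), key=lambda r: -r["score"])

# Constructed sample input for the fireworks-factory example.
EVENTS = [
    {"name": "vandalism", "probability_pct": 10, "loss_usd": 2_000, "downtime_days": 0, "injuries": "none"},
    {"name": "fire", "probability_pct": 95, "loss_usd": 2_000_000, "downtime_days": 45, "injuries": "multiple"},
    {"name": "theft of information", "probability_pct": 30, "loss_usd": 400_000, "downtime_days": 2, "injuries": "none"},
]

if __name__ == "__main__":
    for row in rank(EVENTS):
        print(row)
```

Taking the worst of the three consequence criteria keeps an event with low financial loss but serious injuries from being ranked as minor.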
Multi-layer implementation of physical security
Multi-layer implementation of physical security ensures that an intruder faces hurdles at every level, making it hard to gain access to the facility or resources. Multi-layer security is also called the concentric circle of protection, because it works like concentric circles in which the circumference of each circle is a layer of security implemented to deter a possible threat or intruder.
The center of the circle is where the most crucial assets or resources are kept, so that an intruder has to face all layers of security to reach the center. Layered security is among the best practices of implementing physical security. Layered security also makes it possible to add extra layers or strengthen a particular layer when required, for example by posting more guards at entry doors or introducing a metal detector at the same layer. Making employees aware of security threats and conducting training programs or workshops about security also works as an additional layer of security, which is invisible yet effective.
Common security mistakes
- Not keeping and following documented standard operating procedures for security
- Poor employee awareness about security, not conducting any training or workshops
- Not taking security breaches or crimes seriously within the organization
- Cutting the budget for security measures to save money
- Not being aware of the security breaches or crimes happening in the neighborhood
- Not listening to safety concerns of employees
- Poor disposal practices for sensitive documents
- Unattended security measures or poorly maintained security equipment
With the advancement of information technology and its proven ability to improve efficiency, most systems and facilities, small or large, greatly depend on it. Dependence on information technology has also introduced newer security concerns. Physical security is a continuous effort and at no point in time can it be considered perfect. There may always be chances of unseen and unpredictable events, even ones that have never occurred in history. A balanced approach is required to ascertain that physical security can play its part when needed.