Due Diligence – Physical Security and Visitors

Given the growing rate of cyber-related attacks, it’s no wonder small business leaders are beginning to shift focus away from physical security, in favor of data security. But the procedures we put in place to mitigate cyber-attacks are useless without a solid base of physical security.

The Importance of Physical Security

When implemented correctly, physical security should:

  • Prevent unauthorised persons from accessing your premises, information, or assets;
  • Maintain the trust and confidence of the people and organisations you serve or work with;
  • Deliver services without disruption in the event of a disaster; and
  • Meet all of your business’s regulatory obligations.

Put simply, physical security is the combination of physical and procedural measures implemented to mitigate risks to your people, information, and assets. As with any other steps we take to minimise harm to our businesses, the best way to start is by taking a risk-based approach. Identify the people, information, physical assets, and functions of your business that may pose a risk, and then catalogue these risks.

Of course, those things also pose a risk to your business, so it is also prudent to identify how to protect your business from them. Here are some things to keep in mind when evaluating your business’s physical security controls:

Keep and follow a documented standard operating procedure (SOP) for security

Depending on the size of your organization and its physical location, this might be as simple as keeping lists of those who are authorized entry to the office space on a regular basis. Or, on the other hand, it could be a complex policy that considers different parts of a building, surveillance systems, security guards, etc.

Employee security awareness

It should go without saying that employees can be your strongest allies or the weakest link in the chain of security. They are your business’s eyes and ears. Implement a robust security training plan. This way, you are properly engaging and motivating your staff.

Take breaches seriously

If a breach does occur, make sure that it is dealt with seriously so that everyone can see the measures you’re taking to ensure it never happens again. It may not always be possible to plan for every incident. But we should do our best to make sure that if a breach happens, it only happens once.

Dispose of sensitive material appropriately

Sensitive material can include computer hardware, documentation, or anything else that might give someone access to your organization. Nowadays, shredding documents isn’t always enough to ensure documents are not repurposed to gain personal information. And simply deleting items from a computer does not really get rid of them. Look into the tools that are available on your devices. Make sure that when you destroy sensitive material, you destroy it permanently.

Maintain your security equipment

All too often, poorly maintained equipment leaves the door open for security breaches that could have otherwise been prevented. Even equipment that is not security related can cause issues. An air conditioning unit breaking down may lead to a security breach if someone leaves a door or window propped open to let in fresh air.

Managing Visitors

Another important way to keep your employees and assets secure is through managing visitors to your workplace. Alarm systems and security cameras are great for managing this outside of normal business hours. Even when the whole workspace is locked down and vacant, you can monitor everything with these security measures in place.

But how do we manage people coming in during business hours? And how can we identify if they should really be there at all?

Your office may require routine visitors. These can include maintenance workers, mail delivery personnel, and other contractors you easily recognise. But there needs to be a procedure in place to record and identify all visitors at all times.

Here are several ways to maintain such a procedure:

Designate a space in the office where visitors can sign in and out

This could look like a reception area or lobby in a large business. Or, in smaller businesses, this could be a specific person’s desk near the main entrance. Keep in mind, you’ll also need to task someone with the additional responsibility of logging all visitors.

Make all your visitors wear an ID badge

They should display it in a prominent position for their entire visit in your workplace. Ensure that the badge includes the date for which it is valid, along with either the person they are visiting or the purpose of their visit.

Keep the visitor log private

It is not a good idea to keep your visitor log out in the open, where all new visitors can see who signed in before them. At best, this creates a privacy issue for your visitors. And at worst, it leaves that information open for taking.

Make a procedure for reporting unauthorized trespassers

It’s easy to identify unauthorized visitors when all your policies are in place. You know anyone not wearing a valid ID/visitor badge should not be there. Your staff should then also know how to react to this situation, along with who to notify before taking action.

Secure devices from improper access

Staff should know this already, but when visitors are in the office, make it clear that computers and other devices should not be left unattended or unsecured. Leaving a device unlocked or unattended can lead to awful consequences.

As always, it is important to host physical security awareness programs for staff. However, it is just as important to make sure your visitors know the limitations they have when visiting your workspace too. Don’t forget, you make the rules at your workplace, just like you would at home. And your staff has every right to feel just as safe and secure.
