Due Diligence – Physical Security and Visitors
September 22, 2020
With the prevalence of cyber-related attacks and data breaches, it is easy for the focus of small business leaders to be drawn away from the physical security of their organization. But without a solid base of physical security, the policies and procedures we put in place to mitigate cyber-attacks become useless.
When implemented correctly, physical security should:
- Prevent unauthorised persons from accessing your premises, information or assets;
- Maintain the trust and confidence of the people and organisations you serve or work with;
- Deliver services without disruption in the event of a disaster;
- Meet any regulatory obligations your business falls under.
Put simply, physical security is the combination of physical and procedural measures implemented to mitigate risks to your people, information and assets. Just like with any other steps we take to minimise potential harm to our businesses, the best way to start is with a risk-based approach. The people, information, physical assets and functions of your business should be identified and the risks that are posed to them catalogued. Of course, those things also pose a risk TO your business, so it is prudent to identify how to protect your business from them also.
Some things to keep in mind when evaluating your business's physical security controls are:
- Keep and follow a documented standard operating procedure (SOP) for security.
Depending on the size of your organization and its physical location, this might be as simple as keeping lists of key (or card) holders for the office space and of others who are authorized entry on a regular basis. Or it could be a complex policy that considers different parts of a building, surveillance systems, security guards, external grounds, parking structures, etc.
- Employee security awareness.
As always, employees can be your strongest allies or the weakest link in the chain of security. A properly engaged, trained and motivated staff should be your business's eyes and ears for security threats. Make sure you have a robust security training plan in place.
- Take breaches seriously.
If a breach does occur, make sure that it is dealt with seriously so that everyone knows measures will be taken to ensure it does not happen again. It is not always possible to plan for every eventuality, but we should do our best to make sure they only happen once.
- Disposal of sensitive material appropriately.
This can include computer hardware, documentation, and anything else that you might need to dispose of from your business. Shredding documents might not be enough anymore to ensure documents cannot be repurposed to gain personal information, and simply deleting items from a computer does not really get rid of it. Look into the tools that are available now to ensure that when you need to destroy something, it gets destroyed permanently.
- Maintain your security equipment.
All too often we see poorly maintained equipment that causes a security breach where it should be preventing one. Even equipment that is not security related can cause an issue. An air conditioning unit breaking down could cause a security breach if someone leaves a door or window propped open to let in some fresh air.
Managing visitors to your workplace is another key part of securing your employees and assets. Alarm systems and security cameras are great for managing this outside of normal business hours – if nobody should be there, the whole workspace can be locked down and monitored. But how do we manage people coming in during business hours, and how can we identify if they should really be there at all?
There may be some people who are required to regularly visit your office, like maintenance workers, mail delivery personnel, and other contractors you can recognise easily, but there needs to be a procedure in place to record and identify ALL visitors at all times. There are several things that can be done to maintain such a procedure.
- Have a designated space in the office where visitors sign in and out. This might be a reception area or lobby in some larger businesses, but could be a specific person's desk near the main entrance in small businesses. This might also mean giving someone the additional responsibility of keeping the log of all visitors.
- Make all your visitors wear a visitor’s ID badge. They should display it in a prominent position for the entire time they are in your workplace. Ensure that the badge includes the date that it is valid for and either the person they are visiting or the purpose of their visit.
- Keep the visitor log private. Having a visitor log where all new visitors can see who visited before them is not a good idea. At best this is a privacy issue for your visitors and at worst it leaves that information open to be used for nefarious purposes.
- Have a procedure in place for staff to report an unauthorized person. If your policies are being followed, an unauthorized visitor could be identified by their lack of a legitimate ID badge. Your staff should know how to react to this situation and who to notify before action is taken.
- Secure devices from improper access. Staff should be doing it already, but when visitors are in the office it should be made clear that computers and other devices should not be left unattended or unsecured. Leaving a device unlocked and unattended can have devastating consequences for any business.
As always, it is important to maintain a physical security awareness program for staff, but it is equally important to ensure your visitors are aware of the limitations they have when visiting your workspace. Don’t forget, you make the rules there just like you would at home, and your staff have every right to be just as safe and secure.