Why your organisation should take physical security seriously

Logical security has never been a hotter topic. Businesses are waking up to the threat of hackers and are investing heavily in systems to protect their customers’ personal information and their own sensitive commercial data. But even the strongest passwords, the most complex encryption and the tightest firewall are worth next to nothing if a company’s physical security is not up to scratch.

Today, there will often be just one person in charge of security. So while once upon a time the logical security manager and the physical security manager would be two different positions, the roles have gone on to be merged into one. This looks great on the balance sheet, and certainly has benefits when it comes to more joined-up thinking.

But the fact remains that where there were once two people to take responsibility, there is now only one – they are too stretched, with skills and training focused on one person instead of two. Compromises are inevitable, and maintenance and monitoring suffer.

This means that even with the best intentions, they cannot react quickly enough. If an alarm is triggered, there simply aren’t the resources in place to take action, unless there are guards in place who can react immediately.

As best practice, businesses should have a security or guard room where someone can monitor whether external barriers to entry have been left open or compromised and keep an eye on the CCTV system – after all, these are often expensive investments for businesses, and are wasted if they are not used correctly.

To make a security system work, attitudes need to change at the very top. In many organisations, it’s seen as just one more headache to be dealt with, or directors and senior management are so laid back about the whole issue that they don’t give it the right attention or budget – they think that there’s no point in bringing in somebody as a ‘just in case’ measure when budgets are squeezed and every penny of investment must be accounted for. It’s vital that the MD or CEO buys into the fact that physical security is important, and assigns to it the budget it needs.

Once the company’s board is on side, the same attitudes need to be disseminated throughout the company, so that everyone understands the importance of security and that adhering to the policies is absolutely key. All too often, the commitment is there at a strategic level, but the implementation is lacking.

I have worked with a number of companies that had fantastic security policies; however, with all the will in the world, without the correct awareness and training in place they will never be effective.

On one inspection of a “heavily secure” site, I came across a post room with the door propped open because the air conditioning was broken – and through which anyone could have accessed the facility that was supposed to be protected. The employees were reducing security without even realising – they needed to change their mindset on a fundamental level.

Whether a business employs 10 people or 10,000, ongoing staff engagement and awareness of policies is essential. Everyone needs the correct access badges, and everyone needs to know who they should speak to about suspicious circumstances.

And businesses need to know just what they’re dealing with, and accord the appropriate investment; for example, if a small business in Europe wanted to compete with global megacorporations in the same space, they would need to be prepared to put money behind expensive although necessary compliance in order to compete and gain the same levels of qualification.

All in all, most people have the right intentions when it comes to security, and tend to put good systems in place at the very beginning. However, once this has been done, it needs to be maintained and communicated. It’s also a case of continual improvement and evolution.

Criminals will always be looking for new ways to get to the information or the product they want, and businesses need to stay one step ahead. Only once the right attitudes are in place throughout a company, and everyone takes personal responsibility for security, can businesses be said to be truly protected.


Paul Johnson is a specialist auditor and director at NGS Meridian, an NCC Group company. Paul has more than 15 years' experience in both logical and physical security and over 10 years of audit experience in these fields. Paul was the first auditor globally to be approved by MasterCard International to conduct GVCP security audits. Before establishing Meridian in 2001, Paul worked for a number of technology companies including MasterCard. Paul has a business management degree and is a qualified electrical engineer and a qualified and globally experienced auditor.