Physical security is an important aspect of protecting any organisation. The aim is to control access and movement in order to protect employees, systems, critical processes and sensitive data. This translates into controls such as security fences, gates, turnstiles, mantraps, manned reception points, locked doors, locked filing cabinets, signage and the careful placement of critical assets.

Determining which controls to use and how to deploy them

When choosing security controls, look at a plan of the facility and consider the following:

  • Which rooms are sensitive or critical to operations?

  • Who legitimately needs access to each of them, and when?

  • What controls can be used to protect these locations?


The number of controls, and how much you are willing to spend on them, depends entirely on how important the location is. For example:

  • A room where employees are working on a new product design of high commercial value may require greater protection. Such a room might benefit from cipher locks and window blinds, and should be located centrally within the complex rather than against an external wall.

  • A loading bay or delivery point is also a serious risk to most facilities, because unfamiliar people come and go there frequently and have easy access to the site. Increased monitoring and supervision of people in these areas is therefore essential. Consider, too, how goods and deliveries will be secured until they are distributed internally.

When protecting a site, most organisations implement multiple checkpoints between zones to prevent unwarranted access to critical areas. Rather like an onion, each concentric layer adds security and provides a further opportunity to deter, detect, delay and respond to would-be trespassers, so that bypassing any single control does not give an intruder free run of the site.

The role of policy and procedures

Strong procedures are also needed to give these controls force. For example, you might introduce rules about:

  • The use of USB drives and mobile phones in restricted zones.

  • Out of hours working.

  • Lone working.

  • The use of identity badges.

  • Challenging unfamiliar personnel.

  • Visitor registration and monitoring.

  • Leaving sensitive documentation, or internal telephone directories, on desks in plain sight.

  • Using privacy screens where possible.

  • Leaving devices unattended.

  • Eating and drinking near equipment.

Such rules and procedures need to be embedded in everyone's job description or formalised into mandatory policy which all personnel acknowledge every year. Supplementary training should also be delivered so that everyone knows what is expected of them. In short, security is everyone's responsibility, and with relevant training and support employees can spot issues and be part of the solution.


Threats to business continuity

Like any other security threat, the risk of fire, flood or civil unrest, or the dangers posed by a contentious neighbouring organisation, should also be translated into building design and staff training. These events tend to threaten continuity of operations, as does the loss of utility services such as electricity, water, heating, ventilation and broadband access. For these reasons, an organisation may:

  • Regularly inspect and test services, and set up alarms to flag outages or the conditions that precede them.

  • Develop contact lists of critical third parties, as well as cascade lists to disseminate messages quickly and efficiently.

  • Create redundancy, such as failover servers, networking equipment, spare devices and multiple copies of critical data, including at least one copy held off site.

  • Change working procedures, by rotating staff and offering cross-training so that no critical task depends on a single person.


Using a cloud vendor

Special consideration should also be given to the growing number of businesses moving to the cloud, which provides:

  • Broad network access: For remote working

  • Rapid elasticity: To meet IT infrastructure requirements quickly and easily during a crisis.

  • Metered usage: So you only pay for what you use.

  • Self service: To get what you want, when you want, at a click of a button.

Moving to the cloud relocates the physical security of your servers into the provider's data centres; it does not remove the need for it. Verify the provider's physical and environmental controls through its independent audit reports and contractual commitments rather than assuming them, and remember that the endpoints, offices and network connections on your side remain your responsibility.


Looking After Equipment

When discussing physical security, it would be remiss to exclude the effects of environmental conditions such as humidity, temperature and dust, which can dramatically influence:

  • The expected lifespan of equipment (mean time to failure, MTTF)

  • The mean time to repair equipment (MTTR)

  • The mean time between equipment failures (MTBF)


As such, all businesses should conduct a risk assessment of critical equipment to ensure proper maintenance and operational procedures. This may include heating, ventilation and air conditioning (HVAC) systems, hot and cold aisle containment, cable trunking, or using an external specialist to carry out repairs and maintenance. Whenever a third party is called in, check:

  • That they are suitably qualified, and are escorted or monitored while on site

  • That they are not exposed to sensitive data during maintenance (for example, storage media is removed or encrypted before a device leaves your control), and

  • That the maintenance is logged, so that MTTF, MTTR and MTBF can be calculated from real data and the repair and replacement schedule is based on them.


This enables an enterprise to anticipate when a piece of equipment is likely to fail, so that the people who depend on it are not adversely affected.
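The following is an added example, not part of the original page, showing how a maintenance log of the kind described above can be turned into MTTF, MTTR and MTBF figures and a forecast of the next expected failure. The log format, the asset tag HV-PSU-07, the contractor name and the event names are all constructed for illustration; the definitions of the three metrics are stated in the code because they vary between sources, and an organisation should fix them in its own procedure.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample maintenance log for one device (not real data).
# Fields: ISO-8601 timestamp, asset tag, event, who performed the work.
MAINTENANCE_LOG = """\
2023-01-01T00:00:00 HV-PSU-07 COMMISSIONED internal
2023-03-02T09:30:00 HV-PSU-07 FAILED       -
2023-03-02T15:30:00 HV-PSU-07 REPAIRED     contractor:acme-hvac
2023-06-10T08:00:00 HV-PSU-07 FAILED       -
2023-06-10T11:00:00 HV-PSU-07 REPAIRED     contractor:acme-hvac
2023-08-01T12:00:00 HV-PSU-07 FAILED       -
2023-08-02T00:00:00 HV-PSU-07 REPAIRED     internal
"""


def parse_log(text):
    """Return a time-ordered list of (timestamp, event, engineer) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _asset, event, engineer = line.split()
        events.append((datetime.fromisoformat(ts), event, engineer))
    events.sort(key=lambda e: e[0])
    return events


def hours(delta):
    return delta.total_seconds() / 3600.0


def reliability_metrics(events):
    """Compute MTTF, MTTR and MTBF in hours from a COMMISSIONED/FAILED/REPAIRED sequence.

    Conventions assumed in this example:
      MTTF = mean uptime from (re)entry into service until the next failure
      MTTR = mean time from a failure until its repair is complete
      MTBF = mean interval between the starts of consecutive failures
    Only completed intervals are counted; the current in-service period has not
    ended in a failure yet, so it is deliberately left out rather than guessed at.
    """
    uptimes, repairs, between = [], [], []
    in_service_since = None   # start of the current uptime period
    open_failure = None       # failure awaiting repair
    last_failure = None       # most recent failure, for MTBF
    repairers = {}            # who carried out each repair (third-party oversight)
    for ts, event, engineer in events:
        if event == "COMMISSIONED":
            in_service_since = ts
        elif event == "FAILED":
            if in_service_since is None:
                raise ValueError("FAILED while not in service at %s" % ts)
            uptimes.append(hours(ts - in_service_since))
            if last_failure is not None:
                between.append(hours(ts - last_failure))
            last_failure = open_failure = ts
            in_service_since = None
        elif event == "REPAIRED":
            if open_failure is None:
                raise ValueError("REPAIRED without a preceding FAILED at %s" % ts)
            repairs.append(hours(ts - open_failure))
            repairers[engineer] = repairers.get(engineer, 0) + 1
            open_failure = None
            in_service_since = ts
        else:
            raise ValueError("unknown event %r" % event)

    mttf = mean(uptimes) if uptimes else None
    mttr = mean(repairs) if repairs else None
    mtbf = mean(between) if between else None
    # Steady-state availability under the conventions above.
    availability = mttf / (mttf + mttr) if mttf and mttr else None
    return {"mttf_h": mttf, "mttr_h": mttr, "mtbf_h": mtbf,
            "availability": availability, "repairs_by": repairers,
            "in_service_since": in_service_since}


def next_expected_failure(metrics):
    """Naive forecast: current service start plus MTTF (None if not in service)."""
    if metrics["in_service_since"] is None or metrics["mttf_h"] is None:
        return None
    return metrics["in_service_since"] + timedelta(hours=metrics["mttf_h"])


if __name__ == "__main__":
    m = reliability_metrics(parse_log(MAINTENANCE_LOG))
    for key in ("mttf_h", "mttr_h", "mtbf_h", "availability"):
        print("%-12s %s" % (key, m[key]))
    print("repairs by   %s" % m["repairs_by"])
    print("next failure %s" % next_expected_failure(m))
```

With three completed uptime periods and three repairs, the sample log gives an MTTF of 1697 hours, an MTTR of 7 hours and an MTBF of 1825.25 hours; the forecast is only as good as the sample size, and the `repairs_by` count is what lets you reconcile the log against the third-party visits you authorised and escorted.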


Loaned Equipment

Lastly, many security frameworks recognise the importance of monitoring equipment taken off site. If this is common practice in your organisation, you should formally authorise and log loaned equipment, perhaps through a booking system that is periodically tested with spot checks. Not knowing who has what is a data breach waiting to happen. Finally, long-term loans should periodically require the employee to attest that the item is:

  • Still in their possession

  • In good condition

  • Still required for their work-related responsibilities


All of these controls and procedures must be periodically reviewed and discussed to check that they remain adequate and valid.
