As a result of all the major security breaches recently, the security discussion has focused on risk management, cyber attacks and data security. Unfortunately, there has been another type of attack we have heard too much about in the past few years: physical attacks on buildings, often involving bombs or guns. One of the most recent attacks that comes to mind is the deadly attack on the San Bernardino Administrative Center, Riverside County in California. For many organizations, this attack highlighted the need for a well-designed and well-implemented physical security program to be in place in case of emergency.
Here are a few basic topics that must be covered when creating and implementing a physical security plan within your business:
Assess your current program
Maybe your organization established a physical security program in the past, but the practices and potential threats it planned for are out of date. Or maybe your organization has never formally prepared for a physical attack. It is important for businesses to be prepared for both online and physical threats. When developing a security plan, businesses must assess all current vulnerabilities and specific threats. Some threats are common to many organizations, and some are specific to a particular organization; each of these risks should be examined and addressed.
Develop security measures
After you determine which vulnerabilities and threats your company faces, you must implement a set of controls or measures to prevent a security incident. When considering security measures, the assessment should work from the outside in. One effective approach is to examine vulnerabilities from the perspective of an aggressor. Physical security measures are often grouped into three broad elements: operations, architecture and technology. Properly implemented, these controls can establish a balanced security program.
Today’s security directors must justify security budgets to CFOs. Often, they are expected to explain to the CFO how implemented systems will save money. Similar to calculating cyber security ROI, there are two kinds of value to focus on: qualitative and quantitative. Qualitative value is subjective and cannot be measured in dollar amounts. Quantitative value is what most people think of when they think of ROI: numbers and dollar amounts. Security plans must be able to show the CEO and stakeholders what physical security is doing for the company and explain why it matters.
Communicate the plan
Once a security plan is created and approved within an organization, it must be clearly communicated to all stakeholders and employees, including owners, finance staff, security supervisors, officers and others with an interest in a facility’s physical security. Consider putting your list of security measures together in a security “playbook”, or master plan, which shows accurate budgeting, planning and implementation. All employees and staff must be educated and trained on new physical security measures and on what steps to take in case of an emergency.
Ultimately, while the focus has shifted to technological safety, physical security is just as important for businesses. Physical security protects your most important assets: your employees. If your business has lost focus on physical security, it may be time to reassess your program and make some changes.