These days, almost all information that is important to a business is stored digitally–everything from schematics to passwords to customer information.
But while cybersecurity and IT are important bases for a business to cover, when it comes to protecting your information, physical security can’t be overlooked.
In this guide we’ll talk about why physical security matters, show some examples of times when it’s been neglected, and show you how to build and execute an effective policy for your own business.
Why Physical Security Matters
When it comes to information, it’s not enough to protect it from cyberattacks. You also need to consider how that information could be vulnerable in the physical world.
At its most basic level, a physical security plan is there to protect your information from anyone who does not have your business’s best interests in mind. Culprits can be anyone from rival businesses to disgruntled employees.
Real-life examples of physical security breaches
In 1997, an employee of the Gillette razor company, upset after he was demoted, attempted to sabotage the company’s Mach 3 triple-blade razor–a project that the company had already invested in to the tune of $750 million.
Steven L. Davis was a process controls engineer with Wright Industries, a company that subcontracted with Gillette for the Mach 3 project. After he was demoted, Davis struck back by faxing copies of the design to American Safety Razor Co., Bic, and Schick–all competitors of Gillette. Davis was only caught and held accountable because Schick reported the incident to Gillette, which then called in the FBI.
Just a few years later in mid-2001, individuals hired by Procter & Gamble Co. literally dug through the trash outside of competitor Unilever’s Chicago headquarters, searching for any sensitive information that may have been tossed.
The dumpster divers were caught, and following an internal investigation, P&G executives made the unpleasant discovery that at least three of their senior employees had been using underhanded and potentially illegal measures to spy on Unilever. P&G returned over 80 ill-gotten documents to Unilever and settled with them out of court for an undisclosed sum.
These cases of high-profile security breaches highlight how important it is for companies to be aware of who has access to their property, equipment, and sensitive documents–in other words, the importance of a physical security policy.
What Is The Purpose of a Physical Security Policy?
A comprehensive physical security policy creates guidelines and rules for personnel and equipment that ensure that your business’s information, resources, and facilities are protected from danger, damage, or removal.
The goal of your policy is to identify assets and make a plan to protect them. Your physical security policy and protocols will determine when and where physical access to these assets is allowed, controlled, monitored, or prevented.
Four Parts to a Robust Physical Security Policy
Access Control
This is what first comes to mind when people think of physical security as a concept–things like walls, doors, turnstiles, or gates. Access control lets you admit only those who are verified personnel into specific areas.
Even in the event that individuals are able to make their way through the access control, having to go through physical barriers will delay them and often alert the security system that something is wrong.
For even greater security, you can outfit doors, gates, and turnstiles with extra verification features like:
- Keypads
- Fingerprint readers
- Smart card readers
- Telephone and video intercom systems
Document Diligence
As we saw in the examples above, company documents in the hands of the wrong people can be a major security risk.
Make sure that any documents or data stored in a digital format are housed on secure, password-protected servers. If your servers are located within your own facility, make sure that the room has high-level access control.
As for any important physical documents, we recommend that you:
- Store them in a secure, restricted-access location when not in use
- Keep track of when, where, and by whom they are removed for use
- Shred or incinerate when no longer needed
Detection
The next level of physical security is detection. These are the parts of a security system that alert you to potential intruders or security risks. Detection measures include:
- Security guards
- Burglar alarms
- Motion sensors
- CCTV cameras
- 24/7 monitoring service
- Fire alarms
In large part, your physical security policy and procedures will be based around reactions to these alerts. So it is also important that you regularly review your procedures for effectiveness and, in certain cases, run a simulated alert in order to test them.
Another benefit to surveillance measures like these is their ability to record incidents, which can be helpful when you are investigating an incident after the fact or determining liability.
Response
As you build your physical security policy, it’s easy to focus on prevention of theft or crime, but you also need to plan and practice how you and your personnel will respond when things go wrong.
What do you and your personnel do when a security event occurs? Here are some things to think about:
- Take steps to secure data/documents/equipment
- Building lockdown procedure
- Building evacuation procedure
- Contact emergency services
Make sure that you assign the necessary roles to specific employees, and make sure that those employees know how to carry them out.
If you have a small workforce or you’re especially concerned about security incidents happening at night, consider working with a professional video monitoring service to keep an eye on the place when you can’t.
Physical Security Policy Outline
Your physical security policy document should be easily available to your employees for review, and also easy to read. We recommend a basic numbered outline like the one below.
1.0 Purpose
The purpose of your policy is to establish the rules for physical access to the facility, as well as the control and monitoring of equipment and proprietary information.
2.0 Scope
State what the policy applies to, such as:
- Guests and personnel on the property
- Equipment
- Facilities
- Storage media
- Computers
- Blueprints, recipes, etc.
3.0 Policy
- 3.1 Controlled Access Zones
- 3.2 Controlled Access Measures (smart cards, keypads, sign-in lists, etc.)
- 3.3 Physical Data Security (how to handle confidential or sensitive information)
- 3.6 Fire Prevention
4.0 Enforcement (how will incidents be handled, and by whom?)
5.0 Revision History (keep track of changes made to the plan)
Physical Security Policy and Employees
Your physical security policy will work best when it has clear, well-defined, practical guidelines that are well-known to your personnel. Whenever you update your policy, make sure your employees are aware of the changes and where they can direct their questions about policy and procedures.
Above all, you want your physical security policy to be easy to understand and easy to implement. Adding multiple layers to your security system, such as cameras, intercoms, video monitoring services, and security system integration, will increase the effectiveness of a physical security policy.