Physical Security Do’s and Don’ts
Protect Your Premises: Tips from PR’s Security Experts
Two of Perspective Risk’s physical security specialists – Abdul Ikbal and Neil Gibb* – share advice for improving the security of your building against criminals, malicious insiders and careless staff.
Other security consultants and many clients are often surprised to learn that we can usually compromise a building’s security perimeter in under an hour. One customer commented: “It would be great to have a reference to prepare us before you guys launch your attack” (meaning our simulated red team attack). We listened, and here it is.
The Security of your Reception
Many of the business premises we visit are shared with other companies and have a common reception area serviced by a facilities management company.
If you are not responsible for the security of the reception, you should still have some leverage in how it’s managed. A good time to do so is when you are negotiating the lease or its renewal.
Reception Security Do’s
- Ask visitors for identification.
- Ensure the reception is never left unmanned.
- Qualify all visitors and authenticate them with their hosts – i.e. the people they claim to be visiting – before granting them access.
- Implement RFID (radio-frequency identification, using readers and tags) access control for lifts and stairwells.
Reception Security Don’ts
- Leave the visitor sign-in book for everyone to view.
- Ignore visitors and allow them to walk in unchallenged.
- Assume someone has a right to be there because they look important, wear a uniform, or behave with authority.
- Automatically trust people are who they claim to be.
- Leave ID cards, visitor badges, lanyards etc. within easy reach of visitors.
- Allow yourself to be rushed. One person’s urgency is not your urgency. Take the time needed to make informed decisions before checking in the visitor.
The Security of your Offices
As well as technical controls, a key part of your security should be driven by the culture of your company. If managers don’t drive home the importance of security, don’t expect the staff to be vigilant.
Office Security Do’s
- Implement CCTV in sensitive areas to act as a deterrent.
- Display your visitor policy, which should be comprehensive and unambiguous.
- Foster a culture of security awareness – let staff know that it’s okay to challenge.
- Lock/secure staff entrances.
- Never leave your office reception area unmanned.
- Always ask visitors for ID.
- Consider requesting car registration numbers in advance of visits.
- Check appointments are genuine and, if necessary, ring your visitor’s organisation to authenticate them.
- Ask direct questions – being well mannered and assertive need not be mutually exclusive.
- If you are still suspicious, ask more questions.
- Think: criminals who are seeking to socially engineer their way inside your offices use sophisticated tactics and can be extremely convincing.
- Ring the visitor’s employer to authenticate them if necessary.
- Ensure all cabinets and drawers are lockable and insist staff lock them when not in use.
- Introduce a clear desk policy.
- Implement network perimeter controls to restrict opportunistic criminals.
- Mandate the completion of security awareness training across all employees, regardless of seniority.
- Publish the results of security awareness training.
Office Security Don’ts
- Leave your visitor sign-in book lying around.
- Ignore unaccompanied visitors and assume they have a right to be there.
- Leave empty/private office doors unlocked.
- Leave conference room doors unlocked – this is a great route for cyber criminals to plug into network points.
- Leave network cables on show, which may tempt opportunistic thieves.
- Leave visitors unsupervised, unless an explicit level of trust has been gained following your authenticity checks.
- Leave sensitive information, such as passwords, on whiteboards and pin-up boards. Yes, it has been known.
- Leave keys in door locks.
- Don’t be British. By this we’re referring to our manners and fear of offending others. If you don’t recognise someone, you are protecting your organisation by questioning them.
- Hold external or security doors open for others. The practice of tailgating, when someone follows others inside to gain unauthorised access, is a common tactic.
- Leave operating system user accounts logged in.
- Leave mobile devices unattended.
- Leave passwords written down in plain sight. Yes, that’s also been known.
Perspective Risk offers a variety of workshops, online security awareness courses and specialist consultancy to help safeguard your business. For assistance, please contact us.
*Neil Gibb was employed by the IT Lab group at the time of writing.