The goal of any physical security system is to permit only the movement of people, assets, or data that you actually want within your facility. That principle remains the same whether it’s officers and inmates in a corrections facility, mobile devices with sensitive data at a power plant, or forklifts in a warehouse.
Under such a singular guiding principle, some outside the security discipline might think that designing building security programs is straightforward. But as anyone who’s ever done it can tell you, somewhere between that guiding principle and messy day-to-day reality many security programs break down.
Fortunately, many of the most common—and time-consuming, and expensive—pitfalls can be avoided with careful planning. Here are five of the most common mistakes we’ve seen made by organizations when building new security systems.
This happens most often when building entirely new security programs. Overbuilding is not only costly—which it almost always is—it usually makes operations more cumbersome as security teams suddenly have new overlapping and conflicting layers of tools to work through. Because of this, overbuilt security systems also tend to be less flexible.
The Solution: Design around a flexible core system that can adapt to new risks as they appear and expand as your business grows.
While this approach often costs less up front than overbuilding a solution, it requires better planning. But when the core system is correctly planned to be flexible, scaling over time becomes highly cost-effective. Preparation is always more cost-effective than paying for recovery efforts.
Some organizations build a security program designed to meet specific compliance regulations and say, “good enough.” And while compliance standards are of course critically important, stopping there is literally the bare minimum you can do.
Determined attackers looking to exploit your organization are not going to put in the bare minimum effort. They also have the advantage of knowing the same regulations you need to abide by, and can use that knowledge to exploit weaknesses in your defenses.
The Solution: An effective security program needs to also account for such low-probability but high-damage threats posed by active attackers. They will look to leverage the latest tools available. Make sure your security team stays aware of these new threats as well as new opportunities and technologies that might keep you ahead of them.
One such technology to be aware of is Narrow Band Internet of Things (NB-IoT) wireless: a new set of networked enterprise infrastructure devices that can communicate outdoors over wireless cellular networks. With NB-IoT tools, you will soon be able to extend access control systems previously bound to indoor facilities to the outdoors, or get seamless real-time positioning data on assets and people, both indoors and outdoors.
3. Ignoring the Human Factor
The weakest link in almost any security system is the people that use it. This has been known since the very inception of modern enterprise security. And yet, we continue to find new ways to underestimate people’s ability to break even the most organized security program.
It could be personnel giving keys to a coworker to return, which then mysteriously disappear. Or propping open a security door “just for a minute.” Or writing down a password where no one would ever think to look: under the keyboard.
The Solution: Every security plan needs to account for the bad luck and ‘ingenuity’ of the people who use it. Everyone who will enter your facility needs some degree of security training. That includes contractors and visitors, even if it’s just a quick checklist of do’s and don’ts.
Match your training and drills to the specific threats you face. A hydroelectric facility in an area prone to forest fires will need a very different emergency training schedule to a corrections facility experiencing a pattern of violent incidents.
4. Not Properly Integrating
This problem usually lurks unrecognized by management, the public, and security teams themselves until it’s too late. If a multi-site organization has two security teams running two different access control systems, over time inconsistencies will build up. The teams stop coordinating effectively as records fall out of sync. And then something slips through the cracks.
The issues that arise from poorly integrated security systems can be reputation-breaking, like data breaches or major internal losses.
The Solution: Integrate from the ground up using a flexible security platform. This enables truly centralized monitoring which comes with a whole host of operational efficiency gains. Working with a security integration specialist can often help identify specific solutions that will prove most effective in your particular organization.
5. Not Using What You’ve Built
Security policies are only as effective as their actual enforcement. Likewise, technologies are only as effective as their actual use. You can have a fully integrated, flexible set of security measures, not too large or too small, that properly account for human errors, but if you’re not actually using the systems and enforcing the policies correctly you’re not actually protected.
The Solution: As with addressing the human factor, the key here is training. Keep security at the front of your entire organization’s thinking by practicing specific incident responses. Experiencing mock security threats primes all personnel to retain the security training that will save them and your facility in case of any actual incident.
There are many details that can get overlooked when designing new security programs for office or commercial buildings. Make sure to consider a key management system that will help you track, secure and control access to sensitive keys. With a small amount of extra planning you can easily avoid these pitfalls.
Editor's Note: This post was originally published on March 31, 2017, and has been updated for accuracy and comprehensiveness.