A physical security risk assessment is one of the best tools any business can use to improve its security practices. So whether you’re developing a new business security plan or updating an existing one, the first step is to conduct one of these assessments.
What is a Physical Security Risk Assessment?
A physical security risk assessment is a top-to-bottom analysis of your organization, facilities, and physical security practices. Some security professionals have the expertise to carry out these assessments in-house. However, many organizations hire contractors or an entire security firm to conduct an assessment.
A good assessment will examine your day-to-day operations and high-level strategic security plan. A physical security risk assessment aims to help you better understand how each security process benefits your organization and how each fits into your wider security plan.
Who Needs Physical Security Risk Assessments?
If your organization has any type of facility, personnel, or physical assets, you will benefit from conducting one. That may not seem relevant in an increasingly digital workplace, but the future of business isn’t purely digital.
Physical and digital business practices are converging. The uptick in hybrid working is just one recent example of this trend. Hybrid working seamlessly blends remote and on-premise working thanks to a combination of physical and digital tools and practices.
The benefits of these arrangements are clear, and lingering resistance to hybridizing—or converging—other parts of the business will soon fade away. Companies looking to stay competitive will need to converge their own security practices. That means ensuring physical security gets appropriate attention.
Risk assessments are mandatory in some regulated industries
Some compliance standards enforce physical security risk assessments. If your organization has to work under any of the following standards, and you don’t already have a risk assessment process, then you need to develop one.
- International Organization for Standardization (ISO) 27001: a comprehensive set of guidelines for Information Security Management. ISO 27001 includes provisions for both digital and physical security assessments.
- The Health Insurance Portability and Accountability Act (HIPAA): a US body of law mandating the secure handling of patient records. Under HIPAA, you can’t plead ignorance and claim you didn’t know about security vulnerabilities. Instead, organizations are expected to know when patient data is exposed to risk and to document how they secure it with both physical and digital safeguards.
- Payment Card Industry Data Security Standard (PCI-DSS): an information and physical security standard for businesses processing credit card payments. This is perhaps the most widely enforced standard of the three listed here.
Simple 5-Step Physical Security Risk Assessment
While a comprehensive physical security risk assessment is best carried out by a professional, there is plenty of value in conducting one yourself in-house. Follow this five-step process to evaluate your organization’s physical security readiness.
Example: Securing Handheld Radios
Conducting a physical security risk assessment for an entire organization is well worth the effort, but it does take time. So let’s walk through one small example where we assess whether a particular asset locker solution is cost-effective for a customer looking to secure radios.
Radios are portable and have resale value, which makes them targets for both external and internal thieves. If you don’t have an asset locker system for securing them when idle, they can be very easy to steal.
Replacement cost is the easiest factor to consider since it’s already quantified. Unfortunately, it’s also usually the least important. Many radio models are available today, from $50 off-the-shelf consumer models to hardened APCO-25 police radios costing thousands. So the impact of this asset loss can range anywhere from inconvenient to mission-critical.
For keys, rekeying costs can range from pennies up to hundreds of dollars for high-security master keys.
At the upper end of that range, an organization with only a handful of P25 radios could justify the purchase of an electronic asset locker system on the replacement cost of the radios alone. But for many organizations using more standard commercial radios, this isn’t the case.
The more integral an asset is to your operations, the greater you will feel its loss. And often, the labor cost in staff hours spent managing its loss (searching for it, reordering, reconfiguring, and so on) will be greater than the direct replacement cost.
Let’s consider an example. A hotel or other organization in the hospitality industry may use radios only to help coordinate periodic conferences. Not mission-critical. However, a large, multi-building corrections facility may rely on radios constantly. Very mission-critical and often regulated.
Quantifying the operational impact of lost radios in the second scenario very likely makes electronic asset lockers cost-effective for that corrections facility. Lost facilities keys slow down every workflow in which they’re used.
Then there’s the risk of further damage to the organization if the asset is lost or stolen. Take radios in corrections facilities: there’s also a need to control inmate access to institutional assets like radios. If you’re not protecting those assets, their theft could create a public safety risk beyond the immediate risk to the facility.
At this point, if there’s a quantifiable risk to the public, to an organization’s intellectual property, or to some other intangible, beyond the direct replacement cost and operational impact, then in most cases it immediately becomes cost-effective to deploy a high-end security solution for asset management.
This three-point analysis is a good back-of-the-envelope way to evaluate the cost-effectiveness of any security system. Rather than comparing product features, the key is to focus on the value delivered to your organization and the unique demands the system can meet. It’s not about technology. It’s about your business.
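To make the three-point analysis concrete, here is a small Python model of it, added as an illustration and not part of the original article or the author’s method. The scenarios, dollar figures, loss rates and the five-year locker cost are all constructed assumptions; the only rule taken from the text is that a quantifiable risk beyond replacement and operational cost justifies the control outright.

```python
from dataclasses import dataclass


@dataclass
class AssetRisk:
    """One asset class and the three factors the text uses to value its loss."""
    name: str
    replacement_cost: float    # factor 1: direct cost to replace one unit ($)
    recovery_hours: float      # factor 2: staff hours per loss (search, reorder, configure)
    hourly_rate: float         # loaded labor rate ($/hour)
    losses_per_year: float     # expected losses per year without the control
    intangible_risk: bool      # factor 3: quantifiable public-safety, IP or regulatory exposure


def single_loss_expectancy(a: AssetRisk) -> float:
    """Cost of one loss: replacement cost plus the labor spent managing it."""
    return a.replacement_cost + a.recovery_hours * a.hourly_rate


def annual_loss_expectancy(a: AssetRisk) -> float:
    """Expected yearly loss if the asset stays unsecured."""
    return single_loss_expectancy(a) * a.losses_per_year


def is_cost_effective(a: AssetRisk, control_tco: float, years: int = 5) -> bool:
    """Does a control costing `control_tco` over `years` pay for itself?

    Per the third factor, a quantifiable risk beyond replacement and
    operational cost justifies the control outright; otherwise the
    annualized control cost must not exceed the annual loss expectancy.
    """
    if a.intangible_risk:
        return True
    return control_tco / years <= annual_loss_expectancy(a)


# Constructed scenarios mirroring the text (all figures are assumptions).
HOTEL = AssetRisk("hotel conference radios", 50.0, 1.0, 30.0, 1.0, False)
P25_FLEET = AssetRisk("handful of P25 radios", 3000.0, 4.0, 45.0, 1.0, False)
CORRECTIONS = AssetRisk("corrections facility radios", 3000.0, 4.0, 45.0, 3.0, True)
LOCKER_TCO_5Y = 12_000.0  # assumed 5-year total cost of an electronic asset locker

if __name__ == "__main__":
    for scenario in (HOTEL, P25_FLEET, CORRECTIONS):
        verdict = "justified" if is_cost_effective(scenario, LOCKER_TCO_5Y) else "not justified"
        print(f"{scenario.name}: ALE ${annual_loss_expectancy(scenario):,.0f}/yr -> locker {verdict}")
```

Swap in your own replacement costs, recovery hours and loss rates; the point of the model is that the labor and intangible factors usually dominate the decision, not the sticker price of the asset.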
For an even deeper dive into security ROI, check out our 6-Step Purchasing Guide, which gives more details on quantifying risks and calculating the Total Cost of Ownership for higher-end security solutions.
About the Author
Jay, Vice President of Marketing, oversees marketing and strategic partnerships at Real Time Networks and has over three decades of experience in leadership roles in the financial services and technology industries.