Why physical security is important, current thinking and best practices
By Jay Palter | July 20, 2023
Physical security is the discipline of protecting an organization’s real-world assets, such as people, property, real estate, IT infrastructure, vehicles, and merchandise. If an asset’s loss or compromise would harm your operations, you must protect it with physical security measures.
The threats physical security programs can protect against include theft, attack, natural disasters, and fire. The goals of instituting physical security measures could vary from organization to organization. One might care about mitigating financial losses, another reducing production downtime, and a third might prioritize protecting its people.
We may live in an increasingly digital world, but all the people, businesses, and infrastructure that matter are still in the real world. If anything, physical security for public and private organizations might be even more important today than ever before.
Network technology has allowed organizations to become much less centralized. Physical assets are more likely to be distributed across multiple local offices and worksites. That decentralization introduces many more perimeters and isolated clusters of assets that you must secure.
We now know what physical security is, but what is security convergence? Anyone getting up to speed on the latest business security practices must understand this topic. It is the blending of the physical and network security disciplines. The idea of convergence has been around for decades but has surged in importance recently due to the rise of Internet of Things (IoT) technology.
Now more than ever, the boundaries between the physical and digital worlds are becoming blurred. Physical attacks can target IoT infrastructure. Network attacks can take down connected real-world infrastructure. Our physical security teams must collaborate with their network security peers—potentially even as part of the same team.
Any physical security program you design or individual security measure you implement must still be considered within the context of your wider physical security goals. In most cases, the goal you will want to achieve is implementing as many of the Five Ds of Physical Security as possible:
Beyond simple perimeter security, several defense-in-depth physical security models have been developed over the years. Defense-in-depth is a security approach in which overlapping defensive mechanisms protect an organization's assets. If one mechanism fails, another taking a different security approach attempts to thwart the intruder.
This multi-layered approach includes purposeful redundancies to address as many different attack vectors as possible and increase the chances that any individual intrusion is eventually thwarted before reaching critical assets.
Two of the most commonly used modern defense-in-depth physical security strategies include the Onion Model and the Garlic Clove Model.
This model treats defense-in-depth as a series of concentric layers, like an onion. Each layer represents a different security method. The outer layers are the most accessible, while the inner layers are the most secure. If one layer of security fails, the other layers will still be in place to protect an organization’s assets.
When the physical security program works as intended, people and materials move between the layers only using accountable access control or other security you have implemented at their boundaries. For example, the first layer might only allow authorized personnel to enter the facility through the well-lit front door in an open, observable space, while the second requires swiping an access card at an access control point.
The Onion Model is a simple but effective way to visualize physical security. In comparison, the Garlic Clove Model is a more sophisticated and realistic extension of it. In the Garlic Clove Model, the layers of security are not concentric layers but rather various pockets of security distributed throughout a facility inside an outer layer of perimeter security. Neither approach relies on a single outer perimeter to protect everything simultaneously.
These pockets make it more difficult for intruders to bypass every security measure. While it is more sophisticated and effective in the real world than the Onion Model, the Garlic Clove Model is also more complicated to implement as it requires a more detailed understanding of the facility and the assets that must be protected.
In most organizations, physical security operations consist of three processes: access control, surveillance, and testing and training. These are your primary methods for applying the Five Ds of Physical Security. Each can be applied on its own, but they are most effective when used in unison.
Access control is the process of limiting who has access to a facility, a specific zone within a facility, or an organization’s material assets. It is the first and most common defense against unauthorized access to an organization's people, equipment, vehicles, and other assets.
Surveillance is the use of personnel or technology—such as closed-circuit television (CCTV) or management system content surveillance—to monitor activity within a facility.
Testing is the process of evaluating the effectiveness of an organization's physical security program. Training is the process of instructing personnel how to apply that program most effectively. It is important to test and train regularly to ensure that your physical security program is sufficient to protect your organization's assets.
Many factors should be considered when deciding how to apply these processes, including:
It is important to tailor your physical security processes to the organization's specific needs.
Deploying an effective physical security program can be a complex process. Structuring your program according to the goals, models, and processes defined here can help point you in the right direction. Applying a few best practices can also help ensure a successful deployment.
Assess your organization's risk profile—the specific threats you face, the probability of each occurring, and your current capability to respond to each. That will help you identify the physical security controls you must implement to mitigate those threats best. For example, you don’t need to employ a whole team of security guards and a full-time asset manager to protect an equipment inventory when a smart asset management system will do.
Generic all-or-nothing access control is the easiest for a would-be attacker to compromise. Where possible, tailor access control for each staff member. For example, your CEO might need physical access to the C-suite offices and all other locations during the day, but perhaps not the warehouse during off hours. Meanwhile, your warehouse personnel might only need access to the warehouse, but for all hours.
Track who has access to your facilities and equipment and when they have access. Detailed access logs will help you to identify any unauthorized access attempts during or after the event.
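The per-person access rules and the access-log review described above can be combined into one audit pass. The following is an added example, not part of the original article: the badge IDs, zone names, log format, and the 07:00 to 19:00 definition of "day" are all assumptions made for illustration.

```python
from datetime import datetime, time

# Constructed policy modelled on the article's CEO / warehouse example.
# The "day" window and every identifier below are illustrative assumptions.
DAY = (time(7, 0), time(19, 0))
ALL_HOURS = (time(0, 0), time(23, 59, 59))
POLICY = {
    "ceo": {"c-suite": DAY, "office": DAY, "warehouse": DAY},
    "warehouse": {"warehouse": ALL_HOURS},
}
BADGES = {"B100": "ceo", "B200": "warehouse"}  # badge inventory: id -> role

# Constructed badge-reader records: "<ISO timestamp> <badge id> <zone>"
SAMPLE_LOG = [
    "2023-07-18T09:12:00 B100 c-suite",    # CEO, daytime
    "2023-07-18T23:40:00 B100 warehouse",  # CEO, warehouse off hours
    "2023-07-18T02:15:00 B200 warehouse",  # warehouse staff, night shift
    "2023-07-18T10:05:00 B200 c-suite",    # warehouse staff, wrong zone
    "2023-07-18T10:30:00 B999 office",     # badge missing from inventory
]

def check(badge, zone, when):
    """Return None if the swipe is within policy, else a reason string."""
    role = BADGES.get(badge)
    if role is None:
        return "unknown badge"
    window = POLICY[role].get(zone)
    if window is None:
        return "zone not granted to role"
    start, end = window
    if not (start <= when.time() <= end):
        return "outside permitted hours"
    return None

def audit(lines):
    """Return (record, reason) for every record that violates the policy."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            findings.append((line, "malformed record"))
            continue
        stamp, badge, zone = parts
        reason = check(badge, zone, datetime.fromisoformat(stamp))
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG):
        print(f"{reason}: {record}")
```

The unknown-badge case ties the log review back to the inventory practice: a swipe from a credential that is not in the inventory is itself a finding.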
You should also keep an inventory of all keys, equipment, and other secured assets. It is difficult to secure all of your assets if you don’t actually know what you have.
If your physical security program stands still, it falls behind. The only way to know whether your current measures are adequate is to test them. That might mean evacuation or other emergency response drills, system testing, mock disasters, or simple audits. The goal is to identify any weaknesses in your security program.
Vice President of Marketing