Physical Security: The Shift in Perspective
The Current Landscape
An organization’s Physical Security program is the first layer of protection against malicious intent upon its people, assets, and physical property. Physical security programs and technologies used by most organizations have commonly been overlooked and are becoming far less effective at detecting and responding to threats. Preparation is critical to optimize their Physical Security frameworks to effectively identify and respond to cyber security threats, malicious actors, physical breaches, and internal & external risks.
Organizations must identify their posture now more than ever as Physical Security incidents are projected to grow in 2022 and beyond1. Moreover, as organizations return to the traditional or hybrid workplace model, facilities using aging, out-of-date technologies or neglected security programs are at a high risk of physical and cyber security breaches. This is further compounded by the inclusion of work from home in the operational model.
The Convergence of Physical Security and Cyber Security Programs
The 2020 global pandemic initiated the immediate need for organizations to move from the in-office workplace to a decentralized or hybrid remote working solution. With this transition, organizations are simultaneously required to consider how to ensure the security of their people, assets, and infrastructure in the traditional office-oriented workplace and are now required to address how to promote and extend physical security into the private realm; the home. Both considerations are equally important in preventing unauthorized access to organizational assets and preventing information breaches.
Industry trends have shown a significant rise in Cyber Security related crimes that are directly linked to Physical Security vulnerabilities. According to a 2021 Verizon report2, 85% of cyber security breaches involved a human element; this includes exposure to insider threats and physical breaches. Due to the increased focus on pandemic management, sustainability considerations, and the hybrid workplace, organizations need to examine their Physical Security programs as they relate to cyber security threats from this new operating model. A robust and cyber-converged Physical Security program is the first step to reducing cyber security threats and risks.
The Call for Change
As threats against organizations continue to increase, the Physical Security program requires security cyber-convergence, robust training, and awareness program as well as integration of other stakeholder groups through the digitalization of technologies. The goal is to create a resilient organization by breaking down silos, encouraging information sharing and preventing and minimizing exposure to threats and risks.
Security convergence relates to the holistic approach to tackling physical, personnel and cyber security while protecting an organization’s assets including its data, people, and facilities. As technology enables every critical function, threat actors will continue to look for the path of least resistance in an organization. Security convergence requires a realization and understanding that security is everyone’s responsibility, and upholding user privacy is a fiduciary duty of the organization. It entails having a security-minded culture in preparing for and tackling new risks.
Training, education, and awareness are ongoing principles of Physical Security. Developing a security-first culture should be top of mind for all stakeholders; incidents do not simply come with a notification to the organization, but rather an abrupt disruption that requires preparation and real-time response. Further, organizations and employees should be equipped with training on the processes to adequately communicate to stakeholders during an event, preventing events from occurring or returning to operations quickly after an incident.
An organization’s Physical Security program is dependent on the collaboration and the exchange of data with other stakeholder groups. Organizations should consider methods where the use of technology and program digitalization can be leveraged. An example of this would be a data integration between the physical security software and the business continuity plan to trigger real-time event-to-action alerts and notifications. The value of integration has long been ignored and those early adopters who have embraced advanced integration have seen those benefits, the reduced risk, and cost savings integrations create.
Security convergence, security awareness and collaboration with stakeholder groups allow an organization to remain resilient against risks and threats. As threat actors become more sophisticated, a Physical Security program must have a holistic and proactive approach to these advanced risks and threats. Failure to properly identify risks, or perform an early risk analysis, can result in injury, financial loss, or reputational damage.
The Way Forward
Organizations must gain insight into the current state of their Physical Security program and fundamental questions must be asked:
- Is there a defined Physical Security program and mandate in place?
- Does the organization exhibit a meaningful level of awareness of existing physical and cyber security measures?
- To understand the business drivers, are organizational leaders engaging with the Physical Security group when exploring new business initiatives?
- Are there sufficient technologies in place to prevent, detect and respond to Physical Security threats and breaches?
- Do you have defined KPIs and KRIs, to measure and monitor against, and identify risks and threats?
- Is the Physical Security program integrated with other stakeholder groups such as HR, finance, privacy, legal Cyber Security, Business Continuity, Risk, and Crisis management?
- Are third parties reviewed to ensure compliance with applicable regulatory requirements and internal or global/international standards?
So, why are these questions important? They are foundational in helping organizations understand the extent of their Physical Security program and technology gaps and the subsequent need to (re)focus and prioritize their Physical Security posture.
For instance, a broad review of the current state of an organization’s Physical Security program and technology will identify its strengths, weaknesses, and vulnerabilities. Oftentimes, a current state assessment becomes a moment of self-realization; organizations comprehend where their vulnerabilities exist. What this means is an opportunity for the organization to shift its perspective, consider the way forward and better prepare, prevent, and respond to incidents.
Key Contacts
If you would like to learn more or would like to have a conversation with our team to discuss Physical Security convergence and resilience, reach out to one of our subject matter advisors.
Return to the Responsible Business home page to discover more insights from our leaders.
Contacts
Nathan Spitse | Global / Canada | nspitse@deloitte.ca | Tel: +1 519 281 6936
Michael Mueller | Germany | micmueller@deloitte.de | Tel: +49 151 5800 0362
Jean-Francois Allard | Canada | jeallard@deloitte.ca | Tel: +15143937147
Stefanie Ruys | Nordics & Denmark | steruys@deloitte.dk | Tel: +45 30 93 52 87
Agnieszka Eile | United Kingdom | aeile@deloitte.co.uk | Tel: +44 7867 156 191
Eddie Sin Keung CHIU | Asia | eddchiu@deloitte.com.cn | Tel: +86 10 8520 7110
Koen Magnus | Belgium | kmagnus@deloitte.com | Tel: +32 485 46 65 90
Kim Speijer | Belgium | kspeijer@deloitte.com | Tel: +32 478 64 27 27
Danny Tinga | Netherlands | dtinga@deloitte.nl | Tel: +31 610 452 304
Enrique Bilbao Lazaro | Spain | ebilbaolazaro@deloitte.es | Tel: +34 666 500 907
Teemu Hokkanen | Finland | teemu.hokkanen@deloitte.fi | Tel: +35 820 755 5147
Paula Rosengren | Sweden | prosengren@deloitte.se | Tel:+46 70 080 24 24