Physical Security: The Shift in Perspective
The Current Landscape
An organisation’s Physical Security programme is the first layer of protection against malicious intent upon its people, assets and physical property. Physical security programmes and technologies used by most organisations have commonly been overlooked and are becoming far less effective at detecting and responding to threats. Preparation is critical to optimise their Physical Security frameworks to effectively identify and respond to cyber security threats, malicious actors, physical breaches and internal & external risks.
Organisations must identify their posture now more than ever as Physical Security incidents are projected to grow in 2022 and beyond1. Moreover, as organisations return to the traditional or hybrid workplace model, facilities using aging, out-of-date technologies or neglected security programmes are at a high risk of physical and cyber security breaches. This is further compounded by the inclusion of work from home in the operational model.
The Convergence of Physical Security and Cyber Security Programmes
The 2020 global pandemic initiated the immediate need for organisations to move from the in-office workplace to a decentralised or hybrid remote working solution. With this transition, organisations are simultaneously required to consider how to ensure the security of their people, assets and infrastructure in the traditional office-oriented workplace and are now required to address how to promote and extend physical security into the private realm; the home. Both considerations are equally important in preventing unauthorised access to organisational assets and preventing information breaches.
Industry trends have shown a significant rise in Cyber Security related crimes that are directly linked to Physical Security vulnerabilities. According to a 2021 Verizon report2, 85% of cyber security breaches involved a human element; this includes exposure to insider threats and physical breaches. Due to the increased focus on pandemic management, sustainability considerations and the hybrid workplace, organisations need to examine their Physical Security programmes as they relate to cyber security threats from this new operating model. A robust and cyber-converged Physical Security programme is the first step to reducing cyber security threats and risks.
The Call for Change
As threats against organisations continue to increase, the Physical Security programme requires security cyber-convergence, robust training and awareness programme as well as integration of other stakeholder groups through the digitalisation of technologies. The goal is to create a resilient organisation by breaking down silos, encouraging information sharing and preventing and minimising exposure to threats and risks.
Security convergence relates to the holistic approach to tackling physical, personnel and cyber security while protecting an organisation’s assets including its data, people and facilities. As technology enables every critical function, threat actors will continue to look for the path of least resistance in an organisation. Security convergence requires a realisation and understanding that security is everyone’s responsibility and upholding user privacy is a fiduciary duty of the organisation. It entails having a security-minded culture in preparing for and tackling new risks.
Training, education and awareness are ongoing principles of Physical Security. Developing a security-first culture should be top of mind for all stakeholders; incidents do not simply come with a notification to the organisation, but rather an abrupt disruption that requires preparation and real-time response. Further, organisations and employees should be equipped with training on the processes to adequately communicate to stakeholders during an event, preventing events from occurring or returning to operations quickly after an incident.
An organisation’s Physical Security programme is dependent on the collaboration and the exchange of data with other stakeholder groups. Organisations should consider methods where the use of technology and programme digitalisation can be leveraged. An example of this would be a data integration between the physical security software and the business continuity plan to trigger real-time event-to-action alerts and notifications. The value of integration has long been ignored and those early adopters who have embraced advanced integration have seen those benefits, the reduced risk and cost savings integrations create.
Security convergence, security awareness and collaboration with stakeholder groups allow an organisation to remain resilient against risks and threats. As threat actors become more sophisticated, a Physical Security programme must have a holistic and proactive approach to these advanced risks and threats. Failure to properly identify risks, or perform an early risk analysis, can result in injury, financial loss, or reputational damage.
The Way Forward
Organisations must gain insight into the current state of their Physical Security programme and fundamental questions must be asked:
- Is there a defined Physical Security programme and mandate in place?
- Does the organisation exhibit a meaningful level of awareness of existing physical and cyber security measures?
- To understand the business drivers, are organisational leaders engaging with the Physical Security group when exploring new business initiatives?
- Are there sufficient technologies in place to prevent, detect and respond to Physical Security threats and breaches?
- Do you have defined KPIs and KRIs, to measure and monitor against, and identify risks and threats?
- Is the Physical Security programme integrated with other stakeholder groups such as HR, finance, privacy, legal Cyber Security, Business Continuity, Risk and Crisis management?
- Are third parties reviewed to ensure compliance with applicable regulatory requirements and internal or global/international standards?
So, why are these questions important? They are foundational in helping organisations understand the extent of their Physical Security programme and technology gaps and the subsequent need to (re)focus and prioritise their Physical Security posture.
For instance, a broad review of the current state of an organisation’s Physical Security programme and technology will identify its strengths, weaknesses and vulnerabilities. Oftentimes, a current state assessment becomes a moment of self-realisation; organisations comprehend where their vulnerabilities exist. What this means is an opportunity for the organisation to shift its perspective, consider the way forward and better prepare, prevent and respond to incidents.
Key Contacts
If you would like to learn more or would like to have a conversation with our team to discuss Physical Security convergence and resilience, reach out to one of our subject matter advisors.
Return to the Responsible Business home page to discover more insights from our leaders.