Perspective:

Defining physical security culture and awareness

When we talk about culture, we refer to the organisational norms meant to promote the right behaviours. Culture is the unique set of values, institutions and social behaviours shared by a specific group of people, through which this group defines what they view as right and wrong behaviour.

When we talk about physical security culture, the same definition applies. With the right security culture in place, the right security behaviour is more likely to follow.

For an organisation to be more resilient towards security threats, its people need to understand the role they play in the prevention, detection, deterrence and reporting of security threats. This will result in (i) increased awareness of security threats, (ii) increased compliance with security measures, (iii) increased awareness of the impact of effective security on business successes and (iv) increased engagement levels and hence people taking responsibility for security issues.

So why do organisations need to invest in physical security culture and awareness? The answer is quite simple: people remain the most vulnerable component of an organisation’s physical security strategy. With the ever-increasing use of technology, one might question the need for a security culture focused on the human aspect.

However, the technology is only as strong as the person using it. The challenge is to ensure that employees are not circumventing technologies or procedures to make their lives more convenient. A common example of this is the practice of holding the door to a restricted area open for someone without validating their access credentials. This is just one example of the human aspect of security, but there are of course other examples, such as tailgating (the act of allowing unauthorised people into a restricted area without presenting valid credentials), complacency and situational awareness, which brings us back to the need for a clear and sustainable security culture to be established and regularly reviewed.

In addition, business leaders should not view physical security only as a risk to be controlled, but also as an essential element to enable business growth. As Maslow’s hierarchy of needs shows, when people do not have to worry about their physical security, it allows them to unlock their creative thinking and enables more complex problem solving. Thus, employees should be allowed to work in a safe and secure environment, so they can fully focus on their roles and responsibilities within the organisation.

A sustainable physical security culture

For a physical security culture to work and be sustainable in the long run, organisations need to care for and invest in their physical security culture as part of their organisation’s standard practices and their DNA. A sustainable physical security culture can only happen when it is approached from both bottom-up and top-down.

Physical security culture and awareness should thus be a topic discussed in board meetings to ensure that it becomes part of the broader organisation’s conduct risk and culture framework. Moreover, to fully show the commitment of management, a physical security policy should be implemented that supports the acceptance and spreading of the physical security culture. This is easy to comprehend when talking about cyber security; however, it also applies to physical security. If we take access control as an example, teaching people not to allow tailgating is as much part of general business acumen as not clicking the link in the external email. In both cases, the organisation risks giving people with malicious intent access to restricted areas or perimeters, thus potentially exposing itself to huge data leaks, theft, fraud or confidential information leaks.

By investing in the development of a mature and sustainable physical security culture, your overall business will improve in the long run. The cost of a security breach is reflected not only in lost data but also in lost productivity and time spent dealing with the ramifications of the breach. Therefore, investing in security will lower the risk of vulnerabilities and have an overall positive impact on the business. Investing in a robust training programme will improve the physical security posture of the organisation. At the same time, the investment made shows that the organisation truly cares about its people, property and assets.

Moreover, when your employees are aware of the most relevant physical security threats, and their potential impact on the organisation, they will likely feel responsible for upholding the physical security guidelines set forth by the organisation. This in turn will provide a more sustainable physical security culture with buy-in from all stakeholders. It is at this point that the return on investment becomes clear. By investing in the security culture, human error becomes less likely, thus lowering the risk of being exposed to malicious intent.

Characteristics of the physical security culture in the hybrid workplace

As outlined above, for a physical security culture to be sustainable, it is imperative to have engaged employees across various business units and on all levels and positions. This is even more challenging in the hybrid workplace, where employees spend a large part of their working time away from the office. A physical security culture should exist where everyone understands that they play a role in the overall security posture of the organisation. In a hybrid workplace, this can feel like an impossible task. For employees to stay engaged with the physical security culture of the hybrid workplace, organisations need to ensure the physical security culture remains present through training, reminders and bulletins. An enhanced physical security culture will also help with the complex issue of maintaining the workforce’s sense of belonging to the organisation.

The first step to generating more engagement is creating training programmes that are all-inclusive, reflecting all levels, roles and functions. If you want your employees to be able to make the right decision and do the right thing, they need to know what this looks like for them in their role. Inclusive training covering different roles will ensure that you are able to capture the attention of all employees. In this way, you are creating an environment wherein everyone feels equally responsible for security, rather than one where security is perceived as only relevant for the security office and guards. Everyone is responsible for ensuring the security of the organisation.

Another easy step is to make the training interactive and fun. While the generic posters hanging in each corridor may be useful as a daily reminder, more interactive training can strengthen the sense of involvement. Just because this training is mandatory for all does not mean it cannot be made more interesting. A simple interactive video that can be viewed from home at any time could already be enough. Additionally, you could have security training as a theme of the organisation’s screen savers.

One way to keep people interested in these recurring trainings is by changing the theme of the trainings periodically. Organisations can use common themes or draw on current trends when creating new physical security trainings. Some of the areas that can be highlighted in the trainings include tailgating, duress alarms, scenario-based exercises, situational awareness, how to identify potential risks, how to avoid putting yourself or others at risk, how to report risks, how to develop a realistic and effective extension of physical security to the hybrid workplace, etc.

When thinking of creative ways to incorporate security into the workplace, use what you already have. As Winston Churchill once said: “Never let a good crisis go to waste.” Simply by using real-life incidents as examples, you are creating more realistic training cases. For instance, you could send out short stories after an incident has happened to remind people of their role, showing them how the incident could have been avoided. Of course, the intention should never be to shame someone, so when using real-life cases always make sure the identity of people is protected.

Every organisation has a security culture; however, not every organisation has a sustainable security culture. By becoming conscious of the maturity and unique features of your organisation’s security culture, you can actively work towards security becoming more embedded into the organisation. It takes time to change a culture, so don’t expect miracles overnight. Only when all your employees know the answer to the question “What does ‘doing the right thing’ mean for me?” can you be certain that you are going in the right direction.

Contacts

If you would like to learn more or would like to have a conversation with our team to discuss physical security culture and awareness, get in touch with one of our subject matter advisors.

Nathan Spitse | Global/Canada | nspitse@deloitte.ca | Tel: +1 519 281 6936

Michael Mueller | Germany | micmueller@deloitte.de | Tel: +49 151 5800 0362

Jean-Francois Allard | Canada | jeallard@deloitte.ca | Tel: +15143937147

Stefanie Ruys | Nordics & Denmark | steruys@deloitte.dk | Tel: +45 30 93 52 87

Agnieszka Eile | United Kingdom | aeile@deloitte.co.uk | Tel: +44 7867 156 191

Eddie Sin Keung CHIU | Asia | eddchiu@deloitte.com.cn | Tel: +86 10 8520 7110

Koen Magnus | Belgium | kmagnus@deloitte.com | Tel: +32 485 46 65 90

Kim Speijer | Belgium | kspeijer@deloitte.com | Tel: +32 478 64 27 27

Danny Tinga | Netherlands | dtinga@deloitte.nl | Tel: +31 610 452 304

Enrique Bilbao Lazaro | Spain | ebilbaolazaro@deloitte.es | Tel: +34 666 500 907

Teemu Hokkanen | Finland | teemu.hokkanen@deloitte.fi | Tel: +35 820 755 5147

Paula Rosengren | Sweden | prosengren@deloitte.se | Tel: +46 70 080 24 24
