While many organizations are taking the steps to ensure their building is secure, many are ignoring basic pieces of the puzzle that is physical security in and around a facility.
Tim Giles, a security consultant and author of ‘How to Develop and Implement a Security Master Plan,’ was once in charge of all IBM Security operations for the US and Canada and today advises clients about how to design a security plan that fits the risk level and needs of their building. He gave CSO a rundown of some common missteps organizations make when devising a building security plan.
- Creating post orders without advanced analysis
“Most companies don’t have an inside person with facilities security expertise,” said Giles. “Often the facilities manager will put together a guard services contract and contract services with a company and they really have very limited ideas about how to manage it.”
Giles thinks the problem is that an outside contract company will often come into the assignment with their own post orders and place security personnel without first conducting a real analysis of the security needs of the building. And because there isn’t an experienced person within the company that understands security, there is no system of checks to ensure the contract security personnel are doing what they should be doing, said Giles. (Read a first-hand account of how easy it is for criminals to get in the door of a secure building in Anatomy of a Hack)
Before any contract security services firm creates post orders for a building, they should first conduct a thorough assessment of the unique needs for security in the facility.
“Buildings differ primarily because of who the tenants are,” said Giles. “Security needs to evaluate who is in there and what kind of risks they bring with them. Some have a high-traffic volume of visitors. They could be controversial; some might face the possibility of problems with former or disgruntled employees. All of those things dictate what security should be doing at their posts.” (See Giles’s sample employee termination checklist in CSOonline’s Security Tools and Templates section)
- Placing aesthetics over security
Giles said this mistake can be made as early as when the building is designed by an architect. While ground-level lighting and hidden cameras may be more pleasing to the eye, neither is good for security. Giles said he once worked in a building where the architect had designed all the cameras to be out of sight.
“But someone seeing the camera is 50 percent of the value because it’s a deterrent,” noted Giles. “When people know they are on camera, they are much less likely to do something wrong.”
Another common design Giles sees that makes him cringe is shrubbery that runs along walkways and sidewalks.
“Suddenly someone who wants to rob someone has a nice hiding place,” he said.
- Neglecting to properly secure certain entrances
Giles believes in the rule that the fewer entrances into a building, the better.
“Every door is another opportunity for someone to get in,” he said.
While it is important to have several doors for emergency exits, Giles said they all too often get neglected. He suggested alarms at all doors that have been designated as emergency exits. Employees should also be asked to demand ID or badges from individuals entering a secure building, he said, and noted the best defense against intruders is a good security awareness program among workers that gets them to notice what is going on around them.
- Allowing management to ignore security rules
Sure, a good awareness program might ask employees to “check” on one another to ensure they are wearing badges or ID. But what if management is neglecting to follow the rules? Giles said it is a physical security mistake he sees all the time.
“I tell them you have to make a choice. If you are going to have a badge-wearing program, you have to wear the badge. If you’re not going to wear one, do away with the program because if you don’t wear it, you undermine the program.”
- Failing to take time to understand your technology
Physical security technology, such as CCTV, has come a long way in the last decade, noted Giles. The problem is many people don’t know how to use it. Giles said a good CCTV recording system will often be for naught because, if there is an incident, the staff doesn’t know how to find the recording they need.
“Companies will have a contractor come in and install the cameras, and then there is no follow up to learn how to really use it.”
Giles said another common scenario is a building with 40 or more cameras around the facility which use a multiplexer to toggle between cameras and record images. But the switching is done at random and is therefore of little use.
“If you don’t set that up properly you might have a situation where a person is breaking in a door but you don’t capture the event because the recorder was not on the door at that time.”
Giles recommends that monitoring systems be configured to have event-driven recording, which means a camera is activated wherever an alarm goes off. (See VMS: How to Manage Surveillance Video.)
- Failing to secure important rooms inside the building
“We used to have people working the server room all the time (in organizations),” said Giles. “But now they can control what is going on in there remotely. So if someone is going in and out of there, you really want to know who it is and why they are there.”
Giles recommends access control systems around data centers that include badges and/or access cards as well as cameras. (See 19 Ways to Build Physical Security into Your Data Center.) He also advises clients who have concerns about proprietary information to secure their mail rooms as well.
- Overdoing security
Lastly, it’s important to remember that these tips are not a one-size-fits-all prescription for your building’s security, said Giles. The level of facility security will need to fit the level of risk an organization faces.
“I’m opposed to going into a facility and having them do as much security as they can do,” he said. “If you overdo it to where it doesn’t make sense, within six months people will have figured out ways to get around security and it will be a waste of money. It has to match the risk and culture of the business.”