Brad Curtis | October 19, 2012
Here at Solutionary, we take physical security very seriously. This is not just to protect company information, but also our clients’ information. Many of our clients, especially those in the financial sector, feel the same way. Solutionary performs physical security assessments for a variety of our clients. I sometimes wonder if we go over the top with our own security, or expect too much from clients when performing an assessment. For example, a client recently absorbed another floor in their building due to growth and asked us to perform a risk assessment to ensure they had all the proper controls in place. This assessment was slightly different from previous assessments because of the dynamics of the new floor. There were a few things to consider that previously had not really been issues.
Now that they have a ground-level floor, there were many new vulnerabilities to consider, including: windows, outdoor landscaping, trees, streets, lighting, camera views, visibility of whiteboards and monitors from the outside, and the list goes on. Based on our suggestions, they loaded up on new exterior cameras and lighting to ensure no one would be lurking in the shadows. Next we discussed where they needed badge readers and where most employees should have access based on business needs. They tried to come up with a valid justification (other than budgetary) for not using readers in general-use areas, but could not find one that did not leave the access controls open to circumvention.
Another thing we identified was that the perimeter doors on the new floor had their hinges exposed. Even though there were cameras covering every door and angle, this was not secure. Someone could potentially tap the pins out of the hinges and set the door aside, easily bypassing the two-factor biometric reader. The door contacts on the burglar alarm would raise a “door ajar” alarm and the DVR would certainly record the intruder, but that could still leave someone enough time to do damage, steal equipment, or walk off with sensitive information. So, as suggested, they fixed the hinges.
There were many other things they implemented to ensure the physical security of their new space exceeded good practice, and some probably seemed over the top. Some preventative steps are in fact over the top for an “average” office, but since company and client information was at stake, in the end it was hard for them to place too much value on protecting such sensitive information.
In addition to these measures, we suggested they update and beef up their annual security policy by sending out security tips throughout the year. For example, remind employees about tailgating: challenge the presence of unknown people without credentials.
By contrast, I flew to Chicago a couple of weeks ago and took note of a few things while waiting to pass through the security checkpoint. The TSA asked several travelers to open their carry-on bags so the contents could be inspected. One woman had packed her curling iron, hair dryer, and some other beauty items. She had to unpack them, display them, and answer questions. The next woman carried her dog through the checkpoint. It was not a seeing-eye dog or service dog of any sort. It was simply a little purse dog (albeit a very cute and friendly one). I was not even aware you could bring your dog through the checkpoint like that. They ran some light scanner test and a residue test on her hands and inspected the doggie treats she had in her carry-on. However, they did not look at the obviously gaudy collar the dog had on or the pockets in the pint-sized doggie carrier. I don’t know what they are supposed to look for, but I could see the collar being something that would interest me for further inspection.
The TSA also randomly selected shoes to review more closely. I’m not really sure what the difference was between my sneakers and those of the guy in front of me, but they pulled him aside and really inspected his shoes. I was getting ready to offer mine to the TSA agent when he waved me off. All through the security process, the TSA made sure everyone stayed in line and waited their turn to go through the metal detector or x-ray machine. They were polite yet vigilant about keeping order.
However, I was perplexed when I saw a couple of presumed TSA people walk around the checkpoint and go directly past the security area without anyone questioning or even giving them a glance. They were dressed in the appropriate attire, and certainly looked the type, but there were so many TSA agents working that area that I had to wonder if they really knew every person there. Could they really afford to assume those people were TSA agents because their uniforms looked right? Did they have authorization to be there at that particular time of day?
So what could the TSA have done better, and how far do they take it at the taxpayer’s expense? In many foreign countries, armed security personnel with assault rifles stand at security checkpoints and roam about. Sometimes they have trained attack and drug-sniffing dogs and armored fighting vehicles on the tarmac. Does the U.S. feel that is not necessary, not cost-effective, or outside of our comfort zone? Why haven’t they built security vestibules with iris, fingerprint, palm, or other two- or even three-factor authentication to enter secure areas? This is a more complex question than can be analyzed and discussed here, but no one should expect that a door marked “Authorized Entry Only” is really going to slow people down.
After analyzing what I experienced on my travels, I realized one could do a whole lot more, but would it be overkill? Our client could add an x-ray scanner and metal detector in their lobby with an armed guard to go through visitors’ laptop bags, suitcases, etc. Wait, no, that would certainly offend and potentially embarrass visitors. So where do you draw the line?
When I reassess what makes sense from a business and risk perspective, we may have been a bit hard on our client, and they probably went a little overboard on some of the controls they put in place. But those controls work, are not overly burdensome, and provide their clients with an assurance that their information is safe with our client. They have more than appropriate controls. Would those clients feel the same way if an armed guard patted them down and rifled through their belongings before a meeting? Certainly not; they’d probably feel as though they were being treated as criminals.
In the end, the client was very happy with our findings and implemented nearly all the suggestions indicated in the report. We explained our position and even told them they were NOT required to address every item to the extent we suggested, and that there might be compensating controls available to remediate the issues in a more cost-effective manner. They deliberated with executive management and decided they could not place a monetary value on protecting sensitive information.
My suggestion for any company getting ready to assess their physical security environment is to treat physical security like any other component of your active Security Program:
- Identify the appropriate standards associated with your industry
- Do a thorough risk assessment
- Identify what it is you are trying to protect
- Meet or slightly exceed the controls you selected
If you perform a proper assessment, you likely won’t go overboard and may even identify things you hadn’t thought of previously.