How to Mitigate Physical Security Risks in a Corporate Environment

June 11, 2024
Knowing your organization’s risk appetite is critical in mitigating physical security risks

Corporate security plays a vital role in de-risking the environment against a wide range of threats, both natural and man-made. Its efforts are instrumental in fortifying organizational resiliency in an increasingly complex threat landscape.

Security lapses in regulated industries can have severe consequences. The tone for a heightened security culture is set at the executive level and permeates down to front-line staff. In these environments, security breaches can lead to termination, disciplinary action, and even regulatory liability for financial losses.

Vulnerabilities in network-connected physical security devices, such as security cameras and the mobile phones used for access control, are often overlooked. In this attack vector, a threat actor exploits inadequate cybersecurity controls on the field devices themselves and uses the compromised device as a foothold to gain unauthorized access to the corporate network. If successful, these surreptitious activities create genuine negative outcomes for the organization.

Physical Security System Accountability

Amid the many tools available to evaluate threats and risks, contemporary security risk management practice has evolved toward proactive measures, including coordinating with internal and external parties to ensure a compliant, risk-based solution is deployed and regularly maintained. This approach improves the organization's ability to stay ahead of potential threats and gives it a measure of control in an otherwise unpredictable environment.

With a vast network of video surveillance cameras (from various manufacturers) deployed globally across multiple network infrastructures and managed through four different regional video management systems, a leading global financial services firm grappled with maintaining accountability for its physical security devices. The lack of a centralized platform to access and manage this data posed a significant challenge, highlighting the importance of maintaining accountability.


The organization’s internal audit team identified multiple issues with the lack of program oversight, including the disparate manner in which the camera data was captured, documented, and maintained globally. Cameras lacked regular firmware upgrades; some were end-of-life, and others had outstanding vulnerabilities identified by the manufacturer for which patches had not been deployed. Further, the audit found that the video surveillance network was not segmented from the corporate network, a weakness that would have permitted a threat actor who compromised a camera to reach the corporate network well beyond the video surveillance system.

As a result, the audit team, which maintains the relationship with external regulators, insisted that corporate security establish an asset management program to gain better visibility into and management of its network endpoints. The program would identify network-connected IT devices, develop key operating procedures (KOPs) for onboarding new devices, establish a regular patching schedule, maintain access rights, and demonstrate governance throughout the device lifecycle, including decommissioning.

Although network devices must meet a baseline level of cybersecurity just to be onboarded, this organization’s corporate security is also responsible for the ongoing management of its devices and vendor relationships. Their IT department assumes no responsibility for outdated devices, does not provide firmware upgrades, nor does it patch or replace end-of-life end-user devices. To better coordinate tasks with internal partners, a RACI (Responsible, Accountable, Consulted, and Informed) document was developed to better identify roles and responsibilities for all parties.

As the asset management program matured, it leveraged a digital workflow platform built on a Configuration Management Database (CMDB) to enter and capture detailed endpoint data and maintain an accurate, up-to-date asset inventory. This ended the legacy practice of maintaining unmanaged, decentralized spreadsheets. Compliance with the PKI (Public Key Infrastructure) certificate lifecycle management program was initially challenging; however, embedding automated certificate renewal and a renewal schedule into the process improved both security and efficiency.
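The audit findings above (end-of-life units, firmware behind the vendor's current release, unpatched advisories, no segmentation) and the certificate lifecycle program are all questions that can be answered mechanically once the inventory lives in a CMDB. The following is an added example, not the firm's CMDB or workflow tooling: a compliance sweep over a constructed inventory export that produces, per camera, the list of findings a workflow ticket would be raised for. The record fields, VLAN name, advisory identifiers and the 30-day certificate renewal window are assumptions for illustration.

```python
"""Compliance sweep over a CMDB export of network-connected cameras.

Added example with a hypothetical data model; the field names, the
approved VLAN, the advisory IDs and the renewal window are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class CameraRecord:
    asset_id: str
    vendor: str
    model: str
    firmware: str                # installed firmware, e.g. "5.6.1" or "v7.0"
    vendor_current: str          # latest firmware the vendor has published
    end_of_life: Optional[date]  # vendor EOL date, None while still supported
    vlan: str                    # network segment the device sits on
    cert_expires: date           # expiry of the device's PKI certificate
    open_advisories: List[str] = field(default_factory=list)  # unremediated vendor advisories


# Assumption: the only segment approved for surveillance devices.
APPROVED_VLANS = {"vlan-physsec"}
# Assumption: certificates are renewed when this close to expiry.
CERT_RENEWAL_WINDOW_DAYS = 30


def parse_version(version: str) -> tuple:
    """Turn a vendor version string into a comparable tuple.

    Only numeric components are kept, so "v7.0" == "7.0.0" and
    "5.6.1-hotfix2" sorts after "5.6.1". Padded to three components.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def findings_for(rec: CameraRecord, today: date) -> List[str]:
    """Return the audit findings that apply to one camera record."""
    findings = []
    if rec.end_of_life is not None and rec.end_of_life <= today:
        findings.append("end-of-life")
    if parse_version(rec.firmware) < parse_version(rec.vendor_current):
        findings.append("firmware-outdated")
    if rec.open_advisories:
        findings.append("unpatched-advisory")
    if rec.vlan not in APPROVED_VLANS:
        findings.append("not-segmented")
    days_left = (rec.cert_expires - today).days
    if days_left < 0:
        findings.append("cert-expired")
    elif days_left <= CERT_RENEWAL_WINDOW_DAYS:
        findings.append("cert-renewal-due")
    return findings


def audit(inventory: List[CameraRecord], today: date) -> Dict[str, List[str]]:
    """Map every asset ID to its findings; an empty list means compliant."""
    return {rec.asset_id: findings_for(rec, today) for rec in inventory}


def needs_ticket(report: Dict[str, List[str]]) -> List[str]:
    """Asset IDs that should have a workflow ticket opened."""
    return sorted(asset for asset, findings in report.items() if findings)


# Constructed sample export; vendors, models and advisory IDs are fictional.
SAMPLE_INVENTORY = [
    CameraRecord("cam-001", "VendorA", "Dome-200", "5.6.1", "5.6.1",
                 None, "vlan-physsec", date(2025, 1, 1)),
    CameraRecord("cam-002", "VendorB", "PTZ-10", "4.2.0", "4.4.2",
                 date(2023, 12, 31), "vlan-corp", date(2024, 3, 1),
                 open_advisories=["ADV-2023-07"]),
    CameraRecord("cam-003", "VendorA", "Bullet-50", "v7.0", "7.0.0",
                 date(2027, 1, 1), "vlan-physsec", date(2024, 7, 1)),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, date(2024, 6, 11))
    for asset, findings in report.items():
        print(asset, findings or "compliant")
    print("tickets:", needs_ticket(report))
```

The version comparison is the part that most often goes wrong in practice: vendors mix "v" prefixes, two- and three-component numbers, and hotfix suffixes, and a naive string comparison will call "10.0" older than "9.2". Keeping the numeric tuple comparison in one function makes that rule auditable.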

Although it took 24 months, the corporate security team, collaborating with internal partners, including various IT teams and the audit department, implemented an asset management program with a robust governance function that continues to receive funding support. The corporate security team now has visibility into the program and can initiate workflow tickets to track issues and manage the device lifecycle. They achieved global standardization, adhering to best practices and following the firm’s device compliance policies, and significantly reduced the risk of a cyber breach through these devices.

The use of Apple, Google, and Samsung wallets that support NFC (Near Field Communication) mobile credentials can also be overlooked as a physical security risk. When implemented correctly, however, this mobile technology enables secure, convenient access control, and the increasingly frictionless experience is driving a cultural change in the corporate environment.

Use Cases

With a new headquarters building set for construction, employees of a large financial institution requested to use their mobile phones for access control, similar to how they use them daily when commuting to and from work. They wanted to experience a seamless transition when entering the workplace through lobby turnstiles and other access-controlled areas in the new building.

Initially, corporate security had no intention of introducing mobile credentials, as they had a poor experience in a controlled pilot program that ended a year earlier, plus they already had an established standard. However, with constant requests from the employee population, including senior executives, they decided to explore this opportunity further.

The deployment of a mobile access control program would have multiple implications and require internal stakeholder meetings to determine requirements, day-one feature sets, and roadmap items to determine functionality. As the corporate security team further analyzed a move away from traditional legacy plastic badges, they were able to make a solid business case to implement the new program. Many legacy plastic badges rely on card technologies whose encryption has been broken, and re-badging the entire population onto a newer card technology that may eventually suffer the same fate is cost-prohibitive. If a mobile credential scheme is compromised, the expected remedy is a software update to the credential, a far less expensive fix. In addition, mobile credentials can be configured to support logical access and various services, including cafeteria, parking, visitor access, etc. Aside from the business applications, corporate security was also able to showcase the sustainability benefits of sunsetting the plastic credential over time.

As a forward-thinking organization, implementing mobile access provides an opportunity to make a lasting impression on visitors. Through the lens of a multistakeholder initiative, a digital experience can benefit both the organization and the guest. When considering a Visitor Management System (VMS), the organization formed a steering committee to champion and drive successful outcomes, with a working group tasked with finding the best way to implement innovative ideas, solve end-user problems, and improve existing processes. This project structure enabled transformational and cultural change: in this instance, migrating from basic capture of guest name, time, and business purpose to a complete digital experience.

For example, permitting the employee to register guest information directly through a host self-service portal reduces tasks assigned to security staff, allowing them to focus on more meaningful work. It also allows registered names to be automatically cross-checked against a "Do Not Admit" database, reducing the risk of potentially volatile persons re-entering the facility. Other notification features include integrations with enterprise applications, including Slack, Teams, and Outlook, that notify a host that their guest is waiting in the lobby to be collected. Various workflows were developed based on visitor type, determining whether an escort was required and supporting a highly individualized white-glove service for VIPs.

Making a Positive First Impression

Forwarding an invitation may be the first touchpoint a guest receives from the organization. This presents an incredible opportunity to promote corporate branding and create an unforgettable guest experience. The guest registration delivered via email allows users to open and check in on their mobile device, pulling up a QR code. Aside from displaying meeting times, attendees, and location, the application could link to other apps like rideshare, weather, on-campus wayfinding for meeting locations, café, restrooms, etc.

The mobile solution allows guests to complete the required training before accessing the site and signing non-disclosure and consent forms. The visitor can also review building security and safety procedures directly through links embedded within the mobile invitation. Corporate security teams are leveraging the visitor mobile credential to forward mass notification messages in case of a building emergency.

Upon the conclusion of the visit, a brief survey is distributed to guests, asking about their experiences to determine opportunities for improvement or to understand if they had a pleasant experience that would positively reflect on the organization. This information provides valuable feedback, particularly for guest services.

Operationally, security and guest services can monitor data in real-time to understand global occupancy and identify guests whose security and safety they are responsible for while on company property. The aggregated data can be assessed to identify trends and allow for predictive staffing plans to prepare for an increase or decrease in occupancy volumes.

To date, the introduction of mobile credentials at the institution’s new headquarters has had a positive response from employees, visitors, internal business groups, and corporate security team members. A global training program is underway to ensure users are fully trained on the application and understand where to communicate issues should they require assistance. Due to privacy regulations in various countries, data collection and retention may differ across the enterprise. With that said, a global rollout with additional features is scheduled for later this year.

Although there is no prescriptive solution to mitigate all forms of physical security risks in the corporate environment, a security program can be deployed in alignment with the organization’s risk appetite with adequate planning. A layered approach starting at the perimeter and moving inward, incorporating a defense-in-depth strategy with various detection zones, aids the organization in its risk reduction efforts. Referencing industry-accepted frameworks anchored in asset protection principles, including operational, technology, and physical security elements, guides the practitioner to ensure a comprehensive program is incorporated into the design.


About the Authors

Cathal J. Walsh | Vice President and Chief Security Officer, Guidepost Solutions

Cathal J. Walsh has more than 20 years of security management experience within large multinational organizations and private risk management advisory firms. With his deep industry knowledge of physical and cyber security, fraud, investigations, and crisis management, he delivers solutions that align each discipline with the client’s overall corporate strategy, govern the regulated environment, and address evolving industry risks. At Guidepost Solutions, Walsh advises C-suite executives, boards, and heads of security with strategic guidance to address their most critical physical security and risk management matters. In addition, he serves as the firm's chief security officer overseeing its security strategy and operations. Prior to joining Guidepost, he was a vice president within the chief security office at a global financial institution, where he led the firm-wide global corporate security strategy program encompassing security systems, investigations, travel security, threat assessments, cybersecurity and executive protection.


John Bekisz | Associate Vice President of Physical Security, Guidepost Solutions

John Bekisz is an associate vice president of physical security at Guidepost Solutions. He has extensive experience in security design, engineering, consulting, and project management. Practicing holistic security consulting and design, Mr. Bekisz’s consultations and recommendations consider operations, physical, electronic, and cyber vectors to guide and support clients through mitigation selection, development, and implementation of their security programs and projects. Mr. Bekisz is a certified Physical Security Professional by ASIS International. He is a member of the ASIS International North American Board of Directors and teaches a semiannual course on video