Physical Security: Are You Doing Enough?

By Eric Milam ·

My team and I have completed physical security engagements for large, global clients in practically every vertical industry and in locations all around the world, including Japan, China, the U.S. and Europe. With permission, we’ve successfully broken into office buildings, warehouses and facilities under maritime law (wire fences included). We’ve used social engineering to gain access to a company’s corporate headquarters, then a conference room, then a computer jack and, ultimately, its computer network.

While going through these experiences, we started to notice some common themes pop up. Here are the most critical ones we’ve found to date:

Culture matters. Organizations in certain countries are more susceptible to a physical security breach simply because of cultural norms. For example, in some Asian cultures people are expected to be respectful and helpful when someone asks a question, or when that person appears to be a superior or otherwise important. So, showing up in a nice car wearing an expensive suit can result in doors being opened without even a request to see identification. This creates significant security challenges for organizations doing business in that region, because employees don’t feel empowered to question someone even when they suspect that person doesn’t belong there.

It’s easy to blend in. All a criminal needs to do is sit outside your corporate headquarters to learn what your employees wear, when they come and go, and other little details that will help them blend into the crowd when entering your building. They will check out all entrances to and exits from the building to determine the path of least resistance. A back door where smokers hang out is an easy access point. All they need to do is look and act the part, and it’s likely one of your nice, well-meaning employees will let them walk right in the door. They either don’t want to be “that guy” who questions someone, or they are motivated by fear. What if it’s the chairman of the board, and they don’t recognize them? Employees are more likely to say nothing than risk speaking up and embarrassing themselves.

Employees are human. We’ve all done it – left our ID badge, mobile device, purse or wallet somewhere – the restroom, the cafeteria or the company gym locker room. This makes it all too easy for someone to pick up the item and use the badge or the information on it to access your “secure” facilities, employee accounts and corporate networks within hours.

eBay and Google have it all. Today, it’s almost laughable how easy it can be to duplicate a company’s building access ID badge. A quick online search can turn up pictures of employee and contractor badges, and cheap badge printers are readily available on eBay. So, all someone needs is an afternoon to make a legitimate-looking ID card, and POOF, they’re in your building. Note that a printed copy reproduces only what a human checks, not the proximity credential inside a real badge; but a convincing visual is usually enough to be waved past a guard or to tailgate in behind an employee, which is exactly the point.

Now that I’ve scared you enough, you’re likely asking, “What can I do about it?” Unfortunately, there is no silver bullet to protecting the physical perimeter of your organization. However, there are a few key steps you can take to minimize the potential for an outsider with malicious intent to gain access to your facilities and, ultimately, your corporate network:

1.  Limit ingress and egress points for employees. With a single entry point, the attack surface is smaller and easier to staff with security.
2.  Require badge readers at every single door, even those with a security guard. Since security personnel are only human, there is always the chance for someone to slip by unnoticed.
3.  Restrict designated smoking areas to places that have security guards and/or turnstiles for re-entry. This reduces the possibility that someone could just waltz in behind one of your employees.
4.  Make your employees feel empowered. Encourage them to ask for ID and other details about the person. If the ID looks legitimate, but the employee still feels something isn’t right, encourage them to call it to security’s attention. It’s better to be safe than sorry.
5.  Ensure your technology controls work hand-in-hand with your staff. It’s not just about a criminal gaining access to your building; it’s about what they can do once they have access. A conference-room jack like the one in the engagement above should not hand a network connection to any device that plugs in, and badge-reader logs should be reviewed so that a cloned, borrowed or found badge shows up as an anomaly rather than a routine entry.
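As an added example of the kind of technology control meant in step 5 (this is illustrative code written for this page, not the author’s or any vendor’s tooling): the script below runs two classic checks over badge-reader logs. Anti-passback flags a badge that enters a site a second time without ever badging out, which is what a lost badge (or an employee who slipped out through the smokers’ door without a reader) looks like. Impossible travel flags a badge that appears at two sites faster than anyone could drive between them, a strong sign of a duplicated badge. The log format, reader and site names, and the 45-minute travel threshold are assumptions, and the log lines are constructed for the example.

```python
"""Spot cloned, lost or borrowed badges in badge-reader logs.

Illustrative example added to this article, not the author's code.
Log format, reader/site names and travel times are assumptions;
the sample log lines below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, badge ID, reader ID, site, direction.
SAMPLE_LOG = """\
2024-03-04T08:01:10,B1001,HQ-LOBBY-1,HQ,IN
2024-03-04T08:03:42,B1002,HQ-LOBBY-1,HQ,IN
2024-03-04T08:15:05,B1001,HQ-SMOKE-DOOR,HQ,IN
2024-03-04T08:20:00,B1003,WH-GATE-2,WAREHOUSE,IN
2024-03-04T08:25:30,B1003,HQ-LOBBY-1,HQ,IN
2024-03-04T12:02:11,B1002,HQ-LOBBY-1,HQ,OUT
2024-03-04T12:40:00,B1002,HQ-LOBBY-1,HQ,IN
"""

# Minimum plausible travel time between two sites (assumed for the example).
MIN_TRAVEL = {frozenset({"HQ", "WAREHOUSE"}): timedelta(minutes=45)}


def parse_log(text):
    """Parse CSV badge events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, site, direction = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "reader": reader,
            "site": site,
            "dir": direction,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events):
    """Return a list of (badge, kind, detail) findings.

    anti_passback: an IN event for a badge already inside that site with no
        OUT in between (badge left via an unmonitored door, or a second copy).
    impossible_travel: the badge presents at two sites faster than MIN_TRAVEL
        allows (strong sign of a duplicated badge).
    """
    findings = []
    inside = {}      # (badge, site) -> True while the badge is inside
    last_seen = {}   # badge -> (timestamp, site) of its most recent event
    for e in events:
        key = (e["badge"], e["site"])
        if e["dir"] == "IN":
            if inside.get(key):
                findings.append((e["badge"], "anti_passback",
                                 f"second IN at {e['reader']} at "
                                 f"{e['ts'].isoformat()} without OUT"))
            inside[key] = True
        elif e["dir"] == "OUT":
            inside[key] = False

        prev = last_seen.get(e["badge"])
        if prev is not None and prev[1] != e["site"]:
            limit = MIN_TRAVEL.get(frozenset({prev[1], e["site"]}))
            if limit is not None and e["ts"] - prev[0] < limit:
                findings.append((e["badge"], "impossible_travel",
                                 f"{prev[1]} -> {e['site']} in {e['ts'] - prev[0]}"))
        last_seen[e["badge"]] = (e["ts"], e["site"])
    return findings


if __name__ == "__main__":
    for badge, kind, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{badge}: {kind}: {detail}")
```

On the sample log, B1001 trips anti-passback (it badged in at the lobby, never badged out, then badged in again at the smokers’ door) and B1003 trips impossible travel (warehouse gate, then HQ lobby five and a half minutes later). Note that anti-passback only works when every exit has a reader (step 2 above); a door that lets people out without badging turns honest employees into false positives, so tune the rule to your door inventory before alerting on it.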