October 25, 2019
October is National Cybersecurity Awareness month. While the occasion gives security teams an opportunity to engage with non-security employees in their organization and remind them about the importance of security awareness, far too many will overlook a critical component of security culture: physical security.
Physical security measures are critical to protecting important data, confidential information, networks, software, equipment, facilities, company’s assets, and personnel. Protecting sensitive data within corporate walls often starts simply at the front door. With the wrong people inside a facility, any number of breaches can occur. You can deploy all of the firewalls you want, but if an attacker is allowed to walk into your office, all bets are off.
Security awareness programs often focus on educating end users how to recognize phishing emails and other methods of cyberattack. But William Sako, vice president of security risk consulting at Telgian, a global fire, life safety and security firm, notes there is much more to building a culture of security in an organization.
We spoke to Sako for his input on building a culture of security with physical risk in mind.
ISCNews: What kinds of issues should security leaders educate employees about when it comes to physical security risks at work?
William Sako: Security leaders need to educate the employees of an organization about the potential risks and threats they might encounter at the workplace and what they should do in various situations to keep themselves “out of harm’s way.” The employees need to be educated on what they should do in various emergency events, such as active shooter, fire alarm, security incident, building lockdown, severe weather, hazardous material spill, power disruption or outage, natural disaster or civil unrest.
The employees must be educated to understand what primary actions they should take for each emergency event until they are given special additional instructions by management. Those actions may include evacuation, shelter-in-place, run-hide-fight and so on. The employee must not only understand what they should do when an emergency incident occurs, but also what they should do afterward, how they will be given additional instructions, muster locations and so on.
ISCN: What are some best practices for developing a “security culture” that aims to get users to understand both physical and cyber security?
WS: Provide a balanced security program. A balance of good physical protective design and zones of protection, state-of-the-art security systems and equipment, and a high quality security force armed with good policy, procedures and training.
Communicate frequently and educate the organization’s people via newsletters, webinars and email messages to inform them about security vulnerabilities, responses and the principle that every employee has a role in security. Ultimately, they are responsible for maintaining a safe workplace and safeguarding company assets and the people around them.
Recognize that security is “dynamic” as opposed to static and the risk environment is constantly changing. As a result, security must be designed to be very flexible so that it can be ratcheted up or down in direct response to day-to-day threats and risks. Security is based on behavioral sciences as opposed to other safety disciplines, such as fire, which are based on physical sciences.
ISCN: What should security leaders keep in mind when designing policies around physical security?
WS: First, it is important that security leaders understand the differences between a security policy and a security procedure. Quite often we find that security policies that are written are actually security procedures. A security policy is a statement of intent while a security procedure or protocol is the actions needed to implement the policy. Both the security policies and procedures should be clearly and concisely written so that their application and meaning are understood.
As an example, a security policy for a large health care institution might be to use standardized Emergency Codes to create a uniform approach to the coordination of emergency events at all of the institution’s facilities. So the policy may read “The institution’s standardized emergency code policy is applicable to all facilities owned and/or operated by the institution” and then it could go on to state that “the emergency codes shall be defined to coordinate response strategies and shall be integrated into emergency response procedures and Functional Annexes to coordinate response efforts at a localized level with the ability for expansion to other institution facilities, as needed.” It could then go on to describe the purpose and use of each standardized emergency code.
The procedures would then describe how to accomplish and fulfill the institution’s standardized Emergency Code policy at each individual facility. An example of a procedure might be “each facility shall develop site-specific functional annexes that outline severe weather procedures. These functional annexes shall be designed specifically for each of the institution’s facilities based on the site’s layout and organizational structure.” Another procedure could provide an outline “of the elements and actions needed to create a site-specific functional annex that outlines severe weather procedures.”
Security policies and their supporting procedures are essentially a “work in progress” because they will require review and modification on an annual basis to keep pace with changing threats and risks. It is important that security leaders maintain an audit trail to understand the original intent of each policy and procedure. ISO 9000 is an excellent process and methodology of maintaining security policies and procedures as “living documents.”