Conducting a physical security risk assessment for buildings and offices

What is a physical security audit?

A security audit is a way for business leaders and managers to test the efficacy of their current cyber and physical security systems. When creating an office security checklist, all relevant parties should be aware of new and existing physical security methods and emerging industry-specific cybersecurity trends to highlight potential flaws and help to improve wider security protocols. 

Examples of common business security vulnerabilities include: 

• Weak or stolen access credentials 

• Poor data storage and management 

• Unpatched software

• Misconfigured firewalls / operating systems 

• Phishing/​malware/​ransomware attacks

Increasingly, the connectivity of physical and cyber security features through advanced hardware and cloud-based software has led to many businesses redeveloping wider security networks, with recent data suggesting that over 90% of organizations utilize some form of cloud-based security.

While the benefits of integrated systems are worth exploring for most modern businesses, security teams must implement legacy and advanced security features so hackers cannot gain access. This is where a thorough security audit will assist, followed by a comprehensive cyber and physical security checklist for businesses to use as a guide. 

The importance of physical security audits for buildings

A physical security audit is essential to understanding the current efficacy of an office or building’s physical security setup. Thorough physical security audits, also known as physical security assessments, highlight areas that effectively mitigate risks or weaknesses that require further attention.

A robust physical security system often contains commercial security cameras, door locks and even manned guards. Still, if one of these elements is not working effectively, it could open the office or building to a physical security breach. 

Whether a small space or an entire facility, businesses should be proactive in ensuring their security solutions are up to scratch with a physical site security audit and checklist, also known as a physical security assessment checklist.

By foregoing a physical security audit, organizations leave themselves open to bad actors to exploit vulnerabilities. Therefore, businesses must undertake a detailed physical security auditing process coupled with a security survey checklist. 

A physical security audit will also help establish the current risk level the office or building faces. Additionally, physical security assessments help identify potential strategies to decrease the existing physical security risk. 

What is involved with a physical security audit?

Internal vulnerability and penetration testing 

Internal vulnerability and penetration testing is a large part of adequate physical security auditing. This is where a relevant employee or an external business acts as a malicious threat or intruder to deduce how easy it is to penetrate certain security systems. Alternatively, an internal computerized system can carry out this test to ensure that the resulting data is impartial and unaffected by human error. 

A successful physical security audit checklist can verify whether existing security strategies are appropriate and compliant with current industry standards and federal regulations. This procedure can also act as a way for internal security teams to address any failures or security vulnerabilities uncovered during testing.

Territorial reinforcement as part of a physical security assessment

When considering how best to implement a site-wide cyber and physical security audit checklist, the primary concern for most businesses will be creating a dedicated internal physical security auditing process. This is where an in-house physical security auditor produces a physical security risk assessment checklist. 

Business leaders should utilize territorial reinforcement during the physical security risk assessment checklist. This process involves a physical security auditor surveying perimeter building infrastructure to ensure the site is marked as private property. Appropriate territorial reinforcement includes fencing, walkways, hedges and signage, but will cover any infrastructure within the site’s boundaries. To further reinforce the perimeter of your site, consider installing commercial security cameras with smart analytics, which can send alerts when an unauthorized person or vehicle is spotted trying to gain entry. Products such as the Pelco Sarix Professional 4 range provide high-definition, advanced imaging alongside AI-enabled analytics for intelligent detection. 

External and internal physical security audits

Physical security audits can be conducted internally or externally, each approach providing its pros and cons. A trained professional cyber or physical security auditor will perform an external audit with no conflicting ties to the company of interest. This approach allows for truly impartial findings and results. 

Conversely, an internal audit will be performed by a vetted employee of the company or through a computerized cyber and physical security risk assessment tool. This method is often preferred during audits that involve handling sensitive, valuable or confidential company and customer data. 

Generally speaking, internal audits are preferred in most cases, as business leaders can adjust certain standards and restraints as they see fit, though this approach is only sometimes entirely impartial. 

How to create an physical security audit checklist for buildings and workplaces

Developing an effective security audit checklist will require companies to understand the underlying functionality of their existing security systems; because of this, no two safety checklists will look alike. 

To begin creating an office building security checklist, administrators must break down their goals for the process into a manageable system. Here’s a general outline of the steps companies should follow to ensure their security audit can provide actionable solutions. 

Outlining security priorities 

To ensure that a cyber and physical security assessment checklist is optimized to help improve operations, every point must be outlined with the company’s primary goals in mind. For example, a financial company handling sensitive customer data will require the core of its security networks to be developed around cyber defenses. At the same time, a retail chain will likely focus more on physical security systems and a physical building security checklist. 

By making these choices before expanding the audit’s scope, the more intricate decisions, such as which varieties of hardware and software should be installed or updated, will be made more evident. 

Identifying key threats and vulnerabilities 

With a clear picture of the intended objectives of the audit, business leaders will be in a much more manageable position to begin identifying any key threats and vulnerabilities currently present, and by locating these possible weaknesses before the audit, the potential for oversights can be reduced. 

Common security threats include ransomware and malware attacks, of which 90% of all organizations were impacted during 2022, phishing attacks, malicious insiders and employee negligence, with these vulnerabilities having the potential to affect integrated cyber and physical security systems in unison. 

Evaluating current cyber and physical security checklists 

In many cases, business leaders will find improving existing security systems much more cost-effective and easier to implement alongside company policy than installing new hardware and drawing up novel security protocols. To do this, existing office building security features must be reasonably evaluated. 

Evaluating, in this case, means looking into the deeper mechanisms of each security feature and considering how optimized these functions are in terms of the wider security network. For example, an office may have an extensive CCTV network, but recorded footage may be difficult to locate in an outdated video management platform. Additionally, security cameras may offer cloud-based remote viewing functionality but lack appropriate encryption when communicating with off-site smart devices. 

By evaluating these processes and determining whether an existing office building safety checklist has covered them, security teams can focus newly designed office building security checklists around essential tasks to improve the auditing process’s efficiency and efficacy. 

Conducting an internal physical security risk assessment

Once the appropriate prep work has been completed, teams will be ready to begin carrying out the bulk of the work. The finer details of this process will depend heavily on the businesses in question, though a basic outline that applies to most modern organizations will consider the following essential processes. 

Policy and procedure overview

Review all security systems as part of the physical security audit and assessments. This applies to the access control system, manned guards, security cameras and other physical security solutions. This review will highlight any potential security gaps and the efficacy of these solutions, and a physical security audit specialist will be able to advise on any recommendations to enhance the security setup. 

Facility inspection

A site inspection will need to be ticked off the physical security assessment checklist. The auditor will need to inspect the construction of the building, the layout and lighting to understand if there are any aspects of the property that a lousy actor can exploit.

Testing the security systems

It’s all good to have various commercial security systems, but it only matters if they are working to mitigate security risks effectively. It is important to routinely evaluate and maintain these systems as part of the physical security checklist to ensure they serve their purpose effectively and help safeguard the facility.

Staff training

The final step in the physical security audit process is ensuring staff understand and detect any bad actors and their activities. By training the workforce, businesses ensure their workers can spot and alert potential threats to the security team so physical security is not negatively affected.

Conducting an internal cybersecurity audit

Creating a configuration scan 

This process involves using cybersecurity risk assessment software developed to check how every network and computerized system within the organization is configured, including the setup parameters and configurations currently in place. The program will automatically check for vulnerabilities hackers can exploit to steal data or access now-installed security hardware. 

Performing an internal vulnerability scan 

With the data collected from a configuration scan, a more focused internal vulnerability scan can be performed to help highlight the specific flaws present in each system and provide recommendations on how to fix them. Rather than looking at how the wider network of security features is configured, this process will be performed on each component individually. 

Compiling a phishing test 

Phishing and other related social engineering threats affect over 80% of businesses annually, with scammers targeting employees via well-disguised emails and internet links. Mandatory phishing awareness training and compulsory tests should be performed to protect companies from these cyber threats. 

Alongside implementing software filters to help reduce the number of scam emails received by employees, a thorough security audit will include simulated phishing attacks, which can be used to evaluate how susceptible employees are to social engineering to prevent future breaches.

Developing firewall logs 

A firewall is a hardware or software system to prevent unauthorized access to or from a private computer network. These systems are essential to any cyber security configuration as by installing firewalls, all data traveling through the network will be automatically vetted for potential threats. 

Creating a physical security safety checklist

A thorough office security checklist takes a 360-degree view of potential threats and vulnerabilities. The processes detailed above will provide businesses with a solid cybersecurity foundation, which can help promote physical security by ensuring that all staff are protected by on-site hardware. 

However, security teams should also have well-planned and tested physical security checklists in place to inform employees and visitors of potential workplace hazards and emergency plans. A building safety checklist will form part of a larger office security checklist, detailing any structural risks and health and safety issues to prevent. An office safety checklist covers employee and client safety but considers larger vulnerabilities such as fire, flooding and intrusion. 

The following factors should be considered to develop an effective physical security or office safety checklist. 

Office physical security checklist

• Ensure the building is in good working order – An important part of your physical security audit checklist is to inspect your building, which includes checking the building’s structure, layout and lighting to identify anything that can negatively impact the site’s physical security. Consider the following:

  • Are the doors and windows in good condition?

  • Is there sufficient lighting throughout the building?

  • Is the exterior of the property well maintained?

  • Are there any blind spots or weaknesses in or around the building that can be exploited?

• Locate hazardous areas – The specifics of this process will differ between industries. However, the main principles are to ensure that appropriate signage is in place around dangerous machinery/​workspaces/​equipment and that relevant PPE is provided and worn if needed. Considerations should also be made for adverse weather, such as ice, rain and strong winds. 

Policies and communications checklist

• Review office or building security policies – By reviewing the current security policies, businesses can better understand gaps within the written policy and if it can be built upon to deal with emerging threats. To help with this, ask yourself:

  • What is the scope of your security review for your organization, business unit or team?

  • Are there any existing security policies and protocols in place? If yes, are they up-to-date? 

  • Are there any conflicts between the different security policies?

• Understand industry rules and regulations – All industries have rules and regulations designed to protect staff and visitors. Business leaders must ensure that all staff are appropriately trained, aware of these rules, and informed of any changes.

• Create and update emergency plans – Draw up clear plans for employees to follow in an emergency (natural disasters, break-ins, fires, etc.) and ensure that emergency numbers are easily accessible. It also helps to have a clear chain of command in an emergency, so department managers and security staff should decide upon this.

• Implement a review period – While many aspects of a building safety checklist will remain unchanged over time, the process must be reviewed regularly to ensure that any changes within the office are accounted for. These office building security checklist reviews should occur at predetermined intervals, for example, every six ‑months or at least once yearly. 

Security systems checklist

• Compile a full security hardware and software audit – Considering hazards, industry regulations and emergency plans, now is the time to review the security hardware you currently have to mitigate these risks and comply with rules. Your access control technology, video security network, and any other security technology, on and offsite, should be considered in your physical security assessments and checklist. Ask yourself: 

  • Is your technology fit for purpose and is it still up-to-date? 

  • Have your requirements changed, and now you need different functionality from your hardware? 

  • Will your site change for safety reasons, meaning you must change your camera or access control layout? 

  • Do all the required individuals have the correct access permissions and how are they administered?

  • Are there any weaknesses in the access control or video security systems? Have any past events brought up a vulnerability within one of your systems? 

Speaking with a security expert about the technology and implementation available can help you gain a fuller understanding of the options available. 

Physical security audit considerations by industry 

A physical security audit can differ depending on the business’s industry. The methods and observations that an auditor or the internal team undertakes will vary as the needs and requirements of organizations in different markets will mean a different approach to physical security assessments.

Office and commercial spaces

In office and commercial sites, particular focus should be placed on the access control system and the video security solution. For example, the access control system will need to be tested to ensure that it works properly, granting access to those authorized to enter the building and denying access to those not permitted to enter the premises. As office and commercial spaces see a very high daily footfall, the system must be reliable so as not to disrupt the day’s normal business operations.

The video security operation will need to be assessed, too. Staff need to be trained to operate the system to help safeguard the office building or store. The security cameras must provide the situational awareness that the security team needs to detect and respond to security threats. Given that commercial spaces tend to expand, it’s also worth considering that the video security solution installed can scale up and integrate with wider systems and software. Pelco’s open platform solutions are ideal for small and large facilities planning for future growth in mind for their facility. 

Real estate

Similar to an office security audit, in a real estate physical security audit, the focus should be on securing the premises from those unauthorized to enter. An effective access control system will enable the organization to secure the facility and only grant entry to those authorized. A key consideration will be to ensure the allocation of access permissions is seamless, meaning temporary visitors, like guests, couriers or contractors, can easily access the building. 

Oil and gas

Auditors within the oil and gas industry will seek to ensure workers’ safety and that the equipment being used at these hazardous sites is being properly maintained. Outlining a thorough emergency and preparedness plan in the event of an emergency will be a key consideration during the physical security audit, as will be the video security setup. 

Security cameras at oil and gas sites are a key tool for security teams to monitor events on their sites and ensure the safety of the workforce. As a result, these security cameras need to be rugged, meet stringent explosion-proof requirements and reliably deliver footage day and night without fail. Pelco’s range of explosion-proof cameras is purpose-built to handle such challenges and be the most reliable pair of eyes when needed.

Airports

Airports require a comprehensive physical security audit, given the extensive interior and exterior spaces that require safeguarding. With this in mind, the video security solution that the airport has in place will need to undergo a rigorous examination to ensure it is still up to scratch and provide the airport security team with the awareness they need to safeguard the airport. Airports security cameras are rugged enough to handle outdoor conditions and reliable to ensure they provide clear footage of spaces in and around an airport, such as the Pelco Spectra Enhanced series. 

The emergency response plans must also be vetted to ensure the airport can safeguard travelers and employees during an emergency. Airports are famous for their chokepoints and narrow hallways, so the security team must understand where there may be a weakness in their emergency plans during an evacuation. For example, during an evacuation from the airport, travelers must be able to reach their nearest emergency exit easily and quickly without finding themselves stuck in a crowd navigating a narrow area of a terminal building. 

Get your physical security assessment in order

The key to developing a practical office building security checklist lies in implementing regular and consistent assessments of all critical security systems and ensuring that staff understand how each component communicates as part of the integrated network.

Security teams must present a clearly outlined auditing system that promotes accountability at all levels. By committing to this process and drawing up a defensive plan, office security systems can grow stronger with each update.