Guide to physical security controls, planning, policies and measures

Physical security planning can feel like a daunting task, and it can be difficult to know where to start. Now, many companies focus their efforts on cybersecurity – after all, modern businesses rely heavily on their data and IT infrastructure for day-to-day activities.

However, physical security plans should be equally high on the agenda. Striking a balance between online and physical security measures helps protect your business from all angles, safeguards your reputation and ensures your employees feel safe in the workplace.

This physical security guide will explain the fundamentals of security, including the most common physical security threats and measures to prevent them. You can also find helpful information on how to make this information work for your company, as well as some tips to get you started on your own physical security plan.

What is physical security?

Before getting into specifics, let’s start with a physical security definition. Simply put, physical security is the protection of your people, property and assets. This includes the physical protection of equipment and tech, including data storage, servers and employee computers.

Physical security is often jokingly referred to as just being ​“guards and gates”, but modern physical security systems consist of multiple elements and measures, for example:

• Site layout and security configuration: where are your weak points? What needs the most protection?
• Visibility of critical areas: including lighting and video cameras
• Access control: from simple locks through to keypads and biometric access
• Perimeter protection: the ​“guards and gates” aspect of physical security
• Intrusion detection: including motion sensors, cameras and tripwire alarms
• Infrastructure protection: including power, fire, network connectivity and water
• Staff training and incident response: do your employees know how to handle an incident, and do you have an emergency response process in place?

As you can see, the physical security examples above are extremely varied, touching on every aspect of a site and its functions. Some physical security plans are determined by environmental factors, such as your site layout, whilst some are behavioral, like staff training. So, to revisit the physical security definition above, successful protection of people, property and assets involves a range of physical security measures.

Common physical security threats, vulnerabilities and risks

Each business’ individual physical security risks will be different, but there are some common types of physical security threats to be aware of.

• Unauthorized entry: this includes tailgating, social engineering, or access via stolen passes or codes. The earliest physical security breaches are, logically, at the first point of entry to your site. If unwanted visitors manage to gain access, then it is only a matter of time before other physical security threats can occur.
• Theft and burglary: businesses own many valuable assets, from equipment, to documents and employee IDs. Some businesses are extremely exposed to physical security risks like theft because of what they store on their premises – for example, jewelry or tech stores. Other businesses store extremely valuable information, like a wealth management firm. Both businesses are prime targets for thieves, even though their assets are very different.
• Vandalism: some businesses are at risk of their property being destroyed or tampered with. This can be linked to a company’s location — for example, if your business is next door to a bar or nightclub, alcohol-related vandalism could be a frequent problem. Vandalism can also be ideologically motivated: for example, when activists cause physical damage to a business’ premises, such as smashing windows or throwing paint.

These are a few high-level types of physical security threats. As you conduct a risk assessment of your own business, you will discover physical security risks specific to your industry and location.

Physical security measures and methods

There are all kinds of physical security measures, but the main types of physical security fall into four broad categories: Deter, Detect, Delay and Respond.

As the diagram shows, the different physical security methods work together in stages. These levels of physical security begin with Deter at the outermost level, working inwards until finally, if all other levels are breached, a Response is needed.

Levels of physical security

Deter – Deterrence physical security measures are focused on keeping intruders out of the secured area. Common methods include tall perimeter fences, barbed wire, clear signs stating that the site has active security, commercial video cameras and access controls. All of these are designed to give a clear message to criminals that trespassing is not only difficult, it is also highly likely that they will be caught.

Detect – Detection works to catch any intruders if they manage to get past the deterrence measures mentioned above. Some criminals might slip in behind an employee — known as tailgating — or they might find a way of scaling barriers. In these cases, a physical security measure that can detect their presence quickly is crucial. These include many types of physical security system that you are probably familiar with. Physical security controls examples include CCTV cameras, motion sensors, intruder alarms and smart alerting technology like AI analytics. If an intruder is spotted quickly, it makes it much easier for security staff to delay them getting any further, and to contact law enforcement if needed.

Delay – You will notice that several physical security systems have multiple roles: they can deter as well as detect. Many of the physical security measures above also effectively delay intruders. Access control systems require credentials to open a locked door, slowing an intruder down and making it easier to apprehend them.

Respond – Having the technology and processes to respond to intruders and take action is crucial for physical security, yet often overlooked. Response physical security measures include communication systems, security guards, designated first responders and processes for locking down a site and alerting law enforcement.

Physical security controls come in a variety of forms — from perimeter fences, to guards and security camera system recorders. Many physical security components have more than one function, and when several methods are combined, they are very effective at preventing or intercepting intruders and criminal activity.

Physical security control technology

Within the four main types of physical security control categories is an enormous range of physical security tools and cutting-edge technology.

Physical security technologies have evolved in leaps and bounds in recent years, offering advanced protection at accessible price points. Physical security devices now use cloud technology and artificial intelligence for even smarter processing in real time.

Automated physical security components can perform a number of different functions in your overall physical security system. For physical controls, you might want to verify entry and exits with access control technology. You can carry out proactive intrusion detection with video security and access controls that work together as a unified system.

One of the great things about physical security technology is that it is scalable, so you can implement it flexibly. If you are testing physical security technology out, you might start with a small number of cameras, locks, sensors or keypads, and see how they perform. However, for a more robust plan required for properties like municipalities, extensive government cameras, access control and security technology are most likely necessary and should be planned accordingly. When connected to the cloud or a secure network, physical security technology can also collect useful data for audit trails and analysis. It is also useful for demonstrating the merits of your physical security plan to stakeholders.

When scoping out your physical security investment plan, consider how different types of physical security tools will work together. Choosing physical security devices that seamlessly integrate together will make things much easier, especially in the soak testing phase. Many physical security companies now observe universal standards like ONVIF, which enables devices from different manufacturers to integrate much more smoothly than in the past. Other specific standards such as FIPS certified technology should also be taken into account when reviewing your investment plan.

Video security

Video surveillance technology is a core element of many physical security plans today. CCTV has moved on significantly from the days of recording analog signal to tape. So too has internet connectivity – thanks to fast network connections and the cloud, transmitting high-quality video is faster than ever before.

Video security is primarily a Detect form of physical security control. Using a live connection and smart cameras, it is possible to spot suspicious activity in real time. They can also be used to Deter intruders, since the sight of cameras around a premises can discourage criminals from attempting to break in.

There are many different types of security cameras to suit all kinds of requirements and environments, such as city surveillance cameras used for poor lighting conditions. Or, for targeting specific small spaces in a business setting, varifocal lens cameras are best for such environment. Analog cameras are still a cost-effective option for many physical security plans, and whilst the technology is older, in some cases they have advantages over their more current counterparts. HD analog security cameras are a popular choice that offers the best of both worlds: cheaper hardware with high-quality footage.

Internet protocol (IP) cameras use the latest technology to transmit high-quality video over an internet connection via ethernet security camera cables. These cameras have many smart features, such as motion detection and anti-tampering. This means that you not only receive data about what is going on around your site, you also have information about the cameras themselves. IP cameras come in many different models, depending on the footage you need to record.

As the name suggests, fixed IP cameras have a fixed viewpoint. This might sound limiting, but most cameras only need to focus on one key area at a time. Fixed IP cameras are a great choice for indoor and outdoor use, and there are models for both. These cameras can handle a range of lighting conditions. Available in both bullet cameras or dome camera formats, these cameras can handle wall-to-wall and floor-to-ceiling coverage. This also makes them suitable security choices as elevator cameras. Some models are specifically designed to be vandal-resistant, if this is a physical security risk.

If 360-degree views are what you need, then pan-tilt-zoom (PTZ) security cameras are the perfect choice. These give you ultimate control over what you can see in a certain area. They are made to be versatile in a range of lighting conditions, with long-distance views. Look for low latency cameras, which deliver footage with minimal delays.

If you want 360-degree views around the clock, panoramic IP cameras are a great option. They constantly record from all angles. If there are areas where you need maximum visibility, these could be a great choice for your physical security plan.

Some environments are more challenging and require a specialized solution. For industries such as oil and gas plants, there are ruggedized cameras which can resist blasts and extreme temperatures. Ruggedized cameras are also useful in extreme outdoor conditions, for example at busy ports where water and humidity can affect equipment.

Access control

Access control technology is another cornerstone of physical security systems. Like video security, access control systems give you an overview of who is entering and exiting your premises. It also gives you physical controls to keep certain people out and authorize people to enter. Access control systems can help Detect and Delay intruders from entering. They can also Deter intruders by making it too difficult to attempt entry. As with security cameras, there are many different types of access control devices.

Keyless access control relies on modern methods of authentication to authorize entry. One example of this is mobile access control. Now, employees can use their smartphones to verify themselves. As well as being easy to use, keyless access control removes the risk of lost or duplicated keys and keycards.

Many access control units now also include two-way video. This provides an added layer of verification, so that authorized individuals can check who is attempting to enter. All these types of physical security devices have the added benefit of using smart technology that connects to either the cloud, or to a web interface. This allows you to monitor and control your entry points, and also provides you with valuable data.

Analytics and artificial intelligence

Physical security technologies can log large quantities of data around the clock. Now, this information can be enhanced with smart analytics. Analytics powered by artificial intelligence (AI) can process all this data and provide helpful digests for your security team, saving them valuable time and helping them to make faster, better informed decisions. Many types of physical security technology now have AI analytics included as part of their core functionality; however there are many options available on the market for a more tailored setup.

Analytics platforms and capabilities are extremely varied and there are now solutions for many different physical security tools. For example, smart video analytics can identify relevant activity such as people and vehicles, whilst also filtering out false alerts that can waste employees’ time. Analytics can also compile summaries of incidents and generate reports of the data you want to investigate, whether this is the number of alerts over a time period, or the performance of your physical security device.

This digested data is highly valuable for business operations and compliance. Many companies have physical security policies which require comprehensive reporting and audit trails. Analytics can help provide this information in an accessible format, as well as making the overall compliance process easier and more efficient for security staff. Activity and performance data offer valuable insights for operations; by looking at how your physical security plan is working over time, you are much better informed on how to improve it.

Methods to identify physical security threats

The best way to uncover any potential weak spots is to conduct a thorough risk assessment. Stress testing physical security rigorously will reveal where your main challenges are. This in turn directs you on priority areas for your physical security investment plan. You can conduct this risk assessment yourself, or you can consult a specialist physical security company to do it for you.

Physical security failures are not always the direct result of a poor physical security system. Sometimes, even with many of the right physical security measures, problems can arise because of weaknesses or challenges in other business areas. Some of these challenges are not immediately obvious, but will require stress testing or investigations to reveal them.

Examples of physical security challenges

Budget shortages prevent many businesses from making an appropriate physical security investment. However, failing to budget for an adequate physical security system can lead to physical security failures over time. Some physical security measures can strain a budget more than others; for example, hiring security guards can be costly, especially if many are needed to guard a site for long periods of time. In addition, more advanced physical security hardware, such as top-of-the-line video cameras and access systems, will inevitably be more expensive. However, not having those measures in place can expose a business to a range of physical security threats, which can be just as costly.

Staff shortages can also put pressure on physical security systems. Even with the most advanced physical security technology in place, businesses still need personnel to oversee larger systems and make decisions about how and when to take action. In the wake of the coronavirus pandemic, many businesses suffered from recruitment shortages. Not having enough people to implement your physical security plan can put a strain on morale and cause operational issues. Even if you can recruit new staff members, if they are not sufficiently trained in the physical security technology you use, or your company’s physical security policies, then this can also create bottlenecks that leave you exposed to risk.

Physical security technology enhances business security, but if it is not properly integrated into a larger physical security system, it can bring problems rather than benefits. A key factor to bear in mind is how your physical security devices interface, and how they feed information back into your physical security system. If your devices are not compatible, or they are not properly integrated, critical information might be missed. One way to minimize the likelihood of this happening is to use devices that comply with ONVIF camera physical security standards. ONVIF is a set of standards specifically designed to enable many different types of physical security technology to interface seamlessly, regardless of manufacturer. For more advice on how to integrate technology into your physical security system, go to the section in this guide on physical security planning.

When securing a wide business network, physical security management can be a logistical challenge. Having a number of connected sites to secure involves keeping track of many moving parts all at once. If you are struggling with any of the challenges above, managing multiple sites will only compound these issues. No two sites are exactly the same, so as well as implementing a company-wide physical security policy, your plan must also be flexible enough to accommodate each site’s individual physical security threats and vulnerabilities.

Physical security planning

Drawing up physical security plans requires input from around your business. Physical security measures do not take place in a vacuum — they affect every aspect of your day-to-day operations. You will see that many physical security examples in the guide below also feed into your company’s finances, regulatory status and operations. A good practice for physical security planning is well researched, holistic and encompasses all your departments and functions. In the following 5‑step guide, you will learn how to apply physical security best practices at every stage of your physical security plan, from risk assessment to implementation.

1. Conducting a risk assessment

You cannot approve any physical security investment without first knowing which physical security measures are needed. This is why a thorough risk assessment is an invaluable asset — once you have it, you can return to it, add to it and use it to adapt your physical security systems over time.

It might be overwhelming trying to work out where to begin. If you do not have the know-how or bandwidth to do this yourself, there are many physical security companies who specialize in risk assessments and penetration testing. You can also take on a physical security company to consult on the process, guiding you on how to carry it out effectively.

Begin by considering your most common physical security threats and vulnerabilities. Using the Deter-Detect-Delay-Respond categories above, think about which physical security breaches might happen in your business at each stage. The most obvious starting point is identifying any unprotected points of entry, as well as any areas of interest or high value.

Next, see if your company has records of any previous physical security breaches. Your insurance will have records of past claims, and prior physical security management might have kept a log of past incidents. This is also the point at which you should liaise with stakeholders and different departments; the risk assessment stage is when expectations are set, and when teams’ cooperation is required for the overall success of your project. Do not overlook any department: from senior management to physical security in IT, every team will have something to contribute.

Really investigate your site. Leave no stone unturned, and consider that not all physical security measures require cameras, locks or guards. For example, poorly-lit areas might need cameras, but simply improving the lighting conditions will make an enormous difference to how attractive that area would be to criminals. Also look at high-traffic and low-traffic areas; both are prone to intrusion, since criminals can slip by unnoticed in a crowd, or when nobody is around. These are areas where detecting and delaying intruders will be the most important.

Finally, armed with this information, you can start to map out where to position physical security components and redundancy networks. A redundancy network is crucial as any physical security control is at risk of not working. In these cases, a backup network will protect you from any physical security threats.

2. Review your operations and resources

All the information you have gained from your risk assessment will help you to ascertain the physical security controls you can purchase and implement. The scale of your project will depend on the resources that are already available. For example, if you plan to install extra IP cameras over analog cameras and smart access controls, you will first need to check if you have sufficient internet bandwidth to handle streaming all this information. You will also need to check you have enough server space to store all the data these physical security devices will generate.

There is then the question of whether you choose to monitor your security in-house, or whether you plan to outsource it to a physical security company. One basic consideration is space — do you have enough space on-site for a security operations center (SOC)? You will also need to consider whether your existing team can handle additional information streams from more devices, or whether you would need to recruit more staff. Outsourcing this function can relieve some of the operational pressure, but depending on your industry, you must check whether physical security policies and compliance require you to keep data confidential.

This is the stage to brainstorm what physical security tools you want, what you need immediately, and what your physical security plans are for the mid to long term. With a thorough plan in place, it will be much easier for you to work with stakeholders on financial approval.

3. Commercial and operational approval

At this point, you will submit your plan for business approval. The key objective during this phase is to agree on a financially viable plan that does not compromise on physical security and leave you open to risk.

As stakeholders and other interested parties scrutinize your plan and suggest changes, ensure you draw up a new risk matrix for each iteration. This way you can refer back to previous versions to check that no physical security threats go under the radar. Documenting every stage in writing will make sure that you and your stakeholders are on the same page, so that further down the line there is accountability for how your physical security systems perform.

Be prepared for a situation where you will have to compromise. In these circumstances, review the areas where you cannot devote as many resources as you would like and see if there is a workaround. For example, a seemingly vulnerable dark area might not require specialist thermal cameras if the lighting conditions are improved. Or, perhaps instead of hiring a large team of operators to field alarms, you could see if your current team can handle the extra workload with the help of smart analytics.

4. Implementing physical security policies and setup

With stakeholder backing, your physical security plan is finally ready for implementation. This is the stage where processes are mapped out in greater detail, along with protocols and internal physical security policies.

At this point, you will want to finalize the Respond aspects of your physical security system. Establish points of contact for incident response, such as who is responsible for threat verification and when to call law enforcement. This is also when to confirm finer details such as how to manage out-of-hours monitoring, and when to arm and disarm your site.

This is also when to confirm KPIs and to approve all stakeholder expectations in writing. Once your physical security measures are up and running, meet with stakeholders to explain how you will meet their expectations, and how the ​“settling in” process will work. In the first few months, set up check-in calls with stakeholders to keep them apprised of how physical security threats are being managed, and how your plan is working.

5. Physical security best practices

As your physical security system beds in and grows over time, there are some physical security best practices it is wise to maintain. The cornerstone of your evolving plan should be accountability: who is responsible for every aspect of your company’s physical security. To this end, create a physical security guide or playbook, which everyone can refer to, and which can adapt along with your site.

Your playbook should detail physical security examples such as:

• A list of all the components you use (e.g. cameras, keypads and passcodes)
• A corresponding list of all your device configurations
• Agreed objectives and how to implement them
• Redundancy network protocols and configurations
• Physical security policies for regular testing and maintenance
• Any local, national or international physical security standards or regulations you follow, along with dates for renewal

Having a guide like this not only keeps all parties on the same page, it is also a great resource for any new hires. By keeping all your core information together, you will not leave yourself open to any physical security risks, nor to compliance issues.

Final thoughts on physical security

Physical security is fundamental to your business’ success. With the right physical security measures in place, it need not be expensive or difficult to maintain. The best way to guarantee a safe and secure workplace is to carefully observe exactly what your company needs, and then to find the right physical security tools, technology and methods for the job.