Each week, more businesses are re-opening their offices to employees. With staff re-entering the workplace, there is a long list of things to consider, like making sure there is room for social distancing, hand cleaning stations, and sanitizing common areas. While you are thinking about how to keep staff safe, we recommend a thorough review of the physical security of your building.

Even before the pandemic, physical security vulnerabilities have challenged companies for years. However, as we begin to return to the office, some security experts predict an increase in physical security breaches. Why? Sparsely staffed offices are ideal for attackers to gain access, and moving from remote work to in-person with unfamiliar staff that may be wearing masks could provide an opportunity for a breach. 

Whether your organization is a small shop with ten employees or a multi-million-dollar corporation, if you have data and hardware worth stealing, it is worth protecting. Incorrectly implemented physical security controls or lax training of employees can quite literally open the door to security threats. Any unauthorized person on your premises could perform corporate espionage against confidential data and trade secrets, steal or tamper with expensive hardware, or even sabotage critical manufacturing processes.    

The physical security of your company’s properties consists of three key ingredients:  

1) properly designed physical security controls. 

2) properly implemented security controls.  

3) vigilant employees who are security-conscious.  

These 6 tips will help your company have good physical security hygiene and stay safe from attackers.  

  1.  Implement Security Policies and Training  

Implementing quality security policies will go a long way towards improving security at your office. Begin by providing your employees with regular training on your security policies. If you’re not sure where to start, here are a few suggestions that should be in every security policy:  

  • Each employee must individually badge in every time they enter the building or any secure area, even if a door has been held open for the employee.   
  • Badges must be worn at all times while on company property.  
  • Never prop a door open.  
  • Upon arrival, all guests must report to the front desk, sign in with their government photo ID; receive a guest pass, be escorted at all times while on the premises, and return their badge and sign out upon departure.  
  • Employees should call security or challenge any person without a visible badge and any guest without an escort.  
  • Assign a designated employee or team to review and respond to incident reports resulting from employee submissions or access control system logs and alerts. 
  1. Use the Correct Hardware   

Hardware is often top of mind when considering physical security. If you haven’t already, graduating from locks and keys to a quality badge access control system is an important first step that will allow your business to scale cost-effectively. Imagine if you had to re-key the locks every time you terminated an employee!   

Exterior and high-security area doors need to close automatically and latch securely. Ensure you outfit these areas with quality lighting, security cameras, and badge readers with access logs. It is also important to ask questions like, “Will all the doors unlock if someone pulls the fire alarm?” and “Do my cameras and access control system have battery backups?”   

Most exterior and many interior doors use some combination of electromagnets, electric strike plates, and/or a crash bar to allow occupants to egress easily. Typically, all three of these options will fail-safe, meaning if power is lost or in the event of a fire, the door will unlock, and the occupants will not be trapped. It’s best to avoid hardware like double-cylinder deadbolts, padlocks, or electrically actuated locks without a mechanical override for any normally inhabited area.    

Finally, properly placed motion detectors, fencing, lights, and cameras can act as an excellent deterrent and play a crucial role in incident investigation if something does happen. 

  1. Properly Configure Access Control System   

The programming and setup of your access control system play an essential role. 

  • Do you have rules in place to log badge swipes?   
  • Do all employees have 24-hour access to the building?   
    • Do all employees need 24-hour access to the building? Most employees aren’t going to visit the office at 2 a.m. on the weekend and therefore don’t need access to the building around the clock.   
  • Will security be alerted if a door is left open for an extended period? For example, if someone props it open? 

TIP: Set up rules to send alerts when there are a significant number of rejected badge swipe events, and to detect brute force events.   

  • Are your badges encrypted?  
    • If not, an attacker with a badge cloner (such as a “boscloner”) could easily steal an employee badge to your building and gain access through the front door.  

Finally, an often-overlooked configuration item is the sound (or “beep”) a badge reader makes when swiping a card. Some badge readers are programmed right out of the box to beep the same tone regardless of if a badge is valid or not!  

TIP: Any rejection of a badge should make an audibly distinct “beep”, by using two different pitches (i.e. a high then low sound) or a long single tone.  

  1. Close the (door latch) Gaps  

Too often, when inspecting access control hardware, we discover that the contractors did not properly install the hardware to manufacturer specifications or used incompatible parts. Even when installation is flawless, buildings and doorways can settle over time and introduce small gaps that could present a significant opportunity for an attacker. Because of this, correct hardware installation is critical.  

Common issues we encounter are incorrectly sized door latches and strike plates. In addition, gaps under doors and incorrectly placed and/or configured exit sensors can allow attackers access to your office. If your office has a drop ceiling, it’s even a possibility that an attacker could access your high-security areas by removing ceiling tiles and scaling the wall. This issue is more prominent in shared multi-tenant office spaces.   

  1. Cultivate a Security-Conscious Culture  

As the saying goes, “a lock does no more than keep an honest person, honest.” Fancy badge readers and gadgets are only part of the equation when it comes to keeping your office safe. Your greatest assets are your trusted employees. When you cultivate a security-conscious culture, you promote a vigilant team. There is a misconception that proper security requires everyone to be consistently suspicious of each other, which doesn’t promote a hospitable work environment. However, being security-conscious doesn’t mean you have to promote an unfriendly workplace.    

A common policy at some companies is to prohibit employees from “tailgating,” or holding the door open for others. In theory, this is a great policy. Except many employees ignore the policy if they know the person they enter the office with. Consider this alternative: Instruct employees to only hold the door for someone they directly work with, AND require them to instruct each person entering the office to badge in while the door is held. If they look for that swipe and beep, employees will be much more conscious of who they hold the door for.   

Many companies had high turnover during the pandemic, and it is now commonplace to wear a mask at the office. The combination of new employees and masks makes it much easier for an attacker to slip by unnoticed. Educate your employees on this post-COVID security shift and encourage them to remain aware of unfamiliar faces, especially if they are not wearing a badge.   

Another excellent way to encourage a security-conscious culture is to give out prizes to employees that follow the policies. Consider conducting a drill where you send a security team member around the office without a badge, and have them give out a gift card to the first employee that challenges them.   

  1. Perform Regular Audits   

Performing routine audits of your security system is essential in preventing breaches, non-compliance, and other vulnerabilities. You should regularly test and inspect your access control systems and conduct physical red-team exercises to ensure your training and hardware is effective at keeping your facilities safe.  

Keeping Your Organization Safe   

Physical security is an important part of company culture and ensures your people and assets are safe. That is why CREO offers organizations physical red-team penetration testing and building security analysis which helps to reveal security vulnerabilities. Our physical red-team pentest is an on-site engagement where CREO will covertly attempt to gain access to a building through social engineering employees or physical non-destructive means. This simulates an adversarial attack in a safe manner and allows a company to see the strengths and weaknesses of their policies and their employee’s training.   

CREO also offers physical access control analysis and testing. A CREO employee will be escorted around the premises and analyze and test each access control feature to get a complete picture of the overall building security and risks. If your organization needs physical security solutions or wants to hear more about how you can achieve a secure work environment, contact us today! We would love to discuss physical security and the services we offer to assist our clients.    

Josh Pedroza is a skilled penetration tester and physical, social engineering tester with over four years of pentesting experience and more than seven years in cybersecurity and compliance. He is passionate about identifying areas of improvement in systems, physical infrastructure, and employee training to help boost company security.