Physical security has many holes to be plugged

Cybersecurity makes all the headlines these days but there are plenty of predators looking to scam unsuspecting employees at the physical plant.

“I can get into any facility in less than five minutes with the right tools,” says Sean Ahrens, global practice leader at AON Global Risk Consulting. That’s sobering news for security professionals charged with protecting vital data centers and warehouses. Fortunately, sensitive facilities can improve by calling on the advice of AON and other specialized firms.

“There’s a movement away from unmanned data centers and similar critical facilities,” explains Ahrens. “Most security efforts focus on preventing digital attacks since those represent the majority of attacks. That means that physical security often becomes a failure point,” he added. The most common failures Ahrens sees happen are via operations and human mistakes.

“The Holy Grail of security assessment is to gain access to a facility by non-destructive means. In security consulting projects, we have often been successful in obtaining access. For example, we had one of our staff gain access to a secure facility through a loading dock and they were almost granted a security card,” Ahrens explains.

In several cases, AON security consultants have obtained copies of secure facility blueprints from municipal offices. That approach shows that a determined aggressor’s attack may be informed by detailed technical and architectural information.

“Our reports typically include photos of secure assets and video records demonstrating how access was gained. These records accompany our reports to aid companies in improving their security,” he added. Continuous improvement is required in order to maintain a secure facility against constantly evolving threats. Regular physical patrols are an important way to detect security flaws and events. Broken glass, damaged locks and other changes are warning signs that an intrusion is underway.

 “Ultimately, security professionals and our clients need to realize that it is impossible to prevent all attacks. Instead, we focus on delaying an attack and deterring an attack. The more time an attacker takes to carry out their attack, the more time we have to detect their presence, call law enforcement and deploy other measures,” Ahrens explains.

Physical security failures and breaches are not limited to criminal masterminds: operational failures are highly important. “Weak discipline over security badges and allowing another person to piggy back through a secure entrance is a chronic failure,” says Lee Kirby, chief technology officer at the Uptime Institute, a Seattle-based organization that provides IT certification, consulting and advisory services. “If an organization allows ‘piggy back’ access, that is a signal about other failures.

“Many times, organizations put security tools and technology in place and hope that the supporting processes will materialize. This approach rarely works well,” Kirby added. “A comprehensive approach such as the Uptime Institute’s Management & Operations (M&O) Stamp of Approval is an excellent way to ensure that an organization has the processes and operations in place to achieve high-quality security,” he commented.

CenturyLink and UBS are two leading companies that have adopted the M&O standard for some of their operations. The Stamp of Approval issued by Uptime is valid for two years so organizations have an added incentive to stay on top of best practices.

“Managers have an important role to play in all aspects of security practices. For example, is there a practice in place to screen and evaluate third-party staff such as maintenance crews and those who service power generators? Those third parties are often forgotten in management plans and that poses a security risk. In addition, managers need to ensure that every person in the facility is trained on security versus focusing on IT staff alone,” Kirby added.

Delivering physical security improvement also requires an understanding of a facility’s setting. “We had an Ohio customer who felt their location was secure due to its location in an access controlled industrial park. They decided to enhance their site security through the addition of ‘no climb’ fencing after we presented additional data on local vandalism and other incidents,” says Chris Curtis, senior vice president at Compass Datacenters.