Whether your workplace is large or small, retail, office or manufacturing, workplace security is important. You must protect your people and your physical goods. But workplace vulnerabilities are also a critical element of data security.
Creating and implementing successful security in the workplace is a complex process. There are multiple threats that need to be considered and various ways to mitigate them. While the process requires significant forethought, the essential elements to a great security plan are simple to understand. These best practices are the backbone around which all the details are built.
Perhaps the first security element likely to be implemented is that of physical infrastructure and deterrents. As soon as an organization moves into a location or chooses to build its own facility, leaders start thinking about how the physical structures are going to keep unauthorized people out and discourage crime from occurring.
The kinds of physical structures needed will largely depend on the type of organization and the type of facility in question.
Nearly all organizations, from the smallest offices to the largest factories, start with locked exterior doors. Even very small businesses that rent coworking space or work out of rented offices should inspect the facility for secure entrances and exits.
At larger organizations that own buildings and grounds, other larger and costlier structures might be necessary.
Physical barriers also include areas inside the building.
Deterrents go beyond locking things up and putting physical barriers between a would-be criminal and the assets being protected, whether people or property. Deterrents are all the small and large things that might discourage a person from taking advantage of a situation.
The effectiveness of active security personnel should not be understated. Highly visible security guards are more effective at deterring crime than cameras alone. Would-be criminals know their likelihood of being caught in the moment is much higher, and therefore they are less likely to attempt anything risky. Security staff also have the benefit of using personal judgment in the moment to react by calling 911, requesting backup, or defusing an escalating situation before it gets any worse.
Access control is the next step beyond physical barriers. Once all the locked doors and controlled entrances/exits are in place, organizations have to determine how to grant access to authorized employees and guests. The best access control systems are convenient to use (i.e. not so cumbersome that employees curse them every time they try to enter the building) and yet are robust enough to prohibit access to those who shouldn’t have it.
In most systems, new employees are issued some form of access credentials. In small offices, this might be as simple as a physical key for a door. In many organizations, employee identification cards serve as keys at electronic locks in and around the building. Some organizations utilize PINs or biometric scanners either alone or in combination with ID cards.
These credentials are returned when the employee leaves the organization. In the event that an employee does NOT return their credentials, the locks have to be changed (in the case of physical keys) or the employee’s information has to be deactivated in the access control database.
Not only do these credentials serve as a way to prevent access into the building itself, but such systems allow for certain areas to be kept off limits for employees that should not have access.
As part of access control planning, organizations need to plan for guests. Visitors arrive at every organization in the shape of prospective employees, clients, vendors, family and friends of employees, delivery personnel and more. A good visitor management system is vital for granting visitors access to the building while ensuring they do not go where they shouldn’t. It will create records for when the visitor was in the building, who they were meeting/seeing, and when they leave.
Great visitor management includes having a designated visitor entrance where all visitors can stop and take the time to register. Visitor badges or IDs issued to guests can have minimum access associated with them. Perhaps visitors cannot unlock any doors or areas and must be accompanied by a staff person at all times. In other organizations, visitor cards might have the ability to unlock main doors to common areas, and nothing further.
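An added example (not part of the original article) of auditing the credential lifecycle described above: it cross-checks a badge database export against the HR roster to find badges that were never deactivated, and visitor badges that open more than common areas. The record layout, zone names and sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data: HR roster and an export of the badge database.
HR_ROSTER = {
    "e100": {"name": "A. Rivera", "left_on": None},
    "e101": {"name": "B. Chen", "left_on": date(2024, 3, 1)},
    "e102": {"name": "C. Okafor", "left_on": date(2024, 2, 15)},
}
BADGES = [
    {"badge": "B-001", "holder": "e100", "kind": "employee", "active": True,
     "zones": {"lobby", "office", "server_room"}},
    {"badge": "B-002", "holder": "e101", "kind": "employee", "active": True,
     "zones": {"lobby", "office"}},          # left, badge never deactivated
    {"badge": "B-003", "holder": "e102", "kind": "employee", "active": False,
     "zones": {"lobby", "office"}},          # left, correctly deactivated
    {"badge": "B-004", "holder": "e999", "kind": "employee", "active": True,
     "zones": {"lobby"}},                    # no HR record at all
    {"badge": "V-010", "holder": None, "kind": "visitor", "active": True,
     "zones": {"lobby", "office"}},          # visitor badge with too much access
    {"badge": "V-011", "holder": None, "kind": "visitor", "active": True,
     "zones": {"lobby"}},
]
VISITOR_ZONES = {"lobby"}  # assumption: visitors may open common areas only


def audit_badges(roster, badges, today, visitor_zones=VISITOR_ZONES):
    """Return (badge, reason) pairs for every active badge that breaks policy."""
    findings = []
    for b in badges:
        if not b["active"]:
            continue  # deactivated credentials cannot open anything
        if b["kind"] == "visitor":
            extra = b["zones"] - visitor_zones
            if extra:
                findings.append((b["badge"], "visitor badge opens: " + ", ".join(sorted(extra))))
            continue
        person = roster.get(b["holder"])
        if person is None:
            findings.append((b["badge"], "no matching employee record"))
        elif person["left_on"] is not None and person["left_on"] <= today:
            findings.append((b["badge"], "employee left on " + person["left_on"].isoformat()))
    return findings


if __name__ == "__main__":
    for badge, reason in audit_badges(HR_ROSTER, BADGES, date(2024, 4, 1)):
        print(badge, "-", reason)
```

Running such a check on a schedule, rather than only at offboarding, also catches badges whose return or deactivation was missed.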
Requiring visitors – and employees – to register or sign in electronically has many advantages:
Incidentally, access control is also the primary way in which electronic information is safeguarded. IT personnel use logins and passwords and the principle of least privilege to prevent both employees and visitors from accessing sensitive information electronically. Without the proper credentials, people can’t get administrative privileges on computer systems that could wreak havoc with the organization, nor can they see records that are not relevant to their work.
Before many organizations even start to put basic physical barriers and access control in place, they may first do a risk assessment. Assessing risk is the act of brainstorming and researching what the risks are for a particular organization and how likely they are to occur.
Every organization has a different risk profile. A small accounting firm serving only a few clients may not worry much about losing money or equipment in a physical break-in, but instead prioritize securing the personal information of its clients. This same firm may, in a different vein, be concerned for the physical safety of its employees getting to and from the building if parking is some distance away and requires a walk through a dark area.
On the other hand, a large manufacturer will have a laundry list of things to take into consideration. A not-at-all exhaustive list for them to consider may include:
Every organization should consider risks in a number of different arenas and then determine the probability, criticality and vulnerability surrounding that risk. (A risk matrix can help.) Some risks to consider:
Good risk assessment is not a one-and-done occurrence; it should occur once per year as a minimum and be an ongoing process when new issues arise and changes are made in the organization. There is also a necessity for “boots on the ground” observation of what is actually occurring within an organization to discover where the security holes are.
Once risk assessment is completed, the next element of security is the act of planning for and responding to these risks. This can take as many or more forms as there are possible risks, but the responses typically fall into the categories outlined here.
For instance, during an assessment, someone might discover that there is a faulty lock on a door, or a door that does not have a lock but should. This invokes both physical barriers and access control.
The same risk assessment might determine that the most likely natural disaster to occur in an area is a wildfire, or the combustion of flammable material on site. Some possible interventions would include
While some responses to a risk assessment will primarily involve adding physical infrastructure, it may be even more likely that the necessary response will be the development of new security protocols and policies.
A security protocol is a planned strategy either to prevent or to respond to a security threat. The easiest way to describe this is through examples.
Possible security policies:
As you can see, there are myriad policies that can be enacted and developed around everyday occurrences. There should also be policies developed for the less likely but more devastating possibilities that could occur. Some of these policies might include:
Other policies might also be about reviewing and evaluating current policy. This might include:
The final element of workplace security is perhaps the most essential element of all. No amount of physical infrastructure, access control, risk assessment or security planning can keep an organization secure if the employees are not on board.
Cultivating a culture of security is the process of communicating security protocols and expectations to employees. This involves sharing information, training people on safety procedures, showing them where safety equipment is located and generally including them and rewarding them for being security-minded.
Unfortunately, some of the biggest security breaches happen for the simplest and smallest reasons.
There are many ways to instill a security culture in an organization. The following ideas are credited to TechBeacon, with some tweaking to make them more relevant to general security instead of only IT.
These communication efforts, plus appropriate training so employees understand the policies and can actually implement the skills required of them, help make security a team effort across the entire organization.
Taking these essential elements of physical infrastructure, access control, risk assessment, security planning and communication, each organization can tailor security to their individual needs. There are numerous ways to explore and evaluate security through the lens of this framework.
If you don’t already have a security infrastructure and communication plan in place, it is not going to happen overnight. Taking the time to follow these best practices to educate people on security – what needs to be done and what should NOT be done – and implementing solutions as they are developed will have you on the path to a safer work environment.