A guide to physical risk assessments
Date: Jul-23-2025

Security is tricky because even with a strong defense system in place, you can never fully prepare for the unexpected.
The good news is that risk assessments can help prevent your team or company from being completely blindsided.
Risk assessments are an important prerequisite for effective risk management. Companies and communities of all types should hire a professional team to conduct risk assessments and produce recommendations, so that they are in a good position to respond to the unexpected.
Table of contents
- What is a risk assessment?
- Goals of a risk assessment
- Why are risk assessments important?
- How often should they be completed?
- Example of physical security assessment
- What to expect from a risk assessment?
- Reasons to conduct a physical security assessment
What is a risk assessment?
A physical security risk assessment (or security site assessment) is a comprehensive evaluation that identifies, evaluates, and prioritizes potential vulnerabilities affecting various assets. The threats and risks associated with those vulnerabilities are also identified and ranked.
Goals of a risk assessment
The primary purpose of a risk assessment is to inform decision-makers about vulnerabilities within the property, allowing them to take pre-emptive defensive measures and prepare appropriate risk responses.
Security risk assessments may also highlight where employees or residents need additional training in order to minimize weaknesses.
A strong physical security risk assessment will consider many variables, including how to protect from external threats, natural disasters, and internal trouble.
Why are risk assessments important?
Over the past 5 years, 60% of companies have encountered breaches in their physical security measures, reports Gardaworld Security.
This means that the majority of properties can expect some type of security incident to occur. Being prepared for break-ins or thefts can save a company thousands of dollars, minimize interruptions to operations, and prevent the crime from occurring again.
Conversely, being unprepared for a physical security incident can lead to lost clients, poor reputation, and increased insurance premiums, among other things.
The costs of proactive risk assessments are minimal when compared to the damage caused by an attack. Plus, the associated benefits offset upfront costs.
It’s also crucial to keep in mind that physical security almost always overlaps with other security domains, most notably cybersecurity, and a weakness in one area can expose the others.

Assessing risks plays a central role in customizing security measures to specific requirements. Assessments are imperative not only to ensure safety today, but also to adapt to evolving threats that could hit later on.
How often should they be completed?
It’s recommended that security risk assessments be conducted at least once a year. But you may consider scheduling an additional assessment if:
- A major security breach has just occurred
- Your company has moved to a new location
- Relevant changes to safety legislation have occurred
- There has been a major internal change, such as new personnel or renovations
Example of physical security assessment
Though this is a very general example, the table below gives you an idea of what a physical security risk assessment addresses.
| THREAT | VULNERABILITY | ASSET AND CONSEQUENCES | RISK | SOLUTION |
|---|---|---|---|---|
| Unauthorized entry; tailgating | No security guards or entry card checks at main entrance | Unauthorized access to secure areas; property theft | High; loss can be anywhere from $5,000 to $20,000+ | Hire security; install access control system |
| Theft; after-hours break-in | Weak door and/or window locks; poor lighting | Physical assets (laptops, safes, other tech) | Moderate | Upgrade locks; install alarms; install exterior lighting |
| Fire (accidental or arson) | No smoke detectors or sprinklers in server/storage areas | Equipment and critical documents destroyed | High; potential loss of $100,000+ | Install fire alarms and sprinkler systems |
| Natural disaster | Building not earthquake-resistant; susceptible to flooding | Injury to personnel; damage to building | Low to moderate, depending on location | Conduct regular drills |
| Accidental damage | Old plumbing; poor employee/guest/resident conduct | Damage to equipment or property | Low to moderate | Sensors; surveillance cameras |
What to expect from a risk assessment?
PurpleSec, a trusted cybersecurity company, identifies 8 steps involved in conducting a security risk assessment:
1. Take inventory of assets
The first step in any effective assessment is to generate a complete map of potentially vulnerable assets.
This map should go beyond hardware. You’ll want to include applications, people, and anything else that could be targeted.
2. Identify security threats and vulnerabilities
This step can be divided into three smaller ones. The outer, middle and inner security layers need to be examined.
The outer perimeter includes the area outside of the facility or building, and may extend to the surrounding neighborhood.
The middle perimeter includes elements like parking areas, lighting, outdoor cameras, windows, and exterior doors.
The inner perimeter consists of access control points, hallways, stairwells, lobbies, etc.
All of these areas will be examined, and vulnerabilities will be documented.
3. Prioritize risks
Next, it’s important to determine what risks may reasonably impact the company or community. This can include things like disgruntled ex-employees, high crime rates in the area, or natural disasters.
Vulnerability and security threat assessments will invariably identify more risks than you can address at once. Therefore, you have to select the most relevant items.
One effective way to tackle this is to use a risk matrix. The risk matrix plots the likelihood of each threat against the severity of the damage a successful attack would cause, so the highest-scoring combinations are addressed first.
4. Develop security controls
Now it’s time to figure out how to reduce harm or prevent incidents from occurring. Options include physical security controls (biometrics, fob access, security cameras, and security guards), administrative security controls (corporate security policies, practices and workflows) and technical security controls (technological resources including software tools like firewalls, encryption and antivirus programs).
Each of these controls can be further divided by function (detection, prevention or correction).
5. Map out action plans
In this part of the process, a plan is created based on the information regarding risks, vulnerabilities, and controls.
The plan will likely include basic, high-level steps for each remediation process and associated costs.
If there are several options for a given vulnerability, you should perform a cost/benefit analysis to make the best choice.
Note that costs are not limited to monetary expenditures; they can also include the time it takes to implement a solution, or the disruption to the business.
6. Review recommendations
Take time to review the recommendations. The report should help you understand which solutions are easy and cost-efficient, which ones provide the most value, and which ones are absolutely critical to compliance and liability concerns.
There’s a lot of information to consume in the report, but the company that produced it should walk you through all of it.
The report may contain recommendations for different vendors or contractors to make the upgrades, or certified experts who have a strong track record.
7. Implement recommendations
Once you have selected actionable items that fit with your budget and abilities, you can put them into action.
8. Evaluate effectiveness
After the changes have been made, ensure that you track the impact or results. Has the solution made a difference? Or perhaps the goal was simply that nothing would happen, in which case the absence of incidents is the result to track.
Either way, you will sometimes need to make adjustments or modifications in order to get the best results.
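The prioritization, cost/benefit and evaluation steps above (steps 3, 5 and 8), worked through in Python as an added example. This is not code from the article or from PurpleSec: the register entries are constructed from the article's sample table, and the 5x5 likelihood/impact scales, the Low/Moderate/High thresholds, the control costs and the reduction figures are all assumptions of this example.

```python
from dataclasses import dataclass, field

LEVELS = (1, 2, 3, 4, 5)  # assumed 1..5 scales for likelihood and impact


def risk_score(likelihood: int, impact: int) -> int:
    """Risk matrix cell value: likelihood x impact (both on 1..5 scales)."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a matrix score to the Low/Moderate/High bands used in the article's table.
    The thresholds are an assumption of this example."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


@dataclass
class Control:
    name: str
    cost: float                    # money plus time/disruption, expressed in dollars (assumption)
    likelihood_reduction: int = 0  # matrix levels the control removes from likelihood
    impact_reduction: int = 0      # matrix levels the control removes from impact


@dataclass
class Risk:
    threat: str
    likelihood: int
    impact: int
    options: list = field(default_factory=list)  # candidate controls

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def residual_score(self, control: Control) -> int:
        """Score after applying the control; reductions are clamped so levels stay >= 1."""
        lik = max(1, self.likelihood - control.likelihood_reduction)
        imp = max(1, self.impact - control.impact_reduction)
        return risk_score(lik, imp)


def prioritize(risks):
    """Step 3: order the register by inherent score, highest first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def cost_benefit(risk: Risk, control: Control) -> float:
    """Step 5: risk-score reduction bought per dollar (higher is better)."""
    return (risk.score() - risk.residual_score(control)) / control.cost


def best_option(risk: Risk, budget: float):
    """Most cost-effective option that fits the remaining budget, or None."""
    affordable = [c for c in risk.options if c.cost <= budget]
    if not affordable:
        return None
    return max(affordable, key=lambda c: cost_benefit(risk, c))


def build_plan(risks, budget: float):
    """Walk the register in priority order, pick the best affordable control for each
    risk, and record before/after scores so step 8 has a baseline to evaluate against.
    Returns (plan entries as (threat, control name, inherent, residual), leftover budget)."""
    plan = []
    for r in prioritize(risks):
        c = best_option(r, budget)
        if c is None:
            plan.append((r.threat, None, r.score(), r.score()))  # unfunded: risk unchanged
            continue
        budget -= c.cost
        plan.append((r.threat, c.name, r.score(), r.residual_score(c)))
    return plan, budget


# Constructed sample register based on the article's table; all numbers are assumptions.
SAMPLE_REGISTER = [
    Risk("Unauthorized entry / tailgating", 4, 4, [
        Control("Hire security guards", 60_000, likelihood_reduction=3),
        Control("Install access control system", 15_000, likelihood_reduction=2),
    ]),
    Risk("After-hours break-in", 3, 3, [
        Control("Upgrade locks", 3_000, likelihood_reduction=1),
        Control("Install alarms", 8_000, likelihood_reduction=2),
    ]),
    Risk("Fire (accidental or arson)", 3, 5, [
        Control("Install fire alarms and sprinklers", 25_000, impact_reduction=3),
    ]),
    Risk("Natural disaster", 2, 4, [Control("Conduct regular drills", 2_000, impact_reduction=1)]),
    Risk("Accidental damage", 3, 2, [Control("Install sensors", 4_000, likelihood_reduction=1)]),
]

if __name__ == "__main__":
    plan, left = build_plan(SAMPLE_REGISTER, 30_000)
    for threat, control, before, after in plan:
        print(f"{threat:32} {control or '(unfunded)':36} "
              f"{risk_band(before)} ({before}) -> {risk_band(after)} ({after})")
    print(f"Budget remaining: ${left:,.0f}")
```

With the assumed $30,000 budget, the access control system wins over hiring guards for the tailgating row because it removes more risk per dollar, the sprinkler upgrade is left unfunded and flagged as unchanged, and each funded row carries its residual score forward as the baseline for the evaluation step.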
Reasons to conduct a physical security assessment
As noted earlier, the costs associated with physical security risk assessments are far outweighed by what it will cost to recover from theft, vandalism, or other security incidents.
But the benefits extend beyond cost savings.
Stay ahead of new threats
Technological advancements can be used for good and for evil. Criminals will take advantage of new technology to execute more sophisticated attacks. On the other hand, you can also employ new technologies to prevent bad actors from even attempting to do something malicious on your property.
Reduce costs associated with incidents
The cost of a physical security incident can vary depending on several factors, including the severity of the incident, the location, assets and people impacted, and the type of business.
Total costs can range anywhere from a few thousand dollars up to a million dollars. However, the estimated average cost of addressing a physical security breach is approximately $100,000.
By comparison, an assessment may cost anywhere from $2,000 to $20,000 for a large facility.
Legal requirements
Regulatory compliance in some industries will require routine physical security assessments. Failing to do so could be costly. Even if there are no legal requirements, assessments are generally considered a best practice.
Conclusion
Physical security risk assessments are essential for effective risk management. By having a professional conduct an annual assessment, you put your company or community in a good position to proactively prepare for common and unexpected threats.