Common Points of Failure and Strategies to Mitigate Physical Security Deficiencies

calendar Oct 24, 2025 / · 4 min read · physical security access control vulnerability study information security security management risk mitigation facility protection  ·
Share on: linkedin copy

Common Points of Failure and Strategies to Mitigate Physical Security Deficiencies

Layered Defense Approach

The nature of physical security ought to be like concentric rings or layers of defense with requirements for access that gets more difficult the closer one get to the center of the rings as described by Peltier (2013). The reason for the rings of security is evident because the security team takes some precautions to protect the organization.

Vulnerability Assessment

A vulnerability study is usually conducted to understand what the physical security requirements are at what gaps or weaknesses exists as described by Fennelly (2012). The study is a comprehensive evaluation of all existing physical security measures, access controls and operational characteristics that affect the facility's capacity to detect, deter, delay or respond to a threat. The study also includes physical systems, policy, procedures, and success and failure statistics to the response to threats. A vulnerability study is a simple way to identify common points of failure and strategies to mitigate any deficiencies found during the study.

Access Control Implementation

Access control includes protecting valuable items and the understanding of what people, data and items(s) receive access. Access controls are used for physical spaces and information as Peltier (2013) points out. Access controls as described by Layton (2016) is essential to information security strategy. Access controls support core security principles of confidentiality, integrity, and availability (CIA) by users having to identify themselves and confirm a user possess the credentials, rights, and privileges to access a system and its information.

Security System Limitations

The study, of the office, may not have been set-up for proper security monitoring. Physical security is not 100% defeat proof as described by Fennelly (2012). Physical security and access controls can be designed to eliminate most threats, but will always have a weak link. Fennelly (2012) describes an example of an alarm system. The alarm system provides a minimum amount of security. The alarm going off may or may not stop intruders but once the alarm is sounded the defense system alarm is upgraded by calling out the police for backup assistance. The alarm system is put in place as a counter measure but is not fail proof and automatically calls the police as a countermeasure to mitigate the person(s) who set the alarm off.

Current Office Security Measures

In our office, the front entrance has a turnstile where an employee badge will need to be swiped or visitors will have to pass through id verification at the front security desk before receiving a temporary badge. This turnstile would be the final ring of security for getting into the building. All visitors are required to be escorted in the building. All these physical security checks do lower the risk entry of unauthorized people. A policy called the Badge Safeguarding Use policy requires that all team member wear a badge at all times and if they do not have a badge visible they are to be reported to the security desk.

Multi-Layer Entry Controls

An example physical security is all employees have a badge for access control to all areas of the office. When entering the employee parking lot one uses the swipe of the employee badge, as an access control to get into the car park. After exiting one's car, one is presented to another access control and needs to swipe the badge again and enter a code to get into the office one at a time through a revolving door. This revolving door is to avoid any tailgating when coming into the office from the parking lot. These checks all work well for lowering the risk of bad actors entering the office.

Identified Security Breach

A few weeks ago we had a security breach in the parking lot. There is a clear risk in our physical security model. We had team members car stolen. To get out of the building parking lot no access control or badge is needed, the gate just opens, and there are no guards on duty to verify anyone leaving just a security camera. People walked into the parking lot, broke into the car and drove out the gate. A deficiency in access control is missing on exiting the car park. On exit one should be required to badge out or even have a security guard checking for a valid badge.

References

Posts in this series