Essential Elements of Workplace Security | Visitor Management System

Executive summary

• Every workplace needs to be concerned with physical security.
• Your workplace should have physical barriers from anyone entering your space, perhaps beyond an open reception area.
• A risk assessment is a good place to start if you have not considered your needs recently.

Whether your workplace is large or small, retail, office or manufacturing, workplace security is important. You must protect your people and your physical goods. But workplace vulnerabilities are also a critical element of data security too.

Creating and implementing successful security in the workplace is a complex process. There are multiple threats  that need to be considered and various ways to mitigate them. While the process requires significant forethought, the essential elements to a great security plan are simple to understand. These best practices are the backbone around which all the details are built.

Physical Infrastructure and Deterrents

Perhaps the first security element likely to be implemented is that of physical infrastructure and deterrents. As soon as an organization moves into a location or chooses to build its own facility, leaders start thinking about how the physical structures are going to keep unauthorized people out and discourage crime from occurring.

The kinds of physical structures needed will largely depend on the type of organization and the type of facility in question.

Nearly all organizations, from the smallest offices to the largest factories, start with locked exterior doors. Even those really small businesses who rent coworking space or work out of rented offices should inspect the facility for secure entrances and exits.

At larger organizations that own buildings and grounds, other larger and costlier structures might be necessary.

• Perimeter fences or walls.
• Electronic gates at parking lot entrances/exits (Parking lots and garages are extremely vulnerable areas.)
• Concrete planters and barriers to prevent access to certain areas.

Physical barriers also include areas inside the building.

• Safes for storing cash and other valuables can prevent theft from those who might break into a building, and also prevent theft by those with a legitimate reason to be there, like employees and guests.
• Employee lockers might be provided in certain organizations.
• Expensive electronic equipment, like computer servers, should be stored in locked closets.
• Locked storage areas can be used for all sorts of valuable assets, from specialized equipment to inventory.

Deterrents go beyond locking things up and putting physical barriers between a would-be criminal and the assets being protected, whether people or property. Deterrents are all the small and large things that might discourage a person from taking advantage of a situation.

• posted signs that advertise alarm systems and/or security cameras
• security cameras and alarms systems themselves
• adequate lighting in parking lots, and security lighting in and around buildings
• motion-activated lighting

The effectiveness of active security personnel should not be understated. Highly visible security guards are more effective at deterring crime than cameras alone. Would-be criminals know their likelihood of being caught in the moment are much higher, and therefore they are less likely to attempt anything risky. Security staff also have the benefit of using personal judgment in the moment to react by calling 911, requesting backup, or defusing an escalating situation before it gets any worse.

Access Control and Visitor Management

Access control is the next step beyond physical barriers. Once all the locked doors and controlled entrances/exits are in place, organizations have to determine how to grant access to authorized employees and guests. The best access control systems are convenient to use (i.e. not so cumbersome that employees curse it every time they try to enter the building) and yet are robust enough to prohibit access to those who shouldn’t have it.

In most systems, new employees are issued some form of access credentials. In small offices, this might be as simple as a physical key for a door. In many organizations, employee identification cards serve as keys at electronic locks in and around the building. Some organizations utilize pin numbers or biometric scanners either alone or in combination with ID cards.

These credentials are returned upon the employee leaving the organization. In the occasion that an employee does NOT return their credentials, the locks have to be changed (in the case of physical keys) or the employee’s information will be deactivated in the access control database.

Not only do these credentials serve as a way to prevent access into the building itself, but such systems allow for certain areas to be kept off limits for employees that should not have access.

• Office workers do not need to be in maintenance sheds.
• Access to server closets should only be granted to IT personnel.
• Safes might be protected by both ID credentials and a pin.
• Medical facilities, laboratories or manufacturing plants might not allow office staff into restricted areas unaccompanied for safety reasons.

As part of access control planning, organizations need to plan for guests. Visitors arrive at every organization in the shape of prospective employees, clients, vendors, family and friends of employees, delivery personnel and more. A good visitor management system is vital for granting visitors access to the building while ensuring they do not go where they shouldn’t. It will create records for when the visitor was in the building, who they were meeting/seeing, and when they leave.

Great visitor management includes having a designated visitor entrance where all visitors can stop and take the time to register. Visitor badges or IDs issued to guests can have minimum access associated with them. Perhaps visitors cannot unlock any doors or areas and must be accompanied by a staff person at all times. In other organizations, visitor cards might have the ability to unlock main doors to common areas, and nothing further.

Requiring visitors – and employees – to register or sign in electronically has many advantages:

• Records of who is in the building at all times (especially helpful in the case of emergency or crime)
• If exit control is also used, a record of when people left the building may be available.
• Records may be available for restricted areas.
• Guests and employees who know their presence is being recorded are less likely to attempt criminal behavior.

Incidentally, access control is also the primary way in which electronic information is safeguarded. IT personnel use logins and passwords and the principle of least privilege to prevent both employees and visitors from accessing sensitive information electronically. Without the proper credentials, people can’t get administrative privileges on computer systems that could wreak havoc with the organization, nor can they see records that are not relevant to their work.

Risk Assessment and Response

Before many organizations even start to put basic physical barriers and access control in place, they may first do a risk assessment. Assessing risk is the act of brainstorming and researching what the risks are for a particular organization and how likely they are to occur.

Every organization has a different risk profile. A small accounting firm serving only a few clients may not worry much about losing money or equipment in a physical break-in, but instead prioritize securing the personal information of its clients. This same firm may, in a different vein, be concerned for the physical safety of its employees getting to and from the building if parking is some distance away and requires a walk through a dark area.

On the other hand, a large manufacturer will have a laundry list of things to take into consideration. A not-at-all exhaustive list for them to consider may include:

• Providing for the safety of employees and visitors on the factory floor.
• Protecting inventory from theft or vandalism.
• Preventing unauthorized people from entering restricted areas.
• Safeguarding patented processes and materials in development from prying eyes.
• Securing parking lots and loading docks.
• Preparing for accidents or natural disasters that may occur and how to respond to them.

Every organization should consider risks in a number of different arenas and then determine the probability, criticality and vulnerability surrounding that risk. (A risk matrix can help.) Some risks to consider:

• Theft – what is most at risk for theft and where is theft most likely to occur?
• Injury – are there tripping hazards, hazardous materials, dangerous areas?
• Natural disaster – what kinds are prevalent/possible in the area?
• Intellectual property theft – what is information could be valuable to competitors and others?
• Violence – what industry are you in? Does it work with volatile people, or do you make enemies? (Examples: the medical industry, a law firm.)
• Location – what is the neighborhood like? Is there a lot of crime in the area?

Good risk assessment is not a one-and-done occurrence; it should occur once per year as a minimum and be an ongoing process when new issues arise and changes are made in the organization. There is also a necessity for “boots on the ground” observation of what is actually occurring within an organization to discover where the security holes are.

Once risk assessment is completed, the next element of security is the act of planning for and responding to these risks. This can take as many or more forms as there are possible risks, but the responses typically fall into the categories outlined here.

For instance, during an assessment, someone might discover that there is a faulty lock on a door, or a door that does not have a lock but should. This invokes both physical barriers and access control.

The same risk assessment might determine that the most likely natural disaster to occur in an area is a wildfire, or the combustion of flammable material on site. Some possible interventions would include

• Physical infrastructure - the purchase and installation of fireproof equipment, fire safes and fire extinguishers
• Security protocols - developing an evacuation and communication plan, accounting for guests in the building, creating a plan for regrouping after a catastrophe
• Communication and training - training employees on how to use the new equipment and evacuate

Security Protocols and Policy

While some responses to a risk assessment will primarily involve adding physical infrastructure, it may be even more likely that the necessary response will be the development of new security protocols and policies.

A security protocol is a planned strategy either to prevent or to respond to a security threat. The easiest way to describe this is through examples.

Possible security policies:

• Visitors are never left unattended except in restrooms.
• Two employees must be present whenever the safe is opened and/or money is being taken for deposit to the bank.
• Banks often have a policy that employees must take two consecutive weeks of vacation because if an employee is embezzling, it will become apparent in that time.
• Employees will always use their credentials when entering the building.
• Security cameras will monitor all exits and entrances.
• All security recordings will be kept for 12 months.
• Former employees will be removed from the access control system within two business days.

As you can see, there are myriad policies that can be enacted and developed around everyday occurrences. There should also be policies developed for the less likely but more devastating possibilities that could occur. Some of these policies might include:

• Appropriate response plans for various natural disasters – earthquake, fire, flood, etc.
• Plans for preventing workplace violence, which may include having security present when an employee is fired, and flagging troublesome ex-employees, clients and others in the visitor management system.
• Response plans for workplace violence – what to do in case a person gets physically violent in any way.
• Enact plans for what to do if a person is discovered in the act of theft – are they confronted, which may lead to an altercation, or is the information simply recorded and the authorities are called?
• Outline the processes for reporting theft and other illegal activities.

Other policies might also be about reviewing and evaluating current policy. This might include:

• Risk assessment will occur, at minimum, once every twelve months.
• When risk assessment happens, a team of four people will walk the premises and test every door.
• Another team will evaluate the access control system.
• Still another team will spend time observing what is actually occurring.

Communication and Training

The final element of workplace security is perhaps the most essential element of all. No amount of physical infrastructure, access control, risk assessment or security planning can keep an organization secure if the employees are not on board.

Cultivating a culture of security is the process of communicating security protocols and expectations to employees. This involves sharing information, training people on safety procedures, showing them where safety equipment is located and generally including them and rewarding them for being security-minded.

Unfortunately, some of the biggest security breaches happen for the simplest and smallest reasons.

• An employee holds the door open for someone without credentials.
• A workstation filled with sensitive material is left unattended, but still logged in.
• An employee doesn’t feel safe around her ex-boyfriend, but doesn’t share that information with anyone. When he shows up at her workplace, no one is concerned.

There are many ways to instill a security culture in an organization. The following ideas are credited to TechBeacon, with some tweaking to make them more relevant to general security instead of only IT.

1. Help people recognize that security belongs to everyone. It is everyone’s responsibility to think about security. If anyone from the top executives to the janitor thinks security is not part of their job, they need to be guided to understand that it actually is.
2. Focus on awareness. Give everyone a basic understanding of what is expected as far as security goes. Those policies and procedures outlined by the security task force need to be shared with everyone.
3. Follow a secure development life cycle. This one is less applicable to physical security than the other steps, but not as much as you might think. For starters, your organization likely has IT development that needs to have this as part of their process. As a general security rule, it might describe the cycle of risk assessment, policy evaluation or of employee credential installation and de-commissioning.
4. Reward good security behavior. Especially when a new policy is enacted, make it a point to call out and recognize those doing the right thing. It is necessary to reinforce the good behavior and the importance of why it is being done.
5. Make security fun and engaging. Think about ways to make it less of a drudge. Follow the annual fire drill with a company picnic in the parking lot, for example.

These communication efforts, plus appropriate training so employees understand the policies and can actually implement the skills required of them, help make security a team effort across the entire organization.

Summary - One Step at a Time

Taking these essential elements of physical infrastructure, access control, risk assessment, security planning, and communication, each organization can tailor security to their individual needs. There are numerous ways to explore and evaluate security through the lens of this framework.

If you don’t already have a security infrastructure and communication plan in place, it is not going to happen overnight. Taking the time to follow these best practices to educate people on security - what needs to be done and what should NOT be done – and implementing solutions as they are developed will have you on the path to a safer work environment.

Link to previous article about primary threats to security.