When it comes to securing your physical premises, following best practices isn’t just a recommendation—it’s a necessity. Whether you manage a small office or a sprawling industrial complex, ensuring physical security is about more than just cameras and locks. It’s about building a comprehensive security posture that helps you identify and address vulnerabilities before they become risks.
Before we begin, we want to share a story of a recent physical security assessment.
Our goal was to break into a large high security data center.
For most people, I like to explain why, because it’s not so intuitive why we would do this.
Our customer had spent millions on badge readers, full-time security staff, high security fencing, security lighting, biometrics, you name it.
So it’s a fair question to ask: was it working?
Back to our goal: can a motivated attacker actually get in?
We started by doing remote recon: looking at satellite images, pulling up county records for zoning and building permits, and doing LinkedIn and Facebook recon on folks who worked in the building.
By then, we had an okay understanding of the perimeter, some internal floor plan layouts and a list of folks who worked in the building. We also had an idea of the badge system that was used. From Google Street View, we could see the badge reader style and brand for the secure parking lot.
We showed up after a week or so of prep. We found the biggest rental vehicle we could get our hands on to fit our team and equipment. Our equipment consisted of laptops, long-range Wi-Fi antennas, badge cloners and a handful of physical security tools (picks, shims and under-the-door tools).
We found a spot to park behind a few trees and just far enough away to not be obvious to anyone outside the building that we were doing surveillance.
The first day crept by, but by the end, we had a plan.
We’d send the youngest-looking person on the team into the building in the guise of a student, trying to meet with an engineering manager we knew worked at the building. Once inside, the “student” would attempt to plug a device into the network that would call back to our command and control server.
Fake resume in hand, our physical assessor walked up to the building, buzzed security and waited. A minute later, the security guard asked what he wanted.
“Uh, I’m a student. I’m hoping to drop my resume off with John Keats, the engineering manager I met at a job fair last week.”
The security guard stood his ground. “Sorry, no walk-ins here, you’ll have to go through the website.”
As our “student” walked away from the building in defeat, someone was walking up to the building to show up for work in the morning.
This new unwitting participant in the exercise had his badge around his neck.
Bingo.
“Hey! I was hoping I could drop a resume off with you,” our student says. As he pulls his backpack off, he keeps it right in front of our victim’s badge.
The interaction is short and sweet, and our student speed walks around the block into the waiting car.
We pulled the badge reader out of the backpack, and sure enough, the backpack held in front of the badge grabbed the badge credentials. Now we had a key.
Long story short, that badge gave us after-hours access to the building, and the physical security kiosk didn’t monitor the side entrance to the building, where our badge worked.
We were in.
This audit checklist is designed to guide you through a thorough review of your site’s security based on leading standards from organizations like ASIS International, ISO, NFPA, and BOMA. Let’s break it down into actionable steps, making sure you can spot weak spots and implement fixes without drowning in paperwork.
Your perimeter is the first line of defense. It’s easy to overlook, but a quick walk around your facility can reveal vulnerabilities. Are your walls, fences, and gates in good shape? Do they provide full coverage, or are there weak points?
Surveillance is crucial for early detection of intrusions. Regularly inspect your cameras and motion sensors, and check that they are properly placed.
Access control measures, like locks and badge readers, need more than just a one-time installation. They require ongoing care and attention. Is every entrance and exit under proper control?
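The assessment above ended with a badge working after hours at a side entrance that nobody monitored. As an added example (not part of the original article), the Python below reviews a badge-system export for that pattern: granted entries outside staffed hours, ranked higher when the door has no guard or kiosk coverage. The CSV columns, door names, staffed hours and monitored-door list are assumptions to replace with your own.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names and door names are assumptions.
SAMPLE_LOG = """timestamp,badge_id,door,result
2024-03-04 08:02:11,B-1001,MAIN-LOBBY,granted
2024-03-04 08:05:40,B-1002,MAIN-LOBBY,granted
2024-03-04 17:45:03,B-1002,SIDE-EAST,granted
2024-03-04 23:17:52,B-1002,SIDE-EAST,granted
2024-03-05 02:41:09,B-1003,MAIN-LOBBY,granted
2024-03-05 03:00:00,B-1004,SIDE-EAST,denied
2024-03-09 11:30:00,B-1001,SIDE-EAST,granted
"""

MONITORED_DOORS = {"MAIN-LOBBY"}   # doors a guard or kiosk actually watches (assumed)
OPEN_HOUR, CLOSE_HOUR = 7, 19      # assumed staffed hours, Monday to Friday


def is_after_hours(ts):
    """True on weekends or outside OPEN_HOUR..CLOSE_HOUR on weekdays."""
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)


def review(log_text):
    """Return (unmonitored_doors, findings) for a badge log export."""
    unmonitored = set()
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        door = row["door"]
        if door not in MONITORED_DOORS:
            unmonitored.add(door)          # coverage gap, regardless of time of day
        if row["result"] != "granted" or not is_after_hours(ts):
            continue
        # After-hours entry through an unwatched door is the case from the story.
        severity = "high" if door not in MONITORED_DOORS else "review"
        findings.append((severity, row["timestamp"], row["badge_id"], door))
    return sorted(unmonitored), findings


if __name__ == "__main__":
    doors, findings = review(SAMPLE_LOG)
    print("Doors in use with no monitoring:", doors)
    for finding in findings:
        print(*finding)
```

Each "high" finding is worth confirming with the badge holder, since the log alone cannot tell a cloned credential from its legitimate owner.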
Proper lighting is more than a deterrent for crime—it also improves overall safety. Walk your fence lines, parking lots, walkways, and loading docks at night. Are they well-lit?
Your fire detection and suppression systems protect lives and property. They need regular inspections and testing.
Your power and internet connections should be stable and secure. It’s not just about keeping the lights on—it’s about preventing service interruptions that could impact security systems.
If your business has areas where sensitive data is stored, such as server rooms or document storage, these areas need extra attention.
It’s easy to focus on the big things and forget that day-to-day security practices matter just as much. Make sure employees are securing desks, offices, and common areas.
Your security systems are only as strong as the people operating them. Make sure your team is well-trained and knows what to do in case of emergencies.
You don’t have to wait for a breach to happen before you take action. Use this checklist as part of a regular audit routine—quarterly at the least—and take the necessary steps to fix issues as soon as they’re spotted.
By building a habit of reviewing your physical security, you’re not just protecting your assets—you’re safeguarding the trust of your customers, employees, and stakeholders.
Start today. Walk the perimeter. Check your lights. Test your alarms. And keep your facility secure.