Designing Physical Security Awareness Training
May 25, 2018
There’s nothing more embarrassing than a physical security breach.
Whether it’s a company laptop left in a car or files stolen from the office, a physical security breach is really bad news.
But how often is your staff reminded of their responsibilities? And how much thought went into the training?
We get it. There are so many other things to worry about, a lot of the time physical security awareness training is bumped right down to the bottom of the priority list.
But with data protection authorities all over the world starting to find their teeth, it might be a good time to rethink your approach.
People: Asset or Liability?
The thing about physical security is that it’s heavily people dependent.
Unlike cyber-attacks, which can easily go unnoticed, physical security breaches nearly always require some serious human error. And whether that’s an unlocked door or a failure to check visitors’ IDs, it’s ultimately the result of negligence or misunderstanding.
But the thing is, it doesn’t have to be that way.
Just as people have the power to make mistakes, they also have the power to prevent or interrupt what could otherwise be a catastrophic security breach.
If you allocate the time and resources necessary to develop a truly valuable physical security awareness training program, you can easily turn your biggest security liability into a real strength.
Content is King
First off, let’s get the obvious out of the way. When it comes to training, the information being conveyed is easily the most important thing to get right.
Here are some of the things we think absolutely must be included in your program:
1) Locking doors/desks/filing cabinets
This is as basic as it gets. Any room, drawer, or cabinet that contains sensitive data or equipment should be secured. Any time your staff walk away from their desks, they should be locking everything on and around their desks.
And we know you know this. Everybody does.
The problem is that busy people aren’t thinking about security by default, they’re thinking about their work. Your job is to make staff adopt these practices as habits and to do that you’ll need to remind them regularly.
2) Crossover with Cybersecurity
While we’re on the subject of locking things, your staff should also remember to lock or turn off their computer whenever they walk away from it. This isn’t really a physical security concern, but since you’re asking people to lock everything when they walk away from their desks it makes sense to mention this point at the same time.
It’s worth remembering that not everybody will intuitively understand why it’s important to lock their computer. For this reason, explaining why an unlocked terminal is a vulnerability may help to hammer the point home.
3) Device and Data Security
Another big one.
It seems difficult to comprehend, but a truly staggering number of laptops are lost and stolen each year from airports, trains, parked cars, and cafes.
The point to drive home here is the real cost of losing equipment, beyond simply the cost of replacements. As we mentioned earlier, data protection authorities in the U.S. and Europe are starting to gain some real power, and organizations will be finding out in the next few years exactly what that means.
Large organizations could face multi-million dollar fines if found to be negligent. Explain this, and politely ask your staff to keep equipment with them at all times when traveling.
Make it Relatable
We’ve alluded to this already, but it’s worth repeating.
You can’t simply tell people what to do, and expect them to do it. Security is a habit, not a task, and a single annual reminder isn’t enough to keep it at the forefront of peoples’ minds. To get around this, you’ll need to make your training program interesting, and include content that’s directly relevant to your staff.
For instance, telling people to lock their desks is good advice, but probably won’t work. Explaining that three colleagues have had items stolen from their desks in the past six months is far more likely to change behaviors.
Likewise, explaining that leaving terminals unlocked might allow attackers to install keyloggers is true, but most people won’t understand the implications. Going further to explain that their accounts could be compromised and that their most personal records could be stolen, however, is very relatable.
Throughout your training program, always try to bring things back to the individual level. Think about what you want them to do, and then look for highly personal and relatable reasons for doing those things. It’s not that people are inherently selfish, it’s just that in an increasingly complex and busy work environment, you need to engage peoples’ emotions if you want to be remembered.
Rehearse and Reinforce
In our opinion, the absolute worst thing about most physical security awareness training programs is that they’re purely an annual event. Most of the time, organizations require their employees to complete a five-minute e-learning course once per year… and that’s it.
This might allow you to meet regulatory requirements, but in terms of changing behaviors, it’s a total waste of time.
If you want people to really absorb the information you’re providing, you need to make sure they understand what they’re being told, and you need to reinforce the key messages constantly. Send out frequent email reminders, perform ongoing training, put posters up, put stickers on mobile equipment… almost anything you can think of to keep security at the forefront of peoples’ minds will make them more likely to act sensibly.
And while you’re at it, don’t forget to rehearse on a regular basis. Not all procedures will lend themselves to rehearsal, but for routine tasks like locking and unlocking buildings, it is well worth taking the time to make sure the documented procedures are being followed.
Test, Test, Test
Ultimately, there’s only one way to know for sure that security protocols are being observed, and that’s to test them.
Have someone who won’t be recognized (usually a hired professional) try to talk their way into your buildings. Once there, they can check whether doors are locked, seek out abandoned desks, and generally try to make a nuisance of themselves.
If your staff has internalized the lessons learned from their training, this would-be invader will have little or no luck. If they aren’t refused access to the building, they at least won’t find much to do once inside.
If on the other hand, your staff has not remembered their training, you’ll soon understand what an attacker can do if able to access your facility.
Either way, this is extremely valuable information.