
In Conversation with our Physical Security Team

Written by HQ | Oct 2, 2024 12:59:52 PM

As the nights draw in, we coaxed our physical security team in from the cold with the promise of winter treats, and canvassed their opinion on all things security.

Let’s join them as they warm up and share their thoughts on all things Physical Security. 

 

What are the key aspects of physical security that businesses often overlook? 

Gavin: One of the most overlooked aspects is building access control, or rather, the lack of it. Businesses, especially those in smarter buildings, generally want to provide freedom of access and movement to their employees. They don't want people to feel burdened by barriers and layers of security control, so in many areas we’re seeing a reversal, from where previously we had strong access controls and a good level of manned guarding, to these being cut back for aesthetics and ease of access. Now, it’s often too easy to get into a building and move around freely, and we are seeing this play out more where businesses are targeted, such as by protesting. When we conduct penetration tests, we frequently find that we can access a building and even reach certain floors without much resistance. It’s then at the specific offices we find more robust access controls being applied, but once you’ve made it inside a building it's a lot easier to use social engineering techniques to get access into the more secured areas, such as an office.

Justin: There's also the issue of organisations not having proper control over their own security policies. For example, employees are often allowed to wear their name badges outside the building. This can then be exploited for social engineering or access card cloning, where someone might take that visible information to gain approved access into a building or impersonate an employee. 

Then, there's the very common issue of fire doors being propped open or used as exits and entrances by staff, which presents another security gap where intruders can bypass the building's more robust security controls. We often find people are trading convenience for security, leaving building access points vulnerable.

Jim: That’s a theme we see a lot—convenience over controls and even aesthetics over access. Businesses want sleek, open workspaces that are easy to navigate, but often at the cost of effective security measures that are designed to protect both them and their employers' businesses. 

Nick: It's not just about getting into the building either. Employees become particularly vulnerable the moment they leave the building. They’re carrying laptops, putting in PIN codes, and using their phones in public. These are all opportunities for attackers, especially when employees are less cautious about who’s around them in those moments. 

Gavin: And what’s often missing in risk assessments is this holistic view of the employee’s entire journey to and from work. We should be thinking about the duty of care from the moment an employee leaves home to when they return, but that’s rarely applied in security planning. Most risk assessments focus on what happens inside the building, not the travel between home and work, even though that’s where many vulnerabilities lie. 

Gavin: We’ve heard plenty of news stories about employees leaving confidential information in documented form, on data storage devices or on laptops at bus stops or in public places.  

The problem is that defenders aren’t thinking like attackers. They focus on securing fragmented parts of the overall security spectrum, but they fail to consider the full attacker pathway—the entire journey of an employee from home to work and back again. This piecemeal approach leaves gaps in security that attackers can easily exploit. 

So, security isn't being considered holistically, but in bits and pieces? 

Gavin: Exactly. It’s only being considered in bite-size chunks, and that’s where we find a lot of exposures. When incidents happen, it’s usually because no one has looked at the bigger picture of where the vulnerabilities lie across that whole security pathway. This is where Jim came up with the idea of the security triangle, which illustrates the three parts of security: cyber, physical and people. If you fail to consider any one part of the triangle, the structure becomes less stable.

What are the most common physical security incidents you’re seeing today? 

Justin: Tailgating is a big one. It’s probably the most common issue we encounter when we review the security of buildings—people following others into restricted areas without proper authentication. 

Gavin: And that goes back to the larger problem of not thinking holistically about security. If your access controls are weak at the front door, it doesn't matter how tight they are elsewhere.  

What are the new and emerging threats businesses are seeing? 

Nick: There has been an increase in protests and businesses do not seem to be fully prepared for the tactics protesters are now using.

Gavin: There’s been a noticeable rise in civil unrest. We’ve seen businesses targeted not because they are direct offenders, but by association. For example, museums and public places of interest have been attacked just because they’re hosting an event sponsored by a targeted organisation. There’s also been a significant increase in attacks on banks and investment firms simply because they’re associated with political and global conflicts abroad. It’s something you wouldn’t have seen as often 10 years ago. Before, you saw major disruptions to infrastructure, like transport networks, where some activists went beyond peaceful protest to acts designed to cause as much disruption as possible. This still happens but seems less often currently.

Gavin: We’re also noticing an increase in violent attacks on the public. These aren’t always just random acts of violence but sometimes attributed to broader societal unrest. We've seen rising tensions around immigration, cost of living, and other social issues. For example, we've seen a surge in incidents like shoplifting, abuse towards staff in retail spaces, and even more aggressive actions targeting hospitals and public services. 

Jim: Do you think there’s been a shift in the way protests are organised? In the past, you’d expect a rally or a large gathering, but now it seems to have become more militant and unpredictable. 

Nick: Yes, definitely. After 9/11, people became more aware of terrorist tactics, and those methods seem to have filtered down into protest groups. We’re seeing more leaderless activism, where individuals take it upon themselves to escalate their actions, using increasingly disruptive tactics. Perhaps it's a sense of competition—trying to one-up the last protest—that leads to more extreme behaviour. 

Gavin: Social media plays a role in this, too. There’s a lot of misinformation and disinformation circulating online, which can encourage people to take more drastic actions. In some cases, they’re being incited to commit crimes or acts of vandalism. While some of these may not be direct physical threats, they lead to physical security problems when something or someone gets targeted. 

Jim: Are we becoming desensitised to these kinds of disruptions? It seems like groups must work harder to make an impact because we’re used to protest and disruption. 

Gavin: That’s a valid point. The more accustomed we become to these kinds of actions, the harder protestors or attackers must push to make their message heard. This escalation makes the physical threat far greater than before. 

You’ve mentioned that these disruptions sometimes lead to physical security incidents. How are businesses handling these changes? 

Gavin: The truth is many organisations aren’t prepared for this level of unrest. And it’s not just external threats—insider threats seem to be on the rise also. While most insider incidents are accidental, there’s a growing concern around how misinformation or access to certain platforms could lead to deliberate attacks within an organisation.  

So, we’re seeing a convergence of cyber threats with physical security risks? 

Gavin: Exactly. Cyber threats are increasingly bleeding into the physical world. Attacks on infrastructure, whether through hacking or direct physical sabotage, are becoming more common and present in mainstream media. For example, in conflict zones, cyber-attacks are leading to real-world harm. It’s something we’re seeing more of, and it’s a significant concern for the future. 

Justin, you mention tailgating. What would you say is the best way for people to stay more vigilant about security or avoid these kinds of issues?

Justin: More training. I’d say one of the key things is behavioural detection—being able to spot tailgaters, recognising potential threats, or noticing someone who just shouldn’t be in the building. It boils down to businesses having policies in place such as having ID cards on display - basically creating a more security-focused culture. 

Gavin: It’s really about putting risk management into practice. 

Jim: Exactly. It’s like that old saying—if you’re going to use a tourniquet, if you are going to apply one, then apply two. The same concept applies to tailgating—if you’re concerned enough to have access controls, you should double up.

If you’ve got one security measure—let’s say you’ve got barriers—you should have a second layer too. Having two layers reduces the likelihood of a tailgater getting in. It's simply following the principles of protection in depth.

Gavin: The frustration here is that the technology exists—things like facial recognition or biometrics that could help with security without making it harder for people to get into the office. But, because of data protection regulations, these technologies aren’t used as much as they could be. Some companies are starting to be smarter about it, using multiple modes of authentication, but that’s still pretty rare. In reality, it’s all about protecting what matters most to the business. But often, businesses focus on making things convenient—you know, smarter ways of working—rather than prioritising security. That mindset is something we see impacting how buildings are secured too. 

Jim: It’s a constant trade-off. Take tailgating, for example—we could do all sorts of things to prevent it. We could implement airlock systems, like in high-security areas where you have to scan yourself in, wait, then scan again. But if you’ve got thousands of people coming back from lunch at the same time, they won’t want to wait for that.

Justin: Another issue is aesthetics. If I had a major tailgating problem, I’d be perfectly fine installing a turnstile system—you know, the ones with the cages that stop people from just walking through. But a lot of businesses won’t opt for that. They don’t always choose the most secure option; they go for what looks the best.

Jim: They’re choosing aesthetics over access control, and that’s where problems arise. We are seeing more aesthetically pleasing access control barriers and technology, so the industry seems to be taking note.  

Nick: It’s the same with homes, isn’t it? You don’t put steel doors and shutters on your house because you want it to look nice. It’s always about finding a happy medium. 

Gavin: In some countries and regions, the locks and doors are generally security rated at a higher level than others. Homeowners will usually improve their security once an incident has occurred. This isn't dissimilar to many businesses.

Gavin: When it comes to security, there are three core principles. Protection in depth: having layers of defence or protection. Balanced protection: ensuring that all components, such as door frames and locks, are equally strong. And minimum consequence of component failure: so, if one component fails, you've got something else, which kind of goes back to protection in depth, going back to Jim’s point.

And a lot of these things are just being pushed to one side because people just want their premises to look nice and they just don't want security. It’s a real frustration for us because then an incident happens, and you're having to go back and retrofit at greater cost. 

These principles are often neglected in favour of aesthetics, which leads to vulnerabilities and higher costs later when trying to secure the property. 

Jim: People spend a lot of money on their homes and valuables like cars, yet they often rely on basic security measures, like a single set of gates and standard car security.

Gavin, you mentioned earlier that it's about applying risk management principles. Can you expand on that? How do you balance what can be protected versus what must be protected? 

Gavin: It comes down to understanding that we can’t protect everything, but we have to prioritise what’s most important. Our most valuable asset is ourselves and loved ones: people. All those material possessions mean nothing if we’re not around to use them. We generally put a lot of effort into looking our possessions because we have to work hard to get them, but often don't think about securing them once we have them.

When we undertake a security review, we assess vulnerable areas that will give a threat actor access to these possessions we care so much about. If your most important possession is your documents—like the deeds to your home, marriage certificates, or passports—then they should be stored securely within your home. But how many people leave such critical documents in non-fireproof binders or a cupboard? If there’s a fire, they would lose them. These documents should be in a fireproof safe or lockable container.

Gavin: Another thing is car theft. For instance, if someone owns a £100,000 Range Rover, they should protect it by keeping it in a garage or under a covered port with CCTV. However, many don’t take such precautions, which makes them more vulnerable to theft.

Justin: A simple solution to prevent car theft, especially with keyless cars, is to use a Faraday bag to block the signal from the car key. Yet, this is often overlooked in property security reviews, despite it being an effective way to prevent a significant number of car thefts.

Nick: Most people who experience car theft don't realise how it happens. Thieves can easily boost the signal from the car key to unlock and start the car, bypassing traditional security measures like CCTV. Using a Faraday bag would prevent this.

What other risk controls would you recommend for people working from home? Especially with so many now adopting remote work? 

Gavin: The first control, and it's a simple one, is using headphones during sensitive conversations and perhaps a privacy screen where you are in view of windows. These are basic things that can make a big difference. For example, if someone breaks into your home, they may try to figure out where you work and set up covert surveillance devices, like covert cameras or audio recorders. So, sorting out your information security setup is key. But beyond that, it really depends on the individual. Could they be a target?

Jim: That’s a good point. It’s also about assessing the risk, and sometimes the simplest things make a difference—like having an alarm system or a monitored CCTV setup at home. It's also important to lock away your devices when they’re not in use. We've seen incidents where executives have had cyber breaches because they allowed family members, like their kids, to use their work laptops. It’s these small vulnerabilities that often get overlooked. 

What physical security measures should be applied at home in addition to these? 

Gavin: It starts with the brilliant basics, honestly. Like, how do you lock away your work devices when not using them? Do you have a proper home security alarm system in place? We’ve seen high-profile cases where people leave their homes vulnerable, and that’s all it takes for an attacker to get in. Also, some people leave confidential information and work devices out in the open where they can be seen from outside, and that’s a big vulnerability.  

Nick: It’s all about balancing convenience with security. People often leave their car keys by the door or don’t fully lock up their house just because they’re only stepping out for a few minutes. But these are exactly the types of habits attackers count on. They’ll boost your car signal or just walk in because the front door’s on the latch. It doesn’t matter how advanced your home security system is if you don’t lock the door.

Gavin: Exactly. And we used to have a stronger sense of community, like neighbourhood watch where people looked out for each other. But nowadays, everyone’s siloed into their own homes and glued to their screens, whether it’s for work or personal use. If no one’s watching the street or keeping an eye on things, it’s easier for an attacker to move unnoticed. 

Jim: That’s a key point. Working from home means we’re all looking at screens and not paying attention to our surroundings. It’s just like when you walk down the street staring at your phone—you're an easier target. Attackers will always go for the weakest link. If your home looks empty or vulnerable, it could be targeted, even if you’re inside working. 

Gavin: And that’s why it’s important to focus on the brilliant basics. We can write down a whole list of things you should do, but if it’s more than a handful of items, people tend to forget. It’s about making those brilliant basic security habits part of your everyday life. 

Jim: Right. For example, we tell people to lock up their house like they're going on holiday, even if they’re just popping out for ten minutes to grab some milk. Close the windows, lock the doors—don’t just pull it to. But, let’s be honest, that doesn't always happen. I know I’ve been guilty of it myself. 

Gavin: It's a mindset shift. If we can instil those habits, people will start locking their homes properly and not leaving themselves exposed. 

Jim: Absolutely. And that’s where physical security integrates with cybersecurity. You can spend millions on a cyber setup, but if someone can just walk into your house and take your laptop or tap into your network, it’s all for nothing. 

Gavin: And let’s not forget, a lot of this comes down to how cybersecurity and physical security teams work together. At Toro, we’re constantly sharing insights, learning from each other’s fields of expertise. It takes change management to get these two disciplines to mesh well. 

How do you find getting these two fields to collaborate? 

Gavin: It’s an interesting challenge, and it comes down to how physical security and cybersecurity are seen as very different disciplines. What we’ve found—and this is from feedback we’ve had from clients—is that the biggest hurdle is change management. Cybersecurity teams often view themselves as highly technical, dealing with acronyms and complex systems, while physical security teams are more focused on tangible, real-world issues like protecting people and physical assets. The two sides don’t always speak the same language. At Toro, we’ve been able to get this right because we constantly engage with one another, sharing knowledge, incidents, and vulnerabilities. It’s about collaboration and making sure both teams—physical security and cybersecurity—work cohesively to deliver a comprehensive solution. 

Justin: That convergence of the two—physical and cyber—needs regular communication and a shared understanding. I mean, cybersecurity isn’t just about securing devices and networks; it’s also about controlling access to those systems. For instance, how easy is it for someone to physically access your cables or network hardware? If you’ve got poor physical security, it could undo all the sophisticated cybersecurity systems you have in place. 

Jim: That’s a really good point. Take, for example, installing a new system in a building. If someone can just walk in and tamper with your network cables, or clip on a device like a pineapple that can steal data, then all your cyber defences become meaningless. It’s a vulnerability that ties directly into how secure your physical space is. 

Would you say physical security is just as important as cybersecurity, especially when it comes to preventing data breaches or unauthorised access? 

Jim: Definitely. In fact, they are inseparable. Think about it—if one of your employees leaves their laptop powered on and unlocked on the back seat of their car every day, all the millions you’ve spent on cybersecurity could be compromised by that simple routine. Attackers only need a small window to exploit predictable behaviours. We had a case where a routine like that allowed someone to get hold of a device, which led to a breach. Physical security isn't just about locking doors; it's about thinking ahead, staying unpredictable, and ensuring that physical measures support cyber protections. 

Gavin: Exactly. And in many cases, the biggest threat actor will use whatever tool they can—physical access, cyber vulnerabilities, even social engineering. We need to accept this reality and constantly refine our approach. That's why at Toro, we make it a point to have frequent discussions and meetings where we talk about different skill sets, incidents, and solutions. It’s about keeping pace with the evolving threat landscape. 

Is that what clients often struggle with—bringing the physical and cyber teams together? 

Gavin: Yes, it is. And it’s really about overcoming the perception that one side is more important or more complex than the other. The truth is, both physical and cyber defences are crucial, and they must work together. The biggest issue we see is that the two teams don’t always understand each other's roles or the impact they have on overall security. 

Is there a way you recommend organisations bridge that gap between physical and cybersecurity teams? 

Gavin: It starts with regular communication and knowledge sharing. Organisations need to create a culture where both teams are not just working in their silos but actively engaging with each other. Information and cyber standards are now including physical security requirements, such as access control, which is helping to bridge the cyber physical gap. Both teams need to have a good understanding of information security since this is a key part of both skill sets. At Toro, we make sure our teams are constantly feeding each other information—whether it’s about incidents, vulnerabilities, or solutions. It’s about breaking down those walls and ensuring that both physical and cyber security are seen as interconnected, not separate entities. 

If you would like to speak to any of the team about any points raised, please get in touch.