Physical Security on the Job

By Diane M. Calabrese / Published June 2023

Secluded and dark, with lots of places for a dangerous individual to hide…A setting like that has the makings of a crime scene. But this is 2023, and security cameras and motion detectors that illuminate unlighted spaces can improve physical security in any setting. One contractor who spoke with us explains that he’s fortunate to work in a very safe area with plentiful security cameras and numerous companies and people around.

     For companies devising their own physical security plans, though, the plot enhancers of a crime novel serve as a good starting point, and that first step is situational awareness.

     Each job site is different. Each facility location is unique. Some jobs require contractors to work at night or in parts of communities where there’s a high likelihood of theft or assault. Some facilities of manufacturers and distributors are anchored in higher crime areas.

     In fact, members of our industry experienced smash-and-grab robberies before they became as ubiquitous as they are now. So common are such crimes in many cities that the thieves no longer try to conceal their deeds, but instead simply walk through stores and steal by filling bags.

     As difficult as times are, that’s no reason to become the equivalent of a future victim in a crime story—that is, abandoning caution and throwing prevention to fates and walking down a dark, suspect corridor deep in the night. But with no plan for physical security, that’s exactly what’s being done: taking a chance.

     Physical security encompasses efforts to prevent theft and—should prevention fail—to protect facilities and jobsites from intruders. The intruders might be thieves, assailants, or anyone aiming to engage in criminal activity. Protection of assets—people, equipment, vehicles, structures, information—begins with preventing unauthorized individuals from gaining access to a place.

     A plan for robust physical security generally begins with a structured risk assessment. Identify assets (to be protected). Identify threats to the assets. Identify vulnerabilities. Then, make a plan to eliminate vulnerabilities or at least mitigate them. 

     The easiest way to ferret out vulnerabilities is to think like a criminal. Weak locks, large windows, poor lighting, remote location, no alarms, etc. are the sorts of things intruders try to find. 

     Many intruders of facilities will do a thorough analysis of the layout and security before a crime. So a risk assessment should include being aware of individuals who seem to be “casing” the facility, as criminologists would describe it.

     In today’s world, intruders may be thieves, but they may also be violent actors, terrorists, or saboteurs. It’s a complicated world, and anyone with a business will not be able to cordon off a separate space. What’s in the world will spill over, and every business will be affected. 

     Access control is a fundamental element of deterrence. Yet in the spirit of goodwill, many business owners neglect it during business hours, thinking more in terms of after-hours security.

     Ensuring that only authorized personnel are on jobsites or in facilities is important. Those with malicious intent often gain access by mingling with employees who are not alert to strangers. 

     Businesses must be welcoming, but they should have some sort of check on who enters the premises. Storefront employees should be trained to recognize suspicious or unusual behavior among potential customers, for instance. 

     As a corollary, physical security of information also requires authorized access. Companies that do not have stringent security measures in place on electronic devices, what can be accessed and by whom, issue an open invitation to hackers.

     Occasionally, physical security collapses not because of an intentional intruder but because of an accidental one. When identifying vulnerabilities, be sure to consider weaknesses in structures. 

     Simple things such as having a physical barrier (large concrete planters) between a parking area and the building tamps down the possibility of someone driving into the storefront. And highly visible temporary barriers around contractor jobsites near roads do the same.

     The adage about building a better mouse trap and the cleverer mice that result applies to physical security. There’s nothing static about the identification of vulnerabilities or the development of ways to reduce them. 

     Security guards help in many settings. They must be hired with care. Hiring with care is a good way to augment physical security in general. Access control has little value if a would-be thief or vandal is on the payroll. Similarly, when hiring contractors or working with new vendors, check their credentials. 

     Often when there’s a security incident, such as a break-in, it’s not a standalone. Criminals frequently target a succession of businesses in the same area, so any incident, however small, should be reported to law enforcement. The reporting allows police to compile maps and communicate about where crimes are occurring. 

     Local business associations can invite law enforcement representatives to speak and present recommendations on how to strengthen physical security. This can be done at the national association level, too. But at the local level, it’s a good way to get information about patterns of crime in a region and strategies for disrupting them.

     Don’t make it easy for the “bad guys.” That’s the essence of physical security. Yes, the “mice” will get wiser, but make them work at it.

     Lighting, motion detectors, alarms, cameras, and security guards all help. Varying the position of lights, alarms, and cameras helps, too.

     Lock up everything possible. Have good locks. Consider changing locks after employees who left for cause depart. 

     Consider double protection for the most valuable parts of a business. Safes still have a place. PCs should be locked in an office as well as a building. 

     Finally, realize that not every breakdown in physical security is a noticeable one. From items walking quietly out the door to embezzlement, threats come in many ways.

     Keeping inventory up to date may sound prosaic, but a loose inventory system does not enhance security because a business owner might not realize for some time that items are missing. 

Emergency Preparedness

     When OSHA [Occupational Safety and Health Administration] considers physical security, it does so under the broader scope of workplace emergency. OSHA considers a workplace emergency any event that threatens workers, customers, or the public. The event may stop operations and cause physical damage or environmental hazards. 

     Human-caused (a breakdown in physical security) or natural (hurricanes, tornadoes, floods, wildfires, etc.) or in between (e.g., chemical spills, disease outbreaks, explosions), a workplace emergency is something for which employers are expected to prepare.

     A document from OSHA, Emergency Preparedness and Response: Getting Started (https://www.osha.gov/emergency-preparedness/getting-started) is a useful tool to use when assessing areas of vulnerability at a business. Run through the list of readiness topics, such as medical and first aid and fire protection, and find the OSHA standard(s) that apply listed by number and title. 

     The guide also reminds businesses that there may be additional standards that apply to emergency planning requirements. For instance, OSHA advises that employers should be familiar with consensus standards of the National Fire Protection Association (NFPA) and the American National Standards Institute (ANSI). 

     As the OSHA guide notes, NFPA consensus standards affect almost every place of business. (See more at NFPA.org.) Tapping assistance from local fire officials when assessing risk on a site can be a good (and usually free) approach.

     Not all types of employers are required by OSHA to have an emergency action plan (EAP), but an EAP is recommended for all employers. 

     Having an EAP ensures that employees know what their responsibilities are in an emergency of any kind. It reduces confusion should an event occur. The EAP also facilitates training of employees. 

     An EAP (mandated or voluntary) should include how an emergency should be reported (and information about it disseminated). If there is an intruder, how will that information be conveyed discreetly to those elsewhere in the building and to authorities? The EAP should also include both emergency routes to exits and safe/refuge areas, and it should include a meeting place for those who leave the building so that a tally of those still inside can be made.

     Large facilities must have posted maps of evacuation and exit routes. If there are processes that should be shut down to reduce risk when a natural disaster threatens, assignments to the responsible parties should be clear.

     In the not-distant past, an EAP was developed with natural disasters in mind. Now, it applies equally to intruders who have entered a place to do harm.

     Training workers is part of an EAP. Drills are important. Maintenance is also part of the EAP. Emergency medical kits and communication tools must be kept up to date.

     And when making an EAP, be sure to make prior accommodation for any employees who will require assistance in taking refuge or exiting a building. EAP training should be part of training for new hires. 

     The better employees understand their roles in an emergency, the more likely they are to assume responsibilities, engage, and remain calm. In any emergency—from a physical security threat to a natural disaster—level-headedness is necessary to do what can be done to keep people safe.