Often the same workforce members who are responsible for physical security and safety at organizations are also responsible for information and IT security. And even more often, those responsible for physical security and safety are also a member of the Information and IT Security team, which is usually quite beneficial!
Certainly, physical security is necessary to preserve personal privacy and to safeguard IT components and print information. However, often business leaders, executives and members of the Board may not understand this, and may question a submitted budget which includes personnel, time requirements, and hard dollar costs for related activities and products. It is often very helpful to provide them with a real-life example to justify your requests for the resources you need.
Here are a few points for which executives and managers may not be aware, that should be explained to them, within the context of their own unique business ecosystem.
It is a critical key component is to ensure that the actions triggered by the physical security systems do not put humans and other living things at physical risk. And regarding security and privacy, physical safety/security implementations should not destroy mission critical information, in physical or digital forms, when activated (e.g., using fire alarms that spray water in a room with computers and servers within them) but use a different type of fire suppression substance that will limit damage to objects in the room. Another key component for preserving privacy is to not implement surveillance cameras that are pointing in areas where privacy is expected, such as in locker rooms, restrooms, fitting rooms, etc. Or, perhaps to only activate them during a physical safety emergency, such as a fire, earthquake, etc., to help locate where all people in the facilities are located, while following cybersecurity and privacy policies and procedures to ensure only those with authorized access can view and hear such livestreams and recordings.
Here is an actual situation I experienced at a conference where I was a keynote speaker, as well as where I was a guest for 7 days, a few years ago in Singapore. The event was held within a medical tourism, 5-star hotel’s conference center.
I checked out of the hotel and was sitting in the lobby doing some work before my ride to the airport picked me up; I had 5 hours to wait. Suddenly a deafeningly loud alarm went off, and a recorded announcement came over the loud speaker.
"Ladies and gentlemen, the fire alarm has just been activated. Please do not be alarmed and stand by for further information."
During the announcement huge steel doors were quickly lowering and blocking all the doors preventing exit out of the hotel from the lobby. Similar steel doors also were lowered blocking exit from all other exit points for the hotel.
Think about it; a fire alarm goes off, and steel doors are quickly lowered blocking all exits. Most people started panicking and were visibly, physically distressed! This continued for 30 minutes. The alarm continued, and the recorded loud-speaker announcement continued to intermittently play.
Finally, the alarm stopped, and an actual live human voice came on the loud speaker and announced, while the steel doors were slowly raising (and many people were pushing each other to exit), “Ladies and gentlemen. May I have your attention, please! The fire is under control. There is no longer a danger. Thank you.”
Of course this created more questions, and provided no answers! Why is this a good idea to lock all the inhabitants into a hotel that has just had the fire alarm triggered?
Here are some key points I ultimately learned after questioning various staff members, while still waiting for my ride to pick me up:
-
The building was designed to lower the steel doors for any type of emergency.
-
The hotel staff’s explanation was that they did not want to have anyone entering the building under such circumstances.
-
The fire was in the kitchen, which was adjacent to the lobby. So, I, and all others in the lobby, smelled the smoke the entire time. Which was a bit (to say the least) distressing given there was no way to leave the building.
-
No steel doors, or other barriers, were implemented anywhere else within the building; they were only at the exterior exit points from the hotel building.
-
I was told this was done to 1) not ruin the aesthetics of glamour throughout the hotel facilities, 2) not “unnecessarily alarm” inhabitants by thinking such danger events were event possible that such doors were needed, and 3) save money for the overall cost of the facility. These are the actual reasons they explained to me…after the emergency was over.
-
However, when the alarms went off, everyone in the high-rise hotel had rushed to and crowded around the exits. There may have been injuries during this time.
In this situation, the implementation of the steel security doors only at the exits, which lowered for every type of emergency, and that the hotel workers could not raise due to the way the controls for the steel doors were implemented, created a chaotic situation. People were panicked, pushing, and from not being “alarmed.”
Also, not having the steel doors implemented in additional locations throughout the building, were at odds with the safety of the occupants for other types of physical threats situations.
If the steel doors used in such emergencies had also been implemented throughout the facilities, within specific areas of the building to limit overcrowding in just a few areas, and supported by implemented policies, procedures and other applicable hardware and software components to ensure all humans and other living things were evacuated before the steel doors were deployed in a physical safety situation, and more employees given the capabilities to open the steel doors, when necessary such as for a fire, the building designs and physical systems, as well as procedures, would have been significantly more complementary.
Many more lessons were learned. This is a perfect case study for a course, and an exercise to test disaster recovery plans.