Three Key Considerations for Building Threat Assessments
Three-quarters of executives are planning to increase spending across data analytics, process automation, and technology to help them detect and monitor threats, according to PwC’s 2022 Global Risk Survey.
A comprehensive threat assessment can help businesses identify vulnerabilities in their security before an incursion takes place that could potentially harm people, property, or operations. A threat assessment evaluates the adequacy of existing security technologies such as video, access control, or intrusion detection systems.
To create a dependable and secure system for your building and its occupants, consider taking the following three steps: audit your security systems, find the right people to effectively implement new technologies, and give occupants more insight into their building’s security systems.
Step 1: Audit your Security Systems
A thorough audit is essential to understand a building’s current security technologies, how they’re being used and which of them may need to be replaced or updated. To conduct a full 360-degree assessment, it may be helpful for the security team to bring together the building manager and someone who uses the building regularly—such as an HR manager or occupant who observes people’s behavior within the building—to learn from each other about how they typically interact with the building and common security issues.
Additionally, independent assessments are critical in making sure all risks are being mitigated. The assessment or review should come from a building’s cybersecurity team, as well as through third party testing—this collaboration should be a partnership.
As you approach each task, note that many current security systems are based on older technologies, when most industry standards were first established. It’s important to familiarize yourself with today’s standards, such as ISA99, Industrial Automation and Control Systems Security; the European Union’s General Data Protection Regulation; or the Building Security in Maturity Model before conducting the audit to understand more accurately what’s needed.
Step 2: Find the Right People to Effectively Implement Technologies
Building owners and operators understand that updating to the latest technologies can be costly; however, it’s important to weigh the risks if you don’t make proper updates to determine the true ROI. Assessing each building’s systems may require a different threat expertise.
To create the optimum security system for your building, facility managers must gather the right teams together and trust and collaborate with them to fully evaluate potential threats. For cybersecurity threats specifically, facility managers should create a team with people familiar with IT/cybersecurity technology as well as those familiar with the physical building.
Step 3: Give people more insight into their building’s security
Many organizations miss the mark when it comes to communicating the right level of information regarding security policies to building occupants—how they operate and what they’re intended to protect. For example, occupants should know that holding the door open for someone, while well-intentioned, can welcome an intruder into the building.
In fact, many security incidents occur from occupants’ mistakes, such as propping doors open or using access cards in the wrong locations, which can notify the security team of a potential threat but instead be an inefficient use of time for the security team because they have to investigate the alert.
Facility managers must gather the right teams together and trust and collaborate with them to fully evaluate potential threats.
When it comes to cybersecurity, many threats are stopped by robust cyber controls that prevent individuals or organizations from penetrating a company’s infrastructure. For example, Denial-of-Service (DoS) attacks, ransomware, or phishing all rely on an external threat making it through the digital wall and extracting data.
Many cybersecurity teams focus their efforts on stopping threats at that barrier, or firewall, to keep the company safe. However, the majority of high-risk threats assume some level of access. An attacker may have access to a computer within a company’s network, or can access a computer with administrative privileges. It’s not just about who has the best virus anymore. It’s about the keyboard: where is it, how is it connected, and who can type on it?
Threat assessment is important to fully evaluate potential harm to people and property, determine the level of risk these elements are exposed to, and recommend the appropriate level of protection to decision-makers.
When analyzing potential threat exposure, building owners and operators should first align on a strategy to minimize potential incursions, comply with current regulations, and implement 24/7 threat monitoring and reporting. With today’s business climate and the types of threats constantly evolving, having real-time insight into threats can tangibly move the needle in improving a company’s overall reputation and outlook.
Greg Tomasko is the applications engineer leader at Honeywell Security.
© Greg Tomasko