The more involved type of security study, often called a threat vulnerability risk assessment (RVRA), will typically describe the vulnerabilities uncovered and ways to mitigate them, and offer a prioritization so that the organization can fiscally manage its security improvements, according to Sean Ahrens, security practice leader for Aon Global Risk Consulting. He mentions security studies that discovered such potential vulnerabilities as a flood risk to a building, the location of a facility right on an airport's approach path, and the fact that a data center was built over a railroad that might carry industrial chemicals.
Many experts could write a book about the most common security vulnerabilities they tend to see during inspections (and some have). Mitchell says it's always the simple stuff. A facility, he notes, can have an impressive security system that a single employee bypasses in an instant because he lets someone in on his access card. "You can defeat anything if you don't have the behaviors right."
The places in any worksite that statistically attract the most lawsuits are the least glamorous, he says: parking lots and parking garages. And in the event of trouble, the building owner does not have the luxury of saying, "That parking garage is contracted out." Says Mitchell, "The law doesn't care. That is your property. You own it and you're responsible, and when one of the employees gets raped on level two when going home or beaten up by her ex, that's your responsibility."
During security inspections, Doss starts at a facility's outer perimeter then moves inside. "I go to the property line and I'll take a look at it from an attacker's point of view," he says. "I'll start looking at things like a facility's fencing, the lighting."
Lighting is a frequent problem, he says, and a lighting survey may be needed. Lights may be out, or they may be turned off to save energy, or there may not enough lighting or the proper lighting for good video surveillance. "Lighting is security, but it also protects against liability," Doss says. A facility with poor lighting, where someone is robbed or raped as she goes out to her car, can be found negligent and conceivably face a large settlement, he says.
During an inspection, Doss starts working his way toward the building envelope — walls, roof, floors, doors. "Do we have quality doors installed, or are our doors glass? A lot of buildings like the look of glass, but it's often the weakest part of the building envelope — if it's not reinforced or doesn't have a security film installed on it — because you can throw a large rock through it. I'd look at the construction and how difficult it would be to break through."
To demonstrate facility vulnerability, Ahrens says his firm has built a $50 device from plans on the Internet that allows it to get by the majority of access control systems. So what is a facility manager to do? The most cost effective solution to that problem, Ahrens says, is to add a second method of access, a keypad, so that employees need to provide a card as well as punch in a PIN code.
There are decidedly low-tech ways of gaining entrance to virtually any building, he says. "I wait and stay about 18 feet away from a person walking in and then I say, 'Hey, hold the door for me,' and then I'm in. Or I take my (fake) drawings and my hardhat and off I go."
Security Audits Build a Baseline of Knowledge
Common Security Vulnerabilities in Facilities
