How “Nice People” Create Critical Physical Security Gaps

What’s the top physical security challenge for corporate offices:

  • Active shooter?
  • Angry protestors?
  • Disgruntled employees?
  • Terrorism?
  • Armed robbery?

No. The number one thing causing gaps in physical security, according to most security and facilities managers: People being too polite.

Office security is regularly hamstrung by workers swiping their keycard and holding the door for colleagues and strangers. 

“This is tailgating,” explains T.J. McComas. McComas heads a group specializing in physical security for the IBI Group, a leading global architecture and engineering (A/E) firm. Also called piggybacking, “[tailgating] seems totally innocuous, but it is a big deal, and it happens everywhere.”

Studies show that up to 60% of all people entering corporate offices do so without showing credentials or checking in. “I’ve seen it happen in government buildings. I’ve seen it happen in small offices. It happens in my office every day—because people are inherently nice. You want to hold the door open for someone because it’s the nice thing to do. As a consequence, it’s very easy to gain entrance to any number of buildings.”

Building security must not just account for physical threats—the high-caliber bullet, speeding van, pipe bomb, riot—but also for these human factors. In most cases, the biggest threat to building security is not a bad guy with a gun: it’s a nice guy holding the door open.  public sector security

A Hundred Ways Around Security Measures

T.J. McComas is an electrical technologist specializing in life safety and auxiliary systems for the IBI Group. He also sits on the board of the Detroit chapter of ASIS International (the American Society for Industrial Security). But his passion for security is far from purely academic:

“We had an active shooter event just up the street from us here about two years ago,” he explains. “Our building went into lockdown. We got an email later that day saying that we’d had a situation, and explaining the policy we had in place for this sort of thing, to protect us. I became really interested in those documents, as well as the security design that went into them. I’m a U.S. Marine Corps veteran, so safety and security have always been part of my mindset, both personally and for those around me. After that event, I looked at the situation, at the plans and protocols property owners and businesses in the immediate area had in place, and I could see a hundred ways around them. I realized that there was a really acute need for A/E firms that take a holistic view that encompasses security.”

Most architects will make a point of talking to facilities managers and doing a site visit. But does that extend to talking to the security chief and security managers? What about the security guards themselves? The people involved in the day-to-day operation and maintenance? The people who sit and work in those secured areas?  

“95% of A/E firms out there go as far as talking to a facilities engineer and doing a site visit,” McComas has found, “but that’s as far as they go.”

Making Security a Core A/E Service

It is very easy for a well-meaning employee to poke a gaping hole in a security system. Likewise, good architects and engineers, when they fully understand the functional needs and security challenges facing the clients, can design a building where the easiest and friendliest path is also the one that channels everyone through the most secure route.

“This isn’t the fault of the A/E firm, per se,” McComas observes. “Physical security has traditionally been handed off to an integrator—which can be a good practice. If something is outside the realm of your experience and training, you should hand it off. That works well with fields like lightning protection design, where the solution is very independent of how the building operates.”

Security is not like lightning protection. It’s nearly impossible to design an efficient, cost-effective security system if you are working in isolation and after the fact.

“That’s why we think it’s time that A/E firms make this a core area of their expertise. Any A/E firm can put a camera where the client wants the camera.” But that assumes the client has correctly defined the threat and determined the best response. In essence, the A/E firm is assuming the client is a security systems design expert—which is highly unlikely.  

“In my experience,” McComas continues, “not many A/E firms have the knowledge and experience to locate that camera appropriately to get the correct quality of video and correct view. More importantly, I find that few have the knowledge and experience to step back and, instead of asking ‘Where would you like this camera?’ ask ‘What is it you want to see?’”

Treating Security Holistically in Architecture and Design

The “atomization” of security—treating every aspect of security and life safety systems design as separate and non-interacting—is rampant throughout architecture and engineering.

“IT security has taken the foreground in the security realm,” McComas notes. “If you type ‘security consultant’ into Google, you’ll have two or three pages of results before you get to the first one that mentions physical security. But the easiest way to gain access to a computer system is physically. If you are physically in front of that computer, there are hundreds of things you can do in a matter of seconds—plug in a USB drive with a pre-loaded Trojan, clip a vampire tap onto a cable, plug in a hardware keylogger—and that network is completely compromised.”

This is where McComas sees bullet resistant and forced-entry/blast-rated materials playing an increasingly important role for architects. This is especially true for those working with commercial clients who have not traditionally thought of themselves as needing bullet resistant security.

“I’d agree with T.J.,” says Jim Richards, CEO of Total Security Solutions, a leading bullet proof design, fabrication, and installation firm. “Our experience is that corporate clients are so focused on cyber security that they are missing the fact that physical security is part of cyber security. We’ve secured data centers, and I can tell you, it isn’t because anyone thinks a guy is going to bust in there and start shooting computers. It’s because they are taking a comprehensive, 360-degree look at their security, and that includes access control and hardened barriers at various points within their facility.”

Design is More than Walls, Windows, and Doors

“IBI is all about intelligent building design,” McComas clarifies. “I see bullet proof barriers and materials becoming more prevalent in the next 10 to 15 years, just with the way the world is currently. And, increasingly, it isn’t going to be limited to what we’ve seen up until now, asset protection—for cash and documents—and protecting people. With the increase in technology and reliance on information, being able to physically protect the information is going to demand a lot more physical barrier systems and hardened rooms or structures to house them.”

But the most important aspect of any secure building design is the human factor.

“People are inherently nice. You want to hold the door open for someone because it’s the nice thing to do. That’s why, at a minimum, you need to have a written, formal policy and training procedure for your employees.”

And that policy cannot be a static document in a drawer. New hires need to be trained what the policy is. Employees need to be regularly reminded that the policy exists. And that policy needs to be enforced daily and reviewed annually.

“It doesn’t have to be rebuilt from the ground up every single year, but it should be looked at. Threats change, issues happen on a daily basis, the world is a constantly evolving place. If your security program hasn’t been updated since 1995, if your physical security program is lacking, or your training isn’t up to snuff for your employees, you’re going to get hit some day.”

Back to Blog