This case study looks at the possible risks of allowing unauthorised personnel to access restricted areas and failing to follow an agency’s physical security plan and procedures.

Themes covered include:

  • requesting proof of authorisation from unverified personnel
  • evaluating the risk of frequent visitors
  • securing building entry and exit points
  • adhering to an agency’s physical security plan and procedures.

Scenario – what happened

Andrew is a disgruntled contractor formerly employed by a large government agency. 

Andrew decides equipment and tools are owed to him for what he perceives to be mistreatment by his former employer. 

He decides to go to the agency and personally retrieve what he believes he is owed.

He enters the agency’s reception in work overalls and is let through the access-controlled door by the receptionist, despite not having an ID or access card. 

Entry to the building by contractors is not uncommon in this agency, with dozens of contractors entering and exiting the building daily. 

Once inside, Andrew walks, unchecked, through two access-controlled doors. He simply asks employees walking by to let him through the doors using their access cards and they do.

At no point does anyone request validation of his identity or ask him why he needs to access the restricted areas. 

Before long, Andrew has found the equipment and tools he is looking for, takes them and leaves the building through an unsecured basement exit. Some of the equipment and tools he has taken store protectively marked information.

Lessons learned – what should have happened

Agency staff made several important security errors in this scenario.

They should have:

  • requested proof of authorisation from Andrew

Agencies should have physical barriers between zones to prevent unauthorised access. It should not be possible to access the main office area from a public space (for example, reception) without authorisation.

  • evaluated the risk of frequent visitors

Agencies should evaluate the different risks to their facilities. In the above example, the high volume of external contractors and visitors entering daily should have resulted in tighter controls to prevent unauthorised access.

If visitors are not escorted, then the access control system should validate their identities using authentication measures such as keys and ID cards, PINs or access codes, and biometrics.

  • secured building entry and exit points

Agencies should ensure all building entry and exit points are secured to prevent unauthorised access.

  • adhered to the agency’s physical security plan and procedures

Agencies must implement the correct physical security plans, procedures and processes, but if personnel do not adhere to them they become ineffective.

Agencies are responsible for creating and fostering an ongoing security culture in which both security and non-security staff question suspicious activity, request proof of valid identification and, where relevant, ask to see the appropriate credentials.

Agencies must develop ongoing security awareness methods to ensure that all staff understand and comply with protective security regulations.
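To make the lessons on zone barriers, visitor authentication and secured exits concrete, the following added example (not part of the original case study) models a simple zone-based access policy and replays Andrew's walk through it, showing the control that should have stopped him at each door. The zone names, the factors required per zone, the people and the door layout are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Minimum factors per zone are assumed policy values, not taken from the case study.
REQUIRED_FACTORS = {"public": set(), "office": {"card"}, "restricted": {"card", "pin"}}

@dataclass
class Person:
    name: str
    active: bool = False                       # current staff/contractor status
    factors: set = field(default_factory=set)  # credentials the person can present
    escorted: bool = False                     # registered visitor under escort

@dataclass
class Door:
    dst: str                # zone the door leads into
    monitored: bool = True  # alarmed and logged; an unmonitored exit is a finding

def has_factors(p: Person, zone: str) -> bool:
    return p.active and REQUIRED_FACTORS[zone] <= p.factors

def check_door(door: Door, person: Person, opened_by: Optional[Person] = None):
    """Return (allowed, reason); opened_by is whoever's credential operated the door."""
    if not door.monitored:
        return False, "unmonitored door: every entry and exit point must be secured"
    if opened_by is not None and opened_by is not person:
        if person.escorted and has_factors(opened_by, door.dst):
            return True, f"escorted by {opened_by.name}"
        return False, f"door opened on {opened_by.name}'s credential: tailgating"
    if door.dst == "public":
        return True, "exit via monitored door"
    if not person.active:
        return False, "no valid credential (absent or revoked)"
    missing = REQUIRED_FACTORS[door.dst] - person.factors
    if missing:
        return False, f"missing authentication factors: {sorted(missing)}"
    return True, "authorised"

def walk(doors, person, openers=None):
    """Replay each door on a path; return (door index, reason) for every denial."""
    openers = openers or {}
    return [(i, r) for i, d in enumerate(doors)
            for ok, r in [check_door(d, person, openers.get(i))] if not ok]

# Constructed replay of the scenario: reception door, two internal doors, basement exit.
PATH = [Door("office"), Door("restricted"), Door("restricted"), Door("public", monitored=False)]
RECEPTIONIST = Person("receptionist", active=True, factors={"card"})
EMPLOYEE = Person("employee", active=True, factors={"card", "pin"})
ANDREW = Person("Andrew")  # former contractor: no active credential
ANDREW_DENIALS = walk(PATH, ANDREW, {0: RECEPTIONIST, 1: EMPLOYEE, 2: EMPLOYEE})
```

Every door on Andrew's path produces a denial under this policy: the three doors opened on someone else's card are flagged as tailgating, and the basement exit is flagged because it is unmonitored.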