Enhancing your cyber defence through a physical security assessment

Physical Security Assessments can be viewed as a penetration test against the physical infrastructure of an organisation. Instead of assessing computer networks and services, buildings and physical locations are assessed.

During this type of assessment, the overall physical security of a building's location, its facilities and its access controls are in scope. Physical security is often overlooked, yet the consequences of a physical breach can have the same impact as a computer breach.

A common occurrence during a physical breach is an unauthorised person walking into a restricted area, gaining access to sensitive systems and information, and walking out of the area without being stopped.

Sometimes these individuals manage to gain access to server rooms, install remote access devices in the internal network infrastructure or even walk out with storage media containing confidential information.

Companies tend to have a number of security controls and mechanisms in place to detect and prevent access by unauthorised third parties. Common effective security measures include access control systems, CCTV cameras, security guards, badges for authorised personnel, keypads on doors and alarmed doors.

During a Physical Security Assessment, all of the aforementioned security controls are assessed, their effectiveness is tested and their overall performance is evaluated. Assessments can be categorised as non-invasive or invasive, depending on the tasks agreed.

  • Most of the time, Physical Security Assessments are non-invasive and involve a walkthrough of the client's premises accompanied by the staff responsible for the physical security of the establishment. During this non-invasive assessment the aforementioned security controls are evaluated and any potential security issues are pointed out.
  • In the case of an invasive Physical Security Assessment, a security consultant attempts to "break in" to the physical location of the target in scope. They do this by identifying a way to infiltrate the computer network, gain access to sensitive information and, if it is part of the assessment, leave while remaining unnoticed. This type of assessment involves several stages. Publicly available information is gathered about the target beforehand; information found in public records, satellite images and social networks is only the starting point. This reconnaissance phase includes considering a number of plausible scenarios for gaining access to the target's premises, taking a combined approach to logical and physical security.

Social Engineering is a key element of this type of assessment, as it is often used to gain access to the premises and to sensitive information. Depending on what has been agreed beforehand with the client, the security consultant follows different methods and tactics and takes the necessary steps in order to be successful.

Undoubtedly, the security consultant will need to be familiar with a number of physical security controls, have experience with Social Engineering tactics and, last but not least, have a good understanding of the latest technologies surrounding these types of assessments.

Spending a significant amount of money on physical security controls cannot ensure their effectiveness if they are not tested appropriately, preferably on an annual basis. It is not uncommon to find controls in place that can be easily evaded, misconfigured systems that can be bypassed and alternative access routes where security has not been implemented correctly.

Security is an ongoing process, and a recurring Physical Security Assessment should take into consideration the latest technological advances capable of bypassing the existing controls in place.

Last but not least, the use of the Cloud for storing data does not take the Physical Assessment fully out of scope, especially if the physical infrastructure resides in a data centre which can be visited by anyone. Data theft is still possible if the security controls in the data centre are not properly implemented or not followed strictly to the letter.

Consequently, assessing the accessibility and security of the servers in this shared physical environment should also be considered in scope.

Corporate espionage, untrusted third parties, malicious insiders, human error and security weaknesses due to a lack of physical security awareness all expose the physical infrastructure to a number of threats. The physical security of data should always be considered a critical aspect of every infrastructure, and most importantly when it comes to data security.

When it comes to assessing and better safeguarding the physical security of data and critical information, Sysnet's Physical Security Assessments are invaluable.

Sysnet Global Solutions provides a complete range of information security consultancy and assurance services, with a special focus on the various Payment Card Industry (PCI) standards. We use pragmatic, risk-based solutions to help acquirers, independent sales organisations (ISOs), global financial institutions, payment service providers and merchants across all industries achieve and maintain their compliance. To learn more about our Consulting solutions or for more information about our services, please email sales@sysnetgs.com.
