Why is physical security important for information protection?


Information security is focused on keeping your data and information safe from theft, corruption or distortion. In our digital world, where cyber criminals can grind a business to a halt with an email, it is logical to focus on digital barriers, such as firewalls and two-factor authentication.

But digital threats are not the only ones that pose a risk to your information.

Physical attacks can be just as damaging. Indeed, according to 2020’s Cost of a Data Breach Report published by IBM, 10% of malicious breaches recorded in the study were the result of a physical security compromise, costing an average of $4.36 million. It is for this reason that information security management systems, such as ISO 27001, dedicate their risk controls to both digital and physical security.

Physical security doesn’t just pose a risk to large businesses either. It is also a weakness that is particularly easy to exploit in smaller organisations, as they often have less money to invest in physical protection and fewer personnel who can be dedicated to security.

The new working models of hybrid working, or permanent home working, have also made physical security an increased issue for more businesses. Home workspaces are likely to be significantly less secure than an office or other workplace, making it easier for criminals to gain access to devices. The travel and transportation of these devices to and from the workplace also opens up more opportunities for those with malicious intent.

With this in mind, let’s take a closer look at the risks posed by physical insecurity and what organisations can do to reduce them.

What’s at risk of physical attack?

Every organisation has physical assets or facilities that can give criminals access to your information. This includes:

  • Laptops
  • Desktops
  • Mobile phones
  • Removeable media such as USBs
  • Paperwork
  • Server rooms
  • Delivery/unloading areas

Everything in this list is vulnerable should the wrong person gain access. For instance, if your server room is accessed, malware could be directly uploaded or remote access set up. Alternatively, hard drives could be damaged to cause data loss.

Gaining access to this equipment or facilities can be done in a number of ways.

For instance, a criminal could gain access via open delivery areas or by tailgating your other employees. This is where a criminal gets into the building by approaching your staff as they are about to enter. Equipment can also be stolen or lost while an employee is travelling, something that will grow as a risk as more staff return to work on a hybrid basis.

Offices that do not operate a clean desk policy also make it easier for information to be stolen by an opportunist. Access to sensitive information can also be gained if a criminal is able to enter the facilities in which paperwork or other equipment is shredded or disposed of.

Finally, it may not necessarily be a criminal who damages your equipment and facilities. Fires and flooding can also severely damage your assets and create debilitating data loss.

Increasing your physical security

If you want to increase physical security to protect your assets and facilities, you may like to think about the following:

  • Creating a clean desk policy: it is often convenient for workers to leave papers lying on their desks, but if these papers contain sensitive or confidential information, their contents can easily be stolen if someone gains access to them. A clean desk policy ensures that key papers are put away at the end of the day and that papers are shredded once they are no longer being used.
  • Training: your staff are often on the frontline when it comes to deterring a physical attack. Training on social engineering and tailgating is therefore extremely useful. Make sure you also communicate the importance of locking computers when they are not in use.
  • Identify your workers: depending on your budget and security risk, this can be as simple as creating unique ID badges or passcards, or the implementation of biometric scanners. This reduces the likelihood of tailgating, and if passcodes or scanners are used, you can restrict access to sensitive areas such as the server room.
  • Have a robust back-up protocol: back-ups won’t stop information being lost in the first place, but if equipment is damaged or lost, information can then be quickly restored. You may want to think about doing this on a cloud, which cannot be physically damaged.
  • Install cameras and alarms: security cameras can be installed outside vulnerable areas such as outside the server room, reception area and delivery space. Alarms can also be useful, particularly if someone at the company or the police is alerted if the alarm is not switched off.
  • Install gates and doors: server rooms should always be secured with a locked door. The level of protection you put on this door will depend on your budget and risk level. Gated entry into the building can also help to stop tailgating, as will specially designed anti-tailgating doors, which only allow the access of one pass-holding employee at a time.
  • Encryption and access control: ensure that staff encrypt sensitive and confidential material, including that saved on removeable devices and information sent via email. This adds another level of security to your information if access to the device is gained. Ensure that passwords are strong too and that access to sensitive or confidential information is only granted to those who need it.
  • Create a culture of security: integrate physical and digital security into every aspect of your business’ operations with an information management system such as ISO 27001. Designed by global experts, ISO 27001 has 114 risk controls that cover risk from every angle, helping you to create the processes you need to maintain information security, no matter the size of your organisation.


If you would like to learn more about information security, you may like to take a look at our article on the 144 controls of ISO 27001 or watch our on-demand webinar on the same subject.

Sign up to get the latest in your inbox

    • Email address

About the author

  • Name:

    Claire Price

  • Company:

    Content Marketing Executive

  • Bio:

    Claire worked for Citation ISO Certification between 2020 and 2022 writing creative and informative content on ISO certification and consultation to help businesses reach their potential.


QMS International use cookies to provide you with a better site experience, enable features and to help us understand how our website is being used.

By continuing, you consent to the use of cookies in accordance with our Cookie Policy

Allow All Cookies

Allow Strictly Necessary Cookies Only