
Physical Security vs Cyber Security - Why you need both to make it work

Physical security is an important component of the integrity and security posture of any organisation. It is the protection of property, people and physical assets from actions or events that can cause loss or damage.

This article has been written by EMSOU and seeks to promote good cyber security among businesses and the public. If you require any further assistance or guidance please contact the EMSOU Protect Team or your local Force Protect Team.


An organisation could have all the correct firewalls, procedures and technology in place to prevent a cyber-attack, but if someone can just walk in off the street and compromise the devices then these digital precautions could be worthless. What do we need to consider when it comes to physical security? Access Control, Surveillance/monitoring and Testing.

Access Control

Access control can be implemented to restrict access to certain areas to specific personnel. This could range from door access systems, manned receptions, locked rooms and security fences to ensuring cabinets are locked.

When looking to implement Access Control into a property or network, it is important to consider a few points. Is it better to have a very secure perimeter with free movement inside or a less secure perimeter and address each individual area of risk?

  • Which rooms are sensitive or critical to operations? 

  • What controls can be used to protect these locations? 

  • Which areas need the highest level of access control?

With these points we can start to plan out a method of Access Control best suited to the organisation. Take the example of a highly sensitive data storage server. Such a device would need greater security than, say, a cleaning cupboard. For this room we could look at the location of the server room, making it central to the building with no external entry/exit, which reduces the methods of gaining access to it.


What is meant by surveillance? It is the personnel and resources used within the business to monitor activity at real-world locations and facilities.

Examples include notification systems and security patrols. Surveillance is very important for physical security: for prevention, for post-incident recovery and as a deterrent.

CCTV systems are probably the most common form of surveillance and monitoring. They make it possible to record activity across a combination of areas. These images can be used for capturing criminal behaviour, identifying the location of missing assets and identifying suspicious behaviour.

Although surveillance is commonly understood as CCTV, there are other means. Log files on networks can track activity and display events in chronological order. Ensuring logs are enabled within systems can tell you who has carried out certain actions and when. This can be invaluable in recovery and detection after an incident.


Physical security is a preventive step; it can be measured by how well a company can identify, respond to and contain a threat.

Testing is extremely important to this, as it allows for close-to-real-world situations. It allows plans to be adapted if they do not work correctly in practice.

It also gives the opportunity to practise the plans ahead of an actual event. These policies should be practised regularly to minimise the likelihood of mistakes.

One final element of physical security is the organisation's culture. Wearing ID badges when in the building, accompanying visitors in sensitive areas and signing visitors in and out should be accepted as the norm in organisations of size.

Regular reviews and communication of the security steps adopted by the organisation should be encouraged, as should a culture where a stranger in the building is politely challenged.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
