How Good Is Your Physical Security?

Even well-planned, well-financed, and well-intentioned projects tend to underestimate the importance of physical security.

[Image: a concentric castle, used to illustrate layers of physical security]

We’ve spent years reviewing the cyber and crypto security of our clients’ operations, and one thing that always stands out to us is that even relatively well-planned, well-financed, and well-intentioned projects tend to underestimate the importance of physical security.

The fundamentals of physical security have not changed in some time. Take a look at a picture of a castle and you’ll see some familiar concepts: layered security (a flat piece of land across which people can’t advance without being seen, a moat, an outer ring wall, a sally-port, an inner ring wall, another sally-port, a yard, and then internal fortifications) and a Zero-Trust environment in which all who enter are treated as potential adversaries.

Yet we’ve seen crypto projects whose members manually handle key material stored on media inside a woefully inappropriate type of safe, without physical security, without basic segregation of duties…

Don’t Wing It With Physical Security

Physical security is a set of disciplines that are developed over time. It takes years, or even decades, to build the experience to know just how to look at something and understand its physical vulnerabilities.

Check Your Assumptions – Then, Check Them Again

How would your current physical security regime stand up? We’ve done physical security assessments in Class A office buildings in large cities. First, we “stole” servers from a financial services company’s server room. Then, while each of us was holding one of the stolen servers we intended to leave the building with, we stood in the lobby — in plain view of half a dozen building security guards — having an animated conversation. As we left, one security guard held the door open for us.

Don’t just assume your “security guards” know what they’re doing. Having guards as security theater does play a role — you just need to understand what that role is and account for it in your physical security plan. A plan that counted on those guys to protect those servers would fail.

Similarly, consider your security gear. Your alarms, your safes … if you don’t know the TL rating of your safe — or if you bought your safe on Amazon — you probably don’t have a great safe.

Got a metal door? Have you tested the frame? Are the walls that door guards similarly reinforced, or are they sheetrock over studs? What about the floor below, and the drop ceiling above the door? People trying to enter seek the path of least resistance. Question everything.

Use a Checklist

Professionals begin to assess a space well before they try to break in. Before you even start looking at the strength of your walls, doors, floors, windows, and locks, take a look at your physical location, and answer some really general questions:

  • Is this urban, suburban, rural?
  • What is the lighting like?
  • Have you got foliage, landscaping, or other buildings like sheds?
  • What is the access like?
    • For you
    • For visitors
    • To your place
    • To the highway?
  • What are the local Police, Fire, EMT, private security services?
    • What’s their response time?
    • Do you know them? Do they know you?
  • Telephone/Internet services
    • How do you connect?
    • Wired/wireless?
    • What’s the cellular service quality?
  • Electricity services

Then, use similar checklists for each area of the building you’re assessing.

At Evertas, every member of our Professional Services Physical Security team has decades of experience protecting people (including US presidents, senators, representatives and other dignitaries) and property, with more than a decade of safeguarding more than $10bn of cryptocurrency. Recent engagements include protective details and physical security assessment for ultra-high net worth individuals and their families, in and around the cryptoasset space.

To talk to us about starting a physical security risk assessment, use the contact form on this page.