To properly secure your workplace, it’s not enough to have top security equipment and enforcement in place. Many companies only focus on prevention measures, using layers of technology as their protective armor.
However, even the best electronic locks, cameras, alarms, and visitor management systems will not be effective if you don’t have a policy in place that guides people towards the right behaviors and responses to workplace security.
One of the most important parts of your security strategy is keeping your people safe. This requires a policy that is integrated not only into the physical workspace but also into the unique culture of your company.
To create a strong security program that integrates both prevention and response, use the 4 P’s: policy, procedure, plan, and practice.
Your policy should embody the core principles of your security program and lay out the mentality your company takes towards security.
This should include any compliance and regulation measures you must follow, such as fire safety requirements. It should also outline any industry-specific regulations. If you’re a tech company, this could be any security protocols you must follow regarding the handling of user information. If you work in the manufacturing industry, this could be worker safety regulations.
Beyond external measures, your policy should include your company’s specific governing security rules and do’s and don’ts. This statement should guide your company’s beliefs and mentality towards security; therefore, it should align with your company’s culture and values.
If providing great customer service is one of your values, emphasize your company’s commitment to keeping clients’ personal data safe through your security policy. If innovation and creativity are your company’s trademark, focus on the need to create a secure work environment for ideas to flourish and grow.
Finally, it’s important to highlight how important your employees’ cooperation is to a successful security program. Everyone plays a role in keeping the workplace safe.
When drafting your policy, make sure to address:
As your policy contains your core security principles, it only needs to be reviewed once a year.
If your policy is what you believe in, your procedure is how you carry it out. This part of your security program should detail exactly how to carry out your security policy on a day-to-day basis, including how to report incidents, access control and visitor policies, and end-of-day checklists.
Procedures should be as detailed as possible, informing everyone how they should respond in a given situation. If someone is expecting a visitor, how do they let security know? What information will they need to provide? Does someone have to be responsible for meeting and signing them in at the door?
These are all questions that, if left unanswered, can easily lead to a security gap.
Make sure to identify who is responsible, when this procedure should be used and the steps that should be followed. For example:
Your access control policy should include
Your visitor policy should include:
Your security procedure should be a living document that is continuously audited to account for the discovery of any new gaps, risks or updates in technology. Make sure to inform your employees and staff when an update has been made.
The best way to remain consistent is to keep a record of the dates on which your procedure was last updated and tested within the document.
Keep in mind, no exceptions can be made, even and especially for the executive level. Making even one exception can lead to a more relaxed response to security procedures. To ensure safety measures are taken seriously, it’s imperative that the executive level not only endorses your security program but also leads by example.
Your plan outlines the steps to take in the event that an incident does occur. Depending on the specific situation and the team or location involved, you may have different contingency plans in place; however, there are two common questions which must be answered:
The time it takes to resolve an incident is directly related to the time it takes to reach the right decision-maker. There should be one point of contact who is charged with taking ownership of your security policy. This means ensuring the plan is being carried out correctly and providing answers to any security questions.
2. If necessary, where should people be relocated to?
In the event that people need to be evacuated to another part of the building or off site to a secure location, it’s essential that everyone knows where they need to be in an emergency.
Having a clear plan and designated authority in place will help to keep the situation calm and under control.
The final step you need to really drive home your policy, procedure and plan is practice. It’s not enough to have your security program written out. When a situation happens, panic can sometimes cloud people’s response and decision-making ability. That’s why physically going through the steps in an unstressful simulation can prepare people for the real thing.
Practicing allows you to:
Develop a training curriculum to familiarize employees and staff with the skills they need to prevent and handle emergencies. Ensure these learnings stay fresh in people’s minds by running security drills on a bi-annual or yearly basis.
Following the 4 P’s will help you create a strong and effective security program. Once this is in place, it’s important to keep communicating regularly with your people about security. Send out advisories and let them know if policy or procedure has changed for any reason. Remind them early and often how vital their participation is in helping keep the company safe.