How often does your organization assess your physical risk? Annually? Every six months?
Now, how often do you assess your cyber risk? Probably on an ongoing basis, right?
Cybersecurity experts recommend that risk be formally assessed on at least an annual basis, but due to the fast-evolving tactics used by cyber criminals and the high financial stakes, organizations should monitor cyber risk much more often, ideally continually.
What if I told you physical security should do the same?
Cybersecurity and risk
The average cost of a data breach in 2023 is $4.45 million. The longer a breach goes undetected, the more it will cost, so companies are particularly invested in detecting suspicious activity quickly. More than half of companies surveyed by IBM are planning to increase their cybersecurity spending this year as the result of a breach.
The financial and reputational repercussions of a data breach or attack, as well as data privacy regulations like GDPR mean that many of the teams assessing cybersecurity are constantly scanning for new threats and trying to understand the probability of risks. Many of the cybersecurity tools in the tech stack are specifically developed to assess risk, often in real time or on a continuous basis.
Why aren’t we doing the same thing with physical risk?
Physical risk is just as serious as cyber risk
I’ve heard people say that physical risk is not as serious as cyber risk, but there are plenty of physical risk scenarios on par with the threat of a cyber attack. The prototype of a product you’re developing might be stolen and sold to a competitor. Your CEO might be kidnapped. An active shooter might enter your building.
All of these scenarios come with significant physical, financial, and reputational risk, and can have a huge impact on your company. Also, just as cyber risk evolves, so does physical risk. Certain trends are worth monitoring, as are the changing tools, tactics, and procedures (TTP) of the criminals most likely to target your business.
Why doesn’t the physical security industry analyze risk the way the cybersecurity industry does?
Most physical security experts don’t truly understand risk. They’ve spent their entire careers focused on physical security, but not on risk analysis. There is a huge difference between security and risk.
Physical security focuses on the response to a threat. As the precursor to policing, security has always been reactive. Security officers were employed to respond to threats and protect assets. While risk was assumed, it was never analyzed. This began to change in the 1990s when active shooters started to ramp up, but most physical security experts have not been trained in risk management. In fact, the term “enterprise security risk management” was only coined in the late 2010s.
Risk is concerned with proactively identifying and preventing threats. This means foreseeable threats are analyzed to determine which are most likely. Cybersecurity experts need to understand risk. Unlike physical security experts, cybersecurity professionals can’t see their attacker approaching. For this reason, they analyze foreseeable risk to understand what is most likely.
How often should you assess physical risk?
If you can reasonably imagine something happening, it’s foreseeable. If it’s likely to happen, it’s probable. If you’re ignoring something that can happen because it hasn’t happened at your site before, you’re opening yourself up to risk.
We should take a page from the cybersecurity playbook, and be proactive about risk analysis, and that means evaluating your site’s risk every day. Daily risk assessments may sound like a tall order if you’re used to annual risk assessments, but it’s not — if you’re using digital solutions, your officers can assess risk on their rounds. They’re already on patrol, and can easily use a tablet to assess physical risk by using a checklist and taking photos of potential risks.
How to do daily risk assessments
Circadian Risk’s platform makes it easy to do daily risk assessments. Our mobile app generates automatic reports from the data you capture during your inspection. There’s virtually no writing to do, and you can cut your report time by 80%.
It’s the only solution that lets you:
Create effective, comprehensive reports in record time
Tag every vulnerability, risk, and compliance issue on the premises
Track and assign improvements with a detailed corrective action plan
Analyze risk over time
Circadian Risk can help you keep your clients safe—and more affordably than any other method. Find out more about our solution.