One of our clients spends enormous sums on IT network security.  But recent thefts have raised concerns about physical security – particularly since this organization is in the business of safeguarding client information assets in facilities in every U.S. state. “We are thinking about conducting a physical security attack and penetration test of designated facilities,” she said.  As a business leader, not a security executive, she was not extensively familiar with these tactics.

One Component in an Integrated Approach to Security Risk Assessment

I explained that physical security penetration tests help you validate adherence to security policies, practices and protocols – and can provide an effective window into prioritizing the security spend and identifying the most critical, tangible and exploitable security threats.  But I cautioned her that a penetration test is only one way to identify system failures that risk security breakdowns – and, in order to provide real value, should be undertaken from a strategic perspective in the context of a wider approach to risk, threat and vulnerability assessment.

Typical Outcomes and Benefits

“What will this test reveal to us?” she wanted to know.  I pointed out that following through on the test’s key findings can help her enterprise:

  • Avoid financial losses, disclosure of sensitive proprietary information and violations of regulatory compliance requirements
  • Safeguard people, property, assets, reputation and sensitive proprietary information
  • Eliminate gaps in security once preventative measures are installed or upgraded 

Factors Determining When and How Often to Conduct Testing

“How often should we test?” she asked.  The answer depends on many factors: the nature of intrusion risks; the physical size and location of the facility; the sensitivity of operations, assets and information on site; environmental factors unique to the neighborhood and vicinity; the age and maturity of existing physical security, access control and camera technologies protecting the perimeter and key locations; training and awareness levels among security personnel and non-security employees; monitoring, communications and incident escalation procedures; and other risk security measures.

Methodology and Other Key Issues

Finally, she wanted to know more about our methodology.  I talked about defining the scope during the authorization phase, including whether or not damage to locks and fencing would be in scope; the benefits of a covert, non-destructive approach; daytime and nighttime attacks; piggy-backing techniques; social engineering stratagems; post-action reporting and learning; and translating findings into action and improved security risk management outcomes.

What Are Your Experiences in this Arena?

As a client of these services, what is the most important facet of physical security attack and penetration testing? Got any guidance or words of wisdom to share?


You have an established security program. No one could penetrate it. Right?