How Secure Is Your Physical Office Space?

Data and IT Security goes well beyond cyberspace. The security of your physical office space may also be at risk. A successful physical breach by an outsider could produce unauthorized access to packages, equipment, documents, as well as threats of theft and employee safety.

AAFCPAs has outlined for your considerations some best practice recommendations to help secure your organization’s physical location(s).


Piggybacking, or the close following of an employee through company entrances, is a risk to physical office spaces during business hours. Employees often allow visitors to roam the space without supervision, assuming that they are a new employee or there for another approved purpose, such as building maintenance.

Once intruders gain discrete access to your office, they could steal equipment or install devices on your network, which would then allow them to access your systems remotely after the fact.
Best Practices for Redeucing IT & Cyber Risks - eBook

RFID Badge Cloning

Employees should always keep their badges with them, and should shield them when in small spaces, such as elevators. Shielding will make it more difficult for intruders to clone badges. RFID badge cloning can be achieved from anywhere between a few inches and several feet away. Badges may be shielded using RFID blocking wallets or aluminum foil, but these will only shield some badges.  For more comprehensive protection, AAFCPAs recommends the use of radio frequency shielding bags, which block cell signals, Wi-Fi, satellite, and Bluetooth frequencies.

Parking Lots

AAFCPAs advises clients to evaluate risks posed by view obstructions, such as overgrown shrubs or poor exterior lighting.

Building Entrances

Clients are urged to ensure that all doors and windows have working locks that are always secured outside of business hours—and during business hours if they provide access to restricted areas. This includes securing windows above the ground floor, which may be breached by someone with a ladder, a tree, or other means of elevation.

AAFCPAs advises clients to assess which areas are secure. For example, the doors to the reception area or conference rooms may not require badge access or other security measures. These areas are not secured from intruders.

What Are Countermeasures/Prevention Techniques?

In order to lessen the odds of a physical breach for your network and increase the environmental security for your employees, AAFCPAs recommends the following internal and external countermeasures.

Physical Security Assessment

AAFCPAs’ IT & cyber security team can assess the physical security of your organization based on common, potential external and internal vulnerabilities. Once the assessment is complete, the team will provide photos and other documentation with clear suggestions for improvement on the inside and outside of the building. Physical breach attempts are part of the physical security assessment. These attempts will be made by incognito members of AAFCPAs’ security team.

In addition to assessing vulnerable points of entry, the attempted breach will put your organization’s existing security measures and employee awareness to the test. Strategies used to gain physical access may include: piggybacking or shuffling in discretely behind an authorized employee; cloning employee badges; and breaching secondary (e.g. service) entrances without being observed.

If a physical breach is successful, our security experts will then further evaluate the availability of sensitive data and the trust levels of employees. This may include searching for: unattended and unlocked computers; monitors in public areas with sensitive information displayed; physical network jacks left unprotected; and/or documents left in a printer, on/in desks, or in unsecured employee mailboxes.

Employee Education and Vigilance

Regardless of the many safety measures in place, employees may still allow for cracks in your physical security shield. AAFCPAs recommends clients conduct annual employee education programs to ensure your team remains vigilant. Some best practices include:

  • Clean Desk Policy – Employees should remain vigilant about what is accessible/visible on their desk, such as client information, account passwords, or other sensitive data.
  • Locked Workstations – Employees should be expected and reminded to lock their computers/workstations when they leave their desks.
  • See something, say something – Employee should be encouraged to greet all unfamiliar faces and offer assistance, as well as ask why they are there. This gives employees an opportunity to introduce themselves to a colleague they may not have met. As an additional precaution, AAFCPAs suggests that management implement photo IDs for employees and badges for all visitors.

Your best line of defense in protecting your organization from physical intrusions is regular security assessments and continued employee education. AAFCPAs advises clients to remain vigilant, assess your security risks regularly, and conduct annual physical security assessments.

To schedule a cybersecurity assessment, or for specific advice on how to best protect your organization against the exploitation of physical vulnerabilities, please contact James Jumes at 774.512.4062,; Mr. Anderson at; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting.  James developed a unique methodology to delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams to review SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Mr Anderson - Ethical Security Hacker
Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development & implementation of security-focused audit and control programs.   He is highly sought-after for his expertise in: security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and extensive experience with internal controls evaluation, COSO, COBIT, ITIL, ITGCC, GLBA audits, and ISO, SOX 404 compliance requirements, including all phases of planning, evaluation, documentation, testing and remediation.