- Gareth Shaw, Founder of Pera Prometheus Consulting Ltd
Key Takeaway Points
- Physical security remains critical, even with the spotlight on cyber threats, as both are deeply interconnected
- The National Protective Security Authority (NPSA) provides essential guidance to help businesses tackle modern physical security challenges.
- Utilising a security framework and guidance provided by NPSA can contribute to the overall safeguarding of your business.
- The threat landscape has changed in recent years, and the emergence of the ‘insider threat’ is now a major issue for businesses to consider and deal with.
- Is a certification approach, similar to Defence Cyber Certification (DCC), a way forward for Physical Security?
- Pera Prometheus services can support businesses in aligning with NPSA standards and building a resilient security framework.
Why Does Physical Security Still Matter?
It’s easy to get caught up in the furore around cybersecurity, which, in light of recent media coverage, seems to be at the forefront of everyone’s attention.
However, physical security is just as crucial, and businesses should bear in mind that the two areas are very much intertwined: an intruder who reaches a server room, an unattended workstation or a document store has bypassed every cyber control in front of that asset. Both should be considered together as part of a holistic approach to business resilience, alongside other elements. Physical security is the backbone of keeping businesses, people, and assets safe, from securing office buildings to protecting sensitive equipment and products.
Like cyber security, physical security is a complex area, and it is not within the scope of this blog to cover it in its entirety. Consequently, this blog will focus on key issues and signpost how the National Protective Security Authority (NPSA) offers practical guidance to tackle them. Let’s explore!
What is Physical Security?
Physical security is all about protecting your high-value, tangible assets, such as buildings, equipment, products, information (yes, hard-copy documentation still exists) and people, from physical threats such as theft, vandalism/sabotage, espionage (state-to-state or commercial) or terrorism.
Adopting an appropriate physical security posture is key to protecting the business from operational and reputational damage in the case of a security breach. The range and types of security equipment which can be deployed is vast, which is why the guidance below starts from risk, not from products.
Who Are the NPSA?
The National Protective Security Authority (NPSA) is the UK’s leading expert on physical and personnel security, operating under MI5’s wing. It was launched in 2023 as the successor to the Centre for the Protection of National Infrastructure (CPNI) with a mission to bolster the UK’s resilience against national security threats like terrorism, espionage, and sabotage. They are the UK government’s ‘go-to’ for helping businesses, public bodies, and critical industries to stay secure.
The NPSA provides free, practical guidance and tools to protect against physical and personnel (insider) threats. From securing buildings and vetting staff to assessing security-culture maturity, their resources are designed to help organisations spot risks and build robust defences. Think of them as a trusted advisor, offering clear, actionable steps to keep your business safe. Their tools are accessible and free, making security achievable for all. Whether you’re a small retailer or a defence contractor, tapping into NPSA’s tools lets your business navigate today’s complex threats with confidence and be as well prepared as possible for unforeseen security incidents.
NPSA’s Guidance
The NPSA offers a clear roadmap to tackle these challenges, focusing on three key areas: Physical Security, Personnel and People Security, and Incident Management.
Physical Security
Physical security is about safeguarding your buildings, equipment, and people. The NPSA’s Physical Security guidance emphasises protecting valuable assets (property, equipment, or people) using multiple, layered controls, such as locks, CCTV cameras, alarms, and guards. Each layer works together, and the idea is that if one layer fails (say, a camera stops working) the remaining layers still keep the asset safe, so the whole system stays resilient even if one part is compromised. The caveat practitioners should keep in mind is that layers are only independent if they do not share the same bypass: a cloned access badge that opens both the front door and the server room is one failure, not two.
Some of the key pieces of NPSA guidance are:
- Protective Security Management Systems (PSeMS): This management framework, designed for use by senior leadership teams and security managers, helps businesses build and manage a holistic security strategy, from risk assessments to staff training.
- Protective Security Risk Management (PSRM): This introduces a model highlighting the key steps in the wider PSRM process for assessing the risks specific to your business and prioritising their mitigation. The output informs the business’s risk register and is an important tool for senior leaders.
- Cyber Assurance of Physical Security Systems (CAPSS): CAPSS is a joint initiative between NPSA and the NCSC. It provides a mechanism by which a business can gain a good level of confidence that the software and hardware security systems it has in place, or is considering purchasing (access control, CCTV, intruder detection and the like), have strong and effective cyber mitigations at the core of their development and operation. This matters because a networked access-control system is itself an IT asset: compromising it compromises every physical layer it controls.
These are some aspects of the physical security guidance provided by the NPSA. Businesses can also conduct physical penetration testing to validate implemented controls and identify gaps in their security.
Physical Penetration Testing
Physical penetration testing is a proactive security assessment where experts like Pera Prometheus simulate real-world attacks to evaluate the effectiveness of a business’s physical security measures, such as locks, alarms, CCTV and access controls. By attempting to bypass these defences, mimicking tactics like tailgating, lock-picking, or exploiting unguarded entries, an assessor identifies vulnerabilities that could be exploited by real-world intruders or malicious actors.
A physical penetration test assesses layered security systems to evidence their effectiveness and to identify where a single failure, or a single technique that defeats several layers at once, would compromise the whole business’s operational safety and security. This process helps businesses strengthen their physical defences, aligns with the NPSA’s PSeMS approach, and builds resilience against physical threats, thereby safeguarding assets, people, and operations.
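The two points made above (layers should keep an asset safe when one of them fails, and a penetration test should find the single failure that would not) can be checked on paper before anyone picks a lock. The following Python is an added illustration written for this post; it is not NPSA material or a Pera Prometheus tool, and the site layout, layer names and bypass techniques in it are constructed for the example. It models an asset behind a chain of layers, each with the techniques that defeat it, and reports which single layer is the only thing standing between a given intruder and the asset, plus any technique that defeats more than one layer (so those layers are not really independent).

```python
"""Layered physical-security model: which single failure opens the path?

Constructed example for this post. LAYERS and ASSET_PATH are a made-up
site: a server room behind a perimeter fence, a staffed reception with
badge-controlled doors, and a locked server-room door.
"""

# Each layer maps to the set of intruder techniques that get through it.
# All layers on ASSET_PATH must be defeated to reach the asset.
LAYERS = {
    "perimeter_fence": {"climb", "cut"},
    "reception_access_control": {"tailgate", "cloned_badge"},
    "server_room_lock": {"pick", "cloned_badge"},
}
ASSET_PATH = ["perimeter_fence", "reception_access_control", "server_room_lock"]


def layer_defeated(layer, toolkit, failed=frozenset()):
    """True if the layer has failed outright (e.g. a broken lock, a camera
    that is switched off) or the intruder's toolkit contains a technique
    that defeats it."""
    return layer in failed or bool(LAYERS[layer] & set(toolkit))


def path_succeeds(path, toolkit, failed=frozenset()):
    """The intruder reaches the asset only if every layer on the path falls."""
    return all(layer_defeated(layer, toolkit, failed) for layer in path)


def layers_holding(path, toolkit):
    """Layers this intruder cannot currently get through."""
    return [layer for layer in path if not layer_defeated(layer, toolkit)]


def single_points_of_failure(path, toolkit):
    """Layers whose failure, on its own, would let this intruder through.

    If the path is already open there is no single layer holding it, so
    the list is empty; likewise if two or more layers still hold, no single
    failure is enough, which is what 'defence in depth' is meant to give you.
    """
    if path_succeeds(path, toolkit):
        return []
    return [layer for layer in path if path_succeeds(path, toolkit, failed={layer})]


def common_mode_techniques(path):
    """Techniques that defeat more than one layer on the path.

    Such layers fail together, so they count as one layer of depth, not two.
    """
    layers_per_technique = {}
    for layer in path:
        for technique in LAYERS[layer]:
            layers_per_technique.setdefault(technique, set()).add(layer)
    return {t for t, layers in layers_per_technique.items() if len(layers) > 1}


if __name__ == "__main__":
    # A tailgater who can also pick locks: only the fence is holding them.
    print(layers_holding(ASSET_PATH, {"tailgate", "pick"}))
    print(single_points_of_failure(ASSET_PATH, {"tailgate", "pick"}))
    # A fence-climber with nothing else: two layers still hold, no SPOF.
    print(single_points_of_failure(ASSET_PATH, {"climb"}))
    # One cloned badge gets through two layers at once.
    print(common_mode_techniques(ASSET_PATH))
```

The first scenario is the finding a tester would write up: a perimeter fence is the only control standing between a competent tailgater and the server room, so a single cut in the fence (or a gate left open for deliveries) exposes the asset. The common-mode check is the quieter lesson, since two badge-controlled doors look like two layers on a floor plan but fall to one cloned card.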
Personnel and People Security
Personnel and People Security involves the development of a set of clear policies and actions designed to strengthen a business’s security. These policies are for staff to follow and use as part of their normal business operations.
The intention is to reduce the risk of employees or insiders misusing their access to harm the organisation. Done well, it turns personnel (and sometimes the public) into assets rather than liabilities: people who help identify and stop security threats, and who catch or deter external attackers seeking to disrupt or interfere with operational activities. The NPSA’s Personnel and People Security guidance stresses that vetting of employees and contractors should take place as part of protecting against insider threats, and that vetting is a starting point rather than a one-off: access rights, behaviour and circumstances change over the course of employment.
The Assessing Personnel Security Maturity tool helps evaluate the effectiveness of your personnel security programme, policies and procedures, and identifies areas for improvement, so that the organisation develops resilience to insider risk and external threats.
Incident Management
No matter how robust your defences are, incidents can happen. The NPSA’s Incident Management guidance helps businesses prepare for and handle disruptions such as security breaches or terrorist incidents, with the aim of minimising harm to the business and ensuring a swift recovery.
It provides guidance to help businesses develop robust incident management plans, focusing on three distinct phases: preparation (planning and training to anticipate risks), response (acting quickly to manage the incident and protect people and assets), and recovery (restoring normal operations and learning from the event). This includes creating response plans, training staff, exercising those plans, and learning from past incidents to improve operational security resilience.
The Future of Physical Security: Is a Certification Scheme the Answer?
Should the future of physical security involve formal certifications?
Given recent advancements by IASME in the development of the Defence Cyber Certification (DCC), a parallel certification for physical security could significantly enhance standardisation and industry-wide security resilience. It would certainly reduce the cost, in time and effort, of due diligence assessments of the physical security arrangements of another business with which you needed to collaborate.
Pera Prometheus is certainly keeping a watchful eye on this development. Do you think it is a necessary step forward?
Until such a scheme surfaces, businesses should lean on NPSA’s existing tools and frameworks, like PSeMS and PSRM, to build resilience. The path ahead lies in integrating physical and cyber security, training staff, and maintaining the agility to respond to emerging threats in a fast-changing threat landscape.
Where Can Pera Prometheus Add Value?
Navigating the physical security realm and applying NPSA recommendations and best practice can feel overwhelming, especially with complex supply chains and evolving threats.
That’s where Pera Prometheus steps in. Our team specialises in helping businesses align with NPSA guidance, from conducting risk assessments and physical penetration testing to building policies and delivering training. We work with businesses to create a tailored security strategy that protects assets, people, and reputation.
Ready to take your security to the next level? Contact Pera Prometheus for a consultation. Let’s build a safer future together.