A R T I C L E —

Office Building Security

by Ralph Witherspoon, CPP, CSC

There are more than one million office buildings in the United States, ranging from small one-story buildings, to low-rise office parks, to towering skyscrapers. Increasingly, more and more Americans spend a significant part of their lives working in such buildings. And businesses increasingly house their most important assets — their employees and their sensitive printed and electronic information — in such buildings.

However, just like bank robbers who rob banks because that is where the money is, many criminals go to office buildings to steal, assault, rob, rape and spy because that is where their potential victims — companies or individuals — are located.

This brief article will provide the reader with guidance on some basic issues concerning securing office buildings in America today. It should not be relied on as the sole basis for a complete security plan, and does not contain legal advice. Readers should consult their attorney or security professional for advice about their specific situation.

How Likely a Target is Your Building?

Where you are located and how attractive a target you are perceived to be by criminals and even terrorists will, in large part, determine how likely you are to actually be targeted. And how potential criminals and attackers perceive your building depends, in part, on their assessment of their potential "gain" versus the visible security measures you have. In other words, what is their likelihood of success versus their risk of going to jail? Often an apparently "lucrative" building that is well-protected will be by-passed in favor of the less well-secured building, which may be viewed as "easy."

In a commercial building, security risks come from both outsiders and building and tenant employees, and may include murder, robbery, rape, assault, theft, fraud, commercial espionage, arson, vandalism, bomb threats, workplace violence and (displaced) domestic violence, plus sabotage against the building owner or a tenant, to name but a few. The heavy concentration of people and property, coupled increasingly with "open" floor plans, makes modern office buildings susceptible to these type threats. Plus, the always-present risks of fire, explosion, and natural disasters have to be considered in building design, construction or rehab, and security program development.

Architects, contractors and management responsible for designing or implementing security in any commercial building should first identify the assets (including people) to be protected, along with the likely threats to the facility. For example, in a stand-alone fast food facility, the threat of an armed robbery may be high; it would be less, however, in a two-story office building housing doctors (and possibly drugs); and even less in small office building housing mainly accountants and similar "low-risk" tenants. A survey of all present or potential tenants should be made to ascertain what type of business each is or will be conducting; what significant business assets are present; and which businesses, if any, may constitute an increased risk to both the building and specific tenants from criminals, political activists, etc. A single high-end jewelry store can significantly increase risks. If not yet built, the developer should have a good idea of the type of tenants it hopes to attract.

The building threat assessment should include a review of any known past crimes in the building (if it is built and operating), along with an evaluation of the type and rates of crime in nearby office buildings and in the immediate area. Local law enforcement will usually provide area data. In a dense "downtown" area, several blocks in each direction should be evaluated. In suburban or exurban areas, a 1,000-foot to one-mile radius around the building may be used.

There is, unfortunately, no "cookie-cutter" plan that will secure each and every type of office building. Some security measures can be designed into the building plans and installed during construction or renovation; others will need to be developed, then implemented or installed after tenants have been identified and operations begun. Developers and management of each building will have to identify their specific security needs, starting by conducting a risk assessment.

Security Risk Assessment

A security risk assessment (an exhaustive examination of the existing building and any surrounding property including a review of the building plans and any security processes, policies and procedures) should be conducted. Local laws and codes pertaining to security measures, fire life-safety codes, and building evacuation requirements should also be reviewed. Observations of the building site should be made at various hours of the day and night and also on weekends to determine "customary" activities and traffic patterns. Based on the identified threats, plus any identified gaps or shortcomings in security (vulnerabilities), developer/owner/management can start to develop an overall security plan, including cost-effective counter-measures.

Where management does not have qualified expertise on staff or such staff is not readily available to conduct a security survey due to other commitments, an independent, non-product affiliated security consultant should be retained to assist.

Crime Prevention Through Environmental Design

Many security professionals advocate the use of Crime Prevention Through Environmental Design (CEPTED) principle to reduce crime risks. Multiple studies suggest that most criminals select their targets using a rational (to them) decision-making process that is influenced largely by the criminal's perception of target availability and vulnerability. Most criminals want an "easy" target, and don't want to be identified committing their crime. Accordingly, CEPTD principles are based in part on:

Natural surveillance — reducing "blind spots" and other measures to increase the ability of occupants and casual observers (police on the outside and legitimate visitors inside) to see and monitor persons and activities. This includes sufficient numbers and size windows for visibility in and out, along with low shrubs and high tree canopies so as not to obstruct visibility;
Territorial reinforcement — establishing some sense of "psychological ownership" and responsibility among building tenants and employees so as to increase their vigilance, and the likelihood that they will defend "their" property against incursion by challenging intruders or reporting suspicious acts;
Natural access control — using doors, walls, shrubbery and other natural or manmade obstacles to direct vehicle and pedestrian traffic to limited numbers of controlled access points. Isolated or "risk" areas such as loading or delivery docks should receive special attention, including increased lighting, locking, and observation (patrol, alarm, or when a building security staff is present, closed circuit television (CCTV) — all to deter or prevent unauthorized access to the building while monitoring activities; and
Maintenance and management — owners/operators taking steps to ensure that the building looks well cared-for and crime-free in such areas as lighting, paint, signage and the prompt repair of broken or defaced items. This sends a message to criminals, and others, that someone cares and is "looking out" for and responsible for the building.

Parking and Adjacent Spaces

Special attention should be given to any underground, adjacent, or attached parking spaces, surface lots or garages. These are frequent targets of criminals committing theft from and of automobiles, plus robbery, rape, and car-jacking (all sources of lawsuits against building developers, owners and operators). Good lighting will deter many criminals. See related article: Parking Lot and Garage Security.

Access Control

Because most security incidents occur inside a building, special attention should be given to controlling building access. While tenants and visitors require access, freedom of access to buildings and particular offices in them is also very important to criminals. The nature and level of access control (along with visible security measures such as CCTV cameras in office building lobbies, hallways and garages) also establish the building's security culture or "image," which is important in deterring some criminals.

In cases of small office buildings, management frequently leaves the doors open for tenants and visitors. If the risks are relatively low, this may be acceptable during the office-day. Locks on all exterior doors that are closed and locked at night should always be of high-security commercial grade, with their exterior hinges "pinned" or welded to prevent removal. Because the perimeter access points to the building are not well controlled, interior doors to individual offices should also be of high security materials and locking devices. Don't forget the frames in which the doors are set, as the doors are no stronger than their weakest part.

As an alternative in buildings with only a few tenant employees, general building access might be controlled with each employee having a key, or a card-key operating a simple front and back door electronic access system. Visitors and delivery persons would have to use a building directory intercom to seek admittance. Depending on the system, tenants would then remotely "buzz" visitors in (convenient, but not very secure), or be required to physically go to the lobby or entry door to admit visitors.

Where stricter access control is necessary, buildings might use a receptionist or security officer (proprietary or contract guard company) to screen all visitors and employees. Where there are more than 75 employees or there is high turnover in employees, then use of a building or tenant issued photo ID card for visual screening is recommended. An alternative, especially in larger buildings or those with higher risk, is use of an electronic card access control system by all tenants. When card access systems are used, employees/tenants can be processed automatically through one or more access-lines, while visitors can be directed to a special line for screening and bag search (if desired or required). Temporary (time expiring) badges could be issued to visitors who have been "approved" by tenants, or for access to "public" offices.

Note that most mid to large office buildings (five or more stories) will require a combination of technology and manpower to adequately address their security needs. Systems and hardware alone will not accomplish the entire task, and neither do guards. Integrating both into a comprehensive security plan is frequently required.

Special attention should be given in all buildings to "common areas" such as lobbies and hallways. Because they are often used to facilitate thefts or sexual assaults, both men and women's restrooms should have lockable doors requiring key access.

Attacking the Building

Malicious vandalism and major damage by disgruntled building or tenant employees might be directed against the building itself, rather than directly against the tenants or their property. Management should secure access to the building ventilation system and electrical and telephone rooms, including any access points on the individual floors. Accessible utilities (water, power and gas) on the property but outside the building should also be secured. Openings permitting access to the building from the roof should be secured against entry from the outside if the roof is accessible from nearby (within 15 feet) buildings or trees.

Emergency Planning

Every office building should have an emergency plan that mitigates the impact of any security breach or other disaster. Special attention should be given to developing and practicing building evacuation plans. While evacuation drills for fire and bomb threats are inconvenient, they are critical to life-safety and should be performed at least once each year. Building tenants and employees are constantly changing. They are less likely to panic in an emergency if they have gained confidence by practicing evacuations and know what to do. And lives will be saved!

Periodic Review

Finally, whatever security plan is developed and implemented, it should be periodically reviewed to ensure that it is in fact operating the way it was originally designed by the developer, architect and operator, and that it continues to adequately address the changing threats to the building and its tenants. If management does not have the in-house capability to do so, a non-product affiliated security consultant should be retained to assist with the security review or audit, and to provide an independent, un-biased viewpoint.

Today it is not enough just to be prepared for office building emergencies. In the wake of September 11th, building tenants, employees and visitors are seeking a sense of order and predictability in their workplace and security against criminals and other controllable threats. This requires a comprehensive and continuous approach to security by building developers and management, from the design phase through daily operation.

Disclaimer:

This article is based on generally accepted security principles, and on data gathered from what are believed to be reliable sources. This article is written for general information purposes only and is not intended to be, and should not be used as, a primary source for making security decisions. Each situation is or can be unique. The author is not an attorney, is not engaged in the practice of law, and is not rendering legal advice. Readers requiring advice about specific security problems or concerns should consult directly with a security professional. The author of this article shall have no liability to any person or entity with respect to any loss, liability, or damage alleged to have been caused by the use or application of any information in this article, nor information contained on this or any linked or related web site.