Your building in a day

by Mark Rowe

Take a moment and think about it. Not just the people who work for you, but everyone who passes through your doors – cleaners, delivery drivers, contractors, IT support, facilities teams, visitors, temporary staff and suppliers.  How many of them were inside your building? asks Gavin Wilson, Director of Physical Security and Risk at the consultancy, Toro Solutions.

Most organisations cannot answer that with confidence. They know the number is large and growing, but they do not have a clear, real-time picture of who those people actually are, where they are, or whether they should be there at all. That gap between presence and assurance is where physical security quietly begins to fail. 

Risk rarely arrives as something obviously dangerous. It usually looks normal. We are good at spotting someone who clearly does not belong. We are much worse at spotting the person who almost belongs, the one who knows which door to try, who to nod or smile at, and how to move without drawing attention. Familiarity creates trust, and trust is one of the easiest things to exploit in any building. 

Across the UK, nearly 60pc of security professionals say the physical threat environment has changed, and more than 40pc say their biggest challenge is the lack of usable, timely intelligence. At the same time, around three-quarters of large organisations experience at least one cyber breach each year. These trends are not separate. Physical access is now one of the most common ways that digital and operational risk enters an organisation.

What has changed in the way we work 

Most organisations have not suddenly become careless. They are operating in a very different environment. Hybrid working means fewer people are in the same place every day, and mixed-use or shared buildings often provide more accessible environments. Teams are spread across multiple sites and work patterns, and many people no longer know who normally works in their building. At the same time, the number of third-party workers has grown. Cleaners, maintenance teams, IT engineers, catering, security, facilities management, consultants and delivery staff now move through sites that were designed for a much more stable workforce. In practice, this means recognition has become a weak control. If people cannot rely on who looks familiar, then buildings have to rely on who is verified at doors, lifts and secure areas instead. 

 That makes traditional, trust-based security much harder to rely on. If you do not see the same people every day, it becomes difficult to judge who belongs and who is just passing through. 

Buildings themselves have changed too. Shared offices, co-working floors and mixed-use developments mean multiple organisations now use the same entrances, lifts and reception areas. Physical boundaries that used to be obvious are now blurred. Even when access rules exist, the space itself often works against them. Stronger organisations respond by being precise about where their real boundaries are. They decide which doors, floors and rooms matter most, and they put tighter controls and clearer checks there rather than trying to secure everything equally. 

 At the same time, physical spaces now carry far more digital importance than they once did. Server rooms, network cabinets, operations centres and reception desks are no longer just parts of a building. They are gateways to critical systems. Once someone reaches those spaces, many technical controls designed to keep remote attackers out become far easier to bypass.  In practical terms, physical access has become part of the attack surface. 

Why physical security matters more than ever

 Cyber incidents are now a fact of life for large organisations. What is changing is how often there is a physical element behind them. Someone may watch how staff log in, use an unattended device, plug in a USB stick or access an area where sensitive systems are located. 

 Yet physical and cyber risks are still usually managed in separate silos. Different teams, different systems and different reporting lines. That separation creates blind spots. In weaker environments, a suspicious door entry is logged and forgotten. A network alert is handled by IT in isolation. In stronger ones, those two signals are automatically questioned together. 

 What matters now is not just that a badge was used or a door was opened. What matters is whether that behaviour made sense in context. Who it was, where they went, what else was happening at the same time and whether it fitted with normal patterns of activity. When organisations cannot see that full picture, small lapses become big problems. 

What the wider risk picture is telling us 

 Many of the most costly and disruptive incidents do not start loudly. They begin with something ambiguous. A contractor in the wrong place. A door held open. A device accessed without challenge. On their own, these things look minor. Together, they can create the conditions for serious compromise. 

 Even when financial loss is limited, the downstream impact is real. Investigations, audits, client reassurance, compliance reporting and internal reviews all take time and attention away from the business. Better organisations try to reduce this hidden cost by spotting issues early, while they are still small and easy to contain. 

What Toro sees when we look inside organisations

When Toro reviews sites, whether after incidents or during proactive assessments, the pattern is consistent. Controls exist. Passes, cameras, guards, visitor logs and procedures are usually in place. What is missing is connection.

Access data sits in one system. CCTV footage in another. Guard reports somewhere else. IT alerts live in a different world again. No one has a simple way to answer basic questions like who was where, when, and what else was happening at the time. 

People make this worse without meaning to. Staff and contractors do not want to be rude or wrong. If someone looks confident and moves with purpose, they are usually allowed through. A polite challenge feels risky, so doubts are ignored. In organisations with a strong security culture, this behaviour is actively changed. People are trained and supported to challenge courteously and consistently, even when it feels uncomfortable. The rule is simple: if you are not sure, you ask.

Incident response plans add another layer. On paper they are often detailed and sensible. In real life they fall apart when information is incomplete, logs are messy and decision rights are unclear. Resilient organisations test this. They run scenarios, walk through confusion and see where delays and misunderstandings appear before a real incident exposes them. 

What stronger physical security looks like

Resilient organisations do not try to make mistakes impossible. They focus on making mistakes visible.

 They know which entrances, rooms and systems really matter. 

 They apply stronger controls and monitoring to those areas rather than spreading effort thinly everywhere. 

 They correlate physical access, CCTV, guard activity and cyber alerts so unusual behaviour stands out early. 

 They train people to challenge politely but consistently. 

 They test how incidents are handled under real-world pressure. 

 Most importantly, they measure how quickly they can spot and contain a problem, not just whether a policy exists.

How Toro can help

Toro’s physical and converged security reviews look at organisations the way an attacker, insider or opportunist would. They examine how people actually move through buildings, how systems really connect, and where everyday behaviour creates risk. By focusing on how people, processes and spaces operate in practice, not just on paper, these assessments give security leaders clear, practical insight into where their exposure lies and how to reduce it.

What this means for security leaders

If you are responsible for security, risk or operations, the question you need to be asking is whether you can see what is really happening across your environment, and whether you can connect the dots between physical behaviour, cyber signals and people risk quickly enough to act.

Achieving that requires more than technology. It requires shared understanding, joined-up reporting and a culture where people feel able to challenge and escalate without fear of being wrong. Organisations that do this well have fewer blind spots, respond faster and are more resilient in the face of an incident. 
