10 Steps to Mitigate State Threats

10 important steps organisations can take to enhance physical security measures to mitigate state threats

Last Updated 17 February 2022

1. Identify your sensitive information and assets 

All organisational assets and systems that are necessary for the delivery of effective operations, or are of specific organisational value (e.g. commercially sensitive information or classified government material), should be identified. These may be: physical items, data stored or transmitted, personnel with specific knowledge/skills, or crowded places requiring protection. Once identified, suitable mitigation methods can be implemented to address the risk of compromise from hostile actors.

Further guidance can be found on the CPNI pages "Protect sensitive information and assets from creation to verified destruction" and "Protective Security Risk Management".

Sensitive information and assets, whatever their form, must be appropriately protected from creation through to verified destruction.

Effective security risk management requires an organisation to have defined governance and oversight of protective security management systems.

2. Review your Access Control measures

Access control systems and locks can physically control and audit access to sensitive information and key assets. These systems should be integrated with physical barriers to detect and delay a variety of attacks. Taking the time to monitor and review access rights will provide an up-to-date picture of who has access to your site, uncover employees or visitors that no longer require access (physical and IT account access rights can then be removed), and help identify potential hostile actors. 

Automatic Access Control Systems (AACS) provide detection and audit to limit who can go where.

3. Ensure a robust visitor entry and exit process

This will help to prevent unauthorised personnel accessing your site, reducing the risk of illicit access to sensitive assets and information. The implementation of a search and screening procedure could also identify unauthorised devices (e.g. recordable digital media), mitigate against potential sabotage activities and prevent the removal of sensitive information (hardcopy and/or device) by visitors and/or employees.

The focus of CPNI’s search and screening guidance is on detecting explosives and weapons threats; however, the principles of designing and delivering search processes can equally be applied to detect items associated with state actor activity. After personnel have passed through any search and screening procedure, those identified as visitors should be escorted where necessary.

Increase awareness relating to fraudulent documentation and improve the vigilance of your security personnel.

Organisations may use search and screening measures to detect specific items and materials entering (or leaving) their buildings and sites.

4. Consider a zoning policy

State actors may have the capability to gather information and intelligence by the deployment of technical equipment or surveillance. This may include the installation of eavesdropping devices and interception of mobile telephones. A zoning policy could be implemented in particularly sensitive areas within a building to exclude mobile technologies. Sensitive conversations may also be restricted to certain zones, ensuring they are not overheard by unauthorised personnel.

Organisations should also consider working on a “need to know basis”, physically separating general teams from those undertaking work of a particularly sensitive nature. A similar model can be adopted when considering the level of access staff and visitors may have to data stored on IT systems.

An open approach to international business and engagement to protect your long-term profitability, reputation, and the UK's national security.

5. Implement a clear desk policy

Implementing something as simple as a clear desk policy can help to secure sensitive information. Ensuring proportionate policies, standards, guidelines and procedures are in place that are understood and consistently enforced can be a simple but effective way to combat the insider threat risk. 

6. Consider obscuration products

Obscuration prevents hostile surveillance into a well-lit building while minimising the obstruction to outward visibility, without the need to block windows or fit opaque shutters.

7. Utilise Tamper Indication products & ensure secure destruction

Tamper indication products can provide physical evidence of unauthorised access to a secure area or object. There are a variety of adhesive and mechanical products available that can be installed to enhance the security of a building, room or container in a variety of scenarios; acting as an overt deterrent and method of detecting access to sensitive information.

Sensitive information should also be destroyed correctly; if not, it could be at risk from insider attack, theft, espionage, and accidental loss. CPNI has produced guidance detailing how the destruction of sensitive items should be undertaken via a secure process.

8. Secure your data when travelling

Organisations should ensure staff are aware that modern cars and other vehicles increasingly make use of external connectivity. Connecting your mobile phone to a car (via USB, Bluetooth or WiFi) can, for example, lead to the phone’s address book data being copied to the vehicle’s system. Consider the potential security implications before connecting your personal and/or work mobile devices to vehicles, particularly hire cars, especially when overseas.

Also consider how sensitive assets and information will be securely stored when travelling. An individual’s communications, hardcopy information and data storage devices in their possession could be vulnerable to interception or theft by hostile actors.

9. Follow CPNI’s CAPSS Guidance

Cyber Assurance of Physical Security Systems (CAPSS) is about gaining confidence in the "cyber" components of electronic security products which, while robust in the physical security domain, could potentially be compromised by a hacker. CAPSS has been jointly written by NCSC and CPNI, leveraging the expertise of both technical authorities. By utilising CAPSS assured products, sites can ensure that their systems are not the "low hanging fruit" within a corporate IT system, allowing a hostile actor to gain entry to the wider corporate network or manipulate and circumvent the physical security systems.

In addition to CAPSS, organisations should ensure staff are aware of the potential vulnerabilities relating to increasingly connected Building Management Systems and Security Systems. Access rights should be regularly reviewed and tightly controlled, with particular attention being paid to remote access (e.g., to allow remote service engineer monitoring or maintenance). All systems should be regularly checked to ensure they are patched.

10. Utilise CPNI’s Catalogue of Security Equipment (CSE)

The CSE is available to help security practitioners identify appropriate physical security equipment; it provides a range of products that have been evaluated against specific CPNI security standards.
