1000 Tech Drive
Welcome to 1000 Tech Drive, your go-to podcast for all things optics and surveillance technology! Each episode, we’ll take you on a journey through industry trends and dive into the innovative products from CBC AMERICA’s Computar and Ganz brands. Our goal? To arm you with valuable insights and practical advice that you can apply directly to your industry applications.
What to Expect:
- Product Advice: Discover expert tips and recommendations on selecting and optimizing products for your specific needs.
- Technical Data Insights: Simplify complex specifications and performance metrics to help you make informed decisions.
- Case Studies: Learn from real-world applications that showcase how businesses across various sectors effectively leverage Computar and Ganz products to enhance efficiency, security, and automation.
Tune in to 1000 Tech Drive and stay ahead in the rapidly evolving world of optics and surveillance technology!
Seven Physical Security Myths Exposed
In this episode, we dismantle seven stubborn myths that keep organizations vulnerable at the door, on the floor, and across their networks. Instead of accepting cameras, badges, or background checks as a cure-all, the conversation reframes physical security as an integrated, adaptive system—one that’s layered, data-informed, and operationally tested.
You’ll hear why “coverage” isn’t the same as protection, how tailgating thrives despite card readers, and where cyber and physical risks intersect in ways most teams overlook. The host walks through practical countermeasures that actually move the needle: analytics that trigger action (not just alerts), anti‑tailgating controls paired with modern credentials, network segmentation tied to physical events, and governance practices that keep controls effective after day one. The episode also challenges the “we’re too small to be targeted” mindset and the comfort of plans that live only in binders, advocating for drills, after‑action reviews, and continuous improvement as everyday discipline.
Key takeaways include:
- Myth vs. reality framing: Why common assumptions fail in real incidents.
- Layered defenses: From entry controls to monitoring and response orchestration.
- Cyber–physical convergence: Using SIEM correlation and segmentation to close cross‑domain gaps.
- Operational rigor: Governance, patching, testing, and behavior patterns over one‑time installs.
- Right‑sizing for scale: Risk‑based layering that works for small teams as well as large enterprises.
By the end, you’ll have a practical blueprint to reduce intrusions, accelerate verification, and strengthen investigations—without overspending on tools that don’t change outcomes. This is a concise, actionable guide for security leaders who want results, not myths.
00:00 Speaker 1: Welcome to the Deep Dive. Today, we are tackling something really critical, but honestly, often criminally overlooked when it comes to organizational safety and resilience, and that's physical security. You know, most organizations, they seem to treat it like a checkbox item, like, okay, we bought the gear, set it up, we're done, set it and forget it.
00:18 Speaker 2: Yeah, and that's such a foundational error. It really is. I mean, look at any modern facility today. It's this complex hybrid ecosystem. You've got people, old manual process, and then all these highly networked digital devices all mixed together. And the bad guys, they know this. Oh, absolutely. The adversary today gets this complexity. They're not just trying to smash a
00:42 Speaker 2: window anymore. They're blending things like social engineering, exploiting those physical weak spots. And then, crucially, using that physical foothold to pivot right into your network.
00:54 Speaker 1: And I guess the weakest point is often where the policy meets the real world. You know, we have rules about who can go where, but someone props open a delivery door because it's convenient.
01:04 Speaker 2: Exactly. Or, you know, that key card reader. It might be running on a protocol that's like 10 years old and easily cracked. That gap right there between the written policy and the actual day-to-day exceptions and workarounds, that is your biggest vulnerability. You've got these systems designed to work perfectly on paper.
01:23 Speaker 1: Yeah.
01:24 Speaker 2: But they get undermined by control drift, equipment just getting old, and simple human error or convenience.
01:31 Speaker 1: Okay, good. Let's really unpack this then. So our mission for this deep dive is pretty clear. We're going to expose seven persistent myths that we see keeping organizations dangerously vulnerable. Right. And most importantly, we want to replace those myths with specific actionable steps, things you can actually measure and implement starting today.
01:51 Speaker 2: Yeah, the goal here is really to guide you beyond just managing incidents after they happen. That's the expensive reactive way.
01:57 Speaker 1: Always playing catch up.
01:58 Speaker 2: Totally. We want to move you towards building a security program that's, well, continuously tested, properly governed, and always improving. We're talking about turning that static expense into a compounding capability over time.
02:12 Speaker 1: Okay. Love that. Let's jump straight in then. Let's tackle that first big myth around detection, the one that seems to plague like every facility. Myth number one, we have cameras everywhere, so we're covered. I hear this constantly. You see cameras everywhere. And yet every major intrusion video we see online, it starts with a clip from a camera.
02:33 Speaker 1: So if the video is there, why did the breach still happen?
02:36 Speaker 2: Well, because in most setups, that video surveillance, it's basically a passive tool. It's fantastic after the fact for investigation, maybe a minor deterrent. Okay. But if that feed is just recording quietly onto an NVR somewhere, a network video recorder, it's not preventative security. But the real problems are, well, technical things like blind spots, cameras that are useless in low light.
02:56 Speaker 2: Yeah. And the human factor. I mean, it's just impossible to expect an operator to stare intently at, say, 50 screens, 24/7, and catch everything.
03:03 Speaker 1: So basically relying on a person to spot the anomaly in real time, that's just a recipe for failure. Pretty much. The solution, then, it isn't just adding more eyeballs. It's making the system itself smarter.
03:15 Speaker 2: Exactly. The cameras themselves need to become active sensors. They've got to be paired with monitored, real-time alerts, you know, using analytics like line crossing detection or motion sensing or even more advanced object detection.
03:29 Speaker 1: Right.
03:30 Speaker 2: And then you need defined incident response playbooks, like a specific step-by-step reaction that's tied directly to those alerts. If the system flags, say, a person loitering in a restricted zone at 3 a.m., the system has to force an immediate action, not just record footage for someone to maybe look at on Monday morning.
03:50 Speaker 1: And I guess to make sure those alerts are actually useful, you have to test them constantly.
03:54 Speaker 2: Oh, absolutely. You need periodic coverage tests. You need detailed low-light audits. I mean, think about it. If an alert fires, what's the quality of the image you get? Good point. If the camera feed is just a blurry mess because of glare or darkness, then the whole detection system, the alert, everything.
04:09 Speaker 2: It just fails.
04:10 Speaker 1: Okay, that makes sense. Moving from passive detection to hopefully active prevention, let's hit myth number two, badges stop unauthorized access.
04:21 Speaker 2: Ah, yes. Badges. Well, they only work if everyone actually follows the policy perfectly. And the two most common ways they get bypassed are, one, tailgating, or sometimes called piggybacking.
04:33 Speaker 1: Where someone just follows you through the door.
04:34 Speaker 2: Right. An unauthorized person follows a legitimate badge holder right through, and two, using stolen or worse, cloned credentials.
04:42 Speaker 1: That tailgating thing, that feels like a behavioral issue mostly. But the stolen or cloned card problem, that's often down to outdated tech, isn't it?
04:50 Speaker 2: Oh, it's pure technical debt in many cases. I mean, if you're still relying on those older 125 kilohertz proximity cards, they are incredibly simple and cheap to clone. Really? Yeah, you can buy the kit you need online right now for, like, less than 50 bucks. The technical drift and access control just leaves these gaping holes.
05:08 Speaker 1: Wow. Okay, so how do we close that gap then? What's the fix?
05:11 Speaker 2: Well, the measurable solution here is both physical and technological. Physically, you need to implement anti-tailgating controls. Maybe that's a proper turnstile or at the very least a localized door alarm that shrieks immediately if two entry events happen too close together.
05:27 Speaker 1: Okay.
05:27 Speaker 2: And then technically, you absolutely have to upgrade your credentials. You've got to move to encrypted smart cards or maybe mobile credentials using secure protocols like Bluetooth Low Energy (BLE) or NFC.
05:39 Speaker 1: Stuff in our phones.
05:40 Speaker 2: Exactly. And just as important, culturally, you have to enforce rigorous, no-piggybacking awareness, make it clear that security is actually everyone's job.
05:49 Speaker 1: Okay, this next one. This is where things get really complex, I think, and so vital for overall resilience. Myth number three. Cybersecurity is totally separate from physical security.
06:00 Speaker 2: Ah, this misconception is just devastating, honestly, because modern attacks always blend these domains, always. Just think about the pieces of your physical security system, your cameras, your badge readers, the door locks, even building management systems.
06:13 Speaker 1: They're all on the network now.
06:14 Speaker 2: They're all networked IoT devices. Yeah. Every single one is a node sitting right there on your corporate network.
06:20 Speaker 1: And the second those devices are networked, bam, they become potential pivot points.
06:25 Speaker 2: Right.
06:25 Speaker 1: You're only as secure as your weakest network connected link.
06:29 Speaker 2: Precisely.
06:29 Speaker 1: And I bet the camera network is often the most neglected one.
06:32 Speaker 2: You hit the nail on the head. If a sophisticated attacker finds, say, a zero-day vulnerability in an IP camera, or maybe more commonly, they just get access to the credential system because the server room itself wasn't physically secure.
06:46 Speaker 1: Uh-oh.
06:46 Speaker 2: They're inside. Remember that huge retail breach a few years back? Started through the networked HVAC controls.
06:53 Speaker 1: I do remember that. Wow. Yeah.
06:55 Speaker 2: So weak physical security in your data center. It completely undermines that million-dollar network firewall setup you might have.
07:02 Speaker 1: So what does zero trust actually look like when you apply it to a physical system? We usually hear that term talked about with laptops and servers.
07:10 Speaker 2: Yeah, that's a good question. When we talk about applying zero-trust principles here, we basically mean treating every single device, every user, every connection as potentially hostile, even if it's already inside your network perimeter.
07:23 Speaker 1: Okay.
07:23 Speaker 2: So you absolutely must segment your camera network and your access control systems, keep them separate from the main corporate LAN, apply proper network authentication, and crucially, the principle of least privilege to them.
07:37 Speaker 1: Meaning?
07:37 Speaker 2: Meaning if a camera only needs to send video to the video management system, it should absolutely not be able to talk to, say, the HR database.
07:46 Speaker 1: That makes total sense. And that means monitoring the traffic from these physical systems becomes mandatory, right?
07:50 Speaker 2: Absolutely essential. Yeah. You need to be looking for rogue devices trying to connect on site. And critically, you need to integrate the logs from your VMS and your physical access control systems, your PACS, with your IT team's SIEM.
08:04 Speaker 1: The security information and event management system? Right.
08:07 Speaker 2: That integration is what gives you the holistic cross-domain view you need to actually spot these blended cyber-physical attacks in progress.
08:15 Speaker 1: Okay, let's pivot for a second to maybe the smaller organizations out there. Myth number four. We're small. Nobody's going to target us.
08:24 Speaker 2: Oh, this is such a lethal fantasy. Small to midsize organizations, SMEs, they're attractive targets precisely because they often assume they're invisible. And because of that assumption, they tend to have weaker controls.
08:36 Speaker 1: So they're easier targets.
08:38 Speaker 2: Exactly. They face risks like opportunistic theft, laptops, maybe some intellectual property or vandalism. Or, and this is increasingly common, they get targeted not for their own sake, but as an easy-to-exploit weak link in a bigger supply chain attack aimed at a major client they work with.
08:54 Speaker 1: Ah, so even if you're just like a 20-person engineering firm, if you happen to hold the blueprints for a huge aerospace client...
09:00 Speaker 2: You're a target, precisely. The fix here, it starts with a brutally honest basic risk assessment. You've got to identify your crown jewels, maybe sensitive labs, the server rooms where you store your IP. Right. And then prioritize layered controls specifically for those few high-value areas. Don't try to secure the entire building like Fort Knox if you don't need to.
09:19 Speaker 1: Focus the resources.
09:21 Speaker 2: Focus the resources. And look, if internal budgets are tight and you can't afford a full in-house security team, leverage managed or hosted security services for that continuous oversight. Just don't rely on being invisible. Rely on actually being secure.
09:35 Speaker 1: Okay. Good advice. Now, let's move into the people and process side of things, starting with myth number five. Background checks eliminate insider risk.
09:43 Speaker 2: Right. Background checks. Yeah. They're just a snapshot. A one-time snapshot taken usually on the employee's first day. That's the baseline, sure.
09:51 Speaker 1: But that's it?
09:51 Speaker 2: That's it. They do absolutely nothing to mitigate the risk posed by trusted individuals whose maybe motivations or financial circumstances or even loyalties might change over time. Most serious insider incidents involve long-term trusted employees, people you'd never suspect.
10:07 Speaker 1: Wow. So relying just on that initial background check, it's like using a seatbelt that only locks once when you first get in the car and then never again.
10:15 Speaker 2: That's a great analogy, yeah.
10:16 Speaker 1: So what are the continuous daily measures that can actually manage this human risk factor?
10:22 Speaker 2: Okay, first, you absolutely need role-based access control built on the principle of least privilege.
10:28 Speaker 1: Meaning people only get access to what they absolutely need for their specific job.
10:33 Speaker 2: Exactly. And that access needs periodic, formal review, at least quarterly, I'd say. Yeah. Second, for really high actions, think accessing evidence rooms or highly sensitive data vaults, you must enforce the two rule. No exceptions. Okay. But probably the most powerful tool here is actually monitoring behavior for anomalies.
10:53 Speaker 1: What kind of behavior flags should organizations be looking for then?
10:57 Speaker 2: Well, we look for things that are out of the ordinary. Unusual after-hours access attempts that don't really align with someone's job function, repeated door alarms from the same high security area, or maybe someone rapidly moving between different secure zones, zone hopping. These kinds of behavioral indicators, especially if you can maybe correlate them with HR data
11:16 Speaker 2: or other contexts, those are the critical flags that security teams absolutely must be watching for.
11:21 Speaker 1: Okay. Moving to myth number six. This feels like the operational killer. Once we install it, we're done. The set it and forget it returns.
11:30 Speaker 2: Oh, this is the absolute death knell of resilience. Physical security inherently, naturally, suffers from control drift. Things just degrade over time.
11:39 Speaker 1: How so?
11:40 Speaker 2: Well, equipment fails. Cables get frayed. Firmware expires. Those battery backups die silently. Doors get propped open because someone finds using the key card annoying. Systems just become obsolete. It is literally the definition of the opposite of set and forget.
11:56 Speaker 1: Yeah, I can easily imagine a facilities manager maybe skipping a critical firmware update on a door reader because, well, it means taking that door offline for 15 minutes, and that causes a minor disruption.
12:05 Speaker 2: Right, but that minor disruption can turn into a massive vulnerability down the line.
12:10 Speaker 1: So the cost of skipping the maintenance is always higher.
12:13 Speaker 2: Always. The solution here is constant measured engagement, and it has to be driven by proper governance. You need a formal, mandatory cadence. Things like quarterly control reviews, where you physically check the state of the locks, the readers, the cameras, and comprehensive risk assessments done annually.
12:30 Speaker 1: And testing, I assume.
12:31 Speaker 2: Crucially, you must actively test your controls. Run red team exercises, have blue teams defend, try to tailgate, try to breach a supposedly secure area, see what happens.
12:41 Speaker 1: That active testing really validates if the system works in practice, not just on paper.
12:47 Speaker 2: It absolutely does. And alongside that, you must have proactive lifecycle management. Firmware updates, security patching things are non-negotiable for all physical security components. I mean, think about it.
12:58 Speaker 1: Yeah.
12:59 Speaker 2: You wouldn't let a critical server run Windows XP anymore.
13:01 Speaker 1: Yeah. God, no.
13:03 Speaker 2: So why are you letting a network-connected camera run on firmware that's 10 years old?
13:07 Speaker 1: Fair point. Okay. Finally, myth number seven. Emergency plans exist in a binder somewhere. People will know what to do when something happens.
13:15 Speaker 2: Oh, the binder on the shelf. Plans that only live on paper. They fail instantly during a real crisis. Instantly. When adrenaline hits, people default to muscle memory and ingrained training.
13:27 Speaker 1: Not reading a manual.
13:28 Speaker 2: Exactly, not fumbling for a binder. And we see failures in the simplest things. The mass notification system hasn't actually been tested end-to-end in two years. The emergency contact lists are stale. Key roles and responsibilities are unclear.
13:42 Speaker 1: So how do you build that essential muscle memory then so people react correctly under pressure?
13:47 Speaker 2: Drills, regular mandatory drills, evacuation drills, shelter-in-place, active threat scenarios, whatever is relevant to your risks. And importantly, follow every drill with a detailed after-action review.
13:57 Speaker 1: To learn from it.
13:58 Speaker 2: That review process is the learning mechanism. Also, keep procedures digital and easily accessible. Quick reference job aids posted right there at critical security posts or reception desks. And, crucially, you must validate your mass notification and PA systems frequently. And coordinate those tests with your local first responders so they know your layout and how you communicate internally.
14:21 Speaker 2: What's fascinating here, when you look at all seven of these myths, every single one is rooted in basically one fundamental failure. Security breaks down in the seams.
14:31 Speaker 1: The seams?
14:32 Speaker 2: Yeah, the gaps between things, between devices, between policies, and, crucially, between the different groups of people involved, the IT folks, the facilities managers, the security policy writers. They're often not talking the same language or working together closely enough.
14:46 Speaker 1: Okay, so we've basically established that manual oversight, working in silos, and relying on static, unmonitored technology, it just fails. It's bound to fail. So closing those seams, as you put it, requires shifting away from just buying isolated point solutions, a camera here, a reader there, and towards building a truly integrated, continuously managed program underpinned by technology.
15:09 Speaker 2: That's the conceptual shift, exactly. We need an integrated technology stack, one that can take all that raw data coming in and synthesize it into actual, actionable intelligence, moving us way beyond just passive recording, which we hit in myth one, and beyond relying on manual analysis, which fails under myth six.
15:27 Speaker 1: Okay, let's talk about the core technology pillars then that actually enable this leap, starting with making those cameras truly intelligent. Why isn't just recording video to a server good enough anymore?
15:36 Speaker 2: Well, that traditional server-side analytics model, it often suffers from latency issues, network strain, you know, bottlenecks. To really beat passive detection and, importantly, alert fatigue, where operators just get overwhelmed with false alarms, you really have to utilize edge AI intelligence. And that means the smart processing, the thinking, happens right at the camera or maybe in an intelligent box located very close to the camera.
15:58 Speaker 1: Ah, okay. So this allows the system to filter out the noise immediately right at the source, giving the human operator fewer but much higher quality alerts to deal with. Exactly right. And solutions like, for instance, the Ganz AI Box, they're specifically designed to act as an intelligent add-on,
16:16 Speaker 2: an extension for pretty much any existing IP camera system you might already have.
16:21 Speaker 1: So you don't necessarily have to rip and replace all your cameras.
16:23 Speaker 2: Not necessarily. It uses deep learning models right there at the edge to do the heavy lifting, things like accurate object classification, person versus car versus animal, license plate recognition, or even checking if someone's wearing required PPE, like a hard hat. This edge processing turns that raw, noisy video stream into prioritized, genuinely actionable alerts.
16:46 Speaker 1: Okay, so that means we can finally solve that massive problem of false alarms. You know, the wind blowing a tree branch across the camera view isn't flagged as a critical intrusion anymore. Correct.
16:54 Speaker 2: And by dramatically reducing those false alarms using AI, you significantly boost the precision of your alerts, which, going back, directly combats that control drift we talked about in Myth 6, because people start trusting the alerts again.
17:09 Speaker 1: Okay, so once you have these smart, reliable alerts being generated at the edge, you need the second pillar, which you mentioned is centralized orchestration.
17:17 Speaker 2: Yes, centralized orchestration. This is essentially the command center, the place that pulls together all those disparate feeds and signals from your various security systems. Okay. Precisely. And that is the role of a modern video management system, or VMS. This is where all the physical systems come together and unify.
17:34 Speaker 2: A robust system, like Ganz CORTROL VMS, for example, acts as that scalable, real-time command center.
17:41 Speaker 1: So when the AI Box detects, say, a tailgating attempt, or the access control system reports a door being forced open...
17:48 Speaker 2: The VMS is the platform that orchestrates the immediate response. It correlates that data, allows an operator to visually verify the incident instantly, and then automatically triggers the predefined response playbook you've set up.
18:00 Speaker 1: And this orchestration capability, this directly addresses that cyber-physical myth, myth three, right? By bringing all the security domains, video, access, alarms, into one single pane of glass for monitoring and response.
18:12 Speaker 2: It absolutely does. It unifies not just cameras and the video analytics coming from the AI Box, but also integrates with access control systems, LPR databases, maybe other IoT sensors you have deployed. And whether you're running a smaller facility or need huge enterprise-level management for potentially unlimited channels,
18:32 Speaker 2: a unified VMS provides that crucial audit trail and enables the immediate coordinated response that's absolutely necessary for genuine resilience.
18:40 Speaker 1: Okay, makes sense. And then finally, the third pillar you touched on was reliability. If this technology stack is now so central to the whole security strategy, the evidence it captures has to be rock solid, right? Absolutely.
18:51 Speaker 2: Treating this whole stack (cameras, AI boxes, VMS, recorders) as critical infrastructure is key. It's not just optional IT gear anymore.
18:59 Speaker 1: So what does that mean in practice?
19:01 Speaker 2: Well, it means deploying reliable recording devices, NVRs or DVRs, with features like RAID options for storage redundancy, ensuring you have rigorous time synchronization using protocols like NTP across all devices; that's critical for investigations.
19:16 Speaker 1: Ah, so all the timestamps match up.
19:18 Speaker 2: Precisely. And maintaining clear chain of custody procedures for any video evidence that gets exported. When security footage is needed, whether it's for legal proceedings or just internal investigations, it absolutely must be admissible, verifiable evidence. No questions asked. So we connect all this back to the bigger picture.
19:37 Speaker 2: Resilience. Real security resilience. It isn't something you can just buy as a single product off the shelf. It really stems from having layered controls, implementing continuous governance that actively fights that natural control drift. Yeah. And achieving that tight, seamless integration of your physical and cyber measures
19:53 Speaker 2: using intelligent, orchestrated technology like we've discussed.
19:57 Speaker 1: And the payoff here, it isn't just about having, you know, better tech for its own sake. It's about measurable operational resilience. It means dramatically faster detection times, much stronger audit trails for compliance and investigations, and ultimately a significantly lower total cost of ownership.
20:16 Speaker 1: Right. Mostly achieved by slashing those false alarms and eliminating the huge burden of endless hours spent manually reviewing video footage.
20:24 Speaker 2: Exactly. That transition moving away from those static, dangerous myths we busted towards achieving continuously compounding capability. It really requires that integrated solution working together. You need high-quality cameras for clarity, something like the Ganz AI Box for adding context and crushing false alarms,
20:41 Speaker 2: and then a system like Ganz CORTROL VMS providing that centralized, real-time orchestration and response.
20:47 Speaker 1: Okay, so here's our final thought for you, the listener, to chew on as you think about your own security posture. Don't just settle for counting how many incidents you had last month. That's looking backwards. Instead, start tracking key performance indicators, KPIs, that actually measure your efficiency and effectiveness.
21:02 Speaker 1: Things like your mean time to verify an alert, how fast can you confirm if it's real? Or your alert precision, what percentage of your alerts are actually actionable? So the question to ask yourself is, how can you shift your security program starting today to ensure it is fully observable, easily automatable wherever possible,