Ransomware, phishing and AI-enabled fraud are dominating boardroom conversations, and rightly so. The scale and speed of cyber threats mean many organisations are investing heavily in digital defences. But in strengthening one line of protection, are businesses unintentionally weakening another?
As funding and leadership attention concentrate on cyber risk, physical security can slip down the agenda. Yet threats to people, premises and operations, from violence and crime to terrorism and geopolitical instability, have not receded. In many cases, they have become more fragmented, less predictable and harder to contain once they unfold.
For senior leaders, this is not a choice between cyber and physical security. The real challenge is avoiding strategic imbalance. Over-prioritising one risk can create dangerous blind spots in the other. Resilience depends on striking the right balance, aligning protection against both digital and physical threats with the organisation’s risk profile and available resources.
Physical Threats are Shifting
Recent events illustrate how physical risk now manifests with little warning and often outside traditional “high-risk” environments.
The attack at Bondi Beach in Sydney, on 14 December 2025, killing and injuring civilians, was in a location widely perceived as safe. The incident reinforces a critical reality for organisations with mobile or internationally based staff: employees do not need to be in conflict zones to be exposed to extreme physical harm.
On the other side of the world, the UK government’s introduction of the Terrorism (Protection of Premises) Act 2025 (Martyn’s Law) reflects a recognition that physical security in publicly accessible spaces has become a national resilience issue rather than a niche operational concern. The legislation imposes clearer duties on organisations to assess risk, plan responses, and implement proportionate protective measures. (Source: Terrorism (Protection of Premises) Act 2025: Overarching Factsheet).
At the same time, UK security services have publicly warned of hostile state activity on British soil, including surveillance, intimidation, and targeted operations linked to foreign intelligence services. These threats are less visible than cyberattacks, but they pose tangible risks to organisations operating in sensitive sectors or employing individuals with strategic access. (Source: https://commonslibrary.parliament.uk/research-briefings/cbp-10417/ ).
Considerations for Board Level
- Physical threats are no longer confined to “high-risk” geographies
- Public, corporate, and travel environments can shift from low-risk to high-impact rapidly
- Duty of Care expectations are rising, not falling
Physical security failures increasingly carry both strategic and operational consequences.
The Quiet Cost of Everyday Physical Security Failures
Not all physical security risks are headline-grabbing. Many of the most damaging issues are routine, cumulative, and under-reported. UK business crime statistics consistently show that burglary, theft, vandalism, and unauthorised access remain among the most common threats to organisations, particularly small to medium-sized enterprises. Tailgating, weak access controls, and poor site discipline continue to enable internal and external breaches. (Source: https://www.gov.uk/government/collections/crime-against-businesses).
Meanwhile, workplace violence and aggression, especially in public-facing sectors, have risen steadily. These incidents rarely make national news, but they drive increased absenteeism, staff turnover, and insurance claims, leading to increased costs and potential reputational damage. The strategic problem is perception: because these risks feel familiar, they are often treated as “background noise”. Yet the combined impact can be as disruptive as a major cyber incident and far more visible to employees.
Global Mobility: Physical Risk, Strategic Exposure
For organisations with international mobile workforces, physical security risk multiplies.
Surveys of UK business travellers consistently show that crime, personal safety, political instability, and disruption now rank above health or logistical concerns when employees assess travel risk. (Source: https://www.gov.uk/government/publications/business-travel-survey-2025).
Geopolitical instability, organised crime, and environmental disruption can rapidly affect travel routes, accommodation safety, and emergency response capability. In some regions, employees face elevated risks of robbery, kidnapping and detention, even on short, routine trips. Changes in border enforcement and heightened screening regimes add further complexity. Travel disruption is no longer just an inconvenience; it can strand staff, expose them to legal risk, and force senior leaders into crisis decisions with limited information.
Cybersecurity tools cannot extract an employee from a volatile environment. Physical risk planning must exist before travel begins.
What This Means for Senior Leaders
- Duty of care extends beyond the office and beyond country borders
- Travel risk failures escalate quickly to executive-level crises
- Employee willingness to travel is now directly linked to perceived safety
- Poor preparation exposes organisations to legal, moral, and reputational risk
Physical Security is a Strategic Issue
Organisations underestimate the strategic implications when physical security is viewed purely as a facilities or operational responsibility.
Workforce Confidence and Retention
Staff need to feel safe and secure when going about their work, whether at the site, at events, or while travelling. Otherwise, they are less engaged and less willing to represent the organisation internationally. Over time, this erodes talent retention and limits strategic reach.
Reputation and Trust
How an organisation implements duty of care for its people is an expectation seen by clients, partners, and regulators. A single poorly managed physical incident can undo years of brand trust.
Regulatory and Legal Exposure
Legislation such as Martyn’s Law signals a clear shift: organisations are expected to anticipate physical risk rather than simply respond to it.
Operational Resilience
Physical incidents disrupt operations just as effectively as cyber-attacks. Office closures, travel suspensions, or employee harm can halt critical activity overnight.
Rebalancing the Security Lens
The solution is not to reduce cyber investment but to rebalance attention and governance.
Organisations with mature security postures should consider:
- Integrating physical security into enterprise risk management frameworks
- Aligning cyber, physical, and people risk under shared senior oversight
- Using intelligence-led assessments for premises, events, and travel
- Preparing employees for real-world scenarios, not just digital threats
- Maintaining clear executive accountability for physical risk decisions
Board-Level Call-Out: The Strategic Question
“If a serious physical incident occurred tomorrow on your premises or involving your people overseas, would you be confident explaining your preparedness to regulators, employees, and to the board?”
Conclusion: Don’t Dismiss the Physical Risks
Cybersecurity will continue to dominate headlines. But taking our eye off physical security is a strategic miscalculation. In a world of unpredictable violence, geopolitical instability, and rising duty-of-care expectations, organisations that fail to protect people in the physical world will struggle to maintain resilience, trust, and long-term performance.
For senior leaders, the message is clear: physical security is not a legacy concern; it is a present day and escalating strategic risk.
To find out more about how Inverroy can help support your security risk management please contact us at enquiries@inverroy.com