← Blog / Assessment
11 Security Gaps We Find in Almost Every Building Walk
WorldSafe Staff
March 2026
6 min read
Assessment
Physical Security
Best Practices
TL;DR
- The same physical security gaps show up in nearly every facility, regardless of industry or budget.
- The most common are propped doors, camera blind spots at transition points, stale badge access, and response plans only one person knows.
- Most are inexpensive to fix. What they require is someone who knows to look for them.
After hundreds of site assessments across healthcare facilities, corporate campuses, faith communities, and industrial operations, certain vulnerabilities show up with striking consistency. Not occasionally — almost every time. These aren't exotic attack vectors or sophisticated threats. They're gaps that exist because no one was looking for them, or because the fix never made it off the to-do list.
Here are the eleven we find most reliably. If your organization has addressed all of them, you're ahead of the curve. If even a few sound familiar, it's worth a closer look.
1. Propped doors that no one notices
The single most common finding across every industry we work in. A door that's supposed to be secured gets propped open — by a delivery person, a smoker, someone who forgot their badge. The prop gets removed, but the habit persists. We've walked into server rooms, medication storage areas, and executive floors through propped doors that staff walked past dozens of times a day without registering as a problem.
The fix isn't just an alarm on the door. It's a culture that treats an open door as an incident, not an inconvenience.
2. Camera blind spots at critical transition points
Cameras cover the parking lot. Cameras cover the lobby. Nobody covered the stairwell between the second and third floor, or the corridor between the loading dock and the warehouse floor. Threat actors move through transition points, not monitored zones. We map every blind spot and show you exactly what isn't being watched.
3. Visitor credentialing that hasn't been updated in years
The visitor log exists. The process was designed five years ago. Since then, the organization has moved buildings, changed staff, added contractors, and shifted to hybrid work — and the visitor credentialing process reflects none of it. In healthcare settings, we regularly find visitor protocols that haven't accounted for after-hours access or vendor relationships established years after the original security program was written.
4. Access control badges that aren't deactivated
Former employees. Vendors whose contracts ended. Temporary staff from two years ago. Badge access lists accumulate over time, and routine deactivation processes either don't exist or aren't being followed. In one engagement, we found 47 active badges belonging to people who no longer worked at the organization.
5. Response plans that only one person knows
The plan exists. It was written by the security director three years ago. That person left eighteen months ago. The plan is in a binder somewhere. The current team has never read it, has never drilled it, and couldn't locate it under pressure. This is not a hypothetical — we encounter it regularly.
6. Shared credentials for access systems
One PIN for the loading dock. One code for the after-hours entrance that everyone in the department has memorized. Shared credentials eliminate accountability and make it impossible to trace who accessed what when. They're also remarkably common in organizations that otherwise have sophisticated security programs.
7. No protocol for challenging unfamiliar faces
Your staff knows they're supposed to badge in. What happens when someone follows them through the door? What happens when an unfamiliar person walks through the lobby with purpose and confidence? In most organizations, nothing happens. Nobody challenges them. We've walked through controlled access areas in business attire carrying equipment, unchallenged, in facilities where the staff would have described their security culture as strong.
8. Emergency communication that depends on a single channel
The intercom system. Or the phone tree. Or the mass notification app that three people know how to use. If your emergency communication plan depends on a single channel, it has a single point of failure. We find this in organizations of every size and sophistication.
9. Financial exposure that's never been quantified
Leadership knows there are gaps. They don't know what those gaps cost if exploited. Without a financial frame, security investment decisions get made based on gut feel rather than risk calculus. Every finding in a WorldSafe assessment comes with a financial exposure estimate — because knowing what a gap costs changes how seriously it gets treated.
10. Regulatory compliance that's documented but not practiced
The compliance requirement is met on paper. The procedure exists. Nobody has tested whether staff can execute the procedure under actual conditions. In regulated industries — healthcare, energy, financial services — we consistently find a gap between what the compliance documentation says and what actually happens on the floor.
11. No post-incident review process
Something happened — a breach, a threat, a near-miss. It was handled. Then everyone moved on. There was no structured review, no root cause analysis, no update to the response plan. The same gap that allowed the incident exists at the next facility, or will exist again next year when staffing changes.
Security programs fail most often not because of what organizations don't know — but because of what they know and haven't fixed.
None of these gaps are difficult to close. Most can be addressed without significant capital expenditure. What they require is someone who knows to look for them, and an organization willing to act on what they find.
If any of these sound familiar in your facility, that's exactly what a WorldSafe assessment is designed to address.
How many of these does your facility have?
A WorldSafe assessment finds every gap, scores it by severity and financial exposure, and gives you a prioritized remediation roadmap. Start with a consultation.
Book an assessment
