Mar 2025

Can I sleep at night? People's Postcode Lottery put their physical security to the test.

People's Postcode Lottery (PPL) has a lot riding on getting security right. They support hundreds of charities, employ a network of ambassadors, and are trusted by millions of players. That's not a responsibility they take lightly.

Mark Sandison, Technical Compliance Officer at PPL, knew their cyber and data security measures were solid. But solid isn't the same as tested. So, they asked Waterstons to come in and try to break through their physical security at their Edinburgh office.

"We're always looking to improve and mature where we can," says Mark. "We engaged Waterstons to conduct a physical penetration test. With so much external scrutiny, our safety measures need to keep pace with how our organisation evolves and the threats it faces."


What does a physical penetration test actually involve?

Months of planning. A lot of it invisible to the client.

Simon Evans, Principal Security Consultant at Waterstons, has run more of these than he can count. He's not giving away the playbook, but the short version is: it takes the skills of a determined threat actor, a mystery shopper, and a decent actor, all rolled into one.

"PPL were willing to test themselves and their controls," says Simon. "Without that openness, no penetration test can be truly successful. It's not just about finding gaps. It's about understanding how to close them."

The test combined technical expertise with social engineering. The findings were varied. Every one of them was well-received by senior leaders, which meant decisions got made quickly and improvements followed.


What came out of it?

The test gave PPL's leadership team a clear picture of where their physical security was working well and where it needed attention. It pointed to specific areas for staff training and process improvement, and it gave them the evidence to act.

For PPL, it also fed directly into a longer-term strategy.

"We constantly need to be looking ahead," says Mark. "We're always working several years in advance. Partnering with experts like Waterstons means we can rely on their expertise to make sure we stay current."

PPL are ISO 27001 certified and BS 10012 compliant, and they intend to stay that way. A rolling penetration testing programme, covering both physical and network security, is now a core part of how they maintain those standards and meet their responsibilities to players and people alike.

"Working with Waterstons means having trusted, accredited experts in our corner. We make informed decisions based on what they tell us. They understand us, our needs, and what matters most to us."


Thinking about physical penetration testing?

It's one of the most direct ways to find out whether your physical security controls are actually doing their job. Not in theory. In practice.

Get in touch with Simon Evans at simon.evans@waterstons.com