So many businesses focus their security efforts on the technology: preventing successful phishing attacks, data breaches, intellectual property theft, etc. Unfortunately, those same businesses often overlook the critical role that physical security plays in really locking down enterprise risks. Good physical security – of your systems, workspaces and people – can go a long way to preventing many security incidents.
Don’t let your computers be stolen
At its most simple level, physical security applied to your systems can take the form of locked data centers, and locking cables that prevent laptops and desktops from being stolen. Many data breaches involve lost or stolen computer systems and those are the ones that often will force you to make a disclosure to affected parties under breach notification laws. Most of the time those systems aren’t stolen for what’s on them…they’re stolen so that the device itself can be sold. Think about who has access to your workspaces. Do you have contracted services, like janitorial or maintenance, that are in your offices after normal business hours? What do you know about those people?
I recently spoke with a CISO who had built a great security environment across his corporation. But, as he visited one of his Midwest offices, he was surprised to find no locks on the data center doors, and desktop computers weren’t secured with cables. When he asked the staff on-site why that was, they told him they trust everyone who works there. Why would anyone steal computers from them?
Don’t let unauthorized people into your workspaces
As noted above, it’s critical that you control who has access to your physical plants – offices, warehouses, distribution centers, etc. I’ve seen people talk their way past guards and gates way too easily. Many offices I visit no longer have receptionists, which was traditionally the first line of defense, having been replaced by locked doors and badge readers. But if your employees don’t practice good access control, it’s all for naught. The biggest culprit here is tailgating – one employee badges-in to open a door and multiple people follow her into the office. I met someone who allowed a person to tailgate into her office building, and that person turned out to be an attacker who shot his ex-girlfriend once he was inside.
But those same tailgaters might be there to steal your digital data as well. Last year, a medical devices firm in Massachusetts found a foreign national in their offices after hours trying to hack into their network. He had tailgated in at closing that day as employees rushed out of the office for Labor Day weekend.
Pay attention to changing dynamics of your employees
It was recently revealed that Equifax suffered a different type of breach prior to the one that gained so much notoriety. Several years earlier, a handful of foreign national employees decided to leave the company and start their own credit-reporting agency in the PRC. On their way out the door, it’s alleged that they took with them proprietary software, including proprietary algorithms, as well as customer lists and hard copies of the HR files of other employees they hoped to recruit. Managers can be trained to look for the signs of an employee’s pending departure and can then manage the risks inherent in that accordingly.
Don’t let culture get you down
Many security leaders run into roadblocks thrown on their paths in the form of the culture argument: “Of course we trust our employees, why wouldn’t we?” or “Who would want to steal from us?”. But I guarantee that your HR staff has a stack of cases that would prove to you exactly why you should be taking prudent precautions to secure physical access to your workspace and to your systems.
Physical security and IT security truly go hand-in-hand. By taking some simple steps to lock down all of these environments and train your employees on good physical security practices you can significantly reduce the risk of your business being the next breach story we have to cover at CSOonline.
You can receive more insights into security awareness by signing up for the Security Smart Newsletter. The newsletter is an employee education program designed to help build security awareness by making security reminders and information fun, interesting, and engaging to all your employees; saving you and your organization precious time on your security awareness program. To learn more about the newsletter and the subscription options, please click here!