Physical Security: The Missing Piece From Your Cyber Security Puzzle
24 October 2017 00:00
One of the most common types of security breaches comes from the physical data theft of company computers, devices and even the old stack of paper files. So how can you ensure you're not missing this piece of the puzzle?
What does physical security have to do with cyber security?
When thinking of cyber security, you might picture endless forms of technologies, processes and protocols fighting to keep our sensitive data away from the hands of online crooks. But thinking of cyber security as just a technological form of protection is exactly where many businesses are going wrong.
After all, one of the most common types of security breaches comes from the physical data theft of company computers, laptops, portable devices, electronic media and even the old stack of paper files.
Physical security is very much the missing piece of many cyber security efforts.
And if you’re thinking about security guards and CCTV surveillance as all the steps you need for protection, then the risk of physical data theft will remain a major concern - not least due to the fact that these threats often stem from inside the business.
Intentional employee theft is a well-known repercussion during the run-up or sudden aftermath of an employee's position being terminated. Partner that with the unintentional side of an employee demonstrating a simple lack of security awareness, then your business is faced with a full circle of potential insider threats.
One company (Biscom) has researched the physical data loss associated with employee-related cyber security breaches, finding that:
- 85% of employees admit to taking company documents and information they had created;
- 30% of employees admit to taking company documents and information they had not personally created.
So how can a business ensure physical security?
#1 Implement Access Control
Let’s start with the outside. Keeping external threats as exactly that is one of the most effective ways of ensuring your company’s physical security. Don’t just rely on the old lock and key approach of controlling who gets in and out - access control cards are much more effective.
Put it this way, someone wanting to duplicate an access control card is going to have a hefty chunk of work cut out for them in comparison to visiting the key cutters just down the road. Further to that, any person you might want to remove access privileges from is now a task that can be done instantly - without changing locks or entry codes.
#2 Use Photo ID
Another one to stop the external bad actors, including employee photos on ID cards is a great added layer of physical security for your business’s access cards. You’re now able to challenge potential ‘employees’ who have forgotten their cars, with visual identification.
This is especially important when it comes to social engineering techniques. Unauthorised individuals can attempt to gain access when knowing some personal details of the person they’re impersonating - such as department, job role or naming senior management. With photo ID, they’ll have a tougher time conning their way through.
#3 Don’t forget about your visitors
We don’t just mean make your contractors a cup of tea every now and then - we mean that visitors to your business can pose a physical security risk when left unsupervised around your offices. But instead of following them around, uncomfortably watching every move they make, there’s a much simpler (and less creepy) method of security.
Make sure that all visitors sign in/out when arriving and leaving. Also, issue them with a photo pass and lanyard. Many businesses now adopt a colour code scheme for visitors, such as a red lanyard for general visitors, a green lanyard for contractors and so on. Ensure that your staff know which colours represent which type of visitor, so they can flag a potential risk.
#4 Lockdown workstations and laptops
It’s normal for employees to leave PC tabs or laptops open when going to the toilet or going out for lunch, especially with automatic sleep timers being set up. But these potential sleep timers (if enabled at all) can take a good few minutes to kick in - giving both bad internal and external threats an opportunity to access the computer or device without needing any credentials.
Picturing someone rushing to physically access your device before they’re shut out might sound like a scene from a low-budget Mission Impossible-esque movie, but data has been compromised this way in the past - especially from high-level execs.
This step very much revolves around reinforcing a security message where end users realise the potential risks their actions can cause. Try sticking up some security awareness posters (we've got some free ones for you to download instantly here - including a physical security message for your employees).
#5 Secure your devices AND your paper records
With all the storage and cloud services they’ll ever need, employees can often claim to have no physical forms of data in their possession. This is often a misunderstanding as many members of staff aren’t effectively informed of exactly what sensitive data can consist of.
All physical forms of unwanted or unneeded data should be shredded - no matter how minuscule that information might seem. It’s important to conceal any papers still being used, locking them away tightly with laptops and devices.
#6 Make steps towards a security-minded culture
The general notion of each of these steps is that employees need to be informed and educated on both cyber security risks and physical security risks. It goes without saying that, failing this, end users will continue to be a vulnerable gateway to your company’s and client’s sensitive data. But don't fret! More and more businesses are now taking up security awareness training with a focus on the physical aspects of security, especially with the rise of data theft from ex-employees.
Here's how you can start making steps today
Setting up your poster campaign is a good and simple first step you can take, but they're only a minuscule effort of raising awareness for your end users. Implementing a security awareness training programme is a must for today's increasingly technologically-focused workplaces.
Get a first-hand look at how a security awareness programme can educate your users on physical security risks and give you that much-needed added layer of protection. Gain instant access to the free trial version of the usecure training platform here. This comprehensive cloud-based tool raises the security awareness of your end users with easy-to-retain bite-sized modules, focusing on the inevitable threats they'll encounter (want more info? Visit our uLearn page)