Don’t Forget the Physical When Thinking About Security
In a previous blog post, we talked about the difference between cyber security and information security. Basically, while cyber security is focused on the digital, information security is a broader concept that focuses on data in any form. Let’s take a look at some of your physical assets and ways to protect these assets.
Security Begins at the Door
Theft isn’t restricted to after-hours. Consider all the people who might enter your office – maintenance workers, delivery personnel, interviewees, inspectors, vending machine stockers, and more. In addition, there are people who have no business being in your office but are let in by someone who ‘tailgates’ behind a badge holder. This is a particularly insidious tactic as it preys on a person’s natural tendency to be helpful. There is social pressure to be polite and closing a door in someone’s face is rude, so many people can’t bring themselves to do it. The ‘high-vis’ effect is another tactic: an individual in a high-vis jacket, who looks like they know where they are going, tends not to be challenged since there is automatic authority imbued within the reflective vest.
In the same way you might run a fire drill or simulate a phishing scam, you should execute drills that help prevent a breach of your premises. Companies are increasingly asking penetration testing providers to check out their physical defences during a simulated targeted attack. Frequently, this includes an element of physical social engineering to gain access to the premises to plant malicious devices or retrieve sensitive information.
What’s In Those File Cabinets?
Have you digitized your paper records? If so, now is the time to get rid of the hard copies. Invest in either a high-quality, high-volume shredder or enlist a firm that specializes in document destruction services. Many disposal firms will come to you and shred on-site or will provide you with a certificate of destruction, for greater peace of mind.
Theft by an employee is possible, but portable equipment such as laptops is more likely to be stolen by a visitor or vendor with access. Laptop locks are a simple solution that secures the device to something large and ‘less liftable’. Equipment such as servers should be protected behind locked doors. Employees should be instructed to keep portable drives under lock and key.
Your security policy should reiterate the importance of portable device protection – including an employee’s personal devices that may have access to your network. Don’t assume that employees know best practices – tell them and remind them periodically.
As you think about your physical computing assets, don’t forget those that you retire. Simply putting electronics in the garbage is not a solution. Recycling electronics without first removing data is also not a wise step. All data from drives should be completely wiped prior to disposal. You can find many clever, potentially fun, and often dangerous ways of destroying hard drives online. But save yourself time – and maybe a limb – and take a two-for-one approach by contracting with the same firm that will destroy your paper records. Many document destruction firms also provide a service to destroy hard drives and other media.
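The wiping advice above is only as good as the check that follows it. The script below is an added example, not part of the original post: it scans a drive image block by block, reports every region that still holds non-zero data after a wipe, and can be pointed at a real block device (the `scan_file` path is an assumed usage; run it read-only). The sample image and its leftover "patient record" fragment are constructed here for illustration. Note that a read-back check only sees what the drive chooses to show: remapped sectors on spinning disks and over-provisioned cells on SSDs are not covered, which is one reason the post recommends physical destruction for retired media.

```python
"""Post-wipe verification: find blocks of a drive image that are not all zero.

Added example (not the original article's code). Intended for a drive that
was overwritten with zeros; any non-zero block means the wipe did not cover
it and the media must not leave the building as-is.
"""
from typing import Iterable, Iterator, List, Tuple

BLOCK_SIZE = 512  # assumption: classic sector size; use 4096 for 4Kn drives

Region = Tuple[int, int]  # (byte offset, byte length)


def _blocks_from_bytes(data: bytes, block_size: int = BLOCK_SIZE) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, block) pairs from an in-memory image."""
    for off in range(0, len(data), block_size):
        yield off, data[off:off + block_size]


def _blocks_from_file(path: str, block_size: int = BLOCK_SIZE,
                      chunk_blocks: int = 4096) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, block) pairs from a file or block device, reading in large chunks."""
    with open(path, "rb") as f:  # read-only: verification never writes
        base = 0
        while True:
            chunk = f.read(block_size * chunk_blocks)
            if not chunk:
                return
            for i in range(0, len(chunk), block_size):
                yield base + i, chunk[i:i + block_size]
            base += len(chunk)


def find_residual_regions(blocks: Iterable[Tuple[int, bytes]]) -> List[Region]:
    """Merge consecutive non-zero blocks into (offset, length) regions."""
    regions: List[Region] = []
    start = None
    end = 0
    for off, block in blocks:
        # bytes.count(0) == len(block) iff every byte is 0x00
        if block.count(0) != len(block):
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
        end = off + len(block)
    if start is not None:  # image ended inside a residual run
        regions.append((start, end - start))
    return regions


def wipe_report(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Summarise an in-memory image: total size, leftover bytes, regions, pass/fail."""
    regions = find_residual_regions(_blocks_from_bytes(data, block_size))
    residual = sum(length for _, length in regions)
    return {"size": len(data), "residual_bytes": residual,
            "regions": regions, "wiped": not regions}


def scan_file(path: str, block_size: int = BLOCK_SIZE) -> List[Region]:
    """Same check against a file or device path, e.g. an image taken after wiping."""
    return find_residual_regions(_blocks_from_file(path, block_size))


def build_sample_image() -> bytes:
    """Constructed sample: 64 zeroed sectors with two fragments the wipe missed."""
    img = bytearray(64 * BLOCK_SIZE)
    img[3 * BLOCK_SIZE:3 * BLOCK_SIZE + 40] = b"PATIENT-RECORD-0001 constructed sample".ljust(40, b".")
    img[50 * BLOCK_SIZE + 100:50 * BLOCK_SIZE + 110] = b"\xff" * 10
    return bytes(img)


if __name__ == "__main__":
    report = wipe_report(build_sample_image())
    status = "PASS" if report["wiped"] else "FAIL"
    print(f"{status}: {report['residual_bytes']} residual bytes in {len(report['regions'])} region(s)")
    for off, length in report["regions"]:
        print(f"  non-zero data at offset {off} ({length} bytes)")
```

In practice you would run `scan_file("/dev/sdX")` (or against a saved image) after the overwrite and only release the drive to the disposal firm when the region list is empty; anything else goes back for another pass or straight to physical destruction.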
Maintaining the Temperature
Protecting desktop computers, servers, and mobile devices is an obvious need and the focus of most security efforts. But other hardware plays a big part in the running of many organizations. Fire control systems, temperature maintenance systems, and power supplies are examples of hardware to be secured. These assets are especially critical in healthcare, where medications must be kept protected and intensive care and surgical units must keep operating. Physical security information management platforms can help by integrating multiple unconnected devices and controlling them through one interface.
The headlines today are filled with news of cyber security breaches. As you take steps to ensure cyber safety, don’t forget the physical assets in your organization that require protecting as well.