By: Dave Bykowski on October 07, 2021
6 Easy Ways To Add Physical Security To Your Cybersecurity Strategy
With data breaches in the news every day, most organizations have shored up their cybersecurity efforts. In spite of that, many have overlooked a key element: physical security.
Even if we have a safe or lockbox for our valuables, we’d never consider leaving the front door to our home unlocked. We want to protect our homes from thieves and people who may wish to do us harm. We know thieves look for easy targets.
This is also true with cybercrime. Your on-site data center may be locked, but that doesn’t eliminate the need for additional layers of security. In the cybersecurity world, we talk about “defense in depth,” which really means layers of protection. The same approach should be taken with physical security.
Digital thieves look for easy targets. If you give the impression that you have things locked down and protected, they will skip to an easier target, unless you have something hugely valuable that is worth making that effort and taking that risk.
As Kelser’s manager of information security and compliance, I have seen physical security and cybersecurity effectively work together to deter cyber criminals. I’ve been involved with digital and physical security of sensitive data for more than 10 years.
I’ve seen incidents where companies have suffered significant losses that could have been avoided by simply locking things up. In one instance, a terminated employee stole client information that was left out on a desk and then used that information to steal clients; a significant financial hit for a small company.
In this article, I’ll explain why physical security should be an important part of your overall cybersecurity plan and outline 6 steps you can take today.
Why Is Physical Security An Important Part Of Cybersecurity?
We’ve all been guilty of having a false sense of security.
In Connecticut, for example, we’ve recently had a rash of vehicle thefts. Interestingly, many of the stolen vehicles were easily accessed by thieves because they were left unlocked and had the keys or key fob in plain sight in the car. That is a perfect example (on a small scale) of how a little bit of physical security can go a long way toward protecting property from thieves.
The same principle applies to protecting data. Your data center may be locked, and you may have great cybersecurity protocols in place, but that in itself doesn’t fully protect you.
Think about the following scenario:
You host a customer tour. It’s a great opportunity to show your customers that their data is safe in your hands. One of the important stops on the tour is your data center. The group is escorted in and out. So far, so good.
During lunch, one of your guests excuses themselves to make a phone call. Instead they go back to the data center claiming to have left something behind. An employee lets the visitor in. Suddenly, your data is at risk. Nothing seems wrong until days later when you notice something is not working right or missing.
People can easily gain access to locked rooms. How can physical security help you keep this from happening?
Making life harder for criminals can often be enough to turn them away. Again, thieves look for the easiest and least detectable way to access their target. This is doubly true for cybercriminals.
Adding simple deterrence measures (like locking your car door) often can be enough to stop a potential threat. And, adding layers of physical security (on top of effective cybersecurity measures) is the best way to minimize threats.
In the example above (the visitor going back to the data center), two measures would have reduced the risk immediately:
- Tracking who enters and exits restricted areas (a sign-in log or badge reader) would show who was in the room and when. Cameras that time-stamp their footage are better still, because you can then see exactly what happened and when.
- A policy that every visitor is escorted at all times, with no exceptions for "I left something behind," is a simple and effective way to close this gap.
Think of it this way: One business hires a security guard. Another erects a fence. A third has security lighting installed. A fourth has signs on windows and doors about their alarm system. A fifth business has all of these safety measures in place. If you are a criminal looking for an easy score, which one are you most likely to choose?
One other tip...don’t forget about auxiliary facilities. Make sure you extend the perimeter of your policies and physical security measures to areas outside your primary building. If you have backup facilities or remote work sites, make sure to include them in all of your security measures.
Some organizations are required to demonstrate their ability to keep data safe. Government contractors, healthcare providers and businesses that process credit cards come immediately to mind.
Companies that access controlled unclassified information are required to have procedures in place to mitigate the risk of a security breach.
Industry-accepted standards like NIST SP 800-171 provide a framework of record-keeping and data-handling requirements for protecting information that is sensitive but not classified. This standard in particular includes a dedicated Physical Protection family of requirements (limiting and escorting physical access, logging it, and controlling physical access devices such as keys and badges) that anyone running a company would benefit from reviewing.
Other compliance frameworks include PCI DSS (for organizations that process credit card information) and HITRUST (widely used by healthcare organizations).
Whether or not your company is required to comply with NIST 800-171 or another framework, the main points outlined in these documents provide comprehensive methods for securing data. They are worth considering as you evaluate your own physical security plans.
Protect The Supply Chain
In 2018, a government initiative called Deliver Uncompromised introduced the importance of ensuring the protection of the entire military and defense supply chain.
Whether your organization makes the smallest semiconductor chip or is responsible for the fully assembled final product (airplane, ship, etc.), there are risks at every step in the process.
Supply chain attacks are among the highest-impact attacks happening right now. Some are digital in nature (a compromised software update, for example) and others are physical (a tampered or counterfeit component).
Although it sounds like something out of a spy novel, there are absolutely cases in which counterfeit motherboards have gotten into equipment that has made its way into government systems. Bad actors want to infiltrate the top military technologies.
Whether you make digital components or not, you want to ensure that any item you produce (especially if government-related) is physically protected at all stages.
Layering physical security and cybersecurity measures is the most effective way to minimize risk.
6 Easy Ways To Strengthen Physical Security
Physical security is an easy (and relatively inexpensive) way to add depth to your cybersecurity plan. Not all solutions are right for every business (for reasons including the size of the business, the nature of the product, and the cost of the solution). The key is to take appropriate measures that make sense for your organization. Here are some simple things to consider:
1. Sign In/Out
Know who is in your building at all times. This can be accomplished with a simple written log. You want to know the name of the visitor, the company they represent, the reason for the visit, and which of your employees will meet with them. Visitors should check out when they leave. You want to know that everyone inside your building at any given moment belongs there.
2. Badges
Consider an easily recognizable badge system for quick visual verification that the person you see in the hall belongs there, or that the person trying to access a restricted area doesn’t.
3. Policies
As mentioned previously, establishing policies (regarding visitors, fire/medical emergencies, and myriad other potential risks) can be an easy and inexpensive way to create another layer of security. Make sure these policies are communicated, monitored, tested and updated regularly.
One example of a policy might pertain to computer equipment and include simple but effective guidance such as:
- lock screens when away from computers
- secure equipment, including flash drives and other removable media
- don’t plug personal or unknown devices into company systems, and don’t connect company devices to non-company systems
- collect laptops, external hard drives, badges, and access keys/keycards upon employee termination, and deactivate the badge and any keycard in the access-control system at the same time (a collected badge that is still active can be copied or may not really have been collected)
4. Locks
Certain service-oriented businesses like fast-food restaurants or gas stations that are open 24 hours might not be able to lock their front doors. Nevertheless, there should be restricted areas even within these businesses (the office, the network closet, the safe room) that are off limits to everyone except the people who need to be there. Whether you use physical locks, badge access or biometrics, make sure these areas are locked at all times, not just after hours.
5. Cameras
Whether the issue is shoplifting, behavior of students on the bus or cybercrime, cameras have been shown to be an effective deterrent.
Put some cameras in visible locations and check the footage regularly for unusual activity! If an employee is accessing a restricted area after hours on a consistent basis, that might be worth checking on.
If the camera footage carries a time/date stamp and is correlated with badge-reader logs, you can catch simple abuses such as one person using someone else’s badge: the badge record says who should be at the door, the footage shows who actually was.
Camera footage is good not only for visual verification, but also in the event of legal remediation. Keep the footage somewhere an intruder (or an insider) cannot simply delete it: recorded off the camera itself, with password-protected and logged access, and retained long enough to cover the days it may take to notice a problem. That does not make erasure impossible, but it makes it far harder and far more likely to be noticed.
Some systems offer a combination of cameras: one covering the access door from outside, and a motion-activated camera with lighting inside the door. Some can even alert you if a camera goes offline.
Don’t rely on a camera system that can be easily deactivated or stolen. If you are going to invest in this technology, make sure you are investing in one that will pay dividends when you need it. Don’t forget, sometimes the greatest threat can come from within the organization.
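The review that the camera and badge discussion above calls for can be done with the badge-reader export alone. The following is an added example, not code from the original article or from Kelser: it reads a constructed badge-reader log and flags the three warning signs discussed in this section and under Policies: repeated after-hours entry to a restricted area, one badge used at two doors faster than anyone could walk between them (a sign the badge is being shared or copied), and a badge that should have been collected at termination still opening doors. The log format, door names, business hours, and walking times are assumptions for illustration; a real deployment would take them from your access-control system.

```python
"""Review a badge-reader log for the warning signs described in the article.

Added example; the log lines, door names, hours and travel times below are
constructed for illustration, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export, one event per line: "timestamp,badge_id,door,result"
SAMPLE_LOG = """\
2021-10-04T08:55:12,B1001,lobby,granted
2021-10-04T22:41:03,B1002,server-room,granted
2021-10-05T23:10:45,B1002,server-room,granted
2021-10-06T13:02:11,B1003,server-room,granted
2021-10-06T13:02:40,B1003,warehouse,granted
2021-10-06T22:58:30,B1002,server-room,granted
2021-10-07T09:15:00,B1004,server-room,denied
2021-10-07T09:20:00,B9001,server-room,granted
"""

RESTRICTED_DOORS = {"server-room", "warehouse"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # assumed working day
# Assumed minimum walking time (seconds) between door pairs; two "granted"
# events on the same badge closer together than this cannot be one person.
MIN_TRAVEL = {frozenset({"server-room", "warehouse"}): 300}
# Badges that HR says were collected at termination (assumed list).
COLLECTED_BADGES = {"B9001"}


def parse_log(text):
    """Turn the CSV export into (timestamp, badge, door, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return sorted(events)


def after_hours_repeat(events, min_count=3):
    """Badges granted entry to a restricted door outside business hours at least min_count times."""
    start, end = BUSINESS_HOURS
    counts = defaultdict(int)
    for ts, badge, door, result in events:
        if result == "granted" and door in RESTRICTED_DOORS and not (start <= ts.time() < end):
            counts[badge] += 1
    return {badge: n for badge, n in counts.items() if n >= min_count}


def impossible_travel(events):
    """Same badge granted at two doors faster than a person could walk between them."""
    last_seen = {}
    hits = []
    for ts, badge, door, result in events:
        if result != "granted":
            continue
        if badge in last_seen:
            prev_ts, prev_door = last_seen[badge]
            limit = MIN_TRAVEL.get(frozenset({prev_door, door}))
            gap = ts - prev_ts
            if limit is not None and gap < timedelta(seconds=limit):
                hits.append((badge, prev_door, door, int(gap.total_seconds())))
        last_seen[badge] = (ts, door)
    return hits


def revoked_badge_use(events):
    """Badges recorded as collected that are still opening doors."""
    return sorted({(badge, door) for ts, badge, door, result in events
                   if badge in COLLECTED_BADGES and result == "granted"})


def review(text):
    """Run all three checks over one log export."""
    events = parse_log(text)
    return {
        "after_hours": after_hours_repeat(events),
        "shared_badge": impossible_travel(events),
        "revoked_badge": revoked_badge_use(events),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

On the constructed sample this flags B1002 for three late-night server-room entries, B1003 for reaching the warehouse 29 seconds after the server room, and the supposedly collected badge B9001 for opening the server room. Each finding is a reason to pull the matching time-stamped camera footage, which is exactly the correlation the section above recommends.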
6. Guest Wi-Fi
One of the most cost-effective ways to up your security game is to give visitors their own password-protected guest Wi-Fi network that is isolated from the network your employees and servers use. A visitor’s laptop or phone then never touches your internal systems, and a compromised guest device cannot reach them.
For most companies that already have an employee Wi-Fi network, it will likely cost nothing to use the same device(s) to set up a separate guest network. Nearly all relatively modern wireless routers have this capability, including the option to block guest clients from the internal network; if yours doesn’t, it is probably missing other security features as well and it may be time to replace it.
Ready To Find Out How Physical Security Can Add Layers to Your Cybersecurity Plan?
In the past, small companies often thought cyber criminals were more interested in large, high-tech businesses. According to the U.S. Small Business Administration that is not the case: “Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.”
Many times protections can come from things as simple as advertising that you have an alarm system in place or an 8-foot tall fence surrounding the building or cameras monitoring entrances and exits. All of these things make gaining access look more difficult and can dissuade people who want to do harm.
Nobody would implement the same security measures for protecting a computer mouse on an employee’s desk as for our data center. The key is to use reasonable means for protecting data and equipment of varying values.
Every business should regularly review the greatest risks to business survival or success (financial or otherwise). Those things that have the greatest potential to impact the business negatively should be the ones under highest protection, whether they are IT assets, physical assets, pieces of machinery, or inventory.
While it is impossible to completely eliminate all risk, simple actions can mitigate the risk to a manageable level. Invest at the appropriate level for your business risk.
Something as simple as not storing the spare paper towels in the IT server closet, for example, means fewer people have a reason (or a key) to enter it, which is exactly the kind of small change that adds up.
For more ideas about enhancing physical security, check out this article: What Does Good Physical Security Look Like?