In a world where cybersecurity dominates the headlines and conjures up controversy every hour, it is easy to see how other elements of security can be overlooked. Unfortunately, in the age of social engineering, hacking, phishing and so on, physical security is being undermined by its more popular cyber counterpart. However, businesses must remember that physical security is unequivocally just as important when protecting employees, assets and data.
These days, businesses are focusing more and more on technology-oriented security counter-measures including firewalls, cryptography, Intrusion Detection Systems (IDS) and overall network security. With businesses caught up in the fanfare and alarmism around cybersecurity, physical security has arguably fallen by the wayside, becoming an afterthought despite the fact that a mis-step here can be just as damaging as any hack or breach. Indeed, any amount of cyber protection could easily be rendered useless if an attacker is able to simply gain access to an office and its devices and do as they please.
What Can Happen?
Physical or protective security focuses on protecting personnel, software, hardware, networks and data from physical actions or events that may cause significant loss or damage to an organisation. These tangible threats can include:
- Malicious insider threat;
- Service or utility interruptions;
- Lost or stolen devices;
- Natural disasters; and
Over the past few decades, physical security has become increasingly difficult to address, especially as it blends more thoroughly with technology. Consider the proliferation of mobile work devices such as laptops, USB drives, tablets and so on: an entire business could be compromised by a staff member simply losing a device or having one stolen. Indeed, physical security is becoming more vulnerable as technology becomes more complex.
In 2014, Coca-Cola faced a class action after several laptops were stolen, compromising the information of at least 74,000 employees, suppliers and contractors. In December last year, Australian telecommunications company Vocus made headlines when a man filmed himself entering the foyer of one of its data centres based in New Zealand, as both the front gate and lobby had broken locks. In 2008, the U.S. Department of Defence network was compromised when an employee found a USB and then inserted it into a government laptop. The USB was loaded with malware that then spread, undetected, throughout the Department’s classified and unclassified systems, sending data back to remote servers elsewhere and leading to a Pentagon operation known as Buckshot Yankee.
Physical security threats are diverse: they can be man-made or acts of nature, internal or external, intentional or accidental. Attackers can enter secure areas through tailgating, stealing or hacking access control cards, or simply breaking through doors. All the cybersecurity measures in the world can be rendered worthless if someone can walk into your building and steal a drive, if an employee is careless or if you lose hardware after a natural disaster.
What Can Businesses Do?
In this environment, organisations are faced with the daunting task of safeguarding their data, personnel, equipment, facilities, systems and company assets. In tackling such a task, companies must have a layered approach to their physical security strategies, essentially ensuring attackers must bypass multiple, unique layers before reaching their objective.
These systems can include, among many others:
- Physical Intrusion Detection Systems (PIDS) and motion detectors
- Alarms and locking systems
- RFID systems and cable locks on remote company devices
- Personnel emergency responses
- Power back-ups
- Security staff
There are key areas of physical security that must be assessed when a company is looking to mitigate their risks.
Site layout is essential in protecting your company from weather, crime, voyeurism and other emergencies. Companies can choose low-profile designs to attract less attention, or they can focus on having fewer access points or introducing keycard systems to secure and track entry into the building.
Layout can also come down to having sufficient lighting inside and around your building and adhering to strict lock-up procedures for an office. While this all may seem like common sense, its simplicity can often mean this area is gravely under-prioritised.
Introducing access controls that limit the accessibility of equipment and information is an important step in ensuring strangers, vendors, visitors and staff are unable to get their hands on anything they’re not supposed to. These types of controls can help quarantine breaches and ensure minimal impact. They can also effectively create an audit trail that can track malicious movement and locate its source.
Intrusion Protection & Detection
Often the first line of defence, equipment such as motion detectors and CCTV cameras can be an effective deterrent for physical attacks whilst also enabling a business to be alerted and respond more efficiently to trespassers.
Prioritising Physical Security Once Again
When considering physical security, a company must conduct a risk analysis tailored to its unique responsibilities and requirements. This could involve evaluating crime statistics, conducting area background checks, assessing historical weather and so on, enabling your company to define and prioritise threats and develop appropriate responses. The products of a risk analysis must also be tested thoroughly and repeatedly. To fine-tune physical security, measures need to be adopted company-wide, failure points must be rooted out and adapted, and employees should be trained on how to react to threats.
Managing physical security often comes down to understanding your company and its vulnerabilities and taking simple, yet effective, measures to safeguard them. Organisations have a responsibility to perform their due-diligence to locate the threats facing them and implement effective physical and cybersecurity systems to mitigate the risks.
Essentially, businesses can no longer undermine their physical security needs simply because it does not instil as much fear or create such a commotion as its cyber sibling. Companies must understand the critical role that physical security plays in their operations, and act accordingly.
Author: Elsa Chapple, Agilient Consultant