If you thought that cyber security is just about keeping IT networks safe from online hackers, think again. Physical security is just as important.
At the TEISS cyber security summit, FC (or “Freaky Clown”) from ethical hacking company Redacted Firm gave a highly pragmatic overview of the importance of physical security to cyber security.
Some people feel that cyber security starts and finished with the corporate IT network. In these days of smartphones and Bring Your Own Device, this is no longer true.
But security isn’t just about the managing what goes on in hardware. It’s also about stopping people getting physical access to the hardware.
Also of interest: Boosting employee cyber security
FC outlined a series of areas where organisational security is often weak.
- Fences: fences can be too low, have gaps, or have places where nearby structures (signposts, trees) allow people to scale them
- Windows: the fashion for offices built as big glass boxes continues; however any office where someone outside can look in and see documents, or perhaps more seriously observe people logging on to computer systems, is open to a data breach
- CCTV: having security cameras is a great precaution unless they are facing the wrong way, can be tampered with by someone on foot (or even on someone’s shoulders), or have exposed wiring that is easily cut
- Reception areas: these don’t just need to look good- they need to promote security; if there are places that receptionists can’t see then that’s a problem; likewise receptions that are easy to see into can be a problem, especially if they are sometimes left unstaffed (hint: make sure that there are always two people on security duty as it is easy to distract a single person)
- Doors and gates: secure doors and gates are only useful if you can’t walk round them or if worn keypads don’t give the entry codes away!
- Badges are essential – but not just for visitors: if only visitors have them, then any visitor who takes off their badge suddenly looks like a member of staff; and of course badges can be copied, especially if employees wear them openly when they leave their workplace
- Locks: locks can offer protection, but only against honest people (most criminals can unpick locks in a few seconds); and they only work if they are used - security doors that are propped open are a too-common site
- Magnetic locks on doors are harder to pick, but they will only protect your premises if they are on the inside of the door and not the outside (where they can simply be unscrewed)
- Waste paper: confidential documents inadequately shredded and left in insecure locations obviously present a risk, from cleaners, temporary staff and passers-by; how scrupulous are your employees at shredding confidential documents (including those that didn’t print properly)?
- Unlocked cupboards: you have locks on cupboards for a reason; leaving them unlocked is a security risk as well as being a symptom of lazy security thinking
- Insecure disks: if a desk is covered with paper or has a computer that is never locked it represents a security risk as dishonest employees, visitors or intruders may well be able to find information that they find of value
Perhaps the most important part of keeping physically secure is the culture within your organisation. People staffing reception desks need to be aware of the tricks that unscrupulous people will play, and the methods they will use to gain sympathy and unwarranted help. Employees generally need to realise the importance of challenging strangers - and they must feel empowered to do this.
The good work of IT managers and CISOs to protect data can easily be undone if simple, but essential physical security precautions are ignored. Ensuring your security culture embraces physical breaches as well as IT security is the only way to have a chance of keeping safe.