Why you should create a physical security standard for your company
As organisations continue to struggle with the growing number of cyberattacks, the focus on physical security has dwindled, catching many organisations unprepared. While threats such as ransomware, social engineering, unsecured cloud computing configurations, and network vulnerabilities remain important challenges for cybersecurity teams, the threat of an unauthorised person walking into an unlocked office and stealing or accessing IT devices is just as significant, yet underestimated. A stolen device or unauthorised access can have far-reaching consequences for businesses and, without proper attention to physical security, it can be difficult to trace the perpetrator or prevent such attacks.
With so much movement between on-premises, hybrid, and remote working, and with digital transformation supporting these changes, it's not surprising that some organisations haven't evaluated and enhanced their existing physical security measures as they have their cybersecurity. However, the risk is still present, so organisations should act immediately to review and, where necessary, improve their physical security measures to ensure they're protected across all risk factors.
Physical security focuses on designing and implementing measures that prevent unauthorised physical access to an organisation's premises and resources. It's a cornerstone of a comprehensive 'defence in depth' approach to securing an IT environment.
The concept of 'defence in depth' looks at all the ways that security vulnerabilities can be exploited, from hardware and software to human factors. Cybersecurity professionals understand that depending on a single control measure is risky. Layered controls ensure that if one is compromised, it doesn't mean disaster for the entire system. This same methodology should be extended to the entire physical organisation.
Of course, digital protection measures such as antivirus software, secure gateways, firewalls, and virtual private networks (VPNs) remain crucial. Incorporating advanced digital strategies, such as machine learning to monitor for behavioural anomalies, provides an added layer of security. Leadership teams should also assess whether similar approaches have been applied to address any physical vulnerabilities. For example, a combination of manned entry points, locked facilities, cameras, and security alarms offers robust protection. It's unlikely that a physical intrusion will occur simply to steal a laptop. Instead, these malicious actors commonly look for a way to access data or install malware inside the organisation's physical perimeter, where some protections may be lacking.
The most devastating and stealthy approaches are often very simple. For example, a threat actor does a quick LinkedIn search and identifies the top sales executive of an organisation. Armed with their name and pretending to have a lunch appointment, they approach the receptionist, asking for directions to that employee's workstation. Once granted access, they could potentially gain entry to server rooms, IT storage areas, or network closets. Without effective physical security measures to stop them, this unaccompanied and unauthorised individual could cause widespread damage. By the time the damage is apparent, the threat actor is long gone.
Organisations don't necessarily have to invest in expensive cameras and alarm systems or employ an army of security personnel. There are a number of basic hygiene measures that they can take immediately to lower their physical security risk without adding significant cost. For example, locking all IT devices, from laptops to USB drives, in a secure storage space so that valuable data on them can't be accessed can prevent a significant number of attacks. This extends to networked printers, which should also be locked away as they can be vulnerable when left in publicly accessible areas. Similarly, network ports and wireless access points should be hidden from plain view and disabled in public areas to prevent unsanctioned access.
Finally, staff should securely erase storage media such as hard drives, USB drives, or any device with on-board storage prior to disposal or re-use in accordance with the NIST 800-88 Revision 1 Secure Deletion and Disposal Standard.
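Sanitising media is only half of what NIST SP 800-88 Rev. 1 asks for; the other half is verifying that the overwrite actually took. The script below is an added example, not code from the original article or from NIST: it reads a medium back, in full or as a representative sample of sectors, and reports any sector that does not consist solely of the overwrite pattern. The 512-byte sector size, the constructed disk images and the residual "customer record" bytes are assumptions for the demonstration; against real hardware you would read from the block device opened read-only.

```python
"""Read-back verification of an overwritten storage medium.

Added example (not part of the original article). NIST SP 800-88 Rev. 1
expects sanitisation to be verified; for an overwrite-based Clear that means
reading the medium back, fully or as a representative sample, and confirming
that only the overwrite pattern remains. `medium` is a bytes object here; on
a real system you would read the block device opened read-only.
"""
import random
from typing import List, Optional, Tuple

SECTOR_SIZE = 512  # assumed logical sector size for the sample images


def verify_overwrite(medium: bytes, pattern: bytes = b"\x00",
                     sample_sectors: Optional[int] = None,
                     seed: int = 0) -> Tuple[bool, List[int]]:
    """Check that every inspected sector consists solely of `pattern`.

    sample_sectors=None inspects every sector (full verification);
    otherwise a pseudo-random sample of that many sectors is inspected.
    Returns (ok, byte offsets of sectors that still hold other data).
    """
    if not pattern:
        raise ValueError("pattern must be non-empty")
    # One full sector's worth of the expected pattern, e.g. 512 zero bytes.
    expected = (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]
    n_sectors = -(-len(medium) // SECTOR_SIZE)  # ceiling: include a partial tail
    if sample_sectors is None:
        indices = range(n_sectors)
    else:
        rng = random.Random(seed)  # fixed seed so an audit run can be reproduced
        indices = sorted(rng.sample(range(n_sectors), min(sample_sectors, n_sectors)))
    offending = []
    for i in indices:
        chunk = medium[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        if chunk != expected[:len(chunk)]:
            offending.append(i * SECTOR_SIZE)
    return (not offending, offending)


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed test data: a 64-sector image that was fully zeroed, and a
    copy in which two sectors still hold residual plaintext (a failed wipe)."""
    clean = bytes(64 * SECTOR_SIZE)
    residual = bytearray(clean)
    leftover = b"customer-record: Jane Doe, card ending 1234"  # constructed
    for sector in (5, 40):
        start = sector * SECTOR_SIZE
        residual[start:start + len(leftover)] = leftover
    return clean, bytes(residual)


if __name__ == "__main__":
    clean, residual = build_sample_images()
    print("clean image, full read-back :", verify_overwrite(clean))
    print("dirty image, full read-back :", verify_overwrite(residual))
    # A small sample can miss residual sectors entirely, which is why a full
    # read-back is the stronger check and sampling is only a compromise.
    print("dirty image, 4-sector sample:", verify_overwrite(residual, sample_sectors=4))
```

Two caveats a practitioner should keep in mind: the check only proves that the addressable sectors read back clean, so it applies to overwrite-based sanitisation of magnetic media; for flash-based SSDs, whose wear levelling can leave copies of data in blocks the host cannot address, 800-88 points to the drive's own sanitise or cryptographic-erase mechanisms rather than software overwrite. And the sampled mode exists so that very large media can be spot-checked quickly, not as a substitute for a full read-back when the medium is leaving the organisation's control.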
As the boundary between the digital and physical worlds becomes increasingly blurred, adversaries are quick to exploit vulnerabilities wherever they find them. A multi-dimensional, multi-layered defence strategy is critical. By bridging the gap between cyber and physical defence, organisations are better equipped to face an ever-evolving threat landscape.