In the age of hacking, phishing, and social engineering, it’s easy to forget about physical or environmental security. But physical security is as important as its logical cybersecurity counterpart.
Protecting employee safety, essential data, confidential information, networks, software, equipment, facilities, and company assets is what physical security is about.
You’ve read about the need for anti-malware protection, security awareness training, offsite backups, and sensitive file encryption. While critical, none of this protection matters if an unauthorized person can walk into your office and access your computers, network or sensitive physical files. It only takes a few minutes to copy documents to a thumb drive or take pictures of papers sitting out on a desk.
Video Surveillance. Do you have the coverage you need? Are all of your outside entranceways properly covered? What about the walkways and parking lots? What about indoor coverage? If your business has property that belongs to your clients, be sure your coverage includes work areas for liability. As an example, here at ICS all client-owned equipment (servers, PCs, laptops, etc.) is serviced on our Tech Bench and under 24/7 surveillance.
Just like your backups, be sure to periodically test your recordings. NVRs (Network Video Recorders) are under heavy load from the continual recording and have a higher failure rate than PCs. Be sure to look at both daytime and nighttime recordings; not all cameras handle very bright or low light conditions well. Don’t wait until an incident occurs to check!
Verify you have the appropriate number of days being saved; ICS recommends a minimum of 30.
And just like a PC, make sure your recording unit and all cameras are being patched with the latest software and firmware.
Consider using electronic access control. Common solutions like a badge reader are more cost-effective now than ever before. Use these devices to provide access and track who enters your facility and rooms containing sensitive data within your facility. Access control systems can be tied in with surveillance to further control and provide critical information in the event of a physical breach.
Keep a log of keys to your buildings. Make it a part of your employee onboarding and offboarding procedure to track who has keys to your facility and audit these logs periodically.
Have a guest sign-in sheet. Keep a log of any nonemployees in your building, including family and friends! Make sure everyone signs in when they walk into your building and they wear a Visitor Badge so your employees can easily identify them. Depending on the sensitivity of your data, having an escort at all times may be required by compliance.
Have a clean desk policy. No, we do not mean for sanitary purposes. Are your employees locking up important documents at night or when they leave for lunch or are they just putting them in a pile on their desk under a folder? Locking up important documents is important when working in an office space with significant foot traffic. You never know who could be walking by at any given time.
Do your employees keep sticky notes on their desktop or under keyboards with those tricky passwords that they can’t remember? Although someone might not know what that password is for, it won’t take them long to figure it out and many employees re-use passwords.
Have a clean screen policy. Do your computer screens lock after a certain amount of time? We are all guilty of leaving our computers unlocked when running to the bathroom or going to fill up our water bottles. But then you get sidetracked – an employee stops to ask you a question or your cell phone rings, and you take a call – all while your computer is sitting there open, giving anyone who walks by access to your important and sometimes confidential files and documents.
Locate sensitive files centrally. Where are your servers located? Where are you storing your important documents? By a window or maybe a high-traffic door? Important documents should be kept in a common area under surveillance or behind a locked door, preferably with an access control system to keep track of who is going in and out of that specific area.
Purge sensitive information appropriately. Sensitive information can live on many devices: servers, computers, laptops, copiers, backup media, thumb drives, tablets, and phones. Be sure all digital media is destroyed properly. Consider obtaining a Certificate of Destruction from a reputable recycling center for all old hard drives. Likewise, be sure to shred any sensitive paperwork.
Are you moving or building out new office space?
Set aside time to evaluate crime reports, historical weather & natural disasters, visibility and any man-made hazards. Defining potential threats will help you determine your minimum physical security controls. A low-profile security design can help mitigate potential threats. Lower visibility, for example, can be the difference between a criminal breaking into your building or the one next door.