“In the age of hacking, phishing and social engineering, it’s easy to forget about physical or environmental security. But Physical Security is unequivocally as important as its logical cybersecurity counterpart.
Physical Security threats can be internal or external, man-made or acts of nature. Modern companies should rely on logical cyber and Physical Security programs in tandem to protect the physical assets of an organisation, be it people or hardware. Network firewalls, IPS/IDS systems or DMZ are all worthless if a criminal can walk into your building and steal a drive, or if you lose hardware after an earthquake or other cause by nature.
Every organisation should mitigate tangible threats in their area, which may include:
- Malicious insiders
- Service or utility interruptions
- Natural disasters
Physical Security is not only important for organisations, but for the home as well. We discuss the importance of Physical Security.
Physical Threats And / Or Attack
“Physical Security is important because a physical attack is perhaps the most fundamental kind of attack. The types of actions we’re referring to when we speak of physical attacks can include things such as the following:
- Simply hitting the reset switch or power button
- Using a floppy drive or CD-ROM drive on a machine that does not support good BIOS security
- Damage to or theft of important machine components, especially those that store data
- Theft of an entire machine
In the home environment, physical attacks are both less likely and more difficult to defend against should you be unlucky enough to be the target of burglary or theft. Still, some steps can be taken to prevent such problems.
In the small office, on the other hand, Physical Security is one of the most important concerns. While large corporate installations are typically closed to public entrance and are well guarded both by humans and by various forms of electronic security, the typical small business can afford no such luxuries. Thus, it is especially important for the small business user to focus on Physical Security as an important step in preventing data loss or service interruption.”
“How To Mitigate Physical Security Threats
Some physical threats are more easily mitigated than others. It would be significantly easier to bar entry to a malicious insider by enforcing access control measures — badge swipe door locks, for example — than it is to mitigate against a natural disaster. Much like logical security, no rand amount can stop these threats entirely, but it is the responsibility of the organisation to perform its due diligence to lessen the impact of loss of business continuity.
There are several ways to mitigate risk in the physical space, including adding control mechanisms like:
- Site layout
- Access controls
- Intrusion protection and detection
- Utility redundancy
- Elemental protection
Your organisation’s site layout is incredibly important to protect the assets it contains. People and hardware can fall victim to weather, crime, eavesdropping/voyeurism and emergencies if not properly prepared.
A low-profile design can help prevent all of these potential threats. Lower visibility, for example, can be the difference between a criminal breaking into your building or the one next door. The fewer access points, like external doorways, the better. Consider using a keycard system to lock doors and track who accesses each space when. Store equipment containing sensitive information in spaces with no windows and scrutinized access.
Equipment that can remotely access sensitive information should also be physically secure. Years ago, it would have been enough to ensure no computer monitors faced windows on the first floor. In the age of drone imagery, however, this isn’t enough. All windows should have blinds, or all equipment regardless of what floor it’s on should face away from an outside view.
Access controls within your business prevent strangers, vendors and visitors from obtaining access to equipment or information they otherwise shouldn’t have access to.
Proximity cards or card swipes alone could ensure the public is corralled away from accessing sensitive information or assets. Either of these methods will also provide an audit trail, which can be valuable because a malicious insider’s movements inside the facility will be tracked.
Intrusion Protection & Detection
Using secondary security equipment like motion detectors and closed-circuit cameras complements the use of key cards. If the key process were subverted, the system would be alerted to a trespasser via motion detection and engage video recording of the event.
Your business can also face threats from larger outside forces that may seem non-threatening, such as participation in the local power grid.
Anyone operating on a local power grid could be subject to a breach if the power goes out due to overuse. Having a backup plan for your utilities can lessen the impact of a threat by keeping your network interruption-free. Businesses that rely on the up-time of their equipment should include power redundancy within their security program, so they can remain in operation while the utility company works to restore service.
Natural disasters are also a very real threat to physical security, particularly in areas where tornadoes, landslides, earthquakes and flooding are common. Bear in mind that South Africa may not be subjected to most natural disasters, but some of them have occurred, and, it is best to remain informed and prepared.
- When choosing to relocate or open a new office, know the common environmental threats to that specific area.
- Plan your space appropriately so it has the proper safeguards.
- Monitor local weather reports.
- Institute preventative measures if you know a storm is coming.
Implementing Physical Security
The best place to start identifying the vulnerabilities of your physical space and their impact is with a risk analysis. The analysis will evaluate crime reports, historical weather, natural phenomenon and man-made hazards, which will help your administration prioritise each threat. Defining the threats will help you determine what your minimum Physical Security needs will be.
Next, you should develop baseline countermeasures. These items will be the minimum Physical Security features you obtain to avoid any asset loss.
It’s important to be diligent in your risk assessment, as these security measures can become costly. In addition, the development of the minimum Physical Security must also agree with any legalities for the country. Data retention is often a common legal requirement for organisations. You may need to purchase storage equipment or off-site storage to meet these regulations.
Once installed, each mitigation technique or device needs to be tested. If there are any failure points in the test, the Physical Security program must adapt to include the failures. This includes testing employees on how to react to a particular type of disaster and adjusting training materials accordingly. After testing is complete and the program is fine-tuned, it can be implemented organisation-wide. One test is not enough, however; you should schedule regular tests of each security strategy to ensure they are working properly and are up-to-date with legal requirements.”
All opinions expressed in this article are not the onus of the publisher nor supplier.