Physical security is often overlooked in the information security industry because of the huge growth we have seen in cyber attacks. However, physical security still poses many risks to a company that need to be addressed. A study by Shred-it and the Ponemon Institute found that 68% of organizations suffered a data breach in the last 12 months, and that 71% of breaches in the healthcare sector were caused by the loss or theft of paper documents or devices. Furthermore, a joint study by Michigan State University and Johns Hopkins University found that 53% of data breaches were caused by internal factors like unauthorized access or improper disposal, not hackers. Given statistics like these you would think that the physical security of assets would be a high priority for companies; unfortunately this is not always the case. Research by the cloud security firm Morphean found that 77% of IT managers said physical security is not optimized in their companies. From a security perspective it does not really matter whether the breach is caused by internal or external factors; the point is to ensure that all assets within the company are protected and handled in the right way. Here, I will discuss some of the key physical security risks you want to look out for and some of the best controls to mitigate these risks in your company:
Physical Security Risks
Unauthorized Access: Simply put, this means people having access to your physical facilities, or to areas within them, that they should not have access to. This matters for many reasons: once someone is inside your facilities it opens the door to many other problems. They may be able to impersonate an employee and ask other people for confidential information about your company, steal documents that hold important information, steal ID cards that give access to other areas of the company, and do all sorts of other things that will cause you problems.
Improper Disposal: When a document that holds confidential information is no longer needed, it must be disposed of securely. People with a vested interest in stealing information from a company will look for documents that have not been properly disposed of. This is commonly referred to as dumpster diving: the practice of going through trash cans and dumpsters to find documents that hold important information. It is a very real problem that causes data breaches in companies. Interestingly enough, it is also a source of income; some people do it as a full-time profession.
Theft of Documents and Devices: Another important physical security risk is the theft of documents or devices that hold company information. These can be mobile phones, laptops, servers, meeting notes, employee records and more. All of these can contain sensitive company information and need to be protected.
Unaccounted Visitors: You want an accurate record of who was at each of your locations at any given point in time, so that if something does happen you know who was there. Keeping that record also forces every visitor to be verified before being let onto the property.
Workplace Violence: People are a company's most important asset and should be protected above all. This means having the proper controls in place to prevent violence towards employees from external threats as well as internal ones, such as sexual harassment, senior staff abusing their authority, or threats of physical violence.
Environmental Hazards: This includes emergencies like fires, earthquakes and any other hazard that poses a risk to employees. There should be a plan of action for every major event relevant to your business and location, to ensure employee safety and minimize the impact on the business.
Common Physical Security Controls
Access Controls: This includes things like smart cards and biometric checkpoints that only allow authorized personnel into a restricted area. Usually this is a combination of carrying a smart card and passing a retinal or face scan, so that a lost, borrowed or cloned card on its own is not enough to get through the door. This is a common way to prevent people from wandering into areas they should not have access to.
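As an added illustration (this is not code from the article), the block below models the decision logic a door controller for a restricted zone could apply: the badge must be known, not revoked, not expired and authorised for the zone; the biometric reader must report a match; and anti-passback denies a badge that is already recorded inside, which catches a cloned or passed-back card. Every attempt, granted or denied, goes into an audit log, which is also what gives you the "who was where, when" record discussed under unaccounted visitors. Badge IDs, names, zones and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Badge records, zone names and timestamps below are constructed for this
# example; they do not come from the article or any real deployment.


@dataclass
class Badge:
    badge_id: str
    holder: str
    zones: Set[str]          # zones this badge is authorised to enter
    expires: datetime
    revoked: bool = False    # set when a card is reported lost or stolen


@dataclass
class AuditEntry:
    time: datetime
    badge_id: str
    zone: str
    granted: bool
    reason: str


class DoorController:
    """Decision logic for one door into a restricted zone.

    Every check fails closed, and every attempt (granted or denied) is
    appended to the audit log with its reason.
    """

    def __init__(self, zone: str, badges: Dict[str, Badge],
                 biometric_required: bool = True) -> None:
        self.zone = zone
        self.badges = badges
        self.biometric_required = biometric_required
        self.inside: Set[str] = set()       # badges currently recorded inside
        self.audit: List[AuditEntry] = []

    def _log(self, now: datetime, badge_id: str, granted: bool, reason: str) -> bool:
        self.audit.append(AuditEntry(now, badge_id, self.zone, granted, reason))
        return granted

    def request_entry(self, badge_id: str, biometric_match: Optional[bool],
                      now: datetime) -> bool:
        badge = self.badges.get(badge_id)
        if badge is None:
            return self._log(now, badge_id, False, "unknown badge")
        if badge.revoked:
            return self._log(now, badge_id, False, "badge revoked")
        if now >= badge.expires:
            return self._log(now, badge_id, False, "badge expired")
        if self.zone not in badge.zones:
            return self._log(now, badge_id, False, "not authorised for zone")
        # None means the reader produced no result; treat it as a failure.
        if self.biometric_required and biometric_match is not True:
            return self._log(now, badge_id, False, "biometric check failed")
        # Anti-passback: a badge that enters twice without leaving has been
        # cloned, lent, or handed back through the door.
        if badge_id in self.inside:
            return self._log(now, badge_id, False, "anti-passback: already inside")
        self.inside.add(badge_id)
        return self._log(now, badge_id, True, "granted")

    def request_exit(self, badge_id: str, now: datetime) -> bool:
        if badge_id not in self.inside:
            return self._log(now, badge_id, False, "exit without recorded entry")
        self.inside.discard(badge_id)
        return self._log(now, badge_id, True, "exit")

    def occupants(self) -> Set[str]:
        return set(self.inside)


def demo() -> DoorController:
    """Run a sequence of constructed entry attempts against a server-room door."""
    t0 = datetime(2024, 1, 8, 9, 0)
    year = timedelta(days=365)
    badges = {
        "B-1001": Badge("B-1001", "alice", {"lobby", "server-room"}, t0 + year),
        "B-1002": Badge("B-1002", "bob", {"lobby"}, t0 + year),
        "B-1003": Badge("B-1003", "carol", {"lobby", "server-room"}, t0 + year, revoked=True),
        "B-1004": Badge("B-1004", "dan", {"lobby", "server-room"}, t0 - timedelta(days=1)),
    }
    door = DoorController("server-room", badges)
    t = [t0 + timedelta(minutes=i) for i in range(9)]
    door.request_entry("B-1001", True, t[0])    # granted
    door.request_entry("B-1002", True, t[1])    # valid badge, wrong zone
    door.request_entry("B-1003", True, t[2])    # reported stolen and revoked
    door.request_entry("B-1004", True, t[3])    # expired badge
    door.request_entry("B-9999", True, t[4])    # card not in the system
    door.request_entry("B-1001", False, t[5])   # right card, biometric mismatch
    door.request_entry("B-1001", True, t[6])    # card re-used while holder is inside
    door.request_exit("B-1001", t[7])
    door.request_entry("B-1001", True, t[8])    # normal re-entry after exit
    return door


if __name__ == "__main__":
    for e in demo().audit:
        print(e.time.time(), e.badge_id, "GRANT" if e.granted else "DENY", e.reason)
```

The order of checks matters in practice: revocation is tested before anything else that could succeed, so a stolen card is refused even when the thief also defeats the biometric reader, and a reader that returns no result is treated as a failed match rather than a pass. Denied attempts are logged as carefully as granted ones, because a burst of "not authorised for zone" or "anti-passback" denials on one badge is exactly the signal a guard monitoring the system should see.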
Fences, Walls and Razor or Barbed Wire: This is a good layer of physical security that both marks the perimeter of the area and keeps people from entering it easily. Wire on top makes scaling the wall or fence much harder; treat it as a deterrent and a delay that buys time for detection and response, not as something that cannot be defeated.
Surveillance Cameras and Sensors: These record and track movement in highly secure areas and in the areas surrounding important parts of your company.
Security Guards and Guard Dogs: These add human judgement to your physical security and are usually used to patrol an area, monitor cameras and verify people's ID before allowing them into certain areas.
Security Lighting: It is important to have good lighting all around your building. It improves what security cameras capture, lets security personnel see better during patrols, and discourages people from sneaking around those areas.
Locks: This refers to traditional locks on doors, but also to locks used on laptops, desktops and servers to ensure they cannot be removed easily. They help ensure that only the proper individuals can access machines that hold important company information. Many cloud providers keep their servers physically isolated from others in locked cages, and only certain personnel are given the keys to open those cages and access the servers.
Smoke Detectors and Fire Suppression Systems: These detect and respond to fire within a building. They are important for protecting human life as well as important systems within the company.
Paper Shredders and Secure Bins: Your workspace should have paper shredders so that once a document with important information is no longer needed it can be shredded and nobody can put the paper back together again; prefer cross-cut shredders, since strip-cut shreds can be reassembled with patience. There are also bins you can buy that let you put things in but not take them back out; these bins are considered "secure" because they protect against dumpster diving until the contents are collected for shredding.
Visible Signs: Well-placed signs letting people know that certain areas are under surveillance, patrolled, guarded by dogs or similar can act as a deterrent to outsiders.
Annual Security Assessments: Just as you run penetration tests for cybersecurity, you can have physical security assessments performed. In a regular assessment the assessor walks your facility and identifies areas of weakness for you to improve. Some firms go further and attempt to gain unauthorized access to your facilities, to show how easy it would be for someone else to do the same. Performing these regularly, at least once a year, is good practice for keeping the findings current.
Emergency Plans: Planning for emergencies is important if you want to minimize the damage they cause. Common plans to have are for fires, natural disasters, common medical events like a heart attack, and active shooters. Each plan should clearly state what steps to take, who is responsible for what, and where people should go during that situation. The resources the plans depend on must be easily accessible; for example, first aid kits should be readily available to employees. Employees must also be trained on these plans regularly so they can act effectively in an emergency; having it written on a piece of paper is not good enough.
Strong Policies and Training: Your employee guidelines should include strict policies that set out acceptable behaviour and the consequences that follow when it is violated. Common things to address are the use of drugs or alcohol, weapons, bullying and harassment. Once those are established, train employees on them during onboarding and throughout their employment, and make the information readily available. With clear rules, you can head off many workplace issues before they begin.
Physical security is the first element of an organization's security and is directly responsible for the safety of its employees. Unfortunately I don't think it gets as much attention as the cyber elements, which may cause the organization larger financial losses. That does not mean it should be neglected, and it is important to be aware of the options you have to protect your business from these kinds of threats. The National Safety Council studied workplace violence and found 20,790 injuries and 453 fatalities in 2018; this is a real risk that needs to be addressed. The same source publishes a fuller list of statistics on workplace safety and violence.