Much is made of cyber security incidents, and rightly so. Cyber security attacks are prolific, with ransomware attacks against UK businesses doubling last year. But it isn’t just cyber attacks that a company must worry about. Physical security breaches are common and often linked to cyber security attacks.
Here are some of the most prevalent types of physical security risks and suggestions for preventing them.
Let’s Get Physical Security Breaches
The physical aspect of data security is part of a broader response to protecting your company. According to the Ponemon Institute’s 2020 Cost of a Data Breach Report, 10% of malicious breaches are caused by a physical security compromise. The report also points out that it takes 223 days to identify a physical breach and 69 days to contain it. The consequence is that the average cost of a physical data breach comes in at around £2.8 million, making physical compromises an urgent problem to fix.
Five common physical breaches are:
Problem: Unauthorised Access to Servers
Server rooms are the heart of an organisation’s network. They house essential business data, sensitive information and backups, and contain expensive hardware. They are also regulated areas: standards such as ISO27001 (physical and environmental security controls) require that server room access is managed and secured. Physical access to servers and other computers is part of a broader information security management system (ISMS).
If a rogue or disgruntled employee or even a stranger can access a server room, they can do much damage. This includes physical damage to the servers, theft of critical equipment, and cyber attacks by setting up remote access to the server and directly installing malware.
Prevention of Unauthorised Access to Servers
- Server rooms should have high-security locks that use integrated access control based on privileged access.
- Biometric-based systems can help prevent physical breaches of server rooms.
- Isolating different servers and assigning granular access rights can also help protect against a complete takeover of multiple servers.
- However, these zero-trust and physical access controls must be backed up by Security Awareness Training of system administrators to ensure they don’t share ID cards or entry points with colleagues.
Problem: Tailgating
Tailgating, named after the bad driving habit of following too closely behind the car in front, is where social engineering meets the physical world.
One of the most infamous cases of tailgating was documented in the film “Catch Me If You Can.” The film told the story of Frank Abagnale, who spent many years impersonating people and getting into highly restricted places, such as the cockpit of an aeroplane.
You can read more about tailgating in a MetaCompliance blog post on tailgating, which can be an insidious and clever tactic that results in criminals gaining access to restricted areas in an organisation.
Tailgaters manipulate employees into letting them into places that are usually restricted. For example, a criminal may pretend to be a contractor and exploit behaviour such as the tendency to be polite to encourage, or even pressure, an employee into opening the door to the company.
Prevention of Tailgating
- Educate your workforce on the dangers of tailgating and how it is used to trick them into opening doors (both virtual and real) for nefarious persons.
- Train your employees on how to tackle suspicious behaviour and ensure they understand how tailgaters manipulate them and take advantage of politeness.
Problem: Documents Left Lying Around
Documents and even post-it notes can contain highly sensitive information that results in data exposure if it falls into the wrong hands. Printers are a good example of how a physical security breach happens. Employees who work remotely may send a document to a printer, intending to pick it up as they pass by the office, only to forget it, or to find that someone else has picked it up first.
A Quocirca report into the print security landscape in 2022 found that 68% of respondents had a data loss associated with a print security issue.
Prevention of Documents Left Lying Around
- A clean desk policy is essential for reducing data loss due to poor document hygiene. Clean desk policies are also part of standards such as ISO27001.
- Employee education on the importance of a clean desk and how carelessness can result in data loss is essential in managing the risk.
- In addition, technological approaches such as robust user authentication to enable ‘pull printing’ ensure that any document printed is only released when the person who authorised its print-out is there to pick it up.
Problem: Stranger Danger
Unaccounted-for visitors are bad for both cyber security and physical security. A Health and Safety Executive (HSE) report on violence at work found that strangers were the offenders in 60% of cases. Physical breaches by strangers put computer systems at risk too: strangers can steal expensive hardware such as phones and laptops, exposing the data held on those devices.
Prevention of Stranger Danger
- Make sure that your workplace has processes and systems in place to reduce the likelihood of an unauthorised person entering the building.
- Simple things, such as ensuring that doors are kept locked, are important.
- Swipe card access for employees and a visitor entry system with logged entry and exit is essential for any business.
Problem: Lost/Stolen Employee IDs
Many of the defences against physical breaches rely on access controls. Many companies now use employee IDs combined with biometric entry. Still, even these are only effective if an employee respects the access limits set by the organisation. In other words, employee ID systems depend on employees using them correctly.
Unfortunately, employees who do not understand the importance of privileged access may offer a colleague the use of their ID or even offer to swipe their fingerprint or other biometric to enable access. Criminals who use social engineering tactics also take advantage of this wish to help others, encouraging employees to let them into restricted areas.
Prevention of Lost/Stolen Employee IDs
- Security Awareness Training in the importance of employee IDs is essential in tackling employee ID and access abuse.
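The logged entry and exit records recommended above are only useful if someone checks them. The following is an added example (not from the original post or any vendor product) of the two checks a defender would run over a badge-reader log: a swipe with a badge that has been reported lost or stolen, and a second entry at the same door with no exit in between, which is the pattern left behind when an ID is lent to a colleague or the holder leaves by tailgating someone else. The log format, badge numbers and revocation list are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample badge-reader log (not a real system): time, badge id, door, IN/OUT.
SAMPLE_LOG = """\
2024-03-04T08:01:10 B1001 server-room IN
2024-03-04T08:02:40 B1002 lobby IN
2024-03-04T08:15:05 B1001 server-room IN
2024-03-04T09:30:00 B1001 server-room OUT
2024-03-04T10:05:22 B2005 lobby IN
2024-03-04T17:01:00 B1002 lobby OUT
"""

# Badges reported lost or stolen; assumed to be maintained by the access-control team.
REVOKED = {"B2005"}


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    direction: str


def parse_log(text):
    """Parse whitespace-separated log lines and return events in time order."""
    events = []
    for line in text.splitlines():
        ts, badge, door, direction = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, direction))
    return sorted(events, key=lambda e: e.ts)


def find_anomalies(events, revoked):
    """Flag (a) any swipe with a revoked badge and (b) a second IN at a door
    with no OUT in between, which suggests the badge was lent out or the holder
    previously left by tailgating someone else's exit."""
    findings = []
    inside = set()  # (badge, door) pairs currently recorded as inside
    for e in events:
        key = (e.badge, e.door)
        if e.badge in revoked:
            findings.append(("revoked_badge_used", e.badge, e.door, e.ts))
        if e.direction == "IN":
            if key in inside:
                findings.append(("double_entry", e.badge, e.door, e.ts))
            inside.add(key)
        else:
            inside.discard(key)
    return findings
```

Running `find_anomalies(parse_log(SAMPLE_LOG), REVOKED)` on the constructed log reports the repeated server-room entry by B1001 and the use of the revoked badge B2005, both of which are worth a follow-up with the badge holder.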
Round-Up of 5 Essential Methods to Prevent Physical Breaches:
- Ensure all employees are trained in the types of physical security breaches.
- Use robust access control systems to server rooms and other restricted areas and limit access on a need-to-know basis.
- Set up processes and systems to monitor movements in and out of the building.
- Keep a device inventory. You can use this to cross-check against any potential lost or stolen devices to deal with the consequences of potentially exposed data quickly and within regulatory requirements.
- Ensure that security policies reflect potential physical security breaches. Include the processes needed to handle a physical breach and its consequences.