Years ago, before TCT, I was working at a business where employees left their laptops in several of the conference rooms when leaving for lunch. The conference rooms were right off the main lobby, so that as you walked into the building, you would pass right by the front desk heading left or right to the line of conference rooms.
One day, someone walked in off the street during lunchtime, bypassed the front desk, and went down one side of the row of conference rooms. He scooped up about 8-12 laptops and walked right back out of the side entrance to the building in broad daylight, with a stack of laptops in his arms. A helpful intern even held the door for the thief on his way out.
All of your cybersecurity best practices mean nothing without proper physical security.
Why Is Physical Security Important for Cybersecurity?
At the end of the day, all of the policies and training and logical protections you use for your network environment are fantabulous. But they won’t protect anything if someone can just stroll in, unplug a machine, and walk out the door with the hardware that holds your data.
Another very real possibility is that no device is removed, but instead a device is added. If a bad actor gains physical access to your office, they could plug a rogue wireless access point into a spare network port. Their device could sit unnoticed for months. Meanwhile, the bad actor is sitting in your parking lot and accessing your network remotely.
Similarly, someone could plug in a USB device that copies data off a workstation, or one that drops a trojan onto it. Some of these devices present themselves as a keyboard and start typing commands the moment they are connected, so an unlocked, unattended machine is all they need.
If a bad actor gains physical access to your systems, there are all sorts of possibilities for significant and long term damage to your company.
What Kind of Physical Security Do You Need?
The scope of your environment will dictate how much physical security, and what kind, you need to implement. For example, if you run your own servers and house them in your own facility, physical security is far more critical than if a hosting provider holds them.
To determine what physical security you need, do a scoping activity that inventories where sensitive information physically lives and every device within your control that has logical access to the network. That includes infrastructure equipment, servers, laptops, mobile devices, written information, and any device that connects to your network.
Look at the flow of sensitive information within your organization and determine what needs to be protected. The two may be different. For example, your compliance scope for credit card data could be small, while you hold a lot of personally identifiable information or corporate intellectual property outside that scope that needs protection just the same.
Physical Security Best Practices
Every organization has its own unique set of physical security needs. That said, chances are you’ll need to consider the following best practices for physical security.
Install security cameras at entries and exits, with 90-day footage storage. Cameras should record both the interior and exterior of the building. It’s one thing to be able to see people walking toward the front door — it’s another to be able to see them as they’re actually entering the building.
Make sure the locking mechanisms on all your doors are functioning properly. Locks should be protected so that the locking mechanisms can’t be bypassed.
Years ago I did a risk assessment for a medical facility that housed millions of dollars in medical equipment. I was able to bypass their exterior locking mechanism with my car keys.
Consider how your personnel gain entry. Do your staff use physical keys or badges? Your doors still have physical keys, even if you use badge entry or biometric access. Who has access to those keys? Has anyone left the organization who had those keys? Have the doors been rekeyed after that person left?
A lot of times, an organization will look at perimeter security and only consider the door entrances as the only way in. But just because you don’t use a window to gain access yourself, that doesn’t mean a thief won’t use it. A sealed window easily becomes a doorway when a brick goes through it.
Also remember that thieves don’t need to gain entry from the ground level. Consider the possibility of roof access.
Part of your perimeter security should include motion sensors inside the building, with an alarm system.
Always know who is in your building. Use visitor logs and visitor badges so that you can keep track of (and identify) everyone who is onsite, at all times. If you have a problem, or an emergency arises, you’ll know exactly who is in the building, besides your personnel.
Make sure visitor badges won’t grant access to sensitive areas of the building. Set expiration dates on the badges so that visitors can’t reuse them. Some paper badges are self-expiring: they begin to oxidize when exposed to air, and within 24 hours a red “VOID” label appears.
Implement a process for granting and revoking employee access to physical spaces. Physical access permissions need to be updated immediately any time someone joins or leaves your company, or changes roles within the organization. Periodically reconcile the access-control system’s list of active badges against the HR roster so that a missed revocation doesn’t go unnoticed.
Depending on the sensitivity level of the information at your facility, use two-factor authentication for granting physical access to sensitive areas — for example, a physical badge plus a biometric scan or PIN entry.
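The reconciliation check behind the three points above (visitor badges that must expire, joiners/movers/leavers whose access must change, and sensitive zones that only certain roles may enter) can be scripted. The following is an added example, not code from the original post or from TCT. It assumes the access-control system can export its active badges as a CSV with the columns shown and that HR can export an active roster; both layouts, the zone names, the role-to-zone mapping and the sample rows are constructed for illustration.

```python
"""Reconcile an access-control badge export against the HR roster.

Flags: expired or over-privileged visitor badges, active badges held by
people HR no longer lists as active (leavers), and employees whose badge
still opens zones their current role does not allow (movers).
Column layouts and sample data are hypothetical.
"""
import csv
import io
from datetime import date

# Constructed sample: what the badge system exports (hypothetical layout).
BADGE_EXPORT = """\
badge_id,holder,type,zones,expires
1001,alice,employee,lobby;office;server_room,
1002,bob,employee,lobby;office;server_room,
1003,carol,employee,lobby;office;server_room,
2001,visitor-17,visitor,lobby,2024-05-02
2002,visitor-18,visitor,lobby;office,2024-06-30
2003,visitor-19,visitor,lobby;server_room,2024-06-30
"""

# Constructed sample: what HR exports for current staff.
HR_ROSTER = """\
username,status,role
alice,active,infrastructure
bob,active,sales
carol,terminated,infrastructure
"""

# Which zones each role may hold. Visitors never get past the lobby unescorted.
ZONES_BY_ROLE = {
    "infrastructure": {"lobby", "office", "server_room"},
    "sales": {"lobby", "office"},
    "visitor": {"lobby"},
}
# Zones where a stale grant is an emergency rather than a cleanup item.
SENSITIVE_ZONES = {"server_room"}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(badge_csv, hr_csv, today_iso):
    """Return a list of (badge_id, severity, finding) tuples needing action."""
    today = date.fromisoformat(today_iso)
    roster = {r["username"]: r for r in load_csv(hr_csv)}
    findings = []
    for b in load_csv(badge_csv):
        zones = set(filter(None, b["zones"].split(";")))
        sev = "high" if zones & SENSITIVE_ZONES else "medium"
        bid = b["badge_id"]

        if b["type"] == "visitor":
            # Visitor badges must carry an expiry and must not outlive it.
            if not b["expires"]:
                findings.append((bid, sev, "visitor badge has no expiry"))
            elif date.fromisoformat(b["expires"]) < today:
                findings.append((bid, sev, "expired visitor badge still active"))
            extra = zones - ZONES_BY_ROLE["visitor"]
            if extra:
                findings.append((bid, sev, f"visitor badge grants {sorted(extra)}"))
            continue

        person = roster.get(b["holder"])
        if person is None or person["status"] != "active":
            # Leaver or unknown holder: the badge must be revoked outright.
            findings.append((bid, sev, f"active badge for non-active user {b['holder']}"))
            continue

        extra = zones - ZONES_BY_ROLE.get(person["role"], set())
        if extra:
            # Mover: the role changed but the old zone access was never pulled.
            findings.append((bid, sev, f"{b['holder']} ({person['role']}) holds {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for badge_id, severity, finding in audit(BADGE_EXPORT, HR_ROSTER, "2024-06-15"):
        print(f"[{severity}] badge {badge_id}: {finding}")
```

Run against the constructed data as of 2024-06-15, the script reports bob’s stale server-room access, carol’s badge that survived her termination, one expired visitor badge and two visitor badges that open more than the lobby; alice’s badge matches her role and is silent. In practice you would feed it the real exports on a schedule and treat any high-severity finding as an immediate revocation, not a ticket.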
Depending on your business, you may have several offices across a region. The same logic applies to each of your locations, including sales offices. You may have a single sales person working out of their own rented office. If that office has a direct connection to the corporate network, you need to evaluate the protections of that physical space as well.
In many cases, companies treat those sales offices as if they were remote employees — the salespeople only have an internet connection and they connect to the corporate network through VPN, using two-factor authentication similar to other remote employees.
Train your personnel thoroughly. Make sure every employee knows what they should and shouldn’t do. For example:
- No computer screen should be visible through a window.
- No passwords should be written down.
- No employee should hold an entry door open for someone they can’t identify, no matter how friendly or burdened the person looks.
- Every employee should lock their screen when not actively using their computer — even at home.
Deliver that training on a new hire’s very first day. Repeat it annually and any time there are relevant changes. Provide quarterly security reminders to your employees as well.
Alongside your security training, create accountability with teeth. Write consequences for failure to comply with your security policies into your policies and procedures, and apply them.
When you’re dealing with vendors for your hosting, get their security paperwork and review it. Just because a vendor says they’re compliant with a cybersecurity standard, that doesn’t mean they’re actually fulfilling the requirements appropriately. Don’t take any vendor’s word for it — verify it yourself by reading through the details of the controls they have in place against best practices.
If they’re complying with PCI DSS, they need to fulfill Requirement 9, which covers restricting physical access to cardholder data. Review their approach to physical security on an annual basis.
Physical Security Is Cybersecurity
Effective cybersecurity inherently includes effective physical security practices. You can’t protect your data if you aren’t doing your due diligence in the physical realm. Never make any assumptions about the state of your physical security — bad actors are clever, and they’ll find creative ways to gain access. Stay one step ahead of them, and train your people to do the same.