In the age of hacking, phishing and social engineering, it’s easy to forget about physical or environmental security. But physical security is unequivocally as important as its logical cybersecurity counterpart.
Physical security threats can be internal or external, man-made or acts of nature. Modern companies should rely on logical cyber and physical security programs in tandem to protect the physical assets of an organization, be it people or hardware. Network firewalls, IPS/IDS systems or DMZ are all worthless if a criminal can walk into your building and steal a drive, or if you lose hardware after an earthquake.
Every organization should mitigate tangible threats in their area, which may include:
- Malicious insiders
- Service or utility interruptions
- Natural disasters
How to Mitigate Physical Security Threats
Some physical threats are more easily mitigated than others. It would be significantly easier to bar entry to a malicious insider by enforcing access control measures — badge swipe door locks, for example — than it is to mitigate against a natural disaster. Much like logical security, no dollar amount can stop these threats entirely, but it is the responsibility of the organization to perform its due diligence to lessen the impact of loss of business continuity.
There are several ways to mitigate risk in the physical space, including adding control mechanisms like:
- Site layout
- Access controls
- Intrusion protection and detection
- Utility redundancy
- Elemental protection
Your organization’s site layout is incredibly important to protect the assets it contains. People and hardware can fall victim to weather, crime, eavesdropping/voyeurism and emergencies if not properly prepared.
A low-profile design can help prevent all of these potential threats. Lower visibility, for example, can be the difference between a criminal breaking into your building or the one next door. The fewer access points, like external doorways, the better. Consider using a keycard system to lock doors and track who accesses each space and when. Store equipment containing sensitive information in spaces with no windows and scrutinized access.
Equipment that can remotely access sensitive information should also be physically secure. Years ago, it would have been enough to ensure no computer monitors faced windows on the first floor. In the age of drone imagery, however, this isn’t enough. All windows should have blinds, or all equipment regardless of what floor it’s on should face away from an outside view.
Access controls within your business prevent strangers, vendors and visitors from obtaining access to equipment or information they otherwise shouldn’t have access to.
Proximity cards or card swipes alone could ensure the public is corralled away from accessing sensitive information or assets. Either of these methods will also provide an audit trail, which can be valuable because a malicious insider’s movements inside the facility will be tracked.
Intrusion Protection & Detection
Using secondary security equipment like motion detectors and closed circuit cameras complements the use of key cards. If the key process were subverted, the system would be alerted to a trespasser via motion detection and engage video recording of the event.
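The pairing described above, a badge audit trail cross-checked against motion detection, can be expressed as a small correlation check. This is an added example, not part of the original article; the log formats, field names and the 15-minute window are assumptions, and the sample log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from a real system): badge reader and motion sensor logs.
BADGE_LOG = """\
2024-03-02T22:10:05 card=1041 door=server-room result=granted
2024-03-03T01:30:12 card=1041 door=lobby result=granted
2024-03-03T02:05:10 card=2207 door=server-room result=denied
"""
MOTION_LOG = """\
2024-03-02T22:11:30 zone=server-room
2024-03-03T01:31:00 zone=lobby
2024-03-03T02:05:45 zone=server-room
"""

def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events

def unexplained_motion(badge_log, motion_log, window=timedelta(minutes=15)):
    """Return motion events with no granted badge entry to that zone in the preceding window."""
    grants = [b for b in parse(badge_log) if b["result"] == "granted"]
    alerts = []
    for m in parse(motion_log):
        # Motion is explained only by a *granted* swipe on the matching door shortly before it.
        explained = any(
            g["door"] == m["zone"] and timedelta(0) <= m["ts"] - g["ts"] <= window
            for g in grants
        )
        if not explained:
            alerts.append((m["ts"].isoformat(), m["zone"]))
    return alerts

if __name__ == "__main__":
    for ts, zone in unexplained_motion(BADGE_LOG, MOTION_LOG):
        print(f"ALERT: motion in {zone} at {ts} with no granted badge entry; start recording")
```

With entry-only readers, someone who stays in a room longer than the window will also trigger an alert, so the window should be tuned per zone or paired with exit readers.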
Your business can also face threats from larger outside forces that may seem non-threatening, such as participation in the local power grid.
Anyone operating on a local power grid could be subject to a breach if the power goes out due to overuse. Having a backup plan for your utilities can lessen the impact of a threat by keeping your network interruption-free. Businesses that rely on the uptime of their equipment should include power redundancy within their security program so they can remain in operation while the utility company works to restore service.
Natural disasters are also a very real threat to physical security, particularly in areas where tornadoes, landslides, earthquakes and flooding are common. Be prepared:
- When choosing to relocate or open a new office, know the common environmental threats to that specific area.
- Plan your space appropriately so it has the proper safeguards.
- Monitor local weather reports.
- Institute preventative measures if you know a storm is coming.
For example, if your company is located in Tornado Alley, your physical security plan may include thick concrete wall construction in some or all of the building, and one or several rooms with no windows. This will ensure your hardware and employees stay safe in the event of a storm.
Implementing Physical Security
The best place to start identifying the vulnerabilities of your physical space and their impact is with a risk analysis. The analysis will evaluate crime reports, historical weather, natural phenomena and man-made hazards, which will help your administration prioritize each threat. Defining the threats will help you determine what your minimum physical security needs will be.
If your organization is in a coastal area prone to hurricanes and flooding, for example, mitigation against these elements takes priority over mitigating against earthquakes, and requires a different strategy to handle.
Next, you should develop baseline countermeasures. These items will be the minimum physical security features you obtain to avoid any asset loss. This may include features like:
- Elevated floors
- Earthquake-proof server racks
- Mag-locked doors
- Fire suppression system
- Surveillance cameras
It’s important to be diligent in your risk assessment, as these security measures can become costly. In addition, the minimum physical security you develop must also comply with any legal requirements for the country, state and city. Data retention is often a legal requirement for organizations, some requiring up to 20 years of retention. You may need to purchase storage equipment or off-site storage to meet these regulations.
Once installed, each mitigation technique or device needs to be tested. If there are any failure points in the test, the physical security program must adapt to include the failures. This includes testing employees on how to react to a particular type of disaster and adjusting training materials accordingly. After testing is complete and the program is fine-tuned, it can be implemented organization-wide. One test is not enough, however; you should schedule regular tests of each security strategy to ensure they are working properly and are up-to-date with legal requirements.