Cyber security is a well-known concern of individuals, companies, and governments. Many organizations hire specialized personnel and put in place elaborate systems to ensure that their information networks are safe from intrusions, viruses, and other cyber threats. However, it is common for managers and planners to fail to see the critical role that physical security plays in safeguarding these systems.
There have been many incidents that highlight the need for proper physical security in any cyber security plan. In fact, almost a third of the disclosed security breaches in 2009 involved missing or stolen physical equipment. For instance, one of the largest government data breaches of all time occurred when a Veteran’s Affairs laptop containing the records of over 20 million people was lost. There has also been a spate of missing/stolen laptops, computers, and other hardware at critically important facilities such as the Los Alamos National Laboratory. These incidents underscore the importance of utilizing physical security techniques to complement cyber security protection plans.
This article will highlight 10 simple tips that individuals and organizations can use to boost the physical security of their information systems. By no means is this list comprehensive, but it will provide some basic building blocks for a comprehensive security plan.
1. Basic Physical Security
Any good plan starts with the fundamentals, and an effective physical security system will start with basic practices. This means ensuring that windows and doors are locked and secure. Moreover, entry points should have mechanisms and/or personnel in place to control who enters and leaves the premises. Cameras, both internally and externally, can help deter intruders and assist in an investigation if an intrusion does occur. Organizations should also consider installing alarm systems and/or contracting with security companies or consultants.
2. Control Access
It is also a good idea to control, compartmentalize, and limit access to information systems. After all, a large percentage of security breaches and thefts are perpetuated by employees themselves. Sensitive devices, programs, and permissions should only be accessed by management and those individuals whose job it is work with and maintain these systems. Employees should also be trained to log off or shut down equipment when they are not using it. Moreover, companies should establish a log in order to record when individuals accessed particular pieces of equipment. If an irregularity occurs, these logs can help quickly narrow the scope of a managerial investigation.
3. Secure Hardware
Even though companies may take sufficient steps to ensure that unauthorized persons are unable to enter, there is always the possibility of an intruder penetrating even the best defenses. That is why companies should ensure that hardware is locked down to the floor or heavy furniture. This will prevent thieves or intruders from easily carrying off equipment.
4. Lock up Server Room and Vulnerable Devices
Servers and other vulnerable devices can grant a user access to an entire network. In the hands of a hacker, access to this equipment can result in catastrophic consequences. As such, devices such as these should be stored in a locked room that is separate from the workspace has a whole. Access to this room should also be controlled and limited to the employees and managers who regularly use, maintain, and monitor this equipment.
5. Loose Laptops
Some of the most extensive breaches of computer data have involved lost or stolen laptops. Firms should try to limit, to the extent possible, the number of computers that leave the office. If transporting a laptop is necessary, organizations should purge sensitive data that is not needed for the trip. It might even be a good idea for business to designate travel laptops expressly for this purpose. Moreover, personnel transporting such equipment should receive training on how to securely transport sensitive items.
6. Flash Drives, Externals, and other Portable Storage
As with laptops, the use of flash drives, external hard drives, and other portable devices should be restricted to the extent possible. There have been many security breaches that have resulted from the proliferation of flash drives containing sensitive information. Organizations should also develop systems to track the possession of these devices and train employees how to handle them properly. When not in use, flash drives and other portables should be locked up. Some organizations may want to consider removing the drives that support these portable devices entirely.
7. Damage Protection
Another common sense tip to protecting critical information systems involves ensuring that information hardware is protected from physical damage. This means that equipment is plugged into surge protectors or an uninterruptible power supply.
Employees should understand how to handle hardware in a manner that will not damage sensitive items or components. For example, they should not handle liquids around computing equipment and should not have wires running where they can be tripped on and suddenly pulled out.
8. Back up and Put Away
Most computer users understand the importance of backing up information. After all, it is not uncommon for data to suddenly be erased because of some glitch or malfunction. However, many people store their backup drives in the same building as the rest of their information. If a break-in or fire were to occur, then the system along with the backups could both be lost. As such, backup storage should be stored separately from the system that is being backed up.
9. Integrate Cyber and Physical Security
It is common practice for organizations to have separate physical and cyber security units. However, it is critical that practitioners of these two fields work together in order to coordinate best practices for security. After all, a physical security breach can have massive ramifications on an organization’s cyber security framework. Some organizations have a single head of security that is in charge of both cyber and physical security operations.
10. Do not forget the printers and paper
When designing physical security systems, organizations should be mindful of their printers and paper disposal. Many printers retain a memory that can be accessed for some time afterwards. As such, organizations should ensure that these items are as secure as the rest of their equipment. Similarly, physical paper documents can contain important information that could put cyber systems at risk. That is why organizations should establish a procedure to properly dispose of paper documents through a shredder or incinerator.