Physical security risks can have a significant impact on your organization’s ability to safeguard confidential information, secure locations, and even employees themselves. According to Verizon’s 2018 Data Breach Investigations Report (DBIR), 11% of confirmed data breaches during 2017 involved physical actions. This includes physical theft and loss, with paper documents and laptops the assets most likely to go missing.
Physical security measures and employee awareness guard against potential data breaches and offer additional protections for people and property. As noted in the DBIR, organizations routinely experience physical breaches and theft not only within the workplace but in common areas such as parking lots.
The healthcare industry faces particularly high risk of information theft, according to the DBIR, which states that “laptops and other portable devices, and paper documents consistently go missing from healthcare organizations each year.” These items are usually stolen from work areas (36%) or from employees’ personal vehicles (32%).
Types of Physical Security Risks and Examples of Attacks
Theft and other physical attacks can be parts of larger cybersecurity attacks against organizations. They may be early steps in intelligence-gathering, or precursors that facilitate later stages in a data breach. Here are a few of the ways an attacker can take advantage of physical vulnerabilities, as suggested by ITProPortal and Information Age:
- Going through your company’s trash, looking for sensitive information that can be used in impersonating an employee or another type of social engineering
- Stealing corporate laptops and other devices from hotel rooms or trunks of cars
- Infiltrating your workplace disguised as an employee, delivery worker, janitorial staff, or other service personnel
- Wearing high-visibility clothing to create the impression of a public safety officer or other trusted figure
- Stealing sensitive documents from unlocked desk drawers or filing cabinets
- Copying passwords that have been written and displayed (or poorly hidden) near computers
- Accessing unlocked computers to plant malware, install keyloggers, or steal information or credentials
- “Tailgating” by following an employee through doors into otherwise restricted areas
- Bribing, coercing, or blackmailing employees to divulge sensitive information
When organizations consider their physical security, many “underestimate the ease with which somebody who is motivated can gain access to their premises,” according to Information Age. “Most people assume that they will be able to spot a liar, or a criminal, but this is not the case. Somebody who is friendly, personable, smart and polite is quite capable of talking their way into a number of situations.”
Physical Security Awareness Challenges
Securing your workplace requires multiple layers of physical security, and needs may vary depending on the organization; for example, locations like hospitals — a mixture of public and private spaces — face different physical security challenges than restricted infrastructure sites. Organizations should set appropriate controls, and those with more to lose from a physical security breach should consider evaluating their defenses with on-site penetration testing.
In addition to implementing physical controls, raising user awareness is key. Employees should regularly apply basic best practices, such as keeping screens locked when away from their desks, maintaining clean desk habits, and reporting any strangers seen in restricted areas.
Of course, part of the challenge is that many end users lack the knowledge and training to protect themselves and their organizations. Our 2018 Beyond the Phish® Report — which stresses the need to extend cybersecurity training beyond email-based phishing — explores end-user knowledge across 12 topic areas, including protecting against physical security risks. The physical security risk topics we explore in the report include:
- Understanding and application of physical security safeguards
- How to identify and prevent physical security breaches
Within the physical risks category, our data found that end users in the hospitality industry performed best, with 13% of questions answered incorrectly — a bright spot given the many rooms and areas that need to be secured within hospitality-based businesses. In contrast, end users in the telecommunications industry had the lowest performance, with 20% of questions answered incorrectly. (For data across all 16 industries on this and other cybersecurity topics, download the Beyond the Phish Report.)
Educating Employees About Physical Security
The good news is that the topic of physical security can be easily integrated into your larger security awareness training program. To help employees understand their role in maintaining a safe and secure work environment, educate them on key components of physical security and train them to follow best practices that will help them keep your people, areas, and assets secure. In addition to interactive education, use reinforcement tools like posters, articles, videos, and other security awareness materials to keep physical security top-of-mind for your end users.
As noted by Information Age, “Performing an employee awareness campaign and demonstrating first-hand the ease and danger of physical security breaches is a great way to engage an entire organization.”