Risky Business: Lax Physical Security
For the most part, physical security measures are relatively low-tech safeguards that can pay big dividends with regard to protection of people, places, and systems. Then why do so many organizations and employees overlook these measures or take them for granted?
As discussed in our Five Cyber Security Resolutions to Keep in 2015 post, physical security is tightly linked to cyber security. How? Consider the ramifications of a server room door being left ajar. Or what might happen if an imposter posing as a maintenance worker gained access to critical systems. Security awareness and training can prevent these types of actions from happening — and the breaches that could occur as a result.
According to Trustwave’s 2014 State of Risk Report, only 64% of organizations use a full suite of physical access controls such as card readers, receptionists, security guards, and visitor logs. More than 30% of organizations are only partially protected, while 5% admit to using no physical access controls at all.
Which group are you in? If you’re not fully protected, you’re gambling not only with the security of your networks, assets, and intellectual property but with the safety of your employees. You’re also taking a high-stakes risk with your reputation. Should a breach happen within your organization and it come to light that basic physical safeguards were not in place, senior managers and C-level executives are likely to face significant scrutiny and costly ramifications.
Three Physical Security Practices to Implement Today
The Trustwave report is eye-opening simply because physical security is a bit of a no-brainer. But it’s clear that there are plenty of organizations that don’t get it. For example, though the vast majority — 68% — of those surveyed for the report claim to be fully protecting high-security zones that house sensitive data, 27% said they only use some controls, and 5% stated they are not using any physical controls in these areas. To be frank, those in the 32% are being terribly irresponsible.
If you are being lax about controls, you are putting your business at risk. As the Trustwave report corroborates, physical safeguards aren’t just for prevention; proactive measures like surveillance footage and access logs can also aid in investigations following a security incident.
Our Physical Security interactive training module is designed to help your employees understand their roles in maintaining a safe, secure workplace. Here are three simple, effective practices to require of your employees today:
- Never share access credentials – Employees should never lend their access badges, key fobs, or security tokens to coworkers or outsiders. Each credential, log-in, and password must map to exactly one person in order for audit trails and access logs to be effective and useful.
- Be strict about the security of business areas – Other than open-access, public spaces — like lobbies — virtually every part of a workplace is a restricted area. Individuals should not be given undocumented access or allowed to wander unescorted through hallways and offices. With highly restricted areas — like server rooms and research labs — it’s critical that access be limited to as few individuals as possible and that employees take extra measures to ensure doors remain locked and that unapproved individuals are denied entry.
- Be vigilant about devices and data – With mobile devices, your organization’s data and systems are on the move. Your employees need to ensure that smartphones, tablets, and laptops are secured at all times. It takes just a moment for a thief to snatch up a device left unattended in public. Security is important in the workplace as well; all devices should be password-protected, and computers and systems should be locked when not in use. These measures help prevent unauthorized access to confidential data and systems.
Attention RSA 2015 attendees: Schedule a demo with us to learn how you can decrease risk to your organization by employing the Wombat Continuous Training Methodology. Research from the Aberdeen Group shows that our approach can reduce risk and business impact by up to 50%.