Learn what physical risks can impact information security
What Physical Security Means and Why It’s Important
Keeping ourselves and our valuables secure is something humans have worried about for ages. From gates, to castles, to Fort Knox, people have always gone to great lengths to keep what’s valuable to us safely within and what’s potentially harmful to ourselves and our assets outside.
What Is Physical Security?
In the modern era, physical security is closely connected to information security. That’s because workplaces are full of IT systems, intellectual property, and people hurrying or distracted by too much to do. In this environment, physical security is unfortunately often overlooked.
A September 2019 report from Shred-It and the Ponemon Institute, Security of Confidential Documents in the Workplace, reveals that more than half of business managers overlook physical security, noting that their organizations don’t have a process for disposing of paper documents that contain sensitive or confidential information.
MediaPRO’s own 2018 State of Privacy and Security Awareness research found that almost a third of the 1,024 respondents indicated they’d take risky actions regarding access to their organization’s building. This included holding a door open for someone who didn’t present proper identification.
In today’s high-tech environment of web-based threats and complex social engineering ploys to access company data, it’s easy to forget basics like keeping our eyes open, securing doors, and locking up sensitive information.
Cybersecurity is extremely important. But it’s just as important to keep physical security top of mind to protect everyone in the building and the company’s information assets.
What’s at Stake?
First and foremost is employee well-being. Everyone deserves to work in a safe environment, and not to have to worry about personal safety or their possessions being stolen.
But employees are also conduits to an organization’s information. That can include sensitive physical files, labs, data centers, even what winds up in the trash.
Should sensitive company information be compromised, it could lead to theft of trade secrets and intellectual property, monetary harm, competitive disadvantage, productivity loss, reputational impacts or other negative consequences.
Beyond physical items, nearly everyone these days uses a laptop and/or some connected mobile device during their working hours. Any device that accesses a company’s network becomes a means of accessing sensitive data or of planting malicious code. It’s critically important to keep employer-issued and personal devices that access the company network secure to avoid these risks.
What Physical Threats Pose Risks to Information Security?
Several real-world, seemingly innocuous incidents can put the well-being of workers, tangible assets, and information assets at risk.
With the pace and pressures of today’s work environments, it can be easy to overlook inappropriate actions. But everyone needs to stay alert and be on guard for behaviors that are out of the norm. Here are a few examples:
Shoulder Surfing
This practice refers to looking over someone’s shoulder to obtain information. That might be on a laptop or in a physical form.
Using a laptop or reading important documents in a crowded environment puts information at risk. With many people milling around, you’re less likely to notice an individual peering over your shoulder, especially if you’re concentrating on what you’re reading.
Shoulder surfing commonly occurs in busy environments, and often happens for no other reason than the observer’s benign curiosity. But there are those who have more harmful intentions. When in public places, keep your screen protected so others can’t read it – or worse, take a photo of it – from behind you.
Eavesdropping
An age-old human tendency, eavesdropping is the act of someone secretly listening in on a conversation. These days, eavesdropping can bring significant risks to company security.
Performing work out of the office is now common. People travel via mass transit; they meet colleagues for coffee in public places; they take mobile phone calls from pretty much everywhere.
Having business conversations in public places makes it easy for passersby to listen in on discussions (even only one side of them) that could reveal all manner of company-related information. Always be aware of your surroundings and make sure that no one can overhear what’s sensitive.
Even within the workplace, water cooler chat, hallway meetings, or private discussions in open offices can be overheard by unauthorized staff. This may not only generate fodder for the rumor mill, it can reveal information that not everyone should have. When discussing company business, be aware and be discreet.
Unauthorized Physical Access
Unauthorized physical access occurs when a person enters a secure area or a facility without permission. The threat of theft, litigation, property damage, or violence makes this a big security risk.
The sea of plastic access cards that hang from employees’ belt loops and lanyards can seem like overkill. But threats to a company’s data come from more than hackers and cybercriminals. An unexpected delivery or a friendly-looking stranger trying to access your office should be addressed with caution.
Tailgating, which is gaining entry via someone else’s security badge, is one of the most frequent ways unauthorized physical access happens. Most of us are inclined to hold a door for others. It’s common courtesy. Bad actors know that, and can try to take advantage. For example, a stranger may try to “fall in” with a group of employees badging in after an off-site lunch. Someone waiting in the lobby may casually attempt to follow an employee into the secured part of a building. Or, someone may have their hands full and ask for help opening a door.
Especially in a larger office, staff may be too busy to notice someone new in the environment, or too polite to ask who they are and why they’re there. For instance, intruders disguised as service people would not likely raise suspicion.
But any non-employee entering a secure workspace should be vetted through a central check-in point. Guests need to be escorted and/or given temporary credentials to be conspicuously displayed. Allowing even one person to enter a facility without authorization makes it impossible to keep a facility and the resources within it secure.
Unsecured Mobile Devices
Mobile devices, such as laptops, tablets, cell phones, and USB drives, are particularly vulnerable to theft. They’re small, light, and easy to hide. They’re also readily subject to unauthorized access if left unattended and unsecured. Employee carelessness is often the cause of lost or stolen mobile devices.
According to the 2018 Shred-it State of the Industry Report, 47% of C-Suite executives and 42% of small business owners reported that accidental loss or human error by an employee caused a data breach for their business.
The compromise of even one device can allow unauthorized access and impose risk of harm to an entire company network. If you are in a hurry or get distracted, you could very easily leave your laptop behind accidentally, exposing it to risk of theft or unauthorized access. Stay attentive to all your mobile devices.
How Can You Secure Your Work Area and Resources?
When it comes to physical workplace safety, even small details can make a big difference. Here are a few simple, time-tested practices that will help:
Keep Sensitive Information Out of Plain Sight
Cluttered workspaces make it easy to forget that sensitive information is in the pile. Keep a clean desk.
Ensure sensitive information is out of plain view, and preferably is kept in locked filing cabinets or drawers. This includes retrieving sensitive information from printers in a timely manner and clearing whiteboards after meetings.
Use Secure Trash Bins
Don’t throw away sensitive information in unsecured bins. Dumpster diving is real!
Thieves can and do “dig for gold” in the trash. Instead, use a crosscut shredder to dispose of sensitive documents. Follow company policies for disposing of computer media, CDs, and flash drives.
Keep Entrances and Exits Secure
Don’t let unauthorized people follow you through a door, tailgating their way to sensitive information. Don’t prop doors open to run a quick errand or to help coworkers who may be on their way.
If You See Something, Say Something
Watch out for suspicious and unknown people in your work area.
Stay vigilant—if you see people loitering, report them to the security team.
The Role Employees Play
The 2018 Shred-It Report noted that 84% of executives and 51% of small business owners believe employee negligence is one of the biggest information security risks.
Clearly there is a problem, and proper employee security training is vitally important to overcoming it. That must include cyber and physical security.
Everyone in an organization is responsible for keeping the workplace, and the company’s physical and digital assets, safe.
Our Security Awareness TrainingPack contains training content on physical security and other threats designed to keep employees abreast of security best practices of all types.