Why physical security is part of cybersecurity
Posted on June 26, 2019 by Louise Howland
With so much of the cybersecurity discourse focusing on the “cyber” aspect of security, it’s easy to get tunnel vision. Installing antivirus and a firewall is just one layer of business data security. The human firewall is another, and the third is physical security.
What is physical computer security?
Physical security protects your data by preventing people from literally getting their hands on it. It includes your CCTV, locks, fences and other means of limiting physical access to your business and your business’s data.
All the firewalls in the world won’t save you from someone walking out with your server. In 2015, a thief forced their way into the server room of children’s charity Plan UK. They stole 5 servers containing information on 90,000 supporters, including names, addresses, contact details and bank account numbers.
Physical security also protects your systems from sabotage using USB devices and other peripherals infected with viruses.
What are the primary threats to physical security?
The level of threat to your physical security depends on the size of your business. Smaller businesses have smaller teams. It’s harder for a thief to sneak in and pass as an employee when everyone knows each other.
On the other hand, smaller operations may lack the budget for sophisticated physical security measures. This makes them vulnerable to break-ins when everyone’s gone home.
Threats to small businesses
Small businesses often suffer from the limits of their budget. According to a recent survey, 50% of IT decision-makers are hamstrung by their budget. This means that server room (or server cupboard) security is limited to a locked office door.
Small businesses are also less likely to have dedicated security policies or personnel on site. There is less consideration given to the level or quality of the security the business has. If the Office Manager is tasked with ordering security key fobs, are they able to understand which security solution is best for the business?
Threats to large businesses
Bigger businesses have bigger problems. Large sites have more points of access, which puts more strain on security budgets. Size also increases the complexity of bureaucratic systems. This makes it easier for thieves to acquire access passes and security badges.
Once inside, the faceless nature of large businesses allows thieves to hide in plain sight. If you unlock a security door and a friendly-looking employee asks you to hold the door, would you challenge them? Unlikely. “Thieves are kept out by external defences, they couldn’t have possibly got all the way to this quiet corridor of the 14th floor…”
Threats to any business
The goal of many data thieves is your server room. It’s the most likely place to find a cache of valuable data. As such, your server security policies need to be up to date and actively enforced.
You shouldn’t “solve” heating/cooling problems by opening doors or taking the siding off the firewall racks. This exposes your entire data centre to threats from both authorised and unauthorised people.
You need to keep the rest of your hardware in mind, too. Physical security protects your computers from being stolen or sabotaged. Every piece of technology that’s connected to your network is a potential access point.
Physical security countermeasures
If you rely on physical defences such as gates, mantraps or fences, consider how they might be circumvented. Can they be climbed over/under? Can you climb a nearby tree and hop over the fence? Is there another access point altogether that gets around it?
If you’re moving to a new office, make sure you have an up-to-date floor plan that includes all possible access points. When the outer defences are taken care of, you can turn to internal security and personnel access management.
Physical security tokens are items your personnel carry to authenticate themselves for access to your facilities or assets. Swipe cards are the most basic form of a physical security token. These ID cards have an embedded magnetic strip holding identification data that is swiped to be read by an access control system.
Swipe cards are cheap and readily available. They can be coded to only open specific doors or systems, meaning that only people who carry them can gain access. However, their benefits are also their weaknesses.
Being cheap, swipe cards are fragile and vulnerable. The magnetic strips wear out rather quickly and the plastic can snap. They also use technology that is very old. This makes them extremely vulnerable to being copied or faked. They can also be stolen.
RFID stands for Radio Frequency Identification. You might know it as a fob or maybe a “beeper” (because it beeps). These unpowered devices communicate wirelessly with access systems to enable access. The idea is that a door is locked electronically. Its access point emits a radio signal that causes the fob to respond. When the access point detects that fob, it unlocks.
They’re useful because, like swipe cards, they can be used by anyone in the business without setup. This is great for businesses with a high turnover. They’re also secure because you have to be within 6 inches of an access point to use it.
However, just like swipe cards, they can be cloned. The technology to do this has evolved from devices the size of a backpack to devices the size of an iPhone. Once cloned, a thief can access what you can access without your knowledge.
Smart access tokens
Smart tokens encrypt their data. This makes them much harder to clone or copy. They must be encoded to work with specific systems, which means they aren’t as universal as swipe cards or RFIDs, but undoubtedly safer. However, more technology means more money. They are more expensive to buy and harder to replace.
Personal security access devices have one universal problem: human error. If you choose to put physical security into the hands of your staff, it’s vital that they are trained on the correct use and practice of these devices.
Swipe cards and key fobs can be lost, stolen, cloned or forgotten. If this is a concern for your business, you may need to change your approach to physical security. Instead of giving your people the responsibility of security, you can manage it yourself.
From the receptionist on the front desk to an entire department of security specialists, one way to increase your physical security is to have people decide who to let in. If you have a large site, they can be supported by CCTV and intercoms. This has the benefit of giving you more control and accountability for who has access.
There are downsides, of course. In addition to having to pay people, you also need to dedicate space somewhere on your property for a guarded threshold and channel all staff and visitor footfall through it.
This solution also still includes the human factor. According to a study in 2018, 51% of small business owners admit that employee negligence is one of their biggest information security risks. Humans can also be manipulated into letting in thieves and hackers.
Biometric scanners cut out the human element altogether. You keep a bank of your personnel’s fingerprints, retinal images or voice samples, and doors open if a matching set is presented. Using our bodies as keys makes these systems very secure and extraordinarily hard to beat.
There is obviously a high price for this technology, but you also have to consider the fact that you have to keep people’s biometric data secure.
Considerations for your business’s physical security
How do you know what’s right for your business? There are so many physical security options out there, and they need to fit both your business needs and the rest of your cybersecurity framework.
1. Weigh up your risk
Firstly, you need to know what you need to protect and what losing it will cost. By understanding which areas need the greatest protection, you can better understand what type of security you need and better prioritise how you spend your security budget.
If data is your primary concern, focus on protecting your data access points. If products and materials are more important, make sure you invest in gates and locks. Create a priority list of business-critical assets to determine the risk. From there, you can allocate your budget.
2. Find out what’s out there
Physical security, like cybersecurity, is not one size fits all. It’s important to shop around and discover the options available. Depending on your needs, your physical/cybersecurity budget split might not be 50/50. Security tech is advancing all the time, so make sure you’re up to date with the latest innovations.
If you’re unsure, seek out a specialist who can guide you through your options. If you’re updating your physical security, consider the impact it will have on your staff. You may need to give them training.
3. Determine the ROI
By increasing your understanding of how physical security supports your company’s growth and stability, you’ll be better inclined to set a budget that meets your needs.
Security is an investment, not an expense. What you pay now will protect you from the financial losses of theft.
Being security compliant also shields you from government fines. It builds a greater level of confidence in clients, suppliers, and stakeholders. Some security measures can even improve employee productivity by helping them feel safe at work.
That being said, remember the first point: weigh up your risk. There’s no point investing money in buying and maintaining elaborate security you don’t need.
Physical security is just one part of your overall business security. It will protect your data, your assets and your people. But investing too much, too little or unwisely in physical security can hold your business back. So it’s important to get it right.
As part of our cybersecurity service, we take a 360° view of your operation to determine where your security needs help and how it can be improved.