7 Reasons Digital Security Means Physical Security
In our previous installment, we discussed ways to prevent a hack. In this post we look at what we can do to stop hackers in the first place. Cyber crime is rising at an alarming rate. But that doesn't mean crooks have given up on good old-fashioned, offline skullduggery. Combine the two and they can get away with particularly spectacular heists.
Take the attack on Sony Pictures, for example. When news emerged that Sony was hacked in 2014, it created headlines around the world. Not only were embarrassing emails leaked about famous stars, but the extent and audacity of the hack got cyber security personnel's eyebrows raised and chins wagging from Los Angeles to Tokyo.
Add to all this the involvement of a group of hackers with the colourful name of the Guardians of the Peace (with alleged links to the North Korean government), and the hack was guaranteed its place in the hacking community’s hall of fame.
To security experts, however, one of the biggest issues arising from the incident was the degree to which insiders were involved in the hack. It has been hotly debated ever since, with expert views ranging from no involvement to full responsibility.
Either way, it was a reminder that online security alone will not adequately protect IT infrastructure.
The point was further underlined just last November when UK mobile network operator Three announced it had suffered a breach of its database of customers eligible for a phone upgrade thanks to the unauthorised use of legitimate login details, and that it was seeing higher levels of burglaries of retail stores. Three men, all from the UK, were subsequently arrested.
So what can organisations do to make themselves less vulnerable to physical security breaches? Let’s take lessons from the experts: the builders of medieval castles. Their approach was simple: the least important assets get the lowest protection; the highest, the most.
The “expendable” serfs lived outside the walls, susceptible to marauders and others of ill intent. The lord’s “key management team” were kept safely behind moats and walls while the lord himself, his family and his most valuable possessions would be in a tower called the keep, the most impregnable part of the entity.
Today’s organizations also have to make judgements about what is most valuable to them and what needs the most protection. Here are some suggestions for protecting your organization:
1) Secure the premises
The first point of physical control is access to the organisation’s premises. Controls range from pass cards and guards on front desks, through contactless card or PIN-activated locks, to sophisticated biometric systems. The level of protection should mirror the value of the assets accessible.
Servers and backups are the crown jewels. This is where the organisation’s most sensitive and valuable data resides, so uncontrolled access to them risks disaster for the whole organisation.
2) Lock and key
The most basic measure is a lock and key, together with a policy to ensure that only those who need a key to the lock have one, and that they use it each time they enter and leave what is effectively “the keep”. Keeping access lists up to date is paramount.
Also very high up the list of priorities are hubs and routers. These are points at which wrongdoers have opportunities to tap into and intercept data, so they should also be, as much as possible, in the keep, the place with the highest security. If for any reason that cannot be, they should at least be under their own lock and key and not freely accessible.
3) Tether where necessary
Then comes the protection of lesser assets such as terminals. How much less important they really are is debatable, as they will often store valuable data locally, such as stored log-on credentials, that can then be used to gain access to the more important assets. Portable devices such as laptops are particularly vulnerable, as a thief can just walk out with them. Consider tethering them with cable locks.
4) Switch off
Also, terminals left on but unused are a security threat, especially if they are in areas where strangers have easier access, such as front desks or lobbies. Use reasonable timeout settings. Restrict access to removable storage media and USB and other ports. And consider removing terminals from unused desks, or even while employees are away for prolonged periods such as business trips or vacations.
5) Garbage safety
Disposal of old equipment is another potential security weak spot. Deleting data is not destroying it. Options range from overwriting to physical destruction.
6) Printer control
And don’t forget the printer room. Often people print out batches of data and do not collect them immediately, especially if print areas are far from their desks. Consider controlling access, perhaps through a PIN-activated system. And think about putting shredders in the room so accidental duplications can be destroyed then and there.
7) A photo is worth a thousand words
Cameras, security alarm systems, security personnel and logging of visitors should provide additional cover.
At the end of the day, all these measures are only as good as an organisation's policy decision (and subsequent policing) about who should be allowed on their premises, and who should not.
Generally, organisations like to be as open as possible because it helps the exchange of information that is key to success, but that comes at a risk to security. An approach advocated by some experts, however, is to start out with a default setting of denying access rather than allowing it.
As data crime becomes more widespread this may be an approach that becomes more common. For some organizations that may be in anticipation of a disaster; for others a reaction to one. The choice is theirs.