Let’s Get Physical with Security Requirements

Not every criminal illegally entering a business is looking to steal cash, equipment, or merchandise; some are looking to take something a bit more ephemeral. This scenario is particularly true for organizations, such as offices, insurance offices, or law firms not traditionally targeted by your everyday, run-of-the-mill burglar. The threat actors are out for information, giving them access to the organization’s network, which can lead to serious damage.

Adding to the problem is that as organizations continue to struggle with the growing number of cyberattacks, the focus on physical security has dwindled, catching many organizations unprepared.

While threats such as ransomware, social engineering, unsecured cloud computing configurations, and network vulnerabilities remain important challenges for cybersecurity teams, the threat of an unauthorized person walking into an unlocked office and stealing or accessing IT devices is equally significant and yet, underestimated.

A stolen device or unauthorized access can have far-reaching consequences for businesses. Without proper attention to physical security, tracing the perpetrator or preventing such attacks can be difficult.

Keeping Up with the Times

With so many fluctuations between physical premises, hybrid, remote working, and digital transformation supporting these changes, it’s not surprising that some organizations haven’t evaluated and enhanced their existing physical security measures as they have with cybersecurity. However, the risk is still present, so organizations should act immediately to review and, where necessary, improve their physical security measures to ensure they’re protected across all risk factors.

Physical security focuses on designing and implementing measures that prevent unauthorized physical access to an organization’s premises and resources. It’s a cornerstone of a comprehensive ‘defense in depth’ approach to securing an IT environment.

A Solid Defense Starts at the Front Door

The concept of ‘defense in depth’ looks at how security vulnerabilities can be exploited, from hardware and software to human factors. Cybersecurity professionals understand that depending on a single control measure is risky. Layered controls ensure that if one is compromised, it doesn’t mean disaster for the entire system. This mentality should extend to the entire physical organization.

Of course, digital protection measures such as antivirus software, secure gateways, firewalls, and virtual private networks (VPNs) remain crucial. Incorporating advanced digital strategies such as machine learning to monitor for behavioral anomalies provides an added layer of security.

Leadership teams should also assess whether similar approaches have been applied to address any physical vulnerabilities. For example, a combination of manned entry points, locked facilities, cameras, and security alarms offers robust protection. It’s unlikely that a physical intrusion will occur simply to steal a laptop. Instead, these malicious actors commonly look for a way to access data or install malware inside the organization’s physical perimeter, where some protections may be lacking.

Identify threats, vulnerabilities, and cybersecurity risks with Trustwave's Penetration Testing.

Bad Guys Like to Keep it Simple

The most devastating and stealthy approaches are often very simple. For example, a threat actor does a quick LinkedIn search and identifies the top sales executive of an organization. Armed with their name and pretending to have a lunch appointment, they approach the receptionist, asking for directions to that employee’s workstation.

Once granted access, they could potentially gain entry to server rooms, IT storage areas, or network closets. Without effective physical security measures to stop them, this unaccompanied and unauthorized individual could cause widespread damage. By the time the damage is apparent, the threat actor is long gone.

The Magical Usefulness of Locks

Organizations don’t necessarily have to invest in expensive cameras and alarm systems or employ an army of security personnel. They can take several basic hygiene measures immediately to lower their physical security risk without adding significant cost.

For example, locking all IT devices, from laptops to USB drives, in a secure storage space so that valuable data can’t be accessed can prevent many attacks. This extends to networked printers, which should be locked away as they can be vulnerable when left in publicly accessible areas. Similarly, network ports and wireless access points should be hidden from plain view and disabled in public areas to prevent unsanctioned access.

Finally, staff should securely erase storage media such as hard drives, USB drives, or any device with onboard storage before disposal or re-use by the NIST 800-88 Revision 1 Secure Deletion and Disposal Standard.

As the boundary between the digital and physical worlds becomes increasingly blurred, adversaries quickly exploit vulnerabilities wherever they find them. A multi-dimensional, multi-layered defense strategy is critical. By bridging the gap between cyber and physical defense, organizations are better equipped to face an ever-evolving threat landscape.

A version of this article originally appeared in Security Brief Australia.