When discussing Cybersecurity, topics usually range from ensuring endpoints are secure, to discussing the latest malware attacks. However, there are some topics that are equally as important, but are often left out of the discussion. One of these topics is physical security. The security of your data and technology is only as secure as the locks on your doors. Let me explain.

The most simple example involves trying to remember a new password. Instead of memorizing it, you write it down on a sticky note and leave it on your desk. You have now violated what is called the “clean desk policy”, which states that you should avoid leaving sensitive information out in the open; even in areas you consider secure. All an attacker would need to access your account is the contents of the sticky note and your email address.

The bad actor may not even be a coworker. It could be anyone who has access to the building, whether they are supposed to or not. For example, a bad-actor may spot another weak point in physical security and leverage it to access your sticky note, machine, or other sensitive information. The weak point could be as simple as a propped open or unlocked door. If online pranks have proved anything, it's that you can get into almost anywhere if you have a high-vis vest and clipboard. It’s key to ensure that the people who access your building are who they say they are and have the proper keys/identification to gain access to the building.

Many businesses have successfully employed “man traps”, systems containing two or more doors that require two or more keys for employees to enter the building. For example, the first door could require a physical key-card, while the second door could require a finger print. Furthermore, once the first door is passed, it locks behind the person, trapping the bad-actor who most likely didn’t plan on meeting a second requirement. The options for systems such as this are endless, and are based on three basic types of keys:

Something you have: key, key-card, phone
Something you are: fingerprint, retina-scan, facial-recognition
Something you know: number-pads, passphrases

Bad-actors who are motivated enough will not rule out breaking in through sheer force. There have been numerous cases of after-hour break-ins at data centers by hackers wishing to access sensitive information. The same could happen to any well-established business holding information. Avoiding these types of attacks can be done through:

Prevention: strong locks, gates, guards
Deterrents: cameras, alarms, sensors, lighting

Leveraging each of these as much as possible will not make break-ins completely impossible, but will make them extremely difficult or simply not worth it.

Another common technique used by companies to add extra layers of internal security are Sensitive Compartmented Information Facilities (SCIF). These rooms (figure 1) are designed to hold sensitive meetings or systems, and are often designed to help prevent snooping via radio surveillance. They can either be built into an existing building or, as is more common, deployed to remote/offsite areas. Given this, they are more commonly found in government and military operations, but still have their uses for companies handling extremely sensitive information.

Physical security is extremely important, and should never be left out of a strong cybersecurity plan. Not all implementations will look the same–your business may not require the levels of security provided by a SCIF. Instead, some cameras, strong locks, and proper authentication may be enough to keep your business secure.

For help improving the physical security of your business or for more information, contact us at skbinfo@skbcyber.com.