It’s important to develop a tailored physical security strategy to protect your assets.
Many of our blogs are related to cybersecurity, but security in the physical world is just as important. Like cybersecurity, learning how to thwart a variety of physical threats and minimize vulnerabilities is important to protecting tangible assets from unauthorized access.
Physical security is one of the most historically fundamental aspects of protection against intruders, but it’s often one of the most overlooked areas when it comes to securing data resources. Physical intruders target assets in a variety of settings including homes, apartments, office buildings, and stores. For example, in 2006, personal data, including over 25 million social security numbers, of US veterans and military personnel were unexpectedly taken from a Veterans Affairs employee’s house.
Physical security is important at the corporate, government, and residential levels. Even so, the level of physical security at home may be different than at work. The amount of resources invested into physical security also likely depends on the value of the assets worth protecting. For example, a discounted clothing retail store would probably have less physical security than the building where a multimillion-dollar corporation houses its lucrative proprietary technology.
In other words, physical security cannot be approached from a “one-size-fits-all” way of thinking. Understanding the potential threats and physical security needs of each property will help develop a tailored defensive strategy that actively protects assets. Chris Foster, GRA Quantum’s Director of Global Vulnerability Management, stresses that “You are only as strong as your weakest link when it comes to securing company assets. If you do not have budgets in place for physical security and employee security awareness, you are missing major components to an adequate corporate security policy.” Indeed, Foster notes that GRA Quantum gains entry approximately 95 percent of the time when conducting site security assessments.
Once physical access is achieved, an attacker has an easier time obtaining sensitive information. Physical security is multifaceted and includes external and internal layers of defense; these components must work together to create a comprehensive security package.
Physical Barriers
Physical barriers help to prevent attacks—or at least delay them—and they can either be natural or structural. Learning how to utilize both types of physical barriers helps to limit exposure to threats. Natural barriers are defenses that are part of the landscape in which the property resides. An example of a natural barrier would be a body of water that separates a property from the mainland. A body of water doesn’t fully protect a property from infiltration as intruders could still access it by boat or scuba diving. However, the resources needed to reach the property become more complex, which may deter less-motivated intruders from attempting to break in. On the other hand, an example of an open external landscape would be a desert with little to no obstructions like shrubs or boulders. This open external landscape means that there are fewer places for potential intruders to hide and use to their advantage as they approach the property.
In a variety of instances, access to natural barriers may not be available. For example, an office building in an urban environment might not have access to natural barriers like a body of water or desert. In these instances, structural barriers reign supreme. Structural barriers may combine a mix of gates, fences, and secure doors. The construction and maintenance of structural barriers vary in defensive strength and cost effectiveness. Fences sit near the low end of the cost spectrum as the materials can be bought and replaced cheaply. In addition to fences, or as an alternative, gates can be used as a protective barrier since they help control who enters and leaves the property. The accessibility of gates varies as some are manned by guards while others require an access card for entrance. As an easy upgrade in physical security, barbed wire can be added along the edges of the fences and/or gates. Furthermore, physical barriers can also serve as a psychological deterrent. When coupled with warning signs, physical barriers help to define the perimeter to outside parties and decrease the possibility of unauthorized access.
Surveillance
In the context of physical security, surveillance helps to monitor spaces and identify breaches. Depending on the security needs of a property, surveillance can include a combination of alarms and video cameras.
Alarms can be used across many layers of the security plan of a property. These systems enhance the protection of a property by calling attention to an intruder somewhere on the perimeter. Alarms can decrease the need for a large number of guards across the perimeter since the system can detect and warn about approaching intruders. Alarms are a strong enhancement to a security plan; however, they generally cannot be used as a standalone plan because they don’t provide actual physical barriers.
To complement the alarm system, video surveillance can be used to visually monitor the perimeter. Video surveillance is especially helpful for physical security since it functions as both a deterrent and a method of review. As a deterrent, video surveillance reduces the chance of trespassing as individuals do not know if they are being actively watched. If individuals still proceed in their attempt to trespass, they may trip an alarm. If an alarm is tripped, guards can switch to nearby surveillance cameras to track the intruder. On the other hand, let’s say an intruder doesn’t trip the alarm and enters the building undetected, but once inside he’s caught. If this happens, video surveillance can be used as a tool to review how the intruder avoided the current physical security plan. Chris Foster says, “Lock picks and RFID cloning are very much mainstream now, and devices are cheap enough for anyone to obtain. Camera placement is key to identify malicious actions and having personnel to respond to suspicious activities. These offer not only a deterrent but also provide evidence in case of a compromise.” Additionally, video surveillance can be used as evidence to arrest and prosecute the intruder.
Internal Physical Security
A physical security strategy should not just encompass the more obvious forms like barriers and surveillance; a physical security strategy should also extend to company practices and human capital. In 2006, Idaho Power hired someone to recycle over 200 of their hard drives that, unbeknownst to the company, contained employee information and memos discussing proprietary company information. Of those hard drives, over 80 were sold on eBay to undisclosed parties. Situations like this can be avoided by developing and maintaining methodical, layered physical security practices that work to minimize external exposure and leaks. In the instance above, Idaho Power should’ve had a standardized company procedure that securely wiped equipment before it was recycled or disposed of. This practice is essential to keeping sensitive data from falling into the wrong hands.
No matter the location, physical security strategies should be practiced wherever a valuable asset resides. Computers should be protected by keeping them within sight and locking them down before stepping away. Ultimately, though, the effectiveness of these practices comes down to employee training and awareness. Employees at all levels need to understand their role in security and the malicious methods intruders exploit to gain access to a building. Chris Foster says social engineering tactics, such as blending into crowds or carrying in boxes to be helpful, are some of the most successful entry points for an attacker. In 2005, the University of California at Berkeley experienced the theft of a campus laptop that contained the names and social security numbers of mostly graduate students and applicants when an unauthorized individual entered a restricted office. With this in mind, remembering to secure your area before leaving minimizes the chance of a physical breach. And before leaving work, take simple precautions by locking down items at your work station(s) and computer(s). Furthermore, make sure to ask before taking sensitive information home. If you are authorized to take sensitive information outside the office, make sure to keep these items out of plain sight, especially when in highly visible locations. The bottom line: Be proactive and don’t leave sensitive information lying around unprotected.
Staying (Physically) Secure
Physical security is the initial layer of defense against outside intruders and includes external and internal functions that should work in tandem to decrease the likelihood of intrusion. Regular site security assessments and employee trainings should be used to strengthen defense and raise employee awareness about the very real threats that could be lurking around corners.
As mentioned before, physical security is often one of the most overlooked areas when it comes to securing data resources. Knowing how to effectively develop and manage the protection of a property helps to keep assets safe from outside intruders.