Improving Your Organization’s Physical Security Posture

By Clifford Strong, CEO of JC Protection LLC | March 17, 2021

Technical security controls such as firewalls and malware protection cannot prevent, or mitigate the impact of, a direct physical attack on your company’s infrastructure. Controls that limit physical access are critically important. The level of physical security required varies depending upon the nature of the business and the extensiveness of the environment, but there are best practices applicable to most organizations.

Secure Points of Entry

Clearly, you would not want unauthorized visitors to have access to restricted areas within your organization, and you have undoubtedly taken steps to secure these areas. But what about the ability of your employees to access certain areas if they do not have a work-related need to do so?

Role-based access control (RBAC) is a cybersecurity best practice that restricts access to computer systems, applications, and networks within an organization to only those employees who require that access to perform their duties. For example, only those employees responsible for handling payroll should have access to payroll systems. RBAC can also be applied to physical access. Consider the controls applicable to government agencies in the United States that have access to criminal justice information systems (CJIS). Federal regulations restrict access to the data on these systems to those who need it, like law enforcement and criminal court personnel. But the regulations go on to limit physical access to computer systems, server rooms, and networks that host or provide access to CJIS data. Anyone with physical access to these resources must be fingerprinted, background-checked, and trained before access is granted. Not only does this include technical personnel who maintain the systems, but it also includes everyone else, like cleaning crew members and facilities maintenance workers. While you may not deem it necessary have your employees fingerprinted, you may want to have their backgrounds checked and limit access to certain areas and facilities using the RBAC principle. The fewer who have access, the lower the risk of insider attack or accidental damage.

Many organizations use proximity badges or key cards to control physical access. These are great if access permissions are kept up to date and if they are deactivated if lost, stolen, or no longer needed. Employees’ access permissions should be reviewed periodically and updated when necessary. If, for example, a facilities maintenance worker who once supported the building where the data center is located is transferred to another building or department, their access to the data center should be removed as soon as possible. If your organization uses more traditional keys, the same principle applies. If your employee tasked with opening the store in the morning moves on to a different role, they may no longer need keys to the front door.

Install Surveillance Cameras

Using video surveillance to capture any unauthorized access or suspicious activity is recommended. Video technology has come a long way in recent years. For about $30, you can purchase a hi-definition, motion-activated camera with two-way audio as well as onboard and online storage. Of course, you get what you pay for, and upgrading to a higher quality camera system with enhanced security features is a good idea. Your IT staff should be able to find the best option after doing some research and taking your needs and environment into consideration. Depending on your organization’s size, you may wish to set up a central location with video monitors to be used by security personnel to detect and respond to suspicious activity.

If you have an on-premises data center, placing enough cameras there to provide full coverage is highly recommended. Insider attacks by disgruntled employees are often extremely destructive. Cameras may allow for early detection, and their recordings would certainly be helpful in court if needed.

Manage Portable Devices

There are extensive guidelines regarding the use of technical controls to secure portable devices like laptops, tablets, and smartphones. Two of them, the use of encryption and the ability to remotely wipe data from the devices, also relate to physical security.

If a device is lost or stolen in a breach of physical security, encryption of the data on the device prevents it from being exposed. It is important, however, to consider the possible ramifications of implementing a blanket policy that requires encryption to be applied to all portable devices within an organization. In 2012, a NASA employee had his agency-owned laptop stolen from his car. In response, the agency quickly created a policy requiring that all agency-owned portable devices be encrypted as soon as possible. This resulted in unintended consequences. Some of the agency’s on-premises research and laboratory facilities used older technology equipment run by laptops with outdated operating systems. These laptops never left their secure rooms and were not connected to the agency’s network, but the policy required that they be encrypted. Unfortunately, many of them were running operating systems that were incompatible with the encryption application. They either had to be wiped and discarded or had to go through a lengthy exemption process to remain in operation. Additionally, laptops only used in conference rooms and secured with cable locks had to be encrypted even though they were no longer “portable.” This meant that every time a new user wanted to utilize the conference room, IT support personnel had to meet the user there and create a local login key to provide access to the laptop. Involving your IT team and other stakeholders in the policy creation process could help you avoid issues like these.

Consider enabling remote data wipe capabilities to delete sensitive data from lost or stolen company-owned laptops, tablets, and smartphones. In the previous scenario, if a remote wipe capability had been available, the agency could have simply erased the unencrypted data from the stolen laptop. Remote wipe functionality is either already built into most newer devices, or is readily available for installation. Remote wipe is not a substitute for encryption. Both are recommended. In order to remotely wipe a device, it has to be online. Thieves can, however, extract data directly from devices without them being online–but if the data is encrypted, extracting it does the thief no good.

Any discussion of portable devices is not complete without addressing your employees’ personally-owned devices. A “bring your own device” (BYOD) policy should be implemented. The policy should address, among other things, whether employees are permitted to directly (via network cable) or wirelessly connect personal devices to company networks. If connection is permitted, does that include access to internal network resources or only to a public wireless connection? The policy should define what devices are approved for connection. Is encryption required? What about malware protection? Employee expectations should be addressed. These would include any potential consequences associated with personal device usage, like the ability of the company to remotely wipe a personal device if necessary. For instance, if an employee installs a company email app on a device, the company may wish to have the ability to wipe the device to protect confidential company data if the device is lost or stolen. The policy could also require training of users who wish to connect personal devices.

Secure Wireless Networks

If your company utilizes wireless networks that broadcast their Service Set Identifiers (SSID), they can be detected by anyone within the range of your wireless access points. This is why wireless network security should be part of your physical security plan. There are attackers who look for wireless access they can use to hack into networks. Smart devices with network access, like certain thermostats, door locks, and cameras, may not be sufficiently secure and may provide gateways hackers can use to access your company’s internal network and systems.

If you have a public Wi-Fi network, make sure it does not provide any pathway to access your internal network. If possible, require visitors to set up accounts and passwords to access visitor Wi-Fi. Encrypt the data on the network to ensure that, if it is intercepted by an attacker monitoring your wireless traffic, things like account login credentials will not be compromised.

Having no visitor wireless, preventing your internal wireless from broadcasting its SSID, and setting up your access points to provide access only to devices within the company’s perimeter are best practices, but are not always practical.  You will need to weigh the risks against the benefits when securing your wireless systems.

Train Your Employees

Train your employees to look for and report suspicious activities. Have a process in place for them to report incidents. Make them aware of the practice of tailgating, whereby potential attackers gain access to secure areas by simply following others through a door before it shuts behind them.

Sometimes attackers will inject themselves into conversations with a group of employees as if they belong there. Once they have made themselves part of the group, they simply follow the employees into access-controlled areas. Unless they feel that their safety is threatened, encourage employees to question suspicious individuals, offering to help them find what they are looking for. In most cases, the person will have a valid reason for being there and will appreciate the offer of assistance, or will simply leave if they were up to no good.

Test Your Plan

There are two ways to determine whether your physical security plan is effective. You can create a test plan for your access controls and other components and perform tests periodically. Lessons learned from these tests will help you to continuously improve your security. The second way to gauge your plan’s effectiveness is to analyze the damage after you suffer a breach. The first method is best.

In Conclusion

Physical security plans should be tailored to your company’s specific needs, but there are best practices applicable in most scenarios. There is no way to eliminate all risk and you can sometimes cause problems for yourself when you don’t take potential consequences into consideration while developing your plan and creating policies. Your employees are often your last and best line of defense. Training and reporting procedures are critically important. Finally, test your plan regularly, learn from the results, and make continuous improvement.

JC Protection LLC is ready to assist with your business’s security needs. Please contact us today.