In this episode we explore the importance of physical security to cyber security in Small Organisations, and how one can affect the other.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Many Small Organisations have traditionally focused on physical security whilst often ignoring cyber (or information) security, so why should we be talking about physical security in a blog about cyber security, especially when Small Organisations have physical security covered? The reason is that technology is changing, and has been changing, so fast, with impacts that many Small Organisations have not necessarily appreciated.
Physical security is also very different from what it used to be, due to advances in technology, the growth in the use of surveillance technologies, and the vulnerabilities that some of those technologies create.
What is the problem?
While the focus for many Small Organisations is moving to cyber security, a breach of physical security can be a stepping stone to a cyber-attack or a data breach. Every day laptops and mobile devices are stolen, and while the thieves may not initially realise the value of what they have, they may sell them on to those who do. And let’s not forget that sometimes the goal is to introduce a new device, like a keylogger, which requires physical access to a building or to certain restricted areas.
The shift to remote working has also introduced new physical security concerns, both malicious and accidental, whether at home, in formal shared working environments, or in informal ones like coffee shops. This move, for even the smallest Organisations, out of a fixed office to the coffee shop, airport lounge, hotel and even the home creates its own challenges. Big Organisations are not the only ones that have had to deal with these challenges; every organisation is now a work-from-anywhere organisation, in order to survive not just the Covid-19 pandemic but changes to the world economy.
The challenge is that, if the work-from-anywhere approach is not backed up by the right set of controls, directors and staff could be leaking or losing data everywhere they go. The risks and threats in a small office are completely controllable compared to those outside the office.
The other challenge is that, as in any other area of risk management, when it comes to physical security most people are trustworthy and mean well. The controls that need to be put in place aren’t there to stop them stealing assets, but to help reduce the risk from that possible 1% or less who may want to steal from the organisation.
What should be protected?
The first thing to think about, regardless of where and in whatever environment the organisation operates from, is “what should Organisations be ensuring they protect every day?” The answer falls into three categories: what must be protected by law, what should be protected to ensure the organisation is able to operate as a viable organisation, and lastly any other valuable assets. However, these lists are only a starting point and mainly focus on the obvious; individual Organisations know their assets better, and know what is of value to them.
What must be protected by law includes:
- The safety of individuals – this seems obvious and, in many ways, Small Organisations are able to care for their staff with personal attention better than many larger Organisations. However, the challenge for Small Organisations is that they lack the resources to take care of everything and only invest in the essentials, and it has been known for some Small Organisations to protect the organisation’s assets better than their staff. Organisations mustn’t forget that they have a legal obligation to protect not just staff, but anyone on their premises, including visitors and guests.
- Accounting artefacts of the organisation (the length of time these need to be kept varies from country to country) – invoices, receipts and bank statements must be kept for a period of time, in case the tax authorities have any questions. Both physical and electronic records must be kept and protected for the whole of the required period.
- Personal data – any personal data that falls within any data protection regime anywhere in the world will have to be protected. We cover this in more detail in an upcoming episode specifically on Data Protection.
- Other requirements depend on the organisation’s sector; for example, any organisation dealing in food, drink, drugs, etc. comes under different laws governing what can be used and how it must be stored.
What must be protected for sustainability (and, implicitly, to protect the items in the legal section above) includes:
- Original sources of software and updates – to avoid malware entering the code base.
- Banking credentials – including cheque books, PIN numbers, old cards, etc.
- Web server and domain registrar credentials – to ensure that attackers don’t take over the organisation’s domain name, or the access controls protecting it.
- Email credentials – since so much of an organisation’s work is conducted via email, interception of email is a common attack point.
- Back-up credentials – sometimes back-ups are less well protected than the live data, but that shouldn’t be the case.
- Server and administrator credentials – these can sometimes provide the keys to the kingdom, so they must be strong and well protected.
- Petty cash box and cheque books – small amounts of petty cash are not always an issue for many Organisations, but the problem is that these boxes are often used to store a lot of other things that shouldn’t be there, including large amounts of cash and memory sticks holding data, backups, etc.
- Keys, including access tokens like proximity fobs or cards for the office and building – all of these physical and logical keys make a difference, and could be the weak link that lets an attacker in.
- Contact details of customers, partners and other contacts – this used to be a big problem: when someone left to work for a competitor, they would sometimes take a customer list with them. This may seem less of an issue with the use of social networks like LinkedIn, where contacts are developed, but here it is the relationships, and the data related to those relationships, that should be protected.
- All electronic devices – these obviously provide access to much of the data already mentioned, through the apps used to access it.
- All confidential printed and electronic data and secrets – printed material can be removed from the premises while it is incorrectly assumed to have been put into confidential waste.
- Intellectual property – including code, formulae, etc. As obvious as this is, like the other items in this list it is still surprising how many Small Organisations actually get this wrong.