Physical Security in Small OrganisationsHot
In this article we explore the importance of physical security to cyber security in small organisations, and how one can affect the other.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
Table of Content
Many small organisations have traditionally focused on physical security at the expense of cyber (or information) security. So why are we writing about physical security in a blog about cyber security, especially when small organisations have physical security covered? The reason for this is that technology is changing so fast that it has impacts on physical security that many small organisations have not necessarily appreciated.
Physical security is also very different today from what it used to be because of technology advances, the increased the use of surveillance technologies, and the vulnerabilities that some technologies create.
What is the problem?
It's important to remember that physical security breaches can be a stepping stone to a cyber-attack or a data breach. Laptops and mobile devices are frequently stolen, and while thieves might not initially realise the value of what they have, they can sell them on to those that do. In addition, criminals looking to introduce a new device like a keylogger will need to gain physical access to a building or certain restricted places.
The shift to more remote working has introduced new physical security concerns, both malicious and accidental. These risks can be present at home, in formal shared working environments, or informal ones like coffee shops. Even for the smallest organisations, moving out of a fixed office to the coffee shop, airport lounge, hotel and even working from home creates new challenges. Big organisations are not the only ones that have had to deal with these challenges, virtually all organisations have become "work from anywhere" organisations, to survive the Covid-19 pandemic and broader changes to the world economy.
If this work from anywhere approach is not backed up by the right set of controls, then directors and staff could be leaking or losing data everywhere they go. The risks and threats to a small office are easily controlled, when compared to risks outside the office.
When it comes to physical security, most people are trustworthy and mean well. However, it is important to put controls into place to address the 1% of less, who want to steal from an organisation.
What should be protected?
The first thing to think about in any location or operation, is what should organisations ensure they are protecting every day?
The answer is three categories: what must be protected by law, what should be protected to ensure the organisation is able to operate; and any other valuable assets. However, these three things are only a starting point. Individual organisations know their own operations and assets best.
Things that must be protected by law include:
- The safety of individuals – this seems obvious and, in many ways, small organisations are able to care for their staff with personal attention better than many larger organisations. However, the challenge for small organisations is that they lack the resources to take care of everything, and only invest in the essentials. It has been known for some small organisations to protect their assets better than their staff. Organisations must not forget that they have a legal obligation to protect not just staff, but anyone on their premises, including visitors and guests.
- Accounting artefacts of the organisation (the length of time these need to be kept varies from country to country) - invoices, receipts and bank statements must be kept for a period of time, in case tax authorities have any questions. Obviously, physical and electronic records must be kept and protected for the whole of the required period.
- Personal data - any personal data that falls within any data protection regime anywhere in the world will have to be protected. We cover this in more detail in an upcoming article specifically around data protection.
- Other things depend on the specialist organisation sector, for example, any organisation dealing in food, drink, drugs, etc, come under different laws on what can be used, and how it will need to be stored.
What must be protected for sustainability (and to protect items in the legal section previously mentioned), includes:
- Original source of software and updates - to avoid malware entering the code base.
- Banking credentials – including cheque books, PIN numbers, old cards, etc.
- Web server and domain registrar credentials – to ensure that attackers don’t take over the organisation domain name, or security access to it.
- Email credentials – since so much organisation is undertaken via email, interception of email is a common attack point.
- Back-up credentials – sometimes back-ups are less secure than current data, but that shouldn’t be the case.
- Server and administrator credentials – these can sometimes provide the keys to the kingdom, so they must be strong and well protected.
- Petty cash box and cheque books - small amounts of petty cash are not always an issue for most organisations, but these boxes are often used to secure other things that shouldn’t be there, such as large amounts of cash and memory sticks with data, backups, etc.
- Keys, including access tokens such as proximity fobs or cards to the office and building – all of these physical and logical keys make a difference, and could be the weak link that lets an attacker in.
- Contact details of customers, partners and other contacts – a very common problem used to be when someone left to work for a competitor, and would take a customer list. This may seem less of an issue with the use of social networks like LinkedIn, where contacts are developed, but here it is relationships that should be protected and the data related to those relationships.
- All electronic devices – obviously these include access to much of the data already mentioned through apps.
- All confidential printed and electronic data secrets – printed material can be removed from the premises while incorrectly being assumed to have been put into confidential waste.
- Intellectual Property – including code, formulae, etc. As obvious as this is, like the other items in this list, it is still surprising how many small organisations get this wrong.
Many of these items may be obvious to some organisations and completely new to others; it just depends on your own experiences and industry.
Let's take a look at the various issues in different environments Small Organisations may operate in.
A. Physical Security in a traditional Office
The variations of these types of environments include the following, and each presents different challenges and responses:
- Single site, single building, single office, sole occupier – this is often the easiest to maintain when it comes to physical security because as sole occupier the Business can usually operate on any set-up it needs within the confines of the occupancy agreement
- Multiple occupants, own lockable entrance – this set-up can be straight forward to maintain during office hours if there is a reception desk to restrict strays from entering the office space. Security outside of office hours will depend on the overall access available to the building by other occupants and the quality of the locks, who else has duplicate keys to the office, etc.
- Shared facilities and entrance – this type of set up can be where a single floor may be separated into several parts, but the access to each business may not necessarily be locked. These are often open planned settings with security staff who will patrol all areas outside of office hours. The challenge in these can be that outside of office hours anyone from other businesses can walk in apart from just the security staff
- Shared offices – are often the most difficult to secure, as anyone who shouldn’t be there can often claim to be a guest of the other business occupant, and go unnoticed.
Most common areas to consider in Office Environments
A common assumption that many people make is that just because something is easier to secure, doesn’t' mean that is it secure. Or, that just because something is harder to secure, that it is completely insecure. Businesses should focus on some basic common areas, and the assets that need to be protected.
- Access to entrances and blocked off areas - by making sure that office furniture and barriers are used so that everyone has to follow a defined path from an entrance point with a reception to get to each area that is deeper within the office environment. Forcing everyone to come in through defined points is important to monitor who is going in and out, as well as keeping those who should get any further without a good reason
- Visitors – identifying and recording who came in and left the area is important not just from a health and safety perspective but also for investigation purposes if it later transpires that something went missing during a certain time period
- Lockable storage – for personal items as well as for all paper records that need to be stored. This is also important when a business has a “Clean-desk Policy”, where nothing can be left on a desk at the end of the day. Such policies have proved very important in some businesses in reducing loss of documents and other assets. Alongside the Clean-desk Policy is a policy on disposing confidential material. Although many businesses may have shredding facilities, the quality of the shredding may need to be considered
- Tech storage – including server and network cabinets to protect all electronic devices and systems
- Maintenance & cleaners – this is an interesting one. We all see in so many movie scenarios where someone dresses up as a cleaner, maintenance work or security staff and gets into a building to steal something. However, nobody ever questions any of these staff, as they are supposedly allowed to be there. To reduce the risks posed, the above two points are vital.
Often Overlooked issues in Office Environments
In many businesses, once physical security controls have been set, there is often an assumed relaxation of control. However, it is often this assumption that the business is now secure that may lead to lapses that result in breaches and losses, including some of the following:
- Removable assets – when there is a sense of security in an environment, people often go off guard and forget to ensure the protection of removeable assets. Although staff shouldn’t be completely paranoid all of the time about everything, they should all ensure that they understand that any removeable assets that can go missing should be afforded additional care at all times
- Paper documents – anything that is confidential remains confidential at all times, whether one leaves their desk for 5 minutes or lunchtime or to go to a meeting. Accessible lockable storage is important to ensure that everyone can act on their responsibilities seriously
- Keys - lockable key cupboards should not only be locked to protect someone stealing any keys but also to stop anyone taking an imprint of a key without being noticed.
- Old technology devices – often these contain data whether it is emails, files, personal photos, etc. or configuration settings used by the business. Old devices and technologies must be disposed of correctly so that no useful or useable data remains on them
- Leaving keys in the lock of cabinets, server racks – this may happen when someone goes to get a cup of tea or go to the toilet, or take a break. But it does create a big vulnerability
- Auditing the Clean-desk and disposal of confidential waste, and other policies – sometimes small businesses will audit their information security policies and processes but not their physical security ones
- A physical security response plan – it is important to have an incident response plan for a breach in physical security, in much the same way there is one for a cyber incident. If there is a break in over the weekend, is there a mechanism for a keyholder to be notified? Does triggering the alarm call a reporting centre or a key individual, or individuals in sequence? Is there a defined process with all the information to call the police, insurance firm, landlord and other stakeholders? Is a locksmith or glazier required?
By focusing on controls that can make a difference to physical security beyond the obvious, ensures that the physical security controls in place are robust.
Other Technology Impacts of Office Environments
There are many different impacts of current technology on the office environment, these include:
- Office surveillance technology – many Small Business surveillance technologies are often purchased on the basis of lowest possible price, rather than built in security controls. Consequently, many may come with unresolved previously known vulnerabilities or bugs, or with firmware that will never be updated, or lack of controls of where the data can be saved. Further, they may also have ongoing maintenance contract fees to make use of the device or system. These are a major way into networks that may previously have been relatively secure, by criminals who can use Google like search engines to identify each one that connects to the internet. Although, a typical business may install anything from a few to tens of such devices, it only takes one to compromise the whole network and everything on it. Surveillance or security technologies must be purchased on their cyber security capabilities and controls, not on price or other gimmicky criteria
- Location transmission devices – today there are so many devices that transmit their location, as the default functionality is built into so many more devices than it ever was. However, even where it is not built in, an IP address gives away a location, and that as 5G is adopted on many devices, the location identification via 5G is more accurate. So, there are GPS, and 5G services that will help identify exactly where any device is. The impact of this can be to identify where surveillance equipment is and where staff are, the daily patterns and movements on a daily basis
- Magnetic door locks and fire regulations has resulted in a situation of opening all the door locks by triggering the fire alarm, allowing opportunist thieves to quickly run in during the confusion.
B. Working in Uncertain or Unknown Environments
The variations of these types of environments include the following and the challenges and responses are similar across most of them, and include:
- Coffee Shops - most people often know that these spaces are not necessarily secure, but still they take chances
- Airport lounges – people are used to trusting airport lounges on the basis that they are secured areas. But every airport in the world experiences theft and lost devices and luggage
- Hotels - the difference with hotels is that they create a false sense of security in that we leave our belongings in the room on the assumption that no one will have access to it
- Shared working environments - similarly to hotels, office lounge clubs with shared work spaces create a false sense of security, that everyone around the areas is trustworthy.
Many people use these environments as a second office, as they spend so much time on the road, but each presents its own set of security challenges.
Most Common Issues to Consider in Unknown Environments
In many cases, the biggest issue is that as humans we are very trusting in most circumstances and like to enjoy a given level of trust. This is often based on our preconceptions of what trustworthy environments and people look like, rather than anything accurate or rational.
- Using free Wi-Fi - it seems everyone loves free Wi-Fi and they don’t seem to be able to get enough of it. These uncertain and unknown environments seem to provide it in abundance, as do the criminals. Free Wi-Fi is the single most riskiest data leakage activity any employee can undertake outside of their office. Using a commercial level VPN can help protect against such risks, but they cost extra
- “Can you watch my stuff” - asking someone else in the vicinity to ‘watch your stuff’ so you don’t lose your table while you pop to the toilet, is incredibly risky. This goes back to our desire to trust; we want to leave someone to watch over our things and so we arbitrarily pick someone on whom we will place our trust. Whether that person sat close intentionally or has an opportunistic tendency to take something of use is never in our minds. Often people are in a lose-lose situation, leaving all their things on the table means that any single thing of value can be taken, or viewed, but packing everything up so that it cannot be seen or viewed makes it easier for a criminal to just take the whole bag
- Device theft and bag theft by opportunists - this can and does happen in all of these uncertain or unknown environments. Such environments are key places for criminals to make the best use of these types of opportunities.
Of these common issues, the technology ones are the easiest to deal with before leaving the office, and they include using travelling laptops which may only have bare-bones applications, data and access, but still protected that if it is stolen or lost, all that is missing is the physical value of the devices rather than the data on it. Preparing the use of VPN on all devices is also a simple approach to ensuring that mobile devices can check email wherever staff have to go and not worry about network coverage.
Least Obvious Issues to Consider in Unknown Environments
Sometimes even with the right awareness and technology in place, things can still go wrong.
- USB device-based attacks - someone could quickly plug in a USB memory stick while you are away from your device and install malware. Or, a trusted contact shares a file on a USB stick, which installs malware unknown to either party
- Shoulder surfers – these people watch others type in their passwords or even recording your hands while pretending to be using their smartphone.
Again, there are technical controls that can help avoid these types of risks. With USB attacks, if the user is not logged-in to the device with admin access, it will be harder to install anything. But also, as mentioned earlier, if the device doesn’t have anything useful on it and it is wiped clean when it goes back to the office, there will be nothing to worry about. To deal with shoulder surfers, using two-factor authentication should reduce any risks to account access.
Other Technology Impacts of Unknown Environments
These are also related to trust, or the lack of it, in these environments.
- CCTV - security cameras can capture usernames and passwords that are typed in to access devices. No-one can be certain that the positioning of cameras or the use of hidden cameras are not there to capture such data. Or that the environment’s CCTV system can withstand an attack to record and capture such data without being noticed by the environments controls
- Protection of payment cards – the use of touch payment systems has been a time-saver for many shoppers, but such payment devices are mobile and can be hidden in a way that by passing by a wallet will enable a payment. These payment devices are readily available and can be adapted so that they can receive payment without actually touching a card.
Two-factor authentication can greatly reduce any possibility of the use of stolen user credentials. Protecting against touch and pay fraud can be eliminated by using wallets that are made with materials that effectively create a faraday cage around the wallet. Such protective wallets are readily available on the internet.
C. Working from Home
The home environment is often considered to be the safest and trustworthy, because we believe that we control the whole environment. Whilst this assumption is partly true, people often allow actions and activities which may inadvertently compromise the trust and security of their home.
The home office, a desk in the corner or a commandeered dining table has become a day-to-day reality of many people working from home, whether by choice, or forced upon them due to the pandemic. Burglary is always a concern, but there are also accidental and opportunistic threats, as many people do not live alone. Typical environments include:
- Self-contained single person unit – these can be anything from a single bedsit in a house or large apartment in a block of flats. Such places often have a single entrance where everyone has a shared key, a door entry system and possibly no control as to who tries to enter or break-in to any room once a visitor has entered the building. Internet access while being only used by the sole occupier will still mean Wi-Fi signals can be picked up in surrounding areas outside of the contained unit by anyone with the appropriate equipment and wanting to do so. As a single occupancy unit, any technology used will all be determined by that person, and can be added or removed at will as required
- Shared apartment or home – by their very nature these usually start out with friends but then end up with strangers when a friend moves on. The security relies entirely on trust of those in the shared accommodation and where there is a lack of trust valuables and devices will be locked. In these environments, if anything is noticeably missing the lack of trust causes friction and can lead to complete lockdown. However, while a flat-mate may spy on another flat-mate and nothing is taken, there will still appear to be trust even though the party being spied upon does not know it. These are the circumstances that technology can help either party to achieve what they want to – the trusting party to secure their technology, or the spying party to spy unnoticed. Internet access will be shared anyone with a little bit of technical expertise can spy on other occupants. Further, any Wi-Fi signals can be picked up by anyone outside the occupied unit. In these types of environments, any occupant is able to install any device they want on the basis that they feel that they are not answerable to anyone else - regardless of how vulnerable the device may be. And consequently, any vulnerable device may also be the hardest thing to convince another occupant about
- Family home – these are always completely open to all occupants, except in rare occasions where a room may be out of bounds to children due to expensive equipment being in the room. Often because there are always people around, it is likely that front and back doors may be left open at times for longer than they should do without concerns that anyone would walk in without being noticed. In a family home, due to the level of trust, things can go missing without affecting trust where rooms start getting locked by the family or other occupants. Again, internet access is shared and anyone with any expertise and access to the router can alter its settings without the others noticing what has happened. The technology devices in family homes are often controlled by one adult until the children are old enough to add devices themselves, at which point it can get out of control
- Separate lockable room, out-building or shed – when working from home this is possibly the most easiest to secure. Having a separate internet connection and only using wired access makes this type of environment secure, but it also depends on where the out-building or shed is – meaning, that if it is too far away from the main house, it could be targeted and successfully compromised without anyone knowing. The technology devices protecting the environment like CCTV cameras and alarm systems are likely to be under the control of one person and monitored by that same person.
When it comes to the different home units, the securest are likely to be single person units or lockable areas, as more people may bring in greater security uncertainty into the environment, mainly due to a lack of equal share responsibility of all occupants, rather than other occupants being inherently untrustworthy.
Most Common Issues to Consider in Home Environments
As with the other environments, the most common issues in this environment arise out of misplaced trust or lack of some obvious security controls that can easily be implemented.
- Guests and visitors – other members of the household may invite guests they trust, but the trust is misplaced. This can lead to hard copy paper information going missing, or small technology devices going missing from common areas, on the one end, through to photo’s being taken of information, screen-shots, recorded conversations, etc. on the other
- Privacy – this includes privacy of conversations as well as all other open observable communication like video calls and meetings, who was in those meetings, what was said, etc.
- The default login on family devices is as an Admin – others within the family household (especially children) may have a personal logon onto the same computer and get tricked into installing malware while looking for free games and via various online activities. While the default login is as an Admin account holder, the user can install all the software they want, and equally, while the malware is operating under the Admin login, it too can install all the additional malware it wants
- Family member’s bring infected devices onto the network – even when family members have their own devices, as long as they have Admin access, they are able to install all the software they don’t want to pay for, as well as malware as hidden elements in pirated software.
These common issues are very easy to deal with by implementing some basic security controls for each device, from providing all users with non-admin accounts, through to the set-up for home working.
Least Obvious Issues to Consider in Home Environments
While many people may be aware of the common issues of working from home (even if they don’t always know what to do about them) sometimes it may be the less obvious issues that they are caught out by. These include:
- The secure storage of backup and recovery information – access to back-up data is important for many reasons. Whether it is because the Business uses cloud services for all data, where data is automatically backed up to the cloud or that there are no other reliable back-ups. In recent months we have seen how even cloud back-up services can go down for days or even weeks. In December 2020 several Google services were inaccessible for over a day for many people, the Blackberry email service that went down many years ago, was down for around two weeks. In today’s world businesses cannot afford not to have access to their data, and should make arrangements to have data both in the cloud and locally (at home) as necessary. This does not mean access to all data, all of the time, but just the right recent data that is currently in use
- Increased use of video conferencing – whereas a few years ago many Businesses got used to covering up their webcams and microphones, with so many people now using webcams for video conferencing the whole day, this is no longer the case. Now webcams and microphones are likely to be on all day, and perhaps even all night, making it easier to be spied upon
- Trust in new devices and technologies – the research in the use of camera doorbells has demonstrated how these devices are developed with very little security built in by default. These vulnerabilities make it easier for attackers to either pick up unencrypted Wi-Fi communication, or remotely compromise the device due to other vulnerabilities. The goal for any attacker will be to compromise the whole network, and not just the vulnerable device. So, whether it is the device, all devices and the router, the chances are that any vulnerable device will lead the compromise of most if not all devices on the network
- Secure lockable storage for printed and handwritten material – if staff are expected to hold confidential or sensitive data at home, they should also have secure lockable storage for it
- Secure deletion and removal of hard copy data – in an office environment there may be shredding machines or disposal services, these should be provided to staff working from home too, to avoid any leakages
- Encryption of removable USB storage devices – whether these are back-up portable hard drives or memory sticks, all copying of data should be encrypted by default.
Several of these less obvious considerations are easily dealt with and are usually provided for by an employer and not necessarily controls that home users have readily available around the house. However, awareness and good practice always make a big difference.
Other Technology Impacts of Home Environments
Today’s home environment can easily have a greater number of connected devices onto the network than a Small Business employing 30-40 people would have had a few years ago. This is partly because personal devices, home appliances, home surveillance and other smart home technologies have grown in usage.
- Effects of a compromised router. Since access is shared with all users at home, a compromised router could redirect DNS web browser requests to malicious or fake websites. Routers are a target for attackers, and not all home routers have come secure by default. Furthermore, when there are updates to the firmware, users don’t know how to check that these need to be applied, consequently they often go unpatched
- Eavesdropping by SMART devices. Speakers, for example, are in wider usage now and could be set to secretly record audio, capturing private conversations. Similarly, there are pet cams, baby cams, and similar surveillance devices that supposedly provide some comfort of knowing what life is like for whoever or whatever needs a watchful eye. But many of these devices are also sending out unencrypted signals so that their images and data can be viewed by anyone nearby with a device that is able to pick up the signals. The data can be very telling of the movements of people in their home
- Further unintended consequences of “SMART” technologies include over sharing or syncing of calendars, contacts, even business emails with other SMART devices within the household. But they do extend beyond that, including functionality that can send out emails, or connect to social media accounts, or messaging, or even talk to other devices because they are programmed to find other devices from the vendor, not because the user has agreed that the device should connect
- Use of the device to attack others – the largest distributed denial of service (DDoS) attack against the internet infrastructure that brought down several cloud services was performed by an attacker taking control of a single vendor’s CCTV cameras and using it to overload a specific part of the internet. This attack was obviously noticed and dealt with so that it is unlikely to happen again any time too soon, but the target could easily have been anyone or anything else. The impacts are wide, not only is an attacker able to use someone else’s bandwidth to attack a third party, but they are also able to use and leverage that device to do many other things mentioned earlier.
These impacts can be dealt with by buying devices on the basis of required security functionality with built in cyber security controls, and locking down each device installed on the network.
At the heart of security of everything in a work from home environment is trust. This means trust of the people in the home, guests and visitors, and very importantly every device that is permitted to connect to the trusted correctly configured router. Unfortunately, not everyone is able to say that they are able to trust every device based on proven assessments, rather than assumptions.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.
Actions and Activities
Now, on SaRB for SMOs:
- Help us to help you by completing our short poll on this topic (only available when article is published).
- Let us know which FAQs you would like us to answer.
Later, in your Organisation:
- Complete Board level Policy Review
- Update Policy
- Present to the Board for Agreement
Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.
Virtually Informed Resources:
- Glossary - at the top of this blog article (link to items).
- Infographics (Downloadable in the week of publication).
- Download Items - Policy Templates, etc. (Downloadable in the week of publication).
- FAQ’s (Available soon).
- Blog articles (link to items )
- How To articles (links only available to Premium subscribers).
- Other content (available soon)
- Ponemon Institute Survey
- Other Survey information
Images from https://www.pixabay.com.