In this article we explore the importance of physical security to cyber security in small organisations, and how one can affect the other.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
Many small organisations have traditionally focused on physical security at the expense of cyber (or information) security. So why are we writing about physical security in a blog about cyber security, especially when small organisations have physical security covered? The reason for this is that technology is changing so fast that it has impacts on physical security that many small organisations have not necessarily appreciated.
Physical security is also very different today from what it used to be because of technology advances, the increased use of surveillance technologies, and the vulnerabilities that some technologies create.
What is the problem?
It's important to remember that physical security breaches can be a stepping stone to a cyber-attack or a data breach. Laptops and mobile devices are frequently stolen, and while thieves might not initially realise the value of what they have, they can sell them on to those who do. In addition, criminals looking to introduce a new device like a keylogger will need to gain physical access to a building or to certain restricted places.
The shift to more remote working has introduced new physical security concerns, both malicious and accidental. These risks can be present at home, in formal shared working environments, or in informal ones like coffee shops. Even for the smallest organisations, moving out of a fixed office to the coffee shop, airport lounge, hotel and even working from home creates new challenges. Big organisations are not the only ones that have had to deal with these challenges; virtually all organisations have become "work from anywhere" organisations in order to survive the Covid-19 pandemic and broader changes to the world economy.
If this work from anywhere approach is not backed up by the right set of controls, then directors and staff could be leaking or losing data everywhere they go. The risks and threats to a small office are easily controlled when compared to the risks outside the office.
When it comes to physical security, most people are trustworthy and mean well. However, it is important to put controls in place to address the 1% or less who want to steal from an organisation.
What should be protected?
The first thing to think about in any location or operation is: what should organisations ensure they are protecting every day?
The answer falls into three categories: what must be protected by law; what should be protected to ensure the organisation is able to operate; and any other valuable assets. However, these three categories are only a starting point. Individual organisations know their own operations and assets best.
Things that must be protected by law include:
- The safety of individuals – this seems obvious and, in many ways, small organisations are able to care for their staff with personal attention better than many larger organisations. However, the challenge for small organisations is that they lack the resources to take care of everything, and only invest in the essentials. It has been known for some small organisations to protect their assets better than their staff. Organisations must not forget that they have a legal obligation to protect not just staff, but anyone on their premises, including visitors and guests.
- Accounting artefacts of the organisation (the length of time these need to be kept varies from country to country) - invoices, receipts and bank statements must be kept for a period of time, in case tax authorities have any questions. Obviously, physical and electronic records must be kept and protected for the whole of the required period.
- Personal data - any personal data that falls within any data protection regime anywhere in the world will have to be protected. We cover this in more detail in an upcoming article specifically around data protection.
- Other things depend on the organisation's specialist sector; for example, any organisation dealing in food, drink, drugs, etc. comes under different laws on what can be used and how it must be stored.
What must be protected for sustainability (and to protect the items in the legal section above) includes:
- Original source of software and updates - to avoid malware entering the code base.
- Banking credentials – including cheque books, PINs, old cards, etc.
- Web server and domain registrar credentials – to ensure that attackers don't take over the organisation's domain name, or the security access to it.
- Email credentials – since so much organisation business is undertaken via email, interception of email is a common attack point.
- Back-up credentials – sometimes back-ups are less secure than current data, but that shouldn’t be the case.
- Server and administrator credentials – these can sometimes provide the keys to the kingdom, so they must be strong and well protected.
- Petty cash box and cheque books - small amounts of petty cash are not always an issue for most organisations, but these boxes are often used to secure other things that shouldn’t be there, such as large amounts of cash and memory sticks with data, backups, etc.
- Keys, including access tokens such as proximity fobs or cards to the office and building – all of these physical and logical keys make a difference, and could be the weak link that lets an attacker in.
- Contact details of customers, partners and other contacts – a very common problem used to be someone leaving to work for a competitor and taking the customer list with them. This may seem less of an issue with the use of social networks like LinkedIn, where contacts are developed, but it is the relationships, and the data related to those relationships, that should be protected.
- All electronic devices – obviously these include access to much of the data already mentioned through apps.
- All confidential printed and electronic data secrets – printed material can be removed from the premises while incorrectly being assumed to have been put into confidential waste.
- Intellectual Property – including code, formulae, etc. As obvious as this is, like the other items in this list, it is still surprising how many small organisations get this wrong.
Many of these items may be obvious to some organisations and completely new to others; it just depends on your own experiences and industry.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.
Actions and Activities
Now, on SaRB for SMOs:
- Help us to help you by completing our short poll on this topic (only available when article is published).
- Let us know which FAQs you would like us to answer.
Later, in your Organisation:
- Complete Board level Policy Review
- Update Policy
- Present to the Board for Agreement
Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.
Virtually Informed Resources:
- Glossary - at the top of this blog article (link to items).
- Infographics (Downloadable in the week of publication).
- Download Items - Policy Templates, etc. (Downloadable in the week of publication).
- FAQs (Available soon).
- Blog articles (link to items).
- How To articles (links only available to Premium subscribers).
- Other content (available soon)
- Ponemon Institute Survey
- Other Survey information
Images from https://www.pixabay.com.