Chief Information Security Officers (CISOs) worldwide have been paying increasing attention to physical security. Physical security refers to the protection of people, property, and physical assets from the risk of physical actions and events, such as fire, flood, natural disasters, burglary, theft, vandalism, and terrorism [1]. With more organizations outsourcing their IT infrastructure and adopting hybrid and remote work, physical and infrastructure security have taken a back seat to the remote-work initiatives those organizations are pursuing. That said, corporate safekeeping and physical security remain critical components enabling organizations to protect their assets, employees, and clients. According to the findings of the IBM Cost of a Data Breach 2020 Report, 10% of all malicious breaches reviewed in the study were caused by a physical security compromise [2].
[1] The Importance of Physical Security and Its Implications on Cybersecurity | New Jersey Cybersecurity & Communications Integration Cell (nj.gov)
[2] IBM. https://www.ibm.com/reports/data-breach
Ensuring physical safety, and being able to give stakeholders credible assurances about it, is crucial for maintaining their trust and confidence as well as for avoiding legal and financial repercussions.
The benefits of taking physical security seriously are numerous. Physical security related to computer technology should not be treated as an “out of sight, out of mind” variable. Effective corporate security measures can prevent unauthorized access to confidential information and protect companies against cyber-attacks, fraud, theft, and other criminal activities. With robust security policies and procedures, companies can mitigate potential risks and minimize the impact of cybersecurity breaches. We must not forget that many significant data leaks were the outcome of gaps in physical and infrastructure security.
Physical Security measures such as access controls, surveillance and alarm systems are critical for safeguarding people, property, and equipment. Physical security can deter unauthorized activities, aid in breach detection, and enable a rapid response to cybersecurity incidents.
Moreover, the confidence that staff have in the safety of their organization should also be considered. Providing a secure workplace can improve employee morale, increase productivity, and attract top talent. Clients and stakeholders likewise expect organizations to have adequate cybersecurity measures in place to protect their interests, and failure to do so can damage the organization’s reputation and brand image.
Consequently, implementing physical security controls is crucial for the administrative and financial well-being of businesses. Below are some physical security best practices that organizations should consider applying. These best practices are inspired by the ISO 27001 standard:
Security Perimeter and Access Controls
Organizations should define physical security perimeters and implement access-control measures at those perimeters. Access controls can include physical barriers such as locks, security gates, and turnstiles, as well as electronic controls such as key cards, biometric scanners, and access codes.
Monitoring
The above-mentioned perimeters should be monitored through surveillance systems such as CCTV cameras, motion sensors, and alarms to help corporations detect in real time unauthorized access, theft, or suspicious activities. Organizations can hire security personnel such as guards, receptionists, and patrollers to maintain a physical presence and deter potential threats. Security personnel can also respond quickly to emergencies and incidents.
Location and Protection
IT infrastructure equipment should be securely sited and effectively protected. Information processing facilities should be protected from power failures and other disruptions caused by breakdowns in supporting utilities.
Physical and Environmental Threats
Organizations should safeguard their assets against physical and environmental threats. Environmental controls such as fire suppression systems, heating, ventilation and air conditioning (HVAC) systems, and humidity sensors protect resources from naturally occurring hazards such as fire, floods, water damage, lightning, tornadoes and extreme temperatures, and from man-made hazards such as civil unrest or water leakage from facilities. Related controls covering cabling security, equipment maintenance, and the secure disposal or re-use of equipment are addressed in the sections below.
Storage Media
Companies should manage storage media such as disks and USB keys through their life cycle of acquisition, use, transportation, and disposal. In general, these media should be encrypted to prevent access to their contents in the event they are stolen or lost.
Cabling Security
Cables carrying power or data should be protected from interception, interference, or damage. Because a cabled network such as Ethernet is a shared medium, organizations should make every effort to harden that network against attackers attempting theft of service, abuse of quality-of-service mechanisms, or host spoofing.
Clear Desk and Clear Screen
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. These rules should also apply to remote workers.
Security of Assets Off-Premises
Considering the different risks of working outside the organization’s premises, companies should also ensure the protection of assets that are located off-site.
Equipment Maintenance
Whether physical or virtual, computer equipment should be maintained correctly to ensure the availability, integrity, and confidentiality of information.
Secure Disposal or Re-use of Equipment
Items of equipment containing storage should be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.
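As an added example (not part of the original article), the following Python check supports the verification step above: it scans an image read from a drive after a fixed-pattern wipe and reports any sector that still differs from the wipe fill. It assumes the operator has already captured the image to bytes (for instance from a block device) and that the wipe used a constant fill such as zeros; the sample images below are constructed, not real disk dumps.

```python
"""Verify that a storage image has been overwritten before disposal or re-use."""
from collections import Counter
import math


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a chunk: 0.0 for a constant fill, close to 8.0 for random or encrypted data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def find_residual_data(image: bytes, chunk_size: int = 512, fill: bytes = b"\x00"):
    """Return (offset, entropy) for every chunk that is not the expected wipe fill.

    After a fixed-pattern wipe every chunk must equal that pattern; anything else is
    residual data or an incomplete pass and must be investigated before the media leaves.
    """
    expected = (fill * (chunk_size // len(fill) + 1))[:chunk_size]
    residual = []
    for offset in range(0, len(image), chunk_size):
        chunk = image[offset:offset + chunk_size]
        if chunk != expected[:len(chunk)]:
            residual.append((offset, round(shannon_entropy(chunk), 2)))
    return residual


def verify_wiped(image: bytes, chunk_size: int = 512, fill: bytes = b"\x00") -> bool:
    """True only when no chunk deviates from the wipe fill."""
    return not find_residual_data(image, chunk_size, fill)


# Constructed sample images (hypothetical, not real disk dumps).
WIPED_IMAGE = b"\x00" * 4096
# Same size, but one sector still holds a document fragment after a partial wipe.
_fragment = b"CONFIDENTIAL: payroll export 2023-Q4 ..."
_partial = bytearray(WIPED_IMAGE)
_partial[1024:1024 + len(_fragment)] = _fragment
PARTIAL_IMAGE = bytes(_partial)

if __name__ == "__main__":
    for name, img in (("wiped", WIPED_IMAGE), ("partial", PARTIAL_IMAGE)):
        hits = find_residual_data(img)
        print(f"{name}: {'OK' if not hits else 'RESIDUAL DATA at ' + str(hits)}")
```

A chunk with high entropy in an otherwise wiped image typically indicates data left behind by an incomplete pass, which should block release of the equipment.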
Inventory Management
Organizations should implement inventory management policies to keep track of their assets, equipment, and supplies, and prevent loss or theft of confidential information. They can also use asset tags, barcodes, or Radio Frequency Identification (RFID) tags to identify and track their assets.
Incident Response Planning
Incident Response Planning is all about an effective incident response strategy whereby a combination of people, process and technology is documented, tested and trained in the event of a security breach. Its purpose is to prevent data and monetary loss by targeting the resumption of normal operations. Organizations should integrate within their incident response plans proactive measures to deal with physical security incidents such as theft, vandalism, or natural disasters. These plans should include procedures for notifying authorities, evacuating personnel, and restoring operations.
Factual Caution
Physical security encompasses the protection of people, property, and physical assets from actions and events that could cause damage or loss. Even though it is often overlooked in favour of other security controls, physical security is every bit as critical as the other areas of cybersecurity. All the firewalls in the world cannot help you if a cyber-attacker removes your storage media from the storage room.
The growing sophistication of physical security through technologies such as artificial intelligence (AI) and the Internet of Things (IoT) means that IT security and physical security are becoming more closely connected. As a result, physical security and cybersecurity teams need to work together to secure both physical and digital assets.
Proactive Recommendation for Physical Security
Implementing physical security controls is essential for organizations to protect their assets and personnel from physical and cyber threats. Companies should consider physical security in their risk assessments and accordingly develop physical security and cybersecurity policies and procedures.
Free Resources
US government: Cybersecurity and Physical Security Convergence Action Guide
Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook – Physical And Environmental Security
SANS Institute: Physical Security and Why It Is Important