Kathy Vogler, Communications Manager, Expedient Technology Solutions

I’ve lived most of my life in a relatively secure and crime free area.  I’m fortunate that my first real experience with personal property theft didn’t happen until 2010 when a trailer was stolen from our barn area.  This was completely shocking for us, at that time we didn’t lock anything including the house.  We have dogs, we have motion lights, we don’t take risky actions and there is no crime.  Well, those days are sure in the rear-view mirror, aren’t they! Everything seems to be fair game these days. The new normal must fall on the side of zero trust.  This isn’t just important to combat cybercrime, it’s for everything.  Businesses need to take physical security seriously.

“I get hired by companies to hack into their systems and break into their physical facilities to find security holes.”~ Kevin Mitnick, 1995 convicted hacker, owner of Mitnick Security Consulting LLC

Physical security is the protection of people, property and physical assets in a fashion similar to steps used by law enforcement. And while the Achilles heel to security will always be the human factor, security experts agree that the three most important components of a physical security plan are access control, surveillance, and security testing. 

Access Control at a high level is about restricting access to a resource and may even be part of your regulatory compliance requirements.  Physical access control limits access and often uses a proximity card or fob, password, PIN or biometrics to unlock the door. For example, an organization may employ an electronic control system that relies on user credentials, access card readers, intercom, auditing and reporting to track which employees have access to a restricted area. This system may incorporate an access control panel that can restrict entry to individual rooms and buildings, as well as sound alarms, initiate lockdown procedures and prevent unauthorized access.

Access Control has five main components:

Surveillance is most often done by video cameras using a video management system.  The surveillance could start at the outer edge of your perimeter to monitor your facility and parking lots to secure your outdoor areas.  These control systems ensure that you will know who enters your facility and when. Your camera systems serve two purposes; dissuasion when a potential thief knows they will be recorded which may prevent the criminal act and if anything does happen you will have a recording of it.  IP cameras are standard and no longer require specialized equipment to handle them.  A simple computer system connected wirelessly can record.  You may even consider adding night vision. Real time alert offerings can send snap shots or video alerts directly to your phone. 

Security Testing or physical penetration testing to assess the ability of the current physical security controls to prevent penetration by the bad guys and the testing of these systems on a regular cadence to ensure their efficacy.  Many cybersecurity breaches occur when attackers find they can take advantage of one or more physical security flaw.  Flaws are as simple as no one monitoring the video feed or through devices that are easy to disarm or avoid.

Armed guards and strong security policies are useless if the bad guys can infiltrate by verbal deception or piggyback techniques to access your facility.  Effective staff training, procedures and personal controls like visitor records are important.  You test your employees by sending phishing emails to see if they will click, you should also test to see if your staff will allow anyone who says they have a reason to be in your facility access.  In large organizations where people don’t know everyone, it’s as easy as slipping in the door alongside someone who has authenticated.  The goal of the bad guy might be to steal property, harm your employees or plug code into a USB port of an open printer that is attached to your network.  Any action like this can cause serious disruption to your operations, ruin your company’s reputation, or steal intellectual property.

Zero Trust “Never Trust, Always Verify”

If the bad guys enter your front door, you should not automatically give them access to everything inside.  How long can an intruder wander around your facility before they are detected or before anyone questions them?  Will the bad guy find sensitive information laying on desks or on the copier? Are there unlocked screens at workstations, accessible phones or open USB ports? There are hundreds of things a bad guy can do in a matter of minutes; plug in a USB with malicious code, clip a vampire tap on a cable, plug in a hardwired keylogger and you are completely compromised.

With a Zero Trust approach to your security including physical security, you can limit access and require further permissions. 

That said, and regardless of you hosting your own or outsourcing this, the interaction of every aspect of security and safety systems is most prevalent at the heart of your data and requires a comprehensive 360-degree review.  Your physical data center (on-prem or in the cloud) represents the epicenter of your customers’ and your company data and should be consistently controlled with security standards including monitoring and securing all environmental elements such as power, cooling and fire suppression.  Your data center should be the primary defense against cyber theft and any disaster that requires business continuity. Trained and experienced people keep physical and digital security systems running effectively.  Employee background checks, security and compliance training, regular access reviews, annual penetration testing against your physical infrastructure, and regular patching schedules for all systems are key.  If you outsource, are your third-party data center providers keeping your data safe? In addition to safeguarding infrastructure, do they have a plan for an active shooter?  Do they have a plan that includes hardened barriers at strategic points in the facility?

The world evolves and the only constant is change. Physical security and cybersecurity have the same weak link that is the human element.  It’s been said that “nice people create critical physical gaps.” Studies show that up to 60% of all people entering corporate offices do so without authentication.  Awareness and response training of your employees (not just the new employees) can go a long way to keeping your people, property, and physical assets safe.

I’m not really ready for Zero Trust at home, but we do lock the doors now.