Threats to your data come in all forms. Companies should have network and infrastructure security in place. But few consider physical security. How many times on television shows do you see a character slyly stick an external hard drive into a computer and download critical information just in time to escape? This isn’t all that much of an over-dramatization. Pricewaterhouse Coopers, Carnegie Mellon University, CSO magazine and the U.S. Secret Service reported that “Only 49% of companies have a plan to address and respond to insider security threats — even though 32% of the same companies agree that crimes perpetrated by insiders are more costly and damaging than those committed by outsiders.”
The following advice from an article on computerworld.com is a good reminder of why physical security measures shouldn’t be ignored. As the author, Robert C. Covington states, “If insiders can walk into your data center and grab a removable hard drive, they have no need to break into your servers.”
The open lobby
Companies with open lobbies often rely on a receptionist to be the gatekeeper, but receptionists can get busy and distracted. A few weeks ago, I visited a company with an open lobby. Had the receptionist been distracted, and with the few people walking in the halls, I could have easily made it through the building to the unlocked data center. A locked door between the lobby and inside of a facility is very important.
The unlocked data center
Someone with physical access to a system can do many things that a network intruder could not. I helped a church blank the local admin password on a PC this week, something I could only do with hands-on access to the system. If you have a data center of any size, it needs to be securely locked, with access restricted to those with a need to be there.
Poorly secured doors
Systems requiring a proximity card for entry are now quite common, and with good reason. They provide tight granularity of access control for individual doors and a detailed audit trail. They are important, and should be used more than they are. That being said, they are not the answer to tight access control that many think, given the ease with which access information can be captured and used by bad actors. One of my customers recently described an audit by a major corporate customer that included an attempt to capture badge data using inexpensive, off-the-shelf hardware and software. The auditor arrived 30 minutes early and rode up and down the elevators with arriving employees. After 30 minutes, the auditor had captured enough data to easily enter almost any office in the building.
Lack of surveillance
Cameras are very inexpensive today, and yet they can do double duty, not only detecting possible threats in progress, but allowing for forensic review of incidents. What a bargain! And yet, surprisingly few companies use them, and many that do, install and ignore them. Cameras should be installed at all entry points to a facility, and in key areas such as data centers and telecom closets. The video should be recorded and retained, with a live monitor placed on the desk of someone who can keep an eye on it.
Inadequate intruder detection
The good news is that intrusion alarms are in very common use today. There is much opportunity for improvement, however. Many smaller offices in multitenant buildings do not bother with them, because a guard is often present in the lobby. If you refer to the badge paragraph above, you will realize just how easy it can be for someone to get into such a building. Further, these offices often share a common wall with other tenants. You don’t have to watch many home improvement shows to realize just how easy it is to get through drywall. You need an intrusion system, and you need one supporting unique codes for each individual for audit trail purposes.
The bottom line: It is appropriate to pay attention to logical security threats, but overlook physical security at your own peril.
There’s no denying that network breaches and cyber attacks are top of mind for companies. But please don’t overlook dumpster divers looking for manuals or lists, disgruntled employees, or just overall easy access into areas of highly sensitive data. Corporate Technologies Group has helped many clients with all aspects of their information security.