Information security is often thought to be very technical in nature and a lot times it is. After all technology is exciting and many people prefer to focus on firewalls, intrusion prevention systems and other state of the art technologies. Physical security is an essential often neglected aspect of information security and it is every bit as important as the more technical aspects. If you neglect implementing adequate physical security measures all of your other efforts can be in vain.
The following are the primary business risks if you fail to implement adequate physical security measures:
- Disclosure of sensitive business information
- Theft of your business assets
- Financial loss for replacing assets
- Loss of ability to use data that may be critical for sustaining ongoing operations (if no backups are available)
- Negative publicity if the event is disclosed
So now that you agree it is important what do you need to do? One of the first steps should be to perform a risk assessment so you can document and prioritize based on business risk. This helps you focus your efforts and decide how much you are willing to spend to mitigate certain risks. I will provide a sample risk assessment at a later date to serve as a template but for now here are items to consider when implementing physical security.
Physical Security Things to Do At Your Business
- Control access to your business facility to only allow authorized personnel inside. At the minimum this should mean securing your business at least as much as you do your home. Locked doors, security systems, and or more advanced control mechanisms like building control devices.
- Secure rooms with computer servers and networking equipment in it with an additional level of security. Ideally physical access to these systems should be restricted to individuals that need to access them. In addition, a simple guest log in book is a good way to document who is accessing a security controlled room (of course badge access control is even better but it is all based on your cost/risk tolerance).
- Consider using a camera/DVR based security system. I have not yet purchased one but for under 400$ I am looking to get one very soon likely the Defender SN500. This set looks quite nice and is very cost effective for the additional protection it provides.
- Utilize cable locks for your desktops, laptops, projectors and network equipment. Physical theft is the greatest threat to these assets so lock it down to get a little more secure.
- Lock up sensitive physical files in drawers or cabinets and do the same with portable electronic media such as USB devices or cd/dvds.
- Make sure you follow our backup tips to ensure you do not lose critical data in the event of an environmental disaster such as a fire or flood.
Physical Security Things to Do on the Go
Laptop thefts are the biggest risk to your business assets while in transit. Follow these tips to make sure you minimize your likelihood of becoming a victim of laptop theft.
- Place your laptop in your trunk immediately when leaving work for the day. A majority of laptops stolen from vehicles are stolen because they are visible tempting targets to thieves.
- Never leave your laptop unattended when it is not locked up. Keep an eye on it at all times much like you would a small child playing in the yard.
- Consider utilizing a laptop recovery service if you will be storing sensitive information on your machine.
- When traveling on a plane never check a laptop always carry it on yourself.
- If you are in a hotel room the best option is to lock your laptop in the in room safe. Next best options include using a cable lock to secure it to some furniture or shelving in the room. A last resort option is to use the do not disturb sign and hide it as best you can as recommended in these tips from Microsoft.
- If you have to step away for even just a moment ask a trusted person to keep an eye on it for you. If there is no one available take it with you.
In summary, do not neglect physical security as part of your information security program. Doing so will leave you with a false sense of security and an incomplete protection program.