Physical Device Security is Essential for Cyber Security. Here’s Why.
While it may be easy to maintain a loose, decentralized security policy in smaller startups or organiations with few employees, creating and maintaining an explicit physical security policy for all devices that use your network will become increasingly critical as your business or organization grows.
Physical device security is often overlooked, especially in small-to-medium businesses (or SMBs). Even SMBs with good digital security programs or policies in place may forget about physical security, as they’re more focused on product development, sales growth, and other issues, and are inclined to think, “I’ll worry about the physical security later on.”
Essential IT processes fall off the radar during phases of rapid growth, leaving your organization uniquely vulnerable to cyber attack just when it’s most important that you be protected and allowed the space you need to grow.
The truth is, physical security policies are essential. Here’s why:
Physical Security Policies Keep You Covered
We always say that the best offense is a good defense. Implementing physical security procedures that are spelled out explicitly, updated regularly, and seen and understood by all employees will help to ensure the safety and security of the data being used within their line of business applications.
While firewalls, cyber security policies, updated data backup, and other digital security steps can help to protect you, there’s nothing more important than those first steps in physical security that you can start right off the bat, no matter how big or small your organization is or will be.
Ensuring that your physical security policies are in line with popular industry compliance standards not only protects individual data, but also the investment in time, money, and intellectual labor made by you and your employees. It will leave business partners, vendors, and your customers or clients more at ease knowing that they are working with a business that keeps their confidential information safe.
Physical Security Policies & Procedures for SMEs
The simple truth is, there is no organization today that isn’t at risk of a security breach. Hackers and scammers, who use tools that range from ransomware infections via seemingly innocent emails or social engineering, will stop at nothing to profit off the damage and destruction they can cause to your business.
To help you avoid being the next victim, we’ve created a quick list of policies and procedures to help your business or organization keep in line with what are considered best-practice physical security standards.
Perform Regular Audits of the State of Your Physical Security
Does your business currently track and manage the physical security of all devices that utilize your network? How are you tracking the devices used by employees, vendors, or visitors when they arrive at your office? All organizations should be sure to maintain a detailed log of activities, including the coming and going of visitors or vendors, any time outside devices are utilizing your organization’s network, and what they were used for. This log should be available upon demand.
The upside here is that we don’t have to recommend keeping tedious notes by-hand in a notebook. There are many apps or digital services available to help you keep tabs on these activities. Advanced 3rd-party applications will give your IT team the ability to set up alerts whenever policies are broken, without them having to spend important worktime just going over notes.
There are several different options, depending on the size of your organization and the detail of your records. Some smaller organizations have been known to get by simply using Excel sheets, while others require more in-depth analytics.
Regardless of the route you take, these tips should help you focus on what your organization needs to track, monitor, and audit on a regular basis:
- Identification – Require badges or name-tags that identify employees, vendors, and visitors.
- Asset Tracking – When any new IT asset is purchased, the specs (serial number, make, and model) should always be recorded.
- Asset Deployment – IT staff should always know who has an organization’s IT asset and where/how it is being used.
- Physical Access – No one who is not working within the IT department should have access to any room in which IT equipment is stored.
- Consider Video Surveillance – Do you maintain a server closet or specific office where IT equipment is stored? Look into CCTV or some sort of video surveillance that faces the equipment, as well as one at the door that will catch anyone who enters the room.
What About Offsite Use of Company Equipment?
It’s not enough to be concerned with physical security only within your building. Everything from the tiniest startup to huge multinational enterprises may have employees who either work remotely from home or work offsite in general using smartphones, tablets, laptops, and other devices that utilize and store essential organizational data.
How can your IT staff ensure the security of these devices when they aren’t located within the traditional office setting?
Some simple solutions are easy to implement, although large organizations may find themselves needing to depend on 3rd-party apps. Let’s take a look at how to ensure device security offsite.
Securing Smartphones, Tablets, and Laptops
Smartphone security is essentially the most basic, as most smartphone users tend to ‘lock’ their phones using a personal code to secure the device. For many of these phones, too many incorrect entry attempts will result in the phone erasing all of its own data in response, leaving any hacker trying to ‘break in’ with little more than an empty brick.
However, security for laptops or tablets is a bit more complex. One popular solution we’re seeing many IT departments use is called the Prey Project. If a laptop, tablet, or mobile device is stolen and the security code is breached, the Prey Project helps to recover the devices thanks to a small, lightweight agent that will track and monitor the whereabouts of the device, generally using GPS signals.
The Prey Project gives organization the ability to remotely lock the screen or even to take a photo using the device’s camera. Geolocation features (which are generally installed by default on all mobile devices) can be used to find the device as well.
Other Possible Tactics
Just about every digital device sold today comes with certain baked-in data encryption features that can be utilized as a great first step in physical security.
For example, devices running Windows can utilize the BitLocker security feature to encrypt the hard drive of a laptop. Users would have to enter the BitLocker password to continue booting into the laptops operating system.
If your organization primarily utilizes laptops as far as offsite mobile devices, considering buying a laptop lock for each device. As employees travel from one location to another, they are required to ‘lock’ the laptop onto the desk they’re using. This makes it more difficult for the device to be stolen if the employee happens to turn their back or even walk away from the desk. These locks are especially valuable if employees regularly use public locations such as train stations, airports, or coffee shops for work time.
Tying it All Together
A physical security breach could cost you far more than just the monetary value of the IT assets stolen or compromised. These sorts of breaches have been known to make national news, leaving your organization irreparably harmed and causing potential clients to shy away from doing business with you in the future. Begin training your employees on basic physical security practices today. Make sure they’re aware of the impact of a security breach, and acknowledge and entertain their feedback. Your IT department will be served well by working with the employees they are enforcing security policies for, rather than feeling they have to work against them.
Whether you’re a small startup looking to set up your network from scratch or a large enterprise interested in specialized industry requirements for essential data backup, BACS is here to help. Based out of the San Francisco Bay Area, we work with clients nationwide to provide everything from Managed IT to Security Services to Business Technology services like VOiP and more. Reach us by phone at (650) 887-4601 or contact us online at any time.