Antivirus won’t stop a physical attack. While many businesses are starting to wake up to the cyber risks posed by phishing and malware, it is essential that physical security is not neglected. Without appropriate protection measures in place, your business is left vulnerable to physical threats.
In this article, we’ll look at the most common physical security risks to companies - and how to protect your business against them.
Most workplaces are secured by some type of access control, whether a locked door or a swipe-card access point. These physical security measures are, unfortunately, easily overcome by a determined attacker.
Tailgating is when an unauthorised person follows an authorised person into a secure area.
This happens naturally when several people pass through a door and only the person at the front has to present identification or a swipe card. The people behind simply follow through - making it easy for an unauthorised person to get in.
Fortunately, tailgating can be limited with the right physical security measures. If you’re willing to make the investment, anti-tailgating doors make tailgating virtually impossible. Installing them can prove expensive, but they are something you could consider if you are planning to move to a new office location.
Another way to reduce tailgating is by providing physical security training for your employees. This is somewhat less reliable - but a lot cheaper. It involves raising awareness among employees and providing them with a rigid physical security policy, including guidance such as not holding doors open to people they don’t recognise. You should also encourage employees to actively report any tailgating attempts they witness to security personnel.
Your office is likely to have papers and documents lying around in many places, from desks to printer stations. Sensitive documents can easily become unaccounted for - and fall into the wrong hands. Even if they are not taken from the office, a visitor could see information that you wouldn’t want them to see.
One of the best ways to prevent the theft or accidental revelation of documents and sensitive information is to institute a clear-desk policy. A clear-desk policy, which means ensuring that all desks are cleared and all documents are put away at the end of the workday, makes it less likely that sensitive documents are left in vulnerable locations. You should also ensure that your employees shred all sensitive documents they hold after they no longer need them.
In order to prevent the theft of documents, it is also essential to institute access control and prevent unaccounted visitors from entering your workplace.
If you don’t know who is or was in your workplace at a specific time, it is impossible to keep a high level of physical security. Unaccounted visitors pose a serious risk, as you will not be able to tell whether they were present when an incident occurred.
Access control with swipe-card or ID doors is essential for business security, but you should also ensure that all visitors are accounted for by supplying them with visitor passes. This way, you will always be able to know if a person within your premises is authorised to be there - and also have a log of entry to later verify when a person was within your premises.
Of course, you do have to be careful that everyone is actually using verification that they are authorised to use.
An access control system only works if everyone uses their own identification. If people are going in and out of your premises using someone else’s identification, the result is the same as if you had no access control at all.
Employees need to be educated on the importance of protecting their IDs or access cards. Without training, employees will often share or lend each other their cards, making it hard to properly monitor access. Employees may also be careless with their IDs unless the importance of protecting them is demonstrated.
Finally, we’ll look at social engineering - one of the most challenging physical security vulnerabilities to overcome.
Social engineering attacks can come in a huge variety of different forms. This is one of the reasons why it is so difficult to combat. Social engineering attacks rely on manipulating your employees, often using information that they have managed to gain to impersonate someone else, or abusing basic human empathy to gain access to secure areas and networks.
For example, one of the most common social engineering attacks is the ‘coffee trick’. This method is essentially a more sophisticated version of tailgating: it involves a person holding a cup of coffee in each hand walking towards an office door. An unsuspecting employee who is passing through the door or nearby will hold the door open out of courtesy - thus letting an unauthorised person into the premises.
While there is no simple way to overcome all social engineering threats, the first step towards combating social engineering is to make a thorough physical security risk assessment and consider how someone could get through the protections that are in place. Raising awareness about social engineering among your employees is also key, as understanding the risks that social engineering can pose will help your employees be more alert to any suspicious activity or contacts.
While the appropriate physical measures are necessary for protecting your business, in the end, it is not going to be security barriers or anti-tailgating doors that keep your business safe.
Raising awareness about physical security among your employees and encouraging them to take an active stance in defending their workplace is the most effective way to combat the whole spectrum of physical security threats.
With uLearn, usecure's automated security awareness training platform, you're able to test what your users know about 'Physical Security', and then launch computer-based training that reduces their risk and strengthens their behaviour over time.
Explore our video and interactive training courses today and start measuring your organisation's human cyber risk on a number of core security topics.