Battered by a nearly constant onslaught of attacks and revelations of security breaches, IT businesses and departments have doubled down on securing their organizations’ data. Better password hygiene, data access restrictions and encryption are all fundamental to preventing a data breach. However, physical security is often overlooked.
As InfoSec defends their organizations from attackers whose motivations run the gamut from quick financial gain to disgruntled employees and customers, it’s imperative for IT departments to take a comprehensive approach to securing their organizations.
Overcoming “not my job” syndrome
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats. IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.
Technology professionals needs to get back to basics. While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer. Security must be considered at every step, even when no networked communication is taking place.
This means not only making sure the cabling, power supply and other infrastructure are in place, but also addressing unlocked server rooms, loosely managed inventory and environmental hazards. It can be easy for IT professionals to dismiss physical security as another department’s purview, but only IT has the expertise necessary to identify and assess these sources of risk.
Merging physical and data security
The IT implications of poor physical security practices can be dire – as aptly demonstrated by the late 2014 attack on Sony. In fact, a statement attributed to one of the attackers in various news reports went as far as to claim, “Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in.” Even barring the potential for internal sabotage, it can be extraordinarily difficult for organizations to re-secure their environment once a physical security breach occurs.
Thankfully, IT departments have a variety of tools at their disposal to address both physical and data security. Disk encryption, already widely used in the business world, can be extended to provide greater physical security through the use of a trusted platform module (TPM). Combined with trusted network configurations, IT departments can ensure that data is inaccessible to unauthorized parties, even if a workstation or server is physically compromised.
Additional measures, like keeping server room doors locked, creating and enforcing ID policies, or installing mantraps can dramatically reduce the consequences physical security threats pose. Other software-based approaches, like implementing a mobile device management (MDM) solution, enabling geolocation and disabling unnecessary physical ports on workstations can prevent many common attacks without creating an undue burden on end users. By taking simple steps to reduce physical security loopholes, IT professionals can narrow and better manage their vulnerabilities.
A holistic approach to security
Whether through phishing, impersonation, tailgating or more “traditional” network-based attacks, organizations and their data face a number of serious threats. IT professionals must take a more comprehensive view of their organization’s security landscape, accounting for all potential weaknesses, not just software vulnerabilities. It’s imperative to close off obvious avenues of attack by using security controls already in place – almost every organization has at least some policies around locking doors and verifying employee identities – but many businesses don’t see the importance of these procedures and enforcement tends to be lax.
Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access. Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder. By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.