The entrances to your building are very much like port 80 on a firewall: you have to keep them open for people to enter and leave, but just as a firewall monitors the network traffic passing through port 80, you need to control who comes in and out of your premises. Main entrances are often well guarded with external camera coverage, a reception desk and sign-in requirements for visitors. But what about side doors, particularly those used for taking a smoking break? A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee. All entrances should have some form of access control and, where possible, CCTV coverage, as side doors are often left unlocked as a convenience to the next member of staff.
There should also be some form of surveillance of the office car park. Employees often assume the car park is secure and leave cars unlocked with badges or other sign-in credentials and office documents inside. The car park needs protecting, as do other external resources. Generators, for example, need to be securely caged. A generator is a key piece of equipment in your business continuity and disaster recovery plans. You don't want anyone to be able to tamper with it or cut the power as part of a denial-of-service attack, or as a diversionary tactic to gain entrance to the building, where someone could then have an opportunity to steal valuable data.
Making sure your physical defences are in place is only one aspect of physical security. Physical security threats need to be addressed with behaviour-based strategies. Technology makes it simpler than ever for a hacker to pose as someone with a legitimate need for access. It's easy to just pop into a copy shop and produce a business decal for a vehicle or jacket that looks genuine, for example. As part of their social engineering preparation, hackers will have prepared answers to obvious questions from guards and other staff. They can often find out who will and won't be in the office on certain days by searching through social networking sites such as Facebook and Twitter and so can sound very convincing, referring to real people and corporate events.
At Christmas, more than ever, the arrival of any unexpected personnel or services, such as plant care, waste removal and cleaning services, should be treated with immediate suspicion. Nobody should be allowed access without being signed in by an authorised employee, no matter what he or she says or claims. Preferably security will be able to confirm with suppliers any changes to their normal personnel and hours of service prior to the holiday period so guards will know who and what to expect.
This is the kind of behaviour companies need to inject into their corporate culture as security is ultimately rooted in employees' behaviour. A survey by Cisco Systems Inc. last year that looked at how behaviour (not technology) affected the risk and security of data found many employees still breach security rules. A Deloitte Inc. survey of more than 100 companies found 75% cited human error as the leading cause of security failures.
The statistics show that a lot still needs to be done to change people's approach to protecting their work environment. One tactic could be to publish a monthly newsletter on current security threats and issues, reporting security metrics that show the cost benefits of improved security. For example, put a monetary value on fewer incidents or shorter recovery times. Important security memos should go out under the CEO's name, and other top executives should attend security Q&A meetings. You may also want to consider Red Team testing of your building's security, using both cyber and physical means to covertly gain access to the company's critical systems and find out where any security gaps lie.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.