Data security in a modern connected enterprise is paramount, and security breaches can have major and lasting consequences, whether that is the loss of intellectual property (IP), financial records or general business data that may be useful to third parties in attacking or targeting your business.
Read more about your legal responsibilities regarding data protection here
There are three key categories for protection:
- Physical – physical equipment e.g. Flash Drives & CDs, computers, server & network infrastructure, phones & other network connectable devices
- Network – the ‘data’ layer: internal network configuration, security groups, user accounts, restriction policies
- Cloud – Services that you have limited control of, e.g. accounting software, Office 365. You may have a level of administration in terms of creating users and managing permissions, but the important security protocols and procedures are ultimately controlled by the host company
Network and Cloud protection will be covered in later posts. So without further ado, let’s get stuck into Physical protection!
Physical security is often overlooked in favour of more technical threats such as hacking, malware and cyberespionage; however, it is a serious consideration for any organisation. It describes measures designed to ensure the physical protection of IT assets such as facilities, equipment, personnel, resources and other property from damage and unauthorised physical access. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism.
Some more frequently occurring physical security risks include:
• individuals stealing information by transferring the data to a flash drive or CD and walking out the door with the removable media;
• individuals obtaining access and installing physical devices in your organisation, e.g. on the network to monitor activity; and
• individuals physically damaging IT assets.
There are a few key things you can do to increase the physical protection of IT assets in your organisation. These include:
• Implement surveillance where possible and practical;
• Restrict access to removable media, server equipment and network equipment. This includes backup storage/devices, as they contain all your most valuable data; and
• Implement and enforce policies and procedures as outlined below.
Authorised access only
Enforcing authorised access does not have to be a complex endeavour, and there is a simple methodology which can yield effective results. Using the AAA approach, physical access to IT assets is restricted to only those who require access and are authorised to obtain it. The three A’s are:
- Access – Restrict access to IT assets, e.g. server and networking equipment to key personnel only. This reduces the number of people that could possibly introduce a security incident. Consider storing the IT asset in a lockable, secure location.
- Authorisation – Ensure that only personnel with the appropriate permissions (authorisation) are able to access the IT asset. This can be achieved by controlling who is able to access the keys or access cards to the secure, lockable location.
- Accounting – Audit the distribution of the access control, e.g. the key or access card, and if possible when access to the IT asset is obtained. This can be achieved by ensuring that the key is signed in and out and access is logged when the IT asset is accessed.
Shutdown unused network access
An often overlooked security consideration is disabling physical access to your network infrastructure. Like putting a lock on the door to your office, disabling unused desk ports and only allowing authenticated devices on to the network prevents unwanted visitors from gaining access to protected IT assets.
This does add some management overhead, which is generally the reason that this measure is not implemented. While this portion ties in with network security, there is a direct physical security benefit from implementing proper network protection and practices.
Leaving your network equipment open for convenience exposes your organisation to the risk of someone adding IT equipment to your network without your knowledge. For example, wireless routers can be plugged into a live desk port and hidden away under desks, allowing people to access your network from outside your office without you even knowing this is occurring.
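Finding the ports to shut down, and spotting equipment that has been added, can both be done from the switch's own MAC address table. The script below is an added example (not from the original post): it parses a table in the column layout of a Cisco IOS `show mac address-table` dump and compares it with an asset register. The sample table, the port list and the asset register are constructed for illustration, as are the asset tag names; the interface names and the `shutdown` stanza follow IOS conventions.

```python
"""Audit a switch MAC address table against an asset register.

Added example, not code from the original post. Flags:
  - access ports with no learned address (candidates to shut down),
  - ports with several MACs (a hub, switch or router in bridge mode
    may have been plugged in under a desk),
  - MACs that are not in the asset register,
  - registered devices seen on a port other than their recorded one.
All input data below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample in the column layout of Cisco IOS 'show mac address-table'.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.0001    DYNAMIC     Gi1/0/1
  10    0050.56aa.0002    DYNAMIC     Gi1/0/2
  10    0050.56aa.0003    DYNAMIC     Gi1/0/3
  10    a4b1.c2dd.ee01    DYNAMIC     Gi1/0/3
  10    a4b1.c2dd.ee02    DYNAMIC     Gi1/0/3
  10    0050.56aa.0004    DYNAMIC     Gi1/0/7
"""

# Constructed: the desk-facing access ports on this switch (8 shown for brevity).
ALL_ACCESS_PORTS = [f"Gi1/0/{n}" for n in range(1, 9)]

# Constructed asset register: MAC -> (asset tag, port it was installed on).
INVENTORY = {
    "0050.56aa.0001": ("PC-0101", "Gi1/0/1"),
    "0050.56aa.0002": ("PC-0102", "Gi1/0/2"),
    "0050.56aa.0003": ("PC-0103", "Gi1/0/3"),
    "0050.56aa.0004": ("PRN-01", "Gi1/0/8"),   # recorded on Gi1/0/8, seen on Gi1/0/7
}

# One data row: vlan, dotted-hex MAC, type, port. Header/separator rows do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; MACs are lower-cased."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return rows


def audit(mac_table, all_ports, inventory):
    """Compare learned addresses with the access port list and asset register."""
    rows = parse_mac_table(mac_table)
    by_port = defaultdict(list)
    for _, mac, port in rows:
        by_port[port].append(mac)

    unused = [p for p in all_ports if p not in by_port]
    multi_mac = {p: macs for p, macs in by_port.items() if len(macs) > 1}
    unknown = [(mac, port) for _, mac, port in rows if mac not in inventory]
    moved = [
        (mac, port, inventory[mac][1])
        for _, mac, port in rows
        if mac in inventory and inventory[mac][1] != port
    ]
    return {
        "unused_ports": unused,
        "multi_mac_ports": multi_mac,
        "unknown_macs": unknown,
        "moved_devices": moved,
    }


def shutdown_config(ports):
    """Emit IOS-style interface stanzas that administratively disable ports."""
    lines = []
    for p in ports:
        lines += [
            f"interface {p}",
            " description UNUSED - disabled per physical access policy",
            " shutdown",
            "!",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit(MAC_TABLE, ALL_ACCESS_PORTS, INVENTORY)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(shutdown_config(result["unused_ports"]))
```

Two caveats before acting on the output. A single snapshot of the MAC table only shows devices that are currently talking, so collect it over several working days (or use the switch's own port-activity counters) before shutting a port that merely looks idle. And a consumer router running NAT presents one MAC to the switch, so the multi-MAC check alone will not catch it; the unknown-MAC check and, above all, requiring devices to authenticate (802.1X) are what actually close that gap.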
Office policies can go a long way to mitigating physical security risks. I’ll give you an example: IT support technicians often need to go to a site for a variety of reasons. When they visit a site, it is surprising how simple it is in some circumstances to get access around the office. There have been times where the support technician simply stated that they were from IT and they were given access to the server room and other IT assets.
Unless you are a large or highly secure organisation, you are probably not going to have permanent security stationed at your front desk vetting every person that walks through the door. However, a simple policy can be enforced where all staff members ensure that appropriate identification is provided by a visitor before they are granted access to the requested asset. Staff can be made aware of and trained in this policy during an induction or at company meetings. Other policies that can help reduce physical security risks are listed below.
Sign in and sign out policy
Ensure that all visitors who go past the reception desk are recorded in a register, i.e. ‘signed in’, including the time in and out and whom they are visiting.
Recording unique information
As part of the sign-in register, record some unique identifying information such as a driver’s licence number. It is best to choose an identifier that is difficult to forge. Note that the register then holds personal data of its own and must itself be stored securely and retained no longer than necessary.
Scheduling & communication
Relevant areas should be informed of any scheduled work happening in their area. Any work that is occurring without their knowledge should be immediately identified and questioned. Again, this is something that staff can be trained in and made aware of.
Guests and visitors (including tradesmen) should be escorted at all times or at least to their designated work areas. Consider what access is provided to tradesmen, ensuring that only essential access is provided.
Clean desk policy
As much as people like to personalise workspaces, everyone should have a clean workspace devoid of identifying and commercially sensitive documents. Notes and documents should be placed in drawers and secured at the end of every day.