When we think cybersecurity, we think firewalls, antivirus programs, and not sending money to that African prince who needs to transfer a massive amount of money into our bank accounts.
With so much to think about on the digital front, it's easy to forget some of the basic physical precautions we need to take to provide the most comprehensive protection for our data.
Security can be such a broad and overwhelming topic, especially since in this modern age we're not only expected to protect our physical space but our digital space as well.
Making sure we're covered on both fronts can be an exhausting balancing act.
We often think it's easier to break into a network and thus focus our attention on cybersecurity, but if a bad guy can walk in and just pick up a removable hard drive or even just an employee phone list, they don't need to waste the time breaking into the network.
Here's a list of 10 things to consider when you decide it's time to take a long, hard look at your physical security.
- Security cameras: Record everything! Keeping a record of everything that goes on within your business is crucial, especially in the case of a disaster. If something goes missing or you suspect someone has been on the premises with ill intent, you'll need those security tapes to figure out what happened and when.
- Exit-only fire escape doors: It can be easy to overlook your fire escape doors, but a criminal who wants to get in is probably going to try these first as they typically are unmonitored and in out of the way places. Locking these from the outside to prevent people entering through them is a smart solution to stop it from happening.
- Secure entry points: Whether it's a traditional key (which, coincidentally, is pretty difficult to hack) or a card key, entry into your facility should require something to get through. You always lock your house before leaving, why not your business?
- Monitored entry points: Locking your doors isn't enough. Having a person (or several!) in-between the lobby and entry points provides an extra layer of security. A person can sometimes be even more of a deterrent than a lock, as they can identify the criminal to authorities.
- Alarms: It's important to remember that even when you have someone standing (or sitting) between visitors and your internal facilities, this only works during business hours. Unless you have a 24-hour security person, the building is not monitored once you go home. Having an alarm can alert authorities and you in case of a break-in.
- Secure server room: The server room is the heart of your business' data. It needs to have the strongest defenses in your building. If a criminal were to gain access to it, they could wreak all sorts of havoc, some of it irreparable. Consider requiring a different key or key card to enter this room than to enter the facility, just in case.
- Visitor restrooms: This can also be easily overlooked. Having restrooms separate from your facilities eliminates the need to let unauthorized persons enter protected space. Restrooms beyond your secure entry point should be employee-only. If you don't have separate bathrooms for your visitors, at least increase security around the entryways to discourage wandering about.
- Sign-in processes/IDs: It's a good idea to keep track of all your visitors, and if you can afford visitor badges to identify them, even better. You should know everyone that's in close proximity to your computers and servers.
- Exit monitoring: If you have secure entry points, you shouldn’t need any monitoring on your exits, right? Wrong! It's all too easy for someone to slip into an exit behind a careless employee. And if something happens at your entry point, like you miss the criminal entering, you’ll want backup.
- Security education: It is impossible to overstate the importance of educating your employees on security procedures. Teaching them cybersecurity basics is a start, but they also need to know how sign-in/out procedures work, who's allowed on the premises, how to lock their computers when they walk away, and many other things to keep their workplace secure. A smart employee is a safe employee.
These are just a few suggestions on physical security measures you can implement to protect your business.
For companies that work with Protected Health Information, they may even help keep you HIPAA compliant.
Implementing these security features can count towards Physical Security compliance as outlined by HIPAA security standards.
Failure to comply may result in serious fines which can hurt you both in your finances and your reputation, so be sure to keep physical security in mind when auditing for compliance! (It may even be a good idea for non-PHI entities to follow these standards; it can never hurt to be extra secure.)
Find out what works best for you and stick to it. All your carefully placed digital defenses are meaningless if someone can walk into your business and have physical access to sensitive information.
About the author: Amy Zimmerman is a security intern with the Farmington-based technology consulting firm ADNET Technologies.