The presence of physical security in the form of gates and guards offers false hope to companies looking to protect their sensitive data. An effective security posture requires much more than physical security and/or legacy preventative controls such as firewalls and antivirus solutions. It does demand these things, but it also requires ongoing vigilance and executive-level buy-in to create a mature security culture across people, process, and technology functions.
While we tend to think about physical security as barriers, perimeter fencing, visitor registration, or a uniformed patrol, there is much more to it than that. Unlike highly technical solutions, these controls are low-cost and high-impact, and they should be backed by the development, publication, and enforcement of strong policies and procedures covering their use. Some of these controls are:
USB and Removable Media: Because of their low cost, portability (read: easy concealability!), and the fact that no configuration is typically required, USB sticks and removable media are a significant risk to digital assets. This is why the Software Engineering Institute at Carnegie Mellon University identified these devices as one of the most common methods of data exfiltration in its analysis of insider theft of intellectual property from organizations.
Mobile Devices: Some call them telephones. Security professionals like us call them highly ubiquitous, high-resolution cameras that just happen to be telephones. Either way, your organization may want to consider implementing policy controls that prohibit the use of mobile devices in sensitive areas to prevent photography of sensitive corporate information, locations, processes, and people.
Clean Desk Policies: “Need-to-know” policies are important both for employees and for third-party vendors with access to your organization. Never leave confidential data lying around and available to passersby, especially if you outsource key services after hours.
Clean Whiteboard Policies: Same as above, but with an emphasis on preventing the unauthorized disclosure of formulas, privacy data, and other sensitive information that might be located on whiteboards in places such as research & development labs and executive conference rooms.
Printer or Fax Machine: Usually considered an afterthought by most clients during the delivery of our holistic assessment, simply ensuring that sensitive data is removed from a printer or fax machine tray can reduce inadvertent disclosure or, worse yet, a crime of opportunity by a potential insider threat acting deliberately.
Shred: We all have office shred machines. But do we use them? When in doubt, shred it out!
File Cabinets and Desks: Basic requirements for staff to lock cabinets and office doors are an added layer of protection in defending your data from theft.
Even if you put additional physical security policies in place, do your employees understand why they should honor them? Educating your team on what constitutes “valuable,” as well as the tactics that may be used to pilfer data, can be a proactive step in fortifying your enterprise against IP and trade secret theft. Sound security measures focusing on access control and monitoring at the perimeter are ultimately futile if they ignore the need for parallel controls on the inside to keep data safe.