Many organizational computer security policies include instructions for employees to never leave their computers unattended, or to make sure they are locked before walking away. When unplanned emergencies arise, possibly due to earthquakes, fires, active shooter scenarios, or even rioters, focus quickly shifts to personal safety, and workspace security is usually an afterthought.
As we consider the lessons learned from recent events that have been covered extensively in the news media, now is the time to assess your environment. How secure are your physical assets from unwelcome physical intruders?
I am a certified Cybersecurity Professional with CampusGuard, and some of our Social Engineering engagements involve methods of gaining access to buildings and workspaces in order to identify and exploit physical security risks. Based on our extensive experience, here are a few suggestions on how you can implement additional physical security into your workplace.
1. Badge and verify. Every employee should have a badge identifying who they are and what they have physical access to. When visitors come into the building, they should be verified and have a visitor badge and escort, no matter who they say they are or how hurried they are. Commonly used techniques include pretending to be a maintenance worker or someone giving a surprise inspection. The intruder may provide convincing information and mention all the right names, but don’t let them hurry you into making a quick decision. Verify through the proper channels.
Control how your employees get in and out of the building. Each employee should have to “badge in.” Revolving turnstile security doors, which only allow one person at a time, are a great way to limit tailgating (a technique where a person follows in behind you), but make sure there are plenty of egress routes in case of emergencies. When such emergencies arise and a building is being evacuated, consider designating safety officers to be posted near each exit to monitor the flow of traffic out and to ensure people are not trying to use that way to re-enter the building.
2. Securing equipment. Laptop security locks are a simple way to secure personal equipment from being taken. To restrict unwanted devices from connecting to your network, enable port restrictions and detection of rogue devices. Also, ensure that sensitive systems are secured behind locked, reinforced doors with limited access. Most importantly, make sure your organization has an accurate asset tracking system. You won’t be able to identify what’s missing if you never knew you had it in the first place.
3. Securing data. Locking your system when stepping away will limit malicious users from accessing your personal files. Account lockouts should be enforced by your IT management through a Group Policy Object (GPO). Modern operating systems can employ settings to lock your computer when you step away by setting up a connection between your mobile device and computer. The computer will lock once your device is out of Bluetooth range. There are also certain proximity cards that can do the same thing. Enforce multi-factor authentication utilizing a user name and password along with something you know, have, or are, and make sure highly sensitive data is encrypted with limited access.
Following these few tips will help limit possible breaches but will not completely stop them. Always make sure you have an incident response plan in place for when they do occur. And take the time to test the incident response plan at least annually. As the quote attributed to Benjamin Franklin states: “If you fail to plan, you are planning to fail.”
Here’s some feedback from the Manager of our RedLens InfoSec team:
CW: David has pointed out some good points to help shore up physical security in the workplace. Should an intruder get past your defenses, it may be pretty noticeable if a computer was missing, or other equipment has been stolen. But what about things that intruders leave behind? Do you have detections in place that would notify you that a rogue system was placed on the network by someone that bypassed your physical security controls? Could you detect a key logger? Are your employees trained to never plug a USB drive in that they find on a desk? When the RedLens InfoSec team performs physical security assessments, it’s normally not a case of IF we gain access, but WHEN we gain physical access to the workplace. Keeping us or a malicious intruder out is obviously the first goal, but have contingency plans and detection capabilities should your controls fail at any given point.
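The rogue-device detection and asset tracking recommended in tip 2, and the question above about noticing a system someone leaves on the network, can be tied together by reconciling what a switch sees against the asset inventory. The following is an added example, not code from CampusGuard or the RedLens team; the inventory, the "VLAN MAC TYPE PORT" table layout, and all MAC addresses, asset tags and port names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed asset inventory (assumption): MAC -> (asset tag, expected switch port).
INVENTORY = {
    "00:11:22:33:44:55": ("LAPTOP-0142", "Gi1/0/3"),
    "00:11:22:33:44:66": ("PRINTER-007", "Gi1/0/7"),
    "00:11:22:33:44:77": ("DESKTOP-0310", "Gi1/0/9"),
}
# Constructed switch MAC table snapshot; "VLAN MAC TYPE PORT" layout is an assumption.
MAC_TABLE = """\
10  0011.2233.4455     DYNAMIC  Gi1/0/3
10  0011.2233.4466     DYNAMIC  Gi1/0/7
10  0011.2233.4477     DYNAMIC  Gi1/0/12
10  de:ad:be:ef:00:01  DYNAMIC  Gi1/0/7
"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for dotted, dashed or colon notation, else None."""
    digits = re.sub(r"[.:-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Yield (mac, port) for each well-formed row; headers and junk are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit() and normalize_mac(fields[1]):
            yield normalize_mac(fields[1]), fields[3]

def find_rogue_devices(table_text, inventory):
    """Reconcile what the switch sees against what the asset inventory expects."""
    findings, macs_on_port = [], defaultdict(set)
    for mac, port in parse_mac_table(table_text):
        macs_on_port[port].add(mac)
        if mac not in inventory:
            findings.append(("unknown_device", mac, port))
        elif inventory[mac][1] != port:
            findings.append(("moved_asset", mac, port))
    # Several MACs on one access port can mean a hub or small switch was attached.
    for port, macs in sorted(macs_on_port.items()):
        if len(macs) > 1:
            findings.append(("multiple_macs", ",".join(sorted(macs)), port))
    return findings

if __name__ == "__main__":
    for finding in find_rogue_devices(MAC_TABLE, INVENTORY):
        print(finding)
```

A check like this is only as good as the inventory behind it, which is why accurate asset tracking comes first.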
If you would like an evaluation of your security posture, CampusGuard would be more than happy to help. Our customers have come to rely on their dedicated CampusGuard team to provide reliable, accurate, and timely support for all their cybersecurity needs. Please contact us to learn more.