Physical security should be part of your incident response plan


In their efforts to assure the best and strongest cybersecurity measures, I think many organizations need to get back to basics. To effectively mitigate the risks associated with the cyberthreats we face every day (phishing, malware, social engineering, tailgating, etc.), organizations rely on cybersecurity measures to protect their critical networks, systems, and data. But they also rely on physical security measures as a critical protection against intrusion. The goal of physical security is to prevent “hands-on” tampering, theft, or destruction of critical technologies, information systems, or data. If a criminal walks into your office and steals a box full of important client data, this constitutes a breach as surely as if it had happened over your networks. 

Physical security is too often seen as a category separate from cybersecurity, even though they both share the same objectives. A holistic approach to security requires that both of these areas be combined in organizational cyber policies, procedures, and incident response plans. Just as an organization should have practiced, well-documented measures in place for responding to a data breach, it should be well known what the procedure is for handling physical breaches of security.

The CIA triad

Information security is guided by the terms set forth in the CIA triad model: “In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people.” This model is used to help direct and articulate the tenets of an ideal information security program. Physical security aims to prevent disruption to organizational physical assets—especially assets relating to information systems—without limiting their operationality. These measures prevent misuse, damage, unauthorized access, and unauthorized removal from the primary physical location. 

Establishing physical security baselines requires a consistently updated and reviewed log of assets, as well as a mobile device management (MDM) solution that manages and tracks all portable devices. Other methods of physical security include barriers to personnel-only areas, card keys that limit access to information technology to relevant personnel (such as IT departments and upper management), and various detection devices. More sophisticated measures may also include behavior detection to actively seek out potential attackers, depending on the size of the organization and the assets in need of protection. 

Keep in mind that physical security issues are similar to cyber threats in that while your organization is trying to bar potential outsiders, it may be the insider threat that ultimately causes the damage. If a disgruntled employee gains access to the server room and inserts a thumb drive infected with malware, that is a breach of physical security as well as cybersecurity. Social engineering attacks can also be conducted in physical space and may facilitate unauthorized access. Limiting access controls is critical both in physical and cyberspace. Preventing “access creep” requires vigilance and frequent review, especially when employees are terminated. 

A question of mindset

In addition to established, centralized access control and identity management when it comes to authorizing employees to access information systems, integrating physical security and cybersecurity practices must entail a comprehensive and visible implementation method. This includes understanding that cybersecurity is a company-wide initiative that extends far beyond the IT department as well as using physical security to support these practices; thus, everyone needs to participate in ensuring the protection of systems, networks, and data. On the level of personnel, access controls are better managed with a combined approach (especially when a new employee is hired). As the Internet of Things allows remote access that extends far beyond the physical space of the office, security measures must take identity management into account. The physical security of third-party vendors should also be audited regularly.

Combining physical security and cybersecurity protocols is important. Physical security is often treated separately or overlooked altogether in creating an organization’s cyber posture; it deserves to be viewed as a foundational part of any security plan. Keeping track of, and improving upon, physical security measures should be part of standard security assessments. They can even be used to demonstrate to employees how easy it may be to enact social engineering attacks by taking advantage of physical vulnerabilities. Experts agree that holistic approaches to security are always stronger than a segmented protocol. Viewing physical security as an administrative responsibility and prioritizing cybersecurity measures leaves an organization vulnerable to myriad easily preventable attacks and intrusions. 

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.