Many businesses spend vast amounts of time and money — and rightly so —focused on firewalls and encryption software to protect their IT systems and data. However, physical security is often overlooked in the debate over cybersecurity. It can be just as crucial, though, especially for small businesses that do not have as many resources as larger firms to devote to security personnel and tools.
Physical security helps companies protect assets, including IT infrastructure and servers, that make their businesses run and that store sensitive and critical data. Physical security encompasses measures and tools like gates, alarms and video surveillance cameras, but also includes another central element: an organization’s personnel. Crucially, business and IT leaders need to foster a culture of security in addition to investing in technology to protect the organization, according to security experts.
The Department of Homeland Security and the National Cyber Security Alliance (NCSA), a public-private partnership, have for the past 13 years been using October to annually mark National Cyber Security Awareness Month. The second week is focused on what organizations can do to create a culture of cybersecurity in the workplace.
Here are some strategies small businesses can follow to enhance physical security and make sure their data and IT infrastructure remains secure.
An organization’s employees are its first line of defense, according to Malcolm Harkins, a security industry veteran and chief security and trust officer at Cylance, a cybersecurity firm focused on proactive defense.
Harkins says that companies should start improving their security “by building security awareness and instilling a culture of commitment by creating a great place to work.”
“If you do this, your employees are less likely to get disgruntled and will, in turn, not want to harm the company,” he wrote in an op-ed piece for CBS Boston. “Train employees on security awareness, such as locking and encrypting their systems, choosing safe passwords and only sharing confidential information with those who need to know.”
In addition to having a staff member in a building’s lobby monitoring who gets access to a company’s offices, security technology expert Robert Covington, the founder and president of togoCIO, writes in Computerworld that “systems requiring a proximity card for entry are now quite common, and with good reason.”
Such systems are important and should be used more than they are, he says, because they “provide tight granularity of access control for individual doors and a detailed audit trail.”
Yet, as Covington notes, badges or badge data can be stolen by thieves or malicious actors. Ralph Goldman, a security industry veteran and lead writer for the Lock Blog, tells CIO that wireless communication technology is now enabling businesses to deploy “smart locks” that can let firms add barriers to doors and unlock the doors remotely via wireless protocols.
Covington notes that video surveillance cameras “are very inexpensive today, and yet they can do double duty, not only detecting possible threats in progress, but allowing for forensic review of incidents. What a bargain!”
Surprisingly, he says, few companies use them — and many that do ignore them. “Cameras should be installed at all entry points to a facility, and in key areas such as data centers and telecom closets,” he says. “The video should be recorded and retained, with a live monitor placed on the desk of someone who can keep an eye on it.”
Despite all of these measures, intrusion detection systems and alarms are also key elements of physical security. “Monitored alarms will help to drive away intruders – and ensure that staff or the police will be on their way if the alarm persists,” SmallBusiness.co.uk notes. “Consult a registered alarm specialist to find, install and maintain the ideal system for you.”
Covington notes that many small offices often share a common wall with other tenants in multitenant buildings. “You don't have to watch many home improvement shows to realize just how easy it is to get through drywall,” he says. “You need an intrusion system, and you need one supporting unique codes for each individual for audit trail purposes.”
For many small businesses, their data center is a server or rack of servers in a closet or small room. Guarding and monitoring access to that physical space is essential to maintaining data security — and potentially the operations of the business if the servers are tampered with or destroyed.
“Security gates can be installed in a doorway in order to prevent access to the server room. These gates are easy to use and can be opened completely, providing unrestricted access to the room when needed,” notes Quantum Security Gates, a security gate vendor. “However, their strong construction and secure locks keep intruders out when they are locked.”
Physical security gates can also provide ventilation to server rooms — an advantage over a locked door. Gates can also be installed behind a locked door, Quantum notes.
“Some companies do not consider securing their server rooms due to cost concerns. This is not a smart strategy,” reports Quantum. “While installing security gates does come with a cost, this cost pales in comparison to the tremendous cost that could occur if the server room is broken into. Also, the potential hassles of replacing the information, programs and down time to operate your business.”
Quantum notes that some employees may not have the security clearance required to access the server room. In addition to workers, there are often visitors, clients and other people walking through offices.
“Protecting your server room from these people is important,” the firm adds. “It’s also important to remember that, in many office break-ins, criminals look for electronics and confidential information first. Therefore, it’s a good idea to not label your server room as such and, of course, to ensure that it’s protected by physical security gates.”