Protecting yourself and your organization’s data requires a multifaceted strategy – one that’s layered with both logical and physical security controls to prevent loss of your assets and ensure the safety of your people.
On the physical security side of the equation, it takes more than a padlock and key to ensure top-level security for your on-premises assets and employees. A study by the Infosec Institute noted that companies need multiple layers in their overall physical access and security approach. These layers should include administrative (construction, site location), technical (CCTV, smart cards) and physical controls (intrusion alarms, perimeter security).
However, the study also notes that organizations often overlook tangible physical security. No firewall can stop someone from simply breaking into a data center and stealing hardware or obtaining sensitive data. Further, installing alarms or cameras without having a process to monitor and respond to security events ultimately won’t protect you from a security breach.
If you’re wondering about the strength of your physical security, use these three questions to assess your current situation. While these guidelines may not encompass all aspects of a physical security plan, they can help facilitate your strategic discussions about physical security.
Consider threats from both internal and external sources.
Multiple levels of authentication can help mitigate some threats. Your organization can invest in programmable key fobs that periodically change their access codes or biometric scanners for fingerprint and retina data. You could require soft tokens generated from employee mobile devices. The more levels of authentication required, the tighter your security becomes.
Consider whether specific areas of your building should have heightened controls or more stringent access restrictions.
While your system may be sufficient in the near term, what happens if you experience rapid expansion? There are many factors that could impact the design of your physical security controls, such as:
Business strategy and security can grow together, though it might take a shift in mindset. It’s important to assess risks early on when considering changes, so physical security measures can be integrated into the plan and implemented concurrently.
You might also consider a strategy of colocation – contracting with a managed hosting services organization to rent data center space. This is an outsourcing strategy that usually doesn’t require you to implement additional security controls yourself. The facility owner will generally cover many of the security costs and make reporting available so you can monitor how they’re protecting the space.
When entering into colocation agreements, make sure the service provider meets your performance and security needs and does not violate any contractual or regulatory obligations.
On at least an annual basis, review your physical security risk assessment to determine whether your existing controls are sufficient to mitigate risks. Consider creating or leveraging an existing physical security framework program with routine reviews on equipment, audit controls and access.
You could also include physical security controls in internal audit programs to confirm adequate operation. It’s not enough to implement systems, tools and processes to physically guard your organization. They must also be continuously monitored and updated to remain effective.
If you use systems and software specific to your physical security, treat them like any other important application in your environment. Restricted access and change management controls can help prevent an unauthorized configuration change that would allow a malicious actor to bypass your physical security.
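The point above about monitoring and change control applies to the access control system itself: badge-reader and configuration events are logs like any other and should feed a review process. The following is an added example, not code from the original article, showing what such a review can look like over a handful of constructed access control events. The log format, field names, business hours, zone labels and alert thresholds are all assumptions chosen for illustration; a real deployment would map them onto the export format and policy of its own system.

```python
"""Review physical access control system (PACS) events for conditions an
operations process should respond to: after-hours entry to a restricted zone,
a burst of denied badge reads at one door, and a configuration change that
carries no change-ticket reference.  The log format, field names and policy
values below are constructed for this example, not taken from any product."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy values (assumptions for the example).
BUSINESS_HOURS = (7, 19)                     # restricted entry allowed 07:00-18:59
RESTRICTED_ZONES = {"restricted"}
DENIED_BURST_COUNT = 3                       # this many denials ...
DENIED_BURST_WINDOW = timedelta(minutes=2)   # ... within this window, at one door


def parse_event(line):
    """Parse 'ISO-timestamp,EVENT_TYPE,key=value,...' (assumed export format)."""
    ts, etype, *fields = line.strip().split(",")
    event = {"ts": datetime.fromisoformat(ts), "type": etype}
    for field in fields:
        key, _, value = field.partition("=")   # split on the first '=' only
        event[key] = value
    return event


def detect(lines):
    """Return a list of (rule_name, detail) alerts for the given log lines."""
    alerts = []
    denials = defaultdict(deque)   # door -> timestamps of recent denied reads
    for event in (parse_event(l) for l in lines if l.strip()):
        ts, etype = event["ts"], event["type"]
        if etype == "BADGE_GRANTED" and event.get("zone") in RESTRICTED_ZONES:
            # Heightened controls for specific areas: restricted zones are
            # only expected to be entered during business hours.
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append(("after_hours_restricted_entry",
                               f"{event['badge']} entered {event['door']} "
                               f"at {ts.isoformat()}"))
        elif etype == "BADGE_DENIED":
            # Keep only denials at this door that fall inside the window, and
            # alert when the count reaches the threshold.
            recent = denials[event["door"]]
            recent.append(ts)
            while recent and ts - recent[0] > DENIED_BURST_WINDOW:
                recent.popleft()
            if len(recent) == DENIED_BURST_COUNT:
                alerts.append(("denied_burst",
                               f"{len(recent)} denials at {event['door']} "
                               f"within {DENIED_BURST_WINDOW}"))
        elif etype == "CONFIG_CHANGE" and not event.get("ticket"):
            # Change management: every configuration change to the access
            # control system must reference an approved change ticket.
            alerts.append(("unticketed_config_change",
                           f"{event['operator']} changed {event['setting']} "
                           f"at {ts.isoformat()}"))
    return alerts


# Constructed sample events, not real log data.
SAMPLE_LOG = """\
2024-03-04T08:02:11,BADGE_GRANTED,badge=B1042,door=LOBBY-1,zone=general
2024-03-04T08:05:40,BADGE_GRANTED,badge=B1042,door=DC-CAGE-3,zone=restricted
2024-03-04T23:41:09,BADGE_GRANTED,badge=B2210,door=DC-CAGE-3,zone=restricted
2024-03-04T23:42:01,BADGE_DENIED,badge=B0007,door=SERVER-ROOM-B
2024-03-04T23:42:30,BADGE_DENIED,badge=B0007,door=SERVER-ROOM-B
2024-03-04T23:43:12,BADGE_DENIED,badge=B0007,door=SERVER-ROOM-B
2024-03-04T23:50:00,CONFIG_CHANGE,operator=admin2,setting=door_schedule:DC-CAGE-3,ticket=CHG-4411
2024-03-05T01:15:33,CONFIG_CHANGE,operator=admin2,setting=door_schedule:DC-CAGE-3,ticket=
"""


def main():
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {detail}")


if __name__ == "__main__":
    main()
```

Run against the sample, the review flags the 23:41 restricted-zone entry, the three denied reads at SERVER-ROOM-B, and the second schedule change (which has an empty ticket reference) while letting the daytime entry and the ticketed change pass. Each alert is something a monitoring process has to act on; producing them is only useful if someone is assigned to respond, which is the point the article makes about alarms and cameras.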
Make sure critical assets are kept current with firmware updates. Ensure they have automatic backups that are ready to use in case of unforeseen losses.
Additional layers of physical security can help protect your people, assets and facilities from a malicious breach. Use the questions we’ve outlined in this article to start a broader discussion about the physical security of your organization. Also, ask yourself periodically if it’s time to improve security for your on-premises assets and employees.