Data breaches and other incidents that give criminals unauthorized access to sensitive or proprietary information are a major problem for businesses of all sizes.
Thieves and other unscrupulous individuals illegally acquire private information and sell it to others or mine it for data they can use to set up fraudulent accounts or facilitate other crimes.
Companies without cybersecurity protection that have their sensitive information stolen commonly assume it was a cybercrime committed by hacking into computers over the internet.
However, in many cases, lack of proper physical security was the weak link in the chain leading to the data breach. Having security features like CCTV cameras and keycard access can go a long way toward preventing physical security breaches.
Mitigating Data Breaches Using Effective Physical Security
There are several ways thieves and criminal organizations can exploit weaknesses in physical security to illegally gain access to private information and documents.
Often the loss, theft or improper handling of physical documents or electronic devices on which important information is stored is related to problems with physical security.
There are four common issues that typically lead to physical data breaches:
- Social engineering risks
- Theft of portable devices containing sensitive data
- Break-ins at a physical business location
- Improper disposal of items containing sensitive information
To reduce or eliminate data breaches, companies need to understand and address the problems related to each of these four areas.
Understanding And Addressing Social Engineering Risks
Social engineering is the use of tricks and deceitful methods to manipulate employees and other people with legitimate access to your company’s information.
Social engineers use charm and manipulation to exploit your staff’s kindness and eagerness to please in order to gain unauthorized access to buildings and restricted areas.
Simple gestures such as being courteous enough to hold an entrance door open for someone rushing to get in can enable thieves to enter private property. And oftentimes, once someone breaches the threshold between public and private areas, they are rarely confronted as it’s assumed they belong.
Taking Advantage Of People’s Good Nature
Criminals targeting businesses know most people are generally friendly, kind and courteous.
They take advantage of that to get the information and access they need to steal data, ideas, documents, files or portable technology on which they are stored.
Good-naturedly swiping card keys to give ‘temps’ access to key areas and sharing passwords so they can log on and use computers and other office equipment seems like the right thing to do. But criminals use social engineering like this to manipulate staff and steal, compromise and destroy key items, data and systems.
Protecting Against Social Engineering Attacks
There is no shortage of ways criminals can socially engineer their way into your company. Common examples of social engineering attacks criminals launch include:
Phishing is one of the most common social engineering attacks you may encounter. Attackers will create fake websites or emails that are made to look and sound legitimate to the victim in an effort to extract sensitive information or credentials that the attacker will then use to further attack your business.
With impersonation, attackers pose as someone who would typically have a legitimate reason to access your facility. Common impersonations are repairmen or vendors who are typically seen at many businesses.
Employees often let their guard down at the first sight of an official-looking uniform or badge. But these items are easily procured or recreated.
Tailgating is when a person will follow behind someone at a controlled access point who has proper authority. A tailgater will typically feign urgency or carry something to imply they can’t reach their credentials, playing on the desire of legitimate employees to be helpful to their peers.
Training To Deal With Social Engineering Attacks
To strengthen their security posture and reduce exposure to social engineering attacks, individuals and companies can protect themselves by investing in awareness and training for preventing social engineering attacks.
Becoming aware of potential social engineering attacks is step one for improving a facility’s physical security. Effective training in social engineering awareness can help prevent falling victim to it.
Learning how to strengthen one’s security posture through interactive training courses, simulated testing and teaching actionable steps for recognizing exposure to potential social engineering attacks and how to stop them should become part of the business culture.
Theft Of Portable Devices Containing Sensitive Data
Another way criminals gain access to private information is through stealing portable devices on which the data is stored, like laptops, phones, or portable storage drives.
Thieves sometimes get past guards by using social engineering. Once in the facility, they can steal unattended laptops or other portable devices containing sensitive information.
Often these thefts take place when criminals enter a facility using stolen credentials or get through access-controlled entrances by tailgating and slipping in behind employees.
Improving Physical Security
Once cyber criminals enter your facility, protecting your data becomes more difficult. They can easily gain access to your network, steal and use your data, ransom it back, or corrupt your systems and prevent them from working properly.
To prevent this, companies should follow some simple guidelines:
- Security personnel shouldn’t let visitors into the facility without confirming they have an appointment or legitimate reason to be there. Never be afraid to verify.
- Never leave visitors unattended on your property.
- Report anyone in the facility you don’t recognize to security or ask to see their visitor’s pass.
- Never leave confidential or sensitive documents out in the open and visible to prying eyes.
- Always lock your computer screen when leaving your desk.
Strengthen The Physical Security/Cybersecurity Connection
Putting policies in place to strengthen the physical security/cybersecurity connection and training staff to follow them effectively is vital for preventing thieves from gaining physical access to confidential documents. Some helpful policies include:
- Require all employees and contractors to lock their file cabinets and desks.
- Prevent unauthorized access to facilities and areas where sensitive documents are kept.
- Create and enforce a ‘Clean Desk’ policy.
- Reinforce that securing and protecting paper documents is as important as protecting electronic records.
- Give temporary employees or contractors access to only the files and areas they need to do their jobs.
- Automate restrictions on what information can be accessed or printed from certain devices.
- Have employees and contractors secure any document containing sensitive information and never leave it in public spaces.
Break-Ins To Physical Locations
Proper physical security policies and training can dramatically improve the security of sensitive information.
A facility’s first line of defense is protecting each entrance using the best possible physical security methods for preventing unauthorized access. Utilizing security cameras and modern access control systems is a basic first step to properly securing your business.
Security entrances can be used with or without guards to control access to a facility.
They are available in a wide variety of designs.
They include waist-high and full-height electronic gates and turnstiles, revolving doors, emergency doors, optical turnstiles, high-security portals and mantraps, and other types of access control systems employing the latest facial recognition and biometric technologies.
Making Physical Break-Ins More Difficult
Technologically advanced security entrances make it difficult for even sophisticated criminals to break in.
Physical security is crucial for cybersecurity. It is typically handled by professionals with law enforcement backgrounds and expertise in maintaining facilities’ physical safety using locks, security cameras, guards and alarms. Good, constantly upgraded physical security is essential.
As cybercriminals become better able to take advantage of any vulnerability, companies must put more thought and resources into physical security.
Results Of Weak Physical Security
Weak physical security allows break-ins by criminals who can access your proprietary intellectual property and use it for corporate espionage, steal from your business, disrupt and damage your systems and cause data breaches.
Breaking into facilities and directly accessing your network is a way for criminals to get around cybersecurity best practices like strong firewalls. They can then steal data, plant malware to bypass network security measures later, and compromise critical infrastructure.
Improper Disposal Of Items Containing Sensitive Information
Cybercriminals who sneak into your facilities can get access to your most sensitive, confidential data by taking advantage of employees’ improper disposal of items containing sensitive data.
In the healthcare sector, mishandling and loss of electronic devices and paper documents with confidential data is responsible for over 70% of data breaches.
Seeing personnel and customer information in unlocked cabinets, stealing unsecured sensitive documents, and slipping into unattended rooms to connect to your network and steal confidential data and passwords are all easy when employees aren’t careful.
Improper Sensitive Document Handling And Disposal
A major risk of exposing sensitive documents arises when companies don’t have proper procedures in place for disposing of them. Lack of education and weak paper document disposal policies often cause data breaches in many companies.
Almost 80% of healthcare managers have accidentally sent emails containing confidential information to the wrong parties and about 70% of them don’t think their company can properly govern paper document use, protection, and disposal.
That’s scary in an industry reliant on recording patient data on paper documents.
No Stealth Or Sophistication Necessary
With employees so careless with confidential information, cyber criminals don’t need stealth or sophisticated skills to find important documents.
Documents are often left unattended in printing trays or discarded without proper destruction. In the UK, the National Health Service simply dumped their patient records in the town center.
In a recent survey, only 45% of people said their organization disposes of sensitive paper documents safely. Plus, only 46% worked for companies that teach employees proper document disposal methods and only 36% of healthcare managers shred confidential documents after reviewing them.
Some Simple, Effective Solutions
Intentional or not, employee negligence is a leading cause of data breaches. Organizations can reduce the risk of physical break-ins leading to data breaches if they invest some time and money to train employees to safely handle and dispose of important documents. Balancing cybersecurity needs with the need for physical document security can yield better, more effective data security solutions. Installing access controls at entrances, proper employee training, and document control and destruction procedures can greatly reduce your chances of someone compromising your physical security.