Mention cybersecurity and immediate thoughts turn to technical controls such as firewalls, endpoint detection and patching systems. While these and other technical controls certainly are necessary, they must work in tandem with administrative and physical controls in order to form a mature risk mitigation program. This month, we will explore some of the physical aspects of cyber risk management, which inherently relies upon on-site security personnel and employee training for proper execution.
Locked and Loaded
Your computers are loaded with corporate secrets and personal data. They should also be locked. There is a lot more to this concept than having employees “lock” their screens when they are away from their desks. Companies and individuals have a responsibility to implement physical controls to protect IT assets against intentional theft or destruction. Doing so involves both traditional controls that apply to the corporation as a whole, such as deploying perimeter security around office buildings, to more specific controls that focus on the actual computers, peripherals and storage media. Examples of cyber-specific considerations include implementing restricted space controls for telecommunications and network equipment rooms. These can range from requiring escorted access with logged keypads, to installing security cameras, to using interior hinged doors. Employee workstations also can be protected by using case locks to prevent the theft of hard drives, and cable locks to prevent laptops from walking. Removable media, such as backup drives and thumb drives, as well as mobile devices, should be locked in drawers or safes when not in use.
Businesses also should consider the wide range of people outside of the company who might have unfettered access to corporate computers. Think twice before allowing guests to sit in an empty office with a computer. Think three times before allowing an outside cleaning crew unescorted access throughout your company at night.
Lost and Found
A large number of physical computer incidents are not based on intentional theft, but instead result from unintentional loss. Consider the Fortune 50 company that decided to physically store some of its computer tapes at a third-party secure, remote location. The tapes at issue (numbering around 130) contained the personal information of roughly half a million of the company’s former and current employees. The storage facility hired a transportation company to get the tapes but, unfortunately, the box never arrived at its final destination. Instead, the tapes literally fell out of the back of the van. The good news is the tapes were found. The bad news is that nobody knows who found them, and the tapes were never returned. The worse news is that this single event led to over $6 million in mitigation expenses.
Out of Control
Reconsider your actions if you are about to place a laptop in checked airline baggage, if you plan to leave your laptop in a foreign hotel room safe (yes, they have the key!), or if you keep a thumb drive in your car’s glove compartment. A couple of years ago, a dermatologist’s office was fined $150,000 after an unencrypted thumb drive containing patient information was stolen from an employee’s car. Similarly, selling or donating used computers, printers and photocopiers could result in a significant loss of sensitive data. A single mistake in end-of-life disposal practices can lead to big problems.
One Man’s Trash
Of course, the concept of data security extends well beyond protecting digital media. Plenty of printers and copy machines are working overtime to produce hard copies of sensitive data. Some of these items are left sitting in the printer tray too long and mysteriously vanish. At other times, documents are abandoned and essentially tossed onto the street for anybody and everybody to take. The term “dumpster diving” refers to the fact that individuals actually do go through garbage bins. A small pharmacy recently paid a $125,000 fine and had to submit a corrective action plan to the federal government after it threw documents containing protected health information into a dumpster.
We have all heard the expression “possession is nine-tenths of the law.” Well, possession may be nine-tenths of physical cybersecurity too. Networks and information must be physically guarded commensurate with their value and, in some cases, are subject to additional legal requirements. Still, theft and losses inevitably will occur. As a result, I would be remiss if I didn’t add that regardless of your physical controls, it is always best to ensure that sensitive data is encrypted and that essential back-ups are maintained securely offsite. Physical, administrative and technical controls only work when they work together.