Imagine someone walking into your corporate office, heading to the nearest computer and plugging in a USB flash drive. Five minutes later, that stranger leaves, along with vast amounts of your organization's most sensitive data in their pocket. Sound like a scene from a movie? It could be, but it also happens in real life.
While cybersecurity threats continue to plague IT departments the world over, organizations in Houston, Texas, and Edinburgh, Scotland, found that economic espionage, facilitated by ineffective physical security, is a very real threat, reports Stratfor. To underscore the size of the problem, the FBI launched a campaign to educate organizations on the dangers of economic espionage, specifically the theft of trade secrets.
Physical Security Is Often Neglected
In the rush to adopt robust cybersecurity programs that rely heavily on IT-specific controls, many firms overlook the importance of physical security. Since criminals look for the path of least resistance to commit a crime, when organizations fail to control access to their office environment, they present a tempting target. While criminals risk the chance of being caught when they enter an organization's physical location, they can avoid detection by employing a number tools and tricks such as wearing a corporate uniform, memorizing a watertight cover story, stealing a valid business ID or using a homemade one.
When Does It Make Sense to Invest in Physical Security?
So while a remote server remains safe from an online attack, with a weak physical security program in place, it's easily accessible from within the organization's offices. Given that finance often faces unrelenting pressure to approve increases in the amount of resources invested in cybersecurity, when does it make sense to redirect attention and invest in physical security?
Here are four questions your organization can ask to determine the effectiveness of its physical security program and whether it deserves an investment.
1. How would a criminal gain access to our office, and what type of damage could they cause?
It's a simple question, but all too often, organizations find gaping holes in their perimeter that remain hidden in plain sight, meaning that no one sees the problem until it's exploited. In addition to stealing data, your organization may face threats from disgruntled former employees intent on sabotage, political activists that disagree with your firm's mission and values or petty criminals in the market for anything they can steal and sell. Understanding the magnitude of the threat can help inform future investment decisions.
2. How do we screen visitors to our office?
While some businesses rely exclusively on building security guards to screen visitors, others depend on a receptionist to capture a visitor's name, business and purpose for the visit. Some businesses require that visitors to their offices produce a government-issued identity and wear an identity tag that displays their photograph. While it's important to balance the need for security with a friendly, welcoming environment, it's possible to screen visitors and do so without alienating them in the process — especially today when most people understand the importance of security. If the screening process appears insufficient, consider adopting technology to better vet visitors.
3. Do employees understand the importance of physical security?
Increasingly, businesses use some form of technology such as card access to prevent unauthorized access, or in some cases, fingerprint and iris scans. However, as a common courtesy, employees may hold secure doors open for others, albeit strangers, allowing them to bypass security and gain access to the organization's facility. Educate employees on why access control exists and how they might inadvertently expose the organization to risk by granting strangers access. Further, consider the benefits of deploying closed-circuit television (CCTV) at entrance and exit points. If a crime takes place, CCTV footage can help track the perpetrator and support subsequent court proceedings.
4. Where does our most sensitive data reside, and who has access to it?
Your organization's intellectual property, in particular its trade secrets, which the World Intellectual Property Organization defines as "any confidential business information which provides an enterprise a competitive edge," deserve special attention. Who has access to your organization's trade secrets? If a stranger or employee, for that matter, attempted to steal them, how would you know? Bottom line: If you can access sensitive data quickly and easily, so can your employees, and potentially, unauthorized third parties.
Using "Red Teams" to Uncover Gaps in Physical Security
Some organizations go as far as engaging a third party to test the effectiveness of their physical security using "red teams." First conceived in the government sector, a red team conducts a covert operation to breach an organization's physical security and report back on their findings.
Regardless of the means employed to test the effectiveness of your firm's physical security, the longer a weakness exists, the greater the probability that someone will exploit it. In today's environment, preventing an attack on your organization's data requires securing doors online and in real life.
Stay up-to-date on the latest human capital management insights for finance leaders: subscribe to our monthly e-newsletter.
To learn more about protecting your organization's information, visit ADP's Trust Center.