When IT pros hear “security,” they most likely think about protecting data from cyberattacks. But it’s also important to pay attention to the physical security of sensitive information.
That was the message in a presentation given by security experts Rafal Los and Shane MacDougall at the recent Black Hat Europe conference in Amsterdam.
Security can be breached in a lot of ways, the presenters said. That includes hacking attacks and electronic thefts of data, of course, but also the physical theft of IT equipment from the office or even the homes of some employees and executives.
Too many organizations put so much focus on preventing the latest sophisticated hacking techniques that they neglect to protect against equipment theft and other physical attacks.
Los and MacDougall recommend companies take physical security into account when conducting risk assessments. IT departments should make a comprehensive list of where sensitive data is held, including both physical and network locations, as well as the various ways that information could be stolen.
Here’s a checklist of some important physical security precautions IT departments should make sure they’re taking:
1. Lock the server room – In most companies, the server room door is already equipped with a decent lock — but it’s up to the IT manager to make sure that staffers are actually using it.
2. Secure decommissioned equipment – Criminals can find a lot of sensitive info on used hard drives that haven’t been properly wiped. A good physical security plan should include securely disposing of old IT equipment.
3. Make sure vulnerable devices are locked up as well – In addition to the server room, vulnerable access points, such as network hubs, may be located elsewhere. Move those into the locked server room, or keep them in a locked closet or other secure area.
4. Secure workstations – It’s possible for malicious insiders to copy data from their co-workers’ machines while they’re away from their desks. IT can set machines to require a password after a time out, and create policies requiring users who work with sensitive data to lock PCs while they’re away.
5. Lock up portable devices – Many employees use their laptops as their primary desk computers. For those who don’t take the machines home at night, consider supplying them with a cable lock to attach them securely to their desks.
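Item 4 above says IT can require a password after a time out; the script below is an added example (not from the presenters) that audits a Windows workstation for that setting and can enforce it. It assumes the standard Windows policy registry locations and a 10-minute idle limit; run it as an administrator when remediating, since the machine-wide key lives under HKLM.

```powershell
# Added example: audit (and optionally enforce) lock-on-inactivity on a Windows PC.
# The 600-second threshold is an assumption; adjust $MaxIdleSeconds to local policy.
param([switch]$Remediate, [int]$MaxIdleSeconds = 600)

$UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Per-user screen saver policy (REG_SZ values) plus the machine-wide inactivity
# limit, which backs "Interactive logon: Machine inactivity limit" (REG_DWORD).
$checks = @(
    @{ Path=$UserPolicy;    Name='ScreenSaveActive';      Expected='1';             Type='String' }
    @{ Path=$UserPolicy;    Name='ScreenSaverIsSecure';   Expected='1';             Type='String' }
    @{ Path=$UserPolicy;    Name='ScreenSaveTimeOut';     Expected="$MaxIdleSeconds"; Type='String' }
    @{ Path=$MachinePolicy; Name='InactivityTimeoutSecs'; Expected=$MaxIdleSeconds; Type='DWord' }
)

$failures = 0
foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Name
    if ($c.Name -match 'TimeOut|Secs') {
        # A timeout is compliant when it is set, non-zero, and no longer than the limit.
        $ok = ($null -ne $actual) -and ([int]$actual -gt 0) -and ([int]$actual -le $MaxIdleSeconds)
    } else {
        $ok = ("$actual" -eq "$($c.Expected)")
    }
    $state = if ($ok) { 'OK  ' } else { $failures++; 'FAIL' }
    Write-Output ("{0} {1,-22} actual={2} expected={3}" -f $state, $c.Name, $actual, $c.Expected)

    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected `
            -PropertyType $c.Type -Force | Out-Null
        Write-Output ("     -> set {0} = {1}" -f $c.Name, $c.Expected)
    }
}

if ($failures -eq 0) { Write-Output 'Workstation locks after inactivity: compliant.' }
else { Write-Output "$failures setting(s) non-compliant." }
```

In a domain, the same four values are normally pushed by Group Policy; this script is useful for spot-checking individual machines or standalone PCs that the GPO does not reach.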