IT is understandably focused on beefing up technical security to protect against hackers and other online threats. But there's another danger out there that many businesses are failing to guard against:
Physical security attacks, such as the theft of IT equipment.
Companies may be at an even greater risk of physical security attacks than hackers, since the value of the data plus the value of the equipment itself gives criminals a dual motivation. And many organizations that are focused on stopping sophisticated new hacking techniques may be leaving themselves open to equipment theft.
In addition to break-ins that might occur on the company's premises, employees also frequently leave the office with devices that contain sensitive data. If those devices are lost or stolen, that information can fall into the wrong hands.
As those physical security threats grow, many security experts are warning companies that they're as likely to be victimized by a physical theft as they are to fall prey to an electronic intrusion, according to a recent article in the .
Recent physical security breaches
A series of healthcare data breaches that occurred last year shows the danger of physical security attacks:
- A computer was stolen from a locked doctors' office at a California hospital. The PC contained sensitive information about more than 2,500 patients, including names, locations of service and medical record numbers, and possibly treatment histories, birth dates and Social Security numbers for some patients.
- A portable USB drive containing information about 14,000 patients was stolen in a break-in at the home of a hospital employee in Oregon. According to hospital officials, the employee was using the drive to transfer documents from one computer to another and accidentally took the device home in his briefcase.
- A doctor's personal laptop was stolen from a Massachusetts hospital after it was loaded with information about 3,900 patients. All computers owned by the hospital were encrypted, but the personal laptop wasn't.
- A laptop used by an employee of a contractor working with a Connecticut hospital was stolen during a home robbery. The machine was unencrypted and contained information about 10,000 patients.
- Six laptops were stolen from the main offices of an Illinois hospital, compromising the personal data of an undisclosed number of patients.
The Wall Street Journal also cites a recent example in which a Wal-Mart affiliate had to inform customers their data had been compromised and reset all user passwords after a computer was either misplaced or stolen from an office.
Here are some of the steps experts recommend to avoid data breaches caused by physical security threats:
1. Lock important doors
Of course, businesses have precautions in place to keep thieves from getting into the building. But adding locks for some rooms and storage cabinets will provide an extra layer of security in case of a malicious insider or if a criminal does get inside. That includes locking the server room and other areas that hold IT equipment.
That doesn't just mean installing the locks — businesses must make sure that staff members are actually using them.
2. Train staff on social engineering
Many businesses have tried to make employees aware of online social engineering attacks in which criminals use email or social networking sites to get people to hand over sensitive information or install malware on their computers.
But social engineering can be involved in a physical security attack, too — for example, if a criminal pretends to be an employee from a business partner to gain access to the building. Employees should also be trained to guard against those attacks.
3. Have policies against taking data home
In several of the examples above, IT equipment was stolen or lost after employees took it off the organization's premises. Companies can help avoid those situations by having rules against putting data on portable devices.
IT can help enforce those policies by disabling USB ports for users who don't need them, and by issuing encrypted storage drives to employees with a business need to make data portable.
4. Secure decommissioned equipment
In addition to devices in use by employees, criminals can find a lot of sensitive info on used hard drives that haven’t been properly wiped.
That's why a good physical security plan should include securely disposing of old IT equipment.
5. Secure workstations
It's possible for malicious insiders to copy data from their co-workers' machines while they're away from their desks. IT can set machines to require a password after an idle timeout, and create policies requiring users who work with sensitive data to lock their PCs whenever they step away.
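The endpoint controls from step 3 (blocking USB mass storage, encrypting the drive) and step 5 (forcing a password-protected lock after an idle timeout) can be checked and applied from an administrator's PowerShell session. The script below is an added example written for this page, not code from the original article; it assumes a Windows 10/11 workstation with the built-in BitLocker module and a TPM, uses the standard USBSTOR service key and the Windows screen-saver policy key, and treats the 600-second timeout as a placeholder value to be replaced with whatever your policy requires.

```powershell
# Added example, not from the original article: audit and optionally enforce
# the workstation controls described in steps 3 and 5.
# Assumptions: elevated PowerShell on Windows 10/11, BitLocker module present,
# a TPM available for the system drive. Timeout value is a placeholder.
#Requires -RunAsAdministrator

$UsbStorKey         = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$DesktopPolicyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$LockTimeoutSeconds = 600   # placeholder: set to the idle timeout your policy mandates

function Get-PhysicalControlStatus {
    # USB mass-storage class driver: Start = 4 is disabled, 3 is load-on-demand.
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start

    # Screen-lock policy values live as REG_SZ strings under the policy key.
    $desk    = Get-ItemProperty -Path $DesktopPolicyKey -ErrorAction SilentlyContinue
    $timeout = 0
    if ($desk -and $desk.ScreenSaveTimeOut) { $timeout = [int]$desk.ScreenSaveTimeOut }
    $lockEnforced = ($desk.ScreenSaveActive -eq '1') -and
                    ($desk.ScreenSaverIsSecure -eq '1') -and
                    ($timeout -gt 0) -and ($timeout -le $LockTimeoutSeconds)

    # BitLocker: ProtectionStatus is 'On' only when encryption is complete and keys are active.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UsbStorageDisabled   = ($usbStart -eq 4)
        ScreenLockEnforced   = [bool]$lockEnforced
        ScreenLockTimeoutSec = $timeout
        SystemDriveEncrypted = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On')
    }
}

function Set-PhysicalControls {
    $status = Get-PhysicalControlStatus

    if (-not $status.UsbStorageDisabled) {
        # Prevents the USB storage driver from loading for newly attached devices.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }

    if (-not $status.ScreenLockEnforced) {
        # Policy key may not exist yet; create it, then set the three lock values.
        New-Item -Path $DesktopPolicyKey -Force | Out-Null
        Set-ItemProperty -Path $DesktopPolicyKey -Name ScreenSaveActive    -Value '1' -Type String
        Set-ItemProperty -Path $DesktopPolicyKey -Name ScreenSaverIsSecure -Value '1' -Type String
        Set-ItemProperty -Path $DesktopPolicyKey -Name ScreenSaveTimeOut   -Value "$LockTimeoutSeconds" -Type String
    }

    if (-not $status.SystemDriveEncrypted) {
        # Escrow a recovery password first, then turn on TPM-bound encryption.
        # Back the recovery password up (AD or your key-escrow system) before
        # relying on it; an unescrowed key is a data-loss risk, not a control.
        Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
                         -TpmProtector -SkipHardwareTest | Out-Null
    }

    # Return the post-change state so the caller can log or alert on anything still open.
    Get-PhysicalControlStatus
}

# Usage: Get-PhysicalControlStatus   # read-only audit
#        Set-PhysicalControls        # apply the missing controls, then re-audit
```

Run `Get-PhysicalControlStatus` on its own for a read-only check; any property that comes back `$false` is a machine in the same state as the unencrypted laptops in the incidents above. The screen-lock values are written under HKCU, so they bind only the current user; for a fleet, push the same three values through Group Policy instead, and keep the USB exception list (the "users with a business need") small and reviewed.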