Physical Security

Physical security is equally important as online security in protecting your computers, mobile devices, business and employees against crime and certain other issues. This page covers physically protecting your equipment and data not only from theft, but also from accidental loss, fire, flood and accidental damage. 

The risks

Computer/Mobile Device and Data Theft

If your computers, servers, tablets and smartphones are not suitably physically protected, you will make it easier for criminals to not only steal the devices themselves, but to access and steal the data contained on them – or which can be accessed by them. You will also be leaving them open for infection with various kinds of malware – without the criminal needing online access. In spite of the sophisticated online methods now used by criminals, it is still easier to access your systems and data by physically doing so on your premises, or taking your devices.

If your business premises, home offices or other sites where computer equipment is kept are not adequately secured, the way is left open for criminals to gain access by breaking in.

Criminals also often masquerade as suppliers – for example an IT engineer or utility company representative. It does not take long for criminals to achieve their objectives once you or a colleague have been tricked or distracted. This is a kind of social engineering.

You can find more information on keeping mobile devices safe here.

Physical Damage

Like everything else in a business, computing and communications devices and infrastructures are vulnerable to damage from fire, flood and accidental damage. You should take every precaution to protect them against such eventualities, have a business continuity plan in place, back up all of your data off site and ensure you have adequate business insurance to cover physical losses.

Keep your devices safe

  • Keep doors and windows locked.
  • Keep sensitive hard copy records locked away if possible.
  • Fit an intruder alarm, with unique codes for each employee.
  • Fit bars or shutters to vulnerable windows.
  • Use CCTV to deter intruders and record incidences of criminal activity.
  • Consider using computer locking cables on individual desktop machines and laptops.
  • Keep a fire extinguisher suitable for use with electrical equipment, near your computer.
  • Take care how you dispose of packaging that might advertise that you have new equipment.
  • Consult with your insurance company or local crime prevention officer for additional security advice.

Visitors to your business:

  • Be vigilant about granting access to any visitors, and escort them where appropriate.
  • Vet contractors and support personnel.
  • Restrict access to sensitive areas, such as server rooms or HR records.
  • Encourage staff to challenge unescorted strangers in secure areas.

Additional advice for laptop, tablet & smartphone users

  • Employees should keep mobile devices with them at all times. When unattended – for example in a hotel room or meeting room – they should keep them hidden or physically locked away. They should also be carried in hand baggage on an aircraft or coach.
  • Laptops, tablets and smartphones should never be left on a vehicle seat. Even when the driver is in the vehicle, their device could be vulnerable when stationary (for example, whilst parking or at traffic lights).
  • Employees with tablets and smartphones should do their best not to have them on display when out and about owing to the increasing trend of snatch robberies, sometimes involving physical violence.
  • Ensure your employees use padded bags to carry their laptops and, where feasible, tablets. Many laptops are broken simply by dropping them.

Servers & IT infrastructure

  • Keep servers and network equipment in a locked room and control access to it.
  • Server and networking racks and cabinets can also be protected by individual locks.
  • Disable unused network ports.
  • Locate equipment to minimise risks from fire, flooding and theft.
  • Keep a fire extinguisher suitable for use with electrical equipment, near your IT equipment.

Hard copy records

  • Use lockable filing cabinets.
  • Maintain a strict shredding policy.
  • Have a ‘clear-desk’ policy so that employees lock up sensitive papers when they are not working on them.
  • Encourage users to pick up their documents from printers, faxes, photocopiers and multi-functional devices promptly. Where available, use the secure print feature.

Stolen or lost equipment

  • If you learn that passwords have been stored in a document on a stolen or lost PC or laptop, or the ‘remember this password’ box has been ticked on a website, ensure any passwords are changed as soon as possible after the theft or loss.
  • Notify the police and obtain a crime or loss reference number for tracking and insurance purposes.

Limit the impact of a theft or loss

  • Make a note of all IT equipment serial numbers to enable reporting if stolen.
  • Security mark computers and other high-value items.
  • Keep printed photographic records of all equipment and lock them away safely.
  • Never store passwords on computers.
  • Ensure computer equipment is adequately insured.
  • Back up data (see Backups for more information).

More Information

www.securityforum.org

See Also...