Physical Security IS Data Security
Our COO, David Bitton, wrote an article this month titled “Physical Security IS Data Security” for the trade publication LP (Loss Prevention) Magazine. Digital security is (or should be) firmly within the domain of those who have the education and qualification, but that doesn’t mean “physical security” should be relegated to the bottom of the list. David looks at some areas where data security becomes both a digital and physical effort.
According to the online technology dictionary Techopedia.com, “data security” is defined as the “protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites.” Note the qualifier word, “digital”.
Data security is characterized in the second part of the Techopedia definition as an element of information technology: “data security is an essential aspect of IT for organizations of every size and type.”
This emphasis on tech/digital/IT when it comes to data security comes as no surprise, and it isn’t really erroneous, not in the modern era, where cyber attacks on a global scale regularly hobble military organizations, governments, and universities; even the public power grid has been attacked by hackers. Private companies that experience data breaches lose millions, and when and if they do emerge intact, their reputations are damaged, often beyond repair.
Clearly, digital security is (or should be) firmly within the domain of those who have the education and qualification, but that doesn’t mean “physical security” should be relegated to the bottom of the list. With that in mind, here are the most prominent areas where data security becomes a digital and physical effort.
The Data Center
The “data center” can take the form of a large basement room filled with rack-mount equipment or a small closet in the back of the store with servers and routers placed on the shelves. In any case, it needs to be securely locked, with access restricted. Card-based entry, key codes and even biometrics with an authentication system for audit trails may make sense for some operations. There’s an old saying: the best lock in the world is useless if it’s not used. Strong, unambiguous, and vigorously enforced security policies around access to server rooms are crucial.
Anyone with physical access to the servers, routers, cables and other equipment is capable of doing enormous damage, such as in 2006 when a burglar broke into an insurance company’s offices and stole a server, laptops and other items; the server contained personal information, including social security numbers of over 900,000 people. The thief was arrested some time later, after he tried to extort the insurance company.
When work-issued laptops and phones are stolen, it usually happens outside of the office, and there are a number of methods (both preventative and reactive) for remotely protecting the data and network access.
However, the physical protection of devices that haven’t been stolen is a whole different story. Think of a laptop, tablet, or even a desktop workstation as it sits in a typical retail, restaurant or warehouse back-office environment. It doesn’t have to be a mobile device; any computer that stores data and has network access is a target.
Even printers are a risk factor, since many have on-device memory that stores versions of documents that were printed out.
Hackers can use social engineering tactics to overcome security measures and gain access to office areas. Once a malicious hacker with intent to steal data has gained entry to the premises, they will most likely find plenty of opportunity, given the prevalence of unsecured personal computing devices around a typical work area.
Armed with nothing but a thumb drive, a hacker can compromise a laptop in minutes. They don’t even have to actually steal the laptop. Work-issued devices can be chock-full of the latest in anti-virus software and the strongest customized firewalls and data security controls, mostly intended to stop attacks that come via email, web browsing, or careless WiFi use. But the data inside is still vulnerable—if not properly secured physically.
The key to mitigating this particular risk is deterrence via surveillance. CCTV integrated into the security system acts as a deterrent: people will think twice about tampering with a device if a surveillance camera is visible and in use. From a forensic standpoint, the footage will serve as evidence and help in an investigation and prosecution.
Video surveillance should cover more than the point of sale, cash rooms and inventory. Equipment is now inexpensive enough that a camera should be installed everywhere an entry point exists and, as noted previously, around data centers and router closets.
In today’s dynamic data security landscape, current and emerging threats constantly challenge businesses and organizations; at the same time, new and powerful technologies emerge to counter these threats. LP and security personnel need to broaden their focus beyond digital and into the physical to address all data vulnerabilities.
LP Magazine is a high-quality, contemporary magazine dedicated to providing in-depth, timely articles of high interest to loss prevention professionals, security and retail management.