Many of the precautions businesses need to protect their data involve sophisticated, high-tech safeguards, such as antivirus software or virtual disaster recovery solutions. While these are important, it’s also critical that businesses don’t forget the actual, physical security of the devices and infrastructure that store and transmit their data. While not as sexy as high-tech safeguards, these low-tech precautions are essential components of any business’s cybersecurity strategy.
1. Door Locks
When you think of a data breach, it’s likely that you picture nefarious hacker types stealing data through technical ingenuity. But someone walking into an office and stealing, say, a laptop that contains customer information, constitutes a data breach as well—an event that’s much more costly than the value of the stolen hardware. Locks on office doors should always be utilized—especially when the offices contain hardware storing sensitive data. The main office door should remain locked when no one is present. And employees should transport devices securely in the trunk of their cars, and refrain from leaving devices visible within the cabin of the car.
2. Separate Room for Key Hardware
On a related note, it’s best for key infrastructure hardware, such as servers, switches, and firewalls, to remain locked in a separate room, such as a server closet. The reason for this is that while these devices, if implemented correctly, are well equipped to repel any digital attack, they are not automatically set up to repel a physical attack. A criminal with minimal technical know-how could extract data from a server or disable a firewall, if they gain physical access to the equipment. This is why critical technical infrastructure devices should be kept in a separate room under lock and key, and the number of individuals with access to the key should be limited.
3. Don’t Leave Devices Unattended
This tip is both harder to follow and more important than many might believe. We helped with a case where, on a normal workday, a front desk employee left a laptop unattended briefly—and a thief walked into the office and stole it. Thankfully, safeguards were in place to wipe the laptop remotely, keeping any data out of the thief’s hands. Still, an even better safeguard is to make sure that portable devices like laptops remain under supervision or locked away at all times.
4. Think About Screens
If you have staff who interact with sensitive data on their computer screens regularly, it’s important to think through how visible those screens are to unauthorized parties – such as customers or other visitors in the office. If the staff member in question has her own office and her screen is facing away from the door, the risk of data breach is low. However, if a staff member works in, say, a reception area, the risk might be high. This is a particular issue for medical practices, whose reception staff often deal with protected health information (PHI) and thus can be in breach of HIPAA if passersby can see the information on their monitor screens. In these cases, organizations can invest in privacy screens for these computers. A privacy screen is placed over a monitor so that its contents are visible only to someone looking directly at the screen and appear dark to anyone viewing it at an angle.
5. Employee Training
This one ends up in practically all of our lists of tips for cybersecurity – for good reason. Your company could have all the latest technical safeguards against cyberattack and still be at high risk with untrained employees who don’t know, say, how to spot fraudulent emails. It’s also important that organizations train staff on physical security, especially if they have a BYOD (bring your own device) policy in place. Employees need training on how to keep the devices they are using to access company data from ending up in the wrong hands.
Again, with all the necessary effort that goes into putting high-tech safeguards in place, it can be easy to forget physical security measures. A comprehensive cybersecurity strategy, though, includes these decidedly low-tech considerations. Have questions, or want an assessment of your technology’s physical security? Contact us today.