The Role That Physical Security Plays in Your Business’s Security System

Physical Security and Its Importance

What is Physical Security?

Physical security is typically thought of secondly when it comes to information security. Physical security has administrative and technical elements, so it is typically overlooked since many organizations focus on other security measures to prevent attempts at hacking. Hacking into network systems isn’t the only manner that important information can be stolen or used against a business. Physical security has to be implemented properly in order to stop attackers from getting physical access and taking whatever they want. Any firewall, cryptography or other security measures would be totally useless if that happened. 

The challenges of implementing physical security are a lot more problematic now than they used to be. Devices like laptops, USB drives, tablets, flash drives, and smartphones all store sensitive data that can be stolen or lost. Businesses have to try to safeguard equipment, data, people, facilities, systems, and company assets. The business could potentially face criminal or civil penalties for not using the right security controls. The objective of physical security is to safeguard information, equipment, personnel, IT infrastructure, facilities, and all other assets of the company. Strategies used to protect the company’s assets need to have more of a layered approach. It is more difficult for an attacker to obtain their objective when several layers need to be bypassed in order to access a resource.

Introduction

For organizations, physical security has become more and more difficult for businesses. Computer environments and technology now allow for more compromises to happen because of more vulnerabilities. Information is able to be stolen from USB hard drives, smartphones, laptops, and tablets due to mobile access and portability. Computers, when first invented were large, mainframe, and only used by a few people, left secured in locked rooms. Now, computers are everywhere you go. 

Typically in the form of a laptop, tablet, or smartphone; even a watch if you think about it. It has become tough to protect data, networks, and systems since people are able to take their computers out of the facilities. Sabotage, vandalism, accidents, fraud, and theft are driving up costs for businesses because the environments are becoming more dynamic and complex. As technology increases and becomes more complex with more vulnerabilities, physical security becomes more difficult to manage. 

The physical element of security is typically overlooked. Theft of hardware or vandalism could potentially take place when working with administrative and technical controls. Often, businesses focus on administrative and technical controls which causes breaches to not be discovered immediately. When people look at information security, they draw up how someone could possibly infiltrate the network by using unauthorized methods through wireless, software exploits, or open ports. Professionals in the Security industry with physical security in consideration are concerned by the physical entrance of a building or environment and the potential damages that they might cause. 

Examples of Some Threats Physical Security Protects Against

-Unauthorized access into areas 

-Theft of Mobile Devices 

Attackers are able to enter into secured areas by tailgating, hacking into access control smart cards, or breaking into doors. 

Examples of Threat Defenses 

-Physical Intrusion Detection Systems

-Alarm Systems

-Man Traps

Laptops, USB drives, and tablets are often targeted because of their portability. 

Examples of Control That Could Help Stop Theft

–Use of RFID Systems

-Cable Locks 

Physical security has to plan how to protect employee’s lives and facilities. Priority number one of physical security should be to ensure that everyone within the facility is safe. The second priority is to secure company assets and restore IT operations if an accident or natural disaster were to occur. 

Putting Together a Physical Security Plan 

In order to control the physical environment adequately, a plan must be in place. The business has to create a team that has to design a physical security program when planning for security. Then the physical security team should continuously improve the program using the “defense in depth” method. 

Defense in depth is a concept that is used in securing assets as well as protecting life through multiple layers of security. Say an attacker compromises one layer, he or she will still have to push through additional layers to take an asset. For example, let’s say you have a computer that an attacker wants access to. The computer is located inside a locked room within a building. The building has access control in place, and there is a fence with a security guard outside. If the adversary simply needed to climb the fence in order to get the data, then only one level of security is in place to stop someone from intruding.

If security guards are then added, then access control, this would make breaking in more challenging for the person trying to break in. Additionally, logging on to computers and servers should need a smart card or token in addition to a password or pin in order to access data. These types of security measures all working together equate to several layers of security. 

Physical Security Controls

Administrative, technical, and physical controls are resources managed and protected by physical security. Access control systems, auditing systems, and intrusion detection systems are examples of technical controls. A few examples of administrative controls are facility design, site location, building construction, emergency response, and employee controls. Physical control examples include kinds of building materials, perimeter security including fencing and locks and guards. The controls for securing the environment are deterrence, denial, detection, then delay. Attempts to gain physical resources should be averted through the use of fences, gates, and guards around the perimeter. 

Administrative Controls 

Facility and Site Considerations 

Every site should have automated controls put in place in order to protect the physical environment. The first line of defense has to be administrative, technical, and physical controls. The last line of defense hast to always be employees. Limiting people’s interaction with attackers reduces the risk of getting injured. These controls have to be at the very center when applying and sustaining physical security to protect individuals.

Facility Plans 

The facility plan uses critical path analysis which is an approach that systematically identifies relationships between operations, processes, and applications. An example would be a business web server that needs to access the internet, power, computer hardware, climate control, and storage location. 

Location Site

Geographical location, size, and price are factors that require a lot of thinking when purchasing a site location. Security should always be the biggest priority when choosing a location. Buying either a new facility or an existing location also has to be taken into consideration. Facility physical security involves much situational awareness. It’s important to consider looting, vandalism, riots, and break-ins. Some other things to consider are visibility, signs, or neighbors. Accessibility to the site is important. Considering road access, traffic, freeways, and airports are important specs. Building facilities susceptible to these accounts should be avoided. Areas prevalent in natural disasters aren’t ideal site locations. These threats can’t be avoided, however, because natural disasters are unpredictable. The IT staff, emergency personnel, management, and disaster recovery plans contained within your business continuity plan is the plan that lists the overarching details necessary to recover from a tragedy.  

Prior to constructing your site, building, IT infrastructure, system, or any other items, security requirements have to be understood. Some of the security issues that need extenuation planning include emergency evacuation, unauthorized entry, entry and exit direction, alarm usage, and conductivity. The methods and construction materials used to construct the facility need to meet or exceed safety measures and building codes. 

In different areas, wall design has to adhere to the minimum fire ratings required in different areas. The kind of combustible material that is used and reinforced for security obligations such as protecting server rooms or areas with critical IT equipment must have met code standards. The same principals apply to doors, and door design looks at the placement, how doors withstand forced entry, will it be monitored by the alarm system, direction the door opens, hinge durability, locks needed, and glass requirements.

Prevention of Environmental Crime

Crime Prevention Through Environmental Design (CPTED) tries to reduce crime by using facility construction, environmental elements, and procedures in order to change human behavior. The design model has gotten better due to necessity since crime types and surroundings have changed. For example, now more malicious people can pretend to be talking on their cell phone while conducting video surveillance. Predators can hack into wireless networks and create a denial of service attacks. CPTED is utilized in the development of neighborhoods, cities, and physical security programs. Lighting, landscaping, road placement, entrances, site layouts, and traffic circulation patterns are all tackled by CPTED.

Data Security 

Server rooms and data centers that house IT or communications equipment have to be off-limits to unauthorized people. Rooms have to be locked down to prevent attacks of any kind. The rooms should be protected and have limited access to those employees that need access for job responsibilities. The more human-incompatible the rooms are, the less likely attacks happen. 

Physical Controls

Physical access controls are necessary to control, monitor, and manage access. Building sections are categorized by restricted, private, or public. Other access control levels are needed to restrict zones that each employee might enter based on their role. Several mechanisms can be put in place to enable control and isolation access privileges in facilities.

Securing the Perimeter 

Having gates, fences, mantraps, and turnstiles pit in place outside of the facility create an extra layer of security before accessing the building. Fences are a clear boundary between private and public areas. Materials used for fences differ in strength and type. Protected assets change the necessary security levels of the fences. Different types of fences include electrically charged, barbed wire, heat, motion, or laser detection, concrete and painted strips on the ground

RFID and Proximity Readers 

Access control systems utilize proximity sensors to scan cards and determine if it has authorized access to enter the facility or not. Access control systems are very useful. They evaluate permissions stored in the chip sent via radio frequency identification (RFID). This technology utilizes transmitters (sending) and responders (receiving).

CCTV and Intrusion Detection 

If the equipment is relocated without any approval, intrusion detection systems (IDSs) can monitor and alert of unauthorized entries. IDSs are absolutely essential to security since the systems can send out a warning if something specific happens or if access was attempted at a strange time. 

Closed-circuit television or surveillance systems use cameras and recording equipment to provide protection visually. Where cameras monitor, having light in the correct areas is integral. It may be too dim for the camera to capture decent video needed to prosecute or identify a person of interest without the right amount of light. Cameras can be a fixed lens (not movable) or a zoom lens (adjustable). 

Auditing Physical Access 

Auditing physical access control systems require the use of audit trails and logs to find where and when someone gained false entry into the facility or tried to break-in. The kind of software and auditing tools are detectives, not preventative. Monitoring consistently is important.

Life and Environmental Safety 

Protecting human life is the most important part of physical security. Physical Security has to be taken seriously in facilities. To prevent injuries to employees and protect basic environmental elements at a site location should be the first thing on everyone’s list in a physical security program.

Privacy and Legal Requirements

Your business should always address employee safety in its security policy. Businesses must abide by laws and regulations that control the industry and jurisdiction. The company should practice due diligence to protect lives, always. If it is not enforced by organizations, civil and criminal lawsuits could potentially be filed.

Protection of Privacy 

Personal identifiable information (PII) are specific details about individuals that include: name, social security number, phone number, address, age, religion, and race. Financial, medical and criminal records are also considered PII info. Businesses have a legal obligation to protect any PII information and shouldn’t be taken without consent or for company profit.  

Legal Requirements 

All businesses have imposed legal requirements. Jurisdictions and industries choose the basic foundations of which organizations are responsible. HR and legal departments are required to ensure that the company is always abiding by laws and regulations. This includes safety guidelines, hiring limitations, classified information handling and software license use. Remaining compliant is absolutely key in sustaining a physical security plan. 

Overall, physical security depends on planning in order to be able to protect your business and it’s unique needs. How you determine to prioritize how your business’s resources are spent is by collecting data and collecting key physical security performance indicators. Physical security, while not always the first thought when thinking of security, most businesses generally focus on the technical aspects of security.