Here at Staebler, we've talked before about cyber security and the importance of locking down your digital assets. Off-site backups, encryption, and password/access hygiene are all important digital elements of a strong cyber security plan. Today though, we're going to take a step back and think about cyber security in a more concrete sense. Concrete as in physical.
How does physical security intersect with cyber security?
When you think about cyber security, it's easy to focus on the digital, on all of those invaluable 1s and 0s that make up your business. But every bit of data has a physical end point somewhere. It has to be stored on a server, available on a readable device somewhere, transferred between those points, and so on.
Take this blog. It's a collection of 1s and 0s like everything else on the internet, but more than likely you're reading it on a phone or PC (unless maybe you're psychically manifesting it somehow, which while flattering, seems like a bit of a waste of such talents). Let's say someone wanted to snoop on what you were reading right now, there are several different ways they could do it. They could run intrusive programs to get into your PC, look at your history, log your keystrokes to discover what you've searched, they could try and piggyback on your IP, or maybe run a man-in-the-middle attack on your WIFI and intercept the data.
Or, they could look over your shoulder.
This is the part that is easy to overlook when you think about cyber security. Your network is only as secure as your weakest point, and it's very possible that weakest point is a physical location or liability. When you're protecting your data, you have to think about every potential point of entry.
Unfortunately, the most common weak points when it comes to physical data security are simple human foibles. The absolute classic being the lost, or poorly secured, phone.
We all live and die by our cell phones these days, and if you work in a professional setting it's almost a guarantee you use your phone for work. Depending on what you do and how you use your phone, this could mean all kinds of liability. From a simple shakedown of your contact list (used to score internal numbers, identify targets, impersonate people with credentials and build more convincing frauds) to your email account that contains sensitive information (uh oh), you probably have something vulnerable on your phone. A lost phone can even be a great opportunity for an attacker to assume your identity. Think like a con man or fraudster trying to find a wedge to pry into a business – it doesn't get much better than being able to access internal mail or even send off a few quick messages under a trusted name (yours). One misplaced phone can do a lot of damage.
Of course this can be prevented with reasonable password or biometric protection. If the idle screen on your phone is secured with a password lock or thumbprint, all the data on it will remain encrypted and useless. But only if you have that protection activated! This is where those good old human foibles get us again. Many of us understand the value of phone security, but don't enjoy the extra hassle of having to input a 5 digit pass code or press our thumb up against a pad for two seconds just to respond to a quick text.
Or let's think about the office: Let's say you've done your homework and your IT department is on the ball. They've implemented a number of measures designed to beef up security, including mandatory password locks on all work PCs and accounts. They've even gone the extra distance of insisting on strong passwords with multiple characters and a mix of letters, upper/lowercase text, and numbers.
All of that is fantastic... right up to the point where your employees start placing post-it notes with passwords on their PCs because they're too complicated to remember. Then it's open season.
Think it can't happen to your business? Do you remember the Hawaii false missile alert in January that led thousands to mistakenly believe they were about to become the victims of a nuclear blast? To say the whole affair was an embarrassment for the Hawaii Emergency Management Agency is an understatement, but, if you can believe it, things only got worse when they attempted a little damage control. In an effort to explain how the mistake happened, the agency posted photos of their working environment and systems, including a look at their monitoring station with a login and password reminder stuck in plain view to the monitor. Not a great look! Things got even worse when internet sleuths broke down the picture for other goofs, such as a readable and easy to replicate security pass, internal email addresses visible on a monitor, and more.
If a major agency already on the back-heel of a disaster can stumble into so many security blunders at once, chances are we all can. All it takes is the slightest bit of thoughtlessness to expose your system security, no matter how carefully you've protected the digital end of things. Think of it like installing a heavy duty steel door in a dry wall home. Yes, the door is really secure and nobody is getting in that way, but that dry wall is one good boot away from becoming an open pathway!
So if most physical security flaws are the result of human error, what can we do about them? Well, we can shore up the most obvious weak points.
Secure the physical location of your computers. Think about the way your office or business is set up. Are there any computers that are publicly accessible? A front desk that is frequently empty? An office that is accessible from a rarely used secondary entrance? Even if these PCs are password protected, they should not be left exposed. If tech savvy thieves can install a debit card skimmer in a fully staffed gas station in mere seconds, what do you think they can do with an unmonitored PC? No sensitive information should be left in a place that is frequently unattended or publicly accessible.
Educate your staff on the importance of smart cyber security. Make sure they are aware of the risks of transporting sensitive information on their phones, laptops, or USB drives. A little training on common security risks, social engineering cons, and general awareness can go a long way to preventing the most obvious, and easy to commit, mistakes.
The same goes for remote employees who travel frequently. Make sure they are taking security seriously in their own homes and keeping their systems safe. For staff that need to travel with a laptop, consider supplying a company laptop set up by the IT department to include password protection and anti-theft apps. This way you have at least some assurance that your business' valuable information won't just be in the wind of that laptop is left in an airport or misplaced on the subway.
These are good first steps, but you'll definitely want to expand on them. As with every kind of security though, there are no guaranteed ways to fully insulate you from every kind of threat. But you can tilt the odds in your favour. One way to do that is with a cyber liability insurance policy that will help protect your business in the unfortunate scenario of a data breech. Depending on the type of policy you choose, this protection can include things like the cost of notifying customers of the situation, investigating how the breech occurred, legal liability for lost data, and crisis management – a huge help when you need it the most. Obviously it's better if you can avoid exposure altogether, but with cyber liability insurance, you at least have a last line of defence you can depend on.
Start thinking ahead now and anticipate the ways that cyber and physical security will overlap for your business in the future. The better you plan today, the more secure your tomorrow will be.