General security

The importance of physical security in the workplace

Hashim Shaikh
May 9, 2018 by
Hashim Shaikh

Physical security in detail

Protecting important data, confidential information, networks, software, equipment, facilities, company's assets, and personnel is what physical security is about. There are two factors by which the security can be affected. First attack by nature like a flood, fire, power fluctuation, etc. Though the information will not be misused, it is very hard to retrieve it and may cause permanent loss of data. Second is attack by the malicious party, which includes terrorism, vandalism, and theft. All the organization faces different kinds of physical security threats.

Physical security is very important, but it is usually overlooked by most organizations. It is necessary if you do not want anyone to snatch away your information or destroy it, in case of natural calamity. The reason could be anything, the attacker doing it for personal gain, financial gain, for seeking revenge or you were the vulnerable target available. If this security is not maintained properly, all the safety measures will be useless once the attacker gets through by gaining physical access. Though physical security is proving to be challenging than previous decades as there are more sensitive devices available (like USB drives, laptops, smartphones, tablets, etc.) that enables the stealing of data easy and smooth.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

As mentioned before there are fewer measures used for physical security and no one pays heed to it as attention is mostly on technology-oriented security. This slip-up gives the attacker a chance to exploit data or open ports. They scheme plans of penetrating the network through unauthorized means. Though there are internal threats too, for example, employees that have access to all the areas of the company can steal the assets with ease.

Physical security encouraged by PCI to be implemented in the workplace

PCI (Payment Card Industry) is a security standard which is created to make sure that all the organizations and companies that deals with any cardholder data have secured environment. PCI requirements for physical security are very simple, but it still takes loads of efforts. PCI have 12 requirements for compliance.

  • Install and maintain firewall configuration that provides security for assets of cardholder data. Protecting and securing the stored data.
  • Do no use default vendor passwords and another parameter of security.
  • Encrypt transmission of cardholder data across open networks.
  • Use anti-virus and frequently update their programs to remove any malicious software that can threaten the security of cardholder data environment.
  • Secure systems and applications should be developed and maintained.
  • Access to cardholder data or physical cardholder data is restricted.
  • Those with access should have assigned unique user ID.
  • Track and supervise network access.
  • Regular testing of security systems and processes should take place.
  • A policy must be maintained that addresses information security for all personnel.
  • Use of cameras to monitor vulnerable areas. Classification of media is required to protect sensitive data.
  • Sensitive Authentication Data must be secured.

Physical security encouraged by ISO to be implemented in the workplace

ISO (Information Organization for Standardization) is a code of information security to practice. It consists of several numbers of sections that covers a large range of security issues.

Risk treatment and assessment copes with the fundamentals of security risk analysis. Maintain an organized infrastructure to control how the company implements information security. Assets management includes proper protection of organizational assets and making sure that information is rightly secured. Personnel security management- It is ensuring suitable jobs for employees, contractors, third parties and also preventing them from misusing information processing facilities. The organization should use perimeters and barriers to protect secure areas. Entry controls should give access to authorized people only to important areas. Secure areas should be designed to be able to withstand a natural disaster. Supervise the use of delivery and loading areas and make sure it is carefully carried out in holding areas. Safeguard the equipment and protect it from hazards. Power supplies and cable should be secured. Ensure safe access to information and property.

Advantages of physical security

However, there are many facilities provided for physical security with a good amount of advantages. First is perimeter security that includes mantrap, fences, electric fences, gates and turnstile. Safe locks with keys that are hard to duplicate. Badges are necessary for verifying the identity of any employee. Set up the surveillance and at places that won't expose it or let the attacker tamper with it. Safeguard any vulnerable device and protect the portables. Secure the backups in a safe place where access is not easily gained. In case of explosion, fire or electric-complications, correct control method should be used that might help in saving some of the important things in the workplace. Strong setup may stay adamant and lowers the loss of the majority of assets, data, and equipment.

The great advantage is that criminals or attackers have to bypass through many layers of security to gain their objective. As a result, it gets harder for them to accomplish their mission. There are many methods and equipment that is difficult to scale by an intruder, has a low budget to set it and reduces security threat.

List of things that help to maintain a good and strong physical security

  • Intrusion detector
  • CCTV, smart cards
  • Fire extinguisher
  • Guards
  • Suppression systems
  • Intrusion alarm
  • Motion detectors
  • Physical access
  • Chain link fence
  • RFID tags
  • Barbed wire and much more.

Access control (AC) are accessible to multiple operators; it includes authorization, access approval, multiple identity verifications, authentication, and audit.

Disadvantages

Though there are some loopholes. Some of the methods might harm or injure animals and intruder. The protective fences may get jumped over by the attacker. Validity can be compromised in authentication or by Access control (CA). Smart cards or keys can be stolen and make it easier for the hacker just to find your misplaced USB and have his way with your computer. Today's security systems and installations are highly complex and leave the users to figure out on their own for how to operate it.

There are new updates and development plans in security technology every year, so changing and keeping up with the new tech can be tiring. The thing is there are many available facilities, but employees rarely know how to use it, for example, fire extinguisher are found at every corner of the organization, but there are not many workers that know how to handle it. Each employee in the workplace usually has access cards, but the problem arises when the card is blocked. Sometimes the installations of CCTV cameras are in places that capture bathroom or private areas and hinder the privacy of any employee.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Final thoughts

A company needs administrative, technical, and physical control to run their organization smoothly. Administrative controls include construction, site location, emergency response and technical controls include CCTV, smart cards for access, guards while physical controls consist of intrusion alarms, perimeter security.

Physical security's main objective is to protect the assets and facilities of the organization. So the foremost responsibility of physical security is to safeguard employees since they are an important asset to the company. Their safety is the first priority followed by securing the facilities.

Physical security is usually overlooked when it comes to security. Most companies tend to take care of technical and administrative aspects of security. All the firewalls, intrusion detector system, cryptography, and other security measures would be useless if someone were able to break in and steal the assets or important data.

Hashim Shaikh
Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Possessing a both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: http://justpentest.blogspot.in and his LinkedIn Profile here: https://in.linkedin.com/in/hashim-shaikh-oscp-45b90a48