In the not-so-distant past, data security involved keeping paper files under lock and key or ensuring physical servers were inaccessible to anyone without the proper security clearance. As data moved to the cloud, security solutions evolved from security guards, cameras, and padlocks to endpoint detection and response software, advanced email protection, and SIEM, with physical security taking a backseat to cybersecurity. However, the two are deeply intertwined and strategies for both must be in place to protect your data effectively.
Cyberattacks tend to be complex, with bad actors using multiple strategies to break in, move around your environment, and extract data. These attack vectors may involve a combination of physical and digital attacks, which is why cybersecurity programs need to be comprehensive to be effective. If you lock all the doors, but leave a window open, the burglar will still get in. Too often, physical security is an afterthought for companies and that gap becomes an open window that allows bad actors — or disgruntled employees — to get in.
Here’s why companies need to include physical security measures as part of their overall security strategy.
Though many companies have minimized their physical footprint in recent years, every company still has one. This can include obvious physical spaces like offices, warehouses, manufacturing plants, and distribution centers, as well as all the devices within, including printers, copiers, manufacturing equipment, smart TVs, security cameras, and IoT devices. Some companies in highly regulated industries will even have on-premises data centers and servers that need protection or employee keycards that grant them access to secure areas.
But even fully remote companies without office space, equipment, and servers have a physical footprint. If any employee — or more likely, every employee — is using at least one physical device to access digitally stored data, that device is part of your physical footprint. Company-distributed and personal laptops, mobile devices, and hard drives that are connected to a company’s network are all access points to your data. Even USBs, which many organizations have banned, can cause significant damage if they get into the wrong hands. A compromise to any of these access points can lead to a data breach, stolen intellectual property, espionage, or ransomware attacks. Without a physical security plan in place, you are leaving yourself open to attack.
When you think of physical security threats, you may be picturing a bandit in a knit cap tiptoeing into your office at night to steal documents or plug a USB into your server. While this image sounds dated, it remains a real threat for some companies. For others, physical attacks look a little different and involve social engineering, stumbling upon an abandoned laptop at a coffee house, or exfiltrating data after a bad performance review. Here are a few examples of how a criminal might use your physical devices or space to break into your digital environment.
Every cyberattack begins with a bad actor breaking into your environment without authorization. While some attacks start by exploiting a known vulnerability or sending a phishing email, others start with a bad actor entering your physical space or physically handling a device. For instance, tailgating occurs when a bad actor follows an employee into an office space and piggybacks off their keycard. In some cases, attackers enter an office with a stolen or compromised keycard or key code. Others pose as repair persons or delivery personnel, and some attacks simply start with breaking and entering. Regardless of how a criminal enters your space, once they are in, they have access to computers, phones, servers, IoT devices, printers, and any other connected devices in your space that might allow them to access your data.
Many physical breaches are crimes of convenience, wherein a criminal finds and steals a device for a quick profit. While devices are expensive to replace, theft also opens the door for data theft if the original criminal or the person they sell the device to uses it to hack into your environment. For instance, in May of 2018, a laptop was stolen from a locked vehicle in Ottawa that contained the personal health information of 33,661 Canadians, including patients’ names, birthdays, and medical history.
Other robberies—such as stealing laptops, phones, paper documents, USBs, hard drives, or larger office devices—are more intentional with someone swiping the physical equipment to break into your digital environment more easily.
Unfortunately, some of the most common types of physical attacks are insider threats. The 2023 Insider Threat Report from Cybersecurity Insiders found that 74% of organizations say insider attacks have become more frequent. Disgruntled employees, contractors, or even business partners who have access to company data and systems can easily exfiltrate sensitive information or intellectual property to sell for a profit or use to disrupt operations at your company.
In May 2023, two former Tesla employees shared confidential company information with a German news outlet that included the personal data of almost 76,000 current and former employees. Before that, in 2022, a former research scientist at Yahoo stole the company’s intellectual property after receiving a job offer from a competitor.
Companies need to ensure devices, spaces, and networks are properly secured and monitored for this type of activity, and keycards are turned off as soon as employees have been terminated.
Finally, some bad actors load up USBs with malicious code and enter office spaces to drop the USB on an unsuspecting employee’s desk. When the employee plugs in the USB, the bad actor gains access to the device and connected network.
Whether it’s via a USB, a stolen device, or an office device, once bad actors enter your environment, they can launch any number of cyberattacks, including:
Physical devices and spaces are a threat to your company because they open you to attack. But there’s another very good reason to protect them. Regulations like HIPAA, GDPR, CCPA, CMMC, and more require organizations to have a documented strategy for securing physical assets as well as documentation on how they’ve implemented said strategy. Companies that don’t comply with these regulations could face hefty fines, negative publicity, and serious investigations, which only increase the impact of a breach.
Some of these requirements are more robust than others and there is crossover among various standards, but they require thought and effort to implement and therefore need to be considered in your cybersecurity strategy. Fortunately, because physical data security standards have been in place much longer than security standards for things like cloud storage, they have also been tested and refined over time, so they are effective and can potentially be easier to implement as guidance is much clearer.
For all these reasons and more, it’s important to incorporate physical security into your overall cybersecurity strategy. Companies need visibility and detection tools. They must also implement appropriate identity and access management protocols for both their physical and digital spaces. This includes the use of security cameras, digital passcodes, and key card readers, as well as restricting access to buildings, floors, or rooms where sensitive data is stored. Without implementing the appropriate physical security measures, businesses open themselves to fines, negative publicity, and costly data breaches.
To learn more about how to develop a more comprehensive cybersecurity strategy, contact the experts at SolCyber, the first-of-its-kind outsourced security partner. With our 24/7 detection and response services and Foundational Coverage, businesses can ensure their physical and digital environments are protected against threats. Reach out today.
By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.
