More than locks and keys: Physical security considerations

If you’re still using padlocks and keys to secure your sensitive hardware, ask yourself if it’s time to add additional layers to your system.

Tags: Fraud protection, Risk mitigation, Cybersecurity
Published: August 09, 2018

Protecting yourself and your organization’s data requires a multifaceted strategy – one that’s layered with both logical and physical security controls to prevent loss of your assets and ensure the safety of your people.

On the physical security side of the equation, it takes more than a padlock and key to ensure top-level security for your on-premises assets and employees. A study by the Infosec Institute noted that companies need multiple layers in their overall physical access and security approach. These layers should include administrative (construction, site location), technical (CCTV, smart cards) and physical controls (intrusion alarms, perimeter security).

However, the study also notes that organizations often overlook tangible physical security. No firewall can stop someone from simply breaking into a data center and stealing hardware or obtaining sensitive data. Further, installing alarms or cameras without having a process to monitor and respond to security events ultimately won’t protect you from a security breach.

If you’re wondering about the strength of your physical security, use these three questions to assess your current situation. While these guidelines may not encompass all aspects of a physical security plan, they can help facilitate your strategic discussions about physical security.


1. Is my organization protected against threats by malicious actors?

Consider threats from both internal and external sources.

  • Internal: Bad faith employees and on-site contractors can use their existing authorizations to inappropriately access sensitive data.
  • External: Visitors or guests could take any number of dangerous actions, from stealing a keycard or standard key from an employee, piggybacking through a secure door, breaking in after hours or creating fake badges. These are only some of the actions you want to guard against.

Multiple levels of authentication can help mitigate some threats. Your organization can invest in programmable key fobs that periodically change their access codes or biometric scanners for fingerprint and retina data. You could require soft tokens generated from employee mobile devices. The more levels of authentication required, the tighter your security becomes.

Consider whether specific areas of your building should have heightened controls or more stringent access restrictions.

  • Evaluate the risks presented by unauthorized access to an area containing inventory, manufacturing, intellectual property, central servers and other key assets to your organization.
  • Ensure you have a documented list of those with access to different buildings, floors or rooms. Have a process in place for keeping the list updated.
  • Train employees to understand the importance of keeping their area secure. Each employee has a role to play in preventing physical access breaches and responding in an organized and timely manner.

2. Is my current physical security system scalable if my business grows?

While your system may be sufficient in the near term, what happens if you experience rapid expansion? There are many factors that could impact the design of your physical security controls, such as:

  • Opening a new data center
  • Hiring more employees
  • Moving operations to a new, or additional location
  • Entering a new business or industry
  • Adhering to changing regulatory obligations

Business strategy and security can grow together, though it might take a shift in mindset. It’s important to assess risks early on when considering changes, so physical security measures can be integrated into the plan and implemented concurrently.

You might also consider a strategy of colocation – collaborating with a managed hosting services organization to rent out data center space. This is an outsourcing strategy that usually doesn’t require incremental security control implementation. The facility owner will generally cover many of the security costs, and have reporting available so you can monitor how they’re protecting the space.

When entering into colocation agreements, make sure the service provider meets your performance and security needs and does not violate any contractual or regulatory obligations.


3. Does my security system receive regular updates and audits?

On at least an annual basis, review your physical security risk assessment to determine whether your existing controls are sufficient to mitigate risks. Consider creating or leveraging an existing physical security framework program with routine reviews on equipment, audit controls and access.

You could also include physical security controls in internal audit programs to confirm adequate operation. It’s not enough to implement systems, tools and processes to physically guard your organization. They must also be continuously monitored and updated to remain effective.

If you use systems and software specific to your physical security, treat it similarly to other important applications in your environment. Restricted access and change management controls can help prevent an unauthorized configuration change that would allow a malicious actor to bypass your physical security.

Make sure critical assets are up-to-date with system firmware updates. Ensure they contain automatic backups that are ready to use in case of unforeseen losses.


A physical security analysis is not a one-time event

Additional layers of physical security can help protect your people, assets and facilities from a malicious breach. Use the questions we’ve outlined in this article to start a broader discussion about the physical security of your organization. Also, ask yourself periodically if it’s time to improve security for your on-premises assets and employees.


©2018 U.S. Bank. Member FDIC.