How physical security augments cybersecurity and closes the circle
Every smart business integrates physical security with cybersecurity for a robust overall security program. Many regulations require it, but it also makes good business sense.
Elements of Physical Security
Just as there are numerous aspects of cybersecurity and information security, there are also many physical components that comprise physical security, whether in an enterprise or a small to mid-size business environment.
Security cameras have become commonplace, not only along the external perimeters of office and warehouse buildings, but also inside the buildings. Depending on the scale of the organization, a security guard or team may monitor the cameras. In other cases, digital or tape recordings are generated, to be reviewed in the event of suspicious activity or a security breach.
Door locks, both exterior and interior, are also elements of physical security. Policy may require that certain doors be kept locked, accessible only by key. Similarly, electronic badge access systems are an important component of physical security at some organizations. Badges may be required to gain entry to certain parts of the building, or to all parts, depending on the extent of controlled access areas within the building. Badges may be required for entrance through exterior doors as well as interior doors.
Garages may require employee passes or badges for entry and exit, and guest or visitor access may be controlled in similar fashion.
Some organizations even use computer locks that physically secure computers to desks to discourage theft.
Security guards are also considered part of the physical security system. In addition to monitoring cameras, they may screen visitors, and may patrol the premises, inside and outside, on a scheduled or unscheduled basis.
Where Physical Security is Critical
The degree of physical security required for a business is often dictated by the nature of the business. For example, a company that manufactures, warehouses, or ships valuable physical merchandise or prescription pharmaceuticals requires a higher level of physical security than a quick printer or dry cleaner.
Robust physical security is also vital to hospitals and healthcare practices that store supplies of controlled substances and expensive medical devices, as well as to financial institutions that accept, store, and dispense cash.
As important as they are in these examples, physical security protocols do not operate in a vacuum. They must be incorporated into an integrated, company-wide security system that also includes information security and cybersecurity in order to complete the security circle. Think of it as circling the wagons against attackers in the wild west; one wagon not integrated into the circle can put the entire wagon train at risk.
HIPAA Rules on Physical Security
The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) outlines requirements for the safety of electronic Protected Health Information, or ePHI. The Security Rule has three distinct parts governing Physical Safeguards, Technical Safeguards, and Administrative Safeguards.
Physical Safeguards are defined as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings from natural and environmental hazards and unauthorized intrusion.”
This simply means that a healthcare practice, hospital, medical center, or other healthcare provider must have physical security in place to protect its ePHI from disaster or theft. Following are a few best practices for meeting this requirement.
- For any device that stores or processes ePHI, access to that device should be restricted to authorized personnel only.
- Those devices should be installed or stationed in areas that cannot be easily accessed by patients or visitors. Consider also locking the devices in place.
- Hard drives, disks, thumb drives and any other devices that store patient information must be destroyed in the proper manner, with a certificate of disposal obtained and kept as a record.
- All devices that store or process ePHI should be inventoried and accounted for periodically. The inventory log should also include the names of employees who have access to each device and the roles they play in processing ePHI.
There are countless other measures to safeguard ePHI, ranging from creating an active culture of privacy in your offices to installing privacy screens on computer monitors.
Sarbanes-Oxley Rules for Physical Security
The Sarbanes-Oxley Act (SOX) governs financial institutions and other organizations that pass financial data through their systems and equipment. SOX requires that internal controls be implemented and audited periodically to prove the physical security of those systems and equipment as well as the security of electronic information.
Physical security measures apply to all IT assets, including all computers, network hardware, and other electronic equipment that collects, stores, or transfers financial data.
As a subset of internal controls, access controls are the physical and electronic security measures that prevent unauthorized users from viewing sensitive financial information.
Access can be controlled through measures such as housing data centers and file servers in secure locations, implementing electronic badge entry and camera surveillance systems, and employing effective password protocols, to name a few.
Just as a hacker may breach cybersecurity by invading the data processing system to access financial data electronically, so can physical security be compromised if a computer is stolen, or a disk or USB storage device is lost. The net effect of both scenarios is that a security breach has occurred, and financial data has been compromised, or worse.
The Internet of Things and Physical Device Security
Physical security is also a factor in IoT—the hyper-connected Internet of Things where your smartphone can control the tiny computers in your air conditioning system and your house lights. Where the small computer in your refrigerator monitors water quality and automatically orders a new filter from the manufacturer. Where your computerized oven can be turned on remotely to preheat while you drive home.
Typically, manufacturers of appliances and other IoT devices do not build robust security into the tiny computers that enhance their products. In just one example of what can happen to IoT devices with poor security, in October 2016, a hacker found a vulnerability in a specific security camera model. Through nearly 300,000 networked video recorders, an attack was launched on multiple social network websites, disabling Twitter and other high-profile platforms for almost two hours. (No doubt the Earth rocked on its axis.)
Hollywood has even made movies about highly automated, computer-controlled smart houses, and bad actors who hack into them to kidnap the occupants for ransom or do other harm. The idea makes for some scary entertainment—particularly because it could actually happen.
Following are a few other reasons IoT devices can pose a security risk:
- IoT devices can be installed in remote or unstaffed locations, where physical access to them is virtually unrestricted.
- Devices that are small in size can be more easily concealed, and thus easier to steal.
- Depending on the manufacturer’s specifications, the compromise of one IoT device may enable similar devices to be compromised in the same manner.
- Compromising one IoT device may give a hacker access to the IoT network of devices.
- Many appliances remain in use for years, without automatic updates to the integrated computers within, making them easier to compromise as time elapses.
In addition, test points and administrative ports may provide ways into a device; closing those ports prior to shipping can harden security. Tamper-resistant packaging and special seals can protect devices during shipment and indicate if compromise has occurred en route to the point of sale or delivery destination. There are other means of strengthening the physical security of these connected devices, as well.
How to Test Your Physical Security
As we have seen, physical security plays a vital role in the protection of an organization’s information and digital assets, and therefore in its overall security program.
Because of its importance, physical security must be tested periodically to confirm its effectiveness and scope, address vulnerabilities, and reduce the risk of a security breach.
A Security Risk Assessment, typically conducted by an experienced, credentialed third party, will implement this testing by incorporating a thorough review of physical security. The review will be aimed at discovering vulnerabilities in physical security and correcting them.
This review should include:
- A walk-through and evaluation of physical security controls, including related policies and procedures, and the actual controls.
- An inspection of doors, locks, physical access screens, wands, badges, cameras, alarms and similar elements.
- Verification of access logs and access policies and procedures that govern physical security.
- Review of key and badge inventories and assignments.
- Evaluation and documentation of how physical security processes integrate with information and cybersecurity processes in the organization.
The resulting findings should be presented in a detailed report that also includes actionable recommendations for remediating vulnerabilities, ranked by severity and priority.
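One way to carry out the access-log verification and badge-inventory review steps above, and to check the HIPAA device-inventory practice of recording who may access each system, is to reconcile the door-controller log against the badge inventory automatically. The Python below is an added example, not a 24By7Security tool or any vendor's product; the badge inventory, the log lines, the log format and the business-hours window are all constructed assumptions.

```python
from datetime import datetime, time
from typing import Dict, List

# Constructed sample badge inventory (hypothetical): holder, role, areas the
# badge is assigned to, and whether the badge is still active.
BADGE_INVENTORY: Dict[str, dict] = {
    "B1001": {"holder": "A. Nurse",  "role": "ePHI processing", "areas": {"ward", "records"}, "active": True},
    "B1002": {"holder": "B. Admin",  "role": "front desk",      "areas": {"lobby"},           "active": True},
    "B1003": {"holder": "C. Former", "role": "ePHI processing", "areas": {"records"},         "active": False},
}

# Constructed sample door-controller log (assumed format: timestamp badge area result).
ACCESS_LOG = """\
2024-03-04T08:02:11 B1001 records GRANTED
2024-03-04T08:15:40 B1002 records GRANTED
2024-03-04T23:41:05 B1001 records GRANTED
2024-03-04T09:03:00 B1003 records GRANTED
2024-03-04T09:10:22 B9999 lobby GRANTED
2024-03-04T10:00:00 B1002 lobby DENIED
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed window for controlled areas

# Severity rank for the report: 1 is highest, so findings sort worst-first.
SEVERITY = {"unknown_badge": 1, "inactive_badge": 1, "area_not_assigned": 2, "after_hours": 3}


def review_access_log(log_text: str, inventory: Dict[str, dict]) -> List[dict]:
    """Compare granted entries against the badge inventory and return findings ranked by severity."""
    findings = []
    for line in log_text.splitlines():
        ts, badge, area, result = line.split()
        if result != "GRANTED":
            continue  # a denial is the control working; only granted entries are reviewed
        when = datetime.fromisoformat(ts)
        entry = inventory.get(badge)
        if entry is None:
            findings.append({"badge": badge, "issue": "unknown_badge", "line": line})
            continue  # nothing further can be checked without an inventory record
        if not entry["active"]:
            findings.append({"badge": badge, "issue": "inactive_badge", "line": line})
        if area not in entry["areas"]:
            findings.append({"badge": badge, "issue": "area_not_assigned", "line": line})
        if not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]):
            findings.append({"badge": badge, "issue": "after_hours", "line": line})
    # Stable sort keeps log order within the same severity.
    return sorted(findings, key=lambda f: SEVERITY[f["issue"]])


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, BADGE_INVENTORY):
        print(finding["issue"], finding["line"])
```

Each finding maps to a line in the assessment report: an unknown or inactive badge points at the badge inventory itself, while an out-of-area or after-hours grant points at the access policy configured on the door controller.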
The Security Risk Assessment will also review and evaluate many other aspects of information security, and is an appropriate tool for any organization seeking to effectively secure its information assets and data systems—and in doing so protect stakeholders and their brands.
The security risk assessment should be conducted periodically, ideally annually, to ensure that the overall security program remains robust and effective and that program documentation is updated as needed. The 24By7Security team includes an in-depth review of your physical security safeguards while performing your annual Security Risk Assessment.
Physical security is more than a padlocked door or a guard at the gate. It incorporates every physical or tangible security tool throughout the business, from electronic keycards and screening wands to computer locks and security cameras.
The degree to which an organization incorporates robust physical security into its overall security program depends frequently on the nature of the business and the goods or services provided. Some industries are required by regulation to implement physical security for their assets. Both HIPAA and Sarbanes-Oxley have requirements for physical security designed expressly to prevent electronic health and financial information from being compromised or stolen. Other regulations also specify physical security requirements. In addition, the interconnectedness of devices and appliances in the Internet of Things presents physical security challenges throughout the supply chain, from manufacturing to warehousing to distribution.
Whether to meet regulatory requirements or to operate according to best security practices, organizations large and small periodically test their physical security measures in order to secure their information assets and protect stakeholders. It’s just smart business.