Cybersecurity has often been called a game of chess – but in many ways, it’s more like a game of Risk, where players allocate their resources at particular network points (i.e. fortify Greenland or Kamchatka) and prepare for intrusion and infiltration with complex global and local strategies. The hackers are out there – and cybersecurity is becoming a major challenge for companies. So what do you do to circle the wagons?
One key part of cybersecurity that’s often overlooked is physical security. Physical facility and site security prevent some of those human problems where data breaches and active threats have more to do with people than they do with computers.
We’ve separated this list of key physical security best practices into two groups – perimeter solutions and social engineering – because we feel like these are two pillars of a good strategy to keep both companies and their networks protected.
Cybersecurity experts will often warn you that exposed ports mean vulnerabilities. In terms of physical security, this means guarding your ethernet cabling or other network hardware (or gluing your USB ports!). You can also install port monitoring software that will alert you if someone physically plugs into the network through, say, a USB port or an untended (or partially decommissioned) workstation.
Another key part of perimeter physical security is the turnstile. Step one – build the turnstile. Step two – make sure no one piggybacks (tailgates) through the turnstile! Companies that have trained everyone to prevent piggybacking are far more secure because those aggressive outside actors can’t get physical access to the interior of a site. Now, if they slip past, there are other best practices for that….
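The port monitoring idea above, as an added example that is not from the original post: a small Python check that scans kernel-style USB log lines, flags mass-storage devices that are not on an approved list, and separately flags attachments outside business hours (a plausible sign of an untended workstation being used after the site has emptied). The log lines, the allowlist and the business-hours window are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample kernel-log lines (not from any real host); the message
# format follows the Linux "New USB device found" / usb-storage messages.
SAMPLE_LOG = """\
2024-03-04T09:12:01 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b
2024-03-04T09:12:01 ws-17 kernel: usb 1-2: Product: USB Receiver
2024-03-04T22:47:10 ws-17 kernel: usb 1-4: New USB device found, idVendor=0781, idProduct=5583
2024-03-04T22:47:10 ws-17 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
2024-03-05T10:03:22 ws-03 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666
2024-03-05T10:03:22 ws-03 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs approved for the site.
ALLOWED_DEVICES = {("046d", "c52b"), ("0951", "1666")}
BUSINESS_HOURS = range(8, 19)  # 08:00 to 18:59, an assumed policy window

NEW_DEV = re.compile(r"^(\S+) (\S+) kernel: usb (\S+): New USB device found, "
                     r"idVendor=(\w+), idProduct=(\w+)$")
STORAGE = re.compile(r"^(\S+) (\S+) kernel: usb-storage (\S+):\d+\.\d+: "
                     r"USB Mass Storage device detected$")


def find_usb_alerts(log_text, allowed=ALLOWED_DEVICES, hours=BUSINESS_HOURS):
    """Return one alert per mass-storage attachment that needs a follow-up."""
    attached = {}  # (host, usb port) -> most recent device seen on that port
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            ts, host, port, vid, pid = m.groups()
            attached[(host, port)] = (ts, vid, pid)
            continue
        m = STORAGE.match(line)
        if not m:
            continue  # keyboards, receivers etc. never reach this point
        _, host, port = m.groups()
        if (host, port) not in attached:
            continue  # storage message without a matching device line
        ts, vid, pid = attached[(host, port)]
        reasons = []
        if (vid, pid) not in allowed:
            reasons.append("unapproved device")
        if datetime.fromisoformat(ts).hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"host": host, "port": port, "ts": ts,
                           "device": f"{vid}:{pid}", "reasons": reasons})
    return alerts
```

Running `find_usb_alerts(SAMPLE_LOG)` reports only the late-night unapproved stick on ws-17; the approved drive on ws-03 during the day passes, and the non-storage receiver is ignored.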
Clean Desk Policies
This is often a major part of the physical site strategy. With a clean desk policy, if someone does breach the perimeter, they won’t see as much. Leaving sensitive documents lying around or failing to implement a screensaver could be the difference between good site protection and a massive data breach.
Physical security can also utilize the same principle behind browser isolation, or, for that matter, cold wallets. Simply put, hardware and processes that are disconnected from the global Internet are far harder to reach, let alone hack. Always-on, always-connected systems are often the weakest points.
One way to put this into perspective is to look at how this works in the world of cryptocurrency. Traders are very often told to make the transaction through a connected exchange, then immediately take the digital assets from the hot wallet and put them into a cold wallet – an unconnected device. That’s to keep them safe from prying fingers. The same principle can help you to protect key data inside a network – and it can apply to physical site security as well, in a thousand ways.
Social Engineering Protections
Now, this second half of your physical security game plan should, in some ways, be a little more robust. Many hackers are taking social engineering approaches, trying to trick your people into allowing active interior threats to proliferate inside of the business architecture.
Don’t Talk to Strangers
In many ways, this generation of people (and by extension, employees) has been raised to overshare. We’re taught to be proud of what we do and plaster it everywhere, from LinkedIn to Facebook, to other parts of the web. But this information can easily be gleaned by black hat fraudsters who will call you up pretending to be someone else – they’ll use your own data against you! Many of us forget that all of this personal stuff is accessible and think that if somebody knows where we are and what we do and everything else, that’s verification. It’s not! Oversharing is a key problem and something that can feature in your physical security best practices training.
Work Your Game Theory
No one wants to be the weakest link – so one way to prevent active threat potential is to do a lot of role-playing. Show your people how hackers and phishers get access through social engineering. Role-play scenarios where they’re getting calls from imposters, and see how they react. In a lot of cases, it just takes some practice for people to learn to distrust messaging or communications that could harbor a Trojan horse.
Modernize Caller ID
Caller ID is a particular problem, and the reason is how fast the technology has moved. Here’s what we mean. Twenty years ago, caller ID was state-of-the-art. It was easy to see who was calling you, because caller ID took the phone number and put it with the right name.
This is no longer true, because spoofing is now cheap and commonplace. When you see a caller ID name, you can’t trust that it is who it says it is, and so it’s necessary to go beyond caller ID to the next level. That might feature multi-factor authentication, or it might require biometrics. It might just require people to ask each other in-depth questions or require some shibboleth to make sure that they know who they’re talking to. Another corollary principle is to never treat an incoming call as verification, because you just don’t know where it’s coming from! If the caller needs something sensitive, hang up and call back on a number you already have on file.
As key security experts point out, the applicable saying used to be: “trust, but verify.” Now it’s all verification and no trust. Just look at the emergence of deepfakes and the prolific use of spoofing in social engineering attacks. You have to start from the basis that someone is unverified and move toward key verification techniques. In the tech world, it’s guilty until proven innocent – anything else invites attack.
These important approaches to both perimeter protection and social engineering defenses constitute some of the best cybersecurity advice that today’s businesses can receive. Implement them to give your defenses a boost.