A Stolen Laptop and 20 Million IDs Stolen: Tips to Protect Your Cyber Security with Physical Security
No doubt, you’re worried about cyber-security. We all are. Just consider: In 2018, billions of people had their data compromised. But in our completely justified worry about malware, firewalls, encryption, passwords and all the complexities of cyberspace, we’re not thinking enough about something basic: the physical security of data in actual space.
That means all the many physical devices that hold our most sensitive information: servers, data sticks, computers, tablets, printers. How safe are yours? Are you sure?
While many data breaches are carried out via clever code enabled by distant hackers, a significant number of incidents remain quite analog: People just steal the machines. Really.
Here are just a few examples:
- About a year ago, a coordinated group of thieves broke into several Icelandic data centers and stole 600 servers designed to “mine” (that is, create) bitcoin, the cryptocurrency. They also allegedly took 600 graphics cards, 100 processors, 100 power supplies, 100 motherboards and 100 sets of computer memory. The investigation is ongoing.
- In 2017, a Canadian computer retailer, NCIX, went bankrupt. It failed to wipe its servers before they were sold. The 15 years’ worth of customer data ended up for sale on Craigslist.
- In 2015, a British charity, PlanUK, reported that five servers had been stolen from its London offices. The hardware contained the bank details of approximately 90,000 supporters of the family charity, and the charity had to reach out to all of them.
- In 2009, the Department of Veterans Affairs paid $20 million in damages after an employee laptop containing data on more than 26 million veterans was stolen from a VA office.
Where Physical Security Can Fill the Breach
And crime vectors can be more complex and less obvious: Without perimeter security — a guard in the lobby or perimeter video surveillance — sensitive data may be stolen in a discreet manner. For instance, one consultant showed that just by jumping on an elevator next to an employee with an access card, an off-the-shelf device could skim card passwords, even customer data, during a quick ride up.
With the physical access that such cards can provide, hackers can do much more extensive damage: They can install ransomware or a backdoor to access your system without you knowing, steal your financial credentials or account credentials, and send out spam email in your name. That’s the bad news.
The good news is that businesses can guard their IT infrastructure with a few simple measures. You don’t have to be a tech wizard to plan and implement these strategies.
And experts say it’s especially important for firms to think about the physical security of their data if they do not have a security chief or elaborate security tools. Luckily, even basic, out-of-the-box approaches can make a difference. Here are the ones most commonly recommended by security experts:
Empower Employees to Act on Their Instincts
A 2017 study shows that careless employees are the number one cause of security breaches, whether cyber or analog. Experts say the problem isn’t so much malice, as ignorance. Figure out organizational blind spots, then hold employee training sessions to address them.
Start with access control. This includes protocols for when front-desk/first-touch folks are out to lunch and on break. What’s the overlap for manning your lobby? Who gets coffee when? If someone looks VIP or acts VIP, process them the same way. Be especially vigilant for door-opportunists, those who follow a legitimate employee through a keycard door. The experts say manners are secondary to security in this case.
Within the office space, prep employees on what type of behavior is suspicious – an unknown, unaccompanied person in a restricted area, for example. Empower employees to challenge people or to surreptitiously alert security.
Another common theme in employee training is the critical need for up-to-date hardware and strong encryption. It starts with a laptop or desktop password – credentials should be unique, changed routinely (on a schedule) and enabled with two-factor authentication. Two-factor ensures that even if a device is taken, a separate device is typically needed to complete the login process, reducing the likelihood of data being successfully stolen.
Invest in Perimeter Security Early On
Robust video surveillance is a must. In some cases, just the presence of a physical camera system can deter hackers. Having video surveillance guarding your perimeter creates situational awareness. When coupled with video analytics, video surveillance systems allow you to effectively monitor large areas with limited manpower. If your campus gets high vehicular traffic, invest in license plate reading technology, so you can monitor for aberrant activity.
A video system can provide an overview of your entire physical campus. If possible, make the video system separate from your larger computer network. In this era of the “Internet of Things,” you don’t want to make it easy to hack Wi-Fi-enabled cameras, experts say. And, if something does happen, video can still help police investigators and prosecutors investigate the crime and be used for evidentiary purposes. For instance, the Iceland cryptocurrency heist was discovered by a video feed.
In addition, increase the effectiveness of your surveillance systems by placing them where they’re useful, not just where you’re limited to power or communications lines. Trailer-based or autonomously powered video surveillance systems allow you to watch parking lots and campus blind-spots, so you have a forensic picture from entry to exit.
Keep Track of Company Devices
Who has what? Have any computers or tablets gone missing? Set up a system. It can be as simple as a “check out” log for various devices. When tablets, data sticks and the like aren’t being used, they should be locked up.
Make sure each employee, if appropriate, has access to their own work-issued device. Sharing devices is an easy way to lose track, and it is much harder to ensure compliance for updating personal devices.
If you want more insurance, look into a mobile device management system that enables you to lock down and wipe the disk of a laptop or other device that is stolen or lost. Or, designate a few “travel” laptops or tablets that can be loaded with data necessary for a trip. Upon return to the office, the traveler device can be wiped and readied for the next excursion.
Autonomous Physical Security Allows You to Focus on Your Data Center
Autonomy is key. Whether it’s the continuous updates that don’t rely on in-house expertise or the siloed nature of autonomous physical security, it’s the name of the game. Physical security systems that operate independently of the network infrastructure your servers run on are critical in the event of a breach. If your IT infrastructure is compromised, your physical security system won’t be; this will allow you to keep employees safe and collect evidence in the event of a system-wide attack. Since you never know the intentions of a malefactor, this is an important precaution.
Dedicate resources to physically securing your Data Center. Again, it sounds obvious, but lock the door! Make sure the physical place where your most sensitive data lives is secured, because it takes just one drugstore USB stick. Anchor servers to the floor or to heavy furniture. Install indoor video surveillance and a smart alarm. Look into intruder alert systems.
Some Great Resources
You need a combination of simple tech updates, manpower, organization and vigilance. These are basic first steps that will help keep you above water in the majority of cases. If appropriate to your business, there are plenty of guides to more extensive physical security – things like blast walls, retractable crash barriers and bomb detection.