Sad but true: an employee drilled periodically on how to identify and report phishing emails may think nothing of holding a door open to an outsider trying to enter the office. People are inherently trusting—and they must be trained not to be.
“The most flawed element in physical security is the human element,” says Heath Adams, CEO of TCM Security, a cybersecurity services provider in Charlotte, N.C. “An organization can have all the correct physical controls in place, but all it takes is one or two friendly individuals to cause those controls to become ineffective.”
Once an outsider with malicious intent gets in, lots can happen. They can plant rogue devices in networks for later access to privileged data or malware that slowly steals intellectual property, says Adams. “Perhaps the attacker is interested in physical files with social security numbers or banking information.”
In its 2022 Data Breach Investigations Report, Verizon estimates a median of 80,000 records is stolen in a breach. It’s a significant drop from 375,000 in 2008, when the company started keeping track, but it isn’t trivial.
Organizations have gotten better at training employees to recognize cyber dangers and report them to IT or cybersecurity teams. Training helps prevent breaches. But to be complete, it must include physical security. Indeed, insiders are responsible for one-fifth (20%) of cyber breaches, according to Verizon. Often, insiders don’t even recognize their role in the breach, and that’s a problem.
Adams recommends internal training and third-party testing by a cybersecurity service provider, which is an opportunity to add margin and customer value.
“Internal training is a great option,” he says. “All new employees should be trained on the organization's physical security policies and what to look for or do in certain situations. All current employees should receive updated training at least annually.”
Penetration testing is also key. “This is a great opportunity to identify flaws specific to that organization and demonstrate firsthand to the employees how those flaws can be leveraged in an attack.”
In a recent test, Adams and an associate used fake names to get into an office. At one point, an employee caught them using a tool to force open a door. The employee accepted the explanation that they were testing the door’s security and left it open for them. “From there, we had an entire office floor to ourselves. We had access to anything we wanted,” Adams recalls.
One caveat when hiring pen testers for your SMB clients: Use qualified individuals with proper documentation and contracts to avoid the fate of two professionals who were arrested in 2020 for performing physical pen testing. (All charges were later dropped.)
PEDRO PEREIRA is a freelance writer in New Hampshire who has covered the IT channel for two decades.