While most IT security focuses on technology, network connectivity, firewalls, antivirus, and patching, you cannot overlook the importance of physical security. It doesn’t mean that you should hire bodyguards or enroll in martial arts classes, but it does mean that your staff travelling with company IT resources should be aware of their surroundings and take basic precautions to safeguard the equipment and data in their care. Here are some of these basic physical security best practices.
Users should maintain situational awareness of their surroundings at all times and pay attention to potential threats. They should not talk loudly on the phone or with colleagues about sensitive topics when others are within earshot. They should not pull out their phone and pay more attention to it than to walking down the street or standing at a train platform. They should not set up their laptop where someone can easily grab it and run off, and they should not travel alone in ‘sketchy’ areas.
There will be times when users cannot maintain direct physical control of IT resources, such as when their laptop goes through the X-ray machine at the airport. But they can maintain visual contact with their equipment, and they should not let their laptop go through the X-ray machine until they are able to go through the metal detector too. Users should also ensure that any portable media that is not directly connected to their computer and within sight is either in their pocket, or put away out of sight in their bag, which must remain within their control. It only takes a second for someone to grab a USB key and walk off with it. Don’t provide anyone with the opportunity to grab something of yours while you are not looking.
Accidents will happen. Thefts occur too. If you encrypt all data on all portable storage and laptop hard drives, then when something does grow wings and fly away, at least the sensitive data stored on the hardware will not be readily accessible to the new ‘owner.’ Make sure you use strong encryption and a very strong password, and that you don’t leave the password written down on a Post-It note that flies away with the stolen goods!
A clean desk is a sign of a security-minded person. If you don’t want the cleaning crew, visitors or co-workers to see what they should not, then don’t leave sensitive information on the desk. If you’re away from the PC, lock the screen, and if you have data on a whiteboard, erase it before you leave or cover it so that it’s not visible to prying eyes or to anyone outside your office.
Lock it up
Sensitive documents, DVDs, portable drives, and USB keys should be locked in your desk at the end of the day. Your laptop bag should be locked in your trunk when you must travel with it and MUST leave it in the car. Avoid doing so when it’s very hot… you don’t want to cook your laptop. When renting cars, make sure they come with a trunk so you can put things away out of sight. In a hotel, use a cable lock to secure the laptop you are using when you have left the room for dinner or time in the gym. The hotel’s cleaning service may be extremely honest and trustworthy, but we’ve all seen them leave the doors to rooms they are cleaning wide open, and it only takes a second to jump in, grab the laptop, and jump back out.
While those bags with the company logo look really cool, they also advertise who you work for and what is in the bag. The same goes for logo wear. When travelling, try to avoid wearing clothes or using bags with the logo of your company so that you are not calling attention to yourself. Sure, everyone will know what you have in your backpack, but without a logo you could be as much a student as a high-end consultant for a big name company.
Most physical security involves common sense, situational awareness, and reducing the risk. Stay alert and don’t part with your laptop or files or memory sticks unless you really have to. Even then you can take precautions. Better safe than sorry.