Analecta Cyber Company Blog: When a Locked Door Isn’t Enough: Controlling Physical Access to Information Systems


When a Locked Door Isn’t Enough: Controlling Physical Access to Information Systems

It is vital to keep attackers from finding ways to access your data remotely, but it is equally important to keep them from exfiltrating data through direct physical access. Physical security should safeguard your equipment, resources and other assets to ensure that only authorized personnel have access to those company assets.

Layered approach to physical security

Physical security requires more than putting a lock on the front door of your organization and calling it good. Focusing on a single point of failure or weakness will not protect your organization from someone gaining unauthorized physical access to your systems. Instead, consider a layered approach where each layer of security control complements the rest to build a more secure overall posture.

One way to apply layered physical security measures is to start from the outside and work your way in. For a larger facility, this may include security considerations for an office park campus, parking lots, individual buildings, lobby and common areas and interior rooms.

Building protection

Using the outside-in approach, the first place to secure is your campus and individual building. Your specific needs will depend on the type of organization you have. Retail establishments will want to make ease-of-access a primary consideration, while those in other fields may need more controlled access.
  • Include security cameras in your physical security plan.
  • Have camera feeds monitored or reviewed. This can be accomplished by security professionals on-site or subcontracted from a security company at a different location.
  • If the security feeds are only recorded for later review, it is a good idea to have personnel watching the main entrance to your business.
  • Many government or military organizations may need armed guards at the door of a building; however, most small and medium-sized businesses do not share that need.
  • A well-positioned receptionist can greet visitors at the door and arrange for non-employees to meet their appropriate point-of-contact without allowing them the freedom to roam about the offices unsupervised.
  • The receptionist is strategically placed to maintain visitor access records of individuals who visit your company and wish to gain access to non-public spaces.
  • The entryway or reception area can still be large and inviting, yet provide an element of security to deter those wishing to gain unnoticed physical access to your systems.
  • Visitor logs and/or badging should be accompanied by an escort whenever a visitor is in non-public areas.
NIST guidance recommends that visitor access records include the following information:
  • Visitor name and signature
  • Forms of identification presented
  • Date and entry/departure times
  • Purpose of visit
  • Name and organization of persons visited


Being Secure Enough

I recently met with one of our Managed Service Provider clients at their office. The small business was located in an historic home that had been converted into commercial use - something common in smaller towns across Maryland. The company’s front door had a decorative leaded glass design.

We had an in-depth discussion about how security isn't a binary "yes" or "no" and it's not implemented with a "silver bullet" tool. Security is improved over time by implementing a system of checks and balances to reduce a company's risks.

One of the business managers brought to light a nagging question. “It has been our experience with security firms that there is always something more that we need to be ‘secure.’”

“Can we ever be ‘secure enough?’”

"Take for example the building we are in," I asked the owner. "I'm guessing you lock the doors at night to safeguard the company assets?"

"Of course we do," he replied.

"Have you considered that someone can simply press against the glass of that door and unlock the deadbolt? But that's why you use an alarm system, too."

Modern business requires careful consideration of what data needs to be protected, how it will be protected and the other tools and capabilities that work together to ensure that the protection is working.

Security is a system of risk mitigation measures, to achieve a business goal. It isn’t an absolute.

We’ve developed our cyber risk assessment using the NIST Cybersecurity Framework to review every aspect of your cybersecurity program and help you understand and articulate the risk and mitigations as they exist. Every business owner has a different tolerance to risk, and that tolerance needs to be a key element of their security decisions.

That’s what Analecta Cyber does. We make sure you are aware of the risks and help you make wise decisions about how to address those risks in an ever-changing field with new threats all the time.

Dave Hawkins, Manager and Cofounder of Analecta Cyber

Server room protection

Your on-site server room is the heart of your business. This is the temperature-controlled, buzzing room where fan-cooled machines are running 24/7/365, and restricting access to it is a no-brainer.
  • Protect your server rooms and telecommunications closets with access control devices that require access cards, badges or biometric devices.
  • Not only do these devices restrict access to physical spaces, but the underlying control system maintains logs of when each user accessed a specific card reader.
  • Review logs regularly to look for anomalies, not just once an issue has been identified.
  • Within the server rooms and telecommunications closets, protect cabling with conduit or cable trays, lock wiring closets and disconnect or lock spare jacks.
  • Place tamper-evident tape on devices as a deterrent and a safeguard.
  • Implement additional surveillance video monitoring for any areas where there is a concentration of information system components.
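The bullets above say the badge-reader control system keeps a log of who opened which door when, and that those logs should be reviewed regularly rather than only after an incident. The following is an added example, not code from the post or from any access-control vendor: it runs a simple review over a constructed badge log, flagging server-room entries granted to badges outside an assumed allowlist, entries outside an assumed business-hours window, and badges that are repeatedly denied. The log format, badge IDs, reader names, allowlist and hours are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample badge-reader log (timestamp,badge,reader,result); the
# field layout and IDs are assumptions for this example, not a vendor format.
SAMPLE_LOG = """\
2024-03-04T08:55:10,B1001,server-room,GRANTED
2024-03-04T09:02:41,B1002,server-room,DENIED
2024-03-04T09:03:05,B1002,server-room,DENIED
2024-03-04T09:03:30,B1002,server-room,DENIED
2024-03-04T13:20:00,B1003,server-room,GRANTED
2024-03-04T23:41:17,B1001,server-room,GRANTED
2024-03-05T10:15:00,B1004,lobby,GRANTED
"""
SERVER_ROOM_ALLOWLIST = {"B1001"}           # assumed: badges approved for the server room
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed: expected access window
DENIED_THRESHOLD = 3                         # repeated denials worth a second look

def parse_log(text):
    """Turn 'timestamp,badge,reader,result' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, reader, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "reader": reader, "result": result})
    return events

def find_anomalies(events, restricted="server-room"):
    """Return (kind, badge, timestamp) entries a reviewer should follow up on."""
    findings, denied = [], defaultdict(list)
    start, end = BUSINESS_HOURS
    for ev in events:
        if ev["reader"] != restricted:
            continue                      # only the restricted reader matters here
        if ev["result"] == "GRANTED":
            if ev["badge"] not in SERVER_ROOM_ALLOWLIST:
                findings.append(("granted-not-on-allowlist", ev["badge"], ev["ts"]))
            if not start <= ev["ts"].time() <= end:
                findings.append(("after-hours-access", ev["badge"], ev["ts"]))
        else:
            denied[ev["badge"]].append(ev["ts"])
    for badge, times in denied.items():   # many denials: wrong door, or someone probing
        if len(times) >= DENIED_THRESHOLD:
            findings.append(("repeated-denials", badge, times[-1]))
    return findings

if __name__ == "__main__":
    for kind, badge, ts in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {badge} {kind}")
```

Each flagged line is a prompt for a human check (was the after-hours entry a scheduled maintenance window? why does B1003 have server-room rights?), which is the kind of regular review the bullet above calls for.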

Desktop/laptop protection

Physical security also needs to be applied to laptops and desktop computers.
  • Restrict access to the devices by requiring computers to be locked when not being used. Many companies have a strict lock-screen policy where computers must be locked when the user steps away even for a moment.
  • Use RSA tokens, SMS text codes and similar devices to incorporate multi-factor authentication to ensure only the authorized person has access to a device, a specific account or high-profile data.
  • Laptop locks and cables are affordable and easy to implement across your organization. For smaller devices, locking them away in a file cabinet or safe will keep them out of unwanted hands.
  • Removable drives and devices should be disabled. We recommend disabling host machine ports and instructing users not to plug in personal devices.

User awareness is key

Physical security is more effective when your employees understand why the security measures are in place. Visit these Analecta NIST Cybersecurity Framework blog articles to help educate your employees on the importance of physical security and cybersecurity as a whole.
Physical security is but one aspect of the cybersecurity picture. For more information on how to better incorporate physical security considerations into your cybersecurity plan or if you have any cybersecurity questions, email us at or visit our Cybersecurity website.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.
