Insider threats to a company's physical security are often thought of as malicious insiders. The reality is that most insider threats are a result of well-intended employees who lack awareness about security practices. It is important to work with a security expert to gauge your security strengths and to determine where gaps exist. TechGuard regularly performs Physical Security Assessments for businesses. One that immediately comes to mind is when one of our TechGuard Cybersecurity Consultants implemented a Physical Security Assessment at a hospital. The assessment began with gathering intel such as the employees' shift changes, how people interacted, etc. Then, posing as a delivery person carrying a large box, our consultant was able to easily gain access into the building.
Upon entrance, our consultant convinced an employee that they were contracted to perform a patch update on their computer. Without question, the employee entered credentials and our consultant was in. During the same exercise, our consultant found an unattended lab coat with a security badge allowing additional access to restricted areas. In addition, our consultant was able to insert a USB into an unattended business hub. Had this been a malicious actor, the results would have been devastating for the hospital. However, it was a proactive exercise that was used as a very effective teaching opportunity for the staff members to learn more about how to properly secure their environment. Often, insider threats are the smiling faces holding open the door for the delivery person who clearly has their hands full.
Negligent Employees as Insider Threats
There are countless scenarios that could compromise the physical security of a company. In addition, most of the vulnerabilities come from well-intended employees who let their guard down. Consider the employee who takes a coffee break while waiting for a fax or copy to be complete. Are your staff members locking their computer screens before they walk away? Think about who has access to your building. Are file cabinets containing private information left unlocked and accessible to the public?
Take a close look at your policies and determine if employees are bringing home files with sensitive data in order to meet deadlines. You may wonder how likely your employees would be to pick up a USB that they found lying around. Are you curious to see if they would plug that USB into one of your computers? How is your company training and testing employees to measure their physical security practices?
In addition to educating employees, improving the bad habits of employees is key in strengthening your security. Sometimes employees avoid policies if they feel the policies impedes their work. Therefore, having the support from top-down will increase employee buy-in and help to change the culture. Implementing best practices for your company's physical security will help to protect your employees from physical threats. Additionally, the best practices will add a layer of protection to preventing a data breach.
Another way to secure your data is to pair up the human resources team and your IT security team to work cohesively to create secure policies to reduce insider threats. For example, ask the human resources team to provide the IT security team leader a heads up if a fellow staff member has been demoted, placed on probation, or given a poor performance review. Sometimes these type of events will set off an employee to deliberately harm the company's data resulting in great losses.
In addition, the human resources team should conduct a thorough background check including social platforms to get a picture of who they are hiring. Also, your organization should use IT controls and audits. Determine if access is granted based on job responsibility requirements. TechGuard can provide a gap analysis to prioritize your vulnerabilities. Then, we can provide remediation recommendations to eliminate the security gaps and to protect from insider threats. Overall, the combination of secure information technology and well-informed employees leads to a secure working environment.
Check out our other blogs on Physical Security:
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill-set and her relationship building skills strengthens her ability to understand the human element role in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company’s story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.