Insider threats to a company's physical security are often thought of as malicious insiders. The reality is that most insider threats are a result of well-intended employees who lack awareness about security practices. It is important to work with a security expert to gauge your security strengths and to determine where gaps exist. TechGuard regularly performs Physical Security Assessments for businesses. One that immediately comes to mind is when one of our TechGuard cybersecurity experts conducted a Physical Security Assessment at a hospital. The assessment began with gathering intel such as the employees' shift changes, how people interacted, etc. Then, posing as a delivery person carrying a large box, our expert was able to easily gain access to the building.
Upon entrance, our expert convinced an employee that they were contracted to perform a patch update on their computer. Without question, the employee entered credentials and our expert was in. During the same exercise, our expert found an unattended lab coat with a security badge allowing additional access to restricted areas. In addition, our expert was able to insert a USB into an unattended business hub. Had this been a malicious actor, the results would have been devastating for the hospital. However, it was a proactive exercise that was used as a very effective teaching opportunity for the staff members to learn more about how to properly secure their environment. Often, insider threats are the smiling faces holding open the door for the delivery person who clearly has their hands full.
Negligent Employees as Insider Threats
There are countless scenarios that could compromise the physical security of a company. In addition, most of the vulnerabilities come from well-intended employees who let their guard down. Consider the employee who takes a coffee break while waiting for a fax or copy to be complete. Are your staff members locking their computer screens before they walk away? Think about who has access to your building. Are file cabinets containing private information left unlocked and accessible to the public?
Take a close look at your policies and determine if employees are bringing home files with sensitive data in order to meet deadlines. You may wonder how likely your employees would be to pick up a USB that they found lying around. Are you curious to see if they would plug that USB into one of your computers? How is your company training and testing employees to measure their physical security practices?
In addition to educating employees, improving their bad habits is key to strengthening your security. Sometimes employees avoid policies if they feel the policies impede their work. Therefore, having support from the top down will increase employee buy-in and help to change the culture. Implementing best practices for your company's physical security will help to protect your employees from physical threats. Additionally, the best practices will add a layer of protection against a data breach.
Malicious Insiders
Another way to secure your data is to pair up the human resources team and your IT security team to work cohesively to create secure policies to reduce insider threats. For example, ask the human resources team to give the IT security team leader a heads-up if a fellow staff member has been demoted, placed on probation, or given a poor performance review. Sometimes these types of events will set off an employee to deliberately harm the company's data, resulting in great losses.
In addition, the human resources team should conduct a thorough background check including social platforms to get a picture of who they are hiring. Also, your organization should use IT controls and audits. Determine if access is granted based on job responsibility requirements. TechGuard can provide a gap analysis to prioritize your vulnerabilities. Then, we can provide remediation recommendations to eliminate the security gaps and to protect from insider threats. Overall, the combination of secure information technology and well-informed employees leads to a secure working environment.