By Yana Yelina, Tech Journalist, EffectiveSoft
Nowadays, none of the enterprises is immune to cyberattacks, data breaches, malware, and other types of damage. As a result, news about information leakage in different types of organizations is continuously cropping up in the mass media.
Taking into account the fact that cyberattacks are becoming more sophisticated, enterprises tend to spend much money on employing high-quality software or linguistic tools to protect corporate info, clients’ personal data, intellectual property, etc. Thus, according to one survey, in 2015, about 20% of worldwide companies allocated a cybersecurity budget at the amount of $1-4.9 million. Beyond that, the cybersecurity market is expected to reach $170 billion by 2020.
Nevertheless, cybersecurity is not the only problem organizations should handle to avoid considerable losses from insider and outsider threats…
Physical security
This type of security entails the protection of personnel, hardware, software, networks, and data from physical actions that are sometimes taken with brute force.
Physical security is often a second thought when it comes to information security and it is overlooked as organizations concentrate their efforts on combating cybercriminals with the help of trusted software developers. But it’s a must to remember that sensitive data may be easily stolen by outsiders and insiders from laptops, USB drives, tablets, flash drives, or smartphones. Malefactors can get an entry to secured areas through tailgating, hacking into access control smart cards or breaking in through doors.
It may seem surprising, but the below-listed examples show that insider threats are becoming really numerous and should be addressed in a proper way.
1) At a major US bank, a contract janitor and two co-conspirators stole a number of customer accounts and personally identifiable information from hard-copy documents. The criminals then used the data to steal the identities of over 250 people: they opened credit cards, submitted online change-of-address requests and, as a result, the victims did not get bank notifications about fraudulent activities. That case cost the organization $200,000.
2) The UBS PaineWebber incident shows that sometimes attackers don’t set a goal to steal data, they just want to damage. The example is Roger Duronio who planted a “logic bomb” that disabled 2,000 servers around the country in UBS PaineWebber offices. As a result, the company didn’t manage to make trades for several weeks and then reported to spend $3.1 million to recuperate from the attacks.
3) An insider stole trade-secret drawings within his organization and sold them to a rival, inflicting a $100-million loss. However, after losing a lawsuit, the company that received the stolen documents was forced to declare bankruptcy.
Security and protection systems
One security professional is not able to cover the whole range of physical security, that’s why it’s reasonable to plan a separate security program and address the 3 important components: access control, surveillance, and training.
First, physical sites should be protected by fencing, locks, access control cards, biometric access control systems, and fire suppression systems. Second, the company locations should be monitored via surveillance cameras and different kinds of notification systems: physical intrusion detection systems (IDSs), alarm systems, closed-circuit television (CCTV), heat sensors and smoke detectors. Third, it’s indispensable to raise awareness among the employees, delivering valuable info on disaster recovery policies, as well as on physical attack prevention and response procedures.
Security management software
Like in the case of cyberattacks and intellectual capital protection, here an ideal variant is the implementation of specific enterprise software to control and manage staff and guest access to specific areas in a given physical facility to avoid insecure attendance.
To maintain such complete control, the software is to include certain subsystems and management tools:
1) Data Manager
The era of physical locks and keys has ended with no hope of a return. For now, electronic access cards that interact with intelligently controlled devices represent one of the most secure building options. Such systems give business owners a high degree of control over physical facility attendance.
The embedded Data Manager tool can be used to track employees’ electronic entries, assign cardholders to certain user groups depending on the access area and time.
The tool also allows recording cardholders’ locations and shows at what time and at which door the user was granted or denied access. To prevent data loss in case of system failures, controllers should be synchronized with the central database.
2) Security Manager
Any type of interaction with the system should be also tracked. That’s why it’s vital to use a special tool to control cardholders’ actions: logins, addition records, different kinds of editing, deletion, and more.
3) Hardware Manager
To avoid damage caused by malefactors, it also seems logical to use a hardware management tool to configure diverse hardware, such as controllers, doors with door panels and door readers, etc. Such a tool allows running all the needed reports; it is easy to implement and integrate, that’s why Hardware Manager can be effectively used by companies of all stripes and colors.
To fulfill its function of an insider and outsider threats/attacks tracker and show all its possibilities (including reports delivery), the above-mentioned software has to be correctly integrated into the enterprise control system, as shown in this case study, and if needed to go through a proper customization process.
Conclusion
The article touched slightly upon the problem of physical security enterprises constantly face. With the development of new sophisticated techniques, both cyber and physical attackers feel free to conduct illegal deceitful activities to pursue their own aims, that’s why a response should be also refined and effective.
About The Author
Yana Yelina graduated from Minsk State Linguistic University with a bachelor’s degree in Translation/Interpretation (English, Spanish, and Italian) and Public Relations. After that, she has worked as a copywriter/journalist for a number of Belarusian companies. At EffectiveSoft Yana holds a position of a Tech Journalist and writes about modern technologies, covering software development practices in a broad array of business domains: trading and finance, e-commerce, education, healthcare, logistics, etc. Yana can be reached online at [email protected] or http://www.effectivesoft.com. You can also connect with her on LinkedIn or Twitter.