Security measures to protect ourselves from situations such as cyberattacks, ransomware, hacks and identity theft are very important. On top of the costs associated with getting IT professionals involved to recover your data, there is also your valuable time spent on making countless calls to banks, credit card companies and credit reporting agencies. Putting a freeze on your credit is not always free, and it can be cumbersome when, right afterwards, you need to take out a loan to replace an aging vehicle, not to mention the possible ramifications for your credit score. Recall the recent Equifax data breach?
Ever since the UN and world leaders declared cybersecurity a growing threat, many end users have made a more concerted effort to keep operating systems up to date, install antivirus software and pay attention to the sender and attachments in emails. Additionally, many IT teams have worked to educate their end users on these cybersecurity best practices.
But What About Being Old Fashioned?
However, there’s one security topic that I believe does not get covered nearly enough, and that is physical security. Having worked in a datacenter environment before, I have been through the audit process many times, whether for SOC compliance, PCI or other standards. In each audit, many of the questions boil down to, “Who has access to what, and at what level of access?”
This includes physical access to equipment, in addition to permission levels.
For instance, let’s say you are a small company that has a simple server cabinet. Does that cabinet stay locked when not being worked in? Who has keys to that cabinet? Where are the keys kept, and how is it decided who has access to that key?
You should have a document created and on file that gets updated whenever changes are made. If you are ever subjected to an audit from an external entity, having all the documentation ready up front will help you pass the audit quickly. Failing a required audit is painful: you will have to create new documentation that the audit company must approve and sign off on before you can move forward. Very, very time consuming.
Has the thought of a night crew staff member or a contracted cleaning company bothering to peek into the server cabinet ever popped into your mind? That simple oversight can cost you. We can never judge a person’s skills by their job title. Many reports show that the biggest security threats faced are not from outsiders trying to gain access to your data, but rather from insiders gathering and exploiting it. Think back to Edward Snowden. Make sure you know who has access and consider limiting it to the necessary people, unless the person’s key role in the company is to completely manage the environment, such as your IT security engineering team.
Access Control Considerations, Both Digital and Physical
Whether it be camera systems, biometric and badge systems, firewalls, the telecom room, the power room, etc., you should also carefully consider your levels of access control to ensure that more than one person has access to each. Limiting access to one person means a single point of failure. What if that person unknowingly makes a mistake, heads home for the night and does not answer their phone? There should be a second person with the same physical access to alleviate this single point of failure.
And you need a way to track this in case of an audit. Consider creating documents that state these policies, signed by both the employee and the employer, or building control systems that keep logs of every change in access level and every access to a system.
Most businesses have trusted, long-time employees that assist with servers from time to time. They may, for instance, be tasked with creating a user and email account for a new employee. Just how much access does that employee really need to perform this task? And does that employee need that level of access indefinitely? After adding the new employee to the system, unless the access is revoked manually or expires, that same employee still holds the key to do whatever they want.
This could even mean full access to your company data. How is your data folder structure set up? Is there a compliance folder, an HR folder or a management folder? Who should be able to see the documents in each folder? Do you know for a fact that the people who should have access, whether read or write, are the only ones who do? Again, having a document listing employees, functional roles and access control lists will come in handy in an audit, as well as giving you peace of mind about security. With this, you can ensure that the employee who has worked with you for years and occasionally assists with adding new employees to the systems or with password resets cannot also view sensitive data that you feel they shouldn’t have access to. Hello, HIPAA!
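As an added example (not from the original post), here is a small Python review of a constructed access register that flags the three conditions discussed above: access that expired but was never revoked, an employee whose role is not allowed on a sensitive folder, and a resource with only one keyholder. The register, the names and the role policy are all constructed for illustration.

```python
from datetime import date

# Constructed access register (not real data): who has what access to which
# resource, and when that access expires (None = no expiry was ever set).
ACCESS_REGISTER = [
    {"who": "alice", "role": "it-security", "resource": "server-cabinet-key", "level": "physical", "expires": None},
    {"who": "alice", "role": "it-security", "resource": "telecom-room", "level": "physical", "expires": None},
    {"who": "bob", "role": "office-manager", "resource": "user-admin", "level": "write", "expires": "2023-01-15"},
    {"who": "bob", "role": "office-manager", "resource": "hr-folder", "level": "read", "expires": None},
    {"who": "carol", "role": "hr", "resource": "hr-folder", "level": "write", "expires": None},
]

# Constructed policy: which functional roles are allowed on each resource.
ALLOWED_ROLES = {
    "server-cabinet-key": {"it-security"},
    "telecom-room": {"it-security"},
    "user-admin": {"it-security", "office-manager"},
    "hr-folder": {"hr"},
    "compliance-folder": {"compliance", "management"},
}


def review_access(register, allowed_roles, today_iso):
    """Review the register as an auditor would and return a list of findings.

    Flags: access past its expiry that was never revoked, access held by
    someone whose role is not allowed on that resource, and resources with
    only one unexpired holder (a single point of failure)."""
    today = date.fromisoformat(today_iso)
    findings = []
    holders = {}  # resource -> set of people with unexpired access
    for row in register:
        if row["expires"] is not None and date.fromisoformat(row["expires"]) < today:
            findings.append(f"EXPIRED: {row['who']} still listed on {row['resource']} (expired {row['expires']})")
            continue  # expired access must not count as a current holder
        allowed = allowed_roles.get(row["resource"])
        if allowed is not None and row["role"] not in allowed:
            findings.append(f"OUT-OF-ROLE: {row['who']} ({row['role']}) has {row['level']} on {row['resource']}")
        holders.setdefault(row["resource"], set()).add(row["who"])
    for resource, people in holders.items():
        if len(people) < 2:
            findings.append(f"SINGLE-POINT-OF-FAILURE: only {next(iter(people))} holds access to {resource}")
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_REGISTER, ALLOWED_ROLES, "2024-06-01"):
        print(finding)
```

Run against a register exported from your badge system or directory, the findings list is exactly what an auditor will ask you to explain or remediate.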
The main point to take away from this is that cyberattacks are not the only threat to your data. You need to know who has the keys to your castle and how many keys they have in their pockets. You can always reach out to us for assistance with setting this up and performing a basic assessment to see whether you would pass or fail a real audit.