Physical Security
Next comes the importance of physical security. Does an organization allow anyone to come and go freely in its buildings? University buildings, for example, typically allow anyone to enter and exit during office hours, and there have been several reports of panhandlers walking into university buildings during those hours to steal food and lightweight equipment. In those cases, security wasn’t very tight.
Buildings also need protection from vehicle-borne attacks, which can be handled by installing barriers, placing guards at the entrance, and so on. Contractors, or people claiming to be contractors, can be a threat when they drive a large truck loaded with explosives into the office facility, as happened in the bombing of Oklahoma City’s Alfred P. Murrah Federal Building in 1995. Video surveillance cameras, recorders, and turnstiles or revolving doors help slow foot traffic and prevent piggybacking (tailgating through a door on someone else’s badge). Advanced controls using biometric equipment provide extra security. Data rooms should have doors that lock automatically and emergency lighting that comes on during power failures.
If an organization has an office in a state like California, where there is a greater threat of earthquakes, floods, and heavy rains, proper physical safeguards need to be in place to ensure the safety of personnel, assets, data, other equipment, and the office building itself. The design of physical security also needs to anticipate events that arrive without warning, such as the COVID-19 pandemic: teleworking and virtual offices over VPN will be the norm sooner or later, and in those cases proper digital or physical signatures are necessary for the safety of both the employees and the organization.
Users are the most common point of failure in security. It doesn’t matter how much cybersecurity an organization implements or how smart its programs are if the users aren’t vigilant. This is the basic reason why the first line of defense is always YOU.
It is important that you keep your eyes open at all times so that you know what is happening around you, and that you report any suspicious activity. This is known as the “if you see something, say something” rule. When an organization employs a person and grants that person access, it assumes the employee is honest and will follow the mutually agreed-upon rules, including the rules they read and sign in the NDA. Employees, contractors, and vendors entering the facility have to apply due diligence: do not let anyone piggyback through a door behind you, and do not allow misuse of resources and assets.
Everyone has a role to play in security, although the CEO, the chief security officer, and the information security officers often get the blame when something goes wrong. Each of us is an equal stakeholder, and we need to practice, advise, and learn every day about unexpected attacks and contribute to protecting the organization. A useful way to frame this: objects and assets (the what) carry permissions, and users (the who) hold rights; both describe the how. Designing a secure environment means deciding what permissions each asset or object exposes, and what rights a user must hold before accessing a resource, IT or otherwise.
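The what/who/how framing above can be made concrete with a small access decision model. The following is an added illustration, not code from the original text: assets carry a permissions table (which roles may perform which action on them), users carry rights (badge roles, an active flag, and a training deadline, which is a hypothetical policy field chosen here to show how access can be revoked for lapsed training). The decision is default-deny and returns a reason so it can be written to the access log. All role names, badge IDs, and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    """An object/asset (the 'what'). Its permissions say which roles may
    perform which actions on it (the 'how' on the object side)."""
    name: str
    permissions: dict  # action -> frozenset of roles allowed to perform it


@dataclass
class User:
    """A user (the 'who'). Rights are what the person holds: roles on the
    badge, an active flag, and a training deadline (hypothetical policy field)."""
    badge_id: str
    roles: frozenset
    training_valid_until: date
    active: bool = True


def check_access(user, asset, action, today):
    """Default-deny decision: every check must pass. The reason is returned
    alongside the verdict so both can be recorded in the access log."""
    if not user.active:
        return False, "badge deactivated"
    if today > user.training_valid_until:
        return False, "security training lapsed"
    allowed_roles = asset.permissions.get(action, frozenset())
    if not (user.roles & allowed_roles):
        return False, f"no role permits '{action}' on {asset.name}"
    return True, "granted"


def revoke_lapsed_training(users, today):
    """Deactivate badges of users whose training has lapsed and return the
    affected badge IDs, so the same rule is enforced for building access."""
    revoked = []
    for user in users:
        if user.active and today > user.training_valid_until:
            user.active = False
            revoked.append(user.badge_id)
    return revoked


# Constructed sample data (not from the page).
TODAY = date(2025, 3, 1)
DATA_ROOM = Asset("data room", {
    "enter": frozenset({"sysadmin", "facilities"}),
    "open rack": frozenset({"sysadmin"}),
})
LOBBY = Asset("lobby", {
    "enter": frozenset({"employee", "contractor", "sysadmin", "facilities"}),
})
ALICE = User("B-1001", frozenset({"employee", "sysadmin"}), date(2025, 12, 31))
BOB = User("B-1002", frozenset({"contractor"}), date(2025, 6, 30))
CAROL = User("B-1003", frozenset({"employee", "facilities"}), date(2024, 1, 31))


def demo(today=TODAY):
    """Evaluate every sample user against every sample door/action and
    return the decisions keyed by (badge, asset, action)."""
    results = {}
    for user in (ALICE, BOB, CAROL):
        for asset, action in ((LOBBY, "enter"), (DATA_ROOM, "enter"), (DATA_ROOM, "open rack")):
            results[(user.badge_id, asset.name, action)] = check_access(user, asset, action, today)
    return results


if __name__ == "__main__":
    for key, (ok, why) in demo().items():
        print(key, "ALLOW" if ok else "DENY", "-", why)
    print("revoked:", revoke_lapsed_training([ALICE, BOB, CAROL], TODAY))
```

Note the order of checks: the user's own rights (active badge, current training) are tested before the asset's permission table is consulted, so a revoked or lapsed badge is refused everywhere, including doors whose permissions would otherwise admit that role. That is the point of keeping rights on the user and permissions on the object as separate things.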
No matter how hard a corporation tries to help with security, users have limited memory and can retain only a few things permanently. Therefore it is very important to train employees regularly about security, including active shooters, terrorist attacks, natural disasters, and fire drills. Training helps people remember what they’ve learned when an incident actually happens. Training should also be backed by strict rules, and it is important to remove both computer and building access from employees who do not comply with the training and retraining policy.