A common misconception is that an employee would know if a criminal just walked into an organization. Certainly it’s true that it may be easy to tell who is up to no good when they enter a room. But other times, it’s impossible. Criminals can really be sneaky, and they often commit crimes right under the noses of employees. By the time anyone knows what happened, the thief is out the door with whatever he or she came for and likely more.
With all the focus on cybersecurity and the technology to be put into place to mitigate that risk, we often forget that physical security is still important. While certainly it is “all the rage” for criminals to conduct long-distance attacks these days, the old way of walking right in and back out with information still exists and is still quite successful. Perhaps we just don’t hear about it as much anymore because it’s just not what the “cool kids” do. But it’s still important to have physical security procedures in place and to make sure that everyone follows them.
As part of these procedures, it’s important to maintain a “clean desk.” Ok, some people prefer organized chaos, but in most cases it’s recommended to keep the chaos that could result in information theft tucked away somewhere. This means maintaining the expectation that employees, whenever possible, are required to secure “Confidential” and “Restricted” documents by keeping their desk areas cleared of items that may be considered a risk for theft by an information thief. This means locking such sensitive documents in secure, designated areas whenever they are away from their desk areas.
This sounds simple, but it can be something that is taken for granted in an office environment. Think about how routine our days can be sometimes. We forget that there may be people who don’t work there roaming about from time to time who may be able to view or take papers off a desk or remember passwords they may see adhered to computer monitors or keyboards or pinned to the cubicle walls.
It only takes a few brief seconds while you’re having water cooler talk for someone to swipe information. Remember how many times you intend to just grab a cup of coffee and 20 minutes later, you’re finally back at your desk. A lot can happen in that short time if you leave information out in the open. “Maintenance workers” walk by to just check on the thermostat. “Pest control” people roam about looking for critters or perhaps an “interviewee” is just passing by your desk. All these people could be imposters out to grab documents and information.
Just taking some time to follow the few steps below can significantly reduce your risk of becoming a victim of a physical security attack:
- Ask all visitors for identification and log it. Write down the entry and exit times, find out where they’re from and what they are supposed to be doing there. The more you know about a person, the less likely they will commit a crime of opportunity.
- If you see someone unfamiliar in the area, ask questions. Find out who they are and what they are supposed to be doing.
- Ensure visitors are escorted at all times. Most of the time, a criminal is only successful when they are left unattended. Sometimes it only takes seconds for damage to be done. Maintain visual contact at all times. Don’t get distracted by a phone call or by checking email on your mobile phone while waiting on the visitor to perform his or her service. An experienced thief will try many ways to distract you.
- Never provide access to any area of a facility based solely on an email message. It’s not difficult to create messages that appear to be legitimate. If you receive such a request in email, place a phone call or pay a personal visit to the person requesting the visitor’s service to confirm before allowing access to any part of the office. Just don’t leave the visitor unattended while you’re finding out.
- Don’t assume that anyone showing up to provide some type of service was really requested. Find out who requested they be there and confirm with that person before allowing access.
- Don’t give visitors access to areas they don’t need to be in. Don’t provide them with keys or access cards that will allow them to get into areas outside where they need to work.
- Be aware of where visitors may be within hearing distance when having confidential conversations. If they are in the area for an extended period of time, have these conversations or meetings in a separate room or area.
- Remember that leaving documents on the printer is a risk. If you print something, immediately get it. Unattended papers on the printer are easy targets for a criminal just passing by.
- Be sure to secure your facility keys and/or access cards. Don’t leave them on your desk unattended.
- Remember not to write down passwords and store them in your work area. Not even the underside of your keyboard should be considered a secure place for these.
- Shred everything that even nominally may be considered sensitive. If you don’t have a shredder nearby, lock the documents in a bin for a shredding company to get them. Don’t leave them in an unsecured box overnight. Remember that the recycle bin is not a shred bin or secure bin.
- Lastly, think like a criminal before leaving your desk area. Look around to assess what may be a risk for theft and secure it before stepping away.
There really is no standard profile for what a cybercriminal looks like. In many cases, they may be charming, funny, good-looking, short, tall. They may look happy, sad, disgruntled, frustrated, dress sloppily or dapper. One who is experienced in cyber theft knows how to gain trust and manipulate someone in an organization. That is all it will take for them to be successful. Don’t discriminate based on looks or behavior. Treat all visitors the same and you will help keep your organization’s risks lower.