GUEST ESSAY: As cyber risks rise in 2020, as they surely will, dont overlook physical security

Physical security is the protection of personnel and IT infrastructure (such as hardware, software, and data) from physical actions and events that could cause severe damage to an organization. This includes protection from natural disasters, theft, vandalism, and terrorism.

Related: Good to know about IoT

Physical security is often a second thought when it comes to information security. Despite this, physical security must be implemented correctly to prevent attackers from gaining physical access and taking whatever they desire.

This could include expensive hardware, or access to sensitive user and/or enterprise security information. All the encryption, firewalls, cryptography, SCADA systems, and other IT security measures would be useless if that were to occur.

Traditional examples of physical security include junction boxes, feeder pillars, and CCTV security cameras. But the challenges of implementing physical security are much more problematic than they were previously. Laptops, USB drives, and smartphones can all store sensitive data that can be stolen or lost. Organizations have the daunting task of trying to safeguard data and equipment that may contain sensitive information about users.

Companies could face civil or criminal penalties for negligence for not using proper security controls, especially in light of the new General Data Protection Regulation (GDPR). The internet of things (IoT) is widening the sphere of physical security as smart devices connected to business systems via the internet may be located outside of established secure perimeters.

Muthukrishnan

Access control, surveillance, and testing are the three major components that comprise the physical security of a system. Access control is the restricting of access to a system. There are several types of access control methods used. Two of the widely used methods are mechanical access control systems and electronic access control systems.

Surveillance includes monitoring and detecting intruders into the network. The list of intruders can be bought to the knowledge of enterprise through notification systems such as an alarm. The third component testing, must be done to check if the measures taken are correct and reliable.

Physical security is undoubtedly as important as cybersecurity. Analysis should be performed to identify the vulnerable parts of the network. The study should include an envelope of crime reports, natural calamities, weather conditions, and the movement of intruders. These analyses are then forwarded to the administrative control, are prioritized, and then preventive measures can be taken.

The next implementation method is to develop countermeasures to avoid loss of assets. Some of the countermeasures that can be considered are CCTV, alarms, firewalls, exterior lighting, fences, and locks. These barriers should be layered together to significantly reduce the probability of an intruder physically entering the system.

For small scale enterprises, the data center is the most critical part of their IT infrastructure; therefore, guarding and monitoring that space is very crucial. Certain pre-emptive measures should be taken into considerations to provide security to the data. One such measure is to authenticate the users who can access the server. Physical security gates may also help ensure access is only granted to those with sufficient privileges.

Related: The case for quantifying cyber risks

The most important factor that should be taken into account is a security risk assessment. If risks are not properly assessed, providing security becomes tedious. Once a criterion for assessment is formed, a sequence of tests must be done to check the level of security. If the results are not as expected, corrective measures should be performed to ensure that the sufficient security benchmark is reached.

Most organizations tend to focus on more technical aspects of security countermeasures. But remember: all the network intrusion detection systems and firewalls are entirely useless if someone can get to the equipment and steal data or the device.

About the essayist: Vidya Muthukrishnan is an Assistant Professor in the Department of Instrumentation and Control Engineering at the Sri Krishna College of Technology. She has completed her B.Tech Electronics and Instrumentation from SASTRA University and M.Tech in Biomedical Engineering from VIT University Vellore.