You think you’ve done enough to protect your company secrets, as far as technology is concerned? A competent professional designed your intranet system that all your employees use. You know he made the system secure, and each individual employee can only use the part of the system you want him or her to. A professional designed your business website, and any parts that need to be secure are encrypted. All of your employees have been taught how to safely pick passwords and not to share them with any other employees, or even their family members. Each employee who uses a password has to change his password once a month for the sake of security. How much thought, however, have you given to the physical security of your business’s technology?
Many organizations do not consider the physical security of their technology to be crucial. In one example, a few years ago a New York investment house spent tens of thousands of dollars on computer security measures to prevent break-ins during the day. Someone discovered, however, that the cleaning staff for the firm was propping open the doors to the computer room at night while the floor was being mopped. That could have been an open invitation to some thief to come in and steal computers, printers, facsimile machines, telephones, or any number of other items. In another example, a magazine in San Francisco had more than $100,000 worth of computers stolen over a holiday. The incident happened because an employee had used his electronic key card to unlock the building and disarm the alarm system. Once inside, the employee went to the supply closet and removed the paper log from the alarm system’s printer. It was then easy to steal the computers. Could better security measures have prevented the theft?
Many people in business feel that physical security for technology is too complicated or too difficult. Indeed, no amount of physical security could have prevented the collapse of many office buildings after the terrorist attack in the United States on September 11, 2001. There would be no way to shield a company from a nuclear attack, if one were to ever come. While such things are impossible to prevent, some organizations had spent money before September 11, 2001, to build and maintain redundant off-site mirror facilities, to maintain business in case a catastrophe ever happened. Those companies that had records in other places, rather than onsite only, were far ahead of those companies that did not.
A security plan that might work for one company might not for another, because each company is different. For that reason, anything stated in an article on physical security for business technology must be broadly stated and general. Nevertheless, an article can be a starting point and can present a list of issues to consider.
A company should have a written physical security plan for its technology, and ideally, the plan should be a part of a written security policy. The policy should be reviewed by a variety of people and should be approved by an organization’s senior management.
The physical security plan should include: descriptions of the physical assets that your company is protecting; descriptions of the physical areas where the assets are located; a description of the security perimeter, or the boundary between the rest of the world and the secured area, and any holes in the perimeter; the threats you want to protect against (attacks, accidents, or natural disasters) and their likelihood; your security defenses and ways of improving them; the estimated cost of specific improvements; and the value of the information you are protecting.
You should take great care in formulating the plan, particularly if you are managing an especially critical installation. Have your plan reviewed by an outside firm that specializes in disaster recovery planning and risk assessment.
You may think a detailed security plan may not be necessary for smaller businesses, some educational institutions, and a home system. Just knowing the threats you might face and the measures you will use to protect against them will serve you well in knowing how to provide the best physical security for your technology.
For example, if fire is a possibility, you might want to buy a fireproof safe for backups, and that can cost as little as $200. You could also contract with an offsite backup provider, which can cost about $20 a month per computer. A lock for a computer can cost $30, and that might be a good investment if theft is a possibility. If you back up your server but not your personal computers, you might want to make sure people in the organization know that, so they can back up to the file server, not to their personal computers.
You may not see the need for some of these physical security measures for your technology. Ask yourself, however, if anybody other than you has physical access to your computers. What would happen if that person damaged your computers? What would happen if someone who works for your biggest competitor came into your workplace unnoticed? If there were a fire in your building, and the computers were unusable, would the inability to access the systems destroy or cripple your company? If some disaster affected your system, how would you face your angry customers?
You should also have a disaster recovery plan, which is a plan for immediately securing temporary computer equipment and loading backups onto new systems in case your computer or computers are ever stolen or damaged.
For the disaster recovery plan, know how to rapidly acquire new equipment in the event of theft, fire, or equipment failure. Test the plan by renting or borrowing a computer system and trying to restore your backups.
Other things you might want to prepare for are the loss of phone service or network connections, whether you can move to another hardware or software system if your vendor goes out of business or makes undesirable changes, significant absenteeism of your staff, or the death or incapacitation of key personnel.
You should have all your records backed up in some manner. If your computers were stolen or destroyed, there might be no way to recover your critical records otherwise.
You should also have equipment to protect your computers against unexpected power surges. Computers have been destroyed when a vacuum cleaner was plugged into the same outlet as the computers.
You should have a fire extinguisher close to your computers. Computers often don’t survive a fire, but even when they do, they are often destroyed by the water used to fight the fire.
You should also protect your computers against smoke. Smoke is very damaging to computers. Smoking should not be permitted around computers. Smoke detectors should be in every room with computer or terminal equipment. If your business has a raised floor, place smoke detectors underneath the floor also. If suspended ceilings are present, place smoke detectors above the ceiling tiles.
You should also keep your computer room as dust free as possible and replace or clean your air filters regularly. Get a vacuum for your computers and vacuum behind your computers and your keyboards. Your vacuum cleaner should have a microfilter to keep dust from being blown back into your computer. Dust control is important because dust is abrasive and will slowly destroy the recording head and the media.
There are other physical security issues for your technology that could be considered, even if damage to your equipment from them might seem less likely. For example, to protect your computers against earthquakes, avoid placing computers on high surfaces, such as on top of a file cabinet. Don’t place heavy objects on bookcases or shelves near computers in such a way that they could fall on a computer during an earthquake. Consider physically attaching the computer to the surface on which it is resting with bolts, tie-downs, straps or other implements. This can also help prevent theft. In case of an explosion, keep your backups offsite or in blast-proof vaults and keep computers away from windows.
This article has not covered every issue concerning the physical security of technology in business. Hopefully, however, it has provided a starting place for you to think about the issue for your own business.