(Post 2 of the Small Business Threats blog series)
When thinking of cybersecurity, it is understandably easy to assume that protective measures are largely technology-focused. After all, many cybersecurity start-ups exist offering various forms of tech intended to help you protect your network. There are firewalls, network monitoring devices, and numerous types of security software. When was the last time you saw an ad for cybesecurity protections that weren’t tech-related? It makes sense to think that it takes technology to protect technology. But that line of thinking is only partly correct.
Yes, there are some essential technologies that are needed to protect your computers, servers, printers, smart devices, and anything else you might have on your network. Without these, all of your devices and the information they hold stand completely defenseless against malware, hackers, and curious techies who would find your exposed devices online. But technological protections are only a third of the equation.
Three types of security controls
Security standards and frameworks used in government, healthcare, the payment card industry, and even the financial sector all prescribe three different categories of security controls to protect information and technology. The first is something everyone these days already seems to be familiar with, technology. The other two might be less obvious, administrative controls (also called operational controls) and physical controls.
Technical safeguards are somewhat self-explanatory. This category of protective measures consists of software and hardware tech designed to provide some sort of security. They consist of everything from setting up non-administrative user accounts to expensive and complex network intrusion detection equipment.
Administrative or operational controls can be thought of as how an organization does business. These are policies, procedures, and standards that are put into place to govern and direct how technology is to be implemented and used.
The final category of controls is what I would like to focus on in this article. These are the physical security controls. This type of controls address the physical security of information and IT assets.
Physical security of technology involves measures to protect against physical threats. These are things like physical damage, theft, and unauthorized physical access. The National Institute of Standards and Technology (NIST) classifies physical threats as being either human, environmental, or natural.
1. Human threats
People are often found to be the primary focus of cybersecurity. The majority of the recommended security controls of all types are designed to stop people or something made by people from causing harm. In terms of physical security, protective measures address two specific types of physical human threats:
- Intentional – These threats consist of people who would intentionally, physically access, steal, or damage systems.
- Unintentional – These threats can be chalked up to carelessness and accidents that cause damage or loss of a resource
Something that many people understand about IT devices is that they don’t work well when exposed to extreme temperatures. If they are too hot or too cold, components inside of these devices start failing and can result in damage to the system and a loss of the resource. Other factors that can negatively affect IT and cause failures are humidity and dirt (particulates in the air). Too much or too little humidity are both bad things for IT. To much dirt can collect inside of devices, clogging up airways needed for proper cooling or causing electrical malfunctions.
Natural threats to IT are often things that we cannot control. They are things like earthquakes, floods, and tornadoes. This type of physical threats also include fires. Natural threats can cause great destruction and there is virtually nothing you can do to predict when they will happen or to prevent them from occurring.
Mitigating Physical Threats
In some cases, it is possible to implement protective measures that can serve to prevent physical loss. These are measures like strong doors and locks, security alarms in areas where IT is stored, security cameras, security lighting, security guards, and so on.
In terms of cybersecurity, fire suppression is also considered a security measure. So is the physical construction of buildings. Facilities designed to withstand disasters such as fire, earthquakes, and floods serve to also protect the technology they house. Air filtration and HVAC systems serve to keep the environment in optimal condition to keep technology running happily.
Cybersecurity Protects the Whole Business
By this point, you might be thinking to yourself that threats to IT assets sound an awful lot like threats to your business as a whole. You’re probably also thinking that the measures prescribed to protect IT assets are the same ones used to protect the organization in other ways. This is absolutely true.
In fact, the recommended physical security controls for cybersecurity serve several functions, depending on the perspective you have when looking at them. From the lens of protecting IT assets, they are prescribed with only that in mind, but they do so much more.
If you are setting up shop in a new facility, or maybe you’re fortunate enough to be building a whole new shop, take a look at physical security recommendations for cybersecurity before you sign that lease or break ground. Does the building you’re considering have design features that would contribute to good security? What type of fire protection does it have? Does it offer control over the temperature, humidity, and air filtration?
If you are working from home, already have a facility that you own or rent, or possibly work out of a van, consider evaluating what you can do to improve the physical security of the IT you depend on. Preventing theft and damage of your IT assets gives the added benefit of preventing the loss of your non-IT assets too.