Monday, November 27, 2017

Combine Cybersecurity With These Four Physical Security Tips

Office worker searching confidential information
Earlier this year, the ransomware virus Wanna Cry encrypted more than 200,000 computers across the world. The Equifax data breach put 145.5 million Americans’ personal information at risk because an employee failed to apply a security patch. With high-profile incidents such as these, it’s easy to see why cybersecurity spends so much time in the headlines. While cybersecurity is important to protect your organization against a data breach, make sure you don’t overlook physical security — specifically key control. Follow these four tips to increase physical protection for your data.

Secure Keys to Areas Where Sensitive Data Is Stored


The Federal Trade Commission (FTC) recommends combining cybersecurity best practices with physical security guidelines, which are essential to protect against insider threats and social engineering. According to the FTC, you should store devices and documents containing personally identifiable information (PII) in a locked file cabinet or room, and use access controls for on-site data centers.

If you keep keys in a desk drawer or on a pegboard, however, that’s not enough to deter someone from gaining unauthorized access to files or devices. Storing keys in a tamper-proof electronic key control system rather than in an easily accessible area reduces your risk of a security breach.

Set up Access Levels


The FTC says to limit cabinet or room key access to employees with a legitimate business need. Employees should return keys as soon as they’re done with them.

Storing keys in an electronic key control system allows you to enforce these guidelines by setting up user profiles for various job functions and access privileges. If someone needs a key, they can only access the system if they’re authorized to do so.

Automate the Audit Trail


To improve employee accountability, it’s best to minimize the level of human involvement in your key control procedures. For example, say that your HR manager is in charge of issuing keys to locked filing cabinets containing confidential employee records. The manager maintains a spreadsheet of who has been issued keys and when, but there are a few problems with this method:

  • Someone has to remember to update the log.
  • It’s easy to manipulate data.
  • If a single person is managing multiple keys, they have to manually review the spreadsheet to determine if all keys have been returned on time.
  • It relies on a person’s trustworthiness and sound judgment. Someone could issue a key to an unauthorized user or use the key themselves for unauthorized purposes.

The benefit of using an electronic key control system is that it will automatically record data for each system transaction. If a key isn’t returned on time, the system will automatically send a text or email alert to the system administrator or sound an alarm. Additionally, the automatic audit trail gives you a reliable source for investigating the incident, and the accuracy of the data is less likely to be called in to question.

Be Cautious When Giving Vendors Keys


If it’s necessary to check out keys to a contractor or vendor, inspect their driver’s license to verify their identity. After checking out the key(s), print a copy of the key receipt and have each party sign. Ensure that the key grants the vendor access only to the areas they need to perform their job. You can also put a time limit on the transaction so you’ll be notified if the vendor has key for longer than they should.

Protecting your data requires a strong focus on cybersecurity, but you can’t afford to neglect security. For more tips, check our post “The Four Layers of Physical Security.”

No comments:

Post a Comment