Secure Keys to Areas Where Sensitive Data Is Stored
The Federal Trade Commission (FTC) recommends combining cybersecurity best practices with physical security guidelines, which are essential to protect against insider threats and social engineering. According to the FTC, you should store devices and documents containing personally identifiable information (PII) in a locked file cabinet or room, and use access controls for on-site data centers.
If you keep keys in a desk drawer or on a pegboard, however, that’s not enough to deter someone from gaining unauthorized access to files or devices. Storing keys in a tamper-proof electronic key control system rather than in an easily accessible area reduces your risk of a security breach.
Set up Access Levels
The FTC says to limit cabinet or room key access to employees with a legitimate business need. Employees should return keys as soon as they’re done with them. Storing keys in an electronic key control system allows you to enforce these guidelines by setting up user profiles for various job functions and access privileges. If someone needs a key, they can only access the system if they’re authorized to do so.
If it’s necessary to check out keys to a contractor or vendor, inspect their driver’s license to verify their identity. After checking out the key(s), print a copy of the key receipt and have each party sign. Ensure that the key grants the vendor access only to the areas they need to perform their job. You can also put a time limit on the transaction so you’ll be notified if the vendor has key for longer than they should.
Automate the Audit Trail
To improve employee accountability, it’s best to minimize the level of human involvement in your key control procedures. For example, say your HR manager is in charge of issuing keys to locked filing cabinets containing confidential employee records. The manager maintains a spreadsheet of who has been issued keys and when, but there are a few problems with this method:
- Someone has to remember to update the log.
- It’s easy to manipulate data.
- If a single person is managing multiple keys, they have to manually review the spreadsheet to determine if all keys have been returned on time.
- It relies on a person’s trustworthiness and sound judgment. Someone could issue a key to an unauthorized user or use the key themselves for unauthorized purposes.
The benefit of using an electronic key control system is that it will automatically record data for each system transaction. If a key isn’t returned on time, the system will automatically send a text or email alert to the system administrator or sound an alarm. Additionally, the automatic audit trail gives you a reliable source for investigating the incident, and the accuracy of the data is less likely to be called in to question.
A Stanford University professor found that 85% of data breaches are caused by human error. Securing keys, setting up access levels, and automating the audit trail can all reduce human error, but it's just as important to train employees. That includes educating them on security best practices, such as:
- Familiarize yourself with company security policies.
- Avoid sharing credentials.
- Keep an eye on company devices when traveling.
- Don't lend business keys to someone. Everyone should follow the appropriate key checkout process.
- Return shared keys, devices, or files to the appropriate location as soon as you're done using them.
- Avoid letting someone tailgate into a company facility.
- Carefully evaluate all links before clicking them.
- Immediately report any suspicious activity or behavior you observe.
By investing in training, you'll reduce the likelihood of a security breach. After all, employees are the backbone of your security plan.
Remember: Protecting your data requires a strong focus on cybersecurity, but you can’t afford to neglect physical security. Don't be one of the 57% who does nothing in the face of rising security threats.