Physical Security
Understanding as many of the physical aspects of information handling within your business as possible is important when assessing security and developing policy.
Many information security experts neglect physical security or take it for granted. This defies common sense. You can lock down every user account and process, run antivirus, intrusion prevention, firewall and antispyware software on your server, but if someone can walk into your business, pick it up and leave, then how secure is it?
Every business should have good locks and security doors. The number of keys that are floating around should be limited. Identity-based access control is better, but it can be pricey. And there is no excuse for not having security cameras and a monitoring system. Why do so many small businesses wait until they are robbed before they install an alarm system?
Physical security should also take into account how people work. When a client calls in an order, do your employees write it down on a piece of paper? Does that include credit card information? How about client records or patient charts? Are they stored in an unlocked filing cabinet in a common area? Do employees ever take these records home to work on them?
Here's an example. I conducted a security audit at a small financial firm a few years ago. I tested this and scanned that. And then I asked them about how they work. There was one employee who didn't like to read reports on his monitor. So he printed everything out and read it. But that was OK because they shredded everything.
Or was it? I walked over to the shredder. It turns out that if you print a spreadsheet in landscape and then shred it, you end up with nice little strips of paper, each one containing roughly a row of the spreadsheet. We went out and bought a cross-cut shredder that afternoon.
Don't overlook physical security. You might end up getting (a paper) cut.