It might seem odd for cyber security specialists to be talking about physical security issues, but the reality is that the physical security of a business does have an impact on your approach to cyber security.
As part of our risk profiling service, we will ask you about how well your business premises are physically protected and what measures you have in place. Do you have CCTV installed? Can you gain access to the building without a code or key card? Do you have to be buzzed in or are the front doors wide open? All of these things matter when it comes to keeping your digital data safe, particularly in larger businesses. But why?
How Does Physical Security Impact Cyber-Security?
Despite feeling like they are in different worlds a lot of the time, your digital data has to live somewhere in the real world. Even if you utilise cloud-based platforms to run back-ups and provide a degree of separation or protection, your digital data is still sitting on a real-world server somewhere. That means that it is susceptible to all of the same problems that physical assets are within your business. It could be destroyed in a fire, corrupted in a flood or simply picked up and taken away. So despite feeling very separate, physical and cyber security are intimately linked. It’s something a lot of business owners don’t really think about, which is the very reason why it has such a big impact. If you don’t know to protect against it, it’s easy for cyber-criminals to capitalise on.
Physical Gaps Cause Real World Breaches
Many people have this idea in their head of a cyber-criminal as a shadowy man hiding in a bedroom tapping away on a keyboard, screen full of code. Sometimes they’re even wearing a balaclava - just search Google Images for ‘cyber-criminal’ to see what we mean! But in reality, cyber-criminals can operate from anywhere in the world, at any time. Even from inside your own building. Let us give you an example.
Imagine a tall office building in London, no different from all the others around it, except this one has the name of a well-known bank on its doors and burly men in suits standing guard. A man approaches the doors on Friday afternoon, dressed in a Dominos delivery uniform and holding a pile of pizza boxes. ‘Pizza delivery for floor 9’ he says to the guards, who look him up and down and then buzz him in. The man walks confidently through the building, but instead of heading up to floor 9, he slips into a deserted office.
He puts the top 4 boxes (which are full of pizza) on the table and opens up the fifth box. Inside there is no pizza, but instead a handful of USB drives and a device called a ‘drop box’, which is designed to continuously call his computer at home. Within 5 minutes, he has plugged the drop box into a meeting room LAN port and dropped a few of the USB drives in various places on his way out of the building. By the time he gets back to his headquarters he finds someone has been unable to resist the temptation of a mystery stick, and he has gained access to the network. From there he is able to dump the victim’s credentials and hack into one of the bank’s databases, where he can see (and steal) thousands of customer files. All of this, from approach to theft, has taken 20 minutes.
Now, you might think this is a bit fanciful, but it actually happened. The attacker was what we call a ‘white hat hacker’, who was employed by the bank to find holes in their cyber defences and advise them how to fix them. He had watched the building every day for a month, and noticed that floor 9 always ordered pizza on a Friday afternoon. All he had to do was get hold of a uniform (borrowed from a friend), order some pizza of his own and walk right in with his gear. He didn’t actually steal anything; instead he just left a series of messages within the system. He then took the lift up to the CEO and explained what he had done, proving it with his hidden messages. When he was asked ‘how did you do it?’ his reply was simple: ‘no-one questions the pizza guy’.
This little exercise highlights just how important it is to take your business’s physical security into account when planning out your cyber security. You can have the best firewalls in the world, but if someone could just walk in and take your hard drives, it won’t make a difference.