NEWS ANALYSIS: There are events in today’s society that you simply can’t control or prevent, no matter how much you try. But it is possible to help convince the bad guys to go elsewhere
“I don’t have to run faster than the bear,” one hunter said to another after spotting the animal in the woods, “I just have to run faster than you.”
Yes, I know it’s an old joke that you’ve heard enough times that I don’t really need to quote anything except the punch line. But the fact is, this old joke is also an important lesson about your physical and data security. You don’t have to be perfect; you just have to be better than most others.
The idea of having security that’s good enough to convince the bad guys to look elsewhere is important in terms of data security and physical security. The idea of having good security is more than just putting a lock on the door and an antivirus package on your computer. First, you need to think about the risks your organization is most likely to face, the resources you’re likely to have on hand to deal with the risk and then work from there.
When I write about physical security, no doubt your thoughts immediately turn to a county office building and a conference room full of public employees celebrating a seasonal holiday in California, but in reality, this isn’t the kind threat you can focus on because it is so unpredictable and so inexplicable that it is extremely hard for any organization to defend against.
Instead, you need to consider several types of threats that could impact your security on a more predictable basis, since those are far more likely than the random terrorists, despite how deadly that type of attack may be.
The threats that are more likely to affect you on a day-to-day basis are from other sources. For example, you’re far more likely to be impacted by what’s considered petty theft in most scenarios. This might be the thief who strolls into your conference room while everyone is on lunch break and steals their laptops.
In a retail setting, it might be low-level organized crime, such as a group of a half-dozen thugs who storm your store as a mob and steal everything in sight before running out again. Or it might be the credit card thief who enters your office through an unlocked door and takes a server while the cleaning crew is on another floor.
The challenge for your business is determining what the threats actually are. It’s not a huge leap to figure out that unguarded laptops are ripe for stealing. But what about that server sitting on a table in an office or in a closet down the hall?
While you know about hackers breaking into your network from some foreign country, what about someone sitting in your reception area who has quietly plugged into an Ethernet port there? Or perhaps that person in your reception area is running a man-in-the middle attack on your WiFi router?
But the threats to your organization go beyond the obvious. Ask yourself who would benefit if your company was hampered because someone stole that server from the closet down the hall? How would you prevent a former employee from connecting to your network and downloading your trade secrets?
Less obvious, but perhaps more likely are threats that have little to do with your company’s business. For example, if you have a company with 50 knowledge workers in the office, that’s 50 workers, each with a computer, perhaps two.
That’s a tempting target for someone who might park their van outside a side door and send an accomplice in to steal every computer in sight. It won’t matter that your critical company information is on those computers because they’re not after that. The thieves just want to sell the hardware for a quick fix.
The answer to these concerns is what security experts call “security in depth,” or “defense in depth.” Here’s an example of how that may work, according to one of the top physical security experts in the United States (who unfortunately can’t be quoted). Let’s say you have that server in a room down the hall that I mentioned previously. And let’s assume you have a side door or a loading dock for deliveries.
First, you put a solid door on the room that holds the server. Then you install a lock on the door that requires a pass code to enter. You also include an alarm that sounds if the door is opened without the pass code. That alarm also sounds if someone enters the wrong code more than twice.
Meanwhile, the side door or the door to the loading dock are also equipped with secure locks and they have alarms that go off if someone forces the door, enters the wrong code, or if the door is propped open longer than a set time. Those alarms connect to your security control center, but if nothing happens, then they automatically roll over to the police department.
Out front you still need to have a sleek, trendy reception area with comfortable chairs and a receptionist. The receptionist isn’t an entry-level employee trained to smile, but rather an armed security guard who controls the locks in doors that lead farther into the building, and yes, those doors are also alarmed. Unless someone shows the right ID, or gets past the badge reader, they can’t go in.
Here is the basic idea: While you can’t prevent someone who is truly determined from entering, what you can do is make it inconvenient. If they decide to break into your building anyway, it will take them long enough that the local law enforcement agencies can be summoned. Meanwhile, most normal criminals will go to the office down the street that didn’t take such precautions.
Here’s what you don’t do: You don’t replace the receptionist/security guard with a phone on the desk where someone can just be buzzed in. You don’t put a phone near the loading dock or the side door, either. If people who want in can’t satisfy the security requirements, then they don’t get in.
It pains me to say this, but a locked door and a security guard might well have prevented or discouraged the most recent terrorist attacks, and they certainly would have discouraged or prevented any number of low-level thefts that happen in every big city office building almost all the time. Yes, it’s sad to wish ill on your neighbors, but it’s also important to keep bad things from happening to yourself.
Originally published on eWeek.