Only 49% of U.S. Businesses Have a Plan to Address Security Threats
Despite Identified Threats, Less Than Half of U.S. Businesses Have a Plan to Address Visitor and Insider Security Threats
As recently as 2000, the mention of security in the business, healthcare and college campus realms conjured images of alarm systems, badge readers and locked doors. Today, logical security in these settings is the rule of thumb, meaning threat management, breach detection, intrusion prevention, visitor management and employee safety. Americans today face threats both nationally and internationally, and logical security has never been more important. Surprisingly, basic point-of-entry and visitor management services are often an afterthought in a facility’s security plan.
In the world of Certified Information Systems Security Professional (CISSP) certification, physical and environmental security has always been among the nine domains. In 2015, however, physical security was combined with another domain, which suggests that its importance is declining among some security experts. In fact, it remains a vital element of a comprehensive security plan, and overlooking its importance is just plain dangerous.
The potential for physical theft in any building is real – most facilities have much to lose, whether the thefts involve information, manuals, phone lists, laptops or other office equipment.
The insider threat is another important area of focus. Without a comprehensive physical security plan with visitor management and employee access systems in place, you could have an employee, vendor or contractor accessing and stealing your information for financial gain. While these types of thefts often involve a systems breach, they can easily involve physical security lapses once theft-minded individuals are granted access to your building.
A study sponsored by PricewaterhouseCoopers, The CERT® Division of the Software Engineering Institute at Carnegie Mellon University and CSO magazine, titled The 2014 U.S. State of Cybercrime Survey, found that only 49 percent of companies have a plan to address and respond to insider security threats, despite the fact that 32 percent of those same companies confirm that crimes perpetrated by insiders are more costly and damaging than those committed by outsiders. When you think about it, it is probably easier for insiders to access your data center and steal a removable hard drive than it is for hackers to break into your servers and steal data.
Physical security that begins in the lobby, combined with an employee access management program, is vital to protecting your valuable data. Many of the key elements of physical security are put in place in order to protect your employees as well.
Taking into consideration the lagging focus on physical security in so many vulnerable businesses and campuses, these are some key exposures in the physical/environmental domain.
The unattended entrance/lobby
There is no reason that anyone should be able to enter a company, hospital or college campus and head straight into the facility unrecorded and unimpeded. Companies with unattended lobbies sometimes rely on a receptionist and a sign-in book to log visitors in, but a single receptionist can be easily distracted. If you have ever walked into a busy office building where the receptionist is busy or distracted by other visitors, you have seen for yourself how easy it would be to enter the facility’s inner offices undetected and even access private offices or an unlocked data center.
A visitor access management system like iVisitor by Veristream offers an affordable, secure answer to lobby security. All visitors are screened through their driver’s license or a business card and, if they pass the established security criteria, are issued a temporary visitor’s badge that can prevent them from accessing specified areas of the company that are off-limits. A locked door between the lobby and building interior makes it impossible for intruders to bypass the visitor management check-in process.
Although they are inexpensive, security cameras provide critical backup for access and visitor control systems. Security cameras can detect possible threats in progress and allow for forensic review of incidents. However, surprisingly few companies use surveillance cameras, and many companies that do install them then ignore them. Cameras should be installed at all entry points to a facility in key areas such as data centers, office areas and utility closets. Videos should be recorded and retained, and a live monitor should be installed on the desk of an active observer.
Any facility that is vulnerable to intruder threats or thefts by visitors or employees must pay attention to logical security and physical security systems for the safety of its employees and its data.