Nonprofit Resources


Physical Security: The Old Man in the Young Man’s Game

In a time when cyber attacks like new ransomware and phishing scams are unleashed almost daily, is physical security still a concern? Although cybersecurity threats are becoming more commonplace, your organization should still consider physical security in conjunction with your cybersecurity controls to minimize the risk of data being stolen or compromised. The most robust cybersecurity measures are useless if a criminal can walk into your office and steal the hardware housing your data. 

Just like its cybersecurity counterpart, a multi-layered approach is best with physical security. For maximum risk mitigation, consider:

  • Access controls
  • Intrusion prevention and detection 
  • Environmental monitoring
  • Policy development
Access Controls 

Baseline physical security for a business should mirror a home. At a minimum this typically starts with a lock and key, the tried and true way to prevent someone from accessing an area. However, there are several inherent concerns with keys when used in a business. 

  • What happens if the keys go missing? What if someone who wants to cause harm to your organization gets them? To ensure access remains restricted, you would need to replace all applicable locks and keys. 
  • How do the keys provide accountability? While keys do provide some layer of control, there is no way to determine who entered a locked room, or when. 

Modern technology has granted us enhanced “locks and keys” to address some of these concerns: access cards and personal identification number (PIN) pads. When an employee leaves your organization or an access card is lost, you can simply remove access within the management console. Similarly, with a PIN pad you can revoke access via that individual’s PIN. 

Access cards and PIN pad systems can also increase visibility and accountability. You can generate reports showing the users, cards, or codes that are enabled as well as activity reports showing use. 

Extend these access control measures to areas where critical data is housed, including on-site locations and off-site facilities such as co-locations or data centers. 

Intrusion Prevention and Detection

Continuing with the home security analogy, the second major physical security control is an alarm to notify you of a break-in. As with a house, you should consider a building-wide alarm for all your organization’s locations to provide peace of mind while you’re away. Many organizations take this a step further and install a separate alarm for the server room and other areas with critical equipment.  

Once the alarms are in place, set up notifications to ensure everyone who needs to know is alerted if there is a potential issue. Establish a process to ensure proper action is taken if someone cannot be reached when the alarm is triggered. A lock and an alarm are only useful if you can quickly identify and respond to a breach.

There’s also a no-cost detection resource available to your organization: your employees. Implement a formal policy that addresses:

  • Who can authorize visitor access
  • Procedures for responding to visitors, including requirements for verification and authorization prior to granting them access to locations or IT assets
  • Who is responsible for reviewing access logs to ensure the activity looks appropriate, spot individuals trying to access restricted areas, and identify access cards or codes that should be disabled 
Environmental Monitoring

Environmental threats are often considered when evaluating physical security controls since natural disasters are just as much cause for concern as human threats. Areas with critical IT equipment should have proper fire suppression systems for electronic assets and be monitored for high temperatures and humidity. 

Just like with an alarm system, proper notification procedures are key. An email notification in the middle of the night will do you no good if your phone is on silent. Ideally, environmental monitoring should be included in the 24/7 monitoring that could reach you at any time. At a minimum, notification to multiple staff members via multiple methods is recommended. Most environmental monitoring systems offer email as well as text message notifications.

Policy and Control Development

Documented policies reduce risk by defining procedures and response actions before an incident occurs. Will employees always lock their workstations if they leave them unattended? Remove the risk by setting conservative inactivity timeout parameters that will automatically lock workstations and servers after 15 minutes of inactivity and require a username and password upon return. 

All staff, including volunteers and contracted employees, with access to secured areas or areas with potential access to confidential information should have signed confidentiality agreements on file. In addition, a clean desk policy can ensure that sensitive information is properly secured when not in use. It can also address how to handle documents after they are no longer needed. Use shred bins that are stored in secure areas or that can be locked, or both.

Many organizations are devoting extensive resources to mitigating cyber threats. While that is vital, especially as cybersecurity threats are becoming increasingly common, it’s important to not overlook physical security. It continues to be an important part of protecting your organization and its electronic assets and data.

Allison Davis Ward

Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.

Leave a Comment