Protecting Sensitive Data with Physical Security
By Rowan Barry
Mar 09, 2016
Towards the end of last year, there was probably nothing more widely covered in the media than the cyber breach suffered by TalkTalk. It struck fear into companies of all sizes, with the realisation that such attacks are not limited to any one type of organisation.
Indeed, any business that uses any form of IT-based or online data storage and management system is exposed to the dangers of hackers, who on a daily basis are discovering new inroads through network security.
How Does Traditional Security Protect Against Cyber Breaches?
You may be wondering what any of this has to do with traditional security, and why, as providers of physical and electronic security, we have brought up the subject of cyber breaches. The reason is this: we believe businesses are paying a much greater level of attention to cyber security in light of the recent media stories. By the same token, they should be paying equal attention to physical security measures, not least because compliance calls for it in many respects.
The Issue of Compliance
As a business, there are numerous measures of compliance that need to be adhered to. One is the Data Protection Act 1998, which is something we have discussed in a previous post. As we mentioned, Principle 7 of the Data Protection Act states that, ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
In other words, protecting data clearly extends beyond network controls to physical security measures.
And then there is the issue of insurance compliance. In both instances there is a need to show you have taken adequate and reasonable steps to protect your data in as many ways as possible.
So what are the traditional security measures it is necessary to follow?
Keys and Codes: When a member of staff leaves, if they have been a key holder then you will need to make sure that the keys are returned and accounted for. Alarm codes should be changed if the leaver knew them, and any security access fobs or cards deactivated. When issuing keys to new personnel, do so with a set of strict rules as to their use and security. This should include all types of keys, for example to drawers, filing cabinets, cupboards, safes and internal doors as well as external doors.
Records Storage and Disposal: Sensitive data that could lead to a cyber breach, such as records containing account details or personal information, must be stored securely. Locked storage rooms with high quality security doors, grilles and window bars, together with restricted access via an access control system and CCTV monitoring, will assist with this. Disposal of records that are no longer needed should be carried out using a secure shredding service via a verified provider.
Computer Equipment: As well as taking steps to secure network-based inroads to your data via firewalls, password management, email encryption and good training, invest in physical steps to secure access to IT equipment. Site equipment out of view, preferably on higher floors or at least in an area with an exterior wall that has no windows or doors. Mark all IT equipment (SmartWater is recommended) and visibly advertise the fact that you have done so.
Your Overall Objectives
Your overall objective is of course to prevent a cyber security breach, but your secondary goal is to be able to demonstrate that you have taken reasonable steps to do so, which is something the Information Commissioner’s Office (ICO) and your insurers will demand to see evidence of in the event of an incident.
When considering your strategy for protecting your business against a cyber attack, always include traditional security measures in your plan. There is more than one way into a network.
For advice on protecting your business against data thieves using traditional security measures, get in touch with Barry Bros Security. Our experts are familiar with the provisions of the Data Protection Act and insurance requirements and will be able to advise you accordingly.