David Toma

Entities need more than technical security controls to protect their data from cyber security risks.

In our recent performance audit on managing cyber security risks, we reported:

‘At one of the three entities we audited, our security consultants gained initial access to the network through poor physical security controls.

Our security consultants were not prompted for identification at any point when accessing facilities. It was possible to walk from the lifts, past the reception desk, and tailgate employees into the entity's offices. Upon accessing the office, our consultants were able to sit down at employee desks and connect a malicious device to the network.

This facilitated direct access to the entity's internal assets and increased the available ways to target the entity.’

Protecting data from cyber security risks requires all staff in an entity to be aware of the threat of someone following them into their office area. Once someone has gained physical access to an entity’s premises, they can connect their own devices to the network, capture user logon details and/or download advanced security tools, which they can use to access cleartext passwords of user accounts. They could then use those credentials to access sensitive systems and data.

So how can entities address this threat? Here are some thoughts:

  • Ensure that physical security controls are addressed in a cyber security framework. The framework should set the overall objectives for managing cyber security and reference the control standards the entity will apply to protect its data and systems. Alongside network security and other technical controls, entities should also have standards for managing physical access to their site(s) and systems.
  • Include physical security in security tests. For example, a red team engagement tries to find the quickest method to access an entity’s security mechanisms and compromise its sensitive applications and data. In doing so, it considers the target and resources available, and may attempt social engineering, physical entry, and data exploitation.
  • Educate and increase staff awareness of the risks of physical security compromises, and what they should do if they suspect someone has obtained or tried to obtain unauthorised physical access to their site.

Poor physical security can be the weak link in an entity's line of defence against cyber threats. A breach in physical security can start a chain of events that results in data theft, data manipulation and severe effects on reputation.

Entities should take this risk seriously and include it as part of their cyber security program.
