Businesses with troves of sensitive information, like those in the healthcare or financial sectors, are often worried whether their digital assets are secure. And rightfully so. Publicly reported cases of data compromises spiked 114% in the second quarter of 2023, according to the Identity Theft Resource Center (ITRC), with healthcare and financial services representing the most-targeted verticals.
But even the strongest cybersecurity plan can be thwarted if a bad actor can just walk into your building and log into one of your computers. It’s a real threat and physical security should always be your company’s first line of defense.
“If criminals can get into your building, get something plugged in, and get out of there without detection, they can do serious damage from home without ever needing to hack into your network,” said Justin Whitehead, Digital Silence’s Founder and CEO, who is also a seasoned physical security expert and tester.
“That’s why it’s so scary when organizations just overlook physical security, because it only takes a couple of minutes of being inside for the bad guys to steal your data.”
Justin offered some novel ways bad actors can slip past your company’s front desk as well as helpful tips to bolster your office’s physical security.
Prepare for the unexpected
Your company may have a robust policy and procedures in place for building access, using keycards and ID badges, for example. But how consistently is that policy followed regarding building visitors, and especially during off-peak hours or unique situations? Like moving day, for instance?
That’s a situation Justin encountered when he was testing the physical security of a financial institution. He and his team saw boxes being moved out of the location, then approached the building and told the first employee he saw that he’s good friends with the company’s chief security officer and they had asked for a hand lifting some boxes. The employee at the door believed the story and let Justin’s team in.
Once inside, Justin’s testing team not only had access to physical files and papers, but he set up an attack that a bad actor might attempt. He left several USB drives (that could be loaded with malicious code) in file cabinets, playing the odds that at least one curious worker would plug a USB drive into their laptop. Malicious code can scrape all your company’s passwords, or provide for remote access.
That’s all it takes. Which leads us to…
Beware of flash drives
It’s easy to say “don’t trust any USB drive that isn’t yours.” But what if you came across one labeled “Q4 RIFs” or “2024 bonuses” in the break room. Your curiosity about an impending layoff or financial windfall might be hard to resist.
If you know your building’s front door isn’t 100% secure, you then know it’s possible that people who don’t work for your company can get into the building. If they do, they can set up a trap for you to fall through, which can expose sensitive, confidential, and valuable data. So again: don’t trust a USB drive if you don’t know where it came from.
Is that really your ID?
Even if your company has an ID policy, physical hackers can get around it. They will often look for excited new employees posting about their hire on social media, like LinkedIn. With access to a new employee’s name, title, and photo, they can clone an ID badge.
Justin exploited this means of access for a healthcare client test. He posed as a new IT worker. Because he was “just hired,” many of the employees he encountered didn’t second-guess his ID badge and let him conduct his “test” — plugging in a USB drive to make sure each computer’s antivirus software was up to date. In reality, it could have been a malicious code designed to scrape passwords. In this scenario, even the CEO failed this physical security test.
A side note on passwords
While these physical security tests exposed how easily passwords can be extracted if bad actors have building access, that doesn’t mean it’s a given that sensitive data is the next thing to be stolen. Companies that utilize multi-factor authentication will have an additional line of defense in a stolen password situation.
Make policies uniform, with no exceptions
Often, Justin says, companies have strong security at their front doors, but the same policies aren’t followed for the door to the smoking area, or the loading dock. Even though it can be a pain for maintenance workers hauling multiple loads of trash a day, or workers taking a quick outside break without their keycard, doors need to stay shut and anyone coming in an open door needs to have credentials.
If you see something, say something
This brings us to Justin’s final point: Often it’s human nature to trust someone’s word or avoid confrontation. But someone in your organization needs to be the one to speak up when it appears something isn’t right.
For example, if your building is being renovated and you notice the construction crew has four workers today when it only had three yesterday; someone needs to ask the foreperson why. Who is this new person? Why are they only here today?
Another example: Many companies have policies against workers tailgating another to get through a secure door. Even if the person behind you is flashing an ID badge, it could be a fake (and they could even use a phone to make a “beep” sound to convince you they keyed in their badge while you were holding the door open). If you see someone new coming into your building, even if they appear to have credentials, say something to confirm.
If you have questions about your company’s physical security, Digital Silence can answer them and provide a wide range of advisory services. Contact us today to learn how we can help you.