When it comes to protecting your IT assets, it’s important to understand that the physical security perimeter is as important as your network security perimeter. You need to ensure that the systems hosting your business critical data are secured from remote attacks, but what good are those controls if someone can walk in off the street, unplug those systems, and leave with them through the front door?
Just as networks need public areas and restricted areas, so do physical business locations. A good first step is to define and restrict access to sensitive areas. These areas often include the data center (server room), the accounting area, and human resources. Locked doors, key cards, and receptionists are all controls that you can rely on to ensure that your systems and your physical media are kept safe from unauthorized access.
What if a less-than-reputable individual walked into your office area, grabbed a set of files left on your accountant’s desk, and then walked out with those files? Even more frightening is the thought of someone entering your data center and adding a computer or network device that you don’t have any control over. If you have an unmanaged device like this on your network, can you still call it your network?
Although unauthorized access is a concern, you also need to protect your business against environmental threats. A fire, flood, or tornado could be just as damaging to your business as a data breach (if not more so). The unfortunate events of Hurricane Sandy demonstrated the impact that environmental threats can have on business owners. Understanding the environmental threats most likely to your business is critical if you’re to understand which controls you should invest in.
In the article on Risk Management, we discussed the importance of cyber liability insurance. Likewise, you should consider investing in business property insurance as one of your key controls. Recovering from that damage will cost money, and the sooner you can restore your company network, the sooner you can be back in business.
Recovering will also take time, and all SMB owners can attest that there is never enough time, even when the business is running smoothly. While business property insurance can help you replace any systems or network devices damaged by the disaster, recovering the time lost is a different matter entirely. That’s why many business owners take the time to document their disaster recovery plan.
Your disaster recovery plan needs to address both natural disasters and man-made disasters. Although no two disaster recovery plans are alike, they all have the same elements in common:
- Measures to prevent the disaster (where possible)
- Measures to detect when the disaster occurs
- Measures to get the business back online as quickly as possible
One of the best ways to detect when an event occurs is to monitor the health of your systems. A hurricane is national news, but the failure of your data center’s HVAC system is unlikely to even make the community newspaper. Your IT staff should be alerted immediately if components like memory, hard drive space, or CPU usage reach critical levels. Whether a system runs out of disk space or it’s been knocked offline by an attacker, the end result is the same: your customers won’t be able to use it.
Finally, you need to document a secure device disposal process. Never, never, NEVER get rid of a computer without first irrevocably destroying the data stored on that computer’s hard drive. Tools like Darik’s Boot and Nuke (DBAN) are freely available for small shops to securely erase the data from a computer every now and then. For larger organizations, businesses like Possitivity and Redemtech are more than happy to manage that secure disposal process on behalf of SMB owners.
To recap, every business owner should do the following:
- Define and restrict access to sensitive areas
- Document relevant environmental threats
- Consider investing in business property insurance
- Document your disaster recovery plan
- Implement a system to monitor the health of your systems
- Implement a secure device disposal process
Need more information on information security basics for small and medium-sized businesses? Head on over to Infosec Simplified.