Creating and maintaining a fairly secure network can cost a
lot of money. Buying firewalls, intrusion detection systems, and antivirus and
antispam software doesn’t come cheap! And don’t forget about training
administrators how to operate and configure those systems and others in a
secure manner—all the security devices in the world won’t help your organization if your
admins don’t know how to properly use them.
But for most companies, the benefits gained in network
productivity, increased public confidence, and the lack of legal fees help
maximize the return on investment (ROI) for these costs. However, even with all
of these devices and software in place and properly functioning, there are
still areas of improvement that can mean an even bigger ROI—specifically,
physical security.
Don’t overlook physical security
Many organizations spend thousands of dollars on the right
devices and software, only to forget about securing the actual building that
houses them. Remember: Even if no one can steal or corrupt your data over the
network, they may still be able to walk out your front door with it.
Don’t neglect physical security in your attempts to lock
down data. For example, many companies have no established policy or defined
best practices when it comes to bringing in personal laptops or storage devices,
both of which make it easy to siphon off data from your network. Let’s look at
some other areas of physical security that require your attention.
Develop an entrance and exit policy
Take steps to establish a well-defined entrance and exit
policy. It should spell out exactly which electronic devices people can bring
into the building and exactly where in your building people can use those devices—and
where they can’t.
If your organization doesn’t have such a policy, you need to
develop one and distribute it to employees and business partners. Make sure it
lists permitted devices and outlines how one would gain approval to bring such
devices into the building.
Don’t try to be too specific about allowed devices—technology
evolves faster than any policy. Rather than putting yourself in the position of
having to constantly update the policy, address general types of devices instead.
Lock down your equipment—literally
Developing an entrance and exit policy offers a good
opportunity to consider how you secure the devices you already have. For
example, have you installed locks on workstations and servers to prevent the
theft of hard drives? Do you have cable locks for laptops so they don’t walk
out of the building?
Laptops definitely aren’t cheap, and they can store an
enormous amount of data. Recent laptop
thefts in the news have disclosed just how vulnerable and unprotected most
of these devices truly are.
For about $15, you can secure these portable workstations
and make sure they remain a part of your business inventory. Think about it: When
was the last time you read in the news that someone cut a security cable to
steal a laptop? That’s why I recommend buying one today for every laptop the
company owns.
Final thoughts
Don’t become a security statistic by allowing your data to just
walk out the front door. Put some policy and procedures in place—and enforce
them.
Mike Mullins has served as an assistant network
administrator and a network security administrator for the U.S. Secret Service
and the Defense Information Systems Agency. He is currently the director of
operations for the Southern Theater Network Operations and Security Center.