Make sure your security strategy addresses physical risks

Many organizations spend thousands of dollars on the right devices and software—only to forget about securing the actual building that houses them. Don't become a security statistic by allowing your data to just walk out the front door. Mike Mullins offers some tips for beefing up physical security in your organization.

Creating and maintaining a fairly secure network can cost a lot of money. Buying firewalls, intrusion detection systems, and antivirus and antispam software doesn't come cheap! And don't forget about training administrators how to operate and configure those systems and others in a secure manner—all the security devices in the world won't help your organization if your admins don't know how to properly use them.

But for most companies, the benefits gained in network productivity, increased public confidence, and the lack of legal fees help maximize the return on investment (ROI) for these costs. However, even with all of these devices and software in place and properly functioning, there are still areas of improvement that can mean an even bigger ROI—specifically, physical security.

Don't overlook physical security

Many organizations spend thousands of dollars on the right devices and software, only to forget about securing the actual building that houses them. Remember: Even if no one can steal or corrupt your data over the network, they may still be able to walk out your front door with it.

Don't neglect physical security in your attempts to lock down data. For example, many companies have no established policy or defined best practices when it comes to bringing in personal laptops or storage devices, both of which make it easy to siphon off data from your network. Let's look at some other areas of physical security that require your attention.

Develop an entrance and exit policy

Take steps to establish a well-defined entrance and exit policy. It should spell out exactly which electronic devices people can bring into the building and exactly where in your building people can use those devices—and where they can't.

If your organization doesn't have such a policy, you need to develop one and distribute it to employees and business partners. Make sure it lists permitted devices, and outline how one would gain approval to bring such devices into the building.

Don't try to be too specific about allowed devices—technology evolves faster than any policy. Rather than putting yourself in the position of having to constantly update the policy, address general types of devices instead.

Lock down your equipment—literally

Developing an entrance and exit policy offers a good opportunity to consider how you secure the devices you already have. For example, have you installed locks on workstations and servers to prevent the theft of hard drives? Do you have cable locks for laptops so they don't walk out of the building?

Laptops definitely aren't cheap, and they can store an enormous amount of data. Recent laptop thefts in the news have shown just how vulnerable and unprotected most of these devices truly are.

For about $15, you can secure these portable workstations and make sure they remain a part of your business inventory. Think about it: When was the last time you read in the news that someone cut a security cable to steal a laptop? That's why I recommend buying one today for every laptop the company owns.

Final thoughts

Don't become a security statistic by allowing your data to just walk out the front door. Put some policies and procedures in place—and enforce them.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.