Back to Office: But what about security?

not your CISO
Jul 28, 2022

Things are back to normal, and everyone is returning to their offices. Some are ecstatic about free food, coffee and gossip, some are disappointed because they have got used to the comfort of working from home, and then there is the security guy who is worried about adding physical security to the scope of the work he is doing. Nah, I am not complaining; it is a fun challenge and a change from securing digital assets and the approach that goes with it. Below are some things admin and security teams should take care of while this change happens.

  • The most important thing is to clearly define the physical boundary of your premises. You cannot effectively secure anything until the scope is clear; an ambiguous scope only leads to chaos, confusion and incidents.
  • Control access at this perimeter. Issue a unique access card to everyone, with separate card types for employees and guests, and revoke cards promptly when people leave. Log the access records and review them periodically. These controls help combat threats such as unauthorised access and tailgating.
  • Define a boundary for guests as well: guests should not have access to everything. Have a visitor policy and, where possible, make sure no guest visits unannounced.
  • Secure the areas inside your premises according to the sensitivity of the information they hold, whether offices, conference rooms or other working facilities. Not everyone needs access to the server room, and not everyone needs access to the storage room. But don’t be paranoid: everyone needs access to the cafeteria.
  • Implement a clear desk and clear screen policy so that no system is left unlocked and unattended. In an office environment everyone is moving around, which increases the chances of attacks like shoulder surfing and eavesdropping. Such attacks can have serious consequences in a co-working space, but even if you have a dedicated office space, remember that a software developer does not need to see the finance books for their day-to-day work.
  • Make sure your network infrastructure, such as routers, switches and cabling, is properly secured against unauthorised access and tampering: lock wiring closets and disable or restrict unused network ports in shared areas.
  • Take extra care when disposing of assets. Dispose of them securely, whether a failed router, a crashed hard drive or a printed page: securely wipe and destroy electronic and storage equipment, and shred paper, before it goes in the bin. Dumpster diving is still a common way for attackers to gather information by searching your trash.
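As an added example (not code from the original post), here is one way the "log the access records and review them periodically" step, together with zone-based access rules and the visitor policy above, can be turned into a small review script. The badge-log format, card ids, zone names, authorisation table and visitor hours are all constructed for illustration and do not come from any real access-control product; a real export will need its own parser.

```python
from datetime import datetime, time

# Constructed sample badge-reader export (hypothetical format, not from any real system):
# timestamp, card id, card type, zone, direction
BADGE_LOG = """\
2022-07-25T08:55:10 EMP-1001 employee lobby in
2022-07-25T09:02:41 EMP-1001 employee floor2 in
2022-07-25T09:10:03 GST-0042 guest lobby in
2022-07-25T09:30:22 GST-0042 guest server_room in
2022-07-25T10:15:00 EMP-1002 employee server_room in
2022-07-25T10:16:30 EMP-1003 employee server_room in
2022-07-25T12:05:12 EMP-1001 employee lobby in
2022-07-25T12:30:00 GST-0042 guest cafeteria in
2022-07-25T18:20:45 EMP-1002 employee lobby out
2022-07-25T22:47:09 GST-0042 guest lobby in
"""

# Hypothetical zone authorisation table. A zone may be opened to a whole card type
# (everyone gets the cafeteria) or only to named cards (the server room), so least
# privilege and need-to-know are expressed as data rather than as a trust-everyone default.
ZONE_ACCESS = {
    "lobby": {"employee", "guest"},
    "floor2": {"employee", "guest"},
    "cafeteria": {"employee", "guest"},
    "server_room": {"EMP-1003"},
}

PERIMETER_ZONE = "lobby"                  # in/out events here define the premise boundary
GUEST_HOURS = (time(8, 0), time(19, 0))   # assumed visitor policy: guests only during business hours


def parse_log(text):
    """Parse the space-separated export; a zone missing from the table fails loudly."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, card_type, zone, direction = line.split()
        if zone not in ZONE_ACCESS:
            raise ValueError(f"zone {zone!r} missing from ZONE_ACCESS: add it or deny it explicitly")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "card": card,
            "type": card_type,
            "zone": zone,
            "dir": direction,
        })
    return sorted(events, key=lambda e: e["ts"])


def review_access(text):
    """Return (timestamp, card, finding) tuples for records a periodic review should look at."""
    findings = []
    inside = set()  # cards currently inside the perimeter according to the log
    for e in parse_log(text):
        allowed = ZONE_ACCESS[e["zone"]]
        # Entry to a zone neither the card type nor the specific card is authorised for.
        if e["dir"] == "in" and e["type"] not in allowed and e["card"] not in allowed:
            findings.append((e["ts"], e["card"], f"unauthorised entry to {e['zone']}"))
        # Guest card used outside the hours the visitor policy allows.
        if e["type"] == "guest" and not (GUEST_HOURS[0] <= e["ts"].time() <= GUEST_HOURS[1]):
            findings.append((e["ts"], e["card"], "guest card used outside visiting hours"))
        if e["zone"] == PERIMETER_ZONE:
            if e["dir"] == "in":
                if e["card"] in inside:
                    # Anti-passback: a second entry with no exit in between. Either the holder
                    # tailgated out without badging, or the card is being shared or cloned.
                    findings.append((e["ts"], e["card"], "re-entry without exit (passback)"))
                inside.add(e["card"])
            else:
                inside.discard(e["card"])
    return findings


if __name__ == "__main__":
    for ts, card, why in review_access(BADGE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {card:<9} {why}")
```

On the constructed log this flags the guest and an unnamed employee entering the server room, a guest badge used late at night, and two cards re-entering the lobby without ever badging out. The last category is the one worth watching in a return-to-office setting: it is what tailgating through the exit looks like in the logs, and it is the only signal you get when a card is being passed around.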

Remember these three basic principles of cybersecurity when designing your physical security controls, whether they are managed by your organisation or by a third-party vendor:

Principle of Least Privilege: This principle states that subjects should be given only those privileges needed to complete their task.

Need-to-Know: This principle states that a user shall only have access to the information their job function requires, regardless of their security clearance level or other approvals.

Separation of Duties: This principle divides critical functions among different staff members to ensure that no single individual has enough information or access privilege to perpetrate damaging fraud.

These are some things admin and security teams should take care of when resuming physical offices. There can be more controls, but this is a good starting point. Do let me know if I have missed anything critical.

Thanks for reading :)
