Physical security is often an afterthought when it comes to protecting IT assets and data. However, theft and unauthorized access of computer hardware happens all too frequently, and the threat is increasing as devices become more portable.

Mainframe computer systems were large and accessed by only a handful of people, so it made sense to lock them away in secure, climate-controlled rooms. Today, virtually every desk in every office has a workstation that’s more powerful than a mainframe. In addition, many small to midsize businesses (SMBs) lack dedicated data center space, housing servers, storage systems and other equipment in a store room or spare cubicle.

The “open” nature of the modern office makes it all too easy for disgruntled employees to gain access to this equipment. Vendors, customers and other third parties may also be able to wander through the facility unchallenged. Bad actors could steal or sabotage equipment or exfiltrate data.

Lost or stolen mobile devices present an even greater threat. According to a report from U.K. think tank Parliament Street, more than 26,000 mobile phones, laptops and other devices were reported lost in the London transport system in 2017. A larger transport system, such as New York City’s, probably sees an even greater number of lost devices. And that doesn’t include the devices left behind in cabs, rideshare vehicles and airplanes.

Many of these devices undoubtedly contain sensitive business information, and users are notoriously lax about security. Few implement even simple measures such as a PIN or passcode, much less encrypt data.

Here are some commonsense ways to improve the physical security of your IT assets:

  • House servers and other gear in a locked room or closet. If no such space is available, invest in IT cabinets that can be locked with a key or passcode. Better yet, host your equipment in a co-location facility that provides locked cages and other physical security controls.
  • Train users to “lock” their workstations when they leave their desks for any length of time. Also, make sure that users exit all apps and log off their desktop computers when they leave for the day. Implement policies requiring users to secure any mobile devices used for business.
  • Invest in an encryption solution to protect data “at rest” on devices and “in transit” via email. Prohibit the use of USB “thumb” drives and flash memory sticks for transporting data — they’re too easily lost or stolen and may contain malware.
  • Sensitive information likely still exists on old hard drives and other devices. If you have a stockpile of unused equipment — even if it’s in a locked storage area — use an overwriting or wiping tool to remove all data. Note, however, that wiping often fails on failed hard drives. Your best option in that instance is to destroy the drive by shredding.
  • For tape drives, perform a full factory reset and verify that no potentially sensitive information still exists on the device. Remove any identifying labels on backup tapes and degauss (de-magnetize) them, or have them shredded along with your old hard drives.

Cybersecurity efforts often focus on firewalls, antimalware tools and other logical protections. However, physical security of IT assets is equally important. Take a look around your office and consider what could happen if a bad actor accessed your server or stole a corporate laptop. If you need assistance, contact ICG for a confidential consultation.