Cybersecurity is undoubtedly at the top of the list when you think of security risks for your financial institution, and rightly so: cybersecurity, and the mitigation of related risks, is essential to protecting confidential and sensitive information, intellectual property, corporate data, and systems. But it’s also important to keep physical security in mind, as it plays a key role in ensuring the physical safety of your business and employees.
Think of physical security as the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to a financial institution. Your main objective is to maintain physical security in order to safeguard your company’s employees and assets.
However, physical security is often overlooked and its importance underestimated. Worse, physical security breaches can be carried out with little to no technical knowledge on the attacker’s part.
It’s important to take the time to understand the types of physical security risks, rate the severity of each risk, and decide how to mitigate it and how to respond if it materializes. Remember, having a security risk assessment in place is crucial. The linked resource includes some useful information regarding security risk assessments and finding a balance between risk and controls.
Different categories of physical security risks include:
- Theft and Burglary
- Theft of Documents
- Unaccounted Visitors
- Stolen Identification
- Social Engineering
- Natural Disasters
9 Ways to Mitigate Physical Security Risks:
- Keep data centers safe by installing surveillance systems, alarm panels, and access control systems on all critical doors and entryways. Ensure these systems are properly monitored, and that documented weekly and monthly audits are performed to catch gaps in video coverage. Also ensure that access rights and codes for terminated employees have been removed. Install access control on all server room doors as well as any other doors to areas where personally identifiable information (PII) is stored.
- Ensure you have adequate lighting at all times, 24/7. It is a good idea to have lighting surveys performed, and to assess the lighting after hours on a monthly schedule to ensure all high-risk areas are properly lit.
- Develop a clean desk policy and enforce it. Perform random audits, including nightly walk-throughs, to check that all desk drawers and filing cabinets containing sensitive information are properly locked. Also check that all items for shredding have been placed in the proper shred bins, that the bins remain locked, and that the key to each bin is properly secured. Check for passwords written down and hidden in places such as under keyboards and mouse pads.
- Do not write down usernames and passwords and keep them at your workstation.
- Do not allow unknown individuals to piggyback into secured areas as you enter. Do not be afraid to ask to see someone’s company ID, or to ask them to use their own access badge to enter secured areas. If the individual doesn’t have the correct access badge or ID, direct them to the front desk or concierge for assistance.
- Install locks on file cabinets and desk drawers. Make sure those locks are properly used when away from your office or desk.
- Perform annual security awareness training that covers personally identifiable information and how to properly protect it from physical harm or loss.
- Do not print PII to local or public printers.
- Have a Business Continuity Plan in place. Be sure this plan is thorough and tested regularly. The linked resource offers some insightful information.
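The first mitigation above asks that access codes for terminated employees be removed and that audits be documented. As an added example, not code from the original article, the Python below reconciles a constructed HR termination list against a constructed access-control badge export and door log: it lists badges that should already be disabled and flags any door events by a badge after its holder’s termination date. The data formats are assumptions; a real audit would read the exports of your own HR and access-control systems.

```python
from datetime import date

# Constructed sample data for this example (not from the article or any real system).
# HR roster export: employee id -> termination date (only departed employees listed).
HR_TERMINATIONS = {
    "E1002": date(2024, 3, 15),
    "E1007": date(2024, 5, 1),
}

# Access-control system export: badge id -> employee id, for badges still enabled.
ACTIVE_BADGES = {
    "B-001": "E1001",
    "B-002": "E1002",  # holder left 2024-03-15 but the badge was never disabled
    "B-007": "E1007",  # holder left 2024-05-01 but the badge was never disabled
    "B-009": "E1009",
}

# Door-controller log: (date, badge id, door, access granted?)
ACCESS_LOG = [
    (date(2024, 3, 14), "B-002", "server-room", True),   # before termination: fine
    (date(2024, 3, 20), "B-002", "server-room", True),   # after termination: finding
    (date(2024, 5, 3), "B-007", "data-center", False),   # denied, but still an attempt
    (date(2024, 5, 3), "B-009", "data-center", True),    # current employee: fine
]

AS_OF = date(2024, 6, 1)  # date the audit is run

def stale_badges(active_badges, terminations, as_of):
    """Badges still enabled for employees whose termination date is on or before as_of."""
    return sorted(
        badge for badge, emp in active_badges.items()
        if emp in terminations and terminations[emp] <= as_of
    )

def post_termination_access(log, active_badges, terminations):
    """Door events by a badge after its holder's termination date.
    Denied attempts are reported too: a badge that should have been revoked being
    presented at a critical door warrants a look regardless of the controller's answer."""
    findings = []
    for when, badge, door, granted in log:
        term = terminations.get(active_badges.get(badge))
        if term is not None and when > term:
            findings.append({"date": when.isoformat(), "badge": badge,
                             "door": door, "granted": granted})
    return findings

if __name__ == "__main__":
    print("Badges to disable:", stale_badges(ACTIVE_BADGES, HR_TERMINATIONS, AS_OF))
    for f in post_termination_access(ACCESS_LOG, ACTIVE_BADGES, HR_TERMINATIONS):
        print("Post-termination door event:", f)
```

Running the reconciliation on the same schedule as the weekly audit, and keeping its output with the audit record, turns the "remove terminated employees' access" requirement into something that is checked rather than assumed.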
In addition, always be aware of your surroundings, of the people around you, and of your interactions with them on both a business and a personal level. If you see something suspicious, report it. Make sure to have a Physical Security Policy and procedures in place that set out the proper protocol for protecting employees and assets.
Your financial institution may want to cover aspects of physical security in your IT Management policies. It’s a good idea to review policies and procedures at least annually or as security risks evolve.
Cybersecurity will always be vital, but it is also important to remember how crucial physical security is for a financial institution’s overall security and compliance efforts.