Physical security, and social engineering in particular, is one of the most vulnerable areas of any company. Why? Social engineering preys on people, not technology. However good your network security is, your employees can still be exploited, because people do not come with anti-malware scanners. People are brought up to be helpful, and that is exactly what an attacker uses against them. Security awareness training is the main defence against social engineering; technical controls rarely stop it on their own. More advanced attacks combine a physical element, such as tailgating into an office, with an online attack.

Clean desk policy
With many staff working remotely this is less prominent than it once was, but it still matters. Some firms used to send security staff to audit desks after hours and note any papers or devices left out. If you are in an office, shred documents or put them in a locked drawer before you leave, and lock portable devices away or take them with you. The same applies at home if you share it with others.

Shred documents
Dumpster diving is going through a company's rubbish in search of confidential records. Bank statements, employee records, internal memos and printouts can be used for identity theft or to find a way into the network: names, roles, system names and phone numbers all help a social engineer build a convincing story. Get a cross-cut or micro-cut shredder rather than a strip-cut one (strip-cut output can be reassembled), and think carefully before outsourcing shredding to a contractor, since the documents leave your control unshredded.

Protect your servers
If you have a server room, make sure it has a strong lock. If you can afford it, use a smart card or biometric reader for access, and aim for at least two barriers before anyone can reach the server room door. Think about its location, too: is it close to a river, in a basement, or next to a kitchen or toilet? Such factors increase the chance of flooding or water damage.

Put removable media in a safe
USB drives, external hard drives, spare internal drives, CDs, DVDs, floppy disks, tapes and so on should be encrypted and stored in a safe. Never leave them on your desk, where they can be swept up in seconds.

Destroy removable media, laptops and computers
Before disposing of removable media, laptops, hard drives or desktop computers, make sure the data is purged, either by physically shredding the device or by overwriting the data, before it leaves your hands. Formatting is not sufficient: a quick format rewrites only the filesystem metadata and leaves the data blocks in place, where recovery tools can still read them. Bear in mind that overwriting is unreliable on SSDs and flash media, because the controller remaps blocks behind your back (wear levelling), so for those use the drive's built-in secure erase or cryptographic erase, or destroy the device. Keep a record of what was destroyed and when.
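The point about formatting can be shown on a disk image file standing in for a drive. This is an added example, not code from the original page: it plants a constructed marker string in the image, simulates a quick format by rewriting only the first sector (a simplification of what a real quick format does to filesystem metadata), shows that the marker survives, then overwrites the whole image and shows that it is gone. The image path, size and marker are assumptions; on a real magnetic disk you would set IMG to the block device and run as root.

```shell
#!/bin/sh
# Added example: why formatting is not sanitisation.
# IMG is a regular file standing in for a drive (assumption); on a real
# disk you would set IMG=/dev/sdX and run as root.
set -eu

IMG="${IMG:-/tmp/demo-disk.img}"
MARKER="CONFIDENTIAL-PAYROLL-2024"   # constructed sample data, not real
IMG_MB=4

# Build a 4 MiB "disk" and plant the marker 1 MiB in, well past any
# metadata that lives at the start of the device.
make_sample_disk() {
  dd if=/dev/zero of="$IMG" bs=1048576 count="$IMG_MB" 2>/dev/null
  printf '%s\n' "$MARKER" | dd of="$IMG" bs=1 seek=1048576 conv=notrunc 2>/dev/null
}

# How many times the marker is still readable from the raw device.
# grep -c prints 0 and exits 1 when nothing matches, so '|| true' keeps
# set -e from aborting the script.
count_marker() {
  grep -a -c -- "$MARKER" "$IMG" || true
}

# A quick format rewrites filesystem metadata (boot sector, allocation
# tables) and leaves the data blocks alone. Simulated here by zeroing
# only the first 512-byte sector.
quick_format_image() {
  dd if=/dev/zero of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Sanitisation for a magnetic disk: overwrite every block, here one
# random pass followed by a zero pass. Not sufficient for SSDs, whose
# controllers remap blocks; use the drive's secure erase there.
overwrite_image() {
  dd if=/dev/urandom of="$IMG" bs=1048576 count="$IMG_MB" conv=notrunc 2>/dev/null
  dd if=/dev/zero    of="$IMG" bs=1048576 count="$IMG_MB" conv=notrunc 2>/dev/null
}

# Succeeds only if no trace of the marker remains.
verify_clean() {
  [ "$(count_marker)" -eq 0 ]
}

demo() {
  make_sample_disk
  echo "after writing:        marker found $(count_marker) time(s)"
  quick_format_image
  echo "after quick format:   marker found $(count_marker) time(s)"
  overwrite_image
  echo "after full overwrite: marker found $(count_marker) time(s)"
  verify_clean && echo "device is clean" || echo "DATA STILL RECOVERABLE"
  rm -f "$IMG"
}

demo
```

The same verification step (read the raw device back and search for known content) is worth running after any real wipe before the drive leaves the building. For SSDs and NVMe drives the overwrite functions above are the wrong tool; the built-in secure erase (ATA Security Erase via hdparm, or an NVMe format with secure-erase setting) is what to use, and that is not demonstrated here.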

Keep ports, routers, hubs and switches out of sight
Open ports scream 'plug something into me', and for an attacker that is a great start: any network socket in a meeting room, reception area or corridor is a potential route onto your company network. Keep network devices in a lockable comms cabinet, ideally mounted high on the wall and out of sight, and disable unused ports on the switch (or enforce 802.1X so that an unknown device gets no access) so that a spare socket is not a free connection.

Password-protect the BIOS (basic input/output system)
The BIOS (on modern machines, UEFI firmware) is the small program on the motherboard that initialises the hardware and decides which device to boot from before the operating system loads. Set a firmware password so that nobody can change settings such as the boot device and start the machine from a USB stick to read the disk. Treat this as a speed bump rather than a barrier: on many desktops the password can be cleared by resetting the CMOS, so pair it with full-disk encryption (BitLocker, FileVault or LUKS) so that booting from another device yields nothing readable.

Question/ID all visitors
Social engineers can easily pass themselves off as anyone. Don a high-visibility jacket and people assume you are there on official business. Just because someone turns up at your office with paperwork, tools and a fluorescent jacket doesn't mean they are genuine. Ask for identification, check the visitor log, and call the person who booked them, using a number from your own directory rather than one the visitor gives you.

Lock PC and laptops
Lock your computers down using a computer-locking kit; this stops, or at least slows down, attempted thefts. The same applies to laptops, and a lockable docking station will also do. A thief with large bolt cutters will probably get through the cable, but every little helps, and in the meantime someone may notice and challenge them. Unfortunately, in 2025, lock slots on laptops and tablets are not very common.

Lock your door
Never have an open-door policy; anyone can simply walk in and take what they like. An access card is an excellent idea, but never print the company's name on it: if it is lost or stolen, the finder will not know which door it opens. Add a second factor such as a PIN at the reader, and avoid older low-frequency (125 kHz) proximity cards, which can be cloned with cheap hardware. It's also a good idea to install CCTV at key entrances and exits, with extra authentication at server and comms rooms.

Be careful on the phone
Another method of social engineering is by phone. Again, this preys on the helpfulness of people, and only training can solve the problem. Someone might call up and pose as a senior manager's assistant. A hypothetical script could run something like: 'Hi, my name is Christine, and I was wondering if you can help. My boss, David, the managing director, is on holiday, and he has asked me to reset his account password. It's for a critical shareholders' report tomorrow, and I will get in trouble if I fail.' Seniority and a sense of urgency are part of the spiel, and that is why it works. Before giving anything out, ask for a name, email address and phone number, then check the story by calling the manager or the assistant back on a number from the internal directory, never the one the caller supplies. A password reset should only ever follow your established identity-verification process, however senior the name invoked.
© Copyright 2012-2026 DataSecurityExpert.co.uk
