Management, compliance & auditing

IT Security Policies Should Include a Physical Security Policy

Dan Virgillito
October 7, 2014 by
Dan Virgillito

We live in a world that's becoming ever more dependent on the various digital products at our disposal. From the average man on the street making purchases on his phone to huge multinational companies taking hundreds of thousands of dollars in payments from wide and varied customer bases, technology has become an indispensable facet of modern living.

The proliferation of devices has undeniably made shopping, communication and organisation easier than ever before, but what are the implications for those concerned with security?

Our dependence on computers has resulted in huge amounts of very sensitive, very valuable information being stored in, physically speaking, increasingly small packages.

Obviously, digital based security has increased along with the popularity of digital based products, but a comprehensive IT security policy isn't enough if you want to sleep easy…you're also going to need a thorough physical security policy.

Why is a Physical Security Policy Important for Organisations?

There's a strong focus on corporate security measures in the modern world, which all too often detracts from still necessary physical security policies. Even the most robust firewalls and password protection can't account for physical threats or human error, risks that are often overlooked or forgotten.

If you're slightly confused as to what physical security policy implies, think about it on a more personal level. How much of your personal data do you have stored in your phone? How important is that data to you? Which of your bank accounts, card details, financial assets or the personal information of you or your contacts would someone be able to obtain if they had full access to its memory?

Most organizations and employees never consider the possible implications of someone getting their hands on this data as they place faith in the device manufacturer's security system. These systems may stop someone from hacking your device and downloading the data remotely, but what if you accidentally leave the device in a public place or if it is stolen from you so that these files can be retrieved by a person? It's the risk of theft and loss that a good physical security policy attempts to curtail.

You may think that such thefts take place simply for the financial gain of selling the device. If financial gain is the aim, then there is far more to be earned in selling information and fraudulently using bank details that can be obtained. The risk may be small, but shouldn't be overlooked. Even the most well-meaning employee can cause a problem.

Take for instance a very embarrassing situation caused by a forgetful British civil servant. In 2008 a British government worker left a file of top secret files on the seat of a train, leaving the latest information on terrorist organisations for any passer-by to simply pick up. It's probably a good thing that the files left on the train were found by a person who turned them in. It's also a blessing that these were in paper form. If a hard drive or laptop were misplaced, the volume of information could have been far larger than a binder full of papers.

We'd love to say that this occurrence is a one off, something that never happens and that corporate security policies are enough to secure confidential information. Unfortunately, we couldn't keep a clear conscience if we were to offer that wonderful piece of false hope.

Coca Cola is one of the largest and most recognised brands in the world and employs over 700,000 people. You'd think that keeping the details and information of its employees and customers would be of paramount importance, so much so that only an Ocean's 11 style heist would be able to pry such sensitive data from their grasp. Unfortunately, it seems as though a simple theft of a few unencrypted laptops resulted in the loss of sensitive information for around 74,000 North American based employees.

It's pretty obvious that a comprehensive physical security policy is necessary regardless of how strong your encryption (that is, if you use encryption processes, unlike Coca Cola!) or firewalls are. You're never going to fully eradicate the risk of theft and human error by focusing too heavily on digital side security; you'll still be at risk from physical security threats.

Measures to Increase your Physical Security Policy

So, what exactly can you do to improve your company's physical security policy? This will of course differ depending on the size of your company and the nature of the data stored. Physical security can range from simple locks and sturdy doors to adapting the local landscape and adding 24 hour armed personnel. Below you'll find a number of general steps to increase the effectiveness of your physical security policy.

Server Security

If your company is large enough to warrant having dedicated servers, their protection should be of paramount importance. If someone were able to gain access to your server room, then they have the opportunity to access all of your information.

Locked Door - Secure room

Be certain that there is a security door of sturdy construction to enter the server room. You could have the best lock in the world, but if the door is easily broken, the lock will prove nothing more than a minor hindrance to the committed thief.

Access Cards or Security Codes

If you're spending good money on providing a secure server room with an expensive security door, you're going to want to make sure that your locks are in order. Only authorised personnel should be given access to the server room. The most efficient way to ensure that this is the case is to use access cards (which will also let you track who goes in and out of the room), or a regularly changed security code. If your data is really that important, you could also add biometrics to the mix with something like a fingerprint scanner on the door.


Surveillance cameras often work better as a deterrent and discourage opportunistic thieves from breaking in. They will also give valuable evidence if someone with access to the room abuses their position. If you couple this with the logging of who goes in and out, your server room should be far more secure.

Alarms for Unauthorised Access

Just in case the worst happens and there is a break in, you want it to be apparent as soon as possible. Alarms will not only alert the authorities or security on site, but will also rattle the criminal or adversary, forcing them to rush or perhaps even abandon their attempt.

Laptop/Desktop Security

Learning our lessons from Coca Cola's mistakes we all now know how damaging one laptop or device can be if stolen. These next few measures should be of the utmost importance for organisations of any size, as relatively small devices like these can be easily stolen.

Disable USBs and CD Drive

Disabling any means in which data can be transferred from the device in question is a great way to secure your computers. In disabling the methods that can be used to transfer data without any wireless connection, you greatly increase the risk of your device showing up in online security tracking devices.

Remove Unused Computers from Network

If there's an unused computer in the office, make sure it is at the very least not connected to the network and, if possible, placed into a secure room. This way you'll stop anyone from being able to access the network through the unmanned machine.

Special Secure Room for Unused Machines

As we've just mentioned unused machines should be disconnected from the network. You would want to store all unused machines in a secure room to which you're able to monitor access. The machine may not be connected to the network, but there is still the risk of confidential files being stored on the hard drive.

Desktop/Laptop Security Cables

To stop anyone from simply lifting a desktop or laptop from its workstation and exiting the building, we'd recommend purchasing security cables. If you're unfamiliar with the concept, security cables will basically ensure that the machine stays secured to the workstation, making it far more difficult to remove.

Separate Storage Rooms

If you are using a secure room to store unused machines, ensure that it is a room separate to your server room. The last thing you want is to offer one location where a would-be thief could gain access to expensive equipment as well as all of the information they'd need. Be smart and don't create a one stop shop for all of your company's information.

Employee Awareness

Employee awareness is undoubtedly the single most important aspect for you to consider. If your employees are not aware of what areas are supposed to be secure, who in the building has access to which areas, or why it's so important to maintain this high level of security, then a lot of your efforts could end up in vain. It does sound a little exaggerated, but to put things in perspective, check out this social engineering experiment conducted by Kingston city council where a stranger was able to gain access to what was supposed to be a secure server room by asking the staff where it was. If the staff were aware that this was a huge security risk, we doubt that he would have got anywhere near to the room.

Over to You

Physical security policies have always been important for any company, regardless of their industry or directives. Just because technology is advancing at an incredible rate does not mean that the risks of yesteryear are no longer worth considering.

Even with the most sophisticated digital and online security measures, a company can suffer huge losses by neglecting more traditional security issues. Therefore, corporations should make sure that the physical security policy of their company receives as much attention as that of their digital based IT counterpart.

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.