October is Cyber Security Awareness Month, which serves as a poignant reminder of the digital threats facing us every day we use our phones, computers, and smart home tech. Amidst the invisible connectivity of WiFi networks and cloud infrastructure lurks a security element that is far too frequently overlooked: the physical barriers that safeguard us.
For Cambridge’s thriving community of startups, scale-ups, and established networks of businesses, the intersection of physical and cyber security must be remembered, particularly as cybercrime continues to run rampant across the web.
The modern threat landscape is far more complex and sophisticated than a hacker, acting alone, trying to infiltrate a siloed business network. Many of today’s cybercriminals are part of intricate, difficult-to-trace crime networks, who are adept at even the most undetectable social engineering tactics that can deceive even the most switched-on of individuals. This has proliferated to the point where cyber attacks can be executed with the help of physical reconnaissance and seemingly innocuous activity on business sites.
Protect Your Physical Perimeters
As businesses continue to embrace flexible working models, the security of physical offices, particularly when empty or under-utilised, becomes a critical weak point cybercriminals can exploit. This means that a fully robust defense around your physical business perimeters is more essential than ever.
As physical barrier supplier and vacant property protection expert Maltaward eloquently notes, “a combination of perimeter security (concrete barriers, security fencing) and access control (steel security doors, window shutters) is crucial…” highlighting how empty premises can be exploited if not properly safeguarded. Even the most unsuspecting of personnel gaining access, who may be masquerarding as a worker or contractor, can gain access and kickstart a devastating cyber attack that could damage a business irreparably.
So how likely are these types of calculated attacks that compromise both physical and digital security to happen?
Physical Security Vulnerabilities: Where the Digital Defence Fails
Consider yourself as an average startup business owner. You may be well aware of the infrastructure you need to get your business off the ground: a spacious and secure office space, internet connectivity, business phone lines, servers, and laptops, not to mention any physical inventory or collateral if you sell products.
The integration of robust software, firewalls, multi-factor authentication (MFA), encryption, SSL certificates and more can fortify your online operations, protecting them from a substantial amount of cyber threats. However, all of that may prove ineffective if you or your team leave laptops unlocked during breaks, fail to lock secure doors in between rooms, or don’t safeguard servers or inventory properly.
Even established companies with well-established processes, safeguards and infrastructure nationwide, such as Marks and Spencer, and the Co-Op, among others, have been subjected to sophisticated cyber attacks this year alone.
Anybody who is granted access to your premises, even if they display ‘evidence’ of clearance, may be a bigger risk to your business than you realise. Without being too alarmist, if an opportunistic malicious actor gains physical access to an unlocked workstation, and installs malware via USB devices, copies sensitive data or plants devices that infiltrates networks, your security measures have already effectively been bypassed.
As a result, your business activities, finances, and intellectual property may be unknowingly falling into the hands of dangerous cybercriminals seeking to exploit your systems and, by extension, those of your wider network.
Other physical threats include (but are not limited to):
- Physical surveillance on your premises: Where unsuspecting watchers-on may be observing who is coming and going, eavesdropping on conversations in public areas, or using forged ID badges to gain access to entrances or common areas. This usually precedes a calculated attack which involves breaching physical perimeters.
- Disgruntled ex-employees: Such individuals may pose a risk to your incumbent systems or data. Even well-meaning staff can make important security mistakes (especially if they’re not that technically proficient). They may share files with unknown senders under the auspices that they are legitimate.
- Social engineering attacks: These are common and could include tailgating employees into secure car parks or buildings or waiting for the right time to enter a restricted room by playing on your innate urges of helpfulness or curiosity.
These physical security issues can be exploited in a matter of minutes, even if your intentions are well-meaning, thus posing your cyber security posture at risk. Recent statistics suggest that UK SMEs are facing an increasing number of cyber attacks, costing an average of £7,960 per incident.
This is why it’s vital to ensure top-tier cyber defence mechanisms.
Essential Tips for Business Cyber Readiness
- Install visible, high-quality CCTV cameras around sensitive or high-risk areas.
- Restrict access to key areas by using secure ID badges or cards.
- Block USB devices and other removable hardware by default, and only validate with administrator approval.
- Mandate strong, long, complex and unique password policies and consider using password management software across your business.
- Enforce strict shut down and lock policies for any devices not in use, even if they take a comfort break.
- Provide company-owned devices with encryption and mobile management for remote staff.
- Keep server rooms locked when not in use, and ensure any network equipment is exclusively accessed by approved, authorised personnel.
- Use the ‘principle of least privilege’ (POLP) to ensure workers only have access to the information that they strictly need.
- Keep software, hardware, drivers, plugins, and applications updated and patched across the board.
- Conduct regular security awareness training on insider threats and other important cyber security measures.
This Cyber Security Awareness Month, as we focus on protecting our digital assets, let's not forget the physical foundations upon which our cyber security rests. For Cambridge's innovative businesses, the integration of physical and cyber security isn't just about preventing breaches, but about building resilient organisations capable of thriving in an increasingly complex and unpredictable world that’s growing ever-more influenced and enabled by technology.