IT security is just one part of the story!

Purpose of this article

Your startup is working on new technological inventions and your confidential data is stolen. Do you notice this before you recognize your products offered by your competitors?

Or maybe you’re running a business which processes sensitive data in relation to article 9 of the GDPR, for instance in the field of medicine or finance. One day you read in the news, that one hundred thousand records of your company with sensitive data of your customers have been leaked. How does that feel?

Only one thing is certain: data has to be protected!

Vishal Salvi desribes quite clearly the main problem in his article „Künstliche Intelligenz ist die Zukunft der IT-Sicherheit“. Cyber-attacks are becoming more and more complex and even technology-based services are not sufficient. One solution seems to be Artificial Intelligence (AI). Artificial Intelligence and Machine Learning (ML) offer a set of potential advantages against traditional methods of cyber security tracking. They detect anomalies faster and predict risk areas as well as substantiate the cyber security planning.[1].

The author is correct when he writes that the measures, which are described in his article, are an important contribution. But it is worthwhile to also think about other measures. Technical solutions and counteracting social hacking are very important, but physical and environmental security is crucial, too.

The complexity rises, but sometimes it is nonetheless simple

If we have a look at the informative illustration of „information is beautiful“, we can grasp how serious this topic is. Even big players are hacked and millions of data are still published[2].
Now imagine you are using the best technological protecting tools, firewalls, intrusion detection systems and services like SIEM or SOAR[3]. You feel very well protected.

Furthermore, the safety of your employees is very important for you too. Due to the corona pandemic, you would like to protect your employees, because they are your most important resource. Thus, you make home office possible for your personnel. But do you know the circumstances and conditions of the home office and do you actually know what happens in your company?

An engineer of your company could be working from home. At some point he has to go to the bathroom. He does not lock the screen of his computer, since he feels safe at home.

Coincidentally a friend of his son comes across the unlocked monitor and is fascinated of what he sees on the screen. He could take a picture with his smartphone and transfer the sensitive data.

At the same time, there are significantly fewer employees present in your company. But who controls visitors and vendors in your company? I have often made the experience as a visitor, that it would be very easy to acquire information. Even if you have to wait at the reception, you can ask for the next toilet. In most cases you will get the information and you can go through the building without any escort. A look at a screen, a grab in a paper basket or remaining documents in a department printer can provide a customer list or sensitive data. And you will notice that very often, employees will not address you. You do not believe this?

The Bitcom wrote in the article „Angriffsziel deutsche Wirtschaft: mehr als 100 Milliarden Euro Schaden pro Jahr“ that there are still analog attacks. One third of the companies declared, that IT and telecommunication devices were stolen. Sensitive physical documents, machines and components where thieved from every sixth company.[4].

The importance of physical and environmental security

Physical and environmental security is crucial. It is not without reason, that it forms an essential part of the ISO 27001. In the annex we find those controls named „A.11 Physical and environmental security.“[5]

The standard considers that assets such as information and necessary operating material physically exist in the company. For this reason, it is important to control the physical access to these assets and other injurious influences and to furthermore protect the used equipment.[6].

In essence, the matter is to control and protect building access, access to rooms and assets. The protection from destruction for instance through a natural disaster is crucial as well.

Furthermore, not only buildings have to be protected. If an employee travels by car and he takes a break and leaves his car with a laptop or USB stick unattended on the front passenger seat, this could be an invitation for a spontaneous theft. The recommendation „Do not leave equipment or media unattended (for example leaving a USB stick or laptop in a car);“[7] belongs to Control A.11.2.6 – Security of equipment and assets off-premises[8].

Summary and outlook

Occasionally you can get the impression that companies invest a substantial amount of money in technical measures to increase their IT security. But IT security is only one part of the equation. Information security goes beyond IT security. Locking laptops or storage mediums in a safe cabinet or protecting access to buildings or rooms is in general very easy. But the risks and possible damages, which could arise without any protection measures are enormous and severe.

Because of the corona pandemic and the increase in work from home these difficulties have augmented further. According to the current status the utilization of home offices will persist. Many firms already recognize cost benefits.

But employees do not have the necessary awareness and knowledge regarding information security. In addition, the employer does not have the possibility to fully control the circumstances and conditions in home offices. Thus, it is very important to provide awareness-raising measures and information supplementary to technical measures aimed at the reduction of risks and possible damages to the company or third parties. The alleged cost savings stemming from work from home are not in proportion to the costs and penalties which can occur due to lacking protection measures. Please do not wait until you must inform the authority about a data protection breach or until your corporate secrets have been stolen. Better act now!

---

Source References