Focus on physical cybercrime, not just cybercrime

It is not only the computers but the integral components that the crooks will target. Computer crime is one of the fastest growing crimes in the UK, according to the Association of British Insurers; in 1995, a third of all business claims were related to computer crime. The loss of a computer or related equipment is not what represents the biggest loss; the biggest losses are the costs of business interruption and the loss of important or sensitive data.

There is a simple solution: prevent thieves from gaining access!

When budgeting for IT security, we must ensure that the expense is appropriate for the value of the IT assets at risk, not only the replacement value but also other losses incurred.

A simple risk analysis can be carried out by calculating the damage to your business that would result from theft of or damage to those assets. Create a what-if scenario and be sure to calculate everything: lost business, interruption of services, compensation to customers, and the cost of hired-in work or other contractors brought in for damage limitation.

Then take this figure and consider the actual probability of it happening, taking into account the prevailing threats and the current climate.

This information should not be taken lightly and should be used to create an IT security policy document, so that in the event of such an incident there is a chain of command from top managers down, a contact list with 24-hour phone numbers, and individual responsibilities, leaving no room for ‘I thought someone else was doing that!’ Each individual on the IT security policy team should have their own copy, and a signed ‘read and understood’ copy should be kept on file.

There should be a list of vendors and supporting systems that includes all identification marks and asset control numbers. This can only be achieved through formal training.

This might be a good time to call your local CPO (crime prevention officer).

Business premises that maintain a large number of computers clearly face a disproportionate risk of crime. If the IT team is spread out or dispersed throughout the facility, it is more difficult to establish a secure perimeter than if ‘IT’ were concentrated in secure pockets.

Let’s take a look at the physical security of the actual building.

No matter how good your entry/exit door locks are, if the door and frame cannot withstand a violent attack, your facility is vulnerable.

Health and Safety and security often don’t mix. For example, the regulations state that when the building is occupied, fire exit doors must be able to be opened quickly in the direction of escape without the use of keys. A perfect escape route for thieves too!

· Fire exit doors should not be overlooked. Regulations state that when the building is occupied, these doors must be able to be opened quickly in the direction of escape without the use of keys. Look to alarm these doors so that they comply with regulations but notify the appropriate people when access has been made. Perhaps CCTV cameras could also be installed. However, when the premises are empty, these doors can be secured like any other.

If you occupy multi-tenant offices, the security of the communal doors must be taken care of by the owner and the appropriate tenants. No one benefits if this area is considered someone else’s responsibility.

Look at the windows, check both sides for potential access points, and look for flat ceilings. Internal grilles should be considered for all accessible windows; don’t overlook skylights.

If there is no reason to use the forklifts after business hours, they should be deactivated at the end of the day, perhaps by taking them to the top and turning them off.

· Talk to your Crime Prevention Officer about installing an intruder alarm system connected to a central monitoring station. This must be installed in accordance with Association of Chiefs of Police (ACPO) policy and Association of British Insurers (ABI) guidelines.

Please note that designated key holders must be able to reach the building within 20 minutes of being notified of the alarm activation. This allows the police to check the premises if no forced entry is apparent. Consider using a reputable key escrow company if you are unable to meet this requirement.

· Keep the number of people capable of arming and disarming the alarm system to an absolute minimum and ensure they are provided with individual ‘pin’ numbers that can be monitored and their activity recorded. This will facilitate better management of the system and minimize internal shenanigans or activity by disgruntled ex-employees.
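One way to review the recorded activity of individual alarm codes, as an added example that is not part of the original article. The log format, code IDs, holder register, occupancy hours and holder cap below are all constructed assumptions, not the export of any real alarm panel.

```python
from datetime import datetime, time

# Constructed sample export: timestamp, action, user code ID (never the PIN itself).
SAMPLE_LOG = """\
2024-03-04 07:58:12,DISARM,U01
2024-03-04 18:05:40,ARM,U01
2024-03-05 02:14:09,DISARM,U03
2024-03-05 02:51:33,ARM,U03
2024-03-05 08:01:00,DISARM,U02
2024-03-05 18:10:27,ARM,U07
"""

# Assumed register of code holders; "left" is the leaving date, if any.
HOLDERS = {
    "U01": {"name": "A. Manager", "left": None},
    "U02": {"name": "B. Supervisor", "left": None},
    "U03": {"name": "C. Former", "left": "2024-02-29"},
}
OPEN, CLOSE = time(7, 0), time(19, 0)  # assumed normal occupancy hours
MAX_HOLDERS = 3                        # assumed cap on active codes


def audit(log_text, holders=HOLDERS, max_holders=MAX_HOLDERS):
    """Return (timestamp, code, reason) tuples for events that need follow-up."""
    findings = []
    for line in log_text.strip().splitlines():
        stamp, action, code = line.split(",")
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        holder = holders.get(code)
        if holder is None:
            findings.append((stamp, code, "code not in holder register"))
            continue
        left = holder["left"]
        if left and when.date() > datetime.strptime(left, "%Y-%m-%d").date():
            findings.append((stamp, code, "code used after holder left"))
        if action == "DISARM" and not (OPEN <= when.time() <= CLOSE):
            findings.append((stamp, code, "disarm outside normal hours"))
    active = [c for c, h in holders.items() if h["left"] is None]
    if len(active) > max_holders:
        findings.append(("-", "-", f"{len(active)} active codes exceeds cap"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
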

If employees work during periods of low occupancy, for example overnight or on weekends, it will be necessary to incorporate personal attack buttons into the alarm system. In these circumstances staff should never work alone; always ensure there is more than one person on the premises so that someone can raise the alarm.

Consider checking name signs that might advertise the presence of computers, and never leave computer-related boxes in public view. Empty or not, these cartons inform all passers-by that you have new IT equipment on the premises.

Burglars rarely rely on guesswork when selecting a commercial building to break into. This is not a ‘walk-in’ crime. Businesses have had new computers stolen the same day they were delivered, which is not just coincidence or extreme bad luck! It is obvious that intelligence is obtained before the event, through inside information or poor security measures. It cannot be overemphasized how important it is to control access during office hours as well as when closed.

If possible, restrict access to the building to one entrance/exit, controlling all other access points.

Are reception staff, whether security or receptionist, fully aware of staff who have left, whether voluntarily or not? All personnel must be identifiable. This begins at the reception point, where a visitor must be signed in and supervised by an authorized member of staff. It extends to active surveillance by employees who are fully aware of the defined procedure for challenging strangers.

If visitors sign in or receive security tags, does anyone verify that they actually leave the premises? Is anyone tasked with a procedure at the end of the day to check the building and make sure no one is hiding in it?

At the beginning we mentioned creating a perimeter for access control. If that perimeter is breached, the steps below will help you cut your losses.

· House your IT equipment carefully, away from the perimeter and behind obstacles that slow down and frustrate the intruder, for example, in closed rooms.

· Permanently and prominently mark the property with its full zip code. Heat marking or chemical etching can do this.

Anchor equipment to sturdy furniture and building fixtures with an enclosure unit designed to resist dismantling. Choose a product that has been certified to the 1214 Loss Prevention Standard.

If an enclosure unit is not used, special security screws are available that replace the standard back cover screws and help, to some extent, to prevent quick entry into the computer.

· You can get safes and security cabinets that allow computers to be used during the day and locked at night.

· Smoke generating devices, activated by the intruder alarm system, work to create conditions where intruder penetration is severely hampered.

· Computer alarms that detect tampering can be installed on the units. These are suitable for buildings during office hours or when an on-site response can be generated at night.

· Laptops should be locked up when not in use. Safety instructions should be given to staff for the care of the equipment when it is used outside the office.

· Key Security: Keys to security devices must be kept in the custody of authorized personnel only and must be removed from the premises when left unattended or stored in a locked safe.

Asset Control – Ensure there is an up-to-date inventory so that full details of any equipment that is stolen can be turned over to the police and insurance companies.
