Protecting a company's assets is getting far more complicated. Physical security professionals have to worry about much more than physical assets; they also have a critical role in protecting electronic assets. I just read an interesting article from CNN about the cost of cybercrime. Here's the gist:
A few years ago a disgruntled employee at a large multinational automotive firm left the company -- but when he walked out the door, he also walked out with the plans for a new car model under development, on a cheap USB drive.
When the plans were leaked, the cost to the company was an estimated $1 billion in lost sales and increased research and development costs.
Yep, you read that right: $1,000,000,000. All on a single thumb drive.
When the WikiLeaks story came out, I talked to several security professionals about the role of physical security practitioners in this increasingly IT-driven world, in this SDN article.
“First and foremost these recent events should be a wake-up call for organizations to make sure they understand where their data is, what is sensitive data, and who has access to it,” said Steve Salinas, product marketing manager of the forensic business unit for Guidance Software, a provider of digital investigations.
And security professionals must remain vigilant about employee behavior. Is someone coming in on weekends when they have never done that before? Is an employee exhibiting strange behavior? Strong collaboration throughout the organization is really the key: human resources needs to tell security about possibly "disgruntled" employees, and security needs to tell IT about them, too. Is there a correlation between their physical behavior and their electronic behavior?
Policy is also important. In the same SDN article, Jon Oltsik, principal analyst for Enterprise Strategy Group, a full-service IT analyst and business strategy firm, said companies should use the principle of least privilege: only those who need access to certain information have it, and those who don't need it don't have access. Here's more:
It's also important for a company to limit the number of people who have access to critical information. Then, once those privileges are determined, organizations should monitor what employees are doing with the information. Are they saving information to laptops unnecessarily? Are they transferring information to thumb drives? It's also important to set up controls. For example, a company should set up controls so that employees can't email certain types of files to email addresses outside the company, or so that only approved USB drives can be inserted and used to transfer information on company computers.
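To make the two ideas above concrete (correlating a person's physical behavior with their electronic behavior, and allowing only approved USB drives), here is an added Python example. It is my illustration, not code from the SDN article or from the vendors quoted. The two log formats (`timestamp,user,event,detail`), the badge and endpoint events, the `BASELINE_END` cutoff, and the `APPROVED_USB` serial allowlist are all constructed for the example; a real deployment would feed it badge-system exports and endpoint-agent telemetry instead.

```python
"""Correlate badge (physical) logs with endpoint USB events.

Added example: the log formats and sample data below are constructed,
not taken from any real system.  Format: timestamp,user,event,detail
"""
from datetime import datetime, timedelta

# Constructed badge-reader export. 2011-01-08, 01-15 and 01-22 are Saturdays.
BADGE_LOG = """\
2011-01-03T08:55:00,jdoe,BADGE_IN,hq-lobby
2011-01-04T09:02:00,jdoe,BADGE_IN,hq-lobby
2011-01-05T08:47:00,jdoe,BADGE_IN,hq-lobby
2011-01-08T10:15:00,asmith,BADGE_IN,hq-lobby
2011-01-10T09:01:00,jdoe,BADGE_IN,hq-lobby
2011-01-15T07:30:00,asmith,BADGE_IN,hq-lobby
2011-01-22T06:40:00,jdoe,BADGE_IN,hq-lobby
"""

# Constructed endpoint-agent export. 'detail' is a ;-separated key=value list.
ENDPOINT_LOG = """\
2011-01-10T09:30:00,jdoe,USB_MOUNT,serial=CORP-0001
2011-01-15T08:10:00,asmith,USB_MOUNT,serial=CORP-0002
2011-01-22T07:05:00,jdoe,USB_MOUNT,serial=KINGSTON-7F3A
2011-01-22T07:09:00,jdoe,FILE_COPY,dst=removable:KINGSTON-7F3A;file=model_x_plans.zip
"""

# Hypothetical allowlist of company-issued drive serials.
APPROVED_USB = {"CORP-0001", "CORP-0002"}
# Everything before this date is treated as the behavioral baseline.
BASELINE_END = datetime(2011, 1, 17)


def parse_log(text):
    """Parse 'timestamp,user,event,detail' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, detail = line.split(",", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, "detail": detail})
    return events


def _fields(detail):
    """Turn 'k=v;k2=v2' into a dict."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)


def weekend_badge_anomalies(badge_events, baseline_end):
    """Weekend BADGE_IN events by users who never badged in on a weekend
    during the baseline period (weekday() >= 5 means Saturday/Sunday)."""
    seen_weekend = {e["user"] for e in badge_events
                    if e["kind"] == "BADGE_IN" and e["ts"] < baseline_end
                    and e["ts"].weekday() >= 5}
    return [e for e in badge_events
            if e["kind"] == "BADGE_IN" and e["ts"] >= baseline_end
            and e["ts"].weekday() >= 5 and e["user"] not in seen_weekend]


def unapproved_usb_mounts(endpoint_events, approved):
    """(event, serial) pairs for USB_MOUNT events whose serial is not allowlisted."""
    out = []
    for e in endpoint_events:
        if e["kind"] == "USB_MOUNT":
            serial = _fields(e["detail"]).get("serial")
            if serial not in approved:
                out.append((e, serial))
    return out


def files_copied_to(endpoint_events, user, serial):
    """File names the user copied to the removable device with that serial."""
    return [_fields(e["detail"]).get("file") for e in endpoint_events
            if e["kind"] == "FILE_COPY" and e["user"] == user
            and _fields(e["detail"]).get("dst") == f"removable:{serial}"]


def report(badge_text, endpoint_text, approved, baseline_end,
           window=timedelta(hours=2)):
    """Join unusual weekend badge-ins with unapproved USB mounts by the same
    user within `window` after the badge-in, and attach any files copied."""
    badge = parse_log(badge_text)
    endpoint = parse_log(endpoint_text)
    hits = []
    for b in weekend_badge_anomalies(badge, baseline_end):
        for u, serial in unapproved_usb_mounts(endpoint, approved):
            if u["user"] == b["user"] and timedelta(0) <= u["ts"] - b["ts"] <= window:
                hits.append({"user": b["user"], "badge_in": b["ts"],
                             "usb_mount": u["ts"], "serial": serial,
                             "files": files_copied_to(endpoint, b["user"], serial)})
    return hits


if __name__ == "__main__":
    for h in report(BADGE_LOG, ENDPOINT_LOG, APPROVED_USB, BASELINE_END):
        print(f"{h['user']}: weekend badge-in {h['badge_in']}, "
              f"unapproved drive {h['serial']} at {h['usb_mount']}, files {h['files']}")
```

On the sample data only jdoe is flagged: asmith badged in on a Saturday during the baseline period, so a later Saturday badge-in is normal for that user, and both of asmith's drives are on the allowlist. The point of joining the two sources is that either event alone (an early-morning weekend badge-in, or a non-corporate drive) is noisy on its own; together they are exactly the physical-plus-electronic pattern the post asks about. The allowlist check is the detection side of the "only approved USB drives" control; the enforcement side lives in the endpoint agent or OS device policy.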
Does your company have these types of controls in place?