This blog has been updated January 2023 and continues our cyber security user awareness campaign, all of which can be viewed here:
Organizations are becoming increasingly aware of online security threats. In fact, a recent survey found that 89 percent of all desktops and 80 percent of all laptops are equipped with some type of antivirus software. While businesses may not want to disclose whether or not they’re protected from online threats, having an antivirus on a company machine is practically a given.
However, physical security is an often-ignored challenge for many businesses, especially as some employees have returned to work in the office. Since many businesses are constantly warned of threats caused by poor device and network security, protecting their actual office has fallen to the wayside.
Malicious actors, or people who want to steal valuable company assets, will exploit any method to gain access to valuable information – whether it’s taking advantage of social norms, office security, or IoT devices, they will always try to find a way. Here are ten security risks to be aware of to help you guard against the most common risks in your office.
Many workplaces incorporate some kind of access control in their offices – whether it’s locking the door outside of normal business hours or requiring that all employees use an ID card to unlock the door. However, these measures can be thwarted by a practice called tailgating.
When malicious actors use tailgating, they take advantage of politeness by letting an authorized employee unlock the door and expecting the employee to hold the door for them. The risk of tailgating can be minimized by installing anti-tailgating doors that utilize RFID or turnstiles to make sure everyone swipes before entering, or by training employees not to hold the door for people they don’t recognize. If an employee accidentally lets an unfamiliar person through, they should report the event to security personnel for screening.
Chances are, your office has paper documents scattered about – whether they’re on desks, in the printer bay, or in the recycling bin. These carelessly stored documents can be the golden ticket for a malicious actor. All they need to do is take the document, take a photo, or memorize a few important details on the document to access confidential company information.
Mitigate this risk using a number of organizational policies. A clear desk policy will ensure that your documents are put away whenever an employee leaves their working space. Printer authentication will ensure documents aren’t sitting in the printing bay. And shredding important documents will prevent malicious individuals from lifting documents from the garbage.
If you leave your laptop open and unlocked, it’s easy for a malicious actor to simply swing by and look through your personal documents. To avoid this, set a timer that will lock all company computers after five minutes of inactivity, and require a password to reenter the computer. You should also encourage employees to close their laptop every time they leave their workspace.
Devices can be taken out of commission for a few reasons. Maybe they need repairs, or maybe they’re just not powerful enough to keep up with modern demands. However, if a thief can learn where these devices are stored, they are often able to take a device without being noticed for days at a time. That’s more than enough opportunity for them to gain access to the data inside.
To resolve this issue, make sure that your IT team securely stores or destroys old work computers, phones, and other devices, paying special attention to ensuring that information on the hard drive is completely inaccessible.
For skilled social engineers, it’s not difficult to gain access to an office for less than $20. All they need to do is buy a discounted pizza delivery outfit from a thrift store, pick up a few inexpensive pizzas, and knock on a door. They’ll likely be allowed access by an employee who doesn’t even ask who they are – they only ask who is getting the pizza.
This trick can be played out in a million different ways – but the best way to thwart this attempt is to educate employees and enhance your physical security. Make sure that all visitors are checking in with front-desk receptionists or security personnel and tell your employees to direct all unknown people to the main entrance for screening.
IDs are a great way to keep your workplace secure, but physical IDs can be stolen. If you don’t have a contingency plan for stolen IDs, your office security plan will quickly fall apart. Educate your employees on the importance of protecting their IDs, and make sure they never share an ID with another employee. If employees are losing cards on a regular basis, offer them a belt clip or similar device to help them keep the ID on their person.
When an ID goes missing, employees should be encouraged to report the missing ID as soon as they can. When a missing card is reported, the previous ID should be deactivated while a new one is made for the employee.
Who doesn’t love a good mystery? Well, if that mystery is packaged in the form of an abandoned USB drive, your security team surely won’t like it. Since hackers understand the power of curiosity, they may leave USBs or similar storage devices in areas that are frequented by members of your office – such as local coffee shops or parking lots.
When an employee plugs the USB into their device to learn what’s inside, they may not notice anything at first. However, the USB may install sly malware like a keylogger or spyware, or even open your business up to an immediate breach. To prevent this, make sure employees know that unknown storage devices do not belong anywhere near their computer. If they’re dying of curiosity, they should ask IT first.
Even if your employees know about the malicious USB trick, do they know how dangerous unauthorized IoT devices can be? Something as insignificant as a USB-connected mug warmer or desk fan can easily be compromised upon manufacture, or otherwise compromised during a breach. To avoid any problems with IoT devices, ask employees to check in with IT before they use any personal IoT solutions.
If an employee wants to download an unauthorized program – whether it’s for fun or productivity – they may open your network up to a range of malware and security threats. While the IT team will gather business requirements, the IT security team will create and maintain the list of approved business applications. These approved business applications will be whitelisted to prevent any other applications from being downloaded by the users.
Keyloggers often go unnoticed, especially if they are installed in person. While it’s unlikely that a thief would sneak into your office only to install a keylogger, you could have an entrenched keylogger installed on your machine by a fly-by-night third-party repair company. If employees complain that there’s a lag when they type, or if they’re sharp enough to notice that there is a strange background process running, keyloggers may be the culprit.
If an employee believes they’ve fallen victim to a keylogger or similar type of spyware, they should report it to their IT security team immediately. Make sure that your current antivirus solution has anti-keylogging capabilities and ensure that his or her device is up to date.
While many security threats originate online, organizations need to be acutely aware of threats that commonly occur within the four walls of their office. Often, these solutions require extensive, regular employee training as well as a vigilant IT team. However, it all begins by taking inventory of both online and offline security measures. If your business takes both physical and virtual security seriously, they will be protected against a range of dangerous threats.
Secure your Microsoft Modern Workplace with 24x7 specialist support, security awareness, and threat monitoring.
Secure your Microsoft Modern Workplace with 24x7 specialist support, security awareness, and threat monitoring.
