Here are two facts from security experts: First, physical access always trumps technical savvy; and second, facilities and maintenance staffers make soft targets.
That's why Eric Cowperthwaite, chief information security officer at Providence Health & Services in the US, recommends developing specific training and awareness programs for building managers, cleaning crews and other facilities workers.
"The key is using multiple delivery tools, including electronic, in-person and paper [presentations]," he says. Providence, for example, distributes trifold brochures, and cards that workers can carry in their wallets. Every month, a half-page security bulletin goes out via e-mail that addresses a new security topic and offers three to five tips on how to recognize a threat and prevent it.
Keep these three things in mind when considering potential threats at your company.
1. Don't assume all is as it should be
If a person is wearing a badge, most employees assume that he is authorized to be there. But crafting a counterfeit badge is well within the talents of your average 10-year-old with a color printer, notes Michael Theis, chief of cyber-counterintelligence at the US National Reconnaissance Office.
IT's response: Security training "should aim to get employees invested in the idea that they need to be curious," Theis says. "If you see someone you don't recognize, ask them who they are."
Darryl Lemecha, CIO at Vertafore, provides the company's security guards and janitorial and building staffs with a list of names and photographs of outside service workers, such as delivery and cleaning people who are authorized to enter the building.
2. Beware big risks in small packages
Incoming letters and packages can easily be tampered with en route, but they are rarely inspected closely upon arriving at a company's mail facility. This can cause big problems, especially for companies like Vertafore, which frequently receives CDs, tapes and other media containing customer data.
IT's response: Vertafore has developed a process of due diligence to make sure that all packages are intact before they're accepted. "We refuse packages that have been damaged in shipping, because customer data may have been lost or tampered with," says Lemecha.
3. Now's the time to change the access codes
Four- and five-digit push-button locks on corridor doors, elevators and even data center doors offer another line of defense against intruders. But all too often, the access codes remain the same for years, experts say. That means anyone who has ever worked in that building can still enter areas that should be off-limits to them.
"The building I'm in has a code on the elevator, and the code hasn't changed since we moved in three years ago," says Chris Blake, workstation administrator at The Benchmark Group. "Everyone who has ever been in this building knows the code, but the building owner has been reluctant to let us change it."
IT's response: Have a regular schedule for changing access codes to secured areas. Also, when employees leave a company, their key cards should be deactivated and their badges confiscated and destroyed.