• United States




Information security – let’s get physical

Nov 13, 20175 mins
Data and Information SecurityPhysical SecurityTechnology Industry

If we fail to leverage the combined power of both logical and physical security, we cannot possibly expect to fully secure any organization.

facial recognition - biometric security identification
Credit: Thinkstock

In the past few months, I have visited a variety of medical facilities, some as a risk management professional, and others as a patient. While I am confident that these practices had implemented a variety of data security measures, in almost all cases, their physical security suffered from obvious challenges, even based on casual observation. Examples of issues included lack or surveillance cameras, unprotected medical records, and unlocked doors controlling sensitive areas.

I suppose in once sense this is not surprising. With major incidents involving malware, ransomware, and network intrusions making the national news weekly, organizations are understandably focused on data security. Unfortunately, some of these same organizations have not kept up with advances in physical security and in some cases I suspect they have regressed.

The consequences of a breach in physical security can be at least as devastating as a data security lapse, and in some cases, far worse. One recent example, the theft of critical information from the National Security Agency (NSA), has had far-reaching consequences. While details of this incident are still sketchy, sources at the NSA have said that the theft resulted from an insider with sensitive access simply walking out with a USB drive loaded with data. The exploits stolen have been involved in many well-known network security incidents, including WannaCry, NetPetya, and most recently, Bad Rabbit.

Despite the tendency to consider physical and logical security to be different disciplines, it is increasingly clear that integrating the two can be very advantageous. In her article for CIO, How Integrating Physical and Information Security Mitigates Risks, Kim Nash states the case for integration quite well: “At many organizations, physical and information security remain separate entities by happenstance and by history. By integrating the two, however, companies can better protect the assets, employees and valuable data that keep the business going.”

Consider some examples of how physical and logical security incidents can be closely related:

  • While many aspects of an organization’s network are contained within their physical walls, the signal for the wireless network used by virtually every company today go well beyond those walls. A bad actor, sitting in a car in the company’s parking lot, can use various vulnerabilities to penetrate the network. With the recent discovery of Krack WPA2 vulnerability, this is even more troubling. Even more fundamentally, someone, such as a contractor, repair technician, or authorized visitor, can simply plug a laptop into a physical network port, many of which are active even when note used, and have full network access.
  • A bad actor can often obtain a password, just by calling a company’s help desk, and pretending to be a valid user.
  • Access can be obtained to a facility controlled by a badge access system by using easily obtained hardware components costing $10, as demonstrated at Black Hat in 2015.
  • Many data theft incidents happen each year because of lost or stolen devices. A software company I worked with a few years ago had a significant loss of customer information, because three employees, visiting a customer site together, ate together at a restaurant, with their laptops in the trunk of a rental car. Based on video recordings, a thief, who apparently realized that the car was a rental, took the three laptops out of the trunk unseen, in less than a minute.

If we are to have a chance of securing an organization, we must think holistically about security. This involves integrating the physical and networks security functions of an organization, by having those employees involved in each area working in tandem to address issues. In my experience, achieving this integration is quite difficult in many organizations. The training and experience by the individuals in each discipline are often quite compartmentalized, with an organizational structure that promotes this separation. To succeed, we must begin to break down this compartmentalization. Some suggestions for achieving this include:

Combined management

One option that can be used to ensure that the physical and data sides work together is to put both under a single management structure. The Chief Security Officer (CSO) can be a practical role under which to combine these.

Joint assessments

When assessing a facility for security concerns, include both physical and network security personnel. They will each spot issues within their own disciplines, and in the process, help to educate those in the other discipline.

Cross-functional internships

One approach that can be helpful is to have a physical security professional spend time with the information security team, and vice versa. This not only helps to educate professionals on both sides, it also helps to appreciate the challenges the others face.

Use a performance-based approach for each

In the information security discipline, we are accustomed to capturing and using metrics to identify successes and gaps in the program. The physical discipline is not nearly as likely to take a measured approach. In their publication Physical Security and Why It Is Important ,the SANS Institute sums it up well: “Data can be used to make informed decisions to lower risk in the most cost-effective method. Without these metrics, the security program will not be able to effectively manage security controls.”

Bottom line – securing an organization in today’s environment is extremely difficult as it is. If we fail to leverage the combined power of both logical and physical security, we cannot possibly succeed. If we can successfully break down barriers and combine them, the implications for security improvements are huge.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author