Physical security
Companies often overlook the physical security of servers, computers and network devices.
If someone can steal a server, then the operation of the company will be severely disrupted. Even assuming you have working backups, obtaining suitable hardware and restoring from backup is going to take days at a minimum. The thief can break into a stolen server at their leisure, either by removing the disks and reading them from another machine or by using a password cracker.
The theft of a workstation is more likely, especially a laptop. Company laptops often contain data that might be useful to a competitor or just damaging if it falls into the wrong hands. Handheld devices and smartphones are at the most significant risk of theft. These contain email and contacts, which are open to misuse. The loss of customer data would also fall foul of GDPR and could result in costly legal action.
These are all obvious risks, but there are many more to consider:
- Is physical access to IT equipment controlled?
- Are equipment cabinets locked and keys kept securely?
- Can the cases of computers be locked against theft of hardware?
- Are machines encrypted? A password alone won’t keep data safe if the disks can be removed and read from another machine.
- Can a thief copy data to a USB device?
- Could someone access the wired network with their laptop?
- Allowing non-company equipment access to the network could introduce a virus.
- Could someone boot a PC using a compact disc, floppy or USB key to access data?
- Is small or lightweight hardware like laptops, computers and printers physically locked down?
- Are phone extensions vulnerable to making unauthorised calls or dialling premium numbers?
- Does the company have a procedure for tracking company hardware and software?
- Can handheld devices be remotely wiped if lost or stolen?
- Rack-mounted equipment is more secure than desk-mounted equipment.