Cybersecurity for Business
May 28, 2025
Why Physical Security Is Still Necessary for Cybersecurity
Physical security is an essential, but often overlooked, factor in cybersecurity.
When you think of cybersecurity, what comes to mind? Firewalls, password managers, encryption? With all this software and hardware, it's easy to overlook a critical aspect: physical security!
This means the safety of your devices and systems from theft, damage, or tampering. In the pre-digital age, physical security was simply referred to as "security."
Whether you own a small business or manage IT at a corporation, protecting your systems from physical threats is as important as guarding against digital ones. In today’s world of hybrid and remote work, you must consider security beyond the walls of your office.
A stolen laptop, an unlocked office, or a tampered USB stick can create a doorway into your systems. In many cases, physical access can bypass software protections entirely, because the attacker isn't reaching your systems through the web but in person.
By examining how physical vulnerabilities can lead to tech compromises, you can learn how to reduce your company's risk.
Physical threats to your business you should consider
1. Physical surveillance
Cybercriminals aren’t pixels; they’re in-the-flesh people. And before launching an attack, they might engage in physical surveillance to gather intelligence about your business.
This includes watching who comes and goes, observing habits at work, or eavesdropping on conversations in public areas. Cyber experts have a term for this – human intelligence, or HUMINT. HUMINT can be used in everything from crafting spearphishing emails to breaking and entering.
What to do:
Install visible cameras around entrances and sensitive areas.
Use badges or ID checks to limit access.
Train employees to report unfamiliar individuals or suspicious behavior – don't let unknown people in!
2. Hardware tampering and unauthorized access
Criminals don’t always need to hack your network. They might simply walk in and access an unlocked, unattended computer!
Even plugging in a malicious USB device can give them a foothold. Laptops, desktop computers, printers, servers... any of these can become entry points if not properly secured.
What to do:
Require workers to shut down or lock devices when not in use.
Require long, complex, and unique passwords and consider using a password manager at your business.
Block USB devices and other removable devices by default.
Lock server rooms and network equipment cabinets.
3. Insider threats
Not all attacks come from outsiders. The danger can come from within, especially from someone who has a bone to pick or a chance to pocket extra cash.
Disgruntled employees and contractors can pose a risk to your systems and data. Even well-meaning staff can make mistakes that can lead to security issues.
What to do:
Use the "principle of least privilege" (PoLP): give workers access only to the information they need.
Only allow authorized employees to have access to server rooms or networking devices.
Monitor activity with audit logs – user behavior analytics (UBA) tools are also useful.
Conduct regular training focused on insider threats and other cybersecurity topics – and celebrate Cybersecurity Awareness Month with us every October!
4. Keep software, devices, and systems updated
Cybercriminals exploit known security flaws in outdated software. Ensure your operating systems, applications, plugins, and drivers are always up to date. We recommend that you enable automatic updates whenever possible. It's worth the time it takes to update.
5. Social engineering
Social engineering is a common tactic of online attackers, but it works just as well in the real world. Physical social engineering might involve tricks like "tailgating" into a secure building – a person holds two cups of coffee and asks a passerby to let them in, for example. It could involve planting a malware-laden USB drive where an employee might pick it up and plug it in to see what's on it.
Social engineering plays on our natural urges of curiosity and helpfulness, as well as everyone's capability to make simple mistakes. Unfortunately, it's pretty effective!
What to do:
Restrict access to areas by using keycards, codes, or biometrics.
Teach employees never to plug in unknown devices like USB drives or SD cards.
Implement a visitor escort policy in sensitive areas, and teach your staff to keep their desks clean of sensitive material – devices shouldn’t be left unlocked and unattended.
"If you see something, say something" is a great motto to have to help keep your office secure.
Don’t forget remote and hybrid workers
In hybrid work environments, your company's perimeter is blurred – employees now access systems from home offices, coffee shops, or coworking spaces, and the use of personal devices increases.
Tips for remote and hybrid workers:
Make sure your remote staff is trained on security topics, like using strong passwords and MFA, as thoroughly as your in-person staff.
Provide company-owned devices with encryption for remote staff.
Teach workers to store devices securely, especially when traveling.
Educate remote workers about "shoulder surfing" and being aware of what other people might be able to see on their devices or phones in public.
Invest in mobile device management to manage the devices remote workers use.
Secure the physical to protect the digital
Cybersecurity is about software, sure, but it's also about who touches your hardware, sees your screens, and walks through your doors. Taking physical security seriously will improve your defenses in both the real world and the digital one. To learn more about becoming resilient, sign up for our newsletter! Small businesses that want to boost their security should look into our CyberSecure My Business program, which was crafted with smaller operations in mind!