We consistently talk about how to protect your virtual data. However, sometimes we neglect to think about our physical security: things like filing cabinets, paperwork on our desks and unwanted guests walking into our offices. Today in the Evolve IT Lab, Lachie and Ben from SOPHOS discuss how you can protect your office from physical security risks.
Have you done a selfie test lately?
Lachie: Good day, guys and welcome back to the "Evolve IT Lab." My name is Lachie and today we've got a really special guest. We've got Ben from SOPHOS. Welcome, Ben.
Ben: Thanks for having me.
Lachie: Ben is the cybersecurity expert from SOPHOS and today we're going to be discussing physical security, or things like desktops, filing cabinets, people gaining access to your organization. So, Ben is going to discuss that for us, which can be a real risk. Ben, why don't you describe what physical security is?
Ben: So it's not just the means of a door lock, and that's what a lot of people perceive it as. It's essentially looking at, say, your policy. Are you allowed to have people tailing you into a building? When you badge in, are they following you? It's filing cabinets that are not locked, it's papers that you keep on your desk, it's post-it notes with your passwords. That kind of thing.
Lachie: Yeah, right. So that certainly opened my eyes when you were telling me about that because I started to think, "Oh, wow. Who is following me into the building? Am I leaving the door open too long? What's happening?" What are the risks if someone does gain access?
Ben: Yeah, well, it's all about penetrating further into the organization. And what can they understand? What can they use for, say, reconnaissance to further attack your organization? If someone really wants to get in, can they, say, use post-it notes like I said earlier? Is there information in a filing cabinet that may be useful to the media? It's these kinds of things that you need to be mindful of.
Lachie: Yeah, wow. Earlier you were telling me about this story about something that happened in Hawaii. Why don't you tell our viewers about that?
Ben: Absolutely. So, there was a test of the Hawaiian Emergency Broadcast System about a month ago. Essentially an alert went out to say, "There's an incoming missile attack." And out of that everyone panicked, and as a media reaction, they went to see the person that triggered the alert for Hawaii. And on that person's desk they had a post-it note that said the Wi-Fi password. It said their user password. You could also see their operating system and the browser that they use. So you can essentially use all of that as pieces of a puzzle to attack someone, especially knowing the operating system and browser.
Lachie: Especially the sort of organization that he would have come from. They could have certainly done some damage, should they have gained access.
Ben: Absolutely, they could have.
Lachie: So, you also had a really cool idea about how some of our viewers can do a similar check to see how much data they'd be giving away should a photo be taken. Why don't you tell them about that?
Ben: Absolutely. So, I like to do the selfie test. So, get to your desk in the morning, make your coffee, and take a selfie. Have a bit of your office in the background and just see what you can identify from those photos. Is there, say, even a shredder spinning in the background, so people know the brand of shredder that you use, or are there passwords, are there documents, can you see the operating system, is your computer locked, that kind of thing. So, just have a bit of fun and see what information you can gain from a selfie.
Lachie: Yeah, right. And I suppose after that you'd be cleaning your desk. You'd be making sure that when you're taking those selfies, none of that sort of stuff's in the background.
Ben: Who knows?
Lachie: Yeah, right. All right, Ben. Well, thank you so much for coming in. And thank you, guys. We'll see you next time.