How employee behaviour online could be putting your physical security at risk

With attacks on the rise, cybersecurity remains a hot topic for businesses. But something that isn’t always recognised or talked about is the threat that the digital world can also pose for physical security – from your premises, to your people and your assets.

The line between the online and offline world is blurring and this has opened the door to a raft of new security risks that companies need to stay on top of.

According to Venture Security MD Paul Howe, it’s one of the reasons why it’s so important that IT and facilities teams work together on their security strategies and continually review them alongside the latest threats.

Paul explains: “Traditionally, IT and facilities team may have operated in silos with little crossover or interaction. But as the online threat grows, so too does the offline one, as criminals look to exploit any and all opportunities.

“Information gained online can be used to target property and assets offline. The reverse is also true, whereby stealing physical assets such as computer equipment and smart phones may then give criminal’s access to critical company data. Providing them with even more opportunities to exploit.”

Paul continued: “We know that social media in particular is a popular way for criminals to target employees, to try and gain valuable information. And there are all sorts of social engineering scams around. Employees may unknowingly share something that poses a risk, such as a photo of a set of keys to a new office building, or talking about how they’re excited about heading out for the work Christmas lunch later. Even seemingly harmless photos in the office could give away insights about the company’s security measures, access points and layouts.

“Another area of risk that has opened up is thanks to the shift to remote and hybrid working. Where systems are not entirely secure, or where employees may be using their own laptops and phones, there is a risk they may be more easily hacked and sensitive company information accessed.    

“That’s why we would always recommend that teams work together to ensure any security strategy covers all risks, including those posed by cyberattacks and online behaviour, and that education and awareness forms a core part of those plans.” 

Examples of where cyber security can impact physical security

1. Area of risk - Remote working

 During the various lockdowns, business’ reliance on technology accelerated, with employees needing to work from home. For many, these flexible working patterns have since become the norm, with hybrid working – a mix of home and office based working – becoming increasingly popular.

While this move online succeeded in keeping many businesses afloat, it also created fresh opportunities for enterprising criminals. This is especially true where businesses made the jump to remote working at speed and without strong systems in. Employees, for example, using their own devices and poorly protected (or even unprotected) internet connections.

What we have seen is sophisticated phishing scams starting to circulate, while other groups have sought to take advantage of weaknesses in company firewalls and even hacked home smart devices, to gain access to internal company systems.

2. Area of risk - Cyberattacks

 Cyberthreats are highly prevalent and attackers target any and all types and size of businesses. Indeed, it’s estimated that up to 88% of UK companies have suffered breaches in the last 12 months. Whether it’s a ransomware attack, being hacked, or the use of other malicious code or malicious software, cyber threats can be devastating for any business.

One way cyberattacks can impact physical security is through criminals gaining access to sensitive data or insights about a company that they can then use to their advantage.

Examples here would be floorplans, details about physical security systems, and security guards and their rotas (that could show when the premises are manned and by whom). Alarm and key code information is something else they would love to get their hands on, along with access to surveillance cameras and even access control points.

An online security breach of your business servers has other physical security implications too. With access to internal systems, such as diaries, supplier lists or employee personal information, criminals may be able to gain physical access to your building, for example, by posing as a contractor or employee.

3. Area of risk - Social media

 Along with email phishing attacks, social media is a common tool criminals use to try and scope out a business or gain access to information that is outside of the public domain.

Employees posting internal photos of your office or sharing their movements online can all put the business at potential risk. Over time, these types of notification can alert a criminal to how many people work in your organisation, the office layout, and the types of high value items being stored on site.

Sharing posts about team away days or ‘out for lunch’ updates in real-time can also signal to a criminal that your workplace may be quieter or empty, making it a prime target.

Plus, there is the risk of an employee clicking on a dodgy link that either welcomes in a virus or spyware to the company systems or knocks out their individual machine.

If a criminal does manage to make off with, say, a company laptop, they may be able to use that to gain access to bank accounts and payment details, or even those of customers, causing you a GDPR and reputational nightmare.

What should you do to protect your business?

When it comes to any type of security, assessing the risk, putting the right measures in place to reduce that risk and then regularly assessing their effectiveness is key.

Teams need to work together and also alongside employees, to educate them on the risks and keep awareness high. Consider introducing a social media usage policy too if you don’t already have one.

Take all steps necessary to address your physical security weak spots and seek the advice of an experience security provider, such as ourselves here at Venture Security, to ensure you are fully protected 24hrs a day, 365 days a year.

To find out more about our popular security services, including Manned Guarding, Mobile Security Patrols, Locks & Unlocks Services, and Key holding & Alarm Response, call us on 01264 391 538 or email [email protected]