Office visits: physical perimeter care measures
Although working from home has become a highly popular form of working in recent years, the office still exists, as do employees who work exclusively on site. Critical infrastructure and industrial plants are the obvious examples: we still haven’t reached the level of automation that would allow this type of environment to operate 100% independently. As such, the presence of human professionals in certain places is still crucial.
A common feature in the corporate world and something that, unfortunately, does not always receive its due attention from information security teams is the presence of visitors – whether the guests of employees, potential customers or partners, and so on. Be aware that any one of these visitors could very well be a malicious agent there with the intent to cause damage to the company, either by stealing privileged information or, perhaps, by planting a USB flash drive infected with malware.
In a brochure made available to the public, the United States Federal Bureau of Investigation (FBI) warns about the dangers that visits to corporate environments can pose and mentions a curious case: spies disguised as visitors to an industrial plant used duct tape on their shoes to collect samples of metal alloys from the ground and determine exactly which metal components that company uses to manufacture its aircraft. Never doubt the creativity of malicious agents!
Investing in physical security
To prevent a simple visit from becoming a nightmare, it is crucial to first invest in physical security controls, which include closed-circuit cameras, doors with passwords or biometric identification, an on-site security team, and so on. This makes it more difficult for an unauthorized individual to penetrate a high-security zone – a highly common trick among malicious visitors is to purposely "get lost" in a building.
A clear and strict policy regarding guided tours is vital. This includes establishing the need for prior approval for any outside individuals to enter the company's physical perimeter, prohibiting the use of cameras or recording devices, allowing access only to strictly necessary areas, and so on. It’s a good idea to have a team responsible for "escorting" the tours and ensuring that the tour does not exceed the previously agreed-upon scope, that sensitive issues are not discussed, and that restricted areas are not entered.
Each employee has a role
Of course, employees must also be made aware of the dangers that a malicious visitor may pose, so that they can help prevent unauthorized third parties from accessing the corporate environment. Training should also cover restrictions on providing information to visitors, unless employees are duly authorized to do so.