Too often we hear people say things like, “Oh, I don’t know anything about security because I’m not technical.” We hear family members use their lack of computer savvy as a reason for poor security choices. Our friends look at us with glazed eyes whenever we mention “information security” or “security awareness” because, to them, it sounds like we’re going to start spewing technical jargon. Too many people hear ‘security’ and instantly shy away from it for fear that they won’t understand it.
Maybe you even find yourself thinking from time to time, “I could never understand all of that. I’ll let someone else worry about it.” Maybe it’s daunting to set up a secure wireless network or think about installing a firewall when you’re not entirely sure how they work.
But guess what? Security is much more than technical controls. While there are highly complicated technical aspects to securing networks and protecting data, there are many other components to strong security that don’t involve technical savvy at all! Security is something that everyone can play a role in, even without knowing the ins and outs of the internet or how computers work.
When we look at the three domains of security – cyber, human and physical – we can see many examples of nontechnical security awareness in each. In the cyber domain we know to back up our personal digital files and not to click on phishing links; in the human domain we stay on the lookout for social engineers and pretexting scams; but the physical domain is chock-full of so many great nontechnical lessons (Clean desks! Shredding! Situational awareness! Locked doors!) that we’re going to have to look at several of them in more detail.
Focusing on nontechnical and physical security will greatly improve your overall security awareness.
What is Physical Security?
The physical domain is often overlooked because many people think “physical security” means only security guards and cameras. With so much emphasis on technical controls, many people neglect physical concerns to their own detriment. Physical security encompasses a wide range of scenarios in all three areas of our security lives: professional, personal and mobile. To raise your awareness, ask yourself the questions listed under each area:
The professional life area is all about your work and/or your organization. It’s important everyone knows how to report a cyber security incident and that everyone follows company policy and security controls. We want to protect not only our employees’ data but also that of our customers. We want to keep our networks and systems clear of malware and criminal hackers, thereby maintaining the integrity and confidentiality of the data we have.
Who has access to your building?
Who has access to areas in which sensitive data is kept?
How do you control who has access?
Do you keep a clean desk?
How do you protect computer screens on site?
How do you store/transport hard copies of sensitive data?
Do you know and follow shredding policies at work?
The personal life area is about you and your family. You want to protect your kids from the dangers of the internet, from falling for phishing scams or clicking on malware links. You want to keep your home network safe from the bad guys and back up all those vacation photos and that novel you’re writing. You want to make sure everyone in your family is conscious of how much information (and which information!) they share online.
Who has access to your home?
How secure are the doors and windows of your home?
How do you protect physical sensitive documents (medical, financial, etc.)?
Where do you store physical backups of important data?
Do you shred sensitive documents before tossing them?
Does your family have a disaster recovery plan?
The mobile life area is all about the information kept on and shared with your mobile devices, whether they’re laptops, smartphones or tablets. Many of us use mobile devices for both personal and professional data and must remember that these devices should be protected like every other computing device. Our lives have become so tied to our mobile devices that losing one, or the data on it, could be detrimental not only to us personally but to our families, our friends, our colleagues and our companies.
Who has access to your mobile devices?
Do you use lock screens on all of your mobile devices to prevent unauthorized access?
What do you do if a mobile device is lost or stolen?
How do you protect mobile devices while traveling?
Are you alert to who can read your screen when you’re using your device?