In traditional physical security, as well as in fire prevention, there is a KPI that deals with the time it takes for an attacker to bypass the system or, in the case of fire prevention, how long a device can withstand fire (for example, a 2-hour fire-rated door).
This KPI can effectively be split into 3 categories.
1. Deterrent / Proactive Security Measures – these are designed to dissuade a potential attacker from carrying out their attack.
Examples include:
- A sign indicating a surveillance or alarm system.
- A tall gate or fence with barbed wire
- A metal detector or package scanner
2. Active / Reactive Security Measures – these are designed to slow or prevent the attack if the deterrents were not enough.
Examples include:
- A strong lock that increases the time required to break in
- A security guard
- Alarm system
3. Recovery methods – these are used if the deterrent and active security measures fail.
Examples include:
- CCTV footage
- Insurance policy
Let's take the example of a bank. A bank may have a vault with a strong lock and 2 keys required for its operation. The 2 keys stand as a deterrent to insider threat, since two employees would be required to conspire to steal from the bank. The 2 keys also mean that a thief cannot get in by obtaining just 1 key; obtaining 2 keys creates an additional challenge, which requires additional time and planning. The strong lock and vault material are intended to slow a brute force attack against the vault, allowing time for security or the police to show up. The alarm system acts as an early warning device to notify the authorities of suspicious activity. The CCTV system provides evidence that an attack took place, allowing the authorities to investigate and potentially catch the thieves. If all else fails, the CCTV footage can also provide information to management on how to better protect against these attacks in the future, and can serve as evidence when filing a claim with the insurance company for incurred losses.
In this example I go over a strategy that a bank may take. However, even most small businesses take many of these safeguards to protect their physical location. All businesses will have a lock on the door, and most will have some kind of metal gate, designed to be an additional deterrent as well as to help minimize damage during attacks like vandalism. Most businesses will also have an alarm system that connects to a central station for monitoring. An increasing number of businesses rely on CCTV, often with footage that is archived to the cloud. Lastly, businesses will rely on an insurance policy to help cover the risk that they can't afford to sustain.
So if businesses are willing to make all of these efforts to safeguard their physical property, why do many business owners assume that simply having anti-virus software on their devices is sufficient to protect their data?