How Secure Is Your Physical Office Space?

Posted on November 26, 2019September 9, 2020

Data and IT Security goes well beyond cyberspace. The security of your physical office space may also be at risk. A successful physical breach by an outsider could produce unauthorized access to packages, equipment, documents, as well as threats of theft and employee safety.

AAFCPAs has outlined for your considerations some best practice recommendations to help secure your organization’s physical location(s).

Piggybacking

Piggybacking, or the close following of an employee through company entrances, is a risk to physical office spaces during business hours. Employees often allow visitors to roam the space without supervision, assuming that they are a new employee or there for another approved purpose, such as building maintenance.

Once intruders gain discrete access to your office, they could steal equipment or install devices on your network, which would then allow them to access your systems remotely after the fact.

RFID Badge Cloning

Employees should always keep their badges with them, and should shield them when in small spaces, such as elevators. Shielding will make it more difficult for intruders to clone badges. RFID badge cloning can be achieved from anywhere between a few inches and several feet away. Badges may be shielded using RFID blocking wallets or aluminum foil, but these will only shield some badges. For more comprehensive protection, AAFCPAs recommends the use of radio frequency shielding bags, which block cell signals, Wi-Fi, satellite, and Bluetooth frequencies.

Parking Lots

AAFCPAs advises clients to evaluate risks posed by view obstructions, such as overgrown shrubs or poor exterior lighting.

Building Entrances

Clients are urged to ensure that all doors and windows have working locks that are always secured outside of business hours—and during business hours if they provide access to restricted areas. This includes securing windows above the ground floor, which may be breached by someone with a ladder, a tree, or other means of elevation.

AAFCPAs advises clients to assess which areas are secure. For example, the doors to the reception area or conference rooms may not require badge access or other security measures. These areas are not secured from intruders.

What Are Countermeasures/Prevention Techniques?

In order to lessen the odds of a physical breach for your network and increase the environmental security for your employees, AAFCPAs recommends the following internal and external countermeasures.

Physical Security Assessment

AAFCPAs’ IT & cyber security team can assess the physical security of your organization based on common, potential external and internal vulnerabilities. Once the assessment is complete, the team will provide photos and other documentation with clear suggestions for improvement on the inside and outside of the building. Physical breach attempts are part of the physical security assessment. These attempts will be made by incognito members of AAFCPAs’ security team.

In addition to assessing vulnerable points of entry, the attempted breach will put your organization’s existing security measures and employee awareness to the test. Strategies used to gain physical access may include: piggybacking or shuffling in discretely behind an authorized employee; cloning employee badges; and breaching secondary (e.g. service) entrances without being observed.

If a physical breach is successful, our security experts will then further evaluate the availability of sensitive data and the trust levels of employees. This may include searching for: unattended and unlocked computers; monitors in public areas with sensitive information displayed; physical network jacks left unprotected; and/or documents left in a printer, on/in desks, or in unsecured employee mailboxes.

Employee Education and Vigilance

Regardless of the many safety measures in place, employees may still allow for cracks in your physical security shield. AAFCPAs recommends clients conduct annual employee education programs to ensure your team remains vigilant. Some best practices include:

Clean Desk Policy – Employees should remain vigilant about what is accessible/visible on their desk, such as client information, account passwords, or other sensitive data.
Locked Workstations – Employees should be expected and reminded to lock their computers/workstations when they leave their desks.
See something, say something – Employee should be encouraged to greet all unfamiliar faces and offer assistance, as well as ask why they are there. This gives employees an opportunity to introduce themselves to a colleague they may not have met. As an additional precaution, AAFCPAs suggests that management implement photo IDs for employees and badges for all visitors.

Your best line of defense in protecting your organization from physical intrusions is regular security assessments and continued employee education. AAFCPAs advises clients to remain vigilant, assess your security risks regularly, and conduct annual physical security assessments.

To schedule a cybersecurity assessment, or for specific advice on how to best protect your organization against the exploitation of physical vulnerabilities, please contact James Jumes at 774.512.4062, jjumes@nullaafcpa.com; Mr. Anderson at manderson@nullaafcpa.com; or your AAFCPAs Partner.

About the Authors

James Jumes, MBA, M.Ed.

James joined AAFCPAs in 2013 to lead the firm’s Business Process & IT Consulting practice. He leads a team of senior technologist in the delivery of solutions related to business intelligence & productivity, information risk management and cybersecurity, and special IT attestations, compliance, and certifications. His goal is to strengthen the links between people, process, and technology, which increases productivity and drives business growth. James has more than 30 years of experience working with information technology …

Mr. Anderson, MCSE, CCNP, CISSP, CEH

Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development & implementation of security-focused audit and control programs. He is highly sought-after for his expertise in Cyber Security & Technology Assessments, including: security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and …

Related Insights

Safeguarding Against Holiday Season Phishing and Cyber Threats

AAFCPAs would like to remind clients that the period between Thanksgiving and New Year’s is a prime time for phishing and other malicious cyberattacks. Cybercriminals take advantage of increased internet shopping, debit/credit card use, and the influx of holiday offers to deceive individuals into disclosing sensitive information. Now more than ever, vigilance is required in […]

Shift in EEC Funding Model Requires Business Process Assessment

Effective October 1, 2024, the Massachusetts Department of Early Education and Care (EEC) shifted its contract reimbursement from a primarily unit-rate model to a mix of unit-rate and cost-reimbursable contracts. Under the new contracts, childcare seats will be reimbursed on a unit-rate basis while administrative and supportive services will be funded through cost reimbursement contracts. […]

Cost Center Coding Strategies for Effective Grant Reporting

For complex human and social services providers, managing grants and ensuring compliance can often feel like navigating a labyrinth. One effective strategy to simplify this process is through cost center coding. AAFCPAs provides the following detailed guidance on how to leverage cost center coding to streamline grant reporting and maintain compliance. Design Your Cost Centers […]