Data Security & Privacy

Getting Physical: Real World Threats to Your IT Environment

By Josh Young Dec 13, 2016


According to British insurance company Lloyd's, cyber attacks cost as much as $400 billion each year, which makes it unsurprising that businesses spent more than $75 billion worldwide on cybersecurity products and services in 2015.

With so much effort being put into preventing and frustrating cyberattacks, many businesses are overlooking real-world attacks that can be equally damaging and, in many cases, easier to commit.

A sound IT security policy covers both virtual and real-world threats. Read: Best Practices for Protecting Customer Data from Cyberattacks to learn how to better protect company data.

What Physical Threats Should You Be Wary Of?


A form of social engineering, baiting attacks convince your employees to unknowingly help compromise your security in exchange for a potential good or item. For example, an employee might receive a "promotional" USB drive or CD via the mail that offers something beneficial, such as free music, but is actually loaded with malware.

As part of a social experiment, CompTIA, a non-profit trade association, left 200 USB flash drives in public spaces across four major cities. On average, 20 percent of these unbranded flash drives were picked up and plugged into a device. Even worse, these people then began to open files, click on unfamiliar web links, and send messages to email addresses contained on these drives.

By taking advantage of this strategy, hackers and criminals can easily gain access to your network without ever directly assaulting your systems.


Tailgating, or piggybacking, is a time-honored strategy for gaining access to secured areas without proper authorization. Simply put, the unauthorized person merely follows closely behind an authorized employee as they open doors or access restricted elevators.

You may require keys or access cards to enter your building or server room; however, if your employees hold the door open to strangers out of common courtesy, you might as well leave these areas unlocked.


With the rise of bring your own device (BYOD) programs and the Internet of Things (IoT), the number of web-connected gadgets that your business uses will only increase. And each of these new pieces of equipment offers a new entry point for the innovative hacker or thief.

Research performed by Enterprise Management Associates, Inc. (EMA) found that 58 percent of today's workforce stores confidential information on mobile devices -- either their own or company-provided. The same study also found that 30 percent of these employees "frequently" leave these devices unattended in vehicles.

Considering that 34 percent of smartphone users in the United States take no action to lock or protect the information contained on their phone, you should probably be concerned.


These threats cover any act of "mother nature" -- floods, fires, earthquakes -- that could disrupt your business or network operations. On average, natural disasters cause roughly 35 percent of unplanned downtime, costing small-, medium-, and large-sized businesses $8,000; $74,000; and $700,000 respectively for each hour that IT systems are offline. And the Federal Emergency Management Agency (FEMA) reports that nearly 40 percent of companies never reopen after a disaster.

Obviously, there is no way for your company to prevent one of these events from occurring, but you can definitely mitigate their impact with a sound disaster recovery plan.

What Can You Do to Better Protect Your Business?

Access control

Limit who can enter your building unsupervised. Employ physical barriers -- locks, key cards, biometric scans -- to harden the security of your facilities. Don't leave outside vendors unattended.

If you have a BYOD program in place, establish a security policy that includes password protection and device locator programs.


At minimum, install cameras and surveillance equipment at all entrances for your facility as well as for any critical areas (e.g., server rooms). Not only does this equipment help to simplify monitoring, but it also provides forensic evidence that can be used for investigations if an incident occurs.


Establish unambiguous security policies that outline expected behavior for employees regarding the use of equipment. Provide your staff with regular security awareness training so that they can recognize and avoid potential security risks. Regularly communicate with your workforce about trending threats and common social engineering strategies.


Routinely test the effectiveness of your security measures and disaster recovery plans. Have either your own IT security staff or outside consultants conduct penetration tests on your facilities and attempt mock social engineering attacks on your employees.

The Next Step

While a comprehensive cyber-security plan is a must for any business, savvy criminals and scammers can and will try to find backdoor access to your critical systems. To counteract this threat, your security efforts need to be as exhaustive and innovative as they are vigilant.

To learn more about our security awareness courses, you can fill out the form on the right to request a demo.
