EVP and CIO of Werner Enterprises.
In the digital age, business professionals and consumers are well aware of cybersecurity breach risks. According to Verizon’s Data Breach Investigations Report, there were 5,199 confirmed data breaches in 2023, and major incidents in the transportation industry such as Maersk (2017) and, more recently, Estes Express (2023) exemplify the genuine implications a breach can have for private data.
Considering these incidents, many companies have bolstered their cybersecurity posture. That said, none of our tech stacks are perfect, and continuous monitoring is required to maintain system integrity. While most of us are used to running phishing tests and hosting lunch-and-learns on cybersecurity best practices, we shouldn’t forget amid these efforts that physical security is equally important. In 2022 alone, companies lost more than $1 trillion in revenue due to internal and external physical security incidents.
Understanding Physical Cybersecurity Testing
Often referred to as social engineering testing or physical pen testing, physical cybersecurity testing assesses an organization’s physical and social security measures through simulated attacks. The goal is to identify physical areas of weakness before they lead to an issue. Some examples of testing scenarios include:
• Building Access: Though many organizations have systems to restrict access to their buildings, such as card-swipe entry systems or building access codes, these controls are not a perfect solution. A physical test will check for factors such as broken readers or locks, and for how often employees let others into a building without confirming they should have access to it. This practice is called “piggybacking” (or tailgating) and plays on the inherent kindness of people who will hold a door open for someone with their hands full, for example.
• Vehicle Theft: Anyone can forget to lock their car door one day. Without proper parking lot security, such as vehicle barriers, access gates and surveillance cameras, someone could break in, steal a laptop or cell phone and potentially gain access to company data through the device.
• Digital Dumpster Diving: Sometimes, we forget that files or equipment we may not need anymore might contain sensitive information. A physical test will check for improper disposal of confidential data, such as an old hard drive that wasn’t wiped clean.
• Social Engineering Attacks: Again, these play on people’s inherently helpful or kind nature and are used to trick workers into giving out private information, allowing attackers to get into company systems. These tricks often exploit trust, leading people to do things they shouldn’t, like sharing passwords, which can result in stolen data or financial loss.
Physical pen testing also involves checking surveillance setups, seeing whether employees might accidentally share private information and attempting to enter through unconventional routes such as air ducts or pipes.
While these tests might seem over the top, they’re key for finding risks early and fixing weak spots before they become a problem.
The Real-World Implications Of Neglecting Physical Cybersecurity
In addition to reducing the overall risk of a data breach or cyberattack, physical pen testing is required to meet specific industry regulations and standards like GDPR (General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act), and it is recommended for SOC 2. These frameworks mandate the protection of physical assets and sensitive data, and physical pen testing helps organizations demonstrate their compliance.
Outside of compliance, a breach risks valuable, sensitive data and can lead to reputation damage and operational disruptions that are often very costly. According to IBM, the global average data breach cost in 2023 was $4.45 million.
Today’s businesses must recognize that cybersecurity extends beyond protecting their networks, endpoints and applications. Physical security is equally important when evaluating attack vectors. Physical pen testing is an indispensable tool for safeguarding digital assets and overall business operations.
It’s imperative that leaders equip employees with the skills to recognize various forms of social engineering and to effectively counteract them. At Werner, we prioritize this by conducting red team tests to comprehensively assess our vulnerabilities, leveraging the outcomes as case studies for our staff.
We consistently talk about the significance of adhering to security protocols, particularly regarding building access, emphasizing the importance of badge authentication for every employee. Ultimately, our goal is to give our team members the confidence to prioritize security by fostering a culture in which seeking verification, even from familiar figures such as the CEO or long-time colleagues, is encouraged as a standard best practice.
Tech business leaders not already engaging in this practice must regularly implement physical pen testing as a proactive step toward ensuring a comprehensive security system for their organizations. The best approach to cybersecurity is one that takes a 360° view.
Hackers and social engineers are experts at finding and exploiting weaknesses, both in our digital defenses and human behaviors. While their tactics can be sophisticated, it’s vital for us to remain vigilant. They know exactly how to manipulate systems and people to their advantage, highlighting the need for us to stay informed and cautious to protect our information.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.