Evaluating Office Physical Security

This past week at an MLS (never you mind which one) there was a break-in, and equipment was stolen. It’s happened before at other MLSs and real estate associations and will surely happen again. Businesses – MLSs, associations, brokers, and agents – need to understand the reasonable steps they need to take when it comes to physical security.

But before discussing that, it’s important to understand why physical security is so important. Physical security is about more than the cost of a stolen computer, printer, or fax machine, to be replaced on an insurance company’s dime. Depending on the equipment stolen, the information that has been stored in that equipment, the state the business is located in, and the state of those whose information may have been stolen, a physical break-in can result in an information security breach that may require the deeper involvement of law enforcement and breach notification to those whose information might have been affected [See: NAR’s Data Security and Privacy Toolkit]. One needs to understand that any information that has ever been on that computer hard drive – even temporarily while being edited – is quite possibly still on that hard drive. And many modern printers, copiers and fax machines also have hard drives, which store information long after the paper record has been removed. This is why physical security is always a part of Security Audits I conduct – it’s as important, if not more so, than all the computer and network settings put together. So, if you run a business, what do you need to look for when it comes to physical security?

First, look at the building perimeter. Ideally your office building (or home, if you have a home office) should have a door that doesn’t contain large amounts of glass, and windows should be hardened and either sealed or with hardware in place to limit how much they open. All glass on the building exterior should include glass-break sensors, as part of a monitored alarm system. The alarm system should not be turned off and doors unlocked until several employees are present. In a larger business where multiple employees have the alarm code, each should have an individual code for auditing purposes. Ideally, you can deploy inexpensive web cameras (webcams) on key entrances and hallways. Some modern webcams can be set to take pictures only when they detect motion and send snapshots to a remote server. When looking for a web camera, read the reviews to understand how well the one you are considering performs in low light and whether the resolution is enough to provide detail for what you are trying to cover. Test your alarm system with your monitoring company on a regular basis.

Next, ideally you want to have separate visitor and employee areas. That means that your conference room, classrooms, “public” meeting room, etc. should not require that visitors pass through areas where employees (other than the receptionist, who should not handle sensitive information) are working. The walls between public and employee areas should be reinforced and go to the physical ceiling (not the drop ceiling). The door between public and employee areas should be a solid-core door and involve a physical key or badge so that visitors do not enter the employee area unaccompanied – even when the receptionist is in the back making coffee. Some organizations have implemented locks that require a number combination be input – I do not recommend these because it’s too easy to “shoulder-surf” someone else’s combination.

Inside the employee area, where there may be sensitive information on paper or in computer equipment, employees should (as a matter of policy) not leave sensitive information on desks or in unlocked file cabinets unattended. There should be cross-cut shredders handy for employees to use to destroy information they do not need to maintain. This next part is crucial: Computers, printers, and fax machines should be bolted or cabled to the office furniture. Laptop cables should be used to secure laptops during the day. Mobile devices – phones and tablets – should either be kept on one’s person or locked in a drawer when not in use. Flash memory drives with sensitive information take even greater care to keep physically secure. At the recent break-in, these steps would have gone a long way to preventing equipment theft. Mobile devices especially take lots of extra care. [See: Mobile Device Security: Best Practices and Tools and also Encryption for Real Estate Professionals] Vendors and repair-people who need to work in the employee area should be accompanied. Lastly, if you have offices of higher sensitivity inside the employee area – for example, an HR office – keep those offices locked when unattended too.

If you’re scaling this advice down to a home office, it’s easy – just keep your home office door locked, sensitive information off of your office desk and in your file cabinet when you’re not in your office, keep your file cabinets locked when unattended, and your computers and other equipment cabled down. It’s that simple!

What you’re trying to do is to create boxes in boxes or, as we call it in the security industry, defense in depth. Just look at the diagram below – the more layers you have in place, and the better each has been secured, the less likely there will be a physical security breach and the less likely a break-in will have a large impact as the thief is stopped before they get to the sensitive information.

With a little care, you can make significant improvements to your office security and information security. If you’re a Real Estate Association or MLS staff person, your members and subscribers deserve no less as a part of your service. And, if you’re a broker or agent, your clients deserve no less as well. Not everyone who reads this is going to take every step – but the more steps you can take, the better a job you are doing reducing your risk.

About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.