Host Ally Krings welcomes Stephen Collins, a cybersecurity auditor at Kirkpatrick Price. The discussion focuses on physical security and its critical role in protecting both data and people. Stephen shares insights from his 20+ years in cybersecurity, including his experience with lockpicking and how physical security measures complement digital protections.

What is Physical Security and Why Does It Matter?

Physical security involves safeguarding facilities, equipment, and personnel from physical threats. While businesses increasingly rely on virtual data storage, physical security remains essential for protecting data centers, offices, and employees. Measures like locks, cameras, and fire suppression systems are not just about protecting documents—they’re about ensuring safety for people.

Stephen’s Background and Journey into Physical Security

Stephen explains his career path, starting with cybersecurity management for hospitals and labs, then telecommunications. His interest in physical security began 15 years ago when he learned lockpicking to improve cabinet security for PHI data. This hands-on experience taught him the importance of strong physical controls.

Why Physical Security Still Matters in a Digital World

Despite the shift to cloud and virtual storage, physical security is vital for:

• Data Centers: Preventing unauthorized access to servers.
• Employee Safety: Locks and cameras protect people first, then data.
• Remote Work Risks: Home offices and public spaces introduce new vulnerabilities.

Determining Physical Security Needs

Companies should start with a risk assessment:

• What assets do we have (servers, filing cabinets, sensitive data)?
• What risks exist for data and personnel?
• Which controls (locks, cameras, badge systems) mitigate those risks?

Challenges with Remote Work

Stephen highlights two main areas:

1. Office Buildings: Fewer employees onsite means fewer eyes to spot intruders—making cameras and badge systems more critical.
2. Home Offices: Employees should secure laptops with cable locks, avoid leaving devices unattended in public spaces, and properly dispose of printed documents.

Best Practices for Employees

• Be mindful of printing sensitive documents at home.
• Use cable locks for laptops.
• Stay alert in public spaces like airports and coffee shops.
• Avoid leaving laptops visible in cars.

Physical Security Testing During Audits

Auditors check:

• Camera Systems: Placement, coverage, and retention (typically 90 days).
• Badge Systems: Access controls, logs, and alerts for repeated failed scans. Stephen often tests badge access by asking employees to scan at restricted doors—revealing process gaps when unauthorized access is granted.

Common Findings and Recommendations

• Glass Walls in Data Centers: Creates visibility risks and violates agreements.
• Incomplete Walls: Attackers have crawled over partitions to access secure areas.
• Unmonitored Controls: Cameras and badge systems are useless without active monitoring.

Examples of Strong Physical Security

Stephen praises a client’s new data center with:

• Gated entry and escort-only access.
• Locked doors and cameras throughout.
• Segmented rooms for different business units.

Badge vs. Key Access

Badge systems are preferred because:

• They provide traceability and audit logs.
• Keys can be duplicated without detection.
• Badge systems allow automated alerts and reporting.

Laptop Security

Employees should:

• Avoid leaving laptops in cars.
• Store devices out of sight or in trunks.
• Ideally, leave laptops at home when possible.

Final Thoughts

Physical security is about protecting people first, then data. Companies should:

• Conduct regular risk assessments.
• Continuously monitor controls.
• Educate employees on best practices for both office and remote work.

Stephen concludes by encouraging businesses to seek expert advice before implementing controls to avoid costly redesigns. Visible cameras can deter bad behavior, and proactive planning ensures robust security.