Is Physical Security Testing Still Worth It?

Well, that depends

The pen test has always been a popular exercise for companies looking to understand their external security posture.

Whether you’re a small startup or a multinational enterprise, regular pen testing is a matter of basic security hygiene. As the saying goes, you can’t protect what you don’t know.

However, over the years, penetration testing has shifted from physical and infrastructure testing to the application and cloud layers. Today, very few organizations go so far as to hire an undercover hacker to physically penetrate their headquarters or data centers. (If they did, they might be surprised to learn just how easy it is to access sensitive workstations and equipment, and even to plant off-the-shelf surveillance and exfiltration technologies. Silent Breach’s physical and social engineers hold a 95% breach rate.)

There are practical reasons for skipping the physical test. First, the vast majority of hackers work from overseas without any sort of physical access to your facilities. Second, remote social engineering techniques like phishing and vishing have become so powerful that few hackers find it necessary to appear onsite. Third, most organizations outsourced their physical security long ago to building managers and third-party security firms. And finally, with the rise of cloud computing, most network and data infrastructure is no longer locally managed, leaving companies to focus on their applications and cloud environments.

However, is this thinking a mistake? Do companies that ignore their physical security eventually pay the price? After all, no matter how secure your application may be, a physical compromise of a workstation or server will topple the proverbial dominoes one by one.

Physical Security Today

The line between the physical and digital realms is blurring. Many physical security systems now rely on digital technologies, making them vulnerable to cyberattacks. Key cards, for example, have become an almost universally accepted means of digital identification, baking digital security directly into our physical infrastructure. And this goes both ways. With the rise of hybrid work, our physical reality is now decentralized and accessible across a vast digital attack surface. To secure these systems effectively, cybersecurity professionals must understand both physical and digital threats.

To give one example, insider threats, which often involve physical access to critical systems and information, can be far more devastating than external cyberattacks. In recent years, Tesla, Boeing, Meta, Apple, and many more have fallen prey to internal hackers who’ve stolen or sabotaged data for personal gain. At SunTrust Bank, for instance, a malicious insider sold account information to hackers, compromising over 1 million customers. Physical security testing helps organizations identify the vulnerabilities that insiders might exploit.

But by far the most important consequence of physical testing is the effect it has on employees. It’s well understood that humans are the weakest link in nearly every organization. We know that security awareness training is the best way to counter social engineering attacks (the first step in most ransomware breaches). Through physical onsite testing, employees witness first-hand how small actions on their part can make all the difference. A password scribbled on a post-it. A door held open for a friendly-looking woman. An unknown USB drive sitting on your desk when you return from lunch. During our physical penetration tests we’ve used these and similar techniques to compromise seemingly secure networks.

So, is physical security testing still worth it?

It comes down to what your goals are. If you’re a young organization focused on identifying and mitigating your most pressing vulnerabilities, chances are that physical security is not one of your top threats.

But when the time comes to establish a comprehensive security program, a holistic approach must combine physical, social, and digital security measures. To build an effective and resilient security program, it’s critical to look beyond the data and instill a culture of cybersecurity. And that starts from the ground floor: physical integrity.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.