Physical security is the first wall an adversary has to get through before they can mess with your data. If someone can walk up to a server, plug in a USB drive, or peek at an unlocked laptop, all the firewalls and encryption in the world won't save you. This topic is about the people-side rules and the physical devices that keep attackers out of buildings, rooms, and workstations in the first place.
Managerial Controls for Physical Security
Managerial controls are the policies, rules, and training programs an organization puts in place to guide how people behave. They don't involve hardware or code. They shape habits. Two big ones show up here: security awareness training and workstation security policies.

Employee Security Awareness Training
People are usually the weakest link in physical security. A locked door doesn't help if an employee holds it open for a stranger carrying coffee. That's why organizations run regular security awareness training to teach employees what to watch for and how to act.
Training usually covers three big behaviors:
- Detecting social engineering attempts like phishing. Social engineering is when an attacker tricks a person into giving up access or information. Phishing emails (fake messages pretending to be from your bank, IT department, or boss) are the most common version. Training teaches employees to spot red flags like urgent language, weird sender addresses, and suspicious links.
- Not badging other people into restricted areas. This is called tailgating or piggybacking. Someone follows you through a secure door before it closes, often acting friendly or carrying a box so you feel rude stopping them. Training drills into employees that every person needs to badge in themselves, no exceptions.
- Preventing device theft. Laptops, phones, and external drives walk off all the time, especially from coffee shops, conference rooms, and unattended desks. Employees learn to lock devices in drawers, use cable locks, and never leave equipment in a car.
The point of training isn't to scare people. It's to make secure behavior automatic, so the receptionist actually questions the "delivery guy" who can't produce an ID.
Workstation Security Policy
A workstation security policy is a written set of rules that spells out how employees must protect their physical work area. Not every desk needs the same level of protection. A cashier's register handles different data than a doctor's terminal pulling up patient records, so policies often have tiers based on data sensitivity.
Common requirements include:
- Locking devices before walking away. Hitting Windows + L (or Control + Command + Q on a Mac) takes one second and stops anyone from sitting down at your computer while you grab lunch.
- Clean desk policy. Before leaving the workstation, employees clear away sensitive documents, sticky notes with passwords, USB drives, and anything else an attacker could photograph or pocket. If it's confidential, it goes in a locked drawer or shredder.
- Privacy screen filters. These are thin plastic overlays that make a monitor look black unless you're sitting directly in front of it. They block shoulder surfing, which is when someone glances at your screen from the side to steal info. Useful on planes, in open offices, and at reception desks.
- Surge protectors and UPS units. Connecting devices to a surge protector prevents damage from power spikes. A UPS goes further by providing battery backup, which keeps the machine running through short outages. More on UPS below.
Mitigation Strategies for Physical Vulnerabilities
When a cyber defender looks at a physical vulnerability, they work through a simple thought process: how could an adversary exploit this, and what control could prevent, detect, or correct the attack? Prevent stops it from happening, detect catches it while or after it happens, and correct fixes the damage. Most real-world security setups layer all three.
The controls below are the ones you need to know.
Perimeter Controls: Fencing, Gates, and Bollards
Before an attacker can touch a building, they have to get near it. Outer-layer controls slow them down or push them away entirely.
- Fencing marks the boundary of the property and forces intruders to climb or cut through.
- Gates control vehicle and foot traffic at entry points, usually with a guard or badge reader.
- Bollards are those short, sturdy posts you see in front of storefronts and government buildings. They stop a vehicle from being driven through the front wall, which is a real concern for data centers and government facilities.
These are mostly deterrents. A determined attacker can climb a fence, but most won't bother if an easier target exists nearby.
Locks on Doors, Cabinets, and Computers
Locks are the classic preventive control. They show up in three places that matter:
- Door locks keep people out of rooms they shouldn't enter, like server closets, network equipment rooms, and executive offices.
- Server cabinet locks protect the racks of servers themselves. Even if someone gets into the server room, a locked cabinet stops them from pulling a hard drive.
- Computer locks include cable locks (a metal cable that tethers a laptop to a desk) and locking ports that physically block USB or network jacks.
Card Readers
A card reader is the badge scanner mounted next to a secure door. Employees tap or swipe their badge, the reader checks whether that badge has permission for that door, and the door unlocks if it does. Two reasons card readers matter:
- They deny access to unauthorized badges. A stolen or expired badge stops working as soon as IT disables it in the system.
- They create a log of who entered which door at what time. If something gets stolen from the server room at 2 a.m., the access log shows whose badge was used, which is huge for investigations.
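Both points above (denying a disabled or unauthorized badge, and keeping a log that an investigator can query) can be shown in a few dozen lines. The code below is an added illustration, not from the original page or any real access-control product: the badge database, door permissions and the sequence of badge presentations are all constructed sample data, and the "after hours" window is an assumed 10 p.m. to 6 a.m.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample badge database and per-door permissions (illustrative only).
BADGES = {
    "B1001": {"holder": "alice", "active": True},
    "B1002": {"holder": "bob", "active": True},
    "B1003": {"holder": "carol", "active": False},  # reported lost; IT disabled it
}
DOOR_ACL = {
    "server-room": {"B1001"},
    "lobby": {"B1001", "B1002", "B1003"},
}


@dataclass
class AccessEvent:
    ts: datetime
    door: str
    badge: str
    granted: bool
    reason: str


@dataclass
class CardReader:
    """Badge reader at one door: decides access and records every attempt."""
    door: str
    log: list = field(default_factory=list)

    def present(self, badge_id: str, ts: datetime) -> bool:
        badge = BADGES.get(badge_id)
        if badge is None:
            granted, reason = False, "unknown badge"
        elif not badge["active"]:
            granted, reason = False, "badge disabled"
        elif badge_id not in DOOR_ACL.get(self.door, set()):
            granted, reason = False, "no permission for this door"
        else:
            granted, reason = True, "ok"
        # Denied attempts are logged too: they are the early warning sign.
        self.log.append(AccessEvent(ts, self.door, badge_id, granted, reason))
        return granted


def after_hours_entries(log, start_hour=22, end_hour=6):
    """Granted entries between start_hour and end_hour (window wraps past midnight)."""
    return [e for e in log if e.granted and (e.ts.hour >= start_hour or e.ts.hour < end_hour)]


def denied_attempts_by_badge(log):
    """Count denied attempts per badge; repeated denials on one badge deserve a look."""
    counts = {}
    for e in log:
        if not e.granted:
            counts[e.badge] = counts.get(e.badge, 0) + 1
    return counts


def simulate_server_room_day():
    """Replay a constructed sequence of badge presentations at the server-room reader."""
    reader = CardReader("server-room")
    attempts = [
        ("B1001", datetime(2024, 3, 1, 9, 0)),   # alice, normal hours
        ("B1002", datetime(2024, 3, 1, 9, 5)),   # bob has no server-room permission
        ("B1003", datetime(2024, 3, 1, 1, 55)),  # disabled badge tried twice at night
        ("B1003", datetime(2024, 3, 1, 1, 56)),
        ("B9999", datetime(2024, 3, 1, 1, 57)),  # badge not in the system at all
        ("B1001", datetime(2024, 3, 1, 2, 0)),   # alice's badge used at 2 a.m.
    ]
    for badge_id, ts in attempts:
        reader.present(badge_id, ts)
    return reader.log


if __name__ == "__main__":
    log = simulate_server_room_day()
    for e in after_hours_entries(log):
        print(f"after-hours entry: {e.badge} ({BADGES[e.badge]['holder']}) at {e.ts:%H:%M}")
    print("denied attempts:", denied_attempts_by_badge(log))
```

The two query functions are the investigation side of the story: a 2 a.m. entry on an otherwise normal badge, or a string of denials on a badge IT already disabled, is what the log exists to surface. Logging denied attempts, not just successful ones, is the design choice that makes the second query possible.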
Access Control Vestibules and Turnstiles
These two controls solve the tailgating problem.
An access control vestibule (sometimes called a mantrap) is a small room with two doors. You badge in through the first door, it closes behind you, and only then does the second door unlock. Because only one person fits comfortably, it's nearly impossible to sneak someone in behind you.
A turnstile is the rotating arm or full-height gate you might see in subway stations or office lobbies. It only lets one person through per badge swipe.
Both stop an authorized person from accidentally (or intentionally) letting an unauthorized person tag along.
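The vestibule's interlock rule (the second door stays locked until the first has closed, and the first stays locked while someone is already inside) is simple enough to model as a small state machine. The following is an added example written for this page, not code from any real door controller; badge IDs are constructed, and a real installation would add occupancy sensors, timeouts and alarms that are left out here.

```python
class AccessControlVestibule:
    """Two-door interlock: the inner door will not unlock while the outer door
    is open, and the outer door will not unlock while someone is already inside.
    Illustrative model only; a real vestibule adds occupancy sensors and alarms."""

    def __init__(self, authorized_badges):
        self.authorized = set(authorized_badges)
        self.outer_open = False
        self.inner_open = False
        self.occupant = None  # badge of the one person currently in the chamber
        self.events = []      # (door, badge, granted, reason) for every attempt

    def _record(self, door, badge, granted, reason):
        self.events.append((door, badge, granted, reason))
        return granted

    def badge_outer(self, badge):
        """Attempt to unlock the outer (street-side) door."""
        if badge not in self.authorized:
            return self._record("outer", badge, False, "badge not authorized")
        if self.occupant is not None or self.inner_open:
            # Chamber already in use: the interlock holds until it is cleared.
            return self._record("outer", badge, False, "vestibule occupied; wait")
        self.outer_open = True
        self.occupant = badge
        return self._record("outer", badge, True, "outer door unlocked")

    def close_outer(self):
        self.outer_open = False

    def badge_inner(self, badge):
        """Attempt to unlock the inner (secure-side) door."""
        if self.outer_open:
            # This is the anti-tailgating rule: nobody can hold the outer door
            # for a friend while the inner door is open.
            return self._record("inner", badge, False, "outer door still open")
        if badge != self.occupant:
            return self._record("inner", badge, False, "badge does not match occupant")
        self.inner_open = True
        return self._record("inner", badge, True, "inner door unlocked")

    def close_inner(self):
        self.inner_open = False
        self.occupant = None  # chamber is empty again


def tailgate_scenario():
    """Walk one authorized person through while a second person tries to tag along."""
    v = AccessControlVestibule({"B1001", "B1002"})
    results = {}
    results["alice_outer"] = v.badge_outer("B1001")               # unlocked
    results["alice_inner_early"] = v.badge_inner("B1001")         # denied: outer still open
    results["bob_outer_while_occupied"] = v.badge_outer("B1002")  # denied: chamber in use
    v.close_outer()
    results["stranger_inner"] = v.badge_inner("B9999")            # denied: not the occupant
    results["alice_inner"] = v.badge_inner("B1001")               # unlocked
    v.close_inner()
    results["bob_outer_after"] = v.badge_outer("B1002")           # unlocked: chamber free
    return results, v.events


if __name__ == "__main__":
    results, events = tailgate_scenario()
    for door, badge, granted, reason in events:
        print(f"{door:5} {badge}: {'GRANTED' if granted else 'denied '} ({reason})")
```

The scenario shows why the vestibule beats a single badge-controlled door: even a cooperative insider cannot badge the inner door open while the outer one is still ajar, and a second person cannot start their own entry until the chamber has fully cycled.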
Disabling USB Ports
USB ports are a huge attack surface. A bad actor can plug in a flash drive loaded with malware, or use a device like a "USB Rubber Ducky" that pretends to be a keyboard and types out malicious commands in seconds. Many organizations disable USB ports entirely through system settings, or physically block them with port blockers. Employees who need to transfer files use approved cloud storage or pre-screened drives instead.
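"Disabling USB ports through system settings" is usually done at the operating-system level rather than by unplugging hardware. On Linux, for example, the usual approach is a modprobe configuration that prevents the `usb-storage` kernel module from ever loading; a common mistake is to `blacklist` the module, which only stops automatic loading and still allows an explicit `modprobe usb-storage`. The auditing script below is an added example for this page (not from the original text or any project): it classifies two constructed configuration fragments, and assumes a Linux host whose `usb-storage` driver is built as a loadable module (a kernel with the driver compiled in would need a different control).

```python
# Constructed modprobe.d fragments used as sample input (illustrative only).
WEAK_CONF = """
# Only stops automatic loading; 'modprobe usb-storage' still succeeds.
blacklist usb-storage
"""

HARDENED_CONF = """
# Replace the load command with a no-op so the module cannot load, even on request.
install usb-storage /bin/false
blacklist usb-storage
"""

# Commands that make an 'install' line a refusal to load rather than a custom loader.
NOOP_COMMANDS = {"/bin/true", "/bin/false", "/usr/bin/true", "/usr/bin/false"}


def _module_name(token: str) -> str:
    """modprobe treats '-' and '_' in module names as equivalent; normalise to '_'."""
    return token.replace("-", "_")


def usb_storage_status(conf_text: str) -> str:
    """Classify a modprobe.d configuration for the usb-storage module.

    Returns 'disabled' (install override present), 'blacklisted-only'
    (autoload blocked, explicit load still possible) or 'enabled'.
    """
    blacklisted = False
    install_disabled = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or _module_name(parts[1]) != "usb_storage":
            continue
        if parts[0] == "blacklist":
            blacklisted = True
        elif parts[0] == "install" and len(parts) >= 3 and parts[2] in NOOP_COMMANDS:
            install_disabled = True
    if install_disabled:
        return "disabled"
    if blacklisted:
        return "blacklisted-only"
    return "enabled"


def audit(configs: dict) -> dict:
    """Run the check over several named configuration fragments at once."""
    return {name: usb_storage_status(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, status in audit({"weak": WEAK_CONF, "hardened": HARDENED_CONF}).items():
        print(f"{name:9} -> {status}")
```

On a real host the same function can be pointed at the concatenated contents of `/etc/modprobe.d/*.conf`; a result of `blacklisted-only` is the finding to act on, because the control looks present but does not actually hold.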
Uninterruptible Power Supplies and Generators
Power loss is a physical threat too. A sudden outage can corrupt data, crash servers mid-transaction, and lock employees out of systems during an emergency, which is exactly when an attacker might strike.
- An uninterruptible power supply (UPS) is a battery backup that sits between the wall outlet and a device. When power cuts out, the UPS keeps the device running for a few minutes, long enough to save work and shut down properly. Hospitals, banks, and data centers rely on them.
- Power generators scale this up to a whole building or set of critical systems. Generators run on diesel or natural gas and can keep things running for hours or days during longer outages.
The difference: a UPS buys you minutes, a generator buys you days. Most serious facilities use both. The UPS bridges the gap between the outage and the generator kicking on.
Prioritizing Which Controls to Implement
Organizations can't afford every control everywhere. They have to make choices, and they do it by weighing two things: the severity of the risk and the cost of the mitigation.
A small dental office probably doesn't need bollards and a vestibule. The risk of a vehicle ramming the front door is low, and the cost of bollards is high relative to the office's budget. But that same office definitely needs door locks, a clean desk policy, and a UPS on the computer holding patient records, because the risk to patient data is high and those controls are cheap.
A federal data center is the opposite. The data is critical, the threats are sophisticated, and the budget is large, so fencing, bollards, vestibules, card readers, disabled USB ports, generators, and full-time guards are all worth it.
The general rule: match the mitigation to the risk. Spend more to protect high-value assets, and don't waste money on overkill controls for low-risk situations. This balancing act is what cybersecurity professionals do every day when they design a physical security plan.
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

| Term | Definition |
|---|---|
| access control vestibules | Secure entryways with multiple doors that prevent unauthorized individuals from entering a restricted area by ensuring only one door opens at a time. |
| adversary | An individual or entity that attempts to exploit vulnerabilities in systems, applications, or data to cause harm, steal information, or disrupt operations. |
| badging | The practice of using access credentials or badges to enter restricted areas; unauthorized badging refers to allowing others to enter without their own credentials. |
| bollards | Short, sturdy posts installed around a building to prevent vehicles from accessing restricted areas and deter physical attacks. |
| card readers | Devices that read employee badges to control access, record entry times, and deny access to unauthorized individuals. |
| clean desk policy | A security practice requiring employees to remove sensitive documents and materials from their workstations before leaving them unattended. |
| device theft | The unauthorized taking of computing devices or equipment that may contain sensitive organizational or personal data. |
| employee badges | Credentials used to identify authorized personnel and grant them access to restricted areas. |
| employee security awareness training | Educational programs that teach employees how to recognize security threats and contribute to organizational security through proper practices. |
| fencing | A physical barrier installed around a building to deter unauthorized access and control entry points. |
| gates | Controlled entry points in physical barriers that can be opened or closed to regulate access to a facility. |
| lock | Physical security devices that prevent unauthorized access to doors, server cabinets, and computers. |
| managerial controls | Security measures that provide rules, guidelines, policies, and procedures to specify what security should be in place, including password policies and incident response plans. |
| mitigation strategies | Actions and controls implemented to reduce, prevent, or manage the impact of security risks and vulnerabilities. |
| phishing | A social engineering attack that uses deceptive communications (typically emails) to trick users into revealing sensitive information or credentials. |
| physical security | Measures and controls designed to protect physical spaces, assets, and facilities from unauthorized access and threats. |
| physical vulnerabilities | Weaknesses in physical security that allow unauthorized access to devices, systems, or sensitive information in physical spaces. |
| power generators | Large-scale backup power systems that provide electricity to buildings or critical devices during power outages. |
| privacy screen filter | A physical barrier or filter applied to a display screen to prevent unauthorized viewing of information from angles other than directly in front of the screen. |
| security control | Measures or safeguards implemented to reduce the likelihood or impact of a risk. |
| social engineering attacks | Attacks that employ psychological tactics to manipulate users into revealing sensitive information, downloading malicious files, or clicking on malicious links. |
| surge protector | A device that protects electronic equipment from voltage spikes and power surges that could damage or destroy the devices. |
| turnstiles | Physical barriers that allow only one person to pass through at a time, preventing unauthorized individuals from following authorized personnel into restricted areas. |
| uninterruptible power supply | A backup power system that provides emergency power to devices during power outages to prevent data loss and allow safe shutdown. |
| uninterruptible power supply (UPS) | A backup power source that provides electricity to devices during a power outage to maintain system operation. |
| USB ports | Connection points on computers that can be disabled to prevent external drives from being connected and loading malware. |
| vulnerability | Weaknesses or flaws in systems, applications, or configurations that can be exploited by attackers to compromise security. |
| workstation security policy | An organizational policy that establishes measures and requirements to protect physical workplaces and the devices and information located there. |