
The Dirty 13: The Most Common Audit Findings in Physical Information Security

Audit Logging & Monitoring | Nov 21, 2024

Information security audits are designed to identify vulnerabilities, highlight areas for improvement, and ensure compliance with best practices and legal standards. Yet, time and time again, we find organizations stumbling over the same issues—a recurring set of 13 blunders so common we’ve affectionately dubbed them the Dirty 13. These range from physical security oversights to poor cyber hygiene, but one thing unites them: they’re surprisingly easy to fix. Yet, here we are.

In this blog, we’ll break down the Dirty 13, diving into how firms frequently overlook critical physical security controls. Spoiler alert: It’s often the seemingly “low-hanging fruit” that gets ignored, leading to significant risks. Let’s explore why these issues persist and how you can proactively address them before an auditor (or worse, a bad actor) does it for you.

 

The Overlooked Elephant in the Room: Physical Security Threats

For all the investment in firewalls, encryption, and two-factor authentication, companies often underestimate the importance of physical security. But here’s the reality: a poorly secured building is like locking your computer with a 64-character alphanumeric password while leaving the office door wide open. Physical security is the foundation of any robust information security strategy.

A comprehensive guide to physical security can help business owners understand and implement various security measures to safeguard physical assets, data, and personnel in light of increasing threats.

Here’s the kicker—addressing physical security lapses is relatively straightforward and low-cost. Yet, organizations frequently treat these issues as afterthoughts. Let’s unpack some of the most egregious offenders.

 

What is Physical Security?


Physical security refers to the measures and controls designed to protect people, property, and assets from tangible threats. Think of it as the bouncer at the club of your organization, ensuring only the right people get in and keeping the troublemakers out. This involves using physical barriers, access control systems, surveillance, and other security measures to prevent unauthorized access, theft, vandalism, and other physical security threats.

Why is this important? Because physical security is the bedrock of any robust security strategy. Without it, all your fancy firewalls and encryption protocols are like a castle made of sand. Physical security examples include everything from locked doors and security guards to advanced physical security technology like biometric scanners and motion-activated cameras. In essence, it’s your first line of defense against potential security breaches.

 

Physical Security Threats and Risks

Physical security threats and risks can come from a variety of sources, both internal and external. Internally, you might face issues like employee theft, accidents, or even intentional damage. Externally, the threats could range from theft and vandalism to natural disasters. And let’s not forget the more sophisticated risks like cyber-physical attacks, social engineering attacks, and insider threats.

Identifying and assessing these risks is crucial for developing an effective physical security plan. After all, you can’t protect against what you don’t know exists. By understanding the common physical security threats and physical security risks, you can tailor your security measures to address these vulnerabilities head-on.

 

Lack of Fire Extinguishers (or Fire Extinguishers Past Due for Maintenance)


This one’s a double whammy: it’s not just a safety failure; it’s also a serious Occupational Safety and Health Administration (OSHA) violation. Fire extinguishers are a basic necessity for any workplace, but they’re often missing in critical areas or haven’t seen a maintenance check since dial-up internet was a thing.

Why it’s an issue:

  • Legal exposure due to non-compliance with OSHA standards.

  • Safety risks for employees, especially in high-risk areas like server rooms.

Quick fix:

  • Conduct a fire extinguisher audit.

  • Partner with a service provider to ensure annual maintenance and re-certification.

The upside? This fix can be completed in a day and comes with the added bonus of actually preventing fires. Imagine that.

 

Daisy-Chained Power Strips

Ah, the daisy chain—a favorite pastime of office managers and IT admins alike. Connecting power strips together is like saying, “Hey, I want to burn down this building, but I want to do it creatively.”

Why it’s an issue:

  • Fire hazards from overloaded circuits.

  • Increased risk of equipment failure due to unstable power.

Quick fix:

  • Invest in properly rated power solutions.

  • Educate employees on safe power practices.

Pro tip: Label outlets to ensure critical equipment is plugged into surge-protected circuits rather than playing roulette with daisy chains.

 

Unsafe Equipment Placement

Printers teetering on the edge of desks, monitors in precarious positions, and servers tucked into corners like afterthoughts—all of these scream, “Disaster waiting to happen!”

Why it’s an issue:

  • Risk of equipment damage, leading to downtime.

  • Increased liability from workplace accidents.

Quick fix:

  • Conduct a walkthrough to identify unsafe placements.

  • Relocate equipment to stable, secure locations.

Remember: If it looks like it could fall, it probably will—likely during a client visit (or an audit).

 

Lack of Visitor Logs and Access Control

We’ve seen it time and again: a visitor strolls into an office, wanders around, and no one bats an eye. Worse still, no one even remembers they were there.

Why it’s an issue:

  • No record of who’s in your building (or why).

  • Unauthorized access to sensitive areas. Physical access control systems mitigate this by restricting entry to authorized personnel and keeping intruders out.

Quick fix:

  • Implement a sign-in/sign-out system (digital or manual).

  • Train staff on how to challenge unauthorized individuals tactfully and effectively.

Practice scenarios during team meetings: “Excuse me, can I help you?” is an excellent opener.

 

Insecure Shipping and Receiving Areas


Shipping and receiving areas are often the Achilles’ heel of physical security. Open loading docks and unmonitored packages are practically begging to be exploited.

Why it’s an issue:

  • Untracked entry points for unauthorized personnel.

  • Exposure of sensitive shipments to theft or tampering.

Quick fix:

  • Restrict access to these areas.

  • Install cameras and require personnel to log received packages.

 

Unlocked Screens

Leaving your screen unlocked is the digital equivalent of leaving your car keys in the ignition. It’s shockingly common and entirely preventable.

Why it’s an issue:

  • Easy access to sensitive systems and data.

  • Insider threats become low-effort breaches.

Quick fix:

  • Encourage employees to lock screens when stepping away.

  • Gamify the process: Implement fun “violations” for employees caught leaving screens unlocked.

Nothing says accountability like a goofy trophy for “Most Unlocked Screens” on someone’s desk.

 

Passwords on Sticky Notes


Sticky notes: Great for grocery lists, terrible for passwords. Yet we still see Post-its stuck to monitors and keyboards like digital skeleton keys waiting for the wrong hands.

Why it’s an issue:

  • Exposes credentials to anyone passing by.

Quick fix:

  • Promote the use of password managers.

  • Conduct periodic checks to root out sticky note culprits.

While you’re at it, create a “Password Hall of Shame” for the worst offenders (anonymized, of course).

 

Sensitive Information on Whiteboards


It’s not uncommon to walk into a meeting room and see passwords, strategy plans, or client data scribbled across whiteboards in plain sight.

Why it’s an issue:

  • Exposes confidential information to unauthorized visitors or staff.

Quick fix:

  • Erase whiteboards immediately after meetings.

  • Install whiteboard covers or use digital collaboration tools.

If you’re using a physical board, remember: it’s not a brainstorming space; it’s a potential liability.

 

Access Control

Access control is a cornerstone of physical security, regulating who can enter or access different parts of your facility. Think of it as the velvet rope at an exclusive event, only letting in those with the right credentials. Access control systems can range from keycard systems and biometric scanners to PIN codes and good old-fashioned security guards.

These systems are essential for controlling access to sensitive areas like data centers, server rooms, and places housing expensive equipment. But access control isn’t just about keeping people out; it’s also about tracking and monitoring who’s coming and going. This way, you have a clear record of who accessed what and when, adding an extra layer of accountability to your security strategy.
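The "clear record of who accessed what and when" only pays off if someone actually reviews it. The following is an added example, not code from the original post, showing what that review can look like for both a visitor sign-in/sign-out record (the Lack of Visitor Logs section above) and a badge-reader export for controlled zones. The authorization matrix, business hours, badge names, zones and log lines are all constructed assumptions; a real deployment would load the approved-access list and the reader export from the access control system instead.

```python
"""
Added example (not part of the original post): review a badge-access export
against an approved-access list and reconcile visitor sign-ins, the way an
auditor would read the access log the text describes.
All names, zones, hours and log lines below are constructed for illustration.
"""
from datetime import datetime, time

# Constructed authorization matrix (assumption): badge holders allowed per zone.
AUTHORIZED = {
    "lobby": {"alice", "bob", "carol", "visitor-017", "visitor-018"},
    "server-room": {"alice", "bob"},
    "shipping-dock": {"carol"},
}

# Constructed business hours; a grant outside this window deserves a second look.
OPEN_AT, CLOSE_AT = time(7, 0), time(19, 0)

# Constructed badge-reader export, one event per line: timestamp,badge,zone,result
SAMPLE_LOG = """\
2024-11-21T08:02:11,alice,lobby,granted
2024-11-21T08:03:40,alice,server-room,granted
2024-11-21T08:15:02,visitor-017,lobby,granted
2024-11-21T08:20:30,visitor-018,lobby,granted
2024-11-21T09:30:55,carol,server-room,denied
2024-11-21T12:00:00,visitor-017,lobby,signed-out
2024-11-21T21:45:19,bob,server-room,granted
2024-11-21T22:10:00,dave,server-room,granted
"""


def parse_log(text):
    """Turn the CSV export into dicts; skip blank lines, reject malformed ones."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"malformed log line: {line!r}")
        ts, badge, zone, result = fields
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "zone": zone, "result": result})
    return events


def review_access(events, authorized=AUTHORIZED, open_at=OPEN_AT, close_at=CLOSE_AT):
    """Return (finding, badge, zone, timestamp) tuples worth an auditor's follow-up."""
    findings = []
    for e in events:
        when = e["ts"].isoformat()
        if e["result"] == "denied":
            # A denied attempt is not a breach, but repeated ones need explaining.
            findings.append(("denied-attempt", e["badge"], e["zone"], when))
            continue
        if e["result"] != "granted":
            continue
        if e["badge"] not in authorized.get(e["zone"], set()):
            # The reader admitted someone who is not on the approved list: the
            # door controller's ACL has drifted from the authorization matrix.
            findings.append(("unauthorized-grant", e["badge"], e["zone"], when))
        if not (open_at <= e["ts"].time() <= close_at):
            findings.append(("after-hours", e["badge"], e["zone"], when))
    return findings


def visitors_not_signed_out(events):
    """Visitor badges that signed in but have no matching sign-out record."""
    on_site = set()
    for e in events:
        if not e["badge"].startswith("visitor-"):
            continue
        if e["result"] == "granted":
            on_site.add(e["badge"])
        elif e["result"] == "signed-out":
            on_site.discard(e["badge"])
    return sorted(on_site)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in review_access(evs):
        print(*finding)
    print("visitors still signed in:", visitors_not_signed_out(evs))
```

Run against the constructed log, the review flags carol's denied server-room attempt, bob's after-hours server-room entry, and dave's entry as both after-hours and not on the approved list, and reports visitor-018 as never having signed out. The last two are the findings an auditor cares about most: a reader that admits someone the authorization list does not know is an access-control failure regardless of the hour, and a visitor who never signed out is exactly the "no one remembers they were there" problem the visitor log is meant to prevent.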

 

Surveillance and Monitoring

Surveillance and monitoring are the eyes and ears of your physical security system. They provide real-time monitoring and recording of activities within and around your facility. Surveillance systems can include everything from CCTV cameras and IP cameras to motion-activated cameras and pan-tilt-zoom (PTZ) cameras.

These systems are invaluable for detecting and deterring unauthorized access, as well as investigating security incidents. And when integrated with access control systems and alarm systems, they offer a comprehensive security solution that’s hard to beat. So, whether it’s catching a would-be intruder or simply keeping an eye on daily operations, surveillance and monitoring are essential components of any robust physical security plan.

 

Why These Physical Security Issues Persist

So why do organizations keep missing these “low-hanging fruit” issues? The answer often lies in complacency and prioritization. Physical security feels mundane compared to the flashiness of the latest cybersecurity buzzwords. But here’s the thing: all the tech in the world won’t save you if someone can walk in, steal a laptop, and waltz out unnoticed.

It's crucial to have a comprehensive emergency response plan that outlines procedures to handle various physical threats, such as natural disasters and security breaches.

 

Conclusion: Cleaning Up the Dirty 13 Physical Security Risks

Addressing the Dirty 13 isn’t rocket science; it’s about paying attention to the basics and empowering your team to take ownership of their environment. Start by conducting regular audits and creating a culture of awareness.

And if you’re reading this thinking, “We’re guilty of at least half of these,” don’t panic. Use this list as a starting point to tighten up your physical and procedural security. Remember: the easiest fixes often yield the biggest returns—both in security and peace of mind.

So, what’s stopping you from tackling these low-hanging fruit? Because if you don’t, the next auditor—or worse, a bad actor—definitely will.
