Chapter 47: Fourteen Desktop PCs

By this point in the book, I hope you have gained an appreciation for physical security. If done poorly, it can undermine expensive and effective digital security controls.

That is the main reason we focus on it alongside the human side of security. When the three areas of security—human, physical, and digital—work together, you can have a robust, effective security posture. But if one of those areas is weak or missing, you can never have true security.

In my physical assessments, I often have to agree that, unlike a criminal, I will not remove computer systems that are active or plugged in.

Imagine the huge amounts of money spent protecting your computer at work: the servers that run your applications; the systems that store your client data, files, and emails—everything is physically stored somewhere, even if it's in the cloud. Those computer systems have many layers of digital protection. You need authorization and authentication to log onto them. But if you place a computer in a location with poor physical security, a criminal can pick it up and walk off with it.

It is well known that if an attacker has physical access to a computer, it is only a matter of time before they gain access to the data. And since they have taken the computer, the amount of time they have increases dramatically. They no longer have to compromise the computer in minutes before being detected; they can work on it for weeks or months.

This is why, when I perform an ...
