Everyone knows that electronics aren’t cheap. Every business, whatever its size, should be constantly aware of the physical threats to its information technology. Different risks exist for different organization types and locations. A small private office has a smaller risk of device theft than a credit union, café, or other business with a large volume of public foot traffic. A rural potato farming center also has a much smaller risk of theft than a barbershop on a busy main street.

Regardless of size and location, every small business owner should look to secure their most critical devices from easy theft. Following the strategy of Defense in Depth, we must assume there will be a case where an intruder breaks through the first few physical security controls and manages to get into the vicinity of critical assets. If the intruder can simply pick up a desktop tower or laptop and walk off with it, they can then take the device apart at their leisure and extract its storage and other components to look for data.

A cable lock, the most popular variant being the Kensington Security Lock, is a control that aims to make an attacker’s job harder in case they do manage to get their hands on company computers. The lock plugs into a dedicated slot on the computer in question, and its cable is then secured to a sturdy anchor point. While this control will not fully stop theft, it makes an attacker’s job much harder by forcing them to stop and defeat the lock before the device can be removed. While the attacker is doing this, incident response and law enforcement can be brought into play and potentially apprehend the attacker before they can disconnect the lock.

There are a variety of different cable locks that can be purchased. If you wish to implement them in your organization, ensure that you carefully study your devices and their available slots and ports to find the lock design that best fits your device models. Many organizations may find it difficult to justify the cost of this control. This is understandable, and this framework does not expect you to purchase individual cable locks for every device. However, to meet compliance with this framework, you must implement cable locks on any devices that are physically deployed in an area with a large volume of public access. Lobby computers and kiosk machines are obvious candidates. Deploying cable locks on all rack-mounted servers and networking equipment is also required. Office workstations and other non-public devices are left to the discretion of the business owner; however, I still highly recommend cable locks for them in order to protect against insider threats and stay consistent with zero trust principles.
