Physical Security Basics: Offices, Server Rooms, and Paperwork Still Matter.

Cyber attacks get the headlines, but physical access to your office, server room, or paperwork can cause the same harm. Here is how Irish SMEs address the physi

During a social engineering exercise conducted for a Sligo retail group, the consultant walked into the company's head office, said they were from the IT support company, and was directed by the receptionist — without any verification — to the server room to "check on the broadband." The server room was unlocked. The consultant spent twelve minutes in the server room, connected a device to the network switch, and walked out.

Nobody asked for ID. Nobody called the IT provider to verify. Nobody checked whether an appointment had been made.

Physical security is the dimension of business security that gets the least attention in the age of cloud computing and remote access. It is also the dimension that, when it fails, provides an attacker with direct, unmediated access to your most sensitive systems.


Why Physical Security Still Matters

Physical access to a device bypasses most digital security controls. A laptop that requires MFA to log in remotely can have its drive removed and read directly by an attacker with physical access. A server in an unlocked room can have a device plugged directly into the network switch. A filing cabinet left unlocked can provide access to paper records that took years to build.

Physical security is not a legacy concern from an era before cloud computing. It is a parallel attack surface that exists alongside digital controls and is often significantly less well managed.


The Server Room

The server room — or whatever physical space houses the business's core IT infrastructure — is the highest-priority physical security location in most Irish SMEs.

Access control. The server room should be locked. Access should require either a key held by a defined list of individuals, or an electronic access control system that logs access events. The list of people with access should be reviewed and updated when staff change.

Visitor procedure. Any visitor who claims to require access to the server room — IT providers, engineers, contractors — should be verified by calling the organisation they claim to represent on a pre-existing, trusted number, not a number they provide. Access should be supervised — a named member of staff should accompany the visitor and remain present throughout the visit.

Environment. Basic environmental controls — adequate ventilation, no water pipes overhead, fire suppression if warranted by the equipment value — protect against accidental damage as well as the consequences of a physical breach.

Is your server room currently locked? If it has a lock, how many people have a key — and do you know where all the copies are? These questions surface the most common physical security gaps in Irish SMEs within seconds. Book a free 20-minute strategy call — physical security is reviewed as part of our comprehensive SME security assessments.


The Office

Visitor management. A visitor who enters your office without signing in, without being met by a named host, and without wearing a visible visitor identifier has unrestricted access to your physical environment — and everything in it. A sign-in process with a dated log, a named host requirement, and visible visitor identification is a straightforward control that most Irish offices do not have.

Clean desk policy. Documents containing sensitive information left on desks, whiteboards displaying client information, post-it notes with passwords — all are visible to anyone who walks through the office. A clean desk policy requires staff to secure sensitive physical documents at the end of the day and prohibits leaving credentials or sensitive data visible.

Screen locking. Unlocked screens in open-plan offices or in areas accessible to visitors allow any passerby to see or photograph what is on screen. Automatic screen lock after inactivity, reinforced by a cultural expectation that staff lock their screen when leaving their desk, addresses this.

Equipment in public areas. Devices left in reception areas, meeting rooms, or common areas without supervision are vulnerable to physical theft or tampering. A meeting room device — a laptop or tablet used for video calls — that is left on the network with no PIN lock is a specific risk.


Paperwork and Physical Documents

Paper records containing personal data, financial information, or confidential business data represent a physical data security risk that is directly governed by GDPR [^1]. The Data Protection Commission expects organisations to protect personal data in physical form as well as digital form.

Shredding policy. Documents containing personal data, client information, or commercially sensitive content should not go in the general recycling bin. A cross-cut shredder for ad-hoc documents and a confidential waste service for larger volumes are the standard controls.

Secure storage. Paper records requiring longer retention — HR files, client contracts, financial records — should be stored in locked filing cabinets accessible only to those whose role requires access. The key to the cabinet should not be left in the lock or on the top of the cabinet.

Document disposal on departure. When a staff member leaves, physical documents in their possession — notebooks, printed reports, client files — should be recovered and managed appropriately as part of the leaver process.


What Next

  1. Check your server room access control today. Is it locked? Who has a key? Is access logged? These three questions reveal the current state in under five minutes.

  2. Implement a visitor sign-in log and verification procedure. A physical log book at reception. A requirement to call to verify IT provider visits. Visible visitor identification. None of these require investment.

  3. Brief staff on physical security expectations. Clean desk at end of day. Screen lock when leaving a desk. Call to verify before giving anyone access to the server room or IT equipment.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call at www.pragmaticsecurity.ie/book-a-call.

Related Reading

[^1]: Data Protection Commission Ireland — Physical Data Security
[^2]: NCSC Ireland — Physical Security Guidance
[^3]: An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
