Cyber security discussions focus overwhelmingly on digital threats: malware, phishing, network intrusions. Physical security — the control of who can physically access your premises, devices, and information — receives comparatively little attention. Yet physical access frequently bypasses digital controls entirely. A laptop left unattended and unlocked in a meeting room is compromised in seconds regardless of how strong its password is. A server room left unlocked allows an attacker to physically remove storage, connect a rogue device to the network, or install a hardware keylogger. A document left visible on a desk discloses its contents to anyone who walks past.
This post covers the physical security basics that every small business should have in place — not as a separate programme from cyber security, but as an integrated part of it.
Device Security in Physical Spaces
Lock Your Screen When You Leave Your Desk
An unattended, unlocked computer screen is a physical access vulnerability. Anyone who walks past — a visitor, a contractor, a member of staff who shouldn't have access to what's on screen — can read what's displayed, access open applications, and interact with the system. The habit of locking the screen when leaving a desk (Windows key + L on Windows; Control + Command + Q on macOS) takes less than a second and eliminates this risk entirely.
Configure automatic screen lock: if the computer is idle for more than five minutes, it should lock automatically. This catches the times when someone forgets. Both Windows and macOS group policies can enforce this setting across all managed devices.
Don't Leave Devices Unattended in Public
Laptops left unattended in coffee shops, hotel lobbies, or conference venues are theft targets. Beyond the financial cost of replacing the hardware, a stolen laptop contains all the data on it — potentially including client files, credentials saved in browsers, locally stored emails, and access to any cloud services the laptop was authenticated to. Full-disk encryption (BitLocker on Windows, FileVault on macOS) ensures that the data on a stolen laptop is inaccessible without the decryption key, but it cannot protect services the laptop was already authenticated to at the time of theft.
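The two device controls above (an enforced idle screen lock and full-disk encryption) are easy to state in policy and easy to drift from in practice. The following PowerShell audit is an added example, not code from the original post: it reads the Windows policy registry values behind "Machine inactivity limit" and the secure screen-saver policy, then queries BitLocker for the OS volume, and reports whether each control is in the state the post describes. It assumes the five-minute threshold given above and that the OS volume is the one in `$env:SystemDrive`; the function names are this example's own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on Windows.
# Assumptions: 5-minute idle threshold from the post; OS volume is $env:SystemDrive.
$MaxIdleSeconds = 300

function Get-ScreenLockPosture {
    # "Interactive logon: Machine inactivity limit" is stored as InactivityTimeoutSecs (seconds; 0/absent = not enforced).
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $timeout = (Get-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $machineOk = ($null -ne $timeout) -and ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)

    # Fallback: the user-level screen-saver policy. All three values are REG_SZ strings;
    # a screen saver that is active but not "secure" does not lock the session, so it is not compliant.
    $ssKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $ss = Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue
    $ssTimeout = [int]$ss.ScreenSaveTimeOut   # [int]$null evaluates to 0, i.e. not enforced
    $ssOk = ($null -ne $ss) -and ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1') -and
            ($ssTimeout -gt 0) -and ($ssTimeout -le $MaxIdleSeconds)

    $detail = if ($null -ne $timeout) { "InactivityTimeoutSecs=$timeout" } else { 'InactivityTimeoutSecs not set' }
    if ($null -ne $ss) { $detail += "; ScreenSaverIsSecure=$($ss.ScreenSaverIsSecure); ScreenSaveTimeOut=$ssTimeout" }

    [pscustomobject]@{ Control = 'Automatic screen lock'; Compliant = ($machineOk -or $ssOk); Detail = $detail }
}

function Get-DiskEncryptionPosture {
    # Requires the BitLocker module (Windows Pro/Enterprise). Both conditions matter:
    # a FullyEncrypted volume with ProtectionStatus=Off has its key protectors suspended,
    # so a thief can boot straight into the data despite the encryption.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $ok = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
    $detail = if ($null -ne $vol) {
        "ProtectionStatus=$($vol.ProtectionStatus); VolumeStatus=$($vol.VolumeStatus)"
    } else {
        'BitLocker not available or OS volume not found'
    }
    [pscustomobject]@{ Control = 'Full-disk encryption (BitLocker)'; Compliant = $ok; Detail = $detail }
}

$results = @(Get-ScreenLockPosture; Get-DiskEncryptionPosture)
$results | Format-Table -AutoSize

# Non-zero exit lets an RMM or Intune script deployment flag the device as non-compliant.
if ($results.Compliant -contains $false) { exit 1 }
```

Neither check proves the control is applied by policy rather than set locally by the user, so on managed fleets compare the result against what the management tool says it pushed; a mismatch is the drift you want to catch.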
Physical Security for Servers and Networking Equipment
Servers, network switches, and the router that connects your business to the internet should be in a physically secured location — ideally a locked room or secure cabinet that is not accessible to visitors or general staff. A network switch that someone can physically access can have a device plugged into it that intercepts network traffic or provides a backdoor into your network. A server that can be physically accessed by an attacker can have its storage removed, a boot device attached, or its configuration changed.
For small businesses that don't have a dedicated server room, a locked cabinet in an office that is secured at the end of the working day provides a proportionate level of physical security for networking equipment.
Visitor Management and Tailgating
Tailgating — following an authorised person through a secure door without independently authenticating — is one of the most common physical security bypasses. In a small business with a friendly culture, holding the door for someone behind you is instinctive. It's also a reliable technique used by social engineers to gain physical access to premises.
Staff should be aware that it is appropriate — and expected — to politely ask unknown individuals entering the premises to sign in, or to confirm they have an appointment. This is not unfriendly; it is a reasonable security control that protects everyone in the building. Prominent visitor sign-in processes provide both a record of who has been on the premises and a visual cue to staff that access is controlled.
Visitors should not be left unattended in areas where they could access unattended computers, server rooms, or sensitive documents. This is a simple procedural control that requires no technology.
Clean Desk Policy
A clean desk policy requires that sensitive information is not left visible or accessible at an unattended workstation. This means:
- Documents containing personal or confidential data should not be left on desks at the end of the working day or when the desk is unattended for extended periods.
- Passwords should not be written on sticky notes attached to monitors or kept in unlocked desk drawers — they should be in a password manager.
- Screens should be locked when leaving the desk, as above.
- Whiteboards used for sensitive discussions should be erased after the meeting.
- Printers should be checked: documents left in output trays are readable by anyone who passes.
In open-plan offices or shared workspaces, the clean desk standard is particularly important because the number of people with visual access to any desk is much higher than in a private office.
Secure Disposal of Physical Media
Old hard drives, USB sticks, printed documents containing personal data, and retired mobile devices all require secure disposal. Deleting files from a hard drive does not make them unrecoverable — standard deletion simply removes the pointer to the data, not the data itself. Hard drives and SSDs being disposed of should be either securely wiped (using tools that overwrite the entire drive multiple times) or physically destroyed.
Printed documents containing personal data, financial records, or commercially sensitive information should be shredded — at minimum with a cross-cut shredder — before disposal. Strip-cut shredded documents can be reassembled with patience; cross-cut cannot. Under UK GDPR, personal data must be disposed of securely and verifiably.
The Human Dimension of Physical Security
Physical security ultimately depends on the behaviour of every person in and around your premises. It cannot be fully automated or enforced by technology alone. The most effective physical security in a small business is a culture in which staff understand why these controls matter, feel comfortable asking visitors to sign in, and habitually lock their screens. That culture is built through clear policies, regular communication, and leadership that models the behaviours it expects.
Physical and Digital Security, Integrated
Physical access to your premises and devices can introduce threats that digital monitoring alone might miss — a rogue device connected to the network, a USB drive inserted into a server, a laptop brought in by a visitor. SOC in a Box's network monitoring detects the anomalous traffic and device connections that result from physical security incidents, providing visibility that bridges the gap between the physical and digital worlds.