In cyber security we focus on cybercrime as our main threat. But to protect our organization’s data, we also need to understand physical threats. It is a relatively low-risk venture for someone halfway around the world to send out malware and hope it penetrates critical systems. But with the presence of both high-value information and a determined adversary, you have to be ready for traditional espionage techniques as well as the most advanced digital tools.

Old-fashioned black-bag jobs are not out of the picture, as one CEO learned in 2017 when he returned to his office after a company celebration. Moles are also still used, and disgruntled employees may be approached by hostile actors.

As a cyber professional, such physical attacks will not be your sole responsibility. But by working with other departments you can play a central role in preventing them. In fact, as in conventional cyber security, identifying and tagging critical data is the most important step. Then you can limit access to and usage of that data, and then flag and trace unusual usage patterns.

It may be tempting to focus on high-risk areas—for instance an employee taking a laptop on a business trip to a foreign country. But as in all areas of cybercrime, hostile actors look for weak points (and may just as likely to attempt physical access to that employee’s data when he is at a conference in Las Vegas). Critical data must be protected no matter its location. And just as you identified your critical data, seek out and identify weak points in all areas of your security infrastructure.

In cyber security we focus on cybercrime as our main threat. But to protect our organization’s data, we also need to understand physical threats. It is a relatively low-risk venture for someone halfway around the world to send out malware and hope it penetrates critical systems. But with the presence of both high-value information and a determined adversary, you have to be ready for traditional espionage techniques as well as the most advanced digital tools.

Old-fashioned black-bag jobs are not out of the picture, as one CEO learned in 2017 when he returned to his office after a company celebration. Moles are also still used, and disgruntled employees may be approached by hostile actors.

As a cyber professional, such physical attacks will not be your sole responsibility. But by working with other departments you can play a central role in preventing them. In fact, as in conventional cyber security, identifying and tagging critical data is the most important step. Then you can limit access to and usage of that data, and then flag and trace unusual usage patterns.

It may be tempting to focus on high-risk areas—for instance an employee taking a laptop on a business trip to a foreign country. But as in all areas of cybercrime, hostile actors look for weak points (and may just as likely to attempt physical access to that employee’s data when he is at a conference in Las Vegas). Critical data must be protected no matter its location. And just as you identified your critical data, seek out and identify weak points in all areas of your security infrastructure.