“With the number of cyberattacks increasing
around the world, it is becoming clear that the
public sector needs to implement effective
cybersecurity improvements to their IT networks.” By Justin Himelberger
Reducing the Risk of Cyberattacks on Public-Sector Security Systems
Cybersecurity
Recent statistics highlight the rise of cyberattacks in the public sector. In its latest Internet Crime Report, the FBI stated that they received nearly 2,500 ransomware complaints in 2020. And the Identity Theft Resource Center reports that, as of Sep- tember 2021, the year-to-date total number of data compro- mises related to cyberattacks was already 27% higher than for all of 2020. For the public sector, cybersecurity has become a top priority.
IT teams at all levels of government are understandably concerned about how vulnerable their networks are to these disruptive and cost- ly cyberattacks. But government organizations aren’t the only targets. The K-12 Cybersecurity Resource Center 2020 Year in Review Report found that K-12 schools experienced more than 400 cyber incidents in 2020, up 18% from the previous year.
For organizations in the public sector—including governments and schools—the question is how to reduce the risk of cyberattacks. The first step in addressing the situation is determining how cyber- criminals are gaining access.
Understanding Network Vulnerabilities
There are several ways that cybercriminals can gain access to an orga- nization’s network. An employee can click on a link in a phishing email. A default application password can remain unchanged. Or a network-connected device can be inadequately protected. It’s impor- tant to remember that these devices include elements in a physical security system. Cameras as well as door controllers and their moni- toring systems can all pose cybersecurity risks.
Unfortunately, the risks associated with under-protected network devices has increased during the COVID-19 pandemic. As millions of people began working from home, organizations faced new chal- lenges around protecting their spaces. According to Morgan Wright, a Center for Digital Government (CDG) Senior Fellow, “When fewer people are working in buildings, organizations need more technology to maintain physical protection.”
Many organizations deployed additional cameras and other tech- nology to keep an eye on their environments and assets and also implemented measures to protect the devices themselves. But, while their goal was greater security, their focus was frequently limited. Said Wright, “When it comes to protecting physical security devices, too often the worry is about damage or theft, not that they can be used as an entry point from ransomware.”
Organizations in the public sector need to think about how they deploy physical protection technologies so that they can better con- trol access to sensitive and restricted areas and, at the same time, increase the cybersecurity of their networks. They need to look at deploying new technologies, establishing new staff roles, and imple- menting new practices that will strengthen both physical and cyber- security.
Risks Associated with Security Devices
Physical security devices are purpose-built to help keep people, assets, and environments safe. In the face of rising cybercrime, organizations have to expand their view of security. Most cyberattacks are not intend- ed to compromise physical safety. Instead, they target applications, files, and data managed by IT departments. An attack that originates in a camera can find its way through an organization’s network to block access to critical applications, lock and hold files for ransom, or steal personal data from employees, students, program clients, and residents.
One major challenge is that many public sector organizations con- tinue to use older model cameras and door controllers. With their limited security capabilities, these devices, especially cameras, can present significant risk. Organizations in the public sector tend to replace these devices only when absolutely necessary or when their capital costs can be fully amortized. These are not effective strategies.
According to Wright, “Today’s hackers know that certain security devices are easy to take over and use as an entry point to a connected network. This means that security cameras and access control sys- tems need to be considered critical network devices. They need to receive a high level of protection and monitoring for both operations and cybersecurity.”
The good news is that the public sector is beginning to realize how internet-connected security cameras and door controllers can give hackers easy access to their networks. At the same time, IT depart- ments are becoming increasingly aware of the risks that inadequately protected devices can pose when connected to their networks. The problem is that historically, IT has had limited visibility and control over an organization’s security devices.
Unifying Physical Security and Cybersecurity
Currently, many organizations in the public sector approach physical security and IT as separate. But the growing cyber risks that physical security technologies can present mean that this needs to change.
In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) recommends joining IT and physical security into a single, integrated team. As a single team, they can better focus on developing a comprehensive security program that is based on a common under- standing of risk, responsibilities, strategies, and practices. Wright agrees with this recommendation, saying “Physical security needs to be integrated into the network security team and not viewed as an ancillary function.”
According to CISA, there are several benefits to this approach. First, it would provide a more holistic view of security threats across the organization, which can lead to improved information sharing and threat response preparation. In addition, by implementing uni- fied policies and shared practices, organizations would be able to achieve greater flexibility and resilience.
34 campuslifesecurity.com | MAY/JUNE 2022