Page 12 - Security Today, March 2022

The Rush to Digitalization
Physical security and cybersecurity are two sides of the same coin
By Patrick Hayes
With the proliferation of ransomware attacks and the impact of vulnerabilities like log4j, it is tempting for IT and security professionals to focus exclusively on detecting threats and hardening systems against cyberattacks. While these are absolutely worthwhile activities, they should be undertaken as part of a comprehensive strategy that encompasses both the physical and cybersecurity worlds.
Why? Because physical and cybersecurity are essentially two sides of the same coin when it comes to preventing and detecting threats. Unfortunately, they are often seen as separate efforts, leading to siloed teams and disconnected policies and processes. For an organization to improve its overall security posture, it needs to pursue the convergence of physical security and cybersecurity and build appropriate policies and procedures from that perspective.
A study by the ASIS Foundation assessed the extent to which organizations had converged physical security, cybersecurity and business continuity management (BCM) functions. Only 24% of respondents had converged their physical security and cybersecurity functions, and 48% had not converged any of the functions at all. Of those with no convergence, 70% had no plans to do so. This is despite the fact that converged organizations are more resilient and better prepared to identify, prevent, mitigate and respond to threats.
Security is fundamentally about control – controlling the way things are accessed and controlling the way people behave. These controls are meant to prevent or detect activities that are not supposed to happen.
Physical security aims to change the way people access company properties, such as data centers, factory floors, warehouses, offices or anywhere the company conducts business and has assets. Common physical security measures include electronic key cards, closed-circuit television (CCTV) cameras, biometric scanners, motion sensor alarms, security guards and other technologies used to restrict sensitive locations to authorized personnel.
Cybersecurity consists of digital controls that are meant to protect networks, applications and data from attack. A comprehensive approach incorporates a security mindset into software design, system architecture and measures that address prevention, detection and response.
Physical controls can’t keep everyone out, and cybersecurity can’t keep everything safe. But addressing them holistically can illuminate potential risks. For example, if an employee whose regular work schedule is 9 a.m. to 5 p.m. enters the building late at night (as detected by a key card swipe), logs into the network and begins downloading data (as detected by network monitoring tools), it’s clearly time to revoke his network privileges, dispatch a security guard and conduct an investigation.
This scenario combining anomalous access and unusual behavior is exactly why physical security and cybersecurity systems need to converge into a coordinated function. It could have been legitimate for this employee to be in the building late at night, and it could also be legitimate for him to download data. Without convergence, neither the physical security nor the cybersecurity function would have seen anything wrong, but detecting both activities at the same time highlighted a risk.
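The correlation the scenario describes can be expressed as a small detection rule. The following is an added illustration, not code from the article or from UncommonX: it joins constructed badge-reader lines with constructed network-monitor lines for the same user and raises an alert only when an after-hours badge-in is followed, within a short window, by a network login and a large download. The log format, the user names, the work schedule, the two-hour window and the one-gigabyte threshold are all assumptions made for the example.

```python
"""Correlate physical badge events with network events (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample log lines. Format (an assumption): ISO timestamp followed by key=value pairs.
BADGE_LOG = [
    "2022-03-01T23:41:05 badge=4711 user=jdoe door=lobby result=granted",
    "2022-03-01T09:02:17 badge=4712 user=asmith door=lobby result=granted",
    "2022-03-02T22:15:40 badge=4712 user=asmith door=lobby result=granted",
]
NET_LOG = [
    "2022-03-01T23:52:30 user=jdoe event=login host=ws-17",
    "2022-03-02T00:10:12 user=jdoe event=download bytes=2400000000 src=fileserver",
    "2022-03-01T09:10:00 user=asmith event=login host=ws-22",
    "2022-03-01T09:30:00 user=asmith event=download bytes=15000000 src=fileserver",
    "2022-03-02T22:30:00 user=asmith event=login host=ws-22",
]

# Assumed regular working hours per user (start_hour, end_hour); a real deployment
# would pull this from HR or the access-control roster.
SCHEDULE = {"jdoe": (9, 17), "asmith": (9, 17)}


def parse(line):
    """Turn one log line into a dict with a datetime under 'ts' plus its key=value fields."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in pairs:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def is_after_hours(rec, schedule):
    """True when the event falls outside the user's scheduled hours."""
    start, end = schedule.get(rec["user"], (9, 17))
    return not (start <= rec["ts"].hour < end)


def correlate(badge_lines, net_lines, schedule,
              window=timedelta(hours=2), min_bytes=1_000_000_000):
    """Return alerts for users who badge in after hours and then log in and download heavily.

    Each signal alone (late badge-in, login, download) is left uncorrelated and
    produces nothing; only the combination inside the window becomes an alert.
    """
    badges = [parse(line) for line in badge_lines]
    net = [parse(line) for line in net_lines]
    alerts = []
    for b in badges:
        if b.get("result") != "granted" or not is_after_hours(b, schedule):
            continue
        # Network events for the same user between the badge-in and the end of the window.
        following = [n for n in net
                     if n["user"] == b["user"] and b["ts"] <= n["ts"] <= b["ts"] + window]
        logged_in = any(n["event"] == "login" for n in following)
        downloads = [n for n in following
                     if n["event"] == "download" and int(n["bytes"]) >= min_bytes]
        if logged_in and downloads:
            alerts.append({
                "user": b["user"],
                "badge_time": b["ts"].isoformat(),
                "door": b["door"],
                "bytes": sum(int(n["bytes"]) for n in downloads),
                "action": "suspend network access; dispatch guard; open investigation",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, NET_LOG, SCHEDULE):
        print(alert)
```

On the constructed data, jdoe badges in at 23:41, logs in eleven minutes later and pulls 2.4 GB before 00:11, so one alert is raised; asmith also badges in after hours on March 2 and logs in, but with no large download the rule stays silent, which is the article's point that each signal on its own is plausibly legitimate.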
So, what can businesses do to ensure their cybersecurity and physical security measures are working together rather than as siloed entities? The first step is the acceptance that physical and cyber infrastructures are interconnected, and that damage to one will have a cascading impact on the other.
From that perspective, business leaders should treat physical and cybersecurity with the same level of care, and construct policies and procedures that overlap when it comes to prevention, detection, and response to unauthorized access.
Neither IT nor physical security teams can, or should, do this alone, so the business needs an organizational structure that brings these functions together and promotes communication, coordination and collaboration. This requires strong leadership, as well as potentially dismantling a culture that kept these teams competitive and apart.
It’s also vitally important to look at people as a potential attack vector. No one wants to believe that their employees will act maliciously, but many of them act thoughtlessly and/or unintentionally. From letting a stranger tailgate them into the building to leaving laptops unsecured to clicking on a phishing email, people are vulnerable and fallible. Security awareness training with repeated reinforcement and testing is a wise investment in reducing the risk of social engineering as an entry point.
The rapid shift to remote work caused by the pandemic has introduced new cybersecurity and physical security risks. For example, as people work from their home offices, details of their personal lives might be on display in their video backgrounds. The multiple endpoints they use to access enterprise networks may not be under company control.
Converged physical security and cybersecurity may not address every risk, vulnerability or threat, but having both these functions and experts working together will strengthen them both. It’s not possible to achieve 100% security while still allowing employees to access the systems and data they need to perform their jobs. But convergence is a big step toward the cyber resilience today’s companies need to operate as effectively and securely as possible.
Patrick Hayes is the CISO at UncommonX.
