informa
/
Physical Security
Commentary

Why Organizations Can No Longer Ignore a Joint Approach to Cyber and Physical Security

Clive Madders, CTO, Cyber Tec Security, explores why cybersecurity and physical security practices are more heavily intertwined than ever before, and why organizations need to define a joint approach in order to maintain a fully secure environment.

Physical Access Control and Safety Systems
One of the key elements of cybersecurity for a business is the restriction of access to sensitive data and systems. This ‘access control’ ensures minimal entry points for cyber criminals to take advantage of, keeping the company more protected against breaches. This is no different in terms of physical access control, but rather than data and networks, you’re restricting access to premises, offices and physical IT assets.

Most modern offices nowadays are accessible via electronic access control systems, requiring some kind of personal identification to enter. This might be in the form of an ID card to scan, passcodes, or even biometric authentication. Due to these electronic set-ups, these systems are normally connected to the internet, putting them at risk of being breached by hackers.

In 2018, David Tomaschik proved just how easy this could be when he managed to breach Google’s doors, tricking them into opening without the need for an RFID card. Thankfully, Tomaschik was a Google employee and only had good intentions.

Similarly, safety systems like alarms are now also ‘smart’, which have the potential to be quite dangerous if hacked. A disabled fire alarm could put a business’ employees at actual life or death risk, for example. Of course, IP-based physical access control and safety systems have several advantages for a company. When working together, physical security and cybersecurity can help to streamline alerts and notify the correct people when any issues are identified, speeding up incident response.

Internet of Things
The ever-growing collection of IoT devices are continuing to create problems in the physical security space. Since these devices, although connected to the internet, are not like our traditional computers, they are often overlooked by IT and businesses are purchasing them without proper consideration of IT and security best practice.

We use these devices without thinking about the security risks they could pose, but with the sheer amount of data being shared and the interconnectivity of IoT devices, there could be serious repercussions for a business. For example, many IoT devices come with default passwords and if these are not changed, it doesn’t take long for malicious actors to gain access.

These devices also lack the robust security management needed, making it easy for hackers to inject malware and move laterally across the network as IoT devices may well be communicating with other systems, sending alerts and emails. Being secretly inside the network you want to attack is ideal for a bad actor, and IoT devices make this a lot easier. These actors can use the device as a jump box, somewhere to wait undetected, because no one is properly managing it.

IoT is not just a cybersecurity issue, however, as the likelihood of a successful attack increases if a hacker is able to physically access the devices. Hackers can use exposed communication ports as a way to gain root access and control over a device, which can be catastrophic for a business. Modern physical security is unavoidably tied to cybersecurity, relying on IoT as smart locks, surveillance cameras and access control pads become standard, and businesses only increase their risks without a properly updated cybersecurity framework to support these changes.

With an increasing network of connections and assets, the surface area for attacks is growing, and these devices need layered protection, both in the realms of cyber and physical. While securing the perimeter with physical security measures is important, businesses must also look internally and implement cybersecurity measures in conjunction with this, to best protect the business.

The Insider Threat
The concept of insider threat for cybersecurity is equally applicable to physical security. Cybersecurity best practice is to restrict access privilege for employees in order to minimize the risk of a breach – the general guideline being that employees are only given access to the data or systems required to perform their designated role (including terminating access when an employee leaves the company).

This is no different in terms of physical security, in that employees should only be able to access the buildings, rooms and physical devices that their job role actually requires. Whether ill-intentioned or just negligent, employees have the power to cause serious problems for a business if not given the correct training around cyber and physical security.

Security policies and training can help to clearly educate staff on the rules and regulations of a business, taking into account the specific physical and cybersecurity measures implemented there. For example, you might provide details about what an employee should do if they find a USB on the floor or why it’s important to lock your screen when walking away from your desk. You may also instruct employees to be vigilant about preventing unwanted intruders on the premises. It’s very easy to hold the door open for someone as you walk into the office without thinking, but this could easily be someone posing as an employee. Then before you know it, they have much easier access to the business’ network, systems and data.

Of course, insider attacks can also be due to a disgruntled employee looking to cause issues, which is why it is important to stay on top of access control and keep your IT team informed of any employment terminations, demotion or suspensions, as these all have potential to lead to revengeful actions taken against the company.

Conclusion
Physical security is no longer a simple case of lock and key. The integration of the Internet of Things has meant that for any modern security solution nowadays, cybersecurity and physical security can no longer be thought of as mutually exclusive and must work together to offer the best defense for an organization.

When these approaches are kept wholly separate, the risk of oversight and inefficiency is too great, resulting in an increased likelihood of security vulnerabilities. Businesses can combat this by integrating security policies and security training exercises and meeting recognized standards that cover both aspects of cybersecurity and physical security. Common frameworks include NIST, CIS, ISO and UK-based Cyber Essentials, all helping businesses to align with critical controls, develop security policies and manage incident response and business continuity.

Clive Madders is the CTO of Cyber Tec Security.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5