printer friendly version

Interconnecting physical and cyber security

Businesses are well-versed on the need for data security. However, there are many ways to obtain sensitive company data – financial data, customer details, product information, and intellectual property – than through company firewalls. As the lines between digital and physical realms blur, the weakest links are to be found where physical and information security meet – links many businesses have not yet thought to identify and secure.

Mel Brooks, Africa Regional President: G4S Africa.

The risk of a physical-cyber threat crossover is substantial: 80% of all digital attacks stem from physical access. For companies that have not yet considered how, or if they need to interconnect their traditionally separate physical and information security strategies, now is a good time.

Blended threats are emerging at government, industry, commercial, corporate and personal levels. The fallout is significant, impacting the integrity and reputation of companies through data and IP loss, exposure of sensitive customer and financial information – all of which compromise the safety and security of people, facilities, assets and business data.

High profile security breaches (http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks) tell the story. Sony Pictures Entertainment was hacked by North Korea, apparently with the help of Sony insiders; an EBay hack in 2014 compromised 145 million customer records when hackers accessed the company’s database ‘using login details from a small number of e-bay employees’; a hack of the Korea Credit Bureau (KCB) by a temporary employee resulted in the theft of 20 million Korean consumers’ bank and credit card details; and, of course, there was the Ashley Madison affair, where hackers threatened to expose the data of 37 million users.

All it takes is a gullible or unaware employee, or a physical or information system (or device) without the right checks and balances to create a business’s worst nightmare.

Do you think you are immune?

Here’s a quick reality check: If you picked up a USB stick with your company logo on it in the parking lot at work, would you hand it to security? Would you think twice about trying to find out who it belonged to yourself?

And here’s an online conversation that should make your chief security officer turn pale: “Don’t you hate it when you have to log into work systems with a password? I keep a list on my desktop. My best one is ‘sillycodfish’. I use it everywhere! I also have to use a security pin – a fresh one is issued to me via SMS every time I access the company network.”

And how about that break-in last year when nothing was taken? Could that odd camera overlooking the CFO’s desk that security could not account for have something to do with the leaked financial data and trades, or the missing funds?

There is even the odd: “Why are we still paying George and why is he still coming to work every day – he resigned last year.”

Identifying weaknesses

These threats are very real. It is important that the CIO and CSO understand the link between physical and cyber security and collaborate to close the gaps. The controls need to be put in place and greater awareness of these controls at management and staff levels is needed.

What these examples make clear is that there are some key areas where weaknesses arise. These include:

• The linkage between HR and access systems – at all key events, from on-boarding to staff exits must be integrated.

• Access granted to temporary or contract staff – even limited access to key systems can create a chink in the organisations’ armour.

• Social media behaviours need to be carefully managed – staff need to be made aware of what, exactly, will represent a security risk.

Threats can come from anywhere: foreign governments; a terror attack; criminals seeking financial or corporate advantage, or wishing to steal intellectual property; an insider, usually via human error or coercion; hacktivists with an agenda; a competitor or someone with a grievance.

With access to physical facilities, devices and/or cyber systems, these people could jam systems or operations, plant a bomb or mess with the plumbing. They could drive out with the CEO’s car or a company server, or install a camera in a strategic position.

If the internal security function or security provider engaged by the business is not aware of the cross-over risks and have not yet put in solutions to mitigate these risks, you may need to reassess your appetite for risk.

Share this article:

Further reading: