Chartered Security Professional (CSyP) and certified technical security professional (CTSP)

Peter is an expert in the physical security industry having spent 35 years gaining considerable knowledge and understanding of security technology and the principles and practices of protecting people and assets, along with the ethics necessary for leading a respected company. Over 20 years as MD of multi-award-winning security system integrator 2020 Vision Systems, the company achieved a high standard of recognition and the patronage of many respected organizations. Through his dedication and leadership, 2020 obtained industry approval with the SSAIB and Quality, Environmental, and Health and Safety accreditations. Peter is a member of the Security Systems and Alarms Inspection Board (SSAIB), a UKAS accredited Certification Body, and its representative on the British Standards Institute (BSI) technical committee responsible for drafting European CCTV Standards. He is also a member of the Security Institute and Security Leaders Technology forum and the author of a number of published security articles.
December 14, 2015

Physical Security or the IT Department: Who Should Deal With the ‘Blended’ Threat?

Reports of networks, communications and information systems being compromised by state sponsored cyber-attacks, extremist groups, organised criminal gangs and other hackers emerge daily.

Little wonder that there is a growing awareness among security professionals of the ‘blended’ threat.

There was the JP Morgan Chase hack, which affected more than 83 million households and businesses, the attack on eBay when hackers stole personal records of 233 million users, and the Ashley Madison scandal, reportedly affecting 37 million people, to name just three. It is reasonable to assume that hacking is the major cause of information loss.

However, a poll conducted by the BSI found that rogue employees continue to pose the biggest threat to information security: the theft of information and data by an organisation's own people and trusted partners. This is otherwise known as the insider threat.

Although hacking poses a major threat to our information security with many internet experts agreeing that cyber attacks are likely to increase in the next decade, it is only one of the routes for information loss.

In truth, every employee and visitor poses a potential threat to our information. To spark the thought process on the issue, here is a top-down list of the potential sources of a data leak: from directors in the boardroom to admin, sales, engineering, the newest apprentice or any trusted partner, supplier, professional advisor and client.

‘Loose lips sink ships’

Information loss can occur through careless talk – ‘loose lips sink ships’ to use the WWII slogan – misuse of social media, through negligence or misuse when using, storing and transferring data, or as a result of a malicious, wilful or deliberate act of a trusted person, “for reasons such as fame, greed, capability, divided loyalty or delusion” (Bellovin, S. 2008:7).

Methods could include eavesdropping, removal of company IT equipment or hard copy data, photocopying, downloading to USB or personal devices, illicit email, photographs taken on mobile phones or digital cameras, etcetera.

As Tyson, D. (2007) reminds us, information was traditionally paper-based and generally stored in desks and filing cabinets. Now it is predominantly stored and managed electronically.

In my own business, as with most companies today, our information – client lists, sales targets, financials, employee and supplier details, etcetera – exists in both hard and electronic formats, rendering it vulnerable to both physical and cyber threats.

Our employees use the information on a daily basis to make informed decisions which influence our commercial success, making it a valuable asset, which requires protection from accidental or deliberate loss during transmission when processed or stored.

The most important physical method to mitigate information loss is a personnel security policy, as people will always be the weakest link in security by either negligence or desire. According to the HMG Security Policy Framework (April 2012: 31), “personnel security is applied to provide assurance as to the trustworthiness, integrity and reliability of employees, contractors and temporary staff”.

A number of publications provide guidance on implementing a personnel security policy, such as Holistic Management of Employee Risk (HoMER), produced by CPNI and PW Consulting (2012). Aside from pre-employment vetting, personnel security covers ongoing screening, staff assessment and security awareness training to ensure employees are conversant with security threats.

Information security policy

Risks can be reduced by following a tidy desk policy, proper use of social media and correct handling and storage of information or devices. The production of an information security policy provides instruction on safe use, handling, storage and destruction of sensitive information.

Visitor management and controlling access to information is vital. In simplistic terms, this may be nothing more than signing visitors in and accompanying them at all times. It is also about ensuring places where data is stored are locked and hard copy files are locked away. PCs should not be left on, and users should log out when away from their desk.

Alternatively, a physical access control system (ACS) is an effective way of limiting access to, from and around a facility and can provide valuable management information on who is in your facility, where they are allowed to be, and when they are allowed to be there. When backed up by video surveillance, ACS becomes a valuable tool for management, providing an organisation with the ability to see and subsequently investigate events.

Clearly, the physical security of buildings – locks, bars and shutters – remains an essential security element today, as is an appropriately graded burglar alarm.

Equally, securing data physically on the move is essential. Employees need to consider security while transporting IT devices or information in vehicles. Car alarms, secure storage or devices hidden from view are all simple, effective physical security methods at home or in the field. Enforcement and response are also areas of responsibility in the physical security world.

In conclusion, when it comes to delineations and responsibilities, Fowler, D. (2009) asks: “Whose responsibility is it when an intruder walks out the door with assets that he could access from a machine remotely?”

Blended threats to physical and logical systems require both physical and logical methods of defence – the converged approach. Arguably, if it exists in the physical world, it is the responsibility of physical security.

Conversely, if it exists in cyber space as is the case with the hacker threat, then IT assumes responsibility. This can include logical or cyber security components such as access authentication and authorisation controls, anti-virus and content-filtering systems, firewalls and network defences. Clearly, mitigating the risk requires the liaison and cooperation of those with the appropriate skill sets in each discipline.

References

Institute of Directors (IoD) (2005) Information Security. Institute of Directors.

Tyson, D. (2007) Security Convergence: Managing Enterprise Security Risk. Elsevier, Butterworth-Heinemann.

Online

Australian Government (2010) The Insider Threat to Business. [Online] Available at http://www.tisn.gov.au/Documents/The+Insider+Threat+to+Business.pdf [Accessed on 28th January 2015]

CPNI and PW (2012) Holistic Management of Employee Risk (HoMER). [Online] Available at http://www.cpni.gov.uk/documents/publications/2012/2012021-homer.pdf?epslanguage=en-gb [Accessed on 28th January 2015]

Fowler, D. (2009) Getting Physical and Logical. SC Magazine. [Online] Available at http://www.scmagazine.com/getting-physicaland-logical/article/158021/ [Accessed on 27th January 2015]

Smith, J., DCE (2013) Personnel Security. [Online] Available at http://www.cfoa.org.uk/download/32522 [Accessed on 20th March 13]

Rahman, S. and Donahue, S. (2010) Convergence of Corporate and Information Security, volume 7, number 1. [Online] Available at http://arxiv.org/ftp/arxiv/papers/1002/1002.1950.pdf [Accessed on 27th January 2015]

Bibliography

Bellovin, S.M., et al. (2008:7) Insider Attack and Cyber Security: Beyond the Hacker. Series: Advances in Security, Volume 39, ISBN 987-0-387-77322-3. Springer Science + Business Media LLC.

NYT (2014) [Online] Available at http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/?_r=1 [Accessed on 17th January 2015]

Pew (2014) [Online] Available at http://www.pewinternet.org/2014/10/29/cyber-attacks-likely-to-increase/ [Accessed on 17th January 2015]

Weisman, A. (2014) Sony Hacking Scandal. [Online] Available at http://uk.businessinsider.com/sony-cyber-hack-timeline-2014-12 [Accessed on 17th January 2015]

Sullivan, V. (2014) [Online] Available at http://www.cbronline.com/news/rogue-employees-biggest-threat-to-information-security-4263652 [Accessed on 17th January 2015]

AESRM (2007) The Convergence of Physical and Information Security in the Context of Enterprise Risk Management. AESRM Deloitte. [Online] Available at http://ddata.over-blog.com/xxxyyy/0/32/13/25/aesrm-convergence-in-erm.pdf [Accessed on 16th June 2013]

Garza, G. (2011) Examples of Logical Security. Brighthub. [Online] Available at http://www.brighthub.com/computing/enterprise-security/articles/106207.aspx [Accessed on 28th January 2015]

Information Commissioner's Office (ICO) [Online] Available at https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/ [Accessed on 28th January 2015]

Nash, K. (2012) How Integrating Physical and Information Security Mitigates Risks. CIO. [Online] Available at http://www.cio.com/article/2392576/security0/how-integrating-physical-and-information-security-mitigates-risks.html [Accessed on 28th January 2015]

NIST (2006) Computer Security: Information Security Handbook, a Guide for Managers. Special Publication 800-27 Rev A. [Online] Available at http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf [Accessed on 27th January 2015]

Slater, D. (November 2011) What is a CSO? Increasingly, Chief Security Officer means what it sounds like: the CSO is the executive responsible for the organization's entire security posture, both physical and digital. CSO Online. [Online] Available at http://www.csoonline.com/article/221739/what-is-a-chief-security-officer- [Accessed on 28th January 2015]

State of Arkansas – Office of Information Technology [Online] Available at http://www.dis.arkansas.gov/policiesStandards/Documents/PhyLogGuidelines.pdf [Accessed on 28th January 2015]


PJamesWillison
December 14, 2015 11:52 am

ifsecglobal Interesting. ‘Co-operation + liaison’, as you say, key. We also need common risk reporting processes + ESRM Mitie_TSM citicus

jamespw
December 15, 2015 7:08 pm

This is all very interesting and I hope is making colleagues think about their own responsibilities here. Recently I heard a fascinating talk about Building Information Modelling level 2 in which the speaker indicated to the audience the necessity of physical security systems being designed in a digital format in 2016 for publically funded building projects. He went on to say that the cyber security of the data which make up any plans was the responsibility of the physical security manager. I think this will be a real challenge and I would urge physical security colleagues who find themselves responsible…


meenati biswal
June 27, 2019 7:42 am

The primary threats to physical security include the following: inadvertent acts – potential acts of human error or failure, potential deviations in the quality of service by service providers, and power irregularities; deliberate acts – acts of espionage or trespass, acts of information extortion, acts of sabotage.
