Clive Madders, CTO, Cyber Tec Security, explores why cyber security and physical security practices are more heavily intertwined than ever before, and why organisations need to define a joint approach in order to maintain a fully secure environment.
One of the key elements of cyber security for a business is the restriction of access to sensitive data and systems. This ‘access control’ ensures minimal entry points for cyber criminals to take advantage of, keeping the company more protected against breaches. This is no different in terms of physical access control, but rather than data and networks, you’re restricting access to premises, offices and physical IT assets.
Most modern offices nowadays are accessible via electronic access control systems, requiring some kind of personal identification to enter. This might be in the form of an ID card to scan, passcodes, or even biometric authentication. Due to these electronic set-ups, these systems are normally connected to the internet, putting them at risk of being breached by hackers.
In 2018, David Tomaschik proved just how easy this could be when he managed to breach Google’s doors, tricking them into opening without the need for an RFID card. Thankfully, Tomaschik was a Google employee and only had good intentions.
Similarly, safety systems like alarms are now also ‘smart’, which have the potential to be quite dangerous if hacked. A disabled fire alarm could put a business’ employees at actual life or death risk, for example. Of course, IP-based physical access control and safety systems have several advantages for a company. When working together, physical security and cyber security can help to streamline alerts and notify the correct people when any issues are identified, speeding up incident response.
The ever-growing collection of IoT devices are continuing to create problems in the physical security space. Since these devices, although connected to the internet, are not like our traditional computers, they are often overlooked by IT and businesses are purchasing them without proper consideration of IT and security best practice.
We use these devices without thinking about the security risks they could pose, but with the sheer amount of data being shared and the interconnectivity of IoT devices, there could be serious repercussions for a business. For example, many IoT devices come with default passwords and if these are not changed, it doesn’t take long for malicious actors to gain access.
These devices also lack the robust security management needed, making it easy for hackers to inject malware and move laterally across the network as IoT devices may well be communicating with other systems, sending alerts and emails. Being secretly inside the network you want to attack is ideal for a bad actor, and IoT devices make this a lot easier. These actors can use the device as a jump box, somewhere to wait undetected, because no one is properly managing it.
IoT is not just a cyber security issue, however, as the likelihood of a successful attack increases if a hacker is able to physically access the devices. Hackers can use exposed communication ports as a way to gain root access and control over a device, which can be catastrophic for a business. Modern physical security is unavoidably tied to cyber security, relying on IoT as smart locks, surveillance cameras and access control pads become standard, and businesses only increase their risks without a properly updated cyber security framework to support these changes.
With an increasing network of connections and assets, the surface area for attacks is growing, and these devices need layered protection, both in the realms of cyber and physical. While securing the perimeter with physical security measures is important, businesses must also look internally and implement cyber security measures in conjunction with this, to best protect the business.
The concept of insider threat for cyber security is equally applicable to physical security. Cyber security best practice is to restrict access privilege for employees in order to minimise the risk of a breach – the general guideline being that employees are only given access to the data or systems required to perform their designated role (including terminating access when an employee leaves the company).
This is no different in terms of physical security, in that employees should only be able to access the buildings, rooms and physical devices that their job role actually requires. Whether ill-intentioned or just negligent, employees have the power to cause serious problems for a business if not given the correct training around cyber and physical security.
Security policies and training can help to clearly educate staff on the rules and regulations of a business, taking into account the specific physical and cyber security measures implemented there. For example, you might provide details about what an employee should do if they find a USB on the floor or why it’s important to lock your screen when walking away from your desk. You may also instruct employees to be vigilant about preventing unwanted intruders on the premises. It’s very easy to hold the door open for someone as you walk into the office without thinking, but this could easily be someone posing as an employee. Then before you know it, they have much easier access to the business’ network, systems and data.
Of course, insider attacks can also be due to a disgruntled employee looking to cause issues, which is why it is important to stay on top of access control and keep your IT team informed of any employment terminations, demotion or suspensions, as these all have potential to lead to revengeful actions taken against the company.
Conclusion
Physical security is no longer a simple case of lock and key. The integration of the Internet of Things has meant that for any modern security solution nowadays, cyber security and physical security can no longer be thought of as mutually exclusive and must work together to offer the best defence for an organisation.
When these approaches are kept wholly separate, the risk of oversight and inefficiency is too great, resulting in an increased likelihood of security vulnerabilities. Businesses can combat this by integrating security policies and security training exercises and meeting recognised standards that cover both aspects of cyber security and physical security. Common frameworks include NIST, CIS, ISO and UK-based Cyber Essentials, all helping businesses to align with critical controls, develop security policies and manage incident response and business continuity.
Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.
Sign up now!
Overlooked in this article and within most organizations is the threat posed by wireless technology and devices. The phones, smart watches and myriad of other devices operating in bluetooth, wifi and cellular bands pose significant data exfiltration threats from both malicious and innocent actors. Detecting and locating these devices is a true physical cybersecurity use case.