Why physical security should not be neglected over cyber security

January 24, 2020

Why leveraging technology to meet risk management goals while facilitating business processes is best practice for meeting both regulatory requirements and user and client obligations.

In our role as a risk and crisis management consultancy, NYA, a GardaWorld company, is increasingly asked about the vulnerabilities of our clients’ cybersecurity architecture. Often, the conversation is led by the CIO, asking us to focus on the technological security packages that they have designed and implemented to preserve their information. It is worth remembering that when we consider information security, we are concerned with the confidentiality, integrity, and accessibility of data. Often, having conducted a technological review of an organization’s systems, we can give positive feedback: appropriate network protections are in place, and employee training is being done—so the client will congratulate themselves on a job well done. However, when we then indicate that our consultant was able to simply wander into the server room due to a lack of access control, thus rendering most of the CIO’s carefully designed security architecture useless, the reaction becomes more muted.

For some time, to avoid the complicated question of how physical security complements cybersecurity, organizations have sought to shift their vulnerabilities and exposure solely into the cyber domain, and silo responsibility for security into the IT department. This has been achieved predominantly through the use of cloud-based storage systems, reducing the reliance on physical IT architecture, thereby reducing the need to understand physical security protection. Unfortunately, this approach fails to account for a number of key considerations.

Leveraging technology to meet risk management goals while facilitating business processes is best practice for meeting both regulatory requirements and user and client obligations. Contracting cloud-based software does not reduce the need for physical IT infrastructure—it simply moves that hardware requirement down the supply chain. Your cloud service provider still requires the physical hardware that your organization decided to forego. Therefore, physical security protection measures are a necessity for this location, or your data is still at risk. When we consider that one of the key impacts of a large data breach is the reputation of an organization, attempting to argue in the midst of a crisis that actually it is not you, but your cloud service provider, who is at fault for the loss of your customer’s sensitive information is unlikely to prove a successful crisis communications strategy.

Due diligence on the physical protection measures used by these providers is therefore critical.

Cloud-based software solutions still require hardware for access, distributed across the organization to various users. With the trend toward increasingly mobile workforces, the physical security protection measures around the premises where laptops, phones, and any other company devices that are linked to an organization’s information are held are still of critical importance.

Organizations need to understand the threats they face in order to design a physical protection system that seeks to deter, detect, delay and respond to intruders. Breaches perpetrated from an insider tend to be more damaging, and therefore, physical protection measure is particularly important to mitigate against this threat. Current or disgruntled ex-employees, who are privy to your security policies and, more importantly, your ability to implement such policies, mean they are better placed to pose a significant threat. For example, upon the termination of employment, there is often a disconnect between HR departments and IT. There is also often a disconnect between the organization and any third party facilities management companies. Employees have been known to gain access to an office via third party security contractors who are familiar with and have access to employee sites and systems, but who have not been made aware of their termination, thus rendering any existing access control measures redundant.

It is also important to view external threats through the optic of physical security. External threats are often associated with traditional cyber-attacks, ranging from low-level script kiddie attacks to complex and sophisticated cyberattacks perpetrated by organized crime groups. However, we have supported clients whose information security has been compromised without any indication that the incident was perpetrated by traditional external cyber means, but rather by lax physical security controls have resulted in practices such as tailgating.

Tailgating highlights the importance of adopting a security conscious culture. In the United States, tailgating is understood to present physical security threats, including active shooter incidents. However, a more discreet tailgater may use this as an opportunity to gain access to the building in an attempt to steal confidential information. Increasing awareness of these implications, through initiatives like staff training, help to reduce an organizations vulnerability.

Ultimately, despite the general move to cloud-based and virtual environments the requirement for physical security has not gone away. The convergence of information and physical security mean that organisations must consider the link between the two security domains. Comprehensive corporate reviews that evaluate both physical and information security can highlight these potential vulnerabilities that are too often overlooked. This, in turn, empowers organizations to better protect all assets.

Discover how our Security Services can support and enhance your daily business operations. Contact GardaWorld today.