Cyber and Physical Security: Tied Together at the Hip?
Cyber security and physical security, in terms of best practices, seem worlds apart. But with smartphones, remote data centers, and laptops now commonplace tools in enterprises and medium-sized businesses, the two sets of security best practices are slowly overlapping one another.
This new landscape of corporate devices is providing a growing set of challenges for CISOs and CSOs. The increasingly diverse and complex work environments of multinational corporations also contribute to these challenges.
Fifteen years ago, a physical security vulnerability that led to a cyber security vulnerability would have required multiple breaches in specific areas. The first line of defense would be the protections in place at the entrance to an office or a branch, and subsequent layers would include human detection and hardware protection such as a password-protected PC. This largely centralized approach made it much easier for one of the layers to either provide protection or quickly raise a red flag.
But today a cyber security vulnerability isn't protected by multiple layers of physical security. Now, for example, employee homes, coffee shops, restaurants, and the like are the new first line of physical defense. And unlike physical workplaces, there's really no physical protection in place.
Think about the physical security risks in a coffee shop. There are many wandering eyes that could see sensitive information like passwords on a phone or tablet, items could be stolen if not properly supervised, and social engineers could be lurking nearby. If you’re a Chief Information Security Officer, I don’t blame you for getting a headache while reading this.
Real-Life Situations Can’t Be Controlled by the Company
Think about the following circumstances as just a few of the terrifying risks of potential cyber security breaches resulting from a lack of physical security awareness:
- An employee takes their company smartphone to a bar, where they unlock it using their PIN. A person next to them looks over their shoulder, remembers the PIN, and steals the device while the employee isn't looking.
- After work an employee goes to dinner with friends and leaves their work laptop in their car. The car is broken into, and a few hours later the employee reports the stolen laptop to their superior.
- A seemingly legitimate technician comes to check the company's servers. An employee sees that the credentials look legitimate, but doesn't check whether the appropriate supervisor has scheduled the maintenance because they're away from their desk. The employee grants the fake technician access to the server room.
- A terminated employee steals sensitive information from a colleague's desk when leaving the company.
How Do You Cover Your Bases?
How do you ensure the security of the employees who are responsible for company assets? You can train them to use consistent best practices that reduce risk in these physical environments. And because physical security and cyber security are increasingly dependent on one another, it is imperative that you move from separate thinking to one holistic strategy.
Derek Slater's Physical and IT Security Convergence: The Basics provides an excellent framework for merging physical and information security departments into one.
Your training should cover both potential cyber and physical security risks, as the two are so dependent on one another.
We know a thing or two about effective security training, and have released a specific physical security module to address real-life situations like the ones mentioned above.