Cyber risk has time and time again been identified as one of the top risks facing organisations, irrespective of their size or industry sector.
However, widespread recognition has done little to the management of such threats, which often lack a cohesive strategic focus. Now is the time to consider dismantling the barriers that often exist between IT and physical security teams, so that evolving cyber risks can be tackled more effectively.
Recent research reinforces the need for a dual focus and the alignment of physical and technology security efforts. For example, Verizon's 2012 data breach investigations report found that ten per cent of breaches involve some form of physical attack, while a further five per cent result from ‘privilege misuse'.
The report also found that physical tampering was ranked as the second most dangerous threat action used in single-action breaches, after the ‘exploitation of default or guessable credentials'. Other surveys have produced similar findings, with physical theft of computers by outsiders remaining a common cause of breaches.
In 2009, the US National Nuclear Security Administration (NNSA) criticised Los Alamos National Security (LANS), the contractor responsible for security at the Los Alamos National Laboratory, for its apparent mishandling of computer thefts from the facility's weapons laboratory.
The NNSA found that the lab "had made great strides in improving the robustness of cyber security implementation". However, the report highlighted the risks of dealing with cyber security in isolation, where the theft of computers were treated as a standalone ‘property management issue', which uncovered "several property management, accountability, incident reporting and cyber security concerns".
The failings did not stop there. Some 13 computers had been stolen or lost in the previous 12 months, and 67 computers were ‘missing', according to LANS' reports.
“The magnitude of exposure and risk to the laboratory is at best unclear as little data on these losses has been collected or pursued given their treatment as property management issues as well,” said NNSA in its report.
Such incidents highlight the need to integrate cyber security risks with better physical security management. Historically, mainframe computers were locked away in computer rooms, only accessible through dumb terminals. However, as technology has become more affordable and distributed, there has been little reintegration of physical and cyber security.
Organisations need to recognise that an IT security breach is often tied up with a general security breach. In my experience, in a large per cent of cases where an organisation has suffered a cyber incident, there has also been a breach of physical security that has been used to identify a technical weakness. Such failings may have seen passwords written down, simplistic or shared passwords, social engineering or direct access.
To tackle these challenges, there needs to be greater interaction between IT security and physical security teams. A starting point is to develop a culture where both teams share the same view of security – that a cyber breach may expose failings in the physical security of the premises, while increased cyber risk may require more restricted physical access to certain parts of the building and office equipment.
Investigations into either physical or cyber breaches also need to involve both parties, as weaknesses in one area of security can have serious repercussions for the other. Any response should, therefore, involve both sets of security expertise.
Effective leadership is also crucial. The best people to monitor whether staff follow the integrated security approach are those at middle-management level, who will have a better understanding of the operational issues, and will see at first-hand where flaws in security – and procedure – may occur.
Department heads and the board can then implement any over-arching changes that need to be made and ensure that they are communicated from the top-down.
More technology may not always be the answer. If a breach has occurred – or is likely to occur - then adding additional software or hardware may take time and there is no guarantee that employees will install this correctly.
Also, the original breach may have been caused by physical tampering or theft and would require an investigation and response from the physical security team and possibly HR.
Having third-party local expertise to hand as a ‘first responder' can be useful. However, the in-house IT security and physical security teams should also be an integral part of this process. This will ensure all procedures and controls are regularly tested and further reinforced with staff security workshops.
A key element in effective security management is better incident reporting, but weak alignment between the IT and physical security functions could limit its effectiveness. Commonly, IT security staff will report incidents upwards to the CIO, who will then escalate it to the rest of the board. However, physical security experts will report their findings to the facilities management team, who will then report to the CFO and up to the board.
As a result, there can be two different sets of information and two very different paths. Worse still, the same incident could be potentially rated very differently as to the risk posed to the organisation. To address such issues, both groups of security professionals must share the same culture and view of the impact of physical security on IT systems.
Closer cooperation and information-sharing between IT security and physical security teams is essential for tackling cyber risks.
However, the failure to integrate these functions effectively could see significant reputational and financial damage being caused to organisations, as the threat from cyber crime and data breaches escalate.
Martin Baldock is a managing director at Stroz Friedberg