As organisations brace themselves for another year of heightened cyber security threats, evidence that businesses are stepping up their focus on tackling vulnerabilities caused by disparate IT, building and physical security teams remains scant. There is an urgent need for stronger security alignment. According to some experts, a significant proportion of cyber incident cases already involve a breach of physical security, with examples of hackers gaining access to primary user data and other sensitive information via poorly configured building control systems.
We discuss some of the issues with CISSP-ISSMP certified Martin Baldock, a managing director of Stroz Friedberg and its UK lead on security risk consulting.
Why has the widespread recognition of cyber attacks as one of the top risks facing organisations had limited impact on the effective management of such threats?
It is only recently that we have started to see significant technology convergence, a trend that is set to accelerate. Historically, computer security was the responsibility of the IT department, with building security within the estates or facilities management brief. However, as technology now reaches into every corner of an organisation, services previously seen as 'non-IT', such as CCTV, HVAC and telephony, could now prove greater risks than, say, a desktop PC. We are seeing more and more cases where an IT security breach is intrinsically linked to a general security incident. Organisations should, therefore, take steps to develop security strategies that can offer the right level of resilience and response.
Whose responsibility is it?
The day-to-day operational control of such systems is unlikely to change in the short to medium term, but the approach to developing safeguards against cyber threats must be better co-ordinated. While each organisation is likely to tackle this differently, it is important to create an environment that recognises the need for change. CIOs and CSOs are ideally positioned to bring existing functional teams together, to take a fresh look at the management of cyber risks.
What are the drivers for dismantling the barriers which often exist between IT and physical security?
Technology convergence, alongside the sheer number of technology devices that now permeate the workplace, have come together to create a perfect storm of vulnerabilities. This has resulted in new avenues for cyber criminals to exploit, which means the risks have also grown exponentially.
For example, research by US telecoms group Verizon found that 10 per cent of breaches involve some form of physical attack, while a further 5 per cent result from 'privilege misuse'. Physical tampering was ranked as the second most dangerous threat action used in single-action breaches, after the 'exploitation of default or guessable credentials'.
What impact has the weak alignment between IT and physical security had on developing an integrated cyber threat response strategy?
In the event of a security incident, without a cohesive strategy, it is likely two different sets of information will follow two very different paths. This could see the same incident rated very differently, as to the risk posed to the organisation. To address such issues, all security professionals must share the same culture and view on physical security and its impact on IT systems.
A key element in effective security management is incident reporting, but without strong alignment between the IT and physical security functions, effectiveness is likely to suffer. Commonly, IT security staff will report incidents upwards to the CIO, who will then escalate it to the rest of the board. However, physical security experts will report their findings to the facilities management team, who often report to the CFO.
What practical steps should organisations take to align their IT and physical security strategy?
There must be greater interaction between IT security and physical security teams. This should start with the development of a culture where both teams share the same view of security – that a cyber breach may expose failings in the physical security of the premises, while increased cyber risk may require more restricted physical access to certain parts of the building and office equipment. Investigations into either physical or cyber breaches also need to involve both parties, as weaknesses in one area of security can have serious repercussions for the other. Any response should, therefore, involve all security expertise.
Effective leadership is essential and the individuals in the best position to monitor whether staff follow the integrated security approach are those at middle-management level. They will have a better understanding of the operational issues and will see at first-hand where flaws in security – and procedure – may occur. Department heads and the board can then implement any over-arching changes that need to be made and ensure that they are communicated from the top-down.