What comes to mind when you hear the term physical security? Most probably technologies such as CCTV and access control; the devices designed to ensure a perimeter’s protection and to only allow authorised personnel access into certain areas. And what about cybersecurity? This is a term we have now become accustomed to hearing on an almost daily basis. It is no longer a surprise to read headlines regarding various threat actors, from bedroom hackers to state-sponsored attackers, targeting our retail outlets, banks, and even our power grids, stealing data and holding firms to ransom. So how are the two connected?
Simply put, as CCTV and access control devices have become increasingly connected, evolving from a ‘closed-circuit’ system to an IP enabled solution connected to an IT network, cybercriminals have discovered they can utilise vulnerabilities in such technologies to gain access to a business’s data, its ‘cyber’ network. Yet there are clear business benefits when connecting physical security technology to an IT network. The rapid progression of IP technology has meant the CCTV camera has evolved into a device that can collect and share vast amounts of data. This can be used for security purposes, such as loitering detection and suicide prevention; and for business intelligence, such as queue monitoring or managing staff more efficiently.
However, this increased connectivity has created some confusion regarding where the responsibility lies if a data breach occurs. Is it with the equipment manufacturer; the installer; or the end user utilising the technology? In response to this increasingly converged landscape and the explosion of data, new legislation has been drafted, the EU General Data Protection Regulation (GDPR), to overhaul how businesses process and handle data. As the gap between physical security and cybersecurity diminishes, it is clear businesses must now consider physical and cybersecurity in combination to effectively secure personal data.
GDPR and the supply chain
By May 2018, companies across Europe will now be required under GDPR to ensure they meet its standards, or face potential fines of up to €20m, or 4 per cent of the company’s annual turnover, whichever is greater. Time is running out; firms must now ensure they aren’t only promoting security best-practice within their own walls. They should also undertake the necessary due-diligence to ensure their suppliers are doing the same. This is essential as the issue of supply chain security is a complicated one…
For example, imagine a scenario where a criminal gains access to an organisation’s network via a vulnerability introduced by surveillance equipment; this weakness is exacerbated when the end user decides to enable remote access to their video. Beyond the attacker, whose responsibility is the breach? Would it be the manufacturer of the surveillance equipment, the integrator or the end-user’s IT department? Ultimately, all parties share responsibility and have something to lose, including reputational damage. That said, the heavy fines set to be imposed by the impending GDPR would fall at the feet of the end user.
That is why it is so important for physical and cybersecurity to be considered together as part of an all-encompassing approach to security. This allows the full picture to become clear and the previously described scenario can be mitigated. Joined-up thinking in all parts of the solution and at every point in the supply chain plays a part in whether a business remains secure or not. This must extend to every stage, from the choice of surveillance equipment, its supplier and the installer; through to the involvement of a company’s IT department to ensure security at all network levels.
The importance of education
As physical and cybersecurity converge, the importance of staff education also becomes even more critical. The hack that led to the theft of 110 million Target customers’ financial data occurred following a spear-fishing attack which granted attackers access to an internet-connected heating/ventilation system. This spear-phishing attack, which involved an email riddled with malicious code sent to a member of staff, could have been prevented if workers had been given the necessary training on how to identify suspicious emails.
Even with the best of intentions, the equipment a solutions provider installs on a network could sometimes make it vulnerable. It is often said that a company is only as secure as its weakest link; security training is therefore critical in order to empower staff to operate and react effectively to certain threats. Employees need to learn how to identify a suspicious email or a malicious attachment, as they are often a company’s first line of defence. If they aren’t aware of security best-practice, a breach at some stage will be inevitable.
Any business looking to install IP-based CCTV technology must ensure its supplier and systems integrator has also had the required training to understand the potential ramifications of introducing vulnerabilities into the network, and have a dedicated strategy and process in place to deal with these. A key indicator of installer awareness is if the firm has achieved cybersecurity certifications, such as Cyber Essentials Plus. Only through a fully collaborative approach with manufacturers, integrators and end users working in unison, will the gaps between technology, compliance and security be adequately filled.
Once the processes of communication between all parties are in place, upskilling of staff and sharing security knowledge will be key. Whether achieved through industry accreditation such as Cyber Essentials Plus, or the appointment of a Data Protection Officer as stipulated in the GDPR, use of these resources will be vital in understanding the measures required to mitigate risk and how to effectively communicate these across the supply chain.
The world is becoming increasingly connected. Technologies are communicating with each other, utilising data to help companies operate more intelligently and efficiently. This communication must be replicated between businesses, departments, and employees. Only then can we hope to effectively manage the risks created by the convergence of physical and cybersecurity.
Nigel Peers, Senior Consultant, NW Systems Group
Image source: Shutterstock/KAMONRAT