We all know better than to leave the door to our home or car unlocked. These days it doesn't matter where you live—bad guys are out there waiting to pounce on any opportunity.
And yet at the same time, we often overlook the same basic physical security precautions at our place of business. We implement passwords and firewalls to protect important data, networks, and systems, but we leave the back door propped open for the delivery guy. Huh?!
Proactively secure your critical infrastructure — even in a low-tech, affordable way — by prioritizing physical security as much as that of your networks and applications.
Securing physical and intellectual property from dangerous actors typically involves several security layers:
Nevertheless, the need to identify security risks, analyze those risks, and develop practices to ensure the integrity of computers, networks, and systems is ongoing. It requires a combined approach that merges physical and logical security.
Critical Infrastructure Vulnerabilities
Even the most dramatically encoded system or network could be vulnerable to attack if physical security isn't up to snuff. Possible openings for bad actors include:
Physical exposure. Security devices may be installed outdoors or close to perimeters where they would be accessible to attack.
Compartmentalization of security. The business may have one team patrolling the perimeter and monitoring the premises, but a separate staff overseeing the IT network.
Human fallibility. No matter how well informed and prepared the cyber and physical security forces may be at an organization, there are many other players involved — from the C-suite to the frontline employee — who may not have the same depth of knowledge.
Market realities. The security equipment market is fragmented, with many small players that are ill-equipped to adopt new solutions that meet the physical need and simultaneously address emerging cyber threats.
External partners. No organization is an island unto itself. Businesses work with a range of clients, external vendors, and suppliers. These necessary partners may have different security standards, which could make your organization vulnerable. Consider the Target breach in which hackers stole financial information on more than 110 million customers via an attack on the third-party provider for the heating/ventilation/air conditioning (HVAC) system. It's just as likely a bad actor, knowing the HVAC vendor, might simply impersonate an employee of that company to access the network onsite.
Whether it's stealing and selling personally identifying information, corporate espionage, holding a network ransom, or shutting down a system, intruders may use physical access points to commit their cyber crimes.
Watch us access a Midwest power company's site — where at one point our team just walked through an open door!
Common criminals have a number of ways to penetrate critical infrastructure. Along with the obvious intrusion through a fence or gate, they might also neutralize alerts by saturating alarms from a smart fence, stream false footage to a guard's monitor, or create faked access cards.
Once onsite, they could take advantage of employee complacency (e.g. leaving a password on a post-it note on a laptop) to gain easy access to the network and proprietary information. There are, though, several steps you can take to secure critical infrastructure by further prioritizing physical security.
Expand skill sets. Information technology isn't the typical skill set of traditional security managers, consultants, installers, and manufacturers. At the same time, IT is less knowledgeable about the demands of physical security. This lack of skills and lack of awareness can undermine even the best intentions to work together.
Physical and logical teams need to understand the full potential for theft, both physical and cyber theft, as well as best practices for both IT and physical security, and how to apply these consistently across departments.
As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. — Scott Borg, Director of the U.S. Cyber Consequences Unit
Present a unified front. The staff responsible for securing the physical side of things and the IT team should build a shared awareness of each other's protocols. Several steps can help these entities to work more effectively together.
Educate all employees. While physical security is more intuitive — we lock the doors, but fail to use effective passwords — it remains important to educate your entire team about risks and preventative actions.
Your team needs not only to act to ensure the security of information and networks, but also to be aware of everything a physical intruder could accomplish. The best firewalls, after all, won't do much to stop brazen hackers once they've breached the physical walls of the building.
Develop security standards that make employees reconsider an "it won't happen to us" mentality. Provide security training that addresses common mistakes:
Foster a culture that is aware and proactive by reinforcing positive behaviors. Offering rewards and positive feedback to show employees their security efforts are appreciated can help gain buy-in while better protecting your physical and information assets.
Know your employees. Internal actors remain one of the weakest links in security, with the average organization experiencing 9.3 internal threats per month. Being proactive with securing your critical infrastructure begins at the hiring phase. Do background checks and verify references. Then, once the individual is hired, be sure that both IT and physical security teams can identify individual employees' movements within the business as well as their data access and computer and mobile device usage.
Try also to be aware of which employees may be disgruntled over a policy change or being passed over for a promotion. Know also that employees terminated for cause or as part of a reduction in force can pose a serious risk. They might delete important files or emails, lock administrators out of admin accounts by changing passwords, or take sensitive data with them when they leave. They are also aware of security procedures and facility layout that might be useful in physically accessing your site.
Know thy enemy. Stay informed regarding threats in your industry and the ever-evolving ingenuity of cyber criminals. Taking the time to institute and implement a strong physical security plan to protect cybersecurity infrastructure is not enough. Protecting is only part of the equation. Consider also how your organization will detect threats, respond to an attack, and recover efficiently.
For this to be truly effective, your plan needs to be continually evolving. Cybercriminals are not resting on their laurels. They are constantly finding new entry points and leveraging fresh vulnerabilities. Be informed about what is happening out there — let someone else's publicized breach serve as a cautionary tale that drives action and enhanced security awareness at your organization.
Audit current security. Evaluate the company's security policies and employee awareness. Sometimes existing security and IT personnel can be too close to the situation and overly confident that they have thought of every possible threat and vulnerability.
RedTeam Security Consulting can help your business obtain a realistic assessment of threats to your technology (networks, applications, routers, switches, appliances, etc.), people (staff, independent contractors, departments, business partners, etc.), and physical presence (offices, warehouses, substations, data centers, buildings, etc.). Our highly trained security consultants will identify physical, hardware, software, and human vulnerabilities. Plus, we don't stop there. We'll also help you address and fix all identified security weaknesses.