When the 2020 global pandemic forced organizations to quickly shift employees from traditional in-office workspaces to decentralized remote or hybrid working environments, employers found themselves focusing on the security of their people, assets, and infrastructure in both physical and remote workspaces. As the pandemic has receded to an endemic, organizations must reassess their physical security posture and cybersecurity measures.
For more than 20 years, the convergence of cyber and physical security has been proclaimed to be the future of security. Within the last decade, Enterprise Security Risk Management (ESRM) has gained attention as the best security model. However, the threat landscape constantly evolves, and organizational changes are not adapting quickly enough to address these security risks. Typically, security is viewed as an inconvenience until it becomes necessary. By integrating security throughout the entire organization, it can be prioritized and given consideration during organizational changes.
Advances in technology, including artificial intelligence/machine learning, 5G, IoT, and quantum computing, their integration into business environments, and the exploitation of access control systems must be at the forefront of any organization’s security playbook.
Fully remote work or a hybrid of office and home work presents challenges for any organization’s physical security team. Flexible work schedules and work environments leave the security team guessing who is or isn’t on site and who is or isn’t supposed to be on site at any given time. Access to the office space and remote access to the company network must be clearly defined and managed now more than ever. Authorized access must be limited to the times that are truly needed for work performance rather than granted 24/7/365 for convenience.
The basic cybersecurity measures that organizations must implement to make themselves less of a target to cybercriminals include:
- Multifactor Authentication (MFA) to help limit unauthorized access by requiring a second piece of information before an access request is granted. This second factor may be biometric verification; a code sent to the requestor by email, text, or phone call; or a code generator held by the requestor, such as a code generation app on their phone or a USB security key dongle.
- Identity and Access Management (IAM) to further ensure that only approved employees and job roles within an organization can access the tools needed to perform their jobs. Using a single sign-on application allows an organization to manage employees’ application access centrally, without an administrator having to log into each application separately.
- Password Management Systems such as a password vault, password manager, or password locker store usernames and passwords for multiple applications securely and in an encrypted format. Users only need to remember one “master” password or passphrase to gain access to the password for their accounts. Although forced password changes reduce the risk of stolen credentials, they also create a risk because users will more than likely note their updated passwords in writing to better remember them. An effective password management system will reduce this risk.
- Firewalls and Virtual Private Networks (VPNs) can block unwanted or malicious traffic and protect devices and networks from hackers. A VPN can encrypt and anonymize network traffic and protect data.
- Data Backups and Updates conducted regularly will help lessen the risk of damage from ransomware attacks. This includes segmenting and encrypting sensitive data and applying patches in a timely manner as they are released.
Traditional Security Awareness Programs Must Be Revisited
Traditional security awareness training oftentimes consists of requiring employees to watch short video training modules annually. Many of these training modules include a few questions at the end and can be completed in seconds rather than minutes. Human error is a prominent factor in instigating or facilitating cyber breaches. According to the 2022 Verizon Data Breach Investigations Report, the human element continues to be a key driver in 82% of breaches. Additionally, malware and stolen credentials are the next step after a social attack gets the bad actor in the door, emphasizing the importance of having a strong security awareness program.
Organizations should move to a more holistic and persistent approach to security awareness by:
- Revisiting and evaluating security methods to address sophisticated and evolving threats.
- Moving cybersecurity decision-making to business units ensuring all associates become willing participants in the safety and security of themselves and others.
- Creating performance requirements related to cybersecurity risk specifically for C-level executives to prioritize the importance of cybersecurity.
- Establishing cybersecurity-specific board committees to expand active participation in security awareness and cybersecurity to all business units.
Modernize and Adjust Cybersecurity Practices to Better Manage Cyber Risk
According to a public data breach tracker created by the UK news site The Independent, more than 340 million people were affected by publicly reported data breaches or leaks in the first quarter of 2023. Of those, 235 million were the usernames and email addresses of Twitter users leaked in January. The next largest leak was the theft of data from 37 million T-Mobile wireless subscribers. According to Verizon, approximately 70% of social engineering breaches originate from phishing exploits, which should be no surprise. The good news is that users are getting better at reporting suspected phishing attempts, with a steady increase of 10% in phishing emails reported over the last five years.
Cyber-attacks can compromise physical security too. Once inside a network, attackers can steal information that helps them identify gaps in physical security policies, allowing them to enter the organization’s premises more easily. Details of access control policies, such as the schedule of lock and unlock functions and the timing of personnel presence in certain areas, may pose a serious threat to the organization if exposed.
Security awareness training should also address physical access control as the cornerstone of the security program. Hybrid work models make it extremely difficult to know who should be where and when, not only for the security team but also for everyone entering the building. Tailgating and piggybacking have always been topics of security awareness training and should continue to be addressed as unsafe and not permissible. Unused network ports should be locked and inaccessible. Multifactor authentication should be added to areas housing main distribution frames (MDFs) and intermediate distribution frames (IDFs) within the building, as well as critical infrastructure such as generators, HVAC, and physical files. Physical access control policies should be reviewed and updated frequently.
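The two points above, time-limited access authorizations for a hybrid workforce and MFA on critical rooms such as MDF/IDF spaces, can be checked mechanically against badge-reader records. The following is an added example written for this article, not code from the author or from Guidepost Solutions; the roster, the area list, the badge-event format and the event lines are all constructed sample data and are assumptions for illustration. It reviews a batch of badge events and flags entries outside an employee’s authorized weekday and time window, entries with no authorization on file, and entries to MFA-required areas where the reader recorded no second factor.

```python
"""Review badge events against time-bounded access authorizations.

Constructed example (not the article's own material): roster, area rules,
event format and sample events are all made-up illustration data.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Authorization:
    """Hypothetical authorization: one badge may enter one area only on the
    listed weekdays (0 = Monday) and only inside [start, end)."""
    badge_id: str
    area: str
    weekdays: frozenset
    start: time
    end: time


# Areas the article singles out for MFA: MDF/IDF rooms, generators, HVAC.
MFA_REQUIRED_AREAS = {"MDF", "IDF-3", "GENERATOR", "HVAC"}

# Constructed roster: B1001 is on site Mon-Fri and may enter the MDF room
# Tuesday and Thursday mornings; B2002 is on site Monday and Wednesday only.
AUTHORIZATIONS = [
    Authorization("B1001", "LOBBY", frozenset({0, 1, 2, 3, 4}), time(7, 0), time(19, 0)),
    Authorization("B1001", "MDF", frozenset({1, 3}), time(9, 0), time(12, 0)),
    Authorization("B2002", "LOBBY", frozenset({0, 2}), time(8, 0), time(18, 0)),
]


def access_problem(badge_id, area, when):
    """Return None if the badge is authorized for the area at that moment,
    otherwise a short reason string."""
    records = [a for a in AUTHORIZATIONS if a.badge_id == badge_id and a.area == area]
    if not records:
        return "no authorization on file"
    for auth in records:
        if when.weekday() in auth.weekdays and auth.start <= when.time() < auth.end:
            return None
    return "outside authorized window"


def parse_event(line):
    """Parse one constructed badge-reader line: '<ISO timestamp>,<badge>,<area>,mfa=yes|no'."""
    ts, badge, area, mfa = line.strip().split(",")
    return datetime.fromisoformat(ts), badge, area, mfa.split("=", 1)[1] == "yes"


def review(lines):
    """Return (badge, area, reason) findings for every event that violates policy."""
    findings = []
    for line in lines:
        when, badge, area, mfa_ok = parse_event(line)
        reason = access_problem(badge, area, when)
        if reason is None and area in MFA_REQUIRED_AREAS and not mfa_ok:
            reason = "critical area entered without MFA"
        if reason is not None:
            findings.append((badge, area, reason))
    return findings


# Constructed sample events. 2023-04-11 is a Tuesday, 04-12 a Wednesday, 04-13 a Thursday.
SAMPLE_EVENTS = [
    "2023-04-11T10:15:00,B1001,MDF,mfa=yes",     # Tue morning, MFA present: clean
    "2023-04-11T22:40:00,B1001,LOBBY,mfa=no",    # late-night entry outside 07:00-19:00
    "2023-04-11T10:30:00,B2002,LOBBY,mfa=no",    # B2002 is not scheduled on Tuesdays
    "2023-04-13T09:30:00,B1001,MDF,mfa=no",      # authorized time, but no second factor
    "2023-04-12T09:30:00,B1001,MDF,mfa=yes",     # MDF not authorized on Wednesdays
    "2023-04-11T10:00:00,B3003,LOBBY,mfa=no",    # badge with no roster entry at all
]

if __name__ == "__main__":
    for badge, area, reason in review(SAMPLE_EVENTS):
        print(f"{badge} {area}: {reason}")
```

Each finding is something the physical security team would want to follow up on rather than an automatic denial: the first two reason strings point at roster or schedule gaps the article asks organizations to keep current, and the third points at a critical room whose reader did not enforce the second factor.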
It is recommended to have an independent consultant conduct a security assessment every three years. Assessments should ask:
- Is there a Security Management Plan in place?
- Does the Security Management Plan include cybersecurity?
- Are all personnel aware and familiar with existing physical and cyber security measures employed by the organization?
- Are security leaders involved with planned organizational changes and business initiatives?
- What physical and cybersecurity technologies and methods are in place to prevent, detect, and respond to security threats and breaches?
- How does the organization identify, measure, and monitor risks and threats?
- Are all business units integrated with security? Does each business unit actively participate in security awareness and threat mitigation within its own unit?
- What measures are taken to vet third-party vendors and suppliers?
- What policies and procedures are in place for both physical and cybersecurity?
- Is there a security awareness program in place and what does it look like?
To ensure that security and access control demands keep pace with organizational change, deploying a holistic planning approach in conjunction with conducting comprehensive assessments is crucial. By adopting such an approach, organizations can navigate the ever-changing threat landscape to identify potential vulnerabilities, address them proactively, and effectively mitigate risks to safeguard their assets, infrastructure, and sensitive information.
Tim Sutton CPP, PSP, CHPA has more than 30 years of security experience. His expertise includes operational security management and program development, loss prevention, physical security and risk assessments, and technical security systems design and implementation. He has collaborated with clients in diverse sectors including medicinal and adult-use cannabis, healthcare, retail, government, manufacturing, and multi-use properties.
Prior to joining Guidepost Solutions as a Senior Security Consultant, Sutton worked as a director of security for Greenhouse Group and its Grassroots and Herbology banners, responsible for enterprise security risk management in all markets. He authored Security, Emergency Action, and Fleet Safety Plans along with security training and operations manuals.