The Pandemic, Risk and Evolving Security Trends

June 9, 2021
Technology innovation has characterized crisis management and business operation adaptation during COVID

For millennia, humans have coexisted with nature’s harsher elements, sometimes with annoying but usually non-fatal responses, like allergic reactions to pollens and spores. And while virus and bacteria outbreaks can have a much more significant and dangerous impact, humanity has largely managed to survive them, but pandemics do leave their mark. According to the Centers for Disease Control, there have been five major pandemics, including COVID-19, in the last 100 years of varying severity.  Central to the planning and response of these pandemics has been controlling virus transmission.

COVID-19[i] is most like the 1918 H1N1 Spanish Flu, but in the century between the two, our ability to respond and mitigate a pandemic has dramatically increased. In no small measure, this is possible due to security planning and technologies that manufacturers have developed and corporations use. The pandemic, cybersecurity issues affecting security system deployments, artificial intelligence and other emerging technologies, and remote work strategies with a new focus on the employee experience in the workplace are just a few of the influences impacting the new workplace reality.

Today, however, the COVID-19 pandemic has forced many companies to scramble into alternative business operations and execute many decisions unexpectedly. Certain technologies, such as elevated skin temperature systems, social distancing artificial intelligence applications, people and personal effects screening, drones, and even robots are being accelerated through development and deployment. Simultaneously, other factors such as socio-economic and political unrest, cybersecurity developments, privacy laws, and workplace violence incidents can complicate security planning. Lastly, at the beginning of the pandemic, some companies found themselves unprepared to assess technology in a meaningful way. Some end-users rushed towards a stopgap technology with little planning, and some integrators found questionable solutions to fill the immediate need.  The pandemic has accelerated some trends and technologies into enterprise adoption with positive results, bolstered by responsible integrators intent on solving the immediate need with more thoughtful collaboration and establishing a true strategic partnership with their clients.

Access Control – The New Old Idea

The idea of “touchless” access control is not new. Steve Van Till, Brivo CEO, states, “Access control has always been touchless…”[ii] meaning that the access credentials didn’t touch the card reader. Before COVID-19, however, the touchless concept was being expanded to a “frictionless” model, often driven by facilities planners whose focus on an updated workplace employee experience includes a belief that employees should be able to traverse through security barriers unimpeded. COVID screening and other practices don’t change the frictionless principle but do introduce new opportunities to enrich the employee experience while improving workplace safety. For example, some firms still using proximity technology have balked at converting to contactless smartcards due to cost concerns, viewing the new technology as just one type of card versus another, albeit a secure one. However, mobile phones, which happen to support a COVID no-touch program, are also being frequently adopted. Likewise, touchless biometric technologies, whose development has accelerated, especially those that can be combined with elevated skin temperature screening, are not likely to disappear anytime soon. The broader availability of touchless biometrics and smartphone credentials provides facility and security planners with more options than ever before, though planners must also strike a delicate balance with mounting privacy concerns and protection laws, as has become the case for facial biometrics.

It is easy to imagine an employee with a credentialed smartphone in their pocket, walking into their main lobby, passing through a channeled walkway monitored by a thermal camera for elevated skin temperature screening.  Perhaps a contactless biometric device confirms the person’s identity (2FA), after which the person passes through a high-speed/no-touch turnstile, or maybe an automatic opening door, monitored by an AI camera to spot tailgating. The employee’s presence is tallied to a workplace digital counter for occupancy load management. Many companies, not ever intending to implement thermal cameras, have incorporated them into their programs, while other technologies such as smart credentials have been accelerated into adoption.

Video Surveillance and Artificial Intelligence - The Conundrum

No recent security technology has garnered more hype or generated more legal concerns than video artificial intelligence. The potential utility of video AI is immense, as it may be useful for positive personal identification, suspicious behavior recognition, facemask and distancing alerting, and pattern recognition. AI development for security purposes also has crossover benefits for business processes. Legal risk avoidance will likely curb some security-AI corporate adoption, notwithstanding that much of the privacy legislation deals with informed consent. In part, the potential for ethical AI is to anonymize personal data so that AI-enabled decisions are meaningful without trespassing into privacy concerns. For instance, future AI for shoplifting applications can help to support retail loss prevention by recognizing suspicious behavior patterns while giving no indication of a person’s demographic features, such as race, age, or sex. Through this potential technology and using video surveillance to review the scene, loss prevention staff can confirm that the incident occurred and can then initiate an appropriate response.

A nascent trend with intriguing potential is the integration of AI with security robotics and drones. Augmenting security staff with robots and drones isn’t new, although there has been limited penetration into the end-user space. Drones and robots, however, are becoming an everyday norm in other business areas. A Gartner report predicts that 77% of retailers will deploy a form of AI before the end of the year, and the top two global retailers will incorporate robotics into their business operations by 2025.[iii] Commercial drones have flown under the radar, but their deployment is surprisingly extensive. Drone uses include aerial surveillance for crime interdictions, LiDAR spatial mapping, medical deliveries, broadcast communications and environmental management. AI integration with both security robots and drones permits high functionality while allowing a greater degree of independence from human operation and control.

It’s easy to see that AI, robots and drones have a future in the security field. They can perform monotonous tasks with consistent diligence and effectiveness, and if robots had been at a more advanced development and market stage prior to the onset of the pandemic, perhaps their use to support an organization’s pandemic response could have been realized as this pandemic tested weak elements in our supply chains. For instance, a LiDAR-equipped robot could effortlessly perform real-time spatial occupancy counts, determine that space may become too dense and notify facilities of the issue. The emergence of fully articulating robots that can open doors, ride elevators, and perform other tasks demonstrates their improving capability factor. A drone equipped with standard video, LiDAR and thermal imaging also considerably widens security capabilities and outcomes. From a cost-benefit standpoint, early estimates indicate that the increase in the prevalence of robotics across verticals like healthcare, distribution, and manufacturing could drive down the costs of robotics overall. If this trend continues in the security space, robots might become a competitive alternative to human labor.

Security concerns regarding data from physical security systems have increasingly become a planning matter when designing systems. AI, drones, and robots, coupled with corporate clouds or as-a-service hosting, can trip alarms with IT, legal, and HR stakeholders. Questions like, “Where does the data go?” “Who has access to the data?” and “What regulatory issues are we concerned with?” naturally arise. The issue is complicated when third-party managed services are included. While these concerns can usually be successfully navigated, companies that have adopted or will adopt some of these emerging technologies need to be thoughtful and purposeful in their approach. Partnering with key stakeholders and integration specialists is essential.

AI and Data Analytics

In addition to responding to the drastic impacts caused by the pandemic, workplace violence prevention has continued to remain a focus for businesses across industries. For many years, workplace violence prevention and detection were a combination of training and awareness coupled with a reporting mechanism to curtail potential incidents. The pandemic has only complicated the security leader’s workplace violence programs. Screening for elevated skin temperature and the resulting employee entrance queues can exacerbate latent employee frustrations.

AI must be trained on relevant data, in a large sample, to enable predictive analytics. Some AI software companies are developing user and entity behavior analytics (UEBA) that use various internal and external sources to predict the likelihood of workplace violence by an individual. UEBA requires integrating IT assets and a user’s unusual behavior with internal and publicly available sources. While information security teams may detect unusual behavior, the corporate security and human resources teams are responsible for managing the possible threat. Security technology manufacturers have varying views about incorporating AI natively into their products[iv], but integrating AI into various security situational awareness platforms is not difficult for an integration specialist. As companies integrate AI and data analytics into their cyber and physical security programs, the outcomes will continually progress towards the intended results.

Physical and Cybersecurity Convergence Redux

For some companies, physical and cybersecurity have collided as much as they’ve collaborated. Security systems became another dimension for IT operators to potentially manage when physical security manufacturers adopted TCP/IP standards, something that IT leaders didn’t necessarily welcome. Disconnects have ranged from, “It isn’t a business-critical system, so you or your integrator have to manage it,” to “We require a full application and device security assessment before we will host it, and it’s going on a separate network with no enterprise services.” Physical security systems continue to integrate with other corporate systems, including identity management, single sign-on, and now service management and network security applications. Cyber and IT convergence for physical security systems is moving toward standardized IT service management programs, meaning that IT supports the planning and hosting management of physical security systems and even stipulates some of the standards that the application and data must conform to.

Enterprise Risk Management (ERM) programs are expanding to often include a cyber-risk committee reporting to the Board of Directors. In many cases, the Board assumes that this includes physical security. Converging cyber and physical security at a Board committee level and coordinating the CSO and CISO protection programs under a common framework should become a standard ERM practice for the large enterprise. The company gains the benefit of holistic threat management with intra-team communication and collaboration. Converging cyber and physical security at a vision and operational level is essential to dealing with the rapidly evolving threat landscape that companies face today as organizational threats are increasingly complex and span cyber and physical security domains.

For example, a network-sniffing drone launched towards a corporate headquarters should initiate a coordinated response by both departments. Likewise, Industrial and Internet of Things (IIoT and IoT) touch both domains since a successful cyber-attack on an IIoT infrastructure, like an organization’s building management systems, requires law enforcement coordination and possible relocation to alternative facilities supported by security. IoT is inherently insecure, yet the advantages to cyber and physical security situational awareness represent an opportunity too significant to ignore. IIoT and IoT are examples of the compelling benefits that cyber and physical convergence at an ERM level can provide, including a more secure enterprise, improved efficiencies, and increased flexibility. Additionally, shared evolving threat information prompts an enhanced risk assessment, factoring in a broad and dynamic range of concerns and enabling a mutually coordinated response.

There is one other spin-off benefit – trust. Cyber and physical security leaders will sometimes criticize systems, pointing to an unacceptable mutual mistrust. Regardless of what generates the wariness, the fact that two equally mission-critical departments are habitually in conflict is a root problem to the organization. The convergence trend at a risk management framework level, coupled with shared threat management and resolution is often an excellent start to harmonizing relationships, achieving operational alignment, resulting in improved risk and threat management with little to no incremental costs.

The Takeaways

The pandemic served to accelerate technology trends already gaining momentum.  Their adoption into an enterprise should substantially improve the security program by bringing cost-effective, reliable solutions valuable to both the physical and cybersecurity departments. Manufacturers and the emerging technology supply chain will be able to provide these systems as scale efficiencies and corresponding expense savings are realized in other areas. AI and data will continue to evolve, with greater efforts to ensure data privacy and compliance issues are factored into their adoption. Lastly, cyber and physical convergence should continue its course with AI integration serving two masters, providing better functional alignment, and Board-level oversight. The security world is dynamic, and if we thought it was fast before, well, hang on tight because we just hit the high-speed lane.

About the authors:

William Plante is the Director, Consulting and Strategic Development for ADT Commercial. William brings more than 40 years of security experience as a CSO for various organizations, a boutique consulting business owner, and in the commercial field.
Patricia G. Coureas is an international security executive with over 35 years of experience in both government and private industries, with a passion for inspiring and directing strategic change.  As a Principal for the ADT Commercial Enterprise Security Risk Group, she delivers innovative strategic solutions to businesses facing challenges by assessing risk with a growth mindset.

Footnotes:

[i] See 100 Years Since 1918: Are We Ready for the Next Pandemic? https://www.cdc.gov/flu/pandemic-resources/1918-commemoration/pdfs/1918-pandemic-webinar.pdf

[ii] https://content.assaabloyusa.com/doc/AADSS1177458&.pdf

[iii] Gartner Predicts At Least Two Top Global Retailers Will Establish Robot Resource Organizations to Manage Nonhuman Workers By 2025, https://www.gartner.com/en/newsroom/press-releases/2020-02-04-gartner-predicts-at-least-two-top-global-retailers-wi

[iv] https://content.assaabloyusa.com/doc/AADSS1177458&.pdf, MegaTrend 3 page 10