Interconnecting physical and cyber security

February 2016 Information Security, Integrated Solutions

Businesses are well-versed on the need for data security. However, there are many ways to obtain sensitive company data – financial data, customer details, product information, and intellectual property – than through company firewalls. As the lines between digital and physical realms blur, the weakest links are to be found where physical and information security meet – links many businesses have not yet thought to identify and secure.

Mel Brooks, Africa Regional President: 
G4S Africa.
Mel Brooks, Africa Regional President: G4S Africa.

The risk of a physical-cyber threat crossover is substantial: 80% of all digital attacks stem from physical access. For companies that have not yet considered how, or if they need to interconnect their traditionally separate physical and information security strategies, now is a good time.

Blended threats are emerging at government, industry, commercial, corporate and personal levels. The fallout is significant, impacting the integrity and reputation of companies through data and IP loss, exposure of sensitive customer and financial information – all of which compromise the safety and security of people, facilities, assets and business data.

High profile security breaches (http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks) tell the story. Sony Pictures Entertainment was hacked by North Korea, apparently with the help of Sony insiders; an EBay hack in 2014 compromised 145 million customer records when hackers accessed the company’s database ‘using login details from a small number of e-bay employees’; a hack of the Korea Credit Bureau (KCB) by a temporary employee resulted in the theft of 20 million Korean consumers’ bank and credit card details; and, of course, there was the Ashley Madison affair, where hackers threatened to expose the data of 37 million users.

All it takes is a gullible or unaware employee, or a physical or information system (or device) without the right checks and balances to create a business’s worst nightmare.

Do you think you are immune?

Here’s a quick reality check: If you picked up a USB stick with your company logo on it in the parking lot at work, would you hand it to security? Would you think twice about trying to find out who it belonged to yourself?

And here’s an online conversation that should make your chief security officer turn pale: “Don’t you hate it when you have to log into work systems with a password? I keep a list on my desktop. My best one is ‘sillycodfish’. I use it everywhere! I also have to use a security pin – a fresh one is issued to me via SMS every time I access the company network.”

And how about that break-in last year when nothing was taken? Could that odd camera overlooking the CFO’s desk that security could not account for have something to do with the leaked financial data and trades, or the missing funds?

There is even the odd: “Why are we still paying George and why is he still coming to work every day – he resigned last year.”

Identifying weaknesses

These threats are very real. It is important that the CIO and CSO understand the link between physical and cyber security and collaborate to close the gaps. The controls need to be put in place and greater awareness of these controls at management and staff levels is needed.

What these examples make clear is that there are some key areas where weaknesses arise. These include:

• The linkage between HR and access systems – at all key events, from on-boarding to staff exits must be integrated.

• Access granted to temporary or contract staff – even limited access to key systems can create a chink in the organisations’ armour.

• Social media behaviours need to be carefully managed – staff need to be made aware of what, exactly, will represent a security risk.

Threats can come from anywhere: foreign governments; a terror attack; criminals seeking financial or corporate advantage, or wishing to steal intellectual property; an insider, usually via human error or coercion; hacktivists with an agenda; a competitor or someone with a grievance.

With access to physical facilities, devices and/or cyber systems, these people could jam systems or operations, plant a bomb or mess with the plumbing. They could drive out with the CEO’s car or a company server, or install a camera in a strategic position.

If the internal security function or security provider engaged by the business is not aware of the cross-over risks and have not yet put in solutions to mitigate these risks, you may need to reassess your appetite for risk.

For more information contact G4S Cash Solutions (SA), +27 (0)11 709 8003, wendy.hardy@za.g4s.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Deception technology crucial to unmasking data theft
Information Security Risk Management & Resilience
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
Future trends for electronic safety and security in mining
Fang Fences & Guards Mining (Industry) Integrated Solutions AI & Data Analytics
The mining industry is ever evolving, driven by technological advancements and the growing need for enhanced safety and security measures, with significant innovation seen in turnkey electronic security for mining operations.

Read more...
Unlocking enhanced security for mining
Mining (Industry) Integrated Solutions
In the dynamic landscape of African mining, security remains of paramount concern as threats evolve and challenges persist, and mining companies seek innovative solutions to safeguard their operations, assets, and personnel.

Read more...
A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...