Holistic security measures will improve response and recovery
With the continued growth of the Internet of Things (IoT), Gartner forecast that 20.4 billion connected devices will be in use globally by 2020.
In turn, the explosion of IoT devices comes with the risk of equipment being more vulnerable to security breaches than ever. The unknown (and even known) dangers of connectivity and IoT make it easy to concentrate all efforts on cyber security. However, the risks and rewards directly relate to how security is understood and managed.
Many experts say the answer is to integrate physical and cyber security systems. G. Mark Hardy, president of National Security Corporation (US), believes that “by managing security holistically, companies improve coordinated response and recovery”. Despite these benefits, most organisations approach cyber risks reactively whilst skimping on physical security to reduce costs and enhance profits. This creates extraordinary risks not only for the organisation directly but for everyone involved.
It has been found that a lack of oversight and corporate leadership can exacerbate this problem. A 2017 report produced by the International Data Association (IDC), which surveyed 600 global organisations with more than 500 employees, showed that 75% of firms didn’t have a managed incident response plan, even though more than half of organisations experienced 10 or more security incidents or alerts each week. The same survey found that only 37% of firms have an incident-response process that includes reporting any security breach to their board.
The benefits of combining physical and cyber security
The statistics are particularly concerning as the benefits of combining physical and cyber security have been evident for a long time. This can be seen within the healthcare industry, where the National eHealth Security and Access Framework has been developed as a control mechanism to increase certainty that health information is created and accessed in a secure and trustworthy manner. These robust security practices are required both to meet legal obligations and to protect personal health information. For credit card merchants, the Payment Card Industry Data Security Standard (PCI DSS) defined physical security expectations for cardholder data as early as 2004.
Mr Lee, a former cyber warfare operations officer, further adds that while he believes in combining physical and cybersecurity data, it’s important to recognise they are also separate threat models. “There needs to be an awakening that almost every company is an industrial company,” he says, noting that organisations without three-to-five-year board-level industrial security strategies risk everything from safety to intellectual property. “As we connect more and more with IoT, we’re opening up risks”.
To succeed within the fast-paced IoT world, organisations need to hold boards and top managers accountable for being informed about physical as well as cyber and industrial security. If you’re manufacturing a consumer product, don’t risk your company by failing to invest in security protocols that protect not only your organisation but also the public.
The aim is to always be at the forefront by thinking ahead and being aware of all security risks and issues. Gone are the days of being reactive to cybersecurity threats and not having enough emphasis on physical security measures.
How holistic is your organisation’s approach to security? Is it in focus?