A holistic approach to security

Here's a thought provoking piece from Mike O'Neil, MD at Optimal Risk, read on below and find out further information at City Security Magazine

As a physical security practitioner can you honestly say that you and your organisation approach security in an integrated way to keep across developing threats?

Or do you stay in your lane and leave the IT department to do their own thing?

Security departments must be more open to dealing with threats holistically rather than through their own historical lens.

One solution is to take an Enterprise Security Risk Management (ESRM)* approach, which according to Brian Allen and Rachelle Loyear in their book, The Enterprise Security Risk Management, is: “the application of fundamental risk principles to manage all security risks – whether related to information, cyber, physical security, asset management, or business continuity – in a comprehensive, holistic, all-encompassing approach”.

This holistic approach is important because it ensures you understand not only how physical vulnerabilities can risk the security of the network, but also how network vulnerabilities could impact your physical security systems. Some of the targeted attacks that interfere with your systems could be in support of a physical attempt to access your network or workstations.

For example, Access Control Systems using RFID readers are at risk of the employees’ cards being cloned via devices readily available on the internet. A cloned card will provide access to all areas of the building that your real employee has. If they are a member of the IT department this could include your server room.

If you Google “watch live security cameras in the UK” you will find a site offering views from over 250 cameras in the UK, as well as views from over 100 countries. In 2018 it was showing live views from three schools in the UK. Hackers will use software such as Angry IP or websites like Shodan to scan for the IP addresses of visible cameras or NVRs. They will often try the manufacturer’s default password first to see if a lazy installer has left this in place. If that does not work hackers will work with specially developed exploit tools to gain access.

Improvements in IT security have resulted in increased reports of hackers attempting physical intrusion to organisations’ facilities to gain access to their networks. There are many variations on this, from straightforward walk-ins to more developed pretext approaches to gain “legitimate” access. Once on site, access to workstations will allow malware or monitoring devices to be placed. Given enough time onsite, (reportedly four hours), a hacker could break into the corporate Wi-Fi.

With the COVID-19 situation, we have seen a huge surge in home working. It is probable that your IT department has ensured colleagues are working through VPNs rather than logging on directly to minimise the danger of their home network being hacked. This is particularly important for those employees who may be working on very sensitive projects. They should also be ensuring that security updates are installed.

There are other security factors which need to be considered with home working such as secure disposal of any documents that may have been printed out. Depending on the sector you operate in, this could involve your price sensitive or secret information going into domestic rubbish. There is also the danger of GDPR breaches either in hard copy or by unauthorised family and friends potentially seeing on-screen information.

Encouraging the right security culture amongst all the workforce is a great way to improve enterprise security. By understanding what is wrong and knowing whom to report it to when they spot it, the effectiveness of the organisation’s overall security stance will be improved. It is important for the security team to be a key part of any induction process and to start introducing the right culture early on. Your marketing department may already be monitoring social media internally or by using an external agency. Liaise with them so they can include certain words or phrases that could give you early warning of developing threats against your organisation.

All of these points are about looking ahead and assessing the events that could happen and not just relying on the traditional security mindset of protecting against what has happened historically. To be truly effective this needs to happen across the enterprise and there is a strong case for this to start in the security department. Reach out to your colleagues in IT to better understand each other’s concerns and mitigation strategies.

I would also advocate developing a risk register that is regularly reviewed and updated. By making this a dynamic and relevant document you will develop a more efficient and prepared organisation.

*If you are interested in learning more about ESRM, visit the ASIS website.

www.asisonline.org/publications–resources/esrm/

Mike O’Neill

Managing Director

Optimal Risk

www.optimalrisk.com