Making Physical Security Part of Cybersecurity Best Practices.
What is Cybersecurity?
Cybersecurity covers a number of different protections for networked systems, programs and devices. Digital attacks can have many goals, but the most common include accessing sensitive information to steal, change, or destroy it; interrupting usability to disturb business practices; and extorting money from users by ransoming sensitive or critical information or by blackmail. Cybersecurity operations can help to prevent risk and mitigate liability by hardening business systems against these attacks. Basic cybersecurity practices include creating strong passwords (and not sharing them), vetting anything downloaded to a business device, and implementing and regularly updating firewalls.
There are numerous avenues for cyber threats, and many organizations are far more vulnerable than they realize. As these threats have increased, physical security has become a critical part of the cybersecurity conversation. Physical and cyber security have long been separate concerns in the security world, often run by separate departments within a business.
Typically, physical security operations were run by professionals with a background in law enforcement, with expertise in maintaining the physical safety of a facility using solutions such as locks, cameras, guards, fencing and alarms. Cybersecurity was the exclusive domain of the IT department, who had responsibility for the computer systems and network. The two departments originally had little overlap in decision making for security procedures. However, it has become clear that this lack of communication can leave attack surfaces open—a vulnerability that has been used to advantage by many hackers in recent years.
What Threats do Data Breaches Cause?
Data breaches happen every day, ranging from the small to the massive. As numerous organizations have discovered over the last few years, leaving your data vulnerable can compromise your business operations and damage your reputation. Here are a few recent real-world examples:
- An application vulnerability on a website belonging to Equifax, a leading U.S. credit bureau, led to a data breach that exposed over 140 million consumers.
- The theft of data from a third party HVAC vendor allowed hackers to access Target point-of-sale (POS) computers, collecting the data of 110 million customers.
- Hackers took control of a workstation at an industrial plant belonging to Triconex industrial safety technology, halted operations and attempted to reprogram safety technology.
- When the ride-sharing service Uber was hacked through a third party server, the company spent significant resources to attempt to conceal the breach. The cover-up was ultimately unsuccessful, hurt their reputation even more than the breach, and consumed significant financial resources.
The Netherlands division of Gemalto, an international digital security company, released the following global statistics in 2018:
Physical Security as a Cybersecurity Concern
Physical security is a vitally important business practice, to prevent unauthorized persons from entering your business and causing harm, to protect your intellectual property from corporate espionage, and to mitigate workplace violence, among other concerns. Today, organizations must consider physical security as a primary pillar of cybersecurity. There are three differing perspectives on this reality, each of them paramount to maintaining overall security.
(1) Physical Breaches Can Facilitate Hacking
For many hackers, the easiest way to obtain your data is to access it in the physical world. While strong firewalls and other cybersecurity best practices may thwart hackers outside your business from entering the network, very often hackers will simply find a way into your building and plug into any IP connection – or grab a laptop or server and walk out with it. They may use social engineering to bypass security guards, slip in behind an employee who politely holds the door open for them, tailgate through an access-controlled entrance, or use stolen credentials to get into your facility. Deploying the strongest-possible physical security measures is the best way to mitigate this danger.
(2) Hacking Can Create Physical Threats
If your IP-connected physical security solutions are not properly hardened against cybersecurity threats, they can be compromised via the network. A hacker outside your building can access your network—through unsecured WiFi networks, a vulnerable Internet of Things (IoT) device, or another weakness—and can disable physical security devices such as surveillance cameras, access control systems or alarms. This can put your organization at risk in a number of ways. Terrorists could enter buildings, putting your personnel in direct danger. In a healthcare facility, criminals or employees could steal prescription medications from protected storage rooms. Unauthorized individuals could enter restricted areas of critical infrastructure facilities and put themselves or the general population at risk.
(3) Physical Security Devices Can be Used as Attack Surfaces
Any device on the IoT – from a smart fishtank to an elevator system – could be used by hackers as an entry point to the network. The same is true for physical security products from surveillance cameras to WiFi locks. The moment a device is connected to the network, it becomes a potential attack surface for a hacker to use to reach the network, from which they can implant malware, steal data or cause many other sorts of mayhem that disrupts business operations. Every IoT-connected device used in your organization must be properly hardened to prevent this from happening.
The Entrance as a Focal Point
Building and perimeter entrances are key points for physical security, and much of the technology for physical security devices has been developed to protect entrances. Even as new technologies have emerged, they have mostly been a variety of protections for standard swinging doors, which have long been used to enter and exit buildings. The use of doors has typically and traditionally been an architectural decision, with door styles selected for their design aesthetic or user convenience with little consideration for security. Generally, the biggest security concern considered when installing an entrance was compliance with fire codes and other emergency exit guidelines. While it is still important to consider these factors, it has now become necessary to consider the entrance as a main factor in physical and cybersecurity best practices.
Installing standard swing doors at any location in a facility presents risk, as their design does not prevent unauthorized intrusions. Once a swing door is open, even if it has been unlocked using authorized credentials, an unlimited number of individuals can enter. What is often considered basic politeness—holding the door for the person behind you—can in fact be an enormous security risk. Unless there is a guard at the door, nothing prevents tailgating (additional people following someone through the door), and even a guard can easily be misled through social engineering into allowing an unauthorized individual to enter. Worse, unless it has special alarms, a door can be propped open and left that way indefinitely.
Once a cybercriminal is inside your facility, you have lost most of the battle to protect your data. At that point it is quick and simple for them to plug into an IP port, access your network, and perform whatever actions they want. If they walk in and out without having been noticed, you may not even know that there has been a breach until data turns up corrupted, operations cease to function properly, or the stolen data is utilized or ransomed back to you – at which point the damages only multiply.
Security Entrances Can Protect Your Business from Cyber Threats
You can protect your business against cyber threats by installing security entrances at entry and exit points of your facility, at the perimeter and at internal access points. Security entrances are available in a variety of configurations and can help to protect your business from unauthorized entry that can seriously increase your risk for cyber attacks. It is in your business’ best interests to consider security entrances as a part of implementing cybersecurity best practices.
Only a security entrance can fully prevent tailgating and also verify that the individual who is entering matches the credentials that have been presented. This can dramatically reduce the need for security staff at the entrances and exits to your facility, while at the same time reducing your exposure to risk from cyber criminals.
Four Categories of Security Entrances
To protect your facility from cyber threats at the entrance, there are a number of different types of physical security entrances that can provide the security you need. Tripod and full height turnstiles, optical turnstiles, security revolving doors and mantrap portals can all protect your business, but you may prefer to get some guidance to help determine which security entrance is right for you. Consider the four categories of security entrance solutions:
Tripod Turnstiles Crowd Control - Level 1
Tripod turnstiles fall into this category. They are often deployed in order to control large crowds entering or exiting a secure area. They do not possess detection sensors and are always paired with manned security.
Full Height Turnstiles Deterrent - Level 2
Full height turnstiles are considered a deterrent. They are used most often as a first layer of security, outdoors at the fence line and adjacent to parking lots. These will prevent most tailgating, though they can’t eliminate it completely.
Optical Turnstiles Detection - Level 3
Optical turnstiles are capable of detecting tailgating attempts and notifying nearby staff. While they will sound an alert, they are not capable of preventing tailgating attempts, and so require a guard presence in order to actually stop tailgaters.
Security Revolving Doors and Mantrap Portals Prevention - Level 4
Security revolving doors and mantrap portals fall in this category, which provides true tailgating prevention. They include full height barriers and sensors to ensure that only one person travels through the door at a time. In addition, they can be integrated with biometrics to ensure that the person passing through matches the credentials presented.
Cybersecurity Best Practices for Security Entrances
As discussed above, any device on the IoT could potentially present an attack surface for hackers to enter the network. For that reason it is important to take all possible measures to harden your networked security entrances against hacking. There are several protocols you can easily implement to accomplish this.
- Performing third-party penetration testing is essential across your digital networks, and security entrances should be included in the process. It’s recommended that this testing be conducted on a regular basis, as hackers are constantly updating their tactics.
- Lock down the control panel to authorized users only, and lock it away entirely at the end of the day so that it is out of the hands of anyone looking to get inside.
- Make sure that physical and cybersecurity personnel are in communication and agreement as to both physical security protocols and cyber security updates.
- Limit the number of users that have access to the security system, including entrance operation.
Conclusion
The boundaries between physical security and cybersecurity are disappearing, as each is an essential component of the other. Savvy cyber criminals know how to leverage physical security solutions in a number of ways to access data, steal intellectual property and otherwise cause harm to an organization. The risks can be catastrophic, and as the sophistication of attacks continues to grow, the importance of addressing this area of security cannot be overstated.
Security entrances offer a unique level of protection as they not only address the threat of tailgating presented by standard swinging doors, but also can be outfitted with technology to verify the identity of every individual entering a facility. A few types require staff supervision, but they cannot be compromised in the way that a security guard can through social engineering.
Cybersecurity is an unfortunate reality for today’s business. Deploying security entrances throughout your facility can help to ensure that your business data stays safe and protected, and that your risks are mitigated.