Cybersecurity gets all the buzz lately, but there's another equally important component of enterprise security: physical security, sometimes called facilities security. We're talking about the devices that safeguard a facility or location, including cameras, microphones, motion sensors, automated locks and keycard systems.
The state of cybersecurity and physical security convergence
In midsize to large organizations, there's an organizational distinction between physical security and cybersecurity. Physical security is handled by the facilities team, while cybersecurity has its own group. The two departments often don't converge -- the CISO reports to the CEO or CIO, while the facilities team reports to the COO. A recent Nemertes Research study found that physical security and cybersecurity came together at any level in only 10.3% of organizations.
This gap between cybersecurity and physical security convergence is dangerous. As physical security becomes increasingly dependent on intelligent devices, it's the cybersecurity team that develops the best practices and policies for managing and securing them. But these policies may never make it over to the facilities team.
Separate oversight isn't the only difference. Physical security best practices often lag behind cybersecurity best practices, largely due to the slower emergence of intelligence and networking within the physical security infrastructure. Take security cameras, for example. Not long ago, they were self-contained analog devices that recorded images on videotape. Today, they're digital devices often connected to the enterprise network, communicating with storage arrays and other devices using TCP/IP. In fact, a recent Nemertes IoT study found 86.3% of participants reported they used networked intelligent devices for physical security in 2021.
It's often jaw-droppingly easy for an unauthorized user to log in to a device such as a security camera. Access may not be password-protected, or the password may not have been reset from the well-known default. Attackers can then capture all kinds of information, including the looks and whereabouts of enterprise employees, clients and visitors. This vulnerability stems from two main reasons: The devices themselves aren't architected to be managed securely, or the physical security team isn't using best practices to secure the devices. Sometimes, it's both.
Fortunately, the situation appears to be improving. As physical security devices get smarter and more connected, cybersecurity teams are increasingly aware of them. Moreover, a key attribute -- identity -- is now underpinning the initiatives that govern both physical security and cybersecurity. With this approach, both physical security and cybersecurity architectures must successfully validate the identity of an individual before determining whether they have permission to access an application or system. Identity is a cornerstone of zero trust, and it's also an essential ingredient of a successful physical security strategy. In fact, for many organizations, it's this process -- redefining and strengthening an identity infrastructure -- that provides the spark that brings physical and cybersecurity teams together.
Cybersecurity and physical security best practices
This points to one of the best practices for converged physical security and cybersecurity: Get the facilities and cybersecurity teams together on a regular basis. Weekly is ideal, but monthly is better than never. The agendas for these meetings should initially focus on sharing information about the current state and architecture of each area, including the number of firewalls, keycards, cameras and authorized users; how they are connected and managed; and how they are protected. Meetings can then move on to discussions of current initiatives, such as implementing zero trust.
Next, ensure all cybersecurity policies are followed by employees overseeing physical devices. For instance, if a policy calls for admin accounts to any networked device -- such as a laptop, router or firewall -- to require multifactor authentication (MFA), that guideline should also apply to admin accounts for key systems, security cameras and the like. If a device can't meet the policy due to design constraints, such as lack of support for MFA, it's time to upgrade the physical security devices.
Also, standardize on authoritative sources of information wherever possible. For example, user identities must be consistent, whether associated with entry to a room or access to an application, cloud service or device. In other words, avoid disconnected databases, one for physical security and a different one for cybersecurity -- or, worse, multiple databases for each.
Similarly, asset management systems should capture cybersecurity and IT assets, as well as physical security assets. Ideally, these asset management systems should be automated so the information is always updated, rather than relying on manual input.
Finally, deploy security systems that integrate information from both physical security and cybersecurity. Behavioral threat analysis systems, for example, should determine both the physical location of employees and the systems they are accessing at the moment, as well as what they are doing with the systems. This provides the groundwork to automatically detect anomalies that might be indicative of a breach. Imagine employee Jane appears at her desk in New York and is accessing applications that are consistent with her profile as an accounting analyst. Suddenly, the system detects she's using her keycard to enter the manufacturing plant in Los Angeles. Clearly, these things can't be happening simultaneously; one or the other is indicative of a breach. It's imperative to deploy systems that can analyze data from both the cybersecurity and physical security infrastructure.
The wild card: Biosecurity
Physical security and cybersecurity convergence best practices may require massive changes in policies and processes, but the emergence of biosecurity highlights why it's a good reason to implement them now.
Biosecurity is the discipline of keeping facilities secure from not just malware and bad actors, but also toxic chemicals and biohazards, such as colds and viruses. Biosecurity entails implementing a range of sensors and detectors to determine air quality and the presence of environmental toxins. It also covers some of the newer devices and technologies companies are beginning to implement, such as sanitizing robots, body temperature readers and ultraviolet C sanitizers. Finally, biosecurity encompasses HIPAA and its stringent regulations: Health information can never be associated with an individual's identity, whether intentional or otherwise.
In a recent Nemertes study, 34.9% of companies said they were planning to install sanitizer robots, and another 33.5% said they planned to install temperature scanners. As these technologies become more mainstream, they will require the same treatment as other physical security devices. They need to be protected under the umbrella of cybersecurity best practices and policies.
The faster an organization works to consolidate physical security and cybersecurity, the better prepared it will be to address biosecurity and its effects.
In sum, physical security and cybersecurity convergence best practices are the following:
- Make sure teams meet regularly to share architectures, roadmaps, strategies and initiatives.
- Ensure cybersecurity policies are applied to physical and biosecurity devices.
- Standardize on authoritative sources of information for devices, systems and users.
- Deploy systems that integrate information from all areas: cybersecurity, physical security and, where applicable, biosecurity.
- Implement best practices promptly. Biosecurity is the next big wave of technology that will need to be integrated.