Physical security is just as important as cybersecurity. Physical security not only stands alone as critical for organizations, but it also plays an important role in cybersecurity. In cybersecurity, we use the CIA triad – Confidentiality, Integrity, and Availability. Unauthorized physical access can allow a threat to compromise any of these areas. This article will define and contrast physical security and cybersecurity.
Physical security is protecting an organization from threats that manifest locally and physically. These types of threats can be burglars who defeat your security to gain illegal access to commit a felony. But we also need to be aware of other threats, such as car bombs, active shooters, etc.
Each type of industry has specific physical threats. If you’re running a hospital, your threats are active shooters, fights in the Emergency Room, or even having a helicopter crash on your helipad. A nuclear facility will have drastically different threats – the controls needed may also be a lot different.
Our physical controls are very important – we must have appropriate locks, cameras, bollards, and security guards. Our locks might be a physical key. But more often it is an RFID badge, which we can log and audit. Cameras can be monitored real-time, or they just might record activity after a positive motion sensor event. Bollards can be expensive; however, they might just be worth the investment if our threats include driving a van full of explosives through our front door.
Cybersecurity is addressing threats that can happen over digital means – the Internet or your organization’s computer network. These threats manifest as ransomware, hacking into devices to steal data, modifying data, and taking down your network or your website.
Again, every industry will face different cybersecurity threats. A hospital is very susceptible to ransomware – holding your data for ransom. A bank is always at risk of man-in-the-middle attacks – breaching that secure channel between your browser and the bank’s web server to gather sensitive financial data.
The controls we use in cybersecurity include encryption, authentication, and access control. We protect the data as it necessarily traverses the public Internet. We ensure the person viewing the data has been properly authenticated, and that identity only has access to what they should have access to. These principles are fundamental to cybersecurity, and they are very similar to those physical access controls.
Physical security and cybersecurity truly intersect in some meaningful ways. As mentioned, the CIA triad in cybersecurity addresses availability. If your servers are stolen, that is an availability problem that both cybersecurity and physical security work to prevent. And if your servers are not physically secure, then encryption may be required to keep the data thief from accessing the data on the hard drives.
If you are running your organization’s IT infrastructure, you likely do so from within a data center. The value of a data center is, in part, the physical security controls in place. These controls include fire suppression, multi-factor access control (often including biometric authentication), locks, cameras, etc. It is critical from the cybersecurity aspect to ensure those physical security controls are in place, so the data drives are not stolen and the physical servers are not tampered with.
Photography and/or videography are further concerns that we must address both from a cybersecurity and physical security perspective. In healthcare, we have to protect our patients’ privacy. That includes trying to prevent people from posting images of our patients on social media. From the physical security side, we might be called to respond to someone who refuses to stop recording images or videos. This puts our physical security agents in a tough situation: we want to give great customer service and make sure our quality of care is world-class. However, we must also protect the privacy of other patients and our staff. This situation is a great example of why we need very clear policies as well as procedures or standard work.
The Internet of Things (IoT) is another area where physical and cybersecurity overlap. Our IP cameras might be remotely available, for management or viewing. We must ensure those devices are kept up to date with firmware patches. We must also make sure we change the default passwords and that those devices are securely architected within the organization’s network.
It is critical to understand first what your threats are, and then what security controls should be in place to minimize these threats. We must understand which cybersecurity and/or physical security control to apply when, and where.
The most critical skill we can have, whether that’s physical or cybersecurity, is situational awareness. We must be aware of our surroundings. From the physical side we need to understand ingress/egress routes, and we also have to understand what is normal, so that we can identify what is not normal. From the cybersecurity side, our baseline of normal device activity is critical. If we can solidify normal behavior, we can flag anything that is outside of normal. And that capability is often critical, both from the physical and cybersecurity side, in identifying threats in action.
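As an added illustration of baselining device activity (example code written for this article, not taken from any product), the sketch below learns what is normal for each device from constructed hourly flow records and then flags traffic outside that baseline. The device names, addresses, record layout and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (device, dest_ip, dest_port, bytes_out) per hour.
# Device names and addresses are hypothetical.
TRAINING = [
    ("cam-lobby", "10.0.5.20", 554, 48_000_000),
    ("cam-lobby", "10.0.5.20", 554, 51_000_000),
    ("cam-lobby", "10.0.5.20", 554, 50_000_000),
    ("cam-lobby", "10.0.5.20", 554, 49_000_000),
    ("badge-rdr-1", "10.0.5.30", 443, 120_000),
    ("badge-rdr-1", "10.0.5.30", 443, 110_000),
    ("badge-rdr-1", "10.0.5.30", 443, 130_000),
]

def build_baseline(flows):
    """Learn, per device, the peers it talks to and its typical hourly volume."""
    peers, volumes = defaultdict(set), defaultdict(list)
    for device, dest, port, nbytes in flows:
        peers[device].add((dest, port))
        volumes[device].append(nbytes)
    baseline = {}
    for device, vols in volumes.items():
        mu = mean(vols)
        # Floor sigma at 5% of the mean (an assumed tolerance) so a very
        # steady device does not alert on trivial jitter.
        sigma = max(pstdev(vols), 0.05 * mu)
        baseline[device] = {"peers": peers[device], "mean": mu, "sigma": sigma}
    return baseline

def check_flow(baseline, flow, z_limit=3.0):
    """Return the reasons a flow falls outside the device's normal behavior."""
    device, dest, port, nbytes = flow
    profile = baseline.get(device)
    if profile is None:
        # A device never seen during baselining is itself abnormal.
        return ["unknown device"]
    reasons = []
    if (dest, port) not in profile["peers"]:
        reasons.append("new destination")
    if abs(nbytes - profile["mean"]) / profile["sigma"] > z_limit:
        reasons.append("unusual volume")
    return reasons

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print(check_flow(base, ("cam-lobby", "203.0.113.9", 443, 49_000_000)))
```
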
For the cybersecurity side, we must understand in what ways we are a target and the type of attacker who might want to attack us. In healthcare, our medical record is by far the most valuable data. The most recent data indicates that a healthcare/medical record is worth about $350 per record. The second most valuable data record is the credit card, valued on the black market at about $2.50 per card. The reason for that is that you can’t really change your medical record, and that record has the most sensitive information about you, not just your date of birth and Social Security Number, but also your record of medical treatment and diagnoses.
Physical security and cybersecurity are cousins. Each of these disciplines requires the understanding of relevant threats, the controls needed to mitigate these threats, and the ability to offer improvements to the organization. These recommendations must include real examples where security was breached and led to a negative impact on the organization. By truly understanding the differences and the similarities, physical security and cybersecurity professionals can work together to ensure the organization reduces its overall business risk to a minimal level.