Cyber attacks have cost organisations hundreds of millions of pounds. That’s not the combined cost of all cyber attacks; it can be the cost of a single attack, like the 2016 attack on British banks by Russian hackers that took £650 million. As a whole, cyber crime cost British businesses £29.1 billion in 2016, and 2.9 million companies were hit – that’s 23% of UK businesses.
Cyber crime is a growing threat, but even if people are completely up to date with the latest ways to stop hackers getting through to their systems digitally, they are still at risk if they ignore physical security. This is especially true of companies that have more than 250 employees – 71% of them were the victim of some kind of cyber attack in 2016.
With such a huge cost associated with cyber crime, are people worried about physical security as much? Companies know that they are likely to be the victim of a cyber attack, but the idea of someone coming in and physically stealing from an office seems… old fashioned. As long as basic security is in place, it seems to make much more financial sense to invest in cyber security than it does to invest in physical security.
Cyber Security Needs Physical Security
The truth is, you have to invest in both. Unless you have a top grade physical security system, it’s much easier to hack a door than it is to hack a server remotely. If someone gains physical entry to your building and steals your stacks and hard drives, they can crack them at their leisure, gaining access to your company information, data, schematics and even passwords and banking information.
Businesses are spending millions updating their data security systems, but they might not even consider putting concrete bollards in front of their buildings. No matter how good your cyber security is, it’s not going to stop a car running into your building and criminals staging a smash-and-grab raid.
On a more basic level, there’s no point in having top-flight cyber security if you’re still using a door with a combination code mechanism that can be easily hacked or broken into. Some businesses don’t even consider the strength of their security doors or locking mechanisms.
Physical Access Control
Server stacks that contain sensitive information must also be well contained, with more levels of security than just a physical lock that can be opened the same way employees get into the building. Even digital keys can still be stolen for entry into the building, so there needs to be another level of security within the building to protect your data.
Another thing that people don’t take into consideration is the way that their own services connect to a cloud server. Many SCADA and internet satellite systems are already authenticated onto a network with full access, and they can be used to access any device on the network. Satellites are often set up in remote areas or on roofs, and are completely unsecured, although they can provide cyber criminals with direct access to your most secure systems.
Firms are not just vulnerable to cyber attacks in the digital realm; they are vulnerable to them in the real world. As hackers seem to exist on the Internet, it is easy to forget that they walk around just like we do. By not being aware of physical points of entry and access to digital systems, companies are leaving themselves wide open to cyber attack.
CCTV Security Camera Systems
CCTV monitoring and digital key cards are very important in the modern office. Cyber attacks in the physical world don’t just involve stealing computers – they can also involve implanting devices that copy data, piggyback on signals or even record the keystrokes of everything that someone types, so that documents, information, and passwords can be recorded and collected at a later date. Being able to monitor and question suspicious behavior will keep things safe.
Simple things, like physically locking down workstations and laptops, can act as a deterrent, as people will have to spend time taking a device apart rather than just being able to take it. Combined with CCTV and a logged entry system, this means people will likely back away. When the office is unattended, even if there is a lock on the door, sensitive documents need to be locked away, and paper records need to be shredded when they are no longer needed.
Access Control Systems
There is always the risk of employees being the people who are responsible for a data leak. Maybe they have been approached, or are just disgruntled. Think about how someone within a company could steal information. On the cyber security front, people at a lower level are not given access to high-level systems, but those same people often have the run of an office building.
Are there multiple levels of physical security within the company? If a low-level employee wanted to steal some hard drives or place a keystroke tracker on a superior’s computer – what physical barriers would stop them? Once people are inside the workplace, computers are placed under desks, or in rooms with much less security on them than it takes to get into the building. Physical access needs to be secured just as much as digital access does.
Fire Suppression Systems
Something as simple as glazing and office positioning may also need to be taken into account. All of the security measures in the world could be taken, but someone with a clear view and a telephoto lens can see passwords being entered into a physical keyboard, and then access the system remotely. Banks give people physical devices that generate new passwords every time they log in – for sensitive personnel, it makes sense to give them the same option to have constantly updated passwords.
The links between computers and physical systems also need to be constantly monitored. Systems that run things like elevators need to run autonomously, be protected and be standalone systems with no easy way to reach them through a cyber attack. Physical systems that are vulnerable to cyber attack provide their own forms of worry.
If an up-to-date security system, with keypads, CCTV, fire system and other precautions, is vulnerable to cyber attack, then those systems need to be checked. It is a possibility that someone outside the company could trap a CEO in an elevator by following their progress on CCTV, then set off a fire alarm to get everyone else out of the office.
A modern fire system will also be able to tell where the fire is coming from and how hot it is, and to make sure that it isn’t a system malfunction. If someone does manage to gain physical access and you have an old system, they can simply set off one alarm or sensor and the whole building will start to evacuate, allowing them to have the run of your workplace.
Why Physical Security is more Important than Ever
It’s more important than ever to protect against cyber attacks. It’s not like the pre-internet era, where we could imagine a thief breaking into an office to steal sensitive documents and equipment. Now identities can be stolen. There were 388,858 instances of ransomware attacks in 2016, which cost £7.36 billion. Ransomware is where a threat is made to publish, restrict access to or destroy a company’s data unless a fee is paid.
Although it’s easy to think that this is something that is only done over the Internet – codes have to be taken from somewhere to get access in the first place. That can be a piece of code opened in an email or social media post – but it can just as easily be a remote hack because someone has physically stolen a password. With everyone paying attention to the cyber threat, they ignore the physical threat – and still fall victim to the cyber attack.
Ransomware is now such big business that ‘firms’ such as Cerber and Locky now even have customer service telling people how to pay off their ransom with cyber currency, and also offer them immunity from further attacks – essentially a protection racket. They are also renting out their ransomware to low-level criminals and getting a percentage of what they take. Cyber criminals are now teaming up with street-level physical criminals. If crime is bridging the gap between the digital and physical world, then security needs to bridge that gap too.
There are solutions. A modern security firm will be aware of these risks and will be able to provide solutions. They could be as simple as a concrete bollard, or as complex as a security system that has its own secured remote server, which is secured against hacks over the Internet and is virtually impossible to hack in real life. The best way to protect against cyber-attack is to make sure that online security is constantly monitored and updated to meet new threats – and that physical security is constantly monitored and updated in the same way.
Source: Minerva Security