I recently had the privilege of being invited to the third annual Physical and Cyber Threat Convergence Forum in Phoenix, Arizona. I previously wrote what’s become a very well-read article about this important initiative.
Here comes the next one.
It was initially surprising to discover that many in the information/cyber security sector envy us in the physical security side because our industry is a) generally effective at what we try to do, and b) quite well established with many years of experience. This was surprising to me because the information/cyber side of things always seemed so much more organized and well-funded compared to us. But there you have it, you learn something new every day (or every year…).
Now, since I still fall into the physical security side of things, and as long as this divide still exists (there are some good people working on breaking it down), I thought I’d try to offer my info/cyber-security friends a few insights from my experience in the physical side.
Defining The Problem
People outside the information security sector are usually surprised to learn that the human factor accounts for the overwhelming majority of cyber-attacks. It was certainly surprising for me at first. Systems and programs might be complex and advanced, but humans are still relatively easy to deceive. Duping someone into clicking on a link or downloading a program through various phishing and social engineering tricks is still a simple and effective way to execute any number of cyber-attacks.
OK, so the human factor is the main vulnerability in any company or system. Got it! It was surprising to learn this at first but once you find out about it, there it is. So, what do we do about it?
Well, not much, as it turns out.
Information security experts seem completely obsessed with defining the problem—over and over and over again. Yes, we understand the human factor is the biggest vulnerability. It’s a fact. Got it. Thank you. Why don’t we stop just complaining about it and start developing effective strategies and tactics to prevent and combat it?
The only solutions I keep bumping into are either training or some flavor-of-the-month, flashy silver-bullet product that’s supposed to be the end-all-be-all solution. Training usually takes the form of how to better educate the workforce on cyber-attacks, and how to get people to stop downloading or clicking on stuff. And in the flashy, silver-bullet solution department, AI (in whatever form the term is interpreted) seems to reign supreme.
Well, training and nifty new systems are fine. We employ a good amount of them on the physical side too. And yes, to be fair, training has been shown to be generally effective in lowering click-rates, and AI can indeed provide many solutions. But phishing and social engineering attacks are still so overwhelmingly effective, combating information security attacks by training and trendy new systems alone is about as effective as two farts in a hurricane.
Now, since the main threat comes from people, and the main vulnerability that’s exploited is people, maybe us physical security guys can give you a bit of advice. After all, we’ve been in the people business forever.
Physical security efforts (even if assisted by high-tech systems) are usually directed at people, and largely executed by people. Most of the highest risks we try to mitigate have to do with people and most screening and assessment efforts are attempts to distinguish between people who pose a security risk and people who don’t.
So, here’s where I’m going to go out on a limb and try to suggest a time-tested physical security strategy. Are physical security strategies guaranteed to work for information security? I honestly don’t know. But hear me out first.
On the physical side of things, most companies start out like this:
- You have a small workforce in a small work-space with relatively small physical security concerns. As long as the property containing the work-space is generally controlled and employees are given some form of ID that proves they belong there, and that can grant them access to the work-space (key-card, fob, etc.), you’re pretty much good to go.
- As companies become larger, security concerns tend to follow suit. That’s when companies start upgrading their security systems, revising their security policies and procedures and looking into security training.
- As companies become larger still, vulnerabilities and security concerns continue to follow suit. And this is usually when companies start having to employ protective/guard services on top of their existing measures.
So, that’s how it works on the physical side. The limb I’m going out on is the idea that information security might be able to employ this successful strategy too. It seems to me that information security is stuck somewhere in stage 1 or 2, when the need to enter stage 3 is long overdue.
The big question is what in the world are effective information security protective services? And to tell you the truth, I don’t exactly know. All I’m saying is that there seems to be a need to move past the stage of diagnosing the problem over and over again; past the stage of complaining about the problem over and over again; past the stage of just training the workforce over and over again; and past the stage of looking for the next mythical silver-bullet solution over and over again.
Maybe it’s time to think outside the cyber box. Is it really that crazy to consider that time-tested physical security strategies might also work for information security? After all, our goals are quite similar—we protect our assets from external and internal threats. We even define things in much the same ways, with risk and threat mitigation, hostile attacks, security awareness, preventive and reactive measures, access control, Red-Teaming, penetration testing and more.
Of course, it’s not going to look the same, and the implementation of these strategies will be different. You’re not going to see any uniformed information security officers patrolling your work-space. But it seems to me that a layered approach with circles of security, better perimeters, more stringent access control, more external and internal monitoring and a general assertion of control over the assets and their environment is the way to go. And since people (the bad-guys) keep exploiting human vulnerabilities in the system, maybe we should have other people (the good-guys) prevent them from doing so.
Many companies already have well established information security departments, some even equipped with Security Operations Centers (SOCs). Adding more of a human factor to it will probably necessitate bigger budgets (as it does on the physical security side), but what other choice do you have? What’s the point in just repeating a failed strategy, knowing full well that the chances of your assets being targeted through your known vulnerabilities are something like 100%?
Security systems, protocols, training and awareness are necessary but not sufficient measures for achieving this. They’ll work to some extent during stages 1 and 2. But if you have a large enough organization (or just one with large enough security concerns and vulnerabilities), you’re going to need people in the form of professional screeners and gatekeepers to maintain and enforce a security program. Not periodically, not just with remote management, not just with spot-checks, not just in educational sessions, but continuously, in the field, in real time.
It works for physical security, let’s find a way to implement it for information security too.
Get my book, Surveillance Zone now!
Go behind the scenes of corporate surveillance detection & covert special operations. Get a first-person account of actual covert operations I’ve participated in. Learn the secrets of the trade and discover a hidden world that’s all around you.