With so many high-profile digital attacks over the past year against trusted entities like the IRS, Experian and CVS Online Photo Center, it’s no surprise that security breaches are top-of-mind for organizations. As we near the end of 2015, cyber threats continue to permeate the news, stirring reasonable fears among consumers and underscoring the need for companies to step up their games to better protect themselves and their customers’ personal information.
Organizations are under increasing pressure to prepare for and protect against ever-evolving and more sophisticated threats. Anxieties, particularly over cyber threats, will continue to proliferate, and perhaps with good reason: in 2015, the number of detected information security incidents rose 38 percent from 2014. But managing cyber risks is just one important piece of the larger, enterprise security puzzle.
Time and again we see companies neglecting to protect themselves at the most basic, key levels – on both the physical and digital sides – leaving dangerous gaps in coverage to be exploited farther down the complexity chain.
Often exposures begin simply with a poor control of assets – including laptops, printers, keys, portable media or even physical documents – and go unseen because of limited audit trails for physical access to facilities. Despite available technology to help automate the process of tracking unauthorized access, organizations are still using antiquated tools like paper logs. And the most neglected danger for many companies is that, while it seems counterintuitive, even the use of passwords leaves them exposed.
There are countless ways to improve security with strong authentication solutions, such as one time validations, biometrics or certificate-based authentication, yet “123456” is still the most-used password. Such shortfalls may very well have contributed to the 55 percent of cyber attacks that were executed in 2014 not by outsiders, but by “insiders” – actors with internal access to an organization’s systems.
Other overlooked vulnerabilities include the use of coarse grained authorization for employees, third-parties and contractors, which cedes control of underlying data and services and enables intruders or hackers to take a more privileged position on the network and puts them at an advantage against a company’s IT department.
A share-first mentality makes organizations even more vulnerable. The new generation of employees is programmed by habit to send data and share with peers, clients and themselves (at home) in order to get their jobs done. Despite the best of intentions, these activities disrupt every core tenant of security perimeters and have resulted in numerous data breaches across every industry.
Businesses also tend to be especially naïve when it comes to social media. Companies often mismanage their public accounts, expose intimate details about their physical locations and open huge doors right through their digital defenses.
It is more important than ever that organizations make basic security training a core job function and run routine exercises to test their employees’ comprehension. There are hundreds of scams, phishing attempts and malicious traps out there to which even the best, most well-meaning staff members can fall pray.
Organizations expose themselves when they neglect hidden, yet fundamental, threats. But they are at an even greater disadvantage when they approach their risk management in exclusive cyber and physical silos. One common thread we tend to see in today’s most sophisticated cyber attacks is some element of physical breach, and usually at a basic level.
Digital and physical threats have converged in recent years, exposing businesses to new security risks daily. Take for example a German steel mill where hackers manipulated and disrupted its control systems so that a blast furnace could not shut down properly resulting serious damages. This example demonstrates how even our embedded security devices (when connected to the Internet) are major targets for hackers and can result in not only digital, but physical damages as well.
In the past, companies have relied on several different service providers to address their cyber and physical security needs. But communications breakdowns between providers result in inefficiencies that leave new gaps in coverage. Integrating physical and digital monitoring and response expands the benefits of security investments for every organization. An awareness of basic, hidden vulnerabilities and a converged security approach opens doors to new, proactive models for threat identification. From loss prevention to emergency response, the most forward looking organizations will use convergence to rapidly improve their response to risks in real time.
About the author: Darren McCue is President of Dunbar Security Solutions, where he has led the integration of Dunbar’s Cybersecurity, Security Solutions and Protective Services businesses and is responsible for strategically growing the division. For over 20 years, he has spearheaded growth for businesses across a variety of industries, including security, healthcare and technology.
Christopher Ensey, COO of Dunbar Security Solutions, also contributed to this article.