Risk

Why Cybersecurity and Physical Security Need to Work Together

By Michael J. Martin | July 19, 2022 | 1 min read
Cyber security

About the Author

Michael J. Martin
Michael J. Martin
Chief Executive Officer

Michael Martin is a proven leader in the Security Services & Risk Assessment industry. In December 2018, he became CEO of Circadian Risk. In addition, Michael provides direction and guidance for Aerospace & Defense security programs.

Prior to joining Circadian, Michael served as President of Allied Universal’s Canadian Operations from 2016 to December 2018. During that time, he oversaw the tripling of revenues and numerous M&A integrations in both Canada and the Midwest.

Let’s say the access control system at your organization was hacked, and someone without authorization was able to enter a secure area. Is that a cyber attack, or is it a physical one?

It’s obviously both, but which division should handle it: security or cybersecurity?

Cyber security and physical security are often treated as two separate sectors. You can see these silos in the way many companies are structured: there is often a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO), or cyber security is treated as a subset of physical security, with the head of information security reporting to the head of security.

However, with cyber attacks becoming increasingly common, and costing companies an average of $4.24 million per data breach, it’s important that cybersecurity and physical security merge into one department.

Cybersecurity is security

The convergence of cybersecurity and traditional physical security has never been simple, mostly because the skill sets necessary for each discipline are so different. CISOs tend to come from the IT side of the organization while CSOs are often either from the security side, former law enforcement, or former military. It can be hard to find a leader with both the technical skills and the physical security mindset needed to bring the two together.

Despite this, there are many commonalities between cybersecurity and physical security:

  1. Criminals want the same things they’ve always wanted: Back in the old days, criminals robbed banks, because that’s where the money was. Now your organization’s information is worth money to them. Whether they extract that money by selling your information online, or get money from your company by stealing your data and demanding a ransom, criminals are once again going where the money is. No matter how they attack, their mindset is the same.

  2. Human error plays a role in both: You may think of viruses and malware when you think of a cyber attack, but most attacks are much less technical than that. According to the latest Verizon Data Breach Investigation Report, 82% of breaches in 2021 were caused by human error. Social engineering scams target your employees, using old-fashioned confidence tactics to trick workers into giving up passwords, click on malicious links, or use malicious wi-fi networks that then give the criminals access to your data.

  3. Attacks are intertwined: Just as technology has been integrated into our daily lives, cybercrime is simply a part of crime. Criminals may launch a cyberattack through a physical action, like leaving a malware infected USB drive where someone from your organization can find it, or by calling up a worker and pretending to be someone else to get that employee to click on a bad link.

How secure is your organization? Talk to us now about assessing your security.

Best practices for developing a cyber-physical security plan

  1. If you can’t combine the roles of CSO and CISO, make sure the two work together: When developing an action plan for cyber-physical security, you need both the expertise of someone who knows physical security well, and the technical know-how of someone in IT. If these two roles can’t be combined, they must be in lockstep.

  2. List all your threats: Is your Internet of Things (IoS) secure? Do you have remote workers? What is your device policy at work? What about third party vendors with access to your data and networks.

  3. Know how you will handle each scenario: If a pipe bursts in a server room, how will you handle that? Make a plan for each scenario in advance.

  4. Do you have adequate backups? Know when you are backing up your data and who owns those back-ups. In case of a ransomware attack, backups are your lifeline.

  5. Train your people: What are you doing to have your staff trained, engaged, and aware of potential attacks, and errors. Remember: this training should be updated and repeated often. The cyberthreat landscape is constantly changing, and your team should know about new trends when it comes to social engineering.

Are you adequately addressing the physical security risk to your cyber network? Contact us to make a plan for both.


Related Posts

Fighting at work

5 Ways to Limit Political Arguments at Work

Political discourse is important, but not in the workplace.

Read More
Museum security

Prevent Heists With ASIS’s Museum Security Standards

ASIS’s museum security standards are voluntary but important.

Read More
School safety

Why ASIS’s New School Standard is So Important

ASIS’s school safety standard launches in 2024. Here’s how it will change the conversation about...

Read More
Industry news feb

February 2024 — A Landmark School Shooting Ruling is Handed Down

School shootings, explosions and the latest grants from FEMA

Read More
Cloud self hosted

Cloud vs Self-Hosting: Which Should You Choose?

When you’re dealing with physical security, safety and lives are at stake. Do you trust your most...

Read More

Are you ready to improve your organization’s risk management?

See Circadian Risk In Action Now
Schedule FREE Demo