When one mentions Cybersecurity, the image that comes to mind is often a hacker in a hoodie sitting in a dark room in front of a computer, or a large server room. While it is true that protecting digital assets is of prime interest, Cybersecurity also encompasses other areas, including the human element (protecting against Social Engineering) and even Physical Security.
The latter typically covers all of the brick-and-mortar space that a business occupies, including the inside offices.
Depending upon the industry the business is in, security may be lax or it may be very tight. For instance, at a law firm the primary entrance may not be heavily controlled, but the inside offices will probably be much tighter, for example requiring a smart card or a key fob to enter. On the other hand, a nuclear facility or other Critical Infrastructure site will have much tighter Physical Security throughout. But whatever the situation might be, there tends to be, at least in Corporate America, much more focus on the digital side of Cyber than on the physical side. Why is this the case, you may be asking? Here are some key reasons:
1)
Not understanding the importance of it:
Imagine a retail store that has a brick-and-mortar presence in different cities and also has a huge online presence, from which it derives most of its revenue. Of course, the business owners are going to pay very close attention to the security layers that are baked into their online store. This would include making sure that the source code is as secure as possible and that all TLS certificates are installed and renewed before they expire. Because of this, far less attention will be paid to the physical security of the stores. True, there will be the usual alarms and CCTV cameras in place, but will that be enough?
What I am trying to get at is that business owners tend to assume the Cyberattacker will be far more attracted to the digital side than to the physical side. In today's environment, this is far from the truth. The Cyberattacker knows about this blind spot and now targets the physical side as well, using the principles of Social Engineering to con employees into giving out confidential information.
Also, keep in mind that Physical Security is subject to the data privacy laws as well: visitor logs, paper records and CCTV footage are personal data too, and you have to be just as compliant here as you would be on the digital side.
2)
Misunderstanding of linkages:
If a company is very large, like Walmart, then there will be some separation between the E-Commerce front and the physical stores, because order fulfillment occurs at the warehouse level, not at the store level. But if you are a small business owner like me, then there is no such separation. I have an E-Commerce store in which I sell my eBooks and newsletters. Any impact here will be felt on the business overall, because my brand will have been totally ruined. The bottom line is that no matter how large or small your business might be, there will always be a direct linkage, or connection, between your online presence and your physical presence. You need to pay attention to both and have the right controls in place. And as my illustration shows, an impact in one area will have an impact on the other. It is like a weighing scale that you need to carefully balance.
3)
The IoT:
This is an acronym that stands for the "Internet of Things". Loosely defined, it is where all of the objects that we interact with are connected together across both the virtual and physical worlds. Voice assistants such as Siri and Cortana are a familiar example: we use a wireless device to interact with a personal assistant that exists in the virtual world. While this is certainly advantageous, it also carries many security weaknesses. For instance, the network lines of communication are often not secured at all: a great deal of IoT traffic is still transmitted in cleartext, so if that information is intercepted by a malicious third party, a lot of damage can be done. A good example of this is an employee using a handheld scanner to order new stock. Anybody with a network sniffer hidden in their pocket can capture the data packets that are being sent back and forth and reassemble them later. This can give valuable insights into the warehouse that is storing these products, what it holds, and where the security weaknesses may reside. The moral of the story here is to make sure that these lines of communication are encrypted, just as you would for your online presence.
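To make the scanner example concrete, here is an added Python example (not code from the original post) that triages captured payloads from a handheld inventory scanner: it checks whether a payload starts with a TLS record header, and if not, how much of it is readable text and which order fields can be read out of it directly. The sample captures and the field names (sku, qty, warehouse, bin) are constructed for illustration and are not real traffic.

```python
import re
import string

# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# A TLS record carries at most 2^14 bytes plus expansion (2048 in older versions,
# 256 in TLS 1.3), so a larger length field cannot be a real record header.
TLS_MAX_RECORD_LEN = 16384 + 2048

PRINTABLE = set(string.printable.encode("ascii"))

# Fields an attacker would look for in a cleartext stock order (constructed names).
ORDER_FIELD_RE = re.compile(rb"(sku|qty|warehouse|bin)=([^&\r\n]+)")


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header.

    A TLS record begins with: content type (1 byte), legacy version 3.x
    (2 bytes), record length (2 bytes, big endian). Both handshake and
    application-data records match this shape.
    """
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= TLS_MAX_RECORD_LEN)


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII; cleartext protocols score near 1.0."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in PRINTABLE) / len(payload)


def classify(payload: bytes) -> str:
    """Rough triage of one captured payload: 'encrypted', 'cleartext' or 'unknown'."""
    if looks_like_tls(payload):
        return "encrypted"
    if printable_ratio(payload) >= 0.95:
        return "cleartext"
    return "unknown"


def exposed_order_fields(payload: bytes) -> dict:
    """Order fields recoverable from a cleartext payload without any decryption."""
    if classify(payload) != "cleartext":
        return {}
    return {k.decode(): v.decode() for k, v in ORDER_FIELD_RE.findall(payload)}


# Constructed sample captures (not real traffic).
CLEARTEXT_SCANNER_POST = (
    b"POST /inventory/reorder HTTP/1.1\r\n"
    b"Host: stock.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"sku=48213&qty=40&warehouse=WH-07&bin=A3-14"
)
# First bytes of a TLS ClientHello record: type 0x16, record version 3.3, length 0x00a5.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160303 00a5 0100 00a1 0303") + b"\x00" * 32

if __name__ == "__main__":
    for name, capture in (("scanner POST", CLEARTEXT_SCANNER_POST),
                          ("TLS handshake", TLS_CLIENT_HELLO_PREFIX)):
        print(f"{name}: {classify(capture)} {exposed_order_fields(capture)}")
```

In practice the payloads would come from a capture taken next to the scanners (tcpdump or Wireshark on a laptop within Wi-Fi range is enough). The check is a heuristic: "encrypted" only means the traffic is wrapped in TLS, not that the device validates the server certificate or uses a current protocol version, so those need to be checked separately before the channel is trusted.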
4)
Giving great customer service:
In the retail sector, the tendency is always to bend over backwards to help the customer, no matter what the cost might be in the end. We are motivated to do this in anticipation of getting a nice compliment or even a raise. But be careful here. A good example is a customer walking in and asking you to help them reset their password on their portal at your online store. This could be a ploy to get you to log into the corporate databases to perform the reset while they watch. A cunning Cyberattacker will always be looking over your shoulder to see what steps you take, what screens you open and what you type. This is technically known as "shoulder surfing". In this case, you should always tell your customer that while you do want to help them out, their best bet is to call tech support to have the password reset.
My Thoughts On This:
As we fast approach 2023, I believe that attacks on physical structures (and not just Critical Infrastructure) will become more prevalent. The reason for this, which has been the theme of this blog, is that because we have paid so much attention to the protection of digital assets, we have totally neglected the protection of our physical ones.
The Cyberattacker is well aware of this, and physical assets will now become their prime target because of the sheer ease of penetrating them.