Chief security officers (CSOs) too often view their roles through two lenses: cybersecurity and physical security. Policies and programs for physical security systems differ significantly from those for cybersecurity.
CSOs know that protecting assets and facilities physically helps prevent cyber breaches. The logic also works in reverse: weakly secured physical security devices become a path into the network. IBM recently conducted a study showing that cyber breaches cost more than $4M per incident in 2022.
Combined with Palo Alto Networks data showing that IP cameras are among the most vulnerable enterprise devices, this makes the case that CSOs must focus on cybersecurity and physical security together.
Cybersecurity to Enterprise Security
Organizations can reap the benefits of applying cybersecurity best practices to their physical security systems. This includes increased security and operational efficiency as well as cost savings. Siloing an organization’s cybersecurity and physical security creates more risk.
Consider, for instance, the security of IoT devices and networked edges. Many enterprises have strict policies and compliance requirements regarding end-point devices, servers, and other business operations.
When a new computer or program is connected to the network, strict cybersecurity guidelines are followed. These include frequent firmware and software updates, strong password rotation and creation, backups, and other basic cybersecurity practices.
These are standard practices in almost all businesses. However, many enterprises don’t extend the same policies to edge devices that are part of their physical security networks.
Cybercriminals could potentially use thousands of vulnerable entry points to compromise an enterprise’s physical security system. Unless an exemption is granted, all physical security devices must be secured and maintained according to corporate governance policies.
Companies are less skilled at protecting peripheral IoT devices than they are at protecting physical spaces and the network. This fact can harm an organization’s cybersecurity and physical security posture.
Suppose a vulnerability in a physical security system is found to have caused a cybersecurity breach, and the system had not been adequately maintained with firmware updates or password rotations. Cyber insurance claims could be denied in that case.
If a bad actor exploits the network using a default password or out-of-date firmware, and the entry point is traced back to a physical security device or another means of securing the premises, responsibility for the breach could fall on the entire enterprise. Such a breach could cost millions of dollars, not counting the loss of trust and reputation.
Comprehensive coverage is becoming more difficult to find as cybersecurity insurance claims increase. The premiums are increasing, the documentation requirements have increased, and organizations now have less protection than they did in the past.
Cyber insurance policies should be renewed annually, and insurers will soon consider the changing IoT and physical security landscapes when making policy decisions. Cybersecurity insurance should not be used as an excuse to neglect proper cyber hygiene.
It is up to the enterprise to develop and implement proper security protocols to protect digital and physical assets. It isn’t easy to create and implement such policies on a large scale. Networked door locks and security camera systems have processors and operating firmware.
This requires tracking, management, and updating to ensure cyber hygiene. Large enterprises can have hundreds to thousands more of these devices than the computers and servers that most CSOs are used to managing.
Even the most skilled security personnel will find it challenging to maintain cyber hygiene for thousands of devices. Many automated solutions exist to manage, secure, update, protect, and enforce device password compliance.
IoT security platforms that are innovative and scalable provide device classification, vulnerability scanning, remediation, and repatriation at scale. This allows organizations to identify and resolve cybersecurity vulnerabilities quickly.
For example, certificate-based network access control (NAC) is crucial to keep the right IoT devices online. Without automation, security teams would need to verify and update each device certificate manually, which is too time-consuming. Automated device certificate managers handle the central management of all device certificates.
The technology can validate certificate existence, age, and validity with a single click. It also manages certificates across virtually all IoT devices and security devices.
This is also true for firmware updates. It is a necessary cyber-hygiene procedure that often gets overlooked. Doing this manually can be tedious and complicated, especially if you have multiple devices from different vendors.
Automated device firmware managers identify connected IoT devices that require firmware updates and, if necessary, update the firmware automatically. The firmware is always retrieved from a trustworthy source using "chain-of-trust" security methods, so a device only installs images whose origin can be verified.
Finally, enterprise-wide and default passwords are the easiest ways to hack any IoT device. Employees should have passwords for their computers. Physical security devices shouldn’t be exempt. Innovative password management technology offers an automated way to ensure that all devices comply with strict password policies.
This solution ensures that IoT devices do not use default or shared passwords, both of which are well-known weaknesses exploited in cyberattacks. Automated password verification also helps demonstrate compliance with standards such as PCI, NERC, and NIST, and ensures lenient password standards do not compromise surveillance networks.
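The certificate, firmware and password checks described above (certificate existence, age and validity; firmware currency; default and shared passwords) can be expressed as a single inventory audit. The following is an added example, not code from the article or from any vendor platform; the device records, the default-password list, the minimum firmware versions and the one-year certificate rotation limit are all constructed for illustration, and in practice would come from the NAC or device-management platform and vendor advisories.

```python
"""Device-hygiene audit over an IoT / physical-security device inventory.

Added example (not from the article or any vendor product). Every record and
policy value below is constructed for illustration.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from datetime import date, timedelta

# Constructed: factory defaults a device must never still be using.
DEFAULT_PASSWORDS = {"admin", "password", "12345", "123456"}

# Constructed: minimum acceptable firmware per (vendor, model), as version tuples.
MIN_FIRMWARE = {
    ("ExampleCam", "X100"): (5, 7, 1),
    ("ExampleLock", "DL-2"): (2, 3, 0),
}

# Certificate policy: not expired, and rotated at least once per MAX_CERT_AGE.
MAX_CERT_AGE = timedelta(days=365)

# Constructed date on which the sample audit is run.
AUDIT_DATE = date(2024, 6, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.7.1' into (5, 7, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_device(dev: dict, today: date) -> list[str]:
    """Return the policy findings for one device (an empty list means compliant)."""
    findings = []
    if dev["password"] in DEFAULT_PASSWORDS:
        findings.append("default-password")
    minimum = MIN_FIRMWARE.get((dev["vendor"], dev["model"]))
    if minimum is not None and parse_version(dev["firmware"]) < minimum:
        findings.append("outdated-firmware")
    if dev["cert_not_after"] < today:
        findings.append("cert-expired")
    if today - dev["cert_not_before"] > MAX_CERT_AGE:
        findings.append("cert-too-old")
    return findings


def audit_inventory(devices: list[dict], today: date) -> dict[str, list[str]]:
    """Audit every device, then flag passwords that are shared across devices.

    Passwords are grouped by SHA-256 digest so the cross-device comparison works
    on hashes rather than on a plaintext list.
    """
    report = {dev["id"]: audit_device(dev, today) for dev in devices}
    by_hash: dict[str, list[str]] = defaultdict(list)
    for dev in devices:
        by_hash[hashlib.sha256(dev["password"].encode()).hexdigest()].append(dev["id"])
    for ids in by_hash.values():
        if len(ids) > 1:
            for dev_id in ids:
                report[dev_id].append("shared-password")
    return report


# Constructed sample inventory: one compliant camera, one neglected camera,
# and two door locks that share a credential.
SAMPLE_INVENTORY = [
    {"id": "cam-01", "vendor": "ExampleCam", "model": "X100", "firmware": "5.7.1",
     "password": "Lk8!vq2#Pm", "cert_not_before": date(2023, 11, 1), "cert_not_after": date(2024, 11, 1)},
    {"id": "cam-02", "vendor": "ExampleCam", "model": "X100", "firmware": "5.6.0",
     "password": "admin", "cert_not_before": date(2022, 1, 10), "cert_not_after": date(2023, 1, 10)},
    {"id": "lock-01", "vendor": "ExampleLock", "model": "DL-2", "firmware": "2.3.0",
     "password": "SharedPw!99", "cert_not_before": date(2024, 2, 1), "cert_not_after": date(2025, 2, 1)},
    {"id": "lock-02", "vendor": "ExampleLock", "model": "DL-2", "firmware": "2.3.0",
     "password": "SharedPw!99", "cert_not_before": date(2024, 2, 1), "cert_not_after": date(2025, 2, 1)},
]


def sample_report() -> dict[str, list[str]]:
    """Run the audit over the constructed inventory on the constructed audit date."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for dev_id, findings in sample_report().items():
        print(dev_id, "OK" if not findings else ", ".join(findings))
```

The audit is deliberately split into per-device checks and a fleet-wide check: default passwords and stale firmware or certificates can be judged one device at a time, but a shared credential is only visible when the whole inventory is compared, which is exactly the case manual spot checks tend to miss.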
Trending discussions about cybersecurity breaches are also essential to be aware of. Gartner predicts that 75% of CEOs could be held personally responsible for cyber-physical security incidents in 2024.
This should be alarming for the C-suite of every organization and business, and it should also concern all security professionals. Excuses about overburdened operations, limited budgets, or lack of technical knowledge will no longer suffice. Your CEO's neck is at stake, and you must protect it.
This is a compelling incentive to address the longstanding and new challenges CSOs/CISOs face in improving both physical security and enterprise network security.
IoT security technology now exists that lets CSOs automate the application of cybersecurity policies to physical security devices across large enterprises.
This holistic approach combines cyber and physical security so that each protects the other.
This results in lower costs and operational efficiency, less exposure to personal and organizational liabilities, fewer cyber breaches, fewer disruptions of physical security operations, and compliance with cybersecurity insurance requirements.