Imagine this if you will:
An employee is teleworking on some critical corporate business and financial information. Some hours later, the employee takes a break to go to the grocery store. The laptop and the files are left on the dining room table. Twenty minutes later, an intruder slides in through the unlocked back door. The alarm system had not been set. The intruder notices the documents and equipment and leaves with them. The employee promptly reports the theft to their boss and to the police, but the damage is done. A day later, the corporate IT security department notices that the laptop's weak password has been breached and that sensitive corporate information has been compromised.
What went wrong? Unfortunately, this scenario is not far from reality. The two key elements of information security, cybersecurity and physical security, converge in a situation that was entirely preventable.
With COVID-19 impacting businesses, organizations, and governments around the world, they have either been implementing well-developed business continuity plans or have been responding as best they can to mitigate losses to revenue and to their available workforce. Increasingly, the workplace has become more decentralized as workers perform their duties while physically distanced from each other. Working from home is increasing the reliance on online platforms for everything from strategy and financial planning to project work. Electronic means to communicate effectively via email, voice, and video depend on the confidentiality, integrity, and availability of the chosen systems. Cybersecurity is on everyone’s mind as a critical factor in business and economic resilience, yet it is just one piece of information security.
Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.¹ Some key categories include protecting applications and networks, protecting the electronic storage of data, and operational security, which consists of the processes and decisions for protecting data as an asset. Operational security also includes ensuring that information related to personnel movements, schedules and locations is protected, and that conversations over digital means or in meetings are not intercepted.
The loss of intellectual property and trade secrets in Canada alone amounts to tens of billions of dollars annually whereas in the United States this figure reaches into the hundreds of billions of dollars. Protecting against such losses requires a comprehensive security program that avoids weak links by capitalizing on the convergence of physical, electronic and cyber security activities in a holistic manner. For example, a sophisticated cybersecurity program cannot protect information that might be stolen by authorized users or through the use of hidden cameras, wireless microphones, GPS trackers, radiofrequency sources, wiretaps or bugs.
An organization’s efforts to protect its critical information rest on the layered defences of its entire security program. Physical security protects the approaches to, and the infrastructure holding, the information and computer assets. It is underpinned by comprehensive threat and risk assessments, site surveys, and security engineering and design, supported by policies and procedures that address access control, personnel vetting, and security incident response capabilities.
Finally, one of the keys to successfully protecting an organization’s information is to instill a security culture and security mindset at home and at work. Security awareness training comprises part of a holistic security program where everyone must be involved, from CEO to the newest worker.
With this in mind, the employee in the previous scenario would have physically locked and secured the documents and the laptop, employed a strong password, locked the back door, and engaged the alarm system prior to leaving.
As the business world transitions to more teleworking and organizations re-examine their workflows and processes, the time is right to also review security practices to ensure that physical, electronic and cyber security activities are aligned into a truly converged security program.
Presidia Security Consulting, a member of the ADGA Group of Companies, has extensive experience conducting comprehensive security program reviews, including information security protection for large government departments and private businesses. Should you require further information or assistance we can be reached at firstname.lastname@example.org.
The author, Frédéric Maurette, is Presidia Security Consulting Inc.’s Principal – Quebec Region. He can be reached at email@example.com.