Too often, chief security officers (CSOs) look at their role through two separate lenses: physical security and cybersecurity. The policies and programs for physical security systems differ drastically from those required for cybersecurity.
And, yes, most CSOs are aware that protecting physical facilities and assets helps prevent cyber breaches, and the reverse is equally true. A recent study by IBM shows that in 2022 the cost of a cyber breach is now over $4M per incident; combine that with data from Palo Alto Networks showing that IP cameras are the most vulnerable enterprise devices, and it’s clear that CSOs have an imperative to focus on both physical and cybersecurity.
Applying the proper cybersecurity practices to physical security systems provides organizations a host of new benefits, including increased overall security with enhanced operational and cost efficiencies. Siloing an organization’s cybersecurity and physical security only creates more risk.
Take, for example, the securing of IoT and networked edge devices. Most enterprises have strict corporate policies and compliance requirements for end-point devices and servers. Every time a new computer or software is connected to the network, strict cyber-hygiene guidelines follow, including frequent software and firmware updates, strong password creation and rotation, backups, and other simple cybersecurity practices.
These practices are a mainstay across almost all enterprises, but unfortunately, most enterprises do not extend these same policies and practices to edge devices residing on physical security networks. Given that today’s physical security systems are made up of thousands of edge and IoT devices, cybercriminals can potentially utilize thousands of vulnerable entry points to compromise an enterprise. Unless an explicit exemption is given, all physical security devices should be maintained and secured according to corporate governance policies.
Truth be told, companies are less adept at securing peripheral IoT devices than they are at securing physical spaces or the network itself. Not only does this fact impact an organization’s cyber and physical security posture, it could also impact its cybersecurity insurance policy.
If a vulnerable physical security system is found to be the source of a cybersecurity breach and has not been maintained appropriately with firmware updates and password rotations, cyber insurance claims can potentially be denied. This means that if a bad actor exploited a network using a default password or out-of-date firmware traced to a physical security device, the burden of responsibility might lie solely on the enterprise. The cost of such a breach could be well into the millions, not including the cost of lost stakeholder trust and reputation.
As cybersecurity insurance claims rise, comprehensive coverage has become harder to obtain. Premiums are rising, documentation requirements have exploded, and organizations have less protection than in the past.
Cyber insurance policies must be renewed yearly and will soon likely account for the changing physical security and IoT landscape in making policy decisions. That is why cybersecurity insurance should not be relied on as a reason to skimp on proper cyber-hygiene practices. It is up to the enterprise to adopt and create proper security protocols to protect its digital and physical assets.
One challenge in creating and deploying such policies is that they must be done at an enormous scale. Today, networked door locks and security cameras incorporate processors and operational firmware that needs to be tracked, managed, and updated to maintain proper cyber hygiene. It is not uncommon for large enterprises to have hundreds to thousands of these devices, far surpassing the number of computers and servers most CSOs are accustomed to managing.
Maintaining cyber hygiene for potentially thousands of devices is virtually impossible for even the most experienced security teams. Luckily, many automated solutions are available to help manage and secure devices, update firmware, ensure device password compliance, and provision IoT device certificates at scale.
Innovative IoT security platforms provide vulnerability scanning, device classification, remediation, and repatriation at scale, allowing organizations to quickly identify and fix cybersecurity vulnerabilities within minutes, not months.
For example, certificate-based network access control (NAC) is critical to keeping the right IoT devices online. It would take an inordinate amount of time for security teams to manually verify and update every certificate for every networked device. Automated device certificate managers deliver centralized life cycle management for 802.1X, TLS, and OPC UA certificates for all devices. With a click of a button, the technology validates certificate presence, age, and validity and updates and manages certificates on virtually any number of IoT and security devices anywhere.
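The three checks named above (presence, age, validity) are the core of a certificate life cycle audit. The following is an added illustration, not code from the article or from any vendor's product: it classifies a constructed inventory of device certificate windows against a renewal threshold and a maximum-lifetime policy, which are assumed values, so a fleet tool can decide which devices to renew or enroll. Device names and dates are constructed.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory of what an automated certificate manager would collect from
# each device: the validity window of the certificate it presents for 802.1X/TLS.
# Dates use the "Mon DD HH:MM:SS YYYY GMT" layout the ssl module reports, and None
# records a device that answered but offered no certificate at all.
DEVICE_CERTS = {
    "cam-lobby-01":  ("Jan 15 09:00:00 2023 GMT", "Jan 15 09:00:00 2024 GMT"),
    "door-east-02":  ("Mar 01 00:00:00 2024 GMT", "Jun 15 00:00:00 2024 GMT"),
    "cam-dock-03":   None,
    "nvr-core-04":   ("Jan 01 00:00:00 2024 GMT", "Jan 01 00:00:00 2026 GMT"),
    "cam-garage-05": ("Jan 01 00:00:00 2024 GMT", "Dec 31 00:00:00 2024 GMT"),
}

# Constructed reference time for the audit (1 June 2024, UTC).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()
DAY = 86400

# Assumed policy values: renew anything expiring within 30 days, and flag any
# certificate whose total lifetime exceeds 398 days.
RENEW_WITHIN_DAYS = 30
MAX_LIFETIME_DAYS = 398


def classify_cert(window, now=NOW, renew_within_days=RENEW_WITHIN_DAYS,
                  max_lifetime_days=MAX_LIFETIME_DAYS):
    """Return one finding for a device's certificate window.

    Priority order: missing, not_yet_valid, expired, lifetime_exceeds_policy,
    expiring, ok.  Presence is checked first, then validity, then age.
    """
    if window is None:
        return "missing"
    not_before = ssl.cert_time_to_seconds(window[0])
    not_after = ssl.cert_time_to_seconds(window[1])
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if (not_after - not_before) > max_lifetime_days * DAY:
        return "lifetime_exceeds_policy"
    if (not_after - now) <= renew_within_days * DAY:
        return "expiring"
    return "ok"


def audit_certificates(inventory, now=NOW, **policy):
    """Classify every device in the inventory; returns {device_id: finding}."""
    return {dev: classify_cert(win, now, **policy) for dev, win in inventory.items()}


def needs_action(findings):
    """Devices the certificate manager should renew or enroll now, sorted by id."""
    return sorted(dev for dev, finding in findings.items() if finding != "ok")


if __name__ == "__main__":
    report = audit_certificates(DEVICE_CERTS)
    for dev, finding in report.items():
        print(f"{dev:14s} {finding}")
    print("action required:", ", ".join(needs_action(report)))
```

The priority order matters in practice: a certificate that is both over the lifetime limit and already expired is reported as expired, because that is the condition that will take the device off the network first.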
The same is true of device firmware updates. Updating a device’s firmware is an important cyber-hygiene practice that often goes overlooked, because doing so by hand is a tedious and complex effort, especially when an organization has deployed different devices from multiple vendors. An automated device firmware manager identifies which connected IoT devices require firmware updates and will automatically update the firmware if necessary. Secure “chain-of-trust” methods ensure that the firmware being applied comes from a trusted, uncorrupted source.
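What a chain-of-trust check actually does before an image is flashed is worth seeing concretely. The block below is an added example, not the article's or any vendor's code. It verifies a firmware manifest's authenticator, confirms the image digest matches the manifest, checks the manifest is for the right device model, and refuses downgrades. Real vendors sign manifests with an asymmetric key chained to a vendor root; here an HMAC under a key assumed to be provisioned to the update manager stands in for that signature so the example runs with the standard library only. The model names, version strings, image bytes and key are all constructed.

```python
import hashlib
import hmac
import json

# Assumed: a key provisioned to the update manager, standing in for the vendor's
# code-signing certificate. With a real vendor signature the verification order
# below is unchanged; only the authenticator check would call a signature verifier.
MANIFEST_KEY = b"constructed-provisioned-manifest-key"


def _encode(body):
    """Canonical bytes over which the manifest authenticator is computed."""
    return json.dumps(body, sort_keys=True).encode()


def build_manifest(model, version, image, key=MANIFEST_KEY):
    """Vendor side: bind the image digest and version, then authenticate the body."""
    body = {"model": model, "version": version,
            "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "auth": hmac.new(key, _encode(body), "sha256").hexdigest()}


def parse_version(version):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def verify_update(manifest, image, device_model, installed_version, key=MANIFEST_KEY):
    """Update-manager side. Returns (ok, reason); only ok=True images may be flashed.

    Order matters: nothing in the body is trusted until the authenticator holds.
    """
    body = manifest.get("body", {})
    expected = hmac.new(key, _encode(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest.get("auth", "")):
        return False, "manifest authentication failed"
    if body.get("model") != device_model:
        return False, "manifest is for a different device model"
    if hashlib.sha256(image).hexdigest() != body.get("sha256"):
        return False, "image digest does not match manifest"
    if parse_version(body["version"]) <= parse_version(installed_version):
        return False, "refusing downgrade or re-install of same version"
    return True, "image verified"


if __name__ == "__main__":
    image = b"constructed firmware image bytes for CAM-200"
    manifest = build_manifest("CAM-200", "2.4.1", image)
    print(verify_update(manifest, image, "CAM-200", "2.3.0"))
    print(verify_update(manifest, image + b"\x00", "CAM-200", "2.3.0"))
    # A manifest whose version was edited after signing fails the first check,
    # so an attacker cannot relabel an old, vulnerable image as a newer one.
    edited = {"body": dict(manifest["body"], version="9.9.9"), "auth": manifest["auth"]}
    print(verify_update(edited, image, "CAM-200", "2.3.0"))
```

The downgrade check is the piece most often missing from home-grown updaters: an authentic, untampered image that is older than what is installed can reintroduce fixed vulnerabilities, so the manifest version is compared numerically against the installed one.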
Lastly, default and enterprise-wide passwords provide the simplest path to hacking any IoT device. And just as employees have passwords for their computers, physical security devices should not be exempt. Innovative password management technology provides a viable, automated approach to verify that strict password policies and compliance requirements are being met for all distributed devices.
Such a solution verifies that IoT devices are not using default or commonly used passwords, which are a well-known entry point for cyberattacks. Furthermore, automated password verification helps ensure compliance with many standards, including PCI, NERC, and NIST, ensuring that surveillance networks cannot be compromised because of lenient password standards.
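The two preceding paragraphs describe four distinct credential findings: a factory default or common password, a password that fails the enterprise policy, one password shared across many devices, and a credential past its rotation age. The block below is an added example, not the article's or any vendor's code, that runs those checks over a constructed device inventory as a credential vault would hold it. The default-password list, the minimum length and class rules, and the 90-day rotation limit are assumed policy values.

```python
import hashlib
import string
from collections import Counter

# Constructed stand-in for the per-vendor factory-default and common-password list a
# real platform would carry; compared case-insensitively.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "root", "888888",
                  "admin123", "user", "default"}

# Assumed policy: at least 12 characters and three of four character classes,
# rotate at least every 90 days.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90

# Constructed inventory as the credential vault would hold it: device id, the
# credential currently set on the device, and days since it was last rotated.
DEVICES = [
    {"id": "cam-lobby-01", "password": "admin",           "age_days": 400},
    {"id": "cam-lobby-02", "password": "Xq7!mPa2#vL9rT",  "age_days": 10},
    {"id": "door-east-01", "password": "Site-Wide-2023!", "age_days": 120},
    {"id": "door-east-02", "password": "Site-Wide-2023!", "age_days": 120},
    {"id": "nvr-core-01",  "password": "summer2024",      "age_days": 5},
]


def meets_policy(password, min_length=MIN_LENGTH):
    """Length plus at least three of: lower, upper, digit, punctuation."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def fingerprint(password):
    """Digest used only to group identical credentials for the reuse check, so the
    comparison never needs the plaintext once the fingerprints are computed."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_credentials(devices, max_age_days=MAX_AGE_DAYS):
    """Return {device_id: [findings]}; an empty list means the device is compliant."""
    reuse = Counter(fingerprint(d["password"]) for d in devices)
    report = {}
    for device in devices:
        pw = device["password"]
        findings = []
        if pw.lower() in KNOWN_DEFAULTS:
            findings.append("default_or_common")
        if not meets_policy(pw):
            findings.append("fails_policy")
        if reuse[fingerprint(pw)] > 1:
            findings.append("shared_across_devices")
        if device["age_days"] > max_age_days:
            findings.append("rotation_overdue")
        report[device["id"]] = findings
    return report


def noncompliant(report):
    """Device ids with at least one finding, sorted."""
    return sorted(dev for dev, findings in report.items() if findings)


if __name__ == "__main__":
    for dev, findings in audit_credentials(DEVICES).items():
        print(f"{dev:14s} {', '.join(findings) or 'compliant'}")
```

The reuse check is what catches the "enterprise-wide password" case the paragraph above warns about: each device in the pair door-east-01/door-east-02 passes the complexity rule on its own and is still flagged, because the same credential unlocking many devices turns one leaked password into fleet-wide access.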
Liability for cybersecurity breaches is also an increasingly discussed topic. In fact, Gartner predicts that 75% of CEOs will be personally liable for cyber-physical security incidents by 2024.
This is cause for concern in C-suites across all businesses and organizations, and it should resonate just as loudly within professional security circles. Excuses related to overburdened operations and budgets, lack of technical know-how, and/or ignorance of the law will simply not be sufficient anymore, not when your CEO’s neck is on the line and you’re responsible for protecting it.
This is a new and compelling incentive to resolve the longstanding and emerging challenges CSOs and CISOs face to better secure professional security and enterprise networks.
The good news is that there are automated IoT security technologies that do the very thing that CSOs wish they could do but are unable to — apply an enterprise’s cybersecurity policies to physical security devices at scale.
These automated security solutions help tangibly merge cyber and physical security, providing a holistic approach to security wherein physical security protects cyber assets and vice versa. This leads to improved costs and operational efficiencies, reduced exposure to organizational and personal liabilities, reduced cyber breaches, fewer disruptions to physical security operations, compliance with cybersecurity insurance requirements, and more.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.