Let’s say the access control system at your organization was hacked, and someone without authorization was able to enter a secure area. Is that a cyber attack, or is it a physical one?

It’s obviously both, but which division should handle it: security or cybersecurity?

Cyber security and physical security are often treated as two separate sectors. You can see these silos in the way many companies are structured: there is often a Chief Security Officer (CSO) and a Chief Information Security Officer (CISO), or cyber security is treated as a subset of physical security, with the head of information security reporting to the head of security.

However, with cyber attacks becoming increasingly common, and costing companies an average of $4.24 million per data breach, it’s important that cybersecurity and physical security merge into one department.

Cybersecurity is security

The convergence of cybersecurity and traditional physical security has never been simple, mostly because the skill sets necessary for each discipline are so different. CISOs tend to come from the IT side of the organization while CSOs are often either from the security side, former law enforcement, or former military. It can be hard to find a leader with both the technical skills and the physical security mindset needed to bring the two together.

Despite this, there are many commonalities between cybersecurity and physical security:

1. Criminals want the same things they’ve always wanted: Back in the old days, criminals robbed banks, because that’s where the money was. Now your organization’s information is worth money to them. Whether they extract that money by selling your information online, or get money from your company by stealing your data and demanding a ransom, criminals are once again going where the money is. No matter how they attack, their mindset is the same.
2. Human error plays a role in both: You may think of viruses and malware when you think of a cyber attack, but most attacks are much less technical than that. According to the latest Verizon Data Breach Investigation Report,82% of breaches in 2021 were caused by human error. Social engineering scams target your employees, using old-fashioned confidence tactics to trick workers into giving up passwords, click on malicious links, or use malicious wi-fi networks that then give the criminals access to your data.
3. Attacks are intertwined: Just as technology has been integrated into our daily lives, cybercrime is simply a part of crime. Criminals may launch a cyberattack through a physical action, like leaving a malware infected USB drive where someone from your organization can find it, or by calling up a worker and pretending to be someone else to get that employee to click on a bad link.

Best practices for developing a cyber-physical security plan

1. If you can’t combine the roles of CSO and CISO, make sure the two work together: When developing an action plan for cyber-physical security, you need both the expertise of someone who knows physical security well, and the technical know-how of someone in IT. If these two roles can’t be combined, they must be in lockstep.
2. List all your threats:Is your Internet of Things (IoS) secure? Do you have remote workers? What is your device policy at work? What about third party vendors with access to your data and networks.
3. Know how you will handle each scenario:If a pipe bursts in a server room, how will you handle that? Make a plan for each scenario in advance.
4. Do you have adequate backups? Know when you are backing up your data and who owns those back-ups. In case of a ransomware attack, backups are your lifeline.
5. Train your people: What are you doing to have your staff trained, engaged, and aware of potential attacks, and errors. Remember: this training should be updated and repeated often. The cyberthreat landscape is constantly changing, and your team should know about new trends when it comes to social engineering.

Republished with permission from Circadian Risk.

Circadian Risk offers services to address the physical security risk to cyber networks.    https://www.circadianrisk.com/resources/blog/why-cybersecurity-and-physical-security-need-to-work-together