Physical and Cyber Security: Be Sure to Consider Your Liability when Mitigating Risks

A few years ago, a New Jersey teenager sneaked out of his home in the middle of the night and made himself famous overnight. He crawled through a hole in the perimeter fenceline, and made it past a sleeping security officer to go all the way up to the 104th floor of 1 World Trade Center. At the top of the building, he took selfies for two hours and posted them on social media. If that young man had been interested in stealing, committing arson, or breaching the company’s IT systems, the situation would have been disastrous. As might be expected, the security officer was fired, the contract security company was under review, and overall security of the building was scrutinized. Unfortunately, security breaches like this happen every day, although not always at such a high profile, and not always reported.

Today's Cyber and Physical Attacks are Faster and More Devastating

The nature of business risks and a company’s liability has changed and expanded in recent years. In the past, you might have worried about losing share to a competitor, or about a price increase on a key raw material. Today, the list of potential risks is longer, and includes attacks that often blur the line between cyber and physical breaches, happen faster, and can be more dangerous to your organization.

As an example, one of the most common ways that hackers breach a company’s network is by breaking into a facility and stealing a laptop or other equipment that holds sensitive company information. Another common technique is to use “social engineering” to get past security and plug into the network through an IP phone or other port. That was the case when Jayson E. Street, a social engineer, talked a bank teller into allowing him to plug his USB into the bank’s computer system, which gave him access to the bank manager assistant’s user ID, password, and smart card.

When a physical security system is breached, it can lead to data breaches of epic proportions. This can negatively impact not only your company’s short-term profitability, but also basic business continuity.

Most Industry and Government Regulations Mandate "Entry/Access Control"

What is more, not properly securing your entrances could put your enterprise in violation of federal regulations. The passing of Homeland Security legislation to protect critical infrastructure has affected industries such as Manufacturing, Energy, Transportation, Technology, and others. On the data and IT side, laws and regulations such as HIPAA, HITRUST, PCI Data Security Standard, NERC CIP, FERC, FISMA, ISO, FDA, TAPPA all aim to protect data. Whether it’s physical security or cybersecurity, all regulations mandate some form of physical controls that address unauthorized entry and access control into a facility or campus.

Mitigating Risk at the Entry Begins with Security Entrances

In the past, many companies have relied upon well-trained and professional security officers to secure entrances. However, hackers have figured out that using social engineering is often easiest - read this incredible blog on how a pen tester successfully breached a facility. This new approach is proving that people themselves can be the “weakest link” in a physical security plan, so what can you do?

Physical security entrances are designed to prevent unauthorized entry

To thwart such attacks you need something that can’t be fooled or tricked and that supports security officers: security entrances, such as turnstiles and security doors. When integrated with access control systems, they reliably deter and detect unauthorized entry, and certain types can even prevent it without supervision. They also enable accurate monitoring of who is in the building at all times.

Security entrances work well against lone actors and organized hacker groups. They enable access for authorized individuals who need to be in your facility while keeping out unwanted visitors, including those intent on stealing your data.

They come in a wide range of assurance levels, as well. For example, they range from waist-high turnstiles for controlling high volumes of traffic, to full-height turnstiles, to optical turnstiles, to security revolving doors and mantrap portals that make it close to impossible to tailgate into your facility, with sensors that recognize shapes, size and volume and stop entry.

How Security Entrances Reduce Overall Liability

More than ever, keeping unauthorized people out of your facility is vitally important to protect your network and your company’s data. An unsecured entrance (swing door) could leave your company open to a security or data breach, and your organization could be held liable in the aftermath, leading to crippling liability judgments, loss of reputation, work interruptions, and even the removal of your leadership team. In the end, it could be up to a court of law to determine if you did all you could to prevent intrusion.

When mitigating risk in your physical and cyber security planning, remember that security entrances reduce your liability by demonstrating a plausible degree of effort to prevent infiltration. They protect the personal safety and security of staff, visitors, and anyone else in your facility, as well as your organization’s IT and computer systems and data.


Greg Schreiber
Greg Schreiber has been with the company a total of 19 years and currently is the Senior Vice President of Sales. Greg’s career spans over 24 years in the security entrance and door industry in a variety of sales management roles, including National Sales Manager for Boon Edam since 2007, after the acquisition of Tomsed Corporation. Greg has successfully steered the North American and Latin American sales teams to produce double-digit sales growth in each of the last 4 years. A native of Pittsburgh, Greg graduated from the University of Toledo with a degree in Business Administration and currently lives in Venetia, PA.