Physical security is the protection of people, property, and physical assets from actions and events that could cause damage or loss. Though often overlooked in favour of cybersecurity, physical security is equally important. And, indeed, it has grown into a US$30 billion industry. All the firewalls in the world can’t help you if an attacker removes your storage media from the storage room.
The growing sophistication of physical security through technologies such as artificial intelligence (AI) and the internet of things (IoT) means IT and physical security are becoming more closely connected, and as a result security teams need to be working together to secure both the physical and digital assets.
Why physical security is important
At its core, physical security is about keeping your facilities, people and assets safe from real-world threats. It includes physical deterrence, detection of intruders, and responding to those threats.
While it could be from environmental events, the term is usually applied to keeping people – whether external actors or potential insider threats – from accessing areas or assets they shouldn’t. It could be keeping the public at large out of your HQ, on-site third parties from areas where sensitive work goes on, or your workers from mission-critical areas such as the server room.
Physical attacks could be breaking into a secure data centre, sneaking into restricted areas of a building, or using terminals they have no business accessing. Attackers could steal or damage important IT assets such as servers or storage media, gain access to important terminals for mission critical applications, steal information via USB, or upload malware onto your systems.
Rigorous controls at the outermost perimeter should be able to keep out external threats, while internal measures around access should be able to reduce the likelihood of internal attackers (or at least flag unusual behaviour).
One of the most common errors a company makes when approaching physical security, according to David Kennedy, CEO of penetration testing firm TrustedSec, is to focus on the front door. “They'll put all of the security in the front door; surveillance cameras, security guards, badge access, but what they don't focus on is the entire building of the whole.”
Smoking areas, on-site gym entrances, and even loading bays may be left unguarded, unmonitored and insecure, he says. Turnstiles or similar barriers that have movement sensors on the exits can also easily be opened by putting a hand through to the other side and waving it around.
While the cost of successful digital attacks keeps increasing, physical damage to your assets can be just as harmful. One notorious example of physical security failing saw a Chicago colocation site robbed four times in two years, with robbers taking 20 servers in the fourth break in.
Scope of physical security risks
The pandemic, civil unrest related to the January 6 insurrection, and an increase in gun violence have made CISOs and other executives more concerned about physical security, including the well-being of themselves and their employees. That's according to the 2021 Mid-Year Outlook State of Protective Intelligence Report from the Ontic Center for Protective Intelligence.
The report, which is based on a survey of 300 physical security decision makers, CISOs, CIOs, CTOs, and other IT leaders, emphasises four areas of concern over physical threats:
- Business continuity: Unmanaged and rising physical threats increase corporate risk and potentially could impact business continuity. The report recommends companies invest in physical security to mitigate violent threats.
- A larger threat landscape: Intelligence failures put executives and employees at risk of physical harm or supply chain damage or property theft by insiders. Seventy-one percent of respondents said the physical threat landscape has "dramatically" changed in 2021.
- Lack of unification between physical and cybersecurity: Most respondents (69%) said that unifying cyber- and physical security could have helped avoid incidents that resulted in hard or death at their organisations. This includes having a single platform to identify and communicate threats.
- Unexpected challenges: Compared to an earlier study, some of the key challenges IT and security leaders faced in 2021 were not the ones they expected to have when asked in 2020. Those challenges include regulatory compliance reporting and demonstrating a return on investment in physical security.
Overall, 64% of respondents reported an increase in physical threat activity so far in 2021, while 58% say they feel less prepared to handle physical security for their organisation.
Physical security principles and measures
Physical security largely comes down to a couple of core components: access control and surveillance.
Access control encompasses a large area that includes basic barriers to more sophisticated things such as keypad, ID card or biometrically-restricted doors.
The first line of defence is the building itself--the gates fences, windows, walls, and doors. Locking these, adding deterrents such as barbed wire, warning signage, and visible guards will put off most casual attempts on your locations.
Access control systems are many and varied, and each have their own pros and cons. Simple ID card scanners might be cheap but are easily stolen or forged. Near-field communication (NFC) or radio-frequency identification (RFID) cards make forging harder but not impossible. Embedding NFCs in workers – something that is reportedly becoming a trend in Sweden and drew ire from workers unions in the UK – is also way to reduce the chance of card loss.
“RFID badges are easily cloneable,” warns Kennedy. “Instead, use magnetic strips where you actually have to swipe and maybe use a second form of authorisation like a pin number.”
Biometric security is also a common option to secure both facilities and devices. In theory our unique body identifiers – whether fingerprint, iris, face or even your pulse – are harder to steal or fake than any cards. A report from ABI Research predicts the use of biometrics will only increase in the future. Fingerprint remains the most common method, but ABI suggests it will be augmented with a growth in face, iris and pulse.
“I haven’t seen a whole lot of facial recognition in companies yet, but stay away from biometrics,” says Kennedy. “A lot of people want to move to that but there's a lot of issues.”
Fake fingers can overcome fingerprint readers, photos or masks can be enough to fool facial recognition, and German hacking group Chaos Computer Club found a way to beat iris recognition using only a photo and a contact lens.
Surveillance includes everything from guards on patrol, burglar alarms and CCTV to sound and movement sensors and keeping a log of who went where.
At more high-risk locations, companies can deploy far more sophisticated detectors such as proximity, infrared, image, optical, temperature, smoke and pressure sensors to maintain a holistic view of their facilities.
IoT and AI bring physical security into the digital world
Where typically physical security and digital security used to be entirely separate realms, they are slowly becoming more and more intertwined. Surveillance systems are increasingly connected to the internet, access control systems and monitoring systems are keeping digital logs, while use cases for AI in physical security are become more popular.
Read more on the next page...