Blending Cyber & Physical Security


More cyber-attacks on public and private organizations occurred last year than in any previous year, and we can only expect these attacks and their impact to keep growing as our world becomes more dependent on the internet and cloud-based services. This is not a revelation for anyone paying attention. From the insider threat to supply chain security, our common threat vectors now have both electronic and physical footprints more than ever before. With the rising sophistication of attacks and the amplified vulnerabilities of our increasingly ‘connected’ world, are we capitalizing on the resources and preventative measures of both cyber and physical security programs to mitigate risk effectively?


The industry is heavily focused on and invested in the massive growth in cyber and its evolving landscape, and rightly so. While private enterprises have been targeted for many years, we have seen a growing emphasis on the pointed disruption of physical civilian critical infrastructure such as the energy grid and even our systems of government. With more state-sponsored actors at play, cyber is not just a means to individual monetary gain but also a threat to our national security. As organizational stakeholders grapple with implementing changes to the NISPOM, both IT and physical security must be mindful of NIST’s Risk Management Framework (RMF) process.


As the Internet of Things (IoT) evolves at lightning speed, enabling employees to do more with technology and with non-traditional networked or Wi-Fi enabled equipment (e.g., HVAC), wider collaboration on risk mitigation strategies is required for enhanced protection. The volume of new IoT solutions entering your workplace (regardless of IT security policy) is increasing daily, while the cost of the devices and apps so wildly popular amongst employees keeps falling, often with little or no security enabled. Hackers typically look to exploit the weakest link (i.e., employees, contractors, hardware and systems) to gain entry.


On the surface it may seem appropriate to segregate these departments given their mission focus and skill sets. However, close collaboration between the two departments in addressing security-related anomalies can bring multiple benefits and work as a force multiplier. In the event of an IT policy incident that requires investigation, wouldn’t it be relevant for a cyber-security representative to inform the physical security lead and collaborate to determine the full scope of questionable activities? Here are just a few scenarios:


  • An IT policy incident requires investigation. A cyber-security representative informs the physical security lead, and the two collaborate to determine the full scope of questionable activities; both logical and physical access are reviewed.
  • Anomalies in access control indicate that an employee recently entered a controlled space when no scheduled activity was due to take place. Upon notification by physical security, cyber professionals are able to prevent the potential destruction or loss of terabytes of core data.
  • An employee has multiple negative interactions with physical security. Physical security then teams with the cyber group to determine possible actions. A brief inquiry into the employee’s electronic communications finds that he/she is harboring violent intentions; access to sensitive physical areas and information is suspended, physical security is alerted, and other emergency response team members engage.
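The second scenario, the access-control anomaly that physical security hands to the cyber team, comes down to correlating two event streams. Below is an added illustration of that correlation, not code from the original article: it flags badge entries into a controlled space outside any scheduled window, and console logins from a host in that space with no matching badge entry by the same user shortly beforehand. All events, room and host names, and the two-hour grace period are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: badge-reader entries for one controlled space.
BADGE_EVENTS = [
    {"ts": "2024-03-04T09:15:00", "user": "alice", "door": "server-room-1", "event": "entry"},
    {"ts": "2024-03-04T22:40:00", "user": "bob",   "door": "server-room-1", "event": "entry"},
    {"ts": "2024-03-05T03:10:00", "user": "alice", "door": "server-room-1", "event": "entry"},
]
# Constructed maintenance window during which entry is scheduled for that space.
SCHEDULED_WINDOWS = {
    "server-room-1": [("2024-03-04T08:00:00", "2024-03-04T18:00:00")],
}
# Constructed logical-access events from a console physically located in the space.
LOGIN_EVENTS = [
    {"ts": "2024-03-04T09:20:00", "user": "alice", "host": "srv-console-1"},
    {"ts": "2024-03-05T03:12:00", "user": "carol", "host": "srv-console-1"},
]
HOST_LOCATION = {"srv-console-1": "server-room-1"}  # assumed host-to-room mapping


def _t(s):
    return datetime.fromisoformat(s)


def unscheduled_entries(badge_events, windows):
    """Badge entries into a controlled space outside every scheduled window."""
    flagged = []
    for e in badge_events:
        if e["event"] != "entry":
            continue
        ts = _t(e["ts"])
        if not any(_t(a) <= ts <= _t(b) for a, b in windows.get(e["door"], [])):
            flagged.append((e["user"], e["door"], e["ts"]))
    return flagged


def logins_without_badge(login_events, badge_events, host_location, grace=timedelta(hours=2)):
    """Logins on a host inside a controlled space with no badge entry by that user
    into the same space during the preceding grace period (possible tailgating or
    shared credentials; a lead for physical security to check)."""
    flagged = []
    for l in login_events:
        room = host_location.get(l["host"])
        if room is None:
            continue
        lt = _t(l["ts"])
        badged = any(e["user"] == l["user"] and e["door"] == room and e["event"] == "entry"
                     and lt - grace <= _t(e["ts"]) <= lt for e in badge_events)
        if not badged:
            flagged.append((l["user"], l["host"], l["ts"]))
    return flagged
```

Either list is a prompt for a joint review rather than a verdict: an unscheduled entry may be legitimate, and a login with no badge record may be a reader outage, but both are exactly the cross-department signals the scenarios above describe.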


The reality is that many corporations have entirely disparate organizational structures for their cyber and physical security operations. With so much at risk from external and internal threats, given the combined logical and physical access employees are granted today, it is really a no-brainer to work the two sides together more closely. Facility operations in manufacturing environments, for example, may not be fully understood by corporate cyber team employees, but the physical security department should have in-depth knowledge of those day-to-day operations and of the access employees, contractors and suppliers have to sensitive areas and assets. Safeguarding all access types and implementing mutual controls (physical and cyber) for restricted assets is essential to effectively tackle today’s risks.


A cyber insurance policy is a great step in the right direction toward protecting information systems and data. Currently, however, only 25% of U.S. companies have purchased policies, and weighing the financial impact of an attack against premium costs is difficult to quantify. DHS SAFETY Act coverage is another way in which companies can enhance their cyber protection while also lowering insurance costs and mitigating liability risks. SCIS is a SAFETY Act Certified company. Learn more about what that means for our customers.