A proactive approach to cyber and physical security

Protecting physical security technology against cyber vulnerabilities requires a top-down approach.

NicoElNino / iStock / Getty Images Plus via Getty Images

In a recent survey conducted by Genetec, 36% of respondents globally said they were looking to invest in cybersecurity-related tools to improve their physical security environment in the next 12 months. In the physical security industry, where cybersecurity has not always been top of mind, the survey results demonstrate that respondents are starting to recognize the reality of cyber threats to physical security systems.

The usage of Internet of Things (IoT) devices has benefited organizations’ ability to improve security and monitor activities in large, distributed spaces. However, with the benefits of connectivity, accessibility, mobility and data sharing come the aforementioned cybersecurity risks. Devices such as video surveillance cameras, access control readers and alarm panels can provide an entry point to networks of large and small enterprises via their physical security systems.

Securing these devices is paramount, and new strategies for managing access to physical security devices are critical.

WHAT CAN COMPANIES DO TO MITIGATE CYBERSECURITY THREATS TO THEIR PHYSICAL SECURITY TECHNOLOGY?

Being proactive is the first line of defense. The first consideration for security leaders is looking at the physical security providers an organization uses to determine their level of cybersecurity.

There are several questions security leaders can use to help further identify whether or not service and product providers are taking necessary cybersecurity precautions. For example, are they certified by a third party? Are they SOC2 compliant? Are they ISO 27001 certified? Are they using IT security best practices?

Consider selecting a physical security provider who makes cybersecurity a priority as a top-down approach in all that they do. This will include dedicated cybersecurity teams or departments and partnerships with vendors who share the same level of commitment toward cybersecurity.

Certain cybersecurity measures are hard to implement at scale, for example, such as updating firmware or changing passwords. A company that is committed to cybersecurity can help an organization develop the right cybersecurity posture to scale.

Security leaders should vet their suppliers and partners of IoT devices to ensure they have the maturity and longevity to meet the organization’s cybersecurity needs both now and as the organization grows.

Although a physical security system could be threatened, there are many ways to further mitigate the risk of malicious attacks. Deciding on technologies and solutions requires companies to determine whether the solution is designed with security in mind and has built-in cybersecurity measures. When a product is designed, built, coded and tested with security by default, features such as authentication, authorization, encryption and privacy are built into the system. These measures also ensure only those with set privileges can access specified assets, data and applications.

Some security-by-design considerations include:

Authentication: The process of user authentication is the first level of identity management. This prevents data from getting into the wrong hands. Multi-factor authentication (MFA) validates the identity of the user so only approved users are able to access information.
Authorization: Authorization helps define the access rights of a person or entity. An organization’s administrator can define the rights of different individuals and configure more or less restrictive access privileges depending on their roles and the level of access they are trying to achieve.
Encryption: Encryption protects the confidentiality of a company’s data both in transit and when stored. When data is encrypted, it is rendered unusable unless accessed by authorized users. Encryption can’t be effective without authentication and therefore ensures organizations are sharing data with authorized users.
Privacy by Design: There doesn’t have to be a trade-off when it comes to maximizing privacy and security. Security solutions that offer privacy protection by design allow companies to have more control over their data to meet regulations and securely store that data. A physical security provider can help customers define who has access rights to sensitive video footage without hampering the details required to complete their investigations.

Another consideration that security leaders can take to minimize potential cyber vulnerabilities related to their physical security technology is by considering a hybrid or cloud approach.

Moving physical security to the cloud or using a hybrid approach can potentially further mitigate cybersecurity risks, as a number of modern cloud systems include layers of security designed not only to protect against malicious actors, but also human error. With less hardware and servers to maintain or install, there is less exposure to cybersecurity attacks.

Moving to the cloud can also help security leaders and their organizations share cybersecurity responsibility with the cloud provider. The providers who take advanced cybersecurity precautions often offer the possibility to streamline maintenance and updates — which is crucial to ensuring secure systems.

By using a hybrid or cloud solution, organizations can have access to the latest built-in cybersecurity features and updates, including privacy controls, strong user authentication and various system health monitoring tools. Frequent and automatic updates can help those physical security systems remain protected against security vulnerabilities and stay actively monitored to detect and defend against cyberattacks.

Mathieu Chevalier joined Genetec in 2010 as a software developer, and now plays a vital role in developing both internal and external cybersecurity protocols and strategies to assure the Genetec portfolio is “hardened” against cyber-attacks. Chevalier works closely with all Genetec product development teams to assure the latest cybersecurity measures are in place to protect the company’s software architecture, solutions, and features. Chevalier holds a Bachelor of Computer Engineering degree from the University of Sherbrooke, Québec.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.