Get physical to get cyber protected
Have you considered physical, technical, and manned security in relation to cyber security? For most local authorities and public bodies, the answer is likely to be no.
The physical element of protecting data has recently been recognised by the UK Government with the launch of a consultation on proposed regulations relating to the security of data centres. While local authorities and public bodies might not be classed as data centres themselves, they may use one, and this proposed regulation highlights the increasingly recognised need to protect data against disruption not only from cyber attacks but also from physical threats.
Physical security (i.e. fences, gates, barriers, doors, locks and windows), technical security (i.e. CCTV and access control) and manned security (i.e. security personnel) are not routinely thought of as relating to cyber security, but they should all be integrated under one umbrella alongside data and cyber security and overseen by someone such as the Chief Executive.
At the Subrosa Group, one of the services we offer is to advise on and assess integrated security solutions, which means looking at data and cyber security in conjunction with technical, physical, and manned security. Protecting data starts right at the roadside with perimeters and access control. You need all of these elements for a holistic approach, which we call defence in depth. The more barriers you have in place before someone can reach a critical asset, such as a server, the better.
If you have strong cyber security but your technical, physical, and manned security is weak, then someone could walk in, put a USB stick into a computer and get the same rewards as if they had hacked you. A devastating attack on energy company Aramco, which is believed to have partially wiped or destroyed 35,000 computers, has been reported as being caused by an infected USB stick. While USB sticks are less widely used now, it is still important to consider who has access to what. These days bring your own device is more of a concern, making it important to know who is accessing your networks and to ensure you provide separate guest logins and a segregated network for employees’ personal devices.
It is also important for all staff to be trained in cyber security, including security personnel. The person on the gate might be emailed a list of who is attending the site that day. If someone knows that this happens every day and wants to deliver targeted malware, they could send the gate controller an email that looks like the daily list of visitors. An untrained staff member is more likely to open a suspicious email than one who is aware of the risks and can spot the signs.
Let me finish with this thought: when did your organisation last have an independent audit carried out on its integrated security solutions, if ever? The Cyber Centre of Excellence can put you in touch with us at the Subrosa Group. We start with a risk assessment, carry out a full security audit, write a report and provide a to-do list to help bring you up to the right standard. Ultimately, integrating physical, technical, and manned security with data and cyber security is the most cost-effective solution and provides the best protection.
Niall Burns is the Chief Executive Officer at Subrosa Group, a specialist risk mitigation, business intelligence and loss prevention company. He also sits on the Advisory Board of the Cyber Centre of Excellence (CCoE), an organisation set up to act as a one-stop-shop to assist local government members through their cyber security journey.
For more information, please contact the CCoE at enquiries@ccoe.org.uk.