The Key to Cyber Prevention

Look around at the headlines across various major media outlets today and you’ll notice a trend: digital hacks and cyber threats abound.

Whether it’s email hacking, WikiLeaks, the United States Presidential Election, or celebrity-targeted social media intrusion, digital fortresses are being pierced as cybercrime spans across economics, domestic politics, and even foreign relations. What seemingly started with the Sony hacks of 2014 has turned into a worldwide epidemic, throwing spheres of influence and balances of power out of whack.

When coming across these various headlines, it’s our job at Marina Security Services to wonder, “why hasn’t security kept pace with the speed at which cyber attacks occur?” Put another way, “what will it take to stop these hackers before they even begin?”

Answering these questions isn’t easy: these are questions that have plagued businesses and governments since security systems and related peripheral devices originally made the jump to IP.

However, the solution may lie in an area where you’d least expect it: your access control. From a strategic standpoint, companies must unify their physical and cybersecurity strategies so that access control is aligned as a rules-based extension of identity management.

Overlooked Aspects of Cybersecurity

Physical attacks on IT infrastructures have been identified as one of the most overlooked aspects of IT security.

In fact, a report published by the Government Accountability Office (GAO) in December 2014 found that the Interagency Security Committee, the entity responsible for developing the standards for federal facilities security, had not properly addressed or identified the risk of cyber threats to building and access control systems as part of its Design Basis Threat report.

This is a chilling admission. Perhaps even more chilling, many cyber attacks are facilitated by insider physical intrusion, where individuals in the organization with authorized physical access to secure assets carry out the attacks unnoticed.

Upon closer look, many of these instances and situations are the result of individuals being inappropriately provisioned access to resources that are not commensurate with their job titles.

Risk Mitigation and Beyond

While public and governmental offices must currently adhere to security standards enforced by Sarbanes-Oxley and FISCAM, what we propose takes it a step further. Instead of limiting, say, an individual’s access to a certain password or account information, companies must similarly consider reinforcing the physical security around their offices and data centers using a rules-based framework.

Tactically, the objective should be to prevent penetration and provide authorized access through layers of security levels throughout your security infrastructure.

This will require a mapping exercise, where certain roles, job titles, and associated privileges are mapped to the associated physical assets and locations around your office, data center, or company headquarters that are most appropriate and applicable to these job titles. With this information stored in your identity management systems, proximity or magnetic access cards can be programmed to automatically prevent access to high-risk areas, such as servers hosting financial data and databases storing sensitive account information.

Commitment at All Levels

While this is just one way to begin, oftentimes simply beginning generates enough energy to build top-down company motivation and commitment to better security standards. For these programs to work successfully, they must command the authority and priority of your company’s executives while also commanding the same priority and investment from mid-management.

This isn’t an overnight solution: it’s one that works incrementally and yields compounding results. In fact, the results of fraud prevention are often invisible, and the impact marginal. However, the negative effects on the other side are disproportionate: loss of confidential company data, plummeting returns on shares, and damaged stakeholder and community trust. The choice is yours.