Why physical security and cybersecurity should go hand-in-hand

When thinking of a building a robust cybersecurity strategy, stringent technical controls may naturally be the first thing to spring to mind for security teams. While these are of course vital to a strong defence, organisations must consider how they are using a combination of people, process and controls.

Physical security and cybersecurity are closely intertwined and the lines between the two are becoming more blurred. In the absence of basic physical controls, cybercriminals may find an opportunity to more easily gain access to critical organisational data.

For instance, if an employee takes their company laptop to a cafe and connects to an insecure public WiFi network, there may be an opportunistic cybecrimal who has in fact set up this network in order to steal passwords, snoop for confidential company data or infect the device with malware – all actions which could in turn lead to catastrophic data loss for the organisation in question.

Similarly, a disgruntled and recently terminated employee could easily take sensitive information from a colleague’s desk when leaving the company if the person doesn’t maintain clean desk habits and keep their screen locked when away from a work station.

Many organisations find it hard to believe but adopting basic physical security best practices can reinforce existing cybersecurity measures. This is critical as cyberthreats are rapidly growing in scale and complexity. According to recent Proofpoint research, 47 per cent of Emirati security leaders reported having to deal with a material loss of sensitive data in the past 12 months and 75 per cent of feel at risk of experiencing a material cyberattack in the next 12 months.

So how can organisations shore up their cyber defences with the help of physical security protocols?

Risky employee actions in the UAE

One of the simplest and most effective ways to avoid falling prey to some of the above breaches is to encourage employees to cultivate basic physical security measures to safeguard information. This could be locking up items that aren’t in use, even for just a few minutes, to prevent unauthorised access. Or even to exercise more caution on the office premises – for example, not allowing unauthorised individuals access to the building. They may be posing as a freelancer, contractor or supplier, but could be a criminal looking to siphon organisational data if granted access.

Unfortunately, many employees in the Middle East are demonstrating risky behaviours that could lead to a successful cyberattack. For example, more than half (51 per cent) of employees in the UAE admit to connecting to home or public wi-fi networks, without knowing if they are secure. In addition, 17 per cent admit to sharing their corporate devices with family and friends.

The issue of device sharing brings us into the relatively novel, but very much existing challenge of bring your own device (BYOD). Proofpoint research shows that as many as 91 per cent of UAE employees admit to using their own devices for work-related purposes. Many organisations use a BYOD policy to enable staff to use their personal laptops and smartphones for work.

However, the use of personal devices could challenge an organisation’s ability to secure the network environment. Therefore, a BYOD policy must be fully defined to protect corporate data from theft.

This means that all BYOD policies should be transparent so that users can fully understand what must be installed and configured to bring their devices to work. This includes remotely connecting to the network from their devices. Users must also be allowed to connect to network resources only if they have a minimum supported operating system and use only a designated list of device manufacturers. This requirement prevents attacks from hidden malware and outdated operating systems.

Educating employees

Educating employees about physical security may seem like a daunting exercise for organisations however the good news is that the topic of physical security can be easily integrated into a company’s larger security awareness training program. Unfortunately, only 64 per cent of organisations in the UAE with a security awareness program train their entire workforce, and only 40 per cent conduct phishing simulations – both critical components to building an effective security awareness programme.

Employees must be made to understand the critical role they play in maintaining a safe and secure work environment. Most employees suffer security awareness gaps and even basic cyberthreats are still not well understood. Proofpoint’s research showed that more than a third of survey respondents could not define relatively universal terms such as ‘malware,’ ‘phishing’ and ‘ransomware.’

Regular training and education on the key components of physical security and best practices to keep assets secure is essential to bridge this gap. Companies can also use reinforcement tools like posters, articles, videos and other security awareness materials to ensure that physical security is top-of-mind for end users.

Equally, organisational leadership must stop viewing cybersecurity as an IT problem. Physical security and cybersecurity must be seen as dependent on one another and vital to build a holistic cyber defence strategy.

Elias Samarani is the systems engineering manager – Middle East at Proofpoint

Also read: Insights: Exploring career paths in the evolving physical security industry