Businesses today need to focus equally on physical, personnel and cyber security in order to mitigate risk in the face of growing criminal focus on enterprise data, says UK-based security expert Chris Phillips.
All businesses should take a holistic approach to security. They should have security strategies and policies in place that are impact-driven, threat-informed and vulnerability-focused, ensuring that all three disciplines of security, i.e. physical, personnel and information security, are given equal priority.
Phillips, founder and Managing Director of the International Protect and Prepare Security Office (IPPSO), says his work in security consulting and penetration testing indicates that most businesses are vulnerable in some areas.
“In physical penetration testing exercises, I am usually able to walk right into business premises without proper authorisation, and I frequently manage to get my hands on sensitive data,” he says. “People leave cheque books and spreadsheets on desks and in drawers. In one case, I was able to walk around a bank building taking photos of all their loan accounts, in front of people.”
Phillips notes that few companies pay equal attention to all three areas of security. “But if they focus on one area and neglect the others, their overall security is still compromised.”
He cites recent cases in the UK where banks had focused on their IT security, but these measures were bypassed when fraudsters walked into bank premises and attached keystroke loggers to the PCs in the branches.
A major security threat that enterprises tend to overlook, he says, is the insider threat. “People pose the biggest risk to enterprise security. Too often, risk assessments are not carried out on all staff. Enterprises may do background checks on new executives, but do they know the backgrounds of security and cleaning staff, who may be outsourced service providers and who can have free access throughout the premises?”
“You may find that new staff are given full access to enterprise data before in-depth background checks are carried out. In some cases, existing employees may be paid or threatened by crime syndicates to seek out certain data. Now, cybercrime is a fast-growing, lucrative and highly organised activity – enterprises cannot be too careful,” he says.
HR can play an important role in the overall enterprise security strategy, says Phillips. “HR needs to conduct thorough background checks on all employees, run risk assessments, and be alert to suspicious behaviour,” he says. This behaviour might include apparently innocuous activities, such as often working late.
In a new threat environment, management needs to play the biggest role in coordinating and monitoring a security strategy that encompasses physical, cyber and personnel security, Phillips says. “Now, security needs to be approached in a holistic manner and driven from board level, because the risks to business now extend beyond financial losses to reputational damage that could cripple a business.”