
Protect your assets

17 July 2019

The evolving methods of terrorists, organised crime and opportunistic hackers and intruders have led to leaps in technology, which perversely means some of the perimeter protection and security industry are now part of the problem, argues Richard Huison.

THE EMERGENCE of the vehicle as a weapon (VAW) as a deadly terrorist attack method has led high-security site operators to consider hostile vehicle mitigation measures to guard against vehicle-borne attacks.

The obvious preference is to send all traffic through a single funnel. But customer experience and staff ease may demand a multi-funnel solution with its consequent challenge of cost, staff and risk management.

Site operators are therefore looking to harden their perimeter security with automatic bollards, barriers or turnstiles, speed gates and automatic number plate recognition systems. This ensures that only authorised personnel are on site.

Cameras may also help at the perimeter, and I see increasing use of drone technology and sophisticated object-recognition motion-detection algorithms to identify suspicious behaviours and send alerts to security guards.

Sadly, VAW isn’t the only threat. As the Manchester Arena bombing at an Ariana Grande concert in May 2017 illustrated, events where thousands of fans gather, all with their smart phones, and lots of international media present represent a ‘terrorist playground’ where global publicity for their cause can be gained.

And the WannaCry ransomware attack two years ago affected 230,000 computers in over 150 countries in just one day, all of them exposed through a vulnerable SMB port.

Organisations from FedEx to the Université de Montréal, from Boeing to Honda, Russian Railways to Telefonica to the UK’s National Health Service were hit.

That’s why the word ‘cyber’ is on the lips of every client I see at the moment – and normally in fearful tones.

Data theft

No surprise when theft of data and disruption to business continuity is so threatening and can lead to irrecoverable damage to corporate reputations and massive drops in share value.

In April, the BBC reported research from the insurer Hiscox that 55% of large firms across seven of the largest economies had been subject to a cyber attack in 2019 compared with just 40% the year before. Another report suggests 81% of large firms are subject to at least one attack a year.

Yet most businesses admit they are poorly prepared and almost 75% of firms are ranked as ‘novices’ in terms of cyber readiness.

The threat is nothing new. Back in 2013 a directive from the NIS, focused on protecting critical infrastructure across Europe, said: “Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.”

With the average cost of a security breach to a large organisation ranging between £600,000 and £1.15m, it’s no wonder the cyber risk frightens CEOs so much.

The trouble is hackers can exploit the disparate systems on their networks, often through remote access granted by the organisations to third parties precisely to manage the risk.

Similarly, some manufacturers of security equipment, who are expected to provide the solution, may increasingly be part of the problem!

I’ve declared helping organisations to counter the cyber threat Gallagher Security’s number one priority as a long-term CPNI-approved supplier to the Home Office and critical national infrastructure clients such as the National Grid.

They should know what works: the cost of a power outage on the Grid is £1m per minute, so they have to be absolutely sure of their cyber resilience and that everything they plug on to their network is secure.

That’s a real challenge in an era where kettles and other household appliances are becoming increasingly Wi-Fi-connected, so a hacker switching them all on at the same time could bring down the Grid.

Cyber resilience

Look at the hullabaloo over the leak about the UK Government’s discussions into allowing Chinese giant Huawei involvement in 5G.

So, insist on compliance with the various global Government standards – such as the UK’s Cyber Assurance Products, the US’s FIPS and Australia’s Type 1A – where genuine cyber resilience will be found.

This way, as the threat landscape evolves, so will the encryption standards to resist concerted cyber attacks. It is essential also that you keep application software and your Windows environment bang up to date for the same reason.

In the UK, for instance, only a handful of the 40 or so manufacturers will offer this level of standards compliance and cyber resilience.

SMEs, where typically there is a lower level of cyber knowledge, expertise and resources, still require confidence in the resilience of what goes on their network and that it will still be cyber safe in the future so that their security investment is future-proofed.

Ensure that personal data fields reside on a secure and encrypted SQL database with a single random system-generated key code to ‘unlock’ the database, owned by the company and not any security consultants.

Minimise the data that you keep and constantly remove inactive cardholders to ensure a ‘Single Source of Truth’, integrated with the organisation’s HR system.

GDPR has been in force for a year now to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.

Non-compliant organisations face heavy fines, which could be as high as 4% of annual turnover.

To illustrate the ‘teeth’ of this, consider the fact that when the TalkTalk cyber breach occurred in October 2015, affecting nearly 157,000 customers, they were fined a record £400,000 by the Information Commissioner’s Office, just shy of the potential maximum £500,000 fine.

Under GDPR, if that attack happened again, they would face a potential penalty of up to £71m.

So, pre-register all visitors to your site, ensure they view and acknowledge your GDPR policy and give their consent for the data you collect, then automatically erase the visitor data once they have left.

Keep tight control of user privileges on your corporate network and enforce a robust password policy.

Protect against any tampering with access control card readers by ensuring all readers are fully monitored, with electronics potted and protected and full end-to-end encryption with 256-bit Elliptic-Curve Cryptography (ECC).

If unique keys are shared between controller and reader, then a substitute reader will not be recognised and simply will not function.
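The pairing described above, worked through as an added Go example that is not Gallagher's protocol or any product's code: a controller enrols one reader by pinning the reader's P-256 public key, both sides derive a shared link key with ECDH (Go's standard crypto/ecdh package, Go 1.20 or later), and every card event carries an HMAC under that key. A substitute reader that reports the same reader ID but holds its own key pair derives a different link key, so its events fail verification. The Reader, Controller, linkKey and eventMAC names and the card serial are constructed for the example; a real reader link would additionally encrypt the payload and bind a counter or nonce into each message so that a recorded genuine event cannot be replayed, which this example leaves out.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newKey generates a P-256 key pair; a crypto/rand failure is treated as fatal.
func newKey() *ecdh.PrivateKey {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return k
}

// Reader models a card reader holding its own long-term key pair (assumed design).
type Reader struct {
	ID   string
	priv *ecdh.PrivateKey
}

// Controller holds its own key pair plus the reader public key pinned per ID at enrolment.
type Controller struct {
	priv    *ecdh.PrivateKey
	readers map[string]*ecdh.PublicKey
}

// CardEvent is the authenticated message a reader sends up the line.
type CardEvent struct {
	ReaderID string
	Card     []byte
	MAC      []byte
}

func NewReader(id string) *Reader { return &Reader{ID: id, priv: newKey()} }

func NewController() *Controller {
	return &Controller{priv: newKey(), readers: map[string]*ecdh.PublicKey{}}
}

// Enrol pins the reader's public key: the one-time, trusted pairing step.
func (c *Controller) Enrol(r *Reader) { c.readers[r.ID] = r.priv.PublicKey() }

// linkKey turns the ECDH shared secret into the per-pair key (SHA-256 as a
// minimal KDF; a production link layer would use HKDF with context info).
func linkKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) ([]byte, error) {
	secret, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	k := sha256.Sum256(secret)
	return k[:], nil
}

// eventMAC binds reader ID and card data together under the link key.
func eventMAC(key []byte, ev CardEvent) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(ev.ReaderID))
	m.Write(ev.Card)
	return m.Sum(nil)
}

// Report builds an authenticated card event with the key shared with the controller.
func (r *Reader) Report(ctrlPub *ecdh.PublicKey, card []byte) (CardEvent, error) {
	key, err := linkKey(r.priv, ctrlPub)
	if err != nil { return CardEvent{}, err }
	ev := CardEvent{ReaderID: r.ID, Card: card}
	ev.MAC = eventMAC(key, ev)
	return ev, nil
}

// Verify recomputes the MAC under the key derived from the public key pinned
// for that reader ID; a sender holding any other key pair cannot produce it.
func (c *Controller) Verify(ev CardEvent) error {
	pub, ok := c.readers[ev.ReaderID]
	if !ok { return errors.New("reader not enrolled") }
	key, err := linkKey(c.priv, pub)
	if err != nil { return err }
	if !hmac.Equal(eventMAC(key, ev), ev.MAC) {
		return errors.New("MAC mismatch: sender does not hold the paired key")
	}
	return nil
}

// Demo pairs one reader, checks a genuine event, then checks an event from a
// substitute reader that reports the same ID but holds its own key pair.
func Demo() (genuineOK, substituteRejected bool) {
	ctrl := NewController()
	genuine := NewReader("door-01")
	ctrl.Enrol(genuine)
	card := []byte("card-serial-0001") // constructed sample card data
	ev, err := genuine.Report(ctrl.priv.PublicKey(), card)
	genuineOK = err == nil && ctrl.Verify(ev) == nil
	substitute := NewReader("door-01")
	ev2, err := substitute.Report(ctrl.priv.PublicKey(), card)
	substituteRejected = err != nil || ctrl.Verify(ev2) != nil
	return
}

func main() {
	g, s := Demo()
	fmt.Println("genuine accepted:", g, "substitute rejected:", s)
}
```

The point to notice is where the trust lives: the controller never asks the reader which key to use, it derives the link key from the public key it pinned at enrolment, so swapping hardware on the door without redoing the trusted pairing step leaves the controller unable to verify anything that unit sends.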

The most secure card technology to use is Mifare DESFire EV2. However, a better and more cyber-secure way may be to scrap card technology altogether and go for mobile credentials.

Access control

The smart phone with Bluetooth wireless technology is revolutionising access control and negating the need to issue cards.

No one leaves home without their smart phone these days. The same mobile device can be used across multiple sites, with fast, secure and simple remote provisioning of each device.

We have developed our mobile credentials system in conjunction with Nok Nok Labs, the same people behind Fast ID Online or the FIDO alliance, which is what’s used by the banks and systems like Apple Pay for payments, so it’s very secure.

We’re ensuring our access products support either PIN, fingerprint or iris biometric authentication, when this is offered by users’ phones. We’re even working with Fitbit to put it into their and other smart watches.

FIDO is an open standard alliance – with Microsoft, Google, PayPal, Samsung, Intel, Visa and the UK Cabinet Office among others as members – recognised globally as the future of logical and physical access authentication.

Access credentials are issued to mobile phones using the FIDO Universal Authentication Framework (UAF) protocol, which allows each user to select their preferred method of secondary authentication.

Unlike other methods, the FIDO UAF protocol does not require the authenticating system to store user biometric or PIN information, so this information never leaves a user’s personal device, either during enrolment or ongoing authentication.

So, secure two-step enrolment and scheduled two-factor authentication with the user’s finger or face ensure absolute security with no personally identifiable information left in the cloud.
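The enrolment and authentication flow in the three paragraphs above, worked through as an added Go example that is not FIDO Alliance, Nok Nok Labs or Gallagher code: the phone holds an Ed25519 private key and a local PIN hash standing in for the biometric template, and the server holds only the public key plus a one-time challenge while an authentication is in flight. Both enrolment and each authentication require a local unlock, so a wrong PIN means nothing is signed and no PIN or biometric data ever travels to the server; the server consumes each challenge so a captured signature cannot be presented again. The Server and Device types, the user name and the PIN are constructed for the example; UAF's authenticator attestation, application-ID binding and wire formats are not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Server is the relying party. Its record per user is a public key and, while an
// authentication is in flight, a one-time challenge. No PIN or biometric is held.
type Server struct {
	creds      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{creds: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Device models the user's phone (assumed design): the private key and the local
// verification secret (a PIN hash standing in for a biometric template) never leave it.
type Device struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// NewDevice creates the key pair and stores the PIN hash; a crypto/rand failure is fatal.
func NewDevice(pin string) *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}
}

// unlock is on-device user verification; its only output is a yes/no gate on the key.
func (d *Device) unlock(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	return subtle.ConstantTimeCompare(h[:], d.pinHash[:]) == 1
}

// Register releases the public key for enrolment once the user has unlocked
// (UAF also sends an authenticator attestation, omitted here).
func (d *Device) Register(pin string) (ed25519.PublicKey, error) {
	if !d.unlock(pin) { return nil, errors.New("local user verification failed") }
	return d.priv.Public().(ed25519.PublicKey), nil
}

// Sign answers a server challenge, again only after local unlock.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if !d.unlock(pin) { return nil, errors.New("local user verification failed") }
	return ed25519.Sign(d.priv, challenge), nil
}

// Enrol stores the public key: all the server ever learns about the authenticator.
func (s *Server) Enrol(user string, pub ed25519.PublicKey) { s.creds[user] = pub }

// Challenge issues a fresh 32-byte random nonce for one authentication attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.creds[user]; !ok { return nil, errors.New("unknown user") }
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	s.challenges[user] = c
	return c, nil
}

// Authenticate checks the signature against the stored public key and consumes
// the challenge, so a captured signature cannot be presented twice.
func (s *Server) Authenticate(user string, sig []byte) bool {
	pub, ok := s.creds[user]
	c, pending := s.challenges[user]
	if !ok || !pending { return false }
	delete(s.challenges, user)
	return ed25519.Verify(pub, c, sig)
}

// Demo enrols one device, then tries a correct PIN, a wrong PIN, and a replay
// of the first signature against a fresh challenge.
func Demo() (authOK, wrongPINRejected, replayRejected bool, err error) {
	srv, dev := NewServer(), NewDevice("2468") // constructed sample PIN
	pub, err := dev.Register("2468")
	if err != nil { return }
	srv.Enrol("alice", pub)
	c1, err := srv.Challenge("alice")
	if err != nil { return }
	sig1, err := dev.Sign("2468", c1)
	if err != nil { return }
	authOK = srv.Authenticate("alice", sig1)
	c2, err := srv.Challenge("alice")
	if err != nil { return }
	_, signErr := dev.Sign("0000", c2) // wrong PIN: the key stays locked, nothing is signed
	wrongPINRejected = signErr != nil
	replayRejected = !srv.Authenticate("alice", sig1) // old signature against the new challenge
	return
}

func main() {
	a, w, r, err := Demo()
	fmt.Println("auth:", a, "wrong PIN rejected:", w, "replay rejected:", r, "err:", err)
}
```

The property the article is relying on is visible in the Server struct: a breach of the server's credential store yields public keys and spent challenges, nothing that can be used to impersonate a user or that counts as biometric personal data under GDPR.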

This is security by default and what I like to call ‘baked-in’ security, which is how we like to work at Gallagher.

We reinvest 15 to 20% of revenue into research and development, which represents almost one tenth of our workforce globally, and we are committed to two major software releases a year.

Richard Huison is regional manager of Gallagher Security (Europe). For more information, visit www.security.gallagher.com
