Industrial security - June 2019
13 June 2019
A stark reminder from Mike Hurst that, while all eyes seem to be on cyber security, physical security threats are still a very real danger.
FOR THOSE of you of a certain age, when I say “Let’s get Physical” you may be taken back to the video of the 1981 classic by Olivia Newton-John which, while it may have a certain appeal, unsurprisingly has very little relevance to the security world. This article is less a tribute to Ms John and more a warning not to ignore the fact that physical security threats, despite the growing awareness of cyber security, still exist.
With the very many attacks, hacks, data losses, phishing emails et cetera we have seen in recent years, cyber security has, quite naturally, come to the fore and, perhaps because it is still emerging and developing and most people have little understanding of it, has acquired a certain mystique that the ‘gates, guards and guns’ part of the industry lacks. Whilst sometimes the perpetrators of these attacks will be solitary loners operating from their bedrooms, many/most are the work of serious organised crime gangs and hostile nation states.
This is not to say that we, as security professionals, should switch away from these threats, but in today’s VUCA (Vulnerable, Uncertain, Complex and Ambiguous) climate the threats to our businesses and institutions are not always simple and linear.
If you lead a corporate security team today, the range of areas that you may be dealing with, or at least be involved with, is disparate and wide-ranging: electronic security (CCTV, access control etc); insider threat; compliance; travel security; lone workers; duty of care; reputational risk; health and safety; fire risks; intellectual property; supply chain; information security and many others. Additionally, the attacks are often blended together. Someone tailgating through a physical access control barrier could gain entry to an office where they may find a terminal which is still logged in or where a staff member has their username and password on a post-it note on their desk. The theft of an unencrypted laptop or smartphone can grant access to a system. Breaking into a system could allow physical access into a premises. Failure to spot a change in a colleague’s behaviour may lead to a disaffected employee taking action that could adversely affect the business. I’m sure that you can think of many other examples.
ASIS International is very much focussed on Enterprise Security Risk Management (ESRM) which is a security program management approach that links security activities to an enterprise's mission and business goals through risk management methods. Whilst this holistic approach is vital to the enhancement of the role of the security professional and the security profession, the solution to many threats involves a converged use of cyber, physical and systems.
In fact, as part of its ongoing efforts to identify and document changing practices in the security field, the ASIS Foundation has launched a major study into the ways organizations are converging their physical security, cybersecurity, and business continuity functions.
With the study set for release at Global Security Exchange (GSX) in Chicago this 8-12 September, the Foundation has distributed a survey to senior security professionals at organizations in the United States, Europe and India. The survey seeks to determine:
To what extent have companies converged departments or functions?
What have been the benefits and drawbacks of various structures (convergence, partial convergence, distinct units)?
What lessons can be learned from these companies’ experiences?
Are there differences in convergence based on geographic region, size, industry, or type of organisation (e.g. public, private, non-profit)?
The study will provide valuable benchmarking information and sound practices that organisations can use in critical policy decision making.
I look forward to reporting the results of this survey but, until then, my strong suggestion would be to look at risks with an open mind and, whilst staying aware of emerging threats, don’t exclude the more traditional dangers.
Mike Hurst CPP is vice chairman of the ASIS UK Chapter and a member of its European Advisory and Leadership and Management Practices Council. For more information, visit www.asis.org.uk