What’s the best cyber defense? Physical and logical security

MacDonnell Ulsch, CEO and Chief Analyst, ZeroPoint Risk Research LLC
Danny Miller, Principal and National Practice Leader, Grant Thornton LLP Cybersecurity and Privacy Practice

Whether it’s legislated or mandated, managing cyber risk is one of the most important initiatives companies will undertake. And one of the most common mistakes they can make is failing to integrate physical security and logical security to create a secure culture.

Ask any IT professional to define security, and he or she will probably answer with references to safety nets like firewalls, passwords, antimalware and encryption. Ask the same question of a security guard at a building’s front entrance, and you’ll hear about gates with retractable wings, locks and passes. An executive will answer the same question yet another way, with a view of the company’s culture and industry, while the average employee’s answer is apt to be framed through a more individual lens. But the answer should be the same from everyone.

It’s no wonder that information breaches continue to escalate, both in frequency and in severity. As the decades march on and companies amass more digital complexity, with growing data stores fed by our personal data consumption, social media exposure and mobile devices, the risks are expanding and intensifying. Link the word “cyber” to crime, strike, attack, disruption, fraud, theft and disinformation, and your understanding — or fear — of exposure grows exponentially.

For many companies, security isn’t holding up to incessant attack. Personal information is targeted, as are intellectual property and trade secrets. Cyber attacks are launched from a long list of nation-states, organized crime networks and other loosely coordinated organizations with a long list of motives — not to mention the talented and often very young attention-seekers.
Some estimates place the loss of intellectual property and trade secrets at billions per year globally.

When security fails

Consider the global company that has physical security reporting into facilities or into corporate real estate. Physical security gets outsourced to a third-party company. Physical security stops at the front door and that small zone separating employees from visitors.

Then there’s logical security. The focus here is most often on creating a hard electronic perimeter. This approach is often reflected in IT security budgets, where a disproportionate level of investment can be made in reinforcing that perimeter.

Unfortunately, smart adversaries assess company vulnerabilities and exploit them by playing physical and logical security against each other. Here’s how: If the electronic perimeter is hardened, don’t try to break it. There are easier ways to get inside. When physical security and logical security lack tight integration, it is easier to breach both and gain access to the very information both groups believe they are adequately protecting.

When the electronic perimeter is hard, the adversaries will try to slip through the physical perimeter. Using social engineering techniques, the physical perimeter can be breached by simple manipulation. Sometimes that means getting an employee to hold open an otherwise secured door. Once inside the perimeter, the real work of the intruder begins: the hunt for personal information or intellectual property and trade secrets.

A key vulnerability in many companies is the help desk. Trained to be cooperative, these workers are selected because they are often polite and incented to help their co-workers. What they are usually not is security savvy or aware of those who may be seeking unauthorized access to company systems. One dangerous assumption is that anyone calling the help desk from inside the company is authorized.
The same intruder who socially engineered himself or herself into the building will often gain access to the company’s information system by contacting the help desk. Sitting at an employee’s desk, the social engineer often has numerous indicators of identity within reach: business cards, an employee contact list, paper files and even mobile devices that offer the keys to identity. Then the intruder simply calls the help desk, complaining that the system is locked, saying he or she has an imminent conference call and a client is awaiting the delivery of a webinar. These messages distract the help desk from identity confirmation and create a rush to connect the social engineer to the system. The basic, and erroneous, assumption is to trust anyone inside.

When physical and logical security are out of sync, you are vulnerable. Once you realize it, though, it’s too late. The damage is done and the fallout assured.

Unfortunately, it gets worse. While the problem exists within so many companies, it also penetrates the extended enterprise in both outsourcing and offshoring. In fact, the greater likelihood is that a third party will be instrumental in a breach. These outsourcing and offshore partners often lack the rigorous integrated security and control framework applied by the principal party. Many companies fail to hold third parties accountable for integrating physical and logical security.

What you can do

A few best practices will start you down the road to building a secure culture:

• Integrate your physical and logical security builds, giving equal status to both. They have equal bearing on risk.
• Building a culture takes time and money. It doesn’t happen overnight, and it isn’t free. Remember, the cost of building an integrated culture of security is less than the cost of risk impact.
• Decide what needs to be protected on the basis of its value and any regulatory requirements.
  Create a classification management system based on value. Not every piece of information must be protected.
• Place the management of physical and logical security into one organization. If this can’t be done, make certain that the heads of these groups meet frequently and resolve outstanding issues that interfere with information integrity.
• Cross-train each group so that every member of the security team understands the roles and responsibilities of their own and the other group.
• Hold third parties accountable. Make sure physical and logical security integration is the hallmark of managing the risks in your business associate contracts.¹
• Create a strong sense of security awareness throughout your enterprise. Make sure that hot spots such as your help desk are trained in the virtues of “Trust but verify.”
• If appropriate, create secure zones in the environment.

Just as no one serum alone will defeat the wide range of threats to human health, no singular silver bullet for information defense exists. Managing cyber risk in a hostile world requires a diversified approach. Awareness, from the board of directors to entry-level employees, is critical.

Measuring your organization’s level of integration between physical and logical security is one of the most effective barometers of risk identification and mitigation of any enterprise in any region of the world. Once you know that metric, you can build your plan for improving it.

¹ The concept of Risk-Reinforced Service Level Agreements™, created by ZeroPoint Risk Research LLC, in managing third-party risk is based on the foundation of physical and logical security integration. The Risk-Reinforced Service Level Agreement includes a detailed risk assessment based on security, privacy, threat/risk analysis, compliance, enforcement, audit and foreign corrupt practices management.
For more information, contact:

Danny Miller
Principal and National Cybersecurity & Privacy Practice Leader
Grant Thornton LLP
T 215.376.6010
E danny.miller@us.gt.com

MacDonnell Ulsch
CEO and Chief Analyst
ZeroPoint Risk Research LLC
T 617.517.0063
E don.ulsch@ZeroPointRisk.com

About ZeroPoint Risk Research LLC

ZeroPoint Risk Research LLC conducts pre-breach operational risk analyses, and investigates breaches of intellectual property, trade secrets, regulated data and compromised corporate brands targeted by organized crime, nation-state espionage, enterprise insiders and cyber hackers.

About Grant Thornton LLP

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.

© Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd