How integrating physical and information security mitigates risks

The night watchman and the IT security guy rarely work together even though their jobs, at the core, are similar: to protect the company. At many organizations, physical and information security remain separate entities by happenstance and by history. By integrating the two, however, companies can better protect the assets, employees and valuable data that keep the business going.

The integration is a first step towards assessing the overall corporate risks that threaten a company. Yet enacting a plan that conceives of security as a cohesive whole means overcoming entrenched resistance to integrating physical and information security, says Jonathan Ross, president and CEO of Austin Recovery, a drug and alcohol treatment center that recently finished such an integration.

Austin Recovery rolled out RedCloud's physical access control systems to secure the campus buildings and doors, linking the technology with its internal human resources directories. Austin Recovery employees with the proper authorization can control the RedCloud system through a secure Web interface.

The security lessons Austin Recovery learned during the integration can show corporate enterprises better ways to lock down information and protect employees and customers.

Realize You Need Help

Rehabilitation centers, like other health care organizations, must comply with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations intended to protect personal and medical information, and Austin Recovery works hard at this. Yet the general atmosphere there sometimes collides with the sense among security professionals that data, systems and the physical facility can be better battened down, Ross says. "The helping professions are a challenge. There's a sense things should be open."

As we should know by now, many industries allow too much openness, or at least a habit of leaving holes unplugged. Companies in retail, financial services, oil and gas, hospitality, food service, manufacturing and elsewhere suffered a combined 855 data breaches in 2011, according to Verizon, which works with enforcement agencies in four countries to produce an annual report on breaches.

About 10 percent of these data incidents also involved a physical breach, such as getting physical access to a device or system holding sensitive information, or swapping legitimate access codes for fake ones to gain entrance to an office or machine.

Keeping physical and information security separate, as so many companies do, can create gaps between the two entities that let intrusions go unnoticed, says Michael Assante, president and CEO of the National Board of Information Security Examiners, a research organization that focuses on professional development of security specialists. The separation can also lead to ineffective response once an incident is discovered, he says.

Assante was previously chief security officer at the North American Electric Reliability Corp., which monitors the performance of the electrical grid. He oversaw implementation of security standards across the electricity grid. Security teams that combine physical and information staff can apply a variety of investigative techniques to find problems sooner, he says. "It is critical that we consider how best to remove the vulnerabilities that are presented by silos."
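One concrete way a combined team can close the gap Assante describes is to correlate the badge-reader log, the workstation login log and the HR directory, so that a terminated employee whose badge still works, or a console login with no matching badge-in, surfaces as a finding. The code below is an added illustration, not RedCloud's, Austin Recovery's or any vendor's software; the record layouts and sample events are constructed for the example.

```python
# Constructed sample data. Field layouts are assumptions for this example,
# not the format of any real access-control or directory product.
HR_DIRECTORY = {
    "alice": {"status": "active"},
    "bob": {"status": "active"},
    "carol": {"status": "terminated"},  # left the organisation, badge never revoked
}

BADGE_LOG = [  # (timestamp, user, door, result)
    ("2012-03-05T08:02:00", "alice", "front-door", "granted"),
    ("2012-03-05T08:40:00", "carol", "front-door", "granted"),
]

LOGIN_LOG = [  # (timestamp, user, host, login type)
    ("2012-03-05T08:05:00", "alice", "ws-12", "console"),
    ("2012-03-05T09:10:00", "bob", "ws-07", "console"),  # no badge-in that day
    ("2012-03-05T11:00:00", "alice", "vpn-gw", "vpn"),
]


def correlate(hr, badge_log, login_log):
    """Return (user, finding) tuples an integrated security team should review."""
    findings = []
    badged_in = set()  # (date, user) pairs with a granted door event
    for ts, user, door, result in badge_log:
        if result == "granted":
            badged_in.add((ts[:10], user))
        status = hr.get(user, {}).get("status", "unknown")
        if status != "active":
            # Physical access still works although the HR record says it should not.
            findings.append((user, f"badge granted at {door} but HR status is {status}"))
    for ts, user, host, kind in login_log:
        status = hr.get(user, {}).get("status", "unknown")
        if status != "active":
            findings.append((user, f"{kind} login on {host} but HR status is {status}"))
        # A console login implies someone was physically at the machine; with no
        # badge-in that day, suspect tailgating, badge sharing or a gap in the door log.
        if kind == "console" and (ts[:10], user) not in badged_in:
            findings.append((user, f"console login on {host} with no badge-in on {ts[:10]}"))
    return findings


if __name__ == "__main__":
    for user, finding in correlate(HR_DIRECTORY, BADGE_LOG, LOGIN_LOG):
        print(f"{user}: {finding}")
```

On the constructed data this reports carol's door entry against a terminated HR record and bob's console login without any badge-in; alice, who badged in before logging on and later used the VPN, produces nothing.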

It doesn't help that executives sometimes overestimate their security prowess. Forty-three percent of 9,600 business and IT executives called themselves security "frontrunners," according to the latest annual global security survey by PricewaterhouseCoopers and CSO magazine, a sister publication of CIO.

However, when researchers probed further, asking questions such as whether the executive had reviewed the corporate security policy in the past year and whether, if the company had a recent breach, the cause was understood, just 13 percent actually qualified as frontrunners.

Study Your Vulnerabilities

At Austin Recovery, one concern was that former employees, friends, family or other outsiders could get into the center through unwatched, unlocked doors or by printing fake name tags. They could interact with vulnerable residents or bring contraband inside, Ross says. In the past, for example, employees had stolen detoxification medications a few times, he says.

Sometimes 12-step volunteers who weren't cleared to see residents would enter the facility anyway. Angry men have also tried to get in to find their wives or girlfriends in treatment, potentially jeopardizing the safety of other patients, he says.

Now the new system protects better. Without the right credentials programmed into their badges, employees cannot print, copy or fax information. This helps cut down on the risk of failing to comply with certain HIPAA regulations. "We have a log of everyone who prints and what they print," Ross says.

Physically, the facilities are better fortified as well. Ross recalls that recently "an aggressive person" whom Austin Recovery had fired was threatening to come back. The IT manager locked down the front door, which automatically required employees to swipe their badge cards to get in and other visitors to use the outside intercom. The threat turned out to be empty, Ross says, but he felt better able to protect employees and patients because of the new technology.

"It's not keeping clients in, but keeping unauthorized people out," he says.

Plan for Pushback

Getting employees to use the new technology and adhere to new processes can be a slog, Assante says. Work habits are ingrained, and even blending the two cultures of the physical and information security staffs can be challenging, he says. CIOs and other IT leaders should identify as many opportunities as possible for the physical security staff to work alongside their IT counterparts. Assigning a cross-discipline team to conduct an integrated security assessment is "a great starting point," he says.

Retraining employees to change work routines was the more pressing problem for Austin Recovery. Ross approached the change in simple phases, first requiring employees to wear coded name badges, then setting new rules for who could use which doors when. In e-mail and frequent meetings, managers spelled out why the new policies are important (safety, less risk, better compliance with regulations) and repeated many times that employees must comply.

"It was a long implementation because of cultural issues," he says, but taking it slow made the changes stick. "You can't just announce one day, 'If you don't do this, you're going to get in trouble,'" he says. "You have to get them to understand why it's so important."

Kim Nash is a senior editor for CIO Magazine.
