Cyber vs Physical Security: Shouldn’t we take cybersecurity and data privacy as seriously as physical security? WE NEED BOTH!
By Ron Zochalski, CTO & CISO, Lake County Government
I have the current rare responsibility of leading building technology and infrastructure security, computer systems, and cybersecurity for county government courts and detention facilities. In other words, anything connected to some type of computer or PLC. I have the benefit of seeing technology in both areas. Obviously, there is risk associated with both. The Physical security typically gets higher priority because of the potential human loss involved vs data and the associated monetary loss from ransomware and extortion from leveraging stolen incriminating data. The Data Security and the Physical Security both have the same weakness in common, the human element! The human element comprises 74% of data breaches, according to the 2023 Verizon DBIR report. So why does cyber security get less of a priority?
The confusing thing for me is why Cybersecurity is not currently given at least equal priority as Physical security. How can we protect human life if we lose the means to protect the private information to protect human life and make better decisions? Isn’t that what technology was supposed to help us with? Make life better, not complicate it?
In my mind, data breaches are falling in the same situation as disaster recovery did decades ago. No one takes a loss seriously until something big happens and it happens to them. It’s considered too costly to pay for a “what if” scenario that may not happen.
There has been more awareness created regarding cyber risks in the past seven years than ever and nothing has changed except that we are losing more money. According to IBM’s Cost of a Data Breach 2022 report, a single data breach on a company costs an average of $9.44 million in the U.S. in 2022. Cybercrime is expected to reach $10.5 trillion by 2025; estimates vary. That number is probably understated because of the true lack of transparency due to the embarrassment that the cyber hygiene or basics were not done.
What I would like to do is show the security with building technology, infrastructure and perimeter security needs to be done with our private data.
The Zero Trust model, introduced in 2010 by John Kindervag, gained traction until May 12, 2021. President Joe Biden signs Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” pushing government and corporations to adopt zero-trust cybersecurity principles and adjust their network architectures accordingly.
Physical security has been improved ever since 9/11/2001 with perimeter security redesigns to protect from vehicular bombs, which included things like fixed bollards, updates to video surveillance that included facial recognition in some areas, more secure building access, improved badge readers, full body scanners, etc. Physical security has always had a Zero Trust approach.
We all know data is being breached, quite frankly, because it is profitable. We can learn from layered physical security measures that work and apply them to our important data. Who hasn’t had to do active shooter training multiple times? Have you had data breach training multiple times?
In my mind, data breaches are falling in the same situation as disaster recovery did decades ago. No one takes a loss seriously until something big happens and it happens to them. It’s considered too costly to pay for a “what if” scenario that may not happen. I guess that same thinking applied to the recent Titan submersible regarding the following safety certifications. I would hope 5 lives would have been saved had the proper safety processes and certifications been obtained.
The four zero trust design principles of Define business outcomes (What is the business trying to achieve? so security does not become an inhibitor), Design from the inside out (what needs to be protected), Determine who needs access (what resources does someone need to get the job done) and finally inspect and log all traffic.
I will cover a design principle and show how it should apply to both physical security and data security and how priorities need to be the same from a county government court and facility perspective:
Determine who needs access:
Physical Security – Employees have security badges for certain doors and access to only portions of the building based on their job function. When a badge reader is used to enter or exit a door, employee name, time and date are saved and show this data in real time. The front entrance is a manned security checkpoint. ID’s are checked and verified. Certain items are prohibited in the building and checked for. General public purses, wallets, keys, and briefcases/bags are scanned through a baggage scanner, then they walk through a metal detector. If the metal detector goes off, they are scanned with a wand also, just like at the airport. If going to court, they are instructed to go check in upstairs with another security desk and told to sit and wait until called.
Once they are called, they are instructed to go through another metal detector and scan with a wand again if needed. Personnel monitors security cameras inside and outside the building 24/7. Armed bailiffs are in the courtrooms. HR does employee vetting through Homeland Security and other background checks. Perimeter security is being updated. This is Zero Trust.
Cyber Security – We see a much different picture. Unpatched software with vulnerabilities that were reported almost 10 years ago, 84% of companies have high risk vulnerabilities on external networks, login credentials are being compromised by phishing, not knowing who is on your network and who has access to what information, lateral movement capability with little network segmentation and the list goes on. News media reports of never-before-seen tactics, yet they are the same even after an executive order in 2021 goes into effect. See the difference?
If you ever have a chance to see an access card system in action, where the system records an employee name, date and time stamp every time a door is entered or exited in real time, you start to wonder why all system access was not set up this way in the first place. Instead, the thought was let’s connect everything and hope no one thinks of something malicious to do. It used to be very expensive to connect computers to each other before the Internet.
Let’s get smarter and stop the money bleeding.