When you think of cyber security, what comes to mind? For most it’s software, hackers, and computers in general. According to the FBI, “A cyber incident is a past, ongoing, or threatened intrusion, disruption, or other event that impairs or is likely to impair the confidentiality, integrity, or availability of electronic information, information systems, services, or networks.”
However, a largely neglected part of cyber security is the human component. A significant majority of cyber incidents originate from within the companies themselves, with 80 percent of cyber incidents coming from human interaction. Forty percent of threats, whether they were inadvertent or malicious, come from employees alone. Therefore, it is important to not ignore the physical security practices we know protect brick-and-mortar stores from human theft and instead apply these concepts to cyber security.
It is well known that education and awareness are the first line of defense in physical security — and it’s the same for cyber security. For example, you control and audit keys in a brick-and-mortar store; the same must be done for passwords. You have policy and procedure to prevent people from sharing keys; the same is done for passwords.
This also applies to access, opportunity, and supervision (or the lack thereof). In a brick-and-mortar store, this could be locking the doors, setting the alarm, and storing cash in a safe. For cyber security, it means ensuring ports are blocked, using endpoint software, and locking the server room.
You may read or hear about the “death” of traditional security methods for cyber security. Most of those articles are followed by marketing messages from companies trying to sell their software. In reality, cyber security techniques and traditional security methods are very closely related.
These are the top five cyber security practices and their physical security counterparts:
- Use a firewall = ensure your alarm is on
- Document your cyber security policies = document your loss prevention policies
- Plan for mobile devices = plan how to protect your mobile devices
- Enforce safe password practices = enforce key controls and access standards
- Back up all data on a regular schedule = retain and back up surveillance video according to policy
Many retailers are combining physical security functions with cyber security. Almost all big box retail organizations have a loss prevention professional who is directly responsible for asset protection technology and ensures everyone’s security priorities align with the company’s best interest. Today we have more Internet-connected devices, cameras, speakers, emergency-management systems, and video-management systems than ever before. Loss prevention has a ton of connected devices in the store, and it all must be kept safe from hackers, just as a company’s computer network should be.
According to a 2018 report from the Dow Jones, cyber security firm Darktrace Ltd. reported that in 2017 a North American casino suffered a cyber attack via a digitally controlled fish tank. Webcams were instrumental in the massive denial of service attack that brought down Internet hosting giant Dyn Inc. in 2016. In January 2018, the US Department of Defense removed surveillance cameras manufactured by a Chinese company because of their concerns about security. The 2013 breach of Target Corp. was executed through an insecure air-conditioning system.
ORC and Cyber Crime
There is also a great deal of crossover in organized retail crime (ORC) and cyber crime. Today a shoplifter turns booster, then moves to fraud, then easily jumps right into cyber crime. The dark web and the Internet in general have a host of tutorials and manuals on how to commit cyber crime. For example, the darknet has groups like The Shadow Brokers (TSB), which allows people with little to no computer skills to purchase malicious software and instructions on how to deploy it. TSB even offers a subscription-like service to its members for access to new releases of the latest and greatest tools to commit the nefarious actions via computer. Put simply: anyone can search the web to learn how to become a hacker, or they can pay a subscription fee and have someone provide them all the tools.
Cyber crime is a global issue, certainly much larger than any individual retailer. If it hasn’t already, your company will have a cyber incident. Training and awareness are the keys to prevention. As loss prevention professionals, we must remain vigilant and take a balanced approach that focuses on prevention and response to a cyber incident. When an event occurs, you may be called to the table to do the criminal investigation. Forging those partnerships early will help when and if this occurs, and as an expert in physical security, you have a great deal of value to add to the investigation.
All the technology in the world won’t solve human behavior elements in cyber security or physical security. You are already a physical-security expert. You have valuable insight to help your information technology teams better protect the company. Using these examples of the similarities between cyber security and physical security, we can better learn how to use our existing skillsets in an increasingly digital security landscape.
This story was originally featured in the March 2019 print editions of Loss Prevention Magazine. (Edited version)