Top 10 Considerations for Assessing Cybersecurity Risks (GSX+ 2020)
September 22, 2020

Is your physical security system protected against cybersecurity risks? You can reduce the risk that your system’s vulnerabilities will be exploited with these 10 considerations discussed at the 2020 GSX+ virtual tradeshow.

1. What are your security requirements?

If you’re investing in a new physical security system, understand what your requirements are first. The installation team can’t read your mind, so figure out what your expectations are ahead of time. This also applies if you’re looking at upgrading your existing physical security measures.

Melissa Mack, regional security manager at Willis Towers Watson, recommends starting with a complete inventory of your physical security system so you understand what you have, where your potential exposures are and where you need to make strategic upgrades.

“From there, you can meet with your key stakeholders,” Mack says of the inventory. “A two-pronged approach is to understand what your risk or exposure is. Come up with a strategic plan for understanding exactly what the risks are by your business leadership, by all the key stakeholders and collectively agree on that. From there, you can identify what the requirements are to secure the physical security system you have and any components you want to add into that system.”

It’s key to bring in IT at this stage, adds Laneisha Hayes, CEO of Zenotek Security Solutions.

2. Did your system start secure?

With security products, it’s crucial to validate the supply chain and the security of the products themselves, notes panel moderator Dave Tyson, managing partner, CISO Insights at Apollo Information Systems.

“When we purchase things, we’re often drawn to the least expensive, the best deal or other things,” Tyson says. “Do you know where it comes from? Is the vendor qualified to install it? Some people even think about the assurance level that something has been tested. Has it been proven secure? Is there potentially a backdoor in it?”

For government facilities, compliance requirements often dictate the answers to some of these questions, says Karen Frank, senior director and head of global security services at Pratt & Whitney. For other facility types, you may find it helpful to start with government compliance requirements and then scale back if needed, Mack says.

3. Was it installed with a secured design?

Security technologies need to be installed with secure architecture, and facilities managers who oversee security measures need to understand that architecture. Don’t just leave it up to the vendor.

“You can’t assume that an integrator or reseller should have copies of all your documentation, Frank says.  “Vendors change or get sold. Acquisitions occur. Those organic, over-time changes are probably one of the biggest pain points in trying to have an overall system design and manage that risk from an infrastructure perspective.”

The design should be well-documented, and your documentation should be updated every time you add something to the system, Mack says.

4. Have the integration points been considered?

Integrating more components from different sources creates more vulnerabilities, Mack says. “Sometimes you need to dial back technology,” she adds. “Adding different APIs or integrating other components into your physical security systems, or even putting physical security devices on your internal network—if that’s going to create additional risk, but the value is not there for that additional component, sometimes you have to step back and advise your business that that’s not the best thing going forward.”

5. Was the system tested for security before going live?

Testing is crucial, Tyson notes. Your system should be tested the first time you install it and again on an annualized basis.

“I’ve seen people leave it to IT and say ‘Oh, they’ll take care of it,’” Hayes says. “Are you sure? Why don’t you have a documented process for that? On this day at this time, I need you to test this for me.”

Also be sure that the person doing the testing knows what they’re doing, Tyson adds. Having that expertise available is a critical piece of the puzzle.

6. Are all the basics covered?

Sometimes the simplest things can be vulnerabilities, Tyson explains: “Who’s got access to this stuff? Are the lockouts complete? Are the default passwords deleted? Is training included? Know who’s got access in an emergency.”

Integrators often leave backdoor openings so they can come in and fix things, Tyson says. You need to know who has access to the backdoor. One way you can keep that vulnerability safe is to require onsite work by your vendor and integrator rather than allowing remote access, Frank adds. “That itself can drive security where remote capability is disabled. You know who’s trying to get in because they have to do it there,” Frank says.

[Related: Why It’s Time to Converge Physical Security and Cybersecurity]

Training is also a basic step that’s sometimes overlooked, Hayes adds. Your team members need to be trained regularly so they can deescalate security issues rather than letting them go unchecked. “Advocate more that training is included in the budget,” Hayes says. “Not just one and done – maybe a yearly training on updates.”

7. How will you know if the system is violated?

Do you know what normal looks like for your security system? How will you know if it’s been hacked or otherwise exploited? Training is the key, explains Frank—your staff needs to know how to detect anomalies.

8. Who will monitor the system for variance?

Someone needs to monitor your physical security systems for violations, Tyson says. It might be under IT’s umbrella, especially if your systems are on the network they manage. It might be your staff. In either case, you need to have clear plans for what to do in case of attacks or threats, and whoever is responsible needs to understand how to escalate issues.

9. How will the system be maintained?

Who will patch and update your system when the time comes? Have you thought about what the end of your security system’s life looks like? Secure disposal at end-of-life is a big issue for physical security devices, especially any devices that store information. As Hayes notes, “You can’t just throw it in the trash.” Reach out to a company that specializes in destroying devices securely.

10. Use security intelligence to understand your adversary’s approach.

Put yourself in a hacker’s shoes. If you wanted to compromise your systems, where would you start? Is it possible for a disgruntled employee to exploit your system and cause trouble? The more you understand about how to cause problems with your security system, the better prepared you’ll be to shore up the system to prevent those attacks.

“Understand your systems and what’s new in the industry about the vulnerability of those systems,” Frank advises. “Know the systems you have and work with your peers to understand. When something happens to someone else, go back and read about how that happened to them. Could it happen to your system? Could someone make their own duplicate secondary badge? Could someone compromise your systems?”

More GSX+ 2020 Coverage:

 

Profile picture for user Janelle Penny
About the author
Janelle Penny | Editor-in-Chief at BUILDINGS

Janelle Penny has more than a decade of experience in journalism, with a special emphasis on covering facilities management. She aims to deliver practical, actionable content for facilities professionals.