Cyber Impact
Why physical and IT security are converging
- By Stephen Joseph
- Mar 01, 2016
Today’s retail banks are nothing like they were in your grandfather’s
day. Back then customers conducted all their banking business in a
physical branch. Now, thanks to mobile technology, most customers
rarely step across the threshold, opting instead to bank remotely
from whatever device and location they want. This shift in banking
practices has forced financial institutions to rethink their security measures and go
beyond brick and mortar to include the cyber realm, as well.
In essence, physical security is now converging with IT security. With today’s
technology evolving at blinding speed, this blurring of the boundaries was inevitable.
The goals, however, remain the same: protect assets, mitigate risk and maintain
business continuity. There are a few important differences. With these new
network-based technologies, financial institutions become more agile and responsive
to threats.
Furthermore, these security solutions are easily scalable as the business grows.
But to fully embrace the potential benefits of this converging technology, banks need
to understand how this technology maps into their previous security landscape.
THE CHANGING ROLES OF IT AND PHYSICAL SECURITY
For many years, the IT and physical security departments were two very distinct
entities, both necessary and vital to an organization but with different objectives.
The main focus of IT was to ensure that the enterprise networks were operational,
secure and ready, and that business operations were connected and running
smoothly. The main focus of the corporate security director was to ensure that the
company’s financial assets were protected, brick and mortar facilities were secure
and a security presence was visible to deter potential threats. Until now, it wasn’t
uncommon for these two departments to have very little interaction.
But that is beginning to change with the growing number of smarter, network-based
security technology now available on the market. Today the two departments
are sharing common tools and working in concert to mitigate both physical
and cyber threats to the institution.
One of the main drivers behind this change is that the average size of internal
security staff is shrinking. To compensate, corporate security directors have had
to augment their limited security staff with smart technology that can provide
traditional security support while also handling some of the decision making.
Banks have begun programming their intelligent network devices to conduct critical
analysis based on preconfigured embedded functionality, and then make decisions
automatically without having to wait for someone manning a PC to provide
instructions.
A good example of this is network routers that can be programmed and segmented
to detect and route specific network traffic, such as financial transactions,
e-mail or surveillance video, according to preset conditions and priorities. As intelligent
devices for physical security become ever smarter and processing capacity
ever greater, eventually most important decisions and/or processing will be
performed in the field on the endpoint devices connected to the network. This is
known as a distributed or decentralized model. The solution is highly scalable: all
that’s required is a PoE connection to both power and transmit data.
Because IP devices run on the enterprise network and are based on open standards,
they provide a clear advantage over analog technology where systems and sites usually operate as independent silos, which require extra manpower to manage
and retrieve information. These proprietary systems have limited scalability
and don’t easily integrate across locations or with other security technologies, such
as fire detection and access control. As a result, unlike IP-based systems, their investment
value tends to diminish as the institution grows and expands its portfolio
of security tools.
MITIGATING POTENTIAL THREATS
The rise in cyber attacks and their potentially devastating impact on business operations
has led many retail banks to spend more time and money on improving
cyber security programs and implementing best security practices. They’re taking
steps to assess how much they know about potential threats to the institution’s enterprise
network and then taking strategic action to ensure that it is kept as secure
as possible.
Often the first step in assessing threats is to recognize that any enterprise network
and all devices connected to it can leave a door open for a cyber-attack.
Therefore, financial institutions need to be especially diligent when adding any
device to the network. When it comes to deploying physical security system technology
on the bank’s network, it’s important for corporate security directors to
work closely with IT to evaluate network capacity and vulnerability, understand
corporate security procedures, and follow best practices.
Statistics show that the majority of security breaches stem from human error,
misconfiguration and a lack of processes. So it is critical that not only the retail
banking organization but also the entire vendor supply chain share responsibility
for protecting the network and all its devices and services by adhering to stringent
security protocols.
THE RISE OF IP SURVEILLANCE
One of the more popular physical security devices being deployed across banking
networks today is the IP video camera. From an IT perspective, an IP camera being
used in a security system is a network end-point similar to a desktop computer.
Therefore the security camera should meet certain basic IT security standards
such as having assigned password protection as a first line of defense. As with
any network device, the banking institutions should follow some basic protection
recommendations:
- Perform a risk analysis of the enterprise network: Identify internal and external
threats and vulnerabilities.
- Gain knowledge on system protection and possible threats: Determine what levels
of protection exist and the known weaknesses.
- Secure the network: Create a standard IT security policy that can be audited.
- Review and change factory default settings: Change default usernames and passwords
regularly and frequently.
- Use strong passwords: The strength of a password is a function of length, complexity
and unpredictability.
- Prevent cameras from being directly accessible on the Internet: This feature
should be selectable in the camera configuration during programming.
- Use encrypted connections when possible: This is a method of using security
functionality or devices to encrypt network traffic to and from a device.
- Check security logs frequently: Information should always be logged for later
review and audit.
- Monitor devices on a regular basis: Develop random, periodic testing and confirmation
for all devices on the network.
- Use the latest device firmware available: Always promptly install required security
patches and firmware that correct known vulnerabilities.
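The recommendations above can be run as a repeatable audit of the camera inventory. The following is an added example, not part of the original article; the record fields, approved network range, default-credential list, firmware table and thresholds are all assumptions made for illustration.

```python
import ipaddress
# Assumed policy values; none of these come from the article.
CAMERA_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # approved camera VLAN
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "pass"), ("admin", "12345")}
LATEST_FIRMWARE = {"model-a": "2.4.1", "model-b": "1.9.0"}
MAX_LOG_REVIEW_AGE_DAYS = 30

def weak_password(pw, min_len=12):
    """Length plus character-class variety as a rough strength test."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) < min_len or sum(classes) < 3

def version_tuple(v):
    return tuple(int(part) for part in v.split("."))

def audit_camera(cam):
    """Return the list of checklist items this camera record fails."""
    findings = []
    if (cam["username"], cam["password"]) in FACTORY_DEFAULTS:
        findings.append("factory-default credentials")
    elif weak_password(cam["password"]):
        findings.append("weak password")
    addr = ipaddress.ip_address(cam["ip"])
    if not any(addr in net for net in CAMERA_NETS):
        findings.append("address outside approved camera network")
    if not cam["https_only"]:
        findings.append("unencrypted connection allowed")
    if version_tuple(cam["firmware"]) < version_tuple(LATEST_FIRMWARE[cam["model"]]):
        findings.append("firmware out of date")
    if cam["days_since_log_review"] > MAX_LOG_REVIEW_AGE_DAYS:
        findings.append("security logs not reviewed recently")
    return findings

INVENTORY = [  # constructed records for illustration
    {"name": "lobby-01", "model": "model-a", "ip": "10.20.1.15", "username": "svc_cam",
     "password": "T7#pluvial-Quartz", "https_only": True, "firmware": "2.4.1",
     "days_since_log_review": 7},
    {"name": "atm-03", "model": "model-b", "ip": "203.0.113.40", "username": "admin",
     "password": "admin", "https_only": False, "firmware": "1.7.12",
     "days_since_log_review": 90},
]

def audit_inventory(inventory):
    return {cam["name"]: audit_camera(cam) for cam in inventory}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Comparing firmware versions as integer tuples avoids the string-comparison error in which "1.10.0" sorts before "1.9.0".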
Although there will always be potential threats when adopting new technology,
the benefits should be weighed by both IT and physical security to ensure that
every possible step has been taken to seamlessly merge cyber
and physical security programs. Doing so will make it possible
for the institution to become more proactive, collaborative and
successful in mitigating potential risks.
This article originally appeared in the March 2016 issue of Security Today.