7 min read

The Convergence of Physical and Cybersecurity

Featured Image

Companies must coordinate with physical security and IT teams to keep staff and assets safe.

As the world grows more and more connected and countless items in our everyday lives talk to the internet, keeping cybersecurity top of mind is a necessity. Moreover, incidents in cybersecurity are often tied to errors and oversights relating to physical security. It’s crucial to consider both in order to keep staff and assets secure at all times. By coordinating efforts between teams and developing processes for physical and cybersecurity, businesses can better secure and monitor their premises, data, and physical assets. 

What is it?

Convergence refers to an effort to bring together traditionally separate systems and teams monitoring physical security and cybersecurity. While these two types of security undoubtedly impact one another, most organizations have kept teams separate and siloed. 

Now that the technology behind these two systems is deeply intertwined, joining efforts to collaborate and create a joint process to oversee all types of security is crucial. Organizations must bring cybersecurity and physical security teams together to work as one in order to prevent security breaches of any kind. 

Why is convergence important?

As of August 2019, there were over 26 billion devices on the Internet of Things (IoT), or devices connecting to the internet. Experts expect 75 billion IoT devices by 2025. With so many inlets and devices communicating with a system, these staggering numbers indicate a particularly urgent need for network security. Joining teams to ensure that a business’s physical and cybersecurity practices work together is crucial for preventing breaches in either realm. Without effective cybersecurity, data breaches can lead to physical security issues down the line, and vice versa. 

The current state of physical and cybersecurity already prevents separating the two areas in practice. An organization’s cybersecurity risk will rely heavily on physical security practices such as access control for rooms that house equipment like central servers. Likewise, a breach in cybersecurity can have physical ramifications. For example, a cyber-attack at a hospital can impact tech-based medical equipment, putting the safety of staff and patients in jeopardy even if there is no physical intruder. 

Alignment of IT and physical security teams also allows for a more efficient workflow and quicker responses to possible threats. Because of the technology utilized in each aspect of physical security now, cybersecurity and physical security are already inextricably linked. Pursuing them from separate fronts only leaves room for unnecessary staff overlap and slower response times should an incident occur. Cybersecurity and physical security go hand in hand due to the prevalence of information-based assets as well as technology-powered physical security systems such as hosted video surveillance and mobile credentials for access control. 

Information-based assets

For many types of businesses, physical assets are increasingly less important than information-based assets. Information-based assets are generally housed digitally on computers and servers operating within the business. Organizations like healthcare providers, universities, and law firms have responsibilities to protect personal information of students and clients, keep life-altering records (such as health records, educational reports, and evidence) safe and accurate, and store necessary data for long periods of time. 

Just as much as a warehouse or truck full of product must be protected by a business selling physical products, all of this data must be protected in order for the business to fulfill its purpose and duties responsibly. Without integrating physical security efforts with cybersecurity concepts, there is no way to keep these information-based assets secure. 

Hosted solutions

Hosted access control and video surveillance continue to gain popularity in today’s physical security landscape. This inherently means that the functions behind physical security, such as granting certain staff access to a particular space or managing video data, rely heavily on the security of the cloud systems behind the operation. It’s imperative to involve cybersecurity experts in the processes of ensuring physical safety. To overlook one is to leave the other vulnerable. 

Technology-powered access control

Experts predict that countless corporations will move to phone-based access control credentials in the next few years as NFC technology catches up with the demand for mobile credentials. In order for these tap-and-go systems to remain as secure as card-based credentials, integrated systems for both physical technology and cloud data are crucial. The reality is, anything connected to the cloud can be hacked if the proper security measures are not taken. Transitioning access control credentials to personal devices requires stringent protocols and a united front in terms of communicating and following through on security needs and processes. 

Especially with technology integrated within the workings of physical security, such as weaknesses in cybersecurity also lead to weakness in physical security systems. Hosted access control and video security systems both demand a level of vigilance from a cybersecurity standpoint in order to function as intended. Security threats of any kind are much less likely to get through an integrated system than a patchwork solution with inevitable gaps. 

Best practices

In order to begin the process of converging physical and cybersecurity teams and processes, companies can start with a few big-picture maneuvers. 

Merge leadership

If physical and cybersecurity teams both exist in a corporation as separate entities, a strong step in the right direction is to merge the leadership positions of the two teams. This doesn’t necessarily equate to a personnel change, but rather a shift in roles for leaders of each team to become more aligned. This merge can lend itself to a strategic and aligned strategy between teams.

Leaders must come together to sync ideas and exchange knowledge about the technological and physical implications of each process. This way, teams can help identify any gaps in these plans and ensure the tightest possible security across the organization. Some companies even create a team dedicated to converging security teams, which may be made up of key players such as IT leaders, CSO, CISO, physical security leaders, and facility managers. 

Establish communication

As teams merge and begin to establish systems for collaborating, identifying patterns and systems for easy and frequent communication is key. Setting up processes for checking in about new roles or additional aspects of traditional job functions will help to streamline convergence without unnecessary added stress. An agreed-upon cadence for meeting about and reassessing the convergence process and each overlapping aspect of the security landscape will allow all security professionals to strategize and implement changes quickly and effectively. 

Clearly define roles

Clarity of role distribution is crucial to ensure there are no gaps in the systems and processes keeping the organization secure. Auditing responsibilities of physical security teams and cybersecurity teams is crucial to ensure that no aspects are overlooked and to eliminate unnecessary overlap if needed. Strategically analyzing security teams as a whole will help personnel identify and account for vulnerabilities in current systems. Clarity of what each role entails will allow for more efficient functioning while mitigating risk. 

Train staff

Taking a step back to ensure that security personnel of all functions are appropriately trained on the technology with which they interact must constitute part of the convergence process. Determine any gaps in baseline knowledge and ensure that physical security teams operate with an appropriate knowledge of cybersecurity implications, and vice versa. 

In addition to combining forces to join IT teams and physical security staff into a collaborative unit, companies can involve all employees in regular training to ensure cybersecurity and physical security best practices are consistently followed. In most companies, data and information-based assets lie in the hands of every employee, not just security staff. Teaching and refreshing on key practices for email use and data security can help free up security staff bandwidth while preventing needless breaches in company security. 

Cross-examine and reinforce

One key element to consider is the possibility of using cybersecurity to reinforce physical security measures, and vice versa. Wherever sensitive data and confidential information are physically stored, companies can add access control checkpoints and video surveillance hardware to introduce an extra layer of security to these assets. Similarly, cybersecurity experts can run full diagnostics on the company’s physical security practices and the software supporting them to ensure there are no gaps in vigilance. 

By 2025, cybercrime is expected to cost US businesses over $6.5 billion. Security is no longer a single-faceted issue. While the means of physical and cybersecurity have already overlapped and converged in practice, many organizations have not taken the step of planning and strategizing for these two areas as a united front. Until teams work together to tackle physical and cybersecurity as a joined force, room for error and opportunities for breaches in both types of security will remain. Contact us to learn more; we'll help you get started.