Cyber Security Awareness Month is under way and one of this year’s main messages is ‘See Yourself in Cyber’. Whilst you may think that cyber security is solely about computers and technology, you also need to consider Physical Cyber Security to truly protect your organisation and reduce the risks.
We sat down with our Cyber Security Test Manager Neil Gibb to discuss why Physical Cyber Security remains an important part of the overall security picture and how organisations can improve it.
Q1. What is the difference between Physical Engineering and Red Teaming?
Physical Cyber Security or Physical Social engineering is part of a Red Teaming Assessment as are all other elements of Penetration Testing.
Physical Cyber Security or Physical Social engineering is also a stand-alone assessment phase which is as essential as any other type of penetration testing.
Q2. How do threat actors use Physical Cyber Security?
Physical Cyber Security or Physical Social engineering gives threat actors access to an organisation's physical premises and, in turn, their corporate systems, employees, and documentation, which under normal circumstances are protected via controls such as firewalls and physical security controls.
They often do this by relying on people's kind natures. For example, they may arrive at a business premises under the guise of an employee who is reporting for their first day of work and act lost and worried; perhaps they claim to have forgotten their ID or access key.
Most people are kindhearted and will often have sympathy for others in stressful situations. In this scenario we’ve all been in the same boat, so our natural inclination is to help. Threat actors depend on this. Often, they will be let inside a property where they then go on to access computers (which could be unlocked) or gain access to sensitive areas.
Q3. Why should businesses carry out Physical Cyber Security assessments?
Physical Cyber Security or Physical Social engineering is essential to any business with physical premises.
Physical attacks are much quicker and more effective than other types of cyber-attacks and are growing in popularity amongst threat actors.
Aside from physical security, employee complacency is one of the areas that is tested, along with disgruntled employees. With the insider threat being a critical risk to businesses, not testing these elements is a huge oversight.
Because Physical Cyber Security assessments are hands-on, with a consultant directly interacting with employees, organisations have reported that following Physical Cyber Security assessments, employees are more engaged in cyber security training and often want to pass on their experiences.
Q4. What are the main challenges of Physical Engineering?
Educating clients about the real-world threat and the benefit of Physical Cyber Security is by far the biggest challenge. When budgets are tight, an organisation will likely focus on the cyber side of security and neglect the physical side.
Getting organisations to see through the many myths around cyber security is another challenge, as large organisations may think that they’re too big to be targeted by a threat actor with dedicated security and high-tech controls. In reality the opposite is the case; larger businesses make favourable targets as they have a large number of employees moving around their premises at any one time, increasing threat actors' opportunities.
Q5. How often should a business carry out a Physical Cyber Security assessment?
Once or twice a year.
For large organisations with multiple buildings, assessments should be performed on a small number of buildings each year at random intervals.
Complacency is a major challenge organisations face when it comes to physical security, as without regular testing and training employees may become lax with the security practices needed to keep properties, and in turn their sensitive data, safe.