Channel: HFS Research

Executives and Security Officers, let’s get physical about security!


 

Physical security is a key concern for any organization, but are you spending enough to secure yourself? HFS data has revealed that many organizations acknowledge physical security to be a problem but haven’t invested enough to prepare themselves for the threat.

 

Physical security can be easily overlooked by an organization in this fast-developing world. External threats are exciting and captivating, and they seize media headlines. It is understandable that organizations are drawn to the idea of external hacking and penetration. The media attention around external threats is huge, and the attention can either make or break an organization. In recent years, we have seen a host of major organizations that have been breached. This list features Facebook, LinkedIn, the U.S. military and the UK Ministry of Defence. In 2019, the password manager Blur and Blank Media Games joined this ever-growing list of hacked organisations.

 

 

Physical Security a Major Concern

 

Source: State of Security 2018, HFS Research

 

After speaking to 300 security professionals, HFS released data that indicates physical access is of major concern. Exhibit 1 shows the threat of unauthorized physical access was the biggest concern over the last 12 months, with 45% of respondents considering it a major or critical threat.

 

 

Exhibit 1: Security threat to almost double in all sectors during the coming months

 

Source: State of Security 2018, HFS Research

 

This concern intensified for the future, with 64% saying it was a strong or critical concern for the next 12 to 18 months. Physical security is the biggest threat, and concern about it in the field continues to grow.

 

So, what is everyone doing about it?

 

Exhibit 1 indicates high levels of concern about physical security and the effect it may have on your organization. Unfortunately, according to Exhibit 2, organizations don’t seem to be investing in order to mitigate the threat. It shows the biggest inhibitors to your organization’s security readiness come from limited support from executive managers and tight budgets.

 


Exhibit 2: Lack of budget and executive support is holding security back

 

Source: State of Security 2018, HFS Research

 

The key is the lack of executive-level support. Without this, a larger budget won’t be forthcoming. It is important that executives understand security readiness can be an important differentiator for customers. Therefore, external threats get the most management attention, as executives tend to see external threat mitigation as positively marketable and physical threat mitigation as negative. This is part of a wider issue which slows security spend. A previous HFS report found that reporting and increased regulation focused on major breaches in security can create a sense of inevitability among leadership teams. Rather than fueling additional spend as might be expected, this drives complacency, giving executives license to focus time and resources on other areas.

 

Physical threats often occur due to internal human error. IBM made this point as part of its security index in 2014 when it stated that 95% of security incidents involve human error. As seen in disparate professions, from pilots to doctors, understanding failure and learning from mistakes is a vital part of process improvement. Organizations are unlikely to solve an issue when they can’t admit to the problem itself. This is often the case with threats caused by human error, given the difficulty of saying that staff are incompetent. This creates a paradox: without acknowledgement, process won’t change to reduce or contain error. This preparation and honesty can then be marketed by your organisation in the same way the defence of personal information and company files from external threat is marketed. After all, cybersecurity isn’t just about firewalls when people and process operate from within it!

 

Affordable and effective - you need to take this seriously!

 

Why is it being neglected? Exhibit 3 indicates that professionals believe security products and services are generally too expensive and that they reap little reward.

 

Exhibit 3: Security investments are expensive and hard to justify.

Source: State of Security 2018, HFS Research

 

Furthermore, the data suggests that prioritizing security budget spending is a challenge, with physical security spend part of the overall conundrum.

 

The good news is that the physical element of cyber security can be cheap, easy and effective. This is relative to the exact measures taken, but an effective basic level of physical security can be implemented for little more than a bit of education. This includes teaching staff to lock doors and devices, and not to leave passwords on post-it notes under keyboards or stuck to the monitor. This is basic stuff, and failing to prepare is preparing to fail!

 

Let’s get the money to where it’s needed

 

Exhibit 4 shows security services spending is likely to remain the same or increase slightly in the next year. This suggests that enterprises are willing to continue to invest money into security and that the picture isn’t as gloomy as it might often seem. 

 

Exhibit 4: Majority of enterprises will maintain or increase security spending

Source: State of Security 2018, HFS Research

 

Bottom-line: mistakes should be embraced for learning, even with an area as sensitive as security

 

It’s hard to see spend levels on physical security attract the same level of priority as external threats in the current climate. But enterprise leaders need to listen to security staff and free up resources to at least do the basics and develop a climate where errors are logged, and mistakes are seen as learning opportunities.

