Organisational security can be viewed as the layers of an onion: the asset (whatever it may be) sits in the middle protected by many layers, and if one layer is removed or breached, there’s another one underneath. At least, that’s the way it should be.
Too often, however, we see a siloed approach to the different areas of security. “Cyber security – that’s IT’s problem” is a mindset we regularly encounter. But unless overall security, physical and cyber alike, is viewed holistically, and is led and understood by senior management, gaps will inevitably be found and exploited by intelligent and experienced individuals. These could even be people who work for you.
Here, we take a closer look at the aspects that comprise a rigorous and holistic approach to overall security, and how MASS puts customers’ systems through their paces to see how secure they really are.
It may seem simple, but the first layer to assess should be physical access to your facility. This means going back to basics and asking how an intruder could get in: reviewing the perimeter fencing, who holds access codes, what the CCTV actually covers, and the role of roving security staff. For vital infrastructure such as data centres and energy facilities, this remains as true today as it ever has been.
The location of, and access to, the controls for these systems then needs to be investigated. For example, who can access the CCTV footage, and who can change where the cameras point or how long recordings are retained? The physical security of the rooms where these systems sit should also be considered, with the windows, doors, locks and access processes all subject to review.
Ultimately, physical security systems are only as strong as the employees who enforce them, so employee behaviour should be evaluated too. Common examples of non-compliance include wearing security access badges outside of work (where they can be photographed or cloned) and tailgating through security barriers, so it’s important to consider how the actions of individuals affect the overall security of the site.
Cyber security maturity varies considerably between sectors. The financial sector has matured considerably in cyber resilience because it has been dealing with these threats for many years. But it remains a key target for criminals and organised crime groups, and as online transactions evolve, the sector has become more challenging to protect.
For this reason, IT systems and processes should be tested for vulnerabilities. This can range from an assessment of basic compliance (such as Cyber Essentials), through to advanced threat, vulnerability and risk analysis, including assessment of business processes and policies. For targeted, in-depth technical analysis, penetration testing can identify exploitable weaknesses, and its value is increased when it is informed by threat intelligence about the attackers and techniques the organisation is actually likely to face. Together, these give a rounded view of the organisation’s cyber security and pinpoint the weaknesses to fix first.
The insider threat
One of the security threats that is often overlooked, or misunderstood, is the potential threat from insiders – those with authorised access to the site, its systems and its data. For data centres and other facilities where the on-site physical and cyber security measures are mature, hostile actors are likely to bypass those controls by targeting people who already have legitimate access. For these businesses, a thorough security review should evaluate the habits and behaviours of employees and suppliers, as well as the organisation’s digital footprint, to identify what an attacker could learn and who they could approach.
The hidden layers
Like an onion, security has hidden layers that are easily overlooked. For example, how resilient is your supply chain? You may have your own environment protected, but if documents are shared with your suppliers, are they protected to the same standard once they leave your control?
Business dependency also needs to be considered. If your main supplier is hit by a security breach, what does it mean for your operation and business continuity?
When thoroughly assessing security measures, it’s vital to go a layer deeper and review these factors. Document control, patch management, disaster recovery plans and incident response plans should all be in place, tested and protected, so that they are available and trustworthy if the worst should happen.
Why choose MASS as your security assessor?
Every business’s resilience to security breaches is unique and should be approached holistically, peeling back each layer of security to determine the weaknesses in its structure. At MASS, our security experts are ex-military professionals with extensive experience in preventing security breaches and in conducting vulnerability assessments in accordance with Ministry of Defence processes. We’re also Cyber Essentials (CE) and CE Plus certified and are certified to ISO 27001, so you can be sure that your security analysis will meet industry best practice.
For more information, please visit our Cyber Security Training page.