Recent security breaches point to a blurring of the line between physical and logical security, reinforcing the need for security maturity models that incorporate both elements to mitigate the risk of physical systems being compromised (as part of larger digital cyber attacks) and leverage the value of technology such as biometrics and locational information for user authentication and contextual insights.
The Office of Personnel Management (OPM) incident reinforces the need for such a maturity model, demonstrating the relatively immature state of security today (the hack wasn’t discovered immediately, nor could its impact be countered in the near term) and the increased value of physical-related data.
There’s a major lesson here: Even if enterprises are not thinking about the link between physical and logical security, thieves are, and will likely find a creative way to leverage the increased use of biometrics (e.g., access control to physical locations or ID management for smartphone data) to hack logical (digital) systems.
Cybersecurity is no longer a digital-only threat – the enterprise toolkit must support the ability to secure and integrate physical information as part of a comprehensive security architecture.
As part of our recently released Digital Enterprise Framework (see How HfS Defines Digital), we’ve included multiple layers of security, touching on both Infrastructure and User/Consumer Engagement to highlight the requirement that security be woven throughout the enterprise. Expanding on that, our Digital Trust & Security Maturity Model (see Transforming the Security Maturity Model) has included the requirement to integrate physical and logical security as a defining element of security maturity.
Despite this, our ongoing conversations with Managed Security Service Providers (MSSPs) and enterprise users (as part of our upcoming Trust-as-a-Service Blueprint) indicate that while both are aware of the potential threat (and the security advantages), neither is yet prepared to leverage elements such as biometrics, location data, or access control data as part of their security architecture.
We’re aggressively recommending that enterprise users adopt the Digital Trust & Security Maturity Model as part of their overall business and security transformational agenda. Given that security breaches often involve lapses of internal staff or shortcomings in corporate behavior or strategy, we’re further asking enterprises to consider the following: