When a Russian-backed group reportedly tried to carry out a cyber espionage attack on the Organization for the Prevention of Chemical Weapons in The Hague, security officials did not catch the alleged hackers sitting in some distant small room behind computers, but instead stopped a car full of electronic equipment and four men trying to enter the heavily guarded building. Officials say the men were planning to use antennas and other devices to intercept information on the Wi-Fi network of the organization, which was investigating the poisoning of ex-Russian spy Sergei Skripal and his daughter in England.
This illustrates the increasing overlap of cyber and physical security breaches, crime and espionage. This overlap also became clear in a recent high-profile case in Israel, when officials arrested defense minister Benny Gantz’s housecleaner, who was suspected of offering to spy on Gantz on behalf of the Iranian hacker group named Black Shadow.
These examples demonstrate how criminals slip between the gaps of those tasked with physical, information and cyber security, as these departments often do not coordinate their activities and see their realms as completely separate. This has to change; in fact, every organization now needs to appoint one person to oversee all security in a holistic manner and close these gaps. Let’s call this new job a Chief Brand Officer (CBO).
Fragmented security is not effective—and the bad guys know that
Most companies have multiple separate departments and employees dedicated to different aspects of physical, digital, information and financial security, but they work independently and in a fragmented manner, isolated from each other and not communicating. It’s common to find that the CISO has never spoken with the head of physical security or those tasked with developing and promoting a brand’s image. Although many companies do have a chief security officer (CSO), whose title seems to imply a comprehensive approach, this job usually does not include cybersecurity, which is left to the CISO. Many organizations, especially in the financial sector, may also have a chief risk officer (CRO), but their duties are limited to assessing exposure to factors like market movements, competition and regulatory changes. Yet another set of professionals deals with sensitive information connected to human resources and employee data.
But it is important to remember that the attacking groups, especially state-backed groups, do have a holistic approach. For example, the Russian hacking group APT29, associated with Russian government intelligence, relies on traditional espionage and information-gathering when deciding who to target in cyberattacks. They, and all bad actors, are looking for gaps, for whatever opportunities arise, whether they are cyber or real-world or a hybrid. Organizations need to have the same mindset in order to effectively defend themselves.
Embracing a holistic approach
Organizations will only have adequate cyber security when they have adequate physical security, and vice versa. As seen in the Dutch example, criminals may enter an organization’s building or physical premises in order to gather digital and other information or begin to carry out a cyber attack. It is only by declaring a holistic approach, and putting one executive or one department in charge of carrying it out, that companies will succeed and remain truly secure. This is where the CBO comes in, as a key addition to any C-suite. This could be a full-time role, or could be part of the duties of an existing C-suite executive, especially in smaller organizations.
The role will involve not just coordination when threats or incidents arise, but developing an understanding of all the assets that need to be protected, as well as defining different general threats and specific threats. The CBO can work with the chief risk officer, who already helps determine some aspects of risk and how those can affect revenue and profits. This will allow the company to take a truly big-picture view of what needs to be protected, across all of its operations and subsidiaries, no matter their geographic location, or position in the corporate structure. This will allow for more efficient and appropriate resource and budget allocations to protect assets. Rather than different departments having to compete with one another for funding, as often happens, the CBO will be able to make sure all assets are protected as needed. This will cut back on waste and make sure money is spent where it is truly needed most and will have the biggest effect on overall security.
The CBO can also continue to prioritize threats and the resources dedicated to them as the threat landscape evolves, bringing together all elements of security, including specialized cyber security professionals who can actively check for real-time threats.
A hybrid but united response to attacks
Not only are attackers using multiple methods to slip through different security realms, but the effects of cyber attacks are increasingly felt in the physical world. For example, when hackers attacked the Colonial Pipeline Co. last spring and shut down the largest source of fuel in the U.S., motorists, truck drivers and airlines were left scrambling for fuel. Hospitals, which have experienced a growing number of attacks that leave staff without access to medical records and other networks needed to treat patients, also experience serious physical and operational results from cyber attacks. Medical officials have blamed cyber attacks for increased patient deaths.
This means that the CBO also needs to develop holistic contingency plans, which are critical when an attack inevitably happens. A breach in one area often leads to a threat in another; for example, failing to pick up on the criminal background of a cleaner at the residence of Gantz led to a potential cybersecurity threat. The CBO should hold comprehensive drills, involving people from across the company and across the security spectrum, as well as experts with experience in government-level cybersecurity, who often take a more holistic approach.
This holistic approach to security is the only way to effectively protect an organization or company brand. Consumers, clients and employees increasingly expect physical and data security. By ensuring comprehensive security, brands and companies will protect their assets, as well as their reputation and, ultimately, their bottom line. They will likely also see a return on investment once they adopt this new approach.