
How CSOs and CISOs Can Bridge the Gap Between Physical and Cybersecurity

Throughout the pandemic, the growing need for companies to rely on digital infrastructure has given CSOs and CISOs plenty of reasons to worry about cybersecurity. The problem is, physical threats like those that come through the mail often go unnoticed, with disastrous results. A physical device hidden in a seemingly innocuous package can introduce malicious code into your network. A cyberthreat that comes by way of a physical device is known as a “phygital” threat.

Phygital threats can take a variety of forms, including “warshipping,” a sort of Trojan horse strategy in which physical devices are used to hack into digital infrastructure. These devices can be sent through the mail or smuggled in by outsiders or disgruntled employees. Warshipping devices range from USB drives to Wi-Fi network adapters to mini computers. Once on site, these devices can log into local Wi-Fi networks to install malware or access sensitive data.

What’s more, these devices are really inexpensive. For less than $100, hackers can break into a network just by sending a package in the mail. The accessible nature of launching a phygital attack means that every company is at risk.

CSOs and CISOs around the world have been paying attention and are realizing the necessity of coordinating both physical and digital risk with the same security strategy. Phygital threats require responses that bridge both physical and digital security.

Threats on all sides

At the start of this year, the FBI put out a warning regarding mail packages that contained USB devices that hold malicious code disguised as important information. Many unsuspecting employees have plugged these devices in and granted unauthorized access to critical information systems. But USBs aren’t necessarily the most dangerous phygital items coming through the mail. After all, someone has to plug a USB drive in before it can proliferate malicious code.

The increased usage of smart devices—physical items that are internet-enabled—has brought additional complexity to phygital security. Hackers can now use a smart thermostat or a digital fitness device and connect it to a local network to access sensitive information. Or they could use a Raspberry Pi, a mini computer that hackers can easily send through the mail to gain access to your systems. Unfortunately, many packages mailed to companies sit for days or weeks in mailrooms or on desks—especially in these days of remote and hybrid work—within easy reach of servers and other critical digital infrastructure.

Defense against phygital threats

So what can you do to protect your company against phygital threats more effectively? The answer is to strengthen both internal and external security measures.

Internal security

Ultimately, it’s up to individual companies to provide security for their own systems. And one area that’s seriously lacking is mail security. The onset of hybrid work brings additional challenges: since many employees are constantly in and out of offices, mail is often left unattended. Finding and neutralizing mail threats in all the chaos of the new workplace is nearly impossible without the right tools.

CSOs and CISOs need to be aware of what potential threats might be sitting on a desk within their companies. Consider implementing scanning measures for all incoming mail as soon as it’s received. For example, companies can use a 3D mail scanner to check packages for potential threats. Companies can also consider bringing in trained dogs to sniff out suspicious packages, although not every company has the resources to do so.

Also, keep in mind that every person who comes into your company could potentially be carrying one of these phygital hacking devices. If you feel that your company is at sufficiently high risk of such an attack, it might make sense to implement tighter security measures and search procedures for employees, and stricter limits on who can enter your company and when. A minor inconvenience is a small price to pay when you’re talking about preventing millions of dollars in lost data and productivity.

External cybersecurity

External cybersecurity relies on collaboration, often with other companies and even competitors. Working collaboratively, while counterintuitive, also provides huge benefits that can offset the risks and help you respond better to vulnerabilities and attacks.

One major hurdle is the potential cost. Without knowing if or when a phygital attack will happen, companies are reluctant to spend on security measures. As this paper from Deloitte explains, many companies don’t have the resources to devote to additional security measures. And when attacks do occur, victim companies are often too concerned with protecting their brands to share with others information about how the attacks occurred.

Putting aside narrow short-term interests for more proactive security measures will ensure protocols are effective in managing the multiple levels of security threats. With proper buy-in and collaboration, CSOs and CISOs from different companies can share security information and together develop new security procedures. Working with other companies allows you to create operational protocols across industries and groups to prevent large-scale attacks.

As the world becomes more digitally integrated, hacker groups will continue to take advantage of the physical blind spot that many companies have to launch attacks against digital infrastructure. The challenge for CSOs and CISOs alike is whether they can cover both physical and cyber points of entry. The goal should be to get to the point where the answer is an overwhelming “yes”.