The demands of a modern day security system are changing at pace as different technologies appear on the horizon. These rapid developments very often realise benefits for the procuring organisation by dint of inviting decisions to be taken by security and risk management professionals that were once simply not on the radar or even possible, as Alistair Enser discovers.
Traditionally, a physical security system would be based around a fixed set of rules pre-programmed into that system. These rules might include giving specific users access rights to doors and areas only at certain times, with these areas being monitored by video cameras and protected by alarm zones.
Systems in place might have been supplemented by multiple technologies including card and PIN readers or biometrics, verification using video analytics or manual authorisation by comparing a stored cardholder’s photo ID with a live video image. All of these systems were predominantly designed to prevent unauthorised access to physical areas and site assets.
It’s abundantly clear that, in our increasingly connected world, matters have moved on quite dramatically. When designing an electronic system, security professionals are now forced to consider how it fits within the broader IT environment. As is the case with all security decisions, a wise step is to first confirm the objectives of the system’s installation and identify precisely what it is that needs to be protected going forward.
Are the assets that require protection physical items such as buildings, property and the people that work and live within them? Or are we instead talking about data in the shape of payment information, valuable digital media assets, Intellectual Property or perhaps customers’ sensitive personal details?
It would be incorrect to view this as a binary choice. In reality, most organisations need to secure both realms. The threat in today’s world can invade either through the windows and doors or down a cable. Each can be just as damaging, with the two routes in fact inextricably linked. For their part, smart security managers are now looking as closely at the patterns of threatening behaviour as they are the specific type of behaviour itself.
View from the bridge
From a systems perspective it is, therefore, necessary to look at how we tie these worlds together. For example, by drawing on a wide range of technologies and multiple assets, it’s now possible for a security system to recognise that a regular employee is on their way to work. This might be achieved by calling upon connected devices and advanced analytics which will have already profiled a user’s normal journey time, route, speed and location and then tracked their location and progress into the office using a smart phone or other Internet of Things sensors.
By harnessing Artificial Intelligence (AI) and smart data analytics, the security system can begin to make assumptions and decisions around physical security rights that may be required. These might include switching on the air conditioning in the appropriate area of the office building before the user arrives, or to expect an entry event or alarm arming or disarming event ahead of it actually happening as the user makes it to the building.
Further, potential false alarms could be avoided by validating whether incorrect entry or incorrect disarming events represent user error or genuine attempts at a breach.
Response could be varied
Depending on the profile of the event, the combination of factors and the level of security, the response could be varied from false alarm through to operator query, validation or even full-on, AI-based autonomous decision-making, in turn meaning that the office could, in effect, manage itself.
Building on this approach, it’s now possible to pair multiple assets and credentials with a user and recognise if that user is moving in an unexpected fashion or their credentials are being used unusually. For example, if an end user has just entered their corporate head office building using access control, but their laptop has just made a connection attempt to the company’s VPN from a different location using a single sign-on key, this would create a query for investigation as a potential network hacking event.
Conversely, if what we should most probably call a security ‘ecosystem’ knows that a user’s currently logged on to their computer at home through their login and network activity, it should instantly query any attempted use of a physical security system in another location ostensibly orchestrated by the same individual. Even with the technology now available to us, it’s highly improbable that the same person can be in two places at once.
As has been well documented, a large and increasing proportion of electronic security equipment now sits on data networks, is connected externally and, in a great many cases, isn’t secure. This presents a huge potential risk. Imagine the irony that the very system in place that’s supposed to protect the end user becomes the conduit for a crippling cyber attack which serves to shut down critical business systems or puts sensitive customer data at risk.
Who would be responsible? Is it the security integrator, the product manufacturer or the end user’s own IT Department that would be to blame? How do residential users and SMEs that don’t even have an IT security policy or an IT Department plan for, or manage, a similar risk?
Security professionals need to ask themselves if the electronic security products upon which they rely are hardened to cyber attack. For example, have they been PEN-tested? They also need to ensure that these same products are installed on a secure network or, if not, at the very least make certain that installers are providing a secure network upon which to host them. If users are uncertain about any of these areas, then they need to ask themselves some difficult questions.
The glue that binds
Today’s forward-thinking security integrators and manufacturers have recognised the commercial opportunity that bridging the gap between the physical and cyber realms provides, and are now adding mobile credential management, network security, network asset mapping and tracking and even AI to their traditional ‘arsenal’ of products and services in a bid to provide a one-stop shop approach.
Of course, larger organisations may already have well-established security and IT infrastructures in place and, in these instances, there’s the potential for security integrators, consultants and manufacturers to bridge the two worlds. In effect, they’ll provide the glue that binds them together. This makes it easier to assign tasks and establish responsibility for the overall system and may even serve to eradicate the ‘blame culture’, as well as creating value-add information and services.
For SMEs without dedicated resources, however, the situation is somewhat less clear. However, many of today’s practising security integrators and consultants have already recognised this and, while they cannot necessarily offer a full IT service, they have chosen to partner with other organisations that can ensure information systems are suitably robust and safe from penetration.
Finally, security equipment manufacturers must ensure that their technology is sufficiently ‘open’ to allow integration and the connections essential for sharing information with the wider security ecosystem.
Bridge to the stars
Bridging physical and cyber security brings several issues to the fore for due consideration by security and risk management professionals.
First, careful thought must be given to what’s being protected and how the threat might manifest itself. Once this is determined, a suitable security system can be installed and might include traditional electronic security, network security or pattern and behavioural analysis driven by multiple events across multiple ecosystems.
One size clearly doesn’t fit all here, but as the examples provided beforehand make crystal clear, the benefits of an integrated system are significant, while the potential such a set-up offers is huge.
One thing’s for sure. As technology advances, the ability to connect and analyse a huge amount of data created by linked sensors and devices will continue to grow exponentially. We’ll have the opportunity to turn this into valuable information through data analytics and AI without requiring exponential amounts of human intervention. From this, we will then create more intelligent systems.
Is your organisation ready to transform?
Alistair Enser is General Manager of STANLEY Products and Technology