February 28, 2024

Innovation & Tech Today


Buyer’s guide: The Top 50 Most Innovative Products
Photo by Pixabay via Pexels

How to Bridge the Gap Between Cybersecurity and Physical Security

Companies are rapidly realizing that cybersecurity and physical access control are integral aspects of their daily operations. As the risk of physical threats and cyberattacks increases, the consequences become more destructive. Human error remains a major culprit, and cybersecurity awareness training (CSAT) is indispensable across the organization. But this doesn’t just mean teaching employees how to identify phishing attacks or avoid clicking on malware – it also means integrating your approach to cybersecurity with the measures you take for physical security. 

Developments in recent years have made physical security and physical cybersecurity an increasingly urgent priority: the massive influx of Internet of Things (IoT) devices, the shift to remote and hybrid work, and the multiplying intersections between the digital and physical worlds. From a stolen flash drive to unauthorized access to an office or server room, there are many ways physical security breaches can end up infecting an organization’s entire network. This is why employees must be familiar with best practices around physical security and aware of how cybercriminals can strike in tangible ways. 

When employees learn about these breaches and how they could have been prevented, they’ll be in a much stronger position to protect the company from physical cyber threats. 

Physical Security Has Never Been More Important

There’s a long history of hackers breaking into secure systems and inflicting immense damage by exploiting physical vulnerabilities. To take one of the most prominent examples, the Stuxnet worm which targeted Iranian nuclear centrifuges over a decade ago was likely delivered via a USB plugged in on-site. In the years that followed, cybercriminals built upon Stuxnet and used modified versions of the technology to attack critical infrastructure and other targets. 

Threats from compromised flash drives have also increased in recent years. A 2022 report published by Honeywell found that cyber threats capable of propagating through flash drives shot up from 19 percent in 2019 to 52 percent in 2021. As cybercriminals have demonstrated their willingness and ability to use physical attack vectors, the number of those attack vectors is rising. Many of these devices (such as “smart” home products) don’t have robust security protocols and can put other devices on their networks – like a work computer – at risk. 

Finally, there’s the explosion in travel demand and the permanent shift to remote and hybrid work. While business travel hasn’t rebounded as quickly as leisure travel, it’s coming back as well. This means there are more employees working from airports, hotels, and coffee shops around the world – an irresistible opportunity for cybercriminals. 

Why CSAT Is Essential to Build Physical Cybersecurity

Cybersecurity depends upon well-trained employees knowing how to identify and prevent cyberattacks – the latest Verizon Data Breach Investigations Report (DBIR) found that almost three-quarters of all breaches involve a human element. But the same principles behind much of cybersecurity awareness training apply to physical security.

If an employee loses a company keycard, the key card could fall into the wrong hands. In turn, this may lead to a physical security breach or an unauthorized party gaining access to a restricted space. Additionally, key cards and access badges can be cloned, so it’s important to make sure employees are properly educated about keeping these items safe. If all else fails, having a robust, cloud-based access control system capable of providing instant notifications is essential. Such systems provide updated features to define user access, receive detailed alerts, and integrate with your other security tools.

It’s no surprise that physical security professionals are taking a more active interest in cybersecurity. According to a 2022 report published by the Ontic Center for Protective Intelligence, 96 percent of physical security, legal, and compliance leaders agree that “cybersecurity and physical security must be integrated or else both cyber and physical threats will be missed.” 

Take stolen credentials, for instance – the Verizon DBIR found that this is the top action variety in successful breaches, and there are many ways cybercriminals can physically gain access to credentials. Flame is spyware capable of logging keystrokes, and it relies on USB infiltration. Cybercriminals can set up dummy WiFi networks in public places, which give them access to users’ credentials. And bad actors can get wide-ranging access to credentials by eavesdropping or stealing an unlocked device. They can even get direct access to a company’s servers by stealing a lost keycard or employee ID – or just sneaking onto company premises. 

Just as cybercriminals relentlessly exploit employee errors via digital communications, they do the same in the physical world.  

Photo by Tima Miroshnichenko via Pexels

How Companies Can Build Up Their Physical and Cyber Defenses

The prevalence of physical and cyberattacks is yet another reminder that companies have to consistently reinforce the importance of proactive cybersecurity awareness among their employees. Companies can’t provide a couple of rudimentary awareness training courses per year, check the cybersecurity box, and move on. Employees need to see how fundamental cybersecurity has become to their daily activities – whether they’re in the office, working from home, or on the road. 

CSAT should focus on device security, an awareness of cybercriminal tactics like the deployment of USB malware, and the proper use of cybersecurity tools like VPNs. For example, employees should never use public WiFi without a VPN, which automatically encrypts data and hides the IP address of users. This allows employees to work in public places without the risk of their credentials being compromised. While phishing is one of the top strategies used by cybercriminals, employees may not be aware of the ways in which cybercriminals go phishing in the physical world. QR code phishing is when bad actors stick a malicious QR code over a legitimate one at a store or restaurant, which infects devices when employees click on the link. 

Strengthening Your Physical Security

To stay secure, IT and security teams must also invest in their physical security. Cloud-based access control systems help administrators monitor their facilities and grant the correct personnel access while keeping bad actors away from important spaces. With a cloud-based system, IT and security teams can enjoy the benefits of working on or off-site, easy scalability, and the latest features to keep their facilities safe. Additionally, cloud-based access control easily centralizes your other important security programs and hardware by using API integrations. These API integrations connect video management, visitor management, identity, and other systems using a simple API key. 

Employees won’t have a full sense of cybersecurity awareness without understanding the overlap between the physical and digital worlds. As the lines dividing these worlds become blurrier, it will be more important for companies to make physical cybersecurity a core priority.

By Matt Lindley, Mike Maxsenti

By Matt Lindley, Mike Maxsenti

Matt Lindley is the COO and CISO of NINJIO, and he has more than a decade and a half of experience in the cybersecurity space. Prior to NINJIO, Matt was the CEO of REIN Cybersecurity, LLC., the senior technology manager and director of security services at Cal Net Technology Group, and the virtual CIO at Convergence Networks. He has held many other leadership positions in the industry, and he's an authority on IT, security, and a range of other issues.

Mike Maxsenti is the General Manager of Genea Access Control and founder of Sequr, which was acquired by Genea in 2019. Mike heads up Genea's access control operations by helping enterprise companies and property teams automate access control and security management. Mike was born and raised in Orange County, CA, and graduated from the College of Charleston.

All Posts






* indicates required


We hate spam too. You'll get great content and exclusive offers. Nothing more.



Looking for the latest tech news? We have you covered.

Don’t be the office chump. Sign up here for our twice weekly newsletter and outsmart your coworkers.