Security blind spots

Michael McKinnon examines the convergence of cyber-physical security, and how security blind spots are often overlooked due to a heavy focus on cyber-related threats. 

One of the worst questions a board member or director can ask is: “Are we secure?” – at least, it is according to Michael McKinnon. The CIO of Tesserent explains the importance of taking a holistic approach to security, and shines a spotlight on common security blind spots.

When it comes to convergence and considering security holistically, are we disproportionately allocating resources to cyber and, in turn, creating blind spots for ourselves?

There are some enormous blind spots when it comes to physical security. One is the way organisations are managing the problem through their structure and their reporting lines. But I think what also happens is that when people focus on cybersecurity, they’re thinking of the latest ACSC report or the latest report from some cybersecurity vendor. They’re often looking at statistics and information that are an aggregate of bad stuff that’s happening to organisations, all rolled into one report.

Where it gets lost is that what your organisation is protecting might be very different to the lowest common denominator of threats and risks that are out there. So, if we’re talking about something like ransomware – sure, most organisations have some exposure to that. But then what about on the physical security front? There are organisations that have very specific risks and very specific areas of concern that may relate to their physical security exposure, much of which they may not even be addressing because their eyes are on the ransomware ball.

One of the things we’ve seen in this industry is this idea of people who want to be helpful, but who also don’t want to be a hero. They’re not going to stand in the way of someone they believe is doing something malicious because it’s either too hard or they don’t get paid enough. But security as a culture has to be embedded in the business somehow, through that awareness training – is that a challenge?

Absolutely. What you’re talking about there is known as the ‘bystander effect’. There have been lots of experiments where someone simulates mugging a person while people are just walking by on the street. And, of course, most people just walk by – they don’t want to get involved, right? It’s very hard for us; we just want to follow the crowd. There’s this inherent part of us that wants to do that.

A couple of other experiments I’ve seen were on the BBC production The People Watchers. They set up this scenario where they had people just walking along the street and there was a rubbish bin. They had put some litter on the ground and they were asking people as they were walking by if they could pick up the rubbish and put it in the bin. So, they’re giving them an instruction. But the experimenters had different attempts while dressed as different types of people.

So they were at times dressed as a homeless person, a medical professional, someone in a fancy suit, someone dressed normally, and someone in a hi-vis vest. Ultimately, the hi-vis vest won, because what they realised was that people have this notion of safety as soon as they see a hi-vis vest. You can exploit those biases and scenarios where people will follow a simple instruction just based on what the ‘attacker’ or the person sending the instruction is wearing. It can come down to minute behavioural things like that sometimes.

Some studies have also shown, for example, that just having a picture of human eyes visible in a public space can actually reduce theft. So councils in different parts of the world have actually put up signs next to a bicycle stand in a public area with nothing more than a painted picture of human eyes. That alone is enough to reduce the incidence of theft by a certain percentage. Little things like that can exploit the human condition.

What are your general observations of the security market in Australia right now? How are people thinking about the risk, the importance or the amount of airtime it’s getting at the board level?

I like to use the words of Darren Kane, Chief Security Officer at the NBN, who I really respect in our industry. He’s a real fan of converged security and this notion of having a single reporting chain for your physical and cyber security. He has this great saying: “We’ve won the war.” The boards and the executives, they get it and they understand cyber as a risk. There’s no question about that. We can probably educate them a little bit further down the road about the whole physical and converged issue, and I think that will unfold over time.

But there are still a lot of CISOs and security managers who are focused so much on the virtual aspect of cyber, on protecting the information and the data, that they’re just completely missing the obvious scenario around someone being able to gain easy physical access to an environment. It’s a bit of a bright, shiny object phenomenon where it’s easy to focus on all the news headlines about the latest ransomware case and all of those things. You do need to protect your organisation against them, but you need a much more holistic approach, and you need to start with the boring part: the risk assessment.

That means doing the due diligence to look at what your organisation is doing. What is its mission? What are its short and long-term objectives? Who are the threat actors who might be coming after you, who might be seeking to cause you harm? And what can you do about those problems across all the domains, including physical security?

If you were to leave one closing thought for organisations looking to improve their cyber–physical posture right now, what would it be?

Don’t forget about your people. Build some kind of awareness around what you’re trying to do.

There’s also a particular point I’d like to convey here around that human-vulnerability side. I’ll give you an example. We hear a lot of people say, “Don’t click on unfamiliar links” and “Don’t click on bad things”, right? But how does the average person not do that in the heat of the moment, or when they’re snowed under with a huge workload and they’re cranking through emails one after another? How are they going to ever do that effectively? The answer is, they can’t.

It’s often better to give them advice that is more tailored, something that gives them a sense of intuition. In other words, if it doesn’t feel right, then ask for a second opinion. Another great way is to gamify it. Build a process where you reward people when they report suspicious links. Drive that behavioural change.

Despite all that, you do have to wrap some type of technology around your humans because that is the ultimate failsafe. But you need to get the balance right between awareness and technology controls.
