Physical security definition

Physical security is the protection of people, property, and physical assets from actions and events that could cause damage or loss. Though often overlooked in favor of cybersecurity, physical security is equally important. And, indeed, it has grown into a $30 billion industry. All the firewalls in the world can’t help you if an attacker removes your storage media from the storage room.

The growing sophistication of physical security through technologies such as artificial intelligence (AI) and the internet of things (IoT) means IT and physical security are becoming more closely connected, and as a result security teams need to be working together to secure both the physical and digital assets.

Why physical security is important

At its core, physical security is about keeping your facilities, people and assets safe from real-world threats. It includes physical deterrence, detection of intruders, and responding to those threats.

While threats can also come from environmental events, the term is usually applied to keeping people – whether external actors or potential insider threats – from accessing areas or assets they shouldn’t. It could be keeping the public at large out of your HQ, on-site third parties from areas where sensitive work goes on, or your workers from mission-critical areas such as the server room.

Physical attacks could be breaking into a secure data center, sneaking into restricted areas of a building, or using terminals they have no business accessing.
Attackers could steal or damage important IT assets such as servers or storage media, gain access to important terminals for mission-critical applications, steal information via USB, or upload malware onto your systems.

Rigorous controls at the outermost perimeter should be able to keep out external threats, while internal measures around access should be able to reduce the likelihood of internal attackers (or at least flag unusual behavior).

One of the most common errors a company makes when approaching physical security, according to David Kennedy, CEO of penetration testing firm TrustedSec, is to focus on the front door. “They'll put all of the security in the front door; surveillance cameras, security guards, badge access, but what they don't focus on is the entire building of the whole.”

Smoking areas, on-site gym entrances, and even loading bays may be left unguarded, unmonitored and insecure, he says. Turnstiles or similar barriers that have movement sensors on the exits can also easily be opened by putting a hand through to the other side and waving it around.

While the cost of successful digital attacks keeps increasing, physical damage to your assets can be just as harmful. One notorious example of physical security failing saw a Chicago colocation site robbed four times in two years, with robbers taking 20 servers in the fourth break-in.

Scope of physical security risks

The pandemic, civil unrest related to the January 6 insurrection, and an increase in gun violence have made CISOs and other executives more concerned about physical security, including the well-being of themselves and their employees.
That's according to the 2021 Mid-Year Outlook State of Protective Intelligence Report from the Ontic Center for Protective Intelligence.

The report, which is based on a survey of 300 physical security decision makers, CISOs, CIOs, CTOs, and other IT leaders, emphasizes four areas of concern over physical threats:

Business continuity: Unmanaged and rising physical threats increase corporate risk and potentially could impact business continuity. The report recommends companies invest in physical security to mitigate violent threats.

A larger threat landscape: Intelligence failures put executives and employees at risk of physical harm or supply chain damage or property theft by insiders. Seventy-one percent of respondents said the physical threat landscape has "dramatically" changed in 2021.

Lack of unification between physical and cybersecurity: Most respondents (69%) said that unifying cyber- and physical security could have helped avoid incidents that resulted in harm or death at their organizations. This includes having a single platform to identify and communicate threats.

Unexpected challenges: Compared to an earlier study, some of the key challenges IT and security leaders faced in 2021 were not the ones they expected to have when asked in 2020. Those challenges include regulatory compliance reporting and demonstrating a return on investment in physical security.

Overall, 64% of respondents reported an increase in physical threat activity so far in 2021, while 58% say they feel less prepared to handle physical security for their organization.

Physical security principles and measures

Physical security largely comes down to a couple of core components: access control and surveillance.

Access control

Access control encompasses a large area that ranges from basic barriers to more sophisticated measures such as keypad, ID card or biometrically restricted doors.

The first line of defense is the building itself--the gates, fences, windows, walls, and doors.
Locking these, adding deterrents such as barbed wire, warning signage, and visible guards will put off most casual attempts on your locations.

Access control systems are many and varied, and each has its own pros and cons. Simple ID card scanners might be cheap, but the cards are easily stolen or forged. Near-field communication (NFC) or radio-frequency identification (RFID) cards make forging harder but not impossible. Embedding NFC chips in workers – something that is reportedly becoming a trend in Sweden and drew ire from workers unions in the UK – is also a way to reduce the chance of card loss.

“RFID badges are easily cloneable,” warns Kennedy. “Instead, use magnetic strips where you actually have to swipe and maybe use a second form of authorization like a PIN number.”

Biometric security is also a common option to secure both facilities and devices. In theory our unique body identifiers – whether fingerprint, iris, face or even your pulse – are harder to steal or fake than any cards. A report from ABI Research predicts the use of biometrics will only increase in the future. Fingerprint remains the most common method, but ABI suggests it will be augmented with a growth in face, iris and pulse.

“I haven’t seen a whole lot of facial recognition in companies yet, but stay away from biometrics,” says Kennedy.
“A lot of people want to move to that but there's a lot of issues.”

Fake fingers can overcome fingerprint readers, photos or masks can be enough to fool facial recognition, and German hacking group Chaos Computer Club found a way to beat iris recognition using only a photo and a contact lens.

Surveillance

Surveillance includes everything from guards on patrol, burglar alarms and CCTV to sound and movement sensors and keeping a log of who went where.

At more high-risk locations, companies can deploy far more sophisticated detectors such as proximity, infrared, image, optical, temperature, smoke and pressure sensors to maintain a holistic view of their facilities.

IoT and AI bring physical security into the digital world

Where physical security and digital security used to be entirely separate realms, they are slowly becoming more and more intertwined. Surveillance systems are increasingly connected to the internet, access control systems and monitoring systems are keeping digital logs, while use cases for AI in physical security are becoming more popular.

For example, CCTV-based image recognition can alert you to the arrival of people or vehicles. In more sophisticated systems, facial or even walk recognition is possible across entire facilities and can let you know if an unknown person is on-site or a worker is somewhere they shouldn’t have access to. Behavioral analytics tied into access controls can alert you to unusual behavior. Companies are also beginning to use drones for facilities surveillance, and increasingly drone manufacturers are looking to add automated, unmanned capabilities.
According to research from Memoori, AI-based video analytics could “dominate” physical security investment over the next five years.

“Over the last two years the focus has really shifted from just health and safety to also information security as well to try to really protect all the information as well as the physical location itself,” says TrustedSec’s Kennedy. “We're very much seeing the convergence of physical and logical security together; if you're doing a badge access swipe in New York but you're logged in through a VPN in China, that's a way in which to detect potentially malicious activity is going on and use physical data to help provide intrusion analysis in your environment.”

Bringing physical and IT security teams together

However, this growth in physical security technology means IT and physical security need to operate more closely. Digital logs need to be processed, stored and presented to the right people. AI models may need to be created and systems trained. Importantly, all internet-connected devices need to be properly secured.

“Physical security systems are no longer just a sensor that reports back to the user whether it detects motion or not,” says Kennedy. “These are heavily technological systems that are just increasing every year in sophistication. However, the security providers are often device manufacturers first and now they want to get into the whole IoT business so they're really a development shop second. And what we're finding with these devices are actually introducing more exposures than those closed off systems than we've seen in the past.”

These devices can often be hacked remotely. CCTV cameras, for example, made up a large portion of the Mirai botnet used to take down Dyn in a major DDoS attack in 2016.
If your sensor networks are not adequately segmented and protected, a flaw in one device can allow an attacker to disable a range of your security processes.

“The technology these companies are starting to implement is very promising and really with the mindset of trying to stop people from breaking into buildings, but they're still immature in the development cycle and it's going to take a long time to fix,” says Kennedy.

As a result of this growing convergence of the physical and digital, physical and IT security are becoming increasingly merged in cross-functional teams, with some companies creating security operation centers (SOCs) that deal with both types of security.

“A limited number of businesses do converge both operations centers,” says Steve Kenny, industry liaison of architecture and engineering at physical security and video surveillance provider Axis Communications. “But at the moment much of the focus is around the convergence of control centers; rather than have several CCTV control centers around the UK they'll just have one big one to improve operational efficiency.”

Even if the two teams are not merging into one large function, Kenny says it is still important that the two work together and have shared responsibility. “The cyber criminals don't care what the roles and responsibilities are for an individual, and the different departments can speak completely different languages.”

Having CSOs responsible for both physical and IT security, Kenny says, can bring the different teams together to help raise security across the organization. Given that the EU’s GDPR requirements include physical security, ensuring all teams are aligned and working towards the same goal is essential.

Social engineering and physical security

It’s an old adage that you can get in anywhere wearing a high-vis jacket and carrying a ladder, because people are inherently trusting and want to be helpful.
And penetration testers often try to gain onsite access during intrusion simulations by impersonating builders, cleaners, or even IT support workers.

“Our easiest way by far to get in is just walking to a location you see employees going into wearing a suit,” says Kennedy. “I'll wear a suit to impersonate an executive and walk in behind somebody that is casually dressed because nine times out of 10 they are not going to question who I am because of level of importance. They don't want to cause any disruptions or challenge somebody that may be of higher authority to them.”

At a branch office of a financial organization, Kennedy was able to gain access just by saying that he was from corporate IT there to update the servers. In another case, a story about fixing a server crash was enough to convince a guard at an electricity company’s office that two men who were wearing black and sneaking around at 3 a.m. were legitimate employees.

Given the major human element involved in such attacks, they can be hard to defend against. The best security technology will fail if your employees allow friendly but unverified people in places they shouldn’t have access to. Employee education and awareness is key to reducing the potential threat of social engineering.

Physical security policies

While the scale and sophistication of your controls and monitoring will vary depending on location and need, there are best practices that can be applied across the board to ensure a robust physical security posture.

Take a risk-based approach and do your research. Map your risk profile and put in appropriate controls. Don’t employ a team of armed guards where a simple card lock with CCTV will do. “A supplier needs to protect themselves in order to protect their customers so supply chain due diligence is a must,” says Kenny.
“Who are we working with, what sort of internal processes and policies do they follow, what frameworks do they follow around hardening systems?” Make sure that the people you're buying technologies from understand the risks and have things in place like vulnerability management programs and security advisory notifications if something does go wrong.

Make sure access controls are tied to people and customize access. Each ID card or keycode should have a unique person tied to it. Blanket access cards or codes make data leaks more likely and harder to track. If your facility has strict schedules, ensure access is tied to times--for example, no overnight access for caterers.

Have audit trails and keep inventory. Keep logs of not only who accessed what, but also of attempts. Repeated failed attempts to access might signal bad actors. Know who is in possession of all cards, keys and other access items. Revoke access if a card is lost or when employee circumstances change. Claim back keys as soon as possible if someone leaves.

Educate staff to follow protocol for dealing with guests. People are usually friendly and want to help. Teaching employees – including guards – to keep a healthy skepticism, follow proper procedure, and not give out too much information can reduce the chance of your own workers being used against you. Ensure IDs are checked and pre-planned visits are made known, and have processes for dealing with unexpected visitors. Ensure that visitors aren’t left alone in sensitive areas. “Educating your employees is always a good idea to ensure they don't feel afraid to challenge somebody that is not wearing a badge,” says TrustedSec’s Kennedy. “As is communicating to employees to remove their badge to their pocket when they're going out of the building [to prevent cloning or copying].”

Test your capabilities and processes. Run simulations; try to gain access to your own facilities.
In the same way companies will often send out fake phishing emails as a test of workers' attention to detail, see if your workers give out information over the phone or let unverified guests in.
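
The badge-swipe and VPN correlation Kennedy describes, together with the audit-trail and scheduled-access policies above, can be written as simple detection logic over access-control and VPN logs. The following is an added example, not code from the article or from any vendor; the log layout, badge IDs, names, thresholds and time windows are all constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample data (assumed log layout, not from any real system).
BADGE_OWNER = {"B-1001": "alice", "B-1002": "bob", "B-2001": "catering-1"}
BADGE_EVENTS = [  # (time, badge, door, country of the site, result)
    ("2024-03-04T08:58:00", "B-1001", "NYC-lobby", "US", "granted"),
    ("2024-03-04T09:05:00", "B-1002", "NYC-lobby", "US", "granted"),
    ("2024-03-04T23:40:00", "B-2001", "NYC-server-room", "US", "denied"),
    ("2024-03-04T23:41:00", "B-2001", "NYC-server-room", "US", "denied"),
    ("2024-03-04T23:43:00", "B-2001", "NYC-server-room", "US", "denied"),
]
VPN_LOGINS = [  # (time, user, country resolved from the client IP upstream)
    ("2024-03-04T09:20:00", "alice", "CN"),
    ("2024-03-04T09:30:00", "bob", "US"),
]
ALLOWED_HOURS = {"B-2001": (6, 18)}  # badge -> [start, end) hour; unlisted = any
ts = datetime.fromisoformat

def location_conflicts(badges, vpns, owners, window=timedelta(hours=2)):
    """Granted swipe and VPN login from a different country within `window`."""
    return [(user, door, src)
            for bt, badge, door, site, result in badges if result == "granted"
            for vt, user, src in vpns
            if owners.get(badge) == user and src != site
            and abs(ts(vt) - ts(bt)) <= window]

def repeated_failures(badges, threshold=3, window=timedelta(minutes=10)):
    """Badge/door pairs with `threshold` or more denied swipes inside `window`."""
    denied = {}
    for bt, badge, door, _, result in badges:
        if result == "denied":
            denied.setdefault((badge, door), []).append(ts(bt))
    flagged = []
    for key, times in denied.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(key)
    return flagged

def off_schedule(badges, allowed):
    """Any swipe, granted or denied, outside the badge's permitted hours."""
    return [(badge, door, bt) for bt, badge, door, _, _ in badges
            if badge in allowed
            and not allowed[badge][0] <= ts(bt).hour < allowed[badge][1]]

if __name__ == "__main__":
    print(location_conflicts(BADGE_EVENTS, VPN_LOGINS, BADGE_OWNER))
    print(repeated_failures(BADGE_EVENTS))
    print(off_schedule(BADGE_EVENTS, ALLOWED_HOURS))
```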