In the spirit of Cybersecurity Awareness Month, business leaders must be mindful to secure their workplaces, whether that workplace is remote, in an office, or in a hybrid model. Return-to-office (RTO) mandates have been gaining momentum post-Labor Day, with some surveys showing a whopping 90% of companies are planning to implement RTO policies by the end of 2024.
This signals a shift in the way organizations approach work in a post-pandemic world. Three years after the onset of the pandemic, businesses are still grappling with security concerns as they navigate the challenge of securing employees working from various locations and devices. A flexible work approach is emerging as the norm, with employees having the freedom to work from various locations. Business leaders need to recognize that this shift necessitates a comprehensive approach to cybersecurity that bridges the gap between physical and digital security.
The Evolving Landscape
The relationship between information security and physical systems is growing closer each day. Organizations can leverage the vast amount of data now at their disposal to solve problems across the spectrum. A practical approach that focuses on solving “real world” problems can make working with all data—from every system—more manageable.
Historically, operational technology (OT) systems lived in their own environments; now they are getting networked. This transformation has led to data inputs being physical and virtual, with so much data available and so little being understood. Now, information technology (IT), OT, facilities management (FM), and security are intersecting in today’s modern working environments.
These integrated systems encompass several types of data, including:
- Physical security systems, capturing data such as badge reader access logs (identifying who accessed, when, and where), camera motion logs, and glass-break sensor alarms.
- Facilities systems, which record data related to HVAC and fire suppression systems.
- Asset management systems, providing insights into equipment use logs (identifying who used equipment, when, and where), vehicle usage, and mileage records.
- OT systems, which generate industrial control system logs.
These systems provide a lot of valuable data. However, this information is frequently ignored, or is never understood or used. This poses the risk of the workplace’s physical and digital aspects being targeted in attacks.
Securing Diverse Work Environments
As employees work from diverse locations, securing both the digital and physical aspects of the workplace becomes crucial. Modern workplaces offer a variety of spaces for employees to choose from, and ensuring the safety of these spaces is paramount. Integrating physical and cybersecurity measures is essential, as attackers can exploit gaps in security when employees work from various locations.
Additionally, the safety of employees is impacted by the workplace’s digital and physical aspects, whether it is due to a cyberattack or operational outage. Smart, physical assets that operate a building must be protected operationally, whether employees are in the building or not.
The convergence between physical and digital security has been a long time coming, and it remains an essential need that was left unaddressed even in the pre-pandemic world. Before, there were numerous opportunities for integrating physical and digital security to mitigate cyberattacks, enhance facility security, and prevent operational disruptions. This need has become even more pressing in the current landscape, where the concept of working from a fixed location has blurred.
Employees now work in diverse settings, including homes, offices, coffee shops, or co-working spaces. While it might not always be feasible to integrate the physical aspects of these spaces, especially if they are unfamiliar, there is a valuable opportunity to integrate the physical and informational behaviors of employees as they move between facilities or operate in specific environments.
Best Practices for Enhanced Security
There are simple ways for anyone in any area of an organization to become more vigilant:
- Integrating IT, OT, FM, and security ensures a comprehensive view and a thorough understanding of the overall situation.
- Using security platforms for monitoring helps identify threats and recognize operational issues.
- Comparing current behavior against established baselines is an effective strategy for securing systems.
- Building simple use cases helps address common operational and security challenges.
- Taking the time to gain a deep understanding of the diverse array of available data is crucial.
- The convergence of IT, OT, and FM can be further optimized by implementing IT best practices within your systems, which may include network segregation, multi-factor authentication, encryption, and robust detection and response controls.
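The baseline comparison recommended in the list above, applied to the badge reader access logs (who, when, where) described earlier, as an added example that is not from the article. The CSV layout, user names, door names, and the one-hour slack are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample data: historical badge reader log (who, when, where).
HISTORY = """user,timestamp,door
alice,2024-09-02T08:55:00,HQ-Lobby
alice,2024-09-02T09:05:00,HQ-Floor3
alice,2024-09-03T08:47:00,HQ-Lobby
alice,2024-09-04T17:40:00,HQ-Floor3
bob,2024-09-02T07:30:00,HQ-Lobby
bob,2024-09-02T07:35:00,HQ-PlantRoom
bob,2024-09-03T16:10:00,HQ-PlantRoom
"""

# Constructed sample data: the day being checked against the baseline.
TODAY = """user,timestamp,door
alice,2024-10-01T09:02:00,HQ-Lobby
alice,2024-10-01T02:14:00,HQ-Floor3
alice,2024-10-01T10:30:00,HQ-PlantRoom
bob,2024-10-01T07:41:00,HQ-PlantRoom
carol,2024-10-01T11:00:00,HQ-Lobby
"""

def parse(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["user"], datetime.fromisoformat(row["timestamp"]), row["door"]

def build_baseline(text):
    """Per user: the doors previously used and the hours of day seen."""
    base = defaultdict(lambda: {"doors": set(), "hours": set()})
    for user, ts, door in parse(text):
        base[user]["doors"].add(door)
        base[user]["hours"].add(ts.hour)
    return dict(base)

def find_deviations(baseline, text, slack=1):
    """Flag events that fall outside a user's established behavior."""
    findings = []
    for user, ts, door in parse(text):
        if user not in baseline:
            findings.append((user, door, "no baseline for user"))
            continue
        b = baseline[user]
        if door not in b["doors"]:
            findings.append((user, door, "door not in baseline"))
        # Assumed tolerance: 'slack' hours around the earliest/latest hour seen.
        if not (min(b["hours"]) - slack <= ts.hour <= max(b["hours"]) + slack):
            findings.append((user, door, "outside usual hours"))
    return findings
```

The same comparison extends to the other data sources the article lists, such as equipment use logs, by swapping the door field for the asset identifier.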
The Future of Digital and Physical Security
The convergence of digital and physical security represents a strategic shift in the way organizations protect their assets and data. By safeguarding FM systems and implementing stringent access controls, businesses can bolster their overall security posture, providing protection not only for their employees but also for their valuable assets.
Leveraging the data within an organization’s systems empowers business leaders to address a diverse array of challenges within the facilities landscape, extending beyond cybersecurity issues to encompass physical and facilities-related problems. By aligning these traditionally distinct domains, organizations are better equipped to defend against cyberthreats while concurrently ensuring the safety of physical environments.
James Carder is the chief information security officer at global worktech company Eptura. Carder has over 25 years of experience in corporate IT security and consulting for the Fortune 1000 and U.S. government. He is a frequent speaker at cybersecurity events and a noted author of several cybersecurity publications. Carder is an Advisory Board member for the University of Colorado Denver, PlexTrac, TruKno, Coalfire, Circle Systems, Resurface Labs, Cyber Sainik, and the Identity Defined Security Alliance (IDSA); a Certified Information Systems Security Professional (CISSP); former ICIT Fellow; and a member of the Forbes Technology Council.