G4S’ Rachelle Loyear points to several risk data points from ISACA’s recent State of Enterprise Risk Management survey, offers tactics to improve risk mitigation efforts and shares tips for learning from past industry trends.
If you keep tabs on trends in cybersecurity, you’ll have noticed a lot of stories in the last year or two focusing on the Industry 4.0 concept — the trend toward the automation and digitization of processes that have traditionally been done by humans. The big story in security news is, of course, that the rush to adopt automated approaches often misses one critical factor in the plan — cybersecurity — and now enterprises and security teams are scrambling to back-fill security holes that were not considered ahead of implementing the “next cool thing.”
Although the earliest adopters of the digitized Fourth Industrial Revolution were in manufacturing, the drive to digitize and automate is now ubiquitous — in everything from ordering a burger to checking into a hotel to calling your smart car to drive itself from its parking spot and pick you up (valet parking without the tip!). This is the vanguard of a trend that is not slowing down, but is heading directly for the security industry. Anyone who has been to an industry trade show recently can see this trend based on the number of intelligent and automated products available. This movement is bringing the security industry into the world of Security 4.0, whether we are prepared to meet the risks associated with it or not.
Some good news, based on the results of the State of Enterprise Risk Management research from ISACA, CMMI Institute and Infosecurity: The security industry seems to be aware of the approaching security digitization storm.
Let’s look at some of the trends in the survey:
- 64 percent of respondents said that, in the near term, their companies would be exposed to risks from changes/advances in technology (e.g., increased use of cloud, increased use of mobile, etc.).
- Adding together cybersecurity and technology risk, 35 percent of respondents see those digitization-related areas as the largest risk exposure to their organizations today. That number is at 41 percent for those two categories being the most critical risks in the short-term.
That’s good, because awareness of the problem was definitely lacking in the Industry 4.0 transition. Unfortunately, awareness of increasing risk does not automatically translate to the ability to mitigate it. We also see that 41 percent of survey respondents rated mitigating cybersecurity risk as difficult or very difficult, with those ratings combining at 34 percent for technology risk.
These risks of exposure through technology systems are bad enough when you are worrying about a potential hack of a menu-kiosk messing up your lunch order, but consider the opportunity for mayhem as we digitize and place cool, new physical security technology on our enterprise networks.
We are moving to a new security program model that deploys connected systems and processes that communicate with each other autonomously. This model uses camera analytics, physical sensors, automated access systems and AI to identify and report security incidents, track them and escalate the information and response procedures to humans based on rule sets and algorithms.
All of these amazing technologies augment the human capacity to monitor and react more quickly, more intelligently and with more preparation to security incidents as they happen. This makes our security programs better, faster and stronger, but also far more vulnerable to the types of attacks that we have never had to consider or anticipate.
Consider the implications of hackers taking over automated gates, security robots, access control systems or even inserting deep-fake videos into our video management systems. These issues could potentially expose our organizations to civil, legal, brand and even criminal liabilities. We see in the survey results that 69 percent of respondents are either very or extremely concerned that cyber issues will impact enterprise reputation, and 53 percent have similar worries of compliance and legal repercussions. It’s critical that we in the security industry take the right steps to prevent these technology exposures from slipping through cracks in our security programs.
As the industry moves into the new realm of automated Security 4.0, we can learn from mistakes the manufacturing industry made on its journey to Industry 4.0. A few tactics to keep in mind are:
- Even the most advanced technology systems require a human response at some point in the process. Security staff training remains critically important to ensuring appropriate actions are taken when warranted. Choose staff who have the right background, awareness, security knowledge, people skills and – above all – training to react appropriately in fast-moving incident situations.
- Many systems rely on security products that are built with an open architecture. This is critical because open software and hardware follows industry standards but has the ability to connect and communicate. Unfortunately, open environments are potentially more prone to cyberattacks than closed systems, making it important to be ever vigilant with cyber controls and proactive with the ongoing examination of possible threats and remedies.
- Take an Enterprise Security Risk Management (ESRM) approach to your entire security program, not only cyber or physical. Develop programs that identify all critical resources, examine risks to those resources and employ holistic resolutions to protect the organization’s networked security programs now and in the future.
- When making decisions on physical security technology, choose security systems that are “Cyber by Design.” In other words, choose reputable technical solutions that embed cyber controls during the manufacturing and installation process. Then make sure you continue to update those systems as part of your overall patch management process.