The exfiltration of a private, sensitive database is an IT security Armageddon. It can be likened to a mob breaking into the facility, looting and burning everything, including people, which is a protective services Armageddon.
Catastrophic risk to physical (tangible) assets and life in protective services Armageddon scenarios are routinely transferred to general liability insurance. This risk transfer option is increasingly available to IT (software and data stored on physical devices) catastrophic risks in terms of technical errors and omissions, cyber, or specific occurrence (standalone) insurance as well.
Insurance policies require an assessment of the state of current enterprise security. Large corporations are generally assessed by independent third parties, usually at their own expense. These assessments are generally based on the risks being insured and the counter-measures in place.
While IT and protective services both work on managing insured, or self-insured, risks, the two organisations traditionally work on their specialties separately.
Evolving criminal threats
However, criminal threats are increasingly mixing technology with people. For example, “people” have been identified as the number one information security threat and solution since before 2010 in terms of insider and social engineering.
New trends of physical threats, such as FlashRob (a mob, coordinated through social network to converge and rob shops), and collateral damages from political or social actions organised through social networks, demonstate that the internet is a potent new component in physical crimes, which has been the province of protective service. Responding to these growing new threats requires a combination of technology and people skills.
Protective services people are from law enforcement, military and guards, and are highly experienced with human vulgarity, investigation and resolution of people issues, and have the skills to protect people. IT people are not security people by nature – they are technical people who have migrated towards security over the years.
Physical threats include people who intrude or take control of a target within a facility to cause some form of damage, which can include arson, assault, vehicle-borne improvised explosive device (commonly known as a car bomb), burglary, kidnapping, larceny, robbery, vandalism, or workplace violence.
Protective counter-measures include site selection, smart or traditional perimeter fences, employee and visitor access controls, use of an intrusion-detection system, random guard patrols throughout the facility during non-working and working hours, and closed-circuit video monitoring or other safeguards that mitigate the vulnerability of unalarmed storage areas and security storage cabinets during non-working hours.
The obvious answers to combating technology-savvy criminals, such as unrestrained monitoring of internet and social network use, are not an option because they are not only expensive, but socially unacceptable. There is also the problem of attributing an internet alias/avatar to the real criminal. The best hope for enterprises is to source innovative solutions created from the combined talents of the technology savvy IT people and the people-savvy protective services.
What IT can learn from protective services is a practical understanding of how to stop criminals without alienating employees and the public. In return, IT can absorb the technologies used by protective services and integrate them into virtual and real situation awareness, taking advantage of the increasing GPS capability in internet devices and physical surveillance by protective services.
Thomas L Chen, CISSP, ISSAP, ISSEP, CCNA, is an infrastructure and information protection professional.
This was first published in June 2012