An Intersecting Issue: Four Tips for Physical Security Professionals to Protect Against Cyber Threats

Physical security, like many industries, is going through a digital transformation. Perimeter, surveillance and patron screening systems, like Patriot One’s Gateway solution, are now equipped with artificial intelligence (AI) to accurately detect weapons people might be carrying. Unlike metal detectors, they do not require people to divest personal items when walking through. Using AI in this way means the systems are amassing data, so the technology can learn from situations to increase accuracy moving forward. This is all in an effort to protect against attacks by armed people.

These next-generation systems are internet protocol (IP)-based, meaning they are increasingly exposed to another type of attack: cyber. Cyber threat actors try to exploit the latest security weakness in any system they can get into, including these new physical security systems. These “smart” systems are connected to the internet, require passwords to access the interface and amass data, which makes them vulnerable to attacks like ransomware if threat actors can get into the system.

Because of this, physical security directors need to also think about cyber protections – likely starting with talking to the person in the organization who controls cybersecurity. Here are four tips to help physical security stay resilient against cyberattacks.

Bring physical security and cybersecurity departments together

Oftentimes, different organizational departments become siloed, even when they have similar responsibilities. Physical security and cybersecurity teams may have similar jobs of providing protection, though they couldn’t operate more differently. However, in this age of digital transformation, these teams should be communicating frequently, and brought together regularly to discuss best practices and company policy.

Modern weapons detection relies on advanced technology that can become vulnerable to cyberattacks, so an incident response (IR) plan should be in place in case of a breach, just as incident response plans are ready to go if another cyber aspect of the business is compromised.

Implement the latest protections for a layered approach to security

Next-gen weapons detection solutions require most of the same tools as other network components, including Data Loss Prevention (DLP), firewalls, intrusion prevention and more. These are likely tools that the organization has already implemented elsewhere to protect other IP-enabled endpoints, but they should be extended to physical security systems too. That’s because these new solutions collect and store data to work better, meaning they are at risk of hackers getting hold of that information. We’re talking about things like images of patrons, alert rate and the kinds of weapons the system is trained to detect – all things ransomware actors could hold hostage if they get in.

Make sure software is up to date

The software that allows these systems to run is like any other computer program and needs to stay updated. People are used to regular software updates on smartphones or laptops, but physical security professionals might not think about that for their patron screening technology. These digitally enabled tools will require regular updates to protect against bugs and other vulnerabilities, to remain effective and safe. Outdated software could mean the technology doesn’t work properly or doesn’t guard against the latest cyber threat. For example, Patriot One periodically releases new software updates to its systems to stay up to date on the latest capabilities and threat risks.

Ensure compliance with local and industry-wide mandates

Data security is not just about keeping the bad guys out. It also bleeds into data privacy and protecting that data according to regulations. These regulations are constantly evolving and span industries and locations, so it can be a lot to keep track of. The General Data Protection Regulation (GDPR) for businesses operating in Europe, and the California Consumer Privacy Act (CCPA) for businesses operating in California, both have a stipulation that organizations must only collect data for specific purposes. So, organizations cannot collect and store data if they have no reason to use it – this might include data on people that set off a physical security system alarm (such as images). Of course, there are many more regulations, and security professionals need to ensure their physical security equipment and software are compliant with all that are relevant.

This is something, again, physical security professionals may not have thought about before implementing next-generation security technology. It’s important they connect with senior cybersecurity and other business leaders to identify what those regulations are.

The whole reason why physical security is implementing these next-gen solutions is to protect patrons and staff from mass casualty events. This is only possible if the system is also within corporate cybersecurity guidelines. So, the moral of the story is: talk to your senior cybersecurity expert – before it’s too late.