How to manage the physical risks of cybersecurity
Cybersecurity is a hot topic. Businesses of all sizes are becoming acutely aware of the damage caused by data loss, leakage and theft. They’re aware of the threat posed by malicious intrusions such as denial of service attacks and ransomware infections.
Business leaders know they need to develop strategies based on technology, processes and education to mitigate these risks. Yet many fail to make the link between digital and physical risks. Protecting business systems from unauthorised physical access is a vital first step in preventing malicious or inadvertent damage.
To properly mitigate cyber risks, it makes sense to adopt an engineering-based approach. This should cover three levels of cyber-risk assessment: physical security, information security and industrial control systems.
Shutting the door
While businesses must be alert to the risks presented by high-profile ransomware attacks such as WannaCry and Petya, or by employees opening emails containing malicious code, they should also be shutting the door on unnecessary physical exposure.
A recent story in the Seattle Times highlights the cyber risks posed by physical breaches. Washington State University warned a million people that their personal data may have been accessed by thieves who stole a safe. This contained a backup drive used by the university’s Social & Economic Sciences Research Center.
FM Global is developing a risk assessment framework to cover all aspects of cyber security risk. We currently conduct physical assessments on all commercial and industrial properties we insure, supplemented with a digital security risk assessment which is about to be released. We’ll start assessing industrial control system risks in 2018. Our analytics team is working with external cybersecurity experts to gather intelligence and develop this comprehensive framework. The FM Global research team then applies our proven loss-prevention approach to create thorough account-level cyber-risk assessments.
Our approach extends beyond providing insurance coverage that helps clients manage risk: we also provide coverage for loss of business due to a cyberattack. For example, if a large manufacturer’s industrial control systems fell victim to a malware attack, we would cover the loss of production as well as the hardware damage.
We’ve recently started physical assessments of cyber risk at client premises. These have revealed a number of common mistakes that are easily prevented:
- A live network port exposed on a door intercom
- Unsecured server rooms
- Server racks installed in open, unrestricted areas
- Easily accessible network cables and ports
- Data backups stored in accessible areas
- Infrequently used building entrances left unsecured
Our in-depth research and physical assessments show how the physical component of cyber risk is often overlooked. This exposes companies to considerable financial and reputational damage. We encourage all businesses to evaluate the physical risks inside their doors and implement solutions to protect their future.