(ID999) INCIDENT RESPONSE - Tel: UK 0044 1732 897 601

James Rodwell (BII) - Convergence of Physical and Cyber

Today's physical threat

There is quite rightly considerable emphasis at the moment on Cyber security in both the public and private sectors. Now that nearly everyone (with the exception of a minor few technophobes) is connected to the internet via a myriad of devices from smart phones through to home PC's Cyber security is more important than ever.

Businesses should not let this distract them from the importance of basic physical measures. The importance of protecting your business from cyber criminals has never been greater but putting in place very expensive software systems to stop this happening means very little if the criminal can find that same information from your office litter bin.
The same can be said for external contractors such as cleaning companies or much more commonly via social engineering.

A number of recent cases where the information commissioner (IC) has fined leading high street companies for data breaches related to personal data being dumped in the street show the need for a comprehensive plan to dispose of sensitive data held physically. The plan should also incorporate measures to test that this is being adhered to by both staff and contractors regularly. At present time fines from the IC are fairly small in relation to the turnover of the businesses prosecuted. More importantly the reputational damage that occurs whenever one of these breaches occurs cannot be quantified.

It is a proven fact that UK companies and government departments are constantly under attack from the internet as this can be seen by using any number of software monitoring tools readily available. What is not so well known is the attempts made to gain access or information from businesses using very simple tactics such as going through corporate rubbish or bribing staff to gain sensitive information or getting them to divulge confidential information unwittingly via social engineering. 

According to Scott Borg

Director of the U.S. Cyber Consequences Unit

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.”

Read the full article here

Importance of review

As well as having a fully documented IT security policy in place, businesses must pay as much attention to creating and implementing a physical security policy. Not only should both these plans be an integral part of the company daily businesses philosophy and practice they should be constantly reviewed and tested, as threats change so a plan must be adapted to meet those changes.

As a simple example; if you have installed security cameras to cover sensitive areas in your business are these periodically reviewed to make sure they are still in the right place to meet your companies current needs, or that information from them is being stored and monitored correctly? Do you have a policy in place that covers what your approach is to CCTV monitoring? A lot of companies have the same attitude towards physical security in general as they do to CCTV cameras, once it is installed then the box is ticked and doesn't need to be worried about anymore. This is a very dangerous attitude for any business to adopt, security is only as good as the last time it was reviewed. A board room swept for bugs means that there were no bugs there on the day it was swept not that someone hasn't installed a bug the next day. Constant review and test is the only way to ensure a working viable security plan.

BII advise a number of clients on how to create and maintain both IT and Physical security plans and then having created them periodically review and test them. A plan created on the 1st of January and not reviewed till the 31st December is a plan that is most probably not as relevant to the companies security needs as it should be. Training staff not to be fooled by attempts to get information or access to a building is only effective if it is periodically reinforced. There would be little point adding measures to protect your companies IT infrastructure if these systems aren't continually updated and tested and the same can be said for physical security measures.

Cisco - Why integrate physical and logical security?

Today, security can mean either physical security, as in physical access control, or logical security (also known as cybersecurity), as in virus detection or unauthorised network access. The departments that manage the technology for these two types of security are usually entirely separate, and often do not even collaborate. With the proliferation of IP convergence on the network, this can have a dramatic impact on both departments, as well as the safety and security of an organisation.

Read the full article here


A security plan be it Cyber or Physical in nature must protect a business, it's employees and assets as much as is practical to do so. What it should not do is inhibit the company from doing business. Security is essential to any business but it should be a business enabler not a hindrance. Most businesses have online trading or client interaction via their websites; no one would dream of accepting sensitive client data without the relevant IT security measures in place. IT security in this instance is therefore a business enabler and this is how all facets of security physical or cyber must be. However if that same data is lost in a physical state such as paper, a USB device, CD or laptop then the security on the Web site counts for nothing. 

BII are highly skilled in working with companies to either create new policies and practices or to review existing policies. BII uses PREA to test both cyber and physical policies as an aggressor would in a real life scenario. This is the only true way to review policy effectiveness and report and remediate any shortcomings.

Information gained from bugging a companies board room is just as valuable to a competitor or criminal as that obtained via hacking the companies systems. We are able to help companies understand the potential threats that are very real and that can cause catastrophic damage to a business from non IT related sources. When these threats are understood BII consultants can then work with companies to mitigate these threats on a present and on-going basis.