A famous New Yorker cartoon shows a dog sitting at a computer with one paw on the keyboard speaking to a smaller dog seated on the floor. The caption reads: “On the Internet, nobody knows you’re a dog.”
The cartoon speaks to identity, privacy, and deception online. It also captures the dual nature of today's staff member, who exists both physically and digitally. When the cartoon ran, cyber and physical were two distinct worlds. Now an individual's physical presence can be linked to their digital identity in a variety of ways.
Connecting online identity and access management (IAM) and physical access control is the next frontier in security. This is especially important now that COVID-19 has moved work from offices to homes and hybrids. Today’s employees can badge into a workplace or log in from home at their discretion.
Cybercrime already costs the global economy a staggering $6 trillion per year, a total that is expected to exceed $10 trillion by 2025. The toll of cybercrime has surpassed the cost of traditional, physical crime. The 15 largest data breaches of the 21st century alone, out of hundreds, have compromised roughly 8 billion customer accounts or records, about one for every person on Earth.
In 2020, there were over 2,000 ransomware attacks on government, industry, and academia, costing billions. As a result, insurance premiums for ransomware are skyrocketing. Several insurers have even stopped writing ransomware policies altogether.
Behind many forms of cyberattack, whether breaches, ransomware deployment, or phishing, the typical root cause is the same: a stolen or reused password.
Today, many organizations are ditching usernames and passwords in favor of multi-factor authentication, single sign-on, access governance, and password-less authentication. The point is less the technology itself than changing the way people work so that they work more securely. Yet organizations are still sticking to old habits in the physical space, relying on front desk, facilities, HR, or IT staff to enter access control information into a database by hand, print badges, and create, change, and end access privileges.
The most effective businesses today connect employees, contractors, and others who need access to facilities and systems with their IAM program. Microsoft Azure Active Directory, Okta, and Google’s G-Suite are popular IAM solutions that can connect digital and physical access systems. This method not only improves security but also saves time by avoiding the need to update data or rights in various databases.
By making the connection, security teams have a unified view of who has access to what in the digital and physical worlds. This also provides for quick automated updates when an employee or contractor changes jobs or leaves.
It's critical not to get lackadaisical about physical security in a business world that is increasingly adopting a hybrid model. Improper physical access exposes staff, visitors, and others to threats to their safety and physical well-being. It also allows adversaries to steal, copy, or alter nondigital assets such as printed reports, blueprints, and equipment, or to gain unauthorized access to sensitive areas such as server rooms and data centers. That's why it's paramount to manage the identities of anyone with physical access and what they can do with that access, where, and when. For example, only certain staff members should be able to enter the IT closet, the personnel records room, and the accounting offices.
The keys for security executives are:
- Establish multi-factor authentication (e.g. card/token, device biometrics, one-time passcodes (OTP), and more)
- Establish user access rights based on the least-privilege principle (e.g. a security guard at the Main Street office should not be able to change access permissions at the corporate HQ in a different state)
- Integrate physical access with IAM so that cyber and physical permissions update with a keystroke, keeping them in sync.
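The automated sync described above (a unified view of who holds which badge rights, permissions that follow a job change or departure, and least privilege scoped to a person's own site) comes down to a reconciliation job that compares the identity provider's view of each person with the physical access control system's badge table. The script below is an added example, not code from the original article or from any IAM or PACS vendor. Its IdP export, badge table, and role-to-door policy are constructed sample data and an assumed policy; a real deployment would pull the directory from Azure Active Directory, Okta, or Google and the badge table from the PACS vendor's API, then push the computed changes back.

```python
"""
Reconcile a physical access control system (PACS) with an identity provider (IdP).

Added example, not the article's or any vendor's code. All users, badges, sites,
and the ROLE_DOORS policy are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed least-privilege policy: a role grants only the doors it needs, and
# only at the badge holder's own site. Door names are keyed "site/door".
ROLE_DOORS = {
    "engineer":   {"lobby", "eng_floor"},
    "sysadmin":   {"lobby", "eng_floor", "server_room"},
    "guard":      {"lobby"},
    "accountant": {"lobby", "accounting"},
}


@dataclass(frozen=True)
class Identity:
    user_id: str
    status: str   # "active" or "terminated", as exported by the IdP
    role: str
    site: str


@dataclass
class Badge:
    badge_id: str
    user_id: str
    doors: set    # doors currently granted in the PACS, keyed "site/door"


# Constructed sample data (not real people, badges, or sites).
IDP_USERS = [
    Identity("u100", "active",     "sysadmin",   "hq"),
    Identity("u101", "active",     "accountant", "hq"),       # moved from engineering
    Identity("u102", "terminated", "engineer",   "hq"),       # left last week
    Identity("u103", "active",     "guard",      "main_st"),
]
PACS_BADGES = [
    Badge("b1", "u100", {"hq/lobby", "hq/eng_floor"}),             # never given server_room
    Badge("b2", "u101", {"hq/lobby", "hq/eng_floor"}),             # stale engineering rights
    Badge("b3", "u102", {"hq/lobby", "hq/eng_floor"}),             # terminated user
    Badge("b4", "u103", {"main_st/lobby", "hq/server_room"}),      # cross-site excess
    Badge("b5", "u999", {"hq/lobby"}),                             # no identity at all
]


def desired_doors(identity):
    """Doors an identity should hold under ROLE_DOORS at its own site; none if inactive."""
    if identity.status != "active":
        return set()
    return {f"{identity.site}/{door}" for door in ROLE_DOORS.get(identity.role, set())}


def reconcile(idp_users, pacs_badges):
    """
    Compare every badge with the IdP and return the changes to push to the PACS:
      revoke - badge ids to deactivate (holder is terminated or unknown to the IdP)
      grant  - badge id -> doors the role needs that the badge lacks
      remove - badge id -> doors the badge has that the role does not grant
    A badge whose user_id is absent from the IdP is treated as orphaned and
    revoked: with no owning identity it can never be reviewed or offboarded.
    """
    by_id = {u.user_id: u for u in idp_users}
    changes = {"revoke": [], "grant": {}, "remove": {}}
    for badge in pacs_badges:
        identity = by_id.get(badge.user_id)
        if identity is None or identity.status != "active":
            changes["revoke"].append(badge.badge_id)
            continue
        wanted = desired_doors(identity)
        if wanted - badge.doors:
            changes["grant"][badge.badge_id] = wanted - badge.doors
        if badge.doors - wanted:
            changes["remove"][badge.badge_id] = badge.doors - wanted
    return changes


if __name__ == "__main__":
    for kind, items in reconcile(IDP_USERS, PACS_BADGES).items():
        print(kind, items)
```

Run on a schedule or from an IdP lifecycle webhook, this is what turns a status change in the directory into a badge change within minutes rather than at the next manual audit. The orphaned-badge rule (b5 above) is the check most worth keeping: badges issued outside the IdP workflow are exactly the ones that survive offboarding.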
Intruders and others abusing outdated physical access won't be as obvious as the New Yorker cartoon's hound prowling the office. But if organizations combine physical access control with identity and access management, everyone in security will know you're a dog. Or at least an unwanted guest.