Rethinking Physical Security in the Information Age
Peter English, CISM, is corporate risk advisor for a local government in Scotland.
Do you have something to say about this article? Visit the Journal pages of the ISACA web site (www.isaca.org/journal), find the article, and choose the Comments tab to share your thoughts.
Two hundred and fifty years since the forces set in motion by the Industrial Age were unleashed, some of the effects, such as global warming, are only now beginning to be understood. After only 30 years, the Information Age is already profoundly changing all aspects of life and will continue to do so. Advanced electronic equipment and fast, cheap communications mean that many previously static aspects of daily life, including physical security, are lagging behind the new reality that has been created.
In the days before the Internet created a global information-sharing network, ‘security through obscurity’ was a more viable strategy. Now, those with criminal intent can go from zero to dangerous in 60 minutes by searching the Internet for a tutorial. The threat is not just from malware or hackers; physical security mechanisms are also at risk. From videos of how to open cars with a tennis ball to sites dedicated to opening so-called ‘high-security’ locks in seconds, key areas of the physical security environment may not be as secure as one would think.
Inscribed on the Temple of Apollo at Delphi (Greece) was the imperative to ‘know thyself’. Organisations wishing to tackle the challenges of the future would do well to start from a position of self-awareness. One of the causes of the ‘credit crunch’ was that banks and regulators did not really understand the level of risk that they faced. Likewise, security officers need to understand the vulnerabilities, limitations and dependencies of information systems in order to successfully mitigate risks. While many organisations are getting better at identifying and understanding digital weaknesses, the inherent weaknesses of physical devices are not as well recognised. Certainly, uncontrolled physical access to computers can be devastating—a so-called ‘evil maid’ attack can cause the compromise of sensitive information.
In 2007, the German magazine Der Spiegel reported that Mossad agents broke into the London hotel room of a visiting Syrian official and planted malware on his laptop.[1] According to the magazine, information gleaned by the malware was used to degrade Syrian air defences in a bombing raid on an alleged nuclear facility. Even if an enterprise does not have a national air defence system to protect, it is worth understanding the limitations of its physical security devices because if the enterprise does not, its attackers more than likely will.