Measuring the Gap between Digital and Physical Risk Management Practices

Discussions in the management space are currently focused on the new risks associated with cryptocurrency, climate change, and social unrest. Sometimes this focus makes it easy to forget that more traditional physical security risks are still relevant today. Just as we must update best practices to fit emerging risks, we must also prepare for these physical risks as well. To this end I plan to compare how we work to mitigate ransomware and a traditional physical threat, like an active shooter scenario.

Ransomware has been with us for over two decades. An Eastern European script kiddie looking for digital bragging rights has given way to nation-states and organized crime creating an ecosystem selling ransomware-as-a-service that includes salable private information. It is reasonable that today’s criminal leaders gather their trusted managers to discuss revenue growth and forecasts, revenue per record, labor costs, technology capital requirements, and annual profit.

Traditional firewalls, patch management, and social engineering training were recommended in the years following the advances of internet-based computing environments. Today’s new MITRE ATT&CK® framework has a post-compromise focus that currently includes 14 categories of tactics and 178 categories of techniques. The controls that need to be updated, strengthened, and tested include several items. Passwords are still effective but strong passwords are required. Multi-factor authentication, previously reserved for only the most sensitive systems, should now be deployed on any over-the-internet accessed application. With the growth of SaaS and cloud services, almost every business application now qualifies. Failure to effectively deploy updated password and authentication controls will allow simple phishing attacks to be successful with six and seven figure remediation costs. What is included in today’s remediation process?

Training. The cost of not training still exceeds the cost of training. Social engineering training, specifically for phishing attacks, should result in 1%-5% failure for users clicking a link, 0% of users entering the user ID and password, and 90+% of users reporting the phishing attack to information security or helpdesk personnel.

Multi-factor authentication should be deployed for any device remotely connecting to a business application. Remote devices now include employees working from home, every contractor, and customer collaboration platforms. Email through Microsoft Office365 is now a remote application. Patch management procedures of personal computers and servers has expanded to patch management of every device (think Internet of Things). Remember that TJ Maxx had a $150 million response for a security event that started with a hacked HVAC system.

Security threats and deployment of control procedures has given way to the MITRE ATT&CK® framework that describes threat scenarios and a layered approach to preventive, detective, and response processes. And use the 3-2-1 rules for backup: maintain 3 backups consisting of 2 types of local backup media, and 1 offsite.

When it comes to physical threats the situation is different, but security should be of equal focus. A real active shooter scenario is the most terrifying moment any of us could imagine. The likelihood of being in a violent incident is about 1:325 as reported by Therefore, low likelihood but astronomical impact warrants a level of training and preparedness akin to other events.

Contemporary responses are focusing on training, preparedness, and response. The traditional emergency action plan is to evacuate, hide out if you can’t leave, and as a last resort, strike back. The thinking to support this is logical and reasonable, but people don’t think logically during high-stress events without extensive training.

While a company may be prepared for any number of cybersecurity threats thanks to training and safeguards, the same is not always true of physical threats. Whether we realize it or not, the safety of information has begun to take precedence. As a result, our focus on physical safety may be languishing. Instead, we should be treating it with the reverse level of care.

The full response and training processes related to active shooter incidents is broad and technical, and we should still make a commitment to physical risk management threats at the same financial level as cyber risk management threats.