Smarter Security

The convenience of using smartphones to open security doors is weighed against the risks

Consumer technology has never been bigger news. The hype surrounding products like the iPhone 4S and the iPad 2 is matched only by the queues they attract outside Apple stores on the morning they go on sale. Meanwhile, leaked figures suggest that Amazon was taking 50,000 pre-orders a day for its Kindle Fire e-reader in October ahead of its UK launch in mid-November; Apple sold 20.4 million iPhones in Q2 of 2011.

It is no surprise that businesses are waking up to the potential of smart devices and manufacturers are starting to build partnerships that can benefit organisations not only in terms of communication, but also in terms of security.

For example, RIM, the company behind the BlackBerry, has teamed up with HID Global to start packaging near field communication (NFC) chips into its future BlackBerry Curve and Bold series. This means that the phones will be able to be used to access locations secured by HID’s existing network of iCLASS readers. These currently use NFC technology to allow access credentials to any protected space and, by integrating them into BlackBerry devices, authorisation can be granted with a simple tap or wave of the phone, without the need for employees to keep track of extra keys, cards, or dongles.

Staff and businesses will certainly like the convenience and efficiency of this solution. It means fewer devices for the employee to handle and if the business is planning to purchase company BlackBerrys anyway, it could potentially represent a lower overall cost to the business. However, the picture is not necessarily as rosy as it might seem and the devices can bring new physical and logical security headaches.

The Trojan wars

For example, hackers are becoming increasingly smart when it comes to targeting mobile devices, which represent a softer target than laptops and desktops. We have already seen a new strain of the Zeus Trojan, which targets personal banking details specifically through smartphones and which highlights a dramatic rise in mobile malware. With 10,000 apps submitted to Apple’s App Store alone every week, the likelihood of an app slipping through the approval process and compromising thousands of mobile devices grows ever higher.

Smartphones also bring with them physical security concerns that could cause businesses more problems than they had initially anticipated. These devices are attractive to thieves at the best of times and incorporating entry permissions into the devices could create worrying loopholes for opportunistic criminals.

There are issues that need to be addressed before we start thinking about using smartphones to access buildings, and they are the result of changing roles in the industry. In the past, the logical security manager and the physical security manager would have been two different positions; now, however, the roles have been merged into one. This looks great on the balance sheet, and certainly has benefits when it comes to more joined-up thinking. But the fact remains that where there were once two people to take responsibility, there is now only one, and in many cases they are too stretched, with the skills and training that were once spread across two people now concentrated in one. Compromises are inevitable, with maintenance and monitoring suffering.

This means that even with the best intentions, they cannot react quickly enough. If an alarm is triggered, there simply aren’t the resources in place to take action, unless there are guards in place who can react immediately. As best practice, businesses should have a security or guard room where someone can monitor whether either internal or external barriers to entry have been left open or compromised, and keep an eye on the CCTV system. After all, these are often expensive investments for businesses and are wasted if they are not used correctly.

To make a security system work, attitudes need to change at the very top. In many organisations, it’s seen as just one more headache to be dealt with. Either that, or directors and senior management are so laid back about the whole issue that they don’t give it the right attention or budget. Some think that there’s no point in bringing in somebody as a ‘just in case’ measure when budgets are squeezed and every penny of investment must be accounted for. It’s vital that top-level management buys into the fact that both logical and physical security is important, and assigns to it the budget it needs.

Spreading the word

Once the company’s board is on side, the same attitudes need to be disseminated throughout the company, so that everyone understands the importance of security and that adhering to the policies is absolutely key. All too often, the commitment is there at a strategic level, but the implementation is lacking. We have worked with a number of companies that had fantastic security policies. However, with all the will in the world, without the correct awareness and training in place they will never be effective.

On one of our inspections of a ‘heavily secure’ site, we came across a post room with the door propped open because the air conditioning was broken and through which anyone could have accessed the facility that was supposed to be protected.

Imagine if NFC-enabled smartphones had been left on desks unattended, as happens in hundreds of workplaces every day. Leaving the door open not only risks losing company property to an intruder, but might also give them unlimited access to the site if the theft were not noticed quickly enough. In the vast majority of workplaces, this attitude means that physical security is not tight enough to make smartphones a viable option.

What, then, is the alternative? Unifying logical and physical security does, when done well, have its benefits. An example which clearly demonstrates this is the use of employee badging in and out of a building to maintain door access security. This is almost invariably mandatory for all staff in a policy; however, enforcing this ranges from problematic to impossible, given that an employee could easily walk in alongside a colleague (‘tailgating’) and leave no record of their entry. This not only breaks the physical access security policy, but also makes it much more difficult to build a comprehensive list of people in the building in case of evacuation.

By linking the physical and logical security infrastructure, however, the controls can be enforced more strictly. If an employee tailgates into the building without badging in, they can be denied access to IT assets even if they have a viable username and password; the network can query if the building access has been logged correctly before allowing login.
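The check described above, in which the network consults the building access log before honouring a valid username and password, can be written down as a small correlation rule. The following is an added example to illustrate that rule; it is not code from the article, from HID Global or from RIM. The badge log, the user names and the fourteen-hour staleness window are all constructed for the example, and the `authorize_login` and `presence_at` names are hypothetical. Beyond the single tailgating case in the text it also handles two related failure modes: a user who has already badged out, and a badge-in so old that the person almost certainly left without badging out.

```python
"""Correlate physical badge events with logical login requests.

Added example (not from the original article): a login is granted only when
the credentials are valid AND the most recent badge event for that user, at or
before the login time, is an entry that is not stale.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Tuple

# Hypothetical policy value: a badge-in older than this with no badge-out is
# treated as stale (the person most likely left without badging out).
MAX_PRESENCE = timedelta(hours=14)


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    direction: str  # "in" or "out"
    at: datetime


# Constructed sample badge log for illustration only; not real data.
SAMPLE_BADGE_LOG = [
    BadgeEvent("alice", "in", datetime(2011, 11, 14, 8, 55)),
    BadgeEvent("bob", "in", datetime(2011, 11, 14, 8, 58)),
    BadgeEvent("dave", "in", datetime(2011, 11, 13, 7, 0)),   # never badged out
    BadgeEvent("bob", "out", datetime(2011, 11, 14, 12, 1)),
    BadgeEvent("alice", "out", datetime(2011, 11, 14, 17, 30)),
    # "carol" has no badge event at all: she walked in behind a colleague.
]


def latest_event(log: Iterable[BadgeEvent], user: str, when: datetime) -> Optional[BadgeEvent]:
    """Most recent badge event for `user` at or before `when`; the log need not be sorted."""
    latest = None
    for ev in log:
        if ev.user == user and ev.at <= when and (latest is None or ev.at > latest.at):
            latest = ev
    return latest


def presence_at(log: Iterable[BadgeEvent], user: str, when: datetime,
                max_presence: timedelta = MAX_PRESENCE) -> Tuple[bool, str]:
    """Decide whether `user` is recorded as inside the building at `when`."""
    ev = latest_event(log, user, when)
    if ev is None:
        return False, "no badge event on record; possible tailgating"
    if ev.direction == "out":
        return False, "last badge event is an exit"
    if when - ev.at > max_presence:
        return False, "badge-in is stale; presence cannot be trusted"
    return True, "badge-in logged"


def authorize_login(log: Iterable[BadgeEvent], user: str, password_ok: bool,
                    when: datetime) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason). Credentials alone are never sufficient."""
    if not password_ok:
        return "deny", "bad credentials"
    present, reason = presence_at(log, user, when)
    if not present:
        return "deny", reason
    return "allow", "credentials valid and " + reason


def demo() -> dict:
    """Run the rule over the constructed log at a few login times."""
    t_morning = datetime(2011, 11, 14, 9, 30)
    t_afternoon = datetime(2011, 11, 14, 13, 0)
    return {
        "alice_morning": authorize_login(SAMPLE_BADGE_LOG, "alice", True, t_morning)[0],
        "alice_badpw": authorize_login(SAMPLE_BADGE_LOG, "alice", False, t_morning)[0],
        "bob_after_exit": authorize_login(SAMPLE_BADGE_LOG, "bob", True, t_afternoon)[0],
        "carol_tailgated": authorize_login(SAMPLE_BADGE_LOG, "carol", True, t_morning)[0],
        "dave_stale": authorize_login(SAMPLE_BADGE_LOG, "dave", True, t_morning)[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

In a deployment the badge log would come from the access-control system rather than an in-memory list, and the denial reason should be logged for the guard room to review, since a cluster of "no badge event" denials is exactly the tailgating signal the article says is otherwise invisible.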

Worth the risk

Decisions on logical and physical security should not be taken on the basis of convenience alone. There may well be a place for smartphones in the future, but it is debatable whether employees and directors have the right attitude towards security to make them the best option for the time being. Instead of jumping on the bandwagon and unthinkingly adopting the latest gadget, companies need to take a smart approach to security, ensuring all assets are protected by a strong and reliable system that suits their premises and their business.

Paul Johnson is specialist auditor and director at NGS Meridian, an NCC Group company
