In the digital age, a robust security strategy is paramount to safeguarding an organization’s assets and reputation. As cyber threats evolve in sophistication, so too must the strategies we employ to counter them. Here’s a modern approach to crafting an effective security strategy.

1. Understand Your Assets and Threats

A solid security strategy begins with a comprehensive understanding of what needs protection. Identify critical assets – data, applications, infrastructure, and intellectual property. Assess potential threats, both internal and external. Conduct a thorough risk assessment to pinpoint vulnerabilities.

2. Develop a Layered Defence

Implement a multi-layered defence strategy, often referred to as defence-in-depth. This approach ensures that if one security measure fails, others will continue to provide protection. Key components include:

• Network Security: Firewalls, intrusion detection systems, and secure network architecture.
• Endpoint Security: Antivirus software, endpoint detection and response (EDR) solutions.
• Application Security: Secure development practices, code reviews, and application firewalls.
• Data Security: Encryption, access controls, and data loss prevention (DLP) systems.

3. Foster a Security-Aware Culture

Human error is one of the leading causes of security breaches. Foster a culture of security awareness within your organization. Regular training sessions, phishing simulations, and clear communication about security policies can empower employees to recognize and respond to threats.

4. Implement Strong Access Controls

Limit access to sensitive information and systems to only those who need it. Use role-based access controls (RBAC), multi-factor authentication (MFA), and stringent password policies. Regularly review and update access permissions to ensure they remain appropriate.

5. Monitor and Respond to Threats

Continuous monitoring is crucial for detecting and responding to threats in real time. Implement a robust Security Information and Event Management (SIEM) system to collect and analyse security-related data. Develop an incident response plan to outline steps for containing and mitigating breaches.

6. Keep Software and Systems Up-to-Date

Regularly update and patch software, operating systems, and firmware. Outdated systems are a common target for attackers. Implement a patch management process to ensure timely updates.

7. Plan for the Worst

Despite best efforts, breaches can occur. Develop a comprehensive incident response plan that includes procedures for detection, containment, eradication, and recovery. Regularly test the plan through drills and simulations to ensure readiness.

8. Compliance and Legal Considerations

Stay informed about relevant laws, regulations, and industry standards. Ensure your security practices comply with regulations such as GDPR, HIPAA, and PCI-DSS. Non-compliance can result in hefty fines and damage to your reputation.

Conclusion

A robust security strategy is a dynamic and ongoing process. By understanding your assets, implementing layered defences, fostering a security-aware culture, and staying vigilant, you can effectively navigate the complex landscape of cyber threats. Remember, security is not a destination but a journey that requires constant adaptation and improvement.

As part of the government’s three-step framework to return from lockdown, workplaces and premises are required to develop a COVIDsafe plan.

A COVIDsafe plan is a risk assessment with respect to COVID-19 which identifies what could happen if someone is exposed to a hazard, in this case, COVID-19, and the likelihood of it occurring.

The exposure of your workers and/or customers/clients to COVID-19 is a foreseeable risk that must be assessed and managed in the context of your operating environment.[1]

Should you have a COVID-19 outbreak at your premises, you may need to demonstrate that you have taken adequate steps to protect their health and safety.

Assessing and managing risk is a core function that security industry provides, and an area in which it has developed extensive skills and capabilities. As such, there is a great deal of value that the security industry can offer to organisations as they return to their places of business.

In the first instance, security specialists and consultants may be able to assist you in identifying and assessing the risks that are associated with your place of business as well as the development or plans to manage these risks to a tolerable level.

In addition to assisting in the development of your COVIDsafe plan, there may be opportunities to utilise your security technology to support this plan.

Many places of business have security technology in place that may be able to assist in managing your COVID-19 risk either through modified usage or with some modifications. In this article, we take a look at some of the ways in which this can be achieved.

Occupancy Management

As we progress through the phases of the Three Step Framework for a COVIDsafe Australia, different thresholds for people in an area will need to be enforced.

While we’re in phase 1, limiting occupancy to ten people is a relatively straight forward task. As this increase to twenty, then one hundred people, it becomes more challenging.

For spaces with controlled entries and exits such as offices it may be possible to use your electronic access control system (EACS) to enforce these limits. To do so, you will require an EACS that supports occupancy management, then implement a strict badge in badge out policy so that every entry and exit is recorded

For moderate sized spaces such as retail stores with a limited number of entries, you may be able to utilise your people counting systems, or your CCTV system to provide a count of the number of people entering and exiting the premises.

For larger spaces such as shopping centres and clubs, you may need to manage both the total number of people on site as well as ensuring that that crowding does not occur in the various spaces. Whilst more complex, this can be achieved using a combination of technologies such as people counters to measure the total occupancy, as well as video analytics for crowd counting.

Contact Tracing

Should a person who tests positive to COVID be determined to have been in your premises, you will most likely need to determine who else was on site at that time. The more accurately you can record this, the less of your workforce that is likely to be impacted.

By implementing strict access control policies, you can achieve an accurate log of who was in a space at the time that the COVID positive person was in that space.

Visitor Management

Depending on the nature of your premises, a visitor management system provides a powerful tool to assist in contact tracing.

Many visitor management systems allow for the inclusion additional information fields – these can be used to ask the basic COVID risk questions such as recent travel, fever, contact with a known COVID case etc.

You may also wish to have all visitors pre-register and take measures to both reduce the total number of visitors and ensure that the total expected number of visitors and staff are not going to exceed occupancy limits.

Automation

Items that are handled by many people such as doors and exit buttons are potential transmission sources for COVID-19. Depending on the layout of your site, you may be able to utilise technologies such as Facial Recognition, License Plate Recognition, or touch free exit sensors to reduce the number of surfaces that a user needs to interact with.

Thermal Cameras

There has recently been a good deal of discourse about using thermal CCTV Cameras for fever detection. Whilst there may be a few edge cases where the use of any thermal camera will assist in reducing COVID risk, infected people are contagious for up to five days before they display symptoms such as a fever and a large number of cases are asymptomatic, so none of these will be detected by a thermal camera.

If you have an environment in which you need to screen large numbers of people and your risk assessment has shown that fever detection is a required control, then you should probably invest in a medical grade camera as these offer the required accuracy.

Of course none of these controls reduce the requirement to ensure that good hygiene practices are observed such as hand washing or sanitisation, distancing, and ensuring adequate separation between staff.

There are also a lot of process related actions an organisation can take to reduce their COVID risk as discussed in our previous article.

If you would like assistance developing your COVIDsafe plan get in touch with us today.

Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings, and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).

Simon Pollak is the principal consultant at STSC

You can follow him at https://au.linkedin.com/in/simonpollak

---

[1] https://www.safeworkaustralia.gov.au/covid-19-information-workplaces/industry-information/general-industry-information/risk-assessment?

We’ve all seen the impact that COVID has been having on individuals and organisations around the globe, and as Australia starts to emerge from lockdown, now is the time for organisations to put measures in place to improve their resilience.

All predictions are that as lockdown eases, there will be an increase in case rates; and that there will be spot outbreaks as we’ve already observed to be the case with McDonald’s closing 12 Victorian outlets after they were all visited by an external truck driver who tested positive for COVID-19.

For most organisations, there are steps that you can take now to improve your resilience and reduce the impact if one of your team contracts COVID or comes into contact with someone who tests positive.

Team Structuring

Depending on the nature of your workforce, you should consider how teams can be structured to reduce the number of close contacts that each person has. In this way, if one of your staff members return a positive result, the smallest possible number of people will need to be isolated.

Is there a way that you can break your workforce into small teams that never work in the same space or come into face to face contact with each other?

If you run a service or trades business, can you have fixed teams that never work on the same sites? If you run a manufacturing or sales business, can you change rosters to reduce contact between staff members.

Remote working

Many businesses have been successful in transitioning to a remote working model. If you have been able to manage such a transition, you may want to continue this as much as possible. This could be done by having parts of the team come into the office on different days, or by keeping part of your workforce completely remote.

Social Distancing & Hygiene

Pretty much every adult is now well aware of how to maintain social distancing and good hygiene, but as we start to transition back to business, it is going to be easy to slip back into old habits.

Workplaces should consider what they can do to reinforce good social distancing habits. Some examples of this could include:

• Reducing face to face meetings
• Signage around the office areas
• Cancelling or modifying staff drinks
• Reconfiguring lunch rooms
• Ensuring adequate handwashing and hygiene facilities

Space management

After more than a decade of increases in the prevalence of open plan offices, we’re now in a position where many offices no longer provide the necessary social distancing for safe work in a post-COVID world.

Cushman & Wakefield’s Safe Six – Workplace Readiness Essentials provides some excellent guidance on how to prepare workspaces for bringing workers back with the steps being:

1. Prepare the Building
2. Prepare the Workforce
3. Control Access
4. Create a Social Distancing Plan
5. Reduce Touch Points & Increase Cleaning
6. Communicate for Confidence

Contact Management

One of the key controls as we emerge from lockdown is having robust contact management and tracing systems in place.

Depending on the nature of your business, can you reduce the number of visitors to your premises, or can you keep a record of all staff and visitors on site on any given day.

Make Use of Technology

Many businesses have technologies in place that can be used to assist in reducing the risk of COVID transmission. This can include people counting systems to manage the number of people in a space at any time, using access control system to limit numbers and maintain a log of who’s been in a space, and visitor management systems to track visitors to a premises.

The good news is that we will get through this.

It will take some time, and there will no doubt be spot outbreaks and other challenges along the way.

The more organisations can do to ensure that their employees, customers, and visitors are kept safe, the more likely they are to get through this in the best possible position.

If you would like assistance developing your COVIDsafe plan get in touch with us today.

Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).

Simon Pollak is the principal consultant at STSC

You can follow him at https://au.linkedin.com/in/simonpollak  

Back when they were common place, I recall going into my local bait and tackle store and seeing a display of fishing lures on the counter touting some super power or other that would almost guarantee you’d catch more fish. I asked Steve, the shop owner who I’d known for some years his opinion, and his reply has remained with me ever since. 

“You know what Simon, some lures are designed to catch fish, others are designed to catch fishermen. This one is designed to catch fishermen.”

This advice has served me well in the many intervening years, across many different sets of products. 

In the last few years, with cyber security becoming a concern at all levels of busienss, I am observing far too many decision makers failing to fully consider whether their security expenditure is the most suitable for their organisation. 

There are a number of broad questions that should be asked with any security investment, cyber or otherwise, that will assist in evaluating any expenditure. 

What problem does it solve or what risk does it mitigate for my organisation? 

In the physical security world, we’d find it laughable to deploy a team of Ghurkhas, SEALS, and SAS soldiers to stop kids sneaking in alcohol into a party. Same principle in cyber security – just because a product solves a problem, is it a problem that you need to solve? If you’re not a target for state sponsored hackers, then maybe an APT detection product isn’t the best solution for you. 

Across the spectrum of risks that my organisation faces, does this address a high priority risk or a low priority risk?

Similar to the previous question; is this the best, or at least a good use of my organisation’s resources. Start with the basics. Ensure you have systems and processes in place for patching, identity and access management, encryption, data classification, perimeter security etc. If you have internet connected devices with default credentials or known vulnerabilities, then maybe you should address this before you worry about real time network forensics. 

Can I do something with the output that this solution provides?

There’s a world of difference between information and intelligence. If a solution gives you information that you don’t have the ability to action, does it add any value? Once you know someone from China or Russia has logged into your systems, do you have the ability to assess whether it is genuine or malicious, then block or remove them if it is malicious?

What am I protecting, and why?

Your systems, your processes, and your information all have a value to your organisation. How much value does the solution you are considering protect? A solution that prevents your manufacturing systems going offline for days or weeks may protect a great deal of value, whereas data leakage prevention for information that’s available from your public facing web site less so. 

How does this fit in with my overall security strategy?

As an organisation’s security posture matures, though ideally for all organisations, there will be a security strategy that identifies risks, priorities, and opportunities in the business context. Does this solution align with and assist with progressing that strategy?

Will it integrate with my existing tool set?

If you already have security tools and systems in place, the ability to integrate a new solution into your existing environment is an important consideration. If a product is going to result in a disparate set of notifications that reduce the likelihood of them being actioned correctly, is there a product that will better integrate, or has the cost to integrate been allowed for?

How will it be supported?

It’s all well and good to have the latest, greatest products, however for technology to be effective, it requires support, maintenance, and updates in order to remain effective. Has support; both availability and expense been evaluated as part of the product assessment? What is the product support lifecycle, and will it be adequately supported for as long as you are expecting it to be in use?

There are of course all the other questions to ask as should be the case with any expenditure such as “Can I afford it?” and “Is this the right vendor?”

So, next time your preparing to spend your hard-earned cash on a security solution, just remember to question whether they are fishing for fish or fishing for fishermen. 

If you would like some assistance improving your cyber security get in touch with us today.

Simon Pollak is a security professional with more than 25 years’ experience in physical and cyber security, smart buildings and automation systems. A licensed security consultant and CISSP, he holds a Masters of Cyber Security and a Masters of Business Administration (Technology).

Simon Pollak is the principal consultant at STSC

You can follow him at https://au.linkedin.com/in/simonpollak  

This article was first published in Issue 6 of Australian CyberSecurity Magaxine