Protecting critical information assets is one of the biggest challenges facing businesses worldwide. Increasingly, risk managers are being asked to get their arms around their organizations' cyber vulnerabilities, as cyber security is no longer viewed strictly as a technology risk, but an enterprisewide issue.
To help businesses strike the proper balance between risk mitigation and information technology solutions, FM Global is developing a suite of cyber risk assessment solutions focusing on these three vital areas of client concern: physical security, information security and industrial control and building systems. Together, these pieces will provide a comprehensive picture of an organization's cyber risk.
"Although there are three distinct components to our cyber risk assessment strategy, the power and innovation behind it is the way they all fit together to help our clients understand, manage, and mitigate that cyber exposure, says FM Global's Mel Borsellino, staff engineering manager and chief engineer who leads the engineering team responsible for the evolving strategy. "We're developing first-party solutions that will best meet our clients' growing cyber security needs—starting with our physical security evaluation.
When most people think of a cyber attack, malicious threats such as hacking and malware often come to mind. Physical security is a worry for businesses, as they are becoming increasingly vulnerable to threats related to unauthorized physical access to their facilities.
For instance, if a person posing as a contractor gains access to a building, the intruder could then launch a damaging attack on the organization's computer system and network.
Borsellino acknowledges that cyber isn't a static or predictable risk, as hackers' motives for disruption are ever-changing. "Until a few years ago, hackers were mostly interested in third-party theft—theft of data or information. But as threat actors get smarter and more sophisticated, we may see more incidents of interruption or shutdown of business operations—a huge fear for our clients, as this may have considerable financial impact."
"Our approach to cyber risk is the same as we take to fire or any other risk."Amy Anderson, FM Global field engineer
Physical security evaluation
To address these issues, FM Global field engineers now provide a value-added physical security evaluation as part of their loss prevention visits. A physical security evaluation helps clients pinpoint obvious human element deficiencies associated with unauthorized local site access, with an emphasis on direct, in-person access to data and computer networks.
Throughout the physical security evaluations, field engineers ask questions and make observations related to their clients' security programs and how access is controlled and managed throughout their facilities, including an emphasis on controlling physical access to information technology networks and other critical assets. After their visit, field engineers offer actionable recommendations to tighten security programs and access controls.
"Our approach to cyber risk is the same as we take to fire or any other risk," declares Amy Anderson, an FM Global field engineer based in South Carolina, USA. "We are always looking for solutions to help our clients prevent losses. Many of the physical access issues we can gauge simply by observing the building. Is there card access at the doors? Are the gates locked? Simple things like that can go a long way in preventing an unwanted visitor from causing harm. Our recommendations are meant to have a broader appeal to our clients as practical solutions to also prevent theft, terrorist events, arson and equipment sabotage."
Advantages of FM Global's Physical Security Evaluation:
- Provides an objective view of physical security vulnerabilities at your location
- Incorporated into existing engineering site visits
- Offers actionable insight based on information gathered and recorded
A step ahead
As the physical security threat continues to evolve and become more sophisticated, businesses are looking to understand their cyber hazards and seek solutions that meet their growing needs, such as smartcards, electronic gates or mobile credentials. The more companies can do to prepare themselves, such as by developing and maintaining a comprehensive cyber security plan, the better off they will be.
"As we meet with clients and present our cyber approach, we are noticing a shift," says Borsellino. "Maybe they weren't thinking about cyber a year ago, but now they are and they are anxious to see what we plan to offer. Clients have clearly expressed a desire to recognize their cyber risk and develop practical solutions to mitigate it. Our value-added physical security evaluation is a solid first step to making that happen."