‘Blended Threats’: Defending the Business Community
Convergence, BS 65000:2014 and ANSI/ASIS PAP.1-2012

In the last year or so the number of cyber attacks targeting major organisations has risen dramatically while their impact has been significant. What are we going to do, then, about the increasing number of blended cyber-physical ‘strikes’ on the business community? James Willison explains why the convergence agenda is now more relevant than ever before.

James Willison MA MSyI: Founder of Unified Security, Vice-Chairman of the ASIS European Convergence/ESRM Committee and an Associate Senior Lecturer on the Post-Graduate Security Management Programme at Loughborough University

www.risk-uk.com (p22)

Last November, the disruption and chaos at Sony Pictures Entertainment realised by hackers was all over the national and international news. We then witnessed the significant online attacks targeting US Military Twitter accounts as well as leading French institutions.

The issue now is that these occurrences directly affect not just IT systems but also people. What used to be ‘annoying downtime’ has entered the domain of the physical security practitioner because many of them are involved in protecting their colleagues and families from physical harm. In years gone by, you would sometimes hear the physical security manager state: “Well that’s not on my watch” in relation to the online or digital space, but ‘cyber’ is now very much at the door of physical security professionals whether they like it or not.

What, then, can be done about all of this? Since the turn of the century several of us have spent much of our lives looking at the subject of convergence and what it actually means. We passionately believe convergence really can make a difference to our organisations. At long last, it does appear the need for such holistic managerial oversight is being recognised.

For example, The Security Institute’s new Manifesto for Professional Security (Risk UK, December 2014, pp12-13) declares the following: “The scope of security is rapidly expanding and now encompasses a wide variety of areas ranging from the tangible, such as physical security and property, to the intangible, such as intellectual property and brands alongside cyber security. Security risks are becoming increasingly converged. Whereas in the past physical assets were deemed a priority, in the 21st Century information and intellectual assets demand equal focus. Managing the convergence of threats is a more complex challenge for the security professional and the support they will need from professional bodies and education providers is likely to increase in equal proportion.”

The European Union Agency for Network and Information Security (ENISA) has identified cyber-physical systems as an emerging cyber threat. While its focus is on critical infrastructure protection, it also considers the impact of The Internet of Things in this field. In the report entitled ‘ENISA Threat Landscape 2014: Overview of Current and Emerging Cyber Threats’, the organisation recommends: “The main focus should be on breaking silos and enabling the creation of proper grounds for necessary interdisciplinary co-operation.”

What do we mean by ‘convergence’?

Fundamentally, convergence references the bringing together of different security functions and other departments such as Human Resources (HR), Legal and Finance to identify and respond to risks across the business. It’s not a new concept, but the issue is that we need to do this now if we’re to have any chance of countering the aforementioned threat from cyber-physical systems.

EY has warned that cyber attacks are only going to cause even more damage, stating that: “67% of respondents to our 2014 Global Information Security Survey see threats rising in their information security risk environment.”

In 2011, ASIS Europe and the Information Security Awareness Forum conducted research indicating that around 35% of organisations were operating a converged security strategy but, since then, we haven’t seen widespread progress. For various reasons, many companies continue to operate their physical and cyber security functions separately from one another.
In more recent times, Government ministers and senior police officers have called on physical security practitioners to participate in cyber security strategies because they acknowledge the level of expertise resident in our industry. It’s an instance of learning from our past. Back in May 1940, Sir Winston Churchill said: “Let us go forward together with our united strength.”

We now appreciate to a far greater degree how the technical specialists working diligently at Bletchley Park provided our military leaders with details about the locations of Nazi tanks and battle plans which rendered the Allies’ attacks in World War II so much more effective and, indeed, saved many lives.

Frankly, we need to re-establish that unity if we are to have any chance at all of combating the growing complexity of attacks on all of our critical business systems.

Collaboration and alignment

In truth, physical security has as much to contribute to cyber security as does the IT function. Accordingly, many of us need to respond and seek opportunities to work with our cyber security specialist colleagues while determining how we might actually help them. We also need to ask for help to ensure that our own physical security systems are secure. This is what we mean by the phrase ‘interdependency’.

Of late, it has been particularly encouraging to see the importance placed on collaboration, alignment and integration within the pages of the new British Standard BS 65000:2014 Guidelines on Resilience. There’s a section specifically focused on ‘Bringing coherence’. The British Standard states: “The governing body of the organisation sets priorities for that organisation to ensure resilience and inform operational activities. Top management should align operational activities with these priorities and achieve coherence across the various management systems to build resilience. To ensure that organisational silos support resilience, the organisation should integrate risk management activities and operational disciplines and ensure that knowledge is actively shared across internal organisational boundaries so that risks and opportunities are addressed coherently by all parts of the organisation. Specifically, the operational disciplines to be integrated should include, but not be limited to, the following: cyber security, fraud, physical security, business continuity… and HR.”

BS 65000:2014 goes on to include other functions. It doesn’t limit this integration. This is very similar to the work a dedicated convergence team carried out for ASIS International in the ANSI/ASIS PAP.1-2012 Standard, which states: “Analysis, planning, implementation, evaluation, documentation and review activities need to take an enterprise security risk management perspective, integrating all facets of the functions and processes in the organisation. Teaming with other business functions and processes is key to success in protecting the organisation’s assets.”

Importantly, the two standards also emphasise the interdependency of risk. BS 65000:2014 says: “The organisation should go beyond information sharing to collaboration (see BS 11000) and joint actions where this realises mutual benefit and where interdependencies require it.”

The ANSI/ASIS PAP.1-2012 Standard opines: “Evaluation of interdependencies is critical to a successful ‘protection in depth’ strategy given the reliance of many physical countermeasures on electronic, telecommunications and information systems.”

While BS 65000:2014 is a high level document, the terms ‘coherence’ and ‘convergence’ (the latter referenced in the PAP Standard) are almost interchangeable. It’s really significant that the ANSI/ASIS PAP Standard is listed in the ‘Further reading’ for the British Standard, and I would strongly advise security professionals to consider how they might implement both of these standards within their organisations.

While I would also advocate using experienced security consultants to assist with that process, it’s possible to start by looking at ways in which to incorporate the standards within security policy.

Will IT subsume physical security?

In recent years, respected colleagues in the physical security arena have expressed concern that IT will simply take over the area of corporate and physical security and that technology will replace much of what we know as ‘traditional’ security measures.

Convergence has always championed the view that security professionals from all areas work together to examine the threats and achieve a true understanding of risk. It certainly doesn’t urge the destruction or replacement of physical security.

In many instances, cyber security professionals are the first to acknowledge the skills of their physical security colleagues in the fields of investigation and criminality detection. For many years, I’ve advocated the need for companies to develop policies which train and deploy physical security officers to identify cyber security threats.

There are opportunities for forward-thinking businesses to nurture a meaningful unified security strategy which helps them in discovering real threats to the IT infrastructure. In his excellent 2007 book entitled ‘Security Convergence: Managing Enterprise Security Risk’, ASIS International’s President Dave Tyson writes: “With your in-house guard force you can then expand this role to look for more worrisome breaches, such as rogue wireless access points or passwords left on written notes around work surfaces. In our organisation we were able to reduce IT security policy violations by 54% in three months.” This will involve some training, but there are several ways in which security officers can add value here, and yet few among us have followed this sage advice.

Those who are leaders in this field should seriously examine how they can work with the cyber security team to help identify threats, ask for any necessary training and improve the overall security posture of the business.

Physical Security Information Management (PSIM)

Convergence is effective at many levels throughout an organisation. We’ve looked at what some security officers could do, but how do we identify attacks on our physical systems and who will attend to this point?

In recent years we’ve witnessed the growth of Physical Security Information Management (PSIM). Some have seen how this can really help improve our response to threats in real time. That said, we’re now facing up to cyber attacks on our Critical National Infrastructure in addition to our IP-enabled cameras and physical access control systems. This has raised concerns among some and that’s a good thing. At last, colleagues are changing default passwords and even checking for software updates. Progress? Perhaps, but is this enough?

The determined hacker will – as we witnessed with the Sony episode – find their way in and then deface the company website. Is there anything further you can do to protect the organisation? Of course there are some excellent consultants out there who can test your systems and be of great assistance. Please do ask for that help if you need it, but what about technology options?

In fact, there are real-time solutions available which, once configured, can identify cyber attacks on your IP video and access control systems. These solutions do range in terms of cost but, for some, will be well worth the required investment.

Of course, training is important for these systems but if you’re working together with the IT Department then the latter’s constituent members will appreciate your overriding desire to examine these potential vulnerabilities and, on this basis, it’s commendable if you do seek to make that approach.

As stated, convergence is the bringing together of security professionals and other areas of the business to identify and respond to the actual threats we face and, in turn, more effectively protect our colleagues. The faster we can do this the less likely attacks will have the impact intended by their perpetrators.

Bibliography

* ASIS International (2012): ANSI/ASIS PAP.1-2012 Security Management Standard: Physical Asset Protection
* ASIS International Europe (2012): The ASIS/ISAF Security Convergence Survey
* BSI: BS 65000:2014 – Guidance on Organisational Resilience
* ENISA (2014): ENISA Threat Landscape 2014: Overview of Current and Emerging Cyber Threats
* EY (2014): Global Information Security Survey
* The Security Institute (2014): ‘Recognised, Respected and Professional: A Manifesto for Professional Security’
* Tyson D (2007): ‘Security Convergence: Managing Enterprise Security Risk’, Burlington, MA: Elsevier Butterworth-Heinemann
ConvergenceandBS650002014 February2015_riskuk_feb15