Understanding cybersecurity can be challenging. Although cyber threats such as data theft and financial fraud represent serious business concerns, physical threats often evoke more fear due to their tangible nature. With the boundaries between physical and digital security becoming increasingly blurred, innovative criminals are adopting methods to attack businesses on all fronts. A strategy that tackles the convergence of physical and digital risk is therefore imperative.
The physical threat posed by cybercrime
The intersection of the physical and virtual worlds is an underexplored and misunderstood grey area, but one with very real risks. Consider the example of Saflok, the electronic door keycard system used in hotels worldwide. Security researchers found a flaw in the lock system that affects over three million locks across 13,000 properties in 131 countries. Alarmingly, the vulnerability was identified some two years before it was publicly disclosed. This highlights a common issue in cybersecurity: the significant cost and resources needed for a complete overhaul often cause delays, during which the weakness remains exploitable. In today's cyber environment, breaches are inevitable; the only uncertainty is when they will happen.
The flaw in Saflok's system allows an attacker to create a counterfeit keycard capable of unlocking any door at the affected property. The process is surprisingly simple, requiring only one keycard from that property, even an expired one. Labelled 'Unsaflok', the flaw combines weaknesses in the encryption of the MIFARE Classic cards the system uses with weaknesses in the way the system derives the keys written to each card, so that the data read from one guest card is enough to forge cards for other doors.
Though this issue affects only one manufacturer’s lock, its widespread use makes hotels vulnerable worldwide. Addressing the problem is a daunting, time-consuming task that involves updating software on each lock individually, as well as replacing keycards and encoders. So, it’s no quick fix.
The perils of procrastination
Organisations must invest in cybersecurity; the cost of inaction could be immense. For instance, if a single room is accessed illegally, resulting in theft or a more serious crime, the hotel can face litigation and serious repercussions such as compensation claims. If several incidents occur, a hotel's reputation could be significantly and irreparably damaged, with consequences such as a decline in bookings likely to follow.
Costs can escalate rapidly following an incident. Cybersecurity insurance premiums may surge, and for a listed company the financial impact could extend to a declining share price. Hotels that rely on this system remain both physically and virtually vulnerable until it is fixed, and organisations cannot wait until a breach has occurred to begin securing physical and virtual assets.
Strengthening defence: key steps
To protect against threats at the intersection of physical and digital realms, organisations can draw valuable lessons from the hotel room case and implement several effective strategies.
First, implementing role-based access control is essential. By dividing responsibilities between staff members, such as front desk staff having certain keycard functions and maintenance staff managing lock hardware, access is limited, and only authorised personnel can make system changes. This can help to reduce the risk of misuse.
Next, it is essential to implement secure communication protocols. Encrypting the data transmitted between keycard readers, encoders and the central system prevents attackers from intercepting or tampering with it, preserving both confidentiality and integrity. Note, though, that encryption in transit alone would not have prevented Unsaflok, whose weakness lay in the cards and the keys written to them: the choice of card technology and the way keys are derived and managed matter just as much.
Another crucial measure is regularly updating firmware and software. Consistently applying updates that address known vulnerabilities significantly reduces the risk of attackers exploiting them. For physical devices such as door locks, where an update may require a visit to each lock, this depends on an accurate inventory of deployed devices and a prioritised rollout plan, so that the most exposed doors are fixed first.
Implementing network segmentation is also essential. By isolating the keycard system from other parts of the network, the potential impact of a breach is minimised, and attackers are prevented from moving laterally within the network.
Lastly, monitoring for anomalies and suspicious activity is imperative. Just as hotels employ security cameras in lobbies, they should actively monitor their digital infrastructure for unusual events or patterns that may signify a threat. For example, a burst of failed access attempts at a single door, particularly from several different card identifiers in a short time or followed by a successful open, could indicate someone testing forged cards, enabling swift and effective intervention.
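As an added illustration of the monitoring step (this is example code written for this page, not code from Saflok, its manufacturer or the author), the following Python detector reads keycard access events and raises an alert when a single lock sees a burst of denied attempts within a short window. It also records whether several distinct card identifiers were involved and whether the burst ended in a successful open, since both patterns fit someone trying forged cards at a door. The log format, the sample events, the window and threshold are all assumptions made for the example.

```python
"""Burst detector for failed keycard reads (added example, not vendor code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines. The field layout is an assumption for this
# example; a real lock management system will have its own export format.
SAMPLE_LOG = """\
2024-05-02T22:10:01Z lock=301 card=7A1F result=DENIED reason=EXPIRED
2024-05-02T22:10:05Z lock=301 card=7A1F result=DENIED reason=EXPIRED
2024-05-02T22:10:09Z lock=301 card=9C02 result=DENIED reason=UNKNOWN_CARD
2024-05-02T22:10:14Z lock=301 card=9C03 result=DENIED reason=UNKNOWN_CARD
2024-05-02T22:10:20Z lock=301 card=9C04 result=DENIED reason=UNKNOWN_CARD
2024-05-02T22:10:25Z lock=301 card=9C05 result=GRANTED reason=-
2024-05-02T22:15:00Z lock=412 card=11AA result=DENIED reason=EXPIRED
2024-05-02T23:30:00Z lock=412 card=11AA result=GRANTED reason=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) lock=(?P<lock>\S+) card=(?P<card>\S+) "
    r"result=(?P<result>GRANTED|DENIED) reason=(?P<reason>\S+)$"
)


def parse_line(line):
    """Parse one event line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def detect_bursts(lines, window_seconds=60, threshold=4):
    """Return one alert per burst of >= threshold DENIED reads at a lock.

    A burst is extended by further failures inside the window and is marked
    followed_by_grant if a GRANTED read occurs before the burst goes quiet.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # lock -> recent DENIED events inside the window
    open_alerts = {}             # lock -> alert currently being extended
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        lock = ev["lock"]
        q = recent[lock]
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # forget failures older than the window
        alert = open_alerts.get(lock)
        if alert is not None and ev["ts"] - alert["end"] > window:
            del open_alerts[lock]  # the burst went quiet; later events are a new episode
            alert = None
        if ev["result"] == "DENIED":
            q.append(ev)
            if len(q) >= threshold:
                if alert is None:
                    alert = {
                        "lock": lock,
                        "start": q[0]["ts"],
                        "end": ev["ts"],
                        "failures": len(q),
                        "cards": {e["card"] for e in q},
                        "followed_by_grant": False,
                    }
                    open_alerts[lock] = alert
                    alerts.append(alert)
                else:
                    alert["end"] = ev["ts"]
                    alert["failures"] += 1
                    alert["cards"].add(ev["card"])
        elif alert is not None:
            # A successful open right after a run of failures at the same door
            # is the pattern of a forged card that finally worked.
            alert["followed_by_grant"] = True
            del open_alerts[lock]
    return alerts


def severity(alert):
    """Escalate when many different cards were tried or the burst ended in a grant."""
    if alert["followed_by_grant"] or len(alert["cards"]) >= 3:
        return "high"
    return "medium"


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"{severity(a)}: lock {a['lock']} saw {a['failures']} failures from "
              f"{len(a['cards'])} cards between {a['start']:%H:%M:%S} and "
              f"{a['end']:%H:%M:%S}; grant followed: {a['followed_by_grant']}")
```

On the constructed sample, lock 301 produces a single high-severity alert (five failures from four different cards, then a successful open), while the lone expired-card failure at lock 412 an hour before its valid read is correctly ignored. The window and threshold should be tuned against a property's real baseline of guest fumbling before the alert is wired to a response.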
Although physical threats are undoubtedly frightening, digital threats can be just as harmful. As the lines between the two blur, organisations must adopt a unified ‘cyber safe’ strategy to protect themselves and their customers.
By Guy Golan, Executive Chairman and CEO, Performanta